1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110 /* ====================================================================
111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112 * ECC cipher suite support in OpenSSL originally developed by
113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
114 */
115 /* ====================================================================
116 * Copyright 2005 Nokia. All rights reserved.
117 *
118 * The portions of the attached software ("Contribution") is developed by
119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
120 * license.
121 *
122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
124 * support (see RFC 4279) to OpenSSL.
125 *
126 * No patent licenses or other rights except those expressly stated in
127 * the OpenSSL open source license shall be deemed granted or received
128 * expressly, by implication, estoppel, or otherwise.
129 *
130 * No assurances are provided by Nokia that the Contribution does not
131 * infringe the patent or other intellectual property rights of any third
132 * party or that the license provides you with all the necessary rights
133 * to make use of the Contribution.
134 *
135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
139 * OTHERWISE. */
140
141 #include <openssl/ssl.h>
142
143 #include <assert.h>
144 #include <string.h>
145
146 #include <openssl/err.h>
147 #include <openssl/md5.h>
148 #include <openssl/mem.h>
149 #include <openssl/sha.h>
150 #include <openssl/stack.h>
151
152 #include "internal.h"
153 #include "../crypto/internal.h"
154
155
156 BSSL_NAMESPACE_BEGIN
157
158 static constexpr SSL_CIPHER kCiphers[] = {
159 // The RSA ciphers
160 // Cipher 02
161 {
162 SSL3_TXT_RSA_NULL_SHA,
163 "TLS_RSA_WITH_NULL_SHA",
164 SSL3_CK_RSA_NULL_SHA,
165 SSL_kRSA,
166 SSL_aRSA,
167 SSL_eNULL,
168 SSL_SHA1,
169 SSL_HANDSHAKE_MAC_DEFAULT,
170 },
171
172 // Cipher 0A
173 {
174 SSL3_TXT_RSA_DES_192_CBC3_SHA,
175 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
176 SSL3_CK_RSA_DES_192_CBC3_SHA,
177 SSL_kRSA,
178 SSL_aRSA,
179 SSL_3DES,
180 SSL_SHA1,
181 SSL_HANDSHAKE_MAC_DEFAULT,
182 },
183
184
185 // New AES ciphersuites
186
187 // Cipher 2F
188 {
189 TLS1_TXT_RSA_WITH_AES_128_SHA,
190 "TLS_RSA_WITH_AES_128_CBC_SHA",
191 TLS1_CK_RSA_WITH_AES_128_SHA,
192 SSL_kRSA,
193 SSL_aRSA,
194 SSL_AES128,
195 SSL_SHA1,
196 SSL_HANDSHAKE_MAC_DEFAULT,
197 },
198
199 // Cipher 35
200 {
201 TLS1_TXT_RSA_WITH_AES_256_SHA,
202 "TLS_RSA_WITH_AES_256_CBC_SHA",
203 TLS1_CK_RSA_WITH_AES_256_SHA,
204 SSL_kRSA,
205 SSL_aRSA,
206 SSL_AES256,
207 SSL_SHA1,
208 SSL_HANDSHAKE_MAC_DEFAULT,
209 },
210
211 // PSK cipher suites.
212
213 // Cipher 8C
214 {
215 TLS1_TXT_PSK_WITH_AES_128_CBC_SHA,
216 "TLS_PSK_WITH_AES_128_CBC_SHA",
217 TLS1_CK_PSK_WITH_AES_128_CBC_SHA,
218 SSL_kPSK,
219 SSL_aPSK,
220 SSL_AES128,
221 SSL_SHA1,
222 SSL_HANDSHAKE_MAC_DEFAULT,
223 },
224
225 // Cipher 8D
226 {
227 TLS1_TXT_PSK_WITH_AES_256_CBC_SHA,
228 "TLS_PSK_WITH_AES_256_CBC_SHA",
229 TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
230 SSL_kPSK,
231 SSL_aPSK,
232 SSL_AES256,
233 SSL_SHA1,
234 SSL_HANDSHAKE_MAC_DEFAULT,
235 },
236
237 // GCM ciphersuites from RFC5288
238
239 // Cipher 9C
240 {
241 TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
242 "TLS_RSA_WITH_AES_128_GCM_SHA256",
243 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
244 SSL_kRSA,
245 SSL_aRSA,
246 SSL_AES128GCM,
247 SSL_AEAD,
248 SSL_HANDSHAKE_MAC_SHA256,
249 },
250
251 // Cipher 9D
252 {
253 TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
254 "TLS_RSA_WITH_AES_256_GCM_SHA384",
255 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
256 SSL_kRSA,
257 SSL_aRSA,
258 SSL_AES256GCM,
259 SSL_AEAD,
260 SSL_HANDSHAKE_MAC_SHA384,
261 },
262
263 // TLS 1.3 suites.
264
265 // Cipher 1301
266 {
267 TLS1_TXT_AES_128_GCM_SHA256,
268 "TLS_AES_128_GCM_SHA256",
269 TLS1_CK_AES_128_GCM_SHA256,
270 SSL_kGENERIC,
271 SSL_aGENERIC,
272 SSL_AES128GCM,
273 SSL_AEAD,
274 SSL_HANDSHAKE_MAC_SHA256,
275 },
276
277 // Cipher 1302
278 {
279 TLS1_TXT_AES_256_GCM_SHA384,
280 "TLS_AES_256_GCM_SHA384",
281 TLS1_CK_AES_256_GCM_SHA384,
282 SSL_kGENERIC,
283 SSL_aGENERIC,
284 SSL_AES256GCM,
285 SSL_AEAD,
286 SSL_HANDSHAKE_MAC_SHA384,
287 },
288
289 // Cipher 1303
290 {
291 TLS1_TXT_CHACHA20_POLY1305_SHA256,
292 "TLS_CHACHA20_POLY1305_SHA256",
293 TLS1_CK_CHACHA20_POLY1305_SHA256,
294 SSL_kGENERIC,
295 SSL_aGENERIC,
296 SSL_CHACHA20POLY1305,
297 SSL_AEAD,
298 SSL_HANDSHAKE_MAC_SHA256,
299 },
300
301 // Cipher C009
302 {
303 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
304 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
305 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
306 SSL_kECDHE,
307 SSL_aECDSA,
308 SSL_AES128,
309 SSL_SHA1,
310 SSL_HANDSHAKE_MAC_DEFAULT,
311 },
312
313 // Cipher C00A
314 {
315 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
316 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
317 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
318 SSL_kECDHE,
319 SSL_aECDSA,
320 SSL_AES256,
321 SSL_SHA1,
322 SSL_HANDSHAKE_MAC_DEFAULT,
323 },
324
325 // Cipher C013
326 {
327 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
328 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
329 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
330 SSL_kECDHE,
331 SSL_aRSA,
332 SSL_AES128,
333 SSL_SHA1,
334 SSL_HANDSHAKE_MAC_DEFAULT,
335 },
336
337 // Cipher C014
338 {
339 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
340 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
341 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
342 SSL_kECDHE,
343 SSL_aRSA,
344 SSL_AES256,
345 SSL_SHA1,
346 SSL_HANDSHAKE_MAC_DEFAULT,
347 },
348
349 // GCM based TLS v1.2 ciphersuites from RFC5289
350
351 // Cipher C02B
352 {
353 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
354 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
355 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
356 SSL_kECDHE,
357 SSL_aECDSA,
358 SSL_AES128GCM,
359 SSL_AEAD,
360 SSL_HANDSHAKE_MAC_SHA256,
361 },
362
363 // Cipher C02C
364 {
365 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
366 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
367 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
368 SSL_kECDHE,
369 SSL_aECDSA,
370 SSL_AES256GCM,
371 SSL_AEAD,
372 SSL_HANDSHAKE_MAC_SHA384,
373 },
374
375 // Cipher C02F
376 {
377 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
378 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
379 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
380 SSL_kECDHE,
381 SSL_aRSA,
382 SSL_AES128GCM,
383 SSL_AEAD,
384 SSL_HANDSHAKE_MAC_SHA256,
385 },
386
387 // Cipher C030
388 {
389 TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
390 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
391 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
392 SSL_kECDHE,
393 SSL_aRSA,
394 SSL_AES256GCM,
395 SSL_AEAD,
396 SSL_HANDSHAKE_MAC_SHA384,
397 },
398
399 // ECDHE-PSK cipher suites.
400
401 // Cipher C035
402 {
403 TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA,
404 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
405 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
406 SSL_kECDHE,
407 SSL_aPSK,
408 SSL_AES128,
409 SSL_SHA1,
410 SSL_HANDSHAKE_MAC_DEFAULT,
411 },
412
413 // Cipher C036
414 {
415 TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA,
416 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
417 TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA,
418 SSL_kECDHE,
419 SSL_aPSK,
420 SSL_AES256,
421 SSL_SHA1,
422 SSL_HANDSHAKE_MAC_DEFAULT,
423 },
424
425 // ChaCha20-Poly1305 cipher suites.
426
427 // Cipher CCA8
428 {
429 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
430 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
431 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
432 SSL_kECDHE,
433 SSL_aRSA,
434 SSL_CHACHA20POLY1305,
435 SSL_AEAD,
436 SSL_HANDSHAKE_MAC_SHA256,
437 },
438
439 // Cipher CCA9
440 {
441 TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
442 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
443 TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
444 SSL_kECDHE,
445 SSL_aECDSA,
446 SSL_CHACHA20POLY1305,
447 SSL_AEAD,
448 SSL_HANDSHAKE_MAC_SHA256,
449 },
450
451 // Cipher CCAB
452 {
453 TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
454 "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
455 TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
456 SSL_kECDHE,
457 SSL_aPSK,
458 SSL_CHACHA20POLY1305,
459 SSL_AEAD,
460 SSL_HANDSHAKE_MAC_SHA256,
461 },
462
463 };
464
AllCiphers()465 Span<const SSL_CIPHER> AllCiphers() {
466 return MakeConstSpan(kCiphers, OPENSSL_ARRAY_SIZE(kCiphers));
467 }
468
469 #define CIPHER_ADD 1
470 #define CIPHER_KILL 2
471 #define CIPHER_DEL 3
472 #define CIPHER_ORD 4
473 #define CIPHER_SPECIAL 5
474
475 typedef struct cipher_order_st {
476 const SSL_CIPHER *cipher;
477 bool active;
478 bool in_group;
479 struct cipher_order_st *next, *prev;
480 } CIPHER_ORDER;
481
482 typedef struct cipher_alias_st {
483 // name is the name of the cipher alias.
484 const char *name;
485
486 // The following fields are bitmasks for the corresponding fields on
487 // |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the
488 // bit corresponding to the cipher's value is set to 1. If any bitmask is
489 // all zeroes, the alias matches nothing. Use |~0u| for the default value.
490 uint32_t algorithm_mkey;
491 uint32_t algorithm_auth;
492 uint32_t algorithm_enc;
493 uint32_t algorithm_mac;
494
495 // min_version, if non-zero, matches all ciphers which were added in that
496 // particular protocol version.
497 uint16_t min_version;
498 } CIPHER_ALIAS;
499
500 static const CIPHER_ALIAS kCipherAliases[] = {
501 // "ALL" doesn't include eNULL. It must be explicitly enabled.
502 {"ALL", ~0u, ~0u, ~0u, ~0u, 0},
503
504 // The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing.
505
506 // key exchange aliases
507 // (some of those using only a single bit here combine
508 // multiple key exchange algs according to the RFCs.
509 {"kRSA", SSL_kRSA, ~0u, ~0u, ~0u, 0},
510
511 {"kECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
512 {"kEECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
513 {"ECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
514
515 {"kPSK", SSL_kPSK, ~0u, ~0u, ~0u, 0},
516
517 // server authentication aliases
518 {"aRSA", ~0u, SSL_aRSA, ~0u, ~0u, 0},
519 {"aECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
520 {"ECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
521 {"aPSK", ~0u, SSL_aPSK, ~0u, ~0u, 0},
522
523 // aliases combining key exchange and server authentication
524 {"ECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
525 {"EECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
526 {"RSA", SSL_kRSA, SSL_aRSA, ~0u, ~0u, 0},
527 {"PSK", SSL_kPSK, SSL_aPSK, ~0u, ~0u, 0},
528
529 // symmetric encryption aliases
530 {"3DES", ~0u, ~0u, SSL_3DES, ~0u, 0},
531 {"AES128", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0},
532 {"AES256", ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0},
533 {"AES", ~0u, ~0u, SSL_AES, ~0u, 0},
534 {"AESGCM", ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0},
535 {"CHACHA20", ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0},
536
537 // MAC aliases
538 {"SHA1", ~0u, ~0u, ~0u, SSL_SHA1, 0},
539 {"SHA", ~0u, ~0u, ~0u, SSL_SHA1, 0},
540
541 // Legacy protocol minimum version aliases. "TLSv1" is intentionally the
542 // same as "SSLv3".
543 {"SSLv3", ~0u, ~0u, ~0u, ~0u, SSL3_VERSION},
544 {"TLSv1", ~0u, ~0u, ~0u, ~0u, SSL3_VERSION},
545 {"TLSv1.2", ~0u, ~0u, ~0u, ~0u, TLS1_2_VERSION},
546
547 // Legacy strength classes.
548 {"HIGH", ~0u, ~0u, ~0u, ~0u, 0},
549 {"FIPS", ~0u, ~0u, ~0u, ~0u, 0},
550
551 // Temporary no-op aliases corresponding to removed SHA-2 legacy CBC
552 // ciphers. These should be removed after 2018-05-14.
553 {"SHA256", 0, 0, 0, 0, 0},
554 {"SHA384", 0, 0, 0, 0, 0},
555 };
556
557 static const size_t kCipherAliasesLen = OPENSSL_ARRAY_SIZE(kCipherAliases);
558
ssl_cipher_get_evp_aead(const EVP_AEAD ** out_aead,size_t * out_mac_secret_len,size_t * out_fixed_iv_len,const SSL_CIPHER * cipher,uint16_t version,bool is_dtls)559 bool ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
560 size_t *out_mac_secret_len,
561 size_t *out_fixed_iv_len, const SSL_CIPHER *cipher,
562 uint16_t version, bool is_dtls) {
563 *out_aead = NULL;
564 *out_mac_secret_len = 0;
565 *out_fixed_iv_len = 0;
566
567 const bool is_tls12 = version == TLS1_2_VERSION && !is_dtls;
568 const bool is_tls13 = version == TLS1_3_VERSION && !is_dtls;
569
570 if (cipher->algorithm_mac == SSL_AEAD) {
571 if (cipher->algorithm_enc == SSL_AES128GCM) {
572 if (is_tls12) {
573 *out_aead = EVP_aead_aes_128_gcm_tls12();
574 } else if (is_tls13) {
575 *out_aead = EVP_aead_aes_128_gcm_tls13();
576 } else {
577 *out_aead = EVP_aead_aes_128_gcm();
578 }
579 *out_fixed_iv_len = 4;
580 } else if (cipher->algorithm_enc == SSL_AES256GCM) {
581 if (is_tls12) {
582 *out_aead = EVP_aead_aes_256_gcm_tls12();
583 } else if (is_tls13) {
584 *out_aead = EVP_aead_aes_256_gcm_tls13();
585 } else {
586 *out_aead = EVP_aead_aes_256_gcm();
587 }
588 *out_fixed_iv_len = 4;
589 } else if (cipher->algorithm_enc == SSL_CHACHA20POLY1305) {
590 *out_aead = EVP_aead_chacha20_poly1305();
591 *out_fixed_iv_len = 12;
592 } else {
593 return false;
594 }
595
596 // In TLS 1.3, the iv_len is equal to the AEAD nonce length whereas the code
597 // above computes the TLS 1.2 construction.
598 if (version >= TLS1_3_VERSION) {
599 *out_fixed_iv_len = EVP_AEAD_nonce_length(*out_aead);
600 }
601 } else if (cipher->algorithm_mac == SSL_SHA1) {
602 if (cipher->algorithm_enc == SSL_eNULL) {
603 *out_aead = EVP_aead_null_sha1_tls();
604 } else if (cipher->algorithm_enc == SSL_3DES) {
605 if (version == TLS1_VERSION) {
606 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv();
607 *out_fixed_iv_len = 8;
608 } else {
609 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls();
610 }
611 } else if (cipher->algorithm_enc == SSL_AES128) {
612 if (version == TLS1_VERSION) {
613 *out_aead = EVP_aead_aes_128_cbc_sha1_tls_implicit_iv();
614 *out_fixed_iv_len = 16;
615 } else {
616 *out_aead = EVP_aead_aes_128_cbc_sha1_tls();
617 }
618 } else if (cipher->algorithm_enc == SSL_AES256) {
619 if (version == TLS1_VERSION) {
620 *out_aead = EVP_aead_aes_256_cbc_sha1_tls_implicit_iv();
621 *out_fixed_iv_len = 16;
622 } else {
623 *out_aead = EVP_aead_aes_256_cbc_sha1_tls();
624 }
625 } else {
626 return false;
627 }
628
629 *out_mac_secret_len = SHA_DIGEST_LENGTH;
630 } else {
631 return false;
632 }
633
634 return true;
635 }
636
ssl_get_handshake_digest(uint16_t version,const SSL_CIPHER * cipher)637 const EVP_MD *ssl_get_handshake_digest(uint16_t version,
638 const SSL_CIPHER *cipher) {
639 switch (cipher->algorithm_prf) {
640 case SSL_HANDSHAKE_MAC_DEFAULT:
641 return version >= TLS1_2_VERSION ? EVP_sha256() : EVP_md5_sha1();
642 case SSL_HANDSHAKE_MAC_SHA256:
643 return EVP_sha256();
644 case SSL_HANDSHAKE_MAC_SHA384:
645 return EVP_sha384();
646 default:
647 assert(0);
648 return NULL;
649 }
650 }
651
is_cipher_list_separator(char c,bool is_strict)652 static bool is_cipher_list_separator(char c, bool is_strict) {
653 if (c == ':') {
654 return true;
655 }
656 return !is_strict && (c == ' ' || c == ';' || c == ',');
657 }
658
659 // rule_equals returns whether the NUL-terminated string |rule| is equal to the
660 // |buf_len| bytes at |buf|.
rule_equals(const char * rule,const char * buf,size_t buf_len)661 static bool rule_equals(const char *rule, const char *buf, size_t buf_len) {
662 // |strncmp| alone only checks that |buf| is a prefix of |rule|.
663 return strncmp(rule, buf, buf_len) == 0 && rule[buf_len] == '\0';
664 }
665
ll_append_tail(CIPHER_ORDER ** head,CIPHER_ORDER * curr,CIPHER_ORDER ** tail)666 static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
667 CIPHER_ORDER **tail) {
668 if (curr == *tail) {
669 return;
670 }
671 if (curr == *head) {
672 *head = curr->next;
673 }
674 if (curr->prev != NULL) {
675 curr->prev->next = curr->next;
676 }
677 if (curr->next != NULL) {
678 curr->next->prev = curr->prev;
679 }
680 (*tail)->next = curr;
681 curr->prev = *tail;
682 curr->next = NULL;
683 *tail = curr;
684 }
685
ll_append_head(CIPHER_ORDER ** head,CIPHER_ORDER * curr,CIPHER_ORDER ** tail)686 static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
687 CIPHER_ORDER **tail) {
688 if (curr == *head) {
689 return;
690 }
691 if (curr == *tail) {
692 *tail = curr->prev;
693 }
694 if (curr->next != NULL) {
695 curr->next->prev = curr->prev;
696 }
697 if (curr->prev != NULL) {
698 curr->prev->next = curr->next;
699 }
700 (*head)->prev = curr;
701 curr->next = *head;
702 curr->prev = NULL;
703 *head = curr;
704 }
705
ssl_cipher_collect_ciphers(Array<CIPHER_ORDER> * out_co_list,CIPHER_ORDER ** out_head,CIPHER_ORDER ** out_tail)706 static bool ssl_cipher_collect_ciphers(Array<CIPHER_ORDER> *out_co_list,
707 CIPHER_ORDER **out_head,
708 CIPHER_ORDER **out_tail) {
709 Array<CIPHER_ORDER> co_list;
710 if (!co_list.Init(OPENSSL_ARRAY_SIZE(kCiphers))) {
711 return false;
712 }
713
714 size_t co_list_num = 0;
715 for (const SSL_CIPHER &cipher : kCiphers) {
716 // TLS 1.3 ciphers do not participate in this mechanism.
717 if (cipher.algorithm_mkey != SSL_kGENERIC) {
718 co_list[co_list_num].cipher = &cipher;
719 co_list[co_list_num].next = NULL;
720 co_list[co_list_num].prev = NULL;
721 co_list[co_list_num].active = false;
722 co_list[co_list_num].in_group = false;
723 co_list_num++;
724 }
725 }
726
727 // Prepare linked list from list entries.
728 if (co_list_num > 0) {
729 co_list[0].prev = NULL;
730
731 if (co_list_num > 1) {
732 co_list[0].next = &co_list[1];
733
734 for (size_t i = 1; i < co_list_num - 1; i++) {
735 co_list[i].prev = &co_list[i - 1];
736 co_list[i].next = &co_list[i + 1];
737 }
738
739 co_list[co_list_num - 1].prev = &co_list[co_list_num - 2];
740 }
741
742 co_list[co_list_num - 1].next = NULL;
743
744 *out_head = &co_list[0];
745 *out_tail = &co_list[co_list_num - 1];
746 } else {
747 *out_head = nullptr;
748 *out_tail = nullptr;
749 }
750 *out_co_list = std::move(co_list);
751 return true;
752 }
753
~SSLCipherPreferenceList()754 SSLCipherPreferenceList::~SSLCipherPreferenceList() {
755 OPENSSL_free(in_group_flags);
756 }
757
Init(UniquePtr<STACK_OF (SSL_CIPHER)> ciphers_arg,Span<const bool> in_group_flags_arg)758 bool SSLCipherPreferenceList::Init(UniquePtr<STACK_OF(SSL_CIPHER)> ciphers_arg,
759 Span<const bool> in_group_flags_arg) {
760 if (sk_SSL_CIPHER_num(ciphers_arg.get()) != in_group_flags_arg.size()) {
761 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
762 return false;
763 }
764
765 Array<bool> copy;
766 if (!copy.CopyFrom(in_group_flags_arg)) {
767 return false;
768 }
769 ciphers = std::move(ciphers_arg);
770 size_t unused_len;
771 copy.Release(&in_group_flags, &unused_len);
772 return true;
773 }
774
Init(const SSLCipherPreferenceList & other)775 bool SSLCipherPreferenceList::Init(const SSLCipherPreferenceList& other) {
776 size_t size = sk_SSL_CIPHER_num(other.ciphers.get());
777 Span<const bool> other_flags(other.in_group_flags, size);
778 UniquePtr<STACK_OF(SSL_CIPHER)> other_ciphers(sk_SSL_CIPHER_dup(
779 other.ciphers.get()));
780 if (!other_ciphers) {
781 return false;
782 }
783 return Init(std::move(other_ciphers), other_flags);
784 }
785
Remove(const SSL_CIPHER * cipher)786 void SSLCipherPreferenceList::Remove(const SSL_CIPHER *cipher) {
787 size_t index;
788 if (!sk_SSL_CIPHER_find(ciphers.get(), &index, cipher)) {
789 return;
790 }
791 if (!in_group_flags[index] /* last element of group */ && index > 0) {
792 in_group_flags[index-1] = false;
793 }
794 for (size_t i = index; i < sk_SSL_CIPHER_num(ciphers.get()) - 1; ++i) {
795 in_group_flags[i] = in_group_flags[i+1];
796 }
797 sk_SSL_CIPHER_delete(ciphers.get(), index);
798 }
799
800 // ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its
801 // parameters in the linked list from |*head_p| to |*tail_p|. It writes the new
802 // head and tail of the list to |*head_p| and |*tail_p|, respectively.
803 //
804 // - If |cipher_id| is non-zero, only that cipher is selected.
805 // - Otherwise, if |strength_bits| is non-negative, it selects ciphers
806 // of that strength.
807 // - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and
808 // |min_version|.
ssl_cipher_apply_rule(uint32_t cipher_id,uint32_t alg_mkey,uint32_t alg_auth,uint32_t alg_enc,uint32_t alg_mac,uint16_t min_version,int rule,int strength_bits,bool in_group,CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p)809 static void ssl_cipher_apply_rule(
810 uint32_t cipher_id, uint32_t alg_mkey, uint32_t alg_auth,
811 uint32_t alg_enc, uint32_t alg_mac, uint16_t min_version, int rule,
812 int strength_bits, bool in_group, CIPHER_ORDER **head_p,
813 CIPHER_ORDER **tail_p) {
814 CIPHER_ORDER *head, *tail, *curr, *next, *last;
815 const SSL_CIPHER *cp;
816 bool reverse = false;
817
818 if (cipher_id == 0 && strength_bits == -1 && min_version == 0 &&
819 (alg_mkey == 0 || alg_auth == 0 || alg_enc == 0 || alg_mac == 0)) {
820 // The rule matches nothing, so bail early.
821 return;
822 }
823
824 if (rule == CIPHER_DEL) {
825 // needed to maintain sorting between currently deleted ciphers
826 reverse = true;
827 }
828
829 head = *head_p;
830 tail = *tail_p;
831
832 if (reverse) {
833 next = tail;
834 last = head;
835 } else {
836 next = head;
837 last = tail;
838 }
839
840 curr = NULL;
841 for (;;) {
842 if (curr == last) {
843 break;
844 }
845
846 curr = next;
847 if (curr == NULL) {
848 break;
849 }
850
851 next = reverse ? curr->prev : curr->next;
852 cp = curr->cipher;
853
854 // Selection criteria is either a specific cipher, the value of
855 // |strength_bits|, or the algorithms used.
856 if (cipher_id != 0) {
857 if (cipher_id != cp->id) {
858 continue;
859 }
860 } else if (strength_bits >= 0) {
861 if (strength_bits != SSL_CIPHER_get_bits(cp, NULL)) {
862 continue;
863 }
864 } else {
865 if (!(alg_mkey & cp->algorithm_mkey) ||
866 !(alg_auth & cp->algorithm_auth) ||
867 !(alg_enc & cp->algorithm_enc) ||
868 !(alg_mac & cp->algorithm_mac) ||
869 (min_version != 0 && SSL_CIPHER_get_min_version(cp) != min_version) ||
870 // The NULL cipher must be selected explicitly.
871 cp->algorithm_enc == SSL_eNULL) {
872 continue;
873 }
874 }
875
876 // add the cipher if it has not been added yet.
877 if (rule == CIPHER_ADD) {
878 // reverse == false
879 if (!curr->active) {
880 ll_append_tail(&head, curr, &tail);
881 curr->active = true;
882 curr->in_group = in_group;
883 }
884 }
885
886 // Move the added cipher to this location
887 else if (rule == CIPHER_ORD) {
888 // reverse == false
889 if (curr->active) {
890 ll_append_tail(&head, curr, &tail);
891 curr->in_group = false;
892 }
893 } else if (rule == CIPHER_DEL) {
894 // reverse == true
895 if (curr->active) {
896 // most recently deleted ciphersuites get best positions
897 // for any future CIPHER_ADD (note that the CIPHER_DEL loop
898 // works in reverse to maintain the order)
899 ll_append_head(&head, curr, &tail);
900 curr->active = false;
901 curr->in_group = false;
902 }
903 } else if (rule == CIPHER_KILL) {
904 // reverse == false
905 if (head == curr) {
906 head = curr->next;
907 } else {
908 curr->prev->next = curr->next;
909 }
910
911 if (tail == curr) {
912 tail = curr->prev;
913 }
914 curr->active = false;
915 if (curr->next != NULL) {
916 curr->next->prev = curr->prev;
917 }
918 if (curr->prev != NULL) {
919 curr->prev->next = curr->next;
920 }
921 curr->next = NULL;
922 curr->prev = NULL;
923 }
924 }
925
926 *head_p = head;
927 *tail_p = tail;
928 }
929
ssl_cipher_strength_sort(CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p)930 static bool ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
931 CIPHER_ORDER **tail_p) {
932 // This routine sorts the ciphers with descending strength. The sorting must
933 // keep the pre-sorted sequence, so we apply the normal sorting routine as
934 // '+' movement to the end of the list.
935 int max_strength_bits = 0;
936 CIPHER_ORDER *curr = *head_p;
937 while (curr != NULL) {
938 if (curr->active &&
939 SSL_CIPHER_get_bits(curr->cipher, NULL) > max_strength_bits) {
940 max_strength_bits = SSL_CIPHER_get_bits(curr->cipher, NULL);
941 }
942 curr = curr->next;
943 }
944
945 Array<int> number_uses;
946 if (!number_uses.Init(max_strength_bits + 1)) {
947 return false;
948 }
949 OPENSSL_memset(number_uses.data(), 0, (max_strength_bits + 1) * sizeof(int));
950
951 // Now find the strength_bits values actually used.
952 curr = *head_p;
953 while (curr != NULL) {
954 if (curr->active) {
955 number_uses[SSL_CIPHER_get_bits(curr->cipher, NULL)]++;
956 }
957 curr = curr->next;
958 }
959
960 // Go through the list of used strength_bits values in descending order.
961 for (int i = max_strength_bits; i >= 0; i--) {
962 if (number_uses[i] > 0) {
963 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i, false, head_p,
964 tail_p);
965 }
966 }
967
968 return true;
969 }
970
ssl_cipher_process_rulestr(const char * rule_str,CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p,bool strict)971 static bool ssl_cipher_process_rulestr(const char *rule_str,
972 CIPHER_ORDER **head_p,
973 CIPHER_ORDER **tail_p, bool strict) {
974 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
975 uint16_t min_version;
976 const char *l, *buf;
977 int rule;
978 bool multi, skip_rule, in_group = false, has_group = false;
979 size_t j, buf_len;
980 uint32_t cipher_id;
981 char ch;
982
983 l = rule_str;
984 for (;;) {
985 ch = *l;
986
987 if (ch == '\0') {
988 break; // done
989 }
990
991 if (in_group) {
992 if (ch == ']') {
993 if (*tail_p) {
994 (*tail_p)->in_group = false;
995 }
996 in_group = false;
997 l++;
998 continue;
999 }
1000
1001 if (ch == '|') {
1002 rule = CIPHER_ADD;
1003 l++;
1004 continue;
1005 } else if (!(ch >= 'a' && ch <= 'z') && !(ch >= 'A' && ch <= 'Z') &&
1006 !(ch >= '0' && ch <= '9')) {
1007 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP);
1008 return false;
1009 } else {
1010 rule = CIPHER_ADD;
1011 }
1012 } else if (ch == '-') {
1013 rule = CIPHER_DEL;
1014 l++;
1015 } else if (ch == '+') {
1016 rule = CIPHER_ORD;
1017 l++;
1018 } else if (ch == '!') {
1019 rule = CIPHER_KILL;
1020 l++;
1021 } else if (ch == '@') {
1022 rule = CIPHER_SPECIAL;
1023 l++;
1024 } else if (ch == '[') {
1025 assert(!in_group);
1026 in_group = true;
1027 has_group = true;
1028 l++;
1029 continue;
1030 } else {
1031 rule = CIPHER_ADD;
1032 }
1033
1034 // If preference groups are enabled, the only legal operator is +.
1035 // Otherwise the in_group bits will get mixed up.
1036 if (has_group && rule != CIPHER_ADD) {
1037 OPENSSL_PUT_ERROR(SSL, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
1038 return false;
1039 }
1040
1041 if (is_cipher_list_separator(ch, strict)) {
1042 l++;
1043 continue;
1044 }
1045
1046 multi = false;
1047 cipher_id = 0;
1048 alg_mkey = ~0u;
1049 alg_auth = ~0u;
1050 alg_enc = ~0u;
1051 alg_mac = ~0u;
1052 min_version = 0;
1053 skip_rule = false;
1054
1055 for (;;) {
1056 ch = *l;
1057 buf = l;
1058 buf_len = 0;
1059 while ((ch >= 'A' && ch <= 'Z') || (ch >= '0' && ch <= '9') ||
1060 (ch >= 'a' && ch <= 'z') || ch == '-' || ch == '.' || ch == '_') {
1061 ch = *(++l);
1062 buf_len++;
1063 }
1064
1065 if (buf_len == 0) {
1066 // We hit something we cannot deal with, it is no command or separator
1067 // nor alphanumeric, so we call this an error.
1068 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1069 return false;
1070 }
1071
1072 if (rule == CIPHER_SPECIAL) {
1073 break;
1074 }
1075
1076 // Look for a matching exact cipher. These aren't allowed in multipart
1077 // rules.
1078 if (!multi && ch != '+') {
1079 for (j = 0; j < OPENSSL_ARRAY_SIZE(kCiphers); j++) {
1080 const SSL_CIPHER *cipher = &kCiphers[j];
1081 if (rule_equals(cipher->name, buf, buf_len) ||
1082 rule_equals(cipher->standard_name, buf, buf_len)) {
1083 cipher_id = cipher->id;
1084 break;
1085 }
1086 }
1087 }
1088 if (cipher_id == 0) {
1089 // If not an exact cipher, look for a matching cipher alias.
1090 for (j = 0; j < kCipherAliasesLen; j++) {
1091 if (rule_equals(kCipherAliases[j].name, buf, buf_len)) {
1092 alg_mkey &= kCipherAliases[j].algorithm_mkey;
1093 alg_auth &= kCipherAliases[j].algorithm_auth;
1094 alg_enc &= kCipherAliases[j].algorithm_enc;
1095 alg_mac &= kCipherAliases[j].algorithm_mac;
1096
1097 if (min_version != 0 &&
1098 min_version != kCipherAliases[j].min_version) {
1099 skip_rule = true;
1100 } else {
1101 min_version = kCipherAliases[j].min_version;
1102 }
1103 break;
1104 }
1105 }
1106 if (j == kCipherAliasesLen) {
1107 skip_rule = true;
1108 if (strict) {
1109 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1110 return false;
1111 }
1112 }
1113 }
1114
1115 // Check for a multipart rule.
1116 if (ch != '+') {
1117 break;
1118 }
1119 l++;
1120 multi = true;
1121 }
1122
1123 // Ok, we have the rule, now apply it.
1124 if (rule == CIPHER_SPECIAL) {
1125 if (buf_len != 8 || strncmp(buf, "STRENGTH", 8) != 0) {
1126 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1127 return false;
1128 }
1129 if (!ssl_cipher_strength_sort(head_p, tail_p)) {
1130 return false;
1131 }
1132
1133 // We do not support any "multi" options together with "@", so throw away
1134 // the rest of the command, if any left, until end or ':' is found.
1135 while (*l != '\0' && !is_cipher_list_separator(*l, strict)) {
1136 l++;
1137 }
1138 } else if (!skip_rule) {
1139 ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth, alg_enc, alg_mac,
1140 min_version, rule, -1, in_group, head_p, tail_p);
1141 }
1142 }
1143
1144 if (in_group) {
1145 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1146 return false;
1147 }
1148
1149 return true;
1150 }
1151
ssl_create_cipher_list(UniquePtr<SSLCipherPreferenceList> * out_cipher_list,const char * rule_str,bool strict)1152 bool ssl_create_cipher_list(UniquePtr<SSLCipherPreferenceList> *out_cipher_list,
1153 const char *rule_str, bool strict) {
1154 // Return with error if nothing to do.
1155 if (rule_str == NULL || out_cipher_list == NULL) {
1156 return false;
1157 }
1158
1159 // Now we have to collect the available ciphers from the compiled in ciphers.
1160 // We cannot get more than the number compiled in, so it is used for
1161 // allocation.
1162 Array<CIPHER_ORDER> co_list;
1163 CIPHER_ORDER *head = nullptr, *tail = nullptr;
1164 if (!ssl_cipher_collect_ciphers(&co_list, &head, &tail)) {
1165 return false;
1166 }
1167
1168 // Now arrange all ciphers by preference:
1169 // TODO(davidben): Compute this order once and copy it.
1170
1171 // Everything else being equal, prefer ECDHE_ECDSA and ECDHE_RSA over other
1172 // key exchange mechanisms
1173 ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, ~0u, ~0u, 0, CIPHER_ADD, -1,
1174 false, &head, &tail);
1175 ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, false,
1176 &head, &tail);
1177 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, false, &head,
1178 &tail);
1179
1180 // Order the bulk ciphers. First the preferred AEAD ciphers. We prefer
1181 // CHACHA20 unless there is hardware support for fast and constant-time
1182 // AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the
1183 // old one.
1184 if (EVP_has_aes_hardware()) {
1185 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1,
1186 false, &head, &tail);
1187 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1,
1188 false, &head, &tail);
1189 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
1190 -1, false, &head, &tail);
1191 } else {
1192 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
1193 -1, false, &head, &tail);
1194 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1,
1195 false, &head, &tail);
1196 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1,
1197 false, &head, &tail);
1198 }
1199
1200 // Then the legacy non-AEAD ciphers: AES_128_CBC, AES_256_CBC,
1201 // 3DES_EDE_CBC_SHA.
1202 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, 0, CIPHER_ADD, -1, false,
1203 &head, &tail);
1204 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, 0, CIPHER_ADD, -1, false,
1205 &head, &tail);
1206 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, 0, CIPHER_ADD, -1, false,
1207 &head, &tail);
1208
1209 // Temporarily enable everything else for sorting
1210 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, false, &head,
1211 &tail);
1212
1213 // Move ciphers without forward secrecy to the end.
1214 ssl_cipher_apply_rule(0, (SSL_kRSA | SSL_kPSK), ~0u, ~0u, ~0u, 0, CIPHER_ORD,
1215 -1, false, &head, &tail);
1216
1217 // Now disable everything (maintaining the ordering!)
1218 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, false, &head,
1219 &tail);
1220
1221 // If the rule_string begins with DEFAULT, apply the default rule before
1222 // using the (possibly available) additional rules.
1223 const char *rule_p = rule_str;
1224 if (strncmp(rule_str, "DEFAULT", 7) == 0) {
1225 if (!ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, &head, &tail,
1226 strict)) {
1227 return false;
1228 }
1229 rule_p += 7;
1230 if (*rule_p == ':') {
1231 rule_p++;
1232 }
1233 }
1234
1235 if (*rule_p != '\0' &&
1236 !ssl_cipher_process_rulestr(rule_p, &head, &tail, strict)) {
1237 return false;
1238 }
1239
1240 // Allocate new "cipherstack" for the result, return with error
1241 // if we cannot get one.
1242 UniquePtr<STACK_OF(SSL_CIPHER)> cipherstack(sk_SSL_CIPHER_new_null());
1243 Array<bool> in_group_flags;
1244 if (cipherstack == nullptr ||
1245 !in_group_flags.Init(OPENSSL_ARRAY_SIZE(kCiphers))) {
1246 return false;
1247 }
1248
1249 // The cipher selection for the list is done. The ciphers are added
1250 // to the resulting precedence to the STACK_OF(SSL_CIPHER).
1251 size_t num_in_group_flags = 0;
1252 for (CIPHER_ORDER *curr = head; curr != NULL; curr = curr->next) {
1253 if (curr->active) {
1254 if (!sk_SSL_CIPHER_push(cipherstack.get(), curr->cipher)) {
1255 return false;
1256 }
1257 in_group_flags[num_in_group_flags++] = curr->in_group;
1258 }
1259 }
1260
1261 UniquePtr<SSLCipherPreferenceList> pref_list =
1262 MakeUnique<SSLCipherPreferenceList>();
1263 if (!pref_list ||
1264 !pref_list->Init(
1265 std::move(cipherstack),
1266 MakeConstSpan(in_group_flags).subspan(0, num_in_group_flags))) {
1267 return false;
1268 }
1269
1270 *out_cipher_list = std::move(pref_list);
1271
1272 // Configuring an empty cipher list is an error but still updates the
1273 // output.
1274 if (sk_SSL_CIPHER_num((*out_cipher_list)->ciphers.get()) == 0) {
1275 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHER_MATCH);
1276 return false;
1277 }
1278
1279 return true;
1280 }
1281
ssl_cipher_get_value(const SSL_CIPHER * cipher)1282 uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher) {
1283 uint32_t id = cipher->id;
1284 // All OpenSSL cipher IDs are prefaced with 0x03. Historically this referred
1285 // to SSLv2 vs SSLv3.
1286 assert((id & 0xff000000) == 0x03000000);
1287 return id & 0xffff;
1288 }
1289
ssl_cipher_auth_mask_for_key(const EVP_PKEY * key)1290 uint32_t ssl_cipher_auth_mask_for_key(const EVP_PKEY *key) {
1291 switch (EVP_PKEY_id(key)) {
1292 case EVP_PKEY_RSA:
1293 return SSL_aRSA;
1294 case EVP_PKEY_EC:
1295 case EVP_PKEY_ED25519:
1296 // Ed25519 keys in TLS 1.2 repurpose the ECDSA ciphers.
1297 return SSL_aECDSA;
1298 default:
1299 return 0;
1300 }
1301 }
1302
ssl_cipher_uses_certificate_auth(const SSL_CIPHER * cipher)1303 bool ssl_cipher_uses_certificate_auth(const SSL_CIPHER *cipher) {
1304 return (cipher->algorithm_auth & SSL_aCERT) != 0;
1305 }
1306
ssl_cipher_requires_server_key_exchange(const SSL_CIPHER * cipher)1307 bool ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) {
1308 // Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. It is
1309 // optional or omitted in all others.
1310 return (cipher->algorithm_mkey & SSL_kECDHE) != 0;
1311 }
1312
ssl_cipher_get_record_split_len(const SSL_CIPHER * cipher)1313 size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher) {
1314 size_t block_size;
1315 switch (cipher->algorithm_enc) {
1316 case SSL_3DES:
1317 block_size = 8;
1318 break;
1319 case SSL_AES128:
1320 case SSL_AES256:
1321 block_size = 16;
1322 break;
1323 default:
1324 return 0;
1325 }
1326
1327 // All supported TLS 1.0 ciphers use SHA-1.
1328 assert(cipher->algorithm_mac == SSL_SHA1);
1329 size_t ret = 1 + SHA_DIGEST_LENGTH;
1330 ret += block_size - (ret % block_size);
1331 return ret;
1332 }
1333
1334 BSSL_NAMESPACE_END
1335
1336 using namespace bssl;
1337
ssl_cipher_id_cmp_inner(const SSL_CIPHER * a,const SSL_CIPHER * b)1338 static constexpr int ssl_cipher_id_cmp_inner(const SSL_CIPHER *a,
1339 const SSL_CIPHER *b) {
1340 // C++11's constexpr functions must have a body consisting of just a
1341 // return-statement.
1342 return (a->id > b->id) ? 1 : ((a->id < b->id) ? -1 : 0);
1343 }
1344
ssl_cipher_id_cmp(const void * in_a,const void * in_b)1345 static int ssl_cipher_id_cmp(const void *in_a, const void *in_b) {
1346 return ssl_cipher_id_cmp_inner(reinterpret_cast<const SSL_CIPHER *>(in_a),
1347 reinterpret_cast<const SSL_CIPHER *>(in_b));
1348 }
1349
1350 template <typename T, size_t N>
countof(T const (&)[N])1351 static constexpr size_t countof(T const (&)[N]) {
1352 return N;
1353 }
1354
1355 template <typename T, size_t I>
check_order(const T (& arr)[I],size_t N)1356 static constexpr int check_order(const T (&arr)[I], size_t N) {
1357 // C++11's constexpr functions must have a body consisting of just a
1358 // return-statement.
1359 return N > 1 ? ((ssl_cipher_id_cmp_inner(&arr[N - 2], &arr[N - 1]) < 0)
1360 ? check_order(arr, N - 1)
1361 : 0)
1362 : 1;
1363 }
1364
1365 static_assert(check_order(kCiphers, countof(kCiphers)) == 1,
1366 "Ciphers are not sorted, bsearch won't work");
1367
SSL_get_cipher_by_value(uint16_t value)1368 const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value) {
1369 SSL_CIPHER c;
1370
1371 c.id = 0x03000000L | value;
1372 return reinterpret_cast<const SSL_CIPHER *>(bsearch(
1373 &c, kCiphers, OPENSSL_ARRAY_SIZE(kCiphers), sizeof(SSL_CIPHER),
1374 ssl_cipher_id_cmp));
1375 }
1376
SSL_CIPHER_get_id(const SSL_CIPHER * cipher)1377 uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher) { return cipher->id; }
1378
SSL_CIPHER_get_value(const SSL_CIPHER * cipher)1379 uint16_t SSL_CIPHER_get_value(const SSL_CIPHER *cipher) {
1380 return static_cast<uint16_t>(cipher->id);
1381 }
1382
SSL_CIPHER_is_aead(const SSL_CIPHER * cipher)1383 int SSL_CIPHER_is_aead(const SSL_CIPHER *cipher) {
1384 return (cipher->algorithm_mac & SSL_AEAD) != 0;
1385 }
1386
SSL_CIPHER_get_cipher_nid(const SSL_CIPHER * cipher)1387 int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *cipher) {
1388 switch (cipher->algorithm_enc) {
1389 case SSL_eNULL:
1390 return NID_undef;
1391 case SSL_3DES:
1392 return NID_des_ede3_cbc;
1393 case SSL_AES128:
1394 return NID_aes_128_cbc;
1395 case SSL_AES256:
1396 return NID_aes_256_cbc;
1397 case SSL_AES128GCM:
1398 return NID_aes_128_gcm;
1399 case SSL_AES256GCM:
1400 return NID_aes_256_gcm;
1401 case SSL_CHACHA20POLY1305:
1402 return NID_chacha20_poly1305;
1403 }
1404 assert(0);
1405 return NID_undef;
1406 }
1407
SSL_CIPHER_get_digest_nid(const SSL_CIPHER * cipher)1408 int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *cipher) {
1409 switch (cipher->algorithm_mac) {
1410 case SSL_AEAD:
1411 return NID_undef;
1412 case SSL_SHA1:
1413 return NID_sha1;
1414 }
1415 assert(0);
1416 return NID_undef;
1417 }
1418
SSL_CIPHER_get_kx_nid(const SSL_CIPHER * cipher)1419 int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *cipher) {
1420 switch (cipher->algorithm_mkey) {
1421 case SSL_kRSA:
1422 return NID_kx_rsa;
1423 case SSL_kECDHE:
1424 return NID_kx_ecdhe;
1425 case SSL_kPSK:
1426 return NID_kx_psk;
1427 case SSL_kGENERIC:
1428 return NID_kx_any;
1429 }
1430 assert(0);
1431 return NID_undef;
1432 }
1433
SSL_CIPHER_get_auth_nid(const SSL_CIPHER * cipher)1434 int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *cipher) {
1435 switch (cipher->algorithm_auth) {
1436 case SSL_aRSA:
1437 return NID_auth_rsa;
1438 case SSL_aECDSA:
1439 return NID_auth_ecdsa;
1440 case SSL_aPSK:
1441 return NID_auth_psk;
1442 case SSL_aGENERIC:
1443 return NID_auth_any;
1444 }
1445 assert(0);
1446 return NID_undef;
1447 }
1448
SSL_CIPHER_get_prf_nid(const SSL_CIPHER * cipher)1449 int SSL_CIPHER_get_prf_nid(const SSL_CIPHER *cipher) {
1450 switch (cipher->algorithm_prf) {
1451 case SSL_HANDSHAKE_MAC_DEFAULT:
1452 return NID_md5_sha1;
1453 case SSL_HANDSHAKE_MAC_SHA256:
1454 return NID_sha256;
1455 case SSL_HANDSHAKE_MAC_SHA384:
1456 return NID_sha384;
1457 }
1458 assert(0);
1459 return NID_undef;
1460 }
1461
SSL_CIPHER_is_block_cipher(const SSL_CIPHER * cipher)1462 int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher) {
1463 return (cipher->algorithm_enc & SSL_eNULL) == 0 &&
1464 cipher->algorithm_mac != SSL_AEAD;
1465 }
1466
SSL_CIPHER_get_min_version(const SSL_CIPHER * cipher)1467 uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) {
1468 if (cipher->algorithm_mkey == SSL_kGENERIC ||
1469 cipher->algorithm_auth == SSL_aGENERIC) {
1470 return TLS1_3_VERSION;
1471 }
1472
1473 if (cipher->algorithm_prf != SSL_HANDSHAKE_MAC_DEFAULT) {
1474 // Cipher suites before TLS 1.2 use the default PRF, while all those added
1475 // afterwards specify a particular hash.
1476 return TLS1_2_VERSION;
1477 }
1478 return SSL3_VERSION;
1479 }
1480
SSL_CIPHER_get_max_version(const SSL_CIPHER * cipher)1481 uint16_t SSL_CIPHER_get_max_version(const SSL_CIPHER *cipher) {
1482 if (cipher->algorithm_mkey == SSL_kGENERIC ||
1483 cipher->algorithm_auth == SSL_aGENERIC) {
1484 return TLS1_3_VERSION;
1485 }
1486 return TLS1_2_VERSION;
1487 }
1488
1489 // return the actual cipher being used
SSL_CIPHER_get_name(const SSL_CIPHER * cipher)1490 const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) {
1491 if (cipher != NULL) {
1492 return cipher->name;
1493 }
1494
1495 return "(NONE)";
1496 }
1497
SSL_CIPHER_standard_name(const SSL_CIPHER * cipher)1498 const char *SSL_CIPHER_standard_name(const SSL_CIPHER *cipher) {
1499 return cipher->standard_name;
1500 }
1501
SSL_CIPHER_get_kx_name(const SSL_CIPHER * cipher)1502 const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) {
1503 if (cipher == NULL) {
1504 return "";
1505 }
1506
1507 switch (cipher->algorithm_mkey) {
1508 case SSL_kRSA:
1509 return "RSA";
1510
1511 case SSL_kECDHE:
1512 switch (cipher->algorithm_auth) {
1513 case SSL_aECDSA:
1514 return "ECDHE_ECDSA";
1515 case SSL_aRSA:
1516 return "ECDHE_RSA";
1517 case SSL_aPSK:
1518 return "ECDHE_PSK";
1519 default:
1520 assert(0);
1521 return "UNKNOWN";
1522 }
1523
1524 case SSL_kPSK:
1525 assert(cipher->algorithm_auth == SSL_aPSK);
1526 return "PSK";
1527
1528 case SSL_kGENERIC:
1529 assert(cipher->algorithm_auth == SSL_aGENERIC);
1530 return "GENERIC";
1531
1532 default:
1533 assert(0);
1534 return "UNKNOWN";
1535 }
1536 }
1537
SSL_CIPHER_get_rfc_name(const SSL_CIPHER * cipher)1538 char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher) {
1539 if (cipher == NULL) {
1540 return NULL;
1541 }
1542
1543 return OPENSSL_strdup(SSL_CIPHER_standard_name(cipher));
1544 }
1545
SSL_CIPHER_get_bits(const SSL_CIPHER * cipher,int * out_alg_bits)1546 int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *out_alg_bits) {
1547 if (cipher == NULL) {
1548 return 0;
1549 }
1550
1551 int alg_bits, strength_bits;
1552 switch (cipher->algorithm_enc) {
1553 case SSL_AES128:
1554 case SSL_AES128GCM:
1555 alg_bits = 128;
1556 strength_bits = 128;
1557 break;
1558
1559 case SSL_AES256:
1560 case SSL_AES256GCM:
1561 case SSL_CHACHA20POLY1305:
1562 alg_bits = 256;
1563 strength_bits = 256;
1564 break;
1565
1566 case SSL_3DES:
1567 alg_bits = 168;
1568 strength_bits = 112;
1569 break;
1570
1571 case SSL_eNULL:
1572 alg_bits = 0;
1573 strength_bits = 0;
1574 break;
1575
1576 default:
1577 assert(0);
1578 alg_bits = 0;
1579 strength_bits = 0;
1580 }
1581
1582 if (out_alg_bits != NULL) {
1583 *out_alg_bits = alg_bits;
1584 }
1585 return strength_bits;
1586 }
1587
SSL_CIPHER_description(const SSL_CIPHER * cipher,char * buf,int len)1588 const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,
1589 int len) {
1590 const char *kx, *au, *enc, *mac;
1591 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
1592
1593 alg_mkey = cipher->algorithm_mkey;
1594 alg_auth = cipher->algorithm_auth;
1595 alg_enc = cipher->algorithm_enc;
1596 alg_mac = cipher->algorithm_mac;
1597
1598 switch (alg_mkey) {
1599 case SSL_kRSA:
1600 kx = "RSA";
1601 break;
1602
1603 case SSL_kECDHE:
1604 kx = "ECDH";
1605 break;
1606
1607 case SSL_kPSK:
1608 kx = "PSK";
1609 break;
1610
1611 case SSL_kGENERIC:
1612 kx = "GENERIC";
1613 break;
1614
1615 default:
1616 kx = "unknown";
1617 }
1618
1619 switch (alg_auth) {
1620 case SSL_aRSA:
1621 au = "RSA";
1622 break;
1623
1624 case SSL_aECDSA:
1625 au = "ECDSA";
1626 break;
1627
1628 case SSL_aPSK:
1629 au = "PSK";
1630 break;
1631
1632 case SSL_aGENERIC:
1633 au = "GENERIC";
1634 break;
1635
1636 default:
1637 au = "unknown";
1638 break;
1639 }
1640
1641 switch (alg_enc) {
1642 case SSL_3DES:
1643 enc = "3DES(168)";
1644 break;
1645
1646 case SSL_AES128:
1647 enc = "AES(128)";
1648 break;
1649
1650 case SSL_AES256:
1651 enc = "AES(256)";
1652 break;
1653
1654 case SSL_AES128GCM:
1655 enc = "AESGCM(128)";
1656 break;
1657
1658 case SSL_AES256GCM:
1659 enc = "AESGCM(256)";
1660 break;
1661
1662 case SSL_CHACHA20POLY1305:
1663 enc = "ChaCha20-Poly1305";
1664 break;
1665
1666 case SSL_eNULL:
1667 enc="None";
1668 break;
1669
1670 default:
1671 enc = "unknown";
1672 break;
1673 }
1674
1675 switch (alg_mac) {
1676 case SSL_SHA1:
1677 mac = "SHA1";
1678 break;
1679
1680 case SSL_AEAD:
1681 mac = "AEAD";
1682 break;
1683
1684 default:
1685 mac = "unknown";
1686 break;
1687 }
1688
1689 if (buf == NULL) {
1690 len = 128;
1691 buf = (char *)OPENSSL_malloc(len);
1692 if (buf == NULL) {
1693 return NULL;
1694 }
1695 } else if (len < 128) {
1696 return "Buffer too small";
1697 }
1698
1699 BIO_snprintf(buf, len, "%-23s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n",
1700 cipher->name, kx, au, enc, mac);
1701 return buf;
1702 }
1703
SSL_CIPHER_get_version(const SSL_CIPHER * cipher)1704 const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher) {
1705 return "TLSv1/SSLv3";
1706 }
1707
STACK_OF(SSL_COMP)1708 STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void) { return NULL; }
1709
SSL_COMP_add_compression_method(int id,COMP_METHOD * cm)1710 int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) { return 1; }
1711
SSL_COMP_get_name(const COMP_METHOD * comp)1712 const char *SSL_COMP_get_name(const COMP_METHOD *comp) { return NULL; }
1713
SSL_COMP_get0_name(const SSL_COMP * comp)1714 const char *SSL_COMP_get0_name(const SSL_COMP *comp) { return comp->name; }
1715
SSL_COMP_get_id(const SSL_COMP * comp)1716 int SSL_COMP_get_id(const SSL_COMP *comp) { return comp->id; }
1717
SSL_COMP_free_compression_methods(void)1718 void SSL_COMP_free_compression_methods(void) {}
1719