Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 22df69103f807d92595c67ea421aa51b0b34ed13 / . / ssl / ssl_cipher.cc
blob: f1a215fc6fe33cc1207040a85e91f42c42739d16 [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57/* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110/* ====================================================================
111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112 * ECC cipher suite support in OpenSSL originally developed by
113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
114 */
115/* ====================================================================
116 * Copyright 2005 Nokia. All rights reserved.
117 *
118 * The portions of the attached software ("Contribution") is developed by
119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
120 * license.
121 *
122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
124 * support (see RFC 4279) to OpenSSL.
125 *
126 * No patent licenses or other rights except those expressly stated in
127 * the OpenSSL open source license shall be deemed granted or received
128 * expressly, by implication, estoppel, or otherwise.
129 *
130 * No assurances are provided by Nokia that the Contribution does not
131 * infringe the patent or other intellectual property rights of any third
132 * party or that the license provides you with all the necessary rights
133 * to make use of the Contribution.
134 *
135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
139 * OTHERWISE. */
140
David Benjamin9e4e01e2015-09-15 01:48:04 -0400[diff] [blame]141#include <openssl/ssl.h>
142
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]143#include <assert.h>
David Benjaminf0ae1702015-04-07 23:05:04 -0400[diff] [blame]144#include <string.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]145
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]146#include <openssl/buf.h>
David Benjaminf0ae1702015-04-07 23:05:04 -0400[diff] [blame]147#include <openssl/err.h>
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]148#include <openssl/md5.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]149#include <openssl/mem.h>
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]150#include <openssl/sha.h>
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]151#include <openssl/stack.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]152
David Benjamin2ee94aa2015-04-07 22:38:30 -0400[diff] [blame]153#include "internal.h"
Steven Valdezcb966542016-08-17 16:56:14 -0400[diff] [blame]154#include "../crypto/internal.h"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]155
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]156
David Benjamin86e95b82017-07-18 16:34:25 -0400[diff] [blame]157namespace bssl {
158
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]159/* kCiphers is an array of all supported ciphers, sorted by id. */
David Benjamin20c37312015-11-11 21:33:18 -0800[diff] [blame]160static const SSL_CIPHER kCiphers[] = {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]161 /* The RSA ciphers */
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]162 /* Cipher 02 */
163 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]164 SSL3_TXT_RSA_NULL_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]165 "TLS_RSA_WITH_NULL_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]166 SSL3_CK_RSA_NULL_SHA,
167 SSL_kRSA,
168 SSL_aRSA,
169 SSL_eNULL,
170 SSL_SHA1,
171 SSL_HANDSHAKE_MAC_DEFAULT,
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]172 },
173
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]174 /* Cipher 0A */
175 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]176 SSL3_TXT_RSA_DES_192_CBC3_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]177 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]178 SSL3_CK_RSA_DES_192_CBC3_SHA,
179 SSL_kRSA,
180 SSL_aRSA,
181 SSL_3DES,
182 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]183 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]184 },
185
186
187 /* New AES ciphersuites */
188
189 /* Cipher 2F */
190 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]191 TLS1_TXT_RSA_WITH_AES_128_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]192 "TLS_RSA_WITH_AES_128_CBC_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]193 TLS1_CK_RSA_WITH_AES_128_SHA,
194 SSL_kRSA,
195 SSL_aRSA,
196 SSL_AES128,
197 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]198 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]199 },
200
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]201 /* Cipher 35 */
202 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]203 TLS1_TXT_RSA_WITH_AES_256_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]204 "TLS_RSA_WITH_AES_256_CBC_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]205 TLS1_CK_RSA_WITH_AES_256_SHA,
206 SSL_kRSA,
207 SSL_aRSA,
208 SSL_AES256,
209 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]210 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]211 },
212
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]213
214 /* TLS v1.2 ciphersuites */
215
216 /* Cipher 3C */
217 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]218 TLS1_TXT_RSA_WITH_AES_128_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]219 "TLS_RSA_WITH_AES_128_CBC_SHA256",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]220 TLS1_CK_RSA_WITH_AES_128_SHA256,
221 SSL_kRSA,
222 SSL_aRSA,
223 SSL_AES128,
224 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]225 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]226 },
227
228 /* Cipher 3D */
229 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]230 TLS1_TXT_RSA_WITH_AES_256_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]231 "TLS_RSA_WITH_AES_256_CBC_SHA256",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]232 TLS1_CK_RSA_WITH_AES_256_SHA256,
233 SSL_kRSA,
234 SSL_aRSA,
235 SSL_AES256,
236 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]237 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]238 },
239
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]240 /* PSK cipher suites. */
241
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]242 /* Cipher 8C */
243 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]244 TLS1_TXT_PSK_WITH_AES_128_CBC_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]245 "TLS_PSK_WITH_AES_128_CBC_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]246 TLS1_CK_PSK_WITH_AES_128_CBC_SHA,
247 SSL_kPSK,
248 SSL_aPSK,
249 SSL_AES128,
250 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]251 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]252 },
253
254 /* Cipher 8D */
255 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]256 TLS1_TXT_PSK_WITH_AES_256_CBC_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]257 "TLS_PSK_WITH_AES_256_CBC_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]258 TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
259 SSL_kPSK,
260 SSL_aPSK,
261 SSL_AES256,
262 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]263 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]264 },
265
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]266 /* GCM ciphersuites from RFC5288 */
267
268 /* Cipher 9C */
269 {
270 TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]271 "TLS_RSA_WITH_AES_128_GCM_SHA256",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]272 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
273 SSL_kRSA,
274 SSL_aRSA,
275 SSL_AES128GCM,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]276 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]277 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]278 },
279
280 /* Cipher 9D */
281 {
282 TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]283 "TLS_RSA_WITH_AES_256_GCM_SHA384",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]284 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
285 SSL_kRSA,
286 SSL_aRSA,
287 SSL_AES256GCM,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]288 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]289 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]290 },
291
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]292 /* TLS 1.3 suites. */
293
294 /* Cipher 1301 */
295 {
296 TLS1_TXT_AES_128_GCM_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]297 "TLS_AES_128_GCM_SHA256",
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]298 TLS1_CK_AES_128_GCM_SHA256,
299 SSL_kGENERIC,
300 SSL_aGENERIC,
301 SSL_AES128GCM,
302 SSL_AEAD,
303 SSL_HANDSHAKE_MAC_SHA256,
304 },
305
306 /* Cipher 1302 */
307 {
308 TLS1_TXT_AES_256_GCM_SHA384,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]309 "TLS_AES_256_GCM_SHA384",
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]310 TLS1_CK_AES_256_GCM_SHA384,
311 SSL_kGENERIC,
312 SSL_aGENERIC,
313 SSL_AES256GCM,
314 SSL_AEAD,
315 SSL_HANDSHAKE_MAC_SHA384,
316 },
317
318 /* Cipher 1303 */
319 {
320 TLS1_TXT_CHACHA20_POLY1305_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]321 "TLS_CHACHA20_POLY1305_SHA256",
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]322 TLS1_CK_CHACHA20_POLY1305_SHA256,
323 SSL_kGENERIC,
324 SSL_aGENERIC,
325 SSL_CHACHA20POLY1305,
326 SSL_AEAD,
327 SSL_HANDSHAKE_MAC_SHA256,
328 },
329
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]330 /* Cipher C009 */
331 {
332 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]333 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]334 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
335 SSL_kECDHE,
336 SSL_aECDSA,
337 SSL_AES128,
338 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]339 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]340 },
341
342 /* Cipher C00A */
343 {
344 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]345 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]346 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
347 SSL_kECDHE,
348 SSL_aECDSA,
349 SSL_AES256,
350 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]351 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]352 },
353
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]354 /* Cipher C013 */
355 {
356 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]357 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]358 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
359 SSL_kECDHE,
360 SSL_aRSA,
361 SSL_AES128,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]362 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]363 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]364 },
365
366 /* Cipher C014 */
367 {
368 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]369 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]370 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
371 SSL_kECDHE,
372 SSL_aRSA,
373 SSL_AES256,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]374 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]375 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]376 },
377
378
379 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
380
381 /* Cipher C023 */
382 {
383 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]384 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]385 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
386 SSL_kECDHE,
387 SSL_aECDSA,
388 SSL_AES128,
389 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]390 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]391 },
392
393 /* Cipher C024 */
394 {
395 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]396 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]397 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
398 SSL_kECDHE,
399 SSL_aECDSA,
400 SSL_AES256,
401 SSL_SHA384,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]402 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]403 },
404
405 /* Cipher C027 */
406 {
407 TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]408 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]409 TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
410 SSL_kECDHE,
411 SSL_aRSA,
412 SSL_AES128,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]413 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]414 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]415 },
416
417 /* Cipher C028 */
418 {
419 TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]420 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]421 TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
422 SSL_kECDHE,
423 SSL_aRSA,
424 SSL_AES256,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]425 SSL_SHA384,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]426 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]427 },
428
429
430 /* GCM based TLS v1.2 ciphersuites from RFC5289 */
431
432 /* Cipher C02B */
433 {
434 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]435 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]436 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
437 SSL_kECDHE,
438 SSL_aECDSA,
439 SSL_AES128GCM,
440 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]441 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]442 },
443
444 /* Cipher C02C */
445 {
446 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]447 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]448 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
449 SSL_kECDHE,
450 SSL_aECDSA,
451 SSL_AES256GCM,
452 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]453 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]454 },
455
456 /* Cipher C02F */
457 {
458 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]459 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]460 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
461 SSL_kECDHE,
462 SSL_aRSA,
463 SSL_AES128GCM,
464 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]465 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]466 },
467
468 /* Cipher C030 */
469 {
470 TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]471 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]472 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
473 SSL_kECDHE,
474 SSL_aRSA,
475 SSL_AES256GCM,
476 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]477 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]478 },
479
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]480 /* ECDHE-PSK cipher suites. */
481
482 /* Cipher C035 */
483 {
484 TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]485 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]486 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]487 SSL_kECDHE,
488 SSL_aPSK,
489 SSL_AES128,
490 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]491 SSL_HANDSHAKE_MAC_DEFAULT,
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]492 },
493
494 /* Cipher C036 */
495 {
496 TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]497 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]498 TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]499 SSL_kECDHE,
500 SSL_aPSK,
501 SSL_AES256,
502 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]503 SSL_HANDSHAKE_MAC_DEFAULT,
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]504 },
505
506 /* ChaCha20-Poly1305 cipher suites. */
507
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]508 /* Cipher CCA8 */
509 {
510 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]511 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]512 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
513 SSL_kECDHE,
514 SSL_aRSA,
515 SSL_CHACHA20POLY1305,
516 SSL_AEAD,
517 SSL_HANDSHAKE_MAC_SHA256,
518 },
519
520 /* Cipher CCA9 */
521 {
522 TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]523 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]524 TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
525 SSL_kECDHE,
526 SSL_aECDSA,
527 SSL_CHACHA20POLY1305,
528 SSL_AEAD,
529 SSL_HANDSHAKE_MAC_SHA256,
530 },
531
532 /* Cipher CCAB */
533 {
534 TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]535 "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]536 TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
537 SSL_kECDHE,
538 SSL_aPSK,
539 SSL_CHACHA20POLY1305,
540 SSL_AEAD,
541 SSL_HANDSHAKE_MAC_SHA256,
542 },
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]543
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]544};
545
Steven Valdezcb966542016-08-17 16:56:14 -0400[diff] [blame]546static const size_t kCiphersLen = OPENSSL_ARRAY_SIZE(kCiphers);
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]547
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]548#define CIPHER_ADD 1
549#define CIPHER_KILL 2
550#define CIPHER_DEL 3
551#define CIPHER_ORD 4
552#define CIPHER_SPECIAL 5
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]553
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]554typedef struct cipher_order_st {
555 const SSL_CIPHER *cipher;
556 int active;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]557 int in_group;
558 struct cipher_order_st *next, *prev;
559} CIPHER_ORDER;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]560
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]561typedef struct cipher_alias_st {
562 /* name is the name of the cipher alias. */
563 const char *name;
564
565 /* The following fields are bitmasks for the corresponding fields on
566 * |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the
567 * bit corresponding to the cipher's value is set to 1. If any bitmask is
568 * all zeroes, the alias matches nothing. Use |~0u| for the default value. */
569 uint32_t algorithm_mkey;
570 uint32_t algorithm_auth;
571 uint32_t algorithm_enc;
572 uint32_t algorithm_mac;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]573
574 /* min_version, if non-zero, matches all ciphers which were added in that
575 * particular protocol version. */
576 uint16_t min_version;
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]577} CIPHER_ALIAS;
578
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]579static const CIPHER_ALIAS kCipherAliases[] = {
Matthew Braithwaite651aaef2016-12-08 16:14:36 -0800[diff] [blame]580 /* "ALL" doesn't include eNULL. It must be explicitly enabled. */
581 {"ALL", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]582
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]583 /* The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]584
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]585 /* key exchange aliases
586 * (some of those using only a single bit here combine
Matthew Braithwaite7e06de52017-04-10 15:52:14 -0700[diff] [blame]587 * multiple key exchange algs according to the RFCs. */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]588 {"kRSA", SSL_kRSA, ~0u, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]589
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]590 {"kECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
591 {"kEECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
592 {"ECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]593
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]594 {"kPSK", SSL_kPSK, ~0u, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]595
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]596 /* server authentication aliases */
Matthew Braithwaite651aaef2016-12-08 16:14:36 -0800[diff] [blame]597 {"aRSA", ~0u, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
598 {"aECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
599 {"ECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]600 {"aPSK", ~0u, SSL_aPSK, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]601
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]602 /* aliases combining key exchange and server authentication */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]603 {"ECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
604 {"EECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
605 {"RSA", SSL_kRSA, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
606 {"PSK", SSL_kPSK, SSL_aPSK, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]607
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]608 /* symmetric encryption aliases */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]609 {"3DES", ~0u, ~0u, SSL_3DES, ~0u, 0},
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]610 {"AES128", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0},
Matthew Braithwaite651aaef2016-12-08 16:14:36 -0800[diff] [blame]611 {"AES256", ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0},
612 {"AES", ~0u, ~0u, SSL_AES, ~0u, 0},
613 {"AESGCM", ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0},
Adam Langley2e839242017-01-19 15:12:44 -0800[diff] [blame]614 {"CHACHA20", ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]615
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]616 /* MAC aliases */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]617 {"SHA1", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
618 {"SHA", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
Matthew Braithwaite651aaef2016-12-08 16:14:36 -0800[diff] [blame]619 {"SHA256", ~0u, ~0u, ~0u, SSL_SHA256, 0},
620 {"SHA384", ~0u, ~0u, ~0u, SSL_SHA384, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]621
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]622 /* Legacy protocol minimum version aliases. "TLSv1" is intentionally the
623 * same as "SSLv3". */
Matthew Braithwaite651aaef2016-12-08 16:14:36 -0800[diff] [blame]624 {"SSLv3", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
625 {"TLSv1", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
626 {"TLSv1.2", ~0u, ~0u, ~SSL_eNULL, ~0u, TLS1_2_VERSION},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]627
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]628 /* Legacy strength classes. */
Matthew Braithwaite651aaef2016-12-08 16:14:36 -0800[diff] [blame]629 {"HIGH", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
630 {"FIPS", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]631};
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]632
Steven Valdezcb966542016-08-17 16:56:14 -0400[diff] [blame]633static const size_t kCipherAliasesLen = OPENSSL_ARRAY_SIZE(kCipherAliases);
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]634
635static int ssl_cipher_id_cmp(const void *in_a, const void *in_b) {
David Benjamine64d2c72017-07-12 16:31:08 -0400[diff] [blame]636 const SSL_CIPHER *a = reinterpret_cast<const SSL_CIPHER *>(in_a);
637 const SSL_CIPHER *b = reinterpret_cast<const SSL_CIPHER *>(in_b);
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]638
639 if (a->id > b->id) {
640 return 1;
641 } else if (a->id < b->id) {
642 return -1;
643 } else {
644 return 0;
645 }
646}
647
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]648int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
649 size_t *out_mac_secret_len,
650 size_t *out_fixed_iv_len,
Steven Valdez2f3404b2017-05-24 16:54:35 -0400[diff] [blame]651 const SSL_CIPHER *cipher, uint16_t version, int is_dtls) {
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]652 *out_aead = NULL;
653 *out_mac_secret_len = 0;
654 *out_fixed_iv_len = 0;
Adam Langleyc9fb3752014-06-20 12:00:00 -0700[diff] [blame]655
Steven Valdez2f3404b2017-05-24 16:54:35 -0400[diff] [blame]656 const int is_tls12 = version == TLS1_2_VERSION && !is_dtls;
657
David Benjamin305e6fb2016-10-27 18:19:00 -0400[diff] [blame]658 if (cipher->algorithm_mac == SSL_AEAD) {
659 if (cipher->algorithm_enc == SSL_AES128GCM) {
Steven Valdez2f3404b2017-05-24 16:54:35 -0400[diff] [blame]660 *out_aead =
661 is_tls12 ? EVP_aead_aes_128_gcm_tls12() : EVP_aead_aes_128_gcm();
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]662 *out_fixed_iv_len = 4;
David Benjamin305e6fb2016-10-27 18:19:00 -0400[diff] [blame]663 } else if (cipher->algorithm_enc == SSL_AES256GCM) {
Steven Valdez2f3404b2017-05-24 16:54:35 -0400[diff] [blame]664 *out_aead =
665 is_tls12 ? EVP_aead_aes_256_gcm_tls12() : EVP_aead_aes_256_gcm();
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]666 *out_fixed_iv_len = 4;
David Benjamin305e6fb2016-10-27 18:19:00 -0400[diff] [blame]667 } else if (cipher->algorithm_enc == SSL_CHACHA20POLY1305) {
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]668 *out_aead = EVP_aead_chacha20_poly1305();
669 *out_fixed_iv_len = 12;
David Benjamin305e6fb2016-10-27 18:19:00 -0400[diff] [blame]670 } else {
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]671 return 0;
David Benjamin305e6fb2016-10-27 18:19:00 -0400[diff] [blame]672 }
673
674 /* In TLS 1.3, the iv_len is equal to the AEAD nonce length whereas the code
675 * above computes the TLS 1.2 construction. */
676 if (version >= TLS1_3_VERSION) {
677 *out_fixed_iv_len = EVP_AEAD_nonce_length(*out_aead);
678 }
679 } else if (cipher->algorithm_mac == SSL_SHA1) {
680 if (cipher->algorithm_enc == SSL_eNULL) {
681 if (version == SSL3_VERSION) {
682 *out_aead = EVP_aead_null_sha1_ssl3();
683 } else {
684 *out_aead = EVP_aead_null_sha1_tls();
685 }
686 } else if (cipher->algorithm_enc == SSL_3DES) {
687 if (version == SSL3_VERSION) {
688 *out_aead = EVP_aead_des_ede3_cbc_sha1_ssl3();
689 *out_fixed_iv_len = 8;
690 } else if (version == TLS1_VERSION) {
691 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv();
692 *out_fixed_iv_len = 8;
693 } else {
694 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls();
695 }
696 } else if (cipher->algorithm_enc == SSL_AES128) {
697 if (version == SSL3_VERSION) {
698 *out_aead = EVP_aead_aes_128_cbc_sha1_ssl3();
699 *out_fixed_iv_len = 16;
700 } else if (version == TLS1_VERSION) {
701 *out_aead = EVP_aead_aes_128_cbc_sha1_tls_implicit_iv();
702 *out_fixed_iv_len = 16;
703 } else {
704 *out_aead = EVP_aead_aes_128_cbc_sha1_tls();
705 }
706 } else if (cipher->algorithm_enc == SSL_AES256) {
707 if (version == SSL3_VERSION) {
708 *out_aead = EVP_aead_aes_256_cbc_sha1_ssl3();
709 *out_fixed_iv_len = 16;
710 } else if (version == TLS1_VERSION) {
711 *out_aead = EVP_aead_aes_256_cbc_sha1_tls_implicit_iv();
712 *out_fixed_iv_len = 16;
713 } else {
714 *out_aead = EVP_aead_aes_256_cbc_sha1_tls();
715 }
716 } else {
717 return 0;
718 }
719
720 *out_mac_secret_len = SHA_DIGEST_LENGTH;
721 } else if (cipher->algorithm_mac == SSL_SHA256) {
722 if (cipher->algorithm_enc == SSL_AES128) {
723 *out_aead = EVP_aead_aes_128_cbc_sha256_tls();
724 } else if (cipher->algorithm_enc == SSL_AES256) {
725 *out_aead = EVP_aead_aes_256_cbc_sha256_tls();
726 } else {
727 return 0;
728 }
729
730 *out_mac_secret_len = SHA256_DIGEST_LENGTH;
731 } else if (cipher->algorithm_mac == SSL_SHA384) {
732 if (cipher->algorithm_enc != SSL_AES256) {
733 return 0;
734 }
735
736 *out_aead = EVP_aead_aes_256_cbc_sha384_tls();
737 *out_mac_secret_len = SHA384_DIGEST_LENGTH;
738 } else {
739 return 0;
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]740 }
Steven Valdez79750562016-06-16 06:38:04 -0400[diff] [blame]741
Steven Valdez79750562016-06-16 06:38:04 -0400[diff] [blame]742 return 1;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]743}
Adam Langleyc9fb3752014-06-20 12:00:00 -0700[diff] [blame]744
Steven Valdez908ac192017-01-12 13:17:07 -0500[diff] [blame]745const EVP_MD *ssl_get_handshake_digest(uint32_t algorithm_prf,
746 uint16_t version) {
David Benjaminb0883312015-08-06 09:54:13 -0400[diff] [blame]747 switch (algorithm_prf) {
748 case SSL_HANDSHAKE_MAC_DEFAULT:
Steven Valdez908ac192017-01-12 13:17:07 -0500[diff] [blame]749 return version >= TLS1_2_VERSION ? EVP_sha256() : EVP_md5_sha1();
David Benjaminb0883312015-08-06 09:54:13 -0400[diff] [blame]750 case SSL_HANDSHAKE_MAC_SHA256:
751 return EVP_sha256();
752 case SSL_HANDSHAKE_MAC_SHA384:
753 return EVP_sha384();
754 default:
755 return NULL;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]756 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]757}
758
Adam Langley22df6912017-07-25 12:27:37 -0700[diff] [blame^]759static bool is_cipher_list_separator(char c, int is_strict) {
760 if (c == ':') {
761 return true;
762 }
763 return !is_strict && (c == ' ' || c == ';' || c == ',');
764}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]765
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]766/* rule_equals returns one iff the NUL-terminated string |rule| is equal to the
767 * |buf_len| bytes at |buf|. */
768static int rule_equals(const char *rule, const char *buf, size_t buf_len) {
769 /* |strncmp| alone only checks that |buf| is a prefix of |rule|. */
770 return strncmp(rule, buf, buf_len) == 0 && rule[buf_len] == '\0';
771}
772
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]773static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]774 CIPHER_ORDER **tail) {
775 if (curr == *tail) {
776 return;
777 }
778 if (curr == *head) {
779 *head = curr->next;
780 }
781 if (curr->prev != NULL) {
782 curr->prev->next = curr->next;
783 }
784 if (curr->next != NULL) {
785 curr->next->prev = curr->prev;
786 }
787 (*tail)->next = curr;
788 curr->prev = *tail;
789 curr->next = NULL;
790 *tail = curr;
791}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]792
793static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]794 CIPHER_ORDER **tail) {
795 if (curr == *head) {
796 return;
797 }
798 if (curr == *tail) {
799 *tail = curr->prev;
800 }
801 if (curr->next != NULL) {
802 curr->next->prev = curr->prev;
803 }
804 if (curr->prev != NULL) {
805 curr->prev->next = curr->next;
806 }
807 (*head)->prev = curr;
808 curr->next = *head;
809 curr->prev = NULL;
810 *head = curr;
811}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]812
David Benjamin82c9e902014-12-12 15:55:27 -0500[diff] [blame]813static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]814 CIPHER_ORDER *co_list,
815 CIPHER_ORDER **head_p,
816 CIPHER_ORDER **tail_p) {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]817 /* The set of ciphers is static, but some subset may be unsupported by
818 * |ssl_method|, so the list may be smaller. */
819 size_t co_list_num = 0;
David Benjamin54091232016-09-05 12:47:25 -0400[diff] [blame]820 for (size_t i = 0; i < kCiphersLen; i++) {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]821 const SSL_CIPHER *cipher = &kCiphers[i];
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]822 if (ssl_method->supports_cipher(cipher) &&
823 /* TLS 1.3 ciphers do not participate in this mechanism. */
824 cipher->algorithm_mkey != SSL_kGENERIC) {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]825 co_list[co_list_num].cipher = cipher;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]826 co_list[co_list_num].next = NULL;
827 co_list[co_list_num].prev = NULL;
828 co_list[co_list_num].active = 0;
829 co_list[co_list_num].in_group = 0;
830 co_list_num++;
831 }
832 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]833
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]834 /* Prepare linked list from list entries. */
835 if (co_list_num > 0) {
836 co_list[0].prev = NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]837
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]838 if (co_list_num > 1) {
839 co_list[0].next = &co_list[1];
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]840
David Benjamin54091232016-09-05 12:47:25 -0400[diff] [blame]841 for (size_t i = 1; i < co_list_num - 1; i++) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]842 co_list[i].prev = &co_list[i - 1];
843 co_list[i].next = &co_list[i + 1];
844 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]845
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]846 co_list[co_list_num - 1].prev = &co_list[co_list_num - 2];
847 }
848
849 co_list[co_list_num - 1].next = NULL;
850
851 *head_p = &co_list[0];
852 *tail_p = &co_list[co_list_num - 1];
853 }
854}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]855
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]856/* ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its
857 * parameters in the linked list from |*head_p| to |*tail_p|. It writes the new
858 * head and tail of the list to |*head_p| and |*tail_p|, respectively.
859 *
860 * - If |cipher_id| is non-zero, only that cipher is selected.
861 * - Otherwise, if |strength_bits| is non-negative, it selects ciphers
862 * of that strength.
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]863 * - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]864 * |min_version|. */
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]865static void ssl_cipher_apply_rule(
David Benjamin107db582015-04-08 00:41:59 -0400[diff] [blame]866 uint32_t cipher_id, uint32_t alg_mkey, uint32_t alg_auth,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]867 uint32_t alg_enc, uint32_t alg_mac, uint16_t min_version, int rule,
868 int strength_bits, int in_group, CIPHER_ORDER **head_p,
869 CIPHER_ORDER **tail_p) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]870 CIPHER_ORDER *head, *tail, *curr, *next, *last;
871 const SSL_CIPHER *cp;
872 int reverse = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]873
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]874 if (cipher_id == 0 && strength_bits == -1 && min_version == 0 &&
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]875 (alg_mkey == 0 || alg_auth == 0 || alg_enc == 0 || alg_mac == 0)) {
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]876 /* The rule matches nothing, so bail early. */
877 return;
878 }
879
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]880 if (rule == CIPHER_DEL) {
881 /* needed to maintain sorting between currently deleted ciphers */
882 reverse = 1;
883 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]884
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]885 head = *head_p;
886 tail = *tail_p;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]887
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]888 if (reverse) {
889 next = tail;
890 last = head;
891 } else {
892 next = head;
893 last = tail;
894 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]895
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]896 curr = NULL;
897 for (;;) {
898 if (curr == last) {
899 break;
900 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]901
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]902 curr = next;
903 if (curr == NULL) {
904 break;
905 }
Adam Langleye3142a72014-07-24 17:56:48 -0700[diff] [blame]906
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]907 next = reverse ? curr->prev : curr->next;
908 cp = curr->cipher;
Adam Langleye3142a72014-07-24 17:56:48 -0700[diff] [blame]909
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]910 /* Selection criteria is either a specific cipher, the value of
911 * |strength_bits|, or the algorithms used. */
912 if (cipher_id != 0) {
913 if (cipher_id != cp->id) {
914 continue;
915 }
916 } else if (strength_bits >= 0) {
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]917 if (strength_bits != SSL_CIPHER_get_bits(cp, NULL)) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]918 continue;
919 }
David Benjamin881f1962016-08-10 18:29:12 -0400[diff] [blame]920 } else {
921 if (!(alg_mkey & cp->algorithm_mkey) ||
922 !(alg_auth & cp->algorithm_auth) ||
923 !(alg_enc & cp->algorithm_enc) ||
924 !(alg_mac & cp->algorithm_mac) ||
925 (min_version != 0 && SSL_CIPHER_get_min_version(cp) != min_version)) {
926 continue;
927 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]928 }
Adam Langleye3142a72014-07-24 17:56:48 -0700[diff] [blame]929
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]930 /* add the cipher if it has not been added yet. */
931 if (rule == CIPHER_ADD) {
932 /* reverse == 0 */
933 if (!curr->active) {
934 ll_append_tail(&head, curr, &tail);
935 curr->active = 1;
936 curr->in_group = in_group;
937 }
938 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]939
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]940 /* Move the added cipher to this location */
941 else if (rule == CIPHER_ORD) {
942 /* reverse == 0 */
943 if (curr->active) {
944 ll_append_tail(&head, curr, &tail);
945 curr->in_group = 0;
946 }
947 } else if (rule == CIPHER_DEL) {
948 /* reverse == 1 */
949 if (curr->active) {
950 /* most recently deleted ciphersuites get best positions
951 * for any future CIPHER_ADD (note that the CIPHER_DEL loop
952 * works in reverse to maintain the order) */
953 ll_append_head(&head, curr, &tail);
954 curr->active = 0;
955 curr->in_group = 0;
956 }
957 } else if (rule == CIPHER_KILL) {
958 /* reverse == 0 */
959 if (head == curr) {
960 head = curr->next;
961 } else {
962 curr->prev->next = curr->next;
963 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]964
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]965 if (tail == curr) {
966 tail = curr->prev;
967 }
968 curr->active = 0;
969 if (curr->next != NULL) {
970 curr->next->prev = curr->prev;
971 }
972 if (curr->prev != NULL) {
973 curr->prev->next = curr->next;
974 }
975 curr->next = NULL;
976 curr->prev = NULL;
977 }
978 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]979
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]980 *head_p = head;
981 *tail_p = tail;
982}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]983
984static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]985 CIPHER_ORDER **tail_p) {
986 int max_strength_bits, i, *number_uses;
987 CIPHER_ORDER *curr;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]988
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]989 /* This routine sorts the ciphers with descending strength. The sorting must
990 * keep the pre-sorted sequence, so we apply the normal sorting routine as
991 * '+' movement to the end of the list. */
992 max_strength_bits = 0;
993 curr = *head_p;
994 while (curr != NULL) {
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]995 if (curr->active &&
996 SSL_CIPHER_get_bits(curr->cipher, NULL) > max_strength_bits) {
997 max_strength_bits = SSL_CIPHER_get_bits(curr->cipher, NULL);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]998 }
999 curr = curr->next;
1000 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1001
David Benjamine64d2c72017-07-12 16:31:08 -0400[diff] [blame]1002 number_uses = (int *)OPENSSL_malloc((max_strength_bits + 1) * sizeof(int));
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1003 if (!number_uses) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1004 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1005 return 0;
1006 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1007 OPENSSL_memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int));
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1008
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1009 /* Now find the strength_bits values actually used. */
1010 curr = *head_p;
1011 while (curr != NULL) {
1012 if (curr->active) {
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1013 number_uses[SSL_CIPHER_get_bits(curr->cipher, NULL)]++;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1014 }
1015 curr = curr->next;
1016 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1017
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1018 /* Go through the list of used strength_bits values in descending order. */
1019 for (i = max_strength_bits; i >= 0; i--) {
1020 if (number_uses[i] > 0) {
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1021 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i, 0, head_p, tail_p);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1022 }
1023 }
1024
1025 OPENSSL_free(number_uses);
1026 return 1;
1027}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1028
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1029static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method,
1030 const char *rule_str,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1031 CIPHER_ORDER **head_p,
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]1032 CIPHER_ORDER **tail_p, int strict) {
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1033 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1034 uint16_t min_version;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1035 const char *l, *buf;
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]1036 int multi, skip_rule, rule, in_group = 0, has_group = 0;
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1037 size_t j, buf_len;
1038 uint32_t cipher_id;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1039 char ch;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1040
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1041 l = rule_str;
1042 for (;;) {
1043 ch = *l;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1044
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1045 if (ch == '\0') {
1046 break; /* done */
1047 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1048
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1049 if (in_group) {
1050 if (ch == ']') {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1051 if (*tail_p) {
1052 (*tail_p)->in_group = 0;
1053 }
1054 in_group = 0;
1055 l++;
1056 continue;
1057 }
David Benjamin37d92462014-09-20 17:54:24 -0400[diff] [blame]1058
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1059 if (ch == '|') {
1060 rule = CIPHER_ADD;
1061 l++;
1062 continue;
1063 } else if (!(ch >= 'a' && ch <= 'z') && !(ch >= 'A' && ch <= 'Z') &&
1064 !(ch >= '0' && ch <= '9')) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1065 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP);
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1066 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1067 } else {
1068 rule = CIPHER_ADD;
1069 }
1070 } else if (ch == '-') {
1071 rule = CIPHER_DEL;
1072 l++;
1073 } else if (ch == '+') {
1074 rule = CIPHER_ORD;
1075 l++;
1076 } else if (ch == '!') {
1077 rule = CIPHER_KILL;
1078 l++;
1079 } else if (ch == '@') {
1080 rule = CIPHER_SPECIAL;
1081 l++;
1082 } else if (ch == '[') {
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]1083 assert(!in_group);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1084 in_group = 1;
1085 has_group = 1;
1086 l++;
1087 continue;
1088 } else {
1089 rule = CIPHER_ADD;
1090 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1091
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1092 /* If preference groups are enabled, the only legal operator is +.
1093 * Otherwise the in_group bits will get mixed up. */
1094 if (has_group && rule != CIPHER_ADD) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1095 OPENSSL_PUT_ERROR(SSL, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1096 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1097 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1098
Adam Langley22df6912017-07-25 12:27:37 -0700[diff] [blame^]1099 if (is_cipher_list_separator(ch, strict)) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1100 l++;
1101 continue;
1102 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1103
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1104 multi = 0;
1105 cipher_id = 0;
1106 alg_mkey = ~0u;
1107 alg_auth = ~0u;
1108 alg_enc = ~0u;
1109 alg_mac = ~0u;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1110 min_version = 0;
1111 skip_rule = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1112
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1113 for (;;) {
1114 ch = *l;
1115 buf = l;
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1116 buf_len = 0;
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]1117 while ((ch >= 'A' && ch <= 'Z') || (ch >= '0' && ch <= '9') ||
1118 (ch >= 'a' && ch <= 'z') || ch == '-' || ch == '.' || ch == '_') {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1119 ch = *(++l);
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1120 buf_len++;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1121 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1122
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1123 if (buf_len == 0) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1124 /* We hit something we cannot deal with, it is no command or separator
1125 * nor alphanumeric, so we call this an error. */
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1126 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
Adam Langleyf99f2442016-10-02 09:53:38 -0700[diff] [blame]1127 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1128 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1129
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1130 if (rule == CIPHER_SPECIAL) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1131 break;
1132 }
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1133
1134 /* Look for a matching exact cipher. These aren't allowed in multipart
1135 * rules. */
1136 if (!multi && ch != '+') {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1137 for (j = 0; j < kCiphersLen; j++) {
1138 const SSL_CIPHER *cipher = &kCiphers[j];
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]1139 if (rule_equals(cipher->name, buf, buf_len) ||
1140 rule_equals(cipher->standard_name, buf, buf_len)) {
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1141 cipher_id = cipher->id;
1142 break;
1143 }
1144 }
1145 }
1146 if (cipher_id == 0) {
1147 /* If not an exact cipher, look for a matching cipher alias. */
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1148 for (j = 0; j < kCipherAliasesLen; j++) {
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1149 if (rule_equals(kCipherAliases[j].name, buf, buf_len)) {
1150 alg_mkey &= kCipherAliases[j].algorithm_mkey;
1151 alg_auth &= kCipherAliases[j].algorithm_auth;
1152 alg_enc &= kCipherAliases[j].algorithm_enc;
1153 alg_mac &= kCipherAliases[j].algorithm_mac;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1154
1155 if (min_version != 0 &&
1156 min_version != kCipherAliases[j].min_version) {
1157 skip_rule = 1;
1158 } else {
1159 min_version = kCipherAliases[j].min_version;
1160 }
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1161 break;
1162 }
1163 }
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1164 if (j == kCipherAliasesLen) {
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1165 skip_rule = 1;
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]1166 if (strict) {
1167 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1168 return 0;
1169 }
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1170 }
1171 }
1172
1173 /* Check for a multipart rule. */
1174 if (ch != '+') {
1175 break;
1176 }
1177 l++;
1178 multi = 1;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1179 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1180
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1181 /* Ok, we have the rule, now apply it. */
1182 if (rule == CIPHER_SPECIAL) {
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]1183 if (buf_len != 8 || strncmp(buf, "STRENGTH", 8) != 0) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1184 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]1185 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1186 }
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]1187 if (!ssl_cipher_strength_sort(head_p, tail_p)) {
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1188 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1189 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1190
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1191 /* We do not support any "multi" options together with "@", so throw away
1192 * the rest of the command, if any left, until end or ':' is found. */
Adam Langley22df6912017-07-25 12:27:37 -0700[diff] [blame^]1193 while (*l != '\0' && !is_cipher_list_separator(*l, strict)) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1194 l++;
1195 }
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1196 } else if (!skip_rule) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1197 ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth, alg_enc, alg_mac,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1198 min_version, rule, -1, in_group, head_p, tail_p);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1199 }
1200 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1201
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1202 if (in_group) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1203 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1204 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1205 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1206
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1207 return 1;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1208}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1209
Matthew Braithwaite6ad20dc2017-02-21 16:41:33 -0800[diff] [blame]1210int ssl_create_cipher_list(
1211 const SSL_PROTOCOL_METHOD *ssl_method,
1212 struct ssl_cipher_preference_list_st **out_cipher_list,
1213 const char *rule_str, int strict) {
David Benjamind2cb1c12016-11-02 17:49:09 -0400[diff] [blame]1214 STACK_OF(SSL_CIPHER) *cipherstack = NULL;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1215 CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1216 uint8_t *in_group_flags = NULL;
1217 unsigned int num_in_group_flags = 0;
1218 struct ssl_cipher_preference_list_st *pref_list = NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1219
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1220 /* Return with error if nothing to do. */
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1221 if (rule_str == NULL || out_cipher_list == NULL) {
Matthew Braithwaite6ad20dc2017-02-21 16:41:33 -0800[diff] [blame]1222 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1223 }
David Benjamin5213df42014-08-20 14:19:54 -0400[diff] [blame]1224
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1225 /* Now we have to collect the available ciphers from the compiled in ciphers.
1226 * We cannot get more than the number compiled in, so it is used for
1227 * allocation. */
David Benjamine64d2c72017-07-12 16:31:08 -0400[diff] [blame]1228 co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * kCiphersLen);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1229 if (co_list == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1230 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Matthew Braithwaite6ad20dc2017-02-21 16:41:33 -0800[diff] [blame]1231 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1232 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1233
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1234 ssl_cipher_collect_ciphers(ssl_method, co_list, &head, &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1235
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1236 /* Now arrange all ciphers by preference:
1237 * TODO(davidben): Compute this order once and copy it. */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1238
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]1239 /* Everything else being equal, prefer ECDHE_ECDSA and ECDHE_RSA over other
1240 * key exchange mechanisms */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1241 ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, ~0u, ~0u, 0, CIPHER_ADD, -1,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1242 0, &head, &tail);
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1243 ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0,
1244 &head, &tail);
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1245 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head,
1246 &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1247
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1248 /* Order the bulk ciphers. First the preferred AEAD ciphers. We prefer
1249 * CHACHA20 unless there is hardware support for fast and constant-time
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1250 * AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the
1251 * old one. */
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1252 if (EVP_has_aes_hardware()) {
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1253 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1254 &head, &tail);
David Benjamin43336652016-03-03 15:32:29 -0500[diff] [blame]1255 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1256 &head, &tail);
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1257 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
1258 -1, 0, &head, &tail);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1259 } else {
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1260 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
1261 -1, 0, &head, &tail);
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1262 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1263 &head, &tail);
David Benjamin43336652016-03-03 15:32:29 -0500[diff] [blame]1264 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1265 &head, &tail);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1266 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1267
David Benjamin43336652016-03-03 15:32:29 -0500[diff] [blame]1268 /* Then the legacy non-AEAD ciphers: AES_128_CBC, AES_256_CBC,
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]1269 * 3DES_EDE_CBC_SHA. */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1270 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, 0, CIPHER_ADD, -1, 0,
1271 &head, &tail);
David Benjamin43336652016-03-03 15:32:29 -0500[diff] [blame]1272 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, 0, CIPHER_ADD, -1, 0,
1273 &head, &tail);
1274 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, 0, CIPHER_ADD, -1, 0, &head,
1275 &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1276
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1277 /* Temporarily enable everything else for sorting */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1278 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0, &head,
1279 &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1280
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1281 /* Move ciphers without forward secrecy to the end. */
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1282 ssl_cipher_apply_rule(0, (SSL_kRSA | SSL_kPSK), ~0u, ~0u, ~0u, 0,
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1283 CIPHER_ORD, -1, 0, &head, &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1284
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1285 /* Now disable everything (maintaining the ordering!) */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1286 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head,
1287 &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1288
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1289 /* If the rule_string begins with DEFAULT, apply the default rule before
1290 * using the (possibly available) additional rules. */
David Benjamin11a7b3c2016-11-03 17:03:48 -0400[diff] [blame]1291 const char *rule_p = rule_str;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1292 if (strncmp(rule_str, "DEFAULT", 7) == 0) {
David Benjamin11a7b3c2016-11-03 17:03:48 -0400[diff] [blame]1293 if (!ssl_cipher_process_rulestr(ssl_method, SSL_DEFAULT_CIPHER_LIST, &head,
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]1294 &tail, strict)) {
David Benjamin11a7b3c2016-11-03 17:03:48 -0400[diff] [blame]1295 goto err;
1296 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1297 rule_p += 7;
1298 if (*rule_p == ':') {
1299 rule_p++;
1300 }
1301 }
Adam Langley858a88d2014-06-20 12:00:00 -0700[diff] [blame]1302
David Benjamin11a7b3c2016-11-03 17:03:48 -0400[diff] [blame]1303 if (*rule_p != '\0' &&
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]1304 !ssl_cipher_process_rulestr(ssl_method, rule_p, &head, &tail, strict)) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1305 goto err;
1306 }
1307
1308 /* Allocate new "cipherstack" for the result, return with error
1309 * if we cannot get one. */
1310 cipherstack = sk_SSL_CIPHER_new_null();
1311 if (cipherstack == NULL) {
1312 goto err;
1313 }
1314
David Benjamine64d2c72017-07-12 16:31:08 -0400[diff] [blame]1315 in_group_flags = (uint8_t *)OPENSSL_malloc(kCiphersLen);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1316 if (!in_group_flags) {
1317 goto err;
1318 }
1319
1320 /* The cipher selection for the list is done. The ciphers are added
1321 * to the resulting precedence to the STACK_OF(SSL_CIPHER). */
1322 for (curr = head; curr != NULL; curr = curr->next) {
1323 if (curr->active) {
David Benjamin2adb7ec2015-01-11 19:59:06 -0500[diff] [blame]1324 if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
1325 goto err;
1326 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1327 in_group_flags[num_in_group_flags++] = curr->in_group;
1328 }
1329 }
1330 OPENSSL_free(co_list); /* Not needed any longer */
1331 co_list = NULL;
1332
David Benjamine64d2c72017-07-12 16:31:08 -0400[diff] [blame]1333 pref_list = (ssl_cipher_preference_list_st *)OPENSSL_malloc(
1334 sizeof(struct ssl_cipher_preference_list_st));
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1335 if (!pref_list) {
1336 goto err;
1337 }
1338 pref_list->ciphers = cipherstack;
David Benjamine64d2c72017-07-12 16:31:08 -0400[diff] [blame]1339 pref_list->in_group_flags = (uint8_t *)OPENSSL_malloc(num_in_group_flags);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1340 if (!pref_list->in_group_flags) {
1341 goto err;
1342 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1343 OPENSSL_memcpy(pref_list->in_group_flags, in_group_flags, num_in_group_flags);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1344 OPENSSL_free(in_group_flags);
1345 in_group_flags = NULL;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1346 if (*out_cipher_list != NULL) {
1347 ssl_cipher_preference_list_free(*out_cipher_list);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1348 }
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1349 *out_cipher_list = pref_list;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1350 pref_list = NULL;
1351
David Benjamin91222b82017-03-09 20:10:56 -0500[diff] [blame]1352 /* Configuring an empty cipher list is an error but still updates the
1353 * output. */
1354 if (sk_SSL_CIPHER_num((*out_cipher_list)->ciphers) == 0) {
1355 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHER_MATCH);
1356 return 0;
1357 }
1358
Matthew Braithwaite6ad20dc2017-02-21 16:41:33 -0800[diff] [blame]1359 return 1;
Adam Langley858a88d2014-06-20 12:00:00 -0700[diff] [blame]1360
1361err:
David Benjamin2755a3e2015-04-22 16:17:58 -0400[diff] [blame]1362 OPENSSL_free(co_list);
1363 OPENSSL_free(in_group_flags);
1364 sk_SSL_CIPHER_free(cipherstack);
David Benjamin2755a3e2015-04-22 16:17:58 -0400[diff] [blame]1365 if (pref_list) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1366 OPENSSL_free(pref_list->in_group_flags);
1367 }
David Benjamin2755a3e2015-04-22 16:17:58 -0400[diff] [blame]1368 OPENSSL_free(pref_list);
Matthew Braithwaite6ad20dc2017-02-21 16:41:33 -0800[diff] [blame]1369 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1370}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1371
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1372uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher) {
1373 uint32_t id = cipher->id;
1374 /* All ciphers are SSLv3. */
1375 assert((id & 0xff000000) == 0x03000000);
1376 return id & 0xffff;
1377}
1378
David Benjamin86e95b82017-07-18 16:34:25 -0400[diff] [blame]1379uint32_t ssl_cipher_auth_mask_for_key(const EVP_PKEY *key) {
1380 switch (EVP_PKEY_id(key)) {
1381 case EVP_PKEY_RSA:
1382 return SSL_aRSA;
1383 case EVP_PKEY_EC:
1384 case EVP_PKEY_ED25519:
1385 /* Ed25519 keys in TLS 1.2 repurpose the ECDSA ciphers. */
1386 return SSL_aECDSA;
1387 default:
1388 return 0;
1389 }
1390}
1391
1392int ssl_cipher_uses_certificate_auth(const SSL_CIPHER *cipher) {
1393 return (cipher->algorithm_auth & SSL_aCERT) != 0;
1394}
1395
1396int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) {
1397 /* Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. */
1398 if (cipher->algorithm_mkey & SSL_kECDHE) {
1399 return 1;
1400 }
1401
1402 /* It is optional in all others. */
1403 return 0;
1404}
1405
1406size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher) {
1407 size_t block_size;
1408 switch (cipher->algorithm_enc) {
1409 case SSL_3DES:
1410 block_size = 8;
1411 break;
1412 case SSL_AES128:
1413 case SSL_AES256:
1414 block_size = 16;
1415 break;
1416 default:
1417 return 0;
1418 }
1419
1420 /* All supported TLS 1.0 ciphers use SHA-1. */
1421 assert(cipher->algorithm_mac == SSL_SHA1);
1422 size_t ret = 1 + SHA_DIGEST_LENGTH;
1423 ret += block_size - (ret % block_size);
1424 return ret;
1425}
1426
1427} // namespace bssl
1428
1429using namespace bssl;
1430
1431const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value) {
1432 SSL_CIPHER c;
1433
1434 c.id = 0x03000000L | value;
1435 return reinterpret_cast<const SSL_CIPHER *>(bsearch(
1436 &c, kCiphers, kCiphersLen, sizeof(SSL_CIPHER), ssl_cipher_id_cmp));
1437}
1438
1439uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher) { return cipher->id; }
1440
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1441int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher) {
1442 return (cipher->algorithm_enc & SSL_AES) != 0;
1443}
1444
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1445int SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER *cipher) {
1446 return (cipher->algorithm_mac & SSL_SHA1) != 0;
1447}
1448
David Benjamina211aee2016-02-24 17:18:44 -0500[diff] [blame]1449int SSL_CIPHER_has_SHA256_HMAC(const SSL_CIPHER *cipher) {
1450 return (cipher->algorithm_mac & SSL_SHA256) != 0;
1451}
1452
Alessandro Ghedini48b6b8f2017-05-12 12:53:31 +0100[diff] [blame]1453int SSL_CIPHER_has_SHA384_HMAC(const SSL_CIPHER *cipher) {
1454 return (cipher->algorithm_mac & SSL_SHA384) != 0;
1455}
1456
Alessandro Ghedini0726fb72017-01-17 13:27:08 +0000[diff] [blame]1457int SSL_CIPHER_is_AEAD(const SSL_CIPHER *cipher) {
1458 return (cipher->algorithm_mac & SSL_AEAD) != 0;
1459}
1460
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1461int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher) {
David Benjaminc0125ef2015-09-09 09:11:07 -0400[diff] [blame]1462 return (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) != 0;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1463}
1464
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1465int SSL_CIPHER_is_AES128GCM(const SSL_CIPHER *cipher) {
1466 return (cipher->algorithm_enc & SSL_AES128GCM) != 0;
1467}
1468
Adam Langleyb00061c2015-11-16 17:44:52 -0800[diff] [blame]1469int SSL_CIPHER_is_AES128CBC(const SSL_CIPHER *cipher) {
1470 return (cipher->algorithm_enc & SSL_AES128) != 0;
1471}
1472
1473int SSL_CIPHER_is_AES256CBC(const SSL_CIPHER *cipher) {
1474 return (cipher->algorithm_enc & SSL_AES256) != 0;
1475}
1476
David Benjamin51a01a52015-10-29 13:19:56 -0400[diff] [blame]1477int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher) {
Adam Langley2e839242017-01-19 15:12:44 -0800[diff] [blame]1478 return (cipher->algorithm_enc & SSL_CHACHA20POLY1305) != 0;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1479}
1480
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1481int SSL_CIPHER_is_NULL(const SSL_CIPHER *cipher) {
1482 return (cipher->algorithm_enc & SSL_eNULL) != 0;
1483}
1484
1485int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher) {
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]1486 return (cipher->algorithm_enc & SSL_eNULL) == 0 &&
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1487 cipher->algorithm_mac != SSL_AEAD;
1488}
1489
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1490int SSL_CIPHER_is_ECDSA(const SSL_CIPHER *cipher) {
1491 return (cipher->algorithm_auth & SSL_aECDSA) != 0;
1492}
1493
David Benjamin4cc36ad2015-12-19 14:23:26 -0500[diff] [blame]1494int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher) {
1495 return (cipher->algorithm_mkey & SSL_kECDHE) != 0;
1496}
1497
David Benjamin745745d2017-01-10 08:34:14 -0500[diff] [blame]1498int SSL_CIPHER_is_static_RSA(const SSL_CIPHER *cipher) {
1499 return (cipher->algorithm_mkey & SSL_kRSA) != 0;
1500}
1501
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1502uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1503 if (cipher->algorithm_mkey == SSL_kGENERIC ||
1504 cipher->algorithm_auth == SSL_aGENERIC) {
1505 return TLS1_3_VERSION;
1506 }
1507
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1508 if (cipher->algorithm_prf != SSL_HANDSHAKE_MAC_DEFAULT) {
1509 /* Cipher suites before TLS 1.2 use the default PRF, while all those added
1510 * afterwards specify a particular hash. */
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1511 return TLS1_2_VERSION;
1512 }
1513 return SSL3_VERSION;
1514}
1515
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1516uint16_t SSL_CIPHER_get_max_version(const SSL_CIPHER *cipher) {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1517 if (cipher->algorithm_mkey == SSL_kGENERIC ||
1518 cipher->algorithm_auth == SSL_aGENERIC) {
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1519 return TLS1_3_VERSION;
1520 }
1521 return TLS1_2_VERSION;
1522}
1523
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1524/* return the actual cipher being used */
1525const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) {
1526 if (cipher != NULL) {
1527 return cipher->name;
1528 }
1529
1530 return "(NONE)";
1531}
1532
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]1533const char *SSL_CIPHER_standard_name(const SSL_CIPHER *cipher) {
1534 return cipher->standard_name;
1535}
1536
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1537const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) {
1538 if (cipher == NULL) {
1539 return "";
1540 }
1541
1542 switch (cipher->algorithm_mkey) {
1543 case SSL_kRSA:
1544 return "RSA";
1545
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1546 case SSL_kECDHE:
1547 switch (cipher->algorithm_auth) {
1548 case SSL_aECDSA:
1549 return "ECDHE_ECDSA";
1550 case SSL_aRSA:
1551 return "ECDHE_RSA";
1552 case SSL_aPSK:
1553 return "ECDHE_PSK";
1554 default:
1555 assert(0);
1556 return "UNKNOWN";
1557 }
1558
1559 case SSL_kPSK:
1560 assert(cipher->algorithm_auth == SSL_aPSK);
1561 return "PSK";
1562
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1563 case SSL_kGENERIC:
1564 assert(cipher->algorithm_auth == SSL_aGENERIC);
1565 return "GENERIC";
1566
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1567 default:
1568 assert(0);
1569 return "UNKNOWN";
1570 }
1571}
1572
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1573char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher) {
1574 if (cipher == NULL) {
1575 return NULL;
1576 }
1577
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]1578 return OPENSSL_strdup(SSL_CIPHER_standard_name(cipher));
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1579}
1580
1581int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *out_alg_bits) {
1582 if (cipher == NULL) {
1583 return 0;
1584 }
1585
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1586 int alg_bits, strength_bits;
1587 switch (cipher->algorithm_enc) {
1588 case SSL_AES128:
1589 case SSL_AES128GCM:
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1590 alg_bits = 128;
1591 strength_bits = 128;
1592 break;
1593
1594 case SSL_AES256:
1595 case SSL_AES256GCM:
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1596 case SSL_CHACHA20POLY1305:
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1597 alg_bits = 256;
1598 strength_bits = 256;
1599 break;
1600
1601 case SSL_3DES:
1602 alg_bits = 168;
1603 strength_bits = 112;
1604 break;
1605
1606 case SSL_eNULL:
1607 alg_bits = 0;
1608 strength_bits = 0;
1609 break;
1610
1611 default:
1612 assert(0);
1613 alg_bits = 0;
1614 strength_bits = 0;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1615 }
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1616
1617 if (out_alg_bits != NULL) {
1618 *out_alg_bits = alg_bits;
1619 }
1620 return strength_bits;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1621}
1622
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1623const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,
1624 int len) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1625 const char *kx, *au, *enc, *mac;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1626 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1627
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1628 alg_mkey = cipher->algorithm_mkey;
1629 alg_auth = cipher->algorithm_auth;
1630 alg_enc = cipher->algorithm_enc;
1631 alg_mac = cipher->algorithm_mac;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1632
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1633 switch (alg_mkey) {
1634 case SSL_kRSA:
1635 kx = "RSA";
1636 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1637
David Benjamin7061e282015-03-19 11:10:48 -0400[diff] [blame]1638 case SSL_kECDHE:
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1639 kx = "ECDH";
1640 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1641
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1642 case SSL_kPSK:
1643 kx = "PSK";
1644 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1645
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1646 case SSL_kGENERIC:
1647 kx = "GENERIC";
1648 break;
1649
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1650 default:
1651 kx = "unknown";
1652 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1653
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1654 switch (alg_auth) {
1655 case SSL_aRSA:
1656 au = "RSA";
1657 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1658
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1659 case SSL_aECDSA:
1660 au = "ECDSA";
1661 break;
Adam Langley4d4bff82014-06-20 12:00:00 -0700[diff] [blame]1662
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1663 case SSL_aPSK:
1664 au = "PSK";
1665 break;
Adam Langley4d4bff82014-06-20 12:00:00 -0700[diff] [blame]1666
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1667 case SSL_aGENERIC:
1668 au = "GENERIC";
1669 break;
1670
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1671 default:
1672 au = "unknown";
1673 break;
1674 }
Adam Langleyde0b2022014-06-20 12:00:00 -0700[diff] [blame]1675
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1676 switch (alg_enc) {
1677 case SSL_3DES:
1678 enc = "3DES(168)";
1679 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1680
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1681 case SSL_AES128:
1682 enc = "AES(128)";
1683 break;
1684
1685 case SSL_AES256:
1686 enc = "AES(256)";
1687 break;
1688
1689 case SSL_AES128GCM:
1690 enc = "AESGCM(128)";
1691 break;
1692
1693 case SSL_AES256GCM:
1694 enc = "AESGCM(256)";
1695 break;
1696
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1697 case SSL_CHACHA20POLY1305:
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1698 enc = "ChaCha20-Poly1305";
1699 break;
1700
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1701 case SSL_eNULL:
1702 enc="None";
1703 break;
1704
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1705 default:
1706 enc = "unknown";
1707 break;
1708 }
1709
1710 switch (alg_mac) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1711 case SSL_SHA1:
1712 mac = "SHA1";
1713 break;
1714
1715 case SSL_SHA256:
1716 mac = "SHA256";
1717 break;
1718
1719 case SSL_SHA384:
1720 mac = "SHA384";
1721 break;
1722
1723 case SSL_AEAD:
1724 mac = "AEAD";
1725 break;
1726
1727 default:
1728 mac = "unknown";
1729 break;
1730 }
1731
1732 if (buf == NULL) {
1733 len = 128;
David Benjamine64d2c72017-07-12 16:31:08 -0400[diff] [blame]1734 buf = (char *)OPENSSL_malloc(len);
David Benjamin1eed2c02015-02-08 23:20:06 -0500[diff] [blame]1735 if (buf == NULL) {
1736 return NULL;
1737 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1738 } else if (len < 128) {
1739 return "Buffer too small";
1740 }
1741
Brian Smith0687bdf2016-01-17 09:18:26 -1000[diff] [blame]1742 BIO_snprintf(buf, len, "%-23s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n",
1743 cipher->name, kx, au, enc, mac);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1744 return buf;
1745}
1746
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1747const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher) {
1748 return "TLSv1/SSLv3";
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1749}
1750
David Benjamind55bd792017-05-18 11:33:08 -0400[diff] [blame]1751STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void) { return NULL; }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1752
Matt Braithwaite6a1275b2015-06-26 12:09:10 -0700[diff] [blame]1753int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) { return 1; }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1754
Matt Braithwaite6a1275b2015-06-26 12:09:10 -0700[diff] [blame]1755const char *SSL_COMP_get_name(const COMP_METHOD *comp) { return NULL; }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1756
Adam Langley3e9e0432016-10-03 15:58:07 -0700[diff] [blame]1757void SSL_COMP_free_compression_methods(void) {}