Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 2f3404bb810a0a78ff0415b846d6264c7c691361 / . / ssl / ssl_cipher.c
blob: 01bb872675a3e169a0c872a1cc414895c3c02b15 [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57/* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110/* ====================================================================
111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112 * ECC cipher suite support in OpenSSL originally developed by
113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
114 */
115/* ====================================================================
116 * Copyright 2005 Nokia. All rights reserved.
117 *
118 * The portions of the attached software ("Contribution") is developed by
119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
120 * license.
121 *
122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
124 * support (see RFC 4279) to OpenSSL.
125 *
126 * No patent licenses or other rights except those expressly stated in
127 * the OpenSSL open source license shall be deemed granted or received
128 * expressly, by implication, estoppel, or otherwise.
129 *
130 * No assurances are provided by Nokia that the Contribution does not
131 * infringe the patent or other intellectual property rights of any third
132 * party or that the license provides you with all the necessary rights
133 * to make use of the Contribution.
134 *
135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
139 * OTHERWISE. */
140
David Benjamin9e4e01e2015-09-15 01:48:04 -0400[diff] [blame]141#include <openssl/ssl.h>
142
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]143#include <assert.h>
David Benjaminf0ae1702015-04-07 23:05:04 -0400[diff] [blame]144#include <string.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]145
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]146#include <openssl/buf.h>
David Benjaminf0ae1702015-04-07 23:05:04 -0400[diff] [blame]147#include <openssl/err.h>
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]148#include <openssl/md5.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]149#include <openssl/mem.h>
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]150#include <openssl/sha.h>
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]151#include <openssl/stack.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]152
David Benjamin2ee94aa2015-04-07 22:38:30 -0400[diff] [blame]153#include "internal.h"
Steven Valdezcb966542016-08-17 16:56:14 -0400[diff] [blame]154#include "../crypto/internal.h"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]155
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]156
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]157/* kCiphers is an array of all supported ciphers, sorted by id. */
David Benjamin20c37312015-11-11 21:33:18 -0800[diff] [blame]158static const SSL_CIPHER kCiphers[] = {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]159 /* The RSA ciphers */
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]160 /* Cipher 02 */
161 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]162 SSL3_TXT_RSA_NULL_SHA,
163 SSL3_CK_RSA_NULL_SHA,
164 SSL_kRSA,
165 SSL_aRSA,
166 SSL_eNULL,
167 SSL_SHA1,
168 SSL_HANDSHAKE_MAC_DEFAULT,
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]169 },
170
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]171 /* Cipher 0A */
172 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]173 SSL3_TXT_RSA_DES_192_CBC3_SHA,
174 SSL3_CK_RSA_DES_192_CBC3_SHA,
175 SSL_kRSA,
176 SSL_aRSA,
177 SSL_3DES,
178 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]179 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]180 },
181
182
183 /* New AES ciphersuites */
184
185 /* Cipher 2F */
186 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]187 TLS1_TXT_RSA_WITH_AES_128_SHA,
188 TLS1_CK_RSA_WITH_AES_128_SHA,
189 SSL_kRSA,
190 SSL_aRSA,
191 SSL_AES128,
192 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]193 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]194 },
195
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]196 /* Cipher 35 */
197 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]198 TLS1_TXT_RSA_WITH_AES_256_SHA,
199 TLS1_CK_RSA_WITH_AES_256_SHA,
200 SSL_kRSA,
201 SSL_aRSA,
202 SSL_AES256,
203 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]204 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]205 },
206
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]207
208 /* TLS v1.2 ciphersuites */
209
210 /* Cipher 3C */
211 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]212 TLS1_TXT_RSA_WITH_AES_128_SHA256,
213 TLS1_CK_RSA_WITH_AES_128_SHA256,
214 SSL_kRSA,
215 SSL_aRSA,
216 SSL_AES128,
217 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]218 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]219 },
220
221 /* Cipher 3D */
222 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]223 TLS1_TXT_RSA_WITH_AES_256_SHA256,
224 TLS1_CK_RSA_WITH_AES_256_SHA256,
225 SSL_kRSA,
226 SSL_aRSA,
227 SSL_AES256,
228 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]229 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]230 },
231
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]232 /* PSK cipher suites. */
233
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]234 /* Cipher 8C */
235 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]236 TLS1_TXT_PSK_WITH_AES_128_CBC_SHA,
237 TLS1_CK_PSK_WITH_AES_128_CBC_SHA,
238 SSL_kPSK,
239 SSL_aPSK,
240 SSL_AES128,
241 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]242 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]243 },
244
245 /* Cipher 8D */
246 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]247 TLS1_TXT_PSK_WITH_AES_256_CBC_SHA,
248 TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
249 SSL_kPSK,
250 SSL_aPSK,
251 SSL_AES256,
252 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]253 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]254 },
255
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]256 /* GCM ciphersuites from RFC5288 */
257
258 /* Cipher 9C */
259 {
260 TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]261 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
262 SSL_kRSA,
263 SSL_aRSA,
264 SSL_AES128GCM,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]265 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]266 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]267 },
268
269 /* Cipher 9D */
270 {
271 TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]272 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
273 SSL_kRSA,
274 SSL_aRSA,
275 SSL_AES256GCM,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]276 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]277 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]278 },
279
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]280 /* TLS 1.3 suites. */
281
282 /* Cipher 1301 */
283 {
284 TLS1_TXT_AES_128_GCM_SHA256,
285 TLS1_CK_AES_128_GCM_SHA256,
286 SSL_kGENERIC,
287 SSL_aGENERIC,
288 SSL_AES128GCM,
289 SSL_AEAD,
290 SSL_HANDSHAKE_MAC_SHA256,
291 },
292
293 /* Cipher 1302 */
294 {
295 TLS1_TXT_AES_256_GCM_SHA384,
296 TLS1_CK_AES_256_GCM_SHA384,
297 SSL_kGENERIC,
298 SSL_aGENERIC,
299 SSL_AES256GCM,
300 SSL_AEAD,
301 SSL_HANDSHAKE_MAC_SHA384,
302 },
303
304 /* Cipher 1303 */
305 {
306 TLS1_TXT_CHACHA20_POLY1305_SHA256,
307 TLS1_CK_CHACHA20_POLY1305_SHA256,
308 SSL_kGENERIC,
309 SSL_aGENERIC,
310 SSL_CHACHA20POLY1305,
311 SSL_AEAD,
312 SSL_HANDSHAKE_MAC_SHA256,
313 },
314
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]315 /* Cipher C009 */
316 {
317 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]318 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
319 SSL_kECDHE,
320 SSL_aECDSA,
321 SSL_AES128,
322 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]323 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]324 },
325
326 /* Cipher C00A */
327 {
328 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]329 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
330 SSL_kECDHE,
331 SSL_aECDSA,
332 SSL_AES256,
333 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]334 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]335 },
336
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]337 /* Cipher C013 */
338 {
339 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]340 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
341 SSL_kECDHE,
342 SSL_aRSA,
343 SSL_AES128,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]344 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]345 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]346 },
347
348 /* Cipher C014 */
349 {
350 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]351 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
352 SSL_kECDHE,
353 SSL_aRSA,
354 SSL_AES256,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]355 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]356 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]357 },
358
359
360 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
361
362 /* Cipher C023 */
363 {
364 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]365 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
366 SSL_kECDHE,
367 SSL_aECDSA,
368 SSL_AES128,
369 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]370 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]371 },
372
373 /* Cipher C024 */
374 {
375 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]376 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
377 SSL_kECDHE,
378 SSL_aECDSA,
379 SSL_AES256,
380 SSL_SHA384,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]381 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]382 },
383
384 /* Cipher C027 */
385 {
386 TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]387 TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
388 SSL_kECDHE,
389 SSL_aRSA,
390 SSL_AES128,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]391 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]392 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]393 },
394
395 /* Cipher C028 */
396 {
397 TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]398 TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
399 SSL_kECDHE,
400 SSL_aRSA,
401 SSL_AES256,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]402 SSL_SHA384,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]403 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]404 },
405
406
407 /* GCM based TLS v1.2 ciphersuites from RFC5289 */
408
409 /* Cipher C02B */
410 {
411 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]412 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
413 SSL_kECDHE,
414 SSL_aECDSA,
415 SSL_AES128GCM,
416 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]417 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]418 },
419
420 /* Cipher C02C */
421 {
422 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]423 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
424 SSL_kECDHE,
425 SSL_aECDSA,
426 SSL_AES256GCM,
427 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]428 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]429 },
430
431 /* Cipher C02F */
432 {
433 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]434 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
435 SSL_kECDHE,
436 SSL_aRSA,
437 SSL_AES128GCM,
438 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]439 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]440 },
441
442 /* Cipher C030 */
443 {
444 TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]445 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
446 SSL_kECDHE,
447 SSL_aRSA,
448 SSL_AES256GCM,
449 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]450 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]451 },
452
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]453 /* ECDHE-PSK cipher suites. */
454
455 /* Cipher C035 */
456 {
457 TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA,
458 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]459 SSL_kECDHE,
460 SSL_aPSK,
461 SSL_AES128,
462 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]463 SSL_HANDSHAKE_MAC_DEFAULT,
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]464 },
465
466 /* Cipher C036 */
467 {
468 TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA,
469 TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]470 SSL_kECDHE,
471 SSL_aPSK,
472 SSL_AES256,
473 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]474 SSL_HANDSHAKE_MAC_DEFAULT,
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]475 },
476
477 /* ChaCha20-Poly1305 cipher suites. */
478
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]479 /* Cipher CCA8 */
480 {
481 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
482 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
483 SSL_kECDHE,
484 SSL_aRSA,
485 SSL_CHACHA20POLY1305,
486 SSL_AEAD,
487 SSL_HANDSHAKE_MAC_SHA256,
488 },
489
490 /* Cipher CCA9 */
491 {
492 TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
493 TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
494 SSL_kECDHE,
495 SSL_aECDSA,
496 SSL_CHACHA20POLY1305,
497 SSL_AEAD,
498 SSL_HANDSHAKE_MAC_SHA256,
499 },
500
501 /* Cipher CCAB */
502 {
503 TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
504 TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
505 SSL_kECDHE,
506 SSL_aPSK,
507 SSL_CHACHA20POLY1305,
508 SSL_AEAD,
509 SSL_HANDSHAKE_MAC_SHA256,
510 },
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]511
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]512};
513
Steven Valdezcb966542016-08-17 16:56:14 -0400[diff] [blame]514static const size_t kCiphersLen = OPENSSL_ARRAY_SIZE(kCiphers);
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]515
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]516#define CIPHER_ADD 1
517#define CIPHER_KILL 2
518#define CIPHER_DEL 3
519#define CIPHER_ORD 4
520#define CIPHER_SPECIAL 5
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]521
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]522typedef struct cipher_order_st {
523 const SSL_CIPHER *cipher;
524 int active;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]525 int in_group;
526 struct cipher_order_st *next, *prev;
527} CIPHER_ORDER;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]528
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]529typedef struct cipher_alias_st {
530 /* name is the name of the cipher alias. */
531 const char *name;
532
533 /* The following fields are bitmasks for the corresponding fields on
534 * |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the
535 * bit corresponding to the cipher's value is set to 1. If any bitmask is
536 * all zeroes, the alias matches nothing. Use |~0u| for the default value. */
537 uint32_t algorithm_mkey;
538 uint32_t algorithm_auth;
539 uint32_t algorithm_enc;
540 uint32_t algorithm_mac;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]541
542 /* min_version, if non-zero, matches all ciphers which were added in that
543 * particular protocol version. */
544 uint16_t min_version;
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]545} CIPHER_ALIAS;
546
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]547static const CIPHER_ALIAS kCipherAliases[] = {
Matthew Braithwaite651aaef2016-12-08 16:14:36 -0800[diff] [blame]548 /* "ALL" doesn't include eNULL. It must be explicitly enabled. */
549 {"ALL", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]550
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]551 /* The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]552
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]553 /* key exchange aliases
554 * (some of those using only a single bit here combine
Matthew Braithwaite7e06de52017-04-10 15:52:14 -0700[diff] [blame]555 * multiple key exchange algs according to the RFCs. */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]556 {"kRSA", SSL_kRSA, ~0u, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]557
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]558 {"kECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
559 {"kEECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
560 {"ECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]561
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]562 {"kPSK", SSL_kPSK, ~0u, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]563
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]564 /* server authentication aliases */
Matthew Braithwaite651aaef2016-12-08 16:14:36 -0800[diff] [blame]565 {"aRSA", ~0u, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
566 {"aECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
567 {"ECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]568 {"aPSK", ~0u, SSL_aPSK, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]569
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]570 /* aliases combining key exchange and server authentication */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]571 {"ECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
572 {"EECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
573 {"RSA", SSL_kRSA, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
574 {"PSK", SSL_kPSK, SSL_aPSK, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]575
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]576 /* symmetric encryption aliases */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]577 {"3DES", ~0u, ~0u, SSL_3DES, ~0u, 0},
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]578 {"AES128", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0},
Matthew Braithwaite651aaef2016-12-08 16:14:36 -0800[diff] [blame]579 {"AES256", ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0},
580 {"AES", ~0u, ~0u, SSL_AES, ~0u, 0},
581 {"AESGCM", ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0},
Adam Langley2e839242017-01-19 15:12:44 -0800[diff] [blame]582 {"CHACHA20", ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]583
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]584 /* MAC aliases */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]585 {"SHA1", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
586 {"SHA", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
Matthew Braithwaite651aaef2016-12-08 16:14:36 -0800[diff] [blame]587 {"SHA256", ~0u, ~0u, ~0u, SSL_SHA256, 0},
588 {"SHA384", ~0u, ~0u, ~0u, SSL_SHA384, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]589
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]590 /* Legacy protocol minimum version aliases. "TLSv1" is intentionally the
591 * same as "SSLv3". */
Matthew Braithwaite651aaef2016-12-08 16:14:36 -0800[diff] [blame]592 {"SSLv3", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
593 {"TLSv1", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
594 {"TLSv1.2", ~0u, ~0u, ~SSL_eNULL, ~0u, TLS1_2_VERSION},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]595
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]596 /* Legacy strength classes. */
Matthew Braithwaite651aaef2016-12-08 16:14:36 -0800[diff] [blame]597 {"HIGH", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
598 {"FIPS", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]599};
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]600
Steven Valdezcb966542016-08-17 16:56:14 -0400[diff] [blame]601static const size_t kCipherAliasesLen = OPENSSL_ARRAY_SIZE(kCipherAliases);
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]602
603static int ssl_cipher_id_cmp(const void *in_a, const void *in_b) {
604 const SSL_CIPHER *a = in_a;
605 const SSL_CIPHER *b = in_b;
606
607 if (a->id > b->id) {
608 return 1;
609 } else if (a->id < b->id) {
610 return -1;
611 } else {
612 return 0;
613 }
614}
615
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]616const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value) {
617 SSL_CIPHER c;
618
619 c.id = 0x03000000L | value;
620 return bsearch(&c, kCiphers, kCiphersLen, sizeof(SSL_CIPHER),
621 ssl_cipher_id_cmp);
622}
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]623
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]624int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
625 size_t *out_mac_secret_len,
626 size_t *out_fixed_iv_len,
Steven Valdez2f3404b2017-05-24 16:54:35 -0400[diff] [blame^]627 const SSL_CIPHER *cipher, uint16_t version, int is_dtls) {
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]628 *out_aead = NULL;
629 *out_mac_secret_len = 0;
630 *out_fixed_iv_len = 0;
Adam Langleyc9fb3752014-06-20 12:00:00 -0700[diff] [blame]631
Steven Valdez2f3404b2017-05-24 16:54:35 -0400[diff] [blame^]632 const int is_tls12 = version == TLS1_2_VERSION && !is_dtls;
633
David Benjamin305e6fb2016-10-27 18:19:00 -0400[diff] [blame]634 if (cipher->algorithm_mac == SSL_AEAD) {
635 if (cipher->algorithm_enc == SSL_AES128GCM) {
Steven Valdez2f3404b2017-05-24 16:54:35 -0400[diff] [blame^]636 *out_aead =
637 is_tls12 ? EVP_aead_aes_128_gcm_tls12() : EVP_aead_aes_128_gcm();
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]638 *out_fixed_iv_len = 4;
David Benjamin305e6fb2016-10-27 18:19:00 -0400[diff] [blame]639 } else if (cipher->algorithm_enc == SSL_AES256GCM) {
Steven Valdez2f3404b2017-05-24 16:54:35 -0400[diff] [blame^]640 *out_aead =
641 is_tls12 ? EVP_aead_aes_256_gcm_tls12() : EVP_aead_aes_256_gcm();
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]642 *out_fixed_iv_len = 4;
David Benjamin305e6fb2016-10-27 18:19:00 -0400[diff] [blame]643 } else if (cipher->algorithm_enc == SSL_CHACHA20POLY1305) {
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]644 *out_aead = EVP_aead_chacha20_poly1305();
645 *out_fixed_iv_len = 12;
David Benjamin305e6fb2016-10-27 18:19:00 -0400[diff] [blame]646 } else {
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]647 return 0;
David Benjamin305e6fb2016-10-27 18:19:00 -0400[diff] [blame]648 }
649
650 /* In TLS 1.3, the iv_len is equal to the AEAD nonce length whereas the code
651 * above computes the TLS 1.2 construction. */
652 if (version >= TLS1_3_VERSION) {
653 *out_fixed_iv_len = EVP_AEAD_nonce_length(*out_aead);
654 }
655 } else if (cipher->algorithm_mac == SSL_SHA1) {
656 if (cipher->algorithm_enc == SSL_eNULL) {
657 if (version == SSL3_VERSION) {
658 *out_aead = EVP_aead_null_sha1_ssl3();
659 } else {
660 *out_aead = EVP_aead_null_sha1_tls();
661 }
662 } else if (cipher->algorithm_enc == SSL_3DES) {
663 if (version == SSL3_VERSION) {
664 *out_aead = EVP_aead_des_ede3_cbc_sha1_ssl3();
665 *out_fixed_iv_len = 8;
666 } else if (version == TLS1_VERSION) {
667 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv();
668 *out_fixed_iv_len = 8;
669 } else {
670 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls();
671 }
672 } else if (cipher->algorithm_enc == SSL_AES128) {
673 if (version == SSL3_VERSION) {
674 *out_aead = EVP_aead_aes_128_cbc_sha1_ssl3();
675 *out_fixed_iv_len = 16;
676 } else if (version == TLS1_VERSION) {
677 *out_aead = EVP_aead_aes_128_cbc_sha1_tls_implicit_iv();
678 *out_fixed_iv_len = 16;
679 } else {
680 *out_aead = EVP_aead_aes_128_cbc_sha1_tls();
681 }
682 } else if (cipher->algorithm_enc == SSL_AES256) {
683 if (version == SSL3_VERSION) {
684 *out_aead = EVP_aead_aes_256_cbc_sha1_ssl3();
685 *out_fixed_iv_len = 16;
686 } else if (version == TLS1_VERSION) {
687 *out_aead = EVP_aead_aes_256_cbc_sha1_tls_implicit_iv();
688 *out_fixed_iv_len = 16;
689 } else {
690 *out_aead = EVP_aead_aes_256_cbc_sha1_tls();
691 }
692 } else {
693 return 0;
694 }
695
696 *out_mac_secret_len = SHA_DIGEST_LENGTH;
697 } else if (cipher->algorithm_mac == SSL_SHA256) {
698 if (cipher->algorithm_enc == SSL_AES128) {
699 *out_aead = EVP_aead_aes_128_cbc_sha256_tls();
700 } else if (cipher->algorithm_enc == SSL_AES256) {
701 *out_aead = EVP_aead_aes_256_cbc_sha256_tls();
702 } else {
703 return 0;
704 }
705
706 *out_mac_secret_len = SHA256_DIGEST_LENGTH;
707 } else if (cipher->algorithm_mac == SSL_SHA384) {
708 if (cipher->algorithm_enc != SSL_AES256) {
709 return 0;
710 }
711
712 *out_aead = EVP_aead_aes_256_cbc_sha384_tls();
713 *out_mac_secret_len = SHA384_DIGEST_LENGTH;
714 } else {
715 return 0;
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]716 }
Steven Valdez79750562016-06-16 06:38:04 -0400[diff] [blame]717
Steven Valdez79750562016-06-16 06:38:04 -0400[diff] [blame]718 return 1;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]719}
Adam Langleyc9fb3752014-06-20 12:00:00 -0700[diff] [blame]720
Steven Valdez908ac192017-01-12 13:17:07 -0500[diff] [blame]721const EVP_MD *ssl_get_handshake_digest(uint32_t algorithm_prf,
722 uint16_t version) {
David Benjaminb0883312015-08-06 09:54:13 -0400[diff] [blame]723 switch (algorithm_prf) {
724 case SSL_HANDSHAKE_MAC_DEFAULT:
Steven Valdez908ac192017-01-12 13:17:07 -0500[diff] [blame]725 return version >= TLS1_2_VERSION ? EVP_sha256() : EVP_md5_sha1();
David Benjaminb0883312015-08-06 09:54:13 -0400[diff] [blame]726 case SSL_HANDSHAKE_MAC_SHA256:
727 return EVP_sha256();
728 case SSL_HANDSHAKE_MAC_SHA384:
729 return EVP_sha384();
730 default:
731 return NULL;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]732 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]733}
734
735#define ITEM_SEP(a) \
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]736 (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]737
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]738/* rule_equals returns one iff the NUL-terminated string |rule| is equal to the
739 * |buf_len| bytes at |buf|. */
740static int rule_equals(const char *rule, const char *buf, size_t buf_len) {
741 /* |strncmp| alone only checks that |buf| is a prefix of |rule|. */
742 return strncmp(rule, buf, buf_len) == 0 && rule[buf_len] == '\0';
743}
744
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]745static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]746 CIPHER_ORDER **tail) {
747 if (curr == *tail) {
748 return;
749 }
750 if (curr == *head) {
751 *head = curr->next;
752 }
753 if (curr->prev != NULL) {
754 curr->prev->next = curr->next;
755 }
756 if (curr->next != NULL) {
757 curr->next->prev = curr->prev;
758 }
759 (*tail)->next = curr;
760 curr->prev = *tail;
761 curr->next = NULL;
762 *tail = curr;
763}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]764
765static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]766 CIPHER_ORDER **tail) {
767 if (curr == *head) {
768 return;
769 }
770 if (curr == *tail) {
771 *tail = curr->prev;
772 }
773 if (curr->next != NULL) {
774 curr->next->prev = curr->prev;
775 }
776 if (curr->prev != NULL) {
777 curr->prev->next = curr->next;
778 }
779 (*head)->prev = curr;
780 curr->next = *head;
781 curr->prev = NULL;
782 *head = curr;
783}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]784
David Benjamin82c9e902014-12-12 15:55:27 -0500[diff] [blame]785static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]786 CIPHER_ORDER *co_list,
787 CIPHER_ORDER **head_p,
788 CIPHER_ORDER **tail_p) {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]789 /* The set of ciphers is static, but some subset may be unsupported by
790 * |ssl_method|, so the list may be smaller. */
791 size_t co_list_num = 0;
David Benjamin54091232016-09-05 12:47:25 -0400[diff] [blame]792 for (size_t i = 0; i < kCiphersLen; i++) {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]793 const SSL_CIPHER *cipher = &kCiphers[i];
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]794 if (ssl_method->supports_cipher(cipher) &&
795 /* TLS 1.3 ciphers do not participate in this mechanism. */
796 cipher->algorithm_mkey != SSL_kGENERIC) {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]797 co_list[co_list_num].cipher = cipher;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]798 co_list[co_list_num].next = NULL;
799 co_list[co_list_num].prev = NULL;
800 co_list[co_list_num].active = 0;
801 co_list[co_list_num].in_group = 0;
802 co_list_num++;
803 }
804 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]805
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]806 /* Prepare linked list from list entries. */
807 if (co_list_num > 0) {
808 co_list[0].prev = NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]809
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]810 if (co_list_num > 1) {
811 co_list[0].next = &co_list[1];
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]812
David Benjamin54091232016-09-05 12:47:25 -0400[diff] [blame]813 for (size_t i = 1; i < co_list_num - 1; i++) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]814 co_list[i].prev = &co_list[i - 1];
815 co_list[i].next = &co_list[i + 1];
816 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]817
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]818 co_list[co_list_num - 1].prev = &co_list[co_list_num - 2];
819 }
820
821 co_list[co_list_num - 1].next = NULL;
822
823 *head_p = &co_list[0];
824 *tail_p = &co_list[co_list_num - 1];
825 }
826}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]827
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]828/* ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its
829 * parameters in the linked list from |*head_p| to |*tail_p|. It writes the new
830 * head and tail of the list to |*head_p| and |*tail_p|, respectively.
831 *
832 * - If |cipher_id| is non-zero, only that cipher is selected.
833 * - Otherwise, if |strength_bits| is non-negative, it selects ciphers
834 * of that strength.
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]835 * - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]836 * |min_version|. */
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]837static void ssl_cipher_apply_rule(
David Benjamin107db582015-04-08 00:41:59 -0400[diff] [blame]838 uint32_t cipher_id, uint32_t alg_mkey, uint32_t alg_auth,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]839 uint32_t alg_enc, uint32_t alg_mac, uint16_t min_version, int rule,
840 int strength_bits, int in_group, CIPHER_ORDER **head_p,
841 CIPHER_ORDER **tail_p) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]842 CIPHER_ORDER *head, *tail, *curr, *next, *last;
843 const SSL_CIPHER *cp;
844 int reverse = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]845
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]846 if (cipher_id == 0 && strength_bits == -1 && min_version == 0 &&
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]847 (alg_mkey == 0 || alg_auth == 0 || alg_enc == 0 || alg_mac == 0)) {
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]848 /* The rule matches nothing, so bail early. */
849 return;
850 }
851
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]852 if (rule == CIPHER_DEL) {
853 /* needed to maintain sorting between currently deleted ciphers */
854 reverse = 1;
855 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]856
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]857 head = *head_p;
858 tail = *tail_p;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]859
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]860 if (reverse) {
861 next = tail;
862 last = head;
863 } else {
864 next = head;
865 last = tail;
866 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]867
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]868 curr = NULL;
869 for (;;) {
870 if (curr == last) {
871 break;
872 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]873
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]874 curr = next;
875 if (curr == NULL) {
876 break;
877 }
Adam Langleye3142a72014-07-24 17:56:48 -0700[diff] [blame]878
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]879 next = reverse ? curr->prev : curr->next;
880 cp = curr->cipher;
Adam Langleye3142a72014-07-24 17:56:48 -0700[diff] [blame]881
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]882 /* Selection criteria is either a specific cipher, the value of
883 * |strength_bits|, or the algorithms used. */
884 if (cipher_id != 0) {
885 if (cipher_id != cp->id) {
886 continue;
887 }
888 } else if (strength_bits >= 0) {
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]889 if (strength_bits != SSL_CIPHER_get_bits(cp, NULL)) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]890 continue;
891 }
David Benjamin881f1962016-08-10 18:29:12 -0400[diff] [blame]892 } else {
893 if (!(alg_mkey & cp->algorithm_mkey) ||
894 !(alg_auth & cp->algorithm_auth) ||
895 !(alg_enc & cp->algorithm_enc) ||
896 !(alg_mac & cp->algorithm_mac) ||
897 (min_version != 0 && SSL_CIPHER_get_min_version(cp) != min_version)) {
898 continue;
899 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]900 }
Adam Langleye3142a72014-07-24 17:56:48 -0700[diff] [blame]901
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]902 /* add the cipher if it has not been added yet. */
903 if (rule == CIPHER_ADD) {
904 /* reverse == 0 */
905 if (!curr->active) {
906 ll_append_tail(&head, curr, &tail);
907 curr->active = 1;
908 curr->in_group = in_group;
909 }
910 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]911
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]912 /* Move the added cipher to this location */
913 else if (rule == CIPHER_ORD) {
914 /* reverse == 0 */
915 if (curr->active) {
916 ll_append_tail(&head, curr, &tail);
917 curr->in_group = 0;
918 }
919 } else if (rule == CIPHER_DEL) {
920 /* reverse == 1 */
921 if (curr->active) {
922 /* most recently deleted ciphersuites get best positions
923 * for any future CIPHER_ADD (note that the CIPHER_DEL loop
924 * works in reverse to maintain the order) */
925 ll_append_head(&head, curr, &tail);
926 curr->active = 0;
927 curr->in_group = 0;
928 }
929 } else if (rule == CIPHER_KILL) {
930 /* reverse == 0 */
931 if (head == curr) {
932 head = curr->next;
933 } else {
934 curr->prev->next = curr->next;
935 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]936
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]937 if (tail == curr) {
938 tail = curr->prev;
939 }
940 curr->active = 0;
941 if (curr->next != NULL) {
942 curr->next->prev = curr->prev;
943 }
944 if (curr->prev != NULL) {
945 curr->prev->next = curr->next;
946 }
947 curr->next = NULL;
948 curr->prev = NULL;
949 }
950 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]951
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]952 *head_p = head;
953 *tail_p = tail;
954}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]955
956static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]957 CIPHER_ORDER **tail_p) {
958 int max_strength_bits, i, *number_uses;
959 CIPHER_ORDER *curr;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]960
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]961 /* This routine sorts the ciphers with descending strength. The sorting must
962 * keep the pre-sorted sequence, so we apply the normal sorting routine as
963 * '+' movement to the end of the list. */
964 max_strength_bits = 0;
965 curr = *head_p;
966 while (curr != NULL) {
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]967 if (curr->active &&
968 SSL_CIPHER_get_bits(curr->cipher, NULL) > max_strength_bits) {
969 max_strength_bits = SSL_CIPHER_get_bits(curr->cipher, NULL);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]970 }
971 curr = curr->next;
972 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]973
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]974 number_uses = OPENSSL_malloc((max_strength_bits + 1) * sizeof(int));
975 if (!number_uses) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]976 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]977 return 0;
978 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]979 OPENSSL_memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int));
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]980
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]981 /* Now find the strength_bits values actually used. */
982 curr = *head_p;
983 while (curr != NULL) {
984 if (curr->active) {
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]985 number_uses[SSL_CIPHER_get_bits(curr->cipher, NULL)]++;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]986 }
987 curr = curr->next;
988 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]989
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]990 /* Go through the list of used strength_bits values in descending order. */
991 for (i = max_strength_bits; i >= 0; i--) {
992 if (number_uses[i] > 0) {
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]993 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i, 0, head_p, tail_p);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]994 }
995 }
996
997 OPENSSL_free(number_uses);
998 return 1;
999}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1000
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1001static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method,
1002 const char *rule_str,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1003 CIPHER_ORDER **head_p,
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]1004 CIPHER_ORDER **tail_p, int strict) {
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1005 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1006 uint16_t min_version;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1007 const char *l, *buf;
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1008 int multi, skip_rule, rule, ok, in_group = 0, has_group = 0;
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1009 size_t j, buf_len;
1010 uint32_t cipher_id;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1011 char ch;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1012
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1013 l = rule_str;
1014 for (;;) {
1015 ch = *l;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1016
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1017 if (ch == '\0') {
1018 break; /* done */
1019 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1020
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1021 if (in_group) {
1022 if (ch == ']') {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1023 if (*tail_p) {
1024 (*tail_p)->in_group = 0;
1025 }
1026 in_group = 0;
1027 l++;
1028 continue;
1029 }
David Benjamin37d92462014-09-20 17:54:24 -0400[diff] [blame]1030
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1031 if (ch == '|') {
1032 rule = CIPHER_ADD;
1033 l++;
1034 continue;
1035 } else if (!(ch >= 'a' && ch <= 'z') && !(ch >= 'A' && ch <= 'Z') &&
1036 !(ch >= '0' && ch <= '9')) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1037 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP);
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1038 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1039 } else {
1040 rule = CIPHER_ADD;
1041 }
1042 } else if (ch == '-') {
1043 rule = CIPHER_DEL;
1044 l++;
1045 } else if (ch == '+') {
1046 rule = CIPHER_ORD;
1047 l++;
1048 } else if (ch == '!') {
1049 rule = CIPHER_KILL;
1050 l++;
1051 } else if (ch == '@') {
1052 rule = CIPHER_SPECIAL;
1053 l++;
1054 } else if (ch == '[') {
1055 if (in_group) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1056 OPENSSL_PUT_ERROR(SSL, SSL_R_NESTED_GROUP);
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1057 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1058 }
1059 in_group = 1;
1060 has_group = 1;
1061 l++;
1062 continue;
1063 } else {
1064 rule = CIPHER_ADD;
1065 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1066
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1067 /* If preference groups are enabled, the only legal operator is +.
1068 * Otherwise the in_group bits will get mixed up. */
1069 if (has_group && rule != CIPHER_ADD) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1070 OPENSSL_PUT_ERROR(SSL, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1071 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1072 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1073
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1074 if (ITEM_SEP(ch)) {
1075 l++;
1076 continue;
1077 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1078
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1079 multi = 0;
1080 cipher_id = 0;
1081 alg_mkey = ~0u;
1082 alg_auth = ~0u;
1083 alg_enc = ~0u;
1084 alg_mac = ~0u;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1085 min_version = 0;
1086 skip_rule = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1087
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1088 for (;;) {
1089 ch = *l;
1090 buf = l;
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1091 buf_len = 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1092 while (((ch >= 'A') && (ch <= 'Z')) || ((ch >= '0') && (ch <= '9')) ||
1093 ((ch >= 'a') && (ch <= 'z')) || (ch == '-') || (ch == '.')) {
1094 ch = *(++l);
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1095 buf_len++;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1096 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1097
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1098 if (buf_len == 0) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1099 /* We hit something we cannot deal with, it is no command or separator
1100 * nor alphanumeric, so we call this an error. */
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1101 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
Adam Langleyf99f2442016-10-02 09:53:38 -0700[diff] [blame]1102 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1103 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1104
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1105 if (rule == CIPHER_SPECIAL) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1106 break;
1107 }
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1108
1109 /* Look for a matching exact cipher. These aren't allowed in multipart
1110 * rules. */
1111 if (!multi && ch != '+') {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1112 for (j = 0; j < kCiphersLen; j++) {
1113 const SSL_CIPHER *cipher = &kCiphers[j];
1114 if (rule_equals(cipher->name, buf, buf_len)) {
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1115 cipher_id = cipher->id;
1116 break;
1117 }
1118 }
1119 }
1120 if (cipher_id == 0) {
1121 /* If not an exact cipher, look for a matching cipher alias. */
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1122 for (j = 0; j < kCipherAliasesLen; j++) {
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1123 if (rule_equals(kCipherAliases[j].name, buf, buf_len)) {
1124 alg_mkey &= kCipherAliases[j].algorithm_mkey;
1125 alg_auth &= kCipherAliases[j].algorithm_auth;
1126 alg_enc &= kCipherAliases[j].algorithm_enc;
1127 alg_mac &= kCipherAliases[j].algorithm_mac;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1128
1129 if (min_version != 0 &&
1130 min_version != kCipherAliases[j].min_version) {
1131 skip_rule = 1;
1132 } else {
1133 min_version = kCipherAliases[j].min_version;
1134 }
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1135 break;
1136 }
1137 }
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1138 if (j == kCipherAliasesLen) {
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1139 skip_rule = 1;
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]1140 if (strict) {
1141 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1142 return 0;
1143 }
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1144 }
1145 }
1146
1147 /* Check for a multipart rule. */
1148 if (ch != '+') {
1149 break;
1150 }
1151 l++;
1152 multi = 1;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1153 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1154
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1155 /* Ok, we have the rule, now apply it. */
1156 if (rule == CIPHER_SPECIAL) {
1157 /* special command */
1158 ok = 0;
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1159 if (buf_len == 8 && !strncmp(buf, "STRENGTH", 8)) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1160 ok = ssl_cipher_strength_sort(head_p, tail_p);
1161 } else {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1162 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1163 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1164
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1165 if (ok == 0) {
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1166 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1167 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1168
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1169 /* We do not support any "multi" options together with "@", so throw away
1170 * the rest of the command, if any left, until end or ':' is found. */
1171 while (*l != '\0' && !ITEM_SEP(*l)) {
1172 l++;
1173 }
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1174 } else if (!skip_rule) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1175 ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth, alg_enc, alg_mac,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1176 min_version, rule, -1, in_group, head_p, tail_p);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1177 }
1178 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1179
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1180 if (in_group) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1181 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1182 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1183 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1184
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1185 return 1;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1186}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1187
Matthew Braithwaite6ad20dc2017-02-21 16:41:33 -0800[diff] [blame]1188int ssl_create_cipher_list(
1189 const SSL_PROTOCOL_METHOD *ssl_method,
1190 struct ssl_cipher_preference_list_st **out_cipher_list,
1191 const char *rule_str, int strict) {
David Benjamind2cb1c12016-11-02 17:49:09 -0400[diff] [blame]1192 STACK_OF(SSL_CIPHER) *cipherstack = NULL;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1193 CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1194 uint8_t *in_group_flags = NULL;
1195 unsigned int num_in_group_flags = 0;
1196 struct ssl_cipher_preference_list_st *pref_list = NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1197
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1198 /* Return with error if nothing to do. */
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1199 if (rule_str == NULL || out_cipher_list == NULL) {
Matthew Braithwaite6ad20dc2017-02-21 16:41:33 -0800[diff] [blame]1200 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1201 }
David Benjamin5213df42014-08-20 14:19:54 -0400[diff] [blame]1202
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1203 /* Now we have to collect the available ciphers from the compiled in ciphers.
1204 * We cannot get more than the number compiled in, so it is used for
1205 * allocation. */
Brian Smith5ba06892016-02-07 09:36:04 -1000[diff] [blame]1206 co_list = OPENSSL_malloc(sizeof(CIPHER_ORDER) * kCiphersLen);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1207 if (co_list == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1208 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Matthew Braithwaite6ad20dc2017-02-21 16:41:33 -0800[diff] [blame]1209 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1210 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1211
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1212 ssl_cipher_collect_ciphers(ssl_method, co_list, &head, &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1213
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1214 /* Now arrange all ciphers by preference:
1215 * TODO(davidben): Compute this order once and copy it. */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1216
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]1217 /* Everything else being equal, prefer ECDHE_ECDSA and ECDHE_RSA over other
1218 * key exchange mechanisms */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1219 ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, ~0u, ~0u, 0, CIPHER_ADD, -1,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1220 0, &head, &tail);
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1221 ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0,
1222 &head, &tail);
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1223 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head,
1224 &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1225
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1226 /* Order the bulk ciphers. First the preferred AEAD ciphers. We prefer
1227 * CHACHA20 unless there is hardware support for fast and constant-time
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1228 * AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the
1229 * old one. */
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1230 if (EVP_has_aes_hardware()) {
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1231 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1232 &head, &tail);
David Benjamin43336652016-03-03 15:32:29 -0500[diff] [blame]1233 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1234 &head, &tail);
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1235 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
1236 -1, 0, &head, &tail);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1237 } else {
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1238 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
1239 -1, 0, &head, &tail);
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1240 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1241 &head, &tail);
David Benjamin43336652016-03-03 15:32:29 -0500[diff] [blame]1242 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1243 &head, &tail);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1244 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1245
David Benjamin43336652016-03-03 15:32:29 -0500[diff] [blame]1246 /* Then the legacy non-AEAD ciphers: AES_128_CBC, AES_256_CBC,
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]1247 * 3DES_EDE_CBC_SHA. */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1248 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, 0, CIPHER_ADD, -1, 0,
1249 &head, &tail);
David Benjamin43336652016-03-03 15:32:29 -0500[diff] [blame]1250 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, 0, CIPHER_ADD, -1, 0,
1251 &head, &tail);
1252 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, 0, CIPHER_ADD, -1, 0, &head,
1253 &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1254
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1255 /* Temporarily enable everything else for sorting */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1256 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0, &head,
1257 &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1258
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1259 /* Move ciphers without forward secrecy to the end. */
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1260 ssl_cipher_apply_rule(0, (SSL_kRSA | SSL_kPSK), ~0u, ~0u, ~0u, 0,
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1261 CIPHER_ORD, -1, 0, &head, &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1262
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1263 /* Now disable everything (maintaining the ordering!) */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1264 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head,
1265 &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1266
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1267 /* If the rule_string begins with DEFAULT, apply the default rule before
1268 * using the (possibly available) additional rules. */
David Benjamin11a7b3c2016-11-03 17:03:48 -0400[diff] [blame]1269 const char *rule_p = rule_str;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1270 if (strncmp(rule_str, "DEFAULT", 7) == 0) {
David Benjamin11a7b3c2016-11-03 17:03:48 -0400[diff] [blame]1271 if (!ssl_cipher_process_rulestr(ssl_method, SSL_DEFAULT_CIPHER_LIST, &head,
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]1272 &tail, strict)) {
David Benjamin11a7b3c2016-11-03 17:03:48 -0400[diff] [blame]1273 goto err;
1274 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1275 rule_p += 7;
1276 if (*rule_p == ':') {
1277 rule_p++;
1278 }
1279 }
Adam Langley858a88d2014-06-20 12:00:00 -0700[diff] [blame]1280
David Benjamin11a7b3c2016-11-03 17:03:48 -0400[diff] [blame]1281 if (*rule_p != '\0' &&
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]1282 !ssl_cipher_process_rulestr(ssl_method, rule_p, &head, &tail, strict)) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1283 goto err;
1284 }
1285
1286 /* Allocate new "cipherstack" for the result, return with error
1287 * if we cannot get one. */
1288 cipherstack = sk_SSL_CIPHER_new_null();
1289 if (cipherstack == NULL) {
1290 goto err;
1291 }
1292
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1293 in_group_flags = OPENSSL_malloc(kCiphersLen);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1294 if (!in_group_flags) {
1295 goto err;
1296 }
1297
1298 /* The cipher selection for the list is done. The ciphers are added
1299 * to the resulting precedence to the STACK_OF(SSL_CIPHER). */
1300 for (curr = head; curr != NULL; curr = curr->next) {
1301 if (curr->active) {
David Benjamin2adb7ec2015-01-11 19:59:06 -0500[diff] [blame]1302 if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
1303 goto err;
1304 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1305 in_group_flags[num_in_group_flags++] = curr->in_group;
1306 }
1307 }
1308 OPENSSL_free(co_list); /* Not needed any longer */
1309 co_list = NULL;
1310
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1311 pref_list = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
1312 if (!pref_list) {
1313 goto err;
1314 }
1315 pref_list->ciphers = cipherstack;
1316 pref_list->in_group_flags = OPENSSL_malloc(num_in_group_flags);
1317 if (!pref_list->in_group_flags) {
1318 goto err;
1319 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1320 OPENSSL_memcpy(pref_list->in_group_flags, in_group_flags, num_in_group_flags);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1321 OPENSSL_free(in_group_flags);
1322 in_group_flags = NULL;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1323 if (*out_cipher_list != NULL) {
1324 ssl_cipher_preference_list_free(*out_cipher_list);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1325 }
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1326 *out_cipher_list = pref_list;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1327 pref_list = NULL;
1328
David Benjamin91222b82017-03-09 20:10:56 -0500[diff] [blame]1329 /* Configuring an empty cipher list is an error but still updates the
1330 * output. */
1331 if (sk_SSL_CIPHER_num((*out_cipher_list)->ciphers) == 0) {
1332 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHER_MATCH);
1333 return 0;
1334 }
1335
Matthew Braithwaite6ad20dc2017-02-21 16:41:33 -0800[diff] [blame]1336 return 1;
Adam Langley858a88d2014-06-20 12:00:00 -0700[diff] [blame]1337
1338err:
David Benjamin2755a3e2015-04-22 16:17:58 -0400[diff] [blame]1339 OPENSSL_free(co_list);
1340 OPENSSL_free(in_group_flags);
1341 sk_SSL_CIPHER_free(cipherstack);
David Benjamin2755a3e2015-04-22 16:17:58 -0400[diff] [blame]1342 if (pref_list) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1343 OPENSSL_free(pref_list->in_group_flags);
1344 }
David Benjamin2755a3e2015-04-22 16:17:58 -0400[diff] [blame]1345 OPENSSL_free(pref_list);
Matthew Braithwaite6ad20dc2017-02-21 16:41:33 -0800[diff] [blame]1346 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1347}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1348
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1349uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher) { return cipher->id; }
1350
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1351uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher) {
1352 uint32_t id = cipher->id;
1353 /* All ciphers are SSLv3. */
1354 assert((id & 0xff000000) == 0x03000000);
1355 return id & 0xffff;
1356}
1357
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1358int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher) {
1359 return (cipher->algorithm_enc & SSL_AES) != 0;
1360}
1361
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1362int SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER *cipher) {
1363 return (cipher->algorithm_mac & SSL_SHA1) != 0;
1364}
1365
David Benjamina211aee2016-02-24 17:18:44 -0500[diff] [blame]1366int SSL_CIPHER_has_SHA256_HMAC(const SSL_CIPHER *cipher) {
1367 return (cipher->algorithm_mac & SSL_SHA256) != 0;
1368}
1369
Alessandro Ghedini48b6b8f2017-05-12 12:53:31 +0100[diff] [blame]1370int SSL_CIPHER_has_SHA384_HMAC(const SSL_CIPHER *cipher) {
1371 return (cipher->algorithm_mac & SSL_SHA384) != 0;
1372}
1373
Alessandro Ghedini0726fb72017-01-17 13:27:08 +0000[diff] [blame]1374int SSL_CIPHER_is_AEAD(const SSL_CIPHER *cipher) {
1375 return (cipher->algorithm_mac & SSL_AEAD) != 0;
1376}
1377
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1378int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher) {
David Benjaminc0125ef2015-09-09 09:11:07 -0400[diff] [blame]1379 return (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) != 0;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1380}
1381
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1382int SSL_CIPHER_is_AES128GCM(const SSL_CIPHER *cipher) {
1383 return (cipher->algorithm_enc & SSL_AES128GCM) != 0;
1384}
1385
Adam Langleyb00061c2015-11-16 17:44:52 -0800[diff] [blame]1386int SSL_CIPHER_is_AES128CBC(const SSL_CIPHER *cipher) {
1387 return (cipher->algorithm_enc & SSL_AES128) != 0;
1388}
1389
1390int SSL_CIPHER_is_AES256CBC(const SSL_CIPHER *cipher) {
1391 return (cipher->algorithm_enc & SSL_AES256) != 0;
1392}
1393
David Benjamin51a01a52015-10-29 13:19:56 -0400[diff] [blame]1394int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher) {
Adam Langley2e839242017-01-19 15:12:44 -0800[diff] [blame]1395 return (cipher->algorithm_enc & SSL_CHACHA20POLY1305) != 0;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1396}
1397
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1398int SSL_CIPHER_is_NULL(const SSL_CIPHER *cipher) {
1399 return (cipher->algorithm_enc & SSL_eNULL) != 0;
1400}
1401
1402int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher) {
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]1403 return (cipher->algorithm_enc & SSL_eNULL) == 0 &&
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1404 cipher->algorithm_mac != SSL_AEAD;
1405}
1406
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1407int SSL_CIPHER_is_ECDSA(const SSL_CIPHER *cipher) {
1408 return (cipher->algorithm_auth & SSL_aECDSA) != 0;
1409}
1410
David Benjamin4cc36ad2015-12-19 14:23:26 -0500[diff] [blame]1411int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher) {
1412 return (cipher->algorithm_mkey & SSL_kECDHE) != 0;
1413}
1414
David Benjamin745745d2017-01-10 08:34:14 -0500[diff] [blame]1415int SSL_CIPHER_is_static_RSA(const SSL_CIPHER *cipher) {
1416 return (cipher->algorithm_mkey & SSL_kRSA) != 0;
1417}
1418
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1419uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1420 if (cipher->algorithm_mkey == SSL_kGENERIC ||
1421 cipher->algorithm_auth == SSL_aGENERIC) {
1422 return TLS1_3_VERSION;
1423 }
1424
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1425 if (cipher->algorithm_prf != SSL_HANDSHAKE_MAC_DEFAULT) {
1426 /* Cipher suites before TLS 1.2 use the default PRF, while all those added
1427 * afterwards specify a particular hash. */
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1428 return TLS1_2_VERSION;
1429 }
1430 return SSL3_VERSION;
1431}
1432
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1433uint16_t SSL_CIPHER_get_max_version(const SSL_CIPHER *cipher) {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1434 if (cipher->algorithm_mkey == SSL_kGENERIC ||
1435 cipher->algorithm_auth == SSL_aGENERIC) {
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1436 return TLS1_3_VERSION;
1437 }
1438 return TLS1_2_VERSION;
1439}
1440
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1441/* return the actual cipher being used */
1442const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) {
1443 if (cipher != NULL) {
1444 return cipher->name;
1445 }
1446
1447 return "(NONE)";
1448}
1449
1450const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) {
1451 if (cipher == NULL) {
1452 return "";
1453 }
1454
1455 switch (cipher->algorithm_mkey) {
1456 case SSL_kRSA:
1457 return "RSA";
1458
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1459 case SSL_kECDHE:
1460 switch (cipher->algorithm_auth) {
1461 case SSL_aECDSA:
1462 return "ECDHE_ECDSA";
1463 case SSL_aRSA:
1464 return "ECDHE_RSA";
1465 case SSL_aPSK:
1466 return "ECDHE_PSK";
1467 default:
1468 assert(0);
1469 return "UNKNOWN";
1470 }
1471
1472 case SSL_kPSK:
1473 assert(cipher->algorithm_auth == SSL_aPSK);
1474 return "PSK";
1475
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1476 case SSL_kGENERIC:
1477 assert(cipher->algorithm_auth == SSL_aGENERIC);
1478 return "GENERIC";
1479
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1480 default:
1481 assert(0);
1482 return "UNKNOWN";
1483 }
1484}
1485
1486static const char *ssl_cipher_get_enc_name(const SSL_CIPHER *cipher) {
1487 switch (cipher->algorithm_enc) {
1488 case SSL_3DES:
1489 return "3DES_EDE_CBC";
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1490 case SSL_AES128:
1491 return "AES_128_CBC";
1492 case SSL_AES256:
1493 return "AES_256_CBC";
1494 case SSL_AES128GCM:
1495 return "AES_128_GCM";
1496 case SSL_AES256GCM:
1497 return "AES_256_GCM";
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1498 case SSL_CHACHA20POLY1305:
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1499 return "CHACHA20_POLY1305";
1500 break;
1501 default:
1502 assert(0);
1503 return "UNKNOWN";
1504 }
1505}
1506
1507static const char *ssl_cipher_get_prf_name(const SSL_CIPHER *cipher) {
David Benjaminb0883312015-08-06 09:54:13 -0400[diff] [blame]1508 switch (cipher->algorithm_prf) {
1509 case SSL_HANDSHAKE_MAC_DEFAULT:
David Benjamin5fc99c62017-01-10 08:19:12 -0500[diff] [blame]1510 /* Before TLS 1.2, the PRF component is the hash used in the HMAC, which
1511 * is SHA-1 for all supported ciphers. */
1512 assert(cipher->algorithm_mac == SSL_SHA1);
1513 return "SHA";
David Benjaminb0883312015-08-06 09:54:13 -0400[diff] [blame]1514 case SSL_HANDSHAKE_MAC_SHA256:
1515 return "SHA256";
1516 case SSL_HANDSHAKE_MAC_SHA384:
1517 return "SHA384";
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1518 }
David Benjaminb0883312015-08-06 09:54:13 -0400[diff] [blame]1519 assert(0);
1520 return "UNKNOWN";
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1521}
1522
1523char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher) {
1524 if (cipher == NULL) {
1525 return NULL;
1526 }
1527
1528 const char *kx_name = SSL_CIPHER_get_kx_name(cipher);
1529 const char *enc_name = ssl_cipher_get_enc_name(cipher);
1530 const char *prf_name = ssl_cipher_get_prf_name(cipher);
1531
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1532 /* The final name is TLS_{kx_name}_WITH_{enc_name}_{prf_name} or
1533 * TLS_{enc_name}_{prf_name} depending on whether the cipher is AEAD-only. */
1534 size_t len = 4 + strlen(enc_name) + 1 + strlen(prf_name) + 1;
1535
1536 if (cipher->algorithm_mkey != SSL_kGENERIC) {
1537 len += strlen(kx_name) + 6;
1538 }
1539
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1540 char *ret = OPENSSL_malloc(len);
1541 if (ret == NULL) {
1542 return NULL;
1543 }
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1544
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1545 if (BUF_strlcpy(ret, "TLS_", len) >= len ||
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1546 (cipher->algorithm_mkey != SSL_kGENERIC &&
1547 (BUF_strlcat(ret, kx_name, len) >= len ||
1548 BUF_strlcat(ret, "_WITH_", len) >= len)) ||
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1549 BUF_strlcat(ret, enc_name, len) >= len ||
1550 BUF_strlcat(ret, "_", len) >= len ||
1551 BUF_strlcat(ret, prf_name, len) >= len) {
1552 assert(0);
1553 OPENSSL_free(ret);
1554 return NULL;
1555 }
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1556
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1557 assert(strlen(ret) + 1 == len);
1558 return ret;
1559}
1560
1561int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *out_alg_bits) {
1562 if (cipher == NULL) {
1563 return 0;
1564 }
1565
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1566 int alg_bits, strength_bits;
1567 switch (cipher->algorithm_enc) {
1568 case SSL_AES128:
1569 case SSL_AES128GCM:
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1570 alg_bits = 128;
1571 strength_bits = 128;
1572 break;
1573
1574 case SSL_AES256:
1575 case SSL_AES256GCM:
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1576 case SSL_CHACHA20POLY1305:
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1577 alg_bits = 256;
1578 strength_bits = 256;
1579 break;
1580
1581 case SSL_3DES:
1582 alg_bits = 168;
1583 strength_bits = 112;
1584 break;
1585
1586 case SSL_eNULL:
1587 alg_bits = 0;
1588 strength_bits = 0;
1589 break;
1590
1591 default:
1592 assert(0);
1593 alg_bits = 0;
1594 strength_bits = 0;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1595 }
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1596
1597 if (out_alg_bits != NULL) {
1598 *out_alg_bits = alg_bits;
1599 }
1600 return strength_bits;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1601}
1602
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1603const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,
1604 int len) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1605 const char *kx, *au, *enc, *mac;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1606 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1607
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1608 alg_mkey = cipher->algorithm_mkey;
1609 alg_auth = cipher->algorithm_auth;
1610 alg_enc = cipher->algorithm_enc;
1611 alg_mac = cipher->algorithm_mac;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1612
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1613 switch (alg_mkey) {
1614 case SSL_kRSA:
1615 kx = "RSA";
1616 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1617
David Benjamin7061e282015-03-19 11:10:48 -0400[diff] [blame]1618 case SSL_kECDHE:
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1619 kx = "ECDH";
1620 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1621
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1622 case SSL_kPSK:
1623 kx = "PSK";
1624 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1625
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1626 case SSL_kGENERIC:
1627 kx = "GENERIC";
1628 break;
1629
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1630 default:
1631 kx = "unknown";
1632 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1633
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1634 switch (alg_auth) {
1635 case SSL_aRSA:
1636 au = "RSA";
1637 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1638
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1639 case SSL_aECDSA:
1640 au = "ECDSA";
1641 break;
Adam Langley4d4bff82014-06-20 12:00:00 -0700[diff] [blame]1642
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1643 case SSL_aPSK:
1644 au = "PSK";
1645 break;
Adam Langley4d4bff82014-06-20 12:00:00 -0700[diff] [blame]1646
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1647 case SSL_aGENERIC:
1648 au = "GENERIC";
1649 break;
1650
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1651 default:
1652 au = "unknown";
1653 break;
1654 }
Adam Langleyde0b2022014-06-20 12:00:00 -0700[diff] [blame]1655
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1656 switch (alg_enc) {
1657 case SSL_3DES:
1658 enc = "3DES(168)";
1659 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1660
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1661 case SSL_AES128:
1662 enc = "AES(128)";
1663 break;
1664
1665 case SSL_AES256:
1666 enc = "AES(256)";
1667 break;
1668
1669 case SSL_AES128GCM:
1670 enc = "AESGCM(128)";
1671 break;
1672
1673 case SSL_AES256GCM:
1674 enc = "AESGCM(256)";
1675 break;
1676
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1677 case SSL_CHACHA20POLY1305:
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1678 enc = "ChaCha20-Poly1305";
1679 break;
1680
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1681 case SSL_eNULL:
1682 enc="None";
1683 break;
1684
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1685 default:
1686 enc = "unknown";
1687 break;
1688 }
1689
1690 switch (alg_mac) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1691 case SSL_SHA1:
1692 mac = "SHA1";
1693 break;
1694
1695 case SSL_SHA256:
1696 mac = "SHA256";
1697 break;
1698
1699 case SSL_SHA384:
1700 mac = "SHA384";
1701 break;
1702
1703 case SSL_AEAD:
1704 mac = "AEAD";
1705 break;
1706
1707 default:
1708 mac = "unknown";
1709 break;
1710 }
1711
1712 if (buf == NULL) {
1713 len = 128;
1714 buf = OPENSSL_malloc(len);
David Benjamin1eed2c02015-02-08 23:20:06 -0500[diff] [blame]1715 if (buf == NULL) {
1716 return NULL;
1717 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1718 } else if (len < 128) {
1719 return "Buffer too small";
1720 }
1721
Brian Smith0687bdf2016-01-17 09:18:26 -1000[diff] [blame]1722 BIO_snprintf(buf, len, "%-23s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n",
1723 cipher->name, kx, au, enc, mac);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1724 return buf;
1725}
1726
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1727const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher) {
1728 return "TLSv1/SSLv3";
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1729}
1730
David Benjamind55bd792017-05-18 11:33:08 -0400[diff] [blame]1731STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void) { return NULL; }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1732
Matt Braithwaite6a1275b2015-06-26 12:09:10 -0700[diff] [blame]1733int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) { return 1; }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1734
Matt Braithwaite6a1275b2015-06-26 12:09:10 -0700[diff] [blame]1735const char *SSL_COMP_get_name(const COMP_METHOD *comp) { return NULL; }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1736
Adam Langley3e9e0432016-10-03 15:58:07 -0700[diff] [blame]1737void SSL_COMP_free_compression_methods(void) {}
1738
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]1739uint32_t ssl_cipher_auth_mask_for_key(const EVP_PKEY *key) {
1740 switch (EVP_PKEY_id(key)) {
1741 case EVP_PKEY_RSA:
1742 return SSL_aRSA;
1743 case EVP_PKEY_EC:
1744 case EVP_PKEY_ED25519:
1745 /* Ed25519 keys in TLS 1.2 repurpose the ECDSA ciphers. */
1746 return SSL_aECDSA;
1747 default:
1748 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1749 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1750}
David Benjamin9c651c92014-07-12 13:27:45 -0400[diff] [blame]1751
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]1752int ssl_cipher_uses_certificate_auth(const SSL_CIPHER *cipher) {
1753 return (cipher->algorithm_auth & SSL_aCERT) != 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1754}
1755
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1756int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) {
1757 /* Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. */
Matthew Braithwaite7e06de52017-04-10 15:52:14 -0700[diff] [blame]1758 if (cipher->algorithm_mkey & SSL_kECDHE) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1759 return 1;
1760 }
1761
1762 /* It is optional in all others. */
1763 return 0;
1764}
David Benjaminb8d28cf2015-07-28 21:34:45 -0400[diff] [blame]1765
1766size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher) {
1767 size_t block_size;
1768 switch (cipher->algorithm_enc) {
1769 case SSL_3DES:
1770 block_size = 8;
1771 break;
1772 case SSL_AES128:
1773 case SSL_AES256:
1774 block_size = 16;
1775 break;
1776 default:
1777 return 0;
1778 }
1779
David Benjamin5fc99c62017-01-10 08:19:12 -0500[diff] [blame]1780 /* All supported TLS 1.0 ciphers use SHA-1. */
1781 assert(cipher->algorithm_mac == SSL_SHA1);
1782 size_t ret = 1 + SHA_DIGEST_LENGTH;
David Benjaminb8d28cf2015-07-28 21:34:45 -0400[diff] [blame]1783 ret += block_size - (ret % block_size);
1784 return ret;
1785}