Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 5a6e6169615f205cb788ec9e29aebdd148f586b0 / . / ssl / ssl_cipher.c
blob: 99aba72cc4deafd50f77ea97db205a69a9c46d30 [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57/* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110/* ====================================================================
111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112 * ECC cipher suite support in OpenSSL originally developed by
113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
114 */
115/* ====================================================================
116 * Copyright 2005 Nokia. All rights reserved.
117 *
118 * The portions of the attached software ("Contribution") is developed by
119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
120 * license.
121 *
122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
124 * support (see RFC 4279) to OpenSSL.
125 *
126 * No patent licenses or other rights except those expressly stated in
127 * the OpenSSL open source license shall be deemed granted or received
128 * expressly, by implication, estoppel, or otherwise.
129 *
130 * No assurances are provided by Nokia that the Contribution does not
131 * infringe the patent or other intellectual property rights of any third
132 * party or that the license provides you with all the necessary rights
133 * to make use of the Contribution.
134 *
135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
139 * OTHERWISE. */
140
David Benjamin9e4e01e2015-09-15 01:48:04 -0400[diff] [blame]141#include <openssl/ssl.h>
142
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]143#include <assert.h>
David Benjaminf0ae1702015-04-07 23:05:04 -0400[diff] [blame]144#include <string.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]145
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]146#include <openssl/buf.h>
David Benjaminf0ae1702015-04-07 23:05:04 -0400[diff] [blame]147#include <openssl/err.h>
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]148#include <openssl/md5.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]149#include <openssl/mem.h>
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]150#include <openssl/sha.h>
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]151#include <openssl/stack.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]152
David Benjamin2ee94aa2015-04-07 22:38:30 -0400[diff] [blame]153#include "internal.h"
Steven Valdezcb966542016-08-17 16:56:14 -0400[diff] [blame]154#include "../crypto/internal.h"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]155
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]156
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]157/* kCiphers is an array of all supported ciphers, sorted by id. */
David Benjamin20c37312015-11-11 21:33:18 -0800[diff] [blame]158static const SSL_CIPHER kCiphers[] = {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]159 /* The RSA ciphers */
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]160 /* Cipher 02 */
161 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]162 SSL3_TXT_RSA_NULL_SHA,
163 SSL3_CK_RSA_NULL_SHA,
164 SSL_kRSA,
165 SSL_aRSA,
166 SSL_eNULL,
167 SSL_SHA1,
168 SSL_HANDSHAKE_MAC_DEFAULT,
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]169 },
170
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]171 /* Cipher 0A */
172 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]173 SSL3_TXT_RSA_DES_192_CBC3_SHA,
174 SSL3_CK_RSA_DES_192_CBC3_SHA,
175 SSL_kRSA,
176 SSL_aRSA,
177 SSL_3DES,
178 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]179 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]180 },
181
182
183 /* New AES ciphersuites */
184
185 /* Cipher 2F */
186 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]187 TLS1_TXT_RSA_WITH_AES_128_SHA,
188 TLS1_CK_RSA_WITH_AES_128_SHA,
189 SSL_kRSA,
190 SSL_aRSA,
191 SSL_AES128,
192 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]193 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]194 },
195
196 /* Cipher 33 */
197 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]198 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
199 TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
200 SSL_kDHE,
201 SSL_aRSA,
202 SSL_AES128,
203 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]204 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]205 },
206
207 /* Cipher 35 */
208 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]209 TLS1_TXT_RSA_WITH_AES_256_SHA,
210 TLS1_CK_RSA_WITH_AES_256_SHA,
211 SSL_kRSA,
212 SSL_aRSA,
213 SSL_AES256,
214 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]215 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]216 },
217
218 /* Cipher 39 */
219 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]220 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
221 TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
222 SSL_kDHE,
223 SSL_aRSA,
224 SSL_AES256,
225 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]226 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]227 },
228
229
230 /* TLS v1.2 ciphersuites */
231
232 /* Cipher 3C */
233 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]234 TLS1_TXT_RSA_WITH_AES_128_SHA256,
235 TLS1_CK_RSA_WITH_AES_128_SHA256,
236 SSL_kRSA,
237 SSL_aRSA,
238 SSL_AES128,
239 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]240 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]241 },
242
243 /* Cipher 3D */
244 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]245 TLS1_TXT_RSA_WITH_AES_256_SHA256,
246 TLS1_CK_RSA_WITH_AES_256_SHA256,
247 SSL_kRSA,
248 SSL_aRSA,
249 SSL_AES256,
250 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]251 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]252 },
253
254 /* Cipher 67 */
255 {
256 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]257 TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
258 SSL_kDHE,
259 SSL_aRSA,
260 SSL_AES128,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]261 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]262 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]263 },
264
265 /* Cipher 6B */
266 {
267 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]268 TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
269 SSL_kDHE,
270 SSL_aRSA,
271 SSL_AES256,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]272 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]273 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]274 },
275
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]276 /* PSK cipher suites. */
277
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]278 /* Cipher 8C */
279 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]280 TLS1_TXT_PSK_WITH_AES_128_CBC_SHA,
281 TLS1_CK_PSK_WITH_AES_128_CBC_SHA,
282 SSL_kPSK,
283 SSL_aPSK,
284 SSL_AES128,
285 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]286 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]287 },
288
289 /* Cipher 8D */
290 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]291 TLS1_TXT_PSK_WITH_AES_256_CBC_SHA,
292 TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
293 SSL_kPSK,
294 SSL_aPSK,
295 SSL_AES256,
296 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]297 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]298 },
299
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]300 /* GCM ciphersuites from RFC5288 */
301
302 /* Cipher 9C */
303 {
304 TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]305 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
306 SSL_kRSA,
307 SSL_aRSA,
308 SSL_AES128GCM,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]309 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]310 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]311 },
312
313 /* Cipher 9D */
314 {
315 TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]316 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
317 SSL_kRSA,
318 SSL_aRSA,
319 SSL_AES256GCM,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]320 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]321 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]322 },
323
324 /* Cipher 9E */
325 {
326 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]327 TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
328 SSL_kDHE,
329 SSL_aRSA,
330 SSL_AES128GCM,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]331 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]332 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]333 },
334
335 /* Cipher 9F */
336 {
337 TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]338 TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
339 SSL_kDHE,
340 SSL_aRSA,
341 SSL_AES256GCM,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]342 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]343 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]344 },
345
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]346 /* TLS 1.3 suites. */
347
348 /* Cipher 1301 */
349 {
350 TLS1_TXT_AES_128_GCM_SHA256,
351 TLS1_CK_AES_128_GCM_SHA256,
352 SSL_kGENERIC,
353 SSL_aGENERIC,
354 SSL_AES128GCM,
355 SSL_AEAD,
356 SSL_HANDSHAKE_MAC_SHA256,
357 },
358
359 /* Cipher 1302 */
360 {
361 TLS1_TXT_AES_256_GCM_SHA384,
362 TLS1_CK_AES_256_GCM_SHA384,
363 SSL_kGENERIC,
364 SSL_aGENERIC,
365 SSL_AES256GCM,
366 SSL_AEAD,
367 SSL_HANDSHAKE_MAC_SHA384,
368 },
369
370 /* Cipher 1303 */
371 {
372 TLS1_TXT_CHACHA20_POLY1305_SHA256,
373 TLS1_CK_CHACHA20_POLY1305_SHA256,
374 SSL_kGENERIC,
375 SSL_aGENERIC,
376 SSL_CHACHA20POLY1305,
377 SSL_AEAD,
378 SSL_HANDSHAKE_MAC_SHA256,
379 },
380
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]381 /* CECPQ1 (combined elliptic curve + post-quantum) suites. */
382
383 /* Cipher 16B7 */
384 {
385 TLS1_TXT_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256,
386 TLS1_CK_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256,
387 SSL_kCECPQ1,
388 SSL_aRSA,
389 SSL_CHACHA20POLY1305,
390 SSL_AEAD,
391 SSL_HANDSHAKE_MAC_SHA256,
392 },
393
394 /* Cipher 16B8 */
395 {
396 TLS1_TXT_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
397 TLS1_CK_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
398 SSL_kCECPQ1,
399 SSL_aECDSA,
400 SSL_CHACHA20POLY1305,
401 SSL_AEAD,
402 SSL_HANDSHAKE_MAC_SHA256,
403 },
404
405 /* Cipher 16B9 */
406 {
407 TLS1_TXT_CECPQ1_RSA_WITH_AES_256_GCM_SHA384,
408 TLS1_CK_CECPQ1_RSA_WITH_AES_256_GCM_SHA384,
409 SSL_kCECPQ1,
410 SSL_aRSA,
411 SSL_AES256GCM,
412 SSL_AEAD,
413 SSL_HANDSHAKE_MAC_SHA384,
414 },
415
416 /* Cipher 16BA */
417 {
418 TLS1_TXT_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384,
419 TLS1_CK_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384,
420 SSL_kCECPQ1,
421 SSL_aECDSA,
422 SSL_AES256GCM,
423 SSL_AEAD,
424 SSL_HANDSHAKE_MAC_SHA384,
425 },
426
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]427 /* Cipher C009 */
428 {
429 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]430 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
431 SSL_kECDHE,
432 SSL_aECDSA,
433 SSL_AES128,
434 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]435 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]436 },
437
438 /* Cipher C00A */
439 {
440 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]441 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
442 SSL_kECDHE,
443 SSL_aECDSA,
444 SSL_AES256,
445 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]446 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]447 },
448
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]449 /* Cipher C013 */
450 {
451 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]452 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
453 SSL_kECDHE,
454 SSL_aRSA,
455 SSL_AES128,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]456 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]457 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]458 },
459
460 /* Cipher C014 */
461 {
462 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]463 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
464 SSL_kECDHE,
465 SSL_aRSA,
466 SSL_AES256,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]467 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]468 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]469 },
470
471
472 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
473
474 /* Cipher C023 */
475 {
476 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]477 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
478 SSL_kECDHE,
479 SSL_aECDSA,
480 SSL_AES128,
481 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]482 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]483 },
484
485 /* Cipher C024 */
486 {
487 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]488 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
489 SSL_kECDHE,
490 SSL_aECDSA,
491 SSL_AES256,
492 SSL_SHA384,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]493 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]494 },
495
496 /* Cipher C027 */
497 {
498 TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]499 TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
500 SSL_kECDHE,
501 SSL_aRSA,
502 SSL_AES128,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]503 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]504 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]505 },
506
507 /* Cipher C028 */
508 {
509 TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]510 TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
511 SSL_kECDHE,
512 SSL_aRSA,
513 SSL_AES256,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]514 SSL_SHA384,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]515 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]516 },
517
518
519 /* GCM based TLS v1.2 ciphersuites from RFC5289 */
520
521 /* Cipher C02B */
522 {
523 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]524 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
525 SSL_kECDHE,
526 SSL_aECDSA,
527 SSL_AES128GCM,
528 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]529 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]530 },
531
532 /* Cipher C02C */
533 {
534 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]535 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
536 SSL_kECDHE,
537 SSL_aECDSA,
538 SSL_AES256GCM,
539 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]540 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]541 },
542
543 /* Cipher C02F */
544 {
545 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]546 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
547 SSL_kECDHE,
548 SSL_aRSA,
549 SSL_AES128GCM,
550 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]551 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]552 },
553
554 /* Cipher C030 */
555 {
556 TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]557 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
558 SSL_kECDHE,
559 SSL_aRSA,
560 SSL_AES256GCM,
561 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]562 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]563 },
564
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]565 /* ECDHE-PSK cipher suites. */
566
567 /* Cipher C035 */
568 {
569 TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA,
570 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]571 SSL_kECDHE,
572 SSL_aPSK,
573 SSL_AES128,
574 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]575 SSL_HANDSHAKE_MAC_DEFAULT,
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]576 },
577
578 /* Cipher C036 */
579 {
580 TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA,
581 TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]582 SSL_kECDHE,
583 SSL_aPSK,
584 SSL_AES256,
585 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]586 SSL_HANDSHAKE_MAC_DEFAULT,
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]587 },
588
589 /* ChaCha20-Poly1305 cipher suites. */
590
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]591#if !defined(BORINGSSL_ANDROID_SYSTEM)
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]592 {
Brian Smith271777f2015-10-03 13:53:33 -1000[diff] [blame]593 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_OLD,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]594 TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD,
595 SSL_kECDHE,
596 SSL_aRSA,
597 SSL_CHACHA20POLY1305_OLD,
598 SSL_AEAD,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]599 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]600 },
601
602 {
Brian Smith271777f2015-10-03 13:53:33 -1000[diff] [blame]603 TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_OLD,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]604 TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD,
605 SSL_kECDHE,
606 SSL_aECDSA,
607 SSL_CHACHA20POLY1305_OLD,
608 SSL_AEAD,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]609 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]610 },
Adam Langleyd98dc132015-09-23 16:41:33 -0700[diff] [blame]611#endif
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]612
613 /* Cipher CCA8 */
614 {
615 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
616 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
617 SSL_kECDHE,
618 SSL_aRSA,
619 SSL_CHACHA20POLY1305,
620 SSL_AEAD,
621 SSL_HANDSHAKE_MAC_SHA256,
622 },
623
624 /* Cipher CCA9 */
625 {
626 TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
627 TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
628 SSL_kECDHE,
629 SSL_aECDSA,
630 SSL_CHACHA20POLY1305,
631 SSL_AEAD,
632 SSL_HANDSHAKE_MAC_SHA256,
633 },
634
635 /* Cipher CCAB */
636 {
637 TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
638 TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
639 SSL_kECDHE,
640 SSL_aPSK,
641 SSL_CHACHA20POLY1305,
642 SSL_AEAD,
643 SSL_HANDSHAKE_MAC_SHA256,
644 },
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]645
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]646};
647
Steven Valdezcb966542016-08-17 16:56:14 -0400[diff] [blame]648static const size_t kCiphersLen = OPENSSL_ARRAY_SIZE(kCiphers);
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]649
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]650#define CIPHER_ADD 1
651#define CIPHER_KILL 2
652#define CIPHER_DEL 3
653#define CIPHER_ORD 4
654#define CIPHER_SPECIAL 5
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]655
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]656typedef struct cipher_order_st {
657 const SSL_CIPHER *cipher;
658 int active;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]659 int in_group;
660 struct cipher_order_st *next, *prev;
661} CIPHER_ORDER;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]662
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]663typedef struct cipher_alias_st {
664 /* name is the name of the cipher alias. */
665 const char *name;
666
667 /* The following fields are bitmasks for the corresponding fields on
668 * |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the
669 * bit corresponding to the cipher's value is set to 1. If any bitmask is
670 * all zeroes, the alias matches nothing. Use |~0u| for the default value. */
671 uint32_t algorithm_mkey;
672 uint32_t algorithm_auth;
673 uint32_t algorithm_enc;
674 uint32_t algorithm_mac;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]675
676 /* min_version, if non-zero, matches all ciphers which were added in that
677 * particular protocol version. */
678 uint16_t min_version;
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]679} CIPHER_ALIAS;
680
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]681static const CIPHER_ALIAS kCipherAliases[] = {
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]682 /* "ALL" doesn't include eNULL nor kCECPQ1. These must be explicitly
683 * enabled. */
684 {"ALL", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]685
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]686 /* The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]687
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]688 /* key exchange aliases
689 * (some of those using only a single bit here combine
690 * multiple key exchange algs according to the RFCs,
691 * e.g. kEDH combines DHE_DSS and DHE_RSA) */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]692 {"kRSA", SSL_kRSA, ~0u, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]693
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]694 {"kDHE", SSL_kDHE, ~0u, ~0u, ~0u, 0},
695 {"kEDH", SSL_kDHE, ~0u, ~0u, ~0u, 0},
696 {"DH", SSL_kDHE, ~0u, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]697
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]698 {"kECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]699 {"kCECPQ1", SSL_kCECPQ1, ~0u, ~0u, ~0u, 0},
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]700 {"kEECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
701 {"ECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]702
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]703 {"kPSK", SSL_kPSK, ~0u, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]704
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]705 /* server authentication aliases */
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]706 {"aRSA", ~SSL_kCECPQ1, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
707 {"aECDSA", ~SSL_kCECPQ1, SSL_aECDSA, ~0u, ~0u, 0},
708 {"ECDSA", ~SSL_kCECPQ1, SSL_aECDSA, ~0u, ~0u, 0},
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]709 {"aPSK", ~0u, SSL_aPSK, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]710
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]711 /* aliases combining key exchange and server authentication */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]712 {"DHE", SSL_kDHE, ~0u, ~0u, ~0u, 0},
713 {"EDH", SSL_kDHE, ~0u, ~0u, ~0u, 0},
714 {"ECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
715 {"EECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
716 {"RSA", SSL_kRSA, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
717 {"PSK", SSL_kPSK, SSL_aPSK, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]718
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]719 /* symmetric encryption aliases */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]720 {"3DES", ~0u, ~0u, SSL_3DES, ~0u, 0},
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]721 {"AES128", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0},
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]722 {"AES256", ~SSL_kCECPQ1, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0},
723 {"AES", ~SSL_kCECPQ1, ~0u, SSL_AES, ~0u, 0},
724 {"AESGCM", ~SSL_kCECPQ1, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0},
725 {"CHACHA20", ~SSL_kCECPQ1, ~0u, SSL_CHACHA20POLY1305 | SSL_CHACHA20POLY1305_OLD, ~0u,
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]726 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]727
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]728 /* MAC aliases */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]729 {"MD5", ~0u, ~0u, ~0u, SSL_MD5, 0},
730 {"SHA1", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
731 {"SHA", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]732 {"SHA256", ~SSL_kCECPQ1, ~0u, ~0u, SSL_SHA256, 0},
733 {"SHA384", ~SSL_kCECPQ1, ~0u, ~0u, SSL_SHA384, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]734
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]735 /* Legacy protocol minimum version aliases. "TLSv1" is intentionally the
736 * same as "SSLv3". */
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]737 {"SSLv3", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
738 {"TLSv1", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
739 {"TLSv1.2", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, TLS1_2_VERSION},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]740
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]741 /* Legacy strength classes. */
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]742 {"HIGH", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, 0},
743 {"FIPS", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, 0},
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]744};
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]745
Steven Valdezcb966542016-08-17 16:56:14 -0400[diff] [blame]746static const size_t kCipherAliasesLen = OPENSSL_ARRAY_SIZE(kCipherAliases);
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]747
748static int ssl_cipher_id_cmp(const void *in_a, const void *in_b) {
749 const SSL_CIPHER *a = in_a;
750 const SSL_CIPHER *b = in_b;
751
752 if (a->id > b->id) {
753 return 1;
754 } else if (a->id < b->id) {
755 return -1;
756 } else {
757 return 0;
758 }
759}
760
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]761const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value) {
762 SSL_CIPHER c;
763
764 c.id = 0x03000000L | value;
765 return bsearch(&c, kCiphers, kCiphersLen, sizeof(SSL_CIPHER),
766 ssl_cipher_id_cmp);
767}
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]768
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]769int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
770 size_t *out_mac_secret_len,
771 size_t *out_fixed_iv_len,
772 const SSL_CIPHER *cipher, uint16_t version) {
773 *out_aead = NULL;
774 *out_mac_secret_len = 0;
775 *out_fixed_iv_len = 0;
Adam Langleyc9fb3752014-06-20 12:00:00 -0700[diff] [blame]776
David Benjamin305e6fb2016-10-27 18:19:00 -0400[diff] [blame]777 if (cipher->algorithm_mac == SSL_AEAD) {
778 if (cipher->algorithm_enc == SSL_AES128GCM) {
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]779 *out_aead = EVP_aead_aes_128_gcm();
780 *out_fixed_iv_len = 4;
David Benjamin305e6fb2016-10-27 18:19:00 -0400[diff] [blame]781 } else if (cipher->algorithm_enc == SSL_AES256GCM) {
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]782 *out_aead = EVP_aead_aes_256_gcm();
783 *out_fixed_iv_len = 4;
Adam Langleyd98dc132015-09-23 16:41:33 -0700[diff] [blame]784#if !defined(BORINGSSL_ANDROID_SYSTEM)
David Benjamin305e6fb2016-10-27 18:19:00 -0400[diff] [blame]785 } else if (cipher->algorithm_enc == SSL_CHACHA20POLY1305_OLD) {
Brian Smith3e23e4c2015-10-03 11:38:58 -1000[diff] [blame]786 *out_aead = EVP_aead_chacha20_poly1305_old();
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]787 *out_fixed_iv_len = 0;
Adam Langleyd98dc132015-09-23 16:41:33 -0700[diff] [blame]788#endif
David Benjamin305e6fb2016-10-27 18:19:00 -0400[diff] [blame]789 } else if (cipher->algorithm_enc == SSL_CHACHA20POLY1305) {
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]790 *out_aead = EVP_aead_chacha20_poly1305();
791 *out_fixed_iv_len = 12;
David Benjamin305e6fb2016-10-27 18:19:00 -0400[diff] [blame]792 } else {
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]793 return 0;
David Benjamin305e6fb2016-10-27 18:19:00 -0400[diff] [blame]794 }
795
796 /* In TLS 1.3, the iv_len is equal to the AEAD nonce length whereas the code
797 * above computes the TLS 1.2 construction. */
798 if (version >= TLS1_3_VERSION) {
799 *out_fixed_iv_len = EVP_AEAD_nonce_length(*out_aead);
800 }
801 } else if (cipher->algorithm_mac == SSL_SHA1) {
802 if (cipher->algorithm_enc == SSL_eNULL) {
803 if (version == SSL3_VERSION) {
804 *out_aead = EVP_aead_null_sha1_ssl3();
805 } else {
806 *out_aead = EVP_aead_null_sha1_tls();
807 }
808 } else if (cipher->algorithm_enc == SSL_3DES) {
809 if (version == SSL3_VERSION) {
810 *out_aead = EVP_aead_des_ede3_cbc_sha1_ssl3();
811 *out_fixed_iv_len = 8;
812 } else if (version == TLS1_VERSION) {
813 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv();
814 *out_fixed_iv_len = 8;
815 } else {
816 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls();
817 }
818 } else if (cipher->algorithm_enc == SSL_AES128) {
819 if (version == SSL3_VERSION) {
820 *out_aead = EVP_aead_aes_128_cbc_sha1_ssl3();
821 *out_fixed_iv_len = 16;
822 } else if (version == TLS1_VERSION) {
823 *out_aead = EVP_aead_aes_128_cbc_sha1_tls_implicit_iv();
824 *out_fixed_iv_len = 16;
825 } else {
826 *out_aead = EVP_aead_aes_128_cbc_sha1_tls();
827 }
828 } else if (cipher->algorithm_enc == SSL_AES256) {
829 if (version == SSL3_VERSION) {
830 *out_aead = EVP_aead_aes_256_cbc_sha1_ssl3();
831 *out_fixed_iv_len = 16;
832 } else if (version == TLS1_VERSION) {
833 *out_aead = EVP_aead_aes_256_cbc_sha1_tls_implicit_iv();
834 *out_fixed_iv_len = 16;
835 } else {
836 *out_aead = EVP_aead_aes_256_cbc_sha1_tls();
837 }
838 } else {
839 return 0;
840 }
841
842 *out_mac_secret_len = SHA_DIGEST_LENGTH;
843 } else if (cipher->algorithm_mac == SSL_SHA256) {
844 if (cipher->algorithm_enc == SSL_AES128) {
845 *out_aead = EVP_aead_aes_128_cbc_sha256_tls();
846 } else if (cipher->algorithm_enc == SSL_AES256) {
847 *out_aead = EVP_aead_aes_256_cbc_sha256_tls();
848 } else {
849 return 0;
850 }
851
852 *out_mac_secret_len = SHA256_DIGEST_LENGTH;
853 } else if (cipher->algorithm_mac == SSL_SHA384) {
854 if (cipher->algorithm_enc != SSL_AES256) {
855 return 0;
856 }
857
858 *out_aead = EVP_aead_aes_256_cbc_sha384_tls();
859 *out_mac_secret_len = SHA384_DIGEST_LENGTH;
860 } else {
861 return 0;
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]862 }
Steven Valdez79750562016-06-16 06:38:04 -0400[diff] [blame]863
Steven Valdez79750562016-06-16 06:38:04 -0400[diff] [blame]864 return 1;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]865}
Adam Langleyc9fb3752014-06-20 12:00:00 -0700[diff] [blame]866
David Benjaminb0883312015-08-06 09:54:13 -0400[diff] [blame]867const EVP_MD *ssl_get_handshake_digest(uint32_t algorithm_prf) {
868 switch (algorithm_prf) {
869 case SSL_HANDSHAKE_MAC_DEFAULT:
870 return EVP_sha1();
871 case SSL_HANDSHAKE_MAC_SHA256:
872 return EVP_sha256();
873 case SSL_HANDSHAKE_MAC_SHA384:
874 return EVP_sha384();
875 default:
876 return NULL;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]877 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]878}
879
880#define ITEM_SEP(a) \
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]881 (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]882
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]883/* rule_equals returns one iff the NUL-terminated string |rule| is equal to the
884 * |buf_len| bytes at |buf|. */
885static int rule_equals(const char *rule, const char *buf, size_t buf_len) {
886 /* |strncmp| alone only checks that |buf| is a prefix of |rule|. */
887 return strncmp(rule, buf, buf_len) == 0 && rule[buf_len] == '\0';
888}
889
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]890static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]891 CIPHER_ORDER **tail) {
892 if (curr == *tail) {
893 return;
894 }
895 if (curr == *head) {
896 *head = curr->next;
897 }
898 if (curr->prev != NULL) {
899 curr->prev->next = curr->next;
900 }
901 if (curr->next != NULL) {
902 curr->next->prev = curr->prev;
903 }
904 (*tail)->next = curr;
905 curr->prev = *tail;
906 curr->next = NULL;
907 *tail = curr;
908}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]909
910static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]911 CIPHER_ORDER **tail) {
912 if (curr == *head) {
913 return;
914 }
915 if (curr == *tail) {
916 *tail = curr->prev;
917 }
918 if (curr->next != NULL) {
919 curr->next->prev = curr->prev;
920 }
921 if (curr->prev != NULL) {
922 curr->prev->next = curr->next;
923 }
924 (*head)->prev = curr;
925 curr->next = *head;
926 curr->prev = NULL;
927 *head = curr;
928}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]929
David Benjamin82c9e902014-12-12 15:55:27 -0500[diff] [blame]930static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]931 CIPHER_ORDER *co_list,
932 CIPHER_ORDER **head_p,
933 CIPHER_ORDER **tail_p) {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]934 /* The set of ciphers is static, but some subset may be unsupported by
935 * |ssl_method|, so the list may be smaller. */
936 size_t co_list_num = 0;
David Benjamin54091232016-09-05 12:47:25 -0400[diff] [blame]937 for (size_t i = 0; i < kCiphersLen; i++) {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]938 const SSL_CIPHER *cipher = &kCiphers[i];
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]939 if (ssl_method->supports_cipher(cipher) &&
940 /* TLS 1.3 ciphers do not participate in this mechanism. */
941 cipher->algorithm_mkey != SSL_kGENERIC) {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]942 co_list[co_list_num].cipher = cipher;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]943 co_list[co_list_num].next = NULL;
944 co_list[co_list_num].prev = NULL;
945 co_list[co_list_num].active = 0;
946 co_list[co_list_num].in_group = 0;
947 co_list_num++;
948 }
949 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]950
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]951 /* Prepare linked list from list entries. */
952 if (co_list_num > 0) {
953 co_list[0].prev = NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]954
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]955 if (co_list_num > 1) {
956 co_list[0].next = &co_list[1];
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]957
David Benjamin54091232016-09-05 12:47:25 -0400[diff] [blame]958 for (size_t i = 1; i < co_list_num - 1; i++) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]959 co_list[i].prev = &co_list[i - 1];
960 co_list[i].next = &co_list[i + 1];
961 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]962
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]963 co_list[co_list_num - 1].prev = &co_list[co_list_num - 2];
964 }
965
966 co_list[co_list_num - 1].next = NULL;
967
968 *head_p = &co_list[0];
969 *tail_p = &co_list[co_list_num - 1];
970 }
971}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]972
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]973/* ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its
974 * parameters in the linked list from |*head_p| to |*tail_p|. It writes the new
975 * head and tail of the list to |*head_p| and |*tail_p|, respectively.
976 *
977 * - If |cipher_id| is non-zero, only that cipher is selected.
978 * - Otherwise, if |strength_bits| is non-negative, it selects ciphers
979 * of that strength.
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]980 * - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]981 * |min_version|. */
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]982static void ssl_cipher_apply_rule(
David Benjamin107db582015-04-08 00:41:59 -0400[diff] [blame]983 uint32_t cipher_id, uint32_t alg_mkey, uint32_t alg_auth,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]984 uint32_t alg_enc, uint32_t alg_mac, uint16_t min_version, int rule,
985 int strength_bits, int in_group, CIPHER_ORDER **head_p,
986 CIPHER_ORDER **tail_p) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]987 CIPHER_ORDER *head, *tail, *curr, *next, *last;
988 const SSL_CIPHER *cp;
989 int reverse = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]990
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]991 if (cipher_id == 0 && strength_bits == -1 && min_version == 0 &&
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]992 (alg_mkey == 0 || alg_auth == 0 || alg_enc == 0 || alg_mac == 0)) {
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]993 /* The rule matches nothing, so bail early. */
994 return;
995 }
996
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]997 if (rule == CIPHER_DEL) {
998 /* needed to maintain sorting between currently deleted ciphers */
999 reverse = 1;
1000 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1001
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1002 head = *head_p;
1003 tail = *tail_p;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1004
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1005 if (reverse) {
1006 next = tail;
1007 last = head;
1008 } else {
1009 next = head;
1010 last = tail;
1011 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1012
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1013 curr = NULL;
1014 for (;;) {
1015 if (curr == last) {
1016 break;
1017 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1018
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1019 curr = next;
1020 if (curr == NULL) {
1021 break;
1022 }
Adam Langleye3142a72014-07-24 17:56:48 -0700[diff] [blame]1023
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1024 next = reverse ? curr->prev : curr->next;
1025 cp = curr->cipher;
Adam Langleye3142a72014-07-24 17:56:48 -0700[diff] [blame]1026
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1027 /* Selection criteria is either a specific cipher, the value of
1028 * |strength_bits|, or the algorithms used. */
1029 if (cipher_id != 0) {
1030 if (cipher_id != cp->id) {
1031 continue;
1032 }
1033 } else if (strength_bits >= 0) {
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1034 if (strength_bits != SSL_CIPHER_get_bits(cp, NULL)) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1035 continue;
1036 }
David Benjamin881f1962016-08-10 18:29:12 -0400[diff] [blame]1037 } else {
1038 if (!(alg_mkey & cp->algorithm_mkey) ||
1039 !(alg_auth & cp->algorithm_auth) ||
1040 !(alg_enc & cp->algorithm_enc) ||
1041 !(alg_mac & cp->algorithm_mac) ||
1042 (min_version != 0 && SSL_CIPHER_get_min_version(cp) != min_version)) {
1043 continue;
1044 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1045 }
Adam Langleye3142a72014-07-24 17:56:48 -0700[diff] [blame]1046
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1047 /* add the cipher if it has not been added yet. */
1048 if (rule == CIPHER_ADD) {
1049 /* reverse == 0 */
1050 if (!curr->active) {
1051 ll_append_tail(&head, curr, &tail);
1052 curr->active = 1;
1053 curr->in_group = in_group;
1054 }
1055 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1056
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1057 /* Move the added cipher to this location */
1058 else if (rule == CIPHER_ORD) {
1059 /* reverse == 0 */
1060 if (curr->active) {
1061 ll_append_tail(&head, curr, &tail);
1062 curr->in_group = 0;
1063 }
1064 } else if (rule == CIPHER_DEL) {
1065 /* reverse == 1 */
1066 if (curr->active) {
1067 /* most recently deleted ciphersuites get best positions
1068 * for any future CIPHER_ADD (note that the CIPHER_DEL loop
1069 * works in reverse to maintain the order) */
1070 ll_append_head(&head, curr, &tail);
1071 curr->active = 0;
1072 curr->in_group = 0;
1073 }
1074 } else if (rule == CIPHER_KILL) {
1075 /* reverse == 0 */
1076 if (head == curr) {
1077 head = curr->next;
1078 } else {
1079 curr->prev->next = curr->next;
1080 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1081
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1082 if (tail == curr) {
1083 tail = curr->prev;
1084 }
1085 curr->active = 0;
1086 if (curr->next != NULL) {
1087 curr->next->prev = curr->prev;
1088 }
1089 if (curr->prev != NULL) {
1090 curr->prev->next = curr->next;
1091 }
1092 curr->next = NULL;
1093 curr->prev = NULL;
1094 }
1095 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1096
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1097 *head_p = head;
1098 *tail_p = tail;
1099}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1100
1101static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1102 CIPHER_ORDER **tail_p) {
1103 int max_strength_bits, i, *number_uses;
1104 CIPHER_ORDER *curr;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1105
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1106 /* This routine sorts the ciphers with descending strength. The sorting must
1107 * keep the pre-sorted sequence, so we apply the normal sorting routine as
1108 * '+' movement to the end of the list. */
1109 max_strength_bits = 0;
1110 curr = *head_p;
1111 while (curr != NULL) {
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1112 if (curr->active &&
1113 SSL_CIPHER_get_bits(curr->cipher, NULL) > max_strength_bits) {
1114 max_strength_bits = SSL_CIPHER_get_bits(curr->cipher, NULL);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1115 }
1116 curr = curr->next;
1117 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1118
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1119 number_uses = OPENSSL_malloc((max_strength_bits + 1) * sizeof(int));
1120 if (!number_uses) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1121 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1122 return 0;
1123 }
1124 memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int));
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1125
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1126 /* Now find the strength_bits values actually used. */
1127 curr = *head_p;
1128 while (curr != NULL) {
1129 if (curr->active) {
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1130 number_uses[SSL_CIPHER_get_bits(curr->cipher, NULL)]++;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1131 }
1132 curr = curr->next;
1133 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1134
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1135 /* Go through the list of used strength_bits values in descending order. */
1136 for (i = max_strength_bits; i >= 0; i--) {
1137 if (number_uses[i] > 0) {
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1138 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i, 0, head_p, tail_p);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1139 }
1140 }
1141
1142 OPENSSL_free(number_uses);
1143 return 1;
1144}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1145
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1146static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method,
1147 const char *rule_str,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1148 CIPHER_ORDER **head_p,
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1149 CIPHER_ORDER **tail_p) {
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1150 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1151 uint16_t min_version;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1152 const char *l, *buf;
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1153 int multi, skip_rule, rule, ok, in_group = 0, has_group = 0;
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1154 size_t j, buf_len;
1155 uint32_t cipher_id;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1156 char ch;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1157
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1158 l = rule_str;
1159 for (;;) {
1160 ch = *l;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1161
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1162 if (ch == '\0') {
1163 break; /* done */
1164 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1165
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1166 if (in_group) {
1167 if (ch == ']') {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1168 if (*tail_p) {
1169 (*tail_p)->in_group = 0;
1170 }
1171 in_group = 0;
1172 l++;
1173 continue;
1174 }
David Benjamin37d92462014-09-20 17:54:24 -0400[diff] [blame]1175
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1176 if (ch == '|') {
1177 rule = CIPHER_ADD;
1178 l++;
1179 continue;
1180 } else if (!(ch >= 'a' && ch <= 'z') && !(ch >= 'A' && ch <= 'Z') &&
1181 !(ch >= '0' && ch <= '9')) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1182 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP);
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1183 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1184 } else {
1185 rule = CIPHER_ADD;
1186 }
1187 } else if (ch == '-') {
1188 rule = CIPHER_DEL;
1189 l++;
1190 } else if (ch == '+') {
1191 rule = CIPHER_ORD;
1192 l++;
1193 } else if (ch == '!') {
1194 rule = CIPHER_KILL;
1195 l++;
1196 } else if (ch == '@') {
1197 rule = CIPHER_SPECIAL;
1198 l++;
1199 } else if (ch == '[') {
1200 if (in_group) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1201 OPENSSL_PUT_ERROR(SSL, SSL_R_NESTED_GROUP);
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1202 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1203 }
1204 in_group = 1;
1205 has_group = 1;
1206 l++;
1207 continue;
1208 } else {
1209 rule = CIPHER_ADD;
1210 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1211
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1212 /* If preference groups are enabled, the only legal operator is +.
1213 * Otherwise the in_group bits will get mixed up. */
1214 if (has_group && rule != CIPHER_ADD) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1215 OPENSSL_PUT_ERROR(SSL, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1216 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1217 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1218
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1219 if (ITEM_SEP(ch)) {
1220 l++;
1221 continue;
1222 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1223
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1224 multi = 0;
1225 cipher_id = 0;
1226 alg_mkey = ~0u;
1227 alg_auth = ~0u;
1228 alg_enc = ~0u;
1229 alg_mac = ~0u;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1230 min_version = 0;
1231 skip_rule = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1232
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1233 for (;;) {
1234 ch = *l;
1235 buf = l;
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1236 buf_len = 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1237 while (((ch >= 'A') && (ch <= 'Z')) || ((ch >= '0') && (ch <= '9')) ||
1238 ((ch >= 'a') && (ch <= 'z')) || (ch == '-') || (ch == '.')) {
1239 ch = *(++l);
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1240 buf_len++;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1241 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1242
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1243 if (buf_len == 0) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1244 /* We hit something we cannot deal with, it is no command or separator
1245 * nor alphanumeric, so we call this an error. */
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1246 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
Adam Langleyf99f2442016-10-02 09:53:38 -0700[diff] [blame]1247 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1248 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1249
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1250 if (rule == CIPHER_SPECIAL) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1251 break;
1252 }
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1253
1254 /* Look for a matching exact cipher. These aren't allowed in multipart
1255 * rules. */
1256 if (!multi && ch != '+') {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1257 for (j = 0; j < kCiphersLen; j++) {
1258 const SSL_CIPHER *cipher = &kCiphers[j];
1259 if (rule_equals(cipher->name, buf, buf_len)) {
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1260 cipher_id = cipher->id;
1261 break;
1262 }
1263 }
1264 }
1265 if (cipher_id == 0) {
1266 /* If not an exact cipher, look for a matching cipher alias. */
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1267 for (j = 0; j < kCipherAliasesLen; j++) {
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1268 if (rule_equals(kCipherAliases[j].name, buf, buf_len)) {
1269 alg_mkey &= kCipherAliases[j].algorithm_mkey;
1270 alg_auth &= kCipherAliases[j].algorithm_auth;
1271 alg_enc &= kCipherAliases[j].algorithm_enc;
1272 alg_mac &= kCipherAliases[j].algorithm_mac;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1273
1274 if (min_version != 0 &&
1275 min_version != kCipherAliases[j].min_version) {
1276 skip_rule = 1;
1277 } else {
1278 min_version = kCipherAliases[j].min_version;
1279 }
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1280 break;
1281 }
1282 }
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1283 if (j == kCipherAliasesLen) {
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1284 skip_rule = 1;
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1285 }
1286 }
1287
1288 /* Check for a multipart rule. */
1289 if (ch != '+') {
1290 break;
1291 }
1292 l++;
1293 multi = 1;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1294 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1295
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1296 /* If one of the CHACHA20_POLY1305 variants is selected, include the other
1297 * as well. They have the same name to avoid requiring changes in
1298 * configuration. Apply this transformation late so that the cipher name
1299 * still behaves as an exact name and not an alias in multipart rules.
1300 *
1301 * This is temporary and will be removed when the pre-standard construction
1302 * is removed. */
1303 if (cipher_id == TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD ||
1304 cipher_id == TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256) {
1305 cipher_id = 0;
1306 alg_mkey = SSL_kECDHE;
1307 alg_auth = SSL_aRSA;
1308 alg_enc = SSL_CHACHA20POLY1305|SSL_CHACHA20POLY1305_OLD;
1309 alg_mac = SSL_AEAD;
1310 } else if (cipher_id == TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD ||
1311 cipher_id == TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256) {
1312 cipher_id = 0;
1313 alg_mkey = SSL_kECDHE;
1314 alg_auth = SSL_aECDSA;
1315 alg_enc = SSL_CHACHA20POLY1305|SSL_CHACHA20POLY1305_OLD;
1316 alg_mac = SSL_AEAD;
1317 }
1318
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1319 /* Ok, we have the rule, now apply it. */
1320 if (rule == CIPHER_SPECIAL) {
1321 /* special command */
1322 ok = 0;
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1323 if (buf_len == 8 && !strncmp(buf, "STRENGTH", 8)) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1324 ok = ssl_cipher_strength_sort(head_p, tail_p);
1325 } else {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1326 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1327 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1328
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1329 if (ok == 0) {
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1330 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1331 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1332
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1333 /* We do not support any "multi" options together with "@", so throw away
1334 * the rest of the command, if any left, until end or ':' is found. */
1335 while (*l != '\0' && !ITEM_SEP(*l)) {
1336 l++;
1337 }
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1338 } else if (!skip_rule) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1339 ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth, alg_enc, alg_mac,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1340 min_version, rule, -1, in_group, head_p, tail_p);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1341 }
1342 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1343
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1344 if (in_group) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1345 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1346 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1347 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1348
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1349 return 1;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1350}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1351
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1352STACK_OF(SSL_CIPHER) *
1353ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *ssl_method,
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1354 struct ssl_cipher_preference_list_st **out_cipher_list,
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1355 const char *rule_str) {
David Benjamind2cb1c12016-11-02 17:49:09 -0400[diff] [blame]1356 STACK_OF(SSL_CIPHER) *cipherstack = NULL;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1357 CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1358 uint8_t *in_group_flags = NULL;
1359 unsigned int num_in_group_flags = 0;
1360 struct ssl_cipher_preference_list_st *pref_list = NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1361
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1362 /* Return with error if nothing to do. */
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1363 if (rule_str == NULL || out_cipher_list == NULL) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1364 return NULL;
1365 }
David Benjamin5213df42014-08-20 14:19:54 -0400[diff] [blame]1366
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1367 /* Now we have to collect the available ciphers from the compiled in ciphers.
1368 * We cannot get more than the number compiled in, so it is used for
1369 * allocation. */
Brian Smith5ba06892016-02-07 09:36:04 -1000[diff] [blame]1370 co_list = OPENSSL_malloc(sizeof(CIPHER_ORDER) * kCiphersLen);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1371 if (co_list == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1372 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1373 return NULL;
1374 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1375
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1376 ssl_cipher_collect_ciphers(ssl_method, co_list, &head, &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1377
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1378 /* Now arrange all ciphers by preference:
1379 * TODO(davidben): Compute this order once and copy it. */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1380
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]1381 /* Everything else being equal, prefer ECDHE_ECDSA and ECDHE_RSA over other
1382 * key exchange mechanisms */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1383 ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, ~0u, ~0u, 0, CIPHER_ADD, -1,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1384 0, &head, &tail);
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1385 ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0,
1386 &head, &tail);
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1387 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head,
1388 &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1389
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1390 /* Order the bulk ciphers. First the preferred AEAD ciphers. We prefer
1391 * CHACHA20 unless there is hardware support for fast and constant-time
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1392 * AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the
1393 * old one. */
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1394 if (EVP_has_aes_hardware()) {
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1395 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1396 &head, &tail);
David Benjamin43336652016-03-03 15:32:29 -0500[diff] [blame]1397 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1398 &head, &tail);
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1399 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
1400 -1, 0, &head, &tail);
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1401 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305_OLD, ~0u, 0,
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1402 CIPHER_ADD, -1, 0, &head, &tail);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1403 } else {
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1404 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
1405 -1, 0, &head, &tail);
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1406 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305_OLD, ~0u, 0,
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1407 CIPHER_ADD, -1, 0, &head, &tail);
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1408 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1409 &head, &tail);
David Benjamin43336652016-03-03 15:32:29 -0500[diff] [blame]1410 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1411 &head, &tail);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1412 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1413
David Benjamin43336652016-03-03 15:32:29 -0500[diff] [blame]1414 /* Then the legacy non-AEAD ciphers: AES_128_CBC, AES_256_CBC,
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]1415 * 3DES_EDE_CBC_SHA. */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1416 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, 0, CIPHER_ADD, -1, 0,
1417 &head, &tail);
David Benjamin43336652016-03-03 15:32:29 -0500[diff] [blame]1418 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, 0, CIPHER_ADD, -1, 0,
1419 &head, &tail);
1420 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, 0, CIPHER_ADD, -1, 0, &head,
1421 &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1422
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1423 /* Temporarily enable everything else for sorting */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1424 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0, &head,
1425 &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1426
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1427 /* Move ciphers without forward secrecy to the end. */
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1428 ssl_cipher_apply_rule(0, (SSL_kRSA | SSL_kPSK), ~0u, ~0u, ~0u, 0,
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1429 CIPHER_ORD, -1, 0, &head, &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1430
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1431 /* Now disable everything (maintaining the ordering!) */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1432 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head,
1433 &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1434
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1435 /* If the rule_string begins with DEFAULT, apply the default rule before
1436 * using the (possibly available) additional rules. */
David Benjamin11a7b3c2016-11-03 17:03:48 -0400[diff] [blame]1437 const char *rule_p = rule_str;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1438 if (strncmp(rule_str, "DEFAULT", 7) == 0) {
David Benjamin11a7b3c2016-11-03 17:03:48 -0400[diff] [blame]1439 if (!ssl_cipher_process_rulestr(ssl_method, SSL_DEFAULT_CIPHER_LIST, &head,
1440 &tail)) {
1441 goto err;
1442 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1443 rule_p += 7;
1444 if (*rule_p == ':') {
1445 rule_p++;
1446 }
1447 }
Adam Langley858a88d2014-06-20 12:00:00 -0700[diff] [blame]1448
David Benjamin11a7b3c2016-11-03 17:03:48 -0400[diff] [blame]1449 if (*rule_p != '\0' &&
1450 !ssl_cipher_process_rulestr(ssl_method, rule_p, &head, &tail)) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1451 goto err;
1452 }
1453
1454 /* Allocate new "cipherstack" for the result, return with error
1455 * if we cannot get one. */
1456 cipherstack = sk_SSL_CIPHER_new_null();
1457 if (cipherstack == NULL) {
1458 goto err;
1459 }
1460
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1461 in_group_flags = OPENSSL_malloc(kCiphersLen);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1462 if (!in_group_flags) {
1463 goto err;
1464 }
1465
1466 /* The cipher selection for the list is done. The ciphers are added
1467 * to the resulting precedence to the STACK_OF(SSL_CIPHER). */
1468 for (curr = head; curr != NULL; curr = curr->next) {
1469 if (curr->active) {
David Benjamin2adb7ec2015-01-11 19:59:06 -0500[diff] [blame]1470 if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
1471 goto err;
1472 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1473 in_group_flags[num_in_group_flags++] = curr->in_group;
1474 }
1475 }
1476 OPENSSL_free(co_list); /* Not needed any longer */
1477 co_list = NULL;
1478
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1479 pref_list = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
1480 if (!pref_list) {
1481 goto err;
1482 }
1483 pref_list->ciphers = cipherstack;
1484 pref_list->in_group_flags = OPENSSL_malloc(num_in_group_flags);
1485 if (!pref_list->in_group_flags) {
1486 goto err;
1487 }
1488 memcpy(pref_list->in_group_flags, in_group_flags, num_in_group_flags);
1489 OPENSSL_free(in_group_flags);
1490 in_group_flags = NULL;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1491 if (*out_cipher_list != NULL) {
1492 ssl_cipher_preference_list_free(*out_cipher_list);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1493 }
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1494 *out_cipher_list = pref_list;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1495 pref_list = NULL;
1496
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1497 return cipherstack;
Adam Langley858a88d2014-06-20 12:00:00 -0700[diff] [blame]1498
1499err:
David Benjamin2755a3e2015-04-22 16:17:58 -0400[diff] [blame]1500 OPENSSL_free(co_list);
1501 OPENSSL_free(in_group_flags);
1502 sk_SSL_CIPHER_free(cipherstack);
David Benjamin2755a3e2015-04-22 16:17:58 -0400[diff] [blame]1503 if (pref_list) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1504 OPENSSL_free(pref_list->in_group_flags);
1505 }
David Benjamin2755a3e2015-04-22 16:17:58 -0400[diff] [blame]1506 OPENSSL_free(pref_list);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1507 return NULL;
1508}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1509
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1510uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher) { return cipher->id; }
1511
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1512uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher) {
1513 uint32_t id = cipher->id;
1514 /* All ciphers are SSLv3. */
1515 assert((id & 0xff000000) == 0x03000000);
1516 return id & 0xffff;
1517}
1518
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1519int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher) {
1520 return (cipher->algorithm_enc & SSL_AES) != 0;
1521}
1522
1523int SSL_CIPHER_has_MD5_HMAC(const SSL_CIPHER *cipher) {
1524 return (cipher->algorithm_mac & SSL_MD5) != 0;
1525}
1526
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1527int SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER *cipher) {
1528 return (cipher->algorithm_mac & SSL_SHA1) != 0;
1529}
1530
David Benjamina211aee2016-02-24 17:18:44 -0500[diff] [blame]1531int SSL_CIPHER_has_SHA256_HMAC(const SSL_CIPHER *cipher) {
1532 return (cipher->algorithm_mac & SSL_SHA256) != 0;
1533}
1534
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1535int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher) {
David Benjaminc0125ef2015-09-09 09:11:07 -0400[diff] [blame]1536 return (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) != 0;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1537}
1538
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1539int SSL_CIPHER_is_AES128GCM(const SSL_CIPHER *cipher) {
1540 return (cipher->algorithm_enc & SSL_AES128GCM) != 0;
1541}
1542
Adam Langleyb00061c2015-11-16 17:44:52 -0800[diff] [blame]1543int SSL_CIPHER_is_AES128CBC(const SSL_CIPHER *cipher) {
1544 return (cipher->algorithm_enc & SSL_AES128) != 0;
1545}
1546
1547int SSL_CIPHER_is_AES256CBC(const SSL_CIPHER *cipher) {
1548 return (cipher->algorithm_enc & SSL_AES256) != 0;
1549}
1550
David Benjamin51a01a52015-10-29 13:19:56 -0400[diff] [blame]1551int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher) {
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1552 return (cipher->algorithm_enc &
1553 (SSL_CHACHA20POLY1305 | SSL_CHACHA20POLY1305_OLD)) != 0;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1554}
1555
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1556int SSL_CIPHER_is_NULL(const SSL_CIPHER *cipher) {
1557 return (cipher->algorithm_enc & SSL_eNULL) != 0;
1558}
1559
1560int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher) {
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]1561 return (cipher->algorithm_enc & SSL_eNULL) == 0 &&
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1562 cipher->algorithm_mac != SSL_AEAD;
1563}
1564
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1565int SSL_CIPHER_is_ECDSA(const SSL_CIPHER *cipher) {
1566 return (cipher->algorithm_auth & SSL_aECDSA) != 0;
1567}
1568
David Benjamin0fc7df52016-06-02 18:36:33 -0400[diff] [blame]1569int SSL_CIPHER_is_DHE(const SSL_CIPHER *cipher) {
1570 return (cipher->algorithm_mkey & SSL_kDHE) != 0;
1571}
1572
David Benjamin4cc36ad2015-12-19 14:23:26 -0500[diff] [blame]1573int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher) {
1574 return (cipher->algorithm_mkey & SSL_kECDHE) != 0;
1575}
1576
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]1577int SSL_CIPHER_is_CECPQ1(const SSL_CIPHER *cipher) {
1578 return (cipher->algorithm_mkey & SSL_kCECPQ1) != 0;
1579}
1580
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1581uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1582 if (cipher->algorithm_mkey == SSL_kGENERIC ||
1583 cipher->algorithm_auth == SSL_aGENERIC) {
1584 return TLS1_3_VERSION;
1585 }
1586
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1587 if (cipher->algorithm_prf != SSL_HANDSHAKE_MAC_DEFAULT) {
1588 /* Cipher suites before TLS 1.2 use the default PRF, while all those added
1589 * afterwards specify a particular hash. */
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1590 return TLS1_2_VERSION;
1591 }
1592 return SSL3_VERSION;
1593}
1594
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1595uint16_t SSL_CIPHER_get_max_version(const SSL_CIPHER *cipher) {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1596 if (cipher->algorithm_mkey == SSL_kGENERIC ||
1597 cipher->algorithm_auth == SSL_aGENERIC) {
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1598 return TLS1_3_VERSION;
1599 }
1600 return TLS1_2_VERSION;
1601}
1602
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1603/* return the actual cipher being used */
1604const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) {
1605 if (cipher != NULL) {
1606 return cipher->name;
1607 }
1608
1609 return "(NONE)";
1610}
1611
1612const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) {
1613 if (cipher == NULL) {
1614 return "";
1615 }
1616
1617 switch (cipher->algorithm_mkey) {
1618 case SSL_kRSA:
1619 return "RSA";
1620
1621 case SSL_kDHE:
1622 switch (cipher->algorithm_auth) {
1623 case SSL_aRSA:
1624 return "DHE_RSA";
1625 default:
1626 assert(0);
1627 return "UNKNOWN";
1628 }
1629
1630 case SSL_kECDHE:
1631 switch (cipher->algorithm_auth) {
1632 case SSL_aECDSA:
1633 return "ECDHE_ECDSA";
1634 case SSL_aRSA:
1635 return "ECDHE_RSA";
1636 case SSL_aPSK:
1637 return "ECDHE_PSK";
1638 default:
1639 assert(0);
1640 return "UNKNOWN";
1641 }
1642
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]1643 case SSL_kCECPQ1:
1644 switch (cipher->algorithm_auth) {
1645 case SSL_aECDSA:
1646 return "CECPQ1_ECDSA";
1647 case SSL_aRSA:
1648 return "CECPQ1_RSA";
1649 default:
1650 assert(0);
1651 return "UNKNOWN";
1652 }
1653
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1654 case SSL_kPSK:
1655 assert(cipher->algorithm_auth == SSL_aPSK);
1656 return "PSK";
1657
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1658 case SSL_kGENERIC:
1659 assert(cipher->algorithm_auth == SSL_aGENERIC);
1660 return "GENERIC";
1661
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1662 default:
1663 assert(0);
1664 return "UNKNOWN";
1665 }
1666}
1667
1668static const char *ssl_cipher_get_enc_name(const SSL_CIPHER *cipher) {
1669 switch (cipher->algorithm_enc) {
1670 case SSL_3DES:
1671 return "3DES_EDE_CBC";
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1672 case SSL_AES128:
1673 return "AES_128_CBC";
1674 case SSL_AES256:
1675 return "AES_256_CBC";
1676 case SSL_AES128GCM:
1677 return "AES_128_GCM";
1678 case SSL_AES256GCM:
1679 return "AES_256_GCM";
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1680 case SSL_CHACHA20POLY1305:
Brian Smith271777f2015-10-03 13:53:33 -1000[diff] [blame]1681 case SSL_CHACHA20POLY1305_OLD:
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1682 return "CHACHA20_POLY1305";
1683 break;
1684 default:
1685 assert(0);
1686 return "UNKNOWN";
1687 }
1688}
1689
1690static const char *ssl_cipher_get_prf_name(const SSL_CIPHER *cipher) {
David Benjaminb0883312015-08-06 09:54:13 -0400[diff] [blame]1691 switch (cipher->algorithm_prf) {
1692 case SSL_HANDSHAKE_MAC_DEFAULT:
1693 /* Before TLS 1.2, the PRF component is the hash used in the HMAC, which is
1694 * only ever MD5 or SHA-1. */
1695 switch (cipher->algorithm_mac) {
1696 case SSL_MD5:
1697 return "MD5";
1698 case SSL_SHA1:
1699 return "SHA";
1700 }
1701 break;
1702 case SSL_HANDSHAKE_MAC_SHA256:
1703 return "SHA256";
1704 case SSL_HANDSHAKE_MAC_SHA384:
1705 return "SHA384";
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1706 }
David Benjaminb0883312015-08-06 09:54:13 -0400[diff] [blame]1707 assert(0);
1708 return "UNKNOWN";
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1709}
1710
1711char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher) {
1712 if (cipher == NULL) {
1713 return NULL;
1714 }
1715
1716 const char *kx_name = SSL_CIPHER_get_kx_name(cipher);
1717 const char *enc_name = ssl_cipher_get_enc_name(cipher);
1718 const char *prf_name = ssl_cipher_get_prf_name(cipher);
1719
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1720 /* The final name is TLS_{kx_name}_WITH_{enc_name}_{prf_name} or
1721 * TLS_{enc_name}_{prf_name} depending on whether the cipher is AEAD-only. */
1722 size_t len = 4 + strlen(enc_name) + 1 + strlen(prf_name) + 1;
1723
1724 if (cipher->algorithm_mkey != SSL_kGENERIC) {
1725 len += strlen(kx_name) + 6;
1726 }
1727
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1728 char *ret = OPENSSL_malloc(len);
1729 if (ret == NULL) {
1730 return NULL;
1731 }
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1732
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1733 if (BUF_strlcpy(ret, "TLS_", len) >= len ||
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1734 (cipher->algorithm_mkey != SSL_kGENERIC &&
1735 (BUF_strlcat(ret, kx_name, len) >= len ||
1736 BUF_strlcat(ret, "_WITH_", len) >= len)) ||
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1737 BUF_strlcat(ret, enc_name, len) >= len ||
1738 BUF_strlcat(ret, "_", len) >= len ||
1739 BUF_strlcat(ret, prf_name, len) >= len) {
1740 assert(0);
1741 OPENSSL_free(ret);
1742 return NULL;
1743 }
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1744
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1745 assert(strlen(ret) + 1 == len);
1746 return ret;
1747}
1748
1749int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *out_alg_bits) {
1750 if (cipher == NULL) {
1751 return 0;
1752 }
1753
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1754 int alg_bits, strength_bits;
1755 switch (cipher->algorithm_enc) {
1756 case SSL_AES128:
1757 case SSL_AES128GCM:
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1758 alg_bits = 128;
1759 strength_bits = 128;
1760 break;
1761
1762 case SSL_AES256:
1763 case SSL_AES256GCM:
1764#if !defined(BORINGSSL_ANDROID_SYSTEM)
1765 case SSL_CHACHA20POLY1305_OLD:
1766#endif
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1767 case SSL_CHACHA20POLY1305:
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1768 alg_bits = 256;
1769 strength_bits = 256;
1770 break;
1771
1772 case SSL_3DES:
1773 alg_bits = 168;
1774 strength_bits = 112;
1775 break;
1776
1777 case SSL_eNULL:
1778 alg_bits = 0;
1779 strength_bits = 0;
1780 break;
1781
1782 default:
1783 assert(0);
1784 alg_bits = 0;
1785 strength_bits = 0;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1786 }
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1787
1788 if (out_alg_bits != NULL) {
1789 *out_alg_bits = alg_bits;
1790 }
1791 return strength_bits;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1792}
1793
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1794const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,
1795 int len) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1796 const char *kx, *au, *enc, *mac;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1797 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1798
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1799 alg_mkey = cipher->algorithm_mkey;
1800 alg_auth = cipher->algorithm_auth;
1801 alg_enc = cipher->algorithm_enc;
1802 alg_mac = cipher->algorithm_mac;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1803
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1804 switch (alg_mkey) {
1805 case SSL_kRSA:
1806 kx = "RSA";
1807 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1808
David Benjamin7061e282015-03-19 11:10:48 -0400[diff] [blame]1809 case SSL_kDHE:
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1810 kx = "DH";
1811 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1812
David Benjamin7061e282015-03-19 11:10:48 -0400[diff] [blame]1813 case SSL_kECDHE:
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1814 kx = "ECDH";
1815 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1816
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]1817 case SSL_kCECPQ1:
1818 kx = "CECPQ1";
1819 break;
1820
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1821 case SSL_kPSK:
1822 kx = "PSK";
1823 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1824
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1825 case SSL_kGENERIC:
1826 kx = "GENERIC";
1827 break;
1828
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1829 default:
1830 kx = "unknown";
1831 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1832
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1833 switch (alg_auth) {
1834 case SSL_aRSA:
1835 au = "RSA";
1836 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1837
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1838 case SSL_aECDSA:
1839 au = "ECDSA";
1840 break;
Adam Langley4d4bff82014-06-20 12:00:00 -0700[diff] [blame]1841
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1842 case SSL_aPSK:
1843 au = "PSK";
1844 break;
Adam Langley4d4bff82014-06-20 12:00:00 -0700[diff] [blame]1845
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1846 case SSL_aGENERIC:
1847 au = "GENERIC";
1848 break;
1849
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1850 default:
1851 au = "unknown";
1852 break;
1853 }
Adam Langleyde0b2022014-06-20 12:00:00 -0700[diff] [blame]1854
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1855 switch (alg_enc) {
1856 case SSL_3DES:
1857 enc = "3DES(168)";
1858 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1859
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1860 case SSL_AES128:
1861 enc = "AES(128)";
1862 break;
1863
1864 case SSL_AES256:
1865 enc = "AES(256)";
1866 break;
1867
1868 case SSL_AES128GCM:
1869 enc = "AESGCM(128)";
1870 break;
1871
1872 case SSL_AES256GCM:
1873 enc = "AESGCM(256)";
1874 break;
1875
Brian Smith271777f2015-10-03 13:53:33 -1000[diff] [blame]1876 case SSL_CHACHA20POLY1305_OLD:
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1877 enc = "ChaCha20-Poly1305-Old";
1878 break;
1879
1880 case SSL_CHACHA20POLY1305:
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1881 enc = "ChaCha20-Poly1305";
1882 break;
1883
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1884 case SSL_eNULL:
1885 enc="None";
1886 break;
1887
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1888 default:
1889 enc = "unknown";
1890 break;
1891 }
1892
1893 switch (alg_mac) {
1894 case SSL_MD5:
1895 mac = "MD5";
1896 break;
1897
1898 case SSL_SHA1:
1899 mac = "SHA1";
1900 break;
1901
1902 case SSL_SHA256:
1903 mac = "SHA256";
1904 break;
1905
1906 case SSL_SHA384:
1907 mac = "SHA384";
1908 break;
1909
1910 case SSL_AEAD:
1911 mac = "AEAD";
1912 break;
1913
1914 default:
1915 mac = "unknown";
1916 break;
1917 }
1918
1919 if (buf == NULL) {
1920 len = 128;
1921 buf = OPENSSL_malloc(len);
David Benjamin1eed2c02015-02-08 23:20:06 -0500[diff] [blame]1922 if (buf == NULL) {
1923 return NULL;
1924 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1925 } else if (len < 128) {
1926 return "Buffer too small";
1927 }
1928
Brian Smith0687bdf2016-01-17 09:18:26 -1000[diff] [blame]1929 BIO_snprintf(buf, len, "%-23s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n",
1930 cipher->name, kx, au, enc, mac);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1931 return buf;
1932}
1933
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1934const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher) {
1935 return "TLSv1/SSLv3";
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1936}
1937
Matt Braithwaite6a1275b2015-06-26 12:09:10 -0700[diff] [blame]1938COMP_METHOD *SSL_COMP_get_compression_methods(void) { return NULL; }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1939
Matt Braithwaite6a1275b2015-06-26 12:09:10 -0700[diff] [blame]1940int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) { return 1; }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1941
Matt Braithwaite6a1275b2015-06-26 12:09:10 -0700[diff] [blame]1942const char *SSL_COMP_get_name(const COMP_METHOD *comp) { return NULL; }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1943
Adam Langley3e9e0432016-10-03 15:58:07 -0700[diff] [blame]1944void SSL_COMP_free_compression_methods(void) {}
1945
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]1946int ssl_cipher_get_key_type(const SSL_CIPHER *cipher) {
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1947 uint32_t alg_a = cipher->algorithm_auth;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1948
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1949 if (alg_a & SSL_aECDSA) {
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]1950 return EVP_PKEY_EC;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1951 } else if (alg_a & SSL_aRSA) {
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]1952 return EVP_PKEY_RSA;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1953 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1954
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]1955 return EVP_PKEY_NONE;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1956}
David Benjamin9c651c92014-07-12 13:27:45 -0400[diff] [blame]1957
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]1958int ssl_cipher_uses_certificate_auth(const SSL_CIPHER *cipher) {
1959 return (cipher->algorithm_auth & SSL_aCERT) != 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1960}
1961
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1962int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) {
1963 /* Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. */
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]1964 if (cipher->algorithm_mkey & SSL_kDHE ||
1965 cipher->algorithm_mkey & SSL_kECDHE ||
1966 cipher->algorithm_mkey & SSL_kCECPQ1) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1967 return 1;
1968 }
1969
1970 /* It is optional in all others. */
1971 return 0;
1972}
David Benjaminb8d28cf2015-07-28 21:34:45 -0400[diff] [blame]1973
1974size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher) {
1975 size_t block_size;
1976 switch (cipher->algorithm_enc) {
1977 case SSL_3DES:
1978 block_size = 8;
1979 break;
1980 case SSL_AES128:
1981 case SSL_AES256:
1982 block_size = 16;
1983 break;
1984 default:
1985 return 0;
1986 }
1987
1988 size_t mac_len;
1989 switch (cipher->algorithm_mac) {
1990 case SSL_MD5:
1991 mac_len = MD5_DIGEST_LENGTH;
1992 break;
1993 case SSL_SHA1:
1994 mac_len = SHA_DIGEST_LENGTH;
1995 break;
1996 default:
1997 return 0;
1998 }
1999
2000 size_t ret = 1 + mac_len;
2001 ret += block_size - (ret % block_size);
2002 return ret;
2003}