Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 86e95b852eb4a1e43116cb6951b450b78bd52b4b / . / ssl / ssl_cipher.cc
blob: ecf87e857041002bff2956c7fb5f7a03edac6458 [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57/* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110/* ====================================================================
111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112 * ECC cipher suite support in OpenSSL originally developed by
113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
114 */
115/* ====================================================================
116 * Copyright 2005 Nokia. All rights reserved.
117 *
118 * The portions of the attached software ("Contribution") is developed by
119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
120 * license.
121 *
122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
124 * support (see RFC 4279) to OpenSSL.
125 *
126 * No patent licenses or other rights except those expressly stated in
127 * the OpenSSL open source license shall be deemed granted or received
128 * expressly, by implication, estoppel, or otherwise.
129 *
130 * No assurances are provided by Nokia that the Contribution does not
131 * infringe the patent or other intellectual property rights of any third
132 * party or that the license provides you with all the necessary rights
133 * to make use of the Contribution.
134 *
135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
139 * OTHERWISE. */
140
David Benjamin86e95b82017-07-18 16:34:25 -0400[diff] [blame^]141#define BORINGSSL_INTERNAL_CXX_TYPES
142
David Benjamin9e4e01e2015-09-15 01:48:04 -0400[diff] [blame]143#include <openssl/ssl.h>
144
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]145#include <assert.h>
David Benjaminf0ae1702015-04-07 23:05:04 -0400[diff] [blame]146#include <string.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]147
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]148#include <openssl/buf.h>
David Benjaminf0ae1702015-04-07 23:05:04 -0400[diff] [blame]149#include <openssl/err.h>
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]150#include <openssl/md5.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]151#include <openssl/mem.h>
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]152#include <openssl/sha.h>
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]153#include <openssl/stack.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]154
David Benjamin2ee94aa2015-04-07 22:38:30 -0400[diff] [blame]155#include "internal.h"
Steven Valdezcb966542016-08-17 16:56:14 -0400[diff] [blame]156#include "../crypto/internal.h"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]157
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]158
David Benjamin86e95b82017-07-18 16:34:25 -0400[diff] [blame^]159namespace bssl {
160
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]161/* kCiphers is an array of all supported ciphers, sorted by id. */
David Benjamin20c37312015-11-11 21:33:18 -0800[diff] [blame]162static const SSL_CIPHER kCiphers[] = {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]163 /* The RSA ciphers */
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]164 /* Cipher 02 */
165 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]166 SSL3_TXT_RSA_NULL_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]167 "TLS_RSA_WITH_NULL_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]168 SSL3_CK_RSA_NULL_SHA,
169 SSL_kRSA,
170 SSL_aRSA,
171 SSL_eNULL,
172 SSL_SHA1,
173 SSL_HANDSHAKE_MAC_DEFAULT,
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]174 },
175
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]176 /* Cipher 0A */
177 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]178 SSL3_TXT_RSA_DES_192_CBC3_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]179 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]180 SSL3_CK_RSA_DES_192_CBC3_SHA,
181 SSL_kRSA,
182 SSL_aRSA,
183 SSL_3DES,
184 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]185 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]186 },
187
188
189 /* New AES ciphersuites */
190
191 /* Cipher 2F */
192 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]193 TLS1_TXT_RSA_WITH_AES_128_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]194 "TLS_RSA_WITH_AES_128_CBC_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]195 TLS1_CK_RSA_WITH_AES_128_SHA,
196 SSL_kRSA,
197 SSL_aRSA,
198 SSL_AES128,
199 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]200 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]201 },
202
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]203 /* Cipher 35 */
204 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]205 TLS1_TXT_RSA_WITH_AES_256_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]206 "TLS_RSA_WITH_AES_256_CBC_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]207 TLS1_CK_RSA_WITH_AES_256_SHA,
208 SSL_kRSA,
209 SSL_aRSA,
210 SSL_AES256,
211 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]212 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]213 },
214
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]215
216 /* TLS v1.2 ciphersuites */
217
218 /* Cipher 3C */
219 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]220 TLS1_TXT_RSA_WITH_AES_128_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]221 "TLS_RSA_WITH_AES_128_CBC_SHA256",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]222 TLS1_CK_RSA_WITH_AES_128_SHA256,
223 SSL_kRSA,
224 SSL_aRSA,
225 SSL_AES128,
226 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]227 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]228 },
229
230 /* Cipher 3D */
231 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]232 TLS1_TXT_RSA_WITH_AES_256_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]233 "TLS_RSA_WITH_AES_256_CBC_SHA256",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]234 TLS1_CK_RSA_WITH_AES_256_SHA256,
235 SSL_kRSA,
236 SSL_aRSA,
237 SSL_AES256,
238 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]239 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]240 },
241
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]242 /* PSK cipher suites. */
243
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]244 /* Cipher 8C */
245 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]246 TLS1_TXT_PSK_WITH_AES_128_CBC_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]247 "TLS_PSK_WITH_AES_128_CBC_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]248 TLS1_CK_PSK_WITH_AES_128_CBC_SHA,
249 SSL_kPSK,
250 SSL_aPSK,
251 SSL_AES128,
252 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]253 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]254 },
255
256 /* Cipher 8D */
257 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]258 TLS1_TXT_PSK_WITH_AES_256_CBC_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]259 "TLS_PSK_WITH_AES_256_CBC_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]260 TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
261 SSL_kPSK,
262 SSL_aPSK,
263 SSL_AES256,
264 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]265 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]266 },
267
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]268 /* GCM ciphersuites from RFC5288 */
269
270 /* Cipher 9C */
271 {
272 TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]273 "TLS_RSA_WITH_AES_128_GCM_SHA256",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]274 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
275 SSL_kRSA,
276 SSL_aRSA,
277 SSL_AES128GCM,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]278 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]279 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]280 },
281
282 /* Cipher 9D */
283 {
284 TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]285 "TLS_RSA_WITH_AES_256_GCM_SHA384",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]286 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
287 SSL_kRSA,
288 SSL_aRSA,
289 SSL_AES256GCM,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]290 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]291 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]292 },
293
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]294 /* TLS 1.3 suites. */
295
296 /* Cipher 1301 */
297 {
298 TLS1_TXT_AES_128_GCM_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]299 "TLS_AES_128_GCM_SHA256",
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]300 TLS1_CK_AES_128_GCM_SHA256,
301 SSL_kGENERIC,
302 SSL_aGENERIC,
303 SSL_AES128GCM,
304 SSL_AEAD,
305 SSL_HANDSHAKE_MAC_SHA256,
306 },
307
308 /* Cipher 1302 */
309 {
310 TLS1_TXT_AES_256_GCM_SHA384,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]311 "TLS_AES_256_GCM_SHA384",
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]312 TLS1_CK_AES_256_GCM_SHA384,
313 SSL_kGENERIC,
314 SSL_aGENERIC,
315 SSL_AES256GCM,
316 SSL_AEAD,
317 SSL_HANDSHAKE_MAC_SHA384,
318 },
319
320 /* Cipher 1303 */
321 {
322 TLS1_TXT_CHACHA20_POLY1305_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]323 "TLS_CHACHA20_POLY1305_SHA256",
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]324 TLS1_CK_CHACHA20_POLY1305_SHA256,
325 SSL_kGENERIC,
326 SSL_aGENERIC,
327 SSL_CHACHA20POLY1305,
328 SSL_AEAD,
329 SSL_HANDSHAKE_MAC_SHA256,
330 },
331
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]332 /* Cipher C009 */
333 {
334 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]335 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]336 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
337 SSL_kECDHE,
338 SSL_aECDSA,
339 SSL_AES128,
340 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]341 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]342 },
343
344 /* Cipher C00A */
345 {
346 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]347 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]348 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
349 SSL_kECDHE,
350 SSL_aECDSA,
351 SSL_AES256,
352 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]353 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]354 },
355
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]356 /* Cipher C013 */
357 {
358 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]359 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]360 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
361 SSL_kECDHE,
362 SSL_aRSA,
363 SSL_AES128,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]364 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]365 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]366 },
367
368 /* Cipher C014 */
369 {
370 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]371 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]372 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
373 SSL_kECDHE,
374 SSL_aRSA,
375 SSL_AES256,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]376 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]377 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]378 },
379
380
381 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
382
383 /* Cipher C023 */
384 {
385 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]386 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]387 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
388 SSL_kECDHE,
389 SSL_aECDSA,
390 SSL_AES128,
391 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]392 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]393 },
394
395 /* Cipher C024 */
396 {
397 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]398 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]399 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
400 SSL_kECDHE,
401 SSL_aECDSA,
402 SSL_AES256,
403 SSL_SHA384,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]404 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]405 },
406
407 /* Cipher C027 */
408 {
409 TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]410 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]411 TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
412 SSL_kECDHE,
413 SSL_aRSA,
414 SSL_AES128,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]415 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]416 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]417 },
418
419 /* Cipher C028 */
420 {
421 TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]422 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]423 TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
424 SSL_kECDHE,
425 SSL_aRSA,
426 SSL_AES256,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]427 SSL_SHA384,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]428 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]429 },
430
431
432 /* GCM based TLS v1.2 ciphersuites from RFC5289 */
433
434 /* Cipher C02B */
435 {
436 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]437 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]438 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
439 SSL_kECDHE,
440 SSL_aECDSA,
441 SSL_AES128GCM,
442 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]443 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]444 },
445
446 /* Cipher C02C */
447 {
448 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]449 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]450 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
451 SSL_kECDHE,
452 SSL_aECDSA,
453 SSL_AES256GCM,
454 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]455 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]456 },
457
458 /* Cipher C02F */
459 {
460 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]461 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]462 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
463 SSL_kECDHE,
464 SSL_aRSA,
465 SSL_AES128GCM,
466 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]467 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]468 },
469
470 /* Cipher C030 */
471 {
472 TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]473 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]474 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
475 SSL_kECDHE,
476 SSL_aRSA,
477 SSL_AES256GCM,
478 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]479 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]480 },
481
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]482 /* ECDHE-PSK cipher suites. */
483
484 /* Cipher C035 */
485 {
486 TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]487 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]488 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]489 SSL_kECDHE,
490 SSL_aPSK,
491 SSL_AES128,
492 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]493 SSL_HANDSHAKE_MAC_DEFAULT,
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]494 },
495
496 /* Cipher C036 */
497 {
498 TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]499 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]500 TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]501 SSL_kECDHE,
502 SSL_aPSK,
503 SSL_AES256,
504 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]505 SSL_HANDSHAKE_MAC_DEFAULT,
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]506 },
507
508 /* ChaCha20-Poly1305 cipher suites. */
509
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]510 /* Cipher CCA8 */
511 {
512 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]513 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]514 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
515 SSL_kECDHE,
516 SSL_aRSA,
517 SSL_CHACHA20POLY1305,
518 SSL_AEAD,
519 SSL_HANDSHAKE_MAC_SHA256,
520 },
521
522 /* Cipher CCA9 */
523 {
524 TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]525 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]526 TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
527 SSL_kECDHE,
528 SSL_aECDSA,
529 SSL_CHACHA20POLY1305,
530 SSL_AEAD,
531 SSL_HANDSHAKE_MAC_SHA256,
532 },
533
534 /* Cipher CCAB */
535 {
536 TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]537 "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]538 TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
539 SSL_kECDHE,
540 SSL_aPSK,
541 SSL_CHACHA20POLY1305,
542 SSL_AEAD,
543 SSL_HANDSHAKE_MAC_SHA256,
544 },
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]545
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]546};
547
Steven Valdezcb966542016-08-17 16:56:14 -0400[diff] [blame]548static const size_t kCiphersLen = OPENSSL_ARRAY_SIZE(kCiphers);
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]549
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]550#define CIPHER_ADD 1
551#define CIPHER_KILL 2
552#define CIPHER_DEL 3
553#define CIPHER_ORD 4
554#define CIPHER_SPECIAL 5
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]555
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]556typedef struct cipher_order_st {
557 const SSL_CIPHER *cipher;
558 int active;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]559 int in_group;
560 struct cipher_order_st *next, *prev;
561} CIPHER_ORDER;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]562
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]563typedef struct cipher_alias_st {
564 /* name is the name of the cipher alias. */
565 const char *name;
566
567 /* The following fields are bitmasks for the corresponding fields on
568 * |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the
569 * bit corresponding to the cipher's value is set to 1. If any bitmask is
570 * all zeroes, the alias matches nothing. Use |~0u| for the default value. */
571 uint32_t algorithm_mkey;
572 uint32_t algorithm_auth;
573 uint32_t algorithm_enc;
574 uint32_t algorithm_mac;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]575
576 /* min_version, if non-zero, matches all ciphers which were added in that
577 * particular protocol version. */
578 uint16_t min_version;
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]579} CIPHER_ALIAS;
580
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]581static const CIPHER_ALIAS kCipherAliases[] = {
Matthew Braithwaite651aaef2016-12-08 16:14:36 -0800[diff] [blame]582 /* "ALL" doesn't include eNULL. It must be explicitly enabled. */
583 {"ALL", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]584
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]585 /* The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]586
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]587 /* key exchange aliases
588 * (some of those using only a single bit here combine
Matthew Braithwaite7e06de52017-04-10 15:52:14 -0700[diff] [blame]589 * multiple key exchange algs according to the RFCs. */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]590 {"kRSA", SSL_kRSA, ~0u, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]591
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]592 {"kECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
593 {"kEECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
594 {"ECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]595
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]596 {"kPSK", SSL_kPSK, ~0u, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]597
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]598 /* server authentication aliases */
Matthew Braithwaite651aaef2016-12-08 16:14:36 -0800[diff] [blame]599 {"aRSA", ~0u, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
600 {"aECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
601 {"ECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]602 {"aPSK", ~0u, SSL_aPSK, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]603
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]604 /* aliases combining key exchange and server authentication */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]605 {"ECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
606 {"EECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
607 {"RSA", SSL_kRSA, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
608 {"PSK", SSL_kPSK, SSL_aPSK, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]609
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]610 /* symmetric encryption aliases */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]611 {"3DES", ~0u, ~0u, SSL_3DES, ~0u, 0},
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]612 {"AES128", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0},
Matthew Braithwaite651aaef2016-12-08 16:14:36 -0800[diff] [blame]613 {"AES256", ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0},
614 {"AES", ~0u, ~0u, SSL_AES, ~0u, 0},
615 {"AESGCM", ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0},
Adam Langley2e839242017-01-19 15:12:44 -0800[diff] [blame]616 {"CHACHA20", ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]617
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]618 /* MAC aliases */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]619 {"SHA1", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
620 {"SHA", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
Matthew Braithwaite651aaef2016-12-08 16:14:36 -0800[diff] [blame]621 {"SHA256", ~0u, ~0u, ~0u, SSL_SHA256, 0},
622 {"SHA384", ~0u, ~0u, ~0u, SSL_SHA384, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]623
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]624 /* Legacy protocol minimum version aliases. "TLSv1" is intentionally the
625 * same as "SSLv3". */
Matthew Braithwaite651aaef2016-12-08 16:14:36 -0800[diff] [blame]626 {"SSLv3", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
627 {"TLSv1", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
628 {"TLSv1.2", ~0u, ~0u, ~SSL_eNULL, ~0u, TLS1_2_VERSION},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]629
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]630 /* Legacy strength classes. */
Matthew Braithwaite651aaef2016-12-08 16:14:36 -0800[diff] [blame]631 {"HIGH", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
632 {"FIPS", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]633};
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]634
Steven Valdezcb966542016-08-17 16:56:14 -0400[diff] [blame]635static const size_t kCipherAliasesLen = OPENSSL_ARRAY_SIZE(kCipherAliases);
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]636
637static int ssl_cipher_id_cmp(const void *in_a, const void *in_b) {
David Benjamine64d2c72017-07-12 16:31:08 -0400[diff] [blame]638 const SSL_CIPHER *a = reinterpret_cast<const SSL_CIPHER *>(in_a);
639 const SSL_CIPHER *b = reinterpret_cast<const SSL_CIPHER *>(in_b);
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]640
641 if (a->id > b->id) {
642 return 1;
643 } else if (a->id < b->id) {
644 return -1;
645 } else {
646 return 0;
647 }
648}
649
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]650int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
651 size_t *out_mac_secret_len,
652 size_t *out_fixed_iv_len,
Steven Valdez2f3404b2017-05-24 16:54:35 -0400[diff] [blame]653 const SSL_CIPHER *cipher, uint16_t version, int is_dtls) {
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]654 *out_aead = NULL;
655 *out_mac_secret_len = 0;
656 *out_fixed_iv_len = 0;
Adam Langleyc9fb3752014-06-20 12:00:00 -0700[diff] [blame]657
Steven Valdez2f3404b2017-05-24 16:54:35 -0400[diff] [blame]658 const int is_tls12 = version == TLS1_2_VERSION && !is_dtls;
659
David Benjamin305e6fb2016-10-27 18:19:00 -0400[diff] [blame]660 if (cipher->algorithm_mac == SSL_AEAD) {
661 if (cipher->algorithm_enc == SSL_AES128GCM) {
Steven Valdez2f3404b2017-05-24 16:54:35 -0400[diff] [blame]662 *out_aead =
663 is_tls12 ? EVP_aead_aes_128_gcm_tls12() : EVP_aead_aes_128_gcm();
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]664 *out_fixed_iv_len = 4;
David Benjamin305e6fb2016-10-27 18:19:00 -0400[diff] [blame]665 } else if (cipher->algorithm_enc == SSL_AES256GCM) {
Steven Valdez2f3404b2017-05-24 16:54:35 -0400[diff] [blame]666 *out_aead =
667 is_tls12 ? EVP_aead_aes_256_gcm_tls12() : EVP_aead_aes_256_gcm();
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]668 *out_fixed_iv_len = 4;
David Benjamin305e6fb2016-10-27 18:19:00 -0400[diff] [blame]669 } else if (cipher->algorithm_enc == SSL_CHACHA20POLY1305) {
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]670 *out_aead = EVP_aead_chacha20_poly1305();
671 *out_fixed_iv_len = 12;
David Benjamin305e6fb2016-10-27 18:19:00 -0400[diff] [blame]672 } else {
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]673 return 0;
David Benjamin305e6fb2016-10-27 18:19:00 -0400[diff] [blame]674 }
675
676 /* In TLS 1.3, the iv_len is equal to the AEAD nonce length whereas the code
677 * above computes the TLS 1.2 construction. */
678 if (version >= TLS1_3_VERSION) {
679 *out_fixed_iv_len = EVP_AEAD_nonce_length(*out_aead);
680 }
681 } else if (cipher->algorithm_mac == SSL_SHA1) {
682 if (cipher->algorithm_enc == SSL_eNULL) {
683 if (version == SSL3_VERSION) {
684 *out_aead = EVP_aead_null_sha1_ssl3();
685 } else {
686 *out_aead = EVP_aead_null_sha1_tls();
687 }
688 } else if (cipher->algorithm_enc == SSL_3DES) {
689 if (version == SSL3_VERSION) {
690 *out_aead = EVP_aead_des_ede3_cbc_sha1_ssl3();
691 *out_fixed_iv_len = 8;
692 } else if (version == TLS1_VERSION) {
693 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv();
694 *out_fixed_iv_len = 8;
695 } else {
696 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls();
697 }
698 } else if (cipher->algorithm_enc == SSL_AES128) {
699 if (version == SSL3_VERSION) {
700 *out_aead = EVP_aead_aes_128_cbc_sha1_ssl3();
701 *out_fixed_iv_len = 16;
702 } else if (version == TLS1_VERSION) {
703 *out_aead = EVP_aead_aes_128_cbc_sha1_tls_implicit_iv();
704 *out_fixed_iv_len = 16;
705 } else {
706 *out_aead = EVP_aead_aes_128_cbc_sha1_tls();
707 }
708 } else if (cipher->algorithm_enc == SSL_AES256) {
709 if (version == SSL3_VERSION) {
710 *out_aead = EVP_aead_aes_256_cbc_sha1_ssl3();
711 *out_fixed_iv_len = 16;
712 } else if (version == TLS1_VERSION) {
713 *out_aead = EVP_aead_aes_256_cbc_sha1_tls_implicit_iv();
714 *out_fixed_iv_len = 16;
715 } else {
716 *out_aead = EVP_aead_aes_256_cbc_sha1_tls();
717 }
718 } else {
719 return 0;
720 }
721
722 *out_mac_secret_len = SHA_DIGEST_LENGTH;
723 } else if (cipher->algorithm_mac == SSL_SHA256) {
724 if (cipher->algorithm_enc == SSL_AES128) {
725 *out_aead = EVP_aead_aes_128_cbc_sha256_tls();
726 } else if (cipher->algorithm_enc == SSL_AES256) {
727 *out_aead = EVP_aead_aes_256_cbc_sha256_tls();
728 } else {
729 return 0;
730 }
731
732 *out_mac_secret_len = SHA256_DIGEST_LENGTH;
733 } else if (cipher->algorithm_mac == SSL_SHA384) {
734 if (cipher->algorithm_enc != SSL_AES256) {
735 return 0;
736 }
737
738 *out_aead = EVP_aead_aes_256_cbc_sha384_tls();
739 *out_mac_secret_len = SHA384_DIGEST_LENGTH;
740 } else {
741 return 0;
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]742 }
Steven Valdez79750562016-06-16 06:38:04 -0400[diff] [blame]743
Steven Valdez79750562016-06-16 06:38:04 -0400[diff] [blame]744 return 1;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]745}
Adam Langleyc9fb3752014-06-20 12:00:00 -0700[diff] [blame]746
Steven Valdez908ac192017-01-12 13:17:07 -0500[diff] [blame]747const EVP_MD *ssl_get_handshake_digest(uint32_t algorithm_prf,
748 uint16_t version) {
David Benjaminb0883312015-08-06 09:54:13 -0400[diff] [blame]749 switch (algorithm_prf) {
750 case SSL_HANDSHAKE_MAC_DEFAULT:
Steven Valdez908ac192017-01-12 13:17:07 -0500[diff] [blame]751 return version >= TLS1_2_VERSION ? EVP_sha256() : EVP_md5_sha1();
David Benjaminb0883312015-08-06 09:54:13 -0400[diff] [blame]752 case SSL_HANDSHAKE_MAC_SHA256:
753 return EVP_sha256();
754 case SSL_HANDSHAKE_MAC_SHA384:
755 return EVP_sha384();
756 default:
757 return NULL;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]758 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]759}
760
761#define ITEM_SEP(a) \
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]762 (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]763
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]764/* rule_equals returns one iff the NUL-terminated string |rule| is equal to the
765 * |buf_len| bytes at |buf|. */
766static int rule_equals(const char *rule, const char *buf, size_t buf_len) {
767 /* |strncmp| alone only checks that |buf| is a prefix of |rule|. */
768 return strncmp(rule, buf, buf_len) == 0 && rule[buf_len] == '\0';
769}
770
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]771static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]772 CIPHER_ORDER **tail) {
773 if (curr == *tail) {
774 return;
775 }
776 if (curr == *head) {
777 *head = curr->next;
778 }
779 if (curr->prev != NULL) {
780 curr->prev->next = curr->next;
781 }
782 if (curr->next != NULL) {
783 curr->next->prev = curr->prev;
784 }
785 (*tail)->next = curr;
786 curr->prev = *tail;
787 curr->next = NULL;
788 *tail = curr;
789}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]790
791static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]792 CIPHER_ORDER **tail) {
793 if (curr == *head) {
794 return;
795 }
796 if (curr == *tail) {
797 *tail = curr->prev;
798 }
799 if (curr->next != NULL) {
800 curr->next->prev = curr->prev;
801 }
802 if (curr->prev != NULL) {
803 curr->prev->next = curr->next;
804 }
805 (*head)->prev = curr;
806 curr->next = *head;
807 curr->prev = NULL;
808 *head = curr;
809}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]810
David Benjamin82c9e902014-12-12 15:55:27 -0500[diff] [blame]811static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]812 CIPHER_ORDER *co_list,
813 CIPHER_ORDER **head_p,
814 CIPHER_ORDER **tail_p) {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]815 /* The set of ciphers is static, but some subset may be unsupported by
816 * |ssl_method|, so the list may be smaller. */
817 size_t co_list_num = 0;
David Benjamin54091232016-09-05 12:47:25 -0400[diff] [blame]818 for (size_t i = 0; i < kCiphersLen; i++) {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]819 const SSL_CIPHER *cipher = &kCiphers[i];
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]820 if (ssl_method->supports_cipher(cipher) &&
821 /* TLS 1.3 ciphers do not participate in this mechanism. */
822 cipher->algorithm_mkey != SSL_kGENERIC) {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]823 co_list[co_list_num].cipher = cipher;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]824 co_list[co_list_num].next = NULL;
825 co_list[co_list_num].prev = NULL;
826 co_list[co_list_num].active = 0;
827 co_list[co_list_num].in_group = 0;
828 co_list_num++;
829 }
830 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]831
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]832 /* Prepare linked list from list entries. */
833 if (co_list_num > 0) {
834 co_list[0].prev = NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]835
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]836 if (co_list_num > 1) {
837 co_list[0].next = &co_list[1];
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]838
David Benjamin54091232016-09-05 12:47:25 -0400[diff] [blame]839 for (size_t i = 1; i < co_list_num - 1; i++) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]840 co_list[i].prev = &co_list[i - 1];
841 co_list[i].next = &co_list[i + 1];
842 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]843
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]844 co_list[co_list_num - 1].prev = &co_list[co_list_num - 2];
845 }
846
847 co_list[co_list_num - 1].next = NULL;
848
849 *head_p = &co_list[0];
850 *tail_p = &co_list[co_list_num - 1];
851 }
852}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]853
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]854/* ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its
855 * parameters in the linked list from |*head_p| to |*tail_p|. It writes the new
856 * head and tail of the list to |*head_p| and |*tail_p|, respectively.
857 *
858 * - If |cipher_id| is non-zero, only that cipher is selected.
859 * - Otherwise, if |strength_bits| is non-negative, it selects ciphers
860 * of that strength.
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]861 * - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]862 * |min_version|. */
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]863static void ssl_cipher_apply_rule(
David Benjamin107db582015-04-08 00:41:59 -0400[diff] [blame]864 uint32_t cipher_id, uint32_t alg_mkey, uint32_t alg_auth,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]865 uint32_t alg_enc, uint32_t alg_mac, uint16_t min_version, int rule,
866 int strength_bits, int in_group, CIPHER_ORDER **head_p,
867 CIPHER_ORDER **tail_p) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]868 CIPHER_ORDER *head, *tail, *curr, *next, *last;
869 const SSL_CIPHER *cp;
870 int reverse = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]871
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]872 if (cipher_id == 0 && strength_bits == -1 && min_version == 0 &&
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]873 (alg_mkey == 0 || alg_auth == 0 || alg_enc == 0 || alg_mac == 0)) {
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]874 /* The rule matches nothing, so bail early. */
875 return;
876 }
877
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]878 if (rule == CIPHER_DEL) {
879 /* needed to maintain sorting between currently deleted ciphers */
880 reverse = 1;
881 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]882
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]883 head = *head_p;
884 tail = *tail_p;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]885
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]886 if (reverse) {
887 next = tail;
888 last = head;
889 } else {
890 next = head;
891 last = tail;
892 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]893
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]894 curr = NULL;
895 for (;;) {
896 if (curr == last) {
897 break;
898 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]899
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]900 curr = next;
901 if (curr == NULL) {
902 break;
903 }
Adam Langleye3142a72014-07-24 17:56:48 -0700[diff] [blame]904
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]905 next = reverse ? curr->prev : curr->next;
906 cp = curr->cipher;
Adam Langleye3142a72014-07-24 17:56:48 -0700[diff] [blame]907
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]908 /* Selection criteria is either a specific cipher, the value of
909 * |strength_bits|, or the algorithms used. */
910 if (cipher_id != 0) {
911 if (cipher_id != cp->id) {
912 continue;
913 }
914 } else if (strength_bits >= 0) {
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]915 if (strength_bits != SSL_CIPHER_get_bits(cp, NULL)) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]916 continue;
917 }
David Benjamin881f1962016-08-10 18:29:12 -0400[diff] [blame]918 } else {
919 if (!(alg_mkey & cp->algorithm_mkey) ||
920 !(alg_auth & cp->algorithm_auth) ||
921 !(alg_enc & cp->algorithm_enc) ||
922 !(alg_mac & cp->algorithm_mac) ||
923 (min_version != 0 && SSL_CIPHER_get_min_version(cp) != min_version)) {
924 continue;
925 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]926 }
Adam Langleye3142a72014-07-24 17:56:48 -0700[diff] [blame]927
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]928 /* add the cipher if it has not been added yet. */
929 if (rule == CIPHER_ADD) {
930 /* reverse == 0 */
931 if (!curr->active) {
932 ll_append_tail(&head, curr, &tail);
933 curr->active = 1;
934 curr->in_group = in_group;
935 }
936 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]937
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]938 /* Move the added cipher to this location */
939 else if (rule == CIPHER_ORD) {
940 /* reverse == 0 */
941 if (curr->active) {
942 ll_append_tail(&head, curr, &tail);
943 curr->in_group = 0;
944 }
945 } else if (rule == CIPHER_DEL) {
946 /* reverse == 1 */
947 if (curr->active) {
948 /* most recently deleted ciphersuites get best positions
949 * for any future CIPHER_ADD (note that the CIPHER_DEL loop
950 * works in reverse to maintain the order) */
951 ll_append_head(&head, curr, &tail);
952 curr->active = 0;
953 curr->in_group = 0;
954 }
955 } else if (rule == CIPHER_KILL) {
956 /* reverse == 0 */
957 if (head == curr) {
958 head = curr->next;
959 } else {
960 curr->prev->next = curr->next;
961 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]962
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]963 if (tail == curr) {
964 tail = curr->prev;
965 }
966 curr->active = 0;
967 if (curr->next != NULL) {
968 curr->next->prev = curr->prev;
969 }
970 if (curr->prev != NULL) {
971 curr->prev->next = curr->next;
972 }
973 curr->next = NULL;
974 curr->prev = NULL;
975 }
976 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]977
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]978 *head_p = head;
979 *tail_p = tail;
980}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]981
982static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]983 CIPHER_ORDER **tail_p) {
984 int max_strength_bits, i, *number_uses;
985 CIPHER_ORDER *curr;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]986
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]987 /* This routine sorts the ciphers with descending strength. The sorting must
988 * keep the pre-sorted sequence, so we apply the normal sorting routine as
989 * '+' movement to the end of the list. */
990 max_strength_bits = 0;
991 curr = *head_p;
992 while (curr != NULL) {
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]993 if (curr->active &&
994 SSL_CIPHER_get_bits(curr->cipher, NULL) > max_strength_bits) {
995 max_strength_bits = SSL_CIPHER_get_bits(curr->cipher, NULL);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]996 }
997 curr = curr->next;
998 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]999
David Benjamine64d2c72017-07-12 16:31:08 -0400[diff] [blame]1000 number_uses = (int *)OPENSSL_malloc((max_strength_bits + 1) * sizeof(int));
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1001 if (!number_uses) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1002 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1003 return 0;
1004 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1005 OPENSSL_memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int));
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1006
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1007 /* Now find the strength_bits values actually used. */
1008 curr = *head_p;
1009 while (curr != NULL) {
1010 if (curr->active) {
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1011 number_uses[SSL_CIPHER_get_bits(curr->cipher, NULL)]++;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1012 }
1013 curr = curr->next;
1014 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1015
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1016 /* Go through the list of used strength_bits values in descending order. */
1017 for (i = max_strength_bits; i >= 0; i--) {
1018 if (number_uses[i] > 0) {
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1019 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i, 0, head_p, tail_p);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1020 }
1021 }
1022
1023 OPENSSL_free(number_uses);
1024 return 1;
1025}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1026
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1027static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method,
1028 const char *rule_str,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1029 CIPHER_ORDER **head_p,
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]1030 CIPHER_ORDER **tail_p, int strict) {
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1031 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1032 uint16_t min_version;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1033 const char *l, *buf;
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]1034 int multi, skip_rule, rule, in_group = 0, has_group = 0;
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1035 size_t j, buf_len;
1036 uint32_t cipher_id;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1037 char ch;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1038
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1039 l = rule_str;
1040 for (;;) {
1041 ch = *l;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1042
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1043 if (ch == '\0') {
1044 break; /* done */
1045 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1046
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1047 if (in_group) {
1048 if (ch == ']') {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1049 if (*tail_p) {
1050 (*tail_p)->in_group = 0;
1051 }
1052 in_group = 0;
1053 l++;
1054 continue;
1055 }
David Benjamin37d92462014-09-20 17:54:24 -0400[diff] [blame]1056
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1057 if (ch == '|') {
1058 rule = CIPHER_ADD;
1059 l++;
1060 continue;
1061 } else if (!(ch >= 'a' && ch <= 'z') && !(ch >= 'A' && ch <= 'Z') &&
1062 !(ch >= '0' && ch <= '9')) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1063 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP);
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1064 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1065 } else {
1066 rule = CIPHER_ADD;
1067 }
1068 } else if (ch == '-') {
1069 rule = CIPHER_DEL;
1070 l++;
1071 } else if (ch == '+') {
1072 rule = CIPHER_ORD;
1073 l++;
1074 } else if (ch == '!') {
1075 rule = CIPHER_KILL;
1076 l++;
1077 } else if (ch == '@') {
1078 rule = CIPHER_SPECIAL;
1079 l++;
1080 } else if (ch == '[') {
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]1081 assert(!in_group);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1082 in_group = 1;
1083 has_group = 1;
1084 l++;
1085 continue;
1086 } else {
1087 rule = CIPHER_ADD;
1088 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1089
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1090 /* If preference groups are enabled, the only legal operator is +.
1091 * Otherwise the in_group bits will get mixed up. */
1092 if (has_group && rule != CIPHER_ADD) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1093 OPENSSL_PUT_ERROR(SSL, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1094 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1095 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1096
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1097 if (ITEM_SEP(ch)) {
1098 l++;
1099 continue;
1100 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1101
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1102 multi = 0;
1103 cipher_id = 0;
1104 alg_mkey = ~0u;
1105 alg_auth = ~0u;
1106 alg_enc = ~0u;
1107 alg_mac = ~0u;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1108 min_version = 0;
1109 skip_rule = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1110
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1111 for (;;) {
1112 ch = *l;
1113 buf = l;
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1114 buf_len = 0;
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]1115 while ((ch >= 'A' && ch <= 'Z') || (ch >= '0' && ch <= '9') ||
1116 (ch >= 'a' && ch <= 'z') || ch == '-' || ch == '.' || ch == '_') {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1117 ch = *(++l);
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1118 buf_len++;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1119 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1120
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1121 if (buf_len == 0) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1122 /* We hit something we cannot deal with, it is no command or separator
1123 * nor alphanumeric, so we call this an error. */
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1124 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
Adam Langleyf99f2442016-10-02 09:53:38 -0700[diff] [blame]1125 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1126 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1127
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1128 if (rule == CIPHER_SPECIAL) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1129 break;
1130 }
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1131
1132 /* Look for a matching exact cipher. These aren't allowed in multipart
1133 * rules. */
1134 if (!multi && ch != '+') {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1135 for (j = 0; j < kCiphersLen; j++) {
1136 const SSL_CIPHER *cipher = &kCiphers[j];
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]1137 if (rule_equals(cipher->name, buf, buf_len) ||
1138 rule_equals(cipher->standard_name, buf, buf_len)) {
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1139 cipher_id = cipher->id;
1140 break;
1141 }
1142 }
1143 }
1144 if (cipher_id == 0) {
1145 /* If not an exact cipher, look for a matching cipher alias. */
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1146 for (j = 0; j < kCipherAliasesLen; j++) {
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1147 if (rule_equals(kCipherAliases[j].name, buf, buf_len)) {
1148 alg_mkey &= kCipherAliases[j].algorithm_mkey;
1149 alg_auth &= kCipherAliases[j].algorithm_auth;
1150 alg_enc &= kCipherAliases[j].algorithm_enc;
1151 alg_mac &= kCipherAliases[j].algorithm_mac;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1152
1153 if (min_version != 0 &&
1154 min_version != kCipherAliases[j].min_version) {
1155 skip_rule = 1;
1156 } else {
1157 min_version = kCipherAliases[j].min_version;
1158 }
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1159 break;
1160 }
1161 }
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1162 if (j == kCipherAliasesLen) {
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1163 skip_rule = 1;
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]1164 if (strict) {
1165 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1166 return 0;
1167 }
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1168 }
1169 }
1170
1171 /* Check for a multipart rule. */
1172 if (ch != '+') {
1173 break;
1174 }
1175 l++;
1176 multi = 1;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1177 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1178
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1179 /* Ok, we have the rule, now apply it. */
1180 if (rule == CIPHER_SPECIAL) {
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]1181 if (buf_len != 8 || strncmp(buf, "STRENGTH", 8) != 0) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1182 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]1183 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1184 }
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]1185 if (!ssl_cipher_strength_sort(head_p, tail_p)) {
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1186 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1187 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1188
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1189 /* We do not support any "multi" options together with "@", so throw away
1190 * the rest of the command, if any left, until end or ':' is found. */
1191 while (*l != '\0' && !ITEM_SEP(*l)) {
1192 l++;
1193 }
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1194 } else if (!skip_rule) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1195 ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth, alg_enc, alg_mac,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1196 min_version, rule, -1, in_group, head_p, tail_p);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1197 }
1198 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1199
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1200 if (in_group) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1201 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1202 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1203 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1204
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1205 return 1;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1206}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1207
Matthew Braithwaite6ad20dc2017-02-21 16:41:33 -0800[diff] [blame]1208int ssl_create_cipher_list(
1209 const SSL_PROTOCOL_METHOD *ssl_method,
1210 struct ssl_cipher_preference_list_st **out_cipher_list,
1211 const char *rule_str, int strict) {
David Benjamind2cb1c12016-11-02 17:49:09 -0400[diff] [blame]1212 STACK_OF(SSL_CIPHER) *cipherstack = NULL;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1213 CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1214 uint8_t *in_group_flags = NULL;
1215 unsigned int num_in_group_flags = 0;
1216 struct ssl_cipher_preference_list_st *pref_list = NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1217
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1218 /* Return with error if nothing to do. */
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1219 if (rule_str == NULL || out_cipher_list == NULL) {
Matthew Braithwaite6ad20dc2017-02-21 16:41:33 -0800[diff] [blame]1220 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1221 }
David Benjamin5213df42014-08-20 14:19:54 -0400[diff] [blame]1222
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1223 /* Now we have to collect the available ciphers from the compiled in ciphers.
1224 * We cannot get more than the number compiled in, so it is used for
1225 * allocation. */
David Benjamine64d2c72017-07-12 16:31:08 -0400[diff] [blame]1226 co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * kCiphersLen);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1227 if (co_list == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1228 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Matthew Braithwaite6ad20dc2017-02-21 16:41:33 -0800[diff] [blame]1229 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1230 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1231
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1232 ssl_cipher_collect_ciphers(ssl_method, co_list, &head, &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1233
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1234 /* Now arrange all ciphers by preference:
1235 * TODO(davidben): Compute this order once and copy it. */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1236
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]1237 /* Everything else being equal, prefer ECDHE_ECDSA and ECDHE_RSA over other
1238 * key exchange mechanisms */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1239 ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, ~0u, ~0u, 0, CIPHER_ADD, -1,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1240 0, &head, &tail);
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1241 ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0,
1242 &head, &tail);
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1243 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head,
1244 &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1245
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1246 /* Order the bulk ciphers. First the preferred AEAD ciphers. We prefer
1247 * CHACHA20 unless there is hardware support for fast and constant-time
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1248 * AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the
1249 * old one. */
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1250 if (EVP_has_aes_hardware()) {
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1251 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1252 &head, &tail);
David Benjamin43336652016-03-03 15:32:29 -0500[diff] [blame]1253 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1254 &head, &tail);
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1255 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
1256 -1, 0, &head, &tail);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1257 } else {
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1258 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
1259 -1, 0, &head, &tail);
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1260 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1261 &head, &tail);
David Benjamin43336652016-03-03 15:32:29 -0500[diff] [blame]1262 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1263 &head, &tail);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1264 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1265
David Benjamin43336652016-03-03 15:32:29 -0500[diff] [blame]1266 /* Then the legacy non-AEAD ciphers: AES_128_CBC, AES_256_CBC,
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]1267 * 3DES_EDE_CBC_SHA. */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1268 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, 0, CIPHER_ADD, -1, 0,
1269 &head, &tail);
David Benjamin43336652016-03-03 15:32:29 -0500[diff] [blame]1270 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, 0, CIPHER_ADD, -1, 0,
1271 &head, &tail);
1272 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, 0, CIPHER_ADD, -1, 0, &head,
1273 &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1274
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1275 /* Temporarily enable everything else for sorting */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1276 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0, &head,
1277 &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1278
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1279 /* Move ciphers without forward secrecy to the end. */
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1280 ssl_cipher_apply_rule(0, (SSL_kRSA | SSL_kPSK), ~0u, ~0u, ~0u, 0,
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1281 CIPHER_ORD, -1, 0, &head, &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1282
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1283 /* Now disable everything (maintaining the ordering!) */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1284 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head,
1285 &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1286
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1287 /* If the rule_string begins with DEFAULT, apply the default rule before
1288 * using the (possibly available) additional rules. */
David Benjamin11a7b3c2016-11-03 17:03:48 -0400[diff] [blame]1289 const char *rule_p = rule_str;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1290 if (strncmp(rule_str, "DEFAULT", 7) == 0) {
David Benjamin11a7b3c2016-11-03 17:03:48 -0400[diff] [blame]1291 if (!ssl_cipher_process_rulestr(ssl_method, SSL_DEFAULT_CIPHER_LIST, &head,
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]1292 &tail, strict)) {
David Benjamin11a7b3c2016-11-03 17:03:48 -0400[diff] [blame]1293 goto err;
1294 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1295 rule_p += 7;
1296 if (*rule_p == ':') {
1297 rule_p++;
1298 }
1299 }
Adam Langley858a88d2014-06-20 12:00:00 -0700[diff] [blame]1300
David Benjamin11a7b3c2016-11-03 17:03:48 -0400[diff] [blame]1301 if (*rule_p != '\0' &&
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]1302 !ssl_cipher_process_rulestr(ssl_method, rule_p, &head, &tail, strict)) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1303 goto err;
1304 }
1305
1306 /* Allocate new "cipherstack" for the result, return with error
1307 * if we cannot get one. */
1308 cipherstack = sk_SSL_CIPHER_new_null();
1309 if (cipherstack == NULL) {
1310 goto err;
1311 }
1312
David Benjamine64d2c72017-07-12 16:31:08 -0400[diff] [blame]1313 in_group_flags = (uint8_t *)OPENSSL_malloc(kCiphersLen);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1314 if (!in_group_flags) {
1315 goto err;
1316 }
1317
1318 /* The cipher selection for the list is done. The ciphers are added
1319 * to the resulting precedence to the STACK_OF(SSL_CIPHER). */
1320 for (curr = head; curr != NULL; curr = curr->next) {
1321 if (curr->active) {
David Benjamin2adb7ec2015-01-11 19:59:06 -0500[diff] [blame]1322 if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
1323 goto err;
1324 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1325 in_group_flags[num_in_group_flags++] = curr->in_group;
1326 }
1327 }
1328 OPENSSL_free(co_list); /* Not needed any longer */
1329 co_list = NULL;
1330
David Benjamine64d2c72017-07-12 16:31:08 -0400[diff] [blame]1331 pref_list = (ssl_cipher_preference_list_st *)OPENSSL_malloc(
1332 sizeof(struct ssl_cipher_preference_list_st));
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1333 if (!pref_list) {
1334 goto err;
1335 }
1336 pref_list->ciphers = cipherstack;
David Benjamine64d2c72017-07-12 16:31:08 -0400[diff] [blame]1337 pref_list->in_group_flags = (uint8_t *)OPENSSL_malloc(num_in_group_flags);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1338 if (!pref_list->in_group_flags) {
1339 goto err;
1340 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1341 OPENSSL_memcpy(pref_list->in_group_flags, in_group_flags, num_in_group_flags);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1342 OPENSSL_free(in_group_flags);
1343 in_group_flags = NULL;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1344 if (*out_cipher_list != NULL) {
1345 ssl_cipher_preference_list_free(*out_cipher_list);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1346 }
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1347 *out_cipher_list = pref_list;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1348 pref_list = NULL;
1349
David Benjamin91222b82017-03-09 20:10:56 -0500[diff] [blame]1350 /* Configuring an empty cipher list is an error but still updates the
1351 * output. */
1352 if (sk_SSL_CIPHER_num((*out_cipher_list)->ciphers) == 0) {
1353 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHER_MATCH);
1354 return 0;
1355 }
1356
Matthew Braithwaite6ad20dc2017-02-21 16:41:33 -0800[diff] [blame]1357 return 1;
Adam Langley858a88d2014-06-20 12:00:00 -0700[diff] [blame]1358
1359err:
David Benjamin2755a3e2015-04-22 16:17:58 -0400[diff] [blame]1360 OPENSSL_free(co_list);
1361 OPENSSL_free(in_group_flags);
1362 sk_SSL_CIPHER_free(cipherstack);
David Benjamin2755a3e2015-04-22 16:17:58 -0400[diff] [blame]1363 if (pref_list) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1364 OPENSSL_free(pref_list->in_group_flags);
1365 }
David Benjamin2755a3e2015-04-22 16:17:58 -0400[diff] [blame]1366 OPENSSL_free(pref_list);
Matthew Braithwaite6ad20dc2017-02-21 16:41:33 -0800[diff] [blame]1367 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1368}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1369
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1370uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher) {
1371 uint32_t id = cipher->id;
1372 /* All ciphers are SSLv3. */
1373 assert((id & 0xff000000) == 0x03000000);
1374 return id & 0xffff;
1375}
1376
David Benjamin86e95b82017-07-18 16:34:25 -0400[diff] [blame^]1377uint32_t ssl_cipher_auth_mask_for_key(const EVP_PKEY *key) {
1378 switch (EVP_PKEY_id(key)) {
1379 case EVP_PKEY_RSA:
1380 return SSL_aRSA;
1381 case EVP_PKEY_EC:
1382 case EVP_PKEY_ED25519:
1383 /* Ed25519 keys in TLS 1.2 repurpose the ECDSA ciphers. */
1384 return SSL_aECDSA;
1385 default:
1386 return 0;
1387 }
1388}
1389
1390int ssl_cipher_uses_certificate_auth(const SSL_CIPHER *cipher) {
1391 return (cipher->algorithm_auth & SSL_aCERT) != 0;
1392}
1393
1394int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) {
1395 /* Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. */
1396 if (cipher->algorithm_mkey & SSL_kECDHE) {
1397 return 1;
1398 }
1399
1400 /* It is optional in all others. */
1401 return 0;
1402}
1403
1404size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher) {
1405 size_t block_size;
1406 switch (cipher->algorithm_enc) {
1407 case SSL_3DES:
1408 block_size = 8;
1409 break;
1410 case SSL_AES128:
1411 case SSL_AES256:
1412 block_size = 16;
1413 break;
1414 default:
1415 return 0;
1416 }
1417
1418 /* All supported TLS 1.0 ciphers use SHA-1. */
1419 assert(cipher->algorithm_mac == SSL_SHA1);
1420 size_t ret = 1 + SHA_DIGEST_LENGTH;
1421 ret += block_size - (ret % block_size);
1422 return ret;
1423}
1424
1425} // namespace bssl
1426
1427using namespace bssl;
1428
1429const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value) {
1430 SSL_CIPHER c;
1431
1432 c.id = 0x03000000L | value;
1433 return reinterpret_cast<const SSL_CIPHER *>(bsearch(
1434 &c, kCiphers, kCiphersLen, sizeof(SSL_CIPHER), ssl_cipher_id_cmp));
1435}
1436
1437uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher) { return cipher->id; }
1438
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1439int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher) {
1440 return (cipher->algorithm_enc & SSL_AES) != 0;
1441}
1442
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1443int SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER *cipher) {
1444 return (cipher->algorithm_mac & SSL_SHA1) != 0;
1445}
1446
David Benjamina211aee2016-02-24 17:18:44 -0500[diff] [blame]1447int SSL_CIPHER_has_SHA256_HMAC(const SSL_CIPHER *cipher) {
1448 return (cipher->algorithm_mac & SSL_SHA256) != 0;
1449}
1450
Alessandro Ghedini48b6b8f2017-05-12 12:53:31 +0100[diff] [blame]1451int SSL_CIPHER_has_SHA384_HMAC(const SSL_CIPHER *cipher) {
1452 return (cipher->algorithm_mac & SSL_SHA384) != 0;
1453}
1454
Alessandro Ghedini0726fb72017-01-17 13:27:08 +0000[diff] [blame]1455int SSL_CIPHER_is_AEAD(const SSL_CIPHER *cipher) {
1456 return (cipher->algorithm_mac & SSL_AEAD) != 0;
1457}
1458
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1459int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher) {
David Benjaminc0125ef2015-09-09 09:11:07 -0400[diff] [blame]1460 return (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) != 0;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1461}
1462
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1463int SSL_CIPHER_is_AES128GCM(const SSL_CIPHER *cipher) {
1464 return (cipher->algorithm_enc & SSL_AES128GCM) != 0;
1465}
1466
Adam Langleyb00061c2015-11-16 17:44:52 -0800[diff] [blame]1467int SSL_CIPHER_is_AES128CBC(const SSL_CIPHER *cipher) {
1468 return (cipher->algorithm_enc & SSL_AES128) != 0;
1469}
1470
1471int SSL_CIPHER_is_AES256CBC(const SSL_CIPHER *cipher) {
1472 return (cipher->algorithm_enc & SSL_AES256) != 0;
1473}
1474
David Benjamin51a01a52015-10-29 13:19:56 -0400[diff] [blame]1475int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher) {
Adam Langley2e839242017-01-19 15:12:44 -0800[diff] [blame]1476 return (cipher->algorithm_enc & SSL_CHACHA20POLY1305) != 0;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1477}
1478
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1479int SSL_CIPHER_is_NULL(const SSL_CIPHER *cipher) {
1480 return (cipher->algorithm_enc & SSL_eNULL) != 0;
1481}
1482
1483int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher) {
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]1484 return (cipher->algorithm_enc & SSL_eNULL) == 0 &&
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1485 cipher->algorithm_mac != SSL_AEAD;
1486}
1487
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1488int SSL_CIPHER_is_ECDSA(const SSL_CIPHER *cipher) {
1489 return (cipher->algorithm_auth & SSL_aECDSA) != 0;
1490}
1491
David Benjamin4cc36ad2015-12-19 14:23:26 -0500[diff] [blame]1492int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher) {
1493 return (cipher->algorithm_mkey & SSL_kECDHE) != 0;
1494}
1495
David Benjamin745745d2017-01-10 08:34:14 -0500[diff] [blame]1496int SSL_CIPHER_is_static_RSA(const SSL_CIPHER *cipher) {
1497 return (cipher->algorithm_mkey & SSL_kRSA) != 0;
1498}
1499
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1500uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1501 if (cipher->algorithm_mkey == SSL_kGENERIC ||
1502 cipher->algorithm_auth == SSL_aGENERIC) {
1503 return TLS1_3_VERSION;
1504 }
1505
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1506 if (cipher->algorithm_prf != SSL_HANDSHAKE_MAC_DEFAULT) {
1507 /* Cipher suites before TLS 1.2 use the default PRF, while all those added
1508 * afterwards specify a particular hash. */
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1509 return TLS1_2_VERSION;
1510 }
1511 return SSL3_VERSION;
1512}
1513
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1514uint16_t SSL_CIPHER_get_max_version(const SSL_CIPHER *cipher) {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1515 if (cipher->algorithm_mkey == SSL_kGENERIC ||
1516 cipher->algorithm_auth == SSL_aGENERIC) {
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1517 return TLS1_3_VERSION;
1518 }
1519 return TLS1_2_VERSION;
1520}
1521
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1522/* return the actual cipher being used */
1523const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) {
1524 if (cipher != NULL) {
1525 return cipher->name;
1526 }
1527
1528 return "(NONE)";
1529}
1530
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]1531const char *SSL_CIPHER_standard_name(const SSL_CIPHER *cipher) {
1532 return cipher->standard_name;
1533}
1534
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1535const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) {
1536 if (cipher == NULL) {
1537 return "";
1538 }
1539
1540 switch (cipher->algorithm_mkey) {
1541 case SSL_kRSA:
1542 return "RSA";
1543
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1544 case SSL_kECDHE:
1545 switch (cipher->algorithm_auth) {
1546 case SSL_aECDSA:
1547 return "ECDHE_ECDSA";
1548 case SSL_aRSA:
1549 return "ECDHE_RSA";
1550 case SSL_aPSK:
1551 return "ECDHE_PSK";
1552 default:
1553 assert(0);
1554 return "UNKNOWN";
1555 }
1556
1557 case SSL_kPSK:
1558 assert(cipher->algorithm_auth == SSL_aPSK);
1559 return "PSK";
1560
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1561 case SSL_kGENERIC:
1562 assert(cipher->algorithm_auth == SSL_aGENERIC);
1563 return "GENERIC";
1564
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1565 default:
1566 assert(0);
1567 return "UNKNOWN";
1568 }
1569}
1570
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1571char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher) {
1572 if (cipher == NULL) {
1573 return NULL;
1574 }
1575
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]1576 return OPENSSL_strdup(SSL_CIPHER_standard_name(cipher));
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1577}
1578
1579int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *out_alg_bits) {
1580 if (cipher == NULL) {
1581 return 0;
1582 }
1583
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1584 int alg_bits, strength_bits;
1585 switch (cipher->algorithm_enc) {
1586 case SSL_AES128:
1587 case SSL_AES128GCM:
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1588 alg_bits = 128;
1589 strength_bits = 128;
1590 break;
1591
1592 case SSL_AES256:
1593 case SSL_AES256GCM:
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1594 case SSL_CHACHA20POLY1305:
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1595 alg_bits = 256;
1596 strength_bits = 256;
1597 break;
1598
1599 case SSL_3DES:
1600 alg_bits = 168;
1601 strength_bits = 112;
1602 break;
1603
1604 case SSL_eNULL:
1605 alg_bits = 0;
1606 strength_bits = 0;
1607 break;
1608
1609 default:
1610 assert(0);
1611 alg_bits = 0;
1612 strength_bits = 0;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1613 }
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1614
1615 if (out_alg_bits != NULL) {
1616 *out_alg_bits = alg_bits;
1617 }
1618 return strength_bits;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1619}
1620
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1621const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,
1622 int len) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1623 const char *kx, *au, *enc, *mac;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1624 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1625
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1626 alg_mkey = cipher->algorithm_mkey;
1627 alg_auth = cipher->algorithm_auth;
1628 alg_enc = cipher->algorithm_enc;
1629 alg_mac = cipher->algorithm_mac;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1630
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1631 switch (alg_mkey) {
1632 case SSL_kRSA:
1633 kx = "RSA";
1634 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1635
David Benjamin7061e282015-03-19 11:10:48 -0400[diff] [blame]1636 case SSL_kECDHE:
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1637 kx = "ECDH";
1638 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1639
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1640 case SSL_kPSK:
1641 kx = "PSK";
1642 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1643
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1644 case SSL_kGENERIC:
1645 kx = "GENERIC";
1646 break;
1647
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1648 default:
1649 kx = "unknown";
1650 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1651
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1652 switch (alg_auth) {
1653 case SSL_aRSA:
1654 au = "RSA";
1655 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1656
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1657 case SSL_aECDSA:
1658 au = "ECDSA";
1659 break;
Adam Langley4d4bff82014-06-20 12:00:00 -0700[diff] [blame]1660
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1661 case SSL_aPSK:
1662 au = "PSK";
1663 break;
Adam Langley4d4bff82014-06-20 12:00:00 -0700[diff] [blame]1664
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1665 case SSL_aGENERIC:
1666 au = "GENERIC";
1667 break;
1668
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1669 default:
1670 au = "unknown";
1671 break;
1672 }
Adam Langleyde0b2022014-06-20 12:00:00 -0700[diff] [blame]1673
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1674 switch (alg_enc) {
1675 case SSL_3DES:
1676 enc = "3DES(168)";
1677 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1678
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1679 case SSL_AES128:
1680 enc = "AES(128)";
1681 break;
1682
1683 case SSL_AES256:
1684 enc = "AES(256)";
1685 break;
1686
1687 case SSL_AES128GCM:
1688 enc = "AESGCM(128)";
1689 break;
1690
1691 case SSL_AES256GCM:
1692 enc = "AESGCM(256)";
1693 break;
1694
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1695 case SSL_CHACHA20POLY1305:
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1696 enc = "ChaCha20-Poly1305";
1697 break;
1698
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1699 case SSL_eNULL:
1700 enc="None";
1701 break;
1702
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1703 default:
1704 enc = "unknown";
1705 break;
1706 }
1707
1708 switch (alg_mac) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1709 case SSL_SHA1:
1710 mac = "SHA1";
1711 break;
1712
1713 case SSL_SHA256:
1714 mac = "SHA256";
1715 break;
1716
1717 case SSL_SHA384:
1718 mac = "SHA384";
1719 break;
1720
1721 case SSL_AEAD:
1722 mac = "AEAD";
1723 break;
1724
1725 default:
1726 mac = "unknown";
1727 break;
1728 }
1729
1730 if (buf == NULL) {
1731 len = 128;
David Benjamine64d2c72017-07-12 16:31:08 -0400[diff] [blame]1732 buf = (char *)OPENSSL_malloc(len);
David Benjamin1eed2c02015-02-08 23:20:06 -0500[diff] [blame]1733 if (buf == NULL) {
1734 return NULL;
1735 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1736 } else if (len < 128) {
1737 return "Buffer too small";
1738 }
1739
Brian Smith0687bdf2016-01-17 09:18:26 -1000[diff] [blame]1740 BIO_snprintf(buf, len, "%-23s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n",
1741 cipher->name, kx, au, enc, mac);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1742 return buf;
1743}
1744
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1745const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher) {
1746 return "TLSv1/SSLv3";
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1747}
1748
David Benjamind55bd792017-05-18 11:33:08 -0400[diff] [blame]1749STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void) { return NULL; }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1750
Matt Braithwaite6a1275b2015-06-26 12:09:10 -0700[diff] [blame]1751int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) { return 1; }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1752
Matt Braithwaite6a1275b2015-06-26 12:09:10 -0700[diff] [blame]1753const char *SSL_COMP_get_name(const COMP_METHOD *comp) { return NULL; }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1754
Adam Langley3e9e0432016-10-03 15:58:07 -0700[diff] [blame]1755void SSL_COMP_free_compression_methods(void) {}