Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 8aaa9e12c288c49134181aa4a8bb27ea5abfd4da / . / ssl / ssl_cipher.c
blob: 55070e9b71dd5bdb5ed302eb0b9a2b162df84663 [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57/* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110/* ====================================================================
111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112 * ECC cipher suite support in OpenSSL originally developed by
113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
114 */
115/* ====================================================================
116 * Copyright 2005 Nokia. All rights reserved.
117 *
118 * The portions of the attached software ("Contribution") is developed by
119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
120 * license.
121 *
122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
124 * support (see RFC 4279) to OpenSSL.
125 *
126 * No patent licenses or other rights except those expressly stated in
127 * the OpenSSL open source license shall be deemed granted or received
128 * expressly, by implication, estoppel, or otherwise.
129 *
130 * No assurances are provided by Nokia that the Contribution does not
131 * infringe the patent or other intellectual property rights of any third
132 * party or that the license provides you with all the necessary rights
133 * to make use of the Contribution.
134 *
135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
139 * OTHERWISE. */
140
David Benjamin9e4e01e2015-09-15 01:48:04 -0400[diff] [blame]141#include <openssl/ssl.h>
142
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]143#include <assert.h>
David Benjaminf0ae1702015-04-07 23:05:04 -0400[diff] [blame]144#include <string.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]145
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]146#include <openssl/buf.h>
David Benjaminf0ae1702015-04-07 23:05:04 -0400[diff] [blame]147#include <openssl/err.h>
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]148#include <openssl/md5.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]149#include <openssl/mem.h>
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]150#include <openssl/sha.h>
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]151#include <openssl/stack.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]152
David Benjamin2ee94aa2015-04-07 22:38:30 -0400[diff] [blame]153#include "internal.h"
Steven Valdezcb966542016-08-17 16:56:14 -0400[diff] [blame]154#include "../crypto/internal.h"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]155
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]156
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]157/* kCiphers is an array of all supported ciphers, sorted by id. */
David Benjamin20c37312015-11-11 21:33:18 -0800[diff] [blame]158static const SSL_CIPHER kCiphers[] = {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]159 /* The RSA ciphers */
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]160 /* Cipher 02 */
161 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]162 SSL3_TXT_RSA_NULL_SHA,
163 SSL3_CK_RSA_NULL_SHA,
164 SSL_kRSA,
165 SSL_aRSA,
166 SSL_eNULL,
167 SSL_SHA1,
168 SSL_HANDSHAKE_MAC_DEFAULT,
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]169 },
170
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]171 /* Cipher 0A */
172 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]173 SSL3_TXT_RSA_DES_192_CBC3_SHA,
174 SSL3_CK_RSA_DES_192_CBC3_SHA,
175 SSL_kRSA,
176 SSL_aRSA,
177 SSL_3DES,
178 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]179 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]180 },
181
182
183 /* New AES ciphersuites */
184
185 /* Cipher 2F */
186 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]187 TLS1_TXT_RSA_WITH_AES_128_SHA,
188 TLS1_CK_RSA_WITH_AES_128_SHA,
189 SSL_kRSA,
190 SSL_aRSA,
191 SSL_AES128,
192 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]193 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]194 },
195
196 /* Cipher 33 */
197 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]198 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
199 TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
200 SSL_kDHE,
201 SSL_aRSA,
202 SSL_AES128,
203 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]204 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]205 },
206
207 /* Cipher 35 */
208 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]209 TLS1_TXT_RSA_WITH_AES_256_SHA,
210 TLS1_CK_RSA_WITH_AES_256_SHA,
211 SSL_kRSA,
212 SSL_aRSA,
213 SSL_AES256,
214 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]215 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]216 },
217
218 /* Cipher 39 */
219 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]220 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
221 TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
222 SSL_kDHE,
223 SSL_aRSA,
224 SSL_AES256,
225 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]226 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]227 },
228
229
230 /* TLS v1.2 ciphersuites */
231
232 /* Cipher 3C */
233 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]234 TLS1_TXT_RSA_WITH_AES_128_SHA256,
235 TLS1_CK_RSA_WITH_AES_128_SHA256,
236 SSL_kRSA,
237 SSL_aRSA,
238 SSL_AES128,
239 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]240 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]241 },
242
243 /* Cipher 3D */
244 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]245 TLS1_TXT_RSA_WITH_AES_256_SHA256,
246 TLS1_CK_RSA_WITH_AES_256_SHA256,
247 SSL_kRSA,
248 SSL_aRSA,
249 SSL_AES256,
250 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]251 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]252 },
253
254 /* Cipher 67 */
255 {
256 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]257 TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
258 SSL_kDHE,
259 SSL_aRSA,
260 SSL_AES128,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]261 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]262 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]263 },
264
265 /* Cipher 6B */
266 {
267 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]268 TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
269 SSL_kDHE,
270 SSL_aRSA,
271 SSL_AES256,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]272 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]273 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]274 },
275
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]276 /* PSK cipher suites. */
277
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]278 /* Cipher 8C */
279 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]280 TLS1_TXT_PSK_WITH_AES_128_CBC_SHA,
281 TLS1_CK_PSK_WITH_AES_128_CBC_SHA,
282 SSL_kPSK,
283 SSL_aPSK,
284 SSL_AES128,
285 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]286 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]287 },
288
289 /* Cipher 8D */
290 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]291 TLS1_TXT_PSK_WITH_AES_256_CBC_SHA,
292 TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
293 SSL_kPSK,
294 SSL_aPSK,
295 SSL_AES256,
296 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]297 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]298 },
299
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]300 /* GCM ciphersuites from RFC5288 */
301
302 /* Cipher 9C */
303 {
304 TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]305 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
306 SSL_kRSA,
307 SSL_aRSA,
308 SSL_AES128GCM,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]309 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]310 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]311 },
312
313 /* Cipher 9D */
314 {
315 TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]316 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
317 SSL_kRSA,
318 SSL_aRSA,
319 SSL_AES256GCM,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]320 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]321 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]322 },
323
324 /* Cipher 9E */
325 {
326 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]327 TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
328 SSL_kDHE,
329 SSL_aRSA,
330 SSL_AES128GCM,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]331 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]332 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]333 },
334
335 /* Cipher 9F */
336 {
337 TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]338 TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
339 SSL_kDHE,
340 SSL_aRSA,
341 SSL_AES256GCM,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]342 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]343 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]344 },
345
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]346 /* CECPQ1 (combined elliptic curve + post-quantum) suites. */
347
348 /* Cipher 16B7 */
349 {
350 TLS1_TXT_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256,
351 TLS1_CK_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256,
352 SSL_kCECPQ1,
353 SSL_aRSA,
354 SSL_CHACHA20POLY1305,
355 SSL_AEAD,
356 SSL_HANDSHAKE_MAC_SHA256,
357 },
358
359 /* Cipher 16B8 */
360 {
361 TLS1_TXT_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
362 TLS1_CK_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
363 SSL_kCECPQ1,
364 SSL_aECDSA,
365 SSL_CHACHA20POLY1305,
366 SSL_AEAD,
367 SSL_HANDSHAKE_MAC_SHA256,
368 },
369
370 /* Cipher 16B9 */
371 {
372 TLS1_TXT_CECPQ1_RSA_WITH_AES_256_GCM_SHA384,
373 TLS1_CK_CECPQ1_RSA_WITH_AES_256_GCM_SHA384,
374 SSL_kCECPQ1,
375 SSL_aRSA,
376 SSL_AES256GCM,
377 SSL_AEAD,
378 SSL_HANDSHAKE_MAC_SHA384,
379 },
380
381 /* Cipher 16BA */
382 {
383 TLS1_TXT_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384,
384 TLS1_CK_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384,
385 SSL_kCECPQ1,
386 SSL_aECDSA,
387 SSL_AES256GCM,
388 SSL_AEAD,
389 SSL_HANDSHAKE_MAC_SHA384,
390 },
391
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]392 /* Cipher C009 */
393 {
394 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]395 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
396 SSL_kECDHE,
397 SSL_aECDSA,
398 SSL_AES128,
399 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]400 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]401 },
402
403 /* Cipher C00A */
404 {
405 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]406 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
407 SSL_kECDHE,
408 SSL_aECDSA,
409 SSL_AES256,
410 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]411 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]412 },
413
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]414 /* Cipher C013 */
415 {
416 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]417 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
418 SSL_kECDHE,
419 SSL_aRSA,
420 SSL_AES128,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]421 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]422 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]423 },
424
425 /* Cipher C014 */
426 {
427 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]428 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
429 SSL_kECDHE,
430 SSL_aRSA,
431 SSL_AES256,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]432 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]433 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]434 },
435
436
437 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
438
439 /* Cipher C023 */
440 {
441 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]442 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
443 SSL_kECDHE,
444 SSL_aECDSA,
445 SSL_AES128,
446 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]447 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]448 },
449
450 /* Cipher C024 */
451 {
452 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]453 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
454 SSL_kECDHE,
455 SSL_aECDSA,
456 SSL_AES256,
457 SSL_SHA384,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]458 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]459 },
460
461 /* Cipher C027 */
462 {
463 TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]464 TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
465 SSL_kECDHE,
466 SSL_aRSA,
467 SSL_AES128,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]468 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]469 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]470 },
471
472 /* Cipher C028 */
473 {
474 TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]475 TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
476 SSL_kECDHE,
477 SSL_aRSA,
478 SSL_AES256,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]479 SSL_SHA384,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]480 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]481 },
482
483
484 /* GCM based TLS v1.2 ciphersuites from RFC5289 */
485
486 /* Cipher C02B */
487 {
488 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]489 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
490 SSL_kECDHE,
491 SSL_aECDSA,
492 SSL_AES128GCM,
493 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]494 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]495 },
496
497 /* Cipher C02C */
498 {
499 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]500 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
501 SSL_kECDHE,
502 SSL_aECDSA,
503 SSL_AES256GCM,
504 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]505 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]506 },
507
508 /* Cipher C02F */
509 {
510 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]511 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
512 SSL_kECDHE,
513 SSL_aRSA,
514 SSL_AES128GCM,
515 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]516 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]517 },
518
519 /* Cipher C030 */
520 {
521 TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]522 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
523 SSL_kECDHE,
524 SSL_aRSA,
525 SSL_AES256GCM,
526 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]527 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]528 },
529
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]530 /* ECDHE-PSK cipher suites. */
531
532 /* Cipher C035 */
533 {
534 TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA,
535 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]536 SSL_kECDHE,
537 SSL_aPSK,
538 SSL_AES128,
539 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]540 SSL_HANDSHAKE_MAC_DEFAULT,
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]541 },
542
543 /* Cipher C036 */
544 {
545 TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA,
546 TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]547 SSL_kECDHE,
548 SSL_aPSK,
549 SSL_AES256,
550 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]551 SSL_HANDSHAKE_MAC_DEFAULT,
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]552 },
553
554 /* ChaCha20-Poly1305 cipher suites. */
555
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]556#if !defined(BORINGSSL_ANDROID_SYSTEM)
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]557 {
Brian Smith271777f2015-10-03 13:53:33 -1000[diff] [blame]558 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_OLD,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]559 TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD,
560 SSL_kECDHE,
561 SSL_aRSA,
562 SSL_CHACHA20POLY1305_OLD,
563 SSL_AEAD,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]564 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]565 },
566
567 {
Brian Smith271777f2015-10-03 13:53:33 -1000[diff] [blame]568 TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_OLD,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]569 TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD,
570 SSL_kECDHE,
571 SSL_aECDSA,
572 SSL_CHACHA20POLY1305_OLD,
573 SSL_AEAD,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]574 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]575 },
Adam Langleyd98dc132015-09-23 16:41:33 -0700[diff] [blame]576#endif
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]577
578 /* Cipher CCA8 */
579 {
580 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
581 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
582 SSL_kECDHE,
583 SSL_aRSA,
584 SSL_CHACHA20POLY1305,
585 SSL_AEAD,
586 SSL_HANDSHAKE_MAC_SHA256,
587 },
588
589 /* Cipher CCA9 */
590 {
591 TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
592 TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
593 SSL_kECDHE,
594 SSL_aECDSA,
595 SSL_CHACHA20POLY1305,
596 SSL_AEAD,
597 SSL_HANDSHAKE_MAC_SHA256,
598 },
599
600 /* Cipher CCAB */
601 {
602 TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
603 TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
604 SSL_kECDHE,
605 SSL_aPSK,
606 SSL_CHACHA20POLY1305,
607 SSL_AEAD,
608 SSL_HANDSHAKE_MAC_SHA256,
609 },
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]610
Steven Valdez3084e7b2016-06-02 12:07:20 -0400[diff] [blame]611 /* Cipher D001 */
612 {
613 TLS1_TXT_ECDHE_PSK_WITH_AES_128_GCM_SHA256,
614 TLS1_CK_ECDHE_PSK_WITH_AES_128_GCM_SHA256,
615 SSL_kECDHE,
616 SSL_aPSK,
617 SSL_AES128GCM,
David Benjaminc9a43682016-06-21 17:30:54 -0400[diff] [blame]618 SSL_AEAD,
Steven Valdez3084e7b2016-06-02 12:07:20 -0400[diff] [blame]619 SSL_HANDSHAKE_MAC_SHA256,
620 },
621
622 /* Cipher D002 */
623 {
624 TLS1_TXT_ECDHE_PSK_WITH_AES_256_GCM_SHA384,
625 TLS1_CK_ECDHE_PSK_WITH_AES_256_GCM_SHA384,
626 SSL_kECDHE,
627 SSL_aPSK,
628 SSL_AES256GCM,
David Benjaminc9a43682016-06-21 17:30:54 -0400[diff] [blame]629 SSL_AEAD,
Steven Valdez3084e7b2016-06-02 12:07:20 -0400[diff] [blame]630 SSL_HANDSHAKE_MAC_SHA384,
631 },
632
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]633};
634
Steven Valdezcb966542016-08-17 16:56:14 -0400[diff] [blame]635static const size_t kCiphersLen = OPENSSL_ARRAY_SIZE(kCiphers);
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]636
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]637#define CIPHER_ADD 1
638#define CIPHER_KILL 2
639#define CIPHER_DEL 3
640#define CIPHER_ORD 4
641#define CIPHER_SPECIAL 5
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]642
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]643typedef struct cipher_order_st {
644 const SSL_CIPHER *cipher;
645 int active;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]646 int in_group;
647 struct cipher_order_st *next, *prev;
648} CIPHER_ORDER;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]649
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]650typedef struct cipher_alias_st {
651 /* name is the name of the cipher alias. */
652 const char *name;
653
654 /* The following fields are bitmasks for the corresponding fields on
655 * |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the
656 * bit corresponding to the cipher's value is set to 1. If any bitmask is
657 * all zeroes, the alias matches nothing. Use |~0u| for the default value. */
658 uint32_t algorithm_mkey;
659 uint32_t algorithm_auth;
660 uint32_t algorithm_enc;
661 uint32_t algorithm_mac;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]662
663 /* min_version, if non-zero, matches all ciphers which were added in that
664 * particular protocol version. */
665 uint16_t min_version;
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]666} CIPHER_ALIAS;
667
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]668static const CIPHER_ALIAS kCipherAliases[] = {
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]669 /* "ALL" doesn't include eNULL nor kCECPQ1. These must be explicitly
670 * enabled. */
671 {"ALL", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]672
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]673 /* The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]674
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]675 /* key exchange aliases
676 * (some of those using only a single bit here combine
677 * multiple key exchange algs according to the RFCs,
678 * e.g. kEDH combines DHE_DSS and DHE_RSA) */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]679 {"kRSA", SSL_kRSA, ~0u, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]680
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]681 {"kDHE", SSL_kDHE, ~0u, ~0u, ~0u, 0},
682 {"kEDH", SSL_kDHE, ~0u, ~0u, ~0u, 0},
683 {"DH", SSL_kDHE, ~0u, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]684
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]685 {"kECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]686 {"kCECPQ1", SSL_kCECPQ1, ~0u, ~0u, ~0u, 0},
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]687 {"kEECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
688 {"ECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]689
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]690 {"kPSK", SSL_kPSK, ~0u, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]691
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]692 /* server authentication aliases */
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]693 {"aRSA", ~SSL_kCECPQ1, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
694 {"aECDSA", ~SSL_kCECPQ1, SSL_aECDSA, ~0u, ~0u, 0},
695 {"ECDSA", ~SSL_kCECPQ1, SSL_aECDSA, ~0u, ~0u, 0},
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]696 {"aPSK", ~0u, SSL_aPSK, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]697
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]698 /* aliases combining key exchange and server authentication */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]699 {"DHE", SSL_kDHE, ~0u, ~0u, ~0u, 0},
700 {"EDH", SSL_kDHE, ~0u, ~0u, ~0u, 0},
701 {"ECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
702 {"EECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
703 {"RSA", SSL_kRSA, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
704 {"PSK", SSL_kPSK, SSL_aPSK, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]705
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]706 /* symmetric encryption aliases */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]707 {"3DES", ~0u, ~0u, SSL_3DES, ~0u, 0},
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]708 {"AES128", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0},
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]709 {"AES256", ~SSL_kCECPQ1, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0},
710 {"AES", ~SSL_kCECPQ1, ~0u, SSL_AES, ~0u, 0},
711 {"AESGCM", ~SSL_kCECPQ1, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0},
712 {"CHACHA20", ~SSL_kCECPQ1, ~0u, SSL_CHACHA20POLY1305 | SSL_CHACHA20POLY1305_OLD, ~0u,
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]713 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]714
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]715 /* MAC aliases */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]716 {"MD5", ~0u, ~0u, ~0u, SSL_MD5, 0},
717 {"SHA1", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
718 {"SHA", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]719 {"SHA256", ~SSL_kCECPQ1, ~0u, ~0u, SSL_SHA256, 0},
720 {"SHA384", ~SSL_kCECPQ1, ~0u, ~0u, SSL_SHA384, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]721
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]722 /* Legacy protocol minimum version aliases. "TLSv1" is intentionally the
723 * same as "SSLv3". */
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]724 {"SSLv3", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
725 {"TLSv1", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
726 {"TLSv1.2", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, TLS1_2_VERSION},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]727
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]728 /* Legacy strength classes. */
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame^]729 {"HIGH", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, 0},
730 {"FIPS", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, 0},
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]731};
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]732
Steven Valdezcb966542016-08-17 16:56:14 -0400[diff] [blame]733static const size_t kCipherAliasesLen = OPENSSL_ARRAY_SIZE(kCipherAliases);
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]734
735static int ssl_cipher_id_cmp(const void *in_a, const void *in_b) {
736 const SSL_CIPHER *a = in_a;
737 const SSL_CIPHER *b = in_b;
738
739 if (a->id > b->id) {
740 return 1;
741 } else if (a->id < b->id) {
742 return -1;
743 } else {
744 return 0;
745 }
746}
747
748static int ssl_cipher_ptr_id_cmp(const SSL_CIPHER **a, const SSL_CIPHER **b) {
749 return ssl_cipher_id_cmp(*a, *b);
750}
751
752const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value) {
753 SSL_CIPHER c;
754
755 c.id = 0x03000000L | value;
756 return bsearch(&c, kCiphers, kCiphersLen, sizeof(SSL_CIPHER),
757 ssl_cipher_id_cmp);
758}
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]759
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]760int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
761 size_t *out_mac_secret_len,
762 size_t *out_fixed_iv_len,
763 const SSL_CIPHER *cipher, uint16_t version) {
764 *out_aead = NULL;
765 *out_mac_secret_len = 0;
766 *out_fixed_iv_len = 0;
Adam Langleyc9fb3752014-06-20 12:00:00 -0700[diff] [blame]767
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]768 switch (cipher->algorithm_enc) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]769 case SSL_AES128GCM:
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]770 *out_aead = EVP_aead_aes_128_gcm();
771 *out_fixed_iv_len = 4;
Steven Valdez79750562016-06-16 06:38:04 -0400[diff] [blame]772 break;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]773
774 case SSL_AES256GCM:
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]775 *out_aead = EVP_aead_aes_256_gcm();
776 *out_fixed_iv_len = 4;
Steven Valdez79750562016-06-16 06:38:04 -0400[diff] [blame]777 break;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]778
Adam Langleyd98dc132015-09-23 16:41:33 -0700[diff] [blame]779#if !defined(BORINGSSL_ANDROID_SYSTEM)
Brian Smith271777f2015-10-03 13:53:33 -1000[diff] [blame]780 case SSL_CHACHA20POLY1305_OLD:
Brian Smith3e23e4c2015-10-03 11:38:58 -1000[diff] [blame]781 *out_aead = EVP_aead_chacha20_poly1305_old();
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]782 *out_fixed_iv_len = 0;
Steven Valdez79750562016-06-16 06:38:04 -0400[diff] [blame]783 break;
Adam Langleyd98dc132015-09-23 16:41:33 -0700[diff] [blame]784#endif
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]785
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]786 case SSL_CHACHA20POLY1305:
787 *out_aead = EVP_aead_chacha20_poly1305();
788 *out_fixed_iv_len = 12;
Steven Valdez79750562016-06-16 06:38:04 -0400[diff] [blame]789 break;
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]790
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]791 case SSL_AES128:
792 switch (cipher->algorithm_mac) {
793 case SSL_SHA1:
David Benjamin044abb02014-12-23 10:57:17 -0500[diff] [blame]794 if (version == SSL3_VERSION) {
795 *out_aead = EVP_aead_aes_128_cbc_sha1_ssl3();
796 *out_fixed_iv_len = 16;
797 } else if (version == TLS1_VERSION) {
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]798 *out_aead = EVP_aead_aes_128_cbc_sha1_tls_implicit_iv();
799 *out_fixed_iv_len = 16;
800 } else {
801 *out_aead = EVP_aead_aes_128_cbc_sha1_tls();
802 }
803 *out_mac_secret_len = SHA_DIGEST_LENGTH;
Steven Valdez79750562016-06-16 06:38:04 -0400[diff] [blame]804 break;
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]805 case SSL_SHA256:
806 *out_aead = EVP_aead_aes_128_cbc_sha256_tls();
807 *out_mac_secret_len = SHA256_DIGEST_LENGTH;
Steven Valdez79750562016-06-16 06:38:04 -0400[diff] [blame]808 break;
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]809 default:
810 return 0;
811 }
Steven Valdez79750562016-06-16 06:38:04 -0400[diff] [blame]812 break;
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]813
814 case SSL_AES256:
815 switch (cipher->algorithm_mac) {
816 case SSL_SHA1:
David Benjamin044abb02014-12-23 10:57:17 -0500[diff] [blame]817 if (version == SSL3_VERSION) {
818 *out_aead = EVP_aead_aes_256_cbc_sha1_ssl3();
819 *out_fixed_iv_len = 16;
820 } else if (version == TLS1_VERSION) {
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]821 *out_aead = EVP_aead_aes_256_cbc_sha1_tls_implicit_iv();
822 *out_fixed_iv_len = 16;
823 } else {
824 *out_aead = EVP_aead_aes_256_cbc_sha1_tls();
825 }
826 *out_mac_secret_len = SHA_DIGEST_LENGTH;
Steven Valdez79750562016-06-16 06:38:04 -0400[diff] [blame]827 break;
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]828 case SSL_SHA256:
829 *out_aead = EVP_aead_aes_256_cbc_sha256_tls();
830 *out_mac_secret_len = SHA256_DIGEST_LENGTH;
Steven Valdez79750562016-06-16 06:38:04 -0400[diff] [blame]831 break;
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]832 case SSL_SHA384:
833 *out_aead = EVP_aead_aes_256_cbc_sha384_tls();
834 *out_mac_secret_len = SHA384_DIGEST_LENGTH;
Steven Valdez79750562016-06-16 06:38:04 -0400[diff] [blame]835 break;
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]836 default:
837 return 0;
838 }
Steven Valdez79750562016-06-16 06:38:04 -0400[diff] [blame]839 break;
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]840
841 case SSL_3DES:
842 switch (cipher->algorithm_mac) {
843 case SSL_SHA1:
David Benjamin044abb02014-12-23 10:57:17 -0500[diff] [blame]844 if (version == SSL3_VERSION) {
845 *out_aead = EVP_aead_des_ede3_cbc_sha1_ssl3();
846 *out_fixed_iv_len = 8;
847 } else if (version == TLS1_VERSION) {
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]848 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv();
849 *out_fixed_iv_len = 8;
850 } else {
851 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls();
852 }
853 *out_mac_secret_len = SHA_DIGEST_LENGTH;
Steven Valdez79750562016-06-16 06:38:04 -0400[diff] [blame]854 break;
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]855 default:
856 return 0;
857 }
Steven Valdez79750562016-06-16 06:38:04 -0400[diff] [blame]858 break;
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]859
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]860 case SSL_eNULL:
861 switch (cipher->algorithm_mac) {
862 case SSL_SHA1:
863 if (version == SSL3_VERSION) {
864 *out_aead = EVP_aead_null_sha1_ssl3();
865 } else {
866 *out_aead = EVP_aead_null_sha1_tls();
867 }
868 *out_mac_secret_len = SHA_DIGEST_LENGTH;
Steven Valdez79750562016-06-16 06:38:04 -0400[diff] [blame]869 break;
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]870 default:
871 return 0;
872 }
Steven Valdez79750562016-06-16 06:38:04 -0400[diff] [blame]873 break;
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]874
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]875 default:
876 return 0;
877 }
Steven Valdez79750562016-06-16 06:38:04 -0400[diff] [blame]878
879 /* In TLS 1.3, the iv_len is equal to the AEAD nonce length whereas the code
880 * above computes the TLS 1.2 construction.
881 *
882 * TODO(davidben,svaldez): Avoid computing the wrong value and fixing it. */
883 if (version >= TLS1_3_VERSION) {
884 *out_fixed_iv_len = EVP_AEAD_nonce_length(*out_aead);
885 assert(*out_fixed_iv_len >= 8);
886 }
887 return 1;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]888}
Adam Langleyc9fb3752014-06-20 12:00:00 -0700[diff] [blame]889
David Benjaminb0883312015-08-06 09:54:13 -0400[diff] [blame]890const EVP_MD *ssl_get_handshake_digest(uint32_t algorithm_prf) {
891 switch (algorithm_prf) {
892 case SSL_HANDSHAKE_MAC_DEFAULT:
893 return EVP_sha1();
894 case SSL_HANDSHAKE_MAC_SHA256:
895 return EVP_sha256();
896 case SSL_HANDSHAKE_MAC_SHA384:
897 return EVP_sha384();
898 default:
899 return NULL;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]900 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]901}
902
903#define ITEM_SEP(a) \
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]904 (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]905
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]906/* rule_equals returns one iff the NUL-terminated string |rule| is equal to the
907 * |buf_len| bytes at |buf|. */
908static int rule_equals(const char *rule, const char *buf, size_t buf_len) {
909 /* |strncmp| alone only checks that |buf| is a prefix of |rule|. */
910 return strncmp(rule, buf, buf_len) == 0 && rule[buf_len] == '\0';
911}
912
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]913static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]914 CIPHER_ORDER **tail) {
915 if (curr == *tail) {
916 return;
917 }
918 if (curr == *head) {
919 *head = curr->next;
920 }
921 if (curr->prev != NULL) {
922 curr->prev->next = curr->next;
923 }
924 if (curr->next != NULL) {
925 curr->next->prev = curr->prev;
926 }
927 (*tail)->next = curr;
928 curr->prev = *tail;
929 curr->next = NULL;
930 *tail = curr;
931}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]932
933static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]934 CIPHER_ORDER **tail) {
935 if (curr == *head) {
936 return;
937 }
938 if (curr == *tail) {
939 *tail = curr->prev;
940 }
941 if (curr->next != NULL) {
942 curr->next->prev = curr->prev;
943 }
944 if (curr->prev != NULL) {
945 curr->prev->next = curr->next;
946 }
947 (*head)->prev = curr;
948 curr->next = *head;
949 curr->prev = NULL;
950 *head = curr;
951}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]952
David Benjamin82c9e902014-12-12 15:55:27 -0500[diff] [blame]953static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]954 CIPHER_ORDER *co_list,
955 CIPHER_ORDER **head_p,
956 CIPHER_ORDER **tail_p) {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]957 /* The set of ciphers is static, but some subset may be unsupported by
958 * |ssl_method|, so the list may be smaller. */
959 size_t co_list_num = 0;
David Benjamin54091232016-09-05 12:47:25 -0400[diff] [blame]960 for (size_t i = 0; i < kCiphersLen; i++) {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]961 const SSL_CIPHER *cipher = &kCiphers[i];
962 if (ssl_method->supports_cipher(cipher)) {
963 co_list[co_list_num].cipher = cipher;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]964 co_list[co_list_num].next = NULL;
965 co_list[co_list_num].prev = NULL;
966 co_list[co_list_num].active = 0;
967 co_list[co_list_num].in_group = 0;
968 co_list_num++;
969 }
970 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]971
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]972 /* Prepare linked list from list entries. */
973 if (co_list_num > 0) {
974 co_list[0].prev = NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]975
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]976 if (co_list_num > 1) {
977 co_list[0].next = &co_list[1];
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]978
David Benjamin54091232016-09-05 12:47:25 -0400[diff] [blame]979 for (size_t i = 1; i < co_list_num - 1; i++) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]980 co_list[i].prev = &co_list[i - 1];
981 co_list[i].next = &co_list[i + 1];
982 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]983
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]984 co_list[co_list_num - 1].prev = &co_list[co_list_num - 2];
985 }
986
987 co_list[co_list_num - 1].next = NULL;
988
989 *head_p = &co_list[0];
990 *tail_p = &co_list[co_list_num - 1];
991 }
992}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]993
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]994/* ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its
995 * parameters in the linked list from |*head_p| to |*tail_p|. It writes the new
996 * head and tail of the list to |*head_p| and |*tail_p|, respectively.
997 *
998 * - If |cipher_id| is non-zero, only that cipher is selected.
999 * - Otherwise, if |strength_bits| is non-negative, it selects ciphers
1000 * of that strength.
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1001 * - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1002 * |min_version|. */
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1003static void ssl_cipher_apply_rule(
David Benjamin107db582015-04-08 00:41:59 -0400[diff] [blame]1004 uint32_t cipher_id, uint32_t alg_mkey, uint32_t alg_auth,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1005 uint32_t alg_enc, uint32_t alg_mac, uint16_t min_version, int rule,
1006 int strength_bits, int in_group, CIPHER_ORDER **head_p,
1007 CIPHER_ORDER **tail_p) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1008 CIPHER_ORDER *head, *tail, *curr, *next, *last;
1009 const SSL_CIPHER *cp;
1010 int reverse = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1011
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1012 if (cipher_id == 0 && strength_bits == -1 && min_version == 0 &&
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1013 (alg_mkey == 0 || alg_auth == 0 || alg_enc == 0 || alg_mac == 0)) {
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1014 /* The rule matches nothing, so bail early. */
1015 return;
1016 }
1017
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1018 if (rule == CIPHER_DEL) {
1019 /* needed to maintain sorting between currently deleted ciphers */
1020 reverse = 1;
1021 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1022
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1023 head = *head_p;
1024 tail = *tail_p;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1025
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1026 if (reverse) {
1027 next = tail;
1028 last = head;
1029 } else {
1030 next = head;
1031 last = tail;
1032 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1033
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1034 curr = NULL;
1035 for (;;) {
1036 if (curr == last) {
1037 break;
1038 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1039
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1040 curr = next;
1041 if (curr == NULL) {
1042 break;
1043 }
Adam Langleye3142a72014-07-24 17:56:48 -0700[diff] [blame]1044
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1045 next = reverse ? curr->prev : curr->next;
1046 cp = curr->cipher;
Adam Langleye3142a72014-07-24 17:56:48 -0700[diff] [blame]1047
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1048 /* Selection criteria is either a specific cipher, the value of
1049 * |strength_bits|, or the algorithms used. */
1050 if (cipher_id != 0) {
1051 if (cipher_id != cp->id) {
1052 continue;
1053 }
1054 } else if (strength_bits >= 0) {
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1055 if (strength_bits != SSL_CIPHER_get_bits(cp, NULL)) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1056 continue;
1057 }
David Benjamin881f1962016-08-10 18:29:12 -0400[diff] [blame]1058 } else {
1059 if (!(alg_mkey & cp->algorithm_mkey) ||
1060 !(alg_auth & cp->algorithm_auth) ||
1061 !(alg_enc & cp->algorithm_enc) ||
1062 !(alg_mac & cp->algorithm_mac) ||
1063 (min_version != 0 && SSL_CIPHER_get_min_version(cp) != min_version)) {
1064 continue;
1065 }
1066
1067 /* The following ciphers are internal implementation details of TLS 1.3
1068 * resumption but are not yet finalized. Disable them by default until
1069 * then. */
1070 if (cp->id == TLS1_CK_ECDHE_PSK_WITH_AES_128_GCM_SHA256 ||
1071 cp->id == TLS1_CK_ECDHE_PSK_WITH_AES_256_GCM_SHA384) {
1072 continue;
1073 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1074 }
Adam Langleye3142a72014-07-24 17:56:48 -0700[diff] [blame]1075
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1076 /* add the cipher if it has not been added yet. */
1077 if (rule == CIPHER_ADD) {
1078 /* reverse == 0 */
1079 if (!curr->active) {
1080 ll_append_tail(&head, curr, &tail);
1081 curr->active = 1;
1082 curr->in_group = in_group;
1083 }
1084 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1085
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1086 /* Move the added cipher to this location */
1087 else if (rule == CIPHER_ORD) {
1088 /* reverse == 0 */
1089 if (curr->active) {
1090 ll_append_tail(&head, curr, &tail);
1091 curr->in_group = 0;
1092 }
1093 } else if (rule == CIPHER_DEL) {
1094 /* reverse == 1 */
1095 if (curr->active) {
1096 /* most recently deleted ciphersuites get best positions
1097 * for any future CIPHER_ADD (note that the CIPHER_DEL loop
1098 * works in reverse to maintain the order) */
1099 ll_append_head(&head, curr, &tail);
1100 curr->active = 0;
1101 curr->in_group = 0;
1102 }
1103 } else if (rule == CIPHER_KILL) {
1104 /* reverse == 0 */
1105 if (head == curr) {
1106 head = curr->next;
1107 } else {
1108 curr->prev->next = curr->next;
1109 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1110
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1111 if (tail == curr) {
1112 tail = curr->prev;
1113 }
1114 curr->active = 0;
1115 if (curr->next != NULL) {
1116 curr->next->prev = curr->prev;
1117 }
1118 if (curr->prev != NULL) {
1119 curr->prev->next = curr->next;
1120 }
1121 curr->next = NULL;
1122 curr->prev = NULL;
1123 }
1124 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1125
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1126 *head_p = head;
1127 *tail_p = tail;
1128}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1129
1130static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1131 CIPHER_ORDER **tail_p) {
1132 int max_strength_bits, i, *number_uses;
1133 CIPHER_ORDER *curr;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1134
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1135 /* This routine sorts the ciphers with descending strength. The sorting must
1136 * keep the pre-sorted sequence, so we apply the normal sorting routine as
1137 * '+' movement to the end of the list. */
1138 max_strength_bits = 0;
1139 curr = *head_p;
1140 while (curr != NULL) {
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1141 if (curr->active &&
1142 SSL_CIPHER_get_bits(curr->cipher, NULL) > max_strength_bits) {
1143 max_strength_bits = SSL_CIPHER_get_bits(curr->cipher, NULL);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1144 }
1145 curr = curr->next;
1146 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1147
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1148 number_uses = OPENSSL_malloc((max_strength_bits + 1) * sizeof(int));
1149 if (!number_uses) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1150 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1151 return 0;
1152 }
1153 memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int));
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1154
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1155 /* Now find the strength_bits values actually used. */
1156 curr = *head_p;
1157 while (curr != NULL) {
1158 if (curr->active) {
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1159 number_uses[SSL_CIPHER_get_bits(curr->cipher, NULL)]++;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1160 }
1161 curr = curr->next;
1162 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1163
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1164 /* Go through the list of used strength_bits values in descending order. */
1165 for (i = max_strength_bits; i >= 0; i--) {
1166 if (number_uses[i] > 0) {
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1167 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i, 0, head_p, tail_p);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1168 }
1169 }
1170
1171 OPENSSL_free(number_uses);
1172 return 1;
1173}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1174
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1175static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method,
1176 const char *rule_str,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1177 CIPHER_ORDER **head_p,
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1178 CIPHER_ORDER **tail_p) {
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1179 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1180 uint16_t min_version;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1181 const char *l, *buf;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1182 int multi, skip_rule, rule, retval, ok, in_group = 0, has_group = 0;
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1183 size_t j, buf_len;
1184 uint32_t cipher_id;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1185 char ch;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1186
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1187 retval = 1;
1188 l = rule_str;
1189 for (;;) {
1190 ch = *l;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1191
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1192 if (ch == '\0') {
1193 break; /* done */
1194 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1195
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1196 if (in_group) {
1197 if (ch == ']') {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1198 if (*tail_p) {
1199 (*tail_p)->in_group = 0;
1200 }
1201 in_group = 0;
1202 l++;
1203 continue;
1204 }
David Benjamin37d92462014-09-20 17:54:24 -0400[diff] [blame]1205
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1206 if (ch == '|') {
1207 rule = CIPHER_ADD;
1208 l++;
1209 continue;
1210 } else if (!(ch >= 'a' && ch <= 'z') && !(ch >= 'A' && ch <= 'Z') &&
1211 !(ch >= '0' && ch <= '9')) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1212 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP);
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1213 retval = in_group = 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1214 break;
1215 } else {
1216 rule = CIPHER_ADD;
1217 }
1218 } else if (ch == '-') {
1219 rule = CIPHER_DEL;
1220 l++;
1221 } else if (ch == '+') {
1222 rule = CIPHER_ORD;
1223 l++;
1224 } else if (ch == '!') {
1225 rule = CIPHER_KILL;
1226 l++;
1227 } else if (ch == '@') {
1228 rule = CIPHER_SPECIAL;
1229 l++;
1230 } else if (ch == '[') {
1231 if (in_group) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1232 OPENSSL_PUT_ERROR(SSL, SSL_R_NESTED_GROUP);
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1233 retval = in_group = 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1234 break;
1235 }
1236 in_group = 1;
1237 has_group = 1;
1238 l++;
1239 continue;
1240 } else {
1241 rule = CIPHER_ADD;
1242 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1243
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1244 /* If preference groups are enabled, the only legal operator is +.
1245 * Otherwise the in_group bits will get mixed up. */
1246 if (has_group && rule != CIPHER_ADD) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1247 OPENSSL_PUT_ERROR(SSL, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1248 retval = in_group = 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1249 break;
1250 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1251
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1252 if (ITEM_SEP(ch)) {
1253 l++;
1254 continue;
1255 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1256
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1257 multi = 0;
1258 cipher_id = 0;
1259 alg_mkey = ~0u;
1260 alg_auth = ~0u;
1261 alg_enc = ~0u;
1262 alg_mac = ~0u;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1263 min_version = 0;
1264 skip_rule = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1265
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1266 for (;;) {
1267 ch = *l;
1268 buf = l;
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1269 buf_len = 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1270 while (((ch >= 'A') && (ch <= 'Z')) || ((ch >= '0') && (ch <= '9')) ||
1271 ((ch >= 'a') && (ch <= 'z')) || (ch == '-') || (ch == '.')) {
1272 ch = *(++l);
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1273 buf_len++;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1274 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1275
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1276 if (buf_len == 0) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1277 /* We hit something we cannot deal with, it is no command or separator
1278 * nor alphanumeric, so we call this an error. */
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1279 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1280 retval = in_group = 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1281 l++;
1282 break;
1283 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1284
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1285 if (rule == CIPHER_SPECIAL) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1286 break;
1287 }
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1288
1289 /* Look for a matching exact cipher. These aren't allowed in multipart
1290 * rules. */
1291 if (!multi && ch != '+') {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1292 for (j = 0; j < kCiphersLen; j++) {
1293 const SSL_CIPHER *cipher = &kCiphers[j];
1294 if (rule_equals(cipher->name, buf, buf_len)) {
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1295 cipher_id = cipher->id;
1296 break;
1297 }
1298 }
1299 }
1300 if (cipher_id == 0) {
1301 /* If not an exact cipher, look for a matching cipher alias. */
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1302 for (j = 0; j < kCipherAliasesLen; j++) {
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1303 if (rule_equals(kCipherAliases[j].name, buf, buf_len)) {
1304 alg_mkey &= kCipherAliases[j].algorithm_mkey;
1305 alg_auth &= kCipherAliases[j].algorithm_auth;
1306 alg_enc &= kCipherAliases[j].algorithm_enc;
1307 alg_mac &= kCipherAliases[j].algorithm_mac;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1308
1309 if (min_version != 0 &&
1310 min_version != kCipherAliases[j].min_version) {
1311 skip_rule = 1;
1312 } else {
1313 min_version = kCipherAliases[j].min_version;
1314 }
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1315 break;
1316 }
1317 }
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1318 if (j == kCipherAliasesLen) {
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1319 skip_rule = 1;
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1320 }
1321 }
1322
1323 /* Check for a multipart rule. */
1324 if (ch != '+') {
1325 break;
1326 }
1327 l++;
1328 multi = 1;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1329 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1330
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1331 /* If one of the CHACHA20_POLY1305 variants is selected, include the other
1332 * as well. They have the same name to avoid requiring changes in
1333 * configuration. Apply this transformation late so that the cipher name
1334 * still behaves as an exact name and not an alias in multipart rules.
1335 *
1336 * This is temporary and will be removed when the pre-standard construction
1337 * is removed. */
1338 if (cipher_id == TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD ||
1339 cipher_id == TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256) {
1340 cipher_id = 0;
1341 alg_mkey = SSL_kECDHE;
1342 alg_auth = SSL_aRSA;
1343 alg_enc = SSL_CHACHA20POLY1305|SSL_CHACHA20POLY1305_OLD;
1344 alg_mac = SSL_AEAD;
1345 } else if (cipher_id == TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD ||
1346 cipher_id == TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256) {
1347 cipher_id = 0;
1348 alg_mkey = SSL_kECDHE;
1349 alg_auth = SSL_aECDSA;
1350 alg_enc = SSL_CHACHA20POLY1305|SSL_CHACHA20POLY1305_OLD;
1351 alg_mac = SSL_AEAD;
1352 }
1353
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1354 /* Ok, we have the rule, now apply it. */
1355 if (rule == CIPHER_SPECIAL) {
1356 /* special command */
1357 ok = 0;
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1358 if (buf_len == 8 && !strncmp(buf, "STRENGTH", 8)) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1359 ok = ssl_cipher_strength_sort(head_p, tail_p);
1360 } else {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1361 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1362 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1363
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1364 if (ok == 0) {
1365 retval = 0;
1366 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1367
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1368 /* We do not support any "multi" options together with "@", so throw away
1369 * the rest of the command, if any left, until end or ':' is found. */
1370 while (*l != '\0' && !ITEM_SEP(*l)) {
1371 l++;
1372 }
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1373 } else if (!skip_rule) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1374 ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth, alg_enc, alg_mac,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1375 min_version, rule, -1, in_group, head_p, tail_p);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1376 }
1377 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1378
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1379 if (in_group) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1380 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1381 retval = 0;
1382 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1383
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1384 return retval;
1385}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1386
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1387STACK_OF(SSL_CIPHER) *
1388ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *ssl_method,
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1389 struct ssl_cipher_preference_list_st **out_cipher_list,
1390 STACK_OF(SSL_CIPHER) **out_cipher_list_by_id,
1391 const char *rule_str) {
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1392 int ok;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1393 STACK_OF(SSL_CIPHER) *cipherstack = NULL, *tmp_cipher_list = NULL;
1394 const char *rule_p;
1395 CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1396 uint8_t *in_group_flags = NULL;
1397 unsigned int num_in_group_flags = 0;
1398 struct ssl_cipher_preference_list_st *pref_list = NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1399
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1400 /* Return with error if nothing to do. */
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1401 if (rule_str == NULL || out_cipher_list == NULL) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1402 return NULL;
1403 }
David Benjamin5213df42014-08-20 14:19:54 -0400[diff] [blame]1404
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1405 /* Now we have to collect the available ciphers from the compiled in ciphers.
1406 * We cannot get more than the number compiled in, so it is used for
1407 * allocation. */
Brian Smith5ba06892016-02-07 09:36:04 -1000[diff] [blame]1408 co_list = OPENSSL_malloc(sizeof(CIPHER_ORDER) * kCiphersLen);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1409 if (co_list == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1410 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1411 return NULL;
1412 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1413
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1414 ssl_cipher_collect_ciphers(ssl_method, co_list, &head, &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1415
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1416 /* Now arrange all ciphers by preference:
1417 * TODO(davidben): Compute this order once and copy it. */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1418
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1419 /* Everything else being equal, prefer ECDHE_ECDSA then ECDHE_RSA over other
1420 * key exchange mechanisms */
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]1421
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1422 ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, ~0u, ~0u, 0, CIPHER_ADD, -1,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1423 0, &head, &tail);
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1424 ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0,
1425 &head, &tail);
1426 ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0,
1427 &head, &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1428
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1429 /* Order the bulk ciphers. First the preferred AEAD ciphers. We prefer
1430 * CHACHA20 unless there is hardware support for fast and constant-time
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1431 * AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the
1432 * old one. */
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1433 if (EVP_has_aes_hardware()) {
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1434 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1435 &head, &tail);
David Benjamin43336652016-03-03 15:32:29 -0500[diff] [blame]1436 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1437 &head, &tail);
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1438 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
1439 -1, 0, &head, &tail);
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1440 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305_OLD, ~0u, 0,
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1441 CIPHER_ADD, -1, 0, &head, &tail);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1442 } else {
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1443 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
1444 -1, 0, &head, &tail);
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1445 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305_OLD, ~0u, 0,
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1446 CIPHER_ADD, -1, 0, &head, &tail);
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1447 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1448 &head, &tail);
David Benjamin43336652016-03-03 15:32:29 -0500[diff] [blame]1449 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1450 &head, &tail);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1451 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1452
David Benjamin43336652016-03-03 15:32:29 -0500[diff] [blame]1453 /* Then the legacy non-AEAD ciphers: AES_128_CBC, AES_256_CBC,
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame^]1454 * 3DES_EDE_CBC_SHA. */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1455 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, 0, CIPHER_ADD, -1, 0,
1456 &head, &tail);
David Benjamin43336652016-03-03 15:32:29 -0500[diff] [blame]1457 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, 0, CIPHER_ADD, -1, 0,
1458 &head, &tail);
1459 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, 0, CIPHER_ADD, -1, 0, &head,
1460 &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1461
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1462 /* Temporarily enable everything else for sorting */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1463 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0, &head,
1464 &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1465
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1466 /* Move ciphers without forward secrecy to the end. */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1467 ssl_cipher_apply_rule(0, ~(SSL_kDHE | SSL_kECDHE), ~0u, ~0u, ~0u, 0,
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1468 CIPHER_ORD, -1, 0, &head, &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1469
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1470 /* Now disable everything (maintaining the ordering!) */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1471 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head,
1472 &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1473
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1474 /* If the rule_string begins with DEFAULT, apply the default rule before
1475 * using the (possibly available) additional rules. */
1476 ok = 1;
1477 rule_p = rule_str;
1478 if (strncmp(rule_str, "DEFAULT", 7) == 0) {
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1479 ok = ssl_cipher_process_rulestr(ssl_method, SSL_DEFAULT_CIPHER_LIST, &head,
1480 &tail);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1481 rule_p += 7;
1482 if (*rule_p == ':') {
1483 rule_p++;
1484 }
1485 }
Adam Langley858a88d2014-06-20 12:00:00 -0700[diff] [blame]1486
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1487 if (ok && strlen(rule_p) > 0) {
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1488 ok = ssl_cipher_process_rulestr(ssl_method, rule_p, &head, &tail);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1489 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1490
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1491 if (!ok) {
1492 goto err;
1493 }
1494
1495 /* Allocate new "cipherstack" for the result, return with error
1496 * if we cannot get one. */
1497 cipherstack = sk_SSL_CIPHER_new_null();
1498 if (cipherstack == NULL) {
1499 goto err;
1500 }
1501
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1502 in_group_flags = OPENSSL_malloc(kCiphersLen);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1503 if (!in_group_flags) {
1504 goto err;
1505 }
1506
1507 /* The cipher selection for the list is done. The ciphers are added
1508 * to the resulting precedence to the STACK_OF(SSL_CIPHER). */
1509 for (curr = head; curr != NULL; curr = curr->next) {
1510 if (curr->active) {
David Benjamin2adb7ec2015-01-11 19:59:06 -0500[diff] [blame]1511 if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
1512 goto err;
1513 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1514 in_group_flags[num_in_group_flags++] = curr->in_group;
1515 }
1516 }
1517 OPENSSL_free(co_list); /* Not needed any longer */
1518 co_list = NULL;
1519
1520 tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack);
1521 if (tmp_cipher_list == NULL) {
1522 goto err;
1523 }
1524 pref_list = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
1525 if (!pref_list) {
1526 goto err;
1527 }
1528 pref_list->ciphers = cipherstack;
1529 pref_list->in_group_flags = OPENSSL_malloc(num_in_group_flags);
1530 if (!pref_list->in_group_flags) {
1531 goto err;
1532 }
1533 memcpy(pref_list->in_group_flags, in_group_flags, num_in_group_flags);
1534 OPENSSL_free(in_group_flags);
1535 in_group_flags = NULL;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1536 if (*out_cipher_list != NULL) {
1537 ssl_cipher_preference_list_free(*out_cipher_list);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1538 }
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1539 *out_cipher_list = pref_list;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1540 pref_list = NULL;
1541
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1542 if (out_cipher_list_by_id != NULL) {
David Benjamin2755a3e2015-04-22 16:17:58 -0400[diff] [blame]1543 sk_SSL_CIPHER_free(*out_cipher_list_by_id);
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1544 *out_cipher_list_by_id = tmp_cipher_list;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1545 tmp_cipher_list = NULL;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1546 (void) sk_SSL_CIPHER_set_cmp_func(*out_cipher_list_by_id,
1547 ssl_cipher_ptr_id_cmp);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1548
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1549 sk_SSL_CIPHER_sort(*out_cipher_list_by_id);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1550 } else {
1551 sk_SSL_CIPHER_free(tmp_cipher_list);
1552 tmp_cipher_list = NULL;
1553 }
1554
1555 return cipherstack;
Adam Langley858a88d2014-06-20 12:00:00 -0700[diff] [blame]1556
1557err:
David Benjamin2755a3e2015-04-22 16:17:58 -0400[diff] [blame]1558 OPENSSL_free(co_list);
1559 OPENSSL_free(in_group_flags);
1560 sk_SSL_CIPHER_free(cipherstack);
1561 sk_SSL_CIPHER_free(tmp_cipher_list);
1562 if (pref_list) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1563 OPENSSL_free(pref_list->in_group_flags);
1564 }
David Benjamin2755a3e2015-04-22 16:17:58 -0400[diff] [blame]1565 OPENSSL_free(pref_list);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1566 return NULL;
1567}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1568
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1569uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher) { return cipher->id; }
1570
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1571uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher) {
1572 uint32_t id = cipher->id;
1573 /* All ciphers are SSLv3. */
1574 assert((id & 0xff000000) == 0x03000000);
1575 return id & 0xffff;
1576}
1577
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]1578int ssl_cipher_get_ecdhe_psk_cipher(const SSL_CIPHER *cipher,
1579 uint16_t *out_cipher) {
1580 switch (cipher->id) {
1581 case TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
1582 case TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:
1583 case TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256:
1584 *out_cipher = TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 & 0xffff;
1585 return 1;
1586
1587 case TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
1588 case TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
1589 case TLS1_CK_ECDHE_PSK_WITH_AES_128_GCM_SHA256:
1590 *out_cipher = TLS1_CK_ECDHE_PSK_WITH_AES_128_GCM_SHA256 & 0xffff;
1591 return 1;
1592
1593 case TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
1594 case TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
1595 case TLS1_CK_ECDHE_PSK_WITH_AES_256_GCM_SHA384:
1596 *out_cipher = TLS1_CK_ECDHE_PSK_WITH_AES_256_GCM_SHA384 & 0xffff;
1597 return 1;
1598 }
1599 return 0;
1600}
1601
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1602int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher) {
1603 return (cipher->algorithm_enc & SSL_AES) != 0;
1604}
1605
1606int SSL_CIPHER_has_MD5_HMAC(const SSL_CIPHER *cipher) {
1607 return (cipher->algorithm_mac & SSL_MD5) != 0;
1608}
1609
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1610int SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER *cipher) {
1611 return (cipher->algorithm_mac & SSL_SHA1) != 0;
1612}
1613
David Benjamina211aee2016-02-24 17:18:44 -0500[diff] [blame]1614int SSL_CIPHER_has_SHA256_HMAC(const SSL_CIPHER *cipher) {
1615 return (cipher->algorithm_mac & SSL_SHA256) != 0;
1616}
1617
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1618int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher) {
David Benjaminc0125ef2015-09-09 09:11:07 -0400[diff] [blame]1619 return (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) != 0;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1620}
1621
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1622int SSL_CIPHER_is_AES128GCM(const SSL_CIPHER *cipher) {
1623 return (cipher->algorithm_enc & SSL_AES128GCM) != 0;
1624}
1625
Adam Langleyb00061c2015-11-16 17:44:52 -0800[diff] [blame]1626int SSL_CIPHER_is_AES128CBC(const SSL_CIPHER *cipher) {
1627 return (cipher->algorithm_enc & SSL_AES128) != 0;
1628}
1629
1630int SSL_CIPHER_is_AES256CBC(const SSL_CIPHER *cipher) {
1631 return (cipher->algorithm_enc & SSL_AES256) != 0;
1632}
1633
David Benjamin51a01a52015-10-29 13:19:56 -0400[diff] [blame]1634int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher) {
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1635 return (cipher->algorithm_enc &
1636 (SSL_CHACHA20POLY1305 | SSL_CHACHA20POLY1305_OLD)) != 0;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1637}
1638
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1639int SSL_CIPHER_is_NULL(const SSL_CIPHER *cipher) {
1640 return (cipher->algorithm_enc & SSL_eNULL) != 0;
1641}
1642
1643int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher) {
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame^]1644 return (cipher->algorithm_enc & SSL_eNULL) == 0 &&
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1645 cipher->algorithm_mac != SSL_AEAD;
1646}
1647
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1648int SSL_CIPHER_is_ECDSA(const SSL_CIPHER *cipher) {
1649 return (cipher->algorithm_auth & SSL_aECDSA) != 0;
1650}
1651
David Benjamin0fc7df52016-06-02 18:36:33 -0400[diff] [blame]1652int SSL_CIPHER_is_DHE(const SSL_CIPHER *cipher) {
1653 return (cipher->algorithm_mkey & SSL_kDHE) != 0;
1654}
1655
David Benjamin4cc36ad2015-12-19 14:23:26 -0500[diff] [blame]1656int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher) {
1657 return (cipher->algorithm_mkey & SSL_kECDHE) != 0;
1658}
1659
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]1660int SSL_CIPHER_is_CECPQ1(const SSL_CIPHER *cipher) {
1661 return (cipher->algorithm_mkey & SSL_kCECPQ1) != 0;
1662}
1663
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1664uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) {
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1665 if (cipher->algorithm_prf != SSL_HANDSHAKE_MAC_DEFAULT) {
1666 /* Cipher suites before TLS 1.2 use the default PRF, while all those added
1667 * afterwards specify a particular hash. */
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1668 return TLS1_2_VERSION;
1669 }
1670 return SSL3_VERSION;
1671}
1672
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1673uint16_t SSL_CIPHER_get_max_version(const SSL_CIPHER *cipher) {
1674 if (cipher->algorithm_mac == SSL_AEAD &&
1675 (cipher->algorithm_enc & SSL_CHACHA20POLY1305_OLD) == 0 &&
David Benjamin54c217c2016-07-13 12:35:25 -0400[diff] [blame]1676 (cipher->algorithm_mkey & SSL_kECDHE) != 0 &&
1677 /* TODO(davidben,svaldez): Support PSK-based ciphers in TLS 1.3. */
1678 (cipher->algorithm_auth & SSL_aCERT) != 0) {
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1679 return TLS1_3_VERSION;
1680 }
1681 return TLS1_2_VERSION;
1682}
1683
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1684/* return the actual cipher being used */
1685const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) {
1686 if (cipher != NULL) {
1687 return cipher->name;
1688 }
1689
1690 return "(NONE)";
1691}
1692
1693const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) {
1694 if (cipher == NULL) {
1695 return "";
1696 }
1697
1698 switch (cipher->algorithm_mkey) {
1699 case SSL_kRSA:
1700 return "RSA";
1701
1702 case SSL_kDHE:
1703 switch (cipher->algorithm_auth) {
1704 case SSL_aRSA:
1705 return "DHE_RSA";
1706 default:
1707 assert(0);
1708 return "UNKNOWN";
1709 }
1710
1711 case SSL_kECDHE:
1712 switch (cipher->algorithm_auth) {
1713 case SSL_aECDSA:
1714 return "ECDHE_ECDSA";
1715 case SSL_aRSA:
1716 return "ECDHE_RSA";
1717 case SSL_aPSK:
1718 return "ECDHE_PSK";
1719 default:
1720 assert(0);
1721 return "UNKNOWN";
1722 }
1723
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]1724 case SSL_kCECPQ1:
1725 switch (cipher->algorithm_auth) {
1726 case SSL_aECDSA:
1727 return "CECPQ1_ECDSA";
1728 case SSL_aRSA:
1729 return "CECPQ1_RSA";
1730 default:
1731 assert(0);
1732 return "UNKNOWN";
1733 }
1734
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1735 case SSL_kPSK:
1736 assert(cipher->algorithm_auth == SSL_aPSK);
1737 return "PSK";
1738
1739 default:
1740 assert(0);
1741 return "UNKNOWN";
1742 }
1743}
1744
1745static const char *ssl_cipher_get_enc_name(const SSL_CIPHER *cipher) {
1746 switch (cipher->algorithm_enc) {
1747 case SSL_3DES:
1748 return "3DES_EDE_CBC";
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1749 case SSL_AES128:
1750 return "AES_128_CBC";
1751 case SSL_AES256:
1752 return "AES_256_CBC";
1753 case SSL_AES128GCM:
1754 return "AES_128_GCM";
1755 case SSL_AES256GCM:
1756 return "AES_256_GCM";
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1757 case SSL_CHACHA20POLY1305:
Brian Smith271777f2015-10-03 13:53:33 -1000[diff] [blame]1758 case SSL_CHACHA20POLY1305_OLD:
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1759 return "CHACHA20_POLY1305";
1760 break;
1761 default:
1762 assert(0);
1763 return "UNKNOWN";
1764 }
1765}
1766
1767static const char *ssl_cipher_get_prf_name(const SSL_CIPHER *cipher) {
David Benjaminb0883312015-08-06 09:54:13 -0400[diff] [blame]1768 switch (cipher->algorithm_prf) {
1769 case SSL_HANDSHAKE_MAC_DEFAULT:
1770 /* Before TLS 1.2, the PRF component is the hash used in the HMAC, which is
1771 * only ever MD5 or SHA-1. */
1772 switch (cipher->algorithm_mac) {
1773 case SSL_MD5:
1774 return "MD5";
1775 case SSL_SHA1:
1776 return "SHA";
1777 }
1778 break;
1779 case SSL_HANDSHAKE_MAC_SHA256:
1780 return "SHA256";
1781 case SSL_HANDSHAKE_MAC_SHA384:
1782 return "SHA384";
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1783 }
David Benjaminb0883312015-08-06 09:54:13 -0400[diff] [blame]1784 assert(0);
1785 return "UNKNOWN";
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1786}
1787
1788char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher) {
1789 if (cipher == NULL) {
1790 return NULL;
1791 }
1792
1793 const char *kx_name = SSL_CIPHER_get_kx_name(cipher);
1794 const char *enc_name = ssl_cipher_get_enc_name(cipher);
1795 const char *prf_name = ssl_cipher_get_prf_name(cipher);
1796
1797 /* The final name is TLS_{kx_name}_WITH_{enc_name}_{prf_name}. */
1798 size_t len = 4 + strlen(kx_name) + 6 + strlen(enc_name) + 1 +
1799 strlen(prf_name) + 1;
1800 char *ret = OPENSSL_malloc(len);
1801 if (ret == NULL) {
1802 return NULL;
1803 }
1804 if (BUF_strlcpy(ret, "TLS_", len) >= len ||
1805 BUF_strlcat(ret, kx_name, len) >= len ||
1806 BUF_strlcat(ret, "_WITH_", len) >= len ||
1807 BUF_strlcat(ret, enc_name, len) >= len ||
1808 BUF_strlcat(ret, "_", len) >= len ||
1809 BUF_strlcat(ret, prf_name, len) >= len) {
1810 assert(0);
1811 OPENSSL_free(ret);
1812 return NULL;
1813 }
1814 assert(strlen(ret) + 1 == len);
1815 return ret;
1816}
1817
1818int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *out_alg_bits) {
1819 if (cipher == NULL) {
1820 return 0;
1821 }
1822
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1823 int alg_bits, strength_bits;
1824 switch (cipher->algorithm_enc) {
1825 case SSL_AES128:
1826 case SSL_AES128GCM:
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1827 alg_bits = 128;
1828 strength_bits = 128;
1829 break;
1830
1831 case SSL_AES256:
1832 case SSL_AES256GCM:
1833#if !defined(BORINGSSL_ANDROID_SYSTEM)
1834 case SSL_CHACHA20POLY1305_OLD:
1835#endif
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1836 case SSL_CHACHA20POLY1305:
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1837 alg_bits = 256;
1838 strength_bits = 256;
1839 break;
1840
1841 case SSL_3DES:
1842 alg_bits = 168;
1843 strength_bits = 112;
1844 break;
1845
1846 case SSL_eNULL:
1847 alg_bits = 0;
1848 strength_bits = 0;
1849 break;
1850
1851 default:
1852 assert(0);
1853 alg_bits = 0;
1854 strength_bits = 0;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1855 }
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1856
1857 if (out_alg_bits != NULL) {
1858 *out_alg_bits = alg_bits;
1859 }
1860 return strength_bits;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1861}
1862
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1863const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,
1864 int len) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1865 const char *kx, *au, *enc, *mac;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1866 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1867
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1868 alg_mkey = cipher->algorithm_mkey;
1869 alg_auth = cipher->algorithm_auth;
1870 alg_enc = cipher->algorithm_enc;
1871 alg_mac = cipher->algorithm_mac;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1872
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1873 switch (alg_mkey) {
1874 case SSL_kRSA:
1875 kx = "RSA";
1876 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1877
David Benjamin7061e282015-03-19 11:10:48 -0400[diff] [blame]1878 case SSL_kDHE:
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1879 kx = "DH";
1880 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1881
David Benjamin7061e282015-03-19 11:10:48 -0400[diff] [blame]1882 case SSL_kECDHE:
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1883 kx = "ECDH";
1884 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1885
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]1886 case SSL_kCECPQ1:
1887 kx = "CECPQ1";
1888 break;
1889
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1890 case SSL_kPSK:
1891 kx = "PSK";
1892 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1893
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1894 default:
1895 kx = "unknown";
1896 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1897
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1898 switch (alg_auth) {
1899 case SSL_aRSA:
1900 au = "RSA";
1901 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1902
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1903 case SSL_aECDSA:
1904 au = "ECDSA";
1905 break;
Adam Langley4d4bff82014-06-20 12:00:00 -0700[diff] [blame]1906
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1907 case SSL_aPSK:
1908 au = "PSK";
1909 break;
Adam Langley4d4bff82014-06-20 12:00:00 -0700[diff] [blame]1910
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1911 default:
1912 au = "unknown";
1913 break;
1914 }
Adam Langleyde0b2022014-06-20 12:00:00 -0700[diff] [blame]1915
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1916 switch (alg_enc) {
1917 case SSL_3DES:
1918 enc = "3DES(168)";
1919 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1920
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1921 case SSL_AES128:
1922 enc = "AES(128)";
1923 break;
1924
1925 case SSL_AES256:
1926 enc = "AES(256)";
1927 break;
1928
1929 case SSL_AES128GCM:
1930 enc = "AESGCM(128)";
1931 break;
1932
1933 case SSL_AES256GCM:
1934 enc = "AESGCM(256)";
1935 break;
1936
Brian Smith271777f2015-10-03 13:53:33 -1000[diff] [blame]1937 case SSL_CHACHA20POLY1305_OLD:
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1938 enc = "ChaCha20-Poly1305-Old";
1939 break;
1940
1941 case SSL_CHACHA20POLY1305:
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1942 enc = "ChaCha20-Poly1305";
1943 break;
1944
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1945 case SSL_eNULL:
1946 enc="None";
1947 break;
1948
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1949 default:
1950 enc = "unknown";
1951 break;
1952 }
1953
1954 switch (alg_mac) {
1955 case SSL_MD5:
1956 mac = "MD5";
1957 break;
1958
1959 case SSL_SHA1:
1960 mac = "SHA1";
1961 break;
1962
1963 case SSL_SHA256:
1964 mac = "SHA256";
1965 break;
1966
1967 case SSL_SHA384:
1968 mac = "SHA384";
1969 break;
1970
1971 case SSL_AEAD:
1972 mac = "AEAD";
1973 break;
1974
1975 default:
1976 mac = "unknown";
1977 break;
1978 }
1979
1980 if (buf == NULL) {
1981 len = 128;
1982 buf = OPENSSL_malloc(len);
David Benjamin1eed2c02015-02-08 23:20:06 -0500[diff] [blame]1983 if (buf == NULL) {
1984 return NULL;
1985 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1986 } else if (len < 128) {
1987 return "Buffer too small";
1988 }
1989
Brian Smith0687bdf2016-01-17 09:18:26 -1000[diff] [blame]1990 BIO_snprintf(buf, len, "%-23s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n",
1991 cipher->name, kx, au, enc, mac);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1992 return buf;
1993}
1994
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1995const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher) {
1996 return "TLSv1/SSLv3";
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1997}
1998
Matt Braithwaite6a1275b2015-06-26 12:09:10 -0700[diff] [blame]1999COMP_METHOD *SSL_COMP_get_compression_methods(void) { return NULL; }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]2000
Matt Braithwaite6a1275b2015-06-26 12:09:10 -0700[diff] [blame]2001int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) { return 1; }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]2002
Matt Braithwaite6a1275b2015-06-26 12:09:10 -0700[diff] [blame]2003const char *SSL_COMP_get_name(const COMP_METHOD *comp) { return NULL; }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2004
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]2005int ssl_cipher_get_key_type(const SSL_CIPHER *cipher) {
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]2006 uint32_t alg_a = cipher->algorithm_auth;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2007
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]2008 if (alg_a & SSL_aECDSA) {
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]2009 return EVP_PKEY_EC;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]2010 } else if (alg_a & SSL_aRSA) {
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]2011 return EVP_PKEY_RSA;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]2012 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2013
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]2014 return EVP_PKEY_NONE;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]2015}
David Benjamin9c651c92014-07-12 13:27:45 -0400[diff] [blame]2016
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]2017int ssl_cipher_uses_certificate_auth(const SSL_CIPHER *cipher) {
2018 return (cipher->algorithm_auth & SSL_aCERT) != 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]2019}
2020
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]2021int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) {
2022 /* Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. */
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]2023 if (cipher->algorithm_mkey & SSL_kDHE ||
2024 cipher->algorithm_mkey & SSL_kECDHE ||
2025 cipher->algorithm_mkey & SSL_kCECPQ1) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]2026 return 1;
2027 }
2028
2029 /* It is optional in all others. */
2030 return 0;
2031}
David Benjaminb8d28cf2015-07-28 21:34:45 -0400[diff] [blame]2032
2033size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher) {
2034 size_t block_size;
2035 switch (cipher->algorithm_enc) {
2036 case SSL_3DES:
2037 block_size = 8;
2038 break;
2039 case SSL_AES128:
2040 case SSL_AES256:
2041 block_size = 16;
2042 break;
2043 default:
2044 return 0;
2045 }
2046
2047 size_t mac_len;
2048 switch (cipher->algorithm_mac) {
2049 case SSL_MD5:
2050 mac_len = MD5_DIGEST_LENGTH;
2051 break;
2052 case SSL_SHA1:
2053 mac_len = SHA_DIGEST_LENGTH;
2054 break;
2055 default:
2056 return 0;
2057 }
2058
2059 size_t ret = 1 + mac_len;
2060 ret += block_size - (ret % block_size);
2061 return ret;
2062}