Google Git
Sign in
boringssl / boringssl.git / c660417bd7a7a438eddb0bc087931671b6a849e7 / . / ssl / ssl_cipher.c
blob: e78374b9b113cf045ba89bb1e2868f619b1912f0 [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57/* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110/* ====================================================================
111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112 * ECC cipher suite support in OpenSSL originally developed by
113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
114 */
115/* ====================================================================
116 * Copyright 2005 Nokia. All rights reserved.
117 *
118 * The portions of the attached software ("Contribution") is developed by
119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
120 * license.
121 *
122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
124 * support (see RFC 4279) to OpenSSL.
125 *
126 * No patent licenses or other rights except those expressly stated in
127 * the OpenSSL open source license shall be deemed granted or received
128 * expressly, by implication, estoppel, or otherwise.
129 *
130 * No assurances are provided by Nokia that the Contribution does not
131 * infringe the patent or other intellectual property rights of any third
132 * party or that the license provides you with all the necessary rights
133 * to make use of the Contribution.
134 *
135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
139 * OTHERWISE. */
140
David Benjamin9e4e01e2015-09-15 01:48:04 -0400[diff] [blame]141#include <openssl/ssl.h>
142
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]143#include <assert.h>
David Benjaminf0ae1702015-04-07 23:05:04 -0400[diff] [blame]144#include <string.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]145
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]146#include <openssl/buf.h>
David Benjaminf0ae1702015-04-07 23:05:04 -0400[diff] [blame]147#include <openssl/err.h>
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]148#include <openssl/md5.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]149#include <openssl/mem.h>
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]150#include <openssl/sha.h>
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]151#include <openssl/stack.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]152
David Benjamin2ee94aa2015-04-07 22:38:30 -0400[diff] [blame]153#include "internal.h"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]154
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]155
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]156/* kCiphers is an array of all supported ciphers, sorted by id. */
David Benjamin20c37312015-11-11 21:33:18 -0800[diff] [blame]157static const SSL_CIPHER kCiphers[] = {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]158 /* The RSA ciphers */
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]159 /* Cipher 02 */
160 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]161 SSL3_TXT_RSA_NULL_SHA,
162 SSL3_CK_RSA_NULL_SHA,
163 SSL_kRSA,
164 SSL_aRSA,
165 SSL_eNULL,
166 SSL_SHA1,
167 SSL_HANDSHAKE_MAC_DEFAULT,
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]168 },
169
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]170 /* Cipher 04 */
171 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]172 SSL3_TXT_RSA_RC4_128_MD5,
173 SSL3_CK_RSA_RC4_128_MD5,
174 SSL_kRSA,
175 SSL_aRSA,
176 SSL_RC4,
177 SSL_MD5,
178 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]179 },
180
181 /* Cipher 05 */
182 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]183 SSL3_TXT_RSA_RC4_128_SHA,
184 SSL3_CK_RSA_RC4_128_SHA,
185 SSL_kRSA,
186 SSL_aRSA,
187 SSL_RC4,
188 SSL_SHA1,
189 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]190 },
191
192 /* Cipher 0A */
193 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]194 SSL3_TXT_RSA_DES_192_CBC3_SHA,
195 SSL3_CK_RSA_DES_192_CBC3_SHA,
196 SSL_kRSA,
197 SSL_aRSA,
198 SSL_3DES,
199 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]200 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]201 },
202
203
204 /* New AES ciphersuites */
205
206 /* Cipher 2F */
207 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]208 TLS1_TXT_RSA_WITH_AES_128_SHA,
209 TLS1_CK_RSA_WITH_AES_128_SHA,
210 SSL_kRSA,
211 SSL_aRSA,
212 SSL_AES128,
213 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]214 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]215 },
216
217 /* Cipher 33 */
218 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]219 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
220 TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
221 SSL_kDHE,
222 SSL_aRSA,
223 SSL_AES128,
224 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]225 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]226 },
227
228 /* Cipher 35 */
229 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]230 TLS1_TXT_RSA_WITH_AES_256_SHA,
231 TLS1_CK_RSA_WITH_AES_256_SHA,
232 SSL_kRSA,
233 SSL_aRSA,
234 SSL_AES256,
235 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]236 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]237 },
238
239 /* Cipher 39 */
240 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]241 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
242 TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
243 SSL_kDHE,
244 SSL_aRSA,
245 SSL_AES256,
246 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]247 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]248 },
249
250
251 /* TLS v1.2 ciphersuites */
252
253 /* Cipher 3C */
254 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]255 TLS1_TXT_RSA_WITH_AES_128_SHA256,
256 TLS1_CK_RSA_WITH_AES_128_SHA256,
257 SSL_kRSA,
258 SSL_aRSA,
259 SSL_AES128,
260 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]261 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]262 },
263
264 /* Cipher 3D */
265 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]266 TLS1_TXT_RSA_WITH_AES_256_SHA256,
267 TLS1_CK_RSA_WITH_AES_256_SHA256,
268 SSL_kRSA,
269 SSL_aRSA,
270 SSL_AES256,
271 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]272 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]273 },
274
275 /* Cipher 67 */
276 {
277 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]278 TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
279 SSL_kDHE,
280 SSL_aRSA,
281 SSL_AES128,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]282 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]283 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]284 },
285
286 /* Cipher 6B */
287 {
288 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]289 TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
290 SSL_kDHE,
291 SSL_aRSA,
292 SSL_AES256,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]293 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]294 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]295 },
296
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]297 /* PSK cipher suites. */
298
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]299 /* Cipher 8A */
300 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]301 TLS1_TXT_PSK_WITH_RC4_128_SHA,
302 TLS1_CK_PSK_WITH_RC4_128_SHA,
303 SSL_kPSK,
304 SSL_aPSK,
305 SSL_RC4,
306 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]307 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]308 },
309
310 /* Cipher 8C */
311 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]312 TLS1_TXT_PSK_WITH_AES_128_CBC_SHA,
313 TLS1_CK_PSK_WITH_AES_128_CBC_SHA,
314 SSL_kPSK,
315 SSL_aPSK,
316 SSL_AES128,
317 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]318 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]319 },
320
321 /* Cipher 8D */
322 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]323 TLS1_TXT_PSK_WITH_AES_256_CBC_SHA,
324 TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
325 SSL_kPSK,
326 SSL_aPSK,
327 SSL_AES256,
328 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]329 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]330 },
331
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]332 /* GCM ciphersuites from RFC5288 */
333
334 /* Cipher 9C */
335 {
336 TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]337 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
338 SSL_kRSA,
339 SSL_aRSA,
340 SSL_AES128GCM,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]341 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]342 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]343 },
344
345 /* Cipher 9D */
346 {
347 TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]348 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
349 SSL_kRSA,
350 SSL_aRSA,
351 SSL_AES256GCM,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]352 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]353 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]354 },
355
356 /* Cipher 9E */
357 {
358 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]359 TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
360 SSL_kDHE,
361 SSL_aRSA,
362 SSL_AES128GCM,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]363 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]364 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]365 },
366
367 /* Cipher 9F */
368 {
369 TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]370 TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
371 SSL_kDHE,
372 SSL_aRSA,
373 SSL_AES256GCM,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]374 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]375 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]376 },
377
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]378 /* CECPQ1 (combined elliptic curve + post-quantum) suites. */
379
380 /* Cipher 16B7 */
381 {
382 TLS1_TXT_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256,
383 TLS1_CK_CECPQ1_RSA_WITH_CHACHA20_POLY1305_SHA256,
384 SSL_kCECPQ1,
385 SSL_aRSA,
386 SSL_CHACHA20POLY1305,
387 SSL_AEAD,
388 SSL_HANDSHAKE_MAC_SHA256,
389 },
390
391 /* Cipher 16B8 */
392 {
393 TLS1_TXT_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
394 TLS1_CK_CECPQ1_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
395 SSL_kCECPQ1,
396 SSL_aECDSA,
397 SSL_CHACHA20POLY1305,
398 SSL_AEAD,
399 SSL_HANDSHAKE_MAC_SHA256,
400 },
401
402 /* Cipher 16B9 */
403 {
404 TLS1_TXT_CECPQ1_RSA_WITH_AES_256_GCM_SHA384,
405 TLS1_CK_CECPQ1_RSA_WITH_AES_256_GCM_SHA384,
406 SSL_kCECPQ1,
407 SSL_aRSA,
408 SSL_AES256GCM,
409 SSL_AEAD,
410 SSL_HANDSHAKE_MAC_SHA384,
411 },
412
413 /* Cipher 16BA */
414 {
415 TLS1_TXT_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384,
416 TLS1_CK_CECPQ1_ECDSA_WITH_AES_256_GCM_SHA384,
417 SSL_kCECPQ1,
418 SSL_aECDSA,
419 SSL_AES256GCM,
420 SSL_AEAD,
421 SSL_HANDSHAKE_MAC_SHA384,
422 },
423
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]424 /* Cipher C007 */
425 {
426 TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]427 TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA,
428 SSL_kECDHE,
429 SSL_aECDSA,
430 SSL_RC4,
431 SSL_SHA1,
432 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]433 },
434
435 /* Cipher C009 */
436 {
437 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]438 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
439 SSL_kECDHE,
440 SSL_aECDSA,
441 SSL_AES128,
442 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]443 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]444 },
445
446 /* Cipher C00A */
447 {
448 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]449 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
450 SSL_kECDHE,
451 SSL_aECDSA,
452 SSL_AES256,
453 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]454 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]455 },
456
457 /* Cipher C011 */
458 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]459 TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
460 TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
461 SSL_kECDHE,
462 SSL_aRSA,
463 SSL_RC4,
464 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]465 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]466 },
467
468 /* Cipher C013 */
469 {
470 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]471 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
472 SSL_kECDHE,
473 SSL_aRSA,
474 SSL_AES128,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]475 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]476 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]477 },
478
479 /* Cipher C014 */
480 {
481 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]482 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
483 SSL_kECDHE,
484 SSL_aRSA,
485 SSL_AES256,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]486 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]487 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]488 },
489
490
491 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
492
493 /* Cipher C023 */
494 {
495 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]496 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
497 SSL_kECDHE,
498 SSL_aECDSA,
499 SSL_AES128,
500 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]501 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]502 },
503
504 /* Cipher C024 */
505 {
506 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]507 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
508 SSL_kECDHE,
509 SSL_aECDSA,
510 SSL_AES256,
511 SSL_SHA384,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]512 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]513 },
514
515 /* Cipher C027 */
516 {
517 TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]518 TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
519 SSL_kECDHE,
520 SSL_aRSA,
521 SSL_AES128,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]522 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]523 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]524 },
525
526 /* Cipher C028 */
527 {
528 TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]529 TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
530 SSL_kECDHE,
531 SSL_aRSA,
532 SSL_AES256,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]533 SSL_SHA384,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]534 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]535 },
536
537
538 /* GCM based TLS v1.2 ciphersuites from RFC5289 */
539
540 /* Cipher C02B */
541 {
542 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]543 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
544 SSL_kECDHE,
545 SSL_aECDSA,
546 SSL_AES128GCM,
547 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]548 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]549 },
550
551 /* Cipher C02C */
552 {
553 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]554 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
555 SSL_kECDHE,
556 SSL_aECDSA,
557 SSL_AES256GCM,
558 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]559 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]560 },
561
562 /* Cipher C02F */
563 {
564 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]565 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
566 SSL_kECDHE,
567 SSL_aRSA,
568 SSL_AES128GCM,
569 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]570 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]571 },
572
573 /* Cipher C030 */
574 {
575 TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]576 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
577 SSL_kECDHE,
578 SSL_aRSA,
579 SSL_AES256GCM,
580 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]581 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]582 },
583
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]584 /* ECDHE-PSK cipher suites. */
585
586 /* Cipher C035 */
587 {
588 TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA,
589 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]590 SSL_kECDHE,
591 SSL_aPSK,
592 SSL_AES128,
593 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]594 SSL_HANDSHAKE_MAC_DEFAULT,
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]595 },
596
597 /* Cipher C036 */
598 {
599 TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA,
600 TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]601 SSL_kECDHE,
602 SSL_aPSK,
603 SSL_AES256,
604 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]605 SSL_HANDSHAKE_MAC_DEFAULT,
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]606 },
607
608 /* ChaCha20-Poly1305 cipher suites. */
609
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]610#if !defined(BORINGSSL_ANDROID_SYSTEM)
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]611 {
Brian Smith271777f2015-10-03 13:53:33 -1000[diff] [blame]612 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_OLD,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]613 TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD,
614 SSL_kECDHE,
615 SSL_aRSA,
616 SSL_CHACHA20POLY1305_OLD,
617 SSL_AEAD,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]618 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]619 },
620
621 {
Brian Smith271777f2015-10-03 13:53:33 -1000[diff] [blame]622 TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_OLD,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]623 TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD,
624 SSL_kECDHE,
625 SSL_aECDSA,
626 SSL_CHACHA20POLY1305_OLD,
627 SSL_AEAD,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]628 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]629 },
Adam Langleyd98dc132015-09-23 16:41:33 -0700[diff] [blame]630#endif
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]631
632 /* Cipher CCA8 */
633 {
634 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
635 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
636 SSL_kECDHE,
637 SSL_aRSA,
638 SSL_CHACHA20POLY1305,
639 SSL_AEAD,
640 SSL_HANDSHAKE_MAC_SHA256,
641 },
642
643 /* Cipher CCA9 */
644 {
645 TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
646 TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
647 SSL_kECDHE,
648 SSL_aECDSA,
649 SSL_CHACHA20POLY1305,
650 SSL_AEAD,
651 SSL_HANDSHAKE_MAC_SHA256,
652 },
653
654 /* Cipher CCAB */
655 {
656 TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
657 TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
658 SSL_kECDHE,
659 SSL_aPSK,
660 SSL_CHACHA20POLY1305,
661 SSL_AEAD,
662 SSL_HANDSHAKE_MAC_SHA256,
663 },
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]664
Steven Valdez3084e7b2016-06-02 12:07:20 -0400[diff] [blame]665 /* Cipher D001 */
666 {
667 TLS1_TXT_ECDHE_PSK_WITH_AES_128_GCM_SHA256,
668 TLS1_CK_ECDHE_PSK_WITH_AES_128_GCM_SHA256,
669 SSL_kECDHE,
670 SSL_aPSK,
671 SSL_AES128GCM,
672 SSL_SHA256,
673 SSL_HANDSHAKE_MAC_SHA256,
674 },
675
676 /* Cipher D002 */
677 {
678 TLS1_TXT_ECDHE_PSK_WITH_AES_256_GCM_SHA384,
679 TLS1_CK_ECDHE_PSK_WITH_AES_256_GCM_SHA384,
680 SSL_kECDHE,
681 SSL_aPSK,
682 SSL_AES256GCM,
683 SSL_SHA384,
684 SSL_HANDSHAKE_MAC_SHA384,
685 },
686
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]687};
688
689static const size_t kCiphersLen = sizeof(kCiphers) / sizeof(kCiphers[0]);
690
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]691#define CIPHER_ADD 1
692#define CIPHER_KILL 2
693#define CIPHER_DEL 3
694#define CIPHER_ORD 4
695#define CIPHER_SPECIAL 5
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]696
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]697typedef struct cipher_order_st {
698 const SSL_CIPHER *cipher;
699 int active;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]700 int in_group;
701 struct cipher_order_st *next, *prev;
702} CIPHER_ORDER;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]703
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]704typedef struct cipher_alias_st {
705 /* name is the name of the cipher alias. */
706 const char *name;
707
708 /* The following fields are bitmasks for the corresponding fields on
709 * |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the
710 * bit corresponding to the cipher's value is set to 1. If any bitmask is
711 * all zeroes, the alias matches nothing. Use |~0u| for the default value. */
712 uint32_t algorithm_mkey;
713 uint32_t algorithm_auth;
714 uint32_t algorithm_enc;
715 uint32_t algorithm_mac;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]716
717 /* min_version, if non-zero, matches all ciphers which were added in that
718 * particular protocol version. */
719 uint16_t min_version;
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]720} CIPHER_ALIAS;
721
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]722static const CIPHER_ALIAS kCipherAliases[] = {
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]723 /* "ALL" doesn't include eNULL nor kCECPQ1. These must be explicitly
724 * enabled. */
725 {"ALL", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]726
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]727 /* The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]728
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]729 /* key exchange aliases
730 * (some of those using only a single bit here combine
731 * multiple key exchange algs according to the RFCs,
732 * e.g. kEDH combines DHE_DSS and DHE_RSA) */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]733 {"kRSA", SSL_kRSA, ~0u, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]734
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]735 {"kDHE", SSL_kDHE, ~0u, ~0u, ~0u, 0},
736 {"kEDH", SSL_kDHE, ~0u, ~0u, ~0u, 0},
737 {"DH", SSL_kDHE, ~0u, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]738
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]739 {"kECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]740 {"kCECPQ1", SSL_kCECPQ1, ~0u, ~0u, ~0u, 0},
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]741 {"kEECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
742 {"ECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]743
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]744 {"kPSK", SSL_kPSK, ~0u, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]745
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]746 /* server authentication aliases */
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]747 {"aRSA", ~SSL_kCECPQ1, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
748 {"aECDSA", ~SSL_kCECPQ1, SSL_aECDSA, ~0u, ~0u, 0},
749 {"ECDSA", ~SSL_kCECPQ1, SSL_aECDSA, ~0u, ~0u, 0},
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]750 {"aPSK", ~0u, SSL_aPSK, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]751
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]752 /* aliases combining key exchange and server authentication */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]753 {"DHE", SSL_kDHE, ~0u, ~0u, ~0u, 0},
754 {"EDH", SSL_kDHE, ~0u, ~0u, ~0u, 0},
755 {"ECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
756 {"EECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
757 {"RSA", SSL_kRSA, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
758 {"PSK", SSL_kPSK, SSL_aPSK, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]759
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]760 /* symmetric encryption aliases */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]761 {"3DES", ~0u, ~0u, SSL_3DES, ~0u, 0},
762 {"RC4", ~0u, ~0u, SSL_RC4, ~0u, 0},
763 {"AES128", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0},
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]764 {"AES256", ~SSL_kCECPQ1, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0},
765 {"AES", ~SSL_kCECPQ1, ~0u, SSL_AES, ~0u, 0},
766 {"AESGCM", ~SSL_kCECPQ1, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0},
767 {"CHACHA20", ~SSL_kCECPQ1, ~0u, SSL_CHACHA20POLY1305 | SSL_CHACHA20POLY1305_OLD, ~0u,
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]768 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]769
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]770 /* MAC aliases */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]771 {"MD5", ~0u, ~0u, ~0u, SSL_MD5, 0},
772 {"SHA1", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
773 {"SHA", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]774 {"SHA256", ~SSL_kCECPQ1, ~0u, ~0u, SSL_SHA256, 0},
775 {"SHA384", ~SSL_kCECPQ1, ~0u, ~0u, SSL_SHA384, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]776
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]777 /* Legacy protocol minimum version aliases. "TLSv1" is intentionally the
778 * same as "SSLv3". */
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]779 {"SSLv3", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
780 {"TLSv1", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
781 {"TLSv1.2", ~SSL_kCECPQ1, ~0u, ~SSL_eNULL, ~0u, TLS1_2_VERSION},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]782
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]783 /* Legacy strength classes. */
784 {"MEDIUM", ~0u, ~0u, SSL_RC4, ~0u, 0},
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]785 {"HIGH", ~SSL_kCECPQ1, ~0u, ~(SSL_eNULL|SSL_RC4), ~0u, 0},
786 {"FIPS", ~SSL_kCECPQ1, ~0u, ~(SSL_eNULL|SSL_RC4), ~0u, 0},
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]787};
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]788
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]789static const size_t kCipherAliasesLen =
790 sizeof(kCipherAliases) / sizeof(kCipherAliases[0]);
791
792static int ssl_cipher_id_cmp(const void *in_a, const void *in_b) {
793 const SSL_CIPHER *a = in_a;
794 const SSL_CIPHER *b = in_b;
795
796 if (a->id > b->id) {
797 return 1;
798 } else if (a->id < b->id) {
799 return -1;
800 } else {
801 return 0;
802 }
803}
804
805static int ssl_cipher_ptr_id_cmp(const SSL_CIPHER **a, const SSL_CIPHER **b) {
806 return ssl_cipher_id_cmp(*a, *b);
807}
808
809const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value) {
810 SSL_CIPHER c;
811
812 c.id = 0x03000000L | value;
813 return bsearch(&c, kCiphers, kCiphersLen, sizeof(SSL_CIPHER),
814 ssl_cipher_id_cmp);
815}
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]816
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]817int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
818 size_t *out_mac_secret_len,
819 size_t *out_fixed_iv_len,
820 const SSL_CIPHER *cipher, uint16_t version) {
821 *out_aead = NULL;
822 *out_mac_secret_len = 0;
823 *out_fixed_iv_len = 0;
Adam Langleyc9fb3752014-06-20 12:00:00 -0700[diff] [blame]824
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]825 switch (cipher->algorithm_enc) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]826 case SSL_AES128GCM:
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]827 *out_aead = EVP_aead_aes_128_gcm();
828 *out_fixed_iv_len = 4;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]829 return 1;
830
831 case SSL_AES256GCM:
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]832 *out_aead = EVP_aead_aes_256_gcm();
833 *out_fixed_iv_len = 4;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]834 return 1;
835
Adam Langleyd98dc132015-09-23 16:41:33 -0700[diff] [blame]836#if !defined(BORINGSSL_ANDROID_SYSTEM)
Brian Smith271777f2015-10-03 13:53:33 -1000[diff] [blame]837 case SSL_CHACHA20POLY1305_OLD:
Brian Smith3e23e4c2015-10-03 11:38:58 -1000[diff] [blame]838 *out_aead = EVP_aead_chacha20_poly1305_old();
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]839 *out_fixed_iv_len = 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]840 return 1;
Adam Langleyd98dc132015-09-23 16:41:33 -0700[diff] [blame]841#endif
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]842
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]843 case SSL_CHACHA20POLY1305:
844 *out_aead = EVP_aead_chacha20_poly1305();
845 *out_fixed_iv_len = 12;
846 return 1;
847
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]848 case SSL_RC4:
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]849 switch (cipher->algorithm_mac) {
850 case SSL_MD5:
David Benjamin044abb02014-12-23 10:57:17 -0500[diff] [blame]851 if (version == SSL3_VERSION) {
852 *out_aead = EVP_aead_rc4_md5_ssl3();
853 } else {
854 *out_aead = EVP_aead_rc4_md5_tls();
855 }
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]856 *out_mac_secret_len = MD5_DIGEST_LENGTH;
857 return 1;
858 case SSL_SHA1:
David Benjamin044abb02014-12-23 10:57:17 -0500[diff] [blame]859 if (version == SSL3_VERSION) {
860 *out_aead = EVP_aead_rc4_sha1_ssl3();
861 } else {
862 *out_aead = EVP_aead_rc4_sha1_tls();
863 }
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]864 *out_mac_secret_len = SHA_DIGEST_LENGTH;
865 return 1;
866 default:
867 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]868 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]869
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]870 case SSL_AES128:
871 switch (cipher->algorithm_mac) {
872 case SSL_SHA1:
David Benjamin044abb02014-12-23 10:57:17 -0500[diff] [blame]873 if (version == SSL3_VERSION) {
874 *out_aead = EVP_aead_aes_128_cbc_sha1_ssl3();
875 *out_fixed_iv_len = 16;
876 } else if (version == TLS1_VERSION) {
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]877 *out_aead = EVP_aead_aes_128_cbc_sha1_tls_implicit_iv();
878 *out_fixed_iv_len = 16;
879 } else {
880 *out_aead = EVP_aead_aes_128_cbc_sha1_tls();
881 }
882 *out_mac_secret_len = SHA_DIGEST_LENGTH;
883 return 1;
884 case SSL_SHA256:
885 *out_aead = EVP_aead_aes_128_cbc_sha256_tls();
886 *out_mac_secret_len = SHA256_DIGEST_LENGTH;
887 return 1;
888 default:
889 return 0;
890 }
891
892 case SSL_AES256:
893 switch (cipher->algorithm_mac) {
894 case SSL_SHA1:
David Benjamin044abb02014-12-23 10:57:17 -0500[diff] [blame]895 if (version == SSL3_VERSION) {
896 *out_aead = EVP_aead_aes_256_cbc_sha1_ssl3();
897 *out_fixed_iv_len = 16;
898 } else if (version == TLS1_VERSION) {
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]899 *out_aead = EVP_aead_aes_256_cbc_sha1_tls_implicit_iv();
900 *out_fixed_iv_len = 16;
901 } else {
902 *out_aead = EVP_aead_aes_256_cbc_sha1_tls();
903 }
904 *out_mac_secret_len = SHA_DIGEST_LENGTH;
905 return 1;
906 case SSL_SHA256:
907 *out_aead = EVP_aead_aes_256_cbc_sha256_tls();
908 *out_mac_secret_len = SHA256_DIGEST_LENGTH;
909 return 1;
910 case SSL_SHA384:
911 *out_aead = EVP_aead_aes_256_cbc_sha384_tls();
912 *out_mac_secret_len = SHA384_DIGEST_LENGTH;
913 return 1;
914 default:
915 return 0;
916 }
917
918 case SSL_3DES:
919 switch (cipher->algorithm_mac) {
920 case SSL_SHA1:
David Benjamin044abb02014-12-23 10:57:17 -0500[diff] [blame]921 if (version == SSL3_VERSION) {
922 *out_aead = EVP_aead_des_ede3_cbc_sha1_ssl3();
923 *out_fixed_iv_len = 8;
924 } else if (version == TLS1_VERSION) {
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]925 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv();
926 *out_fixed_iv_len = 8;
927 } else {
928 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls();
929 }
930 *out_mac_secret_len = SHA_DIGEST_LENGTH;
931 return 1;
932 default:
933 return 0;
934 }
935
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]936 case SSL_eNULL:
937 switch (cipher->algorithm_mac) {
938 case SSL_SHA1:
939 if (version == SSL3_VERSION) {
940 *out_aead = EVP_aead_null_sha1_ssl3();
941 } else {
942 *out_aead = EVP_aead_null_sha1_tls();
943 }
944 *out_mac_secret_len = SHA_DIGEST_LENGTH;
945 return 1;
946 default:
947 return 0;
948 }
949
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]950 default:
951 return 0;
952 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]953}
Adam Langleyc9fb3752014-06-20 12:00:00 -0700[diff] [blame]954
David Benjaminb0883312015-08-06 09:54:13 -0400[diff] [blame]955const EVP_MD *ssl_get_handshake_digest(uint32_t algorithm_prf) {
956 switch (algorithm_prf) {
957 case SSL_HANDSHAKE_MAC_DEFAULT:
958 return EVP_sha1();
959 case SSL_HANDSHAKE_MAC_SHA256:
960 return EVP_sha256();
961 case SSL_HANDSHAKE_MAC_SHA384:
962 return EVP_sha384();
963 default:
964 return NULL;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]965 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]966}
967
968#define ITEM_SEP(a) \
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]969 (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]970
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]971/* rule_equals returns one iff the NUL-terminated string |rule| is equal to the
972 * |buf_len| bytes at |buf|. */
973static int rule_equals(const char *rule, const char *buf, size_t buf_len) {
974 /* |strncmp| alone only checks that |buf| is a prefix of |rule|. */
975 return strncmp(rule, buf, buf_len) == 0 && rule[buf_len] == '\0';
976}
977
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]978static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]979 CIPHER_ORDER **tail) {
980 if (curr == *tail) {
981 return;
982 }
983 if (curr == *head) {
984 *head = curr->next;
985 }
986 if (curr->prev != NULL) {
987 curr->prev->next = curr->next;
988 }
989 if (curr->next != NULL) {
990 curr->next->prev = curr->prev;
991 }
992 (*tail)->next = curr;
993 curr->prev = *tail;
994 curr->next = NULL;
995 *tail = curr;
996}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]997
998static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]999 CIPHER_ORDER **tail) {
1000 if (curr == *head) {
1001 return;
1002 }
1003 if (curr == *tail) {
1004 *tail = curr->prev;
1005 }
1006 if (curr->next != NULL) {
1007 curr->next->prev = curr->prev;
1008 }
1009 if (curr->prev != NULL) {
1010 curr->prev->next = curr->next;
1011 }
1012 (*head)->prev = curr;
1013 curr->next = *head;
1014 curr->prev = NULL;
1015 *head = curr;
1016}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1017
David Benjamin82c9e902014-12-12 15:55:27 -0500[diff] [blame]1018static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1019 CIPHER_ORDER *co_list,
1020 CIPHER_ORDER **head_p,
1021 CIPHER_ORDER **tail_p) {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1022 /* The set of ciphers is static, but some subset may be unsupported by
1023 * |ssl_method|, so the list may be smaller. */
1024 size_t co_list_num = 0;
1025 size_t i;
1026 for (i = 0; i < kCiphersLen; i++) {
1027 const SSL_CIPHER *cipher = &kCiphers[i];
1028 if (ssl_method->supports_cipher(cipher)) {
1029 co_list[co_list_num].cipher = cipher;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1030 co_list[co_list_num].next = NULL;
1031 co_list[co_list_num].prev = NULL;
1032 co_list[co_list_num].active = 0;
1033 co_list[co_list_num].in_group = 0;
1034 co_list_num++;
1035 }
1036 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1037
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1038 /* Prepare linked list from list entries. */
1039 if (co_list_num > 0) {
1040 co_list[0].prev = NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1041
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1042 if (co_list_num > 1) {
1043 co_list[0].next = &co_list[1];
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1044
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1045 for (i = 1; i < co_list_num - 1; i++) {
1046 co_list[i].prev = &co_list[i - 1];
1047 co_list[i].next = &co_list[i + 1];
1048 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1049
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1050 co_list[co_list_num - 1].prev = &co_list[co_list_num - 2];
1051 }
1052
1053 co_list[co_list_num - 1].next = NULL;
1054
1055 *head_p = &co_list[0];
1056 *tail_p = &co_list[co_list_num - 1];
1057 }
1058}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1059
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1060/* ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its
1061 * parameters in the linked list from |*head_p| to |*tail_p|. It writes the new
1062 * head and tail of the list to |*head_p| and |*tail_p|, respectively.
1063 *
1064 * - If |cipher_id| is non-zero, only that cipher is selected.
1065 * - Otherwise, if |strength_bits| is non-negative, it selects ciphers
1066 * of that strength.
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1067 * - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1068 * |min_version|. */
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1069static void ssl_cipher_apply_rule(
David Benjamin107db582015-04-08 00:41:59 -0400[diff] [blame]1070 uint32_t cipher_id, uint32_t alg_mkey, uint32_t alg_auth,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1071 uint32_t alg_enc, uint32_t alg_mac, uint16_t min_version, int rule,
1072 int strength_bits, int in_group, CIPHER_ORDER **head_p,
1073 CIPHER_ORDER **tail_p) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1074 CIPHER_ORDER *head, *tail, *curr, *next, *last;
1075 const SSL_CIPHER *cp;
1076 int reverse = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1077
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1078 if (cipher_id == 0 && strength_bits == -1 && min_version == 0 &&
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1079 (alg_mkey == 0 || alg_auth == 0 || alg_enc == 0 || alg_mac == 0)) {
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1080 /* The rule matches nothing, so bail early. */
1081 return;
1082 }
1083
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1084 if (rule == CIPHER_DEL) {
1085 /* needed to maintain sorting between currently deleted ciphers */
1086 reverse = 1;
1087 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1088
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1089 head = *head_p;
1090 tail = *tail_p;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1091
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1092 if (reverse) {
1093 next = tail;
1094 last = head;
1095 } else {
1096 next = head;
1097 last = tail;
1098 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1099
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1100 curr = NULL;
1101 for (;;) {
1102 if (curr == last) {
1103 break;
1104 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1105
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1106 curr = next;
1107 if (curr == NULL) {
1108 break;
1109 }
Adam Langleye3142a72014-07-24 17:56:48 -0700[diff] [blame]1110
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1111 next = reverse ? curr->prev : curr->next;
1112 cp = curr->cipher;
Adam Langleye3142a72014-07-24 17:56:48 -0700[diff] [blame]1113
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1114 /* Selection criteria is either a specific cipher, the value of
1115 * |strength_bits|, or the algorithms used. */
1116 if (cipher_id != 0) {
1117 if (cipher_id != cp->id) {
1118 continue;
1119 }
1120 } else if (strength_bits >= 0) {
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1121 if (strength_bits != SSL_CIPHER_get_bits(cp, NULL)) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1122 continue;
1123 }
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1124 } else if (!(alg_mkey & cp->algorithm_mkey) ||
1125 !(alg_auth & cp->algorithm_auth) ||
1126 !(alg_enc & cp->algorithm_enc) ||
1127 !(alg_mac & cp->algorithm_mac) ||
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1128 (min_version != 0 &&
1129 SSL_CIPHER_get_min_version(cp) != min_version)) {
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1130 continue;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1131 }
Adam Langleye3142a72014-07-24 17:56:48 -0700[diff] [blame]1132
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1133 /* add the cipher if it has not been added yet. */
1134 if (rule == CIPHER_ADD) {
1135 /* reverse == 0 */
1136 if (!curr->active) {
1137 ll_append_tail(&head, curr, &tail);
1138 curr->active = 1;
1139 curr->in_group = in_group;
1140 }
1141 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1142
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1143 /* Move the added cipher to this location */
1144 else if (rule == CIPHER_ORD) {
1145 /* reverse == 0 */
1146 if (curr->active) {
1147 ll_append_tail(&head, curr, &tail);
1148 curr->in_group = 0;
1149 }
1150 } else if (rule == CIPHER_DEL) {
1151 /* reverse == 1 */
1152 if (curr->active) {
1153 /* most recently deleted ciphersuites get best positions
1154 * for any future CIPHER_ADD (note that the CIPHER_DEL loop
1155 * works in reverse to maintain the order) */
1156 ll_append_head(&head, curr, &tail);
1157 curr->active = 0;
1158 curr->in_group = 0;
1159 }
1160 } else if (rule == CIPHER_KILL) {
1161 /* reverse == 0 */
1162 if (head == curr) {
1163 head = curr->next;
1164 } else {
1165 curr->prev->next = curr->next;
1166 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1167
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1168 if (tail == curr) {
1169 tail = curr->prev;
1170 }
1171 curr->active = 0;
1172 if (curr->next != NULL) {
1173 curr->next->prev = curr->prev;
1174 }
1175 if (curr->prev != NULL) {
1176 curr->prev->next = curr->next;
1177 }
1178 curr->next = NULL;
1179 curr->prev = NULL;
1180 }
1181 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1182
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1183 *head_p = head;
1184 *tail_p = tail;
1185}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1186
1187static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1188 CIPHER_ORDER **tail_p) {
1189 int max_strength_bits, i, *number_uses;
1190 CIPHER_ORDER *curr;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1191
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1192 /* This routine sorts the ciphers with descending strength. The sorting must
1193 * keep the pre-sorted sequence, so we apply the normal sorting routine as
1194 * '+' movement to the end of the list. */
1195 max_strength_bits = 0;
1196 curr = *head_p;
1197 while (curr != NULL) {
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1198 if (curr->active &&
1199 SSL_CIPHER_get_bits(curr->cipher, NULL) > max_strength_bits) {
1200 max_strength_bits = SSL_CIPHER_get_bits(curr->cipher, NULL);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1201 }
1202 curr = curr->next;
1203 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1204
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1205 number_uses = OPENSSL_malloc((max_strength_bits + 1) * sizeof(int));
1206 if (!number_uses) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1207 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1208 return 0;
1209 }
1210 memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int));
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1211
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1212 /* Now find the strength_bits values actually used. */
1213 curr = *head_p;
1214 while (curr != NULL) {
1215 if (curr->active) {
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1216 number_uses[SSL_CIPHER_get_bits(curr->cipher, NULL)]++;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1217 }
1218 curr = curr->next;
1219 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1220
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1221 /* Go through the list of used strength_bits values in descending order. */
1222 for (i = max_strength_bits; i >= 0; i--) {
1223 if (number_uses[i] > 0) {
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1224 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i, 0, head_p, tail_p);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1225 }
1226 }
1227
1228 OPENSSL_free(number_uses);
1229 return 1;
1230}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1231
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1232static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method,
1233 const char *rule_str,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1234 CIPHER_ORDER **head_p,
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1235 CIPHER_ORDER **tail_p) {
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1236 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1237 uint16_t min_version;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1238 const char *l, *buf;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1239 int multi, skip_rule, rule, retval, ok, in_group = 0, has_group = 0;
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1240 size_t j, buf_len;
1241 uint32_t cipher_id;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1242 char ch;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1243
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1244 retval = 1;
1245 l = rule_str;
1246 for (;;) {
1247 ch = *l;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1248
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1249 if (ch == '\0') {
1250 break; /* done */
1251 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1252
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1253 if (in_group) {
1254 if (ch == ']') {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1255 if (*tail_p) {
1256 (*tail_p)->in_group = 0;
1257 }
1258 in_group = 0;
1259 l++;
1260 continue;
1261 }
David Benjamin37d92462014-09-20 17:54:24 -0400[diff] [blame]1262
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1263 if (ch == '|') {
1264 rule = CIPHER_ADD;
1265 l++;
1266 continue;
1267 } else if (!(ch >= 'a' && ch <= 'z') && !(ch >= 'A' && ch <= 'Z') &&
1268 !(ch >= '0' && ch <= '9')) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1269 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP);
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1270 retval = in_group = 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1271 break;
1272 } else {
1273 rule = CIPHER_ADD;
1274 }
1275 } else if (ch == '-') {
1276 rule = CIPHER_DEL;
1277 l++;
1278 } else if (ch == '+') {
1279 rule = CIPHER_ORD;
1280 l++;
1281 } else if (ch == '!') {
1282 rule = CIPHER_KILL;
1283 l++;
1284 } else if (ch == '@') {
1285 rule = CIPHER_SPECIAL;
1286 l++;
1287 } else if (ch == '[') {
1288 if (in_group) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1289 OPENSSL_PUT_ERROR(SSL, SSL_R_NESTED_GROUP);
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1290 retval = in_group = 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1291 break;
1292 }
1293 in_group = 1;
1294 has_group = 1;
1295 l++;
1296 continue;
1297 } else {
1298 rule = CIPHER_ADD;
1299 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1300
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1301 /* If preference groups are enabled, the only legal operator is +.
1302 * Otherwise the in_group bits will get mixed up. */
1303 if (has_group && rule != CIPHER_ADD) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1304 OPENSSL_PUT_ERROR(SSL, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1305 retval = in_group = 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1306 break;
1307 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1308
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1309 if (ITEM_SEP(ch)) {
1310 l++;
1311 continue;
1312 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1313
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1314 multi = 0;
1315 cipher_id = 0;
1316 alg_mkey = ~0u;
1317 alg_auth = ~0u;
1318 alg_enc = ~0u;
1319 alg_mac = ~0u;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1320 min_version = 0;
1321 skip_rule = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1322
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1323 for (;;) {
1324 ch = *l;
1325 buf = l;
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1326 buf_len = 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1327 while (((ch >= 'A') && (ch <= 'Z')) || ((ch >= '0') && (ch <= '9')) ||
1328 ((ch >= 'a') && (ch <= 'z')) || (ch == '-') || (ch == '.')) {
1329 ch = *(++l);
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1330 buf_len++;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1331 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1332
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1333 if (buf_len == 0) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1334 /* We hit something we cannot deal with, it is no command or separator
1335 * nor alphanumeric, so we call this an error. */
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1336 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1337 retval = in_group = 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1338 l++;
1339 break;
1340 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1341
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1342 if (rule == CIPHER_SPECIAL) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1343 break;
1344 }
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1345
1346 /* Look for a matching exact cipher. These aren't allowed in multipart
1347 * rules. */
1348 if (!multi && ch != '+') {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1349 for (j = 0; j < kCiphersLen; j++) {
1350 const SSL_CIPHER *cipher = &kCiphers[j];
1351 if (rule_equals(cipher->name, buf, buf_len)) {
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1352 cipher_id = cipher->id;
1353 break;
1354 }
1355 }
1356 }
1357 if (cipher_id == 0) {
1358 /* If not an exact cipher, look for a matching cipher alias. */
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1359 for (j = 0; j < kCipherAliasesLen; j++) {
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1360 if (rule_equals(kCipherAliases[j].name, buf, buf_len)) {
1361 alg_mkey &= kCipherAliases[j].algorithm_mkey;
1362 alg_auth &= kCipherAliases[j].algorithm_auth;
1363 alg_enc &= kCipherAliases[j].algorithm_enc;
1364 alg_mac &= kCipherAliases[j].algorithm_mac;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1365
1366 if (min_version != 0 &&
1367 min_version != kCipherAliases[j].min_version) {
1368 skip_rule = 1;
1369 } else {
1370 min_version = kCipherAliases[j].min_version;
1371 }
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1372 break;
1373 }
1374 }
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1375 if (j == kCipherAliasesLen) {
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1376 skip_rule = 1;
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1377 }
1378 }
1379
1380 /* Check for a multipart rule. */
1381 if (ch != '+') {
1382 break;
1383 }
1384 l++;
1385 multi = 1;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1386 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1387
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1388 /* If one of the CHACHA20_POLY1305 variants is selected, include the other
1389 * as well. They have the same name to avoid requiring changes in
1390 * configuration. Apply this transformation late so that the cipher name
1391 * still behaves as an exact name and not an alias in multipart rules.
1392 *
1393 * This is temporary and will be removed when the pre-standard construction
1394 * is removed. */
1395 if (cipher_id == TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD ||
1396 cipher_id == TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256) {
1397 cipher_id = 0;
1398 alg_mkey = SSL_kECDHE;
1399 alg_auth = SSL_aRSA;
1400 alg_enc = SSL_CHACHA20POLY1305|SSL_CHACHA20POLY1305_OLD;
1401 alg_mac = SSL_AEAD;
1402 } else if (cipher_id == TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD ||
1403 cipher_id == TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256) {
1404 cipher_id = 0;
1405 alg_mkey = SSL_kECDHE;
1406 alg_auth = SSL_aECDSA;
1407 alg_enc = SSL_CHACHA20POLY1305|SSL_CHACHA20POLY1305_OLD;
1408 alg_mac = SSL_AEAD;
1409 }
1410
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1411 /* Ok, we have the rule, now apply it. */
1412 if (rule == CIPHER_SPECIAL) {
1413 /* special command */
1414 ok = 0;
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1415 if (buf_len == 8 && !strncmp(buf, "STRENGTH", 8)) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1416 ok = ssl_cipher_strength_sort(head_p, tail_p);
1417 } else {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1418 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1419 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1420
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1421 if (ok == 0) {
1422 retval = 0;
1423 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1424
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1425 /* We do not support any "multi" options together with "@", so throw away
1426 * the rest of the command, if any left, until end or ':' is found. */
1427 while (*l != '\0' && !ITEM_SEP(*l)) {
1428 l++;
1429 }
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1430 } else if (!skip_rule) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1431 ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth, alg_enc, alg_mac,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1432 min_version, rule, -1, in_group, head_p, tail_p);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1433 }
1434 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1435
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1436 if (in_group) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1437 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1438 retval = 0;
1439 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1440
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1441 return retval;
1442}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1443
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1444STACK_OF(SSL_CIPHER) *
1445ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *ssl_method,
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1446 struct ssl_cipher_preference_list_st **out_cipher_list,
1447 STACK_OF(SSL_CIPHER) **out_cipher_list_by_id,
1448 const char *rule_str) {
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1449 int ok;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1450 STACK_OF(SSL_CIPHER) *cipherstack = NULL, *tmp_cipher_list = NULL;
1451 const char *rule_p;
1452 CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1453 uint8_t *in_group_flags = NULL;
1454 unsigned int num_in_group_flags = 0;
1455 struct ssl_cipher_preference_list_st *pref_list = NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1456
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1457 /* Return with error if nothing to do. */
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1458 if (rule_str == NULL || out_cipher_list == NULL) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1459 return NULL;
1460 }
David Benjamin5213df42014-08-20 14:19:54 -0400[diff] [blame]1461
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1462 /* Now we have to collect the available ciphers from the compiled in ciphers.
1463 * We cannot get more than the number compiled in, so it is used for
1464 * allocation. */
Brian Smith5ba06892016-02-07 09:36:04 -1000[diff] [blame]1465 co_list = OPENSSL_malloc(sizeof(CIPHER_ORDER) * kCiphersLen);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1466 if (co_list == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1467 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1468 return NULL;
1469 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1470
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1471 ssl_cipher_collect_ciphers(ssl_method, co_list, &head, &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1472
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1473 /* Now arrange all ciphers by preference:
1474 * TODO(davidben): Compute this order once and copy it. */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1475
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1476 /* Everything else being equal, prefer ECDHE_ECDSA then ECDHE_RSA over other
1477 * key exchange mechanisms */
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]1478
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1479 ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, ~0u, ~0u, 0, CIPHER_ADD, -1,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1480 0, &head, &tail);
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1481 ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0,
1482 &head, &tail);
1483 ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0,
1484 &head, &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1485
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1486 /* Order the bulk ciphers. First the preferred AEAD ciphers. We prefer
1487 * CHACHA20 unless there is hardware support for fast and constant-time
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1488 * AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the
1489 * old one. */
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1490 if (EVP_has_aes_hardware()) {
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1491 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1492 &head, &tail);
David Benjamin43336652016-03-03 15:32:29 -0500[diff] [blame]1493 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1494 &head, &tail);
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1495 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
1496 -1, 0, &head, &tail);
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1497 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305_OLD, ~0u, 0,
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1498 CIPHER_ADD, -1, 0, &head, &tail);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1499 } else {
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1500 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
1501 -1, 0, &head, &tail);
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1502 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305_OLD, ~0u, 0,
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1503 CIPHER_ADD, -1, 0, &head, &tail);
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1504 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1505 &head, &tail);
David Benjamin43336652016-03-03 15:32:29 -0500[diff] [blame]1506 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1507 &head, &tail);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1508 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1509
David Benjamin43336652016-03-03 15:32:29 -0500[diff] [blame]1510 /* Then the legacy non-AEAD ciphers: AES_128_CBC, AES_256_CBC,
1511 * 3DES_EDE_CBC_SHA, RC4_128_SHA, RC4_128_MD5. */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1512 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, 0, CIPHER_ADD, -1, 0,
1513 &head, &tail);
David Benjamin43336652016-03-03 15:32:29 -0500[diff] [blame]1514 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, 0, CIPHER_ADD, -1, 0,
1515 &head, &tail);
1516 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, 0, CIPHER_ADD, -1, 0, &head,
1517 &tail);
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1518 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_RC4, ~SSL_MD5, 0, CIPHER_ADD, -1, 0,
1519 &head, &tail);
1520 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_RC4, SSL_MD5, 0, CIPHER_ADD, -1, 0,
1521 &head, &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1522
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1523 /* Temporarily enable everything else for sorting */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1524 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0, &head,
1525 &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1526
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1527 /* Move ciphers without forward secrecy to the end. */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1528 ssl_cipher_apply_rule(0, ~(SSL_kDHE | SSL_kECDHE), ~0u, ~0u, ~0u, 0,
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1529 CIPHER_ORD, -1, 0, &head, &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1530
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1531 /* Now disable everything (maintaining the ordering!) */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1532 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head,
1533 &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1534
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1535 /* If the rule_string begins with DEFAULT, apply the default rule before
1536 * using the (possibly available) additional rules. */
1537 ok = 1;
1538 rule_p = rule_str;
1539 if (strncmp(rule_str, "DEFAULT", 7) == 0) {
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1540 ok = ssl_cipher_process_rulestr(ssl_method, SSL_DEFAULT_CIPHER_LIST, &head,
1541 &tail);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1542 rule_p += 7;
1543 if (*rule_p == ':') {
1544 rule_p++;
1545 }
1546 }
Adam Langley858a88d2014-06-20 12:00:00 -0700[diff] [blame]1547
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1548 if (ok && strlen(rule_p) > 0) {
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1549 ok = ssl_cipher_process_rulestr(ssl_method, rule_p, &head, &tail);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1550 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1551
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1552 if (!ok) {
1553 goto err;
1554 }
1555
1556 /* Allocate new "cipherstack" for the result, return with error
1557 * if we cannot get one. */
1558 cipherstack = sk_SSL_CIPHER_new_null();
1559 if (cipherstack == NULL) {
1560 goto err;
1561 }
1562
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1563 in_group_flags = OPENSSL_malloc(kCiphersLen);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1564 if (!in_group_flags) {
1565 goto err;
1566 }
1567
1568 /* The cipher selection for the list is done. The ciphers are added
1569 * to the resulting precedence to the STACK_OF(SSL_CIPHER). */
1570 for (curr = head; curr != NULL; curr = curr->next) {
1571 if (curr->active) {
David Benjamin2adb7ec2015-01-11 19:59:06 -0500[diff] [blame]1572 if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
1573 goto err;
1574 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1575 in_group_flags[num_in_group_flags++] = curr->in_group;
1576 }
1577 }
1578 OPENSSL_free(co_list); /* Not needed any longer */
1579 co_list = NULL;
1580
1581 tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack);
1582 if (tmp_cipher_list == NULL) {
1583 goto err;
1584 }
1585 pref_list = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
1586 if (!pref_list) {
1587 goto err;
1588 }
1589 pref_list->ciphers = cipherstack;
1590 pref_list->in_group_flags = OPENSSL_malloc(num_in_group_flags);
1591 if (!pref_list->in_group_flags) {
1592 goto err;
1593 }
1594 memcpy(pref_list->in_group_flags, in_group_flags, num_in_group_flags);
1595 OPENSSL_free(in_group_flags);
1596 in_group_flags = NULL;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1597 if (*out_cipher_list != NULL) {
1598 ssl_cipher_preference_list_free(*out_cipher_list);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1599 }
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1600 *out_cipher_list = pref_list;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1601 pref_list = NULL;
1602
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1603 if (out_cipher_list_by_id != NULL) {
David Benjamin2755a3e2015-04-22 16:17:58 -0400[diff] [blame]1604 sk_SSL_CIPHER_free(*out_cipher_list_by_id);
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1605 *out_cipher_list_by_id = tmp_cipher_list;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1606 tmp_cipher_list = NULL;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1607 (void) sk_SSL_CIPHER_set_cmp_func(*out_cipher_list_by_id,
1608 ssl_cipher_ptr_id_cmp);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1609
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1610 sk_SSL_CIPHER_sort(*out_cipher_list_by_id);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1611 } else {
1612 sk_SSL_CIPHER_free(tmp_cipher_list);
1613 tmp_cipher_list = NULL;
1614 }
1615
1616 return cipherstack;
Adam Langley858a88d2014-06-20 12:00:00 -0700[diff] [blame]1617
1618err:
David Benjamin2755a3e2015-04-22 16:17:58 -0400[diff] [blame]1619 OPENSSL_free(co_list);
1620 OPENSSL_free(in_group_flags);
1621 sk_SSL_CIPHER_free(cipherstack);
1622 sk_SSL_CIPHER_free(tmp_cipher_list);
1623 if (pref_list) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1624 OPENSSL_free(pref_list->in_group_flags);
1625 }
David Benjamin2755a3e2015-04-22 16:17:58 -0400[diff] [blame]1626 OPENSSL_free(pref_list);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1627 return NULL;
1628}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1629
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1630uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher) { return cipher->id; }
1631
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1632uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher) {
1633 uint32_t id = cipher->id;
1634 /* All ciphers are SSLv3. */
1635 assert((id & 0xff000000) == 0x03000000);
1636 return id & 0xffff;
1637}
1638
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1639int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher) {
1640 return (cipher->algorithm_enc & SSL_AES) != 0;
1641}
1642
1643int SSL_CIPHER_has_MD5_HMAC(const SSL_CIPHER *cipher) {
1644 return (cipher->algorithm_mac & SSL_MD5) != 0;
1645}
1646
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1647int SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER *cipher) {
1648 return (cipher->algorithm_mac & SSL_SHA1) != 0;
1649}
1650
David Benjamina211aee2016-02-24 17:18:44 -0500[diff] [blame]1651int SSL_CIPHER_has_SHA256_HMAC(const SSL_CIPHER *cipher) {
1652 return (cipher->algorithm_mac & SSL_SHA256) != 0;
1653}
1654
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1655int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher) {
David Benjaminc0125ef2015-09-09 09:11:07 -0400[diff] [blame]1656 return (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) != 0;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1657}
1658
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1659int SSL_CIPHER_is_AES128GCM(const SSL_CIPHER *cipher) {
1660 return (cipher->algorithm_enc & SSL_AES128GCM) != 0;
1661}
1662
Adam Langleyb00061c2015-11-16 17:44:52 -0800[diff] [blame]1663int SSL_CIPHER_is_AES128CBC(const SSL_CIPHER *cipher) {
1664 return (cipher->algorithm_enc & SSL_AES128) != 0;
1665}
1666
1667int SSL_CIPHER_is_AES256CBC(const SSL_CIPHER *cipher) {
1668 return (cipher->algorithm_enc & SSL_AES256) != 0;
1669}
1670
David Benjamin51a01a52015-10-29 13:19:56 -0400[diff] [blame]1671int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher) {
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1672 return (cipher->algorithm_enc &
1673 (SSL_CHACHA20POLY1305 | SSL_CHACHA20POLY1305_OLD)) != 0;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1674}
1675
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1676int SSL_CIPHER_is_NULL(const SSL_CIPHER *cipher) {
1677 return (cipher->algorithm_enc & SSL_eNULL) != 0;
1678}
1679
Adam Langleyd7fe75c2015-09-18 15:40:48 -0700[diff] [blame]1680int SSL_CIPHER_is_RC4(const SSL_CIPHER *cipher) {
1681 return (cipher->algorithm_enc & SSL_RC4) != 0;
1682}
1683
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1684int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher) {
1685 /* Neither stream cipher nor AEAD. */
1686 return (cipher->algorithm_enc & (SSL_RC4 | SSL_eNULL)) == 0 &&
1687 cipher->algorithm_mac != SSL_AEAD;
1688}
1689
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1690int SSL_CIPHER_is_ECDSA(const SSL_CIPHER *cipher) {
1691 return (cipher->algorithm_auth & SSL_aECDSA) != 0;
1692}
1693
David Benjamin0fc7df52016-06-02 18:36:33 -0400[diff] [blame]1694int SSL_CIPHER_is_DHE(const SSL_CIPHER *cipher) {
1695 return (cipher->algorithm_mkey & SSL_kDHE) != 0;
1696}
1697
David Benjamin4cc36ad2015-12-19 14:23:26 -0500[diff] [blame]1698int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher) {
1699 return (cipher->algorithm_mkey & SSL_kECDHE) != 0;
1700}
1701
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]1702int SSL_CIPHER_is_CECPQ1(const SSL_CIPHER *cipher) {
1703 return (cipher->algorithm_mkey & SSL_kCECPQ1) != 0;
1704}
1705
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1706uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) {
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1707 if (cipher->algorithm_prf != SSL_HANDSHAKE_MAC_DEFAULT) {
1708 /* Cipher suites before TLS 1.2 use the default PRF, while all those added
1709 * afterwards specify a particular hash. */
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1710 return TLS1_2_VERSION;
1711 }
1712 return SSL3_VERSION;
1713}
1714
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1715/* return the actual cipher being used */
1716const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) {
1717 if (cipher != NULL) {
1718 return cipher->name;
1719 }
1720
1721 return "(NONE)";
1722}
1723
1724const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) {
1725 if (cipher == NULL) {
1726 return "";
1727 }
1728
1729 switch (cipher->algorithm_mkey) {
1730 case SSL_kRSA:
1731 return "RSA";
1732
1733 case SSL_kDHE:
1734 switch (cipher->algorithm_auth) {
1735 case SSL_aRSA:
1736 return "DHE_RSA";
1737 default:
1738 assert(0);
1739 return "UNKNOWN";
1740 }
1741
1742 case SSL_kECDHE:
1743 switch (cipher->algorithm_auth) {
1744 case SSL_aECDSA:
1745 return "ECDHE_ECDSA";
1746 case SSL_aRSA:
1747 return "ECDHE_RSA";
1748 case SSL_aPSK:
1749 return "ECDHE_PSK";
1750 default:
1751 assert(0);
1752 return "UNKNOWN";
1753 }
1754
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]1755 case SSL_kCECPQ1:
1756 switch (cipher->algorithm_auth) {
1757 case SSL_aECDSA:
1758 return "CECPQ1_ECDSA";
1759 case SSL_aRSA:
1760 return "CECPQ1_RSA";
1761 default:
1762 assert(0);
1763 return "UNKNOWN";
1764 }
1765
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1766 case SSL_kPSK:
1767 assert(cipher->algorithm_auth == SSL_aPSK);
1768 return "PSK";
1769
1770 default:
1771 assert(0);
1772 return "UNKNOWN";
1773 }
1774}
1775
1776static const char *ssl_cipher_get_enc_name(const SSL_CIPHER *cipher) {
1777 switch (cipher->algorithm_enc) {
1778 case SSL_3DES:
1779 return "3DES_EDE_CBC";
1780 case SSL_RC4:
1781 return "RC4";
1782 case SSL_AES128:
1783 return "AES_128_CBC";
1784 case SSL_AES256:
1785 return "AES_256_CBC";
1786 case SSL_AES128GCM:
1787 return "AES_128_GCM";
1788 case SSL_AES256GCM:
1789 return "AES_256_GCM";
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1790 case SSL_CHACHA20POLY1305:
Brian Smith271777f2015-10-03 13:53:33 -1000[diff] [blame]1791 case SSL_CHACHA20POLY1305_OLD:
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1792 return "CHACHA20_POLY1305";
1793 break;
1794 default:
1795 assert(0);
1796 return "UNKNOWN";
1797 }
1798}
1799
1800static const char *ssl_cipher_get_prf_name(const SSL_CIPHER *cipher) {
David Benjaminb0883312015-08-06 09:54:13 -0400[diff] [blame]1801 switch (cipher->algorithm_prf) {
1802 case SSL_HANDSHAKE_MAC_DEFAULT:
1803 /* Before TLS 1.2, the PRF component is the hash used in the HMAC, which is
1804 * only ever MD5 or SHA-1. */
1805 switch (cipher->algorithm_mac) {
1806 case SSL_MD5:
1807 return "MD5";
1808 case SSL_SHA1:
1809 return "SHA";
1810 }
1811 break;
1812 case SSL_HANDSHAKE_MAC_SHA256:
1813 return "SHA256";
1814 case SSL_HANDSHAKE_MAC_SHA384:
1815 return "SHA384";
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1816 }
David Benjaminb0883312015-08-06 09:54:13 -0400[diff] [blame]1817 assert(0);
1818 return "UNKNOWN";
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1819}
1820
1821char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher) {
1822 if (cipher == NULL) {
1823 return NULL;
1824 }
1825
1826 const char *kx_name = SSL_CIPHER_get_kx_name(cipher);
1827 const char *enc_name = ssl_cipher_get_enc_name(cipher);
1828 const char *prf_name = ssl_cipher_get_prf_name(cipher);
1829
1830 /* The final name is TLS_{kx_name}_WITH_{enc_name}_{prf_name}. */
1831 size_t len = 4 + strlen(kx_name) + 6 + strlen(enc_name) + 1 +
1832 strlen(prf_name) + 1;
1833 char *ret = OPENSSL_malloc(len);
1834 if (ret == NULL) {
1835 return NULL;
1836 }
1837 if (BUF_strlcpy(ret, "TLS_", len) >= len ||
1838 BUF_strlcat(ret, kx_name, len) >= len ||
1839 BUF_strlcat(ret, "_WITH_", len) >= len ||
1840 BUF_strlcat(ret, enc_name, len) >= len ||
1841 BUF_strlcat(ret, "_", len) >= len ||
1842 BUF_strlcat(ret, prf_name, len) >= len) {
1843 assert(0);
1844 OPENSSL_free(ret);
1845 return NULL;
1846 }
1847 assert(strlen(ret) + 1 == len);
1848 return ret;
1849}
1850
1851int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *out_alg_bits) {
1852 if (cipher == NULL) {
1853 return 0;
1854 }
1855
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1856 int alg_bits, strength_bits;
1857 switch (cipher->algorithm_enc) {
1858 case SSL_AES128:
1859 case SSL_AES128GCM:
1860 case SSL_RC4:
1861 alg_bits = 128;
1862 strength_bits = 128;
1863 break;
1864
1865 case SSL_AES256:
1866 case SSL_AES256GCM:
1867#if !defined(BORINGSSL_ANDROID_SYSTEM)
1868 case SSL_CHACHA20POLY1305_OLD:
1869#endif
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1870 case SSL_CHACHA20POLY1305:
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1871 alg_bits = 256;
1872 strength_bits = 256;
1873 break;
1874
1875 case SSL_3DES:
1876 alg_bits = 168;
1877 strength_bits = 112;
1878 break;
1879
1880 case SSL_eNULL:
1881 alg_bits = 0;
1882 strength_bits = 0;
1883 break;
1884
1885 default:
1886 assert(0);
1887 alg_bits = 0;
1888 strength_bits = 0;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1889 }
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1890
1891 if (out_alg_bits != NULL) {
1892 *out_alg_bits = alg_bits;
1893 }
1894 return strength_bits;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1895}
1896
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1897const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,
1898 int len) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1899 const char *kx, *au, *enc, *mac;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1900 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1901
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1902 alg_mkey = cipher->algorithm_mkey;
1903 alg_auth = cipher->algorithm_auth;
1904 alg_enc = cipher->algorithm_enc;
1905 alg_mac = cipher->algorithm_mac;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1906
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1907 switch (alg_mkey) {
1908 case SSL_kRSA:
1909 kx = "RSA";
1910 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1911
David Benjamin7061e282015-03-19 11:10:48 -0400[diff] [blame]1912 case SSL_kDHE:
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1913 kx = "DH";
1914 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1915
David Benjamin7061e282015-03-19 11:10:48 -0400[diff] [blame]1916 case SSL_kECDHE:
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1917 kx = "ECDH";
1918 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1919
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]1920 case SSL_kCECPQ1:
1921 kx = "CECPQ1";
1922 break;
1923
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1924 case SSL_kPSK:
1925 kx = "PSK";
1926 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1927
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1928 default:
1929 kx = "unknown";
1930 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1931
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1932 switch (alg_auth) {
1933 case SSL_aRSA:
1934 au = "RSA";
1935 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1936
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1937 case SSL_aECDSA:
1938 au = "ECDSA";
1939 break;
Adam Langley4d4bff82014-06-20 12:00:00 -0700[diff] [blame]1940
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1941 case SSL_aPSK:
1942 au = "PSK";
1943 break;
Adam Langley4d4bff82014-06-20 12:00:00 -0700[diff] [blame]1944
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1945 default:
1946 au = "unknown";
1947 break;
1948 }
Adam Langleyde0b2022014-06-20 12:00:00 -0700[diff] [blame]1949
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1950 switch (alg_enc) {
1951 case SSL_3DES:
1952 enc = "3DES(168)";
1953 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1954
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1955 case SSL_RC4:
1956 enc = "RC4(128)";
1957 break;
1958
1959 case SSL_AES128:
1960 enc = "AES(128)";
1961 break;
1962
1963 case SSL_AES256:
1964 enc = "AES(256)";
1965 break;
1966
1967 case SSL_AES128GCM:
1968 enc = "AESGCM(128)";
1969 break;
1970
1971 case SSL_AES256GCM:
1972 enc = "AESGCM(256)";
1973 break;
1974
Brian Smith271777f2015-10-03 13:53:33 -1000[diff] [blame]1975 case SSL_CHACHA20POLY1305_OLD:
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1976 enc = "ChaCha20-Poly1305-Old";
1977 break;
1978
1979 case SSL_CHACHA20POLY1305:
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1980 enc = "ChaCha20-Poly1305";
1981 break;
1982
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1983 case SSL_eNULL:
1984 enc="None";
1985 break;
1986
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1987 default:
1988 enc = "unknown";
1989 break;
1990 }
1991
1992 switch (alg_mac) {
1993 case SSL_MD5:
1994 mac = "MD5";
1995 break;
1996
1997 case SSL_SHA1:
1998 mac = "SHA1";
1999 break;
2000
2001 case SSL_SHA256:
2002 mac = "SHA256";
2003 break;
2004
2005 case SSL_SHA384:
2006 mac = "SHA384";
2007 break;
2008
2009 case SSL_AEAD:
2010 mac = "AEAD";
2011 break;
2012
2013 default:
2014 mac = "unknown";
2015 break;
2016 }
2017
2018 if (buf == NULL) {
2019 len = 128;
2020 buf = OPENSSL_malloc(len);
David Benjamin1eed2c02015-02-08 23:20:06 -0500[diff] [blame]2021 if (buf == NULL) {
2022 return NULL;
2023 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]2024 } else if (len < 128) {
2025 return "Buffer too small";
2026 }
2027
Brian Smith0687bdf2016-01-17 09:18:26 -1000[diff] [blame]2028 BIO_snprintf(buf, len, "%-23s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n",
2029 cipher->name, kx, au, enc, mac);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]2030 return buf;
2031}
2032
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]2033const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher) {
2034 return "TLSv1/SSLv3";
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]2035}
2036
Matt Braithwaite6a1275b2015-06-26 12:09:10 -0700[diff] [blame]2037COMP_METHOD *SSL_COMP_get_compression_methods(void) { return NULL; }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]2038
Matt Braithwaite6a1275b2015-06-26 12:09:10 -0700[diff] [blame]2039int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) { return 1; }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]2040
Matt Braithwaite6a1275b2015-06-26 12:09:10 -0700[diff] [blame]2041const char *SSL_COMP_get_name(const COMP_METHOD *comp) { return NULL; }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2042
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]2043int ssl_cipher_get_key_type(const SSL_CIPHER *cipher) {
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]2044 uint32_t alg_a = cipher->algorithm_auth;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2045
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]2046 if (alg_a & SSL_aECDSA) {
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]2047 return EVP_PKEY_EC;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]2048 } else if (alg_a & SSL_aRSA) {
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]2049 return EVP_PKEY_RSA;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]2050 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2051
David Benjamind1d80782015-07-05 11:54:09 -0400[diff] [blame]2052 return EVP_PKEY_NONE;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]2053}
David Benjamin9c651c92014-07-12 13:27:45 -0400[diff] [blame]2054
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]2055int ssl_cipher_uses_certificate_auth(const SSL_CIPHER *cipher) {
2056 return (cipher->algorithm_auth & SSL_aCERT) != 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]2057}
2058
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]2059int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) {
2060 /* Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. */
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]2061 if (cipher->algorithm_mkey & SSL_kDHE ||
2062 cipher->algorithm_mkey & SSL_kECDHE ||
2063 cipher->algorithm_mkey & SSL_kCECPQ1) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]2064 return 1;
2065 }
2066
2067 /* It is optional in all others. */
2068 return 0;
2069}
David Benjaminb8d28cf2015-07-28 21:34:45 -0400[diff] [blame]2070
2071size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher) {
2072 size_t block_size;
2073 switch (cipher->algorithm_enc) {
2074 case SSL_3DES:
2075 block_size = 8;
2076 break;
2077 case SSL_AES128:
2078 case SSL_AES256:
2079 block_size = 16;
2080 break;
2081 default:
2082 return 0;
2083 }
2084
2085 size_t mac_len;
2086 switch (cipher->algorithm_mac) {
2087 case SSL_MD5:
2088 mac_len = MD5_DIGEST_LENGTH;
2089 break;
2090 case SSL_SHA1:
2091 mac_len = SHA_DIGEST_LENGTH;
2092 break;
2093 default:
2094 return 0;
2095 }
2096
2097 size_t ret = 1 + mac_len;
2098 ret += block_size - (ret % block_size);
2099 return ret;
2100}