Google Git
Sign in
boringssl / boringssl.git / e64d2c74fad1c42f396895832ecd1e87641887ce / . / ssl / ssl_cipher.cc
blob: c0f4122a9cb54830d013ae0e3a31efe7c0027e36 [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57/* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110/* ====================================================================
111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112 * ECC cipher suite support in OpenSSL originally developed by
113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
114 */
115/* ====================================================================
116 * Copyright 2005 Nokia. All rights reserved.
117 *
118 * The portions of the attached software ("Contribution") is developed by
119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
120 * license.
121 *
122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
124 * support (see RFC 4279) to OpenSSL.
125 *
126 * No patent licenses or other rights except those expressly stated in
127 * the OpenSSL open source license shall be deemed granted or received
128 * expressly, by implication, estoppel, or otherwise.
129 *
130 * No assurances are provided by Nokia that the Contribution does not
131 * infringe the patent or other intellectual property rights of any third
132 * party or that the license provides you with all the necessary rights
133 * to make use of the Contribution.
134 *
135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
139 * OTHERWISE. */
140
David Benjamin9e4e01e2015-09-15 01:48:04 -0400[diff] [blame]141#include <openssl/ssl.h>
142
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]143#include <assert.h>
David Benjaminf0ae1702015-04-07 23:05:04 -0400[diff] [blame]144#include <string.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]145
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]146#include <openssl/buf.h>
David Benjaminf0ae1702015-04-07 23:05:04 -0400[diff] [blame]147#include <openssl/err.h>
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]148#include <openssl/md5.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]149#include <openssl/mem.h>
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]150#include <openssl/sha.h>
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]151#include <openssl/stack.h>
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]152
David Benjamin2ee94aa2015-04-07 22:38:30 -0400[diff] [blame]153#include "internal.h"
Steven Valdezcb966542016-08-17 16:56:14 -0400[diff] [blame]154#include "../crypto/internal.h"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]155
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]156
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]157/* kCiphers is an array of all supported ciphers, sorted by id. */
David Benjamin20c37312015-11-11 21:33:18 -0800[diff] [blame]158static const SSL_CIPHER kCiphers[] = {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]159 /* The RSA ciphers */
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]160 /* Cipher 02 */
161 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]162 SSL3_TXT_RSA_NULL_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]163 "TLS_RSA_WITH_NULL_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]164 SSL3_CK_RSA_NULL_SHA,
165 SSL_kRSA,
166 SSL_aRSA,
167 SSL_eNULL,
168 SSL_SHA1,
169 SSL_HANDSHAKE_MAC_DEFAULT,
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]170 },
171
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]172 /* Cipher 0A */
173 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]174 SSL3_TXT_RSA_DES_192_CBC3_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]175 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]176 SSL3_CK_RSA_DES_192_CBC3_SHA,
177 SSL_kRSA,
178 SSL_aRSA,
179 SSL_3DES,
180 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]181 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]182 },
183
184
185 /* New AES ciphersuites */
186
187 /* Cipher 2F */
188 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]189 TLS1_TXT_RSA_WITH_AES_128_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]190 "TLS_RSA_WITH_AES_128_CBC_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]191 TLS1_CK_RSA_WITH_AES_128_SHA,
192 SSL_kRSA,
193 SSL_aRSA,
194 SSL_AES128,
195 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]196 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]197 },
198
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]199 /* Cipher 35 */
200 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]201 TLS1_TXT_RSA_WITH_AES_256_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]202 "TLS_RSA_WITH_AES_256_CBC_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]203 TLS1_CK_RSA_WITH_AES_256_SHA,
204 SSL_kRSA,
205 SSL_aRSA,
206 SSL_AES256,
207 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]208 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]209 },
210
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]211
212 /* TLS v1.2 ciphersuites */
213
214 /* Cipher 3C */
215 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]216 TLS1_TXT_RSA_WITH_AES_128_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]217 "TLS_RSA_WITH_AES_128_CBC_SHA256",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]218 TLS1_CK_RSA_WITH_AES_128_SHA256,
219 SSL_kRSA,
220 SSL_aRSA,
221 SSL_AES128,
222 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]223 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]224 },
225
226 /* Cipher 3D */
227 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]228 TLS1_TXT_RSA_WITH_AES_256_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]229 "TLS_RSA_WITH_AES_256_CBC_SHA256",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]230 TLS1_CK_RSA_WITH_AES_256_SHA256,
231 SSL_kRSA,
232 SSL_aRSA,
233 SSL_AES256,
234 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]235 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]236 },
237
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]238 /* PSK cipher suites. */
239
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]240 /* Cipher 8C */
241 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]242 TLS1_TXT_PSK_WITH_AES_128_CBC_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]243 "TLS_PSK_WITH_AES_128_CBC_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]244 TLS1_CK_PSK_WITH_AES_128_CBC_SHA,
245 SSL_kPSK,
246 SSL_aPSK,
247 SSL_AES128,
248 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]249 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]250 },
251
252 /* Cipher 8D */
253 {
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]254 TLS1_TXT_PSK_WITH_AES_256_CBC_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]255 "TLS_PSK_WITH_AES_256_CBC_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]256 TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
257 SSL_kPSK,
258 SSL_aPSK,
259 SSL_AES256,
260 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]261 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]262 },
263
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]264 /* GCM ciphersuites from RFC5288 */
265
266 /* Cipher 9C */
267 {
268 TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]269 "TLS_RSA_WITH_AES_128_GCM_SHA256",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]270 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
271 SSL_kRSA,
272 SSL_aRSA,
273 SSL_AES128GCM,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]274 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]275 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]276 },
277
278 /* Cipher 9D */
279 {
280 TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]281 "TLS_RSA_WITH_AES_256_GCM_SHA384",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]282 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
283 SSL_kRSA,
284 SSL_aRSA,
285 SSL_AES256GCM,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]286 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]287 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]288 },
289
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]290 /* TLS 1.3 suites. */
291
292 /* Cipher 1301 */
293 {
294 TLS1_TXT_AES_128_GCM_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]295 "TLS_AES_128_GCM_SHA256",
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]296 TLS1_CK_AES_128_GCM_SHA256,
297 SSL_kGENERIC,
298 SSL_aGENERIC,
299 SSL_AES128GCM,
300 SSL_AEAD,
301 SSL_HANDSHAKE_MAC_SHA256,
302 },
303
304 /* Cipher 1302 */
305 {
306 TLS1_TXT_AES_256_GCM_SHA384,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]307 "TLS_AES_256_GCM_SHA384",
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]308 TLS1_CK_AES_256_GCM_SHA384,
309 SSL_kGENERIC,
310 SSL_aGENERIC,
311 SSL_AES256GCM,
312 SSL_AEAD,
313 SSL_HANDSHAKE_MAC_SHA384,
314 },
315
316 /* Cipher 1303 */
317 {
318 TLS1_TXT_CHACHA20_POLY1305_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]319 "TLS_CHACHA20_POLY1305_SHA256",
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]320 TLS1_CK_CHACHA20_POLY1305_SHA256,
321 SSL_kGENERIC,
322 SSL_aGENERIC,
323 SSL_CHACHA20POLY1305,
324 SSL_AEAD,
325 SSL_HANDSHAKE_MAC_SHA256,
326 },
327
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]328 /* Cipher C009 */
329 {
330 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]331 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]332 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
333 SSL_kECDHE,
334 SSL_aECDSA,
335 SSL_AES128,
336 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]337 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]338 },
339
340 /* Cipher C00A */
341 {
342 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]343 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]344 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
345 SSL_kECDHE,
346 SSL_aECDSA,
347 SSL_AES256,
348 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]349 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]350 },
351
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]352 /* Cipher C013 */
353 {
354 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]355 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]356 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
357 SSL_kECDHE,
358 SSL_aRSA,
359 SSL_AES128,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]360 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]361 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]362 },
363
364 /* Cipher C014 */
365 {
366 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]367 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]368 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
369 SSL_kECDHE,
370 SSL_aRSA,
371 SSL_AES256,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]372 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]373 SSL_HANDSHAKE_MAC_DEFAULT,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]374 },
375
376
377 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
378
379 /* Cipher C023 */
380 {
381 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]382 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]383 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
384 SSL_kECDHE,
385 SSL_aECDSA,
386 SSL_AES128,
387 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]388 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]389 },
390
391 /* Cipher C024 */
392 {
393 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]394 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]395 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
396 SSL_kECDHE,
397 SSL_aECDSA,
398 SSL_AES256,
399 SSL_SHA384,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]400 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]401 },
402
403 /* Cipher C027 */
404 {
405 TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]406 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]407 TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
408 SSL_kECDHE,
409 SSL_aRSA,
410 SSL_AES128,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]411 SSL_SHA256,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]412 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]413 },
414
415 /* Cipher C028 */
416 {
417 TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]418 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]419 TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
420 SSL_kECDHE,
421 SSL_aRSA,
422 SSL_AES256,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]423 SSL_SHA384,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]424 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]425 },
426
427
428 /* GCM based TLS v1.2 ciphersuites from RFC5289 */
429
430 /* Cipher C02B */
431 {
432 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]433 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]434 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
435 SSL_kECDHE,
436 SSL_aECDSA,
437 SSL_AES128GCM,
438 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]439 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]440 },
441
442 /* Cipher C02C */
443 {
444 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]445 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]446 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
447 SSL_kECDHE,
448 SSL_aECDSA,
449 SSL_AES256GCM,
450 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]451 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]452 },
453
454 /* Cipher C02F */
455 {
456 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]457 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]458 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
459 SSL_kECDHE,
460 SSL_aRSA,
461 SSL_AES128GCM,
462 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]463 SSL_HANDSHAKE_MAC_SHA256,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]464 },
465
466 /* Cipher C030 */
467 {
468 TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]469 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]470 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
471 SSL_kECDHE,
472 SSL_aRSA,
473 SSL_AES256GCM,
474 SSL_AEAD,
David Benjaminb2a985b2015-06-21 15:13:57 -0400[diff] [blame]475 SSL_HANDSHAKE_MAC_SHA384,
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]476 },
477
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]478 /* ECDHE-PSK cipher suites. */
479
480 /* Cipher C035 */
481 {
482 TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]483 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]484 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]485 SSL_kECDHE,
486 SSL_aPSK,
487 SSL_AES128,
488 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]489 SSL_HANDSHAKE_MAC_DEFAULT,
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]490 },
491
492 /* Cipher C036 */
493 {
494 TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]495 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]496 TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA,
David Benjaminff2df332015-11-18 10:01:16 -0500[diff] [blame]497 SSL_kECDHE,
498 SSL_aPSK,
499 SSL_AES256,
500 SSL_SHA1,
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]501 SSL_HANDSHAKE_MAC_DEFAULT,
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]502 },
503
504 /* ChaCha20-Poly1305 cipher suites. */
505
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]506 /* Cipher CCA8 */
507 {
508 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]509 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]510 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
511 SSL_kECDHE,
512 SSL_aRSA,
513 SSL_CHACHA20POLY1305,
514 SSL_AEAD,
515 SSL_HANDSHAKE_MAC_SHA256,
516 },
517
518 /* Cipher CCA9 */
519 {
520 TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]521 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]522 TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
523 SSL_kECDHE,
524 SSL_aECDSA,
525 SSL_CHACHA20POLY1305,
526 SSL_AEAD,
527 SSL_HANDSHAKE_MAC_SHA256,
528 },
529
530 /* Cipher CCAB */
531 {
532 TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]533 "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]534 TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
535 SSL_kECDHE,
536 SSL_aPSK,
537 SSL_CHACHA20POLY1305,
538 SSL_AEAD,
539 SSL_HANDSHAKE_MAC_SHA256,
540 },
Matt Braithwaite053931e2016-05-25 12:06:05 -0700[diff] [blame]541
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]542};
543
Steven Valdezcb966542016-08-17 16:56:14 -0400[diff] [blame]544static const size_t kCiphersLen = OPENSSL_ARRAY_SIZE(kCiphers);
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]545
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]546#define CIPHER_ADD 1
547#define CIPHER_KILL 2
548#define CIPHER_DEL 3
549#define CIPHER_ORD 4
550#define CIPHER_SPECIAL 5
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]551
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]552typedef struct cipher_order_st {
553 const SSL_CIPHER *cipher;
554 int active;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]555 int in_group;
556 struct cipher_order_st *next, *prev;
557} CIPHER_ORDER;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]558
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]559typedef struct cipher_alias_st {
560 /* name is the name of the cipher alias. */
561 const char *name;
562
563 /* The following fields are bitmasks for the corresponding fields on
564 * |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the
565 * bit corresponding to the cipher's value is set to 1. If any bitmask is
566 * all zeroes, the alias matches nothing. Use |~0u| for the default value. */
567 uint32_t algorithm_mkey;
568 uint32_t algorithm_auth;
569 uint32_t algorithm_enc;
570 uint32_t algorithm_mac;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]571
572 /* min_version, if non-zero, matches all ciphers which were added in that
573 * particular protocol version. */
574 uint16_t min_version;
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]575} CIPHER_ALIAS;
576
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]577static const CIPHER_ALIAS kCipherAliases[] = {
Matthew Braithwaite651aaef2016-12-08 16:14:36 -0800[diff] [blame]578 /* "ALL" doesn't include eNULL. It must be explicitly enabled. */
579 {"ALL", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]580
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]581 /* The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]582
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]583 /* key exchange aliases
584 * (some of those using only a single bit here combine
Matthew Braithwaite7e06de52017-04-10 15:52:14 -0700[diff] [blame]585 * multiple key exchange algs according to the RFCs. */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]586 {"kRSA", SSL_kRSA, ~0u, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]587
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]588 {"kECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
589 {"kEECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
590 {"ECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]591
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]592 {"kPSK", SSL_kPSK, ~0u, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]593
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]594 /* server authentication aliases */
Matthew Braithwaite651aaef2016-12-08 16:14:36 -0800[diff] [blame]595 {"aRSA", ~0u, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
596 {"aECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
597 {"ECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]598 {"aPSK", ~0u, SSL_aPSK, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]599
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]600 /* aliases combining key exchange and server authentication */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]601 {"ECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
602 {"EECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
603 {"RSA", SSL_kRSA, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
604 {"PSK", SSL_kPSK, SSL_aPSK, ~0u, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]605
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]606 /* symmetric encryption aliases */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]607 {"3DES", ~0u, ~0u, SSL_3DES, ~0u, 0},
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]608 {"AES128", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0},
Matthew Braithwaite651aaef2016-12-08 16:14:36 -0800[diff] [blame]609 {"AES256", ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0},
610 {"AES", ~0u, ~0u, SSL_AES, ~0u, 0},
611 {"AESGCM", ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0},
Adam Langley2e839242017-01-19 15:12:44 -0800[diff] [blame]612 {"CHACHA20", ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]613
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]614 /* MAC aliases */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]615 {"SHA1", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
616 {"SHA", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
Matthew Braithwaite651aaef2016-12-08 16:14:36 -0800[diff] [blame]617 {"SHA256", ~0u, ~0u, ~0u, SSL_SHA256, 0},
618 {"SHA384", ~0u, ~0u, ~0u, SSL_SHA384, 0},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]619
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]620 /* Legacy protocol minimum version aliases. "TLSv1" is intentionally the
621 * same as "SSLv3". */
Matthew Braithwaite651aaef2016-12-08 16:14:36 -0800[diff] [blame]622 {"SSLv3", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
623 {"TLSv1", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
624 {"TLSv1.2", ~0u, ~0u, ~SSL_eNULL, ~0u, TLS1_2_VERSION},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]625
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]626 /* Legacy strength classes. */
Matthew Braithwaite651aaef2016-12-08 16:14:36 -0800[diff] [blame]627 {"HIGH", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
628 {"FIPS", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]629};
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]630
Steven Valdezcb966542016-08-17 16:56:14 -0400[diff] [blame]631static const size_t kCipherAliasesLen = OPENSSL_ARRAY_SIZE(kCipherAliases);
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]632
633static int ssl_cipher_id_cmp(const void *in_a, const void *in_b) {
David Benjamine64d2c72017-07-12 16:31:08 -0400[diff] [blame^]634 const SSL_CIPHER *a = reinterpret_cast<const SSL_CIPHER *>(in_a);
635 const SSL_CIPHER *b = reinterpret_cast<const SSL_CIPHER *>(in_b);
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]636
637 if (a->id > b->id) {
638 return 1;
639 } else if (a->id < b->id) {
640 return -1;
641 } else {
642 return 0;
643 }
644}
645
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]646const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value) {
647 SSL_CIPHER c;
648
649 c.id = 0x03000000L | value;
David Benjamine64d2c72017-07-12 16:31:08 -0400[diff] [blame^]650 return reinterpret_cast<const SSL_CIPHER *>(bsearch(
651 &c, kCiphers, kCiphersLen, sizeof(SSL_CIPHER), ssl_cipher_id_cmp));
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]652}
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]653
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]654int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
655 size_t *out_mac_secret_len,
656 size_t *out_fixed_iv_len,
Steven Valdez2f3404b2017-05-24 16:54:35 -0400[diff] [blame]657 const SSL_CIPHER *cipher, uint16_t version, int is_dtls) {
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]658 *out_aead = NULL;
659 *out_mac_secret_len = 0;
660 *out_fixed_iv_len = 0;
Adam Langleyc9fb3752014-06-20 12:00:00 -0700[diff] [blame]661
Steven Valdez2f3404b2017-05-24 16:54:35 -0400[diff] [blame]662 const int is_tls12 = version == TLS1_2_VERSION && !is_dtls;
663
David Benjamin305e6fb2016-10-27 18:19:00 -0400[diff] [blame]664 if (cipher->algorithm_mac == SSL_AEAD) {
665 if (cipher->algorithm_enc == SSL_AES128GCM) {
Steven Valdez2f3404b2017-05-24 16:54:35 -0400[diff] [blame]666 *out_aead =
667 is_tls12 ? EVP_aead_aes_128_gcm_tls12() : EVP_aead_aes_128_gcm();
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]668 *out_fixed_iv_len = 4;
David Benjamin305e6fb2016-10-27 18:19:00 -0400[diff] [blame]669 } else if (cipher->algorithm_enc == SSL_AES256GCM) {
Steven Valdez2f3404b2017-05-24 16:54:35 -0400[diff] [blame]670 *out_aead =
671 is_tls12 ? EVP_aead_aes_256_gcm_tls12() : EVP_aead_aes_256_gcm();
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]672 *out_fixed_iv_len = 4;
David Benjamin305e6fb2016-10-27 18:19:00 -0400[diff] [blame]673 } else if (cipher->algorithm_enc == SSL_CHACHA20POLY1305) {
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]674 *out_aead = EVP_aead_chacha20_poly1305();
675 *out_fixed_iv_len = 12;
David Benjamin305e6fb2016-10-27 18:19:00 -0400[diff] [blame]676 } else {
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]677 return 0;
David Benjamin305e6fb2016-10-27 18:19:00 -0400[diff] [blame]678 }
679
680 /* In TLS 1.3, the iv_len is equal to the AEAD nonce length whereas the code
681 * above computes the TLS 1.2 construction. */
682 if (version >= TLS1_3_VERSION) {
683 *out_fixed_iv_len = EVP_AEAD_nonce_length(*out_aead);
684 }
685 } else if (cipher->algorithm_mac == SSL_SHA1) {
686 if (cipher->algorithm_enc == SSL_eNULL) {
687 if (version == SSL3_VERSION) {
688 *out_aead = EVP_aead_null_sha1_ssl3();
689 } else {
690 *out_aead = EVP_aead_null_sha1_tls();
691 }
692 } else if (cipher->algorithm_enc == SSL_3DES) {
693 if (version == SSL3_VERSION) {
694 *out_aead = EVP_aead_des_ede3_cbc_sha1_ssl3();
695 *out_fixed_iv_len = 8;
696 } else if (version == TLS1_VERSION) {
697 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv();
698 *out_fixed_iv_len = 8;
699 } else {
700 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls();
701 }
702 } else if (cipher->algorithm_enc == SSL_AES128) {
703 if (version == SSL3_VERSION) {
704 *out_aead = EVP_aead_aes_128_cbc_sha1_ssl3();
705 *out_fixed_iv_len = 16;
706 } else if (version == TLS1_VERSION) {
707 *out_aead = EVP_aead_aes_128_cbc_sha1_tls_implicit_iv();
708 *out_fixed_iv_len = 16;
709 } else {
710 *out_aead = EVP_aead_aes_128_cbc_sha1_tls();
711 }
712 } else if (cipher->algorithm_enc == SSL_AES256) {
713 if (version == SSL3_VERSION) {
714 *out_aead = EVP_aead_aes_256_cbc_sha1_ssl3();
715 *out_fixed_iv_len = 16;
716 } else if (version == TLS1_VERSION) {
717 *out_aead = EVP_aead_aes_256_cbc_sha1_tls_implicit_iv();
718 *out_fixed_iv_len = 16;
719 } else {
720 *out_aead = EVP_aead_aes_256_cbc_sha1_tls();
721 }
722 } else {
723 return 0;
724 }
725
726 *out_mac_secret_len = SHA_DIGEST_LENGTH;
727 } else if (cipher->algorithm_mac == SSL_SHA256) {
728 if (cipher->algorithm_enc == SSL_AES128) {
729 *out_aead = EVP_aead_aes_128_cbc_sha256_tls();
730 } else if (cipher->algorithm_enc == SSL_AES256) {
731 *out_aead = EVP_aead_aes_256_cbc_sha256_tls();
732 } else {
733 return 0;
734 }
735
736 *out_mac_secret_len = SHA256_DIGEST_LENGTH;
737 } else if (cipher->algorithm_mac == SSL_SHA384) {
738 if (cipher->algorithm_enc != SSL_AES256) {
739 return 0;
740 }
741
742 *out_aead = EVP_aead_aes_256_cbc_sha384_tls();
743 *out_mac_secret_len = SHA384_DIGEST_LENGTH;
744 } else {
745 return 0;
David Benjaminea72bd02014-12-21 21:27:41 -0500[diff] [blame]746 }
Steven Valdez79750562016-06-16 06:38:04 -0400[diff] [blame]747
Steven Valdez79750562016-06-16 06:38:04 -0400[diff] [blame]748 return 1;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]749}
Adam Langleyc9fb3752014-06-20 12:00:00 -0700[diff] [blame]750
Steven Valdez908ac192017-01-12 13:17:07 -0500[diff] [blame]751const EVP_MD *ssl_get_handshake_digest(uint32_t algorithm_prf,
752 uint16_t version) {
David Benjaminb0883312015-08-06 09:54:13 -0400[diff] [blame]753 switch (algorithm_prf) {
754 case SSL_HANDSHAKE_MAC_DEFAULT:
Steven Valdez908ac192017-01-12 13:17:07 -0500[diff] [blame]755 return version >= TLS1_2_VERSION ? EVP_sha256() : EVP_md5_sha1();
David Benjaminb0883312015-08-06 09:54:13 -0400[diff] [blame]756 case SSL_HANDSHAKE_MAC_SHA256:
757 return EVP_sha256();
758 case SSL_HANDSHAKE_MAC_SHA384:
759 return EVP_sha384();
760 default:
761 return NULL;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]762 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]763}
764
765#define ITEM_SEP(a) \
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]766 (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]767
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]768/* rule_equals returns one iff the NUL-terminated string |rule| is equal to the
769 * |buf_len| bytes at |buf|. */
770static int rule_equals(const char *rule, const char *buf, size_t buf_len) {
771 /* |strncmp| alone only checks that |buf| is a prefix of |rule|. */
772 return strncmp(rule, buf, buf_len) == 0 && rule[buf_len] == '\0';
773}
774
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]775static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]776 CIPHER_ORDER **tail) {
777 if (curr == *tail) {
778 return;
779 }
780 if (curr == *head) {
781 *head = curr->next;
782 }
783 if (curr->prev != NULL) {
784 curr->prev->next = curr->next;
785 }
786 if (curr->next != NULL) {
787 curr->next->prev = curr->prev;
788 }
789 (*tail)->next = curr;
790 curr->prev = *tail;
791 curr->next = NULL;
792 *tail = curr;
793}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]794
795static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]796 CIPHER_ORDER **tail) {
797 if (curr == *head) {
798 return;
799 }
800 if (curr == *tail) {
801 *tail = curr->prev;
802 }
803 if (curr->next != NULL) {
804 curr->next->prev = curr->prev;
805 }
806 if (curr->prev != NULL) {
807 curr->prev->next = curr->next;
808 }
809 (*head)->prev = curr;
810 curr->next = *head;
811 curr->prev = NULL;
812 *head = curr;
813}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]814
David Benjamin82c9e902014-12-12 15:55:27 -0500[diff] [blame]815static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]816 CIPHER_ORDER *co_list,
817 CIPHER_ORDER **head_p,
818 CIPHER_ORDER **tail_p) {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]819 /* The set of ciphers is static, but some subset may be unsupported by
820 * |ssl_method|, so the list may be smaller. */
821 size_t co_list_num = 0;
David Benjamin54091232016-09-05 12:47:25 -0400[diff] [blame]822 for (size_t i = 0; i < kCiphersLen; i++) {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]823 const SSL_CIPHER *cipher = &kCiphers[i];
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]824 if (ssl_method->supports_cipher(cipher) &&
825 /* TLS 1.3 ciphers do not participate in this mechanism. */
826 cipher->algorithm_mkey != SSL_kGENERIC) {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]827 co_list[co_list_num].cipher = cipher;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]828 co_list[co_list_num].next = NULL;
829 co_list[co_list_num].prev = NULL;
830 co_list[co_list_num].active = 0;
831 co_list[co_list_num].in_group = 0;
832 co_list_num++;
833 }
834 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]835
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]836 /* Prepare linked list from list entries. */
837 if (co_list_num > 0) {
838 co_list[0].prev = NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]839
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]840 if (co_list_num > 1) {
841 co_list[0].next = &co_list[1];
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]842
David Benjamin54091232016-09-05 12:47:25 -0400[diff] [blame]843 for (size_t i = 1; i < co_list_num - 1; i++) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]844 co_list[i].prev = &co_list[i - 1];
845 co_list[i].next = &co_list[i + 1];
846 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]847
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]848 co_list[co_list_num - 1].prev = &co_list[co_list_num - 2];
849 }
850
851 co_list[co_list_num - 1].next = NULL;
852
853 *head_p = &co_list[0];
854 *tail_p = &co_list[co_list_num - 1];
855 }
856}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]857
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]858/* ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its
859 * parameters in the linked list from |*head_p| to |*tail_p|. It writes the new
860 * head and tail of the list to |*head_p| and |*tail_p|, respectively.
861 *
862 * - If |cipher_id| is non-zero, only that cipher is selected.
863 * - Otherwise, if |strength_bits| is non-negative, it selects ciphers
864 * of that strength.
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]865 * - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]866 * |min_version|. */
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]867static void ssl_cipher_apply_rule(
David Benjamin107db582015-04-08 00:41:59 -0400[diff] [blame]868 uint32_t cipher_id, uint32_t alg_mkey, uint32_t alg_auth,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]869 uint32_t alg_enc, uint32_t alg_mac, uint16_t min_version, int rule,
870 int strength_bits, int in_group, CIPHER_ORDER **head_p,
871 CIPHER_ORDER **tail_p) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]872 CIPHER_ORDER *head, *tail, *curr, *next, *last;
873 const SSL_CIPHER *cp;
874 int reverse = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]875
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]876 if (cipher_id == 0 && strength_bits == -1 && min_version == 0 &&
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]877 (alg_mkey == 0 || alg_auth == 0 || alg_enc == 0 || alg_mac == 0)) {
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]878 /* The rule matches nothing, so bail early. */
879 return;
880 }
881
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]882 if (rule == CIPHER_DEL) {
883 /* needed to maintain sorting between currently deleted ciphers */
884 reverse = 1;
885 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]886
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]887 head = *head_p;
888 tail = *tail_p;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]889
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]890 if (reverse) {
891 next = tail;
892 last = head;
893 } else {
894 next = head;
895 last = tail;
896 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]897
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]898 curr = NULL;
899 for (;;) {
900 if (curr == last) {
901 break;
902 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]903
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]904 curr = next;
905 if (curr == NULL) {
906 break;
907 }
Adam Langleye3142a72014-07-24 17:56:48 -0700[diff] [blame]908
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]909 next = reverse ? curr->prev : curr->next;
910 cp = curr->cipher;
Adam Langleye3142a72014-07-24 17:56:48 -0700[diff] [blame]911
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]912 /* Selection criteria is either a specific cipher, the value of
913 * |strength_bits|, or the algorithms used. */
914 if (cipher_id != 0) {
915 if (cipher_id != cp->id) {
916 continue;
917 }
918 } else if (strength_bits >= 0) {
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]919 if (strength_bits != SSL_CIPHER_get_bits(cp, NULL)) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]920 continue;
921 }
David Benjamin881f1962016-08-10 18:29:12 -0400[diff] [blame]922 } else {
923 if (!(alg_mkey & cp->algorithm_mkey) ||
924 !(alg_auth & cp->algorithm_auth) ||
925 !(alg_enc & cp->algorithm_enc) ||
926 !(alg_mac & cp->algorithm_mac) ||
927 (min_version != 0 && SSL_CIPHER_get_min_version(cp) != min_version)) {
928 continue;
929 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]930 }
Adam Langleye3142a72014-07-24 17:56:48 -0700[diff] [blame]931
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]932 /* add the cipher if it has not been added yet. */
933 if (rule == CIPHER_ADD) {
934 /* reverse == 0 */
935 if (!curr->active) {
936 ll_append_tail(&head, curr, &tail);
937 curr->active = 1;
938 curr->in_group = in_group;
939 }
940 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]941
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]942 /* Move the added cipher to this location */
943 else if (rule == CIPHER_ORD) {
944 /* reverse == 0 */
945 if (curr->active) {
946 ll_append_tail(&head, curr, &tail);
947 curr->in_group = 0;
948 }
949 } else if (rule == CIPHER_DEL) {
950 /* reverse == 1 */
951 if (curr->active) {
952 /* most recently deleted ciphersuites get best positions
953 * for any future CIPHER_ADD (note that the CIPHER_DEL loop
954 * works in reverse to maintain the order) */
955 ll_append_head(&head, curr, &tail);
956 curr->active = 0;
957 curr->in_group = 0;
958 }
959 } else if (rule == CIPHER_KILL) {
960 /* reverse == 0 */
961 if (head == curr) {
962 head = curr->next;
963 } else {
964 curr->prev->next = curr->next;
965 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]966
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]967 if (tail == curr) {
968 tail = curr->prev;
969 }
970 curr->active = 0;
971 if (curr->next != NULL) {
972 curr->next->prev = curr->prev;
973 }
974 if (curr->prev != NULL) {
975 curr->prev->next = curr->next;
976 }
977 curr->next = NULL;
978 curr->prev = NULL;
979 }
980 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]981
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]982 *head_p = head;
983 *tail_p = tail;
984}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]985
986static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]987 CIPHER_ORDER **tail_p) {
988 int max_strength_bits, i, *number_uses;
989 CIPHER_ORDER *curr;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]990
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]991 /* This routine sorts the ciphers with descending strength. The sorting must
992 * keep the pre-sorted sequence, so we apply the normal sorting routine as
993 * '+' movement to the end of the list. */
994 max_strength_bits = 0;
995 curr = *head_p;
996 while (curr != NULL) {
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]997 if (curr->active &&
998 SSL_CIPHER_get_bits(curr->cipher, NULL) > max_strength_bits) {
999 max_strength_bits = SSL_CIPHER_get_bits(curr->cipher, NULL);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1000 }
1001 curr = curr->next;
1002 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1003
David Benjamine64d2c72017-07-12 16:31:08 -0400[diff] [blame^]1004 number_uses = (int *)OPENSSL_malloc((max_strength_bits + 1) * sizeof(int));
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1005 if (!number_uses) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1006 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1007 return 0;
1008 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1009 OPENSSL_memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int));
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1010
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1011 /* Now find the strength_bits values actually used. */
1012 curr = *head_p;
1013 while (curr != NULL) {
1014 if (curr->active) {
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1015 number_uses[SSL_CIPHER_get_bits(curr->cipher, NULL)]++;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1016 }
1017 curr = curr->next;
1018 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1019
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1020 /* Go through the list of used strength_bits values in descending order. */
1021 for (i = max_strength_bits; i >= 0; i--) {
1022 if (number_uses[i] > 0) {
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1023 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i, 0, head_p, tail_p);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1024 }
1025 }
1026
1027 OPENSSL_free(number_uses);
1028 return 1;
1029}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1030
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1031static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method,
1032 const char *rule_str,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1033 CIPHER_ORDER **head_p,
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]1034 CIPHER_ORDER **tail_p, int strict) {
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1035 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1036 uint16_t min_version;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1037 const char *l, *buf;
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]1038 int multi, skip_rule, rule, in_group = 0, has_group = 0;
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1039 size_t j, buf_len;
1040 uint32_t cipher_id;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1041 char ch;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1042
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1043 l = rule_str;
1044 for (;;) {
1045 ch = *l;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1046
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1047 if (ch == '\0') {
1048 break; /* done */
1049 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1050
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1051 if (in_group) {
1052 if (ch == ']') {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1053 if (*tail_p) {
1054 (*tail_p)->in_group = 0;
1055 }
1056 in_group = 0;
1057 l++;
1058 continue;
1059 }
David Benjamin37d92462014-09-20 17:54:24 -0400[diff] [blame]1060
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1061 if (ch == '|') {
1062 rule = CIPHER_ADD;
1063 l++;
1064 continue;
1065 } else if (!(ch >= 'a' && ch <= 'z') && !(ch >= 'A' && ch <= 'Z') &&
1066 !(ch >= '0' && ch <= '9')) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1067 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP);
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1068 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1069 } else {
1070 rule = CIPHER_ADD;
1071 }
1072 } else if (ch == '-') {
1073 rule = CIPHER_DEL;
1074 l++;
1075 } else if (ch == '+') {
1076 rule = CIPHER_ORD;
1077 l++;
1078 } else if (ch == '!') {
1079 rule = CIPHER_KILL;
1080 l++;
1081 } else if (ch == '@') {
1082 rule = CIPHER_SPECIAL;
1083 l++;
1084 } else if (ch == '[') {
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]1085 assert(!in_group);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1086 in_group = 1;
1087 has_group = 1;
1088 l++;
1089 continue;
1090 } else {
1091 rule = CIPHER_ADD;
1092 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1093
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1094 /* If preference groups are enabled, the only legal operator is +.
1095 * Otherwise the in_group bits will get mixed up. */
1096 if (has_group && rule != CIPHER_ADD) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1097 OPENSSL_PUT_ERROR(SSL, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1098 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1099 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1100
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1101 if (ITEM_SEP(ch)) {
1102 l++;
1103 continue;
1104 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1105
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1106 multi = 0;
1107 cipher_id = 0;
1108 alg_mkey = ~0u;
1109 alg_auth = ~0u;
1110 alg_enc = ~0u;
1111 alg_mac = ~0u;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1112 min_version = 0;
1113 skip_rule = 0;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1114
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1115 for (;;) {
1116 ch = *l;
1117 buf = l;
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1118 buf_len = 0;
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]1119 while ((ch >= 'A' && ch <= 'Z') || (ch >= '0' && ch <= '9') ||
1120 (ch >= 'a' && ch <= 'z') || ch == '-' || ch == '.' || ch == '_') {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1121 ch = *(++l);
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1122 buf_len++;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1123 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1124
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1125 if (buf_len == 0) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1126 /* We hit something we cannot deal with, it is no command or separator
1127 * nor alphanumeric, so we call this an error. */
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1128 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
Adam Langleyf99f2442016-10-02 09:53:38 -0700[diff] [blame]1129 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1130 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1131
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1132 if (rule == CIPHER_SPECIAL) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1133 break;
1134 }
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1135
1136 /* Look for a matching exact cipher. These aren't allowed in multipart
1137 * rules. */
1138 if (!multi && ch != '+') {
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1139 for (j = 0; j < kCiphersLen; j++) {
1140 const SSL_CIPHER *cipher = &kCiphers[j];
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]1141 if (rule_equals(cipher->name, buf, buf_len) ||
1142 rule_equals(cipher->standard_name, buf, buf_len)) {
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1143 cipher_id = cipher->id;
1144 break;
1145 }
1146 }
1147 }
1148 if (cipher_id == 0) {
1149 /* If not an exact cipher, look for a matching cipher alias. */
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1150 for (j = 0; j < kCipherAliasesLen; j++) {
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1151 if (rule_equals(kCipherAliases[j].name, buf, buf_len)) {
1152 alg_mkey &= kCipherAliases[j].algorithm_mkey;
1153 alg_auth &= kCipherAliases[j].algorithm_auth;
1154 alg_enc &= kCipherAliases[j].algorithm_enc;
1155 alg_mac &= kCipherAliases[j].algorithm_mac;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1156
1157 if (min_version != 0 &&
1158 min_version != kCipherAliases[j].min_version) {
1159 skip_rule = 1;
1160 } else {
1161 min_version = kCipherAliases[j].min_version;
1162 }
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1163 break;
1164 }
1165 }
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1166 if (j == kCipherAliasesLen) {
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1167 skip_rule = 1;
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]1168 if (strict) {
1169 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1170 return 0;
1171 }
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1172 }
1173 }
1174
1175 /* Check for a multipart rule. */
1176 if (ch != '+') {
1177 break;
1178 }
1179 l++;
1180 multi = 1;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1181 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1182
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1183 /* Ok, we have the rule, now apply it. */
1184 if (rule == CIPHER_SPECIAL) {
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]1185 if (buf_len != 8 || strncmp(buf, "STRENGTH", 8) != 0) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1186 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]1187 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1188 }
David Benjaminbf5f1922017-07-01 11:13:53 -0400[diff] [blame]1189 if (!ssl_cipher_strength_sort(head_p, tail_p)) {
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1190 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1191 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1192
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1193 /* We do not support any "multi" options together with "@", so throw away
1194 * the rest of the command, if any left, until end or ':' is found. */
1195 while (*l != '\0' && !ITEM_SEP(*l)) {
1196 l++;
1197 }
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1198 } else if (!skip_rule) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1199 ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth, alg_enc, alg_mac,
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1200 min_version, rule, -1, in_group, head_p, tail_p);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1201 }
1202 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1203
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1204 if (in_group) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1205 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1206 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1207 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1208
Adam Langleyf139c992016-10-02 09:56:09 -0700[diff] [blame]1209 return 1;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1210}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1211
Matthew Braithwaite6ad20dc2017-02-21 16:41:33 -0800[diff] [blame]1212int ssl_create_cipher_list(
1213 const SSL_PROTOCOL_METHOD *ssl_method,
1214 struct ssl_cipher_preference_list_st **out_cipher_list,
1215 const char *rule_str, int strict) {
David Benjamind2cb1c12016-11-02 17:49:09 -0400[diff] [blame]1216 STACK_OF(SSL_CIPHER) *cipherstack = NULL;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1217 CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1218 uint8_t *in_group_flags = NULL;
1219 unsigned int num_in_group_flags = 0;
1220 struct ssl_cipher_preference_list_st *pref_list = NULL;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1221
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1222 /* Return with error if nothing to do. */
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1223 if (rule_str == NULL || out_cipher_list == NULL) {
Matthew Braithwaite6ad20dc2017-02-21 16:41:33 -0800[diff] [blame]1224 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1225 }
David Benjamin5213df42014-08-20 14:19:54 -0400[diff] [blame]1226
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1227 /* Now we have to collect the available ciphers from the compiled in ciphers.
1228 * We cannot get more than the number compiled in, so it is used for
1229 * allocation. */
David Benjamine64d2c72017-07-12 16:31:08 -0400[diff] [blame^]1230 co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * kCiphersLen);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1231 if (co_list == NULL) {
David Benjamin3570d732015-06-29 00:28:17 -0400[diff] [blame]1232 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
Matthew Braithwaite6ad20dc2017-02-21 16:41:33 -0800[diff] [blame]1233 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1234 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1235
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1236 ssl_cipher_collect_ciphers(ssl_method, co_list, &head, &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1237
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1238 /* Now arrange all ciphers by preference:
1239 * TODO(davidben): Compute this order once and copy it. */
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1240
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]1241 /* Everything else being equal, prefer ECDHE_ECDSA and ECDHE_RSA over other
1242 * key exchange mechanisms */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1243 ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, ~0u, ~0u, 0, CIPHER_ADD, -1,
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1244 0, &head, &tail);
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1245 ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0,
1246 &head, &tail);
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1247 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head,
1248 &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1249
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1250 /* Order the bulk ciphers. First the preferred AEAD ciphers. We prefer
1251 * CHACHA20 unless there is hardware support for fast and constant-time
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1252 * AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the
1253 * old one. */
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1254 if (EVP_has_aes_hardware()) {
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1255 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1256 &head, &tail);
David Benjamin43336652016-03-03 15:32:29 -0500[diff] [blame]1257 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1258 &head, &tail);
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1259 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
1260 -1, 0, &head, &tail);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1261 } else {
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1262 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
1263 -1, 0, &head, &tail);
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1264 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1265 &head, &tail);
David Benjamin43336652016-03-03 15:32:29 -0500[diff] [blame]1266 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1267 &head, &tail);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1268 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1269
David Benjamin43336652016-03-03 15:32:29 -0500[diff] [blame]1270 /* Then the legacy non-AEAD ciphers: AES_128_CBC, AES_256_CBC,
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]1271 * 3DES_EDE_CBC_SHA. */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1272 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, 0, CIPHER_ADD, -1, 0,
1273 &head, &tail);
David Benjamin43336652016-03-03 15:32:29 -0500[diff] [blame]1274 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, 0, CIPHER_ADD, -1, 0,
1275 &head, &tail);
1276 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, 0, CIPHER_ADD, -1, 0, &head,
1277 &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1278
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1279 /* Temporarily enable everything else for sorting */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1280 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0, &head,
1281 &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1282
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1283 /* Move ciphers without forward secrecy to the end. */
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1284 ssl_cipher_apply_rule(0, (SSL_kRSA | SSL_kPSK), ~0u, ~0u, ~0u, 0,
David Benjamin0344daf2015-04-08 02:08:01 -0400[diff] [blame]1285 CIPHER_ORD, -1, 0, &head, &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1286
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1287 /* Now disable everything (maintaining the ordering!) */
David Benjamind6e9eec2015-11-18 09:48:55 -0500[diff] [blame]1288 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head,
1289 &tail);
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1290
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1291 /* If the rule_string begins with DEFAULT, apply the default rule before
1292 * using the (possibly available) additional rules. */
David Benjamin11a7b3c2016-11-03 17:03:48 -0400[diff] [blame]1293 const char *rule_p = rule_str;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1294 if (strncmp(rule_str, "DEFAULT", 7) == 0) {
David Benjamin11a7b3c2016-11-03 17:03:48 -0400[diff] [blame]1295 if (!ssl_cipher_process_rulestr(ssl_method, SSL_DEFAULT_CIPHER_LIST, &head,
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]1296 &tail, strict)) {
David Benjamin11a7b3c2016-11-03 17:03:48 -0400[diff] [blame]1297 goto err;
1298 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1299 rule_p += 7;
1300 if (*rule_p == ':') {
1301 rule_p++;
1302 }
1303 }
Adam Langley858a88d2014-06-20 12:00:00 -0700[diff] [blame]1304
David Benjamin11a7b3c2016-11-03 17:03:48 -0400[diff] [blame]1305 if (*rule_p != '\0' &&
Matthew Braithwaitea57dcfb2017-02-17 22:08:23 -0800[diff] [blame]1306 !ssl_cipher_process_rulestr(ssl_method, rule_p, &head, &tail, strict)) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1307 goto err;
1308 }
1309
1310 /* Allocate new "cipherstack" for the result, return with error
1311 * if we cannot get one. */
1312 cipherstack = sk_SSL_CIPHER_new_null();
1313 if (cipherstack == NULL) {
1314 goto err;
1315 }
1316
David Benjamine64d2c72017-07-12 16:31:08 -0400[diff] [blame^]1317 in_group_flags = (uint8_t *)OPENSSL_malloc(kCiphersLen);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1318 if (!in_group_flags) {
1319 goto err;
1320 }
1321
1322 /* The cipher selection for the list is done. The ciphers are added
1323 * to the resulting precedence to the STACK_OF(SSL_CIPHER). */
1324 for (curr = head; curr != NULL; curr = curr->next) {
1325 if (curr->active) {
David Benjamin2adb7ec2015-01-11 19:59:06 -0500[diff] [blame]1326 if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
1327 goto err;
1328 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1329 in_group_flags[num_in_group_flags++] = curr->in_group;
1330 }
1331 }
1332 OPENSSL_free(co_list); /* Not needed any longer */
1333 co_list = NULL;
1334
David Benjamine64d2c72017-07-12 16:31:08 -0400[diff] [blame^]1335 pref_list = (ssl_cipher_preference_list_st *)OPENSSL_malloc(
1336 sizeof(struct ssl_cipher_preference_list_st));
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1337 if (!pref_list) {
1338 goto err;
1339 }
1340 pref_list->ciphers = cipherstack;
David Benjamine64d2c72017-07-12 16:31:08 -0400[diff] [blame^]1341 pref_list->in_group_flags = (uint8_t *)OPENSSL_malloc(num_in_group_flags);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1342 if (!pref_list->in_group_flags) {
1343 goto err;
1344 }
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]1345 OPENSSL_memcpy(pref_list->in_group_flags, in_group_flags, num_in_group_flags);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1346 OPENSSL_free(in_group_flags);
1347 in_group_flags = NULL;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1348 if (*out_cipher_list != NULL) {
1349 ssl_cipher_preference_list_free(*out_cipher_list);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1350 }
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1351 *out_cipher_list = pref_list;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1352 pref_list = NULL;
1353
David Benjamin91222b82017-03-09 20:10:56 -0500[diff] [blame]1354 /* Configuring an empty cipher list is an error but still updates the
1355 * output. */
1356 if (sk_SSL_CIPHER_num((*out_cipher_list)->ciphers) == 0) {
1357 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHER_MATCH);
1358 return 0;
1359 }
1360
Matthew Braithwaite6ad20dc2017-02-21 16:41:33 -0800[diff] [blame]1361 return 1;
Adam Langley858a88d2014-06-20 12:00:00 -0700[diff] [blame]1362
1363err:
David Benjamin2755a3e2015-04-22 16:17:58 -0400[diff] [blame]1364 OPENSSL_free(co_list);
1365 OPENSSL_free(in_group_flags);
1366 sk_SSL_CIPHER_free(cipherstack);
David Benjamin2755a3e2015-04-22 16:17:58 -0400[diff] [blame]1367 if (pref_list) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1368 OPENSSL_free(pref_list->in_group_flags);
1369 }
David Benjamin2755a3e2015-04-22 16:17:58 -0400[diff] [blame]1370 OPENSSL_free(pref_list);
Matthew Braithwaite6ad20dc2017-02-21 16:41:33 -0800[diff] [blame]1371 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1372}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1373
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1374uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher) { return cipher->id; }
1375
David Benjamina1c90a52015-05-30 17:03:14 -0400[diff] [blame]1376uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher) {
1377 uint32_t id = cipher->id;
1378 /* All ciphers are SSLv3. */
1379 assert((id & 0xff000000) == 0x03000000);
1380 return id & 0xffff;
1381}
1382
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1383int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher) {
1384 return (cipher->algorithm_enc & SSL_AES) != 0;
1385}
1386
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1387int SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER *cipher) {
1388 return (cipher->algorithm_mac & SSL_SHA1) != 0;
1389}
1390
David Benjamina211aee2016-02-24 17:18:44 -0500[diff] [blame]1391int SSL_CIPHER_has_SHA256_HMAC(const SSL_CIPHER *cipher) {
1392 return (cipher->algorithm_mac & SSL_SHA256) != 0;
1393}
1394
Alessandro Ghedini48b6b8f2017-05-12 12:53:31 +0100[diff] [blame]1395int SSL_CIPHER_has_SHA384_HMAC(const SSL_CIPHER *cipher) {
1396 return (cipher->algorithm_mac & SSL_SHA384) != 0;
1397}
1398
Alessandro Ghedini0726fb72017-01-17 13:27:08 +0000[diff] [blame]1399int SSL_CIPHER_is_AEAD(const SSL_CIPHER *cipher) {
1400 return (cipher->algorithm_mac & SSL_AEAD) != 0;
1401}
1402
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1403int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher) {
David Benjaminc0125ef2015-09-09 09:11:07 -0400[diff] [blame]1404 return (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) != 0;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1405}
1406
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1407int SSL_CIPHER_is_AES128GCM(const SSL_CIPHER *cipher) {
1408 return (cipher->algorithm_enc & SSL_AES128GCM) != 0;
1409}
1410
Adam Langleyb00061c2015-11-16 17:44:52 -0800[diff] [blame]1411int SSL_CIPHER_is_AES128CBC(const SSL_CIPHER *cipher) {
1412 return (cipher->algorithm_enc & SSL_AES128) != 0;
1413}
1414
1415int SSL_CIPHER_is_AES256CBC(const SSL_CIPHER *cipher) {
1416 return (cipher->algorithm_enc & SSL_AES256) != 0;
1417}
1418
David Benjamin51a01a52015-10-29 13:19:56 -0400[diff] [blame]1419int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher) {
Adam Langley2e839242017-01-19 15:12:44 -0800[diff] [blame]1420 return (cipher->algorithm_enc & SSL_CHACHA20POLY1305) != 0;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1421}
1422
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1423int SSL_CIPHER_is_NULL(const SSL_CIPHER *cipher) {
1424 return (cipher->algorithm_enc & SSL_eNULL) != 0;
1425}
1426
1427int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher) {
Matthew Braithwaite8aaa9e12016-09-07 15:09:58 -0700[diff] [blame]1428 return (cipher->algorithm_enc & SSL_eNULL) == 0 &&
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1429 cipher->algorithm_mac != SSL_AEAD;
1430}
1431
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1432int SSL_CIPHER_is_ECDSA(const SSL_CIPHER *cipher) {
1433 return (cipher->algorithm_auth & SSL_aECDSA) != 0;
1434}
1435
David Benjamin4cc36ad2015-12-19 14:23:26 -0500[diff] [blame]1436int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher) {
1437 return (cipher->algorithm_mkey & SSL_kECDHE) != 0;
1438}
1439
David Benjamin745745d2017-01-10 08:34:14 -0500[diff] [blame]1440int SSL_CIPHER_is_static_RSA(const SSL_CIPHER *cipher) {
1441 return (cipher->algorithm_mkey & SSL_kRSA) != 0;
1442}
1443
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1444uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1445 if (cipher->algorithm_mkey == SSL_kGENERIC ||
1446 cipher->algorithm_auth == SSL_aGENERIC) {
1447 return TLS1_3_VERSION;
1448 }
1449
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1450 if (cipher->algorithm_prf != SSL_HANDSHAKE_MAC_DEFAULT) {
1451 /* Cipher suites before TLS 1.2 use the default PRF, while all those added
1452 * afterwards specify a particular hash. */
David Benjaminef793f42015-11-05 18:16:27 -0500[diff] [blame]1453 return TLS1_2_VERSION;
1454 }
1455 return SSL3_VERSION;
1456}
1457
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1458uint16_t SSL_CIPHER_get_max_version(const SSL_CIPHER *cipher) {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1459 if (cipher->algorithm_mkey == SSL_kGENERIC ||
1460 cipher->algorithm_auth == SSL_aGENERIC) {
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1461 return TLS1_3_VERSION;
1462 }
1463 return TLS1_2_VERSION;
1464}
1465
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1466/* return the actual cipher being used */
1467const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) {
1468 if (cipher != NULL) {
1469 return cipher->name;
1470 }
1471
1472 return "(NONE)";
1473}
1474
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]1475const char *SSL_CIPHER_standard_name(const SSL_CIPHER *cipher) {
1476 return cipher->standard_name;
1477}
1478
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1479const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) {
1480 if (cipher == NULL) {
1481 return "";
1482 }
1483
1484 switch (cipher->algorithm_mkey) {
1485 case SSL_kRSA:
1486 return "RSA";
1487
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1488 case SSL_kECDHE:
1489 switch (cipher->algorithm_auth) {
1490 case SSL_aECDSA:
1491 return "ECDHE_ECDSA";
1492 case SSL_aRSA:
1493 return "ECDHE_RSA";
1494 case SSL_aPSK:
1495 return "ECDHE_PSK";
1496 default:
1497 assert(0);
1498 return "UNKNOWN";
1499 }
1500
1501 case SSL_kPSK:
1502 assert(cipher->algorithm_auth == SSL_aPSK);
1503 return "PSK";
1504
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1505 case SSL_kGENERIC:
1506 assert(cipher->algorithm_auth == SSL_aGENERIC);
1507 return "GENERIC";
1508
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1509 default:
1510 assert(0);
1511 return "UNKNOWN";
1512 }
1513}
1514
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1515char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher) {
1516 if (cipher == NULL) {
1517 return NULL;
1518 }
1519
David Benjamin6fff3862017-06-21 21:07:04 -0400[diff] [blame]1520 return OPENSSL_strdup(SSL_CIPHER_standard_name(cipher));
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1521}
1522
1523int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *out_alg_bits) {
1524 if (cipher == NULL) {
1525 return 0;
1526 }
1527
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1528 int alg_bits, strength_bits;
1529 switch (cipher->algorithm_enc) {
1530 case SSL_AES128:
1531 case SSL_AES128GCM:
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1532 alg_bits = 128;
1533 strength_bits = 128;
1534 break;
1535
1536 case SSL_AES256:
1537 case SSL_AES256GCM:
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1538 case SSL_CHACHA20POLY1305:
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1539 alg_bits = 256;
1540 strength_bits = 256;
1541 break;
1542
1543 case SSL_3DES:
1544 alg_bits = 168;
1545 strength_bits = 112;
1546 break;
1547
1548 case SSL_eNULL:
1549 alg_bits = 0;
1550 strength_bits = 0;
1551 break;
1552
1553 default:
1554 assert(0);
1555 alg_bits = 0;
1556 strength_bits = 0;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1557 }
David Benjamin9f2e2772015-11-18 09:59:43 -0500[diff] [blame]1558
1559 if (out_alg_bits != NULL) {
1560 *out_alg_bits = alg_bits;
1561 }
1562 return strength_bits;
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1563}
1564
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1565const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,
1566 int len) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1567 const char *kx, *au, *enc, *mac;
David Benjamindcb6ef02015-11-06 15:35:54 -0500[diff] [blame]1568 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1569
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1570 alg_mkey = cipher->algorithm_mkey;
1571 alg_auth = cipher->algorithm_auth;
1572 alg_enc = cipher->algorithm_enc;
1573 alg_mac = cipher->algorithm_mac;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1574
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1575 switch (alg_mkey) {
1576 case SSL_kRSA:
1577 kx = "RSA";
1578 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1579
David Benjamin7061e282015-03-19 11:10:48 -0400[diff] [blame]1580 case SSL_kECDHE:
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1581 kx = "ECDH";
1582 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1583
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1584 case SSL_kPSK:
1585 kx = "PSK";
1586 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1587
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1588 case SSL_kGENERIC:
1589 kx = "GENERIC";
1590 break;
1591
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1592 default:
1593 kx = "unknown";
1594 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1595
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1596 switch (alg_auth) {
1597 case SSL_aRSA:
1598 au = "RSA";
1599 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1600
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1601 case SSL_aECDSA:
1602 au = "ECDSA";
1603 break;
Adam Langley4d4bff82014-06-20 12:00:00 -0700[diff] [blame]1604
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1605 case SSL_aPSK:
1606 au = "PSK";
1607 break;
Adam Langley4d4bff82014-06-20 12:00:00 -0700[diff] [blame]1608
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1609 case SSL_aGENERIC:
1610 au = "GENERIC";
1611 break;
1612
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1613 default:
1614 au = "unknown";
1615 break;
1616 }
Adam Langleyde0b2022014-06-20 12:00:00 -0700[diff] [blame]1617
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1618 switch (alg_enc) {
1619 case SSL_3DES:
1620 enc = "3DES(168)";
1621 break;
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1622
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1623 case SSL_AES128:
1624 enc = "AES(128)";
1625 break;
1626
1627 case SSL_AES256:
1628 enc = "AES(256)";
1629 break;
1630
1631 case SSL_AES128GCM:
1632 enc = "AESGCM(128)";
1633 break;
1634
1635 case SSL_AES256GCM:
1636 enc = "AESGCM(256)";
1637 break;
1638
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1639 case SSL_CHACHA20POLY1305:
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1640 enc = "ChaCha20-Poly1305";
1641 break;
1642
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1643 case SSL_eNULL:
1644 enc="None";
1645 break;
1646
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1647 default:
1648 enc = "unknown";
1649 break;
1650 }
1651
1652 switch (alg_mac) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1653 case SSL_SHA1:
1654 mac = "SHA1";
1655 break;
1656
1657 case SSL_SHA256:
1658 mac = "SHA256";
1659 break;
1660
1661 case SSL_SHA384:
1662 mac = "SHA384";
1663 break;
1664
1665 case SSL_AEAD:
1666 mac = "AEAD";
1667 break;
1668
1669 default:
1670 mac = "unknown";
1671 break;
1672 }
1673
1674 if (buf == NULL) {
1675 len = 128;
David Benjamine64d2c72017-07-12 16:31:08 -0400[diff] [blame^]1676 buf = (char *)OPENSSL_malloc(len);
David Benjamin1eed2c02015-02-08 23:20:06 -0500[diff] [blame]1677 if (buf == NULL) {
1678 return NULL;
1679 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1680 } else if (len < 128) {
1681 return "Buffer too small";
1682 }
1683
Brian Smith0687bdf2016-01-17 09:18:26 -1000[diff] [blame]1684 BIO_snprintf(buf, len, "%-23s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n",
1685 cipher->name, kx, au, enc, mac);
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1686 return buf;
1687}
1688
David Benjamin71f07942015-04-08 02:36:59 -0400[diff] [blame]1689const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher) {
1690 return "TLSv1/SSLv3";
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1691}
1692
David Benjamind55bd792017-05-18 11:33:08 -0400[diff] [blame]1693STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void) { return NULL; }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1694
Matt Braithwaite6a1275b2015-06-26 12:09:10 -0700[diff] [blame]1695int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) { return 1; }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1696
Matt Braithwaite6a1275b2015-06-26 12:09:10 -0700[diff] [blame]1697const char *SSL_COMP_get_name(const COMP_METHOD *comp) { return NULL; }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1698
Adam Langley3e9e0432016-10-03 15:58:07 -0700[diff] [blame]1699void SSL_COMP_free_compression_methods(void) {}
1700
David Benjamin69522112017-03-28 15:38:29 -0500[diff] [blame]1701uint32_t ssl_cipher_auth_mask_for_key(const EVP_PKEY *key) {
1702 switch (EVP_PKEY_id(key)) {
1703 case EVP_PKEY_RSA:
1704 return SSL_aRSA;
1705 case EVP_PKEY_EC:
1706 case EVP_PKEY_ED25519:
1707 /* Ed25519 keys in TLS 1.2 repurpose the ECDSA ciphers. */
1708 return SSL_aECDSA;
1709 default:
1710 return 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1711 }
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1712}
David Benjamin9c651c92014-07-12 13:27:45 -0400[diff] [blame]1713
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]1714int ssl_cipher_uses_certificate_auth(const SSL_CIPHER *cipher) {
1715 return (cipher->algorithm_auth & SSL_aCERT) != 0;
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1716}
1717
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1718int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) {
1719 /* Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. */
Matthew Braithwaite7e06de52017-04-10 15:52:14 -0700[diff] [blame]1720 if (cipher->algorithm_mkey & SSL_kECDHE) {
Adam Langleyfcf25832014-12-18 17:42:32 -0800[diff] [blame]1721 return 1;
1722 }
1723
1724 /* It is optional in all others. */
1725 return 0;
1726}
David Benjaminb8d28cf2015-07-28 21:34:45 -0400[diff] [blame]1727
1728size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher) {
1729 size_t block_size;
1730 switch (cipher->algorithm_enc) {
1731 case SSL_3DES:
1732 block_size = 8;
1733 break;
1734 case SSL_AES128:
1735 case SSL_AES256:
1736 block_size = 16;
1737 break;
1738 default:
1739 return 0;
1740 }
1741
David Benjamin5fc99c62017-01-10 08:19:12 -0500[diff] [blame]1742 /* All supported TLS 1.0 ciphers use SHA-1. */
1743 assert(cipher->algorithm_mac == SSL_SHA1);
1744 size_t ret = 1 + SHA_DIGEST_LENGTH;
David Benjaminb8d28cf2015-07-28 21:34:45 -0400[diff] [blame]1745 ret += block_size - (ret % block_size);
1746 return ret;
1747}