1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] 56 */ 57 /* ==================================================================== 58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 59 * 60 * Redistribution and use in source and binary forms, with or without 61 * modification, are permitted provided that the following conditions 62 * are met: 63 * 64 * 1. Redistributions of source code must retain the above copyright 65 * notice, this list of conditions and the following disclaimer. 66 * 67 * 2. Redistributions in binary form must reproduce the above copyright 68 * notice, this list of conditions and the following disclaimer in 69 * the documentation and/or other materials provided with the 70 * distribution. 71 * 72 * 3. All advertising materials mentioning features or use of this 73 * software must display the following acknowledgment: 74 * "This product includes software developed by the OpenSSL Project 75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 76 * 77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 78 * endorse or promote products derived from this software without 79 * prior written permission. For written permission, please contact 80 * openssl-core (at) openssl.org. 81 * 82 * 5. Products derived from this software may not be called "OpenSSL" 83 * nor may "OpenSSL" appear in their names without prior written 84 * permission of the OpenSSL Project. 85 * 86 * 6. Redistributions of any form whatsoever must retain the following 87 * acknowledgment: 88 * "This product includes software developed by the OpenSSL Project 89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 90 * 91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 102 * OF THE POSSIBILITY OF SUCH DAMAGE. 103 * ==================================================================== 104 * 105 * This product includes cryptographic software written by Eric Young 106 * (eay (at) cryptsoft.com). This product includes software written by Tim 107 * Hudson (tjh (at) cryptsoft.com). 108 * 109 */ 110 /* ==================================================================== 111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 112 * ECC cipher suite support in OpenSSL originally developed by 113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 114 */ 115 /* ==================================================================== 116 * Copyright 2005 Nokia. All rights reserved. 117 * 118 * The portions of the attached software ("Contribution") is developed by 119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 120 * license. 121 * 122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 124 * support (see RFC 4279) to OpenSSL. 125 * 126 * No patent licenses or other rights except those expressly stated in 127 * the OpenSSL open source license shall be deemed granted or received 128 * expressly, by implication, estoppel, or otherwise. 129 * 130 * No assurances are provided by Nokia that the Contribution does not 131 * infringe the patent or other intellectual property rights of any third 132 * party or that the license provides you with all the necessary rights 133 * to make use of the Contribution. 134 * 135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 139 * OTHERWISE. */ 140 141 #include <assert.h> 142 #include <stdio.h> 143 #include <string.h> 144 145 #include <openssl/buf.h> 146 #include <openssl/err.h> 147 #include <openssl/md5.h> 148 #include <openssl/mem.h> 149 #include <openssl/sha.h> 150 #include <openssl/stack.h> 151 152 #include "internal.h" 153 154 155 /* kCiphers is an array of all supported ciphers, sorted by id. */ 156 const SSL_CIPHER kCiphers[] = { 157 /* The RSA ciphers */ 158 /* Cipher 04 */ 159 { 160 SSL3_TXT_RSA_RC4_128_MD5, SSL3_CK_RSA_RC4_128_MD5, SSL_kRSA, SSL_aRSA, 161 SSL_RC4, SSL_MD5, SSL_SSLV3, SSL_MEDIUM, 162 SSL_HANDSHAKE_MAC_DEFAULT, 128, 128, 163 }, 164 165 /* Cipher 05 */ 166 { 167 SSL3_TXT_RSA_RC4_128_SHA, SSL3_CK_RSA_RC4_128_SHA, SSL_kRSA, SSL_aRSA, 168 SSL_RC4, SSL_SHA1, SSL_SSLV3, SSL_MEDIUM, 169 SSL_HANDSHAKE_MAC_DEFAULT, 128, 128, 170 }, 171 172 /* Cipher 0A */ 173 { 174 SSL3_TXT_RSA_DES_192_CBC3_SHA, SSL3_CK_RSA_DES_192_CBC3_SHA, SSL_kRSA, 175 SSL_aRSA, SSL_3DES, SSL_SHA1, SSL_SSLV3, SSL_HIGH | SSL_FIPS, 176 SSL_HANDSHAKE_MAC_DEFAULT, 112, 168, 177 }, 178 179 180 /* New AES ciphersuites */ 181 182 /* Cipher 2F */ 183 { 184 TLS1_TXT_RSA_WITH_AES_128_SHA, TLS1_CK_RSA_WITH_AES_128_SHA, SSL_kRSA, 185 SSL_aRSA, SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS, 186 SSL_HANDSHAKE_MAC_DEFAULT, 128, 128, 187 }, 188 189 /* Cipher 33 */ 190 { 191 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, TLS1_CK_DHE_RSA_WITH_AES_128_SHA, 192 SSL_kDHE, SSL_aRSA, SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS, 193 SSL_HANDSHAKE_MAC_DEFAULT, 128, 128, 194 }, 195 196 /* Cipher 35 */ 197 { 198 TLS1_TXT_RSA_WITH_AES_256_SHA, TLS1_CK_RSA_WITH_AES_256_SHA, SSL_kRSA, 199 SSL_aRSA, SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS, 200 SSL_HANDSHAKE_MAC_DEFAULT, 256, 256, 201 }, 202 203 /* Cipher 39 */ 204 { 205 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, TLS1_CK_DHE_RSA_WITH_AES_256_SHA, 206 SSL_kDHE, SSL_aRSA, SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS, 207 SSL_HANDSHAKE_MAC_DEFAULT, 256, 256, 208 }, 209 210 211 /* TLS v1.2 ciphersuites */ 212 213 /* Cipher 3C */ 214 { 215 TLS1_TXT_RSA_WITH_AES_128_SHA256, TLS1_CK_RSA_WITH_AES_128_SHA256, 216 SSL_kRSA, SSL_aRSA, SSL_AES128, SSL_SHA256, SSL_TLSV1_2, 217 SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256, 128, 128, 218 }, 219 220 /* Cipher 3D */ 221 { 222 TLS1_TXT_RSA_WITH_AES_256_SHA256, TLS1_CK_RSA_WITH_AES_256_SHA256, 223 SSL_kRSA, SSL_aRSA, SSL_AES256, SSL_SHA256, SSL_TLSV1_2, 224 SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256, 256, 256, 225 }, 226 227 /* Cipher 67 */ 228 { 229 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256, 230 TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, SSL_kDHE, SSL_aRSA, SSL_AES128, 231 SSL_SHA256, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, 232 SSL_HANDSHAKE_MAC_SHA256, 128, 128, 233 }, 234 235 /* Cipher 6B */ 236 { 237 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256, 238 TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, SSL_kDHE, SSL_aRSA, SSL_AES256, 239 SSL_SHA256, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, 240 SSL_HANDSHAKE_MAC_SHA256, 256, 256, 241 }, 242 243 /* PSK cipher suites. */ 244 245 /* Cipher 8A */ 246 { 247 TLS1_TXT_PSK_WITH_RC4_128_SHA, TLS1_CK_PSK_WITH_RC4_128_SHA, SSL_kPSK, 248 SSL_aPSK, SSL_RC4, SSL_SHA1, SSL_TLSV1, SSL_MEDIUM, 249 SSL_HANDSHAKE_MAC_DEFAULT, 128, 128, 250 }, 251 252 /* Cipher 8C */ 253 { 254 TLS1_TXT_PSK_WITH_AES_128_CBC_SHA, TLS1_CK_PSK_WITH_AES_128_CBC_SHA, 255 SSL_kPSK, SSL_aPSK, SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS, 256 SSL_HANDSHAKE_MAC_DEFAULT, 128, 128, 257 }, 258 259 /* Cipher 8D */ 260 { 261 TLS1_TXT_PSK_WITH_AES_256_CBC_SHA, TLS1_CK_PSK_WITH_AES_256_CBC_SHA, 262 SSL_kPSK, SSL_aPSK, SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS, 263 SSL_HANDSHAKE_MAC_DEFAULT, 256, 256, 264 }, 265 266 /* GCM ciphersuites from RFC5288 */ 267 268 /* Cipher 9C */ 269 { 270 TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256, 271 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, SSL_kRSA, SSL_aRSA, SSL_AES128GCM, 272 SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, 273 SSL_HANDSHAKE_MAC_SHA256 | 274 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD, 275 128, 128, 276 }, 277 278 /* Cipher 9D */ 279 { 280 TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384, 281 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, SSL_kRSA, SSL_aRSA, SSL_AES256GCM, 282 SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, 283 SSL_HANDSHAKE_MAC_SHA384 | 284 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD, 285 256, 256, 286 }, 287 288 /* Cipher 9E */ 289 { 290 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256, 291 TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kDHE, SSL_aRSA, SSL_AES128GCM, 292 SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, 293 SSL_HANDSHAKE_MAC_SHA256 | 294 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD, 295 128, 128, 296 }, 297 298 /* Cipher 9F */ 299 { 300 TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384, 301 TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kDHE, SSL_aRSA, SSL_AES256GCM, 302 SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, 303 SSL_HANDSHAKE_MAC_SHA384 | 304 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD, 305 256, 256, 306 }, 307 308 /* Cipher C007 */ 309 { 310 TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, 311 TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_kECDHE, SSL_aECDSA, SSL_RC4, 312 SSL_SHA1, SSL_TLSV1, SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT, 128, 313 128, 314 }, 315 316 /* Cipher C009 */ 317 { 318 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 319 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDHE, SSL_aECDSA, 320 SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS, 321 SSL_HANDSHAKE_MAC_DEFAULT, 128, 128, 322 }, 323 324 /* Cipher C00A */ 325 { 326 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 327 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDHE, SSL_aECDSA, 328 SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS, 329 SSL_HANDSHAKE_MAC_DEFAULT, 256, 256, 330 }, 331 332 /* Cipher C011 */ 333 { 334 TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, 335 SSL_kECDHE, SSL_aRSA, SSL_RC4, SSL_SHA1, SSL_TLSV1, SSL_MEDIUM, 336 SSL_HANDSHAKE_MAC_DEFAULT, 128, 128, 337 }, 338 339 /* Cipher C013 */ 340 { 341 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, 342 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_kECDHE, SSL_aRSA, SSL_AES128, 343 SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS, 344 SSL_HANDSHAKE_MAC_DEFAULT, 128, 128, 345 }, 346 347 /* Cipher C014 */ 348 { 349 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, 350 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_kECDHE, SSL_aRSA, SSL_AES256, 351 SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS, 352 SSL_HANDSHAKE_MAC_DEFAULT, 256, 256, 353 }, 354 355 356 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */ 357 358 /* Cipher C023 */ 359 { 360 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256, 361 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, SSL_kECDHE, SSL_aECDSA, 362 SSL_AES128, SSL_SHA256, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, 363 SSL_HANDSHAKE_MAC_SHA256, 128, 128, 364 }, 365 366 /* Cipher C024 */ 367 { 368 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384, 369 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, SSL_kECDHE, SSL_aECDSA, 370 SSL_AES256, SSL_SHA384, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, 371 SSL_HANDSHAKE_MAC_SHA384, 256, 256, 372 }, 373 374 /* Cipher C027 */ 375 { 376 TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256, 377 TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, SSL_kECDHE, SSL_aRSA, SSL_AES128, 378 SSL_SHA256, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, 379 SSL_HANDSHAKE_MAC_SHA256, 128, 128, 380 }, 381 382 /* Cipher C028 */ 383 { 384 TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384, 385 TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, SSL_kECDHE, SSL_aRSA, SSL_AES256, 386 SSL_SHA384, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, 387 SSL_HANDSHAKE_MAC_SHA384, 256, 256, 388 }, 389 390 391 /* GCM based TLS v1.2 ciphersuites from RFC5289 */ 392 393 /* Cipher C02B */ 394 { 395 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 396 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE, SSL_aECDSA, 397 SSL_AES128GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, 398 SSL_HANDSHAKE_MAC_SHA256 | 399 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD, 400 128, 128, 401 }, 402 403 /* Cipher C02C */ 404 { 405 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 406 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_kECDHE, SSL_aECDSA, 407 SSL_AES256GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, 408 SSL_HANDSHAKE_MAC_SHA384 | 409 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD, 410 256, 256, 411 }, 412 413 /* Cipher C02F */ 414 { 415 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 416 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE, SSL_aRSA, 417 SSL_AES128GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, 418 SSL_HANDSHAKE_MAC_SHA256 | 419 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD, 420 128, 128, 421 }, 422 423 /* Cipher C030 */ 424 { 425 TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 426 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kECDHE, SSL_aRSA, 427 SSL_AES256GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS, 428 SSL_HANDSHAKE_MAC_SHA384 | 429 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD, 430 256, 256, 431 }, 432 433 /* ECDHE-PSK cipher suites. */ 434 435 /* Cipher C035 */ 436 { 437 TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA, 438 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA, 439 SSL_kECDHE, SSL_aPSK, SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS, 440 SSL_HANDSHAKE_MAC_DEFAULT, 128, 128, 441 }, 442 443 /* Cipher C036 */ 444 { 445 TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA, 446 TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA, 447 SSL_kECDHE, SSL_aPSK, SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS, 448 SSL_HANDSHAKE_MAC_DEFAULT, 256, 256, 449 }, 450 451 /* ChaCha20-Poly1305 cipher suites. */ 452 453 #if !defined(ANDROID) 454 { 455 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305, 456 TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, SSL_kECDHE, SSL_aRSA, 457 SSL_CHACHA20POLY1305, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH, 458 SSL_HANDSHAKE_MAC_SHA256, 459 256, 0, 460 }, 461 462 { 463 TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 464 TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, SSL_kECDHE, SSL_aECDSA, 465 SSL_CHACHA20POLY1305, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH, 466 SSL_HANDSHAKE_MAC_SHA256, 467 256, 0, 468 }, 469 470 { 471 TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305, 472 TLS1_CK_DHE_RSA_CHACHA20_POLY1305, SSL_kDHE, SSL_aRSA, 473 SSL_CHACHA20POLY1305, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH, 474 SSL_HANDSHAKE_MAC_SHA256, 475 256, 0, 476 }, 477 #endif 478 }; 479 480 static const size_t kCiphersLen = sizeof(kCiphers) / sizeof(kCiphers[0]); 481 482 struct handshake_digest { 483 uint32_t mask; 484 const EVP_MD *(*md_func)(void); 485 }; 486 487 static const struct handshake_digest ssl_handshake_digests[SSL_MAX_DIGEST] = { 488 {SSL_HANDSHAKE_MAC_MD5, EVP_md5}, 489 {SSL_HANDSHAKE_MAC_SHA, EVP_sha1}, 490 {SSL_HANDSHAKE_MAC_SHA256, EVP_sha256}, 491 {SSL_HANDSHAKE_MAC_SHA384, EVP_sha384}, 492 }; 493 494 #define CIPHER_ADD 1 495 #define CIPHER_KILL 2 496 #define CIPHER_DEL 3 497 #define CIPHER_ORD 4 498 #define CIPHER_SPECIAL 5 499 500 typedef struct cipher_order_st { 501 const SSL_CIPHER *cipher; 502 int active; 503 int in_group; 504 struct cipher_order_st *next, *prev; 505 } CIPHER_ORDER; 506 507 typedef struct cipher_alias_st { 508 /* name is the name of the cipher alias. */ 509 const char *name; 510 511 /* The following fields are bitmasks for the corresponding fields on 512 * |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the 513 * bit corresponding to the cipher's value is set to 1. If any bitmask is 514 * all zeroes, the alias matches nothing. Use |~0u| for the default value. */ 515 uint32_t algorithm_mkey; 516 uint32_t algorithm_auth; 517 uint32_t algorithm_enc; 518 uint32_t algorithm_mac; 519 uint32_t algorithm_ssl; 520 uint32_t algo_strength; 521 } CIPHER_ALIAS; 522 523 static const CIPHER_ALIAS kCipherAliases[] = { 524 {SSL_TXT_ALL, ~0u, ~0u, ~0u, ~0u, ~0u, ~0u}, 525 526 /* The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. */ 527 528 /* key exchange aliases 529 * (some of those using only a single bit here combine 530 * multiple key exchange algs according to the RFCs, 531 * e.g. kEDH combines DHE_DSS and DHE_RSA) */ 532 {SSL_TXT_kRSA, SSL_kRSA, ~0u, ~0u, ~0u, ~0u, ~0u}, 533 534 {SSL_TXT_kDHE, SSL_kDHE, ~0u, ~0u, ~0u, ~0u, ~0u}, 535 {SSL_TXT_kEDH, SSL_kDHE, ~0u, ~0u, ~0u, ~0u, ~0u}, 536 {SSL_TXT_DH, SSL_kDHE, ~0u, ~0u, ~0u, ~0u, ~0u}, 537 538 {SSL_TXT_kECDHE, SSL_kECDHE, ~0u, ~0u, ~0u, ~0u, ~0u}, 539 {SSL_TXT_kEECDH, SSL_kECDHE, ~0u, ~0u, ~0u, ~0u, ~0u}, 540 {SSL_TXT_ECDH, SSL_kECDHE, ~0u, ~0u, ~0u, ~0u, ~0u}, 541 542 {SSL_TXT_kPSK, SSL_kPSK, ~0u, ~0u, ~0u, ~0u, ~0u}, 543 544 /* server authentication aliases */ 545 {SSL_TXT_aRSA, ~0u, SSL_aRSA, ~0u, ~0u, ~0u, ~0u}, 546 {SSL_TXT_aECDSA, ~0u, SSL_aECDSA, ~0u, ~0u, ~0u, ~0u}, 547 {SSL_TXT_ECDSA, ~0u, SSL_aECDSA, ~0u, ~0u, ~0u, ~0u}, 548 {SSL_TXT_aPSK, ~0u, SSL_aPSK, ~0u, ~0u, ~0u, ~0u}, 549 550 /* aliases combining key exchange and server authentication */ 551 {SSL_TXT_DHE, SSL_kDHE, ~0u, ~0u, ~0u, ~0u, ~0u}, 552 {SSL_TXT_EDH, SSL_kDHE, ~0u, ~0u, ~0u, ~0u, ~0u}, 553 {SSL_TXT_ECDHE, SSL_kECDHE, ~0u, ~0u, ~0u, ~0u, ~0u}, 554 {SSL_TXT_EECDH, SSL_kECDHE, ~0u, ~0u, ~0u, ~0u, ~0u}, 555 {SSL_TXT_RSA, SSL_kRSA, SSL_aRSA, ~0u, ~0u, ~0u, ~0u}, 556 {SSL_TXT_PSK, SSL_kPSK, SSL_aPSK, ~0u, ~0u, ~0u, ~0u}, 557 558 /* symmetric encryption aliases */ 559 {SSL_TXT_3DES, ~0u, ~0u, SSL_3DES, ~0u, ~0u, ~0u}, 560 {SSL_TXT_RC4, ~0u, ~0u, SSL_RC4, ~0u, ~0u, ~0u}, 561 {SSL_TXT_AES128, ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, ~0u, ~0u}, 562 {SSL_TXT_AES256, ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, ~0u, ~0u}, 563 {SSL_TXT_AES, ~0u, ~0u, SSL_AES, ~0u, ~0u, ~0u}, 564 {SSL_TXT_AES_GCM, ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, ~0u, ~0u}, 565 {SSL_TXT_CHACHA20, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, ~0u, ~0u}, 566 567 /* MAC aliases */ 568 {SSL_TXT_MD5, ~0u, ~0u, ~0u, SSL_MD5, ~0u, ~0u}, 569 {SSL_TXT_SHA1, ~0u, ~0u, ~0u, SSL_SHA1, ~0u, ~0u}, 570 {SSL_TXT_SHA, ~0u, ~0u, ~0u, SSL_SHA1, ~0u, ~0u}, 571 {SSL_TXT_SHA256, ~0u, ~0u, ~0u, SSL_SHA256, ~0u, ~0u}, 572 {SSL_TXT_SHA384, ~0u, ~0u, ~0u, SSL_SHA384, ~0u, ~0u}, 573 574 /* protocol version aliases */ 575 {SSL_TXT_SSLV3, ~0u, ~0u, ~0u, ~0u, SSL_SSLV3, ~0u}, 576 {SSL_TXT_TLSV1, ~0u, ~0u, ~0u, ~0u, SSL_TLSV1, ~0u}, 577 {SSL_TXT_TLSV1_2, ~0u, ~0u, ~0u, ~0u, SSL_TLSV1_2, ~0u}, 578 579 /* strength classes */ 580 {SSL_TXT_MEDIUM, ~0u, ~0u, ~0u, ~0u, ~0u, SSL_MEDIUM}, 581 {SSL_TXT_HIGH, ~0u, ~0u, ~0u, ~0u, ~0u, SSL_HIGH}, 582 /* FIPS 140-2 approved ciphersuite */ 583 {SSL_TXT_FIPS, ~0u, ~0u, ~0u, ~0u, ~0u, SSL_FIPS}, 584 }; 585 586 static const size_t kCipherAliasesLen = 587 sizeof(kCipherAliases) / sizeof(kCipherAliases[0]); 588 589 static int ssl_cipher_id_cmp(const void *in_a, const void *in_b) { 590 const SSL_CIPHER *a = in_a; 591 const SSL_CIPHER *b = in_b; 592 593 if (a->id > b->id) { 594 return 1; 595 } else if (a->id < b->id) { 596 return -1; 597 } else { 598 return 0; 599 } 600 } 601 602 static int ssl_cipher_ptr_id_cmp(const SSL_CIPHER **a, const SSL_CIPHER **b) { 603 return ssl_cipher_id_cmp(*a, *b); 604 } 605 606 const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value) { 607 SSL_CIPHER c; 608 609 c.id = 0x03000000L | value; 610 return bsearch(&c, kCiphers, kCiphersLen, sizeof(SSL_CIPHER), 611 ssl_cipher_id_cmp); 612 } 613 614 int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead, 615 size_t *out_mac_secret_len, 616 size_t *out_fixed_iv_len, 617 const SSL_CIPHER *cipher, uint16_t version) { 618 *out_aead = NULL; 619 *out_mac_secret_len = 0; 620 *out_fixed_iv_len = 0; 621 622 switch (cipher->algorithm_enc) { 623 case SSL_AES128GCM: 624 *out_aead = EVP_aead_aes_128_gcm(); 625 *out_fixed_iv_len = 4; 626 return 1; 627 628 case SSL_AES256GCM: 629 *out_aead = EVP_aead_aes_256_gcm(); 630 *out_fixed_iv_len = 4; 631 return 1; 632 633 #if !defined(ANDROID) 634 case SSL_CHACHA20POLY1305: 635 *out_aead = EVP_aead_chacha20_poly1305(); 636 *out_fixed_iv_len = 0; 637 return 1; 638 #endif 639 640 case SSL_RC4: 641 switch (cipher->algorithm_mac) { 642 case SSL_MD5: 643 if (version == SSL3_VERSION) { 644 *out_aead = EVP_aead_rc4_md5_ssl3(); 645 } else { 646 *out_aead = EVP_aead_rc4_md5_tls(); 647 } 648 *out_mac_secret_len = MD5_DIGEST_LENGTH; 649 return 1; 650 case SSL_SHA1: 651 if (version == SSL3_VERSION) { 652 *out_aead = EVP_aead_rc4_sha1_ssl3(); 653 } else { 654 *out_aead = EVP_aead_rc4_sha1_tls(); 655 } 656 *out_mac_secret_len = SHA_DIGEST_LENGTH; 657 return 1; 658 default: 659 return 0; 660 } 661 662 case SSL_AES128: 663 switch (cipher->algorithm_mac) { 664 case SSL_SHA1: 665 if (version == SSL3_VERSION) { 666 *out_aead = EVP_aead_aes_128_cbc_sha1_ssl3(); 667 *out_fixed_iv_len = 16; 668 } else if (version == TLS1_VERSION) { 669 *out_aead = EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(); 670 *out_fixed_iv_len = 16; 671 } else { 672 *out_aead = EVP_aead_aes_128_cbc_sha1_tls(); 673 } 674 *out_mac_secret_len = SHA_DIGEST_LENGTH; 675 return 1; 676 case SSL_SHA256: 677 *out_aead = EVP_aead_aes_128_cbc_sha256_tls(); 678 *out_mac_secret_len = SHA256_DIGEST_LENGTH; 679 return 1; 680 default: 681 return 0; 682 } 683 684 case SSL_AES256: 685 switch (cipher->algorithm_mac) { 686 case SSL_SHA1: 687 if (version == SSL3_VERSION) { 688 *out_aead = EVP_aead_aes_256_cbc_sha1_ssl3(); 689 *out_fixed_iv_len = 16; 690 } else if (version == TLS1_VERSION) { 691 *out_aead = EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(); 692 *out_fixed_iv_len = 16; 693 } else { 694 *out_aead = EVP_aead_aes_256_cbc_sha1_tls(); 695 } 696 *out_mac_secret_len = SHA_DIGEST_LENGTH; 697 return 1; 698 case SSL_SHA256: 699 *out_aead = EVP_aead_aes_256_cbc_sha256_tls(); 700 *out_mac_secret_len = SHA256_DIGEST_LENGTH; 701 return 1; 702 case SSL_SHA384: 703 *out_aead = EVP_aead_aes_256_cbc_sha384_tls(); 704 *out_mac_secret_len = SHA384_DIGEST_LENGTH; 705 return 1; 706 default: 707 return 0; 708 } 709 710 case SSL_3DES: 711 switch (cipher->algorithm_mac) { 712 case SSL_SHA1: 713 if (version == SSL3_VERSION) { 714 *out_aead = EVP_aead_des_ede3_cbc_sha1_ssl3(); 715 *out_fixed_iv_len = 8; 716 } else if (version == TLS1_VERSION) { 717 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(); 718 *out_fixed_iv_len = 8; 719 } else { 720 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls(); 721 } 722 *out_mac_secret_len = SHA_DIGEST_LENGTH; 723 return 1; 724 default: 725 return 0; 726 } 727 728 default: 729 return 0; 730 } 731 } 732 733 int ssl_get_handshake_digest(uint32_t *out_mask, const EVP_MD **out_md, 734 size_t idx) { 735 if (idx >= SSL_MAX_DIGEST) { 736 return 0; 737 } 738 *out_mask = ssl_handshake_digests[idx].mask; 739 *out_md = ssl_handshake_digests[idx].md_func(); 740 return 1; 741 } 742 743 #define ITEM_SEP(a) \ 744 (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ',')) 745 746 /* rule_equals returns one iff the NUL-terminated string |rule| is equal to the 747 * |buf_len| bytes at |buf|. */ 748 static int rule_equals(const char *rule, const char *buf, size_t buf_len) { 749 /* |strncmp| alone only checks that |buf| is a prefix of |rule|. */ 750 return strncmp(rule, buf, buf_len) == 0 && rule[buf_len] == '\0'; 751 } 752 753 static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr, 754 CIPHER_ORDER **tail) { 755 if (curr == *tail) { 756 return; 757 } 758 if (curr == *head) { 759 *head = curr->next; 760 } 761 if (curr->prev != NULL) { 762 curr->prev->next = curr->next; 763 } 764 if (curr->next != NULL) { 765 curr->next->prev = curr->prev; 766 } 767 (*tail)->next = curr; 768 curr->prev = *tail; 769 curr->next = NULL; 770 *tail = curr; 771 } 772 773 static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr, 774 CIPHER_ORDER **tail) { 775 if (curr == *head) { 776 return; 777 } 778 if (curr == *tail) { 779 *tail = curr->prev; 780 } 781 if (curr->next != NULL) { 782 curr->next->prev = curr->prev; 783 } 784 if (curr->prev != NULL) { 785 curr->prev->next = curr->next; 786 } 787 (*head)->prev = curr; 788 curr->next = *head; 789 curr->prev = NULL; 790 *head = curr; 791 } 792 793 static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method, 794 CIPHER_ORDER *co_list, 795 CIPHER_ORDER **head_p, 796 CIPHER_ORDER **tail_p) { 797 /* The set of ciphers is static, but some subset may be unsupported by 798 * |ssl_method|, so the list may be smaller. */ 799 size_t co_list_num = 0; 800 size_t i; 801 for (i = 0; i < kCiphersLen; i++) { 802 const SSL_CIPHER *cipher = &kCiphers[i]; 803 if (ssl_method->supports_cipher(cipher)) { 804 co_list[co_list_num].cipher = cipher; 805 co_list[co_list_num].next = NULL; 806 co_list[co_list_num].prev = NULL; 807 co_list[co_list_num].active = 0; 808 co_list[co_list_num].in_group = 0; 809 co_list_num++; 810 } 811 } 812 813 /* Prepare linked list from list entries. */ 814 if (co_list_num > 0) { 815 co_list[0].prev = NULL; 816 817 if (co_list_num > 1) { 818 co_list[0].next = &co_list[1]; 819 820 for (i = 1; i < co_list_num - 1; i++) { 821 co_list[i].prev = &co_list[i - 1]; 822 co_list[i].next = &co_list[i + 1]; 823 } 824 825 co_list[co_list_num - 1].prev = &co_list[co_list_num - 2]; 826 } 827 828 co_list[co_list_num - 1].next = NULL; 829 830 *head_p = &co_list[0]; 831 *tail_p = &co_list[co_list_num - 1]; 832 } 833 } 834 835 /* ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its 836 * parameters in the linked list from |*head_p| to |*tail_p|. It writes the new 837 * head and tail of the list to |*head_p| and |*tail_p|, respectively. 838 * 839 * - If |cipher_id| is non-zero, only that cipher is selected. 840 * - Otherwise, if |strength_bits| is non-negative, it selects ciphers 841 * of that strength. 842 * - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and 843 * |algo_strength|. */ 844 static void ssl_cipher_apply_rule( 845 uint32_t cipher_id, uint32_t alg_mkey, uint32_t alg_auth, 846 uint32_t alg_enc, uint32_t alg_mac, uint32_t alg_ssl, 847 uint32_t algo_strength, int rule, int strength_bits, int in_group, 848 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) { 849 CIPHER_ORDER *head, *tail, *curr, *next, *last; 850 const SSL_CIPHER *cp; 851 int reverse = 0; 852 853 if (cipher_id == 0 && strength_bits == -1 && 854 (alg_mkey == 0 || alg_auth == 0 || alg_enc == 0 || alg_mac == 0 || 855 alg_ssl == 0 || algo_strength == 0)) { 856 /* The rule matches nothing, so bail early. */ 857 return; 858 } 859 860 if (rule == CIPHER_DEL) { 861 /* needed to maintain sorting between currently deleted ciphers */ 862 reverse = 1; 863 } 864 865 head = *head_p; 866 tail = *tail_p; 867 868 if (reverse) { 869 next = tail; 870 last = head; 871 } else { 872 next = head; 873 last = tail; 874 } 875 876 curr = NULL; 877 for (;;) { 878 if (curr == last) { 879 break; 880 } 881 882 curr = next; 883 if (curr == NULL) { 884 break; 885 } 886 887 next = reverse ? curr->prev : curr->next; 888 cp = curr->cipher; 889 890 /* Selection criteria is either a specific cipher, the value of 891 * |strength_bits|, or the algorithms used. */ 892 if (cipher_id != 0) { 893 if (cipher_id != cp->id) { 894 continue; 895 } 896 } else if (strength_bits >= 0) { 897 if (strength_bits != cp->strength_bits) { 898 continue; 899 } 900 } else if (!(alg_mkey & cp->algorithm_mkey) || 901 !(alg_auth & cp->algorithm_auth) || 902 !(alg_enc & cp->algorithm_enc) || 903 !(alg_mac & cp->algorithm_mac) || 904 !(alg_ssl & cp->algorithm_ssl) || 905 !(algo_strength & cp->algo_strength)) { 906 continue; 907 } 908 909 /* add the cipher if it has not been added yet. */ 910 if (rule == CIPHER_ADD) { 911 /* reverse == 0 */ 912 if (!curr->active) { 913 ll_append_tail(&head, curr, &tail); 914 curr->active = 1; 915 curr->in_group = in_group; 916 } 917 } 918 919 /* Move the added cipher to this location */ 920 else if (rule == CIPHER_ORD) { 921 /* reverse == 0 */ 922 if (curr->active) { 923 ll_append_tail(&head, curr, &tail); 924 curr->in_group = 0; 925 } 926 } else if (rule == CIPHER_DEL) { 927 /* reverse == 1 */ 928 if (curr->active) { 929 /* most recently deleted ciphersuites get best positions 930 * for any future CIPHER_ADD (note that the CIPHER_DEL loop 931 * works in reverse to maintain the order) */ 932 ll_append_head(&head, curr, &tail); 933 curr->active = 0; 934 curr->in_group = 0; 935 } 936 } else if (rule == CIPHER_KILL) { 937 /* reverse == 0 */ 938 if (head == curr) { 939 head = curr->next; 940 } else { 941 curr->prev->next = curr->next; 942 } 943 944 if (tail == curr) { 945 tail = curr->prev; 946 } 947 curr->active = 0; 948 if (curr->next != NULL) { 949 curr->next->prev = curr->prev; 950 } 951 if (curr->prev != NULL) { 952 curr->prev->next = curr->next; 953 } 954 curr->next = NULL; 955 curr->prev = NULL; 956 } 957 } 958 959 *head_p = head; 960 *tail_p = tail; 961 } 962 963 static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p, 964 CIPHER_ORDER **tail_p) { 965 int max_strength_bits, i, *number_uses; 966 CIPHER_ORDER *curr; 967 968 /* This routine sorts the ciphers with descending strength. The sorting must 969 * keep the pre-sorted sequence, so we apply the normal sorting routine as 970 * '+' movement to the end of the list. */ 971 max_strength_bits = 0; 972 curr = *head_p; 973 while (curr != NULL) { 974 if (curr->active && curr->cipher->strength_bits > max_strength_bits) { 975 max_strength_bits = curr->cipher->strength_bits; 976 } 977 curr = curr->next; 978 } 979 980 number_uses = OPENSSL_malloc((max_strength_bits + 1) * sizeof(int)); 981 if (!number_uses) { 982 OPENSSL_PUT_ERROR(SSL, ssl_cipher_strength_sort, ERR_R_MALLOC_FAILURE); 983 return 0; 984 } 985 memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int)); 986 987 /* Now find the strength_bits values actually used. */ 988 curr = *head_p; 989 while (curr != NULL) { 990 if (curr->active) { 991 number_uses[curr->cipher->strength_bits]++; 992 } 993 curr = curr->next; 994 } 995 996 /* Go through the list of used strength_bits values in descending order. */ 997 for (i = max_strength_bits; i >= 0; i--) { 998 if (number_uses[i] > 0) { 999 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, 0, head_p, 1000 tail_p); 1001 } 1002 } 1003 1004 OPENSSL_free(number_uses); 1005 return 1; 1006 } 1007 1008 static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method, 1009 const char *rule_str, 1010 CIPHER_ORDER **head_p, 1011 CIPHER_ORDER **tail_p) { 1012 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength; 1013 const char *l, *buf; 1014 int multi, rule, retval, ok, in_group = 0, has_group = 0; 1015 size_t j, buf_len; 1016 uint32_t cipher_id; 1017 char ch; 1018 1019 retval = 1; 1020 l = rule_str; 1021 for (;;) { 1022 ch = *l; 1023 1024 if (ch == '\0') { 1025 break; /* done */ 1026 } 1027 1028 if (in_group) { 1029 if (ch == ']') { 1030 if (*tail_p) { 1031 (*tail_p)->in_group = 0; 1032 } 1033 in_group = 0; 1034 l++; 1035 continue; 1036 } 1037 1038 if (ch == '|') { 1039 rule = CIPHER_ADD; 1040 l++; 1041 continue; 1042 } else if (!(ch >= 'a' && ch <= 'z') && !(ch >= 'A' && ch <= 'Z') && 1043 !(ch >= '0' && ch <= '9')) { 1044 OPENSSL_PUT_ERROR(SSL, ssl_cipher_process_rulestr, 1045 SSL_R_UNEXPECTED_OPERATOR_IN_GROUP); 1046 retval = in_group = 0; 1047 break; 1048 } else { 1049 rule = CIPHER_ADD; 1050 } 1051 } else if (ch == '-') { 1052 rule = CIPHER_DEL; 1053 l++; 1054 } else if (ch == '+') { 1055 rule = CIPHER_ORD; 1056 l++; 1057 } else if (ch == '!') { 1058 rule = CIPHER_KILL; 1059 l++; 1060 } else if (ch == '@') { 1061 rule = CIPHER_SPECIAL; 1062 l++; 1063 } else if (ch == '[') { 1064 if (in_group) { 1065 OPENSSL_PUT_ERROR(SSL, ssl_cipher_process_rulestr, SSL_R_NESTED_GROUP); 1066 retval = in_group = 0; 1067 break; 1068 } 1069 in_group = 1; 1070 has_group = 1; 1071 l++; 1072 continue; 1073 } else { 1074 rule = CIPHER_ADD; 1075 } 1076 1077 /* If preference groups are enabled, the only legal operator is +. 1078 * Otherwise the in_group bits will get mixed up. */ 1079 if (has_group && rule != CIPHER_ADD) { 1080 OPENSSL_PUT_ERROR(SSL, ssl_cipher_process_rulestr, 1081 SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS); 1082 retval = in_group = 0; 1083 break; 1084 } 1085 1086 if (ITEM_SEP(ch)) { 1087 l++; 1088 continue; 1089 } 1090 1091 multi = 0; 1092 cipher_id = 0; 1093 alg_mkey = ~0u; 1094 alg_auth = ~0u; 1095 alg_enc = ~0u; 1096 alg_mac = ~0u; 1097 alg_ssl = ~0u; 1098 algo_strength = ~0u; 1099 1100 for (;;) { 1101 ch = *l; 1102 buf = l; 1103 buf_len = 0; 1104 while (((ch >= 'A') && (ch <= 'Z')) || ((ch >= '0') && (ch <= '9')) || 1105 ((ch >= 'a') && (ch <= 'z')) || (ch == '-') || (ch == '.')) { 1106 ch = *(++l); 1107 buf_len++; 1108 } 1109 1110 if (buf_len == 0) { 1111 /* We hit something we cannot deal with, it is no command or separator 1112 * nor alphanumeric, so we call this an error. */ 1113 OPENSSL_PUT_ERROR(SSL, ssl_cipher_process_rulestr, 1114 SSL_R_INVALID_COMMAND); 1115 retval = in_group = 0; 1116 l++; 1117 break; 1118 } 1119 1120 if (rule == CIPHER_SPECIAL) { 1121 break; 1122 } 1123 1124 /* Look for a matching exact cipher. These aren't allowed in multipart 1125 * rules. */ 1126 if (!multi && ch != '+') { 1127 for (j = 0; j < kCiphersLen; j++) { 1128 const SSL_CIPHER *cipher = &kCiphers[j]; 1129 if (rule_equals(cipher->name, buf, buf_len)) { 1130 cipher_id = cipher->id; 1131 break; 1132 } 1133 } 1134 } 1135 if (cipher_id == 0) { 1136 /* If not an exact cipher, look for a matching cipher alias. */ 1137 for (j = 0; j < kCipherAliasesLen; j++) { 1138 if (rule_equals(kCipherAliases[j].name, buf, buf_len)) { 1139 alg_mkey &= kCipherAliases[j].algorithm_mkey; 1140 alg_auth &= kCipherAliases[j].algorithm_auth; 1141 alg_enc &= kCipherAliases[j].algorithm_enc; 1142 alg_mac &= kCipherAliases[j].algorithm_mac; 1143 alg_ssl &= kCipherAliases[j].algorithm_ssl; 1144 algo_strength &= kCipherAliases[j].algo_strength; 1145 break; 1146 } 1147 } 1148 if (j == kCipherAliasesLen) { 1149 alg_mkey = alg_auth = alg_enc = alg_mac = alg_ssl = algo_strength = 0; 1150 } 1151 } 1152 1153 /* Check for a multipart rule. */ 1154 if (ch != '+') { 1155 break; 1156 } 1157 l++; 1158 multi = 1; 1159 } 1160 1161 /* Ok, we have the rule, now apply it. */ 1162 if (rule == CIPHER_SPECIAL) { 1163 /* special command */ 1164 ok = 0; 1165 if (buf_len == 8 && !strncmp(buf, "STRENGTH", 8)) { 1166 ok = ssl_cipher_strength_sort(head_p, tail_p); 1167 } else { 1168 OPENSSL_PUT_ERROR(SSL, ssl_cipher_process_rulestr, 1169 SSL_R_INVALID_COMMAND); 1170 } 1171 1172 if (ok == 0) { 1173 retval = 0; 1174 } 1175 1176 /* We do not support any "multi" options together with "@", so throw away 1177 * the rest of the command, if any left, until end or ':' is found. */ 1178 while (*l != '\0' && !ITEM_SEP(*l)) { 1179 l++; 1180 } 1181 } else { 1182 ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth, alg_enc, alg_mac, 1183 alg_ssl, algo_strength, rule, -1, in_group, head_p, 1184 tail_p); 1185 } 1186 } 1187 1188 if (in_group) { 1189 OPENSSL_PUT_ERROR(SSL, ssl_cipher_process_rulestr, SSL_R_INVALID_COMMAND); 1190 retval = 0; 1191 } 1192 1193 return retval; 1194 } 1195 1196 STACK_OF(SSL_CIPHER) * 1197 ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *ssl_method, 1198 struct ssl_cipher_preference_list_st **out_cipher_list, 1199 STACK_OF(SSL_CIPHER) **out_cipher_list_by_id, 1200 const char *rule_str) { 1201 int ok; 1202 STACK_OF(SSL_CIPHER) *cipherstack = NULL, *tmp_cipher_list = NULL; 1203 const char *rule_p; 1204 CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; 1205 uint8_t *in_group_flags = NULL; 1206 unsigned int num_in_group_flags = 0; 1207 struct ssl_cipher_preference_list_st *pref_list = NULL; 1208 1209 /* Return with error if nothing to do. */ 1210 if (rule_str == NULL || out_cipher_list == NULL) { 1211 return NULL; 1212 } 1213 1214 /* Now we have to collect the available ciphers from the compiled in ciphers. 1215 * We cannot get more than the number compiled in, so it is used for 1216 * allocation. */ 1217 co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * kCiphersLen); 1218 if (co_list == NULL) { 1219 OPENSSL_PUT_ERROR(SSL, ssl_create_cipher_list, ERR_R_MALLOC_FAILURE); 1220 return NULL; 1221 } 1222 1223 ssl_cipher_collect_ciphers(ssl_method, co_list, &head, &tail); 1224 1225 /* Now arrange all ciphers by preference: 1226 * TODO(davidben): Compute this order once and copy it. */ 1227 1228 /* Everything else being equal, prefer ECDHE_ECDSA then ECDHE_RSA over other 1229 * key exchange mechanisms */ 1230 ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, ~0u, ~0u, ~0u, ~0u, 1231 CIPHER_ADD, -1, 0, &head, &tail); 1232 ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, ~0u, ~0u, CIPHER_ADD, -1, 1233 0, &head, &tail); 1234 ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, ~0u, ~0u, CIPHER_DEL, -1, 1235 0, &head, &tail); 1236 1237 /* Order the bulk ciphers. First the preferred AEAD ciphers. We prefer 1238 * CHACHA20 unless there is hardware support for fast and constant-time 1239 * AES_GCM. */ 1240 if (EVP_has_aes_hardware()) { 1241 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, ~0u, ~0u, CIPHER_ADD, 1242 -1, 0, &head, &tail); 1243 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, ~0u, ~0u, CIPHER_ADD, 1244 -1, 0, &head, &tail); 1245 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, ~0u, ~0u, 1246 CIPHER_ADD, -1, 0, &head, &tail); 1247 } else { 1248 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, ~0u, ~0u, 1249 CIPHER_ADD, -1, 0, &head, &tail); 1250 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, ~0u, ~0u, CIPHER_ADD, 1251 -1, 0, &head, &tail); 1252 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, ~0u, ~0u, CIPHER_ADD, 1253 -1, 0, &head, &tail); 1254 } 1255 1256 /* Then the legacy non-AEAD ciphers: AES_256_CBC, AES-128_CBC, RC4_128_SHA, 1257 * RC4_128_MD5, 3DES_EDE_CBC_SHA. */ 1258 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, ~0u, ~0u, CIPHER_ADD, -1, 1259 0, &head, &tail); 1260 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, ~0u, ~0u, CIPHER_ADD, -1, 1261 0, &head, &tail); 1262 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_RC4, ~SSL_MD5, ~0u, ~0u, CIPHER_ADD, 1263 -1, 0, &head, &tail); 1264 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_RC4, SSL_MD5, ~0u, ~0u, CIPHER_ADD, -1, 1265 0, &head, &tail); 1266 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, ~0u, ~0u, CIPHER_ADD, -1, 0, 1267 &head, &tail); 1268 1269 /* Temporarily enable everything else for sorting */ 1270 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, ~0u, ~0u, CIPHER_ADD, -1, 0, 1271 &head, &tail); 1272 1273 /* Move ciphers without forward secrecy to the end. */ 1274 ssl_cipher_apply_rule(0, ~(SSL_kDHE | SSL_kECDHE), ~0u, ~0u, ~0u, ~0u, ~0u, 1275 CIPHER_ORD, -1, 0, &head, &tail); 1276 1277 /* Now disable everything (maintaining the ordering!) */ 1278 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, ~0u, ~0u, CIPHER_DEL, -1, 0, 1279 &head, &tail); 1280 1281 /* If the rule_string begins with DEFAULT, apply the default rule before 1282 * using the (possibly available) additional rules. */ 1283 ok = 1; 1284 rule_p = rule_str; 1285 if (strncmp(rule_str, "DEFAULT", 7) == 0) { 1286 ok = ssl_cipher_process_rulestr(ssl_method, SSL_DEFAULT_CIPHER_LIST, &head, 1287 &tail); 1288 rule_p += 7; 1289 if (*rule_p == ':') { 1290 rule_p++; 1291 } 1292 } 1293 1294 if (ok && strlen(rule_p) > 0) { 1295 ok = ssl_cipher_process_rulestr(ssl_method, rule_p, &head, &tail); 1296 } 1297 1298 if (!ok) { 1299 goto err; 1300 } 1301 1302 /* Allocate new "cipherstack" for the result, return with error 1303 * if we cannot get one. */ 1304 cipherstack = sk_SSL_CIPHER_new_null(); 1305 if (cipherstack == NULL) { 1306 goto err; 1307 } 1308 1309 in_group_flags = OPENSSL_malloc(kCiphersLen); 1310 if (!in_group_flags) { 1311 goto err; 1312 } 1313 1314 /* The cipher selection for the list is done. The ciphers are added 1315 * to the resulting precedence to the STACK_OF(SSL_CIPHER). */ 1316 for (curr = head; curr != NULL; curr = curr->next) { 1317 if (curr->active) { 1318 if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) { 1319 goto err; 1320 } 1321 in_group_flags[num_in_group_flags++] = curr->in_group; 1322 } 1323 } 1324 OPENSSL_free(co_list); /* Not needed any longer */ 1325 co_list = NULL; 1326 1327 tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack); 1328 if (tmp_cipher_list == NULL) { 1329 goto err; 1330 } 1331 pref_list = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st)); 1332 if (!pref_list) { 1333 goto err; 1334 } 1335 pref_list->ciphers = cipherstack; 1336 pref_list->in_group_flags = OPENSSL_malloc(num_in_group_flags); 1337 if (!pref_list->in_group_flags) { 1338 goto err; 1339 } 1340 memcpy(pref_list->in_group_flags, in_group_flags, num_in_group_flags); 1341 OPENSSL_free(in_group_flags); 1342 in_group_flags = NULL; 1343 if (*out_cipher_list != NULL) { 1344 ssl_cipher_preference_list_free(*out_cipher_list); 1345 } 1346 *out_cipher_list = pref_list; 1347 pref_list = NULL; 1348 1349 if (out_cipher_list_by_id != NULL) { 1350 sk_SSL_CIPHER_free(*out_cipher_list_by_id); 1351 *out_cipher_list_by_id = tmp_cipher_list; 1352 tmp_cipher_list = NULL; 1353 (void) sk_SSL_CIPHER_set_cmp_func(*out_cipher_list_by_id, 1354 ssl_cipher_ptr_id_cmp); 1355 1356 sk_SSL_CIPHER_sort(*out_cipher_list_by_id); 1357 } else { 1358 sk_SSL_CIPHER_free(tmp_cipher_list); 1359 tmp_cipher_list = NULL; 1360 } 1361 1362 return cipherstack; 1363 1364 err: 1365 OPENSSL_free(co_list); 1366 OPENSSL_free(in_group_flags); 1367 sk_SSL_CIPHER_free(cipherstack); 1368 sk_SSL_CIPHER_free(tmp_cipher_list); 1369 if (pref_list) { 1370 OPENSSL_free(pref_list->in_group_flags); 1371 } 1372 OPENSSL_free(pref_list); 1373 return NULL; 1374 } 1375 1376 uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher) { return cipher->id; } 1377 1378 uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher) { 1379 uint32_t id = cipher->id; 1380 /* All ciphers are SSLv3. */ 1381 assert((id & 0xff000000) == 0x03000000); 1382 return id & 0xffff; 1383 } 1384 1385 int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher) { 1386 return (cipher->algorithm_enc & SSL_AES) != 0; 1387 } 1388 1389 int SSL_CIPHER_has_MD5_HMAC(const SSL_CIPHER *cipher) { 1390 return (cipher->algorithm_mac & SSL_MD5) != 0; 1391 } 1392 1393 int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher) { 1394 return (cipher->algorithm_mac & (SSL_AES128GCM | SSL_AES256GCM)) != 0; 1395 } 1396 1397 int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher) { 1398 return (cipher->algorithm_enc & SSL_CHACHA20POLY1305) != 0; 1399 } 1400 1401 /* return the actual cipher being used */ 1402 const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) { 1403 if (cipher != NULL) { 1404 return cipher->name; 1405 } 1406 1407 return "(NONE)"; 1408 } 1409 1410 const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) { 1411 if (cipher == NULL) { 1412 return ""; 1413 } 1414 1415 switch (cipher->algorithm_mkey) { 1416 case SSL_kRSA: 1417 return "RSA"; 1418 1419 case SSL_kDHE: 1420 switch (cipher->algorithm_auth) { 1421 case SSL_aRSA: 1422 return "DHE_RSA"; 1423 default: 1424 assert(0); 1425 return "UNKNOWN"; 1426 } 1427 1428 case SSL_kECDHE: 1429 switch (cipher->algorithm_auth) { 1430 case SSL_aECDSA: 1431 return "ECDHE_ECDSA"; 1432 case SSL_aRSA: 1433 return "ECDHE_RSA"; 1434 case SSL_aPSK: 1435 return "ECDHE_PSK"; 1436 default: 1437 assert(0); 1438 return "UNKNOWN"; 1439 } 1440 1441 case SSL_kPSK: 1442 assert(cipher->algorithm_auth == SSL_aPSK); 1443 return "PSK"; 1444 1445 default: 1446 assert(0); 1447 return "UNKNOWN"; 1448 } 1449 } 1450 1451 static const char *ssl_cipher_get_enc_name(const SSL_CIPHER *cipher) { 1452 switch (cipher->algorithm_enc) { 1453 case SSL_3DES: 1454 return "3DES_EDE_CBC"; 1455 case SSL_RC4: 1456 return "RC4"; 1457 case SSL_AES128: 1458 return "AES_128_CBC"; 1459 case SSL_AES256: 1460 return "AES_256_CBC"; 1461 case SSL_AES128GCM: 1462 return "AES_128_GCM"; 1463 case SSL_AES256GCM: 1464 return "AES_256_GCM"; 1465 case SSL_CHACHA20POLY1305: 1466 return "CHACHA20_POLY1305"; 1467 break; 1468 default: 1469 assert(0); 1470 return "UNKNOWN"; 1471 } 1472 } 1473 1474 static const char *ssl_cipher_get_prf_name(const SSL_CIPHER *cipher) { 1475 if ((cipher->algorithm2 & SSL_HANDSHAKE_MAC_DEFAULT) == 1476 SSL_HANDSHAKE_MAC_DEFAULT) { 1477 /* Before TLS 1.2, the PRF component is the hash used in the HMAC, which is 1478 * only ever MD5 or SHA-1. */ 1479 switch (cipher->algorithm_mac) { 1480 case SSL_MD5: 1481 return "MD5"; 1482 case SSL_SHA1: 1483 return "SHA"; 1484 default: 1485 assert(0); 1486 return "UNKNOWN"; 1487 } 1488 } else if (cipher->algorithm2 & SSL_HANDSHAKE_MAC_SHA256) { 1489 return "SHA256"; 1490 } else if (cipher->algorithm2 & SSL_HANDSHAKE_MAC_SHA384) { 1491 return "SHA384"; 1492 } else { 1493 assert(0); 1494 return "UNKNOWN"; 1495 } 1496 } 1497 1498 char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher) { 1499 if (cipher == NULL) { 1500 return NULL; 1501 } 1502 1503 const char *kx_name = SSL_CIPHER_get_kx_name(cipher); 1504 const char *enc_name = ssl_cipher_get_enc_name(cipher); 1505 const char *prf_name = ssl_cipher_get_prf_name(cipher); 1506 1507 /* The final name is TLS_{kx_name}_WITH_{enc_name}_{prf_name}. */ 1508 size_t len = 4 + strlen(kx_name) + 6 + strlen(enc_name) + 1 + 1509 strlen(prf_name) + 1; 1510 char *ret = OPENSSL_malloc(len); 1511 if (ret == NULL) { 1512 return NULL; 1513 } 1514 if (BUF_strlcpy(ret, "TLS_", len) >= len || 1515 BUF_strlcat(ret, kx_name, len) >= len || 1516 BUF_strlcat(ret, "_WITH_", len) >= len || 1517 BUF_strlcat(ret, enc_name, len) >= len || 1518 BUF_strlcat(ret, "_", len) >= len || 1519 BUF_strlcat(ret, prf_name, len) >= len) { 1520 assert(0); 1521 OPENSSL_free(ret); 1522 return NULL; 1523 } 1524 assert(strlen(ret) + 1 == len); 1525 return ret; 1526 } 1527 1528 int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *out_alg_bits) { 1529 if (cipher == NULL) { 1530 return 0; 1531 } 1532 1533 if (out_alg_bits != NULL) { 1534 *out_alg_bits = cipher->alg_bits; 1535 } 1536 return cipher->strength_bits; 1537 } 1538 1539 const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, 1540 int len) { 1541 const char *ver; 1542 const char *kx, *au, *enc, *mac; 1543 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl; 1544 static const char *format = "%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n"; 1545 1546 alg_mkey = cipher->algorithm_mkey; 1547 alg_auth = cipher->algorithm_auth; 1548 alg_enc = cipher->algorithm_enc; 1549 alg_mac = cipher->algorithm_mac; 1550 alg_ssl = cipher->algorithm_ssl; 1551 1552 if (alg_ssl & SSL_SSLV3) { 1553 ver = "SSLv3"; 1554 } else if (alg_ssl & SSL_TLSV1_2) { 1555 ver = "TLSv1.2"; 1556 } else { 1557 ver = "unknown"; 1558 } 1559 1560 switch (alg_mkey) { 1561 case SSL_kRSA: 1562 kx = "RSA"; 1563 break; 1564 1565 case SSL_kDHE: 1566 kx = "DH"; 1567 break; 1568 1569 case SSL_kECDHE: 1570 kx = "ECDH"; 1571 break; 1572 1573 case SSL_kPSK: 1574 kx = "PSK"; 1575 break; 1576 1577 default: 1578 kx = "unknown"; 1579 } 1580 1581 switch (alg_auth) { 1582 case SSL_aRSA: 1583 au = "RSA"; 1584 break; 1585 1586 case SSL_aECDSA: 1587 au = "ECDSA"; 1588 break; 1589 1590 case SSL_aPSK: 1591 au = "PSK"; 1592 break; 1593 1594 default: 1595 au = "unknown"; 1596 break; 1597 } 1598 1599 switch (alg_enc) { 1600 case SSL_3DES: 1601 enc = "3DES(168)"; 1602 break; 1603 1604 case SSL_RC4: 1605 enc = "RC4(128)"; 1606 break; 1607 1608 case SSL_AES128: 1609 enc = "AES(128)"; 1610 break; 1611 1612 case SSL_AES256: 1613 enc = "AES(256)"; 1614 break; 1615 1616 case SSL_AES128GCM: 1617 enc = "AESGCM(128)"; 1618 break; 1619 1620 case SSL_AES256GCM: 1621 enc = "AESGCM(256)"; 1622 break; 1623 1624 case SSL_CHACHA20POLY1305: 1625 enc = "ChaCha20-Poly1305"; 1626 break; 1627 1628 default: 1629 enc = "unknown"; 1630 break; 1631 } 1632 1633 switch (alg_mac) { 1634 case SSL_MD5: 1635 mac = "MD5"; 1636 break; 1637 1638 case SSL_SHA1: 1639 mac = "SHA1"; 1640 break; 1641 1642 case SSL_SHA256: 1643 mac = "SHA256"; 1644 break; 1645 1646 case SSL_SHA384: 1647 mac = "SHA384"; 1648 break; 1649 1650 case SSL_AEAD: 1651 mac = "AEAD"; 1652 break; 1653 1654 default: 1655 mac = "unknown"; 1656 break; 1657 } 1658 1659 if (buf == NULL) { 1660 len = 128; 1661 buf = OPENSSL_malloc(len); 1662 if (buf == NULL) { 1663 return NULL; 1664 } 1665 } else if (len < 128) { 1666 return "Buffer too small"; 1667 } 1668 1669 BIO_snprintf(buf, len, format, cipher->name, ver, kx, au, enc, mac); 1670 return buf; 1671 } 1672 1673 const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher) { 1674 return "TLSv1/SSLv3"; 1675 } 1676 1677 void *SSL_COMP_get_compression_methods(void) { return NULL; } 1678 1679 int SSL_COMP_add_compression_method(int id, void *cm) { return 1; } 1680 1681 const char *SSL_COMP_get_name(const void *comp) { return NULL; } 1682 1683 int ssl_cipher_get_cert_index(const SSL_CIPHER *cipher) { 1684 uint32_t alg_a = cipher->algorithm_auth; 1685 1686 if (alg_a & SSL_aECDSA) { 1687 return SSL_PKEY_ECC; 1688 } else if (alg_a & SSL_aRSA) { 1689 return SSL_PKEY_RSA_ENC; 1690 } 1691 1692 return -1; 1693 } 1694 1695 int ssl_cipher_has_server_public_key(const SSL_CIPHER *cipher) { 1696 /* PSK-authenticated ciphers do not use a public key, except for 1697 * RSA_PSK. */ 1698 if ((cipher->algorithm_auth & SSL_aPSK) && 1699 !(cipher->algorithm_mkey & SSL_kRSA)) { 1700 return 0; 1701 } 1702 1703 /* All other ciphers include it. */ 1704 return 1; 1705 } 1706 1707 int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) { 1708 /* Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. */ 1709 if (cipher->algorithm_mkey & SSL_kDHE || cipher->algorithm_mkey & SSL_kECDHE) { 1710 return 1; 1711 } 1712 1713 /* It is optional in all others. */ 1714 return 0; 1715 } 1716