1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] 56 */ 57 /* ==================================================================== 58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 59 * 60 * Redistribution and use in source and binary forms, with or without 61 * modification, are permitted provided that the following conditions 62 * are met: 63 * 64 * 1. Redistributions of source code must retain the above copyright 65 * notice, this list of conditions and the following disclaimer. 66 * 67 * 2. Redistributions in binary form must reproduce the above copyright 68 * notice, this list of conditions and the following disclaimer in 69 * the documentation and/or other materials provided with the 70 * distribution. 71 * 72 * 3. All advertising materials mentioning features or use of this 73 * software must display the following acknowledgment: 74 * "This product includes software developed by the OpenSSL Project 75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 76 * 77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 78 * endorse or promote products derived from this software without 79 * prior written permission. For written permission, please contact 80 * openssl-core (at) openssl.org. 81 * 82 * 5. Products derived from this software may not be called "OpenSSL" 83 * nor may "OpenSSL" appear in their names without prior written 84 * permission of the OpenSSL Project. 85 * 86 * 6. Redistributions of any form whatsoever must retain the following 87 * acknowledgment: 88 * "This product includes software developed by the OpenSSL Project 89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 90 * 91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 102 * OF THE POSSIBILITY OF SUCH DAMAGE. 103 * ==================================================================== 104 * 105 * This product includes cryptographic software written by Eric Young 106 * (eay (at) cryptsoft.com). This product includes software written by Tim 107 * Hudson (tjh (at) cryptsoft.com). 108 * 109 */ 110 /* ==================================================================== 111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 112 * ECC cipher suite support in OpenSSL originally developed by 113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 114 */ 115 /* ==================================================================== 116 * Copyright 2005 Nokia. All rights reserved. 117 * 118 * The portions of the attached software ("Contribution") is developed by 119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 120 * license. 121 * 122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 124 * support (see RFC 4279) to OpenSSL. 125 * 126 * No patent licenses or other rights except those expressly stated in 127 * the OpenSSL open source license shall be deemed granted or received 128 * expressly, by implication, estoppel, or otherwise. 129 * 130 * No assurances are provided by Nokia that the Contribution does not 131 * infringe the patent or other intellectual property rights of any third 132 * party or that the license provides you with all the necessary rights 133 * to make use of the Contribution. 134 * 135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 139 * OTHERWISE. */ 140 141 #include <openssl/ssl.h> 142 143 #include <assert.h> 144 #include <stdio.h> 145 #include <string.h> 146 147 #include <openssl/buf.h> 148 #include <openssl/err.h> 149 #include <openssl/md5.h> 150 #include <openssl/mem.h> 151 #include <openssl/sha.h> 152 #include <openssl/stack.h> 153 154 #include "internal.h" 155 156 157 /* kCiphers is an array of all supported ciphers, sorted by id. */ 158 static const SSL_CIPHER kCiphers[] = { 159 /* The RSA ciphers */ 160 /* Cipher 02 */ 161 { 162 SSL3_TXT_RSA_NULL_SHA, 163 SSL3_CK_RSA_NULL_SHA, 164 SSL_kRSA, 165 SSL_aRSA, 166 SSL_eNULL, 167 SSL_SHA1, 168 SSL_HANDSHAKE_MAC_DEFAULT, 169 }, 170 171 /* Cipher 04 */ 172 { 173 SSL3_TXT_RSA_RC4_128_MD5, 174 SSL3_CK_RSA_RC4_128_MD5, 175 SSL_kRSA, 176 SSL_aRSA, 177 SSL_RC4, 178 SSL_MD5, 179 SSL_HANDSHAKE_MAC_DEFAULT, 180 }, 181 182 /* Cipher 05 */ 183 { 184 SSL3_TXT_RSA_RC4_128_SHA, 185 SSL3_CK_RSA_RC4_128_SHA, 186 SSL_kRSA, 187 SSL_aRSA, 188 SSL_RC4, 189 SSL_SHA1, 190 SSL_HANDSHAKE_MAC_DEFAULT, 191 }, 192 193 /* Cipher 0A */ 194 { 195 SSL3_TXT_RSA_DES_192_CBC3_SHA, 196 SSL3_CK_RSA_DES_192_CBC3_SHA, 197 SSL_kRSA, 198 SSL_aRSA, 199 SSL_3DES, 200 SSL_SHA1, 201 SSL_HANDSHAKE_MAC_DEFAULT, 202 }, 203 204 205 /* New AES ciphersuites */ 206 207 /* Cipher 2F */ 208 { 209 TLS1_TXT_RSA_WITH_AES_128_SHA, 210 TLS1_CK_RSA_WITH_AES_128_SHA, 211 SSL_kRSA, 212 SSL_aRSA, 213 SSL_AES128, 214 SSL_SHA1, 215 SSL_HANDSHAKE_MAC_DEFAULT, 216 }, 217 218 /* Cipher 33 */ 219 { 220 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, 221 TLS1_CK_DHE_RSA_WITH_AES_128_SHA, 222 SSL_kDHE, 223 SSL_aRSA, 224 SSL_AES128, 225 SSL_SHA1, 226 SSL_HANDSHAKE_MAC_DEFAULT, 227 }, 228 229 /* Cipher 35 */ 230 { 231 TLS1_TXT_RSA_WITH_AES_256_SHA, 232 TLS1_CK_RSA_WITH_AES_256_SHA, 233 SSL_kRSA, 234 SSL_aRSA, 235 SSL_AES256, 236 SSL_SHA1, 237 SSL_HANDSHAKE_MAC_DEFAULT, 238 }, 239 240 /* Cipher 39 */ 241 { 242 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, 243 TLS1_CK_DHE_RSA_WITH_AES_256_SHA, 244 SSL_kDHE, 245 SSL_aRSA, 246 SSL_AES256, 247 SSL_SHA1, 248 SSL_HANDSHAKE_MAC_DEFAULT, 249 }, 250 251 252 /* TLS v1.2 ciphersuites */ 253 254 /* Cipher 3C */ 255 { 256 TLS1_TXT_RSA_WITH_AES_128_SHA256, 257 TLS1_CK_RSA_WITH_AES_128_SHA256, 258 SSL_kRSA, 259 SSL_aRSA, 260 SSL_AES128, 261 SSL_SHA256, 262 SSL_HANDSHAKE_MAC_SHA256, 263 }, 264 265 /* Cipher 3D */ 266 { 267 TLS1_TXT_RSA_WITH_AES_256_SHA256, 268 TLS1_CK_RSA_WITH_AES_256_SHA256, 269 SSL_kRSA, 270 SSL_aRSA, 271 SSL_AES256, 272 SSL_SHA256, 273 SSL_HANDSHAKE_MAC_SHA256, 274 }, 275 276 /* Cipher 67 */ 277 { 278 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256, 279 TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, 280 SSL_kDHE, 281 SSL_aRSA, 282 SSL_AES128, 283 SSL_SHA256, 284 SSL_HANDSHAKE_MAC_SHA256, 285 }, 286 287 /* Cipher 6B */ 288 { 289 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256, 290 TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, 291 SSL_kDHE, 292 SSL_aRSA, 293 SSL_AES256, 294 SSL_SHA256, 295 SSL_HANDSHAKE_MAC_SHA256, 296 }, 297 298 /* PSK cipher suites. */ 299 300 /* Cipher 8A */ 301 { 302 TLS1_TXT_PSK_WITH_RC4_128_SHA, 303 TLS1_CK_PSK_WITH_RC4_128_SHA, 304 SSL_kPSK, 305 SSL_aPSK, 306 SSL_RC4, 307 SSL_SHA1, 308 SSL_HANDSHAKE_MAC_DEFAULT, 309 }, 310 311 /* Cipher 8C */ 312 { 313 TLS1_TXT_PSK_WITH_AES_128_CBC_SHA, 314 TLS1_CK_PSK_WITH_AES_128_CBC_SHA, 315 SSL_kPSK, 316 SSL_aPSK, 317 SSL_AES128, 318 SSL_SHA1, 319 SSL_HANDSHAKE_MAC_DEFAULT, 320 }, 321 322 /* Cipher 8D */ 323 { 324 TLS1_TXT_PSK_WITH_AES_256_CBC_SHA, 325 TLS1_CK_PSK_WITH_AES_256_CBC_SHA, 326 SSL_kPSK, 327 SSL_aPSK, 328 SSL_AES256, 329 SSL_SHA1, 330 SSL_HANDSHAKE_MAC_DEFAULT, 331 }, 332 333 /* GCM ciphersuites from RFC5288 */ 334 335 /* Cipher 9C */ 336 { 337 TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256, 338 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 339 SSL_kRSA, 340 SSL_aRSA, 341 SSL_AES128GCM, 342 SSL_AEAD, 343 SSL_HANDSHAKE_MAC_SHA256, 344 }, 345 346 /* Cipher 9D */ 347 { 348 TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384, 349 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, 350 SSL_kRSA, 351 SSL_aRSA, 352 SSL_AES256GCM, 353 SSL_AEAD, 354 SSL_HANDSHAKE_MAC_SHA384, 355 }, 356 357 /* Cipher 9E */ 358 { 359 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256, 360 TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, 361 SSL_kDHE, 362 SSL_aRSA, 363 SSL_AES128GCM, 364 SSL_AEAD, 365 SSL_HANDSHAKE_MAC_SHA256, 366 }, 367 368 /* Cipher 9F */ 369 { 370 TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384, 371 TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, 372 SSL_kDHE, 373 SSL_aRSA, 374 SSL_AES256GCM, 375 SSL_AEAD, 376 SSL_HANDSHAKE_MAC_SHA384, 377 }, 378 379 /* Cipher C007 */ 380 { 381 TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA, 382 TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, 383 SSL_kECDHE, 384 SSL_aECDSA, 385 SSL_RC4, 386 SSL_SHA1, 387 SSL_HANDSHAKE_MAC_DEFAULT, 388 }, 389 390 /* Cipher C009 */ 391 { 392 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 393 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 394 SSL_kECDHE, 395 SSL_aECDSA, 396 SSL_AES128, 397 SSL_SHA1, 398 SSL_HANDSHAKE_MAC_DEFAULT, 399 }, 400 401 /* Cipher C00A */ 402 { 403 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 404 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 405 SSL_kECDHE, 406 SSL_aECDSA, 407 SSL_AES256, 408 SSL_SHA1, 409 SSL_HANDSHAKE_MAC_DEFAULT, 410 }, 411 412 /* Cipher C011 */ 413 { 414 TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, 415 TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, 416 SSL_kECDHE, 417 SSL_aRSA, 418 SSL_RC4, 419 SSL_SHA1, 420 SSL_HANDSHAKE_MAC_DEFAULT, 421 }, 422 423 /* Cipher C013 */ 424 { 425 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, 426 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 427 SSL_kECDHE, 428 SSL_aRSA, 429 SSL_AES128, 430 SSL_SHA1, 431 SSL_HANDSHAKE_MAC_DEFAULT, 432 }, 433 434 /* Cipher C014 */ 435 { 436 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, 437 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 438 SSL_kECDHE, 439 SSL_aRSA, 440 SSL_AES256, 441 SSL_SHA1, 442 SSL_HANDSHAKE_MAC_DEFAULT, 443 }, 444 445 446 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */ 447 448 /* Cipher C023 */ 449 { 450 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256, 451 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, 452 SSL_kECDHE, 453 SSL_aECDSA, 454 SSL_AES128, 455 SSL_SHA256, 456 SSL_HANDSHAKE_MAC_SHA256, 457 }, 458 459 /* Cipher C024 */ 460 { 461 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384, 462 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, 463 SSL_kECDHE, 464 SSL_aECDSA, 465 SSL_AES256, 466 SSL_SHA384, 467 SSL_HANDSHAKE_MAC_SHA384, 468 }, 469 470 /* Cipher C027 */ 471 { 472 TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256, 473 TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, 474 SSL_kECDHE, 475 SSL_aRSA, 476 SSL_AES128, 477 SSL_SHA256, 478 SSL_HANDSHAKE_MAC_SHA256, 479 }, 480 481 /* Cipher C028 */ 482 { 483 TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384, 484 TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, 485 SSL_kECDHE, 486 SSL_aRSA, 487 SSL_AES256, 488 SSL_SHA384, 489 SSL_HANDSHAKE_MAC_SHA384, 490 }, 491 492 493 /* GCM based TLS v1.2 ciphersuites from RFC5289 */ 494 495 /* Cipher C02B */ 496 { 497 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 498 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 499 SSL_kECDHE, 500 SSL_aECDSA, 501 SSL_AES128GCM, 502 SSL_AEAD, 503 SSL_HANDSHAKE_MAC_SHA256, 504 }, 505 506 /* Cipher C02C */ 507 { 508 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 509 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 510 SSL_kECDHE, 511 SSL_aECDSA, 512 SSL_AES256GCM, 513 SSL_AEAD, 514 SSL_HANDSHAKE_MAC_SHA384, 515 }, 516 517 /* Cipher C02F */ 518 { 519 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 520 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 521 SSL_kECDHE, 522 SSL_aRSA, 523 SSL_AES128GCM, 524 SSL_AEAD, 525 SSL_HANDSHAKE_MAC_SHA256, 526 }, 527 528 /* Cipher C030 */ 529 { 530 TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 531 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 532 SSL_kECDHE, 533 SSL_aRSA, 534 SSL_AES256GCM, 535 SSL_AEAD, 536 SSL_HANDSHAKE_MAC_SHA384, 537 }, 538 539 /* ECDHE-PSK cipher suites. */ 540 541 /* Cipher C035 */ 542 { 543 TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA, 544 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA, 545 SSL_kECDHE, 546 SSL_aPSK, 547 SSL_AES128, 548 SSL_SHA1, 549 SSL_HANDSHAKE_MAC_DEFAULT, 550 }, 551 552 /* Cipher C036 */ 553 { 554 TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA, 555 TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA, 556 SSL_kECDHE, 557 SSL_aPSK, 558 SSL_AES256, 559 SSL_SHA1, 560 SSL_HANDSHAKE_MAC_DEFAULT, 561 }, 562 563 /* ChaCha20-Poly1305 cipher suites. */ 564 565 #if !defined(BORINGSSL_ANDROID_SYSTEM) 566 { 567 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_OLD, 568 TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD, 569 SSL_kECDHE, 570 SSL_aRSA, 571 SSL_CHACHA20POLY1305_OLD, 572 SSL_AEAD, 573 SSL_HANDSHAKE_MAC_SHA256, 574 }, 575 576 { 577 TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_OLD, 578 TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD, 579 SSL_kECDHE, 580 SSL_aECDSA, 581 SSL_CHACHA20POLY1305_OLD, 582 SSL_AEAD, 583 SSL_HANDSHAKE_MAC_SHA256, 584 }, 585 #endif 586 587 /* Cipher CCA8 */ 588 { 589 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 590 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 591 SSL_kECDHE, 592 SSL_aRSA, 593 SSL_CHACHA20POLY1305, 594 SSL_AEAD, 595 SSL_HANDSHAKE_MAC_SHA256, 596 }, 597 598 /* Cipher CCA9 */ 599 { 600 TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 601 TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 602 SSL_kECDHE, 603 SSL_aECDSA, 604 SSL_CHACHA20POLY1305, 605 SSL_AEAD, 606 SSL_HANDSHAKE_MAC_SHA256, 607 }, 608 609 /* Cipher CCAB */ 610 { 611 TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256, 612 TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256, 613 SSL_kECDHE, 614 SSL_aPSK, 615 SSL_CHACHA20POLY1305, 616 SSL_AEAD, 617 SSL_HANDSHAKE_MAC_SHA256, 618 }, 619 }; 620 621 static const size_t kCiphersLen = sizeof(kCiphers) / sizeof(kCiphers[0]); 622 623 #define CIPHER_ADD 1 624 #define CIPHER_KILL 2 625 #define CIPHER_DEL 3 626 #define CIPHER_ORD 4 627 #define CIPHER_SPECIAL 5 628 629 typedef struct cipher_order_st { 630 const SSL_CIPHER *cipher; 631 int active; 632 int in_group; 633 struct cipher_order_st *next, *prev; 634 } CIPHER_ORDER; 635 636 typedef struct cipher_alias_st { 637 /* name is the name of the cipher alias. */ 638 const char *name; 639 640 /* The following fields are bitmasks for the corresponding fields on 641 * |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the 642 * bit corresponding to the cipher's value is set to 1. If any bitmask is 643 * all zeroes, the alias matches nothing. Use |~0u| for the default value. */ 644 uint32_t algorithm_mkey; 645 uint32_t algorithm_auth; 646 uint32_t algorithm_enc; 647 uint32_t algorithm_mac; 648 649 /* min_version, if non-zero, matches all ciphers which were added in that 650 * particular protocol version. */ 651 uint16_t min_version; 652 } CIPHER_ALIAS; 653 654 static const CIPHER_ALIAS kCipherAliases[] = { 655 /* "ALL" doesn't include eNULL (must be specifically enabled) */ 656 {"ALL", ~0u, ~0u, ~SSL_eNULL, ~0u, 0}, 657 658 /* The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. */ 659 660 /* key exchange aliases 661 * (some of those using only a single bit here combine 662 * multiple key exchange algs according to the RFCs, 663 * e.g. kEDH combines DHE_DSS and DHE_RSA) */ 664 {"kRSA", SSL_kRSA, ~0u, ~0u, ~0u, 0}, 665 666 {"kDHE", SSL_kDHE, ~0u, ~0u, ~0u, 0}, 667 {"kEDH", SSL_kDHE, ~0u, ~0u, ~0u, 0}, 668 {"DH", SSL_kDHE, ~0u, ~0u, ~0u, 0}, 669 670 {"kECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, 671 {"kEECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, 672 {"ECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, 673 674 {"kPSK", SSL_kPSK, ~0u, ~0u, ~0u, 0}, 675 676 /* server authentication aliases */ 677 {"aRSA", ~0u, SSL_aRSA, ~SSL_eNULL, ~0u, 0}, 678 {"aECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0}, 679 {"ECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0}, 680 {"aPSK", ~0u, SSL_aPSK, ~0u, ~0u, 0}, 681 682 /* aliases combining key exchange and server authentication */ 683 {"DHE", SSL_kDHE, ~0u, ~0u, ~0u, 0}, 684 {"EDH", SSL_kDHE, ~0u, ~0u, ~0u, 0}, 685 {"ECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, 686 {"EECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, 687 {"RSA", SSL_kRSA, SSL_aRSA, ~SSL_eNULL, ~0u, 0}, 688 {"PSK", SSL_kPSK, SSL_aPSK, ~0u, ~0u, 0}, 689 690 /* symmetric encryption aliases */ 691 {"3DES", ~0u, ~0u, SSL_3DES, ~0u, 0}, 692 {"RC4", ~0u, ~0u, SSL_RC4, ~0u, 0}, 693 {"AES128", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0}, 694 {"AES256", ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0}, 695 {"AES", ~0u, ~0u, SSL_AES, ~0u, 0}, 696 {"AESGCM", ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0}, 697 {"CHACHA20", ~0u, ~0u, SSL_CHACHA20POLY1305 | SSL_CHACHA20POLY1305_OLD, ~0u, 698 0}, 699 700 /* MAC aliases */ 701 {"MD5", ~0u, ~0u, ~0u, SSL_MD5, 0}, 702 {"SHA1", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0}, 703 {"SHA", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0}, 704 {"SHA256", ~0u, ~0u, ~0u, SSL_SHA256, 0}, 705 {"SHA384", ~0u, ~0u, ~0u, SSL_SHA384, 0}, 706 707 /* Legacy protocol minimum version aliases. "TLSv1" is intentionally the 708 * same as "SSLv3". */ 709 {"SSLv3", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION}, 710 {"TLSv1", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION}, 711 {"TLSv1.2", ~0u, ~0u, ~SSL_eNULL, ~0u, TLS1_2_VERSION}, 712 713 /* Legacy strength classes. */ 714 {"MEDIUM", ~0u, ~0u, SSL_RC4, ~0u, 0}, 715 {"HIGH", ~0u, ~0u, ~(SSL_eNULL|SSL_RC4), ~0u, 0}, 716 {"FIPS", ~0u, ~0u, ~(SSL_eNULL|SSL_RC4), ~0u, 0}, 717 }; 718 719 static const size_t kCipherAliasesLen = 720 sizeof(kCipherAliases) / sizeof(kCipherAliases[0]); 721 722 static int ssl_cipher_id_cmp(const void *in_a, const void *in_b) { 723 const SSL_CIPHER *a = in_a; 724 const SSL_CIPHER *b = in_b; 725 726 if (a->id > b->id) { 727 return 1; 728 } else if (a->id < b->id) { 729 return -1; 730 } else { 731 return 0; 732 } 733 } 734 735 static int ssl_cipher_ptr_id_cmp(const SSL_CIPHER **a, const SSL_CIPHER **b) { 736 return ssl_cipher_id_cmp(*a, *b); 737 } 738 739 const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value) { 740 SSL_CIPHER c; 741 742 c.id = 0x03000000L | value; 743 return bsearch(&c, kCiphers, kCiphersLen, sizeof(SSL_CIPHER), 744 ssl_cipher_id_cmp); 745 } 746 747 int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead, 748 size_t *out_mac_secret_len, 749 size_t *out_fixed_iv_len, 750 const SSL_CIPHER *cipher, uint16_t version) { 751 *out_aead = NULL; 752 *out_mac_secret_len = 0; 753 *out_fixed_iv_len = 0; 754 755 switch (cipher->algorithm_enc) { 756 case SSL_AES128GCM: 757 *out_aead = EVP_aead_aes_128_gcm(); 758 *out_fixed_iv_len = 4; 759 return 1; 760 761 case SSL_AES256GCM: 762 *out_aead = EVP_aead_aes_256_gcm(); 763 *out_fixed_iv_len = 4; 764 return 1; 765 766 #if !defined(BORINGSSL_ANDROID_SYSTEM) 767 case SSL_CHACHA20POLY1305_OLD: 768 *out_aead = EVP_aead_chacha20_poly1305_old(); 769 *out_fixed_iv_len = 0; 770 return 1; 771 #endif 772 773 case SSL_CHACHA20POLY1305: 774 *out_aead = EVP_aead_chacha20_poly1305(); 775 *out_fixed_iv_len = 12; 776 return 1; 777 778 case SSL_RC4: 779 switch (cipher->algorithm_mac) { 780 case SSL_MD5: 781 if (version == SSL3_VERSION) { 782 *out_aead = EVP_aead_rc4_md5_ssl3(); 783 } else { 784 *out_aead = EVP_aead_rc4_md5_tls(); 785 } 786 *out_mac_secret_len = MD5_DIGEST_LENGTH; 787 return 1; 788 case SSL_SHA1: 789 if (version == SSL3_VERSION) { 790 *out_aead = EVP_aead_rc4_sha1_ssl3(); 791 } else { 792 *out_aead = EVP_aead_rc4_sha1_tls(); 793 } 794 *out_mac_secret_len = SHA_DIGEST_LENGTH; 795 return 1; 796 default: 797 return 0; 798 } 799 800 case SSL_AES128: 801 switch (cipher->algorithm_mac) { 802 case SSL_SHA1: 803 if (version == SSL3_VERSION) { 804 *out_aead = EVP_aead_aes_128_cbc_sha1_ssl3(); 805 *out_fixed_iv_len = 16; 806 } else if (version == TLS1_VERSION) { 807 *out_aead = EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(); 808 *out_fixed_iv_len = 16; 809 } else { 810 *out_aead = EVP_aead_aes_128_cbc_sha1_tls(); 811 } 812 *out_mac_secret_len = SHA_DIGEST_LENGTH; 813 return 1; 814 case SSL_SHA256: 815 *out_aead = EVP_aead_aes_128_cbc_sha256_tls(); 816 *out_mac_secret_len = SHA256_DIGEST_LENGTH; 817 return 1; 818 default: 819 return 0; 820 } 821 822 case SSL_AES256: 823 switch (cipher->algorithm_mac) { 824 case SSL_SHA1: 825 if (version == SSL3_VERSION) { 826 *out_aead = EVP_aead_aes_256_cbc_sha1_ssl3(); 827 *out_fixed_iv_len = 16; 828 } else if (version == TLS1_VERSION) { 829 *out_aead = EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(); 830 *out_fixed_iv_len = 16; 831 } else { 832 *out_aead = EVP_aead_aes_256_cbc_sha1_tls(); 833 } 834 *out_mac_secret_len = SHA_DIGEST_LENGTH; 835 return 1; 836 case SSL_SHA256: 837 *out_aead = EVP_aead_aes_256_cbc_sha256_tls(); 838 *out_mac_secret_len = SHA256_DIGEST_LENGTH; 839 return 1; 840 case SSL_SHA384: 841 *out_aead = EVP_aead_aes_256_cbc_sha384_tls(); 842 *out_mac_secret_len = SHA384_DIGEST_LENGTH; 843 return 1; 844 default: 845 return 0; 846 } 847 848 case SSL_3DES: 849 switch (cipher->algorithm_mac) { 850 case SSL_SHA1: 851 if (version == SSL3_VERSION) { 852 *out_aead = EVP_aead_des_ede3_cbc_sha1_ssl3(); 853 *out_fixed_iv_len = 8; 854 } else if (version == TLS1_VERSION) { 855 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(); 856 *out_fixed_iv_len = 8; 857 } else { 858 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls(); 859 } 860 *out_mac_secret_len = SHA_DIGEST_LENGTH; 861 return 1; 862 default: 863 return 0; 864 } 865 866 case SSL_eNULL: 867 switch (cipher->algorithm_mac) { 868 case SSL_SHA1: 869 if (version == SSL3_VERSION) { 870 *out_aead = EVP_aead_null_sha1_ssl3(); 871 } else { 872 *out_aead = EVP_aead_null_sha1_tls(); 873 } 874 *out_mac_secret_len = SHA_DIGEST_LENGTH; 875 return 1; 876 default: 877 return 0; 878 } 879 880 default: 881 return 0; 882 } 883 } 884 885 const EVP_MD *ssl_get_handshake_digest(uint32_t algorithm_prf) { 886 switch (algorithm_prf) { 887 case SSL_HANDSHAKE_MAC_DEFAULT: 888 return EVP_sha1(); 889 case SSL_HANDSHAKE_MAC_SHA256: 890 return EVP_sha256(); 891 case SSL_HANDSHAKE_MAC_SHA384: 892 return EVP_sha384(); 893 default: 894 return NULL; 895 } 896 } 897 898 #define ITEM_SEP(a) \ 899 (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ',')) 900 901 /* rule_equals returns one iff the NUL-terminated string |rule| is equal to the 902 * |buf_len| bytes at |buf|. */ 903 static int rule_equals(const char *rule, const char *buf, size_t buf_len) { 904 /* |strncmp| alone only checks that |buf| is a prefix of |rule|. */ 905 return strncmp(rule, buf, buf_len) == 0 && rule[buf_len] == '\0'; 906 } 907 908 static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr, 909 CIPHER_ORDER **tail) { 910 if (curr == *tail) { 911 return; 912 } 913 if (curr == *head) { 914 *head = curr->next; 915 } 916 if (curr->prev != NULL) { 917 curr->prev->next = curr->next; 918 } 919 if (curr->next != NULL) { 920 curr->next->prev = curr->prev; 921 } 922 (*tail)->next = curr; 923 curr->prev = *tail; 924 curr->next = NULL; 925 *tail = curr; 926 } 927 928 static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr, 929 CIPHER_ORDER **tail) { 930 if (curr == *head) { 931 return; 932 } 933 if (curr == *tail) { 934 *tail = curr->prev; 935 } 936 if (curr->next != NULL) { 937 curr->next->prev = curr->prev; 938 } 939 if (curr->prev != NULL) { 940 curr->prev->next = curr->next; 941 } 942 (*head)->prev = curr; 943 curr->next = *head; 944 curr->prev = NULL; 945 *head = curr; 946 } 947 948 static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method, 949 CIPHER_ORDER *co_list, 950 CIPHER_ORDER **head_p, 951 CIPHER_ORDER **tail_p) { 952 /* The set of ciphers is static, but some subset may be unsupported by 953 * |ssl_method|, so the list may be smaller. */ 954 size_t co_list_num = 0; 955 size_t i; 956 for (i = 0; i < kCiphersLen; i++) { 957 const SSL_CIPHER *cipher = &kCiphers[i]; 958 if (ssl_method->supports_cipher(cipher)) { 959 co_list[co_list_num].cipher = cipher; 960 co_list[co_list_num].next = NULL; 961 co_list[co_list_num].prev = NULL; 962 co_list[co_list_num].active = 0; 963 co_list[co_list_num].in_group = 0; 964 co_list_num++; 965 } 966 } 967 968 /* Prepare linked list from list entries. */ 969 if (co_list_num > 0) { 970 co_list[0].prev = NULL; 971 972 if (co_list_num > 1) { 973 co_list[0].next = &co_list[1]; 974 975 for (i = 1; i < co_list_num - 1; i++) { 976 co_list[i].prev = &co_list[i - 1]; 977 co_list[i].next = &co_list[i + 1]; 978 } 979 980 co_list[co_list_num - 1].prev = &co_list[co_list_num - 2]; 981 } 982 983 co_list[co_list_num - 1].next = NULL; 984 985 *head_p = &co_list[0]; 986 *tail_p = &co_list[co_list_num - 1]; 987 } 988 } 989 990 /* ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its 991 * parameters in the linked list from |*head_p| to |*tail_p|. It writes the new 992 * head and tail of the list to |*head_p| and |*tail_p|, respectively. 993 * 994 * - If |cipher_id| is non-zero, only that cipher is selected. 995 * - Otherwise, if |strength_bits| is non-negative, it selects ciphers 996 * of that strength. 997 * - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and 998 * |min_version|. */ 999 static void ssl_cipher_apply_rule( 1000 uint32_t cipher_id, uint32_t alg_mkey, uint32_t alg_auth, 1001 uint32_t alg_enc, uint32_t alg_mac, uint16_t min_version, int rule, 1002 int strength_bits, int in_group, CIPHER_ORDER **head_p, 1003 CIPHER_ORDER **tail_p) { 1004 CIPHER_ORDER *head, *tail, *curr, *next, *last; 1005 const SSL_CIPHER *cp; 1006 int reverse = 0; 1007 1008 if (cipher_id == 0 && strength_bits == -1 && min_version == 0 && 1009 (alg_mkey == 0 || alg_auth == 0 || alg_enc == 0 || alg_mac == 0)) { 1010 /* The rule matches nothing, so bail early. */ 1011 return; 1012 } 1013 1014 if (rule == CIPHER_DEL) { 1015 /* needed to maintain sorting between currently deleted ciphers */ 1016 reverse = 1; 1017 } 1018 1019 head = *head_p; 1020 tail = *tail_p; 1021 1022 if (reverse) { 1023 next = tail; 1024 last = head; 1025 } else { 1026 next = head; 1027 last = tail; 1028 } 1029 1030 curr = NULL; 1031 for (;;) { 1032 if (curr == last) { 1033 break; 1034 } 1035 1036 curr = next; 1037 if (curr == NULL) { 1038 break; 1039 } 1040 1041 next = reverse ? curr->prev : curr->next; 1042 cp = curr->cipher; 1043 1044 /* Selection criteria is either a specific cipher, the value of 1045 * |strength_bits|, or the algorithms used. */ 1046 if (cipher_id != 0) { 1047 if (cipher_id != cp->id) { 1048 continue; 1049 } 1050 } else if (strength_bits >= 0) { 1051 if (strength_bits != SSL_CIPHER_get_bits(cp, NULL)) { 1052 continue; 1053 } 1054 } else if (!(alg_mkey & cp->algorithm_mkey) || 1055 !(alg_auth & cp->algorithm_auth) || 1056 !(alg_enc & cp->algorithm_enc) || 1057 !(alg_mac & cp->algorithm_mac) || 1058 (min_version != 0 && 1059 SSL_CIPHER_get_min_version(cp) != min_version)) { 1060 continue; 1061 } 1062 1063 /* add the cipher if it has not been added yet. */ 1064 if (rule == CIPHER_ADD) { 1065 /* reverse == 0 */ 1066 if (!curr->active) { 1067 ll_append_tail(&head, curr, &tail); 1068 curr->active = 1; 1069 curr->in_group = in_group; 1070 } 1071 } 1072 1073 /* Move the added cipher to this location */ 1074 else if (rule == CIPHER_ORD) { 1075 /* reverse == 0 */ 1076 if (curr->active) { 1077 ll_append_tail(&head, curr, &tail); 1078 curr->in_group = 0; 1079 } 1080 } else if (rule == CIPHER_DEL) { 1081 /* reverse == 1 */ 1082 if (curr->active) { 1083 /* most recently deleted ciphersuites get best positions 1084 * for any future CIPHER_ADD (note that the CIPHER_DEL loop 1085 * works in reverse to maintain the order) */ 1086 ll_append_head(&head, curr, &tail); 1087 curr->active = 0; 1088 curr->in_group = 0; 1089 } 1090 } else if (rule == CIPHER_KILL) { 1091 /* reverse == 0 */ 1092 if (head == curr) { 1093 head = curr->next; 1094 } else { 1095 curr->prev->next = curr->next; 1096 } 1097 1098 if (tail == curr) { 1099 tail = curr->prev; 1100 } 1101 curr->active = 0; 1102 if (curr->next != NULL) { 1103 curr->next->prev = curr->prev; 1104 } 1105 if (curr->prev != NULL) { 1106 curr->prev->next = curr->next; 1107 } 1108 curr->next = NULL; 1109 curr->prev = NULL; 1110 } 1111 } 1112 1113 *head_p = head; 1114 *tail_p = tail; 1115 } 1116 1117 static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p, 1118 CIPHER_ORDER **tail_p) { 1119 int max_strength_bits, i, *number_uses; 1120 CIPHER_ORDER *curr; 1121 1122 /* This routine sorts the ciphers with descending strength. The sorting must 1123 * keep the pre-sorted sequence, so we apply the normal sorting routine as 1124 * '+' movement to the end of the list. */ 1125 max_strength_bits = 0; 1126 curr = *head_p; 1127 while (curr != NULL) { 1128 if (curr->active && 1129 SSL_CIPHER_get_bits(curr->cipher, NULL) > max_strength_bits) { 1130 max_strength_bits = SSL_CIPHER_get_bits(curr->cipher, NULL); 1131 } 1132 curr = curr->next; 1133 } 1134 1135 number_uses = OPENSSL_malloc((max_strength_bits + 1) * sizeof(int)); 1136 if (!number_uses) { 1137 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 1138 return 0; 1139 } 1140 memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int)); 1141 1142 /* Now find the strength_bits values actually used. */ 1143 curr = *head_p; 1144 while (curr != NULL) { 1145 if (curr->active) { 1146 number_uses[SSL_CIPHER_get_bits(curr->cipher, NULL)]++; 1147 } 1148 curr = curr->next; 1149 } 1150 1151 /* Go through the list of used strength_bits values in descending order. */ 1152 for (i = max_strength_bits; i >= 0; i--) { 1153 if (number_uses[i] > 0) { 1154 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i, 0, head_p, tail_p); 1155 } 1156 } 1157 1158 OPENSSL_free(number_uses); 1159 return 1; 1160 } 1161 1162 static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method, 1163 const char *rule_str, 1164 CIPHER_ORDER **head_p, 1165 CIPHER_ORDER **tail_p) { 1166 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac; 1167 uint16_t min_version; 1168 const char *l, *buf; 1169 int multi, skip_rule, rule, retval, ok, in_group = 0, has_group = 0; 1170 size_t j, buf_len; 1171 uint32_t cipher_id; 1172 char ch; 1173 1174 retval = 1; 1175 l = rule_str; 1176 for (;;) { 1177 ch = *l; 1178 1179 if (ch == '\0') { 1180 break; /* done */ 1181 } 1182 1183 if (in_group) { 1184 if (ch == ']') { 1185 if (*tail_p) { 1186 (*tail_p)->in_group = 0; 1187 } 1188 in_group = 0; 1189 l++; 1190 continue; 1191 } 1192 1193 if (ch == '|') { 1194 rule = CIPHER_ADD; 1195 l++; 1196 continue; 1197 } else if (!(ch >= 'a' && ch <= 'z') && !(ch >= 'A' && ch <= 'Z') && 1198 !(ch >= '0' && ch <= '9')) { 1199 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP); 1200 retval = in_group = 0; 1201 break; 1202 } else { 1203 rule = CIPHER_ADD; 1204 } 1205 } else if (ch == '-') { 1206 rule = CIPHER_DEL; 1207 l++; 1208 } else if (ch == '+') { 1209 rule = CIPHER_ORD; 1210 l++; 1211 } else if (ch == '!') { 1212 rule = CIPHER_KILL; 1213 l++; 1214 } else if (ch == '@') { 1215 rule = CIPHER_SPECIAL; 1216 l++; 1217 } else if (ch == '[') { 1218 if (in_group) { 1219 OPENSSL_PUT_ERROR(SSL, SSL_R_NESTED_GROUP); 1220 retval = in_group = 0; 1221 break; 1222 } 1223 in_group = 1; 1224 has_group = 1; 1225 l++; 1226 continue; 1227 } else { 1228 rule = CIPHER_ADD; 1229 } 1230 1231 /* If preference groups are enabled, the only legal operator is +. 1232 * Otherwise the in_group bits will get mixed up. */ 1233 if (has_group && rule != CIPHER_ADD) { 1234 OPENSSL_PUT_ERROR(SSL, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS); 1235 retval = in_group = 0; 1236 break; 1237 } 1238 1239 if (ITEM_SEP(ch)) { 1240 l++; 1241 continue; 1242 } 1243 1244 multi = 0; 1245 cipher_id = 0; 1246 alg_mkey = ~0u; 1247 alg_auth = ~0u; 1248 alg_enc = ~0u; 1249 alg_mac = ~0u; 1250 min_version = 0; 1251 skip_rule = 0; 1252 1253 for (;;) { 1254 ch = *l; 1255 buf = l; 1256 buf_len = 0; 1257 while (((ch >= 'A') && (ch <= 'Z')) || ((ch >= '0') && (ch <= '9')) || 1258 ((ch >= 'a') && (ch <= 'z')) || (ch == '-') || (ch == '.')) { 1259 ch = *(++l); 1260 buf_len++; 1261 } 1262 1263 if (buf_len == 0) { 1264 /* We hit something we cannot deal with, it is no command or separator 1265 * nor alphanumeric, so we call this an error. */ 1266 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND); 1267 retval = in_group = 0; 1268 l++; 1269 break; 1270 } 1271 1272 if (rule == CIPHER_SPECIAL) { 1273 break; 1274 } 1275 1276 /* Look for a matching exact cipher. These aren't allowed in multipart 1277 * rules. */ 1278 if (!multi && ch != '+') { 1279 for (j = 0; j < kCiphersLen; j++) { 1280 const SSL_CIPHER *cipher = &kCiphers[j]; 1281 if (rule_equals(cipher->name, buf, buf_len)) { 1282 cipher_id = cipher->id; 1283 break; 1284 } 1285 } 1286 } 1287 if (cipher_id == 0) { 1288 /* If not an exact cipher, look for a matching cipher alias. */ 1289 for (j = 0; j < kCipherAliasesLen; j++) { 1290 if (rule_equals(kCipherAliases[j].name, buf, buf_len)) { 1291 alg_mkey &= kCipherAliases[j].algorithm_mkey; 1292 alg_auth &= kCipherAliases[j].algorithm_auth; 1293 alg_enc &= kCipherAliases[j].algorithm_enc; 1294 alg_mac &= kCipherAliases[j].algorithm_mac; 1295 1296 if (min_version != 0 && 1297 min_version != kCipherAliases[j].min_version) { 1298 skip_rule = 1; 1299 } else { 1300 min_version = kCipherAliases[j].min_version; 1301 } 1302 break; 1303 } 1304 } 1305 if (j == kCipherAliasesLen) { 1306 skip_rule = 1; 1307 } 1308 } 1309 1310 /* Check for a multipart rule. */ 1311 if (ch != '+') { 1312 break; 1313 } 1314 l++; 1315 multi = 1; 1316 } 1317 1318 /* If one of the CHACHA20_POLY1305 variants is selected, include the other 1319 * as well. They have the same name to avoid requiring changes in 1320 * configuration. Apply this transformation late so that the cipher name 1321 * still behaves as an exact name and not an alias in multipart rules. 1322 * 1323 * This is temporary and will be removed when the pre-standard construction 1324 * is removed. */ 1325 if (cipher_id == TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD || 1326 cipher_id == TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256) { 1327 cipher_id = 0; 1328 alg_mkey = SSL_kECDHE; 1329 alg_auth = SSL_aRSA; 1330 alg_enc = SSL_CHACHA20POLY1305|SSL_CHACHA20POLY1305_OLD; 1331 alg_mac = SSL_AEAD; 1332 } else if (cipher_id == TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD || 1333 cipher_id == TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256) { 1334 cipher_id = 0; 1335 alg_mkey = SSL_kECDHE; 1336 alg_auth = SSL_aECDSA; 1337 alg_enc = SSL_CHACHA20POLY1305|SSL_CHACHA20POLY1305_OLD; 1338 alg_mac = SSL_AEAD; 1339 } 1340 1341 /* Ok, we have the rule, now apply it. */ 1342 if (rule == CIPHER_SPECIAL) { 1343 /* special command */ 1344 ok = 0; 1345 if (buf_len == 8 && !strncmp(buf, "STRENGTH", 8)) { 1346 ok = ssl_cipher_strength_sort(head_p, tail_p); 1347 } else { 1348 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND); 1349 } 1350 1351 if (ok == 0) { 1352 retval = 0; 1353 } 1354 1355 /* We do not support any "multi" options together with "@", so throw away 1356 * the rest of the command, if any left, until end or ':' is found. */ 1357 while (*l != '\0' && !ITEM_SEP(*l)) { 1358 l++; 1359 } 1360 } else if (!skip_rule) { 1361 ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth, alg_enc, alg_mac, 1362 min_version, rule, -1, in_group, head_p, tail_p); 1363 } 1364 } 1365 1366 if (in_group) { 1367 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND); 1368 retval = 0; 1369 } 1370 1371 return retval; 1372 } 1373 1374 STACK_OF(SSL_CIPHER) * 1375 ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *ssl_method, 1376 struct ssl_cipher_preference_list_st **out_cipher_list, 1377 STACK_OF(SSL_CIPHER) **out_cipher_list_by_id, 1378 const char *rule_str) { 1379 int ok; 1380 STACK_OF(SSL_CIPHER) *cipherstack = NULL, *tmp_cipher_list = NULL; 1381 const char *rule_p; 1382 CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; 1383 uint8_t *in_group_flags = NULL; 1384 unsigned int num_in_group_flags = 0; 1385 struct ssl_cipher_preference_list_st *pref_list = NULL; 1386 1387 /* Return with error if nothing to do. */ 1388 if (rule_str == NULL || out_cipher_list == NULL) { 1389 return NULL; 1390 } 1391 1392 /* Now we have to collect the available ciphers from the compiled in ciphers. 1393 * We cannot get more than the number compiled in, so it is used for 1394 * allocation. */ 1395 co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * kCiphersLen); 1396 if (co_list == NULL) { 1397 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 1398 return NULL; 1399 } 1400 1401 ssl_cipher_collect_ciphers(ssl_method, co_list, &head, &tail); 1402 1403 /* Now arrange all ciphers by preference: 1404 * TODO(davidben): Compute this order once and copy it. */ 1405 1406 /* Everything else being equal, prefer ECDHE_ECDSA then ECDHE_RSA over other 1407 * key exchange mechanisms */ 1408 ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, ~0u, ~0u, 0, CIPHER_ADD, -1, 1409 0, &head, &tail); 1410 ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0, 1411 &head, &tail); 1412 ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, 1413 &head, &tail); 1414 1415 /* Order the bulk ciphers. First the preferred AEAD ciphers. We prefer 1416 * CHACHA20 unless there is hardware support for fast and constant-time 1417 * AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the 1418 * old one. */ 1419 if (EVP_has_aes_hardware()) { 1420 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0, 1421 &head, &tail); 1422 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0, 1423 &head, &tail); 1424 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD, 1425 -1, 0, &head, &tail); 1426 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305_OLD, ~0u, 0, 1427 CIPHER_ADD, -1, 0, &head, &tail); 1428 } else { 1429 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD, 1430 -1, 0, &head, &tail); 1431 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305_OLD, ~0u, 0, 1432 CIPHER_ADD, -1, 0, &head, &tail); 1433 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0, 1434 &head, &tail); 1435 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0, 1436 &head, &tail); 1437 } 1438 1439 /* Then the legacy non-AEAD ciphers: AES_256_CBC, AES-128_CBC, RC4_128_SHA, 1440 * RC4_128_MD5, 3DES_EDE_CBC_SHA. */ 1441 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, 0, CIPHER_ADD, -1, 0, 1442 &head, &tail); 1443 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, 0, CIPHER_ADD, -1, 0, 1444 &head, &tail); 1445 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_RC4, ~SSL_MD5, 0, CIPHER_ADD, -1, 0, 1446 &head, &tail); 1447 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_RC4, SSL_MD5, 0, CIPHER_ADD, -1, 0, 1448 &head, &tail); 1449 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, 0, CIPHER_ADD, -1, 0, &head, 1450 &tail); 1451 1452 /* Temporarily enable everything else for sorting */ 1453 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0, &head, 1454 &tail); 1455 1456 /* Move ciphers without forward secrecy to the end. */ 1457 ssl_cipher_apply_rule(0, ~(SSL_kDHE | SSL_kECDHE), ~0u, ~0u, ~0u, 0, 1458 CIPHER_ORD, -1, 0, &head, &tail); 1459 1460 /* Now disable everything (maintaining the ordering!) */ 1461 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head, 1462 &tail); 1463 1464 /* If the rule_string begins with DEFAULT, apply the default rule before 1465 * using the (possibly available) additional rules. */ 1466 ok = 1; 1467 rule_p = rule_str; 1468 if (strncmp(rule_str, "DEFAULT", 7) == 0) { 1469 ok = ssl_cipher_process_rulestr(ssl_method, SSL_DEFAULT_CIPHER_LIST, &head, 1470 &tail); 1471 rule_p += 7; 1472 if (*rule_p == ':') { 1473 rule_p++; 1474 } 1475 } 1476 1477 if (ok && strlen(rule_p) > 0) { 1478 ok = ssl_cipher_process_rulestr(ssl_method, rule_p, &head, &tail); 1479 } 1480 1481 if (!ok) { 1482 goto err; 1483 } 1484 1485 /* Allocate new "cipherstack" for the result, return with error 1486 * if we cannot get one. */ 1487 cipherstack = sk_SSL_CIPHER_new_null(); 1488 if (cipherstack == NULL) { 1489 goto err; 1490 } 1491 1492 in_group_flags = OPENSSL_malloc(kCiphersLen); 1493 if (!in_group_flags) { 1494 goto err; 1495 } 1496 1497 /* The cipher selection for the list is done. The ciphers are added 1498 * to the resulting precedence to the STACK_OF(SSL_CIPHER). */ 1499 for (curr = head; curr != NULL; curr = curr->next) { 1500 if (curr->active) { 1501 if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) { 1502 goto err; 1503 } 1504 in_group_flags[num_in_group_flags++] = curr->in_group; 1505 } 1506 } 1507 OPENSSL_free(co_list); /* Not needed any longer */ 1508 co_list = NULL; 1509 1510 tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack); 1511 if (tmp_cipher_list == NULL) { 1512 goto err; 1513 } 1514 pref_list = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st)); 1515 if (!pref_list) { 1516 goto err; 1517 } 1518 pref_list->ciphers = cipherstack; 1519 pref_list->in_group_flags = OPENSSL_malloc(num_in_group_flags); 1520 if (!pref_list->in_group_flags) { 1521 goto err; 1522 } 1523 memcpy(pref_list->in_group_flags, in_group_flags, num_in_group_flags); 1524 OPENSSL_free(in_group_flags); 1525 in_group_flags = NULL; 1526 if (*out_cipher_list != NULL) { 1527 ssl_cipher_preference_list_free(*out_cipher_list); 1528 } 1529 *out_cipher_list = pref_list; 1530 pref_list = NULL; 1531 1532 if (out_cipher_list_by_id != NULL) { 1533 sk_SSL_CIPHER_free(*out_cipher_list_by_id); 1534 *out_cipher_list_by_id = tmp_cipher_list; 1535 tmp_cipher_list = NULL; 1536 (void) sk_SSL_CIPHER_set_cmp_func(*out_cipher_list_by_id, 1537 ssl_cipher_ptr_id_cmp); 1538 1539 sk_SSL_CIPHER_sort(*out_cipher_list_by_id); 1540 } else { 1541 sk_SSL_CIPHER_free(tmp_cipher_list); 1542 tmp_cipher_list = NULL; 1543 } 1544 1545 return cipherstack; 1546 1547 err: 1548 OPENSSL_free(co_list); 1549 OPENSSL_free(in_group_flags); 1550 sk_SSL_CIPHER_free(cipherstack); 1551 sk_SSL_CIPHER_free(tmp_cipher_list); 1552 if (pref_list) { 1553 OPENSSL_free(pref_list->in_group_flags); 1554 } 1555 OPENSSL_free(pref_list); 1556 return NULL; 1557 } 1558 1559 uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher) { return cipher->id; } 1560 1561 uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher) { 1562 uint32_t id = cipher->id; 1563 /* All ciphers are SSLv3. */ 1564 assert((id & 0xff000000) == 0x03000000); 1565 return id & 0xffff; 1566 } 1567 1568 int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher) { 1569 return (cipher->algorithm_enc & SSL_AES) != 0; 1570 } 1571 1572 int SSL_CIPHER_has_MD5_HMAC(const SSL_CIPHER *cipher) { 1573 return (cipher->algorithm_mac & SSL_MD5) != 0; 1574 } 1575 1576 int SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER *cipher) { 1577 return (cipher->algorithm_mac & SSL_SHA1) != 0; 1578 } 1579 1580 int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher) { 1581 return (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) != 0; 1582 } 1583 1584 int SSL_CIPHER_is_AES128GCM(const SSL_CIPHER *cipher) { 1585 return (cipher->algorithm_enc & SSL_AES128GCM) != 0; 1586 } 1587 1588 int SSL_CIPHER_is_AES128CBC(const SSL_CIPHER *cipher) { 1589 return (cipher->algorithm_enc & SSL_AES128) != 0; 1590 } 1591 1592 int SSL_CIPHER_is_AES256CBC(const SSL_CIPHER *cipher) { 1593 return (cipher->algorithm_enc & SSL_AES256) != 0; 1594 } 1595 1596 int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher) { 1597 return (cipher->algorithm_enc & 1598 (SSL_CHACHA20POLY1305 | SSL_CHACHA20POLY1305_OLD)) != 0; 1599 } 1600 1601 int SSL_CIPHER_is_NULL(const SSL_CIPHER *cipher) { 1602 return (cipher->algorithm_enc & SSL_eNULL) != 0; 1603 } 1604 1605 int SSL_CIPHER_is_RC4(const SSL_CIPHER *cipher) { 1606 return (cipher->algorithm_enc & SSL_RC4) != 0; 1607 } 1608 1609 int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher) { 1610 /* Neither stream cipher nor AEAD. */ 1611 return (cipher->algorithm_enc & (SSL_RC4 | SSL_eNULL)) == 0 && 1612 cipher->algorithm_mac != SSL_AEAD; 1613 } 1614 1615 int SSL_CIPHER_is_ECDSA(const SSL_CIPHER *cipher) { 1616 return (cipher->algorithm_auth & SSL_aECDSA) != 0; 1617 } 1618 1619 int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher) { 1620 return (cipher->algorithm_mkey & SSL_kECDHE) != 0; 1621 } 1622 1623 uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) { 1624 if (cipher->algorithm_prf != SSL_HANDSHAKE_MAC_DEFAULT) { 1625 /* Cipher suites before TLS 1.2 use the default PRF, while all those added 1626 * afterwards specify a particular hash. */ 1627 return TLS1_2_VERSION; 1628 } 1629 return SSL3_VERSION; 1630 } 1631 1632 /* return the actual cipher being used */ 1633 const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) { 1634 if (cipher != NULL) { 1635 return cipher->name; 1636 } 1637 1638 return "(NONE)"; 1639 } 1640 1641 const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) { 1642 if (cipher == NULL) { 1643 return ""; 1644 } 1645 1646 switch (cipher->algorithm_mkey) { 1647 case SSL_kRSA: 1648 return "RSA"; 1649 1650 case SSL_kDHE: 1651 switch (cipher->algorithm_auth) { 1652 case SSL_aRSA: 1653 return "DHE_RSA"; 1654 default: 1655 assert(0); 1656 return "UNKNOWN"; 1657 } 1658 1659 case SSL_kECDHE: 1660 switch (cipher->algorithm_auth) { 1661 case SSL_aECDSA: 1662 return "ECDHE_ECDSA"; 1663 case SSL_aRSA: 1664 return "ECDHE_RSA"; 1665 case SSL_aPSK: 1666 return "ECDHE_PSK"; 1667 default: 1668 assert(0); 1669 return "UNKNOWN"; 1670 } 1671 1672 case SSL_kPSK: 1673 assert(cipher->algorithm_auth == SSL_aPSK); 1674 return "PSK"; 1675 1676 default: 1677 assert(0); 1678 return "UNKNOWN"; 1679 } 1680 } 1681 1682 static const char *ssl_cipher_get_enc_name(const SSL_CIPHER *cipher) { 1683 switch (cipher->algorithm_enc) { 1684 case SSL_3DES: 1685 return "3DES_EDE_CBC"; 1686 case SSL_RC4: 1687 return "RC4"; 1688 case SSL_AES128: 1689 return "AES_128_CBC"; 1690 case SSL_AES256: 1691 return "AES_256_CBC"; 1692 case SSL_AES128GCM: 1693 return "AES_128_GCM"; 1694 case SSL_AES256GCM: 1695 return "AES_256_GCM"; 1696 case SSL_CHACHA20POLY1305: 1697 case SSL_CHACHA20POLY1305_OLD: 1698 return "CHACHA20_POLY1305"; 1699 break; 1700 default: 1701 assert(0); 1702 return "UNKNOWN"; 1703 } 1704 } 1705 1706 static const char *ssl_cipher_get_prf_name(const SSL_CIPHER *cipher) { 1707 switch (cipher->algorithm_prf) { 1708 case SSL_HANDSHAKE_MAC_DEFAULT: 1709 /* Before TLS 1.2, the PRF component is the hash used in the HMAC, which is 1710 * only ever MD5 or SHA-1. */ 1711 switch (cipher->algorithm_mac) { 1712 case SSL_MD5: 1713 return "MD5"; 1714 case SSL_SHA1: 1715 return "SHA"; 1716 } 1717 break; 1718 case SSL_HANDSHAKE_MAC_SHA256: 1719 return "SHA256"; 1720 case SSL_HANDSHAKE_MAC_SHA384: 1721 return "SHA384"; 1722 } 1723 assert(0); 1724 return "UNKNOWN"; 1725 } 1726 1727 char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher) { 1728 if (cipher == NULL) { 1729 return NULL; 1730 } 1731 1732 const char *kx_name = SSL_CIPHER_get_kx_name(cipher); 1733 const char *enc_name = ssl_cipher_get_enc_name(cipher); 1734 const char *prf_name = ssl_cipher_get_prf_name(cipher); 1735 1736 /* The final name is TLS_{kx_name}_WITH_{enc_name}_{prf_name}. */ 1737 size_t len = 4 + strlen(kx_name) + 6 + strlen(enc_name) + 1 + 1738 strlen(prf_name) + 1; 1739 char *ret = OPENSSL_malloc(len); 1740 if (ret == NULL) { 1741 return NULL; 1742 } 1743 if (BUF_strlcpy(ret, "TLS_", len) >= len || 1744 BUF_strlcat(ret, kx_name, len) >= len || 1745 BUF_strlcat(ret, "_WITH_", len) >= len || 1746 BUF_strlcat(ret, enc_name, len) >= len || 1747 BUF_strlcat(ret, "_", len) >= len || 1748 BUF_strlcat(ret, prf_name, len) >= len) { 1749 assert(0); 1750 OPENSSL_free(ret); 1751 return NULL; 1752 } 1753 assert(strlen(ret) + 1 == len); 1754 return ret; 1755 } 1756 1757 int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *out_alg_bits) { 1758 if (cipher == NULL) { 1759 return 0; 1760 } 1761 1762 int alg_bits, strength_bits; 1763 switch (cipher->algorithm_enc) { 1764 case SSL_AES128: 1765 case SSL_AES128GCM: 1766 case SSL_RC4: 1767 alg_bits = 128; 1768 strength_bits = 128; 1769 break; 1770 1771 case SSL_AES256: 1772 case SSL_AES256GCM: 1773 #if !defined(BORINGSSL_ANDROID_SYSTEM) 1774 case SSL_CHACHA20POLY1305_OLD: 1775 #endif 1776 case SSL_CHACHA20POLY1305: 1777 alg_bits = 256; 1778 strength_bits = 256; 1779 break; 1780 1781 case SSL_3DES: 1782 alg_bits = 168; 1783 strength_bits = 112; 1784 break; 1785 1786 case SSL_eNULL: 1787 alg_bits = 0; 1788 strength_bits = 0; 1789 break; 1790 1791 default: 1792 assert(0); 1793 alg_bits = 0; 1794 strength_bits = 0; 1795 } 1796 1797 if (out_alg_bits != NULL) { 1798 *out_alg_bits = alg_bits; 1799 } 1800 return strength_bits; 1801 } 1802 1803 const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, 1804 int len) { 1805 const char *kx, *au, *enc, *mac; 1806 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac; 1807 static const char *format = "%-23s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n"; 1808 1809 alg_mkey = cipher->algorithm_mkey; 1810 alg_auth = cipher->algorithm_auth; 1811 alg_enc = cipher->algorithm_enc; 1812 alg_mac = cipher->algorithm_mac; 1813 1814 switch (alg_mkey) { 1815 case SSL_kRSA: 1816 kx = "RSA"; 1817 break; 1818 1819 case SSL_kDHE: 1820 kx = "DH"; 1821 break; 1822 1823 case SSL_kECDHE: 1824 kx = "ECDH"; 1825 break; 1826 1827 case SSL_kPSK: 1828 kx = "PSK"; 1829 break; 1830 1831 default: 1832 kx = "unknown"; 1833 } 1834 1835 switch (alg_auth) { 1836 case SSL_aRSA: 1837 au = "RSA"; 1838 break; 1839 1840 case SSL_aECDSA: 1841 au = "ECDSA"; 1842 break; 1843 1844 case SSL_aPSK: 1845 au = "PSK"; 1846 break; 1847 1848 default: 1849 au = "unknown"; 1850 break; 1851 } 1852 1853 switch (alg_enc) { 1854 case SSL_3DES: 1855 enc = "3DES(168)"; 1856 break; 1857 1858 case SSL_RC4: 1859 enc = "RC4(128)"; 1860 break; 1861 1862 case SSL_AES128: 1863 enc = "AES(128)"; 1864 break; 1865 1866 case SSL_AES256: 1867 enc = "AES(256)"; 1868 break; 1869 1870 case SSL_AES128GCM: 1871 enc = "AESGCM(128)"; 1872 break; 1873 1874 case SSL_AES256GCM: 1875 enc = "AESGCM(256)"; 1876 break; 1877 1878 case SSL_CHACHA20POLY1305_OLD: 1879 enc = "ChaCha20-Poly1305-Old"; 1880 break; 1881 1882 case SSL_CHACHA20POLY1305: 1883 enc = "ChaCha20-Poly1305"; 1884 break; 1885 1886 case SSL_eNULL: 1887 enc="None"; 1888 break; 1889 1890 default: 1891 enc = "unknown"; 1892 break; 1893 } 1894 1895 switch (alg_mac) { 1896 case SSL_MD5: 1897 mac = "MD5"; 1898 break; 1899 1900 case SSL_SHA1: 1901 mac = "SHA1"; 1902 break; 1903 1904 case SSL_SHA256: 1905 mac = "SHA256"; 1906 break; 1907 1908 case SSL_SHA384: 1909 mac = "SHA384"; 1910 break; 1911 1912 case SSL_AEAD: 1913 mac = "AEAD"; 1914 break; 1915 1916 default: 1917 mac = "unknown"; 1918 break; 1919 } 1920 1921 if (buf == NULL) { 1922 len = 128; 1923 buf = OPENSSL_malloc(len); 1924 if (buf == NULL) { 1925 return NULL; 1926 } 1927 } else if (len < 128) { 1928 return "Buffer too small"; 1929 } 1930 1931 BIO_snprintf(buf, len, format, cipher->name, kx, au, enc, mac); 1932 return buf; 1933 } 1934 1935 const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher) { 1936 return "TLSv1/SSLv3"; 1937 } 1938 1939 COMP_METHOD *SSL_COMP_get_compression_methods(void) { return NULL; } 1940 1941 int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) { return 1; } 1942 1943 const char *SSL_COMP_get_name(const COMP_METHOD *comp) { return NULL; } 1944 1945 int ssl_cipher_get_key_type(const SSL_CIPHER *cipher) { 1946 uint32_t alg_a = cipher->algorithm_auth; 1947 1948 if (alg_a & SSL_aECDSA) { 1949 return EVP_PKEY_EC; 1950 } else if (alg_a & SSL_aRSA) { 1951 return EVP_PKEY_RSA; 1952 } 1953 1954 return EVP_PKEY_NONE; 1955 } 1956 1957 int ssl_cipher_has_server_public_key(const SSL_CIPHER *cipher) { 1958 /* PSK-authenticated ciphers do not use a certificate. (RSA_PSK is not 1959 * supported.) */ 1960 if (cipher->algorithm_auth & SSL_aPSK) { 1961 return 0; 1962 } 1963 1964 /* All other ciphers include it. */ 1965 return 1; 1966 } 1967 1968 int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) { 1969 /* Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. */ 1970 if (cipher->algorithm_mkey & SSL_kDHE || cipher->algorithm_mkey & SSL_kECDHE) { 1971 return 1; 1972 } 1973 1974 /* It is optional in all others. */ 1975 return 0; 1976 } 1977 1978 size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher) { 1979 size_t block_size; 1980 switch (cipher->algorithm_enc) { 1981 case SSL_3DES: 1982 block_size = 8; 1983 break; 1984 case SSL_AES128: 1985 case SSL_AES256: 1986 block_size = 16; 1987 break; 1988 default: 1989 return 0; 1990 } 1991 1992 size_t mac_len; 1993 switch (cipher->algorithm_mac) { 1994 case SSL_MD5: 1995 mac_len = MD5_DIGEST_LENGTH; 1996 break; 1997 case SSL_SHA1: 1998 mac_len = SHA_DIGEST_LENGTH; 1999 break; 2000 default: 2001 return 0; 2002 } 2003 2004 size_t ret = 1 + mac_len; 2005 ret += block_size - (ret % block_size); 2006 return ret; 2007 } 2008
