1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] 56 */ 57 /* ==================================================================== 58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 59 * 60 * Redistribution and use in source and binary forms, with or without 61 * modification, are permitted provided that the following conditions 62 * are met: 63 * 64 * 1. Redistributions of source code must retain the above copyright 65 * notice, this list of conditions and the following disclaimer. 66 * 67 * 2. Redistributions in binary form must reproduce the above copyright 68 * notice, this list of conditions and the following disclaimer in 69 * the documentation and/or other materials provided with the 70 * distribution. 71 * 72 * 3. All advertising materials mentioning features or use of this 73 * software must display the following acknowledgment: 74 * "This product includes software developed by the OpenSSL Project 75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 76 * 77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 78 * endorse or promote products derived from this software without 79 * prior written permission. For written permission, please contact 80 * openssl-core (at) openssl.org. 81 * 82 * 5. Products derived from this software may not be called "OpenSSL" 83 * nor may "OpenSSL" appear in their names without prior written 84 * permission of the OpenSSL Project. 85 * 86 * 6. Redistributions of any form whatsoever must retain the following 87 * acknowledgment: 88 * "This product includes software developed by the OpenSSL Project 89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 90 * 91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 102 * OF THE POSSIBILITY OF SUCH DAMAGE. 103 * ==================================================================== 104 * 105 * This product includes cryptographic software written by Eric Young 106 * (eay (at) cryptsoft.com). This product includes software written by Tim 107 * Hudson (tjh (at) cryptsoft.com). 108 * 109 */ 110 /* ==================================================================== 111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 112 * ECC cipher suite support in OpenSSL originally developed by 113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 114 */ 115 /* ==================================================================== 116 * Copyright 2005 Nokia. All rights reserved. 117 * 118 * The portions of the attached software ("Contribution") is developed by 119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 120 * license. 121 * 122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 124 * support (see RFC 4279) to OpenSSL. 125 * 126 * No patent licenses or other rights except those expressly stated in 127 * the OpenSSL open source license shall be deemed granted or received 128 * expressly, by implication, estoppel, or otherwise. 129 * 130 * No assurances are provided by Nokia that the Contribution does not 131 * infringe the patent or other intellectual property rights of any third 132 * party or that the license provides you with all the necessary rights 133 * to make use of the Contribution. 134 * 135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 139 * OTHERWISE. */ 140 141 #include <openssl/ssl.h> 142 143 #include <assert.h> 144 #include <string.h> 145 146 #include <openssl/buf.h> 147 #include <openssl/err.h> 148 #include <openssl/md5.h> 149 #include <openssl/mem.h> 150 #include <openssl/sha.h> 151 #include <openssl/stack.h> 152 153 #include "internal.h" 154 #include "../crypto/internal.h" 155 156 157 /* kCiphers is an array of all supported ciphers, sorted by id. */ 158 static const SSL_CIPHER kCiphers[] = { 159 /* The RSA ciphers */ 160 /* Cipher 02 */ 161 { 162 SSL3_TXT_RSA_NULL_SHA, 163 "TLS_RSA_WITH_NULL_SHA", 164 SSL3_CK_RSA_NULL_SHA, 165 SSL_kRSA, 166 SSL_aRSA, 167 SSL_eNULL, 168 SSL_SHA1, 169 SSL_HANDSHAKE_MAC_DEFAULT, 170 }, 171 172 /* Cipher 0A */ 173 { 174 SSL3_TXT_RSA_DES_192_CBC3_SHA, 175 "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 176 SSL3_CK_RSA_DES_192_CBC3_SHA, 177 SSL_kRSA, 178 SSL_aRSA, 179 SSL_3DES, 180 SSL_SHA1, 181 SSL_HANDSHAKE_MAC_DEFAULT, 182 }, 183 184 185 /* New AES ciphersuites */ 186 187 /* Cipher 2F */ 188 { 189 TLS1_TXT_RSA_WITH_AES_128_SHA, 190 "TLS_RSA_WITH_AES_128_CBC_SHA", 191 TLS1_CK_RSA_WITH_AES_128_SHA, 192 SSL_kRSA, 193 SSL_aRSA, 194 SSL_AES128, 195 SSL_SHA1, 196 SSL_HANDSHAKE_MAC_DEFAULT, 197 }, 198 199 /* Cipher 35 */ 200 { 201 TLS1_TXT_RSA_WITH_AES_256_SHA, 202 "TLS_RSA_WITH_AES_256_CBC_SHA", 203 TLS1_CK_RSA_WITH_AES_256_SHA, 204 SSL_kRSA, 205 SSL_aRSA, 206 SSL_AES256, 207 SSL_SHA1, 208 SSL_HANDSHAKE_MAC_DEFAULT, 209 }, 210 211 212 /* TLS v1.2 ciphersuites */ 213 214 /* Cipher 3C */ 215 { 216 TLS1_TXT_RSA_WITH_AES_128_SHA256, 217 "TLS_RSA_WITH_AES_128_CBC_SHA256", 218 TLS1_CK_RSA_WITH_AES_128_SHA256, 219 SSL_kRSA, 220 SSL_aRSA, 221 SSL_AES128, 222 SSL_SHA256, 223 SSL_HANDSHAKE_MAC_SHA256, 224 }, 225 226 /* Cipher 3D */ 227 { 228 TLS1_TXT_RSA_WITH_AES_256_SHA256, 229 "TLS_RSA_WITH_AES_256_CBC_SHA256", 230 TLS1_CK_RSA_WITH_AES_256_SHA256, 231 SSL_kRSA, 232 SSL_aRSA, 233 SSL_AES256, 234 SSL_SHA256, 235 SSL_HANDSHAKE_MAC_SHA256, 236 }, 237 238 /* PSK cipher suites. */ 239 240 /* Cipher 8C */ 241 { 242 TLS1_TXT_PSK_WITH_AES_128_CBC_SHA, 243 "TLS_PSK_WITH_AES_128_CBC_SHA", 244 TLS1_CK_PSK_WITH_AES_128_CBC_SHA, 245 SSL_kPSK, 246 SSL_aPSK, 247 SSL_AES128, 248 SSL_SHA1, 249 SSL_HANDSHAKE_MAC_DEFAULT, 250 }, 251 252 /* Cipher 8D */ 253 { 254 TLS1_TXT_PSK_WITH_AES_256_CBC_SHA, 255 "TLS_PSK_WITH_AES_256_CBC_SHA", 256 TLS1_CK_PSK_WITH_AES_256_CBC_SHA, 257 SSL_kPSK, 258 SSL_aPSK, 259 SSL_AES256, 260 SSL_SHA1, 261 SSL_HANDSHAKE_MAC_DEFAULT, 262 }, 263 264 /* GCM ciphersuites from RFC5288 */ 265 266 /* Cipher 9C */ 267 { 268 TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256, 269 "TLS_RSA_WITH_AES_128_GCM_SHA256", 270 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 271 SSL_kRSA, 272 SSL_aRSA, 273 SSL_AES128GCM, 274 SSL_AEAD, 275 SSL_HANDSHAKE_MAC_SHA256, 276 }, 277 278 /* Cipher 9D */ 279 { 280 TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384, 281 "TLS_RSA_WITH_AES_256_GCM_SHA384", 282 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, 283 SSL_kRSA, 284 SSL_aRSA, 285 SSL_AES256GCM, 286 SSL_AEAD, 287 SSL_HANDSHAKE_MAC_SHA384, 288 }, 289 290 /* TLS 1.3 suites. */ 291 292 /* Cipher 1301 */ 293 { 294 TLS1_TXT_AES_128_GCM_SHA256, 295 "TLS_AES_128_GCM_SHA256", 296 TLS1_CK_AES_128_GCM_SHA256, 297 SSL_kGENERIC, 298 SSL_aGENERIC, 299 SSL_AES128GCM, 300 SSL_AEAD, 301 SSL_HANDSHAKE_MAC_SHA256, 302 }, 303 304 /* Cipher 1302 */ 305 { 306 TLS1_TXT_AES_256_GCM_SHA384, 307 "TLS_AES_256_GCM_SHA384", 308 TLS1_CK_AES_256_GCM_SHA384, 309 SSL_kGENERIC, 310 SSL_aGENERIC, 311 SSL_AES256GCM, 312 SSL_AEAD, 313 SSL_HANDSHAKE_MAC_SHA384, 314 }, 315 316 /* Cipher 1303 */ 317 { 318 TLS1_TXT_CHACHA20_POLY1305_SHA256, 319 "TLS_CHACHA20_POLY1305_SHA256", 320 TLS1_CK_CHACHA20_POLY1305_SHA256, 321 SSL_kGENERIC, 322 SSL_aGENERIC, 323 SSL_CHACHA20POLY1305, 324 SSL_AEAD, 325 SSL_HANDSHAKE_MAC_SHA256, 326 }, 327 328 /* Cipher C009 */ 329 { 330 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 331 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", 332 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 333 SSL_kECDHE, 334 SSL_aECDSA, 335 SSL_AES128, 336 SSL_SHA1, 337 SSL_HANDSHAKE_MAC_DEFAULT, 338 }, 339 340 /* Cipher C00A */ 341 { 342 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 343 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", 344 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 345 SSL_kECDHE, 346 SSL_aECDSA, 347 SSL_AES256, 348 SSL_SHA1, 349 SSL_HANDSHAKE_MAC_DEFAULT, 350 }, 351 352 /* Cipher C013 */ 353 { 354 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, 355 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 356 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 357 SSL_kECDHE, 358 SSL_aRSA, 359 SSL_AES128, 360 SSL_SHA1, 361 SSL_HANDSHAKE_MAC_DEFAULT, 362 }, 363 364 /* Cipher C014 */ 365 { 366 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, 367 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", 368 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 369 SSL_kECDHE, 370 SSL_aRSA, 371 SSL_AES256, 372 SSL_SHA1, 373 SSL_HANDSHAKE_MAC_DEFAULT, 374 }, 375 376 377 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */ 378 379 /* Cipher C023 */ 380 { 381 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256, 382 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", 383 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, 384 SSL_kECDHE, 385 SSL_aECDSA, 386 SSL_AES128, 387 SSL_SHA256, 388 SSL_HANDSHAKE_MAC_SHA256, 389 }, 390 391 /* Cipher C024 */ 392 { 393 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384, 394 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", 395 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, 396 SSL_kECDHE, 397 SSL_aECDSA, 398 SSL_AES256, 399 SSL_SHA384, 400 SSL_HANDSHAKE_MAC_SHA384, 401 }, 402 403 /* Cipher C027 */ 404 { 405 TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256, 406 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", 407 TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, 408 SSL_kECDHE, 409 SSL_aRSA, 410 SSL_AES128, 411 SSL_SHA256, 412 SSL_HANDSHAKE_MAC_SHA256, 413 }, 414 415 /* Cipher C028 */ 416 { 417 TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384, 418 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", 419 TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, 420 SSL_kECDHE, 421 SSL_aRSA, 422 SSL_AES256, 423 SSL_SHA384, 424 SSL_HANDSHAKE_MAC_SHA384, 425 }, 426 427 428 /* GCM based TLS v1.2 ciphersuites from RFC5289 */ 429 430 /* Cipher C02B */ 431 { 432 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 433 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 434 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 435 SSL_kECDHE, 436 SSL_aECDSA, 437 SSL_AES128GCM, 438 SSL_AEAD, 439 SSL_HANDSHAKE_MAC_SHA256, 440 }, 441 442 /* Cipher C02C */ 443 { 444 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 445 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 446 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 447 SSL_kECDHE, 448 SSL_aECDSA, 449 SSL_AES256GCM, 450 SSL_AEAD, 451 SSL_HANDSHAKE_MAC_SHA384, 452 }, 453 454 /* Cipher C02F */ 455 { 456 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 457 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 458 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 459 SSL_kECDHE, 460 SSL_aRSA, 461 SSL_AES128GCM, 462 SSL_AEAD, 463 SSL_HANDSHAKE_MAC_SHA256, 464 }, 465 466 /* Cipher C030 */ 467 { 468 TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 469 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 470 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 471 SSL_kECDHE, 472 SSL_aRSA, 473 SSL_AES256GCM, 474 SSL_AEAD, 475 SSL_HANDSHAKE_MAC_SHA384, 476 }, 477 478 /* ECDHE-PSK cipher suites. */ 479 480 /* Cipher C035 */ 481 { 482 TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA, 483 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA", 484 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA, 485 SSL_kECDHE, 486 SSL_aPSK, 487 SSL_AES128, 488 SSL_SHA1, 489 SSL_HANDSHAKE_MAC_DEFAULT, 490 }, 491 492 /* Cipher C036 */ 493 { 494 TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA, 495 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA", 496 TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA, 497 SSL_kECDHE, 498 SSL_aPSK, 499 SSL_AES256, 500 SSL_SHA1, 501 SSL_HANDSHAKE_MAC_DEFAULT, 502 }, 503 504 /* ChaCha20-Poly1305 cipher suites. */ 505 506 /* Cipher CCA8 */ 507 { 508 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 509 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", 510 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 511 SSL_kECDHE, 512 SSL_aRSA, 513 SSL_CHACHA20POLY1305, 514 SSL_AEAD, 515 SSL_HANDSHAKE_MAC_SHA256, 516 }, 517 518 /* Cipher CCA9 */ 519 { 520 TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 521 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", 522 TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 523 SSL_kECDHE, 524 SSL_aECDSA, 525 SSL_CHACHA20POLY1305, 526 SSL_AEAD, 527 SSL_HANDSHAKE_MAC_SHA256, 528 }, 529 530 /* Cipher CCAB */ 531 { 532 TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256, 533 "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256", 534 TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256, 535 SSL_kECDHE, 536 SSL_aPSK, 537 SSL_CHACHA20POLY1305, 538 SSL_AEAD, 539 SSL_HANDSHAKE_MAC_SHA256, 540 }, 541 542 }; 543 544 static const size_t kCiphersLen = OPENSSL_ARRAY_SIZE(kCiphers); 545 546 #define CIPHER_ADD 1 547 #define CIPHER_KILL 2 548 #define CIPHER_DEL 3 549 #define CIPHER_ORD 4 550 #define CIPHER_SPECIAL 5 551 552 typedef struct cipher_order_st { 553 const SSL_CIPHER *cipher; 554 int active; 555 int in_group; 556 struct cipher_order_st *next, *prev; 557 } CIPHER_ORDER; 558 559 typedef struct cipher_alias_st { 560 /* name is the name of the cipher alias. */ 561 const char *name; 562 563 /* The following fields are bitmasks for the corresponding fields on 564 * |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the 565 * bit corresponding to the cipher's value is set to 1. If any bitmask is 566 * all zeroes, the alias matches nothing. Use |~0u| for the default value. */ 567 uint32_t algorithm_mkey; 568 uint32_t algorithm_auth; 569 uint32_t algorithm_enc; 570 uint32_t algorithm_mac; 571 572 /* min_version, if non-zero, matches all ciphers which were added in that 573 * particular protocol version. */ 574 uint16_t min_version; 575 } CIPHER_ALIAS; 576 577 static const CIPHER_ALIAS kCipherAliases[] = { 578 /* "ALL" doesn't include eNULL. It must be explicitly enabled. */ 579 {"ALL", ~0u, ~0u, ~SSL_eNULL, ~0u, 0}, 580 581 /* The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. */ 582 583 /* key exchange aliases 584 * (some of those using only a single bit here combine 585 * multiple key exchange algs according to the RFCs. */ 586 {"kRSA", SSL_kRSA, ~0u, ~0u, ~0u, 0}, 587 588 {"kECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, 589 {"kEECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, 590 {"ECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, 591 592 {"kPSK", SSL_kPSK, ~0u, ~0u, ~0u, 0}, 593 594 /* server authentication aliases */ 595 {"aRSA", ~0u, SSL_aRSA, ~SSL_eNULL, ~0u, 0}, 596 {"aECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0}, 597 {"ECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0}, 598 {"aPSK", ~0u, SSL_aPSK, ~0u, ~0u, 0}, 599 600 /* aliases combining key exchange and server authentication */ 601 {"ECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, 602 {"EECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, 603 {"RSA", SSL_kRSA, SSL_aRSA, ~SSL_eNULL, ~0u, 0}, 604 {"PSK", SSL_kPSK, SSL_aPSK, ~0u, ~0u, 0}, 605 606 /* symmetric encryption aliases */ 607 {"3DES", ~0u, ~0u, SSL_3DES, ~0u, 0}, 608 {"AES128", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0}, 609 {"AES256", ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0}, 610 {"AES", ~0u, ~0u, SSL_AES, ~0u, 0}, 611 {"AESGCM", ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0}, 612 {"CHACHA20", ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0}, 613 614 /* MAC aliases */ 615 {"SHA1", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0}, 616 {"SHA", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0}, 617 {"SHA256", ~0u, ~0u, ~0u, SSL_SHA256, 0}, 618 {"SHA384", ~0u, ~0u, ~0u, SSL_SHA384, 0}, 619 620 /* Legacy protocol minimum version aliases. "TLSv1" is intentionally the 621 * same as "SSLv3". */ 622 {"SSLv3", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION}, 623 {"TLSv1", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION}, 624 {"TLSv1.2", ~0u, ~0u, ~SSL_eNULL, ~0u, TLS1_2_VERSION}, 625 626 /* Legacy strength classes. */ 627 {"HIGH", ~0u, ~0u, ~SSL_eNULL, ~0u, 0}, 628 {"FIPS", ~0u, ~0u, ~SSL_eNULL, ~0u, 0}, 629 }; 630 631 static const size_t kCipherAliasesLen = OPENSSL_ARRAY_SIZE(kCipherAliases); 632 633 static int ssl_cipher_id_cmp(const void *in_a, const void *in_b) { 634 const SSL_CIPHER *a = reinterpret_cast<const SSL_CIPHER *>(in_a); 635 const SSL_CIPHER *b = reinterpret_cast<const SSL_CIPHER *>(in_b); 636 637 if (a->id > b->id) { 638 return 1; 639 } else if (a->id < b->id) { 640 return -1; 641 } else { 642 return 0; 643 } 644 } 645 646 const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value) { 647 SSL_CIPHER c; 648 649 c.id = 0x03000000L | value; 650 return reinterpret_cast<const SSL_CIPHER *>(bsearch( 651 &c, kCiphers, kCiphersLen, sizeof(SSL_CIPHER), ssl_cipher_id_cmp)); 652 } 653 654 int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead, 655 size_t *out_mac_secret_len, 656 size_t *out_fixed_iv_len, 657 const SSL_CIPHER *cipher, uint16_t version, int is_dtls) { 658 *out_aead = NULL; 659 *out_mac_secret_len = 0; 660 *out_fixed_iv_len = 0; 661 662 const int is_tls12 = version == TLS1_2_VERSION && !is_dtls; 663 664 if (cipher->algorithm_mac == SSL_AEAD) { 665 if (cipher->algorithm_enc == SSL_AES128GCM) { 666 *out_aead = 667 is_tls12 ? EVP_aead_aes_128_gcm_tls12() : EVP_aead_aes_128_gcm(); 668 *out_fixed_iv_len = 4; 669 } else if (cipher->algorithm_enc == SSL_AES256GCM) { 670 *out_aead = 671 is_tls12 ? EVP_aead_aes_256_gcm_tls12() : EVP_aead_aes_256_gcm(); 672 *out_fixed_iv_len = 4; 673 } else if (cipher->algorithm_enc == SSL_CHACHA20POLY1305) { 674 *out_aead = EVP_aead_chacha20_poly1305(); 675 *out_fixed_iv_len = 12; 676 } else { 677 return 0; 678 } 679 680 /* In TLS 1.3, the iv_len is equal to the AEAD nonce length whereas the code 681 * above computes the TLS 1.2 construction. */ 682 if (version >= TLS1_3_VERSION) { 683 *out_fixed_iv_len = EVP_AEAD_nonce_length(*out_aead); 684 } 685 } else if (cipher->algorithm_mac == SSL_SHA1) { 686 if (cipher->algorithm_enc == SSL_eNULL) { 687 if (version == SSL3_VERSION) { 688 *out_aead = EVP_aead_null_sha1_ssl3(); 689 } else { 690 *out_aead = EVP_aead_null_sha1_tls(); 691 } 692 } else if (cipher->algorithm_enc == SSL_3DES) { 693 if (version == SSL3_VERSION) { 694 *out_aead = EVP_aead_des_ede3_cbc_sha1_ssl3(); 695 *out_fixed_iv_len = 8; 696 } else if (version == TLS1_VERSION) { 697 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(); 698 *out_fixed_iv_len = 8; 699 } else { 700 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls(); 701 } 702 } else if (cipher->algorithm_enc == SSL_AES128) { 703 if (version == SSL3_VERSION) { 704 *out_aead = EVP_aead_aes_128_cbc_sha1_ssl3(); 705 *out_fixed_iv_len = 16; 706 } else if (version == TLS1_VERSION) { 707 *out_aead = EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(); 708 *out_fixed_iv_len = 16; 709 } else { 710 *out_aead = EVP_aead_aes_128_cbc_sha1_tls(); 711 } 712 } else if (cipher->algorithm_enc == SSL_AES256) { 713 if (version == SSL3_VERSION) { 714 *out_aead = EVP_aead_aes_256_cbc_sha1_ssl3(); 715 *out_fixed_iv_len = 16; 716 } else if (version == TLS1_VERSION) { 717 *out_aead = EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(); 718 *out_fixed_iv_len = 16; 719 } else { 720 *out_aead = EVP_aead_aes_256_cbc_sha1_tls(); 721 } 722 } else { 723 return 0; 724 } 725 726 *out_mac_secret_len = SHA_DIGEST_LENGTH; 727 } else if (cipher->algorithm_mac == SSL_SHA256) { 728 if (cipher->algorithm_enc == SSL_AES128) { 729 *out_aead = EVP_aead_aes_128_cbc_sha256_tls(); 730 } else if (cipher->algorithm_enc == SSL_AES256) { 731 *out_aead = EVP_aead_aes_256_cbc_sha256_tls(); 732 } else { 733 return 0; 734 } 735 736 *out_mac_secret_len = SHA256_DIGEST_LENGTH; 737 } else if (cipher->algorithm_mac == SSL_SHA384) { 738 if (cipher->algorithm_enc != SSL_AES256) { 739 return 0; 740 } 741 742 *out_aead = EVP_aead_aes_256_cbc_sha384_tls(); 743 *out_mac_secret_len = SHA384_DIGEST_LENGTH; 744 } else { 745 return 0; 746 } 747 748 return 1; 749 } 750 751 const EVP_MD *ssl_get_handshake_digest(uint32_t algorithm_prf, 752 uint16_t version) { 753 switch (algorithm_prf) { 754 case SSL_HANDSHAKE_MAC_DEFAULT: 755 return version >= TLS1_2_VERSION ? EVP_sha256() : EVP_md5_sha1(); 756 case SSL_HANDSHAKE_MAC_SHA256: 757 return EVP_sha256(); 758 case SSL_HANDSHAKE_MAC_SHA384: 759 return EVP_sha384(); 760 default: 761 return NULL; 762 } 763 } 764 765 #define ITEM_SEP(a) \ 766 (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ',')) 767 768 /* rule_equals returns one iff the NUL-terminated string |rule| is equal to the 769 * |buf_len| bytes at |buf|. */ 770 static int rule_equals(const char *rule, const char *buf, size_t buf_len) { 771 /* |strncmp| alone only checks that |buf| is a prefix of |rule|. */ 772 return strncmp(rule, buf, buf_len) == 0 && rule[buf_len] == '\0'; 773 } 774 775 static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr, 776 CIPHER_ORDER **tail) { 777 if (curr == *tail) { 778 return; 779 } 780 if (curr == *head) { 781 *head = curr->next; 782 } 783 if (curr->prev != NULL) { 784 curr->prev->next = curr->next; 785 } 786 if (curr->next != NULL) { 787 curr->next->prev = curr->prev; 788 } 789 (*tail)->next = curr; 790 curr->prev = *tail; 791 curr->next = NULL; 792 *tail = curr; 793 } 794 795 static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr, 796 CIPHER_ORDER **tail) { 797 if (curr == *head) { 798 return; 799 } 800 if (curr == *tail) { 801 *tail = curr->prev; 802 } 803 if (curr->next != NULL) { 804 curr->next->prev = curr->prev; 805 } 806 if (curr->prev != NULL) { 807 curr->prev->next = curr->next; 808 } 809 (*head)->prev = curr; 810 curr->next = *head; 811 curr->prev = NULL; 812 *head = curr; 813 } 814 815 static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method, 816 CIPHER_ORDER *co_list, 817 CIPHER_ORDER **head_p, 818 CIPHER_ORDER **tail_p) { 819 /* The set of ciphers is static, but some subset may be unsupported by 820 * |ssl_method|, so the list may be smaller. */ 821 size_t co_list_num = 0; 822 for (size_t i = 0; i < kCiphersLen; i++) { 823 const SSL_CIPHER *cipher = &kCiphers[i]; 824 if (ssl_method->supports_cipher(cipher) && 825 /* TLS 1.3 ciphers do not participate in this mechanism. */ 826 cipher->algorithm_mkey != SSL_kGENERIC) { 827 co_list[co_list_num].cipher = cipher; 828 co_list[co_list_num].next = NULL; 829 co_list[co_list_num].prev = NULL; 830 co_list[co_list_num].active = 0; 831 co_list[co_list_num].in_group = 0; 832 co_list_num++; 833 } 834 } 835 836 /* Prepare linked list from list entries. */ 837 if (co_list_num > 0) { 838 co_list[0].prev = NULL; 839 840 if (co_list_num > 1) { 841 co_list[0].next = &co_list[1]; 842 843 for (size_t i = 1; i < co_list_num - 1; i++) { 844 co_list[i].prev = &co_list[i - 1]; 845 co_list[i].next = &co_list[i + 1]; 846 } 847 848 co_list[co_list_num - 1].prev = &co_list[co_list_num - 2]; 849 } 850 851 co_list[co_list_num - 1].next = NULL; 852 853 *head_p = &co_list[0]; 854 *tail_p = &co_list[co_list_num - 1]; 855 } 856 } 857 858 /* ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its 859 * parameters in the linked list from |*head_p| to |*tail_p|. It writes the new 860 * head and tail of the list to |*head_p| and |*tail_p|, respectively. 861 * 862 * - If |cipher_id| is non-zero, only that cipher is selected. 863 * - Otherwise, if |strength_bits| is non-negative, it selects ciphers 864 * of that strength. 865 * - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and 866 * |min_version|. */ 867 static void ssl_cipher_apply_rule( 868 uint32_t cipher_id, uint32_t alg_mkey, uint32_t alg_auth, 869 uint32_t alg_enc, uint32_t alg_mac, uint16_t min_version, int rule, 870 int strength_bits, int in_group, CIPHER_ORDER **head_p, 871 CIPHER_ORDER **tail_p) { 872 CIPHER_ORDER *head, *tail, *curr, *next, *last; 873 const SSL_CIPHER *cp; 874 int reverse = 0; 875 876 if (cipher_id == 0 && strength_bits == -1 && min_version == 0 && 877 (alg_mkey == 0 || alg_auth == 0 || alg_enc == 0 || alg_mac == 0)) { 878 /* The rule matches nothing, so bail early. */ 879 return; 880 } 881 882 if (rule == CIPHER_DEL) { 883 /* needed to maintain sorting between currently deleted ciphers */ 884 reverse = 1; 885 } 886 887 head = *head_p; 888 tail = *tail_p; 889 890 if (reverse) { 891 next = tail; 892 last = head; 893 } else { 894 next = head; 895 last = tail; 896 } 897 898 curr = NULL; 899 for (;;) { 900 if (curr == last) { 901 break; 902 } 903 904 curr = next; 905 if (curr == NULL) { 906 break; 907 } 908 909 next = reverse ? curr->prev : curr->next; 910 cp = curr->cipher; 911 912 /* Selection criteria is either a specific cipher, the value of 913 * |strength_bits|, or the algorithms used. */ 914 if (cipher_id != 0) { 915 if (cipher_id != cp->id) { 916 continue; 917 } 918 } else if (strength_bits >= 0) { 919 if (strength_bits != SSL_CIPHER_get_bits(cp, NULL)) { 920 continue; 921 } 922 } else { 923 if (!(alg_mkey & cp->algorithm_mkey) || 924 !(alg_auth & cp->algorithm_auth) || 925 !(alg_enc & cp->algorithm_enc) || 926 !(alg_mac & cp->algorithm_mac) || 927 (min_version != 0 && SSL_CIPHER_get_min_version(cp) != min_version)) { 928 continue; 929 } 930 } 931 932 /* add the cipher if it has not been added yet. */ 933 if (rule == CIPHER_ADD) { 934 /* reverse == 0 */ 935 if (!curr->active) { 936 ll_append_tail(&head, curr, &tail); 937 curr->active = 1; 938 curr->in_group = in_group; 939 } 940 } 941 942 /* Move the added cipher to this location */ 943 else if (rule == CIPHER_ORD) { 944 /* reverse == 0 */ 945 if (curr->active) { 946 ll_append_tail(&head, curr, &tail); 947 curr->in_group = 0; 948 } 949 } else if (rule == CIPHER_DEL) { 950 /* reverse == 1 */ 951 if (curr->active) { 952 /* most recently deleted ciphersuites get best positions 953 * for any future CIPHER_ADD (note that the CIPHER_DEL loop 954 * works in reverse to maintain the order) */ 955 ll_append_head(&head, curr, &tail); 956 curr->active = 0; 957 curr->in_group = 0; 958 } 959 } else if (rule == CIPHER_KILL) { 960 /* reverse == 0 */ 961 if (head == curr) { 962 head = curr->next; 963 } else { 964 curr->prev->next = curr->next; 965 } 966 967 if (tail == curr) { 968 tail = curr->prev; 969 } 970 curr->active = 0; 971 if (curr->next != NULL) { 972 curr->next->prev = curr->prev; 973 } 974 if (curr->prev != NULL) { 975 curr->prev->next = curr->next; 976 } 977 curr->next = NULL; 978 curr->prev = NULL; 979 } 980 } 981 982 *head_p = head; 983 *tail_p = tail; 984 } 985 986 static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p, 987 CIPHER_ORDER **tail_p) { 988 int max_strength_bits, i, *number_uses; 989 CIPHER_ORDER *curr; 990 991 /* This routine sorts the ciphers with descending strength. The sorting must 992 * keep the pre-sorted sequence, so we apply the normal sorting routine as 993 * '+' movement to the end of the list. */ 994 max_strength_bits = 0; 995 curr = *head_p; 996 while (curr != NULL) { 997 if (curr->active && 998 SSL_CIPHER_get_bits(curr->cipher, NULL) > max_strength_bits) { 999 max_strength_bits = SSL_CIPHER_get_bits(curr->cipher, NULL); 1000 } 1001 curr = curr->next; 1002 } 1003 1004 number_uses = (int *)OPENSSL_malloc((max_strength_bits + 1) * sizeof(int)); 1005 if (!number_uses) { 1006 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 1007 return 0; 1008 } 1009 OPENSSL_memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int)); 1010 1011 /* Now find the strength_bits values actually used. */ 1012 curr = *head_p; 1013 while (curr != NULL) { 1014 if (curr->active) { 1015 number_uses[SSL_CIPHER_get_bits(curr->cipher, NULL)]++; 1016 } 1017 curr = curr->next; 1018 } 1019 1020 /* Go through the list of used strength_bits values in descending order. */ 1021 for (i = max_strength_bits; i >= 0; i--) { 1022 if (number_uses[i] > 0) { 1023 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i, 0, head_p, tail_p); 1024 } 1025 } 1026 1027 OPENSSL_free(number_uses); 1028 return 1; 1029 } 1030 1031 static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method, 1032 const char *rule_str, 1033 CIPHER_ORDER **head_p, 1034 CIPHER_ORDER **tail_p, int strict) { 1035 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac; 1036 uint16_t min_version; 1037 const char *l, *buf; 1038 int multi, skip_rule, rule, in_group = 0, has_group = 0; 1039 size_t j, buf_len; 1040 uint32_t cipher_id; 1041 char ch; 1042 1043 l = rule_str; 1044 for (;;) { 1045 ch = *l; 1046 1047 if (ch == '\0') { 1048 break; /* done */ 1049 } 1050 1051 if (in_group) { 1052 if (ch == ']') { 1053 if (*tail_p) { 1054 (*tail_p)->in_group = 0; 1055 } 1056 in_group = 0; 1057 l++; 1058 continue; 1059 } 1060 1061 if (ch == '|') { 1062 rule = CIPHER_ADD; 1063 l++; 1064 continue; 1065 } else if (!(ch >= 'a' && ch <= 'z') && !(ch >= 'A' && ch <= 'Z') && 1066 !(ch >= '0' && ch <= '9')) { 1067 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP); 1068 return 0; 1069 } else { 1070 rule = CIPHER_ADD; 1071 } 1072 } else if (ch == '-') { 1073 rule = CIPHER_DEL; 1074 l++; 1075 } else if (ch == '+') { 1076 rule = CIPHER_ORD; 1077 l++; 1078 } else if (ch == '!') { 1079 rule = CIPHER_KILL; 1080 l++; 1081 } else if (ch == '@') { 1082 rule = CIPHER_SPECIAL; 1083 l++; 1084 } else if (ch == '[') { 1085 assert(!in_group); 1086 in_group = 1; 1087 has_group = 1; 1088 l++; 1089 continue; 1090 } else { 1091 rule = CIPHER_ADD; 1092 } 1093 1094 /* If preference groups are enabled, the only legal operator is +. 1095 * Otherwise the in_group bits will get mixed up. */ 1096 if (has_group && rule != CIPHER_ADD) { 1097 OPENSSL_PUT_ERROR(SSL, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS); 1098 return 0; 1099 } 1100 1101 if (ITEM_SEP(ch)) { 1102 l++; 1103 continue; 1104 } 1105 1106 multi = 0; 1107 cipher_id = 0; 1108 alg_mkey = ~0u; 1109 alg_auth = ~0u; 1110 alg_enc = ~0u; 1111 alg_mac = ~0u; 1112 min_version = 0; 1113 skip_rule = 0; 1114 1115 for (;;) { 1116 ch = *l; 1117 buf = l; 1118 buf_len = 0; 1119 while ((ch >= 'A' && ch <= 'Z') || (ch >= '0' && ch <= '9') || 1120 (ch >= 'a' && ch <= 'z') || ch == '-' || ch == '.' || ch == '_') { 1121 ch = *(++l); 1122 buf_len++; 1123 } 1124 1125 if (buf_len == 0) { 1126 /* We hit something we cannot deal with, it is no command or separator 1127 * nor alphanumeric, so we call this an error. */ 1128 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND); 1129 return 0; 1130 } 1131 1132 if (rule == CIPHER_SPECIAL) { 1133 break; 1134 } 1135 1136 /* Look for a matching exact cipher. These aren't allowed in multipart 1137 * rules. */ 1138 if (!multi && ch != '+') { 1139 for (j = 0; j < kCiphersLen; j++) { 1140 const SSL_CIPHER *cipher = &kCiphers[j]; 1141 if (rule_equals(cipher->name, buf, buf_len) || 1142 rule_equals(cipher->standard_name, buf, buf_len)) { 1143 cipher_id = cipher->id; 1144 break; 1145 } 1146 } 1147 } 1148 if (cipher_id == 0) { 1149 /* If not an exact cipher, look for a matching cipher alias. */ 1150 for (j = 0; j < kCipherAliasesLen; j++) { 1151 if (rule_equals(kCipherAliases[j].name, buf, buf_len)) { 1152 alg_mkey &= kCipherAliases[j].algorithm_mkey; 1153 alg_auth &= kCipherAliases[j].algorithm_auth; 1154 alg_enc &= kCipherAliases[j].algorithm_enc; 1155 alg_mac &= kCipherAliases[j].algorithm_mac; 1156 1157 if (min_version != 0 && 1158 min_version != kCipherAliases[j].min_version) { 1159 skip_rule = 1; 1160 } else { 1161 min_version = kCipherAliases[j].min_version; 1162 } 1163 break; 1164 } 1165 } 1166 if (j == kCipherAliasesLen) { 1167 skip_rule = 1; 1168 if (strict) { 1169 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND); 1170 return 0; 1171 } 1172 } 1173 } 1174 1175 /* Check for a multipart rule. */ 1176 if (ch != '+') { 1177 break; 1178 } 1179 l++; 1180 multi = 1; 1181 } 1182 1183 /* Ok, we have the rule, now apply it. */ 1184 if (rule == CIPHER_SPECIAL) { 1185 if (buf_len != 8 || strncmp(buf, "STRENGTH", 8) != 0) { 1186 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND); 1187 return 0; 1188 } 1189 if (!ssl_cipher_strength_sort(head_p, tail_p)) { 1190 return 0; 1191 } 1192 1193 /* We do not support any "multi" options together with "@", so throw away 1194 * the rest of the command, if any left, until end or ':' is found. */ 1195 while (*l != '\0' && !ITEM_SEP(*l)) { 1196 l++; 1197 } 1198 } else if (!skip_rule) { 1199 ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth, alg_enc, alg_mac, 1200 min_version, rule, -1, in_group, head_p, tail_p); 1201 } 1202 } 1203 1204 if (in_group) { 1205 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND); 1206 return 0; 1207 } 1208 1209 return 1; 1210 } 1211 1212 int ssl_create_cipher_list( 1213 const SSL_PROTOCOL_METHOD *ssl_method, 1214 struct ssl_cipher_preference_list_st **out_cipher_list, 1215 const char *rule_str, int strict) { 1216 STACK_OF(SSL_CIPHER) *cipherstack = NULL; 1217 CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; 1218 uint8_t *in_group_flags = NULL; 1219 unsigned int num_in_group_flags = 0; 1220 struct ssl_cipher_preference_list_st *pref_list = NULL; 1221 1222 /* Return with error if nothing to do. */ 1223 if (rule_str == NULL || out_cipher_list == NULL) { 1224 return 0; 1225 } 1226 1227 /* Now we have to collect the available ciphers from the compiled in ciphers. 1228 * We cannot get more than the number compiled in, so it is used for 1229 * allocation. */ 1230 co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * kCiphersLen); 1231 if (co_list == NULL) { 1232 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 1233 return 0; 1234 } 1235 1236 ssl_cipher_collect_ciphers(ssl_method, co_list, &head, &tail); 1237 1238 /* Now arrange all ciphers by preference: 1239 * TODO(davidben): Compute this order once and copy it. */ 1240 1241 /* Everything else being equal, prefer ECDHE_ECDSA and ECDHE_RSA over other 1242 * key exchange mechanisms */ 1243 ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, ~0u, ~0u, 0, CIPHER_ADD, -1, 1244 0, &head, &tail); 1245 ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0, 1246 &head, &tail); 1247 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head, 1248 &tail); 1249 1250 /* Order the bulk ciphers. First the preferred AEAD ciphers. We prefer 1251 * CHACHA20 unless there is hardware support for fast and constant-time 1252 * AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the 1253 * old one. */ 1254 if (EVP_has_aes_hardware()) { 1255 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0, 1256 &head, &tail); 1257 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0, 1258 &head, &tail); 1259 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD, 1260 -1, 0, &head, &tail); 1261 } else { 1262 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD, 1263 -1, 0, &head, &tail); 1264 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0, 1265 &head, &tail); 1266 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0, 1267 &head, &tail); 1268 } 1269 1270 /* Then the legacy non-AEAD ciphers: AES_128_CBC, AES_256_CBC, 1271 * 3DES_EDE_CBC_SHA. */ 1272 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, 0, CIPHER_ADD, -1, 0, 1273 &head, &tail); 1274 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, 0, CIPHER_ADD, -1, 0, 1275 &head, &tail); 1276 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, 0, CIPHER_ADD, -1, 0, &head, 1277 &tail); 1278 1279 /* Temporarily enable everything else for sorting */ 1280 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0, &head, 1281 &tail); 1282 1283 /* Move ciphers without forward secrecy to the end. */ 1284 ssl_cipher_apply_rule(0, (SSL_kRSA | SSL_kPSK), ~0u, ~0u, ~0u, 0, 1285 CIPHER_ORD, -1, 0, &head, &tail); 1286 1287 /* Now disable everything (maintaining the ordering!) */ 1288 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head, 1289 &tail); 1290 1291 /* If the rule_string begins with DEFAULT, apply the default rule before 1292 * using the (possibly available) additional rules. */ 1293 const char *rule_p = rule_str; 1294 if (strncmp(rule_str, "DEFAULT", 7) == 0) { 1295 if (!ssl_cipher_process_rulestr(ssl_method, SSL_DEFAULT_CIPHER_LIST, &head, 1296 &tail, strict)) { 1297 goto err; 1298 } 1299 rule_p += 7; 1300 if (*rule_p == ':') { 1301 rule_p++; 1302 } 1303 } 1304 1305 if (*rule_p != '\0' && 1306 !ssl_cipher_process_rulestr(ssl_method, rule_p, &head, &tail, strict)) { 1307 goto err; 1308 } 1309 1310 /* Allocate new "cipherstack" for the result, return with error 1311 * if we cannot get one. */ 1312 cipherstack = sk_SSL_CIPHER_new_null(); 1313 if (cipherstack == NULL) { 1314 goto err; 1315 } 1316 1317 in_group_flags = (uint8_t *)OPENSSL_malloc(kCiphersLen); 1318 if (!in_group_flags) { 1319 goto err; 1320 } 1321 1322 /* The cipher selection for the list is done. The ciphers are added 1323 * to the resulting precedence to the STACK_OF(SSL_CIPHER). */ 1324 for (curr = head; curr != NULL; curr = curr->next) { 1325 if (curr->active) { 1326 if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) { 1327 goto err; 1328 } 1329 in_group_flags[num_in_group_flags++] = curr->in_group; 1330 } 1331 } 1332 OPENSSL_free(co_list); /* Not needed any longer */ 1333 co_list = NULL; 1334 1335 pref_list = (ssl_cipher_preference_list_st *)OPENSSL_malloc( 1336 sizeof(struct ssl_cipher_preference_list_st)); 1337 if (!pref_list) { 1338 goto err; 1339 } 1340 pref_list->ciphers = cipherstack; 1341 pref_list->in_group_flags = (uint8_t *)OPENSSL_malloc(num_in_group_flags); 1342 if (!pref_list->in_group_flags) { 1343 goto err; 1344 } 1345 OPENSSL_memcpy(pref_list->in_group_flags, in_group_flags, num_in_group_flags); 1346 OPENSSL_free(in_group_flags); 1347 in_group_flags = NULL; 1348 if (*out_cipher_list != NULL) { 1349 ssl_cipher_preference_list_free(*out_cipher_list); 1350 } 1351 *out_cipher_list = pref_list; 1352 pref_list = NULL; 1353 1354 /* Configuring an empty cipher list is an error but still updates the 1355 * output. */ 1356 if (sk_SSL_CIPHER_num((*out_cipher_list)->ciphers) == 0) { 1357 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHER_MATCH); 1358 return 0; 1359 } 1360 1361 return 1; 1362 1363 err: 1364 OPENSSL_free(co_list); 1365 OPENSSL_free(in_group_flags); 1366 sk_SSL_CIPHER_free(cipherstack); 1367 if (pref_list) { 1368 OPENSSL_free(pref_list->in_group_flags); 1369 } 1370 OPENSSL_free(pref_list); 1371 return 0; 1372 } 1373 1374 uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher) { return cipher->id; } 1375 1376 uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher) { 1377 uint32_t id = cipher->id; 1378 /* All ciphers are SSLv3. */ 1379 assert((id & 0xff000000) == 0x03000000); 1380 return id & 0xffff; 1381 } 1382 1383 int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher) { 1384 return (cipher->algorithm_enc & SSL_AES) != 0; 1385 } 1386 1387 int SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER *cipher) { 1388 return (cipher->algorithm_mac & SSL_SHA1) != 0; 1389 } 1390 1391 int SSL_CIPHER_has_SHA256_HMAC(const SSL_CIPHER *cipher) { 1392 return (cipher->algorithm_mac & SSL_SHA256) != 0; 1393 } 1394 1395 int SSL_CIPHER_has_SHA384_HMAC(const SSL_CIPHER *cipher) { 1396 return (cipher->algorithm_mac & SSL_SHA384) != 0; 1397 } 1398 1399 int SSL_CIPHER_is_AEAD(const SSL_CIPHER *cipher) { 1400 return (cipher->algorithm_mac & SSL_AEAD) != 0; 1401 } 1402 1403 int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher) { 1404 return (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) != 0; 1405 } 1406 1407 int SSL_CIPHER_is_AES128GCM(const SSL_CIPHER *cipher) { 1408 return (cipher->algorithm_enc & SSL_AES128GCM) != 0; 1409 } 1410 1411 int SSL_CIPHER_is_AES128CBC(const SSL_CIPHER *cipher) { 1412 return (cipher->algorithm_enc & SSL_AES128) != 0; 1413 } 1414 1415 int SSL_CIPHER_is_AES256CBC(const SSL_CIPHER *cipher) { 1416 return (cipher->algorithm_enc & SSL_AES256) != 0; 1417 } 1418 1419 int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher) { 1420 return (cipher->algorithm_enc & SSL_CHACHA20POLY1305) != 0; 1421 } 1422 1423 int SSL_CIPHER_is_NULL(const SSL_CIPHER *cipher) { 1424 return (cipher->algorithm_enc & SSL_eNULL) != 0; 1425 } 1426 1427 int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher) { 1428 return (cipher->algorithm_enc & SSL_eNULL) == 0 && 1429 cipher->algorithm_mac != SSL_AEAD; 1430 } 1431 1432 int SSL_CIPHER_is_ECDSA(const SSL_CIPHER *cipher) { 1433 return (cipher->algorithm_auth & SSL_aECDSA) != 0; 1434 } 1435 1436 int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher) { 1437 return (cipher->algorithm_mkey & SSL_kECDHE) != 0; 1438 } 1439 1440 int SSL_CIPHER_is_static_RSA(const SSL_CIPHER *cipher) { 1441 return (cipher->algorithm_mkey & SSL_kRSA) != 0; 1442 } 1443 1444 uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) { 1445 if (cipher->algorithm_mkey == SSL_kGENERIC || 1446 cipher->algorithm_auth == SSL_aGENERIC) { 1447 return TLS1_3_VERSION; 1448 } 1449 1450 if (cipher->algorithm_prf != SSL_HANDSHAKE_MAC_DEFAULT) { 1451 /* Cipher suites before TLS 1.2 use the default PRF, while all those added 1452 * afterwards specify a particular hash. */ 1453 return TLS1_2_VERSION; 1454 } 1455 return SSL3_VERSION; 1456 } 1457 1458 uint16_t SSL_CIPHER_get_max_version(const SSL_CIPHER *cipher) { 1459 if (cipher->algorithm_mkey == SSL_kGENERIC || 1460 cipher->algorithm_auth == SSL_aGENERIC) { 1461 return TLS1_3_VERSION; 1462 } 1463 return TLS1_2_VERSION; 1464 } 1465 1466 /* return the actual cipher being used */ 1467 const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) { 1468 if (cipher != NULL) { 1469 return cipher->name; 1470 } 1471 1472 return "(NONE)"; 1473 } 1474 1475 const char *SSL_CIPHER_standard_name(const SSL_CIPHER *cipher) { 1476 return cipher->standard_name; 1477 } 1478 1479 const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) { 1480 if (cipher == NULL) { 1481 return ""; 1482 } 1483 1484 switch (cipher->algorithm_mkey) { 1485 case SSL_kRSA: 1486 return "RSA"; 1487 1488 case SSL_kECDHE: 1489 switch (cipher->algorithm_auth) { 1490 case SSL_aECDSA: 1491 return "ECDHE_ECDSA"; 1492 case SSL_aRSA: 1493 return "ECDHE_RSA"; 1494 case SSL_aPSK: 1495 return "ECDHE_PSK"; 1496 default: 1497 assert(0); 1498 return "UNKNOWN"; 1499 } 1500 1501 case SSL_kPSK: 1502 assert(cipher->algorithm_auth == SSL_aPSK); 1503 return "PSK"; 1504 1505 case SSL_kGENERIC: 1506 assert(cipher->algorithm_auth == SSL_aGENERIC); 1507 return "GENERIC"; 1508 1509 default: 1510 assert(0); 1511 return "UNKNOWN"; 1512 } 1513 } 1514 1515 char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher) { 1516 if (cipher == NULL) { 1517 return NULL; 1518 } 1519 1520 return OPENSSL_strdup(SSL_CIPHER_standard_name(cipher)); 1521 } 1522 1523 int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *out_alg_bits) { 1524 if (cipher == NULL) { 1525 return 0; 1526 } 1527 1528 int alg_bits, strength_bits; 1529 switch (cipher->algorithm_enc) { 1530 case SSL_AES128: 1531 case SSL_AES128GCM: 1532 alg_bits = 128; 1533 strength_bits = 128; 1534 break; 1535 1536 case SSL_AES256: 1537 case SSL_AES256GCM: 1538 case SSL_CHACHA20POLY1305: 1539 alg_bits = 256; 1540 strength_bits = 256; 1541 break; 1542 1543 case SSL_3DES: 1544 alg_bits = 168; 1545 strength_bits = 112; 1546 break; 1547 1548 case SSL_eNULL: 1549 alg_bits = 0; 1550 strength_bits = 0; 1551 break; 1552 1553 default: 1554 assert(0); 1555 alg_bits = 0; 1556 strength_bits = 0; 1557 } 1558 1559 if (out_alg_bits != NULL) { 1560 *out_alg_bits = alg_bits; 1561 } 1562 return strength_bits; 1563 } 1564 1565 const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, 1566 int len) { 1567 const char *kx, *au, *enc, *mac; 1568 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac; 1569 1570 alg_mkey = cipher->algorithm_mkey; 1571 alg_auth = cipher->algorithm_auth; 1572 alg_enc = cipher->algorithm_enc; 1573 alg_mac = cipher->algorithm_mac; 1574 1575 switch (alg_mkey) { 1576 case SSL_kRSA: 1577 kx = "RSA"; 1578 break; 1579 1580 case SSL_kECDHE: 1581 kx = "ECDH"; 1582 break; 1583 1584 case SSL_kPSK: 1585 kx = "PSK"; 1586 break; 1587 1588 case SSL_kGENERIC: 1589 kx = "GENERIC"; 1590 break; 1591 1592 default: 1593 kx = "unknown"; 1594 } 1595 1596 switch (alg_auth) { 1597 case SSL_aRSA: 1598 au = "RSA"; 1599 break; 1600 1601 case SSL_aECDSA: 1602 au = "ECDSA"; 1603 break; 1604 1605 case SSL_aPSK: 1606 au = "PSK"; 1607 break; 1608 1609 case SSL_aGENERIC: 1610 au = "GENERIC"; 1611 break; 1612 1613 default: 1614 au = "unknown"; 1615 break; 1616 } 1617 1618 switch (alg_enc) { 1619 case SSL_3DES: 1620 enc = "3DES(168)"; 1621 break; 1622 1623 case SSL_AES128: 1624 enc = "AES(128)"; 1625 break; 1626 1627 case SSL_AES256: 1628 enc = "AES(256)"; 1629 break; 1630 1631 case SSL_AES128GCM: 1632 enc = "AESGCM(128)"; 1633 break; 1634 1635 case SSL_AES256GCM: 1636 enc = "AESGCM(256)"; 1637 break; 1638 1639 case SSL_CHACHA20POLY1305: 1640 enc = "ChaCha20-Poly1305"; 1641 break; 1642 1643 case SSL_eNULL: 1644 enc="None"; 1645 break; 1646 1647 default: 1648 enc = "unknown"; 1649 break; 1650 } 1651 1652 switch (alg_mac) { 1653 case SSL_SHA1: 1654 mac = "SHA1"; 1655 break; 1656 1657 case SSL_SHA256: 1658 mac = "SHA256"; 1659 break; 1660 1661 case SSL_SHA384: 1662 mac = "SHA384"; 1663 break; 1664 1665 case SSL_AEAD: 1666 mac = "AEAD"; 1667 break; 1668 1669 default: 1670 mac = "unknown"; 1671 break; 1672 } 1673 1674 if (buf == NULL) { 1675 len = 128; 1676 buf = (char *)OPENSSL_malloc(len); 1677 if (buf == NULL) { 1678 return NULL; 1679 } 1680 } else if (len < 128) { 1681 return "Buffer too small"; 1682 } 1683 1684 BIO_snprintf(buf, len, "%-23s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n", 1685 cipher->name, kx, au, enc, mac); 1686 return buf; 1687 } 1688 1689 const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher) { 1690 return "TLSv1/SSLv3"; 1691 } 1692 1693 STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void) { return NULL; } 1694 1695 int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) { return 1; } 1696 1697 const char *SSL_COMP_get_name(const COMP_METHOD *comp) { return NULL; } 1698 1699 void SSL_COMP_free_compression_methods(void) {} 1700 1701 uint32_t ssl_cipher_auth_mask_for_key(const EVP_PKEY *key) { 1702 switch (EVP_PKEY_id(key)) { 1703 case EVP_PKEY_RSA: 1704 return SSL_aRSA; 1705 case EVP_PKEY_EC: 1706 case EVP_PKEY_ED25519: 1707 /* Ed25519 keys in TLS 1.2 repurpose the ECDSA ciphers. */ 1708 return SSL_aECDSA; 1709 default: 1710 return 0; 1711 } 1712 } 1713 1714 int ssl_cipher_uses_certificate_auth(const SSL_CIPHER *cipher) { 1715 return (cipher->algorithm_auth & SSL_aCERT) != 0; 1716 } 1717 1718 int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) { 1719 /* Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. */ 1720 if (cipher->algorithm_mkey & SSL_kECDHE) { 1721 return 1; 1722 } 1723 1724 /* It is optional in all others. */ 1725 return 0; 1726 } 1727 1728 size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher) { 1729 size_t block_size; 1730 switch (cipher->algorithm_enc) { 1731 case SSL_3DES: 1732 block_size = 8; 1733 break; 1734 case SSL_AES128: 1735 case SSL_AES256: 1736 block_size = 16; 1737 break; 1738 default: 1739 return 0; 1740 } 1741 1742 /* All supported TLS 1.0 ciphers use SHA-1. */ 1743 assert(cipher->algorithm_mac == SSL_SHA1); 1744 size_t ret = 1 + SHA_DIGEST_LENGTH; 1745 ret += block_size - (ret % block_size); 1746 return ret; 1747 } 1748