1 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 2 * All rights reserved. 3 * 4 * This package is an SSL implementation written 5 * by Eric Young (eay (at) cryptsoft.com). 6 * The implementation was written so as to conform with Netscapes SSL. 7 * 8 * This library is free for commercial and non-commercial use as long as 9 * the following conditions are aheared to. The following conditions 10 * apply to all code found in this distribution, be it the RC4, RSA, 11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * included with this distribution is covered by the same copyright terms 13 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 14 * 15 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * the code are not to be removed. 17 * If this package is used in a product, Eric Young should be given attribution 18 * as the author of the parts of the library used. 19 * This can be in the form of a textual message at program startup or 20 * in documentation (online or textual) provided with the package. 21 * 22 * Redistribution and use in source and binary forms, with or without 23 * modification, are permitted provided that the following conditions 24 * are met: 25 * 1. Redistributions of source code must retain the copyright 26 * notice, this list of conditions and the following disclaimer. 27 * 2. Redistributions in binary form must reproduce the above copyright 28 * notice, this list of conditions and the following disclaimer in the 29 * documentation and/or other materials provided with the distribution. 30 * 3. All advertising materials mentioning features or use of this software 31 * must display the following acknowledgement: 32 * "This product includes cryptographic software written by 33 * Eric Young (eay (at) cryptsoft.com)" 34 * The word 'cryptographic' can be left out if the rouines from the library 35 * being used are not cryptographic related :-). 36 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * the apps directory (application code) you must include an acknowledgement: 38 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * SUCH DAMAGE. 51 * 52 * The licence and distribution terms for any publically available version or 53 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * copied and put under another distribution licence 55 * [including the GNU Public Licence.] 56 */ 57 /* ==================================================================== 58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 59 * 60 * Redistribution and use in source and binary forms, with or without 61 * modification, are permitted provided that the following conditions 62 * are met: 63 * 64 * 1. Redistributions of source code must retain the above copyright 65 * notice, this list of conditions and the following disclaimer. 66 * 67 * 2. Redistributions in binary form must reproduce the above copyright 68 * notice, this list of conditions and the following disclaimer in 69 * the documentation and/or other materials provided with the 70 * distribution. 71 * 72 * 3. All advertising materials mentioning features or use of this 73 * software must display the following acknowledgment: 74 * "This product includes software developed by the OpenSSL Project 75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 76 * 77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 78 * endorse or promote products derived from this software without 79 * prior written permission. For written permission, please contact 80 * openssl-core (at) openssl.org. 81 * 82 * 5. Products derived from this software may not be called "OpenSSL" 83 * nor may "OpenSSL" appear in their names without prior written 84 * permission of the OpenSSL Project. 85 * 86 * 6. Redistributions of any form whatsoever must retain the following 87 * acknowledgment: 88 * "This product includes software developed by the OpenSSL Project 89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 90 * 91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 102 * OF THE POSSIBILITY OF SUCH DAMAGE. 103 * ==================================================================== 104 * 105 * This product includes cryptographic software written by Eric Young 106 * (eay (at) cryptsoft.com). This product includes software written by Tim 107 * Hudson (tjh (at) cryptsoft.com). 108 * 109 */ 110 /* ==================================================================== 111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 112 * ECC cipher suite support in OpenSSL originally developed by 113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 114 */ 115 /* ==================================================================== 116 * Copyright 2005 Nokia. All rights reserved. 117 * 118 * The portions of the attached software ("Contribution") is developed by 119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 120 * license. 121 * 122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 124 * support (see RFC 4279) to OpenSSL. 125 * 126 * No patent licenses or other rights except those expressly stated in 127 * the OpenSSL open source license shall be deemed granted or received 128 * expressly, by implication, estoppel, or otherwise. 129 * 130 * No assurances are provided by Nokia that the Contribution does not 131 * infringe the patent or other intellectual property rights of any third 132 * party or that the license provides you with all the necessary rights 133 * to make use of the Contribution. 134 * 135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 139 * OTHERWISE. */ 140 141 #include <openssl/ssl.h> 142 143 #include <assert.h> 144 #include <string.h> 145 146 #include <openssl/buf.h> 147 #include <openssl/err.h> 148 #include <openssl/md5.h> 149 #include <openssl/mem.h> 150 #include <openssl/sha.h> 151 #include <openssl/stack.h> 152 153 #include "internal.h" 154 #include "../crypto/internal.h" 155 156 157 namespace bssl { 158 159 // kCiphers is an array of all supported ciphers, sorted by id. 160 static const SSL_CIPHER kCiphers[] = { 161 // The RSA ciphers 162 // Cipher 02 163 { 164 SSL3_TXT_RSA_NULL_SHA, 165 "TLS_RSA_WITH_NULL_SHA", 166 SSL3_CK_RSA_NULL_SHA, 167 SSL_kRSA, 168 SSL_aRSA, 169 SSL_eNULL, 170 SSL_SHA1, 171 SSL_HANDSHAKE_MAC_DEFAULT, 172 }, 173 174 // Cipher 0A 175 { 176 SSL3_TXT_RSA_DES_192_CBC3_SHA, 177 "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 178 SSL3_CK_RSA_DES_192_CBC3_SHA, 179 SSL_kRSA, 180 SSL_aRSA, 181 SSL_3DES, 182 SSL_SHA1, 183 SSL_HANDSHAKE_MAC_DEFAULT, 184 }, 185 186 187 // New AES ciphersuites 188 189 // Cipher 2F 190 { 191 TLS1_TXT_RSA_WITH_AES_128_SHA, 192 "TLS_RSA_WITH_AES_128_CBC_SHA", 193 TLS1_CK_RSA_WITH_AES_128_SHA, 194 SSL_kRSA, 195 SSL_aRSA, 196 SSL_AES128, 197 SSL_SHA1, 198 SSL_HANDSHAKE_MAC_DEFAULT, 199 }, 200 201 // Cipher 35 202 { 203 TLS1_TXT_RSA_WITH_AES_256_SHA, 204 "TLS_RSA_WITH_AES_256_CBC_SHA", 205 TLS1_CK_RSA_WITH_AES_256_SHA, 206 SSL_kRSA, 207 SSL_aRSA, 208 SSL_AES256, 209 SSL_SHA1, 210 SSL_HANDSHAKE_MAC_DEFAULT, 211 }, 212 213 214 // TLS v1.2 ciphersuites 215 216 // Cipher 3C 217 { 218 TLS1_TXT_RSA_WITH_AES_128_SHA256, 219 "TLS_RSA_WITH_AES_128_CBC_SHA256", 220 TLS1_CK_RSA_WITH_AES_128_SHA256, 221 SSL_kRSA, 222 SSL_aRSA, 223 SSL_AES128, 224 SSL_SHA256, 225 SSL_HANDSHAKE_MAC_SHA256, 226 }, 227 228 // Cipher 3D 229 { 230 TLS1_TXT_RSA_WITH_AES_256_SHA256, 231 "TLS_RSA_WITH_AES_256_CBC_SHA256", 232 TLS1_CK_RSA_WITH_AES_256_SHA256, 233 SSL_kRSA, 234 SSL_aRSA, 235 SSL_AES256, 236 SSL_SHA256, 237 SSL_HANDSHAKE_MAC_SHA256, 238 }, 239 240 // PSK cipher suites. 241 242 // Cipher 8C 243 { 244 TLS1_TXT_PSK_WITH_AES_128_CBC_SHA, 245 "TLS_PSK_WITH_AES_128_CBC_SHA", 246 TLS1_CK_PSK_WITH_AES_128_CBC_SHA, 247 SSL_kPSK, 248 SSL_aPSK, 249 SSL_AES128, 250 SSL_SHA1, 251 SSL_HANDSHAKE_MAC_DEFAULT, 252 }, 253 254 // Cipher 8D 255 { 256 TLS1_TXT_PSK_WITH_AES_256_CBC_SHA, 257 "TLS_PSK_WITH_AES_256_CBC_SHA", 258 TLS1_CK_PSK_WITH_AES_256_CBC_SHA, 259 SSL_kPSK, 260 SSL_aPSK, 261 SSL_AES256, 262 SSL_SHA1, 263 SSL_HANDSHAKE_MAC_DEFAULT, 264 }, 265 266 // GCM ciphersuites from RFC5288 267 268 // Cipher 9C 269 { 270 TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256, 271 "TLS_RSA_WITH_AES_128_GCM_SHA256", 272 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 273 SSL_kRSA, 274 SSL_aRSA, 275 SSL_AES128GCM, 276 SSL_AEAD, 277 SSL_HANDSHAKE_MAC_SHA256, 278 }, 279 280 // Cipher 9D 281 { 282 TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384, 283 "TLS_RSA_WITH_AES_256_GCM_SHA384", 284 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, 285 SSL_kRSA, 286 SSL_aRSA, 287 SSL_AES256GCM, 288 SSL_AEAD, 289 SSL_HANDSHAKE_MAC_SHA384, 290 }, 291 292 // TLS 1.3 suites. 293 294 // Cipher 1301 295 { 296 TLS1_TXT_AES_128_GCM_SHA256, 297 "TLS_AES_128_GCM_SHA256", 298 TLS1_CK_AES_128_GCM_SHA256, 299 SSL_kGENERIC, 300 SSL_aGENERIC, 301 SSL_AES128GCM, 302 SSL_AEAD, 303 SSL_HANDSHAKE_MAC_SHA256, 304 }, 305 306 // Cipher 1302 307 { 308 TLS1_TXT_AES_256_GCM_SHA384, 309 "TLS_AES_256_GCM_SHA384", 310 TLS1_CK_AES_256_GCM_SHA384, 311 SSL_kGENERIC, 312 SSL_aGENERIC, 313 SSL_AES256GCM, 314 SSL_AEAD, 315 SSL_HANDSHAKE_MAC_SHA384, 316 }, 317 318 // Cipher 1303 319 { 320 TLS1_TXT_CHACHA20_POLY1305_SHA256, 321 "TLS_CHACHA20_POLY1305_SHA256", 322 TLS1_CK_CHACHA20_POLY1305_SHA256, 323 SSL_kGENERIC, 324 SSL_aGENERIC, 325 SSL_CHACHA20POLY1305, 326 SSL_AEAD, 327 SSL_HANDSHAKE_MAC_SHA256, 328 }, 329 330 // Cipher C009 331 { 332 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 333 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", 334 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 335 SSL_kECDHE, 336 SSL_aECDSA, 337 SSL_AES128, 338 SSL_SHA1, 339 SSL_HANDSHAKE_MAC_DEFAULT, 340 }, 341 342 // Cipher C00A 343 { 344 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 345 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", 346 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 347 SSL_kECDHE, 348 SSL_aECDSA, 349 SSL_AES256, 350 SSL_SHA1, 351 SSL_HANDSHAKE_MAC_DEFAULT, 352 }, 353 354 // Cipher C013 355 { 356 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, 357 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 358 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 359 SSL_kECDHE, 360 SSL_aRSA, 361 SSL_AES128, 362 SSL_SHA1, 363 SSL_HANDSHAKE_MAC_DEFAULT, 364 }, 365 366 // Cipher C014 367 { 368 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, 369 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", 370 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 371 SSL_kECDHE, 372 SSL_aRSA, 373 SSL_AES256, 374 SSL_SHA1, 375 SSL_HANDSHAKE_MAC_DEFAULT, 376 }, 377 378 379 // HMAC based TLS v1.2 ciphersuites from RFC5289 380 381 // Cipher C023 382 { 383 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256, 384 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", 385 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, 386 SSL_kECDHE, 387 SSL_aECDSA, 388 SSL_AES128, 389 SSL_SHA256, 390 SSL_HANDSHAKE_MAC_SHA256, 391 }, 392 393 // Cipher C024 394 { 395 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384, 396 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", 397 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, 398 SSL_kECDHE, 399 SSL_aECDSA, 400 SSL_AES256, 401 SSL_SHA384, 402 SSL_HANDSHAKE_MAC_SHA384, 403 }, 404 405 // Cipher C027 406 { 407 TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256, 408 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", 409 TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, 410 SSL_kECDHE, 411 SSL_aRSA, 412 SSL_AES128, 413 SSL_SHA256, 414 SSL_HANDSHAKE_MAC_SHA256, 415 }, 416 417 // Cipher C028 418 { 419 TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384, 420 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", 421 TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, 422 SSL_kECDHE, 423 SSL_aRSA, 424 SSL_AES256, 425 SSL_SHA384, 426 SSL_HANDSHAKE_MAC_SHA384, 427 }, 428 429 430 // GCM based TLS v1.2 ciphersuites from RFC5289 431 432 // Cipher C02B 433 { 434 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 435 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 436 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 437 SSL_kECDHE, 438 SSL_aECDSA, 439 SSL_AES128GCM, 440 SSL_AEAD, 441 SSL_HANDSHAKE_MAC_SHA256, 442 }, 443 444 // Cipher C02C 445 { 446 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 447 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 448 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 449 SSL_kECDHE, 450 SSL_aECDSA, 451 SSL_AES256GCM, 452 SSL_AEAD, 453 SSL_HANDSHAKE_MAC_SHA384, 454 }, 455 456 // Cipher C02F 457 { 458 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 459 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 460 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 461 SSL_kECDHE, 462 SSL_aRSA, 463 SSL_AES128GCM, 464 SSL_AEAD, 465 SSL_HANDSHAKE_MAC_SHA256, 466 }, 467 468 // Cipher C030 469 { 470 TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 471 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 472 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 473 SSL_kECDHE, 474 SSL_aRSA, 475 SSL_AES256GCM, 476 SSL_AEAD, 477 SSL_HANDSHAKE_MAC_SHA384, 478 }, 479 480 // ECDHE-PSK cipher suites. 481 482 // Cipher C035 483 { 484 TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA, 485 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA", 486 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA, 487 SSL_kECDHE, 488 SSL_aPSK, 489 SSL_AES128, 490 SSL_SHA1, 491 SSL_HANDSHAKE_MAC_DEFAULT, 492 }, 493 494 // Cipher C036 495 { 496 TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA, 497 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA", 498 TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA, 499 SSL_kECDHE, 500 SSL_aPSK, 501 SSL_AES256, 502 SSL_SHA1, 503 SSL_HANDSHAKE_MAC_DEFAULT, 504 }, 505 506 // ChaCha20-Poly1305 cipher suites. 507 508 // Cipher CCA8 509 { 510 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 511 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", 512 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 513 SSL_kECDHE, 514 SSL_aRSA, 515 SSL_CHACHA20POLY1305, 516 SSL_AEAD, 517 SSL_HANDSHAKE_MAC_SHA256, 518 }, 519 520 // Cipher CCA9 521 { 522 TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 523 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", 524 TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 525 SSL_kECDHE, 526 SSL_aECDSA, 527 SSL_CHACHA20POLY1305, 528 SSL_AEAD, 529 SSL_HANDSHAKE_MAC_SHA256, 530 }, 531 532 // Cipher CCAB 533 { 534 TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256, 535 "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256", 536 TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256, 537 SSL_kECDHE, 538 SSL_aPSK, 539 SSL_CHACHA20POLY1305, 540 SSL_AEAD, 541 SSL_HANDSHAKE_MAC_SHA256, 542 }, 543 544 }; 545 546 static const size_t kCiphersLen = OPENSSL_ARRAY_SIZE(kCiphers); 547 548 #define CIPHER_ADD 1 549 #define CIPHER_KILL 2 550 #define CIPHER_DEL 3 551 #define CIPHER_ORD 4 552 #define CIPHER_SPECIAL 5 553 554 typedef struct cipher_order_st { 555 const SSL_CIPHER *cipher; 556 bool active; 557 bool in_group; 558 struct cipher_order_st *next, *prev; 559 } CIPHER_ORDER; 560 561 typedef struct cipher_alias_st { 562 // name is the name of the cipher alias. 563 const char *name; 564 565 // The following fields are bitmasks for the corresponding fields on 566 // |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the 567 // bit corresponding to the cipher's value is set to 1. If any bitmask is 568 // all zeroes, the alias matches nothing. Use |~0u| for the default value. 569 uint32_t algorithm_mkey; 570 uint32_t algorithm_auth; 571 uint32_t algorithm_enc; 572 uint32_t algorithm_mac; 573 574 // min_version, if non-zero, matches all ciphers which were added in that 575 // particular protocol version. 576 uint16_t min_version; 577 } CIPHER_ALIAS; 578 579 static const CIPHER_ALIAS kCipherAliases[] = { 580 // "ALL" doesn't include eNULL. It must be explicitly enabled. 581 {"ALL", ~0u, ~0u, ~0u, ~0u, 0}, 582 583 // The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. 584 585 // key exchange aliases 586 // (some of those using only a single bit here combine 587 // multiple key exchange algs according to the RFCs. 588 {"kRSA", SSL_kRSA, ~0u, ~0u, ~0u, 0}, 589 590 {"kECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, 591 {"kEECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, 592 {"ECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, 593 594 {"kPSK", SSL_kPSK, ~0u, ~0u, ~0u, 0}, 595 596 // server authentication aliases 597 {"aRSA", ~0u, SSL_aRSA, ~0u, ~0u, 0}, 598 {"aECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0}, 599 {"ECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0}, 600 {"aPSK", ~0u, SSL_aPSK, ~0u, ~0u, 0}, 601 602 // aliases combining key exchange and server authentication 603 {"ECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, 604 {"EECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, 605 {"RSA", SSL_kRSA, SSL_aRSA, ~0u, ~0u, 0}, 606 {"PSK", SSL_kPSK, SSL_aPSK, ~0u, ~0u, 0}, 607 608 // symmetric encryption aliases 609 {"3DES", ~0u, ~0u, SSL_3DES, ~0u, 0}, 610 {"AES128", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0}, 611 {"AES256", ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0}, 612 {"AES", ~0u, ~0u, SSL_AES, ~0u, 0}, 613 {"AESGCM", ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0}, 614 {"CHACHA20", ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0}, 615 616 // MAC aliases 617 {"SHA1", ~0u, ~0u, ~0u, SSL_SHA1, 0}, 618 {"SHA", ~0u, ~0u, ~0u, SSL_SHA1, 0}, 619 {"SHA256", ~0u, ~0u, ~0u, SSL_SHA256, 0}, 620 {"SHA384", ~0u, ~0u, ~0u, SSL_SHA384, 0}, 621 622 // Legacy protocol minimum version aliases. "TLSv1" is intentionally the 623 // same as "SSLv3". 624 {"SSLv3", ~0u, ~0u, ~0u, ~0u, SSL3_VERSION}, 625 {"TLSv1", ~0u, ~0u, ~0u, ~0u, SSL3_VERSION}, 626 {"TLSv1.2", ~0u, ~0u, ~0u, ~0u, TLS1_2_VERSION}, 627 628 // Legacy strength classes. 629 {"HIGH", ~0u, ~0u, ~0u, ~0u, 0}, 630 {"FIPS", ~0u, ~0u, ~0u, ~0u, 0}, 631 }; 632 633 static const size_t kCipherAliasesLen = OPENSSL_ARRAY_SIZE(kCipherAliases); 634 635 static int ssl_cipher_id_cmp(const void *in_a, const void *in_b) { 636 const SSL_CIPHER *a = reinterpret_cast<const SSL_CIPHER *>(in_a); 637 const SSL_CIPHER *b = reinterpret_cast<const SSL_CIPHER *>(in_b); 638 639 if (a->id > b->id) { 640 return 1; 641 } else if (a->id < b->id) { 642 return -1; 643 } else { 644 return 0; 645 } 646 } 647 648 bool ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead, 649 size_t *out_mac_secret_len, 650 size_t *out_fixed_iv_len, const SSL_CIPHER *cipher, 651 uint16_t version, int is_dtls) { 652 *out_aead = NULL; 653 *out_mac_secret_len = 0; 654 *out_fixed_iv_len = 0; 655 656 const int is_tls12 = version == TLS1_2_VERSION && !is_dtls; 657 658 if (cipher->algorithm_mac == SSL_AEAD) { 659 if (cipher->algorithm_enc == SSL_AES128GCM) { 660 *out_aead = 661 is_tls12 ? EVP_aead_aes_128_gcm_tls12() : EVP_aead_aes_128_gcm(); 662 *out_fixed_iv_len = 4; 663 } else if (cipher->algorithm_enc == SSL_AES256GCM) { 664 *out_aead = 665 is_tls12 ? EVP_aead_aes_256_gcm_tls12() : EVP_aead_aes_256_gcm(); 666 *out_fixed_iv_len = 4; 667 } else if (cipher->algorithm_enc == SSL_CHACHA20POLY1305) { 668 *out_aead = EVP_aead_chacha20_poly1305(); 669 *out_fixed_iv_len = 12; 670 } else { 671 return false; 672 } 673 674 // In TLS 1.3, the iv_len is equal to the AEAD nonce length whereas the code 675 // above computes the TLS 1.2 construction. 676 if (version >= TLS1_3_VERSION) { 677 *out_fixed_iv_len = EVP_AEAD_nonce_length(*out_aead); 678 } 679 } else if (cipher->algorithm_mac == SSL_SHA1) { 680 if (cipher->algorithm_enc == SSL_eNULL) { 681 if (version == SSL3_VERSION) { 682 *out_aead = EVP_aead_null_sha1_ssl3(); 683 } else { 684 *out_aead = EVP_aead_null_sha1_tls(); 685 } 686 } else if (cipher->algorithm_enc == SSL_3DES) { 687 if (version == SSL3_VERSION) { 688 *out_aead = EVP_aead_des_ede3_cbc_sha1_ssl3(); 689 *out_fixed_iv_len = 8; 690 } else if (version == TLS1_VERSION) { 691 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(); 692 *out_fixed_iv_len = 8; 693 } else { 694 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls(); 695 } 696 } else if (cipher->algorithm_enc == SSL_AES128) { 697 if (version == SSL3_VERSION) { 698 *out_aead = EVP_aead_aes_128_cbc_sha1_ssl3(); 699 *out_fixed_iv_len = 16; 700 } else if (version == TLS1_VERSION) { 701 *out_aead = EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(); 702 *out_fixed_iv_len = 16; 703 } else { 704 *out_aead = EVP_aead_aes_128_cbc_sha1_tls(); 705 } 706 } else if (cipher->algorithm_enc == SSL_AES256) { 707 if (version == SSL3_VERSION) { 708 *out_aead = EVP_aead_aes_256_cbc_sha1_ssl3(); 709 *out_fixed_iv_len = 16; 710 } else if (version == TLS1_VERSION) { 711 *out_aead = EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(); 712 *out_fixed_iv_len = 16; 713 } else { 714 *out_aead = EVP_aead_aes_256_cbc_sha1_tls(); 715 } 716 } else { 717 return false; 718 } 719 720 *out_mac_secret_len = SHA_DIGEST_LENGTH; 721 } else if (cipher->algorithm_mac == SSL_SHA256) { 722 if (cipher->algorithm_enc == SSL_AES128) { 723 *out_aead = EVP_aead_aes_128_cbc_sha256_tls(); 724 } else if (cipher->algorithm_enc == SSL_AES256) { 725 *out_aead = EVP_aead_aes_256_cbc_sha256_tls(); 726 } else { 727 return false; 728 } 729 730 *out_mac_secret_len = SHA256_DIGEST_LENGTH; 731 } else if (cipher->algorithm_mac == SSL_SHA384) { 732 if (cipher->algorithm_enc != SSL_AES256) { 733 return false; 734 } 735 736 *out_aead = EVP_aead_aes_256_cbc_sha384_tls(); 737 *out_mac_secret_len = SHA384_DIGEST_LENGTH; 738 } else { 739 return false; 740 } 741 742 return true; 743 } 744 745 const EVP_MD *ssl_get_handshake_digest(uint16_t version, 746 const SSL_CIPHER *cipher) { 747 switch (cipher->algorithm_prf) { 748 case SSL_HANDSHAKE_MAC_DEFAULT: 749 return version >= TLS1_2_VERSION ? EVP_sha256() : EVP_md5_sha1(); 750 case SSL_HANDSHAKE_MAC_SHA256: 751 return EVP_sha256(); 752 case SSL_HANDSHAKE_MAC_SHA384: 753 return EVP_sha384(); 754 default: 755 assert(0); 756 return NULL; 757 } 758 } 759 760 static bool is_cipher_list_separator(char c, int is_strict) { 761 if (c == ':') { 762 return true; 763 } 764 return !is_strict && (c == ' ' || c == ';' || c == ','); 765 } 766 767 // rule_equals returns whether the NUL-terminated string |rule| is equal to the 768 // |buf_len| bytes at |buf|. 769 static bool rule_equals(const char *rule, const char *buf, size_t buf_len) { 770 // |strncmp| alone only checks that |buf| is a prefix of |rule|. 771 return strncmp(rule, buf, buf_len) == 0 && rule[buf_len] == '\0'; 772 } 773 774 static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr, 775 CIPHER_ORDER **tail) { 776 if (curr == *tail) { 777 return; 778 } 779 if (curr == *head) { 780 *head = curr->next; 781 } 782 if (curr->prev != NULL) { 783 curr->prev->next = curr->next; 784 } 785 if (curr->next != NULL) { 786 curr->next->prev = curr->prev; 787 } 788 (*tail)->next = curr; 789 curr->prev = *tail; 790 curr->next = NULL; 791 *tail = curr; 792 } 793 794 static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr, 795 CIPHER_ORDER **tail) { 796 if (curr == *head) { 797 return; 798 } 799 if (curr == *tail) { 800 *tail = curr->prev; 801 } 802 if (curr->next != NULL) { 803 curr->next->prev = curr->prev; 804 } 805 if (curr->prev != NULL) { 806 curr->prev->next = curr->next; 807 } 808 (*head)->prev = curr; 809 curr->next = *head; 810 curr->prev = NULL; 811 *head = curr; 812 } 813 814 static void ssl_cipher_collect_ciphers(CIPHER_ORDER *co_list, 815 CIPHER_ORDER **head_p, 816 CIPHER_ORDER **tail_p) { 817 size_t co_list_num = 0; 818 for (const SSL_CIPHER &cipher : kCiphers) { 819 // TLS 1.3 ciphers do not participate in this mechanism. 820 if (cipher.algorithm_mkey != SSL_kGENERIC) { 821 co_list[co_list_num].cipher = &cipher; 822 co_list[co_list_num].next = NULL; 823 co_list[co_list_num].prev = NULL; 824 co_list[co_list_num].active = false; 825 co_list[co_list_num].in_group = false; 826 co_list_num++; 827 } 828 } 829 830 // Prepare linked list from list entries. 831 if (co_list_num > 0) { 832 co_list[0].prev = NULL; 833 834 if (co_list_num > 1) { 835 co_list[0].next = &co_list[1]; 836 837 for (size_t i = 1; i < co_list_num - 1; i++) { 838 co_list[i].prev = &co_list[i - 1]; 839 co_list[i].next = &co_list[i + 1]; 840 } 841 842 co_list[co_list_num - 1].prev = &co_list[co_list_num - 2]; 843 } 844 845 co_list[co_list_num - 1].next = NULL; 846 847 *head_p = &co_list[0]; 848 *tail_p = &co_list[co_list_num - 1]; 849 } 850 } 851 852 // ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its 853 // parameters in the linked list from |*head_p| to |*tail_p|. It writes the new 854 // head and tail of the list to |*head_p| and |*tail_p|, respectively. 855 // 856 // - If |cipher_id| is non-zero, only that cipher is selected. 857 // - Otherwise, if |strength_bits| is non-negative, it selects ciphers 858 // of that strength. 859 // - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and 860 // |min_version|. 861 static void ssl_cipher_apply_rule( 862 uint32_t cipher_id, uint32_t alg_mkey, uint32_t alg_auth, 863 uint32_t alg_enc, uint32_t alg_mac, uint16_t min_version, int rule, 864 int strength_bits, bool in_group, CIPHER_ORDER **head_p, 865 CIPHER_ORDER **tail_p) { 866 CIPHER_ORDER *head, *tail, *curr, *next, *last; 867 const SSL_CIPHER *cp; 868 bool reverse = false; 869 870 if (cipher_id == 0 && strength_bits == -1 && min_version == 0 && 871 (alg_mkey == 0 || alg_auth == 0 || alg_enc == 0 || alg_mac == 0)) { 872 // The rule matches nothing, so bail early. 873 return; 874 } 875 876 if (rule == CIPHER_DEL) { 877 // needed to maintain sorting between currently deleted ciphers 878 reverse = true; 879 } 880 881 head = *head_p; 882 tail = *tail_p; 883 884 if (reverse) { 885 next = tail; 886 last = head; 887 } else { 888 next = head; 889 last = tail; 890 } 891 892 curr = NULL; 893 for (;;) { 894 if (curr == last) { 895 break; 896 } 897 898 curr = next; 899 if (curr == NULL) { 900 break; 901 } 902 903 next = reverse ? curr->prev : curr->next; 904 cp = curr->cipher; 905 906 // Selection criteria is either a specific cipher, the value of 907 // |strength_bits|, or the algorithms used. 908 if (cipher_id != 0) { 909 if (cipher_id != cp->id) { 910 continue; 911 } 912 } else if (strength_bits >= 0) { 913 if (strength_bits != SSL_CIPHER_get_bits(cp, NULL)) { 914 continue; 915 } 916 } else { 917 if (!(alg_mkey & cp->algorithm_mkey) || 918 !(alg_auth & cp->algorithm_auth) || 919 !(alg_enc & cp->algorithm_enc) || 920 !(alg_mac & cp->algorithm_mac) || 921 (min_version != 0 && SSL_CIPHER_get_min_version(cp) != min_version) || 922 // The NULL cipher must be selected explicitly. 923 cp->algorithm_enc == SSL_eNULL) { 924 continue; 925 } 926 } 927 928 // add the cipher if it has not been added yet. 929 if (rule == CIPHER_ADD) { 930 // reverse == false 931 if (!curr->active) { 932 ll_append_tail(&head, curr, &tail); 933 curr->active = true; 934 curr->in_group = in_group; 935 } 936 } 937 938 // Move the added cipher to this location 939 else if (rule == CIPHER_ORD) { 940 // reverse == false 941 if (curr->active) { 942 ll_append_tail(&head, curr, &tail); 943 curr->in_group = false; 944 } 945 } else if (rule == CIPHER_DEL) { 946 // reverse == true 947 if (curr->active) { 948 // most recently deleted ciphersuites get best positions 949 // for any future CIPHER_ADD (note that the CIPHER_DEL loop 950 // works in reverse to maintain the order) 951 ll_append_head(&head, curr, &tail); 952 curr->active = false; 953 curr->in_group = false; 954 } 955 } else if (rule == CIPHER_KILL) { 956 // reverse == false 957 if (head == curr) { 958 head = curr->next; 959 } else { 960 curr->prev->next = curr->next; 961 } 962 963 if (tail == curr) { 964 tail = curr->prev; 965 } 966 curr->active = false; 967 if (curr->next != NULL) { 968 curr->next->prev = curr->prev; 969 } 970 if (curr->prev != NULL) { 971 curr->prev->next = curr->next; 972 } 973 curr->next = NULL; 974 curr->prev = NULL; 975 } 976 } 977 978 *head_p = head; 979 *tail_p = tail; 980 } 981 982 static bool ssl_cipher_strength_sort(CIPHER_ORDER **head_p, 983 CIPHER_ORDER **tail_p) { 984 // This routine sorts the ciphers with descending strength. The sorting must 985 // keep the pre-sorted sequence, so we apply the normal sorting routine as 986 // '+' movement to the end of the list. 987 int max_strength_bits = 0; 988 CIPHER_ORDER *curr = *head_p; 989 while (curr != NULL) { 990 if (curr->active && 991 SSL_CIPHER_get_bits(curr->cipher, NULL) > max_strength_bits) { 992 max_strength_bits = SSL_CIPHER_get_bits(curr->cipher, NULL); 993 } 994 curr = curr->next; 995 } 996 997 Array<int> number_uses; 998 if (!number_uses.Init(max_strength_bits + 1)) { 999 return false; 1000 } 1001 OPENSSL_memset(number_uses.data(), 0, (max_strength_bits + 1) * sizeof(int)); 1002 1003 // Now find the strength_bits values actually used. 1004 curr = *head_p; 1005 while (curr != NULL) { 1006 if (curr->active) { 1007 number_uses[SSL_CIPHER_get_bits(curr->cipher, NULL)]++; 1008 } 1009 curr = curr->next; 1010 } 1011 1012 // Go through the list of used strength_bits values in descending order. 1013 for (int i = max_strength_bits; i >= 0; i--) { 1014 if (number_uses[i] > 0) { 1015 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i, false, head_p, 1016 tail_p); 1017 } 1018 } 1019 1020 return true; 1021 } 1022 1023 static bool ssl_cipher_process_rulestr(const char *rule_str, 1024 CIPHER_ORDER **head_p, 1025 CIPHER_ORDER **tail_p, bool strict) { 1026 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac; 1027 uint16_t min_version; 1028 const char *l, *buf; 1029 int rule; 1030 bool multi, skip_rule, in_group = false, has_group = false; 1031 size_t j, buf_len; 1032 uint32_t cipher_id; 1033 char ch; 1034 1035 l = rule_str; 1036 for (;;) { 1037 ch = *l; 1038 1039 if (ch == '\0') { 1040 break; // done 1041 } 1042 1043 if (in_group) { 1044 if (ch == ']') { 1045 if (*tail_p) { 1046 (*tail_p)->in_group = false; 1047 } 1048 in_group = false; 1049 l++; 1050 continue; 1051 } 1052 1053 if (ch == '|') { 1054 rule = CIPHER_ADD; 1055 l++; 1056 continue; 1057 } else if (!(ch >= 'a' && ch <= 'z') && !(ch >= 'A' && ch <= 'Z') && 1058 !(ch >= '0' && ch <= '9')) { 1059 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP); 1060 return false; 1061 } else { 1062 rule = CIPHER_ADD; 1063 } 1064 } else if (ch == '-') { 1065 rule = CIPHER_DEL; 1066 l++; 1067 } else if (ch == '+') { 1068 rule = CIPHER_ORD; 1069 l++; 1070 } else if (ch == '!') { 1071 rule = CIPHER_KILL; 1072 l++; 1073 } else if (ch == '@') { 1074 rule = CIPHER_SPECIAL; 1075 l++; 1076 } else if (ch == '[') { 1077 assert(!in_group); 1078 in_group = true; 1079 has_group = true; 1080 l++; 1081 continue; 1082 } else { 1083 rule = CIPHER_ADD; 1084 } 1085 1086 // If preference groups are enabled, the only legal operator is +. 1087 // Otherwise the in_group bits will get mixed up. 1088 if (has_group && rule != CIPHER_ADD) { 1089 OPENSSL_PUT_ERROR(SSL, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS); 1090 return false; 1091 } 1092 1093 if (is_cipher_list_separator(ch, strict)) { 1094 l++; 1095 continue; 1096 } 1097 1098 multi = false; 1099 cipher_id = 0; 1100 alg_mkey = ~0u; 1101 alg_auth = ~0u; 1102 alg_enc = ~0u; 1103 alg_mac = ~0u; 1104 min_version = 0; 1105 skip_rule = false; 1106 1107 for (;;) { 1108 ch = *l; 1109 buf = l; 1110 buf_len = 0; 1111 while ((ch >= 'A' && ch <= 'Z') || (ch >= '0' && ch <= '9') || 1112 (ch >= 'a' && ch <= 'z') || ch == '-' || ch == '.' || ch == '_') { 1113 ch = *(++l); 1114 buf_len++; 1115 } 1116 1117 if (buf_len == 0) { 1118 // We hit something we cannot deal with, it is no command or separator 1119 // nor alphanumeric, so we call this an error. 1120 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND); 1121 return false; 1122 } 1123 1124 if (rule == CIPHER_SPECIAL) { 1125 break; 1126 } 1127 1128 // Look for a matching exact cipher. These aren't allowed in multipart 1129 // rules. 1130 if (!multi && ch != '+') { 1131 for (j = 0; j < kCiphersLen; j++) { 1132 const SSL_CIPHER *cipher = &kCiphers[j]; 1133 if (rule_equals(cipher->name, buf, buf_len) || 1134 rule_equals(cipher->standard_name, buf, buf_len)) { 1135 cipher_id = cipher->id; 1136 break; 1137 } 1138 } 1139 } 1140 if (cipher_id == 0) { 1141 // If not an exact cipher, look for a matching cipher alias. 1142 for (j = 0; j < kCipherAliasesLen; j++) { 1143 if (rule_equals(kCipherAliases[j].name, buf, buf_len)) { 1144 alg_mkey &= kCipherAliases[j].algorithm_mkey; 1145 alg_auth &= kCipherAliases[j].algorithm_auth; 1146 alg_enc &= kCipherAliases[j].algorithm_enc; 1147 alg_mac &= kCipherAliases[j].algorithm_mac; 1148 1149 if (min_version != 0 && 1150 min_version != kCipherAliases[j].min_version) { 1151 skip_rule = true; 1152 } else { 1153 min_version = kCipherAliases[j].min_version; 1154 } 1155 break; 1156 } 1157 } 1158 if (j == kCipherAliasesLen) { 1159 skip_rule = true; 1160 if (strict) { 1161 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND); 1162 return false; 1163 } 1164 } 1165 } 1166 1167 // Check for a multipart rule. 1168 if (ch != '+') { 1169 break; 1170 } 1171 l++; 1172 multi = true; 1173 } 1174 1175 // Ok, we have the rule, now apply it. 1176 if (rule == CIPHER_SPECIAL) { 1177 if (buf_len != 8 || strncmp(buf, "STRENGTH", 8) != 0) { 1178 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND); 1179 return false; 1180 } 1181 if (!ssl_cipher_strength_sort(head_p, tail_p)) { 1182 return false; 1183 } 1184 1185 // We do not support any "multi" options together with "@", so throw away 1186 // the rest of the command, if any left, until end or ':' is found. 1187 while (*l != '\0' && !is_cipher_list_separator(*l, strict)) { 1188 l++; 1189 } 1190 } else if (!skip_rule) { 1191 ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth, alg_enc, alg_mac, 1192 min_version, rule, -1, in_group, head_p, tail_p); 1193 } 1194 } 1195 1196 if (in_group) { 1197 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND); 1198 return false; 1199 } 1200 1201 return true; 1202 } 1203 1204 bool ssl_create_cipher_list( 1205 struct ssl_cipher_preference_list_st **out_cipher_list, 1206 const char *rule_str, bool strict) { 1207 STACK_OF(SSL_CIPHER) *cipherstack = NULL; 1208 CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; 1209 uint8_t *in_group_flags = NULL; 1210 unsigned int num_in_group_flags = 0; 1211 struct ssl_cipher_preference_list_st *pref_list = NULL; 1212 1213 // Return with error if nothing to do. 1214 if (rule_str == NULL || out_cipher_list == NULL) { 1215 return false; 1216 } 1217 1218 // Now we have to collect the available ciphers from the compiled in ciphers. 1219 // We cannot get more than the number compiled in, so it is used for 1220 // allocation. 1221 co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * kCiphersLen); 1222 if (co_list == NULL) { 1223 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 1224 return false; 1225 } 1226 1227 ssl_cipher_collect_ciphers(co_list, &head, &tail); 1228 1229 // Now arrange all ciphers by preference: 1230 // TODO(davidben): Compute this order once and copy it. 1231 1232 // Everything else being equal, prefer ECDHE_ECDSA and ECDHE_RSA over other 1233 // key exchange mechanisms 1234 ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, ~0u, ~0u, 0, CIPHER_ADD, -1, 1235 false, &head, &tail); 1236 ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, false, 1237 &head, &tail); 1238 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, false, &head, 1239 &tail); 1240 1241 // Order the bulk ciphers. First the preferred AEAD ciphers. We prefer 1242 // CHACHA20 unless there is hardware support for fast and constant-time 1243 // AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the 1244 // old one. 1245 if (EVP_has_aes_hardware()) { 1246 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 1247 false, &head, &tail); 1248 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 1249 false, &head, &tail); 1250 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD, 1251 -1, false, &head, &tail); 1252 } else { 1253 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD, 1254 -1, false, &head, &tail); 1255 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 1256 false, &head, &tail); 1257 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 1258 false, &head, &tail); 1259 } 1260 1261 // Then the legacy non-AEAD ciphers: AES_128_CBC, AES_256_CBC, 1262 // 3DES_EDE_CBC_SHA. 1263 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, 0, CIPHER_ADD, -1, false, 1264 &head, &tail); 1265 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, 0, CIPHER_ADD, -1, false, 1266 &head, &tail); 1267 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, 0, CIPHER_ADD, -1, false, 1268 &head, &tail); 1269 1270 // Temporarily enable everything else for sorting 1271 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, false, &head, 1272 &tail); 1273 1274 // Move ciphers without forward secrecy to the end. 1275 ssl_cipher_apply_rule(0, (SSL_kRSA | SSL_kPSK), ~0u, ~0u, ~0u, 0, CIPHER_ORD, 1276 -1, false, &head, &tail); 1277 1278 // Now disable everything (maintaining the ordering!) 1279 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, false, &head, 1280 &tail); 1281 1282 // If the rule_string begins with DEFAULT, apply the default rule before 1283 // using the (possibly available) additional rules. 1284 const char *rule_p = rule_str; 1285 if (strncmp(rule_str, "DEFAULT", 7) == 0) { 1286 if (!ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, &head, &tail, 1287 strict)) { 1288 goto err; 1289 } 1290 rule_p += 7; 1291 if (*rule_p == ':') { 1292 rule_p++; 1293 } 1294 } 1295 1296 if (*rule_p != '\0' && 1297 !ssl_cipher_process_rulestr(rule_p, &head, &tail, strict)) { 1298 goto err; 1299 } 1300 1301 // Allocate new "cipherstack" for the result, return with error 1302 // if we cannot get one. 1303 cipherstack = sk_SSL_CIPHER_new_null(); 1304 if (cipherstack == NULL) { 1305 goto err; 1306 } 1307 1308 in_group_flags = (uint8_t *)OPENSSL_malloc(kCiphersLen); 1309 if (!in_group_flags) { 1310 goto err; 1311 } 1312 1313 // The cipher selection for the list is done. The ciphers are added 1314 // to the resulting precedence to the STACK_OF(SSL_CIPHER). 1315 for (curr = head; curr != NULL; curr = curr->next) { 1316 if (curr->active) { 1317 if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) { 1318 goto err; 1319 } 1320 in_group_flags[num_in_group_flags++] = curr->in_group; 1321 } 1322 } 1323 OPENSSL_free(co_list); // Not needed any longer 1324 co_list = NULL; 1325 1326 pref_list = (ssl_cipher_preference_list_st *)OPENSSL_malloc( 1327 sizeof(struct ssl_cipher_preference_list_st)); 1328 if (!pref_list) { 1329 goto err; 1330 } 1331 pref_list->ciphers = cipherstack; 1332 pref_list->in_group_flags = NULL; 1333 if (num_in_group_flags) { 1334 pref_list->in_group_flags = (uint8_t *)OPENSSL_malloc(num_in_group_flags); 1335 if (!pref_list->in_group_flags) { 1336 goto err; 1337 } 1338 OPENSSL_memcpy(pref_list->in_group_flags, in_group_flags, 1339 num_in_group_flags); 1340 } 1341 OPENSSL_free(in_group_flags); 1342 in_group_flags = NULL; 1343 if (*out_cipher_list != NULL) { 1344 ssl_cipher_preference_list_free(*out_cipher_list); 1345 } 1346 *out_cipher_list = pref_list; 1347 pref_list = NULL; 1348 1349 // Configuring an empty cipher list is an error but still updates the 1350 // output. 1351 if (sk_SSL_CIPHER_num((*out_cipher_list)->ciphers) == 0) { 1352 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHER_MATCH); 1353 return false; 1354 } 1355 1356 return true; 1357 1358 err: 1359 OPENSSL_free(co_list); 1360 OPENSSL_free(in_group_flags); 1361 sk_SSL_CIPHER_free(cipherstack); 1362 if (pref_list) { 1363 OPENSSL_free(pref_list->in_group_flags); 1364 } 1365 OPENSSL_free(pref_list); 1366 return false; 1367 } 1368 1369 uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher) { 1370 uint32_t id = cipher->id; 1371 // All ciphers are SSLv3. 1372 assert((id & 0xff000000) == 0x03000000); 1373 return id & 0xffff; 1374 } 1375 1376 uint32_t ssl_cipher_auth_mask_for_key(const EVP_PKEY *key) { 1377 switch (EVP_PKEY_id(key)) { 1378 case EVP_PKEY_RSA: 1379 return SSL_aRSA; 1380 case EVP_PKEY_EC: 1381 case EVP_PKEY_ED25519: 1382 // Ed25519 keys in TLS 1.2 repurpose the ECDSA ciphers. 1383 return SSL_aECDSA; 1384 default: 1385 return 0; 1386 } 1387 } 1388 1389 bool ssl_cipher_uses_certificate_auth(const SSL_CIPHER *cipher) { 1390 return (cipher->algorithm_auth & SSL_aCERT) != 0; 1391 } 1392 1393 bool ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) { 1394 // Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. It is 1395 // optional or omitted in all others. 1396 return (cipher->algorithm_mkey & SSL_kECDHE) != 0; 1397 } 1398 1399 size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher) { 1400 size_t block_size; 1401 switch (cipher->algorithm_enc) { 1402 case SSL_3DES: 1403 block_size = 8; 1404 break; 1405 case SSL_AES128: 1406 case SSL_AES256: 1407 block_size = 16; 1408 break; 1409 default: 1410 return 0; 1411 } 1412 1413 // All supported TLS 1.0 ciphers use SHA-1. 1414 assert(cipher->algorithm_mac == SSL_SHA1); 1415 size_t ret = 1 + SHA_DIGEST_LENGTH; 1416 ret += block_size - (ret % block_size); 1417 return ret; 1418 } 1419 1420 } // namespace bssl 1421 1422 using namespace bssl; 1423 1424 const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value) { 1425 SSL_CIPHER c; 1426 1427 c.id = 0x03000000L | value; 1428 return reinterpret_cast<const SSL_CIPHER *>(bsearch( 1429 &c, kCiphers, kCiphersLen, sizeof(SSL_CIPHER), ssl_cipher_id_cmp)); 1430 } 1431 1432 uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher) { return cipher->id; } 1433 1434 int SSL_CIPHER_is_aead(const SSL_CIPHER *cipher) { 1435 return (cipher->algorithm_mac & SSL_AEAD) != 0; 1436 } 1437 1438 int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *cipher) { 1439 switch (cipher->algorithm_enc) { 1440 case SSL_eNULL: 1441 return NID_undef; 1442 case SSL_3DES: 1443 return NID_des_ede3_cbc; 1444 case SSL_AES128: 1445 return NID_aes_128_cbc; 1446 case SSL_AES256: 1447 return NID_aes_256_cbc; 1448 case SSL_AES128GCM: 1449 return NID_aes_128_gcm; 1450 case SSL_AES256GCM: 1451 return NID_aes_256_gcm; 1452 case SSL_CHACHA20POLY1305: 1453 return NID_chacha20_poly1305; 1454 } 1455 assert(0); 1456 return NID_undef; 1457 } 1458 1459 int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *cipher) { 1460 switch (cipher->algorithm_mac) { 1461 case SSL_AEAD: 1462 return NID_undef; 1463 case SSL_SHA1: 1464 return NID_sha1; 1465 case SSL_SHA256: 1466 return NID_sha256; 1467 case SSL_SHA384: 1468 return NID_sha384; 1469 } 1470 assert(0); 1471 return NID_undef; 1472 } 1473 1474 int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *cipher) { 1475 switch (cipher->algorithm_mkey) { 1476 case SSL_kRSA: 1477 return NID_kx_rsa; 1478 case SSL_kECDHE: 1479 return NID_kx_ecdhe; 1480 case SSL_kPSK: 1481 return NID_kx_psk; 1482 case SSL_kGENERIC: 1483 return NID_kx_any; 1484 } 1485 assert(0); 1486 return NID_undef; 1487 } 1488 1489 int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *cipher) { 1490 switch (cipher->algorithm_auth) { 1491 case SSL_aRSA: 1492 return NID_auth_rsa; 1493 case SSL_aECDSA: 1494 return NID_auth_ecdsa; 1495 case SSL_aPSK: 1496 return NID_auth_psk; 1497 case SSL_aGENERIC: 1498 return NID_auth_any; 1499 } 1500 assert(0); 1501 return NID_undef; 1502 } 1503 1504 int SSL_CIPHER_get_prf_nid(const SSL_CIPHER *cipher) { 1505 switch (cipher->algorithm_prf) { 1506 case SSL_HANDSHAKE_MAC_DEFAULT: 1507 return NID_md5_sha1; 1508 case SSL_HANDSHAKE_MAC_SHA256: 1509 return NID_sha256; 1510 case SSL_HANDSHAKE_MAC_SHA384: 1511 return NID_sha384; 1512 } 1513 assert(0); 1514 return NID_undef; 1515 } 1516 1517 int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher) { 1518 return (cipher->algorithm_enc & SSL_eNULL) == 0 && 1519 cipher->algorithm_mac != SSL_AEAD; 1520 } 1521 1522 uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) { 1523 if (cipher->algorithm_mkey == SSL_kGENERIC || 1524 cipher->algorithm_auth == SSL_aGENERIC) { 1525 return TLS1_3_VERSION; 1526 } 1527 1528 if (cipher->algorithm_prf != SSL_HANDSHAKE_MAC_DEFAULT) { 1529 // Cipher suites before TLS 1.2 use the default PRF, while all those added 1530 // afterwards specify a particular hash. 1531 return TLS1_2_VERSION; 1532 } 1533 return SSL3_VERSION; 1534 } 1535 1536 uint16_t SSL_CIPHER_get_max_version(const SSL_CIPHER *cipher) { 1537 if (cipher->algorithm_mkey == SSL_kGENERIC || 1538 cipher->algorithm_auth == SSL_aGENERIC) { 1539 return TLS1_3_VERSION; 1540 } 1541 return TLS1_2_VERSION; 1542 } 1543 1544 // return the actual cipher being used 1545 const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) { 1546 if (cipher != NULL) { 1547 return cipher->name; 1548 } 1549 1550 return "(NONE)"; 1551 } 1552 1553 const char *SSL_CIPHER_standard_name(const SSL_CIPHER *cipher) { 1554 return cipher->standard_name; 1555 } 1556 1557 const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) { 1558 if (cipher == NULL) { 1559 return ""; 1560 } 1561 1562 switch (cipher->algorithm_mkey) { 1563 case SSL_kRSA: 1564 return "RSA"; 1565 1566 case SSL_kECDHE: 1567 switch (cipher->algorithm_auth) { 1568 case SSL_aECDSA: 1569 return "ECDHE_ECDSA"; 1570 case SSL_aRSA: 1571 return "ECDHE_RSA"; 1572 case SSL_aPSK: 1573 return "ECDHE_PSK"; 1574 default: 1575 assert(0); 1576 return "UNKNOWN"; 1577 } 1578 1579 case SSL_kPSK: 1580 assert(cipher->algorithm_auth == SSL_aPSK); 1581 return "PSK"; 1582 1583 case SSL_kGENERIC: 1584 assert(cipher->algorithm_auth == SSL_aGENERIC); 1585 return "GENERIC"; 1586 1587 default: 1588 assert(0); 1589 return "UNKNOWN"; 1590 } 1591 } 1592 1593 char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher) { 1594 if (cipher == NULL) { 1595 return NULL; 1596 } 1597 1598 return OPENSSL_strdup(SSL_CIPHER_standard_name(cipher)); 1599 } 1600 1601 int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *out_alg_bits) { 1602 if (cipher == NULL) { 1603 return 0; 1604 } 1605 1606 int alg_bits, strength_bits; 1607 switch (cipher->algorithm_enc) { 1608 case SSL_AES128: 1609 case SSL_AES128GCM: 1610 alg_bits = 128; 1611 strength_bits = 128; 1612 break; 1613 1614 case SSL_AES256: 1615 case SSL_AES256GCM: 1616 case SSL_CHACHA20POLY1305: 1617 alg_bits = 256; 1618 strength_bits = 256; 1619 break; 1620 1621 case SSL_3DES: 1622 alg_bits = 168; 1623 strength_bits = 112; 1624 break; 1625 1626 case SSL_eNULL: 1627 alg_bits = 0; 1628 strength_bits = 0; 1629 break; 1630 1631 default: 1632 assert(0); 1633 alg_bits = 0; 1634 strength_bits = 0; 1635 } 1636 1637 if (out_alg_bits != NULL) { 1638 *out_alg_bits = alg_bits; 1639 } 1640 return strength_bits; 1641 } 1642 1643 const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, 1644 int len) { 1645 const char *kx, *au, *enc, *mac; 1646 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac; 1647 1648 alg_mkey = cipher->algorithm_mkey; 1649 alg_auth = cipher->algorithm_auth; 1650 alg_enc = cipher->algorithm_enc; 1651 alg_mac = cipher->algorithm_mac; 1652 1653 switch (alg_mkey) { 1654 case SSL_kRSA: 1655 kx = "RSA"; 1656 break; 1657 1658 case SSL_kECDHE: 1659 kx = "ECDH"; 1660 break; 1661 1662 case SSL_kPSK: 1663 kx = "PSK"; 1664 break; 1665 1666 case SSL_kGENERIC: 1667 kx = "GENERIC"; 1668 break; 1669 1670 default: 1671 kx = "unknown"; 1672 } 1673 1674 switch (alg_auth) { 1675 case SSL_aRSA: 1676 au = "RSA"; 1677 break; 1678 1679 case SSL_aECDSA: 1680 au = "ECDSA"; 1681 break; 1682 1683 case SSL_aPSK: 1684 au = "PSK"; 1685 break; 1686 1687 case SSL_aGENERIC: 1688 au = "GENERIC"; 1689 break; 1690 1691 default: 1692 au = "unknown"; 1693 break; 1694 } 1695 1696 switch (alg_enc) { 1697 case SSL_3DES: 1698 enc = "3DES(168)"; 1699 break; 1700 1701 case SSL_AES128: 1702 enc = "AES(128)"; 1703 break; 1704 1705 case SSL_AES256: 1706 enc = "AES(256)"; 1707 break; 1708 1709 case SSL_AES128GCM: 1710 enc = "AESGCM(128)"; 1711 break; 1712 1713 case SSL_AES256GCM: 1714 enc = "AESGCM(256)"; 1715 break; 1716 1717 case SSL_CHACHA20POLY1305: 1718 enc = "ChaCha20-Poly1305"; 1719 break; 1720 1721 case SSL_eNULL: 1722 enc="None"; 1723 break; 1724 1725 default: 1726 enc = "unknown"; 1727 break; 1728 } 1729 1730 switch (alg_mac) { 1731 case SSL_SHA1: 1732 mac = "SHA1"; 1733 break; 1734 1735 case SSL_SHA256: 1736 mac = "SHA256"; 1737 break; 1738 1739 case SSL_SHA384: 1740 mac = "SHA384"; 1741 break; 1742 1743 case SSL_AEAD: 1744 mac = "AEAD"; 1745 break; 1746 1747 default: 1748 mac = "unknown"; 1749 break; 1750 } 1751 1752 if (buf == NULL) { 1753 len = 128; 1754 buf = (char *)OPENSSL_malloc(len); 1755 if (buf == NULL) { 1756 return NULL; 1757 } 1758 } else if (len < 128) { 1759 return "Buffer too small"; 1760 } 1761 1762 BIO_snprintf(buf, len, "%-23s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n", 1763 cipher->name, kx, au, enc, mac); 1764 return buf; 1765 } 1766 1767 const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher) { 1768 return "TLSv1/SSLv3"; 1769 } 1770 1771 STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void) { return NULL; } 1772 1773 int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) { return 1; } 1774 1775 const char *SSL_COMP_get_name(const COMP_METHOD *comp) { return NULL; } 1776 1777 void SSL_COMP_free_compression_methods(void) {} 1778
