1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110 /* ====================================================================
111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112 * ECC cipher suite support in OpenSSL originally developed by
113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
114 */
115 /* ====================================================================
116 * Copyright 2005 Nokia. All rights reserved.
117 *
118 * The portions of the attached software ("Contribution") is developed by
119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
120 * license.
121 *
122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
124 * support (see RFC 4279) to OpenSSL.
125 *
126 * No patent licenses or other rights except those expressly stated in
127 * the OpenSSL open source license shall be deemed granted or received
128 * expressly, by implication, estoppel, or otherwise.
129 *
130 * No assurances are provided by Nokia that the Contribution does not
131 * infringe the patent or other intellectual property rights of any third
132 * party or that the license provides you with all the necessary rights
133 * to make use of the Contribution.
134 *
135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
139 * OTHERWISE. */
140
141 #include <openssl/ssl.h>
142
143 #include <assert.h>
144 #include <string.h>
145
146 #include <openssl/err.h>
147 #include <openssl/md5.h>
148 #include <openssl/mem.h>
149 #include <openssl/sha.h>
150 #include <openssl/stack.h>
151
152 #include "internal.h"
153 #include "../crypto/internal.h"
154
155
156 BSSL_NAMESPACE_BEGIN
157
158 static constexpr SSL_CIPHER kCiphers[] = {
159 // The RSA ciphers
160
161 // Cipher 0A
162 {
163 SSL3_TXT_RSA_DES_192_CBC3_SHA,
164 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
165 SSL3_CK_RSA_DES_192_CBC3_SHA,
166 SSL_kRSA,
167 SSL_aRSA,
168 SSL_3DES,
169 SSL_SHA1,
170 SSL_HANDSHAKE_MAC_DEFAULT,
171 },
172
173
174 // New AES ciphersuites
175
176 // Cipher 2F
177 {
178 TLS1_TXT_RSA_WITH_AES_128_SHA,
179 "TLS_RSA_WITH_AES_128_CBC_SHA",
180 TLS1_CK_RSA_WITH_AES_128_SHA,
181 SSL_kRSA,
182 SSL_aRSA,
183 SSL_AES128,
184 SSL_SHA1,
185 SSL_HANDSHAKE_MAC_DEFAULT,
186 },
187
188 // Cipher 35
189 {
190 TLS1_TXT_RSA_WITH_AES_256_SHA,
191 "TLS_RSA_WITH_AES_256_CBC_SHA",
192 TLS1_CK_RSA_WITH_AES_256_SHA,
193 SSL_kRSA,
194 SSL_aRSA,
195 SSL_AES256,
196 SSL_SHA1,
197 SSL_HANDSHAKE_MAC_DEFAULT,
198 },
199
200 // PSK cipher suites.
201
202 // Cipher 8C
203 {
204 TLS1_TXT_PSK_WITH_AES_128_CBC_SHA,
205 "TLS_PSK_WITH_AES_128_CBC_SHA",
206 TLS1_CK_PSK_WITH_AES_128_CBC_SHA,
207 SSL_kPSK,
208 SSL_aPSK,
209 SSL_AES128,
210 SSL_SHA1,
211 SSL_HANDSHAKE_MAC_DEFAULT,
212 },
213
214 // Cipher 8D
215 {
216 TLS1_TXT_PSK_WITH_AES_256_CBC_SHA,
217 "TLS_PSK_WITH_AES_256_CBC_SHA",
218 TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
219 SSL_kPSK,
220 SSL_aPSK,
221 SSL_AES256,
222 SSL_SHA1,
223 SSL_HANDSHAKE_MAC_DEFAULT,
224 },
225
226 // GCM ciphersuites from RFC 5288
227
228 // Cipher 9C
229 {
230 TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
231 "TLS_RSA_WITH_AES_128_GCM_SHA256",
232 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
233 SSL_kRSA,
234 SSL_aRSA,
235 SSL_AES128GCM,
236 SSL_AEAD,
237 SSL_HANDSHAKE_MAC_SHA256,
238 },
239
240 // Cipher 9D
241 {
242 TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
243 "TLS_RSA_WITH_AES_256_GCM_SHA384",
244 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
245 SSL_kRSA,
246 SSL_aRSA,
247 SSL_AES256GCM,
248 SSL_AEAD,
249 SSL_HANDSHAKE_MAC_SHA384,
250 },
251
252 // TLS 1.3 suites.
253
254 // Cipher 1301
255 {
256 TLS1_3_RFC_AES_128_GCM_SHA256,
257 "TLS_AES_128_GCM_SHA256",
258 TLS1_3_CK_AES_128_GCM_SHA256,
259 SSL_kGENERIC,
260 SSL_aGENERIC,
261 SSL_AES128GCM,
262 SSL_AEAD,
263 SSL_HANDSHAKE_MAC_SHA256,
264 },
265
266 // Cipher 1302
267 {
268 TLS1_3_RFC_AES_256_GCM_SHA384,
269 "TLS_AES_256_GCM_SHA384",
270 TLS1_3_CK_AES_256_GCM_SHA384,
271 SSL_kGENERIC,
272 SSL_aGENERIC,
273 SSL_AES256GCM,
274 SSL_AEAD,
275 SSL_HANDSHAKE_MAC_SHA384,
276 },
277
278 // Cipher 1303
279 {
280 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
281 "TLS_CHACHA20_POLY1305_SHA256",
282 TLS1_3_CK_CHACHA20_POLY1305_SHA256,
283 SSL_kGENERIC,
284 SSL_aGENERIC,
285 SSL_CHACHA20POLY1305,
286 SSL_AEAD,
287 SSL_HANDSHAKE_MAC_SHA256,
288 },
289
290 // Cipher C009
291 {
292 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
293 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
294 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
295 SSL_kECDHE,
296 SSL_aECDSA,
297 SSL_AES128,
298 SSL_SHA1,
299 SSL_HANDSHAKE_MAC_DEFAULT,
300 },
301
302 // Cipher C00A
303 {
304 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
305 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
306 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
307 SSL_kECDHE,
308 SSL_aECDSA,
309 SSL_AES256,
310 SSL_SHA1,
311 SSL_HANDSHAKE_MAC_DEFAULT,
312 },
313
314 // Cipher C013
315 {
316 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
317 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
318 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
319 SSL_kECDHE,
320 SSL_aRSA,
321 SSL_AES128,
322 SSL_SHA1,
323 SSL_HANDSHAKE_MAC_DEFAULT,
324 },
325
326 // Cipher C014
327 {
328 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
329 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
330 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
331 SSL_kECDHE,
332 SSL_aRSA,
333 SSL_AES256,
334 SSL_SHA1,
335 SSL_HANDSHAKE_MAC_DEFAULT,
336 },
337
338 // GCM based TLS v1.2 ciphersuites from RFC 5289
339
340 // Cipher C02B
341 {
342 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
343 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
344 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
345 SSL_kECDHE,
346 SSL_aECDSA,
347 SSL_AES128GCM,
348 SSL_AEAD,
349 SSL_HANDSHAKE_MAC_SHA256,
350 },
351
352 // Cipher C02C
353 {
354 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
355 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
356 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
357 SSL_kECDHE,
358 SSL_aECDSA,
359 SSL_AES256GCM,
360 SSL_AEAD,
361 SSL_HANDSHAKE_MAC_SHA384,
362 },
363
364 // Cipher C02F
365 {
366 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
367 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
368 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
369 SSL_kECDHE,
370 SSL_aRSA,
371 SSL_AES128GCM,
372 SSL_AEAD,
373 SSL_HANDSHAKE_MAC_SHA256,
374 },
375
376 // Cipher C030
377 {
378 TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
379 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
380 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
381 SSL_kECDHE,
382 SSL_aRSA,
383 SSL_AES256GCM,
384 SSL_AEAD,
385 SSL_HANDSHAKE_MAC_SHA384,
386 },
387
388 // ECDHE-PSK cipher suites.
389
390 // Cipher C035
391 {
392 TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA,
393 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
394 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
395 SSL_kECDHE,
396 SSL_aPSK,
397 SSL_AES128,
398 SSL_SHA1,
399 SSL_HANDSHAKE_MAC_DEFAULT,
400 },
401
402 // Cipher C036
403 {
404 TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA,
405 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
406 TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA,
407 SSL_kECDHE,
408 SSL_aPSK,
409 SSL_AES256,
410 SSL_SHA1,
411 SSL_HANDSHAKE_MAC_DEFAULT,
412 },
413
414 // ChaCha20-Poly1305 cipher suites.
415
416 // Cipher CCA8
417 {
418 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
419 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
420 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
421 SSL_kECDHE,
422 SSL_aRSA,
423 SSL_CHACHA20POLY1305,
424 SSL_AEAD,
425 SSL_HANDSHAKE_MAC_SHA256,
426 },
427
428 // Cipher CCA9
429 {
430 TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
431 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
432 TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
433 SSL_kECDHE,
434 SSL_aECDSA,
435 SSL_CHACHA20POLY1305,
436 SSL_AEAD,
437 SSL_HANDSHAKE_MAC_SHA256,
438 },
439
440 // Cipher CCAB
441 {
442 TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
443 "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
444 TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
445 SSL_kECDHE,
446 SSL_aPSK,
447 SSL_CHACHA20POLY1305,
448 SSL_AEAD,
449 SSL_HANDSHAKE_MAC_SHA256,
450 },
451
452 };
453
AllCiphers()454 Span<const SSL_CIPHER> AllCiphers() {
455 return MakeConstSpan(kCiphers, OPENSSL_ARRAY_SIZE(kCiphers));
456 }
457
458 #define CIPHER_ADD 1
459 #define CIPHER_KILL 2
460 #define CIPHER_DEL 3
461 #define CIPHER_ORD 4
462 #define CIPHER_SPECIAL 5
463
464 typedef struct cipher_order_st {
465 const SSL_CIPHER *cipher;
466 bool active;
467 bool in_group;
468 struct cipher_order_st *next, *prev;
469 } CIPHER_ORDER;
470
471 typedef struct cipher_alias_st {
472 // name is the name of the cipher alias.
473 const char *name;
474
475 // The following fields are bitmasks for the corresponding fields on
476 // |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the
477 // bit corresponding to the cipher's value is set to 1. If any bitmask is
478 // all zeroes, the alias matches nothing. Use |~0u| for the default value.
479 uint32_t algorithm_mkey;
480 uint32_t algorithm_auth;
481 uint32_t algorithm_enc;
482 uint32_t algorithm_mac;
483
484 // min_version, if non-zero, matches all ciphers which were added in that
485 // particular protocol version.
486 uint16_t min_version;
487 } CIPHER_ALIAS;
488
489 static const CIPHER_ALIAS kCipherAliases[] = {
490 {"ALL", ~0u, ~0u, ~0u, ~0u, 0},
491
492 // The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing.
493
494 // key exchange aliases
495 // (some of those using only a single bit here combine
496 // multiple key exchange algs according to the RFCs.
497 {"kRSA", SSL_kRSA, ~0u, ~0u, ~0u, 0},
498
499 {"kECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
500 {"kEECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
501 {"ECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
502
503 {"kPSK", SSL_kPSK, ~0u, ~0u, ~0u, 0},
504
505 // server authentication aliases
506 {"aRSA", ~0u, SSL_aRSA, ~0u, ~0u, 0},
507 {"aECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
508 {"ECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
509 {"aPSK", ~0u, SSL_aPSK, ~0u, ~0u, 0},
510
511 // aliases combining key exchange and server authentication
512 {"ECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
513 {"EECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
514 {"RSA", SSL_kRSA, SSL_aRSA, ~0u, ~0u, 0},
515 {"PSK", SSL_kPSK, SSL_aPSK, ~0u, ~0u, 0},
516
517 // symmetric encryption aliases
518 {"3DES", ~0u, ~0u, SSL_3DES, ~0u, 0},
519 {"AES128", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0},
520 {"AES256", ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0},
521 {"AES", ~0u, ~0u, SSL_AES, ~0u, 0},
522 {"AESGCM", ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0},
523 {"CHACHA20", ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0},
524
525 // MAC aliases
526 {"SHA1", ~0u, ~0u, ~0u, SSL_SHA1, 0},
527 {"SHA", ~0u, ~0u, ~0u, SSL_SHA1, 0},
528
529 // Legacy protocol minimum version aliases. "TLSv1" is intentionally the
530 // same as "SSLv3".
531 {"SSLv3", ~0u, ~0u, ~0u, ~0u, SSL3_VERSION},
532 {"TLSv1", ~0u, ~0u, ~0u, ~0u, SSL3_VERSION},
533 {"TLSv1.2", ~0u, ~0u, ~0u, ~0u, TLS1_2_VERSION},
534
535 // Legacy strength classes.
536 {"HIGH", ~0u, ~0u, ~0u, ~0u, 0},
537 {"FIPS", ~0u, ~0u, ~0u, ~0u, 0},
538
539 // Temporary no-op aliases corresponding to removed SHA-2 legacy CBC
540 // ciphers. These should be removed after 2018-05-14.
541 {"SHA256", 0, 0, 0, 0, 0},
542 {"SHA384", 0, 0, 0, 0, 0},
543 };
544
545 static const size_t kCipherAliasesLen = OPENSSL_ARRAY_SIZE(kCipherAliases);
546
ssl_cipher_get_evp_aead(const EVP_AEAD ** out_aead,size_t * out_mac_secret_len,size_t * out_fixed_iv_len,const SSL_CIPHER * cipher,uint16_t version,bool is_dtls)547 bool ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
548 size_t *out_mac_secret_len,
549 size_t *out_fixed_iv_len, const SSL_CIPHER *cipher,
550 uint16_t version, bool is_dtls) {
551 *out_aead = NULL;
552 *out_mac_secret_len = 0;
553 *out_fixed_iv_len = 0;
554
555 const bool is_tls12 = version == TLS1_2_VERSION && !is_dtls;
556 const bool is_tls13 = version == TLS1_3_VERSION && !is_dtls;
557
558 if (cipher->algorithm_mac == SSL_AEAD) {
559 if (cipher->algorithm_enc == SSL_AES128GCM) {
560 if (is_tls12) {
561 *out_aead = EVP_aead_aes_128_gcm_tls12();
562 } else if (is_tls13) {
563 *out_aead = EVP_aead_aes_128_gcm_tls13();
564 } else {
565 *out_aead = EVP_aead_aes_128_gcm();
566 }
567 *out_fixed_iv_len = 4;
568 } else if (cipher->algorithm_enc == SSL_AES256GCM) {
569 if (is_tls12) {
570 *out_aead = EVP_aead_aes_256_gcm_tls12();
571 } else if (is_tls13) {
572 *out_aead = EVP_aead_aes_256_gcm_tls13();
573 } else {
574 *out_aead = EVP_aead_aes_256_gcm();
575 }
576 *out_fixed_iv_len = 4;
577 } else if (cipher->algorithm_enc == SSL_CHACHA20POLY1305) {
578 *out_aead = EVP_aead_chacha20_poly1305();
579 *out_fixed_iv_len = 12;
580 } else {
581 return false;
582 }
583
584 // In TLS 1.3, the iv_len is equal to the AEAD nonce length whereas the code
585 // above computes the TLS 1.2 construction.
586 if (version >= TLS1_3_VERSION) {
587 *out_fixed_iv_len = EVP_AEAD_nonce_length(*out_aead);
588 }
589 } else if (cipher->algorithm_mac == SSL_SHA1) {
590 if (cipher->algorithm_enc == SSL_3DES) {
591 if (version == TLS1_VERSION) {
592 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv();
593 *out_fixed_iv_len = 8;
594 } else {
595 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls();
596 }
597 } else if (cipher->algorithm_enc == SSL_AES128) {
598 if (version == TLS1_VERSION) {
599 *out_aead = EVP_aead_aes_128_cbc_sha1_tls_implicit_iv();
600 *out_fixed_iv_len = 16;
601 } else {
602 *out_aead = EVP_aead_aes_128_cbc_sha1_tls();
603 }
604 } else if (cipher->algorithm_enc == SSL_AES256) {
605 if (version == TLS1_VERSION) {
606 *out_aead = EVP_aead_aes_256_cbc_sha1_tls_implicit_iv();
607 *out_fixed_iv_len = 16;
608 } else {
609 *out_aead = EVP_aead_aes_256_cbc_sha1_tls();
610 }
611 } else {
612 return false;
613 }
614
615 *out_mac_secret_len = SHA_DIGEST_LENGTH;
616 } else {
617 return false;
618 }
619
620 return true;
621 }
622
ssl_get_handshake_digest(uint16_t version,const SSL_CIPHER * cipher)623 const EVP_MD *ssl_get_handshake_digest(uint16_t version,
624 const SSL_CIPHER *cipher) {
625 switch (cipher->algorithm_prf) {
626 case SSL_HANDSHAKE_MAC_DEFAULT:
627 return version >= TLS1_2_VERSION ? EVP_sha256() : EVP_md5_sha1();
628 case SSL_HANDSHAKE_MAC_SHA256:
629 return EVP_sha256();
630 case SSL_HANDSHAKE_MAC_SHA384:
631 return EVP_sha384();
632 default:
633 assert(0);
634 return NULL;
635 }
636 }
637
is_cipher_list_separator(char c,bool is_strict)638 static bool is_cipher_list_separator(char c, bool is_strict) {
639 if (c == ':') {
640 return true;
641 }
642 return !is_strict && (c == ' ' || c == ';' || c == ',');
643 }
644
645 // rule_equals returns whether the NUL-terminated string |rule| is equal to the
646 // |buf_len| bytes at |buf|.
rule_equals(const char * rule,const char * buf,size_t buf_len)647 static bool rule_equals(const char *rule, const char *buf, size_t buf_len) {
648 // |strncmp| alone only checks that |buf| is a prefix of |rule|.
649 return strncmp(rule, buf, buf_len) == 0 && rule[buf_len] == '\0';
650 }
651
ll_append_tail(CIPHER_ORDER ** head,CIPHER_ORDER * curr,CIPHER_ORDER ** tail)652 static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
653 CIPHER_ORDER **tail) {
654 if (curr == *tail) {
655 return;
656 }
657 if (curr == *head) {
658 *head = curr->next;
659 }
660 if (curr->prev != NULL) {
661 curr->prev->next = curr->next;
662 }
663 if (curr->next != NULL) {
664 curr->next->prev = curr->prev;
665 }
666 (*tail)->next = curr;
667 curr->prev = *tail;
668 curr->next = NULL;
669 *tail = curr;
670 }
671
ll_append_head(CIPHER_ORDER ** head,CIPHER_ORDER * curr,CIPHER_ORDER ** tail)672 static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
673 CIPHER_ORDER **tail) {
674 if (curr == *head) {
675 return;
676 }
677 if (curr == *tail) {
678 *tail = curr->prev;
679 }
680 if (curr->next != NULL) {
681 curr->next->prev = curr->prev;
682 }
683 if (curr->prev != NULL) {
684 curr->prev->next = curr->next;
685 }
686 (*head)->prev = curr;
687 curr->next = *head;
688 curr->prev = NULL;
689 *head = curr;
690 }
691
ssl_cipher_collect_ciphers(Array<CIPHER_ORDER> * out_co_list,CIPHER_ORDER ** out_head,CIPHER_ORDER ** out_tail)692 static bool ssl_cipher_collect_ciphers(Array<CIPHER_ORDER> *out_co_list,
693 CIPHER_ORDER **out_head,
694 CIPHER_ORDER **out_tail) {
695 Array<CIPHER_ORDER> co_list;
696 if (!co_list.Init(OPENSSL_ARRAY_SIZE(kCiphers))) {
697 return false;
698 }
699
700 size_t co_list_num = 0;
701 for (const SSL_CIPHER &cipher : kCiphers) {
702 // TLS 1.3 ciphers do not participate in this mechanism.
703 if (cipher.algorithm_mkey != SSL_kGENERIC) {
704 co_list[co_list_num].cipher = &cipher;
705 co_list[co_list_num].next = NULL;
706 co_list[co_list_num].prev = NULL;
707 co_list[co_list_num].active = false;
708 co_list[co_list_num].in_group = false;
709 co_list_num++;
710 }
711 }
712
713 // Prepare linked list from list entries.
714 if (co_list_num > 0) {
715 co_list[0].prev = NULL;
716
717 if (co_list_num > 1) {
718 co_list[0].next = &co_list[1];
719
720 for (size_t i = 1; i < co_list_num - 1; i++) {
721 co_list[i].prev = &co_list[i - 1];
722 co_list[i].next = &co_list[i + 1];
723 }
724
725 co_list[co_list_num - 1].prev = &co_list[co_list_num - 2];
726 }
727
728 co_list[co_list_num - 1].next = NULL;
729
730 *out_head = &co_list[0];
731 *out_tail = &co_list[co_list_num - 1];
732 } else {
733 *out_head = nullptr;
734 *out_tail = nullptr;
735 }
736 *out_co_list = std::move(co_list);
737 return true;
738 }
739
~SSLCipherPreferenceList()740 SSLCipherPreferenceList::~SSLCipherPreferenceList() {
741 OPENSSL_free(in_group_flags);
742 }
743
Init(UniquePtr<STACK_OF (SSL_CIPHER)> ciphers_arg,Span<const bool> in_group_flags_arg)744 bool SSLCipherPreferenceList::Init(UniquePtr<STACK_OF(SSL_CIPHER)> ciphers_arg,
745 Span<const bool> in_group_flags_arg) {
746 if (sk_SSL_CIPHER_num(ciphers_arg.get()) != in_group_flags_arg.size()) {
747 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
748 return false;
749 }
750
751 Array<bool> copy;
752 if (!copy.CopyFrom(in_group_flags_arg)) {
753 return false;
754 }
755 ciphers = std::move(ciphers_arg);
756 size_t unused_len;
757 copy.Release(&in_group_flags, &unused_len);
758 return true;
759 }
760
Init(const SSLCipherPreferenceList & other)761 bool SSLCipherPreferenceList::Init(const SSLCipherPreferenceList& other) {
762 size_t size = sk_SSL_CIPHER_num(other.ciphers.get());
763 Span<const bool> other_flags(other.in_group_flags, size);
764 UniquePtr<STACK_OF(SSL_CIPHER)> other_ciphers(sk_SSL_CIPHER_dup(
765 other.ciphers.get()));
766 if (!other_ciphers) {
767 return false;
768 }
769 return Init(std::move(other_ciphers), other_flags);
770 }
771
Remove(const SSL_CIPHER * cipher)772 void SSLCipherPreferenceList::Remove(const SSL_CIPHER *cipher) {
773 size_t index;
774 if (!sk_SSL_CIPHER_find(ciphers.get(), &index, cipher)) {
775 return;
776 }
777 if (!in_group_flags[index] /* last element of group */ && index > 0) {
778 in_group_flags[index-1] = false;
779 }
780 for (size_t i = index; i < sk_SSL_CIPHER_num(ciphers.get()) - 1; ++i) {
781 in_group_flags[i] = in_group_flags[i+1];
782 }
783 sk_SSL_CIPHER_delete(ciphers.get(), index);
784 }
785
786 // ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its
787 // parameters in the linked list from |*head_p| to |*tail_p|. It writes the new
788 // head and tail of the list to |*head_p| and |*tail_p|, respectively.
789 //
790 // - If |cipher_id| is non-zero, only that cipher is selected.
791 // - Otherwise, if |strength_bits| is non-negative, it selects ciphers
792 // of that strength.
793 // - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and
794 // |min_version|.
ssl_cipher_apply_rule(uint32_t cipher_id,uint32_t alg_mkey,uint32_t alg_auth,uint32_t alg_enc,uint32_t alg_mac,uint16_t min_version,int rule,int strength_bits,bool in_group,CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p)795 static void ssl_cipher_apply_rule(
796 uint32_t cipher_id, uint32_t alg_mkey, uint32_t alg_auth,
797 uint32_t alg_enc, uint32_t alg_mac, uint16_t min_version, int rule,
798 int strength_bits, bool in_group, CIPHER_ORDER **head_p,
799 CIPHER_ORDER **tail_p) {
800 CIPHER_ORDER *head, *tail, *curr, *next, *last;
801 const SSL_CIPHER *cp;
802 bool reverse = false;
803
804 if (cipher_id == 0 && strength_bits == -1 && min_version == 0 &&
805 (alg_mkey == 0 || alg_auth == 0 || alg_enc == 0 || alg_mac == 0)) {
806 // The rule matches nothing, so bail early.
807 return;
808 }
809
810 if (rule == CIPHER_DEL) {
811 // needed to maintain sorting between currently deleted ciphers
812 reverse = true;
813 }
814
815 head = *head_p;
816 tail = *tail_p;
817
818 if (reverse) {
819 next = tail;
820 last = head;
821 } else {
822 next = head;
823 last = tail;
824 }
825
826 curr = NULL;
827 for (;;) {
828 if (curr == last) {
829 break;
830 }
831
832 curr = next;
833 if (curr == NULL) {
834 break;
835 }
836
837 next = reverse ? curr->prev : curr->next;
838 cp = curr->cipher;
839
840 // Selection criteria is either a specific cipher, the value of
841 // |strength_bits|, or the algorithms used.
842 if (cipher_id != 0) {
843 if (cipher_id != cp->id) {
844 continue;
845 }
846 } else if (strength_bits >= 0) {
847 if (strength_bits != SSL_CIPHER_get_bits(cp, NULL)) {
848 continue;
849 }
850 } else {
851 if (!(alg_mkey & cp->algorithm_mkey) ||
852 !(alg_auth & cp->algorithm_auth) ||
853 !(alg_enc & cp->algorithm_enc) ||
854 !(alg_mac & cp->algorithm_mac) ||
855 (min_version != 0 && SSL_CIPHER_get_min_version(cp) != min_version)) {
856 continue;
857 }
858 }
859
860 // add the cipher if it has not been added yet.
861 if (rule == CIPHER_ADD) {
862 // reverse == false
863 if (!curr->active) {
864 ll_append_tail(&head, curr, &tail);
865 curr->active = true;
866 curr->in_group = in_group;
867 }
868 }
869
870 // Move the added cipher to this location
871 else if (rule == CIPHER_ORD) {
872 // reverse == false
873 if (curr->active) {
874 ll_append_tail(&head, curr, &tail);
875 curr->in_group = false;
876 }
877 } else if (rule == CIPHER_DEL) {
878 // reverse == true
879 if (curr->active) {
880 // most recently deleted ciphersuites get best positions
881 // for any future CIPHER_ADD (note that the CIPHER_DEL loop
882 // works in reverse to maintain the order)
883 ll_append_head(&head, curr, &tail);
884 curr->active = false;
885 curr->in_group = false;
886 }
887 } else if (rule == CIPHER_KILL) {
888 // reverse == false
889 if (head == curr) {
890 head = curr->next;
891 } else {
892 curr->prev->next = curr->next;
893 }
894
895 if (tail == curr) {
896 tail = curr->prev;
897 }
898 curr->active = false;
899 if (curr->next != NULL) {
900 curr->next->prev = curr->prev;
901 }
902 if (curr->prev != NULL) {
903 curr->prev->next = curr->next;
904 }
905 curr->next = NULL;
906 curr->prev = NULL;
907 }
908 }
909
910 *head_p = head;
911 *tail_p = tail;
912 }
913
ssl_cipher_strength_sort(CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p)914 static bool ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
915 CIPHER_ORDER **tail_p) {
916 // This routine sorts the ciphers with descending strength. The sorting must
917 // keep the pre-sorted sequence, so we apply the normal sorting routine as
918 // '+' movement to the end of the list.
919 int max_strength_bits = 0;
920 CIPHER_ORDER *curr = *head_p;
921 while (curr != NULL) {
922 if (curr->active &&
923 SSL_CIPHER_get_bits(curr->cipher, NULL) > max_strength_bits) {
924 max_strength_bits = SSL_CIPHER_get_bits(curr->cipher, NULL);
925 }
926 curr = curr->next;
927 }
928
929 Array<int> number_uses;
930 if (!number_uses.Init(max_strength_bits + 1)) {
931 return false;
932 }
933 OPENSSL_memset(number_uses.data(), 0, (max_strength_bits + 1) * sizeof(int));
934
935 // Now find the strength_bits values actually used.
936 curr = *head_p;
937 while (curr != NULL) {
938 if (curr->active) {
939 number_uses[SSL_CIPHER_get_bits(curr->cipher, NULL)]++;
940 }
941 curr = curr->next;
942 }
943
944 // Go through the list of used strength_bits values in descending order.
945 for (int i = max_strength_bits; i >= 0; i--) {
946 if (number_uses[i] > 0) {
947 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i, false, head_p,
948 tail_p);
949 }
950 }
951
952 return true;
953 }
954
ssl_cipher_process_rulestr(const char * rule_str,CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p,bool strict)955 static bool ssl_cipher_process_rulestr(const char *rule_str,
956 CIPHER_ORDER **head_p,
957 CIPHER_ORDER **tail_p, bool strict) {
958 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
959 uint16_t min_version;
960 const char *l, *buf;
961 int rule;
962 bool multi, skip_rule, in_group = false, has_group = false;
963 size_t j, buf_len;
964 uint32_t cipher_id;
965 char ch;
966
967 l = rule_str;
968 for (;;) {
969 ch = *l;
970
971 if (ch == '\0') {
972 break; // done
973 }
974
975 if (in_group) {
976 if (ch == ']') {
977 if (*tail_p) {
978 (*tail_p)->in_group = false;
979 }
980 in_group = false;
981 l++;
982 continue;
983 }
984
985 if (ch == '|') {
986 rule = CIPHER_ADD;
987 l++;
988 continue;
989 } else if (!OPENSSL_isalnum(ch)) {
990 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP);
991 return false;
992 } else {
993 rule = CIPHER_ADD;
994 }
995 } else if (ch == '-') {
996 rule = CIPHER_DEL;
997 l++;
998 } else if (ch == '+') {
999 rule = CIPHER_ORD;
1000 l++;
1001 } else if (ch == '!') {
1002 rule = CIPHER_KILL;
1003 l++;
1004 } else if (ch == '@') {
1005 rule = CIPHER_SPECIAL;
1006 l++;
1007 } else if (ch == '[') {
1008 assert(!in_group);
1009 in_group = true;
1010 has_group = true;
1011 l++;
1012 continue;
1013 } else {
1014 rule = CIPHER_ADD;
1015 }
1016
1017 // If preference groups are enabled, the only legal operator is +.
1018 // Otherwise the in_group bits will get mixed up.
1019 if (has_group && rule != CIPHER_ADD) {
1020 OPENSSL_PUT_ERROR(SSL, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
1021 return false;
1022 }
1023
1024 if (is_cipher_list_separator(ch, strict)) {
1025 l++;
1026 continue;
1027 }
1028
1029 multi = false;
1030 cipher_id = 0;
1031 alg_mkey = ~0u;
1032 alg_auth = ~0u;
1033 alg_enc = ~0u;
1034 alg_mac = ~0u;
1035 min_version = 0;
1036 skip_rule = false;
1037
1038 for (;;) {
1039 ch = *l;
1040 buf = l;
1041 buf_len = 0;
1042 while (OPENSSL_isalnum(ch) || ch == '-' || ch == '.' || ch == '_') {
1043 ch = *(++l);
1044 buf_len++;
1045 }
1046
1047 if (buf_len == 0) {
1048 // We hit something we cannot deal with, it is no command or separator
1049 // nor alphanumeric, so we call this an error.
1050 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1051 return false;
1052 }
1053
1054 if (rule == CIPHER_SPECIAL) {
1055 break;
1056 }
1057
1058 // Look for a matching exact cipher. These aren't allowed in multipart
1059 // rules.
1060 if (!multi && ch != '+') {
1061 for (j = 0; j < OPENSSL_ARRAY_SIZE(kCiphers); j++) {
1062 const SSL_CIPHER *cipher = &kCiphers[j];
1063 if (rule_equals(cipher->name, buf, buf_len) ||
1064 rule_equals(cipher->standard_name, buf, buf_len)) {
1065 cipher_id = cipher->id;
1066 break;
1067 }
1068 }
1069 }
1070 if (cipher_id == 0) {
1071 // If not an exact cipher, look for a matching cipher alias.
1072 for (j = 0; j < kCipherAliasesLen; j++) {
1073 if (rule_equals(kCipherAliases[j].name, buf, buf_len)) {
1074 alg_mkey &= kCipherAliases[j].algorithm_mkey;
1075 alg_auth &= kCipherAliases[j].algorithm_auth;
1076 alg_enc &= kCipherAliases[j].algorithm_enc;
1077 alg_mac &= kCipherAliases[j].algorithm_mac;
1078
1079 if (min_version != 0 &&
1080 min_version != kCipherAliases[j].min_version) {
1081 skip_rule = true;
1082 } else {
1083 min_version = kCipherAliases[j].min_version;
1084 }
1085 break;
1086 }
1087 }
1088 if (j == kCipherAliasesLen) {
1089 skip_rule = true;
1090 if (strict) {
1091 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1092 return false;
1093 }
1094 }
1095 }
1096
1097 // Check for a multipart rule.
1098 if (ch != '+') {
1099 break;
1100 }
1101 l++;
1102 multi = true;
1103 }
1104
1105 // Ok, we have the rule, now apply it.
1106 if (rule == CIPHER_SPECIAL) {
1107 if (buf_len != 8 || strncmp(buf, "STRENGTH", 8) != 0) {
1108 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1109 return false;
1110 }
1111 if (!ssl_cipher_strength_sort(head_p, tail_p)) {
1112 return false;
1113 }
1114
1115 // We do not support any "multi" options together with "@", so throw away
1116 // the rest of the command, if any left, until end or ':' is found.
1117 while (*l != '\0' && !is_cipher_list_separator(*l, strict)) {
1118 l++;
1119 }
1120 } else if (!skip_rule) {
1121 ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth, alg_enc, alg_mac,
1122 min_version, rule, -1, in_group, head_p, tail_p);
1123 }
1124 }
1125
1126 if (in_group) {
1127 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1128 return false;
1129 }
1130
1131 return true;
1132 }
1133
ssl_create_cipher_list(UniquePtr<SSLCipherPreferenceList> * out_cipher_list,const bool has_aes_hw,const char * rule_str,bool strict)1134 bool ssl_create_cipher_list(UniquePtr<SSLCipherPreferenceList> *out_cipher_list,
1135 const bool has_aes_hw, const char *rule_str,
1136 bool strict) {
1137 // Return with error if nothing to do.
1138 if (rule_str == NULL || out_cipher_list == NULL) {
1139 return false;
1140 }
1141
1142 // Now we have to collect the available ciphers from the compiled in ciphers.
1143 // We cannot get more than the number compiled in, so it is used for
1144 // allocation.
1145 Array<CIPHER_ORDER> co_list;
1146 CIPHER_ORDER *head = nullptr, *tail = nullptr;
1147 if (!ssl_cipher_collect_ciphers(&co_list, &head, &tail)) {
1148 return false;
1149 }
1150
1151 // Now arrange all ciphers by preference:
1152 // TODO(davidben): Compute this order once and copy it.
1153
1154 // Everything else being equal, prefer ECDHE_ECDSA and ECDHE_RSA over other
1155 // key exchange mechanisms
1156 ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, ~0u, ~0u, 0, CIPHER_ADD, -1,
1157 false, &head, &tail);
1158 ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, false,
1159 &head, &tail);
1160 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, false, &head,
1161 &tail);
1162
1163 // Order the bulk ciphers. First the preferred AEAD ciphers. We prefer
1164 // CHACHA20 unless there is hardware support for fast and constant-time
1165 // AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the
1166 // old one.
1167 if (has_aes_hw) {
1168 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1,
1169 false, &head, &tail);
1170 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1,
1171 false, &head, &tail);
1172 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
1173 -1, false, &head, &tail);
1174 } else {
1175 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
1176 -1, false, &head, &tail);
1177 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1,
1178 false, &head, &tail);
1179 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1,
1180 false, &head, &tail);
1181 }
1182
1183 // Then the legacy non-AEAD ciphers: AES_128_CBC, AES_256_CBC,
1184 // 3DES_EDE_CBC_SHA.
1185 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, 0, CIPHER_ADD, -1, false,
1186 &head, &tail);
1187 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, 0, CIPHER_ADD, -1, false,
1188 &head, &tail);
1189 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, 0, CIPHER_ADD, -1, false,
1190 &head, &tail);
1191
1192 // Temporarily enable everything else for sorting
1193 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, false, &head,
1194 &tail);
1195
1196 // Move ciphers without forward secrecy to the end.
1197 ssl_cipher_apply_rule(0, (SSL_kRSA | SSL_kPSK), ~0u, ~0u, ~0u, 0, CIPHER_ORD,
1198 -1, false, &head, &tail);
1199
1200 // Now disable everything (maintaining the ordering!)
1201 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, false, &head,
1202 &tail);
1203
1204 // If the rule_string begins with DEFAULT, apply the default rule before
1205 // using the (possibly available) additional rules.
1206 const char *rule_p = rule_str;
1207 if (strncmp(rule_str, "DEFAULT", 7) == 0) {
1208 if (!ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, &head, &tail,
1209 strict)) {
1210 return false;
1211 }
1212 rule_p += 7;
1213 if (*rule_p == ':') {
1214 rule_p++;
1215 }
1216 }
1217
1218 if (*rule_p != '\0' &&
1219 !ssl_cipher_process_rulestr(rule_p, &head, &tail, strict)) {
1220 return false;
1221 }
1222
1223 // Allocate new "cipherstack" for the result, return with error
1224 // if we cannot get one.
1225 UniquePtr<STACK_OF(SSL_CIPHER)> cipherstack(sk_SSL_CIPHER_new_null());
1226 Array<bool> in_group_flags;
1227 if (cipherstack == nullptr ||
1228 !in_group_flags.Init(OPENSSL_ARRAY_SIZE(kCiphers))) {
1229 return false;
1230 }
1231
1232 // The cipher selection for the list is done. The ciphers are added
1233 // to the resulting precedence to the STACK_OF(SSL_CIPHER).
1234 size_t num_in_group_flags = 0;
1235 for (CIPHER_ORDER *curr = head; curr != NULL; curr = curr->next) {
1236 if (curr->active) {
1237 if (!sk_SSL_CIPHER_push(cipherstack.get(), curr->cipher)) {
1238 return false;
1239 }
1240 in_group_flags[num_in_group_flags++] = curr->in_group;
1241 }
1242 }
1243
1244 UniquePtr<SSLCipherPreferenceList> pref_list =
1245 MakeUnique<SSLCipherPreferenceList>();
1246 if (!pref_list ||
1247 !pref_list->Init(
1248 std::move(cipherstack),
1249 MakeConstSpan(in_group_flags).subspan(0, num_in_group_flags))) {
1250 return false;
1251 }
1252
1253 *out_cipher_list = std::move(pref_list);
1254
1255 // Configuring an empty cipher list is an error but still updates the
1256 // output.
1257 if (sk_SSL_CIPHER_num((*out_cipher_list)->ciphers.get()) == 0) {
1258 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHER_MATCH);
1259 return false;
1260 }
1261
1262 return true;
1263 }
1264
ssl_cipher_auth_mask_for_key(const EVP_PKEY * key)1265 uint32_t ssl_cipher_auth_mask_for_key(const EVP_PKEY *key) {
1266 switch (EVP_PKEY_id(key)) {
1267 case EVP_PKEY_RSA:
1268 return SSL_aRSA;
1269 case EVP_PKEY_EC:
1270 case EVP_PKEY_ED25519:
1271 // Ed25519 keys in TLS 1.2 repurpose the ECDSA ciphers.
1272 return SSL_aECDSA;
1273 default:
1274 return 0;
1275 }
1276 }
1277
ssl_cipher_uses_certificate_auth(const SSL_CIPHER * cipher)1278 bool ssl_cipher_uses_certificate_auth(const SSL_CIPHER *cipher) {
1279 return (cipher->algorithm_auth & SSL_aCERT) != 0;
1280 }
1281
ssl_cipher_requires_server_key_exchange(const SSL_CIPHER * cipher)1282 bool ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) {
1283 // Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. It is
1284 // optional or omitted in all others.
1285 return (cipher->algorithm_mkey & SSL_kECDHE) != 0;
1286 }
1287
ssl_cipher_get_record_split_len(const SSL_CIPHER * cipher)1288 size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher) {
1289 size_t block_size;
1290 switch (cipher->algorithm_enc) {
1291 case SSL_3DES:
1292 block_size = 8;
1293 break;
1294 case SSL_AES128:
1295 case SSL_AES256:
1296 block_size = 16;
1297 break;
1298 default:
1299 return 0;
1300 }
1301
1302 // All supported TLS 1.0 ciphers use SHA-1.
1303 assert(cipher->algorithm_mac == SSL_SHA1);
1304 size_t ret = 1 + SHA_DIGEST_LENGTH;
1305 ret += block_size - (ret % block_size);
1306 return ret;
1307 }
1308
1309 BSSL_NAMESPACE_END
1310
1311 using namespace bssl;
1312
ssl_cipher_id_cmp(const SSL_CIPHER * a,const SSL_CIPHER * b)1313 static constexpr int ssl_cipher_id_cmp(const SSL_CIPHER *a,
1314 const SSL_CIPHER *b) {
1315 if (a->id > b->id) {
1316 return 1;
1317 }
1318 if (a->id < b->id) {
1319 return -1;
1320 }
1321 return 0;
1322 }
1323
ssl_cipher_id_cmp_void(const void * in_a,const void * in_b)1324 static int ssl_cipher_id_cmp_void(const void *in_a, const void *in_b) {
1325 return ssl_cipher_id_cmp(reinterpret_cast<const SSL_CIPHER *>(in_a),
1326 reinterpret_cast<const SSL_CIPHER *>(in_b));
1327 }
1328
1329 template <size_t N>
ssl_ciphers_sorted(const SSL_CIPHER (& ciphers)[N])1330 static constexpr bool ssl_ciphers_sorted(const SSL_CIPHER (&ciphers)[N]) {
1331 for (size_t i = 1; i < N; i++) {
1332 if (ssl_cipher_id_cmp(&ciphers[i - 1], &ciphers[i]) >= 0) {
1333 return false;
1334 }
1335 }
1336 return true;
1337 }
1338
1339 static_assert(ssl_ciphers_sorted(kCiphers),
1340 "Ciphers are not sorted, bsearch won't work");
1341
SSL_get_cipher_by_value(uint16_t value)1342 const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value) {
1343 SSL_CIPHER c;
1344
1345 c.id = 0x03000000L | value;
1346 return reinterpret_cast<const SSL_CIPHER *>(bsearch(
1347 &c, kCiphers, OPENSSL_ARRAY_SIZE(kCiphers), sizeof(SSL_CIPHER),
1348 ssl_cipher_id_cmp_void));
1349 }
1350
SSL_CIPHER_get_id(const SSL_CIPHER * cipher)1351 uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher) { return cipher->id; }
1352
SSL_CIPHER_get_protocol_id(const SSL_CIPHER * cipher)1353 uint16_t SSL_CIPHER_get_protocol_id(const SSL_CIPHER *cipher) {
1354 // All OpenSSL cipher IDs are prefaced with 0x03. Historically this referred
1355 // to SSLv2 vs SSLv3.
1356 assert((cipher->id & 0xff000000) == 0x03000000);
1357 return static_cast<uint16_t>(cipher->id);
1358 }
1359
SSL_CIPHER_get_value(const SSL_CIPHER * cipher)1360 uint16_t SSL_CIPHER_get_value(const SSL_CIPHER *cipher) {
1361 return SSL_CIPHER_get_protocol_id(cipher);
1362 }
1363
SSL_CIPHER_is_aead(const SSL_CIPHER * cipher)1364 int SSL_CIPHER_is_aead(const SSL_CIPHER *cipher) {
1365 return (cipher->algorithm_mac & SSL_AEAD) != 0;
1366 }
1367
SSL_CIPHER_get_cipher_nid(const SSL_CIPHER * cipher)1368 int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *cipher) {
1369 switch (cipher->algorithm_enc) {
1370 case SSL_3DES:
1371 return NID_des_ede3_cbc;
1372 case SSL_AES128:
1373 return NID_aes_128_cbc;
1374 case SSL_AES256:
1375 return NID_aes_256_cbc;
1376 case SSL_AES128GCM:
1377 return NID_aes_128_gcm;
1378 case SSL_AES256GCM:
1379 return NID_aes_256_gcm;
1380 case SSL_CHACHA20POLY1305:
1381 return NID_chacha20_poly1305;
1382 }
1383 assert(0);
1384 return NID_undef;
1385 }
1386
SSL_CIPHER_get_digest_nid(const SSL_CIPHER * cipher)1387 int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *cipher) {
1388 switch (cipher->algorithm_mac) {
1389 case SSL_AEAD:
1390 return NID_undef;
1391 case SSL_SHA1:
1392 return NID_sha1;
1393 }
1394 assert(0);
1395 return NID_undef;
1396 }
1397
SSL_CIPHER_get_kx_nid(const SSL_CIPHER * cipher)1398 int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *cipher) {
1399 switch (cipher->algorithm_mkey) {
1400 case SSL_kRSA:
1401 return NID_kx_rsa;
1402 case SSL_kECDHE:
1403 return NID_kx_ecdhe;
1404 case SSL_kPSK:
1405 return NID_kx_psk;
1406 case SSL_kGENERIC:
1407 return NID_kx_any;
1408 }
1409 assert(0);
1410 return NID_undef;
1411 }
1412
SSL_CIPHER_get_auth_nid(const SSL_CIPHER * cipher)1413 int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *cipher) {
1414 switch (cipher->algorithm_auth) {
1415 case SSL_aRSA:
1416 return NID_auth_rsa;
1417 case SSL_aECDSA:
1418 return NID_auth_ecdsa;
1419 case SSL_aPSK:
1420 return NID_auth_psk;
1421 case SSL_aGENERIC:
1422 return NID_auth_any;
1423 }
1424 assert(0);
1425 return NID_undef;
1426 }
1427
SSL_CIPHER_get_prf_nid(const SSL_CIPHER * cipher)1428 int SSL_CIPHER_get_prf_nid(const SSL_CIPHER *cipher) {
1429 switch (cipher->algorithm_prf) {
1430 case SSL_HANDSHAKE_MAC_DEFAULT:
1431 return NID_md5_sha1;
1432 case SSL_HANDSHAKE_MAC_SHA256:
1433 return NID_sha256;
1434 case SSL_HANDSHAKE_MAC_SHA384:
1435 return NID_sha384;
1436 }
1437 assert(0);
1438 return NID_undef;
1439 }
1440
SSL_CIPHER_is_block_cipher(const SSL_CIPHER * cipher)1441 int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher) {
1442 return cipher->algorithm_mac != SSL_AEAD;
1443 }
1444
SSL_CIPHER_get_min_version(const SSL_CIPHER * cipher)1445 uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) {
1446 if (cipher->algorithm_mkey == SSL_kGENERIC ||
1447 cipher->algorithm_auth == SSL_aGENERIC) {
1448 return TLS1_3_VERSION;
1449 }
1450
1451 if (cipher->algorithm_prf != SSL_HANDSHAKE_MAC_DEFAULT) {
1452 // Cipher suites before TLS 1.2 use the default PRF, while all those added
1453 // afterwards specify a particular hash.
1454 return TLS1_2_VERSION;
1455 }
1456 return SSL3_VERSION;
1457 }
1458
SSL_CIPHER_get_max_version(const SSL_CIPHER * cipher)1459 uint16_t SSL_CIPHER_get_max_version(const SSL_CIPHER *cipher) {
1460 if (cipher->algorithm_mkey == SSL_kGENERIC ||
1461 cipher->algorithm_auth == SSL_aGENERIC) {
1462 return TLS1_3_VERSION;
1463 }
1464 return TLS1_2_VERSION;
1465 }
1466
1467 // return the actual cipher being used
SSL_CIPHER_get_name(const SSL_CIPHER * cipher)1468 const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) {
1469 if (cipher != NULL) {
1470 return cipher->name;
1471 }
1472
1473 return "(NONE)";
1474 }
1475
SSL_CIPHER_standard_name(const SSL_CIPHER * cipher)1476 const char *SSL_CIPHER_standard_name(const SSL_CIPHER *cipher) {
1477 return cipher->standard_name;
1478 }
1479
SSL_CIPHER_get_kx_name(const SSL_CIPHER * cipher)1480 const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) {
1481 if (cipher == NULL) {
1482 return "";
1483 }
1484
1485 switch (cipher->algorithm_mkey) {
1486 case SSL_kRSA:
1487 return "RSA";
1488
1489 case SSL_kECDHE:
1490 switch (cipher->algorithm_auth) {
1491 case SSL_aECDSA:
1492 return "ECDHE_ECDSA";
1493 case SSL_aRSA:
1494 return "ECDHE_RSA";
1495 case SSL_aPSK:
1496 return "ECDHE_PSK";
1497 default:
1498 assert(0);
1499 return "UNKNOWN";
1500 }
1501
1502 case SSL_kPSK:
1503 assert(cipher->algorithm_auth == SSL_aPSK);
1504 return "PSK";
1505
1506 case SSL_kGENERIC:
1507 assert(cipher->algorithm_auth == SSL_aGENERIC);
1508 return "GENERIC";
1509
1510 default:
1511 assert(0);
1512 return "UNKNOWN";
1513 }
1514 }
1515
SSL_CIPHER_get_bits(const SSL_CIPHER * cipher,int * out_alg_bits)1516 int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *out_alg_bits) {
1517 if (cipher == NULL) {
1518 return 0;
1519 }
1520
1521 int alg_bits, strength_bits;
1522 switch (cipher->algorithm_enc) {
1523 case SSL_AES128:
1524 case SSL_AES128GCM:
1525 alg_bits = 128;
1526 strength_bits = 128;
1527 break;
1528
1529 case SSL_AES256:
1530 case SSL_AES256GCM:
1531 case SSL_CHACHA20POLY1305:
1532 alg_bits = 256;
1533 strength_bits = 256;
1534 break;
1535
1536 case SSL_3DES:
1537 alg_bits = 168;
1538 strength_bits = 112;
1539 break;
1540
1541 default:
1542 assert(0);
1543 alg_bits = 0;
1544 strength_bits = 0;
1545 }
1546
1547 if (out_alg_bits != NULL) {
1548 *out_alg_bits = alg_bits;
1549 }
1550 return strength_bits;
1551 }
1552
SSL_CIPHER_description(const SSL_CIPHER * cipher,char * buf,int len)1553 const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,
1554 int len) {
1555 const char *kx, *au, *enc, *mac;
1556 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
1557
1558 alg_mkey = cipher->algorithm_mkey;
1559 alg_auth = cipher->algorithm_auth;
1560 alg_enc = cipher->algorithm_enc;
1561 alg_mac = cipher->algorithm_mac;
1562
1563 switch (alg_mkey) {
1564 case SSL_kRSA:
1565 kx = "RSA";
1566 break;
1567
1568 case SSL_kECDHE:
1569 kx = "ECDH";
1570 break;
1571
1572 case SSL_kPSK:
1573 kx = "PSK";
1574 break;
1575
1576 case SSL_kGENERIC:
1577 kx = "GENERIC";
1578 break;
1579
1580 default:
1581 kx = "unknown";
1582 }
1583
1584 switch (alg_auth) {
1585 case SSL_aRSA:
1586 au = "RSA";
1587 break;
1588
1589 case SSL_aECDSA:
1590 au = "ECDSA";
1591 break;
1592
1593 case SSL_aPSK:
1594 au = "PSK";
1595 break;
1596
1597 case SSL_aGENERIC:
1598 au = "GENERIC";
1599 break;
1600
1601 default:
1602 au = "unknown";
1603 break;
1604 }
1605
1606 switch (alg_enc) {
1607 case SSL_3DES:
1608 enc = "3DES(168)";
1609 break;
1610
1611 case SSL_AES128:
1612 enc = "AES(128)";
1613 break;
1614
1615 case SSL_AES256:
1616 enc = "AES(256)";
1617 break;
1618
1619 case SSL_AES128GCM:
1620 enc = "AESGCM(128)";
1621 break;
1622
1623 case SSL_AES256GCM:
1624 enc = "AESGCM(256)";
1625 break;
1626
1627 case SSL_CHACHA20POLY1305:
1628 enc = "ChaCha20-Poly1305";
1629 break;
1630
1631 default:
1632 enc = "unknown";
1633 break;
1634 }
1635
1636 switch (alg_mac) {
1637 case SSL_SHA1:
1638 mac = "SHA1";
1639 break;
1640
1641 case SSL_AEAD:
1642 mac = "AEAD";
1643 break;
1644
1645 default:
1646 mac = "unknown";
1647 break;
1648 }
1649
1650 if (buf == NULL) {
1651 len = 128;
1652 buf = (char *)OPENSSL_malloc(len);
1653 if (buf == NULL) {
1654 return NULL;
1655 }
1656 } else if (len < 128) {
1657 return "Buffer too small";
1658 }
1659
1660 BIO_snprintf(buf, len, "%-23s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n",
1661 cipher->name, kx, au, enc, mac);
1662 return buf;
1663 }
1664
SSL_CIPHER_get_version(const SSL_CIPHER * cipher)1665 const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher) {
1666 return "TLSv1/SSLv3";
1667 }
1668
STACK_OF(SSL_COMP)1669 STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void) { return NULL; }
1670
SSL_COMP_add_compression_method(int id,COMP_METHOD * cm)1671 int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) { return 1; }
1672
SSL_COMP_get_name(const COMP_METHOD * comp)1673 const char *SSL_COMP_get_name(const COMP_METHOD *comp) { return NULL; }
1674
SSL_COMP_get0_name(const SSL_COMP * comp)1675 const char *SSL_COMP_get0_name(const SSL_COMP *comp) { return comp->name; }
1676
SSL_COMP_get_id(const SSL_COMP * comp)1677 int SSL_COMP_get_id(const SSL_COMP *comp) { return comp->id; }
1678
SSL_COMP_free_compression_methods(void)1679 void SSL_COMP_free_compression_methods(void) {}
1680