• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2  * All rights reserved.
3  *
4  * This package is an SSL implementation written
5  * by Eric Young (eay@cryptsoft.com).
6  * The implementation was written so as to conform with Netscapes SSL.
7  *
8  * This library is free for commercial and non-commercial use as long as
9  * the following conditions are aheared to.  The following conditions
10  * apply to all code found in this distribution, be it the RC4, RSA,
11  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
12  * included with this distribution is covered by the same copyright terms
13  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14  *
15  * Copyright remains Eric Young's, and as such any Copyright notices in
16  * the code are not to be removed.
17  * If this package is used in a product, Eric Young should be given attribution
18  * as the author of the parts of the library used.
19  * This can be in the form of a textual message at program startup or
20  * in documentation (online or textual) provided with the package.
21  *
22  * Redistribution and use in source and binary forms, with or without
23  * modification, are permitted provided that the following conditions
24  * are met:
25  * 1. Redistributions of source code must retain the copyright
26  *    notice, this list of conditions and the following disclaimer.
27  * 2. Redistributions in binary form must reproduce the above copyright
28  *    notice, this list of conditions and the following disclaimer in the
29  *    documentation and/or other materials provided with the distribution.
30  * 3. All advertising materials mentioning features or use of this software
31  *    must display the following acknowledgement:
32  *    "This product includes cryptographic software written by
33  *     Eric Young (eay@cryptsoft.com)"
34  *    The word 'cryptographic' can be left out if the rouines from the library
35  *    being used are not cryptographic related :-).
36  * 4. If you include any Windows specific code (or a derivative thereof) from
37  *    the apps directory (application code) you must include an acknowledgement:
38  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50  * SUCH DAMAGE.
51  *
52  * The licence and distribution terms for any publically available version or
53  * derivative of this code cannot be changed.  i.e. this code cannot simply be
54  * copied and put under another distribution licence
55  * [including the GNU Public Licence.]
56  */
57 /* ====================================================================
58  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
59  *
60  * Redistribution and use in source and binary forms, with or without
61  * modification, are permitted provided that the following conditions
62  * are met:
63  *
64  * 1. Redistributions of source code must retain the above copyright
65  *    notice, this list of conditions and the following disclaimer.
66  *
67  * 2. Redistributions in binary form must reproduce the above copyright
68  *    notice, this list of conditions and the following disclaimer in
69  *    the documentation and/or other materials provided with the
70  *    distribution.
71  *
72  * 3. All advertising materials mentioning features or use of this
73  *    software must display the following acknowledgment:
74  *    "This product includes software developed by the OpenSSL Project
75  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76  *
77  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78  *    endorse or promote products derived from this software without
79  *    prior written permission. For written permission, please contact
80  *    openssl-core@openssl.org.
81  *
82  * 5. Products derived from this software may not be called "OpenSSL"
83  *    nor may "OpenSSL" appear in their names without prior written
84  *    permission of the OpenSSL Project.
85  *
86  * 6. Redistributions of any form whatsoever must retain the following
87  *    acknowledgment:
88  *    "This product includes software developed by the OpenSSL Project
89  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90  *
91  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
95  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102  * OF THE POSSIBILITY OF SUCH DAMAGE.
103  * ====================================================================
104  *
105  * This product includes cryptographic software written by Eric Young
106  * (eay@cryptsoft.com).  This product includes software written by Tim
107  * Hudson (tjh@cryptsoft.com).
108  *
109  */
110 /* ====================================================================
111  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112  * ECC cipher suite support in OpenSSL originally developed by
113  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
114  */
115 /* ====================================================================
116  * Copyright 2005 Nokia. All rights reserved.
117  *
118  * The portions of the attached software ("Contribution") is developed by
119  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
120  * license.
121  *
122  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
123  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
124  * support (see RFC 4279) to OpenSSL.
125  *
126  * No patent licenses or other rights except those expressly stated in
127  * the OpenSSL open source license shall be deemed granted or received
128  * expressly, by implication, estoppel, or otherwise.
129  *
130  * No assurances are provided by Nokia that the Contribution does not
131  * infringe the patent or other intellectual property rights of any third
132  * party or that the license provides you with all the necessary rights
133  * to make use of the Contribution.
134  *
135  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
136  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
137  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
138  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
139  * OTHERWISE. */
140 
141 #include <openssl/ssl.h>
142 
143 #include <assert.h>
144 #include <stdio.h>
145 #include <string.h>
146 
147 #include <openssl/buf.h>
148 #include <openssl/err.h>
149 #include <openssl/md5.h>
150 #include <openssl/mem.h>
151 #include <openssl/sha.h>
152 #include <openssl/stack.h>
153 
154 #include "internal.h"
155 
156 
157 /* kCiphers is an array of all supported ciphers, sorted by id. */
158 static const SSL_CIPHER kCiphers[] = {
159     /* The RSA ciphers */
160     /* Cipher 02 */
161     {
162      SSL3_TXT_RSA_NULL_SHA,
163      SSL3_CK_RSA_NULL_SHA,
164      SSL_kRSA,
165      SSL_aRSA,
166      SSL_eNULL,
167      SSL_SHA1,
168      SSL_HANDSHAKE_MAC_DEFAULT,
169     },
170 
171     /* Cipher 04 */
172     {
173      SSL3_TXT_RSA_RC4_128_MD5,
174      SSL3_CK_RSA_RC4_128_MD5,
175      SSL_kRSA,
176      SSL_aRSA,
177      SSL_RC4,
178      SSL_MD5,
179      SSL_HANDSHAKE_MAC_DEFAULT,
180     },
181 
182     /* Cipher 05 */
183     {
184      SSL3_TXT_RSA_RC4_128_SHA,
185      SSL3_CK_RSA_RC4_128_SHA,
186      SSL_kRSA,
187      SSL_aRSA,
188      SSL_RC4,
189      SSL_SHA1,
190      SSL_HANDSHAKE_MAC_DEFAULT,
191     },
192 
193     /* Cipher 0A */
194     {
195      SSL3_TXT_RSA_DES_192_CBC3_SHA,
196      SSL3_CK_RSA_DES_192_CBC3_SHA,
197      SSL_kRSA,
198      SSL_aRSA,
199      SSL_3DES,
200      SSL_SHA1,
201      SSL_HANDSHAKE_MAC_DEFAULT,
202     },
203 
204 
205     /* New AES ciphersuites */
206 
207     /* Cipher 2F */
208     {
209      TLS1_TXT_RSA_WITH_AES_128_SHA,
210      TLS1_CK_RSA_WITH_AES_128_SHA,
211      SSL_kRSA,
212      SSL_aRSA,
213      SSL_AES128,
214      SSL_SHA1,
215      SSL_HANDSHAKE_MAC_DEFAULT,
216     },
217 
218     /* Cipher 33 */
219     {
220      TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
221      TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
222      SSL_kDHE,
223      SSL_aRSA,
224      SSL_AES128,
225      SSL_SHA1,
226      SSL_HANDSHAKE_MAC_DEFAULT,
227     },
228 
229     /* Cipher 35 */
230     {
231      TLS1_TXT_RSA_WITH_AES_256_SHA,
232      TLS1_CK_RSA_WITH_AES_256_SHA,
233      SSL_kRSA,
234      SSL_aRSA,
235      SSL_AES256,
236      SSL_SHA1,
237      SSL_HANDSHAKE_MAC_DEFAULT,
238     },
239 
240     /* Cipher 39 */
241     {
242      TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
243      TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
244      SSL_kDHE,
245      SSL_aRSA,
246      SSL_AES256,
247      SSL_SHA1,
248      SSL_HANDSHAKE_MAC_DEFAULT,
249     },
250 
251 
252     /* TLS v1.2 ciphersuites */
253 
254     /* Cipher 3C */
255     {
256      TLS1_TXT_RSA_WITH_AES_128_SHA256,
257      TLS1_CK_RSA_WITH_AES_128_SHA256,
258      SSL_kRSA,
259      SSL_aRSA,
260      SSL_AES128,
261      SSL_SHA256,
262      SSL_HANDSHAKE_MAC_SHA256,
263     },
264 
265     /* Cipher 3D */
266     {
267      TLS1_TXT_RSA_WITH_AES_256_SHA256,
268      TLS1_CK_RSA_WITH_AES_256_SHA256,
269      SSL_kRSA,
270      SSL_aRSA,
271      SSL_AES256,
272      SSL_SHA256,
273      SSL_HANDSHAKE_MAC_SHA256,
274     },
275 
276     /* Cipher 67 */
277     {
278      TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
279      TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
280      SSL_kDHE,
281      SSL_aRSA,
282      SSL_AES128,
283      SSL_SHA256,
284      SSL_HANDSHAKE_MAC_SHA256,
285     },
286 
287     /* Cipher 6B */
288     {
289      TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256,
290      TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
291      SSL_kDHE,
292      SSL_aRSA,
293      SSL_AES256,
294      SSL_SHA256,
295      SSL_HANDSHAKE_MAC_SHA256,
296     },
297 
298     /* PSK cipher suites. */
299 
300     /* Cipher 8A */
301     {
302      TLS1_TXT_PSK_WITH_RC4_128_SHA,
303      TLS1_CK_PSK_WITH_RC4_128_SHA,
304      SSL_kPSK,
305      SSL_aPSK,
306      SSL_RC4,
307      SSL_SHA1,
308      SSL_HANDSHAKE_MAC_DEFAULT,
309     },
310 
311     /* Cipher 8C */
312     {
313      TLS1_TXT_PSK_WITH_AES_128_CBC_SHA,
314      TLS1_CK_PSK_WITH_AES_128_CBC_SHA,
315      SSL_kPSK,
316      SSL_aPSK,
317      SSL_AES128,
318      SSL_SHA1,
319      SSL_HANDSHAKE_MAC_DEFAULT,
320     },
321 
322     /* Cipher 8D */
323     {
324      TLS1_TXT_PSK_WITH_AES_256_CBC_SHA,
325      TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
326      SSL_kPSK,
327      SSL_aPSK,
328      SSL_AES256,
329      SSL_SHA1,
330      SSL_HANDSHAKE_MAC_DEFAULT,
331     },
332 
333     /* GCM ciphersuites from RFC5288 */
334 
335     /* Cipher 9C */
336     {
337      TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
338      TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
339      SSL_kRSA,
340      SSL_aRSA,
341      SSL_AES128GCM,
342      SSL_AEAD,
343      SSL_HANDSHAKE_MAC_SHA256,
344     },
345 
346     /* Cipher 9D */
347     {
348      TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
349      TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
350      SSL_kRSA,
351      SSL_aRSA,
352      SSL_AES256GCM,
353      SSL_AEAD,
354      SSL_HANDSHAKE_MAC_SHA384,
355     },
356 
357     /* Cipher 9E */
358     {
359      TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,
360      TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
361      SSL_kDHE,
362      SSL_aRSA,
363      SSL_AES128GCM,
364      SSL_AEAD,
365      SSL_HANDSHAKE_MAC_SHA256,
366     },
367 
368     /* Cipher 9F */
369     {
370      TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,
371      TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
372      SSL_kDHE,
373      SSL_aRSA,
374      SSL_AES256GCM,
375      SSL_AEAD,
376      SSL_HANDSHAKE_MAC_SHA384,
377     },
378 
379     /* Cipher C007 */
380     {
381      TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
382      TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA,
383      SSL_kECDHE,
384      SSL_aECDSA,
385      SSL_RC4,
386      SSL_SHA1,
387      SSL_HANDSHAKE_MAC_DEFAULT,
388     },
389 
390     /* Cipher C009 */
391     {
392      TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
393      TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
394      SSL_kECDHE,
395      SSL_aECDSA,
396      SSL_AES128,
397      SSL_SHA1,
398      SSL_HANDSHAKE_MAC_DEFAULT,
399     },
400 
401     /* Cipher C00A */
402     {
403      TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
404      TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
405      SSL_kECDHE,
406      SSL_aECDSA,
407      SSL_AES256,
408      SSL_SHA1,
409      SSL_HANDSHAKE_MAC_DEFAULT,
410     },
411 
412     /* Cipher C011 */
413     {
414      TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
415      TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
416      SSL_kECDHE,
417      SSL_aRSA,
418      SSL_RC4,
419      SSL_SHA1,
420      SSL_HANDSHAKE_MAC_DEFAULT,
421     },
422 
423     /* Cipher C013 */
424     {
425      TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
426      TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
427      SSL_kECDHE,
428      SSL_aRSA,
429      SSL_AES128,
430      SSL_SHA1,
431      SSL_HANDSHAKE_MAC_DEFAULT,
432     },
433 
434     /* Cipher C014 */
435     {
436      TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
437      TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
438      SSL_kECDHE,
439      SSL_aRSA,
440      SSL_AES256,
441      SSL_SHA1,
442      SSL_HANDSHAKE_MAC_DEFAULT,
443     },
444 
445 
446     /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
447 
448     /* Cipher C023 */
449     {
450      TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
451      TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
452      SSL_kECDHE,
453      SSL_aECDSA,
454      SSL_AES128,
455      SSL_SHA256,
456      SSL_HANDSHAKE_MAC_SHA256,
457     },
458 
459     /* Cipher C024 */
460     {
461      TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
462      TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
463      SSL_kECDHE,
464      SSL_aECDSA,
465      SSL_AES256,
466      SSL_SHA384,
467      SSL_HANDSHAKE_MAC_SHA384,
468     },
469 
470     /* Cipher C027 */
471     {
472      TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
473      TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
474      SSL_kECDHE,
475      SSL_aRSA,
476      SSL_AES128,
477      SSL_SHA256,
478      SSL_HANDSHAKE_MAC_SHA256,
479     },
480 
481     /* Cipher C028 */
482     {
483      TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
484      TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
485      SSL_kECDHE,
486      SSL_aRSA,
487      SSL_AES256,
488      SSL_SHA384,
489      SSL_HANDSHAKE_MAC_SHA384,
490     },
491 
492 
493     /* GCM based TLS v1.2 ciphersuites from RFC5289 */
494 
495     /* Cipher C02B */
496     {
497      TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
498      TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
499      SSL_kECDHE,
500      SSL_aECDSA,
501      SSL_AES128GCM,
502      SSL_AEAD,
503      SSL_HANDSHAKE_MAC_SHA256,
504     },
505 
506     /* Cipher C02C */
507     {
508      TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
509      TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
510      SSL_kECDHE,
511      SSL_aECDSA,
512      SSL_AES256GCM,
513      SSL_AEAD,
514      SSL_HANDSHAKE_MAC_SHA384,
515     },
516 
517     /* Cipher C02F */
518     {
519      TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
520      TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
521      SSL_kECDHE,
522      SSL_aRSA,
523      SSL_AES128GCM,
524      SSL_AEAD,
525      SSL_HANDSHAKE_MAC_SHA256,
526     },
527 
528     /* Cipher C030 */
529     {
530      TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
531      TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
532      SSL_kECDHE,
533      SSL_aRSA,
534      SSL_AES256GCM,
535      SSL_AEAD,
536      SSL_HANDSHAKE_MAC_SHA384,
537     },
538 
539     /* ECDHE-PSK cipher suites. */
540 
541     /* Cipher C035 */
542     {
543      TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA,
544      TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
545      SSL_kECDHE,
546      SSL_aPSK,
547      SSL_AES128,
548      SSL_SHA1,
549      SSL_HANDSHAKE_MAC_DEFAULT,
550     },
551 
552     /* Cipher C036 */
553     {
554      TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA,
555      TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA,
556      SSL_kECDHE,
557      SSL_aPSK,
558      SSL_AES256,
559      SSL_SHA1,
560      SSL_HANDSHAKE_MAC_DEFAULT,
561     },
562 
563     /* ChaCha20-Poly1305 cipher suites. */
564 
565 #if !defined(BORINGSSL_ANDROID_SYSTEM)
566     {
567      TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_OLD,
568      TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD,
569      SSL_kECDHE,
570      SSL_aRSA,
571      SSL_CHACHA20POLY1305_OLD,
572      SSL_AEAD,
573      SSL_HANDSHAKE_MAC_SHA256,
574     },
575 
576     {
577      TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_OLD,
578      TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD,
579      SSL_kECDHE,
580      SSL_aECDSA,
581      SSL_CHACHA20POLY1305_OLD,
582      SSL_AEAD,
583      SSL_HANDSHAKE_MAC_SHA256,
584     },
585 #endif
586 
587     /* Cipher CCA8 */
588     {
589      TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
590      TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
591      SSL_kECDHE,
592      SSL_aRSA,
593      SSL_CHACHA20POLY1305,
594      SSL_AEAD,
595      SSL_HANDSHAKE_MAC_SHA256,
596     },
597 
598     /* Cipher CCA9 */
599     {
600      TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
601      TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
602      SSL_kECDHE,
603      SSL_aECDSA,
604      SSL_CHACHA20POLY1305,
605      SSL_AEAD,
606      SSL_HANDSHAKE_MAC_SHA256,
607     },
608 
609     /* Cipher CCAB */
610     {
611      TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
612      TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
613      SSL_kECDHE,
614      SSL_aPSK,
615      SSL_CHACHA20POLY1305,
616      SSL_AEAD,
617      SSL_HANDSHAKE_MAC_SHA256,
618     },
619 };
620 
621 static const size_t kCiphersLen = sizeof(kCiphers) / sizeof(kCiphers[0]);
622 
623 #define CIPHER_ADD 1
624 #define CIPHER_KILL 2
625 #define CIPHER_DEL 3
626 #define CIPHER_ORD 4
627 #define CIPHER_SPECIAL 5
628 
629 typedef struct cipher_order_st {
630   const SSL_CIPHER *cipher;
631   int active;
632   int in_group;
633   struct cipher_order_st *next, *prev;
634 } CIPHER_ORDER;
635 
636 typedef struct cipher_alias_st {
637   /* name is the name of the cipher alias. */
638   const char *name;
639 
640   /* The following fields are bitmasks for the corresponding fields on
641    * |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the
642    * bit corresponding to the cipher's value is set to 1. If any bitmask is
643    * all zeroes, the alias matches nothing. Use |~0u| for the default value. */
644   uint32_t algorithm_mkey;
645   uint32_t algorithm_auth;
646   uint32_t algorithm_enc;
647   uint32_t algorithm_mac;
648 
649   /* min_version, if non-zero, matches all ciphers which were added in that
650    * particular protocol version. */
651   uint16_t min_version;
652 } CIPHER_ALIAS;
653 
654 static const CIPHER_ALIAS kCipherAliases[] = {
655     /* "ALL" doesn't include eNULL (must be specifically enabled) */
656     {"ALL", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
657 
658     /* The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. */
659 
660     /* key exchange aliases
661      * (some of those using only a single bit here combine
662      * multiple key exchange algs according to the RFCs,
663      * e.g. kEDH combines DHE_DSS and DHE_RSA) */
664     {"kRSA", SSL_kRSA, ~0u, ~0u, ~0u, 0},
665 
666     {"kDHE", SSL_kDHE, ~0u, ~0u, ~0u, 0},
667     {"kEDH", SSL_kDHE, ~0u, ~0u, ~0u, 0},
668     {"DH", SSL_kDHE, ~0u, ~0u, ~0u, 0},
669 
670     {"kECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
671     {"kEECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
672     {"ECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
673 
674     {"kPSK", SSL_kPSK, ~0u, ~0u, ~0u, 0},
675 
676     /* server authentication aliases */
677     {"aRSA", ~0u, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
678     {"aECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
679     {"ECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
680     {"aPSK", ~0u, SSL_aPSK, ~0u, ~0u, 0},
681 
682     /* aliases combining key exchange and server authentication */
683     {"DHE", SSL_kDHE, ~0u, ~0u, ~0u, 0},
684     {"EDH", SSL_kDHE, ~0u, ~0u, ~0u, 0},
685     {"ECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
686     {"EECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
687     {"RSA", SSL_kRSA, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
688     {"PSK", SSL_kPSK, SSL_aPSK, ~0u, ~0u, 0},
689 
690     /* symmetric encryption aliases */
691     {"3DES", ~0u, ~0u, SSL_3DES, ~0u, 0},
692     {"RC4", ~0u, ~0u, SSL_RC4, ~0u, 0},
693     {"AES128", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0},
694     {"AES256", ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0},
695     {"AES", ~0u, ~0u, SSL_AES, ~0u, 0},
696     {"AESGCM", ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0},
697     {"CHACHA20", ~0u, ~0u, SSL_CHACHA20POLY1305 | SSL_CHACHA20POLY1305_OLD, ~0u,
698      0},
699 
700     /* MAC aliases */
701     {"MD5", ~0u, ~0u, ~0u, SSL_MD5, 0},
702     {"SHA1", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
703     {"SHA", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
704     {"SHA256", ~0u, ~0u, ~0u, SSL_SHA256, 0},
705     {"SHA384", ~0u, ~0u, ~0u, SSL_SHA384, 0},
706 
707     /* Legacy protocol minimum version aliases. "TLSv1" is intentionally the
708      * same as "SSLv3". */
709     {"SSLv3", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
710     {"TLSv1", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
711     {"TLSv1.2", ~0u, ~0u, ~SSL_eNULL, ~0u, TLS1_2_VERSION},
712 
713     /* Legacy strength classes. */
714     {"MEDIUM", ~0u, ~0u, SSL_RC4, ~0u, 0},
715     {"HIGH", ~0u, ~0u, ~(SSL_eNULL|SSL_RC4), ~0u, 0},
716     {"FIPS", ~0u, ~0u, ~(SSL_eNULL|SSL_RC4), ~0u, 0},
717 };
718 
719 static const size_t kCipherAliasesLen =
720     sizeof(kCipherAliases) / sizeof(kCipherAliases[0]);
721 
ssl_cipher_id_cmp(const void * in_a,const void * in_b)722 static int ssl_cipher_id_cmp(const void *in_a, const void *in_b) {
723   const SSL_CIPHER *a = in_a;
724   const SSL_CIPHER *b = in_b;
725 
726   if (a->id > b->id) {
727     return 1;
728   } else if (a->id < b->id) {
729     return -1;
730   } else {
731     return 0;
732   }
733 }
734 
ssl_cipher_ptr_id_cmp(const SSL_CIPHER ** a,const SSL_CIPHER ** b)735 static int ssl_cipher_ptr_id_cmp(const SSL_CIPHER **a, const SSL_CIPHER **b) {
736   return ssl_cipher_id_cmp(*a, *b);
737 }
738 
SSL_get_cipher_by_value(uint16_t value)739 const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value) {
740   SSL_CIPHER c;
741 
742   c.id = 0x03000000L | value;
743   return bsearch(&c, kCiphers, kCiphersLen, sizeof(SSL_CIPHER),
744                  ssl_cipher_id_cmp);
745 }
746 
ssl_cipher_get_evp_aead(const EVP_AEAD ** out_aead,size_t * out_mac_secret_len,size_t * out_fixed_iv_len,const SSL_CIPHER * cipher,uint16_t version)747 int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
748                             size_t *out_mac_secret_len,
749                             size_t *out_fixed_iv_len,
750                             const SSL_CIPHER *cipher, uint16_t version) {
751   *out_aead = NULL;
752   *out_mac_secret_len = 0;
753   *out_fixed_iv_len = 0;
754 
755   switch (cipher->algorithm_enc) {
756     case SSL_AES128GCM:
757       *out_aead = EVP_aead_aes_128_gcm();
758       *out_fixed_iv_len = 4;
759       return 1;
760 
761     case SSL_AES256GCM:
762       *out_aead = EVP_aead_aes_256_gcm();
763       *out_fixed_iv_len = 4;
764       return 1;
765 
766 #if !defined(BORINGSSL_ANDROID_SYSTEM)
767     case SSL_CHACHA20POLY1305_OLD:
768       *out_aead = EVP_aead_chacha20_poly1305_old();
769       *out_fixed_iv_len = 0;
770       return 1;
771 #endif
772 
773     case SSL_CHACHA20POLY1305:
774       *out_aead = EVP_aead_chacha20_poly1305();
775       *out_fixed_iv_len = 12;
776       return 1;
777 
778     case SSL_RC4:
779       switch (cipher->algorithm_mac) {
780         case SSL_MD5:
781           if (version == SSL3_VERSION) {
782             *out_aead = EVP_aead_rc4_md5_ssl3();
783           } else {
784             *out_aead = EVP_aead_rc4_md5_tls();
785           }
786           *out_mac_secret_len = MD5_DIGEST_LENGTH;
787           return 1;
788         case SSL_SHA1:
789           if (version == SSL3_VERSION) {
790             *out_aead = EVP_aead_rc4_sha1_ssl3();
791           } else {
792             *out_aead = EVP_aead_rc4_sha1_tls();
793           }
794           *out_mac_secret_len = SHA_DIGEST_LENGTH;
795           return 1;
796         default:
797           return 0;
798       }
799 
800     case SSL_AES128:
801       switch (cipher->algorithm_mac) {
802         case SSL_SHA1:
803           if (version == SSL3_VERSION) {
804             *out_aead = EVP_aead_aes_128_cbc_sha1_ssl3();
805             *out_fixed_iv_len = 16;
806           } else if (version == TLS1_VERSION) {
807             *out_aead = EVP_aead_aes_128_cbc_sha1_tls_implicit_iv();
808             *out_fixed_iv_len = 16;
809           } else {
810             *out_aead = EVP_aead_aes_128_cbc_sha1_tls();
811           }
812           *out_mac_secret_len = SHA_DIGEST_LENGTH;
813           return 1;
814         case SSL_SHA256:
815           *out_aead = EVP_aead_aes_128_cbc_sha256_tls();
816           *out_mac_secret_len = SHA256_DIGEST_LENGTH;
817           return 1;
818         default:
819           return 0;
820       }
821 
822     case SSL_AES256:
823       switch (cipher->algorithm_mac) {
824         case SSL_SHA1:
825           if (version == SSL3_VERSION) {
826             *out_aead = EVP_aead_aes_256_cbc_sha1_ssl3();
827             *out_fixed_iv_len = 16;
828           } else if (version == TLS1_VERSION) {
829             *out_aead = EVP_aead_aes_256_cbc_sha1_tls_implicit_iv();
830             *out_fixed_iv_len = 16;
831           } else {
832             *out_aead = EVP_aead_aes_256_cbc_sha1_tls();
833           }
834           *out_mac_secret_len = SHA_DIGEST_LENGTH;
835           return 1;
836         case SSL_SHA256:
837           *out_aead = EVP_aead_aes_256_cbc_sha256_tls();
838           *out_mac_secret_len = SHA256_DIGEST_LENGTH;
839           return 1;
840         case SSL_SHA384:
841           *out_aead = EVP_aead_aes_256_cbc_sha384_tls();
842           *out_mac_secret_len = SHA384_DIGEST_LENGTH;
843           return 1;
844         default:
845           return 0;
846       }
847 
848     case SSL_3DES:
849       switch (cipher->algorithm_mac) {
850         case SSL_SHA1:
851           if (version == SSL3_VERSION) {
852             *out_aead = EVP_aead_des_ede3_cbc_sha1_ssl3();
853             *out_fixed_iv_len = 8;
854           } else if (version == TLS1_VERSION) {
855             *out_aead = EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv();
856             *out_fixed_iv_len = 8;
857           } else {
858             *out_aead = EVP_aead_des_ede3_cbc_sha1_tls();
859           }
860           *out_mac_secret_len = SHA_DIGEST_LENGTH;
861           return 1;
862         default:
863           return 0;
864       }
865 
866     case SSL_eNULL:
867       switch (cipher->algorithm_mac) {
868         case SSL_SHA1:
869           if (version == SSL3_VERSION) {
870             *out_aead = EVP_aead_null_sha1_ssl3();
871           } else {
872             *out_aead = EVP_aead_null_sha1_tls();
873           }
874           *out_mac_secret_len = SHA_DIGEST_LENGTH;
875           return 1;
876         default:
877           return 0;
878       }
879 
880     default:
881       return 0;
882   }
883 }
884 
ssl_get_handshake_digest(uint32_t algorithm_prf)885 const EVP_MD *ssl_get_handshake_digest(uint32_t algorithm_prf) {
886   switch (algorithm_prf) {
887     case SSL_HANDSHAKE_MAC_DEFAULT:
888       return EVP_sha1();
889     case SSL_HANDSHAKE_MAC_SHA256:
890       return EVP_sha256();
891     case SSL_HANDSHAKE_MAC_SHA384:
892       return EVP_sha384();
893     default:
894       return NULL;
895   }
896 }
897 
898 #define ITEM_SEP(a) \
899   (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
900 
901 /* rule_equals returns one iff the NUL-terminated string |rule| is equal to the
902  * |buf_len| bytes at |buf|. */
rule_equals(const char * rule,const char * buf,size_t buf_len)903 static int rule_equals(const char *rule, const char *buf, size_t buf_len) {
904   /* |strncmp| alone only checks that |buf| is a prefix of |rule|. */
905   return strncmp(rule, buf, buf_len) == 0 && rule[buf_len] == '\0';
906 }
907 
ll_append_tail(CIPHER_ORDER ** head,CIPHER_ORDER * curr,CIPHER_ORDER ** tail)908 static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
909                            CIPHER_ORDER **tail) {
910   if (curr == *tail) {
911     return;
912   }
913   if (curr == *head) {
914     *head = curr->next;
915   }
916   if (curr->prev != NULL) {
917     curr->prev->next = curr->next;
918   }
919   if (curr->next != NULL) {
920     curr->next->prev = curr->prev;
921   }
922   (*tail)->next = curr;
923   curr->prev = *tail;
924   curr->next = NULL;
925   *tail = curr;
926 }
927 
ll_append_head(CIPHER_ORDER ** head,CIPHER_ORDER * curr,CIPHER_ORDER ** tail)928 static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
929                            CIPHER_ORDER **tail) {
930   if (curr == *head) {
931     return;
932   }
933   if (curr == *tail) {
934     *tail = curr->prev;
935   }
936   if (curr->next != NULL) {
937     curr->next->prev = curr->prev;
938   }
939   if (curr->prev != NULL) {
940     curr->prev->next = curr->next;
941   }
942   (*head)->prev = curr;
943   curr->next = *head;
944   curr->prev = NULL;
945   *head = curr;
946 }
947 
ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD * ssl_method,CIPHER_ORDER * co_list,CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p)948 static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method,
949                                        CIPHER_ORDER *co_list,
950                                        CIPHER_ORDER **head_p,
951                                        CIPHER_ORDER **tail_p) {
952   /* The set of ciphers is static, but some subset may be unsupported by
953    * |ssl_method|, so the list may be smaller. */
954   size_t co_list_num = 0;
955   size_t i;
956   for (i = 0; i < kCiphersLen; i++) {
957     const SSL_CIPHER *cipher = &kCiphers[i];
958     if (ssl_method->supports_cipher(cipher)) {
959       co_list[co_list_num].cipher = cipher;
960       co_list[co_list_num].next = NULL;
961       co_list[co_list_num].prev = NULL;
962       co_list[co_list_num].active = 0;
963       co_list[co_list_num].in_group = 0;
964       co_list_num++;
965     }
966   }
967 
968   /* Prepare linked list from list entries. */
969   if (co_list_num > 0) {
970     co_list[0].prev = NULL;
971 
972     if (co_list_num > 1) {
973       co_list[0].next = &co_list[1];
974 
975       for (i = 1; i < co_list_num - 1; i++) {
976         co_list[i].prev = &co_list[i - 1];
977         co_list[i].next = &co_list[i + 1];
978       }
979 
980       co_list[co_list_num - 1].prev = &co_list[co_list_num - 2];
981     }
982 
983     co_list[co_list_num - 1].next = NULL;
984 
985     *head_p = &co_list[0];
986     *tail_p = &co_list[co_list_num - 1];
987   }
988 }
989 
990 /* ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its
991  * parameters in the linked list from |*head_p| to |*tail_p|. It writes the new
992  * head and tail of the list to |*head_p| and |*tail_p|, respectively.
993  *
994  * - If |cipher_id| is non-zero, only that cipher is selected.
995  * - Otherwise, if |strength_bits| is non-negative, it selects ciphers
996  *   of that strength.
997  * - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and
998  *   |min_version|. */
ssl_cipher_apply_rule(uint32_t cipher_id,uint32_t alg_mkey,uint32_t alg_auth,uint32_t alg_enc,uint32_t alg_mac,uint16_t min_version,int rule,int strength_bits,int in_group,CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p)999 static void ssl_cipher_apply_rule(
1000     uint32_t cipher_id, uint32_t alg_mkey, uint32_t alg_auth,
1001     uint32_t alg_enc, uint32_t alg_mac, uint16_t min_version, int rule,
1002     int strength_bits, int in_group, CIPHER_ORDER **head_p,
1003     CIPHER_ORDER **tail_p) {
1004   CIPHER_ORDER *head, *tail, *curr, *next, *last;
1005   const SSL_CIPHER *cp;
1006   int reverse = 0;
1007 
1008   if (cipher_id == 0 && strength_bits == -1 && min_version == 0 &&
1009       (alg_mkey == 0 || alg_auth == 0 || alg_enc == 0 || alg_mac == 0)) {
1010     /* The rule matches nothing, so bail early. */
1011     return;
1012   }
1013 
1014   if (rule == CIPHER_DEL) {
1015     /* needed to maintain sorting between currently deleted ciphers */
1016     reverse = 1;
1017   }
1018 
1019   head = *head_p;
1020   tail = *tail_p;
1021 
1022   if (reverse) {
1023     next = tail;
1024     last = head;
1025   } else {
1026     next = head;
1027     last = tail;
1028   }
1029 
1030   curr = NULL;
1031   for (;;) {
1032     if (curr == last) {
1033       break;
1034     }
1035 
1036     curr = next;
1037     if (curr == NULL) {
1038       break;
1039     }
1040 
1041     next = reverse ? curr->prev : curr->next;
1042     cp = curr->cipher;
1043 
1044     /* Selection criteria is either a specific cipher, the value of
1045      * |strength_bits|, or the algorithms used. */
1046     if (cipher_id != 0) {
1047       if (cipher_id != cp->id) {
1048         continue;
1049       }
1050     } else if (strength_bits >= 0) {
1051       if (strength_bits != SSL_CIPHER_get_bits(cp, NULL)) {
1052         continue;
1053       }
1054     } else if (!(alg_mkey & cp->algorithm_mkey) ||
1055                !(alg_auth & cp->algorithm_auth) ||
1056                !(alg_enc & cp->algorithm_enc) ||
1057                !(alg_mac & cp->algorithm_mac) ||
1058                (min_version != 0 &&
1059                 SSL_CIPHER_get_min_version(cp) != min_version)) {
1060       continue;
1061     }
1062 
1063     /* add the cipher if it has not been added yet. */
1064     if (rule == CIPHER_ADD) {
1065       /* reverse == 0 */
1066       if (!curr->active) {
1067         ll_append_tail(&head, curr, &tail);
1068         curr->active = 1;
1069         curr->in_group = in_group;
1070       }
1071     }
1072 
1073     /* Move the added cipher to this location */
1074     else if (rule == CIPHER_ORD) {
1075       /* reverse == 0 */
1076       if (curr->active) {
1077         ll_append_tail(&head, curr, &tail);
1078         curr->in_group = 0;
1079       }
1080     } else if (rule == CIPHER_DEL) {
1081       /* reverse == 1 */
1082       if (curr->active) {
1083         /* most recently deleted ciphersuites get best positions
1084          * for any future CIPHER_ADD (note that the CIPHER_DEL loop
1085          * works in reverse to maintain the order) */
1086         ll_append_head(&head, curr, &tail);
1087         curr->active = 0;
1088         curr->in_group = 0;
1089       }
1090     } else if (rule == CIPHER_KILL) {
1091       /* reverse == 0 */
1092       if (head == curr) {
1093         head = curr->next;
1094       } else {
1095         curr->prev->next = curr->next;
1096       }
1097 
1098       if (tail == curr) {
1099         tail = curr->prev;
1100       }
1101       curr->active = 0;
1102       if (curr->next != NULL) {
1103         curr->next->prev = curr->prev;
1104       }
1105       if (curr->prev != NULL) {
1106         curr->prev->next = curr->next;
1107       }
1108       curr->next = NULL;
1109       curr->prev = NULL;
1110     }
1111   }
1112 
1113   *head_p = head;
1114   *tail_p = tail;
1115 }
1116 
ssl_cipher_strength_sort(CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p)1117 static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
1118                                     CIPHER_ORDER **tail_p) {
1119   int max_strength_bits, i, *number_uses;
1120   CIPHER_ORDER *curr;
1121 
1122   /* This routine sorts the ciphers with descending strength. The sorting must
1123    * keep the pre-sorted sequence, so we apply the normal sorting routine as
1124    * '+' movement to the end of the list. */
1125   max_strength_bits = 0;
1126   curr = *head_p;
1127   while (curr != NULL) {
1128     if (curr->active &&
1129         SSL_CIPHER_get_bits(curr->cipher, NULL) > max_strength_bits) {
1130       max_strength_bits = SSL_CIPHER_get_bits(curr->cipher, NULL);
1131     }
1132     curr = curr->next;
1133   }
1134 
1135   number_uses = OPENSSL_malloc((max_strength_bits + 1) * sizeof(int));
1136   if (!number_uses) {
1137     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
1138     return 0;
1139   }
1140   memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int));
1141 
1142   /* Now find the strength_bits values actually used. */
1143   curr = *head_p;
1144   while (curr != NULL) {
1145     if (curr->active) {
1146       number_uses[SSL_CIPHER_get_bits(curr->cipher, NULL)]++;
1147     }
1148     curr = curr->next;
1149   }
1150 
1151   /* Go through the list of used strength_bits values in descending order. */
1152   for (i = max_strength_bits; i >= 0; i--) {
1153     if (number_uses[i] > 0) {
1154       ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i, 0, head_p, tail_p);
1155     }
1156   }
1157 
1158   OPENSSL_free(number_uses);
1159   return 1;
1160 }
1161 
ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD * ssl_method,const char * rule_str,CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p)1162 static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method,
1163                                       const char *rule_str,
1164                                       CIPHER_ORDER **head_p,
1165                                       CIPHER_ORDER **tail_p) {
1166   uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
1167   uint16_t min_version;
1168   const char *l, *buf;
1169   int multi, skip_rule, rule, retval, ok, in_group = 0, has_group = 0;
1170   size_t j, buf_len;
1171   uint32_t cipher_id;
1172   char ch;
1173 
1174   retval = 1;
1175   l = rule_str;
1176   for (;;) {
1177     ch = *l;
1178 
1179     if (ch == '\0') {
1180       break; /* done */
1181     }
1182 
1183     if (in_group) {
1184       if (ch == ']') {
1185         if (*tail_p) {
1186           (*tail_p)->in_group = 0;
1187         }
1188         in_group = 0;
1189         l++;
1190         continue;
1191       }
1192 
1193       if (ch == '|') {
1194         rule = CIPHER_ADD;
1195         l++;
1196         continue;
1197       } else if (!(ch >= 'a' && ch <= 'z') && !(ch >= 'A' && ch <= 'Z') &&
1198                  !(ch >= '0' && ch <= '9')) {
1199         OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP);
1200         retval = in_group = 0;
1201         break;
1202       } else {
1203         rule = CIPHER_ADD;
1204       }
1205     } else if (ch == '-') {
1206       rule = CIPHER_DEL;
1207       l++;
1208     } else if (ch == '+') {
1209       rule = CIPHER_ORD;
1210       l++;
1211     } else if (ch == '!') {
1212       rule = CIPHER_KILL;
1213       l++;
1214     } else if (ch == '@') {
1215       rule = CIPHER_SPECIAL;
1216       l++;
1217     } else if (ch == '[') {
1218       if (in_group) {
1219         OPENSSL_PUT_ERROR(SSL, SSL_R_NESTED_GROUP);
1220         retval = in_group = 0;
1221         break;
1222       }
1223       in_group = 1;
1224       has_group = 1;
1225       l++;
1226       continue;
1227     } else {
1228       rule = CIPHER_ADD;
1229     }
1230 
1231     /* If preference groups are enabled, the only legal operator is +.
1232      * Otherwise the in_group bits will get mixed up. */
1233     if (has_group && rule != CIPHER_ADD) {
1234       OPENSSL_PUT_ERROR(SSL, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
1235       retval = in_group = 0;
1236       break;
1237     }
1238 
1239     if (ITEM_SEP(ch)) {
1240       l++;
1241       continue;
1242     }
1243 
1244     multi = 0;
1245     cipher_id = 0;
1246     alg_mkey = ~0u;
1247     alg_auth = ~0u;
1248     alg_enc = ~0u;
1249     alg_mac = ~0u;
1250     min_version = 0;
1251     skip_rule = 0;
1252 
1253     for (;;) {
1254       ch = *l;
1255       buf = l;
1256       buf_len = 0;
1257       while (((ch >= 'A') && (ch <= 'Z')) || ((ch >= '0') && (ch <= '9')) ||
1258              ((ch >= 'a') && (ch <= 'z')) || (ch == '-') || (ch == '.')) {
1259         ch = *(++l);
1260         buf_len++;
1261       }
1262 
1263       if (buf_len == 0) {
1264         /* We hit something we cannot deal with, it is no command or separator
1265          * nor alphanumeric, so we call this an error. */
1266         OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1267         retval = in_group = 0;
1268         l++;
1269         break;
1270       }
1271 
1272       if (rule == CIPHER_SPECIAL) {
1273         break;
1274       }
1275 
1276       /* Look for a matching exact cipher. These aren't allowed in multipart
1277        * rules. */
1278       if (!multi && ch != '+') {
1279         for (j = 0; j < kCiphersLen; j++) {
1280           const SSL_CIPHER *cipher = &kCiphers[j];
1281           if (rule_equals(cipher->name, buf, buf_len)) {
1282             cipher_id = cipher->id;
1283             break;
1284           }
1285         }
1286       }
1287       if (cipher_id == 0) {
1288         /* If not an exact cipher, look for a matching cipher alias. */
1289         for (j = 0; j < kCipherAliasesLen; j++) {
1290           if (rule_equals(kCipherAliases[j].name, buf, buf_len)) {
1291             alg_mkey &= kCipherAliases[j].algorithm_mkey;
1292             alg_auth &= kCipherAliases[j].algorithm_auth;
1293             alg_enc &= kCipherAliases[j].algorithm_enc;
1294             alg_mac &= kCipherAliases[j].algorithm_mac;
1295 
1296             if (min_version != 0 &&
1297                 min_version != kCipherAliases[j].min_version) {
1298               skip_rule = 1;
1299             } else {
1300               min_version = kCipherAliases[j].min_version;
1301             }
1302             break;
1303           }
1304         }
1305         if (j == kCipherAliasesLen) {
1306           skip_rule = 1;
1307         }
1308       }
1309 
1310       /* Check for a multipart rule. */
1311       if (ch != '+') {
1312         break;
1313       }
1314       l++;
1315       multi = 1;
1316     }
1317 
1318     /* If one of the CHACHA20_POLY1305 variants is selected, include the other
1319      * as well. They have the same name to avoid requiring changes in
1320      * configuration. Apply this transformation late so that the cipher name
1321      * still behaves as an exact name and not an alias in multipart rules.
1322      *
1323      * This is temporary and will be removed when the pre-standard construction
1324      * is removed. */
1325     if (cipher_id == TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305_OLD ||
1326         cipher_id == TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256) {
1327       cipher_id = 0;
1328       alg_mkey = SSL_kECDHE;
1329       alg_auth = SSL_aRSA;
1330       alg_enc = SSL_CHACHA20POLY1305|SSL_CHACHA20POLY1305_OLD;
1331       alg_mac = SSL_AEAD;
1332     } else if (cipher_id == TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305_OLD ||
1333                cipher_id == TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256) {
1334       cipher_id = 0;
1335       alg_mkey = SSL_kECDHE;
1336       alg_auth = SSL_aECDSA;
1337       alg_enc = SSL_CHACHA20POLY1305|SSL_CHACHA20POLY1305_OLD;
1338       alg_mac = SSL_AEAD;
1339     }
1340 
1341     /* Ok, we have the rule, now apply it. */
1342     if (rule == CIPHER_SPECIAL) {
1343       /* special command */
1344       ok = 0;
1345       if (buf_len == 8 && !strncmp(buf, "STRENGTH", 8)) {
1346         ok = ssl_cipher_strength_sort(head_p, tail_p);
1347       } else {
1348         OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1349       }
1350 
1351       if (ok == 0) {
1352         retval = 0;
1353       }
1354 
1355       /* We do not support any "multi" options together with "@", so throw away
1356        * the rest of the command, if any left, until end or ':' is found. */
1357       while (*l != '\0' && !ITEM_SEP(*l)) {
1358         l++;
1359       }
1360     } else if (!skip_rule) {
1361       ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth, alg_enc, alg_mac,
1362                             min_version, rule, -1, in_group, head_p, tail_p);
1363     }
1364   }
1365 
1366   if (in_group) {
1367     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1368     retval = 0;
1369   }
1370 
1371   return retval;
1372 }
1373 
STACK_OF(SSL_CIPHER)1374 STACK_OF(SSL_CIPHER) *
1375 ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *ssl_method,
1376                        struct ssl_cipher_preference_list_st **out_cipher_list,
1377                        STACK_OF(SSL_CIPHER) **out_cipher_list_by_id,
1378                        const char *rule_str) {
1379   int ok;
1380   STACK_OF(SSL_CIPHER) *cipherstack = NULL, *tmp_cipher_list = NULL;
1381   const char *rule_p;
1382   CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
1383   uint8_t *in_group_flags = NULL;
1384   unsigned int num_in_group_flags = 0;
1385   struct ssl_cipher_preference_list_st *pref_list = NULL;
1386 
1387   /* Return with error if nothing to do. */
1388   if (rule_str == NULL || out_cipher_list == NULL) {
1389     return NULL;
1390   }
1391 
1392   /* Now we have to collect the available ciphers from the compiled in ciphers.
1393    * We cannot get more than the number compiled in, so it is used for
1394    * allocation. */
1395   co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * kCiphersLen);
1396   if (co_list == NULL) {
1397     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
1398     return NULL;
1399   }
1400 
1401   ssl_cipher_collect_ciphers(ssl_method, co_list, &head, &tail);
1402 
1403   /* Now arrange all ciphers by preference:
1404    * TODO(davidben): Compute this order once and copy it. */
1405 
1406   /* Everything else being equal, prefer ECDHE_ECDSA then ECDHE_RSA over other
1407    * key exchange mechanisms */
1408   ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, ~0u, ~0u, 0, CIPHER_ADD, -1,
1409                         0, &head, &tail);
1410   ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0,
1411                         &head, &tail);
1412   ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0,
1413                         &head, &tail);
1414 
1415   /* Order the bulk ciphers. First the preferred AEAD ciphers. We prefer
1416    * CHACHA20 unless there is hardware support for fast and constant-time
1417    * AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the
1418    * old one. */
1419   if (EVP_has_aes_hardware()) {
1420     ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1421                           &head, &tail);
1422     ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1423                           &head, &tail);
1424     ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
1425                           -1, 0, &head, &tail);
1426     ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305_OLD, ~0u, 0,
1427                           CIPHER_ADD, -1, 0, &head, &tail);
1428   } else {
1429     ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
1430                           -1, 0, &head, &tail);
1431     ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305_OLD, ~0u, 0,
1432                           CIPHER_ADD, -1, 0, &head, &tail);
1433     ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1434                           &head, &tail);
1435     ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1436                           &head, &tail);
1437   }
1438 
1439   /* Then the legacy non-AEAD ciphers: AES_256_CBC, AES-128_CBC, RC4_128_SHA,
1440    * RC4_128_MD5, 3DES_EDE_CBC_SHA. */
1441   ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, 0, CIPHER_ADD, -1, 0,
1442                         &head, &tail);
1443   ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, 0, CIPHER_ADD, -1, 0,
1444                         &head, &tail);
1445   ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_RC4, ~SSL_MD5, 0, CIPHER_ADD, -1, 0,
1446                         &head, &tail);
1447   ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_RC4, SSL_MD5, 0, CIPHER_ADD, -1, 0,
1448                         &head, &tail);
1449   ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, 0, CIPHER_ADD, -1, 0, &head,
1450                         &tail);
1451 
1452   /* Temporarily enable everything else for sorting */
1453   ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0, &head,
1454                         &tail);
1455 
1456   /* Move ciphers without forward secrecy to the end. */
1457   ssl_cipher_apply_rule(0, ~(SSL_kDHE | SSL_kECDHE), ~0u, ~0u, ~0u, 0,
1458                         CIPHER_ORD, -1, 0, &head, &tail);
1459 
1460   /* Now disable everything (maintaining the ordering!) */
1461   ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head,
1462                         &tail);
1463 
1464   /* If the rule_string begins with DEFAULT, apply the default rule before
1465    * using the (possibly available) additional rules. */
1466   ok = 1;
1467   rule_p = rule_str;
1468   if (strncmp(rule_str, "DEFAULT", 7) == 0) {
1469     ok = ssl_cipher_process_rulestr(ssl_method, SSL_DEFAULT_CIPHER_LIST, &head,
1470                                     &tail);
1471     rule_p += 7;
1472     if (*rule_p == ':') {
1473       rule_p++;
1474     }
1475   }
1476 
1477   if (ok && strlen(rule_p) > 0) {
1478     ok = ssl_cipher_process_rulestr(ssl_method, rule_p, &head, &tail);
1479   }
1480 
1481   if (!ok) {
1482     goto err;
1483   }
1484 
1485   /* Allocate new "cipherstack" for the result, return with error
1486    * if we cannot get one. */
1487   cipherstack = sk_SSL_CIPHER_new_null();
1488   if (cipherstack == NULL) {
1489     goto err;
1490   }
1491 
1492   in_group_flags = OPENSSL_malloc(kCiphersLen);
1493   if (!in_group_flags) {
1494     goto err;
1495   }
1496 
1497   /* The cipher selection for the list is done. The ciphers are added
1498    * to the resulting precedence to the STACK_OF(SSL_CIPHER). */
1499   for (curr = head; curr != NULL; curr = curr->next) {
1500     if (curr->active) {
1501       if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
1502         goto err;
1503       }
1504       in_group_flags[num_in_group_flags++] = curr->in_group;
1505     }
1506   }
1507   OPENSSL_free(co_list); /* Not needed any longer */
1508   co_list = NULL;
1509 
1510   tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack);
1511   if (tmp_cipher_list == NULL) {
1512     goto err;
1513   }
1514   pref_list = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
1515   if (!pref_list) {
1516     goto err;
1517   }
1518   pref_list->ciphers = cipherstack;
1519   pref_list->in_group_flags = OPENSSL_malloc(num_in_group_flags);
1520   if (!pref_list->in_group_flags) {
1521     goto err;
1522   }
1523   memcpy(pref_list->in_group_flags, in_group_flags, num_in_group_flags);
1524   OPENSSL_free(in_group_flags);
1525   in_group_flags = NULL;
1526   if (*out_cipher_list != NULL) {
1527     ssl_cipher_preference_list_free(*out_cipher_list);
1528   }
1529   *out_cipher_list = pref_list;
1530   pref_list = NULL;
1531 
1532   if (out_cipher_list_by_id != NULL) {
1533     sk_SSL_CIPHER_free(*out_cipher_list_by_id);
1534     *out_cipher_list_by_id = tmp_cipher_list;
1535     tmp_cipher_list = NULL;
1536     (void) sk_SSL_CIPHER_set_cmp_func(*out_cipher_list_by_id,
1537                                       ssl_cipher_ptr_id_cmp);
1538 
1539     sk_SSL_CIPHER_sort(*out_cipher_list_by_id);
1540   } else {
1541     sk_SSL_CIPHER_free(tmp_cipher_list);
1542     tmp_cipher_list = NULL;
1543   }
1544 
1545   return cipherstack;
1546 
1547 err:
1548   OPENSSL_free(co_list);
1549   OPENSSL_free(in_group_flags);
1550   sk_SSL_CIPHER_free(cipherstack);
1551   sk_SSL_CIPHER_free(tmp_cipher_list);
1552   if (pref_list) {
1553     OPENSSL_free(pref_list->in_group_flags);
1554   }
1555   OPENSSL_free(pref_list);
1556   return NULL;
1557 }
1558 
SSL_CIPHER_get_id(const SSL_CIPHER * cipher)1559 uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher) { return cipher->id; }
1560 
ssl_cipher_get_value(const SSL_CIPHER * cipher)1561 uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher) {
1562   uint32_t id = cipher->id;
1563   /* All ciphers are SSLv3. */
1564   assert((id & 0xff000000) == 0x03000000);
1565   return id & 0xffff;
1566 }
1567 
SSL_CIPHER_is_AES(const SSL_CIPHER * cipher)1568 int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher) {
1569   return (cipher->algorithm_enc & SSL_AES) != 0;
1570 }
1571 
SSL_CIPHER_has_MD5_HMAC(const SSL_CIPHER * cipher)1572 int SSL_CIPHER_has_MD5_HMAC(const SSL_CIPHER *cipher) {
1573   return (cipher->algorithm_mac & SSL_MD5) != 0;
1574 }
1575 
SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER * cipher)1576 int SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER *cipher) {
1577   return (cipher->algorithm_mac & SSL_SHA1) != 0;
1578 }
1579 
SSL_CIPHER_is_AESGCM(const SSL_CIPHER * cipher)1580 int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher) {
1581   return (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) != 0;
1582 }
1583 
SSL_CIPHER_is_AES128GCM(const SSL_CIPHER * cipher)1584 int SSL_CIPHER_is_AES128GCM(const SSL_CIPHER *cipher) {
1585   return (cipher->algorithm_enc & SSL_AES128GCM) != 0;
1586 }
1587 
SSL_CIPHER_is_AES128CBC(const SSL_CIPHER * cipher)1588 int SSL_CIPHER_is_AES128CBC(const SSL_CIPHER *cipher) {
1589   return (cipher->algorithm_enc & SSL_AES128) != 0;
1590 }
1591 
SSL_CIPHER_is_AES256CBC(const SSL_CIPHER * cipher)1592 int SSL_CIPHER_is_AES256CBC(const SSL_CIPHER *cipher) {
1593   return (cipher->algorithm_enc & SSL_AES256) != 0;
1594 }
1595 
SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER * cipher)1596 int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher) {
1597   return (cipher->algorithm_enc &
1598           (SSL_CHACHA20POLY1305 | SSL_CHACHA20POLY1305_OLD)) != 0;
1599 }
1600 
SSL_CIPHER_is_NULL(const SSL_CIPHER * cipher)1601 int SSL_CIPHER_is_NULL(const SSL_CIPHER *cipher) {
1602   return (cipher->algorithm_enc & SSL_eNULL) != 0;
1603 }
1604 
SSL_CIPHER_is_RC4(const SSL_CIPHER * cipher)1605 int SSL_CIPHER_is_RC4(const SSL_CIPHER *cipher) {
1606   return (cipher->algorithm_enc & SSL_RC4) != 0;
1607 }
1608 
SSL_CIPHER_is_block_cipher(const SSL_CIPHER * cipher)1609 int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher) {
1610   /* Neither stream cipher nor AEAD. */
1611   return (cipher->algorithm_enc & (SSL_RC4 | SSL_eNULL)) == 0 &&
1612       cipher->algorithm_mac != SSL_AEAD;
1613 }
1614 
SSL_CIPHER_is_ECDSA(const SSL_CIPHER * cipher)1615 int SSL_CIPHER_is_ECDSA(const SSL_CIPHER *cipher) {
1616   return (cipher->algorithm_auth & SSL_aECDSA) != 0;
1617 }
1618 
SSL_CIPHER_is_ECDHE(const SSL_CIPHER * cipher)1619 int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher) {
1620   return (cipher->algorithm_mkey & SSL_kECDHE) != 0;
1621 }
1622 
SSL_CIPHER_get_min_version(const SSL_CIPHER * cipher)1623 uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) {
1624   if (cipher->algorithm_prf != SSL_HANDSHAKE_MAC_DEFAULT) {
1625     /* Cipher suites before TLS 1.2 use the default PRF, while all those added
1626      * afterwards specify a particular hash. */
1627     return TLS1_2_VERSION;
1628   }
1629   return SSL3_VERSION;
1630 }
1631 
1632 /* return the actual cipher being used */
SSL_CIPHER_get_name(const SSL_CIPHER * cipher)1633 const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) {
1634   if (cipher != NULL) {
1635     return cipher->name;
1636   }
1637 
1638   return "(NONE)";
1639 }
1640 
SSL_CIPHER_get_kx_name(const SSL_CIPHER * cipher)1641 const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) {
1642   if (cipher == NULL) {
1643     return "";
1644   }
1645 
1646   switch (cipher->algorithm_mkey) {
1647     case SSL_kRSA:
1648       return "RSA";
1649 
1650     case SSL_kDHE:
1651       switch (cipher->algorithm_auth) {
1652         case SSL_aRSA:
1653           return "DHE_RSA";
1654         default:
1655           assert(0);
1656           return "UNKNOWN";
1657       }
1658 
1659     case SSL_kECDHE:
1660       switch (cipher->algorithm_auth) {
1661         case SSL_aECDSA:
1662           return "ECDHE_ECDSA";
1663         case SSL_aRSA:
1664           return "ECDHE_RSA";
1665         case SSL_aPSK:
1666           return "ECDHE_PSK";
1667         default:
1668           assert(0);
1669           return "UNKNOWN";
1670       }
1671 
1672     case SSL_kPSK:
1673       assert(cipher->algorithm_auth == SSL_aPSK);
1674       return "PSK";
1675 
1676     default:
1677       assert(0);
1678       return "UNKNOWN";
1679   }
1680 }
1681 
ssl_cipher_get_enc_name(const SSL_CIPHER * cipher)1682 static const char *ssl_cipher_get_enc_name(const SSL_CIPHER *cipher) {
1683   switch (cipher->algorithm_enc) {
1684     case SSL_3DES:
1685       return "3DES_EDE_CBC";
1686     case SSL_RC4:
1687       return "RC4";
1688     case SSL_AES128:
1689       return "AES_128_CBC";
1690     case SSL_AES256:
1691       return "AES_256_CBC";
1692     case SSL_AES128GCM:
1693       return "AES_128_GCM";
1694     case SSL_AES256GCM:
1695       return "AES_256_GCM";
1696     case SSL_CHACHA20POLY1305:
1697     case SSL_CHACHA20POLY1305_OLD:
1698       return "CHACHA20_POLY1305";
1699       break;
1700     default:
1701       assert(0);
1702       return "UNKNOWN";
1703   }
1704 }
1705 
ssl_cipher_get_prf_name(const SSL_CIPHER * cipher)1706 static const char *ssl_cipher_get_prf_name(const SSL_CIPHER *cipher) {
1707   switch (cipher->algorithm_prf) {
1708     case SSL_HANDSHAKE_MAC_DEFAULT:
1709       /* Before TLS 1.2, the PRF component is the hash used in the HMAC, which is
1710        * only ever MD5 or SHA-1. */
1711       switch (cipher->algorithm_mac) {
1712         case SSL_MD5:
1713           return "MD5";
1714         case SSL_SHA1:
1715           return "SHA";
1716       }
1717       break;
1718     case SSL_HANDSHAKE_MAC_SHA256:
1719       return "SHA256";
1720     case SSL_HANDSHAKE_MAC_SHA384:
1721       return "SHA384";
1722   }
1723   assert(0);
1724   return "UNKNOWN";
1725 }
1726 
SSL_CIPHER_get_rfc_name(const SSL_CIPHER * cipher)1727 char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher) {
1728   if (cipher == NULL) {
1729     return NULL;
1730   }
1731 
1732   const char *kx_name = SSL_CIPHER_get_kx_name(cipher);
1733   const char *enc_name = ssl_cipher_get_enc_name(cipher);
1734   const char *prf_name = ssl_cipher_get_prf_name(cipher);
1735 
1736   /* The final name is TLS_{kx_name}_WITH_{enc_name}_{prf_name}. */
1737   size_t len = 4 + strlen(kx_name) + 6 + strlen(enc_name) + 1 +
1738       strlen(prf_name) + 1;
1739   char *ret = OPENSSL_malloc(len);
1740   if (ret == NULL) {
1741     return NULL;
1742   }
1743   if (BUF_strlcpy(ret, "TLS_", len) >= len ||
1744       BUF_strlcat(ret, kx_name, len) >= len ||
1745       BUF_strlcat(ret, "_WITH_", len) >= len ||
1746       BUF_strlcat(ret, enc_name, len) >= len ||
1747       BUF_strlcat(ret, "_", len) >= len ||
1748       BUF_strlcat(ret, prf_name, len) >= len) {
1749     assert(0);
1750     OPENSSL_free(ret);
1751     return NULL;
1752   }
1753   assert(strlen(ret) + 1 == len);
1754   return ret;
1755 }
1756 
SSL_CIPHER_get_bits(const SSL_CIPHER * cipher,int * out_alg_bits)1757 int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *out_alg_bits) {
1758   if (cipher == NULL) {
1759     return 0;
1760   }
1761 
1762   int alg_bits, strength_bits;
1763   switch (cipher->algorithm_enc) {
1764     case SSL_AES128:
1765     case SSL_AES128GCM:
1766     case SSL_RC4:
1767       alg_bits = 128;
1768       strength_bits = 128;
1769       break;
1770 
1771     case SSL_AES256:
1772     case SSL_AES256GCM:
1773 #if !defined(BORINGSSL_ANDROID_SYSTEM)
1774     case SSL_CHACHA20POLY1305_OLD:
1775 #endif
1776     case SSL_CHACHA20POLY1305:
1777       alg_bits = 256;
1778       strength_bits = 256;
1779       break;
1780 
1781     case SSL_3DES:
1782       alg_bits = 168;
1783       strength_bits = 112;
1784       break;
1785 
1786     case SSL_eNULL:
1787       alg_bits = 0;
1788       strength_bits = 0;
1789       break;
1790 
1791     default:
1792       assert(0);
1793       alg_bits = 0;
1794       strength_bits = 0;
1795   }
1796 
1797   if (out_alg_bits != NULL) {
1798     *out_alg_bits = alg_bits;
1799   }
1800   return strength_bits;
1801 }
1802 
SSL_CIPHER_description(const SSL_CIPHER * cipher,char * buf,int len)1803 const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,
1804                                    int len) {
1805   const char *kx, *au, *enc, *mac;
1806   uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
1807   static const char *format = "%-23s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n";
1808 
1809   alg_mkey = cipher->algorithm_mkey;
1810   alg_auth = cipher->algorithm_auth;
1811   alg_enc = cipher->algorithm_enc;
1812   alg_mac = cipher->algorithm_mac;
1813 
1814   switch (alg_mkey) {
1815     case SSL_kRSA:
1816       kx = "RSA";
1817       break;
1818 
1819     case SSL_kDHE:
1820       kx = "DH";
1821       break;
1822 
1823     case SSL_kECDHE:
1824       kx = "ECDH";
1825       break;
1826 
1827     case SSL_kPSK:
1828       kx = "PSK";
1829       break;
1830 
1831     default:
1832       kx = "unknown";
1833   }
1834 
1835   switch (alg_auth) {
1836     case SSL_aRSA:
1837       au = "RSA";
1838       break;
1839 
1840     case SSL_aECDSA:
1841       au = "ECDSA";
1842       break;
1843 
1844     case SSL_aPSK:
1845       au = "PSK";
1846       break;
1847 
1848     default:
1849       au = "unknown";
1850       break;
1851   }
1852 
1853   switch (alg_enc) {
1854     case SSL_3DES:
1855       enc = "3DES(168)";
1856       break;
1857 
1858     case SSL_RC4:
1859       enc = "RC4(128)";
1860       break;
1861 
1862     case SSL_AES128:
1863       enc = "AES(128)";
1864       break;
1865 
1866     case SSL_AES256:
1867       enc = "AES(256)";
1868       break;
1869 
1870     case SSL_AES128GCM:
1871       enc = "AESGCM(128)";
1872       break;
1873 
1874     case SSL_AES256GCM:
1875       enc = "AESGCM(256)";
1876       break;
1877 
1878     case SSL_CHACHA20POLY1305_OLD:
1879       enc = "ChaCha20-Poly1305-Old";
1880       break;
1881 
1882     case SSL_CHACHA20POLY1305:
1883       enc = "ChaCha20-Poly1305";
1884       break;
1885 
1886     case SSL_eNULL:
1887       enc="None";
1888       break;
1889 
1890     default:
1891       enc = "unknown";
1892       break;
1893   }
1894 
1895   switch (alg_mac) {
1896     case SSL_MD5:
1897       mac = "MD5";
1898       break;
1899 
1900     case SSL_SHA1:
1901       mac = "SHA1";
1902       break;
1903 
1904     case SSL_SHA256:
1905       mac = "SHA256";
1906       break;
1907 
1908     case SSL_SHA384:
1909       mac = "SHA384";
1910       break;
1911 
1912     case SSL_AEAD:
1913       mac = "AEAD";
1914       break;
1915 
1916     default:
1917       mac = "unknown";
1918       break;
1919   }
1920 
1921   if (buf == NULL) {
1922     len = 128;
1923     buf = OPENSSL_malloc(len);
1924     if (buf == NULL) {
1925       return NULL;
1926     }
1927   } else if (len < 128) {
1928     return "Buffer too small";
1929   }
1930 
1931   BIO_snprintf(buf, len, format, cipher->name, kx, au, enc, mac);
1932   return buf;
1933 }
1934 
SSL_CIPHER_get_version(const SSL_CIPHER * cipher)1935 const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher) {
1936   return "TLSv1/SSLv3";
1937 }
1938 
SSL_COMP_get_compression_methods(void)1939 COMP_METHOD *SSL_COMP_get_compression_methods(void) { return NULL; }
1940 
SSL_COMP_add_compression_method(int id,COMP_METHOD * cm)1941 int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) { return 1; }
1942 
SSL_COMP_get_name(const COMP_METHOD * comp)1943 const char *SSL_COMP_get_name(const COMP_METHOD *comp) { return NULL; }
1944 
ssl_cipher_get_key_type(const SSL_CIPHER * cipher)1945 int ssl_cipher_get_key_type(const SSL_CIPHER *cipher) {
1946   uint32_t alg_a = cipher->algorithm_auth;
1947 
1948   if (alg_a & SSL_aECDSA) {
1949     return EVP_PKEY_EC;
1950   } else if (alg_a & SSL_aRSA) {
1951     return EVP_PKEY_RSA;
1952   }
1953 
1954   return EVP_PKEY_NONE;
1955 }
1956 
ssl_cipher_has_server_public_key(const SSL_CIPHER * cipher)1957 int ssl_cipher_has_server_public_key(const SSL_CIPHER *cipher) {
1958   /* PSK-authenticated ciphers do not use a certificate. (RSA_PSK is not
1959    * supported.) */
1960   if (cipher->algorithm_auth & SSL_aPSK) {
1961     return 0;
1962   }
1963 
1964   /* All other ciphers include it. */
1965   return 1;
1966 }
1967 
ssl_cipher_requires_server_key_exchange(const SSL_CIPHER * cipher)1968 int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) {
1969   /* Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. */
1970   if (cipher->algorithm_mkey & SSL_kDHE || cipher->algorithm_mkey & SSL_kECDHE) {
1971     return 1;
1972   }
1973 
1974   /* It is optional in all others. */
1975   return 0;
1976 }
1977 
ssl_cipher_get_record_split_len(const SSL_CIPHER * cipher)1978 size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher) {
1979   size_t block_size;
1980   switch (cipher->algorithm_enc) {
1981     case SSL_3DES:
1982       block_size = 8;
1983       break;
1984     case SSL_AES128:
1985     case SSL_AES256:
1986       block_size = 16;
1987       break;
1988     default:
1989       return 0;
1990   }
1991 
1992   size_t mac_len;
1993   switch (cipher->algorithm_mac) {
1994     case SSL_MD5:
1995       mac_len = MD5_DIGEST_LENGTH;
1996       break;
1997     case SSL_SHA1:
1998       mac_len = SHA_DIGEST_LENGTH;
1999       break;
2000     default:
2001       return 0;
2002   }
2003 
2004   size_t ret = 1 + mac_len;
2005   ret += block_size - (ret % block_size);
2006   return ret;
2007 }
2008