1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110 /* ====================================================================
111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112 * ECC cipher suite support in OpenSSL originally developed by
113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
114 */
115 /* ====================================================================
116 * Copyright 2005 Nokia. All rights reserved.
117 *
118 * The portions of the attached software ("Contribution") is developed by
119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
120 * license.
121 *
122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
124 * support (see RFC 4279) to OpenSSL.
125 *
126 * No patent licenses or other rights except those expressly stated in
127 * the OpenSSL open source license shall be deemed granted or received
128 * expressly, by implication, estoppel, or otherwise.
129 *
130 * No assurances are provided by Nokia that the Contribution does not
131 * infringe the patent or other intellectual property rights of any third
132 * party or that the license provides you with all the necessary rights
133 * to make use of the Contribution.
134 *
135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
139 * OTHERWISE. */
140
141 #include <openssl/ssl.h>
142
143 #include <assert.h>
144 #include <string.h>
145
146 #include <openssl/buf.h>
147 #include <openssl/err.h>
148 #include <openssl/md5.h>
149 #include <openssl/mem.h>
150 #include <openssl/sha.h>
151 #include <openssl/stack.h>
152
153 #include "internal.h"
154 #include "../crypto/internal.h"
155
156
157 namespace bssl {
158
159 // kCiphers is an array of all supported ciphers, sorted by id.
160 static const SSL_CIPHER kCiphers[] = {
161 // The RSA ciphers
162 // Cipher 02
163 {
164 SSL3_TXT_RSA_NULL_SHA,
165 "TLS_RSA_WITH_NULL_SHA",
166 SSL3_CK_RSA_NULL_SHA,
167 SSL_kRSA,
168 SSL_aRSA,
169 SSL_eNULL,
170 SSL_SHA1,
171 SSL_HANDSHAKE_MAC_DEFAULT,
172 },
173
174 // Cipher 0A
175 {
176 SSL3_TXT_RSA_DES_192_CBC3_SHA,
177 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
178 SSL3_CK_RSA_DES_192_CBC3_SHA,
179 SSL_kRSA,
180 SSL_aRSA,
181 SSL_3DES,
182 SSL_SHA1,
183 SSL_HANDSHAKE_MAC_DEFAULT,
184 },
185
186
187 // New AES ciphersuites
188
189 // Cipher 2F
190 {
191 TLS1_TXT_RSA_WITH_AES_128_SHA,
192 "TLS_RSA_WITH_AES_128_CBC_SHA",
193 TLS1_CK_RSA_WITH_AES_128_SHA,
194 SSL_kRSA,
195 SSL_aRSA,
196 SSL_AES128,
197 SSL_SHA1,
198 SSL_HANDSHAKE_MAC_DEFAULT,
199 },
200
201 // Cipher 35
202 {
203 TLS1_TXT_RSA_WITH_AES_256_SHA,
204 "TLS_RSA_WITH_AES_256_CBC_SHA",
205 TLS1_CK_RSA_WITH_AES_256_SHA,
206 SSL_kRSA,
207 SSL_aRSA,
208 SSL_AES256,
209 SSL_SHA1,
210 SSL_HANDSHAKE_MAC_DEFAULT,
211 },
212
213
214 // TLS v1.2 ciphersuites
215
216 // Cipher 3C
217 {
218 TLS1_TXT_RSA_WITH_AES_128_SHA256,
219 "TLS_RSA_WITH_AES_128_CBC_SHA256",
220 TLS1_CK_RSA_WITH_AES_128_SHA256,
221 SSL_kRSA,
222 SSL_aRSA,
223 SSL_AES128,
224 SSL_SHA256,
225 SSL_HANDSHAKE_MAC_SHA256,
226 },
227
228 // Cipher 3D
229 {
230 TLS1_TXT_RSA_WITH_AES_256_SHA256,
231 "TLS_RSA_WITH_AES_256_CBC_SHA256",
232 TLS1_CK_RSA_WITH_AES_256_SHA256,
233 SSL_kRSA,
234 SSL_aRSA,
235 SSL_AES256,
236 SSL_SHA256,
237 SSL_HANDSHAKE_MAC_SHA256,
238 },
239
240 // PSK cipher suites.
241
242 // Cipher 8C
243 {
244 TLS1_TXT_PSK_WITH_AES_128_CBC_SHA,
245 "TLS_PSK_WITH_AES_128_CBC_SHA",
246 TLS1_CK_PSK_WITH_AES_128_CBC_SHA,
247 SSL_kPSK,
248 SSL_aPSK,
249 SSL_AES128,
250 SSL_SHA1,
251 SSL_HANDSHAKE_MAC_DEFAULT,
252 },
253
254 // Cipher 8D
255 {
256 TLS1_TXT_PSK_WITH_AES_256_CBC_SHA,
257 "TLS_PSK_WITH_AES_256_CBC_SHA",
258 TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
259 SSL_kPSK,
260 SSL_aPSK,
261 SSL_AES256,
262 SSL_SHA1,
263 SSL_HANDSHAKE_MAC_DEFAULT,
264 },
265
266 // GCM ciphersuites from RFC5288
267
268 // Cipher 9C
269 {
270 TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
271 "TLS_RSA_WITH_AES_128_GCM_SHA256",
272 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
273 SSL_kRSA,
274 SSL_aRSA,
275 SSL_AES128GCM,
276 SSL_AEAD,
277 SSL_HANDSHAKE_MAC_SHA256,
278 },
279
280 // Cipher 9D
281 {
282 TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
283 "TLS_RSA_WITH_AES_256_GCM_SHA384",
284 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
285 SSL_kRSA,
286 SSL_aRSA,
287 SSL_AES256GCM,
288 SSL_AEAD,
289 SSL_HANDSHAKE_MAC_SHA384,
290 },
291
292 // TLS 1.3 suites.
293
294 // Cipher 1301
295 {
296 TLS1_TXT_AES_128_GCM_SHA256,
297 "TLS_AES_128_GCM_SHA256",
298 TLS1_CK_AES_128_GCM_SHA256,
299 SSL_kGENERIC,
300 SSL_aGENERIC,
301 SSL_AES128GCM,
302 SSL_AEAD,
303 SSL_HANDSHAKE_MAC_SHA256,
304 },
305
306 // Cipher 1302
307 {
308 TLS1_TXT_AES_256_GCM_SHA384,
309 "TLS_AES_256_GCM_SHA384",
310 TLS1_CK_AES_256_GCM_SHA384,
311 SSL_kGENERIC,
312 SSL_aGENERIC,
313 SSL_AES256GCM,
314 SSL_AEAD,
315 SSL_HANDSHAKE_MAC_SHA384,
316 },
317
318 // Cipher 1303
319 {
320 TLS1_TXT_CHACHA20_POLY1305_SHA256,
321 "TLS_CHACHA20_POLY1305_SHA256",
322 TLS1_CK_CHACHA20_POLY1305_SHA256,
323 SSL_kGENERIC,
324 SSL_aGENERIC,
325 SSL_CHACHA20POLY1305,
326 SSL_AEAD,
327 SSL_HANDSHAKE_MAC_SHA256,
328 },
329
330 // Cipher C009
331 {
332 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
333 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
334 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
335 SSL_kECDHE,
336 SSL_aECDSA,
337 SSL_AES128,
338 SSL_SHA1,
339 SSL_HANDSHAKE_MAC_DEFAULT,
340 },
341
342 // Cipher C00A
343 {
344 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
345 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
346 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
347 SSL_kECDHE,
348 SSL_aECDSA,
349 SSL_AES256,
350 SSL_SHA1,
351 SSL_HANDSHAKE_MAC_DEFAULT,
352 },
353
354 // Cipher C013
355 {
356 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
357 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
358 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
359 SSL_kECDHE,
360 SSL_aRSA,
361 SSL_AES128,
362 SSL_SHA1,
363 SSL_HANDSHAKE_MAC_DEFAULT,
364 },
365
366 // Cipher C014
367 {
368 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
369 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
370 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
371 SSL_kECDHE,
372 SSL_aRSA,
373 SSL_AES256,
374 SSL_SHA1,
375 SSL_HANDSHAKE_MAC_DEFAULT,
376 },
377
378
379 // HMAC based TLS v1.2 ciphersuites from RFC5289
380
381 // Cipher C023
382 {
383 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
384 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
385 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
386 SSL_kECDHE,
387 SSL_aECDSA,
388 SSL_AES128,
389 SSL_SHA256,
390 SSL_HANDSHAKE_MAC_SHA256,
391 },
392
393 // Cipher C024
394 {
395 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
396 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
397 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
398 SSL_kECDHE,
399 SSL_aECDSA,
400 SSL_AES256,
401 SSL_SHA384,
402 SSL_HANDSHAKE_MAC_SHA384,
403 },
404
405 // Cipher C027
406 {
407 TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
408 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
409 TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
410 SSL_kECDHE,
411 SSL_aRSA,
412 SSL_AES128,
413 SSL_SHA256,
414 SSL_HANDSHAKE_MAC_SHA256,
415 },
416
417 // Cipher C028
418 {
419 TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
420 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
421 TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
422 SSL_kECDHE,
423 SSL_aRSA,
424 SSL_AES256,
425 SSL_SHA384,
426 SSL_HANDSHAKE_MAC_SHA384,
427 },
428
429
430 // GCM based TLS v1.2 ciphersuites from RFC5289
431
432 // Cipher C02B
433 {
434 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
435 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
436 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
437 SSL_kECDHE,
438 SSL_aECDSA,
439 SSL_AES128GCM,
440 SSL_AEAD,
441 SSL_HANDSHAKE_MAC_SHA256,
442 },
443
444 // Cipher C02C
445 {
446 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
447 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
448 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
449 SSL_kECDHE,
450 SSL_aECDSA,
451 SSL_AES256GCM,
452 SSL_AEAD,
453 SSL_HANDSHAKE_MAC_SHA384,
454 },
455
456 // Cipher C02F
457 {
458 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
459 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
460 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
461 SSL_kECDHE,
462 SSL_aRSA,
463 SSL_AES128GCM,
464 SSL_AEAD,
465 SSL_HANDSHAKE_MAC_SHA256,
466 },
467
468 // Cipher C030
469 {
470 TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
471 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
472 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
473 SSL_kECDHE,
474 SSL_aRSA,
475 SSL_AES256GCM,
476 SSL_AEAD,
477 SSL_HANDSHAKE_MAC_SHA384,
478 },
479
480 // ECDHE-PSK cipher suites.
481
482 // Cipher C035
483 {
484 TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA,
485 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
486 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
487 SSL_kECDHE,
488 SSL_aPSK,
489 SSL_AES128,
490 SSL_SHA1,
491 SSL_HANDSHAKE_MAC_DEFAULT,
492 },
493
494 // Cipher C036
495 {
496 TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA,
497 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
498 TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA,
499 SSL_kECDHE,
500 SSL_aPSK,
501 SSL_AES256,
502 SSL_SHA1,
503 SSL_HANDSHAKE_MAC_DEFAULT,
504 },
505
506 // ChaCha20-Poly1305 cipher suites.
507
508 // Cipher CCA8
509 {
510 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
511 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
512 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
513 SSL_kECDHE,
514 SSL_aRSA,
515 SSL_CHACHA20POLY1305,
516 SSL_AEAD,
517 SSL_HANDSHAKE_MAC_SHA256,
518 },
519
520 // Cipher CCA9
521 {
522 TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
523 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
524 TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
525 SSL_kECDHE,
526 SSL_aECDSA,
527 SSL_CHACHA20POLY1305,
528 SSL_AEAD,
529 SSL_HANDSHAKE_MAC_SHA256,
530 },
531
532 // Cipher CCAB
533 {
534 TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
535 "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
536 TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
537 SSL_kECDHE,
538 SSL_aPSK,
539 SSL_CHACHA20POLY1305,
540 SSL_AEAD,
541 SSL_HANDSHAKE_MAC_SHA256,
542 },
543
544 };
545
546 static const size_t kCiphersLen = OPENSSL_ARRAY_SIZE(kCiphers);
547
548 #define CIPHER_ADD 1
549 #define CIPHER_KILL 2
550 #define CIPHER_DEL 3
551 #define CIPHER_ORD 4
552 #define CIPHER_SPECIAL 5
553
554 typedef struct cipher_order_st {
555 const SSL_CIPHER *cipher;
556 bool active;
557 bool in_group;
558 struct cipher_order_st *next, *prev;
559 } CIPHER_ORDER;
560
561 typedef struct cipher_alias_st {
562 // name is the name of the cipher alias.
563 const char *name;
564
565 // The following fields are bitmasks for the corresponding fields on
566 // |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the
567 // bit corresponding to the cipher's value is set to 1. If any bitmask is
568 // all zeroes, the alias matches nothing. Use |~0u| for the default value.
569 uint32_t algorithm_mkey;
570 uint32_t algorithm_auth;
571 uint32_t algorithm_enc;
572 uint32_t algorithm_mac;
573
574 // min_version, if non-zero, matches all ciphers which were added in that
575 // particular protocol version.
576 uint16_t min_version;
577 } CIPHER_ALIAS;
578
579 static const CIPHER_ALIAS kCipherAliases[] = {
580 // "ALL" doesn't include eNULL. It must be explicitly enabled.
581 {"ALL", ~0u, ~0u, ~0u, ~0u, 0},
582
583 // The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing.
584
585 // key exchange aliases
586 // (some of those using only a single bit here combine
587 // multiple key exchange algs according to the RFCs.
588 {"kRSA", SSL_kRSA, ~0u, ~0u, ~0u, 0},
589
590 {"kECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
591 {"kEECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
592 {"ECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
593
594 {"kPSK", SSL_kPSK, ~0u, ~0u, ~0u, 0},
595
596 // server authentication aliases
597 {"aRSA", ~0u, SSL_aRSA, ~0u, ~0u, 0},
598 {"aECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
599 {"ECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
600 {"aPSK", ~0u, SSL_aPSK, ~0u, ~0u, 0},
601
602 // aliases combining key exchange and server authentication
603 {"ECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
604 {"EECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
605 {"RSA", SSL_kRSA, SSL_aRSA, ~0u, ~0u, 0},
606 {"PSK", SSL_kPSK, SSL_aPSK, ~0u, ~0u, 0},
607
608 // symmetric encryption aliases
609 {"3DES", ~0u, ~0u, SSL_3DES, ~0u, 0},
610 {"AES128", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0},
611 {"AES256", ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0},
612 {"AES", ~0u, ~0u, SSL_AES, ~0u, 0},
613 {"AESGCM", ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0},
614 {"CHACHA20", ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0},
615
616 // MAC aliases
617 {"SHA1", ~0u, ~0u, ~0u, SSL_SHA1, 0},
618 {"SHA", ~0u, ~0u, ~0u, SSL_SHA1, 0},
619 {"SHA256", ~0u, ~0u, ~0u, SSL_SHA256, 0},
620 {"SHA384", ~0u, ~0u, ~0u, SSL_SHA384, 0},
621
622 // Legacy protocol minimum version aliases. "TLSv1" is intentionally the
623 // same as "SSLv3".
624 {"SSLv3", ~0u, ~0u, ~0u, ~0u, SSL3_VERSION},
625 {"TLSv1", ~0u, ~0u, ~0u, ~0u, SSL3_VERSION},
626 {"TLSv1.2", ~0u, ~0u, ~0u, ~0u, TLS1_2_VERSION},
627
628 // Legacy strength classes.
629 {"HIGH", ~0u, ~0u, ~0u, ~0u, 0},
630 {"FIPS", ~0u, ~0u, ~0u, ~0u, 0},
631 };
632
633 static const size_t kCipherAliasesLen = OPENSSL_ARRAY_SIZE(kCipherAliases);
634
ssl_cipher_id_cmp(const void * in_a,const void * in_b)635 static int ssl_cipher_id_cmp(const void *in_a, const void *in_b) {
636 const SSL_CIPHER *a = reinterpret_cast<const SSL_CIPHER *>(in_a);
637 const SSL_CIPHER *b = reinterpret_cast<const SSL_CIPHER *>(in_b);
638
639 if (a->id > b->id) {
640 return 1;
641 } else if (a->id < b->id) {
642 return -1;
643 } else {
644 return 0;
645 }
646 }
647
ssl_cipher_get_evp_aead(const EVP_AEAD ** out_aead,size_t * out_mac_secret_len,size_t * out_fixed_iv_len,const SSL_CIPHER * cipher,uint16_t version,int is_dtls)648 bool ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
649 size_t *out_mac_secret_len,
650 size_t *out_fixed_iv_len, const SSL_CIPHER *cipher,
651 uint16_t version, int is_dtls) {
652 *out_aead = NULL;
653 *out_mac_secret_len = 0;
654 *out_fixed_iv_len = 0;
655
656 const int is_tls12 = version == TLS1_2_VERSION && !is_dtls;
657
658 if (cipher->algorithm_mac == SSL_AEAD) {
659 if (cipher->algorithm_enc == SSL_AES128GCM) {
660 *out_aead =
661 is_tls12 ? EVP_aead_aes_128_gcm_tls12() : EVP_aead_aes_128_gcm();
662 *out_fixed_iv_len = 4;
663 } else if (cipher->algorithm_enc == SSL_AES256GCM) {
664 *out_aead =
665 is_tls12 ? EVP_aead_aes_256_gcm_tls12() : EVP_aead_aes_256_gcm();
666 *out_fixed_iv_len = 4;
667 } else if (cipher->algorithm_enc == SSL_CHACHA20POLY1305) {
668 *out_aead = EVP_aead_chacha20_poly1305();
669 *out_fixed_iv_len = 12;
670 } else {
671 return false;
672 }
673
674 // In TLS 1.3, the iv_len is equal to the AEAD nonce length whereas the code
675 // above computes the TLS 1.2 construction.
676 if (version >= TLS1_3_VERSION) {
677 *out_fixed_iv_len = EVP_AEAD_nonce_length(*out_aead);
678 }
679 } else if (cipher->algorithm_mac == SSL_SHA1) {
680 if (cipher->algorithm_enc == SSL_eNULL) {
681 if (version == SSL3_VERSION) {
682 *out_aead = EVP_aead_null_sha1_ssl3();
683 } else {
684 *out_aead = EVP_aead_null_sha1_tls();
685 }
686 } else if (cipher->algorithm_enc == SSL_3DES) {
687 if (version == SSL3_VERSION) {
688 *out_aead = EVP_aead_des_ede3_cbc_sha1_ssl3();
689 *out_fixed_iv_len = 8;
690 } else if (version == TLS1_VERSION) {
691 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv();
692 *out_fixed_iv_len = 8;
693 } else {
694 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls();
695 }
696 } else if (cipher->algorithm_enc == SSL_AES128) {
697 if (version == SSL3_VERSION) {
698 *out_aead = EVP_aead_aes_128_cbc_sha1_ssl3();
699 *out_fixed_iv_len = 16;
700 } else if (version == TLS1_VERSION) {
701 *out_aead = EVP_aead_aes_128_cbc_sha1_tls_implicit_iv();
702 *out_fixed_iv_len = 16;
703 } else {
704 *out_aead = EVP_aead_aes_128_cbc_sha1_tls();
705 }
706 } else if (cipher->algorithm_enc == SSL_AES256) {
707 if (version == SSL3_VERSION) {
708 *out_aead = EVP_aead_aes_256_cbc_sha1_ssl3();
709 *out_fixed_iv_len = 16;
710 } else if (version == TLS1_VERSION) {
711 *out_aead = EVP_aead_aes_256_cbc_sha1_tls_implicit_iv();
712 *out_fixed_iv_len = 16;
713 } else {
714 *out_aead = EVP_aead_aes_256_cbc_sha1_tls();
715 }
716 } else {
717 return false;
718 }
719
720 *out_mac_secret_len = SHA_DIGEST_LENGTH;
721 } else if (cipher->algorithm_mac == SSL_SHA256) {
722 if (cipher->algorithm_enc == SSL_AES128) {
723 *out_aead = EVP_aead_aes_128_cbc_sha256_tls();
724 } else if (cipher->algorithm_enc == SSL_AES256) {
725 *out_aead = EVP_aead_aes_256_cbc_sha256_tls();
726 } else {
727 return false;
728 }
729
730 *out_mac_secret_len = SHA256_DIGEST_LENGTH;
731 } else if (cipher->algorithm_mac == SSL_SHA384) {
732 if (cipher->algorithm_enc != SSL_AES256) {
733 return false;
734 }
735
736 *out_aead = EVP_aead_aes_256_cbc_sha384_tls();
737 *out_mac_secret_len = SHA384_DIGEST_LENGTH;
738 } else {
739 return false;
740 }
741
742 return true;
743 }
744
ssl_get_handshake_digest(uint16_t version,const SSL_CIPHER * cipher)745 const EVP_MD *ssl_get_handshake_digest(uint16_t version,
746 const SSL_CIPHER *cipher) {
747 switch (cipher->algorithm_prf) {
748 case SSL_HANDSHAKE_MAC_DEFAULT:
749 return version >= TLS1_2_VERSION ? EVP_sha256() : EVP_md5_sha1();
750 case SSL_HANDSHAKE_MAC_SHA256:
751 return EVP_sha256();
752 case SSL_HANDSHAKE_MAC_SHA384:
753 return EVP_sha384();
754 default:
755 assert(0);
756 return NULL;
757 }
758 }
759
is_cipher_list_separator(char c,int is_strict)760 static bool is_cipher_list_separator(char c, int is_strict) {
761 if (c == ':') {
762 return true;
763 }
764 return !is_strict && (c == ' ' || c == ';' || c == ',');
765 }
766
767 // rule_equals returns whether the NUL-terminated string |rule| is equal to the
768 // |buf_len| bytes at |buf|.
rule_equals(const char * rule,const char * buf,size_t buf_len)769 static bool rule_equals(const char *rule, const char *buf, size_t buf_len) {
770 // |strncmp| alone only checks that |buf| is a prefix of |rule|.
771 return strncmp(rule, buf, buf_len) == 0 && rule[buf_len] == '\0';
772 }
773
ll_append_tail(CIPHER_ORDER ** head,CIPHER_ORDER * curr,CIPHER_ORDER ** tail)774 static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
775 CIPHER_ORDER **tail) {
776 if (curr == *tail) {
777 return;
778 }
779 if (curr == *head) {
780 *head = curr->next;
781 }
782 if (curr->prev != NULL) {
783 curr->prev->next = curr->next;
784 }
785 if (curr->next != NULL) {
786 curr->next->prev = curr->prev;
787 }
788 (*tail)->next = curr;
789 curr->prev = *tail;
790 curr->next = NULL;
791 *tail = curr;
792 }
793
ll_append_head(CIPHER_ORDER ** head,CIPHER_ORDER * curr,CIPHER_ORDER ** tail)794 static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
795 CIPHER_ORDER **tail) {
796 if (curr == *head) {
797 return;
798 }
799 if (curr == *tail) {
800 *tail = curr->prev;
801 }
802 if (curr->next != NULL) {
803 curr->next->prev = curr->prev;
804 }
805 if (curr->prev != NULL) {
806 curr->prev->next = curr->next;
807 }
808 (*head)->prev = curr;
809 curr->next = *head;
810 curr->prev = NULL;
811 *head = curr;
812 }
813
ssl_cipher_collect_ciphers(CIPHER_ORDER * co_list,CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p)814 static void ssl_cipher_collect_ciphers(CIPHER_ORDER *co_list,
815 CIPHER_ORDER **head_p,
816 CIPHER_ORDER **tail_p) {
817 size_t co_list_num = 0;
818 for (const SSL_CIPHER &cipher : kCiphers) {
819 // TLS 1.3 ciphers do not participate in this mechanism.
820 if (cipher.algorithm_mkey != SSL_kGENERIC) {
821 co_list[co_list_num].cipher = &cipher;
822 co_list[co_list_num].next = NULL;
823 co_list[co_list_num].prev = NULL;
824 co_list[co_list_num].active = false;
825 co_list[co_list_num].in_group = false;
826 co_list_num++;
827 }
828 }
829
830 // Prepare linked list from list entries.
831 if (co_list_num > 0) {
832 co_list[0].prev = NULL;
833
834 if (co_list_num > 1) {
835 co_list[0].next = &co_list[1];
836
837 for (size_t i = 1; i < co_list_num - 1; i++) {
838 co_list[i].prev = &co_list[i - 1];
839 co_list[i].next = &co_list[i + 1];
840 }
841
842 co_list[co_list_num - 1].prev = &co_list[co_list_num - 2];
843 }
844
845 co_list[co_list_num - 1].next = NULL;
846
847 *head_p = &co_list[0];
848 *tail_p = &co_list[co_list_num - 1];
849 }
850 }
851
852 // ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its
853 // parameters in the linked list from |*head_p| to |*tail_p|. It writes the new
854 // head and tail of the list to |*head_p| and |*tail_p|, respectively.
855 //
856 // - If |cipher_id| is non-zero, only that cipher is selected.
857 // - Otherwise, if |strength_bits| is non-negative, it selects ciphers
858 // of that strength.
859 // - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and
860 // |min_version|.
ssl_cipher_apply_rule(uint32_t cipher_id,uint32_t alg_mkey,uint32_t alg_auth,uint32_t alg_enc,uint32_t alg_mac,uint16_t min_version,int rule,int strength_bits,bool in_group,CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p)861 static void ssl_cipher_apply_rule(
862 uint32_t cipher_id, uint32_t alg_mkey, uint32_t alg_auth,
863 uint32_t alg_enc, uint32_t alg_mac, uint16_t min_version, int rule,
864 int strength_bits, bool in_group, CIPHER_ORDER **head_p,
865 CIPHER_ORDER **tail_p) {
866 CIPHER_ORDER *head, *tail, *curr, *next, *last;
867 const SSL_CIPHER *cp;
868 bool reverse = false;
869
870 if (cipher_id == 0 && strength_bits == -1 && min_version == 0 &&
871 (alg_mkey == 0 || alg_auth == 0 || alg_enc == 0 || alg_mac == 0)) {
872 // The rule matches nothing, so bail early.
873 return;
874 }
875
876 if (rule == CIPHER_DEL) {
877 // needed to maintain sorting between currently deleted ciphers
878 reverse = true;
879 }
880
881 head = *head_p;
882 tail = *tail_p;
883
884 if (reverse) {
885 next = tail;
886 last = head;
887 } else {
888 next = head;
889 last = tail;
890 }
891
892 curr = NULL;
893 for (;;) {
894 if (curr == last) {
895 break;
896 }
897
898 curr = next;
899 if (curr == NULL) {
900 break;
901 }
902
903 next = reverse ? curr->prev : curr->next;
904 cp = curr->cipher;
905
906 // Selection criteria is either a specific cipher, the value of
907 // |strength_bits|, or the algorithms used.
908 if (cipher_id != 0) {
909 if (cipher_id != cp->id) {
910 continue;
911 }
912 } else if (strength_bits >= 0) {
913 if (strength_bits != SSL_CIPHER_get_bits(cp, NULL)) {
914 continue;
915 }
916 } else {
917 if (!(alg_mkey & cp->algorithm_mkey) ||
918 !(alg_auth & cp->algorithm_auth) ||
919 !(alg_enc & cp->algorithm_enc) ||
920 !(alg_mac & cp->algorithm_mac) ||
921 (min_version != 0 && SSL_CIPHER_get_min_version(cp) != min_version) ||
922 // The NULL cipher must be selected explicitly.
923 cp->algorithm_enc == SSL_eNULL) {
924 continue;
925 }
926 }
927
928 // add the cipher if it has not been added yet.
929 if (rule == CIPHER_ADD) {
930 // reverse == false
931 if (!curr->active) {
932 ll_append_tail(&head, curr, &tail);
933 curr->active = true;
934 curr->in_group = in_group;
935 }
936 }
937
938 // Move the added cipher to this location
939 else if (rule == CIPHER_ORD) {
940 // reverse == false
941 if (curr->active) {
942 ll_append_tail(&head, curr, &tail);
943 curr->in_group = false;
944 }
945 } else if (rule == CIPHER_DEL) {
946 // reverse == true
947 if (curr->active) {
948 // most recently deleted ciphersuites get best positions
949 // for any future CIPHER_ADD (note that the CIPHER_DEL loop
950 // works in reverse to maintain the order)
951 ll_append_head(&head, curr, &tail);
952 curr->active = false;
953 curr->in_group = false;
954 }
955 } else if (rule == CIPHER_KILL) {
956 // reverse == false
957 if (head == curr) {
958 head = curr->next;
959 } else {
960 curr->prev->next = curr->next;
961 }
962
963 if (tail == curr) {
964 tail = curr->prev;
965 }
966 curr->active = false;
967 if (curr->next != NULL) {
968 curr->next->prev = curr->prev;
969 }
970 if (curr->prev != NULL) {
971 curr->prev->next = curr->next;
972 }
973 curr->next = NULL;
974 curr->prev = NULL;
975 }
976 }
977
978 *head_p = head;
979 *tail_p = tail;
980 }
981
ssl_cipher_strength_sort(CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p)982 static bool ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
983 CIPHER_ORDER **tail_p) {
984 // This routine sorts the ciphers with descending strength. The sorting must
985 // keep the pre-sorted sequence, so we apply the normal sorting routine as
986 // '+' movement to the end of the list.
987 int max_strength_bits = 0;
988 CIPHER_ORDER *curr = *head_p;
989 while (curr != NULL) {
990 if (curr->active &&
991 SSL_CIPHER_get_bits(curr->cipher, NULL) > max_strength_bits) {
992 max_strength_bits = SSL_CIPHER_get_bits(curr->cipher, NULL);
993 }
994 curr = curr->next;
995 }
996
997 Array<int> number_uses;
998 if (!number_uses.Init(max_strength_bits + 1)) {
999 return false;
1000 }
1001 OPENSSL_memset(number_uses.data(), 0, (max_strength_bits + 1) * sizeof(int));
1002
1003 // Now find the strength_bits values actually used.
1004 curr = *head_p;
1005 while (curr != NULL) {
1006 if (curr->active) {
1007 number_uses[SSL_CIPHER_get_bits(curr->cipher, NULL)]++;
1008 }
1009 curr = curr->next;
1010 }
1011
1012 // Go through the list of used strength_bits values in descending order.
1013 for (int i = max_strength_bits; i >= 0; i--) {
1014 if (number_uses[i] > 0) {
1015 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i, false, head_p,
1016 tail_p);
1017 }
1018 }
1019
1020 return true;
1021 }
1022
ssl_cipher_process_rulestr(const char * rule_str,CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p,bool strict)1023 static bool ssl_cipher_process_rulestr(const char *rule_str,
1024 CIPHER_ORDER **head_p,
1025 CIPHER_ORDER **tail_p, bool strict) {
1026 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
1027 uint16_t min_version;
1028 const char *l, *buf;
1029 int rule;
1030 bool multi, skip_rule, in_group = false, has_group = false;
1031 size_t j, buf_len;
1032 uint32_t cipher_id;
1033 char ch;
1034
1035 l = rule_str;
1036 for (;;) {
1037 ch = *l;
1038
1039 if (ch == '\0') {
1040 break; // done
1041 }
1042
1043 if (in_group) {
1044 if (ch == ']') {
1045 if (*tail_p) {
1046 (*tail_p)->in_group = false;
1047 }
1048 in_group = false;
1049 l++;
1050 continue;
1051 }
1052
1053 if (ch == '|') {
1054 rule = CIPHER_ADD;
1055 l++;
1056 continue;
1057 } else if (!(ch >= 'a' && ch <= 'z') && !(ch >= 'A' && ch <= 'Z') &&
1058 !(ch >= '0' && ch <= '9')) {
1059 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP);
1060 return false;
1061 } else {
1062 rule = CIPHER_ADD;
1063 }
1064 } else if (ch == '-') {
1065 rule = CIPHER_DEL;
1066 l++;
1067 } else if (ch == '+') {
1068 rule = CIPHER_ORD;
1069 l++;
1070 } else if (ch == '!') {
1071 rule = CIPHER_KILL;
1072 l++;
1073 } else if (ch == '@') {
1074 rule = CIPHER_SPECIAL;
1075 l++;
1076 } else if (ch == '[') {
1077 assert(!in_group);
1078 in_group = true;
1079 has_group = true;
1080 l++;
1081 continue;
1082 } else {
1083 rule = CIPHER_ADD;
1084 }
1085
1086 // If preference groups are enabled, the only legal operator is +.
1087 // Otherwise the in_group bits will get mixed up.
1088 if (has_group && rule != CIPHER_ADD) {
1089 OPENSSL_PUT_ERROR(SSL, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
1090 return false;
1091 }
1092
1093 if (is_cipher_list_separator(ch, strict)) {
1094 l++;
1095 continue;
1096 }
1097
1098 multi = false;
1099 cipher_id = 0;
1100 alg_mkey = ~0u;
1101 alg_auth = ~0u;
1102 alg_enc = ~0u;
1103 alg_mac = ~0u;
1104 min_version = 0;
1105 skip_rule = false;
1106
1107 for (;;) {
1108 ch = *l;
1109 buf = l;
1110 buf_len = 0;
1111 while ((ch >= 'A' && ch <= 'Z') || (ch >= '0' && ch <= '9') ||
1112 (ch >= 'a' && ch <= 'z') || ch == '-' || ch == '.' || ch == '_') {
1113 ch = *(++l);
1114 buf_len++;
1115 }
1116
1117 if (buf_len == 0) {
1118 // We hit something we cannot deal with, it is no command or separator
1119 // nor alphanumeric, so we call this an error.
1120 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1121 return false;
1122 }
1123
1124 if (rule == CIPHER_SPECIAL) {
1125 break;
1126 }
1127
1128 // Look for a matching exact cipher. These aren't allowed in multipart
1129 // rules.
1130 if (!multi && ch != '+') {
1131 for (j = 0; j < kCiphersLen; j++) {
1132 const SSL_CIPHER *cipher = &kCiphers[j];
1133 if (rule_equals(cipher->name, buf, buf_len) ||
1134 rule_equals(cipher->standard_name, buf, buf_len)) {
1135 cipher_id = cipher->id;
1136 break;
1137 }
1138 }
1139 }
1140 if (cipher_id == 0) {
1141 // If not an exact cipher, look for a matching cipher alias.
1142 for (j = 0; j < kCipherAliasesLen; j++) {
1143 if (rule_equals(kCipherAliases[j].name, buf, buf_len)) {
1144 alg_mkey &= kCipherAliases[j].algorithm_mkey;
1145 alg_auth &= kCipherAliases[j].algorithm_auth;
1146 alg_enc &= kCipherAliases[j].algorithm_enc;
1147 alg_mac &= kCipherAliases[j].algorithm_mac;
1148
1149 if (min_version != 0 &&
1150 min_version != kCipherAliases[j].min_version) {
1151 skip_rule = true;
1152 } else {
1153 min_version = kCipherAliases[j].min_version;
1154 }
1155 break;
1156 }
1157 }
1158 if (j == kCipherAliasesLen) {
1159 skip_rule = true;
1160 if (strict) {
1161 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1162 return false;
1163 }
1164 }
1165 }
1166
1167 // Check for a multipart rule.
1168 if (ch != '+') {
1169 break;
1170 }
1171 l++;
1172 multi = true;
1173 }
1174
1175 // Ok, we have the rule, now apply it.
1176 if (rule == CIPHER_SPECIAL) {
1177 if (buf_len != 8 || strncmp(buf, "STRENGTH", 8) != 0) {
1178 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1179 return false;
1180 }
1181 if (!ssl_cipher_strength_sort(head_p, tail_p)) {
1182 return false;
1183 }
1184
1185 // We do not support any "multi" options together with "@", so throw away
1186 // the rest of the command, if any left, until end or ':' is found.
1187 while (*l != '\0' && !is_cipher_list_separator(*l, strict)) {
1188 l++;
1189 }
1190 } else if (!skip_rule) {
1191 ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth, alg_enc, alg_mac,
1192 min_version, rule, -1, in_group, head_p, tail_p);
1193 }
1194 }
1195
1196 if (in_group) {
1197 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1198 return false;
1199 }
1200
1201 return true;
1202 }
1203
ssl_create_cipher_list(struct ssl_cipher_preference_list_st ** out_cipher_list,const char * rule_str,bool strict)1204 bool ssl_create_cipher_list(
1205 struct ssl_cipher_preference_list_st **out_cipher_list,
1206 const char *rule_str, bool strict) {
1207 STACK_OF(SSL_CIPHER) *cipherstack = NULL;
1208 CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
1209 uint8_t *in_group_flags = NULL;
1210 unsigned int num_in_group_flags = 0;
1211 struct ssl_cipher_preference_list_st *pref_list = NULL;
1212
1213 // Return with error if nothing to do.
1214 if (rule_str == NULL || out_cipher_list == NULL) {
1215 return false;
1216 }
1217
1218 // Now we have to collect the available ciphers from the compiled in ciphers.
1219 // We cannot get more than the number compiled in, so it is used for
1220 // allocation.
1221 co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * kCiphersLen);
1222 if (co_list == NULL) {
1223 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
1224 return false;
1225 }
1226
1227 ssl_cipher_collect_ciphers(co_list, &head, &tail);
1228
1229 // Now arrange all ciphers by preference:
1230 // TODO(davidben): Compute this order once and copy it.
1231
1232 // Everything else being equal, prefer ECDHE_ECDSA and ECDHE_RSA over other
1233 // key exchange mechanisms
1234 ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, ~0u, ~0u, 0, CIPHER_ADD, -1,
1235 false, &head, &tail);
1236 ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, false,
1237 &head, &tail);
1238 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, false, &head,
1239 &tail);
1240
1241 // Order the bulk ciphers. First the preferred AEAD ciphers. We prefer
1242 // CHACHA20 unless there is hardware support for fast and constant-time
1243 // AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the
1244 // old one.
1245 if (EVP_has_aes_hardware()) {
1246 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1,
1247 false, &head, &tail);
1248 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1,
1249 false, &head, &tail);
1250 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
1251 -1, false, &head, &tail);
1252 } else {
1253 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
1254 -1, false, &head, &tail);
1255 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1,
1256 false, &head, &tail);
1257 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1,
1258 false, &head, &tail);
1259 }
1260
1261 // Then the legacy non-AEAD ciphers: AES_128_CBC, AES_256_CBC,
1262 // 3DES_EDE_CBC_SHA.
1263 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, 0, CIPHER_ADD, -1, false,
1264 &head, &tail);
1265 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, 0, CIPHER_ADD, -1, false,
1266 &head, &tail);
1267 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, 0, CIPHER_ADD, -1, false,
1268 &head, &tail);
1269
1270 // Temporarily enable everything else for sorting
1271 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, false, &head,
1272 &tail);
1273
1274 // Move ciphers without forward secrecy to the end.
1275 ssl_cipher_apply_rule(0, (SSL_kRSA | SSL_kPSK), ~0u, ~0u, ~0u, 0, CIPHER_ORD,
1276 -1, false, &head, &tail);
1277
1278 // Now disable everything (maintaining the ordering!)
1279 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, false, &head,
1280 &tail);
1281
1282 // If the rule_string begins with DEFAULT, apply the default rule before
1283 // using the (possibly available) additional rules.
1284 const char *rule_p = rule_str;
1285 if (strncmp(rule_str, "DEFAULT", 7) == 0) {
1286 if (!ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, &head, &tail,
1287 strict)) {
1288 goto err;
1289 }
1290 rule_p += 7;
1291 if (*rule_p == ':') {
1292 rule_p++;
1293 }
1294 }
1295
1296 if (*rule_p != '\0' &&
1297 !ssl_cipher_process_rulestr(rule_p, &head, &tail, strict)) {
1298 goto err;
1299 }
1300
1301 // Allocate new "cipherstack" for the result, return with error
1302 // if we cannot get one.
1303 cipherstack = sk_SSL_CIPHER_new_null();
1304 if (cipherstack == NULL) {
1305 goto err;
1306 }
1307
1308 in_group_flags = (uint8_t *)OPENSSL_malloc(kCiphersLen);
1309 if (!in_group_flags) {
1310 goto err;
1311 }
1312
1313 // The cipher selection for the list is done. The ciphers are added
1314 // to the resulting precedence to the STACK_OF(SSL_CIPHER).
1315 for (curr = head; curr != NULL; curr = curr->next) {
1316 if (curr->active) {
1317 if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
1318 goto err;
1319 }
1320 in_group_flags[num_in_group_flags++] = curr->in_group;
1321 }
1322 }
1323 OPENSSL_free(co_list); // Not needed any longer
1324 co_list = NULL;
1325
1326 pref_list = (ssl_cipher_preference_list_st *)OPENSSL_malloc(
1327 sizeof(struct ssl_cipher_preference_list_st));
1328 if (!pref_list) {
1329 goto err;
1330 }
1331 pref_list->ciphers = cipherstack;
1332 pref_list->in_group_flags = NULL;
1333 if (num_in_group_flags) {
1334 pref_list->in_group_flags = (uint8_t *)OPENSSL_malloc(num_in_group_flags);
1335 if (!pref_list->in_group_flags) {
1336 goto err;
1337 }
1338 OPENSSL_memcpy(pref_list->in_group_flags, in_group_flags,
1339 num_in_group_flags);
1340 }
1341 OPENSSL_free(in_group_flags);
1342 in_group_flags = NULL;
1343 if (*out_cipher_list != NULL) {
1344 ssl_cipher_preference_list_free(*out_cipher_list);
1345 }
1346 *out_cipher_list = pref_list;
1347 pref_list = NULL;
1348
1349 // Configuring an empty cipher list is an error but still updates the
1350 // output.
1351 if (sk_SSL_CIPHER_num((*out_cipher_list)->ciphers) == 0) {
1352 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHER_MATCH);
1353 return false;
1354 }
1355
1356 return true;
1357
1358 err:
1359 OPENSSL_free(co_list);
1360 OPENSSL_free(in_group_flags);
1361 sk_SSL_CIPHER_free(cipherstack);
1362 if (pref_list) {
1363 OPENSSL_free(pref_list->in_group_flags);
1364 }
1365 OPENSSL_free(pref_list);
1366 return false;
1367 }
1368
ssl_cipher_get_value(const SSL_CIPHER * cipher)1369 uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher) {
1370 uint32_t id = cipher->id;
1371 // All ciphers are SSLv3.
1372 assert((id & 0xff000000) == 0x03000000);
1373 return id & 0xffff;
1374 }
1375
ssl_cipher_auth_mask_for_key(const EVP_PKEY * key)1376 uint32_t ssl_cipher_auth_mask_for_key(const EVP_PKEY *key) {
1377 switch (EVP_PKEY_id(key)) {
1378 case EVP_PKEY_RSA:
1379 return SSL_aRSA;
1380 case EVP_PKEY_EC:
1381 case EVP_PKEY_ED25519:
1382 // Ed25519 keys in TLS 1.2 repurpose the ECDSA ciphers.
1383 return SSL_aECDSA;
1384 default:
1385 return 0;
1386 }
1387 }
1388
ssl_cipher_uses_certificate_auth(const SSL_CIPHER * cipher)1389 bool ssl_cipher_uses_certificate_auth(const SSL_CIPHER *cipher) {
1390 return (cipher->algorithm_auth & SSL_aCERT) != 0;
1391 }
1392
ssl_cipher_requires_server_key_exchange(const SSL_CIPHER * cipher)1393 bool ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) {
1394 // Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. It is
1395 // optional or omitted in all others.
1396 return (cipher->algorithm_mkey & SSL_kECDHE) != 0;
1397 }
1398
ssl_cipher_get_record_split_len(const SSL_CIPHER * cipher)1399 size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher) {
1400 size_t block_size;
1401 switch (cipher->algorithm_enc) {
1402 case SSL_3DES:
1403 block_size = 8;
1404 break;
1405 case SSL_AES128:
1406 case SSL_AES256:
1407 block_size = 16;
1408 break;
1409 default:
1410 return 0;
1411 }
1412
1413 // All supported TLS 1.0 ciphers use SHA-1.
1414 assert(cipher->algorithm_mac == SSL_SHA1);
1415 size_t ret = 1 + SHA_DIGEST_LENGTH;
1416 ret += block_size - (ret % block_size);
1417 return ret;
1418 }
1419
1420 } // namespace bssl
1421
1422 using namespace bssl;
1423
SSL_get_cipher_by_value(uint16_t value)1424 const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value) {
1425 SSL_CIPHER c;
1426
1427 c.id = 0x03000000L | value;
1428 return reinterpret_cast<const SSL_CIPHER *>(bsearch(
1429 &c, kCiphers, kCiphersLen, sizeof(SSL_CIPHER), ssl_cipher_id_cmp));
1430 }
1431
SSL_CIPHER_get_id(const SSL_CIPHER * cipher)1432 uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher) { return cipher->id; }
1433
SSL_CIPHER_is_aead(const SSL_CIPHER * cipher)1434 int SSL_CIPHER_is_aead(const SSL_CIPHER *cipher) {
1435 return (cipher->algorithm_mac & SSL_AEAD) != 0;
1436 }
1437
SSL_CIPHER_get_cipher_nid(const SSL_CIPHER * cipher)1438 int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *cipher) {
1439 switch (cipher->algorithm_enc) {
1440 case SSL_eNULL:
1441 return NID_undef;
1442 case SSL_3DES:
1443 return NID_des_ede3_cbc;
1444 case SSL_AES128:
1445 return NID_aes_128_cbc;
1446 case SSL_AES256:
1447 return NID_aes_256_cbc;
1448 case SSL_AES128GCM:
1449 return NID_aes_128_gcm;
1450 case SSL_AES256GCM:
1451 return NID_aes_256_gcm;
1452 case SSL_CHACHA20POLY1305:
1453 return NID_chacha20_poly1305;
1454 }
1455 assert(0);
1456 return NID_undef;
1457 }
1458
SSL_CIPHER_get_digest_nid(const SSL_CIPHER * cipher)1459 int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *cipher) {
1460 switch (cipher->algorithm_mac) {
1461 case SSL_AEAD:
1462 return NID_undef;
1463 case SSL_SHA1:
1464 return NID_sha1;
1465 case SSL_SHA256:
1466 return NID_sha256;
1467 case SSL_SHA384:
1468 return NID_sha384;
1469 }
1470 assert(0);
1471 return NID_undef;
1472 }
1473
SSL_CIPHER_get_kx_nid(const SSL_CIPHER * cipher)1474 int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *cipher) {
1475 switch (cipher->algorithm_mkey) {
1476 case SSL_kRSA:
1477 return NID_kx_rsa;
1478 case SSL_kECDHE:
1479 return NID_kx_ecdhe;
1480 case SSL_kPSK:
1481 return NID_kx_psk;
1482 case SSL_kGENERIC:
1483 return NID_kx_any;
1484 }
1485 assert(0);
1486 return NID_undef;
1487 }
1488
SSL_CIPHER_get_auth_nid(const SSL_CIPHER * cipher)1489 int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *cipher) {
1490 switch (cipher->algorithm_auth) {
1491 case SSL_aRSA:
1492 return NID_auth_rsa;
1493 case SSL_aECDSA:
1494 return NID_auth_ecdsa;
1495 case SSL_aPSK:
1496 return NID_auth_psk;
1497 case SSL_aGENERIC:
1498 return NID_auth_any;
1499 }
1500 assert(0);
1501 return NID_undef;
1502 }
1503
SSL_CIPHER_get_prf_nid(const SSL_CIPHER * cipher)1504 int SSL_CIPHER_get_prf_nid(const SSL_CIPHER *cipher) {
1505 switch (cipher->algorithm_prf) {
1506 case SSL_HANDSHAKE_MAC_DEFAULT:
1507 return NID_md5_sha1;
1508 case SSL_HANDSHAKE_MAC_SHA256:
1509 return NID_sha256;
1510 case SSL_HANDSHAKE_MAC_SHA384:
1511 return NID_sha384;
1512 }
1513 assert(0);
1514 return NID_undef;
1515 }
1516
SSL_CIPHER_is_block_cipher(const SSL_CIPHER * cipher)1517 int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher) {
1518 return (cipher->algorithm_enc & SSL_eNULL) == 0 &&
1519 cipher->algorithm_mac != SSL_AEAD;
1520 }
1521
SSL_CIPHER_get_min_version(const SSL_CIPHER * cipher)1522 uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) {
1523 if (cipher->algorithm_mkey == SSL_kGENERIC ||
1524 cipher->algorithm_auth == SSL_aGENERIC) {
1525 return TLS1_3_VERSION;
1526 }
1527
1528 if (cipher->algorithm_prf != SSL_HANDSHAKE_MAC_DEFAULT) {
1529 // Cipher suites before TLS 1.2 use the default PRF, while all those added
1530 // afterwards specify a particular hash.
1531 return TLS1_2_VERSION;
1532 }
1533 return SSL3_VERSION;
1534 }
1535
SSL_CIPHER_get_max_version(const SSL_CIPHER * cipher)1536 uint16_t SSL_CIPHER_get_max_version(const SSL_CIPHER *cipher) {
1537 if (cipher->algorithm_mkey == SSL_kGENERIC ||
1538 cipher->algorithm_auth == SSL_aGENERIC) {
1539 return TLS1_3_VERSION;
1540 }
1541 return TLS1_2_VERSION;
1542 }
1543
1544 // return the actual cipher being used
SSL_CIPHER_get_name(const SSL_CIPHER * cipher)1545 const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) {
1546 if (cipher != NULL) {
1547 return cipher->name;
1548 }
1549
1550 return "(NONE)";
1551 }
1552
SSL_CIPHER_standard_name(const SSL_CIPHER * cipher)1553 const char *SSL_CIPHER_standard_name(const SSL_CIPHER *cipher) {
1554 return cipher->standard_name;
1555 }
1556
SSL_CIPHER_get_kx_name(const SSL_CIPHER * cipher)1557 const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) {
1558 if (cipher == NULL) {
1559 return "";
1560 }
1561
1562 switch (cipher->algorithm_mkey) {
1563 case SSL_kRSA:
1564 return "RSA";
1565
1566 case SSL_kECDHE:
1567 switch (cipher->algorithm_auth) {
1568 case SSL_aECDSA:
1569 return "ECDHE_ECDSA";
1570 case SSL_aRSA:
1571 return "ECDHE_RSA";
1572 case SSL_aPSK:
1573 return "ECDHE_PSK";
1574 default:
1575 assert(0);
1576 return "UNKNOWN";
1577 }
1578
1579 case SSL_kPSK:
1580 assert(cipher->algorithm_auth == SSL_aPSK);
1581 return "PSK";
1582
1583 case SSL_kGENERIC:
1584 assert(cipher->algorithm_auth == SSL_aGENERIC);
1585 return "GENERIC";
1586
1587 default:
1588 assert(0);
1589 return "UNKNOWN";
1590 }
1591 }
1592
SSL_CIPHER_get_rfc_name(const SSL_CIPHER * cipher)1593 char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher) {
1594 if (cipher == NULL) {
1595 return NULL;
1596 }
1597
1598 return OPENSSL_strdup(SSL_CIPHER_standard_name(cipher));
1599 }
1600
SSL_CIPHER_get_bits(const SSL_CIPHER * cipher,int * out_alg_bits)1601 int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *out_alg_bits) {
1602 if (cipher == NULL) {
1603 return 0;
1604 }
1605
1606 int alg_bits, strength_bits;
1607 switch (cipher->algorithm_enc) {
1608 case SSL_AES128:
1609 case SSL_AES128GCM:
1610 alg_bits = 128;
1611 strength_bits = 128;
1612 break;
1613
1614 case SSL_AES256:
1615 case SSL_AES256GCM:
1616 case SSL_CHACHA20POLY1305:
1617 alg_bits = 256;
1618 strength_bits = 256;
1619 break;
1620
1621 case SSL_3DES:
1622 alg_bits = 168;
1623 strength_bits = 112;
1624 break;
1625
1626 case SSL_eNULL:
1627 alg_bits = 0;
1628 strength_bits = 0;
1629 break;
1630
1631 default:
1632 assert(0);
1633 alg_bits = 0;
1634 strength_bits = 0;
1635 }
1636
1637 if (out_alg_bits != NULL) {
1638 *out_alg_bits = alg_bits;
1639 }
1640 return strength_bits;
1641 }
1642
SSL_CIPHER_description(const SSL_CIPHER * cipher,char * buf,int len)1643 const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,
1644 int len) {
1645 const char *kx, *au, *enc, *mac;
1646 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
1647
1648 alg_mkey = cipher->algorithm_mkey;
1649 alg_auth = cipher->algorithm_auth;
1650 alg_enc = cipher->algorithm_enc;
1651 alg_mac = cipher->algorithm_mac;
1652
1653 switch (alg_mkey) {
1654 case SSL_kRSA:
1655 kx = "RSA";
1656 break;
1657
1658 case SSL_kECDHE:
1659 kx = "ECDH";
1660 break;
1661
1662 case SSL_kPSK:
1663 kx = "PSK";
1664 break;
1665
1666 case SSL_kGENERIC:
1667 kx = "GENERIC";
1668 break;
1669
1670 default:
1671 kx = "unknown";
1672 }
1673
1674 switch (alg_auth) {
1675 case SSL_aRSA:
1676 au = "RSA";
1677 break;
1678
1679 case SSL_aECDSA:
1680 au = "ECDSA";
1681 break;
1682
1683 case SSL_aPSK:
1684 au = "PSK";
1685 break;
1686
1687 case SSL_aGENERIC:
1688 au = "GENERIC";
1689 break;
1690
1691 default:
1692 au = "unknown";
1693 break;
1694 }
1695
1696 switch (alg_enc) {
1697 case SSL_3DES:
1698 enc = "3DES(168)";
1699 break;
1700
1701 case SSL_AES128:
1702 enc = "AES(128)";
1703 break;
1704
1705 case SSL_AES256:
1706 enc = "AES(256)";
1707 break;
1708
1709 case SSL_AES128GCM:
1710 enc = "AESGCM(128)";
1711 break;
1712
1713 case SSL_AES256GCM:
1714 enc = "AESGCM(256)";
1715 break;
1716
1717 case SSL_CHACHA20POLY1305:
1718 enc = "ChaCha20-Poly1305";
1719 break;
1720
1721 case SSL_eNULL:
1722 enc="None";
1723 break;
1724
1725 default:
1726 enc = "unknown";
1727 break;
1728 }
1729
1730 switch (alg_mac) {
1731 case SSL_SHA1:
1732 mac = "SHA1";
1733 break;
1734
1735 case SSL_SHA256:
1736 mac = "SHA256";
1737 break;
1738
1739 case SSL_SHA384:
1740 mac = "SHA384";
1741 break;
1742
1743 case SSL_AEAD:
1744 mac = "AEAD";
1745 break;
1746
1747 default:
1748 mac = "unknown";
1749 break;
1750 }
1751
1752 if (buf == NULL) {
1753 len = 128;
1754 buf = (char *)OPENSSL_malloc(len);
1755 if (buf == NULL) {
1756 return NULL;
1757 }
1758 } else if (len < 128) {
1759 return "Buffer too small";
1760 }
1761
1762 BIO_snprintf(buf, len, "%-23s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n",
1763 cipher->name, kx, au, enc, mac);
1764 return buf;
1765 }
1766
SSL_CIPHER_get_version(const SSL_CIPHER * cipher)1767 const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher) {
1768 return "TLSv1/SSLv3";
1769 }
1770
STACK_OF(SSL_COMP)1771 STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void) { return NULL; }
1772
SSL_COMP_add_compression_method(int id,COMP_METHOD * cm)1773 int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) { return 1; }
1774
SSL_COMP_get_name(const COMP_METHOD * comp)1775 const char *SSL_COMP_get_name(const COMP_METHOD *comp) { return NULL; }
1776
SSL_COMP_free_compression_methods(void)1777 void SSL_COMP_free_compression_methods(void) {}
1778