1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110 /* ====================================================================
111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112 * ECC cipher suite support in OpenSSL originally developed by
113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
114 */
115 /* ====================================================================
116 * Copyright 2005 Nokia. All rights reserved.
117 *
118 * The portions of the attached software ("Contribution") is developed by
119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
120 * license.
121 *
122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
124 * support (see RFC 4279) to OpenSSL.
125 *
126 * No patent licenses or other rights except those expressly stated in
127 * the OpenSSL open source license shall be deemed granted or received
128 * expressly, by implication, estoppel, or otherwise.
129 *
130 * No assurances are provided by Nokia that the Contribution does not
131 * infringe the patent or other intellectual property rights of any third
132 * party or that the license provides you with all the necessary rights
133 * to make use of the Contribution.
134 *
135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
139 * OTHERWISE. */
140
141 #include <assert.h>
142 #include <stdio.h>
143 #include <string.h>
144
145 #include <openssl/buf.h>
146 #include <openssl/err.h>
147 #include <openssl/md5.h>
148 #include <openssl/mem.h>
149 #include <openssl/sha.h>
150 #include <openssl/stack.h>
151
152 #include "internal.h"
153
154
155 /* kCiphers is an array of all supported ciphers, sorted by id. */
156 const SSL_CIPHER kCiphers[] = {
157 /* The RSA ciphers */
158 /* Cipher 04 */
159 {
160 SSL3_TXT_RSA_RC4_128_MD5, SSL3_CK_RSA_RC4_128_MD5, SSL_kRSA, SSL_aRSA,
161 SSL_RC4, SSL_MD5, SSL_SSLV3, SSL_MEDIUM,
162 SSL_HANDSHAKE_MAC_DEFAULT, 128, 128,
163 },
164
165 /* Cipher 05 */
166 {
167 SSL3_TXT_RSA_RC4_128_SHA, SSL3_CK_RSA_RC4_128_SHA, SSL_kRSA, SSL_aRSA,
168 SSL_RC4, SSL_SHA1, SSL_SSLV3, SSL_MEDIUM,
169 SSL_HANDSHAKE_MAC_DEFAULT, 128, 128,
170 },
171
172 /* Cipher 0A */
173 {
174 SSL3_TXT_RSA_DES_192_CBC3_SHA, SSL3_CK_RSA_DES_192_CBC3_SHA, SSL_kRSA,
175 SSL_aRSA, SSL_3DES, SSL_SHA1, SSL_SSLV3, SSL_HIGH | SSL_FIPS,
176 SSL_HANDSHAKE_MAC_DEFAULT, 112, 168,
177 },
178
179
180 /* New AES ciphersuites */
181
182 /* Cipher 2F */
183 {
184 TLS1_TXT_RSA_WITH_AES_128_SHA, TLS1_CK_RSA_WITH_AES_128_SHA, SSL_kRSA,
185 SSL_aRSA, SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
186 SSL_HANDSHAKE_MAC_DEFAULT, 128, 128,
187 },
188
189 /* Cipher 33 */
190 {
191 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
192 SSL_kDHE, SSL_aRSA, SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
193 SSL_HANDSHAKE_MAC_DEFAULT, 128, 128,
194 },
195
196 /* Cipher 35 */
197 {
198 TLS1_TXT_RSA_WITH_AES_256_SHA, TLS1_CK_RSA_WITH_AES_256_SHA, SSL_kRSA,
199 SSL_aRSA, SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
200 SSL_HANDSHAKE_MAC_DEFAULT, 256, 256,
201 },
202
203 /* Cipher 39 */
204 {
205 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
206 SSL_kDHE, SSL_aRSA, SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
207 SSL_HANDSHAKE_MAC_DEFAULT, 256, 256,
208 },
209
210
211 /* TLS v1.2 ciphersuites */
212
213 /* Cipher 3C */
214 {
215 TLS1_TXT_RSA_WITH_AES_128_SHA256, TLS1_CK_RSA_WITH_AES_128_SHA256,
216 SSL_kRSA, SSL_aRSA, SSL_AES128, SSL_SHA256, SSL_TLSV1_2,
217 SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256, 128, 128,
218 },
219
220 /* Cipher 3D */
221 {
222 TLS1_TXT_RSA_WITH_AES_256_SHA256, TLS1_CK_RSA_WITH_AES_256_SHA256,
223 SSL_kRSA, SSL_aRSA, SSL_AES256, SSL_SHA256, SSL_TLSV1_2,
224 SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256, 256, 256,
225 },
226
227 /* Cipher 67 */
228 {
229 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
230 TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, SSL_kDHE, SSL_aRSA, SSL_AES128,
231 SSL_SHA256, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
232 SSL_HANDSHAKE_MAC_SHA256, 128, 128,
233 },
234
235 /* Cipher 6B */
236 {
237 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256,
238 TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, SSL_kDHE, SSL_aRSA, SSL_AES256,
239 SSL_SHA256, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
240 SSL_HANDSHAKE_MAC_SHA256, 256, 256,
241 },
242
243 /* PSK cipher suites. */
244
245 /* Cipher 8A */
246 {
247 TLS1_TXT_PSK_WITH_RC4_128_SHA, TLS1_CK_PSK_WITH_RC4_128_SHA, SSL_kPSK,
248 SSL_aPSK, SSL_RC4, SSL_SHA1, SSL_TLSV1, SSL_MEDIUM,
249 SSL_HANDSHAKE_MAC_DEFAULT, 128, 128,
250 },
251
252 /* Cipher 8C */
253 {
254 TLS1_TXT_PSK_WITH_AES_128_CBC_SHA, TLS1_CK_PSK_WITH_AES_128_CBC_SHA,
255 SSL_kPSK, SSL_aPSK, SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
256 SSL_HANDSHAKE_MAC_DEFAULT, 128, 128,
257 },
258
259 /* Cipher 8D */
260 {
261 TLS1_TXT_PSK_WITH_AES_256_CBC_SHA, TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
262 SSL_kPSK, SSL_aPSK, SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
263 SSL_HANDSHAKE_MAC_DEFAULT, 256, 256,
264 },
265
266 /* GCM ciphersuites from RFC5288 */
267
268 /* Cipher 9C */
269 {
270 TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
271 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, SSL_kRSA, SSL_aRSA, SSL_AES128GCM,
272 SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
273 SSL_HANDSHAKE_MAC_SHA256 |
274 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
275 128, 128,
276 },
277
278 /* Cipher 9D */
279 {
280 TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
281 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, SSL_kRSA, SSL_aRSA, SSL_AES256GCM,
282 SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
283 SSL_HANDSHAKE_MAC_SHA384 |
284 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
285 256, 256,
286 },
287
288 /* Cipher 9E */
289 {
290 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,
291 TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kDHE, SSL_aRSA, SSL_AES128GCM,
292 SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
293 SSL_HANDSHAKE_MAC_SHA256 |
294 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
295 128, 128,
296 },
297
298 /* Cipher 9F */
299 {
300 TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,
301 TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kDHE, SSL_aRSA, SSL_AES256GCM,
302 SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
303 SSL_HANDSHAKE_MAC_SHA384 |
304 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
305 256, 256,
306 },
307
308 /* Cipher C007 */
309 {
310 TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
311 TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_kECDHE, SSL_aECDSA, SSL_RC4,
312 SSL_SHA1, SSL_TLSV1, SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT, 128,
313 128,
314 },
315
316 /* Cipher C009 */
317 {
318 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
319 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDHE, SSL_aECDSA,
320 SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
321 SSL_HANDSHAKE_MAC_DEFAULT, 128, 128,
322 },
323
324 /* Cipher C00A */
325 {
326 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
327 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDHE, SSL_aECDSA,
328 SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
329 SSL_HANDSHAKE_MAC_DEFAULT, 256, 256,
330 },
331
332 /* Cipher C011 */
333 {
334 TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
335 SSL_kECDHE, SSL_aRSA, SSL_RC4, SSL_SHA1, SSL_TLSV1, SSL_MEDIUM,
336 SSL_HANDSHAKE_MAC_DEFAULT, 128, 128,
337 },
338
339 /* Cipher C013 */
340 {
341 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
342 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_kECDHE, SSL_aRSA, SSL_AES128,
343 SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
344 SSL_HANDSHAKE_MAC_DEFAULT, 128, 128,
345 },
346
347 /* Cipher C014 */
348 {
349 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
350 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_kECDHE, SSL_aRSA, SSL_AES256,
351 SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
352 SSL_HANDSHAKE_MAC_DEFAULT, 256, 256,
353 },
354
355
356 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
357
358 /* Cipher C023 */
359 {
360 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
361 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, SSL_kECDHE, SSL_aECDSA,
362 SSL_AES128, SSL_SHA256, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
363 SSL_HANDSHAKE_MAC_SHA256, 128, 128,
364 },
365
366 /* Cipher C024 */
367 {
368 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
369 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, SSL_kECDHE, SSL_aECDSA,
370 SSL_AES256, SSL_SHA384, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
371 SSL_HANDSHAKE_MAC_SHA384, 256, 256,
372 },
373
374 /* Cipher C027 */
375 {
376 TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
377 TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, SSL_kECDHE, SSL_aRSA, SSL_AES128,
378 SSL_SHA256, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
379 SSL_HANDSHAKE_MAC_SHA256, 128, 128,
380 },
381
382 /* Cipher C028 */
383 {
384 TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
385 TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, SSL_kECDHE, SSL_aRSA, SSL_AES256,
386 SSL_SHA384, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
387 SSL_HANDSHAKE_MAC_SHA384, 256, 256,
388 },
389
390
391 /* GCM based TLS v1.2 ciphersuites from RFC5289 */
392
393 /* Cipher C02B */
394 {
395 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
396 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE, SSL_aECDSA,
397 SSL_AES128GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
398 SSL_HANDSHAKE_MAC_SHA256 |
399 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
400 128, 128,
401 },
402
403 /* Cipher C02C */
404 {
405 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
406 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_kECDHE, SSL_aECDSA,
407 SSL_AES256GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
408 SSL_HANDSHAKE_MAC_SHA384 |
409 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
410 256, 256,
411 },
412
413 /* Cipher C02F */
414 {
415 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
416 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE, SSL_aRSA,
417 SSL_AES128GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
418 SSL_HANDSHAKE_MAC_SHA256 |
419 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
420 128, 128,
421 },
422
423 /* Cipher C030 */
424 {
425 TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
426 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kECDHE, SSL_aRSA,
427 SSL_AES256GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
428 SSL_HANDSHAKE_MAC_SHA384 |
429 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
430 256, 256,
431 },
432
433 /* ECDHE-PSK cipher suites. */
434
435 /* Cipher C035 */
436 {
437 TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA,
438 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
439 SSL_kECDHE, SSL_aPSK, SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
440 SSL_HANDSHAKE_MAC_DEFAULT, 128, 128,
441 },
442
443 /* Cipher C036 */
444 {
445 TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA,
446 TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA,
447 SSL_kECDHE, SSL_aPSK, SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
448 SSL_HANDSHAKE_MAC_DEFAULT, 256, 256,
449 },
450
451 /* ChaCha20-Poly1305 cipher suites. */
452
453 #if !defined(ANDROID)
454 {
455 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,
456 TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, SSL_kECDHE, SSL_aRSA,
457 SSL_CHACHA20POLY1305, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH,
458 SSL_HANDSHAKE_MAC_SHA256,
459 256, 0,
460 },
461
462 {
463 TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
464 TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, SSL_kECDHE, SSL_aECDSA,
465 SSL_CHACHA20POLY1305, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH,
466 SSL_HANDSHAKE_MAC_SHA256,
467 256, 0,
468 },
469
470 {
471 TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305,
472 TLS1_CK_DHE_RSA_CHACHA20_POLY1305, SSL_kDHE, SSL_aRSA,
473 SSL_CHACHA20POLY1305, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH,
474 SSL_HANDSHAKE_MAC_SHA256,
475 256, 0,
476 },
477 #endif
478 };
479
480 static const size_t kCiphersLen = sizeof(kCiphers) / sizeof(kCiphers[0]);
481
482 struct handshake_digest {
483 uint32_t mask;
484 const EVP_MD *(*md_func)(void);
485 };
486
487 static const struct handshake_digest ssl_handshake_digests[SSL_MAX_DIGEST] = {
488 {SSL_HANDSHAKE_MAC_MD5, EVP_md5},
489 {SSL_HANDSHAKE_MAC_SHA, EVP_sha1},
490 {SSL_HANDSHAKE_MAC_SHA256, EVP_sha256},
491 {SSL_HANDSHAKE_MAC_SHA384, EVP_sha384},
492 };
493
494 #define CIPHER_ADD 1
495 #define CIPHER_KILL 2
496 #define CIPHER_DEL 3
497 #define CIPHER_ORD 4
498 #define CIPHER_SPECIAL 5
499
500 typedef struct cipher_order_st {
501 const SSL_CIPHER *cipher;
502 int active;
503 int in_group;
504 struct cipher_order_st *next, *prev;
505 } CIPHER_ORDER;
506
507 typedef struct cipher_alias_st {
508 /* name is the name of the cipher alias. */
509 const char *name;
510
511 /* The following fields are bitmasks for the corresponding fields on
512 * |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the
513 * bit corresponding to the cipher's value is set to 1. If any bitmask is
514 * all zeroes, the alias matches nothing. Use |~0u| for the default value. */
515 uint32_t algorithm_mkey;
516 uint32_t algorithm_auth;
517 uint32_t algorithm_enc;
518 uint32_t algorithm_mac;
519 uint32_t algorithm_ssl;
520 uint32_t algo_strength;
521 } CIPHER_ALIAS;
522
523 static const CIPHER_ALIAS kCipherAliases[] = {
524 {SSL_TXT_ALL, ~0u, ~0u, ~0u, ~0u, ~0u, ~0u},
525
526 /* The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. */
527
528 /* key exchange aliases
529 * (some of those using only a single bit here combine
530 * multiple key exchange algs according to the RFCs,
531 * e.g. kEDH combines DHE_DSS and DHE_RSA) */
532 {SSL_TXT_kRSA, SSL_kRSA, ~0u, ~0u, ~0u, ~0u, ~0u},
533
534 {SSL_TXT_kDHE, SSL_kDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
535 {SSL_TXT_kEDH, SSL_kDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
536 {SSL_TXT_DH, SSL_kDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
537
538 {SSL_TXT_kECDHE, SSL_kECDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
539 {SSL_TXT_kEECDH, SSL_kECDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
540 {SSL_TXT_ECDH, SSL_kECDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
541
542 {SSL_TXT_kPSK, SSL_kPSK, ~0u, ~0u, ~0u, ~0u, ~0u},
543
544 /* server authentication aliases */
545 {SSL_TXT_aRSA, ~0u, SSL_aRSA, ~0u, ~0u, ~0u, ~0u},
546 {SSL_TXT_aECDSA, ~0u, SSL_aECDSA, ~0u, ~0u, ~0u, ~0u},
547 {SSL_TXT_ECDSA, ~0u, SSL_aECDSA, ~0u, ~0u, ~0u, ~0u},
548 {SSL_TXT_aPSK, ~0u, SSL_aPSK, ~0u, ~0u, ~0u, ~0u},
549
550 /* aliases combining key exchange and server authentication */
551 {SSL_TXT_DHE, SSL_kDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
552 {SSL_TXT_EDH, SSL_kDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
553 {SSL_TXT_ECDHE, SSL_kECDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
554 {SSL_TXT_EECDH, SSL_kECDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
555 {SSL_TXT_RSA, SSL_kRSA, SSL_aRSA, ~0u, ~0u, ~0u, ~0u},
556 {SSL_TXT_PSK, SSL_kPSK, SSL_aPSK, ~0u, ~0u, ~0u, ~0u},
557
558 /* symmetric encryption aliases */
559 {SSL_TXT_3DES, ~0u, ~0u, SSL_3DES, ~0u, ~0u, ~0u},
560 {SSL_TXT_RC4, ~0u, ~0u, SSL_RC4, ~0u, ~0u, ~0u},
561 {SSL_TXT_AES128, ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, ~0u, ~0u},
562 {SSL_TXT_AES256, ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, ~0u, ~0u},
563 {SSL_TXT_AES, ~0u, ~0u, SSL_AES, ~0u, ~0u, ~0u},
564 {SSL_TXT_AES_GCM, ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, ~0u, ~0u},
565 {SSL_TXT_CHACHA20, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, ~0u, ~0u},
566
567 /* MAC aliases */
568 {SSL_TXT_MD5, ~0u, ~0u, ~0u, SSL_MD5, ~0u, ~0u},
569 {SSL_TXT_SHA1, ~0u, ~0u, ~0u, SSL_SHA1, ~0u, ~0u},
570 {SSL_TXT_SHA, ~0u, ~0u, ~0u, SSL_SHA1, ~0u, ~0u},
571 {SSL_TXT_SHA256, ~0u, ~0u, ~0u, SSL_SHA256, ~0u, ~0u},
572 {SSL_TXT_SHA384, ~0u, ~0u, ~0u, SSL_SHA384, ~0u, ~0u},
573
574 /* protocol version aliases */
575 {SSL_TXT_SSLV3, ~0u, ~0u, ~0u, ~0u, SSL_SSLV3, ~0u},
576 {SSL_TXT_TLSV1, ~0u, ~0u, ~0u, ~0u, SSL_TLSV1, ~0u},
577 {SSL_TXT_TLSV1_2, ~0u, ~0u, ~0u, ~0u, SSL_TLSV1_2, ~0u},
578
579 /* strength classes */
580 {SSL_TXT_MEDIUM, ~0u, ~0u, ~0u, ~0u, ~0u, SSL_MEDIUM},
581 {SSL_TXT_HIGH, ~0u, ~0u, ~0u, ~0u, ~0u, SSL_HIGH},
582 /* FIPS 140-2 approved ciphersuite */
583 {SSL_TXT_FIPS, ~0u, ~0u, ~0u, ~0u, ~0u, SSL_FIPS},
584 };
585
586 static const size_t kCipherAliasesLen =
587 sizeof(kCipherAliases) / sizeof(kCipherAliases[0]);
588
ssl_cipher_id_cmp(const void * in_a,const void * in_b)589 static int ssl_cipher_id_cmp(const void *in_a, const void *in_b) {
590 const SSL_CIPHER *a = in_a;
591 const SSL_CIPHER *b = in_b;
592
593 if (a->id > b->id) {
594 return 1;
595 } else if (a->id < b->id) {
596 return -1;
597 } else {
598 return 0;
599 }
600 }
601
ssl_cipher_ptr_id_cmp(const SSL_CIPHER ** a,const SSL_CIPHER ** b)602 static int ssl_cipher_ptr_id_cmp(const SSL_CIPHER **a, const SSL_CIPHER **b) {
603 return ssl_cipher_id_cmp(*a, *b);
604 }
605
SSL_get_cipher_by_value(uint16_t value)606 const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value) {
607 SSL_CIPHER c;
608
609 c.id = 0x03000000L | value;
610 return bsearch(&c, kCiphers, kCiphersLen, sizeof(SSL_CIPHER),
611 ssl_cipher_id_cmp);
612 }
613
ssl_cipher_get_evp_aead(const EVP_AEAD ** out_aead,size_t * out_mac_secret_len,size_t * out_fixed_iv_len,const SSL_CIPHER * cipher,uint16_t version)614 int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
615 size_t *out_mac_secret_len,
616 size_t *out_fixed_iv_len,
617 const SSL_CIPHER *cipher, uint16_t version) {
618 *out_aead = NULL;
619 *out_mac_secret_len = 0;
620 *out_fixed_iv_len = 0;
621
622 switch (cipher->algorithm_enc) {
623 case SSL_AES128GCM:
624 *out_aead = EVP_aead_aes_128_gcm();
625 *out_fixed_iv_len = 4;
626 return 1;
627
628 case SSL_AES256GCM:
629 *out_aead = EVP_aead_aes_256_gcm();
630 *out_fixed_iv_len = 4;
631 return 1;
632
633 #if !defined(ANDROID)
634 case SSL_CHACHA20POLY1305:
635 *out_aead = EVP_aead_chacha20_poly1305();
636 *out_fixed_iv_len = 0;
637 return 1;
638 #endif
639
640 case SSL_RC4:
641 switch (cipher->algorithm_mac) {
642 case SSL_MD5:
643 if (version == SSL3_VERSION) {
644 *out_aead = EVP_aead_rc4_md5_ssl3();
645 } else {
646 *out_aead = EVP_aead_rc4_md5_tls();
647 }
648 *out_mac_secret_len = MD5_DIGEST_LENGTH;
649 return 1;
650 case SSL_SHA1:
651 if (version == SSL3_VERSION) {
652 *out_aead = EVP_aead_rc4_sha1_ssl3();
653 } else {
654 *out_aead = EVP_aead_rc4_sha1_tls();
655 }
656 *out_mac_secret_len = SHA_DIGEST_LENGTH;
657 return 1;
658 default:
659 return 0;
660 }
661
662 case SSL_AES128:
663 switch (cipher->algorithm_mac) {
664 case SSL_SHA1:
665 if (version == SSL3_VERSION) {
666 *out_aead = EVP_aead_aes_128_cbc_sha1_ssl3();
667 *out_fixed_iv_len = 16;
668 } else if (version == TLS1_VERSION) {
669 *out_aead = EVP_aead_aes_128_cbc_sha1_tls_implicit_iv();
670 *out_fixed_iv_len = 16;
671 } else {
672 *out_aead = EVP_aead_aes_128_cbc_sha1_tls();
673 }
674 *out_mac_secret_len = SHA_DIGEST_LENGTH;
675 return 1;
676 case SSL_SHA256:
677 *out_aead = EVP_aead_aes_128_cbc_sha256_tls();
678 *out_mac_secret_len = SHA256_DIGEST_LENGTH;
679 return 1;
680 default:
681 return 0;
682 }
683
684 case SSL_AES256:
685 switch (cipher->algorithm_mac) {
686 case SSL_SHA1:
687 if (version == SSL3_VERSION) {
688 *out_aead = EVP_aead_aes_256_cbc_sha1_ssl3();
689 *out_fixed_iv_len = 16;
690 } else if (version == TLS1_VERSION) {
691 *out_aead = EVP_aead_aes_256_cbc_sha1_tls_implicit_iv();
692 *out_fixed_iv_len = 16;
693 } else {
694 *out_aead = EVP_aead_aes_256_cbc_sha1_tls();
695 }
696 *out_mac_secret_len = SHA_DIGEST_LENGTH;
697 return 1;
698 case SSL_SHA256:
699 *out_aead = EVP_aead_aes_256_cbc_sha256_tls();
700 *out_mac_secret_len = SHA256_DIGEST_LENGTH;
701 return 1;
702 case SSL_SHA384:
703 *out_aead = EVP_aead_aes_256_cbc_sha384_tls();
704 *out_mac_secret_len = SHA384_DIGEST_LENGTH;
705 return 1;
706 default:
707 return 0;
708 }
709
710 case SSL_3DES:
711 switch (cipher->algorithm_mac) {
712 case SSL_SHA1:
713 if (version == SSL3_VERSION) {
714 *out_aead = EVP_aead_des_ede3_cbc_sha1_ssl3();
715 *out_fixed_iv_len = 8;
716 } else if (version == TLS1_VERSION) {
717 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv();
718 *out_fixed_iv_len = 8;
719 } else {
720 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls();
721 }
722 *out_mac_secret_len = SHA_DIGEST_LENGTH;
723 return 1;
724 default:
725 return 0;
726 }
727
728 default:
729 return 0;
730 }
731 }
732
ssl_get_handshake_digest(uint32_t * out_mask,const EVP_MD ** out_md,size_t idx)733 int ssl_get_handshake_digest(uint32_t *out_mask, const EVP_MD **out_md,
734 size_t idx) {
735 if (idx >= SSL_MAX_DIGEST) {
736 return 0;
737 }
738 *out_mask = ssl_handshake_digests[idx].mask;
739 *out_md = ssl_handshake_digests[idx].md_func();
740 return 1;
741 }
742
743 #define ITEM_SEP(a) \
744 (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
745
746 /* rule_equals returns one iff the NUL-terminated string |rule| is equal to the
747 * |buf_len| bytes at |buf|. */
rule_equals(const char * rule,const char * buf,size_t buf_len)748 static int rule_equals(const char *rule, const char *buf, size_t buf_len) {
749 /* |strncmp| alone only checks that |buf| is a prefix of |rule|. */
750 return strncmp(rule, buf, buf_len) == 0 && rule[buf_len] == '\0';
751 }
752
ll_append_tail(CIPHER_ORDER ** head,CIPHER_ORDER * curr,CIPHER_ORDER ** tail)753 static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
754 CIPHER_ORDER **tail) {
755 if (curr == *tail) {
756 return;
757 }
758 if (curr == *head) {
759 *head = curr->next;
760 }
761 if (curr->prev != NULL) {
762 curr->prev->next = curr->next;
763 }
764 if (curr->next != NULL) {
765 curr->next->prev = curr->prev;
766 }
767 (*tail)->next = curr;
768 curr->prev = *tail;
769 curr->next = NULL;
770 *tail = curr;
771 }
772
ll_append_head(CIPHER_ORDER ** head,CIPHER_ORDER * curr,CIPHER_ORDER ** tail)773 static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
774 CIPHER_ORDER **tail) {
775 if (curr == *head) {
776 return;
777 }
778 if (curr == *tail) {
779 *tail = curr->prev;
780 }
781 if (curr->next != NULL) {
782 curr->next->prev = curr->prev;
783 }
784 if (curr->prev != NULL) {
785 curr->prev->next = curr->next;
786 }
787 (*head)->prev = curr;
788 curr->next = *head;
789 curr->prev = NULL;
790 *head = curr;
791 }
792
ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD * ssl_method,CIPHER_ORDER * co_list,CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p)793 static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method,
794 CIPHER_ORDER *co_list,
795 CIPHER_ORDER **head_p,
796 CIPHER_ORDER **tail_p) {
797 /* The set of ciphers is static, but some subset may be unsupported by
798 * |ssl_method|, so the list may be smaller. */
799 size_t co_list_num = 0;
800 size_t i;
801 for (i = 0; i < kCiphersLen; i++) {
802 const SSL_CIPHER *cipher = &kCiphers[i];
803 if (ssl_method->supports_cipher(cipher)) {
804 co_list[co_list_num].cipher = cipher;
805 co_list[co_list_num].next = NULL;
806 co_list[co_list_num].prev = NULL;
807 co_list[co_list_num].active = 0;
808 co_list[co_list_num].in_group = 0;
809 co_list_num++;
810 }
811 }
812
813 /* Prepare linked list from list entries. */
814 if (co_list_num > 0) {
815 co_list[0].prev = NULL;
816
817 if (co_list_num > 1) {
818 co_list[0].next = &co_list[1];
819
820 for (i = 1; i < co_list_num - 1; i++) {
821 co_list[i].prev = &co_list[i - 1];
822 co_list[i].next = &co_list[i + 1];
823 }
824
825 co_list[co_list_num - 1].prev = &co_list[co_list_num - 2];
826 }
827
828 co_list[co_list_num - 1].next = NULL;
829
830 *head_p = &co_list[0];
831 *tail_p = &co_list[co_list_num - 1];
832 }
833 }
834
835 /* ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its
836 * parameters in the linked list from |*head_p| to |*tail_p|. It writes the new
837 * head and tail of the list to |*head_p| and |*tail_p|, respectively.
838 *
839 * - If |cipher_id| is non-zero, only that cipher is selected.
840 * - Otherwise, if |strength_bits| is non-negative, it selects ciphers
841 * of that strength.
842 * - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and
843 * |algo_strength|. */
ssl_cipher_apply_rule(uint32_t cipher_id,uint32_t alg_mkey,uint32_t alg_auth,uint32_t alg_enc,uint32_t alg_mac,uint32_t alg_ssl,uint32_t algo_strength,int rule,int strength_bits,int in_group,CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p)844 static void ssl_cipher_apply_rule(
845 uint32_t cipher_id, uint32_t alg_mkey, uint32_t alg_auth,
846 uint32_t alg_enc, uint32_t alg_mac, uint32_t alg_ssl,
847 uint32_t algo_strength, int rule, int strength_bits, int in_group,
848 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) {
849 CIPHER_ORDER *head, *tail, *curr, *next, *last;
850 const SSL_CIPHER *cp;
851 int reverse = 0;
852
853 if (cipher_id == 0 && strength_bits == -1 &&
854 (alg_mkey == 0 || alg_auth == 0 || alg_enc == 0 || alg_mac == 0 ||
855 alg_ssl == 0 || algo_strength == 0)) {
856 /* The rule matches nothing, so bail early. */
857 return;
858 }
859
860 if (rule == CIPHER_DEL) {
861 /* needed to maintain sorting between currently deleted ciphers */
862 reverse = 1;
863 }
864
865 head = *head_p;
866 tail = *tail_p;
867
868 if (reverse) {
869 next = tail;
870 last = head;
871 } else {
872 next = head;
873 last = tail;
874 }
875
876 curr = NULL;
877 for (;;) {
878 if (curr == last) {
879 break;
880 }
881
882 curr = next;
883 if (curr == NULL) {
884 break;
885 }
886
887 next = reverse ? curr->prev : curr->next;
888 cp = curr->cipher;
889
890 /* Selection criteria is either a specific cipher, the value of
891 * |strength_bits|, or the algorithms used. */
892 if (cipher_id != 0) {
893 if (cipher_id != cp->id) {
894 continue;
895 }
896 } else if (strength_bits >= 0) {
897 if (strength_bits != cp->strength_bits) {
898 continue;
899 }
900 } else if (!(alg_mkey & cp->algorithm_mkey) ||
901 !(alg_auth & cp->algorithm_auth) ||
902 !(alg_enc & cp->algorithm_enc) ||
903 !(alg_mac & cp->algorithm_mac) ||
904 !(alg_ssl & cp->algorithm_ssl) ||
905 !(algo_strength & cp->algo_strength)) {
906 continue;
907 }
908
909 /* add the cipher if it has not been added yet. */
910 if (rule == CIPHER_ADD) {
911 /* reverse == 0 */
912 if (!curr->active) {
913 ll_append_tail(&head, curr, &tail);
914 curr->active = 1;
915 curr->in_group = in_group;
916 }
917 }
918
919 /* Move the added cipher to this location */
920 else if (rule == CIPHER_ORD) {
921 /* reverse == 0 */
922 if (curr->active) {
923 ll_append_tail(&head, curr, &tail);
924 curr->in_group = 0;
925 }
926 } else if (rule == CIPHER_DEL) {
927 /* reverse == 1 */
928 if (curr->active) {
929 /* most recently deleted ciphersuites get best positions
930 * for any future CIPHER_ADD (note that the CIPHER_DEL loop
931 * works in reverse to maintain the order) */
932 ll_append_head(&head, curr, &tail);
933 curr->active = 0;
934 curr->in_group = 0;
935 }
936 } else if (rule == CIPHER_KILL) {
937 /* reverse == 0 */
938 if (head == curr) {
939 head = curr->next;
940 } else {
941 curr->prev->next = curr->next;
942 }
943
944 if (tail == curr) {
945 tail = curr->prev;
946 }
947 curr->active = 0;
948 if (curr->next != NULL) {
949 curr->next->prev = curr->prev;
950 }
951 if (curr->prev != NULL) {
952 curr->prev->next = curr->next;
953 }
954 curr->next = NULL;
955 curr->prev = NULL;
956 }
957 }
958
959 *head_p = head;
960 *tail_p = tail;
961 }
962
ssl_cipher_strength_sort(CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p)963 static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
964 CIPHER_ORDER **tail_p) {
965 int max_strength_bits, i, *number_uses;
966 CIPHER_ORDER *curr;
967
968 /* This routine sorts the ciphers with descending strength. The sorting must
969 * keep the pre-sorted sequence, so we apply the normal sorting routine as
970 * '+' movement to the end of the list. */
971 max_strength_bits = 0;
972 curr = *head_p;
973 while (curr != NULL) {
974 if (curr->active && curr->cipher->strength_bits > max_strength_bits) {
975 max_strength_bits = curr->cipher->strength_bits;
976 }
977 curr = curr->next;
978 }
979
980 number_uses = OPENSSL_malloc((max_strength_bits + 1) * sizeof(int));
981 if (!number_uses) {
982 OPENSSL_PUT_ERROR(SSL, ssl_cipher_strength_sort, ERR_R_MALLOC_FAILURE);
983 return 0;
984 }
985 memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int));
986
987 /* Now find the strength_bits values actually used. */
988 curr = *head_p;
989 while (curr != NULL) {
990 if (curr->active) {
991 number_uses[curr->cipher->strength_bits]++;
992 }
993 curr = curr->next;
994 }
995
996 /* Go through the list of used strength_bits values in descending order. */
997 for (i = max_strength_bits; i >= 0; i--) {
998 if (number_uses[i] > 0) {
999 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, 0, head_p,
1000 tail_p);
1001 }
1002 }
1003
1004 OPENSSL_free(number_uses);
1005 return 1;
1006 }
1007
ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD * ssl_method,const char * rule_str,CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p)1008 static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method,
1009 const char *rule_str,
1010 CIPHER_ORDER **head_p,
1011 CIPHER_ORDER **tail_p) {
1012 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength;
1013 const char *l, *buf;
1014 int multi, rule, retval, ok, in_group = 0, has_group = 0;
1015 size_t j, buf_len;
1016 uint32_t cipher_id;
1017 char ch;
1018
1019 retval = 1;
1020 l = rule_str;
1021 for (;;) {
1022 ch = *l;
1023
1024 if (ch == '\0') {
1025 break; /* done */
1026 }
1027
1028 if (in_group) {
1029 if (ch == ']') {
1030 if (*tail_p) {
1031 (*tail_p)->in_group = 0;
1032 }
1033 in_group = 0;
1034 l++;
1035 continue;
1036 }
1037
1038 if (ch == '|') {
1039 rule = CIPHER_ADD;
1040 l++;
1041 continue;
1042 } else if (!(ch >= 'a' && ch <= 'z') && !(ch >= 'A' && ch <= 'Z') &&
1043 !(ch >= '0' && ch <= '9')) {
1044 OPENSSL_PUT_ERROR(SSL, ssl_cipher_process_rulestr,
1045 SSL_R_UNEXPECTED_OPERATOR_IN_GROUP);
1046 retval = in_group = 0;
1047 break;
1048 } else {
1049 rule = CIPHER_ADD;
1050 }
1051 } else if (ch == '-') {
1052 rule = CIPHER_DEL;
1053 l++;
1054 } else if (ch == '+') {
1055 rule = CIPHER_ORD;
1056 l++;
1057 } else if (ch == '!') {
1058 rule = CIPHER_KILL;
1059 l++;
1060 } else if (ch == '@') {
1061 rule = CIPHER_SPECIAL;
1062 l++;
1063 } else if (ch == '[') {
1064 if (in_group) {
1065 OPENSSL_PUT_ERROR(SSL, ssl_cipher_process_rulestr, SSL_R_NESTED_GROUP);
1066 retval = in_group = 0;
1067 break;
1068 }
1069 in_group = 1;
1070 has_group = 1;
1071 l++;
1072 continue;
1073 } else {
1074 rule = CIPHER_ADD;
1075 }
1076
1077 /* If preference groups are enabled, the only legal operator is +.
1078 * Otherwise the in_group bits will get mixed up. */
1079 if (has_group && rule != CIPHER_ADD) {
1080 OPENSSL_PUT_ERROR(SSL, ssl_cipher_process_rulestr,
1081 SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
1082 retval = in_group = 0;
1083 break;
1084 }
1085
1086 if (ITEM_SEP(ch)) {
1087 l++;
1088 continue;
1089 }
1090
1091 multi = 0;
1092 cipher_id = 0;
1093 alg_mkey = ~0u;
1094 alg_auth = ~0u;
1095 alg_enc = ~0u;
1096 alg_mac = ~0u;
1097 alg_ssl = ~0u;
1098 algo_strength = ~0u;
1099
1100 for (;;) {
1101 ch = *l;
1102 buf = l;
1103 buf_len = 0;
1104 while (((ch >= 'A') && (ch <= 'Z')) || ((ch >= '0') && (ch <= '9')) ||
1105 ((ch >= 'a') && (ch <= 'z')) || (ch == '-') || (ch == '.')) {
1106 ch = *(++l);
1107 buf_len++;
1108 }
1109
1110 if (buf_len == 0) {
1111 /* We hit something we cannot deal with, it is no command or separator
1112 * nor alphanumeric, so we call this an error. */
1113 OPENSSL_PUT_ERROR(SSL, ssl_cipher_process_rulestr,
1114 SSL_R_INVALID_COMMAND);
1115 retval = in_group = 0;
1116 l++;
1117 break;
1118 }
1119
1120 if (rule == CIPHER_SPECIAL) {
1121 break;
1122 }
1123
1124 /* Look for a matching exact cipher. These aren't allowed in multipart
1125 * rules. */
1126 if (!multi && ch != '+') {
1127 for (j = 0; j < kCiphersLen; j++) {
1128 const SSL_CIPHER *cipher = &kCiphers[j];
1129 if (rule_equals(cipher->name, buf, buf_len)) {
1130 cipher_id = cipher->id;
1131 break;
1132 }
1133 }
1134 }
1135 if (cipher_id == 0) {
1136 /* If not an exact cipher, look for a matching cipher alias. */
1137 for (j = 0; j < kCipherAliasesLen; j++) {
1138 if (rule_equals(kCipherAliases[j].name, buf, buf_len)) {
1139 alg_mkey &= kCipherAliases[j].algorithm_mkey;
1140 alg_auth &= kCipherAliases[j].algorithm_auth;
1141 alg_enc &= kCipherAliases[j].algorithm_enc;
1142 alg_mac &= kCipherAliases[j].algorithm_mac;
1143 alg_ssl &= kCipherAliases[j].algorithm_ssl;
1144 algo_strength &= kCipherAliases[j].algo_strength;
1145 break;
1146 }
1147 }
1148 if (j == kCipherAliasesLen) {
1149 alg_mkey = alg_auth = alg_enc = alg_mac = alg_ssl = algo_strength = 0;
1150 }
1151 }
1152
1153 /* Check for a multipart rule. */
1154 if (ch != '+') {
1155 break;
1156 }
1157 l++;
1158 multi = 1;
1159 }
1160
1161 /* Ok, we have the rule, now apply it. */
1162 if (rule == CIPHER_SPECIAL) {
1163 /* special command */
1164 ok = 0;
1165 if (buf_len == 8 && !strncmp(buf, "STRENGTH", 8)) {
1166 ok = ssl_cipher_strength_sort(head_p, tail_p);
1167 } else {
1168 OPENSSL_PUT_ERROR(SSL, ssl_cipher_process_rulestr,
1169 SSL_R_INVALID_COMMAND);
1170 }
1171
1172 if (ok == 0) {
1173 retval = 0;
1174 }
1175
1176 /* We do not support any "multi" options together with "@", so throw away
1177 * the rest of the command, if any left, until end or ':' is found. */
1178 while (*l != '\0' && !ITEM_SEP(*l)) {
1179 l++;
1180 }
1181 } else {
1182 ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth, alg_enc, alg_mac,
1183 alg_ssl, algo_strength, rule, -1, in_group, head_p,
1184 tail_p);
1185 }
1186 }
1187
1188 if (in_group) {
1189 OPENSSL_PUT_ERROR(SSL, ssl_cipher_process_rulestr, SSL_R_INVALID_COMMAND);
1190 retval = 0;
1191 }
1192
1193 return retval;
1194 }
1195
STACK_OF(SSL_CIPHER)1196 STACK_OF(SSL_CIPHER) *
1197 ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *ssl_method,
1198 struct ssl_cipher_preference_list_st **out_cipher_list,
1199 STACK_OF(SSL_CIPHER) **out_cipher_list_by_id,
1200 const char *rule_str) {
1201 int ok;
1202 STACK_OF(SSL_CIPHER) *cipherstack = NULL, *tmp_cipher_list = NULL;
1203 const char *rule_p;
1204 CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
1205 uint8_t *in_group_flags = NULL;
1206 unsigned int num_in_group_flags = 0;
1207 struct ssl_cipher_preference_list_st *pref_list = NULL;
1208
1209 /* Return with error if nothing to do. */
1210 if (rule_str == NULL || out_cipher_list == NULL) {
1211 return NULL;
1212 }
1213
1214 /* Now we have to collect the available ciphers from the compiled in ciphers.
1215 * We cannot get more than the number compiled in, so it is used for
1216 * allocation. */
1217 co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * kCiphersLen);
1218 if (co_list == NULL) {
1219 OPENSSL_PUT_ERROR(SSL, ssl_create_cipher_list, ERR_R_MALLOC_FAILURE);
1220 return NULL;
1221 }
1222
1223 ssl_cipher_collect_ciphers(ssl_method, co_list, &head, &tail);
1224
1225 /* Now arrange all ciphers by preference:
1226 * TODO(davidben): Compute this order once and copy it. */
1227
1228 /* Everything else being equal, prefer ECDHE_ECDSA then ECDHE_RSA over other
1229 * key exchange mechanisms */
1230 ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, ~0u, ~0u, ~0u, ~0u,
1231 CIPHER_ADD, -1, 0, &head, &tail);
1232 ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, ~0u, ~0u, CIPHER_ADD, -1,
1233 0, &head, &tail);
1234 ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, ~0u, ~0u, CIPHER_DEL, -1,
1235 0, &head, &tail);
1236
1237 /* Order the bulk ciphers. First the preferred AEAD ciphers. We prefer
1238 * CHACHA20 unless there is hardware support for fast and constant-time
1239 * AES_GCM. */
1240 if (EVP_has_aes_hardware()) {
1241 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, ~0u, ~0u, CIPHER_ADD,
1242 -1, 0, &head, &tail);
1243 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, ~0u, ~0u, CIPHER_ADD,
1244 -1, 0, &head, &tail);
1245 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, ~0u, ~0u,
1246 CIPHER_ADD, -1, 0, &head, &tail);
1247 } else {
1248 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, ~0u, ~0u,
1249 CIPHER_ADD, -1, 0, &head, &tail);
1250 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, ~0u, ~0u, CIPHER_ADD,
1251 -1, 0, &head, &tail);
1252 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, ~0u, ~0u, CIPHER_ADD,
1253 -1, 0, &head, &tail);
1254 }
1255
1256 /* Then the legacy non-AEAD ciphers: AES_256_CBC, AES-128_CBC, RC4_128_SHA,
1257 * RC4_128_MD5, 3DES_EDE_CBC_SHA. */
1258 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, ~0u, ~0u, CIPHER_ADD, -1,
1259 0, &head, &tail);
1260 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, ~0u, ~0u, CIPHER_ADD, -1,
1261 0, &head, &tail);
1262 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_RC4, ~SSL_MD5, ~0u, ~0u, CIPHER_ADD,
1263 -1, 0, &head, &tail);
1264 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_RC4, SSL_MD5, ~0u, ~0u, CIPHER_ADD, -1,
1265 0, &head, &tail);
1266 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, ~0u, ~0u, CIPHER_ADD, -1, 0,
1267 &head, &tail);
1268
1269 /* Temporarily enable everything else for sorting */
1270 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, ~0u, ~0u, CIPHER_ADD, -1, 0,
1271 &head, &tail);
1272
1273 /* Move ciphers without forward secrecy to the end. */
1274 ssl_cipher_apply_rule(0, ~(SSL_kDHE | SSL_kECDHE), ~0u, ~0u, ~0u, ~0u, ~0u,
1275 CIPHER_ORD, -1, 0, &head, &tail);
1276
1277 /* Now disable everything (maintaining the ordering!) */
1278 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, ~0u, ~0u, CIPHER_DEL, -1, 0,
1279 &head, &tail);
1280
1281 /* If the rule_string begins with DEFAULT, apply the default rule before
1282 * using the (possibly available) additional rules. */
1283 ok = 1;
1284 rule_p = rule_str;
1285 if (strncmp(rule_str, "DEFAULT", 7) == 0) {
1286 ok = ssl_cipher_process_rulestr(ssl_method, SSL_DEFAULT_CIPHER_LIST, &head,
1287 &tail);
1288 rule_p += 7;
1289 if (*rule_p == ':') {
1290 rule_p++;
1291 }
1292 }
1293
1294 if (ok && strlen(rule_p) > 0) {
1295 ok = ssl_cipher_process_rulestr(ssl_method, rule_p, &head, &tail);
1296 }
1297
1298 if (!ok) {
1299 goto err;
1300 }
1301
1302 /* Allocate new "cipherstack" for the result, return with error
1303 * if we cannot get one. */
1304 cipherstack = sk_SSL_CIPHER_new_null();
1305 if (cipherstack == NULL) {
1306 goto err;
1307 }
1308
1309 in_group_flags = OPENSSL_malloc(kCiphersLen);
1310 if (!in_group_flags) {
1311 goto err;
1312 }
1313
1314 /* The cipher selection for the list is done. The ciphers are added
1315 * to the resulting precedence to the STACK_OF(SSL_CIPHER). */
1316 for (curr = head; curr != NULL; curr = curr->next) {
1317 if (curr->active) {
1318 if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
1319 goto err;
1320 }
1321 in_group_flags[num_in_group_flags++] = curr->in_group;
1322 }
1323 }
1324 OPENSSL_free(co_list); /* Not needed any longer */
1325 co_list = NULL;
1326
1327 tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack);
1328 if (tmp_cipher_list == NULL) {
1329 goto err;
1330 }
1331 pref_list = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
1332 if (!pref_list) {
1333 goto err;
1334 }
1335 pref_list->ciphers = cipherstack;
1336 pref_list->in_group_flags = OPENSSL_malloc(num_in_group_flags);
1337 if (!pref_list->in_group_flags) {
1338 goto err;
1339 }
1340 memcpy(pref_list->in_group_flags, in_group_flags, num_in_group_flags);
1341 OPENSSL_free(in_group_flags);
1342 in_group_flags = NULL;
1343 if (*out_cipher_list != NULL) {
1344 ssl_cipher_preference_list_free(*out_cipher_list);
1345 }
1346 *out_cipher_list = pref_list;
1347 pref_list = NULL;
1348
1349 if (out_cipher_list_by_id != NULL) {
1350 sk_SSL_CIPHER_free(*out_cipher_list_by_id);
1351 *out_cipher_list_by_id = tmp_cipher_list;
1352 tmp_cipher_list = NULL;
1353 (void) sk_SSL_CIPHER_set_cmp_func(*out_cipher_list_by_id,
1354 ssl_cipher_ptr_id_cmp);
1355
1356 sk_SSL_CIPHER_sort(*out_cipher_list_by_id);
1357 } else {
1358 sk_SSL_CIPHER_free(tmp_cipher_list);
1359 tmp_cipher_list = NULL;
1360 }
1361
1362 return cipherstack;
1363
1364 err:
1365 OPENSSL_free(co_list);
1366 OPENSSL_free(in_group_flags);
1367 sk_SSL_CIPHER_free(cipherstack);
1368 sk_SSL_CIPHER_free(tmp_cipher_list);
1369 if (pref_list) {
1370 OPENSSL_free(pref_list->in_group_flags);
1371 }
1372 OPENSSL_free(pref_list);
1373 return NULL;
1374 }
1375
SSL_CIPHER_get_id(const SSL_CIPHER * cipher)1376 uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher) { return cipher->id; }
1377
ssl_cipher_get_value(const SSL_CIPHER * cipher)1378 uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher) {
1379 uint32_t id = cipher->id;
1380 /* All ciphers are SSLv3. */
1381 assert((id & 0xff000000) == 0x03000000);
1382 return id & 0xffff;
1383 }
1384
SSL_CIPHER_is_AES(const SSL_CIPHER * cipher)1385 int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher) {
1386 return (cipher->algorithm_enc & SSL_AES) != 0;
1387 }
1388
SSL_CIPHER_has_MD5_HMAC(const SSL_CIPHER * cipher)1389 int SSL_CIPHER_has_MD5_HMAC(const SSL_CIPHER *cipher) {
1390 return (cipher->algorithm_mac & SSL_MD5) != 0;
1391 }
1392
SSL_CIPHER_is_AESGCM(const SSL_CIPHER * cipher)1393 int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher) {
1394 return (cipher->algorithm_mac & (SSL_AES128GCM | SSL_AES256GCM)) != 0;
1395 }
1396
SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER * cipher)1397 int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher) {
1398 return (cipher->algorithm_enc & SSL_CHACHA20POLY1305) != 0;
1399 }
1400
1401 /* return the actual cipher being used */
SSL_CIPHER_get_name(const SSL_CIPHER * cipher)1402 const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) {
1403 if (cipher != NULL) {
1404 return cipher->name;
1405 }
1406
1407 return "(NONE)";
1408 }
1409
SSL_CIPHER_get_kx_name(const SSL_CIPHER * cipher)1410 const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) {
1411 if (cipher == NULL) {
1412 return "";
1413 }
1414
1415 switch (cipher->algorithm_mkey) {
1416 case SSL_kRSA:
1417 return "RSA";
1418
1419 case SSL_kDHE:
1420 switch (cipher->algorithm_auth) {
1421 case SSL_aRSA:
1422 return "DHE_RSA";
1423 default:
1424 assert(0);
1425 return "UNKNOWN";
1426 }
1427
1428 case SSL_kECDHE:
1429 switch (cipher->algorithm_auth) {
1430 case SSL_aECDSA:
1431 return "ECDHE_ECDSA";
1432 case SSL_aRSA:
1433 return "ECDHE_RSA";
1434 case SSL_aPSK:
1435 return "ECDHE_PSK";
1436 default:
1437 assert(0);
1438 return "UNKNOWN";
1439 }
1440
1441 case SSL_kPSK:
1442 assert(cipher->algorithm_auth == SSL_aPSK);
1443 return "PSK";
1444
1445 default:
1446 assert(0);
1447 return "UNKNOWN";
1448 }
1449 }
1450
ssl_cipher_get_enc_name(const SSL_CIPHER * cipher)1451 static const char *ssl_cipher_get_enc_name(const SSL_CIPHER *cipher) {
1452 switch (cipher->algorithm_enc) {
1453 case SSL_3DES:
1454 return "3DES_EDE_CBC";
1455 case SSL_RC4:
1456 return "RC4";
1457 case SSL_AES128:
1458 return "AES_128_CBC";
1459 case SSL_AES256:
1460 return "AES_256_CBC";
1461 case SSL_AES128GCM:
1462 return "AES_128_GCM";
1463 case SSL_AES256GCM:
1464 return "AES_256_GCM";
1465 case SSL_CHACHA20POLY1305:
1466 return "CHACHA20_POLY1305";
1467 break;
1468 default:
1469 assert(0);
1470 return "UNKNOWN";
1471 }
1472 }
1473
ssl_cipher_get_prf_name(const SSL_CIPHER * cipher)1474 static const char *ssl_cipher_get_prf_name(const SSL_CIPHER *cipher) {
1475 if ((cipher->algorithm2 & SSL_HANDSHAKE_MAC_DEFAULT) ==
1476 SSL_HANDSHAKE_MAC_DEFAULT) {
1477 /* Before TLS 1.2, the PRF component is the hash used in the HMAC, which is
1478 * only ever MD5 or SHA-1. */
1479 switch (cipher->algorithm_mac) {
1480 case SSL_MD5:
1481 return "MD5";
1482 case SSL_SHA1:
1483 return "SHA";
1484 default:
1485 assert(0);
1486 return "UNKNOWN";
1487 }
1488 } else if (cipher->algorithm2 & SSL_HANDSHAKE_MAC_SHA256) {
1489 return "SHA256";
1490 } else if (cipher->algorithm2 & SSL_HANDSHAKE_MAC_SHA384) {
1491 return "SHA384";
1492 } else {
1493 assert(0);
1494 return "UNKNOWN";
1495 }
1496 }
1497
SSL_CIPHER_get_rfc_name(const SSL_CIPHER * cipher)1498 char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher) {
1499 if (cipher == NULL) {
1500 return NULL;
1501 }
1502
1503 const char *kx_name = SSL_CIPHER_get_kx_name(cipher);
1504 const char *enc_name = ssl_cipher_get_enc_name(cipher);
1505 const char *prf_name = ssl_cipher_get_prf_name(cipher);
1506
1507 /* The final name is TLS_{kx_name}_WITH_{enc_name}_{prf_name}. */
1508 size_t len = 4 + strlen(kx_name) + 6 + strlen(enc_name) + 1 +
1509 strlen(prf_name) + 1;
1510 char *ret = OPENSSL_malloc(len);
1511 if (ret == NULL) {
1512 return NULL;
1513 }
1514 if (BUF_strlcpy(ret, "TLS_", len) >= len ||
1515 BUF_strlcat(ret, kx_name, len) >= len ||
1516 BUF_strlcat(ret, "_WITH_", len) >= len ||
1517 BUF_strlcat(ret, enc_name, len) >= len ||
1518 BUF_strlcat(ret, "_", len) >= len ||
1519 BUF_strlcat(ret, prf_name, len) >= len) {
1520 assert(0);
1521 OPENSSL_free(ret);
1522 return NULL;
1523 }
1524 assert(strlen(ret) + 1 == len);
1525 return ret;
1526 }
1527
SSL_CIPHER_get_bits(const SSL_CIPHER * cipher,int * out_alg_bits)1528 int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *out_alg_bits) {
1529 if (cipher == NULL) {
1530 return 0;
1531 }
1532
1533 if (out_alg_bits != NULL) {
1534 *out_alg_bits = cipher->alg_bits;
1535 }
1536 return cipher->strength_bits;
1537 }
1538
SSL_CIPHER_description(const SSL_CIPHER * cipher,char * buf,int len)1539 const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,
1540 int len) {
1541 const char *ver;
1542 const char *kx, *au, *enc, *mac;
1543 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl;
1544 static const char *format = "%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n";
1545
1546 alg_mkey = cipher->algorithm_mkey;
1547 alg_auth = cipher->algorithm_auth;
1548 alg_enc = cipher->algorithm_enc;
1549 alg_mac = cipher->algorithm_mac;
1550 alg_ssl = cipher->algorithm_ssl;
1551
1552 if (alg_ssl & SSL_SSLV3) {
1553 ver = "SSLv3";
1554 } else if (alg_ssl & SSL_TLSV1_2) {
1555 ver = "TLSv1.2";
1556 } else {
1557 ver = "unknown";
1558 }
1559
1560 switch (alg_mkey) {
1561 case SSL_kRSA:
1562 kx = "RSA";
1563 break;
1564
1565 case SSL_kDHE:
1566 kx = "DH";
1567 break;
1568
1569 case SSL_kECDHE:
1570 kx = "ECDH";
1571 break;
1572
1573 case SSL_kPSK:
1574 kx = "PSK";
1575 break;
1576
1577 default:
1578 kx = "unknown";
1579 }
1580
1581 switch (alg_auth) {
1582 case SSL_aRSA:
1583 au = "RSA";
1584 break;
1585
1586 case SSL_aECDSA:
1587 au = "ECDSA";
1588 break;
1589
1590 case SSL_aPSK:
1591 au = "PSK";
1592 break;
1593
1594 default:
1595 au = "unknown";
1596 break;
1597 }
1598
1599 switch (alg_enc) {
1600 case SSL_3DES:
1601 enc = "3DES(168)";
1602 break;
1603
1604 case SSL_RC4:
1605 enc = "RC4(128)";
1606 break;
1607
1608 case SSL_AES128:
1609 enc = "AES(128)";
1610 break;
1611
1612 case SSL_AES256:
1613 enc = "AES(256)";
1614 break;
1615
1616 case SSL_AES128GCM:
1617 enc = "AESGCM(128)";
1618 break;
1619
1620 case SSL_AES256GCM:
1621 enc = "AESGCM(256)";
1622 break;
1623
1624 case SSL_CHACHA20POLY1305:
1625 enc = "ChaCha20-Poly1305";
1626 break;
1627
1628 default:
1629 enc = "unknown";
1630 break;
1631 }
1632
1633 switch (alg_mac) {
1634 case SSL_MD5:
1635 mac = "MD5";
1636 break;
1637
1638 case SSL_SHA1:
1639 mac = "SHA1";
1640 break;
1641
1642 case SSL_SHA256:
1643 mac = "SHA256";
1644 break;
1645
1646 case SSL_SHA384:
1647 mac = "SHA384";
1648 break;
1649
1650 case SSL_AEAD:
1651 mac = "AEAD";
1652 break;
1653
1654 default:
1655 mac = "unknown";
1656 break;
1657 }
1658
1659 if (buf == NULL) {
1660 len = 128;
1661 buf = OPENSSL_malloc(len);
1662 if (buf == NULL) {
1663 return NULL;
1664 }
1665 } else if (len < 128) {
1666 return "Buffer too small";
1667 }
1668
1669 BIO_snprintf(buf, len, format, cipher->name, ver, kx, au, enc, mac);
1670 return buf;
1671 }
1672
SSL_CIPHER_get_version(const SSL_CIPHER * cipher)1673 const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher) {
1674 return "TLSv1/SSLv3";
1675 }
1676
SSL_COMP_get_compression_methods(void)1677 void *SSL_COMP_get_compression_methods(void) { return NULL; }
1678
SSL_COMP_add_compression_method(int id,void * cm)1679 int SSL_COMP_add_compression_method(int id, void *cm) { return 1; }
1680
SSL_COMP_get_name(const void * comp)1681 const char *SSL_COMP_get_name(const void *comp) { return NULL; }
1682
ssl_cipher_get_cert_index(const SSL_CIPHER * cipher)1683 int ssl_cipher_get_cert_index(const SSL_CIPHER *cipher) {
1684 uint32_t alg_a = cipher->algorithm_auth;
1685
1686 if (alg_a & SSL_aECDSA) {
1687 return SSL_PKEY_ECC;
1688 } else if (alg_a & SSL_aRSA) {
1689 return SSL_PKEY_RSA_ENC;
1690 }
1691
1692 return -1;
1693 }
1694
ssl_cipher_has_server_public_key(const SSL_CIPHER * cipher)1695 int ssl_cipher_has_server_public_key(const SSL_CIPHER *cipher) {
1696 /* PSK-authenticated ciphers do not use a public key, except for
1697 * RSA_PSK. */
1698 if ((cipher->algorithm_auth & SSL_aPSK) &&
1699 !(cipher->algorithm_mkey & SSL_kRSA)) {
1700 return 0;
1701 }
1702
1703 /* All other ciphers include it. */
1704 return 1;
1705 }
1706
ssl_cipher_requires_server_key_exchange(const SSL_CIPHER * cipher)1707 int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) {
1708 /* Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. */
1709 if (cipher->algorithm_mkey & SSL_kDHE || cipher->algorithm_mkey & SSL_kECDHE) {
1710 return 1;
1711 }
1712
1713 /* It is optional in all others. */
1714 return 0;
1715 }
1716