1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110 /* ====================================================================
111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112 * ECC cipher suite support in OpenSSL originally developed by
113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
114 */
115 /* ====================================================================
116 * Copyright 2005 Nokia. All rights reserved.
117 *
118 * The portions of the attached software ("Contribution") is developed by
119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
120 * license.
121 *
122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
124 * support (see RFC 4279) to OpenSSL.
125 *
126 * No patent licenses or other rights except those expressly stated in
127 * the OpenSSL open source license shall be deemed granted or received
128 * expressly, by implication, estoppel, or otherwise.
129 *
130 * No assurances are provided by Nokia that the Contribution does not
131 * infringe the patent or other intellectual property rights of any third
132 * party or that the license provides you with all the necessary rights
133 * to make use of the Contribution.
134 *
135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
139 * OTHERWISE. */
140
141 #include <openssl/ssl.h>
142
143 #include <assert.h>
144 #include <string.h>
145
146 #include <openssl/buf.h>
147 #include <openssl/err.h>
148 #include <openssl/md5.h>
149 #include <openssl/mem.h>
150 #include <openssl/sha.h>
151 #include <openssl/stack.h>
152
153 #include "internal.h"
154 #include "../crypto/internal.h"
155
156
157 /* kCiphers is an array of all supported ciphers, sorted by id. */
158 static const SSL_CIPHER kCiphers[] = {
159 /* The RSA ciphers */
160 /* Cipher 02 */
161 {
162 SSL3_TXT_RSA_NULL_SHA,
163 SSL3_CK_RSA_NULL_SHA,
164 SSL_kRSA,
165 SSL_aRSA,
166 SSL_eNULL,
167 SSL_SHA1,
168 SSL_HANDSHAKE_MAC_DEFAULT,
169 },
170
171 /* Cipher 0A */
172 {
173 SSL3_TXT_RSA_DES_192_CBC3_SHA,
174 SSL3_CK_RSA_DES_192_CBC3_SHA,
175 SSL_kRSA,
176 SSL_aRSA,
177 SSL_3DES,
178 SSL_SHA1,
179 SSL_HANDSHAKE_MAC_DEFAULT,
180 },
181
182
183 /* New AES ciphersuites */
184
185 /* Cipher 2F */
186 {
187 TLS1_TXT_RSA_WITH_AES_128_SHA,
188 TLS1_CK_RSA_WITH_AES_128_SHA,
189 SSL_kRSA,
190 SSL_aRSA,
191 SSL_AES128,
192 SSL_SHA1,
193 SSL_HANDSHAKE_MAC_DEFAULT,
194 },
195
196 #ifdef BORINGSSL_ENABLE_DHE_TLS
197 /* Cipher 33 */
198 {
199 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
200 TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
201 SSL_kDHE,
202 SSL_aRSA,
203 SSL_AES128,
204 SSL_SHA1,
205 SSL_HANDSHAKE_MAC_DEFAULT,
206 },
207 #endif
208
209 /* Cipher 35 */
210 {
211 TLS1_TXT_RSA_WITH_AES_256_SHA,
212 TLS1_CK_RSA_WITH_AES_256_SHA,
213 SSL_kRSA,
214 SSL_aRSA,
215 SSL_AES256,
216 SSL_SHA1,
217 SSL_HANDSHAKE_MAC_DEFAULT,
218 },
219
220 #ifdef BORINGSSL_ENABLE_DHE_TLS
221 /* Cipher 39 */
222 {
223 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
224 TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
225 SSL_kDHE,
226 SSL_aRSA,
227 SSL_AES256,
228 SSL_SHA1,
229 SSL_HANDSHAKE_MAC_DEFAULT,
230 },
231 #endif
232
233
234 /* TLS v1.2 ciphersuites */
235
236 /* Cipher 3C */
237 {
238 TLS1_TXT_RSA_WITH_AES_128_SHA256,
239 TLS1_CK_RSA_WITH_AES_128_SHA256,
240 SSL_kRSA,
241 SSL_aRSA,
242 SSL_AES128,
243 SSL_SHA256,
244 SSL_HANDSHAKE_MAC_SHA256,
245 },
246
247 /* Cipher 3D */
248 {
249 TLS1_TXT_RSA_WITH_AES_256_SHA256,
250 TLS1_CK_RSA_WITH_AES_256_SHA256,
251 SSL_kRSA,
252 SSL_aRSA,
253 SSL_AES256,
254 SSL_SHA256,
255 SSL_HANDSHAKE_MAC_SHA256,
256 },
257
258 #ifdef BORINGSSL_ENABLE_DHE_TLS
259 /* Cipher 67 */
260 {
261 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
262 TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
263 SSL_kDHE,
264 SSL_aRSA,
265 SSL_AES128,
266 SSL_SHA256,
267 SSL_HANDSHAKE_MAC_SHA256,
268 },
269
270 /* Cipher 6B */
271 {
272 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256,
273 TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
274 SSL_kDHE,
275 SSL_aRSA,
276 SSL_AES256,
277 SSL_SHA256,
278 SSL_HANDSHAKE_MAC_SHA256,
279 },
280 #endif
281
282 /* PSK cipher suites. */
283
284 /* Cipher 8C */
285 {
286 TLS1_TXT_PSK_WITH_AES_128_CBC_SHA,
287 TLS1_CK_PSK_WITH_AES_128_CBC_SHA,
288 SSL_kPSK,
289 SSL_aPSK,
290 SSL_AES128,
291 SSL_SHA1,
292 SSL_HANDSHAKE_MAC_DEFAULT,
293 },
294
295 /* Cipher 8D */
296 {
297 TLS1_TXT_PSK_WITH_AES_256_CBC_SHA,
298 TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
299 SSL_kPSK,
300 SSL_aPSK,
301 SSL_AES256,
302 SSL_SHA1,
303 SSL_HANDSHAKE_MAC_DEFAULT,
304 },
305
306 /* GCM ciphersuites from RFC5288 */
307
308 /* Cipher 9C */
309 {
310 TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
311 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
312 SSL_kRSA,
313 SSL_aRSA,
314 SSL_AES128GCM,
315 SSL_AEAD,
316 SSL_HANDSHAKE_MAC_SHA256,
317 },
318
319 /* Cipher 9D */
320 {
321 TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
322 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
323 SSL_kRSA,
324 SSL_aRSA,
325 SSL_AES256GCM,
326 SSL_AEAD,
327 SSL_HANDSHAKE_MAC_SHA384,
328 },
329
330 #ifdef BORINGSSL_ENABLE_DHE_TLS
331 /* Cipher 9E */
332 {
333 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,
334 TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
335 SSL_kDHE,
336 SSL_aRSA,
337 SSL_AES128GCM,
338 SSL_AEAD,
339 SSL_HANDSHAKE_MAC_SHA256,
340 },
341
342 /* Cipher 9F */
343 {
344 TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,
345 TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
346 SSL_kDHE,
347 SSL_aRSA,
348 SSL_AES256GCM,
349 SSL_AEAD,
350 SSL_HANDSHAKE_MAC_SHA384,
351 },
352 #endif
353
354 /* TLS 1.3 suites. */
355
356 /* Cipher 1301 */
357 {
358 TLS1_TXT_AES_128_GCM_SHA256,
359 TLS1_CK_AES_128_GCM_SHA256,
360 SSL_kGENERIC,
361 SSL_aGENERIC,
362 SSL_AES128GCM,
363 SSL_AEAD,
364 SSL_HANDSHAKE_MAC_SHA256,
365 },
366
367 /* Cipher 1302 */
368 {
369 TLS1_TXT_AES_256_GCM_SHA384,
370 TLS1_CK_AES_256_GCM_SHA384,
371 SSL_kGENERIC,
372 SSL_aGENERIC,
373 SSL_AES256GCM,
374 SSL_AEAD,
375 SSL_HANDSHAKE_MAC_SHA384,
376 },
377
378 /* Cipher 1303 */
379 {
380 TLS1_TXT_CHACHA20_POLY1305_SHA256,
381 TLS1_CK_CHACHA20_POLY1305_SHA256,
382 SSL_kGENERIC,
383 SSL_aGENERIC,
384 SSL_CHACHA20POLY1305,
385 SSL_AEAD,
386 SSL_HANDSHAKE_MAC_SHA256,
387 },
388
389 /* Cipher C009 */
390 {
391 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
392 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
393 SSL_kECDHE,
394 SSL_aECDSA,
395 SSL_AES128,
396 SSL_SHA1,
397 SSL_HANDSHAKE_MAC_DEFAULT,
398 },
399
400 /* Cipher C00A */
401 {
402 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
403 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
404 SSL_kECDHE,
405 SSL_aECDSA,
406 SSL_AES256,
407 SSL_SHA1,
408 SSL_HANDSHAKE_MAC_DEFAULT,
409 },
410
411 /* Cipher C013 */
412 {
413 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
414 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
415 SSL_kECDHE,
416 SSL_aRSA,
417 SSL_AES128,
418 SSL_SHA1,
419 SSL_HANDSHAKE_MAC_DEFAULT,
420 },
421
422 /* Cipher C014 */
423 {
424 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
425 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
426 SSL_kECDHE,
427 SSL_aRSA,
428 SSL_AES256,
429 SSL_SHA1,
430 SSL_HANDSHAKE_MAC_DEFAULT,
431 },
432
433
434 /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
435
436 /* Cipher C023 */
437 {
438 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
439 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
440 SSL_kECDHE,
441 SSL_aECDSA,
442 SSL_AES128,
443 SSL_SHA256,
444 SSL_HANDSHAKE_MAC_SHA256,
445 },
446
447 /* Cipher C024 */
448 {
449 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
450 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
451 SSL_kECDHE,
452 SSL_aECDSA,
453 SSL_AES256,
454 SSL_SHA384,
455 SSL_HANDSHAKE_MAC_SHA384,
456 },
457
458 /* Cipher C027 */
459 {
460 TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
461 TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
462 SSL_kECDHE,
463 SSL_aRSA,
464 SSL_AES128,
465 SSL_SHA256,
466 SSL_HANDSHAKE_MAC_SHA256,
467 },
468
469 /* Cipher C028 */
470 {
471 TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
472 TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
473 SSL_kECDHE,
474 SSL_aRSA,
475 SSL_AES256,
476 SSL_SHA384,
477 SSL_HANDSHAKE_MAC_SHA384,
478 },
479
480
481 /* GCM based TLS v1.2 ciphersuites from RFC5289 */
482
483 /* Cipher C02B */
484 {
485 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
486 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
487 SSL_kECDHE,
488 SSL_aECDSA,
489 SSL_AES128GCM,
490 SSL_AEAD,
491 SSL_HANDSHAKE_MAC_SHA256,
492 },
493
494 /* Cipher C02C */
495 {
496 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
497 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
498 SSL_kECDHE,
499 SSL_aECDSA,
500 SSL_AES256GCM,
501 SSL_AEAD,
502 SSL_HANDSHAKE_MAC_SHA384,
503 },
504
505 /* Cipher C02F */
506 {
507 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
508 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
509 SSL_kECDHE,
510 SSL_aRSA,
511 SSL_AES128GCM,
512 SSL_AEAD,
513 SSL_HANDSHAKE_MAC_SHA256,
514 },
515
516 /* Cipher C030 */
517 {
518 TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
519 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
520 SSL_kECDHE,
521 SSL_aRSA,
522 SSL_AES256GCM,
523 SSL_AEAD,
524 SSL_HANDSHAKE_MAC_SHA384,
525 },
526
527 /* ECDHE-PSK cipher suites. */
528
529 /* Cipher C035 */
530 {
531 TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA,
532 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
533 SSL_kECDHE,
534 SSL_aPSK,
535 SSL_AES128,
536 SSL_SHA1,
537 SSL_HANDSHAKE_MAC_DEFAULT,
538 },
539
540 /* Cipher C036 */
541 {
542 TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA,
543 TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA,
544 SSL_kECDHE,
545 SSL_aPSK,
546 SSL_AES256,
547 SSL_SHA1,
548 SSL_HANDSHAKE_MAC_DEFAULT,
549 },
550
551 /* ChaCha20-Poly1305 cipher suites. */
552
553 /* Cipher CCA8 */
554 {
555 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
556 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
557 SSL_kECDHE,
558 SSL_aRSA,
559 SSL_CHACHA20POLY1305,
560 SSL_AEAD,
561 SSL_HANDSHAKE_MAC_SHA256,
562 },
563
564 /* Cipher CCA9 */
565 {
566 TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
567 TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
568 SSL_kECDHE,
569 SSL_aECDSA,
570 SSL_CHACHA20POLY1305,
571 SSL_AEAD,
572 SSL_HANDSHAKE_MAC_SHA256,
573 },
574
575 /* Cipher CCAB */
576 {
577 TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
578 TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
579 SSL_kECDHE,
580 SSL_aPSK,
581 SSL_CHACHA20POLY1305,
582 SSL_AEAD,
583 SSL_HANDSHAKE_MAC_SHA256,
584 },
585
586 };
587
588 static const size_t kCiphersLen = OPENSSL_ARRAY_SIZE(kCiphers);
589
590 #define CIPHER_ADD 1
591 #define CIPHER_KILL 2
592 #define CIPHER_DEL 3
593 #define CIPHER_ORD 4
594 #define CIPHER_SPECIAL 5
595
596 typedef struct cipher_order_st {
597 const SSL_CIPHER *cipher;
598 int active;
599 int in_group;
600 struct cipher_order_st *next, *prev;
601 } CIPHER_ORDER;
602
603 typedef struct cipher_alias_st {
604 /* name is the name of the cipher alias. */
605 const char *name;
606
607 /* The following fields are bitmasks for the corresponding fields on
608 * |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the
609 * bit corresponding to the cipher's value is set to 1. If any bitmask is
610 * all zeroes, the alias matches nothing. Use |~0u| for the default value. */
611 uint32_t algorithm_mkey;
612 uint32_t algorithm_auth;
613 uint32_t algorithm_enc;
614 uint32_t algorithm_mac;
615
616 /* min_version, if non-zero, matches all ciphers which were added in that
617 * particular protocol version. */
618 uint16_t min_version;
619 } CIPHER_ALIAS;
620
621 static const CIPHER_ALIAS kCipherAliases[] = {
622 /* "ALL" doesn't include eNULL. It must be explicitly enabled. */
623 {"ALL", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
624
625 /* The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. */
626
627 /* key exchange aliases
628 * (some of those using only a single bit here combine
629 * multiple key exchange algs according to the RFCs,
630 * e.g. kEDH combines DHE_DSS and DHE_RSA) */
631 {"kRSA", SSL_kRSA, ~0u, ~0u, ~0u, 0},
632
633 #ifdef BORINGSSL_ENABLE_DHE_TLS
634 {"kDHE", SSL_kDHE, ~0u, ~0u, ~0u, 0},
635 {"kEDH", SSL_kDHE, ~0u, ~0u, ~0u, 0},
636 {"DH", SSL_kDHE, ~0u, ~0u, ~0u, 0},
637 #endif
638
639 {"kECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
640 {"kEECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
641 {"ECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
642
643 {"kPSK", SSL_kPSK, ~0u, ~0u, ~0u, 0},
644
645 /* server authentication aliases */
646 {"aRSA", ~0u, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
647 {"aECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
648 {"ECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
649 {"aPSK", ~0u, SSL_aPSK, ~0u, ~0u, 0},
650
651 /* aliases combining key exchange and server authentication */
652 #ifdef BORINGSSL_ENABLE_DHE_TLS
653 {"DHE", SSL_kDHE, ~0u, ~0u, ~0u, 0},
654 {"EDH", SSL_kDHE, ~0u, ~0u, ~0u, 0},
655 #endif
656 {"ECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
657 {"EECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
658 {"RSA", SSL_kRSA, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
659 {"PSK", SSL_kPSK, SSL_aPSK, ~0u, ~0u, 0},
660
661 /* symmetric encryption aliases */
662 {"3DES", ~0u, ~0u, SSL_3DES, ~0u, 0},
663 {"AES128", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0},
664 {"AES256", ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0},
665 {"AES", ~0u, ~0u, SSL_AES, ~0u, 0},
666 {"AESGCM", ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0},
667 {"CHACHA20", ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0},
668
669 /* MAC aliases */
670 {"SHA1", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
671 {"SHA", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
672 {"SHA256", ~0u, ~0u, ~0u, SSL_SHA256, 0},
673 {"SHA384", ~0u, ~0u, ~0u, SSL_SHA384, 0},
674
675 /* Legacy protocol minimum version aliases. "TLSv1" is intentionally the
676 * same as "SSLv3". */
677 {"SSLv3", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
678 {"TLSv1", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
679 {"TLSv1.2", ~0u, ~0u, ~SSL_eNULL, ~0u, TLS1_2_VERSION},
680
681 /* Legacy strength classes. */
682 {"HIGH", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
683 {"FIPS", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
684 };
685
686 static const size_t kCipherAliasesLen = OPENSSL_ARRAY_SIZE(kCipherAliases);
687
ssl_cipher_id_cmp(const void * in_a,const void * in_b)688 static int ssl_cipher_id_cmp(const void *in_a, const void *in_b) {
689 const SSL_CIPHER *a = in_a;
690 const SSL_CIPHER *b = in_b;
691
692 if (a->id > b->id) {
693 return 1;
694 } else if (a->id < b->id) {
695 return -1;
696 } else {
697 return 0;
698 }
699 }
700
SSL_get_cipher_by_value(uint16_t value)701 const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value) {
702 SSL_CIPHER c;
703
704 c.id = 0x03000000L | value;
705 return bsearch(&c, kCiphers, kCiphersLen, sizeof(SSL_CIPHER),
706 ssl_cipher_id_cmp);
707 }
708
ssl_cipher_get_evp_aead(const EVP_AEAD ** out_aead,size_t * out_mac_secret_len,size_t * out_fixed_iv_len,const SSL_CIPHER * cipher,uint16_t version)709 int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
710 size_t *out_mac_secret_len,
711 size_t *out_fixed_iv_len,
712 const SSL_CIPHER *cipher, uint16_t version) {
713 *out_aead = NULL;
714 *out_mac_secret_len = 0;
715 *out_fixed_iv_len = 0;
716
717 if (cipher->algorithm_mac == SSL_AEAD) {
718 if (cipher->algorithm_enc == SSL_AES128GCM) {
719 *out_aead = EVP_aead_aes_128_gcm();
720 *out_fixed_iv_len = 4;
721 } else if (cipher->algorithm_enc == SSL_AES256GCM) {
722 *out_aead = EVP_aead_aes_256_gcm();
723 *out_fixed_iv_len = 4;
724 } else if (cipher->algorithm_enc == SSL_CHACHA20POLY1305) {
725 *out_aead = EVP_aead_chacha20_poly1305();
726 *out_fixed_iv_len = 12;
727 } else {
728 return 0;
729 }
730
731 /* In TLS 1.3, the iv_len is equal to the AEAD nonce length whereas the code
732 * above computes the TLS 1.2 construction. */
733 if (version >= TLS1_3_VERSION) {
734 *out_fixed_iv_len = EVP_AEAD_nonce_length(*out_aead);
735 }
736 } else if (cipher->algorithm_mac == SSL_SHA1) {
737 if (cipher->algorithm_enc == SSL_eNULL) {
738 if (version == SSL3_VERSION) {
739 *out_aead = EVP_aead_null_sha1_ssl3();
740 } else {
741 *out_aead = EVP_aead_null_sha1_tls();
742 }
743 } else if (cipher->algorithm_enc == SSL_3DES) {
744 if (version == SSL3_VERSION) {
745 *out_aead = EVP_aead_des_ede3_cbc_sha1_ssl3();
746 *out_fixed_iv_len = 8;
747 } else if (version == TLS1_VERSION) {
748 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv();
749 *out_fixed_iv_len = 8;
750 } else {
751 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls();
752 }
753 } else if (cipher->algorithm_enc == SSL_AES128) {
754 if (version == SSL3_VERSION) {
755 *out_aead = EVP_aead_aes_128_cbc_sha1_ssl3();
756 *out_fixed_iv_len = 16;
757 } else if (version == TLS1_VERSION) {
758 *out_aead = EVP_aead_aes_128_cbc_sha1_tls_implicit_iv();
759 *out_fixed_iv_len = 16;
760 } else {
761 *out_aead = EVP_aead_aes_128_cbc_sha1_tls();
762 }
763 } else if (cipher->algorithm_enc == SSL_AES256) {
764 if (version == SSL3_VERSION) {
765 *out_aead = EVP_aead_aes_256_cbc_sha1_ssl3();
766 *out_fixed_iv_len = 16;
767 } else if (version == TLS1_VERSION) {
768 *out_aead = EVP_aead_aes_256_cbc_sha1_tls_implicit_iv();
769 *out_fixed_iv_len = 16;
770 } else {
771 *out_aead = EVP_aead_aes_256_cbc_sha1_tls();
772 }
773 } else {
774 return 0;
775 }
776
777 *out_mac_secret_len = SHA_DIGEST_LENGTH;
778 } else if (cipher->algorithm_mac == SSL_SHA256) {
779 if (cipher->algorithm_enc == SSL_AES128) {
780 *out_aead = EVP_aead_aes_128_cbc_sha256_tls();
781 } else if (cipher->algorithm_enc == SSL_AES256) {
782 *out_aead = EVP_aead_aes_256_cbc_sha256_tls();
783 } else {
784 return 0;
785 }
786
787 *out_mac_secret_len = SHA256_DIGEST_LENGTH;
788 } else if (cipher->algorithm_mac == SSL_SHA384) {
789 if (cipher->algorithm_enc != SSL_AES256) {
790 return 0;
791 }
792
793 *out_aead = EVP_aead_aes_256_cbc_sha384_tls();
794 *out_mac_secret_len = SHA384_DIGEST_LENGTH;
795 } else {
796 return 0;
797 }
798
799 return 1;
800 }
801
ssl_get_handshake_digest(uint32_t algorithm_prf,uint16_t version)802 const EVP_MD *ssl_get_handshake_digest(uint32_t algorithm_prf,
803 uint16_t version) {
804 switch (algorithm_prf) {
805 case SSL_HANDSHAKE_MAC_DEFAULT:
806 return version >= TLS1_2_VERSION ? EVP_sha256() : EVP_md5_sha1();
807 case SSL_HANDSHAKE_MAC_SHA256:
808 return EVP_sha256();
809 case SSL_HANDSHAKE_MAC_SHA384:
810 return EVP_sha384();
811 default:
812 return NULL;
813 }
814 }
815
816 #define ITEM_SEP(a) \
817 (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
818
819 /* rule_equals returns one iff the NUL-terminated string |rule| is equal to the
820 * |buf_len| bytes at |buf|. */
rule_equals(const char * rule,const char * buf,size_t buf_len)821 static int rule_equals(const char *rule, const char *buf, size_t buf_len) {
822 /* |strncmp| alone only checks that |buf| is a prefix of |rule|. */
823 return strncmp(rule, buf, buf_len) == 0 && rule[buf_len] == '\0';
824 }
825
ll_append_tail(CIPHER_ORDER ** head,CIPHER_ORDER * curr,CIPHER_ORDER ** tail)826 static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
827 CIPHER_ORDER **tail) {
828 if (curr == *tail) {
829 return;
830 }
831 if (curr == *head) {
832 *head = curr->next;
833 }
834 if (curr->prev != NULL) {
835 curr->prev->next = curr->next;
836 }
837 if (curr->next != NULL) {
838 curr->next->prev = curr->prev;
839 }
840 (*tail)->next = curr;
841 curr->prev = *tail;
842 curr->next = NULL;
843 *tail = curr;
844 }
845
ll_append_head(CIPHER_ORDER ** head,CIPHER_ORDER * curr,CIPHER_ORDER ** tail)846 static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
847 CIPHER_ORDER **tail) {
848 if (curr == *head) {
849 return;
850 }
851 if (curr == *tail) {
852 *tail = curr->prev;
853 }
854 if (curr->next != NULL) {
855 curr->next->prev = curr->prev;
856 }
857 if (curr->prev != NULL) {
858 curr->prev->next = curr->next;
859 }
860 (*head)->prev = curr;
861 curr->next = *head;
862 curr->prev = NULL;
863 *head = curr;
864 }
865
ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD * ssl_method,CIPHER_ORDER * co_list,CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p)866 static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method,
867 CIPHER_ORDER *co_list,
868 CIPHER_ORDER **head_p,
869 CIPHER_ORDER **tail_p) {
870 /* The set of ciphers is static, but some subset may be unsupported by
871 * |ssl_method|, so the list may be smaller. */
872 size_t co_list_num = 0;
873 for (size_t i = 0; i < kCiphersLen; i++) {
874 const SSL_CIPHER *cipher = &kCiphers[i];
875 if (ssl_method->supports_cipher(cipher) &&
876 /* TLS 1.3 ciphers do not participate in this mechanism. */
877 cipher->algorithm_mkey != SSL_kGENERIC) {
878 co_list[co_list_num].cipher = cipher;
879 co_list[co_list_num].next = NULL;
880 co_list[co_list_num].prev = NULL;
881 co_list[co_list_num].active = 0;
882 co_list[co_list_num].in_group = 0;
883 co_list_num++;
884 }
885 }
886
887 /* Prepare linked list from list entries. */
888 if (co_list_num > 0) {
889 co_list[0].prev = NULL;
890
891 if (co_list_num > 1) {
892 co_list[0].next = &co_list[1];
893
894 for (size_t i = 1; i < co_list_num - 1; i++) {
895 co_list[i].prev = &co_list[i - 1];
896 co_list[i].next = &co_list[i + 1];
897 }
898
899 co_list[co_list_num - 1].prev = &co_list[co_list_num - 2];
900 }
901
902 co_list[co_list_num - 1].next = NULL;
903
904 *head_p = &co_list[0];
905 *tail_p = &co_list[co_list_num - 1];
906 }
907 }
908
909 /* ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its
910 * parameters in the linked list from |*head_p| to |*tail_p|. It writes the new
911 * head and tail of the list to |*head_p| and |*tail_p|, respectively.
912 *
913 * - If |cipher_id| is non-zero, only that cipher is selected.
914 * - Otherwise, if |strength_bits| is non-negative, it selects ciphers
915 * of that strength.
916 * - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and
917 * |min_version|. */
ssl_cipher_apply_rule(uint32_t cipher_id,uint32_t alg_mkey,uint32_t alg_auth,uint32_t alg_enc,uint32_t alg_mac,uint16_t min_version,int rule,int strength_bits,int in_group,CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p)918 static void ssl_cipher_apply_rule(
919 uint32_t cipher_id, uint32_t alg_mkey, uint32_t alg_auth,
920 uint32_t alg_enc, uint32_t alg_mac, uint16_t min_version, int rule,
921 int strength_bits, int in_group, CIPHER_ORDER **head_p,
922 CIPHER_ORDER **tail_p) {
923 CIPHER_ORDER *head, *tail, *curr, *next, *last;
924 const SSL_CIPHER *cp;
925 int reverse = 0;
926
927 if (cipher_id == 0 && strength_bits == -1 && min_version == 0 &&
928 (alg_mkey == 0 || alg_auth == 0 || alg_enc == 0 || alg_mac == 0)) {
929 /* The rule matches nothing, so bail early. */
930 return;
931 }
932
933 if (rule == CIPHER_DEL) {
934 /* needed to maintain sorting between currently deleted ciphers */
935 reverse = 1;
936 }
937
938 head = *head_p;
939 tail = *tail_p;
940
941 if (reverse) {
942 next = tail;
943 last = head;
944 } else {
945 next = head;
946 last = tail;
947 }
948
949 curr = NULL;
950 for (;;) {
951 if (curr == last) {
952 break;
953 }
954
955 curr = next;
956 if (curr == NULL) {
957 break;
958 }
959
960 next = reverse ? curr->prev : curr->next;
961 cp = curr->cipher;
962
963 /* Selection criteria is either a specific cipher, the value of
964 * |strength_bits|, or the algorithms used. */
965 if (cipher_id != 0) {
966 if (cipher_id != cp->id) {
967 continue;
968 }
969 } else if (strength_bits >= 0) {
970 if (strength_bits != SSL_CIPHER_get_bits(cp, NULL)) {
971 continue;
972 }
973 } else {
974 if (!(alg_mkey & cp->algorithm_mkey) ||
975 !(alg_auth & cp->algorithm_auth) ||
976 !(alg_enc & cp->algorithm_enc) ||
977 !(alg_mac & cp->algorithm_mac) ||
978 (min_version != 0 && SSL_CIPHER_get_min_version(cp) != min_version)) {
979 continue;
980 }
981 }
982
983 /* add the cipher if it has not been added yet. */
984 if (rule == CIPHER_ADD) {
985 /* reverse == 0 */
986 if (!curr->active) {
987 ll_append_tail(&head, curr, &tail);
988 curr->active = 1;
989 curr->in_group = in_group;
990 }
991 }
992
993 /* Move the added cipher to this location */
994 else if (rule == CIPHER_ORD) {
995 /* reverse == 0 */
996 if (curr->active) {
997 ll_append_tail(&head, curr, &tail);
998 curr->in_group = 0;
999 }
1000 } else if (rule == CIPHER_DEL) {
1001 /* reverse == 1 */
1002 if (curr->active) {
1003 /* most recently deleted ciphersuites get best positions
1004 * for any future CIPHER_ADD (note that the CIPHER_DEL loop
1005 * works in reverse to maintain the order) */
1006 ll_append_head(&head, curr, &tail);
1007 curr->active = 0;
1008 curr->in_group = 0;
1009 }
1010 } else if (rule == CIPHER_KILL) {
1011 /* reverse == 0 */
1012 if (head == curr) {
1013 head = curr->next;
1014 } else {
1015 curr->prev->next = curr->next;
1016 }
1017
1018 if (tail == curr) {
1019 tail = curr->prev;
1020 }
1021 curr->active = 0;
1022 if (curr->next != NULL) {
1023 curr->next->prev = curr->prev;
1024 }
1025 if (curr->prev != NULL) {
1026 curr->prev->next = curr->next;
1027 }
1028 curr->next = NULL;
1029 curr->prev = NULL;
1030 }
1031 }
1032
1033 *head_p = head;
1034 *tail_p = tail;
1035 }
1036
ssl_cipher_strength_sort(CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p)1037 static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
1038 CIPHER_ORDER **tail_p) {
1039 int max_strength_bits, i, *number_uses;
1040 CIPHER_ORDER *curr;
1041
1042 /* This routine sorts the ciphers with descending strength. The sorting must
1043 * keep the pre-sorted sequence, so we apply the normal sorting routine as
1044 * '+' movement to the end of the list. */
1045 max_strength_bits = 0;
1046 curr = *head_p;
1047 while (curr != NULL) {
1048 if (curr->active &&
1049 SSL_CIPHER_get_bits(curr->cipher, NULL) > max_strength_bits) {
1050 max_strength_bits = SSL_CIPHER_get_bits(curr->cipher, NULL);
1051 }
1052 curr = curr->next;
1053 }
1054
1055 number_uses = OPENSSL_malloc((max_strength_bits + 1) * sizeof(int));
1056 if (!number_uses) {
1057 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
1058 return 0;
1059 }
1060 OPENSSL_memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int));
1061
1062 /* Now find the strength_bits values actually used. */
1063 curr = *head_p;
1064 while (curr != NULL) {
1065 if (curr->active) {
1066 number_uses[SSL_CIPHER_get_bits(curr->cipher, NULL)]++;
1067 }
1068 curr = curr->next;
1069 }
1070
1071 /* Go through the list of used strength_bits values in descending order. */
1072 for (i = max_strength_bits; i >= 0; i--) {
1073 if (number_uses[i] > 0) {
1074 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i, 0, head_p, tail_p);
1075 }
1076 }
1077
1078 OPENSSL_free(number_uses);
1079 return 1;
1080 }
1081
ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD * ssl_method,const char * rule_str,CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p,int strict)1082 static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method,
1083 const char *rule_str,
1084 CIPHER_ORDER **head_p,
1085 CIPHER_ORDER **tail_p, int strict) {
1086 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
1087 uint16_t min_version;
1088 const char *l, *buf;
1089 int multi, skip_rule, rule, ok, in_group = 0, has_group = 0;
1090 size_t j, buf_len;
1091 uint32_t cipher_id;
1092 char ch;
1093
1094 l = rule_str;
1095 for (;;) {
1096 ch = *l;
1097
1098 if (ch == '\0') {
1099 break; /* done */
1100 }
1101
1102 if (in_group) {
1103 if (ch == ']') {
1104 if (*tail_p) {
1105 (*tail_p)->in_group = 0;
1106 }
1107 in_group = 0;
1108 l++;
1109 continue;
1110 }
1111
1112 if (ch == '|') {
1113 rule = CIPHER_ADD;
1114 l++;
1115 continue;
1116 } else if (!(ch >= 'a' && ch <= 'z') && !(ch >= 'A' && ch <= 'Z') &&
1117 !(ch >= '0' && ch <= '9')) {
1118 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP);
1119 return 0;
1120 } else {
1121 rule = CIPHER_ADD;
1122 }
1123 } else if (ch == '-') {
1124 rule = CIPHER_DEL;
1125 l++;
1126 } else if (ch == '+') {
1127 rule = CIPHER_ORD;
1128 l++;
1129 } else if (ch == '!') {
1130 rule = CIPHER_KILL;
1131 l++;
1132 } else if (ch == '@') {
1133 rule = CIPHER_SPECIAL;
1134 l++;
1135 } else if (ch == '[') {
1136 if (in_group) {
1137 OPENSSL_PUT_ERROR(SSL, SSL_R_NESTED_GROUP);
1138 return 0;
1139 }
1140 in_group = 1;
1141 has_group = 1;
1142 l++;
1143 continue;
1144 } else {
1145 rule = CIPHER_ADD;
1146 }
1147
1148 /* If preference groups are enabled, the only legal operator is +.
1149 * Otherwise the in_group bits will get mixed up. */
1150 if (has_group && rule != CIPHER_ADD) {
1151 OPENSSL_PUT_ERROR(SSL, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
1152 return 0;
1153 }
1154
1155 if (ITEM_SEP(ch)) {
1156 l++;
1157 continue;
1158 }
1159
1160 multi = 0;
1161 cipher_id = 0;
1162 alg_mkey = ~0u;
1163 alg_auth = ~0u;
1164 alg_enc = ~0u;
1165 alg_mac = ~0u;
1166 min_version = 0;
1167 skip_rule = 0;
1168
1169 for (;;) {
1170 ch = *l;
1171 buf = l;
1172 buf_len = 0;
1173 while (((ch >= 'A') && (ch <= 'Z')) || ((ch >= '0') && (ch <= '9')) ||
1174 ((ch >= 'a') && (ch <= 'z')) || (ch == '-') || (ch == '.')) {
1175 ch = *(++l);
1176 buf_len++;
1177 }
1178
1179 if (buf_len == 0) {
1180 /* We hit something we cannot deal with, it is no command or separator
1181 * nor alphanumeric, so we call this an error. */
1182 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1183 return 0;
1184 }
1185
1186 if (rule == CIPHER_SPECIAL) {
1187 break;
1188 }
1189
1190 /* Look for a matching exact cipher. These aren't allowed in multipart
1191 * rules. */
1192 if (!multi && ch != '+') {
1193 for (j = 0; j < kCiphersLen; j++) {
1194 const SSL_CIPHER *cipher = &kCiphers[j];
1195 if (rule_equals(cipher->name, buf, buf_len)) {
1196 cipher_id = cipher->id;
1197 break;
1198 }
1199 }
1200 }
1201 if (cipher_id == 0) {
1202 /* If not an exact cipher, look for a matching cipher alias. */
1203 for (j = 0; j < kCipherAliasesLen; j++) {
1204 if (rule_equals(kCipherAliases[j].name, buf, buf_len)) {
1205 alg_mkey &= kCipherAliases[j].algorithm_mkey;
1206 alg_auth &= kCipherAliases[j].algorithm_auth;
1207 alg_enc &= kCipherAliases[j].algorithm_enc;
1208 alg_mac &= kCipherAliases[j].algorithm_mac;
1209
1210 if (min_version != 0 &&
1211 min_version != kCipherAliases[j].min_version) {
1212 skip_rule = 1;
1213 } else {
1214 min_version = kCipherAliases[j].min_version;
1215 }
1216 break;
1217 }
1218 }
1219 if (j == kCipherAliasesLen) {
1220 skip_rule = 1;
1221 if (strict) {
1222 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1223 return 0;
1224 }
1225 }
1226 }
1227
1228 /* Check for a multipart rule. */
1229 if (ch != '+') {
1230 break;
1231 }
1232 l++;
1233 multi = 1;
1234 }
1235
1236 /* Ok, we have the rule, now apply it. */
1237 if (rule == CIPHER_SPECIAL) {
1238 /* special command */
1239 ok = 0;
1240 if (buf_len == 8 && !strncmp(buf, "STRENGTH", 8)) {
1241 ok = ssl_cipher_strength_sort(head_p, tail_p);
1242 } else {
1243 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1244 }
1245
1246 if (ok == 0) {
1247 return 0;
1248 }
1249
1250 /* We do not support any "multi" options together with "@", so throw away
1251 * the rest of the command, if any left, until end or ':' is found. */
1252 while (*l != '\0' && !ITEM_SEP(*l)) {
1253 l++;
1254 }
1255 } else if (!skip_rule) {
1256 ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth, alg_enc, alg_mac,
1257 min_version, rule, -1, in_group, head_p, tail_p);
1258 }
1259 }
1260
1261 if (in_group) {
1262 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1263 return 0;
1264 }
1265
1266 return 1;
1267 }
1268
ssl_create_cipher_list(const SSL_PROTOCOL_METHOD * ssl_method,struct ssl_cipher_preference_list_st ** out_cipher_list,const char * rule_str,int strict)1269 int ssl_create_cipher_list(
1270 const SSL_PROTOCOL_METHOD *ssl_method,
1271 struct ssl_cipher_preference_list_st **out_cipher_list,
1272 const char *rule_str, int strict) {
1273 STACK_OF(SSL_CIPHER) *cipherstack = NULL;
1274 CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
1275 uint8_t *in_group_flags = NULL;
1276 unsigned int num_in_group_flags = 0;
1277 struct ssl_cipher_preference_list_st *pref_list = NULL;
1278
1279 /* Return with error if nothing to do. */
1280 if (rule_str == NULL || out_cipher_list == NULL) {
1281 return 0;
1282 }
1283
1284 /* Now we have to collect the available ciphers from the compiled in ciphers.
1285 * We cannot get more than the number compiled in, so it is used for
1286 * allocation. */
1287 co_list = OPENSSL_malloc(sizeof(CIPHER_ORDER) * kCiphersLen);
1288 if (co_list == NULL) {
1289 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
1290 return 0;
1291 }
1292
1293 ssl_cipher_collect_ciphers(ssl_method, co_list, &head, &tail);
1294
1295 /* Now arrange all ciphers by preference:
1296 * TODO(davidben): Compute this order once and copy it. */
1297
1298 /* Everything else being equal, prefer ECDHE_ECDSA and ECDHE_RSA over other
1299 * key exchange mechanisms */
1300 ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, ~0u, ~0u, 0, CIPHER_ADD, -1,
1301 0, &head, &tail);
1302 ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0,
1303 &head, &tail);
1304 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head,
1305 &tail);
1306
1307 /* Order the bulk ciphers. First the preferred AEAD ciphers. We prefer
1308 * CHACHA20 unless there is hardware support for fast and constant-time
1309 * AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the
1310 * old one. */
1311 if (EVP_has_aes_hardware()) {
1312 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1313 &head, &tail);
1314 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1315 &head, &tail);
1316 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
1317 -1, 0, &head, &tail);
1318 } else {
1319 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0, CIPHER_ADD,
1320 -1, 0, &head, &tail);
1321 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1322 &head, &tail);
1323 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, 0, CIPHER_ADD, -1, 0,
1324 &head, &tail);
1325 }
1326
1327 /* Then the legacy non-AEAD ciphers: AES_128_CBC, AES_256_CBC,
1328 * 3DES_EDE_CBC_SHA. */
1329 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, 0, CIPHER_ADD, -1, 0,
1330 &head, &tail);
1331 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, 0, CIPHER_ADD, -1, 0,
1332 &head, &tail);
1333 ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, 0, CIPHER_ADD, -1, 0, &head,
1334 &tail);
1335
1336 /* Temporarily enable everything else for sorting */
1337 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0, &head,
1338 &tail);
1339
1340 /* Move ciphers without forward secrecy to the end. */
1341 ssl_cipher_apply_rule(0, (SSL_kRSA | SSL_kPSK), ~0u, ~0u, ~0u, 0,
1342 CIPHER_ORD, -1, 0, &head, &tail);
1343
1344 /* Now disable everything (maintaining the ordering!) */
1345 ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head,
1346 &tail);
1347
1348 /* If the rule_string begins with DEFAULT, apply the default rule before
1349 * using the (possibly available) additional rules. */
1350 const char *rule_p = rule_str;
1351 if (strncmp(rule_str, "DEFAULT", 7) == 0) {
1352 if (!ssl_cipher_process_rulestr(ssl_method, SSL_DEFAULT_CIPHER_LIST, &head,
1353 &tail, strict)) {
1354 goto err;
1355 }
1356 rule_p += 7;
1357 if (*rule_p == ':') {
1358 rule_p++;
1359 }
1360 }
1361
1362 if (*rule_p != '\0' &&
1363 !ssl_cipher_process_rulestr(ssl_method, rule_p, &head, &tail, strict)) {
1364 goto err;
1365 }
1366
1367 /* Allocate new "cipherstack" for the result, return with error
1368 * if we cannot get one. */
1369 cipherstack = sk_SSL_CIPHER_new_null();
1370 if (cipherstack == NULL) {
1371 goto err;
1372 }
1373
1374 in_group_flags = OPENSSL_malloc(kCiphersLen);
1375 if (!in_group_flags) {
1376 goto err;
1377 }
1378
1379 /* The cipher selection for the list is done. The ciphers are added
1380 * to the resulting precedence to the STACK_OF(SSL_CIPHER). */
1381 for (curr = head; curr != NULL; curr = curr->next) {
1382 if (curr->active) {
1383 if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
1384 goto err;
1385 }
1386 in_group_flags[num_in_group_flags++] = curr->in_group;
1387 }
1388 }
1389 OPENSSL_free(co_list); /* Not needed any longer */
1390 co_list = NULL;
1391
1392 pref_list = OPENSSL_malloc(sizeof(struct ssl_cipher_preference_list_st));
1393 if (!pref_list) {
1394 goto err;
1395 }
1396 pref_list->ciphers = cipherstack;
1397 pref_list->in_group_flags = OPENSSL_malloc(num_in_group_flags);
1398 if (!pref_list->in_group_flags) {
1399 goto err;
1400 }
1401 OPENSSL_memcpy(pref_list->in_group_flags, in_group_flags, num_in_group_flags);
1402 OPENSSL_free(in_group_flags);
1403 in_group_flags = NULL;
1404 if (*out_cipher_list != NULL) {
1405 ssl_cipher_preference_list_free(*out_cipher_list);
1406 }
1407 *out_cipher_list = pref_list;
1408 pref_list = NULL;
1409
1410 /* Configuring an empty cipher list is an error but still updates the
1411 * output. */
1412 if (sk_SSL_CIPHER_num((*out_cipher_list)->ciphers) == 0) {
1413 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHER_MATCH);
1414 return 0;
1415 }
1416
1417 return 1;
1418
1419 err:
1420 OPENSSL_free(co_list);
1421 OPENSSL_free(in_group_flags);
1422 sk_SSL_CIPHER_free(cipherstack);
1423 if (pref_list) {
1424 OPENSSL_free(pref_list->in_group_flags);
1425 }
1426 OPENSSL_free(pref_list);
1427 return 0;
1428 }
1429
SSL_CIPHER_get_id(const SSL_CIPHER * cipher)1430 uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher) { return cipher->id; }
1431
ssl_cipher_get_value(const SSL_CIPHER * cipher)1432 uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher) {
1433 uint32_t id = cipher->id;
1434 /* All ciphers are SSLv3. */
1435 assert((id & 0xff000000) == 0x03000000);
1436 return id & 0xffff;
1437 }
1438
SSL_CIPHER_is_AES(const SSL_CIPHER * cipher)1439 int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher) {
1440 return (cipher->algorithm_enc & SSL_AES) != 0;
1441 }
1442
SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER * cipher)1443 int SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER *cipher) {
1444 return (cipher->algorithm_mac & SSL_SHA1) != 0;
1445 }
1446
SSL_CIPHER_has_SHA256_HMAC(const SSL_CIPHER * cipher)1447 int SSL_CIPHER_has_SHA256_HMAC(const SSL_CIPHER *cipher) {
1448 return (cipher->algorithm_mac & SSL_SHA256) != 0;
1449 }
1450
SSL_CIPHER_is_AEAD(const SSL_CIPHER * cipher)1451 int SSL_CIPHER_is_AEAD(const SSL_CIPHER *cipher) {
1452 return (cipher->algorithm_mac & SSL_AEAD) != 0;
1453 }
1454
SSL_CIPHER_is_AESGCM(const SSL_CIPHER * cipher)1455 int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher) {
1456 return (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) != 0;
1457 }
1458
SSL_CIPHER_is_AES128GCM(const SSL_CIPHER * cipher)1459 int SSL_CIPHER_is_AES128GCM(const SSL_CIPHER *cipher) {
1460 return (cipher->algorithm_enc & SSL_AES128GCM) != 0;
1461 }
1462
SSL_CIPHER_is_AES128CBC(const SSL_CIPHER * cipher)1463 int SSL_CIPHER_is_AES128CBC(const SSL_CIPHER *cipher) {
1464 return (cipher->algorithm_enc & SSL_AES128) != 0;
1465 }
1466
SSL_CIPHER_is_AES256CBC(const SSL_CIPHER * cipher)1467 int SSL_CIPHER_is_AES256CBC(const SSL_CIPHER *cipher) {
1468 return (cipher->algorithm_enc & SSL_AES256) != 0;
1469 }
1470
SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER * cipher)1471 int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher) {
1472 return (cipher->algorithm_enc & SSL_CHACHA20POLY1305) != 0;
1473 }
1474
SSL_CIPHER_is_NULL(const SSL_CIPHER * cipher)1475 int SSL_CIPHER_is_NULL(const SSL_CIPHER *cipher) {
1476 return (cipher->algorithm_enc & SSL_eNULL) != 0;
1477 }
1478
SSL_CIPHER_is_block_cipher(const SSL_CIPHER * cipher)1479 int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher) {
1480 return (cipher->algorithm_enc & SSL_eNULL) == 0 &&
1481 cipher->algorithm_mac != SSL_AEAD;
1482 }
1483
SSL_CIPHER_is_ECDSA(const SSL_CIPHER * cipher)1484 int SSL_CIPHER_is_ECDSA(const SSL_CIPHER *cipher) {
1485 return (cipher->algorithm_auth & SSL_aECDSA) != 0;
1486 }
1487
SSL_CIPHER_is_DHE(const SSL_CIPHER * cipher)1488 int SSL_CIPHER_is_DHE(const SSL_CIPHER *cipher) {
1489 return (cipher->algorithm_mkey & SSL_kDHE) != 0;
1490 }
1491
SSL_CIPHER_is_ECDHE(const SSL_CIPHER * cipher)1492 int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher) {
1493 return (cipher->algorithm_mkey & SSL_kECDHE) != 0;
1494 }
1495
SSL_CIPHER_is_static_RSA(const SSL_CIPHER * cipher)1496 int SSL_CIPHER_is_static_RSA(const SSL_CIPHER *cipher) {
1497 return (cipher->algorithm_mkey & SSL_kRSA) != 0;
1498 }
1499
SSL_CIPHER_get_min_version(const SSL_CIPHER * cipher)1500 uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) {
1501 if (cipher->algorithm_mkey == SSL_kGENERIC ||
1502 cipher->algorithm_auth == SSL_aGENERIC) {
1503 return TLS1_3_VERSION;
1504 }
1505
1506 if (cipher->algorithm_prf != SSL_HANDSHAKE_MAC_DEFAULT) {
1507 /* Cipher suites before TLS 1.2 use the default PRF, while all those added
1508 * afterwards specify a particular hash. */
1509 return TLS1_2_VERSION;
1510 }
1511 return SSL3_VERSION;
1512 }
1513
SSL_CIPHER_get_max_version(const SSL_CIPHER * cipher)1514 uint16_t SSL_CIPHER_get_max_version(const SSL_CIPHER *cipher) {
1515 if (cipher->algorithm_mkey == SSL_kGENERIC ||
1516 cipher->algorithm_auth == SSL_aGENERIC) {
1517 return TLS1_3_VERSION;
1518 }
1519 return TLS1_2_VERSION;
1520 }
1521
1522 /* return the actual cipher being used */
SSL_CIPHER_get_name(const SSL_CIPHER * cipher)1523 const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) {
1524 if (cipher != NULL) {
1525 return cipher->name;
1526 }
1527
1528 return "(NONE)";
1529 }
1530
SSL_CIPHER_get_kx_name(const SSL_CIPHER * cipher)1531 const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) {
1532 if (cipher == NULL) {
1533 return "";
1534 }
1535
1536 switch (cipher->algorithm_mkey) {
1537 case SSL_kRSA:
1538 return "RSA";
1539
1540 case SSL_kDHE:
1541 switch (cipher->algorithm_auth) {
1542 case SSL_aRSA:
1543 return "DHE_RSA";
1544 default:
1545 assert(0);
1546 return "UNKNOWN";
1547 }
1548
1549 case SSL_kECDHE:
1550 switch (cipher->algorithm_auth) {
1551 case SSL_aECDSA:
1552 return "ECDHE_ECDSA";
1553 case SSL_aRSA:
1554 return "ECDHE_RSA";
1555 case SSL_aPSK:
1556 return "ECDHE_PSK";
1557 default:
1558 assert(0);
1559 return "UNKNOWN";
1560 }
1561
1562 case SSL_kPSK:
1563 assert(cipher->algorithm_auth == SSL_aPSK);
1564 return "PSK";
1565
1566 case SSL_kGENERIC:
1567 assert(cipher->algorithm_auth == SSL_aGENERIC);
1568 return "GENERIC";
1569
1570 default:
1571 assert(0);
1572 return "UNKNOWN";
1573 }
1574 }
1575
ssl_cipher_get_enc_name(const SSL_CIPHER * cipher)1576 static const char *ssl_cipher_get_enc_name(const SSL_CIPHER *cipher) {
1577 switch (cipher->algorithm_enc) {
1578 case SSL_3DES:
1579 return "3DES_EDE_CBC";
1580 case SSL_AES128:
1581 return "AES_128_CBC";
1582 case SSL_AES256:
1583 return "AES_256_CBC";
1584 case SSL_AES128GCM:
1585 return "AES_128_GCM";
1586 case SSL_AES256GCM:
1587 return "AES_256_GCM";
1588 case SSL_CHACHA20POLY1305:
1589 return "CHACHA20_POLY1305";
1590 break;
1591 default:
1592 assert(0);
1593 return "UNKNOWN";
1594 }
1595 }
1596
ssl_cipher_get_prf_name(const SSL_CIPHER * cipher)1597 static const char *ssl_cipher_get_prf_name(const SSL_CIPHER *cipher) {
1598 switch (cipher->algorithm_prf) {
1599 case SSL_HANDSHAKE_MAC_DEFAULT:
1600 /* Before TLS 1.2, the PRF component is the hash used in the HMAC, which
1601 * is SHA-1 for all supported ciphers. */
1602 assert(cipher->algorithm_mac == SSL_SHA1);
1603 return "SHA";
1604 case SSL_HANDSHAKE_MAC_SHA256:
1605 return "SHA256";
1606 case SSL_HANDSHAKE_MAC_SHA384:
1607 return "SHA384";
1608 }
1609 assert(0);
1610 return "UNKNOWN";
1611 }
1612
SSL_CIPHER_get_rfc_name(const SSL_CIPHER * cipher)1613 char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher) {
1614 if (cipher == NULL) {
1615 return NULL;
1616 }
1617
1618 const char *kx_name = SSL_CIPHER_get_kx_name(cipher);
1619 const char *enc_name = ssl_cipher_get_enc_name(cipher);
1620 const char *prf_name = ssl_cipher_get_prf_name(cipher);
1621
1622 /* The final name is TLS_{kx_name}_WITH_{enc_name}_{prf_name} or
1623 * TLS_{enc_name}_{prf_name} depending on whether the cipher is AEAD-only. */
1624 size_t len = 4 + strlen(enc_name) + 1 + strlen(prf_name) + 1;
1625
1626 if (cipher->algorithm_mkey != SSL_kGENERIC) {
1627 len += strlen(kx_name) + 6;
1628 }
1629
1630 char *ret = OPENSSL_malloc(len);
1631 if (ret == NULL) {
1632 return NULL;
1633 }
1634
1635 if (BUF_strlcpy(ret, "TLS_", len) >= len ||
1636 (cipher->algorithm_mkey != SSL_kGENERIC &&
1637 (BUF_strlcat(ret, kx_name, len) >= len ||
1638 BUF_strlcat(ret, "_WITH_", len) >= len)) ||
1639 BUF_strlcat(ret, enc_name, len) >= len ||
1640 BUF_strlcat(ret, "_", len) >= len ||
1641 BUF_strlcat(ret, prf_name, len) >= len) {
1642 assert(0);
1643 OPENSSL_free(ret);
1644 return NULL;
1645 }
1646
1647 assert(strlen(ret) + 1 == len);
1648 return ret;
1649 }
1650
SSL_CIPHER_get_bits(const SSL_CIPHER * cipher,int * out_alg_bits)1651 int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *out_alg_bits) {
1652 if (cipher == NULL) {
1653 return 0;
1654 }
1655
1656 int alg_bits, strength_bits;
1657 switch (cipher->algorithm_enc) {
1658 case SSL_AES128:
1659 case SSL_AES128GCM:
1660 alg_bits = 128;
1661 strength_bits = 128;
1662 break;
1663
1664 case SSL_AES256:
1665 case SSL_AES256GCM:
1666 case SSL_CHACHA20POLY1305:
1667 alg_bits = 256;
1668 strength_bits = 256;
1669 break;
1670
1671 case SSL_3DES:
1672 alg_bits = 168;
1673 strength_bits = 112;
1674 break;
1675
1676 case SSL_eNULL:
1677 alg_bits = 0;
1678 strength_bits = 0;
1679 break;
1680
1681 default:
1682 assert(0);
1683 alg_bits = 0;
1684 strength_bits = 0;
1685 }
1686
1687 if (out_alg_bits != NULL) {
1688 *out_alg_bits = alg_bits;
1689 }
1690 return strength_bits;
1691 }
1692
SSL_CIPHER_description(const SSL_CIPHER * cipher,char * buf,int len)1693 const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,
1694 int len) {
1695 const char *kx, *au, *enc, *mac;
1696 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
1697
1698 alg_mkey = cipher->algorithm_mkey;
1699 alg_auth = cipher->algorithm_auth;
1700 alg_enc = cipher->algorithm_enc;
1701 alg_mac = cipher->algorithm_mac;
1702
1703 switch (alg_mkey) {
1704 case SSL_kRSA:
1705 kx = "RSA";
1706 break;
1707
1708 case SSL_kDHE:
1709 kx = "DH";
1710 break;
1711
1712 case SSL_kECDHE:
1713 kx = "ECDH";
1714 break;
1715
1716 case SSL_kPSK:
1717 kx = "PSK";
1718 break;
1719
1720 case SSL_kGENERIC:
1721 kx = "GENERIC";
1722 break;
1723
1724 default:
1725 kx = "unknown";
1726 }
1727
1728 switch (alg_auth) {
1729 case SSL_aRSA:
1730 au = "RSA";
1731 break;
1732
1733 case SSL_aECDSA:
1734 au = "ECDSA";
1735 break;
1736
1737 case SSL_aPSK:
1738 au = "PSK";
1739 break;
1740
1741 case SSL_aGENERIC:
1742 au = "GENERIC";
1743 break;
1744
1745 default:
1746 au = "unknown";
1747 break;
1748 }
1749
1750 switch (alg_enc) {
1751 case SSL_3DES:
1752 enc = "3DES(168)";
1753 break;
1754
1755 case SSL_AES128:
1756 enc = "AES(128)";
1757 break;
1758
1759 case SSL_AES256:
1760 enc = "AES(256)";
1761 break;
1762
1763 case SSL_AES128GCM:
1764 enc = "AESGCM(128)";
1765 break;
1766
1767 case SSL_AES256GCM:
1768 enc = "AESGCM(256)";
1769 break;
1770
1771 case SSL_CHACHA20POLY1305:
1772 enc = "ChaCha20-Poly1305";
1773 break;
1774
1775 case SSL_eNULL:
1776 enc="None";
1777 break;
1778
1779 default:
1780 enc = "unknown";
1781 break;
1782 }
1783
1784 switch (alg_mac) {
1785 case SSL_SHA1:
1786 mac = "SHA1";
1787 break;
1788
1789 case SSL_SHA256:
1790 mac = "SHA256";
1791 break;
1792
1793 case SSL_SHA384:
1794 mac = "SHA384";
1795 break;
1796
1797 case SSL_AEAD:
1798 mac = "AEAD";
1799 break;
1800
1801 default:
1802 mac = "unknown";
1803 break;
1804 }
1805
1806 if (buf == NULL) {
1807 len = 128;
1808 buf = OPENSSL_malloc(len);
1809 if (buf == NULL) {
1810 return NULL;
1811 }
1812 } else if (len < 128) {
1813 return "Buffer too small";
1814 }
1815
1816 BIO_snprintf(buf, len, "%-23s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n",
1817 cipher->name, kx, au, enc, mac);
1818 return buf;
1819 }
1820
SSL_CIPHER_get_version(const SSL_CIPHER * cipher)1821 const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher) {
1822 return "TLSv1/SSLv3";
1823 }
1824
SSL_COMP_get_compression_methods(void)1825 COMP_METHOD *SSL_COMP_get_compression_methods(void) { return NULL; }
1826
SSL_COMP_add_compression_method(int id,COMP_METHOD * cm)1827 int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) { return 1; }
1828
SSL_COMP_get_name(const COMP_METHOD * comp)1829 const char *SSL_COMP_get_name(const COMP_METHOD *comp) { return NULL; }
1830
SSL_COMP_free_compression_methods(void)1831 void SSL_COMP_free_compression_methods(void) {}
1832
ssl_cipher_get_key_type(const SSL_CIPHER * cipher)1833 int ssl_cipher_get_key_type(const SSL_CIPHER *cipher) {
1834 uint32_t alg_a = cipher->algorithm_auth;
1835
1836 if (alg_a & SSL_aECDSA) {
1837 return EVP_PKEY_EC;
1838 } else if (alg_a & SSL_aRSA) {
1839 return EVP_PKEY_RSA;
1840 }
1841
1842 return EVP_PKEY_NONE;
1843 }
1844
ssl_cipher_uses_certificate_auth(const SSL_CIPHER * cipher)1845 int ssl_cipher_uses_certificate_auth(const SSL_CIPHER *cipher) {
1846 return (cipher->algorithm_auth & SSL_aCERT) != 0;
1847 }
1848
ssl_cipher_requires_server_key_exchange(const SSL_CIPHER * cipher)1849 int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) {
1850 /* Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. */
1851 if (cipher->algorithm_mkey & SSL_kDHE ||
1852 cipher->algorithm_mkey & SSL_kECDHE) {
1853 return 1;
1854 }
1855
1856 /* It is optional in all others. */
1857 return 0;
1858 }
1859
ssl_cipher_get_record_split_len(const SSL_CIPHER * cipher)1860 size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher) {
1861 size_t block_size;
1862 switch (cipher->algorithm_enc) {
1863 case SSL_3DES:
1864 block_size = 8;
1865 break;
1866 case SSL_AES128:
1867 case SSL_AES256:
1868 block_size = 16;
1869 break;
1870 default:
1871 return 0;
1872 }
1873
1874 /* All supported TLS 1.0 ciphers use SHA-1. */
1875 assert(cipher->algorithm_mac == SSL_SHA1);
1876 size_t ret = 1 + SHA_DIGEST_LENGTH;
1877 ret += block_size - (ret % block_size);
1878 return ret;
1879 }
1880