1 /* Copyright (C) 1995-1998 Eric Young ([email protected])
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young ([email protected]).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson ([email protected]).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young ([email protected])"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson ([email protected])"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * [email protected].
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * ([email protected]). This product includes software written by Tim
107 * Hudson ([email protected]).
108 *
109 */
110 /* ====================================================================
111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112 * ECC cipher suite support in OpenSSL originally developed by
113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
114 */
115 /* ====================================================================
116 * Copyright 2005 Nokia. All rights reserved.
117 *
118 * The portions of the attached software ("Contribution") is developed by
119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
120 * license.
121 *
122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
124 * support (see RFC 4279) to OpenSSL.
125 *
126 * No patent licenses or other rights except those expressly stated in
127 * the OpenSSL open source license shall be deemed granted or received
128 * expressly, by implication, estoppel, or otherwise.
129 *
130 * No assurances are provided by Nokia that the Contribution does not
131 * infringe the patent or other intellectual property rights of any third
132 * party or that the license provides you with all the necessary rights
133 * to make use of the Contribution.
134 *
135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
139 * OTHERWISE. */
140
141 #include <openssl/ssl.h>
142
143 #include <assert.h>
144 #include <string.h>
145
146 #include <openssl/err.h>
147 #include <openssl/md5.h>
148 #include <openssl/mem.h>
149 #include <openssl/sha.h>
150 #include <openssl/stack.h>
151
152 #include "internal.h"
153 #include "../crypto/internal.h"
154
155
156 BSSL_NAMESPACE_BEGIN
157
158 static constexpr SSL_CIPHER kCiphers[] = {
159 // The RSA ciphers
160
161 // Cipher 0A
162 {
163 SSL3_TXT_RSA_DES_192_CBC3_SHA,
164 "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
165 SSL3_CK_RSA_DES_192_CBC3_SHA,
166 SSL_kRSA,
167 SSL_aRSA_DECRYPT,
168 SSL_3DES,
169 SSL_SHA1,
170 SSL_HANDSHAKE_MAC_DEFAULT,
171 },
172
173
174 // New AES ciphersuites
175
176 // Cipher 2F
177 {
178 TLS1_TXT_RSA_WITH_AES_128_SHA,
179 "TLS_RSA_WITH_AES_128_CBC_SHA",
180 TLS1_CK_RSA_WITH_AES_128_SHA,
181 SSL_kRSA,
182 SSL_aRSA_DECRYPT,
183 SSL_AES128,
184 SSL_SHA1,
185 SSL_HANDSHAKE_MAC_DEFAULT,
186 },
187
188 // Cipher 35
189 {
190 TLS1_TXT_RSA_WITH_AES_256_SHA,
191 "TLS_RSA_WITH_AES_256_CBC_SHA",
192 TLS1_CK_RSA_WITH_AES_256_SHA,
193 SSL_kRSA,
194 SSL_aRSA_DECRYPT,
195 SSL_AES256,
196 SSL_SHA1,
197 SSL_HANDSHAKE_MAC_DEFAULT,
198 },
199
200 // PSK cipher suites.
201
202 // Cipher 8C
203 {
204 TLS1_TXT_PSK_WITH_AES_128_CBC_SHA,
205 "TLS_PSK_WITH_AES_128_CBC_SHA",
206 TLS1_CK_PSK_WITH_AES_128_CBC_SHA,
207 SSL_kPSK,
208 SSL_aPSK,
209 SSL_AES128,
210 SSL_SHA1,
211 SSL_HANDSHAKE_MAC_DEFAULT,
212 },
213
214 // Cipher 8D
215 {
216 TLS1_TXT_PSK_WITH_AES_256_CBC_SHA,
217 "TLS_PSK_WITH_AES_256_CBC_SHA",
218 TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
219 SSL_kPSK,
220 SSL_aPSK,
221 SSL_AES256,
222 SSL_SHA1,
223 SSL_HANDSHAKE_MAC_DEFAULT,
224 },
225
226 // GCM ciphersuites from RFC 5288
227
228 // Cipher 9C
229 {
230 TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
231 "TLS_RSA_WITH_AES_128_GCM_SHA256",
232 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
233 SSL_kRSA,
234 SSL_aRSA_DECRYPT,
235 SSL_AES128GCM,
236 SSL_AEAD,
237 SSL_HANDSHAKE_MAC_SHA256,
238 },
239
240 // Cipher 9D
241 {
242 TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
243 "TLS_RSA_WITH_AES_256_GCM_SHA384",
244 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
245 SSL_kRSA,
246 SSL_aRSA_DECRYPT,
247 SSL_AES256GCM,
248 SSL_AEAD,
249 SSL_HANDSHAKE_MAC_SHA384,
250 },
251
252 // TLS 1.3 suites.
253
254 // Cipher 1301
255 {
256 TLS1_3_RFC_AES_128_GCM_SHA256,
257 "TLS_AES_128_GCM_SHA256",
258 TLS1_3_CK_AES_128_GCM_SHA256,
259 SSL_kGENERIC,
260 SSL_aGENERIC,
261 SSL_AES128GCM,
262 SSL_AEAD,
263 SSL_HANDSHAKE_MAC_SHA256,
264 },
265
266 // Cipher 1302
267 {
268 TLS1_3_RFC_AES_256_GCM_SHA384,
269 "TLS_AES_256_GCM_SHA384",
270 TLS1_3_CK_AES_256_GCM_SHA384,
271 SSL_kGENERIC,
272 SSL_aGENERIC,
273 SSL_AES256GCM,
274 SSL_AEAD,
275 SSL_HANDSHAKE_MAC_SHA384,
276 },
277
278 // Cipher 1303
279 {
280 TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
281 "TLS_CHACHA20_POLY1305_SHA256",
282 TLS1_3_CK_CHACHA20_POLY1305_SHA256,
283 SSL_kGENERIC,
284 SSL_aGENERIC,
285 SSL_CHACHA20POLY1305,
286 SSL_AEAD,
287 SSL_HANDSHAKE_MAC_SHA256,
288 },
289
290 // Cipher C009
291 {
292 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
293 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
294 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
295 SSL_kECDHE,
296 SSL_aECDSA,
297 SSL_AES128,
298 SSL_SHA1,
299 SSL_HANDSHAKE_MAC_DEFAULT,
300 },
301
302 // Cipher C00A
303 {
304 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
305 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
306 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
307 SSL_kECDHE,
308 SSL_aECDSA,
309 SSL_AES256,
310 SSL_SHA1,
311 SSL_HANDSHAKE_MAC_DEFAULT,
312 },
313
314 // Cipher C013
315 {
316 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
317 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
318 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
319 SSL_kECDHE,
320 SSL_aRSA_SIGN,
321 SSL_AES128,
322 SSL_SHA1,
323 SSL_HANDSHAKE_MAC_DEFAULT,
324 },
325
326 // Cipher C014
327 {
328 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
329 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
330 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
331 SSL_kECDHE,
332 SSL_aRSA_SIGN,
333 SSL_AES256,
334 SSL_SHA1,
335 SSL_HANDSHAKE_MAC_DEFAULT,
336 },
337
338 // Cipher C027
339 {
340 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
341 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
342 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
343 SSL_kECDHE,
344 SSL_aRSA_SIGN,
345 SSL_AES128,
346 SSL_SHA256,
347 SSL_HANDSHAKE_MAC_SHA256,
348 },
349
350 // GCM based TLS v1.2 ciphersuites from RFC 5289
351
352 // Cipher C02B
353 {
354 TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
355 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
356 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
357 SSL_kECDHE,
358 SSL_aECDSA,
359 SSL_AES128GCM,
360 SSL_AEAD,
361 SSL_HANDSHAKE_MAC_SHA256,
362 },
363
364 // Cipher C02C
365 {
366 TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
367 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
368 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
369 SSL_kECDHE,
370 SSL_aECDSA,
371 SSL_AES256GCM,
372 SSL_AEAD,
373 SSL_HANDSHAKE_MAC_SHA384,
374 },
375
376 // Cipher C02F
377 {
378 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
379 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
380 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
381 SSL_kECDHE,
382 SSL_aRSA_SIGN,
383 SSL_AES128GCM,
384 SSL_AEAD,
385 SSL_HANDSHAKE_MAC_SHA256,
386 },
387
388 // Cipher C030
389 {
390 TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
391 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
392 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
393 SSL_kECDHE,
394 SSL_aRSA_SIGN,
395 SSL_AES256GCM,
396 SSL_AEAD,
397 SSL_HANDSHAKE_MAC_SHA384,
398 },
399
400 // ECDHE-PSK cipher suites.
401
402 // Cipher C035
403 {
404 TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA,
405 "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
406 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
407 SSL_kECDHE,
408 SSL_aPSK,
409 SSL_AES128,
410 SSL_SHA1,
411 SSL_HANDSHAKE_MAC_DEFAULT,
412 },
413
414 // Cipher C036
415 {
416 TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA,
417 "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
418 TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA,
419 SSL_kECDHE,
420 SSL_aPSK,
421 SSL_AES256,
422 SSL_SHA1,
423 SSL_HANDSHAKE_MAC_DEFAULT,
424 },
425
426 // ChaCha20-Poly1305 cipher suites.
427
428 // Cipher CCA8
429 {
430 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
431 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
432 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
433 SSL_kECDHE,
434 SSL_aRSA_SIGN,
435 SSL_CHACHA20POLY1305,
436 SSL_AEAD,
437 SSL_HANDSHAKE_MAC_SHA256,
438 },
439
440 // Cipher CCA9
441 {
442 TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
443 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
444 TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
445 SSL_kECDHE,
446 SSL_aECDSA,
447 SSL_CHACHA20POLY1305,
448 SSL_AEAD,
449 SSL_HANDSHAKE_MAC_SHA256,
450 },
451
452 // Cipher CCAB
453 {
454 TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
455 "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
456 TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
457 SSL_kECDHE,
458 SSL_aPSK,
459 SSL_CHACHA20POLY1305,
460 SSL_AEAD,
461 SSL_HANDSHAKE_MAC_SHA256,
462 },
463
464 };
465
AllCiphers()466 Span<const SSL_CIPHER> AllCiphers() {
467 return MakeConstSpan(kCiphers, OPENSSL_ARRAY_SIZE(kCiphers));
468 }
469
NumTLS13Ciphers()470 static constexpr size_t NumTLS13Ciphers() {
471 size_t num = 0;
472 for (const auto &cipher : kCiphers) {
473 if (cipher.algorithm_mkey == SSL_kGENERIC) {
474 num++;
475 }
476 }
477 return num;
478 }
479
480 #define CIPHER_ADD 1
481 #define CIPHER_KILL 2
482 #define CIPHER_DEL 3
483 #define CIPHER_ORD 4
484 #define CIPHER_SPECIAL 5
485
486 typedef struct cipher_order_st {
487 const SSL_CIPHER *cipher;
488 bool active;
489 bool in_group;
490 struct cipher_order_st *next, *prev;
491 } CIPHER_ORDER;
492
493 typedef struct cipher_alias_st {
494 // name is the name of the cipher alias.
495 const char *name = nullptr;
496
497 // The following fields are bitmasks for the corresponding fields on
498 // |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the
499 // bit corresponding to the cipher's value is set to 1. If any bitmask is
500 // all zeroes, the alias matches nothing. Use |~0u| for the default value.
501 uint32_t algorithm_mkey = ~0u;
502 uint32_t algorithm_auth = ~0u;
503 uint32_t algorithm_enc = ~0u;
504 uint32_t algorithm_mac = ~0u;
505
506 // min_version, if non-zero, matches all ciphers which were added in that
507 // particular protocol version.
508 uint16_t min_version = 0;
509
510 // include_deprecated, if true, means this alias includes deprecated ciphers.
511 bool include_deprecated = false;
512 } CIPHER_ALIAS;
513
514 static const CIPHER_ALIAS kCipherAliases[] = {
515 {"ALL", ~0u, ~0u, ~0u, ~0u, 0},
516
517 // The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing.
518
519 // key exchange aliases
520 // (some of those using only a single bit here combine
521 // multiple key exchange algs according to the RFCs.
522 {"kRSA", SSL_kRSA, ~0u, ~0u, ~0u, 0},
523
524 {"kECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
525 {"kEECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
526 {"ECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
527
528 {"kPSK", SSL_kPSK, ~0u, ~0u, ~0u, 0},
529
530 // server authentication aliases
531 {"aRSA", ~0u, SSL_aRSA_SIGN | SSL_aRSA_DECRYPT, ~0u, ~0u, 0},
532 {"aECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
533 {"ECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
534 {"aPSK", ~0u, SSL_aPSK, ~0u, ~0u, 0},
535
536 // aliases combining key exchange and server authentication
537 {"ECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
538 {"EECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
539 {"RSA", SSL_kRSA, SSL_aRSA_SIGN | SSL_aRSA_DECRYPT, ~0u, ~0u, 0},
540 {"PSK", SSL_kPSK, SSL_aPSK, ~0u, ~0u, 0},
541
542 // symmetric encryption aliases
543 {"3DES", ~0u, ~0u, SSL_3DES, ~0u, 0, /*include_deprecated=*/true},
544 {"AES128", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0,
545 /*include_deprecated=*/false},
546 {"AES256", ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0,
547 /*include_deprecated=*/false},
548 {"AES", ~0u, ~0u, SSL_AES, ~0u, 0},
549 {"AESGCM", ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0,
550 /*include_deprecated=*/false},
551 {"CHACHA20", ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0,
552 /*include_deprecated=*/false},
553
554 // MAC aliases
555 {"SHA1", ~0u, ~0u, ~0u, SSL_SHA1, 0},
556 {"SHA", ~0u, ~0u, ~0u, SSL_SHA1, 0},
557
558 // Legacy protocol minimum version aliases. "TLSv1" is intentionally the
559 // same as "SSLv3".
560 {"SSLv3", ~0u, ~0u, ~0u, ~0u, SSL3_VERSION},
561 {"TLSv1", ~0u, ~0u, ~0u, ~0u, SSL3_VERSION},
562 {"TLSv1.2", ~0u, ~0u, ~0u, ~0u, TLS1_2_VERSION},
563
564 // Legacy strength classes.
565 {"HIGH", ~0u, ~0u, ~0u, ~0u, 0},
566 {"FIPS", ~0u, ~0u, ~0u, ~0u, 0},
567
568 // Temporary no-op aliases corresponding to removed SHA-2 legacy CBC
569 // ciphers. These should be removed after 2018-05-14.
570 {"SHA256", 0, 0, 0, 0, 0},
571 {"SHA384", 0, 0, 0, 0, 0},
572 };
573
574 static const size_t kCipherAliasesLen = OPENSSL_ARRAY_SIZE(kCipherAliases);
575
ssl_cipher_get_evp_aead(const EVP_AEAD ** out_aead,size_t * out_mac_secret_len,size_t * out_fixed_iv_len,const SSL_CIPHER * cipher,uint16_t version,bool is_dtls)576 bool ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
577 size_t *out_mac_secret_len,
578 size_t *out_fixed_iv_len, const SSL_CIPHER *cipher,
579 uint16_t version, bool is_dtls) {
580 *out_aead = NULL;
581 *out_mac_secret_len = 0;
582 *out_fixed_iv_len = 0;
583
584 const bool is_tls12 = version == TLS1_2_VERSION && !is_dtls;
585 const bool is_tls13 = version == TLS1_3_VERSION && !is_dtls;
586
587 if (cipher->algorithm_mac == SSL_AEAD) {
588 if (cipher->algorithm_enc == SSL_AES128GCM) {
589 if (is_tls12) {
590 *out_aead = EVP_aead_aes_128_gcm_tls12();
591 } else if (is_tls13) {
592 *out_aead = EVP_aead_aes_128_gcm_tls13();
593 } else {
594 *out_aead = EVP_aead_aes_128_gcm();
595 }
596 *out_fixed_iv_len = 4;
597 } else if (cipher->algorithm_enc == SSL_AES256GCM) {
598 if (is_tls12) {
599 *out_aead = EVP_aead_aes_256_gcm_tls12();
600 } else if (is_tls13) {
601 *out_aead = EVP_aead_aes_256_gcm_tls13();
602 } else {
603 *out_aead = EVP_aead_aes_256_gcm();
604 }
605 *out_fixed_iv_len = 4;
606 } else if (cipher->algorithm_enc == SSL_CHACHA20POLY1305) {
607 *out_aead = EVP_aead_chacha20_poly1305();
608 *out_fixed_iv_len = 12;
609 } else {
610 return false;
611 }
612
613 // In TLS 1.3, the iv_len is equal to the AEAD nonce length whereas the code
614 // above computes the TLS 1.2 construction.
615 if (version >= TLS1_3_VERSION) {
616 *out_fixed_iv_len = EVP_AEAD_nonce_length(*out_aead);
617 }
618 } else if (cipher->algorithm_mac == SSL_SHA1) {
619 if (cipher->algorithm_enc == SSL_3DES) {
620 if (version == TLS1_VERSION) {
621 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv();
622 *out_fixed_iv_len = 8;
623 } else {
624 *out_aead = EVP_aead_des_ede3_cbc_sha1_tls();
625 }
626 } else if (cipher->algorithm_enc == SSL_AES128) {
627 if (version == TLS1_VERSION) {
628 *out_aead = EVP_aead_aes_128_cbc_sha1_tls_implicit_iv();
629 *out_fixed_iv_len = 16;
630 } else {
631 *out_aead = EVP_aead_aes_128_cbc_sha1_tls();
632 }
633 } else if (cipher->algorithm_enc == SSL_AES256) {
634 if (version == TLS1_VERSION) {
635 *out_aead = EVP_aead_aes_256_cbc_sha1_tls_implicit_iv();
636 *out_fixed_iv_len = 16;
637 } else {
638 *out_aead = EVP_aead_aes_256_cbc_sha1_tls();
639 }
640 } else {
641 return false;
642 }
643
644 *out_mac_secret_len = SHA_DIGEST_LENGTH;
645 } else if (cipher->algorithm_mac == SSL_SHA256) {
646 if (cipher->algorithm_enc == SSL_AES128) {
647 *out_aead = EVP_aead_aes_128_cbc_sha256_tls();
648 } else {
649 return false;
650 }
651
652 *out_mac_secret_len = SHA256_DIGEST_LENGTH;
653 } else {
654 return false;
655 }
656
657 return true;
658 }
659
ssl_get_handshake_digest(uint16_t version,const SSL_CIPHER * cipher)660 const EVP_MD *ssl_get_handshake_digest(uint16_t version,
661 const SSL_CIPHER *cipher) {
662 switch (cipher->algorithm_prf) {
663 case SSL_HANDSHAKE_MAC_DEFAULT:
664 return version >= TLS1_2_VERSION ? EVP_sha256() : EVP_md5_sha1();
665 case SSL_HANDSHAKE_MAC_SHA256:
666 return EVP_sha256();
667 case SSL_HANDSHAKE_MAC_SHA384:
668 return EVP_sha384();
669 default:
670 assert(0);
671 return NULL;
672 }
673 }
674
is_cipher_list_separator(char c,bool is_strict)675 static bool is_cipher_list_separator(char c, bool is_strict) {
676 if (c == ':') {
677 return true;
678 }
679 return !is_strict && (c == ' ' || c == ';' || c == ',');
680 }
681
682 // rule_equals returns whether the NUL-terminated string |rule| is equal to the
683 // |buf_len| bytes at |buf|.
rule_equals(const char * rule,const char * buf,size_t buf_len)684 static bool rule_equals(const char *rule, const char *buf, size_t buf_len) {
685 // |strncmp| alone only checks that |buf| is a prefix of |rule|.
686 return strncmp(rule, buf, buf_len) == 0 && rule[buf_len] == '\0';
687 }
688
ll_append_tail(CIPHER_ORDER ** head,CIPHER_ORDER * curr,CIPHER_ORDER ** tail)689 static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
690 CIPHER_ORDER **tail) {
691 if (curr == *tail) {
692 return;
693 }
694 if (curr == *head) {
695 *head = curr->next;
696 }
697 if (curr->prev != NULL) {
698 curr->prev->next = curr->next;
699 }
700 if (curr->next != NULL) {
701 curr->next->prev = curr->prev;
702 }
703 (*tail)->next = curr;
704 curr->prev = *tail;
705 curr->next = NULL;
706 *tail = curr;
707 }
708
ll_append_head(CIPHER_ORDER ** head,CIPHER_ORDER * curr,CIPHER_ORDER ** tail)709 static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
710 CIPHER_ORDER **tail) {
711 if (curr == *head) {
712 return;
713 }
714 if (curr == *tail) {
715 *tail = curr->prev;
716 }
717 if (curr->next != NULL) {
718 curr->next->prev = curr->prev;
719 }
720 if (curr->prev != NULL) {
721 curr->prev->next = curr->next;
722 }
723 (*head)->prev = curr;
724 curr->next = *head;
725 curr->prev = NULL;
726 *head = curr;
727 }
728
~SSLCipherPreferenceList()729 SSLCipherPreferenceList::~SSLCipherPreferenceList() {
730 OPENSSL_free(in_group_flags);
731 }
732
Init(UniquePtr<STACK_OF (SSL_CIPHER)> ciphers_arg,Span<const bool> in_group_flags_arg)733 bool SSLCipherPreferenceList::Init(UniquePtr<STACK_OF(SSL_CIPHER)> ciphers_arg,
734 Span<const bool> in_group_flags_arg) {
735 if (sk_SSL_CIPHER_num(ciphers_arg.get()) != in_group_flags_arg.size()) {
736 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
737 return false;
738 }
739
740 Array<bool> copy;
741 if (!copy.CopyFrom(in_group_flags_arg)) {
742 return false;
743 }
744 ciphers = std::move(ciphers_arg);
745 size_t unused_len;
746 copy.Release(&in_group_flags, &unused_len);
747 return true;
748 }
749
Init(const SSLCipherPreferenceList & other)750 bool SSLCipherPreferenceList::Init(const SSLCipherPreferenceList& other) {
751 size_t size = sk_SSL_CIPHER_num(other.ciphers.get());
752 Span<const bool> other_flags(other.in_group_flags, size);
753 UniquePtr<STACK_OF(SSL_CIPHER)> other_ciphers(sk_SSL_CIPHER_dup(
754 other.ciphers.get()));
755 if (!other_ciphers) {
756 return false;
757 }
758 return Init(std::move(other_ciphers), other_flags);
759 }
760
Remove(const SSL_CIPHER * cipher)761 void SSLCipherPreferenceList::Remove(const SSL_CIPHER *cipher) {
762 size_t index;
763 if (!sk_SSL_CIPHER_find(ciphers.get(), &index, cipher)) {
764 return;
765 }
766 if (!in_group_flags[index] /* last element of group */ && index > 0) {
767 in_group_flags[index-1] = false;
768 }
769 for (size_t i = index; i < sk_SSL_CIPHER_num(ciphers.get()) - 1; ++i) {
770 in_group_flags[i] = in_group_flags[i+1];
771 }
772 sk_SSL_CIPHER_delete(ciphers.get(), index);
773 }
774
ssl_cipher_is_deprecated(const SSL_CIPHER * cipher)775 bool ssl_cipher_is_deprecated(const SSL_CIPHER *cipher) {
776 return cipher->id == TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ||
777 cipher->algorithm_enc == SSL_3DES;
778 }
779
780 // ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its
781 // parameters in the linked list from |*head_p| to |*tail_p|. It writes the new
782 // head and tail of the list to |*head_p| and |*tail_p|, respectively.
783 //
784 // - If |cipher_id| is non-zero, only that cipher is selected.
785 // - Otherwise, if |strength_bits| is non-negative, it selects ciphers
786 // of that strength.
787 // - Otherwise, |alias| must be non-null. It selects ciphers that matches
788 // |*alias|.
ssl_cipher_apply_rule(uint32_t cipher_id,const CIPHER_ALIAS * alias,int rule,int strength_bits,bool in_group,CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p)789 static void ssl_cipher_apply_rule(uint32_t cipher_id, const CIPHER_ALIAS *alias,
790 int rule, int strength_bits, bool in_group,
791 CIPHER_ORDER **head_p,
792 CIPHER_ORDER **tail_p) {
793 CIPHER_ORDER *head, *tail, *curr, *next, *last;
794 const SSL_CIPHER *cp;
795 bool reverse = false;
796
797 if (cipher_id == 0 && strength_bits == -1 && alias->min_version == 0 &&
798 (alias->algorithm_mkey == 0 || alias->algorithm_auth == 0 ||
799 alias->algorithm_enc == 0 || alias->algorithm_mac == 0)) {
800 // The rule matches nothing, so bail early.
801 return;
802 }
803
804 if (rule == CIPHER_DEL) {
805 // needed to maintain sorting between currently deleted ciphers
806 reverse = true;
807 }
808
809 head = *head_p;
810 tail = *tail_p;
811
812 if (reverse) {
813 next = tail;
814 last = head;
815 } else {
816 next = head;
817 last = tail;
818 }
819
820 curr = NULL;
821 for (;;) {
822 if (curr == last) {
823 break;
824 }
825
826 curr = next;
827 if (curr == NULL) {
828 break;
829 }
830
831 next = reverse ? curr->prev : curr->next;
832 cp = curr->cipher;
833
834 // Selection criteria is either a specific cipher, the value of
835 // |strength_bits|, or the algorithms used.
836 if (cipher_id != 0) {
837 if (cipher_id != cp->id) {
838 continue;
839 }
840 } else if (strength_bits >= 0) {
841 if (strength_bits != SSL_CIPHER_get_bits(cp, NULL)) {
842 continue;
843 }
844 } else {
845 if (!(alias->algorithm_mkey & cp->algorithm_mkey) ||
846 !(alias->algorithm_auth & cp->algorithm_auth) ||
847 !(alias->algorithm_enc & cp->algorithm_enc) ||
848 !(alias->algorithm_mac & cp->algorithm_mac) ||
849 (alias->min_version != 0 &&
850 SSL_CIPHER_get_min_version(cp) != alias->min_version) ||
851 (!alias->include_deprecated && ssl_cipher_is_deprecated(cp))) {
852 continue;
853 }
854 }
855
856 // add the cipher if it has not been added yet.
857 if (rule == CIPHER_ADD) {
858 // reverse == false
859 if (!curr->active) {
860 ll_append_tail(&head, curr, &tail);
861 curr->active = true;
862 curr->in_group = in_group;
863 }
864 }
865
866 // Move the added cipher to this location
867 else if (rule == CIPHER_ORD) {
868 // reverse == false
869 if (curr->active) {
870 ll_append_tail(&head, curr, &tail);
871 curr->in_group = false;
872 }
873 } else if (rule == CIPHER_DEL) {
874 // reverse == true
875 if (curr->active) {
876 // most recently deleted ciphersuites get best positions
877 // for any future CIPHER_ADD (note that the CIPHER_DEL loop
878 // works in reverse to maintain the order)
879 ll_append_head(&head, curr, &tail);
880 curr->active = false;
881 curr->in_group = false;
882 }
883 } else if (rule == CIPHER_KILL) {
884 // reverse == false
885 if (head == curr) {
886 head = curr->next;
887 } else {
888 curr->prev->next = curr->next;
889 }
890
891 if (tail == curr) {
892 tail = curr->prev;
893 }
894 curr->active = false;
895 if (curr->next != NULL) {
896 curr->next->prev = curr->prev;
897 }
898 if (curr->prev != NULL) {
899 curr->prev->next = curr->next;
900 }
901 curr->next = NULL;
902 curr->prev = NULL;
903 }
904 }
905
906 *head_p = head;
907 *tail_p = tail;
908 }
909
ssl_cipher_strength_sort(CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p)910 static bool ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
911 CIPHER_ORDER **tail_p) {
912 // This routine sorts the ciphers with descending strength. The sorting must
913 // keep the pre-sorted sequence, so we apply the normal sorting routine as
914 // '+' movement to the end of the list.
915 int max_strength_bits = 0;
916 CIPHER_ORDER *curr = *head_p;
917 while (curr != NULL) {
918 if (curr->active &&
919 SSL_CIPHER_get_bits(curr->cipher, NULL) > max_strength_bits) {
920 max_strength_bits = SSL_CIPHER_get_bits(curr->cipher, NULL);
921 }
922 curr = curr->next;
923 }
924
925 Array<int> number_uses;
926 if (!number_uses.Init(max_strength_bits + 1)) {
927 return false;
928 }
929 OPENSSL_memset(number_uses.data(), 0, (max_strength_bits + 1) * sizeof(int));
930
931 // Now find the strength_bits values actually used.
932 curr = *head_p;
933 while (curr != NULL) {
934 if (curr->active) {
935 number_uses[SSL_CIPHER_get_bits(curr->cipher, NULL)]++;
936 }
937 curr = curr->next;
938 }
939
940 // Go through the list of used strength_bits values in descending order.
941 for (int i = max_strength_bits; i >= 0; i--) {
942 if (number_uses[i] > 0) {
943 ssl_cipher_apply_rule(/*cipher_id=*/0, /*alias=*/nullptr, CIPHER_ORD, i,
944 false, head_p, tail_p);
945 }
946 }
947
948 return true;
949 }
950
ssl_cipher_process_rulestr(const char * rule_str,CIPHER_ORDER ** head_p,CIPHER_ORDER ** tail_p,bool strict)951 static bool ssl_cipher_process_rulestr(const char *rule_str,
952 CIPHER_ORDER **head_p,
953 CIPHER_ORDER **tail_p, bool strict) {
954 const char *l, *buf;
955 bool in_group = false, has_group = false;
956 size_t j, buf_len;
957 char ch;
958
959 l = rule_str;
960 for (;;) {
961 ch = *l;
962
963 if (ch == '\0') {
964 break; // done
965 }
966
967 int rule;
968 if (in_group) {
969 if (ch == ']') {
970 if (*tail_p) {
971 (*tail_p)->in_group = false;
972 }
973 in_group = false;
974 l++;
975 continue;
976 }
977
978 if (ch == '|') {
979 rule = CIPHER_ADD;
980 l++;
981 continue;
982 } else if (!OPENSSL_isalnum(ch)) {
983 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP);
984 return false;
985 } else {
986 rule = CIPHER_ADD;
987 }
988 } else if (ch == '-') {
989 rule = CIPHER_DEL;
990 l++;
991 } else if (ch == '+') {
992 rule = CIPHER_ORD;
993 l++;
994 } else if (ch == '!') {
995 rule = CIPHER_KILL;
996 l++;
997 } else if (ch == '@') {
998 rule = CIPHER_SPECIAL;
999 l++;
1000 } else if (ch == '[') {
1001 assert(!in_group);
1002 in_group = true;
1003 has_group = true;
1004 l++;
1005 continue;
1006 } else {
1007 rule = CIPHER_ADD;
1008 }
1009
1010 // If preference groups are enabled, the only legal operator is +.
1011 // Otherwise the in_group bits will get mixed up.
1012 if (has_group && rule != CIPHER_ADD) {
1013 OPENSSL_PUT_ERROR(SSL, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
1014 return false;
1015 }
1016
1017 if (is_cipher_list_separator(ch, strict)) {
1018 l++;
1019 continue;
1020 }
1021
1022 bool multi = false;
1023 uint32_t cipher_id = 0;
1024 CIPHER_ALIAS alias;
1025 bool skip_rule = false;
1026
1027 // When adding, exclude deprecated ciphers by default.
1028 alias.include_deprecated = rule != CIPHER_ADD;
1029
1030 for (;;) {
1031 ch = *l;
1032 buf = l;
1033 buf_len = 0;
1034 while (OPENSSL_isalnum(ch) || ch == '-' || ch == '.' || ch == '_') {
1035 ch = *(++l);
1036 buf_len++;
1037 }
1038
1039 if (buf_len == 0) {
1040 // We hit something we cannot deal with, it is no command or separator
1041 // nor alphanumeric, so we call this an error.
1042 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1043 return false;
1044 }
1045
1046 if (rule == CIPHER_SPECIAL) {
1047 break;
1048 }
1049
1050 // Look for a matching exact cipher. These aren't allowed in multipart
1051 // rules.
1052 if (!multi && ch != '+') {
1053 for (j = 0; j < OPENSSL_ARRAY_SIZE(kCiphers); j++) {
1054 const SSL_CIPHER *cipher = &kCiphers[j];
1055 if (rule_equals(cipher->name, buf, buf_len) ||
1056 rule_equals(cipher->standard_name, buf, buf_len)) {
1057 cipher_id = cipher->id;
1058 break;
1059 }
1060 }
1061 }
1062 if (cipher_id == 0) {
1063 // If not an exact cipher, look for a matching cipher alias.
1064 for (j = 0; j < kCipherAliasesLen; j++) {
1065 if (rule_equals(kCipherAliases[j].name, buf, buf_len)) {
1066 alias.algorithm_mkey &= kCipherAliases[j].algorithm_mkey;
1067 alias.algorithm_auth &= kCipherAliases[j].algorithm_auth;
1068 alias.algorithm_enc &= kCipherAliases[j].algorithm_enc;
1069 alias.algorithm_mac &= kCipherAliases[j].algorithm_mac;
1070
1071 // When specifying a combination of aliases, if any aliases
1072 // enables deprecated ciphers, deprecated ciphers are included. This
1073 // is slightly different from the bitmasks in that adding aliases
1074 // can increase the set of matched ciphers. This is so that an alias
1075 // like "RSA" will only specifiy AES-based RSA ciphers, but
1076 // "RSA+3DES" will still specify 3DES.
1077 alias.include_deprecated |= kCipherAliases[j].include_deprecated;
1078
1079 if (alias.min_version != 0 &&
1080 alias.min_version != kCipherAliases[j].min_version) {
1081 skip_rule = true;
1082 } else {
1083 alias.min_version = kCipherAliases[j].min_version;
1084 }
1085 break;
1086 }
1087 }
1088 if (j == kCipherAliasesLen) {
1089 skip_rule = true;
1090 if (strict) {
1091 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1092 return false;
1093 }
1094 }
1095 }
1096
1097 // Check for a multipart rule.
1098 if (ch != '+') {
1099 break;
1100 }
1101 l++;
1102 multi = true;
1103 }
1104
1105 // Ok, we have the rule, now apply it.
1106 if (rule == CIPHER_SPECIAL) {
1107 if (buf_len != 8 || strncmp(buf, "STRENGTH", 8) != 0) {
1108 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1109 return false;
1110 }
1111 if (!ssl_cipher_strength_sort(head_p, tail_p)) {
1112 return false;
1113 }
1114
1115 // We do not support any "multi" options together with "@", so throw away
1116 // the rest of the command, if any left, until end or ':' is found.
1117 while (*l != '\0' && !is_cipher_list_separator(*l, strict)) {
1118 l++;
1119 }
1120 } else if (!skip_rule) {
1121 ssl_cipher_apply_rule(cipher_id, &alias, rule, -1, in_group, head_p,
1122 tail_p);
1123 }
1124 }
1125
1126 if (in_group) {
1127 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
1128 return false;
1129 }
1130
1131 return true;
1132 }
1133
ssl_create_cipher_list(UniquePtr<SSLCipherPreferenceList> * out_cipher_list,const bool has_aes_hw,const char * rule_str,bool strict)1134 bool ssl_create_cipher_list(UniquePtr<SSLCipherPreferenceList> *out_cipher_list,
1135 const bool has_aes_hw, const char *rule_str,
1136 bool strict) {
1137 // Return with error if nothing to do.
1138 if (rule_str == NULL || out_cipher_list == NULL) {
1139 return false;
1140 }
1141
1142 // We prefer ECDHE ciphers over non-PFS ciphers. Then we prefer AEAD over
1143 // non-AEAD. The constants are masked by 0xffff to remove the vestigial 0x03
1144 // byte from SSL 2.0.
1145 static const uint16_t kAESCiphers[] = {
1146 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 & 0xffff,
1147 TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256 & 0xffff,
1148 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 & 0xffff,
1149 TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384 & 0xffff,
1150 };
1151 static const uint16_t kChaChaCiphers[] = {
1152 TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 & 0xffff,
1153 TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 & 0xffff,
1154 TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 & 0xffff,
1155 };
1156 static const uint16_t kLegacyCiphers[] = {
1157 TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA & 0xffff,
1158 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA & 0xffff,
1159 TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA & 0xffff,
1160 TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA & 0xffff,
1161 TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA & 0xffff,
1162 TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA & 0xffff,
1163 TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA256 & 0xffff,
1164 TLS1_CK_RSA_WITH_AES_128_GCM_SHA256 & 0xffff,
1165 TLS1_CK_RSA_WITH_AES_256_GCM_SHA384 & 0xffff,
1166 TLS1_CK_RSA_WITH_AES_128_SHA & 0xffff,
1167 TLS1_CK_PSK_WITH_AES_128_CBC_SHA & 0xffff,
1168 TLS1_CK_RSA_WITH_AES_256_SHA & 0xffff,
1169 TLS1_CK_PSK_WITH_AES_256_CBC_SHA & 0xffff,
1170 SSL3_CK_RSA_DES_192_CBC3_SHA & 0xffff,
1171 };
1172
1173 // Set up a linked list of ciphers.
1174 CIPHER_ORDER co_list[OPENSSL_ARRAY_SIZE(kAESCiphers) +
1175 OPENSSL_ARRAY_SIZE(kChaChaCiphers) +
1176 OPENSSL_ARRAY_SIZE(kLegacyCiphers)];
1177 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(co_list); i++) {
1178 co_list[i].next =
1179 i + 1 < OPENSSL_ARRAY_SIZE(co_list) ? &co_list[i + 1] : nullptr;
1180 co_list[i].prev = i == 0 ? nullptr : &co_list[i - 1];
1181 co_list[i].active = false;
1182 co_list[i].in_group = false;
1183 }
1184 CIPHER_ORDER *head = &co_list[0];
1185 CIPHER_ORDER *tail = &co_list[OPENSSL_ARRAY_SIZE(co_list) - 1];
1186
1187 // Order AES ciphers vs ChaCha ciphers based on whether we have AES hardware.
1188 //
1189 // TODO(crbug.com/boringssl/29): We should also set up equipreference groups
1190 // as a server.
1191 size_t num = 0;
1192 if (has_aes_hw) {
1193 for (uint16_t id : kAESCiphers) {
1194 co_list[num++].cipher = SSL_get_cipher_by_value(id);
1195 assert(co_list[num - 1].cipher != nullptr);
1196 }
1197 }
1198 for (uint16_t id : kChaChaCiphers) {
1199 co_list[num++].cipher = SSL_get_cipher_by_value(id);
1200 assert(co_list[num - 1].cipher != nullptr);
1201 }
1202 if (!has_aes_hw) {
1203 for (uint16_t id : kAESCiphers) {
1204 co_list[num++].cipher = SSL_get_cipher_by_value(id);
1205 assert(co_list[num - 1].cipher != nullptr);
1206 }
1207 }
1208 for (uint16_t id : kLegacyCiphers) {
1209 co_list[num++].cipher = SSL_get_cipher_by_value(id);
1210 assert(co_list[num - 1].cipher != nullptr);
1211 }
1212 assert(num == OPENSSL_ARRAY_SIZE(co_list));
1213 static_assert(OPENSSL_ARRAY_SIZE(co_list) + NumTLS13Ciphers() ==
1214 OPENSSL_ARRAY_SIZE(kCiphers),
1215 "Not all ciphers are included in the cipher order");
1216
1217 // If the rule_string begins with DEFAULT, apply the default rule before
1218 // using the (possibly available) additional rules.
1219 const char *rule_p = rule_str;
1220 if (strncmp(rule_str, "DEFAULT", 7) == 0) {
1221 if (!ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, &head, &tail,
1222 strict)) {
1223 return false;
1224 }
1225 rule_p += 7;
1226 if (*rule_p == ':') {
1227 rule_p++;
1228 }
1229 }
1230
1231 if (*rule_p != '\0' &&
1232 !ssl_cipher_process_rulestr(rule_p, &head, &tail, strict)) {
1233 return false;
1234 }
1235
1236 // Allocate new "cipherstack" for the result, return with error
1237 // if we cannot get one.
1238 UniquePtr<STACK_OF(SSL_CIPHER)> cipherstack(sk_SSL_CIPHER_new_null());
1239 Array<bool> in_group_flags;
1240 if (cipherstack == nullptr ||
1241 !in_group_flags.Init(OPENSSL_ARRAY_SIZE(kCiphers))) {
1242 return false;
1243 }
1244
1245 // The cipher selection for the list is done. The ciphers are added
1246 // to the resulting precedence to the STACK_OF(SSL_CIPHER).
1247 size_t num_in_group_flags = 0;
1248 for (CIPHER_ORDER *curr = head; curr != NULL; curr = curr->next) {
1249 if (curr->active) {
1250 if (!sk_SSL_CIPHER_push(cipherstack.get(), curr->cipher)) {
1251 return false;
1252 }
1253 in_group_flags[num_in_group_flags++] = curr->in_group;
1254 }
1255 }
1256
1257 UniquePtr<SSLCipherPreferenceList> pref_list =
1258 MakeUnique<SSLCipherPreferenceList>();
1259 if (!pref_list ||
1260 !pref_list->Init(
1261 std::move(cipherstack),
1262 MakeConstSpan(in_group_flags).subspan(0, num_in_group_flags))) {
1263 return false;
1264 }
1265
1266 *out_cipher_list = std::move(pref_list);
1267
1268 // Configuring an empty cipher list is an error but still updates the
1269 // output.
1270 if (sk_SSL_CIPHER_num((*out_cipher_list)->ciphers.get()) == 0) {
1271 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHER_MATCH);
1272 return false;
1273 }
1274
1275 return true;
1276 }
1277
ssl_cipher_auth_mask_for_key(const EVP_PKEY * key,bool sign_ok)1278 uint32_t ssl_cipher_auth_mask_for_key(const EVP_PKEY *key, bool sign_ok) {
1279 switch (EVP_PKEY_id(key)) {
1280 case EVP_PKEY_RSA:
1281 return sign_ok ? (SSL_aRSA_SIGN | SSL_aRSA_DECRYPT) : SSL_aRSA_DECRYPT;
1282 case EVP_PKEY_EC:
1283 case EVP_PKEY_ED25519:
1284 // Ed25519 keys in TLS 1.2 repurpose the ECDSA ciphers.
1285 return sign_ok ? SSL_aECDSA : 0;
1286 default:
1287 return 0;
1288 }
1289 }
1290
ssl_cipher_uses_certificate_auth(const SSL_CIPHER * cipher)1291 bool ssl_cipher_uses_certificate_auth(const SSL_CIPHER *cipher) {
1292 return (cipher->algorithm_auth & SSL_aCERT) != 0;
1293 }
1294
ssl_cipher_requires_server_key_exchange(const SSL_CIPHER * cipher)1295 bool ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) {
1296 // Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. It is
1297 // optional or omitted in all others.
1298 return (cipher->algorithm_mkey & SSL_kECDHE) != 0;
1299 }
1300
ssl_cipher_get_record_split_len(const SSL_CIPHER * cipher)1301 size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher) {
1302 size_t block_size;
1303 switch (cipher->algorithm_enc) {
1304 case SSL_3DES:
1305 block_size = 8;
1306 break;
1307 case SSL_AES128:
1308 case SSL_AES256:
1309 block_size = 16;
1310 break;
1311 default:
1312 return 0;
1313 }
1314
1315 // All supported TLS 1.0 ciphers use SHA-1.
1316 assert(cipher->algorithm_mac == SSL_SHA1);
1317 size_t ret = 1 + SHA_DIGEST_LENGTH;
1318 ret += block_size - (ret % block_size);
1319 return ret;
1320 }
1321
1322 BSSL_NAMESPACE_END
1323
1324 using namespace bssl;
1325
ssl_cipher_id_cmp(const SSL_CIPHER * a,const SSL_CIPHER * b)1326 static constexpr int ssl_cipher_id_cmp(const SSL_CIPHER *a,
1327 const SSL_CIPHER *b) {
1328 if (a->id > b->id) {
1329 return 1;
1330 }
1331 if (a->id < b->id) {
1332 return -1;
1333 }
1334 return 0;
1335 }
1336
ssl_cipher_id_cmp_void(const void * in_a,const void * in_b)1337 static int ssl_cipher_id_cmp_void(const void *in_a, const void *in_b) {
1338 return ssl_cipher_id_cmp(reinterpret_cast<const SSL_CIPHER *>(in_a),
1339 reinterpret_cast<const SSL_CIPHER *>(in_b));
1340 }
1341
1342 template <size_t N>
ssl_ciphers_sorted(const SSL_CIPHER (& ciphers)[N])1343 static constexpr bool ssl_ciphers_sorted(const SSL_CIPHER (&ciphers)[N]) {
1344 for (size_t i = 1; i < N; i++) {
1345 if (ssl_cipher_id_cmp(&ciphers[i - 1], &ciphers[i]) >= 0) {
1346 return false;
1347 }
1348 }
1349 return true;
1350 }
1351
1352 static_assert(ssl_ciphers_sorted(kCiphers),
1353 "Ciphers are not sorted, bsearch won't work");
1354
SSL_get_cipher_by_value(uint16_t value)1355 const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value) {
1356 SSL_CIPHER c;
1357
1358 c.id = 0x03000000L | value;
1359 return reinterpret_cast<const SSL_CIPHER *>(bsearch(
1360 &c, kCiphers, OPENSSL_ARRAY_SIZE(kCiphers), sizeof(SSL_CIPHER),
1361 ssl_cipher_id_cmp_void));
1362 }
1363
SSL_CIPHER_get_id(const SSL_CIPHER * cipher)1364 uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher) { return cipher->id; }
1365
SSL_CIPHER_get_protocol_id(const SSL_CIPHER * cipher)1366 uint16_t SSL_CIPHER_get_protocol_id(const SSL_CIPHER *cipher) {
1367 // All OpenSSL cipher IDs are prefaced with 0x03. Historically this referred
1368 // to SSLv2 vs SSLv3.
1369 assert((cipher->id & 0xff000000) == 0x03000000);
1370 return static_cast<uint16_t>(cipher->id);
1371 }
1372
SSL_CIPHER_is_aead(const SSL_CIPHER * cipher)1373 int SSL_CIPHER_is_aead(const SSL_CIPHER *cipher) {
1374 return (cipher->algorithm_mac & SSL_AEAD) != 0;
1375 }
1376
SSL_CIPHER_get_cipher_nid(const SSL_CIPHER * cipher)1377 int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *cipher) {
1378 switch (cipher->algorithm_enc) {
1379 case SSL_3DES:
1380 return NID_des_ede3_cbc;
1381 case SSL_AES128:
1382 return NID_aes_128_cbc;
1383 case SSL_AES256:
1384 return NID_aes_256_cbc;
1385 case SSL_AES128GCM:
1386 return NID_aes_128_gcm;
1387 case SSL_AES256GCM:
1388 return NID_aes_256_gcm;
1389 case SSL_CHACHA20POLY1305:
1390 return NID_chacha20_poly1305;
1391 }
1392 assert(0);
1393 return NID_undef;
1394 }
1395
SSL_CIPHER_get_digest_nid(const SSL_CIPHER * cipher)1396 int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *cipher) {
1397 switch (cipher->algorithm_mac) {
1398 case SSL_AEAD:
1399 return NID_undef;
1400 case SSL_SHA1:
1401 return NID_sha1;
1402 case SSL_SHA256:
1403 return NID_sha256;
1404 }
1405 assert(0);
1406 return NID_undef;
1407 }
1408
SSL_CIPHER_get_kx_nid(const SSL_CIPHER * cipher)1409 int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *cipher) {
1410 switch (cipher->algorithm_mkey) {
1411 case SSL_kRSA:
1412 return NID_kx_rsa;
1413 case SSL_kECDHE:
1414 return NID_kx_ecdhe;
1415 case SSL_kPSK:
1416 return NID_kx_psk;
1417 case SSL_kGENERIC:
1418 return NID_kx_any;
1419 }
1420 assert(0);
1421 return NID_undef;
1422 }
1423
SSL_CIPHER_get_auth_nid(const SSL_CIPHER * cipher)1424 int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *cipher) {
1425 switch (cipher->algorithm_auth) {
1426 case SSL_aRSA_DECRYPT:
1427 case SSL_aRSA_SIGN:
1428 return NID_auth_rsa;
1429 case SSL_aECDSA:
1430 return NID_auth_ecdsa;
1431 case SSL_aPSK:
1432 return NID_auth_psk;
1433 case SSL_aGENERIC:
1434 return NID_auth_any;
1435 }
1436 assert(0);
1437 return NID_undef;
1438 }
1439
SSL_CIPHER_get_handshake_digest(const SSL_CIPHER * cipher)1440 const EVP_MD *SSL_CIPHER_get_handshake_digest(const SSL_CIPHER *cipher) {
1441 switch (cipher->algorithm_prf) {
1442 case SSL_HANDSHAKE_MAC_DEFAULT:
1443 return EVP_md5_sha1();
1444 case SSL_HANDSHAKE_MAC_SHA256:
1445 return EVP_sha256();
1446 case SSL_HANDSHAKE_MAC_SHA384:
1447 return EVP_sha384();
1448 }
1449 assert(0);
1450 return NULL;
1451 }
1452
SSL_CIPHER_get_prf_nid(const SSL_CIPHER * cipher)1453 int SSL_CIPHER_get_prf_nid(const SSL_CIPHER *cipher) {
1454 const EVP_MD *md = SSL_CIPHER_get_handshake_digest(cipher);
1455 if (md == NULL) {
1456 return NID_undef;
1457 }
1458 return EVP_MD_nid(md);
1459 }
1460
SSL_CIPHER_is_block_cipher(const SSL_CIPHER * cipher)1461 int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher) {
1462 return cipher->algorithm_mac != SSL_AEAD;
1463 }
1464
SSL_CIPHER_get_min_version(const SSL_CIPHER * cipher)1465 uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) {
1466 if (cipher->algorithm_mkey == SSL_kGENERIC ||
1467 cipher->algorithm_auth == SSL_aGENERIC) {
1468 return TLS1_3_VERSION;
1469 }
1470
1471 if (cipher->algorithm_prf != SSL_HANDSHAKE_MAC_DEFAULT) {
1472 // Cipher suites before TLS 1.2 use the default PRF, while all those added
1473 // afterwards specify a particular hash.
1474 return TLS1_2_VERSION;
1475 }
1476 return SSL3_VERSION;
1477 }
1478
SSL_CIPHER_get_max_version(const SSL_CIPHER * cipher)1479 uint16_t SSL_CIPHER_get_max_version(const SSL_CIPHER *cipher) {
1480 if (cipher->algorithm_mkey == SSL_kGENERIC ||
1481 cipher->algorithm_auth == SSL_aGENERIC) {
1482 return TLS1_3_VERSION;
1483 }
1484 return TLS1_2_VERSION;
1485 }
1486
1487 static const char* kUnknownCipher = "(NONE)";
1488
1489 // return the actual cipher being used
SSL_CIPHER_get_name(const SSL_CIPHER * cipher)1490 const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) {
1491 if (cipher != NULL) {
1492 return cipher->name;
1493 }
1494
1495 return kUnknownCipher;
1496 }
1497
SSL_CIPHER_standard_name(const SSL_CIPHER * cipher)1498 const char *SSL_CIPHER_standard_name(const SSL_CIPHER *cipher) {
1499 return cipher->standard_name;
1500 }
1501
SSL_CIPHER_get_kx_name(const SSL_CIPHER * cipher)1502 const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) {
1503 if (cipher == NULL) {
1504 return "";
1505 }
1506
1507 switch (cipher->algorithm_mkey) {
1508 case SSL_kRSA:
1509 return "RSA";
1510
1511 case SSL_kECDHE:
1512 switch (cipher->algorithm_auth) {
1513 case SSL_aECDSA:
1514 return "ECDHE_ECDSA";
1515 case SSL_aRSA_SIGN:
1516 return "ECDHE_RSA";
1517 case SSL_aPSK:
1518 return "ECDHE_PSK";
1519 default:
1520 assert(0);
1521 return "UNKNOWN";
1522 }
1523
1524 case SSL_kPSK:
1525 assert(cipher->algorithm_auth == SSL_aPSK);
1526 return "PSK";
1527
1528 case SSL_kGENERIC:
1529 assert(cipher->algorithm_auth == SSL_aGENERIC);
1530 return "GENERIC";
1531
1532 default:
1533 assert(0);
1534 return "UNKNOWN";
1535 }
1536 }
1537
SSL_CIPHER_get_bits(const SSL_CIPHER * cipher,int * out_alg_bits)1538 int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *out_alg_bits) {
1539 if (cipher == NULL) {
1540 return 0;
1541 }
1542
1543 int alg_bits, strength_bits;
1544 switch (cipher->algorithm_enc) {
1545 case SSL_AES128:
1546 case SSL_AES128GCM:
1547 alg_bits = 128;
1548 strength_bits = 128;
1549 break;
1550
1551 case SSL_AES256:
1552 case SSL_AES256GCM:
1553 case SSL_CHACHA20POLY1305:
1554 alg_bits = 256;
1555 strength_bits = 256;
1556 break;
1557
1558 case SSL_3DES:
1559 alg_bits = 168;
1560 strength_bits = 112;
1561 break;
1562
1563 default:
1564 assert(0);
1565 alg_bits = 0;
1566 strength_bits = 0;
1567 }
1568
1569 if (out_alg_bits != NULL) {
1570 *out_alg_bits = alg_bits;
1571 }
1572 return strength_bits;
1573 }
1574
SSL_CIPHER_description(const SSL_CIPHER * cipher,char * buf,int len)1575 const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,
1576 int len) {
1577 const char *kx, *au, *enc, *mac;
1578 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
1579
1580 alg_mkey = cipher->algorithm_mkey;
1581 alg_auth = cipher->algorithm_auth;
1582 alg_enc = cipher->algorithm_enc;
1583 alg_mac = cipher->algorithm_mac;
1584
1585 switch (alg_mkey) {
1586 case SSL_kRSA:
1587 kx = "RSA";
1588 break;
1589
1590 case SSL_kECDHE:
1591 kx = "ECDH";
1592 break;
1593
1594 case SSL_kPSK:
1595 kx = "PSK";
1596 break;
1597
1598 case SSL_kGENERIC:
1599 kx = "GENERIC";
1600 break;
1601
1602 default:
1603 kx = "unknown";
1604 }
1605
1606 switch (alg_auth) {
1607 case SSL_aRSA_DECRYPT:
1608 case SSL_aRSA_SIGN:
1609 au = "RSA";
1610 break;
1611
1612 case SSL_aECDSA:
1613 au = "ECDSA";
1614 break;
1615
1616 case SSL_aPSK:
1617 au = "PSK";
1618 break;
1619
1620 case SSL_aGENERIC:
1621 au = "GENERIC";
1622 break;
1623
1624 default:
1625 au = "unknown";
1626 break;
1627 }
1628
1629 switch (alg_enc) {
1630 case SSL_3DES:
1631 enc = "3DES(168)";
1632 break;
1633
1634 case SSL_AES128:
1635 enc = "AES(128)";
1636 break;
1637
1638 case SSL_AES256:
1639 enc = "AES(256)";
1640 break;
1641
1642 case SSL_AES128GCM:
1643 enc = "AESGCM(128)";
1644 break;
1645
1646 case SSL_AES256GCM:
1647 enc = "AESGCM(256)";
1648 break;
1649
1650 case SSL_CHACHA20POLY1305:
1651 enc = "ChaCha20-Poly1305";
1652 break;
1653
1654 default:
1655 enc = "unknown";
1656 break;
1657 }
1658
1659 switch (alg_mac) {
1660 case SSL_SHA1:
1661 mac = "SHA1";
1662 break;
1663
1664 case SSL_SHA256:
1665 mac = "SHA256";
1666 break;
1667
1668 case SSL_AEAD:
1669 mac = "AEAD";
1670 break;
1671
1672 default:
1673 mac = "unknown";
1674 break;
1675 }
1676
1677 if (buf == NULL) {
1678 len = 128;
1679 buf = (char *)OPENSSL_malloc(len);
1680 if (buf == NULL) {
1681 return NULL;
1682 }
1683 } else if (len < 128) {
1684 return "Buffer too small";
1685 }
1686
1687 snprintf(buf, len, "%-23s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n", cipher->name,
1688 kx, au, enc, mac);
1689 return buf;
1690 }
1691
SSL_CIPHER_get_version(const SSL_CIPHER * cipher)1692 const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher) {
1693 return "TLSv1/SSLv3";
1694 }
1695
STACK_OF(SSL_COMP)1696 STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void) { return NULL; }
1697
SSL_COMP_add_compression_method(int id,COMP_METHOD * cm)1698 int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) { return 1; }
1699
SSL_COMP_get_name(const COMP_METHOD * comp)1700 const char *SSL_COMP_get_name(const COMP_METHOD *comp) { return NULL; }
1701
SSL_COMP_get0_name(const SSL_COMP * comp)1702 const char *SSL_COMP_get0_name(const SSL_COMP *comp) { return comp->name; }
1703
SSL_COMP_get_id(const SSL_COMP * comp)1704 int SSL_COMP_get_id(const SSL_COMP *comp) { return comp->id; }
1705
SSL_COMP_free_compression_methods(void)1706 void SSL_COMP_free_compression_methods(void) {}
1707
SSL_get_all_cipher_names(const char ** out,size_t max_out)1708 size_t SSL_get_all_cipher_names(const char **out, size_t max_out) {
1709 return GetAllNames(out, max_out, MakeConstSpan(&kUnknownCipher, 1),
1710 &SSL_CIPHER::name, MakeConstSpan(kCiphers));
1711 }
1712
SSL_get_all_standard_cipher_names(const char ** out,size_t max_out)1713 size_t SSL_get_all_standard_cipher_names(const char **out, size_t max_out) {
1714 return GetAllNames(out, max_out, Span<const char *>(),
1715 &SSL_CIPHER::standard_name, MakeConstSpan(kCiphers));
1716 }
1717