1 /* 2 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved 4 * Copyright 2005 Nokia. All rights reserved. 5 * 6 * Licensed under the Apache License 2.0 (the "License"). You may not use 7 * this file except in compliance with the License. You can obtain a copy 8 * in the file LICENSE in the source distribution or at 9 * https://www.openssl.org/source/license.html 10 */ 11 12 #include <stdio.h> 13 #include <ctype.h> 14 #include <openssl/objects.h> 15 #include <openssl/comp.h> 16 #include <openssl/engine.h> 17 #include <openssl/crypto.h> 18 #include <openssl/conf.h> 19 #include <openssl/trace.h> 20 #include "internal/nelem.h" 21 #include "ssl_local.h" 22 #include "internal/thread_once.h" 23 #include "internal/cryptlib.h" 24 #include "internal/comp.h" 25 #include "internal/ssl_unwrap.h" 26 27 /* NB: make sure indices in these tables match values above */ 28 29 typedef struct { 30 uint32_t mask; 31 int nid; 32 } ssl_cipher_table; 33 34 /* Table of NIDs for each cipher */ 35 static const ssl_cipher_table ssl_cipher_table_cipher[SSL_ENC_NUM_IDX] = { 36 {SSL_DES, NID_des_cbc}, /* SSL_ENC_DES_IDX 0 */ 37 {SSL_3DES, NID_des_ede3_cbc}, /* SSL_ENC_3DES_IDX 1 */ 38 {SSL_RC4, NID_rc4}, /* SSL_ENC_RC4_IDX 2 */ 39 {SSL_RC2, NID_rc2_cbc}, /* SSL_ENC_RC2_IDX 3 */ 40 {SSL_IDEA, NID_idea_cbc}, /* SSL_ENC_IDEA_IDX 4 */ 41 {SSL_eNULL, NID_undef}, /* SSL_ENC_NULL_IDX 5 */ 42 {SSL_AES128, NID_aes_128_cbc}, /* SSL_ENC_AES128_IDX 6 */ 43 {SSL_AES256, NID_aes_256_cbc}, /* SSL_ENC_AES256_IDX 7 */ 44 {SSL_CAMELLIA128, NID_camellia_128_cbc}, /* SSL_ENC_CAMELLIA128_IDX 8 */ 45 {SSL_CAMELLIA256, NID_camellia_256_cbc}, /* SSL_ENC_CAMELLIA256_IDX 9 */ 46 {SSL_eGOST2814789CNT, NID_gost89_cnt}, /* SSL_ENC_GOST89_IDX 10 */ 47 {SSL_SEED, NID_seed_cbc}, /* SSL_ENC_SEED_IDX 11 */ 48 {SSL_AES128GCM, NID_aes_128_gcm}, /* SSL_ENC_AES128GCM_IDX 12 */ 49 {SSL_AES256GCM, NID_aes_256_gcm}, /* SSL_ENC_AES256GCM_IDX 13 */ 50 {SSL_AES128CCM, NID_aes_128_ccm}, /* SSL_ENC_AES128CCM_IDX 14 */ 51 {SSL_AES256CCM, NID_aes_256_ccm}, /* SSL_ENC_AES256CCM_IDX 15 */ 52 {SSL_AES128CCM8, NID_aes_128_ccm}, /* SSL_ENC_AES128CCM8_IDX 16 */ 53 {SSL_AES256CCM8, NID_aes_256_ccm}, /* SSL_ENC_AES256CCM8_IDX 17 */ 54 {SSL_eGOST2814789CNT12, NID_gost89_cnt_12}, /* SSL_ENC_GOST8912_IDX 18 */ 55 {SSL_CHACHA20POLY1305, NID_chacha20_poly1305}, /* SSL_ENC_CHACHA_IDX 19 */ 56 {SSL_ARIA128GCM, NID_aria_128_gcm}, /* SSL_ENC_ARIA128GCM_IDX 20 */ 57 {SSL_ARIA256GCM, NID_aria_256_gcm}, /* SSL_ENC_ARIA256GCM_IDX 21 */ 58 {SSL_MAGMA, NID_magma_ctr_acpkm}, /* SSL_ENC_MAGMA_IDX */ 59 {SSL_KUZNYECHIK, NID_kuznyechik_ctr_acpkm}, /* SSL_ENC_KUZNYECHIK_IDX */ 60 }; 61 62 /* NB: make sure indices in this table matches values above */ 63 static const ssl_cipher_table ssl_cipher_table_mac[SSL_MD_NUM_IDX] = { 64 {SSL_MD5, NID_md5}, /* SSL_MD_MD5_IDX 0 */ 65 {SSL_SHA1, NID_sha1}, /* SSL_MD_SHA1_IDX 1 */ 66 {SSL_GOST94, NID_id_GostR3411_94}, /* SSL_MD_GOST94_IDX 2 */ 67 {SSL_GOST89MAC, NID_id_Gost28147_89_MAC}, /* SSL_MD_GOST89MAC_IDX 3 */ 68 {SSL_SHA256, NID_sha256}, /* SSL_MD_SHA256_IDX 4 */ 69 {SSL_SHA384, NID_sha384}, /* SSL_MD_SHA384_IDX 5 */ 70 {SSL_GOST12_256, NID_id_GostR3411_2012_256}, /* SSL_MD_GOST12_256_IDX 6 */ 71 {SSL_GOST89MAC12, NID_gost_mac_12}, /* SSL_MD_GOST89MAC12_IDX 7 */ 72 {SSL_GOST12_512, NID_id_GostR3411_2012_512}, /* SSL_MD_GOST12_512_IDX 8 */ 73 {0, NID_md5_sha1}, /* SSL_MD_MD5_SHA1_IDX 9 */ 74 {0, NID_sha224}, /* SSL_MD_SHA224_IDX 10 */ 75 {0, NID_sha512}, /* SSL_MD_SHA512_IDX 11 */ 76 {SSL_MAGMAOMAC, NID_magma_mac}, /* sSL_MD_MAGMAOMAC_IDX */ 77 {SSL_KUZNYECHIKOMAC, NID_kuznyechik_mac} /* SSL_MD_KUZNYECHIKOMAC_IDX */ 78 }; 79 80 /* *INDENT-OFF* */ 81 static const ssl_cipher_table ssl_cipher_table_kx[] = { 82 {SSL_kRSA, NID_kx_rsa}, 83 {SSL_kECDHE, NID_kx_ecdhe}, 84 {SSL_kDHE, NID_kx_dhe}, 85 {SSL_kECDHEPSK, NID_kx_ecdhe_psk}, 86 {SSL_kDHEPSK, NID_kx_dhe_psk}, 87 {SSL_kRSAPSK, NID_kx_rsa_psk}, 88 {SSL_kPSK, NID_kx_psk}, 89 {SSL_kSRP, NID_kx_srp}, 90 {SSL_kGOST, NID_kx_gost}, 91 {SSL_kGOST18, NID_kx_gost18}, 92 {SSL_kANY, NID_kx_any} 93 }; 94 95 static const ssl_cipher_table ssl_cipher_table_auth[] = { 96 {SSL_aRSA, NID_auth_rsa}, 97 {SSL_aECDSA, NID_auth_ecdsa}, 98 {SSL_aPSK, NID_auth_psk}, 99 {SSL_aDSS, NID_auth_dss}, 100 {SSL_aGOST01, NID_auth_gost01}, 101 {SSL_aGOST12, NID_auth_gost12}, 102 {SSL_aSRP, NID_auth_srp}, 103 {SSL_aNULL, NID_auth_null}, 104 {SSL_aANY, NID_auth_any} 105 }; 106 /* *INDENT-ON* */ 107 108 /* Utility function for table lookup */ 109 static int ssl_cipher_info_find(const ssl_cipher_table *table, 110 size_t table_cnt, uint32_t mask) 111 { 112 size_t i; 113 for (i = 0; i < table_cnt; i++, table++) { 114 if (table->mask == mask) 115 return (int)i; 116 } 117 return -1; 118 } 119 120 #define ssl_cipher_info_lookup(table, x) \ 121 ssl_cipher_info_find(table, OSSL_NELEM(table), x) 122 123 /* 124 * PKEY_TYPE for GOST89MAC is known in advance, but, because implementation 125 * is engine-provided, we'll fill it only if corresponding EVP_PKEY_METHOD is 126 * found 127 */ 128 static const int default_mac_pkey_id[SSL_MD_NUM_IDX] = { 129 /* MD5, SHA, GOST94, MAC89 */ 130 EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, NID_undef, 131 /* SHA256, SHA384, GOST2012_256, MAC89-12 */ 132 EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, NID_undef, 133 /* GOST2012_512 */ 134 EVP_PKEY_HMAC, 135 /* MD5/SHA1, SHA224, SHA512, MAGMAOMAC, KUZNYECHIKOMAC */ 136 NID_undef, NID_undef, NID_undef, NID_undef, NID_undef 137 }; 138 139 #define CIPHER_ADD 1 140 #define CIPHER_KILL 2 141 #define CIPHER_DEL 3 142 #define CIPHER_ORD 4 143 #define CIPHER_SPECIAL 5 144 /* 145 * Bump the ciphers to the top of the list. 146 * This rule isn't currently supported by the public cipherstring API. 147 */ 148 #define CIPHER_BUMP 6 149 150 typedef struct cipher_order_st { 151 const SSL_CIPHER *cipher; 152 int active; 153 int dead; 154 struct cipher_order_st *next, *prev; 155 } CIPHER_ORDER; 156 157 static const SSL_CIPHER cipher_aliases[] = { 158 /* "ALL" doesn't include eNULL (must be specifically enabled) */ 159 {0, SSL_TXT_ALL, NULL, 0, 0, 0, ~SSL_eNULL}, 160 /* "COMPLEMENTOFALL" */ 161 {0, SSL_TXT_CMPALL, NULL, 0, 0, 0, SSL_eNULL}, 162 163 /* 164 * "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in 165 * ALL!) 166 */ 167 {0, SSL_TXT_CMPDEF, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_NOT_DEFAULT}, 168 169 /* 170 * key exchange aliases (some of those using only a single bit here 171 * combine multiple key exchange algs according to the RFCs, e.g. kDHE 172 * combines DHE_DSS and DHE_RSA) 173 */ 174 {0, SSL_TXT_kRSA, NULL, 0, SSL_kRSA}, 175 176 {0, SSL_TXT_kEDH, NULL, 0, SSL_kDHE}, 177 {0, SSL_TXT_kDHE, NULL, 0, SSL_kDHE}, 178 {0, SSL_TXT_DH, NULL, 0, SSL_kDHE}, 179 180 {0, SSL_TXT_kEECDH, NULL, 0, SSL_kECDHE}, 181 {0, SSL_TXT_kECDHE, NULL, 0, SSL_kECDHE}, 182 {0, SSL_TXT_ECDH, NULL, 0, SSL_kECDHE}, 183 184 {0, SSL_TXT_kPSK, NULL, 0, SSL_kPSK}, 185 {0, SSL_TXT_kRSAPSK, NULL, 0, SSL_kRSAPSK}, 186 {0, SSL_TXT_kECDHEPSK, NULL, 0, SSL_kECDHEPSK}, 187 {0, SSL_TXT_kDHEPSK, NULL, 0, SSL_kDHEPSK}, 188 {0, SSL_TXT_kSRP, NULL, 0, SSL_kSRP}, 189 {0, SSL_TXT_kGOST, NULL, 0, SSL_kGOST}, 190 {0, SSL_TXT_kGOST18, NULL, 0, SSL_kGOST18}, 191 192 /* server authentication aliases */ 193 {0, SSL_TXT_aRSA, NULL, 0, 0, SSL_aRSA}, 194 {0, SSL_TXT_aDSS, NULL, 0, 0, SSL_aDSS}, 195 {0, SSL_TXT_DSS, NULL, 0, 0, SSL_aDSS}, 196 {0, SSL_TXT_aNULL, NULL, 0, 0, SSL_aNULL}, 197 {0, SSL_TXT_aECDSA, NULL, 0, 0, SSL_aECDSA}, 198 {0, SSL_TXT_ECDSA, NULL, 0, 0, SSL_aECDSA}, 199 {0, SSL_TXT_aPSK, NULL, 0, 0, SSL_aPSK}, 200 {0, SSL_TXT_aGOST01, NULL, 0, 0, SSL_aGOST01}, 201 {0, SSL_TXT_aGOST12, NULL, 0, 0, SSL_aGOST12}, 202 {0, SSL_TXT_aGOST, NULL, 0, 0, SSL_aGOST01 | SSL_aGOST12}, 203 {0, SSL_TXT_aSRP, NULL, 0, 0, SSL_aSRP}, 204 205 /* aliases combining key exchange and server authentication */ 206 {0, SSL_TXT_EDH, NULL, 0, SSL_kDHE, ~SSL_aNULL}, 207 {0, SSL_TXT_DHE, NULL, 0, SSL_kDHE, ~SSL_aNULL}, 208 {0, SSL_TXT_EECDH, NULL, 0, SSL_kECDHE, ~SSL_aNULL}, 209 {0, SSL_TXT_ECDHE, NULL, 0, SSL_kECDHE, ~SSL_aNULL}, 210 {0, SSL_TXT_NULL, NULL, 0, 0, 0, SSL_eNULL}, 211 {0, SSL_TXT_RSA, NULL, 0, SSL_kRSA, SSL_aRSA}, 212 {0, SSL_TXT_ADH, NULL, 0, SSL_kDHE, SSL_aNULL}, 213 {0, SSL_TXT_AECDH, NULL, 0, SSL_kECDHE, SSL_aNULL}, 214 {0, SSL_TXT_PSK, NULL, 0, SSL_PSK}, 215 {0, SSL_TXT_SRP, NULL, 0, SSL_kSRP}, 216 217 /* symmetric encryption aliases */ 218 {0, SSL_TXT_3DES, NULL, 0, 0, 0, SSL_3DES}, 219 {0, SSL_TXT_RC4, NULL, 0, 0, 0, SSL_RC4}, 220 {0, SSL_TXT_RC2, NULL, 0, 0, 0, SSL_RC2}, 221 {0, SSL_TXT_IDEA, NULL, 0, 0, 0, SSL_IDEA}, 222 {0, SSL_TXT_SEED, NULL, 0, 0, 0, SSL_SEED}, 223 {0, SSL_TXT_eNULL, NULL, 0, 0, 0, SSL_eNULL}, 224 {0, SSL_TXT_GOST, NULL, 0, 0, 0, 225 SSL_eGOST2814789CNT | SSL_eGOST2814789CNT12 | SSL_MAGMA | SSL_KUZNYECHIK}, 226 {0, SSL_TXT_AES128, NULL, 0, 0, 0, 227 SSL_AES128 | SSL_AES128GCM | SSL_AES128CCM | SSL_AES128CCM8}, 228 {0, SSL_TXT_AES256, NULL, 0, 0, 0, 229 SSL_AES256 | SSL_AES256GCM | SSL_AES256CCM | SSL_AES256CCM8}, 230 {0, SSL_TXT_AES, NULL, 0, 0, 0, SSL_AES}, 231 {0, SSL_TXT_AES_GCM, NULL, 0, 0, 0, SSL_AES128GCM | SSL_AES256GCM}, 232 {0, SSL_TXT_AES_CCM, NULL, 0, 0, 0, 233 SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8}, 234 {0, SSL_TXT_AES_CCM_8, NULL, 0, 0, 0, SSL_AES128CCM8 | SSL_AES256CCM8}, 235 {0, SSL_TXT_CAMELLIA128, NULL, 0, 0, 0, SSL_CAMELLIA128}, 236 {0, SSL_TXT_CAMELLIA256, NULL, 0, 0, 0, SSL_CAMELLIA256}, 237 {0, SSL_TXT_CAMELLIA, NULL, 0, 0, 0, SSL_CAMELLIA}, 238 {0, SSL_TXT_CHACHA20, NULL, 0, 0, 0, SSL_CHACHA20}, 239 {0, SSL_TXT_GOST2012_GOST8912_GOST8912, NULL, 0, 0, 0, SSL_eGOST2814789CNT12}, 240 241 {0, SSL_TXT_ARIA, NULL, 0, 0, 0, SSL_ARIA}, 242 {0, SSL_TXT_ARIA_GCM, NULL, 0, 0, 0, SSL_ARIA128GCM | SSL_ARIA256GCM}, 243 {0, SSL_TXT_ARIA128, NULL, 0, 0, 0, SSL_ARIA128GCM}, 244 {0, SSL_TXT_ARIA256, NULL, 0, 0, 0, SSL_ARIA256GCM}, 245 {0, SSL_TXT_CBC, NULL, 0, 0, 0, SSL_CBC}, 246 247 /* MAC aliases */ 248 {0, SSL_TXT_MD5, NULL, 0, 0, 0, 0, SSL_MD5}, 249 {0, SSL_TXT_SHA1, NULL, 0, 0, 0, 0, SSL_SHA1}, 250 {0, SSL_TXT_SHA, NULL, 0, 0, 0, 0, SSL_SHA1}, 251 {0, SSL_TXT_GOST94, NULL, 0, 0, 0, 0, SSL_GOST94}, 252 {0, SSL_TXT_GOST89MAC, NULL, 0, 0, 0, 0, SSL_GOST89MAC | SSL_GOST89MAC12}, 253 {0, SSL_TXT_SHA256, NULL, 0, 0, 0, 0, SSL_SHA256}, 254 {0, SSL_TXT_SHA384, NULL, 0, 0, 0, 0, SSL_SHA384}, 255 {0, SSL_TXT_GOST12, NULL, 0, 0, 0, 0, SSL_GOST12_256}, 256 257 /* protocol version aliases */ 258 {0, SSL_TXT_SSLV3, NULL, 0, 0, 0, 0, 0, SSL3_VERSION}, 259 {0, SSL_TXT_TLSV1, NULL, 0, 0, 0, 0, 0, TLS1_VERSION}, 260 {0, "TLSv1.0", NULL, 0, 0, 0, 0, 0, TLS1_VERSION}, 261 {0, SSL_TXT_TLSV1_2, NULL, 0, 0, 0, 0, 0, TLS1_2_VERSION}, 262 263 /* strength classes */ 264 {0, SSL_TXT_LOW, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_LOW}, 265 {0, SSL_TXT_MEDIUM, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_MEDIUM}, 266 {0, SSL_TXT_HIGH, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_HIGH}, 267 /* FIPS 140-2 approved ciphersuite */ 268 {0, SSL_TXT_FIPS, NULL, 0, 0, 0, ~SSL_eNULL, 0, 0, 0, 0, 0, SSL_FIPS}, 269 270 /* "EDH-" aliases to "DHE-" labels (for backward compatibility) */ 271 {0, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, NULL, 0, 272 SSL_kDHE, SSL_aDSS, SSL_3DES, SSL_SHA1, 0, 0, 0, 0, SSL_HIGH | SSL_FIPS}, 273 {0, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, NULL, 0, 274 SSL_kDHE, SSL_aRSA, SSL_3DES, SSL_SHA1, 0, 0, 0, 0, SSL_HIGH | SSL_FIPS}, 275 276 }; 277 278 /* 279 * Search for public key algorithm with given name and return its pkey_id if 280 * it is available. Otherwise return 0 281 */ 282 #ifdef OPENSSL_NO_ENGINE 283 284 static int get_optional_pkey_id(const char *pkey_name) 285 { 286 const EVP_PKEY_ASN1_METHOD *ameth; 287 int pkey_id = 0; 288 ameth = EVP_PKEY_asn1_find_str(NULL, pkey_name, -1); 289 if (ameth && EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, 290 ameth) > 0) 291 return pkey_id; 292 return 0; 293 } 294 295 #else 296 297 static int get_optional_pkey_id(const char *pkey_name) 298 { 299 const EVP_PKEY_ASN1_METHOD *ameth; 300 ENGINE *tmpeng = NULL; 301 int pkey_id = 0; 302 ameth = EVP_PKEY_asn1_find_str(&tmpeng, pkey_name, -1); 303 if (ameth) { 304 if (EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, 305 ameth) <= 0) 306 pkey_id = 0; 307 } 308 tls_engine_finish(tmpeng); 309 return pkey_id; 310 } 311 312 #endif 313 314 int ssl_load_ciphers(SSL_CTX *ctx) 315 { 316 size_t i; 317 const ssl_cipher_table *t; 318 EVP_KEYEXCH *kex = NULL; 319 EVP_SIGNATURE *sig = NULL; 320 321 ctx->disabled_enc_mask = 0; 322 for (i = 0, t = ssl_cipher_table_cipher; i < SSL_ENC_NUM_IDX; i++, t++) { 323 if (t->nid != NID_undef) { 324 const EVP_CIPHER *cipher 325 = ssl_evp_cipher_fetch(ctx->libctx, t->nid, ctx->propq); 326 327 ctx->ssl_cipher_methods[i] = cipher; 328 if (cipher == NULL) 329 ctx->disabled_enc_mask |= t->mask; 330 } 331 } 332 ctx->disabled_mac_mask = 0; 333 for (i = 0, t = ssl_cipher_table_mac; i < SSL_MD_NUM_IDX; i++, t++) { 334 const EVP_MD *md 335 = ssl_evp_md_fetch(ctx->libctx, t->nid, ctx->propq); 336 337 ctx->ssl_digest_methods[i] = md; 338 if (md == NULL) { 339 ctx->disabled_mac_mask |= t->mask; 340 } else { 341 int tmpsize = EVP_MD_get_size(md); 342 343 if (!ossl_assert(tmpsize > 0)) 344 return 0; 345 ctx->ssl_mac_secret_size[i] = tmpsize; 346 } 347 } 348 349 ctx->disabled_mkey_mask = 0; 350 ctx->disabled_auth_mask = 0; 351 352 /* 353 * We ignore any errors from the fetches below. They are expected to fail 354 * if these algorithms are not available. 355 */ 356 ERR_set_mark(); 357 sig = EVP_SIGNATURE_fetch(ctx->libctx, "DSA", ctx->propq); 358 if (sig == NULL) 359 ctx->disabled_auth_mask |= SSL_aDSS; 360 else 361 EVP_SIGNATURE_free(sig); 362 kex = EVP_KEYEXCH_fetch(ctx->libctx, "DH", ctx->propq); 363 if (kex == NULL) 364 ctx->disabled_mkey_mask |= SSL_kDHE | SSL_kDHEPSK; 365 else 366 EVP_KEYEXCH_free(kex); 367 kex = EVP_KEYEXCH_fetch(ctx->libctx, "ECDH", ctx->propq); 368 if (kex == NULL) 369 ctx->disabled_mkey_mask |= SSL_kECDHE | SSL_kECDHEPSK; 370 else 371 EVP_KEYEXCH_free(kex); 372 sig = EVP_SIGNATURE_fetch(ctx->libctx, "ECDSA", ctx->propq); 373 if (sig == NULL) 374 ctx->disabled_auth_mask |= SSL_aECDSA; 375 else 376 EVP_SIGNATURE_free(sig); 377 ERR_pop_to_mark(); 378 379 #ifdef OPENSSL_NO_PSK 380 ctx->disabled_mkey_mask |= SSL_PSK; 381 ctx->disabled_auth_mask |= SSL_aPSK; 382 #endif 383 #ifdef OPENSSL_NO_SRP 384 ctx->disabled_mkey_mask |= SSL_kSRP; 385 #endif 386 387 /* 388 * Check for presence of GOST 34.10 algorithms, and if they are not 389 * present, disable appropriate auth and key exchange 390 */ 391 memcpy(ctx->ssl_mac_pkey_id, default_mac_pkey_id, 392 sizeof(ctx->ssl_mac_pkey_id)); 393 394 ctx->ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] = 395 get_optional_pkey_id(SN_id_Gost28147_89_MAC); 396 if (ctx->ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]) 397 ctx->ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32; 398 else 399 ctx->disabled_mac_mask |= SSL_GOST89MAC; 400 401 ctx->ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX] = 402 get_optional_pkey_id(SN_gost_mac_12); 403 if (ctx->ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX]) 404 ctx->ssl_mac_secret_size[SSL_MD_GOST89MAC12_IDX] = 32; 405 else 406 ctx->disabled_mac_mask |= SSL_GOST89MAC12; 407 408 ctx->ssl_mac_pkey_id[SSL_MD_MAGMAOMAC_IDX] = 409 get_optional_pkey_id(SN_magma_mac); 410 if (ctx->ssl_mac_pkey_id[SSL_MD_MAGMAOMAC_IDX]) 411 ctx->ssl_mac_secret_size[SSL_MD_MAGMAOMAC_IDX] = 32; 412 else 413 ctx->disabled_mac_mask |= SSL_MAGMAOMAC; 414 415 ctx->ssl_mac_pkey_id[SSL_MD_KUZNYECHIKOMAC_IDX] = 416 get_optional_pkey_id(SN_kuznyechik_mac); 417 if (ctx->ssl_mac_pkey_id[SSL_MD_KUZNYECHIKOMAC_IDX]) 418 ctx->ssl_mac_secret_size[SSL_MD_KUZNYECHIKOMAC_IDX] = 32; 419 else 420 ctx->disabled_mac_mask |= SSL_KUZNYECHIKOMAC; 421 422 if (!get_optional_pkey_id(SN_id_GostR3410_2001)) 423 ctx->disabled_auth_mask |= SSL_aGOST01 | SSL_aGOST12; 424 if (!get_optional_pkey_id(SN_id_GostR3410_2012_256)) 425 ctx->disabled_auth_mask |= SSL_aGOST12; 426 if (!get_optional_pkey_id(SN_id_GostR3410_2012_512)) 427 ctx->disabled_auth_mask |= SSL_aGOST12; 428 /* 429 * Disable GOST key exchange if no GOST signature algs are available * 430 */ 431 if ((ctx->disabled_auth_mask & (SSL_aGOST01 | SSL_aGOST12)) == 432 (SSL_aGOST01 | SSL_aGOST12)) 433 ctx->disabled_mkey_mask |= SSL_kGOST; 434 435 if ((ctx->disabled_auth_mask & SSL_aGOST12) == SSL_aGOST12) 436 ctx->disabled_mkey_mask |= SSL_kGOST18; 437 438 return 1; 439 } 440 441 int ssl_cipher_get_evp_cipher(SSL_CTX *ctx, const SSL_CIPHER *sslc, 442 const EVP_CIPHER **enc) 443 { 444 int i = ssl_cipher_info_lookup(ssl_cipher_table_cipher, 445 sslc->algorithm_enc); 446 447 if (i == -1) { 448 *enc = NULL; 449 } else { 450 if (i == SSL_ENC_NULL_IDX) { 451 /* 452 * We assume we don't care about this coming from an ENGINE so 453 * just do a normal EVP_CIPHER_fetch instead of 454 * ssl_evp_cipher_fetch() 455 */ 456 *enc = EVP_CIPHER_fetch(ctx->libctx, "NULL", ctx->propq); 457 if (*enc == NULL) 458 return 0; 459 } else { 460 const EVP_CIPHER *cipher = ctx->ssl_cipher_methods[i]; 461 462 if (cipher == NULL 463 || !ssl_evp_cipher_up_ref(cipher)) 464 return 0; 465 *enc = ctx->ssl_cipher_methods[i]; 466 } 467 } 468 return 1; 469 } 470 471 int ssl_cipher_get_evp_md_mac(SSL_CTX *ctx, const SSL_CIPHER *sslc, 472 const EVP_MD **md, 473 int *mac_pkey_type, size_t *mac_secret_size) 474 { 475 int i = ssl_cipher_info_lookup(ssl_cipher_table_mac, sslc->algorithm_mac); 476 477 if (i == -1) { 478 *md = NULL; 479 if (mac_pkey_type != NULL) 480 *mac_pkey_type = NID_undef; 481 if (mac_secret_size != NULL) 482 *mac_secret_size = 0; 483 } else { 484 const EVP_MD *digest = ctx->ssl_digest_methods[i]; 485 486 if (digest == NULL || !ssl_evp_md_up_ref(digest)) 487 return 0; 488 489 *md = digest; 490 if (mac_pkey_type != NULL) 491 *mac_pkey_type = ctx->ssl_mac_pkey_id[i]; 492 if (mac_secret_size != NULL) 493 *mac_secret_size = ctx->ssl_mac_secret_size[i]; 494 } 495 return 1; 496 } 497 498 int ssl_cipher_get_evp(SSL_CTX *ctx, const SSL_SESSION *s, 499 const EVP_CIPHER **enc, const EVP_MD **md, 500 int *mac_pkey_type, size_t *mac_secret_size, 501 SSL_COMP **comp, int use_etm) 502 { 503 int i; 504 const SSL_CIPHER *c; 505 506 c = s->cipher; 507 if (c == NULL) 508 return 0; 509 if (comp != NULL) { 510 SSL_COMP ctmp; 511 STACK_OF(SSL_COMP) *comp_methods; 512 513 *comp = NULL; 514 ctmp.id = s->compress_meth; 515 comp_methods = SSL_COMP_get_compression_methods(); 516 if (comp_methods != NULL) { 517 i = sk_SSL_COMP_find(comp_methods, &ctmp); 518 if (i >= 0) 519 *comp = sk_SSL_COMP_value(comp_methods, i); 520 } 521 /* If were only interested in comp then return success */ 522 if ((enc == NULL) && (md == NULL)) 523 return 1; 524 } 525 526 if ((enc == NULL) || (md == NULL)) 527 return 0; 528 529 if (!ssl_cipher_get_evp_cipher(ctx, c, enc)) 530 return 0; 531 532 if (!ssl_cipher_get_evp_md_mac(ctx, c, md, mac_pkey_type, 533 mac_secret_size)) { 534 ssl_evp_cipher_free(*enc); 535 return 0; 536 } 537 538 if ((*enc != NULL) 539 && (*md != NULL 540 || (EVP_CIPHER_get_flags(*enc) & EVP_CIPH_FLAG_AEAD_CIPHER)) 541 && (c->algorithm_mac == SSL_AEAD 542 || mac_pkey_type == NULL || *mac_pkey_type != NID_undef)) { 543 const EVP_CIPHER *evp = NULL; 544 545 if (use_etm 546 || s->ssl_version >> 8 != TLS1_VERSION_MAJOR 547 || s->ssl_version < TLS1_VERSION) 548 return 1; 549 550 if (c->algorithm_enc == SSL_RC4 551 && c->algorithm_mac == SSL_MD5) 552 evp = ssl_evp_cipher_fetch(ctx->libctx, NID_rc4_hmac_md5, 553 ctx->propq); 554 else if (c->algorithm_enc == SSL_AES128 555 && c->algorithm_mac == SSL_SHA1) 556 evp = ssl_evp_cipher_fetch(ctx->libctx, 557 NID_aes_128_cbc_hmac_sha1, 558 ctx->propq); 559 else if (c->algorithm_enc == SSL_AES256 560 && c->algorithm_mac == SSL_SHA1) 561 evp = ssl_evp_cipher_fetch(ctx->libctx, 562 NID_aes_256_cbc_hmac_sha1, 563 ctx->propq); 564 else if (c->algorithm_enc == SSL_AES128 565 && c->algorithm_mac == SSL_SHA256) 566 evp = ssl_evp_cipher_fetch(ctx->libctx, 567 NID_aes_128_cbc_hmac_sha256, 568 ctx->propq); 569 else if (c->algorithm_enc == SSL_AES256 570 && c->algorithm_mac == SSL_SHA256) 571 evp = ssl_evp_cipher_fetch(ctx->libctx, 572 NID_aes_256_cbc_hmac_sha256, 573 ctx->propq); 574 575 if (evp != NULL) { 576 ssl_evp_cipher_free(*enc); 577 ssl_evp_md_free(*md); 578 *enc = evp; 579 *md = NULL; 580 } 581 return 1; 582 } 583 584 return 0; 585 } 586 587 const EVP_MD *ssl_md(SSL_CTX *ctx, int idx) 588 { 589 idx &= SSL_HANDSHAKE_MAC_MASK; 590 if (idx < 0 || idx >= SSL_MD_NUM_IDX) 591 return NULL; 592 return ctx->ssl_digest_methods[idx]; 593 } 594 595 const EVP_MD *ssl_handshake_md(SSL_CONNECTION *s) 596 { 597 return ssl_md(SSL_CONNECTION_GET_CTX(s), ssl_get_algorithm2(s)); 598 } 599 600 const EVP_MD *ssl_prf_md(SSL_CONNECTION *s) 601 { 602 return ssl_md(SSL_CONNECTION_GET_CTX(s), 603 ssl_get_algorithm2(s) >> TLS1_PRF_DGST_SHIFT); 604 } 605 606 607 #define ITEM_SEP(a) \ 608 (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ',')) 609 610 static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr, 611 CIPHER_ORDER **tail) 612 { 613 if (curr == *tail) 614 return; 615 if (curr == *head) 616 *head = curr->next; 617 if (curr->prev != NULL) 618 curr->prev->next = curr->next; 619 if (curr->next != NULL) 620 curr->next->prev = curr->prev; 621 (*tail)->next = curr; 622 curr->prev = *tail; 623 curr->next = NULL; 624 *tail = curr; 625 } 626 627 static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr, 628 CIPHER_ORDER **tail) 629 { 630 if (curr == *head) 631 return; 632 if (curr == *tail) 633 *tail = curr->prev; 634 if (curr->next != NULL) 635 curr->next->prev = curr->prev; 636 if (curr->prev != NULL) 637 curr->prev->next = curr->next; 638 (*head)->prev = curr; 639 curr->next = *head; 640 curr->prev = NULL; 641 *head = curr; 642 } 643 644 static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, 645 int num_of_ciphers, 646 uint32_t disabled_mkey, 647 uint32_t disabled_auth, 648 uint32_t disabled_enc, 649 uint32_t disabled_mac, 650 CIPHER_ORDER *co_list, 651 CIPHER_ORDER **head_p, 652 CIPHER_ORDER **tail_p) 653 { 654 int i, co_list_num; 655 const SSL_CIPHER *c; 656 657 /* 658 * We have num_of_ciphers descriptions compiled in, depending on the 659 * method selected (SSLv3, TLSv1 etc). 660 * These will later be sorted in a linked list with at most num 661 * entries. 662 */ 663 664 /* Get the initial list of ciphers */ 665 co_list_num = 0; /* actual count of ciphers */ 666 for (i = 0; i < num_of_ciphers; i++) { 667 c = ssl_method->get_cipher(i); 668 /* drop those that use any of that is not available */ 669 if (c == NULL || !c->valid) 670 continue; 671 if ((c->algorithm_mkey & disabled_mkey) || 672 (c->algorithm_auth & disabled_auth) || 673 (c->algorithm_enc & disabled_enc) || 674 (c->algorithm_mac & disabled_mac)) 675 continue; 676 if (((ssl_method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) == 0) && 677 c->min_tls == 0) 678 continue; 679 if (((ssl_method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) != 0) && 680 c->min_dtls == 0) 681 continue; 682 683 co_list[co_list_num].cipher = c; 684 co_list[co_list_num].next = NULL; 685 co_list[co_list_num].prev = NULL; 686 co_list[co_list_num].active = 0; 687 co_list_num++; 688 } 689 690 /* 691 * Prepare linked list from list entries 692 */ 693 if (co_list_num > 0) { 694 co_list[0].prev = NULL; 695 696 if (co_list_num > 1) { 697 co_list[0].next = &co_list[1]; 698 699 for (i = 1; i < co_list_num - 1; i++) { 700 co_list[i].prev = &co_list[i - 1]; 701 co_list[i].next = &co_list[i + 1]; 702 } 703 704 co_list[co_list_num - 1].prev = &co_list[co_list_num - 2]; 705 } 706 707 co_list[co_list_num - 1].next = NULL; 708 709 *head_p = &co_list[0]; 710 *tail_p = &co_list[co_list_num - 1]; 711 } 712 } 713 714 static void ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list, 715 int num_of_group_aliases, 716 uint32_t disabled_mkey, 717 uint32_t disabled_auth, 718 uint32_t disabled_enc, 719 uint32_t disabled_mac, 720 CIPHER_ORDER *head) 721 { 722 CIPHER_ORDER *ciph_curr; 723 const SSL_CIPHER **ca_curr; 724 int i; 725 uint32_t mask_mkey = ~disabled_mkey; 726 uint32_t mask_auth = ~disabled_auth; 727 uint32_t mask_enc = ~disabled_enc; 728 uint32_t mask_mac = ~disabled_mac; 729 730 /* 731 * First, add the real ciphers as already collected 732 */ 733 ciph_curr = head; 734 ca_curr = ca_list; 735 while (ciph_curr != NULL) { 736 *ca_curr = ciph_curr->cipher; 737 ca_curr++; 738 ciph_curr = ciph_curr->next; 739 } 740 741 /* 742 * Now we add the available ones from the cipher_aliases[] table. 743 * They represent either one or more algorithms, some of which 744 * in any affected category must be supported (set in enabled_mask), 745 * or represent a cipher strength value (will be added in any case because algorithms=0). 746 */ 747 for (i = 0; i < num_of_group_aliases; i++) { 748 uint32_t algorithm_mkey = cipher_aliases[i].algorithm_mkey; 749 uint32_t algorithm_auth = cipher_aliases[i].algorithm_auth; 750 uint32_t algorithm_enc = cipher_aliases[i].algorithm_enc; 751 uint32_t algorithm_mac = cipher_aliases[i].algorithm_mac; 752 753 if (algorithm_mkey) 754 if ((algorithm_mkey & mask_mkey) == 0) 755 continue; 756 757 if (algorithm_auth) 758 if ((algorithm_auth & mask_auth) == 0) 759 continue; 760 761 if (algorithm_enc) 762 if ((algorithm_enc & mask_enc) == 0) 763 continue; 764 765 if (algorithm_mac) 766 if ((algorithm_mac & mask_mac) == 0) 767 continue; 768 769 *ca_curr = (SSL_CIPHER *)(cipher_aliases + i); 770 ca_curr++; 771 } 772 773 *ca_curr = NULL; /* end of list */ 774 } 775 776 static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey, 777 uint32_t alg_auth, uint32_t alg_enc, 778 uint32_t alg_mac, int min_tls, 779 uint32_t algo_strength, int rule, 780 int32_t strength_bits, CIPHER_ORDER **head_p, 781 CIPHER_ORDER **tail_p) 782 { 783 CIPHER_ORDER *head, *tail, *curr, *next, *last; 784 const SSL_CIPHER *cp; 785 int reverse = 0; 786 787 OSSL_TRACE_BEGIN(TLS_CIPHER) { 788 BIO_printf(trc_out, 789 "Applying rule %d with %08x/%08x/%08x/%08x/%08x %08x (%d)\n", 790 rule, (unsigned int)alg_mkey, (unsigned int)alg_auth, 791 (unsigned int)alg_enc, (unsigned int)alg_mac, min_tls, 792 (unsigned int)algo_strength, (int)strength_bits); 793 } 794 795 if (rule == CIPHER_DEL || rule == CIPHER_BUMP) 796 reverse = 1; /* needed to maintain sorting between currently 797 * deleted ciphers */ 798 799 head = *head_p; 800 tail = *tail_p; 801 802 if (reverse) { 803 next = tail; 804 last = head; 805 } else { 806 next = head; 807 last = tail; 808 } 809 810 curr = NULL; 811 for (;;) { 812 if (curr == last) 813 break; 814 815 curr = next; 816 817 if (curr == NULL) 818 break; 819 820 next = reverse ? curr->prev : curr->next; 821 822 cp = curr->cipher; 823 824 /* 825 * Selection criteria is either the value of strength_bits 826 * or the algorithms used. 827 */ 828 if (strength_bits >= 0) { 829 if (strength_bits != cp->strength_bits) 830 continue; 831 } else { 832 if (trc_out != NULL) { 833 BIO_printf(trc_out, 834 "\nName: %s:" 835 "\nAlgo = %08x/%08x/%08x/%08x/%08x Algo_strength = %08x\n", 836 cp->name, 837 (unsigned int)cp->algorithm_mkey, 838 (unsigned int)cp->algorithm_auth, 839 (unsigned int)cp->algorithm_enc, 840 (unsigned int)cp->algorithm_mac, 841 cp->min_tls, 842 (unsigned int)cp->algo_strength); 843 } 844 if (cipher_id != 0 && (cipher_id != cp->id)) 845 continue; 846 if (alg_mkey && !(alg_mkey & cp->algorithm_mkey)) 847 continue; 848 if (alg_auth && !(alg_auth & cp->algorithm_auth)) 849 continue; 850 if (alg_enc && !(alg_enc & cp->algorithm_enc)) 851 continue; 852 if (alg_mac && !(alg_mac & cp->algorithm_mac)) 853 continue; 854 if (min_tls && (min_tls != cp->min_tls)) 855 continue; 856 if ((algo_strength & SSL_STRONG_MASK) 857 && !(algo_strength & SSL_STRONG_MASK & cp->algo_strength)) 858 continue; 859 if ((algo_strength & SSL_DEFAULT_MASK) 860 && !(algo_strength & SSL_DEFAULT_MASK & cp->algo_strength)) 861 continue; 862 } 863 864 if (trc_out != NULL) 865 BIO_printf(trc_out, "Action = %d\n", rule); 866 867 /* add the cipher if it has not been added yet. */ 868 if (rule == CIPHER_ADD) { 869 /* reverse == 0 */ 870 if (!curr->active) { 871 ll_append_tail(&head, curr, &tail); 872 curr->active = 1; 873 } 874 } 875 /* Move the added cipher to this location */ 876 else if (rule == CIPHER_ORD) { 877 /* reverse == 0 */ 878 if (curr->active) { 879 ll_append_tail(&head, curr, &tail); 880 } 881 } else if (rule == CIPHER_DEL) { 882 /* reverse == 1 */ 883 if (curr->active) { 884 /* 885 * most recently deleted ciphersuites get best positions for 886 * any future CIPHER_ADD (note that the CIPHER_DEL loop works 887 * in reverse to maintain the order) 888 */ 889 ll_append_head(&head, curr, &tail); 890 curr->active = 0; 891 } 892 } else if (rule == CIPHER_BUMP) { 893 if (curr->active) 894 ll_append_head(&head, curr, &tail); 895 } else if (rule == CIPHER_KILL) { 896 /* reverse == 0 */ 897 if (head == curr) 898 head = curr->next; 899 else 900 curr->prev->next = curr->next; 901 if (tail == curr) 902 tail = curr->prev; 903 curr->active = 0; 904 if (curr->next != NULL) 905 curr->next->prev = curr->prev; 906 if (curr->prev != NULL) 907 curr->prev->next = curr->next; 908 curr->next = NULL; 909 curr->prev = NULL; 910 } 911 } 912 913 *head_p = head; 914 *tail_p = tail; 915 916 OSSL_TRACE_END(TLS_CIPHER); 917 } 918 919 static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p, 920 CIPHER_ORDER **tail_p) 921 { 922 int32_t max_strength_bits; 923 int i, *number_uses; 924 CIPHER_ORDER *curr; 925 926 /* 927 * This routine sorts the ciphers with descending strength. The sorting 928 * must keep the pre-sorted sequence, so we apply the normal sorting 929 * routine as '+' movement to the end of the list. 930 */ 931 max_strength_bits = 0; 932 curr = *head_p; 933 while (curr != NULL) { 934 if (curr->active && (curr->cipher->strength_bits > max_strength_bits)) 935 max_strength_bits = curr->cipher->strength_bits; 936 curr = curr->next; 937 } 938 939 number_uses = OPENSSL_zalloc(sizeof(int) * (max_strength_bits + 1)); 940 if (number_uses == NULL) 941 return 0; 942 943 /* 944 * Now find the strength_bits values actually used 945 */ 946 curr = *head_p; 947 while (curr != NULL) { 948 if (curr->active) 949 number_uses[curr->cipher->strength_bits]++; 950 curr = curr->next; 951 } 952 /* 953 * Go through the list of used strength_bits values in descending 954 * order. 955 */ 956 for (i = max_strength_bits; i >= 0; i--) 957 if (number_uses[i] > 0) 958 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, head_p, 959 tail_p); 960 961 OPENSSL_free(number_uses); 962 return 1; 963 } 964 965 static int ssl_cipher_process_rulestr(const char *rule_str, 966 CIPHER_ORDER **head_p, 967 CIPHER_ORDER **tail_p, 968 const SSL_CIPHER **ca_list, CERT *c) 969 { 970 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, algo_strength; 971 int min_tls; 972 const char *l, *buf; 973 int j, multi, found, rule, retval, ok, buflen; 974 uint32_t cipher_id = 0; 975 char ch; 976 977 retval = 1; 978 l = rule_str; 979 for (;;) { 980 ch = *l; 981 982 if (ch == '\0') 983 break; /* done */ 984 if (ch == '-') { 985 rule = CIPHER_DEL; 986 l++; 987 } else if (ch == '+') { 988 rule = CIPHER_ORD; 989 l++; 990 } else if (ch == '!') { 991 rule = CIPHER_KILL; 992 l++; 993 } else if (ch == '@') { 994 rule = CIPHER_SPECIAL; 995 l++; 996 } else { 997 rule = CIPHER_ADD; 998 } 999 1000 if (ITEM_SEP(ch)) { 1001 l++; 1002 continue; 1003 } 1004 1005 alg_mkey = 0; 1006 alg_auth = 0; 1007 alg_enc = 0; 1008 alg_mac = 0; 1009 min_tls = 0; 1010 algo_strength = 0; 1011 1012 for (;;) { 1013 ch = *l; 1014 buf = l; 1015 buflen = 0; 1016 #ifndef CHARSET_EBCDIC 1017 while (((ch >= 'A') && (ch <= 'Z')) || 1018 ((ch >= '0') && (ch <= '9')) || 1019 ((ch >= 'a') && (ch <= 'z')) || 1020 (ch == '-') || (ch == '_') || (ch == '.') || (ch == '=')) 1021 #else 1022 while (isalnum((unsigned char)ch) || (ch == '-') || (ch == '_') || (ch == '.') 1023 || (ch == '=')) 1024 #endif 1025 { 1026 ch = *(++l); 1027 buflen++; 1028 } 1029 1030 if (buflen == 0) { 1031 /* 1032 * We hit something we cannot deal with, 1033 * it is no command or separator nor 1034 * alphanumeric, so we call this an error. 1035 */ 1036 ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_COMMAND); 1037 return 0; 1038 } 1039 1040 if (rule == CIPHER_SPECIAL) { 1041 found = 0; /* unused -- avoid compiler warning */ 1042 break; /* special treatment */ 1043 } 1044 1045 /* check for multi-part specification */ 1046 if (ch == '+') { 1047 multi = 1; 1048 l++; 1049 } else { 1050 multi = 0; 1051 } 1052 1053 /* 1054 * Now search for the cipher alias in the ca_list. Be careful 1055 * with the strncmp, because the "buflen" limitation 1056 * will make the rule "ADH:SOME" and the cipher 1057 * "ADH-MY-CIPHER" look like a match for buflen=3. 1058 * So additionally check whether the cipher name found 1059 * has the correct length. We can save a strlen() call: 1060 * just checking for the '\0' at the right place is 1061 * sufficient, we have to strncmp() anyway. (We cannot 1062 * use strcmp(), because buf is not '\0' terminated.) 1063 */ 1064 j = found = 0; 1065 cipher_id = 0; 1066 while (ca_list[j]) { 1067 if (strncmp(buf, ca_list[j]->name, buflen) == 0 1068 && (ca_list[j]->name[buflen] == '\0')) { 1069 found = 1; 1070 break; 1071 } else if (ca_list[j]->stdname != NULL 1072 && strncmp(buf, ca_list[j]->stdname, buflen) == 0 1073 && ca_list[j]->stdname[buflen] == '\0') { 1074 found = 1; 1075 break; 1076 } else 1077 j++; 1078 } 1079 1080 if (!found) 1081 break; /* ignore this entry */ 1082 1083 if (ca_list[j]->algorithm_mkey) { 1084 if (alg_mkey) { 1085 alg_mkey &= ca_list[j]->algorithm_mkey; 1086 if (!alg_mkey) { 1087 found = 0; 1088 break; 1089 } 1090 } else { 1091 alg_mkey = ca_list[j]->algorithm_mkey; 1092 } 1093 } 1094 1095 if (ca_list[j]->algorithm_auth) { 1096 if (alg_auth) { 1097 alg_auth &= ca_list[j]->algorithm_auth; 1098 if (!alg_auth) { 1099 found = 0; 1100 break; 1101 } 1102 } else { 1103 alg_auth = ca_list[j]->algorithm_auth; 1104 } 1105 } 1106 1107 if (ca_list[j]->algorithm_enc) { 1108 if (alg_enc) { 1109 alg_enc &= ca_list[j]->algorithm_enc; 1110 if (!alg_enc) { 1111 found = 0; 1112 break; 1113 } 1114 } else { 1115 alg_enc = ca_list[j]->algorithm_enc; 1116 } 1117 } 1118 1119 if (ca_list[j]->algorithm_mac) { 1120 if (alg_mac) { 1121 alg_mac &= ca_list[j]->algorithm_mac; 1122 if (!alg_mac) { 1123 found = 0; 1124 break; 1125 } 1126 } else { 1127 alg_mac = ca_list[j]->algorithm_mac; 1128 } 1129 } 1130 1131 if (ca_list[j]->algo_strength & SSL_STRONG_MASK) { 1132 if (algo_strength & SSL_STRONG_MASK) { 1133 algo_strength &= 1134 (ca_list[j]->algo_strength & SSL_STRONG_MASK) | 1135 ~SSL_STRONG_MASK; 1136 if (!(algo_strength & SSL_STRONG_MASK)) { 1137 found = 0; 1138 break; 1139 } 1140 } else { 1141 algo_strength = ca_list[j]->algo_strength & SSL_STRONG_MASK; 1142 } 1143 } 1144 1145 if (ca_list[j]->algo_strength & SSL_DEFAULT_MASK) { 1146 if (algo_strength & SSL_DEFAULT_MASK) { 1147 algo_strength &= 1148 (ca_list[j]->algo_strength & SSL_DEFAULT_MASK) | 1149 ~SSL_DEFAULT_MASK; 1150 if (!(algo_strength & SSL_DEFAULT_MASK)) { 1151 found = 0; 1152 break; 1153 } 1154 } else { 1155 algo_strength |= 1156 ca_list[j]->algo_strength & SSL_DEFAULT_MASK; 1157 } 1158 } 1159 1160 if (ca_list[j]->valid) { 1161 /* 1162 * explicit ciphersuite found; its protocol version does not 1163 * become part of the search pattern! 1164 */ 1165 1166 cipher_id = ca_list[j]->id; 1167 } else { 1168 /* 1169 * not an explicit ciphersuite; only in this case, the 1170 * protocol version is considered part of the search pattern 1171 */ 1172 1173 if (ca_list[j]->min_tls) { 1174 if (min_tls != 0 && min_tls != ca_list[j]->min_tls) { 1175 found = 0; 1176 break; 1177 } else { 1178 min_tls = ca_list[j]->min_tls; 1179 } 1180 } 1181 } 1182 1183 if (!multi) 1184 break; 1185 } 1186 1187 /* 1188 * Ok, we have the rule, now apply it 1189 */ 1190 if (rule == CIPHER_SPECIAL) { /* special command */ 1191 ok = 0; 1192 if ((buflen == 8) && HAS_PREFIX(buf, "STRENGTH")) { 1193 ok = ssl_cipher_strength_sort(head_p, tail_p); 1194 } else if (buflen == 10 && CHECK_AND_SKIP_PREFIX(buf, "SECLEVEL=")) { 1195 int level = *buf - '0'; 1196 if (level < 0 || level > 5) { 1197 ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_COMMAND); 1198 } else { 1199 c->sec_level = level; 1200 ok = 1; 1201 } 1202 } else { 1203 ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_COMMAND); 1204 } 1205 if (ok == 0) 1206 retval = 0; 1207 /* 1208 * We do not support any "multi" options 1209 * together with "@", so throw away the 1210 * rest of the command, if any left, until 1211 * end or ':' is found. 1212 */ 1213 while ((*l != '\0') && !ITEM_SEP(*l)) 1214 l++; 1215 } else if (found) { 1216 ssl_cipher_apply_rule(cipher_id, 1217 alg_mkey, alg_auth, alg_enc, alg_mac, 1218 min_tls, algo_strength, rule, -1, head_p, 1219 tail_p); 1220 } else { 1221 while ((*l != '\0') && !ITEM_SEP(*l)) 1222 l++; 1223 } 1224 if (*l == '\0') 1225 break; /* done */ 1226 } 1227 1228 return retval; 1229 } 1230 1231 static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c, 1232 const char **prule_str) 1233 { 1234 unsigned int suiteb_flags = 0, suiteb_comb2 = 0; 1235 if (HAS_PREFIX(*prule_str, "SUITEB128ONLY")) { 1236 suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS_ONLY; 1237 } else if (HAS_PREFIX(*prule_str, "SUITEB128C2")) { 1238 suiteb_comb2 = 1; 1239 suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS; 1240 } else if (HAS_PREFIX(*prule_str, "SUITEB128")) { 1241 suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS; 1242 } else if (HAS_PREFIX(*prule_str, "SUITEB192")) { 1243 suiteb_flags = SSL_CERT_FLAG_SUITEB_192_LOS; 1244 } 1245 1246 if (suiteb_flags) { 1247 c->cert_flags &= ~SSL_CERT_FLAG_SUITEB_128_LOS; 1248 c->cert_flags |= suiteb_flags; 1249 } else { 1250 suiteb_flags = c->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS; 1251 } 1252 1253 if (!suiteb_flags) 1254 return 1; 1255 /* Check version: if TLS 1.2 ciphers allowed we can use Suite B */ 1256 1257 if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS)) { 1258 ERR_raise(ERR_LIB_SSL, SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE); 1259 return 0; 1260 } 1261 1262 switch (suiteb_flags) { 1263 case SSL_CERT_FLAG_SUITEB_128_LOS: 1264 if (suiteb_comb2) 1265 *prule_str = "ECDHE-ECDSA-AES256-GCM-SHA384"; 1266 else 1267 *prule_str = 1268 "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384"; 1269 break; 1270 case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY: 1271 *prule_str = "ECDHE-ECDSA-AES128-GCM-SHA256"; 1272 break; 1273 case SSL_CERT_FLAG_SUITEB_192_LOS: 1274 *prule_str = "ECDHE-ECDSA-AES256-GCM-SHA384"; 1275 break; 1276 } 1277 return 1; 1278 } 1279 1280 static int ciphersuite_cb(const char *elem, int len, void *arg) 1281 { 1282 STACK_OF(SSL_CIPHER) *ciphersuites = (STACK_OF(SSL_CIPHER) *)arg; 1283 const SSL_CIPHER *cipher; 1284 /* Arbitrary sized temp buffer for the cipher name. Should be big enough */ 1285 char name[80]; 1286 1287 if (len > (int)(sizeof(name) - 1)) 1288 /* Anyway return 1 so we can parse rest of the list */ 1289 return 1; 1290 1291 memcpy(name, elem, len); 1292 name[len] = '\0'; 1293 1294 cipher = ssl3_get_cipher_by_std_name(name); 1295 if (cipher == NULL) 1296 /* Ciphersuite not found but return 1 to parse rest of the list */ 1297 return 1; 1298 1299 if (!sk_SSL_CIPHER_push(ciphersuites, cipher)) { 1300 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); 1301 return 0; 1302 } 1303 1304 return 1; 1305 } 1306 1307 static __owur int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const char *str) 1308 { 1309 STACK_OF(SSL_CIPHER) *newciphers = sk_SSL_CIPHER_new_null(); 1310 1311 if (newciphers == NULL) 1312 return 0; 1313 1314 /* Parse the list. We explicitly allow an empty list */ 1315 if (*str != '\0' 1316 && (CONF_parse_list(str, ':', 1, ciphersuite_cb, newciphers) <= 0 1317 || sk_SSL_CIPHER_num(newciphers) == 0)) { 1318 ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH); 1319 sk_SSL_CIPHER_free(newciphers); 1320 return 0; 1321 } 1322 sk_SSL_CIPHER_free(*currciphers); 1323 *currciphers = newciphers; 1324 1325 return 1; 1326 } 1327 1328 static int update_cipher_list_by_id(STACK_OF(SSL_CIPHER) **cipher_list_by_id, 1329 STACK_OF(SSL_CIPHER) *cipherstack) 1330 { 1331 STACK_OF(SSL_CIPHER) *tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack); 1332 1333 if (tmp_cipher_list == NULL) { 1334 return 0; 1335 } 1336 1337 sk_SSL_CIPHER_free(*cipher_list_by_id); 1338 *cipher_list_by_id = tmp_cipher_list; 1339 1340 (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id, ssl_cipher_ptr_id_cmp); 1341 sk_SSL_CIPHER_sort(*cipher_list_by_id); 1342 1343 return 1; 1344 } 1345 1346 static int update_cipher_list(SSL_CTX *ctx, 1347 STACK_OF(SSL_CIPHER) **cipher_list, 1348 STACK_OF(SSL_CIPHER) **cipher_list_by_id, 1349 STACK_OF(SSL_CIPHER) *tls13_ciphersuites) 1350 { 1351 int i; 1352 STACK_OF(SSL_CIPHER) *tmp_cipher_list = sk_SSL_CIPHER_dup(*cipher_list); 1353 1354 if (tmp_cipher_list == NULL) 1355 return 0; 1356 1357 /* 1358 * Delete any existing TLSv1.3 ciphersuites. These are always first in the 1359 * list. 1360 */ 1361 while (sk_SSL_CIPHER_num(tmp_cipher_list) > 0 1362 && sk_SSL_CIPHER_value(tmp_cipher_list, 0)->min_tls 1363 == TLS1_3_VERSION) 1364 (void)sk_SSL_CIPHER_delete(tmp_cipher_list, 0); 1365 1366 /* Insert the new TLSv1.3 ciphersuites */ 1367 for (i = sk_SSL_CIPHER_num(tls13_ciphersuites) - 1; i >= 0; i--) { 1368 const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i); 1369 1370 /* Don't include any TLSv1.3 ciphersuites that are disabled */ 1371 if ((sslc->algorithm_enc & ctx->disabled_enc_mask) == 0 1372 && (ssl_cipher_table_mac[sslc->algorithm2 1373 & SSL_HANDSHAKE_MAC_MASK].mask 1374 & ctx->disabled_mac_mask) == 0) { 1375 sk_SSL_CIPHER_unshift(tmp_cipher_list, sslc); 1376 } 1377 } 1378 1379 if (!update_cipher_list_by_id(cipher_list_by_id, tmp_cipher_list)) { 1380 sk_SSL_CIPHER_free(tmp_cipher_list); 1381 return 0; 1382 } 1383 1384 sk_SSL_CIPHER_free(*cipher_list); 1385 *cipher_list = tmp_cipher_list; 1386 1387 return 1; 1388 } 1389 1390 int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str) 1391 { 1392 int ret = set_ciphersuites(&(ctx->tls13_ciphersuites), str); 1393 1394 if (ret && ctx->cipher_list != NULL) 1395 return update_cipher_list(ctx, &ctx->cipher_list, &ctx->cipher_list_by_id, 1396 ctx->tls13_ciphersuites); 1397 1398 return ret; 1399 } 1400 1401 int SSL_set_ciphersuites(SSL *s, const char *str) 1402 { 1403 STACK_OF(SSL_CIPHER) *cipher_list; 1404 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); 1405 int ret; 1406 1407 if (sc == NULL) 1408 return 0; 1409 1410 ret = set_ciphersuites(&(sc->tls13_ciphersuites), str); 1411 1412 if (sc->cipher_list == NULL) { 1413 if ((cipher_list = SSL_get_ciphers(s)) != NULL) 1414 sc->cipher_list = sk_SSL_CIPHER_dup(cipher_list); 1415 } 1416 if (ret && sc->cipher_list != NULL) 1417 return update_cipher_list(s->ctx, &sc->cipher_list, 1418 &sc->cipher_list_by_id, 1419 sc->tls13_ciphersuites); 1420 1421 return ret; 1422 } 1423 1424 STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, 1425 STACK_OF(SSL_CIPHER) *tls13_ciphersuites, 1426 STACK_OF(SSL_CIPHER) **cipher_list, 1427 STACK_OF(SSL_CIPHER) **cipher_list_by_id, 1428 const char *rule_str, 1429 CERT *c) 1430 { 1431 int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases, i; 1432 uint32_t disabled_mkey, disabled_auth, disabled_enc, disabled_mac; 1433 STACK_OF(SSL_CIPHER) *cipherstack; 1434 const char *rule_p; 1435 CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; 1436 const SSL_CIPHER **ca_list = NULL; 1437 const SSL_METHOD *ssl_method = ctx->method; 1438 1439 /* 1440 * Return with error if nothing to do. 1441 */ 1442 if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL) 1443 return NULL; 1444 1445 if (!check_suiteb_cipher_list(ssl_method, c, &rule_str)) 1446 return NULL; 1447 1448 /* 1449 * To reduce the work to do we only want to process the compiled 1450 * in algorithms, so we first get the mask of disabled ciphers. 1451 */ 1452 1453 disabled_mkey = ctx->disabled_mkey_mask; 1454 disabled_auth = ctx->disabled_auth_mask; 1455 disabled_enc = ctx->disabled_enc_mask; 1456 disabled_mac = ctx->disabled_mac_mask; 1457 1458 /* 1459 * Now we have to collect the available ciphers from the compiled 1460 * in ciphers. We cannot get more than the number compiled in, so 1461 * it is used for allocation. 1462 */ 1463 num_of_ciphers = ssl_method->num_ciphers(); 1464 1465 if (num_of_ciphers > 0) { 1466 co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); 1467 if (co_list == NULL) 1468 return NULL; /* Failure */ 1469 } 1470 1471 ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, 1472 disabled_mkey, disabled_auth, disabled_enc, 1473 disabled_mac, co_list, &head, &tail); 1474 1475 /* Now arrange all ciphers by preference. */ 1476 1477 /* 1478 * Everything else being equal, prefer ephemeral ECDH over other key 1479 * exchange mechanisms. 1480 * For consistency, prefer ECDSA over RSA (though this only matters if the 1481 * server has both certificates, and is using the DEFAULT, or a client 1482 * preference). 1483 */ 1484 ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, 0, 0, 0, 0, CIPHER_ADD, 1485 -1, &head, &tail); 1486 ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, 1487 &tail); 1488 ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, 1489 &tail); 1490 1491 /* Within each strength group, we prefer GCM over CHACHA... */ 1492 ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1, 1493 &head, &tail); 1494 ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1, 1495 &head, &tail); 1496 1497 /* 1498 * ...and generally, our preferred cipher is AES. 1499 * Note that AEADs will be bumped to take preference after sorting by 1500 * strength. 1501 */ 1502 ssl_cipher_apply_rule(0, 0, 0, SSL_AES ^ SSL_AESGCM, 0, 0, 0, CIPHER_ADD, 1503 -1, &head, &tail); 1504 1505 /* Temporarily enable everything else for sorting */ 1506 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail); 1507 1508 /* Low priority for MD5 */ 1509 ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, &head, 1510 &tail); 1511 1512 /* 1513 * Move anonymous ciphers to the end. Usually, these will remain 1514 * disabled. (For applications that allow them, they aren't too bad, but 1515 * we prefer authenticated ciphers.) 1516 */ 1517 ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, &head, 1518 &tail); 1519 1520 ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, 1521 &tail); 1522 ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, 1523 &tail); 1524 1525 /* RC4 is sort-of broken -- move to the end */ 1526 ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head, 1527 &tail); 1528 1529 /* 1530 * Now sort by symmetric encryption strength. The above ordering remains 1531 * in force within each class 1532 */ 1533 if (!ssl_cipher_strength_sort(&head, &tail)) { 1534 OPENSSL_free(co_list); 1535 return NULL; 1536 } 1537 1538 /* 1539 * Partially overrule strength sort to prefer TLS 1.2 ciphers/PRFs. 1540 */ 1541 ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_2_VERSION, 0, CIPHER_BUMP, -1, 1542 &head, &tail); 1543 1544 /* 1545 * Irrespective of strength, enforce the following order: 1546 * (EC)DHE + AEAD > (EC)DHE > rest of AEAD > rest. 1547 * Within each group, ciphers remain sorted by strength and previous 1548 * preference, i.e., 1549 * 1) ECDHE > DHE 1550 * 2) GCM > CHACHA 1551 * 3) AES > rest 1552 * 4) TLS 1.2 > legacy 1553 * 1554 * Because we now bump ciphers to the top of the list, we proceed in 1555 * reverse order of preference. 1556 */ 1557 ssl_cipher_apply_rule(0, 0, 0, 0, SSL_AEAD, 0, 0, CIPHER_BUMP, -1, 1558 &head, &tail); 1559 ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, 0, 0, 0, 1560 CIPHER_BUMP, -1, &head, &tail); 1561 ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, SSL_AEAD, 0, 0, 1562 CIPHER_BUMP, -1, &head, &tail); 1563 1564 /* Now disable everything (maintaining the ordering!) */ 1565 ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail); 1566 1567 /* 1568 * We also need cipher aliases for selecting based on the rule_str. 1569 * There might be two types of entries in the rule_str: 1) names 1570 * of ciphers themselves 2) aliases for groups of ciphers. 1571 * For 1) we need the available ciphers and for 2) the cipher 1572 * groups of cipher_aliases added together in one list (otherwise 1573 * we would be happy with just the cipher_aliases table). 1574 */ 1575 num_of_group_aliases = OSSL_NELEM(cipher_aliases); 1576 num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; 1577 ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max); 1578 if (ca_list == NULL) { 1579 OPENSSL_free(co_list); 1580 return NULL; /* Failure */ 1581 } 1582 ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, 1583 disabled_mkey, disabled_auth, disabled_enc, 1584 disabled_mac, head); 1585 1586 /* 1587 * If the rule_string begins with DEFAULT, apply the default rule 1588 * before using the (possibly available) additional rules. 1589 */ 1590 ok = 1; 1591 rule_p = rule_str; 1592 if (HAS_PREFIX(rule_str, "DEFAULT")) { 1593 ok = ssl_cipher_process_rulestr(OSSL_default_cipher_list(), 1594 &head, &tail, ca_list, c); 1595 rule_p += 7; 1596 if (*rule_p == ':') 1597 rule_p++; 1598 } 1599 1600 if (ok && (rule_p[0] != '\0')) 1601 ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list, c); 1602 1603 OPENSSL_free(ca_list); /* Not needed anymore */ 1604 1605 if (!ok) { /* Rule processing failure */ 1606 OPENSSL_free(co_list); 1607 return NULL; 1608 } 1609 1610 /* 1611 * Allocate new "cipherstack" for the result, return with error 1612 * if we cannot get one. 1613 */ 1614 if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { 1615 OPENSSL_free(co_list); 1616 return NULL; 1617 } 1618 1619 /* Add TLSv1.3 ciphers first - we always prefer those if possible */ 1620 for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) { 1621 const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i); 1622 1623 /* Don't include any TLSv1.3 ciphers that are disabled */ 1624 if ((sslc->algorithm_enc & disabled_enc) != 0 1625 || (ssl_cipher_table_mac[sslc->algorithm2 1626 & SSL_HANDSHAKE_MAC_MASK].mask 1627 & ctx->disabled_mac_mask) != 0) { 1628 sk_SSL_CIPHER_delete(tls13_ciphersuites, i); 1629 i--; 1630 continue; 1631 } 1632 1633 if (!sk_SSL_CIPHER_push(cipherstack, sslc)) { 1634 OPENSSL_free(co_list); 1635 sk_SSL_CIPHER_free(cipherstack); 1636 return NULL; 1637 } 1638 } 1639 1640 OSSL_TRACE_BEGIN(TLS_CIPHER) { 1641 BIO_printf(trc_out, "cipher selection:\n"); 1642 } 1643 /* 1644 * The cipher selection for the list is done. The ciphers are added 1645 * to the resulting precedence to the STACK_OF(SSL_CIPHER). 1646 */ 1647 for (curr = head; curr != NULL; curr = curr->next) { 1648 if (curr->active) { 1649 if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) { 1650 OPENSSL_free(co_list); 1651 sk_SSL_CIPHER_free(cipherstack); 1652 OSSL_TRACE_CANCEL(TLS_CIPHER); 1653 return NULL; 1654 } 1655 if (trc_out != NULL) 1656 BIO_printf(trc_out, "<%s>\n", curr->cipher->name); 1657 } 1658 } 1659 OPENSSL_free(co_list); /* Not needed any longer */ 1660 OSSL_TRACE_END(TLS_CIPHER); 1661 1662 if (!update_cipher_list_by_id(cipher_list_by_id, cipherstack)) { 1663 sk_SSL_CIPHER_free(cipherstack); 1664 return NULL; 1665 } 1666 sk_SSL_CIPHER_free(*cipher_list); 1667 *cipher_list = cipherstack; 1668 1669 return cipherstack; 1670 } 1671 1672 char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) 1673 { 1674 const char *ver; 1675 const char *kx, *au, *enc, *mac; 1676 uint32_t alg_mkey, alg_auth, alg_enc, alg_mac; 1677 static const char *const format = "%-30s %-7s Kx=%-8s Au=%-5s Enc=%-22s Mac=%-4s\n"; 1678 1679 if (buf == NULL) { 1680 len = 128; 1681 if ((buf = OPENSSL_malloc(len)) == NULL) 1682 return NULL; 1683 } else if (len < 128) { 1684 return NULL; 1685 } 1686 1687 alg_mkey = cipher->algorithm_mkey; 1688 alg_auth = cipher->algorithm_auth; 1689 alg_enc = cipher->algorithm_enc; 1690 alg_mac = cipher->algorithm_mac; 1691 1692 ver = ssl_protocol_to_string(cipher->min_tls); 1693 1694 switch (alg_mkey) { 1695 case SSL_kRSA: 1696 kx = "RSA"; 1697 break; 1698 case SSL_kDHE: 1699 kx = "DH"; 1700 break; 1701 case SSL_kECDHE: 1702 kx = "ECDH"; 1703 break; 1704 case SSL_kPSK: 1705 kx = "PSK"; 1706 break; 1707 case SSL_kRSAPSK: 1708 kx = "RSAPSK"; 1709 break; 1710 case SSL_kECDHEPSK: 1711 kx = "ECDHEPSK"; 1712 break; 1713 case SSL_kDHEPSK: 1714 kx = "DHEPSK"; 1715 break; 1716 case SSL_kSRP: 1717 kx = "SRP"; 1718 break; 1719 case SSL_kGOST: 1720 kx = "GOST"; 1721 break; 1722 case SSL_kGOST18: 1723 kx = "GOST18"; 1724 break; 1725 case SSL_kANY: 1726 kx = "any"; 1727 break; 1728 default: 1729 kx = "unknown"; 1730 } 1731 1732 switch (alg_auth) { 1733 case SSL_aRSA: 1734 au = "RSA"; 1735 break; 1736 case SSL_aDSS: 1737 au = "DSS"; 1738 break; 1739 case SSL_aNULL: 1740 au = "None"; 1741 break; 1742 case SSL_aECDSA: 1743 au = "ECDSA"; 1744 break; 1745 case SSL_aPSK: 1746 au = "PSK"; 1747 break; 1748 case SSL_aSRP: 1749 au = "SRP"; 1750 break; 1751 case SSL_aGOST01: 1752 au = "GOST01"; 1753 break; 1754 /* New GOST ciphersuites have both SSL_aGOST12 and SSL_aGOST01 bits */ 1755 case (SSL_aGOST12 | SSL_aGOST01): 1756 au = "GOST12"; 1757 break; 1758 case SSL_aANY: 1759 au = "any"; 1760 break; 1761 default: 1762 au = "unknown"; 1763 break; 1764 } 1765 1766 switch (alg_enc) { 1767 case SSL_DES: 1768 enc = "DES(56)"; 1769 break; 1770 case SSL_3DES: 1771 enc = "3DES(168)"; 1772 break; 1773 case SSL_RC4: 1774 enc = "RC4(128)"; 1775 break; 1776 case SSL_RC2: 1777 enc = "RC2(128)"; 1778 break; 1779 case SSL_IDEA: 1780 enc = "IDEA(128)"; 1781 break; 1782 case SSL_eNULL: 1783 enc = "None"; 1784 break; 1785 case SSL_AES128: 1786 enc = "AES(128)"; 1787 break; 1788 case SSL_AES256: 1789 enc = "AES(256)"; 1790 break; 1791 case SSL_AES128GCM: 1792 enc = "AESGCM(128)"; 1793 break; 1794 case SSL_AES256GCM: 1795 enc = "AESGCM(256)"; 1796 break; 1797 case SSL_AES128CCM: 1798 enc = "AESCCM(128)"; 1799 break; 1800 case SSL_AES256CCM: 1801 enc = "AESCCM(256)"; 1802 break; 1803 case SSL_AES128CCM8: 1804 enc = "AESCCM8(128)"; 1805 break; 1806 case SSL_AES256CCM8: 1807 enc = "AESCCM8(256)"; 1808 break; 1809 case SSL_CAMELLIA128: 1810 enc = "Camellia(128)"; 1811 break; 1812 case SSL_CAMELLIA256: 1813 enc = "Camellia(256)"; 1814 break; 1815 case SSL_ARIA128GCM: 1816 enc = "ARIAGCM(128)"; 1817 break; 1818 case SSL_ARIA256GCM: 1819 enc = "ARIAGCM(256)"; 1820 break; 1821 case SSL_SEED: 1822 enc = "SEED(128)"; 1823 break; 1824 case SSL_eGOST2814789CNT: 1825 case SSL_eGOST2814789CNT12: 1826 enc = "GOST89(256)"; 1827 break; 1828 case SSL_MAGMA: 1829 enc = "MAGMA"; 1830 break; 1831 case SSL_KUZNYECHIK: 1832 enc = "KUZNYECHIK"; 1833 break; 1834 case SSL_CHACHA20POLY1305: 1835 enc = "CHACHA20/POLY1305(256)"; 1836 break; 1837 default: 1838 enc = "unknown"; 1839 break; 1840 } 1841 1842 switch (alg_mac) { 1843 case SSL_MD5: 1844 mac = "MD5"; 1845 break; 1846 case SSL_SHA1: 1847 mac = "SHA1"; 1848 break; 1849 case SSL_SHA256: 1850 mac = "SHA256"; 1851 break; 1852 case SSL_SHA384: 1853 mac = "SHA384"; 1854 break; 1855 case SSL_AEAD: 1856 mac = "AEAD"; 1857 break; 1858 case SSL_GOST89MAC: 1859 case SSL_GOST89MAC12: 1860 mac = "GOST89"; 1861 break; 1862 case SSL_GOST94: 1863 mac = "GOST94"; 1864 break; 1865 case SSL_GOST12_256: 1866 case SSL_GOST12_512: 1867 mac = "GOST2012"; 1868 break; 1869 default: 1870 mac = "unknown"; 1871 break; 1872 } 1873 1874 BIO_snprintf(buf, len, format, cipher->name, ver, kx, au, enc, mac); 1875 1876 return buf; 1877 } 1878 1879 const char *SSL_CIPHER_get_version(const SSL_CIPHER *c) 1880 { 1881 if (c == NULL) 1882 return "(NONE)"; 1883 1884 /* 1885 * Backwards-compatibility crutch. In almost all contexts we report TLS 1886 * 1.0 as "TLSv1", but for ciphers we report "TLSv1.0". 1887 */ 1888 if (c->min_tls == TLS1_VERSION) 1889 return "TLSv1.0"; 1890 return ssl_protocol_to_string(c->min_tls); 1891 } 1892 1893 /* return the actual cipher being used */ 1894 const char *SSL_CIPHER_get_name(const SSL_CIPHER *c) 1895 { 1896 if (c != NULL) 1897 return c->name; 1898 return "(NONE)"; 1899 } 1900 1901 /* return the actual cipher being used in RFC standard name */ 1902 const char *SSL_CIPHER_standard_name(const SSL_CIPHER *c) 1903 { 1904 if (c != NULL) 1905 return c->stdname; 1906 return "(NONE)"; 1907 } 1908 1909 /* return the OpenSSL name based on given RFC standard name */ 1910 const char *OPENSSL_cipher_name(const char *stdname) 1911 { 1912 const SSL_CIPHER *c; 1913 1914 if (stdname == NULL) 1915 return "(NONE)"; 1916 c = ssl3_get_cipher_by_std_name(stdname); 1917 return SSL_CIPHER_get_name(c); 1918 } 1919 1920 /* number of bits for symmetric cipher */ 1921 int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits) 1922 { 1923 int ret = 0; 1924 1925 if (c != NULL) { 1926 if (alg_bits != NULL) 1927 *alg_bits = (int)c->alg_bits; 1928 ret = (int)c->strength_bits; 1929 } 1930 return ret; 1931 } 1932 1933 uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *c) 1934 { 1935 return c->id; 1936 } 1937 1938 uint16_t SSL_CIPHER_get_protocol_id(const SSL_CIPHER *c) 1939 { 1940 return c->id & 0xFFFF; 1941 } 1942 1943 SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n) 1944 { 1945 SSL_COMP *ctmp; 1946 SSL_COMP srch_key; 1947 int i; 1948 1949 if ((n == 0) || (sk == NULL)) 1950 return NULL; 1951 srch_key.id = n; 1952 i = sk_SSL_COMP_find(sk, &srch_key); 1953 if (i >= 0) 1954 ctmp = sk_SSL_COMP_value(sk, i); 1955 else 1956 ctmp = NULL; 1957 1958 return ctmp; 1959 } 1960 1961 #ifdef OPENSSL_NO_COMP 1962 STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void) 1963 { 1964 return NULL; 1965 } 1966 1967 STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP) 1968 *meths) 1969 { 1970 return meths; 1971 } 1972 1973 int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) 1974 { 1975 return 1; 1976 } 1977 1978 #else 1979 STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void) 1980 { 1981 STACK_OF(SSL_COMP) **rv; 1982 1983 rv = (STACK_OF(SSL_COMP) **)OSSL_LIB_CTX_get_data(NULL, 1984 OSSL_LIB_CTX_COMP_METHODS); 1985 if (rv != NULL) 1986 return *rv; 1987 else 1988 return NULL; 1989 } 1990 1991 STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP) 1992 *meths) 1993 { 1994 STACK_OF(SSL_COMP) **comp_methods; 1995 STACK_OF(SSL_COMP) *old_meths; 1996 1997 comp_methods = (STACK_OF(SSL_COMP) **)OSSL_LIB_CTX_get_data(NULL, 1998 OSSL_LIB_CTX_COMP_METHODS); 1999 if (comp_methods == NULL) { 2000 old_meths = meths; 2001 } else { 2002 old_meths = *comp_methods; 2003 *comp_methods = meths; 2004 } 2005 2006 return old_meths; 2007 } 2008 2009 int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) 2010 { 2011 STACK_OF(SSL_COMP) *comp_methods; 2012 SSL_COMP *comp; 2013 2014 comp_methods = SSL_COMP_get_compression_methods(); 2015 2016 if (comp_methods == NULL) 2017 return 1; 2018 2019 if (cm == NULL || COMP_get_type(cm) == NID_undef) 2020 return 1; 2021 2022 /*- 2023 * According to draft-ietf-tls-compression-04.txt, the 2024 * compression number ranges should be the following: 2025 * 2026 * 0 to 63: methods defined by the IETF 2027 * 64 to 192: external party methods assigned by IANA 2028 * 193 to 255: reserved for private use 2029 */ 2030 if (id < 193 || id > 255) { 2031 ERR_raise(ERR_LIB_SSL, SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE); 2032 return 1; 2033 } 2034 2035 comp = OPENSSL_malloc(sizeof(*comp)); 2036 if (comp == NULL) 2037 return 1; 2038 2039 comp->id = id; 2040 if (sk_SSL_COMP_find(comp_methods, comp) >= 0) { 2041 OPENSSL_free(comp); 2042 ERR_raise(ERR_LIB_SSL, SSL_R_DUPLICATE_COMPRESSION_ID); 2043 return 1; 2044 } 2045 if (!sk_SSL_COMP_push(comp_methods, comp)) { 2046 OPENSSL_free(comp); 2047 ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); 2048 return 1; 2049 } 2050 2051 return 0; 2052 } 2053 #endif 2054 2055 const char *SSL_COMP_get_name(const COMP_METHOD *comp) 2056 { 2057 #ifndef OPENSSL_NO_COMP 2058 return comp ? COMP_get_name(comp) : NULL; 2059 #else 2060 return NULL; 2061 #endif 2062 } 2063 2064 const char *SSL_COMP_get0_name(const SSL_COMP *comp) 2065 { 2066 #ifndef OPENSSL_NO_COMP 2067 return comp->name; 2068 #else 2069 return NULL; 2070 #endif 2071 } 2072 2073 int SSL_COMP_get_id(const SSL_COMP *comp) 2074 { 2075 #ifndef OPENSSL_NO_COMP 2076 return comp->id; 2077 #else 2078 return -1; 2079 #endif 2080 } 2081 2082 const SSL_CIPHER *ssl_get_cipher_by_char(SSL_CONNECTION *s, 2083 const unsigned char *ptr, 2084 int all) 2085 { 2086 const SSL_CIPHER *c = SSL_CONNECTION_GET_SSL(s)->method->get_cipher_by_char(ptr); 2087 2088 if (c == NULL || (!all && c->valid == 0)) 2089 return NULL; 2090 return c; 2091 } 2092 2093 const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr) 2094 { 2095 return ssl->method->get_cipher_by_char(ptr); 2096 } 2097 2098 int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c) 2099 { 2100 int i; 2101 if (c == NULL) 2102 return NID_undef; 2103 i = ssl_cipher_info_lookup(ssl_cipher_table_cipher, c->algorithm_enc); 2104 if (i == -1) 2105 return NID_undef; 2106 return ssl_cipher_table_cipher[i].nid; 2107 } 2108 2109 int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c) 2110 { 2111 int i = ssl_cipher_info_lookup(ssl_cipher_table_mac, c->algorithm_mac); 2112 2113 if (i == -1) 2114 return NID_undef; 2115 return ssl_cipher_table_mac[i].nid; 2116 } 2117 2118 int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c) 2119 { 2120 int i = ssl_cipher_info_lookup(ssl_cipher_table_kx, c->algorithm_mkey); 2121 2122 if (i == -1) 2123 return NID_undef; 2124 return ssl_cipher_table_kx[i].nid; 2125 } 2126 2127 int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c) 2128 { 2129 int i = ssl_cipher_info_lookup(ssl_cipher_table_auth, c->algorithm_auth); 2130 2131 if (i == -1) 2132 return NID_undef; 2133 return ssl_cipher_table_auth[i].nid; 2134 } 2135 2136 int ssl_get_md_idx(int md_nid) { 2137 int i; 2138 2139 for(i = 0; i < SSL_MD_NUM_IDX; i++) { 2140 if (md_nid == ssl_cipher_table_mac[i].nid) 2141 return i; 2142 } 2143 return -1; 2144 } 2145 2146 const EVP_MD *SSL_CIPHER_get_handshake_digest(const SSL_CIPHER *c) 2147 { 2148 int idx = c->algorithm2 & SSL_HANDSHAKE_MAC_MASK; 2149 2150 if (idx < 0 || idx >= SSL_MD_NUM_IDX) 2151 return NULL; 2152 return EVP_get_digestbynid(ssl_cipher_table_mac[idx].nid); 2153 } 2154 2155 int SSL_CIPHER_is_aead(const SSL_CIPHER *c) 2156 { 2157 return (c->algorithm_mac & SSL_AEAD) ? 1 : 0; 2158 } 2159 2160 int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead, 2161 size_t *int_overhead, size_t *blocksize, 2162 size_t *ext_overhead) 2163 { 2164 int mac = 0, in = 0, blk = 0, out = 0; 2165 2166 /* Some hard-coded numbers for the CCM/Poly1305 MAC overhead 2167 * because there are no handy #defines for those. */ 2168 if (c->algorithm_enc & (SSL_AESGCM | SSL_ARIAGCM)) { 2169 out = EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN; 2170 } else if (c->algorithm_enc & (SSL_AES128CCM | SSL_AES256CCM)) { 2171 out = EVP_CCM_TLS_EXPLICIT_IV_LEN + 16; 2172 } else if (c->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8)) { 2173 out = EVP_CCM_TLS_EXPLICIT_IV_LEN + 8; 2174 } else if (c->algorithm_enc & SSL_CHACHA20POLY1305) { 2175 out = 16; 2176 } else if (c->algorithm_mac & SSL_AEAD) { 2177 /* We're supposed to have handled all the AEAD modes above */ 2178 return 0; 2179 } else { 2180 /* Non-AEAD modes. Calculate MAC/cipher overhead separately */ 2181 int digest_nid = SSL_CIPHER_get_digest_nid(c); 2182 const EVP_MD *e_md = EVP_get_digestbynid(digest_nid); 2183 2184 if (e_md == NULL) 2185 return 0; 2186 2187 mac = EVP_MD_get_size(e_md); 2188 if (mac <= 0) 2189 return 0; 2190 if (c->algorithm_enc != SSL_eNULL) { 2191 int cipher_nid = SSL_CIPHER_get_cipher_nid(c); 2192 const EVP_CIPHER *e_ciph = EVP_get_cipherbynid(cipher_nid); 2193 2194 /* If it wasn't AEAD or SSL_eNULL, we expect it to be a 2195 known CBC cipher. */ 2196 if (e_ciph == NULL || 2197 EVP_CIPHER_get_mode(e_ciph) != EVP_CIPH_CBC_MODE) 2198 return 0; 2199 2200 in = 1; /* padding length byte */ 2201 out = EVP_CIPHER_get_iv_length(e_ciph); 2202 if (out < 0) 2203 return 0; 2204 blk = EVP_CIPHER_get_block_size(e_ciph); 2205 if (blk <= 0) 2206 return 0; 2207 } 2208 } 2209 2210 *mac_overhead = (size_t)mac; 2211 *int_overhead = (size_t)in; 2212 *blocksize = (size_t)blk; 2213 *ext_overhead = (size_t)out; 2214 2215 return 1; 2216 } 2217 2218 int ssl_cert_is_disabled(SSL_CTX *ctx, size_t idx) 2219 { 2220 const SSL_CERT_LOOKUP *cl; 2221 2222 /* A provider-loaded key type is always enabled */ 2223 if (idx >= SSL_PKEY_NUM) 2224 return 0; 2225 2226 cl = ssl_cert_lookup_by_idx(idx, ctx); 2227 if (cl == NULL || (cl->amask & ctx->disabled_auth_mask) != 0) 2228 return 1; 2229 return 0; 2230 } 2231 2232 /* 2233 * Default list of TLSv1.2 (and earlier) ciphers 2234 * SSL_DEFAULT_CIPHER_LIST deprecated in 3.0.0 2235 * Update both macro and function simultaneously 2236 */ 2237 const char *OSSL_default_cipher_list(void) 2238 { 2239 return "ALL:!COMPLEMENTOFDEFAULT:!eNULL"; 2240 } 2241 2242 /* 2243 * Default list of TLSv1.3 (and later) ciphers 2244 * TLS_DEFAULT_CIPHERSUITES deprecated in 3.0.0 2245 * Update both macro and function simultaneously 2246 */ 2247 const char *OSSL_default_ciphersuites(void) 2248 { 2249 return "TLS_AES_256_GCM_SHA384:" 2250 "TLS_CHACHA20_POLY1305_SHA256:" 2251 "TLS_AES_128_GCM_SHA256"; 2252 } 2253