[331] | 1 | /*
|
---|
| 2 | * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
|
---|
| 3 | *
|
---|
| 4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
---|
| 5 | * this file except in compliance with the License. You can obtain a copy
|
---|
| 6 | * in the file LICENSE in the source distribution or at
|
---|
| 7 | * https://www.openssl.org/source/license.html
|
---|
| 8 | */
|
---|
| 9 |
|
---|
| 10 | /* ====================================================================
|
---|
| 11 | * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
|
---|
| 12 | * ECC cipher suite support in OpenSSL originally developed by
|
---|
| 13 | * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
|
---|
| 14 | */
|
---|
| 15 | /* ====================================================================
|
---|
| 16 | * Copyright 2005 Nokia. All rights reserved.
|
---|
| 17 | *
|
---|
| 18 | * The portions of the attached software ("Contribution") is developed by
|
---|
| 19 | * Nokia Corporation and is licensed pursuant to the OpenSSL open source
|
---|
| 20 | * license.
|
---|
| 21 | *
|
---|
| 22 | * The Contribution, originally written by Mika Kousa and Pasi Eronen of
|
---|
| 23 | * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
|
---|
| 24 | * support (see RFC 4279) to OpenSSL.
|
---|
| 25 | *
|
---|
| 26 | * No patent licenses or other rights except those expressly stated in
|
---|
| 27 | * the OpenSSL open source license shall be deemed granted or received
|
---|
| 28 | * expressly, by implication, estoppel, or otherwise.
|
---|
| 29 | *
|
---|
| 30 | * No assurances are provided by Nokia that the Contribution does not
|
---|
| 31 | * infringe the patent or other intellectual property rights of any third
|
---|
| 32 | * party or that the license provides you with all the necessary rights
|
---|
| 33 | * to make use of the Contribution.
|
---|
| 34 | *
|
---|
| 35 | * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
|
---|
| 36 | * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
|
---|
| 37 | * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
|
---|
| 38 | * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
|
---|
| 39 | * OTHERWISE.
|
---|
| 40 | */
|
---|
| 41 |
|
---|
| 42 | #include <stdio.h>
|
---|
| 43 | #include <ctype.h>
|
---|
| 44 | #include <openssl/objects.h>
|
---|
| 45 | #include <openssl/comp.h>
|
---|
| 46 | #include <openssl/engine.h>
|
---|
| 47 | #include <openssl/crypto.h>
|
---|
| 48 | #include "ssl_locl.h"
|
---|
| 49 | #include "internal/thread_once.h"
|
---|
| 50 |
|
---|
| 51 | #define SSL_ENC_DES_IDX 0
|
---|
| 52 | #define SSL_ENC_3DES_IDX 1
|
---|
| 53 | #define SSL_ENC_RC4_IDX 2
|
---|
| 54 | #define SSL_ENC_RC2_IDX 3
|
---|
| 55 | #define SSL_ENC_IDEA_IDX 4
|
---|
| 56 | #define SSL_ENC_NULL_IDX 5
|
---|
| 57 | #define SSL_ENC_AES128_IDX 6
|
---|
| 58 | #define SSL_ENC_AES256_IDX 7
|
---|
| 59 | #define SSL_ENC_CAMELLIA128_IDX 8
|
---|
| 60 | #define SSL_ENC_CAMELLIA256_IDX 9
|
---|
| 61 | #define SSL_ENC_GOST89_IDX 10
|
---|
| 62 | #define SSL_ENC_SEED_IDX 11
|
---|
| 63 | #define SSL_ENC_AES128GCM_IDX 12
|
---|
| 64 | #define SSL_ENC_AES256GCM_IDX 13
|
---|
| 65 | #define SSL_ENC_AES128CCM_IDX 14
|
---|
| 66 | #define SSL_ENC_AES256CCM_IDX 15
|
---|
| 67 | #define SSL_ENC_AES128CCM8_IDX 16
|
---|
| 68 | #define SSL_ENC_AES256CCM8_IDX 17
|
---|
| 69 | #define SSL_ENC_GOST8912_IDX 18
|
---|
| 70 | #define SSL_ENC_CHACHA_IDX 19
|
---|
| 71 | #define SSL_ENC_NUM_IDX 20
|
---|
| 72 |
|
---|
| 73 | /* NB: make sure indices in these tables match values above */
|
---|
| 74 |
|
---|
| 75 | typedef struct {
|
---|
| 76 | uint32_t mask;
|
---|
| 77 | int nid;
|
---|
| 78 | } ssl_cipher_table;
|
---|
| 79 |
|
---|
| 80 | /* Table of NIDs for each cipher */
|
---|
| 81 | static const ssl_cipher_table ssl_cipher_table_cipher[SSL_ENC_NUM_IDX] = {
|
---|
| 82 | {SSL_DES, NID_des_cbc}, /* SSL_ENC_DES_IDX 0 */
|
---|
| 83 | {SSL_3DES, NID_des_ede3_cbc}, /* SSL_ENC_3DES_IDX 1 */
|
---|
| 84 | {SSL_RC4, NID_rc4}, /* SSL_ENC_RC4_IDX 2 */
|
---|
| 85 | {SSL_RC2, NID_rc2_cbc}, /* SSL_ENC_RC2_IDX 3 */
|
---|
| 86 | {SSL_IDEA, NID_idea_cbc}, /* SSL_ENC_IDEA_IDX 4 */
|
---|
| 87 | {SSL_eNULL, NID_undef}, /* SSL_ENC_NULL_IDX 5 */
|
---|
| 88 | {SSL_AES128, NID_aes_128_cbc}, /* SSL_ENC_AES128_IDX 6 */
|
---|
| 89 | {SSL_AES256, NID_aes_256_cbc}, /* SSL_ENC_AES256_IDX 7 */
|
---|
| 90 | {SSL_CAMELLIA128, NID_camellia_128_cbc}, /* SSL_ENC_CAMELLIA128_IDX 8 */
|
---|
| 91 | {SSL_CAMELLIA256, NID_camellia_256_cbc}, /* SSL_ENC_CAMELLIA256_IDX 9 */
|
---|
| 92 | {SSL_eGOST2814789CNT, NID_gost89_cnt}, /* SSL_ENC_GOST89_IDX 10 */
|
---|
| 93 | {SSL_SEED, NID_seed_cbc}, /* SSL_ENC_SEED_IDX 11 */
|
---|
| 94 | {SSL_AES128GCM, NID_aes_128_gcm}, /* SSL_ENC_AES128GCM_IDX 12 */
|
---|
| 95 | {SSL_AES256GCM, NID_aes_256_gcm}, /* SSL_ENC_AES256GCM_IDX 13 */
|
---|
| 96 | {SSL_AES128CCM, NID_aes_128_ccm}, /* SSL_ENC_AES128CCM_IDX 14 */
|
---|
| 97 | {SSL_AES256CCM, NID_aes_256_ccm}, /* SSL_ENC_AES256CCM_IDX 15 */
|
---|
| 98 | {SSL_AES128CCM8, NID_aes_128_ccm}, /* SSL_ENC_AES128CCM8_IDX 16 */
|
---|
| 99 | {SSL_AES256CCM8, NID_aes_256_ccm}, /* SSL_ENC_AES256CCM8_IDX 17 */
|
---|
| 100 | {SSL_eGOST2814789CNT12, NID_gost89_cnt_12}, /* SSL_ENC_GOST8912_IDX */
|
---|
| 101 | {SSL_CHACHA20POLY1305, NID_chacha20_poly1305},
|
---|
| 102 | };
|
---|
| 103 |
|
---|
| 104 | static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX] = {
|
---|
| 105 | NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
|
---|
| 106 | NULL, NULL
|
---|
| 107 | };
|
---|
| 108 |
|
---|
| 109 | #define SSL_COMP_NULL_IDX 0
|
---|
| 110 | #define SSL_COMP_ZLIB_IDX 1
|
---|
| 111 | #define SSL_COMP_NUM_IDX 2
|
---|
| 112 |
|
---|
| 113 | static STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
|
---|
| 114 |
|
---|
| 115 | #ifndef OPENSSL_NO_COMP
|
---|
| 116 | static CRYPTO_ONCE ssl_load_builtin_comp_once = CRYPTO_ONCE_STATIC_INIT;
|
---|
| 117 | #endif
|
---|
| 118 |
|
---|
| 119 | /*
|
---|
| 120 | * Constant SSL_MAX_DIGEST equal to size of digests array should be defined
|
---|
| 121 | * in the ssl_locl.h
|
---|
| 122 | */
|
---|
| 123 |
|
---|
| 124 | #define SSL_MD_NUM_IDX SSL_MAX_DIGEST
|
---|
| 125 |
|
---|
| 126 | /* NB: make sure indices in this table matches values above */
|
---|
| 127 | static const ssl_cipher_table ssl_cipher_table_mac[SSL_MD_NUM_IDX] = {
|
---|
| 128 | {SSL_MD5, NID_md5}, /* SSL_MD_MD5_IDX 0 */
|
---|
| 129 | {SSL_SHA1, NID_sha1}, /* SSL_MD_SHA1_IDX 1 */
|
---|
| 130 | {SSL_GOST94, NID_id_GostR3411_94}, /* SSL_MD_GOST94_IDX 2 */
|
---|
| 131 | {SSL_GOST89MAC, NID_id_Gost28147_89_MAC}, /* SSL_MD_GOST89MAC_IDX 3 */
|
---|
| 132 | {SSL_SHA256, NID_sha256}, /* SSL_MD_SHA256_IDX 4 */
|
---|
| 133 | {SSL_SHA384, NID_sha384}, /* SSL_MD_SHA384_IDX 5 */
|
---|
| 134 | {SSL_GOST12_256, NID_id_GostR3411_2012_256}, /* SSL_MD_GOST12_256_IDX 6 */
|
---|
| 135 | {SSL_GOST89MAC12, NID_gost_mac_12}, /* SSL_MD_GOST89MAC12_IDX 7 */
|
---|
| 136 | {SSL_GOST12_512, NID_id_GostR3411_2012_512}, /* SSL_MD_GOST12_512_IDX 8 */
|
---|
| 137 | {0, NID_md5_sha1}, /* SSL_MD_MD5_SHA1_IDX 9 */
|
---|
| 138 | {0, NID_sha224}, /* SSL_MD_SHA224_IDX 10 */
|
---|
| 139 | {0, NID_sha512} /* SSL_MD_SHA512_IDX 11 */
|
---|
| 140 | };
|
---|
| 141 |
|
---|
| 142 | static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = {
|
---|
| 143 | NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
|
---|
| 144 | };
|
---|
| 145 |
|
---|
| 146 | /* *INDENT-OFF* */
|
---|
| 147 | static const ssl_cipher_table ssl_cipher_table_kx[] = {
|
---|
| 148 | {SSL_kRSA, NID_kx_rsa},
|
---|
| 149 | {SSL_kECDHE, NID_kx_ecdhe},
|
---|
| 150 | {SSL_kDHE, NID_kx_dhe},
|
---|
| 151 | {SSL_kECDHEPSK, NID_kx_ecdhe_psk},
|
---|
| 152 | {SSL_kDHEPSK, NID_kx_dhe_psk},
|
---|
| 153 | {SSL_kRSAPSK, NID_kx_rsa_psk},
|
---|
| 154 | {SSL_kPSK, NID_kx_psk},
|
---|
| 155 | {SSL_kSRP, NID_kx_srp},
|
---|
| 156 | {SSL_kGOST, NID_kx_gost}
|
---|
| 157 | };
|
---|
| 158 |
|
---|
| 159 | static const ssl_cipher_table ssl_cipher_table_auth[] = {
|
---|
| 160 | {SSL_aRSA, NID_auth_rsa},
|
---|
| 161 | {SSL_aECDSA, NID_auth_ecdsa},
|
---|
| 162 | {SSL_aPSK, NID_auth_psk},
|
---|
| 163 | {SSL_aDSS, NID_auth_dss},
|
---|
| 164 | {SSL_aGOST01, NID_auth_gost01},
|
---|
| 165 | {SSL_aGOST12, NID_auth_gost12},
|
---|
| 166 | {SSL_aSRP, NID_auth_srp},
|
---|
| 167 | {SSL_aNULL, NID_auth_null}
|
---|
| 168 | };
|
---|
| 169 | /* *INDENT-ON* */
|
---|
| 170 |
|
---|
| 171 | /* Utility function for table lookup */
|
---|
| 172 | static int ssl_cipher_info_find(const ssl_cipher_table * table,
|
---|
| 173 | size_t table_cnt, uint32_t mask)
|
---|
| 174 | {
|
---|
| 175 | size_t i;
|
---|
| 176 | for (i = 0; i < table_cnt; i++, table++) {
|
---|
| 177 | if (table->mask == mask)
|
---|
| 178 | return i;
|
---|
| 179 | }
|
---|
| 180 | return -1;
|
---|
| 181 | }
|
---|
| 182 |
|
---|
| 183 | #define ssl_cipher_info_lookup(table, x) \
|
---|
| 184 | ssl_cipher_info_find(table, OSSL_NELEM(table), x)
|
---|
| 185 |
|
---|
| 186 | /*
|
---|
| 187 | * PKEY_TYPE for GOST89MAC is known in advance, but, because implementation
|
---|
| 188 | * is engine-provided, we'll fill it only if corresponding EVP_PKEY_METHOD is
|
---|
| 189 | * found
|
---|
| 190 | */
|
---|
| 191 | static int ssl_mac_pkey_id[SSL_MD_NUM_IDX] = {
|
---|
| 192 | /* MD5, SHA, GOST94, MAC89 */
|
---|
| 193 | EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, NID_undef,
|
---|
| 194 | /* SHA256, SHA384, GOST2012_256, MAC89-12 */
|
---|
| 195 | EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, NID_undef,
|
---|
| 196 | /* GOST2012_512 */
|
---|
| 197 | EVP_PKEY_HMAC,
|
---|
| 198 | };
|
---|
| 199 |
|
---|
| 200 | static int ssl_mac_secret_size[SSL_MD_NUM_IDX];
|
---|
| 201 |
|
---|
| 202 | #define CIPHER_ADD 1
|
---|
| 203 | #define CIPHER_KILL 2
|
---|
| 204 | #define CIPHER_DEL 3
|
---|
| 205 | #define CIPHER_ORD 4
|
---|
| 206 | #define CIPHER_SPECIAL 5
|
---|
| 207 | /*
|
---|
| 208 | * Bump the ciphers to the top of the list.
|
---|
| 209 | * This rule isn't currently supported by the public cipherstring API.
|
---|
| 210 | */
|
---|
| 211 | #define CIPHER_BUMP 6
|
---|
| 212 |
|
---|
| 213 | typedef struct cipher_order_st {
|
---|
| 214 | const SSL_CIPHER *cipher;
|
---|
| 215 | int active;
|
---|
| 216 | int dead;
|
---|
| 217 | struct cipher_order_st *next, *prev;
|
---|
| 218 | } CIPHER_ORDER;
|
---|
| 219 |
|
---|
| 220 | static const SSL_CIPHER cipher_aliases[] = {
|
---|
| 221 | /* "ALL" doesn't include eNULL (must be specifically enabled) */
|
---|
| 222 | {0, SSL_TXT_ALL, 0, 0, 0, ~SSL_eNULL},
|
---|
| 223 | /* "COMPLEMENTOFALL" */
|
---|
| 224 | {0, SSL_TXT_CMPALL, 0, 0, 0, SSL_eNULL},
|
---|
| 225 |
|
---|
| 226 | /*
|
---|
| 227 | * "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in
|
---|
| 228 | * ALL!)
|
---|
| 229 | */
|
---|
| 230 | {0, SSL_TXT_CMPDEF, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_NOT_DEFAULT},
|
---|
| 231 |
|
---|
| 232 | /*
|
---|
| 233 | * key exchange aliases (some of those using only a single bit here
|
---|
| 234 | * combine multiple key exchange algs according to the RFCs, e.g. kDHE
|
---|
| 235 | * combines DHE_DSS and DHE_RSA)
|
---|
| 236 | */
|
---|
| 237 | {0, SSL_TXT_kRSA, 0, SSL_kRSA},
|
---|
| 238 |
|
---|
| 239 | {0, SSL_TXT_kEDH, 0, SSL_kDHE},
|
---|
| 240 | {0, SSL_TXT_kDHE, 0, SSL_kDHE},
|
---|
| 241 | {0, SSL_TXT_DH, 0, SSL_kDHE},
|
---|
| 242 |
|
---|
| 243 | {0, SSL_TXT_kEECDH, 0, SSL_kECDHE},
|
---|
| 244 | {0, SSL_TXT_kECDHE, 0, SSL_kECDHE},
|
---|
| 245 | {0, SSL_TXT_ECDH, 0, SSL_kECDHE},
|
---|
| 246 |
|
---|
| 247 | {0, SSL_TXT_kPSK, 0, SSL_kPSK},
|
---|
| 248 | {0, SSL_TXT_kRSAPSK, 0, SSL_kRSAPSK},
|
---|
| 249 | {0, SSL_TXT_kECDHEPSK, 0, SSL_kECDHEPSK},
|
---|
| 250 | {0, SSL_TXT_kDHEPSK, 0, SSL_kDHEPSK},
|
---|
| 251 | {0, SSL_TXT_kSRP, 0, SSL_kSRP},
|
---|
| 252 | {0, SSL_TXT_kGOST, 0, SSL_kGOST},
|
---|
| 253 |
|
---|
| 254 | /* server authentication aliases */
|
---|
| 255 | {0, SSL_TXT_aRSA, 0, 0, SSL_aRSA},
|
---|
| 256 | {0, SSL_TXT_aDSS, 0, 0, SSL_aDSS},
|
---|
| 257 | {0, SSL_TXT_DSS, 0, 0, SSL_aDSS},
|
---|
| 258 | {0, SSL_TXT_aNULL, 0, 0, SSL_aNULL},
|
---|
| 259 | {0, SSL_TXT_aECDSA, 0, 0, SSL_aECDSA},
|
---|
| 260 | {0, SSL_TXT_ECDSA, 0, 0, SSL_aECDSA},
|
---|
| 261 | {0, SSL_TXT_aPSK, 0, 0, SSL_aPSK},
|
---|
| 262 | {0, SSL_TXT_aGOST01, 0, 0, SSL_aGOST01},
|
---|
| 263 | {0, SSL_TXT_aGOST12, 0, 0, SSL_aGOST12},
|
---|
| 264 | {0, SSL_TXT_aGOST, 0, 0, SSL_aGOST01 | SSL_aGOST12},
|
---|
| 265 | {0, SSL_TXT_aSRP, 0, 0, SSL_aSRP},
|
---|
| 266 |
|
---|
| 267 | /* aliases combining key exchange and server authentication */
|
---|
| 268 | {0, SSL_TXT_EDH, 0, SSL_kDHE, ~SSL_aNULL},
|
---|
| 269 | {0, SSL_TXT_DHE, 0, SSL_kDHE, ~SSL_aNULL},
|
---|
| 270 | {0, SSL_TXT_EECDH, 0, SSL_kECDHE, ~SSL_aNULL},
|
---|
| 271 | {0, SSL_TXT_ECDHE, 0, SSL_kECDHE, ~SSL_aNULL},
|
---|
| 272 | {0, SSL_TXT_NULL, 0, 0, 0, SSL_eNULL},
|
---|
| 273 | {0, SSL_TXT_RSA, 0, SSL_kRSA, SSL_aRSA},
|
---|
| 274 | {0, SSL_TXT_ADH, 0, SSL_kDHE, SSL_aNULL},
|
---|
| 275 | {0, SSL_TXT_AECDH, 0, SSL_kECDHE, SSL_aNULL},
|
---|
| 276 | {0, SSL_TXT_PSK, 0, SSL_PSK},
|
---|
| 277 | {0, SSL_TXT_SRP, 0, SSL_kSRP},
|
---|
| 278 |
|
---|
| 279 | /* symmetric encryption aliases */
|
---|
| 280 | {0, SSL_TXT_3DES, 0, 0, 0, SSL_3DES},
|
---|
| 281 | {0, SSL_TXT_RC4, 0, 0, 0, SSL_RC4},
|
---|
| 282 | {0, SSL_TXT_RC2, 0, 0, 0, SSL_RC2},
|
---|
| 283 | {0, SSL_TXT_IDEA, 0, 0, 0, SSL_IDEA},
|
---|
| 284 | {0, SSL_TXT_SEED, 0, 0, 0, SSL_SEED},
|
---|
| 285 | {0, SSL_TXT_eNULL, 0, 0, 0, SSL_eNULL},
|
---|
| 286 | {0, SSL_TXT_GOST, 0, 0, 0, SSL_eGOST2814789CNT | SSL_eGOST2814789CNT12},
|
---|
| 287 | {0, SSL_TXT_AES128, 0, 0, 0,
|
---|
| 288 | SSL_AES128 | SSL_AES128GCM | SSL_AES128CCM | SSL_AES128CCM8},
|
---|
| 289 | {0, SSL_TXT_AES256, 0, 0, 0,
|
---|
| 290 | SSL_AES256 | SSL_AES256GCM | SSL_AES256CCM | SSL_AES256CCM8},
|
---|
| 291 | {0, SSL_TXT_AES, 0, 0, 0, SSL_AES},
|
---|
| 292 | {0, SSL_TXT_AES_GCM, 0, 0, 0, SSL_AES128GCM | SSL_AES256GCM},
|
---|
| 293 | {0, SSL_TXT_AES_CCM, 0, 0, 0,
|
---|
| 294 | SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8},
|
---|
| 295 | {0, SSL_TXT_AES_CCM_8, 0, 0, 0, SSL_AES128CCM8 | SSL_AES256CCM8},
|
---|
| 296 | {0, SSL_TXT_CAMELLIA128, 0, 0, 0, SSL_CAMELLIA128},
|
---|
| 297 | {0, SSL_TXT_CAMELLIA256, 0, 0, 0, SSL_CAMELLIA256},
|
---|
| 298 | {0, SSL_TXT_CAMELLIA, 0, 0, 0, SSL_CAMELLIA},
|
---|
| 299 | {0, SSL_TXT_CHACHA20, 0, 0, 0, SSL_CHACHA20},
|
---|
| 300 |
|
---|
| 301 | /* MAC aliases */
|
---|
| 302 | {0, SSL_TXT_MD5, 0, 0, 0, 0, SSL_MD5},
|
---|
| 303 | {0, SSL_TXT_SHA1, 0, 0, 0, 0, SSL_SHA1},
|
---|
| 304 | {0, SSL_TXT_SHA, 0, 0, 0, 0, SSL_SHA1},
|
---|
| 305 | {0, SSL_TXT_GOST94, 0, 0, 0, 0, SSL_GOST94},
|
---|
| 306 | {0, SSL_TXT_GOST89MAC, 0, 0, 0, 0, SSL_GOST89MAC | SSL_GOST89MAC12},
|
---|
| 307 | {0, SSL_TXT_SHA256, 0, 0, 0, 0, SSL_SHA256},
|
---|
| 308 | {0, SSL_TXT_SHA384, 0, 0, 0, 0, SSL_SHA384},
|
---|
| 309 | {0, SSL_TXT_GOST12, 0, 0, 0, 0, SSL_GOST12_256},
|
---|
| 310 |
|
---|
| 311 | /* protocol version aliases */
|
---|
| 312 | {0, SSL_TXT_SSLV3, 0, 0, 0, 0, 0, SSL3_VERSION},
|
---|
| 313 | {0, SSL_TXT_TLSV1, 0, 0, 0, 0, 0, TLS1_VERSION},
|
---|
| 314 | {0, "TLSv1.0", 0, 0, 0, 0, 0, TLS1_VERSION},
|
---|
| 315 | {0, SSL_TXT_TLSV1_2, 0, 0, 0, 0, 0, TLS1_2_VERSION},
|
---|
| 316 |
|
---|
| 317 | /* strength classes */
|
---|
| 318 | {0, SSL_TXT_LOW, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_LOW},
|
---|
| 319 | {0, SSL_TXT_MEDIUM, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_MEDIUM},
|
---|
| 320 | {0, SSL_TXT_HIGH, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_HIGH},
|
---|
| 321 | /* FIPS 140-2 approved ciphersuite */
|
---|
| 322 | {0, SSL_TXT_FIPS, 0, 0, 0, ~SSL_eNULL, 0, 0, 0, 0, 0, SSL_FIPS},
|
---|
| 323 |
|
---|
| 324 | /* "EDH-" aliases to "DHE-" labels (for backward compatibility) */
|
---|
| 325 | {0, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, 0,
|
---|
| 326 | SSL_kDHE, SSL_aDSS, SSL_3DES, SSL_SHA1, 0, 0, 0, 0, SSL_HIGH | SSL_FIPS},
|
---|
| 327 | {0, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, 0,
|
---|
| 328 | SSL_kDHE, SSL_aRSA, SSL_3DES, SSL_SHA1, 0, 0, 0, 0, SSL_HIGH | SSL_FIPS},
|
---|
| 329 |
|
---|
| 330 | };
|
---|
| 331 |
|
---|
| 332 | /*
|
---|
| 333 | * Search for public key algorithm with given name and return its pkey_id if
|
---|
| 334 | * it is available. Otherwise return 0
|
---|
| 335 | */
|
---|
| 336 | #ifdef OPENSSL_NO_ENGINE
|
---|
| 337 |
|
---|
| 338 | static int get_optional_pkey_id(const char *pkey_name)
|
---|
| 339 | {
|
---|
| 340 | const EVP_PKEY_ASN1_METHOD *ameth;
|
---|
| 341 | int pkey_id = 0;
|
---|
| 342 | ameth = EVP_PKEY_asn1_find_str(NULL, pkey_name, -1);
|
---|
| 343 | if (ameth && EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL,
|
---|
| 344 | ameth) > 0) {
|
---|
| 345 | return pkey_id;
|
---|
| 346 | }
|
---|
| 347 | return 0;
|
---|
| 348 | }
|
---|
| 349 |
|
---|
| 350 | #else
|
---|
| 351 |
|
---|
| 352 | static int get_optional_pkey_id(const char *pkey_name)
|
---|
| 353 | {
|
---|
| 354 | const EVP_PKEY_ASN1_METHOD *ameth;
|
---|
| 355 | ENGINE *tmpeng = NULL;
|
---|
| 356 | int pkey_id = 0;
|
---|
| 357 | ameth = EVP_PKEY_asn1_find_str(&tmpeng, pkey_name, -1);
|
---|
| 358 | if (ameth) {
|
---|
| 359 | if (EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL,
|
---|
| 360 | ameth) <= 0)
|
---|
| 361 | pkey_id = 0;
|
---|
| 362 | }
|
---|
| 363 | ENGINE_finish(tmpeng);
|
---|
| 364 | return pkey_id;
|
---|
| 365 | }
|
---|
| 366 |
|
---|
| 367 | #endif
|
---|
| 368 |
|
---|
| 369 | /* masks of disabled algorithms */
|
---|
| 370 | static uint32_t disabled_enc_mask;
|
---|
| 371 | static uint32_t disabled_mac_mask;
|
---|
| 372 | static uint32_t disabled_mkey_mask;
|
---|
| 373 | static uint32_t disabled_auth_mask;
|
---|
| 374 |
|
---|
| 375 | void ssl_load_ciphers(void)
|
---|
| 376 | {
|
---|
| 377 | size_t i;
|
---|
| 378 | const ssl_cipher_table *t;
|
---|
| 379 |
|
---|
| 380 | disabled_enc_mask = 0;
|
---|
| 381 | ssl_sort_cipher_list();
|
---|
| 382 | for (i = 0, t = ssl_cipher_table_cipher; i < SSL_ENC_NUM_IDX; i++, t++) {
|
---|
| 383 | if (t->nid == NID_undef) {
|
---|
| 384 | ssl_cipher_methods[i] = NULL;
|
---|
| 385 | } else {
|
---|
| 386 | const EVP_CIPHER *cipher = EVP_get_cipherbynid(t->nid);
|
---|
| 387 | ssl_cipher_methods[i] = cipher;
|
---|
| 388 | if (cipher == NULL)
|
---|
| 389 | disabled_enc_mask |= t->mask;
|
---|
| 390 | }
|
---|
| 391 | }
|
---|
| 392 | #ifdef SSL_FORBID_ENULL
|
---|
| 393 | disabled_enc_mask |= SSL_eNULL;
|
---|
| 394 | #endif
|
---|
| 395 | disabled_mac_mask = 0;
|
---|
| 396 | for (i = 0, t = ssl_cipher_table_mac; i < SSL_MD_NUM_IDX; i++, t++) {
|
---|
| 397 | const EVP_MD *md = EVP_get_digestbynid(t->nid);
|
---|
| 398 | ssl_digest_methods[i] = md;
|
---|
| 399 | if (md == NULL) {
|
---|
| 400 | disabled_mac_mask |= t->mask;
|
---|
| 401 | } else {
|
---|
| 402 | ssl_mac_secret_size[i] = EVP_MD_size(md);
|
---|
| 403 | OPENSSL_assert(ssl_mac_secret_size[i] >= 0);
|
---|
| 404 | }
|
---|
| 405 | }
|
---|
| 406 | /* Make sure we can access MD5 and SHA1 */
|
---|
| 407 | OPENSSL_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL);
|
---|
| 408 | OPENSSL_assert(ssl_digest_methods[SSL_MD_SHA1_IDX] != NULL);
|
---|
| 409 |
|
---|
| 410 | disabled_mkey_mask = 0;
|
---|
| 411 | disabled_auth_mask = 0;
|
---|
| 412 |
|
---|
| 413 | #ifdef OPENSSL_NO_RSA
|
---|
| 414 | disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK;
|
---|
| 415 | disabled_auth_mask |= SSL_aRSA;
|
---|
| 416 | #endif
|
---|
| 417 | #ifdef OPENSSL_NO_DSA
|
---|
| 418 | disabled_auth_mask |= SSL_aDSS;
|
---|
| 419 | #endif
|
---|
| 420 | #ifdef OPENSSL_NO_DH
|
---|
| 421 | disabled_mkey_mask |= SSL_kDHE | SSL_kDHEPSK;
|
---|
| 422 | #endif
|
---|
| 423 | #ifdef OPENSSL_NO_EC
|
---|
| 424 | disabled_mkey_mask |= SSL_kECDHEPSK;
|
---|
| 425 | disabled_auth_mask |= SSL_aECDSA;
|
---|
| 426 | #endif
|
---|
| 427 | #ifdef OPENSSL_NO_PSK
|
---|
| 428 | disabled_mkey_mask |= SSL_PSK;
|
---|
| 429 | disabled_auth_mask |= SSL_aPSK;
|
---|
| 430 | #endif
|
---|
| 431 | #ifdef OPENSSL_NO_SRP
|
---|
| 432 | disabled_mkey_mask |= SSL_kSRP;
|
---|
| 433 | #endif
|
---|
| 434 |
|
---|
| 435 | /*
|
---|
| 436 | * Check for presence of GOST 34.10 algorithms, and if they are not
|
---|
| 437 | * present, disable appropriate auth and key exchange
|
---|
| 438 | */
|
---|
| 439 | ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] = get_optional_pkey_id("gost-mac");
|
---|
| 440 | if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]) {
|
---|
| 441 | ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32;
|
---|
| 442 | } else {
|
---|
| 443 | disabled_mac_mask |= SSL_GOST89MAC;
|
---|
| 444 | }
|
---|
| 445 |
|
---|
| 446 | ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX] =
|
---|
| 447 | get_optional_pkey_id("gost-mac-12");
|
---|
| 448 | if (ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX]) {
|
---|
| 449 | ssl_mac_secret_size[SSL_MD_GOST89MAC12_IDX] = 32;
|
---|
| 450 | } else {
|
---|
| 451 | disabled_mac_mask |= SSL_GOST89MAC12;
|
---|
| 452 | }
|
---|
| 453 |
|
---|
| 454 | if (!get_optional_pkey_id("gost2001"))
|
---|
| 455 | disabled_auth_mask |= SSL_aGOST01 | SSL_aGOST12;
|
---|
| 456 | if (!get_optional_pkey_id("gost2012_256"))
|
---|
| 457 | disabled_auth_mask |= SSL_aGOST12;
|
---|
| 458 | if (!get_optional_pkey_id("gost2012_512"))
|
---|
| 459 | disabled_auth_mask |= SSL_aGOST12;
|
---|
| 460 | /*
|
---|
| 461 | * Disable GOST key exchange if no GOST signature algs are available *
|
---|
| 462 | */
|
---|
| 463 | if ((disabled_auth_mask & (SSL_aGOST01 | SSL_aGOST12)) ==
|
---|
| 464 | (SSL_aGOST01 | SSL_aGOST12))
|
---|
| 465 | disabled_mkey_mask |= SSL_kGOST;
|
---|
| 466 | }
|
---|
| 467 |
|
---|
| 468 | #ifndef OPENSSL_NO_COMP
|
---|
| 469 |
|
---|
| 470 | static int sk_comp_cmp(const SSL_COMP *const *a, const SSL_COMP *const *b)
|
---|
| 471 | {
|
---|
| 472 | return ((*a)->id - (*b)->id);
|
---|
| 473 | }
|
---|
| 474 |
|
---|
| 475 | DEFINE_RUN_ONCE_STATIC(do_load_builtin_compressions)
|
---|
| 476 | {
|
---|
| 477 | SSL_COMP *comp = NULL;
|
---|
| 478 | COMP_METHOD *method = COMP_zlib();
|
---|
| 479 |
|
---|
| 480 | CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE);
|
---|
| 481 | ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
|
---|
| 482 |
|
---|
| 483 | if (COMP_get_type(method) != NID_undef && ssl_comp_methods != NULL) {
|
---|
| 484 | comp = OPENSSL_malloc(sizeof(*comp));
|
---|
| 485 | if (comp != NULL) {
|
---|
| 486 | comp->method = method;
|
---|
| 487 | comp->id = SSL_COMP_ZLIB_IDX;
|
---|
| 488 | comp->name = COMP_get_name(method);
|
---|
| 489 | sk_SSL_COMP_push(ssl_comp_methods, comp);
|
---|
| 490 | sk_SSL_COMP_sort(ssl_comp_methods);
|
---|
| 491 | }
|
---|
| 492 | }
|
---|
| 493 | CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE);
|
---|
| 494 | return 1;
|
---|
| 495 | }
|
---|
| 496 |
|
---|
| 497 | static int load_builtin_compressions(void)
|
---|
| 498 | {
|
---|
| 499 | return RUN_ONCE(&ssl_load_builtin_comp_once, do_load_builtin_compressions);
|
---|
| 500 | }
|
---|
| 501 | #endif
|
---|
| 502 |
|
---|
| 503 | int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
|
---|
| 504 | const EVP_MD **md, int *mac_pkey_type,
|
---|
| 505 | int *mac_secret_size, SSL_COMP **comp, int use_etm)
|
---|
| 506 | {
|
---|
| 507 | int i;
|
---|
| 508 | const SSL_CIPHER *c;
|
---|
| 509 |
|
---|
| 510 | c = s->cipher;
|
---|
| 511 | if (c == NULL)
|
---|
| 512 | return (0);
|
---|
| 513 | if (comp != NULL) {
|
---|
| 514 | SSL_COMP ctmp;
|
---|
| 515 | #ifndef OPENSSL_NO_COMP
|
---|
| 516 | if (!load_builtin_compressions()) {
|
---|
| 517 | /*
|
---|
| 518 | * Currently don't care, since a failure only means that
|
---|
| 519 | * ssl_comp_methods is NULL, which is perfectly OK
|
---|
| 520 | */
|
---|
| 521 | }
|
---|
| 522 | #endif
|
---|
| 523 | *comp = NULL;
|
---|
| 524 | ctmp.id = s->compress_meth;
|
---|
| 525 | if (ssl_comp_methods != NULL) {
|
---|
| 526 | i = sk_SSL_COMP_find(ssl_comp_methods, &ctmp);
|
---|
| 527 | if (i >= 0)
|
---|
| 528 | *comp = sk_SSL_COMP_value(ssl_comp_methods, i);
|
---|
| 529 | else
|
---|
| 530 | *comp = NULL;
|
---|
| 531 | }
|
---|
| 532 | /* If were only interested in comp then return success */
|
---|
| 533 | if ((enc == NULL) && (md == NULL))
|
---|
| 534 | return 1;
|
---|
| 535 | }
|
---|
| 536 |
|
---|
| 537 | if ((enc == NULL) || (md == NULL))
|
---|
| 538 | return 0;
|
---|
| 539 |
|
---|
| 540 | i = ssl_cipher_info_lookup(ssl_cipher_table_cipher, c->algorithm_enc);
|
---|
| 541 |
|
---|
| 542 | if (i == -1)
|
---|
| 543 | *enc = NULL;
|
---|
| 544 | else {
|
---|
| 545 | if (i == SSL_ENC_NULL_IDX)
|
---|
| 546 | *enc = EVP_enc_null();
|
---|
| 547 | else
|
---|
| 548 | *enc = ssl_cipher_methods[i];
|
---|
| 549 | }
|
---|
| 550 |
|
---|
| 551 | i = ssl_cipher_info_lookup(ssl_cipher_table_mac, c->algorithm_mac);
|
---|
| 552 | if (i == -1) {
|
---|
| 553 | *md = NULL;
|
---|
| 554 | if (mac_pkey_type != NULL)
|
---|
| 555 | *mac_pkey_type = NID_undef;
|
---|
| 556 | if (mac_secret_size != NULL)
|
---|
| 557 | *mac_secret_size = 0;
|
---|
| 558 | if (c->algorithm_mac == SSL_AEAD)
|
---|
| 559 | mac_pkey_type = NULL;
|
---|
| 560 | } else {
|
---|
| 561 | *md = ssl_digest_methods[i];
|
---|
| 562 | if (mac_pkey_type != NULL)
|
---|
| 563 | *mac_pkey_type = ssl_mac_pkey_id[i];
|
---|
| 564 | if (mac_secret_size != NULL)
|
---|
| 565 | *mac_secret_size = ssl_mac_secret_size[i];
|
---|
| 566 | }
|
---|
| 567 |
|
---|
| 568 | if ((*enc != NULL) &&
|
---|
| 569 | (*md != NULL || (EVP_CIPHER_flags(*enc) & EVP_CIPH_FLAG_AEAD_CIPHER))
|
---|
| 570 | && (!mac_pkey_type || *mac_pkey_type != NID_undef)) {
|
---|
| 571 | const EVP_CIPHER *evp;
|
---|
| 572 |
|
---|
| 573 | if (use_etm)
|
---|
| 574 | return 1;
|
---|
| 575 |
|
---|
| 576 | if (s->ssl_version >> 8 != TLS1_VERSION_MAJOR ||
|
---|
| 577 | s->ssl_version < TLS1_VERSION)
|
---|
| 578 | return 1;
|
---|
| 579 |
|
---|
| 580 | if (FIPS_mode())
|
---|
| 581 | return 1;
|
---|
| 582 |
|
---|
| 583 | if (c->algorithm_enc == SSL_RC4 &&
|
---|
| 584 | c->algorithm_mac == SSL_MD5 &&
|
---|
| 585 | (evp = EVP_get_cipherbyname("RC4-HMAC-MD5")))
|
---|
| 586 | *enc = evp, *md = NULL;
|
---|
| 587 | else if (c->algorithm_enc == SSL_AES128 &&
|
---|
| 588 | c->algorithm_mac == SSL_SHA1 &&
|
---|
| 589 | (evp = EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1")))
|
---|
| 590 | *enc = evp, *md = NULL;
|
---|
| 591 | else if (c->algorithm_enc == SSL_AES256 &&
|
---|
| 592 | c->algorithm_mac == SSL_SHA1 &&
|
---|
| 593 | (evp = EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1")))
|
---|
| 594 | *enc = evp, *md = NULL;
|
---|
| 595 | else if (c->algorithm_enc == SSL_AES128 &&
|
---|
| 596 | c->algorithm_mac == SSL_SHA256 &&
|
---|
| 597 | (evp = EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA256")))
|
---|
| 598 | *enc = evp, *md = NULL;
|
---|
| 599 | else if (c->algorithm_enc == SSL_AES256 &&
|
---|
| 600 | c->algorithm_mac == SSL_SHA256 &&
|
---|
| 601 | (evp = EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA256")))
|
---|
| 602 | *enc = evp, *md = NULL;
|
---|
| 603 | return (1);
|
---|
| 604 | } else
|
---|
| 605 | return (0);
|
---|
| 606 | }
|
---|
| 607 |
|
---|
| 608 | const EVP_MD *ssl_md(int idx)
|
---|
| 609 | {
|
---|
| 610 | idx &= SSL_HANDSHAKE_MAC_MASK;
|
---|
| 611 | if (idx < 0 || idx >= SSL_MD_NUM_IDX)
|
---|
| 612 | return NULL;
|
---|
| 613 | return ssl_digest_methods[idx];
|
---|
| 614 | }
|
---|
| 615 |
|
---|
| 616 | const EVP_MD *ssl_handshake_md(SSL *s)
|
---|
| 617 | {
|
---|
| 618 | return ssl_md(ssl_get_algorithm2(s));
|
---|
| 619 | }
|
---|
| 620 |
|
---|
| 621 | const EVP_MD *ssl_prf_md(SSL *s)
|
---|
| 622 | {
|
---|
| 623 | return ssl_md(ssl_get_algorithm2(s) >> TLS1_PRF_DGST_SHIFT);
|
---|
| 624 | }
|
---|
| 625 |
|
---|
| 626 | #define ITEM_SEP(a) \
|
---|
| 627 | (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
|
---|
| 628 |
|
---|
| 629 | static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
|
---|
| 630 | CIPHER_ORDER **tail)
|
---|
| 631 | {
|
---|
| 632 | if (curr == *tail)
|
---|
| 633 | return;
|
---|
| 634 | if (curr == *head)
|
---|
| 635 | *head = curr->next;
|
---|
| 636 | if (curr->prev != NULL)
|
---|
| 637 | curr->prev->next = curr->next;
|
---|
| 638 | if (curr->next != NULL)
|
---|
| 639 | curr->next->prev = curr->prev;
|
---|
| 640 | (*tail)->next = curr;
|
---|
| 641 | curr->prev = *tail;
|
---|
| 642 | curr->next = NULL;
|
---|
| 643 | *tail = curr;
|
---|
| 644 | }
|
---|
| 645 |
|
---|
| 646 | static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
|
---|
| 647 | CIPHER_ORDER **tail)
|
---|
| 648 | {
|
---|
| 649 | if (curr == *head)
|
---|
| 650 | return;
|
---|
| 651 | if (curr == *tail)
|
---|
| 652 | *tail = curr->prev;
|
---|
| 653 | if (curr->next != NULL)
|
---|
| 654 | curr->next->prev = curr->prev;
|
---|
| 655 | if (curr->prev != NULL)
|
---|
| 656 | curr->prev->next = curr->next;
|
---|
| 657 | (*head)->prev = curr;
|
---|
| 658 | curr->next = *head;
|
---|
| 659 | curr->prev = NULL;
|
---|
| 660 | *head = curr;
|
---|
| 661 | }
|
---|
| 662 |
|
---|
| 663 | static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
|
---|
| 664 | int num_of_ciphers,
|
---|
| 665 | uint32_t disabled_mkey,
|
---|
| 666 | uint32_t disabled_auth,
|
---|
| 667 | uint32_t disabled_enc,
|
---|
| 668 | uint32_t disabled_mac,
|
---|
| 669 | CIPHER_ORDER *co_list,
|
---|
| 670 | CIPHER_ORDER **head_p,
|
---|
| 671 | CIPHER_ORDER **tail_p)
|
---|
| 672 | {
|
---|
| 673 | int i, co_list_num;
|
---|
| 674 | const SSL_CIPHER *c;
|
---|
| 675 |
|
---|
| 676 | /*
|
---|
| 677 | * We have num_of_ciphers descriptions compiled in, depending on the
|
---|
| 678 | * method selected (SSLv3, TLSv1 etc).
|
---|
| 679 | * These will later be sorted in a linked list with at most num
|
---|
| 680 | * entries.
|
---|
| 681 | */
|
---|
| 682 |
|
---|
| 683 | /* Get the initial list of ciphers */
|
---|
| 684 | co_list_num = 0; /* actual count of ciphers */
|
---|
| 685 | for (i = 0; i < num_of_ciphers; i++) {
|
---|
| 686 | c = ssl_method->get_cipher(i);
|
---|
| 687 | /* drop those that use any of that is not available */
|
---|
| 688 | if (c == NULL || !c->valid)
|
---|
| 689 | continue;
|
---|
| 690 | if (FIPS_mode() && (c->algo_strength & SSL_FIPS))
|
---|
| 691 | continue;
|
---|
| 692 | if ((c->algorithm_mkey & disabled_mkey) ||
|
---|
| 693 | (c->algorithm_auth & disabled_auth) ||
|
---|
| 694 | (c->algorithm_enc & disabled_enc) ||
|
---|
| 695 | (c->algorithm_mac & disabled_mac))
|
---|
| 696 | continue;
|
---|
| 697 | if (((ssl_method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) == 0) &&
|
---|
| 698 | c->min_tls == 0)
|
---|
| 699 | continue;
|
---|
| 700 | if (((ssl_method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) != 0) &&
|
---|
| 701 | c->min_dtls == 0)
|
---|
| 702 | continue;
|
---|
| 703 |
|
---|
| 704 | co_list[co_list_num].cipher = c;
|
---|
| 705 | co_list[co_list_num].next = NULL;
|
---|
| 706 | co_list[co_list_num].prev = NULL;
|
---|
| 707 | co_list[co_list_num].active = 0;
|
---|
| 708 | co_list_num++;
|
---|
| 709 | /*
|
---|
| 710 | * if (!sk_push(ca_list,(char *)c)) goto err;
|
---|
| 711 | */
|
---|
| 712 | }
|
---|
| 713 |
|
---|
| 714 | /*
|
---|
| 715 | * Prepare linked list from list entries
|
---|
| 716 | */
|
---|
| 717 | if (co_list_num > 0) {
|
---|
| 718 | co_list[0].prev = NULL;
|
---|
| 719 |
|
---|
| 720 | if (co_list_num > 1) {
|
---|
| 721 | co_list[0].next = &co_list[1];
|
---|
| 722 |
|
---|
| 723 | for (i = 1; i < co_list_num - 1; i++) {
|
---|
| 724 | co_list[i].prev = &co_list[i - 1];
|
---|
| 725 | co_list[i].next = &co_list[i + 1];
|
---|
| 726 | }
|
---|
| 727 |
|
---|
| 728 | co_list[co_list_num - 1].prev = &co_list[co_list_num - 2];
|
---|
| 729 | }
|
---|
| 730 |
|
---|
| 731 | co_list[co_list_num - 1].next = NULL;
|
---|
| 732 |
|
---|
| 733 | *head_p = &co_list[0];
|
---|
| 734 | *tail_p = &co_list[co_list_num - 1];
|
---|
| 735 | }
|
---|
| 736 | }
|
---|
| 737 |
|
---|
| 738 | static void ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list,
|
---|
| 739 | int num_of_group_aliases,
|
---|
| 740 | uint32_t disabled_mkey,
|
---|
| 741 | uint32_t disabled_auth,
|
---|
| 742 | uint32_t disabled_enc,
|
---|
| 743 | uint32_t disabled_mac,
|
---|
| 744 | CIPHER_ORDER *head)
|
---|
| 745 | {
|
---|
| 746 | CIPHER_ORDER *ciph_curr;
|
---|
| 747 | const SSL_CIPHER **ca_curr;
|
---|
| 748 | int i;
|
---|
| 749 | uint32_t mask_mkey = ~disabled_mkey;
|
---|
| 750 | uint32_t mask_auth = ~disabled_auth;
|
---|
| 751 | uint32_t mask_enc = ~disabled_enc;
|
---|
| 752 | uint32_t mask_mac = ~disabled_mac;
|
---|
| 753 |
|
---|
| 754 | /*
|
---|
| 755 | * First, add the real ciphers as already collected
|
---|
| 756 | */
|
---|
| 757 | ciph_curr = head;
|
---|
| 758 | ca_curr = ca_list;
|
---|
| 759 | while (ciph_curr != NULL) {
|
---|
| 760 | *ca_curr = ciph_curr->cipher;
|
---|
| 761 | ca_curr++;
|
---|
| 762 | ciph_curr = ciph_curr->next;
|
---|
| 763 | }
|
---|
| 764 |
|
---|
| 765 | /*
|
---|
| 766 | * Now we add the available ones from the cipher_aliases[] table.
|
---|
| 767 | * They represent either one or more algorithms, some of which
|
---|
| 768 | * in any affected category must be supported (set in enabled_mask),
|
---|
| 769 | * or represent a cipher strength value (will be added in any case because algorithms=0).
|
---|
| 770 | */
|
---|
| 771 | for (i = 0; i < num_of_group_aliases; i++) {
|
---|
| 772 | uint32_t algorithm_mkey = cipher_aliases[i].algorithm_mkey;
|
---|
| 773 | uint32_t algorithm_auth = cipher_aliases[i].algorithm_auth;
|
---|
| 774 | uint32_t algorithm_enc = cipher_aliases[i].algorithm_enc;
|
---|
| 775 | uint32_t algorithm_mac = cipher_aliases[i].algorithm_mac;
|
---|
| 776 |
|
---|
| 777 | if (algorithm_mkey)
|
---|
| 778 | if ((algorithm_mkey & mask_mkey) == 0)
|
---|
| 779 | continue;
|
---|
| 780 |
|
---|
| 781 | if (algorithm_auth)
|
---|
| 782 | if ((algorithm_auth & mask_auth) == 0)
|
---|
| 783 | continue;
|
---|
| 784 |
|
---|
| 785 | if (algorithm_enc)
|
---|
| 786 | if ((algorithm_enc & mask_enc) == 0)
|
---|
| 787 | continue;
|
---|
| 788 |
|
---|
| 789 | if (algorithm_mac)
|
---|
| 790 | if ((algorithm_mac & mask_mac) == 0)
|
---|
| 791 | continue;
|
---|
| 792 |
|
---|
| 793 | *ca_curr = (SSL_CIPHER *)(cipher_aliases + i);
|
---|
| 794 | ca_curr++;
|
---|
| 795 | }
|
---|
| 796 |
|
---|
| 797 | *ca_curr = NULL; /* end of list */
|
---|
| 798 | }
|
---|
| 799 |
|
---|
| 800 | static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
|
---|
| 801 | uint32_t alg_auth, uint32_t alg_enc,
|
---|
| 802 | uint32_t alg_mac, int min_tls,
|
---|
| 803 | uint32_t algo_strength, int rule,
|
---|
| 804 | int32_t strength_bits, CIPHER_ORDER **head_p,
|
---|
| 805 | CIPHER_ORDER **tail_p)
|
---|
| 806 | {
|
---|
| 807 | CIPHER_ORDER *head, *tail, *curr, *next, *last;
|
---|
| 808 | const SSL_CIPHER *cp;
|
---|
| 809 | int reverse = 0;
|
---|
| 810 |
|
---|
| 811 | #ifdef CIPHER_DEBUG
|
---|
| 812 | fprintf(stderr,
|
---|
| 813 | "Applying rule %d with %08x/%08x/%08x/%08x/%08x %08x (%d)\n",
|
---|
| 814 | rule, alg_mkey, alg_auth, alg_enc, alg_mac, min_tls,
|
---|
| 815 | algo_strength, strength_bits);
|
---|
| 816 | #endif
|
---|
| 817 |
|
---|
| 818 | if (rule == CIPHER_DEL || rule == CIPHER_BUMP)
|
---|
| 819 | reverse = 1; /* needed to maintain sorting between currently
|
---|
| 820 | * deleted ciphers */
|
---|
| 821 |
|
---|
| 822 | head = *head_p;
|
---|
| 823 | tail = *tail_p;
|
---|
| 824 |
|
---|
| 825 | if (reverse) {
|
---|
| 826 | next = tail;
|
---|
| 827 | last = head;
|
---|
| 828 | } else {
|
---|
| 829 | next = head;
|
---|
| 830 | last = tail;
|
---|
| 831 | }
|
---|
| 832 |
|
---|
| 833 | curr = NULL;
|
---|
| 834 | for (;;) {
|
---|
| 835 | if (curr == last)
|
---|
| 836 | break;
|
---|
| 837 |
|
---|
| 838 | curr = next;
|
---|
| 839 |
|
---|
| 840 | if (curr == NULL)
|
---|
| 841 | break;
|
---|
| 842 |
|
---|
| 843 | next = reverse ? curr->prev : curr->next;
|
---|
| 844 |
|
---|
| 845 | cp = curr->cipher;
|
---|
| 846 |
|
---|
| 847 | /*
|
---|
| 848 | * Selection criteria is either the value of strength_bits
|
---|
| 849 | * or the algorithms used.
|
---|
| 850 | */
|
---|
| 851 | if (strength_bits >= 0) {
|
---|
| 852 | if (strength_bits != cp->strength_bits)
|
---|
| 853 | continue;
|
---|
| 854 | } else {
|
---|
| 855 | #ifdef CIPHER_DEBUG
|
---|
| 856 | fprintf(stderr,
|
---|
| 857 | "\nName: %s:\nAlgo = %08x/%08x/%08x/%08x/%08x Algo_strength = %08x\n",
|
---|
| 858 | cp->name, cp->algorithm_mkey, cp->algorithm_auth,
|
---|
| 859 | cp->algorithm_enc, cp->algorithm_mac, cp->min_tls,
|
---|
| 860 | cp->algo_strength);
|
---|
| 861 | #endif
|
---|
| 862 | if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
|
---|
| 863 | continue;
|
---|
| 864 | if (alg_auth && !(alg_auth & cp->algorithm_auth))
|
---|
| 865 | continue;
|
---|
| 866 | if (alg_enc && !(alg_enc & cp->algorithm_enc))
|
---|
| 867 | continue;
|
---|
| 868 | if (alg_mac && !(alg_mac & cp->algorithm_mac))
|
---|
| 869 | continue;
|
---|
| 870 | if (min_tls && (min_tls != cp->min_tls))
|
---|
| 871 | continue;
|
---|
| 872 | if ((algo_strength & SSL_STRONG_MASK)
|
---|
| 873 | && !(algo_strength & SSL_STRONG_MASK & cp->algo_strength))
|
---|
| 874 | continue;
|
---|
| 875 | if ((algo_strength & SSL_DEFAULT_MASK)
|
---|
| 876 | && !(algo_strength & SSL_DEFAULT_MASK & cp->algo_strength))
|
---|
| 877 | continue;
|
---|
| 878 | }
|
---|
| 879 |
|
---|
| 880 | #ifdef CIPHER_DEBUG
|
---|
| 881 | fprintf(stderr, "Action = %d\n", rule);
|
---|
| 882 | #endif
|
---|
| 883 |
|
---|
| 884 | /* add the cipher if it has not been added yet. */
|
---|
| 885 | if (rule == CIPHER_ADD) {
|
---|
| 886 | /* reverse == 0 */
|
---|
| 887 | if (!curr->active) {
|
---|
| 888 | ll_append_tail(&head, curr, &tail);
|
---|
| 889 | curr->active = 1;
|
---|
| 890 | }
|
---|
| 891 | }
|
---|
| 892 | /* Move the added cipher to this location */
|
---|
| 893 | else if (rule == CIPHER_ORD) {
|
---|
| 894 | /* reverse == 0 */
|
---|
| 895 | if (curr->active) {
|
---|
| 896 | ll_append_tail(&head, curr, &tail);
|
---|
| 897 | }
|
---|
| 898 | } else if (rule == CIPHER_DEL) {
|
---|
| 899 | /* reverse == 1 */
|
---|
| 900 | if (curr->active) {
|
---|
| 901 | /*
|
---|
| 902 | * most recently deleted ciphersuites get best positions for
|
---|
| 903 | * any future CIPHER_ADD (note that the CIPHER_DEL loop works
|
---|
| 904 | * in reverse to maintain the order)
|
---|
| 905 | */
|
---|
| 906 | ll_append_head(&head, curr, &tail);
|
---|
| 907 | curr->active = 0;
|
---|
| 908 | }
|
---|
| 909 | } else if (rule == CIPHER_BUMP) {
|
---|
| 910 | if (curr->active)
|
---|
| 911 | ll_append_head(&head, curr, &tail);
|
---|
| 912 | } else if (rule == CIPHER_KILL) {
|
---|
| 913 | /* reverse == 0 */
|
---|
| 914 | if (head == curr)
|
---|
| 915 | head = curr->next;
|
---|
| 916 | else
|
---|
| 917 | curr->prev->next = curr->next;
|
---|
| 918 | if (tail == curr)
|
---|
| 919 | tail = curr->prev;
|
---|
| 920 | curr->active = 0;
|
---|
| 921 | if (curr->next != NULL)
|
---|
| 922 | curr->next->prev = curr->prev;
|
---|
| 923 | if (curr->prev != NULL)
|
---|
| 924 | curr->prev->next = curr->next;
|
---|
| 925 | curr->next = NULL;
|
---|
| 926 | curr->prev = NULL;
|
---|
| 927 | }
|
---|
| 928 | }
|
---|
| 929 |
|
---|
| 930 | *head_p = head;
|
---|
| 931 | *tail_p = tail;
|
---|
| 932 | }
|
---|
| 933 |
|
---|
| 934 | static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
|
---|
| 935 | CIPHER_ORDER **tail_p)
|
---|
| 936 | {
|
---|
| 937 | int32_t max_strength_bits;
|
---|
| 938 | int i, *number_uses;
|
---|
| 939 | CIPHER_ORDER *curr;
|
---|
| 940 |
|
---|
| 941 | /*
|
---|
| 942 | * This routine sorts the ciphers with descending strength. The sorting
|
---|
| 943 | * must keep the pre-sorted sequence, so we apply the normal sorting
|
---|
| 944 | * routine as '+' movement to the end of the list.
|
---|
| 945 | */
|
---|
| 946 | max_strength_bits = 0;
|
---|
| 947 | curr = *head_p;
|
---|
| 948 | while (curr != NULL) {
|
---|
| 949 | if (curr->active && (curr->cipher->strength_bits > max_strength_bits))
|
---|
| 950 | max_strength_bits = curr->cipher->strength_bits;
|
---|
| 951 | curr = curr->next;
|
---|
| 952 | }
|
---|
| 953 |
|
---|
| 954 | number_uses = OPENSSL_zalloc(sizeof(int) * (max_strength_bits + 1));
|
---|
| 955 | if (number_uses == NULL) {
|
---|
| 956 | SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT, ERR_R_MALLOC_FAILURE);
|
---|
| 957 | return (0);
|
---|
| 958 | }
|
---|
| 959 |
|
---|
| 960 | /*
|
---|
| 961 | * Now find the strength_bits values actually used
|
---|
| 962 | */
|
---|
| 963 | curr = *head_p;
|
---|
| 964 | while (curr != NULL) {
|
---|
| 965 | if (curr->active)
|
---|
| 966 | number_uses[curr->cipher->strength_bits]++;
|
---|
| 967 | curr = curr->next;
|
---|
| 968 | }
|
---|
| 969 | /*
|
---|
| 970 | * Go through the list of used strength_bits values in descending
|
---|
| 971 | * order.
|
---|
| 972 | */
|
---|
| 973 | for (i = max_strength_bits; i >= 0; i--)
|
---|
| 974 | if (number_uses[i] > 0)
|
---|
| 975 | ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, head_p,
|
---|
| 976 | tail_p);
|
---|
| 977 |
|
---|
| 978 | OPENSSL_free(number_uses);
|
---|
| 979 | return (1);
|
---|
| 980 | }
|
---|
| 981 |
|
---|
| 982 | static int ssl_cipher_process_rulestr(const char *rule_str,
|
---|
| 983 | CIPHER_ORDER **head_p,
|
---|
| 984 | CIPHER_ORDER **tail_p,
|
---|
| 985 | const SSL_CIPHER **ca_list, CERT *c)
|
---|
| 986 | {
|
---|
| 987 | uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, algo_strength;
|
---|
| 988 | int min_tls;
|
---|
| 989 | const char *l, *buf;
|
---|
| 990 | int j, multi, found, rule, retval, ok, buflen;
|
---|
| 991 | uint32_t cipher_id = 0;
|
---|
| 992 | char ch;
|
---|
| 993 |
|
---|
| 994 | retval = 1;
|
---|
| 995 | l = rule_str;
|
---|
| 996 | for (;;) {
|
---|
| 997 | ch = *l;
|
---|
| 998 |
|
---|
| 999 | if (ch == '\0')
|
---|
| 1000 | break; /* done */
|
---|
| 1001 | if (ch == '-') {
|
---|
| 1002 | rule = CIPHER_DEL;
|
---|
| 1003 | l++;
|
---|
| 1004 | } else if (ch == '+') {
|
---|
| 1005 | rule = CIPHER_ORD;
|
---|
| 1006 | l++;
|
---|
| 1007 | } else if (ch == '!') {
|
---|
| 1008 | rule = CIPHER_KILL;
|
---|
| 1009 | l++;
|
---|
| 1010 | } else if (ch == '@') {
|
---|
| 1011 | rule = CIPHER_SPECIAL;
|
---|
| 1012 | l++;
|
---|
| 1013 | } else {
|
---|
| 1014 | rule = CIPHER_ADD;
|
---|
| 1015 | }
|
---|
| 1016 |
|
---|
| 1017 | if (ITEM_SEP(ch)) {
|
---|
| 1018 | l++;
|
---|
| 1019 | continue;
|
---|
| 1020 | }
|
---|
| 1021 |
|
---|
| 1022 | alg_mkey = 0;
|
---|
| 1023 | alg_auth = 0;
|
---|
| 1024 | alg_enc = 0;
|
---|
| 1025 | alg_mac = 0;
|
---|
| 1026 | min_tls = 0;
|
---|
| 1027 | algo_strength = 0;
|
---|
| 1028 |
|
---|
| 1029 | for (;;) {
|
---|
| 1030 | ch = *l;
|
---|
| 1031 | buf = l;
|
---|
| 1032 | buflen = 0;
|
---|
| 1033 | #ifndef CHARSET_EBCDIC
|
---|
| 1034 | while (((ch >= 'A') && (ch <= 'Z')) ||
|
---|
| 1035 | ((ch >= '0') && (ch <= '9')) ||
|
---|
| 1036 | ((ch >= 'a') && (ch <= 'z')) ||
|
---|
| 1037 | (ch == '-') || (ch == '.') || (ch == '='))
|
---|
| 1038 | #else
|
---|
| 1039 | while (isalnum(ch) || (ch == '-') || (ch == '.') || (ch == '='))
|
---|
| 1040 | #endif
|
---|
| 1041 | {
|
---|
| 1042 | ch = *(++l);
|
---|
| 1043 | buflen++;
|
---|
| 1044 | }
|
---|
| 1045 |
|
---|
| 1046 | if (buflen == 0) {
|
---|
| 1047 | /*
|
---|
| 1048 | * We hit something we cannot deal with,
|
---|
| 1049 | * it is no command or separator nor
|
---|
| 1050 | * alphanumeric, so we call this an error.
|
---|
| 1051 | */
|
---|
| 1052 | SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND);
|
---|
| 1053 | retval = found = 0;
|
---|
| 1054 | l++;
|
---|
| 1055 | break;
|
---|
| 1056 | }
|
---|
| 1057 |
|
---|
| 1058 | if (rule == CIPHER_SPECIAL) {
|
---|
| 1059 | found = 0; /* unused -- avoid compiler warning */
|
---|
| 1060 | break; /* special treatment */
|
---|
| 1061 | }
|
---|
| 1062 |
|
---|
| 1063 | /* check for multi-part specification */
|
---|
| 1064 | if (ch == '+') {
|
---|
| 1065 | multi = 1;
|
---|
| 1066 | l++;
|
---|
| 1067 | } else
|
---|
| 1068 | multi = 0;
|
---|
| 1069 |
|
---|
| 1070 | /*
|
---|
| 1071 | * Now search for the cipher alias in the ca_list. Be careful
|
---|
| 1072 | * with the strncmp, because the "buflen" limitation
|
---|
| 1073 | * will make the rule "ADH:SOME" and the cipher
|
---|
| 1074 | * "ADH-MY-CIPHER" look like a match for buflen=3.
|
---|
| 1075 | * So additionally check whether the cipher name found
|
---|
| 1076 | * has the correct length. We can save a strlen() call:
|
---|
| 1077 | * just checking for the '\0' at the right place is
|
---|
| 1078 | * sufficient, we have to strncmp() anyway. (We cannot
|
---|
| 1079 | * use strcmp(), because buf is not '\0' terminated.)
|
---|
| 1080 | */
|
---|
| 1081 | j = found = 0;
|
---|
| 1082 | cipher_id = 0;
|
---|
| 1083 | while (ca_list[j]) {
|
---|
| 1084 | if (strncmp(buf, ca_list[j]->name, buflen) == 0
|
---|
| 1085 | && (ca_list[j]->name[buflen] == '\0')) {
|
---|
| 1086 | found = 1;
|
---|
| 1087 | break;
|
---|
| 1088 | } else
|
---|
| 1089 | j++;
|
---|
| 1090 | }
|
---|
| 1091 |
|
---|
| 1092 | if (!found)
|
---|
| 1093 | break; /* ignore this entry */
|
---|
| 1094 |
|
---|
| 1095 | if (ca_list[j]->algorithm_mkey) {
|
---|
| 1096 | if (alg_mkey) {
|
---|
| 1097 | alg_mkey &= ca_list[j]->algorithm_mkey;
|
---|
| 1098 | if (!alg_mkey) {
|
---|
| 1099 | found = 0;
|
---|
| 1100 | break;
|
---|
| 1101 | }
|
---|
| 1102 | } else
|
---|
| 1103 | alg_mkey = ca_list[j]->algorithm_mkey;
|
---|
| 1104 | }
|
---|
| 1105 |
|
---|
| 1106 | if (ca_list[j]->algorithm_auth) {
|
---|
| 1107 | if (alg_auth) {
|
---|
| 1108 | alg_auth &= ca_list[j]->algorithm_auth;
|
---|
| 1109 | if (!alg_auth) {
|
---|
| 1110 | found = 0;
|
---|
| 1111 | break;
|
---|
| 1112 | }
|
---|
| 1113 | } else
|
---|
| 1114 | alg_auth = ca_list[j]->algorithm_auth;
|
---|
| 1115 | }
|
---|
| 1116 |
|
---|
| 1117 | if (ca_list[j]->algorithm_enc) {
|
---|
| 1118 | if (alg_enc) {
|
---|
| 1119 | alg_enc &= ca_list[j]->algorithm_enc;
|
---|
| 1120 | if (!alg_enc) {
|
---|
| 1121 | found = 0;
|
---|
| 1122 | break;
|
---|
| 1123 | }
|
---|
| 1124 | } else
|
---|
| 1125 | alg_enc = ca_list[j]->algorithm_enc;
|
---|
| 1126 | }
|
---|
| 1127 |
|
---|
| 1128 | if (ca_list[j]->algorithm_mac) {
|
---|
| 1129 | if (alg_mac) {
|
---|
| 1130 | alg_mac &= ca_list[j]->algorithm_mac;
|
---|
| 1131 | if (!alg_mac) {
|
---|
| 1132 | found = 0;
|
---|
| 1133 | break;
|
---|
| 1134 | }
|
---|
| 1135 | } else
|
---|
| 1136 | alg_mac = ca_list[j]->algorithm_mac;
|
---|
| 1137 | }
|
---|
| 1138 |
|
---|
| 1139 | if (ca_list[j]->algo_strength & SSL_STRONG_MASK) {
|
---|
| 1140 | if (algo_strength & SSL_STRONG_MASK) {
|
---|
| 1141 | algo_strength &=
|
---|
| 1142 | (ca_list[j]->algo_strength & SSL_STRONG_MASK) |
|
---|
| 1143 | ~SSL_STRONG_MASK;
|
---|
| 1144 | if (!(algo_strength & SSL_STRONG_MASK)) {
|
---|
| 1145 | found = 0;
|
---|
| 1146 | break;
|
---|
| 1147 | }
|
---|
| 1148 | } else
|
---|
| 1149 | algo_strength = ca_list[j]->algo_strength & SSL_STRONG_MASK;
|
---|
| 1150 | }
|
---|
| 1151 |
|
---|
| 1152 | if (ca_list[j]->algo_strength & SSL_DEFAULT_MASK) {
|
---|
| 1153 | if (algo_strength & SSL_DEFAULT_MASK) {
|
---|
| 1154 | algo_strength &=
|
---|
| 1155 | (ca_list[j]->algo_strength & SSL_DEFAULT_MASK) |
|
---|
| 1156 | ~SSL_DEFAULT_MASK;
|
---|
| 1157 | if (!(algo_strength & SSL_DEFAULT_MASK)) {
|
---|
| 1158 | found = 0;
|
---|
| 1159 | break;
|
---|
| 1160 | }
|
---|
| 1161 | } else
|
---|
| 1162 | algo_strength |=
|
---|
| 1163 | ca_list[j]->algo_strength & SSL_DEFAULT_MASK;
|
---|
| 1164 | }
|
---|
| 1165 |
|
---|
| 1166 | if (ca_list[j]->valid) {
|
---|
| 1167 | /*
|
---|
| 1168 | * explicit ciphersuite found; its protocol version does not
|
---|
| 1169 | * become part of the search pattern!
|
---|
| 1170 | */
|
---|
| 1171 |
|
---|
| 1172 | cipher_id = ca_list[j]->id;
|
---|
| 1173 | } else {
|
---|
| 1174 | /*
|
---|
| 1175 | * not an explicit ciphersuite; only in this case, the
|
---|
| 1176 | * protocol version is considered part of the search pattern
|
---|
| 1177 | */
|
---|
| 1178 |
|
---|
| 1179 | if (ca_list[j]->min_tls) {
|
---|
| 1180 | if (min_tls != 0 && min_tls != ca_list[j]->min_tls) {
|
---|
| 1181 | found = 0;
|
---|
| 1182 | break;
|
---|
| 1183 | } else {
|
---|
| 1184 | min_tls = ca_list[j]->min_tls;
|
---|
| 1185 | }
|
---|
| 1186 | }
|
---|
| 1187 | }
|
---|
| 1188 |
|
---|
| 1189 | if (!multi)
|
---|
| 1190 | break;
|
---|
| 1191 | }
|
---|
| 1192 |
|
---|
| 1193 | /*
|
---|
| 1194 | * Ok, we have the rule, now apply it
|
---|
| 1195 | */
|
---|
| 1196 | if (rule == CIPHER_SPECIAL) { /* special command */
|
---|
| 1197 | ok = 0;
|
---|
| 1198 | if ((buflen == 8) && strncmp(buf, "STRENGTH", 8) == 0)
|
---|
| 1199 | ok = ssl_cipher_strength_sort(head_p, tail_p);
|
---|
| 1200 | else if (buflen == 10 && strncmp(buf, "SECLEVEL=", 9) == 0) {
|
---|
| 1201 | int level = buf[9] - '0';
|
---|
| 1202 | if (level < 0 || level > 5) {
|
---|
| 1203 | SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
|
---|
| 1204 | SSL_R_INVALID_COMMAND);
|
---|
| 1205 | } else {
|
---|
| 1206 | c->sec_level = level;
|
---|
| 1207 | ok = 1;
|
---|
| 1208 | }
|
---|
| 1209 | } else
|
---|
| 1210 | SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR, SSL_R_INVALID_COMMAND);
|
---|
| 1211 | if (ok == 0)
|
---|
| 1212 | retval = 0;
|
---|
| 1213 | /*
|
---|
| 1214 | * We do not support any "multi" options
|
---|
| 1215 | * together with "@", so throw away the
|
---|
| 1216 | * rest of the command, if any left, until
|
---|
| 1217 | * end or ':' is found.
|
---|
| 1218 | */
|
---|
| 1219 | while ((*l != '\0') && !ITEM_SEP(*l))
|
---|
| 1220 | l++;
|
---|
| 1221 | } else if (found) {
|
---|
| 1222 | ssl_cipher_apply_rule(cipher_id,
|
---|
| 1223 | alg_mkey, alg_auth, alg_enc, alg_mac,
|
---|
| 1224 | min_tls, algo_strength, rule, -1, head_p,
|
---|
| 1225 | tail_p);
|
---|
| 1226 | } else {
|
---|
| 1227 | while ((*l != '\0') && !ITEM_SEP(*l))
|
---|
| 1228 | l++;
|
---|
| 1229 | }
|
---|
| 1230 | if (*l == '\0')
|
---|
| 1231 | break; /* done */
|
---|
| 1232 | }
|
---|
| 1233 |
|
---|
| 1234 | return (retval);
|
---|
| 1235 | }
|
---|
| 1236 |
|
---|
| 1237 | #ifndef OPENSSL_NO_EC
|
---|
| 1238 | static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
|
---|
| 1239 | const char **prule_str)
|
---|
| 1240 | {
|
---|
| 1241 | unsigned int suiteb_flags = 0, suiteb_comb2 = 0;
|
---|
| 1242 | if (strncmp(*prule_str, "SUITEB128ONLY", 13) == 0) {
|
---|
| 1243 | suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS_ONLY;
|
---|
| 1244 | } else if (strncmp(*prule_str, "SUITEB128C2", 11) == 0) {
|
---|
| 1245 | suiteb_comb2 = 1;
|
---|
| 1246 | suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;
|
---|
| 1247 | } else if (strncmp(*prule_str, "SUITEB128", 9) == 0) {
|
---|
| 1248 | suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;
|
---|
| 1249 | } else if (strncmp(*prule_str, "SUITEB192", 9) == 0) {
|
---|
| 1250 | suiteb_flags = SSL_CERT_FLAG_SUITEB_192_LOS;
|
---|
| 1251 | }
|
---|
| 1252 |
|
---|
| 1253 | if (suiteb_flags) {
|
---|
| 1254 | c->cert_flags &= ~SSL_CERT_FLAG_SUITEB_128_LOS;
|
---|
| 1255 | c->cert_flags |= suiteb_flags;
|
---|
| 1256 | } else
|
---|
| 1257 | suiteb_flags = c->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS;
|
---|
| 1258 |
|
---|
| 1259 | if (!suiteb_flags)
|
---|
| 1260 | return 1;
|
---|
| 1261 | /* Check version: if TLS 1.2 ciphers allowed we can use Suite B */
|
---|
| 1262 |
|
---|
| 1263 | if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS)) {
|
---|
| 1264 | SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST,
|
---|
| 1265 | SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE);
|
---|
| 1266 | return 0;
|
---|
| 1267 | }
|
---|
| 1268 | # ifndef OPENSSL_NO_EC
|
---|
| 1269 | switch (suiteb_flags) {
|
---|
| 1270 | case SSL_CERT_FLAG_SUITEB_128_LOS:
|
---|
| 1271 | if (suiteb_comb2)
|
---|
| 1272 | *prule_str = "ECDHE-ECDSA-AES256-GCM-SHA384";
|
---|
| 1273 | else
|
---|
| 1274 | *prule_str =
|
---|
| 1275 | "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384";
|
---|
| 1276 | break;
|
---|
| 1277 | case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
|
---|
| 1278 | *prule_str = "ECDHE-ECDSA-AES128-GCM-SHA256";
|
---|
| 1279 | break;
|
---|
| 1280 | case SSL_CERT_FLAG_SUITEB_192_LOS:
|
---|
| 1281 | *prule_str = "ECDHE-ECDSA-AES256-GCM-SHA384";
|
---|
| 1282 | break;
|
---|
| 1283 | }
|
---|
| 1284 | return 1;
|
---|
| 1285 | # else
|
---|
| 1286 | SSLerr(SSL_F_CHECK_SUITEB_CIPHER_LIST, SSL_R_ECDH_REQUIRED_FOR_SUITEB_MODE);
|
---|
| 1287 | return 0;
|
---|
| 1288 | # endif
|
---|
| 1289 | }
|
---|
| 1290 | #endif
|
---|
| 1291 |
|
---|
| 1292 | STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK_OF(SSL_CIPHER)
|
---|
| 1293 | **cipher_list, STACK_OF(SSL_CIPHER)
|
---|
| 1294 | **cipher_list_by_id,
|
---|
| 1295 | const char *rule_str, CERT *c)
|
---|
| 1296 | {
|
---|
| 1297 | int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
|
---|
| 1298 | uint32_t disabled_mkey, disabled_auth, disabled_enc, disabled_mac;
|
---|
| 1299 | STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
|
---|
| 1300 | const char *rule_p;
|
---|
| 1301 | CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
|
---|
| 1302 | const SSL_CIPHER **ca_list = NULL;
|
---|
| 1303 |
|
---|
| 1304 | /*
|
---|
| 1305 | * Return with error if nothing to do.
|
---|
| 1306 | */
|
---|
| 1307 | if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
|
---|
| 1308 | return NULL;
|
---|
| 1309 | #ifndef OPENSSL_NO_EC
|
---|
| 1310 | if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
|
---|
| 1311 | return NULL;
|
---|
| 1312 | #endif
|
---|
| 1313 |
|
---|
| 1314 | /*
|
---|
| 1315 | * To reduce the work to do we only want to process the compiled
|
---|
| 1316 | * in algorithms, so we first get the mask of disabled ciphers.
|
---|
| 1317 | */
|
---|
| 1318 |
|
---|
| 1319 | disabled_mkey = disabled_mkey_mask;
|
---|
| 1320 | disabled_auth = disabled_auth_mask;
|
---|
| 1321 | disabled_enc = disabled_enc_mask;
|
---|
| 1322 | disabled_mac = disabled_mac_mask;
|
---|
| 1323 |
|
---|
| 1324 | /*
|
---|
| 1325 | * Now we have to collect the available ciphers from the compiled
|
---|
| 1326 | * in ciphers. We cannot get more than the number compiled in, so
|
---|
| 1327 | * it is used for allocation.
|
---|
| 1328 | */
|
---|
| 1329 | num_of_ciphers = ssl_method->num_ciphers();
|
---|
| 1330 |
|
---|
| 1331 | co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
|
---|
| 1332 | if (co_list == NULL) {
|
---|
| 1333 | SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
|
---|
| 1334 | return (NULL); /* Failure */
|
---|
| 1335 | }
|
---|
| 1336 |
|
---|
| 1337 | ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
|
---|
| 1338 | disabled_mkey, disabled_auth, disabled_enc,
|
---|
| 1339 | disabled_mac, co_list, &head, &tail);
|
---|
| 1340 |
|
---|
| 1341 | /* Now arrange all ciphers by preference. */
|
---|
| 1342 |
|
---|
| 1343 | /*
|
---|
| 1344 | * Everything else being equal, prefer ephemeral ECDH over other key
|
---|
| 1345 | * exchange mechanisms.
|
---|
| 1346 | * For consistency, prefer ECDSA over RSA (though this only matters if the
|
---|
| 1347 | * server has both certificates, and is using the DEFAULT, or a client
|
---|
| 1348 | * preference).
|
---|
| 1349 | */
|
---|
| 1350 | ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, 0, 0, 0, 0, CIPHER_ADD,
|
---|
| 1351 | -1, &head, &tail);
|
---|
| 1352 | ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head,
|
---|
| 1353 | &tail);
|
---|
| 1354 | ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head,
|
---|
| 1355 | &tail);
|
---|
| 1356 |
|
---|
| 1357 | /* Within each strength group, we prefer GCM over CHACHA... */
|
---|
| 1358 | ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
|
---|
| 1359 | &head, &tail);
|
---|
| 1360 | ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
|
---|
| 1361 | &head, &tail);
|
---|
| 1362 |
|
---|
| 1363 | /*
|
---|
| 1364 | * ...and generally, our preferred cipher is AES.
|
---|
| 1365 | * Note that AEADs will be bumped to take preference after sorting by
|
---|
| 1366 | * strength.
|
---|
| 1367 | */
|
---|
| 1368 | ssl_cipher_apply_rule(0, 0, 0, SSL_AES ^ SSL_AESGCM, 0, 0, 0, CIPHER_ADD,
|
---|
| 1369 | -1, &head, &tail);
|
---|
| 1370 |
|
---|
| 1371 | /* Temporarily enable everything else for sorting */
|
---|
| 1372 | ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
|
---|
| 1373 |
|
---|
| 1374 | /* Low priority for MD5 */
|
---|
| 1375 | ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, &head,
|
---|
| 1376 | &tail);
|
---|
| 1377 |
|
---|
| 1378 | /*
|
---|
| 1379 | * Move anonymous ciphers to the end. Usually, these will remain
|
---|
| 1380 | * disabled. (For applications that allow them, they aren't too bad, but
|
---|
| 1381 | * we prefer authenticated ciphers.)
|
---|
| 1382 | */
|
---|
| 1383 | ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
|
---|
| 1384 | &tail);
|
---|
| 1385 |
|
---|
| 1386 | /*
|
---|
| 1387 | * ssl_cipher_apply_rule(0, 0, SSL_aDH, 0, 0, 0, 0, CIPHER_ORD, -1,
|
---|
| 1388 | * &head, &tail);
|
---|
| 1389 | */
|
---|
| 1390 | ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
|
---|
| 1391 | &tail);
|
---|
| 1392 | ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
|
---|
| 1393 | &tail);
|
---|
| 1394 |
|
---|
| 1395 | /* RC4 is sort-of broken -- move the the end */
|
---|
| 1396 | ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head,
|
---|
| 1397 | &tail);
|
---|
| 1398 |
|
---|
| 1399 | /*
|
---|
| 1400 | * Now sort by symmetric encryption strength. The above ordering remains
|
---|
| 1401 | * in force within each class
|
---|
| 1402 | */
|
---|
| 1403 | if (!ssl_cipher_strength_sort(&head, &tail)) {
|
---|
| 1404 | OPENSSL_free(co_list);
|
---|
| 1405 | return NULL;
|
---|
| 1406 | }
|
---|
| 1407 |
|
---|
| 1408 | /*
|
---|
| 1409 | * Partially overrule strength sort to prefer TLS 1.2 ciphers/PRFs.
|
---|
| 1410 | * TODO(openssl-team): is there an easier way to accomplish all this?
|
---|
| 1411 | */
|
---|
| 1412 | ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_2_VERSION, 0, CIPHER_BUMP, -1,
|
---|
| 1413 | &head, &tail);
|
---|
| 1414 |
|
---|
| 1415 | /*
|
---|
| 1416 | * Irrespective of strength, enforce the following order:
|
---|
| 1417 | * (EC)DHE + AEAD > (EC)DHE > rest of AEAD > rest.
|
---|
| 1418 | * Within each group, ciphers remain sorted by strength and previous
|
---|
| 1419 | * preference, i.e.,
|
---|
| 1420 | * 1) ECDHE > DHE
|
---|
| 1421 | * 2) GCM > CHACHA
|
---|
| 1422 | * 3) AES > rest
|
---|
| 1423 | * 4) TLS 1.2 > legacy
|
---|
| 1424 | *
|
---|
| 1425 | * Because we now bump ciphers to the top of the list, we proceed in
|
---|
| 1426 | * reverse order of preference.
|
---|
| 1427 | */
|
---|
| 1428 | ssl_cipher_apply_rule(0, 0, 0, 0, SSL_AEAD, 0, 0, CIPHER_BUMP, -1,
|
---|
| 1429 | &head, &tail);
|
---|
| 1430 | ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, 0, 0, 0,
|
---|
| 1431 | CIPHER_BUMP, -1, &head, &tail);
|
---|
| 1432 | ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, SSL_AEAD, 0, 0,
|
---|
| 1433 | CIPHER_BUMP, -1, &head, &tail);
|
---|
| 1434 |
|
---|
| 1435 | /* Now disable everything (maintaining the ordering!) */
|
---|
| 1436 | ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
|
---|
| 1437 |
|
---|
| 1438 | /*
|
---|
| 1439 | * We also need cipher aliases for selecting based on the rule_str.
|
---|
| 1440 | * There might be two types of entries in the rule_str: 1) names
|
---|
| 1441 | * of ciphers themselves 2) aliases for groups of ciphers.
|
---|
| 1442 | * For 1) we need the available ciphers and for 2) the cipher
|
---|
| 1443 | * groups of cipher_aliases added together in one list (otherwise
|
---|
| 1444 | * we would be happy with just the cipher_aliases table).
|
---|
| 1445 | */
|
---|
| 1446 | num_of_group_aliases = OSSL_NELEM(cipher_aliases);
|
---|
| 1447 | num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
|
---|
| 1448 | ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
|
---|
| 1449 | if (ca_list == NULL) {
|
---|
| 1450 | OPENSSL_free(co_list);
|
---|
| 1451 | SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
|
---|
| 1452 | return (NULL); /* Failure */
|
---|
| 1453 | }
|
---|
| 1454 | ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
|
---|
| 1455 | disabled_mkey, disabled_auth, disabled_enc,
|
---|
| 1456 | disabled_mac, head);
|
---|
| 1457 |
|
---|
| 1458 | /*
|
---|
| 1459 | * If the rule_string begins with DEFAULT, apply the default rule
|
---|
| 1460 | * before using the (possibly available) additional rules.
|
---|
| 1461 | */
|
---|
| 1462 | ok = 1;
|
---|
| 1463 | rule_p = rule_str;
|
---|
| 1464 | if (strncmp(rule_str, "DEFAULT", 7) == 0) {
|
---|
| 1465 | ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
|
---|
| 1466 | &head, &tail, ca_list, c);
|
---|
| 1467 | rule_p += 7;
|
---|
| 1468 | if (*rule_p == ':')
|
---|
| 1469 | rule_p++;
|
---|
| 1470 | }
|
---|
| 1471 |
|
---|
| 1472 | if (ok && (strlen(rule_p) > 0))
|
---|
| 1473 | ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list, c);
|
---|
| 1474 |
|
---|
| 1475 | OPENSSL_free(ca_list); /* Not needed anymore */
|
---|
| 1476 |
|
---|
| 1477 | if (!ok) { /* Rule processing failure */
|
---|
| 1478 | OPENSSL_free(co_list);
|
---|
| 1479 | return (NULL);
|
---|
| 1480 | }
|
---|
| 1481 |
|
---|
| 1482 | /*
|
---|
| 1483 | * Allocate new "cipherstack" for the result, return with error
|
---|
| 1484 | * if we cannot get one.
|
---|
| 1485 | */
|
---|
| 1486 | if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
|
---|
| 1487 | OPENSSL_free(co_list);
|
---|
| 1488 | return (NULL);
|
---|
| 1489 | }
|
---|
| 1490 |
|
---|
| 1491 | /*
|
---|
| 1492 | * The cipher selection for the list is done. The ciphers are added
|
---|
| 1493 | * to the resulting precedence to the STACK_OF(SSL_CIPHER).
|
---|
| 1494 | */
|
---|
| 1495 | for (curr = head; curr != NULL; curr = curr->next) {
|
---|
| 1496 | if (curr->active
|
---|
| 1497 | && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) {
|
---|
| 1498 | if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
|
---|
| 1499 | OPENSSL_free(co_list);
|
---|
| 1500 | sk_SSL_CIPHER_free(cipherstack);
|
---|
| 1501 | return NULL;
|
---|
| 1502 | }
|
---|
| 1503 | #ifdef CIPHER_DEBUG
|
---|
| 1504 | fprintf(stderr, "<%s>\n", curr->cipher->name);
|
---|
| 1505 | #endif
|
---|
| 1506 | }
|
---|
| 1507 | }
|
---|
| 1508 | OPENSSL_free(co_list); /* Not needed any longer */
|
---|
| 1509 |
|
---|
| 1510 | tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack);
|
---|
| 1511 | if (tmp_cipher_list == NULL) {
|
---|
| 1512 | sk_SSL_CIPHER_free(cipherstack);
|
---|
| 1513 | return NULL;
|
---|
| 1514 | }
|
---|
| 1515 | sk_SSL_CIPHER_free(*cipher_list);
|
---|
| 1516 | *cipher_list = cipherstack;
|
---|
| 1517 | if (*cipher_list_by_id != NULL)
|
---|
| 1518 | sk_SSL_CIPHER_free(*cipher_list_by_id);
|
---|
| 1519 | *cipher_list_by_id = tmp_cipher_list;
|
---|
| 1520 | (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id, ssl_cipher_ptr_id_cmp);
|
---|
| 1521 |
|
---|
| 1522 | sk_SSL_CIPHER_sort(*cipher_list_by_id);
|
---|
| 1523 | return (cipherstack);
|
---|
| 1524 | }
|
---|
| 1525 |
|
---|
| 1526 | char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
|
---|
| 1527 | {
|
---|
| 1528 | const char *ver;
|
---|
| 1529 | const char *kx, *au, *enc, *mac;
|
---|
| 1530 | uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
|
---|
| 1531 | static const char *format = "%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n";
|
---|
| 1532 |
|
---|
| 1533 | if (buf == NULL) {
|
---|
| 1534 | len = 128;
|
---|
| 1535 | buf = OPENSSL_malloc(len);
|
---|
| 1536 | if (buf == NULL)
|
---|
| 1537 | return NULL;
|
---|
| 1538 | } else if (len < 128)
|
---|
| 1539 | return NULL;
|
---|
| 1540 |
|
---|
| 1541 | alg_mkey = cipher->algorithm_mkey;
|
---|
| 1542 | alg_auth = cipher->algorithm_auth;
|
---|
| 1543 | alg_enc = cipher->algorithm_enc;
|
---|
| 1544 | alg_mac = cipher->algorithm_mac;
|
---|
| 1545 |
|
---|
| 1546 | ver = ssl_protocol_to_string(cipher->min_tls);
|
---|
| 1547 |
|
---|
| 1548 | switch (alg_mkey) {
|
---|
| 1549 | case SSL_kRSA:
|
---|
| 1550 | kx = "RSA";
|
---|
| 1551 | break;
|
---|
| 1552 | case SSL_kDHE:
|
---|
| 1553 | kx = "DH";
|
---|
| 1554 | break;
|
---|
| 1555 | case SSL_kECDHE:
|
---|
| 1556 | kx = "ECDH";
|
---|
| 1557 | break;
|
---|
| 1558 | case SSL_kPSK:
|
---|
| 1559 | kx = "PSK";
|
---|
| 1560 | break;
|
---|
| 1561 | case SSL_kRSAPSK:
|
---|
| 1562 | kx = "RSAPSK";
|
---|
| 1563 | break;
|
---|
| 1564 | case SSL_kECDHEPSK:
|
---|
| 1565 | kx = "ECDHEPSK";
|
---|
| 1566 | break;
|
---|
| 1567 | case SSL_kDHEPSK:
|
---|
| 1568 | kx = "DHEPSK";
|
---|
| 1569 | break;
|
---|
| 1570 | case SSL_kSRP:
|
---|
| 1571 | kx = "SRP";
|
---|
| 1572 | break;
|
---|
| 1573 | case SSL_kGOST:
|
---|
| 1574 | kx = "GOST";
|
---|
| 1575 | break;
|
---|
| 1576 | default:
|
---|
| 1577 | kx = "unknown";
|
---|
| 1578 | }
|
---|
| 1579 |
|
---|
| 1580 | switch (alg_auth) {
|
---|
| 1581 | case SSL_aRSA:
|
---|
| 1582 | au = "RSA";
|
---|
| 1583 | break;
|
---|
| 1584 | case SSL_aDSS:
|
---|
| 1585 | au = "DSS";
|
---|
| 1586 | break;
|
---|
| 1587 | case SSL_aNULL:
|
---|
| 1588 | au = "None";
|
---|
| 1589 | break;
|
---|
| 1590 | case SSL_aECDSA:
|
---|
| 1591 | au = "ECDSA";
|
---|
| 1592 | break;
|
---|
| 1593 | case SSL_aPSK:
|
---|
| 1594 | au = "PSK";
|
---|
| 1595 | break;
|
---|
| 1596 | case SSL_aSRP:
|
---|
| 1597 | au = "SRP";
|
---|
| 1598 | break;
|
---|
| 1599 | case SSL_aGOST01:
|
---|
| 1600 | au = "GOST01";
|
---|
| 1601 | break;
|
---|
| 1602 | /* New GOST ciphersuites have both SSL_aGOST12 and SSL_aGOST01 bits */
|
---|
| 1603 | case (SSL_aGOST12 | SSL_aGOST01):
|
---|
| 1604 | au = "GOST12";
|
---|
| 1605 | break;
|
---|
| 1606 | default:
|
---|
| 1607 | au = "unknown";
|
---|
| 1608 | break;
|
---|
| 1609 | }
|
---|
| 1610 |
|
---|
| 1611 | switch (alg_enc) {
|
---|
| 1612 | case SSL_DES:
|
---|
| 1613 | enc = "DES(56)";
|
---|
| 1614 | break;
|
---|
| 1615 | case SSL_3DES:
|
---|
| 1616 | enc = "3DES(168)";
|
---|
| 1617 | break;
|
---|
| 1618 | case SSL_RC4:
|
---|
| 1619 | enc = "RC4(128)";
|
---|
| 1620 | break;
|
---|
| 1621 | case SSL_RC2:
|
---|
| 1622 | enc = "RC2(128)";
|
---|
| 1623 | break;
|
---|
| 1624 | case SSL_IDEA:
|
---|
| 1625 | enc = "IDEA(128)";
|
---|
| 1626 | break;
|
---|
| 1627 | case SSL_eNULL:
|
---|
| 1628 | enc = "None";
|
---|
| 1629 | break;
|
---|
| 1630 | case SSL_AES128:
|
---|
| 1631 | enc = "AES(128)";
|
---|
| 1632 | break;
|
---|
| 1633 | case SSL_AES256:
|
---|
| 1634 | enc = "AES(256)";
|
---|
| 1635 | break;
|
---|
| 1636 | case SSL_AES128GCM:
|
---|
| 1637 | enc = "AESGCM(128)";
|
---|
| 1638 | break;
|
---|
| 1639 | case SSL_AES256GCM:
|
---|
| 1640 | enc = "AESGCM(256)";
|
---|
| 1641 | break;
|
---|
| 1642 | case SSL_AES128CCM:
|
---|
| 1643 | enc = "AESCCM(128)";
|
---|
| 1644 | break;
|
---|
| 1645 | case SSL_AES256CCM:
|
---|
| 1646 | enc = "AESCCM(256)";
|
---|
| 1647 | break;
|
---|
| 1648 | case SSL_AES128CCM8:
|
---|
| 1649 | enc = "AESCCM8(128)";
|
---|
| 1650 | break;
|
---|
| 1651 | case SSL_AES256CCM8:
|
---|
| 1652 | enc = "AESCCM8(256)";
|
---|
| 1653 | break;
|
---|
| 1654 | case SSL_CAMELLIA128:
|
---|
| 1655 | enc = "Camellia(128)";
|
---|
| 1656 | break;
|
---|
| 1657 | case SSL_CAMELLIA256:
|
---|
| 1658 | enc = "Camellia(256)";
|
---|
| 1659 | break;
|
---|
| 1660 | case SSL_SEED:
|
---|
| 1661 | enc = "SEED(128)";
|
---|
| 1662 | break;
|
---|
| 1663 | case SSL_eGOST2814789CNT:
|
---|
| 1664 | case SSL_eGOST2814789CNT12:
|
---|
| 1665 | enc = "GOST89(256)";
|
---|
| 1666 | break;
|
---|
| 1667 | case SSL_CHACHA20POLY1305:
|
---|
| 1668 | enc = "CHACHA20/POLY1305(256)";
|
---|
| 1669 | break;
|
---|
| 1670 | default:
|
---|
| 1671 | enc = "unknown";
|
---|
| 1672 | break;
|
---|
| 1673 | }
|
---|
| 1674 |
|
---|
| 1675 | switch (alg_mac) {
|
---|
| 1676 | case SSL_MD5:
|
---|
| 1677 | mac = "MD5";
|
---|
| 1678 | break;
|
---|
| 1679 | case SSL_SHA1:
|
---|
| 1680 | mac = "SHA1";
|
---|
| 1681 | break;
|
---|
| 1682 | case SSL_SHA256:
|
---|
| 1683 | mac = "SHA256";
|
---|
| 1684 | break;
|
---|
| 1685 | case SSL_SHA384:
|
---|
| 1686 | mac = "SHA384";
|
---|
| 1687 | break;
|
---|
| 1688 | case SSL_AEAD:
|
---|
| 1689 | mac = "AEAD";
|
---|
| 1690 | break;
|
---|
| 1691 | case SSL_GOST89MAC:
|
---|
| 1692 | case SSL_GOST89MAC12:
|
---|
| 1693 | mac = "GOST89";
|
---|
| 1694 | break;
|
---|
| 1695 | case SSL_GOST94:
|
---|
| 1696 | mac = "GOST94";
|
---|
| 1697 | break;
|
---|
| 1698 | case SSL_GOST12_256:
|
---|
| 1699 | case SSL_GOST12_512:
|
---|
| 1700 | mac = "GOST2012";
|
---|
| 1701 | break;
|
---|
| 1702 | default:
|
---|
| 1703 | mac = "unknown";
|
---|
| 1704 | break;
|
---|
| 1705 | }
|
---|
| 1706 |
|
---|
| 1707 | BIO_snprintf(buf, len, format, cipher->name, ver, kx, au, enc, mac);
|
---|
| 1708 |
|
---|
| 1709 | return (buf);
|
---|
| 1710 | }
|
---|
| 1711 |
|
---|
| 1712 | const char *SSL_CIPHER_get_version(const SSL_CIPHER *c)
|
---|
| 1713 | {
|
---|
| 1714 | if (c == NULL)
|
---|
| 1715 | return "(NONE)";
|
---|
| 1716 |
|
---|
| 1717 | /*
|
---|
| 1718 | * Backwards-compatibility crutch. In almost all contexts we report TLS
|
---|
| 1719 | * 1.0 as "TLSv1", but for ciphers we report "TLSv1.0".
|
---|
| 1720 | */
|
---|
| 1721 | if (c->min_tls == TLS1_VERSION)
|
---|
| 1722 | return "TLSv1.0";
|
---|
| 1723 | return ssl_protocol_to_string(c->min_tls);
|
---|
| 1724 | }
|
---|
| 1725 |
|
---|
| 1726 | /* return the actual cipher being used */
|
---|
| 1727 | const char *SSL_CIPHER_get_name(const SSL_CIPHER *c)
|
---|
| 1728 | {
|
---|
| 1729 | if (c != NULL)
|
---|
| 1730 | return (c->name);
|
---|
| 1731 | return ("(NONE)");
|
---|
| 1732 | }
|
---|
| 1733 |
|
---|
| 1734 | /* number of bits for symmetric cipher */
|
---|
| 1735 | int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits)
|
---|
| 1736 | {
|
---|
| 1737 | int ret = 0;
|
---|
| 1738 |
|
---|
| 1739 | if (c != NULL) {
|
---|
| 1740 | if (alg_bits != NULL)
|
---|
| 1741 | *alg_bits = (int)c->alg_bits;
|
---|
| 1742 | ret = (int)c->strength_bits;
|
---|
| 1743 | }
|
---|
| 1744 | return ret;
|
---|
| 1745 | }
|
---|
| 1746 |
|
---|
| 1747 | uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *c)
|
---|
| 1748 | {
|
---|
| 1749 | return c->id;
|
---|
| 1750 | }
|
---|
| 1751 |
|
---|
| 1752 | SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n)
|
---|
| 1753 | {
|
---|
| 1754 | SSL_COMP *ctmp;
|
---|
| 1755 | int i, nn;
|
---|
| 1756 |
|
---|
| 1757 | if ((n == 0) || (sk == NULL))
|
---|
| 1758 | return (NULL);
|
---|
| 1759 | nn = sk_SSL_COMP_num(sk);
|
---|
| 1760 | for (i = 0; i < nn; i++) {
|
---|
| 1761 | ctmp = sk_SSL_COMP_value(sk, i);
|
---|
| 1762 | if (ctmp->id == n)
|
---|
| 1763 | return (ctmp);
|
---|
| 1764 | }
|
---|
| 1765 | return (NULL);
|
---|
| 1766 | }
|
---|
| 1767 |
|
---|
| 1768 | #ifdef OPENSSL_NO_COMP
|
---|
| 1769 | STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void)
|
---|
| 1770 | {
|
---|
| 1771 | return NULL;
|
---|
| 1772 | }
|
---|
| 1773 |
|
---|
| 1774 | STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP)
|
---|
| 1775 | *meths)
|
---|
| 1776 | {
|
---|
| 1777 | return meths;
|
---|
| 1778 | }
|
---|
| 1779 |
|
---|
| 1780 | int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
|
---|
| 1781 | {
|
---|
| 1782 | return 1;
|
---|
| 1783 | }
|
---|
| 1784 |
|
---|
| 1785 | #else
|
---|
| 1786 | STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void)
|
---|
| 1787 | {
|
---|
| 1788 | load_builtin_compressions();
|
---|
| 1789 | return (ssl_comp_methods);
|
---|
| 1790 | }
|
---|
| 1791 |
|
---|
| 1792 | STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP)
|
---|
| 1793 | *meths)
|
---|
| 1794 | {
|
---|
| 1795 | STACK_OF(SSL_COMP) *old_meths = ssl_comp_methods;
|
---|
| 1796 | ssl_comp_methods = meths;
|
---|
| 1797 | return old_meths;
|
---|
| 1798 | }
|
---|
| 1799 |
|
---|
| 1800 | static void cmeth_free(SSL_COMP *cm)
|
---|
| 1801 | {
|
---|
| 1802 | OPENSSL_free(cm);
|
---|
| 1803 | }
|
---|
| 1804 |
|
---|
| 1805 | void ssl_comp_free_compression_methods_int(void)
|
---|
| 1806 | {
|
---|
| 1807 | STACK_OF(SSL_COMP) *old_meths = ssl_comp_methods;
|
---|
| 1808 | ssl_comp_methods = NULL;
|
---|
| 1809 | sk_SSL_COMP_pop_free(old_meths, cmeth_free);
|
---|
| 1810 | }
|
---|
| 1811 |
|
---|
| 1812 | int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
|
---|
| 1813 | {
|
---|
| 1814 | SSL_COMP *comp;
|
---|
| 1815 |
|
---|
| 1816 | if (cm == NULL || COMP_get_type(cm) == NID_undef)
|
---|
| 1817 | return 1;
|
---|
| 1818 |
|
---|
| 1819 | /*-
|
---|
| 1820 | * According to draft-ietf-tls-compression-04.txt, the
|
---|
| 1821 | * compression number ranges should be the following:
|
---|
| 1822 | *
|
---|
| 1823 | * 0 to 63: methods defined by the IETF
|
---|
| 1824 | * 64 to 192: external party methods assigned by IANA
|
---|
| 1825 | * 193 to 255: reserved for private use
|
---|
| 1826 | */
|
---|
| 1827 | if (id < 193 || id > 255) {
|
---|
| 1828 | SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,
|
---|
| 1829 | SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE);
|
---|
| 1830 | return 1;
|
---|
| 1831 | }
|
---|
| 1832 |
|
---|
| 1833 | CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE);
|
---|
| 1834 | comp = OPENSSL_malloc(sizeof(*comp));
|
---|
| 1835 | if (comp == NULL) {
|
---|
| 1836 | CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE);
|
---|
| 1837 | SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD, ERR_R_MALLOC_FAILURE);
|
---|
| 1838 | return (1);
|
---|
| 1839 | }
|
---|
| 1840 |
|
---|
| 1841 | comp->id = id;
|
---|
| 1842 | comp->method = cm;
|
---|
| 1843 | load_builtin_compressions();
|
---|
| 1844 | if (ssl_comp_methods && sk_SSL_COMP_find(ssl_comp_methods, comp) >= 0) {
|
---|
| 1845 | OPENSSL_free(comp);
|
---|
| 1846 | CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE);
|
---|
| 1847 | SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD,
|
---|
| 1848 | SSL_R_DUPLICATE_COMPRESSION_ID);
|
---|
| 1849 | return (1);
|
---|
| 1850 | }
|
---|
| 1851 | if (ssl_comp_methods == NULL || !sk_SSL_COMP_push(ssl_comp_methods, comp)) {
|
---|
| 1852 | OPENSSL_free(comp);
|
---|
| 1853 | CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE);
|
---|
| 1854 | SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD, ERR_R_MALLOC_FAILURE);
|
---|
| 1855 | return (1);
|
---|
| 1856 | }
|
---|
| 1857 | CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE);
|
---|
| 1858 | return (0);
|
---|
| 1859 | }
|
---|
| 1860 | #endif
|
---|
| 1861 |
|
---|
| 1862 | const char *SSL_COMP_get_name(const COMP_METHOD *comp)
|
---|
| 1863 | {
|
---|
| 1864 | #ifndef OPENSSL_NO_COMP
|
---|
| 1865 | return comp ? COMP_get_name(comp) : NULL;
|
---|
| 1866 | #else
|
---|
| 1867 | return NULL;
|
---|
| 1868 | #endif
|
---|
| 1869 | }
|
---|
| 1870 |
|
---|
| 1871 | const char *SSL_COMP_get0_name(const SSL_COMP *comp)
|
---|
| 1872 | {
|
---|
| 1873 | #ifndef OPENSSL_NO_COMP
|
---|
| 1874 | return comp->name;
|
---|
| 1875 | #else
|
---|
| 1876 | return NULL;
|
---|
| 1877 | #endif
|
---|
| 1878 | }
|
---|
| 1879 |
|
---|
| 1880 | int SSL_COMP_get_id(const SSL_COMP *comp)
|
---|
| 1881 | {
|
---|
| 1882 | #ifndef OPENSSL_NO_COMP
|
---|
| 1883 | return comp->id;
|
---|
| 1884 | #else
|
---|
| 1885 | return -1;
|
---|
| 1886 | #endif
|
---|
| 1887 | }
|
---|
| 1888 |
|
---|
| 1889 | /* For a cipher return the index corresponding to the certificate type */
|
---|
| 1890 | int ssl_cipher_get_cert_index(const SSL_CIPHER *c)
|
---|
| 1891 | {
|
---|
| 1892 | uint32_t alg_a;
|
---|
| 1893 |
|
---|
| 1894 | alg_a = c->algorithm_auth;
|
---|
| 1895 |
|
---|
| 1896 | if (alg_a & SSL_aECDSA)
|
---|
| 1897 | return SSL_PKEY_ECC;
|
---|
| 1898 | else if (alg_a & SSL_aDSS)
|
---|
| 1899 | return SSL_PKEY_DSA_SIGN;
|
---|
| 1900 | else if (alg_a & SSL_aRSA)
|
---|
| 1901 | return SSL_PKEY_RSA_ENC;
|
---|
| 1902 | else if (alg_a & SSL_aGOST12)
|
---|
| 1903 | return SSL_PKEY_GOST_EC;
|
---|
| 1904 | else if (alg_a & SSL_aGOST01)
|
---|
| 1905 | return SSL_PKEY_GOST01;
|
---|
| 1906 |
|
---|
| 1907 | return -1;
|
---|
| 1908 | }
|
---|
| 1909 |
|
---|
| 1910 | const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr)
|
---|
| 1911 | {
|
---|
| 1912 | const SSL_CIPHER *c = ssl->method->get_cipher_by_char(ptr);
|
---|
| 1913 |
|
---|
| 1914 | if (c == NULL || c->valid == 0)
|
---|
| 1915 | return NULL;
|
---|
| 1916 | return c;
|
---|
| 1917 | }
|
---|
| 1918 |
|
---|
| 1919 | const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr)
|
---|
| 1920 | {
|
---|
| 1921 | return ssl->method->get_cipher_by_char(ptr);
|
---|
| 1922 | }
|
---|
| 1923 |
|
---|
| 1924 | int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c)
|
---|
| 1925 | {
|
---|
| 1926 | int i;
|
---|
| 1927 | if (c == NULL)
|
---|
| 1928 | return NID_undef;
|
---|
| 1929 | i = ssl_cipher_info_lookup(ssl_cipher_table_cipher, c->algorithm_enc);
|
---|
| 1930 | if (i == -1)
|
---|
| 1931 | return NID_undef;
|
---|
| 1932 | return ssl_cipher_table_cipher[i].nid;
|
---|
| 1933 | }
|
---|
| 1934 |
|
---|
| 1935 | int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c)
|
---|
| 1936 | {
|
---|
| 1937 | int i = ssl_cipher_info_lookup(ssl_cipher_table_mac, c->algorithm_mac);
|
---|
| 1938 |
|
---|
| 1939 | if (i == -1)
|
---|
| 1940 | return NID_undef;
|
---|
| 1941 | return ssl_cipher_table_mac[i].nid;
|
---|
| 1942 | }
|
---|
| 1943 |
|
---|
| 1944 | int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c)
|
---|
| 1945 | {
|
---|
| 1946 | int i = ssl_cipher_info_lookup(ssl_cipher_table_kx, c->algorithm_mkey);
|
---|
| 1947 |
|
---|
| 1948 | if (i == -1)
|
---|
| 1949 | return NID_undef;
|
---|
| 1950 | return ssl_cipher_table_kx[i].nid;
|
---|
| 1951 | }
|
---|
| 1952 |
|
---|
| 1953 | int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c)
|
---|
| 1954 | {
|
---|
| 1955 | int i = ssl_cipher_info_lookup(ssl_cipher_table_auth, c->algorithm_auth);
|
---|
| 1956 |
|
---|
| 1957 | if (i == -1)
|
---|
| 1958 | return NID_undef;
|
---|
| 1959 | return ssl_cipher_table_auth[i].nid;
|
---|
| 1960 | }
|
---|
| 1961 |
|
---|
| 1962 | int SSL_CIPHER_is_aead(const SSL_CIPHER *c)
|
---|
| 1963 | {
|
---|
| 1964 | return (c->algorithm_mac & SSL_AEAD) ? 1 : 0;
|
---|
| 1965 | }
|
---|