GCC Code Coverage Report
Directory: ./ Exec Total Coverage
File: lib/libssl/ssl_ciph.c Lines: 466 586 79.5 %
Date: 2017-11-13 Branches: 275 433 63.5 %

Line Branch Exec Source
1
/* $OpenBSD: ssl_ciph.c,v 1.97 2017/08/28 16:37:04 jsing Exp $ */
2
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3
 * All rights reserved.
4
 *
5
 * This package is an SSL implementation written
6
 * by Eric Young (eay@cryptsoft.com).
7
 * The implementation was written so as to conform with Netscapes SSL.
8
 *
9
 * This library is free for commercial and non-commercial use as long as
10
 * the following conditions are aheared to.  The following conditions
11
 * apply to all code found in this distribution, be it the RC4, RSA,
12
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13
 * included with this distribution is covered by the same copyright terms
14
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15
 *
16
 * Copyright remains Eric Young's, and as such any Copyright notices in
17
 * the code are not to be removed.
18
 * If this package is used in a product, Eric Young should be given attribution
19
 * as the author of the parts of the library used.
20
 * This can be in the form of a textual message at program startup or
21
 * in documentation (online or textual) provided with the package.
22
 *
23
 * Redistribution and use in source and binary forms, with or without
24
 * modification, are permitted provided that the following conditions
25
 * are met:
26
 * 1. Redistributions of source code must retain the copyright
27
 *    notice, this list of conditions and the following disclaimer.
28
 * 2. Redistributions in binary form must reproduce the above copyright
29
 *    notice, this list of conditions and the following disclaimer in the
30
 *    documentation and/or other materials provided with the distribution.
31
 * 3. All advertising materials mentioning features or use of this software
32
 *    must display the following acknowledgement:
33
 *    "This product includes cryptographic software written by
34
 *     Eric Young (eay@cryptsoft.com)"
35
 *    The word 'cryptographic' can be left out if the rouines from the library
36
 *    being used are not cryptographic related :-).
37
 * 4. If you include any Windows specific code (or a derivative thereof) from
38
 *    the apps directory (application code) you must include an acknowledgement:
39
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40
 *
41
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51
 * SUCH DAMAGE.
52
 *
53
 * The licence and distribution terms for any publically available version or
54
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
55
 * copied and put under another distribution licence
56
 * [including the GNU Public Licence.]
57
 */
58
/* ====================================================================
59
 * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60
 *
61
 * Redistribution and use in source and binary forms, with or without
62
 * modification, are permitted provided that the following conditions
63
 * are met:
64
 *
65
 * 1. Redistributions of source code must retain the above copyright
66
 *    notice, this list of conditions and the following disclaimer.
67
 *
68
 * 2. Redistributions in binary form must reproduce the above copyright
69
 *    notice, this list of conditions and the following disclaimer in
70
 *    the documentation and/or other materials provided with the
71
 *    distribution.
72
 *
73
 * 3. All advertising materials mentioning features or use of this
74
 *    software must display the following acknowledgment:
75
 *    "This product includes software developed by the OpenSSL Project
76
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77
 *
78
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79
 *    endorse or promote products derived from this software without
80
 *    prior written permission. For written permission, please contact
81
 *    openssl-core@openssl.org.
82
 *
83
 * 5. Products derived from this software may not be called "OpenSSL"
84
 *    nor may "OpenSSL" appear in their names without prior written
85
 *    permission of the OpenSSL Project.
86
 *
87
 * 6. Redistributions of any form whatsoever must retain the following
88
 *    acknowledgment:
89
 *    "This product includes software developed by the OpenSSL Project
90
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91
 *
92
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103
 * OF THE POSSIBILITY OF SUCH DAMAGE.
104
 * ====================================================================
105
 *
106
 * This product includes cryptographic software written by Eric Young
107
 * (eay@cryptsoft.com).  This product includes software written by Tim
108
 * Hudson (tjh@cryptsoft.com).
109
 *
110
 */
111
/* ====================================================================
112
 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113
 * ECC cipher suite support in OpenSSL originally developed by
114
 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115
 */
116
/* ====================================================================
117
 * Copyright 2005 Nokia. All rights reserved.
118
 *
119
 * The portions of the attached software ("Contribution") is developed by
120
 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121
 * license.
122
 *
123
 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124
 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125
 * support (see RFC 4279) to OpenSSL.
126
 *
127
 * No patent licenses or other rights except those expressly stated in
128
 * the OpenSSL open source license shall be deemed granted or received
129
 * expressly, by implication, estoppel, or otherwise.
130
 *
131
 * No assurances are provided by Nokia that the Contribution does not
132
 * infringe the patent or other intellectual property rights of any third
133
 * party or that the license provides you with all the necessary rights
134
 * to make use of the Contribution.
135
 *
136
 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137
 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138
 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139
 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140
 * OTHERWISE.
141
 */
142
143
#include <stdio.h>
144
145
#include <openssl/objects.h>
146
147
#ifndef OPENSSL_NO_ENGINE
148
#include <openssl/engine.h>
149
#endif
150
151
#include "ssl_locl.h"
152
153
#define SSL_ENC_DES_IDX		0
154
#define SSL_ENC_3DES_IDX	1
155
#define SSL_ENC_RC4_IDX		2
156
#define SSL_ENC_IDEA_IDX	3
157
#define SSL_ENC_NULL_IDX	4
158
#define SSL_ENC_AES128_IDX	5
159
#define SSL_ENC_AES256_IDX	6
160
#define SSL_ENC_CAMELLIA128_IDX	7
161
#define SSL_ENC_CAMELLIA256_IDX	8
162
#define SSL_ENC_GOST89_IDX	9
163
#define SSL_ENC_AES128GCM_IDX	10
164
#define SSL_ENC_AES256GCM_IDX	11
165
#define SSL_ENC_NUM_IDX		12
166
167
168
static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX] = {
169
	NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
170
};
171
172
#define SSL_MD_MD5_IDX	0
173
#define SSL_MD_SHA1_IDX	1
174
#define SSL_MD_GOST94_IDX 2
175
#define SSL_MD_GOST89MAC_IDX 3
176
#define SSL_MD_SHA256_IDX 4
177
#define SSL_MD_SHA384_IDX 5
178
#define SSL_MD_STREEBOG256_IDX 6
179
/*Constant SSL_MAX_DIGEST equal to size of digests array should be
180
 * defined in the
181
 * ssl_locl.h */
182
#define SSL_MD_NUM_IDX	SSL_MAX_DIGEST
183
static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = {
184
	NULL, NULL, NULL, NULL, NULL, NULL, NULL,
185
};
186
187
static int  ssl_mac_pkey_id[SSL_MD_NUM_IDX] = {
188
	EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_GOSTIMIT,
189
	EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC,
190
};
191
192
static int ssl_mac_secret_size[SSL_MD_NUM_IDX] = {
193
	0, 0, 0, 0, 0, 0, 0,
194
};
195
196
#define CIPHER_ADD	1
197
#define CIPHER_KILL	2
198
#define CIPHER_DEL	3
199
#define CIPHER_ORD	4
200
#define CIPHER_SPECIAL	5
201
202
typedef struct cipher_order_st {
203
	const SSL_CIPHER *cipher;
204
	int active;
205
	int dead;
206
	struct cipher_order_st *next, *prev;
207
} CIPHER_ORDER;
208
209
static const SSL_CIPHER cipher_aliases[] = {
210
211
	/* "ALL" doesn't include eNULL (must be specifically enabled) */
212
	{
213
		.name = SSL_TXT_ALL,
214
		.algorithm_enc = ~SSL_eNULL,
215
	},
216
217
	/* "COMPLEMENTOFALL" */
218
	{
219
		.name = SSL_TXT_CMPALL,
220
		.algorithm_enc = SSL_eNULL,
221
	},
222
223
	/*
224
	 * "COMPLEMENTOFDEFAULT"
225
	 * (does *not* include ciphersuites not found in ALL!)
226
	 */
227
	{
228
		.name = SSL_TXT_CMPDEF,
229
		.algorithm_mkey = SSL_kDHE|SSL_kECDHE,
230
		.algorithm_auth = SSL_aNULL,
231
		.algorithm_enc = ~SSL_eNULL,
232
	},
233
234
	/*
235
	 * key exchange aliases
236
	 * (some of those using only a single bit here combine multiple key
237
	 * exchange algs according to the RFCs, e.g. kEDH combines DHE_DSS
238
	 * and DHE_RSA)
239
	 */
240
	{
241
		.name = SSL_TXT_kRSA,
242
		.algorithm_mkey = SSL_kRSA,
243
	},
244
	{
245
		.name = SSL_TXT_kEDH,
246
		.algorithm_mkey = SSL_kDHE,
247
	},
248
	{
249
		.name = SSL_TXT_DH,
250
		.algorithm_mkey = SSL_kDHE,
251
	},
252
	{
253
		.name = SSL_TXT_kEECDH,
254
		.algorithm_mkey = SSL_kECDHE,
255
	},
256
	{
257
		.name = SSL_TXT_ECDH,
258
		.algorithm_mkey = SSL_kECDHE,
259
	},
260
	{
261
		.name = SSL_TXT_kGOST,
262
		.algorithm_mkey = SSL_kGOST,
263
	},
264
265
	/* server authentication aliases */
266
	{
267
		.name = SSL_TXT_aRSA,
268
		.algorithm_auth = SSL_aRSA,
269
	},
270
	{
271
		.name = SSL_TXT_aDSS,
272
		.algorithm_auth = SSL_aDSS,
273
	},
274
	{
275
		.name = SSL_TXT_DSS,
276
		.algorithm_auth = SSL_aDSS,
277
	},
278
	{
279
		.name = SSL_TXT_aNULL,
280
		.algorithm_auth = SSL_aNULL,
281
	},
282
	{
283
		.name = SSL_TXT_aECDSA,
284
		.algorithm_auth = SSL_aECDSA,
285
	},
286
	{
287
		.name = SSL_TXT_ECDSA,
288
		.algorithm_auth = SSL_aECDSA,
289
	},
290
	{
291
		.name = SSL_TXT_aGOST01,
292
		.algorithm_auth = SSL_aGOST01,
293
	},
294
	{
295
		.name = SSL_TXT_aGOST,
296
		.algorithm_auth = SSL_aGOST01,
297
	},
298
299
	/* aliases combining key exchange and server authentication */
300
	{
301
		.name = SSL_TXT_DHE,
302
		.algorithm_mkey = SSL_kDHE,
303
		.algorithm_auth = ~SSL_aNULL,
304
	},
305
	{
306
		.name = SSL_TXT_EDH,
307
		.algorithm_mkey = SSL_kDHE,
308
		.algorithm_auth = ~SSL_aNULL,
309
	},
310
	{
311
		.name = SSL_TXT_ECDHE,
312
		.algorithm_mkey = SSL_kECDHE,
313
		.algorithm_auth = ~SSL_aNULL,
314
	},
315
	{
316
		.name = SSL_TXT_EECDH,
317
		.algorithm_mkey = SSL_kECDHE,
318
		.algorithm_auth = ~SSL_aNULL,
319
	},
320
	{
321
		.name = SSL_TXT_NULL,
322
		.algorithm_enc = SSL_eNULL,
323
	},
324
	{
325
		.name = SSL_TXT_RSA,
326
		.algorithm_mkey = SSL_kRSA,
327
		.algorithm_auth = SSL_aRSA,
328
	},
329
	{
330
		.name = SSL_TXT_ADH,
331
		.algorithm_mkey = SSL_kDHE,
332
		.algorithm_auth = SSL_aNULL,
333
	},
334
	{
335
		.name = SSL_TXT_AECDH,
336
		.algorithm_mkey = SSL_kECDHE,
337
		.algorithm_auth = SSL_aNULL,
338
	},
339
340
	/* symmetric encryption aliases */
341
	{
342
		.name = SSL_TXT_DES,
343
		.algorithm_enc = SSL_DES,
344
	},
345
	{
346
		.name = SSL_TXT_3DES,
347
		.algorithm_enc = SSL_3DES,
348
	},
349
	{
350
		.name = SSL_TXT_RC4,
351
		.algorithm_enc = SSL_RC4,
352
	},
353
	{
354
		.name = SSL_TXT_IDEA,
355
		.algorithm_enc = SSL_IDEA,
356
	},
357
	{
358
		.name = SSL_TXT_eNULL,
359
		.algorithm_enc = SSL_eNULL,
360
	},
361
	{
362
		.name = SSL_TXT_AES128,
363
		.algorithm_enc = SSL_AES128|SSL_AES128GCM,
364
	},
365
	{
366
		.name = SSL_TXT_AES256,
367
		.algorithm_enc = SSL_AES256|SSL_AES256GCM,
368
	},
369
	{
370
		.name = SSL_TXT_AES,
371
		.algorithm_enc = SSL_AES,
372
	},
373
	{
374
		.name = SSL_TXT_AES_GCM,
375
		.algorithm_enc = SSL_AES128GCM|SSL_AES256GCM,
376
	},
377
	{
378
		.name = SSL_TXT_CAMELLIA128,
379
		.algorithm_enc = SSL_CAMELLIA128,
380
	},
381
	{
382
		.name = SSL_TXT_CAMELLIA256,
383
		.algorithm_enc = SSL_CAMELLIA256,
384
	},
385
	{
386
		.name = SSL_TXT_CAMELLIA,
387
		.algorithm_enc = SSL_CAMELLIA128|SSL_CAMELLIA256,
388
	},
389
	{
390
		.name = SSL_TXT_CHACHA20,
391
		.algorithm_enc = SSL_CHACHA20POLY1305,
392
	},
393
394
	/* MAC aliases */
395
	{
396
		.name = SSL_TXT_AEAD,
397
		.algorithm_mac = SSL_AEAD,
398
	},
399
	{
400
		.name = SSL_TXT_MD5,
401
		.algorithm_mac = SSL_MD5,
402
	},
403
	{
404
		.name = SSL_TXT_SHA1,
405
		.algorithm_mac = SSL_SHA1,
406
	},
407
	{
408
		.name = SSL_TXT_SHA,
409
		.algorithm_mac = SSL_SHA1,
410
	},
411
	{
412
		.name = SSL_TXT_GOST94,
413
		.algorithm_mac = SSL_GOST94,
414
	},
415
	{
416
		.name = SSL_TXT_GOST89MAC,
417
		.algorithm_mac = SSL_GOST89MAC,
418
	},
419
	{
420
		.name = SSL_TXT_SHA256,
421
		.algorithm_mac = SSL_SHA256,
422
	},
423
	{
424
		.name = SSL_TXT_SHA384,
425
		.algorithm_mac = SSL_SHA384,
426
	},
427
	{
428
		.name = SSL_TXT_STREEBOG256,
429
		.algorithm_mac = SSL_STREEBOG256,
430
	},
431
432
	/* protocol version aliases */
433
	{
434
		.name = SSL_TXT_SSLV3,
435
		.algorithm_ssl = SSL_SSLV3,
436
	},
437
	{
438
		.name = SSL_TXT_TLSV1,
439
		.algorithm_ssl = SSL_TLSV1,
440
	},
441
	{
442
		.name = SSL_TXT_TLSV1_2,
443
		.algorithm_ssl = SSL_TLSV1_2,
444
	},
445
446
	/* strength classes */
447
	{
448
		.name = SSL_TXT_LOW,
449
		.algo_strength = SSL_LOW,
450
	},
451
	{
452
		.name = SSL_TXT_MEDIUM,
453
		.algo_strength = SSL_MEDIUM,
454
	},
455
	{
456
		.name = SSL_TXT_HIGH,
457
		.algo_strength = SSL_HIGH,
458
	},
459
};
460
461
void
462
ssl_load_ciphers(void)
463
{
464
2877
	ssl_cipher_methods[SSL_ENC_DES_IDX] =
465
5754
	    EVP_get_cipherbyname(SN_des_cbc);
466
2877
	ssl_cipher_methods[SSL_ENC_3DES_IDX] =
467
2877
	    EVP_get_cipherbyname(SN_des_ede3_cbc);
468
2877
	ssl_cipher_methods[SSL_ENC_RC4_IDX] =
469
2877
	    EVP_get_cipherbyname(SN_rc4);
470
2877
	ssl_cipher_methods[SSL_ENC_IDEA_IDX] = NULL;
471
2877
	ssl_cipher_methods[SSL_ENC_AES128_IDX] =
472
2877
	    EVP_get_cipherbyname(SN_aes_128_cbc);
473
2877
	ssl_cipher_methods[SSL_ENC_AES256_IDX] =
474
2877
	    EVP_get_cipherbyname(SN_aes_256_cbc);
475
2877
	ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] =
476
2877
	    EVP_get_cipherbyname(SN_camellia_128_cbc);
477
2877
	ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] =
478
2877
	    EVP_get_cipherbyname(SN_camellia_256_cbc);
479
2877
	ssl_cipher_methods[SSL_ENC_GOST89_IDX] =
480
2877
	    EVP_get_cipherbyname(SN_gost89_cnt);
481
482
2877
	ssl_cipher_methods[SSL_ENC_AES128GCM_IDX] =
483
2877
	    EVP_get_cipherbyname(SN_aes_128_gcm);
484
2877
	ssl_cipher_methods[SSL_ENC_AES256GCM_IDX] =
485
2877
	    EVP_get_cipherbyname(SN_aes_256_gcm);
486
487
2877
	ssl_digest_methods[SSL_MD_MD5_IDX] =
488
2877
	    EVP_get_digestbyname(SN_md5);
489
2877
	ssl_mac_secret_size[SSL_MD_MD5_IDX] =
490
2877
	    EVP_MD_size(ssl_digest_methods[SSL_MD_MD5_IDX]);
491
2877
	OPENSSL_assert(ssl_mac_secret_size[SSL_MD_MD5_IDX] >= 0);
492
2877
	ssl_digest_methods[SSL_MD_SHA1_IDX] =
493
2877
	    EVP_get_digestbyname(SN_sha1);
494
2877
	ssl_mac_secret_size[SSL_MD_SHA1_IDX] =
495
2877
	    EVP_MD_size(ssl_digest_methods[SSL_MD_SHA1_IDX]);
496
2877
	OPENSSL_assert(ssl_mac_secret_size[SSL_MD_SHA1_IDX] >= 0);
497
2877
	ssl_digest_methods[SSL_MD_GOST94_IDX] =
498
2877
	    EVP_get_digestbyname(SN_id_GostR3411_94);
499
2877
	if (ssl_digest_methods[SSL_MD_GOST94_IDX]) {
500
2877
		ssl_mac_secret_size[SSL_MD_GOST94_IDX] =
501
2877
		    EVP_MD_size(ssl_digest_methods[SSL_MD_GOST94_IDX]);
502
2877
		OPENSSL_assert(ssl_mac_secret_size[SSL_MD_GOST94_IDX] >= 0);
503
	}
504
2877
	ssl_digest_methods[SSL_MD_GOST89MAC_IDX] =
505
2877
	    EVP_get_digestbyname(SN_id_Gost28147_89_MAC);
506
2877
	if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]) {
507
2877
		ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32;
508
2877
	}
509
510
2877
	ssl_digest_methods[SSL_MD_SHA256_IDX] =
511
2877
	    EVP_get_digestbyname(SN_sha256);
512
2877
	ssl_mac_secret_size[SSL_MD_SHA256_IDX] =
513
2877
	    EVP_MD_size(ssl_digest_methods[SSL_MD_SHA256_IDX]);
514
2877
	ssl_digest_methods[SSL_MD_SHA384_IDX] =
515
2877
	    EVP_get_digestbyname(SN_sha384);
516
2877
	ssl_mac_secret_size[SSL_MD_SHA384_IDX] =
517
2877
	    EVP_MD_size(ssl_digest_methods[SSL_MD_SHA384_IDX]);
518
2877
	ssl_digest_methods[SSL_MD_STREEBOG256_IDX] =
519
2877
	    EVP_get_digestbyname(SN_id_tc26_gost3411_2012_256);
520
2877
	ssl_mac_secret_size[SSL_MD_STREEBOG256_IDX] =
521
2877
	    EVP_MD_size(ssl_digest_methods[SSL_MD_STREEBOG256_IDX]);
522
2877
}
523
524
int
525
ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
526
    const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size)
527
{
528
	const SSL_CIPHER *c;
529
	int i;
530
531
492
	c = s->cipher;
532
246
	if (c == NULL)
533
		return (0);
534
535
	/*
536
	 * This function does not handle EVP_AEAD.
537
	 * See ssl_cipher_get_aead_evp instead.
538
	 */
539
246
	if (c->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD)
540
		return(0);
541
542
246
	if ((enc == NULL) || (md == NULL))
543
		return (0);
544
545



246
	switch (c->algorithm_enc) {
546
	case SSL_DES:
547
		i = SSL_ENC_DES_IDX;
548
6
		break;
549
	case SSL_3DES:
550
		i = SSL_ENC_3DES_IDX;
551
6
		break;
552
	case SSL_RC4:
553
		i = SSL_ENC_RC4_IDX;
554
		break;
555
	case SSL_IDEA:
556
		i = SSL_ENC_IDEA_IDX;
557
		break;
558
	case SSL_eNULL:
559
		i = SSL_ENC_NULL_IDX;
560
18
		break;
561
	case SSL_AES128:
562
		i = SSL_ENC_AES128_IDX;
563
24
		break;
564
	case SSL_AES256:
565
		i = SSL_ENC_AES256_IDX;
566
156
		break;
567
	case SSL_CAMELLIA128:
568
		i = SSL_ENC_CAMELLIA128_IDX;
569
18
		break;
570
	case SSL_CAMELLIA256:
571
		i = SSL_ENC_CAMELLIA256_IDX;
572
18
		break;
573
	case SSL_eGOST2814789CNT:
574
		i = SSL_ENC_GOST89_IDX;
575
		break;
576
	case SSL_AES128GCM:
577
		i = SSL_ENC_AES128GCM_IDX;
578
		break;
579
	case SSL_AES256GCM:
580
		i = SSL_ENC_AES256GCM_IDX;
581
		break;
582
	default:
583
		i = -1;
584
		break;
585
	}
586
587
246
	if ((i < 0) || (i >= SSL_ENC_NUM_IDX))
588
		*enc = NULL;
589
	else {
590
246
		if (i == SSL_ENC_NULL_IDX)
591
18
			*enc = EVP_enc_null();
592
		else
593
228
			*enc = ssl_cipher_methods[i];
594
	}
595
596


246
	switch (c->algorithm_mac) {
597
	case SSL_MD5:
598
		i = SSL_MD_MD5_IDX;
599
6
		break;
600
	case SSL_SHA1:
601
		i = SSL_MD_SHA1_IDX;
602
174
		break;
603
	case SSL_SHA256:
604
		i = SSL_MD_SHA256_IDX;
605
60
		break;
606
	case SSL_SHA384:
607
		i = SSL_MD_SHA384_IDX;
608
6
		break;
609
	case SSL_GOST94:
610
		i = SSL_MD_GOST94_IDX;
611
		break;
612
	case SSL_GOST89MAC:
613
		i = SSL_MD_GOST89MAC_IDX;
614
		break;
615
	case SSL_STREEBOG256:
616
		i = SSL_MD_STREEBOG256_IDX;
617
		break;
618
	default:
619
		i = -1;
620
		break;
621
	}
622
246
	if ((i < 0) || (i >= SSL_MD_NUM_IDX)) {
623
		*md = NULL;
624
625
		if (mac_pkey_type != NULL)
626
			*mac_pkey_type = NID_undef;
627
		if (mac_secret_size != NULL)
628
			*mac_secret_size = 0;
629
		if (c->algorithm_mac == SSL_AEAD)
630
			mac_pkey_type = NULL;
631
	} else {
632
246
		*md = ssl_digest_methods[i];
633
246
		if (mac_pkey_type != NULL)
634
246
			*mac_pkey_type = ssl_mac_pkey_id[i];
635
246
		if (mac_secret_size != NULL)
636
246
			*mac_secret_size = ssl_mac_secret_size[i];
637
	}
638
639

492
	if ((*enc != NULL) &&
640

246
	    (*md != NULL || (EVP_CIPHER_flags(*enc)&EVP_CIPH_FLAG_AEAD_CIPHER)) &&
641
492
	    (!mac_pkey_type || *mac_pkey_type != NID_undef)) {
642
		const EVP_CIPHER *evp;
643
644

420
		if (s->ssl_version >> 8 != TLS1_VERSION_MAJOR ||
645
174
		    s->ssl_version < TLS1_VERSION)
646
72
			return 1;
647
648

174
		if (c->algorithm_enc == SSL_RC4 &&
649
		    c->algorithm_mac == SSL_MD5 &&
650
		    (evp = EVP_get_cipherbyname("RC4-HMAC-MD5")))
651
			*enc = evp, *md = NULL;
652

174
		else if (c->algorithm_enc == SSL_AES128 &&
653
18
		    c->algorithm_mac == SSL_SHA1 &&
654
		    (evp = EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1")))
655
			*enc = evp, *md = NULL;
656

282
		else if (c->algorithm_enc == SSL_AES256 &&
657
126
		    c->algorithm_mac == SSL_SHA1 &&
658
108
		    (evp = EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1")))
659
108
			*enc = evp, *md = NULL;
660
174
		return (1);
661
	} else
662
		return (0);
663
246
}
664
665
/*
666
 * ssl_cipher_get_evp_aead sets aead to point to the correct EVP_AEAD object
667
 * for s->cipher. It returns 1 on success and 0 on error.
668
 */
669
int
670
ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead)
671
{
672
31634
	const SSL_CIPHER *c = s->cipher;
673
674
15817
	*aead = NULL;
675
676
15817
	if (c == NULL)
677
		return 0;
678
15817
	if ((c->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD) == 0)
679
		return 0;
680
681

15817
	switch (c->algorithm_enc) {
682
#ifndef OPENSSL_NO_AES
683
	case SSL_AES128GCM:
684
18
		*aead = EVP_aead_aes_128_gcm();
685
18
		return 1;
686
	case SSL_AES256GCM:
687
15787
		*aead = EVP_aead_aes_256_gcm();
688
15787
		return 1;
689
#endif
690
	case SSL_CHACHA20POLY1305:
691
12
		*aead = EVP_aead_chacha20_poly1305();
692
12
		return 1;
693
	default:
694
		break;
695
	}
696
	return 0;
697
15817
}
698
699
int
700
ssl_get_handshake_evp_md(SSL *s, const EVP_MD **md)
701
{
702
167322
	*md = NULL;
703
704

83661
	switch (ssl_get_algorithm2(s) & SSL_HANDSHAKE_MAC_MASK) {
705
	case SSL_HANDSHAKE_MAC_DEFAULT:
706
1395
		*md = EVP_md5_sha1();
707
1395
		return 1;
708
	case SSL_HANDSHAKE_MAC_GOST94:
709
384
		*md = EVP_gostr341194();
710
384
		return 1;
711
	case SSL_HANDSHAKE_MAC_SHA256:
712
924
		*md = EVP_sha256();
713
924
		return 1;
714
	case SSL_HANDSHAKE_MAC_SHA384:
715
80574
		*md = EVP_sha384();
716
80574
		return 1;
717
	case SSL_HANDSHAKE_MAC_STREEBOG256:
718
384
		*md = EVP_streebog256();
719
384
		return 1;
720
	default:
721
		break;
722
	}
723
724
	return 0;
725
83661
}
726
727
#define ITEM_SEP(a) \
728
	(((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
729
730
static void
731
ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
732
    CIPHER_ORDER **tail)
733
{
734
573542
	if (curr == *tail)
735
		return;
736
286612
	if (curr == *head)
737
114247
		*head = curr->next;
738
286612
	if (curr->prev != NULL)
739
172365
		curr->prev->next = curr->next;
740
286612
	if (curr->next != NULL)
741
286612
		curr->next->prev = curr->prev;
742
286612
	(*tail)->next = curr;
743
286612
	curr->prev= *tail;
744
286612
	curr->next = NULL;
745
286612
	*tail = curr;
746
573383
}
747
748
static void
749
ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
750
    CIPHER_ORDER **tail)
751
{
752
212392
	if (curr == *head)
753
		return;
754
106196
	if (curr == *tail)
755
106196
		*tail = curr->prev;
756
106196
	if (curr->next != NULL)
757
		curr->next->prev = curr->prev;
758
106196
	if (curr->prev != NULL)
759
106196
		curr->prev->next = curr->next;
760
106196
	(*head)->prev = curr;
761
106196
	curr->next= *head;
762
106196
	curr->prev = NULL;
763
106196
	*head = curr;
764
212392
}
765
766
static void
767
ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth,
768
    unsigned long *enc, unsigned long *mac, unsigned long *ssl)
769
{
770
2218
	*mkey = 0;
771
1109
	*auth = 0;
772
1109
	*enc = 0;
773
1109
	*mac = 0;
774
1109
	*ssl = 0;
775
776
	/*
777
	 * Check for the availability of GOST 34.10 public/private key
778
	 * algorithms. If they are not available disable the associated
779
	 * authentication and key exchange algorithms.
780
	 */
781
1109
	if (EVP_PKEY_meth_find(NID_id_GostR3410_2001) == NULL) {
782
		*auth |= SSL_aGOST01;
783
		*mkey |= SSL_kGOST;
784
	}
785
786
#ifdef SSL_FORBID_ENULL
787
	*enc |= SSL_eNULL;
788
#endif
789
790
1109
	*enc |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES : 0;
791
1109
	*enc |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES : 0;
792
1109
	*enc |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 : 0;
793
1109
	*enc |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA : 0;
794
1109
	*enc |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES128 : 0;
795
1109
	*enc |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES256 : 0;
796
1109
	*enc |= (ssl_cipher_methods[SSL_ENC_AES128GCM_IDX] == NULL) ? SSL_AES128GCM : 0;
797
1109
	*enc |= (ssl_cipher_methods[SSL_ENC_AES256GCM_IDX] == NULL) ? SSL_AES256GCM : 0;
798
1109
	*enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA128 : 0;
799
1109
	*enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA256 : 0;
800
1109
	*enc |= (ssl_cipher_methods[SSL_ENC_GOST89_IDX] == NULL) ? SSL_eGOST2814789CNT : 0;
801
802
1109
	*mac |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 : 0;
803
1109
	*mac |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1 : 0;
804
1109
	*mac |= (ssl_digest_methods[SSL_MD_SHA256_IDX] == NULL) ? SSL_SHA256 : 0;
805
1109
	*mac |= (ssl_digest_methods[SSL_MD_SHA384_IDX] == NULL) ? SSL_SHA384 : 0;
806
1109
	*mac |= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94 : 0;
807
1109
	*mac |= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL) ? SSL_GOST89MAC : 0;
808
1109
	*mac |= (ssl_digest_methods[SSL_MD_STREEBOG256_IDX] == NULL) ? SSL_STREEBOG256 : 0;
809
1109
}
810
811
static void
812
ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, int num_of_ciphers,
813
    unsigned long disabled_mkey, unsigned long disabled_auth,
814
    unsigned long disabled_enc, unsigned long disabled_mac,
815
    unsigned long disabled_ssl, CIPHER_ORDER *co_list,
816
    CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
817
{
818
	int i, co_list_num;
819
	const SSL_CIPHER *c;
820
821
	/*
822
	 * We have num_of_ciphers descriptions compiled in, depending on the
823
	 * method selected (SSLv3, TLSv1, etc). These will later be sorted in
824
	 * a linked list with at most num entries.
825
	 */
826
827
	/* Get the initial list of ciphers */
828
	co_list_num = 0;	/* actual count of ciphers */
829
163023
	for (i = 0; i < num_of_ciphers; i++) {
830
79848
		c = ssl_method->get_cipher(i);
831
		/* drop those that use any of that is not available */
832

237708
		if ((c != NULL) && c->valid &&
833
78930
		    !(c->algorithm_mkey & disabled_mkey) &&
834
78930
		    !(c->algorithm_auth & disabled_auth) &&
835
78930
		    !(c->algorithm_enc & disabled_enc) &&
836
78930
		    !(c->algorithm_mac & disabled_mac) &&
837
78930
		    !(c->algorithm_ssl & disabled_ssl)) {
838
78930
			co_list[co_list_num].cipher = c;
839
78930
			co_list[co_list_num].next = NULL;
840
78930
			co_list[co_list_num].prev = NULL;
841
78930
			co_list[co_list_num].active = 0;
842
78930
			co_list_num++;
843
			/*
844
			if (!sk_push(ca_list,(char *)c)) goto err;
845
			*/
846
78930
		}
847
	}
848
849
	/*
850
	 * Prepare linked list from list entries
851
	 */
852
1109
	if (co_list_num > 0) {
853
1109
		co_list[0].prev = NULL;
854
855
1109
		if (co_list_num > 1) {
856
1109
			co_list[0].next = &co_list[1];
857
858
155642
			for (i = 1; i < co_list_num - 1; i++) {
859
76712
				co_list[i].prev = &co_list[i - 1];
860
76712
				co_list[i].next = &co_list[i + 1];
861
			}
862
863
1109
			co_list[co_list_num - 1].prev =
864
1109
			    &co_list[co_list_num - 2];
865
1109
		}
866
867
1109
		co_list[co_list_num - 1].next = NULL;
868
869
1109
		*head_p = &co_list[0];
870
1109
		*tail_p = &co_list[co_list_num - 1];
871
1109
	}
872
1109
}
873
874
static void
875
ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list, int num_of_group_aliases,
876
    unsigned long disabled_mkey, unsigned long disabled_auth,
877
    unsigned long disabled_enc, unsigned long disabled_mac,
878
    unsigned long disabled_ssl, CIPHER_ORDER *head)
879
{
880
	CIPHER_ORDER *ciph_curr;
881
	const SSL_CIPHER **ca_curr;
882
	int i;
883
2218
	unsigned long mask_mkey = ~disabled_mkey;
884
1109
	unsigned long mask_auth = ~disabled_auth;
885
1109
	unsigned long mask_enc = ~disabled_enc;
886
1109
	unsigned long mask_mac = ~disabled_mac;
887
1109
	unsigned long mask_ssl = ~disabled_ssl;
888
889
	/*
890
	 * First, add the real ciphers as already collected
891
	 */
892
	ciph_curr = head;
893
	ca_curr = ca_list;
894
160078
	while (ciph_curr != NULL) {
895
78930
		*ca_curr = ciph_curr->cipher;
896
78930
		ca_curr++;
897
78930
		ciph_curr = ciph_curr->next;
898
	}
899
900
	/*
901
	 * Now we add the available ones from the cipher_aliases[] table.
902
	 * They represent either one or more algorithms, some of which
903
	 * in any affected category must be supported (set in enabled_mask),
904
	 * or represent a cipher strength value (will be added in any case because algorithms=0).
905
	 */
906
119772
	for (i = 0; i < num_of_group_aliases; i++) {
907
58777
		unsigned long algorithm_mkey = cipher_aliases[i].algorithm_mkey;
908
58777
		unsigned long algorithm_auth = cipher_aliases[i].algorithm_auth;
909
58777
		unsigned long algorithm_enc = cipher_aliases[i].algorithm_enc;
910
58777
		unsigned long algorithm_mac = cipher_aliases[i].algorithm_mac;
911
58777
		unsigned long algorithm_ssl = cipher_aliases[i].algorithm_ssl;
912
913
58777
		if (algorithm_mkey)
914
15526
			if ((algorithm_mkey & mask_mkey) == 0)
915
				continue;
916
917
58777
		if (algorithm_auth)
918
17744
			if ((algorithm_auth & mask_auth) == 0)
919
				continue;
920
921
58777
		if (algorithm_enc)
922
18853
			if ((algorithm_enc & mask_enc) == 0)
923
1109
				continue;
924
925
57668
		if (algorithm_mac)
926
9981
			if ((algorithm_mac & mask_mac) == 0)
927
				continue;
928
929
57668
		if (algorithm_ssl)
930
3327
			if ((algorithm_ssl & mask_ssl) == 0)
931
				continue;
932
933
57668
		*ca_curr = (SSL_CIPHER *)(cipher_aliases + i);
934
57668
		ca_curr++;
935
57668
	}
936
937
1109
	*ca_curr = NULL;	/* end of list */
938
1109
}
939
940
static void
941
ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long alg_mkey,
942
    unsigned long alg_auth, unsigned long alg_enc, unsigned long alg_mac,
943
    unsigned long alg_ssl, unsigned long algo_strength,
944
    int rule, int strength_bits, CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
945
{
946
45880
	CIPHER_ORDER *head, *tail, *curr, *next, *last;
947
	const SSL_CIPHER *cp;
948
	int reverse = 0;
949
950
951
22940
	if (rule == CIPHER_DEL)
952
		reverse = 1; /* needed to maintain sorting between currently deleted ciphers */
953
954
22940
	head = *head_p;
955
22940
	tail = *tail_p;
956
957
22940
	if (reverse) {
958
		next = tail;
959
2218
		last = head;
960
2218
	} else {
961
20722
		next = head;
962
		last = tail;
963
	}
964
965
	curr = NULL;
966
482922
	for (;;) {
967
1634928
		if (curr == last)
968
			break;
969
		curr = next;
970
1611988
		next = reverse ? curr->prev : curr->next;
971
972
1611988
		cp = curr->cipher;
973
974
		/*
975
		 * Selection criteria is either the value of strength_bits
976
		 * or the algorithms used.
977
		 */
978
1611988
		if (strength_bits >= 0) {
979
394650
			if (strength_bits != cp->strength_bits)
980
315720
				continue;
981
		} else {
982
983

1691524
			if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
984
324251
				continue;
985

1108136
			if (alg_auth && !(alg_auth & cp->algorithm_auth))
986
139686
				continue;
987

1148019
			if (alg_enc && !(alg_enc & cp->algorithm_enc))
988
286634
				continue;
989

556613
			if (alg_mac && !(alg_mac & cp->algorithm_mac))
990
83205
				continue;
991

384507
			if (alg_ssl && !(alg_ssl & cp->algorithm_ssl))
992
210
				continue;
993

393614
			if ((algo_strength & SSL_STRONG_MASK) && !(algo_strength & SSL_STRONG_MASK & cp->algo_strength))
994
2300
				continue;
995
		}
996
997
998
		/* add the cipher if it has not been added yet. */
999
459982
		if (rule == CIPHER_ADD) {
1000
			/* reverse == 0 */
1001
205796
			if (!curr->active) {
1002
160881
				ll_append_tail(&head, curr, &tail);
1003
160881
				curr->active = 1;
1004
160881
			}
1005
		}
1006
		/* Move the added cipher to this location */
1007
254186
		else if (rule == CIPHER_ORD) {
1008
			/* reverse == 0 */
1009
125890
			if (curr->active) {
1010
125890
				ll_append_tail(&head, curr, &tail);
1011
125890
			}
1012
128296
		} else if (rule == CIPHER_DEL) {
1013
			/* reverse == 1 */
1014
106196
			if (curr->active) {
1015
				/* most recently deleted ciphersuites get best positions
1016
				 * for any future CIPHER_ADD (note that the CIPHER_DEL loop
1017
				 * works in reverse to maintain the order) */
1018
106196
				ll_append_head(&head, curr, &tail);
1019
106196
				curr->active = 0;
1020
106196
			}
1021
22100
		} else if (rule == CIPHER_KILL) {
1022
			/* reverse == 0 */
1023
22100
			if (head == curr)
1024
5753
				head = curr->next;
1025
			else
1026
16347
				curr->prev->next = curr->next;
1027
22100
			if (tail == curr)
1028
				tail = curr->prev;
1029
22100
			curr->active = 0;
1030
22100
			if (curr->next != NULL)
1031
22100
				curr->next->prev = curr->prev;
1032
22100
			if (curr->prev != NULL)
1033
16347
				curr->prev->next = curr->next;
1034
22100
			curr->next = NULL;
1035
22100
			curr->prev = NULL;
1036
22100
		}
1037
	}
1038
1039
22940
	*head_p = head;
1040
22940
	*tail_p = tail;
1041
22940
}
1042
1043
static int
1044
ssl_cipher_strength_sort(CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
1045
{
1046
	int max_strength_bits, i, *number_uses;
1047
	CIPHER_ORDER *curr;
1048
1049
	/*
1050
	 * This routine sorts the ciphers with descending strength. The sorting
1051
	 * must keep the pre-sorted sequence, so we apply the normal sorting
1052
	 * routine as '+' movement to the end of the list.
1053
	 */
1054
	max_strength_bits = 0;
1055
2218
	curr = *head_p;
1056
160078
	while (curr != NULL) {
1057

157860
		if (curr->active &&
1058
78930
		    (curr->cipher->strength_bits > max_strength_bits))
1059
1109
			max_strength_bits = curr->cipher->strength_bits;
1060
78930
		curr = curr->next;
1061
	}
1062
1063
1109
	number_uses = calloc((max_strength_bits + 1), sizeof(int));
1064
1109
	if (!number_uses) {
1065
		SSLerrorx(ERR_R_MALLOC_FAILURE);
1066
		return (0);
1067
	}
1068
1069
	/*
1070
	 * Now find the strength_bits values actually used
1071
	 */
1072
1109
	curr = *head_p;
1073
160078
	while (curr != NULL) {
1074
78930
		if (curr->active)
1075
78930
			number_uses[curr->cipher->strength_bits]++;
1076
78930
		curr = curr->next;
1077
	}
1078
	/*
1079
	 * Go through the list of used strength_bits values in descending
1080
	 * order.
1081
	 */
1082
572244
	for (i = max_strength_bits; i >= 0; i--)
1083
285013
		if (number_uses[i] > 0)
1084
5545
			ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, head_p, tail_p);
1085
1086
1109
	free(number_uses);
1087
1109
	return (1);
1088
1109
}
1089
1090
static int
1091
ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,
1092
    CIPHER_ORDER **tail_p, const SSL_CIPHER **ca_list)
1093
{
1094
	unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl;
1095
	unsigned long algo_strength;
1096
	int j, multi, found, rule, retval, ok, buflen;
1097
	unsigned long cipher_id = 0;
1098
	const char *l, *buf;
1099
	char ch;
1100
1101
	retval = 1;
1102
	l = rule_str;
1103
9377
	for (;;) {
1104
15427
		ch = *l;
1105
1106
15427
		if (ch == '\0')
1107
			break;
1108
1109
15427
		if (ch == '-') {
1110
			rule = CIPHER_DEL;
1111
			l++;
1112
15427
		} else if (ch == '+') {
1113
			rule = CIPHER_ORD;
1114
			l++;
1115
15427
		} else if (ch == '!') {
1116
			rule = CIPHER_KILL;
1117
3601
			l++;
1118
15427
		} else if (ch == '@') {
1119
			rule = CIPHER_SPECIAL;
1120
			l++;
1121
		} else {
1122
			rule = CIPHER_ADD;
1123
		}
1124
1125


40231
		if (ITEM_SEP(ch)) {
1126
7159
			l++;
1127
7159
			continue;
1128
		}
1129
1130
		alg_mkey = 0;
1131
		alg_auth = 0;
1132
		alg_enc = 0;
1133
		alg_mac = 0;
1134
		alg_ssl = 0;
1135
		algo_strength = 0;
1136
1137
8618
		for (;;) {
1138
8618
			ch = *l;
1139
			buf = l;
1140
			buflen = 0;
1141

287504
			while (((ch >= 'A') && (ch <= 'Z')) ||
1142

65749
			    ((ch >= '0') && (ch <= '9')) ||
1143

25046
			    ((ch >= 'a') && (ch <= 'z')) ||
1144
27946
			    (ch == '-') || (ch == '.')) {
1145
96292
				ch = *(++l);
1146
96292
				buflen++;
1147
			}
1148
1149
8618
			if (buflen == 0) {
1150
				/*
1151
				 * We hit something we cannot deal with,
1152
				 * it is no command or separator nor
1153
				 * alphanumeric, so we call this an error.
1154
				 */
1155
				SSLerrorx(SSL_R_INVALID_COMMAND);
1156
				retval = found = 0;
1157
				l++;
1158
				break;
1159
			}
1160
1161
8618
			if (rule == CIPHER_SPECIAL) {
1162
				 /* unused -- avoid compiler warning */
1163
				found = 0;
1164
				/* special treatment */
1165
				break;
1166
			}
1167
1168
			/* check for multi-part specification */
1169
8618
			if (ch == '+') {
1170
				multi = 1;
1171
350
				l++;
1172
350
			} else
1173
				multi = 0;
1174
1175
			/*
1176
			 * Now search for the cipher alias in the ca_list.
1177
			 * Be careful with the strncmp, because the "buflen"
1178
			 * limitation will make the rule "ADH:SOME" and the
1179
			 * cipher "ADH-MY-CIPHER" look like a match for
1180
			 * buflen=3. So additionally check whether the cipher
1181
			 * name found has the correct length. We can save a
1182
			 * strlen() call: just checking for the '\0' at the
1183
			 * right place is sufficient, we have to strncmp()
1184
			 * anyway (we cannot use strcmp(), because buf is not
1185
			 * '\0' terminated.)
1186
			 */
1187
			j = found = 0;
1188
			cipher_id = 0;
1189
1316352
			while (ca_list[j]) {
1190

667080
				if (!strncmp(buf, ca_list[j]->name, buflen) &&
1191
10867
				    (ca_list[j]->name[buflen] == '\0')) {
1192
					found = 1;
1193
6655
					break;
1194
				} else
1195
649558
					j++;
1196
			}
1197
1198
8618
			if (!found)
1199
				break;	/* ignore this entry */
1200
1201
6655
			if (ca_list[j]->algorithm_mkey) {
1202
3302
				if (alg_mkey) {
1203
					alg_mkey &= ca_list[j]->algorithm_mkey;
1204
					if (!alg_mkey) {
1205
						found = 0;
1206
						break;
1207
					}
1208
				} else
1209
					alg_mkey = ca_list[j]->algorithm_mkey;
1210
			}
1211
1212
6655
			if (ca_list[j]->algorithm_auth) {
1213
4068
				if (alg_auth) {
1214
					alg_auth &= ca_list[j]->algorithm_auth;
1215
					if (!alg_auth) {
1216
						found = 0;
1217
						break;
1218
					}
1219
				} else
1220
					alg_auth = ca_list[j]->algorithm_auth;
1221
			}
1222
1223
6655
			if (ca_list[j]->algorithm_enc) {
1224
5093
				if (alg_enc) {
1225
					alg_enc &= ca_list[j]->algorithm_enc;
1226
					if (!alg_enc) {
1227
						found = 0;
1228
						break;
1229
					}
1230
				} else
1231
					alg_enc = ca_list[j]->algorithm_enc;
1232
			}
1233
1234
6655
			if (ca_list[j]->algorithm_mac) {
1235
3284
				if (alg_mac) {
1236
					alg_mac &= ca_list[j]->algorithm_mac;
1237
					if (!alg_mac) {
1238
						found = 0;
1239
						break;
1240
					}
1241
				} else
1242
					alg_mac = ca_list[j]->algorithm_mac;
1243
			}
1244
1245
6655
			if (ca_list[j]->algo_strength & SSL_STRONG_MASK) {
1246
3162
				if (algo_strength & SSL_STRONG_MASK) {
1247
					algo_strength &=
1248
					    (ca_list[j]->algo_strength &
1249
					    SSL_STRONG_MASK) | ~SSL_STRONG_MASK;
1250
					if (!(algo_strength &
1251
					    SSL_STRONG_MASK)) {
1252
						found = 0;
1253
						break;
1254
					}
1255
				} else
1256
3162
					algo_strength |=
1257
					    ca_list[j]->algo_strength &
1258
					    SSL_STRONG_MASK;
1259
			}
1260
1261
6655
			if (ca_list[j]->valid) {
1262
				/*
1263
				 * explicit ciphersuite found; its protocol
1264
				 * version does not become part of the search
1265
				 * pattern!
1266
				 */
1267
3062
				cipher_id = ca_list[j]->id;
1268
3062
			} else {
1269
				/*
1270
				 * not an explicit ciphersuite; only in this
1271
				 * case, the protocol version is considered
1272
				 * part of the search pattern
1273
				 */
1274
3593
				if (ca_list[j]->algorithm_ssl) {
1275
131
					if (alg_ssl) {
1276
						alg_ssl &=
1277
						    ca_list[j]->algorithm_ssl;
1278
						if (!alg_ssl) {
1279
							found = 0;
1280
							break;
1281
						}
1282
					} else
1283
						alg_ssl =
1284
						    ca_list[j]->algorithm_ssl;
1285
				}
1286
			}
1287
1288
6655
			if (!multi)
1289
				break;
1290
		}
1291
1292
		/*
1293
		 * Ok, we have the rule, now apply it
1294
		 */
1295
8268
		if (rule == CIPHER_SPECIAL) {
1296
			/* special command */
1297
			ok = 0;
1298
			if ((buflen == 8) && !strncmp(buf, "STRENGTH", 8))
1299
				ok = ssl_cipher_strength_sort(head_p, tail_p);
1300
			else
1301
				SSLerrorx(SSL_R_INVALID_COMMAND);
1302
			if (ok == 0)
1303
				retval = 0;
1304
			/*
1305
			 * We do not support any "multi" options
1306
			 * together with "@", so throw away the
1307
			 * rest of the command, if any left, until
1308
			 * end or ':' is found.
1309
			 */
1310
			while ((*l != '\0') && !ITEM_SEP(*l))
1311
				l++;
1312
8268
		} else if (found) {
1313
6305
			ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth,
1314
			    alg_enc, alg_mac, alg_ssl, algo_strength, rule,
1315
			    -1, head_p, tail_p);
1316
6305
		} else {
1317


6126
			while ((*l != '\0') && !ITEM_SEP(*l))
1318
				l++;
1319
		}
1320
8268
		if (*l == '\0')
1321
			break; /* done */
1322
	}
1323
1324
1109
	return (retval);
1325
}
1326
1327
static inline int
1328
ssl_aes_is_accelerated(void)
1329
{
1330
#if defined(__i386__) || defined(__x86_64__)
1331
2218
	return ((OPENSSL_cpu_caps() & (1ULL << 57)) != 0);
1332
#else
1333
	return (0);
1334
#endif
1335
}
1336
1337
STACK_OF(SSL_CIPHER) *
1338
ssl_create_cipher_list(const SSL_METHOD *ssl_method,
1339
    STACK_OF(SSL_CIPHER) **cipher_list,
1340
    STACK_OF(SSL_CIPHER) **cipher_list_by_id,
1341
    const char *rule_str)
1342
{
1343
	int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
1344
2218
	unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl;
1345
	STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list;
1346
	const char *rule_p;
1347
1109
	CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
1348
	const SSL_CIPHER **ca_list = NULL;
1349
1350
	/*
1351
	 * Return with error if nothing to do.
1352
	 */
1353
1109
	if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
1354
		return NULL;
1355
1356
	/*
1357
	 * To reduce the work to do we only want to process the compiled
1358
	 * in algorithms, so we first get the mask of disabled ciphers.
1359
	 */
1360
1109
	ssl_cipher_get_disabled(&disabled_mkey, &disabled_auth, &disabled_enc, &disabled_mac, &disabled_ssl);
1361
1362
	/*
1363
	 * Now we have to collect the available ciphers from the compiled
1364
	 * in ciphers. We cannot get more than the number compiled in, so
1365
	 * it is used for allocation.
1366
	 */
1367
1109
	num_of_ciphers = ssl_method->num_ciphers();
1368
1109
	co_list = reallocarray(NULL, num_of_ciphers, sizeof(CIPHER_ORDER));
1369
1109
	if (co_list == NULL) {
1370
		SSLerrorx(ERR_R_MALLOC_FAILURE);
1371
		return(NULL);	/* Failure */
1372
	}
1373
1374
1109
	ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
1375
1109
	disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl,
1376
	co_list, &head, &tail);
1377
1378
1379
	/* Now arrange all ciphers by preference: */
1380
1381
	/* Everything else being equal, prefer ephemeral ECDH over other key exchange mechanisms */
1382
1109
	ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
1383
1109
	ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
1384
1385
1109
	if (ssl_aes_is_accelerated() == 1) {
1386
		/*
1387
		 * We have hardware assisted AES - prefer AES as a symmetric
1388
		 * cipher, with CHACHA20 second.
1389
		 */
1390
1109
		ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0,
1391
		    CIPHER_ADD, -1, &head, &tail);
1392
1109
		ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305,
1393
		    0, 0, 0, CIPHER_ADD, -1, &head, &tail);
1394
1109
	} else {
1395
		/*
1396
		 * CHACHA20 is fast and safe on all hardware and is thus our
1397
		 * preferred symmetric cipher, with AES second.
1398
		 */
1399
		ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305,
1400
		    0, 0, 0, CIPHER_ADD, -1, &head, &tail);
1401
		ssl_cipher_apply_rule(0, 0, 0, SSL_AES, 0, 0, 0,
1402
		    CIPHER_ADD, -1, &head, &tail);
1403
	}
1404
1405
	/* Temporarily enable everything else for sorting */
1406
1109
	ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
1407
1408
	/* Low priority for MD5 */
1409
1109
	ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, &head, &tail);
1410
1411
	/* Move anonymous ciphers to the end.  Usually, these will remain disabled.
1412
	 * (For applications that allow them, they aren't too bad, but we prefer
1413
	 * authenticated ciphers.) */
1414
1109
	ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1415
1416
	/* Move ciphers without forward secrecy to the end */
1417
1109
	ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1418
1419
	/* RC4 is sort of broken - move it to the end */
1420
1109
	ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head, &tail);
1421
1422
	/* Now sort by symmetric encryption strength.  The above ordering remains
1423
	 * in force within each class */
1424
1109
	if (!ssl_cipher_strength_sort(&head, &tail)) {
1425
		free(co_list);
1426
		return NULL;
1427
	}
1428
1429
	/* Now disable everything (maintaining the ordering!) */
1430
1109
	ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
1431
1432
1433
	/*
1434
	 * We also need cipher aliases for selecting based on the rule_str.
1435
	 * There might be two types of entries in the rule_str: 1) names
1436
	 * of ciphers themselves 2) aliases for groups of ciphers.
1437
	 * For 1) we need the available ciphers and for 2) the cipher
1438
	 * groups of cipher_aliases added together in one list (otherwise
1439
	 * we would be happy with just the cipher_aliases table).
1440
	 */
1441
	num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER);
1442
1109
	num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
1443
1109
	ca_list = reallocarray(NULL, num_of_alias_max, sizeof(SSL_CIPHER *));
1444
1109
	if (ca_list == NULL) {
1445
		free(co_list);
1446
		SSLerrorx(ERR_R_MALLOC_FAILURE);
1447
		return(NULL);	/* Failure */
1448
	}
1449
1109
	ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
1450
1109
	disabled_mkey, disabled_auth, disabled_enc,
1451
1109
	disabled_mac, disabled_ssl, head);
1452
1453
	/*
1454
	 * If the rule_string begins with DEFAULT, apply the default rule
1455
	 * before using the (possibly available) additional rules.
1456
	 */
1457
	ok = 1;
1458
	rule_p = rule_str;
1459
1109
	if (strncmp(rule_str, "DEFAULT", 7) == 0) {
1460
		ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
1461
		&head, &tail, ca_list);
1462
		rule_p += 7;
1463
		if (*rule_p == ':')
1464
			rule_p++;
1465
	}
1466
1467

2218
	if (ok && (strlen(rule_p) > 0))
1468
1109
		ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list);
1469
1470
1109
	free((void *)ca_list);	/* Not needed anymore */
1471
1472
1109
	if (!ok) {
1473
		/* Rule processing failure */
1474
		free(co_list);
1475
		return (NULL);
1476
	}
1477
1478
	/*
1479
	 * Allocate new "cipherstack" for the result, return with error
1480
	 * if we cannot get one.
1481
	 */
1482
1109
	if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
1483
		free(co_list);
1484
		return (NULL);
1485
	}
1486
1487
	/*
1488
	 * The cipher selection for the list is done. The ciphers are added
1489
	 * to the resulting precedence to the STACK_OF(SSL_CIPHER).
1490
	 */
1491
115878
	for (curr = head; curr != NULL; curr = curr->next) {
1492
56830
		if (curr->active) {
1493
40628
			sk_SSL_CIPHER_push(cipherstack, curr->cipher);
1494
40628
		}
1495
	}
1496
1109
	free(co_list);	/* Not needed any longer */
1497
1498
1109
	tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack);
1499
1109
	if (tmp_cipher_list == NULL) {
1500
		sk_SSL_CIPHER_free(cipherstack);
1501
		return NULL;
1502
	}
1503
1109
	sk_SSL_CIPHER_free(*cipher_list);
1504
1109
	*cipher_list = cipherstack;
1505
1109
	sk_SSL_CIPHER_free(*cipher_list_by_id);
1506
1109
	*cipher_list_by_id = tmp_cipher_list;
1507
1109
	(void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id,
1508
	    ssl_cipher_ptr_id_cmp);
1509
1510
1109
	sk_SSL_CIPHER_sort(*cipher_list_by_id);
1511
1109
	return (cipherstack);
1512
1109
}
1513
1514
const SSL_CIPHER *
1515
SSL_CIPHER_get_by_id(unsigned int id)
1516
{
1517
282
	return ssl3_get_cipher_by_id(id);
1518
}
1519
1520
const SSL_CIPHER *
1521
SSL_CIPHER_get_by_value(uint16_t value)
1522
{
1523
282
	return ssl3_get_cipher_by_value(value);
1524
}
1525
1526
char *
1527
SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1528
{
1529
	unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, alg2;
1530
	const char *ver, *kx, *au, *enc, *mac;
1531
188
	char *ret;
1532
	int l;
1533
1534
94
	alg_mkey = cipher->algorithm_mkey;
1535
94
	alg_auth = cipher->algorithm_auth;
1536
94
	alg_enc = cipher->algorithm_enc;
1537
94
	alg_mac = cipher->algorithm_mac;
1538
94
	alg_ssl = cipher->algorithm_ssl;
1539
1540
94
	alg2 = cipher->algorithm2;
1541
1542
94
	if (alg_ssl & SSL_SSLV3)
1543
48
		ver = "SSLv3";
1544
46
	else if (alg_ssl & SSL_TLSV1_2)
1545
46
		ver = "TLSv1.2";
1546
	else
1547
		ver = "unknown";
1548
1549

94
	switch (alg_mkey) {
1550
	case SSL_kRSA:
1551
		kx = "RSA";
1552
28
		break;
1553
	case SSL_kDHE:
1554
		kx = "DH";
1555
26
		break;
1556
	case SSL_kECDHE:
1557
		kx = "ECDH";
1558
36
		break;
1559
	case SSL_kGOST:
1560
		kx = "GOST";
1561
4
		break;
1562
	default:
1563
		kx = "unknown";
1564
	}
1565
1566

94
	switch (alg_auth) {
1567
	case SSL_aRSA:
1568
		au = "RSA";
1569
72
		break;
1570
	case SSL_aDSS:
1571
		au = "DSS";
1572
		break;
1573
	case SSL_aNULL:
1574
		au = "None";
1575
		break;
1576
	case SSL_aECDSA:
1577
		au = "ECDSA";
1578
18
		break;
1579
	case SSL_aGOST01:
1580
		au = "GOST01";
1581
4
		break;
1582
	default:
1583
		au = "unknown";
1584
		break;
1585
	}
1586
1587



94
	switch (alg_enc) {
1588
	case SSL_DES:
1589
		enc = "DES(56)";
1590
4
		break;
1591
	case SSL_3DES:
1592
		enc = "3DES(168)";
1593
8
		break;
1594
	case SSL_RC4:
1595
8
		enc = alg2 & SSL2_CF_8_BYTE_ENC ? "RC4(64)" : "RC4(128)";
1596
8
		break;
1597
	case SSL_IDEA:
1598
		enc = "IDEA(128)";
1599
		break;
1600
	case SSL_eNULL:
1601
		enc = "None";
1602
		break;
1603
	case SSL_AES128:
1604
		enc = "AES(128)";
1605
16
		break;
1606
	case SSL_AES256:
1607
		enc = "AES(256)";
1608
16
		break;
1609
	case SSL_AES128GCM:
1610
		enc = "AESGCM(128)";
1611
8
		break;
1612
	case SSL_AES256GCM:
1613
		enc = "AESGCM(256)";
1614
8
		break;
1615
	case SSL_CAMELLIA128:
1616
		enc = "Camellia(128)";
1617
8
		break;
1618
	case SSL_CAMELLIA256:
1619
		enc = "Camellia(256)";
1620
8
		break;
1621
	case SSL_CHACHA20POLY1305:
1622
		enc = "ChaCha20-Poly1305";
1623
6
		break;
1624
	case SSL_eGOST2814789CNT:
1625
		enc = "GOST-28178-89-CNT";
1626
4
		break;
1627
	default:
1628
		enc = "unknown";
1629
		break;
1630
	}
1631
1632


94
	switch (alg_mac) {
1633
	case SSL_MD5:
1634
		mac = "MD5";
1635
2
		break;
1636
	case SSL_SHA1:
1637
		mac = "SHA1";
1638
42
		break;
1639
	case SSL_SHA256:
1640
		mac = "SHA256";
1641
20
		break;
1642
	case SSL_SHA384:
1643
		mac = "SHA384";
1644
4
		break;
1645
	case SSL_AEAD:
1646
		mac = "AEAD";
1647
22
		break;
1648
	case SSL_GOST94:
1649
		mac = "GOST94";
1650
		break;
1651
	case SSL_GOST89MAC:
1652
		mac = "GOST89IMIT";
1653
4
		break;
1654
	case SSL_STREEBOG256:
1655
		mac = "STREEBOG256";
1656
		break;
1657
	default:
1658
		mac = "unknown";
1659
		break;
1660
	}
1661
1662
188
	if (asprintf(&ret, "%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n",
1663
188
	    cipher->name, ver, kx, au, enc, mac) == -1)
1664
		return "OPENSSL_malloc Error";
1665
1666
94
	if (buf != NULL) {
1667
		l = strlcpy(buf, ret, len);
1668
		free(ret);
1669
		ret = buf;
1670
		if (l >= len)
1671
			ret = "Buffer too small";
1672
	}
1673
1674
94
	return (ret);
1675
94
}
1676
1677
char *
1678
SSL_CIPHER_get_version(const SSL_CIPHER *c)
1679
{
1680
368
	if (c == NULL)
1681
		return("(NONE)");
1682
184
	if ((c->id >> 24) == 3)
1683
184
		return("TLSv1/SSLv3");
1684
	else
1685
		return("unknown");
1686
184
}
1687
1688
/* return the actual cipher being used */
1689
const char *
1690
SSL_CIPHER_get_name(const SSL_CIPHER *c)
1691
{
1692
590
	if (c != NULL)
1693
295
		return (c->name);
1694
	return("(NONE)");
1695
295
}
1696
1697
/* number of bits for symmetric cipher */
1698
int
1699
SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits)
1700
{
1701
	int ret = 0;
1702
1703
	if (c != NULL) {
1704
		if (alg_bits != NULL)
1705
			*alg_bits = c->alg_bits;
1706
		ret = c->strength_bits;
1707
	}
1708
	return (ret);
1709
}
1710
1711
unsigned long
1712
SSL_CIPHER_get_id(const SSL_CIPHER *c)
1713
{
1714
282
	return c->id;
1715
}
1716
1717
uint16_t
1718
SSL_CIPHER_get_value(const SSL_CIPHER *c)
1719
{
1720
506
	return ssl3_cipher_get_value(c);
1721
}
1722
1723
void *
1724
SSL_COMP_get_compression_methods(void)
1725
{
1726
	return NULL;
1727
}
1728
1729
int
1730
SSL_COMP_add_compression_method(int id, void *cm)
1731
{
1732
	return 1;
1733
}
1734
1735
const char *
1736
SSL_COMP_get_name(const void *comp)
1737
{
1738
	return NULL;
1739
}