Coverage Report

Created: 2025-06-13 06:58

/src/openssl30/ssl/ssl_ciph.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
3
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4
 * Copyright 2005 Nokia. All rights reserved.
5
 *
6
 * Licensed under the Apache License 2.0 (the "License").  You may not use
7
 * this file except in compliance with the License.  You can obtain a copy
8
 * in the file LICENSE in the source distribution or at
9
 * https://www.openssl.org/source/license.html
10
 */
11
12
#include <stdio.h>
13
#include <ctype.h>
14
#include <openssl/objects.h>
15
#include <openssl/comp.h>
16
#include <openssl/engine.h>
17
#include <openssl/crypto.h>
18
#include <openssl/conf.h>
19
#include <openssl/trace.h>
20
#include "internal/nelem.h"
21
#include "ssl_local.h"
22
#include "internal/thread_once.h"
23
#include "internal/cryptlib.h"
24
25
/* NB: make sure indices in these tables match values above */
26
27
typedef struct {
28
    uint32_t mask;
29
    int nid;
30
} ssl_cipher_table;
31
32
/* Table of NIDs for each cipher */
33
static const ssl_cipher_table ssl_cipher_table_cipher[SSL_ENC_NUM_IDX] = {
34
    {SSL_DES, NID_des_cbc},     /* SSL_ENC_DES_IDX 0 */
35
    {SSL_3DES, NID_des_ede3_cbc}, /* SSL_ENC_3DES_IDX 1 */
36
    {SSL_RC4, NID_rc4},         /* SSL_ENC_RC4_IDX 2 */
37
    {SSL_RC2, NID_rc2_cbc},     /* SSL_ENC_RC2_IDX 3 */
38
    {SSL_IDEA, NID_idea_cbc},   /* SSL_ENC_IDEA_IDX 4 */
39
    {SSL_eNULL, NID_undef},     /* SSL_ENC_NULL_IDX 5 */
40
    {SSL_AES128, NID_aes_128_cbc}, /* SSL_ENC_AES128_IDX 6 */
41
    {SSL_AES256, NID_aes_256_cbc}, /* SSL_ENC_AES256_IDX 7 */
42
    {SSL_CAMELLIA128, NID_camellia_128_cbc}, /* SSL_ENC_CAMELLIA128_IDX 8 */
43
    {SSL_CAMELLIA256, NID_camellia_256_cbc}, /* SSL_ENC_CAMELLIA256_IDX 9 */
44
    {SSL_eGOST2814789CNT, NID_gost89_cnt}, /* SSL_ENC_GOST89_IDX 10 */
45
    {SSL_SEED, NID_seed_cbc},   /* SSL_ENC_SEED_IDX 11 */
46
    {SSL_AES128GCM, NID_aes_128_gcm}, /* SSL_ENC_AES128GCM_IDX 12 */
47
    {SSL_AES256GCM, NID_aes_256_gcm}, /* SSL_ENC_AES256GCM_IDX 13 */
48
    {SSL_AES128CCM, NID_aes_128_ccm}, /* SSL_ENC_AES128CCM_IDX 14 */
49
    {SSL_AES256CCM, NID_aes_256_ccm}, /* SSL_ENC_AES256CCM_IDX 15 */
50
    {SSL_AES128CCM8, NID_aes_128_ccm}, /* SSL_ENC_AES128CCM8_IDX 16 */
51
    {SSL_AES256CCM8, NID_aes_256_ccm}, /* SSL_ENC_AES256CCM8_IDX 17 */
52
    {SSL_eGOST2814789CNT12, NID_gost89_cnt_12}, /* SSL_ENC_GOST8912_IDX 18 */
53
    {SSL_CHACHA20POLY1305, NID_chacha20_poly1305}, /* SSL_ENC_CHACHA_IDX 19 */
54
    {SSL_ARIA128GCM, NID_aria_128_gcm}, /* SSL_ENC_ARIA128GCM_IDX 20 */
55
    {SSL_ARIA256GCM, NID_aria_256_gcm}, /* SSL_ENC_ARIA256GCM_IDX 21 */
56
    {SSL_MAGMA, NID_magma_ctr_acpkm}, /* SSL_ENC_MAGMA_IDX */
57
    {SSL_KUZNYECHIK, NID_kuznyechik_ctr_acpkm}, /* SSL_ENC_KUZNYECHIK_IDX */
58
};
59
60
#define SSL_COMP_NULL_IDX       0
61
0
#define SSL_COMP_ZLIB_IDX       1
62
#define SSL_COMP_NUM_IDX        2
63
64
static STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
65
66
#ifndef OPENSSL_NO_COMP
67
static CRYPTO_ONCE ssl_load_builtin_comp_once = CRYPTO_ONCE_STATIC_INIT;
68
#endif
69
70
/* NB: make sure indices in this table matches values above */
71
static const ssl_cipher_table ssl_cipher_table_mac[SSL_MD_NUM_IDX] = {
72
    {SSL_MD5, NID_md5},         /* SSL_MD_MD5_IDX 0 */
73
    {SSL_SHA1, NID_sha1},       /* SSL_MD_SHA1_IDX 1 */
74
    {SSL_GOST94, NID_id_GostR3411_94}, /* SSL_MD_GOST94_IDX 2 */
75
    {SSL_GOST89MAC, NID_id_Gost28147_89_MAC}, /* SSL_MD_GOST89MAC_IDX 3 */
76
    {SSL_SHA256, NID_sha256},   /* SSL_MD_SHA256_IDX 4 */
77
    {SSL_SHA384, NID_sha384},   /* SSL_MD_SHA384_IDX 5 */
78
    {SSL_GOST12_256, NID_id_GostR3411_2012_256}, /* SSL_MD_GOST12_256_IDX 6 */
79
    {SSL_GOST89MAC12, NID_gost_mac_12}, /* SSL_MD_GOST89MAC12_IDX 7 */
80
    {SSL_GOST12_512, NID_id_GostR3411_2012_512}, /* SSL_MD_GOST12_512_IDX 8 */
81
    {0, NID_md5_sha1},          /* SSL_MD_MD5_SHA1_IDX 9 */
82
    {0, NID_sha224},            /* SSL_MD_SHA224_IDX 10 */
83
    {0, NID_sha512},            /* SSL_MD_SHA512_IDX 11 */
84
    {SSL_MAGMAOMAC, NID_magma_mac}, /* sSL_MD_MAGMAOMAC_IDX */
85
    {SSL_KUZNYECHIKOMAC, NID_kuznyechik_mac} /* SSL_MD_KUZNYECHIKOMAC_IDX */
86
};
87
88
/* *INDENT-OFF* */
89
static const ssl_cipher_table ssl_cipher_table_kx[] = {
90
    {SSL_kRSA,      NID_kx_rsa},
91
    {SSL_kECDHE,    NID_kx_ecdhe},
92
    {SSL_kDHE,      NID_kx_dhe},
93
    {SSL_kECDHEPSK, NID_kx_ecdhe_psk},
94
    {SSL_kDHEPSK,   NID_kx_dhe_psk},
95
    {SSL_kRSAPSK,   NID_kx_rsa_psk},
96
    {SSL_kPSK,      NID_kx_psk},
97
    {SSL_kSRP,      NID_kx_srp},
98
    {SSL_kGOST,     NID_kx_gost},
99
    {SSL_kGOST18,   NID_kx_gost18},
100
    {SSL_kANY,      NID_kx_any}
101
};
102
103
static const ssl_cipher_table ssl_cipher_table_auth[] = {
104
    {SSL_aRSA,    NID_auth_rsa},
105
    {SSL_aECDSA,  NID_auth_ecdsa},
106
    {SSL_aPSK,    NID_auth_psk},
107
    {SSL_aDSS,    NID_auth_dss},
108
    {SSL_aGOST01, NID_auth_gost01},
109
    {SSL_aGOST12, NID_auth_gost12},
110
    {SSL_aSRP,    NID_auth_srp},
111
    {SSL_aNULL,   NID_auth_null},
112
    {SSL_aANY,    NID_auth_any}
113
};
114
/* *INDENT-ON* */
115
116
/* Utility function for table lookup */
117
static int ssl_cipher_info_find(const ssl_cipher_table * table,
118
                                size_t table_cnt, uint32_t mask)
119
48.4k
{
120
48.4k
    size_t i;
121
543k
    for (i = 0; i < table_cnt; i++, table++) {
122
527k
        if (table->mask == mask)
123
33.0k
            return (int)i;
124
527k
    }
125
15.4k
    return -1;
126
48.4k
}
127
128
#define ssl_cipher_info_lookup(table, x) \
129
38.0k
    ssl_cipher_info_find(table, OSSL_NELEM(table), x)
130
131
/*
132
 * PKEY_TYPE for GOST89MAC is known in advance, but, because implementation
133
 * is engine-provided, we'll fill it only if corresponding EVP_PKEY_METHOD is
134
 * found
135
 */
136
static const int default_mac_pkey_id[SSL_MD_NUM_IDX] = {
137
    /* MD5, SHA, GOST94, MAC89 */
138
    EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, NID_undef,
139
    /* SHA256, SHA384, GOST2012_256, MAC89-12 */
140
    EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, NID_undef,
141
    /* GOST2012_512 */
142
    EVP_PKEY_HMAC,
143
    /* MD5/SHA1, SHA224, SHA512, MAGMAOMAC, KUZNYECHIKOMAC */
144
    NID_undef, NID_undef, NID_undef, NID_undef, NID_undef
145
};
146
147
138M
#define CIPHER_ADD      1
148
6.45M
#define CIPHER_KILL     2
149
64.9M
#define CIPHER_DEL      3
150
84.7M
#define CIPHER_ORD      4
151
317k
#define CIPHER_SPECIAL  5
152
/*
153
 * Bump the ciphers to the top of the list.
154
 * This rule isn't currently supported by the public cipherstring API.
155
 */
156
38.3M
#define CIPHER_BUMP     6
157
158
typedef struct cipher_order_st {
159
    const SSL_CIPHER *cipher;
160
    int active;
161
    int dead;
162
    struct cipher_order_st *next, *prev;
163
} CIPHER_ORDER;
164
165
static const SSL_CIPHER cipher_aliases[] = {
166
    /* "ALL" doesn't include eNULL (must be specifically enabled) */
167
    {0, SSL_TXT_ALL, NULL, 0, 0, 0, ~SSL_eNULL},
168
    /* "COMPLEMENTOFALL" */
169
    {0, SSL_TXT_CMPALL, NULL, 0, 0, 0, SSL_eNULL},
170
171
    /*
172
     * "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in
173
     * ALL!)
174
     */
175
    {0, SSL_TXT_CMPDEF, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_NOT_DEFAULT},
176
177
    /*
178
     * key exchange aliases (some of those using only a single bit here
179
     * combine multiple key exchange algs according to the RFCs, e.g. kDHE
180
     * combines DHE_DSS and DHE_RSA)
181
     */
182
    {0, SSL_TXT_kRSA, NULL, 0, SSL_kRSA},
183
184
    {0, SSL_TXT_kEDH, NULL, 0, SSL_kDHE},
185
    {0, SSL_TXT_kDHE, NULL, 0, SSL_kDHE},
186
    {0, SSL_TXT_DH, NULL, 0, SSL_kDHE},
187
188
    {0, SSL_TXT_kEECDH, NULL, 0, SSL_kECDHE},
189
    {0, SSL_TXT_kECDHE, NULL, 0, SSL_kECDHE},
190
    {0, SSL_TXT_ECDH, NULL, 0, SSL_kECDHE},
191
192
    {0, SSL_TXT_kPSK, NULL, 0, SSL_kPSK},
193
    {0, SSL_TXT_kRSAPSK, NULL, 0, SSL_kRSAPSK},
194
    {0, SSL_TXT_kECDHEPSK, NULL, 0, SSL_kECDHEPSK},
195
    {0, SSL_TXT_kDHEPSK, NULL, 0, SSL_kDHEPSK},
196
    {0, SSL_TXT_kSRP, NULL, 0, SSL_kSRP},
197
    {0, SSL_TXT_kGOST, NULL, 0, SSL_kGOST},
198
    {0, SSL_TXT_kGOST18, NULL, 0, SSL_kGOST18},
199
200
    /* server authentication aliases */
201
    {0, SSL_TXT_aRSA, NULL, 0, 0, SSL_aRSA},
202
    {0, SSL_TXT_aDSS, NULL, 0, 0, SSL_aDSS},
203
    {0, SSL_TXT_DSS, NULL, 0, 0, SSL_aDSS},
204
    {0, SSL_TXT_aNULL, NULL, 0, 0, SSL_aNULL},
205
    {0, SSL_TXT_aECDSA, NULL, 0, 0, SSL_aECDSA},
206
    {0, SSL_TXT_ECDSA, NULL, 0, 0, SSL_aECDSA},
207
    {0, SSL_TXT_aPSK, NULL, 0, 0, SSL_aPSK},
208
    {0, SSL_TXT_aGOST01, NULL, 0, 0, SSL_aGOST01},
209
    {0, SSL_TXT_aGOST12, NULL, 0, 0, SSL_aGOST12},
210
    {0, SSL_TXT_aGOST, NULL, 0, 0, SSL_aGOST01 | SSL_aGOST12},
211
    {0, SSL_TXT_aSRP, NULL, 0, 0, SSL_aSRP},
212
213
    /* aliases combining key exchange and server authentication */
214
    {0, SSL_TXT_EDH, NULL, 0, SSL_kDHE, ~SSL_aNULL},
215
    {0, SSL_TXT_DHE, NULL, 0, SSL_kDHE, ~SSL_aNULL},
216
    {0, SSL_TXT_EECDH, NULL, 0, SSL_kECDHE, ~SSL_aNULL},
217
    {0, SSL_TXT_ECDHE, NULL, 0, SSL_kECDHE, ~SSL_aNULL},
218
    {0, SSL_TXT_NULL, NULL, 0, 0, 0, SSL_eNULL},
219
    {0, SSL_TXT_RSA, NULL, 0, SSL_kRSA, SSL_aRSA},
220
    {0, SSL_TXT_ADH, NULL, 0, SSL_kDHE, SSL_aNULL},
221
    {0, SSL_TXT_AECDH, NULL, 0, SSL_kECDHE, SSL_aNULL},
222
    {0, SSL_TXT_PSK, NULL, 0, SSL_PSK},
223
    {0, SSL_TXT_SRP, NULL, 0, SSL_kSRP},
224
225
    /* symmetric encryption aliases */
226
    {0, SSL_TXT_3DES, NULL, 0, 0, 0, SSL_3DES},
227
    {0, SSL_TXT_RC4, NULL, 0, 0, 0, SSL_RC4},
228
    {0, SSL_TXT_RC2, NULL, 0, 0, 0, SSL_RC2},
229
    {0, SSL_TXT_IDEA, NULL, 0, 0, 0, SSL_IDEA},
230
    {0, SSL_TXT_SEED, NULL, 0, 0, 0, SSL_SEED},
231
    {0, SSL_TXT_eNULL, NULL, 0, 0, 0, SSL_eNULL},
232
    {0, SSL_TXT_GOST, NULL, 0, 0, 0,
233
     SSL_eGOST2814789CNT | SSL_eGOST2814789CNT12 | SSL_MAGMA | SSL_KUZNYECHIK},
234
    {0, SSL_TXT_AES128, NULL, 0, 0, 0,
235
     SSL_AES128 | SSL_AES128GCM | SSL_AES128CCM | SSL_AES128CCM8},
236
    {0, SSL_TXT_AES256, NULL, 0, 0, 0,
237
     SSL_AES256 | SSL_AES256GCM | SSL_AES256CCM | SSL_AES256CCM8},
238
    {0, SSL_TXT_AES, NULL, 0, 0, 0, SSL_AES},
239
    {0, SSL_TXT_AES_GCM, NULL, 0, 0, 0, SSL_AES128GCM | SSL_AES256GCM},
240
    {0, SSL_TXT_AES_CCM, NULL, 0, 0, 0,
241
     SSL_AES128CCM | SSL_AES256CCM | SSL_AES128CCM8 | SSL_AES256CCM8},
242
    {0, SSL_TXT_AES_CCM_8, NULL, 0, 0, 0, SSL_AES128CCM8 | SSL_AES256CCM8},
243
    {0, SSL_TXT_CAMELLIA128, NULL, 0, 0, 0, SSL_CAMELLIA128},
244
    {0, SSL_TXT_CAMELLIA256, NULL, 0, 0, 0, SSL_CAMELLIA256},
245
    {0, SSL_TXT_CAMELLIA, NULL, 0, 0, 0, SSL_CAMELLIA},
246
    {0, SSL_TXT_CHACHA20, NULL, 0, 0, 0, SSL_CHACHA20},
247
    {0, SSL_TXT_GOST2012_GOST8912_GOST8912, NULL, 0, 0, 0, SSL_eGOST2814789CNT12},
248
249
    {0, SSL_TXT_ARIA, NULL, 0, 0, 0, SSL_ARIA},
250
    {0, SSL_TXT_ARIA_GCM, NULL, 0, 0, 0, SSL_ARIA128GCM | SSL_ARIA256GCM},
251
    {0, SSL_TXT_ARIA128, NULL, 0, 0, 0, SSL_ARIA128GCM},
252
    {0, SSL_TXT_ARIA256, NULL, 0, 0, 0, SSL_ARIA256GCM},
253
    {0, SSL_TXT_CBC, NULL, 0, 0, 0, SSL_CBC},
254
255
    /* MAC aliases */
256
    {0, SSL_TXT_MD5, NULL, 0, 0, 0, 0, SSL_MD5},
257
    {0, SSL_TXT_SHA1, NULL, 0, 0, 0, 0, SSL_SHA1},
258
    {0, SSL_TXT_SHA, NULL, 0, 0, 0, 0, SSL_SHA1},
259
    {0, SSL_TXT_GOST94, NULL, 0, 0, 0, 0, SSL_GOST94},
260
    {0, SSL_TXT_GOST89MAC, NULL, 0, 0, 0, 0, SSL_GOST89MAC | SSL_GOST89MAC12},
261
    {0, SSL_TXT_SHA256, NULL, 0, 0, 0, 0, SSL_SHA256},
262
    {0, SSL_TXT_SHA384, NULL, 0, 0, 0, 0, SSL_SHA384},
263
    {0, SSL_TXT_GOST12, NULL, 0, 0, 0, 0, SSL_GOST12_256},
264
265
    /* protocol version aliases */
266
    {0, SSL_TXT_SSLV3, NULL, 0, 0, 0, 0, 0, SSL3_VERSION},
267
    {0, SSL_TXT_TLSV1, NULL, 0, 0, 0, 0, 0, TLS1_VERSION},
268
    {0, "TLSv1.0", NULL, 0, 0, 0, 0, 0, TLS1_VERSION},
269
    {0, SSL_TXT_TLSV1_2, NULL, 0, 0, 0, 0, 0, TLS1_2_VERSION},
270
271
    /* strength classes */
272
    {0, SSL_TXT_LOW, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_LOW},
273
    {0, SSL_TXT_MEDIUM, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_MEDIUM},
274
    {0, SSL_TXT_HIGH, NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, SSL_HIGH},
275
    /* FIPS 140-2 approved ciphersuite */
276
    {0, SSL_TXT_FIPS, NULL, 0, 0, 0, ~SSL_eNULL, 0, 0, 0, 0, 0, SSL_FIPS},
277
278
    /* "EDH-" aliases to "DHE-" labels (for backward compatibility) */
279
    {0, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA, NULL, 0,
280
     SSL_kDHE, SSL_aDSS, SSL_3DES, SSL_SHA1, 0, 0, 0, 0, SSL_HIGH | SSL_FIPS},
281
    {0, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA, NULL, 0,
282
     SSL_kDHE, SSL_aRSA, SSL_3DES, SSL_SHA1, 0, 0, 0, 0, SSL_HIGH | SSL_FIPS},
283
284
};
285
286
/*
287
 * Search for public key algorithm with given name and return its pkey_id if
288
 * it is available. Otherwise return 0
289
 */
290
#ifdef OPENSSL_NO_ENGINE
291
292
static int get_optional_pkey_id(const char *pkey_name)
293
{
294
    const EVP_PKEY_ASN1_METHOD *ameth;
295
    int pkey_id = 0;
296
    ameth = EVP_PKEY_asn1_find_str(NULL, pkey_name, -1);
297
    if (ameth && EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL,
298
                                         ameth) > 0)
299
        return pkey_id;
300
    return 0;
301
}
302
303
#else
304
305
static int get_optional_pkey_id(const char *pkey_name)
306
555k
{
307
555k
    const EVP_PKEY_ASN1_METHOD *ameth;
308
555k
    ENGINE *tmpeng = NULL;
309
555k
    int pkey_id = 0;
310
555k
    ameth = EVP_PKEY_asn1_find_str(&tmpeng, pkey_name, -1);
311
555k
    if (ameth) {
312
0
        if (EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL,
313
0
                                    ameth) <= 0)
314
0
            pkey_id = 0;
315
0
    }
316
555k
    tls_engine_finish(tmpeng);
317
555k
    return pkey_id;
318
555k
}
319
320
#endif
321
322
int ssl_load_ciphers(SSL_CTX *ctx)
323
48.2k
{
324
48.2k
    size_t i;
325
48.2k
    const ssl_cipher_table *t;
326
48.2k
    EVP_KEYEXCH *kex = NULL;
327
48.2k
    EVP_SIGNATURE *sig = NULL;
328
329
48.2k
    ctx->disabled_enc_mask = 0;
330
1.20M
    for (i = 0, t = ssl_cipher_table_cipher; i < SSL_ENC_NUM_IDX; i++, t++) {
331
1.15M
        if (t->nid != NID_undef) {
332
1.11M
            const EVP_CIPHER *cipher
333
1.11M
                = ssl_evp_cipher_fetch(ctx->libctx, t->nid, ctx->propq);
334
335
1.11M
            ctx->ssl_cipher_methods[i] = cipher;
336
1.11M
            if (cipher == NULL)
337
434k
                ctx->disabled_enc_mask |= t->mask;
338
1.11M
        }
339
1.15M
    }
340
48.2k
    ctx->disabled_mac_mask = 0;
341
724k
    for (i = 0, t = ssl_cipher_table_mac; i < SSL_MD_NUM_IDX; i++, t++) {
342
675k
        const EVP_MD *md
343
675k
            = ssl_evp_md_fetch(ctx->libctx, t->nid, ctx->propq);
344
345
675k
        ctx->ssl_digest_methods[i] = md;
346
675k
        if (md == NULL) {
347
337k
            ctx->disabled_mac_mask |= t->mask;
348
337k
        } else {
349
337k
            int tmpsize = EVP_MD_get_size(md);
350
337k
            if (!ossl_assert(tmpsize >= 0))
351
0
                return 0;
352
337k
            ctx->ssl_mac_secret_size[i] = tmpsize;
353
337k
        }
354
675k
    }
355
356
48.2k
    ctx->disabled_mkey_mask = 0;
357
48.2k
    ctx->disabled_auth_mask = 0;
358
359
    /*
360
     * We ignore any errors from the fetches below. They are expected to fail
361
     * if theose algorithms are not available.
362
     */
363
48.2k
    ERR_set_mark();
364
48.2k
    sig = EVP_SIGNATURE_fetch(ctx->libctx, "DSA", ctx->propq);
365
48.2k
    if (sig == NULL)
366
0
        ctx->disabled_auth_mask |= SSL_aDSS;
367
48.2k
    else
368
48.2k
        EVP_SIGNATURE_free(sig);
369
48.2k
    kex = EVP_KEYEXCH_fetch(ctx->libctx, "DH", ctx->propq);
370
48.2k
    if (kex == NULL)
371
0
        ctx->disabled_mkey_mask |= SSL_kDHE | SSL_kDHEPSK;
372
48.2k
    else
373
48.2k
        EVP_KEYEXCH_free(kex);
374
48.2k
    kex = EVP_KEYEXCH_fetch(ctx->libctx, "ECDH", ctx->propq);
375
48.2k
    if (kex == NULL)
376
0
        ctx->disabled_mkey_mask |= SSL_kECDHE | SSL_kECDHEPSK;
377
48.2k
    else
378
48.2k
        EVP_KEYEXCH_free(kex);
379
48.2k
    sig = EVP_SIGNATURE_fetch(ctx->libctx, "ECDSA", ctx->propq);
380
48.2k
    if (sig == NULL)
381
0
        ctx->disabled_auth_mask |= SSL_aECDSA;
382
48.2k
    else
383
48.2k
        EVP_SIGNATURE_free(sig);
384
48.2k
    ERR_pop_to_mark();
385
386
#ifdef OPENSSL_NO_PSK
387
    ctx->disabled_mkey_mask |= SSL_PSK;
388
    ctx->disabled_auth_mask |= SSL_aPSK;
389
#endif
390
#ifdef OPENSSL_NO_SRP
391
    ctx->disabled_mkey_mask |= SSL_kSRP;
392
#endif
393
394
    /*
395
     * Check for presence of GOST 34.10 algorithms, and if they are not
396
     * present, disable appropriate auth and key exchange
397
     */
398
48.2k
    memcpy(ctx->ssl_mac_pkey_id, default_mac_pkey_id,
399
48.2k
           sizeof(ctx->ssl_mac_pkey_id));
400
401
48.2k
    ctx->ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] =
402
48.2k
        get_optional_pkey_id(SN_id_Gost28147_89_MAC);
403
48.2k
    if (ctx->ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX])
404
0
        ctx->ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32;
405
48.2k
    else
406
48.2k
        ctx->disabled_mac_mask |= SSL_GOST89MAC;
407
408
48.2k
    ctx->ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX] =
409
48.2k
        get_optional_pkey_id(SN_gost_mac_12);
410
48.2k
    if (ctx->ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX])
411
0
        ctx->ssl_mac_secret_size[SSL_MD_GOST89MAC12_IDX] = 32;
412
48.2k
    else
413
48.2k
        ctx->disabled_mac_mask |= SSL_GOST89MAC12;
414
415
48.2k
    ctx->ssl_mac_pkey_id[SSL_MD_MAGMAOMAC_IDX] =
416
48.2k
        get_optional_pkey_id(SN_magma_mac);
417
48.2k
    if (ctx->ssl_mac_pkey_id[SSL_MD_MAGMAOMAC_IDX])
418
0
        ctx->ssl_mac_secret_size[SSL_MD_MAGMAOMAC_IDX] = 32;
419
48.2k
    else
420
48.2k
        ctx->disabled_mac_mask |= SSL_MAGMAOMAC;
421
422
48.2k
    ctx->ssl_mac_pkey_id[SSL_MD_KUZNYECHIKOMAC_IDX] =
423
48.2k
        get_optional_pkey_id(SN_kuznyechik_mac);
424
48.2k
    if (ctx->ssl_mac_pkey_id[SSL_MD_KUZNYECHIKOMAC_IDX])
425
0
        ctx->ssl_mac_secret_size[SSL_MD_KUZNYECHIKOMAC_IDX] = 32;
426
48.2k
    else
427
48.2k
        ctx->disabled_mac_mask |= SSL_KUZNYECHIKOMAC;
428
429
48.2k
    if (!get_optional_pkey_id(SN_id_GostR3410_2001))
430
48.2k
        ctx->disabled_auth_mask |= SSL_aGOST01 | SSL_aGOST12;
431
48.2k
    if (!get_optional_pkey_id(SN_id_GostR3410_2012_256))
432
48.2k
        ctx->disabled_auth_mask |= SSL_aGOST12;
433
48.2k
    if (!get_optional_pkey_id(SN_id_GostR3410_2012_512))
434
48.2k
        ctx->disabled_auth_mask |= SSL_aGOST12;
435
    /*
436
     * Disable GOST key exchange if no GOST signature algs are available *
437
     */
438
48.2k
    if ((ctx->disabled_auth_mask & (SSL_aGOST01 | SSL_aGOST12)) ==
439
48.2k
        (SSL_aGOST01 | SSL_aGOST12))
440
48.2k
        ctx->disabled_mkey_mask |= SSL_kGOST;
441
442
48.2k
    if ((ctx->disabled_auth_mask & SSL_aGOST12) ==  SSL_aGOST12)
443
48.2k
        ctx->disabled_mkey_mask |= SSL_kGOST18;
444
445
48.2k
    return 1;
446
48.2k
}
447
448
#ifndef OPENSSL_NO_COMP
449
450
static int sk_comp_cmp(const SSL_COMP *const *a, const SSL_COMP *const *b)
451
0
{
452
0
    return ((*a)->id - (*b)->id);
453
0
}
454
455
DEFINE_RUN_ONCE_STATIC(do_load_builtin_compressions)
456
20
{
457
20
    SSL_COMP *comp = NULL;
458
20
    COMP_METHOD *method = COMP_zlib();
459
460
20
    ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
461
462
20
    if (COMP_get_type(method) != NID_undef && ssl_comp_methods != NULL) {
463
0
        comp = OPENSSL_malloc(sizeof(*comp));
464
0
        if (comp != NULL) {
465
0
            comp->method = method;
466
0
            comp->id = SSL_COMP_ZLIB_IDX;
467
0
            comp->name = COMP_get_name(method);
468
0
            if (!sk_SSL_COMP_push(ssl_comp_methods, comp))
469
0
                OPENSSL_free(comp);
470
0
            sk_SSL_COMP_sort(ssl_comp_methods);
471
0
        }
472
0
    }
473
20
    return 1;
474
20
}
475
476
static int load_builtin_compressions(void)
477
54.9k
{
478
54.9k
    return RUN_ONCE(&ssl_load_builtin_comp_once, do_load_builtin_compressions);
479
54.9k
}
480
#endif
481
482
int ssl_cipher_get_evp_cipher(SSL_CTX *ctx, const SSL_CIPHER *sslc,
483
                              const EVP_CIPHER **enc)
484
24.2k
{
485
24.2k
    int i = ssl_cipher_info_lookup(ssl_cipher_table_cipher, sslc->algorithm_enc);
486
487
24.2k
    if (i == -1) {
488
0
        *enc = NULL;
489
24.2k
    } else {
490
24.2k
        if (i == SSL_ENC_NULL_IDX) {
491
            /*
492
             * We assume we don't care about this coming from an ENGINE so
493
             * just do a normal EVP_CIPHER_fetch instead of
494
             * ssl_evp_cipher_fetch()
495
             */
496
3.56k
            *enc = EVP_CIPHER_fetch(ctx->libctx, "NULL", ctx->propq);
497
3.56k
            if (*enc == NULL)
498
0
                return 0;
499
20.6k
        } else {
500
20.6k
            const EVP_CIPHER *cipher = ctx->ssl_cipher_methods[i];
501
502
20.6k
            if (cipher == NULL
503
20.6k
                    || !ssl_evp_cipher_up_ref(cipher))
504
0
                return 0;
505
20.6k
            *enc = ctx->ssl_cipher_methods[i];
506
20.6k
        }
507
24.2k
    }
508
24.2k
    return 1;
509
24.2k
}
510
511
int ssl_cipher_get_evp(SSL_CTX *ctx, const SSL_SESSION *s,
512
                       const EVP_CIPHER **enc, const EVP_MD **md,
513
                       int *mac_pkey_type, size_t *mac_secret_size,
514
                       SSL_COMP **comp, int use_etm)
515
13.7k
{
516
13.7k
    int i;
517
13.7k
    const SSL_CIPHER *c;
518
519
13.7k
    c = s->cipher;
520
13.7k
    if (c == NULL)
521
0
        return 0;
522
13.7k
    if (comp != NULL) {
523
6.60k
        SSL_COMP ctmp;
524
6.60k
#ifndef OPENSSL_NO_COMP
525
6.60k
        if (!load_builtin_compressions()) {
526
            /*
527
             * Currently don't care, since a failure only means that
528
             * ssl_comp_methods is NULL, which is perfectly OK
529
             */
530
0
        }
531
6.60k
#endif
532
6.60k
        *comp = NULL;
533
6.60k
        ctmp.id = s->compress_meth;
534
6.60k
        if (ssl_comp_methods != NULL) {
535
6.60k
            i = sk_SSL_COMP_find(ssl_comp_methods, &ctmp);
536
6.60k
            if (i >= 0)
537
0
                *comp = sk_SSL_COMP_value(ssl_comp_methods, i);
538
6.60k
        }
539
        /* If were only interested in comp then return success */
540
6.60k
        if ((enc == NULL) && (md == NULL))
541
6
            return 1;
542
6.60k
    }
543
544
13.7k
    if ((enc == NULL) || (md == NULL))
545
0
        return 0;
546
547
13.7k
    if (!ssl_cipher_get_evp_cipher(ctx, c, enc))
548
0
        return 0;
549
550
13.7k
    i = ssl_cipher_info_lookup(ssl_cipher_table_mac, c->algorithm_mac);
551
13.7k
    if (i == -1) {
552
8.59k
        *md = NULL;
553
8.59k
        if (mac_pkey_type != NULL)
554
1.43k
            *mac_pkey_type = NID_undef;
555
8.59k
        if (mac_secret_size != NULL)
556
1.43k
            *mac_secret_size = 0;
557
8.59k
        if (c->algorithm_mac == SSL_AEAD)
558
8.59k
            mac_pkey_type = NULL;
559
8.59k
    } else {
560
5.15k
        const EVP_MD *digest = ctx->ssl_digest_methods[i];
561
562
5.15k
        if (digest == NULL
563
5.15k
                || !ssl_evp_md_up_ref(digest)) {
564
0
            ssl_evp_cipher_free(*enc);
565
0
            return 0;
566
0
        }
567
5.15k
        *md = digest;
568
5.15k
        if (mac_pkey_type != NULL)
569
3.97k
            *mac_pkey_type = ctx->ssl_mac_pkey_id[i];
570
5.15k
        if (mac_secret_size != NULL)
571
3.97k
            *mac_secret_size = ctx->ssl_mac_secret_size[i];
572
5.15k
    }
573
574
13.7k
    if ((*enc != NULL)
575
13.7k
        && (*md != NULL 
576
13.7k
            || (EVP_CIPHER_get_flags(*enc) & EVP_CIPH_FLAG_AEAD_CIPHER))
577
13.7k
        && (!mac_pkey_type || *mac_pkey_type != NID_undef)) {
578
13.7k
        const EVP_CIPHER *evp = NULL;
579
580
13.7k
        if (use_etm
581
13.7k
                || s->ssl_version >> 8 != TLS1_VERSION_MAJOR
582
13.7k
                || s->ssl_version < TLS1_VERSION)
583
1.60k
            return 1;
584
585
12.1k
        if (c->algorithm_enc == SSL_RC4
586
12.1k
                && c->algorithm_mac == SSL_MD5)
587
0
            evp = ssl_evp_cipher_fetch(ctx->libctx, NID_rc4_hmac_md5,
588
0
                                       ctx->propq);
589
12.1k
        else if (c->algorithm_enc == SSL_AES128
590
12.1k
                    && c->algorithm_mac == SSL_SHA1)
591
142
            evp = ssl_evp_cipher_fetch(ctx->libctx,
592
142
                                       NID_aes_128_cbc_hmac_sha1,
593
142
                                       ctx->propq);
594
12.0k
        else if (c->algorithm_enc == SSL_AES256
595
12.0k
                    && c->algorithm_mac == SSL_SHA1)
596
491
             evp = ssl_evp_cipher_fetch(ctx->libctx,
597
491
                                        NID_aes_256_cbc_hmac_sha1,
598
491
                                        ctx->propq);
599
11.5k
        else if (c->algorithm_enc == SSL_AES128
600
11.5k
                    && c->algorithm_mac == SSL_SHA256)
601
824
            evp = ssl_evp_cipher_fetch(ctx->libctx,
602
824
                                       NID_aes_128_cbc_hmac_sha256,
603
824
                                       ctx->propq);
604
10.6k
        else if (c->algorithm_enc == SSL_AES256
605
10.6k
                    && c->algorithm_mac == SSL_SHA256)
606
127
            evp = ssl_evp_cipher_fetch(ctx->libctx,
607
127
                                       NID_aes_256_cbc_hmac_sha256,
608
127
                                       ctx->propq);
609
610
12.1k
        if (evp != NULL) {
611
1.58k
            ssl_evp_cipher_free(*enc);
612
1.58k
            ssl_evp_md_free(*md);
613
1.58k
            *enc = evp;
614
1.58k
            *md = NULL;
615
1.58k
        }
616
12.1k
        return 1;
617
13.7k
    }
618
619
0
    return 0;
620
13.7k
}
621
622
const EVP_MD *ssl_md(SSL_CTX *ctx, int idx)
623
1.99M
{
624
1.99M
    idx &= SSL_HANDSHAKE_MAC_MASK;
625
1.99M
    if (idx < 0 || idx >= SSL_MD_NUM_IDX)
626
0
        return NULL;
627
1.99M
    return ctx->ssl_digest_methods[idx];
628
1.99M
}
629
630
const EVP_MD *ssl_handshake_md(SSL *s)
631
186k
{
632
186k
    return ssl_md(s->ctx, ssl_get_algorithm2(s));
633
186k
}
634
635
const EVP_MD *ssl_prf_md(SSL *s)
636
27.5k
{
637
27.5k
    return ssl_md(s->ctx, ssl_get_algorithm2(s) >> TLS1_PRF_DGST_SHIFT);
638
27.5k
}
639
640
#define ITEM_SEP(a) \
641
244k
        (((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
642
643
static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
644
                           CIPHER_ORDER **tail)
645
67.1M
{
646
67.1M
    if (curr == *tail)
647
114k
        return;
648
66.9M
    if (curr == *head)
649
23.1M
        *head = curr->next;
650
66.9M
    if (curr->prev != NULL)
651
43.8M
        curr->prev->next = curr->next;
652
66.9M
    if (curr->next != NULL)
653
66.9M
        curr->next->prev = curr->prev;
654
66.9M
    (*tail)->next = curr;
655
66.9M
    curr->prev = *tail;
656
66.9M
    curr->next = NULL;
657
66.9M
    *tail = curr;
658
66.9M
}
659
660
static void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,
661
                           CIPHER_ORDER **tail)
662
52.0M
{
663
52.0M
    if (curr == *head)
664
0
        return;
665
52.0M
    if (curr == *tail)
666
23.2M
        *tail = curr->prev;
667
52.0M
    if (curr->next != NULL)
668
28.8M
        curr->next->prev = curr->prev;
669
52.0M
    if (curr->prev != NULL)
670
52.0M
        curr->prev->next = curr->next;
671
52.0M
    (*head)->prev = curr;
672
52.0M
    curr->next = *head;
673
52.0M
    curr->prev = NULL;
674
52.0M
    *head = curr;
675
52.0M
}
676
677
static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
678
                                       int num_of_ciphers,
679
                                       uint32_t disabled_mkey,
680
                                       uint32_t disabled_auth,
681
                                       uint32_t disabled_enc,
682
                                       uint32_t disabled_mac,
683
                                       CIPHER_ORDER *co_list,
684
                                       CIPHER_ORDER **head_p,
685
                                       CIPHER_ORDER **tail_p)
686
136k
{
687
136k
    int i, co_list_num;
688
136k
    const SSL_CIPHER *c;
689
690
    /*
691
     * We have num_of_ciphers descriptions compiled in, depending on the
692
     * method selected (SSLv3, TLSv1 etc).
693
     * These will later be sorted in a linked list with at most num
694
     * entries.
695
     */
696
697
    /* Get the initial list of ciphers */
698
136k
    co_list_num = 0;            /* actual count of ciphers */
699
21.9M
    for (i = 0; i < num_of_ciphers; i++) {
700
21.8M
        c = ssl_method->get_cipher(i);
701
        /* drop those that use any of that is not available */
702
21.8M
        if (c == NULL || !c->valid)
703
0
            continue;
704
21.8M
        if ((c->algorithm_mkey & disabled_mkey) ||
705
21.8M
            (c->algorithm_auth & disabled_auth) ||
706
21.8M
            (c->algorithm_enc & disabled_enc) ||
707
21.8M
            (c->algorithm_mac & disabled_mac))
708
2.51M
            continue;
709
19.3M
        if (((ssl_method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) == 0) &&
710
19.3M
            c->min_tls == 0)
711
0
            continue;
712
19.3M
        if (((ssl_method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS) != 0) &&
713
19.3M
            c->min_dtls == 0)
714
0
            continue;
715
716
19.3M
        co_list[co_list_num].cipher = c;
717
19.3M
        co_list[co_list_num].next = NULL;
718
19.3M
        co_list[co_list_num].prev = NULL;
719
19.3M
        co_list[co_list_num].active = 0;
720
19.3M
        co_list_num++;
721
19.3M
    }
722
723
    /*
724
     * Prepare linked list from list entries
725
     */
726
136k
    if (co_list_num > 0) {
727
114k
        co_list[0].prev = NULL;
728
729
114k
        if (co_list_num > 1) {
730
114k
            co_list[0].next = &co_list[1];
731
732
19.2M
            for (i = 1; i < co_list_num - 1; i++) {
733
19.0M
                co_list[i].prev = &co_list[i - 1];
734
19.0M
                co_list[i].next = &co_list[i + 1];
735
19.0M
            }
736
737
114k
            co_list[co_list_num - 1].prev = &co_list[co_list_num - 2];
738
114k
        }
739
740
114k
        co_list[co_list_num - 1].next = NULL;
741
742
114k
        *head_p = &co_list[0];
743
114k
        *tail_p = &co_list[co_list_num - 1];
744
114k
    }
745
136k
}
746
747
static void ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list,
748
                                       int num_of_group_aliases,
749
                                       uint32_t disabled_mkey,
750
                                       uint32_t disabled_auth,
751
                                       uint32_t disabled_enc,
752
                                       uint32_t disabled_mac,
753
                                       CIPHER_ORDER *head)
754
136k
{
755
136k
    CIPHER_ORDER *ciph_curr;
756
136k
    const SSL_CIPHER **ca_curr;
757
136k
    int i;
758
136k
    uint32_t mask_mkey = ~disabled_mkey;
759
136k
    uint32_t mask_auth = ~disabled_auth;
760
136k
    uint32_t mask_enc = ~disabled_enc;
761
136k
    uint32_t mask_mac = ~disabled_mac;
762
763
    /*
764
     * First, add the real ciphers as already collected
765
     */
766
136k
    ciph_curr = head;
767
136k
    ca_curr = ca_list;
768
19.4M
    while (ciph_curr != NULL) {
769
19.3M
        *ca_curr = ciph_curr->cipher;
770
19.3M
        ca_curr++;
771
19.3M
        ciph_curr = ciph_curr->next;
772
19.3M
    }
773
774
    /*
775
     * Now we add the available ones from the cipher_aliases[] table.
776
     * They represent either one or more algorithms, some of which
777
     * in any affected category must be supported (set in enabled_mask),
778
     * or represent a cipher strength value (will be added in any case because algorithms=0).
779
     */
780
10.9M
    for (i = 0; i < num_of_group_aliases; i++) {
781
10.7M
        uint32_t algorithm_mkey = cipher_aliases[i].algorithm_mkey;
782
10.7M
        uint32_t algorithm_auth = cipher_aliases[i].algorithm_auth;
783
10.7M
        uint32_t algorithm_enc = cipher_aliases[i].algorithm_enc;
784
10.7M
        uint32_t algorithm_mac = cipher_aliases[i].algorithm_mac;
785
786
10.7M
        if (algorithm_mkey)
787
3.41M
            if ((algorithm_mkey & mask_mkey) == 0)
788
273k
                continue;
789
790
10.5M
        if (algorithm_auth)
791
2.73M
            if ((algorithm_auth & mask_auth) == 0)
792
409k
                continue;
793
794
10.1M
        if (algorithm_enc)
795
3.95M
            if ((algorithm_enc & mask_enc) == 0)
796
819k
                continue;
797
798
9.28M
        if (algorithm_mac)
799
1.36M
            if ((algorithm_mac & mask_mac) == 0)
800
409k
                continue;
801
802
8.87M
        *ca_curr = (SSL_CIPHER *)(cipher_aliases + i);
803
8.87M
        ca_curr++;
804
8.87M
    }
805
806
136k
    *ca_curr = NULL;            /* end of list */
807
136k
}
808
809
static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
810
                                  uint32_t alg_auth, uint32_t alg_enc,
811
                                  uint32_t alg_mac, int min_tls,
812
                                  uint32_t algo_strength, int rule,
813
                                  int32_t strength_bits, CIPHER_ORDER **head_p,
814
                                  CIPHER_ORDER **tail_p)
815
3.19M
{
816
3.19M
    CIPHER_ORDER *head, *tail, *curr, *next, *last;
817
3.19M
    const SSL_CIPHER *cp;
818
3.19M
    int reverse = 0;
819
820
3.19M
    OSSL_TRACE_BEGIN(TLS_CIPHER){
821
0
        BIO_printf(trc_out,
822
0
                   "Applying rule %d with %08x/%08x/%08x/%08x/%08x %08x (%d)\n",
823
0
                   rule, alg_mkey, alg_auth, alg_enc, alg_mac, min_tls,
824
0
                   algo_strength, strength_bits);
825
0
    }
826
827
3.19M
    if (rule == CIPHER_DEL || rule == CIPHER_BUMP)
828
819k
        reverse = 1;            /* needed to maintain sorting between currently
829
                                 * deleted ciphers */
830
831
3.19M
    head = *head_p;
832
3.19M
    tail = *tail_p;
833
834
3.19M
    if (reverse) {
835
819k
        next = tail;
836
819k
        last = head;
837
2.37M
    } else {
838
2.37M
        next = head;
839
2.37M
        last = tail;
840
2.37M
    }
841
842
3.19M
    curr = NULL;
843
462M
    for (;;) {
844
462M
        if (curr == last)
845
3.19M
            break;
846
847
459M
        curr = next;
848
849
459M
        if (curr == NULL)
850
0
            break;
851
852
459M
        next = reverse ? curr->prev : curr->next;
853
854
459M
        cp = curr->cipher;
855
856
        /*
857
         * Selection criteria is either the value of strength_bits
858
         * or the algorithms used.
859
         */
860
459M
        if (strength_bits >= 0) {
861
88.3M
            if (strength_bits != cp->strength_bits)
862
69.0M
                continue;
863
371M
        } else {
864
371M
            if (trc_out != NULL) {
865
0
                BIO_printf(trc_out,
866
0
                           "\nName: %s:"
867
0
                           "\nAlgo = %08x/%08x/%08x/%08x/%08x Algo_strength = %08x\n",
868
0
                           cp->name, cp->algorithm_mkey, cp->algorithm_auth,
869
0
                           cp->algorithm_enc, cp->algorithm_mac, cp->min_tls,
870
0
                           cp->algo_strength);
871
0
            }
872
371M
            if (cipher_id != 0 && (cipher_id != cp->id))
873
0
                continue;
874
371M
            if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
875
101M
                continue;
876
269M
            if (alg_auth && !(alg_auth & cp->algorithm_auth))
877
19.5M
                continue;
878
250M
            if (alg_enc && !(alg_enc & cp->algorithm_enc))
879
80.5M
                continue;
880
169M
            if (alg_mac && !(alg_mac & cp->algorithm_mac))
881
36.9M
                continue;
882
132M
            if (min_tls && (min_tls != cp->min_tls))
883
9.48M
                continue;
884
123M
            if ((algo_strength & SSL_STRONG_MASK)
885
123M
                && !(algo_strength & SSL_STRONG_MASK & cp->algo_strength))
886
0
                continue;
887
123M
            if ((algo_strength & SSL_DEFAULT_MASK)
888
123M
                && !(algo_strength & SSL_DEFAULT_MASK & cp->algo_strength))
889
4.28M
                continue;
890
123M
        }
891
892
138M
        if (trc_out != NULL)
893
0
            BIO_printf(trc_out, "Action = %d\n", rule);
894
895
        /* add the cipher if it has not been added yet. */
896
138M
        if (rule == CIPHER_ADD) {
897
            /* reverse == 0 */
898
54.0M
            if (!curr->active) {
899
41.5M
                ll_append_tail(&head, curr, &tail);
900
41.5M
                curr->active = 1;
901
41.5M
            }
902
54.0M
        }
903
        /* Move the added cipher to this location */
904
84.0M
        else if (rule == CIPHER_ORD) {
905
            /* reverse == 0 */
906
25.6M
            if (curr->active) {
907
25.6M
                ll_append_tail(&head, curr, &tail);
908
25.6M
            }
909
58.4M
        } else if (rule == CIPHER_DEL) {
910
            /* reverse == 1 */
911
23.2M
            if (curr->active) {
912
                /*
913
                 * most recently deleted ciphersuites get best positions for
914
                 * any future CIPHER_ADD (note that the CIPHER_DEL loop works
915
                 * in reverse to maintain the order)
916
                 */
917
23.2M
                ll_append_head(&head, curr, &tail);
918
23.2M
                curr->active = 0;
919
23.2M
            }
920
35.2M
        } else if (rule == CIPHER_BUMP) {
921
28.8M
            if (curr->active)
922
28.8M
                ll_append_head(&head, curr, &tail);
923
28.8M
        } else if (rule == CIPHER_KILL) {
924
            /* reverse == 0 */
925
6.40M
            if (head == curr)
926
1.02M
                head = curr->next;
927
5.37M
            else
928
5.37M
                curr->prev->next = curr->next;
929
6.40M
            if (tail == curr)
930
57.1k
                tail = curr->prev;
931
6.40M
            curr->active = 0;
932
6.40M
            if (curr->next != NULL)
933
6.34M
                curr->next->prev = curr->prev;
934
6.40M
            if (curr->prev != NULL)
935
5.37M
                curr->prev->next = curr->next;
936
6.40M
            curr->next = NULL;
937
6.40M
            curr->prev = NULL;
938
6.40M
        }
939
138M
    }
940
941
3.19M
    *head_p = head;
942
3.19M
    *tail_p = tail;
943
944
3.19M
    OSSL_TRACE_END(TLS_CIPHER);
945
3.19M
}
946
947
static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
948
                                    CIPHER_ORDER **tail_p)
949
136k
{
950
136k
    int32_t max_strength_bits;
951
136k
    int i, *number_uses;
952
136k
    CIPHER_ORDER *curr;
953
954
    /*
955
     * This routine sorts the ciphers with descending strength. The sorting
956
     * must keep the pre-sorted sequence, so we apply the normal sorting
957
     * routine as '+' movement to the end of the list.
958
     */
959
136k
    max_strength_bits = 0;
960
136k
    curr = *head_p;
961
19.4M
    while (curr != NULL) {
962
19.3M
        if (curr->active && (curr->cipher->strength_bits > max_strength_bits))
963
114k
            max_strength_bits = curr->cipher->strength_bits;
964
19.3M
        curr = curr->next;
965
19.3M
    }
966
967
136k
    number_uses = OPENSSL_zalloc(sizeof(int) * (max_strength_bits + 1));
968
136k
    if (number_uses == NULL) {
969
0
        ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
970
0
        return 0;
971
0
    }
972
973
    /*
974
     * Now find the strength_bits values actually used
975
     */
976
136k
    curr = *head_p;
977
19.4M
    while (curr != NULL) {
978
19.3M
        if (curr->active)
979
19.3M
            number_uses[curr->cipher->strength_bits]++;
980
19.3M
        curr = curr->next;
981
19.3M
    }
982
    /*
983
     * Go through the list of used strength_bits values in descending
984
     * order.
985
     */
986
29.5M
    for (i = max_strength_bits; i >= 0; i--)
987
29.4M
        if (number_uses[i] > 0)
988
522k
            ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ORD, i, head_p,
989
522k
                                  tail_p);
990
991
136k
    OPENSSL_free(number_uses);
992
136k
    return 1;
993
136k
}
994
995
static int ssl_cipher_process_rulestr(const char *rule_str,
996
                                      CIPHER_ORDER **head_p,
997
                                      CIPHER_ORDER **tail_p,
998
                                      const SSL_CIPHER **ca_list, CERT *c)
999
48.9k
{
1000
48.9k
    uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, algo_strength;
1001
48.9k
    int min_tls;
1002
48.9k
    const char *l, *buf;
1003
48.9k
    int j, multi, found, rule, retval, ok, buflen;
1004
48.9k
    uint32_t cipher_id = 0;
1005
48.9k
    char ch;
1006
1007
48.9k
    retval = 1;
1008
48.9k
    l = rule_str;
1009
244k
    for ( ; ; ) {
1010
244k
        ch = *l;
1011
1012
244k
        if (ch == '\0')
1013
0
            break;              /* done */
1014
244k
        if (ch == '-') {
1015
0
            rule = CIPHER_DEL;
1016
0
            l++;
1017
244k
        } else if (ch == '+') {
1018
0
            rule = CIPHER_ORD;
1019
0
            l++;
1020
244k
        } else if (ch == '!') {
1021
48.9k
            rule = CIPHER_KILL;
1022
48.9k
            l++;
1023
195k
        } else if (ch == '@') {
1024
24.4k
            rule = CIPHER_SPECIAL;
1025
24.4k
            l++;
1026
171k
        } else {
1027
171k
            rule = CIPHER_ADD;
1028
171k
        }
1029
1030
244k
        if (ITEM_SEP(ch)) {
1031
97.8k
            l++;
1032
97.8k
            continue;
1033
97.8k
        }
1034
1035
146k
        alg_mkey = 0;
1036
146k
        alg_auth = 0;
1037
146k
        alg_enc = 0;
1038
146k
        alg_mac = 0;
1039
146k
        min_tls = 0;
1040
146k
        algo_strength = 0;
1041
1042
146k
        for (;;) {
1043
146k
            ch = *l;
1044
146k
            buf = l;
1045
146k
            buflen = 0;
1046
146k
#ifndef CHARSET_EBCDIC
1047
1.24M
            while (((ch >= 'A') && (ch <= 'Z')) ||
1048
1.24M
                   ((ch >= '0') && (ch <= '9')) ||
1049
1.24M
                   ((ch >= 'a') && (ch <= 'z')) ||
1050
1.24M
                   (ch == '-') || (ch == '.') || (ch == '='))
1051
#else
1052
            while (isalnum((unsigned char)ch) || (ch == '-') || (ch == '.')
1053
                   || (ch == '='))
1054
#endif
1055
1.10M
            {
1056
1.10M
                ch = *(++l);
1057
1.10M
                buflen++;
1058
1.10M
            }
1059
1060
146k
            if (buflen == 0) {
1061
                /*
1062
                 * We hit something we cannot deal with,
1063
                 * it is no command or separator nor
1064
                 * alphanumeric, so we call this an error.
1065
                 */
1066
0
                ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_COMMAND);
1067
0
                return 0;
1068
0
            }
1069
1070
146k
            if (rule == CIPHER_SPECIAL) {
1071
24.4k
                found = 0;      /* unused -- avoid compiler warning */
1072
24.4k
                break;          /* special treatment */
1073
24.4k
            }
1074
1075
            /* check for multi-part specification */
1076
122k
            if (ch == '+') {
1077
0
                multi = 1;
1078
0
                l++;
1079
122k
            } else {
1080
122k
                multi = 0;
1081
122k
            }
1082
1083
            /*
1084
             * Now search for the cipher alias in the ca_list. Be careful
1085
             * with the strncmp, because the "buflen" limitation
1086
             * will make the rule "ADH:SOME" and the cipher
1087
             * "ADH-MY-CIPHER" look like a match for buflen=3.
1088
             * So additionally check whether the cipher name found
1089
             * has the correct length. We can save a strlen() call:
1090
             * just checking for the '\0' at the right place is
1091
             * sufficient, we have to strncmp() anyway. (We cannot
1092
             * use strcmp(), because buf is not '\0' terminated.)
1093
             */
1094
122k
            j = found = 0;
1095
122k
            cipher_id = 0;
1096
22.4M
            while (ca_list[j]) {
1097
22.4M
                if (strncmp(buf, ca_list[j]->name, buflen) == 0
1098
22.4M
                    && (ca_list[j]->name[buflen] == '\0')) {
1099
122k
                    found = 1;
1100
122k
                    break;
1101
122k
                } else
1102
22.3M
                    j++;
1103
22.4M
            }
1104
1105
122k
            if (!found)
1106
0
                break;          /* ignore this entry */
1107
1108
122k
            if (ca_list[j]->algorithm_mkey) {
1109
0
                if (alg_mkey) {
1110
0
                    alg_mkey &= ca_list[j]->algorithm_mkey;
1111
0
                    if (!alg_mkey) {
1112
0
                        found = 0;
1113
0
                        break;
1114
0
                    }
1115
0
                } else {
1116
0
                    alg_mkey = ca_list[j]->algorithm_mkey;
1117
0
                }
1118
0
            }
1119
1120
122k
            if (ca_list[j]->algorithm_auth) {
1121
0
                if (alg_auth) {
1122
0
                    alg_auth &= ca_list[j]->algorithm_auth;
1123
0
                    if (!alg_auth) {
1124
0
                        found = 0;
1125
0
                        break;
1126
0
                    }
1127
0
                } else {
1128
0
                    alg_auth = ca_list[j]->algorithm_auth;
1129
0
                }
1130
0
            }
1131
1132
122k
            if (ca_list[j]->algorithm_enc) {
1133
97.8k
                if (alg_enc) {
1134
0
                    alg_enc &= ca_list[j]->algorithm_enc;
1135
0
                    if (!alg_enc) {
1136
0
                        found = 0;
1137
0
                        break;
1138
0
                    }
1139
97.8k
                } else {
1140
97.8k
                    alg_enc = ca_list[j]->algorithm_enc;
1141
97.8k
                }
1142
97.8k
            }
1143
1144
122k
            if (ca_list[j]->algorithm_mac) {
1145
0
                if (alg_mac) {
1146
0
                    alg_mac &= ca_list[j]->algorithm_mac;
1147
0
                    if (!alg_mac) {
1148
0
                        found = 0;
1149
0
                        break;
1150
0
                    }
1151
0
                } else {
1152
0
                    alg_mac = ca_list[j]->algorithm_mac;
1153
0
                }
1154
0
            }
1155
1156
122k
            if (ca_list[j]->algo_strength & SSL_STRONG_MASK) {
1157
0
                if (algo_strength & SSL_STRONG_MASK) {
1158
0
                    algo_strength &=
1159
0
                        (ca_list[j]->algo_strength & SSL_STRONG_MASK) |
1160
0
                        ~SSL_STRONG_MASK;
1161
0
                    if (!(algo_strength & SSL_STRONG_MASK)) {
1162
0
                        found = 0;
1163
0
                        break;
1164
0
                    }
1165
0
                } else {
1166
0
                    algo_strength = ca_list[j]->algo_strength & SSL_STRONG_MASK;
1167
0
                }
1168
0
            }
1169
1170
122k
            if (ca_list[j]->algo_strength & SSL_DEFAULT_MASK) {
1171
24.4k
                if (algo_strength & SSL_DEFAULT_MASK) {
1172
0
                    algo_strength &=
1173
0
                        (ca_list[j]->algo_strength & SSL_DEFAULT_MASK) |
1174
0
                        ~SSL_DEFAULT_MASK;
1175
0
                    if (!(algo_strength & SSL_DEFAULT_MASK)) {
1176
0
                        found = 0;
1177
0
                        break;
1178
0
                    }
1179
24.4k
                } else {
1180
24.4k
                    algo_strength |=
1181
24.4k
                        ca_list[j]->algo_strength & SSL_DEFAULT_MASK;
1182
24.4k
                }
1183
24.4k
            }
1184
1185
122k
            if (ca_list[j]->valid) {
1186
                /*
1187
                 * explicit ciphersuite found; its protocol version does not
1188
                 * become part of the search pattern!
1189
                 */
1190
1191
0
                cipher_id = ca_list[j]->id;
1192
122k
            } else {
1193
                /*
1194
                 * not an explicit ciphersuite; only in this case, the
1195
                 * protocol version is considered part of the search pattern
1196
                 */
1197
1198
122k
                if (ca_list[j]->min_tls) {
1199
0
                    if (min_tls != 0 && min_tls != ca_list[j]->min_tls) {
1200
0
                        found = 0;
1201
0
                        break;
1202
0
                    } else {
1203
0
                        min_tls = ca_list[j]->min_tls;
1204
0
                    }
1205
0
                }
1206
122k
            }
1207
1208
122k
            if (!multi)
1209
122k
                break;
1210
122k
        }
1211
1212
        /*
1213
         * Ok, we have the rule, now apply it
1214
         */
1215
146k
        if (rule == CIPHER_SPECIAL) { /* special command */
1216
24.4k
            ok = 0;
1217
24.4k
            if ((buflen == 8) && strncmp(buf, "STRENGTH", 8) == 0) {
1218
0
                ok = ssl_cipher_strength_sort(head_p, tail_p);
1219
24.4k
            } else if (buflen == 10 && strncmp(buf, "SECLEVEL=", 9) == 0) {
1220
24.4k
                int level = buf[9] - '0';
1221
24.4k
                if (level < 0 || level > 5) {
1222
0
                    ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_COMMAND);
1223
24.4k
                } else {
1224
24.4k
                    c->sec_level = level;
1225
24.4k
                    ok = 1;
1226
24.4k
                }
1227
24.4k
            } else {
1228
0
                ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_COMMAND);
1229
0
            }
1230
24.4k
            if (ok == 0)
1231
0
                retval = 0;
1232
            /*
1233
             * We do not support any "multi" options
1234
             * together with "@", so throw away the
1235
             * rest of the command, if any left, until
1236
             * end or ':' is found.
1237
             */
1238
24.4k
            while ((*l != '\0') && !ITEM_SEP(*l))
1239
0
                l++;
1240
122k
        } else if (found) {
1241
122k
            ssl_cipher_apply_rule(cipher_id,
1242
122k
                                  alg_mkey, alg_auth, alg_enc, alg_mac,
1243
122k
                                  min_tls, algo_strength, rule, -1, head_p,
1244
122k
                                  tail_p);
1245
122k
        } else {
1246
0
            while ((*l != '\0') && !ITEM_SEP(*l))
1247
0
                l++;
1248
0
        }
1249
146k
        if (*l == '\0')
1250
48.9k
            break;              /* done */
1251
146k
    }
1252
1253
48.9k
    return retval;
1254
48.9k
}
1255
1256
static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c,
1257
                                    const char **prule_str)
1258
136k
{
1259
136k
    unsigned int suiteb_flags = 0, suiteb_comb2 = 0;
1260
136k
    if (strncmp(*prule_str, "SUITEB128ONLY", 13) == 0) {
1261
0
        suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS_ONLY;
1262
136k
    } else if (strncmp(*prule_str, "SUITEB128C2", 11) == 0) {
1263
0
        suiteb_comb2 = 1;
1264
0
        suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;
1265
136k
    } else if (strncmp(*prule_str, "SUITEB128", 9) == 0) {
1266
0
        suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS;
1267
136k
    } else if (strncmp(*prule_str, "SUITEB192", 9) == 0) {
1268
0
        suiteb_flags = SSL_CERT_FLAG_SUITEB_192_LOS;
1269
0
    }
1270
1271
136k
    if (suiteb_flags) {
1272
0
        c->cert_flags &= ~SSL_CERT_FLAG_SUITEB_128_LOS;
1273
0
        c->cert_flags |= suiteb_flags;
1274
136k
    } else {
1275
136k
        suiteb_flags = c->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS;
1276
136k
    }
1277
1278
136k
    if (!suiteb_flags)
1279
136k
        return 1;
1280
    /* Check version: if TLS 1.2 ciphers allowed we can use Suite B */
1281
1282
0
    if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS)) {
1283
0
        ERR_raise(ERR_LIB_SSL, SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE);
1284
0
        return 0;
1285
0
    }
1286
1287
0
    switch (suiteb_flags) {
1288
0
    case SSL_CERT_FLAG_SUITEB_128_LOS:
1289
0
        if (suiteb_comb2)
1290
0
            *prule_str = "ECDHE-ECDSA-AES256-GCM-SHA384";
1291
0
        else
1292
0
            *prule_str =
1293
0
                "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384";
1294
0
        break;
1295
0
    case SSL_CERT_FLAG_SUITEB_128_LOS_ONLY:
1296
0
        *prule_str = "ECDHE-ECDSA-AES128-GCM-SHA256";
1297
0
        break;
1298
0
    case SSL_CERT_FLAG_SUITEB_192_LOS:
1299
0
        *prule_str = "ECDHE-ECDSA-AES256-GCM-SHA384";
1300
0
        break;
1301
0
    }
1302
0
    return 1;
1303
0
}
1304
1305
static int ciphersuite_cb(const char *elem, int len, void *arg)
1306
238k
{
1307
238k
    STACK_OF(SSL_CIPHER) *ciphersuites = (STACK_OF(SSL_CIPHER) *)arg;
1308
238k
    const SSL_CIPHER *cipher;
1309
    /* Arbitrary sized temp buffer for the cipher name. Should be big enough */
1310
238k
    char name[80];
1311
1312
238k
    if (len > (int)(sizeof(name) - 1))
1313
        /* Anyway return 1 so we can parse rest of the list */
1314
0
        return 1;
1315
1316
238k
    memcpy(name, elem, len);
1317
238k
    name[len] = '\0';
1318
1319
238k
    cipher = ssl3_get_cipher_by_std_name(name);
1320
238k
    if (cipher == NULL)
1321
        /* Ciphersuite not found but return 1 to parse rest of the list */
1322
0
        return 1;
1323
1324
238k
    if (!sk_SSL_CIPHER_push(ciphersuites, cipher)) {
1325
0
        ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
1326
0
        return 0;
1327
0
    }
1328
1329
238k
    return 1;
1330
238k
}
1331
1332
static __owur int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const char *str)
1333
79.3k
{
1334
79.3k
    STACK_OF(SSL_CIPHER) *newciphers = sk_SSL_CIPHER_new_null();
1335
1336
79.3k
    if (newciphers == NULL)
1337
0
        return 0;
1338
1339
    /* Parse the list. We explicitly allow an empty list */
1340
79.3k
    if (*str != '\0'
1341
79.3k
            && (CONF_parse_list(str, ':', 1, ciphersuite_cb, newciphers) <= 0
1342
79.3k
                || sk_SSL_CIPHER_num(newciphers) == 0)) {
1343
0
        ERR_raise(ERR_LIB_SSL, SSL_R_NO_CIPHER_MATCH);
1344
0
        sk_SSL_CIPHER_free(newciphers);
1345
0
        return 0;
1346
0
    }
1347
79.3k
    sk_SSL_CIPHER_free(*currciphers);
1348
79.3k
    *currciphers = newciphers;
1349
1350
79.3k
    return 1;
1351
79.3k
}
1352
1353
static int update_cipher_list_by_id(STACK_OF(SSL_CIPHER) **cipher_list_by_id,
1354
                                    STACK_OF(SSL_CIPHER) *cipherstack)
1355
136k
{
1356
136k
    STACK_OF(SSL_CIPHER) *tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack);
1357
1358
136k
    if (tmp_cipher_list == NULL) {
1359
0
        return 0;
1360
0
    }
1361
1362
136k
    sk_SSL_CIPHER_free(*cipher_list_by_id);
1363
136k
    *cipher_list_by_id = tmp_cipher_list;
1364
1365
136k
    (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id, ssl_cipher_ptr_id_cmp);
1366
136k
    sk_SSL_CIPHER_sort(*cipher_list_by_id);
1367
1368
136k
    return 1;
1369
136k
}
1370
1371
static int update_cipher_list(SSL_CTX *ctx,
1372
                              STACK_OF(SSL_CIPHER) **cipher_list,
1373
                              STACK_OF(SSL_CIPHER) **cipher_list_by_id,
1374
                              STACK_OF(SSL_CIPHER) *tls13_ciphersuites)
1375
0
{
1376
0
    int i;
1377
0
    STACK_OF(SSL_CIPHER) *tmp_cipher_list = sk_SSL_CIPHER_dup(*cipher_list);
1378
1379
0
    if (tmp_cipher_list == NULL)
1380
0
        return 0;
1381
1382
    /*
1383
     * Delete any existing TLSv1.3 ciphersuites. These are always first in the
1384
     * list.
1385
     */
1386
0
    while (sk_SSL_CIPHER_num(tmp_cipher_list) > 0
1387
0
           && sk_SSL_CIPHER_value(tmp_cipher_list, 0)->min_tls
1388
0
              == TLS1_3_VERSION)
1389
0
        (void)sk_SSL_CIPHER_delete(tmp_cipher_list, 0);
1390
1391
    /* Insert the new TLSv1.3 ciphersuites */
1392
0
    for (i = sk_SSL_CIPHER_num(tls13_ciphersuites) - 1; i >= 0; i--) {
1393
0
        const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
1394
1395
        /* Don't include any TLSv1.3 ciphersuites that are disabled */
1396
0
        if ((sslc->algorithm_enc & ctx->disabled_enc_mask) == 0
1397
0
                && (ssl_cipher_table_mac[sslc->algorithm2
1398
0
                                         & SSL_HANDSHAKE_MAC_MASK].mask
1399
0
                    & ctx->disabled_mac_mask) == 0) {
1400
0
            sk_SSL_CIPHER_unshift(tmp_cipher_list, sslc);
1401
0
        }
1402
0
    }
1403
1404
0
    if (!update_cipher_list_by_id(cipher_list_by_id, tmp_cipher_list)) {
1405
0
        sk_SSL_CIPHER_free(tmp_cipher_list);
1406
0
        return 0;
1407
0
    }
1408
1409
0
    sk_SSL_CIPHER_free(*cipher_list);
1410
0
    *cipher_list = tmp_cipher_list;
1411
1412
0
    return 1;
1413
0
}
1414
1415
int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str)
1416
79.3k
{
1417
79.3k
    int ret = set_ciphersuites(&(ctx->tls13_ciphersuites), str);
1418
1419
79.3k
    if (ret && ctx->cipher_list != NULL)
1420
0
        return update_cipher_list(ctx, &ctx->cipher_list, &ctx->cipher_list_by_id,
1421
0
                                  ctx->tls13_ciphersuites);
1422
1423
79.3k
    return ret;
1424
79.3k
}
1425
1426
int SSL_set_ciphersuites(SSL *s, const char *str)
1427
0
{
1428
0
    STACK_OF(SSL_CIPHER) *cipher_list;
1429
0
    int ret = set_ciphersuites(&(s->tls13_ciphersuites), str);
1430
1431
0
    if (s->cipher_list == NULL) {
1432
0
        if ((cipher_list = SSL_get_ciphers(s)) != NULL)
1433
0
            s->cipher_list = sk_SSL_CIPHER_dup(cipher_list);
1434
0
    }
1435
0
    if (ret && s->cipher_list != NULL)
1436
0
        return update_cipher_list(s->ctx, &s->cipher_list, &s->cipher_list_by_id,
1437
0
                                  s->tls13_ciphersuites);
1438
1439
0
    return ret;
1440
0
}
1441
1442
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
1443
                                             STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
1444
                                             STACK_OF(SSL_CIPHER) **cipher_list,
1445
                                             STACK_OF(SSL_CIPHER) **cipher_list_by_id,
1446
                                             const char *rule_str,
1447
                                             CERT *c)
1448
48.9k
{
1449
48.9k
    int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases, i;
1450
48.9k
    uint32_t disabled_mkey, disabled_auth, disabled_enc, disabled_mac;
1451
48.9k
    STACK_OF(SSL_CIPHER) *cipherstack;
1452
48.9k
    const char *rule_p;
1453
48.9k
    CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
1454
48.9k
    const SSL_CIPHER **ca_list = NULL;
1455
48.9k
    const SSL_METHOD *ssl_method = ctx->method;
1456
1457
    /*
1458
     * Return with error if nothing to do.
1459
     */
1460
48.9k
    if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
1461
0
        return NULL;
1462
1463
48.9k
    if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
1464
0
        return NULL;
1465
1466
    /*
1467
     * To reduce the work to do we only want to process the compiled
1468
     * in algorithms, so we first get the mask of disabled ciphers.
1469
     */
1470
1471
48.9k
    disabled_mkey = ctx->disabled_mkey_mask;
1472
48.9k
    disabled_auth = ctx->disabled_auth_mask;
1473
48.9k
    disabled_enc = ctx->disabled_enc_mask;
1474
48.9k
    disabled_mac = ctx->disabled_mac_mask;
1475
1476
    /*
1477
     * Now we have to collect the available ciphers from the compiled
1478
     * in ciphers. We cannot get more than the number compiled in, so
1479
     * it is used for allocation.
1480
     */
1481
48.9k
    num_of_ciphers = ssl_method->num_ciphers();
1482
1483
48.9k
    co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
1484
48.9k
    if (co_list == NULL) {
1485
0
        ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
1486
0
        return NULL;          /* Failure */
1487
0
    }
1488
1489
48.9k
    ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
1490
48.9k
                               disabled_mkey, disabled_auth, disabled_enc,
1491
48.9k
                               disabled_mac, co_list, &head, &tail);
1492
1493
    /* Now arrange all ciphers by preference. */
1494
1495
    /*
1496
     * Everything else being equal, prefer ephemeral ECDH over other key
1497
     * exchange mechanisms.
1498
     * For consistency, prefer ECDSA over RSA (though this only matters if the
1499
     * server has both certificates, and is using the DEFAULT, or a client
1500
     * preference).
1501
     */
1502
48.9k
    ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, 0, 0, 0, 0, CIPHER_ADD,
1503
48.9k
                          -1, &head, &tail);
1504
48.9k
    ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head,
1505
48.9k
                          &tail);
1506
48.9k
    ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head,
1507
48.9k
                          &tail);
1508
1509
    /* Within each strength group, we prefer GCM over CHACHA... */
1510
48.9k
    ssl_cipher_apply_rule(0, 0, 0, SSL_AESGCM, 0, 0, 0, CIPHER_ADD, -1,
1511
48.9k
                          &head, &tail);
1512
48.9k
    ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20, 0, 0, 0, CIPHER_ADD, -1,
1513
48.9k
                          &head, &tail);
1514
1515
    /*
1516
     * ...and generally, our preferred cipher is AES.
1517
     * Note that AEADs will be bumped to take preference after sorting by
1518
     * strength.
1519
     */
1520
48.9k
    ssl_cipher_apply_rule(0, 0, 0, SSL_AES ^ SSL_AESGCM, 0, 0, 0, CIPHER_ADD,
1521
48.9k
                          -1, &head, &tail);
1522
1523
    /* Temporarily enable everything else for sorting */
1524
48.9k
    ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail);
1525
1526
    /* Low priority for MD5 */
1527
48.9k
    ssl_cipher_apply_rule(0, 0, 0, 0, SSL_MD5, 0, 0, CIPHER_ORD, -1, &head,
1528
48.9k
                          &tail);
1529
1530
    /*
1531
     * Move anonymous ciphers to the end.  Usually, these will remain
1532
     * disabled. (For applications that allow them, they aren't too bad, but
1533
     * we prefer authenticated ciphers.)
1534
     */
1535
48.9k
    ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
1536
48.9k
                          &tail);
1537
1538
48.9k
    ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
1539
48.9k
                          &tail);
1540
48.9k
    ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
1541
48.9k
                          &tail);
1542
1543
    /* RC4 is sort-of broken -- move to the end */
1544
48.9k
    ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head,
1545
48.9k
                          &tail);
1546
1547
    /*
1548
     * Now sort by symmetric encryption strength.  The above ordering remains
1549
     * in force within each class
1550
     */
1551
48.9k
    if (!ssl_cipher_strength_sort(&head, &tail)) {
1552
0
        OPENSSL_free(co_list);
1553
0
        return NULL;
1554
0
    }
1555
1556
    /*
1557
     * Partially overrule strength sort to prefer TLS 1.2 ciphers/PRFs.
1558
     */
1559
48.9k
    ssl_cipher_apply_rule(0, 0, 0, 0, 0, TLS1_2_VERSION, 0, CIPHER_BUMP, -1,
1560
48.9k
                          &head, &tail);
1561
1562
    /*
1563
     * Irrespective of strength, enforce the following order:
1564
     * (EC)DHE + AEAD > (EC)DHE > rest of AEAD > rest.
1565
     * Within each group, ciphers remain sorted by strength and previous
1566
     * preference, i.e.,
1567
     * 1) ECDHE > DHE
1568
     * 2) GCM > CHACHA
1569
     * 3) AES > rest
1570
     * 4) TLS 1.2 > legacy
1571
     *
1572
     * Because we now bump ciphers to the top of the list, we proceed in
1573
     * reverse order of preference.
1574
     */
1575
48.9k
    ssl_cipher_apply_rule(0, 0, 0, 0, SSL_AEAD, 0, 0, CIPHER_BUMP, -1,
1576
48.9k
                          &head, &tail);
1577
48.9k
    ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, 0, 0, 0,
1578
48.9k
                          CIPHER_BUMP, -1, &head, &tail);
1579
48.9k
    ssl_cipher_apply_rule(0, SSL_kDHE | SSL_kECDHE, 0, 0, SSL_AEAD, 0, 0,
1580
48.9k
                          CIPHER_BUMP, -1, &head, &tail);
1581
1582
    /* Now disable everything (maintaining the ordering!) */
1583
48.9k
    ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail);
1584
1585
    /*
1586
     * We also need cipher aliases for selecting based on the rule_str.
1587
     * There might be two types of entries in the rule_str: 1) names
1588
     * of ciphers themselves 2) aliases for groups of ciphers.
1589
     * For 1) we need the available ciphers and for 2) the cipher
1590
     * groups of cipher_aliases added together in one list (otherwise
1591
     * we would be happy with just the cipher_aliases table).
1592
     */
1593
48.9k
    num_of_group_aliases = OSSL_NELEM(cipher_aliases);
1594
48.9k
    num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
1595
48.9k
    ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
1596
48.9k
    if (ca_list == NULL) {
1597
0
        OPENSSL_free(co_list);
1598
0
        ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
1599
0
        return NULL;          /* Failure */
1600
0
    }
1601
48.9k
    ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
1602
48.9k
                               disabled_mkey, disabled_auth, disabled_enc,
1603
48.9k
                               disabled_mac, head);
1604
1605
    /*
1606
     * If the rule_string begins with DEFAULT, apply the default rule
1607
     * before using the (possibly available) additional rules.
1608
     */
1609
48.9k
    ok = 1;
1610
48.9k
    rule_p = rule_str;
1611
48.9k
    if (strncmp(rule_str, "DEFAULT", 7) == 0) {
1612
0
        ok = ssl_cipher_process_rulestr(OSSL_default_cipher_list(),
1613
0
                                        &head, &tail, ca_list, c);
1614
0
        rule_p += 7;
1615
0
        if (*rule_p == ':')
1616
0
            rule_p++;
1617
0
    }
1618
1619
48.9k
    if (ok && (rule_p[0] != '\0'))
1620
48.9k
        ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list, c);
1621
1622
48.9k
    OPENSSL_free(ca_list);      /* Not needed anymore */
1623
1624
48.9k
    if (!ok) {                  /* Rule processing failure */
1625
0
        OPENSSL_free(co_list);
1626
0
        return NULL;
1627
0
    }
1628
1629
    /*
1630
     * Allocate new "cipherstack" for the result, return with error
1631
     * if we cannot get one.
1632
     */
1633
48.9k
    if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
1634
0
        OPENSSL_free(co_list);
1635
0
        return NULL;
1636
0
    }
1637
1638
    /* Add TLSv1.3 ciphers first - we always prefer those if possible */
1639
195k
    for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
1640
146k
        const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
1641
1642
        /* Don't include any TLSv1.3 ciphers that are disabled */
1643
146k
        if ((sslc->algorithm_enc & disabled_enc) != 0
1644
146k
                || (ssl_cipher_table_mac[sslc->algorithm2
1645
146k
                                         & SSL_HANDSHAKE_MAC_MASK].mask
1646
146k
                    & ctx->disabled_mac_mask) != 0) {
1647
0
            sk_SSL_CIPHER_delete(tls13_ciphersuites, i);
1648
0
            i--;
1649
0
            continue;
1650
0
        }
1651
1652
146k
        if (!sk_SSL_CIPHER_push(cipherstack, sslc)) {
1653
0
            OPENSSL_free(co_list);
1654
0
            sk_SSL_CIPHER_free(cipherstack);
1655
0
            return NULL;
1656
0
        }
1657
146k
    }
1658
1659
48.9k
    OSSL_TRACE_BEGIN(TLS_CIPHER) {
1660
0
        BIO_printf(trc_out, "cipher selection:\n");
1661
0
    }
1662
    /*
1663
     * The cipher selection for the list is done. The ciphers are added
1664
     * to the resulting precedence to the STACK_OF(SSL_CIPHER).
1665
     */
1666
5.57M
    for (curr = head; curr != NULL; curr = curr->next) {
1667
5.52M
        if (curr->active) {
1668
5.52M
            if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
1669
0
                OPENSSL_free(co_list);
1670
0
                sk_SSL_CIPHER_free(cipherstack);
1671
0
                OSSL_TRACE_CANCEL(TLS_CIPHER);
1672
0
                return NULL;
1673
0
            }
1674
5.52M
            if (trc_out != NULL)
1675
0
                BIO_printf(trc_out, "<%s>\n", curr->cipher->name);
1676
5.52M
        }
1677
5.52M
    }
1678
48.9k
    OPENSSL_free(co_list);      /* Not needed any longer */
1679
48.9k
    OSSL_TRACE_END(TLS_CIPHER);
1680
1681
48.9k
    if (!update_cipher_list_by_id(cipher_list_by_id, cipherstack)) {
1682
0
        sk_SSL_CIPHER_free(cipherstack);
1683
0
        return NULL;
1684
0
    }
1685
48.9k
    sk_SSL_CIPHER_free(*cipher_list);
1686
48.9k
    *cipher_list = cipherstack;
1687
1688
48.9k
    return cipherstack;
1689
48.9k
}
1690
1691
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
1692
0
{
1693
0
    const char *ver;
1694
0
    const char *kx, *au, *enc, *mac;
1695
0
    uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;
1696
0
    static const char *format = "%-30s %-7s Kx=%-8s Au=%-5s Enc=%-22s Mac=%-4s\n";
1697
1698
0
    if (buf == NULL) {
1699
0
        len = 128;
1700
0
        if ((buf = OPENSSL_malloc(len)) == NULL) {
1701
0
            ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
1702
0
            return NULL;
1703
0
        }
1704
0
    } else if (len < 128) {
1705
0
        return NULL;
1706
0
    }
1707
1708
0
    alg_mkey = cipher->algorithm_mkey;
1709
0
    alg_auth = cipher->algorithm_auth;
1710
0
    alg_enc = cipher->algorithm_enc;
1711
0
    alg_mac = cipher->algorithm_mac;
1712
1713
0
    ver = ssl_protocol_to_string(cipher->min_tls);
1714
1715
0
    switch (alg_mkey) {
1716
0
    case SSL_kRSA:
1717
0
        kx = "RSA";
1718
0
        break;
1719
0
    case SSL_kDHE:
1720
0
        kx = "DH";
1721
0
        break;
1722
0
    case SSL_kECDHE:
1723
0
        kx = "ECDH";
1724
0
        break;
1725
0
    case SSL_kPSK:
1726
0
        kx = "PSK";
1727
0
        break;
1728
0
    case SSL_kRSAPSK:
1729
0
        kx = "RSAPSK";
1730
0
        break;
1731
0
    case SSL_kECDHEPSK:
1732
0
        kx = "ECDHEPSK";
1733
0
        break;
1734
0
    case SSL_kDHEPSK:
1735
0
        kx = "DHEPSK";
1736
0
        break;
1737
0
    case SSL_kSRP:
1738
0
        kx = "SRP";
1739
0
        break;
1740
0
    case SSL_kGOST:
1741
0
        kx = "GOST";
1742
0
        break;
1743
0
    case SSL_kGOST18:
1744
0
        kx = "GOST18";
1745
0
        break;
1746
0
    case SSL_kANY:
1747
0
        kx = "any";
1748
0
        break;
1749
0
    default:
1750
0
        kx = "unknown";
1751
0
    }
1752
1753
0
    switch (alg_auth) {
1754
0
    case SSL_aRSA:
1755
0
        au = "RSA";
1756
0
        break;
1757
0
    case SSL_aDSS:
1758
0
        au = "DSS";
1759
0
        break;
1760
0
    case SSL_aNULL:
1761
0
        au = "None";
1762
0
        break;
1763
0
    case SSL_aECDSA:
1764
0
        au = "ECDSA";
1765
0
        break;
1766
0
    case SSL_aPSK:
1767
0
        au = "PSK";
1768
0
        break;
1769
0
    case SSL_aSRP:
1770
0
        au = "SRP";
1771
0
        break;
1772
0
    case SSL_aGOST01:
1773
0
        au = "GOST01";
1774
0
        break;
1775
    /* New GOST ciphersuites have both SSL_aGOST12 and SSL_aGOST01 bits */
1776
0
    case (SSL_aGOST12 | SSL_aGOST01):
1777
0
        au = "GOST12";
1778
0
        break;
1779
0
    case SSL_aANY:
1780
0
        au = "any";
1781
0
        break;
1782
0
    default:
1783
0
        au = "unknown";
1784
0
        break;
1785
0
    }
1786
1787
0
    switch (alg_enc) {
1788
0
    case SSL_DES:
1789
0
        enc = "DES(56)";
1790
0
        break;
1791
0
    case SSL_3DES:
1792
0
        enc = "3DES(168)";
1793
0
        break;
1794
0
    case SSL_RC4:
1795
0
        enc = "RC4(128)";
1796
0
        break;
1797
0
    case SSL_RC2:
1798
0
        enc = "RC2(128)";
1799
0
        break;
1800
0
    case SSL_IDEA:
1801
0
        enc = "IDEA(128)";
1802
0
        break;
1803
0
    case SSL_eNULL:
1804
0
        enc = "None";
1805
0
        break;
1806
0
    case SSL_AES128:
1807
0
        enc = "AES(128)";
1808
0
        break;
1809
0
    case SSL_AES256:
1810
0
        enc = "AES(256)";
1811
0
        break;
1812
0
    case SSL_AES128GCM:
1813
0
        enc = "AESGCM(128)";
1814
0
        break;
1815
0
    case SSL_AES256GCM:
1816
0
        enc = "AESGCM(256)";
1817
0
        break;
1818
0
    case SSL_AES128CCM:
1819
0
        enc = "AESCCM(128)";
1820
0
        break;
1821
0
    case SSL_AES256CCM:
1822
0
        enc = "AESCCM(256)";
1823
0
        break;
1824
0
    case SSL_AES128CCM8:
1825
0
        enc = "AESCCM8(128)";
1826
0
        break;
1827
0
    case SSL_AES256CCM8:
1828
0
        enc = "AESCCM8(256)";
1829
0
        break;
1830
0
    case SSL_CAMELLIA128:
1831
0
        enc = "Camellia(128)";
1832
0
        break;
1833
0
    case SSL_CAMELLIA256:
1834
0
        enc = "Camellia(256)";
1835
0
        break;
1836
0
    case SSL_ARIA128GCM:
1837
0
        enc = "ARIAGCM(128)";
1838
0
        break;
1839
0
    case SSL_ARIA256GCM:
1840
0
        enc = "ARIAGCM(256)";
1841
0
        break;
1842
0
    case SSL_SEED:
1843
0
        enc = "SEED(128)";
1844
0
        break;
1845
0
    case SSL_eGOST2814789CNT:
1846
0
    case SSL_eGOST2814789CNT12:
1847
0
        enc = "GOST89(256)";
1848
0
        break;
1849
0
    case SSL_MAGMA:
1850
0
        enc = "MAGMA";
1851
0
        break;
1852
0
    case SSL_KUZNYECHIK:
1853
0
        enc = "KUZNYECHIK";
1854
0
        break;
1855
0
    case SSL_CHACHA20POLY1305:
1856
0
        enc = "CHACHA20/POLY1305(256)";
1857
0
        break;
1858
0
    default:
1859
0
        enc = "unknown";
1860
0
        break;
1861
0
    }
1862
1863
0
    switch (alg_mac) {
1864
0
    case SSL_MD5:
1865
0
        mac = "MD5";
1866
0
        break;
1867
0
    case SSL_SHA1:
1868
0
        mac = "SHA1";
1869
0
        break;
1870
0
    case SSL_SHA256:
1871
0
        mac = "SHA256";
1872
0
        break;
1873
0
    case SSL_SHA384:
1874
0
        mac = "SHA384";
1875
0
        break;
1876
0
    case SSL_AEAD:
1877
0
        mac = "AEAD";
1878
0
        break;
1879
0
    case SSL_GOST89MAC:
1880
0
    case SSL_GOST89MAC12:
1881
0
        mac = "GOST89";
1882
0
        break;
1883
0
    case SSL_GOST94:
1884
0
        mac = "GOST94";
1885
0
        break;
1886
0
    case SSL_GOST12_256:
1887
0
    case SSL_GOST12_512:
1888
0
        mac = "GOST2012";
1889
0
        break;
1890
0
    default:
1891
0
        mac = "unknown";
1892
0
        break;
1893
0
    }
1894
1895
0
    BIO_snprintf(buf, len, format, cipher->name, ver, kx, au, enc, mac);
1896
1897
0
    return buf;
1898
0
}
1899
1900
const char *SSL_CIPHER_get_version(const SSL_CIPHER *c)
1901
0
{
1902
0
    if (c == NULL)
1903
0
        return "(NONE)";
1904
1905
    /*
1906
     * Backwards-compatibility crutch.  In almost all contexts we report TLS
1907
     * 1.0 as "TLSv1", but for ciphers we report "TLSv1.0".
1908
     */
1909
0
    if (c->min_tls == TLS1_VERSION)
1910
0
        return "TLSv1.0";
1911
0
    return ssl_protocol_to_string(c->min_tls);
1912
0
}
1913
1914
/* return the actual cipher being used */
1915
const char *SSL_CIPHER_get_name(const SSL_CIPHER *c)
1916
0
{
1917
0
    if (c != NULL)
1918
0
        return c->name;
1919
0
    return "(NONE)";
1920
0
}
1921
1922
/* return the actual cipher being used in RFC standard name */
1923
const char *SSL_CIPHER_standard_name(const SSL_CIPHER *c)
1924
0
{
1925
0
    if (c != NULL)
1926
0
        return c->stdname;
1927
0
    return "(NONE)";
1928
0
}
1929
1930
/* return the OpenSSL name based on given RFC standard name */
1931
const char *OPENSSL_cipher_name(const char *stdname)
1932
0
{
1933
0
    const SSL_CIPHER *c;
1934
1935
0
    if (stdname == NULL)
1936
0
        return "(NONE)";
1937
0
    c = ssl3_get_cipher_by_std_name(stdname);
1938
0
    return SSL_CIPHER_get_name(c);
1939
0
}
1940
1941
/* number of bits for symmetric cipher */
1942
int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits)
1943
0
{
1944
0
    int ret = 0;
1945
1946
0
    if (c != NULL) {
1947
0
        if (alg_bits != NULL)
1948
0
            *alg_bits = (int)c->alg_bits;
1949
0
        ret = (int)c->strength_bits;
1950
0
    }
1951
0
    return ret;
1952
0
}
1953
1954
uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *c)
1955
241k
{
1956
241k
    return c->id;
1957
241k
}
1958
1959
uint16_t SSL_CIPHER_get_protocol_id(const SSL_CIPHER *c)
1960
0
{
1961
0
    return c->id & 0xFFFF;
1962
0
}
1963
1964
SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n)
1965
0
{
1966
0
    SSL_COMP *ctmp;
1967
0
    int i, nn;
1968
1969
0
    if ((n == 0) || (sk == NULL))
1970
0
        return NULL;
1971
0
    nn = sk_SSL_COMP_num(sk);
1972
0
    for (i = 0; i < nn; i++) {
1973
0
        ctmp = sk_SSL_COMP_value(sk, i);
1974
0
        if (ctmp->id == n)
1975
0
            return ctmp;
1976
0
    }
1977
0
    return NULL;
1978
0
}
1979
1980
#ifdef OPENSSL_NO_COMP
1981
STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void)
1982
{
1983
    return NULL;
1984
}
1985
1986
STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP)
1987
                                                      *meths)
1988
{
1989
    return meths;
1990
}
1991
1992
int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
1993
{
1994
    return 1;
1995
}
1996
1997
#else
1998
STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void)
1999
48.3k
{
2000
48.3k
    load_builtin_compressions();
2001
48.3k
    return ssl_comp_methods;
2002
48.3k
}
2003
2004
STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP)
2005
                                                      *meths)
2006
0
{
2007
0
    STACK_OF(SSL_COMP) *old_meths = ssl_comp_methods;
2008
0
    ssl_comp_methods = meths;
2009
0
    return old_meths;
2010
0
}
2011
2012
static void cmeth_free(SSL_COMP *cm)
2013
0
{
2014
0
    OPENSSL_free(cm);
2015
0
}
2016
2017
void ssl_comp_free_compression_methods_int(void)
2018
20
{
2019
20
    STACK_OF(SSL_COMP) *old_meths = ssl_comp_methods;
2020
20
    ssl_comp_methods = NULL;
2021
20
    sk_SSL_COMP_pop_free(old_meths, cmeth_free);
2022
20
}
2023
2024
int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm)
2025
0
{
2026
0
    SSL_COMP *comp;
2027
2028
0
    if (cm == NULL || COMP_get_type(cm) == NID_undef)
2029
0
        return 1;
2030
2031
    /*-
2032
     * According to draft-ietf-tls-compression-04.txt, the
2033
     * compression number ranges should be the following:
2034
     *
2035
     *   0 to  63:  methods defined by the IETF
2036
     *  64 to 192:  external party methods assigned by IANA
2037
     * 193 to 255:  reserved for private use
2038
     */
2039
0
    if (id < 193 || id > 255) {
2040
0
        ERR_raise(ERR_LIB_SSL, SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE);
2041
0
        return 1;
2042
0
    }
2043
2044
0
    comp = OPENSSL_malloc(sizeof(*comp));
2045
0
    if (comp == NULL) {
2046
0
        ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
2047
0
        return 1;
2048
0
    }
2049
2050
0
    comp->id = id;
2051
0
    comp->method = cm;
2052
0
    load_builtin_compressions();
2053
0
    if (ssl_comp_methods && sk_SSL_COMP_find(ssl_comp_methods, comp) >= 0) {
2054
0
        OPENSSL_free(comp);
2055
0
        ERR_raise(ERR_LIB_SSL, SSL_R_DUPLICATE_COMPRESSION_ID);
2056
0
        return 1;
2057
0
    }
2058
0
    if (ssl_comp_methods == NULL || !sk_SSL_COMP_push(ssl_comp_methods, comp)) {
2059
0
        OPENSSL_free(comp);
2060
0
        ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
2061
0
        return 1;
2062
0
    }
2063
0
    return 0;
2064
0
}
2065
#endif
2066
2067
const char *SSL_COMP_get_name(const COMP_METHOD *comp)
2068
0
{
2069
0
#ifndef OPENSSL_NO_COMP
2070
0
    return comp ? COMP_get_name(comp) : NULL;
2071
#else
2072
    return NULL;
2073
#endif
2074
0
}
2075
2076
const char *SSL_COMP_get0_name(const SSL_COMP *comp)
2077
0
{
2078
0
#ifndef OPENSSL_NO_COMP
2079
0
    return comp->name;
2080
#else
2081
    return NULL;
2082
#endif
2083
0
}
2084
2085
int SSL_COMP_get_id(const SSL_COMP *comp)
2086
0
{
2087
0
#ifndef OPENSSL_NO_COMP
2088
0
    return comp->id;
2089
#else
2090
    return -1;
2091
#endif
2092
0
}
2093
2094
const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr,
2095
                                         int all)
2096
371k
{
2097
371k
    const SSL_CIPHER *c = ssl->method->get_cipher_by_char(ptr);
2098
2099
371k
    if (c == NULL || (!all && c->valid == 0))
2100
206k
        return NULL;
2101
165k
    return c;
2102
371k
}
2103
2104
const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr)
2105
0
{
2106
0
    return ssl->method->get_cipher_by_char(ptr);
2107
0
}
2108
2109
int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c)
2110
0
{
2111
0
    int i;
2112
0
    if (c == NULL)
2113
0
        return NID_undef;
2114
0
    i = ssl_cipher_info_lookup(ssl_cipher_table_cipher, c->algorithm_enc);
2115
0
    if (i == -1)
2116
0
        return NID_undef;
2117
0
    return ssl_cipher_table_cipher[i].nid;
2118
0
}
2119
2120
int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c)
2121
0
{
2122
0
    int i = ssl_cipher_info_lookup(ssl_cipher_table_mac, c->algorithm_mac);
2123
2124
0
    if (i == -1)
2125
0
        return NID_undef;
2126
0
    return ssl_cipher_table_mac[i].nid;
2127
0
}
2128
2129
int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c)
2130
0
{
2131
0
    int i = ssl_cipher_info_lookup(ssl_cipher_table_kx, c->algorithm_mkey);
2132
2133
0
    if (i == -1)
2134
0
        return NID_undef;
2135
0
    return ssl_cipher_table_kx[i].nid;
2136
0
}
2137
2138
int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c)
2139
0
{
2140
0
    int i = ssl_cipher_info_lookup(ssl_cipher_table_auth, c->algorithm_auth);
2141
2142
0
    if (i == -1)
2143
0
        return NID_undef;
2144
0
    return ssl_cipher_table_auth[i].nid;
2145
0
}
2146
2147
const EVP_MD *SSL_CIPHER_get_handshake_digest(const SSL_CIPHER *c)
2148
0
{
2149
0
    int idx = c->algorithm2 & SSL_HANDSHAKE_MAC_MASK;
2150
2151
0
    if (idx < 0 || idx >= SSL_MD_NUM_IDX)
2152
0
        return NULL;
2153
0
    return EVP_get_digestbynid(ssl_cipher_table_mac[idx].nid);
2154
0
}
2155
2156
int SSL_CIPHER_is_aead(const SSL_CIPHER *c)
2157
0
{
2158
0
    return (c->algorithm_mac & SSL_AEAD) ? 1 : 0;
2159
0
}
2160
2161
int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead,
2162
                            size_t *int_overhead, size_t *blocksize,
2163
                            size_t *ext_overhead)
2164
0
{
2165
0
    size_t mac = 0, in = 0, blk = 0, out = 0;
2166
2167
    /* Some hard-coded numbers for the CCM/Poly1305 MAC overhead
2168
     * because there are no handy #defines for those. */
2169
0
    if (c->algorithm_enc & (SSL_AESGCM | SSL_ARIAGCM)) {
2170
0
        out = EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
2171
0
    } else if (c->algorithm_enc & (SSL_AES128CCM | SSL_AES256CCM)) {
2172
0
        out = EVP_CCM_TLS_EXPLICIT_IV_LEN + 16;
2173
0
    } else if (c->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8)) {
2174
0
        out = EVP_CCM_TLS_EXPLICIT_IV_LEN + 8;
2175
0
    } else if (c->algorithm_enc & SSL_CHACHA20POLY1305) {
2176
0
        out = 16;
2177
0
    } else if (c->algorithm_mac & SSL_AEAD) {
2178
        /* We're supposed to have handled all the AEAD modes above */
2179
0
        return 0;
2180
0
    } else {
2181
        /* Non-AEAD modes. Calculate MAC/cipher overhead separately */
2182
0
        int digest_nid = SSL_CIPHER_get_digest_nid(c);
2183
0
        const EVP_MD *e_md = EVP_get_digestbynid(digest_nid);
2184
2185
0
        if (e_md == NULL)
2186
0
            return 0;
2187
2188
0
        mac = EVP_MD_get_size(e_md);
2189
0
        if (c->algorithm_enc != SSL_eNULL) {
2190
0
            int cipher_nid = SSL_CIPHER_get_cipher_nid(c);
2191
0
            const EVP_CIPHER *e_ciph = EVP_get_cipherbynid(cipher_nid);
2192
2193
            /* If it wasn't AEAD or SSL_eNULL, we expect it to be a
2194
               known CBC cipher. */
2195
0
            if (e_ciph == NULL ||
2196
0
                EVP_CIPHER_get_mode(e_ciph) != EVP_CIPH_CBC_MODE)
2197
0
                return 0;
2198
2199
0
            in = 1; /* padding length byte */
2200
0
            out = EVP_CIPHER_get_iv_length(e_ciph);
2201
0
            blk = EVP_CIPHER_get_block_size(e_ciph);
2202
0
        }
2203
0
    }
2204
2205
0
    *mac_overhead = mac;
2206
0
    *int_overhead = in;
2207
0
    *blocksize = blk;
2208
0
    *ext_overhead = out;
2209
2210
0
    return 1;
2211
0
}
2212
2213
int ssl_cert_is_disabled(SSL_CTX *ctx, size_t idx)
2214
552k
{
2215
552k
    const SSL_CERT_LOOKUP *cl = ssl_cert_lookup_by_idx(idx);
2216
2217
552k
    if (cl == NULL || (cl->amask & ctx->disabled_auth_mask) != 0)
2218
0
        return 1;
2219
552k
    return 0;
2220
552k
}
2221
2222
/*
2223
 * Default list of TLSv1.2 (and earlier) ciphers
2224
 * SSL_DEFAULT_CIPHER_LIST deprecated in 3.0.0
2225
 * Update both macro and function simultaneously
2226
 */
2227
const char *OSSL_default_cipher_list(void)
2228
79.3k
{
2229
79.3k
    return "ALL:!COMPLEMENTOFDEFAULT:!eNULL";
2230
79.3k
}
2231
2232
/*
2233
 * Default list of TLSv1.3 (and later) ciphers
2234
 * TLS_DEFAULT_CIPHERSUITES deprecated in 3.0.0
2235
 * Update both macro and function simultaneously
2236
 */
2237
const char *OSSL_default_ciphersuites(void)
2238
79.3k
{
2239
79.3k
    return "TLS_AES_256_GCM_SHA384:"
2240
79.3k
           "TLS_CHACHA20_POLY1305_SHA256:"
2241
79.3k
           "TLS_AES_128_GCM_SHA256";
2242
79.3k
}