sslCipherSpecs.c
1 /* 2 * Copyright (c) 1999-2001,2005-2011 Apple Inc. All Rights Reserved. 3 * 4 * @APPLE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. Please obtain a copy of the License at 10 * http://www.opensource.apple.com/apsl/ and read it before using this 11 * file. 12 * 13 * The Original Code and all software distributed under the License are 14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 18 * Please see the License for the specific language governing rights and 19 * limitations under the License. 20 * 21 * @APPLE_LICENSE_HEADER_END@ 22 */ 23 24 /* 25 * cipherSpecs.c - SSLCipherSpec declarations 26 */ 27 28 #include "sslBuildFlags.h" 29 #include "CipherSuite.h" 30 #include "sslCipherSpecs.h" 31 #include "sslDebug.h" 32 #include "sslMemory.h" 33 #include "sslDebug.h" 34 #include "sslUtils.h" 35 #include "tls_handshake_priv.h" 36 37 #include <string.h> 38 #include <assert.h> 39 40 #include <TargetConditionals.h> 41 42 #define ENABLE_AES_GCM 1 43 #define ENABLE_PSK 1 44 45 /* 46 This list is exported and used by a couple project, don't change it. 47 Internally, use AllCipherSuites instead. 48 */ 49 50 const uint16_t KnownCipherSuites[] = { 51 #if ENABLE_AES_GCM 52 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 53 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 54 #endif 55 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 56 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 57 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 58 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 59 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 60 #if ENABLE_AES_GCM 61 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 62 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 63 #endif 64 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 65 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 66 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 67 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 68 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 69 70 #if ENABLE_AES_GCM 71 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, 72 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, 73 #endif // ENABLE_AES_GCM 74 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, 75 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, 76 TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 77 TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 78 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 79 80 #if ENABLE_AES_GCM 81 TLS_RSA_WITH_AES_256_GCM_SHA384, 82 TLS_RSA_WITH_AES_128_GCM_SHA256, 83 #endif 84 TLS_RSA_WITH_AES_256_CBC_SHA256, 85 TLS_RSA_WITH_AES_128_CBC_SHA256, 86 TLS_RSA_WITH_AES_256_CBC_SHA, 87 TLS_RSA_WITH_AES_128_CBC_SHA, 88 SSL_RSA_WITH_3DES_EDE_CBC_SHA, 89 }; 90 91 const unsigned CipherSuiteCount = sizeof(KnownCipherSuites)/sizeof(KnownCipherSuites[0]); 92 93 94 /* EC Curves we support: */ 95 const uint16_t KnownCurves[] = { 96 tls_curve_secp256r1, 97 tls_curve_secp384r1, 98 tls_curve_secp521r1 99 }; 100 101 const unsigned CurvesCount = sizeof(KnownCurves)/sizeof(KnownCurves[0]); 102 103 /* SigAlgs we support: */ 104 const tls_signature_and_hash_algorithm KnownSigAlgs[] = { 105 {tls_hash_algorithm_SHA256, tls_signature_algorithm_RSA}, 106 {tls_hash_algorithm_SHA1, tls_signature_algorithm_RSA}, 107 {tls_hash_algorithm_SHA384, tls_signature_algorithm_RSA}, 108 {tls_hash_algorithm_SHA512, tls_signature_algorithm_RSA}, 109 {tls_hash_algorithm_SHA256, tls_signature_algorithm_ECDSA}, 110 {tls_hash_algorithm_SHA1, tls_signature_algorithm_ECDSA}, 111 {tls_hash_algorithm_SHA384, tls_signature_algorithm_ECDSA}, 112 {tls_hash_algorithm_SHA512, tls_signature_algorithm_ECDSA}, 113 }; 114 const unsigned SigAlgsCount = sizeof(KnownSigAlgs)/sizeof(KnownSigAlgs[0]); 115 116 /* 117 * Given a valid ctx->validCipherSpecs array, calculate how many of those 118 * cipherSpecs are *not* SSLv2 only, storing result in 119 * ctx->numValidNonSSLv2Specs. ClientHello routines need this to set 120 * up outgoing cipherSpecs arrays correctly. 121 * 122 * Also determines if any ECDSA/ECDH ciphers are enabled; we need to know 123 * that when creating a hello message. 124 */ 125 void sslAnalyzeCipherSpecs(tls_handshake_t ctx) 126 { 127 unsigned dex; 128 const uint16_t *cipherSuite; 129 130 cipherSuite = &ctx->enabledCipherSuites[0]; 131 ctx->ecdsaEnable = false; 132 for(dex=0; dex<ctx->numEnabledCipherSuites; dex++, cipherSuite++) { 133 switch(sslCipherSuiteGetKeyExchangeMethod(*cipherSuite)) { 134 case SSL_ECDHE_ECDSA: 135 case SSL_ECDHE_RSA: 136 case SSL_ECDH_anon: 137 ctx->ecdsaEnable = true; 138 break; 139 default: 140 break; 141 } 142 } 143 } 144 145 /*** 146 *** End of publically exported functions declared in SecureTransport.h 147 ***/ 148 149 void InitCipherSpecParams(tls_handshake_t ctx) 150 { 151 SSLCipherSpecParams *dst = &ctx->selectedCipherSpecParams; 152 153 dst->cipherSpec = ctx->selectedCipher; 154 dst->macSize = sslCipherSuiteGetMacSize(ctx->selectedCipher); 155 dst->macAlg = sslCipherSuiteGetMacAlgorithm(ctx->selectedCipher); 156 dst->keySize = sslCipherSuiteGetSymmetricCipherKeySize(ctx->selectedCipher); 157 dst->blockSize = sslCipherSuiteGetSymmetricCipherBlockIvSize(ctx->selectedCipher); 158 dst->ivSize = dst->blockSize; 159 dst->keyExchangeMethod = sslCipherSuiteGetKeyExchangeMethod(ctx->selectedCipher); 160 }; 161 162 163 bool cipherSuiteInSet(uint16_t cs, uint16_t *ciphersuites, size_t numCiphersuites) 164 { 165 size_t i; 166 167 for(i=0; i<numCiphersuites; i++) { 168 if(ciphersuites[i]==cs) 169 return true; 170 } 171 172 return false; 173 } 174 175 176 /* verify that a ciphersuite is valid for this server config */ 177 /* Currently, only check that the server identity is proper */ 178 static bool 179 verifyCipherSuite(tls_handshake_t ctx, uint16_t cs) 180 { 181 KeyExchangeMethod kem = sslCipherSuiteGetKeyExchangeMethod(cs); 182 183 switch (kem) { 184 case SSL_RSA: 185 case SSL_DHE_RSA: 186 case SSL_ECDHE_RSA: 187 return ((ctx->signingPrivKeyRef) && (ctx->signingPrivKeyRef->desc.type == tls_private_key_type_rsa)); 188 break; 189 case SSL_ECDHE_ECDSA: 190 return ((ctx->signingPrivKeyRef) && (ctx->signingPrivKeyRef->desc.type == tls_private_key_type_ecdsa)); 191 break; 192 /* Other key exchange don't care about certificate key */ 193 default: 194 return true; 195 } 196 } 197 198 199 /* Server routine to select ciphersuite during anew handshake */ 200 int 201 SelectNewCiphersuite(tls_handshake_t ctx) 202 { 203 int i; 204 205 assert(ctx->isServer); 206 207 for (i=0; i<ctx->numEnabledCipherSuites; i++) { 208 if(cipherSuiteInSet(ctx->enabledCipherSuites[i], ctx->requestedCipherSuites, ctx->numRequestedCipherSuites) && 209 verifyCipherSuite(ctx, ctx->enabledCipherSuites[i])) 210 { 211 ctx->selectedCipher = ctx->enabledCipherSuites[i]; 212 sslLogNegotiateDebug("TLS server: selected ciphersuite 0x%04x", (unsigned)ctx->selectedCipher); 213 InitCipherSpecParams(ctx); 214 return 0; 215 } 216 } 217 218 return errSSLNegotiation; 219 } 220 221 222 /* Client Routine to validate the selected ciphersuite */ 223 int 224 ValidateSelectedCiphersuite(tls_handshake_t ctx) 225 { 226 unsigned i; 227 228 assert(!ctx->isServer); 229 assert(ctx->selectedCipher != 0); 230 231 for (i=0; i<ctx->numEnabledCipherSuites; i++) 232 { 233 if (ctx->enabledCipherSuites[i] == ctx->selectedCipher) { 234 InitCipherSpecParams(ctx); 235 /* Make sure we're configured to handle this cipherSuite. */ 236 return errSSLSuccess; //sslVerifySelectedCipher(ctx); 237 } 238 } 239 /* Not found */ 240 return errSSLNegotiation; 241 } 242 243 // 244 // MARK : Supported ciphersuites helpers 245 // 246 247 static 248 bool tls_handshake_kem_is_supported(bool server, KeyExchangeMethod kem) 249 { 250 switch(kem) { 251 case SSL_RSA: 252 case SSL_DHE_RSA: 253 case SSL_DH_anon: 254 case TLS_PSK: 255 case SSL_ECDHE_ECDSA: 256 case SSL_ECDHE_RSA: 257 case SSL_ECDH_anon: 258 return true; 259 default: 260 return false; 261 } 262 } 263 264 265 static 266 bool tls_handshake_kem_is_allowed(tls_handshake_config_t config, KeyExchangeMethod kem) 267 { 268 switch(config) { 269 case tls_handshake_config_none: 270 case tls_handshake_config_ATSv2: 271 return true; 272 case tls_handshake_config_ATSv1: 273 return (kem == SSL_ECDHE_ECDSA || kem == SSL_ECDHE_RSA); 274 case tls_handshake_config_legacy_DHE: 275 return (kem==SSL_RSA || kem == SSL_DHE_RSA || kem == SSL_ECDHE_ECDSA || kem == SSL_ECDHE_RSA); 276 case tls_handshake_config_ATSv1_noPFS: 277 case tls_handshake_config_default: 278 case tls_handshake_config_standard: 279 case tls_handshake_config_RC4_fallback: 280 case tls_handshake_config_TLSv1_fallback: 281 case tls_handshake_config_TLSv1_RC4_fallback: 282 case tls_handshake_config_legacy: 283 case tls_handshake_config_3DES_fallback: 284 case tls_handshake_config_TLSv1_3DES_fallback: 285 return (kem==SSL_RSA || kem == SSL_ECDHE_ECDSA || kem == SSL_ECDHE_RSA); 286 case tls_handshake_config_standard_TLSv3: 287 return (kem == SSL_ECDHE_ECDSA); 288 case tls_handshake_config_anonymous: 289 return (kem==SSL_ECDH_anon || kem == SSL_DH_anon); 290 } 291 292 /* Note: we do this here instead of a 'default:' case, so that the compiler will warn us when 293 adding new config in the enum */ 294 return (kem==SSL_RSA || kem == SSL_ECDHE_ECDSA || kem == SSL_ECDHE_RSA); 295 } 296 297 static 298 bool tls_handshake_kem_is_valid(tls_handshake_t ctx, KeyExchangeMethod kem) 299 { 300 switch(kem) { 301 case SSL_RSA: 302 case SSL_DH_RSA: 303 case SSL_DHE_RSA: 304 case SSL_DH_anon: 305 case TLS_PSK: 306 return true; 307 case SSL_ECDHE_ECDSA: 308 case SSL_ECDHE_RSA: 309 case SSL_ECDH_anon: 310 return ctx->maxProtocolVersion!=tls_protocol_version_SSL_3; // EC ciphersuites not valid for SSLv3 311 default: 312 return false; 313 } 314 } 315 316 static 317 bool tls_handshake_sym_is_supported(bool dtls, SSL_CipherAlgorithm sym) 318 { 319 switch (sym) { 320 case SSL_CipherAlgorithmNull: 321 case SSL_CipherAlgorithmAES_128_CBC: 322 case SSL_CipherAlgorithm3DES_CBC: 323 case SSL_CipherAlgorithmAES_256_CBC: 324 case SSL_CipherAlgorithmAES_256_GCM: 325 case SSL_CipherAlgorithmAES_128_GCM: 326 return true; 327 case SSL_CipherAlgorithmRC4_128: 328 return !dtls; 329 default: 330 return false; 331 } 332 } 333 334 static 335 bool tls_handshake_sym_is_allowed(tls_handshake_config_t config, SSL_CipherAlgorithm sym) 336 { 337 switch(config) { 338 case tls_handshake_config_none: 339 return true; 340 case tls_handshake_config_ATSv2: 341 return (sym>=SSL_CipherAlgorithmAES_128_GCM); 342 case tls_handshake_config_ATSv1: 343 case tls_handshake_config_ATSv1_noPFS: 344 case tls_handshake_config_anonymous: 345 case tls_handshake_config_standard: 346 return (sym>=SSL_CipherAlgorithmAES_128_CBC && sym != SSL_CipherAlgorithmChaCha20_Poly1305); 347 case tls_handshake_config_standard_TLSv3: 348 return (sym>=SSL_CipherAlgorithmAES_128_CBC); 349 case tls_handshake_config_default: 350 case tls_handshake_config_TLSv1_fallback: 351 case tls_handshake_config_3DES_fallback: 352 case tls_handshake_config_TLSv1_3DES_fallback: 353 return (sym>=SSL_CipherAlgorithm3DES_CBC && sym != SSL_CipherAlgorithmChaCha20_Poly1305); 354 case tls_handshake_config_legacy: 355 case tls_handshake_config_RC4_fallback: 356 case tls_handshake_config_TLSv1_RC4_fallback: 357 case tls_handshake_config_legacy_DHE: 358 return ((sym==SSL_CipherAlgorithmRC4_128) || (sym>=SSL_CipherAlgorithm3DES_CBC)) 359 && sym != SSL_CipherAlgorithmChaCha20_Poly1305; 360 } 361 362 /* Note: we do this here instead of a 'default:' case, so that the compiler will warn us when 363 adding new config in the enum */ 364 return (sym>=SSL_CipherAlgorithm3DES_CBC); 365 } 366 367 static 368 bool tls_handshake_sym_is_valid(tls_handshake_t ctx, SSL_CipherAlgorithm sym) 369 { 370 switch (sym) { 371 case SSL_CipherAlgorithmNull: 372 case SSL_CipherAlgorithmRC4_128: 373 return true; 374 case SSL_CipherAlgorithmAES_128_CBC: 375 case SSL_CipherAlgorithm3DES_CBC: 376 case SSL_CipherAlgorithmAES_256_CBC: 377 return !(ctx->maxProtocolVersion==tls_protocol_version_SSL_3 && ctx->fallback); 378 case SSL_CipherAlgorithmAES_256_GCM: 379 case SSL_CipherAlgorithmAES_128_GCM: 380 return ctx->maxProtocolVersion==tls_protocol_version_TLS_1_2; 381 default: 382 return false; 383 } 384 } 385 386 static 387 bool tls_handshake_mac_is_supported(HMAC_Algs mac) 388 { 389 switch (mac){ 390 case HA_Null: 391 case HA_MD5: 392 case HA_SHA1: 393 case HA_SHA256: 394 case HA_SHA384: 395 return true; 396 default: 397 return false; 398 } 399 } 400 401 static 402 bool tls_handshake_mac_is_allowed(tls_handshake_config_t config, HMAC_Algs mac) 403 { 404 switch(config) { 405 case tls_handshake_config_none: 406 return true; 407 case tls_handshake_config_standard_TLSv3: 408 case tls_handshake_config_ATSv1: 409 case tls_handshake_config_ATSv1_noPFS: 410 case tls_handshake_config_ATSv2: 411 case tls_handshake_config_anonymous: 412 return (mac>=HA_SHA1); 413 case tls_handshake_config_default: 414 case tls_handshake_config_legacy: 415 case tls_handshake_config_RC4_fallback: 416 case tls_handshake_config_TLSv1_RC4_fallback: 417 case tls_handshake_config_standard: 418 case tls_handshake_config_TLSv1_fallback: 419 case tls_handshake_config_legacy_DHE: 420 case tls_handshake_config_3DES_fallback: 421 case tls_handshake_config_TLSv1_3DES_fallback: 422 return (mac>=HA_MD5); 423 } 424 425 /* Note: we do this here instead of a 'default:' case, so that the compiler will warn us when 426 adding new config in the enum */ 427 return (mac>=HA_MD5); 428 } 429 430 static 431 bool tls_handshake_mac_is_valid(tls_handshake_t ctx, HMAC_Algs mac) 432 { 433 /* All MACs are always valid */ 434 return true; 435 } 436 437 /* Do we support this ciphersuites ? */ 438 bool tls_handshake_ciphersuite_is_supported(bool server, bool dtls, uint16_t ciphersuite) 439 { 440 uint16_t cs = ciphersuite; 441 442 KeyExchangeMethod kem = sslCipherSuiteGetKeyExchangeMethod(cs); 443 SSL_CipherAlgorithm sym = sslCipherSuiteGetSymmetricCipherAlgorithm(cs); 444 HMAC_Algs mac = sslCipherSuiteGetMacAlgorithm(cs); 445 446 return tls_handshake_kem_is_supported(server, kem) 447 && tls_handshake_sym_is_supported(dtls, sym) 448 && tls_handshake_mac_is_supported(mac); 449 } 450 451 /* Is this ciphersuite allowed in this configuration */ 452 bool tls_handshake_ciphersuite_is_allowed(tls_handshake_config_t config, uint16_t ciphersuite) 453 { 454 uint16_t cs = ciphersuite; 455 456 KeyExchangeMethod kem = sslCipherSuiteGetKeyExchangeMethod(cs); 457 SSL_CipherAlgorithm sym = sslCipherSuiteGetSymmetricCipherAlgorithm(cs); 458 HMAC_Algs mac = sslCipherSuiteGetMacAlgorithm(cs); 459 460 return tls_handshake_kem_is_allowed(config,kem) 461 && tls_handshake_sym_is_allowed(config, sym) 462 && tls_handshake_mac_is_allowed(config, mac); 463 } 464 465 /* Is this ciphersuite valid for the current context */ 466 bool tls_handshake_ciphersuite_is_valid(tls_handshake_t ctx, uint16_t ciphersuite) 467 { 468 uint16_t cs = ciphersuite; 469 470 KeyExchangeMethod kem = sslCipherSuiteGetKeyExchangeMethod(cs); 471 SSL_CipherAlgorithm sym = sslCipherSuiteGetSymmetricCipherAlgorithm(cs); 472 HMAC_Algs mac = sslCipherSuiteGetMacAlgorithm(cs); 473 474 return tls_handshake_kem_is_valid(ctx,kem) 475 && tls_handshake_sym_is_valid(ctx, sym) 476 && tls_handshake_mac_is_valid(ctx, mac); 477 } 478 479 bool tls_handshake_curve_is_supported(uint16_t curve) 480 { 481 switch(curve) { 482 case tls_curve_secp256r1: 483 case tls_curve_secp384r1: 484 case tls_curve_secp521r1: 485 return true; 486 default: 487 return false; 488 } 489 } 490 491 bool tls_handshake_sigalg_is_supported(tls_signature_and_hash_algorithm sigalg) 492 { 493 494 bool hash_supported; 495 bool sig_supported; 496 497 switch(sigalg.hash) { 498 case tls_hash_algorithm_SHA1: 499 case tls_hash_algorithm_SHA256: 500 case tls_hash_algorithm_SHA384: 501 case tls_hash_algorithm_SHA512: 502 hash_supported = true; 503 break; 504 default: 505 hash_supported = false; 506 } 507 508 switch(sigalg.signature) { 509 case tls_signature_algorithm_RSA: 510 case tls_signature_algorithm_ECDSA: 511 sig_supported = true; 512 break; 513 default: 514 sig_supported = false; 515 } 516 517 return sig_supported && hash_supported; 518 }