Branch data Line data Source code
1 : : /*
2 : : * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 : : *
4 : : * Licensed under the Apache License, Version 2.0 (the "License").
5 : : * You may not use this file except in compliance with the License.
6 : : * A copy of the License is located at
7 : : *
8 : : * http://aws.amazon.com/apache2.0
9 : : *
10 : : * or in the "license" file accompanying this file. This file is distributed
11 : : * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 : : * express or implied. See the License for the specific language governing
13 : : * permissions and limitations under the License.
14 : : */
15 : :
16 : : #include <openssl/crypto.h>
17 : : #include <string.h>
18 : :
19 : : #include "crypto/s2n_cipher.h"
20 : : #include "crypto/s2n_openssl.h"
21 : : #include "crypto/s2n_pq.h"
22 : : #include "error/s2n_errno.h"
23 : : #include "tls/s2n_auth_selection.h"
24 : : #include "tls/s2n_kex.h"
25 : : #include "tls/s2n_psk.h"
26 : : #include "tls/s2n_security_policies.h"
27 : : #include "tls/s2n_tls.h"
28 : : #include "tls/s2n_tls13.h"
29 : : #include "utils/s2n_safety.h"
30 : :
31 : : /*************************
32 : : * S2n Record Algorithms *
33 : : *************************/
34 : : const struct s2n_record_algorithm s2n_record_alg_null = {
35 : : .cipher = &s2n_null_cipher,
36 : : .hmac_alg = S2N_HMAC_NONE,
37 : : .flags = 0,
38 : : .encryption_limit = UINT64_MAX,
39 : : };
40 : :
41 : : const struct s2n_record_algorithm s2n_record_alg_rc4_md5 = {
42 : : .cipher = &s2n_rc4,
43 : : .hmac_alg = S2N_HMAC_MD5,
44 : : .flags = 0,
45 : : .encryption_limit = UINT64_MAX,
46 : : };
47 : :
48 : : const struct s2n_record_algorithm s2n_record_alg_rc4_sslv3_md5 = {
49 : : .cipher = &s2n_rc4,
50 : : .hmac_alg = S2N_HMAC_SSLv3_MD5,
51 : : .flags = 0,
52 : : .encryption_limit = UINT64_MAX,
53 : : };
54 : :
55 : : const struct s2n_record_algorithm s2n_record_alg_rc4_sha = {
56 : : .cipher = &s2n_rc4,
57 : : .hmac_alg = S2N_HMAC_SHA1,
58 : : .flags = 0,
59 : : .encryption_limit = UINT64_MAX,
60 : : };
61 : :
62 : : const struct s2n_record_algorithm s2n_record_alg_rc4_sslv3_sha = {
63 : : .cipher = &s2n_rc4,
64 : : .hmac_alg = S2N_HMAC_SSLv3_SHA1,
65 : : .flags = 0,
66 : : .encryption_limit = UINT64_MAX,
67 : : };
68 : :
69 : : const struct s2n_record_algorithm s2n_record_alg_3des_sha = {
70 : : .cipher = &s2n_3des,
71 : : .hmac_alg = S2N_HMAC_SHA1,
72 : : .flags = 0,
73 : : .encryption_limit = UINT64_MAX,
74 : : };
75 : :
76 : : const struct s2n_record_algorithm s2n_record_alg_3des_sslv3_sha = {
77 : : .cipher = &s2n_3des,
78 : : .hmac_alg = S2N_HMAC_SSLv3_SHA1,
79 : : .flags = 0,
80 : : .encryption_limit = UINT64_MAX,
81 : : };
82 : :
83 : : const struct s2n_record_algorithm s2n_record_alg_aes128_sha = {
84 : : .cipher = &s2n_aes128,
85 : : .hmac_alg = S2N_HMAC_SHA1,
86 : : .flags = 0,
87 : : .encryption_limit = UINT64_MAX,
88 : : };
89 : :
90 : : const struct s2n_record_algorithm s2n_record_alg_aes128_sslv3_sha = {
91 : : .cipher = &s2n_aes128,
92 : : .hmac_alg = S2N_HMAC_SSLv3_SHA1,
93 : : .flags = 0,
94 : : .encryption_limit = UINT64_MAX,
95 : : };
96 : :
97 : : const struct s2n_record_algorithm s2n_record_alg_aes128_sha_composite = {
98 : : .cipher = &s2n_aes128_sha,
99 : : .hmac_alg = S2N_HMAC_NONE,
100 : : .flags = 0,
101 : : .encryption_limit = UINT64_MAX,
102 : : };
103 : :
104 : : const struct s2n_record_algorithm s2n_record_alg_aes128_sha256 = {
105 : : .cipher = &s2n_aes128,
106 : : .hmac_alg = S2N_HMAC_SHA256,
107 : : .flags = 0,
108 : : .encryption_limit = UINT64_MAX,
109 : : };
110 : :
111 : : const struct s2n_record_algorithm s2n_record_alg_aes128_sha256_composite = {
112 : : .cipher = &s2n_aes128_sha256,
113 : : .hmac_alg = S2N_HMAC_NONE,
114 : : .encryption_limit = UINT64_MAX,
115 : : };
116 : :
117 : : const struct s2n_record_algorithm s2n_record_alg_aes256_sha = {
118 : : .cipher = &s2n_aes256,
119 : : .hmac_alg = S2N_HMAC_SHA1,
120 : : .flags = 0,
121 : : .encryption_limit = UINT64_MAX,
122 : : };
123 : :
124 : : const struct s2n_record_algorithm s2n_record_alg_aes256_sslv3_sha = {
125 : : .cipher = &s2n_aes256,
126 : : .hmac_alg = S2N_HMAC_SSLv3_SHA1,
127 : : .flags = 0,
128 : : .encryption_limit = UINT64_MAX,
129 : : };
130 : :
131 : : const struct s2n_record_algorithm s2n_record_alg_aes256_sha_composite = {
132 : : .cipher = &s2n_aes256_sha,
133 : : .hmac_alg = S2N_HMAC_NONE,
134 : : .flags = 0,
135 : : .encryption_limit = UINT64_MAX,
136 : : };
137 : :
138 : : const struct s2n_record_algorithm s2n_record_alg_aes256_sha256 = {
139 : : .cipher = &s2n_aes256,
140 : : .hmac_alg = S2N_HMAC_SHA256,
141 : : .flags = 0,
142 : : .encryption_limit = UINT64_MAX,
143 : : };
144 : :
145 : : const struct s2n_record_algorithm s2n_record_alg_aes256_sha256_composite = {
146 : : .cipher = &s2n_aes256_sha256,
147 : : .hmac_alg = S2N_HMAC_NONE,
148 : : .encryption_limit = UINT64_MAX,
149 : : };
150 : :
151 : : const struct s2n_record_algorithm s2n_record_alg_aes256_sha384 = {
152 : : .cipher = &s2n_aes256,
153 : : .hmac_alg = S2N_HMAC_SHA384,
154 : : .flags = 0,
155 : : .encryption_limit = UINT64_MAX,
156 : : };
157 : :
158 : : const struct s2n_record_algorithm s2n_record_alg_aes128_gcm = {
159 : : .cipher = &s2n_aes128_gcm,
160 : : .hmac_alg = S2N_HMAC_NONE,
161 : : .flags = S2N_TLS12_AES_GCM_AEAD_NONCE,
162 : : .encryption_limit = UINT64_MAX,
163 : : };
164 : :
165 : : const struct s2n_record_algorithm s2n_record_alg_aes256_gcm = {
166 : : .cipher = &s2n_aes256_gcm,
167 : : .hmac_alg = S2N_HMAC_NONE,
168 : : .flags = S2N_TLS12_AES_GCM_AEAD_NONCE,
169 : : .encryption_limit = UINT64_MAX,
170 : : };
171 : :
172 : : const struct s2n_record_algorithm s2n_record_alg_chacha20_poly1305 = {
173 : : .cipher = &s2n_chacha20_poly1305,
174 : : .hmac_alg = S2N_HMAC_NONE,
175 : : /* Per RFC 7905, ChaCha20-Poly1305 will use a nonce construction expected to be used in TLS1.3.
176 : : * Give it a distinct 1.2 nonce value in case this changes.
177 : : */
178 : : .flags = S2N_TLS12_CHACHA_POLY_AEAD_NONCE,
179 : : .encryption_limit = UINT64_MAX,
180 : : };
181 : :
182 : : /* TLS 1.3 Record Algorithms */
183 : : const struct s2n_record_algorithm s2n_tls13_record_alg_aes128_gcm = {
184 : : .cipher = &s2n_tls13_aes128_gcm,
185 : : .hmac_alg = S2N_HMAC_NONE, /* previously used in 1.2 prf, we do not need this */
186 : : .flags = S2N_TLS13_RECORD_AEAD_NONCE,
187 : : .encryption_limit = S2N_TLS13_AES_GCM_MAXIMUM_RECORD_NUMBER,
188 : : };
189 : :
190 : : const struct s2n_record_algorithm s2n_tls13_record_alg_aes256_gcm = {
191 : : .cipher = &s2n_tls13_aes256_gcm,
192 : : .hmac_alg = S2N_HMAC_NONE,
193 : : .flags = S2N_TLS13_RECORD_AEAD_NONCE,
194 : : .encryption_limit = S2N_TLS13_AES_GCM_MAXIMUM_RECORD_NUMBER,
195 : : };
196 : :
197 : : const struct s2n_record_algorithm s2n_tls13_record_alg_chacha20_poly1305 = {
198 : : .cipher = &s2n_chacha20_poly1305,
199 : : .hmac_alg = S2N_HMAC_NONE,
200 : : /* this mirrors s2n_record_alg_chacha20_poly1305 with the exception of TLS 1.3 nonce flag */
201 : : .flags = S2N_TLS13_RECORD_AEAD_NONCE,
202 : : .encryption_limit = UINT64_MAX,
203 : : };
204 : :
205 : : /*********************
206 : : * S2n Cipher Suites *
207 : : *********************/
208 : :
209 : : /* This is the initial cipher suite, but is never negotiated */
210 : : struct s2n_cipher_suite s2n_null_cipher_suite = {
211 : : .available = 1,
212 : : .name = "TLS_NULL_WITH_NULL_NULL",
213 : : .iana_name = "TLS_NULL_WITH_NULL_NULL",
214 : : .iana_value = { TLS_NULL_WITH_NULL_NULL },
215 : : .key_exchange_alg = &s2n_rsa,
216 : : .auth_method = S2N_AUTHENTICATION_RSA,
217 : : .record_alg = &s2n_record_alg_null,
218 : : };
219 : :
220 : : struct s2n_cipher_suite s2n_rsa_with_rc4_128_md5 = /* 0x00,0x04 */ {
221 : : .available = 0,
222 : : .name = "RC4-MD5",
223 : : .iana_name = "TLS_RSA_WITH_RC4_128_MD5",
224 : : .iana_value = { TLS_RSA_WITH_RC4_128_MD5 },
225 : : .key_exchange_alg = &s2n_rsa,
226 : : .auth_method = S2N_AUTHENTICATION_RSA,
227 : : .record_alg = NULL,
228 : : .all_record_algs = { &s2n_record_alg_rc4_md5 },
229 : : .num_record_algs = 1,
230 : : .sslv3_record_alg = &s2n_record_alg_rc4_sslv3_md5,
231 : : .prf_alg = S2N_HMAC_SHA256,
232 : : .minimum_required_tls_version = S2N_SSLv3,
233 : : };
234 : :
235 : : struct s2n_cipher_suite s2n_rsa_with_rc4_128_sha = /* 0x00,0x05 */ {
236 : : .available = 0,
237 : : .name = "RC4-SHA",
238 : : .iana_name = "TLS_RSA_WITH_RC4_128_SHA",
239 : : .iana_value = { TLS_RSA_WITH_RC4_128_SHA },
240 : : .key_exchange_alg = &s2n_rsa,
241 : : .auth_method = S2N_AUTHENTICATION_RSA,
242 : : .record_alg = NULL,
243 : : .all_record_algs = { &s2n_record_alg_rc4_sha },
244 : : .num_record_algs = 1,
245 : : .sslv3_record_alg = &s2n_record_alg_rc4_sslv3_sha,
246 : : .prf_alg = S2N_HMAC_SHA256,
247 : : .minimum_required_tls_version = S2N_SSLv3,
248 : : };
249 : :
250 : : struct s2n_cipher_suite s2n_rsa_with_3des_ede_cbc_sha = /* 0x00,0x0A */ {
251 : : .available = 0,
252 : : .name = "DES-CBC3-SHA",
253 : : .iana_name = "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
254 : : .iana_value = { TLS_RSA_WITH_3DES_EDE_CBC_SHA },
255 : : .key_exchange_alg = &s2n_rsa,
256 : : .auth_method = S2N_AUTHENTICATION_RSA,
257 : : .record_alg = NULL,
258 : : .all_record_algs = { &s2n_record_alg_3des_sha },
259 : : .num_record_algs = 1,
260 : : .sslv3_record_alg = &s2n_record_alg_3des_sslv3_sha,
261 : : .prf_alg = S2N_HMAC_SHA256,
262 : : .minimum_required_tls_version = S2N_SSLv3,
263 : : };
264 : :
265 : : struct s2n_cipher_suite s2n_dhe_rsa_with_3des_ede_cbc_sha = /* 0x00,0x16 */ {
266 : : .available = 0,
267 : : .name = "DHE-RSA-DES-CBC3-SHA",
268 : : .iana_name = "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
269 : : .iana_value = { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA },
270 : : .key_exchange_alg = &s2n_dhe,
271 : : .auth_method = S2N_AUTHENTICATION_RSA,
272 : : .record_alg = NULL,
273 : : .all_record_algs = { &s2n_record_alg_3des_sha },
274 : : .num_record_algs = 1,
275 : : .sslv3_record_alg = &s2n_record_alg_3des_sslv3_sha,
276 : : .prf_alg = S2N_HMAC_SHA256,
277 : : .minimum_required_tls_version = S2N_SSLv3,
278 : : };
279 : :
280 : : struct s2n_cipher_suite s2n_rsa_with_aes_128_cbc_sha = /* 0x00,0x2F */ {
281 : : .available = 0,
282 : : .name = "AES128-SHA",
283 : : .iana_name = "TLS_RSA_WITH_AES_128_CBC_SHA",
284 : : .iana_value = { TLS_RSA_WITH_AES_128_CBC_SHA },
285 : : .key_exchange_alg = &s2n_rsa,
286 : : .auth_method = S2N_AUTHENTICATION_RSA,
287 : : .record_alg = NULL,
288 : : .all_record_algs = { &s2n_record_alg_aes128_sha_composite, &s2n_record_alg_aes128_sha },
289 : : .num_record_algs = 2,
290 : : .sslv3_record_alg = &s2n_record_alg_aes128_sslv3_sha,
291 : : .prf_alg = S2N_HMAC_SHA256,
292 : : .minimum_required_tls_version = S2N_SSLv3,
293 : : };
294 : :
295 : : struct s2n_cipher_suite s2n_dhe_rsa_with_aes_128_cbc_sha = /* 0x00,0x33 */ {
296 : : .available = 0,
297 : : .name = "DHE-RSA-AES128-SHA",
298 : : .iana_name = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
299 : : .iana_value = { TLS_DHE_RSA_WITH_AES_128_CBC_SHA },
300 : : .key_exchange_alg = &s2n_dhe,
301 : : .auth_method = S2N_AUTHENTICATION_RSA,
302 : : .record_alg = NULL,
303 : : .all_record_algs = { &s2n_record_alg_aes128_sha_composite, &s2n_record_alg_aes128_sha },
304 : : .num_record_algs = 2,
305 : : .sslv3_record_alg = &s2n_record_alg_aes128_sslv3_sha,
306 : : .prf_alg = S2N_HMAC_SHA256,
307 : : .minimum_required_tls_version = S2N_SSLv3,
308 : : };
309 : :
310 : : struct s2n_cipher_suite s2n_rsa_with_aes_256_cbc_sha = /* 0x00,0x35 */ {
311 : : .available = 0,
312 : : .name = "AES256-SHA",
313 : : .iana_name = "TLS_RSA_WITH_AES_256_CBC_SHA",
314 : : .iana_value = { TLS_RSA_WITH_AES_256_CBC_SHA },
315 : : .key_exchange_alg = &s2n_rsa,
316 : : .auth_method = S2N_AUTHENTICATION_RSA,
317 : : .record_alg = NULL,
318 : : .all_record_algs = { &s2n_record_alg_aes256_sha_composite, &s2n_record_alg_aes256_sha },
319 : : .num_record_algs = 2,
320 : : .sslv3_record_alg = &s2n_record_alg_aes256_sslv3_sha,
321 : : .prf_alg = S2N_HMAC_SHA256,
322 : : .minimum_required_tls_version = S2N_SSLv3,
323 : : };
324 : :
325 : : struct s2n_cipher_suite s2n_dhe_rsa_with_aes_256_cbc_sha = /* 0x00,0x39 */ {
326 : : .available = 0,
327 : : .name = "DHE-RSA-AES256-SHA",
328 : : .iana_name = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
329 : : .iana_value = { TLS_DHE_RSA_WITH_AES_256_CBC_SHA },
330 : : .key_exchange_alg = &s2n_dhe,
331 : : .auth_method = S2N_AUTHENTICATION_RSA,
332 : : .record_alg = NULL,
333 : : .all_record_algs = { &s2n_record_alg_aes256_sha_composite, &s2n_record_alg_aes256_sha },
334 : : .num_record_algs = 2,
335 : : .sslv3_record_alg = &s2n_record_alg_aes256_sslv3_sha,
336 : : .prf_alg = S2N_HMAC_SHA256,
337 : : .minimum_required_tls_version = S2N_SSLv3,
338 : : };
339 : :
340 : : struct s2n_cipher_suite s2n_rsa_with_aes_128_cbc_sha256 = /* 0x00,0x3C */ {
341 : : .available = 0,
342 : : .name = "AES128-SHA256",
343 : : .iana_name = "TLS_RSA_WITH_AES_128_CBC_SHA256",
344 : : .iana_value = { TLS_RSA_WITH_AES_128_CBC_SHA256 },
345 : : .key_exchange_alg = &s2n_rsa,
346 : : .auth_method = S2N_AUTHENTICATION_RSA,
347 : : .record_alg = NULL,
348 : : .all_record_algs = { &s2n_record_alg_aes128_sha256_composite, &s2n_record_alg_aes128_sha256 },
349 : : .num_record_algs = 2,
350 : : .sslv3_record_alg = NULL,
351 : : .prf_alg = S2N_HMAC_SHA256,
352 : : .minimum_required_tls_version = S2N_TLS12,
353 : : };
354 : :
355 : : struct s2n_cipher_suite s2n_rsa_with_aes_256_cbc_sha256 = /* 0x00,0x3D */ {
356 : : .available = 0,
357 : : .name = "AES256-SHA256",
358 : : .iana_name = "TLS_RSA_WITH_AES_256_CBC_SHA256",
359 : : .iana_value = { TLS_RSA_WITH_AES_256_CBC_SHA256 },
360 : : .key_exchange_alg = &s2n_rsa,
361 : : .auth_method = S2N_AUTHENTICATION_RSA,
362 : : .record_alg = NULL,
363 : : .all_record_algs = { &s2n_record_alg_aes256_sha256_composite, &s2n_record_alg_aes256_sha256 },
364 : : .num_record_algs = 2,
365 : : .sslv3_record_alg = NULL,
366 : : .prf_alg = S2N_HMAC_SHA256,
367 : : .minimum_required_tls_version = S2N_TLS12,
368 : : };
369 : :
370 : : struct s2n_cipher_suite s2n_dhe_rsa_with_aes_128_cbc_sha256 = /* 0x00,0x67 */ {
371 : : .available = 0,
372 : : .name = "DHE-RSA-AES128-SHA256",
373 : : .iana_name = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
374 : : .iana_value = { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 },
375 : : .key_exchange_alg = &s2n_dhe,
376 : : .auth_method = S2N_AUTHENTICATION_RSA,
377 : : .record_alg = NULL,
378 : : .all_record_algs = { &s2n_record_alg_aes128_sha256_composite, &s2n_record_alg_aes128_sha256 },
379 : : .num_record_algs = 2,
380 : : .sslv3_record_alg = NULL,
381 : : .prf_alg = S2N_HMAC_SHA256,
382 : : .minimum_required_tls_version = S2N_TLS12,
383 : : };
384 : :
385 : : struct s2n_cipher_suite s2n_dhe_rsa_with_aes_256_cbc_sha256 = /* 0x00,0x6B */ {
386 : : .available = 0,
387 : : .name = "DHE-RSA-AES256-SHA256",
388 : : .iana_name = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
389 : : .iana_value = { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 },
390 : : .key_exchange_alg = &s2n_dhe,
391 : : .auth_method = S2N_AUTHENTICATION_RSA,
392 : : .record_alg = NULL,
393 : : .all_record_algs = { &s2n_record_alg_aes256_sha256_composite, &s2n_record_alg_aes256_sha256 },
394 : : .num_record_algs = 2,
395 : : .sslv3_record_alg = NULL,
396 : : .prf_alg = S2N_HMAC_SHA256,
397 : : .minimum_required_tls_version = S2N_TLS12,
398 : : };
399 : :
400 : : struct s2n_cipher_suite s2n_rsa_with_aes_128_gcm_sha256 = /* 0x00,0x9C */ {
401 : : .available = 0,
402 : : .name = "AES128-GCM-SHA256",
403 : : .iana_name = "TLS_RSA_WITH_AES_128_GCM_SHA256",
404 : : .iana_value = { TLS_RSA_WITH_AES_128_GCM_SHA256 },
405 : : .key_exchange_alg = &s2n_rsa,
406 : : .auth_method = S2N_AUTHENTICATION_RSA,
407 : : .record_alg = NULL,
408 : : .all_record_algs = { &s2n_record_alg_aes128_gcm },
409 : : .num_record_algs = 1,
410 : : .sslv3_record_alg = NULL,
411 : : .prf_alg = S2N_HMAC_SHA256,
412 : : .minimum_required_tls_version = S2N_TLS12,
413 : : };
414 : :
415 : : struct s2n_cipher_suite s2n_rsa_with_aes_256_gcm_sha384 = /* 0x00,0x9D */ {
416 : : .available = 0,
417 : : .name = "AES256-GCM-SHA384",
418 : : .iana_name = "TLS_RSA_WITH_AES_256_GCM_SHA384",
419 : : .iana_value = { TLS_RSA_WITH_AES_256_GCM_SHA384 },
420 : : .key_exchange_alg = &s2n_rsa,
421 : : .auth_method = S2N_AUTHENTICATION_RSA,
422 : : .record_alg = NULL,
423 : : .all_record_algs = { &s2n_record_alg_aes256_gcm },
424 : : .num_record_algs = 1,
425 : : .sslv3_record_alg = NULL,
426 : : .prf_alg = S2N_HMAC_SHA384,
427 : : .minimum_required_tls_version = S2N_TLS12,
428 : : };
429 : :
430 : : struct s2n_cipher_suite s2n_dhe_rsa_with_aes_128_gcm_sha256 = /* 0x00,0x9E */ {
431 : : .available = 0,
432 : : .name = "DHE-RSA-AES128-GCM-SHA256",
433 : : .iana_name = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
434 : : .iana_value = { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 },
435 : : .key_exchange_alg = &s2n_dhe,
436 : : .auth_method = S2N_AUTHENTICATION_RSA,
437 : : .record_alg = NULL,
438 : : .all_record_algs = { &s2n_record_alg_aes128_gcm },
439 : : .num_record_algs = 1,
440 : : .sslv3_record_alg = NULL,
441 : : .prf_alg = S2N_HMAC_SHA256,
442 : : .minimum_required_tls_version = S2N_TLS12,
443 : : };
444 : :
445 : : struct s2n_cipher_suite s2n_dhe_rsa_with_aes_256_gcm_sha384 = /* 0x00,0x9F */ {
446 : : .available = 0,
447 : : .name = "DHE-RSA-AES256-GCM-SHA384",
448 : : .iana_name = "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
449 : : .iana_value = { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 },
450 : : .key_exchange_alg = &s2n_dhe,
451 : : .auth_method = S2N_AUTHENTICATION_RSA,
452 : : .record_alg = NULL,
453 : : .all_record_algs = { &s2n_record_alg_aes256_gcm },
454 : : .num_record_algs = 1,
455 : : .sslv3_record_alg = NULL,
456 : : .prf_alg = S2N_HMAC_SHA384,
457 : : .minimum_required_tls_version = S2N_TLS12,
458 : : };
459 : :
460 : : struct s2n_cipher_suite s2n_ecdhe_ecdsa_with_aes_128_cbc_sha = /* 0xC0,0x09 */ {
461 : : .available = 0,
462 : : .name = "ECDHE-ECDSA-AES128-SHA",
463 : : .iana_name = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
464 : : .iana_value = { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA },
465 : : .key_exchange_alg = &s2n_ecdhe,
466 : : .auth_method = S2N_AUTHENTICATION_ECDSA,
467 : : .record_alg = NULL,
468 : : .all_record_algs = { &s2n_record_alg_aes128_sha_composite, &s2n_record_alg_aes128_sha },
469 : : .num_record_algs = 2,
470 : : .sslv3_record_alg = &s2n_record_alg_aes128_sslv3_sha,
471 : : .prf_alg = S2N_HMAC_SHA256,
472 : : .minimum_required_tls_version = S2N_SSLv3,
473 : : };
474 : :
475 : : struct s2n_cipher_suite s2n_ecdhe_ecdsa_with_aes_256_cbc_sha = /* 0xC0,0x0A */ {
476 : : .available = 0,
477 : : .name = "ECDHE-ECDSA-AES256-SHA",
478 : : .iana_name = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
479 : : .iana_value = { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA },
480 : : .key_exchange_alg = &s2n_ecdhe,
481 : : .auth_method = S2N_AUTHENTICATION_ECDSA,
482 : : .record_alg = NULL,
483 : : .all_record_algs = { &s2n_record_alg_aes256_sha_composite, &s2n_record_alg_aes256_sha },
484 : : .num_record_algs = 2,
485 : : .sslv3_record_alg = &s2n_record_alg_aes256_sslv3_sha,
486 : : .prf_alg = S2N_HMAC_SHA256,
487 : : .minimum_required_tls_version = S2N_SSLv3,
488 : : };
489 : :
490 : : struct s2n_cipher_suite s2n_ecdhe_rsa_with_rc4_128_sha = /* 0xC0,0x11 */ {
491 : : .available = 0,
492 : : .name = "ECDHE-RSA-RC4-SHA",
493 : : .iana_name = "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
494 : : .iana_value = { TLS_ECDHE_RSA_WITH_RC4_128_SHA },
495 : : .key_exchange_alg = &s2n_ecdhe,
496 : : .auth_method = S2N_AUTHENTICATION_RSA,
497 : : .record_alg = NULL,
498 : : .all_record_algs = { &s2n_record_alg_rc4_sha },
499 : : .num_record_algs = 1,
500 : : .sslv3_record_alg = &s2n_record_alg_rc4_sslv3_sha,
501 : : .prf_alg = S2N_HMAC_SHA256,
502 : : .minimum_required_tls_version = S2N_SSLv3,
503 : : };
504 : :
505 : : struct s2n_cipher_suite s2n_ecdhe_rsa_with_3des_ede_cbc_sha = /* 0xC0,0x12 */ {
506 : : .available = 0,
507 : : .name = "ECDHE-RSA-DES-CBC3-SHA",
508 : : .iana_name = "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
509 : : .iana_value = { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA },
510 : : .key_exchange_alg = &s2n_ecdhe,
511 : : .auth_method = S2N_AUTHENTICATION_RSA,
512 : : .record_alg = NULL,
513 : : .all_record_algs = { &s2n_record_alg_3des_sha },
514 : : .num_record_algs = 1,
515 : : .sslv3_record_alg = &s2n_record_alg_3des_sslv3_sha,
516 : : .prf_alg = S2N_HMAC_SHA256,
517 : : .minimum_required_tls_version = S2N_SSLv3,
518 : : };
519 : :
520 : : struct s2n_cipher_suite s2n_ecdhe_rsa_with_aes_128_cbc_sha = /* 0xC0,0x13 */ {
521 : : .available = 0,
522 : : .name = "ECDHE-RSA-AES128-SHA",
523 : : .iana_name = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
524 : : .iana_value = { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA },
525 : : .key_exchange_alg = &s2n_ecdhe,
526 : : .auth_method = S2N_AUTHENTICATION_RSA,
527 : : .record_alg = NULL,
528 : : .all_record_algs = { &s2n_record_alg_aes128_sha_composite, &s2n_record_alg_aes128_sha },
529 : : .num_record_algs = 2,
530 : : .sslv3_record_alg = &s2n_record_alg_aes128_sslv3_sha,
531 : : .prf_alg = S2N_HMAC_SHA256,
532 : : .minimum_required_tls_version = S2N_SSLv3,
533 : : };
534 : :
535 : : struct s2n_cipher_suite s2n_ecdhe_rsa_with_aes_256_cbc_sha = /* 0xC0,0x14 */ {
536 : : .available = 0,
537 : : .name = "ECDHE-RSA-AES256-SHA",
538 : : .iana_name = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
539 : : .iana_value = { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA },
540 : : .key_exchange_alg = &s2n_ecdhe,
541 : : .auth_method = S2N_AUTHENTICATION_RSA,
542 : : .record_alg = NULL,
543 : : .all_record_algs = { &s2n_record_alg_aes256_sha_composite, &s2n_record_alg_aes256_sha },
544 : : .num_record_algs = 2,
545 : : .sslv3_record_alg = &s2n_record_alg_aes256_sslv3_sha,
546 : : .prf_alg = S2N_HMAC_SHA256,
547 : : .minimum_required_tls_version = S2N_SSLv3,
548 : : };
549 : :
550 : : struct s2n_cipher_suite s2n_ecdhe_ecdsa_with_aes_128_cbc_sha256 = /* 0xC0,0x23 */ {
551 : : .available = 0,
552 : : .name = "ECDHE-ECDSA-AES128-SHA256",
553 : : .iana_name = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
554 : : .iana_value = { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 },
555 : : .key_exchange_alg = &s2n_ecdhe,
556 : : .auth_method = S2N_AUTHENTICATION_ECDSA,
557 : : .record_alg = NULL,
558 : : .all_record_algs = { &s2n_record_alg_aes128_sha256_composite, &s2n_record_alg_aes128_sha256 },
559 : : .num_record_algs = 2,
560 : : .sslv3_record_alg = NULL,
561 : : .prf_alg = S2N_HMAC_SHA256,
562 : : .minimum_required_tls_version = S2N_TLS12,
563 : : };
564 : :
565 : : struct s2n_cipher_suite s2n_ecdhe_ecdsa_with_aes_256_cbc_sha384 = /* 0xC0,0x24 */ {
566 : : .available = 0,
567 : : .name = "ECDHE-ECDSA-AES256-SHA384",
568 : : .iana_name = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
569 : : .iana_value = { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 },
570 : : .key_exchange_alg = &s2n_ecdhe,
571 : : .auth_method = S2N_AUTHENTICATION_ECDSA,
572 : : .record_alg = NULL,
573 : : .all_record_algs = { &s2n_record_alg_aes256_sha384 },
574 : : .num_record_algs = 1,
575 : : .sslv3_record_alg = NULL,
576 : : .prf_alg = S2N_HMAC_SHA384,
577 : : .minimum_required_tls_version = S2N_TLS12,
578 : : };
579 : :
580 : : struct s2n_cipher_suite s2n_ecdhe_rsa_with_aes_128_cbc_sha256 = /* 0xC0,0x27 */ {
581 : : .available = 0,
582 : : .name = "ECDHE-RSA-AES128-SHA256",
583 : : .iana_name = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
584 : : .iana_value = { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 },
585 : : .key_exchange_alg = &s2n_ecdhe,
586 : : .auth_method = S2N_AUTHENTICATION_RSA,
587 : : .record_alg = NULL,
588 : : .all_record_algs = { &s2n_record_alg_aes128_sha256_composite, &s2n_record_alg_aes128_sha256 },
589 : : .num_record_algs = 2,
590 : : .sslv3_record_alg = NULL,
591 : : .prf_alg = S2N_HMAC_SHA256,
592 : : .minimum_required_tls_version = S2N_TLS12,
593 : : };
594 : :
595 : : struct s2n_cipher_suite s2n_ecdhe_rsa_with_aes_256_cbc_sha384 = /* 0xC0,0x28 */ {
596 : : .available = 0,
597 : : .name = "ECDHE-RSA-AES256-SHA384",
598 : : .iana_name = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
599 : : .iana_value = { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 },
600 : : .key_exchange_alg = &s2n_ecdhe,
601 : : .auth_method = S2N_AUTHENTICATION_RSA,
602 : : .record_alg = NULL,
603 : : .all_record_algs = { &s2n_record_alg_aes256_sha384 },
604 : : .num_record_algs = 1,
605 : : .sslv3_record_alg = NULL,
606 : : .prf_alg = S2N_HMAC_SHA384,
607 : : .minimum_required_tls_version = S2N_TLS12,
608 : : };
609 : :
610 : : struct s2n_cipher_suite s2n_ecdhe_ecdsa_with_aes_128_gcm_sha256 = /* 0xC0,0x2B */ {
611 : : .available = 0,
612 : : .name = "ECDHE-ECDSA-AES128-GCM-SHA256",
613 : : .iana_name = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
614 : : .iana_value = { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 },
615 : : .key_exchange_alg = &s2n_ecdhe,
616 : : .auth_method = S2N_AUTHENTICATION_ECDSA,
617 : : .record_alg = NULL,
618 : : .all_record_algs = { &s2n_record_alg_aes128_gcm },
619 : : .num_record_algs = 1,
620 : : .sslv3_record_alg = NULL,
621 : : .prf_alg = S2N_HMAC_SHA256,
622 : : .minimum_required_tls_version = S2N_TLS12,
623 : : };
624 : :
625 : : struct s2n_cipher_suite s2n_ecdhe_ecdsa_with_aes_256_gcm_sha384 = /* 0xC0,0x2C */ {
626 : : .available = 0,
627 : : .name = "ECDHE-ECDSA-AES256-GCM-SHA384",
628 : : .iana_name = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
629 : : .iana_value = { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 },
630 : : .key_exchange_alg = &s2n_ecdhe,
631 : : .auth_method = S2N_AUTHENTICATION_ECDSA,
632 : : .record_alg = NULL,
633 : : .all_record_algs = { &s2n_record_alg_aes256_gcm },
634 : : .num_record_algs = 1,
635 : : .sslv3_record_alg = NULL,
636 : : .prf_alg = S2N_HMAC_SHA384,
637 : : .minimum_required_tls_version = S2N_TLS12,
638 : : };
639 : :
640 : : struct s2n_cipher_suite s2n_ecdhe_rsa_with_aes_128_gcm_sha256 = /* 0xC0,0x2F */ {
641 : : .available = 0,
642 : : .name = "ECDHE-RSA-AES128-GCM-SHA256",
643 : : .iana_name = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
644 : : .iana_value = { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 },
645 : : .key_exchange_alg = &s2n_ecdhe,
646 : : .auth_method = S2N_AUTHENTICATION_RSA,
647 : : .record_alg = NULL,
648 : : .all_record_algs = { &s2n_record_alg_aes128_gcm },
649 : : .num_record_algs = 1,
650 : : .sslv3_record_alg = NULL,
651 : : .prf_alg = S2N_HMAC_SHA256,
652 : : .minimum_required_tls_version = S2N_TLS12,
653 : : };
654 : :
655 : : struct s2n_cipher_suite s2n_ecdhe_rsa_with_aes_256_gcm_sha384 = /* 0xC0,0x30 */ {
656 : : .available = 0,
657 : : .name = "ECDHE-RSA-AES256-GCM-SHA384",
658 : : .iana_name = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
659 : : .iana_value = { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 },
660 : : .key_exchange_alg = &s2n_ecdhe,
661 : : .auth_method = S2N_AUTHENTICATION_RSA,
662 : : .record_alg = NULL,
663 : : .all_record_algs = { &s2n_record_alg_aes256_gcm },
664 : : .num_record_algs = 1,
665 : : .sslv3_record_alg = NULL,
666 : : .prf_alg = S2N_HMAC_SHA384,
667 : : .minimum_required_tls_version = S2N_TLS12,
668 : : };
669 : :
670 : : struct s2n_cipher_suite s2n_ecdhe_rsa_with_chacha20_poly1305_sha256 = /* 0xCC,0xA8 */ {
671 : : .available = 0,
672 : : .name = "ECDHE-RSA-CHACHA20-POLY1305",
673 : : .iana_name = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
674 : : .iana_value = { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 },
675 : : .key_exchange_alg = &s2n_ecdhe,
676 : : .auth_method = S2N_AUTHENTICATION_RSA,
677 : : .record_alg = NULL,
678 : : .all_record_algs = { &s2n_record_alg_chacha20_poly1305 },
679 : : .num_record_algs = 1,
680 : : .sslv3_record_alg = NULL,
681 : : .prf_alg = S2N_HMAC_SHA256,
682 : : .minimum_required_tls_version = S2N_TLS12,
683 : : };
684 : :
685 : : struct s2n_cipher_suite s2n_ecdhe_ecdsa_with_chacha20_poly1305_sha256 = /* 0xCC,0xA9 */ {
686 : : .available = 0,
687 : : .name = "ECDHE-ECDSA-CHACHA20-POLY1305",
688 : : .iana_name = "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
689 : : .iana_value = { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 },
690 : : .key_exchange_alg = &s2n_ecdhe,
691 : : .auth_method = S2N_AUTHENTICATION_ECDSA,
692 : : .record_alg = NULL,
693 : : .all_record_algs = { &s2n_record_alg_chacha20_poly1305 },
694 : : .num_record_algs = 1,
695 : : .sslv3_record_alg = NULL,
696 : : .prf_alg = S2N_HMAC_SHA256,
697 : : .minimum_required_tls_version = S2N_TLS12,
698 : : };
699 : :
700 : : struct s2n_cipher_suite s2n_dhe_rsa_with_chacha20_poly1305_sha256 = /* 0xCC,0xAA */ {
701 : : .available = 0,
702 : : .name = "DHE-RSA-CHACHA20-POLY1305",
703 : : .iana_name = "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
704 : : .iana_value = { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 },
705 : : .key_exchange_alg = &s2n_dhe,
706 : : .auth_method = S2N_AUTHENTICATION_RSA,
707 : : .record_alg = NULL,
708 : : .all_record_algs = { &s2n_record_alg_chacha20_poly1305 },
709 : : .num_record_algs = 1,
710 : : .sslv3_record_alg = NULL,
711 : : .prf_alg = S2N_HMAC_SHA256,
712 : : .minimum_required_tls_version = S2N_TLS12,
713 : : };
714 : :
715 : : struct s2n_cipher_suite s2n_tls13_aes_128_gcm_sha256 = {
716 : : .available = 0,
717 : : .name = "TLS_AES_128_GCM_SHA256",
718 : : .iana_name = "TLS_AES_128_GCM_SHA256",
719 : : .iana_value = { TLS_AES_128_GCM_SHA256 },
720 : : .key_exchange_alg = &s2n_tls13_kex,
721 : : .auth_method = S2N_AUTHENTICATION_METHOD_TLS13,
722 : : .record_alg = NULL,
723 : : .all_record_algs = { &s2n_tls13_record_alg_aes128_gcm },
724 : : .num_record_algs = 1,
725 : : .sslv3_record_alg = NULL,
726 : : .prf_alg = S2N_HMAC_SHA256,
727 : : .minimum_required_tls_version = S2N_TLS13,
728 : : };
729 : :
730 : : struct s2n_cipher_suite s2n_tls13_aes_256_gcm_sha384 = {
731 : : .available = 0,
732 : : .name = "TLS_AES_256_GCM_SHA384",
733 : : .iana_name = "TLS_AES_256_GCM_SHA384",
734 : : .iana_value = { TLS_AES_256_GCM_SHA384 },
735 : : .key_exchange_alg = &s2n_tls13_kex,
736 : : .auth_method = S2N_AUTHENTICATION_METHOD_TLS13,
737 : : .record_alg = NULL,
738 : : .all_record_algs = { &s2n_tls13_record_alg_aes256_gcm },
739 : : .num_record_algs = 1,
740 : : .sslv3_record_alg = NULL,
741 : : .prf_alg = S2N_HMAC_SHA384,
742 : : .minimum_required_tls_version = S2N_TLS13,
743 : : };
744 : :
745 : : struct s2n_cipher_suite s2n_tls13_chacha20_poly1305_sha256 = {
746 : : .available = 0,
747 : : .name = "TLS_CHACHA20_POLY1305_SHA256",
748 : : .iana_name = "TLS_CHACHA20_POLY1305_SHA256",
749 : : .iana_value = { TLS_CHACHA20_POLY1305_SHA256 },
750 : : .key_exchange_alg = &s2n_tls13_kex,
751 : : .auth_method = S2N_AUTHENTICATION_METHOD_TLS13,
752 : : .record_alg = NULL,
753 : : .all_record_algs = { &s2n_tls13_record_alg_chacha20_poly1305 },
754 : : .num_record_algs = 1,
755 : : .sslv3_record_alg = NULL,
756 : : .prf_alg = S2N_HMAC_SHA256,
757 : : .minimum_required_tls_version = S2N_TLS13,
758 : : };
759 : :
760 : : /* All of the cipher suites that s2n negotiates in order of IANA value.
761 : : * New cipher suites MUST be added here, IN ORDER, or they will not be
762 : : * properly initialized.
763 : : */
764 : : static struct s2n_cipher_suite *s2n_all_cipher_suites[] = {
765 : : &s2n_rsa_with_rc4_128_md5, /* 0x00,0x04 */
766 : : &s2n_rsa_with_rc4_128_sha, /* 0x00,0x05 */
767 : : &s2n_rsa_with_3des_ede_cbc_sha, /* 0x00,0x0A */
768 : : &s2n_dhe_rsa_with_3des_ede_cbc_sha, /* 0x00,0x16 */
769 : : &s2n_rsa_with_aes_128_cbc_sha, /* 0x00,0x2F */
770 : : &s2n_dhe_rsa_with_aes_128_cbc_sha, /* 0x00,0x33 */
771 : : &s2n_rsa_with_aes_256_cbc_sha, /* 0x00,0x35 */
772 : : &s2n_dhe_rsa_with_aes_256_cbc_sha, /* 0x00,0x39 */
773 : : &s2n_rsa_with_aes_128_cbc_sha256, /* 0x00,0x3C */
774 : : &s2n_rsa_with_aes_256_cbc_sha256, /* 0x00,0x3D */
775 : : &s2n_dhe_rsa_with_aes_128_cbc_sha256, /* 0x00,0x67 */
776 : : &s2n_dhe_rsa_with_aes_256_cbc_sha256, /* 0x00,0x6B */
777 : : &s2n_rsa_with_aes_128_gcm_sha256, /* 0x00,0x9C */
778 : : &s2n_rsa_with_aes_256_gcm_sha384, /* 0x00,0x9D */
779 : : &s2n_dhe_rsa_with_aes_128_gcm_sha256, /* 0x00,0x9E */
780 : : &s2n_dhe_rsa_with_aes_256_gcm_sha384, /* 0x00,0x9F */
781 : :
782 : : &s2n_tls13_aes_128_gcm_sha256, /* 0x13,0x01 */
783 : : &s2n_tls13_aes_256_gcm_sha384, /* 0x13,0x02 */
784 : : &s2n_tls13_chacha20_poly1305_sha256, /* 0x13,0x03 */
785 : :
786 : : &s2n_ecdhe_ecdsa_with_aes_128_cbc_sha, /* 0xC0,0x09 */
787 : : &s2n_ecdhe_ecdsa_with_aes_256_cbc_sha, /* 0xC0,0x0A */
788 : : &s2n_ecdhe_rsa_with_rc4_128_sha, /* 0xC0,0x11 */
789 : : &s2n_ecdhe_rsa_with_3des_ede_cbc_sha, /* 0xC0,0x12 */
790 : : &s2n_ecdhe_rsa_with_aes_128_cbc_sha, /* 0xC0,0x13 */
791 : : &s2n_ecdhe_rsa_with_aes_256_cbc_sha, /* 0xC0,0x14 */
792 : : &s2n_ecdhe_ecdsa_with_aes_128_cbc_sha256, /* 0xC0,0x23 */
793 : : &s2n_ecdhe_ecdsa_with_aes_256_cbc_sha384, /* 0xC0,0x24 */
794 : : &s2n_ecdhe_rsa_with_aes_128_cbc_sha256, /* 0xC0,0x27 */
795 : : &s2n_ecdhe_rsa_with_aes_256_cbc_sha384, /* 0xC0,0x28 */
796 : : &s2n_ecdhe_ecdsa_with_aes_128_gcm_sha256, /* 0xC0,0x2B */
797 : : &s2n_ecdhe_ecdsa_with_aes_256_gcm_sha384, /* 0xC0,0x2C */
798 : : &s2n_ecdhe_rsa_with_aes_128_gcm_sha256, /* 0xC0,0x2F */
799 : : &s2n_ecdhe_rsa_with_aes_256_gcm_sha384, /* 0xC0,0x30 */
800 : : &s2n_ecdhe_rsa_with_chacha20_poly1305_sha256, /* 0xCC,0xA8 */
801 : : &s2n_ecdhe_ecdsa_with_chacha20_poly1305_sha256, /* 0xCC,0xA9 */
802 : : &s2n_dhe_rsa_with_chacha20_poly1305_sha256, /* 0xCC,0xAA */
803 : : };
804 : :
805 : : /* All supported ciphers. Exposed for integration testing. */
806 : : const struct s2n_cipher_preferences cipher_preferences_test_all = {
807 : : .count = s2n_array_len(s2n_all_cipher_suites),
808 : : .suites = s2n_all_cipher_suites,
809 : : };
810 : :
811 : : /* All TLS12 Cipher Suites */
812 : :
813 : : static struct s2n_cipher_suite *s2n_all_tls12_cipher_suites[] = {
814 : : &s2n_rsa_with_rc4_128_md5, /* 0x00,0x04 */
815 : : &s2n_rsa_with_rc4_128_sha, /* 0x00,0x05 */
816 : : &s2n_rsa_with_3des_ede_cbc_sha, /* 0x00,0x0A */
817 : : &s2n_dhe_rsa_with_3des_ede_cbc_sha, /* 0x00,0x16 */
818 : : &s2n_rsa_with_aes_128_cbc_sha, /* 0x00,0x2F */
819 : : &s2n_dhe_rsa_with_aes_128_cbc_sha, /* 0x00,0x33 */
820 : : &s2n_rsa_with_aes_256_cbc_sha, /* 0x00,0x35 */
821 : : &s2n_dhe_rsa_with_aes_256_cbc_sha, /* 0x00,0x39 */
822 : : &s2n_rsa_with_aes_128_cbc_sha256, /* 0x00,0x3C */
823 : : &s2n_rsa_with_aes_256_cbc_sha256, /* 0x00,0x3D */
824 : : &s2n_dhe_rsa_with_aes_128_cbc_sha256, /* 0x00,0x67 */
825 : : &s2n_dhe_rsa_with_aes_256_cbc_sha256, /* 0x00,0x6B */
826 : : &s2n_rsa_with_aes_128_gcm_sha256, /* 0x00,0x9C */
827 : : &s2n_rsa_with_aes_256_gcm_sha384, /* 0x00,0x9D */
828 : : &s2n_dhe_rsa_with_aes_128_gcm_sha256, /* 0x00,0x9E */
829 : : &s2n_dhe_rsa_with_aes_256_gcm_sha384, /* 0x00,0x9F */
830 : :
831 : : &s2n_ecdhe_ecdsa_with_aes_128_cbc_sha, /* 0xC0,0x09 */
832 : : &s2n_ecdhe_ecdsa_with_aes_256_cbc_sha, /* 0xC0,0x0A */
833 : : &s2n_ecdhe_rsa_with_rc4_128_sha, /* 0xC0,0x11 */
834 : : &s2n_ecdhe_rsa_with_3des_ede_cbc_sha, /* 0xC0,0x12 */
835 : : &s2n_ecdhe_rsa_with_aes_128_cbc_sha, /* 0xC0,0x13 */
836 : : &s2n_ecdhe_rsa_with_aes_256_cbc_sha, /* 0xC0,0x14 */
837 : : &s2n_ecdhe_ecdsa_with_aes_128_cbc_sha256, /* 0xC0,0x23 */
838 : : &s2n_ecdhe_ecdsa_with_aes_256_cbc_sha384, /* 0xC0,0x24 */
839 : : &s2n_ecdhe_rsa_with_aes_128_cbc_sha256, /* 0xC0,0x27 */
840 : : &s2n_ecdhe_rsa_with_aes_256_cbc_sha384, /* 0xC0,0x28 */
841 : : &s2n_ecdhe_ecdsa_with_aes_128_gcm_sha256, /* 0xC0,0x2B */
842 : : &s2n_ecdhe_ecdsa_with_aes_256_gcm_sha384, /* 0xC0,0x2C */
843 : : &s2n_ecdhe_rsa_with_aes_128_gcm_sha256, /* 0xC0,0x2F */
844 : : &s2n_ecdhe_rsa_with_aes_256_gcm_sha384, /* 0xC0,0x30 */
845 : : &s2n_ecdhe_rsa_with_chacha20_poly1305_sha256, /* 0xCC,0xA8 */
846 : : &s2n_ecdhe_ecdsa_with_chacha20_poly1305_sha256, /* 0xCC,0xA9 */
847 : : &s2n_dhe_rsa_with_chacha20_poly1305_sha256, /* 0xCC,0xAA */
848 : : };
849 : :
850 : : const struct s2n_cipher_preferences cipher_preferences_test_all_tls12 = {
851 : : .count = s2n_array_len(s2n_all_tls12_cipher_suites),
852 : : .suites = s2n_all_tls12_cipher_suites,
853 : : };
854 : :
855 : : /* All of the cipher suites that s2n can negotiate when in FIPS mode,
856 : : * in order of IANA value. Exposed for the "test_all_fips" cipher preference list.
857 : : */
858 : : static struct s2n_cipher_suite *s2n_all_fips_cipher_suites[] = {
859 : : &s2n_dhe_rsa_with_aes_128_cbc_sha, /* 0x00,0x33 */
860 : : &s2n_dhe_rsa_with_aes_256_cbc_sha, /* 0x00,0x39 */
861 : : &s2n_dhe_rsa_with_aes_128_cbc_sha256, /* 0x00,0x67 */
862 : : &s2n_dhe_rsa_with_aes_256_cbc_sha256, /* 0x00,0x6B */
863 : : &s2n_dhe_rsa_with_aes_128_gcm_sha256, /* 0x00,0x9E */
864 : : &s2n_dhe_rsa_with_aes_256_gcm_sha384, /* 0x00,0x9F */
865 : : &s2n_tls13_aes_128_gcm_sha256, /* 0x13,0x01 */
866 : : &s2n_tls13_aes_256_gcm_sha384, /* 0x13,0x02 */
867 : : &s2n_ecdhe_ecdsa_with_aes_128_cbc_sha, /* 0xC0,0x09 */
868 : : &s2n_ecdhe_ecdsa_with_aes_256_cbc_sha, /* 0xC0,0x0A */
869 : : &s2n_ecdhe_rsa_with_aes_128_cbc_sha, /* 0xC0,0x13 */
870 : : &s2n_ecdhe_rsa_with_aes_256_cbc_sha, /* 0xC0,0x14 */
871 : : &s2n_ecdhe_ecdsa_with_aes_128_cbc_sha256, /* 0xC0,0x23 */
872 : : &s2n_ecdhe_ecdsa_with_aes_256_cbc_sha384, /* 0xC0,0x24 */
873 : : &s2n_ecdhe_rsa_with_aes_128_cbc_sha256, /* 0xC0,0x27 */
874 : : &s2n_ecdhe_rsa_with_aes_256_cbc_sha384, /* 0xC0,0x28 */
875 : : &s2n_ecdhe_ecdsa_with_aes_128_gcm_sha256, /* 0xC0,0x2B */
876 : : &s2n_ecdhe_ecdsa_with_aes_256_gcm_sha384, /* 0xC0,0x2C */
877 : : &s2n_ecdhe_rsa_with_aes_128_gcm_sha256, /* 0xC0,0x2F */
878 : : &s2n_ecdhe_rsa_with_aes_256_gcm_sha384, /* 0xC0,0x30 */
879 : : };
880 : :
881 : : /* All supported FIPS ciphers. Exposed for integration testing. */
882 : : const struct s2n_cipher_preferences cipher_preferences_test_all_fips = {
883 : : .count = s2n_array_len(s2n_all_fips_cipher_suites),
884 : : .suites = s2n_all_fips_cipher_suites,
885 : : };
886 : :
887 : : /* All of the ECDSA cipher suites that s2n can negotiate, in order of IANA
888 : : * value. Exposed for the "test_all_ecdsa" cipher preference list.
889 : : */
890 : : static struct s2n_cipher_suite *s2n_all_ecdsa_cipher_suites[] = {
891 : : &s2n_ecdhe_ecdsa_with_aes_128_cbc_sha, /* 0xC0,0x09 */
892 : : &s2n_ecdhe_ecdsa_with_aes_256_cbc_sha, /* 0xC0,0x0A */
893 : : &s2n_ecdhe_ecdsa_with_aes_128_cbc_sha256, /* 0xC0,0x23 */
894 : : &s2n_ecdhe_ecdsa_with_aes_256_cbc_sha384, /* 0xC0,0x24 */
895 : : &s2n_ecdhe_ecdsa_with_aes_128_gcm_sha256, /* 0xC0,0x2B */
896 : : &s2n_ecdhe_ecdsa_with_aes_256_gcm_sha384, /* 0xC0,0x2C */
897 : : &s2n_ecdhe_ecdsa_with_chacha20_poly1305_sha256, /* 0xCC,0xA9 */
898 : : };
899 : :
900 : : /* All supported ECDSA cipher suites. Exposed for integration testing. */
901 : : const struct s2n_cipher_preferences cipher_preferences_test_all_ecdsa = {
902 : : .count = s2n_array_len(s2n_all_ecdsa_cipher_suites),
903 : : .suites = s2n_all_ecdsa_cipher_suites,
904 : : };
905 : :
906 : : /* All cipher suites that uses RSA key exchange. Exposed for unit or integration tests. */
907 : : static struct s2n_cipher_suite *s2n_all_rsa_kex_cipher_suites[] = {
908 : : &s2n_rsa_with_aes_128_cbc_sha, /* 0x00,0x2F */
909 : : &s2n_rsa_with_rc4_128_md5, /* 0x00,0x04 */
910 : : &s2n_rsa_with_rc4_128_sha, /* 0x00,0x05 */
911 : : &s2n_rsa_with_3des_ede_cbc_sha, /* 0x00,0x0A */
912 : : &s2n_rsa_with_aes_128_cbc_sha, /* 0x00,0x2F */
913 : : &s2n_rsa_with_aes_256_cbc_sha, /* 0x00,0x35 */
914 : : &s2n_rsa_with_aes_128_cbc_sha256, /* 0x00,0x3C */
915 : : &s2n_rsa_with_aes_256_cbc_sha256, /* 0x00,0x3D */
916 : : &s2n_rsa_with_aes_128_gcm_sha256, /* 0x00,0x9C */
917 : : &s2n_rsa_with_aes_256_gcm_sha384, /* 0x00,0x9D */
918 : : };
919 : :
920 : : /* Cipher preferences with rsa key exchange. Exposed for unit and integration tests. */
921 : : const struct s2n_cipher_preferences cipher_preferences_test_all_rsa_kex = {
922 : : .count = s2n_array_len(s2n_all_rsa_kex_cipher_suites),
923 : : .suites = s2n_all_rsa_kex_cipher_suites,
924 : : };
925 : :
926 : : /* All ECDSA cipher suites first, then the rest of the supported ciphers that s2n can negotiate.
927 : : * Exposed for the "test_ecdsa_priority" cipher preference list.
928 : : */
929 : : static struct s2n_cipher_suite *s2n_ecdsa_priority_cipher_suites[] = {
930 : : &s2n_ecdhe_ecdsa_with_aes_128_cbc_sha, /* 0xC0,0x09 */
931 : : &s2n_ecdhe_ecdsa_with_aes_256_cbc_sha, /* 0xC0,0x0A */
932 : : &s2n_ecdhe_ecdsa_with_aes_128_cbc_sha256, /* 0xC0,0x23 */
933 : : &s2n_ecdhe_ecdsa_with_aes_256_cbc_sha384, /* 0xC0,0x24 */
934 : : &s2n_ecdhe_ecdsa_with_aes_128_gcm_sha256, /* 0xC0,0x2B */
935 : : &s2n_ecdhe_ecdsa_with_aes_256_gcm_sha384, /* 0xC0,0x2C */
936 : : &s2n_ecdhe_ecdsa_with_chacha20_poly1305_sha256, /* 0xCC,0xA9 */
937 : : &s2n_rsa_with_rc4_128_md5, /* 0x00,0x04 */
938 : : &s2n_rsa_with_rc4_128_sha, /* 0x00,0x05 */
939 : : &s2n_rsa_with_3des_ede_cbc_sha, /* 0x00,0x0A */
940 : : &s2n_dhe_rsa_with_3des_ede_cbc_sha, /* 0x00,0x16 */
941 : : &s2n_rsa_with_aes_128_cbc_sha, /* 0x00,0x2F */
942 : : &s2n_dhe_rsa_with_aes_128_cbc_sha, /* 0x00,0x33 */
943 : : &s2n_rsa_with_aes_256_cbc_sha, /* 0x00,0x35 */
944 : : &s2n_dhe_rsa_with_aes_256_cbc_sha, /* 0x00,0x39 */
945 : : &s2n_rsa_with_aes_128_cbc_sha256, /* 0x00,0x3C */
946 : : &s2n_rsa_with_aes_256_cbc_sha256, /* 0x00,0x3D */
947 : : &s2n_dhe_rsa_with_aes_128_cbc_sha256, /* 0x00,0x67 */
948 : : &s2n_dhe_rsa_with_aes_256_cbc_sha256, /* 0x00,0x6B */
949 : : &s2n_rsa_with_aes_128_gcm_sha256, /* 0x00,0x9C */
950 : : &s2n_rsa_with_aes_256_gcm_sha384, /* 0x00,0x9D */
951 : : &s2n_dhe_rsa_with_aes_128_gcm_sha256, /* 0x00,0x9E */
952 : : &s2n_dhe_rsa_with_aes_256_gcm_sha384, /* 0x00,0x9F */
953 : : &s2n_ecdhe_rsa_with_rc4_128_sha, /* 0xC0,0x11 */
954 : : &s2n_ecdhe_rsa_with_3des_ede_cbc_sha, /* 0xC0,0x12 */
955 : : &s2n_ecdhe_rsa_with_aes_128_cbc_sha, /* 0xC0,0x13 */
956 : : &s2n_ecdhe_rsa_with_aes_256_cbc_sha, /* 0xC0,0x14 */
957 : : &s2n_ecdhe_rsa_with_aes_128_cbc_sha256, /* 0xC0,0x27 */
958 : : &s2n_ecdhe_rsa_with_aes_256_cbc_sha384, /* 0xC0,0x28 */
959 : : &s2n_ecdhe_rsa_with_aes_128_gcm_sha256, /* 0xC0,0x2F */
960 : : &s2n_ecdhe_rsa_with_aes_256_gcm_sha384, /* 0xC0,0x30 */
961 : : &s2n_ecdhe_rsa_with_chacha20_poly1305_sha256, /* 0xCC,0xA8 */
962 : : &s2n_dhe_rsa_with_chacha20_poly1305_sha256, /* 0xCC,0xAA */
963 : : };
964 : :
965 : : /* All cipher suites, but with ECDSA priority. Exposed for integration testing. */
966 : : const struct s2n_cipher_preferences cipher_preferences_test_ecdsa_priority = {
967 : : .count = s2n_array_len(s2n_ecdsa_priority_cipher_suites),
968 : : .suites = s2n_ecdsa_priority_cipher_suites,
969 : : };
970 : :
971 : : static struct s2n_cipher_suite *s2n_all_tls13_cipher_suites[] = {
972 : : &s2n_tls13_aes_128_gcm_sha256, /* 0x13,0x01 */
973 : : &s2n_tls13_aes_256_gcm_sha384, /* 0x13,0x02 */
974 : : &s2n_tls13_chacha20_poly1305_sha256, /* 0x13,0x03 */
975 : : };
976 : :
977 : : const struct s2n_cipher_preferences cipher_preferences_test_all_tls13 = {
978 : : .count = s2n_array_len(s2n_all_tls13_cipher_suites),
979 : : .suites = s2n_all_tls13_cipher_suites,
980 : : };
981 : :
982 : : static bool should_init_crypto = true;
983 : : static bool crypto_initialized = false;
984 : : int s2n_crypto_disable_init(void)
985 : 0 : {
986 [ # # ][ # # ]: 0 : POSIX_ENSURE(!crypto_initialized, S2N_ERR_INITIALIZED);
987 : 0 : should_init_crypto = false;
988 : 0 : return S2N_SUCCESS;
989 : 0 : }
990 : :
991 : : /* Determines cipher suite availability and selects record algorithms */
992 : : int s2n_cipher_suites_init(void)
993 : 545 : {
994 : 545 : const int num_cipher_suites = s2n_array_len(s2n_all_cipher_suites);
995 [ + + ]: 20165 : for (int i = 0; i < num_cipher_suites; i++) {
996 : 19620 : struct s2n_cipher_suite *cur_suite = s2n_all_cipher_suites[i];
997 : 19620 : cur_suite->available = 0;
998 : 19620 : cur_suite->record_alg = NULL;
999 : :
1000 : : /* Find the highest priority supported record algorithm */
1001 [ + + ]: 21255 : for (int j = 0; j < cur_suite->num_record_algs; j++) {
1002 : : /* Can we use the record algorithm's cipher? Won't be available if the system CPU architecture
1003 : : * doesn't support it or if the libcrypto lacks the feature. All hmac_algs are supported.
1004 : : */
1005 [ + + ]: 19620 : if (cur_suite->all_record_algs[j]->cipher->is_available()) {
1006 : : /* Found a supported record algorithm. Use it. */
1007 : 17985 : cur_suite->available = 1;
1008 : 17985 : cur_suite->record_alg = cur_suite->all_record_algs[j];
1009 : 17985 : break;
1010 : 17985 : }
1011 : 19620 : }
1012 : :
1013 : : /* Mark PQ cipher suites as unavailable if PQ is disabled */
1014 [ - + ][ # # ]: 19620 : if (s2n_kex_includes(cur_suite->key_exchange_alg, &s2n_kem) && !s2n_pq_is_enabled()) {
1015 : 0 : cur_suite->available = 0;
1016 : 0 : cur_suite->record_alg = NULL;
1017 : 0 : }
1018 : :
1019 : : /* Initialize SSLv3 cipher suite if SSLv3 utilizes a different record algorithm */
1020 [ + + ][ + + ]: 19620 : if (cur_suite->sslv3_record_alg && cur_suite->sslv3_record_alg->cipher->is_available()) {
1021 : 5995 : struct s2n_blob cur_suite_mem = { 0 };
1022 [ - + ]: 5995 : POSIX_GUARD(s2n_blob_init(&cur_suite_mem, (uint8_t *) cur_suite, sizeof(struct s2n_cipher_suite)));
1023 : 5995 : struct s2n_blob new_suite_mem = { 0 };
1024 [ - + ]: 5995 : POSIX_GUARD(s2n_dup(&cur_suite_mem, &new_suite_mem));
1025 : :
1026 : 5995 : struct s2n_cipher_suite *new_suite = (struct s2n_cipher_suite *) (void *) new_suite_mem.data;
1027 : 5995 : new_suite->available = 1;
1028 : 5995 : new_suite->record_alg = cur_suite->sslv3_record_alg;
1029 : 5995 : cur_suite->sslv3_cipher_suite = new_suite;
1030 : 13625 : } else {
1031 : 13625 : cur_suite->sslv3_cipher_suite = cur_suite;
1032 : 13625 : }
1033 : 19620 : }
1034 : :
1035 [ + - ]: 545 : if (should_init_crypto) {
1036 : : #if !S2N_OPENSSL_VERSION_AT_LEAST(1, 1, 0)
1037 : : /*https://wiki.openssl.org/index.php/Manual:OpenSSL_add_all_algorithms(3)*/
1038 : : OpenSSL_add_all_algorithms();
1039 : : #else
1040 : 545 : OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS | OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
1041 : 545 : #endif
1042 : 545 : }
1043 : :
1044 : 545 : crypto_initialized = true;
1045 : :
1046 : 545 : return S2N_SUCCESS;
1047 : 545 : }
1048 : :
1049 : : /* Reset any selected record algorithms */
1050 : : S2N_RESULT s2n_cipher_suites_cleanup(void)
1051 : 576 : {
1052 : 576 : const int num_cipher_suites = s2n_array_len(s2n_all_cipher_suites);
1053 [ + + ]: 21312 : for (int i = 0; i < num_cipher_suites; i++) {
1054 : 20736 : struct s2n_cipher_suite *cur_suite = s2n_all_cipher_suites[i];
1055 : 20736 : cur_suite->available = 0;
1056 : 20736 : cur_suite->record_alg = NULL;
1057 : :
1058 : : /* Release custom SSLv3 cipher suites */
1059 [ + + ]: 20736 : if (cur_suite->sslv3_cipher_suite != cur_suite) {
1060 [ - + ]: 7111 : RESULT_GUARD_POSIX(s2n_free_object((uint8_t **) &cur_suite->sslv3_cipher_suite, sizeof(struct s2n_cipher_suite)));
1061 : 7111 : }
1062 : 20736 : cur_suite->sslv3_cipher_suite = NULL;
1063 : 20736 : }
1064 : :
1065 [ + - ]: 576 : if (should_init_crypto) {
1066 : : #if !S2N_OPENSSL_VERSION_AT_LEAST(1, 1, 0)
1067 : : /*https://wiki.openssl.org/index.php/Manual:OpenSSL_add_all_algorithms(3)*/
1068 : : EVP_cleanup();
1069 : :
1070 : : /* per the reqs here https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_init_crypto.html we don't explicitly call
1071 : : * cleanup in later versions */
1072 : : #endif
1073 : 576 : }
1074 : 576 : return S2N_RESULT_OK;
1075 : 576 : }
1076 : :
1077 : : S2N_RESULT s2n_cipher_suite_from_iana(const uint8_t *iana, size_t iana_len, struct s2n_cipher_suite **cipher_suite)
1078 : 66018 : {
1079 [ + + ][ + - ]: 66018 : RESULT_ENSURE_REF(cipher_suite);
1080 : 66017 : *cipher_suite = NULL;
1081 [ + + ][ + - ]: 66017 : RESULT_ENSURE_REF(iana);
1082 [ + - ][ + + ]: 66016 : RESULT_ENSURE_EQ(iana_len, S2N_TLS_CIPHER_SUITE_LEN);
1083 : :
1084 : 66014 : int low = 0;
1085 : 66014 : int top = s2n_array_len(s2n_all_cipher_suites) - 1;
1086 : :
1087 : : /* Perform a textbook binary search */
1088 [ + + ]: 413496 : while (low <= top) {
1089 : : /* Check in the middle */
1090 : 347995 : size_t mid = low + ((top - low) / 2);
1091 : 347995 : int m = memcmp(s2n_all_cipher_suites[mid]->iana_value, iana, S2N_TLS_CIPHER_SUITE_LEN);
1092 : :
1093 [ + + ]: 347995 : if (m == 0) {
1094 : 513 : *cipher_suite = s2n_all_cipher_suites[mid];
1095 : 513 : return S2N_RESULT_OK;
1096 [ + + ]: 347482 : } else if (m > 0) {
1097 : 146451 : top = mid - 1;
1098 [ + - ]: 201031 : } else if (m < 0) {
1099 : 201031 : low = mid + 1;
1100 : 201031 : }
1101 : 347995 : }
1102 [ + - ]: 65501 : RESULT_BAIL(S2N_ERR_CIPHER_NOT_SUPPORTED);
1103 : 65501 : }
1104 : :
1105 : : int s2n_set_cipher_as_client(struct s2n_connection *conn, uint8_t wire[S2N_TLS_CIPHER_SUITE_LEN])
1106 : 7211 : {
1107 [ # # ][ - + ]: 7211 : POSIX_ENSURE_REF(conn);
1108 [ # # ][ - + ]: 7211 : POSIX_ENSURE_REF(conn->secure);
1109 [ - + ][ # # ]: 7211 : POSIX_ENSURE_REF(conn->secure->cipher_suite);
1110 : :
1111 : 7211 : const struct s2n_security_policy *security_policy = NULL;
1112 [ - + ]: 7211 : POSIX_GUARD(s2n_connection_get_security_policy(conn, &security_policy));
1113 [ # # ][ - + ]: 7211 : POSIX_ENSURE_REF(security_policy);
1114 : :
1115 : : /**
1116 : : * Ensure that the wire cipher suite is contained in the security
1117 : : * policy, and thus was offered by the client.
1118 : : *
1119 : : *= https://www.rfc-editor.org/rfc/rfc8446#4.1.3
1120 : : *# A client which receives a
1121 : : *# cipher suite that was not offered MUST abort the handshake with an
1122 : : *# "illegal_parameter" alert.
1123 : : *
1124 : : *= https://www.rfc-editor.org/rfc/rfc8446#4.1.4
1125 : : *# A client which receives a cipher suite that was not offered MUST
1126 : : *# abort the handshake.
1127 : : *
1128 : : *= https://www.rfc-editor.org/rfc/rfc8446#4.1.4
1129 : : *# Upon receipt of a HelloRetryRequest, the client MUST check the
1130 : : *# legacy_version, legacy_session_id_echo, cipher_suite
1131 : : **/
1132 : 7211 : struct s2n_cipher_suite *cipher_suite = NULL;
1133 [ + + ]: 20028 : for (size_t i = 0; i < security_policy->cipher_preferences->count; i++) {
1134 : 20024 : const uint8_t *ours = security_policy->cipher_preferences->suites[i]->iana_value;
1135 [ + + ]: 20024 : if (s2n_constant_time_equals(wire, ours, S2N_TLS_CIPHER_SUITE_LEN)) {
1136 : 7207 : cipher_suite = security_policy->cipher_preferences->suites[i];
1137 : 7207 : break;
1138 : 7207 : }
1139 : 20024 : }
1140 [ + + ][ + - ]: 7211 : POSIX_ENSURE(cipher_suite != NULL, S2N_ERR_CIPHER_NOT_SUPPORTED);
1141 : :
1142 [ - + ][ # # ]: 7207 : POSIX_ENSURE(cipher_suite->available, S2N_ERR_CIPHER_NOT_SUPPORTED);
1143 : :
1144 : : /** Clients MUST verify
1145 : : *= https://www.rfc-editor.org/rfc/rfc8446#section-4.2.11
1146 : : *# that the server selected a cipher suite
1147 : : *# indicating a Hash associated with the PSK
1148 : : **/
1149 [ + + ]: 7207 : if (conn->psk_params.chosen_psk) {
1150 [ + + ][ + - ]: 594 : POSIX_ENSURE(cipher_suite->prf_alg == conn->psk_params.chosen_psk->hmac_alg,
1151 : 594 : S2N_ERR_CIPHER_NOT_SUPPORTED);
1152 : 594 : }
1153 : :
1154 : : /**
1155 : : *= https://www.rfc-editor.org/rfc/rfc8446#4.1.4
1156 : : *# Upon receiving
1157 : : *# the ServerHello, clients MUST check that the cipher suite supplied in
1158 : : *# the ServerHello is the same as that in the HelloRetryRequest and
1159 : : *# otherwise abort the handshake with an "illegal_parameter" alert.
1160 : : **/
1161 [ + + ][ + + ]: 7206 : if (s2n_is_hello_retry_handshake(conn) && !s2n_is_hello_retry_message(conn)) {
1162 [ + - ][ + + ]: 620 : POSIX_ENSURE(conn->secure->cipher_suite->iana_value == cipher_suite->iana_value, S2N_ERR_CIPHER_NOT_SUPPORTED);
1163 : 619 : return S2N_SUCCESS;
1164 : 620 : }
1165 : :
1166 : 6586 : conn->secure->cipher_suite = cipher_suite;
1167 : :
1168 : : /* For SSLv3 use SSLv3-specific ciphers */
1169 [ + + ]: 6586 : if (conn->actual_protocol_version == S2N_SSLv3) {
1170 : 98 : conn->secure->cipher_suite = conn->secure->cipher_suite->sslv3_cipher_suite;
1171 [ - + ][ # # ]: 98 : POSIX_ENSURE_REF(conn->secure->cipher_suite);
1172 : 98 : }
1173 : :
1174 : 6586 : return 0;
1175 : 6586 : }
1176 : :
1177 : : static int s2n_wire_ciphers_contain(const uint8_t *match, const uint8_t *wire, uint32_t count, uint32_t cipher_suite_len)
1178 : 18620 : {
1179 [ + + ]: 184332 : for (size_t i = 0; i < count; i++) {
1180 : 182332 : const uint8_t *theirs = wire + (i * cipher_suite_len) + (cipher_suite_len - S2N_TLS_CIPHER_SUITE_LEN);
1181 : :
1182 [ + + ]: 182332 : if (s2n_constant_time_equals(match, theirs, S2N_TLS_CIPHER_SUITE_LEN)) {
1183 : 16620 : return 1;
1184 : 16620 : }
1185 : 182332 : }
1186 : :
1187 : 2000 : return 0;
1188 : 18620 : }
1189 : :
1190 : : bool s2n_cipher_suite_uses_chacha20_alg(struct s2n_cipher_suite *cipher_suite)
1191 : 28 : {
1192 [ + - ][ + - ]: 28 : return cipher_suite && cipher_suite->record_alg && cipher_suite->record_alg->cipher == &s2n_chacha20_poly1305;
[ + + ]
1193 : 28 : }
1194 : :
1195 : : /* Iff the server has enabled allow_chacha20_boosting and the client has a chacha20 cipher suite as its most
1196 : : * preferred cipher suite, then we have mutual chacha20 boosting support.
1197 : : */
1198 : : static S2N_RESULT s2n_validate_chacha20_boosting(const struct s2n_cipher_preferences *cipher_preferences, const uint8_t *wire,
1199 : : uint32_t cipher_suite_len)
1200 : 7418 : {
1201 [ - + ][ # # ]: 7418 : RESULT_ENSURE_REF(cipher_preferences);
1202 [ # # ][ - + ]: 7418 : RESULT_ENSURE_REF(wire);
1203 : :
1204 [ + - ][ + + ]: 7418 : RESULT_ENSURE_EQ(cipher_preferences->allow_chacha20_boosting, true);
1205 : :
1206 : 9 : const uint8_t *clients_first_cipher_iana = wire + cipher_suite_len - S2N_TLS_CIPHER_SUITE_LEN;
1207 : :
1208 : 9 : struct s2n_cipher_suite *client_first_cipher_suite = NULL;
1209 [ - + ]: 9 : RESULT_GUARD(s2n_cipher_suite_from_iana(clients_first_cipher_iana, S2N_TLS_CIPHER_SUITE_LEN, &client_first_cipher_suite));
1210 [ - + ][ # # ]: 9 : RESULT_ENSURE_REF(client_first_cipher_suite);
1211 : :
1212 [ + + ][ + - ]: 9 : RESULT_ENSURE_EQ(s2n_cipher_suite_uses_chacha20_alg(client_first_cipher_suite), true);
1213 : 7 : return S2N_RESULT_OK;
1214 : 9 : }
1215 : :
1216 : : static int s2n_set_cipher_as_server(struct s2n_connection *conn, uint8_t *wire, uint32_t count, uint32_t cipher_suite_len)
1217 : 7420 : {
1218 [ - + ][ # # ]: 7420 : POSIX_ENSURE_REF(conn);
1219 [ - + ][ # # ]: 7420 : POSIX_ENSURE_REF(conn->secure);
1220 : :
1221 : 7420 : uint8_t renegotiation_info_scsv[S2N_TLS_CIPHER_SUITE_LEN] = { TLS_EMPTY_RENEGOTIATION_INFO_SCSV };
1222 : 7420 : struct s2n_cipher_suite *higher_vers_match = NULL;
1223 : 7420 : struct s2n_cipher_suite *non_chacha20_match = NULL;
1224 : :
1225 : : /* RFC 7507 - If client is attempting to negotiate a TLS Version that is lower than the highest supported server
1226 : : * version, and the client cipher list contains TLS_FALLBACK_SCSV, then the server must abort the connection since
1227 : : * TLS_FALLBACK_SCSV should only be present when the client previously failed to negotiate a higher TLS version.
1228 : : */
1229 [ + + ]: 7420 : if (conn->client_protocol_version < conn->server_protocol_version) {
1230 : 146 : uint8_t fallback_scsv[S2N_TLS_CIPHER_SUITE_LEN] = { TLS_FALLBACK_SCSV };
1231 [ + + ]: 146 : if (s2n_wire_ciphers_contain(fallback_scsv, wire, count, cipher_suite_len)) {
1232 [ + - ]: 1 : POSIX_BAIL(S2N_ERR_FALLBACK_DETECTED);
1233 : 1 : }
1234 : 146 : }
1235 : :
1236 [ + + ]: 7419 : if (s2n_wire_ciphers_contain(renegotiation_info_scsv, wire, count, cipher_suite_len)) {
1237 : : /** For renegotiation handshakes:
1238 : : *= https://www.rfc-editor.org/rfc/rfc5746#3.7
1239 : : *# o When a ClientHello is received, the server MUST verify that it
1240 : : *# does not contain the TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. If
1241 : : *# the SCSV is present, the server MUST abort the handshake.
1242 : : */
1243 [ + + ][ + - ]: 7034 : POSIX_ENSURE(!s2n_handshake_is_renegotiation(conn), S2N_ERR_BAD_MESSAGE);
1244 : :
1245 : : /** For initial handshakes:
1246 : : *= https://www.rfc-editor.org/rfc/rfc5746#3.6
1247 : : *# o When a ClientHello is received, the server MUST check if it
1248 : : *# includes the TLS_EMPTY_RENEGOTIATION_INFO_SCSV SCSV. If it does,
1249 : : *# set the secure_renegotiation flag to TRUE.
1250 : : */
1251 : 7033 : conn->secure_renegotiation = 1;
1252 : 7033 : }
1253 : :
1254 : 7418 : const struct s2n_security_policy *security_policy = NULL;
1255 [ - + ]: 7418 : POSIX_GUARD(s2n_connection_get_security_policy(conn, &security_policy));
1256 : :
1257 : 7418 : const struct s2n_cipher_preferences *cipher_preferences = security_policy->cipher_preferences;
1258 [ # # ][ - + ]: 7418 : POSIX_ENSURE_REF(cipher_preferences);
1259 : :
1260 : 7418 : bool try_chacha20_boosting = s2n_result_is_ok(s2n_validate_chacha20_boosting(cipher_preferences, wire, cipher_suite_len));
1261 : :
1262 : : /*
1263 : : * s2n only respects server preference order and chooses the server's
1264 : : * most preferred mutually supported cipher suite.
1265 : : *
1266 : : * If chacha20 boosting is enabled, we prefer chacha20 cipher suites over all
1267 : : * other cipher suites.
1268 : : *
1269 : : * If no mutually supported cipher suites are found, we choose one with a version
1270 : : * too high for the current connection (higher_vers_match).
1271 : : */
1272 [ + + ]: 11082 : for (size_t i = 0; i < cipher_preferences->count; i++) {
1273 : 11055 : const uint8_t *ours = cipher_preferences->suites[i]->iana_value;
1274 : :
1275 [ + + ]: 11055 : if (s2n_wire_ciphers_contain(ours, wire, count, cipher_suite_len)) {
1276 : : /* We have a match */
1277 : 9585 : struct s2n_cipher_suite *match = cipher_preferences->suites[i];
1278 : :
1279 : : /* Never use TLS1.3 ciphers on a pre-TLS1.3 connection, and vice versa */
1280 [ + + ]: 9585 : if ((conn->actual_protocol_version >= S2N_TLS13) != (match->minimum_required_tls_version >= S2N_TLS13)) {
1281 : 517 : continue;
1282 : 517 : }
1283 : :
1284 : : /* If connection is for SSLv3, use SSLv3 version of suites */
1285 [ + + ]: 9068 : if (conn->actual_protocol_version == S2N_SSLv3) {
1286 : 119 : match = match->sslv3_cipher_suite;
1287 : 119 : }
1288 : :
1289 : : /* Skip the suite if we don't have an available implementation */
1290 [ + + ]: 9068 : if (!match->available) {
1291 : 16 : continue;
1292 : 16 : }
1293 : :
1294 : : /* Make sure the cipher is valid for available certs */
1295 [ + + ]: 9052 : if (s2n_is_cipher_suite_valid_for_auth(conn, match) != S2N_SUCCESS) {
1296 : 1611 : continue;
1297 : 1611 : }
1298 : :
1299 : : /* If the kex is not supported continue to the next candidate */
1300 : 7441 : bool kex_supported = false;
1301 [ - + ]: 7441 : POSIX_GUARD_RESULT(s2n_kex_supported(match, conn, &kex_supported));
1302 [ + + ]: 7441 : if (!kex_supported) {
1303 : 20 : continue;
1304 : 20 : }
1305 : : /* If the kex is not configured correctly continue to the next candidate */
1306 [ - + ]: 7421 : if (s2n_result_is_error(s2n_configure_kex(match, conn))) {
1307 : 0 : continue;
1308 : 0 : }
1309 : :
1310 : : /**
1311 : : *= https://www.rfc-editor.org/rfc/rfc8446#section-4.2.11
1312 : : *# The server MUST ensure that it selects a compatible PSK
1313 : : *# (if any) and cipher suite.
1314 : : **/
1315 [ + + ]: 7421 : if (conn->psk_params.chosen_psk != NULL) {
1316 [ + + ]: 1085 : if (match->prf_alg != conn->psk_params.chosen_psk->hmac_alg) {
1317 : 17 : continue;
1318 : 17 : }
1319 : 1085 : }
1320 : :
1321 : : /* Don't immediately choose a cipher the connection shouldn't be able to support */
1322 [ + + ]: 7404 : if (conn->actual_protocol_version < match->minimum_required_tls_version) {
1323 [ + - ]: 6 : if (!higher_vers_match) {
1324 : 6 : higher_vers_match = match;
1325 : 6 : }
1326 : 6 : continue;
1327 : 6 : }
1328 : :
1329 : : /* The server and client have chacha20 boosting support enabled AND the server identified a negotiable match */
1330 [ + + ]: 7398 : if (try_chacha20_boosting) {
1331 [ + + ]: 13 : if (s2n_cipher_suite_uses_chacha20_alg(match)) {
1332 : 6 : conn->secure->cipher_suite = match;
1333 : 6 : return S2N_SUCCESS;
1334 : 6 : }
1335 : :
1336 : : /* Save the valid non-chacha20 match in case no valid chacha20 match is found */
1337 [ + + ]: 7 : if (!non_chacha20_match) {
1338 : 6 : non_chacha20_match = match;
1339 : 6 : }
1340 : 7 : continue;
1341 : 13 : }
1342 : :
1343 : 7385 : conn->secure->cipher_suite = match;
1344 : 7385 : return S2N_SUCCESS;
1345 : 7398 : }
1346 : 11055 : }
1347 : :
1348 [ - + ]: 27 : if (non_chacha20_match) {
1349 : 0 : conn->secure->cipher_suite = non_chacha20_match;
1350 : 0 : return S2N_SUCCESS;
1351 : 0 : }
1352 : :
1353 : : /* Settle for a cipher with a higher required proto version, if it was set */
1354 [ + + ]: 27 : if (higher_vers_match) {
1355 : 6 : conn->secure->cipher_suite = higher_vers_match;
1356 : 6 : return S2N_SUCCESS;
1357 : 6 : }
1358 : :
1359 [ + - ]: 21 : POSIX_BAIL(S2N_ERR_CIPHER_NOT_SUPPORTED);
1360 : 21 : }
1361 : :
1362 : : int s2n_set_cipher_as_sslv2_server(struct s2n_connection *conn, uint8_t *wire, uint16_t count)
1363 : 6 : {
1364 : 6 : return s2n_set_cipher_as_server(conn, wire, count, S2N_SSLv2_CIPHER_SUITE_LEN);
1365 : 6 : }
1366 : :
1367 : : int s2n_set_cipher_as_tls_server(struct s2n_connection *conn, uint8_t *wire, uint16_t count)
1368 : 7414 : {
1369 : 7414 : return s2n_set_cipher_as_server(conn, wire, count, S2N_TLS_CIPHER_SUITE_LEN);
1370 : 7414 : }
1371 : :
1372 : : bool s2n_cipher_suite_requires_ecc_extension(struct s2n_cipher_suite *cipher)
1373 : 1166762 : {
1374 [ - + ]: 1166762 : if (!cipher) {
1375 : 0 : return false;
1376 : 0 : }
1377 : :
1378 : : /* TLS1.3 does not include key exchange algorithms in its cipher suites,
1379 : : * but the elliptic curves extension is always required. */
1380 [ + + ]: 1166762 : if (cipher->minimum_required_tls_version >= S2N_TLS13) {
1381 : 106744 : return true;
1382 : 106744 : }
1383 : :
1384 [ + + ]: 1060018 : if (s2n_kex_includes(cipher->key_exchange_alg, &s2n_ecdhe)) {
1385 : 586165 : return true;
1386 : 586165 : }
1387 : :
1388 : 473853 : return false;
1389 : 1060018 : }
1390 : :
1391 : : bool s2n_cipher_suite_requires_pq_extension(struct s2n_cipher_suite *cipher)
1392 : 1030596 : {
1393 [ - + ]: 1030596 : if (!cipher) {
1394 : 0 : return false;
1395 : 0 : }
1396 : :
1397 [ - + ]: 1030596 : if (s2n_kex_includes(cipher->key_exchange_alg, &s2n_kem)) {
1398 : 0 : return true;
1399 : 0 : }
1400 : 1030596 : return false;
1401 : 1030596 : }
|
