1/* 2 * Copyright (c) 1999-2001,2005-2014 Apple Inc. All Rights Reserved. 3 * 4 * @APPLE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. Please obtain a copy of the License at 10 * http://www.opensource.apple.com/apsl/ and read it before using this 11 * file. 12 * 13 * The Original Code and all software distributed under the License are 14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 18 * Please see the License for the specific language governing rights and 19 * limitations under the License. 20 * 21 * @APPLE_LICENSE_HEADER_END@ 22 */ 23 24/* 25 * cipherSpecs.c - SSLCipherSpec declarations 26 */ 27 28#include "sslBuildFlags.h" 29#include "sslContext.h" 30#include "sslCipherSpecs.h" 31#include "sslDebug.h" 32#include "sslMemory.h" 33#include "sslDebug.h" 34#include "sslUtils.h" 35#include "sslPriv.h" 36 37#include <tls_handshake.h> 38 39#include <string.h> 40#include <assert.h> 41#include <Security/SecBase.h> 42 43#include <TargetConditionals.h> 44 45 46/* SecureTransport needs it's own copy of KnownCipherSuites for now, there is a copy in coreTLS, 47 that is exported, but it actually should only included the "default" not the supported */ 48 49#define ENABLE_ECDH 1 50#define ENABLE_AES_GCM 0 51#define ENABLE_PSK 1 52 53static const uint16_t STKnownCipherSuites[] = { 54#if ENABLE_AES_GCM 55 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 56 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 57#endif 58 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 59 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 60 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 61 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 62 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 63#if ENABLE_AES_GCM 64 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 65 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 66#endif 67 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 68 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 69 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 70 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 71 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 72#if ENABLE_ECDH 73#if ENABLE_AES_GCM 74 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, 75 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, 76#endif 77 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, 78 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, 79 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 80 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 81 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, 82#if ENABLE_AES_GCM 83 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, 84 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, 85#endif 86 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, 87 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, 88 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, 89 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, 90 TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, 91#endif 92 93#if ENABLE_AES_GCM 94 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, 95 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, 96#endif // ENABLE_AES_GCM 97 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, 98 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, 99 TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 100 TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 101 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 102 103#if ENABLE_AES_GCM 104 TLS_RSA_WITH_AES_256_GCM_SHA384, 105 TLS_RSA_WITH_AES_128_GCM_SHA256, 106#endif 107 TLS_RSA_WITH_AES_256_CBC_SHA256, 108 TLS_RSA_WITH_AES_128_CBC_SHA256, 109 TLS_RSA_WITH_AES_256_CBC_SHA, 110 TLS_RSA_WITH_AES_128_CBC_SHA, 111 SSL_RSA_WITH_3DES_EDE_CBC_SHA, 112 113#if ENABLE_RC4 114 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 115 TLS_ECDHE_RSA_WITH_RC4_128_SHA, 116 TLS_ECDH_ECDSA_WITH_RC4_128_SHA, 117 TLS_ECDH_RSA_WITH_RC4_128_SHA, 118 SSL_RSA_WITH_RC4_128_SHA, 119 SSL_RSA_WITH_RC4_128_MD5, 120#endif 121 122 123 /* Unsafe ciphersuites */ 124 125#if ENABLE_AES_GCM 126 TLS_DH_anon_WITH_AES_256_GCM_SHA384, 127 TLS_DH_anon_WITH_AES_128_GCM_SHA256, 128#endif 129 TLS_DH_anon_WITH_AES_128_CBC_SHA256, 130 TLS_DH_anon_WITH_AES_256_CBC_SHA256, 131 TLS_DH_anon_WITH_AES_128_CBC_SHA, 132 TLS_DH_anon_WITH_AES_256_CBC_SHA, 133 SSL_DH_anon_WITH_RC4_128_MD5, 134 SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, 135 136 TLS_ECDHE_ECDSA_WITH_NULL_SHA, 137 TLS_ECDHE_RSA_WITH_NULL_SHA, 138#if ENABLE_ECDH 139 TLS_ECDH_ECDSA_WITH_NULL_SHA, 140 TLS_ECDH_RSA_WITH_NULL_SHA, 141#endif 142 143#if ENABLE_PSK 144 TLS_PSK_WITH_AES_256_CBC_SHA384, 145 TLS_PSK_WITH_AES_128_CBC_SHA256, 146 TLS_PSK_WITH_AES_256_CBC_SHA, 147 TLS_PSK_WITH_AES_128_CBC_SHA, 148 TLS_PSK_WITH_RC4_128_SHA, 149 TLS_PSK_WITH_3DES_EDE_CBC_SHA, 150 TLS_PSK_WITH_NULL_SHA384, 151 TLS_PSK_WITH_NULL_SHA256, 152 TLS_PSK_WITH_NULL_SHA, 153#endif 154 155 TLS_RSA_WITH_NULL_SHA256, 156 SSL_RSA_WITH_NULL_SHA, 157 SSL_RSA_WITH_NULL_MD5 158 159}; 160 161static const unsigned STCipherSuiteCount = sizeof(STKnownCipherSuites)/sizeof(STKnownCipherSuites[0]); 162 163 164/* 165 * Build ctx->validCipherSpecs as a copy of KnownCipherSpecs, assuming that 166 * validCipherSpecs is currently not valid (i.e., SSLSetEnabledCiphers() has 167 * not been called). 168 */ 169OSStatus sslBuildCipherSuiteArray(SSLContext *ctx) 170{ 171 size_t size; 172 unsigned dex; 173 174 assert(ctx != NULL); 175 assert(ctx->validCipherSuites == NULL); 176 177 ctx->numValidCipherSuites = STCipherSuiteCount; 178 size = STCipherSuiteCount * sizeof(uint16_t); 179 ctx->validCipherSuites = (uint16_t *)sslMalloc(size); 180 if(ctx->validCipherSuites == NULL) { 181 ctx->numValidCipherSuites = 0; 182 return errSecAllocate; 183 } 184 185 /* 186 * Trim out inappropriate ciphers: 187 * -- trim anonymous ciphers if !ctx->anonCipherEnable 188 * -- trim ECDSA ciphers for server side if appropriate 189 * -- trim ECDSA ciphers if TLSv1 disable or SSLv2 enabled (since 190 * we MUST do the Client Hello extensions to make these ciphers 191 * work reliably) 192 * -- trim Stream ciphers if DTLSv1 enable 193 * -- trim CBC ciphers when doing SSLv3 fallback 194 */ 195 uint16_t *dst = ctx->validCipherSuites; 196 const uint16_t *src = STKnownCipherSuites; 197 198 bool trimECDSA = false; 199 if((ctx->protocolSide==kSSLServerSide) && !SSL_ECDSA_SERVER) { 200 trimECDSA = true; 201 } 202 if(ctx->minProtocolVersion == SSL_Version_2_0 203 || ctx->maxProtocolVersion == SSL_Version_3_0) { 204 /* We trim ECDSA cipher suites if SSL2 is enabled or 205 The maximum allowed protocol is SSL3. Note that this 206 won't trim ECDSA cipherspecs for DTLS which should be 207 the right thing to do here. */ 208 trimECDSA = true; 209 } 210 211 /* trim Stream Ciphers for DTLS */ 212 bool trimRC4 = ctx->isDTLS; 213 214 /* trim CBC cipher when doing SSLv3 only fallback */ 215 bool trimCBC = (ctx->protocolSide==kSSLClientSide) 216 && (ctx->maxProtocolVersion == SSL_Version_3_0) 217 && ctx->fallbackEnabled; 218 219 bool trimDHE = (ctx->protocolSide==kSSLServerSide) && 220 !ctx->dhParamsEncoded.length; 221 222 for(dex=0; dex<STCipherSuiteCount; dex++) { 223 KeyExchangeMethod kem = sslCipherSuiteGetKeyExchangeMethod(*src); 224 uint8_t keySize = sslCipherSuiteGetSymmetricCipherKeySize(*src); 225 HMAC_Algs mac = sslCipherSuiteGetMacAlgorithm(*src); 226 SSL_CipherAlgorithm cipher = sslCipherSuiteGetSymmetricCipherAlgorithm(*src); 227 /* First skip ECDSA ciphers as appropriate */ 228 switch(kem) { 229 case SSL_ECDH_ECDSA: 230 case SSL_ECDHE_ECDSA: 231 case SSL_ECDH_RSA: 232 case SSL_ECDHE_RSA: 233 case SSL_ECDH_anon: 234 if(trimECDSA) { 235 /* Skip this one */ 236 ctx->numValidCipherSuites--; 237 src++; 238 continue; 239 } 240 else { 241 break; 242 } 243 default: 244 break; 245 } 246 if(!ctx->anonCipherEnable) { 247 /* trim out the anonymous (and null-auth-cipher) ciphers */ 248 if(mac == HA_Null) { 249 /* skip this one */ 250 ctx->numValidCipherSuites--; 251 src++; 252 continue; 253 } 254 switch(kem) { 255 case SSL_DH_anon: 256 case SSL_DH_anon_EXPORT: 257 case SSL_ECDH_anon: 258 /* skip this one */ 259 ctx->numValidCipherSuites--; 260 src++; 261 continue; 262 default: 263 break; 264 } 265 } 266 if(ctx->falseStartEnabled) { 267 switch(kem){ 268 case SSL_ECDHE_ECDSA: 269 case SSL_ECDHE_RSA: 270 case SSL_DHE_RSA: 271 case SSL_DHE_DSS: 272 /* Ok for false start */ 273 break; 274 default: 275 /* Not ok, skip */ 276 ctx->numValidCipherSuites--; 277 src++; 278 continue; 279 } 280 switch(cipher) { 281 case SSL_CipherAlgorithmAES_128_CBC: 282 case SSL_CipherAlgorithmAES_128_GCM: 283 case SSL_CipherAlgorithmAES_256_CBC: 284 case SSL_CipherAlgorithmAES_256_GCM: 285 case SSL_CipherAlgorithmRC4_128: 286 /* Ok for false start */ 287 break; 288 default: 289 /* Not ok, skip*/ 290 ctx->numValidCipherSuites--; 291 src++; 292 continue; 293 } 294 } 295 296 /* This will skip the simple DES cipher suites, but not the NULL cipher ones */ 297 if (keySize == 8) 298 { 299 /* skip this one */ 300 ctx->numValidCipherSuites--; 301 src++; 302 continue; 303 } 304 305 /* Trim PSK ciphersuites, they need to be enabled explicitely */ 306 if (kem==TLS_PSK) { 307 ctx->numValidCipherSuites--; 308 src++; 309 continue; 310 } 311 312 if (trimDHE) { 313 switch(kem) { 314 case SSL_DHE_DSS: 315 case SSL_DHE_DSS_EXPORT: 316 case SSL_DHE_RSA: 317 case SSL_DHE_RSA_EXPORT: 318 /* skip this one */ 319 ctx->numValidCipherSuites--; 320 src++; 321 continue; 322 default: 323 break; 324 } 325 } 326 327 if (trimRC4 && (cipher==SSL_CipherAlgorithmRC4_128)) { 328 ctx->numValidCipherSuites--; 329 src++; 330 continue; 331 } 332 333 if(trimCBC) { 334 switch (cipher) { 335 case SSL_CipherAlgorithmAES_128_CBC: 336 case SSL_CipherAlgorithmAES_256_CBC: 337 case SSL_CipherAlgorithm3DES_CBC: 338 ctx->numValidCipherSuites--; 339 src++; 340 continue; 341 default: 342 break; 343 } 344 } 345 346 if(cipher==SSL_CipherAlgorithmNull) { 347 ctx->numValidCipherSuites--; 348 src++; 349 continue; 350 } 351 352 /* This one is good to go */ 353 *dst++ = *src++; 354 } 355 356 // sslAnalyzeCipherSpecs(ctx); 357 358 tls_handshake_set_ciphersuites(ctx->hdsk, ctx->validCipherSuites, ctx->numValidCipherSuites); 359 360 return errSecSuccess; 361} 362 363 364/* 365 * Convert an array of SSLCipherSuites (which is always KnownCipherSpecs) 366 * to an array of SSLCipherSuites. 367 */ 368static OSStatus 369cipherSuitesToCipherSuites( 370 size_t numCipherSuites, 371 const uint16_t *cipherSuites, 372 SSLCipherSuite *ciphers, /* RETURNED */ 373 size_t *numCiphers) /* IN/OUT */ 374{ 375 size_t i; 376 if(*numCiphers < numCipherSuites) { 377 return errSSLBufferOverflow; 378 } 379 380 /* NOTE: this is required to go from uint16_t to SSLCipherSuite 381 which is either 32 or 16 bits, depending on the platform */ 382 for(i=0;i<numCipherSuites; i++) { 383 ciphers[i]=cipherSuites[i]; 384 } 385 *numCiphers = numCipherSuites; 386 return errSecSuccess; 387} 388 389/*** 390 *** Publically exported functions declared in SecureTransport.h 391 ***/ 392 393/* 394 * Determine number and values of all of the SSLCipherSuites we support. 395 * Caller allocates output buffer for SSLGetSupportedCiphers() and passes in 396 * its size in *numCiphers. If supplied buffer is too small, errSSLBufferOverflow 397 * will be returned. 398 */ 399OSStatus 400SSLGetNumberSupportedCiphers (SSLContextRef ctx, 401 size_t *numCiphers) 402{ 403 if((ctx == NULL) || (numCiphers == NULL)) { 404 return errSecParam; 405 } 406 *numCiphers = STCipherSuiteCount; 407 return errSecSuccess; 408} 409 410OSStatus 411SSLGetSupportedCiphers (SSLContextRef ctx, 412 SSLCipherSuite *ciphers, /* RETURNED */ 413 size_t *numCiphers) /* IN/OUT */ 414{ 415 if((ctx == NULL) || (ciphers == NULL) || (numCiphers == NULL)) { 416 return errSecParam; 417 } 418 return cipherSuitesToCipherSuites(STCipherSuiteCount, 419 STKnownCipherSuites, 420 ciphers, 421 numCiphers); 422} 423 424/* 425 * Specify a (typically) restricted set of SSLCipherSuites to be enabled by 426 * the current SSLContext. Can only be called when no session is active. Default 427 * set of enabled SSLCipherSuites is NOT the same as the complete set of supported 428 * SSLCipherSuites as obtained by SSLGetSupportedCiphers(). 429 */ 430OSStatus 431SSLSetEnabledCiphers (SSLContextRef ctx, 432 const SSLCipherSuite *ciphers, 433 size_t numCiphers) 434{ 435 size_t size; 436 unsigned foundCiphers=0; 437 unsigned callerDex; 438 unsigned tableDex; 439 440 if((ctx == NULL) || (ciphers == NULL) || (numCiphers == 0)) { 441 return errSecParam; 442 } 443 if(sslIsSessionActive(ctx)) { 444 /* can't do this with an active session */ 445 return errSecBadReq; 446 } 447 size = numCiphers * sizeof(uint16_t); 448 ctx->validCipherSuites = (uint16_t *)sslMalloc(size); 449 if(ctx->validCipherSuites == NULL) { 450 ctx->numValidCipherSuites = 0; 451 return errSecAllocate; 452 } 453 454 /* 455 * Run thru caller's specs, keep only the supported ones. 456 */ 457 for(callerDex=0; callerDex<numCiphers; callerDex++) { 458 /* find matching CipherSpec in our known table */ 459 for(tableDex=0; tableDex<STCipherSuiteCount; tableDex++) { 460 if(ciphers[callerDex] == STKnownCipherSuites[tableDex]) { 461 ctx->validCipherSuites[foundCiphers] = STKnownCipherSuites[tableDex]; 462 foundCiphers++; 463 break; 464 } 465 } 466 } 467 468 if(foundCiphers==0) { 469 /* caller specified only unsupported ciphersuites */ 470 sslFree(ctx->validCipherSuites); 471 ctx->validCipherSuites = NULL; 472 return errSSLBadCipherSuite; 473 } 474 475 /* success */ 476 ctx->numValidCipherSuites = foundCiphers; 477 478 tls_handshake_set_ciphersuites(ctx->hdsk, ctx->validCipherSuites, ctx->numValidCipherSuites); 479 480 return errSecSuccess; 481} 482 483/* 484 * Determine number and values of all of the SSLCipherSuites currently enabled. 485 * Caller allocates output buffer for SSLGetEnabledCiphers() and passes in 486 * its size in *numCiphers. If supplied buffer is too small, errSSLBufferOverflow 487 * will be returned. 488 */ 489OSStatus 490SSLGetNumberEnabledCiphers (SSLContextRef ctx, 491 size_t *numCiphers) 492{ 493 if((ctx == NULL) || (numCiphers == NULL)) { 494 return errSecParam; 495 } 496 if(ctx->validCipherSuites == NULL) { 497 /* hasn't been set; use default */ 498 *numCiphers = STCipherSuiteCount; 499 } 500 else { 501 /* caller set via SSLSetEnabledCiphers */ 502 *numCiphers = ctx->numValidCipherSuites; 503 } 504 return errSecSuccess; 505} 506 507OSStatus 508SSLGetEnabledCiphers (SSLContextRef ctx, 509 SSLCipherSuite *ciphers, /* RETURNED */ 510 size_t *numCiphers) /* IN/OUT */ 511{ 512 if((ctx == NULL) || (ciphers == NULL) || (numCiphers == NULL)) { 513 return errSecParam; 514 } 515 if(ctx->validCipherSuites == NULL) { 516 /* hasn't been set; use default */ 517 return cipherSuitesToCipherSuites(STCipherSuiteCount, 518 STKnownCipherSuites, 519 ciphers, 520 numCiphers); 521 } 522 else { 523 /* use the ones specified in SSLSetEnabledCiphers() */ 524 return cipherSuitesToCipherSuites(ctx->numValidCipherSuites, 525 ctx->validCipherSuites, 526 ciphers, 527 numCiphers); 528 } 529} 530