File Coverage

src/ssl/ssl_client_full.c

Criterion	Covered	Total	%
statement	24	24	100.0
branch	2	2	100.0
condition			n/a
subroutine			n/a
pod			n/a
total	26	26	100.0

line	stmt	bran	code
1			/*
2			* Copyright (c) 2016 Thomas Pornin
3			*
4			* Permission is hereby granted, free of charge, to any person obtaining
5			* a copy of this software and associated documentation files (the
6			* "Software"), to deal in the Software without restriction, including
7			* without limitation the rights to use, copy, modify, merge, publish,
8			* distribute, sublicense, and/or sell copies of the Software, and to
9			* permit persons to whom the Software is furnished to do so, subject to
10			* the following conditions:
11			*
12			* The above copyright notice and this permission notice shall be
13			* included in all copies or substantial portions of the Software.
14			*
15			* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16			* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17			* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18			* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19			* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20			* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21			* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22			* SOFTWARE.
23			*/
24
25			#include "inner.h"
26
27			/* see bearssl_ssl.h */
28			void
29	1		br_ssl_client_init_full(br_ssl_client_context *cc,
30			br_x509_minimal_context *xc,
31			const br_x509_trust_anchor *trust_anchors, size_t trust_anchors_num)
32			{
33			/*
34			* The "full" profile supports all implemented cipher suites.
35			*
36			* Rationale for suite order, from most important to least
37			* important rule:
38			*
39			* -- Don't use 3DES if AES or ChaCha20 is available.
40			* -- Try to have Forward Secrecy (ECDHE suite) if possible.
41			* -- When not using Forward Secrecy, ECDH key exchange is
42			* better than RSA key exchange (slightly more expensive on the
43			* client, but much cheaper on the server, and it implies smaller
44			* messages).
45			* -- ChaCha20+Poly1305 is better than AES/GCM (faster, smaller code).
46			* -- GCM is better than CCM and CBC. CCM is better than CBC.
47			* -- CCM is preferable over CCM_8 (with CCM_8, forgeries may succeed
48			* with probability 2^(-64)).
49			* -- AES-128 is preferred over AES-256 (AES-128 is already
50			* strong enough, and AES-256 is 40% more expensive).
51			*/
52			static const uint16_t suites[] = {
53			BR_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
54			BR_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
55			BR_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
56			BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
57			BR_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
58			BR_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
59			BR_TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
60			BR_TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
61			BR_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
62			BR_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
63			BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
64			BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
65			BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
66			BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
67			BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
68			BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
69			BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
70			BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
71			BR_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
72			BR_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
73			BR_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
74			BR_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
75			BR_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
76			BR_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
77			BR_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
78			BR_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
79			BR_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
80			BR_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
81			BR_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
82			BR_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
83			BR_TLS_RSA_WITH_AES_128_GCM_SHA256,
84			BR_TLS_RSA_WITH_AES_256_GCM_SHA384,
85			BR_TLS_RSA_WITH_AES_128_CCM,
86			BR_TLS_RSA_WITH_AES_256_CCM,
87			BR_TLS_RSA_WITH_AES_128_CCM_8,
88			BR_TLS_RSA_WITH_AES_256_CCM_8,
89			BR_TLS_RSA_WITH_AES_128_CBC_SHA256,
90			BR_TLS_RSA_WITH_AES_256_CBC_SHA256,
91			BR_TLS_RSA_WITH_AES_128_CBC_SHA,
92			BR_TLS_RSA_WITH_AES_256_CBC_SHA,
93			BR_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
94			BR_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
95			BR_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
96			BR_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
97			BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA
98			};
99
100			/*
101			* All hash functions are activated.
102			* Note: the X.509 validation engine will nonetheless refuse to
103			* validate signatures that use MD5 as hash function.
104			*/
105			static const br_hash_class *hashes[] = {
106			&br_md5_vtable,
107			&br_sha1_vtable,
108			&br_sha224_vtable,
109			&br_sha256_vtable,
110			&br_sha384_vtable,
111			&br_sha512_vtable
112			};
113
114			int id;
115
116			/*
117			* Reset client context and set supported versions from TLS-1.0
118			* to TLS-1.2 (inclusive).
119			*/
120	1		br_ssl_client_zero(cc);
121	1		br_ssl_engine_set_versions(&cc->eng, BR_TLS10, BR_TLS12);
122
123			/*
124			* X.509 engine uses SHA-256 to hash certificate DN (for
125			* comparisons).
126			*/
127	1		br_x509_minimal_init(xc, &br_sha256_vtable,
128			trust_anchors, trust_anchors_num);
129
130			/*
131			* Set suites and asymmetric crypto implementations. We use the
132			* "i31" code for RSA (it is somewhat faster than the "i32"
133			* implementation).
134			* TODO: change that when better implementations are made available.
135			*/
136	1		br_ssl_engine_set_suites(&cc->eng, suites,
137			(sizeof suites) / (sizeof suites[0]));
138	1		br_ssl_client_set_default_rsapub(cc);
139	1		br_ssl_engine_set_default_rsavrfy(&cc->eng);
140	1		br_ssl_engine_set_default_ecdsa(&cc->eng);
141	1		br_x509_minimal_set_rsa(xc, br_ssl_engine_get_rsavrfy(&cc->eng));
142	1		br_x509_minimal_set_ecdsa(xc,
143			br_ssl_engine_get_ec(&cc->eng),
144			br_ssl_engine_get_ecdsa(&cc->eng));
145
146			/*
147			* Set supported hash functions, for the SSL engine and for the
148			* X.509 engine.
149			*/
150	7	100	for (id = br_md5_ID; id <= br_sha512_ID; id ++) {
151			const br_hash_class *hc;
152
153	6		hc = hashes[id - 1];
154	6		br_ssl_engine_set_hash(&cc->eng, id, hc);
155	6		br_x509_minimal_set_hash(xc, id, hc);
156			}
157
158			/*
159			* Link the X.509 engine in the SSL engine.
160			*/
161	1		br_ssl_engine_set_x509(&cc->eng, &xc->vtable);
162
163			/*
164			* Set the PRF implementations.
165			*/
166	1		br_ssl_engine_set_prf10(&cc->eng, &br_tls10_prf);
167	1		br_ssl_engine_set_prf_sha256(&cc->eng, &br_tls12_sha256_prf);
168	1		br_ssl_engine_set_prf_sha384(&cc->eng, &br_tls12_sha384_prf);
169
170			/*
171			* Symmetric encryption. We use the "default" implementations
172			* (fastest among constant-time implementations).
173			*/
174	1		br_ssl_engine_set_default_aes_cbc(&cc->eng);
175	1		br_ssl_engine_set_default_aes_ccm(&cc->eng);
176	1		br_ssl_engine_set_default_aes_gcm(&cc->eng);
177	1		br_ssl_engine_set_default_des_cbc(&cc->eng);
178	1		br_ssl_engine_set_default_chapol(&cc->eng);
179	1		}