1 /* $OpenBSD: ssl_ciphers.c,v 1.15 2022/07/02 16:31:04 tb Exp $ */
2 /*
3 * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org>
4 * Copyright (c) 2015-2018, 2020 Joel Sing <jsing@openbsd.org>
5 * Copyright (c) 2019 Theo Buehler <tb@openbsd.org>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20 #include <openssl/safestack.h>
21
22 #include "bytestring.h"
23 #include "ssl_locl.h"
24
25 int
ssl_cipher_in_list(STACK_OF (SSL_CIPHER)* ciphers,const SSL_CIPHER * cipher)26 ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher)
27 {
28 int i;
29
30 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
31 if (sk_SSL_CIPHER_value(ciphers, i)->id == cipher->id)
32 return 1;
33 }
34
35 return 0;
36 }
37
38 int
ssl_cipher_allowed_in_tls_version_range(const SSL_CIPHER * cipher,uint16_t min_ver,uint16_t max_ver)39 ssl_cipher_allowed_in_tls_version_range(const SSL_CIPHER *cipher, uint16_t min_ver,
40 uint16_t max_ver)
41 {
42 switch(cipher->algorithm_ssl) {
43 case SSL_SSLV3:
44 return (min_ver <= TLS1_2_VERSION);
45 case SSL_TLSV1_2:
46 return (min_ver <= TLS1_2_VERSION && TLS1_2_VERSION <= max_ver);
47 case SSL_TLSV1_3:
48 return (min_ver <= TLS1_3_VERSION && TLS1_3_VERSION <= max_ver);
49 }
50 return 0;
51 }
52
53 int
ssl_cipher_list_to_bytes(SSL * s,STACK_OF (SSL_CIPHER)* ciphers,CBB * cbb)54 ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb)
55 {
56 SSL_CIPHER *cipher;
57 int num_ciphers = 0;
58 uint16_t min_vers, max_vers;
59 int i;
60
61 if (ciphers == NULL)
62 return 0;
63
64 if (!ssl_supported_tls_version_range(s, &min_vers, &max_vers))
65 return 0;
66
67 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
68 if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL)
69 return 0;
70 if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers,
71 max_vers))
72 continue;
73 if (!ssl_security_cipher_check(s, cipher))
74 continue;
75 if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher)))
76 return 0;
77
78 num_ciphers++;
79 }
80
81 /* Add SCSV if there are other ciphers and we're not renegotiating. */
82 if (num_ciphers > 0 && !s->internal->renegotiate) {
83 if (!CBB_add_u16(cbb, SSL3_CK_SCSV & SSL3_CK_VALUE_MASK))
84 return 0;
85 }
86
87 if (!CBB_flush(cbb))
88 return 0;
89
90 return 1;
91 }
92
STACK_OF(SSL_CIPHER)93 STACK_OF(SSL_CIPHER) *
94 ssl_bytes_to_cipher_list(SSL *s, CBS *cbs)
95 {
96 STACK_OF(SSL_CIPHER) *ciphers = NULL;
97 const SSL_CIPHER *cipher;
98 uint16_t cipher_value;
99 unsigned long cipher_id;
100
101 s->s3->send_connection_binding = 0;
102
103 if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL) {
104 SSLerror(s, ERR_R_MALLOC_FAILURE);
105 goto err;
106 }
107
108 while (CBS_len(cbs) > 0) {
109 if (!CBS_get_u16(cbs, &cipher_value)) {
110 SSLerror(s, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
111 goto err;
112 }
113
114 cipher_id = SSL3_CK_ID | cipher_value;
115
116 if (cipher_id == SSL3_CK_SCSV) {
117 /*
118 * TLS_EMPTY_RENEGOTIATION_INFO_SCSV is fatal if
119 * renegotiating.
120 */
121 if (s->internal->renegotiate) {
122 SSLerror(s, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
123 ssl3_send_alert(s, SSL3_AL_FATAL,
124 SSL_AD_HANDSHAKE_FAILURE);
125
126 goto err;
127 }
128 s->s3->send_connection_binding = 1;
129 continue;
130 }
131
132 if (cipher_id == SSL3_CK_FALLBACK_SCSV) {
133 /*
134 * TLS_FALLBACK_SCSV indicates that the client
135 * previously tried a higher protocol version.
136 * Fail if the current version is an unexpected
137 * downgrade.
138 */
139 if (s->s3->hs.negotiated_tls_version <
140 s->s3->hs.our_max_tls_version) {
141 SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
142 ssl3_send_alert(s, SSL3_AL_FATAL,
143 SSL_AD_INAPPROPRIATE_FALLBACK);
144 goto err;
145 }
146 continue;
147 }
148
149 if ((cipher = ssl3_get_cipher_by_value(cipher_value)) != NULL) {
150 if (!sk_SSL_CIPHER_push(ciphers, cipher)) {
151 SSLerror(s, ERR_R_MALLOC_FAILURE);
152 goto err;
153 }
154 }
155 }
156
157 return (ciphers);
158
159 err:
160 sk_SSL_CIPHER_free(ciphers);
161
162 return (NULL);
163 }
164
165 struct ssl_tls13_ciphersuite {
166 const char *name;
167 const char *alias;
168 unsigned long cid;
169 };
170
171 static const struct ssl_tls13_ciphersuite ssl_tls13_ciphersuites[] = {
172 {
173 .name = TLS1_3_RFC_AES_128_GCM_SHA256,
174 .alias = TLS1_3_TXT_AES_128_GCM_SHA256,
175 .cid = TLS1_3_CK_AES_128_GCM_SHA256,
176 },
177 {
178 .name = TLS1_3_RFC_AES_256_GCM_SHA384,
179 .alias = TLS1_3_TXT_AES_256_GCM_SHA384,
180 .cid = TLS1_3_CK_AES_256_GCM_SHA384,
181 },
182 {
183 .name = TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
184 .alias = TLS1_3_TXT_CHACHA20_POLY1305_SHA256,
185 .cid = TLS1_3_CK_CHACHA20_POLY1305_SHA256,
186 },
187 {
188 .name = TLS1_3_RFC_AES_128_CCM_SHA256,
189 .alias = TLS1_3_TXT_AES_128_CCM_SHA256,
190 .cid = TLS1_3_CK_AES_128_CCM_SHA256,
191 },
192 {
193 .name = TLS1_3_RFC_AES_128_CCM_8_SHA256,
194 .alias = TLS1_3_TXT_AES_128_CCM_8_SHA256,
195 .cid = TLS1_3_CK_AES_128_CCM_8_SHA256,
196 },
197 {
198 .name = NULL,
199 },
200 };
201
202 int
ssl_parse_ciphersuites(STACK_OF (SSL_CIPHER)** out_ciphers,const char * str)203 ssl_parse_ciphersuites(STACK_OF(SSL_CIPHER) **out_ciphers, const char *str)
204 {
205 const struct ssl_tls13_ciphersuite *ciphersuite;
206 STACK_OF(SSL_CIPHER) *ciphers;
207 const SSL_CIPHER *cipher;
208 char *s = NULL;
209 char *p, *q;
210 int i;
211 int ret = 0;
212
213 if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL)
214 goto err;
215
216 /* An empty string is valid and means no ciphers. */
217 if (strcmp(str, "") == 0)
218 goto done;
219
220 if ((s = strdup(str)) == NULL)
221 goto err;
222
223 q = s;
224 while ((p = strsep(&q, ":")) != NULL) {
225 ciphersuite = &ssl_tls13_ciphersuites[0];
226 for (i = 0; ciphersuite->name != NULL; i++) {
227 if (strcmp(p, ciphersuite->name) == 0)
228 break;
229 if (strcmp(p, ciphersuite->alias) == 0)
230 break;
231 ciphersuite = &ssl_tls13_ciphersuites[i];
232 }
233 if (ciphersuite->name == NULL)
234 goto err;
235
236 /* We know about the cipher suite, but it is not supported. */
237 if ((cipher = ssl3_get_cipher_by_id(ciphersuite->cid)) == NULL)
238 continue;
239
240 if (!sk_SSL_CIPHER_push(ciphers, cipher))
241 goto err;
242 }
243
244 done:
245 sk_SSL_CIPHER_free(*out_ciphers);
246 *out_ciphers = ciphers;
247 ciphers = NULL;
248 ret = 1;
249
250 err:
251 sk_SSL_CIPHER_free(ciphers);
252 free(s);
253
254 return ret;
255 }
256
257 int
ssl_merge_cipherlists(STACK_OF (SSL_CIPHER)* cipherlist,STACK_OF (SSL_CIPHER)* cipherlist_tls13,STACK_OF (SSL_CIPHER)** out_cipherlist)258 ssl_merge_cipherlists(STACK_OF(SSL_CIPHER) *cipherlist,
259 STACK_OF(SSL_CIPHER) *cipherlist_tls13,
260 STACK_OF(SSL_CIPHER) **out_cipherlist)
261 {
262 STACK_OF(SSL_CIPHER) *ciphers = NULL;
263 const SSL_CIPHER *cipher;
264 int i, ret = 0;
265
266 if ((ciphers = sk_SSL_CIPHER_dup(cipherlist_tls13)) == NULL)
267 goto err;
268 for (i = 0; i < sk_SSL_CIPHER_num(cipherlist); i++) {
269 cipher = sk_SSL_CIPHER_value(cipherlist, i);
270 if (cipher->algorithm_ssl == SSL_TLSV1_3)
271 continue;
272 if (!sk_SSL_CIPHER_push(ciphers, cipher))
273 goto err;
274 }
275
276 sk_SSL_CIPHER_free(*out_cipherlist);
277 *out_cipherlist = ciphers;
278 ciphers = NULL;
279
280 ret = 1;
281
282 err:
283 sk_SSL_CIPHER_free(ciphers);
284
285 return ret;
286 }
287