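/* $OpenBSD: ssl_ciphers.c,v 1.9 2020/09/15 15:28:38 schwarze Exp $ */
/*
 * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org>
 * Copyright (c) 2015-2018, 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2019 Theo Buehler <tb@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <openssl/safestack.h>

#include "bytestring.h"
#include "ssl_locl.h"

/*
 * Report whether a cipher with the same id as `cipher` is present in
 * `ciphers`.
 *
 * Returns 1 when a matching id is found and 0 otherwise.
 *
 * NOTE(review): `cipher` and every stack entry are dereferenced without a
 * NULL check, so callers must pass a non-NULL cipher and a stack that holds
 * no NULL entries.
 */
int
ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher)
{
	int i;

	for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
		if (sk_SSL_CIPHER_value(ciphers, i)->id == cipher->id)
			return 1;
	}

	return 0;
}

/*
 * Decide whether `cipher` may be used given the protocol version range
 * [min_ver, max_ver].
 *
 * Returns 1 when the cipher is allowed and 0 otherwise. A cipher whose
 * algorithm_ssl is none of the three values handled below is never allowed.
 */
int
ssl_cipher_allowed_in_version_range(const SSL_CIPHER *cipher, uint16_t min_ver,
    uint16_t max_ver)
{
	/* XXX: We only support DTLSv1 which is effectively TLSv1.1 */
	if (min_ver == DTLS1_VERSION || max_ver == DTLS1_VERSION)
		min_ver = max_ver = TLS1_1_VERSION;

	switch (cipher->algorithm_ssl) {
	case SSL_SSLV3:
		/* Only the lower bound is consulted for these ciphers. */
		if (min_ver <= TLS1_2_VERSION)
			return 1;
		break;
	case SSL_TLSV1_2:
		/* TLSv1.2 itself must lie inside the range. */
		if (min_ver <= TLS1_2_VERSION && TLS1_2_VERSION <= max_ver)
			return 1;
		break;
	case SSL_TLSV1_3:
		/* TLSv1.3 itself must lie inside the range. */
		if (min_ver <= TLS1_3_VERSION && TLS1_3_VERSION <= max_ver)
			return 1;
		break;
	}

	return 0;
}

/*
 * Serialise `ciphers` into `cbb` as a sequence of 16-bit cipher values.
 *
 * Ciphers that are not allowed in the version range reported by
 * ssl_supported_version_range() are skipped. When at least one cipher was
 * written and the connection is not renegotiating, the SCSV value is
 * appended.
 *
 * Returns 1 on success and 0 on failure (NULL list, version range lookup
 * failure, a NULL stack entry, or a CBB write/flush failure). Success is
 * also returned when every cipher was filtered out and nothing was written.
 */
int
ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb)
{
	SSL_CIPHER *cipher;
	int num_ciphers = 0;
	uint16_t min_vers, max_vers;
	int i;

	if (ciphers == NULL)
		return 0;

	if (!ssl_supported_version_range(s, &min_vers, &max_vers))
		return 0;

	for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
		if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL)
			return 0;
		if (!ssl_cipher_allowed_in_version_range(cipher, min_vers,
		    max_vers))
			continue;
		if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher)))
			return 0;

		num_ciphers++;
	}

	/* Add SCSV if there are other ciphers and we're not renegotiating. */
	if (num_ciphers > 0 && !s->internal->renegotiate) {
		if (!CBB_add_u16(cbb, SSL3_CK_SCSV & SSL3_CK_VALUE_MASK))
			return 0;
	}

	if (!CBB_flush(cbb))
		return 0;

	return 1;
}

/*
 * Parse a received cipher list from `cbs` into a newly allocated stack.
 *
 * Each 16-bit value is handled as follows:
 *  - SSL3_CK_SCSV: fatal handshake_failure alert when renegotiating,
 *    otherwise send_connection_binding is set and the value is consumed.
 *  - SSL3_CK_FALLBACK_SCSV: fatal inappropriate_fallback alert when the
 *    current version is below the value reported by
 *    ssl_downgrade_max_version(), otherwise the value is consumed.
 *  - Any other value: pushed on the stack when ssl3_get_cipher_by_value()
 *    knows it, silently ignored when it does not.
 *
 * send_connection_binding is reset to 0 before parsing starts, so it only
 * ends up set when this list carried the SCSV.
 *
 * Returns the stack on success or NULL on failure. The stack is not freed
 * here on success, so the caller is presumably responsible for it.
 */
STACK_OF(SSL_CIPHER) *
ssl_bytes_to_cipher_list(SSL *s, CBS *cbs)
{
	STACK_OF(SSL_CIPHER) *ciphers = NULL;
	const SSL_CIPHER *cipher;
	uint16_t cipher_value, max_version;
	unsigned long cipher_id;

	S3I(s)->send_connection_binding = 0;

	if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL) {
		SSLerror(s, ERR_R_MALLOC_FAILURE);
		goto err;
	}

	while (CBS_len(cbs) > 0) {
		/* A trailing odd byte fails here and rejects the list. */
		if (!CBS_get_u16(cbs, &cipher_value)) {
			SSLerror(s, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
			goto err;
		}

		cipher_id = SSL3_CK_ID | cipher_value;

		if (cipher_id == SSL3_CK_SCSV) {
			/*
			 * TLS_EMPTY_RENEGOTIATION_INFO_SCSV is fatal if
			 * renegotiating.
			 */
			if (s->internal->renegotiate) {
				SSLerror(s, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
				ssl3_send_alert(s, SSL3_AL_FATAL,
				    SSL_AD_HANDSHAKE_FAILURE);

				goto err;
			}
			S3I(s)->send_connection_binding = 1;
			continue;
		}

		if (cipher_id == SSL3_CK_FALLBACK_SCSV) {
			/*
			 * TLS_FALLBACK_SCSV indicates that the client
			 * previously tried a higher protocol version.
			 * Fail if the current version is an unexpected
			 * downgrade.
			 */
			/*
			 * NOTE(review): this failure path raises no SSLerror
			 * and sends no alert itself; confirm the helper
			 * reports its own error.
			 */
			if (!ssl_downgrade_max_version(s, &max_version))
				goto err;
			if (s->version < max_version) {
				SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
				ssl3_send_alert(s, SSL3_AL_FATAL,
				    SSL_AD_INAPPROPRIATE_FALLBACK);
				goto err;
			}
			continue;
		}

		/* Values with no matching cipher are skipped, not rejected. */
		if ((cipher = ssl3_get_cipher_by_value(cipher_value)) != NULL) {
			if (!sk_SSL_CIPHER_push(ciphers, cipher)) {
				SSLerror(s, ERR_R_MALLOC_FAILURE);
				goto err;
			}
		}
	}

	return (ciphers);

 err:
	sk_SSL_CIPHER_free(ciphers);

	return (NULL);
}

/*
 * One TLSv1.3 cipher suite accepted by ssl_parse_ciphersuites(): two
 * spellings of its name and the cipher id used to look it up.
 */
struct ssl_tls13_ciphersuite {
	const char *name;
	const char *alias;
	unsigned long cid;
};

/* Table of recognised TLSv1.3 suites, terminated by an entry with a NULL name. */
static const struct ssl_tls13_ciphersuite ssl_tls13_ciphersuites[] = {
	{
		.name = TLS1_3_TXT_AES_128_GCM_SHA256,
		.alias = "TLS_AES_128_GCM_SHA256",
		.cid = TLS1_3_CK_AES_128_GCM_SHA256,
	},
	{
		.name = TLS1_3_TXT_AES_256_GCM_SHA384,
		.alias = "TLS_AES_256_GCM_SHA384",
		.cid = TLS1_3_CK_AES_256_GCM_SHA384,
	},
	{
		.name = TLS1_3_TXT_CHACHA20_POLY1305_SHA256,
		.alias = "TLS_CHACHA20_POLY1305_SHA256",
		.cid = TLS1_3_CK_CHACHA20_POLY1305_SHA256,
	},
	{
		.name = TLS1_3_TXT_AES_128_CCM_SHA256,
		.alias = "TLS_AES_128_CCM_SHA256",
		.cid = TLS1_3_CK_AES_128_CCM_SHA256,
	},
	{
		.name = TLS1_3_TXT_AES_128_CCM_8_SHA256,
		.alias = "TLS_AES_128_CCM_8_SHA256",
		.cid = TLS1_3_CK_AES_128_CCM_8_SHA256,
	},
	{
		.name = NULL,
	},
};

/*
 * Parse a colon separated list of TLSv1.3 cipher suite names in `str` and
 * store the resulting stack in `*out_ciphers`.
 *
 * Each token must match the name or alias of a table entry exactly; an
 * unrecognised token, including the empty token produced by "a::b" or a
 * leading/trailing colon, fails the whole parse. A recognised suite for
 * which ssl3_get_cipher_by_id() returns NULL is skipped. The empty string
 * is valid and yields an empty stack.
 *
 * Returns 1 on success, in which case the previous `*out_ciphers` is freed
 * and replaced. Returns 0 on failure, leaving `*out_ciphers` untouched.
 */
int
ssl_parse_ciphersuites(STACK_OF(SSL_CIPHER) **out_ciphers, const char *str)
{
	const struct ssl_tls13_ciphersuite *ciphersuite;
	STACK_OF(SSL_CIPHER) *ciphers;
	const SSL_CIPHER *cipher;
	char *s = NULL;
	char *p, *q;
	int ret = 0;

	/* Fail cleanly instead of handing a NULL pointer to strcmp(). */
	if (str == NULL)
		return 0;

	if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL)
		goto err;

	/* An empty string is valid and means no ciphers. */
	if (strcmp(str, "") == 0)
		goto done;

	/* strsep() modifies its input, so work on a private copy. */
	if ((s = strdup(str)) == NULL)
		goto err;

	q = s;
	while ((p = strsep(&q, ":")) != NULL) {
		/*
		 * Walk the table once, stopping at the first match or at
		 * the NULL-name sentinel. Advancing the pointer directly
		 * keeps the entry under test and the loop position in step.
		 */
		for (ciphersuite = ssl_tls13_ciphersuites;
		    ciphersuite->name != NULL; ciphersuite++) {
			if (strcmp(p, ciphersuite->name) == 0)
				break;
			if (strcmp(p, ciphersuite->alias) == 0)
				break;
		}
		if (ciphersuite->name == NULL)
			goto err;

		/* We know about the cipher suite, but it is not supported. */
		if ((cipher = ssl3_get_cipher_by_id(ciphersuite->cid)) == NULL)
			continue;

		if (!sk_SSL_CIPHER_push(ciphers, cipher))
			goto err;
	}

 done:
	/* Hand the new stack over; clearing `ciphers` stops the free below. */
	sk_SSL_CIPHER_free(*out_ciphers);
	*out_ciphers = ciphers;
	ciphers = NULL;
	ret = 1;

 err:
	sk_SSL_CIPHER_free(ciphers);
	free(s);

	return ret;
}

/*
 * Build a combined cipher list in `*out_cipherlist`: a copy of
 * `cipherlist_tls13` followed by every entry of `cipherlist` whose
 * algorithm_ssl is not SSL_TLSV1_3.
 *
 * TLSv1.3 entries in `cipherlist` are dropped, so the TLSv1.3 portion of
 * the result comes only from `cipherlist_tls13`.
 *
 * Returns 1 on success, in which case the previous `*out_cipherlist` is
 * freed and replaced. Returns 0 on failure, leaving it untouched.
 */
int
ssl_merge_cipherlists(STACK_OF(SSL_CIPHER) *cipherlist,
    STACK_OF(SSL_CIPHER) *cipherlist_tls13,
    STACK_OF(SSL_CIPHER) **out_cipherlist)
{
	STACK_OF(SSL_CIPHER) *ciphers = NULL;
	const SSL_CIPHER *cipher;
	int i, ret = 0;

	if ((ciphers = sk_SSL_CIPHER_dup(cipherlist_tls13)) == NULL)
		goto err;
	for (i = 0; i < sk_SSL_CIPHER_num(cipherlist); i++) {
		cipher = sk_SSL_CIPHER_value(cipherlist, i);
		if (cipher->algorithm_ssl == SSL_TLSV1_3)
			continue;
		if (!sk_SSL_CIPHER_push(ciphers, cipher))
			goto err;
	}

	/* Hand the new stack over; clearing `ciphers` stops the free below. */
	sk_SSL_CIPHER_free(*out_cipherlist);
	*out_cipherlist = ciphers;
	ciphers = NULL;

	ret = 1;

 err:
	sk_SSL_CIPHER_free(ciphers);

	return ret;
}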