xref: /dflybsd-src/crypto/libressl/ssl/ssl_ciphers.c (revision cca6fc5243d2098262ea81f83ad5b28d3b800f4a) 
1*cca6fc52SDaniel Fojt /*	$OpenBSD: ssl_ciphers.c,v 1.3 2019/05/15 09:13:16 bcook Exp $ */
272c33676SMaxim Ag /*
372c33676SMaxim Ag  * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org>
472c33676SMaxim Ag  * Copyright (c) 2015-2018 Joel Sing <jsing@openbsd.org>
572c33676SMaxim Ag  * Copyright (c) 2019 Theo Buehler <tb@openbsd.org>
672c33676SMaxim Ag  *
772c33676SMaxim Ag  * Permission to use, copy, modify, and distribute this software for any
872c33676SMaxim Ag  * purpose with or without fee is hereby granted, provided that the above
972c33676SMaxim Ag  * copyright notice and this permission notice appear in all copies.
1072c33676SMaxim Ag  *
1172c33676SMaxim Ag  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
1272c33676SMaxim Ag  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
1372c33676SMaxim Ag  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
1472c33676SMaxim Ag  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
1572c33676SMaxim Ag  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
1672c33676SMaxim Ag  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1772c33676SMaxim Ag  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
1872c33676SMaxim Ag  */
1972c33676SMaxim Ag 
2072c33676SMaxim Ag #include <openssl/safestack.h>
2172c33676SMaxim Ag 
2272c33676SMaxim Ag #include "bytestring.h"
2372c33676SMaxim Ag #include "ssl_locl.h"
2472c33676SMaxim Ag 
2572c33676SMaxim Ag int
2672c33676SMaxim Ag ssl_cipher_is_permitted(const SSL_CIPHER *cipher, uint16_t min_ver,
2772c33676SMaxim Ag     uint16_t max_ver)
2872c33676SMaxim Ag {
2972c33676SMaxim Ag 	/* XXX: We only support DTLSv1 which is effectively TLSv1.1 */
3072c33676SMaxim Ag 	if (min_ver == DTLS1_VERSION || max_ver == DTLS1_VERSION)
3172c33676SMaxim Ag 		min_ver = max_ver = TLS1_1_VERSION;
3272c33676SMaxim Ag 
3372c33676SMaxim Ag 	switch(cipher->algorithm_ssl) {
3472c33676SMaxim Ag 	case SSL_SSLV3:
3572c33676SMaxim Ag 		if (min_ver <= TLS1_2_VERSION)
3672c33676SMaxim Ag 			return 1;
3772c33676SMaxim Ag 		break;
3872c33676SMaxim Ag 	case SSL_TLSV1_2:
3972c33676SMaxim Ag 		if (min_ver <= TLS1_2_VERSION && TLS1_2_VERSION <= max_ver)
4072c33676SMaxim Ag 			return 1;
4172c33676SMaxim Ag 		break;
4272c33676SMaxim Ag 	case SSL_TLSV1_3:
4372c33676SMaxim Ag 		if (min_ver <= TLS1_3_VERSION && TLS1_3_VERSION <= max_ver)
4472c33676SMaxim Ag 			return 1;
4572c33676SMaxim Ag 		break;
4672c33676SMaxim Ag 	}
4772c33676SMaxim Ag 
4872c33676SMaxim Ag 	return 0;
4972c33676SMaxim Ag }
5072c33676SMaxim Ag 
5172c33676SMaxim Ag int
5272c33676SMaxim Ag ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb)
5372c33676SMaxim Ag {
5472c33676SMaxim Ag 	SSL_CIPHER *cipher;
5572c33676SMaxim Ag 	int num_ciphers = 0;
5672c33676SMaxim Ag 	uint16_t min_vers, max_vers;
5772c33676SMaxim Ag 	int i;
5872c33676SMaxim Ag 
5972c33676SMaxim Ag 	if (ciphers == NULL)
6072c33676SMaxim Ag 		return 0;
6172c33676SMaxim Ag 
6272c33676SMaxim Ag 	if (!ssl_supported_version_range(s, &min_vers, &max_vers))
6372c33676SMaxim Ag 		return 0;
6472c33676SMaxim Ag 
6572c33676SMaxim Ag 	for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
6672c33676SMaxim Ag 		if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL)
6772c33676SMaxim Ag 			return 0;
6872c33676SMaxim Ag 
6972c33676SMaxim Ag 		if (!ssl_cipher_is_permitted(cipher, min_vers, max_vers))
7072c33676SMaxim Ag 			continue;
7172c33676SMaxim Ag 
7272c33676SMaxim Ag 		if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher)))
7372c33676SMaxim Ag 			return 0;
7472c33676SMaxim Ag 
7572c33676SMaxim Ag 		num_ciphers++;
7672c33676SMaxim Ag 	}
7772c33676SMaxim Ag 
7872c33676SMaxim Ag 	/* Add SCSV if there are other ciphers and we're not renegotiating. */
7972c33676SMaxim Ag 	if (num_ciphers > 0 && !s->internal->renegotiate) {
8072c33676SMaxim Ag 		if (!CBB_add_u16(cbb, SSL3_CK_SCSV & SSL3_CK_VALUE_MASK))
8172c33676SMaxim Ag 			return 0;
8272c33676SMaxim Ag 	}
8372c33676SMaxim Ag 
8472c33676SMaxim Ag 	if (!CBB_flush(cbb))
8572c33676SMaxim Ag 		return 0;
8672c33676SMaxim Ag 
8772c33676SMaxim Ag 	return 1;
8872c33676SMaxim Ag }
8972c33676SMaxim Ag 
9072c33676SMaxim Ag STACK_OF(SSL_CIPHER) *
9172c33676SMaxim Ag ssl_bytes_to_cipher_list(SSL *s, CBS *cbs)
9272c33676SMaxim Ag {
9372c33676SMaxim Ag 	STACK_OF(SSL_CIPHER) *ciphers = NULL;
9472c33676SMaxim Ag 	const SSL_CIPHER *cipher;
9572c33676SMaxim Ag 	uint16_t cipher_value, max_version;
9672c33676SMaxim Ag 	unsigned long cipher_id;
9772c33676SMaxim Ag 
9872c33676SMaxim Ag 	S3I(s)->send_connection_binding = 0;
9972c33676SMaxim Ag 
10072c33676SMaxim Ag 	if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL) {
10172c33676SMaxim Ag 		SSLerror(s, ERR_R_MALLOC_FAILURE);
10272c33676SMaxim Ag 		goto err;
10372c33676SMaxim Ag 	}
10472c33676SMaxim Ag 
10572c33676SMaxim Ag 	while (CBS_len(cbs) > 0) {
10672c33676SMaxim Ag 		if (!CBS_get_u16(cbs, &cipher_value)) {
10772c33676SMaxim Ag 			SSLerror(s, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
10872c33676SMaxim Ag 			goto err;
10972c33676SMaxim Ag 		}
11072c33676SMaxim Ag 
11172c33676SMaxim Ag 		cipher_id = SSL3_CK_ID | cipher_value;
11272c33676SMaxim Ag 
113*cca6fc52SDaniel Fojt 		if (cipher_id == SSL3_CK_SCSV) {
11472c33676SMaxim Ag 			/*
11572c33676SMaxim Ag 			 * TLS_EMPTY_RENEGOTIATION_INFO_SCSV is fatal if
11672c33676SMaxim Ag 			 * renegotiating.
11772c33676SMaxim Ag 			 */
11872c33676SMaxim Ag 			if (s->internal->renegotiate) {
11972c33676SMaxim Ag 				SSLerror(s, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
12072c33676SMaxim Ag 				ssl3_send_alert(s, SSL3_AL_FATAL,
12172c33676SMaxim Ag 				    SSL_AD_HANDSHAKE_FAILURE);
12272c33676SMaxim Ag 
12372c33676SMaxim Ag 				goto err;
12472c33676SMaxim Ag 			}
12572c33676SMaxim Ag 			S3I(s)->send_connection_binding = 1;
12672c33676SMaxim Ag 			continue;
12772c33676SMaxim Ag 		}
12872c33676SMaxim Ag 
12972c33676SMaxim Ag 		if (cipher_id == SSL3_CK_FALLBACK_SCSV) {
13072c33676SMaxim Ag 			/*
13172c33676SMaxim Ag 			 * TLS_FALLBACK_SCSV indicates that the client
13272c33676SMaxim Ag 			 * previously tried a higher protocol version.
13372c33676SMaxim Ag 			 * Fail if the current version is an unexpected
13472c33676SMaxim Ag 			 * downgrade.
13572c33676SMaxim Ag 			 */
13672c33676SMaxim Ag 			max_version = ssl_max_server_version(s);
13772c33676SMaxim Ag 			if (max_version == 0 || s->version < max_version) {
13872c33676SMaxim Ag 				SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
13972c33676SMaxim Ag 				ssl3_send_alert(s, SSL3_AL_FATAL,
14072c33676SMaxim Ag 					SSL_AD_INAPPROPRIATE_FALLBACK);
14172c33676SMaxim Ag 				goto err;
14272c33676SMaxim Ag 			}
14372c33676SMaxim Ag 			continue;
14472c33676SMaxim Ag 		}
14572c33676SMaxim Ag 
14672c33676SMaxim Ag 		if ((cipher = ssl3_get_cipher_by_value(cipher_value)) != NULL) {
14772c33676SMaxim Ag 			if (!sk_SSL_CIPHER_push(ciphers, cipher)) {
14872c33676SMaxim Ag 				SSLerror(s, ERR_R_MALLOC_FAILURE);
14972c33676SMaxim Ag 				goto err;
15072c33676SMaxim Ag 			}
15172c33676SMaxim Ag 		}
15272c33676SMaxim Ag 	}
15372c33676SMaxim Ag 
15472c33676SMaxim Ag 	return (ciphers);
15572c33676SMaxim Ag 
15672c33676SMaxim Ag  err:
15772c33676SMaxim Ag 	sk_SSL_CIPHER_free(ciphers);
15872c33676SMaxim Ag 
15972c33676SMaxim Ag 	return (NULL);
16072c33676SMaxim Ag }
161