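/* $OpenBSD: ssl_ciphers.c,v 1.10 2021/02/25 17:06:05 jsing Exp $ */
/*
 * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org>
 * Copyright (c) 2015-2018, 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2019 Theo Buehler <tb@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <openssl/safestack.h>

#include "bytestring.h"
#include "ssl_locl.h"

/*
 * Report whether a cipher with the same id as |cipher| is present in
 * |ciphers|.  Entries are compared by id only.
 *
 * Neither |cipher| nor the entries of |ciphers| are checked for NULL
 * before being dereferenced.
 *
 * Returns 1 if a matching entry exists, 0 otherwise.
 */
int
ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher)
{
	int i;

	for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
		if (sk_SSL_CIPHER_value(ciphers, i)->id == cipher->id)
			return 1;
	}

	return 0;
}

/*
 * Decide whether |cipher| may be used given the protocol version range
 * [min_ver, max_ver], based on cipher->algorithm_ssl:
 *
 *  - SSL_SSLV3:   allowed when min_ver is at most TLS1_2_VERSION
 *                 (max_ver is not consulted for this class);
 *  - SSL_TLSV1_2: allowed when TLS1_2_VERSION lies within the range;
 *  - SSL_TLSV1_3: allowed when TLS1_3_VERSION lies within the range.
 *
 * Any other algorithm_ssl value is rejected.
 *
 * Returns 1 if the cipher is allowed, 0 otherwise.
 */
int
ssl_cipher_allowed_in_tls_version_range(const SSL_CIPHER *cipher, uint16_t min_ver,
    uint16_t max_ver)
{
	switch (cipher->algorithm_ssl) {
	case SSL_SSLV3:
		return (min_ver <= TLS1_2_VERSION);
	case SSL_TLSV1_2:
		return (min_ver <= TLS1_2_VERSION && TLS1_2_VERSION <= max_ver);
	case SSL_TLSV1_3:
		return (min_ver <= TLS1_3_VERSION && TLS1_3_VERSION <= max_ver);
	}
	return 0;
}

/*
 * Serialise |ciphers| into |cbb| as a sequence of 16-bit cipher suite
 * values.  Ciphers that are not usable within the TLS version range
 * supported by |s| are skipped rather than treated as an error.
 *
 * When at least one cipher was written and the connection is not
 * renegotiating, the signalling value SSL3_CK_SCSV is appended.
 *
 * Returns 1 on success and 0 on failure (NULL list, NULL list entry,
 * no supported version range, or a CBB write/flush failure).  Note that
 * success is also returned when every cipher was filtered out and
 * nothing was written; callers that require a non-empty list have to
 * check for that themselves.
 */
int
ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb)
{
	SSL_CIPHER *cipher;
	int num_ciphers = 0;
	uint16_t min_vers, max_vers;
	int i;

	if (ciphers == NULL)
		return 0;

	if (!ssl_supported_tls_version_range(s, &min_vers, &max_vers))
		return 0;

	for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
		if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL)
			return 0;
		if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers,
		    max_vers))
			continue;
		if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher)))
			return 0;

		num_ciphers++;
	}

	/* Add SCSV if there are other ciphers and we're not renegotiating. */
	if (num_ciphers > 0 && !s->internal->renegotiate) {
		if (!CBB_add_u16(cbb, SSL3_CK_SCSV & SSL3_CK_VALUE_MASK))
			return 0;
	}

	if (!CBB_flush(cbb))
		return 0;

	return 1;
}

/*
 * Parse a received list of 16-bit cipher suite values from |cbs| into a
 * newly allocated cipher stack.
 *
 * The input is peer-controlled, so every read is bounds-checked through
 * the CBS API: a trailing odd byte makes CBS_get_u16() fail and the whole
 * list is rejected.  Two signalling values are handled specially and are
 * never added to the returned stack:
 *
 *  - SSL3_CK_SCSV: fatal (handshake_failure alert) when renegotiating,
 *    otherwise it sets send_connection_binding for this connection;
 *  - SSL3_CK_FALLBACK_SCSV: fatal (inappropriate_fallback alert) when the
 *    negotiated version is below the maximum version reported by
 *    ssl_downgrade_max_version().
 *
 * Values that do not map to a known cipher are silently ignored, so the
 * returned stack may be empty.  send_connection_binding is reset to 0 on
 * entry, including on the error paths.
 *
 * Returns the new stack on success, or NULL on failure.
 */
STACK_OF(SSL_CIPHER) *
ssl_bytes_to_cipher_list(SSL *s, CBS *cbs)
{
	STACK_OF(SSL_CIPHER) *ciphers = NULL;
	const SSL_CIPHER *cipher;
	uint16_t cipher_value, max_version;
	unsigned long cipher_id;

	S3I(s)->send_connection_binding = 0;

	if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL) {
		SSLerror(s, ERR_R_MALLOC_FAILURE);
		goto err;
	}

	while (CBS_len(cbs) > 0) {
		if (!CBS_get_u16(cbs, &cipher_value)) {
			SSLerror(s, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
			goto err;
		}

		cipher_id = SSL3_CK_ID | cipher_value;

		if (cipher_id == SSL3_CK_SCSV) {
			/*
			 * TLS_EMPTY_RENEGOTIATION_INFO_SCSV is fatal if
			 * renegotiating.
			 */
			if (s->internal->renegotiate) {
				SSLerror(s, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
				ssl3_send_alert(s, SSL3_AL_FATAL,
				    SSL_AD_HANDSHAKE_FAILURE);

				goto err;
			}
			S3I(s)->send_connection_binding = 1;
			continue;
		}

		if (cipher_id == SSL3_CK_FALLBACK_SCSV) {
			/*
			 * TLS_FALLBACK_SCSV indicates that the client
			 * previously tried a higher protocol version.
			 * Fail if the current version is an unexpected
			 * downgrade.
			 */
			if (!ssl_downgrade_max_version(s, &max_version))
				goto err;
			if (s->version < max_version) {
				SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
				ssl3_send_alert(s, SSL3_AL_FATAL,
				    SSL_AD_INAPPROPRIATE_FALLBACK);
				goto err;
			}
			continue;
		}

		/* Unknown cipher suite values are skipped, not rejected. */
		if ((cipher = ssl3_get_cipher_by_value(cipher_value)) != NULL) {
			if (!sk_SSL_CIPHER_push(ciphers, cipher)) {
				SSLerror(s, ERR_R_MALLOC_FAILURE);
				goto err;
			}
		}
	}

	return (ciphers);

 err:
	sk_SSL_CIPHER_free(ciphers);

	return (NULL);
}

/*
 * A TLSv1.3 cipher suite as accepted by ssl_parse_ciphersuites(): it can
 * be spelled either as |name| or as |alias|, and maps to cipher id |cid|.
 */
struct ssl_tls13_ciphersuite {
	const char *name;
	const char *alias;
	unsigned long cid;
};

/* Table of recognised TLSv1.3 suites; terminated by a NULL |name|. */
static const struct ssl_tls13_ciphersuite ssl_tls13_ciphersuites[] = {
	{
		.name = TLS1_3_TXT_AES_128_GCM_SHA256,
		.alias = "TLS_AES_128_GCM_SHA256",
		.cid = TLS1_3_CK_AES_128_GCM_SHA256,
	},
	{
		.name = TLS1_3_TXT_AES_256_GCM_SHA384,
		.alias = "TLS_AES_256_GCM_SHA384",
		.cid = TLS1_3_CK_AES_256_GCM_SHA384,
	},
	{
		.name = TLS1_3_TXT_CHACHA20_POLY1305_SHA256,
		.alias = "TLS_CHACHA20_POLY1305_SHA256",
		.cid = TLS1_3_CK_CHACHA20_POLY1305_SHA256,
	},
	{
		.name = TLS1_3_TXT_AES_128_CCM_SHA256,
		.alias = "TLS_AES_128_CCM_SHA256",
		.cid = TLS1_3_CK_AES_128_CCM_SHA256,
	},
	{
		.name = TLS1_3_TXT_AES_128_CCM_8_SHA256,
		.alias = "TLS_AES_128_CCM_8_SHA256",
		.cid = TLS1_3_CK_AES_128_CCM_8_SHA256,
	},
	{
		.name = NULL,
	},
};

/*
 * Parse a colon-separated list of TLSv1.3 cipher suite names in |str|
 * and, on success, replace *out_ciphers with the resulting stack (the
 * previous stack is freed).
 *
 * Every token must match the name or alias of a table entry; any other
 * token, including the empty token produced by a leading, trailing or
 * doubled ':', makes the whole string invalid.  Suites that are in the
 * table but for which ssl3_get_cipher_by_id() returns NULL are skipped.
 * Repeated names are pushed once per occurrence.
 *
 * |str| must not be NULL; it is passed to strcmp() unchecked.
 *
 * Returns 1 on success.  Returns 0 on failure, in which case
 * *out_ciphers is left untouched.
 */
int
ssl_parse_ciphersuites(STACK_OF(SSL_CIPHER) **out_ciphers, const char *str)
{
	const struct ssl_tls13_ciphersuite *ciphersuite;
	STACK_OF(SSL_CIPHER) *ciphers;
	const SSL_CIPHER *cipher;
	char *s = NULL;
	char *p, *q;
	int ret = 0;

	if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL)
		goto err;

	/* An empty string is valid and means no ciphers. */
	if (strcmp(str, "") == 0)
		goto done;

	/* strsep() writes into its input, so work on a private copy. */
	if ((s = strdup(str)) == NULL)
		goto err;

	q = s;
	while ((p = strsep(&q, ":")) != NULL) {
		/*
		 * Walk the table directly up to the NULL-name sentinel, so
		 * that each entry is compared exactly once and the pointer
		 * never trails a separate index.
		 */
		for (ciphersuite = ssl_tls13_ciphersuites;
		    ciphersuite->name != NULL; ciphersuite++) {
			if (strcmp(p, ciphersuite->name) == 0)
				break;
			if (strcmp(p, ciphersuite->alias) == 0)
				break;
		}
		/* Reaching the sentinel means the token is unknown. */
		if (ciphersuite->name == NULL)
			goto err;

		/* We know about the cipher suite, but it is not supported. */
		if ((cipher = ssl3_get_cipher_by_id(ciphersuite->cid)) == NULL)
			continue;

		if (!sk_SSL_CIPHER_push(ciphers, cipher))
			goto err;
	}

 done:
	sk_SSL_CIPHER_free(*out_ciphers);
	*out_ciphers = ciphers;
	/* The stack now belongs to the caller; keep the cleanup off it. */
	ciphers = NULL;
	ret = 1;

 err:
	sk_SSL_CIPHER_free(ciphers);
	free(s);

	return ret;
}

/*
 * Build a combined cipher list: a copy of |cipherlist_tls13| followed by
 * every entry of |cipherlist| that is not a TLSv1.3 cipher.  TLSv1.3
 * entries in |cipherlist| are dropped, so the TLSv1.3 part of the result
 * comes from |cipherlist_tls13| alone.
 *
 * On success *out_cipherlist is replaced with the new stack and the
 * previous one is freed.  Entries of |cipherlist| are dereferenced
 * without a NULL check.
 *
 * Returns 1 on success.  Returns 0 on failure (including when
 * sk_SSL_CIPHER_dup() returns NULL), in which case *out_cipherlist is
 * left untouched.
 */
int
ssl_merge_cipherlists(STACK_OF(SSL_CIPHER) *cipherlist,
    STACK_OF(SSL_CIPHER) *cipherlist_tls13,
    STACK_OF(SSL_CIPHER) **out_cipherlist)
{
	STACK_OF(SSL_CIPHER) *ciphers = NULL;
	const SSL_CIPHER *cipher;
	int i, ret = 0;

	if ((ciphers = sk_SSL_CIPHER_dup(cipherlist_tls13)) == NULL)
		goto err;
	for (i = 0; i < sk_SSL_CIPHER_num(cipherlist); i++) {
		cipher = sk_SSL_CIPHER_value(cipherlist, i);
		if (cipher->algorithm_ssl == SSL_TLSV1_3)
			continue;
		if (!sk_SSL_CIPHER_push(ciphers, cipher))
			goto err;
	}

	sk_SSL_CIPHER_free(*out_cipherlist);
	*out_cipherlist = ciphers;
	/* The stack now belongs to the caller; keep the cleanup off it. */
	ciphers = NULL;

	ret = 1;

 err:
	sk_SSL_CIPHER_free(ciphers);

	return ret;
}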