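/* $OpenBSD: ssl_ciphers.c,v 1.9 2020/09/15 15:28:38 schwarze Exp $ */
/*
 * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org>
 * Copyright (c) 2015-2018, 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2019 Theo Buehler <tb@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <openssl/safestack.h>

#include "bytestring.h"
#include "ssl_locl.h"

/*
 * Report whether a cipher with the same id as `cipher' is present in
 * `ciphers'.  Entries are compared by id, not by pointer.
 *
 * Returns 1 if a match is found and 0 otherwise.  `cipher' and every entry
 * of `ciphers' are dereferenced without a NULL check.
 */
int
ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher)
{
	int i;

	for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
		if (sk_SSL_CIPHER_value(ciphers, i)->id == cipher->id)
			return 1;
	}

	return 0;
}

/*
 * Decide whether `cipher' may be offered for the protocol version range
 * [min_ver, max_ver].
 *
 * Returns 1 if the cipher is allowed and 0 otherwise.  A cipher whose
 * algorithm_ssl is none of the three handled values is never allowed.
 */
int
ssl_cipher_allowed_in_version_range(const SSL_CIPHER *cipher, uint16_t min_ver,
    uint16_t max_ver)
{
	/* XXX: We only support DTLSv1 which is effectively TLSv1.1 */
	if (min_ver == DTLS1_VERSION || max_ver == DTLS1_VERSION)
		min_ver = max_ver = TLS1_1_VERSION;

	switch (cipher->algorithm_ssl) {
	case SSL_SSLV3:
		/* Only the lower bound is consulted for these ciphers. */
		if (min_ver <= TLS1_2_VERSION)
			return 1;
		break;
	case SSL_TLSV1_2:
		/* TLSv1.2 must lie inside the enabled range. */
		if (min_ver <= TLS1_2_VERSION && TLS1_2_VERSION <= max_ver)
			return 1;
		break;
	case SSL_TLSV1_3:
		/* TLSv1.3 must lie inside the enabled range. */
		if (min_ver <= TLS1_3_VERSION && TLS1_3_VERSION <= max_ver)
			return 1;
		break;
	default:
		break;
	}

	return 0;
}

/*
 * Serialise `ciphers' into `cbb' as a sequence of 16-bit cipher suite
 * values, skipping every cipher that is not allowed in the version range
 * reported by ssl_supported_version_range().
 *
 * If at least one cipher was written and the connection is not
 * renegotiating, the SCSV value (SSL3_CK_SCSV) is appended as well.
 *
 * Returns 1 on success and 0 on failure.  A NULL `ciphers', a NULL entry in
 * the stack, a failed version range lookup and any CBB failure all count as
 * failure; `cbb' may already hold partial output in that case.
 */
int
ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb)
{
	SSL_CIPHER *cipher;
	int num_ciphers = 0;
	uint16_t min_vers, max_vers;
	int i;

	if (ciphers == NULL)
		return 0;

	if (!ssl_supported_version_range(s, &min_vers, &max_vers))
		return 0;

	for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
		if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL)
			return 0;
		if (!ssl_cipher_allowed_in_version_range(cipher, min_vers,
		    max_vers))
			continue;
		if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher)))
			return 0;

		num_ciphers++;
	}

	/* Add SCSV if there are other ciphers and we're not renegotiating. */
	if (num_ciphers > 0 && !s->internal->renegotiate) {
		if (!CBB_add_u16(cbb, SSL3_CK_SCSV & SSL3_CK_VALUE_MASK))
			return 0;
	}

	if (!CBB_flush(cbb))
		return 0;

	return 1;
}

/*
 * Parse the cipher suite list received from the peer in `cbs' into a newly
 * allocated stack of SSL_CIPHER pointers.
 *
 * The input is consumed as 16-bit values until `cbs' is empty:
 *  - SSL3_CK_SCSV is a signalling value; it sets send_connection_binding and
 *    is never added to the stack.  It is fatal while renegotiating.
 *  - SSL3_CK_FALLBACK_SCSV is a signalling value; the handshake is aborted
 *    with an inappropriate_fallback alert if s->version is lower than the
 *    version reported by ssl_downgrade_max_version().
 *  - Values for which ssl3_get_cipher_by_value() returns NULL are skipped
 *    without error.
 *  - A trailing odd byte makes CBS_get_u16() fail and is treated as an
 *    error; that path records the error but sends no alert from here.
 *
 * send_connection_binding is reset to 0 on entry, before anything is parsed.
 *
 * Returns the stack on success (it may be empty) and NULL on failure.  The
 * caller owns the returned stack.
 */
STACK_OF(SSL_CIPHER) *
ssl_bytes_to_cipher_list(SSL *s, CBS *cbs)
{
	STACK_OF(SSL_CIPHER) *ciphers = NULL;
	const SSL_CIPHER *cipher;
	uint16_t cipher_value, max_version;
	unsigned long cipher_id;

	S3I(s)->send_connection_binding = 0;

	if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL) {
		SSLerror(s, ERR_R_MALLOC_FAILURE);
		goto err;
	}

	while (CBS_len(cbs) > 0) {
		if (!CBS_get_u16(cbs, &cipher_value)) {
			SSLerror(s, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
			goto err;
		}

		cipher_id = SSL3_CK_ID | cipher_value;

		if (cipher_id == SSL3_CK_SCSV) {
			/*
			 * TLS_EMPTY_RENEGOTIATION_INFO_SCSV is fatal if
			 * renegotiating.
			 */
			if (s->internal->renegotiate) {
				SSLerror(s, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
				ssl3_send_alert(s, SSL3_AL_FATAL,
				    SSL_AD_HANDSHAKE_FAILURE);

				goto err;
			}
			S3I(s)->send_connection_binding = 1;
			continue;
		}

		if (cipher_id == SSL3_CK_FALLBACK_SCSV) {
			/*
			 * TLS_FALLBACK_SCSV indicates that the client
			 * previously tried a higher protocol version.
			 * Fail if the current version is an unexpected
			 * downgrade.
			 */
			if (!ssl_downgrade_max_version(s, &max_version))
				goto err;
			if (s->version < max_version) {
				SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
				ssl3_send_alert(s, SSL3_AL_FATAL,
				    SSL_AD_INAPPROPRIATE_FALLBACK);
				goto err;
			}
			continue;
		}

		/* Unknown cipher suite values are ignored, not rejected. */
		if ((cipher = ssl3_get_cipher_by_value(cipher_value)) != NULL) {
			if (!sk_SSL_CIPHER_push(ciphers, cipher)) {
				SSLerror(s, ERR_R_MALLOC_FAILURE);
				goto err;
			}
		}
	}

	return (ciphers);

 err:
	sk_SSL_CIPHER_free(ciphers);

	return (NULL);
}

/*
 * One TLSv1.3 cipher suite as accepted by ssl_parse_ciphersuites(): two
 * spellings of its name and the cipher id used to look it up.
 */
struct ssl_tls13_ciphersuite {
	const char *name;
	const char *alias;
	unsigned long cid;
};

/* Names recognised by ssl_parse_ciphersuites(); ends with a NULL name. */
static const struct ssl_tls13_ciphersuite ssl_tls13_ciphersuites[] = {
	{
		.name = TLS1_3_TXT_AES_128_GCM_SHA256,
		.alias = "TLS_AES_128_GCM_SHA256",
		.cid = TLS1_3_CK_AES_128_GCM_SHA256,
	},
	{
		.name = TLS1_3_TXT_AES_256_GCM_SHA384,
		.alias = "TLS_AES_256_GCM_SHA384",
		.cid = TLS1_3_CK_AES_256_GCM_SHA384,
	},
	{
		.name = TLS1_3_TXT_CHACHA20_POLY1305_SHA256,
		.alias = "TLS_CHACHA20_POLY1305_SHA256",
		.cid = TLS1_3_CK_CHACHA20_POLY1305_SHA256,
	},
	{
		.name = TLS1_3_TXT_AES_128_CCM_SHA256,
		.alias = "TLS_AES_128_CCM_SHA256",
		.cid = TLS1_3_CK_AES_128_CCM_SHA256,
	},
	{
		.name = TLS1_3_TXT_AES_128_CCM_8_SHA256,
		.alias = "TLS_AES_128_CCM_8_SHA256",
		.cid = TLS1_3_CK_AES_128_CCM_8_SHA256,
	},
	{
		.name = NULL,
	},
};

/*
 * Parse a colon separated list of TLSv1.3 cipher suite names in `str' and
 * store the resulting stack in `*out_ciphers', freeing the stack that was
 * there before.
 *
 * Each name must match the `name' or `alias' of an entry in
 * ssl_tls13_ciphersuites exactly; any other token, including an empty one
 * between two colons, fails the whole call.  An empty string is valid and
 * yields an empty stack.  A recognised suite for which
 * ssl3_get_cipher_by_id() returns NULL is skipped silently, so a string made
 * up only of such suites also succeeds with an empty stack; callers that
 * must end up with at least one suite have to check the result themselves.
 *
 * Returns 1 on success and 0 on failure.  On failure `*out_ciphers' is left
 * untouched.  A NULL `str' is rejected as a failure.
 */
int
ssl_parse_ciphersuites(STACK_OF(SSL_CIPHER) **out_ciphers, const char *str)
{
	const struct ssl_tls13_ciphersuite *ciphersuite;
	STACK_OF(SSL_CIPHER) *ciphers = NULL;
	const SSL_CIPHER *cipher;
	char *s = NULL;
	char *p, *q;
	int ret = 0;

	/* strcmp() and strdup() on a NULL pointer are undefined. */
	if (str == NULL)
		goto err;

	if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL)
		goto err;

	/* An empty string is valid and means no ciphers. */
	if (strcmp(str, "") == 0)
		goto done;

	/* strsep() writes into its input, so work on a private copy. */
	if ((s = strdup(str)) == NULL)
		goto err;

	q = s;
	while ((p = strsep(&q, ":")) != NULL) {
		/* Walk the table once; stop on a match or at the sentinel. */
		for (ciphersuite = ssl_tls13_ciphersuites;
		    ciphersuite->name != NULL; ciphersuite++) {
			if (strcmp(p, ciphersuite->name) == 0)
				break;
			if (strcmp(p, ciphersuite->alias) == 0)
				break;
		}
		if (ciphersuite->name == NULL)
			goto err;

		/* We know about the cipher suite, but it is not supported. */
		if ((cipher = ssl3_get_cipher_by_id(ciphersuite->cid)) == NULL)
			continue;

		if (!sk_SSL_CIPHER_push(ciphers, cipher))
			goto err;
	}

 done:
	/* Replace the old stack only once the new one is complete. */
	sk_SSL_CIPHER_free(*out_ciphers);
	*out_ciphers = ciphers;
	ciphers = NULL;
	ret = 1;

 err:
	sk_SSL_CIPHER_free(ciphers);
	free(s);

	return ret;
}

/*
 * Build the combined cipher list: a copy of `cipherlist_tls13' followed by
 * every entry of `cipherlist' whose algorithm_ssl is not SSL_TLSV1_3.  The
 * TLSv1.3 entries of `cipherlist' are dropped, so the TLSv1.3 part of the
 * result comes from `cipherlist_tls13' only.
 *
 * On success the stack previously held in `*out_cipherlist' is freed and
 * replaced.  Returns 1 on success and 0 on failure; on failure
 * `*out_cipherlist' is left untouched.  Entries of `cipherlist' are
 * dereferenced without a NULL check.
 */
int
ssl_merge_cipherlists(STACK_OF(SSL_CIPHER) *cipherlist,
    STACK_OF(SSL_CIPHER) *cipherlist_tls13,
    STACK_OF(SSL_CIPHER) **out_cipherlist)
{
	STACK_OF(SSL_CIPHER) *ciphers = NULL;
	const SSL_CIPHER *cipher;
	int i, ret = 0;

	if ((ciphers = sk_SSL_CIPHER_dup(cipherlist_tls13)) == NULL)
		goto err;
	for (i = 0; i < sk_SSL_CIPHER_num(cipherlist); i++) {
		cipher = sk_SSL_CIPHER_value(cipherlist, i);
		if (cipher->algorithm_ssl == SSL_TLSV1_3)
			continue;
		if (!sk_SSL_CIPHER_push(ciphers, cipher))
			goto err;
	}

	/* Replace the old stack only once the new one is complete. */
	sk_SSL_CIPHER_free(*out_cipherlist);
	*out_cipherlist = ciphers;
	ciphers = NULL;

	ret = 1;

 err:
	sk_SSL_CIPHER_free(ciphers);

	return ret;
}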