xref: /openbsd/lib/libssl/ssl_ciphers.c (revision 4bdff4be) 
1 /*	$OpenBSD: ssl_ciphers.c,v 1.17 2022/11/26 16:08:55 tb Exp $ */
2 /*
3  * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org>
4  * Copyright (c) 2015-2018, 2020 Joel Sing <jsing@openbsd.org>
5  * Copyright (c) 2019 Theo Buehler <tb@openbsd.org>
6  *
7  * Permission to use, copy, modify, and distribute this software for any
8  * purpose with or without fee is hereby granted, provided that the above
9  * copyright notice and this permission notice appear in all copies.
10  *
11  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18  */
19 
20 #include <openssl/safestack.h>
21 
22 #include "bytestring.h"
23 #include "ssl_local.h"
24 
25 int
26 ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher)
27 {
28 	int i;
29 
30 	for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
31 		if (sk_SSL_CIPHER_value(ciphers, i)->id == cipher->id)
32 			return 1;
33 	}
34 
35 	return 0;
36 }
37 
38 int
39 ssl_cipher_allowed_in_tls_version_range(const SSL_CIPHER *cipher, uint16_t min_ver,
40     uint16_t max_ver)
41 {
42 	switch(cipher->algorithm_ssl) {
43 	case SSL_SSLV3:
44 		return (min_ver <= TLS1_2_VERSION);
45 	case SSL_TLSV1_2:
46 		return (min_ver <= TLS1_2_VERSION && TLS1_2_VERSION <= max_ver);
47 	case SSL_TLSV1_3:
48 		return (min_ver <= TLS1_3_VERSION && TLS1_3_VERSION <= max_ver);
49 	}
50 	return 0;
51 }
52 
53 int
54 ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb)
55 {
56 	SSL_CIPHER *cipher;
57 	int num_ciphers = 0;
58 	uint16_t min_vers, max_vers;
59 	int i;
60 
61 	if (ciphers == NULL)
62 		return 0;
63 
64 	if (!ssl_supported_tls_version_range(s, &min_vers, &max_vers))
65 		return 0;
66 
67 	for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
68 		if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL)
69 			return 0;
70 		if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers,
71 		    max_vers))
72 			continue;
73 		if (!ssl_security_cipher_check(s, cipher))
74 			continue;
75 		if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher)))
76 			return 0;
77 
78 		num_ciphers++;
79 	}
80 
81 	/* Add SCSV if there are other ciphers and we're not renegotiating. */
82 	if (num_ciphers > 0 && !s->renegotiate) {
83 		if (!CBB_add_u16(cbb, SSL3_CK_SCSV & SSL3_CK_VALUE_MASK))
84 			return 0;
85 	}
86 
87 	if (!CBB_flush(cbb))
88 		return 0;
89 
90 	return 1;
91 }
92 
93 STACK_OF(SSL_CIPHER) *
94 ssl_bytes_to_cipher_list(SSL *s, CBS *cbs)
95 {
96 	STACK_OF(SSL_CIPHER) *ciphers = NULL;
97 	const SSL_CIPHER *cipher;
98 	uint16_t cipher_value;
99 	unsigned long cipher_id;
100 
101 	s->s3->send_connection_binding = 0;
102 
103 	if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL) {
104 		SSLerror(s, ERR_R_MALLOC_FAILURE);
105 		goto err;
106 	}
107 
108 	while (CBS_len(cbs) > 0) {
109 		if (!CBS_get_u16(cbs, &cipher_value)) {
110 			SSLerror(s, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
111 			goto err;
112 		}
113 
114 		cipher_id = SSL3_CK_ID | cipher_value;
115 
116 		if (cipher_id == SSL3_CK_SCSV) {
117 			/*
118 			 * TLS_EMPTY_RENEGOTIATION_INFO_SCSV is fatal if
119 			 * renegotiating.
120 			 */
121 			if (s->renegotiate) {
122 				SSLerror(s, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
123 				ssl3_send_alert(s, SSL3_AL_FATAL,
124 				    SSL_AD_HANDSHAKE_FAILURE);
125 
126 				goto err;
127 			}
128 			s->s3->send_connection_binding = 1;
129 			continue;
130 		}
131 
132 		if (cipher_id == SSL3_CK_FALLBACK_SCSV) {
133 			/*
134 			 * TLS_FALLBACK_SCSV indicates that the client
135 			 * previously tried a higher protocol version.
136 			 * Fail if the current version is an unexpected
137 			 * downgrade.
138 			 */
139 			if (s->s3->hs.negotiated_tls_version <
140 			    s->s3->hs.our_max_tls_version) {
141 				SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
142 				ssl3_send_alert(s, SSL3_AL_FATAL,
143 					SSL_AD_INAPPROPRIATE_FALLBACK);
144 				goto err;
145 			}
146 			continue;
147 		}
148 
149 		if ((cipher = ssl3_get_cipher_by_value(cipher_value)) != NULL) {
150 			if (!sk_SSL_CIPHER_push(ciphers, cipher)) {
151 				SSLerror(s, ERR_R_MALLOC_FAILURE);
152 				goto err;
153 			}
154 		}
155 	}
156 
157 	return (ciphers);
158 
159  err:
160 	sk_SSL_CIPHER_free(ciphers);
161 
162 	return (NULL);
163 }
164 
165 struct ssl_tls13_ciphersuite {
166 	const char *name;
167 	const char *alias;
168 	unsigned long cid;
169 };
170 
171 static const struct ssl_tls13_ciphersuite ssl_tls13_ciphersuites[] = {
172 	{
173 		.name = TLS1_3_RFC_AES_128_GCM_SHA256,
174 		.alias = TLS1_3_TXT_AES_128_GCM_SHA256,
175 		.cid = TLS1_3_CK_AES_128_GCM_SHA256,
176 	},
177 	{
178 		.name = TLS1_3_RFC_AES_256_GCM_SHA384,
179 		.alias = TLS1_3_TXT_AES_256_GCM_SHA384,
180 		.cid = TLS1_3_CK_AES_256_GCM_SHA384,
181 	},
182 	{
183 		.name = TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
184 		.alias = TLS1_3_TXT_CHACHA20_POLY1305_SHA256,
185 		.cid = TLS1_3_CK_CHACHA20_POLY1305_SHA256,
186 	},
187 	{
188 		.name = TLS1_3_RFC_AES_128_CCM_SHA256,
189 		.alias = TLS1_3_TXT_AES_128_CCM_SHA256,
190 		.cid = TLS1_3_CK_AES_128_CCM_SHA256,
191 	},
192 	{
193 		.name = TLS1_3_RFC_AES_128_CCM_8_SHA256,
194 		.alias = TLS1_3_TXT_AES_128_CCM_8_SHA256,
195 		.cid = TLS1_3_CK_AES_128_CCM_8_SHA256,
196 	},
197 	{
198 		.name = NULL,
199 	},
200 };
201 
202 int
203 ssl_parse_ciphersuites(STACK_OF(SSL_CIPHER) **out_ciphers, const char *str)
204 {
205 	const struct ssl_tls13_ciphersuite *ciphersuite;
206 	STACK_OF(SSL_CIPHER) *ciphers;
207 	const SSL_CIPHER *cipher;
208 	char *s = NULL;
209 	char *p, *q;
210 	int i;
211 	int ret = 0;
212 
213 	if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL)
214 		goto err;
215 
216 	/* An empty string is valid and means no ciphers. */
217 	if (strcmp(str, "") == 0)
218 		goto done;
219 
220 	if ((s = strdup(str)) == NULL)
221 		goto err;
222 
223 	q = s;
224 	while ((p = strsep(&q, ":")) != NULL) {
225 		ciphersuite = &ssl_tls13_ciphersuites[0];
226 		for (i = 0; ciphersuite->name != NULL; i++) {
227 			if (strcmp(p, ciphersuite->name) == 0)
228 				break;
229 			if (strcmp(p, ciphersuite->alias) == 0)
230 				break;
231 			ciphersuite = &ssl_tls13_ciphersuites[i];
232 		}
233 		if (ciphersuite->name == NULL)
234 			goto err;
235 
236 		/* We know about the cipher suite, but it is not supported. */
237 		if ((cipher = ssl3_get_cipher_by_id(ciphersuite->cid)) == NULL)
238 			continue;
239 
240 		if (!sk_SSL_CIPHER_push(ciphers, cipher))
241 			goto err;
242 	}
243 
244  done:
245 	sk_SSL_CIPHER_free(*out_ciphers);
246 	*out_ciphers = ciphers;
247 	ciphers = NULL;
248 	ret = 1;
249 
250  err:
251 	sk_SSL_CIPHER_free(ciphers);
252 	free(s);
253 
254 	return ret;
255 }
256 
257 int
258 ssl_merge_cipherlists(STACK_OF(SSL_CIPHER) *cipherlist,
259     STACK_OF(SSL_CIPHER) *cipherlist_tls13,
260     STACK_OF(SSL_CIPHER) **out_cipherlist)
261 {
262 	STACK_OF(SSL_CIPHER) *ciphers = NULL;
263 	const SSL_CIPHER *cipher;
264 	int i, ret = 0;
265 
266 	if ((ciphers = sk_SSL_CIPHER_dup(cipherlist_tls13)) == NULL)
267 		goto err;
268 	for (i = 0; i < sk_SSL_CIPHER_num(cipherlist); i++) {
269 		cipher = sk_SSL_CIPHER_value(cipherlist, i);
270 		if (cipher->algorithm_ssl == SSL_TLSV1_3)
271 			continue;
272 		if (!sk_SSL_CIPHER_push(ciphers, cipher))
273 			goto err;
274 	}
275 
276 	sk_SSL_CIPHER_free(*out_cipherlist);
277 	*out_cipherlist = ciphers;
278 	ciphers = NULL;
279 
280 	ret = 1;
281 
282  err:
283 	sk_SSL_CIPHER_free(ciphers);
284 
285 	return ret;
286 }
287