1/*	$OpenBSD: ssl_ciphers.c,v 1.17 2022/11/26 16:08:55 tb Exp $ */
2/*
3 * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org>
4 * Copyright (c) 2015-2018, 2020 Joel Sing <jsing@openbsd.org>
5 * Copyright (c) 2019 Theo Buehler <tb@openbsd.org>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20#include <openssl/safestack.h>
21
22#include "bytestring.h"
23#include "ssl_local.h"
24
25int
26ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher)
27{
28	int i;
29
30	for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
31		if (sk_SSL_CIPHER_value(ciphers, i)->id == cipher->id)
32			return 1;
33	}
34
35	return 0;
36}
37
38int
39ssl_cipher_allowed_in_tls_version_range(const SSL_CIPHER *cipher, uint16_t min_ver,
40    uint16_t max_ver)
41{
42	switch(cipher->algorithm_ssl) {
43	case SSL_SSLV3:
44		return (min_ver <= TLS1_2_VERSION);
45	case SSL_TLSV1_2:
46		return (min_ver <= TLS1_2_VERSION && TLS1_2_VERSION <= max_ver);
47	case SSL_TLSV1_3:
48		return (min_ver <= TLS1_3_VERSION && TLS1_3_VERSION <= max_ver);
49	}
50	return 0;
51}
52
53int
54ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb)
55{
56	SSL_CIPHER *cipher;
57	int num_ciphers = 0;
58	uint16_t min_vers, max_vers;
59	int i;
60
61	if (ciphers == NULL)
62		return 0;
63
64	if (!ssl_supported_tls_version_range(s, &min_vers, &max_vers))
65		return 0;
66
67	for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
68		if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL)
69			return 0;
70		if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers,
71		    max_vers))
72			continue;
73		if (!ssl_security_cipher_check(s, cipher))
74			continue;
75		if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher)))
76			return 0;
77
78		num_ciphers++;
79	}
80
81	/* Add SCSV if there are other ciphers and we're not renegotiating. */
82	if (num_ciphers > 0 && !s->renegotiate) {
83		if (!CBB_add_u16(cbb, SSL3_CK_SCSV & SSL3_CK_VALUE_MASK))
84			return 0;
85	}
86
87	if (!CBB_flush(cbb))
88		return 0;
89
90	return 1;
91}
92
93STACK_OF(SSL_CIPHER) *
94ssl_bytes_to_cipher_list(SSL *s, CBS *cbs)
95{
96	STACK_OF(SSL_CIPHER) *ciphers = NULL;
97	const SSL_CIPHER *cipher;
98	uint16_t cipher_value;
99	unsigned long cipher_id;
100
101	s->s3->send_connection_binding = 0;
102
103	if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL) {
104		SSLerror(s, ERR_R_MALLOC_FAILURE);
105		goto err;
106	}
107
108	while (CBS_len(cbs) > 0) {
109		if (!CBS_get_u16(cbs, &cipher_value)) {
110			SSLerror(s, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
111			goto err;
112		}
113
114		cipher_id = SSL3_CK_ID | cipher_value;
115
116		if (cipher_id == SSL3_CK_SCSV) {
117			/*
118			 * TLS_EMPTY_RENEGOTIATION_INFO_SCSV is fatal if
119			 * renegotiating.
120			 */
121			if (s->renegotiate) {
122				SSLerror(s, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
123				ssl3_send_alert(s, SSL3_AL_FATAL,
124				    SSL_AD_HANDSHAKE_FAILURE);
125
126				goto err;
127			}
128			s->s3->send_connection_binding = 1;
129			continue;
130		}
131
132		if (cipher_id == SSL3_CK_FALLBACK_SCSV) {
133			/*
134			 * TLS_FALLBACK_SCSV indicates that the client
135			 * previously tried a higher protocol version.
136			 * Fail if the current version is an unexpected
137			 * downgrade.
138			 */
139			if (s->s3->hs.negotiated_tls_version <
140			    s->s3->hs.our_max_tls_version) {
141				SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
142				ssl3_send_alert(s, SSL3_AL_FATAL,
143					SSL_AD_INAPPROPRIATE_FALLBACK);
144				goto err;
145			}
146			continue;
147		}
148
149		if ((cipher = ssl3_get_cipher_by_value(cipher_value)) != NULL) {
150			if (!sk_SSL_CIPHER_push(ciphers, cipher)) {
151				SSLerror(s, ERR_R_MALLOC_FAILURE);
152				goto err;
153			}
154		}
155	}
156
157	return (ciphers);
158
159 err:
160	sk_SSL_CIPHER_free(ciphers);
161
162	return (NULL);
163}
164
165struct ssl_tls13_ciphersuite {
166	const char *name;
167	const char *alias;
168	unsigned long cid;
169};
170
171static const struct ssl_tls13_ciphersuite ssl_tls13_ciphersuites[] = {
172	{
173		.name = TLS1_3_RFC_AES_128_GCM_SHA256,
174		.alias = TLS1_3_TXT_AES_128_GCM_SHA256,
175		.cid = TLS1_3_CK_AES_128_GCM_SHA256,
176	},
177	{
178		.name = TLS1_3_RFC_AES_256_GCM_SHA384,
179		.alias = TLS1_3_TXT_AES_256_GCM_SHA384,
180		.cid = TLS1_3_CK_AES_256_GCM_SHA384,
181	},
182	{
183		.name = TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
184		.alias = TLS1_3_TXT_CHACHA20_POLY1305_SHA256,
185		.cid = TLS1_3_CK_CHACHA20_POLY1305_SHA256,
186	},
187	{
188		.name = TLS1_3_RFC_AES_128_CCM_SHA256,
189		.alias = TLS1_3_TXT_AES_128_CCM_SHA256,
190		.cid = TLS1_3_CK_AES_128_CCM_SHA256,
191	},
192	{
193		.name = TLS1_3_RFC_AES_128_CCM_8_SHA256,
194		.alias = TLS1_3_TXT_AES_128_CCM_8_SHA256,
195		.cid = TLS1_3_CK_AES_128_CCM_8_SHA256,
196	},
197	{
198		.name = NULL,
199	},
200};
201
202int
203ssl_parse_ciphersuites(STACK_OF(SSL_CIPHER) **out_ciphers, const char *str)
204{
205	const struct ssl_tls13_ciphersuite *ciphersuite;
206	STACK_OF(SSL_CIPHER) *ciphers;
207	const SSL_CIPHER *cipher;
208	char *s = NULL;
209	char *p, *q;
210	int i;
211	int ret = 0;
212
213	if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL)
214		goto err;
215
216	/* An empty string is valid and means no ciphers. */
217	if (strcmp(str, "") == 0)
218		goto done;
219
220	if ((s = strdup(str)) == NULL)
221		goto err;
222
223	q = s;
224	while ((p = strsep(&q, ":")) != NULL) {
225		ciphersuite = &ssl_tls13_ciphersuites[0];
226		for (i = 0; ciphersuite->name != NULL; i++) {
227			if (strcmp(p, ciphersuite->name) == 0)
228				break;
229			if (strcmp(p, ciphersuite->alias) == 0)
230				break;
231			ciphersuite = &ssl_tls13_ciphersuites[i];
232		}
233		if (ciphersuite->name == NULL)
234			goto err;
235
236		/* We know about the cipher suite, but it is not supported. */
237		if ((cipher = ssl3_get_cipher_by_id(ciphersuite->cid)) == NULL)
238			continue;
239
240		if (!sk_SSL_CIPHER_push(ciphers, cipher))
241			goto err;
242	}
243
244 done:
245	sk_SSL_CIPHER_free(*out_ciphers);
246	*out_ciphers = ciphers;
247	ciphers = NULL;
248	ret = 1;
249
250 err:
251	sk_SSL_CIPHER_free(ciphers);
252	free(s);
253
254	return ret;
255}
256
257int
258ssl_merge_cipherlists(STACK_OF(SSL_CIPHER) *cipherlist,
259    STACK_OF(SSL_CIPHER) *cipherlist_tls13,
260    STACK_OF(SSL_CIPHER) **out_cipherlist)
261{
262	STACK_OF(SSL_CIPHER) *ciphers = NULL;
263	const SSL_CIPHER *cipher;
264	int i, ret = 0;
265
266	if ((ciphers = sk_SSL_CIPHER_dup(cipherlist_tls13)) == NULL)
267		goto err;
268	for (i = 0; i < sk_SSL_CIPHER_num(cipherlist); i++) {
269		cipher = sk_SSL_CIPHER_value(cipherlist, i);
270		if (cipher->algorithm_ssl == SSL_TLSV1_3)
271			continue;
272		if (!sk_SSL_CIPHER_push(ciphers, cipher))
273			goto err;
274	}
275
276	sk_SSL_CIPHER_free(*out_cipherlist);
277	*out_cipherlist = ciphers;
278	ciphers = NULL;
279
280	ret = 1;
281
282 err:
283	sk_SSL_CIPHER_free(ciphers);
284
285	return ret;
286}
287