1 /* $OpenBSD: ssl_ciphers.c,v 1.15 2022/07/02 16:31:04 tb Exp $ */
3 * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org>
4 * Copyright (c) 2015-2018, 2020 Joel Sing <jsing@openbsd.org>
5 * Copyright (c) 2019 Theo Buehler <tb@openbsd.org>
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
20 #include <openssl/safestack.h>
22 #include "bytestring.h"
26 ssl_cipher_in_list(STACK_OF(SSL_CIPHER
) *ciphers
, const SSL_CIPHER
*cipher
)
30 for (i
= 0; i
< sk_SSL_CIPHER_num(ciphers
); i
++) {
31 if (sk_SSL_CIPHER_value(ciphers
, i
)->id
== cipher
->id
)
39 ssl_cipher_allowed_in_tls_version_range(const SSL_CIPHER
*cipher
, uint16_t min_ver
,
42 switch(cipher
->algorithm_ssl
) {
44 return (min_ver
<= TLS1_2_VERSION
);
46 return (min_ver
<= TLS1_2_VERSION
&& TLS1_2_VERSION
<= max_ver
);
48 return (min_ver
<= TLS1_3_VERSION
&& TLS1_3_VERSION
<= max_ver
);
54 ssl_cipher_list_to_bytes(SSL
*s
, STACK_OF(SSL_CIPHER
) *ciphers
, CBB
*cbb
)
58 uint16_t min_vers
, max_vers
;
64 if (!ssl_supported_tls_version_range(s
, &min_vers
, &max_vers
))
67 for (i
= 0; i
< sk_SSL_CIPHER_num(ciphers
); i
++) {
68 if ((cipher
= sk_SSL_CIPHER_value(ciphers
, i
)) == NULL
)
70 if (!ssl_cipher_allowed_in_tls_version_range(cipher
, min_vers
,
73 if (!ssl_security_cipher_check(s
, cipher
))
75 if (!CBB_add_u16(cbb
, ssl3_cipher_get_value(cipher
)))
81 /* Add SCSV if there are other ciphers and we're not renegotiating. */
82 if (num_ciphers
> 0 && !s
->internal
->renegotiate
) {
83 if (!CBB_add_u16(cbb
, SSL3_CK_SCSV
& SSL3_CK_VALUE_MASK
))
93 STACK_OF(SSL_CIPHER
) *
94 ssl_bytes_to_cipher_list(SSL
*s
, CBS
*cbs
)
96 STACK_OF(SSL_CIPHER
) *ciphers
= NULL
;
97 const SSL_CIPHER
*cipher
;
98 uint16_t cipher_value
;
99 unsigned long cipher_id
;
101 s
->s3
->send_connection_binding
= 0;
103 if ((ciphers
= sk_SSL_CIPHER_new_null()) == NULL
) {
104 SSLerror(s
, ERR_R_MALLOC_FAILURE
);
108 while (CBS_len(cbs
) > 0) {
109 if (!CBS_get_u16(cbs
, &cipher_value
)) {
110 SSLerror(s
, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST
);
114 cipher_id
= SSL3_CK_ID
| cipher_value
;
116 if (cipher_id
== SSL3_CK_SCSV
) {
118 * TLS_EMPTY_RENEGOTIATION_INFO_SCSV is fatal if
121 if (s
->internal
->renegotiate
) {
122 SSLerror(s
, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING
);
123 ssl3_send_alert(s
, SSL3_AL_FATAL
,
124 SSL_AD_HANDSHAKE_FAILURE
);
128 s
->s3
->send_connection_binding
= 1;
132 if (cipher_id
== SSL3_CK_FALLBACK_SCSV
) {
134 * TLS_FALLBACK_SCSV indicates that the client
135 * previously tried a higher protocol version.
136 * Fail if the current version is an unexpected
139 if (s
->s3
->hs
.negotiated_tls_version
<
140 s
->s3
->hs
.our_max_tls_version
) {
141 SSLerror(s
, SSL_R_INAPPROPRIATE_FALLBACK
);
142 ssl3_send_alert(s
, SSL3_AL_FATAL
,
143 SSL_AD_INAPPROPRIATE_FALLBACK
);
149 if ((cipher
= ssl3_get_cipher_by_value(cipher_value
)) != NULL
) {
150 if (!sk_SSL_CIPHER_push(ciphers
, cipher
)) {
151 SSLerror(s
, ERR_R_MALLOC_FAILURE
);
160 sk_SSL_CIPHER_free(ciphers
);
165 struct ssl_tls13_ciphersuite
{
171 static const struct ssl_tls13_ciphersuite ssl_tls13_ciphersuites
[] = {
173 .name
= TLS1_3_RFC_AES_128_GCM_SHA256
,
174 .alias
= TLS1_3_TXT_AES_128_GCM_SHA256
,
175 .cid
= TLS1_3_CK_AES_128_GCM_SHA256
,
178 .name
= TLS1_3_RFC_AES_256_GCM_SHA384
,
179 .alias
= TLS1_3_TXT_AES_256_GCM_SHA384
,
180 .cid
= TLS1_3_CK_AES_256_GCM_SHA384
,
183 .name
= TLS1_3_RFC_CHACHA20_POLY1305_SHA256
,
184 .alias
= TLS1_3_TXT_CHACHA20_POLY1305_SHA256
,
185 .cid
= TLS1_3_CK_CHACHA20_POLY1305_SHA256
,
188 .name
= TLS1_3_RFC_AES_128_CCM_SHA256
,
189 .alias
= TLS1_3_TXT_AES_128_CCM_SHA256
,
190 .cid
= TLS1_3_CK_AES_128_CCM_SHA256
,
193 .name
= TLS1_3_RFC_AES_128_CCM_8_SHA256
,
194 .alias
= TLS1_3_TXT_AES_128_CCM_8_SHA256
,
195 .cid
= TLS1_3_CK_AES_128_CCM_8_SHA256
,
203 ssl_parse_ciphersuites(STACK_OF(SSL_CIPHER
) **out_ciphers
, const char *str
)
205 const struct ssl_tls13_ciphersuite
*ciphersuite
;
206 STACK_OF(SSL_CIPHER
) *ciphers
;
207 const SSL_CIPHER
*cipher
;
213 if ((ciphers
= sk_SSL_CIPHER_new_null()) == NULL
)
216 /* An empty string is valid and means no ciphers. */
217 if (strcmp(str
, "") == 0)
220 if ((s
= strdup(str
)) == NULL
)
224 while ((p
= strsep(&q
, ":")) != NULL
) {
225 ciphersuite
= &ssl_tls13_ciphersuites
[0];
226 for (i
= 0; ciphersuite
->name
!= NULL
; i
++) {
227 if (strcmp(p
, ciphersuite
->name
) == 0)
229 if (strcmp(p
, ciphersuite
->alias
) == 0)
231 ciphersuite
= &ssl_tls13_ciphersuites
[i
];
233 if (ciphersuite
->name
== NULL
)
236 /* We know about the cipher suite, but it is not supported. */
237 if ((cipher
= ssl3_get_cipher_by_id(ciphersuite
->cid
)) == NULL
)
240 if (!sk_SSL_CIPHER_push(ciphers
, cipher
))
245 sk_SSL_CIPHER_free(*out_ciphers
);
246 *out_ciphers
= ciphers
;
251 sk_SSL_CIPHER_free(ciphers
);
258 ssl_merge_cipherlists(STACK_OF(SSL_CIPHER
) *cipherlist
,
259 STACK_OF(SSL_CIPHER
) *cipherlist_tls13
,
260 STACK_OF(SSL_CIPHER
) **out_cipherlist
)
262 STACK_OF(SSL_CIPHER
) *ciphers
= NULL
;
263 const SSL_CIPHER
*cipher
;
266 if ((ciphers
= sk_SSL_CIPHER_dup(cipherlist_tls13
)) == NULL
)
268 for (i
= 0; i
< sk_SSL_CIPHER_num(cipherlist
); i
++) {
269 cipher
= sk_SSL_CIPHER_value(cipherlist
, i
);
270 if (cipher
->algorithm_ssl
== SSL_TLSV1_3
)
272 if (!sk_SSL_CIPHER_push(ciphers
, cipher
))
276 sk_SSL_CIPHER_free(*out_cipherlist
);
277 *out_cipherlist
= ciphers
;
283 sk_SSL_CIPHER_free(ciphers
);