1 /* Copyright (c) 2017, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/ssl.h>
16
17 #include <assert.h>
18
19 #include <openssl/bytestring.h>
20 #include <openssl/err.h>
21
22 #include "internal.h"
23 #include "../crypto/internal.h"
24
25
26 BSSL_NAMESPACE_BEGIN
27
ssl_protocol_version_from_wire(uint16_t * out,uint16_t version)28 bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {
29 switch (version) {
30 case TLS1_VERSION:
31 case TLS1_1_VERSION:
32 case TLS1_2_VERSION:
33 case TLS1_3_VERSION:
34 *out = version;
35 return true;
36
37 case DTLS1_VERSION:
38 // DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0.
39 *out = TLS1_1_VERSION;
40 return true;
41
42 case DTLS1_2_VERSION:
43 *out = TLS1_2_VERSION;
44 return true;
45
46 default:
47 return false;
48 }
49 }
50
51 // The follow arrays are the supported versions for TLS and DTLS, in order of
52 // decreasing preference.
53
54 static const uint16_t kTLSVersions[] = {
55 TLS1_3_VERSION,
56 TLS1_2_VERSION,
57 TLS1_1_VERSION,
58 TLS1_VERSION,
59 };
60
61 static const uint16_t kDTLSVersions[] = {
62 DTLS1_2_VERSION,
63 DTLS1_VERSION,
64 };
65
get_method_versions(const SSL_PROTOCOL_METHOD * method,const uint16_t ** out,size_t * out_num)66 static void get_method_versions(const SSL_PROTOCOL_METHOD *method,
67 const uint16_t **out, size_t *out_num) {
68 if (method->is_dtls) {
69 *out = kDTLSVersions;
70 *out_num = OPENSSL_ARRAY_SIZE(kDTLSVersions);
71 } else {
72 *out = kTLSVersions;
73 *out_num = OPENSSL_ARRAY_SIZE(kTLSVersions);
74 }
75 }
76
ssl_method_supports_version(const SSL_PROTOCOL_METHOD * method,uint16_t version)77 bool ssl_method_supports_version(const SSL_PROTOCOL_METHOD *method,
78 uint16_t version) {
79 const uint16_t *versions;
80 size_t num_versions;
81 get_method_versions(method, &versions, &num_versions);
82 for (size_t i = 0; i < num_versions; i++) {
83 if (versions[i] == version) {
84 return true;
85 }
86 }
87 return false;
88 }
89
90 // The following functions map between API versions and wire versions. The
91 // public API works on wire versions.
92
ssl_version_to_string(uint16_t version)93 static const char *ssl_version_to_string(uint16_t version) {
94 switch (version) {
95 case TLS1_3_VERSION:
96 return "TLSv1.3";
97
98 case TLS1_2_VERSION:
99 return "TLSv1.2";
100
101 case TLS1_1_VERSION:
102 return "TLSv1.1";
103
104 case TLS1_VERSION:
105 return "TLSv1";
106
107 case DTLS1_VERSION:
108 return "DTLSv1";
109
110 case DTLS1_2_VERSION:
111 return "DTLSv1.2";
112
113 default:
114 return "unknown";
115 }
116 }
117
wire_version_to_api(uint16_t version)118 static uint16_t wire_version_to_api(uint16_t version) {
119 return version;
120 }
121
122 // api_version_to_wire maps |version| to some representative wire version.
api_version_to_wire(uint16_t * out,uint16_t version)123 static bool api_version_to_wire(uint16_t *out, uint16_t version) {
124 // Check it is a real protocol version.
125 uint16_t unused;
126 if (!ssl_protocol_version_from_wire(&unused, version)) {
127 return false;
128 }
129
130 *out = version;
131 return true;
132 }
133
set_version_bound(const SSL_PROTOCOL_METHOD * method,uint16_t * out,uint16_t version)134 static bool set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
135 uint16_t version) {
136 if (!api_version_to_wire(&version, version) ||
137 !ssl_method_supports_version(method, version) ||
138 !ssl_protocol_version_from_wire(out, version)) {
139 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_SSL_VERSION);
140 return false;
141 }
142
143 return true;
144 }
145
set_min_version(const SSL_PROTOCOL_METHOD * method,uint16_t * out,uint16_t version)146 static bool set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
147 uint16_t version) {
148 // Zero is interpreted as the default minimum version.
149 if (version == 0) {
150 // TLS 1.0 does not exist in DTLS.
151 *out = method->is_dtls ? TLS1_1_VERSION : TLS1_VERSION;
152 return true;
153 }
154
155 return set_version_bound(method, out, version);
156 }
157
set_max_version(const SSL_PROTOCOL_METHOD * method,uint16_t * out,uint16_t version)158 static bool set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
159 uint16_t version) {
160 // Zero is interpreted as the default maximum version.
161 if (version == 0) {
162 *out = TLS1_2_VERSION;
163 return true;
164 }
165
166 return set_version_bound(method, out, version);
167 }
168
169 const struct {
170 uint16_t version;
171 uint32_t flag;
172 } kProtocolVersions[] = {
173 {TLS1_VERSION, SSL_OP_NO_TLSv1},
174 {TLS1_1_VERSION, SSL_OP_NO_TLSv1_1},
175 {TLS1_2_VERSION, SSL_OP_NO_TLSv1_2},
176 {TLS1_3_VERSION, SSL_OP_NO_TLSv1_3},
177 };
178
ssl_get_version_range(const SSL_HANDSHAKE * hs,uint16_t * out_min_version,uint16_t * out_max_version)179 bool ssl_get_version_range(const SSL_HANDSHAKE *hs, uint16_t *out_min_version,
180 uint16_t *out_max_version) {
181 // For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but
182 // DTLS 1.0 should be mapped to TLS 1.1.
183 uint32_t options = hs->ssl->options;
184 if (SSL_is_dtls(hs->ssl)) {
185 options &= ~SSL_OP_NO_TLSv1_1;
186 if (options & SSL_OP_NO_DTLSv1) {
187 options |= SSL_OP_NO_TLSv1_1;
188 }
189 }
190
191 uint16_t min_version = hs->config->conf_min_version;
192 uint16_t max_version = hs->config->conf_max_version;
193
194 // QUIC requires TLS 1.3.
195 if (hs->ssl->quic_method && min_version < TLS1_3_VERSION) {
196 min_version = TLS1_3_VERSION;
197 }
198
199 // OpenSSL's API for controlling versions entails blacklisting individual
200 // protocols. This has two problems. First, on the client, the protocol can
201 // only express a contiguous range of versions. Second, a library consumer
202 // trying to set a maximum version cannot disable protocol versions that get
203 // added in a future version of the library.
204 //
205 // To account for both of these, OpenSSL interprets the client-side bitmask
206 // as a min/max range by picking the lowest contiguous non-empty range of
207 // enabled protocols. Note that this means it is impossible to set a maximum
208 // version of the higest supported TLS version in a future-proof way.
209 bool any_enabled = false;
210 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kProtocolVersions); i++) {
211 // Only look at the versions already enabled.
212 if (min_version > kProtocolVersions[i].version) {
213 continue;
214 }
215 if (max_version < kProtocolVersions[i].version) {
216 break;
217 }
218
219 if (!(options & kProtocolVersions[i].flag)) {
220 // The minimum version is the first enabled version.
221 if (!any_enabled) {
222 any_enabled = true;
223 min_version = kProtocolVersions[i].version;
224 }
225 continue;
226 }
227
228 // If there is a disabled version after the first enabled one, all versions
229 // after it are implicitly disabled.
230 if (any_enabled) {
231 max_version = kProtocolVersions[i-1].version;
232 break;
233 }
234 }
235
236 if (!any_enabled) {
237 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SUPPORTED_VERSIONS_ENABLED);
238 return false;
239 }
240
241 *out_min_version = min_version;
242 *out_max_version = max_version;
243 return true;
244 }
245
ssl_version(const SSL * ssl)246 static uint16_t ssl_version(const SSL *ssl) {
247 // In early data, we report the predicted version.
248 if (SSL_in_early_data(ssl) && !ssl->server) {
249 return ssl->s3->hs->early_session->ssl_version;
250 }
251 return ssl->version;
252 }
253
ssl_protocol_version(const SSL * ssl)254 uint16_t ssl_protocol_version(const SSL *ssl) {
255 assert(ssl->s3->have_version);
256 uint16_t version;
257 if (!ssl_protocol_version_from_wire(&version, ssl->version)) {
258 // |ssl->version| will always be set to a valid version.
259 assert(0);
260 return 0;
261 }
262
263 return version;
264 }
265
ssl_supports_version(SSL_HANDSHAKE * hs,uint16_t version)266 bool ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version) {
267 SSL *const ssl = hs->ssl;
268 uint16_t protocol_version;
269 if (!ssl_method_supports_version(ssl->method, version) ||
270 !ssl_protocol_version_from_wire(&protocol_version, version) ||
271 hs->min_version > protocol_version ||
272 protocol_version > hs->max_version) {
273 return false;
274 }
275
276 return true;
277 }
278
ssl_add_supported_versions(SSL_HANDSHAKE * hs,CBB * cbb)279 bool ssl_add_supported_versions(SSL_HANDSHAKE *hs, CBB *cbb) {
280 const uint16_t *versions;
281 size_t num_versions;
282 get_method_versions(hs->ssl->method, &versions, &num_versions);
283 for (size_t i = 0; i < num_versions; i++) {
284 if (ssl_supports_version(hs, versions[i]) &&
285 !CBB_add_u16(cbb, versions[i])) {
286 return false;
287 }
288 }
289 return true;
290 }
291
ssl_negotiate_version(SSL_HANDSHAKE * hs,uint8_t * out_alert,uint16_t * out_version,const CBS * peer_versions)292 bool ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
293 uint16_t *out_version, const CBS *peer_versions) {
294 const uint16_t *versions;
295 size_t num_versions;
296 get_method_versions(hs->ssl->method, &versions, &num_versions);
297 for (size_t i = 0; i < num_versions; i++) {
298 if (!ssl_supports_version(hs, versions[i])) {
299 continue;
300 }
301
302 // JDK 11, prior to 11.0.2, has a buggy TLS 1.3 implementation which fails
303 // to send SNI when offering 1.3 sessions. Disable TLS 1.3 for such
304 // clients. We apply this logic here rather than |ssl_supports_version| so
305 // the downgrade signal continues to query the true capabilities. (The
306 // workaround is a limitation of the peer's capabilities rather than our
307 // own.)
308 //
309 // See https://bugs.openjdk.java.net/browse/JDK-8211806.
310 if (versions[i] == TLS1_3_VERSION && hs->apply_jdk11_workaround) {
311 continue;
312 }
313
314 CBS copy = *peer_versions;
315 while (CBS_len(©) != 0) {
316 uint16_t version;
317 if (!CBS_get_u16(©, &version)) {
318 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
319 *out_alert = SSL_AD_DECODE_ERROR;
320 return false;
321 }
322
323 if (version == versions[i]) {
324 *out_version = version;
325 return true;
326 }
327 }
328 }
329
330 OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);
331 *out_alert = SSL_AD_PROTOCOL_VERSION;
332 return false;
333 }
334
335 BSSL_NAMESPACE_END
336
337 using namespace bssl;
338
SSL_CTX_set_min_proto_version(SSL_CTX * ctx,uint16_t version)339 int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) {
340 return set_min_version(ctx->method, &ctx->conf_min_version, version);
341 }
342
SSL_CTX_set_max_proto_version(SSL_CTX * ctx,uint16_t version)343 int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) {
344 return set_max_version(ctx->method, &ctx->conf_max_version, version);
345 }
346
SSL_set_min_proto_version(SSL * ssl,uint16_t version)347 int SSL_set_min_proto_version(SSL *ssl, uint16_t version) {
348 if (!ssl->config) {
349 return 0;
350 }
351 return set_min_version(ssl->method, &ssl->config->conf_min_version, version);
352 }
353
SSL_set_max_proto_version(SSL * ssl,uint16_t version)354 int SSL_set_max_proto_version(SSL *ssl, uint16_t version) {
355 if (!ssl->config) {
356 return 0;
357 }
358 return set_max_version(ssl->method, &ssl->config->conf_max_version, version);
359 }
360
SSL_version(const SSL * ssl)361 int SSL_version(const SSL *ssl) {
362 return wire_version_to_api(ssl_version(ssl));
363 }
364
SSL_get_version(const SSL * ssl)365 const char *SSL_get_version(const SSL *ssl) {
366 return ssl_version_to_string(ssl_version(ssl));
367 }
368
SSL_SESSION_get_version(const SSL_SESSION * session)369 const char *SSL_SESSION_get_version(const SSL_SESSION *session) {
370 return ssl_version_to_string(session->ssl_version);
371 }
372
SSL_SESSION_get_protocol_version(const SSL_SESSION * session)373 uint16_t SSL_SESSION_get_protocol_version(const SSL_SESSION *session) {
374 return wire_version_to_api(session->ssl_version);
375 }
376
SSL_SESSION_set_protocol_version(SSL_SESSION * session,uint16_t version)377 int SSL_SESSION_set_protocol_version(SSL_SESSION *session, uint16_t version) {
378 // This picks a representative TLS 1.3 version, but this API should only be
379 // used on unit test sessions anyway.
380 return api_version_to_wire(&session->ssl_version, version);
381 }
382