1 /* Copyright (c) 2017, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/ssl.h>
16
17 #include <assert.h>
18
19 #include <openssl/bytestring.h>
20 #include <openssl/err.h>
21
22 #include "internal.h"
23 #include "../crypto/internal.h"
24
25
26 BSSL_NAMESPACE_BEGIN
27
ssl_protocol_version_from_wire(uint16_t * out,uint16_t version)28 bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {
29 switch (version) {
30 case TLS1_VERSION:
31 case TLS1_1_VERSION:
32 case TLS1_2_VERSION:
33 case TLS1_3_VERSION:
34 *out = version;
35 return true;
36
37 case DTLS1_VERSION:
38 // DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0.
39 *out = TLS1_1_VERSION;
40 return true;
41
42 case DTLS1_2_VERSION:
43 *out = TLS1_2_VERSION;
44 return true;
45
46 default:
47 return false;
48 }
49 }
50
51 // The follow arrays are the supported versions for TLS and DTLS, in order of
52 // decreasing preference.
53
54 static const uint16_t kTLSVersions[] = {
55 TLS1_3_VERSION,
56 TLS1_2_VERSION,
57 TLS1_1_VERSION,
58 TLS1_VERSION,
59 };
60
61 static const uint16_t kDTLSVersions[] = {
62 DTLS1_2_VERSION,
63 DTLS1_VERSION,
64 };
65
get_method_versions(const SSL_PROTOCOL_METHOD * method)66 static Span<const uint16_t> get_method_versions(
67 const SSL_PROTOCOL_METHOD *method) {
68 return method->is_dtls ? Span<const uint16_t>(kDTLSVersions)
69 : Span<const uint16_t>(kTLSVersions);
70 }
71
ssl_method_supports_version(const SSL_PROTOCOL_METHOD * method,uint16_t version)72 bool ssl_method_supports_version(const SSL_PROTOCOL_METHOD *method,
73 uint16_t version) {
74 for (uint16_t supported : get_method_versions(method)) {
75 if (supported == version) {
76 return true;
77 }
78 }
79 return false;
80 }
81
82 // The following functions map between API versions and wire versions. The
83 // public API works on wire versions.
84
ssl_version_to_string(uint16_t version)85 static const char *ssl_version_to_string(uint16_t version) {
86 switch (version) {
87 case TLS1_3_VERSION:
88 return "TLSv1.3";
89
90 case TLS1_2_VERSION:
91 return "TLSv1.2";
92
93 case TLS1_1_VERSION:
94 return "TLSv1.1";
95
96 case TLS1_VERSION:
97 return "TLSv1";
98
99 case DTLS1_VERSION:
100 return "DTLSv1";
101
102 case DTLS1_2_VERSION:
103 return "DTLSv1.2";
104
105 default:
106 return "unknown";
107 }
108 }
109
wire_version_to_api(uint16_t version)110 static uint16_t wire_version_to_api(uint16_t version) {
111 return version;
112 }
113
114 // api_version_to_wire maps |version| to some representative wire version.
api_version_to_wire(uint16_t * out,uint16_t version)115 static bool api_version_to_wire(uint16_t *out, uint16_t version) {
116 // Check it is a real protocol version.
117 uint16_t unused;
118 if (!ssl_protocol_version_from_wire(&unused, version)) {
119 return false;
120 }
121
122 *out = version;
123 return true;
124 }
125
set_version_bound(const SSL_PROTOCOL_METHOD * method,uint16_t * out,uint16_t version)126 static bool set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
127 uint16_t version) {
128 if (!api_version_to_wire(&version, version) ||
129 !ssl_method_supports_version(method, version)) {
130 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_SSL_VERSION);
131 return false;
132 }
133
134 *out = version;
135 return true;
136 }
137
set_min_version(const SSL_PROTOCOL_METHOD * method,uint16_t * out,uint16_t version)138 static bool set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
139 uint16_t version) {
140 // Zero is interpreted as the default minimum version.
141 if (version == 0) {
142 *out = method->is_dtls ? DTLS1_VERSION : TLS1_VERSION;
143 return true;
144 }
145
146 return set_version_bound(method, out, version);
147 }
148
set_max_version(const SSL_PROTOCOL_METHOD * method,uint16_t * out,uint16_t version)149 static bool set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
150 uint16_t version) {
151 // Zero is interpreted as the default maximum version.
152 if (version == 0) {
153 *out = method->is_dtls ? DTLS1_2_VERSION : TLS1_2_VERSION;
154 return true;
155 }
156
157 return set_version_bound(method, out, version);
158 }
159
160 const struct {
161 uint16_t version;
162 uint32_t flag;
163 } kProtocolVersions[] = {
164 {TLS1_VERSION, SSL_OP_NO_TLSv1},
165 {TLS1_1_VERSION, SSL_OP_NO_TLSv1_1},
166 {TLS1_2_VERSION, SSL_OP_NO_TLSv1_2},
167 {TLS1_3_VERSION, SSL_OP_NO_TLSv1_3},
168 };
169
ssl_get_version_range(const SSL_HANDSHAKE * hs,uint16_t * out_min_version,uint16_t * out_max_version)170 bool ssl_get_version_range(const SSL_HANDSHAKE *hs, uint16_t *out_min_version,
171 uint16_t *out_max_version) {
172 // For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but
173 // DTLS 1.0 should be mapped to TLS 1.1.
174 uint32_t options = hs->ssl->options;
175 if (SSL_is_dtls(hs->ssl)) {
176 options &= ~SSL_OP_NO_TLSv1_1;
177 if (options & SSL_OP_NO_DTLSv1) {
178 options |= SSL_OP_NO_TLSv1_1;
179 }
180 }
181
182 uint16_t min_version, max_version;
183 if (!ssl_protocol_version_from_wire(&min_version,
184 hs->config->conf_min_version) ||
185 !ssl_protocol_version_from_wire(&max_version,
186 hs->config->conf_max_version)) {
187 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
188 return false;
189 }
190
191 // QUIC requires TLS 1.3.
192 if (hs->ssl->quic_method && min_version < TLS1_3_VERSION) {
193 min_version = TLS1_3_VERSION;
194 }
195
196 // OpenSSL's API for controlling versions entails blacklisting individual
197 // protocols. This has two problems. First, on the client, the protocol can
198 // only express a contiguous range of versions. Second, a library consumer
199 // trying to set a maximum version cannot disable protocol versions that get
200 // added in a future version of the library.
201 //
202 // To account for both of these, OpenSSL interprets the client-side bitmask
203 // as a min/max range by picking the lowest contiguous non-empty range of
204 // enabled protocols. Note that this means it is impossible to set a maximum
205 // version of the higest supported TLS version in a future-proof way.
206 bool any_enabled = false;
207 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kProtocolVersions); i++) {
208 // Only look at the versions already enabled.
209 if (min_version > kProtocolVersions[i].version) {
210 continue;
211 }
212 if (max_version < kProtocolVersions[i].version) {
213 break;
214 }
215
216 if (!(options & kProtocolVersions[i].flag)) {
217 // The minimum version is the first enabled version.
218 if (!any_enabled) {
219 any_enabled = true;
220 min_version = kProtocolVersions[i].version;
221 }
222 continue;
223 }
224
225 // If there is a disabled version after the first enabled one, all versions
226 // after it are implicitly disabled.
227 if (any_enabled) {
228 max_version = kProtocolVersions[i-1].version;
229 break;
230 }
231 }
232
233 if (!any_enabled) {
234 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SUPPORTED_VERSIONS_ENABLED);
235 return false;
236 }
237
238 *out_min_version = min_version;
239 *out_max_version = max_version;
240 return true;
241 }
242
ssl_version(const SSL * ssl)243 static uint16_t ssl_version(const SSL *ssl) {
244 // In early data, we report the predicted version.
245 if (SSL_in_early_data(ssl) && !ssl->server) {
246 return ssl->s3->hs->early_session->ssl_version;
247 }
248 return ssl->version;
249 }
250
ssl_protocol_version(const SSL * ssl)251 uint16_t ssl_protocol_version(const SSL *ssl) {
252 assert(ssl->s3->have_version);
253 uint16_t version;
254 if (!ssl_protocol_version_from_wire(&version, ssl->version)) {
255 // |ssl->version| will always be set to a valid version.
256 assert(0);
257 return 0;
258 }
259
260 return version;
261 }
262
ssl_supports_version(SSL_HANDSHAKE * hs,uint16_t version)263 bool ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version) {
264 SSL *const ssl = hs->ssl;
265 uint16_t protocol_version;
266 if (!ssl_method_supports_version(ssl->method, version) ||
267 !ssl_protocol_version_from_wire(&protocol_version, version) ||
268 hs->min_version > protocol_version ||
269 protocol_version > hs->max_version) {
270 return false;
271 }
272
273 return true;
274 }
275
ssl_add_supported_versions(SSL_HANDSHAKE * hs,CBB * cbb)276 bool ssl_add_supported_versions(SSL_HANDSHAKE *hs, CBB *cbb) {
277 for (uint16_t version : get_method_versions(hs->ssl->method)) {
278 if (ssl_supports_version(hs, version) &&
279 !CBB_add_u16(cbb, version)) {
280 return false;
281 }
282 }
283 return true;
284 }
285
ssl_negotiate_version(SSL_HANDSHAKE * hs,uint8_t * out_alert,uint16_t * out_version,const CBS * peer_versions)286 bool ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
287 uint16_t *out_version, const CBS *peer_versions) {
288 for (uint16_t version : get_method_versions(hs->ssl->method)) {
289 if (!ssl_supports_version(hs, version)) {
290 continue;
291 }
292
293 // JDK 11, prior to 11.0.2, has a buggy TLS 1.3 implementation which fails
294 // to send SNI when offering 1.3 sessions. Disable TLS 1.3 for such
295 // clients. We apply this logic here rather than |ssl_supports_version| so
296 // the downgrade signal continues to query the true capabilities. (The
297 // workaround is a limitation of the peer's capabilities rather than our
298 // own.)
299 //
300 // See https://bugs.openjdk.java.net/browse/JDK-8211806.
301 if (version == TLS1_3_VERSION && hs->apply_jdk11_workaround) {
302 continue;
303 }
304
305 CBS copy = *peer_versions;
306 while (CBS_len(©) != 0) {
307 uint16_t peer_version;
308 if (!CBS_get_u16(©, &peer_version)) {
309 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
310 *out_alert = SSL_AD_DECODE_ERROR;
311 return false;
312 }
313
314 if (peer_version == version) {
315 *out_version = version;
316 return true;
317 }
318 }
319 }
320
321 OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);
322 *out_alert = SSL_AD_PROTOCOL_VERSION;
323 return false;
324 }
325
326 BSSL_NAMESPACE_END
327
328 using namespace bssl;
329
SSL_CTX_set_min_proto_version(SSL_CTX * ctx,uint16_t version)330 int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) {
331 return set_min_version(ctx->method, &ctx->conf_min_version, version);
332 }
333
SSL_CTX_set_max_proto_version(SSL_CTX * ctx,uint16_t version)334 int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) {
335 return set_max_version(ctx->method, &ctx->conf_max_version, version);
336 }
337
SSL_CTX_get_min_proto_version(const SSL_CTX * ctx)338 uint16_t SSL_CTX_get_min_proto_version(const SSL_CTX *ctx) {
339 return ctx->conf_min_version;
340 }
341
SSL_CTX_get_max_proto_version(const SSL_CTX * ctx)342 uint16_t SSL_CTX_get_max_proto_version(const SSL_CTX *ctx) {
343 return ctx->conf_max_version;
344 }
345
SSL_set_min_proto_version(SSL * ssl,uint16_t version)346 int SSL_set_min_proto_version(SSL *ssl, uint16_t version) {
347 if (!ssl->config) {
348 return 0;
349 }
350 return set_min_version(ssl->method, &ssl->config->conf_min_version, version);
351 }
352
SSL_set_max_proto_version(SSL * ssl,uint16_t version)353 int SSL_set_max_proto_version(SSL *ssl, uint16_t version) {
354 if (!ssl->config) {
355 return 0;
356 }
357 return set_max_version(ssl->method, &ssl->config->conf_max_version, version);
358 }
359
SSL_get_min_proto_version(const SSL * ssl)360 uint16_t SSL_get_min_proto_version(const SSL *ssl) {
361 if (!ssl->config) {
362 return 0;
363 }
364 return ssl->config->conf_min_version;
365 }
366
SSL_get_max_proto_version(const SSL * ssl)367 uint16_t SSL_get_max_proto_version(const SSL *ssl) {
368 if (!ssl->config) {
369 return 0;
370 }
371 return ssl->config->conf_max_version;
372 }
373
SSL_version(const SSL * ssl)374 int SSL_version(const SSL *ssl) {
375 return wire_version_to_api(ssl_version(ssl));
376 }
377
SSL_get_version(const SSL * ssl)378 const char *SSL_get_version(const SSL *ssl) {
379 return ssl_version_to_string(ssl_version(ssl));
380 }
381
SSL_SESSION_get_version(const SSL_SESSION * session)382 const char *SSL_SESSION_get_version(const SSL_SESSION *session) {
383 return ssl_version_to_string(session->ssl_version);
384 }
385
SSL_SESSION_get_protocol_version(const SSL_SESSION * session)386 uint16_t SSL_SESSION_get_protocol_version(const SSL_SESSION *session) {
387 return wire_version_to_api(session->ssl_version);
388 }
389
SSL_SESSION_set_protocol_version(SSL_SESSION * session,uint16_t version)390 int SSL_SESSION_set_protocol_version(SSL_SESSION *session, uint16_t version) {
391 // This picks a representative TLS 1.3 version, but this API should only be
392 // used on unit test sessions anyway.
393 return api_version_to_wire(&session->ssl_version, version);
394 }
395