1 /* Copyright (c) 2017, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/ssl.h>
16
17 #include <assert.h>
18
19 #include <algorithm>
20
21 #include <openssl/bytestring.h>
22 #include <openssl/err.h>
23 #include <openssl/span.h>
24
25 #include "../crypto/internal.h"
26 #include "internal.h"
27
28
29 BSSL_NAMESPACE_BEGIN
30
ssl_protocol_version_from_wire(uint16_t * out,uint16_t version)31 bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {
32 switch (version) {
33 case TLS1_VERSION:
34 case TLS1_1_VERSION:
35 case TLS1_2_VERSION:
36 case TLS1_3_VERSION:
37 *out = version;
38 return true;
39
40 case DTLS1_VERSION:
41 // DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0.
42 *out = TLS1_1_VERSION;
43 return true;
44
45 case DTLS1_2_VERSION:
46 *out = TLS1_2_VERSION;
47 return true;
48
49 case DTLS1_3_EXPERIMENTAL_VERSION:
50 *out = TLS1_3_VERSION;
51 return true;
52
53 default:
54 return false;
55 }
56 }
57
58 // The follow arrays are the supported versions for TLS and DTLS, in order of
59 // decreasing preference.
60
61 static const uint16_t kTLSVersions[] = {
62 TLS1_3_VERSION,
63 TLS1_2_VERSION,
64 TLS1_1_VERSION,
65 TLS1_VERSION,
66 };
67
68 static const uint16_t kDTLSVersions[] = {
69 DTLS1_3_EXPERIMENTAL_VERSION,
70 DTLS1_2_VERSION,
71 DTLS1_VERSION,
72 };
73
get_method_versions(const SSL_PROTOCOL_METHOD * method)74 static Span<const uint16_t> get_method_versions(
75 const SSL_PROTOCOL_METHOD *method) {
76 return method->is_dtls ? Span<const uint16_t>(kDTLSVersions)
77 : Span<const uint16_t>(kTLSVersions);
78 }
79
ssl_method_supports_version(const SSL_PROTOCOL_METHOD * method,uint16_t version)80 bool ssl_method_supports_version(const SSL_PROTOCOL_METHOD *method,
81 uint16_t version) {
82 for (uint16_t supported : get_method_versions(method)) {
83 if (supported == version) {
84 return true;
85 }
86 }
87 return false;
88 }
89
90 // The following functions map between API versions and wire versions. The
91 // public API works on wire versions.
92
93 static const char *kUnknownVersion = "unknown";
94
95 struct VersionInfo {
96 uint16_t version;
97 const char *name;
98 };
99
100 static const VersionInfo kVersionNames[] = {
101 {TLS1_3_VERSION, "TLSv1.3"},
102 {TLS1_2_VERSION, "TLSv1.2"},
103 {TLS1_1_VERSION, "TLSv1.1"},
104 {TLS1_VERSION, "TLSv1"},
105 {DTLS1_VERSION, "DTLSv1"},
106 {DTLS1_2_VERSION, "DTLSv1.2"},
107 {DTLS1_3_EXPERIMENTAL_VERSION, "DTLSv1.3"},
108 };
109
ssl_version_to_string(uint16_t version)110 static const char *ssl_version_to_string(uint16_t version) {
111 for (const auto &v : kVersionNames) {
112 if (v.version == version) {
113 return v.name;
114 }
115 }
116 return kUnknownVersion;
117 }
118
wire_version_to_api(uint16_t version)119 static uint16_t wire_version_to_api(uint16_t version) { return version; }
120
121 // api_version_to_wire maps |version| to some representative wire version.
api_version_to_wire(uint16_t * out,uint16_t version)122 static bool api_version_to_wire(uint16_t *out, uint16_t version) {
123 // Check it is a real protocol version.
124 uint16_t unused;
125 if (!ssl_protocol_version_from_wire(&unused, version)) {
126 return false;
127 }
128
129 *out = version;
130 return true;
131 }
132
set_version_bound(const SSL_PROTOCOL_METHOD * method,uint16_t * out,uint16_t version)133 static bool set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
134 uint16_t version) {
135 if (!api_version_to_wire(&version, version) ||
136 !ssl_method_supports_version(method, version)) {
137 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_SSL_VERSION);
138 return false;
139 }
140
141 *out = version;
142 return true;
143 }
144
set_min_version(const SSL_PROTOCOL_METHOD * method,uint16_t * out,uint16_t version)145 static bool set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
146 uint16_t version) {
147 // Zero is interpreted as the default minimum version.
148 if (version == 0) {
149 *out = method->is_dtls ? DTLS1_2_VERSION : TLS1_2_VERSION;
150 return true;
151 }
152
153 return set_version_bound(method, out, version);
154 }
155
set_max_version(const SSL_PROTOCOL_METHOD * method,uint16_t * out,uint16_t version)156 static bool set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
157 uint16_t version) {
158 // Zero is interpreted as the default maximum version.
159 if (version == 0) {
160 *out = method->is_dtls ? DTLS1_2_VERSION : TLS1_3_VERSION;
161 return true;
162 }
163
164 return set_version_bound(method, out, version);
165 }
166
167 const struct {
168 uint16_t version;
169 uint32_t flag;
170 } kProtocolVersions[] = {
171 {TLS1_VERSION, SSL_OP_NO_TLSv1},
172 {TLS1_1_VERSION, SSL_OP_NO_TLSv1_1},
173 {TLS1_2_VERSION, SSL_OP_NO_TLSv1_2},
174 {TLS1_3_VERSION, SSL_OP_NO_TLSv1_3},
175 };
176
ssl_get_version_range(const SSL_HANDSHAKE * hs,uint16_t * out_min_version,uint16_t * out_max_version)177 bool ssl_get_version_range(const SSL_HANDSHAKE *hs, uint16_t *out_min_version,
178 uint16_t *out_max_version) {
179 // For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but
180 // DTLS 1.0 should be mapped to TLS 1.1.
181 uint32_t options = hs->ssl->options;
182 if (SSL_is_dtls(hs->ssl)) {
183 options &= ~SSL_OP_NO_TLSv1_1;
184 if (options & SSL_OP_NO_DTLSv1) {
185 options |= SSL_OP_NO_TLSv1_1;
186 }
187 }
188
189 uint16_t min_version, max_version;
190 if (!ssl_protocol_version_from_wire(&min_version,
191 hs->config->conf_min_version) ||
192 !ssl_protocol_version_from_wire(&max_version,
193 hs->config->conf_max_version)) {
194 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
195 return false;
196 }
197
198 // QUIC requires TLS 1.3.
199 if (hs->ssl->quic_method && min_version < TLS1_3_VERSION) {
200 min_version = TLS1_3_VERSION;
201 }
202
203 // The |SSL_OP_NO_*| flags disable individual protocols. This has two
204 // problems. First, prior to TLS 1.3, the protocol can only express a
205 // contiguous range of versions. Second, a library consumer trying to set a
206 // maximum version cannot disable protocol versions that get added in a future
207 // version of the library.
208 //
209 // To account for both of these, OpenSSL interprets the client-side bitmask
210 // as a min/max range by picking the lowest contiguous non-empty range of
211 // enabled protocols. Note that this means it is impossible to set a maximum
212 // version of the higest supported TLS version in a future-proof way.
213 bool any_enabled = false;
214 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kProtocolVersions); i++) {
215 // Only look at the versions already enabled.
216 if (min_version > kProtocolVersions[i].version) {
217 continue;
218 }
219 if (max_version < kProtocolVersions[i].version) {
220 break;
221 }
222
223 if (!(options & kProtocolVersions[i].flag)) {
224 // The minimum version is the first enabled version.
225 if (!any_enabled) {
226 any_enabled = true;
227 min_version = kProtocolVersions[i].version;
228 }
229 continue;
230 }
231
232 // If there is a disabled version after the first enabled one, all versions
233 // after it are implicitly disabled.
234 if (any_enabled) {
235 max_version = kProtocolVersions[i - 1].version;
236 break;
237 }
238 }
239
240 if (!any_enabled) {
241 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SUPPORTED_VERSIONS_ENABLED);
242 return false;
243 }
244
245 *out_min_version = min_version;
246 *out_max_version = max_version;
247 return true;
248 }
249
ssl_version(const SSL * ssl)250 static uint16_t ssl_version(const SSL *ssl) {
251 // In early data, we report the predicted version. Note it is possible that we
252 // have a predicted version and a *different* true version. This means 0-RTT
253 // has been rejected, but until the reject has reported to the application and
254 // applied with |SSL_reset_early_data_reject|, we continue reporting a
255 // self-consistent connection.
256 if (SSL_in_early_data(ssl) && !ssl->server) {
257 return ssl->s3->hs->early_session->ssl_version;
258 }
259 if (ssl->s3->version != 0) {
260 return ssl->s3->version;
261 }
262 // The TLS versions has not yet been negotiated. Historically, we would return
263 // (D)TLS 1.2, so preserve that behavior.
264 return SSL_is_dtls(ssl) ? DTLS1_2_VERSION : TLS1_2_VERSION;
265 }
266
ssl_has_final_version(const SSL * ssl)267 bool ssl_has_final_version(const SSL *ssl) {
268 return ssl->s3->version != 0 &&
269 (ssl->s3->hs == nullptr || !ssl->s3->hs->is_early_version);
270 }
271
ssl_protocol_version(const SSL * ssl)272 uint16_t ssl_protocol_version(const SSL *ssl) {
273 assert(ssl->s3->version != 0);
274 uint16_t version;
275 if (!ssl_protocol_version_from_wire(&version, ssl->s3->version)) {
276 // |ssl->s3->version| will always be set to a valid version.
277 assert(0);
278 return 0;
279 }
280
281 return version;
282 }
283
ssl_supports_version(const SSL_HANDSHAKE * hs,uint16_t version)284 bool ssl_supports_version(const SSL_HANDSHAKE *hs, uint16_t version) {
285 const SSL *const ssl = hs->ssl;
286 uint16_t protocol_version;
287 if (!ssl_method_supports_version(ssl->method, version) ||
288 !ssl_protocol_version_from_wire(&protocol_version, version) ||
289 hs->min_version > protocol_version ||
290 protocol_version > hs->max_version) {
291 return false;
292 }
293
294 return true;
295 }
296
ssl_add_supported_versions(const SSL_HANDSHAKE * hs,CBB * cbb,uint16_t extra_min_version)297 bool ssl_add_supported_versions(const SSL_HANDSHAKE *hs, CBB *cbb,
298 uint16_t extra_min_version) {
299 for (uint16_t version : get_method_versions(hs->ssl->method)) {
300 uint16_t protocol_version;
301 if (ssl_supports_version(hs, version) &&
302 ssl_protocol_version_from_wire(&protocol_version, version) &&
303 protocol_version >= extra_min_version && //
304 !CBB_add_u16(cbb, version)) {
305 return false;
306 }
307 }
308 return true;
309 }
310
ssl_negotiate_version(SSL_HANDSHAKE * hs,uint8_t * out_alert,uint16_t * out_version,const CBS * peer_versions)311 bool ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
312 uint16_t *out_version, const CBS *peer_versions) {
313 for (uint16_t version : get_method_versions(hs->ssl->method)) {
314 if (!ssl_supports_version(hs, version)) {
315 continue;
316 }
317
318 // JDK 11, prior to 11.0.2, has a buggy TLS 1.3 implementation which fails
319 // to send SNI when offering 1.3 sessions. Disable TLS 1.3 for such
320 // clients. We apply this logic here rather than |ssl_supports_version| so
321 // the downgrade signal continues to query the true capabilities. (The
322 // workaround is a limitation of the peer's capabilities rather than our
323 // own.)
324 //
325 // See https://bugs.openjdk.java.net/browse/JDK-8211806.
326 if (version == TLS1_3_VERSION && hs->apply_jdk11_workaround) {
327 continue;
328 }
329
330 CBS copy = *peer_versions;
331 while (CBS_len(©) != 0) {
332 uint16_t peer_version;
333 if (!CBS_get_u16(©, &peer_version)) {
334 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
335 *out_alert = SSL_AD_DECODE_ERROR;
336 return false;
337 }
338
339 if (peer_version == version) {
340 *out_version = version;
341 return true;
342 }
343 }
344 }
345
346 OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);
347 *out_alert = SSL_AD_PROTOCOL_VERSION;
348 return false;
349 }
350
351 BSSL_NAMESPACE_END
352
353 using namespace bssl;
354
SSL_CTX_set_min_proto_version(SSL_CTX * ctx,uint16_t version)355 int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) {
356 return set_min_version(ctx->method, &ctx->conf_min_version, version);
357 }
358
SSL_CTX_set_max_proto_version(SSL_CTX * ctx,uint16_t version)359 int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) {
360 return set_max_version(ctx->method, &ctx->conf_max_version, version);
361 }
362
SSL_CTX_get_min_proto_version(const SSL_CTX * ctx)363 uint16_t SSL_CTX_get_min_proto_version(const SSL_CTX *ctx) {
364 return ctx->conf_min_version;
365 }
366
SSL_CTX_get_max_proto_version(const SSL_CTX * ctx)367 uint16_t SSL_CTX_get_max_proto_version(const SSL_CTX *ctx) {
368 return ctx->conf_max_version;
369 }
370
SSL_set_min_proto_version(SSL * ssl,uint16_t version)371 int SSL_set_min_proto_version(SSL *ssl, uint16_t version) {
372 if (!ssl->config) {
373 return 0;
374 }
375 return set_min_version(ssl->method, &ssl->config->conf_min_version, version);
376 }
377
SSL_set_max_proto_version(SSL * ssl,uint16_t version)378 int SSL_set_max_proto_version(SSL *ssl, uint16_t version) {
379 if (!ssl->config) {
380 return 0;
381 }
382 return set_max_version(ssl->method, &ssl->config->conf_max_version, version);
383 }
384
SSL_get_min_proto_version(const SSL * ssl)385 uint16_t SSL_get_min_proto_version(const SSL *ssl) {
386 if (!ssl->config) {
387 return 0;
388 }
389 return ssl->config->conf_min_version;
390 }
391
SSL_get_max_proto_version(const SSL * ssl)392 uint16_t SSL_get_max_proto_version(const SSL *ssl) {
393 if (!ssl->config) {
394 return 0;
395 }
396 return ssl->config->conf_max_version;
397 }
398
SSL_version(const SSL * ssl)399 int SSL_version(const SSL *ssl) {
400 return wire_version_to_api(ssl_version(ssl));
401 }
402
SSL_get_version(const SSL * ssl)403 const char *SSL_get_version(const SSL *ssl) {
404 return ssl_version_to_string(ssl_version(ssl));
405 }
406
SSL_get_all_version_names(const char ** out,size_t max_out)407 size_t SSL_get_all_version_names(const char **out, size_t max_out) {
408 return GetAllNames(out, max_out, MakeConstSpan(&kUnknownVersion, 1),
409 &VersionInfo::name, MakeConstSpan(kVersionNames));
410 }
411
SSL_SESSION_get_version(const SSL_SESSION * session)412 const char *SSL_SESSION_get_version(const SSL_SESSION *session) {
413 return ssl_version_to_string(session->ssl_version);
414 }
415
SSL_SESSION_get_protocol_version(const SSL_SESSION * session)416 uint16_t SSL_SESSION_get_protocol_version(const SSL_SESSION *session) {
417 return wire_version_to_api(session->ssl_version);
418 }
419
SSL_SESSION_set_protocol_version(SSL_SESSION * session,uint16_t version)420 int SSL_SESSION_set_protocol_version(SSL_SESSION *session, uint16_t version) {
421 // This picks a representative TLS 1.3 version, but this API should only be
422 // used on unit test sessions anyway.
423 return api_version_to_wire(&session->ssl_version, version);
424 }
425
SSL_CTX_set_record_protocol_version(SSL_CTX * ctx,int version)426 int SSL_CTX_set_record_protocol_version(SSL_CTX *ctx, int version) {
427 return version == 0;
428 }
429