• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* Copyright (c) 2017, Google Inc.
2  *
3  * Permission to use, copy, modify, and/or distribute this software for any
4  * purpose with or without fee is hereby granted, provided that the above
5  * copyright notice and this permission notice appear in all copies.
6  *
7  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14 
15 #include <openssl/ssl.h>
16 
17 #include <assert.h>
18 
19 #include <openssl/bytestring.h>
20 #include <openssl/err.h>
21 
22 #include "internal.h"
23 #include "../crypto/internal.h"
24 
25 
26 namespace bssl {
27 
ssl_protocol_version_from_wire(uint16_t * out,uint16_t version)28 bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {
29   switch (version) {
30     case SSL3_VERSION:
31     case TLS1_VERSION:
32     case TLS1_1_VERSION:
33     case TLS1_2_VERSION:
34       *out = version;
35       return true;
36 
37     case TLS1_3_DRAFT23_VERSION:
38       *out = TLS1_3_VERSION;
39       return true;
40 
41     case DTLS1_VERSION:
42       // DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0.
43       *out = TLS1_1_VERSION;
44       return true;
45 
46     case DTLS1_2_VERSION:
47       *out = TLS1_2_VERSION;
48       return true;
49 
50     default:
51       return false;
52   }
53 }
54 
55 // The follow arrays are the supported versions for TLS and DTLS, in order of
56 // decreasing preference.
57 
58 static const uint16_t kTLSVersions[] = {
59     TLS1_3_DRAFT23_VERSION,
60     TLS1_2_VERSION,
61     TLS1_1_VERSION,
62     TLS1_VERSION,
63     SSL3_VERSION,
64 };
65 
66 static const uint16_t kDTLSVersions[] = {
67     DTLS1_2_VERSION,
68     DTLS1_VERSION,
69 };
70 
get_method_versions(const SSL_PROTOCOL_METHOD * method,const uint16_t ** out,size_t * out_num)71 static void get_method_versions(const SSL_PROTOCOL_METHOD *method,
72                                 const uint16_t **out, size_t *out_num) {
73   if (method->is_dtls) {
74     *out = kDTLSVersions;
75     *out_num = OPENSSL_ARRAY_SIZE(kDTLSVersions);
76   } else {
77     *out = kTLSVersions;
78     *out_num = OPENSSL_ARRAY_SIZE(kTLSVersions);
79   }
80 }
81 
method_supports_version(const SSL_PROTOCOL_METHOD * method,uint16_t version)82 static bool method_supports_version(const SSL_PROTOCOL_METHOD *method,
83                                     uint16_t version) {
84   const uint16_t *versions;
85   size_t num_versions;
86   get_method_versions(method, &versions, &num_versions);
87   for (size_t i = 0; i < num_versions; i++) {
88     if (versions[i] == version) {
89       return true;
90     }
91   }
92   return false;
93 }
94 
95 // The following functions map between API versions and wire versions. The
96 // public API works on wire versions, except that TLS 1.3 draft versions all
97 // appear as TLS 1.3. This will get collapsed back down when TLS 1.3 is
98 // finalized.
99 
ssl_version_to_string(uint16_t version)100 static const char *ssl_version_to_string(uint16_t version) {
101   switch (version) {
102     case TLS1_3_DRAFT23_VERSION:
103       return "TLSv1.3";
104 
105     case TLS1_2_VERSION:
106       return "TLSv1.2";
107 
108     case TLS1_1_VERSION:
109       return "TLSv1.1";
110 
111     case TLS1_VERSION:
112       return "TLSv1";
113 
114     case SSL3_VERSION:
115       return "SSLv3";
116 
117     case DTLS1_VERSION:
118       return "DTLSv1";
119 
120     case DTLS1_2_VERSION:
121       return "DTLSv1.2";
122 
123     default:
124       return "unknown";
125   }
126 }
127 
wire_version_to_api(uint16_t version)128 static uint16_t wire_version_to_api(uint16_t version) {
129   switch (version) {
130     // Report TLS 1.3 draft versions as TLS 1.3 in the public API.
131     case TLS1_3_DRAFT23_VERSION:
132       return TLS1_3_VERSION;
133     default:
134       return version;
135   }
136 }
137 
138 // api_version_to_wire maps |version| to some representative wire version. In
139 // particular, it picks an arbitrary TLS 1.3 representative. This should only be
140 // used in context where that does not matter.
api_version_to_wire(uint16_t * out,uint16_t version)141 static bool api_version_to_wire(uint16_t *out, uint16_t version) {
142   if (version == TLS1_3_DRAFT23_VERSION) {
143     return false;
144   }
145   if (version == TLS1_3_VERSION) {
146     version = TLS1_3_DRAFT23_VERSION;
147   }
148 
149   // Check it is a real protocol version.
150   uint16_t unused;
151   if (!ssl_protocol_version_from_wire(&unused, version)) {
152     return false;
153   }
154 
155   *out = version;
156   return true;
157 }
158 
set_version_bound(const SSL_PROTOCOL_METHOD * method,uint16_t * out,uint16_t version)159 static bool set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
160                               uint16_t version) {
161   if (!api_version_to_wire(&version, version) ||
162       !method_supports_version(method, version) ||
163       !ssl_protocol_version_from_wire(out, version)) {
164     OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_SSL_VERSION);
165     return false;
166   }
167 
168   return true;
169 }
170 
set_min_version(const SSL_PROTOCOL_METHOD * method,uint16_t * out,uint16_t version)171 static bool set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
172                             uint16_t version) {
173   // Zero is interpreted as the default minimum version.
174   if (version == 0) {
175     // SSL 3.0 is disabled by default and TLS 1.0 does not exist in DTLS.
176     *out = method->is_dtls ? TLS1_1_VERSION : TLS1_VERSION;
177     return true;
178   }
179 
180   return set_version_bound(method, out, version);
181 }
182 
set_max_version(const SSL_PROTOCOL_METHOD * method,uint16_t * out,uint16_t version)183 static bool set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
184                             uint16_t version) {
185   // Zero is interpreted as the default maximum version.
186   if (version == 0) {
187     *out = TLS1_2_VERSION;
188     return true;
189   }
190 
191   return set_version_bound(method, out, version);
192 }
193 
194 const struct {
195   uint16_t version;
196   uint32_t flag;
197 } kProtocolVersions[] = {
198     {SSL3_VERSION, SSL_OP_NO_SSLv3},
199     {TLS1_VERSION, SSL_OP_NO_TLSv1},
200     {TLS1_1_VERSION, SSL_OP_NO_TLSv1_1},
201     {TLS1_2_VERSION, SSL_OP_NO_TLSv1_2},
202     {TLS1_3_VERSION, SSL_OP_NO_TLSv1_3},
203 };
204 
ssl_get_version_range(const SSL * ssl,uint16_t * out_min_version,uint16_t * out_max_version)205 bool ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version,
206                            uint16_t *out_max_version) {
207   // For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but
208   // DTLS 1.0 should be mapped to TLS 1.1.
209   uint32_t options = ssl->options;
210   if (SSL_is_dtls(ssl)) {
211     options &= ~SSL_OP_NO_TLSv1_1;
212     if (options & SSL_OP_NO_DTLSv1) {
213       options |= SSL_OP_NO_TLSv1_1;
214     }
215   }
216 
217   uint16_t min_version = ssl->conf_min_version;
218   uint16_t max_version = ssl->conf_max_version;
219 
220   // OpenSSL's API for controlling versions entails blacklisting individual
221   // protocols. This has two problems. First, on the client, the protocol can
222   // only express a contiguous range of versions. Second, a library consumer
223   // trying to set a maximum version cannot disable protocol versions that get
224   // added in a future version of the library.
225   //
226   // To account for both of these, OpenSSL interprets the client-side bitmask
227   // as a min/max range by picking the lowest contiguous non-empty range of
228   // enabled protocols. Note that this means it is impossible to set a maximum
229   // version of the higest supported TLS version in a future-proof way.
230   bool any_enabled = false;
231   for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kProtocolVersions); i++) {
232     // Only look at the versions already enabled.
233     if (min_version > kProtocolVersions[i].version) {
234       continue;
235     }
236     if (max_version < kProtocolVersions[i].version) {
237       break;
238     }
239 
240     if (!(options & kProtocolVersions[i].flag)) {
241       // The minimum version is the first enabled version.
242       if (!any_enabled) {
243         any_enabled = true;
244         min_version = kProtocolVersions[i].version;
245       }
246       continue;
247     }
248 
249     // If there is a disabled version after the first enabled one, all versions
250     // after it are implicitly disabled.
251     if (any_enabled) {
252       max_version = kProtocolVersions[i-1].version;
253       break;
254     }
255   }
256 
257   if (!any_enabled) {
258     OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SUPPORTED_VERSIONS_ENABLED);
259     return false;
260   }
261 
262   *out_min_version = min_version;
263   *out_max_version = max_version;
264   return true;
265 }
266 
ssl_version(const SSL * ssl)267 static uint16_t ssl_version(const SSL *ssl) {
268   // In early data, we report the predicted version.
269   if (SSL_in_early_data(ssl) && !ssl->server) {
270     return ssl->s3->hs->early_session->ssl_version;
271   }
272   return ssl->version;
273 }
274 
ssl_protocol_version(const SSL * ssl)275 uint16_t ssl_protocol_version(const SSL *ssl) {
276   assert(ssl->s3->have_version);
277   uint16_t version;
278   if (!ssl_protocol_version_from_wire(&version, ssl->version)) {
279     // |ssl->version| will always be set to a valid version.
280     assert(0);
281     return 0;
282   }
283 
284   return version;
285 }
286 
ssl_supports_version(SSL_HANDSHAKE * hs,uint16_t version)287 bool ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version) {
288   SSL *const ssl = hs->ssl;
289   uint16_t protocol_version;
290   if (!method_supports_version(ssl->method, version) ||
291       !ssl_protocol_version_from_wire(&protocol_version, version) ||
292       hs->min_version > protocol_version ||
293       protocol_version > hs->max_version) {
294     return false;
295   }
296 
297   // This logic is part of the TLS 1.3 variants mechanism used in TLS 1.3
298   // experimentation. Although we currently only have one variant, TLS 1.3 does
299   // not a final stable deployment yet, so leave the logic in place for now.
300   if (protocol_version != TLS1_3_VERSION ||
301       (ssl->tls13_variant == tls13_default &&
302        version == TLS1_3_DRAFT23_VERSION)) {
303     return true;
304   }
305 
306   // The server, when not configured at |tls13_default|, should additionally
307   // enable all variants.
308   if (ssl->server && ssl->tls13_variant != tls13_default) {
309     return true;
310   }
311 
312   return false;
313 }
314 
ssl_add_supported_versions(SSL_HANDSHAKE * hs,CBB * cbb)315 bool ssl_add_supported_versions(SSL_HANDSHAKE *hs, CBB *cbb) {
316   const uint16_t *versions;
317   size_t num_versions;
318   get_method_versions(hs->ssl->method, &versions, &num_versions);
319   for (size_t i = 0; i < num_versions; i++) {
320     if (ssl_supports_version(hs, versions[i]) &&
321         !CBB_add_u16(cbb, versions[i])) {
322       return false;
323     }
324   }
325   return true;
326 }
327 
ssl_negotiate_version(SSL_HANDSHAKE * hs,uint8_t * out_alert,uint16_t * out_version,const CBS * peer_versions)328 bool ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
329                            uint16_t *out_version, const CBS *peer_versions) {
330   const uint16_t *versions;
331   size_t num_versions;
332   get_method_versions(hs->ssl->method, &versions, &num_versions);
333   for (size_t i = 0; i < num_versions; i++) {
334     if (!ssl_supports_version(hs, versions[i])) {
335       continue;
336     }
337 
338     CBS copy = *peer_versions;
339     while (CBS_len(&copy) != 0) {
340       uint16_t version;
341       if (!CBS_get_u16(&copy, &version)) {
342         OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
343         *out_alert = SSL_AD_DECODE_ERROR;
344         return false;
345       }
346 
347       if (version == versions[i]) {
348         *out_version = version;
349         return true;
350       }
351     }
352   }
353 
354   OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);
355   *out_alert = SSL_AD_PROTOCOL_VERSION;
356   return false;
357 }
358 
359 }  // namespace bssl
360 
361 using namespace bssl;
362 
SSL_CTX_set_min_proto_version(SSL_CTX * ctx,uint16_t version)363 int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) {
364   return set_min_version(ctx->method, &ctx->conf_min_version, version);
365 }
366 
SSL_CTX_set_max_proto_version(SSL_CTX * ctx,uint16_t version)367 int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) {
368   return set_max_version(ctx->method, &ctx->conf_max_version, version);
369 }
370 
SSL_set_min_proto_version(SSL * ssl,uint16_t version)371 int SSL_set_min_proto_version(SSL *ssl, uint16_t version) {
372   return set_min_version(ssl->method, &ssl->conf_min_version, version);
373 }
374 
SSL_set_max_proto_version(SSL * ssl,uint16_t version)375 int SSL_set_max_proto_version(SSL *ssl, uint16_t version) {
376   return set_max_version(ssl->method, &ssl->conf_max_version, version);
377 }
378 
SSL_version(const SSL * ssl)379 int SSL_version(const SSL *ssl) {
380   return wire_version_to_api(ssl_version(ssl));
381 }
382 
SSL_get_version(const SSL * ssl)383 const char *SSL_get_version(const SSL *ssl) {
384   return ssl_version_to_string(ssl_version(ssl));
385 }
386 
SSL_SESSION_get_version(const SSL_SESSION * session)387 const char *SSL_SESSION_get_version(const SSL_SESSION *session) {
388   return ssl_version_to_string(session->ssl_version);
389 }
390 
SSL_SESSION_get_protocol_version(const SSL_SESSION * session)391 uint16_t SSL_SESSION_get_protocol_version(const SSL_SESSION *session) {
392   return wire_version_to_api(session->ssl_version);
393 }
394 
SSL_SESSION_set_protocol_version(SSL_SESSION * session,uint16_t version)395 int SSL_SESSION_set_protocol_version(SSL_SESSION *session, uint16_t version) {
396   // This picks a representative TLS 1.3 version, but this API should only be
397   // used on unit test sessions anyway.
398   return api_version_to_wire(&session->ssl_version, version);
399 }
400