1 /* Copyright (c) 2017, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/ssl.h>
16
17 #include <assert.h>
18
19 #include <algorithm>
20
21 #include <openssl/bytestring.h>
22 #include <openssl/err.h>
23 #include <openssl/span.h>
24
25 #include "internal.h"
26 #include "../crypto/internal.h"
27
28
29 BSSL_NAMESPACE_BEGIN
30
ssl_protocol_version_from_wire(uint16_t * out,uint16_t version)31 bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {
32 switch (version) {
33 case TLS1_VERSION:
34 case TLS1_1_VERSION:
35 case TLS1_2_VERSION:
36 case TLS1_3_VERSION:
37 *out = version;
38 return true;
39
40 case DTLS1_VERSION:
41 // DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0.
42 *out = TLS1_1_VERSION;
43 return true;
44
45 case DTLS1_2_VERSION:
46 *out = TLS1_2_VERSION;
47 return true;
48
49 default:
50 return false;
51 }
52 }
53
54 // The follow arrays are the supported versions for TLS and DTLS, in order of
55 // decreasing preference.
56
57 static const uint16_t kTLSVersions[] = {
58 TLS1_3_VERSION,
59 TLS1_2_VERSION,
60 TLS1_1_VERSION,
61 TLS1_VERSION,
62 };
63
64 static const uint16_t kDTLSVersions[] = {
65 DTLS1_2_VERSION,
66 DTLS1_VERSION,
67 };
68
get_method_versions(const SSL_PROTOCOL_METHOD * method)69 static Span<const uint16_t> get_method_versions(
70 const SSL_PROTOCOL_METHOD *method) {
71 return method->is_dtls ? Span<const uint16_t>(kDTLSVersions)
72 : Span<const uint16_t>(kTLSVersions);
73 }
74
ssl_method_supports_version(const SSL_PROTOCOL_METHOD * method,uint16_t version)75 bool ssl_method_supports_version(const SSL_PROTOCOL_METHOD *method,
76 uint16_t version) {
77 for (uint16_t supported : get_method_versions(method)) {
78 if (supported == version) {
79 return true;
80 }
81 }
82 return false;
83 }
84
85 // The following functions map between API versions and wire versions. The
86 // public API works on wire versions.
87
88 static const char* kUnknownVersion = "unknown";
89
90 struct VersionInfo {
91 uint16_t version;
92 const char *name;
93 };
94
95 static const VersionInfo kVersionNames[] = {
96 {TLS1_3_VERSION, "TLSv1.3"},
97 {TLS1_2_VERSION, "TLSv1.2"},
98 {TLS1_1_VERSION, "TLSv1.1"},
99 {TLS1_VERSION, "TLSv1"},
100 {DTLS1_VERSION, "DTLSv1"},
101 {DTLS1_2_VERSION, "DTLSv1.2"},
102 };
103
ssl_version_to_string(uint16_t version)104 static const char *ssl_version_to_string(uint16_t version) {
105 for (const auto &v : kVersionNames) {
106 if (v.version == version) {
107 return v.name;
108 }
109 }
110 return kUnknownVersion;
111 }
112
wire_version_to_api(uint16_t version)113 static uint16_t wire_version_to_api(uint16_t version) {
114 return version;
115 }
116
117 // api_version_to_wire maps |version| to some representative wire version.
api_version_to_wire(uint16_t * out,uint16_t version)118 static bool api_version_to_wire(uint16_t *out, uint16_t version) {
119 // Check it is a real protocol version.
120 uint16_t unused;
121 if (!ssl_protocol_version_from_wire(&unused, version)) {
122 return false;
123 }
124
125 *out = version;
126 return true;
127 }
128
set_version_bound(const SSL_PROTOCOL_METHOD * method,uint16_t * out,uint16_t version)129 static bool set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
130 uint16_t version) {
131 if (!api_version_to_wire(&version, version) ||
132 !ssl_method_supports_version(method, version)) {
133 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_SSL_VERSION);
134 return false;
135 }
136
137 *out = version;
138 return true;
139 }
140
set_min_version(const SSL_PROTOCOL_METHOD * method,uint16_t * out,uint16_t version)141 static bool set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
142 uint16_t version) {
143 // Zero is interpreted as the default minimum version.
144 if (version == 0) {
145 *out = method->is_dtls ? DTLS1_2_VERSION : TLS1_2_VERSION;
146 return true;
147 }
148
149 return set_version_bound(method, out, version);
150 }
151
set_max_version(const SSL_PROTOCOL_METHOD * method,uint16_t * out,uint16_t version)152 static bool set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
153 uint16_t version) {
154 // Zero is interpreted as the default maximum version.
155 if (version == 0) {
156 *out = method->is_dtls ? DTLS1_2_VERSION : TLS1_3_VERSION;
157 return true;
158 }
159
160 return set_version_bound(method, out, version);
161 }
162
163 const struct {
164 uint16_t version;
165 uint32_t flag;
166 } kProtocolVersions[] = {
167 {TLS1_VERSION, SSL_OP_NO_TLSv1},
168 {TLS1_1_VERSION, SSL_OP_NO_TLSv1_1},
169 {TLS1_2_VERSION, SSL_OP_NO_TLSv1_2},
170 {TLS1_3_VERSION, SSL_OP_NO_TLSv1_3},
171 };
172
ssl_get_version_range(const SSL_HANDSHAKE * hs,uint16_t * out_min_version,uint16_t * out_max_version)173 bool ssl_get_version_range(const SSL_HANDSHAKE *hs, uint16_t *out_min_version,
174 uint16_t *out_max_version) {
175 // For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but
176 // DTLS 1.0 should be mapped to TLS 1.1.
177 uint32_t options = hs->ssl->options;
178 if (SSL_is_dtls(hs->ssl)) {
179 options &= ~SSL_OP_NO_TLSv1_1;
180 if (options & SSL_OP_NO_DTLSv1) {
181 options |= SSL_OP_NO_TLSv1_1;
182 }
183 }
184
185 uint16_t min_version, max_version;
186 if (!ssl_protocol_version_from_wire(&min_version,
187 hs->config->conf_min_version) ||
188 !ssl_protocol_version_from_wire(&max_version,
189 hs->config->conf_max_version)) {
190 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
191 return false;
192 }
193
194 // QUIC requires TLS 1.3.
195 if (hs->ssl->quic_method && min_version < TLS1_3_VERSION) {
196 min_version = TLS1_3_VERSION;
197 }
198
199 // The |SSL_OP_NO_*| flags disable individual protocols. This has two
200 // problems. First, prior to TLS 1.3, the protocol can only express a
201 // contiguous range of versions. Second, a library consumer trying to set a
202 // maximum version cannot disable protocol versions that get added in a future
203 // version of the library.
204 //
205 // To account for both of these, OpenSSL interprets the client-side bitmask
206 // as a min/max range by picking the lowest contiguous non-empty range of
207 // enabled protocols. Note that this means it is impossible to set a maximum
208 // version of the higest supported TLS version in a future-proof way.
209 bool any_enabled = false;
210 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kProtocolVersions); i++) {
211 // Only look at the versions already enabled.
212 if (min_version > kProtocolVersions[i].version) {
213 continue;
214 }
215 if (max_version < kProtocolVersions[i].version) {
216 break;
217 }
218
219 if (!(options & kProtocolVersions[i].flag)) {
220 // The minimum version is the first enabled version.
221 if (!any_enabled) {
222 any_enabled = true;
223 min_version = kProtocolVersions[i].version;
224 }
225 continue;
226 }
227
228 // If there is a disabled version after the first enabled one, all versions
229 // after it are implicitly disabled.
230 if (any_enabled) {
231 max_version = kProtocolVersions[i-1].version;
232 break;
233 }
234 }
235
236 if (!any_enabled) {
237 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SUPPORTED_VERSIONS_ENABLED);
238 return false;
239 }
240
241 *out_min_version = min_version;
242 *out_max_version = max_version;
243 return true;
244 }
245
ssl_version(const SSL * ssl)246 static uint16_t ssl_version(const SSL *ssl) {
247 // In early data, we report the predicted version.
248 if (SSL_in_early_data(ssl) && !ssl->server) {
249 return ssl->s3->hs->early_session->ssl_version;
250 }
251 return ssl->version;
252 }
253
ssl_protocol_version(const SSL * ssl)254 uint16_t ssl_protocol_version(const SSL *ssl) {
255 assert(ssl->s3->have_version);
256 uint16_t version;
257 if (!ssl_protocol_version_from_wire(&version, ssl->version)) {
258 // |ssl->version| will always be set to a valid version.
259 assert(0);
260 return 0;
261 }
262
263 return version;
264 }
265
ssl_supports_version(const SSL_HANDSHAKE * hs,uint16_t version)266 bool ssl_supports_version(const SSL_HANDSHAKE *hs, uint16_t version) {
267 const SSL *const ssl = hs->ssl;
268 uint16_t protocol_version;
269 if (!ssl_method_supports_version(ssl->method, version) ||
270 !ssl_protocol_version_from_wire(&protocol_version, version) ||
271 hs->min_version > protocol_version ||
272 protocol_version > hs->max_version) {
273 return false;
274 }
275
276 return true;
277 }
278
ssl_add_supported_versions(const SSL_HANDSHAKE * hs,CBB * cbb,uint16_t extra_min_version)279 bool ssl_add_supported_versions(const SSL_HANDSHAKE *hs, CBB *cbb,
280 uint16_t extra_min_version) {
281 for (uint16_t version : get_method_versions(hs->ssl->method)) {
282 uint16_t protocol_version;
283 if (ssl_supports_version(hs, version) &&
284 ssl_protocol_version_from_wire(&protocol_version, version) &&
285 protocol_version >= extra_min_version && //
286 !CBB_add_u16(cbb, version)) {
287 return false;
288 }
289 }
290 return true;
291 }
292
ssl_negotiate_version(SSL_HANDSHAKE * hs,uint8_t * out_alert,uint16_t * out_version,const CBS * peer_versions)293 bool ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
294 uint16_t *out_version, const CBS *peer_versions) {
295 for (uint16_t version : get_method_versions(hs->ssl->method)) {
296 if (!ssl_supports_version(hs, version)) {
297 continue;
298 }
299
300 // JDK 11, prior to 11.0.2, has a buggy TLS 1.3 implementation which fails
301 // to send SNI when offering 1.3 sessions. Disable TLS 1.3 for such
302 // clients. We apply this logic here rather than |ssl_supports_version| so
303 // the downgrade signal continues to query the true capabilities. (The
304 // workaround is a limitation of the peer's capabilities rather than our
305 // own.)
306 //
307 // See https://bugs.openjdk.java.net/browse/JDK-8211806.
308 if (version == TLS1_3_VERSION && hs->apply_jdk11_workaround) {
309 continue;
310 }
311
312 CBS copy = *peer_versions;
313 while (CBS_len(©) != 0) {
314 uint16_t peer_version;
315 if (!CBS_get_u16(©, &peer_version)) {
316 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
317 *out_alert = SSL_AD_DECODE_ERROR;
318 return false;
319 }
320
321 if (peer_version == version) {
322 *out_version = version;
323 return true;
324 }
325 }
326 }
327
328 OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);
329 *out_alert = SSL_AD_PROTOCOL_VERSION;
330 return false;
331 }
332
333 BSSL_NAMESPACE_END
334
335 using namespace bssl;
336
SSL_CTX_set_min_proto_version(SSL_CTX * ctx,uint16_t version)337 int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) {
338 return set_min_version(ctx->method, &ctx->conf_min_version, version);
339 }
340
SSL_CTX_set_max_proto_version(SSL_CTX * ctx,uint16_t version)341 int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) {
342 return set_max_version(ctx->method, &ctx->conf_max_version, version);
343 }
344
SSL_CTX_get_min_proto_version(const SSL_CTX * ctx)345 uint16_t SSL_CTX_get_min_proto_version(const SSL_CTX *ctx) {
346 return ctx->conf_min_version;
347 }
348
SSL_CTX_get_max_proto_version(const SSL_CTX * ctx)349 uint16_t SSL_CTX_get_max_proto_version(const SSL_CTX *ctx) {
350 return ctx->conf_max_version;
351 }
352
SSL_set_min_proto_version(SSL * ssl,uint16_t version)353 int SSL_set_min_proto_version(SSL *ssl, uint16_t version) {
354 if (!ssl->config) {
355 return 0;
356 }
357 return set_min_version(ssl->method, &ssl->config->conf_min_version, version);
358 }
359
SSL_set_max_proto_version(SSL * ssl,uint16_t version)360 int SSL_set_max_proto_version(SSL *ssl, uint16_t version) {
361 if (!ssl->config) {
362 return 0;
363 }
364 return set_max_version(ssl->method, &ssl->config->conf_max_version, version);
365 }
366
SSL_get_min_proto_version(const SSL * ssl)367 uint16_t SSL_get_min_proto_version(const SSL *ssl) {
368 if (!ssl->config) {
369 return 0;
370 }
371 return ssl->config->conf_min_version;
372 }
373
SSL_get_max_proto_version(const SSL * ssl)374 uint16_t SSL_get_max_proto_version(const SSL *ssl) {
375 if (!ssl->config) {
376 return 0;
377 }
378 return ssl->config->conf_max_version;
379 }
380
SSL_version(const SSL * ssl)381 int SSL_version(const SSL *ssl) {
382 return wire_version_to_api(ssl_version(ssl));
383 }
384
SSL_get_version(const SSL * ssl)385 const char *SSL_get_version(const SSL *ssl) {
386 return ssl_version_to_string(ssl_version(ssl));
387 }
388
SSL_get_all_version_names(const char ** out,size_t max_out)389 size_t SSL_get_all_version_names(const char **out, size_t max_out) {
390 return GetAllNames(out, max_out, MakeConstSpan(&kUnknownVersion, 1),
391 &VersionInfo::name, MakeConstSpan(kVersionNames));
392 }
393
SSL_SESSION_get_version(const SSL_SESSION * session)394 const char *SSL_SESSION_get_version(const SSL_SESSION *session) {
395 return ssl_version_to_string(session->ssl_version);
396 }
397
SSL_SESSION_get_protocol_version(const SSL_SESSION * session)398 uint16_t SSL_SESSION_get_protocol_version(const SSL_SESSION *session) {
399 return wire_version_to_api(session->ssl_version);
400 }
401
SSL_SESSION_set_protocol_version(SSL_SESSION * session,uint16_t version)402 int SSL_SESSION_set_protocol_version(SSL_SESSION *session, uint16_t version) {
403 // This picks a representative TLS 1.3 version, but this API should only be
404 // used on unit test sessions anyway.
405 return api_version_to_wire(&session->ssl_version, version);
406 }
407
SSL_CTX_set_record_protocol_version(SSL_CTX * ctx,int version)408 int SSL_CTX_set_record_protocol_version(SSL_CTX *ctx, int version) {
409 return version == 0;
410 }
411