1 /* Copyright (c) 2017, Google Inc. 2 * 3 * Permission to use, copy, modify, and/or distribute this software for any 4 * purpose with or without fee is hereby granted, provided that the above 5 * copyright notice and this permission notice appear in all copies. 6 * 7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 15 #include <openssl/ssl.h> 16 17 #include <assert.h> 18 19 #include <openssl/bytestring.h> 20 #include <openssl/err.h> 21 22 #include "internal.h" 23 #include "../crypto/internal.h" 24 25 26 BSSL_NAMESPACE_BEGIN 27 28 bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) { 29 switch (version) { 30 case TLS1_VERSION: 31 case TLS1_1_VERSION: 32 case TLS1_2_VERSION: 33 case TLS1_3_VERSION: 34 *out = version; 35 return true; 36 37 case DTLS1_VERSION: 38 // DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0. 39 *out = TLS1_1_VERSION; 40 return true; 41 42 case DTLS1_2_VERSION: 43 *out = TLS1_2_VERSION; 44 return true; 45 46 default: 47 return false; 48 } 49 } 50 51 // The follow arrays are the supported versions for TLS and DTLS, in order of 52 // decreasing preference. 53 54 static const uint16_t kTLSVersions[] = { 55 TLS1_3_VERSION, 56 TLS1_2_VERSION, 57 TLS1_1_VERSION, 58 TLS1_VERSION, 59 }; 60 61 static const uint16_t kDTLSVersions[] = { 62 DTLS1_2_VERSION, 63 DTLS1_VERSION, 64 }; 65 66 static void get_method_versions(const SSL_PROTOCOL_METHOD *method, 67 const uint16_t **out, size_t *out_num) { 68 if (method->is_dtls) { 69 *out = kDTLSVersions; 70 *out_num = OPENSSL_ARRAY_SIZE(kDTLSVersions); 71 } else { 72 *out = kTLSVersions; 73 *out_num = OPENSSL_ARRAY_SIZE(kTLSVersions); 74 } 75 } 76 77 bool ssl_method_supports_version(const SSL_PROTOCOL_METHOD *method, 78 uint16_t version) { 79 const uint16_t *versions; 80 size_t num_versions; 81 get_method_versions(method, &versions, &num_versions); 82 for (size_t i = 0; i < num_versions; i++) { 83 if (versions[i] == version) { 84 return true; 85 } 86 } 87 return false; 88 } 89 90 // The following functions map between API versions and wire versions. The 91 // public API works on wire versions. 92 93 static const char *ssl_version_to_string(uint16_t version) { 94 switch (version) { 95 case TLS1_3_VERSION: 96 return "TLSv1.3"; 97 98 case TLS1_2_VERSION: 99 return "TLSv1.2"; 100 101 case TLS1_1_VERSION: 102 return "TLSv1.1"; 103 104 case TLS1_VERSION: 105 return "TLSv1"; 106 107 case DTLS1_VERSION: 108 return "DTLSv1"; 109 110 case DTLS1_2_VERSION: 111 return "DTLSv1.2"; 112 113 default: 114 return "unknown"; 115 } 116 } 117 118 static uint16_t wire_version_to_api(uint16_t version) { 119 return version; 120 } 121 122 // api_version_to_wire maps |version| to some representative wire version. 123 static bool api_version_to_wire(uint16_t *out, uint16_t version) { 124 // Check it is a real protocol version. 125 uint16_t unused; 126 if (!ssl_protocol_version_from_wire(&unused, version)) { 127 return false; 128 } 129 130 *out = version; 131 return true; 132 } 133 134 static bool set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out, 135 uint16_t version) { 136 if (!api_version_to_wire(&version, version) || 137 !ssl_method_supports_version(method, version) || 138 !ssl_protocol_version_from_wire(out, version)) { 139 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_SSL_VERSION); 140 return false; 141 } 142 143 return true; 144 } 145 146 static bool set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out, 147 uint16_t version) { 148 // Zero is interpreted as the default minimum version. 149 if (version == 0) { 150 // TLS 1.0 does not exist in DTLS. 151 *out = method->is_dtls ? TLS1_1_VERSION : TLS1_VERSION; 152 return true; 153 } 154 155 return set_version_bound(method, out, version); 156 } 157 158 static bool set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out, 159 uint16_t version) { 160 // Zero is interpreted as the default maximum version. 161 if (version == 0) { 162 *out = TLS1_2_VERSION; 163 return true; 164 } 165 166 return set_version_bound(method, out, version); 167 } 168 169 const struct { 170 uint16_t version; 171 uint32_t flag; 172 } kProtocolVersions[] = { 173 {TLS1_VERSION, SSL_OP_NO_TLSv1}, 174 {TLS1_1_VERSION, SSL_OP_NO_TLSv1_1}, 175 {TLS1_2_VERSION, SSL_OP_NO_TLSv1_2}, 176 {TLS1_3_VERSION, SSL_OP_NO_TLSv1_3}, 177 }; 178 179 bool ssl_get_version_range(const SSL_HANDSHAKE *hs, uint16_t *out_min_version, 180 uint16_t *out_max_version) { 181 // For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but 182 // DTLS 1.0 should be mapped to TLS 1.1. 183 uint32_t options = hs->ssl->options; 184 if (SSL_is_dtls(hs->ssl)) { 185 options &= ~SSL_OP_NO_TLSv1_1; 186 if (options & SSL_OP_NO_DTLSv1) { 187 options |= SSL_OP_NO_TLSv1_1; 188 } 189 } 190 191 uint16_t min_version = hs->config->conf_min_version; 192 uint16_t max_version = hs->config->conf_max_version; 193 194 // QUIC requires TLS 1.3. 195 if (hs->ssl->quic_method && min_version < TLS1_3_VERSION) { 196 min_version = TLS1_3_VERSION; 197 } 198 199 // OpenSSL's API for controlling versions entails blacklisting individual 200 // protocols. This has two problems. First, on the client, the protocol can 201 // only express a contiguous range of versions. Second, a library consumer 202 // trying to set a maximum version cannot disable protocol versions that get 203 // added in a future version of the library. 204 // 205 // To account for both of these, OpenSSL interprets the client-side bitmask 206 // as a min/max range by picking the lowest contiguous non-empty range of 207 // enabled protocols. Note that this means it is impossible to set a maximum 208 // version of the higest supported TLS version in a future-proof way. 209 bool any_enabled = false; 210 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kProtocolVersions); i++) { 211 // Only look at the versions already enabled. 212 if (min_version > kProtocolVersions[i].version) { 213 continue; 214 } 215 if (max_version < kProtocolVersions[i].version) { 216 break; 217 } 218 219 if (!(options & kProtocolVersions[i].flag)) { 220 // The minimum version is the first enabled version. 221 if (!any_enabled) { 222 any_enabled = true; 223 min_version = kProtocolVersions[i].version; 224 } 225 continue; 226 } 227 228 // If there is a disabled version after the first enabled one, all versions 229 // after it are implicitly disabled. 230 if (any_enabled) { 231 max_version = kProtocolVersions[i-1].version; 232 break; 233 } 234 } 235 236 if (!any_enabled) { 237 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SUPPORTED_VERSIONS_ENABLED); 238 return false; 239 } 240 241 *out_min_version = min_version; 242 *out_max_version = max_version; 243 return true; 244 } 245 246 static uint16_t ssl_version(const SSL *ssl) { 247 // In early data, we report the predicted version. 248 if (SSL_in_early_data(ssl) && !ssl->server) { 249 return ssl->s3->hs->early_session->ssl_version; 250 } 251 return ssl->version; 252 } 253 254 uint16_t ssl_protocol_version(const SSL *ssl) { 255 assert(ssl->s3->have_version); 256 uint16_t version; 257 if (!ssl_protocol_version_from_wire(&version, ssl->version)) { 258 // |ssl->version| will always be set to a valid version. 259 assert(0); 260 return 0; 261 } 262 263 return version; 264 } 265 266 bool ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version) { 267 SSL *const ssl = hs->ssl; 268 uint16_t protocol_version; 269 if (!ssl_method_supports_version(ssl->method, version) || 270 !ssl_protocol_version_from_wire(&protocol_version, version) || 271 hs->min_version > protocol_version || 272 protocol_version > hs->max_version) { 273 return false; 274 } 275 276 return true; 277 } 278 279 bool ssl_add_supported_versions(SSL_HANDSHAKE *hs, CBB *cbb) { 280 const uint16_t *versions; 281 size_t num_versions; 282 get_method_versions(hs->ssl->method, &versions, &num_versions); 283 for (size_t i = 0; i < num_versions; i++) { 284 if (ssl_supports_version(hs, versions[i]) && 285 !CBB_add_u16(cbb, versions[i])) { 286 return false; 287 } 288 } 289 return true; 290 } 291 292 bool ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert, 293 uint16_t *out_version, const CBS *peer_versions) { 294 const uint16_t *versions; 295 size_t num_versions; 296 get_method_versions(hs->ssl->method, &versions, &num_versions); 297 for (size_t i = 0; i < num_versions; i++) { 298 if (!ssl_supports_version(hs, versions[i])) { 299 continue; 300 } 301 302 // JDK 11, prior to 11.0.2, has a buggy TLS 1.3 implementation which fails 303 // to send SNI when offering 1.3 sessions. Disable TLS 1.3 for such 304 // clients. We apply this logic here rather than |ssl_supports_version| so 305 // the downgrade signal continues to query the true capabilities. (The 306 // workaround is a limitation of the peer's capabilities rather than our 307 // own.) 308 // 309 // See https://bugs.openjdk.java.net/browse/JDK-8211806. 310 if (versions[i] == TLS1_3_VERSION && hs->apply_jdk11_workaround) { 311 continue; 312 } 313 314 CBS copy = *peer_versions; 315 while (CBS_len(©) != 0) { 316 uint16_t version; 317 if (!CBS_get_u16(©, &version)) { 318 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 319 *out_alert = SSL_AD_DECODE_ERROR; 320 return false; 321 } 322 323 if (version == versions[i]) { 324 *out_version = version; 325 return true; 326 } 327 } 328 } 329 330 OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL); 331 *out_alert = SSL_AD_PROTOCOL_VERSION; 332 return false; 333 } 334 335 BSSL_NAMESPACE_END 336 337 using namespace bssl; 338 339 int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) { 340 return set_min_version(ctx->method, &ctx->conf_min_version, version); 341 } 342 343 int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) { 344 return set_max_version(ctx->method, &ctx->conf_max_version, version); 345 } 346 347 int SSL_set_min_proto_version(SSL *ssl, uint16_t version) { 348 if (!ssl->config) { 349 return 0; 350 } 351 return set_min_version(ssl->method, &ssl->config->conf_min_version, version); 352 } 353 354 int SSL_set_max_proto_version(SSL *ssl, uint16_t version) { 355 if (!ssl->config) { 356 return 0; 357 } 358 return set_max_version(ssl->method, &ssl->config->conf_max_version, version); 359 } 360 361 int SSL_version(const SSL *ssl) { 362 return wire_version_to_api(ssl_version(ssl)); 363 } 364 365 const char *SSL_get_version(const SSL *ssl) { 366 return ssl_version_to_string(ssl_version(ssl)); 367 } 368 369 const char *SSL_SESSION_get_version(const SSL_SESSION *session) { 370 return ssl_version_to_string(session->ssl_version); 371 } 372 373 uint16_t SSL_SESSION_get_protocol_version(const SSL_SESSION *session) { 374 return wire_version_to_api(session->ssl_version); 375 } 376 377 int SSL_SESSION_set_protocol_version(SSL_SESSION *session, uint16_t version) { 378 // This picks a representative TLS 1.3 version, but this API should only be 379 // used on unit test sessions anyway. 380 return api_version_to_wire(&session->ssl_version, version); 381 } 382
