1 /* Copyright (c) 2017, Google Inc. 2 * 3 * Permission to use, copy, modify, and/or distribute this software for any 4 * purpose with or without fee is hereby granted, provided that the above 5 * copyright notice and this permission notice appear in all copies. 6 * 7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 15 #include <openssl/ssl.h> 16 17 #include <assert.h> 18 19 #include <openssl/bytestring.h> 20 #include <openssl/err.h> 21 22 #include "internal.h" 23 #include "../crypto/internal.h" 24 25 26 int ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) { 27 switch (version) { 28 case SSL3_VERSION: 29 case TLS1_VERSION: 30 case TLS1_1_VERSION: 31 case TLS1_2_VERSION: 32 *out = version; 33 return 1; 34 35 case TLS1_3_DRAFT_VERSION: 36 case TLS1_3_EXPERIMENT_VERSION: 37 case TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION: 38 *out = TLS1_3_VERSION; 39 return 1; 40 41 case DTLS1_VERSION: 42 /* DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0. */ 43 *out = TLS1_1_VERSION; 44 return 1; 45 46 case DTLS1_2_VERSION: 47 *out = TLS1_2_VERSION; 48 return 1; 49 50 default: 51 return 0; 52 } 53 } 54 55 /* The follow arrays are the supported versions for TLS and DTLS, in order of 56 * decreasing preference. */ 57 58 static const uint16_t kTLSVersions[] = { 59 TLS1_3_EXPERIMENT_VERSION, 60 TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION, 61 TLS1_3_DRAFT_VERSION, 62 TLS1_2_VERSION, 63 TLS1_1_VERSION, 64 TLS1_VERSION, 65 SSL3_VERSION, 66 }; 67 68 static const uint16_t kDTLSVersions[] = { 69 DTLS1_2_VERSION, 70 DTLS1_VERSION, 71 }; 72 73 static void get_method_versions(const SSL_PROTOCOL_METHOD *method, 74 const uint16_t **out, size_t *out_num) { 75 if (method->is_dtls) { 76 *out = kDTLSVersions; 77 *out_num = OPENSSL_ARRAY_SIZE(kDTLSVersions); 78 } else { 79 *out = kTLSVersions; 80 *out_num = OPENSSL_ARRAY_SIZE(kTLSVersions); 81 } 82 } 83 84 static int method_supports_version(const SSL_PROTOCOL_METHOD *method, 85 uint16_t version) { 86 const uint16_t *versions; 87 size_t num_versions; 88 get_method_versions(method, &versions, &num_versions); 89 for (size_t i = 0; i < num_versions; i++) { 90 if (versions[i] == version) { 91 return 1; 92 } 93 } 94 return 0; 95 } 96 97 static int set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out, 98 uint16_t version) { 99 /* The public API uses wire versions, except we use |TLS1_3_VERSION| 100 * everywhere to refer to any draft TLS 1.3 versions. In this direction, we 101 * map it to some representative TLS 1.3 draft version. */ 102 if (version == TLS1_3_DRAFT_VERSION || 103 version == TLS1_3_EXPERIMENT_VERSION || 104 version == TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION) { 105 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_SSL_VERSION); 106 return 0; 107 } 108 if (version == TLS1_3_VERSION) { 109 version = TLS1_3_DRAFT_VERSION; 110 } 111 112 if (!method_supports_version(method, version) || 113 !ssl_protocol_version_from_wire(out, version)) { 114 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_SSL_VERSION); 115 return 0; 116 } 117 118 return 1; 119 } 120 121 static int set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out, 122 uint16_t version) { 123 /* Zero is interpreted as the default minimum version. */ 124 if (version == 0) { 125 /* SSL 3.0 is disabled by default and TLS 1.0 does not exist in DTLS. */ 126 *out = method->is_dtls ? TLS1_1_VERSION : TLS1_VERSION; 127 return 1; 128 } 129 130 return set_version_bound(method, out, version); 131 } 132 133 static int set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out, 134 uint16_t version) { 135 /* Zero is interpreted as the default maximum version. */ 136 if (version == 0) { 137 *out = TLS1_2_VERSION; 138 return 1; 139 } 140 141 return set_version_bound(method, out, version); 142 } 143 144 int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) { 145 return set_min_version(ctx->method, &ctx->conf_min_version, version); 146 } 147 148 int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) { 149 return set_max_version(ctx->method, &ctx->conf_max_version, version); 150 } 151 152 int SSL_set_min_proto_version(SSL *ssl, uint16_t version) { 153 return set_min_version(ssl->method, &ssl->conf_min_version, version); 154 } 155 156 int SSL_set_max_proto_version(SSL *ssl, uint16_t version) { 157 return set_max_version(ssl->method, &ssl->conf_max_version, version); 158 } 159 160 const struct { 161 uint16_t version; 162 uint32_t flag; 163 } kProtocolVersions[] = { 164 {SSL3_VERSION, SSL_OP_NO_SSLv3}, 165 {TLS1_VERSION, SSL_OP_NO_TLSv1}, 166 {TLS1_1_VERSION, SSL_OP_NO_TLSv1_1}, 167 {TLS1_2_VERSION, SSL_OP_NO_TLSv1_2}, 168 {TLS1_3_VERSION, SSL_OP_NO_TLSv1_3}, 169 }; 170 171 int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version, 172 uint16_t *out_max_version) { 173 /* For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but 174 * DTLS 1.0 should be mapped to TLS 1.1. */ 175 uint32_t options = ssl->options; 176 if (SSL_is_dtls(ssl)) { 177 options &= ~SSL_OP_NO_TLSv1_1; 178 if (options & SSL_OP_NO_DTLSv1) { 179 options |= SSL_OP_NO_TLSv1_1; 180 } 181 } 182 183 uint16_t min_version = ssl->conf_min_version; 184 uint16_t max_version = ssl->conf_max_version; 185 186 /* OpenSSL's API for controlling versions entails blacklisting individual 187 * protocols. This has two problems. First, on the client, the protocol can 188 * only express a contiguous range of versions. Second, a library consumer 189 * trying to set a maximum version cannot disable protocol versions that get 190 * added in a future version of the library. 191 * 192 * To account for both of these, OpenSSL interprets the client-side bitmask 193 * as a min/max range by picking the lowest contiguous non-empty range of 194 * enabled protocols. Note that this means it is impossible to set a maximum 195 * version of the higest supported TLS version in a future-proof way. */ 196 int any_enabled = 0; 197 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kProtocolVersions); i++) { 198 /* Only look at the versions already enabled. */ 199 if (min_version > kProtocolVersions[i].version) { 200 continue; 201 } 202 if (max_version < kProtocolVersions[i].version) { 203 break; 204 } 205 206 if (!(options & kProtocolVersions[i].flag)) { 207 /* The minimum version is the first enabled version. */ 208 if (!any_enabled) { 209 any_enabled = 1; 210 min_version = kProtocolVersions[i].version; 211 } 212 continue; 213 } 214 215 /* If there is a disabled version after the first enabled one, all versions 216 * after it are implicitly disabled. */ 217 if (any_enabled) { 218 max_version = kProtocolVersions[i-1].version; 219 break; 220 } 221 } 222 223 if (!any_enabled) { 224 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SUPPORTED_VERSIONS_ENABLED); 225 return 0; 226 } 227 228 *out_min_version = min_version; 229 *out_max_version = max_version; 230 return 1; 231 } 232 233 static uint16_t ssl_version(const SSL *ssl) { 234 /* In early data, we report the predicted version. */ 235 if (SSL_in_early_data(ssl) && !ssl->server) { 236 return ssl->s3->hs->early_session->ssl_version; 237 } 238 return ssl->version; 239 } 240 241 int SSL_version(const SSL *ssl) { 242 uint16_t ret = ssl_version(ssl); 243 /* Report TLS 1.3 draft version as TLS 1.3 in the public API. */ 244 if (ret == TLS1_3_DRAFT_VERSION || ret == TLS1_3_EXPERIMENT_VERSION || 245 ret == TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION) { 246 return TLS1_3_VERSION; 247 } 248 return ret; 249 } 250 251 static const char *ssl_get_version(int version) { 252 switch (version) { 253 /* Report TLS 1.3 draft version as TLS 1.3 in the public API. */ 254 case TLS1_3_DRAFT_VERSION: 255 case TLS1_3_EXPERIMENT_VERSION: 256 case TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION: 257 return "TLSv1.3"; 258 259 case TLS1_2_VERSION: 260 return "TLSv1.2"; 261 262 case TLS1_1_VERSION: 263 return "TLSv1.1"; 264 265 case TLS1_VERSION: 266 return "TLSv1"; 267 268 case SSL3_VERSION: 269 return "SSLv3"; 270 271 case DTLS1_VERSION: 272 return "DTLSv1"; 273 274 case DTLS1_2_VERSION: 275 return "DTLSv1.2"; 276 277 default: 278 return "unknown"; 279 } 280 } 281 282 const char *SSL_get_version(const SSL *ssl) { 283 return ssl_get_version(ssl_version(ssl)); 284 } 285 286 const char *SSL_SESSION_get_version(const SSL_SESSION *session) { 287 return ssl_get_version(session->ssl_version); 288 } 289 290 uint16_t ssl3_protocol_version(const SSL *ssl) { 291 assert(ssl->s3->have_version); 292 uint16_t version; 293 if (!ssl_protocol_version_from_wire(&version, ssl->version)) { 294 /* |ssl->version| will always be set to a valid version. */ 295 assert(0); 296 return 0; 297 } 298 299 return version; 300 } 301 302 int ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version) { 303 SSL *const ssl = hs->ssl; 304 /* As a client, only allow the configured TLS 1.3 variant. As a server, 305 * support all TLS 1.3 variants as long as tls13_variant is set to a 306 * non-default value. */ 307 if (ssl->server) { 308 if (ssl->tls13_variant == tls13_default && 309 (version == TLS1_3_EXPERIMENT_VERSION || 310 version == TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION)) { 311 return 0; 312 } 313 } else { 314 if ((ssl->tls13_variant != tls13_experiment && 315 version == TLS1_3_EXPERIMENT_VERSION) || 316 (ssl->tls13_variant != tls13_record_type_experiment && 317 version == TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION) || 318 (ssl->tls13_variant != tls13_default && 319 version == TLS1_3_DRAFT_VERSION)) { 320 return 0; 321 } 322 } 323 324 uint16_t protocol_version; 325 return method_supports_version(ssl->method, version) && 326 ssl_protocol_version_from_wire(&protocol_version, version) && 327 hs->min_version <= protocol_version && 328 protocol_version <= hs->max_version; 329 } 330 331 int ssl_add_supported_versions(SSL_HANDSHAKE *hs, CBB *cbb) { 332 const uint16_t *versions; 333 size_t num_versions; 334 get_method_versions(hs->ssl->method, &versions, &num_versions); 335 for (size_t i = 0; i < num_versions; i++) { 336 if (ssl_supports_version(hs, versions[i]) && 337 !CBB_add_u16(cbb, versions[i])) { 338 return 0; 339 } 340 } 341 return 1; 342 } 343 344 int ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert, 345 uint16_t *out_version, const CBS *peer_versions) { 346 const uint16_t *versions; 347 size_t num_versions; 348 get_method_versions(hs->ssl->method, &versions, &num_versions); 349 for (size_t i = 0; i < num_versions; i++) { 350 if (!ssl_supports_version(hs, versions[i])) { 351 continue; 352 } 353 354 CBS copy = *peer_versions; 355 while (CBS_len(©) != 0) { 356 uint16_t version; 357 if (!CBS_get_u16(©, &version)) { 358 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 359 *out_alert = SSL_AD_DECODE_ERROR; 360 return 0; 361 } 362 363 if (version == versions[i]) { 364 *out_version = version; 365 return 1; 366 } 367 } 368 } 369 370 OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL); 371 *out_alert = SSL_AD_PROTOCOL_VERSION; 372 return 0; 373 } 374