1/* Copyright (c) 2017, Google Inc. 2 * 3 * Permission to use, copy, modify, and/or distribute this software for any 4 * purpose with or without fee is hereby granted, provided that the above 5 * copyright notice and this permission notice appear in all copies. 6 * 7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 15#include <openssl/ssl.h> 16 17#include <assert.h> 18 19#include <openssl/bytestring.h> 20#include <openssl/err.h> 21 22#include "internal.h" 23#include "../crypto/internal.h" 24 25 26namespace bssl { 27 28bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) { 29 switch (version) { 30 case SSL3_VERSION: 31 case TLS1_VERSION: 32 case TLS1_1_VERSION: 33 case TLS1_2_VERSION: 34 *out = version; 35 return true; 36 37 case TLS1_3_DRAFT23_VERSION: 38 *out = TLS1_3_VERSION; 39 return true; 40 41 case DTLS1_VERSION: 42 // DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0. 43 *out = TLS1_1_VERSION; 44 return true; 45 46 case DTLS1_2_VERSION: 47 *out = TLS1_2_VERSION; 48 return true; 49 50 default: 51 return false; 52 } 53} 54 55// The follow arrays are the supported versions for TLS and DTLS, in order of 56// decreasing preference. 57 58static const uint16_t kTLSVersions[] = { 59 TLS1_3_DRAFT23_VERSION, 60 TLS1_2_VERSION, 61 TLS1_1_VERSION, 62 TLS1_VERSION, 63 SSL3_VERSION, 64}; 65 66static const uint16_t kDTLSVersions[] = { 67 DTLS1_2_VERSION, 68 DTLS1_VERSION, 69}; 70 71static void get_method_versions(const SSL_PROTOCOL_METHOD *method, 72 const uint16_t **out, size_t *out_num) { 73 if (method->is_dtls) { 74 *out = kDTLSVersions; 75 *out_num = OPENSSL_ARRAY_SIZE(kDTLSVersions); 76 } else { 77 *out = kTLSVersions; 78 *out_num = OPENSSL_ARRAY_SIZE(kTLSVersions); 79 } 80} 81 82static bool method_supports_version(const SSL_PROTOCOL_METHOD *method, 83 uint16_t version) { 84 const uint16_t *versions; 85 size_t num_versions; 86 get_method_versions(method, &versions, &num_versions); 87 for (size_t i = 0; i < num_versions; i++) { 88 if (versions[i] == version) { 89 return true; 90 } 91 } 92 return false; 93} 94 95// The following functions map between API versions and wire versions. The 96// public API works on wire versions, except that TLS 1.3 draft versions all 97// appear as TLS 1.3. This will get collapsed back down when TLS 1.3 is 98// finalized. 99 100static const char *ssl_version_to_string(uint16_t version) { 101 switch (version) { 102 case TLS1_3_DRAFT23_VERSION: 103 return "TLSv1.3"; 104 105 case TLS1_2_VERSION: 106 return "TLSv1.2"; 107 108 case TLS1_1_VERSION: 109 return "TLSv1.1"; 110 111 case TLS1_VERSION: 112 return "TLSv1"; 113 114 case SSL3_VERSION: 115 return "SSLv3"; 116 117 case DTLS1_VERSION: 118 return "DTLSv1"; 119 120 case DTLS1_2_VERSION: 121 return "DTLSv1.2"; 122 123 default: 124 return "unknown"; 125 } 126} 127 128static uint16_t wire_version_to_api(uint16_t version) { 129 switch (version) { 130 // Report TLS 1.3 draft versions as TLS 1.3 in the public API. 131 case TLS1_3_DRAFT23_VERSION: 132 return TLS1_3_VERSION; 133 default: 134 return version; 135 } 136} 137 138// api_version_to_wire maps |version| to some representative wire version. In 139// particular, it picks an arbitrary TLS 1.3 representative. This should only be 140// used in context where that does not matter. 141static bool api_version_to_wire(uint16_t *out, uint16_t version) { 142 if (version == TLS1_3_DRAFT23_VERSION) { 143 return false; 144 } 145 if (version == TLS1_3_VERSION) { 146 version = TLS1_3_DRAFT23_VERSION; 147 } 148 149 // Check it is a real protocol version. 150 uint16_t unused; 151 if (!ssl_protocol_version_from_wire(&unused, version)) { 152 return false; 153 } 154 155 *out = version; 156 return true; 157} 158 159static bool set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out, 160 uint16_t version) { 161 if (!api_version_to_wire(&version, version) || 162 !method_supports_version(method, version) || 163 !ssl_protocol_version_from_wire(out, version)) { 164 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_SSL_VERSION); 165 return false; 166 } 167 168 return true; 169} 170 171static bool set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out, 172 uint16_t version) { 173 // Zero is interpreted as the default minimum version. 174 if (version == 0) { 175 // SSL 3.0 is disabled by default and TLS 1.0 does not exist in DTLS. 176 *out = method->is_dtls ? TLS1_1_VERSION : TLS1_VERSION; 177 return true; 178 } 179 180 return set_version_bound(method, out, version); 181} 182 183static bool set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out, 184 uint16_t version) { 185 // Zero is interpreted as the default maximum version. 186 if (version == 0) { 187 *out = TLS1_2_VERSION; 188 return true; 189 } 190 191 return set_version_bound(method, out, version); 192} 193 194const struct { 195 uint16_t version; 196 uint32_t flag; 197} kProtocolVersions[] = { 198 {SSL3_VERSION, SSL_OP_NO_SSLv3}, 199 {TLS1_VERSION, SSL_OP_NO_TLSv1}, 200 {TLS1_1_VERSION, SSL_OP_NO_TLSv1_1}, 201 {TLS1_2_VERSION, SSL_OP_NO_TLSv1_2}, 202 {TLS1_3_VERSION, SSL_OP_NO_TLSv1_3}, 203}; 204 205bool ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version, 206 uint16_t *out_max_version) { 207 // For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but 208 // DTLS 1.0 should be mapped to TLS 1.1. 209 uint32_t options = ssl->options; 210 if (SSL_is_dtls(ssl)) { 211 options &= ~SSL_OP_NO_TLSv1_1; 212 if (options & SSL_OP_NO_DTLSv1) { 213 options |= SSL_OP_NO_TLSv1_1; 214 } 215 } 216 217 uint16_t min_version = ssl->conf_min_version; 218 uint16_t max_version = ssl->conf_max_version; 219 220 // OpenSSL's API for controlling versions entails blacklisting individual 221 // protocols. This has two problems. First, on the client, the protocol can 222 // only express a contiguous range of versions. Second, a library consumer 223 // trying to set a maximum version cannot disable protocol versions that get 224 // added in a future version of the library. 225 // 226 // To account for both of these, OpenSSL interprets the client-side bitmask 227 // as a min/max range by picking the lowest contiguous non-empty range of 228 // enabled protocols. Note that this means it is impossible to set a maximum 229 // version of the higest supported TLS version in a future-proof way. 230 bool any_enabled = false; 231 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kProtocolVersions); i++) { 232 // Only look at the versions already enabled. 233 if (min_version > kProtocolVersions[i].version) { 234 continue; 235 } 236 if (max_version < kProtocolVersions[i].version) { 237 break; 238 } 239 240 if (!(options & kProtocolVersions[i].flag)) { 241 // The minimum version is the first enabled version. 242 if (!any_enabled) { 243 any_enabled = true; 244 min_version = kProtocolVersions[i].version; 245 } 246 continue; 247 } 248 249 // If there is a disabled version after the first enabled one, all versions 250 // after it are implicitly disabled. 251 if (any_enabled) { 252 max_version = kProtocolVersions[i-1].version; 253 break; 254 } 255 } 256 257 if (!any_enabled) { 258 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SUPPORTED_VERSIONS_ENABLED); 259 return false; 260 } 261 262 *out_min_version = min_version; 263 *out_max_version = max_version; 264 return true; 265} 266 267static uint16_t ssl_version(const SSL *ssl) { 268 // In early data, we report the predicted version. 269 if (SSL_in_early_data(ssl) && !ssl->server) { 270 return ssl->s3->hs->early_session->ssl_version; 271 } 272 return ssl->version; 273} 274 275uint16_t ssl_protocol_version(const SSL *ssl) { 276 assert(ssl->s3->have_version); 277 uint16_t version; 278 if (!ssl_protocol_version_from_wire(&version, ssl->version)) { 279 // |ssl->version| will always be set to a valid version. 280 assert(0); 281 return 0; 282 } 283 284 return version; 285} 286 287bool ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version) { 288 SSL *const ssl = hs->ssl; 289 uint16_t protocol_version; 290 if (!method_supports_version(ssl->method, version) || 291 !ssl_protocol_version_from_wire(&protocol_version, version) || 292 hs->min_version > protocol_version || 293 protocol_version > hs->max_version) { 294 return false; 295 } 296 297 // This logic is part of the TLS 1.3 variants mechanism used in TLS 1.3 298 // experimentation. Although we currently only have one variant, TLS 1.3 does 299 // not a final stable deployment yet, so leave the logic in place for now. 300 if (protocol_version != TLS1_3_VERSION || 301 (ssl->tls13_variant == tls13_default && 302 version == TLS1_3_DRAFT23_VERSION)) { 303 return true; 304 } 305 306 // The server, when not configured at |tls13_default|, should additionally 307 // enable all variants. 308 if (ssl->server && ssl->tls13_variant != tls13_default) { 309 return true; 310 } 311 312 return false; 313} 314 315bool ssl_add_supported_versions(SSL_HANDSHAKE *hs, CBB *cbb) { 316 const uint16_t *versions; 317 size_t num_versions; 318 get_method_versions(hs->ssl->method, &versions, &num_versions); 319 for (size_t i = 0; i < num_versions; i++) { 320 if (ssl_supports_version(hs, versions[i]) && 321 !CBB_add_u16(cbb, versions[i])) { 322 return false; 323 } 324 } 325 return true; 326} 327 328bool ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert, 329 uint16_t *out_version, const CBS *peer_versions) { 330 const uint16_t *versions; 331 size_t num_versions; 332 get_method_versions(hs->ssl->method, &versions, &num_versions); 333 for (size_t i = 0; i < num_versions; i++) { 334 if (!ssl_supports_version(hs, versions[i])) { 335 continue; 336 } 337 338 CBS copy = *peer_versions; 339 while (CBS_len(©) != 0) { 340 uint16_t version; 341 if (!CBS_get_u16(©, &version)) { 342 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 343 *out_alert = SSL_AD_DECODE_ERROR; 344 return false; 345 } 346 347 if (version == versions[i]) { 348 *out_version = version; 349 return true; 350 } 351 } 352 } 353 354 OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL); 355 *out_alert = SSL_AD_PROTOCOL_VERSION; 356 return false; 357} 358 359} // namespace bssl 360 361using namespace bssl; 362 363int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) { 364 return set_min_version(ctx->method, &ctx->conf_min_version, version); 365} 366 367int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) { 368 return set_max_version(ctx->method, &ctx->conf_max_version, version); 369} 370 371int SSL_set_min_proto_version(SSL *ssl, uint16_t version) { 372 return set_min_version(ssl->method, &ssl->conf_min_version, version); 373} 374 375int SSL_set_max_proto_version(SSL *ssl, uint16_t version) { 376 return set_max_version(ssl->method, &ssl->conf_max_version, version); 377} 378 379int SSL_version(const SSL *ssl) { 380 return wire_version_to_api(ssl_version(ssl)); 381} 382 383const char *SSL_get_version(const SSL *ssl) { 384 return ssl_version_to_string(ssl_version(ssl)); 385} 386 387const char *SSL_SESSION_get_version(const SSL_SESSION *session) { 388 return ssl_version_to_string(session->ssl_version); 389} 390 391uint16_t SSL_SESSION_get_protocol_version(const SSL_SESSION *session) { 392 return wire_version_to_api(session->ssl_version); 393} 394 395int SSL_SESSION_set_protocol_version(SSL_SESSION *session, uint16_t version) { 396 // This picks a representative TLS 1.3 version, but this API should only be 397 // used on unit test sessions anyway. 398 return api_version_to_wire(&session->ssl_version, version); 399} 400