1/* Copyright (c) 2017, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <openssl/ssl.h>
16
17#include <assert.h>
18
19#include <openssl/bytestring.h>
20#include <openssl/err.h>
21
22#include "internal.h"
23#include "../crypto/internal.h"
24
25
26BSSL_NAMESPACE_BEGIN
27
28bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {
29 switch (version) {
30 case TLS1_VERSION:
31 case TLS1_1_VERSION:
32 case TLS1_2_VERSION:
33 case TLS1_3_VERSION:
34 *out = version;
35 return true;
36
37 case DTLS1_VERSION:
38 // DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0.
39 *out = TLS1_1_VERSION;
40 return true;
41
42 case DTLS1_2_VERSION:
43 *out = TLS1_2_VERSION;
44 return true;
45
46 default:
47 return false;
48 }
49}
50
51// The follow arrays are the supported versions for TLS and DTLS, in order of
52// decreasing preference.
53
54static const uint16_t kTLSVersions[] = {
55 TLS1_3_VERSION,
56 TLS1_2_VERSION,
57 TLS1_1_VERSION,
58 TLS1_VERSION,
59};
60
61static const uint16_t kDTLSVersions[] = {
62 DTLS1_2_VERSION,
63 DTLS1_VERSION,
64};
65
66static void get_method_versions(const SSL_PROTOCOL_METHOD *method,
67 const uint16_t **out, size_t *out_num) {
68 if (method->is_dtls) {
69 *out = kDTLSVersions;
70 *out_num = OPENSSL_ARRAY_SIZE(kDTLSVersions);
71 } else {
72 *out = kTLSVersions;
73 *out_num = OPENSSL_ARRAY_SIZE(kTLSVersions);
74 }
75}
76
77bool ssl_method_supports_version(const SSL_PROTOCOL_METHOD *method,
78 uint16_t version) {
79 const uint16_t *versions;
80 size_t num_versions;
81 get_method_versions(method, &versions, &num_versions);
82 for (size_t i = 0; i < num_versions; i++) {
83 if (versions[i] == version) {
84 return true;
85 }
86 }
87 return false;
88}
89
90// The following functions map between API versions and wire versions. The
91// public API works on wire versions.
92
93static const char *ssl_version_to_string(uint16_t version) {
94 switch (version) {
95 case TLS1_3_VERSION:
96 return "TLSv1.3";
97
98 case TLS1_2_VERSION:
99 return "TLSv1.2";
100
101 case TLS1_1_VERSION:
102 return "TLSv1.1";
103
104 case TLS1_VERSION:
105 return "TLSv1";
106
107 case DTLS1_VERSION:
108 return "DTLSv1";
109
110 case DTLS1_2_VERSION:
111 return "DTLSv1.2";
112
113 default:
114 return "unknown";
115 }
116}
117
118static uint16_t wire_version_to_api(uint16_t version) {
119 return version;
120}
121
122// api_version_to_wire maps |version| to some representative wire version.
123static bool api_version_to_wire(uint16_t *out, uint16_t version) {
124 // Check it is a real protocol version.
125 uint16_t unused;
126 if (!ssl_protocol_version_from_wire(&unused, version)) {
127 return false;
128 }
129
130 *out = version;
131 return true;
132}
133
134static bool set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
135 uint16_t version) {
136 if (!api_version_to_wire(&version, version) ||
137 !ssl_method_supports_version(method, version)) {
138 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_SSL_VERSION);
139 return false;
140 }
141
142 *out = version;
143 return true;
144}
145
146static bool set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
147 uint16_t version) {
148 // Zero is interpreted as the default minimum version.
149 if (version == 0) {
150 *out = method->is_dtls ? DTLS1_VERSION : TLS1_VERSION;
151 return true;
152 }
153
154 return set_version_bound(method, out, version);
155}
156
157static bool set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
158 uint16_t version) {
159 // Zero is interpreted as the default maximum version.
160 if (version == 0) {
161 *out = method->is_dtls ? DTLS1_2_VERSION : TLS1_2_VERSION;
162 return true;
163 }
164
165 return set_version_bound(method, out, version);
166}
167
168const struct {
169 uint16_t version;
170 uint32_t flag;
171} kProtocolVersions[] = {
172 {TLS1_VERSION, SSL_OP_NO_TLSv1},
173 {TLS1_1_VERSION, SSL_OP_NO_TLSv1_1},
174 {TLS1_2_VERSION, SSL_OP_NO_TLSv1_2},
175 {TLS1_3_VERSION, SSL_OP_NO_TLSv1_3},
176};
177
178bool ssl_get_version_range(const SSL_HANDSHAKE *hs, uint16_t *out_min_version,
179 uint16_t *out_max_version) {
180 // For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but
181 // DTLS 1.0 should be mapped to TLS 1.1.
182 uint32_t options = hs->ssl->options;
183 if (SSL_is_dtls(hs->ssl)) {
184 options &= ~SSL_OP_NO_TLSv1_1;
185 if (options & SSL_OP_NO_DTLSv1) {
186 options |= SSL_OP_NO_TLSv1_1;
187 }
188 }
189
190 uint16_t min_version, max_version;
191 if (!ssl_protocol_version_from_wire(&min_version,
192 hs->config->conf_min_version) ||
193 !ssl_protocol_version_from_wire(&max_version,
194 hs->config->conf_max_version)) {
195 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
196 return false;
197 }
198
199 // QUIC requires TLS 1.3.
200 if (hs->ssl->quic_method && min_version < TLS1_3_VERSION) {
201 min_version = TLS1_3_VERSION;
202 }
203
204 // OpenSSL's API for controlling versions entails blacklisting individual
205 // protocols. This has two problems. First, on the client, the protocol can
206 // only express a contiguous range of versions. Second, a library consumer
207 // trying to set a maximum version cannot disable protocol versions that get
208 // added in a future version of the library.
209 //
210 // To account for both of these, OpenSSL interprets the client-side bitmask
211 // as a min/max range by picking the lowest contiguous non-empty range of
212 // enabled protocols. Note that this means it is impossible to set a maximum
213 // version of the higest supported TLS version in a future-proof way.
214 bool any_enabled = false;
215 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kProtocolVersions); i++) {
216 // Only look at the versions already enabled.
217 if (min_version > kProtocolVersions[i].version) {
218 continue;
219 }
220 if (max_version < kProtocolVersions[i].version) {
221 break;
222 }
223
224 if (!(options & kProtocolVersions[i].flag)) {
225 // The minimum version is the first enabled version.
226 if (!any_enabled) {
227 any_enabled = true;
228 min_version = kProtocolVersions[i].version;
229 }
230 continue;
231 }
232
233 // If there is a disabled version after the first enabled one, all versions
234 // after it are implicitly disabled.
235 if (any_enabled) {
236 max_version = kProtocolVersions[i-1].version;
237 break;
238 }
239 }
240
241 if (!any_enabled) {
242 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SUPPORTED_VERSIONS_ENABLED);
243 return false;
244 }
245
246 *out_min_version = min_version;
247 *out_max_version = max_version;
248 return true;
249}
250
251static uint16_t ssl_version(const SSL *ssl) {
252 // In early data, we report the predicted version.
253 if (SSL_in_early_data(ssl) && !ssl->server) {
254 return ssl->s3->hs->early_session->ssl_version;
255 }
256 return ssl->version;
257}
258
259uint16_t ssl_protocol_version(const SSL *ssl) {
260 assert(ssl->s3->have_version);
261 uint16_t version;
262 if (!ssl_protocol_version_from_wire(&version, ssl->version)) {
263 // |ssl->version| will always be set to a valid version.
264 assert(0);
265 return 0;
266 }
267
268 return version;
269}
270
271bool ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version) {
272 SSL *const ssl = hs->ssl;
273 uint16_t protocol_version;
274 if (!ssl_method_supports_version(ssl->method, version) ||
275 !ssl_protocol_version_from_wire(&protocol_version, version) ||
276 hs->min_version > protocol_version ||
277 protocol_version > hs->max_version) {
278 return false;
279 }
280
281 return true;
282}
283
284bool ssl_add_supported_versions(SSL_HANDSHAKE *hs, CBB *cbb) {
285 const uint16_t *versions;
286 size_t num_versions;
287 get_method_versions(hs->ssl->method, &versions, &num_versions);
288 for (size_t i = 0; i < num_versions; i++) {
289 if (ssl_supports_version(hs, versions[i]) &&
290 !CBB_add_u16(cbb, versions[i])) {
291 return false;
292 }
293 }
294 return true;
295}
296
297bool ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
298 uint16_t *out_version, const CBS *peer_versions) {
299 const uint16_t *versions;
300 size_t num_versions;
301 get_method_versions(hs->ssl->method, &versions, &num_versions);
302 for (size_t i = 0; i < num_versions; i++) {
303 if (!ssl_supports_version(hs, versions[i])) {
304 continue;
305 }
306
307 // JDK 11, prior to 11.0.2, has a buggy TLS 1.3 implementation which fails
308 // to send SNI when offering 1.3 sessions. Disable TLS 1.3 for such
309 // clients. We apply this logic here rather than |ssl_supports_version| so
310 // the downgrade signal continues to query the true capabilities. (The
311 // workaround is a limitation of the peer's capabilities rather than our
312 // own.)
313 //
314 // See https://bugs.openjdk.java.net/browse/JDK-8211806.
315 if (versions[i] == TLS1_3_VERSION && hs->apply_jdk11_workaround) {
316 continue;
317 }
318
319 CBS copy = *peer_versions;
320 while (CBS_len(&copy) != 0) {
321 uint16_t version;
322 if (!CBS_get_u16(&copy, &version)) {
323 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
324 *out_alert = SSL_AD_DECODE_ERROR;
325 return false;
326 }
327
328 if (version == versions[i]) {
329 *out_version = version;
330 return true;
331 }
332 }
333 }
334
335 OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);
336 *out_alert = SSL_AD_PROTOCOL_VERSION;
337 return false;
338}
339
340BSSL_NAMESPACE_END
341
342using namespace bssl;
343
344int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) {
345 return set_min_version(ctx->method, &ctx->conf_min_version, version);
346}
347
348int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) {
349 return set_max_version(ctx->method, &ctx->conf_max_version, version);
350}
351
352uint16_t SSL_CTX_get_min_proto_version(SSL_CTX *ctx) {
353 return ctx->conf_min_version;
354}
355
356uint16_t SSL_CTX_get_max_proto_version(SSL_CTX *ctx) {
357 return ctx->conf_max_version;
358}
359
360int SSL_set_min_proto_version(SSL *ssl, uint16_t version) {
361 if (!ssl->config) {
362 return 0;
363 }
364 return set_min_version(ssl->method, &ssl->config->conf_min_version, version);
365}
366
367int SSL_set_max_proto_version(SSL *ssl, uint16_t version) {
368 if (!ssl->config) {
369 return 0;
370 }
371 return set_max_version(ssl->method, &ssl->config->conf_max_version, version);
372}
373
374int SSL_version(const SSL *ssl) {
375 return wire_version_to_api(ssl_version(ssl));
376}
377
378const char *SSL_get_version(const SSL *ssl) {
379 return ssl_version_to_string(ssl_version(ssl));
380}
381
382const char *SSL_SESSION_get_version(const SSL_SESSION *session) {
383 return ssl_version_to_string(session->ssl_version);
384}
385
386uint16_t SSL_SESSION_get_protocol_version(const SSL_SESSION *session) {
387 return wire_version_to_api(session->ssl_version);
388}
389
390int SSL_SESSION_set_protocol_version(SSL_SESSION *session, uint16_t version) {
391 // This picks a representative TLS 1.3 version, but this API should only be
392 // used on unit test sessions anyway.
393 return api_version_to_wire(&session->ssl_version, version);
394}
395