1 /* Copyright (c) 2017, Google Inc.
2  *
3  * Permission to use, copy, modify, and/or distribute this software for any
4  * purpose with or without fee is hereby granted, provided that the above
5  * copyright notice and this permission notice appear in all copies.
6  *
7  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14 
15 #include <openssl/ssl.h>
16 
17 #include <assert.h>
18 
19 #include <openssl/bytestring.h>
20 #include <openssl/err.h>
21 
22 #include "internal.h"
23 #include "../crypto/internal.h"
24 
25 
26 BSSL_NAMESPACE_BEGIN
27 
ssl_protocol_version_from_wire(uint16_t * out,uint16_t version)28 bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {
29   switch (version) {
30     case TLS1_VERSION:
31     case TLS1_1_VERSION:
32     case TLS1_2_VERSION:
33     case TLS1_3_VERSION:
34       *out = version;
35       return true;
36 
37     case DTLS1_VERSION:
38       // DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0.
39       *out = TLS1_1_VERSION;
40       return true;
41 
42     case DTLS1_2_VERSION:
43       *out = TLS1_2_VERSION;
44       return true;
45 
46     default:
47       return false;
48   }
49 }
50 
51 // The follow arrays are the supported versions for TLS and DTLS, in order of
52 // decreasing preference.
53 
54 static const uint16_t kTLSVersions[] = {
55     TLS1_3_VERSION,
56     TLS1_2_VERSION,
57     TLS1_1_VERSION,
58     TLS1_VERSION,
59 };
60 
61 static const uint16_t kDTLSVersions[] = {
62     DTLS1_2_VERSION,
63     DTLS1_VERSION,
64 };
65 
get_method_versions(const SSL_PROTOCOL_METHOD * method,const uint16_t ** out,size_t * out_num)66 static void get_method_versions(const SSL_PROTOCOL_METHOD *method,
67                                 const uint16_t **out, size_t *out_num) {
68   if (method->is_dtls) {
69     *out = kDTLSVersions;
70     *out_num = OPENSSL_ARRAY_SIZE(kDTLSVersions);
71   } else {
72     *out = kTLSVersions;
73     *out_num = OPENSSL_ARRAY_SIZE(kTLSVersions);
74   }
75 }
76 
ssl_method_supports_version(const SSL_PROTOCOL_METHOD * method,uint16_t version)77 bool ssl_method_supports_version(const SSL_PROTOCOL_METHOD *method,
78                                  uint16_t version) {
79   const uint16_t *versions;
80   size_t num_versions;
81   get_method_versions(method, &versions, &num_versions);
82   for (size_t i = 0; i < num_versions; i++) {
83     if (versions[i] == version) {
84       return true;
85     }
86   }
87   return false;
88 }
89 
90 // The following functions map between API versions and wire versions. The
91 // public API works on wire versions.
92 
ssl_version_to_string(uint16_t version)93 static const char *ssl_version_to_string(uint16_t version) {
94   switch (version) {
95     case TLS1_3_VERSION:
96       return "TLSv1.3";
97 
98     case TLS1_2_VERSION:
99       return "TLSv1.2";
100 
101     case TLS1_1_VERSION:
102       return "TLSv1.1";
103 
104     case TLS1_VERSION:
105       return "TLSv1";
106 
107     case DTLS1_VERSION:
108       return "DTLSv1";
109 
110     case DTLS1_2_VERSION:
111       return "DTLSv1.2";
112 
113     default:
114       return "unknown";
115   }
116 }
117 
wire_version_to_api(uint16_t version)118 static uint16_t wire_version_to_api(uint16_t version) {
119   return version;
120 }
121 
122 // api_version_to_wire maps |version| to some representative wire version.
api_version_to_wire(uint16_t * out,uint16_t version)123 static bool api_version_to_wire(uint16_t *out, uint16_t version) {
124   // Check it is a real protocol version.
125   uint16_t unused;
126   if (!ssl_protocol_version_from_wire(&unused, version)) {
127     return false;
128   }
129 
130   *out = version;
131   return true;
132 }
133 
set_version_bound(const SSL_PROTOCOL_METHOD * method,uint16_t * out,uint16_t version)134 static bool set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
135                               uint16_t version) {
136   if (!api_version_to_wire(&version, version) ||
137       !ssl_method_supports_version(method, version) ||
138       !ssl_protocol_version_from_wire(out, version)) {
139     OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_SSL_VERSION);
140     return false;
141   }
142 
143   return true;
144 }
145 
set_min_version(const SSL_PROTOCOL_METHOD * method,uint16_t * out,uint16_t version)146 static bool set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
147                             uint16_t version) {
148   // Zero is interpreted as the default minimum version.
149   if (version == 0) {
150     // TLS 1.0 does not exist in DTLS.
151     *out = method->is_dtls ? TLS1_1_VERSION : TLS1_VERSION;
152     return true;
153   }
154 
155   return set_version_bound(method, out, version);
156 }
157 
set_max_version(const SSL_PROTOCOL_METHOD * method,uint16_t * out,uint16_t version)158 static bool set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
159                             uint16_t version) {
160   // Zero is interpreted as the default maximum version.
161   if (version == 0) {
162     *out = TLS1_2_VERSION;
163     return true;
164   }
165 
166   return set_version_bound(method, out, version);
167 }
168 
169 const struct {
170   uint16_t version;
171   uint32_t flag;
172 } kProtocolVersions[] = {
173     {TLS1_VERSION, SSL_OP_NO_TLSv1},
174     {TLS1_1_VERSION, SSL_OP_NO_TLSv1_1},
175     {TLS1_2_VERSION, SSL_OP_NO_TLSv1_2},
176     {TLS1_3_VERSION, SSL_OP_NO_TLSv1_3},
177 };
178 
ssl_get_version_range(const SSL_HANDSHAKE * hs,uint16_t * out_min_version,uint16_t * out_max_version)179 bool ssl_get_version_range(const SSL_HANDSHAKE *hs, uint16_t *out_min_version,
180                            uint16_t *out_max_version) {
181   // For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but
182   // DTLS 1.0 should be mapped to TLS 1.1.
183   uint32_t options = hs->ssl->options;
184   if (SSL_is_dtls(hs->ssl)) {
185     options &= ~SSL_OP_NO_TLSv1_1;
186     if (options & SSL_OP_NO_DTLSv1) {
187       options |= SSL_OP_NO_TLSv1_1;
188     }
189   }
190 
191   uint16_t min_version = hs->config->conf_min_version;
192   uint16_t max_version = hs->config->conf_max_version;
193 
194   // QUIC requires TLS 1.3.
195   if (hs->ssl->quic_method && min_version < TLS1_3_VERSION) {
196     min_version = TLS1_3_VERSION;
197   }
198 
199   // OpenSSL's API for controlling versions entails blacklisting individual
200   // protocols. This has two problems. First, on the client, the protocol can
201   // only express a contiguous range of versions. Second, a library consumer
202   // trying to set a maximum version cannot disable protocol versions that get
203   // added in a future version of the library.
204   //
205   // To account for both of these, OpenSSL interprets the client-side bitmask
206   // as a min/max range by picking the lowest contiguous non-empty range of
207   // enabled protocols. Note that this means it is impossible to set a maximum
208   // version of the higest supported TLS version in a future-proof way.
209   bool any_enabled = false;
210   for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kProtocolVersions); i++) {
211     // Only look at the versions already enabled.
212     if (min_version > kProtocolVersions[i].version) {
213       continue;
214     }
215     if (max_version < kProtocolVersions[i].version) {
216       break;
217     }
218 
219     if (!(options & kProtocolVersions[i].flag)) {
220       // The minimum version is the first enabled version.
221       if (!any_enabled) {
222         any_enabled = true;
223         min_version = kProtocolVersions[i].version;
224       }
225       continue;
226     }
227 
228     // If there is a disabled version after the first enabled one, all versions
229     // after it are implicitly disabled.
230     if (any_enabled) {
231       max_version = kProtocolVersions[i-1].version;
232       break;
233     }
234   }
235 
236   if (!any_enabled) {
237     OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SUPPORTED_VERSIONS_ENABLED);
238     return false;
239   }
240 
241   *out_min_version = min_version;
242   *out_max_version = max_version;
243   return true;
244 }
245 
ssl_version(const SSL * ssl)246 static uint16_t ssl_version(const SSL *ssl) {
247   // In early data, we report the predicted version.
248   if (SSL_in_early_data(ssl) && !ssl->server) {
249     return ssl->s3->hs->early_session->ssl_version;
250   }
251   return ssl->version;
252 }
253 
ssl_protocol_version(const SSL * ssl)254 uint16_t ssl_protocol_version(const SSL *ssl) {
255   assert(ssl->s3->have_version);
256   uint16_t version;
257   if (!ssl_protocol_version_from_wire(&version, ssl->version)) {
258     // |ssl->version| will always be set to a valid version.
259     assert(0);
260     return 0;
261   }
262 
263   return version;
264 }
265 
ssl_supports_version(SSL_HANDSHAKE * hs,uint16_t version)266 bool ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version) {
267   SSL *const ssl = hs->ssl;
268   uint16_t protocol_version;
269   if (!ssl_method_supports_version(ssl->method, version) ||
270       !ssl_protocol_version_from_wire(&protocol_version, version) ||
271       hs->min_version > protocol_version ||
272       protocol_version > hs->max_version) {
273     return false;
274   }
275 
276   return true;
277 }
278 
ssl_add_supported_versions(SSL_HANDSHAKE * hs,CBB * cbb)279 bool ssl_add_supported_versions(SSL_HANDSHAKE *hs, CBB *cbb) {
280   const uint16_t *versions;
281   size_t num_versions;
282   get_method_versions(hs->ssl->method, &versions, &num_versions);
283   for (size_t i = 0; i < num_versions; i++) {
284     if (ssl_supports_version(hs, versions[i]) &&
285         !CBB_add_u16(cbb, versions[i])) {
286       return false;
287     }
288   }
289   return true;
290 }
291 
ssl_negotiate_version(SSL_HANDSHAKE * hs,uint8_t * out_alert,uint16_t * out_version,const CBS * peer_versions)292 bool ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
293                            uint16_t *out_version, const CBS *peer_versions) {
294   const uint16_t *versions;
295   size_t num_versions;
296   get_method_versions(hs->ssl->method, &versions, &num_versions);
297   for (size_t i = 0; i < num_versions; i++) {
298     if (!ssl_supports_version(hs, versions[i])) {
299       continue;
300     }
301 
302     // JDK 11, prior to 11.0.2, has a buggy TLS 1.3 implementation which fails
303     // to send SNI when offering 1.3 sessions. Disable TLS 1.3 for such
304     // clients. We apply this logic here rather than |ssl_supports_version| so
305     // the downgrade signal continues to query the true capabilities. (The
306     // workaround is a limitation of the peer's capabilities rather than our
307     // own.)
308     //
309     // See https://bugs.openjdk.java.net/browse/JDK-8211806.
310     if (versions[i] == TLS1_3_VERSION && hs->apply_jdk11_workaround) {
311       continue;
312     }
313 
314     CBS copy = *peer_versions;
315     while (CBS_len(&copy) != 0) {
316       uint16_t version;
317       if (!CBS_get_u16(&copy, &version)) {
318         OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
319         *out_alert = SSL_AD_DECODE_ERROR;
320         return false;
321       }
322 
323       if (version == versions[i]) {
324         *out_version = version;
325         return true;
326       }
327     }
328   }
329 
330   OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);
331   *out_alert = SSL_AD_PROTOCOL_VERSION;
332   return false;
333 }
334 
335 BSSL_NAMESPACE_END
336 
337 using namespace bssl;
338 
SSL_CTX_set_min_proto_version(SSL_CTX * ctx,uint16_t version)339 int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) {
340   return set_min_version(ctx->method, &ctx->conf_min_version, version);
341 }
342 
SSL_CTX_set_max_proto_version(SSL_CTX * ctx,uint16_t version)343 int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) {
344   return set_max_version(ctx->method, &ctx->conf_max_version, version);
345 }
346 
SSL_set_min_proto_version(SSL * ssl,uint16_t version)347 int SSL_set_min_proto_version(SSL *ssl, uint16_t version) {
348   if (!ssl->config) {
349     return 0;
350   }
351   return set_min_version(ssl->method, &ssl->config->conf_min_version, version);
352 }
353 
SSL_set_max_proto_version(SSL * ssl,uint16_t version)354 int SSL_set_max_proto_version(SSL *ssl, uint16_t version) {
355   if (!ssl->config) {
356     return 0;
357   }
358   return set_max_version(ssl->method, &ssl->config->conf_max_version, version);
359 }
360 
SSL_version(const SSL * ssl)361 int SSL_version(const SSL *ssl) {
362   return wire_version_to_api(ssl_version(ssl));
363 }
364 
SSL_get_version(const SSL * ssl)365 const char *SSL_get_version(const SSL *ssl) {
366   return ssl_version_to_string(ssl_version(ssl));
367 }
368 
SSL_SESSION_get_version(const SSL_SESSION * session)369 const char *SSL_SESSION_get_version(const SSL_SESSION *session) {
370   return ssl_version_to_string(session->ssl_version);
371 }
372 
SSL_SESSION_get_protocol_version(const SSL_SESSION * session)373 uint16_t SSL_SESSION_get_protocol_version(const SSL_SESSION *session) {
374   return wire_version_to_api(session->ssl_version);
375 }
376 
SSL_SESSION_set_protocol_version(SSL_SESSION * session,uint16_t version)377 int SSL_SESSION_set_protocol_version(SSL_SESSION *session, uint16_t version) {
378   // This picks a representative TLS 1.3 version, but this API should only be
379   // used on unit test sessions anyway.
380   return api_version_to_wire(&session->ssl_version, version);
381 }
382