1 // Copyright 2017 The BoringSSL Authors
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include <openssl/ssl.h>
16
17 #include <assert.h>
18
19 #include <algorithm>
20
21 #include <openssl/bytestring.h>
22 #include <openssl/err.h>
23 #include <openssl/span.h>
24
25 #include "../crypto/internal.h"
26 #include "internal.h"
27
28
29 BSSL_NAMESPACE_BEGIN
30
ssl_protocol_version_from_wire(uint16_t * out,uint16_t version)31 bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {
32 switch (version) {
33 case TLS1_VERSION:
34 case TLS1_1_VERSION:
35 case TLS1_2_VERSION:
36 case TLS1_3_VERSION:
37 *out = version;
38 return true;
39
40 case DTLS1_VERSION:
41 // DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0.
42 *out = TLS1_1_VERSION;
43 return true;
44
45 case DTLS1_2_VERSION:
46 *out = TLS1_2_VERSION;
47 return true;
48
49 case DTLS1_3_VERSION:
50 *out = TLS1_3_VERSION;
51 return true;
52
53 default:
54 return false;
55 }
56 }
57
58 // The follow arrays are the supported versions for TLS and DTLS, in order of
59 // decreasing preference.
60
61 static const uint16_t kTLSVersions[] = {
62 TLS1_3_VERSION,
63 TLS1_2_VERSION,
64 TLS1_1_VERSION,
65 TLS1_VERSION,
66 };
67
68 static const uint16_t kDTLSVersions[] = {
69 DTLS1_3_VERSION,
70 DTLS1_2_VERSION,
71 DTLS1_VERSION,
72 };
73
get_method_versions(const SSL_PROTOCOL_METHOD * method)74 static Span<const uint16_t> get_method_versions(
75 const SSL_PROTOCOL_METHOD *method) {
76 return method->is_dtls ? Span<const uint16_t>(kDTLSVersions)
77 : Span<const uint16_t>(kTLSVersions);
78 }
79
ssl_method_supports_version(const SSL_PROTOCOL_METHOD * method,uint16_t version)80 bool ssl_method_supports_version(const SSL_PROTOCOL_METHOD *method,
81 uint16_t version) {
82 for (uint16_t supported : get_method_versions(method)) {
83 if (supported == version) {
84 return true;
85 }
86 }
87 return false;
88 }
89
90 // The following functions map between API versions and wire versions. The
91 // public API works on wire versions.
92
93 static const char *kUnknownVersion = "unknown";
94
95 struct VersionInfo {
96 uint16_t version;
97 const char *name;
98 };
99
100 static const VersionInfo kVersionNames[] = {
101 {TLS1_3_VERSION, "TLSv1.3"},
102 {TLS1_2_VERSION, "TLSv1.2"},
103 {TLS1_1_VERSION, "TLSv1.1"},
104 {TLS1_VERSION, "TLSv1"},
105 {DTLS1_VERSION, "DTLSv1"},
106 {DTLS1_2_VERSION, "DTLSv1.2"},
107 {DTLS1_3_VERSION, "DTLSv1.3"},
108 };
109
ssl_version_to_string(uint16_t version)110 static const char *ssl_version_to_string(uint16_t version) {
111 for (const auto &v : kVersionNames) {
112 if (v.version == version) {
113 return v.name;
114 }
115 }
116 return kUnknownVersion;
117 }
118
wire_version_to_api(uint16_t version)119 static uint16_t wire_version_to_api(uint16_t version) { return version; }
120
121 // api_version_to_wire maps |version| to some representative wire version.
api_version_to_wire(uint16_t * out,uint16_t version)122 static bool api_version_to_wire(uint16_t *out, uint16_t version) {
123 // Check it is a real protocol version.
124 uint16_t unused;
125 if (!ssl_protocol_version_from_wire(&unused, version)) {
126 return false;
127 }
128
129 *out = version;
130 return true;
131 }
132
set_version_bound(const SSL_PROTOCOL_METHOD * method,uint16_t * out,uint16_t version)133 static bool set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
134 uint16_t version) {
135 if (!api_version_to_wire(&version, version) ||
136 !ssl_method_supports_version(method, version)) {
137 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_SSL_VERSION);
138 return false;
139 }
140
141 *out = version;
142 return true;
143 }
144
set_min_version(const SSL_PROTOCOL_METHOD * method,uint16_t * out,uint16_t version)145 static bool set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
146 uint16_t version) {
147 // Zero is interpreted as the default minimum version.
148 if (version == 0) {
149 *out = method->is_dtls ? DTLS1_2_VERSION : TLS1_2_VERSION;
150 return true;
151 }
152
153 return set_version_bound(method, out, version);
154 }
155
set_max_version(const SSL_PROTOCOL_METHOD * method,uint16_t * out,uint16_t version)156 static bool set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
157 uint16_t version) {
158 // Zero is interpreted as the default maximum version.
159 // TODO(crbug.com/42290594): Enable DTLS 1.3 by default, after it's
160 // successfully shipped in WebRTC.
161 if (version == 0) {
162 *out = method->is_dtls ? DTLS1_2_VERSION : TLS1_3_VERSION;
163 return true;
164 }
165
166 return set_version_bound(method, out, version);
167 }
168
169 const struct {
170 uint16_t version;
171 uint32_t flag;
172 } kProtocolVersions[] = {
173 {TLS1_VERSION, SSL_OP_NO_TLSv1},
174 {TLS1_1_VERSION, SSL_OP_NO_TLSv1_1},
175 {TLS1_2_VERSION, SSL_OP_NO_TLSv1_2},
176 {TLS1_3_VERSION, SSL_OP_NO_TLSv1_3},
177 };
178
ssl_get_version_range(const SSL_HANDSHAKE * hs,uint16_t * out_min_version,uint16_t * out_max_version)179 bool ssl_get_version_range(const SSL_HANDSHAKE *hs, uint16_t *out_min_version,
180 uint16_t *out_max_version) {
181 // For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but
182 // DTLS 1.0 should be mapped to TLS 1.1.
183 uint32_t options = hs->ssl->options;
184 if (SSL_is_dtls(hs->ssl)) {
185 options &= ~SSL_OP_NO_TLSv1_1;
186 if (options & SSL_OP_NO_DTLSv1) {
187 options |= SSL_OP_NO_TLSv1_1;
188 }
189 }
190
191 uint16_t min_version, max_version;
192 if (!ssl_protocol_version_from_wire(&min_version,
193 hs->config->conf_min_version) ||
194 !ssl_protocol_version_from_wire(&max_version,
195 hs->config->conf_max_version)) {
196 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
197 return false;
198 }
199
200 // QUIC requires TLS 1.3.
201 if (SSL_is_quic(hs->ssl) && min_version < TLS1_3_VERSION) {
202 min_version = TLS1_3_VERSION;
203 }
204
205 // The |SSL_OP_NO_*| flags disable individual protocols. This has two
206 // problems. First, prior to TLS 1.3, the protocol can only express a
207 // contiguous range of versions. Second, a library consumer trying to set a
208 // maximum version cannot disable protocol versions that get added in a future
209 // version of the library.
210 //
211 // To account for both of these, OpenSSL interprets the client-side bitmask
212 // as a min/max range by picking the lowest contiguous non-empty range of
213 // enabled protocols. Note that this means it is impossible to set a maximum
214 // version of the higest supported TLS version in a future-proof way.
215 bool any_enabled = false;
216 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kProtocolVersions); i++) {
217 // Only look at the versions already enabled.
218 if (min_version > kProtocolVersions[i].version) {
219 continue;
220 }
221 if (max_version < kProtocolVersions[i].version) {
222 break;
223 }
224
225 if (!(options & kProtocolVersions[i].flag)) {
226 // The minimum version is the first enabled version.
227 if (!any_enabled) {
228 any_enabled = true;
229 min_version = kProtocolVersions[i].version;
230 }
231 continue;
232 }
233
234 // If there is a disabled version after the first enabled one, all versions
235 // after it are implicitly disabled.
236 if (any_enabled) {
237 max_version = kProtocolVersions[i - 1].version;
238 break;
239 }
240 }
241
242 if (!any_enabled) {
243 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SUPPORTED_VERSIONS_ENABLED);
244 return false;
245 }
246
247 *out_min_version = min_version;
248 *out_max_version = max_version;
249 return true;
250 }
251
ssl_version(const SSL * ssl)252 static uint16_t ssl_version(const SSL *ssl) {
253 // In early data, we report the predicted version. Note it is possible that we
254 // have a predicted version and a *different* true version. This means 0-RTT
255 // has been rejected, but until the reject has reported to the application and
256 // applied with |SSL_reset_early_data_reject|, we continue reporting a
257 // self-consistent connection.
258 if (SSL_in_early_data(ssl) && !ssl->server) {
259 return ssl->s3->hs->early_session->ssl_version;
260 }
261 if (ssl->s3->version != 0) {
262 return ssl->s3->version;
263 }
264 // The TLS versions has not yet been negotiated. Historically, we would return
265 // (D)TLS 1.2, so preserve that behavior.
266 return SSL_is_dtls(ssl) ? DTLS1_2_VERSION : TLS1_2_VERSION;
267 }
268
ssl_has_final_version(const SSL * ssl)269 bool ssl_has_final_version(const SSL *ssl) {
270 return ssl->s3->version != 0 &&
271 (ssl->s3->hs == nullptr || !ssl->s3->hs->is_early_version);
272 }
273
ssl_protocol_version(const SSL * ssl)274 uint16_t ssl_protocol_version(const SSL *ssl) {
275 assert(ssl->s3->version != 0);
276 uint16_t version;
277 if (!ssl_protocol_version_from_wire(&version, ssl->s3->version)) {
278 // |ssl->s3->version| will always be set to a valid version.
279 assert(0);
280 return 0;
281 }
282
283 return version;
284 }
285
ssl_supports_version(const SSL_HANDSHAKE * hs,uint16_t version)286 bool ssl_supports_version(const SSL_HANDSHAKE *hs, uint16_t version) {
287 const SSL *const ssl = hs->ssl;
288 uint16_t protocol_version;
289 if (!ssl_method_supports_version(ssl->method, version) ||
290 !ssl_protocol_version_from_wire(&protocol_version, version) ||
291 hs->min_version > protocol_version ||
292 protocol_version > hs->max_version) {
293 return false;
294 }
295
296 return true;
297 }
298
ssl_add_supported_versions(const SSL_HANDSHAKE * hs,CBB * cbb,uint16_t extra_min_version)299 bool ssl_add_supported_versions(const SSL_HANDSHAKE *hs, CBB *cbb,
300 uint16_t extra_min_version) {
301 for (uint16_t version : get_method_versions(hs->ssl->method)) {
302 uint16_t protocol_version;
303 if (ssl_supports_version(hs, version) &&
304 ssl_protocol_version_from_wire(&protocol_version, version) &&
305 protocol_version >= extra_min_version && //
306 !CBB_add_u16(cbb, version)) {
307 return false;
308 }
309 }
310 return true;
311 }
312
ssl_negotiate_version(SSL_HANDSHAKE * hs,uint8_t * out_alert,uint16_t * out_version,const CBS * peer_versions)313 bool ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
314 uint16_t *out_version, const CBS *peer_versions) {
315 for (uint16_t version : get_method_versions(hs->ssl->method)) {
316 if (!ssl_supports_version(hs, version)) {
317 continue;
318 }
319
320 // JDK 11, prior to 11.0.2, has a buggy TLS 1.3 implementation which fails
321 // to send SNI when offering 1.3 sessions. Disable TLS 1.3 for such
322 // clients. We apply this logic here rather than |ssl_supports_version| so
323 // the downgrade signal continues to query the true capabilities. (The
324 // workaround is a limitation of the peer's capabilities rather than our
325 // own.)
326 //
327 // See https://bugs.openjdk.java.net/browse/JDK-8211806.
328 if (version == TLS1_3_VERSION && hs->apply_jdk11_workaround) {
329 continue;
330 }
331
332 CBS copy = *peer_versions;
333 while (CBS_len(©) != 0) {
334 uint16_t peer_version;
335 if (!CBS_get_u16(©, &peer_version)) {
336 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
337 *out_alert = SSL_AD_DECODE_ERROR;
338 return false;
339 }
340
341 if (peer_version == version) {
342 *out_version = version;
343 return true;
344 }
345 }
346 }
347
348 OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);
349 *out_alert = SSL_AD_PROTOCOL_VERSION;
350 return false;
351 }
352
353 BSSL_NAMESPACE_END
354
355 using namespace bssl;
356
SSL_CTX_set_min_proto_version(SSL_CTX * ctx,uint16_t version)357 int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) {
358 return set_min_version(ctx->method, &ctx->conf_min_version, version);
359 }
360
SSL_CTX_set_max_proto_version(SSL_CTX * ctx,uint16_t version)361 int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) {
362 return set_max_version(ctx->method, &ctx->conf_max_version, version);
363 }
364
SSL_CTX_get_min_proto_version(const SSL_CTX * ctx)365 uint16_t SSL_CTX_get_min_proto_version(const SSL_CTX *ctx) {
366 return ctx->conf_min_version;
367 }
368
SSL_CTX_get_max_proto_version(const SSL_CTX * ctx)369 uint16_t SSL_CTX_get_max_proto_version(const SSL_CTX *ctx) {
370 return ctx->conf_max_version;
371 }
372
SSL_set_min_proto_version(SSL * ssl,uint16_t version)373 int SSL_set_min_proto_version(SSL *ssl, uint16_t version) {
374 if (!ssl->config) {
375 return 0;
376 }
377 return set_min_version(ssl->method, &ssl->config->conf_min_version, version);
378 }
379
SSL_set_max_proto_version(SSL * ssl,uint16_t version)380 int SSL_set_max_proto_version(SSL *ssl, uint16_t version) {
381 if (!ssl->config) {
382 return 0;
383 }
384 return set_max_version(ssl->method, &ssl->config->conf_max_version, version);
385 }
386
SSL_get_min_proto_version(const SSL * ssl)387 uint16_t SSL_get_min_proto_version(const SSL *ssl) {
388 if (!ssl->config) {
389 assert(ssl->config);
390 return 0;
391 }
392 return ssl->config->conf_min_version;
393 }
394
SSL_get_max_proto_version(const SSL * ssl)395 uint16_t SSL_get_max_proto_version(const SSL *ssl) {
396 if (!ssl->config) {
397 assert(ssl->config);
398 return 0;
399 }
400 return ssl->config->conf_max_version;
401 }
402
SSL_version(const SSL * ssl)403 int SSL_version(const SSL *ssl) {
404 return wire_version_to_api(ssl_version(ssl));
405 }
406
SSL_get_version(const SSL * ssl)407 const char *SSL_get_version(const SSL *ssl) {
408 return ssl_version_to_string(ssl_version(ssl));
409 }
410
SSL_get_all_version_names(const char ** out,size_t max_out)411 size_t SSL_get_all_version_names(const char **out, size_t max_out) {
412 return GetAllNames(out, max_out, Span(&kUnknownVersion, 1),
413 &VersionInfo::name, Span(kVersionNames));
414 }
415
SSL_SESSION_get_version(const SSL_SESSION * session)416 const char *SSL_SESSION_get_version(const SSL_SESSION *session) {
417 return ssl_version_to_string(session->ssl_version);
418 }
419
SSL_SESSION_get_protocol_version(const SSL_SESSION * session)420 uint16_t SSL_SESSION_get_protocol_version(const SSL_SESSION *session) {
421 return wire_version_to_api(session->ssl_version);
422 }
423
SSL_SESSION_set_protocol_version(SSL_SESSION * session,uint16_t version)424 int SSL_SESSION_set_protocol_version(SSL_SESSION *session, uint16_t version) {
425 // This picks a representative TLS 1.3 version, but this API should only be
426 // used on unit test sessions anyway.
427 return api_version_to_wire(&session->ssl_version, version);
428 }
429
SSL_CTX_set_record_protocol_version(SSL_CTX * ctx,int version)430 int SSL_CTX_set_record_protocol_version(SSL_CTX *ctx, int version) {
431 return version == 0;
432 }
433