blob: 65656885be36136670efa9eed8c33413f2f5a998 [file] [log] [blame]
Steven Valdez8f36c512017-06-20 10:55:02 -04001/* Copyright (c) 2017, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <openssl/ssl.h>
16
17#include <assert.h>
18
19#include <openssl/bytestring.h>
20#include <openssl/err.h>
21
22#include "internal.h"
23#include "../crypto/internal.h"
24
25
26int ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {
27 switch (version) {
28 case SSL3_VERSION:
29 case TLS1_VERSION:
30 case TLS1_1_VERSION:
31 case TLS1_2_VERSION:
32 *out = version;
33 return 1;
34
35 case TLS1_3_DRAFT_VERSION:
36 *out = TLS1_3_VERSION;
37 return 1;
38
39 case DTLS1_VERSION:
40 /* DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0. */
41 *out = TLS1_1_VERSION;
42 return 1;
43
44 case DTLS1_2_VERSION:
45 *out = TLS1_2_VERSION;
46 return 1;
47
48 default:
49 return 0;
50 }
51}
52
53/* The follow arrays are the supported versions for TLS and DTLS, in order of
54 * decreasing preference. */
55
56static const uint16_t kTLSVersions[] = {
57 TLS1_3_DRAFT_VERSION,
58 TLS1_2_VERSION,
59 TLS1_1_VERSION,
60 TLS1_VERSION,
61 SSL3_VERSION,
62};
63
64static const uint16_t kDTLSVersions[] = {
65 DTLS1_2_VERSION,
66 DTLS1_VERSION,
67};
68
69static void get_method_versions(const SSL_PROTOCOL_METHOD *method,
70 const uint16_t **out, size_t *out_num) {
71 if (method->is_dtls) {
72 *out = kDTLSVersions;
73 *out_num = OPENSSL_ARRAY_SIZE(kDTLSVersions);
74 } else {
75 *out = kTLSVersions;
76 *out_num = OPENSSL_ARRAY_SIZE(kTLSVersions);
77 }
78}
79
80static int method_supports_version(const SSL_PROTOCOL_METHOD *method,
81 uint16_t version) {
82 const uint16_t *versions;
83 size_t num_versions;
84 get_method_versions(method, &versions, &num_versions);
85 for (size_t i = 0; i < num_versions; i++) {
86 if (versions[i] == version) {
87 return 1;
88 }
89 }
90 return 0;
91}
92
93static int set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
94 uint16_t version) {
95 /* The public API uses wire versions, except we use |TLS1_3_VERSION|
96 * everywhere to refer to any draft TLS 1.3 versions. In this direction, we
97 * map it to some representative TLS 1.3 draft version. */
98 if (version == TLS1_3_VERSION) {
99 version = TLS1_3_DRAFT_VERSION;
100 }
101
102 return method_supports_version(method, version) &&
103 ssl_protocol_version_from_wire(out, version);
104}
105
106static int set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
107 uint16_t version) {
108 /* Zero is interpreted as the default minimum version. */
109 if (version == 0) {
110 /* SSL 3.0 is disabled by default and TLS 1.0 does not exist in DTLS. */
111 *out = method->is_dtls ? TLS1_1_VERSION : TLS1_VERSION;
112 return 1;
113 }
114
115 return set_version_bound(method, out, version);
116}
117
118static int set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
119 uint16_t version) {
120 /* Zero is interpreted as the default maximum version. */
121 if (version == 0) {
122 *out = TLS1_2_VERSION;
123 return 1;
124 }
125
126 return set_version_bound(method, out, version);
127}
128
129int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) {
130 return set_min_version(ctx->method, &ctx->conf_min_version, version);
131}
132
133int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) {
134 return set_max_version(ctx->method, &ctx->conf_max_version, version);
135}
136
137int SSL_set_min_proto_version(SSL *ssl, uint16_t version) {
138 return set_min_version(ssl->method, &ssl->conf_min_version, version);
139}
140
141int SSL_set_max_proto_version(SSL *ssl, uint16_t version) {
142 return set_max_version(ssl->method, &ssl->conf_max_version, version);
143}
144
145const struct {
146 uint16_t version;
147 uint32_t flag;
148} kProtocolVersions[] = {
149 {SSL3_VERSION, SSL_OP_NO_SSLv3},
150 {TLS1_VERSION, SSL_OP_NO_TLSv1},
151 {TLS1_1_VERSION, SSL_OP_NO_TLSv1_1},
152 {TLS1_2_VERSION, SSL_OP_NO_TLSv1_2},
153 {TLS1_3_VERSION, SSL_OP_NO_TLSv1_3},
154};
155
156int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version,
157 uint16_t *out_max_version) {
158 /* For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but
159 * DTLS 1.0 should be mapped to TLS 1.1. */
160 uint32_t options = ssl->options;
161 if (SSL_is_dtls(ssl)) {
162 options &= ~SSL_OP_NO_TLSv1_1;
163 if (options & SSL_OP_NO_DTLSv1) {
164 options |= SSL_OP_NO_TLSv1_1;
165 }
166 }
167
168 uint16_t min_version = ssl->conf_min_version;
169 uint16_t max_version = ssl->conf_max_version;
170
171 /* OpenSSL's API for controlling versions entails blacklisting individual
172 * protocols. This has two problems. First, on the client, the protocol can
173 * only express a contiguous range of versions. Second, a library consumer
174 * trying to set a maximum version cannot disable protocol versions that get
175 * added in a future version of the library.
176 *
177 * To account for both of these, OpenSSL interprets the client-side bitmask
178 * as a min/max range by picking the lowest contiguous non-empty range of
179 * enabled protocols. Note that this means it is impossible to set a maximum
180 * version of the higest supported TLS version in a future-proof way. */
181 int any_enabled = 0;
182 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kProtocolVersions); i++) {
183 /* Only look at the versions already enabled. */
184 if (min_version > kProtocolVersions[i].version) {
185 continue;
186 }
187 if (max_version < kProtocolVersions[i].version) {
188 break;
189 }
190
191 if (!(options & kProtocolVersions[i].flag)) {
192 /* The minimum version is the first enabled version. */
193 if (!any_enabled) {
194 any_enabled = 1;
195 min_version = kProtocolVersions[i].version;
196 }
197 continue;
198 }
199
200 /* If there is a disabled version after the first enabled one, all versions
201 * after it are implicitly disabled. */
202 if (any_enabled) {
203 max_version = kProtocolVersions[i-1].version;
204 break;
205 }
206 }
207
208 if (!any_enabled) {
209 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SUPPORTED_VERSIONS_ENABLED);
210 return 0;
211 }
212
213 *out_min_version = min_version;
214 *out_max_version = max_version;
215 return 1;
216}
217
218int SSL_version(const SSL *ssl) {
219 /* Report TLS 1.3 draft version as TLS 1.3 in the public API. */
220 if (ssl->version == TLS1_3_DRAFT_VERSION) {
221 return TLS1_3_VERSION;
222 }
223
224 return ssl->version;
225}
226
227static const char *ssl_get_version(int version) {
228 switch (version) {
229 /* Report TLS 1.3 draft version as TLS 1.3 in the public API. */
230 case TLS1_3_DRAFT_VERSION:
231 return "TLSv1.3";
232
233 case TLS1_2_VERSION:
234 return "TLSv1.2";
235
236 case TLS1_1_VERSION:
237 return "TLSv1.1";
238
239 case TLS1_VERSION:
240 return "TLSv1";
241
242 case SSL3_VERSION:
243 return "SSLv3";
244
245 case DTLS1_VERSION:
246 return "DTLSv1";
247
248 case DTLS1_2_VERSION:
249 return "DTLSv1.2";
250
251 default:
252 return "unknown";
253 }
254}
255
256const char *SSL_get_version(const SSL *ssl) {
257 return ssl_get_version(ssl->version);
258}
259
260const char *SSL_SESSION_get_version(const SSL_SESSION *session) {
261 return ssl_get_version(session->ssl_version);
262}
263
264uint16_t ssl3_protocol_version(const SSL *ssl) {
265 assert(ssl->s3->have_version);
266 uint16_t version;
267 if (!ssl_protocol_version_from_wire(&version, ssl->version)) {
268 /* |ssl->version| will always be set to a valid version. */
269 assert(0);
270 return 0;
271 }
272
273 return version;
274}
275
276int ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version) {
277 uint16_t protocol_version;
278 return method_supports_version(hs->ssl->method, version) &&
279 ssl_protocol_version_from_wire(&protocol_version, version) &&
280 hs->min_version <= protocol_version &&
281 protocol_version <= hs->max_version;
282}
283
284int ssl_add_supported_versions(SSL_HANDSHAKE *hs, CBB *cbb) {
285 const uint16_t *versions;
286 size_t num_versions;
287 get_method_versions(hs->ssl->method, &versions, &num_versions);
288 for (size_t i = 0; i < num_versions; i++) {
289 if (ssl_supports_version(hs, versions[i]) &&
290 !CBB_add_u16(cbb, versions[i])) {
291 return 0;
292 }
293 }
294 return 1;
295}
296
297int ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
298 uint16_t *out_version, const CBS *peer_versions) {
299 const uint16_t *versions;
300 size_t num_versions;
301 get_method_versions(hs->ssl->method, &versions, &num_versions);
302 for (size_t i = 0; i < num_versions; i++) {
303 if (!ssl_supports_version(hs, versions[i])) {
304 continue;
305 }
306
307 CBS copy = *peer_versions;
308 while (CBS_len(&copy) != 0) {
309 uint16_t version;
310 if (!CBS_get_u16(&copy, &version)) {
311 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
312 *out_alert = SSL_AD_DECODE_ERROR;
313 return 0;
314 }
315
316 if (version == versions[i]) {
317 *out_version = version;
318 return 1;
319 }
320 }
321 }
322
323 OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);
324 *out_alert = SSL_AD_PROTOCOL_VERSION;
325 return 0;
326}