Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / bd70845a80c22cb02ee76ed1b5bfae8898e0f763 / . / ssl / ssl_versions.cc
blob: 0b13781d4dfdb0ae907f1b02a62143b7f56dc223 [file] [log] [blame]
Steven Valdez8f36c512017-06-20 10:55:02 -0400[diff] [blame]1/* Copyright (c) 2017, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <openssl/ssl.h>
16
17#include <assert.h>
18
19#include <openssl/bytestring.h>
20#include <openssl/err.h>
21
22#include "internal.h"
23#include "../crypto/internal.h"
24
25
David Benjamin86e95b82017-07-18 16:34:25 -0400[diff] [blame]26namespace bssl {
27
Steven Valdez8f36c512017-06-20 10:55:02 -0400[diff] [blame]28int ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {
29 switch (version) {
30 case SSL3_VERSION:
31 case TLS1_VERSION:
32 case TLS1_1_VERSION:
33 case TLS1_2_VERSION:
34 *out = version;
35 return 1;
36
37 case TLS1_3_DRAFT_VERSION:
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame]38 case TLS1_3_EXPERIMENT_VERSION:
Steven Valdezdbe01582017-07-14 10:39:28 -0400[diff] [blame]39 case TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION:
Steven Valdez8f36c512017-06-20 10:55:02 -0400[diff] [blame]40 *out = TLS1_3_VERSION;
41 return 1;
42
43 case DTLS1_VERSION:
44 /* DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0. */
45 *out = TLS1_1_VERSION;
46 return 1;
47
48 case DTLS1_2_VERSION:
49 *out = TLS1_2_VERSION;
50 return 1;
51
52 default:
53 return 0;
54 }
55}
56
57/* The follow arrays are the supported versions for TLS and DTLS, in order of
58 * decreasing preference. */
59
60static const uint16_t kTLSVersions[] = {
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame]61 TLS1_3_EXPERIMENT_VERSION,
Steven Valdezdbe01582017-07-14 10:39:28 -0400[diff] [blame]62 TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION,
63 TLS1_3_DRAFT_VERSION,
Steven Valdez8f36c512017-06-20 10:55:02 -0400[diff] [blame]64 TLS1_2_VERSION,
65 TLS1_1_VERSION,
66 TLS1_VERSION,
67 SSL3_VERSION,
68};
69
70static const uint16_t kDTLSVersions[] = {
71 DTLS1_2_VERSION,
72 DTLS1_VERSION,
73};
74
75static void get_method_versions(const SSL_PROTOCOL_METHOD *method,
76 const uint16_t **out, size_t *out_num) {
77 if (method->is_dtls) {
78 *out = kDTLSVersions;
79 *out_num = OPENSSL_ARRAY_SIZE(kDTLSVersions);
80 } else {
81 *out = kTLSVersions;
82 *out_num = OPENSSL_ARRAY_SIZE(kTLSVersions);
83 }
84}
85
86static int method_supports_version(const SSL_PROTOCOL_METHOD *method,
87 uint16_t version) {
88 const uint16_t *versions;
89 size_t num_versions;
90 get_method_versions(method, &versions, &num_versions);
91 for (size_t i = 0; i < num_versions; i++) {
92 if (versions[i] == version) {
93 return 1;
94 }
95 }
96 return 0;
97}
98
99static int set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
100 uint16_t version) {
101 /* The public API uses wire versions, except we use |TLS1_3_VERSION|
102 * everywhere to refer to any draft TLS 1.3 versions. In this direction, we
103 * map it to some representative TLS 1.3 draft version. */
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame]104 if (version == TLS1_3_DRAFT_VERSION ||
Steven Valdezdbe01582017-07-14 10:39:28 -0400[diff] [blame]105 version == TLS1_3_EXPERIMENT_VERSION ||
106 version == TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION) {
David Benjamin353577c2017-06-29 15:54:58 -0400[diff] [blame]107 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_SSL_VERSION);
108 return 0;
109 }
Steven Valdez8f36c512017-06-20 10:55:02 -0400[diff] [blame]110 if (version == TLS1_3_VERSION) {
111 version = TLS1_3_DRAFT_VERSION;
112 }
113
David Benjamin353577c2017-06-29 15:54:58 -0400[diff] [blame]114 if (!method_supports_version(method, version) ||
115 !ssl_protocol_version_from_wire(out, version)) {
116 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_SSL_VERSION);
117 return 0;
118 }
119
120 return 1;
Steven Valdez8f36c512017-06-20 10:55:02 -0400[diff] [blame]121}
122
123static int set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
124 uint16_t version) {
125 /* Zero is interpreted as the default minimum version. */
126 if (version == 0) {
127 /* SSL 3.0 is disabled by default and TLS 1.0 does not exist in DTLS. */
128 *out = method->is_dtls ? TLS1_1_VERSION : TLS1_VERSION;
129 return 1;
130 }
131
132 return set_version_bound(method, out, version);
133}
134
135static int set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
136 uint16_t version) {
137 /* Zero is interpreted as the default maximum version. */
138 if (version == 0) {
139 *out = TLS1_2_VERSION;
140 return 1;
141 }
142
143 return set_version_bound(method, out, version);
144}
145
Steven Valdez8f36c512017-06-20 10:55:02 -0400[diff] [blame]146const struct {
147 uint16_t version;
148 uint32_t flag;
149} kProtocolVersions[] = {
150 {SSL3_VERSION, SSL_OP_NO_SSLv3},
151 {TLS1_VERSION, SSL_OP_NO_TLSv1},
152 {TLS1_1_VERSION, SSL_OP_NO_TLSv1_1},
153 {TLS1_2_VERSION, SSL_OP_NO_TLSv1_2},
154 {TLS1_3_VERSION, SSL_OP_NO_TLSv1_3},
155};
156
157int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version,
158 uint16_t *out_max_version) {
159 /* For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but
160 * DTLS 1.0 should be mapped to TLS 1.1. */
161 uint32_t options = ssl->options;
162 if (SSL_is_dtls(ssl)) {
163 options &= ~SSL_OP_NO_TLSv1_1;
164 if (options & SSL_OP_NO_DTLSv1) {
165 options |= SSL_OP_NO_TLSv1_1;
166 }
167 }
168
169 uint16_t min_version = ssl->conf_min_version;
170 uint16_t max_version = ssl->conf_max_version;
171
172 /* OpenSSL's API for controlling versions entails blacklisting individual
173 * protocols. This has two problems. First, on the client, the protocol can
174 * only express a contiguous range of versions. Second, a library consumer
175 * trying to set a maximum version cannot disable protocol versions that get
176 * added in a future version of the library.
177 *
178 * To account for both of these, OpenSSL interprets the client-side bitmask
179 * as a min/max range by picking the lowest contiguous non-empty range of
180 * enabled protocols. Note that this means it is impossible to set a maximum
181 * version of the higest supported TLS version in a future-proof way. */
182 int any_enabled = 0;
183 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kProtocolVersions); i++) {
184 /* Only look at the versions already enabled. */
185 if (min_version > kProtocolVersions[i].version) {
186 continue;
187 }
188 if (max_version < kProtocolVersions[i].version) {
189 break;
190 }
191
192 if (!(options & kProtocolVersions[i].flag)) {
193 /* The minimum version is the first enabled version. */
194 if (!any_enabled) {
195 any_enabled = 1;
196 min_version = kProtocolVersions[i].version;
197 }
198 continue;
199 }
200
201 /* If there is a disabled version after the first enabled one, all versions
202 * after it are implicitly disabled. */
203 if (any_enabled) {
204 max_version = kProtocolVersions[i-1].version;
205 break;
206 }
207 }
208
209 if (!any_enabled) {
210 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SUPPORTED_VERSIONS_ENABLED);
211 return 0;
212 }
213
214 *out_min_version = min_version;
215 *out_max_version = max_version;
216 return 1;
217}
218
David Benjamind9cbb532017-07-07 13:17:19 -0400[diff] [blame]219static uint16_t ssl_version(const SSL *ssl) {
220 /* In early data, we report the predicted version. */
221 if (SSL_in_early_data(ssl) && !ssl->server) {
222 return ssl->s3->hs->early_session->ssl_version;
223 }
224 return ssl->version;
225}
226
David Benjamin86e95b82017-07-18 16:34:25 -0400[diff] [blame]227static const char *ssl_version_to_string(uint16_t version) {
Steven Valdez8f36c512017-06-20 10:55:02 -0400[diff] [blame]228 switch (version) {
229 /* Report TLS 1.3 draft version as TLS 1.3 in the public API. */
230 case TLS1_3_DRAFT_VERSION:
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame]231 case TLS1_3_EXPERIMENT_VERSION:
Steven Valdezdbe01582017-07-14 10:39:28 -0400[diff] [blame]232 case TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION:
Steven Valdez8f36c512017-06-20 10:55:02 -0400[diff] [blame]233 return "TLSv1.3";
234
235 case TLS1_2_VERSION:
236 return "TLSv1.2";
237
238 case TLS1_1_VERSION:
239 return "TLSv1.1";
240
241 case TLS1_VERSION:
242 return "TLSv1";
243
244 case SSL3_VERSION:
245 return "SSLv3";
246
247 case DTLS1_VERSION:
248 return "DTLSv1";
249
250 case DTLS1_2_VERSION:
251 return "DTLSv1.2";
252
253 default:
254 return "unknown";
255 }
256}
257
Steven Valdez8f36c512017-06-20 10:55:02 -0400[diff] [blame]258uint16_t ssl3_protocol_version(const SSL *ssl) {
259 assert(ssl->s3->have_version);
260 uint16_t version;
261 if (!ssl_protocol_version_from_wire(&version, ssl->version)) {
262 /* |ssl->version| will always be set to a valid version. */
263 assert(0);
264 return 0;
265 }
266
267 return version;
268}
269
270int ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version) {
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame]271 SSL *const ssl = hs->ssl;
272 /* As a client, only allow the configured TLS 1.3 variant. As a server,
273 * support all TLS 1.3 variants as long as tls13_variant is set to a
274 * non-default value. */
275 if (ssl->server) {
Steven Valdez52586f92017-07-11 15:08:32 -0400[diff] [blame]276 if (ssl->tls13_variant == tls13_default &&
Steven Valdezdbe01582017-07-14 10:39:28 -0400[diff] [blame]277 (version == TLS1_3_EXPERIMENT_VERSION ||
278 version == TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION)) {
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame]279 return 0;
280 }
281 } else {
Steven Valdez52586f92017-07-11 15:08:32 -0400[diff] [blame]282 if ((ssl->tls13_variant != tls13_experiment &&
Steven Valdez0e4a4482017-07-17 11:12:34 -0400[diff] [blame]283 ssl->tls13_variant != tls13_no_session_id_experiment &&
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame]284 version == TLS1_3_EXPERIMENT_VERSION) ||
Steven Valdezdbe01582017-07-14 10:39:28 -0400[diff] [blame]285 (ssl->tls13_variant != tls13_record_type_experiment &&
286 version == TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION) ||
Steven Valdez52586f92017-07-11 15:08:32 -0400[diff] [blame]287 (ssl->tls13_variant != tls13_default &&
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame]288 version == TLS1_3_DRAFT_VERSION)) {
289 return 0;
290 }
291 }
292
Steven Valdez8f36c512017-06-20 10:55:02 -0400[diff] [blame]293 uint16_t protocol_version;
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame]294 return method_supports_version(ssl->method, version) &&
Steven Valdez8f36c512017-06-20 10:55:02 -0400[diff] [blame]295 ssl_protocol_version_from_wire(&protocol_version, version) &&
296 hs->min_version <= protocol_version &&
297 protocol_version <= hs->max_version;
298}
299
300int ssl_add_supported_versions(SSL_HANDSHAKE *hs, CBB *cbb) {
301 const uint16_t *versions;
302 size_t num_versions;
303 get_method_versions(hs->ssl->method, &versions, &num_versions);
304 for (size_t i = 0; i < num_versions; i++) {
305 if (ssl_supports_version(hs, versions[i]) &&
306 !CBB_add_u16(cbb, versions[i])) {
307 return 0;
308 }
309 }
310 return 1;
311}
312
313int ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
314 uint16_t *out_version, const CBS *peer_versions) {
315 const uint16_t *versions;
316 size_t num_versions;
317 get_method_versions(hs->ssl->method, &versions, &num_versions);
318 for (size_t i = 0; i < num_versions; i++) {
319 if (!ssl_supports_version(hs, versions[i])) {
320 continue;
321 }
322
323 CBS copy = *peer_versions;
324 while (CBS_len(&copy) != 0) {
325 uint16_t version;
326 if (!CBS_get_u16(&copy, &version)) {
327 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
328 *out_alert = SSL_AD_DECODE_ERROR;
329 return 0;
330 }
331
332 if (version == versions[i]) {
333 *out_version = version;
334 return 1;
335 }
336 }
337 }
338
339 OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);
340 *out_alert = SSL_AD_PROTOCOL_VERSION;
341 return 0;
342}
David Benjamin86e95b82017-07-18 16:34:25 -0400[diff] [blame]343
344} // namespace bssl
345
346using namespace bssl;
347
348int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) {
349 return set_min_version(ctx->method, &ctx->conf_min_version, version);
350}
351
352int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) {
353 return set_max_version(ctx->method, &ctx->conf_max_version, version);
354}
355
356int SSL_set_min_proto_version(SSL *ssl, uint16_t version) {
357 return set_min_version(ssl->method, &ssl->conf_min_version, version);
358}
359
360int SSL_set_max_proto_version(SSL *ssl, uint16_t version) {
361 return set_max_version(ssl->method, &ssl->conf_max_version, version);
362}
363
364int SSL_version(const SSL *ssl) {
365 uint16_t ret = ssl_version(ssl);
366 /* Report TLS 1.3 draft version as TLS 1.3 in the public API. */
367 if (ret == TLS1_3_DRAFT_VERSION || ret == TLS1_3_EXPERIMENT_VERSION ||
368 ret == TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION) {
369 return TLS1_3_VERSION;
370 }
371 return ret;
372}
373
374const char *SSL_get_version(const SSL *ssl) {
375 return ssl_version_to_string(ssl_version(ssl));
376}
377
378const char *SSL_SESSION_get_version(const SSL_SESSION *session) {
379 return ssl_version_to_string(session->ssl_version);
380}