/src/boringssl/ssl/ssl_versions.cc
Line | Count | Source |
1 | | // Copyright 2017 The BoringSSL Authors |
2 | | // |
3 | | // Licensed under the Apache License, Version 2.0 (the "License"); |
4 | | // you may not use this file except in compliance with the License. |
5 | | // You may obtain a copy of the License at |
6 | | // |
7 | | // https://www.apache.org/licenses/LICENSE-2.0 |
8 | | // |
9 | | // Unless required by applicable law or agreed to in writing, software |
10 | | // distributed under the License is distributed on an "AS IS" BASIS, |
11 | | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
12 | | // See the License for the specific language governing permissions and |
13 | | // limitations under the License. |
14 | | |
15 | | #include <openssl/ssl.h> |
16 | | |
17 | | #include <assert.h> |
18 | | |
19 | | #include <iterator> |
20 | | |
21 | | #include <openssl/bytestring.h> |
22 | | #include <openssl/err.h> |
23 | | #include <openssl/span.h> |
24 | | |
25 | | #include "internal.h" |
26 | | |
27 | | |
28 | | BSSL_NAMESPACE_BEGIN |
29 | | |
30 | 5.86M | bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) { |
31 | 5.86M | switch (version) { |
32 | 310k | case TLS1_VERSION: |
33 | 467k | case TLS1_1_VERSION: |
34 | 4.00M | case TLS1_2_VERSION: |
35 | 4.50M | case TLS1_3_VERSION: |
36 | 4.50M | *out = version; |
37 | 4.50M | return true; |
38 | | |
39 | 107k | case DTLS1_VERSION: |
40 | | // DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0. |
41 | 107k | *out = TLS1_1_VERSION; |
42 | 107k | return true; |
43 | | |
44 | 228k | case DTLS1_2_VERSION: |
45 | 228k | *out = TLS1_2_VERSION; |
46 | 228k | return true; |
47 | | |
48 | 1.00M | case DTLS1_3_VERSION: |
49 | 1.00M | *out = TLS1_3_VERSION; |
50 | 1.00M | return true; |
51 | | |
52 | 19.8k | default: |
53 | 19.8k | return false; |
54 | 5.86M | } |
55 | 5.86M | } |
56 | | |
57 | | // The follow arrays are the supported versions for TLS and DTLS, in order of |
58 | | // decreasing preference. |
59 | | |
60 | | static const uint16_t kTLSVersions[] = { |
61 | | TLS1_3_VERSION, |
62 | | TLS1_2_VERSION, |
63 | | TLS1_1_VERSION, |
64 | | TLS1_VERSION, |
65 | | }; |
66 | | |
67 | | static const uint16_t kDTLSVersions[] = { |
68 | | DTLS1_3_VERSION, |
69 | | DTLS1_2_VERSION, |
70 | | DTLS1_VERSION, |
71 | | }; |
72 | | |
73 | | static Span<const uint16_t> get_method_versions( |
74 | 366k | const SSL_PROTOCOL_METHOD *method) { |
75 | 366k | return method->is_dtls ? Span<const uint16_t>(kDTLSVersions) |
76 | 366k | : Span<const uint16_t>(kTLSVersions); |
77 | 366k | } |
78 | | |
79 | | bool ssl_method_supports_version(const SSL_PROTOCOL_METHOD *method, |
80 | 297k | uint16_t version) { |
81 | 688k | for (uint16_t supported : get_method_versions(method)) { |
82 | 688k | if (supported == version) { |
83 | 295k | return true; |
84 | 295k | } |
85 | 688k | } |
86 | 1.64k | return false; |
87 | 297k | } |
88 | | |
89 | | // The following functions map between API versions and wire versions. The |
90 | | // public API works on wire versions. |
91 | | |
92 | | static const char *const kUnknownVersion = "unknown"; |
93 | | |
94 | | struct VersionInfo { |
95 | | uint16_t version; |
96 | | const char *name; |
97 | | }; |
98 | | |
99 | | static const VersionInfo kVersionNames[] = { |
100 | | {TLS1_3_VERSION, "TLSv1.3"}, {TLS1_2_VERSION, "TLSv1.2"}, |
101 | | {TLS1_1_VERSION, "TLSv1.1"}, {TLS1_VERSION, "TLSv1"}, |
102 | | {DTLS1_VERSION, "DTLSv1"}, {DTLS1_2_VERSION, "DTLSv1.2"}, |
103 | | {DTLS1_3_VERSION, "DTLSv1.3"}, |
104 | | }; |
105 | | |
106 | 0 | static const char *ssl_version_to_string(uint16_t version) { |
107 | 0 | for (const auto &v : kVersionNames) { |
108 | 0 | if (v.version == version) { |
109 | 0 | return v.name; |
110 | 0 | } |
111 | 0 | } |
112 | 0 | return kUnknownVersion; |
113 | 0 | } |
114 | | |
115 | 0 | static uint16_t wire_version_to_api(uint16_t version) { return version; } |
116 | | |
117 | | // api_version_to_wire maps `version` to some representative wire version. |
118 | 24.9k | static bool api_version_to_wire(uint16_t *out, uint16_t version) { |
119 | | // Check it is a real protocol version. |
120 | 24.9k | uint16_t unused; |
121 | 24.9k | if (!ssl_protocol_version_from_wire(&unused, version)) { |
122 | 19.4k | return false; |
123 | 19.4k | } |
124 | | |
125 | 5.44k | *out = version; |
126 | 5.44k | return true; |
127 | 24.9k | } |
128 | | |
129 | | static bool set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out, |
130 | 24.9k | uint16_t version) { |
131 | 24.9k | if (!api_version_to_wire(&version, version) || |
132 | 20.9k | !ssl_method_supports_version(method, version)) { |
133 | 20.9k | OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_SSL_VERSION); |
134 | 20.9k | return false; |
135 | 20.9k | } |
136 | | |
137 | 3.90k | *out = version; |
138 | 3.90k | return true; |
139 | 24.9k | } |
140 | | |
141 | | static bool set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out, |
142 | 24.4k | uint16_t version) { |
143 | | // Zero is interpreted as the default minimum version. |
144 | 24.4k | if (version == 0) { |
145 | 5.64k | *out = method->is_dtls ? DTLS1_2_VERSION : TLS1_2_VERSION; |
146 | 5.64k | return true; |
147 | 5.64k | } |
148 | | |
149 | 18.7k | return set_version_bound(method, out, version); |
150 | 24.4k | } |
151 | | |
152 | | static bool set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out, |
153 | 12.8k | uint16_t version) { |
154 | | // Zero is interpreted as the default maximum version. |
155 | 12.8k | if (version == 0) { |
156 | 6.67k | *out = method->is_dtls ? DTLS1_3_VERSION : TLS1_3_VERSION; |
157 | 6.67k | return true; |
158 | 6.67k | } |
159 | | |
160 | 6.13k | return set_version_bound(method, out, version); |
161 | 12.8k | } |
162 | | |
163 | | const struct { |
164 | | uint16_t version; |
165 | | uint32_t flag; |
166 | | } kProtocolVersions[] = { |
167 | | {TLS1_VERSION, SSL_OP_NO_TLSv1}, |
168 | | {TLS1_1_VERSION, SSL_OP_NO_TLSv1_1}, |
169 | | {TLS1_2_VERSION, SSL_OP_NO_TLSv1_2}, |
170 | | {TLS1_3_VERSION, SSL_OP_NO_TLSv1_3}, |
171 | | }; |
172 | | |
173 | | bool ssl_get_version_range(const SSL_HANDSHAKE *hs, uint16_t *out_min_version, |
174 | 67.1k | uint16_t *out_max_version) { |
175 | | // For historical reasons, `SSL_OP_NO_DTLSv1` aliases `SSL_OP_NO_TLSv1`, but |
176 | | // DTLS 1.0 should be mapped to TLS 1.1. |
177 | 67.1k | uint32_t options = hs->ssl->options; |
178 | 67.1k | if (SSL_is_dtls(hs->ssl)) { |
179 | 10.5k | options &= ~SSL_OP_NO_TLSv1_1; |
180 | 10.5k | if (options & SSL_OP_NO_DTLSv1) { |
181 | 0 | options |= SSL_OP_NO_TLSv1_1; |
182 | 0 | } |
183 | 10.5k | } |
184 | | |
185 | 67.1k | uint16_t min_version, max_version; |
186 | 67.1k | if (!ssl_protocol_version_from_wire(&min_version, |
187 | 67.1k | hs->config->conf_min_version) || |
188 | 67.1k | !ssl_protocol_version_from_wire(&max_version, |
189 | 67.1k | hs->config->conf_max_version)) { |
190 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
191 | 0 | return false; |
192 | 0 | } |
193 | | |
194 | | // QUIC requires TLS 1.3. |
195 | 67.1k | if (SSL_is_quic(hs->ssl) && min_version < TLS1_3_VERSION) { |
196 | 0 | min_version = TLS1_3_VERSION; |
197 | 0 | } |
198 | | |
199 | | // The `SSL_OP_NO_*` flags disable individual protocols. This has two |
200 | | // problems. First, prior to TLS 1.3, the protocol can only express a |
201 | | // contiguous range of versions. Second, a library consumer trying to set a |
202 | | // maximum version cannot disable protocol versions that get added in a future |
203 | | // version of the library. |
204 | | // |
205 | | // To account for both of these, OpenSSL interprets the client-side bitmask |
206 | | // as a min/max range by picking the lowest contiguous non-empty range of |
207 | | // enabled protocols. Note that this means it is impossible to set a maximum |
208 | | // version of the highest supported TLS version in a future-proof way. |
209 | 67.1k | bool any_enabled = false; |
210 | 335k | for (size_t i = 0; i < std::size(kProtocolVersions); i++) { |
211 | | // Only look at the versions already enabled. |
212 | 268k | if (min_version > kProtocolVersions[i].version) { |
213 | 10.5k | continue; |
214 | 10.5k | } |
215 | 257k | if (max_version < kProtocolVersions[i].version) { |
216 | 0 | break; |
217 | 0 | } |
218 | | |
219 | 257k | if (!(options & kProtocolVersions[i].flag)) { |
220 | | // The minimum version is the first enabled version. |
221 | 257k | if (!any_enabled) { |
222 | 67.1k | any_enabled = true; |
223 | 67.1k | min_version = kProtocolVersions[i].version; |
224 | 67.1k | } |
225 | 257k | continue; |
226 | 257k | } |
227 | | |
228 | | // If there is a disabled version after the first enabled one, all versions |
229 | | // after it are implicitly disabled. |
230 | 0 | if (any_enabled) { |
231 | 0 | max_version = kProtocolVersions[i - 1].version; |
232 | 0 | break; |
233 | 0 | } |
234 | 0 | } |
235 | | |
236 | 67.1k | if (!any_enabled) { |
237 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SUPPORTED_VERSIONS_ENABLED); |
238 | 0 | return false; |
239 | 0 | } |
240 | | |
241 | 67.1k | *out_min_version = min_version; |
242 | 67.1k | *out_max_version = max_version; |
243 | 67.1k | return true; |
244 | 67.1k | } |
245 | | |
246 | 0 | static uint16_t ssl_version(const SSL *ssl) { |
247 | | // In early data, we report the predicted version. Note it is possible that we |
248 | | // have a predicted version and a *different* true version. This means 0-RTT |
249 | | // has been rejected, but until the reject has reported to the application and |
250 | | // applied with `SSL_reset_early_data_reject`, we continue reporting a |
251 | | // self-consistent connection. |
252 | 0 | if (SSL_in_early_data(ssl) && !ssl->server) { |
253 | 0 | return ssl->s3->hs->early_session->ssl_version; |
254 | 0 | } |
255 | 0 | if (ssl->s3->version != 0) { |
256 | 0 | return ssl->s3->version; |
257 | 0 | } |
258 | | // The TLS versions has not yet been negotiated. Historically, we would return |
259 | | // (D)TLS 1.2, so preserve that behavior. |
260 | 0 | return SSL_is_dtls(ssl) ? DTLS1_2_VERSION : TLS1_2_VERSION; |
261 | 0 | } |
262 | | |
263 | 690k | bool ssl_has_final_version(const SSL *ssl) { |
264 | 690k | return ssl->s3->version != 0 && |
265 | 560k | (ssl->s3->hs == nullptr || !ssl->s3->hs->is_early_version); |
266 | 690k | } |
267 | | |
268 | 4.71M | uint16_t ssl_protocol_version(const SSL *ssl) { |
269 | 4.71M | assert(ssl->s3->version != 0); |
270 | 4.71M | uint16_t version; |
271 | 4.71M | if (!ssl_protocol_version_from_wire(&version, ssl->s3->version)) { |
272 | | // `ssl->s3->version` will always be set to a valid version. |
273 | 0 | assert(0); |
274 | 0 | return 0; |
275 | 0 | } |
276 | | |
277 | 4.71M | return version; |
278 | 4.71M | } |
279 | | |
280 | 291k | bool ssl_supports_version(const SSL_HANDSHAKE *hs, uint16_t version) { |
281 | 291k | const SSL *const ssl = hs->ssl; |
282 | 291k | uint16_t protocol_version; |
283 | 291k | if (!ssl_method_supports_version(ssl->method, version) || |
284 | 291k | !ssl_protocol_version_from_wire(&protocol_version, version) || |
285 | 291k | hs->min_version > protocol_version || |
286 | 291k | protocol_version > hs->max_version) { |
287 | 108 | return false; |
288 | 108 | } |
289 | | |
290 | 291k | return true; |
291 | 291k | } |
292 | | |
293 | | bool ssl_add_supported_versions(const SSL_HANDSHAKE *hs, CBB *cbb, |
294 | 54.5k | uint16_t extra_min_version) { |
295 | 211k | for (uint16_t version : get_method_versions(hs->ssl->method)) { |
296 | 211k | uint16_t protocol_version; |
297 | 211k | if (ssl_supports_version(hs, version) && |
298 | 211k | ssl_protocol_version_from_wire(&protocol_version, version) && |
299 | 211k | protocol_version >= extra_min_version && // |
300 | 211k | !CBB_add_u16(cbb, version)) { |
301 | 0 | return false; |
302 | 0 | } |
303 | 211k | } |
304 | 54.5k | return true; |
305 | 54.5k | } |
306 | | |
307 | | bool ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
308 | 14.4k | uint16_t *out_version, const CBS *peer_versions) { |
309 | 28.8k | for (uint16_t version : get_method_versions(hs->ssl->method)) { |
310 | 28.8k | if (!ssl_supports_version(hs, version)) { |
311 | 0 | continue; |
312 | 0 | } |
313 | | |
314 | | // JDK 11, prior to 11.0.2, has a buggy TLS 1.3 implementation which fails |
315 | | // to send SNI when offering 1.3 sessions. Disable TLS 1.3 for such |
316 | | // clients. We apply this logic here rather than `ssl_supports_version` so |
317 | | // the downgrade signal continues to query the true capabilities. (The |
318 | | // workaround is a limitation of the peer's capabilities rather than our |
319 | | // own.) |
320 | | // |
321 | | // See https://bugs.openjdk.java.net/browse/JDK-8211806. |
322 | 28.8k | if (version == TLS1_3_VERSION && hs->apply_jdk11_workaround) { |
323 | 0 | continue; |
324 | 0 | } |
325 | | |
326 | 28.8k | CBS copy = *peer_versions; |
327 | 58.5k | while (CBS_len(©) != 0) { |
328 | 44.0k | uint16_t peer_version; |
329 | 44.0k | if (!CBS_get_u16(©, &peer_version)) { |
330 | 5 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
331 | 5 | *out_alert = SSL_AD_DECODE_ERROR; |
332 | 5 | return false; |
333 | 5 | } |
334 | | |
335 | 44.0k | if (peer_version == version) { |
336 | 14.3k | *out_version = version; |
337 | 14.3k | return true; |
338 | 14.3k | } |
339 | 44.0k | } |
340 | 28.8k | } |
341 | | |
342 | 60 | OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL); |
343 | 60 | *out_alert = SSL_AD_PROTOCOL_VERSION; |
344 | 60 | return false; |
345 | 14.4k | } |
346 | | |
347 | | BSSL_NAMESPACE_END |
348 | | |
349 | | using namespace bssl; |
350 | | |
351 | 24.4k | int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) { |
352 | 24.4k | auto *ctx_impl = FromOpaque(ctx); |
353 | 24.4k | return set_min_version(ctx_impl->method, &ctx_impl->conf_min_version, |
354 | 24.4k | version); |
355 | 24.4k | } |
356 | | |
357 | 12.8k | int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) { |
358 | 12.8k | auto *ctx_impl = FromOpaque(ctx); |
359 | 12.8k | return set_max_version(ctx_impl->method, &ctx_impl->conf_max_version, |
360 | 12.8k | version); |
361 | 12.8k | } |
362 | | |
363 | 0 | uint16_t SSL_CTX_get_min_proto_version(const SSL_CTX *ctx) { |
364 | 0 | return FromOpaque(ctx)->conf_min_version; |
365 | 0 | } |
366 | | |
367 | 0 | uint16_t SSL_CTX_get_max_proto_version(const SSL_CTX *ctx) { |
368 | 0 | return FromOpaque(ctx)->conf_max_version; |
369 | 0 | } |
370 | | |
371 | 0 | int SSL_set_min_proto_version(SSL *ssl, uint16_t version) { |
372 | 0 | if (!ssl->config) { |
373 | 0 | return 0; |
374 | 0 | } |
375 | 0 | return set_min_version(ssl->method, &ssl->config->conf_min_version, version); |
376 | 0 | } |
377 | | |
378 | 0 | int SSL_set_max_proto_version(SSL *ssl, uint16_t version) { |
379 | 0 | if (!ssl->config) { |
380 | 0 | return 0; |
381 | 0 | } |
382 | 0 | return set_max_version(ssl->method, &ssl->config->conf_max_version, version); |
383 | 0 | } |
384 | | |
385 | 0 | uint16_t SSL_get_min_proto_version(const SSL *ssl) { |
386 | 0 | if (!ssl->config) { |
387 | 0 | assert(ssl->config); |
388 | 0 | return 0; |
389 | 0 | } |
390 | 0 | return ssl->config->conf_min_version; |
391 | 0 | } |
392 | | |
393 | 0 | uint16_t SSL_get_max_proto_version(const SSL *ssl) { |
394 | 0 | if (!ssl->config) { |
395 | 0 | assert(ssl->config); |
396 | 0 | return 0; |
397 | 0 | } |
398 | 0 | return ssl->config->conf_max_version; |
399 | 0 | } |
400 | | |
401 | 0 | int SSL_version(const SSL *ssl) { |
402 | 0 | return wire_version_to_api(ssl_version(ssl)); |
403 | 0 | } |
404 | | |
405 | 0 | const char *SSL_get_version(const SSL *ssl) { |
406 | 0 | return ssl_version_to_string(ssl_version(ssl)); |
407 | 0 | } |
408 | | |
409 | 0 | size_t SSL_get_all_version_names(const char **out, size_t max_out) { |
410 | 0 | return GetAllNames(out, max_out, Span(&kUnknownVersion, 1), |
411 | 0 | &VersionInfo::name, Span(kVersionNames)); |
412 | 0 | } |
413 | | |
414 | 0 | const char *SSL_SESSION_get_version(const SSL_SESSION *session) { |
415 | 0 | return ssl_version_to_string(session->ssl_version); |
416 | 0 | } |
417 | | |
418 | 0 | uint16_t SSL_SESSION_get_protocol_version(const SSL_SESSION *session) { |
419 | 0 | return wire_version_to_api(session->ssl_version); |
420 | 0 | } |
421 | | |
422 | 0 | int SSL_SESSION_set_protocol_version(SSL_SESSION *session, uint16_t version) { |
423 | | // This picks a representative TLS 1.3 version, but this API should only be |
424 | | // used on unit test sessions anyway. |
425 | 0 | return api_version_to_wire(&session->ssl_version, version); |
426 | 0 | } |
427 | | |
428 | 0 | int SSL_CTX_set_record_protocol_version(SSL_CTX *ctx, int version) { |
429 | 0 | return version == 0; |
430 | 0 | } |