Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / boringssl / 1f278ae75520bf67658f222a252fc94dec3c156f / . / src / ssl / ssl_versions.cc
blob: 212c3ac945cf2d34ca849f06aed2fdc2bdc2d040 [file] [log] [blame]
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]1/* Copyright (c) 2017, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <openssl/ssl.h>
16
17#include <assert.h>
18
19#include <openssl/bytestring.h>
20#include <openssl/err.h>
21
22#include "internal.h"
23#include "../crypto/internal.h"
24
25
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]26namespace bssl {
27
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]28bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]29 switch (version) {
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]30 case TLS1_VERSION:
31 case TLS1_1_VERSION:
32 case TLS1_2_VERSION:
Robert Sloand9e572d2018-08-27 12:27:00 -0700[diff] [blame]33 case TLS1_3_VERSION:
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]34 *out = version;
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]35 return true;
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]36
Robert Sloan0db7f542018-01-16 15:48:33 -0800[diff] [blame]37 case TLS1_3_DRAFT23_VERSION:
Robert Sloandc2f6092018-04-10 10:22:33 -0700[diff] [blame]38 case TLS1_3_DRAFT28_VERSION:
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]39 *out = TLS1_3_VERSION;
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]40 return true;
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]41
42 case DTLS1_VERSION:
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]43 // DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0.
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]44 *out = TLS1_1_VERSION;
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]45 return true;
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]46
47 case DTLS1_2_VERSION:
48 *out = TLS1_2_VERSION;
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]49 return true;
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]50
51 default:
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]52 return false;
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]53 }
54}
55
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]56// The follow arrays are the supported versions for TLS and DTLS, in order of
57// decreasing preference.
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]58
59static const uint16_t kTLSVersions[] = {
Robert Sloand9e572d2018-08-27 12:27:00 -0700[diff] [blame]60 TLS1_3_VERSION,
Robert Sloandc2f6092018-04-10 10:22:33 -0700[diff] [blame]61 TLS1_3_DRAFT28_VERSION,
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]62 TLS1_3_DRAFT23_VERSION,
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]63 TLS1_2_VERSION,
64 TLS1_1_VERSION,
65 TLS1_VERSION,
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]66};
67
68static const uint16_t kDTLSVersions[] = {
69 DTLS1_2_VERSION,
70 DTLS1_VERSION,
71};
72
73static void get_method_versions(const SSL_PROTOCOL_METHOD *method,
74 const uint16_t **out, size_t *out_num) {
75 if (method->is_dtls) {
76 *out = kDTLSVersions;
77 *out_num = OPENSSL_ARRAY_SIZE(kDTLSVersions);
78 } else {
79 *out = kTLSVersions;
80 *out_num = OPENSSL_ARRAY_SIZE(kTLSVersions);
81 }
82}
83
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]84bool ssl_method_supports_version(const SSL_PROTOCOL_METHOD *method,
85 uint16_t version) {
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]86 const uint16_t *versions;
87 size_t num_versions;
88 get_method_versions(method, &versions, &num_versions);
89 for (size_t i = 0; i < num_versions; i++) {
90 if (versions[i] == version) {
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]91 return true;
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]92 }
93 }
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]94 return false;
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]95}
96
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]97// The following functions map between API versions and wire versions. The
98// public API works on wire versions, except that TLS 1.3 draft versions all
99// appear as TLS 1.3. This will get collapsed back down when TLS 1.3 is
100// finalized.
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]101
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]102static const char *ssl_version_to_string(uint16_t version) {
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]103 switch (version) {
Robert Sloan0db7f542018-01-16 15:48:33 -0800[diff] [blame]104 case TLS1_3_DRAFT23_VERSION:
Robert Sloandc2f6092018-04-10 10:22:33 -0700[diff] [blame]105 case TLS1_3_DRAFT28_VERSION:
Robert Sloand9e572d2018-08-27 12:27:00 -0700[diff] [blame]106 case TLS1_3_VERSION:
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]107 return "TLSv1.3";
108
109 case TLS1_2_VERSION:
110 return "TLSv1.2";
111
112 case TLS1_1_VERSION:
113 return "TLSv1.1";
114
115 case TLS1_VERSION:
116 return "TLSv1";
117
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]118 case DTLS1_VERSION:
119 return "DTLSv1";
120
121 case DTLS1_2_VERSION:
122 return "DTLSv1.2";
123
124 default:
125 return "unknown";
126 }
127}
128
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]129static uint16_t wire_version_to_api(uint16_t version) {
130 switch (version) {
131 // Report TLS 1.3 draft versions as TLS 1.3 in the public API.
Robert Sloan0db7f542018-01-16 15:48:33 -0800[diff] [blame]132 case TLS1_3_DRAFT23_VERSION:
Robert Sloandc2f6092018-04-10 10:22:33 -0700[diff] [blame]133 case TLS1_3_DRAFT28_VERSION:
Robert Sloand9e572d2018-08-27 12:27:00 -0700[diff] [blame]134 case TLS1_3_VERSION:
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]135 return TLS1_3_VERSION;
136 default:
137 return version;
138 }
139}
140
141// api_version_to_wire maps |version| to some representative wire version. In
142// particular, it picks an arbitrary TLS 1.3 representative. This should only be
143// used in context where that does not matter.
144static bool api_version_to_wire(uint16_t *out, uint16_t version) {
Robert Sloandc2f6092018-04-10 10:22:33 -0700[diff] [blame]145 if (version == TLS1_3_DRAFT23_VERSION ||
146 version == TLS1_3_DRAFT28_VERSION) {
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]147 return false;
148 }
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]149
150 // Check it is a real protocol version.
151 uint16_t unused;
152 if (!ssl_protocol_version_from_wire(&unused, version)) {
153 return false;
154 }
155
156 *out = version;
157 return true;
158}
159
160static bool set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
161 uint16_t version) {
162 if (!api_version_to_wire(&version, version) ||
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]163 !ssl_method_supports_version(method, version) ||
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]164 !ssl_protocol_version_from_wire(out, version)) {
165 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_SSL_VERSION);
166 return false;
167 }
168
169 return true;
170}
171
172static bool set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
173 uint16_t version) {
174 // Zero is interpreted as the default minimum version.
175 if (version == 0) {
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]176 // TLS 1.0 does not exist in DTLS.
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]177 *out = method->is_dtls ? TLS1_1_VERSION : TLS1_VERSION;
178 return true;
179 }
180
181 return set_version_bound(method, out, version);
182}
183
184static bool set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
185 uint16_t version) {
186 // Zero is interpreted as the default maximum version.
187 if (version == 0) {
188 *out = TLS1_2_VERSION;
189 return true;
190 }
191
192 return set_version_bound(method, out, version);
193}
194
195const struct {
196 uint16_t version;
197 uint32_t flag;
198} kProtocolVersions[] = {
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]199 {TLS1_VERSION, SSL_OP_NO_TLSv1},
200 {TLS1_1_VERSION, SSL_OP_NO_TLSv1_1},
201 {TLS1_2_VERSION, SSL_OP_NO_TLSv1_2},
202 {TLS1_3_VERSION, SSL_OP_NO_TLSv1_3},
203};
204
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]205bool ssl_get_version_range(const SSL_HANDSHAKE *hs, uint16_t *out_min_version,
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]206 uint16_t *out_max_version) {
207 // For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but
208 // DTLS 1.0 should be mapped to TLS 1.1.
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]209 uint32_t options = hs->ssl->options;
210 if (SSL_is_dtls(hs->ssl)) {
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]211 options &= ~SSL_OP_NO_TLSv1_1;
212 if (options & SSL_OP_NO_DTLSv1) {
213 options |= SSL_OP_NO_TLSv1_1;
214 }
215 }
216
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]217 uint16_t min_version = hs->config->conf_min_version;
218 uint16_t max_version = hs->config->conf_max_version;
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]219
220 // OpenSSL's API for controlling versions entails blacklisting individual
221 // protocols. This has two problems. First, on the client, the protocol can
222 // only express a contiguous range of versions. Second, a library consumer
223 // trying to set a maximum version cannot disable protocol versions that get
224 // added in a future version of the library.
225 //
226 // To account for both of these, OpenSSL interprets the client-side bitmask
227 // as a min/max range by picking the lowest contiguous non-empty range of
228 // enabled protocols. Note that this means it is impossible to set a maximum
229 // version of the higest supported TLS version in a future-proof way.
230 bool any_enabled = false;
231 for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kProtocolVersions); i++) {
232 // Only look at the versions already enabled.
233 if (min_version > kProtocolVersions[i].version) {
234 continue;
235 }
236 if (max_version < kProtocolVersions[i].version) {
237 break;
238 }
239
240 if (!(options & kProtocolVersions[i].flag)) {
241 // The minimum version is the first enabled version.
242 if (!any_enabled) {
243 any_enabled = true;
244 min_version = kProtocolVersions[i].version;
245 }
246 continue;
247 }
248
249 // If there is a disabled version after the first enabled one, all versions
250 // after it are implicitly disabled.
251 if (any_enabled) {
252 max_version = kProtocolVersions[i-1].version;
253 break;
254 }
255 }
256
257 if (!any_enabled) {
258 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SUPPORTED_VERSIONS_ENABLED);
259 return false;
260 }
261
262 *out_min_version = min_version;
263 *out_max_version = max_version;
264 return true;
265}
266
267static uint16_t ssl_version(const SSL *ssl) {
268 // In early data, we report the predicted version.
269 if (SSL_in_early_data(ssl) && !ssl->server) {
270 return ssl->s3->hs->early_session->ssl_version;
271 }
272 return ssl->version;
273}
274
Robert Sloan921ef2c2017-10-17 09:02:20 -0700[diff] [blame]275uint16_t ssl_protocol_version(const SSL *ssl) {
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]276 assert(ssl->s3->have_version);
277 uint16_t version;
278 if (!ssl_protocol_version_from_wire(&version, ssl->version)) {
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]279 // |ssl->version| will always be set to a valid version.
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]280 assert(0);
281 return 0;
282 }
283
284 return version;
285}
286
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]287bool ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version) {
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]288 SSL *const ssl = hs->ssl;
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]289 uint16_t protocol_version;
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]290 if (!ssl_method_supports_version(ssl->method, version) ||
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]291 !ssl_protocol_version_from_wire(&protocol_version, version) ||
292 hs->min_version > protocol_version ||
293 protocol_version > hs->max_version) {
294 return false;
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]295 }
296
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]297 // If the TLS 1.3 variant is set to |tls13_default|, all variants are enabled,
298 // otherwise only the matching version is enabled.
299 if (protocol_version == TLS1_3_VERSION) {
300 switch (ssl->tls13_variant) {
301 case tls13_draft23:
302 return version == TLS1_3_DRAFT23_VERSION;
303 case tls13_draft28:
304 return version == TLS1_3_DRAFT28_VERSION;
Robert Sloand9e572d2018-08-27 12:27:00 -0700[diff] [blame]305 case tls13_rfc:
306 return version == TLS1_3_VERSION;
Robert Sloan1f278ae2018-09-04 13:56:45 -0700[diff] [blame^]307 case tls13_all:
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]308 return true;
309 }
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]310 }
311
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]312 return true;
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]313}
314
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]315bool ssl_add_supported_versions(SSL_HANDSHAKE *hs, CBB *cbb) {
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]316 const uint16_t *versions;
317 size_t num_versions;
318 get_method_versions(hs->ssl->method, &versions, &num_versions);
319 for (size_t i = 0; i < num_versions; i++) {
320 if (ssl_supports_version(hs, versions[i]) &&
321 !CBB_add_u16(cbb, versions[i])) {
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]322 return false;
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]323 }
324 }
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]325 return true;
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]326}
327
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]328bool ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
329 uint16_t *out_version, const CBS *peer_versions) {
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]330 const uint16_t *versions;
331 size_t num_versions;
332 get_method_versions(hs->ssl->method, &versions, &num_versions);
333 for (size_t i = 0; i < num_versions; i++) {
334 if (!ssl_supports_version(hs, versions[i])) {
335 continue;
336 }
337
338 CBS copy = *peer_versions;
339 while (CBS_len(&copy) != 0) {
340 uint16_t version;
341 if (!CBS_get_u16(&copy, &version)) {
342 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
343 *out_alert = SSL_AD_DECODE_ERROR;
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]344 return false;
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]345 }
346
347 if (version == versions[i]) {
348 *out_version = version;
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]349 return true;
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]350 }
351 }
352 }
353
354 OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);
355 *out_alert = SSL_AD_PROTOCOL_VERSION;
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]356 return false;
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]357}
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]358
Robert Sloandc2f6092018-04-10 10:22:33 -0700[diff] [blame]359bool ssl_is_draft28(uint16_t version) {
Robert Sloand9e572d2018-08-27 12:27:00 -0700[diff] [blame]360 return version == TLS1_3_DRAFT28_VERSION || version == TLS1_3_VERSION;
Robert Sloandc2f6092018-04-10 10:22:33 -0700[diff] [blame]361}
362
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]363} // namespace bssl
364
365using namespace bssl;
366
367int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) {
368 return set_min_version(ctx->method, &ctx->conf_min_version, version);
369}
370
371int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) {
372 return set_max_version(ctx->method, &ctx->conf_max_version, version);
373}
374
375int SSL_set_min_proto_version(SSL *ssl, uint16_t version) {
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]376 if (!ssl->config) {
377 return 0;
378 }
379 return set_min_version(ssl->method, &ssl->config->conf_min_version, version);
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]380}
381
382int SSL_set_max_proto_version(SSL *ssl, uint16_t version) {
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]383 if (!ssl->config) {
384 return 0;
385 }
386 return set_max_version(ssl->method, &ssl->config->conf_max_version, version);
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]387}
388
389int SSL_version(const SSL *ssl) {
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]390 return wire_version_to_api(ssl_version(ssl));
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]391}
392
393const char *SSL_get_version(const SSL *ssl) {
394 return ssl_version_to_string(ssl_version(ssl));
395}
396
397const char *SSL_SESSION_get_version(const SSL_SESSION *session) {
398 return ssl_version_to_string(session->ssl_version);
399}
Robert Sloanae1abf92017-10-05 12:50:08 -0700[diff] [blame]400
401uint16_t SSL_SESSION_get_protocol_version(const SSL_SESSION *session) {
402 return wire_version_to_api(session->ssl_version);
403}
404
405int SSL_SESSION_set_protocol_version(SSL_SESSION *session, uint16_t version) {
406 // This picks a representative TLS 1.3 version, but this API should only be
407 // used on unit test sessions anyway.
408 return api_version_to_wire(&session->ssl_version, version);
409}