1 /* $OpenBSD: ssl_versions.c,v 1.27 2023/07/02 17:21:32 beck Exp $ */
2 /*
3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 #include "ssl_local.h"
19
20 static uint16_t
ssl_dtls_to_tls_version(uint16_t dtls_ver)21 ssl_dtls_to_tls_version(uint16_t dtls_ver)
22 {
23 if (dtls_ver == DTLS1_VERSION)
24 return TLS1_1_VERSION;
25 if (dtls_ver == DTLS1_2_VERSION)
26 return TLS1_2_VERSION;
27 return 0;
28 }
29
30 static uint16_t
ssl_tls_to_dtls_version(uint16_t tls_ver)31 ssl_tls_to_dtls_version(uint16_t tls_ver)
32 {
33 if (tls_ver == TLS1_1_VERSION)
34 return DTLS1_VERSION;
35 if (tls_ver == TLS1_2_VERSION)
36 return DTLS1_2_VERSION;
37 return 0;
38 }
39
40 static int
ssl_clamp_tls_version_range(uint16_t * min_ver,uint16_t * max_ver,uint16_t clamp_min,uint16_t clamp_max)41 ssl_clamp_tls_version_range(uint16_t *min_ver, uint16_t *max_ver,
42 uint16_t clamp_min, uint16_t clamp_max)
43 {
44 if (clamp_min > clamp_max || *min_ver > *max_ver)
45 return 0;
46 if (clamp_max < *min_ver || clamp_min > *max_ver)
47 return 0;
48
49 if (*min_ver < clamp_min)
50 *min_ver = clamp_min;
51 if (*max_ver > clamp_max)
52 *max_ver = clamp_max;
53
54 return 1;
55 }
56
57 int
ssl_version_set_min(const SSL_METHOD * meth,uint16_t proto_ver,uint16_t max_tls_ver,uint16_t * out_tls_ver,uint16_t * out_proto_ver)58 ssl_version_set_min(const SSL_METHOD *meth, uint16_t proto_ver,
59 uint16_t max_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver)
60 {
61 uint16_t min_proto, min_version, max_version;
62
63 if (proto_ver == 0) {
64 *out_tls_ver = meth->min_tls_version;
65 *out_proto_ver = 0;
66 return 1;
67 }
68
69 min_version = proto_ver;
70 max_version = max_tls_ver;
71
72 if (meth->dtls) {
73 if ((min_version = ssl_dtls_to_tls_version(proto_ver)) == 0)
74 return 0;
75 }
76
77 if (!ssl_clamp_tls_version_range(&min_version, &max_version,
78 meth->min_tls_version, meth->max_tls_version))
79 return 0;
80
81 min_proto = min_version;
82 if (meth->dtls) {
83 if ((min_proto = ssl_tls_to_dtls_version(min_version)) == 0)
84 return 0;
85 }
86 *out_tls_ver = min_version;
87 *out_proto_ver = min_proto;
88
89 return 1;
90 }
91
92 int
ssl_version_set_max(const SSL_METHOD * meth,uint16_t proto_ver,uint16_t min_tls_ver,uint16_t * out_tls_ver,uint16_t * out_proto_ver)93 ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver,
94 uint16_t min_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver)
95 {
96 uint16_t max_proto, min_version, max_version;
97
98 if (proto_ver == 0) {
99 *out_tls_ver = meth->max_tls_version;
100 *out_proto_ver = 0;
101 return 1;
102 }
103
104 min_version = min_tls_ver;
105 max_version = proto_ver;
106
107 if (meth->dtls) {
108 if ((max_version = ssl_dtls_to_tls_version(proto_ver)) == 0)
109 return 0;
110 }
111
112 if (!ssl_clamp_tls_version_range(&min_version, &max_version,
113 meth->min_tls_version, meth->max_tls_version))
114 return 0;
115
116 max_proto = max_version;
117 if (meth->dtls) {
118 if ((max_proto = ssl_tls_to_dtls_version(max_version)) == 0)
119 return 0;
120 }
121 *out_tls_ver = max_version;
122 *out_proto_ver = max_proto;
123
124 return 1;
125 }
126
127 int
ssl_enabled_tls_version_range(SSL * s,uint16_t * min_ver,uint16_t * max_ver)128 ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
129 {
130 uint16_t min_version, max_version;
131 unsigned long options;
132
133 /*
134 * The enabled versions have to be a contiguous range, which means we
135 * cannot enable and disable single versions at our whim, even though
136 * this is what the OpenSSL flags allow. The historical way this has
137 * been handled is by making a flag mean that all higher versions
138 * are disabled, if any version lower than the flag is enabled.
139 */
140
141 min_version = 0;
142 max_version = TLS1_3_VERSION;
143 options = s->options;
144
145 if (SSL_is_dtls(s)) {
146 options = 0;
147 if (s->options & SSL_OP_NO_DTLSv1)
148 options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
149 if (s->options & SSL_OP_NO_DTLSv1_2)
150 options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2;
151 }
152
153 if ((options & SSL_OP_NO_TLSv1_2) == 0)
154 min_version = TLS1_2_VERSION;
155 else if ((options & SSL_OP_NO_TLSv1_3) == 0)
156 min_version = TLS1_3_VERSION;
157
158 if ((options & SSL_OP_NO_TLSv1_3) && min_version < TLS1_3_VERSION)
159 max_version = TLS1_2_VERSION;
160 if ((options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION)
161 max_version = 0;
162
163 /* Everything has been disabled... */
164 if (min_version == 0 || max_version == 0)
165 return 0;
166
167 /* Limit to configured version range. */
168 if (!ssl_clamp_tls_version_range(&min_version, &max_version,
169 s->min_tls_version, s->max_tls_version))
170 return 0;
171
172 /* QUIC requires a minimum of TLSv1.3. */
173 if (SSL_is_quic(s)) {
174 if (max_version < TLS1_3_VERSION)
175 return 0;
176 if (min_version < TLS1_3_VERSION)
177 min_version = TLS1_3_VERSION;
178 }
179
180 if (min_ver != NULL)
181 *min_ver = min_version;
182 if (max_ver != NULL)
183 *max_ver = max_version;
184
185 return 1;
186 }
187
188 int
ssl_supported_tls_version_range(SSL * s,uint16_t * min_ver,uint16_t * max_ver)189 ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
190 {
191 uint16_t min_version, max_version;
192
193 if (!ssl_enabled_tls_version_range(s, &min_version, &max_version))
194 return 0;
195
196 /* Limit to the versions supported by this method. */
197 if (!ssl_clamp_tls_version_range(&min_version, &max_version,
198 s->method->min_tls_version, s->method->max_tls_version))
199 return 0;
200
201 if (min_ver != NULL)
202 *min_ver = min_version;
203 if (max_ver != NULL)
204 *max_ver = max_version;
205
206 return 1;
207 }
208
209 uint16_t
ssl_tls_version(uint16_t version)210 ssl_tls_version(uint16_t version)
211 {
212 if (version == TLS1_VERSION || version == TLS1_1_VERSION ||
213 version == TLS1_2_VERSION || version == TLS1_3_VERSION)
214 return version;
215
216 if (version == DTLS1_VERSION)
217 return TLS1_1_VERSION;
218 if (version == DTLS1_2_VERSION)
219 return TLS1_2_VERSION;
220
221 return 0;
222 }
223
224 uint16_t
ssl_effective_tls_version(SSL * s)225 ssl_effective_tls_version(SSL *s)
226 {
227 if (s->s3->hs.negotiated_tls_version > 0)
228 return s->s3->hs.negotiated_tls_version;
229
230 return s->s3->hs.our_max_tls_version;
231 }
232
233 int
ssl_max_supported_version(SSL * s,uint16_t * max_ver)234 ssl_max_supported_version(SSL *s, uint16_t *max_ver)
235 {
236 uint16_t max_version;
237
238 *max_ver = 0;
239
240 if (!ssl_supported_tls_version_range(s, NULL, &max_version))
241 return 0;
242
243 if (SSL_is_dtls(s)) {
244 if ((max_version = ssl_tls_to_dtls_version(max_version)) == 0)
245 return 0;
246 }
247
248 *max_ver = max_version;
249
250 return 1;
251 }
252
253 int
ssl_max_legacy_version(SSL * s,uint16_t * max_ver)254 ssl_max_legacy_version(SSL *s, uint16_t *max_ver)
255 {
256 uint16_t max_version;
257
258 if ((max_version = s->s3->hs.our_max_tls_version) > TLS1_2_VERSION)
259 max_version = TLS1_2_VERSION;
260
261 if (SSL_is_dtls(s)) {
262 if ((max_version = ssl_tls_to_dtls_version(max_version)) == 0)
263 return 0;
264 }
265
266 *max_ver = max_version;
267
268 return 1;
269 }
270
271 int
ssl_max_shared_version(SSL * s,uint16_t peer_ver,uint16_t * max_ver)272 ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver)
273 {
274 uint16_t min_version, max_version, peer_tls_version, shared_version;
275
276 *max_ver = 0;
277 peer_tls_version = peer_ver;
278
279 if (SSL_is_dtls(s)) {
280 if ((peer_ver >> 8) != DTLS1_VERSION_MAJOR)
281 return 0;
282
283 /*
284 * Convert the peer version to a TLS version - DTLS versions are
285 * the 1's complement of TLS version numbers (but not the actual
286 * protocol version numbers, that would be too sensible). Not to
287 * mention that DTLSv1.0 is really equivalent to DTLSv1.1.
288 */
289 peer_tls_version = ssl_dtls_to_tls_version(peer_ver);
290
291 /*
292 * This may be a version that we do not know about, if it is
293 * newer than DTLS1_2_VERSION (yes, less than is correct due
294 * to the "clever" versioning scheme), use TLS1_2_VERSION.
295 */
296 if (peer_tls_version == 0) {
297 if (peer_ver < DTLS1_2_VERSION)
298 peer_tls_version = TLS1_2_VERSION;
299 }
300 }
301
302 if (peer_tls_version >= TLS1_3_VERSION)
303 shared_version = TLS1_3_VERSION;
304 else if (peer_tls_version >= TLS1_2_VERSION)
305 shared_version = TLS1_2_VERSION;
306 else if (peer_tls_version >= TLS1_1_VERSION)
307 shared_version = TLS1_1_VERSION;
308 else if (peer_tls_version >= TLS1_VERSION)
309 shared_version = TLS1_VERSION;
310 else
311 return 0;
312
313 if (!ssl_supported_tls_version_range(s, &min_version, &max_version))
314 return 0;
315
316 if (shared_version < min_version)
317 return 0;
318
319 if (shared_version > max_version)
320 shared_version = max_version;
321
322 if (SSL_is_dtls(s)) {
323 /*
324 * The resulting shared version will by definition be something
325 * that we know about. Switch back from TLS to DTLS.
326 */
327 shared_version = ssl_tls_to_dtls_version(shared_version);
328 if (shared_version == 0)
329 return 0;
330 }
331
332 if (!ssl_security_version(s, shared_version))
333 return 0;
334
335 *max_ver = shared_version;
336
337 return 1;
338 }
339
340 int
ssl_check_version_from_server(SSL * s,uint16_t server_version)341 ssl_check_version_from_server(SSL *s, uint16_t server_version)
342 {
343 uint16_t min_tls_version, max_tls_version, server_tls_version;
344
345 /* Ensure that the version selected by the server is valid. */
346
347 server_tls_version = server_version;
348 if (SSL_is_dtls(s)) {
349 server_tls_version = ssl_dtls_to_tls_version(server_version);
350 if (server_tls_version == 0)
351 return 0;
352 }
353
354 if (!ssl_supported_tls_version_range(s, &min_tls_version,
355 &max_tls_version))
356 return 0;
357
358 if (server_tls_version < min_tls_version ||
359 server_tls_version > max_tls_version)
360 return 0;
361
362 return ssl_security_version(s, server_tls_version);
363 }
364
365 int
ssl_legacy_stack_version(SSL * s,uint16_t version)366 ssl_legacy_stack_version(SSL *s, uint16_t version)
367 {
368 if (SSL_is_dtls(s))
369 return version == DTLS1_VERSION || version == DTLS1_2_VERSION;
370
371 return version == TLS1_VERSION || version == TLS1_1_VERSION ||
372 version == TLS1_2_VERSION;
373 }
374