1 /* $OpenBSD: ssl_versions.c,v 1.24 2022/09/11 18:13:30 jsing Exp $ */ 2 /* 3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include "ssl_locl.h" 19 20 static uint16_t 21 ssl_dtls_to_tls_version(uint16_t dtls_ver) 22 { 23 if (dtls_ver == DTLS1_VERSION) 24 return TLS1_1_VERSION; 25 if (dtls_ver == DTLS1_2_VERSION) 26 return TLS1_2_VERSION; 27 return 0; 28 } 29 30 static uint16_t 31 ssl_tls_to_dtls_version(uint16_t tls_ver) 32 { 33 if (tls_ver == TLS1_1_VERSION) 34 return DTLS1_VERSION; 35 if (tls_ver == TLS1_2_VERSION) 36 return DTLS1_2_VERSION; 37 return 0; 38 } 39 40 static int 41 ssl_clamp_tls_version_range(uint16_t *min_ver, uint16_t *max_ver, 42 uint16_t clamp_min, uint16_t clamp_max) 43 { 44 if (clamp_min > clamp_max || *min_ver > *max_ver) 45 return 0; 46 if (clamp_max < *min_ver || clamp_min > *max_ver) 47 return 0; 48 49 if (*min_ver < clamp_min) 50 *min_ver = clamp_min; 51 if (*max_ver > clamp_max) 52 *max_ver = clamp_max; 53 54 return 1; 55 } 56 57 int 58 ssl_version_set_min(const SSL_METHOD *meth, uint16_t proto_ver, 59 uint16_t max_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver) 60 { 61 uint16_t min_proto, min_version, max_version; 62 63 if (proto_ver == 0) { 64 *out_tls_ver = meth->min_tls_version; 65 *out_proto_ver = 0; 66 return 1; 67 } 68 69 min_version = proto_ver; 70 max_version = max_tls_ver; 71 72 if (meth->dtls) { 73 if ((min_version = ssl_dtls_to_tls_version(proto_ver)) == 0) 74 return 0; 75 } 76 77 if (!ssl_clamp_tls_version_range(&min_version, &max_version, 78 meth->min_tls_version, meth->max_tls_version)) 79 return 0; 80 81 min_proto = min_version; 82 if (meth->dtls) { 83 if ((min_proto = ssl_tls_to_dtls_version(min_version)) == 0) 84 return 0; 85 } 86 *out_tls_ver = min_version; 87 *out_proto_ver = min_proto; 88 89 return 1; 90 } 91 92 int 93 ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver, 94 uint16_t min_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver) 95 { 96 uint16_t max_proto, min_version, max_version; 97 98 if (proto_ver == 0) { 99 *out_tls_ver = meth->max_tls_version; 100 *out_proto_ver = 0; 101 return 1; 102 } 103 104 min_version = min_tls_ver; 105 max_version = proto_ver; 106 107 if (meth->dtls) { 108 if ((max_version = ssl_dtls_to_tls_version(proto_ver)) == 0) 109 return 0; 110 } 111 112 if (!ssl_clamp_tls_version_range(&min_version, &max_version, 113 meth->min_tls_version, meth->max_tls_version)) 114 return 0; 115 116 max_proto = max_version; 117 if (meth->dtls) { 118 if ((max_proto = ssl_tls_to_dtls_version(max_version)) == 0) 119 return 0; 120 } 121 *out_tls_ver = max_version; 122 *out_proto_ver = max_proto; 123 124 return 1; 125 } 126 127 int 128 ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) 129 { 130 uint16_t min_version, max_version; 131 unsigned long options; 132 133 /* 134 * The enabled versions have to be a contiguous range, which means we 135 * cannot enable and disable single versions at our whim, even though 136 * this is what the OpenSSL flags allow. The historical way this has 137 * been handled is by making a flag mean that all higher versions 138 * are disabled, if any version lower than the flag is enabled. 139 */ 140 141 min_version = 0; 142 max_version = TLS1_3_VERSION; 143 options = s->internal->options; 144 145 if (SSL_is_dtls(s)) { 146 options = 0; 147 if (s->internal->options & SSL_OP_NO_DTLSv1) 148 options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1; 149 if (s->internal->options & SSL_OP_NO_DTLSv1_2) 150 options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2; 151 } 152 153 if ((options & SSL_OP_NO_TLSv1) == 0) 154 min_version = TLS1_VERSION; 155 else if ((options & SSL_OP_NO_TLSv1_1) == 0) 156 min_version = TLS1_1_VERSION; 157 else if ((options & SSL_OP_NO_TLSv1_2) == 0) 158 min_version = TLS1_2_VERSION; 159 else if ((options & SSL_OP_NO_TLSv1_3) == 0) 160 min_version = TLS1_3_VERSION; 161 162 if ((options & SSL_OP_NO_TLSv1_3) && min_version < TLS1_3_VERSION) 163 max_version = TLS1_2_VERSION; 164 if ((options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION) 165 max_version = TLS1_1_VERSION; 166 if ((options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION) 167 max_version = TLS1_VERSION; 168 if ((options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION) 169 max_version = 0; 170 171 /* Everything has been disabled... */ 172 if (min_version == 0 || max_version == 0) 173 return 0; 174 175 /* Limit to configured version range. */ 176 if (!ssl_clamp_tls_version_range(&min_version, &max_version, 177 s->internal->min_tls_version, s->internal->max_tls_version)) 178 return 0; 179 180 /* QUIC requires a minimum of TLSv1.3. */ 181 if (SSL_is_quic(s)) { 182 if (max_version < TLS1_3_VERSION) 183 return 0; 184 if (min_version < TLS1_3_VERSION) 185 min_version = TLS1_3_VERSION; 186 } 187 188 if (min_ver != NULL) 189 *min_ver = min_version; 190 if (max_ver != NULL) 191 *max_ver = max_version; 192 193 return 1; 194 } 195 196 int 197 ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) 198 { 199 uint16_t min_version, max_version; 200 201 if (!ssl_enabled_tls_version_range(s, &min_version, &max_version)) 202 return 0; 203 204 /* Limit to the versions supported by this method. */ 205 if (!ssl_clamp_tls_version_range(&min_version, &max_version, 206 s->method->min_tls_version, s->method->max_tls_version)) 207 return 0; 208 209 if (min_ver != NULL) 210 *min_ver = min_version; 211 if (max_ver != NULL) 212 *max_ver = max_version; 213 214 return 1; 215 } 216 217 uint16_t 218 ssl_tls_version(uint16_t version) 219 { 220 if (version == TLS1_VERSION || version == TLS1_1_VERSION || 221 version == TLS1_2_VERSION || version == TLS1_3_VERSION) 222 return version; 223 224 if (version == DTLS1_VERSION) 225 return TLS1_1_VERSION; 226 if (version == DTLS1_2_VERSION) 227 return TLS1_2_VERSION; 228 229 return 0; 230 } 231 232 uint16_t 233 ssl_effective_tls_version(SSL *s) 234 { 235 if (s->s3->hs.negotiated_tls_version > 0) 236 return s->s3->hs.negotiated_tls_version; 237 238 return s->s3->hs.our_max_tls_version; 239 } 240 241 int 242 ssl_max_supported_version(SSL *s, uint16_t *max_ver) 243 { 244 uint16_t max_version; 245 246 *max_ver = 0; 247 248 if (!ssl_supported_tls_version_range(s, NULL, &max_version)) 249 return 0; 250 251 if (SSL_is_dtls(s)) { 252 if ((max_version = ssl_tls_to_dtls_version(max_version)) == 0) 253 return 0; 254 } 255 256 *max_ver = max_version; 257 258 return 1; 259 } 260 261 int 262 ssl_max_legacy_version(SSL *s, uint16_t *max_ver) 263 { 264 uint16_t max_version; 265 266 if ((max_version = s->s3->hs.our_max_tls_version) > TLS1_2_VERSION) 267 max_version = TLS1_2_VERSION; 268 269 if (SSL_is_dtls(s)) { 270 if ((max_version = ssl_tls_to_dtls_version(max_version)) == 0) 271 return 0; 272 } 273 274 *max_ver = max_version; 275 276 return 1; 277 } 278 279 int 280 ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver) 281 { 282 uint16_t min_version, max_version, peer_tls_version, shared_version; 283 284 *max_ver = 0; 285 peer_tls_version = peer_ver; 286 287 if (SSL_is_dtls(s)) { 288 if ((peer_ver >> 8) != DTLS1_VERSION_MAJOR) 289 return 0; 290 291 /* 292 * Convert the peer version to a TLS version - DTLS versions are 293 * the 1's complement of TLS version numbers (but not the actual 294 * protocol version numbers, that would be too sensible). Not to 295 * mention that DTLSv1.0 is really equivalent to DTLSv1.1. 296 */ 297 peer_tls_version = ssl_dtls_to_tls_version(peer_ver); 298 299 /* 300 * This may be a version that we do not know about, if it is 301 * newer than DTLS1_2_VERSION (yes, less than is correct due 302 * to the "clever" versioning scheme), use TLS1_2_VERSION. 303 */ 304 if (peer_tls_version == 0) { 305 if (peer_ver < DTLS1_2_VERSION) 306 peer_tls_version = TLS1_2_VERSION; 307 } 308 } 309 310 if (peer_tls_version >= TLS1_3_VERSION) 311 shared_version = TLS1_3_VERSION; 312 else if (peer_tls_version >= TLS1_2_VERSION) 313 shared_version = TLS1_2_VERSION; 314 else if (peer_tls_version >= TLS1_1_VERSION) 315 shared_version = TLS1_1_VERSION; 316 else if (peer_tls_version >= TLS1_VERSION) 317 shared_version = TLS1_VERSION; 318 else 319 return 0; 320 321 if (!ssl_supported_tls_version_range(s, &min_version, &max_version)) 322 return 0; 323 324 if (shared_version < min_version) 325 return 0; 326 327 if (shared_version > max_version) 328 shared_version = max_version; 329 330 if (SSL_is_dtls(s)) { 331 /* 332 * The resulting shared version will by definition be something 333 * that we know about. Switch back from TLS to DTLS. 334 */ 335 shared_version = ssl_tls_to_dtls_version(shared_version); 336 if (shared_version == 0) 337 return 0; 338 } 339 340 if (!ssl_security_version(s, shared_version)) 341 return 0; 342 343 *max_ver = shared_version; 344 345 return 1; 346 } 347 348 int 349 ssl_check_version_from_server(SSL *s, uint16_t server_version) 350 { 351 uint16_t min_tls_version, max_tls_version, server_tls_version; 352 353 /* Ensure that the version selected by the server is valid. */ 354 355 server_tls_version = server_version; 356 if (SSL_is_dtls(s)) { 357 server_tls_version = ssl_dtls_to_tls_version(server_version); 358 if (server_tls_version == 0) 359 return 0; 360 } 361 362 if (!ssl_supported_tls_version_range(s, &min_tls_version, 363 &max_tls_version)) 364 return 0; 365 366 if (server_tls_version < min_tls_version || 367 server_tls_version > max_tls_version) 368 return 0; 369 370 return ssl_security_version(s, server_tls_version); 371 } 372 373 int 374 ssl_legacy_stack_version(SSL *s, uint16_t version) 375 { 376 if (SSL_is_dtls(s)) 377 return version == DTLS1_VERSION || version == DTLS1_2_VERSION; 378 379 return version == TLS1_VERSION || version == TLS1_1_VERSION || 380 version == TLS1_2_VERSION; 381 } 382