1 /* $OpenBSD: ssl_versions.c,v 1.24 2022/09/11 18:13:30 jsing Exp $ */
2 /*
3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 #include "ssl_locl.h"
19
20 static uint16_t
ssl_dtls_to_tls_version(uint16_t dtls_ver)21 ssl_dtls_to_tls_version(uint16_t dtls_ver)
22 {
23 if (dtls_ver == DTLS1_VERSION)
24 return TLS1_1_VERSION;
25 if (dtls_ver == DTLS1_2_VERSION)
26 return TLS1_2_VERSION;
27 return 0;
28 }
29
30 static uint16_t
ssl_tls_to_dtls_version(uint16_t tls_ver)31 ssl_tls_to_dtls_version(uint16_t tls_ver)
32 {
33 if (tls_ver == TLS1_1_VERSION)
34 return DTLS1_VERSION;
35 if (tls_ver == TLS1_2_VERSION)
36 return DTLS1_2_VERSION;
37 return 0;
38 }
39
40 static int
ssl_clamp_tls_version_range(uint16_t * min_ver,uint16_t * max_ver,uint16_t clamp_min,uint16_t clamp_max)41 ssl_clamp_tls_version_range(uint16_t *min_ver, uint16_t *max_ver,
42 uint16_t clamp_min, uint16_t clamp_max)
43 {
44 if (clamp_min > clamp_max || *min_ver > *max_ver)
45 return 0;
46 if (clamp_max < *min_ver || clamp_min > *max_ver)
47 return 0;
48
49 if (*min_ver < clamp_min)
50 *min_ver = clamp_min;
51 if (*max_ver > clamp_max)
52 *max_ver = clamp_max;
53
54 return 1;
55 }
56
57 int
ssl_version_set_min(const SSL_METHOD * meth,uint16_t proto_ver,uint16_t max_tls_ver,uint16_t * out_tls_ver,uint16_t * out_proto_ver)58 ssl_version_set_min(const SSL_METHOD *meth, uint16_t proto_ver,
59 uint16_t max_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver)
60 {
61 uint16_t min_proto, min_version, max_version;
62
63 if (proto_ver == 0) {
64 *out_tls_ver = meth->min_tls_version;
65 *out_proto_ver = 0;
66 return 1;
67 }
68
69 min_version = proto_ver;
70 max_version = max_tls_ver;
71
72 if (meth->dtls) {
73 if ((min_version = ssl_dtls_to_tls_version(proto_ver)) == 0)
74 return 0;
75 }
76
77 if (!ssl_clamp_tls_version_range(&min_version, &max_version,
78 meth->min_tls_version, meth->max_tls_version))
79 return 0;
80
81 min_proto = min_version;
82 if (meth->dtls) {
83 if ((min_proto = ssl_tls_to_dtls_version(min_version)) == 0)
84 return 0;
85 }
86 *out_tls_ver = min_version;
87 *out_proto_ver = min_proto;
88
89 return 1;
90 }
91
92 int
ssl_version_set_max(const SSL_METHOD * meth,uint16_t proto_ver,uint16_t min_tls_ver,uint16_t * out_tls_ver,uint16_t * out_proto_ver)93 ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver,
94 uint16_t min_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver)
95 {
96 uint16_t max_proto, min_version, max_version;
97
98 if (proto_ver == 0) {
99 *out_tls_ver = meth->max_tls_version;
100 *out_proto_ver = 0;
101 return 1;
102 }
103
104 min_version = min_tls_ver;
105 max_version = proto_ver;
106
107 if (meth->dtls) {
108 if ((max_version = ssl_dtls_to_tls_version(proto_ver)) == 0)
109 return 0;
110 }
111
112 if (!ssl_clamp_tls_version_range(&min_version, &max_version,
113 meth->min_tls_version, meth->max_tls_version))
114 return 0;
115
116 max_proto = max_version;
117 if (meth->dtls) {
118 if ((max_proto = ssl_tls_to_dtls_version(max_version)) == 0)
119 return 0;
120 }
121 *out_tls_ver = max_version;
122 *out_proto_ver = max_proto;
123
124 return 1;
125 }
126
127 int
ssl_enabled_tls_version_range(SSL * s,uint16_t * min_ver,uint16_t * max_ver)128 ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
129 {
130 uint16_t min_version, max_version;
131 unsigned long options;
132
133 /*
134 * The enabled versions have to be a contiguous range, which means we
135 * cannot enable and disable single versions at our whim, even though
136 * this is what the OpenSSL flags allow. The historical way this has
137 * been handled is by making a flag mean that all higher versions
138 * are disabled, if any version lower than the flag is enabled.
139 */
140
141 min_version = 0;
142 max_version = TLS1_3_VERSION;
143 options = s->internal->options;
144
145 if (SSL_is_dtls(s)) {
146 options = 0;
147 if (s->internal->options & SSL_OP_NO_DTLSv1)
148 options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
149 if (s->internal->options & SSL_OP_NO_DTLSv1_2)
150 options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2;
151 }
152
153 if ((options & SSL_OP_NO_TLSv1) == 0)
154 min_version = TLS1_VERSION;
155 else if ((options & SSL_OP_NO_TLSv1_1) == 0)
156 min_version = TLS1_1_VERSION;
157 else if ((options & SSL_OP_NO_TLSv1_2) == 0)
158 min_version = TLS1_2_VERSION;
159 else if ((options & SSL_OP_NO_TLSv1_3) == 0)
160 min_version = TLS1_3_VERSION;
161
162 if ((options & SSL_OP_NO_TLSv1_3) && min_version < TLS1_3_VERSION)
163 max_version = TLS1_2_VERSION;
164 if ((options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION)
165 max_version = TLS1_1_VERSION;
166 if ((options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION)
167 max_version = TLS1_VERSION;
168 if ((options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION)
169 max_version = 0;
170
171 /* Everything has been disabled... */
172 if (min_version == 0 || max_version == 0)
173 return 0;
174
175 /* Limit to configured version range. */
176 if (!ssl_clamp_tls_version_range(&min_version, &max_version,
177 s->internal->min_tls_version, s->internal->max_tls_version))
178 return 0;
179
180 /* QUIC requires a minimum of TLSv1.3. */
181 if (SSL_is_quic(s)) {
182 if (max_version < TLS1_3_VERSION)
183 return 0;
184 if (min_version < TLS1_3_VERSION)
185 min_version = TLS1_3_VERSION;
186 }
187
188 if (min_ver != NULL)
189 *min_ver = min_version;
190 if (max_ver != NULL)
191 *max_ver = max_version;
192
193 return 1;
194 }
195
196 int
ssl_supported_tls_version_range(SSL * s,uint16_t * min_ver,uint16_t * max_ver)197 ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
198 {
199 uint16_t min_version, max_version;
200
201 if (!ssl_enabled_tls_version_range(s, &min_version, &max_version))
202 return 0;
203
204 /* Limit to the versions supported by this method. */
205 if (!ssl_clamp_tls_version_range(&min_version, &max_version,
206 s->method->min_tls_version, s->method->max_tls_version))
207 return 0;
208
209 if (min_ver != NULL)
210 *min_ver = min_version;
211 if (max_ver != NULL)
212 *max_ver = max_version;
213
214 return 1;
215 }
216
217 uint16_t
ssl_tls_version(uint16_t version)218 ssl_tls_version(uint16_t version)
219 {
220 if (version == TLS1_VERSION || version == TLS1_1_VERSION ||
221 version == TLS1_2_VERSION || version == TLS1_3_VERSION)
222 return version;
223
224 if (version == DTLS1_VERSION)
225 return TLS1_1_VERSION;
226 if (version == DTLS1_2_VERSION)
227 return TLS1_2_VERSION;
228
229 return 0;
230 }
231
232 uint16_t
ssl_effective_tls_version(SSL * s)233 ssl_effective_tls_version(SSL *s)
234 {
235 if (s->s3->hs.negotiated_tls_version > 0)
236 return s->s3->hs.negotiated_tls_version;
237
238 return s->s3->hs.our_max_tls_version;
239 }
240
241 int
ssl_max_supported_version(SSL * s,uint16_t * max_ver)242 ssl_max_supported_version(SSL *s, uint16_t *max_ver)
243 {
244 uint16_t max_version;
245
246 *max_ver = 0;
247
248 if (!ssl_supported_tls_version_range(s, NULL, &max_version))
249 return 0;
250
251 if (SSL_is_dtls(s)) {
252 if ((max_version = ssl_tls_to_dtls_version(max_version)) == 0)
253 return 0;
254 }
255
256 *max_ver = max_version;
257
258 return 1;
259 }
260
261 int
ssl_max_legacy_version(SSL * s,uint16_t * max_ver)262 ssl_max_legacy_version(SSL *s, uint16_t *max_ver)
263 {
264 uint16_t max_version;
265
266 if ((max_version = s->s3->hs.our_max_tls_version) > TLS1_2_VERSION)
267 max_version = TLS1_2_VERSION;
268
269 if (SSL_is_dtls(s)) {
270 if ((max_version = ssl_tls_to_dtls_version(max_version)) == 0)
271 return 0;
272 }
273
274 *max_ver = max_version;
275
276 return 1;
277 }
278
279 int
ssl_max_shared_version(SSL * s,uint16_t peer_ver,uint16_t * max_ver)280 ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver)
281 {
282 uint16_t min_version, max_version, peer_tls_version, shared_version;
283
284 *max_ver = 0;
285 peer_tls_version = peer_ver;
286
287 if (SSL_is_dtls(s)) {
288 if ((peer_ver >> 8) != DTLS1_VERSION_MAJOR)
289 return 0;
290
291 /*
292 * Convert the peer version to a TLS version - DTLS versions are
293 * the 1's complement of TLS version numbers (but not the actual
294 * protocol version numbers, that would be too sensible). Not to
295 * mention that DTLSv1.0 is really equivalent to DTLSv1.1.
296 */
297 peer_tls_version = ssl_dtls_to_tls_version(peer_ver);
298
299 /*
300 * This may be a version that we do not know about, if it is
301 * newer than DTLS1_2_VERSION (yes, less than is correct due
302 * to the "clever" versioning scheme), use TLS1_2_VERSION.
303 */
304 if (peer_tls_version == 0) {
305 if (peer_ver < DTLS1_2_VERSION)
306 peer_tls_version = TLS1_2_VERSION;
307 }
308 }
309
310 if (peer_tls_version >= TLS1_3_VERSION)
311 shared_version = TLS1_3_VERSION;
312 else if (peer_tls_version >= TLS1_2_VERSION)
313 shared_version = TLS1_2_VERSION;
314 else if (peer_tls_version >= TLS1_1_VERSION)
315 shared_version = TLS1_1_VERSION;
316 else if (peer_tls_version >= TLS1_VERSION)
317 shared_version = TLS1_VERSION;
318 else
319 return 0;
320
321 if (!ssl_supported_tls_version_range(s, &min_version, &max_version))
322 return 0;
323
324 if (shared_version < min_version)
325 return 0;
326
327 if (shared_version > max_version)
328 shared_version = max_version;
329
330 if (SSL_is_dtls(s)) {
331 /*
332 * The resulting shared version will by definition be something
333 * that we know about. Switch back from TLS to DTLS.
334 */
335 shared_version = ssl_tls_to_dtls_version(shared_version);
336 if (shared_version == 0)
337 return 0;
338 }
339
340 if (!ssl_security_version(s, shared_version))
341 return 0;
342
343 *max_ver = shared_version;
344
345 return 1;
346 }
347
348 int
ssl_check_version_from_server(SSL * s,uint16_t server_version)349 ssl_check_version_from_server(SSL *s, uint16_t server_version)
350 {
351 uint16_t min_tls_version, max_tls_version, server_tls_version;
352
353 /* Ensure that the version selected by the server is valid. */
354
355 server_tls_version = server_version;
356 if (SSL_is_dtls(s)) {
357 server_tls_version = ssl_dtls_to_tls_version(server_version);
358 if (server_tls_version == 0)
359 return 0;
360 }
361
362 if (!ssl_supported_tls_version_range(s, &min_tls_version,
363 &max_tls_version))
364 return 0;
365
366 if (server_tls_version < min_tls_version ||
367 server_tls_version > max_tls_version)
368 return 0;
369
370 return ssl_security_version(s, server_tls_version);
371 }
372
373 int
ssl_legacy_stack_version(SSL * s,uint16_t version)374 ssl_legacy_stack_version(SSL *s, uint16_t version)
375 {
376 if (SSL_is_dtls(s))
377 return version == DTLS1_VERSION || version == DTLS1_2_VERSION;
378
379 return version == TLS1_VERSION || version == TLS1_1_VERSION ||
380 version == TLS1_2_VERSION;
381 }
382