xref: /dragonfly/crypto/libressl/ssl/ssl_versions.c (revision 961e30ea7dc61d1112b778ea4981eac68129fb86)
1 /* $OpenBSD: ssl_versions.c,v 1.24 2022/09/11 18:13:30 jsing Exp $ */
2 /*
3  * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4  *
5  * Permission to use, copy, modify, and distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 
18 #include "ssl_locl.h"
19 
20 static uint16_t
ssl_dtls_to_tls_version(uint16_t dtls_ver)21 ssl_dtls_to_tls_version(uint16_t dtls_ver)
22 {
23           if (dtls_ver == DTLS1_VERSION)
24                     return TLS1_1_VERSION;
25           if (dtls_ver == DTLS1_2_VERSION)
26                     return TLS1_2_VERSION;
27           return 0;
28 }
29 
30 static uint16_t
ssl_tls_to_dtls_version(uint16_t tls_ver)31 ssl_tls_to_dtls_version(uint16_t tls_ver)
32 {
33           if (tls_ver == TLS1_1_VERSION)
34                     return DTLS1_VERSION;
35           if (tls_ver == TLS1_2_VERSION)
36                     return DTLS1_2_VERSION;
37           return 0;
38 }
39 
40 static int
ssl_clamp_tls_version_range(uint16_t * min_ver,uint16_t * max_ver,uint16_t clamp_min,uint16_t clamp_max)41 ssl_clamp_tls_version_range(uint16_t *min_ver, uint16_t *max_ver,
42     uint16_t clamp_min, uint16_t clamp_max)
43 {
44           if (clamp_min > clamp_max || *min_ver > *max_ver)
45                     return 0;
46           if (clamp_max < *min_ver || clamp_min > *max_ver)
47                     return 0;
48 
49           if (*min_ver < clamp_min)
50                     *min_ver = clamp_min;
51           if (*max_ver > clamp_max)
52                     *max_ver = clamp_max;
53 
54           return 1;
55 }
56 
57 int
ssl_version_set_min(const SSL_METHOD * meth,uint16_t proto_ver,uint16_t max_tls_ver,uint16_t * out_tls_ver,uint16_t * out_proto_ver)58 ssl_version_set_min(const SSL_METHOD *meth, uint16_t proto_ver,
59     uint16_t max_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver)
60 {
61           uint16_t min_proto, min_version, max_version;
62 
63           if (proto_ver == 0) {
64                     *out_tls_ver = meth->min_tls_version;
65                     *out_proto_ver = 0;
66                     return 1;
67           }
68 
69           min_version = proto_ver;
70           max_version = max_tls_ver;
71 
72           if (meth->dtls) {
73                     if ((min_version = ssl_dtls_to_tls_version(proto_ver)) == 0)
74                               return 0;
75           }
76 
77           if (!ssl_clamp_tls_version_range(&min_version, &max_version,
78               meth->min_tls_version, meth->max_tls_version))
79                     return 0;
80 
81           min_proto = min_version;
82           if (meth->dtls) {
83                     if ((min_proto = ssl_tls_to_dtls_version(min_version)) == 0)
84                               return 0;
85           }
86           *out_tls_ver = min_version;
87           *out_proto_ver = min_proto;
88 
89           return 1;
90 }
91 
92 int
ssl_version_set_max(const SSL_METHOD * meth,uint16_t proto_ver,uint16_t min_tls_ver,uint16_t * out_tls_ver,uint16_t * out_proto_ver)93 ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver,
94     uint16_t min_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver)
95 {
96           uint16_t max_proto, min_version, max_version;
97 
98           if (proto_ver == 0) {
99                     *out_tls_ver = meth->max_tls_version;
100                     *out_proto_ver = 0;
101                     return 1;
102           }
103 
104           min_version = min_tls_ver;
105           max_version = proto_ver;
106 
107           if (meth->dtls) {
108                     if ((max_version = ssl_dtls_to_tls_version(proto_ver)) == 0)
109                               return 0;
110           }
111 
112           if (!ssl_clamp_tls_version_range(&min_version, &max_version,
113               meth->min_tls_version, meth->max_tls_version))
114                     return 0;
115 
116           max_proto = max_version;
117           if (meth->dtls) {
118                     if ((max_proto = ssl_tls_to_dtls_version(max_version)) == 0)
119                               return 0;
120           }
121           *out_tls_ver = max_version;
122           *out_proto_ver = max_proto;
123 
124           return 1;
125 }
126 
127 int
ssl_enabled_tls_version_range(SSL * s,uint16_t * min_ver,uint16_t * max_ver)128 ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
129 {
130           uint16_t min_version, max_version;
131           unsigned long options;
132 
133           /*
134            * The enabled versions have to be a contiguous range, which means we
135            * cannot enable and disable single versions at our whim, even though
136            * this is what the OpenSSL flags allow. The historical way this has
137            * been handled is by making a flag mean that all higher versions
138            * are disabled, if any version lower than the flag is enabled.
139            */
140 
141           min_version = 0;
142           max_version = TLS1_3_VERSION;
143           options = s->internal->options;
144 
145           if (SSL_is_dtls(s)) {
146                     options = 0;
147                     if (s->internal->options & SSL_OP_NO_DTLSv1)
148                               options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
149                     if (s->internal->options & SSL_OP_NO_DTLSv1_2)
150                               options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2;
151           }
152 
153           if ((options & SSL_OP_NO_TLSv1) == 0)
154                     min_version = TLS1_VERSION;
155           else if ((options & SSL_OP_NO_TLSv1_1) == 0)
156                     min_version = TLS1_1_VERSION;
157           else if ((options & SSL_OP_NO_TLSv1_2) == 0)
158                     min_version = TLS1_2_VERSION;
159           else if ((options & SSL_OP_NO_TLSv1_3) == 0)
160                     min_version = TLS1_3_VERSION;
161 
162           if ((options & SSL_OP_NO_TLSv1_3) && min_version < TLS1_3_VERSION)
163                     max_version = TLS1_2_VERSION;
164           if ((options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION)
165                     max_version = TLS1_1_VERSION;
166           if ((options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION)
167                     max_version = TLS1_VERSION;
168           if ((options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION)
169                     max_version = 0;
170 
171           /* Everything has been disabled... */
172           if (min_version == 0 || max_version == 0)
173                     return 0;
174 
175           /* Limit to configured version range. */
176           if (!ssl_clamp_tls_version_range(&min_version, &max_version,
177               s->internal->min_tls_version, s->internal->max_tls_version))
178                     return 0;
179 
180           /* QUIC requires a minimum of TLSv1.3. */
181           if (SSL_is_quic(s)) {
182                     if (max_version < TLS1_3_VERSION)
183                               return 0;
184                     if (min_version < TLS1_3_VERSION)
185                               min_version = TLS1_3_VERSION;
186           }
187 
188           if (min_ver != NULL)
189                     *min_ver = min_version;
190           if (max_ver != NULL)
191                     *max_ver = max_version;
192 
193           return 1;
194 }
195 
196 int
ssl_supported_tls_version_range(SSL * s,uint16_t * min_ver,uint16_t * max_ver)197 ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
198 {
199           uint16_t min_version, max_version;
200 
201           if (!ssl_enabled_tls_version_range(s, &min_version, &max_version))
202                     return 0;
203 
204           /* Limit to the versions supported by this method. */
205           if (!ssl_clamp_tls_version_range(&min_version, &max_version,
206               s->method->min_tls_version, s->method->max_tls_version))
207                     return 0;
208 
209           if (min_ver != NULL)
210                     *min_ver = min_version;
211           if (max_ver != NULL)
212                     *max_ver = max_version;
213 
214           return 1;
215 }
216 
217 uint16_t
ssl_tls_version(uint16_t version)218 ssl_tls_version(uint16_t version)
219 {
220           if (version == TLS1_VERSION || version == TLS1_1_VERSION ||
221               version == TLS1_2_VERSION || version == TLS1_3_VERSION)
222                     return version;
223 
224           if (version == DTLS1_VERSION)
225                     return TLS1_1_VERSION;
226           if (version == DTLS1_2_VERSION)
227                     return TLS1_2_VERSION;
228 
229           return 0;
230 }
231 
232 uint16_t
ssl_effective_tls_version(SSL * s)233 ssl_effective_tls_version(SSL *s)
234 {
235           if (s->s3->hs.negotiated_tls_version > 0)
236                     return s->s3->hs.negotiated_tls_version;
237 
238           return s->s3->hs.our_max_tls_version;
239 }
240 
241 int
ssl_max_supported_version(SSL * s,uint16_t * max_ver)242 ssl_max_supported_version(SSL *s, uint16_t *max_ver)
243 {
244           uint16_t max_version;
245 
246           *max_ver = 0;
247 
248           if (!ssl_supported_tls_version_range(s, NULL, &max_version))
249                     return 0;
250 
251           if (SSL_is_dtls(s)) {
252                     if ((max_version = ssl_tls_to_dtls_version(max_version)) == 0)
253                               return 0;
254           }
255 
256           *max_ver = max_version;
257 
258           return 1;
259 }
260 
261 int
ssl_max_legacy_version(SSL * s,uint16_t * max_ver)262 ssl_max_legacy_version(SSL *s, uint16_t *max_ver)
263 {
264           uint16_t max_version;
265 
266           if ((max_version = s->s3->hs.our_max_tls_version) > TLS1_2_VERSION)
267                     max_version = TLS1_2_VERSION;
268 
269           if (SSL_is_dtls(s)) {
270                     if ((max_version = ssl_tls_to_dtls_version(max_version)) == 0)
271                               return 0;
272           }
273 
274           *max_ver = max_version;
275 
276           return 1;
277 }
278 
279 int
ssl_max_shared_version(SSL * s,uint16_t peer_ver,uint16_t * max_ver)280 ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver)
281 {
282           uint16_t min_version, max_version, peer_tls_version, shared_version;
283 
284           *max_ver = 0;
285           peer_tls_version = peer_ver;
286 
287           if (SSL_is_dtls(s)) {
288                     if ((peer_ver >> 8) != DTLS1_VERSION_MAJOR)
289                               return 0;
290 
291                     /*
292                      * Convert the peer version to a TLS version - DTLS versions are
293                      * the 1's complement of TLS version numbers (but not the actual
294                      * protocol version numbers, that would be too sensible). Not to
295                      * mention that DTLSv1.0 is really equivalent to DTLSv1.1.
296                      */
297                     peer_tls_version = ssl_dtls_to_tls_version(peer_ver);
298 
299                     /*
300                      * This may be a version that we do not know about, if it is
301                      * newer than DTLS1_2_VERSION (yes, less than is correct due
302                      * to the "clever" versioning scheme), use TLS1_2_VERSION.
303                      */
304                     if (peer_tls_version == 0) {
305                               if (peer_ver < DTLS1_2_VERSION)
306                                         peer_tls_version = TLS1_2_VERSION;
307                     }
308           }
309 
310           if (peer_tls_version >= TLS1_3_VERSION)
311                     shared_version = TLS1_3_VERSION;
312           else if (peer_tls_version >= TLS1_2_VERSION)
313                     shared_version = TLS1_2_VERSION;
314           else if (peer_tls_version >= TLS1_1_VERSION)
315                     shared_version = TLS1_1_VERSION;
316           else if (peer_tls_version >= TLS1_VERSION)
317                     shared_version = TLS1_VERSION;
318           else
319                     return 0;
320 
321           if (!ssl_supported_tls_version_range(s, &min_version, &max_version))
322                     return 0;
323 
324           if (shared_version < min_version)
325                     return 0;
326 
327           if (shared_version > max_version)
328                     shared_version = max_version;
329 
330           if (SSL_is_dtls(s)) {
331                     /*
332                      * The resulting shared version will by definition be something
333                      * that we know about. Switch back from TLS to DTLS.
334                      */
335                     shared_version = ssl_tls_to_dtls_version(shared_version);
336                     if (shared_version == 0)
337                               return 0;
338           }
339 
340           if (!ssl_security_version(s, shared_version))
341                     return 0;
342 
343           *max_ver = shared_version;
344 
345           return 1;
346 }
347 
348 int
ssl_check_version_from_server(SSL * s,uint16_t server_version)349 ssl_check_version_from_server(SSL *s, uint16_t server_version)
350 {
351           uint16_t min_tls_version, max_tls_version, server_tls_version;
352 
353           /* Ensure that the version selected by the server is valid. */
354 
355           server_tls_version = server_version;
356           if (SSL_is_dtls(s)) {
357                     server_tls_version = ssl_dtls_to_tls_version(server_version);
358                     if (server_tls_version == 0)
359                               return 0;
360           }
361 
362           if (!ssl_supported_tls_version_range(s, &min_tls_version,
363               &max_tls_version))
364                     return 0;
365 
366           if (server_tls_version < min_tls_version ||
367               server_tls_version > max_tls_version)
368                     return 0;
369 
370           return ssl_security_version(s, server_tls_version);
371 }
372 
373 int
ssl_legacy_stack_version(SSL * s,uint16_t version)374 ssl_legacy_stack_version(SSL *s, uint16_t version)
375 {
376           if (SSL_is_dtls(s))
377                     return version == DTLS1_VERSION || version == DTLS1_2_VERSION;
378 
379           return version == TLS1_VERSION || version == TLS1_1_VERSION ||
380               version == TLS1_2_VERSION;
381 }
382