1/* $OpenBSD: ssl_versions.c,v 1.27 2023/07/02 17:21:32 beck Exp $ */ 2/* 3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18#include "ssl_local.h" 19 20static uint16_t 21ssl_dtls_to_tls_version(uint16_t dtls_ver) 22{ 23 if (dtls_ver == DTLS1_VERSION) 24 return TLS1_1_VERSION; 25 if (dtls_ver == DTLS1_2_VERSION) 26 return TLS1_2_VERSION; 27 return 0; 28} 29 30static uint16_t 31ssl_tls_to_dtls_version(uint16_t tls_ver) 32{ 33 if (tls_ver == TLS1_1_VERSION) 34 return DTLS1_VERSION; 35 if (tls_ver == TLS1_2_VERSION) 36 return DTLS1_2_VERSION; 37 return 0; 38} 39 40static int 41ssl_clamp_tls_version_range(uint16_t *min_ver, uint16_t *max_ver, 42 uint16_t clamp_min, uint16_t clamp_max) 43{ 44 if (clamp_min > clamp_max || *min_ver > *max_ver) 45 return 0; 46 if (clamp_max < *min_ver || clamp_min > *max_ver) 47 return 0; 48 49 if (*min_ver < clamp_min) 50 *min_ver = clamp_min; 51 if (*max_ver > clamp_max) 52 *max_ver = clamp_max; 53 54 return 1; 55} 56 57int 58ssl_version_set_min(const SSL_METHOD *meth, uint16_t proto_ver, 59 uint16_t max_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver) 60{ 61 uint16_t min_proto, min_version, max_version; 62 63 if (proto_ver == 0) { 64 *out_tls_ver = meth->min_tls_version; 65 *out_proto_ver = 0; 66 return 1; 67 } 68 69 min_version = proto_ver; 70 max_version = max_tls_ver; 71 72 if (meth->dtls) { 73 if ((min_version = ssl_dtls_to_tls_version(proto_ver)) == 0) 74 return 0; 75 } 76 77 if (!ssl_clamp_tls_version_range(&min_version, &max_version, 78 meth->min_tls_version, meth->max_tls_version)) 79 return 0; 80 81 min_proto = min_version; 82 if (meth->dtls) { 83 if ((min_proto = ssl_tls_to_dtls_version(min_version)) == 0) 84 return 0; 85 } 86 *out_tls_ver = min_version; 87 *out_proto_ver = min_proto; 88 89 return 1; 90} 91 92int 93ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver, 94 uint16_t min_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver) 95{ 96 uint16_t max_proto, min_version, max_version; 97 98 if (proto_ver == 0) { 99 *out_tls_ver = meth->max_tls_version; 100 *out_proto_ver = 0; 101 return 1; 102 } 103 104 min_version = min_tls_ver; 105 max_version = proto_ver; 106 107 if (meth->dtls) { 108 if ((max_version = ssl_dtls_to_tls_version(proto_ver)) == 0) 109 return 0; 110 } 111 112 if (!ssl_clamp_tls_version_range(&min_version, &max_version, 113 meth->min_tls_version, meth->max_tls_version)) 114 return 0; 115 116 max_proto = max_version; 117 if (meth->dtls) { 118 if ((max_proto = ssl_tls_to_dtls_version(max_version)) == 0) 119 return 0; 120 } 121 *out_tls_ver = max_version; 122 *out_proto_ver = max_proto; 123 124 return 1; 125} 126 127int 128ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) 129{ 130 uint16_t min_version, max_version; 131 unsigned long options; 132 133 /* 134 * The enabled versions have to be a contiguous range, which means we 135 * cannot enable and disable single versions at our whim, even though 136 * this is what the OpenSSL flags allow. The historical way this has 137 * been handled is by making a flag mean that all higher versions 138 * are disabled, if any version lower than the flag is enabled. 139 */ 140 141 min_version = 0; 142 max_version = TLS1_3_VERSION; 143 options = s->options; 144 145 if (SSL_is_dtls(s)) { 146 options = 0; 147 if (s->options & SSL_OP_NO_DTLSv1) 148 options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1; 149 if (s->options & SSL_OP_NO_DTLSv1_2) 150 options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2; 151 } 152 153 if ((options & SSL_OP_NO_TLSv1_2) == 0) 154 min_version = TLS1_2_VERSION; 155 else if ((options & SSL_OP_NO_TLSv1_3) == 0) 156 min_version = TLS1_3_VERSION; 157 158 if ((options & SSL_OP_NO_TLSv1_3) && min_version < TLS1_3_VERSION) 159 max_version = TLS1_2_VERSION; 160 if ((options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION) 161 max_version = 0; 162 163 /* Everything has been disabled... */ 164 if (min_version == 0 || max_version == 0) 165 return 0; 166 167 /* Limit to configured version range. */ 168 if (!ssl_clamp_tls_version_range(&min_version, &max_version, 169 s->min_tls_version, s->max_tls_version)) 170 return 0; 171 172 /* QUIC requires a minimum of TLSv1.3. */ 173 if (SSL_is_quic(s)) { 174 if (max_version < TLS1_3_VERSION) 175 return 0; 176 if (min_version < TLS1_3_VERSION) 177 min_version = TLS1_3_VERSION; 178 } 179 180 if (min_ver != NULL) 181 *min_ver = min_version; 182 if (max_ver != NULL) 183 *max_ver = max_version; 184 185 return 1; 186} 187 188int 189ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) 190{ 191 uint16_t min_version, max_version; 192 193 if (!ssl_enabled_tls_version_range(s, &min_version, &max_version)) 194 return 0; 195 196 /* Limit to the versions supported by this method. */ 197 if (!ssl_clamp_tls_version_range(&min_version, &max_version, 198 s->method->min_tls_version, s->method->max_tls_version)) 199 return 0; 200 201 if (min_ver != NULL) 202 *min_ver = min_version; 203 if (max_ver != NULL) 204 *max_ver = max_version; 205 206 return 1; 207} 208 209uint16_t 210ssl_tls_version(uint16_t version) 211{ 212 if (version == TLS1_VERSION || version == TLS1_1_VERSION || 213 version == TLS1_2_VERSION || version == TLS1_3_VERSION) 214 return version; 215 216 if (version == DTLS1_VERSION) 217 return TLS1_1_VERSION; 218 if (version == DTLS1_2_VERSION) 219 return TLS1_2_VERSION; 220 221 return 0; 222} 223 224uint16_t 225ssl_effective_tls_version(SSL *s) 226{ 227 if (s->s3->hs.negotiated_tls_version > 0) 228 return s->s3->hs.negotiated_tls_version; 229 230 return s->s3->hs.our_max_tls_version; 231} 232 233int 234ssl_max_supported_version(SSL *s, uint16_t *max_ver) 235{ 236 uint16_t max_version; 237 238 *max_ver = 0; 239 240 if (!ssl_supported_tls_version_range(s, NULL, &max_version)) 241 return 0; 242 243 if (SSL_is_dtls(s)) { 244 if ((max_version = ssl_tls_to_dtls_version(max_version)) == 0) 245 return 0; 246 } 247 248 *max_ver = max_version; 249 250 return 1; 251} 252 253int 254ssl_max_legacy_version(SSL *s, uint16_t *max_ver) 255{ 256 uint16_t max_version; 257 258 if ((max_version = s->s3->hs.our_max_tls_version) > TLS1_2_VERSION) 259 max_version = TLS1_2_VERSION; 260 261 if (SSL_is_dtls(s)) { 262 if ((max_version = ssl_tls_to_dtls_version(max_version)) == 0) 263 return 0; 264 } 265 266 *max_ver = max_version; 267 268 return 1; 269} 270 271int 272ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver) 273{ 274 uint16_t min_version, max_version, peer_tls_version, shared_version; 275 276 *max_ver = 0; 277 peer_tls_version = peer_ver; 278 279 if (SSL_is_dtls(s)) { 280 if ((peer_ver >> 8) != DTLS1_VERSION_MAJOR) 281 return 0; 282 283 /* 284 * Convert the peer version to a TLS version - DTLS versions are 285 * the 1's complement of TLS version numbers (but not the actual 286 * protocol version numbers, that would be too sensible). Not to 287 * mention that DTLSv1.0 is really equivalent to DTLSv1.1. 288 */ 289 peer_tls_version = ssl_dtls_to_tls_version(peer_ver); 290 291 /* 292 * This may be a version that we do not know about, if it is 293 * newer than DTLS1_2_VERSION (yes, less than is correct due 294 * to the "clever" versioning scheme), use TLS1_2_VERSION. 295 */ 296 if (peer_tls_version == 0) { 297 if (peer_ver < DTLS1_2_VERSION) 298 peer_tls_version = TLS1_2_VERSION; 299 } 300 } 301 302 if (peer_tls_version >= TLS1_3_VERSION) 303 shared_version = TLS1_3_VERSION; 304 else if (peer_tls_version >= TLS1_2_VERSION) 305 shared_version = TLS1_2_VERSION; 306 else if (peer_tls_version >= TLS1_1_VERSION) 307 shared_version = TLS1_1_VERSION; 308 else if (peer_tls_version >= TLS1_VERSION) 309 shared_version = TLS1_VERSION; 310 else 311 return 0; 312 313 if (!ssl_supported_tls_version_range(s, &min_version, &max_version)) 314 return 0; 315 316 if (shared_version < min_version) 317 return 0; 318 319 if (shared_version > max_version) 320 shared_version = max_version; 321 322 if (SSL_is_dtls(s)) { 323 /* 324 * The resulting shared version will by definition be something 325 * that we know about. Switch back from TLS to DTLS. 326 */ 327 shared_version = ssl_tls_to_dtls_version(shared_version); 328 if (shared_version == 0) 329 return 0; 330 } 331 332 if (!ssl_security_version(s, shared_version)) 333 return 0; 334 335 *max_ver = shared_version; 336 337 return 1; 338} 339 340int 341ssl_check_version_from_server(SSL *s, uint16_t server_version) 342{ 343 uint16_t min_tls_version, max_tls_version, server_tls_version; 344 345 /* Ensure that the version selected by the server is valid. */ 346 347 server_tls_version = server_version; 348 if (SSL_is_dtls(s)) { 349 server_tls_version = ssl_dtls_to_tls_version(server_version); 350 if (server_tls_version == 0) 351 return 0; 352 } 353 354 if (!ssl_supported_tls_version_range(s, &min_tls_version, 355 &max_tls_version)) 356 return 0; 357 358 if (server_tls_version < min_tls_version || 359 server_tls_version > max_tls_version) 360 return 0; 361 362 return ssl_security_version(s, server_tls_version); 363} 364 365int 366ssl_legacy_stack_version(SSL *s, uint16_t version) 367{ 368 if (SSL_is_dtls(s)) 369 return version == DTLS1_VERSION || version == DTLS1_2_VERSION; 370 371 return version == TLS1_VERSION || version == TLS1_1_VERSION || 372 version == TLS1_2_VERSION; 373} 374