1 /* $OpenBSD: tls13_legacy.c,v 1.44 2024/01/30 14:50:50 jsing Exp $ */
2 /*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 #include <limits.h>
19
20 #include "ssl_local.h"
21 #include "tls13_internal.h"
22
23 static ssize_t
tls13_legacy_wire_read(SSL * ssl,uint8_t * buf,size_t len)24 tls13_legacy_wire_read(SSL *ssl, uint8_t *buf, size_t len)
25 {
26 int n;
27
28 if (ssl->rbio == NULL) {
29 SSLerror(ssl, SSL_R_BIO_NOT_SET);
30 return TLS13_IO_FAILURE;
31 }
32
33 ssl->rwstate = SSL_READING;
34 errno = 0;
35
36 if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) {
37 if (BIO_should_read(ssl->rbio))
38 return TLS13_IO_WANT_POLLIN;
39 if (n == 0)
40 return TLS13_IO_EOF;
41
42 if (ERR_peek_error() == 0 && errno != 0)
43 SYSerror(errno);
44
45 return TLS13_IO_FAILURE;
46 }
47
48 if (n == len)
49 ssl->rwstate = SSL_NOTHING;
50
51 return n;
52 }
53
54 ssize_t
tls13_legacy_wire_read_cb(void * buf,size_t n,void * arg)55 tls13_legacy_wire_read_cb(void *buf, size_t n, void *arg)
56 {
57 struct tls13_ctx *ctx = arg;
58
59 return tls13_legacy_wire_read(ctx->ssl, buf, n);
60 }
61
62 static ssize_t
tls13_legacy_wire_write(SSL * ssl,const uint8_t * buf,size_t len)63 tls13_legacy_wire_write(SSL *ssl, const uint8_t *buf, size_t len)
64 {
65 int n;
66
67 if (ssl->wbio == NULL) {
68 SSLerror(ssl, SSL_R_BIO_NOT_SET);
69 return TLS13_IO_FAILURE;
70 }
71
72 ssl->rwstate = SSL_WRITING;
73 errno = 0;
74
75 if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) {
76 if (BIO_should_write(ssl->wbio))
77 return TLS13_IO_WANT_POLLOUT;
78
79 if (ERR_peek_error() == 0 && errno != 0)
80 SYSerror(errno);
81
82 return TLS13_IO_FAILURE;
83 }
84
85 if (n == len)
86 ssl->rwstate = SSL_NOTHING;
87
88 return n;
89 }
90
91 ssize_t
tls13_legacy_wire_write_cb(const void * buf,size_t n,void * arg)92 tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg)
93 {
94 struct tls13_ctx *ctx = arg;
95
96 return tls13_legacy_wire_write(ctx->ssl, buf, n);
97 }
98
99 static ssize_t
tls13_legacy_wire_flush(SSL * ssl)100 tls13_legacy_wire_flush(SSL *ssl)
101 {
102 if (BIO_flush(ssl->wbio) <= 0) {
103 if (BIO_should_write(ssl->wbio))
104 return TLS13_IO_WANT_POLLOUT;
105
106 if (ERR_peek_error() == 0 && errno != 0)
107 SYSerror(errno);
108
109 return TLS13_IO_FAILURE;
110 }
111
112 return TLS13_IO_SUCCESS;
113 }
114
115 ssize_t
tls13_legacy_wire_flush_cb(void * arg)116 tls13_legacy_wire_flush_cb(void *arg)
117 {
118 struct tls13_ctx *ctx = arg;
119
120 return tls13_legacy_wire_flush(ctx->ssl);
121 }
122
123 static void
tls13_legacy_error(SSL * ssl)124 tls13_legacy_error(SSL *ssl)
125 {
126 struct tls13_ctx *ctx = ssl->tls13;
127 int reason = SSL_R_UNKNOWN;
128
129 /* If we received a fatal alert we already put an error on the stack. */
130 if (ssl->s3->fatal_alert != 0)
131 return;
132
133 switch (ctx->error.code) {
134 case TLS13_ERR_VERIFY_FAILED:
135 reason = SSL_R_CERTIFICATE_VERIFY_FAILED;
136 break;
137 case TLS13_ERR_HRR_FAILED:
138 reason = SSL_R_NO_CIPHERS_AVAILABLE;
139 break;
140 case TLS13_ERR_TRAILING_DATA:
141 reason = SSL_R_EXTRA_DATA_IN_MESSAGE;
142 break;
143 case TLS13_ERR_NO_SHARED_CIPHER:
144 reason = SSL_R_NO_SHARED_CIPHER;
145 break;
146 case TLS13_ERR_NO_CERTIFICATE:
147 reason = SSL_R_MISSING_RSA_CERTIFICATE; /* XXX */
148 break;
149 case TLS13_ERR_NO_PEER_CERTIFICATE:
150 reason = SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE;
151 break;
152 }
153
154 /* Something (probably libcrypto) already pushed an error on the stack. */
155 if (reason == SSL_R_UNKNOWN && ERR_peek_error() != 0)
156 return;
157
158 ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file,
159 ctx->error.line);
160 }
161
162 static int
tls13_legacy_return_code(SSL * ssl,ssize_t ret)163 tls13_legacy_return_code(SSL *ssl, ssize_t ret)
164 {
165 if (ret > INT_MAX) {
166 SSLerror(ssl, ERR_R_INTERNAL_ERROR);
167 return -1;
168 }
169
170 /* A successful read, write or other operation. */
171 if (ret > 0)
172 return ret;
173
174 ssl->rwstate = SSL_NOTHING;
175
176 switch (ret) {
177 case TLS13_IO_EOF:
178 return 0;
179
180 case TLS13_IO_FAILURE:
181 tls13_legacy_error(ssl);
182 return -1;
183
184 case TLS13_IO_ALERT:
185 tls13_legacy_error(ssl);
186 return -1;
187
188 case TLS13_IO_WANT_POLLIN:
189 BIO_set_retry_read(ssl->rbio);
190 ssl->rwstate = SSL_READING;
191 return -1;
192
193 case TLS13_IO_WANT_POLLOUT:
194 BIO_set_retry_write(ssl->wbio);
195 ssl->rwstate = SSL_WRITING;
196 return -1;
197
198 case TLS13_IO_WANT_RETRY:
199 SSLerror(ssl, ERR_R_INTERNAL_ERROR);
200 return -1;
201 }
202
203 SSLerror(ssl, ERR_R_INTERNAL_ERROR);
204 return -1;
205 }
206
207 int
tls13_legacy_pending(const SSL * ssl)208 tls13_legacy_pending(const SSL *ssl)
209 {
210 struct tls13_ctx *ctx = ssl->tls13;
211 ssize_t ret;
212
213 if (ctx == NULL)
214 return 0;
215
216 ret = tls13_pending_application_data(ctx->rl);
217 if (ret < 0 || ret > INT_MAX)
218 return 0;
219
220 return ret;
221 }
222
223 int
tls13_legacy_read_bytes(SSL * ssl,int type,unsigned char * buf,int len,int peek)224 tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int peek)
225 {
226 struct tls13_ctx *ctx = ssl->tls13;
227 ssize_t ret;
228
229 if (ctx == NULL || !ctx->handshake_completed) {
230 if ((ret = ssl->handshake_func(ssl)) <= 0)
231 return ret;
232 if (len == 0)
233 return 0;
234 return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLIN);
235 }
236
237 tls13_record_layer_set_retry_after_phh(ctx->rl,
238 (ctx->ssl->mode & SSL_MODE_AUTO_RETRY) != 0);
239
240 if (type != SSL3_RT_APPLICATION_DATA) {
241 SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
242 return -1;
243 }
244 if (len < 0) {
245 SSLerror(ssl, SSL_R_BAD_LENGTH);
246 return -1;
247 }
248
249 if (peek)
250 ret = tls13_peek_application_data(ctx->rl, buf, len);
251 else
252 ret = tls13_read_application_data(ctx->rl, buf, len);
253
254 return tls13_legacy_return_code(ssl, ret);
255 }
256
257 int
tls13_legacy_write_bytes(SSL * ssl,int type,const void * vbuf,int len)258 tls13_legacy_write_bytes(SSL *ssl, int type, const void *vbuf, int len)
259 {
260 struct tls13_ctx *ctx = ssl->tls13;
261 const uint8_t *buf = vbuf;
262 size_t n, sent;
263 ssize_t ret;
264
265 if (ctx == NULL || !ctx->handshake_completed) {
266 if ((ret = ssl->handshake_func(ssl)) <= 0)
267 return ret;
268 if (len == 0)
269 return 0;
270 return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLOUT);
271 }
272
273 if (type != SSL3_RT_APPLICATION_DATA) {
274 SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
275 return -1;
276 }
277 if (len < 0) {
278 SSLerror(ssl, SSL_R_BAD_LENGTH);
279 return -1;
280 }
281
282 /*
283 * The TLSv1.3 record layer write behaviour is the same as
284 * SSL_MODE_ENABLE_PARTIAL_WRITE.
285 */
286 if (ssl->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) {
287 ret = tls13_write_application_data(ctx->rl, buf, len);
288 return tls13_legacy_return_code(ssl, ret);
289 }
290
291 /*
292 * In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until
293 * we have written out all of the requested data.
294 */
295 sent = ssl->s3->wnum;
296 if (len < sent) {
297 SSLerror(ssl, SSL_R_BAD_LENGTH);
298 return -1;
299 }
300 n = len - sent;
301 for (;;) {
302 if (n == 0) {
303 ssl->s3->wnum = 0;
304 return sent;
305 }
306 if ((ret = tls13_write_application_data(ctx->rl,
307 &buf[sent], n)) <= 0) {
308 ssl->s3->wnum = sent;
309 return tls13_legacy_return_code(ssl, ret);
310 }
311 sent += ret;
312 n -= ret;
313 }
314 }
315
316 static int
tls13_use_legacy_stack(struct tls13_ctx * ctx)317 tls13_use_legacy_stack(struct tls13_ctx *ctx)
318 {
319 SSL *s = ctx->ssl;
320 CBB cbb, fragment;
321 CBS cbs;
322
323 memset(&cbb, 0, sizeof(cbb));
324
325 if (!ssl3_setup_init_buffer(s))
326 goto err;
327 if (!ssl3_setup_buffers(s))
328 goto err;
329 if (!ssl_init_wbio_buffer(s, 1))
330 goto err;
331
332 /* Stash any unprocessed data from the last record. */
333 tls13_record_layer_rcontent(ctx->rl, &cbs);
334 if (CBS_len(&cbs) > 0) {
335 if (!CBB_init_fixed(&cbb, s->s3->rbuf.buf,
336 s->s3->rbuf.len))
337 goto err;
338 if (!CBB_add_u8(&cbb, SSL3_RT_HANDSHAKE))
339 goto err;
340 if (!CBB_add_u16(&cbb, TLS1_2_VERSION))
341 goto err;
342 if (!CBB_add_u16_length_prefixed(&cbb, &fragment))
343 goto err;
344 if (!CBB_add_bytes(&fragment, CBS_data(&cbs), CBS_len(&cbs)))
345 goto err;
346 if (!CBB_finish(&cbb, NULL, NULL))
347 goto err;
348
349 s->s3->rbuf.offset = SSL3_RT_HEADER_LENGTH;
350 s->s3->rbuf.left = CBS_len(&cbs);
351 s->s3->rrec.type = SSL3_RT_HANDSHAKE;
352 s->s3->rrec.length = CBS_len(&cbs);
353 s->rstate = SSL_ST_READ_BODY;
354 s->packet = s->s3->rbuf.buf;
355 s->packet_length = SSL3_RT_HEADER_LENGTH;
356 s->mac_packet = 1;
357 }
358
359 /* Stash the current handshake message. */
360 tls13_handshake_msg_data(ctx->hs_msg, &cbs);
361 if (!BUF_MEM_grow_clean(s->init_buf, CBS_len(&cbs)))
362 goto err;
363 if (!CBS_write_bytes(&cbs, s->init_buf->data,
364 s->init_buf->length, NULL))
365 goto err;
366
367 s->s3->hs.tls12.reuse_message = 1;
368 s->s3->hs.tls12.message_type = tls13_handshake_msg_type(ctx->hs_msg);
369 s->s3->hs.tls12.message_size = CBS_len(&cbs) - SSL3_HM_HEADER_LENGTH;
370
371 /*
372 * Only switch the method after initialization is complete
373 * as we start part way into the legacy state machine.
374 */
375 s->method = tls_legacy_method();
376
377 return 1;
378
379 err:
380 CBB_cleanup(&cbb);
381
382 return 0;
383 }
384
385 int
tls13_use_legacy_client(struct tls13_ctx * ctx)386 tls13_use_legacy_client(struct tls13_ctx *ctx)
387 {
388 SSL *s = ctx->ssl;
389
390 if (!tls13_use_legacy_stack(ctx))
391 return 0;
392
393 s->handshake_func = s->method->ssl_connect;
394 s->version = s->method->max_tls_version;
395
396 return 1;
397 }
398
399 int
tls13_use_legacy_server(struct tls13_ctx * ctx)400 tls13_use_legacy_server(struct tls13_ctx *ctx)
401 {
402 SSL *s = ctx->ssl;
403
404 if (!tls13_use_legacy_stack(ctx))
405 return 0;
406
407 s->handshake_func = s->method->ssl_accept;
408 s->version = s->method->max_tls_version;
409 s->server = 1;
410
411 return 1;
412 }
413
414 int
tls13_legacy_accept(SSL * ssl)415 tls13_legacy_accept(SSL *ssl)
416 {
417 struct tls13_ctx *ctx = ssl->tls13;
418 int ret;
419
420 if (ctx == NULL) {
421 if ((ctx = tls13_ctx_new(TLS13_HS_SERVER, ssl)) == NULL) {
422 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
423 return -1;
424 }
425 if (!tls13_server_init(ctx)) {
426 if (ERR_peek_error() == 0)
427 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
428 return -1;
429 }
430 }
431
432 ERR_clear_error();
433
434 ret = tls13_server_accept(ctx);
435 if (ret == TLS13_IO_USE_LEGACY)
436 return ssl->method->ssl_accept(ssl);
437
438 ret = tls13_legacy_return_code(ssl, ret);
439
440 if (ctx->info_cb != NULL)
441 ctx->info_cb(ctx, TLS13_INFO_ACCEPT_EXIT, ret);
442
443 return ret;
444 }
445
446 int
tls13_legacy_connect(SSL * ssl)447 tls13_legacy_connect(SSL *ssl)
448 {
449 struct tls13_ctx *ctx = ssl->tls13;
450 int ret;
451
452 if (ctx == NULL) {
453 if ((ctx = tls13_ctx_new(TLS13_HS_CLIENT, ssl)) == NULL) {
454 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
455 return -1;
456 }
457 if (!tls13_client_init(ctx)) {
458 if (ERR_peek_error() == 0)
459 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
460 return -1;
461 }
462 }
463
464 ERR_clear_error();
465
466 ret = tls13_client_connect(ctx);
467 if (ret == TLS13_IO_USE_LEGACY)
468 return ssl->method->ssl_connect(ssl);
469
470 ret = tls13_legacy_return_code(ssl, ret);
471
472 if (ctx->info_cb != NULL)
473 ctx->info_cb(ctx, TLS13_INFO_CONNECT_EXIT, ret);
474
475 return ret;
476 }
477
478 int
tls13_legacy_shutdown(SSL * ssl)479 tls13_legacy_shutdown(SSL *ssl)
480 {
481 struct tls13_ctx *ctx = ssl->tls13;
482 uint8_t buf[512]; /* XXX */
483 ssize_t ret;
484
485 /*
486 * We need to return 0 at the point that we have completed sending a
487 * close-notify. We return 1 when we have sent and received close-notify
488 * alerts. All other cases, including EOF, return -1 and set internal
489 * state appropriately. Note that all of this insanity can also be
490 * externally controlled by manipulating the shutdown flags.
491 */
492 if (ctx == NULL || ssl->quiet_shutdown) {
493 ssl->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN;
494 return 1;
495 }
496
497 if ((ssl->shutdown & SSL_SENT_SHUTDOWN) == 0) {
498 ssl->shutdown |= SSL_SENT_SHUTDOWN;
499 ret = tls13_send_alert(ctx->rl, TLS13_ALERT_CLOSE_NOTIFY);
500 if (ret == TLS13_IO_EOF)
501 return -1;
502 if (ret != TLS13_IO_SUCCESS)
503 return tls13_legacy_return_code(ssl, ret);
504 goto done;
505 }
506
507 ret = tls13_record_layer_send_pending(ctx->rl);
508 if (ret == TLS13_IO_EOF)
509 return -1;
510 if (ret != TLS13_IO_SUCCESS)
511 return tls13_legacy_return_code(ssl, ret);
512
513 if ((ssl->shutdown & SSL_RECEIVED_SHUTDOWN) == 0) {
514 /*
515 * If there is no application data pending, attempt to read more
516 * data in order to receive a close-notify. This should trigger
517 * a record to be read from the wire, which may be application
518 * handshake or alert data. Only one attempt is made with no
519 * error handling, in order to match previous semantics.
520 */
521 if (tls13_pending_application_data(ctx->rl) == 0) {
522 (void)tls13_read_application_data(ctx->rl, buf, sizeof(buf));
523 if (!ctx->close_notify_recv)
524 return -1;
525 }
526 }
527
528 done:
529 if (ssl->shutdown == (SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN))
530 return 1;
531
532 return 0;
533 }
534
535 int
tls13_legacy_servername_process(struct tls13_ctx * ctx,uint8_t * alert)536 tls13_legacy_servername_process(struct tls13_ctx *ctx, uint8_t *alert)
537 {
538 int legacy_alert = SSL_AD_UNRECOGNIZED_NAME;
539 int ret = SSL_TLSEXT_ERR_NOACK;
540 SSL_CTX *ssl_ctx = ctx->ssl->ctx;
541 SSL *s = ctx->ssl;
542
543 if (ssl_ctx->tlsext_servername_callback == NULL)
544 ssl_ctx = s->initial_ctx;
545 if (ssl_ctx->tlsext_servername_callback == NULL)
546 return 1;
547
548 ret = ssl_ctx->tlsext_servername_callback(s, &legacy_alert,
549 ssl_ctx->tlsext_servername_arg);
550
551 /*
552 * Ignore SSL_TLSEXT_ERR_ALERT_WARNING returns to match OpenSSL's
553 * behavior: the only warning alerts in TLSv1.3 are close_notify and
554 * user_canceled, neither of which should be returned by the callback.
555 */
556 if (ret == SSL_TLSEXT_ERR_ALERT_FATAL) {
557 if (legacy_alert >= 0 && legacy_alert <= 255)
558 *alert = legacy_alert;
559 return 0;
560 }
561
562 return 1;
563 }
564