1 /* $OpenBSD: tls13_legacy.c,v 1.13 2020/09/13 15:04:35 jsing Exp $ */
2 /*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 #include <limits.h>
19
20 #include "ssl_locl.h"
21 #include "tls13_internal.h"
22
23 SSL3_ENC_METHOD TLSv1_3_enc_data = {
24 .enc_flags = SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_TLS1_3_CIPHERS,
25 };
26
27 static ssize_t
tls13_legacy_wire_read(SSL * ssl,uint8_t * buf,size_t len)28 tls13_legacy_wire_read(SSL *ssl, uint8_t *buf, size_t len)
29 {
30 int n;
31
32 if (ssl->rbio == NULL) {
33 SSLerror(ssl, SSL_R_BIO_NOT_SET);
34 return TLS13_IO_FAILURE;
35 }
36
37 ssl->internal->rwstate = SSL_READING;
38 errno = 0;
39
40 if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) {
41 if (BIO_should_read(ssl->rbio))
42 return TLS13_IO_WANT_POLLIN;
43 if (BIO_should_write(ssl->rbio))
44 return TLS13_IO_WANT_POLLOUT;
45 if (n == 0)
46 return TLS13_IO_EOF;
47
48 if (ERR_peek_error() == 0 && errno != 0)
49 SYSerror(errno);
50
51 return TLS13_IO_FAILURE;
52 }
53
54 if (n == len)
55 ssl->internal->rwstate = SSL_NOTHING;
56
57 return n;
58 }
59
60 ssize_t
tls13_legacy_wire_read_cb(void * buf,size_t n,void * arg)61 tls13_legacy_wire_read_cb(void *buf, size_t n, void *arg)
62 {
63 struct tls13_ctx *ctx = arg;
64
65 return tls13_legacy_wire_read(ctx->ssl, buf, n);
66 }
67
68 static ssize_t
tls13_legacy_wire_write(SSL * ssl,const uint8_t * buf,size_t len)69 tls13_legacy_wire_write(SSL *ssl, const uint8_t *buf, size_t len)
70 {
71 int n;
72
73 if (ssl->wbio == NULL) {
74 SSLerror(ssl, SSL_R_BIO_NOT_SET);
75 return TLS13_IO_FAILURE;
76 }
77
78 ssl->internal->rwstate = SSL_WRITING;
79 errno = 0;
80
81 if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) {
82 if (BIO_should_read(ssl->wbio))
83 return TLS13_IO_WANT_POLLIN;
84 if (BIO_should_write(ssl->wbio))
85 return TLS13_IO_WANT_POLLOUT;
86
87 if (ERR_peek_error() == 0 && errno != 0)
88 SYSerror(errno);
89
90 return TLS13_IO_FAILURE;
91 }
92
93 if (n == len)
94 ssl->internal->rwstate = SSL_NOTHING;
95
96 return n;
97 }
98
99 ssize_t
tls13_legacy_wire_write_cb(const void * buf,size_t n,void * arg)100 tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg)
101 {
102 struct tls13_ctx *ctx = arg;
103
104 return tls13_legacy_wire_write(ctx->ssl, buf, n);
105 }
106
107 static void
tls13_legacy_error(SSL * ssl)108 tls13_legacy_error(SSL *ssl)
109 {
110 struct tls13_ctx *ctx = ssl->internal->tls13;
111 int reason = SSL_R_UNKNOWN;
112
113 /* If we received a fatal alert we already put an error on the stack. */
114 if (S3I(ssl)->fatal_alert != 0)
115 return;
116
117 switch (ctx->error.code) {
118 case TLS13_ERR_VERIFY_FAILED:
119 reason = SSL_R_CERTIFICATE_VERIFY_FAILED;
120 break;
121 case TLS13_ERR_HRR_FAILED:
122 reason = SSL_R_NO_CIPHERS_AVAILABLE;
123 break;
124 case TLS13_ERR_TRAILING_DATA:
125 reason = SSL_R_EXTRA_DATA_IN_MESSAGE;
126 break;
127 case TLS13_ERR_NO_SHARED_CIPHER:
128 reason = SSL_R_NO_SHARED_CIPHER;
129 break;
130 case TLS13_ERR_NO_CERTIFICATE:
131 reason = SSL_R_MISSING_RSA_CERTIFICATE; /* XXX */
132 break;
133 case TLS13_ERR_NO_PEER_CERTIFICATE:
134 reason = SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE;
135 break;
136 }
137
138 /* Something (probably libcrypto) already pushed an error on the stack. */
139 if (reason == SSL_R_UNKNOWN && ERR_peek_error() != 0)
140 return;
141
142 ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file,
143 ctx->error.line);
144 }
145
146 int
tls13_legacy_return_code(SSL * ssl,ssize_t ret)147 tls13_legacy_return_code(SSL *ssl, ssize_t ret)
148 {
149 if (ret > INT_MAX) {
150 SSLerror(ssl, ERR_R_INTERNAL_ERROR);
151 return -1;
152 }
153
154 /* A successful read, write or other operation. */
155 if (ret > 0)
156 return ret;
157
158 ssl->internal->rwstate = SSL_NOTHING;
159
160 switch (ret) {
161 case TLS13_IO_EOF:
162 return 0;
163
164 case TLS13_IO_FAILURE:
165 tls13_legacy_error(ssl);
166 return -1;
167
168 case TLS13_IO_ALERT:
169 tls13_legacy_error(ssl);
170 return -1;
171
172 case TLS13_IO_WANT_POLLIN:
173 BIO_set_retry_read(ssl->rbio);
174 ssl->internal->rwstate = SSL_READING;
175 return -1;
176
177 case TLS13_IO_WANT_POLLOUT:
178 BIO_set_retry_write(ssl->wbio);
179 ssl->internal->rwstate = SSL_WRITING;
180 return -1;
181
182 case TLS13_IO_WANT_RETRY:
183 SSLerror(ssl, ERR_R_INTERNAL_ERROR);
184 return -1;
185 }
186
187 SSLerror(ssl, ERR_R_INTERNAL_ERROR);
188 return -1;
189 }
190
191 int
tls13_legacy_pending(const SSL * ssl)192 tls13_legacy_pending(const SSL *ssl)
193 {
194 struct tls13_ctx *ctx = ssl->internal->tls13;
195 ssize_t ret;
196
197 if (ctx == NULL)
198 return 0;
199
200 ret = tls13_pending_application_data(ctx->rl);
201 if (ret < 0 || ret > INT_MAX)
202 return 0;
203
204 return ret;
205 }
206
207 int
tls13_legacy_read_bytes(SSL * ssl,int type,unsigned char * buf,int len,int peek)208 tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int peek)
209 {
210 struct tls13_ctx *ctx = ssl->internal->tls13;
211 ssize_t ret;
212
213 if (ctx == NULL || !ctx->handshake_completed) {
214 if ((ret = ssl->internal->handshake_func(ssl)) <= 0)
215 return ret;
216 return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLIN);
217 }
218
219 tls13_record_layer_set_retry_after_phh(ctx->rl,
220 (ctx->ssl->internal->mode & SSL_MODE_AUTO_RETRY) != 0);
221
222 if (type != SSL3_RT_APPLICATION_DATA) {
223 SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
224 return -1;
225 }
226 if (len < 0) {
227 SSLerror(ssl, SSL_R_BAD_LENGTH);
228 return -1;
229 }
230
231 if (peek)
232 ret = tls13_peek_application_data(ctx->rl, buf, len);
233 else
234 ret = tls13_read_application_data(ctx->rl, buf, len);
235
236 return tls13_legacy_return_code(ssl, ret);
237 }
238
239 int
tls13_legacy_write_bytes(SSL * ssl,int type,const void * vbuf,int len)240 tls13_legacy_write_bytes(SSL *ssl, int type, const void *vbuf, int len)
241 {
242 struct tls13_ctx *ctx = ssl->internal->tls13;
243 const uint8_t *buf = vbuf;
244 size_t n, sent;
245 ssize_t ret;
246
247 if (ctx == NULL || !ctx->handshake_completed) {
248 if ((ret = ssl->internal->handshake_func(ssl)) <= 0)
249 return ret;
250 return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLOUT);
251 }
252
253 if (type != SSL3_RT_APPLICATION_DATA) {
254 SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
255 return -1;
256 }
257 if (len < 0) {
258 SSLerror(ssl, SSL_R_BAD_LENGTH);
259 return -1;
260 }
261
262 /*
263 * The TLSv1.3 record layer write behaviour is the same as
264 * SSL_MODE_ENABLE_PARTIAL_WRITE.
265 */
266 if (ssl->internal->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) {
267 ret = tls13_write_application_data(ctx->rl, buf, len);
268 return tls13_legacy_return_code(ssl, ret);
269 }
270
271 /*
272 * In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until
273 * we have written out all of the requested data.
274 */
275 sent = S3I(ssl)->wnum;
276 if (len < sent) {
277 SSLerror(ssl, SSL_R_BAD_LENGTH);
278 return -1;
279 }
280 n = len - sent;
281 for (;;) {
282 if (n == 0) {
283 S3I(ssl)->wnum = 0;
284 return sent;
285 }
286 if ((ret = tls13_write_application_data(ctx->rl,
287 &buf[sent], n)) <= 0) {
288 S3I(ssl)->wnum = sent;
289 return tls13_legacy_return_code(ssl, ret);
290 }
291 sent += ret;
292 n -= ret;
293 }
294 }
295
296 static int
tls13_use_legacy_stack(struct tls13_ctx * ctx)297 tls13_use_legacy_stack(struct tls13_ctx *ctx)
298 {
299 SSL *s = ctx->ssl;
300 CBS cbs;
301
302 if (!ssl3_setup_init_buffer(s))
303 return 0;
304 if (!ssl3_setup_buffers(s))
305 return 0;
306 if (!ssl_init_wbio_buffer(s, 1))
307 return 0;
308
309 /* Stash any unprocessed data from the last record. */
310 tls13_record_layer_rbuf(ctx->rl, &cbs);
311 if (CBS_len(&cbs) > 0) {
312 if (!CBS_write_bytes(&cbs,
313 S3I(s)->rbuf.buf + SSL3_RT_HEADER_LENGTH,
314 S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH, NULL))
315 return 0;
316
317 S3I(s)->rbuf.offset = SSL3_RT_HEADER_LENGTH;
318 S3I(s)->rbuf.left = CBS_len(&cbs);
319 S3I(s)->rrec.type = SSL3_RT_HANDSHAKE;
320 S3I(s)->rrec.length = CBS_len(&cbs);
321 s->internal->rstate = SSL_ST_READ_BODY;
322 s->internal->packet = S3I(s)->rbuf.buf;
323 s->internal->packet_length = SSL3_RT_HEADER_LENGTH;
324 s->internal->mac_packet = 1;
325 }
326
327 /* Stash the current handshake message. */
328 tls13_handshake_msg_data(ctx->hs_msg, &cbs);
329 if (!CBS_write_bytes(&cbs, s->internal->init_buf->data,
330 s->internal->init_buf->length, NULL))
331 return 0;
332
333 S3I(s)->tmp.reuse_message = 1;
334 S3I(s)->tmp.message_type = tls13_handshake_msg_type(ctx->hs_msg);
335 S3I(s)->tmp.message_size = CBS_len(&cbs);
336
337 return 1;
338 }
339
340 int
tls13_use_legacy_client(struct tls13_ctx * ctx)341 tls13_use_legacy_client(struct tls13_ctx *ctx)
342 {
343 SSL *s = ctx->ssl;
344
345 s->method = tls_legacy_client_method();
346 s->internal->handshake_func = s->method->internal->ssl_connect;
347 s->client_version = s->version = s->method->internal->max_version;
348
349 if (!tls13_use_legacy_stack(ctx))
350 return 0;
351
352 S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A;
353
354 return 1;
355 }
356
357 int
tls13_use_legacy_server(struct tls13_ctx * ctx)358 tls13_use_legacy_server(struct tls13_ctx *ctx)
359 {
360 SSL *s = ctx->ssl;
361
362 s->method = tls_legacy_server_method();
363 s->internal->handshake_func = s->method->internal->ssl_accept;
364 s->client_version = s->version = s->method->internal->max_version;
365 s->server = 1;
366
367 if (!tls13_use_legacy_stack(ctx))
368 return 0;
369
370 S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A;
371
372 return 1;
373 }
374
375 int
tls13_legacy_accept(SSL * ssl)376 tls13_legacy_accept(SSL *ssl)
377 {
378 struct tls13_ctx *ctx = ssl->internal->tls13;
379 int ret;
380
381 if (ctx == NULL) {
382 if ((ctx = tls13_ctx_new(TLS13_HS_SERVER)) == NULL) {
383 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
384 return -1;
385 }
386 ssl->internal->tls13 = ctx;
387 ctx->ssl = ssl;
388 ctx->hs = &S3I(ssl)->hs_tls13;
389
390 if (!tls13_server_init(ctx)) {
391 if (ERR_peek_error() == 0)
392 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
393 return -1;
394 }
395 }
396
397 ERR_clear_error();
398 S3I(ssl)->hs.state = SSL_ST_ACCEPT;
399
400 ret = tls13_server_accept(ctx);
401 if (ret == TLS13_IO_USE_LEGACY)
402 return ssl->method->internal->ssl_accept(ssl);
403 if (ret == TLS13_IO_SUCCESS)
404 S3I(ssl)->hs.state = SSL_ST_OK;
405
406 return tls13_legacy_return_code(ssl, ret);
407 }
408
409 int
tls13_legacy_connect(SSL * ssl)410 tls13_legacy_connect(SSL *ssl)
411 {
412 struct tls13_ctx *ctx = ssl->internal->tls13;
413 int ret;
414
415 #ifdef TLS13_USE_LEGACY_CLIENT_AUTH
416 /* XXX drop back to legacy for client auth for now */
417 if (ssl->cert->key->privatekey != NULL) {
418 ssl->method = tls_legacy_client_method();
419 return ssl->method->internal->ssl_connect(ssl);
420 }
421 #endif
422
423 if (ctx == NULL) {
424 if ((ctx = tls13_ctx_new(TLS13_HS_CLIENT)) == NULL) {
425 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
426 return -1;
427 }
428 ssl->internal->tls13 = ctx;
429 ctx->ssl = ssl;
430 ctx->hs = &S3I(ssl)->hs_tls13;
431
432 if (!tls13_client_init(ctx)) {
433 if (ERR_peek_error() == 0)
434 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
435 return -1;
436 }
437 }
438
439 ERR_clear_error();
440 S3I(ssl)->hs.state = SSL_ST_CONNECT;
441
442 ret = tls13_client_connect(ctx);
443 if (ret == TLS13_IO_USE_LEGACY)
444 return ssl->method->internal->ssl_connect(ssl);
445 if (ret == TLS13_IO_SUCCESS)
446 S3I(ssl)->hs.state = SSL_ST_OK;
447
448 return tls13_legacy_return_code(ssl, ret);
449 }
450
451 int
tls13_legacy_shutdown(SSL * ssl)452 tls13_legacy_shutdown(SSL *ssl)
453 {
454 struct tls13_ctx *ctx = ssl->internal->tls13;
455 uint8_t buf[512]; /* XXX */
456 ssize_t ret;
457
458 /*
459 * We need to return 0 when we have sent a close-notify but have not
460 * yet received one. We return 1 only once we have sent and received
461 * close-notify alerts. All other cases return -1 and set internal
462 * state appropriately.
463 */
464 if (ctx == NULL || ssl->internal->quiet_shutdown) {
465 ssl->internal->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN;
466 return 1;
467 }
468
469 if (!ctx->close_notify_sent) {
470 /* Enqueue and send close notify. */
471 if (!(ssl->internal->shutdown & SSL_SENT_SHUTDOWN)) {
472 ssl->internal->shutdown |= SSL_SENT_SHUTDOWN;
473 if ((ret = tls13_send_alert(ctx->rl,
474 TLS13_ALERT_CLOSE_NOTIFY)) < 0)
475 return tls13_legacy_return_code(ssl, ret);
476 }
477 if ((ret = tls13_record_layer_send_pending(ctx->rl)) !=
478 TLS13_IO_SUCCESS)
479 return tls13_legacy_return_code(ssl, ret);
480 } else if (!ctx->close_notify_recv) {
481 /*
482 * If there is no application data pending, attempt to read more
483 * data in order to receive a close notify. This should trigger
484 * a record to be read from the wire, which may be application
485 * handshake or alert data. Only one attempt is made to match
486 * previous semantics.
487 */
488 if (tls13_pending_application_data(ctx->rl) == 0) {
489 if ((ret = tls13_read_application_data(ctx->rl, buf,
490 sizeof(buf))) < 0)
491 return tls13_legacy_return_code(ssl, ret);
492 }
493 }
494
495 if (ctx->close_notify_recv)
496 return 1;
497
498 return 0;
499 }
500
501 int
tls13_legacy_servername_process(struct tls13_ctx * ctx,uint8_t * alert)502 tls13_legacy_servername_process(struct tls13_ctx *ctx, uint8_t *alert)
503 {
504 int legacy_alert = SSL_AD_UNRECOGNIZED_NAME;
505 int ret = SSL_TLSEXT_ERR_NOACK;
506 SSL_CTX *ssl_ctx = ctx->ssl->ctx;
507 SSL *ssl = ctx->ssl;
508
509 if (ssl_ctx->internal->tlsext_servername_callback == NULL)
510 ssl_ctx = ssl->initial_ctx;
511 if (ssl_ctx->internal->tlsext_servername_callback == NULL)
512 return 1;
513
514 ret = ssl_ctx->internal->tlsext_servername_callback(ssl, &legacy_alert,
515 ssl_ctx->internal->tlsext_servername_arg);
516
517 if (ret == SSL_TLSEXT_ERR_ALERT_FATAL ||
518 ret == SSL_TLSEXT_ERR_ALERT_WARNING) {
519 if (legacy_alert >= 0 && legacy_alert <= 255)
520 *alert = legacy_alert;
521 return 0;
522 }
523
524 return 1;
525 }
526