1 /* $OpenBSD: tls13_legacy.c,v 1.21 2021/01/07 16:26:31 tb Exp $ */ 2 /* 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <limits.h> 19 20 #include "ssl_locl.h" 21 #include "tls13_internal.h" 22 23 static ssize_t 24 tls13_legacy_wire_read(SSL *ssl, uint8_t *buf, size_t len) 25 { 26 int n; 27 28 if (ssl->rbio == NULL) { 29 SSLerror(ssl, SSL_R_BIO_NOT_SET); 30 return TLS13_IO_FAILURE; 31 } 32 33 ssl->internal->rwstate = SSL_READING; 34 errno = 0; 35 36 if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) { 37 if (BIO_should_read(ssl->rbio)) 38 return TLS13_IO_WANT_POLLIN; 39 if (n == 0) 40 return TLS13_IO_EOF; 41 42 if (ERR_peek_error() == 0 && errno != 0) 43 SYSerror(errno); 44 45 return TLS13_IO_FAILURE; 46 } 47 48 if (n == len) 49 ssl->internal->rwstate = SSL_NOTHING; 50 51 return n; 52 } 53 54 ssize_t 55 tls13_legacy_wire_read_cb(void *buf, size_t n, void *arg) 56 { 57 struct tls13_ctx *ctx = arg; 58 59 return tls13_legacy_wire_read(ctx->ssl, buf, n); 60 } 61 62 static ssize_t 63 tls13_legacy_wire_write(SSL *ssl, const uint8_t *buf, size_t len) 64 { 65 int n; 66 67 if (ssl->wbio == NULL) { 68 SSLerror(ssl, SSL_R_BIO_NOT_SET); 69 return TLS13_IO_FAILURE; 70 } 71 72 ssl->internal->rwstate = SSL_WRITING; 73 errno = 0; 74 75 if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) { 76 if (BIO_should_write(ssl->wbio)) 77 return TLS13_IO_WANT_POLLOUT; 78 79 if (ERR_peek_error() == 0 && errno != 0) 80 SYSerror(errno); 81 82 return TLS13_IO_FAILURE; 83 } 84 85 if (n == len) 86 ssl->internal->rwstate = SSL_NOTHING; 87 88 return n; 89 } 90 91 ssize_t 92 tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg) 93 { 94 struct tls13_ctx *ctx = arg; 95 96 return tls13_legacy_wire_write(ctx->ssl, buf, n); 97 } 98 99 static void 100 tls13_legacy_error(SSL *ssl) 101 { 102 struct tls13_ctx *ctx = ssl->internal->tls13; 103 int reason = SSL_R_UNKNOWN; 104 105 /* If we received a fatal alert we already put an error on the stack. */ 106 if (S3I(ssl)->fatal_alert != 0) 107 return; 108 109 switch (ctx->error.code) { 110 case TLS13_ERR_VERIFY_FAILED: 111 reason = SSL_R_CERTIFICATE_VERIFY_FAILED; 112 break; 113 case TLS13_ERR_HRR_FAILED: 114 reason = SSL_R_NO_CIPHERS_AVAILABLE; 115 break; 116 case TLS13_ERR_TRAILING_DATA: 117 reason = SSL_R_EXTRA_DATA_IN_MESSAGE; 118 break; 119 case TLS13_ERR_NO_SHARED_CIPHER: 120 reason = SSL_R_NO_SHARED_CIPHER; 121 break; 122 case TLS13_ERR_NO_CERTIFICATE: 123 reason = SSL_R_MISSING_RSA_CERTIFICATE; /* XXX */ 124 break; 125 case TLS13_ERR_NO_PEER_CERTIFICATE: 126 reason = SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE; 127 break; 128 } 129 130 /* Something (probably libcrypto) already pushed an error on the stack. */ 131 if (reason == SSL_R_UNKNOWN && ERR_peek_error() != 0) 132 return; 133 134 ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file, 135 ctx->error.line); 136 } 137 138 int 139 tls13_legacy_return_code(SSL *ssl, ssize_t ret) 140 { 141 if (ret > INT_MAX) { 142 SSLerror(ssl, ERR_R_INTERNAL_ERROR); 143 return -1; 144 } 145 146 /* A successful read, write or other operation. */ 147 if (ret > 0) 148 return ret; 149 150 ssl->internal->rwstate = SSL_NOTHING; 151 152 switch (ret) { 153 case TLS13_IO_EOF: 154 return 0; 155 156 case TLS13_IO_FAILURE: 157 tls13_legacy_error(ssl); 158 return -1; 159 160 case TLS13_IO_ALERT: 161 tls13_legacy_error(ssl); 162 return -1; 163 164 case TLS13_IO_WANT_POLLIN: 165 BIO_set_retry_read(ssl->rbio); 166 ssl->internal->rwstate = SSL_READING; 167 return -1; 168 169 case TLS13_IO_WANT_POLLOUT: 170 BIO_set_retry_write(ssl->wbio); 171 ssl->internal->rwstate = SSL_WRITING; 172 return -1; 173 174 case TLS13_IO_WANT_RETRY: 175 SSLerror(ssl, ERR_R_INTERNAL_ERROR); 176 return -1; 177 } 178 179 SSLerror(ssl, ERR_R_INTERNAL_ERROR); 180 return -1; 181 } 182 183 int 184 tls13_legacy_pending(const SSL *ssl) 185 { 186 struct tls13_ctx *ctx = ssl->internal->tls13; 187 ssize_t ret; 188 189 if (ctx == NULL) 190 return 0; 191 192 ret = tls13_pending_application_data(ctx->rl); 193 if (ret < 0 || ret > INT_MAX) 194 return 0; 195 196 return ret; 197 } 198 199 int 200 tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int peek) 201 { 202 struct tls13_ctx *ctx = ssl->internal->tls13; 203 ssize_t ret; 204 205 if (ctx == NULL || !ctx->handshake_completed) { 206 if ((ret = ssl->internal->handshake_func(ssl)) <= 0) 207 return ret; 208 return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLIN); 209 } 210 211 tls13_record_layer_set_retry_after_phh(ctx->rl, 212 (ctx->ssl->internal->mode & SSL_MODE_AUTO_RETRY) != 0); 213 214 if (type != SSL3_RT_APPLICATION_DATA) { 215 SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 216 return -1; 217 } 218 if (len < 0) { 219 SSLerror(ssl, SSL_R_BAD_LENGTH); 220 return -1; 221 } 222 223 if (peek) 224 ret = tls13_peek_application_data(ctx->rl, buf, len); 225 else 226 ret = tls13_read_application_data(ctx->rl, buf, len); 227 228 return tls13_legacy_return_code(ssl, ret); 229 } 230 231 int 232 tls13_legacy_write_bytes(SSL *ssl, int type, const void *vbuf, int len) 233 { 234 struct tls13_ctx *ctx = ssl->internal->tls13; 235 const uint8_t *buf = vbuf; 236 size_t n, sent; 237 ssize_t ret; 238 239 if (ctx == NULL || !ctx->handshake_completed) { 240 if ((ret = ssl->internal->handshake_func(ssl)) <= 0) 241 return ret; 242 return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLOUT); 243 } 244 245 if (type != SSL3_RT_APPLICATION_DATA) { 246 SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 247 return -1; 248 } 249 if (len < 0) { 250 SSLerror(ssl, SSL_R_BAD_LENGTH); 251 return -1; 252 } 253 254 /* 255 * The TLSv1.3 record layer write behaviour is the same as 256 * SSL_MODE_ENABLE_PARTIAL_WRITE. 257 */ 258 if (ssl->internal->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) { 259 ret = tls13_write_application_data(ctx->rl, buf, len); 260 return tls13_legacy_return_code(ssl, ret); 261 } 262 263 /* 264 * In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until 265 * we have written out all of the requested data. 266 */ 267 sent = S3I(ssl)->wnum; 268 if (len < sent) { 269 SSLerror(ssl, SSL_R_BAD_LENGTH); 270 return -1; 271 } 272 n = len - sent; 273 for (;;) { 274 if (n == 0) { 275 S3I(ssl)->wnum = 0; 276 return sent; 277 } 278 if ((ret = tls13_write_application_data(ctx->rl, 279 &buf[sent], n)) <= 0) { 280 S3I(ssl)->wnum = sent; 281 return tls13_legacy_return_code(ssl, ret); 282 } 283 sent += ret; 284 n -= ret; 285 } 286 } 287 288 static int 289 tls13_use_legacy_stack(struct tls13_ctx *ctx) 290 { 291 SSL *s = ctx->ssl; 292 CBB cbb, fragment; 293 CBS cbs; 294 295 memset(&cbb, 0, sizeof(cbb)); 296 297 s->method = tls_legacy_method(); 298 299 if (!ssl3_setup_init_buffer(s)) 300 goto err; 301 if (!ssl3_setup_buffers(s)) 302 goto err; 303 if (!ssl_init_wbio_buffer(s, 1)) 304 goto err; 305 306 /* Stash any unprocessed data from the last record. */ 307 tls13_record_layer_rbuf(ctx->rl, &cbs); 308 if (CBS_len(&cbs) > 0) { 309 if (!CBB_init_fixed(&cbb, S3I(s)->rbuf.buf, 310 S3I(s)->rbuf.len)) 311 goto err; 312 if (!CBB_add_u8(&cbb, SSL3_RT_HANDSHAKE)) 313 goto err; 314 if (!CBB_add_u16(&cbb, TLS1_2_VERSION)) 315 goto err; 316 if (!CBB_add_u16_length_prefixed(&cbb, &fragment)) 317 goto err; 318 if (!CBB_add_bytes(&fragment, CBS_data(&cbs), CBS_len(&cbs))) 319 goto err; 320 if (!CBB_finish(&cbb, NULL, NULL)) 321 goto err; 322 323 S3I(s)->rbuf.offset = SSL3_RT_HEADER_LENGTH; 324 S3I(s)->rbuf.left = CBS_len(&cbs); 325 S3I(s)->rrec.type = SSL3_RT_HANDSHAKE; 326 S3I(s)->rrec.length = CBS_len(&cbs); 327 s->internal->rstate = SSL_ST_READ_BODY; 328 s->internal->packet = S3I(s)->rbuf.buf; 329 s->internal->packet_length = SSL3_RT_HEADER_LENGTH; 330 s->internal->mac_packet = 1; 331 } 332 333 /* Stash the current handshake message. */ 334 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 335 if (!BUF_MEM_grow_clean(s->internal->init_buf, CBS_len(&cbs))) 336 goto err; 337 if (!CBS_write_bytes(&cbs, s->internal->init_buf->data, 338 s->internal->init_buf->length, NULL)) 339 goto err; 340 341 S3I(s)->tmp.reuse_message = 1; 342 S3I(s)->tmp.message_type = tls13_handshake_msg_type(ctx->hs_msg); 343 S3I(s)->tmp.message_size = CBS_len(&cbs); 344 345 return 1; 346 347 err: 348 CBB_cleanup(&cbb); 349 350 return 0; 351 } 352 353 int 354 tls13_use_legacy_client(struct tls13_ctx *ctx) 355 { 356 SSL *s = ctx->ssl; 357 358 if (!tls13_use_legacy_stack(ctx)) 359 return 0; 360 361 s->internal->handshake_func = s->method->internal->ssl_connect; 362 s->client_version = s->version = s->method->internal->max_version; 363 364 S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A; 365 366 return 1; 367 } 368 369 int 370 tls13_use_legacy_server(struct tls13_ctx *ctx) 371 { 372 SSL *s = ctx->ssl; 373 374 if (!tls13_use_legacy_stack(ctx)) 375 return 0; 376 377 s->internal->handshake_func = s->method->internal->ssl_accept; 378 s->client_version = s->version = s->method->internal->max_version; 379 s->server = 1; 380 381 S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A; 382 383 return 1; 384 } 385 386 int 387 tls13_legacy_accept(SSL *ssl) 388 { 389 struct tls13_ctx *ctx = ssl->internal->tls13; 390 int ret; 391 392 if (ctx == NULL) { 393 if ((ctx = tls13_ctx_new(TLS13_HS_SERVER)) == NULL) { 394 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 395 return -1; 396 } 397 ssl->internal->tls13 = ctx; 398 ctx->ssl = ssl; 399 ctx->hs = &S3I(ssl)->hs_tls13; 400 401 if (!tls13_server_init(ctx)) { 402 if (ERR_peek_error() == 0) 403 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 404 return -1; 405 } 406 } 407 408 ERR_clear_error(); 409 S3I(ssl)->hs.state = SSL_ST_ACCEPT; 410 411 ret = tls13_server_accept(ctx); 412 if (ret == TLS13_IO_USE_LEGACY) 413 return ssl->method->internal->ssl_accept(ssl); 414 if (ret == TLS13_IO_SUCCESS) 415 S3I(ssl)->hs.state = SSL_ST_OK; 416 417 return tls13_legacy_return_code(ssl, ret); 418 } 419 420 int 421 tls13_legacy_connect(SSL *ssl) 422 { 423 struct tls13_ctx *ctx = ssl->internal->tls13; 424 int ret; 425 426 #ifdef TLS13_USE_LEGACY_CLIENT_AUTH 427 /* XXX drop back to legacy for client auth for now */ 428 if (ssl->cert->key->privatekey != NULL) { 429 ssl->method = tls_legacy_client_method(); 430 return ssl->method->internal->ssl_connect(ssl); 431 } 432 #endif 433 434 if (ctx == NULL) { 435 if ((ctx = tls13_ctx_new(TLS13_HS_CLIENT)) == NULL) { 436 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 437 return -1; 438 } 439 ssl->internal->tls13 = ctx; 440 ctx->ssl = ssl; 441 ctx->hs = &S3I(ssl)->hs_tls13; 442 443 if (!tls13_client_init(ctx)) { 444 if (ERR_peek_error() == 0) 445 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 446 return -1; 447 } 448 } 449 450 ERR_clear_error(); 451 S3I(ssl)->hs.state = SSL_ST_CONNECT; 452 453 ret = tls13_client_connect(ctx); 454 if (ret == TLS13_IO_USE_LEGACY) 455 return ssl->method->internal->ssl_connect(ssl); 456 if (ret == TLS13_IO_SUCCESS) 457 S3I(ssl)->hs.state = SSL_ST_OK; 458 459 return tls13_legacy_return_code(ssl, ret); 460 } 461 462 int 463 tls13_legacy_shutdown(SSL *ssl) 464 { 465 struct tls13_ctx *ctx = ssl->internal->tls13; 466 uint8_t buf[512]; /* XXX */ 467 ssize_t ret; 468 469 /* 470 * We need to return 0 when we have sent a close-notify but have not 471 * yet received one. We return 1 only once we have sent and received 472 * close-notify alerts. All other cases return -1 and set internal 473 * state appropriately. 474 */ 475 if (ctx == NULL || ssl->internal->quiet_shutdown) { 476 ssl->internal->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN; 477 return 1; 478 } 479 480 if (!ctx->close_notify_sent) { 481 /* Enqueue and send close notify. */ 482 if (!(ssl->internal->shutdown & SSL_SENT_SHUTDOWN)) { 483 ssl->internal->shutdown |= SSL_SENT_SHUTDOWN; 484 if ((ret = tls13_send_alert(ctx->rl, 485 TLS13_ALERT_CLOSE_NOTIFY)) < 0) 486 return tls13_legacy_return_code(ssl, ret); 487 } 488 if ((ret = tls13_record_layer_send_pending(ctx->rl)) != 489 TLS13_IO_SUCCESS) 490 return tls13_legacy_return_code(ssl, ret); 491 } else if (!ctx->close_notify_recv) { 492 /* 493 * If there is no application data pending, attempt to read more 494 * data in order to receive a close notify. This should trigger 495 * a record to be read from the wire, which may be application 496 * handshake or alert data. Only one attempt is made to match 497 * previous semantics. 498 */ 499 if (tls13_pending_application_data(ctx->rl) == 0) { 500 if ((ret = tls13_read_application_data(ctx->rl, buf, 501 sizeof(buf))) < 0) 502 return tls13_legacy_return_code(ssl, ret); 503 } 504 } 505 506 if (ctx->close_notify_recv) 507 return 1; 508 509 return 0; 510 } 511 512 int 513 tls13_legacy_servername_process(struct tls13_ctx *ctx, uint8_t *alert) 514 { 515 int legacy_alert = SSL_AD_UNRECOGNIZED_NAME; 516 int ret = SSL_TLSEXT_ERR_NOACK; 517 SSL_CTX *ssl_ctx = ctx->ssl->ctx; 518 SSL *s = ctx->ssl; 519 520 if (ssl_ctx->internal->tlsext_servername_callback == NULL) 521 ssl_ctx = s->initial_ctx; 522 if (ssl_ctx->internal->tlsext_servername_callback == NULL) 523 return 1; 524 525 ret = ssl_ctx->internal->tlsext_servername_callback(s, &legacy_alert, 526 ssl_ctx->internal->tlsext_servername_arg); 527 528 if (ret == SSL_TLSEXT_ERR_ALERT_FATAL || 529 ret == SSL_TLSEXT_ERR_ALERT_WARNING) { 530 if (legacy_alert >= 0 && legacy_alert <= 255) 531 *alert = legacy_alert; 532 return 0; 533 } 534 535 return 1; 536 } 537