1 /* $OpenBSD: tls13_legacy.c,v 1.13.4.1 2021/02/03 07:06:14 tb Exp $ */ 2 /* 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <limits.h> 19 20 #include "ssl_locl.h" 21 #include "tls13_internal.h" 22 23 SSL3_ENC_METHOD TLSv1_3_enc_data = { 24 .enc_flags = SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_TLS1_3_CIPHERS, 25 }; 26 27 static ssize_t 28 tls13_legacy_wire_read(SSL *ssl, uint8_t *buf, size_t len) 29 { 30 int n; 31 32 if (ssl->rbio == NULL) { 33 SSLerror(ssl, SSL_R_BIO_NOT_SET); 34 return TLS13_IO_FAILURE; 35 } 36 37 ssl->internal->rwstate = SSL_READING; 38 errno = 0; 39 40 if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) { 41 if (BIO_should_read(ssl->rbio)) 42 return TLS13_IO_WANT_POLLIN; 43 if (n == 0) 44 return TLS13_IO_EOF; 45 46 if (ERR_peek_error() == 0 && errno != 0) 47 SYSerror(errno); 48 49 return TLS13_IO_FAILURE; 50 } 51 52 if (n == len) 53 ssl->internal->rwstate = SSL_NOTHING; 54 55 return n; 56 } 57 58 ssize_t 59 tls13_legacy_wire_read_cb(void *buf, size_t n, void *arg) 60 { 61 struct tls13_ctx *ctx = arg; 62 63 return tls13_legacy_wire_read(ctx->ssl, buf, n); 64 } 65 66 static ssize_t 67 tls13_legacy_wire_write(SSL *ssl, const uint8_t *buf, size_t len) 68 { 69 int n; 70 71 if (ssl->wbio == NULL) { 72 SSLerror(ssl, SSL_R_BIO_NOT_SET); 73 return TLS13_IO_FAILURE; 74 } 75 76 ssl->internal->rwstate = SSL_WRITING; 77 errno = 0; 78 79 if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) { 80 if (BIO_should_write(ssl->wbio)) 81 return TLS13_IO_WANT_POLLOUT; 82 83 if (ERR_peek_error() == 0 && errno != 0) 84 SYSerror(errno); 85 86 return TLS13_IO_FAILURE; 87 } 88 89 if (n == len) 90 ssl->internal->rwstate = SSL_NOTHING; 91 92 return n; 93 } 94 95 ssize_t 96 tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg) 97 { 98 struct tls13_ctx *ctx = arg; 99 100 return tls13_legacy_wire_write(ctx->ssl, buf, n); 101 } 102 103 static void 104 tls13_legacy_error(SSL *ssl) 105 { 106 struct tls13_ctx *ctx = ssl->internal->tls13; 107 int reason = SSL_R_UNKNOWN; 108 109 /* If we received a fatal alert we already put an error on the stack. */ 110 if (S3I(ssl)->fatal_alert != 0) 111 return; 112 113 switch (ctx->error.code) { 114 case TLS13_ERR_VERIFY_FAILED: 115 reason = SSL_R_CERTIFICATE_VERIFY_FAILED; 116 break; 117 case TLS13_ERR_HRR_FAILED: 118 reason = SSL_R_NO_CIPHERS_AVAILABLE; 119 break; 120 case TLS13_ERR_TRAILING_DATA: 121 reason = SSL_R_EXTRA_DATA_IN_MESSAGE; 122 break; 123 case TLS13_ERR_NO_SHARED_CIPHER: 124 reason = SSL_R_NO_SHARED_CIPHER; 125 break; 126 case TLS13_ERR_NO_CERTIFICATE: 127 reason = SSL_R_MISSING_RSA_CERTIFICATE; /* XXX */ 128 break; 129 case TLS13_ERR_NO_PEER_CERTIFICATE: 130 reason = SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE; 131 break; 132 } 133 134 /* Something (probably libcrypto) already pushed an error on the stack. */ 135 if (reason == SSL_R_UNKNOWN && ERR_peek_error() != 0) 136 return; 137 138 ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file, 139 ctx->error.line); 140 } 141 142 int 143 tls13_legacy_return_code(SSL *ssl, ssize_t ret) 144 { 145 if (ret > INT_MAX) { 146 SSLerror(ssl, ERR_R_INTERNAL_ERROR); 147 return -1; 148 } 149 150 /* A successful read, write or other operation. */ 151 if (ret > 0) 152 return ret; 153 154 ssl->internal->rwstate = SSL_NOTHING; 155 156 switch (ret) { 157 case TLS13_IO_EOF: 158 return 0; 159 160 case TLS13_IO_FAILURE: 161 tls13_legacy_error(ssl); 162 return -1; 163 164 case TLS13_IO_ALERT: 165 tls13_legacy_error(ssl); 166 return -1; 167 168 case TLS13_IO_WANT_POLLIN: 169 BIO_set_retry_read(ssl->rbio); 170 ssl->internal->rwstate = SSL_READING; 171 return -1; 172 173 case TLS13_IO_WANT_POLLOUT: 174 BIO_set_retry_write(ssl->wbio); 175 ssl->internal->rwstate = SSL_WRITING; 176 return -1; 177 178 case TLS13_IO_WANT_RETRY: 179 SSLerror(ssl, ERR_R_INTERNAL_ERROR); 180 return -1; 181 } 182 183 SSLerror(ssl, ERR_R_INTERNAL_ERROR); 184 return -1; 185 } 186 187 int 188 tls13_legacy_pending(const SSL *ssl) 189 { 190 struct tls13_ctx *ctx = ssl->internal->tls13; 191 ssize_t ret; 192 193 if (ctx == NULL) 194 return 0; 195 196 ret = tls13_pending_application_data(ctx->rl); 197 if (ret < 0 || ret > INT_MAX) 198 return 0; 199 200 return ret; 201 } 202 203 int 204 tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int peek) 205 { 206 struct tls13_ctx *ctx = ssl->internal->tls13; 207 ssize_t ret; 208 209 if (ctx == NULL || !ctx->handshake_completed) { 210 if ((ret = ssl->internal->handshake_func(ssl)) <= 0) 211 return ret; 212 return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLIN); 213 } 214 215 tls13_record_layer_set_retry_after_phh(ctx->rl, 216 (ctx->ssl->internal->mode & SSL_MODE_AUTO_RETRY) != 0); 217 218 if (type != SSL3_RT_APPLICATION_DATA) { 219 SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 220 return -1; 221 } 222 if (len < 0) { 223 SSLerror(ssl, SSL_R_BAD_LENGTH); 224 return -1; 225 } 226 227 if (peek) 228 ret = tls13_peek_application_data(ctx->rl, buf, len); 229 else 230 ret = tls13_read_application_data(ctx->rl, buf, len); 231 232 return tls13_legacy_return_code(ssl, ret); 233 } 234 235 int 236 tls13_legacy_write_bytes(SSL *ssl, int type, const void *vbuf, int len) 237 { 238 struct tls13_ctx *ctx = ssl->internal->tls13; 239 const uint8_t *buf = vbuf; 240 size_t n, sent; 241 ssize_t ret; 242 243 if (ctx == NULL || !ctx->handshake_completed) { 244 if ((ret = ssl->internal->handshake_func(ssl)) <= 0) 245 return ret; 246 return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLOUT); 247 } 248 249 if (type != SSL3_RT_APPLICATION_DATA) { 250 SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 251 return -1; 252 } 253 if (len < 0) { 254 SSLerror(ssl, SSL_R_BAD_LENGTH); 255 return -1; 256 } 257 258 /* 259 * The TLSv1.3 record layer write behaviour is the same as 260 * SSL_MODE_ENABLE_PARTIAL_WRITE. 261 */ 262 if (ssl->internal->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) { 263 ret = tls13_write_application_data(ctx->rl, buf, len); 264 return tls13_legacy_return_code(ssl, ret); 265 } 266 267 /* 268 * In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until 269 * we have written out all of the requested data. 270 */ 271 sent = S3I(ssl)->wnum; 272 if (len < sent) { 273 SSLerror(ssl, SSL_R_BAD_LENGTH); 274 return -1; 275 } 276 n = len - sent; 277 for (;;) { 278 if (n == 0) { 279 S3I(ssl)->wnum = 0; 280 return sent; 281 } 282 if ((ret = tls13_write_application_data(ctx->rl, 283 &buf[sent], n)) <= 0) { 284 S3I(ssl)->wnum = sent; 285 return tls13_legacy_return_code(ssl, ret); 286 } 287 sent += ret; 288 n -= ret; 289 } 290 } 291 292 static int 293 tls13_use_legacy_stack(struct tls13_ctx *ctx) 294 { 295 SSL *s = ctx->ssl; 296 CBS cbs; 297 298 if (!ssl3_setup_init_buffer(s)) 299 return 0; 300 if (!ssl3_setup_buffers(s)) 301 return 0; 302 if (!ssl_init_wbio_buffer(s, 1)) 303 return 0; 304 305 /* Stash any unprocessed data from the last record. */ 306 tls13_record_layer_rbuf(ctx->rl, &cbs); 307 if (CBS_len(&cbs) > 0) { 308 if (!CBS_write_bytes(&cbs, 309 S3I(s)->rbuf.buf + SSL3_RT_HEADER_LENGTH, 310 S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH, NULL)) 311 return 0; 312 313 S3I(s)->rbuf.offset = SSL3_RT_HEADER_LENGTH; 314 S3I(s)->rbuf.left = CBS_len(&cbs); 315 S3I(s)->rrec.type = SSL3_RT_HANDSHAKE; 316 S3I(s)->rrec.length = CBS_len(&cbs); 317 s->internal->rstate = SSL_ST_READ_BODY; 318 s->internal->packet = S3I(s)->rbuf.buf; 319 s->internal->packet_length = SSL3_RT_HEADER_LENGTH; 320 s->internal->mac_packet = 1; 321 } 322 323 /* Stash the current handshake message. */ 324 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 325 if (!CBS_write_bytes(&cbs, s->internal->init_buf->data, 326 s->internal->init_buf->length, NULL)) 327 return 0; 328 329 S3I(s)->tmp.reuse_message = 1; 330 S3I(s)->tmp.message_type = tls13_handshake_msg_type(ctx->hs_msg); 331 S3I(s)->tmp.message_size = CBS_len(&cbs); 332 333 return 1; 334 } 335 336 int 337 tls13_use_legacy_client(struct tls13_ctx *ctx) 338 { 339 SSL *s = ctx->ssl; 340 341 s->method = tls_legacy_client_method(); 342 s->internal->handshake_func = s->method->internal->ssl_connect; 343 s->client_version = s->version = s->method->internal->max_version; 344 345 if (!tls13_use_legacy_stack(ctx)) 346 return 0; 347 348 S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A; 349 350 return 1; 351 } 352 353 int 354 tls13_use_legacy_server(struct tls13_ctx *ctx) 355 { 356 SSL *s = ctx->ssl; 357 358 s->method = tls_legacy_server_method(); 359 s->internal->handshake_func = s->method->internal->ssl_accept; 360 s->client_version = s->version = s->method->internal->max_version; 361 s->server = 1; 362 363 if (!tls13_use_legacy_stack(ctx)) 364 return 0; 365 366 S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A; 367 368 return 1; 369 } 370 371 int 372 tls13_legacy_accept(SSL *ssl) 373 { 374 struct tls13_ctx *ctx = ssl->internal->tls13; 375 int ret; 376 377 if (ctx == NULL) { 378 if ((ctx = tls13_ctx_new(TLS13_HS_SERVER)) == NULL) { 379 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 380 return -1; 381 } 382 ssl->internal->tls13 = ctx; 383 ctx->ssl = ssl; 384 ctx->hs = &S3I(ssl)->hs_tls13; 385 386 if (!tls13_server_init(ctx)) { 387 if (ERR_peek_error() == 0) 388 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 389 return -1; 390 } 391 } 392 393 ERR_clear_error(); 394 S3I(ssl)->hs.state = SSL_ST_ACCEPT; 395 396 ret = tls13_server_accept(ctx); 397 if (ret == TLS13_IO_USE_LEGACY) 398 return ssl->method->internal->ssl_accept(ssl); 399 if (ret == TLS13_IO_SUCCESS) 400 S3I(ssl)->hs.state = SSL_ST_OK; 401 402 return tls13_legacy_return_code(ssl, ret); 403 } 404 405 int 406 tls13_legacy_connect(SSL *ssl) 407 { 408 struct tls13_ctx *ctx = ssl->internal->tls13; 409 int ret; 410 411 #ifdef TLS13_USE_LEGACY_CLIENT_AUTH 412 /* XXX drop back to legacy for client auth for now */ 413 if (ssl->cert->key->privatekey != NULL) { 414 ssl->method = tls_legacy_client_method(); 415 return ssl->method->internal->ssl_connect(ssl); 416 } 417 #endif 418 419 if (ctx == NULL) { 420 if ((ctx = tls13_ctx_new(TLS13_HS_CLIENT)) == NULL) { 421 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 422 return -1; 423 } 424 ssl->internal->tls13 = ctx; 425 ctx->ssl = ssl; 426 ctx->hs = &S3I(ssl)->hs_tls13; 427 428 if (!tls13_client_init(ctx)) { 429 if (ERR_peek_error() == 0) 430 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 431 return -1; 432 } 433 } 434 435 ERR_clear_error(); 436 S3I(ssl)->hs.state = SSL_ST_CONNECT; 437 438 ret = tls13_client_connect(ctx); 439 if (ret == TLS13_IO_USE_LEGACY) 440 return ssl->method->internal->ssl_connect(ssl); 441 if (ret == TLS13_IO_SUCCESS) 442 S3I(ssl)->hs.state = SSL_ST_OK; 443 444 return tls13_legacy_return_code(ssl, ret); 445 } 446 447 int 448 tls13_legacy_shutdown(SSL *ssl) 449 { 450 struct tls13_ctx *ctx = ssl->internal->tls13; 451 uint8_t buf[512]; /* XXX */ 452 ssize_t ret; 453 454 /* 455 * We need to return 0 when we have sent a close-notify but have not 456 * yet received one. We return 1 only once we have sent and received 457 * close-notify alerts. All other cases return -1 and set internal 458 * state appropriately. 459 */ 460 if (ctx == NULL || ssl->internal->quiet_shutdown) { 461 ssl->internal->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN; 462 return 1; 463 } 464 465 if (!ctx->close_notify_sent) { 466 /* Enqueue and send close notify. */ 467 if (!(ssl->internal->shutdown & SSL_SENT_SHUTDOWN)) { 468 ssl->internal->shutdown |= SSL_SENT_SHUTDOWN; 469 if ((ret = tls13_send_alert(ctx->rl, 470 TLS13_ALERT_CLOSE_NOTIFY)) < 0) 471 return tls13_legacy_return_code(ssl, ret); 472 } 473 if ((ret = tls13_record_layer_send_pending(ctx->rl)) != 474 TLS13_IO_SUCCESS) 475 return tls13_legacy_return_code(ssl, ret); 476 } else if (!ctx->close_notify_recv) { 477 /* 478 * If there is no application data pending, attempt to read more 479 * data in order to receive a close notify. This should trigger 480 * a record to be read from the wire, which may be application 481 * handshake or alert data. Only one attempt is made to match 482 * previous semantics. 483 */ 484 if (tls13_pending_application_data(ctx->rl) == 0) { 485 if ((ret = tls13_read_application_data(ctx->rl, buf, 486 sizeof(buf))) < 0) 487 return tls13_legacy_return_code(ssl, ret); 488 } 489 } 490 491 if (ctx->close_notify_recv) 492 return 1; 493 494 return 0; 495 } 496 497 int 498 tls13_legacy_servername_process(struct tls13_ctx *ctx, uint8_t *alert) 499 { 500 int legacy_alert = SSL_AD_UNRECOGNIZED_NAME; 501 int ret = SSL_TLSEXT_ERR_NOACK; 502 SSL_CTX *ssl_ctx = ctx->ssl->ctx; 503 SSL *ssl = ctx->ssl; 504 505 if (ssl_ctx->internal->tlsext_servername_callback == NULL) 506 ssl_ctx = ssl->initial_ctx; 507 if (ssl_ctx->internal->tlsext_servername_callback == NULL) 508 return 1; 509 510 ret = ssl_ctx->internal->tlsext_servername_callback(ssl, &legacy_alert, 511 ssl_ctx->internal->tlsext_servername_arg); 512 513 if (ret == SSL_TLSEXT_ERR_ALERT_FATAL || 514 ret == SSL_TLSEXT_ERR_ALERT_WARNING) { 515 if (legacy_alert >= 0 && legacy_alert <= 255) 516 *alert = legacy_alert; 517 return 0; 518 } 519 520 return 1; 521 } 522