1 /* $OpenBSD: tls13_legacy.c,v 1.13 2020/09/13 15:04:35 jsing Exp $ */ 2 /* 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <limits.h> 19 20 #include "ssl_locl.h" 21 #include "tls13_internal.h" 22 23 SSL3_ENC_METHOD TLSv1_3_enc_data = { 24 .enc_flags = SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_TLS1_3_CIPHERS, 25 }; 26 27 static ssize_t 28 tls13_legacy_wire_read(SSL *ssl, uint8_t *buf, size_t len) 29 { 30 int n; 31 32 if (ssl->rbio == NULL) { 33 SSLerror(ssl, SSL_R_BIO_NOT_SET); 34 return TLS13_IO_FAILURE; 35 } 36 37 ssl->internal->rwstate = SSL_READING; 38 errno = 0; 39 40 if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) { 41 if (BIO_should_read(ssl->rbio)) 42 return TLS13_IO_WANT_POLLIN; 43 if (BIO_should_write(ssl->rbio)) 44 return TLS13_IO_WANT_POLLOUT; 45 if (n == 0) 46 return TLS13_IO_EOF; 47 48 if (ERR_peek_error() == 0 && errno != 0) 49 SYSerror(errno); 50 51 return TLS13_IO_FAILURE; 52 } 53 54 if (n == len) 55 ssl->internal->rwstate = SSL_NOTHING; 56 57 return n; 58 } 59 60 ssize_t 61 tls13_legacy_wire_read_cb(void *buf, size_t n, void *arg) 62 { 63 struct tls13_ctx *ctx = arg; 64 65 return tls13_legacy_wire_read(ctx->ssl, buf, n); 66 } 67 68 static ssize_t 69 tls13_legacy_wire_write(SSL *ssl, const uint8_t *buf, size_t len) 70 { 71 int n; 72 73 if (ssl->wbio == NULL) { 74 SSLerror(ssl, SSL_R_BIO_NOT_SET); 75 return TLS13_IO_FAILURE; 76 } 77 78 ssl->internal->rwstate = SSL_WRITING; 79 errno = 0; 80 81 if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) { 82 if (BIO_should_read(ssl->wbio)) 83 return TLS13_IO_WANT_POLLIN; 84 if (BIO_should_write(ssl->wbio)) 85 return TLS13_IO_WANT_POLLOUT; 86 87 if (ERR_peek_error() == 0 && errno != 0) 88 SYSerror(errno); 89 90 return TLS13_IO_FAILURE; 91 } 92 93 if (n == len) 94 ssl->internal->rwstate = SSL_NOTHING; 95 96 return n; 97 } 98 99 ssize_t 100 tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg) 101 { 102 struct tls13_ctx *ctx = arg; 103 104 return tls13_legacy_wire_write(ctx->ssl, buf, n); 105 } 106 107 static void 108 tls13_legacy_error(SSL *ssl) 109 { 110 struct tls13_ctx *ctx = ssl->internal->tls13; 111 int reason = SSL_R_UNKNOWN; 112 113 /* If we received a fatal alert we already put an error on the stack. */ 114 if (S3I(ssl)->fatal_alert != 0) 115 return; 116 117 switch (ctx->error.code) { 118 case TLS13_ERR_VERIFY_FAILED: 119 reason = SSL_R_CERTIFICATE_VERIFY_FAILED; 120 break; 121 case TLS13_ERR_HRR_FAILED: 122 reason = SSL_R_NO_CIPHERS_AVAILABLE; 123 break; 124 case TLS13_ERR_TRAILING_DATA: 125 reason = SSL_R_EXTRA_DATA_IN_MESSAGE; 126 break; 127 case TLS13_ERR_NO_SHARED_CIPHER: 128 reason = SSL_R_NO_SHARED_CIPHER; 129 break; 130 case TLS13_ERR_NO_CERTIFICATE: 131 reason = SSL_R_MISSING_RSA_CERTIFICATE; /* XXX */ 132 break; 133 case TLS13_ERR_NO_PEER_CERTIFICATE: 134 reason = SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE; 135 break; 136 } 137 138 /* Something (probably libcrypto) already pushed an error on the stack. */ 139 if (reason == SSL_R_UNKNOWN && ERR_peek_error() != 0) 140 return; 141 142 ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file, 143 ctx->error.line); 144 } 145 146 int 147 tls13_legacy_return_code(SSL *ssl, ssize_t ret) 148 { 149 if (ret > INT_MAX) { 150 SSLerror(ssl, ERR_R_INTERNAL_ERROR); 151 return -1; 152 } 153 154 /* A successful read, write or other operation. */ 155 if (ret > 0) 156 return ret; 157 158 ssl->internal->rwstate = SSL_NOTHING; 159 160 switch (ret) { 161 case TLS13_IO_EOF: 162 return 0; 163 164 case TLS13_IO_FAILURE: 165 tls13_legacy_error(ssl); 166 return -1; 167 168 case TLS13_IO_ALERT: 169 tls13_legacy_error(ssl); 170 return -1; 171 172 case TLS13_IO_WANT_POLLIN: 173 BIO_set_retry_read(ssl->rbio); 174 ssl->internal->rwstate = SSL_READING; 175 return -1; 176 177 case TLS13_IO_WANT_POLLOUT: 178 BIO_set_retry_write(ssl->wbio); 179 ssl->internal->rwstate = SSL_WRITING; 180 return -1; 181 182 case TLS13_IO_WANT_RETRY: 183 SSLerror(ssl, ERR_R_INTERNAL_ERROR); 184 return -1; 185 } 186 187 SSLerror(ssl, ERR_R_INTERNAL_ERROR); 188 return -1; 189 } 190 191 int 192 tls13_legacy_pending(const SSL *ssl) 193 { 194 struct tls13_ctx *ctx = ssl->internal->tls13; 195 ssize_t ret; 196 197 if (ctx == NULL) 198 return 0; 199 200 ret = tls13_pending_application_data(ctx->rl); 201 if (ret < 0 || ret > INT_MAX) 202 return 0; 203 204 return ret; 205 } 206 207 int 208 tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int peek) 209 { 210 struct tls13_ctx *ctx = ssl->internal->tls13; 211 ssize_t ret; 212 213 if (ctx == NULL || !ctx->handshake_completed) { 214 if ((ret = ssl->internal->handshake_func(ssl)) <= 0) 215 return ret; 216 return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLIN); 217 } 218 219 tls13_record_layer_set_retry_after_phh(ctx->rl, 220 (ctx->ssl->internal->mode & SSL_MODE_AUTO_RETRY) != 0); 221 222 if (type != SSL3_RT_APPLICATION_DATA) { 223 SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 224 return -1; 225 } 226 if (len < 0) { 227 SSLerror(ssl, SSL_R_BAD_LENGTH); 228 return -1; 229 } 230 231 if (peek) 232 ret = tls13_peek_application_data(ctx->rl, buf, len); 233 else 234 ret = tls13_read_application_data(ctx->rl, buf, len); 235 236 return tls13_legacy_return_code(ssl, ret); 237 } 238 239 int 240 tls13_legacy_write_bytes(SSL *ssl, int type, const void *vbuf, int len) 241 { 242 struct tls13_ctx *ctx = ssl->internal->tls13; 243 const uint8_t *buf = vbuf; 244 size_t n, sent; 245 ssize_t ret; 246 247 if (ctx == NULL || !ctx->handshake_completed) { 248 if ((ret = ssl->internal->handshake_func(ssl)) <= 0) 249 return ret; 250 return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLOUT); 251 } 252 253 if (type != SSL3_RT_APPLICATION_DATA) { 254 SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 255 return -1; 256 } 257 if (len < 0) { 258 SSLerror(ssl, SSL_R_BAD_LENGTH); 259 return -1; 260 } 261 262 /* 263 * The TLSv1.3 record layer write behaviour is the same as 264 * SSL_MODE_ENABLE_PARTIAL_WRITE. 265 */ 266 if (ssl->internal->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) { 267 ret = tls13_write_application_data(ctx->rl, buf, len); 268 return tls13_legacy_return_code(ssl, ret); 269 } 270 271 /* 272 * In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until 273 * we have written out all of the requested data. 274 */ 275 sent = S3I(ssl)->wnum; 276 if (len < sent) { 277 SSLerror(ssl, SSL_R_BAD_LENGTH); 278 return -1; 279 } 280 n = len - sent; 281 for (;;) { 282 if (n == 0) { 283 S3I(ssl)->wnum = 0; 284 return sent; 285 } 286 if ((ret = tls13_write_application_data(ctx->rl, 287 &buf[sent], n)) <= 0) { 288 S3I(ssl)->wnum = sent; 289 return tls13_legacy_return_code(ssl, ret); 290 } 291 sent += ret; 292 n -= ret; 293 } 294 } 295 296 static int 297 tls13_use_legacy_stack(struct tls13_ctx *ctx) 298 { 299 SSL *s = ctx->ssl; 300 CBS cbs; 301 302 if (!ssl3_setup_init_buffer(s)) 303 return 0; 304 if (!ssl3_setup_buffers(s)) 305 return 0; 306 if (!ssl_init_wbio_buffer(s, 1)) 307 return 0; 308 309 /* Stash any unprocessed data from the last record. */ 310 tls13_record_layer_rbuf(ctx->rl, &cbs); 311 if (CBS_len(&cbs) > 0) { 312 if (!CBS_write_bytes(&cbs, 313 S3I(s)->rbuf.buf + SSL3_RT_HEADER_LENGTH, 314 S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH, NULL)) 315 return 0; 316 317 S3I(s)->rbuf.offset = SSL3_RT_HEADER_LENGTH; 318 S3I(s)->rbuf.left = CBS_len(&cbs); 319 S3I(s)->rrec.type = SSL3_RT_HANDSHAKE; 320 S3I(s)->rrec.length = CBS_len(&cbs); 321 s->internal->rstate = SSL_ST_READ_BODY; 322 s->internal->packet = S3I(s)->rbuf.buf; 323 s->internal->packet_length = SSL3_RT_HEADER_LENGTH; 324 s->internal->mac_packet = 1; 325 } 326 327 /* Stash the current handshake message. */ 328 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 329 if (!CBS_write_bytes(&cbs, s->internal->init_buf->data, 330 s->internal->init_buf->length, NULL)) 331 return 0; 332 333 S3I(s)->tmp.reuse_message = 1; 334 S3I(s)->tmp.message_type = tls13_handshake_msg_type(ctx->hs_msg); 335 S3I(s)->tmp.message_size = CBS_len(&cbs); 336 337 return 1; 338 } 339 340 int 341 tls13_use_legacy_client(struct tls13_ctx *ctx) 342 { 343 SSL *s = ctx->ssl; 344 345 s->method = tls_legacy_client_method(); 346 s->internal->handshake_func = s->method->internal->ssl_connect; 347 s->client_version = s->version = s->method->internal->max_version; 348 349 if (!tls13_use_legacy_stack(ctx)) 350 return 0; 351 352 S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A; 353 354 return 1; 355 } 356 357 int 358 tls13_use_legacy_server(struct tls13_ctx *ctx) 359 { 360 SSL *s = ctx->ssl; 361 362 s->method = tls_legacy_server_method(); 363 s->internal->handshake_func = s->method->internal->ssl_accept; 364 s->client_version = s->version = s->method->internal->max_version; 365 s->server = 1; 366 367 if (!tls13_use_legacy_stack(ctx)) 368 return 0; 369 370 S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A; 371 372 return 1; 373 } 374 375 int 376 tls13_legacy_accept(SSL *ssl) 377 { 378 struct tls13_ctx *ctx = ssl->internal->tls13; 379 int ret; 380 381 if (ctx == NULL) { 382 if ((ctx = tls13_ctx_new(TLS13_HS_SERVER)) == NULL) { 383 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 384 return -1; 385 } 386 ssl->internal->tls13 = ctx; 387 ctx->ssl = ssl; 388 ctx->hs = &S3I(ssl)->hs_tls13; 389 390 if (!tls13_server_init(ctx)) { 391 if (ERR_peek_error() == 0) 392 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 393 return -1; 394 } 395 } 396 397 ERR_clear_error(); 398 S3I(ssl)->hs.state = SSL_ST_ACCEPT; 399 400 ret = tls13_server_accept(ctx); 401 if (ret == TLS13_IO_USE_LEGACY) 402 return ssl->method->internal->ssl_accept(ssl); 403 if (ret == TLS13_IO_SUCCESS) 404 S3I(ssl)->hs.state = SSL_ST_OK; 405 406 return tls13_legacy_return_code(ssl, ret); 407 } 408 409 int 410 tls13_legacy_connect(SSL *ssl) 411 { 412 struct tls13_ctx *ctx = ssl->internal->tls13; 413 int ret; 414 415 #ifdef TLS13_USE_LEGACY_CLIENT_AUTH 416 /* XXX drop back to legacy for client auth for now */ 417 if (ssl->cert->key->privatekey != NULL) { 418 ssl->method = tls_legacy_client_method(); 419 return ssl->method->internal->ssl_connect(ssl); 420 } 421 #endif 422 423 if (ctx == NULL) { 424 if ((ctx = tls13_ctx_new(TLS13_HS_CLIENT)) == NULL) { 425 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 426 return -1; 427 } 428 ssl->internal->tls13 = ctx; 429 ctx->ssl = ssl; 430 ctx->hs = &S3I(ssl)->hs_tls13; 431 432 if (!tls13_client_init(ctx)) { 433 if (ERR_peek_error() == 0) 434 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 435 return -1; 436 } 437 } 438 439 ERR_clear_error(); 440 S3I(ssl)->hs.state = SSL_ST_CONNECT; 441 442 ret = tls13_client_connect(ctx); 443 if (ret == TLS13_IO_USE_LEGACY) 444 return ssl->method->internal->ssl_connect(ssl); 445 if (ret == TLS13_IO_SUCCESS) 446 S3I(ssl)->hs.state = SSL_ST_OK; 447 448 return tls13_legacy_return_code(ssl, ret); 449 } 450 451 int 452 tls13_legacy_shutdown(SSL *ssl) 453 { 454 struct tls13_ctx *ctx = ssl->internal->tls13; 455 uint8_t buf[512]; /* XXX */ 456 ssize_t ret; 457 458 /* 459 * We need to return 0 when we have sent a close-notify but have not 460 * yet received one. We return 1 only once we have sent and received 461 * close-notify alerts. All other cases return -1 and set internal 462 * state appropriately. 463 */ 464 if (ctx == NULL || ssl->internal->quiet_shutdown) { 465 ssl->internal->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN; 466 return 1; 467 } 468 469 if (!ctx->close_notify_sent) { 470 /* Enqueue and send close notify. */ 471 if (!(ssl->internal->shutdown & SSL_SENT_SHUTDOWN)) { 472 ssl->internal->shutdown |= SSL_SENT_SHUTDOWN; 473 if ((ret = tls13_send_alert(ctx->rl, 474 TLS13_ALERT_CLOSE_NOTIFY)) < 0) 475 return tls13_legacy_return_code(ssl, ret); 476 } 477 if ((ret = tls13_record_layer_send_pending(ctx->rl)) != 478 TLS13_IO_SUCCESS) 479 return tls13_legacy_return_code(ssl, ret); 480 } else if (!ctx->close_notify_recv) { 481 /* 482 * If there is no application data pending, attempt to read more 483 * data in order to receive a close notify. This should trigger 484 * a record to be read from the wire, which may be application 485 * handshake or alert data. Only one attempt is made to match 486 * previous semantics. 487 */ 488 if (tls13_pending_application_data(ctx->rl) == 0) { 489 if ((ret = tls13_read_application_data(ctx->rl, buf, 490 sizeof(buf))) < 0) 491 return tls13_legacy_return_code(ssl, ret); 492 } 493 } 494 495 if (ctx->close_notify_recv) 496 return 1; 497 498 return 0; 499 } 500 501 int 502 tls13_legacy_servername_process(struct tls13_ctx *ctx, uint8_t *alert) 503 { 504 int legacy_alert = SSL_AD_UNRECOGNIZED_NAME; 505 int ret = SSL_TLSEXT_ERR_NOACK; 506 SSL_CTX *ssl_ctx = ctx->ssl->ctx; 507 SSL *ssl = ctx->ssl; 508 509 if (ssl_ctx->internal->tlsext_servername_callback == NULL) 510 ssl_ctx = ssl->initial_ctx; 511 if (ssl_ctx->internal->tlsext_servername_callback == NULL) 512 return 1; 513 514 ret = ssl_ctx->internal->tlsext_servername_callback(ssl, &legacy_alert, 515 ssl_ctx->internal->tlsext_servername_arg); 516 517 if (ret == SSL_TLSEXT_ERR_ALERT_FATAL || 518 ret == SSL_TLSEXT_ERR_ALERT_WARNING) { 519 if (legacy_alert >= 0 && legacy_alert <= 255) 520 *alert = legacy_alert; 521 return 0; 522 } 523 524 return 1; 525 } 526