1 /* $OpenBSD: tls13_legacy.c,v 1.3.4.1 2020/05/19 20:22:33 tb Exp $ */ 2 /* 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <limits.h> 19 20 #include "ssl_locl.h" 21 #include "tls13_internal.h" 22 23 SSL3_ENC_METHOD TLSv1_3_enc_data = { 24 .enc_flags = SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_TLS1_3_CIPHERS, 25 }; 26 27 static ssize_t 28 tls13_legacy_wire_read(SSL *ssl, uint8_t *buf, size_t len) 29 { 30 int n; 31 32 if (ssl->rbio == NULL) { 33 SSLerror(ssl, SSL_R_BIO_NOT_SET); 34 return TLS13_IO_FAILURE; 35 } 36 37 ssl->internal->rwstate = SSL_READING; 38 39 if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) { 40 if (BIO_should_read(ssl->rbio)) 41 return TLS13_IO_WANT_POLLIN; 42 if (BIO_should_write(ssl->rbio)) 43 return TLS13_IO_WANT_POLLOUT; 44 if (n == 0) 45 return TLS13_IO_EOF; 46 47 return TLS13_IO_FAILURE; 48 } 49 50 if (n == len) 51 ssl->internal->rwstate = SSL_NOTHING; 52 53 return n; 54 } 55 56 ssize_t 57 tls13_legacy_wire_read_cb(void *buf, size_t n, void *arg) 58 { 59 struct tls13_ctx *ctx = arg; 60 61 return tls13_legacy_wire_read(ctx->ssl, buf, n); 62 } 63 64 static ssize_t 65 tls13_legacy_wire_write(SSL *ssl, const uint8_t *buf, size_t len) 66 { 67 int n; 68 69 if (ssl->wbio == NULL) { 70 SSLerror(ssl, SSL_R_BIO_NOT_SET); 71 return TLS13_IO_FAILURE; 72 } 73 74 ssl->internal->rwstate = SSL_WRITING; 75 76 if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) { 77 if (BIO_should_read(ssl->wbio)) 78 return TLS13_IO_WANT_POLLIN; 79 if (BIO_should_write(ssl->wbio)) 80 return TLS13_IO_WANT_POLLOUT; 81 82 return TLS13_IO_FAILURE; 83 } 84 85 if (n == len) 86 ssl->internal->rwstate = SSL_NOTHING; 87 88 return n; 89 } 90 91 ssize_t 92 tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg) 93 { 94 struct tls13_ctx *ctx = arg; 95 96 return tls13_legacy_wire_write(ctx->ssl, buf, n); 97 } 98 99 static void 100 tls13_legacy_error(SSL *ssl) 101 { 102 struct tls13_ctx *ctx = ssl->internal->tls13; 103 int reason = SSL_R_UNKNOWN; 104 105 /* If we received a fatal alert we already put an error on the stack. */ 106 if (S3I(ssl)->fatal_alert != 0) 107 return; 108 109 switch (ctx->error.code) { 110 case TLS13_ERR_VERIFY_FAILED: 111 reason = SSL_R_CERTIFICATE_VERIFY_FAILED; 112 break; 113 case TLS13_ERR_HRR_FAILED: 114 reason = SSL_R_NO_CIPHERS_AVAILABLE; 115 break; 116 case TLS13_ERR_TRAILING_DATA: 117 reason = SSL_R_EXTRA_DATA_IN_MESSAGE; 118 break; 119 case TLS13_ERR_NO_SHARED_CIPHER: 120 reason = SSL_R_NO_SHARED_CIPHER; 121 break; 122 case TLS13_ERR_NO_PEER_CERTIFICATE: 123 reason = SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE; 124 break; 125 } 126 127 /* Something (probably libcrypto) already pushed an error on the stack. */ 128 if (reason == SSL_R_UNKNOWN && ERR_peek_error() != 0) 129 return; 130 131 ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file, 132 ctx->error.line); 133 } 134 135 int 136 tls13_legacy_return_code(SSL *ssl, ssize_t ret) 137 { 138 if (ret > INT_MAX) { 139 SSLerror(ssl, ERR_R_INTERNAL_ERROR); 140 return -1; 141 } 142 143 /* A successful read, write or other operation. */ 144 if (ret > 0) 145 return ret; 146 147 ssl->internal->rwstate = SSL_NOTHING; 148 149 switch (ret) { 150 case TLS13_IO_EOF: 151 return 0; 152 153 case TLS13_IO_FAILURE: 154 tls13_legacy_error(ssl); 155 return -1; 156 157 case TLS13_IO_ALERT: 158 tls13_legacy_error(ssl); 159 return -1; 160 161 case TLS13_IO_WANT_POLLIN: 162 BIO_set_retry_read(ssl->rbio); 163 ssl->internal->rwstate = SSL_READING; 164 return -1; 165 166 case TLS13_IO_WANT_POLLOUT: 167 BIO_set_retry_write(ssl->wbio); 168 ssl->internal->rwstate = SSL_WRITING; 169 return -1; 170 171 case TLS13_IO_WANT_RETRY: 172 SSLerror(ssl, ERR_R_INTERNAL_ERROR); 173 return -1; 174 } 175 176 SSLerror(ssl, ERR_R_INTERNAL_ERROR); 177 return -1; 178 } 179 180 int 181 tls13_legacy_pending(const SSL *ssl) 182 { 183 struct tls13_ctx *ctx = ssl->internal->tls13; 184 ssize_t ret; 185 186 if (ctx == NULL) 187 return 0; 188 189 ret = tls13_pending_application_data(ctx->rl); 190 if (ret < 0 || ret > INT_MAX) 191 return 0; 192 193 return ret; 194 } 195 196 int 197 tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int peek) 198 { 199 struct tls13_ctx *ctx = ssl->internal->tls13; 200 ssize_t ret; 201 202 if (ctx == NULL || !ctx->handshake_completed) { 203 if ((ret = ssl->internal->handshake_func(ssl)) <= 0) 204 return ret; 205 return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLIN); 206 } 207 208 if (type != SSL3_RT_APPLICATION_DATA) { 209 SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 210 return -1; 211 } 212 if (len < 0) { 213 SSLerror(ssl, SSL_R_BAD_LENGTH); 214 return -1; 215 } 216 217 if (peek) 218 ret = tls13_peek_application_data(ctx->rl, buf, len); 219 else 220 ret = tls13_read_application_data(ctx->rl, buf, len); 221 222 return tls13_legacy_return_code(ssl, ret); 223 } 224 225 int 226 tls13_legacy_write_bytes(SSL *ssl, int type, const void *vbuf, int len) 227 { 228 struct tls13_ctx *ctx = ssl->internal->tls13; 229 const uint8_t *buf = vbuf; 230 size_t n, sent; 231 ssize_t ret; 232 233 if (ctx == NULL || !ctx->handshake_completed) { 234 if ((ret = ssl->internal->handshake_func(ssl)) <= 0) 235 return ret; 236 return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLOUT); 237 } 238 239 if (type != SSL3_RT_APPLICATION_DATA) { 240 SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 241 return -1; 242 } 243 if (len < 0) { 244 SSLerror(ssl, SSL_R_BAD_LENGTH); 245 return -1; 246 } 247 248 /* 249 * The TLSv1.3 record layer write behaviour is the same as 250 * SSL_MODE_ENABLE_PARTIAL_WRITE. 251 */ 252 if (ssl->internal->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) { 253 ret = tls13_write_application_data(ctx->rl, buf, len); 254 return tls13_legacy_return_code(ssl, ret); 255 } 256 257 /* 258 * In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until 259 * we have written out all of the requested data. 260 */ 261 sent = S3I(ssl)->wnum; 262 if (len < sent) { 263 SSLerror(ssl, SSL_R_BAD_LENGTH); 264 return -1; 265 } 266 n = len - sent; 267 for (;;) { 268 if (n == 0) { 269 S3I(ssl)->wnum = 0; 270 return sent; 271 } 272 if ((ret = tls13_write_application_data(ctx->rl, 273 &buf[sent], n)) <= 0) { 274 S3I(ssl)->wnum = sent; 275 return tls13_legacy_return_code(ssl, ret); 276 } 277 sent += ret; 278 n -= ret; 279 } 280 } 281 282 int 283 tls13_use_legacy_client(struct tls13_ctx *ctx) 284 { 285 SSL *s = ctx->ssl; 286 CBS cbs; 287 288 s->method = tls_legacy_client_method(); 289 s->internal->handshake_func = s->method->internal->ssl_connect; 290 s->client_version = s->version = s->method->internal->max_version; 291 292 if (!ssl3_setup_init_buffer(s)) 293 goto err; 294 if (!ssl3_setup_buffers(s)) 295 goto err; 296 if (!ssl_init_wbio_buffer(s, 0)) 297 goto err; 298 299 if (s->bbio != s->wbio) 300 s->wbio = BIO_push(s->bbio, s->wbio); 301 302 /* Stash any unprocessed data from the last record. */ 303 tls13_record_layer_rbuf(ctx->rl, &cbs); 304 if (CBS_len(&cbs) > 0) { 305 if (!CBS_write_bytes(&cbs, 306 S3I(s)->rbuf.buf + SSL3_RT_HEADER_LENGTH, 307 S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH, NULL)) 308 goto err; 309 310 S3I(s)->rbuf.offset = SSL3_RT_HEADER_LENGTH; 311 S3I(s)->rbuf.left = CBS_len(&cbs); 312 S3I(s)->rrec.type = SSL3_RT_HANDSHAKE; 313 S3I(s)->rrec.length = CBS_len(&cbs); 314 s->internal->rstate = SSL_ST_READ_BODY; 315 s->internal->packet = S3I(s)->rbuf.buf; 316 s->internal->packet_length = SSL3_RT_HEADER_LENGTH; 317 s->internal->mac_packet = 1; 318 } 319 320 /* Stash the current handshake message. */ 321 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 322 if (!CBS_write_bytes(&cbs, s->internal->init_buf->data, 323 s->internal->init_buf->length, NULL)) 324 goto err; 325 326 S3I(s)->tmp.reuse_message = 1; 327 S3I(s)->tmp.message_type = tls13_handshake_msg_type(ctx->hs_msg); 328 S3I(s)->tmp.message_size = CBS_len(&cbs); 329 330 S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A; 331 332 return 1; 333 334 err: 335 return 0; 336 } 337 338 int 339 tls13_use_legacy_server(struct tls13_ctx *ctx) 340 { 341 SSL *s = ctx->ssl; 342 CBS cbs; 343 344 s->method = tls_legacy_server_method(); 345 s->internal->handshake_func = s->method->internal->ssl_accept; 346 s->client_version = s->version = s->method->internal->max_version; 347 s->server = 1; 348 349 if (!ssl3_setup_init_buffer(s)) 350 goto err; 351 if (!ssl3_setup_buffers(s)) 352 goto err; 353 if (!ssl_init_wbio_buffer(s, 0)) 354 goto err; 355 356 if (s->bbio != s->wbio) 357 s->wbio = BIO_push(s->bbio, s->wbio); 358 359 /* Stash any unprocessed data from the last record. */ 360 tls13_record_layer_rbuf(ctx->rl, &cbs); 361 if (CBS_len(&cbs) > 0) { 362 if (!CBS_write_bytes(&cbs, 363 S3I(s)->rbuf.buf + SSL3_RT_HEADER_LENGTH, 364 S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH, NULL)) 365 goto err; 366 367 S3I(s)->rbuf.offset = SSL3_RT_HEADER_LENGTH; 368 S3I(s)->rbuf.left = CBS_len(&cbs); 369 S3I(s)->rrec.type = SSL3_RT_HANDSHAKE; 370 S3I(s)->rrec.length = CBS_len(&cbs); 371 s->internal->rstate = SSL_ST_READ_BODY; 372 s->internal->packet = S3I(s)->rbuf.buf; 373 s->internal->packet_length = SSL3_RT_HEADER_LENGTH; 374 s->internal->mac_packet = 1; 375 } 376 377 /* Stash the current handshake message. */ 378 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 379 if (!CBS_write_bytes(&cbs, s->internal->init_buf->data, 380 s->internal->init_buf->length, NULL)) 381 goto err; 382 383 S3I(s)->tmp.reuse_message = 1; 384 S3I(s)->tmp.message_type = tls13_handshake_msg_type(ctx->hs_msg); 385 S3I(s)->tmp.message_size = CBS_len(&cbs); 386 387 S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A; 388 389 return 1; 390 391 err: 392 return 0; 393 } 394 395 int 396 tls13_legacy_accept(SSL *ssl) 397 { 398 struct tls13_ctx *ctx = ssl->internal->tls13; 399 int ret; 400 401 if (ctx == NULL) { 402 if ((ctx = tls13_ctx_new(TLS13_HS_SERVER)) == NULL) { 403 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 404 return -1; 405 } 406 ssl->internal->tls13 = ctx; 407 ctx->ssl = ssl; 408 ctx->hs = &S3I(ssl)->hs_tls13; 409 410 if (!tls13_server_init(ctx)) { 411 if (ERR_peek_error() == 0) 412 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 413 return -1; 414 } 415 } 416 417 ERR_clear_error(); 418 S3I(ssl)->hs.state = SSL_ST_ACCEPT; 419 420 ret = tls13_server_accept(ctx); 421 if (ret == TLS13_IO_USE_LEGACY) 422 return ssl->method->internal->ssl_accept(ssl); 423 if (ret == TLS13_IO_SUCCESS) 424 S3I(ssl)->hs.state = SSL_ST_OK; 425 426 return tls13_legacy_return_code(ssl, ret); 427 } 428 429 int 430 tls13_legacy_connect(SSL *ssl) 431 { 432 struct tls13_ctx *ctx = ssl->internal->tls13; 433 int ret; 434 435 #ifdef TLS13_USE_LEGACY_CLIENT_AUTH 436 /* XXX drop back to legacy for client auth for now */ 437 if (ssl->cert->key->privatekey != NULL) { 438 ssl->method = tls_legacy_client_method(); 439 return ssl->method->internal->ssl_connect(ssl); 440 } 441 #endif 442 443 if (ctx == NULL) { 444 if ((ctx = tls13_ctx_new(TLS13_HS_CLIENT)) == NULL) { 445 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 446 return -1; 447 } 448 ssl->internal->tls13 = ctx; 449 ctx->ssl = ssl; 450 ctx->hs = &S3I(ssl)->hs_tls13; 451 452 if (!tls13_client_init(ctx)) { 453 if (ERR_peek_error() == 0) 454 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 455 return -1; 456 } 457 } 458 459 ERR_clear_error(); 460 S3I(ssl)->hs.state = SSL_ST_CONNECT; 461 462 ret = tls13_client_connect(ctx); 463 if (ret == TLS13_IO_USE_LEGACY) 464 return ssl->method->internal->ssl_connect(ssl); 465 if (ret == TLS13_IO_SUCCESS) 466 S3I(ssl)->hs.state = SSL_ST_OK; 467 468 return tls13_legacy_return_code(ssl, ret); 469 } 470 471 int 472 tls13_legacy_shutdown(SSL *ssl) 473 { 474 struct tls13_ctx *ctx = ssl->internal->tls13; 475 uint8_t buf[512]; /* XXX */ 476 ssize_t ret; 477 478 /* 479 * We need to return 0 when we have sent a close-notify but have not 480 * yet received one. We return 1 only once we have sent and received 481 * close-notify alerts. All other cases return -1 and set internal 482 * state appropriately. 483 */ 484 if (ctx == NULL || ssl->internal->quiet_shutdown) { 485 ssl->internal->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN; 486 return 1; 487 } 488 489 /* Send close notify. */ 490 if (!ctx->close_notify_sent) { 491 ctx->close_notify_sent = 1; 492 if ((ret = tls13_send_alert(ctx->rl, SSL_AD_CLOSE_NOTIFY)) < 0) 493 return tls13_legacy_return_code(ssl, ret); 494 } 495 496 /* Ensure close notify has been sent. */ 497 if ((ret = tls13_record_layer_send_pending(ctx->rl)) != TLS13_IO_SUCCESS) 498 return tls13_legacy_return_code(ssl, ret); 499 500 /* Receive close notify. */ 501 if (!ctx->close_notify_recv) { 502 /* 503 * If there is still application data pending then we have no 504 * option but to discard it here. The application should have 505 * continued to call SSL_read() instead of SSL_shutdown(). 506 */ 507 /* XXX - tls13_drain_application_data()? */ 508 if ((ret = tls13_read_application_data(ctx->rl, buf, sizeof(buf))) > 0) 509 ret = TLS13_IO_WANT_POLLIN; 510 if (ret != TLS13_IO_EOF) 511 return tls13_legacy_return_code(ssl, ret); 512 } 513 514 if (ctx->close_notify_recv) 515 return 1; 516 517 return 0; 518 } 519