1 /* $OpenBSD: tls13_legacy.c,v 1.38 2022/07/17 15:49:20 jsing Exp $ */ 2 /* 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <limits.h> 19 20 #include "ssl_locl.h" 21 #include "tls13_internal.h" 22 23 static ssize_t 24 tls13_legacy_wire_read(SSL *ssl, uint8_t *buf, size_t len) 25 { 26 int n; 27 28 if (ssl->rbio == NULL) { 29 SSLerror(ssl, SSL_R_BIO_NOT_SET); 30 return TLS13_IO_FAILURE; 31 } 32 33 ssl->internal->rwstate = SSL_READING; 34 errno = 0; 35 36 if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) { 37 if (BIO_should_read(ssl->rbio)) 38 return TLS13_IO_WANT_POLLIN; 39 if (n == 0) 40 return TLS13_IO_EOF; 41 42 if (ERR_peek_error() == 0 && errno != 0) 43 SYSerror(errno); 44 45 return TLS13_IO_FAILURE; 46 } 47 48 if (n == len) 49 ssl->internal->rwstate = SSL_NOTHING; 50 51 return n; 52 } 53 54 ssize_t 55 tls13_legacy_wire_read_cb(void *buf, size_t n, void *arg) 56 { 57 struct tls13_ctx *ctx = arg; 58 59 return tls13_legacy_wire_read(ctx->ssl, buf, n); 60 } 61 62 static ssize_t 63 tls13_legacy_wire_write(SSL *ssl, const uint8_t *buf, size_t len) 64 { 65 int n; 66 67 if (ssl->wbio == NULL) { 68 SSLerror(ssl, SSL_R_BIO_NOT_SET); 69 return TLS13_IO_FAILURE; 70 } 71 72 ssl->internal->rwstate = SSL_WRITING; 73 errno = 0; 74 75 if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) { 76 if (BIO_should_write(ssl->wbio)) 77 return TLS13_IO_WANT_POLLOUT; 78 79 if (ERR_peek_error() == 0 && errno != 0) 80 SYSerror(errno); 81 82 return TLS13_IO_FAILURE; 83 } 84 85 if (n == len) 86 ssl->internal->rwstate = SSL_NOTHING; 87 88 return n; 89 } 90 91 ssize_t 92 tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg) 93 { 94 struct tls13_ctx *ctx = arg; 95 96 return tls13_legacy_wire_write(ctx->ssl, buf, n); 97 } 98 99 static ssize_t 100 tls13_legacy_wire_flush(SSL *ssl) 101 { 102 if (BIO_flush(ssl->wbio) <= 0) { 103 if (BIO_should_write(ssl->wbio)) 104 return TLS13_IO_WANT_POLLOUT; 105 106 if (ERR_peek_error() == 0 && errno != 0) 107 SYSerror(errno); 108 109 return TLS13_IO_FAILURE; 110 } 111 112 return TLS13_IO_SUCCESS; 113 } 114 115 ssize_t 116 tls13_legacy_wire_flush_cb(void *arg) 117 { 118 struct tls13_ctx *ctx = arg; 119 120 return tls13_legacy_wire_flush(ctx->ssl); 121 } 122 123 static void 124 tls13_legacy_error(SSL *ssl) 125 { 126 struct tls13_ctx *ctx = ssl->internal->tls13; 127 int reason = SSL_R_UNKNOWN; 128 129 /* If we received a fatal alert we already put an error on the stack. */ 130 if (ssl->s3->fatal_alert != 0) 131 return; 132 133 switch (ctx->error.code) { 134 case TLS13_ERR_VERIFY_FAILED: 135 reason = SSL_R_CERTIFICATE_VERIFY_FAILED; 136 break; 137 case TLS13_ERR_HRR_FAILED: 138 reason = SSL_R_NO_CIPHERS_AVAILABLE; 139 break; 140 case TLS13_ERR_TRAILING_DATA: 141 reason = SSL_R_EXTRA_DATA_IN_MESSAGE; 142 break; 143 case TLS13_ERR_NO_SHARED_CIPHER: 144 reason = SSL_R_NO_SHARED_CIPHER; 145 break; 146 case TLS13_ERR_NO_CERTIFICATE: 147 reason = SSL_R_MISSING_RSA_CERTIFICATE; /* XXX */ 148 break; 149 case TLS13_ERR_NO_PEER_CERTIFICATE: 150 reason = SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE; 151 break; 152 } 153 154 /* Something (probably libcrypto) already pushed an error on the stack. */ 155 if (reason == SSL_R_UNKNOWN && ERR_peek_error() != 0) 156 return; 157 158 ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file, 159 ctx->error.line); 160 } 161 162 int 163 tls13_legacy_return_code(SSL *ssl, ssize_t ret) 164 { 165 if (ret > INT_MAX) { 166 SSLerror(ssl, ERR_R_INTERNAL_ERROR); 167 return -1; 168 } 169 170 /* A successful read, write or other operation. */ 171 if (ret > 0) 172 return ret; 173 174 ssl->internal->rwstate = SSL_NOTHING; 175 176 switch (ret) { 177 case TLS13_IO_EOF: 178 return 0; 179 180 case TLS13_IO_FAILURE: 181 tls13_legacy_error(ssl); 182 return -1; 183 184 case TLS13_IO_ALERT: 185 tls13_legacy_error(ssl); 186 return -1; 187 188 case TLS13_IO_WANT_POLLIN: 189 BIO_set_retry_read(ssl->rbio); 190 ssl->internal->rwstate = SSL_READING; 191 return -1; 192 193 case TLS13_IO_WANT_POLLOUT: 194 BIO_set_retry_write(ssl->wbio); 195 ssl->internal->rwstate = SSL_WRITING; 196 return -1; 197 198 case TLS13_IO_WANT_RETRY: 199 SSLerror(ssl, ERR_R_INTERNAL_ERROR); 200 return -1; 201 } 202 203 SSLerror(ssl, ERR_R_INTERNAL_ERROR); 204 return -1; 205 } 206 207 int 208 tls13_legacy_pending(const SSL *ssl) 209 { 210 struct tls13_ctx *ctx = ssl->internal->tls13; 211 ssize_t ret; 212 213 if (ctx == NULL) 214 return 0; 215 216 ret = tls13_pending_application_data(ctx->rl); 217 if (ret < 0 || ret > INT_MAX) 218 return 0; 219 220 return ret; 221 } 222 223 int 224 tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int peek) 225 { 226 struct tls13_ctx *ctx = ssl->internal->tls13; 227 ssize_t ret; 228 229 if (ctx == NULL || !ctx->handshake_completed) { 230 if ((ret = ssl->internal->handshake_func(ssl)) <= 0) 231 return ret; 232 if (len == 0) 233 return 0; 234 return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLIN); 235 } 236 237 tls13_record_layer_set_retry_after_phh(ctx->rl, 238 (ctx->ssl->internal->mode & SSL_MODE_AUTO_RETRY) != 0); 239 240 if (type != SSL3_RT_APPLICATION_DATA) { 241 SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 242 return -1; 243 } 244 if (len < 0) { 245 SSLerror(ssl, SSL_R_BAD_LENGTH); 246 return -1; 247 } 248 249 if (peek) 250 ret = tls13_peek_application_data(ctx->rl, buf, len); 251 else 252 ret = tls13_read_application_data(ctx->rl, buf, len); 253 254 return tls13_legacy_return_code(ssl, ret); 255 } 256 257 int 258 tls13_legacy_write_bytes(SSL *ssl, int type, const void *vbuf, int len) 259 { 260 struct tls13_ctx *ctx = ssl->internal->tls13; 261 const uint8_t *buf = vbuf; 262 size_t n, sent; 263 ssize_t ret; 264 265 if (ctx == NULL || !ctx->handshake_completed) { 266 if ((ret = ssl->internal->handshake_func(ssl)) <= 0) 267 return ret; 268 if (len == 0) 269 return 0; 270 return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLOUT); 271 } 272 273 if (type != SSL3_RT_APPLICATION_DATA) { 274 SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 275 return -1; 276 } 277 if (len < 0) { 278 SSLerror(ssl, SSL_R_BAD_LENGTH); 279 return -1; 280 } 281 282 /* 283 * The TLSv1.3 record layer write behaviour is the same as 284 * SSL_MODE_ENABLE_PARTIAL_WRITE. 285 */ 286 if (ssl->internal->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) { 287 ret = tls13_write_application_data(ctx->rl, buf, len); 288 return tls13_legacy_return_code(ssl, ret); 289 } 290 291 /* 292 * In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until 293 * we have written out all of the requested data. 294 */ 295 sent = ssl->s3->wnum; 296 if (len < sent) { 297 SSLerror(ssl, SSL_R_BAD_LENGTH); 298 return -1; 299 } 300 n = len - sent; 301 for (;;) { 302 if (n == 0) { 303 ssl->s3->wnum = 0; 304 return sent; 305 } 306 if ((ret = tls13_write_application_data(ctx->rl, 307 &buf[sent], n)) <= 0) { 308 ssl->s3->wnum = sent; 309 return tls13_legacy_return_code(ssl, ret); 310 } 311 sent += ret; 312 n -= ret; 313 } 314 } 315 316 static int 317 tls13_use_legacy_stack(struct tls13_ctx *ctx) 318 { 319 SSL *s = ctx->ssl; 320 CBB cbb, fragment; 321 CBS cbs; 322 323 memset(&cbb, 0, sizeof(cbb)); 324 325 s->method = tls_legacy_method(); 326 327 if (!ssl3_setup_init_buffer(s)) 328 goto err; 329 if (!ssl3_setup_buffers(s)) 330 goto err; 331 if (!ssl_init_wbio_buffer(s, 1)) 332 goto err; 333 334 /* Stash any unprocessed data from the last record. */ 335 tls13_record_layer_rcontent(ctx->rl, &cbs); 336 if (CBS_len(&cbs) > 0) { 337 if (!CBB_init_fixed(&cbb, s->s3->rbuf.buf, 338 s->s3->rbuf.len)) 339 goto err; 340 if (!CBB_add_u8(&cbb, SSL3_RT_HANDSHAKE)) 341 goto err; 342 if (!CBB_add_u16(&cbb, TLS1_2_VERSION)) 343 goto err; 344 if (!CBB_add_u16_length_prefixed(&cbb, &fragment)) 345 goto err; 346 if (!CBB_add_bytes(&fragment, CBS_data(&cbs), CBS_len(&cbs))) 347 goto err; 348 if (!CBB_finish(&cbb, NULL, NULL)) 349 goto err; 350 351 s->s3->rbuf.offset = SSL3_RT_HEADER_LENGTH; 352 s->s3->rbuf.left = CBS_len(&cbs); 353 s->s3->rrec.type = SSL3_RT_HANDSHAKE; 354 s->s3->rrec.length = CBS_len(&cbs); 355 s->internal->rstate = SSL_ST_READ_BODY; 356 s->internal->packet = s->s3->rbuf.buf; 357 s->internal->packet_length = SSL3_RT_HEADER_LENGTH; 358 s->internal->mac_packet = 1; 359 } 360 361 /* Stash the current handshake message. */ 362 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 363 if (!BUF_MEM_grow_clean(s->internal->init_buf, CBS_len(&cbs))) 364 goto err; 365 if (!CBS_write_bytes(&cbs, s->internal->init_buf->data, 366 s->internal->init_buf->length, NULL)) 367 goto err; 368 369 s->s3->hs.tls12.reuse_message = 1; 370 s->s3->hs.tls12.message_type = tls13_handshake_msg_type(ctx->hs_msg); 371 s->s3->hs.tls12.message_size = CBS_len(&cbs) - SSL3_HM_HEADER_LENGTH; 372 373 return 1; 374 375 err: 376 CBB_cleanup(&cbb); 377 378 return 0; 379 } 380 381 int 382 tls13_use_legacy_client(struct tls13_ctx *ctx) 383 { 384 SSL *s = ctx->ssl; 385 386 if (!tls13_use_legacy_stack(ctx)) 387 return 0; 388 389 s->internal->handshake_func = s->method->ssl_connect; 390 s->version = s->method->max_tls_version; 391 392 return 1; 393 } 394 395 int 396 tls13_use_legacy_server(struct tls13_ctx *ctx) 397 { 398 SSL *s = ctx->ssl; 399 400 if (!tls13_use_legacy_stack(ctx)) 401 return 0; 402 403 s->internal->handshake_func = s->method->ssl_accept; 404 s->version = s->method->max_tls_version; 405 s->server = 1; 406 407 return 1; 408 } 409 410 int 411 tls13_legacy_accept(SSL *ssl) 412 { 413 struct tls13_ctx *ctx = ssl->internal->tls13; 414 int ret; 415 416 if (ctx == NULL) { 417 if ((ctx = tls13_ctx_new(TLS13_HS_SERVER, ssl)) == NULL) { 418 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 419 return -1; 420 } 421 if (!tls13_server_init(ctx)) { 422 if (ERR_peek_error() == 0) 423 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 424 return -1; 425 } 426 } 427 428 ERR_clear_error(); 429 430 ret = tls13_server_accept(ctx); 431 if (ret == TLS13_IO_USE_LEGACY) 432 return ssl->method->ssl_accept(ssl); 433 434 ret = tls13_legacy_return_code(ssl, ret); 435 436 if (ctx->info_cb != NULL) 437 ctx->info_cb(ctx, TLS13_INFO_ACCEPT_EXIT, ret); 438 439 return ret; 440 } 441 442 int 443 tls13_legacy_connect(SSL *ssl) 444 { 445 struct tls13_ctx *ctx = ssl->internal->tls13; 446 int ret; 447 448 if (ctx == NULL) { 449 if ((ctx = tls13_ctx_new(TLS13_HS_CLIENT, ssl)) == NULL) { 450 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 451 return -1; 452 } 453 if (!tls13_client_init(ctx)) { 454 if (ERR_peek_error() == 0) 455 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 456 return -1; 457 } 458 } 459 460 ERR_clear_error(); 461 462 ret = tls13_client_connect(ctx); 463 if (ret == TLS13_IO_USE_LEGACY) 464 return ssl->method->ssl_connect(ssl); 465 466 ret = tls13_legacy_return_code(ssl, ret); 467 468 if (ctx->info_cb != NULL) 469 ctx->info_cb(ctx, TLS13_INFO_CONNECT_EXIT, ret); 470 471 return ret; 472 } 473 474 int 475 tls13_legacy_shutdown(SSL *ssl) 476 { 477 struct tls13_ctx *ctx = ssl->internal->tls13; 478 uint8_t buf[512]; /* XXX */ 479 ssize_t ret; 480 481 /* 482 * We need to return 0 at the point that we have completed sending a 483 * close-notify. We return 1 when we have sent and received close-notify 484 * alerts. All other cases, including EOF, return -1 and set internal 485 * state appropriately. 486 */ 487 if (ctx == NULL || ssl->internal->quiet_shutdown) { 488 ssl->internal->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN; 489 return 1; 490 } 491 492 if (!ctx->close_notify_sent) { 493 /* Enqueue and send close notify. */ 494 if (!(ssl->internal->shutdown & SSL_SENT_SHUTDOWN)) { 495 ssl->internal->shutdown |= SSL_SENT_SHUTDOWN; 496 if ((ret = tls13_send_alert(ctx->rl, 497 TLS13_ALERT_CLOSE_NOTIFY)) < 0) 498 return tls13_legacy_return_code(ssl, ret); 499 } 500 ret = tls13_record_layer_send_pending(ctx->rl); 501 if (ret == TLS13_IO_EOF) 502 return -1; 503 if (ret != TLS13_IO_SUCCESS) 504 return tls13_legacy_return_code(ssl, ret); 505 } else if (!ctx->close_notify_recv) { 506 /* 507 * If there is no application data pending, attempt to read more 508 * data in order to receive a close-notify. This should trigger 509 * a record to be read from the wire, which may be application 510 * handshake or alert data. Only one attempt is made to match 511 * previous semantics. 512 */ 513 if (tls13_pending_application_data(ctx->rl) == 0) { 514 if ((ret = tls13_read_application_data(ctx->rl, buf, 515 sizeof(buf))) < 0) 516 return tls13_legacy_return_code(ssl, ret); 517 if (!ctx->close_notify_recv) 518 return -1; 519 } 520 } 521 522 if (ctx->close_notify_recv) 523 return 1; 524 525 return 0; 526 } 527 528 int 529 tls13_legacy_servername_process(struct tls13_ctx *ctx, uint8_t *alert) 530 { 531 int legacy_alert = SSL_AD_UNRECOGNIZED_NAME; 532 int ret = SSL_TLSEXT_ERR_NOACK; 533 SSL_CTX *ssl_ctx = ctx->ssl->ctx; 534 SSL *s = ctx->ssl; 535 536 if (ssl_ctx->internal->tlsext_servername_callback == NULL) 537 ssl_ctx = s->initial_ctx; 538 if (ssl_ctx->internal->tlsext_servername_callback == NULL) 539 return 1; 540 541 ret = ssl_ctx->internal->tlsext_servername_callback(s, &legacy_alert, 542 ssl_ctx->internal->tlsext_servername_arg); 543 544 /* 545 * Ignore SSL_TLSEXT_ERR_ALERT_WARNING returns to match OpenSSL's 546 * behavior: the only warning alerts in TLSv1.3 are close_notify and 547 * user_canceled, neither of which should be returned by the callback. 548 */ 549 if (ret == SSL_TLSEXT_ERR_ALERT_FATAL) { 550 if (legacy_alert >= 0 && legacy_alert <= 255) 551 *alert = legacy_alert; 552 return 0; 553 } 554 555 return 1; 556 } 557