1 /* $OpenBSD: tls13_legacy.c,v 1.38 2022/07/17 15:49:20 jsing Exp $ */
2 /*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 #include <limits.h>
19
20 #include "ssl_locl.h"
21 #include "tls13_internal.h"
22
23 static ssize_t
tls13_legacy_wire_read(SSL * ssl,uint8_t * buf,size_t len)24 tls13_legacy_wire_read(SSL *ssl, uint8_t *buf, size_t len)
25 {
26 int n;
27
28 if (ssl->rbio == NULL) {
29 SSLerror(ssl, SSL_R_BIO_NOT_SET);
30 return TLS13_IO_FAILURE;
31 }
32
33 ssl->internal->rwstate = SSL_READING;
34 errno = 0;
35
36 if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) {
37 if (BIO_should_read(ssl->rbio))
38 return TLS13_IO_WANT_POLLIN;
39 if (n == 0)
40 return TLS13_IO_EOF;
41
42 if (ERR_peek_error() == 0 && errno != 0)
43 SYSerror(errno);
44
45 return TLS13_IO_FAILURE;
46 }
47
48 if (n == len)
49 ssl->internal->rwstate = SSL_NOTHING;
50
51 return n;
52 }
53
54 ssize_t
tls13_legacy_wire_read_cb(void * buf,size_t n,void * arg)55 tls13_legacy_wire_read_cb(void *buf, size_t n, void *arg)
56 {
57 struct tls13_ctx *ctx = arg;
58
59 return tls13_legacy_wire_read(ctx->ssl, buf, n);
60 }
61
62 static ssize_t
tls13_legacy_wire_write(SSL * ssl,const uint8_t * buf,size_t len)63 tls13_legacy_wire_write(SSL *ssl, const uint8_t *buf, size_t len)
64 {
65 int n;
66
67 if (ssl->wbio == NULL) {
68 SSLerror(ssl, SSL_R_BIO_NOT_SET);
69 return TLS13_IO_FAILURE;
70 }
71
72 ssl->internal->rwstate = SSL_WRITING;
73 errno = 0;
74
75 if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) {
76 if (BIO_should_write(ssl->wbio))
77 return TLS13_IO_WANT_POLLOUT;
78
79 if (ERR_peek_error() == 0 && errno != 0)
80 SYSerror(errno);
81
82 return TLS13_IO_FAILURE;
83 }
84
85 if (n == len)
86 ssl->internal->rwstate = SSL_NOTHING;
87
88 return n;
89 }
90
91 ssize_t
tls13_legacy_wire_write_cb(const void * buf,size_t n,void * arg)92 tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg)
93 {
94 struct tls13_ctx *ctx = arg;
95
96 return tls13_legacy_wire_write(ctx->ssl, buf, n);
97 }
98
99 static ssize_t
tls13_legacy_wire_flush(SSL * ssl)100 tls13_legacy_wire_flush(SSL *ssl)
101 {
102 if (BIO_flush(ssl->wbio) <= 0) {
103 if (BIO_should_write(ssl->wbio))
104 return TLS13_IO_WANT_POLLOUT;
105
106 if (ERR_peek_error() == 0 && errno != 0)
107 SYSerror(errno);
108
109 return TLS13_IO_FAILURE;
110 }
111
112 return TLS13_IO_SUCCESS;
113 }
114
115 ssize_t
tls13_legacy_wire_flush_cb(void * arg)116 tls13_legacy_wire_flush_cb(void *arg)
117 {
118 struct tls13_ctx *ctx = arg;
119
120 return tls13_legacy_wire_flush(ctx->ssl);
121 }
122
123 static void
tls13_legacy_error(SSL * ssl)124 tls13_legacy_error(SSL *ssl)
125 {
126 struct tls13_ctx *ctx = ssl->internal->tls13;
127 int reason = SSL_R_UNKNOWN;
128
129 /* If we received a fatal alert we already put an error on the stack. */
130 if (ssl->s3->fatal_alert != 0)
131 return;
132
133 switch (ctx->error.code) {
134 case TLS13_ERR_VERIFY_FAILED:
135 reason = SSL_R_CERTIFICATE_VERIFY_FAILED;
136 break;
137 case TLS13_ERR_HRR_FAILED:
138 reason = SSL_R_NO_CIPHERS_AVAILABLE;
139 break;
140 case TLS13_ERR_TRAILING_DATA:
141 reason = SSL_R_EXTRA_DATA_IN_MESSAGE;
142 break;
143 case TLS13_ERR_NO_SHARED_CIPHER:
144 reason = SSL_R_NO_SHARED_CIPHER;
145 break;
146 case TLS13_ERR_NO_CERTIFICATE:
147 reason = SSL_R_MISSING_RSA_CERTIFICATE; /* XXX */
148 break;
149 case TLS13_ERR_NO_PEER_CERTIFICATE:
150 reason = SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE;
151 break;
152 }
153
154 /* Something (probably libcrypto) already pushed an error on the stack. */
155 if (reason == SSL_R_UNKNOWN && ERR_peek_error() != 0)
156 return;
157
158 ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file,
159 ctx->error.line);
160 }
161
162 int
tls13_legacy_return_code(SSL * ssl,ssize_t ret)163 tls13_legacy_return_code(SSL *ssl, ssize_t ret)
164 {
165 if (ret > INT_MAX) {
166 SSLerror(ssl, ERR_R_INTERNAL_ERROR);
167 return -1;
168 }
169
170 /* A successful read, write or other operation. */
171 if (ret > 0)
172 return ret;
173
174 ssl->internal->rwstate = SSL_NOTHING;
175
176 switch (ret) {
177 case TLS13_IO_EOF:
178 return 0;
179
180 case TLS13_IO_FAILURE:
181 tls13_legacy_error(ssl);
182 return -1;
183
184 case TLS13_IO_ALERT:
185 tls13_legacy_error(ssl);
186 return -1;
187
188 case TLS13_IO_WANT_POLLIN:
189 BIO_set_retry_read(ssl->rbio);
190 ssl->internal->rwstate = SSL_READING;
191 return -1;
192
193 case TLS13_IO_WANT_POLLOUT:
194 BIO_set_retry_write(ssl->wbio);
195 ssl->internal->rwstate = SSL_WRITING;
196 return -1;
197
198 case TLS13_IO_WANT_RETRY:
199 SSLerror(ssl, ERR_R_INTERNAL_ERROR);
200 return -1;
201 }
202
203 SSLerror(ssl, ERR_R_INTERNAL_ERROR);
204 return -1;
205 }
206
207 int
tls13_legacy_pending(const SSL * ssl)208 tls13_legacy_pending(const SSL *ssl)
209 {
210 struct tls13_ctx *ctx = ssl->internal->tls13;
211 ssize_t ret;
212
213 if (ctx == NULL)
214 return 0;
215
216 ret = tls13_pending_application_data(ctx->rl);
217 if (ret < 0 || ret > INT_MAX)
218 return 0;
219
220 return ret;
221 }
222
223 int
tls13_legacy_read_bytes(SSL * ssl,int type,unsigned char * buf,int len,int peek)224 tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int peek)
225 {
226 struct tls13_ctx *ctx = ssl->internal->tls13;
227 ssize_t ret;
228
229 if (ctx == NULL || !ctx->handshake_completed) {
230 if ((ret = ssl->internal->handshake_func(ssl)) <= 0)
231 return ret;
232 if (len == 0)
233 return 0;
234 return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLIN);
235 }
236
237 tls13_record_layer_set_retry_after_phh(ctx->rl,
238 (ctx->ssl->internal->mode & SSL_MODE_AUTO_RETRY) != 0);
239
240 if (type != SSL3_RT_APPLICATION_DATA) {
241 SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
242 return -1;
243 }
244 if (len < 0) {
245 SSLerror(ssl, SSL_R_BAD_LENGTH);
246 return -1;
247 }
248
249 if (peek)
250 ret = tls13_peek_application_data(ctx->rl, buf, len);
251 else
252 ret = tls13_read_application_data(ctx->rl, buf, len);
253
254 return tls13_legacy_return_code(ssl, ret);
255 }
256
257 int
tls13_legacy_write_bytes(SSL * ssl,int type,const void * vbuf,int len)258 tls13_legacy_write_bytes(SSL *ssl, int type, const void *vbuf, int len)
259 {
260 struct tls13_ctx *ctx = ssl->internal->tls13;
261 const uint8_t *buf = vbuf;
262 size_t n, sent;
263 ssize_t ret;
264
265 if (ctx == NULL || !ctx->handshake_completed) {
266 if ((ret = ssl->internal->handshake_func(ssl)) <= 0)
267 return ret;
268 if (len == 0)
269 return 0;
270 return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLOUT);
271 }
272
273 if (type != SSL3_RT_APPLICATION_DATA) {
274 SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
275 return -1;
276 }
277 if (len < 0) {
278 SSLerror(ssl, SSL_R_BAD_LENGTH);
279 return -1;
280 }
281
282 /*
283 * The TLSv1.3 record layer write behaviour is the same as
284 * SSL_MODE_ENABLE_PARTIAL_WRITE.
285 */
286 if (ssl->internal->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) {
287 ret = tls13_write_application_data(ctx->rl, buf, len);
288 return tls13_legacy_return_code(ssl, ret);
289 }
290
291 /*
292 * In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until
293 * we have written out all of the requested data.
294 */
295 sent = ssl->s3->wnum;
296 if (len < sent) {
297 SSLerror(ssl, SSL_R_BAD_LENGTH);
298 return -1;
299 }
300 n = len - sent;
301 for (;;) {
302 if (n == 0) {
303 ssl->s3->wnum = 0;
304 return sent;
305 }
306 if ((ret = tls13_write_application_data(ctx->rl,
307 &buf[sent], n)) <= 0) {
308 ssl->s3->wnum = sent;
309 return tls13_legacy_return_code(ssl, ret);
310 }
311 sent += ret;
312 n -= ret;
313 }
314 }
315
316 static int
tls13_use_legacy_stack(struct tls13_ctx * ctx)317 tls13_use_legacy_stack(struct tls13_ctx *ctx)
318 {
319 SSL *s = ctx->ssl;
320 CBB cbb, fragment;
321 CBS cbs;
322
323 memset(&cbb, 0, sizeof(cbb));
324
325 s->method = tls_legacy_method();
326
327 if (!ssl3_setup_init_buffer(s))
328 goto err;
329 if (!ssl3_setup_buffers(s))
330 goto err;
331 if (!ssl_init_wbio_buffer(s, 1))
332 goto err;
333
334 /* Stash any unprocessed data from the last record. */
335 tls13_record_layer_rcontent(ctx->rl, &cbs);
336 if (CBS_len(&cbs) > 0) {
337 if (!CBB_init_fixed(&cbb, s->s3->rbuf.buf,
338 s->s3->rbuf.len))
339 goto err;
340 if (!CBB_add_u8(&cbb, SSL3_RT_HANDSHAKE))
341 goto err;
342 if (!CBB_add_u16(&cbb, TLS1_2_VERSION))
343 goto err;
344 if (!CBB_add_u16_length_prefixed(&cbb, &fragment))
345 goto err;
346 if (!CBB_add_bytes(&fragment, CBS_data(&cbs), CBS_len(&cbs)))
347 goto err;
348 if (!CBB_finish(&cbb, NULL, NULL))
349 goto err;
350
351 s->s3->rbuf.offset = SSL3_RT_HEADER_LENGTH;
352 s->s3->rbuf.left = CBS_len(&cbs);
353 s->s3->rrec.type = SSL3_RT_HANDSHAKE;
354 s->s3->rrec.length = CBS_len(&cbs);
355 s->internal->rstate = SSL_ST_READ_BODY;
356 s->internal->packet = s->s3->rbuf.buf;
357 s->internal->packet_length = SSL3_RT_HEADER_LENGTH;
358 s->internal->mac_packet = 1;
359 }
360
361 /* Stash the current handshake message. */
362 tls13_handshake_msg_data(ctx->hs_msg, &cbs);
363 if (!BUF_MEM_grow_clean(s->internal->init_buf, CBS_len(&cbs)))
364 goto err;
365 if (!CBS_write_bytes(&cbs, s->internal->init_buf->data,
366 s->internal->init_buf->length, NULL))
367 goto err;
368
369 s->s3->hs.tls12.reuse_message = 1;
370 s->s3->hs.tls12.message_type = tls13_handshake_msg_type(ctx->hs_msg);
371 s->s3->hs.tls12.message_size = CBS_len(&cbs) - SSL3_HM_HEADER_LENGTH;
372
373 return 1;
374
375 err:
376 CBB_cleanup(&cbb);
377
378 return 0;
379 }
380
381 int
tls13_use_legacy_client(struct tls13_ctx * ctx)382 tls13_use_legacy_client(struct tls13_ctx *ctx)
383 {
384 SSL *s = ctx->ssl;
385
386 if (!tls13_use_legacy_stack(ctx))
387 return 0;
388
389 s->internal->handshake_func = s->method->ssl_connect;
390 s->version = s->method->max_tls_version;
391
392 return 1;
393 }
394
395 int
tls13_use_legacy_server(struct tls13_ctx * ctx)396 tls13_use_legacy_server(struct tls13_ctx *ctx)
397 {
398 SSL *s = ctx->ssl;
399
400 if (!tls13_use_legacy_stack(ctx))
401 return 0;
402
403 s->internal->handshake_func = s->method->ssl_accept;
404 s->version = s->method->max_tls_version;
405 s->server = 1;
406
407 return 1;
408 }
409
410 int
tls13_legacy_accept(SSL * ssl)411 tls13_legacy_accept(SSL *ssl)
412 {
413 struct tls13_ctx *ctx = ssl->internal->tls13;
414 int ret;
415
416 if (ctx == NULL) {
417 if ((ctx = tls13_ctx_new(TLS13_HS_SERVER, ssl)) == NULL) {
418 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
419 return -1;
420 }
421 if (!tls13_server_init(ctx)) {
422 if (ERR_peek_error() == 0)
423 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
424 return -1;
425 }
426 }
427
428 ERR_clear_error();
429
430 ret = tls13_server_accept(ctx);
431 if (ret == TLS13_IO_USE_LEGACY)
432 return ssl->method->ssl_accept(ssl);
433
434 ret = tls13_legacy_return_code(ssl, ret);
435
436 if (ctx->info_cb != NULL)
437 ctx->info_cb(ctx, TLS13_INFO_ACCEPT_EXIT, ret);
438
439 return ret;
440 }
441
442 int
tls13_legacy_connect(SSL * ssl)443 tls13_legacy_connect(SSL *ssl)
444 {
445 struct tls13_ctx *ctx = ssl->internal->tls13;
446 int ret;
447
448 if (ctx == NULL) {
449 if ((ctx = tls13_ctx_new(TLS13_HS_CLIENT, ssl)) == NULL) {
450 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
451 return -1;
452 }
453 if (!tls13_client_init(ctx)) {
454 if (ERR_peek_error() == 0)
455 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
456 return -1;
457 }
458 }
459
460 ERR_clear_error();
461
462 ret = tls13_client_connect(ctx);
463 if (ret == TLS13_IO_USE_LEGACY)
464 return ssl->method->ssl_connect(ssl);
465
466 ret = tls13_legacy_return_code(ssl, ret);
467
468 if (ctx->info_cb != NULL)
469 ctx->info_cb(ctx, TLS13_INFO_CONNECT_EXIT, ret);
470
471 return ret;
472 }
473
474 int
tls13_legacy_shutdown(SSL * ssl)475 tls13_legacy_shutdown(SSL *ssl)
476 {
477 struct tls13_ctx *ctx = ssl->internal->tls13;
478 uint8_t buf[512]; /* XXX */
479 ssize_t ret;
480
481 /*
482 * We need to return 0 at the point that we have completed sending a
483 * close-notify. We return 1 when we have sent and received close-notify
484 * alerts. All other cases, including EOF, return -1 and set internal
485 * state appropriately.
486 */
487 if (ctx == NULL || ssl->internal->quiet_shutdown) {
488 ssl->internal->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN;
489 return 1;
490 }
491
492 if (!ctx->close_notify_sent) {
493 /* Enqueue and send close notify. */
494 if (!(ssl->internal->shutdown & SSL_SENT_SHUTDOWN)) {
495 ssl->internal->shutdown |= SSL_SENT_SHUTDOWN;
496 if ((ret = tls13_send_alert(ctx->rl,
497 TLS13_ALERT_CLOSE_NOTIFY)) < 0)
498 return tls13_legacy_return_code(ssl, ret);
499 }
500 ret = tls13_record_layer_send_pending(ctx->rl);
501 if (ret == TLS13_IO_EOF)
502 return -1;
503 if (ret != TLS13_IO_SUCCESS)
504 return tls13_legacy_return_code(ssl, ret);
505 } else if (!ctx->close_notify_recv) {
506 /*
507 * If there is no application data pending, attempt to read more
508 * data in order to receive a close-notify. This should trigger
509 * a record to be read from the wire, which may be application
510 * handshake or alert data. Only one attempt is made to match
511 * previous semantics.
512 */
513 if (tls13_pending_application_data(ctx->rl) == 0) {
514 if ((ret = tls13_read_application_data(ctx->rl, buf,
515 sizeof(buf))) < 0)
516 return tls13_legacy_return_code(ssl, ret);
517 if (!ctx->close_notify_recv)
518 return -1;
519 }
520 }
521
522 if (ctx->close_notify_recv)
523 return 1;
524
525 return 0;
526 }
527
528 int
tls13_legacy_servername_process(struct tls13_ctx * ctx,uint8_t * alert)529 tls13_legacy_servername_process(struct tls13_ctx *ctx, uint8_t *alert)
530 {
531 int legacy_alert = SSL_AD_UNRECOGNIZED_NAME;
532 int ret = SSL_TLSEXT_ERR_NOACK;
533 SSL_CTX *ssl_ctx = ctx->ssl->ctx;
534 SSL *s = ctx->ssl;
535
536 if (ssl_ctx->internal->tlsext_servername_callback == NULL)
537 ssl_ctx = s->initial_ctx;
538 if (ssl_ctx->internal->tlsext_servername_callback == NULL)
539 return 1;
540
541 ret = ssl_ctx->internal->tlsext_servername_callback(s, &legacy_alert,
542 ssl_ctx->internal->tlsext_servername_arg);
543
544 /*
545 * Ignore SSL_TLSEXT_ERR_ALERT_WARNING returns to match OpenSSL's
546 * behavior: the only warning alerts in TLSv1.3 are close_notify and
547 * user_canceled, neither of which should be returned by the callback.
548 */
549 if (ret == SSL_TLSEXT_ERR_ALERT_FATAL) {
550 if (legacy_alert >= 0 && legacy_alert <= 255)
551 *alert = legacy_alert;
552 return 0;
553 }
554
555 return 1;
556 }
557