1 /* $OpenBSD: tls13_legacy.c,v 1.12 2020/07/30 16:57:53 jsing Exp $ */ 2 /* 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <limits.h> 19 20 #include "ssl_locl.h" 21 #include "tls13_internal.h" 22 23 SSL3_ENC_METHOD TLSv1_3_enc_data = { 24 .enc_flags = SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_TLS1_3_CIPHERS, 25 }; 26 27 static ssize_t 28 tls13_legacy_wire_read(SSL *ssl, uint8_t *buf, size_t len) 29 { 30 int n; 31 32 if (ssl->rbio == NULL) { 33 SSLerror(ssl, SSL_R_BIO_NOT_SET); 34 return TLS13_IO_FAILURE; 35 } 36 37 ssl->internal->rwstate = SSL_READING; 38 39 if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) { 40 if (BIO_should_read(ssl->rbio)) 41 return TLS13_IO_WANT_POLLIN; 42 if (BIO_should_write(ssl->rbio)) 43 return TLS13_IO_WANT_POLLOUT; 44 if (n == 0) 45 return TLS13_IO_EOF; 46 47 return TLS13_IO_FAILURE; 48 } 49 50 if (n == len) 51 ssl->internal->rwstate = SSL_NOTHING; 52 53 return n; 54 } 55 56 ssize_t 57 tls13_legacy_wire_read_cb(void *buf, size_t n, void *arg) 58 { 59 struct tls13_ctx *ctx = arg; 60 61 return tls13_legacy_wire_read(ctx->ssl, buf, n); 62 } 63 64 static ssize_t 65 tls13_legacy_wire_write(SSL *ssl, const uint8_t *buf, size_t len) 66 { 67 int n; 68 69 if (ssl->wbio == NULL) { 70 SSLerror(ssl, SSL_R_BIO_NOT_SET); 71 return TLS13_IO_FAILURE; 72 } 73 74 ssl->internal->rwstate = SSL_WRITING; 75 76 if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) { 77 if (BIO_should_read(ssl->wbio)) 78 return TLS13_IO_WANT_POLLIN; 79 if (BIO_should_write(ssl->wbio)) 80 return TLS13_IO_WANT_POLLOUT; 81 82 return TLS13_IO_FAILURE; 83 } 84 85 if (n == len) 86 ssl->internal->rwstate = SSL_NOTHING; 87 88 return n; 89 } 90 91 ssize_t 92 tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg) 93 { 94 struct tls13_ctx *ctx = arg; 95 96 return tls13_legacy_wire_write(ctx->ssl, buf, n); 97 } 98 99 static void 100 tls13_legacy_error(SSL *ssl) 101 { 102 struct tls13_ctx *ctx = ssl->internal->tls13; 103 int reason = SSL_R_UNKNOWN; 104 105 /* If we received a fatal alert we already put an error on the stack. */ 106 if (S3I(ssl)->fatal_alert != 0) 107 return; 108 109 switch (ctx->error.code) { 110 case TLS13_ERR_VERIFY_FAILED: 111 reason = SSL_R_CERTIFICATE_VERIFY_FAILED; 112 break; 113 case TLS13_ERR_HRR_FAILED: 114 reason = SSL_R_NO_CIPHERS_AVAILABLE; 115 break; 116 case TLS13_ERR_TRAILING_DATA: 117 reason = SSL_R_EXTRA_DATA_IN_MESSAGE; 118 break; 119 case TLS13_ERR_NO_SHARED_CIPHER: 120 reason = SSL_R_NO_SHARED_CIPHER; 121 break; 122 case TLS13_ERR_NO_CERTIFICATE: 123 reason = SSL_R_MISSING_RSA_CERTIFICATE; /* XXX */ 124 break; 125 case TLS13_ERR_NO_PEER_CERTIFICATE: 126 reason = SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE; 127 break; 128 } 129 130 /* Something (probably libcrypto) already pushed an error on the stack. */ 131 if (reason == SSL_R_UNKNOWN && ERR_peek_error() != 0) 132 return; 133 134 ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file, 135 ctx->error.line); 136 } 137 138 int 139 tls13_legacy_return_code(SSL *ssl, ssize_t ret) 140 { 141 if (ret > INT_MAX) { 142 SSLerror(ssl, ERR_R_INTERNAL_ERROR); 143 return -1; 144 } 145 146 /* A successful read, write or other operation. */ 147 if (ret > 0) 148 return ret; 149 150 ssl->internal->rwstate = SSL_NOTHING; 151 152 switch (ret) { 153 case TLS13_IO_EOF: 154 return 0; 155 156 case TLS13_IO_FAILURE: 157 tls13_legacy_error(ssl); 158 return -1; 159 160 case TLS13_IO_ALERT: 161 tls13_legacy_error(ssl); 162 return -1; 163 164 case TLS13_IO_WANT_POLLIN: 165 BIO_set_retry_read(ssl->rbio); 166 ssl->internal->rwstate = SSL_READING; 167 return -1; 168 169 case TLS13_IO_WANT_POLLOUT: 170 BIO_set_retry_write(ssl->wbio); 171 ssl->internal->rwstate = SSL_WRITING; 172 return -1; 173 174 case TLS13_IO_WANT_RETRY: 175 SSLerror(ssl, ERR_R_INTERNAL_ERROR); 176 return -1; 177 } 178 179 SSLerror(ssl, ERR_R_INTERNAL_ERROR); 180 return -1; 181 } 182 183 int 184 tls13_legacy_pending(const SSL *ssl) 185 { 186 struct tls13_ctx *ctx = ssl->internal->tls13; 187 ssize_t ret; 188 189 if (ctx == NULL) 190 return 0; 191 192 ret = tls13_pending_application_data(ctx->rl); 193 if (ret < 0 || ret > INT_MAX) 194 return 0; 195 196 return ret; 197 } 198 199 int 200 tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int peek) 201 { 202 struct tls13_ctx *ctx = ssl->internal->tls13; 203 ssize_t ret; 204 205 if (ctx == NULL || !ctx->handshake_completed) { 206 if ((ret = ssl->internal->handshake_func(ssl)) <= 0) 207 return ret; 208 return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLIN); 209 } 210 211 tls13_record_layer_set_retry_after_phh(ctx->rl, 212 (ctx->ssl->internal->mode & SSL_MODE_AUTO_RETRY) != 0); 213 214 if (type != SSL3_RT_APPLICATION_DATA) { 215 SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 216 return -1; 217 } 218 if (len < 0) { 219 SSLerror(ssl, SSL_R_BAD_LENGTH); 220 return -1; 221 } 222 223 if (peek) 224 ret = tls13_peek_application_data(ctx->rl, buf, len); 225 else 226 ret = tls13_read_application_data(ctx->rl, buf, len); 227 228 return tls13_legacy_return_code(ssl, ret); 229 } 230 231 int 232 tls13_legacy_write_bytes(SSL *ssl, int type, const void *vbuf, int len) 233 { 234 struct tls13_ctx *ctx = ssl->internal->tls13; 235 const uint8_t *buf = vbuf; 236 size_t n, sent; 237 ssize_t ret; 238 239 if (ctx == NULL || !ctx->handshake_completed) { 240 if ((ret = ssl->internal->handshake_func(ssl)) <= 0) 241 return ret; 242 return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLOUT); 243 } 244 245 if (type != SSL3_RT_APPLICATION_DATA) { 246 SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 247 return -1; 248 } 249 if (len < 0) { 250 SSLerror(ssl, SSL_R_BAD_LENGTH); 251 return -1; 252 } 253 254 /* 255 * The TLSv1.3 record layer write behaviour is the same as 256 * SSL_MODE_ENABLE_PARTIAL_WRITE. 257 */ 258 if (ssl->internal->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) { 259 ret = tls13_write_application_data(ctx->rl, buf, len); 260 return tls13_legacy_return_code(ssl, ret); 261 } 262 263 /* 264 * In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until 265 * we have written out all of the requested data. 266 */ 267 sent = S3I(ssl)->wnum; 268 if (len < sent) { 269 SSLerror(ssl, SSL_R_BAD_LENGTH); 270 return -1; 271 } 272 n = len - sent; 273 for (;;) { 274 if (n == 0) { 275 S3I(ssl)->wnum = 0; 276 return sent; 277 } 278 if ((ret = tls13_write_application_data(ctx->rl, 279 &buf[sent], n)) <= 0) { 280 S3I(ssl)->wnum = sent; 281 return tls13_legacy_return_code(ssl, ret); 282 } 283 sent += ret; 284 n -= ret; 285 } 286 } 287 288 static int 289 tls13_use_legacy_stack(struct tls13_ctx *ctx) 290 { 291 SSL *s = ctx->ssl; 292 CBS cbs; 293 294 if (!ssl3_setup_init_buffer(s)) 295 return 0; 296 if (!ssl3_setup_buffers(s)) 297 return 0; 298 if (!ssl_init_wbio_buffer(s, 1)) 299 return 0; 300 301 /* Stash any unprocessed data from the last record. */ 302 tls13_record_layer_rbuf(ctx->rl, &cbs); 303 if (CBS_len(&cbs) > 0) { 304 if (!CBS_write_bytes(&cbs, 305 S3I(s)->rbuf.buf + SSL3_RT_HEADER_LENGTH, 306 S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH, NULL)) 307 return 0; 308 309 S3I(s)->rbuf.offset = SSL3_RT_HEADER_LENGTH; 310 S3I(s)->rbuf.left = CBS_len(&cbs); 311 S3I(s)->rrec.type = SSL3_RT_HANDSHAKE; 312 S3I(s)->rrec.length = CBS_len(&cbs); 313 s->internal->rstate = SSL_ST_READ_BODY; 314 s->internal->packet = S3I(s)->rbuf.buf; 315 s->internal->packet_length = SSL3_RT_HEADER_LENGTH; 316 s->internal->mac_packet = 1; 317 } 318 319 /* Stash the current handshake message. */ 320 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 321 if (!CBS_write_bytes(&cbs, s->internal->init_buf->data, 322 s->internal->init_buf->length, NULL)) 323 return 0; 324 325 S3I(s)->tmp.reuse_message = 1; 326 S3I(s)->tmp.message_type = tls13_handshake_msg_type(ctx->hs_msg); 327 S3I(s)->tmp.message_size = CBS_len(&cbs); 328 329 return 1; 330 } 331 332 int 333 tls13_use_legacy_client(struct tls13_ctx *ctx) 334 { 335 SSL *s = ctx->ssl; 336 337 s->method = tls_legacy_client_method(); 338 s->internal->handshake_func = s->method->internal->ssl_connect; 339 s->client_version = s->version = s->method->internal->max_version; 340 341 if (!tls13_use_legacy_stack(ctx)) 342 return 0; 343 344 S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A; 345 346 return 1; 347 } 348 349 int 350 tls13_use_legacy_server(struct tls13_ctx *ctx) 351 { 352 SSL *s = ctx->ssl; 353 354 s->method = tls_legacy_server_method(); 355 s->internal->handshake_func = s->method->internal->ssl_accept; 356 s->client_version = s->version = s->method->internal->max_version; 357 s->server = 1; 358 359 if (!tls13_use_legacy_stack(ctx)) 360 return 0; 361 362 S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A; 363 364 return 1; 365 } 366 367 int 368 tls13_legacy_accept(SSL *ssl) 369 { 370 struct tls13_ctx *ctx = ssl->internal->tls13; 371 int ret; 372 373 if (ctx == NULL) { 374 if ((ctx = tls13_ctx_new(TLS13_HS_SERVER)) == NULL) { 375 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 376 return -1; 377 } 378 ssl->internal->tls13 = ctx; 379 ctx->ssl = ssl; 380 ctx->hs = &S3I(ssl)->hs_tls13; 381 382 if (!tls13_server_init(ctx)) { 383 if (ERR_peek_error() == 0) 384 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 385 return -1; 386 } 387 } 388 389 ERR_clear_error(); 390 S3I(ssl)->hs.state = SSL_ST_ACCEPT; 391 392 ret = tls13_server_accept(ctx); 393 if (ret == TLS13_IO_USE_LEGACY) 394 return ssl->method->internal->ssl_accept(ssl); 395 if (ret == TLS13_IO_SUCCESS) 396 S3I(ssl)->hs.state = SSL_ST_OK; 397 398 return tls13_legacy_return_code(ssl, ret); 399 } 400 401 int 402 tls13_legacy_connect(SSL *ssl) 403 { 404 struct tls13_ctx *ctx = ssl->internal->tls13; 405 int ret; 406 407 #ifdef TLS13_USE_LEGACY_CLIENT_AUTH 408 /* XXX drop back to legacy for client auth for now */ 409 if (ssl->cert->key->privatekey != NULL) { 410 ssl->method = tls_legacy_client_method(); 411 return ssl->method->internal->ssl_connect(ssl); 412 } 413 #endif 414 415 if (ctx == NULL) { 416 if ((ctx = tls13_ctx_new(TLS13_HS_CLIENT)) == NULL) { 417 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 418 return -1; 419 } 420 ssl->internal->tls13 = ctx; 421 ctx->ssl = ssl; 422 ctx->hs = &S3I(ssl)->hs_tls13; 423 424 if (!tls13_client_init(ctx)) { 425 if (ERR_peek_error() == 0) 426 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 427 return -1; 428 } 429 } 430 431 ERR_clear_error(); 432 S3I(ssl)->hs.state = SSL_ST_CONNECT; 433 434 ret = tls13_client_connect(ctx); 435 if (ret == TLS13_IO_USE_LEGACY) 436 return ssl->method->internal->ssl_connect(ssl); 437 if (ret == TLS13_IO_SUCCESS) 438 S3I(ssl)->hs.state = SSL_ST_OK; 439 440 return tls13_legacy_return_code(ssl, ret); 441 } 442 443 int 444 tls13_legacy_shutdown(SSL *ssl) 445 { 446 struct tls13_ctx *ctx = ssl->internal->tls13; 447 uint8_t buf[512]; /* XXX */ 448 ssize_t ret; 449 450 /* 451 * We need to return 0 when we have sent a close-notify but have not 452 * yet received one. We return 1 only once we have sent and received 453 * close-notify alerts. All other cases return -1 and set internal 454 * state appropriately. 455 */ 456 if (ctx == NULL || ssl->internal->quiet_shutdown) { 457 ssl->internal->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN; 458 return 1; 459 } 460 461 if (!ctx->close_notify_sent) { 462 /* Enqueue and send close notify. */ 463 if (!(ssl->internal->shutdown & SSL_SENT_SHUTDOWN)) { 464 ssl->internal->shutdown |= SSL_SENT_SHUTDOWN; 465 if ((ret = tls13_send_alert(ctx->rl, 466 TLS13_ALERT_CLOSE_NOTIFY)) < 0) 467 return tls13_legacy_return_code(ssl, ret); 468 } 469 if ((ret = tls13_record_layer_send_pending(ctx->rl)) != 470 TLS13_IO_SUCCESS) 471 return tls13_legacy_return_code(ssl, ret); 472 } else if (!ctx->close_notify_recv) { 473 /* 474 * If there is no application data pending, attempt to read more 475 * data in order to receive a close notify. This should trigger 476 * a record to be read from the wire, which may be application 477 * handshake or alert data. Only one attempt is made to match 478 * previous semantics. 479 */ 480 if (tls13_pending_application_data(ctx->rl) == 0) { 481 if ((ret = tls13_read_application_data(ctx->rl, buf, 482 sizeof(buf))) < 0) 483 return tls13_legacy_return_code(ssl, ret); 484 } 485 } 486 487 if (ctx->close_notify_recv) 488 return 1; 489 490 return 0; 491 } 492 493 int 494 tls13_legacy_servername_process(struct tls13_ctx *ctx, uint8_t *alert) 495 { 496 int legacy_alert = SSL_AD_UNRECOGNIZED_NAME; 497 int ret = SSL_TLSEXT_ERR_NOACK; 498 SSL_CTX *ssl_ctx = ctx->ssl->ctx; 499 SSL *ssl = ctx->ssl; 500 501 if (ssl_ctx->internal->tlsext_servername_callback == NULL) 502 ssl_ctx = ssl->initial_ctx; 503 if (ssl_ctx->internal->tlsext_servername_callback == NULL) 504 return 1; 505 506 ret = ssl_ctx->internal->tlsext_servername_callback(ssl, &legacy_alert, 507 ssl_ctx->internal->tlsext_servername_arg); 508 509 if (ret == SSL_TLSEXT_ERR_ALERT_FATAL || 510 ret == SSL_TLSEXT_ERR_ALERT_WARNING) { 511 if (legacy_alert >= 0 && legacy_alert <= 255) 512 *alert = legacy_alert; 513 return 0; 514 } 515 516 return 1; 517 } 518