xref: /openbsd-src/lib/libssl/tls13_legacy.c (revision 24bb5fcea3ed904bc467217bdaadb5dfc618d5bf) 
1 /*	$OpenBSD: tls13_legacy.c,v 1.26 2021/07/01 17:53:39 jsing Exp $ */
2 /*
3  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4  *
5  * Permission to use, copy, modify, and distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 
18 #include <limits.h>
19 
20 #include "ssl_locl.h"
21 #include "tls13_internal.h"
22 
23 static ssize_t
24 tls13_legacy_wire_read(SSL *ssl, uint8_t *buf, size_t len)
25 {
26 	int n;
27 
28 	if (ssl->rbio == NULL) {
29 		SSLerror(ssl, SSL_R_BIO_NOT_SET);
30 		return TLS13_IO_FAILURE;
31 	}
32 
33 	ssl->internal->rwstate = SSL_READING;
34 	errno = 0;
35 
36 	if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) {
37 		if (BIO_should_read(ssl->rbio))
38 			return TLS13_IO_WANT_POLLIN;
39 		if (n == 0)
40 			return TLS13_IO_EOF;
41 
42 		if (ERR_peek_error() == 0 && errno != 0)
43 			SYSerror(errno);
44 
45 		return TLS13_IO_FAILURE;
46 	}
47 
48 	if (n == len)
49 		ssl->internal->rwstate = SSL_NOTHING;
50 
51 	return n;
52 }
53 
54 ssize_t
55 tls13_legacy_wire_read_cb(void *buf, size_t n, void *arg)
56 {
57 	struct tls13_ctx *ctx = arg;
58 
59 	return tls13_legacy_wire_read(ctx->ssl, buf, n);
60 }
61 
62 static ssize_t
63 tls13_legacy_wire_write(SSL *ssl, const uint8_t *buf, size_t len)
64 {
65 	int n;
66 
67 	if (ssl->wbio == NULL) {
68 		SSLerror(ssl, SSL_R_BIO_NOT_SET);
69 		return TLS13_IO_FAILURE;
70 	}
71 
72 	ssl->internal->rwstate = SSL_WRITING;
73 	errno = 0;
74 
75 	if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) {
76 		if (BIO_should_write(ssl->wbio))
77 			return TLS13_IO_WANT_POLLOUT;
78 
79 		if (ERR_peek_error() == 0 && errno != 0)
80 			SYSerror(errno);
81 
82 		return TLS13_IO_FAILURE;
83 	}
84 
85 	if (n == len)
86 		ssl->internal->rwstate = SSL_NOTHING;
87 
88 	return n;
89 }
90 
91 ssize_t
92 tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg)
93 {
94 	struct tls13_ctx *ctx = arg;
95 
96 	return tls13_legacy_wire_write(ctx->ssl, buf, n);
97 }
98 
99 static void
100 tls13_legacy_error(SSL *ssl)
101 {
102 	struct tls13_ctx *ctx = ssl->internal->tls13;
103 	int reason = SSL_R_UNKNOWN;
104 
105 	/* If we received a fatal alert we already put an error on the stack. */
106 	if (S3I(ssl)->fatal_alert != 0)
107 		return;
108 
109 	switch (ctx->error.code) {
110 	case TLS13_ERR_VERIFY_FAILED:
111 		reason = SSL_R_CERTIFICATE_VERIFY_FAILED;
112 		break;
113 	case TLS13_ERR_HRR_FAILED:
114 		reason = SSL_R_NO_CIPHERS_AVAILABLE;
115 		break;
116 	case TLS13_ERR_TRAILING_DATA:
117 		reason = SSL_R_EXTRA_DATA_IN_MESSAGE;
118 		break;
119 	case TLS13_ERR_NO_SHARED_CIPHER:
120 		reason = SSL_R_NO_SHARED_CIPHER;
121 		break;
122 	case TLS13_ERR_NO_CERTIFICATE:
123 		reason = SSL_R_MISSING_RSA_CERTIFICATE; /* XXX */
124 		break;
125 	case TLS13_ERR_NO_PEER_CERTIFICATE:
126 		reason = SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE;
127 		break;
128 	}
129 
130 	/* Something (probably libcrypto) already pushed an error on the stack. */
131 	if (reason == SSL_R_UNKNOWN && ERR_peek_error() != 0)
132 		return;
133 
134 	ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file,
135 	    ctx->error.line);
136 }
137 
138 int
139 tls13_legacy_return_code(SSL *ssl, ssize_t ret)
140 {
141 	if (ret > INT_MAX) {
142 		SSLerror(ssl, ERR_R_INTERNAL_ERROR);
143 		return -1;
144 	}
145 
146 	/* A successful read, write or other operation. */
147 	if (ret > 0)
148 		return ret;
149 
150 	ssl->internal->rwstate = SSL_NOTHING;
151 
152 	switch (ret) {
153 	case TLS13_IO_EOF:
154 		return 0;
155 
156 	case TLS13_IO_FAILURE:
157 		tls13_legacy_error(ssl);
158 		return -1;
159 
160 	case TLS13_IO_ALERT:
161 		tls13_legacy_error(ssl);
162 		return -1;
163 
164 	case TLS13_IO_WANT_POLLIN:
165 		BIO_set_retry_read(ssl->rbio);
166 		ssl->internal->rwstate = SSL_READING;
167 		return -1;
168 
169 	case TLS13_IO_WANT_POLLOUT:
170 		BIO_set_retry_write(ssl->wbio);
171 		ssl->internal->rwstate = SSL_WRITING;
172 		return -1;
173 
174 	case TLS13_IO_WANT_RETRY:
175 		SSLerror(ssl, ERR_R_INTERNAL_ERROR);
176 		return -1;
177 	}
178 
179 	SSLerror(ssl, ERR_R_INTERNAL_ERROR);
180 	return -1;
181 }
182 
183 int
184 tls13_legacy_pending(const SSL *ssl)
185 {
186 	struct tls13_ctx *ctx = ssl->internal->tls13;
187 	ssize_t ret;
188 
189 	if (ctx == NULL)
190 		return 0;
191 
192 	ret = tls13_pending_application_data(ctx->rl);
193 	if (ret < 0 || ret > INT_MAX)
194 		return 0;
195 
196 	return ret;
197 }
198 
199 int
200 tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int peek)
201 {
202 	struct tls13_ctx *ctx = ssl->internal->tls13;
203 	ssize_t ret;
204 
205 	if (ctx == NULL || !ctx->handshake_completed) {
206 		if ((ret = ssl->internal->handshake_func(ssl)) <= 0)
207 			return ret;
208 		return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLIN);
209 	}
210 
211 	tls13_record_layer_set_retry_after_phh(ctx->rl,
212 	    (ctx->ssl->internal->mode & SSL_MODE_AUTO_RETRY) != 0);
213 
214 	if (type != SSL3_RT_APPLICATION_DATA) {
215 		SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
216 		return -1;
217 	}
218 	if (len < 0) {
219 		SSLerror(ssl, SSL_R_BAD_LENGTH);
220 		return -1;
221 	}
222 
223 	if (peek)
224 		ret = tls13_peek_application_data(ctx->rl, buf, len);
225 	else
226 		ret = tls13_read_application_data(ctx->rl, buf, len);
227 
228 	return tls13_legacy_return_code(ssl, ret);
229 }
230 
231 int
232 tls13_legacy_write_bytes(SSL *ssl, int type, const void *vbuf, int len)
233 {
234 	struct tls13_ctx *ctx = ssl->internal->tls13;
235 	const uint8_t *buf = vbuf;
236 	size_t n, sent;
237 	ssize_t ret;
238 
239 	if (ctx == NULL || !ctx->handshake_completed) {
240 		if ((ret = ssl->internal->handshake_func(ssl)) <= 0)
241 			return ret;
242 		return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLOUT);
243 	}
244 
245 	if (type != SSL3_RT_APPLICATION_DATA) {
246 		SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
247 		return -1;
248 	}
249 	if (len < 0) {
250 		SSLerror(ssl, SSL_R_BAD_LENGTH);
251 		return -1;
252 	}
253 
254 	/*
255 	 * The TLSv1.3 record layer write behaviour is the same as
256 	 * SSL_MODE_ENABLE_PARTIAL_WRITE.
257 	 */
258 	if (ssl->internal->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) {
259 		ret = tls13_write_application_data(ctx->rl, buf, len);
260 		return tls13_legacy_return_code(ssl, ret);
261 	}
262 
263 	/*
264 	 * In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until
265 	 * we have written out all of the requested data.
266 	 */
267 	sent = S3I(ssl)->wnum;
268 	if (len < sent) {
269 		SSLerror(ssl, SSL_R_BAD_LENGTH);
270 		return -1;
271 	}
272 	n = len - sent;
273 	for (;;) {
274 		if (n == 0) {
275 			S3I(ssl)->wnum = 0;
276 			return sent;
277 		}
278 		if ((ret = tls13_write_application_data(ctx->rl,
279 		    &buf[sent], n)) <= 0) {
280 			S3I(ssl)->wnum = sent;
281 			return tls13_legacy_return_code(ssl, ret);
282 		}
283 		sent += ret;
284 		n -= ret;
285 	}
286 }
287 
288 static int
289 tls13_use_legacy_stack(struct tls13_ctx *ctx)
290 {
291 	SSL *s = ctx->ssl;
292 	CBB cbb, fragment;
293 	CBS cbs;
294 
295 	memset(&cbb, 0, sizeof(cbb));
296 
297 	s->method = tls_legacy_method();
298 
299 	if (!ssl3_setup_init_buffer(s))
300 		goto err;
301 	if (!ssl3_setup_buffers(s))
302 		goto err;
303 	if (!ssl_init_wbio_buffer(s, 1))
304 		goto err;
305 
306 	/* Stash any unprocessed data from the last record. */
307 	tls13_record_layer_rbuf(ctx->rl, &cbs);
308 	if (CBS_len(&cbs) > 0) {
309 		if (!CBB_init_fixed(&cbb, S3I(s)->rbuf.buf,
310 		    S3I(s)->rbuf.len))
311 			goto err;
312 		if (!CBB_add_u8(&cbb, SSL3_RT_HANDSHAKE))
313 			goto err;
314 		if (!CBB_add_u16(&cbb, TLS1_2_VERSION))
315 			goto err;
316 		if (!CBB_add_u16_length_prefixed(&cbb, &fragment))
317 			goto err;
318 		if (!CBB_add_bytes(&fragment, CBS_data(&cbs), CBS_len(&cbs)))
319 			goto err;
320 		if (!CBB_finish(&cbb, NULL, NULL))
321 			goto err;
322 
323 		S3I(s)->rbuf.offset = SSL3_RT_HEADER_LENGTH;
324 		S3I(s)->rbuf.left = CBS_len(&cbs);
325 		S3I(s)->rrec.type = SSL3_RT_HANDSHAKE;
326 		S3I(s)->rrec.length = CBS_len(&cbs);
327 		s->internal->rstate = SSL_ST_READ_BODY;
328 		s->internal->packet = S3I(s)->rbuf.buf;
329 		s->internal->packet_length = SSL3_RT_HEADER_LENGTH;
330 		s->internal->mac_packet = 1;
331 	}
332 
333 	/* Stash the current handshake message. */
334 	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
335 	if (!BUF_MEM_grow_clean(s->internal->init_buf, CBS_len(&cbs)))
336 		goto err;
337 	if (!CBS_write_bytes(&cbs, s->internal->init_buf->data,
338 	    s->internal->init_buf->length, NULL))
339 		goto err;
340 
341 	S3I(s)->hs.tls12.reuse_message = 1;
342 	S3I(s)->hs.tls12.message_type = tls13_handshake_msg_type(ctx->hs_msg);
343 	S3I(s)->hs.tls12.message_size = CBS_len(&cbs);
344 
345 	return 1;
346 
347  err:
348 	CBB_cleanup(&cbb);
349 
350 	return 0;
351 }
352 
353 int
354 tls13_use_legacy_client(struct tls13_ctx *ctx)
355 {
356 	SSL *s = ctx->ssl;
357 
358 	if (!tls13_use_legacy_stack(ctx))
359 		return 0;
360 
361 	s->internal->handshake_func = s->method->ssl_connect;
362 	s->client_version = s->version = s->method->max_tls_version;
363 
364 	return 1;
365 }
366 
367 int
368 tls13_use_legacy_server(struct tls13_ctx *ctx)
369 {
370 	SSL *s = ctx->ssl;
371 
372 	if (!tls13_use_legacy_stack(ctx))
373 		return 0;
374 
375 	s->internal->handshake_func = s->method->ssl_accept;
376 	s->client_version = s->version = s->method->max_tls_version;
377 	s->server = 1;
378 
379 	return 1;
380 }
381 
382 int
383 tls13_legacy_accept(SSL *ssl)
384 {
385 	struct tls13_ctx *ctx = ssl->internal->tls13;
386 	int ret;
387 
388 	if (ctx == NULL) {
389 		if ((ctx = tls13_ctx_new(TLS13_HS_SERVER)) == NULL) {
390 			SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
391 			return -1;
392 		}
393 		ssl->internal->tls13 = ctx;
394 		ctx->ssl = ssl;
395 		ctx->hs = &S3I(ssl)->hs;
396 
397 		if (!tls13_server_init(ctx)) {
398 			if (ERR_peek_error() == 0)
399 				SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
400 			return -1;
401 		}
402 	}
403 
404 	ERR_clear_error();
405 
406 	ret = tls13_server_accept(ctx);
407 	if (ret == TLS13_IO_USE_LEGACY)
408 		return ssl->method->ssl_accept(ssl);
409 
410 	return tls13_legacy_return_code(ssl, ret);
411 }
412 
413 int
414 tls13_legacy_connect(SSL *ssl)
415 {
416 	struct tls13_ctx *ctx = ssl->internal->tls13;
417 	int ret;
418 
419 #ifdef TLS13_USE_LEGACY_CLIENT_AUTH
420 	/* XXX drop back to legacy for client auth for now */
421 	if (ssl->cert->key->privatekey != NULL) {
422 		ssl->method = tls_legacy_client_method();
423 		return ssl->method->ssl_connect(ssl);
424 	}
425 #endif
426 
427 	if (ctx == NULL) {
428 		if ((ctx = tls13_ctx_new(TLS13_HS_CLIENT)) == NULL) {
429 			SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
430 			return -1;
431 		}
432 		ssl->internal->tls13 = ctx;
433 		ctx->ssl = ssl;
434 		ctx->hs = &S3I(ssl)->hs;
435 
436 		if (!tls13_client_init(ctx)) {
437 			if (ERR_peek_error() == 0)
438 				SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
439 			return -1;
440 		}
441 	}
442 
443 	ERR_clear_error();
444 
445 	ret = tls13_client_connect(ctx);
446 	if (ret == TLS13_IO_USE_LEGACY)
447 		return ssl->method->ssl_connect(ssl);
448 
449 	return tls13_legacy_return_code(ssl, ret);
450 }
451 
452 int
453 tls13_legacy_shutdown(SSL *ssl)
454 {
455 	struct tls13_ctx *ctx = ssl->internal->tls13;
456 	uint8_t buf[512]; /* XXX */
457 	ssize_t ret;
458 
459 	/*
460 	 * We need to return 0 when we have sent a close-notify but have not
461 	 * yet received one. We return 1 only once we have sent and received
462 	 * close-notify alerts. All other cases return -1 and set internal
463 	 * state appropriately.
464 	 */
465 	if (ctx == NULL || ssl->internal->quiet_shutdown) {
466 		ssl->internal->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN;
467 		return 1;
468 	}
469 
470 	if (!ctx->close_notify_sent) {
471 		/* Enqueue and send close notify. */
472 		if (!(ssl->internal->shutdown & SSL_SENT_SHUTDOWN)) {
473 			ssl->internal->shutdown |= SSL_SENT_SHUTDOWN;
474 			if ((ret = tls13_send_alert(ctx->rl,
475 			    TLS13_ALERT_CLOSE_NOTIFY)) < 0)
476 				return tls13_legacy_return_code(ssl, ret);
477 		}
478 		if ((ret = tls13_record_layer_send_pending(ctx->rl)) !=
479 		    TLS13_IO_SUCCESS)
480 			return tls13_legacy_return_code(ssl, ret);
481 	} else if (!ctx->close_notify_recv) {
482 		/*
483 		 * If there is no application data pending, attempt to read more
484 		 * data in order to receive a close notify. This should trigger
485 		 * a record to be read from the wire, which may be application
486 		 * handshake or alert data. Only one attempt is made to match
487 		 * previous semantics.
488 		 */
489 		if (tls13_pending_application_data(ctx->rl) == 0) {
490 			if ((ret = tls13_read_application_data(ctx->rl, buf,
491 			    sizeof(buf))) < 0)
492 				return tls13_legacy_return_code(ssl, ret);
493 		}
494 	}
495 
496 	if (ctx->close_notify_recv)
497 		return 1;
498 
499 	return 0;
500 }
501 
502 int
503 tls13_legacy_servername_process(struct tls13_ctx *ctx, uint8_t *alert)
504 {
505 	int legacy_alert = SSL_AD_UNRECOGNIZED_NAME;
506 	int ret = SSL_TLSEXT_ERR_NOACK;
507 	SSL_CTX *ssl_ctx = ctx->ssl->ctx;
508 	SSL *s = ctx->ssl;
509 
510 	if (ssl_ctx->internal->tlsext_servername_callback == NULL)
511 		ssl_ctx = s->initial_ctx;
512 	if (ssl_ctx->internal->tlsext_servername_callback == NULL)
513 		return 1;
514 
515 	ret = ssl_ctx->internal->tlsext_servername_callback(s, &legacy_alert,
516 	    ssl_ctx->internal->tlsext_servername_arg);
517 
518 	if (ret == SSL_TLSEXT_ERR_ALERT_FATAL ||
519 	    ret == SSL_TLSEXT_ERR_ALERT_WARNING) {
520 		if (legacy_alert >= 0 && legacy_alert <= 255)
521 			*alert = legacy_alert;
522 		return 0;
523 	}
524 
525 	return 1;
526 }
527