1 /* $OpenBSD: tls13_legacy.c,v 1.9 2020/06/24 18:04:33 jsing Exp $ */ 2 /* 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <limits.h> 19 20 #include "ssl_locl.h" 21 #include "tls13_internal.h" 22 23 SSL3_ENC_METHOD TLSv1_3_enc_data = { 24 .enc_flags = SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_TLS1_3_CIPHERS, 25 }; 26 27 static ssize_t 28 tls13_legacy_wire_read(SSL *ssl, uint8_t *buf, size_t len) 29 { 30 int n; 31 32 if (ssl->rbio == NULL) { 33 SSLerror(ssl, SSL_R_BIO_NOT_SET); 34 return TLS13_IO_FAILURE; 35 } 36 37 ssl->internal->rwstate = SSL_READING; 38 39 if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) { 40 if (BIO_should_read(ssl->rbio)) 41 return TLS13_IO_WANT_POLLIN; 42 if (BIO_should_write(ssl->rbio)) 43 return TLS13_IO_WANT_POLLOUT; 44 if (n == 0) 45 return TLS13_IO_EOF; 46 47 return TLS13_IO_FAILURE; 48 } 49 50 if (n == len) 51 ssl->internal->rwstate = SSL_NOTHING; 52 53 return n; 54 } 55 56 ssize_t 57 tls13_legacy_wire_read_cb(void *buf, size_t n, void *arg) 58 { 59 struct tls13_ctx *ctx = arg; 60 61 return tls13_legacy_wire_read(ctx->ssl, buf, n); 62 } 63 64 static ssize_t 65 tls13_legacy_wire_write(SSL *ssl, const uint8_t *buf, size_t len) 66 { 67 int n; 68 69 if (ssl->wbio == NULL) { 70 SSLerror(ssl, SSL_R_BIO_NOT_SET); 71 return TLS13_IO_FAILURE; 72 } 73 74 ssl->internal->rwstate = SSL_WRITING; 75 76 if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) { 77 if (BIO_should_read(ssl->wbio)) 78 return TLS13_IO_WANT_POLLIN; 79 if (BIO_should_write(ssl->wbio)) 80 return TLS13_IO_WANT_POLLOUT; 81 82 return TLS13_IO_FAILURE; 83 } 84 85 if (n == len) 86 ssl->internal->rwstate = SSL_NOTHING; 87 88 return n; 89 } 90 91 ssize_t 92 tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg) 93 { 94 struct tls13_ctx *ctx = arg; 95 96 return tls13_legacy_wire_write(ctx->ssl, buf, n); 97 } 98 99 static void 100 tls13_legacy_error(SSL *ssl) 101 { 102 struct tls13_ctx *ctx = ssl->internal->tls13; 103 int reason = SSL_R_UNKNOWN; 104 105 /* If we received a fatal alert we already put an error on the stack. */ 106 if (S3I(ssl)->fatal_alert != 0) 107 return; 108 109 switch (ctx->error.code) { 110 case TLS13_ERR_VERIFY_FAILED: 111 reason = SSL_R_CERTIFICATE_VERIFY_FAILED; 112 break; 113 case TLS13_ERR_HRR_FAILED: 114 reason = SSL_R_NO_CIPHERS_AVAILABLE; 115 break; 116 case TLS13_ERR_TRAILING_DATA: 117 reason = SSL_R_EXTRA_DATA_IN_MESSAGE; 118 break; 119 case TLS13_ERR_NO_SHARED_CIPHER: 120 reason = SSL_R_NO_SHARED_CIPHER; 121 break; 122 case TLS13_ERR_NO_CERTIFICATE: 123 reason = SSL_R_MISSING_RSA_CERTIFICATE; /* XXX */ 124 break; 125 case TLS13_ERR_NO_PEER_CERTIFICATE: 126 reason = SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE; 127 break; 128 } 129 130 /* Something (probably libcrypto) already pushed an error on the stack. */ 131 if (reason == SSL_R_UNKNOWN && ERR_peek_error() != 0) 132 return; 133 134 ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file, 135 ctx->error.line); 136 } 137 138 int 139 tls13_legacy_return_code(SSL *ssl, ssize_t ret) 140 { 141 if (ret > INT_MAX) { 142 SSLerror(ssl, ERR_R_INTERNAL_ERROR); 143 return -1; 144 } 145 146 /* A successful read, write or other operation. */ 147 if (ret > 0) 148 return ret; 149 150 ssl->internal->rwstate = SSL_NOTHING; 151 152 switch (ret) { 153 case TLS13_IO_EOF: 154 return 0; 155 156 case TLS13_IO_FAILURE: 157 tls13_legacy_error(ssl); 158 return -1; 159 160 case TLS13_IO_ALERT: 161 tls13_legacy_error(ssl); 162 return -1; 163 164 case TLS13_IO_WANT_POLLIN: 165 BIO_set_retry_read(ssl->rbio); 166 ssl->internal->rwstate = SSL_READING; 167 return -1; 168 169 case TLS13_IO_WANT_POLLOUT: 170 BIO_set_retry_write(ssl->wbio); 171 ssl->internal->rwstate = SSL_WRITING; 172 return -1; 173 174 case TLS13_IO_WANT_RETRY: 175 SSLerror(ssl, ERR_R_INTERNAL_ERROR); 176 return -1; 177 } 178 179 SSLerror(ssl, ERR_R_INTERNAL_ERROR); 180 return -1; 181 } 182 183 int 184 tls13_legacy_pending(const SSL *ssl) 185 { 186 struct tls13_ctx *ctx = ssl->internal->tls13; 187 ssize_t ret; 188 189 if (ctx == NULL) 190 return 0; 191 192 ret = tls13_pending_application_data(ctx->rl); 193 if (ret < 0 || ret > INT_MAX) 194 return 0; 195 196 return ret; 197 } 198 199 int 200 tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int peek) 201 { 202 struct tls13_ctx *ctx = ssl->internal->tls13; 203 ssize_t ret; 204 205 if (ctx == NULL || !ctx->handshake_completed) { 206 if ((ret = ssl->internal->handshake_func(ssl)) <= 0) 207 return ret; 208 return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLIN); 209 } 210 211 if (type != SSL3_RT_APPLICATION_DATA) { 212 SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 213 return -1; 214 } 215 if (len < 0) { 216 SSLerror(ssl, SSL_R_BAD_LENGTH); 217 return -1; 218 } 219 220 if (peek) 221 ret = tls13_peek_application_data(ctx->rl, buf, len); 222 else 223 ret = tls13_read_application_data(ctx->rl, buf, len); 224 225 return tls13_legacy_return_code(ssl, ret); 226 } 227 228 int 229 tls13_legacy_write_bytes(SSL *ssl, int type, const void *vbuf, int len) 230 { 231 struct tls13_ctx *ctx = ssl->internal->tls13; 232 const uint8_t *buf = vbuf; 233 size_t n, sent; 234 ssize_t ret; 235 236 if (ctx == NULL || !ctx->handshake_completed) { 237 if ((ret = ssl->internal->handshake_func(ssl)) <= 0) 238 return ret; 239 return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLOUT); 240 } 241 242 if (type != SSL3_RT_APPLICATION_DATA) { 243 SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 244 return -1; 245 } 246 if (len < 0) { 247 SSLerror(ssl, SSL_R_BAD_LENGTH); 248 return -1; 249 } 250 251 /* 252 * The TLSv1.3 record layer write behaviour is the same as 253 * SSL_MODE_ENABLE_PARTIAL_WRITE. 254 */ 255 if (ssl->internal->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) { 256 ret = tls13_write_application_data(ctx->rl, buf, len); 257 return tls13_legacy_return_code(ssl, ret); 258 } 259 260 /* 261 * In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until 262 * we have written out all of the requested data. 263 */ 264 sent = S3I(ssl)->wnum; 265 if (len < sent) { 266 SSLerror(ssl, SSL_R_BAD_LENGTH); 267 return -1; 268 } 269 n = len - sent; 270 for (;;) { 271 if (n == 0) { 272 S3I(ssl)->wnum = 0; 273 return sent; 274 } 275 if ((ret = tls13_write_application_data(ctx->rl, 276 &buf[sent], n)) <= 0) { 277 S3I(ssl)->wnum = sent; 278 return tls13_legacy_return_code(ssl, ret); 279 } 280 sent += ret; 281 n -= ret; 282 } 283 } 284 285 int 286 tls13_use_legacy_client(struct tls13_ctx *ctx) 287 { 288 SSL *s = ctx->ssl; 289 CBS cbs; 290 291 s->method = tls_legacy_client_method(); 292 s->internal->handshake_func = s->method->internal->ssl_connect; 293 s->client_version = s->version = s->method->internal->max_version; 294 295 if (!ssl3_setup_init_buffer(s)) 296 goto err; 297 if (!ssl3_setup_buffers(s)) 298 goto err; 299 if (!ssl_init_wbio_buffer(s, 0)) 300 goto err; 301 302 if (s->bbio != s->wbio) 303 s->wbio = BIO_push(s->bbio, s->wbio); 304 305 /* Stash any unprocessed data from the last record. */ 306 tls13_record_layer_rbuf(ctx->rl, &cbs); 307 if (CBS_len(&cbs) > 0) { 308 if (!CBS_write_bytes(&cbs, 309 S3I(s)->rbuf.buf + SSL3_RT_HEADER_LENGTH, 310 S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH, NULL)) 311 goto err; 312 313 S3I(s)->rbuf.offset = SSL3_RT_HEADER_LENGTH; 314 S3I(s)->rbuf.left = CBS_len(&cbs); 315 S3I(s)->rrec.type = SSL3_RT_HANDSHAKE; 316 S3I(s)->rrec.length = CBS_len(&cbs); 317 s->internal->rstate = SSL_ST_READ_BODY; 318 s->internal->packet = S3I(s)->rbuf.buf; 319 s->internal->packet_length = SSL3_RT_HEADER_LENGTH; 320 s->internal->mac_packet = 1; 321 } 322 323 /* Stash the current handshake message. */ 324 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 325 if (!CBS_write_bytes(&cbs, s->internal->init_buf->data, 326 s->internal->init_buf->length, NULL)) 327 goto err; 328 329 S3I(s)->tmp.reuse_message = 1; 330 S3I(s)->tmp.message_type = tls13_handshake_msg_type(ctx->hs_msg); 331 S3I(s)->tmp.message_size = CBS_len(&cbs); 332 333 S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A; 334 335 return 1; 336 337 err: 338 return 0; 339 } 340 341 int 342 tls13_use_legacy_server(struct tls13_ctx *ctx) 343 { 344 SSL *s = ctx->ssl; 345 CBS cbs; 346 347 s->method = tls_legacy_server_method(); 348 s->internal->handshake_func = s->method->internal->ssl_accept; 349 s->client_version = s->version = s->method->internal->max_version; 350 s->server = 1; 351 352 if (!ssl3_setup_init_buffer(s)) 353 goto err; 354 if (!ssl3_setup_buffers(s)) 355 goto err; 356 if (!ssl_init_wbio_buffer(s, 0)) 357 goto err; 358 359 if (s->bbio != s->wbio) 360 s->wbio = BIO_push(s->bbio, s->wbio); 361 362 /* Stash any unprocessed data from the last record. */ 363 tls13_record_layer_rbuf(ctx->rl, &cbs); 364 if (CBS_len(&cbs) > 0) { 365 if (!CBS_write_bytes(&cbs, 366 S3I(s)->rbuf.buf + SSL3_RT_HEADER_LENGTH, 367 S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH, NULL)) 368 goto err; 369 370 S3I(s)->rbuf.offset = SSL3_RT_HEADER_LENGTH; 371 S3I(s)->rbuf.left = CBS_len(&cbs); 372 S3I(s)->rrec.type = SSL3_RT_HANDSHAKE; 373 S3I(s)->rrec.length = CBS_len(&cbs); 374 s->internal->rstate = SSL_ST_READ_BODY; 375 s->internal->packet = S3I(s)->rbuf.buf; 376 s->internal->packet_length = SSL3_RT_HEADER_LENGTH; 377 s->internal->mac_packet = 1; 378 } 379 380 /* Stash the current handshake message. */ 381 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 382 if (!CBS_write_bytes(&cbs, s->internal->init_buf->data, 383 s->internal->init_buf->length, NULL)) 384 goto err; 385 386 S3I(s)->tmp.reuse_message = 1; 387 S3I(s)->tmp.message_type = tls13_handshake_msg_type(ctx->hs_msg); 388 S3I(s)->tmp.message_size = CBS_len(&cbs); 389 390 S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A; 391 392 return 1; 393 394 err: 395 return 0; 396 } 397 398 int 399 tls13_legacy_accept(SSL *ssl) 400 { 401 struct tls13_ctx *ctx = ssl->internal->tls13; 402 int ret; 403 404 if (ctx == NULL) { 405 if ((ctx = tls13_ctx_new(TLS13_HS_SERVER)) == NULL) { 406 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 407 return -1; 408 } 409 ssl->internal->tls13 = ctx; 410 ctx->ssl = ssl; 411 ctx->hs = &S3I(ssl)->hs_tls13; 412 413 if (!tls13_server_init(ctx)) { 414 if (ERR_peek_error() == 0) 415 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 416 return -1; 417 } 418 } 419 420 ERR_clear_error(); 421 S3I(ssl)->hs.state = SSL_ST_ACCEPT; 422 423 ret = tls13_server_accept(ctx); 424 if (ret == TLS13_IO_USE_LEGACY) 425 return ssl->method->internal->ssl_accept(ssl); 426 if (ret == TLS13_IO_SUCCESS) 427 S3I(ssl)->hs.state = SSL_ST_OK; 428 429 return tls13_legacy_return_code(ssl, ret); 430 } 431 432 int 433 tls13_legacy_connect(SSL *ssl) 434 { 435 struct tls13_ctx *ctx = ssl->internal->tls13; 436 int ret; 437 438 #ifdef TLS13_USE_LEGACY_CLIENT_AUTH 439 /* XXX drop back to legacy for client auth for now */ 440 if (ssl->cert->key->privatekey != NULL) { 441 ssl->method = tls_legacy_client_method(); 442 return ssl->method->internal->ssl_connect(ssl); 443 } 444 #endif 445 446 if (ctx == NULL) { 447 if ((ctx = tls13_ctx_new(TLS13_HS_CLIENT)) == NULL) { 448 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 449 return -1; 450 } 451 ssl->internal->tls13 = ctx; 452 ctx->ssl = ssl; 453 ctx->hs = &S3I(ssl)->hs_tls13; 454 455 if (!tls13_client_init(ctx)) { 456 if (ERR_peek_error() == 0) 457 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 458 return -1; 459 } 460 } 461 462 ERR_clear_error(); 463 S3I(ssl)->hs.state = SSL_ST_CONNECT; 464 465 ret = tls13_client_connect(ctx); 466 if (ret == TLS13_IO_USE_LEGACY) 467 return ssl->method->internal->ssl_connect(ssl); 468 if (ret == TLS13_IO_SUCCESS) 469 S3I(ssl)->hs.state = SSL_ST_OK; 470 471 return tls13_legacy_return_code(ssl, ret); 472 } 473 474 int 475 tls13_legacy_shutdown(SSL *ssl) 476 { 477 struct tls13_ctx *ctx = ssl->internal->tls13; 478 uint8_t buf[512]; /* XXX */ 479 ssize_t ret; 480 481 /* 482 * We need to return 0 when we have sent a close-notify but have not 483 * yet received one. We return 1 only once we have sent and received 484 * close-notify alerts. All other cases return -1 and set internal 485 * state appropriately. 486 */ 487 if (ctx == NULL || ssl->internal->quiet_shutdown) { 488 ssl->internal->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN; 489 return 1; 490 } 491 492 if (!ctx->close_notify_sent) { 493 /* Enqueue and send close notify. */ 494 if (!(ssl->internal->shutdown & SSL_SENT_SHUTDOWN)) { 495 ssl->internal->shutdown |= SSL_SENT_SHUTDOWN; 496 if ((ret = tls13_send_alert(ctx->rl, 497 TLS13_ALERT_CLOSE_NOTIFY)) < 0) 498 return tls13_legacy_return_code(ssl, ret); 499 } 500 if ((ret = tls13_record_layer_send_pending(ctx->rl)) != 501 TLS13_IO_SUCCESS) 502 return tls13_legacy_return_code(ssl, ret); 503 } else if (!ctx->close_notify_recv) { 504 /* 505 * If there is no application data pending, attempt to read more 506 * data in order to receive a close notify. This should trigger 507 * a record to be read from the wire, which may be application 508 * handshake or alert data. Only one attempt is made to match 509 * previous semantics. 510 */ 511 if (tls13_pending_application_data(ctx->rl) == 0) { 512 if ((ret = tls13_read_application_data(ctx->rl, buf, 513 sizeof(buf))) < 0) 514 return tls13_legacy_return_code(ssl, ret); 515 } 516 } 517 518 if (ctx->close_notify_recv) 519 return 1; 520 521 return 0; 522 } 523 524 int 525 tls13_legacy_servername_process(struct tls13_ctx *ctx, uint8_t *alert) 526 { 527 int legacy_alert = SSL_AD_UNRECOGNIZED_NAME; 528 int ret = SSL_TLSEXT_ERR_NOACK; 529 SSL_CTX *ssl_ctx = ctx->ssl->ctx; 530 SSL *ssl = ctx->ssl; 531 532 if (ssl_ctx->internal->tlsext_servername_callback == NULL) 533 ssl_ctx = ssl->initial_ctx; 534 if (ssl_ctx->internal->tlsext_servername_callback == NULL) 535 return 1; 536 537 ret = ssl_ctx->internal->tlsext_servername_callback(ssl, &legacy_alert, 538 ssl_ctx->internal->tlsext_servername_arg); 539 540 if (ret == SSL_TLSEXT_ERR_ALERT_FATAL || 541 ret == SSL_TLSEXT_ERR_ALERT_WARNING) { 542 if (legacy_alert >= 0 && legacy_alert <= 255) 543 *alert = legacy_alert; 544 return 0; 545 } 546 547 return 1; 548 } 549