1 /* $OpenBSD: tls13_legacy.c,v 1.38 2022/07/17 15:49:20 jsing Exp $ */
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21 #include "tls13_internal.h"
24 tls13_legacy_wire_read(SSL
*ssl
, uint8_t *buf
, size_t len
)
28 if (ssl
->rbio
== NULL
) {
29 SSLerror(ssl
, SSL_R_BIO_NOT_SET
);
30 return TLS13_IO_FAILURE
;
33 ssl
->internal
->rwstate
= SSL_READING
;
36 if ((n
= BIO_read(ssl
->rbio
, buf
, len
)) <= 0) {
37 if (BIO_should_read(ssl
->rbio
))
38 return TLS13_IO_WANT_POLLIN
;
42 if (ERR_peek_error() == 0 && errno
!= 0)
45 return TLS13_IO_FAILURE
;
49 ssl
->internal
->rwstate
= SSL_NOTHING
;
55 tls13_legacy_wire_read_cb(void *buf
, size_t n
, void *arg
)
57 struct tls13_ctx
*ctx
= arg
;
59 return tls13_legacy_wire_read(ctx
->ssl
, buf
, n
);
63 tls13_legacy_wire_write(SSL
*ssl
, const uint8_t *buf
, size_t len
)
67 if (ssl
->wbio
== NULL
) {
68 SSLerror(ssl
, SSL_R_BIO_NOT_SET
);
69 return TLS13_IO_FAILURE
;
72 ssl
->internal
->rwstate
= SSL_WRITING
;
75 if ((n
= BIO_write(ssl
->wbio
, buf
, len
)) <= 0) {
76 if (BIO_should_write(ssl
->wbio
))
77 return TLS13_IO_WANT_POLLOUT
;
79 if (ERR_peek_error() == 0 && errno
!= 0)
82 return TLS13_IO_FAILURE
;
86 ssl
->internal
->rwstate
= SSL_NOTHING
;
92 tls13_legacy_wire_write_cb(const void *buf
, size_t n
, void *arg
)
94 struct tls13_ctx
*ctx
= arg
;
96 return tls13_legacy_wire_write(ctx
->ssl
, buf
, n
);
100 tls13_legacy_wire_flush(SSL
*ssl
)
102 if (BIO_flush(ssl
->wbio
) <= 0) {
103 if (BIO_should_write(ssl
->wbio
))
104 return TLS13_IO_WANT_POLLOUT
;
106 if (ERR_peek_error() == 0 && errno
!= 0)
109 return TLS13_IO_FAILURE
;
112 return TLS13_IO_SUCCESS
;
116 tls13_legacy_wire_flush_cb(void *arg
)
118 struct tls13_ctx
*ctx
= arg
;
120 return tls13_legacy_wire_flush(ctx
->ssl
);
124 tls13_legacy_error(SSL
*ssl
)
126 struct tls13_ctx
*ctx
= ssl
->internal
->tls13
;
127 int reason
= SSL_R_UNKNOWN
;
129 /* If we received a fatal alert we already put an error on the stack. */
130 if (ssl
->s3
->fatal_alert
!= 0)
133 switch (ctx
->error
.code
) {
134 case TLS13_ERR_VERIFY_FAILED
:
135 reason
= SSL_R_CERTIFICATE_VERIFY_FAILED
;
137 case TLS13_ERR_HRR_FAILED
:
138 reason
= SSL_R_NO_CIPHERS_AVAILABLE
;
140 case TLS13_ERR_TRAILING_DATA
:
141 reason
= SSL_R_EXTRA_DATA_IN_MESSAGE
;
143 case TLS13_ERR_NO_SHARED_CIPHER
:
144 reason
= SSL_R_NO_SHARED_CIPHER
;
146 case TLS13_ERR_NO_CERTIFICATE
:
147 reason
= SSL_R_MISSING_RSA_CERTIFICATE
; /* XXX */
149 case TLS13_ERR_NO_PEER_CERTIFICATE
:
150 reason
= SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE
;
154 /* Something (probably libcrypto) already pushed an error on the stack. */
155 if (reason
== SSL_R_UNKNOWN
&& ERR_peek_error() != 0)
158 ERR_put_error(ERR_LIB_SSL
, (0xfff), reason
, ctx
->error
.file
,
163 tls13_legacy_return_code(SSL
*ssl
, ssize_t ret
)
166 SSLerror(ssl
, ERR_R_INTERNAL_ERROR
);
170 /* A successful read, write or other operation. */
174 ssl
->internal
->rwstate
= SSL_NOTHING
;
180 case TLS13_IO_FAILURE
:
181 tls13_legacy_error(ssl
);
185 tls13_legacy_error(ssl
);
188 case TLS13_IO_WANT_POLLIN
:
189 BIO_set_retry_read(ssl
->rbio
);
190 ssl
->internal
->rwstate
= SSL_READING
;
193 case TLS13_IO_WANT_POLLOUT
:
194 BIO_set_retry_write(ssl
->wbio
);
195 ssl
->internal
->rwstate
= SSL_WRITING
;
198 case TLS13_IO_WANT_RETRY
:
199 SSLerror(ssl
, ERR_R_INTERNAL_ERROR
);
203 SSLerror(ssl
, ERR_R_INTERNAL_ERROR
);
208 tls13_legacy_pending(const SSL
*ssl
)
210 struct tls13_ctx
*ctx
= ssl
->internal
->tls13
;
216 ret
= tls13_pending_application_data(ctx
->rl
);
217 if (ret
< 0 || ret
> INT_MAX
)
224 tls13_legacy_read_bytes(SSL
*ssl
, int type
, unsigned char *buf
, int len
, int peek
)
226 struct tls13_ctx
*ctx
= ssl
->internal
->tls13
;
229 if (ctx
== NULL
|| !ctx
->handshake_completed
) {
230 if ((ret
= ssl
->internal
->handshake_func(ssl
)) <= 0)
234 return tls13_legacy_return_code(ssl
, TLS13_IO_WANT_POLLIN
);
237 tls13_record_layer_set_retry_after_phh(ctx
->rl
,
238 (ctx
->ssl
->internal
->mode
& SSL_MODE_AUTO_RETRY
) != 0);
240 if (type
!= SSL3_RT_APPLICATION_DATA
) {
241 SSLerror(ssl
, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
);
245 SSLerror(ssl
, SSL_R_BAD_LENGTH
);
250 ret
= tls13_peek_application_data(ctx
->rl
, buf
, len
);
252 ret
= tls13_read_application_data(ctx
->rl
, buf
, len
);
254 return tls13_legacy_return_code(ssl
, ret
);
258 tls13_legacy_write_bytes(SSL
*ssl
, int type
, const void *vbuf
, int len
)
260 struct tls13_ctx
*ctx
= ssl
->internal
->tls13
;
261 const uint8_t *buf
= vbuf
;
265 if (ctx
== NULL
|| !ctx
->handshake_completed
) {
266 if ((ret
= ssl
->internal
->handshake_func(ssl
)) <= 0)
270 return tls13_legacy_return_code(ssl
, TLS13_IO_WANT_POLLOUT
);
273 if (type
!= SSL3_RT_APPLICATION_DATA
) {
274 SSLerror(ssl
, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
);
278 SSLerror(ssl
, SSL_R_BAD_LENGTH
);
283 * The TLSv1.3 record layer write behaviour is the same as
284 * SSL_MODE_ENABLE_PARTIAL_WRITE.
286 if (ssl
->internal
->mode
& SSL_MODE_ENABLE_PARTIAL_WRITE
) {
287 ret
= tls13_write_application_data(ctx
->rl
, buf
, len
);
288 return tls13_legacy_return_code(ssl
, ret
);
292 * In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until
293 * we have written out all of the requested data.
295 sent
= ssl
->s3
->wnum
;
297 SSLerror(ssl
, SSL_R_BAD_LENGTH
);
306 if ((ret
= tls13_write_application_data(ctx
->rl
,
307 &buf
[sent
], n
)) <= 0) {
308 ssl
->s3
->wnum
= sent
;
309 return tls13_legacy_return_code(ssl
, ret
);
317 tls13_use_legacy_stack(struct tls13_ctx
*ctx
)
323 memset(&cbb
, 0, sizeof(cbb
));
325 s
->method
= tls_legacy_method();
327 if (!ssl3_setup_init_buffer(s
))
329 if (!ssl3_setup_buffers(s
))
331 if (!ssl_init_wbio_buffer(s
, 1))
334 /* Stash any unprocessed data from the last record. */
335 tls13_record_layer_rcontent(ctx
->rl
, &cbs
);
336 if (CBS_len(&cbs
) > 0) {
337 if (!CBB_init_fixed(&cbb
, s
->s3
->rbuf
.buf
,
340 if (!CBB_add_u8(&cbb
, SSL3_RT_HANDSHAKE
))
342 if (!CBB_add_u16(&cbb
, TLS1_2_VERSION
))
344 if (!CBB_add_u16_length_prefixed(&cbb
, &fragment
))
346 if (!CBB_add_bytes(&fragment
, CBS_data(&cbs
), CBS_len(&cbs
)))
348 if (!CBB_finish(&cbb
, NULL
, NULL
))
351 s
->s3
->rbuf
.offset
= SSL3_RT_HEADER_LENGTH
;
352 s
->s3
->rbuf
.left
= CBS_len(&cbs
);
353 s
->s3
->rrec
.type
= SSL3_RT_HANDSHAKE
;
354 s
->s3
->rrec
.length
= CBS_len(&cbs
);
355 s
->internal
->rstate
= SSL_ST_READ_BODY
;
356 s
->internal
->packet
= s
->s3
->rbuf
.buf
;
357 s
->internal
->packet_length
= SSL3_RT_HEADER_LENGTH
;
358 s
->internal
->mac_packet
= 1;
361 /* Stash the current handshake message. */
362 tls13_handshake_msg_data(ctx
->hs_msg
, &cbs
);
363 if (!BUF_MEM_grow_clean(s
->internal
->init_buf
, CBS_len(&cbs
)))
365 if (!CBS_write_bytes(&cbs
, s
->internal
->init_buf
->data
,
366 s
->internal
->init_buf
->length
, NULL
))
369 s
->s3
->hs
.tls12
.reuse_message
= 1;
370 s
->s3
->hs
.tls12
.message_type
= tls13_handshake_msg_type(ctx
->hs_msg
);
371 s
->s3
->hs
.tls12
.message_size
= CBS_len(&cbs
) - SSL3_HM_HEADER_LENGTH
;
382 tls13_use_legacy_client(struct tls13_ctx
*ctx
)
386 if (!tls13_use_legacy_stack(ctx
))
389 s
->internal
->handshake_func
= s
->method
->ssl_connect
;
390 s
->version
= s
->method
->max_tls_version
;
396 tls13_use_legacy_server(struct tls13_ctx
*ctx
)
400 if (!tls13_use_legacy_stack(ctx
))
403 s
->internal
->handshake_func
= s
->method
->ssl_accept
;
404 s
->version
= s
->method
->max_tls_version
;
411 tls13_legacy_accept(SSL
*ssl
)
413 struct tls13_ctx
*ctx
= ssl
->internal
->tls13
;
417 if ((ctx
= tls13_ctx_new(TLS13_HS_SERVER
, ssl
)) == NULL
) {
418 SSLerror(ssl
, ERR_R_INTERNAL_ERROR
); /* XXX */
421 if (!tls13_server_init(ctx
)) {
422 if (ERR_peek_error() == 0)
423 SSLerror(ssl
, ERR_R_INTERNAL_ERROR
); /* XXX */
430 ret
= tls13_server_accept(ctx
);
431 if (ret
== TLS13_IO_USE_LEGACY
)
432 return ssl
->method
->ssl_accept(ssl
);
434 ret
= tls13_legacy_return_code(ssl
, ret
);
436 if (ctx
->info_cb
!= NULL
)
437 ctx
->info_cb(ctx
, TLS13_INFO_ACCEPT_EXIT
, ret
);
443 tls13_legacy_connect(SSL
*ssl
)
445 struct tls13_ctx
*ctx
= ssl
->internal
->tls13
;
449 if ((ctx
= tls13_ctx_new(TLS13_HS_CLIENT
, ssl
)) == NULL
) {
450 SSLerror(ssl
, ERR_R_INTERNAL_ERROR
); /* XXX */
453 if (!tls13_client_init(ctx
)) {
454 if (ERR_peek_error() == 0)
455 SSLerror(ssl
, ERR_R_INTERNAL_ERROR
); /* XXX */
462 ret
= tls13_client_connect(ctx
);
463 if (ret
== TLS13_IO_USE_LEGACY
)
464 return ssl
->method
->ssl_connect(ssl
);
466 ret
= tls13_legacy_return_code(ssl
, ret
);
468 if (ctx
->info_cb
!= NULL
)
469 ctx
->info_cb(ctx
, TLS13_INFO_CONNECT_EXIT
, ret
);
475 tls13_legacy_shutdown(SSL
*ssl
)
477 struct tls13_ctx
*ctx
= ssl
->internal
->tls13
;
478 uint8_t buf
[512]; /* XXX */
482 * We need to return 0 at the point that we have completed sending a
483 * close-notify. We return 1 when we have sent and received close-notify
484 * alerts. All other cases, including EOF, return -1 and set internal
485 * state appropriately.
487 if (ctx
== NULL
|| ssl
->internal
->quiet_shutdown
) {
488 ssl
->internal
->shutdown
= SSL_SENT_SHUTDOWN
| SSL_RECEIVED_SHUTDOWN
;
492 if (!ctx
->close_notify_sent
) {
493 /* Enqueue and send close notify. */
494 if (!(ssl
->internal
->shutdown
& SSL_SENT_SHUTDOWN
)) {
495 ssl
->internal
->shutdown
|= SSL_SENT_SHUTDOWN
;
496 if ((ret
= tls13_send_alert(ctx
->rl
,
497 TLS13_ALERT_CLOSE_NOTIFY
)) < 0)
498 return tls13_legacy_return_code(ssl
, ret
);
500 ret
= tls13_record_layer_send_pending(ctx
->rl
);
501 if (ret
== TLS13_IO_EOF
)
503 if (ret
!= TLS13_IO_SUCCESS
)
504 return tls13_legacy_return_code(ssl
, ret
);
505 } else if (!ctx
->close_notify_recv
) {
507 * If there is no application data pending, attempt to read more
508 * data in order to receive a close-notify. This should trigger
509 * a record to be read from the wire, which may be application
510 * handshake or alert data. Only one attempt is made to match
511 * previous semantics.
513 if (tls13_pending_application_data(ctx
->rl
) == 0) {
514 if ((ret
= tls13_read_application_data(ctx
->rl
, buf
,
516 return tls13_legacy_return_code(ssl
, ret
);
517 if (!ctx
->close_notify_recv
)
522 if (ctx
->close_notify_recv
)
529 tls13_legacy_servername_process(struct tls13_ctx
*ctx
, uint8_t *alert
)
531 int legacy_alert
= SSL_AD_UNRECOGNIZED_NAME
;
532 int ret
= SSL_TLSEXT_ERR_NOACK
;
533 SSL_CTX
*ssl_ctx
= ctx
->ssl
->ctx
;
536 if (ssl_ctx
->internal
->tlsext_servername_callback
== NULL
)
537 ssl_ctx
= s
->initial_ctx
;
538 if (ssl_ctx
->internal
->tlsext_servername_callback
== NULL
)
541 ret
= ssl_ctx
->internal
->tlsext_servername_callback(s
, &legacy_alert
,
542 ssl_ctx
->internal
->tlsext_servername_arg
);
545 * Ignore SSL_TLSEXT_ERR_ALERT_WARNING returns to match OpenSSL's
546 * behavior: the only warning alerts in TLSv1.3 are close_notify and
547 * user_canceled, neither of which should be returned by the callback.
549 if (ret
== SSL_TLSEXT_ERR_ALERT_FATAL
) {
550 if (legacy_alert
>= 0 && legacy_alert
<= 255)
551 *alert
= legacy_alert
;