/src/libressl/ssl/tls13_legacy.c

Source (jump to first uncovered line)
/*  $OpenBSD: tls13_legacy.c,v 1.44 2024/01/30 14:50:50 jsing Exp $ */
/*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <limits.h>

#include "ssl_local.h"
#include "tls13_internal.h"

static ssize_t
tls13_legacy_wire_read(SSL *ssl, uint8_t *buf, size_t len)
{
  int n;

  if (ssl->rbio == NULL) {
    SSLerror(ssl, SSL_R_BIO_NOT_SET);
    return TLS13_IO_FAILURE;
  }

  ssl->rwstate = SSL_READING;
  errno = 0;

  if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) {
    if (BIO_should_read(ssl->rbio))
      return TLS13_IO_WANT_POLLIN;
    if (n == 0)
      return TLS13_IO_EOF;

    if (ERR_peek_error() == 0 && errno != 0)
      SYSerror(errno);

    return TLS13_IO_FAILURE;
  }

  if (n == len)
    ssl->rwstate = SSL_NOTHING;

  return n;
}

ssize_t
tls13_legacy_wire_read_cb(void *buf, size_t n, void *arg)
{
  struct tls13_ctx *ctx = arg;

  return tls13_legacy_wire_read(ctx->ssl, buf, n);
}

static ssize_t
tls13_legacy_wire_write(SSL *ssl, const uint8_t *buf, size_t len)
{
  int n;

  if (ssl->wbio == NULL) {
    SSLerror(ssl, SSL_R_BIO_NOT_SET);
    return TLS13_IO_FAILURE;
  }

  ssl->rwstate = SSL_WRITING;
  errno = 0;

  if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) {
    if (BIO_should_write(ssl->wbio))
      return TLS13_IO_WANT_POLLOUT;

    if (ERR_peek_error() == 0 && errno != 0)
      SYSerror(errno);

    return TLS13_IO_FAILURE;
  }

  if (n == len)
    ssl->rwstate = SSL_NOTHING;

  return n;
}

ssize_t
tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg)
{
  struct tls13_ctx *ctx = arg;

  return tls13_legacy_wire_write(ctx->ssl, buf, n);
}

static ssize_t
tls13_legacy_wire_flush(SSL *ssl)
{
  if (BIO_flush(ssl->wbio) <= 0) {
    if (BIO_should_write(ssl->wbio))
      return TLS13_IO_WANT_POLLOUT;

    if (ERR_peek_error() == 0 && errno != 0)
      SYSerror(errno);

    return TLS13_IO_FAILURE;
  }

  return TLS13_IO_SUCCESS;
}

ssize_t
tls13_legacy_wire_flush_cb(void *arg)
{
  struct tls13_ctx *ctx = arg;

  return tls13_legacy_wire_flush(ctx->ssl);
}

static void
tls13_legacy_error(SSL *ssl)
{
  struct tls13_ctx *ctx = ssl->tls13;
  int reason = SSL_R_UNKNOWN;

  /* If we received a fatal alert we already put an error on the stack. */
  if (ssl->s3->fatal_alert != 0)
    return;

  switch (ctx->error.code) {
  case TLS13_ERR_VERIFY_FAILED:
    reason = SSL_R_CERTIFICATE_VERIFY_FAILED;
    break;
  case TLS13_ERR_HRR_FAILED:
    reason = SSL_R_NO_CIPHERS_AVAILABLE;
    break;
  case TLS13_ERR_TRAILING_DATA:
    reason = SSL_R_EXTRA_DATA_IN_MESSAGE;
    break;
  case TLS13_ERR_NO_SHARED_CIPHER:
    reason = SSL_R_NO_SHARED_CIPHER;
    break;
  case TLS13_ERR_NO_CERTIFICATE:
    reason = SSL_R_MISSING_RSA_CERTIFICATE; /* XXX */
    break;
  case TLS13_ERR_NO_PEER_CERTIFICATE:
    reason = SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE;
    break;
  }

  /* Something (probably libcrypto) already pushed an error on the stack. */
  if (reason == SSL_R_UNKNOWN && ERR_peek_error() != 0)
    return;

  ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file,
      ctx->error.line);
}

static int
tls13_legacy_return_code(SSL *ssl, ssize_t ret)
{
  if (ret > INT_MAX) {
    SSLerror(ssl, ERR_R_INTERNAL_ERROR);
    return -1;
  }

  /* A successful read, write or other operation. */
  if (ret > 0)
    return ret;

  ssl->rwstate = SSL_NOTHING;

  switch (ret) {
  case TLS13_IO_EOF:
    return 0;

  case TLS13_IO_FAILURE:
    tls13_legacy_error(ssl);
    return -1;

  case TLS13_IO_ALERT:
    tls13_legacy_error(ssl);
    return -1;

  case TLS13_IO_WANT_POLLIN:
    BIO_set_retry_read(ssl->rbio);
    ssl->rwstate = SSL_READING;
    return -1;

  case TLS13_IO_WANT_POLLOUT:
    BIO_set_retry_write(ssl->wbio);
    ssl->rwstate = SSL_WRITING;
    return -1;

  case TLS13_IO_WANT_RETRY:
    SSLerror(ssl, ERR_R_INTERNAL_ERROR);
    return -1;
  }

  SSLerror(ssl, ERR_R_INTERNAL_ERROR);
  return -1;
}

int
tls13_legacy_pending(const SSL *ssl)
{
  struct tls13_ctx *ctx = ssl->tls13;
  ssize_t ret;

  if (ctx == NULL)
    return 0;

  ret = tls13_pending_application_data(ctx->rl);
  if (ret < 0 || ret > INT_MAX)
    return 0;

  return ret;
}

int
tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int peek)
{
  struct tls13_ctx *ctx = ssl->tls13;
  ssize_t ret;

  if (ctx == NULL || !ctx->handshake_completed) {
    if ((ret = ssl->handshake_func(ssl)) <= 0)
      return ret;
    if (len == 0)
      return 0;
    return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLIN);
  }

  tls13_record_layer_set_retry_after_phh(ctx->rl,
      (ctx->ssl->mode & SSL_MODE_AUTO_RETRY) != 0);

  if (type != SSL3_RT_APPLICATION_DATA) {
    SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
    return -1;
  }
  if (len < 0) {
    SSLerror(ssl, SSL_R_BAD_LENGTH);
    return -1;
  }

  if (peek)
    ret = tls13_peek_application_data(ctx->rl, buf, len);
  else
    ret = tls13_read_application_data(ctx->rl, buf, len);

  return tls13_legacy_return_code(ssl, ret);
}

int
tls13_legacy_write_bytes(SSL *ssl, int type, const void *vbuf, int len)
{
  struct tls13_ctx *ctx = ssl->tls13;
  const uint8_t *buf = vbuf;
  size_t n, sent;
  ssize_t ret;

  if (ctx == NULL || !ctx->handshake_completed) {
    if ((ret = ssl->handshake_func(ssl)) <= 0)
      return ret;
    if (len == 0)
      return 0;
    return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLOUT);
  }

  if (type != SSL3_RT_APPLICATION_DATA) {
    SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
    return -1;
  }
  if (len < 0) {
    SSLerror(ssl, SSL_R_BAD_LENGTH);
    return -1;
  }

  /*
   * The TLSv1.3 record layer write behaviour is the same as
   * SSL_MODE_ENABLE_PARTIAL_WRITE.
   */
  if (ssl->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) {
    ret = tls13_write_application_data(ctx->rl, buf, len);
    return tls13_legacy_return_code(ssl, ret);
  }

  /*
   * In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until
   * we have written out all of the requested data.
   */
  sent = ssl->s3->wnum;
  if (len < sent) {
    SSLerror(ssl, SSL_R_BAD_LENGTH);
    return -1;
  }
  n = len - sent;
  for (;;) {
    if (n == 0) {
      ssl->s3->wnum = 0;
      return sent;
    }
    if ((ret = tls13_write_application_data(ctx->rl,
        &buf[sent], n)) <= 0) {
      ssl->s3->wnum = sent;
      return tls13_legacy_return_code(ssl, ret);
    }
    sent += ret;
    n -= ret;
  }
}

static int
tls13_use_legacy_stack(struct tls13_ctx *ctx)
{
  SSL *s = ctx->ssl;
  CBB cbb, fragment;
  CBS cbs;

  memset(&cbb, 0, sizeof(cbb));

  if (!ssl3_setup_init_buffer(s))
    goto err;
  if (!ssl3_setup_buffers(s))
    goto err;
  if (!ssl_init_wbio_buffer(s, 1))
    goto err;

  /* Stash any unprocessed data from the last record. */
  tls13_record_layer_rcontent(ctx->rl, &cbs);
  if (CBS_len(&cbs) > 0) {
    if (!CBB_init_fixed(&cbb, s->s3->rbuf.buf,
        s->s3->rbuf.len))
      goto err;
    if (!CBB_add_u8(&cbb, SSL3_RT_HANDSHAKE))
      goto err;
    if (!CBB_add_u16(&cbb, TLS1_2_VERSION))
      goto err;
    if (!CBB_add_u16_length_prefixed(&cbb, &fragment))
      goto err;
    if (!CBB_add_bytes(&fragment, CBS_data(&cbs), CBS_len(&cbs)))
      goto err;
    if (!CBB_finish(&cbb, NULL, NULL))
      goto err;

    s->s3->rbuf.offset = SSL3_RT_HEADER_LENGTH;
    s->s3->rbuf.left = CBS_len(&cbs);
    s->s3->rrec.type = SSL3_RT_HANDSHAKE;
    s->s3->rrec.length = CBS_len(&cbs);
    s->rstate = SSL_ST_READ_BODY;
    s->packet = s->s3->rbuf.buf;
    s->packet_length = SSL3_RT_HEADER_LENGTH;
    s->mac_packet = 1;
  }

  /* Stash the current handshake message. */
  tls13_handshake_msg_data(ctx->hs_msg, &cbs);
  if (!BUF_MEM_grow_clean(s->init_buf, CBS_len(&cbs)))
    goto err;
  if (!CBS_write_bytes(&cbs, s->init_buf->data,
      s->init_buf->length, NULL))
    goto err;

  s->s3->hs.tls12.reuse_message = 1;
  s->s3->hs.tls12.message_type = tls13_handshake_msg_type(ctx->hs_msg);
  s->s3->hs.tls12.message_size = CBS_len(&cbs) - SSL3_HM_HEADER_LENGTH;

  /*
   * Only switch the method after initialization is complete
   * as we start part way into the legacy state machine.
   */
  s->method = tls_legacy_method();

  return 1;

 err:
  CBB_cleanup(&cbb);

  return 0;
}

int
tls13_use_legacy_client(struct tls13_ctx *ctx)
{
  SSL *s = ctx->ssl;

  if (!tls13_use_legacy_stack(ctx))
    return 0;

  s->handshake_func = s->method->ssl_connect;
  s->version = s->method->max_tls_version;

  return 1;
}

int
tls13_use_legacy_server(struct tls13_ctx *ctx)
{
  SSL *s = ctx->ssl;

  if (!tls13_use_legacy_stack(ctx))
    return 0;

  s->handshake_func = s->method->ssl_accept;
  s->version = s->method->max_tls_version;
  s->server = 1;

  return 1;
}

int
tls13_legacy_accept(SSL *ssl)
{
  struct tls13_ctx *ctx = ssl->tls13;
  int ret;

  if (ctx == NULL) {
    if ((ctx = tls13_ctx_new(TLS13_HS_SERVER, ssl)) == NULL) {
      SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
      return -1;
    }
    if (!tls13_server_init(ctx)) {
      if (ERR_peek_error() == 0)
        SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
      return -1;
    }
  }

  ERR_clear_error();

  ret = tls13_server_accept(ctx);
  if (ret == TLS13_IO_USE_LEGACY)
    return ssl->method->ssl_accept(ssl);

  ret = tls13_legacy_return_code(ssl, ret);

  if (ctx->info_cb != NULL)
    ctx->info_cb(ctx, TLS13_INFO_ACCEPT_EXIT, ret);

  return ret;
}

int
tls13_legacy_connect(SSL *ssl)
{
  struct tls13_ctx *ctx = ssl->tls13;
  int ret;

  if (ctx == NULL) {
    if ((ctx = tls13_ctx_new(TLS13_HS_CLIENT, ssl)) == NULL) {
      SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
      return -1;
    }
    if (!tls13_client_init(ctx)) {
      if (ERR_peek_error() == 0)
        SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
      return -1;
    }
  }

  ERR_clear_error();

  ret = tls13_client_connect(ctx);
  if (ret == TLS13_IO_USE_LEGACY)
    return ssl->method->ssl_connect(ssl);

  ret = tls13_legacy_return_code(ssl, ret);

  if (ctx->info_cb != NULL)
    ctx->info_cb(ctx, TLS13_INFO_CONNECT_EXIT, ret);

  return ret;
}

int
tls13_legacy_shutdown(SSL *ssl)
{
  struct tls13_ctx *ctx = ssl->tls13;
  uint8_t buf[512]; /* XXX */
  ssize_t ret;

  /*
   * We need to return 0 at the point that we have completed sending a
   * close-notify. We return 1 when we have sent and received close-notify
   * alerts. All other cases, including EOF, return -1 and set internal
   * state appropriately. Note that all of this insanity can also be
   * externally controlled by manipulating the shutdown flags.
   */
  if (ctx == NULL || ssl->quiet_shutdown) {
    ssl->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN;
    return 1;
  }

  if ((ssl->shutdown & SSL_SENT_SHUTDOWN) == 0) {
    ssl->shutdown |= SSL_SENT_SHUTDOWN;
    ret = tls13_send_alert(ctx->rl, TLS13_ALERT_CLOSE_NOTIFY);
    if (ret == TLS13_IO_EOF)
      return -1;
    if (ret != TLS13_IO_SUCCESS)
      return tls13_legacy_return_code(ssl, ret);
    goto done;
  }

  ret = tls13_record_layer_send_pending(ctx->rl);
  if (ret == TLS13_IO_EOF)
    return -1;
  if (ret != TLS13_IO_SUCCESS)
    return tls13_legacy_return_code(ssl, ret);

  if ((ssl->shutdown & SSL_RECEIVED_SHUTDOWN) == 0) {
    /*
     * If there is no application data pending, attempt to read more
     * data in order to receive a close-notify. This should trigger
     * a record to be read from the wire, which may be application
     * handshake or alert data. Only one attempt is made with no
     * error handling, in order to match previous semantics.
     */
    if (tls13_pending_application_data(ctx->rl) == 0) {
      (void)tls13_read_application_data(ctx->rl, buf, sizeof(buf));
      if (!ctx->close_notify_recv)
        return -1;
    }
  }

 done:
  if (ssl->shutdown == (SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN))
    return 1;

  return 0;
}

int
tls13_legacy_servername_process(struct tls13_ctx *ctx, uint8_t *alert)
{
  int legacy_alert = SSL_AD_UNRECOGNIZED_NAME;
  int ret = SSL_TLSEXT_ERR_NOACK;
  SSL_CTX *ssl_ctx = ctx->ssl->ctx;
  SSL *s = ctx->ssl;

  if (ssl_ctx->tlsext_servername_callback == NULL)
    ssl_ctx = s->initial_ctx;
  if (ssl_ctx->tlsext_servername_callback == NULL)
    return 1;

  ret = ssl_ctx->tlsext_servername_callback(s, &legacy_alert,
      ssl_ctx->tlsext_servername_arg);

  /*
   * Ignore SSL_TLSEXT_ERR_ALERT_WARNING returns to match OpenSSL's
   * behavior: the only warning alerts in TLSv1.3 are close_notify and
   * user_canceled, neither of which should be returned by the callback.
   */
  if (ret == SSL_TLSEXT_ERR_ALERT_FATAL) {
    if (legacy_alert >= 0 && legacy_alert <= 255)
      *alert = legacy_alert;
    return 0;
  }

  return 1;
}

Coverage Report

Created: 2025-03-09 06:52

Line	Count	Source (jump to first uncovered line)
1		/* $OpenBSD: tls13_legacy.c,v 1.44 2024/01/30 14:50:50 jsing Exp $ */
2		/*
3		* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4		*
5		* Permission to use, copy, modify, and distribute this software for any
6		* purpose with or without fee is hereby granted, provided that the above
7		* copyright notice and this permission notice appear in all copies.
8		*
9		* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10		* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11		* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12		* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13		* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14		* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15		* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16		*/
17
18		#include <limits.h>
19
20		#include "ssl_local.h"
21		#include "tls13_internal.h"
22
23		static ssize_t
24		tls13_legacy_wire_read(SSL ssl, uint8_t buf, size_t len)
25	48.3k	{
26	48.3k	int n;
27
28	48.3k	if (ssl->rbio == NULL) {
29	0	SSLerror(ssl, SSL_R_BIO_NOT_SET);
30	0	return TLS13_IO_FAILURE;
31	0	}
32
33	48.3k	ssl->rwstate = SSL_READING;
34	48.3k	errno = 0;
35
36	48.3k	if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) {
37	500	if (BIO_should_read(ssl->rbio))
38	500	return TLS13_IO_WANT_POLLIN;
39	0	if (n == 0)
40	0	return TLS13_IO_EOF;
41
42	0	if (ERR_peek_error() == 0 && errno != 0)
43	0	SYSerror(errno);
44
45	0	return TLS13_IO_FAILURE;
46	0	}
47
48	47.8k	if (n == len)
49	47.5k	ssl->rwstate = SSL_NOTHING;
50
51	47.8k	return n;
52	48.3k	}
53
54		ssize_t
55		tls13_legacy_wire_read_cb(void buf, size_t n, void arg)
56	48.3k	{
57	48.3k	struct tls13_ctx *ctx = arg;
58
59	48.3k	return tls13_legacy_wire_read(ctx->ssl, buf, n);
60	48.3k	}
61
62		static ssize_t
63		tls13_legacy_wire_write(SSL ssl, const uint8_t buf, size_t len)
64	6.94k	{
65	6.94k	int n;
66
67	6.94k	if (ssl->wbio == NULL) {
68	0	SSLerror(ssl, SSL_R_BIO_NOT_SET);
69	0	return TLS13_IO_FAILURE;
70	0	}
71
72	6.94k	ssl->rwstate = SSL_WRITING;
73	6.94k	errno = 0;
74
75	6.94k	if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) {
76	0	if (BIO_should_write(ssl->wbio))
77	0	return TLS13_IO_WANT_POLLOUT;
78
79	0	if (ERR_peek_error() == 0 && errno != 0)
80	0	SYSerror(errno);
81
82	0	return TLS13_IO_FAILURE;
83	0	}
84
85	6.94k	if (n == len)
86	6.94k	ssl->rwstate = SSL_NOTHING;
87
88	6.94k	return n;
89	6.94k	}
90
91		ssize_t
92		tls13_legacy_wire_write_cb(const void buf, size_t n, void arg)
93	6.94k	{
94	6.94k	struct tls13_ctx *ctx = arg;
95
96	6.94k	return tls13_legacy_wire_write(ctx->ssl, buf, n);
97	6.94k	}
98
99		static ssize_t
100		tls13_legacy_wire_flush(SSL *ssl)
101	5.82k	{
102	5.82k	if (BIO_flush(ssl->wbio) <= 0) {
103	0	if (BIO_should_write(ssl->wbio))
104	0	return TLS13_IO_WANT_POLLOUT;
105
106	0	if (ERR_peek_error() == 0 && errno != 0)
107	0	SYSerror(errno);
108
109	0	return TLS13_IO_FAILURE;
110	0	}
111
112	5.82k	return TLS13_IO_SUCCESS;
113	5.82k	}
114
115		ssize_t
116		tls13_legacy_wire_flush_cb(void *arg)
117	5.82k	{
118	5.82k	struct tls13_ctx *ctx = arg;
119
120	5.82k	return tls13_legacy_wire_flush(ctx->ssl);
121	5.82k	}
122
123		static void
124		tls13_legacy_error(SSL *ssl)
125	792	{
126	792	struct tls13_ctx *ctx = ssl->tls13;
127	792	int reason = SSL_R_UNKNOWN;
128
129		/* If we received a fatal alert we already put an error on the stack. */
130	792	if (ssl->s3->fatal_alert != 0)
131	36	return;
132
133	756	switch (ctx->error.code) {
134	0	case TLS13_ERR_VERIFY_FAILED:
135	0	reason = SSL_R_CERTIFICATE_VERIFY_FAILED;
136	0	break;
137	0	case TLS13_ERR_HRR_FAILED:
138	0	reason = SSL_R_NO_CIPHERS_AVAILABLE;
139	0	break;
140	1	case TLS13_ERR_TRAILING_DATA:
141	1	reason = SSL_R_EXTRA_DATA_IN_MESSAGE;
142	1	break;
143	15	case TLS13_ERR_NO_SHARED_CIPHER:
144	15	reason = SSL_R_NO_SHARED_CIPHER;
145	15	break;
146	21	case TLS13_ERR_NO_CERTIFICATE:
147	21	reason = SSL_R_MISSING_RSA_CERTIFICATE; /* XXX */
148	21	break;
149	0	case TLS13_ERR_NO_PEER_CERTIFICATE:
150	0	reason = SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE;
151	0	break;
152	756	}
153
154		/* Something (probably libcrypto) already pushed an error on the stack. */
155	756	if (reason == SSL_R_UNKNOWN && ERR_peek_error() != 0)
156	637	return;
157
158	119	ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file,
159	119	ctx->error.line);
160	119	}
161
162		static int
163		tls13_legacy_return_code(SSL *ssl, ssize_t ret)
164	1.29k	{
165	1.29k	if (ret > INT_MAX) {
166	0	SSLerror(ssl, ERR_R_INTERNAL_ERROR);
167	0	return -1;
168	0	}
169
170		/* A successful read, write or other operation. */
171	1.29k	if (ret > 0)
172	0	return ret;
173
174	1.29k	ssl->rwstate = SSL_NOTHING;
175
176	1.29k	switch (ret) {
177	6	case TLS13_IO_EOF:
178	6	return 0;
179
180	106	case TLS13_IO_FAILURE:
181	106	tls13_legacy_error(ssl);
182	106	return -1;
183
184	686	case TLS13_IO_ALERT:
185	686	tls13_legacy_error(ssl);
186	686	return -1;
187
188	500	case TLS13_IO_WANT_POLLIN:
189	500	BIO_set_retry_read(ssl->rbio);
190	500	ssl->rwstate = SSL_READING;
191	500	return -1;
192
193	0	case TLS13_IO_WANT_POLLOUT:
194	0	BIO_set_retry_write(ssl->wbio);
195	0	ssl->rwstate = SSL_WRITING;
196	0	return -1;
197
198	0	case TLS13_IO_WANT_RETRY:
199	0	SSLerror(ssl, ERR_R_INTERNAL_ERROR);
200	0	return -1;
201	1.29k	}
202
203	0	SSLerror(ssl, ERR_R_INTERNAL_ERROR);
204	0	return -1;
205	1.29k	}
206
207		int
208		tls13_legacy_pending(const SSL *ssl)
209	0	{
210	0	struct tls13_ctx *ctx = ssl->tls13;
211	0	ssize_t ret;
212
213	0	if (ctx == NULL)
214	0	return 0;
215
216	0	ret = tls13_pending_application_data(ctx->rl);
217	0	if (ret < 0 \|\| ret > INT_MAX)
218	0	return 0;
219
220	0	return ret;
221	0	}
222
223		int
224		tls13_legacy_read_bytes(SSL ssl, int type, unsigned char buf, int len, int peek)
225	0	{
226	0	struct tls13_ctx *ctx = ssl->tls13;
227	0	ssize_t ret;
228
229	0	if (ctx == NULL \|\| !ctx->handshake_completed) {
230	0	if ((ret = ssl->handshake_func(ssl)) <= 0)
231	0	return ret;
232	0	if (len == 0)
233	0	return 0;
234	0	return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLIN);
235	0	}
236
237	0	tls13_record_layer_set_retry_after_phh(ctx->rl,
238	0	(ctx->ssl->mode & SSL_MODE_AUTO_RETRY) != 0);
239
240	0	if (type != SSL3_RT_APPLICATION_DATA) {
241	0	SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
242	0	return -1;
243	0	}
244	0	if (len < 0) {
245	0	SSLerror(ssl, SSL_R_BAD_LENGTH);
246	0	return -1;
247	0	}
248
249	0	if (peek)
250	0	ret = tls13_peek_application_data(ctx->rl, buf, len);
251	0	else
252	0	ret = tls13_read_application_data(ctx->rl, buf, len);
253
254	0	return tls13_legacy_return_code(ssl, ret);
255	0	}
256
257		int
258		tls13_legacy_write_bytes(SSL ssl, int type, const void vbuf, int len)
259	0	{
260	0	struct tls13_ctx *ctx = ssl->tls13;
261	0	const uint8_t *buf = vbuf;
262	0	size_t n, sent;
263	0	ssize_t ret;
264
265	0	if (ctx == NULL \|\| !ctx->handshake_completed) {
266	0	if ((ret = ssl->handshake_func(ssl)) <= 0)
267	0	return ret;
268	0	if (len == 0)
269	0	return 0;
270	0	return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLOUT);
271	0	}
272
273	0	if (type != SSL3_RT_APPLICATION_DATA) {
274	0	SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
275	0	return -1;
276	0	}
277	0	if (len < 0) {
278	0	SSLerror(ssl, SSL_R_BAD_LENGTH);
279	0	return -1;
280	0	}
281
282		/*
283		* The TLSv1.3 record layer write behaviour is the same as
284		* SSL_MODE_ENABLE_PARTIAL_WRITE.
285		*/
286	0	if (ssl->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) {
287	0	ret = tls13_write_application_data(ctx->rl, buf, len);
288	0	return tls13_legacy_return_code(ssl, ret);
289	0	}
290
291		/*
292		* In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until
293		* we have written out all of the requested data.
294		*/
295	0	sent = ssl->s3->wnum;
296	0	if (len < sent) {
297	0	SSLerror(ssl, SSL_R_BAD_LENGTH);
298	0	return -1;
299	0	}
300	0	n = len - sent;
301	0	for (;;) {
302	0	if (n == 0) {
303	0	ssl->s3->wnum = 0;
304	0	return sent;
305	0	}
306	0	if ((ret = tls13_write_application_data(ctx->rl,
307	0	&buf[sent], n)) <= 0) {
308	0	ssl->s3->wnum = sent;
309	0	return tls13_legacy_return_code(ssl, ret);
310	0	}
311	0	sent += ret;
312	0	n -= ret;
313	0	}
314	0	}
315
316		static int
317		tls13_use_legacy_stack(struct tls13_ctx *ctx)
318	8.18k	{
319	8.18k	SSL *s = ctx->ssl;
320	8.18k	CBB cbb, fragment;
321	8.18k	CBS cbs;
322
323	8.18k	memset(&cbb, 0, sizeof(cbb));
324
325	8.18k	if (!ssl3_setup_init_buffer(s))
326	0	goto err;
327	8.18k	if (!ssl3_setup_buffers(s))
328	0	goto err;
329	8.18k	if (!ssl_init_wbio_buffer(s, 1))
330	0	goto err;
331
332		/* Stash any unprocessed data from the last record. */
333	8.18k	tls13_record_layer_rcontent(ctx->rl, &cbs);
334	8.18k	if (CBS_len(&cbs) > 0) {
335	2.22k	if (!CBB_init_fixed(&cbb, s->s3->rbuf.buf,
336	2.22k	s->s3->rbuf.len))
337	0	goto err;
338	2.22k	if (!CBB_add_u8(&cbb, SSL3_RT_HANDSHAKE))
339	0	goto err;
340	2.22k	if (!CBB_add_u16(&cbb, TLS1_2_VERSION))
341	0	goto err;
342	2.22k	if (!CBB_add_u16_length_prefixed(&cbb, &fragment))
343	0	goto err;
344	2.22k	if (!CBB_add_bytes(&fragment, CBS_data(&cbs), CBS_len(&cbs)))
345	0	goto err;
346	2.22k	if (!CBB_finish(&cbb, NULL, NULL))
347	0	goto err;
348
349	2.22k	s->s3->rbuf.offset = SSL3_RT_HEADER_LENGTH;
350	2.22k	s->s3->rbuf.left = CBS_len(&cbs);
351	2.22k	s->s3->rrec.type = SSL3_RT_HANDSHAKE;
352	2.22k	s->s3->rrec.length = CBS_len(&cbs);
353	2.22k	s->rstate = SSL_ST_READ_BODY;
354	2.22k	s->packet = s->s3->rbuf.buf;
355	2.22k	s->packet_length = SSL3_RT_HEADER_LENGTH;
356	2.22k	s->mac_packet = 1;
357	2.22k	}
358
359		/* Stash the current handshake message. */
360	8.18k	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
361	8.18k	if (!BUF_MEM_grow_clean(s->init_buf, CBS_len(&cbs)))
362	0	goto err;
363	8.18k	if (!CBS_write_bytes(&cbs, s->init_buf->data,
364	8.18k	s->init_buf->length, NULL))
365	0	goto err;
366
367	8.18k	s->s3->hs.tls12.reuse_message = 1;
368	8.18k	s->s3->hs.tls12.message_type = tls13_handshake_msg_type(ctx->hs_msg);
369	8.18k	s->s3->hs.tls12.message_size = CBS_len(&cbs) - SSL3_HM_HEADER_LENGTH;
370
371		/*
372		* Only switch the method after initialization is complete
373		* as we start part way into the legacy state machine.
374		*/
375	8.18k	s->method = tls_legacy_method();
376
377	8.18k	return 1;
378
379	0	err:
380	0	CBB_cleanup(&cbb);
381
382	0	return 0;
383	8.18k	}
384
385		int
386		tls13_use_legacy_client(struct tls13_ctx *ctx)
387	5.13k	{
388	5.13k	SSL *s = ctx->ssl;
389
390	5.13k	if (!tls13_use_legacy_stack(ctx))
391	0	return 0;
392
393	5.13k	s->handshake_func = s->method->ssl_connect;
394	5.13k	s->version = s->method->max_tls_version;
395
396	5.13k	return 1;
397	5.13k	}
398
399		int
400		tls13_use_legacy_server(struct tls13_ctx *ctx)
401	3.05k	{
402	3.05k	SSL *s = ctx->ssl;
403
404	3.05k	if (!tls13_use_legacy_stack(ctx))
405	0	return 0;
406
407	3.05k	s->handshake_func = s->method->ssl_accept;
408	3.05k	s->version = s->method->max_tls_version;
409	3.05k	s->server = 1;
410
411	3.05k	return 1;
412	3.05k	}
413
414		int
415		tls13_legacy_accept(SSL *ssl)
416	3.82k	{
417	3.82k	struct tls13_ctx *ctx = ssl->tls13;
418	3.82k	int ret;
419
420	3.82k	if (ctx == NULL) {
421	3.82k	if ((ctx = tls13_ctx_new(TLS13_HS_SERVER, ssl)) == NULL) {
422	0	SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
423	0	return -1;
424	0	}
425	3.82k	if (!tls13_server_init(ctx)) {
426	0	if (ERR_peek_error() == 0)
427	0	SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
428	0	return -1;
429	0	}
430	3.82k	}
431
432	3.82k	ERR_clear_error();
433
434	3.82k	ret = tls13_server_accept(ctx);
435	3.82k	if (ret == TLS13_IO_USE_LEGACY)
436	3.04k	return ssl->method->ssl_accept(ssl);
437
438	772	ret = tls13_legacy_return_code(ssl, ret);
439
440	772	if (ctx->info_cb != NULL)
441	772	ctx->info_cb(ctx, TLS13_INFO_ACCEPT_EXIT, ret);
442
443	772	return ret;
444	3.82k	}
445
446		int
447		tls13_legacy_connect(SSL *ssl)
448	5.65k	{
449	5.65k	struct tls13_ctx *ctx = ssl->tls13;
450	5.65k	int ret;
451
452	5.65k	if (ctx == NULL) {
453	5.65k	if ((ctx = tls13_ctx_new(TLS13_HS_CLIENT, ssl)) == NULL) {
454	0	SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
455	0	return -1;
456	0	}
457	5.65k	if (!tls13_client_init(ctx)) {
458	0	if (ERR_peek_error() == 0)
459	0	SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
460	0	return -1;
461	0	}
462	5.65k	}
463
464	5.65k	ERR_clear_error();
465
466	5.65k	ret = tls13_client_connect(ctx);
467	5.65k	if (ret == TLS13_IO_USE_LEGACY)
468	5.13k	return ssl->method->ssl_connect(ssl);
469
470	526	ret = tls13_legacy_return_code(ssl, ret);
471
472	526	if (ctx->info_cb != NULL)
473	526	ctx->info_cb(ctx, TLS13_INFO_CONNECT_EXIT, ret);
474
475	526	return ret;
476	5.65k	}
477
478		int
479		tls13_legacy_shutdown(SSL *ssl)
480	0	{
481	0	struct tls13_ctx *ctx = ssl->tls13;
482	0	uint8_t buf[512]; /* XXX */
483	0	ssize_t ret;
484
485		/*
486		* We need to return 0 at the point that we have completed sending a
487		* close-notify. We return 1 when we have sent and received close-notify
488		* alerts. All other cases, including EOF, return -1 and set internal
489		* state appropriately. Note that all of this insanity can also be
490		* externally controlled by manipulating the shutdown flags.
491		*/
492	0	if (ctx == NULL \|\| ssl->quiet_shutdown) {
493	0	ssl->shutdown = SSL_SENT_SHUTDOWN \| SSL_RECEIVED_SHUTDOWN;
494	0	return 1;
495	0	}
496
497	0	if ((ssl->shutdown & SSL_SENT_SHUTDOWN) == 0) {
498	0	ssl->shutdown \|= SSL_SENT_SHUTDOWN;
499	0	ret = tls13_send_alert(ctx->rl, TLS13_ALERT_CLOSE_NOTIFY);
500	0	if (ret == TLS13_IO_EOF)
501	0	return -1;
502	0	if (ret != TLS13_IO_SUCCESS)
503	0	return tls13_legacy_return_code(ssl, ret);
504	0	goto done;
505	0	}
506
507	0	ret = tls13_record_layer_send_pending(ctx->rl);
508	0	if (ret == TLS13_IO_EOF)
509	0	return -1;
510	0	if (ret != TLS13_IO_SUCCESS)
511	0	return tls13_legacy_return_code(ssl, ret);
512
513	0	if ((ssl->shutdown & SSL_RECEIVED_SHUTDOWN) == 0) {
514		/*
515		* If there is no application data pending, attempt to read more
516		* data in order to receive a close-notify. This should trigger
517		* a record to be read from the wire, which may be application
518		* handshake or alert data. Only one attempt is made with no
519		* error handling, in order to match previous semantics.
520		*/
521	0	if (tls13_pending_application_data(ctx->rl) == 0) {
522	0	(void)tls13_read_application_data(ctx->rl, buf, sizeof(buf));
523	0	if (!ctx->close_notify_recv)
524	0	return -1;
525	0	}
526	0	}
527
528	0	done:
529	0	if (ssl->shutdown == (SSL_SENT_SHUTDOWN \| SSL_RECEIVED_SHUTDOWN))
530	0	return 1;
531
532	0	return 0;
533	0	}
534
535		int
536		tls13_legacy_servername_process(struct tls13_ctx ctx, uint8_t alert)
537	114	{
538	114	int legacy_alert = SSL_AD_UNRECOGNIZED_NAME;
539	114	int ret = SSL_TLSEXT_ERR_NOACK;
540	114	SSL_CTX *ssl_ctx = ctx->ssl->ctx;
541	114	SSL *s = ctx->ssl;
542
543	114	if (ssl_ctx->tlsext_servername_callback == NULL)
544	114	ssl_ctx = s->initial_ctx;
545	114	if (ssl_ctx->tlsext_servername_callback == NULL)
546	114	return 1;
547
548	0	ret = ssl_ctx->tlsext_servername_callback(s, &legacy_alert,
549	0	ssl_ctx->tlsext_servername_arg);
550
551		/*
552		* Ignore SSL_TLSEXT_ERR_ALERT_WARNING returns to match OpenSSL's
553		* behavior: the only warning alerts in TLSv1.3 are close_notify and
554		* user_canceled, neither of which should be returned by the callback.
555		*/
556	0	if (ret == SSL_TLSEXT_ERR_ALERT_FATAL) {
557	0	if (legacy_alert >= 0 && legacy_alert <= 255)
558	0	*alert = legacy_alert;
559	0	return 0;
560	0	}
561
562	0	return 1;
563	0	}