1 files changed, 0 insertions, 563 deletions
diff --git a/src/lib/libssl/tls13_legacy.c b/src/lib/libssl/tls13_legacy.c
deleted file mode 100644
index 6c33eccc61..0000000000
--- a/src/lib/libssl/tls13_legacy.c
+++ /dev/null
@@ -1,563 +0,0 @@
-/*      $OpenBSD: tls13_legacy.c,v 1.44 2024/01/30 14:50:50 jsing Exp $ */
-/*
- * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#include <limits.h>
-#include "ssl_local.h"
-#include "tls13_internal.h"
-static ssize_t
-tls13_legacy_wire_read(SSL *ssl, uint8_t *buf, size_t len)
-{
-        int n;
-        if (ssl->rbio == NULL) {
-                SSLerror(ssl, SSL_R_BIO_NOT_SET);
-                return TLS13_IO_FAILURE;
-        }
-        ssl->rwstate = SSL_READING;
-        errno = 0;
-        if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) {
-                if (BIO_should_read(ssl->rbio))
-                        return TLS13_IO_WANT_POLLIN;
-                if (n == 0)
-                        return TLS13_IO_EOF;
-                if (ERR_peek_error() == 0 && errno != 0)
-                        SYSerror(errno);
-                return TLS13_IO_FAILURE;
-        }
-        if (n == len)
-                ssl->rwstate = SSL_NOTHING;
-        return n;
-}
-ssize_t
-tls13_legacy_wire_read_cb(void *buf, size_t n, void *arg)
-{
-        struct tls13_ctx *ctx = arg;
-        return tls13_legacy_wire_read(ctx->ssl, buf, n);
-}
-static ssize_t
-tls13_legacy_wire_write(SSL *ssl, const uint8_t *buf, size_t len)
-{
-        int n;
-        if (ssl->wbio == NULL) {
-                SSLerror(ssl, SSL_R_BIO_NOT_SET);
-                return TLS13_IO_FAILURE;
-        }
-        ssl->rwstate = SSL_WRITING;
-        errno = 0;
-        if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) {
-                if (BIO_should_write(ssl->wbio))
-                        return TLS13_IO_WANT_POLLOUT;
-                if (ERR_peek_error() == 0 && errno != 0)
-                        SYSerror(errno);
-                return TLS13_IO_FAILURE;
-        }
-        if (n == len)
-                ssl->rwstate = SSL_NOTHING;
-        return n;
-}
-ssize_t
-tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg)
-{
-        struct tls13_ctx *ctx = arg;
-        return tls13_legacy_wire_write(ctx->ssl, buf, n);
-}
-static ssize_t
-tls13_legacy_wire_flush(SSL *ssl)
-{
-        if (BIO_flush(ssl->wbio) <= 0) {
-                if (BIO_should_write(ssl->wbio))
-                        return TLS13_IO_WANT_POLLOUT;
-                if (ERR_peek_error() == 0 && errno != 0)
-                        SYSerror(errno);
-                return TLS13_IO_FAILURE;
-        }
-        return TLS13_IO_SUCCESS;
-}
-ssize_t
-tls13_legacy_wire_flush_cb(void *arg)
-{
-        struct tls13_ctx *ctx = arg;
-        return tls13_legacy_wire_flush(ctx->ssl);
-}
-static void
-tls13_legacy_error(SSL *ssl)
-{
-        struct tls13_ctx *ctx = ssl->tls13;
-        int reason = SSL_R_UNKNOWN;
-        /* If we received a fatal alert we already put an error on the stack. */
-        if (ssl->s3->fatal_alert != 0)
-                return;
-        switch (ctx->error.code) {
-        case TLS13_ERR_VERIFY_FAILED:
-                reason = SSL_R_CERTIFICATE_VERIFY_FAILED;
-                break;
-        case TLS13_ERR_HRR_FAILED:
-                reason = SSL_R_NO_CIPHERS_AVAILABLE;
-                break;
-        case TLS13_ERR_TRAILING_DATA:
-                reason = SSL_R_EXTRA_DATA_IN_MESSAGE;
-                break;
-        case TLS13_ERR_NO_SHARED_CIPHER:
-                reason = SSL_R_NO_SHARED_CIPHER;
-                break;
-        case TLS13_ERR_NO_CERTIFICATE:
-                reason = SSL_R_MISSING_RSA_CERTIFICATE; /* XXX */
-                break;
-        case TLS13_ERR_NO_PEER_CERTIFICATE:
-                reason = SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE;
-                break;
-        }
-        /* Something (probably libcrypto) already pushed an error on the stack. */
-        if (reason == SSL_R_UNKNOWN && ERR_peek_error() != 0)
-                return;
-        ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file,
-            ctx->error.line);
-}
-static int
-tls13_legacy_return_code(SSL *ssl, ssize_t ret)
-{
-        if (ret > INT_MAX) {
-                SSLerror(ssl, ERR_R_INTERNAL_ERROR);
-                return -1;
-        }
-        /* A successful read, write or other operation. */
-        if (ret > 0)
-                return ret;
-        ssl->rwstate = SSL_NOTHING;
-        switch (ret) {
-        case TLS13_IO_EOF:
-                return 0;
-        case TLS13_IO_FAILURE:
-                tls13_legacy_error(ssl);
-                return -1;
-        case TLS13_IO_ALERT:
-                tls13_legacy_error(ssl);
-                return -1;
-        case TLS13_IO_WANT_POLLIN:
-                BIO_set_retry_read(ssl->rbio);
-                ssl->rwstate = SSL_READING;
-                return -1;
-        case TLS13_IO_WANT_POLLOUT:
-                BIO_set_retry_write(ssl->wbio);
-                ssl->rwstate = SSL_WRITING;
-                return -1;
-        case TLS13_IO_WANT_RETRY:
-                SSLerror(ssl, ERR_R_INTERNAL_ERROR);
-                return -1;
-        }
-        SSLerror(ssl, ERR_R_INTERNAL_ERROR);
-        return -1;
-}
-int
-tls13_legacy_pending(const SSL *ssl)
-{
-        struct tls13_ctx *ctx = ssl->tls13;
-        ssize_t ret;
-        if (ctx == NULL)
-                return 0;
-        ret = tls13_pending_application_data(ctx->rl);
-        if (ret < 0 || ret > INT_MAX)
-                return 0;
-        return ret;
-}
-int
-tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int peek)
-{
-        struct tls13_ctx *ctx = ssl->tls13;
-        ssize_t ret;
-        if (ctx == NULL || !ctx->handshake_completed) {
-                if ((ret = ssl->handshake_func(ssl)) <= 0)
-                        return ret;
-                if (len == 0)
-                        return 0;
-                return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLIN);
-        }
-        tls13_record_layer_set_retry_after_phh(ctx->rl,
-            (ctx->ssl->mode & SSL_MODE_AUTO_RETRY) != 0);
-        if (type != SSL3_RT_APPLICATION_DATA) {
-                SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-                return -1;
-        }
-        if (len < 0) {
-                SSLerror(ssl, SSL_R_BAD_LENGTH);
-                return -1;
-        }
-        if (peek)
-                ret = tls13_peek_application_data(ctx->rl, buf, len);
-        else
-                ret = tls13_read_application_data(ctx->rl, buf, len);
-        return tls13_legacy_return_code(ssl, ret);
-}
-int
-tls13_legacy_write_bytes(SSL *ssl, int type, const void *vbuf, int len)
-{
-        struct tls13_ctx *ctx = ssl->tls13;
-        const uint8_t *buf = vbuf;
-        size_t n, sent;
-        ssize_t ret;
-        if (ctx == NULL || !ctx->handshake_completed) {
-                if ((ret = ssl->handshake_func(ssl)) <= 0)
-                        return ret;
-                if (len == 0)
-                        return 0;
-                return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLOUT);
-        }
-        if (type != SSL3_RT_APPLICATION_DATA) {
-                SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-                return -1;
-        }
-        if (len < 0) {
-                SSLerror(ssl, SSL_R_BAD_LENGTH);
-                return -1;
-        }
-        /*
-         * The TLSv1.3 record layer write behaviour is the same as
-         * SSL_MODE_ENABLE_PARTIAL_WRITE.
-         */
-        if (ssl->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) {
-                ret = tls13_write_application_data(ctx->rl, buf, len);
-                return tls13_legacy_return_code(ssl, ret);
-        }
-        /*
-         * In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until
-         * we have written out all of the requested data.
-         */
-        sent = ssl->s3->wnum;
-        if (len < sent) {
-                SSLerror(ssl, SSL_R_BAD_LENGTH);
-                return -1;
-        }
-        n = len - sent;
-        for (;;) {
-                if (n == 0) {
-                        ssl->s3->wnum = 0;
-                        return sent;
-                }
-                if ((ret = tls13_write_application_data(ctx->rl,
-                    &buf[sent], n)) <= 0) {
-                        ssl->s3->wnum = sent;
-                        return tls13_legacy_return_code(ssl, ret);
-                }
-                sent += ret;
-                n -= ret;
-        }
-}
-static int
-tls13_use_legacy_stack(struct tls13_ctx *ctx)
-{
-        SSL *s = ctx->ssl;
-        CBB cbb, fragment;
-        CBS cbs;
-        memset(&cbb, 0, sizeof(cbb));
-        if (!ssl3_setup_init_buffer(s))
-                goto err;
-        if (!ssl3_setup_buffers(s))
-                goto err;
-        if (!ssl_init_wbio_buffer(s, 1))
-                goto err;
-        /* Stash any unprocessed data from the last record. */
-        tls13_record_layer_rcontent(ctx->rl, &cbs);
-        if (CBS_len(&cbs) > 0) {
-                if (!CBB_init_fixed(&cbb, s->s3->rbuf.buf,
-                    s->s3->rbuf.len))
-                        goto err;
-                if (!CBB_add_u8(&cbb, SSL3_RT_HANDSHAKE))
-                        goto err;
-                if (!CBB_add_u16(&cbb, TLS1_2_VERSION))
-                        goto err;
-                if (!CBB_add_u16_length_prefixed(&cbb, &fragment))
-                        goto err;
-                if (!CBB_add_bytes(&fragment, CBS_data(&cbs), CBS_len(&cbs)))
-                        goto err;
-                if (!CBB_finish(&cbb, NULL, NULL))
-                        goto err;
-                s->s3->rbuf.offset = SSL3_RT_HEADER_LENGTH;
-                s->s3->rbuf.left = CBS_len(&cbs);
-                s->s3->rrec.type = SSL3_RT_HANDSHAKE;
-                s->s3->rrec.length = CBS_len(&cbs);
-                s->rstate = SSL_ST_READ_BODY;
-                s->packet = s->s3->rbuf.buf;
-                s->packet_length = SSL3_RT_HEADER_LENGTH;
-                s->mac_packet = 1;
-        }
-        /* Stash the current handshake message. */
-        tls13_handshake_msg_data(ctx->hs_msg, &cbs);
-        if (!BUF_MEM_grow_clean(s->init_buf, CBS_len(&cbs)))
-                goto err;
-        if (!CBS_write_bytes(&cbs, s->init_buf->data,
-            s->init_buf->length, NULL))
-                goto err;
-        s->s3->hs.tls12.reuse_message = 1;
-        s->s3->hs.tls12.message_type = tls13_handshake_msg_type(ctx->hs_msg);
-        s->s3->hs.tls12.message_size = CBS_len(&cbs) - SSL3_HM_HEADER_LENGTH;
-        /*
-         * Only switch the method after initialization is complete
-         * as we start part way into the legacy state machine.
-         */
-        s->method = tls_legacy_method();
-        return 1;
- err:
-        CBB_cleanup(&cbb);
-        return 0;
-}
-int
-tls13_use_legacy_client(struct tls13_ctx *ctx)
-{
-        SSL *s = ctx->ssl;
-        if (!tls13_use_legacy_stack(ctx))
-                return 0;
-        s->handshake_func = s->method->ssl_connect;
-        s->version = s->method->max_tls_version;
-        return 1;
-}
-int
-tls13_use_legacy_server(struct tls13_ctx *ctx)
-{
-        SSL *s = ctx->ssl;
-        if (!tls13_use_legacy_stack(ctx))
-                return 0;
-        s->handshake_func = s->method->ssl_accept;
-        s->version = s->method->max_tls_version;
-        s->server = 1;
-        return 1;
-}
-int
-tls13_legacy_accept(SSL *ssl)
-{
-        struct tls13_ctx *ctx = ssl->tls13;
-        int ret;
-        if (ctx == NULL) {
-                if ((ctx = tls13_ctx_new(TLS13_HS_SERVER, ssl)) == NULL) {
-                        SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
-                        return -1;
-                }
-                if (!tls13_server_init(ctx)) {
-                        if (ERR_peek_error() == 0)
-                                SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
-                        return -1;
-                }
-        }
-        ERR_clear_error();
-        ret = tls13_server_accept(ctx);
-        if (ret == TLS13_IO_USE_LEGACY)
-                return ssl->method->ssl_accept(ssl);
-        ret = tls13_legacy_return_code(ssl, ret);
-        if (ctx->info_cb != NULL)
-                ctx->info_cb(ctx, TLS13_INFO_ACCEPT_EXIT, ret);
-        return ret;
-}
-int
-tls13_legacy_connect(SSL *ssl)
-{
-        struct tls13_ctx *ctx = ssl->tls13;
-        int ret;
-        if (ctx == NULL) {
-                if ((ctx = tls13_ctx_new(TLS13_HS_CLIENT, ssl)) == NULL) {
-                        SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
-                        return -1;
-                }
-                if (!tls13_client_init(ctx)) {
-                        if (ERR_peek_error() == 0)
-                                SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
-                        return -1;
-                }
-        }
-        ERR_clear_error();
-        ret = tls13_client_connect(ctx);
-        if (ret == TLS13_IO_USE_LEGACY)
-                return ssl->method->ssl_connect(ssl);
-        ret = tls13_legacy_return_code(ssl, ret);
-        if (ctx->info_cb != NULL)
-                ctx->info_cb(ctx, TLS13_INFO_CONNECT_EXIT, ret);
-        return ret;
-}
-int
-tls13_legacy_shutdown(SSL *ssl)
-{
-        struct tls13_ctx *ctx = ssl->tls13;
-        uint8_t buf[512]; /* XXX */
-        ssize_t ret;
-        /*
-         * We need to return 0 at the point that we have completed sending a
-         * close-notify. We return 1 when we have sent and received close-notify
-         * alerts. All other cases, including EOF, return -1 and set internal
-         * state appropriately. Note that all of this insanity can also be
-         * externally controlled by manipulating the shutdown flags.
-         */
-        if (ctx == NULL || ssl->quiet_shutdown) {
-                ssl->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN;
-                return 1;
-        }
-        if ((ssl->shutdown & SSL_SENT_SHUTDOWN) == 0) {
-                ssl->shutdown |= SSL_SENT_SHUTDOWN;
-                ret = tls13_send_alert(ctx->rl, TLS13_ALERT_CLOSE_NOTIFY);
-                if (ret == TLS13_IO_EOF)
-                        return -1;
-                if (ret != TLS13_IO_SUCCESS)
-                        return tls13_legacy_return_code(ssl, ret);
-                goto done;
-        }
-        ret = tls13_record_layer_send_pending(ctx->rl);
-        if (ret == TLS13_IO_EOF)
-                return -1;
-        if (ret != TLS13_IO_SUCCESS)
-                return tls13_legacy_return_code(ssl, ret);
-        if ((ssl->shutdown & SSL_RECEIVED_SHUTDOWN) == 0) {
-                /*
-                 * If there is no application data pending, attempt to read more
-                 * data in order to receive a close-notify. This should trigger
-                 * a record to be read from the wire, which may be application
-                 * handshake or alert data. Only one attempt is made with no
-                 * error handling, in order to match previous semantics.
-                 */
-                if (tls13_pending_application_data(ctx->rl) == 0) {
-                        (void)tls13_read_application_data(ctx->rl, buf, sizeof(buf));
-                        if (!ctx->close_notify_recv)
-                                return -1;
-                }
-        }
- done:
-        if (ssl->shutdown == (SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN))
-                return 1;
-        return 0;
-}
-int
-tls13_legacy_servername_process(struct tls13_ctx *ctx, uint8_t *alert)
-{
-        int legacy_alert = SSL_AD_UNRECOGNIZED_NAME;
-        int ret = SSL_TLSEXT_ERR_NOACK;
-        SSL_CTX *ssl_ctx = ctx->ssl->ctx;
-        SSL *s = ctx->ssl;
-        if (ssl_ctx->tlsext_servername_callback == NULL)
-                ssl_ctx = s->initial_ctx;
-        if (ssl_ctx->tlsext_servername_callback == NULL)
-                return 1;
-        ret = ssl_ctx->tlsext_servername_callback(s, &legacy_alert,
-            ssl_ctx->tlsext_servername_arg);
-        /*
-         * Ignore SSL_TLSEXT_ERR_ALERT_WARNING returns to match OpenSSL's
-         * behavior: the only warning alerts in TLSv1.3 are close_notify and
-         * user_canceled, neither of which should be returned by the callback.
-         */
-        if (ret == SSL_TLSEXT_ERR_ALERT_FATAL) {
-                if (legacy_alert >= 0 && legacy_alert <= 255)
-                        *alert = legacy_alert;
-                return 0;
-        }
-        return 1;
-}

diff --git a/src/lib/libssl/tls13_legacy.c b/src/lib/libssl/tls13_legacy.c deleted file mode 100644 index 6c33eccc61..0000000000 --- a/src/lib/libssl/tls13_legacy.c +++ /dev/null
@@ -1,563 +0,0 @@
1	/* $OpenBSD: tls13_legacy.c,v 1.44 2024/01/30 14:50:50 jsing Exp $ */
2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	*
5	* Permission to use, copy, modify, and distribute this software for any
6	* purpose with or without fee is hereby granted, provided that the above
7	* copyright notice and this permission notice appear in all copies.
8	*
9	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	*/
17
18	#include <limits.h>
19
20	#include "ssl_local.h"
21	#include "tls13_internal.h"
22
23	static ssize_t
24	tls13_legacy_wire_read(SSL ssl, uint8_t buf, size_t len)
25	{
26	int n;
27
28	if (ssl->rbio == NULL) {
29	SSLerror(ssl, SSL_R_BIO_NOT_SET);
30	return TLS13_IO_FAILURE;
31	}
32
33	ssl->rwstate = SSL_READING;
34	errno = 0;
35
36	if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) {
37	if (BIO_should_read(ssl->rbio))
38	return TLS13_IO_WANT_POLLIN;
39	if (n == 0)
40	return TLS13_IO_EOF;
41
42	if (ERR_peek_error() == 0 && errno != 0)
43	SYSerror(errno);
44
45	return TLS13_IO_FAILURE;
46	}
47
48	if (n == len)
49	ssl->rwstate = SSL_NOTHING;
50
51	return n;
52	}
53
54	ssize_t
55	tls13_legacy_wire_read_cb(void buf, size_t n, void arg)
56	{
57	struct tls13_ctx *ctx = arg;
58
59	return tls13_legacy_wire_read(ctx->ssl, buf, n);
60	}
61
62	static ssize_t
63	tls13_legacy_wire_write(SSL ssl, const uint8_t buf, size_t len)
64	{
65	int n;
66
67	if (ssl->wbio == NULL) {
68	SSLerror(ssl, SSL_R_BIO_NOT_SET);
69	return TLS13_IO_FAILURE;
70	}
71
72	ssl->rwstate = SSL_WRITING;
73	errno = 0;
74
75	if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) {
76	if (BIO_should_write(ssl->wbio))
77	return TLS13_IO_WANT_POLLOUT;
78
79	if (ERR_peek_error() == 0 && errno != 0)
80	SYSerror(errno);
81
82	return TLS13_IO_FAILURE;
83	}
84
85	if (n == len)
86	ssl->rwstate = SSL_NOTHING;
87
88	return n;
89	}
90
91	ssize_t
92	tls13_legacy_wire_write_cb(const void buf, size_t n, void arg)
93	{
94	struct tls13_ctx *ctx = arg;
95
96	return tls13_legacy_wire_write(ctx->ssl, buf, n);
97	}
98
99	static ssize_t
100	tls13_legacy_wire_flush(SSL *ssl)
101	{
102	if (BIO_flush(ssl->wbio) <= 0) {
103	if (BIO_should_write(ssl->wbio))
104	return TLS13_IO_WANT_POLLOUT;
105
106	if (ERR_peek_error() == 0 && errno != 0)
107	SYSerror(errno);
108
109	return TLS13_IO_FAILURE;
110	}
111
112	return TLS13_IO_SUCCESS;
113	}
114
115	ssize_t
116	tls13_legacy_wire_flush_cb(void *arg)
117	{
118	struct tls13_ctx *ctx = arg;
119
120	return tls13_legacy_wire_flush(ctx->ssl);
121	}
122
123	static void
124	tls13_legacy_error(SSL *ssl)
125	{
126	struct tls13_ctx *ctx = ssl->tls13;
127	int reason = SSL_R_UNKNOWN;
128
129	/* If we received a fatal alert we already put an error on the stack. */
130	if (ssl->s3->fatal_alert != 0)
131	return;
132
133	switch (ctx->error.code) {
134	case TLS13_ERR_VERIFY_FAILED:
135	reason = SSL_R_CERTIFICATE_VERIFY_FAILED;
136	break;
137	case TLS13_ERR_HRR_FAILED:
138	reason = SSL_R_NO_CIPHERS_AVAILABLE;
139	break;
140	case TLS13_ERR_TRAILING_DATA:
141	reason = SSL_R_EXTRA_DATA_IN_MESSAGE;
142	break;
143	case TLS13_ERR_NO_SHARED_CIPHER:
144	reason = SSL_R_NO_SHARED_CIPHER;
145	break;
146	case TLS13_ERR_NO_CERTIFICATE:
147	reason = SSL_R_MISSING_RSA_CERTIFICATE; /* XXX */
148	break;
149	case TLS13_ERR_NO_PEER_CERTIFICATE:
150	reason = SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE;
151	break;
152	}
153
154	/* Something (probably libcrypto) already pushed an error on the stack. */
155	if (reason == SSL_R_UNKNOWN && ERR_peek_error() != 0)
156	return;
157
158	ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file,
159	ctx->error.line);
160	}
161
162	static int
163	tls13_legacy_return_code(SSL *ssl, ssize_t ret)
164	{
165	if (ret > INT_MAX) {
166	SSLerror(ssl, ERR_R_INTERNAL_ERROR);
167	return -1;
168	}
169
170	/* A successful read, write or other operation. */
171	if (ret > 0)
172	return ret;
173
174	ssl->rwstate = SSL_NOTHING;
175
176	switch (ret) {
177	case TLS13_IO_EOF:
178	return 0;
179
180	case TLS13_IO_FAILURE:
181	tls13_legacy_error(ssl);
182	return -1;
183
184	case TLS13_IO_ALERT:
185	tls13_legacy_error(ssl);
186	return -1;
187
188	case TLS13_IO_WANT_POLLIN:
189	BIO_set_retry_read(ssl->rbio);
190	ssl->rwstate = SSL_READING;
191	return -1;
192
193	case TLS13_IO_WANT_POLLOUT:
194	BIO_set_retry_write(ssl->wbio);
195	ssl->rwstate = SSL_WRITING;
196	return -1;
197
198	case TLS13_IO_WANT_RETRY:
199	SSLerror(ssl, ERR_R_INTERNAL_ERROR);
200	return -1;
201	}
202
203	SSLerror(ssl, ERR_R_INTERNAL_ERROR);
204	return -1;
205	}
206
207	int
208	tls13_legacy_pending(const SSL *ssl)
209	{
210	struct tls13_ctx *ctx = ssl->tls13;
211	ssize_t ret;
212
213	if (ctx == NULL)
214	return 0;
215
216	ret = tls13_pending_application_data(ctx->rl);
217	if (ret < 0 \|\| ret > INT_MAX)
218	return 0;
219
220	return ret;
221	}
222
223	int
224	tls13_legacy_read_bytes(SSL ssl, int type, unsigned char buf, int len, int peek)
225	{
226	struct tls13_ctx *ctx = ssl->tls13;
227	ssize_t ret;
228
229	if (ctx == NULL \|\| !ctx->handshake_completed) {
230	if ((ret = ssl->handshake_func(ssl)) <= 0)
231	return ret;
232	if (len == 0)
233	return 0;
234	return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLIN);
235	}
236
237	tls13_record_layer_set_retry_after_phh(ctx->rl,
238	(ctx->ssl->mode & SSL_MODE_AUTO_RETRY) != 0);
239
240	if (type != SSL3_RT_APPLICATION_DATA) {
241	SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
242	return -1;
243	}
244	if (len < 0) {
245	SSLerror(ssl, SSL_R_BAD_LENGTH);
246	return -1;
247	}
248
249	if (peek)
250	ret = tls13_peek_application_data(ctx->rl, buf, len);
251	else
252	ret = tls13_read_application_data(ctx->rl, buf, len);
253
254	return tls13_legacy_return_code(ssl, ret);
255	}
256
257	int
258	tls13_legacy_write_bytes(SSL ssl, int type, const void vbuf, int len)
259	{
260	struct tls13_ctx *ctx = ssl->tls13;
261	const uint8_t *buf = vbuf;
262	size_t n, sent;
263	ssize_t ret;
264
265	if (ctx == NULL \|\| !ctx->handshake_completed) {
266	if ((ret = ssl->handshake_func(ssl)) <= 0)
267	return ret;
268	if (len == 0)
269	return 0;
270	return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLOUT);
271	}
272
273	if (type != SSL3_RT_APPLICATION_DATA) {
274	SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
275	return -1;
276	}
277	if (len < 0) {
278	SSLerror(ssl, SSL_R_BAD_LENGTH);
279	return -1;
280	}
281
282	/*
283	* The TLSv1.3 record layer write behaviour is the same as
284	* SSL_MODE_ENABLE_PARTIAL_WRITE.
285	*/
286	if (ssl->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) {
287	ret = tls13_write_application_data(ctx->rl, buf, len);
288	return tls13_legacy_return_code(ssl, ret);
289	}
290
291	/*
292	* In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until
293	* we have written out all of the requested data.
294	*/
295	sent = ssl->s3->wnum;
296	if (len < sent) {
297	SSLerror(ssl, SSL_R_BAD_LENGTH);
298	return -1;
299	}
300	n = len - sent;
301	for (;;) {
302	if (n == 0) {
303	ssl->s3->wnum = 0;
304	return sent;
305	}
306	if ((ret = tls13_write_application_data(ctx->rl,
307	&buf[sent], n)) <= 0) {
308	ssl->s3->wnum = sent;
309	return tls13_legacy_return_code(ssl, ret);
310	}
311	sent += ret;
312	n -= ret;
313	}
314	}
315
316	static int
317	tls13_use_legacy_stack(struct tls13_ctx *ctx)
318	{
319	SSL *s = ctx->ssl;
320	CBB cbb, fragment;
321	CBS cbs;
322
323	memset(&cbb, 0, sizeof(cbb));
324
325	if (!ssl3_setup_init_buffer(s))
326	goto err;
327	if (!ssl3_setup_buffers(s))
328	goto err;
329	if (!ssl_init_wbio_buffer(s, 1))
330	goto err;
331
332	/* Stash any unprocessed data from the last record. */
333	tls13_record_layer_rcontent(ctx->rl, &cbs);
334	if (CBS_len(&cbs) > 0) {
335	if (!CBB_init_fixed(&cbb, s->s3->rbuf.buf,
336	s->s3->rbuf.len))
337	goto err;
338	if (!CBB_add_u8(&cbb, SSL3_RT_HANDSHAKE))
339	goto err;
340	if (!CBB_add_u16(&cbb, TLS1_2_VERSION))
341	goto err;
342	if (!CBB_add_u16_length_prefixed(&cbb, &fragment))
343	goto err;
344	if (!CBB_add_bytes(&fragment, CBS_data(&cbs), CBS_len(&cbs)))
345	goto err;
346	if (!CBB_finish(&cbb, NULL, NULL))
347	goto err;
348
349	s->s3->rbuf.offset = SSL3_RT_HEADER_LENGTH;
350	s->s3->rbuf.left = CBS_len(&cbs);
351	s->s3->rrec.type = SSL3_RT_HANDSHAKE;
352	s->s3->rrec.length = CBS_len(&cbs);
353	s->rstate = SSL_ST_READ_BODY;
354	s->packet = s->s3->rbuf.buf;
355	s->packet_length = SSL3_RT_HEADER_LENGTH;
356	s->mac_packet = 1;
357	}
358
359	/* Stash the current handshake message. */
360	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
361	if (!BUF_MEM_grow_clean(s->init_buf, CBS_len(&cbs)))
362	goto err;
363	if (!CBS_write_bytes(&cbs, s->init_buf->data,
364	s->init_buf->length, NULL))
365	goto err;
366
367	s->s3->hs.tls12.reuse_message = 1;
368	s->s3->hs.tls12.message_type = tls13_handshake_msg_type(ctx->hs_msg);
369	s->s3->hs.tls12.message_size = CBS_len(&cbs) - SSL3_HM_HEADER_LENGTH;
370
371	/*
372	* Only switch the method after initialization is complete
373	* as we start part way into the legacy state machine.
374	*/
375	s->method = tls_legacy_method();
376
377	return 1;
378
379	err:
380	CBB_cleanup(&cbb);
381
382	return 0;
383	}
384
385	int
386	tls13_use_legacy_client(struct tls13_ctx *ctx)
387	{
388	SSL *s = ctx->ssl;
389
390	if (!tls13_use_legacy_stack(ctx))
391	return 0;
392
393	s->handshake_func = s->method->ssl_connect;
394	s->version = s->method->max_tls_version;
395
396	return 1;
397	}
398
399	int
400	tls13_use_legacy_server(struct tls13_ctx *ctx)
401	{
402	SSL *s = ctx->ssl;
403
404	if (!tls13_use_legacy_stack(ctx))
405	return 0;
406
407	s->handshake_func = s->method->ssl_accept;
408	s->version = s->method->max_tls_version;
409	s->server = 1;
410
411	return 1;
412	}
413
414	int
415	tls13_legacy_accept(SSL *ssl)
416	{
417	struct tls13_ctx *ctx = ssl->tls13;
418	int ret;
419
420	if (ctx == NULL) {
421	if ((ctx = tls13_ctx_new(TLS13_HS_SERVER, ssl)) == NULL) {
422	SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
423	return -1;
424	}
425	if (!tls13_server_init(ctx)) {
426	if (ERR_peek_error() == 0)
427	SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
428	return -1;
429	}
430	}
431
432	ERR_clear_error();
433
434	ret = tls13_server_accept(ctx);
435	if (ret == TLS13_IO_USE_LEGACY)
436	return ssl->method->ssl_accept(ssl);
437
438	ret = tls13_legacy_return_code(ssl, ret);
439
440	if (ctx->info_cb != NULL)
441	ctx->info_cb(ctx, TLS13_INFO_ACCEPT_EXIT, ret);
442
443	return ret;
444	}
445
446	int
447	tls13_legacy_connect(SSL *ssl)
448	{
449	struct tls13_ctx *ctx = ssl->tls13;
450	int ret;
451
452	if (ctx == NULL) {
453	if ((ctx = tls13_ctx_new(TLS13_HS_CLIENT, ssl)) == NULL) {
454	SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
455	return -1;
456	}
457	if (!tls13_client_init(ctx)) {
458	if (ERR_peek_error() == 0)
459	SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
460	return -1;
461	}
462	}
463
464	ERR_clear_error();
465
466	ret = tls13_client_connect(ctx);
467	if (ret == TLS13_IO_USE_LEGACY)
468	return ssl->method->ssl_connect(ssl);
469
470	ret = tls13_legacy_return_code(ssl, ret);
471
472	if (ctx->info_cb != NULL)
473	ctx->info_cb(ctx, TLS13_INFO_CONNECT_EXIT, ret);
474
475	return ret;
476	}
477
478	int
479	tls13_legacy_shutdown(SSL *ssl)
480	{
481	struct tls13_ctx *ctx = ssl->tls13;
482	uint8_t buf[512]; /* XXX */
483	ssize_t ret;
484
485	/*
486	* We need to return 0 at the point that we have completed sending a
487	* close-notify. We return 1 when we have sent and received close-notify
488	* alerts. All other cases, including EOF, return -1 and set internal
489	* state appropriately. Note that all of this insanity can also be
490	* externally controlled by manipulating the shutdown flags.
491	*/
492	if (ctx == NULL \|\| ssl->quiet_shutdown) {
493	ssl->shutdown = SSL_SENT_SHUTDOWN \| SSL_RECEIVED_SHUTDOWN;
494	return 1;
495	}
496
497	if ((ssl->shutdown & SSL_SENT_SHUTDOWN) == 0) {
498	ssl->shutdown \|= SSL_SENT_SHUTDOWN;
499	ret = tls13_send_alert(ctx->rl, TLS13_ALERT_CLOSE_NOTIFY);
500	if (ret == TLS13_IO_EOF)
501	return -1;
502	if (ret != TLS13_IO_SUCCESS)
503	return tls13_legacy_return_code(ssl, ret);
504	goto done;
505	}
506
507	ret = tls13_record_layer_send_pending(ctx->rl);
508	if (ret == TLS13_IO_EOF)
509	return -1;
510	if (ret != TLS13_IO_SUCCESS)
511	return tls13_legacy_return_code(ssl, ret);
512
513	if ((ssl->shutdown & SSL_RECEIVED_SHUTDOWN) == 0) {
514	/*
515	* If there is no application data pending, attempt to read more
516	* data in order to receive a close-notify. This should trigger
517	* a record to be read from the wire, which may be application
518	* handshake or alert data. Only one attempt is made with no
519	* error handling, in order to match previous semantics.
520	*/
521	if (tls13_pending_application_data(ctx->rl) == 0) {
522	(void)tls13_read_application_data(ctx->rl, buf, sizeof(buf));
523	if (!ctx->close_notify_recv)
524	return -1;
525	}
526	}
527
528	done:
529	if (ssl->shutdown == (SSL_SENT_SHUTDOWN \| SSL_RECEIVED_SHUTDOWN))
530	return 1;
531
532	return 0;
533	}
534
535	int
536	tls13_legacy_servername_process(struct tls13_ctx ctx, uint8_t alert)
537	{
538	int legacy_alert = SSL_AD_UNRECOGNIZED_NAME;
539	int ret = SSL_TLSEXT_ERR_NOACK;
540	SSL_CTX *ssl_ctx = ctx->ssl->ctx;
541	SSL *s = ctx->ssl;
542
543	if (ssl_ctx->tlsext_servername_callback == NULL)
544	ssl_ctx = s->initial_ctx;
545	if (ssl_ctx->tlsext_servername_callback == NULL)
546	return 1;
547
548	ret = ssl_ctx->tlsext_servername_callback(s, &legacy_alert,
549	ssl_ctx->tlsext_servername_arg);
550
551	/*
552	* Ignore SSL_TLSEXT_ERR_ALERT_WARNING returns to match OpenSSL's
553	* behavior: the only warning alerts in TLSv1.3 are close_notify and
554	* user_canceled, neither of which should be returned by the callback.
555	*/
556	if (ret == SSL_TLSEXT_ERR_ALERT_FATAL) {
557	if (legacy_alert >= 0 && legacy_alert <= 255)
558	*alert = legacy_alert;
559	return 0;
560	}
561
562	return 1;
563	}