1 files changed, 0 insertions, 526 deletions
diff --git a/src/lib/libssl/tls13_legacy.c b/src/lib/libssl/tls13_legacy.c
deleted file mode 100644
index beb8952402..0000000000
--- a/src/lib/libssl/tls13_legacy.c
+++ /dev/null
@@ -1,526 +0,0 @@
-/*      $OpenBSD: tls13_legacy.c,v 1.26 2021/07/01 17:53:39 jsing Exp $ */
-/*
- * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#include <limits.h>
-#include "ssl_locl.h"
-#include "tls13_internal.h"
-static ssize_t
-tls13_legacy_wire_read(SSL *ssl, uint8_t *buf, size_t len)
-{
-        int n;
-        if (ssl->rbio == NULL) {
-                SSLerror(ssl, SSL_R_BIO_NOT_SET);
-                return TLS13_IO_FAILURE;
-        }
-        ssl->internal->rwstate = SSL_READING;
-        errno = 0;
-        if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) {
-                if (BIO_should_read(ssl->rbio))
-                        return TLS13_IO_WANT_POLLIN;
-                if (n == 0)
-                        return TLS13_IO_EOF;
-                if (ERR_peek_error() == 0 && errno != 0)
-                        SYSerror(errno);
-                return TLS13_IO_FAILURE;
-        }
-        if (n == len)
-                ssl->internal->rwstate = SSL_NOTHING;
-        return n;
-}
-ssize_t
-tls13_legacy_wire_read_cb(void *buf, size_t n, void *arg)
-{
-        struct tls13_ctx *ctx = arg;
-        return tls13_legacy_wire_read(ctx->ssl, buf, n);
-}
-static ssize_t
-tls13_legacy_wire_write(SSL *ssl, const uint8_t *buf, size_t len)
-{
-        int n;
-        if (ssl->wbio == NULL) {
-                SSLerror(ssl, SSL_R_BIO_NOT_SET);
-                return TLS13_IO_FAILURE;
-        }
-        ssl->internal->rwstate = SSL_WRITING;
-        errno = 0;
-        if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) {
-                if (BIO_should_write(ssl->wbio))
-                        return TLS13_IO_WANT_POLLOUT;
-                if (ERR_peek_error() == 0 && errno != 0)
-                        SYSerror(errno);
-                return TLS13_IO_FAILURE;
-        }
-        if (n == len)
-                ssl->internal->rwstate = SSL_NOTHING;
-        return n;
-}
-ssize_t
-tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg)
-{
-        struct tls13_ctx *ctx = arg;
-        return tls13_legacy_wire_write(ctx->ssl, buf, n);
-}
-static void
-tls13_legacy_error(SSL *ssl)
-{
-        struct tls13_ctx *ctx = ssl->internal->tls13;
-        int reason = SSL_R_UNKNOWN;
-        /* If we received a fatal alert we already put an error on the stack. */
-        if (S3I(ssl)->fatal_alert != 0)
-                return;
-        switch (ctx->error.code) {
-        case TLS13_ERR_VERIFY_FAILED:
-                reason = SSL_R_CERTIFICATE_VERIFY_FAILED;
-                break;
-        case TLS13_ERR_HRR_FAILED:
-                reason = SSL_R_NO_CIPHERS_AVAILABLE;
-                break;
-        case TLS13_ERR_TRAILING_DATA:
-                reason = SSL_R_EXTRA_DATA_IN_MESSAGE;
-                break;
-        case TLS13_ERR_NO_SHARED_CIPHER:
-                reason = SSL_R_NO_SHARED_CIPHER;
-                break;
-        case TLS13_ERR_NO_CERTIFICATE:
-                reason = SSL_R_MISSING_RSA_CERTIFICATE; /* XXX */
-                break;
-        case TLS13_ERR_NO_PEER_CERTIFICATE:
-                reason = SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE;
-                break;
-        }
-        /* Something (probably libcrypto) already pushed an error on the stack. */
-        if (reason == SSL_R_UNKNOWN && ERR_peek_error() != 0)
-                return;
-        ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file,
-            ctx->error.line);
-}
-int
-tls13_legacy_return_code(SSL *ssl, ssize_t ret)
-{
-        if (ret > INT_MAX) {
-                SSLerror(ssl, ERR_R_INTERNAL_ERROR);
-                return -1;
-        }
-        /* A successful read, write or other operation. */
-        if (ret > 0)
-                return ret;
-        ssl->internal->rwstate = SSL_NOTHING;
-        switch (ret) {
-        case TLS13_IO_EOF:
-                return 0;
-        case TLS13_IO_FAILURE:
-                tls13_legacy_error(ssl);
-                return -1;
-        case TLS13_IO_ALERT:
-                tls13_legacy_error(ssl);
-                return -1;
-        case TLS13_IO_WANT_POLLIN:
-                BIO_set_retry_read(ssl->rbio);
-                ssl->internal->rwstate = SSL_READING;
-                return -1;
-        case TLS13_IO_WANT_POLLOUT:
-                BIO_set_retry_write(ssl->wbio);
-                ssl->internal->rwstate = SSL_WRITING;
-                return -1;
-        case TLS13_IO_WANT_RETRY:
-                SSLerror(ssl, ERR_R_INTERNAL_ERROR);
-                return -1;
-        }
-        SSLerror(ssl, ERR_R_INTERNAL_ERROR);
-        return -1;
-}
-int
-tls13_legacy_pending(const SSL *ssl)
-{
-        struct tls13_ctx *ctx = ssl->internal->tls13;
-        ssize_t ret;
-        if (ctx == NULL)
-                return 0;
-        ret = tls13_pending_application_data(ctx->rl);
-        if (ret < 0 || ret > INT_MAX)
-                return 0;
-        return ret;
-}
-int
-tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int peek)
-{
-        struct tls13_ctx *ctx = ssl->internal->tls13;
-        ssize_t ret;
-        if (ctx == NULL || !ctx->handshake_completed) {
-                if ((ret = ssl->internal->handshake_func(ssl)) <= 0)
-                        return ret;
-                return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLIN);
-        }
-        tls13_record_layer_set_retry_after_phh(ctx->rl,
-            (ctx->ssl->internal->mode & SSL_MODE_AUTO_RETRY) != 0);
-        if (type != SSL3_RT_APPLICATION_DATA) {
-                SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-                return -1;
-        }
-        if (len < 0) {
-                SSLerror(ssl, SSL_R_BAD_LENGTH);
-                return -1;
-        }
-        if (peek)
-                ret = tls13_peek_application_data(ctx->rl, buf, len);
-        else
-                ret = tls13_read_application_data(ctx->rl, buf, len);
-        return tls13_legacy_return_code(ssl, ret);
-}
-int
-tls13_legacy_write_bytes(SSL *ssl, int type, const void *vbuf, int len)
-{
-        struct tls13_ctx *ctx = ssl->internal->tls13;
-        const uint8_t *buf = vbuf;
-        size_t n, sent;
-        ssize_t ret;
-        if (ctx == NULL || !ctx->handshake_completed) {
-                if ((ret = ssl->internal->handshake_func(ssl)) <= 0)
-                        return ret;
-                return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLOUT);
-        }
-        if (type != SSL3_RT_APPLICATION_DATA) {
-                SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-                return -1;
-        }
-        if (len < 0) {
-                SSLerror(ssl, SSL_R_BAD_LENGTH);
-                return -1;
-        }
-        /*
-         * The TLSv1.3 record layer write behaviour is the same as
-         * SSL_MODE_ENABLE_PARTIAL_WRITE.
-         */
-        if (ssl->internal->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) {
-                ret = tls13_write_application_data(ctx->rl, buf, len);
-                return tls13_legacy_return_code(ssl, ret);
-        }
-        /*
-         * In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until
-         * we have written out all of the requested data.
-         */
-        sent = S3I(ssl)->wnum;
-        if (len < sent) {
-                SSLerror(ssl, SSL_R_BAD_LENGTH);
-                return -1;
-        }
-        n = len - sent;
-        for (;;) {
-                if (n == 0) {
-                        S3I(ssl)->wnum = 0;
-                        return sent;
-                }
-                if ((ret = tls13_write_application_data(ctx->rl,
-                    &buf[sent], n)) <= 0) {
-                        S3I(ssl)->wnum = sent;
-                        return tls13_legacy_return_code(ssl, ret);
-                }
-                sent += ret;
-                n -= ret;
-        }
-}
-static int
-tls13_use_legacy_stack(struct tls13_ctx *ctx)
-{
-        SSL *s = ctx->ssl;
-        CBB cbb, fragment;
-        CBS cbs;
-        memset(&cbb, 0, sizeof(cbb));
-        s->method = tls_legacy_method();
-        if (!ssl3_setup_init_buffer(s))
-                goto err;
-        if (!ssl3_setup_buffers(s))
-                goto err;
-        if (!ssl_init_wbio_buffer(s, 1))
-                goto err;
-        /* Stash any unprocessed data from the last record. */
-        tls13_record_layer_rbuf(ctx->rl, &cbs);
-        if (CBS_len(&cbs) > 0) {
-                if (!CBB_init_fixed(&cbb, S3I(s)->rbuf.buf,
-                    S3I(s)->rbuf.len))
-                        goto err;
-                if (!CBB_add_u8(&cbb, SSL3_RT_HANDSHAKE))
-                        goto err;
-                if (!CBB_add_u16(&cbb, TLS1_2_VERSION))
-                        goto err;
-                if (!CBB_add_u16_length_prefixed(&cbb, &fragment))
-                        goto err;
-                if (!CBB_add_bytes(&fragment, CBS_data(&cbs), CBS_len(&cbs)))
-                        goto err;
-                if (!CBB_finish(&cbb, NULL, NULL))
-                        goto err;
-                S3I(s)->rbuf.offset = SSL3_RT_HEADER_LENGTH;
-                S3I(s)->rbuf.left = CBS_len(&cbs);
-                S3I(s)->rrec.type = SSL3_RT_HANDSHAKE;
-                S3I(s)->rrec.length = CBS_len(&cbs);
-                s->internal->rstate = SSL_ST_READ_BODY;
-                s->internal->packet = S3I(s)->rbuf.buf;
-                s->internal->packet_length = SSL3_RT_HEADER_LENGTH;
-                s->internal->mac_packet = 1;
-        }
-        /* Stash the current handshake message. */
-        tls13_handshake_msg_data(ctx->hs_msg, &cbs);
-        if (!BUF_MEM_grow_clean(s->internal->init_buf, CBS_len(&cbs)))
-                goto err;
-        if (!CBS_write_bytes(&cbs, s->internal->init_buf->data,
-            s->internal->init_buf->length, NULL))
-                goto err;
-        S3I(s)->hs.tls12.reuse_message = 1;
-        S3I(s)->hs.tls12.message_type = tls13_handshake_msg_type(ctx->hs_msg);
-        S3I(s)->hs.tls12.message_size = CBS_len(&cbs);
-        return 1;
- err:
-        CBB_cleanup(&cbb);
-        return 0;
-}
-int
-tls13_use_legacy_client(struct tls13_ctx *ctx)
-{
-        SSL *s = ctx->ssl;
-        if (!tls13_use_legacy_stack(ctx))
-                return 0;
-        s->internal->handshake_func = s->method->ssl_connect;
-        s->client_version = s->version = s->method->max_tls_version;
-        return 1;
-}
-int
-tls13_use_legacy_server(struct tls13_ctx *ctx)
-{
-        SSL *s = ctx->ssl;
-        if (!tls13_use_legacy_stack(ctx))
-                return 0;
-        s->internal->handshake_func = s->method->ssl_accept;
-        s->client_version = s->version = s->method->max_tls_version;
-        s->server = 1;
-        return 1;
-}
-int
-tls13_legacy_accept(SSL *ssl)
-{
-        struct tls13_ctx *ctx = ssl->internal->tls13;
-        int ret;
-        if (ctx == NULL) {
-                if ((ctx = tls13_ctx_new(TLS13_HS_SERVER)) == NULL) {
-                        SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
-                        return -1;
-                }
-                ssl->internal->tls13 = ctx;
-                ctx->ssl = ssl;
-                ctx->hs = &S3I(ssl)->hs;
-                if (!tls13_server_init(ctx)) {
-                        if (ERR_peek_error() == 0)
-                                SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
-                        return -1;
-                }
-        }
-        ERR_clear_error();
-        ret = tls13_server_accept(ctx);
-        if (ret == TLS13_IO_USE_LEGACY)
-                return ssl->method->ssl_accept(ssl);
-        return tls13_legacy_return_code(ssl, ret);
-}
-int
-tls13_legacy_connect(SSL *ssl)
-{
-        struct tls13_ctx *ctx = ssl->internal->tls13;
-        int ret;
-#ifdef TLS13_USE_LEGACY_CLIENT_AUTH
-        /* XXX drop back to legacy for client auth for now */
-        if (ssl->cert->key->privatekey != NULL) {
-                ssl->method = tls_legacy_client_method();
-                return ssl->method->ssl_connect(ssl);
-        }
-#endif
-        if (ctx == NULL) {
-                if ((ctx = tls13_ctx_new(TLS13_HS_CLIENT)) == NULL) {
-                        SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
-                        return -1;
-                }
-                ssl->internal->tls13 = ctx;
-                ctx->ssl = ssl;
-                ctx->hs = &S3I(ssl)->hs;
-                if (!tls13_client_init(ctx)) {
-                        if (ERR_peek_error() == 0)
-                                SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
-                        return -1;
-                }
-        }
-        ERR_clear_error();
-        ret = tls13_client_connect(ctx);
-        if (ret == TLS13_IO_USE_LEGACY)
-                return ssl->method->ssl_connect(ssl);
-        return tls13_legacy_return_code(ssl, ret);
-}
-int
-tls13_legacy_shutdown(SSL *ssl)
-{
-        struct tls13_ctx *ctx = ssl->internal->tls13;
-        uint8_t buf[512]; /* XXX */
-        ssize_t ret;
-        /*
-         * We need to return 0 when we have sent a close-notify but have not
-         * yet received one. We return 1 only once we have sent and received
-         * close-notify alerts. All other cases return -1 and set internal
-         * state appropriately.
-         */
-        if (ctx == NULL || ssl->internal->quiet_shutdown) {
-                ssl->internal->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN;
-                return 1;
-        }
-        if (!ctx->close_notify_sent) {
-                /* Enqueue and send close notify. */
-                if (!(ssl->internal->shutdown & SSL_SENT_SHUTDOWN)) {
-                        ssl->internal->shutdown |= SSL_SENT_SHUTDOWN;
-                        if ((ret = tls13_send_alert(ctx->rl,
-                            TLS13_ALERT_CLOSE_NOTIFY)) < 0)
-                                return tls13_legacy_return_code(ssl, ret);
-                }
-                if ((ret = tls13_record_layer_send_pending(ctx->rl)) !=
-                    TLS13_IO_SUCCESS)
-                        return tls13_legacy_return_code(ssl, ret);
-        } else if (!ctx->close_notify_recv) {
-                /*
-                 * If there is no application data pending, attempt to read more
-                 * data in order to receive a close notify. This should trigger
-                 * a record to be read from the wire, which may be application
-                 * handshake or alert data. Only one attempt is made to match
-                 * previous semantics.
-                 */
-                if (tls13_pending_application_data(ctx->rl) == 0) {
-                        if ((ret = tls13_read_application_data(ctx->rl, buf,
-                            sizeof(buf))) < 0)
-                                return tls13_legacy_return_code(ssl, ret);
-                }
-        }
-        if (ctx->close_notify_recv)
-                return 1;
-        return 0;
-}
-int
-tls13_legacy_servername_process(struct tls13_ctx *ctx, uint8_t *alert)
-{
-        int legacy_alert = SSL_AD_UNRECOGNIZED_NAME;
-        int ret = SSL_TLSEXT_ERR_NOACK;
-        SSL_CTX *ssl_ctx = ctx->ssl->ctx;
-        SSL *s = ctx->ssl;
-        if (ssl_ctx->internal->tlsext_servername_callback == NULL)
-                ssl_ctx = s->initial_ctx;
-        if (ssl_ctx->internal->tlsext_servername_callback == NULL)
-                return 1;
-        ret = ssl_ctx->internal->tlsext_servername_callback(s, &legacy_alert,
-            ssl_ctx->internal->tlsext_servername_arg);
-        if (ret == SSL_TLSEXT_ERR_ALERT_FATAL ||
-            ret == SSL_TLSEXT_ERR_ALERT_WARNING) {
-                if (legacy_alert >= 0 && legacy_alert <= 255)
-                        *alert = legacy_alert;
-                return 0;
-        }
-        return 1;
-}

diff --git a/src/lib/libssl/tls13_legacy.c b/src/lib/libssl/tls13_legacy.c deleted file mode 100644 index beb8952402..0000000000 --- a/src/lib/libssl/tls13_legacy.c +++ /dev/null
@@ -1,526 +0,0 @@
1	/* $OpenBSD: tls13_legacy.c,v 1.26 2021/07/01 17:53:39 jsing Exp $ */
2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	*
5	* Permission to use, copy, modify, and distribute this software for any
6	* purpose with or without fee is hereby granted, provided that the above
7	* copyright notice and this permission notice appear in all copies.
8	*
9	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	*/
17
18	#include <limits.h>
19
20	#include "ssl_locl.h"
21	#include "tls13_internal.h"
22
23	static ssize_t
24	tls13_legacy_wire_read(SSL ssl, uint8_t buf, size_t len)
25	{
26	int n;
27
28	if (ssl->rbio == NULL) {
29	SSLerror(ssl, SSL_R_BIO_NOT_SET);
30	return TLS13_IO_FAILURE;
31	}
32
33	ssl->internal->rwstate = SSL_READING;
34	errno = 0;
35
36	if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) {
37	if (BIO_should_read(ssl->rbio))
38	return TLS13_IO_WANT_POLLIN;
39	if (n == 0)
40	return TLS13_IO_EOF;
41
42	if (ERR_peek_error() == 0 && errno != 0)
43	SYSerror(errno);
44
45	return TLS13_IO_FAILURE;
46	}
47
48	if (n == len)
49	ssl->internal->rwstate = SSL_NOTHING;
50
51	return n;
52	}
53
54	ssize_t
55	tls13_legacy_wire_read_cb(void buf, size_t n, void arg)
56	{
57	struct tls13_ctx *ctx = arg;
58
59	return tls13_legacy_wire_read(ctx->ssl, buf, n);
60	}
61
62	static ssize_t
63	tls13_legacy_wire_write(SSL ssl, const uint8_t buf, size_t len)
64	{
65	int n;
66
67	if (ssl->wbio == NULL) {
68	SSLerror(ssl, SSL_R_BIO_NOT_SET);
69	return TLS13_IO_FAILURE;
70	}
71
72	ssl->internal->rwstate = SSL_WRITING;
73	errno = 0;
74
75	if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) {
76	if (BIO_should_write(ssl->wbio))
77	return TLS13_IO_WANT_POLLOUT;
78
79	if (ERR_peek_error() == 0 && errno != 0)
80	SYSerror(errno);
81
82	return TLS13_IO_FAILURE;
83	}
84
85	if (n == len)
86	ssl->internal->rwstate = SSL_NOTHING;
87
88	return n;
89	}
90
91	ssize_t
92	tls13_legacy_wire_write_cb(const void buf, size_t n, void arg)
93	{
94	struct tls13_ctx *ctx = arg;
95
96	return tls13_legacy_wire_write(ctx->ssl, buf, n);
97	}
98
99	static void
100	tls13_legacy_error(SSL *ssl)
101	{
102	struct tls13_ctx *ctx = ssl->internal->tls13;
103	int reason = SSL_R_UNKNOWN;
104
105	/* If we received a fatal alert we already put an error on the stack. */
106	if (S3I(ssl)->fatal_alert != 0)
107	return;
108
109	switch (ctx->error.code) {
110	case TLS13_ERR_VERIFY_FAILED:
111	reason = SSL_R_CERTIFICATE_VERIFY_FAILED;
112	break;
113	case TLS13_ERR_HRR_FAILED:
114	reason = SSL_R_NO_CIPHERS_AVAILABLE;
115	break;
116	case TLS13_ERR_TRAILING_DATA:
117	reason = SSL_R_EXTRA_DATA_IN_MESSAGE;
118	break;
119	case TLS13_ERR_NO_SHARED_CIPHER:
120	reason = SSL_R_NO_SHARED_CIPHER;
121	break;
122	case TLS13_ERR_NO_CERTIFICATE:
123	reason = SSL_R_MISSING_RSA_CERTIFICATE; /* XXX */
124	break;
125	case TLS13_ERR_NO_PEER_CERTIFICATE:
126	reason = SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE;
127	break;
128	}
129
130	/* Something (probably libcrypto) already pushed an error on the stack. */
131	if (reason == SSL_R_UNKNOWN && ERR_peek_error() != 0)
132	return;
133
134	ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file,
135	ctx->error.line);
136	}
137
138	int
139	tls13_legacy_return_code(SSL *ssl, ssize_t ret)
140	{
141	if (ret > INT_MAX) {
142	SSLerror(ssl, ERR_R_INTERNAL_ERROR);
143	return -1;
144	}
145
146	/* A successful read, write or other operation. */
147	if (ret > 0)
148	return ret;
149
150	ssl->internal->rwstate = SSL_NOTHING;
151
152	switch (ret) {
153	case TLS13_IO_EOF:
154	return 0;
155
156	case TLS13_IO_FAILURE:
157	tls13_legacy_error(ssl);
158	return -1;
159
160	case TLS13_IO_ALERT:
161	tls13_legacy_error(ssl);
162	return -1;
163
164	case TLS13_IO_WANT_POLLIN:
165	BIO_set_retry_read(ssl->rbio);
166	ssl->internal->rwstate = SSL_READING;
167	return -1;
168
169	case TLS13_IO_WANT_POLLOUT:
170	BIO_set_retry_write(ssl->wbio);
171	ssl->internal->rwstate = SSL_WRITING;
172	return -1;
173
174	case TLS13_IO_WANT_RETRY:
175	SSLerror(ssl, ERR_R_INTERNAL_ERROR);
176	return -1;
177	}
178
179	SSLerror(ssl, ERR_R_INTERNAL_ERROR);
180	return -1;
181	}
182
183	int
184	tls13_legacy_pending(const SSL *ssl)
185	{
186	struct tls13_ctx *ctx = ssl->internal->tls13;
187	ssize_t ret;
188
189	if (ctx == NULL)
190	return 0;
191
192	ret = tls13_pending_application_data(ctx->rl);
193	if (ret < 0 \|\| ret > INT_MAX)
194	return 0;
195
196	return ret;
197	}
198
199	int
200	tls13_legacy_read_bytes(SSL ssl, int type, unsigned char buf, int len, int peek)
201	{
202	struct tls13_ctx *ctx = ssl->internal->tls13;
203	ssize_t ret;
204
205	if (ctx == NULL \|\| !ctx->handshake_completed) {
206	if ((ret = ssl->internal->handshake_func(ssl)) <= 0)
207	return ret;
208	return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLIN);
209	}
210
211	tls13_record_layer_set_retry_after_phh(ctx->rl,
212	(ctx->ssl->internal->mode & SSL_MODE_AUTO_RETRY) != 0);
213
214	if (type != SSL3_RT_APPLICATION_DATA) {
215	SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
216	return -1;
217	}
218	if (len < 0) {
219	SSLerror(ssl, SSL_R_BAD_LENGTH);
220	return -1;
221	}
222
223	if (peek)
224	ret = tls13_peek_application_data(ctx->rl, buf, len);
225	else
226	ret = tls13_read_application_data(ctx->rl, buf, len);
227
228	return tls13_legacy_return_code(ssl, ret);
229	}
230
231	int
232	tls13_legacy_write_bytes(SSL ssl, int type, const void vbuf, int len)
233	{
234	struct tls13_ctx *ctx = ssl->internal->tls13;
235	const uint8_t *buf = vbuf;
236	size_t n, sent;
237	ssize_t ret;
238
239	if (ctx == NULL \|\| !ctx->handshake_completed) {
240	if ((ret = ssl->internal->handshake_func(ssl)) <= 0)
241	return ret;
242	return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLOUT);
243	}
244
245	if (type != SSL3_RT_APPLICATION_DATA) {
246	SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
247	return -1;
248	}
249	if (len < 0) {
250	SSLerror(ssl, SSL_R_BAD_LENGTH);
251	return -1;
252	}
253
254	/*
255	* The TLSv1.3 record layer write behaviour is the same as
256	* SSL_MODE_ENABLE_PARTIAL_WRITE.
257	*/
258	if (ssl->internal->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) {
259	ret = tls13_write_application_data(ctx->rl, buf, len);
260	return tls13_legacy_return_code(ssl, ret);
261	}
262
263	/*
264	* In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until
265	* we have written out all of the requested data.
266	*/
267	sent = S3I(ssl)->wnum;
268	if (len < sent) {
269	SSLerror(ssl, SSL_R_BAD_LENGTH);
270	return -1;
271	}
272	n = len - sent;
273	for (;;) {
274	if (n == 0) {
275	S3I(ssl)->wnum = 0;
276	return sent;
277	}
278	if ((ret = tls13_write_application_data(ctx->rl,
279	&buf[sent], n)) <= 0) {
280	S3I(ssl)->wnum = sent;
281	return tls13_legacy_return_code(ssl, ret);
282	}
283	sent += ret;
284	n -= ret;
285	}
286	}
287
288	static int
289	tls13_use_legacy_stack(struct tls13_ctx *ctx)
290	{
291	SSL *s = ctx->ssl;
292	CBB cbb, fragment;
293	CBS cbs;
294
295	memset(&cbb, 0, sizeof(cbb));
296
297	s->method = tls_legacy_method();
298
299	if (!ssl3_setup_init_buffer(s))
300	goto err;
301	if (!ssl3_setup_buffers(s))
302	goto err;
303	if (!ssl_init_wbio_buffer(s, 1))
304	goto err;
305
306	/* Stash any unprocessed data from the last record. */
307	tls13_record_layer_rbuf(ctx->rl, &cbs);
308	if (CBS_len(&cbs) > 0) {
309	if (!CBB_init_fixed(&cbb, S3I(s)->rbuf.buf,
310	S3I(s)->rbuf.len))
311	goto err;
312	if (!CBB_add_u8(&cbb, SSL3_RT_HANDSHAKE))
313	goto err;
314	if (!CBB_add_u16(&cbb, TLS1_2_VERSION))
315	goto err;
316	if (!CBB_add_u16_length_prefixed(&cbb, &fragment))
317	goto err;
318	if (!CBB_add_bytes(&fragment, CBS_data(&cbs), CBS_len(&cbs)))
319	goto err;
320	if (!CBB_finish(&cbb, NULL, NULL))
321	goto err;
322
323	S3I(s)->rbuf.offset = SSL3_RT_HEADER_LENGTH;
324	S3I(s)->rbuf.left = CBS_len(&cbs);
325	S3I(s)->rrec.type = SSL3_RT_HANDSHAKE;
326	S3I(s)->rrec.length = CBS_len(&cbs);
327	s->internal->rstate = SSL_ST_READ_BODY;
328	s->internal->packet = S3I(s)->rbuf.buf;
329	s->internal->packet_length = SSL3_RT_HEADER_LENGTH;
330	s->internal->mac_packet = 1;
331	}
332
333	/* Stash the current handshake message. */
334	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
335	if (!BUF_MEM_grow_clean(s->internal->init_buf, CBS_len(&cbs)))
336	goto err;
337	if (!CBS_write_bytes(&cbs, s->internal->init_buf->data,
338	s->internal->init_buf->length, NULL))
339	goto err;
340
341	S3I(s)->hs.tls12.reuse_message = 1;
342	S3I(s)->hs.tls12.message_type = tls13_handshake_msg_type(ctx->hs_msg);
343	S3I(s)->hs.tls12.message_size = CBS_len(&cbs);
344
345	return 1;
346
347	err:
348	CBB_cleanup(&cbb);
349
350	return 0;
351	}
352
353	int
354	tls13_use_legacy_client(struct tls13_ctx *ctx)
355	{
356	SSL *s = ctx->ssl;
357
358	if (!tls13_use_legacy_stack(ctx))
359	return 0;
360
361	s->internal->handshake_func = s->method->ssl_connect;
362	s->client_version = s->version = s->method->max_tls_version;
363
364	return 1;
365	}
366
367	int
368	tls13_use_legacy_server(struct tls13_ctx *ctx)
369	{
370	SSL *s = ctx->ssl;
371
372	if (!tls13_use_legacy_stack(ctx))
373	return 0;
374
375	s->internal->handshake_func = s->method->ssl_accept;
376	s->client_version = s->version = s->method->max_tls_version;
377	s->server = 1;
378
379	return 1;
380	}
381
382	int
383	tls13_legacy_accept(SSL *ssl)
384	{
385	struct tls13_ctx *ctx = ssl->internal->tls13;
386	int ret;
387
388	if (ctx == NULL) {
389	if ((ctx = tls13_ctx_new(TLS13_HS_SERVER)) == NULL) {
390	SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
391	return -1;
392	}
393	ssl->internal->tls13 = ctx;
394	ctx->ssl = ssl;
395	ctx->hs = &S3I(ssl)->hs;
396
397	if (!tls13_server_init(ctx)) {
398	if (ERR_peek_error() == 0)
399	SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
400	return -1;
401	}
402	}
403
404	ERR_clear_error();
405
406	ret = tls13_server_accept(ctx);
407	if (ret == TLS13_IO_USE_LEGACY)
408	return ssl->method->ssl_accept(ssl);
409
410	return tls13_legacy_return_code(ssl, ret);
411	}
412
413	int
414	tls13_legacy_connect(SSL *ssl)
415	{
416	struct tls13_ctx *ctx = ssl->internal->tls13;
417	int ret;
418
419	#ifdef TLS13_USE_LEGACY_CLIENT_AUTH
420	/* XXX drop back to legacy for client auth for now */
421	if (ssl->cert->key->privatekey != NULL) {
422	ssl->method = tls_legacy_client_method();
423	return ssl->method->ssl_connect(ssl);
424	}
425	#endif
426
427	if (ctx == NULL) {
428	if ((ctx = tls13_ctx_new(TLS13_HS_CLIENT)) == NULL) {
429	SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
430	return -1;
431	}
432	ssl->internal->tls13 = ctx;
433	ctx->ssl = ssl;
434	ctx->hs = &S3I(ssl)->hs;
435
436	if (!tls13_client_init(ctx)) {
437	if (ERR_peek_error() == 0)
438	SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
439	return -1;
440	}
441	}
442
443	ERR_clear_error();
444
445	ret = tls13_client_connect(ctx);
446	if (ret == TLS13_IO_USE_LEGACY)
447	return ssl->method->ssl_connect(ssl);
448
449	return tls13_legacy_return_code(ssl, ret);
450	}
451
452	int
453	tls13_legacy_shutdown(SSL *ssl)
454	{
455	struct tls13_ctx *ctx = ssl->internal->tls13;
456	uint8_t buf[512]; /* XXX */
457	ssize_t ret;
458
459	/*
460	* We need to return 0 when we have sent a close-notify but have not
461	* yet received one. We return 1 only once we have sent and received
462	* close-notify alerts. All other cases return -1 and set internal
463	* state appropriately.
464	*/
465	if (ctx == NULL \|\| ssl->internal->quiet_shutdown) {
466	ssl->internal->shutdown = SSL_SENT_SHUTDOWN \| SSL_RECEIVED_SHUTDOWN;
467	return 1;
468	}
469
470	if (!ctx->close_notify_sent) {
471	/* Enqueue and send close notify. */
472	if (!(ssl->internal->shutdown & SSL_SENT_SHUTDOWN)) {
473	ssl->internal->shutdown \|= SSL_SENT_SHUTDOWN;
474	if ((ret = tls13_send_alert(ctx->rl,
475	TLS13_ALERT_CLOSE_NOTIFY)) < 0)
476	return tls13_legacy_return_code(ssl, ret);
477	}
478	if ((ret = tls13_record_layer_send_pending(ctx->rl)) !=
479	TLS13_IO_SUCCESS)
480	return tls13_legacy_return_code(ssl, ret);
481	} else if (!ctx->close_notify_recv) {
482	/*
483	* If there is no application data pending, attempt to read more
484	* data in order to receive a close notify. This should trigger
485	* a record to be read from the wire, which may be application
486	* handshake or alert data. Only one attempt is made to match
487	* previous semantics.
488	*/
489	if (tls13_pending_application_data(ctx->rl) == 0) {
490	if ((ret = tls13_read_application_data(ctx->rl, buf,
491	sizeof(buf))) < 0)
492	return tls13_legacy_return_code(ssl, ret);
493	}
494	}
495
496	if (ctx->close_notify_recv)
497	return 1;
498
499	return 0;
500	}
501
502	int
503	tls13_legacy_servername_process(struct tls13_ctx ctx, uint8_t alert)
504	{
505	int legacy_alert = SSL_AD_UNRECOGNIZED_NAME;
506	int ret = SSL_TLSEXT_ERR_NOACK;
507	SSL_CTX *ssl_ctx = ctx->ssl->ctx;
508	SSL *s = ctx->ssl;
509
510	if (ssl_ctx->internal->tlsext_servername_callback == NULL)
511	ssl_ctx = s->initial_ctx;
512	if (ssl_ctx->internal->tlsext_servername_callback == NULL)
513	return 1;
514
515	ret = ssl_ctx->internal->tlsext_servername_callback(s, &legacy_alert,
516	ssl_ctx->internal->tlsext_servername_arg);
517
518	if (ret == SSL_TLSEXT_ERR_ALERT_FATAL \|\|
519	ret == SSL_TLSEXT_ERR_ALERT_WARNING) {
520	if (legacy_alert >= 0 && legacy_alert <= 255)
521	*alert = legacy_alert;
522	return 0;
523	}
524
525	return 1;
526	}