1 /* Copyright (c) 2018, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include "handshake_util.h"
16
17 #include <assert.h>
18 #if defined(OPENSSL_LINUX) && !defined(OPENSSL_ANDROID)
19 #include <errno.h>
20 #include <fcntl.h>
21 #include <spawn.h>
22 #include <sys/socket.h>
23 #include <sys/stat.h>
24 #include <sys/types.h>
25 #include <sys/wait.h>
26 #include <unistd.h>
27 #endif
28
29 #include <functional>
30
31 #include "async_bio.h"
32 #include "packeted_bio.h"
33 #include "test_config.h"
34 #include "test_state.h"
35
36 #include <openssl/ssl.h>
37
38 using namespace bssl;
39
RetryAsync(SSL * ssl,int ret)40 bool RetryAsync(SSL *ssl, int ret) {
41 // No error; don't retry.
42 if (ret >= 0) {
43 return false;
44 }
45
46 TestState *test_state = GetTestState(ssl);
47 assert(GetTestConfig(ssl)->async);
48
49 if (test_state->packeted_bio != nullptr &&
50 PacketedBioAdvanceClock(test_state->packeted_bio)) {
51 // The DTLS retransmit logic silently ignores write failures. So the test
52 // may progress, allow writes through synchronously.
53 AsyncBioEnforceWriteQuota(test_state->async_bio, false);
54 int timeout_ret = DTLSv1_handle_timeout(ssl);
55 AsyncBioEnforceWriteQuota(test_state->async_bio, true);
56
57 if (timeout_ret < 0) {
58 fprintf(stderr, "Error retransmitting.\n");
59 return false;
60 }
61 return true;
62 }
63
64 // See if we needed to read or write more. If so, allow one byte through on
65 // the appropriate end to maximally stress the state machine.
66 switch (SSL_get_error(ssl, ret)) {
67 case SSL_ERROR_WANT_READ:
68 AsyncBioAllowRead(test_state->async_bio, 1);
69 return true;
70 case SSL_ERROR_WANT_WRITE:
71 AsyncBioAllowWrite(test_state->async_bio, 1);
72 return true;
73 case SSL_ERROR_WANT_CHANNEL_ID_LOOKUP: {
74 UniquePtr<EVP_PKEY> pkey =
75 LoadPrivateKey(GetTestConfig(ssl)->send_channel_id);
76 if (!pkey) {
77 return false;
78 }
79 test_state->channel_id = std::move(pkey);
80 return true;
81 }
82 case SSL_ERROR_WANT_X509_LOOKUP:
83 test_state->cert_ready = true;
84 return true;
85 case SSL_ERROR_PENDING_SESSION:
86 test_state->session = std::move(test_state->pending_session);
87 return true;
88 case SSL_ERROR_PENDING_CERTIFICATE:
89 test_state->early_callback_ready = true;
90 return true;
91 case SSL_ERROR_WANT_PRIVATE_KEY_OPERATION:
92 test_state->private_key_retries++;
93 return true;
94 case SSL_ERROR_WANT_CERTIFICATE_VERIFY:
95 test_state->custom_verify_ready = true;
96 return true;
97 default:
98 return false;
99 }
100 }
101
CheckIdempotentError(const char * name,SSL * ssl,std::function<int ()> func)102 int CheckIdempotentError(const char *name, SSL *ssl,
103 std::function<int()> func) {
104 int ret = func();
105 int ssl_err = SSL_get_error(ssl, ret);
106 uint32_t err = ERR_peek_error();
107 if (ssl_err == SSL_ERROR_SSL || ssl_err == SSL_ERROR_ZERO_RETURN) {
108 int ret2 = func();
109 int ssl_err2 = SSL_get_error(ssl, ret2);
110 uint32_t err2 = ERR_peek_error();
111 if (ret != ret2 || ssl_err != ssl_err2 || err != err2) {
112 fprintf(stderr, "Repeating %s did not replay the error.\n", name);
113 char buf[256];
114 ERR_error_string_n(err, buf, sizeof(buf));
115 fprintf(stderr, "Wanted: %d %d %s\n", ret, ssl_err, buf);
116 ERR_error_string_n(err2, buf, sizeof(buf));
117 fprintf(stderr, "Got: %d %d %s\n", ret2, ssl_err2, buf);
118 // runner treats exit code 90 as always failing. Otherwise, it may
119 // accidentally consider the result an expected protocol failure.
120 exit(90);
121 }
122 }
123 return ret;
124 }
125
126 #if defined(OPENSSL_LINUX) && !defined(OPENSSL_ANDROID)
127
128 // MoveBIOs moves the |BIO|s of |src| to |dst|. It is used for handoff.
MoveBIOs(SSL * dest,SSL * src)129 static void MoveBIOs(SSL *dest, SSL *src) {
130 BIO *rbio = SSL_get_rbio(src);
131 BIO_up_ref(rbio);
132 SSL_set0_rbio(dest, rbio);
133
134 BIO *wbio = SSL_get_wbio(src);
135 BIO_up_ref(wbio);
136 SSL_set0_wbio(dest, wbio);
137
138 SSL_set0_rbio(src, nullptr);
139 SSL_set0_wbio(src, nullptr);
140 }
141
HandoffReady(SSL * ssl,int ret)142 static bool HandoffReady(SSL *ssl, int ret) {
143 return ret < 0 && SSL_get_error(ssl, ret) == SSL_ERROR_HANDOFF;
144 }
145
read_eintr(int fd,void * out,size_t len)146 static ssize_t read_eintr(int fd, void *out, size_t len) {
147 ssize_t ret;
148 do {
149 ret = read(fd, out, len);
150 } while (ret < 0 && errno == EINTR);
151 return ret;
152 }
153
write_eintr(int fd,const void * in,size_t len)154 static ssize_t write_eintr(int fd, const void *in, size_t len) {
155 ssize_t ret;
156 do {
157 ret = write(fd, in, len);
158 } while (ret < 0 && errno == EINTR);
159 return ret;
160 }
161
waitpid_eintr(pid_t pid,int * wstatus,int options)162 static ssize_t waitpid_eintr(pid_t pid, int *wstatus, int options) {
163 pid_t ret;
164 do {
165 ret = waitpid(pid, wstatus, options);
166 } while (ret < 0 && errno == EINTR);
167 return ret;
168 }
169
170 // Proxy relays data between |socket|, which is connected to the client, and the
171 // handshaker, which is connected to the numerically specified file descriptors,
172 // until the handshaker returns control.
Proxy(BIO * socket,bool async,int control,int rfd,int wfd)173 static bool Proxy(BIO *socket, bool async, int control, int rfd, int wfd) {
174 for (;;) {
175 fd_set rfds;
176 FD_ZERO(&rfds);
177 FD_SET(wfd, &rfds);
178 FD_SET(control, &rfds);
179 int fd_max = wfd > control ? wfd : control;
180 if (select(fd_max + 1, &rfds, nullptr, nullptr, nullptr) == -1) {
181 perror("select");
182 return false;
183 }
184
185 char buf[64];
186 ssize_t bytes;
187 if (FD_ISSET(wfd, &rfds) &&
188 (bytes = read_eintr(wfd, buf, sizeof(buf))) > 0) {
189 char *b = buf;
190 while (bytes) {
191 int written = BIO_write(socket, b, bytes);
192 if (!written) {
193 fprintf(stderr, "BIO_write wrote nothing\n");
194 return false;
195 }
196 if (written < 0) {
197 if (async) {
198 AsyncBioAllowWrite(socket, 1);
199 continue;
200 }
201 fprintf(stderr, "BIO_write failed\n");
202 return false;
203 }
204 b += written;
205 bytes -= written;
206 }
207 // Flush all pending data from the handshaker to the client before
208 // considering control messages.
209 continue;
210 }
211
212 if (!FD_ISSET(control, &rfds)) {
213 continue;
214 }
215
216 char msg;
217 if (read_eintr(control, &msg, 1) != 1) {
218 perror("read");
219 return false;
220 }
221 switch (msg) {
222 case kControlMsgHandback:
223 return true;
224 case kControlMsgError:
225 return false;
226 case kControlMsgWantRead:
227 break;
228 default:
229 fprintf(stderr, "Unknown control message from handshaker: %c\n", msg);
230 return false;
231 }
232
233 char readbuf[64];
234 if (async) {
235 AsyncBioAllowRead(socket, 1);
236 }
237 int read = BIO_read(socket, readbuf, sizeof(readbuf));
238 if (read < 1) {
239 fprintf(stderr, "BIO_read failed\n");
240 return false;
241 }
242 ssize_t written = write_eintr(rfd, readbuf, read);
243 if (written == -1) {
244 perror("write");
245 return false;
246 }
247 if (written != read) {
248 fprintf(stderr, "short write (%zu of %d bytes)\n", written, read);
249 return false;
250 }
251 // The handshaker blocks on the control channel, so we have to signal
252 // it that the data have been written.
253 msg = kControlMsgWriteCompleted;
254 if (write_eintr(control, &msg, 1) != 1) {
255 perror("write");
256 return false;
257 }
258 }
259 }
260
261 class ScopedFD {
262 public:
ScopedFD(int fd)263 explicit ScopedFD(int fd): fd_(fd) {}
~ScopedFD()264 ~ScopedFD() { close(fd_); }
265 private:
266 const int fd_;
267 };
268
269 // RunHandshaker forks and execs the handshaker binary, handing off |input|,
270 // and, after proxying some amount of handshake traffic, handing back |out|.
RunHandshaker(BIO * bio,const TestConfig * config,bool is_resume,const Array<uint8_t> & input,Array<uint8_t> * out)271 static bool RunHandshaker(BIO *bio, const TestConfig *config, bool is_resume,
272 const Array<uint8_t> &input,
273 Array<uint8_t> *out) {
274 if (config->handshaker_path.empty()) {
275 fprintf(stderr, "no -handshaker-path specified\n");
276 return false;
277 }
278 struct stat dummy;
279 if (stat(config->handshaker_path.c_str(), &dummy) == -1) {
280 perror(config->handshaker_path.c_str());
281 return false;
282 }
283
284 // A datagram socket guarantees that writes are all-or-nothing.
285 int control[2];
286 if (socketpair(AF_LOCAL, SOCK_DGRAM, 0, control) != 0) {
287 perror("socketpair");
288 return false;
289 }
290 int rfd[2], wfd[2];
291 // We use pipes, rather than some other mechanism, for their buffers. During
292 // the handshake, this process acts as a dumb proxy until receiving the
293 // handback signal, which arrives asynchronously. The race condition means
294 // that this process could incorrectly proxy post-handshake data from the
295 // client to the handshaker.
296 //
297 // To avoid this, this process never proxies data to the handshaker that the
298 // handshaker has not explicitly requested as a result of hitting
299 // |SSL_ERROR_WANT_READ|. Pipes allow the data to sit in a buffer while the
300 // two processes synchronize over the |control| channel.
301 if (pipe(rfd) != 0 || pipe(wfd) != 0) {
302 perror("pipe2");
303 return false;
304 }
305
306 fflush(stdout);
307 fflush(stderr);
308
309 std::vector<char *> args;
310 bssl::UniquePtr<char> handshaker_path(
311 OPENSSL_strdup(config->handshaker_path.c_str()));
312 args.push_back(handshaker_path.get());
313 char resume[] = "-handshaker-resume";
314 if (is_resume) {
315 args.push_back(resume);
316 }
317 // config->argv omits argv[0].
318 for (int j = 0; j < config->argc; ++j) {
319 args.push_back(config->argv[j]);
320 }
321 args.push_back(nullptr);
322
323 posix_spawn_file_actions_t actions;
324 if (posix_spawn_file_actions_init(&actions) != 0 ||
325 posix_spawn_file_actions_addclose(&actions, control[0]) ||
326 posix_spawn_file_actions_addclose(&actions, rfd[1]) ||
327 posix_spawn_file_actions_addclose(&actions, wfd[0])) {
328 return false;
329 }
330 assert(kFdControl != rfd[0]);
331 assert(kFdControl != wfd[1]);
332 if (control[1] != kFdControl &&
333 posix_spawn_file_actions_adddup2(&actions, control[1], kFdControl) != 0) {
334 return false;
335 }
336 assert(kFdProxyToHandshaker != wfd[1]);
337 if (rfd[0] != kFdProxyToHandshaker &&
338 posix_spawn_file_actions_adddup2(&actions, rfd[0],
339 kFdProxyToHandshaker) != 0) {
340 return false;
341 }
342 if (wfd[1] != kFdHandshakerToProxy &&
343 posix_spawn_file_actions_adddup2(&actions, wfd[1],
344 kFdHandshakerToProxy) != 0) {
345 return false;
346 }
347
348 // MSan doesn't know that |posix_spawn| initializes its output, so initialize
349 // it to -1.
350 pid_t handshaker_pid = -1;
351 int ret = posix_spawn(&handshaker_pid, args[0], &actions, nullptr,
352 args.data(), environ);
353 if (posix_spawn_file_actions_destroy(&actions) != 0 ||
354 ret != 0) {
355 return false;
356 }
357
358 close(control[1]);
359 close(rfd[0]);
360 close(wfd[1]);
361 ScopedFD rfd_closer(rfd[1]);
362 ScopedFD wfd_closer(wfd[0]);
363 ScopedFD control_closer(control[0]);
364
365 if (write_eintr(control[0], input.data(), input.size()) == -1) {
366 perror("write");
367 return false;
368 }
369 bool ok = Proxy(bio, config->async, control[0], rfd[1], wfd[0]);
370 int wstatus;
371 if (waitpid_eintr(handshaker_pid, &wstatus, 0) != handshaker_pid) {
372 perror("waitpid");
373 return false;
374 }
375 if (ok && wstatus) {
376 fprintf(stderr, "handshaker exited irregularly\n");
377 return false;
378 }
379 if (!ok) {
380 return false; // This is a "good", i.e. expected, error.
381 }
382
383 constexpr size_t kBufSize = 1024 * 1024;
384 bssl::UniquePtr<uint8_t> buf((uint8_t *) OPENSSL_malloc(kBufSize));
385 int len = read_eintr(control[0], buf.get(), kBufSize);
386 if (len == -1) {
387 perror("read");
388 return false;
389 }
390 out->CopyFrom({buf.get(), (size_t)len});
391 return true;
392 }
393
394 // PrepareHandoff accepts the |ClientHello| from |ssl| and serializes state to
395 // be passed to the handshaker. The serialized state includes both the SSL
396 // handoff, as well test-related state.
PrepareHandoff(SSL * ssl,SettingsWriter * writer,Array<uint8_t> * out_handoff)397 static bool PrepareHandoff(SSL *ssl, SettingsWriter *writer,
398 Array<uint8_t> *out_handoff) {
399 SSL_set_handoff_mode(ssl, 1);
400
401 const TestConfig *config = GetTestConfig(ssl);
402 int ret = -1;
403 do {
404 ret = CheckIdempotentError(
405 "SSL_do_handshake", ssl,
406 [&]() -> int { return SSL_do_handshake(ssl); });
407 } while (!HandoffReady(ssl, ret) &&
408 config->async &&
409 RetryAsync(ssl, ret));
410 if (!HandoffReady(ssl, ret)) {
411 fprintf(stderr, "Handshake failed while waiting for handoff.\n");
412 return false;
413 }
414
415 ScopedCBB cbb;
416 if (!CBB_init(cbb.get(), 512) ||
417 !SSL_serialize_handoff(ssl, cbb.get()) ||
418 !writer->WriteHandoff({CBB_data(cbb.get()), CBB_len(cbb.get())}) ||
419 !SerializeContextState(ssl->ctx.get(), cbb.get()) ||
420 !GetTestState(ssl)->Serialize(cbb.get())) {
421 fprintf(stderr, "Handoff serialisation failed.\n");
422 return false;
423 }
424 return CBBFinishArray(cbb.get(), out_handoff);
425 }
426
427 // DoSplitHandshake delegates the SSL handshake to a separate process, called
428 // the handshaker. This process proxies I/O between the handshaker and the
429 // client, using the |BIO| from |ssl|. After a successful handshake, |ssl| is
430 // replaced with a new |SSL| object, in a way that is intended to be invisible
431 // to the caller.
DoSplitHandshake(UniquePtr<SSL> * ssl,SettingsWriter * writer,bool is_resume)432 bool DoSplitHandshake(UniquePtr<SSL> *ssl, SettingsWriter *writer,
433 bool is_resume) {
434 assert(SSL_get_rbio(ssl->get()) == SSL_get_wbio(ssl->get()));
435 Array<uint8_t> handshaker_input;
436 const TestConfig *config = GetTestConfig(ssl->get());
437 // out is the response from the handshaker, which includes a serialized
438 // handback message, but also serialized updates to the |TestState|.
439 Array<uint8_t> out;
440 if (!PrepareHandoff(ssl->get(), writer, &handshaker_input) ||
441 !RunHandshaker(SSL_get_rbio(ssl->get()), config, is_resume,
442 handshaker_input, &out)) {
443 fprintf(stderr, "Handoff failed.\n");
444 return false;
445 }
446
447 UniquePtr<SSL> ssl_handback =
448 config->NewSSL((*ssl)->ctx.get(), nullptr, false, nullptr);
449 if (!ssl_handback) {
450 return false;
451 }
452 CBS output, handback;
453 CBS_init(&output, out.data(), out.size());
454 if (!CBS_get_u24_length_prefixed(&output, &handback) ||
455 !DeserializeContextState(&output, ssl_handback->ctx.get()) ||
456 !SetTestState(ssl_handback.get(), TestState::Deserialize(
457 &output, ssl_handback->ctx.get())) ||
458 !GetTestState(ssl_handback.get()) ||
459 !writer->WriteHandback(handback) ||
460 !SSL_apply_handback(ssl_handback.get(), handback)) {
461 fprintf(stderr, "Handback failed.\n");
462 return false;
463 }
464 MoveBIOs(ssl_handback.get(), ssl->get());
465 GetTestState(ssl_handback.get())->async_bio =
466 GetTestState(ssl->get())->async_bio;
467 GetTestState(ssl->get())->async_bio = nullptr;
468
469 *ssl = std::move(ssl_handback);
470 return true;
471 }
472
473 #endif // defined(OPENSSL_LINUX) && !defined(OPENSSL_ANDROID)
474