1 /* Copyright (c) 2018, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include "handshake_util.h"
16
17 #include <assert.h>
18 #if defined(OPENSSL_LINUX) && !defined(OPENSSL_ANDROID)
19 #include <errno.h>
20 #include <fcntl.h>
21 #include <spawn.h>
22 #include <sys/socket.h>
23 #include <sys/stat.h>
24 #include <sys/types.h>
25 #include <sys/wait.h>
26 #include <unistd.h>
27 #endif
28
29 #include <functional>
30
31 #include "async_bio.h"
32 #include "packeted_bio.h"
33 #include "test_config.h"
34 #include "test_state.h"
35
36 #include <openssl/ssl.h>
37
38 using namespace bssl;
39
RetryAsync(SSL * ssl,int ret)40 bool RetryAsync(SSL *ssl, int ret) {
41 const TestConfig *config = GetTestConfig(ssl);
42 TestState *test_state = GetTestState(ssl);
43 if (ret >= 0) {
44 return false;
45 }
46
47 int ssl_err = SSL_get_error(ssl, ret);
48 if (ssl_err == SSL_ERROR_WANT_RENEGOTIATE && config->renegotiate_explicit) {
49 test_state->explicit_renegotiates++;
50 return SSL_renegotiate(ssl);
51 }
52
53 if (test_state->quic_transport && ssl_err == SSL_ERROR_WANT_READ) {
54 return test_state->quic_transport->ReadHandshake();
55 }
56
57 if (!config->async) {
58 // Only asynchronous tests should trigger other retries.
59 return false;
60 }
61
62 if (test_state->packeted_bio != nullptr &&
63 PacketedBioAdvanceClock(test_state->packeted_bio)) {
64 // The DTLS retransmit logic silently ignores write failures. So the test
65 // may progress, allow writes through synchronously.
66 AsyncBioEnforceWriteQuota(test_state->async_bio, false);
67 int timeout_ret = DTLSv1_handle_timeout(ssl);
68 AsyncBioEnforceWriteQuota(test_state->async_bio, true);
69
70 if (timeout_ret < 0) {
71 fprintf(stderr, "Error retransmitting.\n");
72 return false;
73 }
74 return true;
75 }
76
77 // See if we needed to read or write more. If so, allow one byte through on
78 // the appropriate end to maximally stress the state machine.
79 switch (ssl_err) {
80 case SSL_ERROR_WANT_READ:
81 AsyncBioAllowRead(test_state->async_bio, 1);
82 return true;
83 case SSL_ERROR_WANT_WRITE:
84 AsyncBioAllowWrite(test_state->async_bio, 1);
85 return true;
86 case SSL_ERROR_WANT_CHANNEL_ID_LOOKUP: {
87 UniquePtr<EVP_PKEY> pkey = LoadPrivateKey(config->send_channel_id);
88 if (!pkey) {
89 return false;
90 }
91 test_state->channel_id = std::move(pkey);
92 return true;
93 }
94 case SSL_ERROR_WANT_X509_LOOKUP:
95 test_state->cert_ready = true;
96 return true;
97 case SSL_ERROR_PENDING_SESSION:
98 test_state->session = std::move(test_state->pending_session);
99 return true;
100 case SSL_ERROR_PENDING_CERTIFICATE:
101 test_state->early_callback_ready = true;
102 return true;
103 case SSL_ERROR_WANT_PRIVATE_KEY_OPERATION:
104 test_state->private_key_retries++;
105 return true;
106 case SSL_ERROR_WANT_CERTIFICATE_VERIFY:
107 test_state->custom_verify_ready = true;
108 return true;
109 default:
110 return false;
111 }
112 }
113
CheckIdempotentError(const char * name,SSL * ssl,std::function<int ()> func)114 int CheckIdempotentError(const char *name, SSL *ssl,
115 std::function<int()> func) {
116 int ret = func();
117 int ssl_err = SSL_get_error(ssl, ret);
118 uint32_t err = ERR_peek_error();
119 if (ssl_err == SSL_ERROR_SSL || ssl_err == SSL_ERROR_ZERO_RETURN) {
120 int ret2 = func();
121 int ssl_err2 = SSL_get_error(ssl, ret2);
122 uint32_t err2 = ERR_peek_error();
123 if (ret != ret2 || ssl_err != ssl_err2 || err != err2) {
124 fprintf(stderr, "Repeating %s did not replay the error.\n", name);
125 char buf[256];
126 ERR_error_string_n(err, buf, sizeof(buf));
127 fprintf(stderr, "Wanted: %d %d %s\n", ret, ssl_err, buf);
128 ERR_error_string_n(err2, buf, sizeof(buf));
129 fprintf(stderr, "Got: %d %d %s\n", ret2, ssl_err2, buf);
130 // runner treats exit code 90 as always failing. Otherwise, it may
131 // accidentally consider the result an expected protocol failure.
132 exit(90);
133 }
134 }
135 return ret;
136 }
137
138 #if defined(OPENSSL_LINUX) && !defined(OPENSSL_ANDROID)
139
140 // MoveBIOs moves the |BIO|s of |src| to |dst|. It is used for handoff.
MoveBIOs(SSL * dest,SSL * src)141 static void MoveBIOs(SSL *dest, SSL *src) {
142 BIO *rbio = SSL_get_rbio(src);
143 BIO_up_ref(rbio);
144 SSL_set0_rbio(dest, rbio);
145
146 BIO *wbio = SSL_get_wbio(src);
147 BIO_up_ref(wbio);
148 SSL_set0_wbio(dest, wbio);
149
150 SSL_set0_rbio(src, nullptr);
151 SSL_set0_wbio(src, nullptr);
152 }
153
HandoffReady(SSL * ssl,int ret)154 static bool HandoffReady(SSL *ssl, int ret) {
155 return ret < 0 && SSL_get_error(ssl, ret) == SSL_ERROR_HANDOFF;
156 }
157
read_eintr(int fd,void * out,size_t len)158 static ssize_t read_eintr(int fd, void *out, size_t len) {
159 ssize_t ret;
160 do {
161 ret = read(fd, out, len);
162 } while (ret < 0 && errno == EINTR);
163 return ret;
164 }
165
write_eintr(int fd,const void * in,size_t len)166 static ssize_t write_eintr(int fd, const void *in, size_t len) {
167 ssize_t ret;
168 do {
169 ret = write(fd, in, len);
170 } while (ret < 0 && errno == EINTR);
171 return ret;
172 }
173
waitpid_eintr(pid_t pid,int * wstatus,int options)174 static ssize_t waitpid_eintr(pid_t pid, int *wstatus, int options) {
175 pid_t ret;
176 do {
177 ret = waitpid(pid, wstatus, options);
178 } while (ret < 0 && errno == EINTR);
179 return ret;
180 }
181
182 // Proxy relays data between |socket|, which is connected to the client, and the
183 // handshaker, which is connected to the numerically specified file descriptors,
184 // until the handshaker returns control.
Proxy(BIO * socket,bool async,int control,int rfd,int wfd)185 static bool Proxy(BIO *socket, bool async, int control, int rfd, int wfd) {
186 for (;;) {
187 fd_set rfds;
188 FD_ZERO(&rfds);
189 FD_SET(wfd, &rfds);
190 FD_SET(control, &rfds);
191 int fd_max = wfd > control ? wfd : control;
192 if (select(fd_max + 1, &rfds, nullptr, nullptr, nullptr) == -1) {
193 perror("select");
194 return false;
195 }
196
197 char buf[64];
198 ssize_t bytes;
199 if (FD_ISSET(wfd, &rfds) &&
200 (bytes = read_eintr(wfd, buf, sizeof(buf))) > 0) {
201 char *b = buf;
202 while (bytes) {
203 int written = BIO_write(socket, b, bytes);
204 if (!written) {
205 fprintf(stderr, "BIO_write wrote nothing\n");
206 return false;
207 }
208 if (written < 0) {
209 if (async) {
210 AsyncBioAllowWrite(socket, 1);
211 continue;
212 }
213 fprintf(stderr, "BIO_write failed\n");
214 return false;
215 }
216 b += written;
217 bytes -= written;
218 }
219 // Flush all pending data from the handshaker to the client before
220 // considering control messages.
221 continue;
222 }
223
224 if (!FD_ISSET(control, &rfds)) {
225 continue;
226 }
227
228 char msg;
229 if (read_eintr(control, &msg, 1) != 1) {
230 perror("read");
231 return false;
232 }
233 switch (msg) {
234 case kControlMsgHandback:
235 return true;
236 case kControlMsgError:
237 return false;
238 case kControlMsgWantRead:
239 break;
240 default:
241 fprintf(stderr, "Unknown control message from handshaker: %c\n", msg);
242 return false;
243 }
244
245 auto proxy_data = [&](uint8_t *out, size_t len) -> bool {
246 if (async) {
247 AsyncBioAllowRead(socket, len);
248 }
249
250 while (len > 0) {
251 int bytes_read = BIO_read(socket, out, len);
252 if (bytes_read < 1) {
253 fprintf(stderr, "BIO_read failed\n");
254 return false;
255 }
256
257 ssize_t bytes_written = write_eintr(rfd, out, bytes_read);
258 if (bytes_written == -1) {
259 perror("write");
260 return false;
261 }
262 if (bytes_written != bytes_read) {
263 fprintf(stderr, "short write (%zu of %d bytes)\n", bytes_written,
264 bytes_read);
265 return false;
266 }
267
268 len -= bytes_read;
269 out += bytes_read;
270 }
271 return true;
272 };
273
274 // Process one SSL record at a time. That way, we don't send the handshaker
275 // anything it doesn't want to process, e.g. early data.
276 uint8_t header[SSL3_RT_HEADER_LENGTH];
277 if (!proxy_data(header, sizeof(header))) {
278 return false;
279 }
280 if (header[1] != 3) {
281 fprintf(stderr, "bad header\n");
282 return false;
283 }
284 size_t remaining = (header[3] << 8) + header[4];
285 while (remaining > 0) {
286 uint8_t readbuf[64];
287 size_t len = remaining > sizeof(readbuf) ? sizeof(readbuf) : remaining;
288 if (!proxy_data(readbuf, len)) {
289 return false;
290 }
291 remaining -= len;
292 }
293
294 // The handshaker blocks on the control channel, so we have to signal
295 // it that the data have been written.
296 msg = kControlMsgWriteCompleted;
297 if (write_eintr(control, &msg, 1) != 1) {
298 perror("write");
299 return false;
300 }
301 }
302 }
303
304 class ScopedFD {
305 public:
ScopedFD(int fd)306 explicit ScopedFD(int fd): fd_(fd) {}
~ScopedFD()307 ~ScopedFD() { close(fd_); }
308 private:
309 const int fd_;
310 };
311
312 // RunHandshaker forks and execs the handshaker binary, handing off |input|,
313 // and, after proxying some amount of handshake traffic, handing back |out|.
RunHandshaker(BIO * bio,const TestConfig * config,bool is_resume,const Array<uint8_t> & input,Array<uint8_t> * out)314 static bool RunHandshaker(BIO *bio, const TestConfig *config, bool is_resume,
315 const Array<uint8_t> &input,
316 Array<uint8_t> *out) {
317 if (config->handshaker_path.empty()) {
318 fprintf(stderr, "no -handshaker-path specified\n");
319 return false;
320 }
321 struct stat dummy;
322 if (stat(config->handshaker_path.c_str(), &dummy) == -1) {
323 perror(config->handshaker_path.c_str());
324 return false;
325 }
326
327 // A datagram socket guarantees that writes are all-or-nothing.
328 int control[2];
329 if (socketpair(AF_LOCAL, SOCK_DGRAM, 0, control) != 0) {
330 perror("socketpair");
331 return false;
332 }
333 int rfd[2], wfd[2];
334 // We use pipes, rather than some other mechanism, for their buffers. During
335 // the handshake, this process acts as a dumb proxy until receiving the
336 // handback signal, which arrives asynchronously. The race condition means
337 // that this process could incorrectly proxy post-handshake data from the
338 // client to the handshaker.
339 //
340 // To avoid this, this process never proxies data to the handshaker that the
341 // handshaker has not explicitly requested as a result of hitting
342 // |SSL_ERROR_WANT_READ|. Pipes allow the data to sit in a buffer while the
343 // two processes synchronize over the |control| channel.
344 if (pipe(rfd) != 0 || pipe(wfd) != 0) {
345 perror("pipe2");
346 return false;
347 }
348
349 fflush(stdout);
350 fflush(stderr);
351
352 std::vector<char *> args;
353 bssl::UniquePtr<char> handshaker_path(
354 OPENSSL_strdup(config->handshaker_path.c_str()));
355 args.push_back(handshaker_path.get());
356 char resume[] = "-handshaker-resume";
357 if (is_resume) {
358 args.push_back(resume);
359 }
360 // config->argv omits argv[0].
361 for (int j = 0; j < config->argc; ++j) {
362 args.push_back(config->argv[j]);
363 }
364 args.push_back(nullptr);
365
366 posix_spawn_file_actions_t actions;
367 if (posix_spawn_file_actions_init(&actions) != 0 ||
368 posix_spawn_file_actions_addclose(&actions, control[0]) ||
369 posix_spawn_file_actions_addclose(&actions, rfd[1]) ||
370 posix_spawn_file_actions_addclose(&actions, wfd[0])) {
371 return false;
372 }
373 assert(kFdControl != rfd[0]);
374 assert(kFdControl != wfd[1]);
375 if (control[1] != kFdControl &&
376 posix_spawn_file_actions_adddup2(&actions, control[1], kFdControl) != 0) {
377 return false;
378 }
379 assert(kFdProxyToHandshaker != wfd[1]);
380 if (rfd[0] != kFdProxyToHandshaker &&
381 posix_spawn_file_actions_adddup2(&actions, rfd[0],
382 kFdProxyToHandshaker) != 0) {
383 return false;
384 }
385 if (wfd[1] != kFdHandshakerToProxy &&
386 posix_spawn_file_actions_adddup2(&actions, wfd[1],
387 kFdHandshakerToProxy) != 0) {
388 return false;
389 }
390
391 // MSan doesn't know that |posix_spawn| initializes its output, so initialize
392 // it to -1.
393 pid_t handshaker_pid = -1;
394 int ret = posix_spawn(&handshaker_pid, args[0], &actions, nullptr,
395 args.data(), environ);
396 if (posix_spawn_file_actions_destroy(&actions) != 0 ||
397 ret != 0) {
398 return false;
399 }
400
401 close(control[1]);
402 close(rfd[0]);
403 close(wfd[1]);
404 ScopedFD rfd_closer(rfd[1]);
405 ScopedFD wfd_closer(wfd[0]);
406 ScopedFD control_closer(control[0]);
407
408 if (write_eintr(control[0], input.data(), input.size()) == -1) {
409 perror("write");
410 return false;
411 }
412 bool ok = Proxy(bio, config->async, control[0], rfd[1], wfd[0]);
413 int wstatus;
414 if (waitpid_eintr(handshaker_pid, &wstatus, 0) != handshaker_pid) {
415 perror("waitpid");
416 return false;
417 }
418 if (ok && wstatus) {
419 fprintf(stderr, "handshaker exited irregularly\n");
420 return false;
421 }
422 if (!ok) {
423 return false; // This is a "good", i.e. expected, error.
424 }
425
426 constexpr size_t kBufSize = 1024 * 1024;
427 bssl::UniquePtr<uint8_t> buf((uint8_t *) OPENSSL_malloc(kBufSize));
428 int len = read_eintr(control[0], buf.get(), kBufSize);
429 if (len == -1) {
430 perror("read");
431 return false;
432 }
433 out->CopyFrom({buf.get(), (size_t)len});
434 return true;
435 }
436
437 // PrepareHandoff accepts the |ClientHello| from |ssl| and serializes state to
438 // be passed to the handshaker. The serialized state includes both the SSL
439 // handoff, as well test-related state.
PrepareHandoff(SSL * ssl,SettingsWriter * writer,Array<uint8_t> * out_handoff)440 static bool PrepareHandoff(SSL *ssl, SettingsWriter *writer,
441 Array<uint8_t> *out_handoff) {
442 SSL_set_handoff_mode(ssl, 1);
443
444 const TestConfig *config = GetTestConfig(ssl);
445 int ret = -1;
446 do {
447 ret = CheckIdempotentError(
448 "SSL_do_handshake", ssl,
449 [&]() -> int { return SSL_do_handshake(ssl); });
450 } while (!HandoffReady(ssl, ret) &&
451 config->async &&
452 RetryAsync(ssl, ret));
453 if (!HandoffReady(ssl, ret)) {
454 fprintf(stderr, "Handshake failed while waiting for handoff.\n");
455 return false;
456 }
457
458 ScopedCBB cbb;
459 SSL_CLIENT_HELLO hello;
460 if (!CBB_init(cbb.get(), 512) ||
461 !SSL_serialize_handoff(ssl, cbb.get(), &hello) ||
462 !writer->WriteHandoff({CBB_data(cbb.get()), CBB_len(cbb.get())}) ||
463 !SerializeContextState(ssl->ctx.get(), cbb.get()) ||
464 !GetTestState(ssl)->Serialize(cbb.get())) {
465 fprintf(stderr, "Handoff serialisation failed.\n");
466 return false;
467 }
468 return CBBFinishArray(cbb.get(), out_handoff);
469 }
470
471 // DoSplitHandshake delegates the SSL handshake to a separate process, called
472 // the handshaker. This process proxies I/O between the handshaker and the
473 // client, using the |BIO| from |ssl|. After a successful handshake, |ssl| is
474 // replaced with a new |SSL| object, in a way that is intended to be invisible
475 // to the caller.
DoSplitHandshake(UniquePtr<SSL> * ssl,SettingsWriter * writer,bool is_resume)476 bool DoSplitHandshake(UniquePtr<SSL> *ssl, SettingsWriter *writer,
477 bool is_resume) {
478 assert(SSL_get_rbio(ssl->get()) == SSL_get_wbio(ssl->get()));
479 Array<uint8_t> handshaker_input;
480 const TestConfig *config = GetTestConfig(ssl->get());
481 // out is the response from the handshaker, which includes a serialized
482 // handback message, but also serialized updates to the |TestState|.
483 Array<uint8_t> out;
484 if (!PrepareHandoff(ssl->get(), writer, &handshaker_input) ||
485 !RunHandshaker(SSL_get_rbio(ssl->get()), config, is_resume,
486 handshaker_input, &out)) {
487 fprintf(stderr, "Handoff failed.\n");
488 return false;
489 }
490
491 UniquePtr<SSL> ssl_handback =
492 config->NewSSL((*ssl)->ctx.get(), nullptr, false, nullptr);
493 if (!ssl_handback) {
494 return false;
495 }
496 CBS output, handback;
497 CBS_init(&output, out.data(), out.size());
498 if (!CBS_get_u24_length_prefixed(&output, &handback) ||
499 !DeserializeContextState(&output, ssl_handback->ctx.get()) ||
500 !SetTestState(ssl_handback.get(), TestState::Deserialize(
501 &output, ssl_handback->ctx.get())) ||
502 !GetTestState(ssl_handback.get()) ||
503 !writer->WriteHandback(handback) ||
504 !SSL_apply_handback(ssl_handback.get(), handback)) {
505 fprintf(stderr, "Handback failed.\n");
506 return false;
507 }
508 MoveBIOs(ssl_handback.get(), ssl->get());
509 GetTestState(ssl_handback.get())->async_bio =
510 GetTestState(ssl->get())->async_bio;
511 GetTestState(ssl->get())->async_bio = nullptr;
512
513 *ssl = std::move(ssl_handback);
514 return true;
515 }
516
517 #endif // defined(OPENSSL_LINUX) && !defined(OPENSSL_ANDROID)
518