1 /* Copyright (c) 2018, Google Inc. 2 * 3 * Permission to use, copy, modify, and/or distribute this software for any 4 * purpose with or without fee is hereby granted, provided that the above 5 * copyright notice and this permission notice appear in all copies. 6 * 7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 15 #include "handshake_util.h" 16 17 #include <assert.h> 18 #if defined(OPENSSL_LINUX) && !defined(OPENSSL_ANDROID) 19 #include <errno.h> 20 #include <fcntl.h> 21 #include <spawn.h> 22 #include <sys/socket.h> 23 #include <sys/stat.h> 24 #include <sys/types.h> 25 #include <sys/wait.h> 26 #include <unistd.h> 27 #endif 28 29 #include <functional> 30 31 #include "async_bio.h" 32 #include "packeted_bio.h" 33 #include "test_config.h" 34 #include "test_state.h" 35 36 #include <openssl/ssl.h> 37 38 using namespace bssl; 39 40 bool RetryAsync(SSL *ssl, int ret) { 41 // No error; don't retry. 42 if (ret >= 0) { 43 return false; 44 } 45 46 TestState *test_state = GetTestState(ssl); 47 assert(GetTestConfig(ssl)->async); 48 49 if (test_state->packeted_bio != nullptr && 50 PacketedBioAdvanceClock(test_state->packeted_bio)) { 51 // The DTLS retransmit logic silently ignores write failures. So the test 52 // may progress, allow writes through synchronously. 53 AsyncBioEnforceWriteQuota(test_state->async_bio, false); 54 int timeout_ret = DTLSv1_handle_timeout(ssl); 55 AsyncBioEnforceWriteQuota(test_state->async_bio, true); 56 57 if (timeout_ret < 0) { 58 fprintf(stderr, "Error retransmitting.\n"); 59 return false; 60 } 61 return true; 62 } 63 64 // See if we needed to read or write more. If so, allow one byte through on 65 // the appropriate end to maximally stress the state machine. 66 switch (SSL_get_error(ssl, ret)) { 67 case SSL_ERROR_WANT_READ: 68 AsyncBioAllowRead(test_state->async_bio, 1); 69 return true; 70 case SSL_ERROR_WANT_WRITE: 71 AsyncBioAllowWrite(test_state->async_bio, 1); 72 return true; 73 case SSL_ERROR_WANT_CHANNEL_ID_LOOKUP: { 74 UniquePtr<EVP_PKEY> pkey = 75 LoadPrivateKey(GetTestConfig(ssl)->send_channel_id); 76 if (!pkey) { 77 return false; 78 } 79 test_state->channel_id = std::move(pkey); 80 return true; 81 } 82 case SSL_ERROR_WANT_X509_LOOKUP: 83 test_state->cert_ready = true; 84 return true; 85 case SSL_ERROR_PENDING_SESSION: 86 test_state->session = std::move(test_state->pending_session); 87 return true; 88 case SSL_ERROR_PENDING_CERTIFICATE: 89 test_state->early_callback_ready = true; 90 return true; 91 case SSL_ERROR_WANT_PRIVATE_KEY_OPERATION: 92 test_state->private_key_retries++; 93 return true; 94 case SSL_ERROR_WANT_CERTIFICATE_VERIFY: 95 test_state->custom_verify_ready = true; 96 return true; 97 default: 98 return false; 99 } 100 } 101 102 int CheckIdempotentError(const char *name, SSL *ssl, 103 std::function<int()> func) { 104 int ret = func(); 105 int ssl_err = SSL_get_error(ssl, ret); 106 uint32_t err = ERR_peek_error(); 107 if (ssl_err == SSL_ERROR_SSL || ssl_err == SSL_ERROR_ZERO_RETURN) { 108 int ret2 = func(); 109 int ssl_err2 = SSL_get_error(ssl, ret2); 110 uint32_t err2 = ERR_peek_error(); 111 if (ret != ret2 || ssl_err != ssl_err2 || err != err2) { 112 fprintf(stderr, "Repeating %s did not replay the error.\n", name); 113 char buf[256]; 114 ERR_error_string_n(err, buf, sizeof(buf)); 115 fprintf(stderr, "Wanted: %d %d %s\n", ret, ssl_err, buf); 116 ERR_error_string_n(err2, buf, sizeof(buf)); 117 fprintf(stderr, "Got: %d %d %s\n", ret2, ssl_err2, buf); 118 // runner treats exit code 90 as always failing. Otherwise, it may 119 // accidentally consider the result an expected protocol failure. 120 exit(90); 121 } 122 } 123 return ret; 124 } 125 126 #if defined(OPENSSL_LINUX) && !defined(OPENSSL_ANDROID) 127 128 // MoveBIOs moves the |BIO|s of |src| to |dst|. It is used for handoff. 129 static void MoveBIOs(SSL *dest, SSL *src) { 130 BIO *rbio = SSL_get_rbio(src); 131 BIO_up_ref(rbio); 132 SSL_set0_rbio(dest, rbio); 133 134 BIO *wbio = SSL_get_wbio(src); 135 BIO_up_ref(wbio); 136 SSL_set0_wbio(dest, wbio); 137 138 SSL_set0_rbio(src, nullptr); 139 SSL_set0_wbio(src, nullptr); 140 } 141 142 static bool HandoffReady(SSL *ssl, int ret) { 143 return ret < 0 && SSL_get_error(ssl, ret) == SSL_ERROR_HANDOFF; 144 } 145 146 static ssize_t read_eintr(int fd, void *out, size_t len) { 147 ssize_t ret; 148 do { 149 ret = read(fd, out, len); 150 } while (ret < 0 && errno == EINTR); 151 return ret; 152 } 153 154 static ssize_t write_eintr(int fd, const void *in, size_t len) { 155 ssize_t ret; 156 do { 157 ret = write(fd, in, len); 158 } while (ret < 0 && errno == EINTR); 159 return ret; 160 } 161 162 static ssize_t waitpid_eintr(pid_t pid, int *wstatus, int options) { 163 pid_t ret; 164 do { 165 ret = waitpid(pid, wstatus, options); 166 } while (ret < 0 && errno == EINTR); 167 return ret; 168 } 169 170 // Proxy relays data between |socket|, which is connected to the client, and the 171 // handshaker, which is connected to the numerically specified file descriptors, 172 // until the handshaker returns control. 173 static bool Proxy(BIO *socket, bool async, int control, int rfd, int wfd) { 174 for (;;) { 175 fd_set rfds; 176 FD_ZERO(&rfds); 177 FD_SET(wfd, &rfds); 178 FD_SET(control, &rfds); 179 int fd_max = wfd > control ? wfd : control; 180 if (select(fd_max + 1, &rfds, nullptr, nullptr, nullptr) == -1) { 181 perror("select"); 182 return false; 183 } 184 185 char buf[64]; 186 ssize_t bytes; 187 if (FD_ISSET(wfd, &rfds) && 188 (bytes = read_eintr(wfd, buf, sizeof(buf))) > 0) { 189 char *b = buf; 190 while (bytes) { 191 int written = BIO_write(socket, b, bytes); 192 if (!written) { 193 fprintf(stderr, "BIO_write wrote nothing\n"); 194 return false; 195 } 196 if (written < 0) { 197 if (async) { 198 AsyncBioAllowWrite(socket, 1); 199 continue; 200 } 201 fprintf(stderr, "BIO_write failed\n"); 202 return false; 203 } 204 b += written; 205 bytes -= written; 206 } 207 // Flush all pending data from the handshaker to the client before 208 // considering control messages. 209 continue; 210 } 211 212 if (!FD_ISSET(control, &rfds)) { 213 continue; 214 } 215 216 char msg; 217 if (read_eintr(control, &msg, 1) != 1) { 218 perror("read"); 219 return false; 220 } 221 switch (msg) { 222 case kControlMsgHandback: 223 return true; 224 case kControlMsgError: 225 return false; 226 case kControlMsgWantRead: 227 break; 228 default: 229 fprintf(stderr, "Unknown control message from handshaker: %c\n", msg); 230 return false; 231 } 232 233 char readbuf[64]; 234 if (async) { 235 AsyncBioAllowRead(socket, 1); 236 } 237 int read = BIO_read(socket, readbuf, sizeof(readbuf)); 238 if (read < 1) { 239 fprintf(stderr, "BIO_read failed\n"); 240 return false; 241 } 242 ssize_t written = write_eintr(rfd, readbuf, read); 243 if (written == -1) { 244 perror("write"); 245 return false; 246 } 247 if (written != read) { 248 fprintf(stderr, "short write (%zu of %d bytes)\n", written, read); 249 return false; 250 } 251 // The handshaker blocks on the control channel, so we have to signal 252 // it that the data have been written. 253 msg = kControlMsgWriteCompleted; 254 if (write_eintr(control, &msg, 1) != 1) { 255 perror("write"); 256 return false; 257 } 258 } 259 } 260 261 class ScopedFD { 262 public: 263 explicit ScopedFD(int fd): fd_(fd) {} 264 ~ScopedFD() { close(fd_); } 265 private: 266 const int fd_; 267 }; 268 269 // RunHandshaker forks and execs the handshaker binary, handing off |input|, 270 // and, after proxying some amount of handshake traffic, handing back |out|. 271 static bool RunHandshaker(BIO *bio, const TestConfig *config, bool is_resume, 272 const Array<uint8_t> &input, 273 Array<uint8_t> *out) { 274 if (config->handshaker_path.empty()) { 275 fprintf(stderr, "no -handshaker-path specified\n"); 276 return false; 277 } 278 struct stat dummy; 279 if (stat(config->handshaker_path.c_str(), &dummy) == -1) { 280 perror(config->handshaker_path.c_str()); 281 return false; 282 } 283 284 // A datagram socket guarantees that writes are all-or-nothing. 285 int control[2]; 286 if (socketpair(AF_LOCAL, SOCK_DGRAM, 0, control) != 0) { 287 perror("socketpair"); 288 return false; 289 } 290 int rfd[2], wfd[2]; 291 // We use pipes, rather than some other mechanism, for their buffers. During 292 // the handshake, this process acts as a dumb proxy until receiving the 293 // handback signal, which arrives asynchronously. The race condition means 294 // that this process could incorrectly proxy post-handshake data from the 295 // client to the handshaker. 296 // 297 // To avoid this, this process never proxies data to the handshaker that the 298 // handshaker has not explicitly requested as a result of hitting 299 // |SSL_ERROR_WANT_READ|. Pipes allow the data to sit in a buffer while the 300 // two processes synchronize over the |control| channel. 301 if (pipe(rfd) != 0 || pipe(wfd) != 0) { 302 perror("pipe2"); 303 return false; 304 } 305 306 fflush(stdout); 307 fflush(stderr); 308 309 std::vector<char *> args; 310 bssl::UniquePtr<char> handshaker_path( 311 OPENSSL_strdup(config->handshaker_path.c_str())); 312 args.push_back(handshaker_path.get()); 313 char resume[] = "-handshaker-resume"; 314 if (is_resume) { 315 args.push_back(resume); 316 } 317 // config->argv omits argv[0]. 318 for (int j = 0; j < config->argc; ++j) { 319 args.push_back(config->argv[j]); 320 } 321 args.push_back(nullptr); 322 323 posix_spawn_file_actions_t actions; 324 if (posix_spawn_file_actions_init(&actions) != 0 || 325 posix_spawn_file_actions_addclose(&actions, control[0]) || 326 posix_spawn_file_actions_addclose(&actions, rfd[1]) || 327 posix_spawn_file_actions_addclose(&actions, wfd[0])) { 328 return false; 329 } 330 assert(kFdControl != rfd[0]); 331 assert(kFdControl != wfd[1]); 332 if (control[1] != kFdControl && 333 posix_spawn_file_actions_adddup2(&actions, control[1], kFdControl) != 0) { 334 return false; 335 } 336 assert(kFdProxyToHandshaker != wfd[1]); 337 if (rfd[0] != kFdProxyToHandshaker && 338 posix_spawn_file_actions_adddup2(&actions, rfd[0], 339 kFdProxyToHandshaker) != 0) { 340 return false; 341 } 342 if (wfd[1] != kFdHandshakerToProxy && 343 posix_spawn_file_actions_adddup2(&actions, wfd[1], 344 kFdHandshakerToProxy) != 0) { 345 return false; 346 } 347 348 // MSan doesn't know that |posix_spawn| initializes its output, so initialize 349 // it to -1. 350 pid_t handshaker_pid = -1; 351 int ret = posix_spawn(&handshaker_pid, args[0], &actions, nullptr, 352 args.data(), environ); 353 if (posix_spawn_file_actions_destroy(&actions) != 0 || 354 ret != 0) { 355 return false; 356 } 357 358 close(control[1]); 359 close(rfd[0]); 360 close(wfd[1]); 361 ScopedFD rfd_closer(rfd[1]); 362 ScopedFD wfd_closer(wfd[0]); 363 ScopedFD control_closer(control[0]); 364 365 if (write_eintr(control[0], input.data(), input.size()) == -1) { 366 perror("write"); 367 return false; 368 } 369 bool ok = Proxy(bio, config->async, control[0], rfd[1], wfd[0]); 370 int wstatus; 371 if (waitpid_eintr(handshaker_pid, &wstatus, 0) != handshaker_pid) { 372 perror("waitpid"); 373 return false; 374 } 375 if (ok && wstatus) { 376 fprintf(stderr, "handshaker exited irregularly\n"); 377 return false; 378 } 379 if (!ok) { 380 return false; // This is a "good", i.e. expected, error. 381 } 382 383 constexpr size_t kBufSize = 1024 * 1024; 384 bssl::UniquePtr<uint8_t> buf((uint8_t *) OPENSSL_malloc(kBufSize)); 385 int len = read_eintr(control[0], buf.get(), kBufSize); 386 if (len == -1) { 387 perror("read"); 388 return false; 389 } 390 out->CopyFrom({buf.get(), (size_t)len}); 391 return true; 392 } 393 394 // PrepareHandoff accepts the |ClientHello| from |ssl| and serializes state to 395 // be passed to the handshaker. The serialized state includes both the SSL 396 // handoff, as well test-related state. 397 static bool PrepareHandoff(SSL *ssl, SettingsWriter *writer, 398 Array<uint8_t> *out_handoff) { 399 SSL_set_handoff_mode(ssl, 1); 400 401 const TestConfig *config = GetTestConfig(ssl); 402 int ret = -1; 403 do { 404 ret = CheckIdempotentError( 405 "SSL_do_handshake", ssl, 406 [&]() -> int { return SSL_do_handshake(ssl); }); 407 } while (!HandoffReady(ssl, ret) && 408 config->async && 409 RetryAsync(ssl, ret)); 410 if (!HandoffReady(ssl, ret)) { 411 fprintf(stderr, "Handshake failed while waiting for handoff.\n"); 412 return false; 413 } 414 415 ScopedCBB cbb; 416 if (!CBB_init(cbb.get(), 512) || 417 !SSL_serialize_handoff(ssl, cbb.get()) || 418 !writer->WriteHandoff({CBB_data(cbb.get()), CBB_len(cbb.get())}) || 419 !SerializeContextState(ssl->ctx.get(), cbb.get()) || 420 !GetTestState(ssl)->Serialize(cbb.get())) { 421 fprintf(stderr, "Handoff serialisation failed.\n"); 422 return false; 423 } 424 return CBBFinishArray(cbb.get(), out_handoff); 425 } 426 427 // DoSplitHandshake delegates the SSL handshake to a separate process, called 428 // the handshaker. This process proxies I/O between the handshaker and the 429 // client, using the |BIO| from |ssl|. After a successful handshake, |ssl| is 430 // replaced with a new |SSL| object, in a way that is intended to be invisible 431 // to the caller. 432 bool DoSplitHandshake(UniquePtr<SSL> *ssl, SettingsWriter *writer, 433 bool is_resume) { 434 assert(SSL_get_rbio(ssl->get()) == SSL_get_wbio(ssl->get())); 435 Array<uint8_t> handshaker_input; 436 const TestConfig *config = GetTestConfig(ssl->get()); 437 // out is the response from the handshaker, which includes a serialized 438 // handback message, but also serialized updates to the |TestState|. 439 Array<uint8_t> out; 440 if (!PrepareHandoff(ssl->get(), writer, &handshaker_input) || 441 !RunHandshaker(SSL_get_rbio(ssl->get()), config, is_resume, 442 handshaker_input, &out)) { 443 fprintf(stderr, "Handoff failed.\n"); 444 return false; 445 } 446 447 UniquePtr<SSL> ssl_handback = 448 config->NewSSL((*ssl)->ctx.get(), nullptr, false, nullptr); 449 if (!ssl_handback) { 450 return false; 451 } 452 CBS output, handback; 453 CBS_init(&output, out.data(), out.size()); 454 if (!CBS_get_u24_length_prefixed(&output, &handback) || 455 !DeserializeContextState(&output, ssl_handback->ctx.get()) || 456 !SetTestState(ssl_handback.get(), TestState::Deserialize( 457 &output, ssl_handback->ctx.get())) || 458 !GetTestState(ssl_handback.get()) || 459 !writer->WriteHandback(handback) || 460 !SSL_apply_handback(ssl_handback.get(), handback)) { 461 fprintf(stderr, "Handback failed.\n"); 462 return false; 463 } 464 MoveBIOs(ssl_handback.get(), ssl->get()); 465 GetTestState(ssl_handback.get())->async_bio = 466 GetTestState(ssl->get())->async_bio; 467 GetTestState(ssl->get())->async_bio = nullptr; 468 469 *ssl = std::move(ssl_handback); 470 return true; 471 } 472 473 #endif // defined(OPENSSL_LINUX) && !defined(OPENSSL_ANDROID) 474