Automatically complete the handshake from tls13_legacy_{read,write}_bytes()

If the TLS handshake has not been completed, automatically complete the
handshake as part of the read/write call, implementing the current
SSL_read()/SSL_write() behaviour.

Once the TLS handshake is completed we push a WANT_POLLIN or WANT_POLLOUT
back up to the caller, since some applications appear to incorrectly call
SSL_read() or SSL_write(), rather than repeating the previous call. This
can lead to attempts to read data that does not exist, since the
WANT_POLLIN was actually triggered as part of the handshake.

ok inoguchi@ tb@

1 files changed, 13 insertions, 1 deletions

diff --git a/lib/libssl/tls13_lib.c b/lib/libssl/tls13_lib.c
index e371d717506..c5e2faf3fc8 100644
--- a/lib/libssl/tls13_lib.c
+++ b/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: tls13_lib.c,v 1.7 2019/02/28 17:44:56 jsing Exp $ */
+/*	$OpenBSD: tls13_lib.c,v 1.8 2019/02/28 17:56:43 jsing Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -241,6 +241,12 @@ tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int pee
 	struct tls13_ctx *ctx = ssl->internal->tls13;
 	ssize_t ret;
 
+	if (ctx == NULL || !ctx->handshake_completed) {
+		if ((ret = ssl->internal->handshake_func(ssl)) <= 0)
+			return ret;
+		return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLIN);
+	}
+
 	if (peek) {
 		/* XXX - support peek... */
 		SSLerror(ssl, ERR_R_INTERNAL_ERROR);
@@ -266,6 +272,12 @@ tls13_legacy_write_bytes(SSL *ssl, int type, const void *buf, int len)
 	struct tls13_ctx *ctx = ssl->internal->tls13;
 	ssize_t ret;
 
+	if (ctx == NULL || !ctx->handshake_completed) {
+		if ((ret = ssl->internal->handshake_func(ssl)) <= 0)
+			return ret;
+		return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLOUT);
+	}
+
 	if (type != SSL3_RT_APPLICATION_DATA) {
 		SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 		return -1;