Add the ability to mutate TLS handshake messages before they are written

We add callbacks so that TLS handshake messages can be modified by the test
framework before they are passed to the handshake hash, possibly encrypted
and written to the network. This enables us to simulate badly behaving
endpoints.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20030)

5 files changed, 65 insertions, 151 deletions

diff --git a/ssl/quic/quic_channel.c b/ssl/quic/quic_channel.c
index 293dddd298..be438426ba 100644
--- a/ssl/quic/quic_channel.c
+++ b/ssl/quic/quic_channel.c
@@ -2081,3 +2081,8 @@ static int ch_server_on_new_conn(QUIC_CHANNEL *ch, const BIO_ADDR *peer,
     ch->doing_proactive_ver_neg = 0; /* not currently supported */
     return 1;
 }
+
+SSL *ossl_quic_channel_get0_ssl(QUIC_CHANNEL *ch)
+{
+    return ch->tls;
+}
diff --git a/ssl/quic/quic_tserver.c b/ssl/quic/quic_tserver.c
index 1bb17e8e53..2a6049b134 100644
--- a/ssl/quic/quic_tserver.c
+++ b/ssl/quic/quic_tserver.c
@@ -123,15 +123,26 @@ void ossl_quic_tserver_free(QUIC_TSERVER *srv)
 }
 
 /* Set mutator callbacks for test framework support */
-int ossl_quic_tserver_set_mutator(QUIC_TSERVER *srv,
-                                  ossl_mutate_packet_cb mutatecb,
-                                  ossl_finish_mutate_cb finishmutatecb,
-                                  void *mutatearg)
+int ossl_quic_tserver_set_plain_packet_mutator(QUIC_TSERVER *srv,
+                                               ossl_mutate_packet_cb mutatecb,
+                                               ossl_finish_mutate_cb finishmutatecb,
+                                               void *mutatearg)
 {
     return ossl_quic_channel_set_mutator(srv->ch, mutatecb, finishmutatecb,
                                          mutatearg);
 }
 
+int ossl_quic_tserver_set_handshake_mutator(QUIC_TSERVER *srv,
+                                            ossl_statem_mutate_handshake_cb mutate_handshake_cb,
+                                            ossl_statem_finish_mutate_handshake_cb finish_mutate_handshake_cb,
+                                            void *mutatearg)
+{
+    return ossl_statem_set_mutator(ossl_quic_channel_get0_ssl(srv->ch),
+                                   mutate_handshake_cb,
+                                   finish_mutate_handshake_cb,
+                                   mutatearg);
+}
+
 int ossl_quic_tserver_tick(QUIC_TSERVER *srv)
 {
     ossl_quic_reactor_tick(ossl_quic_channel_get_reactor(srv->ch));
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index 130cf385a9..f28f4419ef 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -29,7 +29,7 @@
 # include <openssl/ct.h>
 # include "record/record.h"
 # include "internal/recordmethod.h"
-# include "statem/statem.h"
+# include "internal/statem.h"
 # include "internal/packet.h"
 # include "internal/dane.h"
 # include "internal/refcount.h"
diff --git a/ssl/statem/statem.h b/ssl/statem/statem.h
deleted file mode 100644
index 2b73eba6f6..0000000000
--- a/ssl/statem/statem.h
+++ /dev/null
@@ -1,146 +0,0 @@
-/*
- * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/*****************************************************************************
- *                                                                           *
- * These enums should be considered PRIVATE to the state machine. No         *
- * non-state machine code should need to use these                           *
- *                                                                           *
- *****************************************************************************/
-/*
- * Valid return codes used for functions performing work prior to or after
- * sending or receiving a message
- */
-typedef enum {
-    /* Something went wrong */
-    WORK_ERROR,
-    /* We're done working and there shouldn't be anything else to do after */
-    WORK_FINISHED_STOP,
-    /* We're done working move onto the next thing */
-    WORK_FINISHED_CONTINUE,
-    /* We're working on phase A */
-    WORK_MORE_A,
-    /* We're working on phase B */
-    WORK_MORE_B,
-    /* We're working on phase C */
-    WORK_MORE_C
-} WORK_STATE;
-
-/* Write transition return codes */
-typedef enum {
-    /* Something went wrong */
-    WRITE_TRAN_ERROR,
-    /* A transition was successfully completed and we should continue */
-    WRITE_TRAN_CONTINUE,
-    /* There is no more write work to be done */
-    WRITE_TRAN_FINISHED
-} WRITE_TRAN;
-
-/* Message flow states */
-typedef enum {
-    /* No handshake in progress */
-    MSG_FLOW_UNINITED,
-    /* A permanent error with this connection */
-    MSG_FLOW_ERROR,
-    /* We are reading messages */
-    MSG_FLOW_READING,
-    /* We are writing messages */
-    MSG_FLOW_WRITING,
-    /* Handshake has finished */
-    MSG_FLOW_FINISHED
-} MSG_FLOW_STATE;
-
-/* Read states */
-typedef enum {
-    READ_STATE_HEADER,
-    READ_STATE_BODY,
-    READ_STATE_POST_PROCESS
-} READ_STATE;
-
-/* Write states */
-typedef enum {
-    WRITE_STATE_TRANSITION,
-    WRITE_STATE_PRE_WORK,
-    WRITE_STATE_SEND,
-    WRITE_STATE_POST_WORK
-} WRITE_STATE;
-
-typedef enum {
-    CON_FUNC_ERROR = 0,
-    CON_FUNC_SUCCESS,
-    CON_FUNC_DONT_SEND
-} CON_FUNC_RETURN;
-
-/*****************************************************************************
- *                                                                           *
- * This structure should be considered "opaque" to anything outside of the   *
- * state machine. No non-state machine code should be accessing the members  *
- * of this structure.                                                        *
- *                                                                           *
- *****************************************************************************/
-
-struct ossl_statem_st {
-    MSG_FLOW_STATE state;
-    WRITE_STATE write_state;
-    WORK_STATE write_state_work;
-    READ_STATE read_state;
-    WORK_STATE read_state_work;
-    OSSL_HANDSHAKE_STATE hand_state;
-    /* The handshake state requested by an API call (e.g. HelloRequest) */
-    OSSL_HANDSHAKE_STATE request_state;
-    int in_init;
-    int read_state_first_init;
-    /* true when we are actually in SSL_accept() or SSL_connect() */
-    int in_handshake;
-    /*
-     * True when are processing a "real" handshake that needs cleaning up (not
-     * just a HelloRequest or similar).
-     */
-    int cleanuphand;
-    /* Should we skip the CertificateVerify message? */
-    unsigned int no_cert_verify;
-    int use_timer;
-};
-typedef struct ossl_statem_st OSSL_STATEM;
-
-/*****************************************************************************
- *                                                                           *
- * The following macros/functions represent the libssl internal API to the   *
- * state machine. Any libssl code may call these functions/macros            *
- *                                                                           *
- *****************************************************************************/
-
-__owur int ossl_statem_accept(SSL *s);
-__owur int ossl_statem_connect(SSL *s);
-OSSL_HANDSHAKE_STATE ossl_statem_get_state(SSL_CONNECTION *s);
-void ossl_statem_clear(SSL_CONNECTION *s);
-void ossl_statem_set_renegotiate(SSL_CONNECTION *s);
-void ossl_statem_send_fatal(SSL_CONNECTION *s, int al);
-void ossl_statem_fatal(SSL_CONNECTION *s, int al, int reason,
-                       const char *fmt, ...);
-# define SSLfatal_alert(s, al) ossl_statem_send_fatal((s), (al))
-# define SSLfatal(s, al, r) SSLfatal_data((s), (al), (r), NULL)
-# define SSLfatal_data                                          \
-    (ERR_new(),                                                 \
-     ERR_set_debug(OPENSSL_FILE, OPENSSL_LINE, OPENSSL_FUNC),   \
-     ossl_statem_fatal)
-
-int ossl_statem_in_error(const SSL_CONNECTION *s);
-void ossl_statem_set_in_init(SSL_CONNECTION *s, int init);
-int ossl_statem_get_in_handshake(SSL_CONNECTION *s);
-void ossl_statem_set_in_handshake(SSL_CONNECTION *s, int inhand);
-__owur int ossl_statem_skip_early_data(SSL_CONNECTION *s);
-void ossl_statem_check_finish_init(SSL_CONNECTION *s, int send);
-void ossl_statem_set_hello_verify_done(SSL_CONNECTION *s);
-__owur int ossl_statem_app_data_allowed(SSL_CONNECTION *s);
-__owur int ossl_statem_export_allowed(SSL_CONNECTION *s);
-__owur int ossl_statem_export_early_allowed(SSL_CONNECTION *s);
-
-/* Flush the write BIO */
-int statem_flush(SSL_CONNECTION *s);
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 88f3b94f2e..ebedbeefbb 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -36,6 +36,23 @@ const unsigned char hrrrandom[] = {
     0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
 };
 
+int ossl_statem_set_mutator(SSL *s,
+                            ossl_statem_mutate_handshake_cb mutate_handshake_cb,
+                            ossl_statem_finish_mutate_handshake_cb finish_mutate_handshake_cb,
+                            void *mutatearg)
+{
+    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
+
+    if (sc == NULL)
+        return 0;
+
+    sc->statem.mutate_handshake_cb = mutate_handshake_cb;
+    sc->statem.mutatearg = mutatearg;
+    sc->statem.finish_mutate_handshake_cb = finish_mutate_handshake_cb;
+
+    return 1;
+}
+
 /*
  * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
  * SSL3_RT_CHANGE_CIPHER_SPEC)
@@ -46,6 +63,32 @@ int ssl3_do_write(SSL_CONNECTION *s, int type)
     size_t written = 0;
     SSL *ssl = SSL_CONNECTION_GET_SSL(s);
 
+    /*
+     * If we're running the test suite then we may need to mutate the message
+     * we've been asked to write. Does not happen in normal operation.
+     */
+    if (s->statem.mutate_handshake_cb != NULL
+            && !s->statem.write_in_progress
+            && type == SSL3_RT_HANDSHAKE
+            && s->init_num >= SSL3_HM_HEADER_LENGTH) {
+        unsigned char *msg;
+        size_t msglen;
+
+        if (!s->statem.mutate_handshake_cb((unsigned char *)s->init_buf->data,
+                                           s->init_num,
+                                           &msg, &msglen,
+                                           s->statem.mutatearg))
+            return -1;
+        if (msglen < SSL3_HM_HEADER_LENGTH
+                || !BUF_MEM_grow(s->init_buf, msglen))
+            return -1;
+        memcpy(s->init_buf->data, msg, msglen);
+        s->init_num = msglen;
+        s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
+        s->statem.finish_mutate_handshake_cb(s->statem.mutatearg);
+        s->statem.write_in_progress = 1;
+    }
+
     ret = ssl3_write_bytes(ssl, type, &s->init_buf->data[s->init_off],
                            s->init_num, &written);
     if (ret < 0)
@@ -65,6 +108,7 @@ int ssl3_do_write(SSL_CONNECTION *s, int type)
                                  written))
                 return -1;
     if (written == s->init_num) {
+        s->statem.write_in_progress = 0;
         if (s->msg_callback)
             s->msg_callback(1, s->version, type, s->init_buf->data,
                             (size_t)(s->init_off + s->init_num), ssl,