1 /* $OpenBSD: tls13_handshake.c,v 1.71 2022/04/19 17:01:43 tb Exp $ */
2 /*
3 * Copyright (c) 2018-2021 Theo Buehler <tb@openbsd.org>
4 * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19 #include <stddef.h>
20
21 #include "ssl_locl.h"
22 #include "tls13_handshake.h"
23 #include "tls13_internal.h"
24
25 /* Based on RFC 8446 and inspired by s2n's TLS 1.2 state machine. */
26
27 struct tls13_handshake_action {
28 uint8_t handshake_type;
29 uint8_t sender;
30 uint8_t handshake_complete;
31 uint8_t send_preserve_transcript_hash;
32 uint8_t recv_preserve_transcript_hash;
33
34 int (*send)(struct tls13_ctx *ctx, CBB *cbb);
35 int (*sent)(struct tls13_ctx *ctx);
36 int (*recv)(struct tls13_ctx *ctx, CBS *cbs);
37 };
38
39 static enum tls13_message_type
40 tls13_handshake_active_state(struct tls13_ctx *ctx);
41
42 static const struct tls13_handshake_action *
43 tls13_handshake_active_action(struct tls13_ctx *ctx);
44 static int tls13_handshake_advance_state_machine(struct tls13_ctx *ctx);
45
46 static int tls13_handshake_send_action(struct tls13_ctx *ctx,
47 const struct tls13_handshake_action *action);
48 static int tls13_handshake_recv_action(struct tls13_ctx *ctx,
49 const struct tls13_handshake_action *action);
50
51 static int tls13_handshake_set_legacy_state(struct tls13_ctx *ctx);
52 static int tls13_handshake_legacy_info_callback(struct tls13_ctx *ctx);
53
54 static const struct tls13_handshake_action state_machine[] = {
55 [CLIENT_HELLO] = {
56 .handshake_type = TLS13_MT_CLIENT_HELLO,
57 .sender = TLS13_HS_CLIENT,
58 .send = tls13_client_hello_send,
59 .sent = tls13_client_hello_sent,
60 .recv = tls13_client_hello_recv,
61 },
62 [CLIENT_HELLO_RETRY] = {
63 .handshake_type = TLS13_MT_CLIENT_HELLO,
64 .sender = TLS13_HS_CLIENT,
65 .send = tls13_client_hello_retry_send,
66 .recv = tls13_client_hello_retry_recv,
67 },
68 [CLIENT_END_OF_EARLY_DATA] = {
69 .handshake_type = TLS13_MT_END_OF_EARLY_DATA,
70 .sender = TLS13_HS_CLIENT,
71 .send = tls13_client_end_of_early_data_send,
72 .recv = tls13_client_end_of_early_data_recv,
73 },
74 [CLIENT_CERTIFICATE] = {
75 .handshake_type = TLS13_MT_CERTIFICATE,
76 .sender = TLS13_HS_CLIENT,
77 .send_preserve_transcript_hash = 1,
78 .send = tls13_client_certificate_send,
79 .recv = tls13_client_certificate_recv,
80 },
81 [CLIENT_CERTIFICATE_VERIFY] = {
82 .handshake_type = TLS13_MT_CERTIFICATE_VERIFY,
83 .sender = TLS13_HS_CLIENT,
84 .recv_preserve_transcript_hash = 1,
85 .send = tls13_client_certificate_verify_send,
86 .recv = tls13_client_certificate_verify_recv,
87 },
88 [CLIENT_FINISHED] = {
89 .handshake_type = TLS13_MT_FINISHED,
90 .sender = TLS13_HS_CLIENT,
91 .recv_preserve_transcript_hash = 1,
92 .send = tls13_client_finished_send,
93 .sent = tls13_client_finished_sent,
94 .recv = tls13_client_finished_recv,
95 },
96 [SERVER_HELLO] = {
97 .handshake_type = TLS13_MT_SERVER_HELLO,
98 .sender = TLS13_HS_SERVER,
99 .send = tls13_server_hello_send,
100 .sent = tls13_server_hello_sent,
101 .recv = tls13_server_hello_recv,
102 },
103 [SERVER_HELLO_RETRY_REQUEST] = {
104 .handshake_type = TLS13_MT_SERVER_HELLO,
105 .sender = TLS13_HS_SERVER,
106 .send = tls13_server_hello_retry_request_send,
107 .recv = tls13_server_hello_retry_request_recv,
108 .sent = tls13_server_hello_retry_request_sent,
109 },
110 [SERVER_ENCRYPTED_EXTENSIONS] = {
111 .handshake_type = TLS13_MT_ENCRYPTED_EXTENSIONS,
112 .sender = TLS13_HS_SERVER,
113 .send = tls13_server_encrypted_extensions_send,
114 .recv = tls13_server_encrypted_extensions_recv,
115 },
116 [SERVER_CERTIFICATE] = {
117 .handshake_type = TLS13_MT_CERTIFICATE,
118 .sender = TLS13_HS_SERVER,
119 .send_preserve_transcript_hash = 1,
120 .send = tls13_server_certificate_send,
121 .recv = tls13_server_certificate_recv,
122 },
123 [SERVER_CERTIFICATE_REQUEST] = {
124 .handshake_type = TLS13_MT_CERTIFICATE_REQUEST,
125 .sender = TLS13_HS_SERVER,
126 .send = tls13_server_certificate_request_send,
127 .recv = tls13_server_certificate_request_recv,
128 },
129 [SERVER_CERTIFICATE_VERIFY] = {
130 .handshake_type = TLS13_MT_CERTIFICATE_VERIFY,
131 .sender = TLS13_HS_SERVER,
132 .recv_preserve_transcript_hash = 1,
133 .send = tls13_server_certificate_verify_send,
134 .recv = tls13_server_certificate_verify_recv,
135 },
136 [SERVER_FINISHED] = {
137 .handshake_type = TLS13_MT_FINISHED,
138 .sender = TLS13_HS_SERVER,
139 .recv_preserve_transcript_hash = 1,
140 .send_preserve_transcript_hash = 1,
141 .send = tls13_server_finished_send,
142 .sent = tls13_server_finished_sent,
143 .recv = tls13_server_finished_recv,
144 },
145 [APPLICATION_DATA] = {
146 .handshake_complete = 1,
147 },
148 };
149
150 const enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
151 [INITIAL] = {
152 CLIENT_HELLO,
153 SERVER_HELLO_RETRY_REQUEST,
154 CLIENT_HELLO_RETRY,
155 SERVER_HELLO,
156 },
157 [NEGOTIATED] = {
158 CLIENT_HELLO,
159 SERVER_HELLO_RETRY_REQUEST,
160 CLIENT_HELLO_RETRY,
161 SERVER_HELLO,
162 SERVER_ENCRYPTED_EXTENSIONS,
163 SERVER_CERTIFICATE_REQUEST,
164 SERVER_CERTIFICATE,
165 SERVER_CERTIFICATE_VERIFY,
166 SERVER_FINISHED,
167 CLIENT_CERTIFICATE,
168 CLIENT_FINISHED,
169 APPLICATION_DATA,
170 },
171 [NEGOTIATED | WITHOUT_HRR] = {
172 CLIENT_HELLO,
173 SERVER_HELLO,
174 SERVER_ENCRYPTED_EXTENSIONS,
175 SERVER_CERTIFICATE_REQUEST,
176 SERVER_CERTIFICATE,
177 SERVER_CERTIFICATE_VERIFY,
178 SERVER_FINISHED,
179 CLIENT_CERTIFICATE,
180 CLIENT_FINISHED,
181 APPLICATION_DATA,
182 },
183 [NEGOTIATED | WITHOUT_CR] = {
184 CLIENT_HELLO,
185 SERVER_HELLO_RETRY_REQUEST,
186 CLIENT_HELLO_RETRY,
187 SERVER_HELLO,
188 SERVER_ENCRYPTED_EXTENSIONS,
189 SERVER_CERTIFICATE,
190 SERVER_CERTIFICATE_VERIFY,
191 SERVER_FINISHED,
192 CLIENT_FINISHED,
193 APPLICATION_DATA,
194 },
195 [NEGOTIATED | WITHOUT_HRR | WITHOUT_CR] = {
196 CLIENT_HELLO,
197 SERVER_HELLO,
198 SERVER_ENCRYPTED_EXTENSIONS,
199 SERVER_CERTIFICATE,
200 SERVER_CERTIFICATE_VERIFY,
201 SERVER_FINISHED,
202 CLIENT_FINISHED,
203 APPLICATION_DATA,
204 },
205 [NEGOTIATED | WITH_PSK] = {
206 CLIENT_HELLO,
207 SERVER_HELLO_RETRY_REQUEST,
208 CLIENT_HELLO_RETRY,
209 SERVER_HELLO,
210 SERVER_ENCRYPTED_EXTENSIONS,
211 SERVER_FINISHED,
212 CLIENT_FINISHED,
213 APPLICATION_DATA,
214 },
215 [NEGOTIATED | WITHOUT_HRR | WITH_PSK] = {
216 CLIENT_HELLO,
217 SERVER_HELLO,
218 SERVER_ENCRYPTED_EXTENSIONS,
219 SERVER_FINISHED,
220 CLIENT_FINISHED,
221 APPLICATION_DATA,
222 },
223 [NEGOTIATED | WITH_CCV] = {
224 CLIENT_HELLO,
225 SERVER_HELLO_RETRY_REQUEST,
226 CLIENT_HELLO_RETRY,
227 SERVER_HELLO,
228 SERVER_ENCRYPTED_EXTENSIONS,
229 SERVER_CERTIFICATE_REQUEST,
230 SERVER_CERTIFICATE,
231 SERVER_CERTIFICATE_VERIFY,
232 SERVER_FINISHED,
233 CLIENT_CERTIFICATE,
234 CLIENT_CERTIFICATE_VERIFY,
235 CLIENT_FINISHED,
236 APPLICATION_DATA,
237 },
238 [NEGOTIATED | WITHOUT_HRR | WITH_CCV] = {
239 CLIENT_HELLO,
240 SERVER_HELLO,
241 SERVER_ENCRYPTED_EXTENSIONS,
242 SERVER_CERTIFICATE_REQUEST,
243 SERVER_CERTIFICATE,
244 SERVER_CERTIFICATE_VERIFY,
245 SERVER_FINISHED,
246 CLIENT_CERTIFICATE,
247 CLIENT_CERTIFICATE_VERIFY,
248 CLIENT_FINISHED,
249 APPLICATION_DATA,
250 },
251 };
252
253 const size_t handshake_count = sizeof(handshakes) / sizeof(handshakes[0]);
254
255 #ifndef TLS13_DEBUG
256 #define DEBUGF(...)
257 #else
258 #define DEBUGF(...) fprintf(stderr, __VA_ARGS__)
259
260 static const char *
tls13_handshake_mode_name(uint8_t mode)261 tls13_handshake_mode_name(uint8_t mode)
262 {
263 switch (mode) {
264 case TLS13_HS_CLIENT:
265 return "Client";
266 case TLS13_HS_SERVER:
267 return "Server";
268 }
269 return "Unknown";
270 }
271
272 static const char *
tls13_handshake_message_name(uint8_t msg_type)273 tls13_handshake_message_name(uint8_t msg_type)
274 {
275 switch (msg_type) {
276 case TLS13_MT_CLIENT_HELLO:
277 return "ClientHello";
278 case TLS13_MT_SERVER_HELLO:
279 return "ServerHello";
280 case TLS13_MT_NEW_SESSION_TICKET:
281 return "NewSessionTicket";
282 case TLS13_MT_END_OF_EARLY_DATA:
283 return "EndOfEarlyData";
284 case TLS13_MT_ENCRYPTED_EXTENSIONS:
285 return "EncryptedExtensions";
286 case TLS13_MT_CERTIFICATE:
287 return "Certificate";
288 case TLS13_MT_CERTIFICATE_REQUEST:
289 return "CertificateRequest";
290 case TLS13_MT_CERTIFICATE_VERIFY:
291 return "CertificateVerify";
292 case TLS13_MT_FINISHED:
293 return "Finished";
294 }
295 return "Unknown";
296 }
297 #endif
298
299 static enum tls13_message_type
tls13_handshake_active_state(struct tls13_ctx * ctx)300 tls13_handshake_active_state(struct tls13_ctx *ctx)
301 {
302 struct tls13_handshake_stage hs = ctx->handshake_stage;
303
304 if (hs.hs_type >= handshake_count)
305 return INVALID;
306 if (hs.message_number >= TLS13_NUM_MESSAGE_TYPES)
307 return INVALID;
308
309 return handshakes[hs.hs_type][hs.message_number];
310 }
311
312 static const struct tls13_handshake_action *
tls13_handshake_active_action(struct tls13_ctx * ctx)313 tls13_handshake_active_action(struct tls13_ctx *ctx)
314 {
315 enum tls13_message_type mt = tls13_handshake_active_state(ctx);
316
317 if (mt == INVALID)
318 return NULL;
319
320 return &state_machine[mt];
321 }
322
323 static int
tls13_handshake_advance_state_machine(struct tls13_ctx * ctx)324 tls13_handshake_advance_state_machine(struct tls13_ctx *ctx)
325 {
326 if (++ctx->handshake_stage.message_number >= TLS13_NUM_MESSAGE_TYPES)
327 return 0;
328
329 return 1;
330 }
331
332 static int
tls13_handshake_end_of_flight(struct tls13_ctx * ctx,const struct tls13_handshake_action * previous)333 tls13_handshake_end_of_flight(struct tls13_ctx *ctx,
334 const struct tls13_handshake_action *previous)
335 {
336 const struct tls13_handshake_action *current;
337
338 if ((current = tls13_handshake_active_action(ctx)) == NULL)
339 return 1;
340
341 return current->sender != previous->sender;
342 }
343
344 int
tls13_handshake_msg_record(struct tls13_ctx * ctx)345 tls13_handshake_msg_record(struct tls13_ctx *ctx)
346 {
347 CBS cbs;
348
349 tls13_handshake_msg_data(ctx->hs_msg, &cbs);
350 return tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs));
351 }
352
353 int
tls13_handshake_perform(struct tls13_ctx * ctx)354 tls13_handshake_perform(struct tls13_ctx *ctx)
355 {
356 const struct tls13_handshake_action *action;
357 int sending;
358 int ret;
359
360 if (!ctx->handshake_started) {
361 /*
362 * Set legacy state to connect/accept and call info callback
363 * to signal that the handshake started.
364 */
365 if (!tls13_handshake_set_legacy_state(ctx))
366 return TLS13_IO_FAILURE;
367 if (!tls13_handshake_legacy_info_callback(ctx))
368 return TLS13_IO_FAILURE;
369
370 ctx->handshake_started = 1;
371
372 /* Set legacy state for initial ClientHello read or write. */
373 if (!tls13_handshake_set_legacy_state(ctx))
374 return TLS13_IO_FAILURE;
375 }
376
377 for (;;) {
378 if ((action = tls13_handshake_active_action(ctx)) == NULL)
379 return TLS13_IO_FAILURE;
380
381 if (ctx->need_flush) {
382 if ((ret = tls13_record_layer_flush(ctx->rl)) !=
383 TLS13_IO_SUCCESS)
384 return ret;
385 ctx->need_flush = 0;
386 }
387
388 if (action->handshake_complete) {
389 ctx->handshake_completed = 1;
390 tls13_record_layer_handshake_completed(ctx->rl);
391
392 if (!tls13_handshake_set_legacy_state(ctx))
393 return TLS13_IO_FAILURE;
394 if (!tls13_handshake_legacy_info_callback(ctx))
395 return TLS13_IO_FAILURE;
396
397 return TLS13_IO_SUCCESS;
398 }
399
400 sending = action->sender == ctx->mode;
401
402 DEBUGF("%s %s %s\n", tls13_handshake_mode_name(ctx->mode),
403 sending ? "sending" : "receiving",
404 tls13_handshake_message_name(action->handshake_type));
405
406 if (ctx->alert != 0)
407 return tls13_send_alert(ctx->rl, ctx->alert);
408
409 if (sending)
410 ret = tls13_handshake_send_action(ctx, action);
411 else
412 ret = tls13_handshake_recv_action(ctx, action);
413
414 if (ctx->alert != 0)
415 return tls13_send_alert(ctx->rl, ctx->alert);
416
417 if (ret <= 0) {
418 DEBUGF("%s %s returned %d\n",
419 tls13_handshake_mode_name(ctx->mode),
420 (action->sender == ctx->mode) ? "send" : "recv",
421 ret);
422 return ret;
423 }
424
425 if (!tls13_handshake_legacy_info_callback(ctx))
426 return TLS13_IO_FAILURE;
427
428 if (!tls13_handshake_advance_state_machine(ctx))
429 return TLS13_IO_FAILURE;
430
431 if (sending)
432 ctx->need_flush = tls13_handshake_end_of_flight(ctx,
433 action);
434
435 if (!tls13_handshake_set_legacy_state(ctx))
436 return TLS13_IO_FAILURE;
437 }
438 }
439
440 static int
tls13_handshake_send_action(struct tls13_ctx * ctx,const struct tls13_handshake_action * action)441 tls13_handshake_send_action(struct tls13_ctx *ctx,
442 const struct tls13_handshake_action *action)
443 {
444 ssize_t ret;
445 CBB cbb;
446
447 if (ctx->send_dummy_ccs) {
448 if ((ret = tls13_send_dummy_ccs(ctx->rl)) != TLS13_IO_SUCCESS)
449 return ret;
450 ctx->send_dummy_ccs = 0;
451 if (ctx->send_dummy_ccs_after) {
452 ctx->send_dummy_ccs_after = 0;
453 return TLS13_IO_SUCCESS;
454 }
455 }
456
457 /* If we have no handshake message, we need to build one. */
458 if (ctx->hs_msg == NULL) {
459 if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL)
460 return TLS13_IO_FAILURE;
461 if (!tls13_handshake_msg_start(ctx->hs_msg, &cbb,
462 action->handshake_type))
463 return TLS13_IO_FAILURE;
464 if (!action->send(ctx, &cbb))
465 return TLS13_IO_FAILURE;
466 if (!tls13_handshake_msg_finish(ctx->hs_msg))
467 return TLS13_IO_FAILURE;
468 }
469
470 if ((ret = tls13_handshake_msg_send(ctx->hs_msg, ctx->rl)) <= 0)
471 return ret;
472
473 if (!tls13_handshake_msg_record(ctx))
474 return TLS13_IO_FAILURE;
475
476 if (action->send_preserve_transcript_hash) {
477 if (!tls1_transcript_hash_value(ctx->ssl,
478 ctx->hs->tls13.transcript_hash,
479 sizeof(ctx->hs->tls13.transcript_hash),
480 &ctx->hs->tls13.transcript_hash_len))
481 return TLS13_IO_FAILURE;
482 }
483
484 if (ctx->handshake_message_sent_cb != NULL)
485 ctx->handshake_message_sent_cb(ctx);
486
487 tls13_handshake_msg_free(ctx->hs_msg);
488 ctx->hs_msg = NULL;
489
490 if (action->sent != NULL && !action->sent(ctx))
491 return TLS13_IO_FAILURE;
492
493 if (ctx->send_dummy_ccs_after) {
494 ctx->send_dummy_ccs = 1;
495 if ((ret = tls13_send_dummy_ccs(ctx->rl)) != TLS13_IO_SUCCESS)
496 return ret;
497 ctx->send_dummy_ccs = 0;
498 ctx->send_dummy_ccs_after = 0;
499 }
500
501 return TLS13_IO_SUCCESS;
502 }
503
504 static int
tls13_handshake_recv_action(struct tls13_ctx * ctx,const struct tls13_handshake_action * action)505 tls13_handshake_recv_action(struct tls13_ctx *ctx,
506 const struct tls13_handshake_action *action)
507 {
508 uint8_t msg_type;
509 ssize_t ret;
510 CBS cbs;
511
512 if (ctx->hs_msg == NULL) {
513 if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL)
514 return TLS13_IO_FAILURE;
515 }
516
517 if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) <= 0)
518 return ret;
519
520 if (action->recv_preserve_transcript_hash) {
521 if (!tls1_transcript_hash_value(ctx->ssl,
522 ctx->hs->tls13.transcript_hash,
523 sizeof(ctx->hs->tls13.transcript_hash),
524 &ctx->hs->tls13.transcript_hash_len))
525 return TLS13_IO_FAILURE;
526 }
527
528 if (!tls13_handshake_msg_record(ctx))
529 return TLS13_IO_FAILURE;
530
531 if (ctx->handshake_message_recv_cb != NULL)
532 ctx->handshake_message_recv_cb(ctx);
533
534 /*
535 * In TLSv1.3 there is no way to know if you're going to receive a
536 * certificate request message or not, hence we have to special case it
537 * here. The receive handler also knows how to deal with this situation.
538 */
539 msg_type = tls13_handshake_msg_type(ctx->hs_msg);
540 if (msg_type != action->handshake_type &&
541 (msg_type != TLS13_MT_CERTIFICATE ||
542 action->handshake_type != TLS13_MT_CERTIFICATE_REQUEST))
543 return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
544
545 if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
546 return TLS13_IO_FAILURE;
547
548 ret = TLS13_IO_FAILURE;
549 if (action->recv(ctx, &cbs)) {
550 if (CBS_len(&cbs) != 0) {
551 tls13_set_errorx(ctx, TLS13_ERR_TRAILING_DATA, 0,
552 "trailing data in handshake message", NULL);
553 ctx->alert = TLS13_ALERT_DECODE_ERROR;
554 } else {
555 ret = TLS13_IO_SUCCESS;
556 }
557 }
558
559 tls13_handshake_msg_free(ctx->hs_msg);
560 ctx->hs_msg = NULL;
561
562 if (ctx->ssl->method->version < TLS1_3_VERSION)
563 return TLS13_IO_USE_LEGACY;
564
565 return ret;
566 }
567
568 struct tls13_handshake_legacy_state {
569 int recv;
570 int send;
571 };
572
573 static const struct tls13_handshake_legacy_state legacy_states[] = {
574 [CLIENT_HELLO] = {
575 .recv = SSL3_ST_SR_CLNT_HELLO_A,
576 .send = SSL3_ST_CW_CLNT_HELLO_A,
577 },
578 [SERVER_HELLO_RETRY_REQUEST] = {
579 .recv = SSL3_ST_CR_SRVR_HELLO_A,
580 .send = SSL3_ST_SW_SRVR_HELLO_A,
581 },
582 [CLIENT_HELLO_RETRY] = {
583 .recv = SSL3_ST_SR_CLNT_HELLO_A,
584 .send = SSL3_ST_CW_CLNT_HELLO_A,
585 },
586 [SERVER_HELLO] = {
587 .recv = SSL3_ST_CR_SRVR_HELLO_A,
588 .send = SSL3_ST_SW_SRVR_HELLO_A,
589 },
590 [SERVER_ENCRYPTED_EXTENSIONS] = {
591 .send = 0,
592 .recv = 0,
593 },
594 [SERVER_CERTIFICATE_REQUEST] = {
595 .recv = SSL3_ST_CR_CERT_REQ_A,
596 .send = SSL3_ST_SW_CERT_REQ_A,
597 },
598 [SERVER_CERTIFICATE] = {
599 .recv = SSL3_ST_CR_CERT_A,
600 .send = SSL3_ST_SW_CERT_A,
601 },
602 [SERVER_CERTIFICATE_VERIFY] = {
603 .send = 0,
604 .recv = 0,
605 },
606 [SERVER_FINISHED] = {
607 .recv = SSL3_ST_CR_FINISHED_A,
608 .send = SSL3_ST_SW_FINISHED_A,
609 },
610 [CLIENT_END_OF_EARLY_DATA] = {
611 .send = 0,
612 .recv = 0,
613 },
614 [CLIENT_CERTIFICATE] = {
615 .recv = SSL3_ST_SR_CERT_VRFY_A,
616 .send = SSL3_ST_CW_CERT_VRFY_B,
617 },
618 [CLIENT_CERTIFICATE_VERIFY] = {
619 .send = 0,
620 .recv = 0,
621 },
622 [CLIENT_FINISHED] = {
623 .recv = SSL3_ST_SR_FINISHED_A,
624 .send = SSL3_ST_CW_FINISHED_A,
625 },
626 [APPLICATION_DATA] = {
627 .recv = 0,
628 .send = 0,
629 },
630 };
631
632 CTASSERT(sizeof(state_machine) / sizeof(state_machine[0]) ==
633 sizeof(legacy_states) / sizeof(legacy_states[0]));
634
635 static int
tls13_handshake_legacy_state(struct tls13_ctx * ctx,int * out_state)636 tls13_handshake_legacy_state(struct tls13_ctx *ctx, int *out_state)
637 {
638 const struct tls13_handshake_action *action;
639 enum tls13_message_type mt;
640
641 *out_state = 0;
642
643 if (!ctx->handshake_started) {
644 if (ctx->mode == TLS13_HS_CLIENT)
645 *out_state = SSL_ST_CONNECT;
646 else
647 *out_state = SSL_ST_ACCEPT;
648
649 return 1;
650 }
651
652 if (ctx->handshake_completed) {
653 *out_state = SSL_ST_OK;
654 return 1;
655 }
656
657 if ((mt = tls13_handshake_active_state(ctx)) == INVALID)
658 return 0;
659
660 if ((action = tls13_handshake_active_action(ctx)) == NULL)
661 return 0;
662
663 if (action->sender == ctx->mode)
664 *out_state = legacy_states[mt].send;
665 else
666 *out_state = legacy_states[mt].recv;
667
668 return 1;
669 }
670
671 static int
tls13_handshake_info_position(struct tls13_ctx * ctx)672 tls13_handshake_info_position(struct tls13_ctx *ctx)
673 {
674 if (!ctx->handshake_started)
675 return TLS13_INFO_HANDSHAKE_STARTED;
676
677 if (ctx->handshake_completed)
678 return TLS13_INFO_HANDSHAKE_COMPLETED;
679
680 if (ctx->mode == TLS13_HS_CLIENT)
681 return TLS13_INFO_CONNECT_LOOP;
682 else
683 return TLS13_INFO_ACCEPT_LOOP;
684 }
685
686 static int
tls13_handshake_legacy_info_callback(struct tls13_ctx * ctx)687 tls13_handshake_legacy_info_callback(struct tls13_ctx *ctx)
688 {
689 int state, where;
690
691 if (!tls13_handshake_legacy_state(ctx, &state))
692 return 0;
693
694 /* Do nothing if there's no corresponding legacy state. */
695 if (state == 0)
696 return 1;
697
698 if (ctx->info_cb != NULL) {
699 where = tls13_handshake_info_position(ctx);
700 ctx->info_cb(ctx, where, 1);
701 }
702
703 return 1;
704 }
705
706 static int
tls13_handshake_set_legacy_state(struct tls13_ctx * ctx)707 tls13_handshake_set_legacy_state(struct tls13_ctx *ctx)
708 {
709 int state;
710
711 if (!tls13_handshake_legacy_state(ctx, &state))
712 return 0;
713
714 /* Do nothing if there's no corresponding legacy state. */
715 if (state == 0)
716 return 1;
717
718 ctx->hs->state = state;
719
720 return 1;
721 }
722