/src/libressl/ssl/tls13_handshake.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* $OpenBSD: tls13_handshake.c,v 1.71 2022/04/19 17:01:43 tb Exp $ */ |
2 | | /* |
3 | | * Copyright (c) 2018-2021 Theo Buehler <tb@openbsd.org> |
4 | | * Copyright (c) 2019 Joel Sing <jsing@openbsd.org> |
5 | | * |
6 | | * Permission to use, copy, modify, and distribute this software for any |
7 | | * purpose with or without fee is hereby granted, provided that the above |
8 | | * copyright notice and this permission notice appear in all copies. |
9 | | * |
10 | | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
11 | | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
12 | | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
13 | | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
14 | | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
15 | | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
16 | | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
17 | | */ |
18 | | |
19 | | #include <stddef.h> |
20 | | |
21 | | #include "ssl_locl.h" |
22 | | #include "tls13_handshake.h" |
23 | | #include "tls13_internal.h" |
24 | | |
25 | | /* Based on RFC 8446 and inspired by s2n's TLS 1.2 state machine. */ |
26 | | |
27 | | struct tls13_handshake_action { |
28 | | uint8_t handshake_type; |
29 | | uint8_t sender; |
30 | | uint8_t handshake_complete; |
31 | | uint8_t send_preserve_transcript_hash; |
32 | | uint8_t recv_preserve_transcript_hash; |
33 | | |
34 | | int (*send)(struct tls13_ctx *ctx, CBB *cbb); |
35 | | int (*sent)(struct tls13_ctx *ctx); |
36 | | int (*recv)(struct tls13_ctx *ctx, CBS *cbs); |
37 | | }; |
38 | | |
39 | | static enum tls13_message_type |
40 | | tls13_handshake_active_state(struct tls13_ctx *ctx); |
41 | | |
42 | | static const struct tls13_handshake_action * |
43 | | tls13_handshake_active_action(struct tls13_ctx *ctx); |
44 | | static int tls13_handshake_advance_state_machine(struct tls13_ctx *ctx); |
45 | | |
46 | | static int tls13_handshake_send_action(struct tls13_ctx *ctx, |
47 | | const struct tls13_handshake_action *action); |
48 | | static int tls13_handshake_recv_action(struct tls13_ctx *ctx, |
49 | | const struct tls13_handshake_action *action); |
50 | | |
51 | | static int tls13_handshake_set_legacy_state(struct tls13_ctx *ctx); |
52 | | static int tls13_handshake_legacy_info_callback(struct tls13_ctx *ctx); |
53 | | |
54 | | static const struct tls13_handshake_action state_machine[] = { |
55 | | [CLIENT_HELLO] = { |
56 | | .handshake_type = TLS13_MT_CLIENT_HELLO, |
57 | | .sender = TLS13_HS_CLIENT, |
58 | | .send = tls13_client_hello_send, |
59 | | .sent = tls13_client_hello_sent, |
60 | | .recv = tls13_client_hello_recv, |
61 | | }, |
62 | | [CLIENT_HELLO_RETRY] = { |
63 | | .handshake_type = TLS13_MT_CLIENT_HELLO, |
64 | | .sender = TLS13_HS_CLIENT, |
65 | | .send = tls13_client_hello_retry_send, |
66 | | .recv = tls13_client_hello_retry_recv, |
67 | | }, |
68 | | [CLIENT_END_OF_EARLY_DATA] = { |
69 | | .handshake_type = TLS13_MT_END_OF_EARLY_DATA, |
70 | | .sender = TLS13_HS_CLIENT, |
71 | | .send = tls13_client_end_of_early_data_send, |
72 | | .recv = tls13_client_end_of_early_data_recv, |
73 | | }, |
74 | | [CLIENT_CERTIFICATE] = { |
75 | | .handshake_type = TLS13_MT_CERTIFICATE, |
76 | | .sender = TLS13_HS_CLIENT, |
77 | | .send_preserve_transcript_hash = 1, |
78 | | .send = tls13_client_certificate_send, |
79 | | .recv = tls13_client_certificate_recv, |
80 | | }, |
81 | | [CLIENT_CERTIFICATE_VERIFY] = { |
82 | | .handshake_type = TLS13_MT_CERTIFICATE_VERIFY, |
83 | | .sender = TLS13_HS_CLIENT, |
84 | | .recv_preserve_transcript_hash = 1, |
85 | | .send = tls13_client_certificate_verify_send, |
86 | | .recv = tls13_client_certificate_verify_recv, |
87 | | }, |
88 | | [CLIENT_FINISHED] = { |
89 | | .handshake_type = TLS13_MT_FINISHED, |
90 | | .sender = TLS13_HS_CLIENT, |
91 | | .recv_preserve_transcript_hash = 1, |
92 | | .send = tls13_client_finished_send, |
93 | | .sent = tls13_client_finished_sent, |
94 | | .recv = tls13_client_finished_recv, |
95 | | }, |
96 | | [SERVER_HELLO] = { |
97 | | .handshake_type = TLS13_MT_SERVER_HELLO, |
98 | | .sender = TLS13_HS_SERVER, |
99 | | .send = tls13_server_hello_send, |
100 | | .sent = tls13_server_hello_sent, |
101 | | .recv = tls13_server_hello_recv, |
102 | | }, |
103 | | [SERVER_HELLO_RETRY_REQUEST] = { |
104 | | .handshake_type = TLS13_MT_SERVER_HELLO, |
105 | | .sender = TLS13_HS_SERVER, |
106 | | .send = tls13_server_hello_retry_request_send, |
107 | | .recv = tls13_server_hello_retry_request_recv, |
108 | | .sent = tls13_server_hello_retry_request_sent, |
109 | | }, |
110 | | [SERVER_ENCRYPTED_EXTENSIONS] = { |
111 | | .handshake_type = TLS13_MT_ENCRYPTED_EXTENSIONS, |
112 | | .sender = TLS13_HS_SERVER, |
113 | | .send = tls13_server_encrypted_extensions_send, |
114 | | .recv = tls13_server_encrypted_extensions_recv, |
115 | | }, |
116 | | [SERVER_CERTIFICATE] = { |
117 | | .handshake_type = TLS13_MT_CERTIFICATE, |
118 | | .sender = TLS13_HS_SERVER, |
119 | | .send_preserve_transcript_hash = 1, |
120 | | .send = tls13_server_certificate_send, |
121 | | .recv = tls13_server_certificate_recv, |
122 | | }, |
123 | | [SERVER_CERTIFICATE_REQUEST] = { |
124 | | .handshake_type = TLS13_MT_CERTIFICATE_REQUEST, |
125 | | .sender = TLS13_HS_SERVER, |
126 | | .send = tls13_server_certificate_request_send, |
127 | | .recv = tls13_server_certificate_request_recv, |
128 | | }, |
129 | | [SERVER_CERTIFICATE_VERIFY] = { |
130 | | .handshake_type = TLS13_MT_CERTIFICATE_VERIFY, |
131 | | .sender = TLS13_HS_SERVER, |
132 | | .recv_preserve_transcript_hash = 1, |
133 | | .send = tls13_server_certificate_verify_send, |
134 | | .recv = tls13_server_certificate_verify_recv, |
135 | | }, |
136 | | [SERVER_FINISHED] = { |
137 | | .handshake_type = TLS13_MT_FINISHED, |
138 | | .sender = TLS13_HS_SERVER, |
139 | | .recv_preserve_transcript_hash = 1, |
140 | | .send_preserve_transcript_hash = 1, |
141 | | .send = tls13_server_finished_send, |
142 | | .sent = tls13_server_finished_sent, |
143 | | .recv = tls13_server_finished_recv, |
144 | | }, |
145 | | [APPLICATION_DATA] = { |
146 | | .handshake_complete = 1, |
147 | | }, |
148 | | }; |
149 | | |
150 | | const enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = { |
151 | | [INITIAL] = { |
152 | | CLIENT_HELLO, |
153 | | SERVER_HELLO_RETRY_REQUEST, |
154 | | CLIENT_HELLO_RETRY, |
155 | | SERVER_HELLO, |
156 | | }, |
157 | | [NEGOTIATED] = { |
158 | | CLIENT_HELLO, |
159 | | SERVER_HELLO_RETRY_REQUEST, |
160 | | CLIENT_HELLO_RETRY, |
161 | | SERVER_HELLO, |
162 | | SERVER_ENCRYPTED_EXTENSIONS, |
163 | | SERVER_CERTIFICATE_REQUEST, |
164 | | SERVER_CERTIFICATE, |
165 | | SERVER_CERTIFICATE_VERIFY, |
166 | | SERVER_FINISHED, |
167 | | CLIENT_CERTIFICATE, |
168 | | CLIENT_FINISHED, |
169 | | APPLICATION_DATA, |
170 | | }, |
171 | | [NEGOTIATED | WITHOUT_HRR] = { |
172 | | CLIENT_HELLO, |
173 | | SERVER_HELLO, |
174 | | SERVER_ENCRYPTED_EXTENSIONS, |
175 | | SERVER_CERTIFICATE_REQUEST, |
176 | | SERVER_CERTIFICATE, |
177 | | SERVER_CERTIFICATE_VERIFY, |
178 | | SERVER_FINISHED, |
179 | | CLIENT_CERTIFICATE, |
180 | | CLIENT_FINISHED, |
181 | | APPLICATION_DATA, |
182 | | }, |
183 | | [NEGOTIATED | WITHOUT_CR] = { |
184 | | CLIENT_HELLO, |
185 | | SERVER_HELLO_RETRY_REQUEST, |
186 | | CLIENT_HELLO_RETRY, |
187 | | SERVER_HELLO, |
188 | | SERVER_ENCRYPTED_EXTENSIONS, |
189 | | SERVER_CERTIFICATE, |
190 | | SERVER_CERTIFICATE_VERIFY, |
191 | | SERVER_FINISHED, |
192 | | CLIENT_FINISHED, |
193 | | APPLICATION_DATA, |
194 | | }, |
195 | | [NEGOTIATED | WITHOUT_HRR | WITHOUT_CR] = { |
196 | | CLIENT_HELLO, |
197 | | SERVER_HELLO, |
198 | | SERVER_ENCRYPTED_EXTENSIONS, |
199 | | SERVER_CERTIFICATE, |
200 | | SERVER_CERTIFICATE_VERIFY, |
201 | | SERVER_FINISHED, |
202 | | CLIENT_FINISHED, |
203 | | APPLICATION_DATA, |
204 | | }, |
205 | | [NEGOTIATED | WITH_PSK] = { |
206 | | CLIENT_HELLO, |
207 | | SERVER_HELLO_RETRY_REQUEST, |
208 | | CLIENT_HELLO_RETRY, |
209 | | SERVER_HELLO, |
210 | | SERVER_ENCRYPTED_EXTENSIONS, |
211 | | SERVER_FINISHED, |
212 | | CLIENT_FINISHED, |
213 | | APPLICATION_DATA, |
214 | | }, |
215 | | [NEGOTIATED | WITHOUT_HRR | WITH_PSK] = { |
216 | | CLIENT_HELLO, |
217 | | SERVER_HELLO, |
218 | | SERVER_ENCRYPTED_EXTENSIONS, |
219 | | SERVER_FINISHED, |
220 | | CLIENT_FINISHED, |
221 | | APPLICATION_DATA, |
222 | | }, |
223 | | [NEGOTIATED | WITH_CCV] = { |
224 | | CLIENT_HELLO, |
225 | | SERVER_HELLO_RETRY_REQUEST, |
226 | | CLIENT_HELLO_RETRY, |
227 | | SERVER_HELLO, |
228 | | SERVER_ENCRYPTED_EXTENSIONS, |
229 | | SERVER_CERTIFICATE_REQUEST, |
230 | | SERVER_CERTIFICATE, |
231 | | SERVER_CERTIFICATE_VERIFY, |
232 | | SERVER_FINISHED, |
233 | | CLIENT_CERTIFICATE, |
234 | | CLIENT_CERTIFICATE_VERIFY, |
235 | | CLIENT_FINISHED, |
236 | | APPLICATION_DATA, |
237 | | }, |
238 | | [NEGOTIATED | WITHOUT_HRR | WITH_CCV] = { |
239 | | CLIENT_HELLO, |
240 | | SERVER_HELLO, |
241 | | SERVER_ENCRYPTED_EXTENSIONS, |
242 | | SERVER_CERTIFICATE_REQUEST, |
243 | | SERVER_CERTIFICATE, |
244 | | SERVER_CERTIFICATE_VERIFY, |
245 | | SERVER_FINISHED, |
246 | | CLIENT_CERTIFICATE, |
247 | | CLIENT_CERTIFICATE_VERIFY, |
248 | | CLIENT_FINISHED, |
249 | | APPLICATION_DATA, |
250 | | }, |
251 | | }; |
252 | | |
253 | | const size_t handshake_count = sizeof(handshakes) / sizeof(handshakes[0]); |
254 | | |
255 | | #ifndef TLS13_DEBUG |
256 | | #define DEBUGF(...) |
257 | | #else |
258 | | #define DEBUGF(...) fprintf(stderr, __VA_ARGS__) |
259 | | |
260 | | static const char * |
261 | | tls13_handshake_mode_name(uint8_t mode) |
262 | | { |
263 | | switch (mode) { |
264 | | case TLS13_HS_CLIENT: |
265 | | return "Client"; |
266 | | case TLS13_HS_SERVER: |
267 | | return "Server"; |
268 | | } |
269 | | return "Unknown"; |
270 | | } |
271 | | |
272 | | static const char * |
273 | | tls13_handshake_message_name(uint8_t msg_type) |
274 | | { |
275 | | switch (msg_type) { |
276 | | case TLS13_MT_CLIENT_HELLO: |
277 | | return "ClientHello"; |
278 | | case TLS13_MT_SERVER_HELLO: |
279 | | return "ServerHello"; |
280 | | case TLS13_MT_NEW_SESSION_TICKET: |
281 | | return "NewSessionTicket"; |
282 | | case TLS13_MT_END_OF_EARLY_DATA: |
283 | | return "EndOfEarlyData"; |
284 | | case TLS13_MT_ENCRYPTED_EXTENSIONS: |
285 | | return "EncryptedExtensions"; |
286 | | case TLS13_MT_CERTIFICATE: |
287 | | return "Certificate"; |
288 | | case TLS13_MT_CERTIFICATE_REQUEST: |
289 | | return "CertificateRequest"; |
290 | | case TLS13_MT_CERTIFICATE_VERIFY: |
291 | | return "CertificateVerify"; |
292 | | case TLS13_MT_FINISHED: |
293 | | return "Finished"; |
294 | | } |
295 | | return "Unknown"; |
296 | | } |
297 | | #endif |
298 | | |
299 | | static enum tls13_message_type |
300 | | tls13_handshake_active_state(struct tls13_ctx *ctx) |
301 | 21.6k | { |
302 | 21.6k | struct tls13_handshake_stage hs = ctx->handshake_stage; |
303 | | |
304 | 21.6k | if (hs.hs_type >= handshake_count) |
305 | 0 | return INVALID; |
306 | 21.6k | if (hs.message_number >= TLS13_NUM_MESSAGE_TYPES) |
307 | 0 | return INVALID; |
308 | | |
309 | 21.6k | return handshakes[hs.hs_type][hs.message_number]; |
310 | 21.6k | } |
311 | | |
312 | | static const struct tls13_handshake_action * |
313 | | tls13_handshake_active_action(struct tls13_ctx *ctx) |
314 | 14.3k | { |
315 | 14.3k | enum tls13_message_type mt = tls13_handshake_active_state(ctx); |
316 | | |
317 | 14.3k | if (mt == INVALID) |
318 | 0 | return NULL; |
319 | | |
320 | 14.3k | return &state_machine[mt]; |
321 | 14.3k | } |
322 | | |
323 | | static int |
324 | | tls13_handshake_advance_state_machine(struct tls13_ctx *ctx) |
325 | 592 | { |
326 | 592 | if (++ctx->handshake_stage.message_number >= TLS13_NUM_MESSAGE_TYPES) |
327 | 0 | return 0; |
328 | | |
329 | 592 | return 1; |
330 | 592 | } |
331 | | |
332 | | static int |
333 | | tls13_handshake_end_of_flight(struct tls13_ctx *ctx, |
334 | | const struct tls13_handshake_action *previous) |
335 | 431 | { |
336 | 431 | const struct tls13_handshake_action *current; |
337 | | |
338 | 431 | if ((current = tls13_handshake_active_action(ctx)) == NULL) |
339 | 0 | return 1; |
340 | | |
341 | 431 | return current->sender != previous->sender; |
342 | 431 | } |
343 | | |
344 | | int |
345 | | tls13_handshake_msg_record(struct tls13_ctx *ctx) |
346 | 6.19k | { |
347 | 6.19k | CBS cbs; |
348 | | |
349 | 6.19k | tls13_handshake_msg_data(ctx->hs_msg, &cbs); |
350 | 6.19k | return tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs)); |
351 | 6.19k | } |
352 | | |
353 | | int |
354 | | tls13_handshake_perform(struct tls13_ctx *ctx) |
355 | 6.07k | { |
356 | 6.07k | const struct tls13_handshake_action *action; |
357 | 6.07k | int sending; |
358 | 6.07k | int ret; |
359 | | |
360 | 6.07k | if (!ctx->handshake_started) { |
361 | | /* |
362 | | * Set legacy state to connect/accept and call info callback |
363 | | * to signal that the handshake started. |
364 | | */ |
365 | 6.07k | if (!tls13_handshake_set_legacy_state(ctx)) |
366 | 0 | return TLS13_IO_FAILURE; |
367 | 6.07k | if (!tls13_handshake_legacy_info_callback(ctx)) |
368 | 0 | return TLS13_IO_FAILURE; |
369 | | |
370 | 6.07k | ctx->handshake_started = 1; |
371 | | |
372 | | /* Set legacy state for initial ClientHello read or write. */ |
373 | 6.07k | if (!tls13_handshake_set_legacy_state(ctx)) |
374 | 0 | return TLS13_IO_FAILURE; |
375 | 6.07k | } |
376 | | |
377 | 6.66k | for (;;) { |
378 | 6.66k | if ((action = tls13_handshake_active_action(ctx)) == NULL) |
379 | 0 | return TLS13_IO_FAILURE; |
380 | | |
381 | 6.66k | if (ctx->need_flush) { |
382 | 133 | if ((ret = tls13_record_layer_flush(ctx->rl)) != |
383 | 133 | TLS13_IO_SUCCESS) |
384 | 0 | return ret; |
385 | 133 | ctx->need_flush = 0; |
386 | 133 | } |
387 | | |
388 | 6.66k | if (action->handshake_complete) { |
389 | 0 | ctx->handshake_completed = 1; |
390 | 0 | tls13_record_layer_handshake_completed(ctx->rl); |
391 | |
|
392 | 0 | if (!tls13_handshake_set_legacy_state(ctx)) |
393 | 0 | return TLS13_IO_FAILURE; |
394 | 0 | if (!tls13_handshake_legacy_info_callback(ctx)) |
395 | 0 | return TLS13_IO_FAILURE; |
396 | | |
397 | 0 | return TLS13_IO_SUCCESS; |
398 | 0 | } |
399 | | |
400 | 6.66k | sending = action->sender == ctx->mode; |
401 | | |
402 | 6.66k | DEBUGF("%s %s %s\n", tls13_handshake_mode_name(ctx->mode), |
403 | 6.66k | sending ? "sending" : "receiving", |
404 | 6.66k | tls13_handshake_message_name(action->handshake_type)); |
405 | | |
406 | 6.66k | if (ctx->alert != 0) |
407 | 0 | return tls13_send_alert(ctx->rl, ctx->alert); |
408 | | |
409 | 6.66k | if (sending) |
410 | 459 | ret = tls13_handshake_send_action(ctx, action); |
411 | 6.20k | else |
412 | 6.20k | ret = tls13_handshake_recv_action(ctx, action); |
413 | | |
414 | 6.66k | if (ctx->alert != 0) |
415 | 140 | return tls13_send_alert(ctx->rl, ctx->alert); |
416 | | |
417 | 6.52k | if (ret <= 0) { |
418 | 5.93k | DEBUGF("%s %s returned %d\n", |
419 | 5.93k | tls13_handshake_mode_name(ctx->mode), |
420 | 5.93k | (action->sender == ctx->mode) ? "send" : "recv", |
421 | 5.93k | ret); |
422 | 5.93k | return ret; |
423 | 5.93k | } |
424 | | |
425 | 592 | if (!tls13_handshake_legacy_info_callback(ctx)) |
426 | 0 | return TLS13_IO_FAILURE; |
427 | | |
428 | 592 | if (!tls13_handshake_advance_state_machine(ctx)) |
429 | 0 | return TLS13_IO_FAILURE; |
430 | | |
431 | 592 | if (sending) |
432 | 431 | ctx->need_flush = tls13_handshake_end_of_flight(ctx, |
433 | 431 | action); |
434 | | |
435 | 592 | if (!tls13_handshake_set_legacy_state(ctx)) |
436 | 0 | return TLS13_IO_FAILURE; |
437 | 592 | } |
438 | 6.07k | } |
439 | | |
440 | | static int |
441 | | tls13_handshake_send_action(struct tls13_ctx *ctx, |
442 | | const struct tls13_handshake_action *action) |
443 | 459 | { |
444 | 459 | ssize_t ret; |
445 | 459 | CBB cbb; |
446 | | |
447 | 459 | if (ctx->send_dummy_ccs) { |
448 | 0 | if ((ret = tls13_send_dummy_ccs(ctx->rl)) != TLS13_IO_SUCCESS) |
449 | 0 | return ret; |
450 | 0 | ctx->send_dummy_ccs = 0; |
451 | 0 | if (ctx->send_dummy_ccs_after) { |
452 | 0 | ctx->send_dummy_ccs_after = 0; |
453 | 0 | return TLS13_IO_SUCCESS; |
454 | 0 | } |
455 | 0 | } |
456 | | |
457 | | /* If we have no handshake message, we need to build one. */ |
458 | 459 | if (ctx->hs_msg == NULL) { |
459 | 459 | if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL) |
460 | 0 | return TLS13_IO_FAILURE; |
461 | 459 | if (!tls13_handshake_msg_start(ctx->hs_msg, &cbb, |
462 | 459 | action->handshake_type)) |
463 | 0 | return TLS13_IO_FAILURE; |
464 | 459 | if (!action->send(ctx, &cbb)) |
465 | 26 | return TLS13_IO_FAILURE; |
466 | 433 | if (!tls13_handshake_msg_finish(ctx->hs_msg)) |
467 | 0 | return TLS13_IO_FAILURE; |
468 | 433 | } |
469 | | |
470 | 433 | if ((ret = tls13_handshake_msg_send(ctx->hs_msg, ctx->rl)) <= 0) |
471 | 0 | return ret; |
472 | | |
473 | 433 | if (!tls13_handshake_msg_record(ctx)) |
474 | 0 | return TLS13_IO_FAILURE; |
475 | | |
476 | 433 | if (action->send_preserve_transcript_hash) { |
477 | 126 | if (!tls1_transcript_hash_value(ctx->ssl, |
478 | 126 | ctx->hs->tls13.transcript_hash, |
479 | 126 | sizeof(ctx->hs->tls13.transcript_hash), |
480 | 126 | &ctx->hs->tls13.transcript_hash_len)) |
481 | 0 | return TLS13_IO_FAILURE; |
482 | 126 | } |
483 | | |
484 | 433 | if (ctx->handshake_message_sent_cb != NULL) |
485 | 433 | ctx->handshake_message_sent_cb(ctx); |
486 | | |
487 | 433 | tls13_handshake_msg_free(ctx->hs_msg); |
488 | 433 | ctx->hs_msg = NULL; |
489 | | |
490 | 433 | if (action->sent != NULL && !action->sent(ctx)) |
491 | 2 | return TLS13_IO_FAILURE; |
492 | | |
493 | 431 | if (ctx->send_dummy_ccs_after) { |
494 | 122 | ctx->send_dummy_ccs = 1; |
495 | 122 | if ((ret = tls13_send_dummy_ccs(ctx->rl)) != TLS13_IO_SUCCESS) |
496 | 0 | return ret; |
497 | 122 | ctx->send_dummy_ccs = 0; |
498 | 122 | ctx->send_dummy_ccs_after = 0; |
499 | 122 | } |
500 | | |
501 | 431 | return TLS13_IO_SUCCESS; |
502 | 431 | } |
503 | | |
504 | | static int |
505 | | tls13_handshake_recv_action(struct tls13_ctx *ctx, |
506 | | const struct tls13_handshake_action *action) |
507 | 6.20k | { |
508 | 6.20k | uint8_t msg_type; |
509 | 6.20k | ssize_t ret; |
510 | 6.20k | CBS cbs; |
511 | | |
512 | 6.20k | if (ctx->hs_msg == NULL) { |
513 | 6.20k | if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL) |
514 | 0 | return TLS13_IO_FAILURE; |
515 | 6.20k | } |
516 | | |
517 | 6.20k | if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) <= 0) |
518 | 445 | return ret; |
519 | | |
520 | 5.76k | if (action->recv_preserve_transcript_hash) { |
521 | 11 | if (!tls1_transcript_hash_value(ctx->ssl, |
522 | 11 | ctx->hs->tls13.transcript_hash, |
523 | 11 | sizeof(ctx->hs->tls13.transcript_hash), |
524 | 11 | &ctx->hs->tls13.transcript_hash_len)) |
525 | 0 | return TLS13_IO_FAILURE; |
526 | 11 | } |
527 | | |
528 | 5.76k | if (!tls13_handshake_msg_record(ctx)) |
529 | 0 | return TLS13_IO_FAILURE; |
530 | | |
531 | 5.76k | if (ctx->handshake_message_recv_cb != NULL) |
532 | 5.76k | ctx->handshake_message_recv_cb(ctx); |
533 | | |
534 | | /* |
535 | | * In TLSv1.3 there is no way to know if you're going to receive a |
536 | | * certificate request message or not, hence we have to special case it |
537 | | * here. The receive handler also knows how to deal with this situation. |
538 | | */ |
539 | 5.76k | msg_type = tls13_handshake_msg_type(ctx->hs_msg); |
540 | 5.76k | if (msg_type != action->handshake_type && |
541 | 5.76k | (msg_type != TLS13_MT_CERTIFICATE || |
542 | 31 | action->handshake_type != TLS13_MT_CERTIFICATE_REQUEST)) |
543 | 31 | return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE); |
544 | | |
545 | 5.73k | if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs)) |
546 | 0 | return TLS13_IO_FAILURE; |
547 | | |
548 | 5.73k | ret = TLS13_IO_FAILURE; |
549 | 5.73k | if (action->recv(ctx, &cbs)) { |
550 | 5.56k | if (CBS_len(&cbs) != 0) { |
551 | 1 | tls13_set_errorx(ctx, TLS13_ERR_TRAILING_DATA, 0, |
552 | 1 | "trailing data in handshake message", NULL); |
553 | 1 | ctx->alert = TLS13_ALERT_DECODE_ERROR; |
554 | 5.56k | } else { |
555 | 5.56k | ret = TLS13_IO_SUCCESS; |
556 | 5.56k | } |
557 | 5.56k | } |
558 | | |
559 | 5.73k | tls13_handshake_msg_free(ctx->hs_msg); |
560 | 5.73k | ctx->hs_msg = NULL; |
561 | | |
562 | 5.73k | if (ctx->ssl->method->version < TLS1_3_VERSION) |
563 | 5.42k | return TLS13_IO_USE_LEGACY; |
564 | | |
565 | 304 | return ret; |
566 | 5.73k | } |
567 | | |
568 | | struct tls13_handshake_legacy_state { |
569 | | int recv; |
570 | | int send; |
571 | | }; |
572 | | |
573 | | static const struct tls13_handshake_legacy_state legacy_states[] = { |
574 | | [CLIENT_HELLO] = { |
575 | | .recv = SSL3_ST_SR_CLNT_HELLO_A, |
576 | | .send = SSL3_ST_CW_CLNT_HELLO_A, |
577 | | }, |
578 | | [SERVER_HELLO_RETRY_REQUEST] = { |
579 | | .recv = SSL3_ST_CR_SRVR_HELLO_A, |
580 | | .send = SSL3_ST_SW_SRVR_HELLO_A, |
581 | | }, |
582 | | [CLIENT_HELLO_RETRY] = { |
583 | | .recv = SSL3_ST_SR_CLNT_HELLO_A, |
584 | | .send = SSL3_ST_CW_CLNT_HELLO_A, |
585 | | }, |
586 | | [SERVER_HELLO] = { |
587 | | .recv = SSL3_ST_CR_SRVR_HELLO_A, |
588 | | .send = SSL3_ST_SW_SRVR_HELLO_A, |
589 | | }, |
590 | | [SERVER_ENCRYPTED_EXTENSIONS] = { |
591 | | .send = 0, |
592 | | .recv = 0, |
593 | | }, |
594 | | [SERVER_CERTIFICATE_REQUEST] = { |
595 | | .recv = SSL3_ST_CR_CERT_REQ_A, |
596 | | .send = SSL3_ST_SW_CERT_REQ_A, |
597 | | }, |
598 | | [SERVER_CERTIFICATE] = { |
599 | | .recv = SSL3_ST_CR_CERT_A, |
600 | | .send = SSL3_ST_SW_CERT_A, |
601 | | }, |
602 | | [SERVER_CERTIFICATE_VERIFY] = { |
603 | | .send = 0, |
604 | | .recv = 0, |
605 | | }, |
606 | | [SERVER_FINISHED] = { |
607 | | .recv = SSL3_ST_CR_FINISHED_A, |
608 | | .send = SSL3_ST_SW_FINISHED_A, |
609 | | }, |
610 | | [CLIENT_END_OF_EARLY_DATA] = { |
611 | | .send = 0, |
612 | | .recv = 0, |
613 | | }, |
614 | | [CLIENT_CERTIFICATE] = { |
615 | | .recv = SSL3_ST_SR_CERT_VRFY_A, |
616 | | .send = SSL3_ST_CW_CERT_VRFY_B, |
617 | | }, |
618 | | [CLIENT_CERTIFICATE_VERIFY] = { |
619 | | .send = 0, |
620 | | .recv = 0, |
621 | | }, |
622 | | [CLIENT_FINISHED] = { |
623 | | .recv = SSL3_ST_SR_FINISHED_A, |
624 | | .send = SSL3_ST_CW_FINISHED_A, |
625 | | }, |
626 | | [APPLICATION_DATA] = { |
627 | | .recv = 0, |
628 | | .send = 0, |
629 | | }, |
630 | | }; |
631 | | |
632 | | CTASSERT(sizeof(state_machine) / sizeof(state_machine[0]) == |
633 | | sizeof(legacy_states) / sizeof(legacy_states[0])); |
634 | | |
635 | | static int |
636 | | tls13_handshake_legacy_state(struct tls13_ctx *ctx, int *out_state) |
637 | 19.4k | { |
638 | 19.4k | const struct tls13_handshake_action *action; |
639 | 19.4k | enum tls13_message_type mt; |
640 | | |
641 | 19.4k | *out_state = 0; |
642 | | |
643 | 19.4k | if (!ctx->handshake_started) { |
644 | 12.1k | if (ctx->mode == TLS13_HS_CLIENT) |
645 | 0 | *out_state = SSL_ST_CONNECT; |
646 | 12.1k | else |
647 | 12.1k | *out_state = SSL_ST_ACCEPT; |
648 | | |
649 | 12.1k | return 1; |
650 | 12.1k | } |
651 | | |
652 | 7.25k | if (ctx->handshake_completed) { |
653 | 0 | *out_state = SSL_ST_OK; |
654 | 0 | return 1; |
655 | 0 | } |
656 | | |
657 | 7.25k | if ((mt = tls13_handshake_active_state(ctx)) == INVALID) |
658 | 0 | return 0; |
659 | | |
660 | 7.25k | if ((action = tls13_handshake_active_action(ctx)) == NULL) |
661 | 0 | return 0; |
662 | | |
663 | 7.25k | if (action->sender == ctx->mode) |
664 | 890 | *out_state = legacy_states[mt].send; |
665 | 6.36k | else |
666 | 6.36k | *out_state = legacy_states[mt].recv; |
667 | | |
668 | 7.25k | return 1; |
669 | 7.25k | } |
670 | | |
671 | | static int |
672 | | tls13_handshake_info_position(struct tls13_ctx *ctx) |
673 | 6.51k | { |
674 | 6.51k | if (!ctx->handshake_started) |
675 | 6.07k | return TLS13_INFO_HANDSHAKE_STARTED; |
676 | | |
677 | 443 | if (ctx->handshake_completed) |
678 | 0 | return TLS13_INFO_HANDSHAKE_COMPLETED; |
679 | | |
680 | 443 | if (ctx->mode == TLS13_HS_CLIENT) |
681 | 0 | return TLS13_INFO_CONNECT_LOOP; |
682 | 443 | else |
683 | 443 | return TLS13_INFO_ACCEPT_LOOP; |
684 | 443 | } |
685 | | |
686 | | static int |
687 | | tls13_handshake_legacy_info_callback(struct tls13_ctx *ctx) |
688 | 6.66k | { |
689 | 6.66k | int state, where; |
690 | | |
691 | 6.66k | if (!tls13_handshake_legacy_state(ctx, &state)) |
692 | 0 | return 0; |
693 | | |
694 | | /* Do nothing if there's no corresponding legacy state. */ |
695 | 6.66k | if (state == 0) |
696 | 149 | return 1; |
697 | | |
698 | 6.51k | if (ctx->info_cb != NULL) { |
699 | 6.51k | where = tls13_handshake_info_position(ctx); |
700 | 6.51k | ctx->info_cb(ctx, where, 1); |
701 | 6.51k | } |
702 | | |
703 | 6.51k | return 1; |
704 | 6.66k | } |
705 | | |
706 | | static int |
707 | | tls13_handshake_set_legacy_state(struct tls13_ctx *ctx) |
708 | 12.7k | { |
709 | 12.7k | int state; |
710 | | |
711 | 12.7k | if (!tls13_handshake_legacy_state(ctx, &state)) |
712 | 0 | return 0; |
713 | | |
714 | | /* Do nothing if there's no corresponding legacy state. */ |
715 | 12.7k | if (state == 0) |
716 | 149 | return 1; |
717 | | |
718 | 12.5k | ctx->hs->state = state; |
719 | | |
720 | 12.5k | return 1; |
721 | 12.7k | } |