/src/libressl/ssl/tls13_handshake.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* $OpenBSD: tls13_handshake.c,v 1.73 2024/02/03 19:57:14 tb Exp $ */ |
2 | | /* |
3 | | * Copyright (c) 2018-2021 Theo Buehler <tb@openbsd.org> |
4 | | * Copyright (c) 2019 Joel Sing <jsing@openbsd.org> |
5 | | * |
6 | | * Permission to use, copy, modify, and distribute this software for any |
7 | | * purpose with or without fee is hereby granted, provided that the above |
8 | | * copyright notice and this permission notice appear in all copies. |
9 | | * |
10 | | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
11 | | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
12 | | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
13 | | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
14 | | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
15 | | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
16 | | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
17 | | */ |
18 | | |
19 | | #include <stddef.h> |
20 | | |
21 | | #include "ssl_local.h" |
22 | | #include "tls13_handshake.h" |
23 | | #include "tls13_internal.h" |
24 | | |
25 | | /* Based on RFC 8446 and inspired by s2n's TLS 1.2 state machine. */ |
26 | | |
27 | | struct tls13_handshake_action { |
28 | | uint8_t handshake_type; |
29 | | uint8_t sender; |
30 | | uint8_t handshake_complete; |
31 | | uint8_t send_preserve_transcript_hash; |
32 | | uint8_t recv_preserve_transcript_hash; |
33 | | |
34 | | int (*send)(struct tls13_ctx *ctx, CBB *cbb); |
35 | | int (*sent)(struct tls13_ctx *ctx); |
36 | | int (*recv)(struct tls13_ctx *ctx, CBS *cbs); |
37 | | }; |
38 | | |
39 | | static enum tls13_message_type |
40 | | tls13_handshake_active_state(struct tls13_ctx *ctx); |
41 | | |
42 | | static const struct tls13_handshake_action * |
43 | | tls13_handshake_active_action(struct tls13_ctx *ctx); |
44 | | static int tls13_handshake_advance_state_machine(struct tls13_ctx *ctx); |
45 | | |
46 | | static int tls13_handshake_send_action(struct tls13_ctx *ctx, |
47 | | const struct tls13_handshake_action *action); |
48 | | static int tls13_handshake_recv_action(struct tls13_ctx *ctx, |
49 | | const struct tls13_handshake_action *action); |
50 | | |
51 | | static int tls13_handshake_set_legacy_state(struct tls13_ctx *ctx); |
52 | | static int tls13_handshake_legacy_info_callback(struct tls13_ctx *ctx); |
53 | | |
54 | | static const struct tls13_handshake_action state_machine[] = { |
55 | | [CLIENT_HELLO] = { |
56 | | .handshake_type = TLS13_MT_CLIENT_HELLO, |
57 | | .sender = TLS13_HS_CLIENT, |
58 | | .send = tls13_client_hello_send, |
59 | | .sent = tls13_client_hello_sent, |
60 | | .recv = tls13_client_hello_recv, |
61 | | }, |
62 | | [CLIENT_HELLO_RETRY] = { |
63 | | .handshake_type = TLS13_MT_CLIENT_HELLO, |
64 | | .sender = TLS13_HS_CLIENT, |
65 | | .send = tls13_client_hello_retry_send, |
66 | | .recv = tls13_client_hello_retry_recv, |
67 | | }, |
68 | | [CLIENT_END_OF_EARLY_DATA] = { |
69 | | .handshake_type = TLS13_MT_END_OF_EARLY_DATA, |
70 | | .sender = TLS13_HS_CLIENT, |
71 | | .send = tls13_client_end_of_early_data_send, |
72 | | .recv = tls13_client_end_of_early_data_recv, |
73 | | }, |
74 | | [CLIENT_CERTIFICATE] = { |
75 | | .handshake_type = TLS13_MT_CERTIFICATE, |
76 | | .sender = TLS13_HS_CLIENT, |
77 | | .send_preserve_transcript_hash = 1, |
78 | | .send = tls13_client_certificate_send, |
79 | | .recv = tls13_client_certificate_recv, |
80 | | }, |
81 | | [CLIENT_CERTIFICATE_VERIFY] = { |
82 | | .handshake_type = TLS13_MT_CERTIFICATE_VERIFY, |
83 | | .sender = TLS13_HS_CLIENT, |
84 | | .recv_preserve_transcript_hash = 1, |
85 | | .send = tls13_client_certificate_verify_send, |
86 | | .recv = tls13_client_certificate_verify_recv, |
87 | | }, |
88 | | [CLIENT_FINISHED] = { |
89 | | .handshake_type = TLS13_MT_FINISHED, |
90 | | .sender = TLS13_HS_CLIENT, |
91 | | .recv_preserve_transcript_hash = 1, |
92 | | .send = tls13_client_finished_send, |
93 | | .sent = tls13_client_finished_sent, |
94 | | .recv = tls13_client_finished_recv, |
95 | | }, |
96 | | [SERVER_HELLO] = { |
97 | | .handshake_type = TLS13_MT_SERVER_HELLO, |
98 | | .sender = TLS13_HS_SERVER, |
99 | | .send = tls13_server_hello_send, |
100 | | .sent = tls13_server_hello_sent, |
101 | | .recv = tls13_server_hello_recv, |
102 | | }, |
103 | | [SERVER_HELLO_RETRY_REQUEST] = { |
104 | | .handshake_type = TLS13_MT_SERVER_HELLO, |
105 | | .sender = TLS13_HS_SERVER, |
106 | | .send = tls13_server_hello_retry_request_send, |
107 | | .recv = tls13_server_hello_retry_request_recv, |
108 | | .sent = tls13_server_hello_retry_request_sent, |
109 | | }, |
110 | | [SERVER_ENCRYPTED_EXTENSIONS] = { |
111 | | .handshake_type = TLS13_MT_ENCRYPTED_EXTENSIONS, |
112 | | .sender = TLS13_HS_SERVER, |
113 | | .send = tls13_server_encrypted_extensions_send, |
114 | | .recv = tls13_server_encrypted_extensions_recv, |
115 | | }, |
116 | | [SERVER_CERTIFICATE] = { |
117 | | .handshake_type = TLS13_MT_CERTIFICATE, |
118 | | .sender = TLS13_HS_SERVER, |
119 | | .send_preserve_transcript_hash = 1, |
120 | | .send = tls13_server_certificate_send, |
121 | | .recv = tls13_server_certificate_recv, |
122 | | }, |
123 | | [SERVER_CERTIFICATE_REQUEST] = { |
124 | | .handshake_type = TLS13_MT_CERTIFICATE_REQUEST, |
125 | | .sender = TLS13_HS_SERVER, |
126 | | .send = tls13_server_certificate_request_send, |
127 | | .recv = tls13_server_certificate_request_recv, |
128 | | }, |
129 | | [SERVER_CERTIFICATE_VERIFY] = { |
130 | | .handshake_type = TLS13_MT_CERTIFICATE_VERIFY, |
131 | | .sender = TLS13_HS_SERVER, |
132 | | .recv_preserve_transcript_hash = 1, |
133 | | .send = tls13_server_certificate_verify_send, |
134 | | .recv = tls13_server_certificate_verify_recv, |
135 | | }, |
136 | | [SERVER_FINISHED] = { |
137 | | .handshake_type = TLS13_MT_FINISHED, |
138 | | .sender = TLS13_HS_SERVER, |
139 | | .recv_preserve_transcript_hash = 1, |
140 | | .send_preserve_transcript_hash = 1, |
141 | | .send = tls13_server_finished_send, |
142 | | .sent = tls13_server_finished_sent, |
143 | | .recv = tls13_server_finished_recv, |
144 | | }, |
145 | | [APPLICATION_DATA] = { |
146 | | .handshake_complete = 1, |
147 | | }, |
148 | | }; |
149 | | |
150 | | const enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = { |
151 | | [INITIAL] = { |
152 | | CLIENT_HELLO, |
153 | | SERVER_HELLO_RETRY_REQUEST, |
154 | | CLIENT_HELLO_RETRY, |
155 | | SERVER_HELLO, |
156 | | }, |
157 | | [NEGOTIATED] = { |
158 | | CLIENT_HELLO, |
159 | | SERVER_HELLO_RETRY_REQUEST, |
160 | | CLIENT_HELLO_RETRY, |
161 | | SERVER_HELLO, |
162 | | SERVER_ENCRYPTED_EXTENSIONS, |
163 | | SERVER_CERTIFICATE_REQUEST, |
164 | | SERVER_CERTIFICATE, |
165 | | SERVER_CERTIFICATE_VERIFY, |
166 | | SERVER_FINISHED, |
167 | | CLIENT_CERTIFICATE, |
168 | | CLIENT_FINISHED, |
169 | | APPLICATION_DATA, |
170 | | }, |
171 | | [NEGOTIATED | WITHOUT_HRR] = { |
172 | | CLIENT_HELLO, |
173 | | SERVER_HELLO, |
174 | | SERVER_ENCRYPTED_EXTENSIONS, |
175 | | SERVER_CERTIFICATE_REQUEST, |
176 | | SERVER_CERTIFICATE, |
177 | | SERVER_CERTIFICATE_VERIFY, |
178 | | SERVER_FINISHED, |
179 | | CLIENT_CERTIFICATE, |
180 | | CLIENT_FINISHED, |
181 | | APPLICATION_DATA, |
182 | | }, |
183 | | [NEGOTIATED | WITHOUT_CR] = { |
184 | | CLIENT_HELLO, |
185 | | SERVER_HELLO_RETRY_REQUEST, |
186 | | CLIENT_HELLO_RETRY, |
187 | | SERVER_HELLO, |
188 | | SERVER_ENCRYPTED_EXTENSIONS, |
189 | | SERVER_CERTIFICATE, |
190 | | SERVER_CERTIFICATE_VERIFY, |
191 | | SERVER_FINISHED, |
192 | | CLIENT_FINISHED, |
193 | | APPLICATION_DATA, |
194 | | }, |
195 | | [NEGOTIATED | WITHOUT_HRR | WITHOUT_CR] = { |
196 | | CLIENT_HELLO, |
197 | | SERVER_HELLO, |
198 | | SERVER_ENCRYPTED_EXTENSIONS, |
199 | | SERVER_CERTIFICATE, |
200 | | SERVER_CERTIFICATE_VERIFY, |
201 | | SERVER_FINISHED, |
202 | | CLIENT_FINISHED, |
203 | | APPLICATION_DATA, |
204 | | }, |
205 | | [NEGOTIATED | WITH_PSK] = { |
206 | | CLIENT_HELLO, |
207 | | SERVER_HELLO_RETRY_REQUEST, |
208 | | CLIENT_HELLO_RETRY, |
209 | | SERVER_HELLO, |
210 | | SERVER_ENCRYPTED_EXTENSIONS, |
211 | | SERVER_FINISHED, |
212 | | CLIENT_FINISHED, |
213 | | APPLICATION_DATA, |
214 | | }, |
215 | | [NEGOTIATED | WITHOUT_HRR | WITH_PSK] = { |
216 | | CLIENT_HELLO, |
217 | | SERVER_HELLO, |
218 | | SERVER_ENCRYPTED_EXTENSIONS, |
219 | | SERVER_FINISHED, |
220 | | CLIENT_FINISHED, |
221 | | APPLICATION_DATA, |
222 | | }, |
223 | | [NEGOTIATED | WITH_CCV] = { |
224 | | CLIENT_HELLO, |
225 | | SERVER_HELLO_RETRY_REQUEST, |
226 | | CLIENT_HELLO_RETRY, |
227 | | SERVER_HELLO, |
228 | | SERVER_ENCRYPTED_EXTENSIONS, |
229 | | SERVER_CERTIFICATE_REQUEST, |
230 | | SERVER_CERTIFICATE, |
231 | | SERVER_CERTIFICATE_VERIFY, |
232 | | SERVER_FINISHED, |
233 | | CLIENT_CERTIFICATE, |
234 | | CLIENT_CERTIFICATE_VERIFY, |
235 | | CLIENT_FINISHED, |
236 | | APPLICATION_DATA, |
237 | | }, |
238 | | [NEGOTIATED | WITHOUT_HRR | WITH_CCV] = { |
239 | | CLIENT_HELLO, |
240 | | SERVER_HELLO, |
241 | | SERVER_ENCRYPTED_EXTENSIONS, |
242 | | SERVER_CERTIFICATE_REQUEST, |
243 | | SERVER_CERTIFICATE, |
244 | | SERVER_CERTIFICATE_VERIFY, |
245 | | SERVER_FINISHED, |
246 | | CLIENT_CERTIFICATE, |
247 | | CLIENT_CERTIFICATE_VERIFY, |
248 | | CLIENT_FINISHED, |
249 | | APPLICATION_DATA, |
250 | | }, |
251 | | }; |
252 | | |
253 | | const size_t handshake_count = sizeof(handshakes) / sizeof(handshakes[0]); |
254 | | |
255 | | #ifndef TLS13_DEBUG |
256 | | #define DEBUGF(...) |
257 | | #else |
258 | | #define DEBUGF(...) fprintf(stderr, __VA_ARGS__) |
259 | | |
260 | | static const char * |
261 | | tls13_handshake_mode_name(uint8_t mode) |
262 | | { |
263 | | switch (mode) { |
264 | | case TLS13_HS_CLIENT: |
265 | | return "Client"; |
266 | | case TLS13_HS_SERVER: |
267 | | return "Server"; |
268 | | } |
269 | | return "Unknown"; |
270 | | } |
271 | | |
272 | | static const char * |
273 | | tls13_handshake_message_name(uint8_t msg_type) |
274 | | { |
275 | | switch (msg_type) { |
276 | | case TLS13_MT_CLIENT_HELLO: |
277 | | return "ClientHello"; |
278 | | case TLS13_MT_SERVER_HELLO: |
279 | | return "ServerHello"; |
280 | | case TLS13_MT_NEW_SESSION_TICKET: |
281 | | return "NewSessionTicket"; |
282 | | case TLS13_MT_END_OF_EARLY_DATA: |
283 | | return "EndOfEarlyData"; |
284 | | case TLS13_MT_ENCRYPTED_EXTENSIONS: |
285 | | return "EncryptedExtensions"; |
286 | | case TLS13_MT_CERTIFICATE: |
287 | | return "Certificate"; |
288 | | case TLS13_MT_CERTIFICATE_REQUEST: |
289 | | return "CertificateRequest"; |
290 | | case TLS13_MT_CERTIFICATE_VERIFY: |
291 | | return "CertificateVerify"; |
292 | | case TLS13_MT_FINISHED: |
293 | | return "Finished"; |
294 | | } |
295 | | return "Unknown"; |
296 | | } |
297 | | #endif |
298 | | |
299 | | static enum tls13_message_type |
300 | | tls13_handshake_active_state(struct tls13_ctx *ctx) |
301 | 66.8k | { |
302 | 66.8k | struct tls13_handshake_stage hs = ctx->handshake_stage; |
303 | | |
304 | 66.8k | if (hs.hs_type >= handshake_count) |
305 | 0 | return INVALID; |
306 | 66.8k | if (hs.message_number >= TLS13_NUM_MESSAGE_TYPES) |
307 | 0 | return INVALID; |
308 | | |
309 | 66.8k | return handshakes[hs.hs_type][hs.message_number]; |
310 | 66.8k | } |
311 | | |
312 | | static const struct tls13_handshake_action * |
313 | | tls13_handshake_active_action(struct tls13_ctx *ctx) |
314 | 44.4k | { |
315 | 44.4k | enum tls13_message_type mt = tls13_handshake_active_state(ctx); |
316 | | |
317 | 44.4k | if (mt == INVALID) |
318 | 0 | return NULL; |
319 | | |
320 | 44.4k | return &state_machine[mt]; |
321 | 44.4k | } |
322 | | |
323 | | static int |
324 | | tls13_handshake_advance_state_machine(struct tls13_ctx *ctx) |
325 | 6.43k | { |
326 | 6.43k | if (++ctx->handshake_stage.message_number >= TLS13_NUM_MESSAGE_TYPES) |
327 | 0 | return 0; |
328 | | |
329 | 6.43k | return 1; |
330 | 6.43k | } |
331 | | |
332 | | static int |
333 | | tls13_handshake_end_of_flight(struct tls13_ctx *ctx, |
334 | | const struct tls13_handshake_action *previous) |
335 | 6.23k | { |
336 | 6.23k | const struct tls13_handshake_action *current; |
337 | | |
338 | 6.23k | if ((current = tls13_handshake_active_action(ctx)) == NULL) |
339 | 0 | return 1; |
340 | | |
341 | 6.23k | return current->sender != previous->sender; |
342 | 6.23k | } |
343 | | |
344 | | int |
345 | | tls13_handshake_msg_record(struct tls13_ctx *ctx) |
346 | 20.0k | { |
347 | 20.0k | CBS cbs; |
348 | | |
349 | 20.0k | tls13_handshake_msg_data(ctx->hs_msg, &cbs); |
350 | 20.0k | return tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs)); |
351 | 20.0k | } |
352 | | |
353 | | int |
354 | | tls13_handshake_perform(struct tls13_ctx *ctx) |
355 | 9.47k | { |
356 | 9.47k | const struct tls13_handshake_action *action; |
357 | 9.47k | int sending; |
358 | 9.47k | int ret; |
359 | | |
360 | 9.47k | if (!ctx->handshake_started) { |
361 | | /* |
362 | | * Set legacy state to connect/accept and call info callback |
363 | | * to signal that the handshake started. |
364 | | */ |
365 | 9.47k | if (!tls13_handshake_set_legacy_state(ctx)) |
366 | 0 | return TLS13_IO_FAILURE; |
367 | 9.47k | if (!tls13_handshake_legacy_info_callback(ctx)) |
368 | 0 | return TLS13_IO_FAILURE; |
369 | | |
370 | 9.47k | ctx->handshake_started = 1; |
371 | | |
372 | | /* Set legacy state for initial ClientHello read or write. */ |
373 | 9.47k | if (!tls13_handshake_set_legacy_state(ctx)) |
374 | 0 | return TLS13_IO_FAILURE; |
375 | 9.47k | } |
376 | | |
377 | 15.9k | for (;;) { |
378 | 15.9k | if ((action = tls13_handshake_active_action(ctx)) == NULL) |
379 | 0 | return TLS13_IO_FAILURE; |
380 | | |
381 | 15.9k | if (ctx->need_flush) { |
382 | 5.82k | if ((ret = tls13_record_layer_flush(ctx->rl)) != |
383 | 5.82k | TLS13_IO_SUCCESS) |
384 | 0 | return ret; |
385 | 5.82k | ctx->need_flush = 0; |
386 | 5.82k | } |
387 | | |
388 | 15.9k | if (action->handshake_complete) { |
389 | 0 | ctx->handshake_completed = 1; |
390 | 0 | tls13_record_layer_handshake_completed(ctx->rl); |
391 | |
|
392 | 0 | if (!tls13_handshake_set_legacy_state(ctx)) |
393 | 0 | return TLS13_IO_FAILURE; |
394 | 0 | if (!tls13_handshake_legacy_info_callback(ctx)) |
395 | 0 | return TLS13_IO_FAILURE; |
396 | | |
397 | 0 | return TLS13_IO_SUCCESS; |
398 | 0 | } |
399 | | |
400 | 15.9k | sending = action->sender == ctx->mode; |
401 | | |
402 | 15.9k | DEBUGF("%s %s %s\n", tls13_handshake_mode_name(ctx->mode), |
403 | 15.9k | sending ? "sending" : "receiving", |
404 | 15.9k | tls13_handshake_message_name(action->handshake_type)); |
405 | | |
406 | 15.9k | if (ctx->alert != 0) |
407 | 0 | return tls13_send_alert(ctx->rl, ctx->alert); |
408 | | |
409 | 15.9k | if (sending) |
410 | 6.26k | ret = tls13_handshake_send_action(ctx, action); |
411 | 9.64k | else |
412 | 9.64k | ret = tls13_handshake_recv_action(ctx, action); |
413 | | |
414 | 15.9k | if (ctx->alert != 0) |
415 | 262 | return tls13_send_alert(ctx->rl, ctx->alert); |
416 | | |
417 | 15.6k | if (ret <= 0) { |
418 | 9.21k | DEBUGF("%s %s returned %d\n", |
419 | 9.21k | tls13_handshake_mode_name(ctx->mode), |
420 | 9.21k | (action->sender == ctx->mode) ? "send" : "recv", |
421 | 9.21k | ret); |
422 | 9.21k | return ret; |
423 | 9.21k | } |
424 | | |
425 | 6.43k | if (!tls13_handshake_legacy_info_callback(ctx)) |
426 | 0 | return TLS13_IO_FAILURE; |
427 | | |
428 | 6.43k | if (!tls13_handshake_advance_state_machine(ctx)) |
429 | 0 | return TLS13_IO_FAILURE; |
430 | | |
431 | 6.43k | if (sending) |
432 | 6.23k | ctx->need_flush = tls13_handshake_end_of_flight(ctx, |
433 | 6.23k | action); |
434 | | |
435 | 6.43k | if (!tls13_handshake_set_legacy_state(ctx)) |
436 | 0 | return TLS13_IO_FAILURE; |
437 | 6.43k | } |
438 | 9.47k | } |
439 | | |
440 | | static int |
441 | | tls13_handshake_send_action(struct tls13_ctx *ctx, |
442 | | const struct tls13_handshake_action *action) |
443 | 6.26k | { |
444 | 6.26k | ssize_t ret; |
445 | 6.26k | CBB cbb; |
446 | | |
447 | 6.26k | if (ctx->send_dummy_ccs) { |
448 | 0 | if ((ret = tls13_send_dummy_ccs(ctx->rl)) != TLS13_IO_SUCCESS) |
449 | 0 | return ret; |
450 | 0 | ctx->send_dummy_ccs = 0; |
451 | 0 | if (ctx->send_dummy_ccs_after) { |
452 | 0 | ctx->send_dummy_ccs_after = 0; |
453 | 0 | return TLS13_IO_SUCCESS; |
454 | 0 | } |
455 | 0 | } |
456 | | |
457 | | /* If we have no handshake message, we need to build one. */ |
458 | 6.26k | if (ctx->hs_msg == NULL) { |
459 | 6.26k | if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL) |
460 | 0 | return TLS13_IO_FAILURE; |
461 | 6.26k | if (!tls13_handshake_msg_start(ctx->hs_msg, &cbb, |
462 | 6.26k | action->handshake_type)) |
463 | 0 | return TLS13_IO_FAILURE; |
464 | 6.26k | if (!action->send(ctx, &cbb)) |
465 | 25 | return TLS13_IO_FAILURE; |
466 | 6.23k | if (!tls13_handshake_msg_finish(ctx->hs_msg)) |
467 | 0 | return TLS13_IO_FAILURE; |
468 | 6.23k | } |
469 | | |
470 | 6.23k | if ((ret = tls13_handshake_msg_send(ctx->hs_msg, ctx->rl)) <= 0) |
471 | 0 | return ret; |
472 | | |
473 | 6.23k | if (!tls13_handshake_msg_record(ctx)) |
474 | 0 | return TLS13_IO_FAILURE; |
475 | | |
476 | 6.23k | if (action->send_preserve_transcript_hash) { |
477 | 184 | if (!tls1_transcript_hash_value(ctx->ssl, |
478 | 184 | ctx->hs->tls13.transcript_hash, |
479 | 184 | sizeof(ctx->hs->tls13.transcript_hash), |
480 | 184 | &ctx->hs->tls13.transcript_hash_len)) |
481 | 0 | return TLS13_IO_FAILURE; |
482 | 184 | } |
483 | | |
484 | 6.23k | if (ctx->handshake_message_sent_cb != NULL) |
485 | 6.23k | ctx->handshake_message_sent_cb(ctx); |
486 | | |
487 | 6.23k | tls13_handshake_msg_free(ctx->hs_msg); |
488 | 6.23k | ctx->hs_msg = NULL; |
489 | | |
490 | 6.23k | if (action->sent != NULL && !action->sent(ctx)) |
491 | 1 | return TLS13_IO_FAILURE; |
492 | | |
493 | 6.23k | if (ctx->send_dummy_ccs_after) { |
494 | 57 | ctx->send_dummy_ccs = 1; |
495 | 57 | if ((ret = tls13_send_dummy_ccs(ctx->rl)) != TLS13_IO_SUCCESS) |
496 | 0 | return ret; |
497 | 57 | ctx->send_dummy_ccs = 0; |
498 | 57 | ctx->send_dummy_ccs_after = 0; |
499 | 57 | } |
500 | | |
501 | 6.23k | return TLS13_IO_SUCCESS; |
502 | 6.23k | } |
503 | | |
504 | | static int |
505 | | tls13_handshake_recv_action(struct tls13_ctx *ctx, |
506 | | const struct tls13_handshake_action *action) |
507 | 9.64k | { |
508 | 9.64k | uint8_t msg_type; |
509 | 9.64k | ssize_t ret; |
510 | 9.64k | CBS cbs; |
511 | | |
512 | 9.64k | if (ctx->hs_msg == NULL) { |
513 | 9.64k | if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL) |
514 | 0 | return TLS13_IO_FAILURE; |
515 | 9.64k | } |
516 | | |
517 | 9.64k | if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) <= 0) |
518 | 946 | return ret; |
519 | | |
520 | 8.70k | if (action->recv_preserve_transcript_hash) { |
521 | 8 | if (!tls1_transcript_hash_value(ctx->ssl, |
522 | 8 | ctx->hs->tls13.transcript_hash, |
523 | 8 | sizeof(ctx->hs->tls13.transcript_hash), |
524 | 8 | &ctx->hs->tls13.transcript_hash_len)) |
525 | 0 | return TLS13_IO_FAILURE; |
526 | 8 | } |
527 | | |
528 | 8.70k | if (!tls13_handshake_msg_record(ctx)) |
529 | 0 | return TLS13_IO_FAILURE; |
530 | | |
531 | 8.70k | if (ctx->handshake_message_recv_cb != NULL) |
532 | 8.70k | ctx->handshake_message_recv_cb(ctx); |
533 | | |
534 | | /* |
535 | | * In TLSv1.3 there is no way to know if you're going to receive a |
536 | | * certificate request message or not, hence we have to special case it |
537 | | * here. The receive handler also knows how to deal with this situation. |
538 | | */ |
539 | 8.70k | msg_type = tls13_handshake_msg_type(ctx->hs_msg); |
540 | 8.70k | if (msg_type != action->handshake_type && |
541 | 8.70k | (msg_type != TLS13_MT_CERTIFICATE || |
542 | 55 | action->handshake_type != TLS13_MT_CERTIFICATE_REQUEST)) |
543 | 55 | return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE); |
544 | | |
545 | 8.64k | if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs)) |
546 | 0 | return TLS13_IO_FAILURE; |
547 | | |
548 | 8.64k | ret = TLS13_IO_FAILURE; |
549 | 8.64k | if (!action->recv(ctx, &cbs)) |
550 | 270 | goto err; |
551 | | |
552 | 8.37k | if (CBS_len(&cbs) != 0) { |
553 | 1 | tls13_set_errorx(ctx, TLS13_ERR_TRAILING_DATA, 0, |
554 | 1 | "trailing data in handshake message", NULL); |
555 | 1 | ctx->alert = TLS13_ALERT_DECODE_ERROR; |
556 | 1 | goto err; |
557 | 1 | } |
558 | | |
559 | 8.37k | ret = TLS13_IO_SUCCESS; |
560 | 8.37k | if (ctx->ssl->method->version < TLS1_3_VERSION) |
561 | 8.18k | ret = TLS13_IO_USE_LEGACY; |
562 | | |
563 | 8.64k | err: |
564 | 8.64k | tls13_handshake_msg_free(ctx->hs_msg); |
565 | 8.64k | ctx->hs_msg = NULL; |
566 | | |
567 | 8.64k | return ret; |
568 | 8.37k | } |
569 | | |
570 | | struct tls13_handshake_legacy_state { |
571 | | int recv; |
572 | | int send; |
573 | | }; |
574 | | |
575 | | static const struct tls13_handshake_legacy_state legacy_states[] = { |
576 | | [CLIENT_HELLO] = { |
577 | | .recv = SSL3_ST_SR_CLNT_HELLO_A, |
578 | | .send = SSL3_ST_CW_CLNT_HELLO_A, |
579 | | }, |
580 | | [SERVER_HELLO_RETRY_REQUEST] = { |
581 | | .recv = SSL3_ST_CR_SRVR_HELLO_A, |
582 | | .send = SSL3_ST_SW_SRVR_HELLO_A, |
583 | | }, |
584 | | [CLIENT_HELLO_RETRY] = { |
585 | | .recv = SSL3_ST_SR_CLNT_HELLO_A, |
586 | | .send = SSL3_ST_CW_CLNT_HELLO_A, |
587 | | }, |
588 | | [SERVER_HELLO] = { |
589 | | .recv = SSL3_ST_CR_SRVR_HELLO_A, |
590 | | .send = SSL3_ST_SW_SRVR_HELLO_A, |
591 | | }, |
592 | | [SERVER_ENCRYPTED_EXTENSIONS] = { |
593 | | .send = 0, |
594 | | .recv = 0, |
595 | | }, |
596 | | [SERVER_CERTIFICATE_REQUEST] = { |
597 | | .recv = SSL3_ST_CR_CERT_REQ_A, |
598 | | .send = SSL3_ST_SW_CERT_REQ_A, |
599 | | }, |
600 | | [SERVER_CERTIFICATE] = { |
601 | | .recv = SSL3_ST_CR_CERT_A, |
602 | | .send = SSL3_ST_SW_CERT_A, |
603 | | }, |
604 | | [SERVER_CERTIFICATE_VERIFY] = { |
605 | | .send = 0, |
606 | | .recv = 0, |
607 | | }, |
608 | | [SERVER_FINISHED] = { |
609 | | .recv = SSL3_ST_CR_FINISHED_A, |
610 | | .send = SSL3_ST_SW_FINISHED_A, |
611 | | }, |
612 | | [CLIENT_END_OF_EARLY_DATA] = { |
613 | | .send = 0, |
614 | | .recv = 0, |
615 | | }, |
616 | | [CLIENT_CERTIFICATE] = { |
617 | | .recv = SSL3_ST_SR_CERT_VRFY_A, |
618 | | .send = SSL3_ST_CW_CERT_VRFY_B, |
619 | | }, |
620 | | [CLIENT_CERTIFICATE_VERIFY] = { |
621 | | .send = 0, |
622 | | .recv = 0, |
623 | | }, |
624 | | [CLIENT_FINISHED] = { |
625 | | .recv = SSL3_ST_SR_FINISHED_A, |
626 | | .send = SSL3_ST_CW_FINISHED_A, |
627 | | }, |
628 | | [APPLICATION_DATA] = { |
629 | | .recv = 0, |
630 | | .send = 0, |
631 | | }, |
632 | | }; |
633 | | |
634 | | CTASSERT(sizeof(state_machine) / sizeof(state_machine[0]) == |
635 | | sizeof(legacy_states) / sizeof(legacy_states[0])); |
636 | | |
637 | | static int |
638 | | tls13_handshake_legacy_state(struct tls13_ctx *ctx, int *out_state) |
639 | 41.2k | { |
640 | 41.2k | const struct tls13_handshake_action *action; |
641 | 41.2k | enum tls13_message_type mt; |
642 | | |
643 | 41.2k | *out_state = 0; |
644 | | |
645 | 41.2k | if (!ctx->handshake_started) { |
646 | 18.9k | if (ctx->mode == TLS13_HS_CLIENT) |
647 | 11.3k | *out_state = SSL_ST_CONNECT; |
648 | 7.64k | else |
649 | 7.64k | *out_state = SSL_ST_ACCEPT; |
650 | | |
651 | 18.9k | return 1; |
652 | 18.9k | } |
653 | | |
654 | 22.3k | if (ctx->handshake_completed) { |
655 | 0 | *out_state = SSL_ST_OK; |
656 | 0 | return 1; |
657 | 0 | } |
658 | | |
659 | 22.3k | if ((mt = tls13_handshake_active_state(ctx)) == INVALID) |
660 | 0 | return 0; |
661 | | |
662 | 22.3k | if ((action = tls13_handshake_active_action(ctx)) == NULL) |
663 | 0 | return 0; |
664 | | |
665 | 22.3k | if (action->sender == ctx->mode) |
666 | 12.4k | *out_state = legacy_states[mt].send; |
667 | 9.84k | else |
668 | 9.84k | *out_state = legacy_states[mt].recv; |
669 | | |
670 | 22.3k | return 1; |
671 | 22.3k | } |
672 | | |
673 | | static int |
674 | | tls13_handshake_info_position(struct tls13_ctx *ctx) |
675 | 15.7k | { |
676 | 15.7k | if (!ctx->handshake_started) |
677 | 9.47k | return TLS13_INFO_HANDSHAKE_STARTED; |
678 | | |
679 | 6.22k | if (ctx->handshake_completed) |
680 | 0 | return TLS13_INFO_HANDSHAKE_COMPLETED; |
681 | | |
682 | 6.22k | if (ctx->mode == TLS13_HS_CLIENT) |
683 | 5.65k | return TLS13_INFO_CONNECT_LOOP; |
684 | 569 | else |
685 | 569 | return TLS13_INFO_ACCEPT_LOOP; |
686 | 6.22k | } |
687 | | |
688 | | static int |
689 | | tls13_handshake_legacy_info_callback(struct tls13_ctx *ctx) |
690 | 15.9k | { |
691 | 15.9k | int state, where; |
692 | | |
693 | 15.9k | if (!tls13_handshake_legacy_state(ctx, &state)) |
694 | 0 | return 0; |
695 | | |
696 | | /* Do nothing if there's no corresponding legacy state. */ |
697 | 15.9k | if (state == 0) |
698 | 205 | return 1; |
699 | | |
700 | 15.7k | if (ctx->info_cb != NULL) { |
701 | 15.7k | where = tls13_handshake_info_position(ctx); |
702 | 15.7k | ctx->info_cb(ctx, where, 1); |
703 | 15.7k | } |
704 | | |
705 | 15.7k | return 1; |
706 | 15.9k | } |
707 | | |
708 | | static int |
709 | | tls13_handshake_set_legacy_state(struct tls13_ctx *ctx) |
710 | 25.3k | { |
711 | 25.3k | int state; |
712 | | |
713 | 25.3k | if (!tls13_handshake_legacy_state(ctx, &state)) |
714 | 0 | return 0; |
715 | | |
716 | | /* Do nothing if there's no corresponding legacy state. */ |
717 | 25.3k | if (state == 0) |
718 | 205 | return 1; |
719 | | |
720 | 25.1k | ctx->hs->state = state; |
721 | | |
722 | 25.1k | return 1; |
723 | 25.3k | } |