1 /*	$OpenBSD: tls13_handshake.c,v 1.71 2022/04/19 17:01:43 tb Exp $	*/
2 /*
3  * Copyright (c) 2018-2021 Theo Buehler <tb@openbsd.org>
4  * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
5  *
6  * Permission to use, copy, modify, and distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 #include <stddef.h>
20 
21 #include "ssl_locl.h"
22 #include "tls13_handshake.h"
23 #include "tls13_internal.h"
24 
25 /* Based on RFC 8446 and inspired by s2n's TLS 1.2 state machine. */
26 
27 struct tls13_handshake_action {
28 	uint8_t	handshake_type;
29 	uint8_t	sender;
30 	uint8_t	handshake_complete;
31 	uint8_t	send_preserve_transcript_hash;
32 	uint8_t	recv_preserve_transcript_hash;
33 
34 	int (*send)(struct tls13_ctx *ctx, CBB *cbb);
35 	int (*sent)(struct tls13_ctx *ctx);
36 	int (*recv)(struct tls13_ctx *ctx, CBS *cbs);
37 };
38 
39 static enum tls13_message_type
40     tls13_handshake_active_state(struct tls13_ctx *ctx);
41 
42 static const struct tls13_handshake_action *
43     tls13_handshake_active_action(struct tls13_ctx *ctx);
44 static int tls13_handshake_advance_state_machine(struct tls13_ctx *ctx);
45 
46 static int tls13_handshake_send_action(struct tls13_ctx *ctx,
47     const struct tls13_handshake_action *action);
48 static int tls13_handshake_recv_action(struct tls13_ctx *ctx,
49     const struct tls13_handshake_action *action);
50 
51 static int tls13_handshake_set_legacy_state(struct tls13_ctx *ctx);
52 static int tls13_handshake_legacy_info_callback(struct tls13_ctx *ctx);
53 
54 static const struct tls13_handshake_action state_machine[] = {
55 	[CLIENT_HELLO] = {
56 		.handshake_type = TLS13_MT_CLIENT_HELLO,
57 		.sender = TLS13_HS_CLIENT,
58 		.send = tls13_client_hello_send,
59 		.sent = tls13_client_hello_sent,
60 		.recv = tls13_client_hello_recv,
61 	},
62 	[CLIENT_HELLO_RETRY] = {
63 		.handshake_type = TLS13_MT_CLIENT_HELLO,
64 		.sender = TLS13_HS_CLIENT,
65 		.send = tls13_client_hello_retry_send,
66 		.recv = tls13_client_hello_retry_recv,
67 	},
68 	[CLIENT_END_OF_EARLY_DATA] = {
69 		.handshake_type = TLS13_MT_END_OF_EARLY_DATA,
70 		.sender = TLS13_HS_CLIENT,
71 		.send = tls13_client_end_of_early_data_send,
72 		.recv = tls13_client_end_of_early_data_recv,
73 	},
74 	[CLIENT_CERTIFICATE] = {
75 		.handshake_type = TLS13_MT_CERTIFICATE,
76 		.sender = TLS13_HS_CLIENT,
77 		.send_preserve_transcript_hash = 1,
78 		.send = tls13_client_certificate_send,
79 		.recv = tls13_client_certificate_recv,
80 	},
81 	[CLIENT_CERTIFICATE_VERIFY] = {
82 		.handshake_type = TLS13_MT_CERTIFICATE_VERIFY,
83 		.sender = TLS13_HS_CLIENT,
84 		.recv_preserve_transcript_hash = 1,
85 		.send = tls13_client_certificate_verify_send,
86 		.recv = tls13_client_certificate_verify_recv,
87 	},
88 	[CLIENT_FINISHED] = {
89 		.handshake_type = TLS13_MT_FINISHED,
90 		.sender = TLS13_HS_CLIENT,
91 		.recv_preserve_transcript_hash = 1,
92 		.send = tls13_client_finished_send,
93 		.sent = tls13_client_finished_sent,
94 		.recv = tls13_client_finished_recv,
95 	},
96 	[SERVER_HELLO] = {
97 		.handshake_type = TLS13_MT_SERVER_HELLO,
98 		.sender = TLS13_HS_SERVER,
99 		.send = tls13_server_hello_send,
100 		.sent = tls13_server_hello_sent,
101 		.recv = tls13_server_hello_recv,
102 	},
103 	[SERVER_HELLO_RETRY_REQUEST] = {
104 		.handshake_type = TLS13_MT_SERVER_HELLO,
105 		.sender = TLS13_HS_SERVER,
106 		.send = tls13_server_hello_retry_request_send,
107 		.recv = tls13_server_hello_retry_request_recv,
108 		.sent = tls13_server_hello_retry_request_sent,
109 	},
110 	[SERVER_ENCRYPTED_EXTENSIONS] = {
111 		.handshake_type = TLS13_MT_ENCRYPTED_EXTENSIONS,
112 		.sender = TLS13_HS_SERVER,
113 		.send = tls13_server_encrypted_extensions_send,
114 		.recv = tls13_server_encrypted_extensions_recv,
115 	},
116 	[SERVER_CERTIFICATE] = {
117 		.handshake_type = TLS13_MT_CERTIFICATE,
118 		.sender = TLS13_HS_SERVER,
119 		.send_preserve_transcript_hash = 1,
120 		.send = tls13_server_certificate_send,
121 		.recv = tls13_server_certificate_recv,
122 	},
123 	[SERVER_CERTIFICATE_REQUEST] = {
124 		.handshake_type = TLS13_MT_CERTIFICATE_REQUEST,
125 		.sender = TLS13_HS_SERVER,
126 		.send = tls13_server_certificate_request_send,
127 		.recv = tls13_server_certificate_request_recv,
128 	},
129 	[SERVER_CERTIFICATE_VERIFY] = {
130 		.handshake_type = TLS13_MT_CERTIFICATE_VERIFY,
131 		.sender = TLS13_HS_SERVER,
132 		.recv_preserve_transcript_hash = 1,
133 		.send = tls13_server_certificate_verify_send,
134 		.recv = tls13_server_certificate_verify_recv,
135 	},
136 	[SERVER_FINISHED] = {
137 		.handshake_type = TLS13_MT_FINISHED,
138 		.sender = TLS13_HS_SERVER,
139 		.recv_preserve_transcript_hash = 1,
140 		.send_preserve_transcript_hash = 1,
141 		.send = tls13_server_finished_send,
142 		.sent = tls13_server_finished_sent,
143 		.recv = tls13_server_finished_recv,
144 	},
145 	[APPLICATION_DATA] = {
146 		.handshake_complete = 1,
147 	},
148 };
149 
150 const enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
151 	[INITIAL] = {
152 		CLIENT_HELLO,
153 		SERVER_HELLO_RETRY_REQUEST,
154 		CLIENT_HELLO_RETRY,
155 		SERVER_HELLO,
156 	},
157 	[NEGOTIATED] = {
158 		CLIENT_HELLO,
159 		SERVER_HELLO_RETRY_REQUEST,
160 		CLIENT_HELLO_RETRY,
161 		SERVER_HELLO,
162 		SERVER_ENCRYPTED_EXTENSIONS,
163 		SERVER_CERTIFICATE_REQUEST,
164 		SERVER_CERTIFICATE,
165 		SERVER_CERTIFICATE_VERIFY,
166 		SERVER_FINISHED,
167 		CLIENT_CERTIFICATE,
168 		CLIENT_FINISHED,
169 		APPLICATION_DATA,
170 	},
171 	[NEGOTIATED | WITHOUT_HRR] = {
172 		CLIENT_HELLO,
173 		SERVER_HELLO,
174 		SERVER_ENCRYPTED_EXTENSIONS,
175 		SERVER_CERTIFICATE_REQUEST,
176 		SERVER_CERTIFICATE,
177 		SERVER_CERTIFICATE_VERIFY,
178 		SERVER_FINISHED,
179 		CLIENT_CERTIFICATE,
180 		CLIENT_FINISHED,
181 		APPLICATION_DATA,
182 	},
183 	[NEGOTIATED | WITHOUT_CR] = {
184 		CLIENT_HELLO,
185 		SERVER_HELLO_RETRY_REQUEST,
186 		CLIENT_HELLO_RETRY,
187 		SERVER_HELLO,
188 		SERVER_ENCRYPTED_EXTENSIONS,
189 		SERVER_CERTIFICATE,
190 		SERVER_CERTIFICATE_VERIFY,
191 		SERVER_FINISHED,
192 		CLIENT_FINISHED,
193 		APPLICATION_DATA,
194 	},
195 	[NEGOTIATED | WITHOUT_HRR | WITHOUT_CR] = {
196 		CLIENT_HELLO,
197 		SERVER_HELLO,
198 		SERVER_ENCRYPTED_EXTENSIONS,
199 		SERVER_CERTIFICATE,
200 		SERVER_CERTIFICATE_VERIFY,
201 		SERVER_FINISHED,
202 		CLIENT_FINISHED,
203 		APPLICATION_DATA,
204 	},
205 	[NEGOTIATED | WITH_PSK] = {
206 		CLIENT_HELLO,
207 		SERVER_HELLO_RETRY_REQUEST,
208 		CLIENT_HELLO_RETRY,
209 		SERVER_HELLO,
210 		SERVER_ENCRYPTED_EXTENSIONS,
211 		SERVER_FINISHED,
212 		CLIENT_FINISHED,
213 		APPLICATION_DATA,
214 	},
215 	[NEGOTIATED | WITHOUT_HRR | WITH_PSK] = {
216 		CLIENT_HELLO,
217 		SERVER_HELLO,
218 		SERVER_ENCRYPTED_EXTENSIONS,
219 		SERVER_FINISHED,
220 		CLIENT_FINISHED,
221 		APPLICATION_DATA,
222 	},
223 	[NEGOTIATED | WITH_CCV] = {
224 		CLIENT_HELLO,
225 		SERVER_HELLO_RETRY_REQUEST,
226 		CLIENT_HELLO_RETRY,
227 		SERVER_HELLO,
228 		SERVER_ENCRYPTED_EXTENSIONS,
229 		SERVER_CERTIFICATE_REQUEST,
230 		SERVER_CERTIFICATE,
231 		SERVER_CERTIFICATE_VERIFY,
232 		SERVER_FINISHED,
233 		CLIENT_CERTIFICATE,
234 		CLIENT_CERTIFICATE_VERIFY,
235 		CLIENT_FINISHED,
236 		APPLICATION_DATA,
237 	},
238 	[NEGOTIATED | WITHOUT_HRR | WITH_CCV] = {
239 		CLIENT_HELLO,
240 		SERVER_HELLO,
241 		SERVER_ENCRYPTED_EXTENSIONS,
242 		SERVER_CERTIFICATE_REQUEST,
243 		SERVER_CERTIFICATE,
244 		SERVER_CERTIFICATE_VERIFY,
245 		SERVER_FINISHED,
246 		CLIENT_CERTIFICATE,
247 		CLIENT_CERTIFICATE_VERIFY,
248 		CLIENT_FINISHED,
249 		APPLICATION_DATA,
250 	},
251 };
252 
253 const size_t handshake_count = sizeof(handshakes) / sizeof(handshakes[0]);
254 
255 #ifndef TLS13_DEBUG
256 #define DEBUGF(...)
257 #else
258 #define DEBUGF(...) fprintf(stderr, __VA_ARGS__)
259 
260 static const char *
tls13_handshake_mode_name(uint8_t mode)261 tls13_handshake_mode_name(uint8_t mode)
262 {
263 	switch (mode) {
264 	case TLS13_HS_CLIENT:
265 		return "Client";
266 	case TLS13_HS_SERVER:
267 		return "Server";
268 	}
269 	return "Unknown";
270 }
271 
272 static const char *
tls13_handshake_message_name(uint8_t msg_type)273 tls13_handshake_message_name(uint8_t msg_type)
274 {
275 	switch (msg_type) {
276 	case TLS13_MT_CLIENT_HELLO:
277 		return "ClientHello";
278 	case TLS13_MT_SERVER_HELLO:
279 		return "ServerHello";
280 	case TLS13_MT_NEW_SESSION_TICKET:
281 		return "NewSessionTicket";
282 	case TLS13_MT_END_OF_EARLY_DATA:
283 		return "EndOfEarlyData";
284 	case TLS13_MT_ENCRYPTED_EXTENSIONS:
285 		return "EncryptedExtensions";
286 	case TLS13_MT_CERTIFICATE:
287 		return "Certificate";
288 	case TLS13_MT_CERTIFICATE_REQUEST:
289 		return "CertificateRequest";
290 	case TLS13_MT_CERTIFICATE_VERIFY:
291 		return "CertificateVerify";
292 	case TLS13_MT_FINISHED:
293 		return "Finished";
294 	}
295 	return "Unknown";
296 }
297 #endif
298 
299 static enum tls13_message_type
tls13_handshake_active_state(struct tls13_ctx * ctx)300 tls13_handshake_active_state(struct tls13_ctx *ctx)
301 {
302 	struct tls13_handshake_stage hs = ctx->handshake_stage;
303 
304 	if (hs.hs_type >= handshake_count)
305 		return INVALID;
306 	if (hs.message_number >= TLS13_NUM_MESSAGE_TYPES)
307 		return INVALID;
308 
309 	return handshakes[hs.hs_type][hs.message_number];
310 }
311 
312 static const struct tls13_handshake_action *
tls13_handshake_active_action(struct tls13_ctx * ctx)313 tls13_handshake_active_action(struct tls13_ctx *ctx)
314 {
315 	enum tls13_message_type mt = tls13_handshake_active_state(ctx);
316 
317 	if (mt == INVALID)
318 		return NULL;
319 
320 	return &state_machine[mt];
321 }
322 
323 static int
tls13_handshake_advance_state_machine(struct tls13_ctx * ctx)324 tls13_handshake_advance_state_machine(struct tls13_ctx *ctx)
325 {
326 	if (++ctx->handshake_stage.message_number >= TLS13_NUM_MESSAGE_TYPES)
327 		return 0;
328 
329 	return 1;
330 }
331 
332 static int
tls13_handshake_end_of_flight(struct tls13_ctx * ctx,const struct tls13_handshake_action * previous)333 tls13_handshake_end_of_flight(struct tls13_ctx *ctx,
334     const struct tls13_handshake_action *previous)
335 {
336 	const struct tls13_handshake_action *current;
337 
338 	if ((current = tls13_handshake_active_action(ctx)) == NULL)
339 		return 1;
340 
341 	return current->sender != previous->sender;
342 }
343 
344 int
tls13_handshake_msg_record(struct tls13_ctx * ctx)345 tls13_handshake_msg_record(struct tls13_ctx *ctx)
346 {
347 	CBS cbs;
348 
349 	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
350 	return tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs));
351 }
352 
353 int
tls13_handshake_perform(struct tls13_ctx * ctx)354 tls13_handshake_perform(struct tls13_ctx *ctx)
355 {
356 	const struct tls13_handshake_action *action;
357 	int sending;
358 	int ret;
359 
360 	if (!ctx->handshake_started) {
361 		/*
362 		 * Set legacy state to connect/accept and call info callback
363 		 * to signal that the handshake started.
364 		 */
365 		if (!tls13_handshake_set_legacy_state(ctx))
366 			return TLS13_IO_FAILURE;
367 		if (!tls13_handshake_legacy_info_callback(ctx))
368 			return TLS13_IO_FAILURE;
369 
370 		ctx->handshake_started = 1;
371 
372 		/* Set legacy state for initial ClientHello read or write. */
373 		if (!tls13_handshake_set_legacy_state(ctx))
374 			return TLS13_IO_FAILURE;
375 	}
376 
377 	for (;;) {
378 		if ((action = tls13_handshake_active_action(ctx)) == NULL)
379 			return TLS13_IO_FAILURE;
380 
381 		if (ctx->need_flush) {
382 			if ((ret = tls13_record_layer_flush(ctx->rl)) !=
383 			    TLS13_IO_SUCCESS)
384 				return ret;
385 			ctx->need_flush = 0;
386 		}
387 
388 		if (action->handshake_complete) {
389 			ctx->handshake_completed = 1;
390 			tls13_record_layer_handshake_completed(ctx->rl);
391 
392 			if (!tls13_handshake_set_legacy_state(ctx))
393 				return TLS13_IO_FAILURE;
394 			if (!tls13_handshake_legacy_info_callback(ctx))
395 				return TLS13_IO_FAILURE;
396 
397 			return TLS13_IO_SUCCESS;
398 		}
399 
400 		sending = action->sender == ctx->mode;
401 
402 		DEBUGF("%s %s %s\n", tls13_handshake_mode_name(ctx->mode),
403 		    sending ? "sending" : "receiving",
404 		    tls13_handshake_message_name(action->handshake_type));
405 
406 		if (ctx->alert != 0)
407 			return tls13_send_alert(ctx->rl, ctx->alert);
408 
409 		if (sending)
410 			ret = tls13_handshake_send_action(ctx, action);
411 		else
412 			ret = tls13_handshake_recv_action(ctx, action);
413 
414 		if (ctx->alert != 0)
415 			return tls13_send_alert(ctx->rl, ctx->alert);
416 
417 		if (ret <= 0) {
418 			DEBUGF("%s %s returned %d\n",
419 			    tls13_handshake_mode_name(ctx->mode),
420 			    (action->sender == ctx->mode) ? "send" : "recv",
421 			    ret);
422 			return ret;
423 		}
424 
425 		if (!tls13_handshake_legacy_info_callback(ctx))
426 			return TLS13_IO_FAILURE;
427 
428 		if (!tls13_handshake_advance_state_machine(ctx))
429 			return TLS13_IO_FAILURE;
430 
431 		if (sending)
432 			ctx->need_flush = tls13_handshake_end_of_flight(ctx,
433 			    action);
434 
435 		if (!tls13_handshake_set_legacy_state(ctx))
436 			return TLS13_IO_FAILURE;
437 	}
438 }
439 
440 static int
tls13_handshake_send_action(struct tls13_ctx * ctx,const struct tls13_handshake_action * action)441 tls13_handshake_send_action(struct tls13_ctx *ctx,
442     const struct tls13_handshake_action *action)
443 {
444 	ssize_t ret;
445 	CBB cbb;
446 
447 	if (ctx->send_dummy_ccs) {
448 		if ((ret = tls13_send_dummy_ccs(ctx->rl)) != TLS13_IO_SUCCESS)
449 			return ret;
450 		ctx->send_dummy_ccs = 0;
451 		if (ctx->send_dummy_ccs_after) {
452 			ctx->send_dummy_ccs_after = 0;
453 			return TLS13_IO_SUCCESS;
454 		}
455 	}
456 
457 	/* If we have no handshake message, we need to build one. */
458 	if (ctx->hs_msg == NULL) {
459 		if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL)
460 			return TLS13_IO_FAILURE;
461 		if (!tls13_handshake_msg_start(ctx->hs_msg, &cbb,
462 		    action->handshake_type))
463 			return TLS13_IO_FAILURE;
464 		if (!action->send(ctx, &cbb))
465 			return TLS13_IO_FAILURE;
466 		if (!tls13_handshake_msg_finish(ctx->hs_msg))
467 			return TLS13_IO_FAILURE;
468 	}
469 
470 	if ((ret = tls13_handshake_msg_send(ctx->hs_msg, ctx->rl)) <= 0)
471 		return ret;
472 
473 	if (!tls13_handshake_msg_record(ctx))
474 		return TLS13_IO_FAILURE;
475 
476 	if (action->send_preserve_transcript_hash) {
477 		if (!tls1_transcript_hash_value(ctx->ssl,
478 		    ctx->hs->tls13.transcript_hash,
479 		    sizeof(ctx->hs->tls13.transcript_hash),
480 		    &ctx->hs->tls13.transcript_hash_len))
481 			return TLS13_IO_FAILURE;
482 	}
483 
484 	if (ctx->handshake_message_sent_cb != NULL)
485 		ctx->handshake_message_sent_cb(ctx);
486 
487 	tls13_handshake_msg_free(ctx->hs_msg);
488 	ctx->hs_msg = NULL;
489 
490 	if (action->sent != NULL && !action->sent(ctx))
491 		return TLS13_IO_FAILURE;
492 
493 	if (ctx->send_dummy_ccs_after) {
494 		ctx->send_dummy_ccs = 1;
495 		if ((ret = tls13_send_dummy_ccs(ctx->rl)) != TLS13_IO_SUCCESS)
496 			return ret;
497 		ctx->send_dummy_ccs = 0;
498 		ctx->send_dummy_ccs_after = 0;
499 	}
500 
501 	return TLS13_IO_SUCCESS;
502 }
503 
504 static int
tls13_handshake_recv_action(struct tls13_ctx * ctx,const struct tls13_handshake_action * action)505 tls13_handshake_recv_action(struct tls13_ctx *ctx,
506     const struct tls13_handshake_action *action)
507 {
508 	uint8_t msg_type;
509 	ssize_t ret;
510 	CBS cbs;
511 
512 	if (ctx->hs_msg == NULL) {
513 		if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL)
514 			return TLS13_IO_FAILURE;
515 	}
516 
517 	if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) <= 0)
518 		return ret;
519 
520 	if (action->recv_preserve_transcript_hash) {
521 		if (!tls1_transcript_hash_value(ctx->ssl,
522 		    ctx->hs->tls13.transcript_hash,
523 		    sizeof(ctx->hs->tls13.transcript_hash),
524 		    &ctx->hs->tls13.transcript_hash_len))
525 			return TLS13_IO_FAILURE;
526 	}
527 
528 	if (!tls13_handshake_msg_record(ctx))
529 		return TLS13_IO_FAILURE;
530 
531 	if (ctx->handshake_message_recv_cb != NULL)
532 		ctx->handshake_message_recv_cb(ctx);
533 
534 	/*
535 	 * In TLSv1.3 there is no way to know if you're going to receive a
536 	 * certificate request message or not, hence we have to special case it
537 	 * here. The receive handler also knows how to deal with this situation.
538 	 */
539 	msg_type = tls13_handshake_msg_type(ctx->hs_msg);
540 	if (msg_type != action->handshake_type &&
541 	    (msg_type != TLS13_MT_CERTIFICATE ||
542 	     action->handshake_type != TLS13_MT_CERTIFICATE_REQUEST))
543 		return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
544 
545 	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
546 		return TLS13_IO_FAILURE;
547 
548 	ret = TLS13_IO_FAILURE;
549 	if (action->recv(ctx, &cbs)) {
550 		if (CBS_len(&cbs) != 0) {
551 			tls13_set_errorx(ctx, TLS13_ERR_TRAILING_DATA, 0,
552 			    "trailing data in handshake message", NULL);
553 			ctx->alert = TLS13_ALERT_DECODE_ERROR;
554 		} else {
555 			ret = TLS13_IO_SUCCESS;
556 		}
557 	}
558 
559 	tls13_handshake_msg_free(ctx->hs_msg);
560 	ctx->hs_msg = NULL;
561 
562 	if (ctx->ssl->method->version < TLS1_3_VERSION)
563 		return TLS13_IO_USE_LEGACY;
564 
565 	return ret;
566 }
567 
568 struct tls13_handshake_legacy_state {
569 	int recv;
570 	int send;
571 };
572 
573 static const struct tls13_handshake_legacy_state legacy_states[] = {
574 	[CLIENT_HELLO] = {
575 		.recv = SSL3_ST_SR_CLNT_HELLO_A,
576 		.send = SSL3_ST_CW_CLNT_HELLO_A,
577 	},
578 	[SERVER_HELLO_RETRY_REQUEST] = {
579 		.recv = SSL3_ST_CR_SRVR_HELLO_A,
580 		.send = SSL3_ST_SW_SRVR_HELLO_A,
581 	},
582 	[CLIENT_HELLO_RETRY] = {
583 		.recv = SSL3_ST_SR_CLNT_HELLO_A,
584 		.send = SSL3_ST_CW_CLNT_HELLO_A,
585 	},
586 	[SERVER_HELLO] = {
587 		.recv = SSL3_ST_CR_SRVR_HELLO_A,
588 		.send = SSL3_ST_SW_SRVR_HELLO_A,
589 	},
590 	[SERVER_ENCRYPTED_EXTENSIONS] = {
591 		.send = 0,
592 		.recv = 0,
593 	},
594 	[SERVER_CERTIFICATE_REQUEST] = {
595 		.recv = SSL3_ST_CR_CERT_REQ_A,
596 		.send = SSL3_ST_SW_CERT_REQ_A,
597 	},
598 	[SERVER_CERTIFICATE] = {
599 		.recv = SSL3_ST_CR_CERT_A,
600 		.send = SSL3_ST_SW_CERT_A,
601 	},
602 	[SERVER_CERTIFICATE_VERIFY] = {
603 		.send = 0,
604 		.recv = 0,
605 	},
606 	[SERVER_FINISHED] = {
607 		.recv = SSL3_ST_CR_FINISHED_A,
608 		.send = SSL3_ST_SW_FINISHED_A,
609 	},
610 	[CLIENT_END_OF_EARLY_DATA] = {
611 		.send = 0,
612 		.recv = 0,
613 	},
614 	[CLIENT_CERTIFICATE] = {
615 		.recv = SSL3_ST_SR_CERT_VRFY_A,
616 		.send = SSL3_ST_CW_CERT_VRFY_B,
617 	},
618 	[CLIENT_CERTIFICATE_VERIFY] = {
619 		.send = 0,
620 		.recv = 0,
621 	},
622 	[CLIENT_FINISHED] = {
623 		.recv = SSL3_ST_SR_FINISHED_A,
624 		.send = SSL3_ST_CW_FINISHED_A,
625 	},
626 	[APPLICATION_DATA] = {
627 		.recv = 0,
628 		.send = 0,
629 	},
630 };
631 
632 CTASSERT(sizeof(state_machine) / sizeof(state_machine[0]) ==
633     sizeof(legacy_states) / sizeof(legacy_states[0]));
634 
635 static int
tls13_handshake_legacy_state(struct tls13_ctx * ctx,int * out_state)636 tls13_handshake_legacy_state(struct tls13_ctx *ctx, int *out_state)
637 {
638 	const struct tls13_handshake_action *action;
639 	enum tls13_message_type mt;
640 
641 	*out_state = 0;
642 
643 	if (!ctx->handshake_started) {
644 		if (ctx->mode == TLS13_HS_CLIENT)
645 			*out_state = SSL_ST_CONNECT;
646 		else
647 			*out_state = SSL_ST_ACCEPT;
648 
649 		return 1;
650 	}
651 
652 	if (ctx->handshake_completed) {
653 		*out_state = SSL_ST_OK;
654 		return 1;
655 	}
656 
657 	if ((mt = tls13_handshake_active_state(ctx)) == INVALID)
658 		return 0;
659 
660 	if ((action = tls13_handshake_active_action(ctx)) == NULL)
661 		return 0;
662 
663 	if (action->sender == ctx->mode)
664 		*out_state = legacy_states[mt].send;
665 	else
666 		*out_state = legacy_states[mt].recv;
667 
668 	return 1;
669 }
670 
671 static int
tls13_handshake_info_position(struct tls13_ctx * ctx)672 tls13_handshake_info_position(struct tls13_ctx *ctx)
673 {
674 	if (!ctx->handshake_started)
675 		return TLS13_INFO_HANDSHAKE_STARTED;
676 
677 	if (ctx->handshake_completed)
678 		return TLS13_INFO_HANDSHAKE_COMPLETED;
679 
680 	if (ctx->mode == TLS13_HS_CLIENT)
681 		return TLS13_INFO_CONNECT_LOOP;
682 	else
683 		return TLS13_INFO_ACCEPT_LOOP;
684 }
685 
686 static int
tls13_handshake_legacy_info_callback(struct tls13_ctx * ctx)687 tls13_handshake_legacy_info_callback(struct tls13_ctx *ctx)
688 {
689 	int state, where;
690 
691 	if (!tls13_handshake_legacy_state(ctx, &state))
692 		return 0;
693 
694 	/* Do nothing if there's no corresponding legacy state. */
695 	if (state == 0)
696 		return 1;
697 
698 	if (ctx->info_cb != NULL) {
699 		where = tls13_handshake_info_position(ctx);
700 		ctx->info_cb(ctx, where, 1);
701 	}
702 
703 	return 1;
704 }
705 
706 static int
tls13_handshake_set_legacy_state(struct tls13_ctx * ctx)707 tls13_handshake_set_legacy_state(struct tls13_ctx *ctx)
708 {
709 	int state;
710 
711 	if (!tls13_handshake_legacy_state(ctx, &state))
712 		return 0;
713 
714 	/* Do nothing if there's no corresponding legacy state. */
715 	if (state == 0)
716 		return 1;
717 
718 	ctx->hs->state = state;
719 
720 	return 1;
721 }
722