1 /* $OpenBSD: tls13_handshake.c,v 1.71 2022/04/19 17:01:43 tb Exp $ */ 2 /* 3 * Copyright (c) 2018-2021 Theo Buehler <tb@openbsd.org> 4 * Copyright (c) 2019 Joel Sing <jsing@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <stddef.h> 20 21 #include "ssl_locl.h" 22 #include "tls13_handshake.h" 23 #include "tls13_internal.h" 24 25 /* Based on RFC 8446 and inspired by s2n's TLS 1.2 state machine. */ 26 27 struct tls13_handshake_action { 28 uint8_t handshake_type; 29 uint8_t sender; 30 uint8_t handshake_complete; 31 uint8_t send_preserve_transcript_hash; 32 uint8_t recv_preserve_transcript_hash; 33 34 int (*send)(struct tls13_ctx *ctx, CBB *cbb); 35 int (*sent)(struct tls13_ctx *ctx); 36 int (*recv)(struct tls13_ctx *ctx, CBS *cbs); 37 }; 38 39 static enum tls13_message_type 40 tls13_handshake_active_state(struct tls13_ctx *ctx); 41 42 static const struct tls13_handshake_action * 43 tls13_handshake_active_action(struct tls13_ctx *ctx); 44 static int tls13_handshake_advance_state_machine(struct tls13_ctx *ctx); 45 46 static int tls13_handshake_send_action(struct tls13_ctx *ctx, 47 const struct tls13_handshake_action *action); 48 static int tls13_handshake_recv_action(struct tls13_ctx *ctx, 49 const struct tls13_handshake_action *action); 50 51 static int tls13_handshake_set_legacy_state(struct tls13_ctx *ctx); 52 static int tls13_handshake_legacy_info_callback(struct tls13_ctx *ctx); 53 54 static const struct tls13_handshake_action state_machine[] = { 55 [CLIENT_HELLO] = { 56 .handshake_type = TLS13_MT_CLIENT_HELLO, 57 .sender = TLS13_HS_CLIENT, 58 .send = tls13_client_hello_send, 59 .sent = tls13_client_hello_sent, 60 .recv = tls13_client_hello_recv, 61 }, 62 [CLIENT_HELLO_RETRY] = { 63 .handshake_type = TLS13_MT_CLIENT_HELLO, 64 .sender = TLS13_HS_CLIENT, 65 .send = tls13_client_hello_retry_send, 66 .recv = tls13_client_hello_retry_recv, 67 }, 68 [CLIENT_END_OF_EARLY_DATA] = { 69 .handshake_type = TLS13_MT_END_OF_EARLY_DATA, 70 .sender = TLS13_HS_CLIENT, 71 .send = tls13_client_end_of_early_data_send, 72 .recv = tls13_client_end_of_early_data_recv, 73 }, 74 [CLIENT_CERTIFICATE] = { 75 .handshake_type = TLS13_MT_CERTIFICATE, 76 .sender = TLS13_HS_CLIENT, 77 .send_preserve_transcript_hash = 1, 78 .send = tls13_client_certificate_send, 79 .recv = tls13_client_certificate_recv, 80 }, 81 [CLIENT_CERTIFICATE_VERIFY] = { 82 .handshake_type = TLS13_MT_CERTIFICATE_VERIFY, 83 .sender = TLS13_HS_CLIENT, 84 .recv_preserve_transcript_hash = 1, 85 .send = tls13_client_certificate_verify_send, 86 .recv = tls13_client_certificate_verify_recv, 87 }, 88 [CLIENT_FINISHED] = { 89 .handshake_type = TLS13_MT_FINISHED, 90 .sender = TLS13_HS_CLIENT, 91 .recv_preserve_transcript_hash = 1, 92 .send = tls13_client_finished_send, 93 .sent = tls13_client_finished_sent, 94 .recv = tls13_client_finished_recv, 95 }, 96 [SERVER_HELLO] = { 97 .handshake_type = TLS13_MT_SERVER_HELLO, 98 .sender = TLS13_HS_SERVER, 99 .send = tls13_server_hello_send, 100 .sent = tls13_server_hello_sent, 101 .recv = tls13_server_hello_recv, 102 }, 103 [SERVER_HELLO_RETRY_REQUEST] = { 104 .handshake_type = TLS13_MT_SERVER_HELLO, 105 .sender = TLS13_HS_SERVER, 106 .send = tls13_server_hello_retry_request_send, 107 .recv = tls13_server_hello_retry_request_recv, 108 .sent = tls13_server_hello_retry_request_sent, 109 }, 110 [SERVER_ENCRYPTED_EXTENSIONS] = { 111 .handshake_type = TLS13_MT_ENCRYPTED_EXTENSIONS, 112 .sender = TLS13_HS_SERVER, 113 .send = tls13_server_encrypted_extensions_send, 114 .recv = tls13_server_encrypted_extensions_recv, 115 }, 116 [SERVER_CERTIFICATE] = { 117 .handshake_type = TLS13_MT_CERTIFICATE, 118 .sender = TLS13_HS_SERVER, 119 .send_preserve_transcript_hash = 1, 120 .send = tls13_server_certificate_send, 121 .recv = tls13_server_certificate_recv, 122 }, 123 [SERVER_CERTIFICATE_REQUEST] = { 124 .handshake_type = TLS13_MT_CERTIFICATE_REQUEST, 125 .sender = TLS13_HS_SERVER, 126 .send = tls13_server_certificate_request_send, 127 .recv = tls13_server_certificate_request_recv, 128 }, 129 [SERVER_CERTIFICATE_VERIFY] = { 130 .handshake_type = TLS13_MT_CERTIFICATE_VERIFY, 131 .sender = TLS13_HS_SERVER, 132 .recv_preserve_transcript_hash = 1, 133 .send = tls13_server_certificate_verify_send, 134 .recv = tls13_server_certificate_verify_recv, 135 }, 136 [SERVER_FINISHED] = { 137 .handshake_type = TLS13_MT_FINISHED, 138 .sender = TLS13_HS_SERVER, 139 .recv_preserve_transcript_hash = 1, 140 .send_preserve_transcript_hash = 1, 141 .send = tls13_server_finished_send, 142 .sent = tls13_server_finished_sent, 143 .recv = tls13_server_finished_recv, 144 }, 145 [APPLICATION_DATA] = { 146 .handshake_complete = 1, 147 }, 148 }; 149 150 const enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = { 151 [INITIAL] = { 152 CLIENT_HELLO, 153 SERVER_HELLO_RETRY_REQUEST, 154 CLIENT_HELLO_RETRY, 155 SERVER_HELLO, 156 }, 157 [NEGOTIATED] = { 158 CLIENT_HELLO, 159 SERVER_HELLO_RETRY_REQUEST, 160 CLIENT_HELLO_RETRY, 161 SERVER_HELLO, 162 SERVER_ENCRYPTED_EXTENSIONS, 163 SERVER_CERTIFICATE_REQUEST, 164 SERVER_CERTIFICATE, 165 SERVER_CERTIFICATE_VERIFY, 166 SERVER_FINISHED, 167 CLIENT_CERTIFICATE, 168 CLIENT_FINISHED, 169 APPLICATION_DATA, 170 }, 171 [NEGOTIATED | WITHOUT_HRR] = { 172 CLIENT_HELLO, 173 SERVER_HELLO, 174 SERVER_ENCRYPTED_EXTENSIONS, 175 SERVER_CERTIFICATE_REQUEST, 176 SERVER_CERTIFICATE, 177 SERVER_CERTIFICATE_VERIFY, 178 SERVER_FINISHED, 179 CLIENT_CERTIFICATE, 180 CLIENT_FINISHED, 181 APPLICATION_DATA, 182 }, 183 [NEGOTIATED | WITHOUT_CR] = { 184 CLIENT_HELLO, 185 SERVER_HELLO_RETRY_REQUEST, 186 CLIENT_HELLO_RETRY, 187 SERVER_HELLO, 188 SERVER_ENCRYPTED_EXTENSIONS, 189 SERVER_CERTIFICATE, 190 SERVER_CERTIFICATE_VERIFY, 191 SERVER_FINISHED, 192 CLIENT_FINISHED, 193 APPLICATION_DATA, 194 }, 195 [NEGOTIATED | WITHOUT_HRR | WITHOUT_CR] = { 196 CLIENT_HELLO, 197 SERVER_HELLO, 198 SERVER_ENCRYPTED_EXTENSIONS, 199 SERVER_CERTIFICATE, 200 SERVER_CERTIFICATE_VERIFY, 201 SERVER_FINISHED, 202 CLIENT_FINISHED, 203 APPLICATION_DATA, 204 }, 205 [NEGOTIATED | WITH_PSK] = { 206 CLIENT_HELLO, 207 SERVER_HELLO_RETRY_REQUEST, 208 CLIENT_HELLO_RETRY, 209 SERVER_HELLO, 210 SERVER_ENCRYPTED_EXTENSIONS, 211 SERVER_FINISHED, 212 CLIENT_FINISHED, 213 APPLICATION_DATA, 214 }, 215 [NEGOTIATED | WITHOUT_HRR | WITH_PSK] = { 216 CLIENT_HELLO, 217 SERVER_HELLO, 218 SERVER_ENCRYPTED_EXTENSIONS, 219 SERVER_FINISHED, 220 CLIENT_FINISHED, 221 APPLICATION_DATA, 222 }, 223 [NEGOTIATED | WITH_CCV] = { 224 CLIENT_HELLO, 225 SERVER_HELLO_RETRY_REQUEST, 226 CLIENT_HELLO_RETRY, 227 SERVER_HELLO, 228 SERVER_ENCRYPTED_EXTENSIONS, 229 SERVER_CERTIFICATE_REQUEST, 230 SERVER_CERTIFICATE, 231 SERVER_CERTIFICATE_VERIFY, 232 SERVER_FINISHED, 233 CLIENT_CERTIFICATE, 234 CLIENT_CERTIFICATE_VERIFY, 235 CLIENT_FINISHED, 236 APPLICATION_DATA, 237 }, 238 [NEGOTIATED | WITHOUT_HRR | WITH_CCV] = { 239 CLIENT_HELLO, 240 SERVER_HELLO, 241 SERVER_ENCRYPTED_EXTENSIONS, 242 SERVER_CERTIFICATE_REQUEST, 243 SERVER_CERTIFICATE, 244 SERVER_CERTIFICATE_VERIFY, 245 SERVER_FINISHED, 246 CLIENT_CERTIFICATE, 247 CLIENT_CERTIFICATE_VERIFY, 248 CLIENT_FINISHED, 249 APPLICATION_DATA, 250 }, 251 }; 252 253 const size_t handshake_count = sizeof(handshakes) / sizeof(handshakes[0]); 254 255 #ifndef TLS13_DEBUG 256 #define DEBUGF(...) 257 #else 258 #define DEBUGF(...) fprintf(stderr, __VA_ARGS__) 259 260 static const char * 261 tls13_handshake_mode_name(uint8_t mode) 262 { 263 switch (mode) { 264 case TLS13_HS_CLIENT: 265 return "Client"; 266 case TLS13_HS_SERVER: 267 return "Server"; 268 } 269 return "Unknown"; 270 } 271 272 static const char * 273 tls13_handshake_message_name(uint8_t msg_type) 274 { 275 switch (msg_type) { 276 case TLS13_MT_CLIENT_HELLO: 277 return "ClientHello"; 278 case TLS13_MT_SERVER_HELLO: 279 return "ServerHello"; 280 case TLS13_MT_NEW_SESSION_TICKET: 281 return "NewSessionTicket"; 282 case TLS13_MT_END_OF_EARLY_DATA: 283 return "EndOfEarlyData"; 284 case TLS13_MT_ENCRYPTED_EXTENSIONS: 285 return "EncryptedExtensions"; 286 case TLS13_MT_CERTIFICATE: 287 return "Certificate"; 288 case TLS13_MT_CERTIFICATE_REQUEST: 289 return "CertificateRequest"; 290 case TLS13_MT_CERTIFICATE_VERIFY: 291 return "CertificateVerify"; 292 case TLS13_MT_FINISHED: 293 return "Finished"; 294 } 295 return "Unknown"; 296 } 297 #endif 298 299 static enum tls13_message_type 300 tls13_handshake_active_state(struct tls13_ctx *ctx) 301 { 302 struct tls13_handshake_stage hs = ctx->handshake_stage; 303 304 if (hs.hs_type >= handshake_count) 305 return INVALID; 306 if (hs.message_number >= TLS13_NUM_MESSAGE_TYPES) 307 return INVALID; 308 309 return handshakes[hs.hs_type][hs.message_number]; 310 } 311 312 static const struct tls13_handshake_action * 313 tls13_handshake_active_action(struct tls13_ctx *ctx) 314 { 315 enum tls13_message_type mt = tls13_handshake_active_state(ctx); 316 317 if (mt == INVALID) 318 return NULL; 319 320 return &state_machine[mt]; 321 } 322 323 static int 324 tls13_handshake_advance_state_machine(struct tls13_ctx *ctx) 325 { 326 if (++ctx->handshake_stage.message_number >= TLS13_NUM_MESSAGE_TYPES) 327 return 0; 328 329 return 1; 330 } 331 332 static int 333 tls13_handshake_end_of_flight(struct tls13_ctx *ctx, 334 const struct tls13_handshake_action *previous) 335 { 336 const struct tls13_handshake_action *current; 337 338 if ((current = tls13_handshake_active_action(ctx)) == NULL) 339 return 1; 340 341 return current->sender != previous->sender; 342 } 343 344 int 345 tls13_handshake_msg_record(struct tls13_ctx *ctx) 346 { 347 CBS cbs; 348 349 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 350 return tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs)); 351 } 352 353 int 354 tls13_handshake_perform(struct tls13_ctx *ctx) 355 { 356 const struct tls13_handshake_action *action; 357 int sending; 358 int ret; 359 360 if (!ctx->handshake_started) { 361 /* 362 * Set legacy state to connect/accept and call info callback 363 * to signal that the handshake started. 364 */ 365 if (!tls13_handshake_set_legacy_state(ctx)) 366 return TLS13_IO_FAILURE; 367 if (!tls13_handshake_legacy_info_callback(ctx)) 368 return TLS13_IO_FAILURE; 369 370 ctx->handshake_started = 1; 371 372 /* Set legacy state for initial ClientHello read or write. */ 373 if (!tls13_handshake_set_legacy_state(ctx)) 374 return TLS13_IO_FAILURE; 375 } 376 377 for (;;) { 378 if ((action = tls13_handshake_active_action(ctx)) == NULL) 379 return TLS13_IO_FAILURE; 380 381 if (ctx->need_flush) { 382 if ((ret = tls13_record_layer_flush(ctx->rl)) != 383 TLS13_IO_SUCCESS) 384 return ret; 385 ctx->need_flush = 0; 386 } 387 388 if (action->handshake_complete) { 389 ctx->handshake_completed = 1; 390 tls13_record_layer_handshake_completed(ctx->rl); 391 392 if (!tls13_handshake_set_legacy_state(ctx)) 393 return TLS13_IO_FAILURE; 394 if (!tls13_handshake_legacy_info_callback(ctx)) 395 return TLS13_IO_FAILURE; 396 397 return TLS13_IO_SUCCESS; 398 } 399 400 sending = action->sender == ctx->mode; 401 402 DEBUGF("%s %s %s\n", tls13_handshake_mode_name(ctx->mode), 403 sending ? "sending" : "receiving", 404 tls13_handshake_message_name(action->handshake_type)); 405 406 if (ctx->alert != 0) 407 return tls13_send_alert(ctx->rl, ctx->alert); 408 409 if (sending) 410 ret = tls13_handshake_send_action(ctx, action); 411 else 412 ret = tls13_handshake_recv_action(ctx, action); 413 414 if (ctx->alert != 0) 415 return tls13_send_alert(ctx->rl, ctx->alert); 416 417 if (ret <= 0) { 418 DEBUGF("%s %s returned %d\n", 419 tls13_handshake_mode_name(ctx->mode), 420 (action->sender == ctx->mode) ? "send" : "recv", 421 ret); 422 return ret; 423 } 424 425 if (!tls13_handshake_legacy_info_callback(ctx)) 426 return TLS13_IO_FAILURE; 427 428 if (!tls13_handshake_advance_state_machine(ctx)) 429 return TLS13_IO_FAILURE; 430 431 if (sending) 432 ctx->need_flush = tls13_handshake_end_of_flight(ctx, 433 action); 434 435 if (!tls13_handshake_set_legacy_state(ctx)) 436 return TLS13_IO_FAILURE; 437 } 438 } 439 440 static int 441 tls13_handshake_send_action(struct tls13_ctx *ctx, 442 const struct tls13_handshake_action *action) 443 { 444 ssize_t ret; 445 CBB cbb; 446 447 if (ctx->send_dummy_ccs) { 448 if ((ret = tls13_send_dummy_ccs(ctx->rl)) != TLS13_IO_SUCCESS) 449 return ret; 450 ctx->send_dummy_ccs = 0; 451 if (ctx->send_dummy_ccs_after) { 452 ctx->send_dummy_ccs_after = 0; 453 return TLS13_IO_SUCCESS; 454 } 455 } 456 457 /* If we have no handshake message, we need to build one. */ 458 if (ctx->hs_msg == NULL) { 459 if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL) 460 return TLS13_IO_FAILURE; 461 if (!tls13_handshake_msg_start(ctx->hs_msg, &cbb, 462 action->handshake_type)) 463 return TLS13_IO_FAILURE; 464 if (!action->send(ctx, &cbb)) 465 return TLS13_IO_FAILURE; 466 if (!tls13_handshake_msg_finish(ctx->hs_msg)) 467 return TLS13_IO_FAILURE; 468 } 469 470 if ((ret = tls13_handshake_msg_send(ctx->hs_msg, ctx->rl)) <= 0) 471 return ret; 472 473 if (!tls13_handshake_msg_record(ctx)) 474 return TLS13_IO_FAILURE; 475 476 if (action->send_preserve_transcript_hash) { 477 if (!tls1_transcript_hash_value(ctx->ssl, 478 ctx->hs->tls13.transcript_hash, 479 sizeof(ctx->hs->tls13.transcript_hash), 480 &ctx->hs->tls13.transcript_hash_len)) 481 return TLS13_IO_FAILURE; 482 } 483 484 if (ctx->handshake_message_sent_cb != NULL) 485 ctx->handshake_message_sent_cb(ctx); 486 487 tls13_handshake_msg_free(ctx->hs_msg); 488 ctx->hs_msg = NULL; 489 490 if (action->sent != NULL && !action->sent(ctx)) 491 return TLS13_IO_FAILURE; 492 493 if (ctx->send_dummy_ccs_after) { 494 ctx->send_dummy_ccs = 1; 495 if ((ret = tls13_send_dummy_ccs(ctx->rl)) != TLS13_IO_SUCCESS) 496 return ret; 497 ctx->send_dummy_ccs = 0; 498 ctx->send_dummy_ccs_after = 0; 499 } 500 501 return TLS13_IO_SUCCESS; 502 } 503 504 static int 505 tls13_handshake_recv_action(struct tls13_ctx *ctx, 506 const struct tls13_handshake_action *action) 507 { 508 uint8_t msg_type; 509 ssize_t ret; 510 CBS cbs; 511 512 if (ctx->hs_msg == NULL) { 513 if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL) 514 return TLS13_IO_FAILURE; 515 } 516 517 if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) <= 0) 518 return ret; 519 520 if (action->recv_preserve_transcript_hash) { 521 if (!tls1_transcript_hash_value(ctx->ssl, 522 ctx->hs->tls13.transcript_hash, 523 sizeof(ctx->hs->tls13.transcript_hash), 524 &ctx->hs->tls13.transcript_hash_len)) 525 return TLS13_IO_FAILURE; 526 } 527 528 if (!tls13_handshake_msg_record(ctx)) 529 return TLS13_IO_FAILURE; 530 531 if (ctx->handshake_message_recv_cb != NULL) 532 ctx->handshake_message_recv_cb(ctx); 533 534 /* 535 * In TLSv1.3 there is no way to know if you're going to receive a 536 * certificate request message or not, hence we have to special case it 537 * here. The receive handler also knows how to deal with this situation. 538 */ 539 msg_type = tls13_handshake_msg_type(ctx->hs_msg); 540 if (msg_type != action->handshake_type && 541 (msg_type != TLS13_MT_CERTIFICATE || 542 action->handshake_type != TLS13_MT_CERTIFICATE_REQUEST)) 543 return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 544 545 if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs)) 546 return TLS13_IO_FAILURE; 547 548 ret = TLS13_IO_FAILURE; 549 if (action->recv(ctx, &cbs)) { 550 if (CBS_len(&cbs) != 0) { 551 tls13_set_errorx(ctx, TLS13_ERR_TRAILING_DATA, 0, 552 "trailing data in handshake message", NULL); 553 ctx->alert = TLS13_ALERT_DECODE_ERROR; 554 } else { 555 ret = TLS13_IO_SUCCESS; 556 } 557 } 558 559 tls13_handshake_msg_free(ctx->hs_msg); 560 ctx->hs_msg = NULL; 561 562 if (ctx->ssl->method->version < TLS1_3_VERSION) 563 return TLS13_IO_USE_LEGACY; 564 565 return ret; 566 } 567 568 struct tls13_handshake_legacy_state { 569 int recv; 570 int send; 571 }; 572 573 static const struct tls13_handshake_legacy_state legacy_states[] = { 574 [CLIENT_HELLO] = { 575 .recv = SSL3_ST_SR_CLNT_HELLO_A, 576 .send = SSL3_ST_CW_CLNT_HELLO_A, 577 }, 578 [SERVER_HELLO_RETRY_REQUEST] = { 579 .recv = SSL3_ST_CR_SRVR_HELLO_A, 580 .send = SSL3_ST_SW_SRVR_HELLO_A, 581 }, 582 [CLIENT_HELLO_RETRY] = { 583 .recv = SSL3_ST_SR_CLNT_HELLO_A, 584 .send = SSL3_ST_CW_CLNT_HELLO_A, 585 }, 586 [SERVER_HELLO] = { 587 .recv = SSL3_ST_CR_SRVR_HELLO_A, 588 .send = SSL3_ST_SW_SRVR_HELLO_A, 589 }, 590 [SERVER_ENCRYPTED_EXTENSIONS] = { 591 .send = 0, 592 .recv = 0, 593 }, 594 [SERVER_CERTIFICATE_REQUEST] = { 595 .recv = SSL3_ST_CR_CERT_REQ_A, 596 .send = SSL3_ST_SW_CERT_REQ_A, 597 }, 598 [SERVER_CERTIFICATE] = { 599 .recv = SSL3_ST_CR_CERT_A, 600 .send = SSL3_ST_SW_CERT_A, 601 }, 602 [SERVER_CERTIFICATE_VERIFY] = { 603 .send = 0, 604 .recv = 0, 605 }, 606 [SERVER_FINISHED] = { 607 .recv = SSL3_ST_CR_FINISHED_A, 608 .send = SSL3_ST_SW_FINISHED_A, 609 }, 610 [CLIENT_END_OF_EARLY_DATA] = { 611 .send = 0, 612 .recv = 0, 613 }, 614 [CLIENT_CERTIFICATE] = { 615 .recv = SSL3_ST_SR_CERT_VRFY_A, 616 .send = SSL3_ST_CW_CERT_VRFY_B, 617 }, 618 [CLIENT_CERTIFICATE_VERIFY] = { 619 .send = 0, 620 .recv = 0, 621 }, 622 [CLIENT_FINISHED] = { 623 .recv = SSL3_ST_SR_FINISHED_A, 624 .send = SSL3_ST_CW_FINISHED_A, 625 }, 626 [APPLICATION_DATA] = { 627 .recv = 0, 628 .send = 0, 629 }, 630 }; 631 632 CTASSERT(sizeof(state_machine) / sizeof(state_machine[0]) == 633 sizeof(legacy_states) / sizeof(legacy_states[0])); 634 635 static int 636 tls13_handshake_legacy_state(struct tls13_ctx *ctx, int *out_state) 637 { 638 const struct tls13_handshake_action *action; 639 enum tls13_message_type mt; 640 641 *out_state = 0; 642 643 if (!ctx->handshake_started) { 644 if (ctx->mode == TLS13_HS_CLIENT) 645 *out_state = SSL_ST_CONNECT; 646 else 647 *out_state = SSL_ST_ACCEPT; 648 649 return 1; 650 } 651 652 if (ctx->handshake_completed) { 653 *out_state = SSL_ST_OK; 654 return 1; 655 } 656 657 if ((mt = tls13_handshake_active_state(ctx)) == INVALID) 658 return 0; 659 660 if ((action = tls13_handshake_active_action(ctx)) == NULL) 661 return 0; 662 663 if (action->sender == ctx->mode) 664 *out_state = legacy_states[mt].send; 665 else 666 *out_state = legacy_states[mt].recv; 667 668 return 1; 669 } 670 671 static int 672 tls13_handshake_info_position(struct tls13_ctx *ctx) 673 { 674 if (!ctx->handshake_started) 675 return TLS13_INFO_HANDSHAKE_STARTED; 676 677 if (ctx->handshake_completed) 678 return TLS13_INFO_HANDSHAKE_COMPLETED; 679 680 if (ctx->mode == TLS13_HS_CLIENT) 681 return TLS13_INFO_CONNECT_LOOP; 682 else 683 return TLS13_INFO_ACCEPT_LOOP; 684 } 685 686 static int 687 tls13_handshake_legacy_info_callback(struct tls13_ctx *ctx) 688 { 689 int state, where; 690 691 if (!tls13_handshake_legacy_state(ctx, &state)) 692 return 0; 693 694 /* Do nothing if there's no corresponding legacy state. */ 695 if (state == 0) 696 return 1; 697 698 if (ctx->info_cb != NULL) { 699 where = tls13_handshake_info_position(ctx); 700 ctx->info_cb(ctx, where, 1); 701 } 702 703 return 1; 704 } 705 706 static int 707 tls13_handshake_set_legacy_state(struct tls13_ctx *ctx) 708 { 709 int state; 710 711 if (!tls13_handshake_legacy_state(ctx, &state)) 712 return 0; 713 714 /* Do nothing if there's no corresponding legacy state. */ 715 if (state == 0) 716 return 1; 717 718 ctx->hs->state = state; 719 720 return 1; 721 } 722