1 /* $OpenBSD: tls13_handshake.c,v 1.55 2020/05/02 00:30:55 inoguchi Exp $ */ 2 /* 3 * Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org> 4 * Copyright (c) 2019 Joel Sing <jsing@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <stddef.h> 20 21 #include "ssl_locl.h" 22 #include "tls13_handshake.h" 23 #include "tls13_internal.h" 24 25 /* Based on RFC 8446 and inspired by s2n's TLS 1.2 state machine. */ 26 27 struct tls13_handshake_action { 28 uint8_t handshake_type; 29 uint8_t sender; 30 uint8_t handshake_complete; 31 uint8_t send_preserve_transcript_hash; 32 uint8_t recv_preserve_transcript_hash; 33 34 int (*send)(struct tls13_ctx *ctx, CBB *cbb); 35 int (*sent)(struct tls13_ctx *ctx); 36 int (*recv)(struct tls13_ctx *ctx, CBS *cbs); 37 }; 38 39 static const enum tls13_message_type 40 tls13_handshake_active_state(struct tls13_ctx *ctx); 41 42 static const struct tls13_handshake_action * 43 tls13_handshake_active_action(struct tls13_ctx *ctx); 44 static int tls13_handshake_advance_state_machine(struct tls13_ctx *ctx); 45 46 static int tls13_handshake_send_action(struct tls13_ctx *ctx, 47 const struct tls13_handshake_action *action); 48 static int tls13_handshake_recv_action(struct tls13_ctx *ctx, 49 const struct tls13_handshake_action *action); 50 51 static const struct tls13_handshake_action state_machine[] = { 52 [CLIENT_HELLO] = { 53 .handshake_type = TLS13_MT_CLIENT_HELLO, 54 .sender = TLS13_HS_CLIENT, 55 .send = tls13_client_hello_send, 56 .sent = tls13_client_hello_sent, 57 .recv = tls13_client_hello_recv, 58 }, 59 [CLIENT_HELLO_RETRY] = { 60 .handshake_type = TLS13_MT_CLIENT_HELLO, 61 .sender = TLS13_HS_CLIENT, 62 .send = tls13_client_hello_retry_send, 63 .recv = tls13_client_hello_retry_recv, 64 }, 65 [CLIENT_END_OF_EARLY_DATA] = { 66 .handshake_type = TLS13_MT_END_OF_EARLY_DATA, 67 .sender = TLS13_HS_CLIENT, 68 .send = tls13_client_end_of_early_data_send, 69 .recv = tls13_client_end_of_early_data_recv, 70 }, 71 [CLIENT_CERTIFICATE] = { 72 .handshake_type = TLS13_MT_CERTIFICATE, 73 .sender = TLS13_HS_CLIENT, 74 .send_preserve_transcript_hash = 1, 75 .send = tls13_client_certificate_send, 76 .recv = tls13_client_certificate_recv, 77 }, 78 [CLIENT_CERTIFICATE_VERIFY] = { 79 .handshake_type = TLS13_MT_CERTIFICATE_VERIFY, 80 .sender = TLS13_HS_CLIENT, 81 .recv_preserve_transcript_hash = 1, 82 .send = tls13_client_certificate_verify_send, 83 .recv = tls13_client_certificate_verify_recv, 84 }, 85 [CLIENT_FINISHED] = { 86 .handshake_type = TLS13_MT_FINISHED, 87 .sender = TLS13_HS_CLIENT, 88 .recv_preserve_transcript_hash = 1, 89 .send = tls13_client_finished_send, 90 .sent = tls13_client_finished_sent, 91 .recv = tls13_client_finished_recv, 92 }, 93 [SERVER_HELLO] = { 94 .handshake_type = TLS13_MT_SERVER_HELLO, 95 .sender = TLS13_HS_SERVER, 96 .send = tls13_server_hello_send, 97 .sent = tls13_server_hello_sent, 98 .recv = tls13_server_hello_recv, 99 }, 100 [SERVER_HELLO_RETRY_REQUEST] = { 101 .handshake_type = TLS13_MT_SERVER_HELLO, 102 .sender = TLS13_HS_SERVER, 103 .send = tls13_server_hello_retry_request_send, 104 .recv = tls13_server_hello_retry_request_recv, 105 }, 106 [SERVER_ENCRYPTED_EXTENSIONS] = { 107 .handshake_type = TLS13_MT_ENCRYPTED_EXTENSIONS, 108 .sender = TLS13_HS_SERVER, 109 .send = tls13_server_encrypted_extensions_send, 110 .recv = tls13_server_encrypted_extensions_recv, 111 }, 112 [SERVER_CERTIFICATE] = { 113 .handshake_type = TLS13_MT_CERTIFICATE, 114 .sender = TLS13_HS_SERVER, 115 .send_preserve_transcript_hash = 1, 116 .send = tls13_server_certificate_send, 117 .recv = tls13_server_certificate_recv, 118 }, 119 [SERVER_CERTIFICATE_REQUEST] = { 120 .handshake_type = TLS13_MT_CERTIFICATE_REQUEST, 121 .sender = TLS13_HS_SERVER, 122 .send = tls13_server_certificate_request_send, 123 .recv = tls13_server_certificate_request_recv, 124 }, 125 [SERVER_CERTIFICATE_VERIFY] = { 126 .handshake_type = TLS13_MT_CERTIFICATE_VERIFY, 127 .sender = TLS13_HS_SERVER, 128 .recv_preserve_transcript_hash = 1, 129 .send = tls13_server_certificate_verify_send, 130 .recv = tls13_server_certificate_verify_recv, 131 }, 132 [SERVER_FINISHED] = { 133 .handshake_type = TLS13_MT_FINISHED, 134 .sender = TLS13_HS_SERVER, 135 .recv_preserve_transcript_hash = 1, 136 .send_preserve_transcript_hash = 1, 137 .send = tls13_server_finished_send, 138 .sent = tls13_server_finished_sent, 139 .recv = tls13_server_finished_recv, 140 }, 141 [APPLICATION_DATA] = { 142 .handshake_complete = 1, 143 }, 144 }; 145 146 const enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = { 147 [INITIAL] = { 148 CLIENT_HELLO, 149 SERVER_HELLO_RETRY_REQUEST, 150 CLIENT_HELLO_RETRY, 151 SERVER_HELLO, 152 }, 153 [NEGOTIATED] = { 154 CLIENT_HELLO, 155 SERVER_HELLO_RETRY_REQUEST, 156 CLIENT_HELLO_RETRY, 157 SERVER_HELLO, 158 SERVER_ENCRYPTED_EXTENSIONS, 159 SERVER_CERTIFICATE_REQUEST, 160 SERVER_CERTIFICATE, 161 SERVER_CERTIFICATE_VERIFY, 162 SERVER_FINISHED, 163 CLIENT_CERTIFICATE, 164 CLIENT_FINISHED, 165 APPLICATION_DATA, 166 }, 167 [NEGOTIATED | WITHOUT_HRR] = { 168 CLIENT_HELLO, 169 SERVER_HELLO, 170 SERVER_ENCRYPTED_EXTENSIONS, 171 SERVER_CERTIFICATE_REQUEST, 172 SERVER_CERTIFICATE, 173 SERVER_CERTIFICATE_VERIFY, 174 SERVER_FINISHED, 175 CLIENT_CERTIFICATE, 176 CLIENT_FINISHED, 177 APPLICATION_DATA, 178 }, 179 [NEGOTIATED | WITHOUT_CR] = { 180 CLIENT_HELLO, 181 SERVER_HELLO_RETRY_REQUEST, 182 CLIENT_HELLO_RETRY, 183 SERVER_HELLO, 184 SERVER_ENCRYPTED_EXTENSIONS, 185 SERVER_CERTIFICATE, 186 SERVER_CERTIFICATE_VERIFY, 187 SERVER_FINISHED, 188 CLIENT_FINISHED, 189 APPLICATION_DATA, 190 }, 191 [NEGOTIATED | WITHOUT_HRR | WITHOUT_CR] = { 192 CLIENT_HELLO, 193 SERVER_HELLO, 194 SERVER_ENCRYPTED_EXTENSIONS, 195 SERVER_CERTIFICATE, 196 SERVER_CERTIFICATE_VERIFY, 197 SERVER_FINISHED, 198 CLIENT_FINISHED, 199 APPLICATION_DATA, 200 }, 201 [NEGOTIATED | WITH_PSK] = { 202 CLIENT_HELLO, 203 SERVER_HELLO_RETRY_REQUEST, 204 CLIENT_HELLO_RETRY, 205 SERVER_HELLO, 206 SERVER_ENCRYPTED_EXTENSIONS, 207 SERVER_FINISHED, 208 CLIENT_FINISHED, 209 APPLICATION_DATA, 210 }, 211 [NEGOTIATED | WITHOUT_HRR | WITH_PSK] = { 212 CLIENT_HELLO, 213 SERVER_HELLO, 214 SERVER_ENCRYPTED_EXTENSIONS, 215 SERVER_FINISHED, 216 CLIENT_FINISHED, 217 APPLICATION_DATA, 218 }, 219 [NEGOTIATED | WITH_CCV] = { 220 CLIENT_HELLO, 221 SERVER_HELLO_RETRY_REQUEST, 222 CLIENT_HELLO_RETRY, 223 SERVER_HELLO, 224 SERVER_ENCRYPTED_EXTENSIONS, 225 SERVER_CERTIFICATE_REQUEST, 226 SERVER_CERTIFICATE, 227 SERVER_CERTIFICATE_VERIFY, 228 SERVER_FINISHED, 229 CLIENT_CERTIFICATE, 230 CLIENT_CERTIFICATE_VERIFY, 231 CLIENT_FINISHED, 232 APPLICATION_DATA, 233 }, 234 [NEGOTIATED | WITHOUT_HRR | WITH_CCV] = { 235 CLIENT_HELLO, 236 SERVER_HELLO, 237 SERVER_ENCRYPTED_EXTENSIONS, 238 SERVER_CERTIFICATE_REQUEST, 239 SERVER_CERTIFICATE, 240 SERVER_CERTIFICATE_VERIFY, 241 SERVER_FINISHED, 242 CLIENT_CERTIFICATE, 243 CLIENT_CERTIFICATE_VERIFY, 244 CLIENT_FINISHED, 245 APPLICATION_DATA, 246 }, 247 }; 248 249 const size_t handshake_count = sizeof(handshakes) / sizeof(handshakes[0]); 250 251 static const enum tls13_message_type 252 tls13_handshake_active_state(struct tls13_ctx *ctx) 253 { 254 struct tls13_handshake_stage hs = ctx->handshake_stage; 255 256 if (hs.hs_type >= handshake_count) 257 return INVALID; 258 if (hs.message_number >= TLS13_NUM_MESSAGE_TYPES) 259 return INVALID; 260 261 return handshakes[hs.hs_type][hs.message_number]; 262 } 263 264 static const struct tls13_handshake_action * 265 tls13_handshake_active_action(struct tls13_ctx *ctx) 266 { 267 enum tls13_message_type mt = tls13_handshake_active_state(ctx); 268 269 if (mt == INVALID) 270 return NULL; 271 272 return &state_machine[mt]; 273 } 274 275 static int 276 tls13_handshake_advance_state_machine(struct tls13_ctx *ctx) 277 { 278 if (++ctx->handshake_stage.message_number >= TLS13_NUM_MESSAGE_TYPES) 279 return 0; 280 281 return 1; 282 } 283 284 int 285 tls13_handshake_msg_record(struct tls13_ctx *ctx) 286 { 287 CBS cbs; 288 289 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 290 return tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs)); 291 } 292 293 int 294 tls13_handshake_perform(struct tls13_ctx *ctx) 295 { 296 const struct tls13_handshake_action *action; 297 int ret; 298 299 for (;;) { 300 if ((action = tls13_handshake_active_action(ctx)) == NULL) 301 return TLS13_IO_FAILURE; 302 303 if (action->handshake_complete) { 304 ctx->handshake_completed = 1; 305 tls13_record_layer_handshake_completed(ctx->rl); 306 return TLS13_IO_SUCCESS; 307 } 308 309 if (ctx->alert) 310 return tls13_send_alert(ctx->rl, ctx->alert); 311 312 if (action->sender == ctx->mode) { 313 if ((ret = tls13_handshake_send_action(ctx, action)) <= 0) 314 return ret; 315 } else { 316 if ((ret = tls13_handshake_recv_action(ctx, action)) <= 0) 317 return ret; 318 } 319 320 if (!tls13_handshake_advance_state_machine(ctx)) 321 return TLS13_IO_FAILURE; 322 } 323 } 324 325 static int 326 tls13_handshake_send_action(struct tls13_ctx *ctx, 327 const struct tls13_handshake_action *action) 328 { 329 ssize_t ret; 330 CBB cbb; 331 332 /* If we have no handshake message, we need to build one. */ 333 if (ctx->hs_msg == NULL) { 334 if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL) 335 return TLS13_IO_FAILURE; 336 if (!tls13_handshake_msg_start(ctx->hs_msg, &cbb, 337 action->handshake_type)) 338 return TLS13_IO_FAILURE; 339 if (!action->send(ctx, &cbb)) 340 return TLS13_IO_FAILURE; 341 if (!tls13_handshake_msg_finish(ctx->hs_msg)) 342 return TLS13_IO_FAILURE; 343 344 if (ctx->alert) 345 return tls13_send_alert(ctx->rl, ctx->alert); 346 } 347 348 if ((ret = tls13_handshake_msg_send(ctx->hs_msg, ctx->rl)) <= 0) 349 return ret; 350 351 if (!tls13_handshake_msg_record(ctx)) 352 return TLS13_IO_FAILURE; 353 354 if (action->send_preserve_transcript_hash) { 355 if (!tls1_transcript_hash_value(ctx->ssl, 356 ctx->hs->transcript_hash, sizeof(ctx->hs->transcript_hash), 357 &ctx->hs->transcript_hash_len)) 358 return TLS13_IO_FAILURE; 359 } 360 361 if (ctx->handshake_message_sent_cb != NULL) 362 ctx->handshake_message_sent_cb(ctx); 363 364 tls13_handshake_msg_free(ctx->hs_msg); 365 ctx->hs_msg = NULL; 366 367 if (action->sent != NULL && !action->sent(ctx)) 368 return TLS13_IO_FAILURE; 369 370 return TLS13_IO_SUCCESS; 371 } 372 373 static int 374 tls13_handshake_recv_action(struct tls13_ctx *ctx, 375 const struct tls13_handshake_action *action) 376 { 377 uint8_t msg_type; 378 ssize_t ret; 379 CBS cbs; 380 381 if (ctx->hs_msg == NULL) { 382 if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL) 383 return TLS13_IO_FAILURE; 384 } 385 386 if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) <= 0) 387 return ret; 388 389 if (action->recv_preserve_transcript_hash) { 390 if (!tls1_transcript_hash_value(ctx->ssl, 391 ctx->hs->transcript_hash, sizeof(ctx->hs->transcript_hash), 392 &ctx->hs->transcript_hash_len)) 393 return TLS13_IO_FAILURE; 394 } 395 396 if (!tls13_handshake_msg_record(ctx)) 397 return TLS13_IO_FAILURE; 398 399 if (ctx->handshake_message_recv_cb != NULL) 400 ctx->handshake_message_recv_cb(ctx); 401 402 /* 403 * In TLSv1.3 there is no way to know if you're going to receive a 404 * certificate request message or not, hence we have to special case it 405 * here. The receive handler also knows how to deal with this situation. 406 */ 407 msg_type = tls13_handshake_msg_type(ctx->hs_msg); 408 if (msg_type != action->handshake_type && 409 (msg_type != TLS13_MT_CERTIFICATE || 410 action->handshake_type != TLS13_MT_CERTIFICATE_REQUEST)) 411 return tls13_send_alert(ctx->rl, SSL_AD_UNEXPECTED_MESSAGE); 412 413 if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs)) 414 return TLS13_IO_FAILURE; 415 416 ret = TLS13_IO_FAILURE; 417 if (action->recv(ctx, &cbs)) { 418 if (CBS_len(&cbs) != 0) { 419 tls13_set_errorx(ctx, TLS13_ERR_TRAILING_DATA, 0, 420 "trailing data in handshake message", NULL); 421 ctx->alert = SSL_AD_DECODE_ERROR; 422 } else { 423 ret = TLS13_IO_SUCCESS; 424 } 425 } 426 427 if (ctx->alert) 428 ret = tls13_send_alert(ctx->rl, ctx->alert); 429 430 tls13_handshake_msg_free(ctx->hs_msg); 431 ctx->hs_msg = NULL; 432 433 if (ctx->ssl->method->internal->version < TLS1_3_VERSION) 434 return TLS13_IO_USE_LEGACY; 435 436 return ret; 437 } 438