1 /* $OpenBSD: tls13_handshake.c,v 1.69 2021/07/01 17:53:39 jsing Exp $ */ 2 /* 3 * Copyright (c) 2018-2021 Theo Buehler <tb@openbsd.org> 4 * Copyright (c) 2019 Joel Sing <jsing@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <stddef.h> 20 21 #include "ssl_locl.h" 22 #include "tls13_handshake.h" 23 #include "tls13_internal.h" 24 25 /* Based on RFC 8446 and inspired by s2n's TLS 1.2 state machine. */ 26 27 struct tls13_handshake_action { 28 uint8_t handshake_type; 29 uint8_t sender; 30 uint8_t handshake_complete; 31 uint8_t send_preserve_transcript_hash; 32 uint8_t recv_preserve_transcript_hash; 33 34 int (*send)(struct tls13_ctx *ctx, CBB *cbb); 35 int (*sent)(struct tls13_ctx *ctx); 36 int (*recv)(struct tls13_ctx *ctx, CBS *cbs); 37 }; 38 39 static enum tls13_message_type 40 tls13_handshake_active_state(struct tls13_ctx *ctx); 41 42 static const struct tls13_handshake_action * 43 tls13_handshake_active_action(struct tls13_ctx *ctx); 44 static int tls13_handshake_advance_state_machine(struct tls13_ctx *ctx); 45 46 static int tls13_handshake_send_action(struct tls13_ctx *ctx, 47 const struct tls13_handshake_action *action); 48 static int tls13_handshake_recv_action(struct tls13_ctx *ctx, 49 const struct tls13_handshake_action *action); 50 51 static int tls13_handshake_set_legacy_state(struct tls13_ctx *ctx); 52 static int tls13_handshake_legacy_info_callback(struct tls13_ctx *ctx); 53 54 static const struct tls13_handshake_action state_machine[] = { 55 [CLIENT_HELLO] = { 56 .handshake_type = TLS13_MT_CLIENT_HELLO, 57 .sender = TLS13_HS_CLIENT, 58 .send = tls13_client_hello_send, 59 .sent = tls13_client_hello_sent, 60 .recv = tls13_client_hello_recv, 61 }, 62 [CLIENT_HELLO_RETRY] = { 63 .handshake_type = TLS13_MT_CLIENT_HELLO, 64 .sender = TLS13_HS_CLIENT, 65 .send = tls13_client_hello_retry_send, 66 .recv = tls13_client_hello_retry_recv, 67 }, 68 [CLIENT_END_OF_EARLY_DATA] = { 69 .handshake_type = TLS13_MT_END_OF_EARLY_DATA, 70 .sender = TLS13_HS_CLIENT, 71 .send = tls13_client_end_of_early_data_send, 72 .recv = tls13_client_end_of_early_data_recv, 73 }, 74 [CLIENT_CERTIFICATE] = { 75 .handshake_type = TLS13_MT_CERTIFICATE, 76 .sender = TLS13_HS_CLIENT, 77 .send_preserve_transcript_hash = 1, 78 .send = tls13_client_certificate_send, 79 .recv = tls13_client_certificate_recv, 80 }, 81 [CLIENT_CERTIFICATE_VERIFY] = { 82 .handshake_type = TLS13_MT_CERTIFICATE_VERIFY, 83 .sender = TLS13_HS_CLIENT, 84 .recv_preserve_transcript_hash = 1, 85 .send = tls13_client_certificate_verify_send, 86 .recv = tls13_client_certificate_verify_recv, 87 }, 88 [CLIENT_FINISHED] = { 89 .handshake_type = TLS13_MT_FINISHED, 90 .sender = TLS13_HS_CLIENT, 91 .recv_preserve_transcript_hash = 1, 92 .send = tls13_client_finished_send, 93 .sent = tls13_client_finished_sent, 94 .recv = tls13_client_finished_recv, 95 }, 96 [SERVER_HELLO] = { 97 .handshake_type = TLS13_MT_SERVER_HELLO, 98 .sender = TLS13_HS_SERVER, 99 .send = tls13_server_hello_send, 100 .sent = tls13_server_hello_sent, 101 .recv = tls13_server_hello_recv, 102 }, 103 [SERVER_HELLO_RETRY_REQUEST] = { 104 .handshake_type = TLS13_MT_SERVER_HELLO, 105 .sender = TLS13_HS_SERVER, 106 .send = tls13_server_hello_retry_request_send, 107 .recv = tls13_server_hello_retry_request_recv, 108 .sent = tls13_server_hello_retry_request_sent, 109 }, 110 [SERVER_ENCRYPTED_EXTENSIONS] = { 111 .handshake_type = TLS13_MT_ENCRYPTED_EXTENSIONS, 112 .sender = TLS13_HS_SERVER, 113 .send = tls13_server_encrypted_extensions_send, 114 .recv = tls13_server_encrypted_extensions_recv, 115 }, 116 [SERVER_CERTIFICATE] = { 117 .handshake_type = TLS13_MT_CERTIFICATE, 118 .sender = TLS13_HS_SERVER, 119 .send_preserve_transcript_hash = 1, 120 .send = tls13_server_certificate_send, 121 .recv = tls13_server_certificate_recv, 122 }, 123 [SERVER_CERTIFICATE_REQUEST] = { 124 .handshake_type = TLS13_MT_CERTIFICATE_REQUEST, 125 .sender = TLS13_HS_SERVER, 126 .send = tls13_server_certificate_request_send, 127 .recv = tls13_server_certificate_request_recv, 128 }, 129 [SERVER_CERTIFICATE_VERIFY] = { 130 .handshake_type = TLS13_MT_CERTIFICATE_VERIFY, 131 .sender = TLS13_HS_SERVER, 132 .recv_preserve_transcript_hash = 1, 133 .send = tls13_server_certificate_verify_send, 134 .recv = tls13_server_certificate_verify_recv, 135 }, 136 [SERVER_FINISHED] = { 137 .handshake_type = TLS13_MT_FINISHED, 138 .sender = TLS13_HS_SERVER, 139 .recv_preserve_transcript_hash = 1, 140 .send_preserve_transcript_hash = 1, 141 .send = tls13_server_finished_send, 142 .sent = tls13_server_finished_sent, 143 .recv = tls13_server_finished_recv, 144 }, 145 [APPLICATION_DATA] = { 146 .handshake_complete = 1, 147 }, 148 }; 149 150 const enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = { 151 [INITIAL] = { 152 CLIENT_HELLO, 153 SERVER_HELLO_RETRY_REQUEST, 154 CLIENT_HELLO_RETRY, 155 SERVER_HELLO, 156 }, 157 [NEGOTIATED] = { 158 CLIENT_HELLO, 159 SERVER_HELLO_RETRY_REQUEST, 160 CLIENT_HELLO_RETRY, 161 SERVER_HELLO, 162 SERVER_ENCRYPTED_EXTENSIONS, 163 SERVER_CERTIFICATE_REQUEST, 164 SERVER_CERTIFICATE, 165 SERVER_CERTIFICATE_VERIFY, 166 SERVER_FINISHED, 167 CLIENT_CERTIFICATE, 168 CLIENT_FINISHED, 169 APPLICATION_DATA, 170 }, 171 [NEGOTIATED | WITHOUT_HRR] = { 172 CLIENT_HELLO, 173 SERVER_HELLO, 174 SERVER_ENCRYPTED_EXTENSIONS, 175 SERVER_CERTIFICATE_REQUEST, 176 SERVER_CERTIFICATE, 177 SERVER_CERTIFICATE_VERIFY, 178 SERVER_FINISHED, 179 CLIENT_CERTIFICATE, 180 CLIENT_FINISHED, 181 APPLICATION_DATA, 182 }, 183 [NEGOTIATED | WITHOUT_CR] = { 184 CLIENT_HELLO, 185 SERVER_HELLO_RETRY_REQUEST, 186 CLIENT_HELLO_RETRY, 187 SERVER_HELLO, 188 SERVER_ENCRYPTED_EXTENSIONS, 189 SERVER_CERTIFICATE, 190 SERVER_CERTIFICATE_VERIFY, 191 SERVER_FINISHED, 192 CLIENT_FINISHED, 193 APPLICATION_DATA, 194 }, 195 [NEGOTIATED | WITHOUT_HRR | WITHOUT_CR] = { 196 CLIENT_HELLO, 197 SERVER_HELLO, 198 SERVER_ENCRYPTED_EXTENSIONS, 199 SERVER_CERTIFICATE, 200 SERVER_CERTIFICATE_VERIFY, 201 SERVER_FINISHED, 202 CLIENT_FINISHED, 203 APPLICATION_DATA, 204 }, 205 [NEGOTIATED | WITH_PSK] = { 206 CLIENT_HELLO, 207 SERVER_HELLO_RETRY_REQUEST, 208 CLIENT_HELLO_RETRY, 209 SERVER_HELLO, 210 SERVER_ENCRYPTED_EXTENSIONS, 211 SERVER_FINISHED, 212 CLIENT_FINISHED, 213 APPLICATION_DATA, 214 }, 215 [NEGOTIATED | WITHOUT_HRR | WITH_PSK] = { 216 CLIENT_HELLO, 217 SERVER_HELLO, 218 SERVER_ENCRYPTED_EXTENSIONS, 219 SERVER_FINISHED, 220 CLIENT_FINISHED, 221 APPLICATION_DATA, 222 }, 223 [NEGOTIATED | WITH_CCV] = { 224 CLIENT_HELLO, 225 SERVER_HELLO_RETRY_REQUEST, 226 CLIENT_HELLO_RETRY, 227 SERVER_HELLO, 228 SERVER_ENCRYPTED_EXTENSIONS, 229 SERVER_CERTIFICATE_REQUEST, 230 SERVER_CERTIFICATE, 231 SERVER_CERTIFICATE_VERIFY, 232 SERVER_FINISHED, 233 CLIENT_CERTIFICATE, 234 CLIENT_CERTIFICATE_VERIFY, 235 CLIENT_FINISHED, 236 APPLICATION_DATA, 237 }, 238 [NEGOTIATED | WITHOUT_HRR | WITH_CCV] = { 239 CLIENT_HELLO, 240 SERVER_HELLO, 241 SERVER_ENCRYPTED_EXTENSIONS, 242 SERVER_CERTIFICATE_REQUEST, 243 SERVER_CERTIFICATE, 244 SERVER_CERTIFICATE_VERIFY, 245 SERVER_FINISHED, 246 CLIENT_CERTIFICATE, 247 CLIENT_CERTIFICATE_VERIFY, 248 CLIENT_FINISHED, 249 APPLICATION_DATA, 250 }, 251 }; 252 253 const size_t handshake_count = sizeof(handshakes) / sizeof(handshakes[0]); 254 255 #ifndef TLS13_DEBUG 256 #define DEBUGF(...) 257 #else 258 #define DEBUGF(...) fprintf(stderr, __VA_ARGS__) 259 260 static const char * 261 tls13_handshake_mode_name(uint8_t mode) 262 { 263 switch (mode) { 264 case TLS13_HS_CLIENT: 265 return "Client"; 266 case TLS13_HS_SERVER: 267 return "Server"; 268 } 269 return "Unknown"; 270 } 271 272 static const char * 273 tls13_handshake_message_name(uint8_t msg_type) 274 { 275 switch (msg_type) { 276 case TLS13_MT_CLIENT_HELLO: 277 return "ClientHello"; 278 case TLS13_MT_SERVER_HELLO: 279 return "ServerHello"; 280 case TLS13_MT_NEW_SESSION_TICKET: 281 return "NewSessionTicket"; 282 case TLS13_MT_END_OF_EARLY_DATA: 283 return "EndOfEarlyData"; 284 case TLS13_MT_ENCRYPTED_EXTENSIONS: 285 return "EncryptedExtensions"; 286 case TLS13_MT_CERTIFICATE: 287 return "Certificate"; 288 case TLS13_MT_CERTIFICATE_REQUEST: 289 return "CertificateRequest"; 290 case TLS13_MT_CERTIFICATE_VERIFY: 291 return "CertificateVerify"; 292 case TLS13_MT_FINISHED: 293 return "Finished"; 294 case TLS13_MT_KEY_UPDATE: 295 return "KeyUpdate"; 296 } 297 return "Unknown"; 298 } 299 #endif 300 301 static enum tls13_message_type 302 tls13_handshake_active_state(struct tls13_ctx *ctx) 303 { 304 struct tls13_handshake_stage hs = ctx->handshake_stage; 305 306 if (hs.hs_type >= handshake_count) 307 return INVALID; 308 if (hs.message_number >= TLS13_NUM_MESSAGE_TYPES) 309 return INVALID; 310 311 return handshakes[hs.hs_type][hs.message_number]; 312 } 313 314 static const struct tls13_handshake_action * 315 tls13_handshake_active_action(struct tls13_ctx *ctx) 316 { 317 enum tls13_message_type mt = tls13_handshake_active_state(ctx); 318 319 if (mt == INVALID) 320 return NULL; 321 322 return &state_machine[mt]; 323 } 324 325 static int 326 tls13_handshake_advance_state_machine(struct tls13_ctx *ctx) 327 { 328 if (++ctx->handshake_stage.message_number >= TLS13_NUM_MESSAGE_TYPES) 329 return 0; 330 331 return 1; 332 } 333 334 int 335 tls13_handshake_msg_record(struct tls13_ctx *ctx) 336 { 337 CBS cbs; 338 339 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 340 return tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs)); 341 } 342 343 int 344 tls13_handshake_perform(struct tls13_ctx *ctx) 345 { 346 const struct tls13_handshake_action *action; 347 int ret; 348 349 if (!ctx->handshake_started) { 350 /* 351 * Set legacy state to connect/accept and call info callback 352 * to signal that the handshake started. 353 */ 354 if (!tls13_handshake_set_legacy_state(ctx)) 355 return TLS13_IO_FAILURE; 356 if (!tls13_handshake_legacy_info_callback(ctx)) 357 return TLS13_IO_FAILURE; 358 359 ctx->handshake_started = 1; 360 361 /* Set legacy state for initial ClientHello read or write. */ 362 if (!tls13_handshake_set_legacy_state(ctx)) 363 return TLS13_IO_FAILURE; 364 } 365 366 for (;;) { 367 if ((action = tls13_handshake_active_action(ctx)) == NULL) 368 return TLS13_IO_FAILURE; 369 370 if (action->handshake_complete) { 371 ctx->handshake_completed = 1; 372 tls13_record_layer_handshake_completed(ctx->rl); 373 374 if (!tls13_handshake_set_legacy_state(ctx)) 375 return TLS13_IO_FAILURE; 376 if (!tls13_handshake_legacy_info_callback(ctx)) 377 return TLS13_IO_FAILURE; 378 379 return TLS13_IO_SUCCESS; 380 } 381 382 DEBUGF("%s %s %s\n", tls13_handshake_mode_name(ctx->mode), 383 (action->sender == ctx->mode) ? "sending" : "receiving", 384 tls13_handshake_message_name(action->handshake_type)); 385 386 if (ctx->alert != 0) 387 return tls13_send_alert(ctx->rl, ctx->alert); 388 389 if (action->sender == ctx->mode) 390 ret = tls13_handshake_send_action(ctx, action); 391 else 392 ret = tls13_handshake_recv_action(ctx, action); 393 394 if (ctx->alert != 0) 395 return tls13_send_alert(ctx->rl, ctx->alert); 396 397 if (ret <= 0) { 398 DEBUGF("%s %s returned %d\n", 399 tls13_handshake_mode_name(ctx->mode), 400 (action->sender == ctx->mode) ? "send" : "recv", 401 ret); 402 return ret; 403 } 404 405 if (!tls13_handshake_legacy_info_callback(ctx)) 406 return TLS13_IO_FAILURE; 407 408 if (!tls13_handshake_advance_state_machine(ctx)) 409 return TLS13_IO_FAILURE; 410 411 if (!tls13_handshake_set_legacy_state(ctx)) 412 return TLS13_IO_FAILURE; 413 } 414 } 415 416 static int 417 tls13_handshake_send_action(struct tls13_ctx *ctx, 418 const struct tls13_handshake_action *action) 419 { 420 ssize_t ret; 421 CBB cbb; 422 423 if (ctx->send_dummy_ccs) { 424 if ((ret = tls13_send_dummy_ccs(ctx->rl)) != TLS13_IO_SUCCESS) 425 return ret; 426 ctx->send_dummy_ccs = 0; 427 if (ctx->send_dummy_ccs_after) { 428 ctx->send_dummy_ccs_after = 0; 429 return TLS13_IO_SUCCESS; 430 } 431 } 432 433 /* If we have no handshake message, we need to build one. */ 434 if (ctx->hs_msg == NULL) { 435 if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL) 436 return TLS13_IO_FAILURE; 437 if (!tls13_handshake_msg_start(ctx->hs_msg, &cbb, 438 action->handshake_type)) 439 return TLS13_IO_FAILURE; 440 if (!action->send(ctx, &cbb)) 441 return TLS13_IO_FAILURE; 442 if (!tls13_handshake_msg_finish(ctx->hs_msg)) 443 return TLS13_IO_FAILURE; 444 } 445 446 if ((ret = tls13_handshake_msg_send(ctx->hs_msg, ctx->rl)) <= 0) 447 return ret; 448 449 if (!tls13_handshake_msg_record(ctx)) 450 return TLS13_IO_FAILURE; 451 452 if (action->send_preserve_transcript_hash) { 453 if (!tls1_transcript_hash_value(ctx->ssl, 454 ctx->hs->tls13.transcript_hash, 455 sizeof(ctx->hs->tls13.transcript_hash), 456 &ctx->hs->tls13.transcript_hash_len)) 457 return TLS13_IO_FAILURE; 458 } 459 460 if (ctx->handshake_message_sent_cb != NULL) 461 ctx->handshake_message_sent_cb(ctx); 462 463 tls13_handshake_msg_free(ctx->hs_msg); 464 ctx->hs_msg = NULL; 465 466 if (action->sent != NULL && !action->sent(ctx)) 467 return TLS13_IO_FAILURE; 468 469 if (ctx->send_dummy_ccs_after) { 470 ctx->send_dummy_ccs = 1; 471 if ((ret = tls13_send_dummy_ccs(ctx->rl)) != TLS13_IO_SUCCESS) 472 return ret; 473 ctx->send_dummy_ccs = 0; 474 ctx->send_dummy_ccs_after = 0; 475 } 476 477 return TLS13_IO_SUCCESS; 478 } 479 480 static int 481 tls13_handshake_recv_action(struct tls13_ctx *ctx, 482 const struct tls13_handshake_action *action) 483 { 484 uint8_t msg_type; 485 ssize_t ret; 486 CBS cbs; 487 488 if (ctx->hs_msg == NULL) { 489 if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL) 490 return TLS13_IO_FAILURE; 491 } 492 493 if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) <= 0) 494 return ret; 495 496 if (action->recv_preserve_transcript_hash) { 497 if (!tls1_transcript_hash_value(ctx->ssl, 498 ctx->hs->tls13.transcript_hash, 499 sizeof(ctx->hs->tls13.transcript_hash), 500 &ctx->hs->tls13.transcript_hash_len)) 501 return TLS13_IO_FAILURE; 502 } 503 504 if (!tls13_handshake_msg_record(ctx)) 505 return TLS13_IO_FAILURE; 506 507 if (ctx->handshake_message_recv_cb != NULL) 508 ctx->handshake_message_recv_cb(ctx); 509 510 /* 511 * In TLSv1.3 there is no way to know if you're going to receive a 512 * certificate request message or not, hence we have to special case it 513 * here. The receive handler also knows how to deal with this situation. 514 */ 515 msg_type = tls13_handshake_msg_type(ctx->hs_msg); 516 if (msg_type != action->handshake_type && 517 (msg_type != TLS13_MT_CERTIFICATE || 518 action->handshake_type != TLS13_MT_CERTIFICATE_REQUEST)) 519 return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 520 521 if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs)) 522 return TLS13_IO_FAILURE; 523 524 ret = TLS13_IO_FAILURE; 525 if (action->recv(ctx, &cbs)) { 526 if (CBS_len(&cbs) != 0) { 527 tls13_set_errorx(ctx, TLS13_ERR_TRAILING_DATA, 0, 528 "trailing data in handshake message", NULL); 529 ctx->alert = TLS13_ALERT_DECODE_ERROR; 530 } else { 531 ret = TLS13_IO_SUCCESS; 532 } 533 } 534 535 tls13_handshake_msg_free(ctx->hs_msg); 536 ctx->hs_msg = NULL; 537 538 if (ctx->ssl->method->version < TLS1_3_VERSION) 539 return TLS13_IO_USE_LEGACY; 540 541 return ret; 542 } 543 544 struct tls13_handshake_legacy_state { 545 int recv; 546 int send; 547 }; 548 549 static const struct tls13_handshake_legacy_state legacy_states[] = { 550 [CLIENT_HELLO] = { 551 .recv = SSL3_ST_SR_CLNT_HELLO_A, 552 .send = SSL3_ST_CW_CLNT_HELLO_A, 553 }, 554 [SERVER_HELLO_RETRY_REQUEST] = { 555 .recv = SSL3_ST_CR_SRVR_HELLO_A, 556 .send = SSL3_ST_SW_SRVR_HELLO_A, 557 }, 558 [CLIENT_HELLO_RETRY] = { 559 .recv = SSL3_ST_SR_CLNT_HELLO_A, 560 .send = SSL3_ST_CW_CLNT_HELLO_A, 561 }, 562 [SERVER_HELLO] = { 563 .recv = SSL3_ST_CR_SRVR_HELLO_A, 564 .send = SSL3_ST_SW_SRVR_HELLO_A, 565 }, 566 [SERVER_ENCRYPTED_EXTENSIONS] = { 567 .send = 0, 568 .recv = 0, 569 }, 570 [SERVER_CERTIFICATE_REQUEST] = { 571 .recv = SSL3_ST_CR_CERT_REQ_A, 572 .send = SSL3_ST_SW_CERT_REQ_A, 573 }, 574 [SERVER_CERTIFICATE] = { 575 .recv = SSL3_ST_CR_CERT_A, 576 .send = SSL3_ST_SW_CERT_A, 577 }, 578 [SERVER_CERTIFICATE_VERIFY] = { 579 .send = 0, 580 .recv = 0, 581 }, 582 [SERVER_FINISHED] = { 583 .recv = SSL3_ST_CR_FINISHED_A, 584 .send = SSL3_ST_SW_FINISHED_A, 585 }, 586 [CLIENT_END_OF_EARLY_DATA] = { 587 .send = 0, 588 .recv = 0, 589 }, 590 [CLIENT_CERTIFICATE] = { 591 .recv = SSL3_ST_SR_CERT_VRFY_A, 592 .send = SSL3_ST_CW_CERT_VRFY_B, 593 }, 594 [CLIENT_CERTIFICATE_VERIFY] = { 595 .send = 0, 596 .recv = 0, 597 }, 598 [CLIENT_FINISHED] = { 599 .recv = SSL3_ST_SR_FINISHED_A, 600 .send = SSL3_ST_CW_FINISHED_A, 601 }, 602 [APPLICATION_DATA] = { 603 .recv = 0, 604 .send = 0, 605 }, 606 }; 607 608 CTASSERT(sizeof(state_machine) / sizeof(state_machine[0]) == 609 sizeof(legacy_states) / sizeof(legacy_states[0])); 610 611 static int 612 tls13_handshake_legacy_state(struct tls13_ctx *ctx, int *out_state) 613 { 614 const struct tls13_handshake_action *action; 615 enum tls13_message_type mt; 616 617 *out_state = 0; 618 619 if (!ctx->handshake_started) { 620 if (ctx->mode == TLS13_HS_CLIENT) 621 *out_state = SSL_ST_CONNECT; 622 else 623 *out_state = SSL_ST_ACCEPT; 624 625 return 1; 626 } 627 628 if (ctx->handshake_completed) { 629 *out_state = SSL_ST_OK; 630 return 1; 631 } 632 633 if ((mt = tls13_handshake_active_state(ctx)) == INVALID) 634 return 0; 635 636 if ((action = tls13_handshake_active_action(ctx)) == NULL) 637 return 0; 638 639 if (action->sender == ctx->mode) 640 *out_state = legacy_states[mt].send; 641 else 642 *out_state = legacy_states[mt].recv; 643 644 return 1; 645 } 646 647 static int 648 tls13_handshake_info_position(struct tls13_ctx *ctx) 649 { 650 if (!ctx->handshake_started) 651 return TLS13_INFO_HANDSHAKE_STARTED; 652 653 if (ctx->handshake_completed) 654 return TLS13_INFO_HANDSHAKE_COMPLETED; 655 656 if (ctx->mode == TLS13_HS_CLIENT) 657 return TLS13_INFO_CONNECT_LOOP; 658 else 659 return TLS13_INFO_ACCEPT_LOOP; 660 } 661 662 static int 663 tls13_handshake_legacy_info_callback(struct tls13_ctx *ctx) 664 { 665 int state, where; 666 667 if (!tls13_handshake_legacy_state(ctx, &state)) 668 return 0; 669 670 /* Do nothing if there's no corresponding legacy state. */ 671 if (state == 0) 672 return 1; 673 674 if (ctx->info_cb != NULL) { 675 where = tls13_handshake_info_position(ctx); 676 ctx->info_cb(ctx, where, 1); 677 } 678 679 return 1; 680 } 681 682 static int 683 tls13_handshake_set_legacy_state(struct tls13_ctx *ctx) 684 { 685 int state; 686 687 if (!tls13_handshake_legacy_state(ctx, &state)) 688 return 0; 689 690 /* Do nothing if there's no corresponding legacy state. */ 691 if (state == 0) 692 return 1; 693 694 ctx->hs->state = state; 695 696 return 1; 697 } 698