1 /* $OpenBSD: tls13_handshake.c,v 1.22 2019/01/23 23:29:56 tb Exp $ */ 2 /* 3 * Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org> 4 * Copyright (c) 2019 Joel Sing <jsing@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <stddef.h> 20 21 #include "ssl_locl.h" 22 #include "tls13_handshake.h" 23 #include "tls13_internal.h" 24 25 /* Based on RFC 8446 and inspired by s2n's TLS 1.2 state machine. */ 26 27 /* Record types */ 28 #define TLS13_HANDSHAKE 1 29 #define TLS13_APPLICATION_DATA 2 30 31 struct tls13_handshake_action { 32 uint8_t record_type; 33 uint8_t handshake_type; 34 uint8_t sender; 35 uint8_t handshake_complete; 36 37 int (*send)(struct tls13_ctx *ctx); 38 int (*recv)(struct tls13_ctx *ctx); 39 }; 40 41 enum tls13_message_type tls13_handshake_active_state(struct tls13_ctx *ctx); 42 43 int tls13_accept(struct tls13_ctx *ctx); 44 45 struct tls13_handshake_action * 46 tls13_handshake_active_action(struct tls13_ctx *ctx); 47 int tls13_handshake_advance_state_machine(struct tls13_ctx *ctx); 48 49 int tls13_handshake_send_action(struct tls13_ctx *ctx, 50 struct tls13_handshake_action *action); 51 int tls13_handshake_recv_action(struct tls13_ctx *ctx, 52 struct tls13_handshake_action *action); 53 54 struct tls13_handshake_action state_machine[] = { 55 [CLIENT_HELLO] = { 56 .record_type = TLS13_HANDSHAKE, 57 .handshake_type = TLS13_MT_CLIENT_HELLO, 58 .sender = TLS13_HS_CLIENT, 59 .send = tls13_client_hello_send, 60 .recv = tls13_client_hello_recv, 61 }, 62 [CLIENT_HELLO_RETRY] = { 63 .record_type = TLS13_HANDSHAKE, 64 .handshake_type = TLS13_MT_CLIENT_HELLO, 65 .sender = TLS13_HS_CLIENT, 66 .send = tls13_client_hello_retry_send, 67 .recv = tls13_client_hello_retry_recv, 68 }, 69 [CLIENT_END_OF_EARLY_DATA] = { 70 .record_type = TLS13_HANDSHAKE, 71 .handshake_type = TLS13_MT_END_OF_EARLY_DATA, 72 .sender = TLS13_HS_CLIENT, 73 .send = tls13_client_end_of_early_data_send, 74 .recv = tls13_client_end_of_early_data_recv, 75 }, 76 [CLIENT_CERTIFICATE] = { 77 .record_type = TLS13_HANDSHAKE, 78 .handshake_type = TLS13_MT_CERTIFICATE, 79 .sender = TLS13_HS_CLIENT, 80 .send = tls13_client_certificate_send, 81 .recv = tls13_client_certificate_recv, 82 }, 83 [CLIENT_CERTIFICATE_VERIFY] = { 84 .record_type = TLS13_HANDSHAKE, 85 .handshake_type = TLS13_MT_CERTIFICATE_VERIFY, 86 .sender = TLS13_HS_CLIENT, 87 .send = tls13_client_certificate_verify_send, 88 .recv = tls13_client_certificate_verify_recv, 89 }, 90 [CLIENT_FINISHED] = { 91 .record_type = TLS13_HANDSHAKE, 92 .handshake_type = TLS13_MT_FINISHED, 93 .sender = TLS13_HS_CLIENT, 94 .send = tls13_client_finished_send, 95 .recv = tls13_client_finished_recv, 96 }, 97 [CLIENT_KEY_UPDATE] = { 98 .record_type = TLS13_HANDSHAKE, 99 .handshake_type = TLS13_MT_KEY_UPDATE, 100 .sender = TLS13_HS_CLIENT, 101 .send = tls13_client_key_update_send, 102 .recv = tls13_client_key_update_recv, 103 }, 104 [SERVER_HELLO] = { 105 .record_type = TLS13_HANDSHAKE, 106 .handshake_type = TLS13_MT_SERVER_HELLO, 107 .sender = TLS13_HS_SERVER, 108 .send = tls13_server_hello_send, 109 .recv = tls13_server_hello_recv, 110 }, 111 [SERVER_ENCRYPTED_EXTENSIONS] = { 112 .record_type = TLS13_HANDSHAKE, 113 .handshake_type = TLS13_MT_ENCRYPTED_EXTENSIONS, 114 .sender = TLS13_HS_SERVER, 115 .send = tls13_server_encrypted_extensions_send, 116 .recv = tls13_server_encrypted_extensions_recv, 117 }, 118 [SERVER_CERTIFICATE] = { 119 .record_type = TLS13_HANDSHAKE, 120 .handshake_type = TLS13_MT_CERTIFICATE, 121 .sender = TLS13_HS_SERVER, 122 .send = tls13_server_certificate_send, 123 .recv = tls13_server_certificate_recv, 124 }, 125 [SERVER_CERTIFICATE_REQUEST] = { 126 .record_type = TLS13_HANDSHAKE, 127 .handshake_type = TLS13_MT_CERTIFICATE, 128 .sender = TLS13_HS_SERVER, 129 .send = tls13_server_certificate_request_send, 130 .recv = tls13_server_certificate_request_recv, 131 }, 132 [SERVER_CERTIFICATE_VERIFY] = { 133 .record_type = TLS13_HANDSHAKE, 134 .handshake_type = TLS13_MT_CERTIFICATE_VERIFY, 135 .sender = TLS13_HS_SERVER, 136 .send = tls13_server_certificate_verify_send, 137 .recv = tls13_server_certificate_verify_recv, 138 }, 139 [SERVER_FINISHED] = { 140 .record_type = TLS13_HANDSHAKE, 141 .handshake_type = TLS13_MT_FINISHED, 142 .sender = TLS13_HS_SERVER, 143 .send = tls13_server_finished_send, 144 .recv = tls13_server_finished_recv, 145 }, 146 [APPLICATION_DATA] = { 147 .record_type = TLS13_APPLICATION_DATA, 148 .handshake_complete = 1, 149 }, 150 }; 151 152 enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = { 153 [INITIAL] = { 154 CLIENT_HELLO, 155 SERVER_HELLO, 156 }, 157 [NEGOTIATED] = { 158 CLIENT_HELLO, 159 SERVER_HELLO, 160 SERVER_ENCRYPTED_EXTENSIONS, 161 SERVER_CERTIFICATE_REQUEST, 162 SERVER_CERTIFICATE, 163 SERVER_CERTIFICATE_VERIFY, 164 SERVER_FINISHED, 165 CLIENT_CERTIFICATE, 166 CLIENT_FINISHED, 167 APPLICATION_DATA, 168 }, 169 [NEGOTIATED | WITH_HRR] = { 170 CLIENT_HELLO, 171 SERVER_HELLO, 172 CLIENT_HELLO_RETRY, 173 SERVER_ENCRYPTED_EXTENSIONS, 174 SERVER_CERTIFICATE_REQUEST, 175 SERVER_CERTIFICATE, 176 SERVER_CERTIFICATE_VERIFY, 177 SERVER_FINISHED, 178 CLIENT_CERTIFICATE, 179 CLIENT_FINISHED, 180 APPLICATION_DATA, 181 }, 182 [NEGOTIATED | WITHOUT_CR] = { 183 CLIENT_HELLO, 184 SERVER_HELLO, 185 SERVER_ENCRYPTED_EXTENSIONS, 186 SERVER_CERTIFICATE, 187 SERVER_CERTIFICATE_VERIFY, 188 SERVER_FINISHED, 189 CLIENT_FINISHED, 190 APPLICATION_DATA, 191 }, 192 [NEGOTIATED | WITH_HRR | WITHOUT_CR] = { 193 CLIENT_HELLO, 194 SERVER_HELLO, 195 CLIENT_HELLO_RETRY, 196 SERVER_ENCRYPTED_EXTENSIONS, 197 SERVER_CERTIFICATE, 198 SERVER_CERTIFICATE_VERIFY, 199 SERVER_FINISHED, 200 CLIENT_FINISHED, 201 APPLICATION_DATA, 202 }, 203 [NEGOTIATED | WITH_PSK] = { 204 CLIENT_HELLO, 205 SERVER_HELLO, 206 SERVER_ENCRYPTED_EXTENSIONS, 207 SERVER_FINISHED, 208 CLIENT_FINISHED, 209 APPLICATION_DATA, 210 }, 211 [NEGOTIATED | WITH_HRR | WITH_PSK] = { 212 CLIENT_HELLO, 213 SERVER_HELLO, 214 CLIENT_HELLO_RETRY, 215 SERVER_ENCRYPTED_EXTENSIONS, 216 SERVER_FINISHED, 217 CLIENT_FINISHED, 218 APPLICATION_DATA, 219 }, 220 [NEGOTIATED | WITH_CCV] = { 221 CLIENT_HELLO, 222 SERVER_HELLO, 223 SERVER_ENCRYPTED_EXTENSIONS, 224 SERVER_CERTIFICATE_REQUEST, 225 SERVER_CERTIFICATE, 226 SERVER_CERTIFICATE_VERIFY, 227 SERVER_FINISHED, 228 CLIENT_CERTIFICATE, 229 CLIENT_CERTIFICATE_VERIFY, 230 CLIENT_FINISHED, 231 APPLICATION_DATA, 232 }, 233 [NEGOTIATED | WITH_HRR | WITH_CCV] = { 234 CLIENT_HELLO, 235 SERVER_HELLO, 236 CLIENT_HELLO_RETRY, 237 SERVER_ENCRYPTED_EXTENSIONS, 238 SERVER_CERTIFICATE_REQUEST, 239 SERVER_CERTIFICATE, 240 SERVER_CERTIFICATE_VERIFY, 241 SERVER_FINISHED, 242 CLIENT_CERTIFICATE, 243 CLIENT_CERTIFICATE_VERIFY, 244 CLIENT_FINISHED, 245 APPLICATION_DATA, 246 }, 247 }; 248 249 const size_t handshake_count = sizeof(handshakes) / sizeof(handshakes[0]); 250 251 enum tls13_message_type 252 tls13_handshake_active_state(struct tls13_ctx *ctx) 253 { 254 struct tls13_handshake_stage hs = ctx->handshake_stage; 255 256 if (hs.hs_type >= handshake_count) 257 return INVALID; 258 if (hs.message_number >= TLS13_NUM_MESSAGE_TYPES) 259 return INVALID; 260 261 return handshakes[hs.hs_type][hs.message_number]; 262 } 263 264 struct tls13_handshake_action * 265 tls13_handshake_active_action(struct tls13_ctx *ctx) 266 { 267 enum tls13_message_type mt = tls13_handshake_active_state(ctx); 268 269 if (mt == INVALID) 270 return NULL; 271 272 return &state_machine[mt]; 273 } 274 275 int 276 tls13_handshake_advance_state_machine(struct tls13_ctx *ctx) 277 { 278 if (++ctx->handshake_stage.message_number >= TLS13_NUM_MESSAGE_TYPES) 279 return 0; 280 281 return 1; 282 } 283 284 int 285 tls13_handshake_perform(struct tls13_ctx *ctx) 286 { 287 struct tls13_handshake_action *action; 288 int ret; 289 290 for (;;) { 291 if ((action = tls13_handshake_active_action(ctx)) == NULL) 292 return TLS13_IO_FAILURE; 293 294 if (action->handshake_complete) 295 return TLS13_IO_SUCCESS; 296 297 if (action->sender == ctx->mode) { 298 if ((ret = tls13_handshake_send_action(ctx, action)) <= 0) 299 return ret; 300 } else { 301 if ((ret = tls13_handshake_recv_action(ctx, action)) <= 0) 302 return ret; 303 } 304 305 if (!tls13_handshake_advance_state_machine(ctx)) 306 return TLS13_IO_FAILURE; 307 } 308 } 309 310 int 311 tls13_accept(struct tls13_ctx *ctx) 312 { 313 ctx->mode = TLS13_HS_SERVER; 314 315 return tls13_handshake_perform(ctx); 316 } 317 318 int 319 tls13_handshake_send_action(struct tls13_ctx *ctx, 320 struct tls13_handshake_action *action) 321 { 322 ssize_t ret; 323 CBS cbs; 324 325 /* If we have no handshake message, we need to build one. */ 326 if (ctx->hs_msg == NULL) { 327 if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL) 328 return TLS13_IO_FAILURE; 329 330 /* XXX - provide CBB. */ 331 if (!action->send(ctx)) 332 return TLS13_IO_FAILURE; 333 } 334 335 if ((ret = tls13_handshake_msg_send(ctx->hs_msg, ctx->rl)) <= 0) 336 return ret; 337 338 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 339 if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs))) 340 return TLS13_IO_FAILURE; 341 342 tls13_handshake_msg_free(ctx->hs_msg); 343 ctx->hs_msg = NULL; 344 345 return TLS13_IO_SUCCESS; 346 } 347 348 int 349 tls13_handshake_recv_action(struct tls13_ctx *ctx, 350 struct tls13_handshake_action *action) 351 { 352 uint8_t msg_type; 353 ssize_t ret; 354 CBS cbs; 355 356 if (ctx->hs_msg == NULL) { 357 if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL) 358 return TLS13_IO_FAILURE; 359 } 360 361 if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) <= 0) 362 return ret; 363 364 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 365 if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs))) 366 return TLS13_IO_FAILURE; 367 368 /* 369 * In TLSv1.3 there is no way to know if you're going to receive a 370 * certificate request message or not, hence we have to special case it 371 * here. The receive handler also knows how to deal with this situation. 372 */ 373 msg_type = tls13_handshake_msg_type(ctx->hs_msg); 374 if (msg_type != action->handshake_type && 375 (msg_type != TLS13_MT_CERTIFICATE || 376 action->handshake_type != TLS13_MT_CERTIFICATE_REQUEST)) { 377 /* XXX send unexpected message alert */ 378 return TLS13_IO_FAILURE; 379 } 380 381 /* XXX provide CBS and check all consumed. */ 382 ret = action->recv(ctx); 383 384 tls13_handshake_msg_free(ctx->hs_msg); 385 ctx->hs_msg = NULL; 386 387 return ret; 388 } 389 390 int 391 tls13_client_hello_recv(struct tls13_ctx *ctx) 392 { 393 return 0; 394 } 395 396 int 397 tls13_client_hello_retry_send(struct tls13_ctx *ctx) 398 { 399 return 0; 400 } 401 402 int 403 tls13_client_hello_retry_recv(struct tls13_ctx *ctx) 404 { 405 return 0; 406 } 407 408 409 int 410 tls13_client_end_of_early_data_send(struct tls13_ctx *ctx) 411 { 412 return 0; 413 } 414 415 int 416 tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx) 417 { 418 return 0; 419 } 420 421 int 422 tls13_client_certificate_send(struct tls13_ctx *ctx) 423 { 424 return 0; 425 } 426 427 int 428 tls13_client_certificate_recv(struct tls13_ctx *ctx) 429 { 430 return 0; 431 } 432 433 int 434 tls13_client_certificate_verify_send(struct tls13_ctx *ctx) 435 { 436 return 0; 437 } 438 439 int 440 tls13_client_certificate_verify_recv(struct tls13_ctx *ctx) 441 { 442 return 0; 443 } 444 445 int 446 tls13_client_finished_recv(struct tls13_ctx *ctx) 447 { 448 return 0; 449 } 450 451 int 452 tls13_client_finished_send(struct tls13_ctx *ctx) 453 { 454 return 0; 455 } 456 457 int 458 tls13_client_key_update_send(struct tls13_ctx *ctx) 459 { 460 return 0; 461 } 462 463 int 464 tls13_client_key_update_recv(struct tls13_ctx *ctx) 465 { 466 return 0; 467 } 468 469 int 470 tls13_server_hello_recv(struct tls13_ctx *ctx) 471 { 472 ctx->handshake_stage.hs_type |= NEGOTIATED; 473 474 return 0; 475 } 476 477 int 478 tls13_server_hello_send(struct tls13_ctx *ctx) 479 { 480 ctx->handshake_stage.hs_type |= NEGOTIATED; 481 482 return 0; 483 } 484 485 int 486 tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx) 487 { 488 return 0; 489 } 490 491 int 492 tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx) 493 { 494 return 0; 495 } 496 497 int 498 tls13_server_certificate_recv(struct tls13_ctx *ctx) 499 { 500 return 0; 501 } 502 503 int 504 tls13_server_certificate_send(struct tls13_ctx *ctx) 505 { 506 return 0; 507 } 508 509 int 510 tls13_server_certificate_request_recv(struct tls13_ctx *ctx) 511 { 512 /* 513 * Thanks to poor state design in the RFC, this function can be called 514 * when we actually have a certificate message instead of a certificate 515 * request... in that case we call the certificate handler after 516 * switching state, to avoid advancing state. 517 */ 518 if (tls13_handshake_msg_type(ctx->hs_msg) == TLS13_MT_CERTIFICATE) { 519 ctx->handshake_stage.hs_type |= WITHOUT_CR; 520 return tls13_server_certificate_recv(ctx); 521 } 522 523 return 0; 524 } 525 526 int 527 tls13_server_certificate_request_send(struct tls13_ctx *ctx) 528 { 529 return 0; 530 } 531 532 int 533 tls13_server_certificate_verify_send(struct tls13_ctx *ctx) 534 { 535 return 0; 536 } 537 538 int 539 tls13_server_certificate_verify_recv(struct tls13_ctx *ctx) 540 { 541 return 0; 542 } 543 544 int 545 tls13_server_finished_recv(struct tls13_ctx *ctx) 546 { 547 return 0; 548 } 549 550 int 551 tls13_server_finished_send(struct tls13_ctx *ctx) 552 { 553 return 0; 554 } 555