1 /* $OpenBSD: tls13_handshake.c,v 1.70 2021/09/16 19:25:30 jsing Exp $ */ 2 /* 3 * Copyright (c) 2018-2021 Theo Buehler <tb@openbsd.org> 4 * Copyright (c) 2019 Joel Sing <jsing@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <stddef.h> 20 21 #include "ssl_locl.h" 22 #include "tls13_handshake.h" 23 #include "tls13_internal.h" 24 25 /* Based on RFC 8446 and inspired by s2n's TLS 1.2 state machine. */ 26 27 struct tls13_handshake_action { 28 uint8_t handshake_type; 29 uint8_t sender; 30 uint8_t handshake_complete; 31 uint8_t send_preserve_transcript_hash; 32 uint8_t recv_preserve_transcript_hash; 33 34 int (*send)(struct tls13_ctx *ctx, CBB *cbb); 35 int (*sent)(struct tls13_ctx *ctx); 36 int (*recv)(struct tls13_ctx *ctx, CBS *cbs); 37 }; 38 39 static enum tls13_message_type 40 tls13_handshake_active_state(struct tls13_ctx *ctx); 41 42 static const struct tls13_handshake_action * 43 tls13_handshake_active_action(struct tls13_ctx *ctx); 44 static int tls13_handshake_advance_state_machine(struct tls13_ctx *ctx); 45 46 static int tls13_handshake_send_action(struct tls13_ctx *ctx, 47 const struct tls13_handshake_action *action); 48 static int tls13_handshake_recv_action(struct tls13_ctx *ctx, 49 const struct tls13_handshake_action *action); 50 51 static int tls13_handshake_set_legacy_state(struct tls13_ctx *ctx); 52 static int tls13_handshake_legacy_info_callback(struct tls13_ctx *ctx); 53 54 static const struct tls13_handshake_action state_machine[] = { 55 [CLIENT_HELLO] = { 56 .handshake_type = TLS13_MT_CLIENT_HELLO, 57 .sender = TLS13_HS_CLIENT, 58 .send = tls13_client_hello_send, 59 .sent = tls13_client_hello_sent, 60 .recv = tls13_client_hello_recv, 61 }, 62 [CLIENT_HELLO_RETRY] = { 63 .handshake_type = TLS13_MT_CLIENT_HELLO, 64 .sender = TLS13_HS_CLIENT, 65 .send = tls13_client_hello_retry_send, 66 .recv = tls13_client_hello_retry_recv, 67 }, 68 [CLIENT_END_OF_EARLY_DATA] = { 69 .handshake_type = TLS13_MT_END_OF_EARLY_DATA, 70 .sender = TLS13_HS_CLIENT, 71 .send = tls13_client_end_of_early_data_send, 72 .recv = tls13_client_end_of_early_data_recv, 73 }, 74 [CLIENT_CERTIFICATE] = { 75 .handshake_type = TLS13_MT_CERTIFICATE, 76 .sender = TLS13_HS_CLIENT, 77 .send_preserve_transcript_hash = 1, 78 .send = tls13_client_certificate_send, 79 .recv = tls13_client_certificate_recv, 80 }, 81 [CLIENT_CERTIFICATE_VERIFY] = { 82 .handshake_type = TLS13_MT_CERTIFICATE_VERIFY, 83 .sender = TLS13_HS_CLIENT, 84 .recv_preserve_transcript_hash = 1, 85 .send = tls13_client_certificate_verify_send, 86 .recv = tls13_client_certificate_verify_recv, 87 }, 88 [CLIENT_FINISHED] = { 89 .handshake_type = TLS13_MT_FINISHED, 90 .sender = TLS13_HS_CLIENT, 91 .recv_preserve_transcript_hash = 1, 92 .send = tls13_client_finished_send, 93 .sent = tls13_client_finished_sent, 94 .recv = tls13_client_finished_recv, 95 }, 96 [SERVER_HELLO] = { 97 .handshake_type = TLS13_MT_SERVER_HELLO, 98 .sender = TLS13_HS_SERVER, 99 .send = tls13_server_hello_send, 100 .sent = tls13_server_hello_sent, 101 .recv = tls13_server_hello_recv, 102 }, 103 [SERVER_HELLO_RETRY_REQUEST] = { 104 .handshake_type = TLS13_MT_SERVER_HELLO, 105 .sender = TLS13_HS_SERVER, 106 .send = tls13_server_hello_retry_request_send, 107 .recv = tls13_server_hello_retry_request_recv, 108 .sent = tls13_server_hello_retry_request_sent, 109 }, 110 [SERVER_ENCRYPTED_EXTENSIONS] = { 111 .handshake_type = TLS13_MT_ENCRYPTED_EXTENSIONS, 112 .sender = TLS13_HS_SERVER, 113 .send = tls13_server_encrypted_extensions_send, 114 .recv = tls13_server_encrypted_extensions_recv, 115 }, 116 [SERVER_CERTIFICATE] = { 117 .handshake_type = TLS13_MT_CERTIFICATE, 118 .sender = TLS13_HS_SERVER, 119 .send_preserve_transcript_hash = 1, 120 .send = tls13_server_certificate_send, 121 .recv = tls13_server_certificate_recv, 122 }, 123 [SERVER_CERTIFICATE_REQUEST] = { 124 .handshake_type = TLS13_MT_CERTIFICATE_REQUEST, 125 .sender = TLS13_HS_SERVER, 126 .send = tls13_server_certificate_request_send, 127 .recv = tls13_server_certificate_request_recv, 128 }, 129 [SERVER_CERTIFICATE_VERIFY] = { 130 .handshake_type = TLS13_MT_CERTIFICATE_VERIFY, 131 .sender = TLS13_HS_SERVER, 132 .recv_preserve_transcript_hash = 1, 133 .send = tls13_server_certificate_verify_send, 134 .recv = tls13_server_certificate_verify_recv, 135 }, 136 [SERVER_FINISHED] = { 137 .handshake_type = TLS13_MT_FINISHED, 138 .sender = TLS13_HS_SERVER, 139 .recv_preserve_transcript_hash = 1, 140 .send_preserve_transcript_hash = 1, 141 .send = tls13_server_finished_send, 142 .sent = tls13_server_finished_sent, 143 .recv = tls13_server_finished_recv, 144 }, 145 [APPLICATION_DATA] = { 146 .handshake_complete = 1, 147 }, 148 }; 149 150 const enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = { 151 [INITIAL] = { 152 CLIENT_HELLO, 153 SERVER_HELLO_RETRY_REQUEST, 154 CLIENT_HELLO_RETRY, 155 SERVER_HELLO, 156 }, 157 [NEGOTIATED] = { 158 CLIENT_HELLO, 159 SERVER_HELLO_RETRY_REQUEST, 160 CLIENT_HELLO_RETRY, 161 SERVER_HELLO, 162 SERVER_ENCRYPTED_EXTENSIONS, 163 SERVER_CERTIFICATE_REQUEST, 164 SERVER_CERTIFICATE, 165 SERVER_CERTIFICATE_VERIFY, 166 SERVER_FINISHED, 167 CLIENT_CERTIFICATE, 168 CLIENT_FINISHED, 169 APPLICATION_DATA, 170 }, 171 [NEGOTIATED | WITHOUT_HRR] = { 172 CLIENT_HELLO, 173 SERVER_HELLO, 174 SERVER_ENCRYPTED_EXTENSIONS, 175 SERVER_CERTIFICATE_REQUEST, 176 SERVER_CERTIFICATE, 177 SERVER_CERTIFICATE_VERIFY, 178 SERVER_FINISHED, 179 CLIENT_CERTIFICATE, 180 CLIENT_FINISHED, 181 APPLICATION_DATA, 182 }, 183 [NEGOTIATED | WITHOUT_CR] = { 184 CLIENT_HELLO, 185 SERVER_HELLO_RETRY_REQUEST, 186 CLIENT_HELLO_RETRY, 187 SERVER_HELLO, 188 SERVER_ENCRYPTED_EXTENSIONS, 189 SERVER_CERTIFICATE, 190 SERVER_CERTIFICATE_VERIFY, 191 SERVER_FINISHED, 192 CLIENT_FINISHED, 193 APPLICATION_DATA, 194 }, 195 [NEGOTIATED | WITHOUT_HRR | WITHOUT_CR] = { 196 CLIENT_HELLO, 197 SERVER_HELLO, 198 SERVER_ENCRYPTED_EXTENSIONS, 199 SERVER_CERTIFICATE, 200 SERVER_CERTIFICATE_VERIFY, 201 SERVER_FINISHED, 202 CLIENT_FINISHED, 203 APPLICATION_DATA, 204 }, 205 [NEGOTIATED | WITH_PSK] = { 206 CLIENT_HELLO, 207 SERVER_HELLO_RETRY_REQUEST, 208 CLIENT_HELLO_RETRY, 209 SERVER_HELLO, 210 SERVER_ENCRYPTED_EXTENSIONS, 211 SERVER_FINISHED, 212 CLIENT_FINISHED, 213 APPLICATION_DATA, 214 }, 215 [NEGOTIATED | WITHOUT_HRR | WITH_PSK] = { 216 CLIENT_HELLO, 217 SERVER_HELLO, 218 SERVER_ENCRYPTED_EXTENSIONS, 219 SERVER_FINISHED, 220 CLIENT_FINISHED, 221 APPLICATION_DATA, 222 }, 223 [NEGOTIATED | WITH_CCV] = { 224 CLIENT_HELLO, 225 SERVER_HELLO_RETRY_REQUEST, 226 CLIENT_HELLO_RETRY, 227 SERVER_HELLO, 228 SERVER_ENCRYPTED_EXTENSIONS, 229 SERVER_CERTIFICATE_REQUEST, 230 SERVER_CERTIFICATE, 231 SERVER_CERTIFICATE_VERIFY, 232 SERVER_FINISHED, 233 CLIENT_CERTIFICATE, 234 CLIENT_CERTIFICATE_VERIFY, 235 CLIENT_FINISHED, 236 APPLICATION_DATA, 237 }, 238 [NEGOTIATED | WITHOUT_HRR | WITH_CCV] = { 239 CLIENT_HELLO, 240 SERVER_HELLO, 241 SERVER_ENCRYPTED_EXTENSIONS, 242 SERVER_CERTIFICATE_REQUEST, 243 SERVER_CERTIFICATE, 244 SERVER_CERTIFICATE_VERIFY, 245 SERVER_FINISHED, 246 CLIENT_CERTIFICATE, 247 CLIENT_CERTIFICATE_VERIFY, 248 CLIENT_FINISHED, 249 APPLICATION_DATA, 250 }, 251 }; 252 253 const size_t handshake_count = sizeof(handshakes) / sizeof(handshakes[0]); 254 255 #ifndef TLS13_DEBUG 256 #define DEBUGF(...) 257 #else 258 #define DEBUGF(...) fprintf(stderr, __VA_ARGS__) 259 260 static const char * 261 tls13_handshake_mode_name(uint8_t mode) 262 { 263 switch (mode) { 264 case TLS13_HS_CLIENT: 265 return "Client"; 266 case TLS13_HS_SERVER: 267 return "Server"; 268 } 269 return "Unknown"; 270 } 271 272 static const char * 273 tls13_handshake_message_name(uint8_t msg_type) 274 { 275 switch (msg_type) { 276 case TLS13_MT_CLIENT_HELLO: 277 return "ClientHello"; 278 case TLS13_MT_SERVER_HELLO: 279 return "ServerHello"; 280 case TLS13_MT_NEW_SESSION_TICKET: 281 return "NewSessionTicket"; 282 case TLS13_MT_END_OF_EARLY_DATA: 283 return "EndOfEarlyData"; 284 case TLS13_MT_ENCRYPTED_EXTENSIONS: 285 return "EncryptedExtensions"; 286 case TLS13_MT_CERTIFICATE: 287 return "Certificate"; 288 case TLS13_MT_CERTIFICATE_REQUEST: 289 return "CertificateRequest"; 290 case TLS13_MT_CERTIFICATE_VERIFY: 291 return "CertificateVerify"; 292 case TLS13_MT_FINISHED: 293 return "Finished"; 294 case TLS13_MT_KEY_UPDATE: 295 return "KeyUpdate"; 296 } 297 return "Unknown"; 298 } 299 #endif 300 301 static enum tls13_message_type 302 tls13_handshake_active_state(struct tls13_ctx *ctx) 303 { 304 struct tls13_handshake_stage hs = ctx->handshake_stage; 305 306 if (hs.hs_type >= handshake_count) 307 return INVALID; 308 if (hs.message_number >= TLS13_NUM_MESSAGE_TYPES) 309 return INVALID; 310 311 return handshakes[hs.hs_type][hs.message_number]; 312 } 313 314 static const struct tls13_handshake_action * 315 tls13_handshake_active_action(struct tls13_ctx *ctx) 316 { 317 enum tls13_message_type mt = tls13_handshake_active_state(ctx); 318 319 if (mt == INVALID) 320 return NULL; 321 322 return &state_machine[mt]; 323 } 324 325 static int 326 tls13_handshake_advance_state_machine(struct tls13_ctx *ctx) 327 { 328 if (++ctx->handshake_stage.message_number >= TLS13_NUM_MESSAGE_TYPES) 329 return 0; 330 331 return 1; 332 } 333 334 static int 335 tls13_handshake_end_of_flight(struct tls13_ctx *ctx, 336 const struct tls13_handshake_action *previous) 337 { 338 const struct tls13_handshake_action *current; 339 340 if ((current = tls13_handshake_active_action(ctx)) == NULL) 341 return 1; 342 343 return current->sender != previous->sender; 344 } 345 346 int 347 tls13_handshake_msg_record(struct tls13_ctx *ctx) 348 { 349 CBS cbs; 350 351 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 352 return tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs)); 353 } 354 355 int 356 tls13_handshake_perform(struct tls13_ctx *ctx) 357 { 358 const struct tls13_handshake_action *action; 359 int sending; 360 int ret; 361 362 if (!ctx->handshake_started) { 363 /* 364 * Set legacy state to connect/accept and call info callback 365 * to signal that the handshake started. 366 */ 367 if (!tls13_handshake_set_legacy_state(ctx)) 368 return TLS13_IO_FAILURE; 369 if (!tls13_handshake_legacy_info_callback(ctx)) 370 return TLS13_IO_FAILURE; 371 372 ctx->handshake_started = 1; 373 374 /* Set legacy state for initial ClientHello read or write. */ 375 if (!tls13_handshake_set_legacy_state(ctx)) 376 return TLS13_IO_FAILURE; 377 } 378 379 for (;;) { 380 if ((action = tls13_handshake_active_action(ctx)) == NULL) 381 return TLS13_IO_FAILURE; 382 383 if (ctx->need_flush) { 384 if ((ret = tls13_record_layer_flush(ctx->rl)) != 385 TLS13_IO_SUCCESS) 386 return ret; 387 ctx->need_flush = 0; 388 } 389 390 if (action->handshake_complete) { 391 ctx->handshake_completed = 1; 392 tls13_record_layer_handshake_completed(ctx->rl); 393 394 if (!tls13_handshake_set_legacy_state(ctx)) 395 return TLS13_IO_FAILURE; 396 if (!tls13_handshake_legacy_info_callback(ctx)) 397 return TLS13_IO_FAILURE; 398 399 return TLS13_IO_SUCCESS; 400 } 401 402 sending = action->sender == ctx->mode; 403 404 DEBUGF("%s %s %s\n", tls13_handshake_mode_name(ctx->mode), 405 sending ? "sending" : "receiving", 406 tls13_handshake_message_name(action->handshake_type)); 407 408 if (ctx->alert != 0) 409 return tls13_send_alert(ctx->rl, ctx->alert); 410 411 if (sending) 412 ret = tls13_handshake_send_action(ctx, action); 413 else 414 ret = tls13_handshake_recv_action(ctx, action); 415 416 if (ctx->alert != 0) 417 return tls13_send_alert(ctx->rl, ctx->alert); 418 419 if (ret <= 0) { 420 DEBUGF("%s %s returned %d\n", 421 tls13_handshake_mode_name(ctx->mode), 422 (action->sender == ctx->mode) ? "send" : "recv", 423 ret); 424 return ret; 425 } 426 427 if (!tls13_handshake_legacy_info_callback(ctx)) 428 return TLS13_IO_FAILURE; 429 430 if (!tls13_handshake_advance_state_machine(ctx)) 431 return TLS13_IO_FAILURE; 432 433 if (sending) 434 ctx->need_flush = tls13_handshake_end_of_flight(ctx, 435 action); 436 437 if (!tls13_handshake_set_legacy_state(ctx)) 438 return TLS13_IO_FAILURE; 439 } 440 } 441 442 static int 443 tls13_handshake_send_action(struct tls13_ctx *ctx, 444 const struct tls13_handshake_action *action) 445 { 446 ssize_t ret; 447 CBB cbb; 448 449 if (ctx->send_dummy_ccs) { 450 if ((ret = tls13_send_dummy_ccs(ctx->rl)) != TLS13_IO_SUCCESS) 451 return ret; 452 ctx->send_dummy_ccs = 0; 453 if (ctx->send_dummy_ccs_after) { 454 ctx->send_dummy_ccs_after = 0; 455 return TLS13_IO_SUCCESS; 456 } 457 } 458 459 /* If we have no handshake message, we need to build one. */ 460 if (ctx->hs_msg == NULL) { 461 if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL) 462 return TLS13_IO_FAILURE; 463 if (!tls13_handshake_msg_start(ctx->hs_msg, &cbb, 464 action->handshake_type)) 465 return TLS13_IO_FAILURE; 466 if (!action->send(ctx, &cbb)) 467 return TLS13_IO_FAILURE; 468 if (!tls13_handshake_msg_finish(ctx->hs_msg)) 469 return TLS13_IO_FAILURE; 470 } 471 472 if ((ret = tls13_handshake_msg_send(ctx->hs_msg, ctx->rl)) <= 0) 473 return ret; 474 475 if (!tls13_handshake_msg_record(ctx)) 476 return TLS13_IO_FAILURE; 477 478 if (action->send_preserve_transcript_hash) { 479 if (!tls1_transcript_hash_value(ctx->ssl, 480 ctx->hs->tls13.transcript_hash, 481 sizeof(ctx->hs->tls13.transcript_hash), 482 &ctx->hs->tls13.transcript_hash_len)) 483 return TLS13_IO_FAILURE; 484 } 485 486 if (ctx->handshake_message_sent_cb != NULL) 487 ctx->handshake_message_sent_cb(ctx); 488 489 tls13_handshake_msg_free(ctx->hs_msg); 490 ctx->hs_msg = NULL; 491 492 if (action->sent != NULL && !action->sent(ctx)) 493 return TLS13_IO_FAILURE; 494 495 if (ctx->send_dummy_ccs_after) { 496 ctx->send_dummy_ccs = 1; 497 if ((ret = tls13_send_dummy_ccs(ctx->rl)) != TLS13_IO_SUCCESS) 498 return ret; 499 ctx->send_dummy_ccs = 0; 500 ctx->send_dummy_ccs_after = 0; 501 } 502 503 return TLS13_IO_SUCCESS; 504 } 505 506 static int 507 tls13_handshake_recv_action(struct tls13_ctx *ctx, 508 const struct tls13_handshake_action *action) 509 { 510 uint8_t msg_type; 511 ssize_t ret; 512 CBS cbs; 513 514 if (ctx->hs_msg == NULL) { 515 if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL) 516 return TLS13_IO_FAILURE; 517 } 518 519 if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) <= 0) 520 return ret; 521 522 if (action->recv_preserve_transcript_hash) { 523 if (!tls1_transcript_hash_value(ctx->ssl, 524 ctx->hs->tls13.transcript_hash, 525 sizeof(ctx->hs->tls13.transcript_hash), 526 &ctx->hs->tls13.transcript_hash_len)) 527 return TLS13_IO_FAILURE; 528 } 529 530 if (!tls13_handshake_msg_record(ctx)) 531 return TLS13_IO_FAILURE; 532 533 if (ctx->handshake_message_recv_cb != NULL) 534 ctx->handshake_message_recv_cb(ctx); 535 536 /* 537 * In TLSv1.3 there is no way to know if you're going to receive a 538 * certificate request message or not, hence we have to special case it 539 * here. The receive handler also knows how to deal with this situation. 540 */ 541 msg_type = tls13_handshake_msg_type(ctx->hs_msg); 542 if (msg_type != action->handshake_type && 543 (msg_type != TLS13_MT_CERTIFICATE || 544 action->handshake_type != TLS13_MT_CERTIFICATE_REQUEST)) 545 return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 546 547 if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs)) 548 return TLS13_IO_FAILURE; 549 550 ret = TLS13_IO_FAILURE; 551 if (action->recv(ctx, &cbs)) { 552 if (CBS_len(&cbs) != 0) { 553 tls13_set_errorx(ctx, TLS13_ERR_TRAILING_DATA, 0, 554 "trailing data in handshake message", NULL); 555 ctx->alert = TLS13_ALERT_DECODE_ERROR; 556 } else { 557 ret = TLS13_IO_SUCCESS; 558 } 559 } 560 561 tls13_handshake_msg_free(ctx->hs_msg); 562 ctx->hs_msg = NULL; 563 564 if (ctx->ssl->method->version < TLS1_3_VERSION) 565 return TLS13_IO_USE_LEGACY; 566 567 return ret; 568 } 569 570 struct tls13_handshake_legacy_state { 571 int recv; 572 int send; 573 }; 574 575 static const struct tls13_handshake_legacy_state legacy_states[] = { 576 [CLIENT_HELLO] = { 577 .recv = SSL3_ST_SR_CLNT_HELLO_A, 578 .send = SSL3_ST_CW_CLNT_HELLO_A, 579 }, 580 [SERVER_HELLO_RETRY_REQUEST] = { 581 .recv = SSL3_ST_CR_SRVR_HELLO_A, 582 .send = SSL3_ST_SW_SRVR_HELLO_A, 583 }, 584 [CLIENT_HELLO_RETRY] = { 585 .recv = SSL3_ST_SR_CLNT_HELLO_A, 586 .send = SSL3_ST_CW_CLNT_HELLO_A, 587 }, 588 [SERVER_HELLO] = { 589 .recv = SSL3_ST_CR_SRVR_HELLO_A, 590 .send = SSL3_ST_SW_SRVR_HELLO_A, 591 }, 592 [SERVER_ENCRYPTED_EXTENSIONS] = { 593 .send = 0, 594 .recv = 0, 595 }, 596 [SERVER_CERTIFICATE_REQUEST] = { 597 .recv = SSL3_ST_CR_CERT_REQ_A, 598 .send = SSL3_ST_SW_CERT_REQ_A, 599 }, 600 [SERVER_CERTIFICATE] = { 601 .recv = SSL3_ST_CR_CERT_A, 602 .send = SSL3_ST_SW_CERT_A, 603 }, 604 [SERVER_CERTIFICATE_VERIFY] = { 605 .send = 0, 606 .recv = 0, 607 }, 608 [SERVER_FINISHED] = { 609 .recv = SSL3_ST_CR_FINISHED_A, 610 .send = SSL3_ST_SW_FINISHED_A, 611 }, 612 [CLIENT_END_OF_EARLY_DATA] = { 613 .send = 0, 614 .recv = 0, 615 }, 616 [CLIENT_CERTIFICATE] = { 617 .recv = SSL3_ST_SR_CERT_VRFY_A, 618 .send = SSL3_ST_CW_CERT_VRFY_B, 619 }, 620 [CLIENT_CERTIFICATE_VERIFY] = { 621 .send = 0, 622 .recv = 0, 623 }, 624 [CLIENT_FINISHED] = { 625 .recv = SSL3_ST_SR_FINISHED_A, 626 .send = SSL3_ST_CW_FINISHED_A, 627 }, 628 [APPLICATION_DATA] = { 629 .recv = 0, 630 .send = 0, 631 }, 632 }; 633 634 CTASSERT(sizeof(state_machine) / sizeof(state_machine[0]) == 635 sizeof(legacy_states) / sizeof(legacy_states[0])); 636 637 static int 638 tls13_handshake_legacy_state(struct tls13_ctx *ctx, int *out_state) 639 { 640 const struct tls13_handshake_action *action; 641 enum tls13_message_type mt; 642 643 *out_state = 0; 644 645 if (!ctx->handshake_started) { 646 if (ctx->mode == TLS13_HS_CLIENT) 647 *out_state = SSL_ST_CONNECT; 648 else 649 *out_state = SSL_ST_ACCEPT; 650 651 return 1; 652 } 653 654 if (ctx->handshake_completed) { 655 *out_state = SSL_ST_OK; 656 return 1; 657 } 658 659 if ((mt = tls13_handshake_active_state(ctx)) == INVALID) 660 return 0; 661 662 if ((action = tls13_handshake_active_action(ctx)) == NULL) 663 return 0; 664 665 if (action->sender == ctx->mode) 666 *out_state = legacy_states[mt].send; 667 else 668 *out_state = legacy_states[mt].recv; 669 670 return 1; 671 } 672 673 static int 674 tls13_handshake_info_position(struct tls13_ctx *ctx) 675 { 676 if (!ctx->handshake_started) 677 return TLS13_INFO_HANDSHAKE_STARTED; 678 679 if (ctx->handshake_completed) 680 return TLS13_INFO_HANDSHAKE_COMPLETED; 681 682 if (ctx->mode == TLS13_HS_CLIENT) 683 return TLS13_INFO_CONNECT_LOOP; 684 else 685 return TLS13_INFO_ACCEPT_LOOP; 686 } 687 688 static int 689 tls13_handshake_legacy_info_callback(struct tls13_ctx *ctx) 690 { 691 int state, where; 692 693 if (!tls13_handshake_legacy_state(ctx, &state)) 694 return 0; 695 696 /* Do nothing if there's no corresponding legacy state. */ 697 if (state == 0) 698 return 1; 699 700 if (ctx->info_cb != NULL) { 701 where = tls13_handshake_info_position(ctx); 702 ctx->info_cb(ctx, where, 1); 703 } 704 705 return 1; 706 } 707 708 static int 709 tls13_handshake_set_legacy_state(struct tls13_ctx *ctx) 710 { 711 int state; 712 713 if (!tls13_handshake_legacy_state(ctx, &state)) 714 return 0; 715 716 /* Do nothing if there's no corresponding legacy state. */ 717 if (state == 0) 718 return 1; 719 720 ctx->hs->state = state; 721 722 return 1; 723 } 724