1 /* $OpenBSD: tls13_handshake.c,v 1.27 2019/02/13 16:28:28 jsing Exp $ */ 2 /* 3 * Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org> 4 * Copyright (c) 2019 Joel Sing <jsing@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <stddef.h> 20 21 #include "ssl_locl.h" 22 #include "tls13_handshake.h" 23 #include "tls13_internal.h" 24 25 /* Based on RFC 8446 and inspired by s2n's TLS 1.2 state machine. */ 26 27 /* Record types */ 28 #define TLS13_HANDSHAKE 1 29 #define TLS13_APPLICATION_DATA 2 30 31 struct tls13_handshake_action { 32 uint8_t record_type; 33 uint8_t handshake_type; 34 uint8_t sender; 35 uint8_t handshake_complete; 36 uint8_t preserve_transcript_hash; 37 38 int (*send)(struct tls13_ctx *ctx); 39 int (*recv)(struct tls13_ctx *ctx); 40 }; 41 42 enum tls13_message_type tls13_handshake_active_state(struct tls13_ctx *ctx); 43 44 int tls13_accept(struct tls13_ctx *ctx); 45 46 struct tls13_handshake_action * 47 tls13_handshake_active_action(struct tls13_ctx *ctx); 48 int tls13_handshake_advance_state_machine(struct tls13_ctx *ctx); 49 50 int tls13_handshake_send_action(struct tls13_ctx *ctx, 51 struct tls13_handshake_action *action); 52 int tls13_handshake_recv_action(struct tls13_ctx *ctx, 53 struct tls13_handshake_action *action); 54 55 struct tls13_handshake_action state_machine[] = { 56 [CLIENT_HELLO] = { 57 .record_type = TLS13_HANDSHAKE, 58 .handshake_type = TLS13_MT_CLIENT_HELLO, 59 .sender = TLS13_HS_CLIENT, 60 .send = tls13_client_hello_send, 61 .recv = tls13_client_hello_recv, 62 }, 63 [CLIENT_HELLO_RETRY] = { 64 .record_type = TLS13_HANDSHAKE, 65 .handshake_type = TLS13_MT_CLIENT_HELLO, 66 .sender = TLS13_HS_CLIENT, 67 .send = tls13_client_hello_retry_send, 68 .recv = tls13_client_hello_retry_recv, 69 }, 70 [CLIENT_END_OF_EARLY_DATA] = { 71 .record_type = TLS13_HANDSHAKE, 72 .handshake_type = TLS13_MT_END_OF_EARLY_DATA, 73 .sender = TLS13_HS_CLIENT, 74 .send = tls13_client_end_of_early_data_send, 75 .recv = tls13_client_end_of_early_data_recv, 76 }, 77 [CLIENT_CERTIFICATE] = { 78 .record_type = TLS13_HANDSHAKE, 79 .handshake_type = TLS13_MT_CERTIFICATE, 80 .sender = TLS13_HS_CLIENT, 81 .send = tls13_client_certificate_send, 82 .recv = tls13_client_certificate_recv, 83 }, 84 [CLIENT_CERTIFICATE_VERIFY] = { 85 .record_type = TLS13_HANDSHAKE, 86 .handshake_type = TLS13_MT_CERTIFICATE_VERIFY, 87 .sender = TLS13_HS_CLIENT, 88 .send = tls13_client_certificate_verify_send, 89 .recv = tls13_client_certificate_verify_recv, 90 }, 91 [CLIENT_FINISHED] = { 92 .record_type = TLS13_HANDSHAKE, 93 .handshake_type = TLS13_MT_FINISHED, 94 .sender = TLS13_HS_CLIENT, 95 .send = tls13_client_finished_send, 96 .recv = tls13_client_finished_recv, 97 }, 98 [CLIENT_KEY_UPDATE] = { 99 .record_type = TLS13_HANDSHAKE, 100 .handshake_type = TLS13_MT_KEY_UPDATE, 101 .sender = TLS13_HS_CLIENT, 102 .send = tls13_client_key_update_send, 103 .recv = tls13_client_key_update_recv, 104 }, 105 [SERVER_HELLO] = { 106 .record_type = TLS13_HANDSHAKE, 107 .handshake_type = TLS13_MT_SERVER_HELLO, 108 .sender = TLS13_HS_SERVER, 109 .send = tls13_server_hello_send, 110 .recv = tls13_server_hello_recv, 111 }, 112 [SERVER_ENCRYPTED_EXTENSIONS] = { 113 .record_type = TLS13_HANDSHAKE, 114 .handshake_type = TLS13_MT_ENCRYPTED_EXTENSIONS, 115 .sender = TLS13_HS_SERVER, 116 .send = tls13_server_encrypted_extensions_send, 117 .recv = tls13_server_encrypted_extensions_recv, 118 }, 119 [SERVER_CERTIFICATE] = { 120 .record_type = TLS13_HANDSHAKE, 121 .handshake_type = TLS13_MT_CERTIFICATE, 122 .sender = TLS13_HS_SERVER, 123 .send = tls13_server_certificate_send, 124 .recv = tls13_server_certificate_recv, 125 }, 126 [SERVER_CERTIFICATE_REQUEST] = { 127 .record_type = TLS13_HANDSHAKE, 128 .handshake_type = TLS13_MT_CERTIFICATE, 129 .sender = TLS13_HS_SERVER, 130 .send = tls13_server_certificate_request_send, 131 .recv = tls13_server_certificate_request_recv, 132 }, 133 [SERVER_CERTIFICATE_VERIFY] = { 134 .record_type = TLS13_HANDSHAKE, 135 .handshake_type = TLS13_MT_CERTIFICATE_VERIFY, 136 .sender = TLS13_HS_SERVER, 137 .preserve_transcript_hash = 1, 138 .send = tls13_server_certificate_verify_send, 139 .recv = tls13_server_certificate_verify_recv, 140 }, 141 [SERVER_FINISHED] = { 142 .record_type = TLS13_HANDSHAKE, 143 .handshake_type = TLS13_MT_FINISHED, 144 .sender = TLS13_HS_SERVER, 145 .preserve_transcript_hash = 1, 146 .send = tls13_server_finished_send, 147 .recv = tls13_server_finished_recv, 148 }, 149 [APPLICATION_DATA] = { 150 .record_type = TLS13_APPLICATION_DATA, 151 .handshake_complete = 1, 152 }, 153 }; 154 155 enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = { 156 [INITIAL] = { 157 CLIENT_HELLO, 158 SERVER_HELLO, 159 }, 160 [NEGOTIATED] = { 161 CLIENT_HELLO, 162 SERVER_HELLO, 163 SERVER_ENCRYPTED_EXTENSIONS, 164 SERVER_CERTIFICATE_REQUEST, 165 SERVER_CERTIFICATE, 166 SERVER_CERTIFICATE_VERIFY, 167 SERVER_FINISHED, 168 CLIENT_CERTIFICATE, 169 CLIENT_FINISHED, 170 APPLICATION_DATA, 171 }, 172 [NEGOTIATED | WITH_HRR] = { 173 CLIENT_HELLO, 174 SERVER_HELLO, 175 CLIENT_HELLO_RETRY, 176 SERVER_ENCRYPTED_EXTENSIONS, 177 SERVER_CERTIFICATE_REQUEST, 178 SERVER_CERTIFICATE, 179 SERVER_CERTIFICATE_VERIFY, 180 SERVER_FINISHED, 181 CLIENT_CERTIFICATE, 182 CLIENT_FINISHED, 183 APPLICATION_DATA, 184 }, 185 [NEGOTIATED | WITHOUT_CR] = { 186 CLIENT_HELLO, 187 SERVER_HELLO, 188 SERVER_ENCRYPTED_EXTENSIONS, 189 SERVER_CERTIFICATE, 190 SERVER_CERTIFICATE_VERIFY, 191 SERVER_FINISHED, 192 CLIENT_FINISHED, 193 APPLICATION_DATA, 194 }, 195 [NEGOTIATED | WITH_HRR | WITHOUT_CR] = { 196 CLIENT_HELLO, 197 SERVER_HELLO, 198 CLIENT_HELLO_RETRY, 199 SERVER_ENCRYPTED_EXTENSIONS, 200 SERVER_CERTIFICATE, 201 SERVER_CERTIFICATE_VERIFY, 202 SERVER_FINISHED, 203 CLIENT_FINISHED, 204 APPLICATION_DATA, 205 }, 206 [NEGOTIATED | WITH_PSK] = { 207 CLIENT_HELLO, 208 SERVER_HELLO, 209 SERVER_ENCRYPTED_EXTENSIONS, 210 SERVER_FINISHED, 211 CLIENT_FINISHED, 212 APPLICATION_DATA, 213 }, 214 [NEGOTIATED | WITH_HRR | WITH_PSK] = { 215 CLIENT_HELLO, 216 SERVER_HELLO, 217 CLIENT_HELLO_RETRY, 218 SERVER_ENCRYPTED_EXTENSIONS, 219 SERVER_FINISHED, 220 CLIENT_FINISHED, 221 APPLICATION_DATA, 222 }, 223 [NEGOTIATED | WITH_CCV] = { 224 CLIENT_HELLO, 225 SERVER_HELLO, 226 SERVER_ENCRYPTED_EXTENSIONS, 227 SERVER_CERTIFICATE_REQUEST, 228 SERVER_CERTIFICATE, 229 SERVER_CERTIFICATE_VERIFY, 230 SERVER_FINISHED, 231 CLIENT_CERTIFICATE, 232 CLIENT_CERTIFICATE_VERIFY, 233 CLIENT_FINISHED, 234 APPLICATION_DATA, 235 }, 236 [NEGOTIATED | WITH_HRR | WITH_CCV] = { 237 CLIENT_HELLO, 238 SERVER_HELLO, 239 CLIENT_HELLO_RETRY, 240 SERVER_ENCRYPTED_EXTENSIONS, 241 SERVER_CERTIFICATE_REQUEST, 242 SERVER_CERTIFICATE, 243 SERVER_CERTIFICATE_VERIFY, 244 SERVER_FINISHED, 245 CLIENT_CERTIFICATE, 246 CLIENT_CERTIFICATE_VERIFY, 247 CLIENT_FINISHED, 248 APPLICATION_DATA, 249 }, 250 }; 251 252 const size_t handshake_count = sizeof(handshakes) / sizeof(handshakes[0]); 253 254 enum tls13_message_type 255 tls13_handshake_active_state(struct tls13_ctx *ctx) 256 { 257 struct tls13_handshake_stage hs = ctx->handshake_stage; 258 259 if (hs.hs_type >= handshake_count) 260 return INVALID; 261 if (hs.message_number >= TLS13_NUM_MESSAGE_TYPES) 262 return INVALID; 263 264 return handshakes[hs.hs_type][hs.message_number]; 265 } 266 267 struct tls13_handshake_action * 268 tls13_handshake_active_action(struct tls13_ctx *ctx) 269 { 270 enum tls13_message_type mt = tls13_handshake_active_state(ctx); 271 272 if (mt == INVALID) 273 return NULL; 274 275 return &state_machine[mt]; 276 } 277 278 int 279 tls13_handshake_advance_state_machine(struct tls13_ctx *ctx) 280 { 281 if (++ctx->handshake_stage.message_number >= TLS13_NUM_MESSAGE_TYPES) 282 return 0; 283 284 return 1; 285 } 286 287 int 288 tls13_handshake_perform(struct tls13_ctx *ctx) 289 { 290 struct tls13_handshake_action *action; 291 int ret; 292 293 for (;;) { 294 if ((action = tls13_handshake_active_action(ctx)) == NULL) 295 return TLS13_IO_FAILURE; 296 297 if (action->handshake_complete) 298 return TLS13_IO_SUCCESS; 299 300 if (action->sender == ctx->mode) { 301 if ((ret = tls13_handshake_send_action(ctx, action)) <= 0) 302 return ret; 303 } else { 304 if ((ret = tls13_handshake_recv_action(ctx, action)) <= 0) 305 return ret; 306 } 307 308 if (!tls13_handshake_advance_state_machine(ctx)) 309 return TLS13_IO_FAILURE; 310 } 311 } 312 313 int 314 tls13_accept(struct tls13_ctx *ctx) 315 { 316 ctx->mode = TLS13_HS_SERVER; 317 318 return tls13_handshake_perform(ctx); 319 } 320 321 int 322 tls13_handshake_send_action(struct tls13_ctx *ctx, 323 struct tls13_handshake_action *action) 324 { 325 ssize_t ret; 326 CBS cbs; 327 328 /* If we have no handshake message, we need to build one. */ 329 if (ctx->hs_msg == NULL) { 330 if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL) 331 return TLS13_IO_FAILURE; 332 333 /* XXX - provide CBB. */ 334 if (!action->send(ctx)) 335 return TLS13_IO_FAILURE; 336 } 337 338 if ((ret = tls13_handshake_msg_send(ctx->hs_msg, ctx->rl)) <= 0) 339 return ret; 340 341 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 342 if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs))) 343 return TLS13_IO_FAILURE; 344 345 tls13_handshake_msg_free(ctx->hs_msg); 346 ctx->hs_msg = NULL; 347 348 return TLS13_IO_SUCCESS; 349 } 350 351 int 352 tls13_handshake_recv_action(struct tls13_ctx *ctx, 353 struct tls13_handshake_action *action) 354 { 355 uint8_t msg_type; 356 ssize_t ret; 357 CBS cbs; 358 359 if (ctx->hs_msg == NULL) { 360 if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL) 361 return TLS13_IO_FAILURE; 362 } 363 364 if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) <= 0) 365 return ret; 366 367 if (action->preserve_transcript_hash) { 368 if (!tls1_transcript_hash_value(ctx->ssl, 369 ctx->hs->transcript_hash, sizeof(ctx->hs->transcript_hash), 370 &ctx->hs->transcript_hash_len)) 371 return TLS13_IO_FAILURE; 372 } 373 374 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 375 if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs))) 376 return TLS13_IO_FAILURE; 377 378 /* 379 * In TLSv1.3 there is no way to know if you're going to receive a 380 * certificate request message or not, hence we have to special case it 381 * here. The receive handler also knows how to deal with this situation. 382 */ 383 msg_type = tls13_handshake_msg_type(ctx->hs_msg); 384 if (msg_type != action->handshake_type && 385 (msg_type != TLS13_MT_CERTIFICATE || 386 action->handshake_type != TLS13_MT_CERTIFICATE_REQUEST)) { 387 /* XXX send unexpected message alert */ 388 return TLS13_IO_FAILURE; 389 } 390 391 /* XXX provide CBS and check all consumed. */ 392 ret = action->recv(ctx); 393 394 tls13_handshake_msg_free(ctx->hs_msg); 395 ctx->hs_msg = NULL; 396 397 return ret; 398 } 399 400 int 401 tls13_client_hello_recv(struct tls13_ctx *ctx) 402 { 403 return 0; 404 } 405 406 int 407 tls13_client_hello_retry_send(struct tls13_ctx *ctx) 408 { 409 return 0; 410 } 411 412 int 413 tls13_client_hello_retry_recv(struct tls13_ctx *ctx) 414 { 415 return 0; 416 } 417 418 419 int 420 tls13_client_end_of_early_data_send(struct tls13_ctx *ctx) 421 { 422 return 0; 423 } 424 425 int 426 tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx) 427 { 428 return 0; 429 } 430 431 int 432 tls13_client_certificate_send(struct tls13_ctx *ctx) 433 { 434 return 0; 435 } 436 437 int 438 tls13_client_certificate_recv(struct tls13_ctx *ctx) 439 { 440 return 0; 441 } 442 443 int 444 tls13_client_certificate_verify_send(struct tls13_ctx *ctx) 445 { 446 return 0; 447 } 448 449 int 450 tls13_client_certificate_verify_recv(struct tls13_ctx *ctx) 451 { 452 return 0; 453 } 454 455 int 456 tls13_client_finished_recv(struct tls13_ctx *ctx) 457 { 458 return 0; 459 } 460 461 int 462 tls13_client_key_update_send(struct tls13_ctx *ctx) 463 { 464 return 0; 465 } 466 467 int 468 tls13_client_key_update_recv(struct tls13_ctx *ctx) 469 { 470 return 0; 471 } 472 473 int 474 tls13_server_hello_send(struct tls13_ctx *ctx) 475 { 476 ctx->handshake_stage.hs_type |= NEGOTIATED; 477 478 return 0; 479 } 480 481 int 482 tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx) 483 { 484 return 0; 485 } 486 487 int 488 tls13_server_certificate_send(struct tls13_ctx *ctx) 489 { 490 return 0; 491 } 492 493 int 494 tls13_server_certificate_request_send(struct tls13_ctx *ctx) 495 { 496 return 0; 497 } 498 499 int 500 tls13_server_certificate_verify_send(struct tls13_ctx *ctx) 501 { 502 return 0; 503 } 504 505 int 506 tls13_server_finished_send(struct tls13_ctx *ctx) 507 { 508 return 0; 509 } 510