xref: /openbsd-src/lib/libssl/tls13_handshake.c (revision c90a81c56dcebd6a1b73fe4aff9b03385b8e63b3) 
1 /*	$OpenBSD: tls13_handshake.c,v 1.7 2018/11/11 06:49:35 beck Exp $	*/
2 /*
3  * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
4  *
5  * Permission to use, copy, modify, and distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 
18 #include <stddef.h>
19 
20 #include "tls13_internal.h"
21 
22 /* Based on RFC 8446 and inspired by s2n's TLS 1.2 state machine. */
23 
24 /* Record types */
25 #define TLS13_HANDSHAKE		1
26 #define TLS13_APPLICATION_DATA	2
27 
28 /* Indexing into the state machine */
29 struct tls13_handshake {
30 	uint8_t			hs_type;
31 #define INITIAL				0x00
32 #define NEGOTIATED			0x01
33 #define WITH_CERT_REQ			0x02
34 #define WITH_HELLO_RET_REQ		0x04
35 #define WITH_PSK			0x08
36 	int			message_number;
37 };
38 
39 struct tls13_ctx {
40 	uint8_t			mode;
41 	struct tls13_handshake	handshake;
42 };
43 
44 struct tls13_handshake_action {
45 	uint8_t			record_type;
46 	uint8_t			handshake_type;
47 
48 	uint8_t			sender;
49 #define TLS13_HS_CLIENT		1
50 #define TLS13_HS_SERVER		2
51 #define TLS13_HS_BOTH		(TLS13_HS_CLIENT | TLS13_HS_SERVER)
52 
53 	int (*send)(struct tls13_ctx *ctx);
54 	int (*recv)(struct tls13_ctx *ctx);
55 };
56 
57 enum tls13_message_type tls13_handshake_active_state(struct tls13_ctx *ctx);
58 
59 int tls13_connect(struct tls13_ctx *ctx);
60 int tls13_accept(struct tls13_ctx *ctx);
61 
62 int tls13_handshake_advance_state_machine(struct tls13_ctx *ctx);
63 
64 int tls13_handshake_send_action(struct tls13_ctx *ctx,
65     struct tls13_handshake_action *action);
66 int tls13_handshake_recv_action(struct tls13_ctx *ctx,
67     struct tls13_handshake_action *action);
68 
69 enum tls13_message_type {
70 	INVALID,
71 	CLIENT_HELLO,
72 	CLIENT_HELLO_RETRY,
73 	CLIENT_END_OF_EARLY_DATA,
74 	CLIENT_CERTIFICATE,
75 	CLIENT_CERTIFICATE_VERIFY,
76 	CLIENT_FINISHED,
77 	CLIENT_KEY_UPDATE,
78 	SERVER_HELLO,
79 	SERVER_NEW_SESSION_TICKET,
80 	SERVER_ENCRYPTED_EXTENSIONS,
81 	SERVER_CERTIFICATE,
82 	SERVER_CERTIFICATE_VERIFY,
83 	SERVER_CERTIFICATE_REQUEST,
84 	SERVER_FINISHED,
85 	SERVER_KEY_UPDATE,
86 	SERVER_MESSAGE_HASH,
87 	APPLICATION_DATA,
88 };
89 
90 struct tls13_handshake_action state_machine[] = {
91 	[CLIENT_HELLO] = {
92 		.record_type = TLS13_HANDSHAKE,
93 		.handshake_type = TLS13_MT_CLIENT_HELLO,
94 		.sender = TLS13_HS_CLIENT,
95 		.send = tls13_client_hello_send,
96 		.recv = tls13_client_hello_recv,
97 	},
98 	[CLIENT_HELLO_RETRY] = {
99 		.record_type = TLS13_HANDSHAKE,
100 		.handshake_type = TLS13_MT_CLIENT_HELLO,
101 		.sender = TLS13_HS_CLIENT,
102 		.send = tls13_client_hello_retry_send,
103 		.recv = tls13_client_hello_retry_recv,
104 	},
105 	[CLIENT_END_OF_EARLY_DATA] = {
106 		.record_type = TLS13_HANDSHAKE,
107 		.handshake_type = TLS13_MT_END_OF_EARLY_DATA,
108 		.sender = TLS13_HS_CLIENT,
109 		.send = tls13_client_end_of_early_data_send,
110 		.recv = tls13_client_end_of_early_data_recv,
111 	},
112 	[CLIENT_CERTIFICATE] = {
113 		.record_type = TLS13_HANDSHAKE,
114 		.handshake_type = TLS13_MT_CERTIFICATE,
115 		.sender = TLS13_HS_CLIENT,
116 		.send = tls13_client_certificate_send,
117 		.recv = tls13_client_certificate_recv,
118 	},
119 	[CLIENT_CERTIFICATE_VERIFY] = {
120 		.record_type = TLS13_HANDSHAKE,
121 		.handshake_type = TLS13_MT_CERTIFICATE_VERIFY,
122 		.sender = TLS13_HS_CLIENT,
123 		.send = tls13_client_certificate_verify_send,
124 		.recv = tls13_client_certificate_verify_recv,
125 	},
126 	[CLIENT_FINISHED] = {
127 		.record_type = TLS13_HANDSHAKE,
128 		.handshake_type = TLS13_MT_FINISHED,
129 		.sender = TLS13_HS_CLIENT,
130 		.send = tls13_client_finished_send,
131 		.recv = tls13_client_finished_recv,
132 	},
133 	[CLIENT_KEY_UPDATE] = {
134 		.record_type = TLS13_HANDSHAKE,
135 		.handshake_type = TLS13_MT_KEY_UPDATE,
136 		.sender = TLS13_HS_CLIENT,
137 		.send = tls13_client_key_update_send,
138 		.recv = tls13_client_key_update_recv,
139 	},
140 	[SERVER_HELLO] = {
141 		.record_type = TLS13_HANDSHAKE,
142 		.handshake_type = TLS13_MT_SERVER_HELLO,
143 		.sender = TLS13_HS_SERVER,
144 		.send = tls13_server_hello_send,
145 		.recv = tls13_server_hello_recv,
146 	},
147 	[SERVER_NEW_SESSION_TICKET] = {
148 		.record_type = TLS13_HANDSHAKE,
149 		.handshake_type = TLS13_MT_NEW_SESSION_TICKET,
150 		.sender = TLS13_HS_SERVER,
151 		.send = tls13_server_new_session_ticket_send,
152 		.recv = tls13_server_new_session_ticket_recv,
153 	},
154 	[SERVER_ENCRYPTED_EXTENSIONS] = {
155 		.record_type = TLS13_HANDSHAKE,
156 		.handshake_type = TLS13_MT_ENCRYPTED_EXTENSIONS,
157 		.sender = TLS13_HS_SERVER,
158 		.send = tls13_server_encrypted_extensions_send,
159 		.recv = tls13_server_encrypted_extensions_recv,
160 	},
161 	[SERVER_CERTIFICATE] = {
162 		.record_type = TLS13_HANDSHAKE,
163 		.handshake_type = TLS13_MT_CERTIFICATE,
164 		.sender = TLS13_HS_SERVER,
165 		.send = tls13_server_certificate_send,
166 		.recv = tls13_server_certificate_recv,
167 	},
168 	[SERVER_CERTIFICATE_REQUEST] = {
169 		.record_type = TLS13_HANDSHAKE,
170 		.handshake_type = TLS13_MT_CERTIFICATE,
171 		.sender = TLS13_HS_SERVER,
172 		.send = tls13_server_certificate_request_send,
173 		.recv = tls13_server_certificate_request_recv,
174 	},
175 	[SERVER_CERTIFICATE_VERIFY] = {
176 		.record_type = TLS13_HANDSHAKE,
177 		.handshake_type = TLS13_MT_CERTIFICATE_VERIFY,
178 		.sender = TLS13_HS_SERVER,
179 		.send = tls13_server_certificate_verify_send,
180 		.recv = tls13_server_certificate_verify_recv,
181 	},
182 	[SERVER_FINISHED] = {
183 		.record_type = TLS13_HANDSHAKE,
184 		.handshake_type = TLS13_MT_FINISHED,
185 		.sender = TLS13_HS_SERVER,
186 		.send = tls13_server_finished_send,
187 		.recv = tls13_server_finished_recv,
188 	},
189 	[SERVER_KEY_UPDATE] = {
190 		.record_type = TLS13_HANDSHAKE,
191 		.handshake_type = TLS13_MT_KEY_UPDATE,
192 		.sender = TLS13_HS_SERVER,
193 		.send = tls13_server_key_update_send,
194 		.recv = tls13_server_key_update_recv,
195 	},
196 	[SERVER_MESSAGE_HASH] = {
197 		.record_type = TLS13_HANDSHAKE,
198 		.handshake_type = TLS13_MT_MESSAGE_HASH,
199 		.sender = TLS13_HS_SERVER,
200 		.send = tls13_server_message_hash_send,
201 		.recv = tls13_server_message_hash_recv,
202 	},
203 	[APPLICATION_DATA] = {
204 		.record_type = TLS13_APPLICATION_DATA,
205 		.handshake_type = 0,
206 		.sender = TLS13_HS_BOTH,
207 		.send = NULL,
208 		.recv = NULL,
209 	},
210 };
211 
212 static enum tls13_message_type handshakes[][16] = {
213 	[INITIAL] = {
214 		CLIENT_HELLO,
215 		SERVER_HELLO,
216 	},
217 	[NEGOTIATED] = {
218 		CLIENT_HELLO,
219 		SERVER_HELLO,
220 		SERVER_ENCRYPTED_EXTENSIONS,
221 		SERVER_CERTIFICATE,
222 		SERVER_CERTIFICATE_VERIFY,
223 		SERVER_FINISHED,
224 		CLIENT_FINISHED,
225 		APPLICATION_DATA,
226 	},
227 	[NEGOTIATED | WITH_HELLO_RET_REQ] = {
228 		CLIENT_HELLO,
229 		SERVER_HELLO,
230 		CLIENT_HELLO_RETRY,
231 		SERVER_ENCRYPTED_EXTENSIONS,
232 		SERVER_CERTIFICATE,
233 		SERVER_CERTIFICATE_VERIFY,
234 		SERVER_FINISHED,
235 		CLIENT_FINISHED,
236 		APPLICATION_DATA,
237 	},
238 	[NEGOTIATED | WITH_CERT_REQ] = {
239 		CLIENT_HELLO,
240 		SERVER_HELLO,
241 		SERVER_ENCRYPTED_EXTENSIONS,
242 		SERVER_CERTIFICATE_REQUEST,
243 		SERVER_CERTIFICATE,
244 		SERVER_CERTIFICATE_VERIFY,
245 		SERVER_FINISHED,
246 		CLIENT_FINISHED,
247 		APPLICATION_DATA,
248 	},
249 	[NEGOTIATED | WITH_HELLO_RET_REQ | WITH_CERT_REQ] = {
250 		CLIENT_HELLO,
251 		SERVER_HELLO,
252 		CLIENT_HELLO_RETRY,
253 		SERVER_ENCRYPTED_EXTENSIONS,
254 		SERVER_CERTIFICATE_REQUEST,
255 		SERVER_CERTIFICATE,
256 		SERVER_CERTIFICATE_VERIFY,
257 		SERVER_FINISHED,
258 		CLIENT_FINISHED,
259 		APPLICATION_DATA,
260 	},
261 	[NEGOTIATED | WITH_PSK] = {
262 		CLIENT_HELLO,
263 		SERVER_HELLO,
264 		SERVER_ENCRYPTED_EXTENSIONS,
265 		SERVER_FINISHED,
266 		CLIENT_FINISHED,
267 		APPLICATION_DATA,
268 	},
269 	[NEGOTIATED | WITH_HELLO_RET_REQ | WITH_PSK] = {
270 		CLIENT_HELLO,
271 		SERVER_HELLO,
272 		CLIENT_HELLO_RETRY,
273 		SERVER_ENCRYPTED_EXTENSIONS,
274 		SERVER_FINISHED,
275 		CLIENT_FINISHED,
276 		APPLICATION_DATA,
277 	},
278 };
279 
280 enum tls13_message_type
281 tls13_handshake_active_state(struct tls13_ctx *ctx)
282 {
283 	struct tls13_handshake hs = ctx->handshake;
284 	return handshakes[hs.hs_type][hs.message_number];
285 }
286 
287 struct tls13_handshake_action *
288 tls13_handshake_active_action(struct tls13_ctx *ctx)
289 {
290 	enum tls13_message_type mt = tls13_handshake_active_state(ctx);
291 	return &state_machine[mt];
292 }
293 
294 int
295 tls13_connect(struct tls13_ctx *ctx)
296 {
297 	struct tls13_handshake_action *action;
298 
299 	ctx->mode = TLS13_HS_CLIENT;
300 
301 	for (;;) {
302 		if ((action = tls13_handshake_active_action(ctx)) == NULL)
303 			return -1;
304 
305 		if (action->sender == TLS13_HS_BOTH)
306 			return 1;
307 
308 		if (action->sender == TLS13_HS_CLIENT) {
309 			if (!tls13_handshake_send_action(ctx, action))
310 				return 0;
311 		} else {
312 			if (!tls13_handshake_recv_action(ctx, action))
313 				return 0;
314 		}
315 
316 		if (!tls13_handshake_advance_state_machine(ctx))
317 			return 0;
318 	}
319 }
320 
321 int
322 tls13_accept(struct tls13_ctx *ctx)
323 {
324 	struct tls13_handshake_action *action;
325 
326 	ctx->mode = TLS13_HS_SERVER;
327 
328 	for (;;) {
329 		if ((action = tls13_handshake_active_action(ctx)) == NULL)
330 			return -1;
331 
332 		if (action->sender == TLS13_HS_BOTH)
333 			return 1;
334 
335 		if (action->sender == TLS13_HS_SERVER) {
336 			if (!tls13_handshake_send_action(ctx, action))
337 				return 0;
338 		} else {
339 			if (!tls13_handshake_recv_action(ctx, action))
340 				return 0;
341 		}
342 
343 		if (!tls13_handshake_advance_state_machine(ctx))
344 			return 0;
345 	}
346 
347 	return 1;
348 }
349 
350 int
351 tls13_handshake_advance_state_machine(struct tls13_ctx *ctx)
352 {
353 	ctx->handshake.message_number++;
354 	return 1;
355 }
356 
357 int
358 tls13_handshake_send_action(struct tls13_ctx *ctx,
359     struct tls13_handshake_action *action)
360 {
361 	return action->send(ctx);
362 }
363 
364 int
365 tls13_handshake_recv_action(struct tls13_ctx *ctx,
366     struct tls13_handshake_action *action)
367 {
368 	return action->recv(ctx);
369 }
370 
371 int
372 tls13_client_hello_send(struct tls13_ctx *ctx)
373 {
374 	return 1;
375 }
376 
377 int
378 tls13_client_hello_recv(struct tls13_ctx *ctx)
379 {
380 	return 1;
381 }
382 
383 int
384 tls13_client_hello_retry_send(struct tls13_ctx *ctx)
385 {
386 	return 1;
387 }
388 
389 int
390 tls13_client_hello_retry_recv(struct tls13_ctx *ctx)
391 {
392 	return 1;
393 }
394 
395 
396 int
397 tls13_client_end_of_early_data_send(struct tls13_ctx *ctx)
398 {
399 	return 1;
400 }
401 
402 int
403 tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx)
404 {
405 	return 1;
406 }
407 
408 int
409 tls13_client_certificate_send(struct tls13_ctx *ctx)
410 {
411 	return 1;
412 }
413 
414 int
415 tls13_client_certificate_recv(struct tls13_ctx *ctx)
416 {
417 	return 1;
418 }
419 
420 int
421 tls13_client_certificate_verify_send(struct tls13_ctx *ctx)
422 {
423 	return 1;
424 }
425 
426 int
427 tls13_client_certificate_verify_recv(struct tls13_ctx *ctx)
428 {
429 	return 1;
430 }
431 
432 int
433 tls13_client_finished_recv(struct tls13_ctx *ctx)
434 {
435 	return 1;
436 }
437 
438 int
439 tls13_client_finished_send(struct tls13_ctx *ctx)
440 {
441 	return 1;
442 }
443 
444 int
445 tls13_client_key_update_send(struct tls13_ctx *ctx)
446 {
447 	return 1;
448 }
449 
450 int
451 tls13_client_key_update_recv(struct tls13_ctx *ctx)
452 {
453 	return 1;
454 }
455 
456 int
457 tls13_server_hello_recv(struct tls13_ctx *ctx)
458 {
459 	ctx->handshake.hs_type |= NEGOTIATED;
460 
461 	return 1;
462 }
463 
464 int
465 tls13_server_hello_send(struct tls13_ctx *ctx)
466 {
467 	ctx->handshake.hs_type |= NEGOTIATED;
468 
469 	return 1;
470 }
471 
472 int
473 tls13_server_new_session_ticket_recv(struct tls13_ctx *ctx)
474 {
475 	return 1;
476 }
477 
478 int
479 tls13_server_new_session_ticket_send(struct tls13_ctx *ctx)
480 {
481 	return 1;
482 }
483 
484 int
485 tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx)
486 {
487 	return 1;
488 }
489 
490 int
491 tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx)
492 {
493 	return 1;
494 }
495 
496 int
497 tls13_server_certificate_recv(struct tls13_ctx *ctx)
498 {
499 	return 1;
500 }
501 
502 int
503 tls13_server_certificate_send(struct tls13_ctx *ctx)
504 {
505 	return 1;
506 }
507 
508 int
509 tls13_server_certificate_request_recv(struct tls13_ctx *ctx)
510 {
511 	return 1;
512 }
513 
514 int
515 tls13_server_certificate_request_send(struct tls13_ctx *ctx)
516 {
517 	return 1;
518 }
519 
520 int
521 tls13_server_certificate_verify_send(struct tls13_ctx *ctx)
522 {
523 	return 1;
524 }
525 
526 int
527 tls13_server_certificate_verify_recv(struct tls13_ctx *ctx)
528 {
529 	return 1;
530 }
531 
532 int
533 tls13_server_finished_recv(struct tls13_ctx *ctx)
534 {
535 	return 1;
536 }
537 
538 int
539 tls13_server_finished_send(struct tls13_ctx *ctx)
540 {
541 	return 1;
542 }
543 
544 int
545 tls13_server_key_update_recv(struct tls13_ctx *ctx)
546 {
547 	return 1;
548 }
549 
550 int
551 tls13_server_key_update_send(struct tls13_ctx *ctx)
552 {
553 	return 1;
554 }
555 
556 int
557 tls13_server_message_hash_recv(struct tls13_ctx *ctx)
558 {
559 	return 1;
560 }
561 
562 int
563 tls13_server_message_hash_send(struct tls13_ctx *ctx)
564 {
565 	return 1;
566 }
567