1 /* $OpenBSD: tls13_handshake.c,v 1.71 2022/04/19 17:01:43 tb Exp $ */
3 * Copyright (c) 2018-2021 Theo Buehler <tb@openbsd.org>
4 * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22 #include "tls13_handshake.h"
23 #include "tls13_internal.h"
25 /* Based on RFC 8446 and inspired by s2n's TLS 1.2 state machine. */
27 struct tls13_handshake_action
{
28 uint8_t handshake_type
;
30 uint8_t handshake_complete
;
31 uint8_t send_preserve_transcript_hash
;
32 uint8_t recv_preserve_transcript_hash
;
34 int (*send
)(struct tls13_ctx
*ctx
, CBB
*cbb
);
35 int (*sent
)(struct tls13_ctx
*ctx
);
36 int (*recv
)(struct tls13_ctx
*ctx
, CBS
*cbs
);
39 static enum tls13_message_type
40 tls13_handshake_active_state(struct tls13_ctx
*ctx
);
42 static const struct tls13_handshake_action
*
43 tls13_handshake_active_action(struct tls13_ctx
*ctx
);
44 static int tls13_handshake_advance_state_machine(struct tls13_ctx
*ctx
);
46 static int tls13_handshake_send_action(struct tls13_ctx
*ctx
,
47 const struct tls13_handshake_action
*action
);
48 static int tls13_handshake_recv_action(struct tls13_ctx
*ctx
,
49 const struct tls13_handshake_action
*action
);
51 static int tls13_handshake_set_legacy_state(struct tls13_ctx
*ctx
);
52 static int tls13_handshake_legacy_info_callback(struct tls13_ctx
*ctx
);
54 static const struct tls13_handshake_action state_machine
[] = {
56 .handshake_type
= TLS13_MT_CLIENT_HELLO
,
57 .sender
= TLS13_HS_CLIENT
,
58 .send
= tls13_client_hello_send
,
59 .sent
= tls13_client_hello_sent
,
60 .recv
= tls13_client_hello_recv
,
62 [CLIENT_HELLO_RETRY
] = {
63 .handshake_type
= TLS13_MT_CLIENT_HELLO
,
64 .sender
= TLS13_HS_CLIENT
,
65 .send
= tls13_client_hello_retry_send
,
66 .recv
= tls13_client_hello_retry_recv
,
68 [CLIENT_END_OF_EARLY_DATA
] = {
69 .handshake_type
= TLS13_MT_END_OF_EARLY_DATA
,
70 .sender
= TLS13_HS_CLIENT
,
71 .send
= tls13_client_end_of_early_data_send
,
72 .recv
= tls13_client_end_of_early_data_recv
,
74 [CLIENT_CERTIFICATE
] = {
75 .handshake_type
= TLS13_MT_CERTIFICATE
,
76 .sender
= TLS13_HS_CLIENT
,
77 .send_preserve_transcript_hash
= 1,
78 .send
= tls13_client_certificate_send
,
79 .recv
= tls13_client_certificate_recv
,
81 [CLIENT_CERTIFICATE_VERIFY
] = {
82 .handshake_type
= TLS13_MT_CERTIFICATE_VERIFY
,
83 .sender
= TLS13_HS_CLIENT
,
84 .recv_preserve_transcript_hash
= 1,
85 .send
= tls13_client_certificate_verify_send
,
86 .recv
= tls13_client_certificate_verify_recv
,
89 .handshake_type
= TLS13_MT_FINISHED
,
90 .sender
= TLS13_HS_CLIENT
,
91 .recv_preserve_transcript_hash
= 1,
92 .send
= tls13_client_finished_send
,
93 .sent
= tls13_client_finished_sent
,
94 .recv
= tls13_client_finished_recv
,
97 .handshake_type
= TLS13_MT_SERVER_HELLO
,
98 .sender
= TLS13_HS_SERVER
,
99 .send
= tls13_server_hello_send
,
100 .sent
= tls13_server_hello_sent
,
101 .recv
= tls13_server_hello_recv
,
103 [SERVER_HELLO_RETRY_REQUEST
] = {
104 .handshake_type
= TLS13_MT_SERVER_HELLO
,
105 .sender
= TLS13_HS_SERVER
,
106 .send
= tls13_server_hello_retry_request_send
,
107 .recv
= tls13_server_hello_retry_request_recv
,
108 .sent
= tls13_server_hello_retry_request_sent
,
110 [SERVER_ENCRYPTED_EXTENSIONS
] = {
111 .handshake_type
= TLS13_MT_ENCRYPTED_EXTENSIONS
,
112 .sender
= TLS13_HS_SERVER
,
113 .send
= tls13_server_encrypted_extensions_send
,
114 .recv
= tls13_server_encrypted_extensions_recv
,
116 [SERVER_CERTIFICATE
] = {
117 .handshake_type
= TLS13_MT_CERTIFICATE
,
118 .sender
= TLS13_HS_SERVER
,
119 .send_preserve_transcript_hash
= 1,
120 .send
= tls13_server_certificate_send
,
121 .recv
= tls13_server_certificate_recv
,
123 [SERVER_CERTIFICATE_REQUEST
] = {
124 .handshake_type
= TLS13_MT_CERTIFICATE_REQUEST
,
125 .sender
= TLS13_HS_SERVER
,
126 .send
= tls13_server_certificate_request_send
,
127 .recv
= tls13_server_certificate_request_recv
,
129 [SERVER_CERTIFICATE_VERIFY
] = {
130 .handshake_type
= TLS13_MT_CERTIFICATE_VERIFY
,
131 .sender
= TLS13_HS_SERVER
,
132 .recv_preserve_transcript_hash
= 1,
133 .send
= tls13_server_certificate_verify_send
,
134 .recv
= tls13_server_certificate_verify_recv
,
136 [SERVER_FINISHED
] = {
137 .handshake_type
= TLS13_MT_FINISHED
,
138 .sender
= TLS13_HS_SERVER
,
139 .recv_preserve_transcript_hash
= 1,
140 .send_preserve_transcript_hash
= 1,
141 .send
= tls13_server_finished_send
,
142 .sent
= tls13_server_finished_sent
,
143 .recv
= tls13_server_finished_recv
,
145 [APPLICATION_DATA
] = {
146 .handshake_complete
= 1,
150 const enum tls13_message_type handshakes
[][TLS13_NUM_MESSAGE_TYPES
] = {
153 SERVER_HELLO_RETRY_REQUEST
,
159 SERVER_HELLO_RETRY_REQUEST
,
162 SERVER_ENCRYPTED_EXTENSIONS
,
163 SERVER_CERTIFICATE_REQUEST
,
165 SERVER_CERTIFICATE_VERIFY
,
171 [NEGOTIATED
| WITHOUT_HRR
] = {
174 SERVER_ENCRYPTED_EXTENSIONS
,
175 SERVER_CERTIFICATE_REQUEST
,
177 SERVER_CERTIFICATE_VERIFY
,
183 [NEGOTIATED
| WITHOUT_CR
] = {
185 SERVER_HELLO_RETRY_REQUEST
,
188 SERVER_ENCRYPTED_EXTENSIONS
,
190 SERVER_CERTIFICATE_VERIFY
,
195 [NEGOTIATED
| WITHOUT_HRR
| WITHOUT_CR
] = {
198 SERVER_ENCRYPTED_EXTENSIONS
,
200 SERVER_CERTIFICATE_VERIFY
,
205 [NEGOTIATED
| WITH_PSK
] = {
207 SERVER_HELLO_RETRY_REQUEST
,
210 SERVER_ENCRYPTED_EXTENSIONS
,
215 [NEGOTIATED
| WITHOUT_HRR
| WITH_PSK
] = {
218 SERVER_ENCRYPTED_EXTENSIONS
,
223 [NEGOTIATED
| WITH_CCV
] = {
225 SERVER_HELLO_RETRY_REQUEST
,
228 SERVER_ENCRYPTED_EXTENSIONS
,
229 SERVER_CERTIFICATE_REQUEST
,
231 SERVER_CERTIFICATE_VERIFY
,
234 CLIENT_CERTIFICATE_VERIFY
,
238 [NEGOTIATED
| WITHOUT_HRR
| WITH_CCV
] = {
241 SERVER_ENCRYPTED_EXTENSIONS
,
242 SERVER_CERTIFICATE_REQUEST
,
244 SERVER_CERTIFICATE_VERIFY
,
247 CLIENT_CERTIFICATE_VERIFY
,
253 const size_t handshake_count
= sizeof(handshakes
) / sizeof(handshakes
[0]);
258 #define DEBUGF(...) fprintf(stderr, __VA_ARGS__)
261 tls13_handshake_mode_name(uint8_t mode
)
264 case TLS13_HS_CLIENT
:
266 case TLS13_HS_SERVER
:
273 tls13_handshake_message_name(uint8_t msg_type
)
276 case TLS13_MT_CLIENT_HELLO
:
277 return "ClientHello";
278 case TLS13_MT_SERVER_HELLO
:
279 return "ServerHello";
280 case TLS13_MT_NEW_SESSION_TICKET
:
281 return "NewSessionTicket";
282 case TLS13_MT_END_OF_EARLY_DATA
:
283 return "EndOfEarlyData";
284 case TLS13_MT_ENCRYPTED_EXTENSIONS
:
285 return "EncryptedExtensions";
286 case TLS13_MT_CERTIFICATE
:
287 return "Certificate";
288 case TLS13_MT_CERTIFICATE_REQUEST
:
289 return "CertificateRequest";
290 case TLS13_MT_CERTIFICATE_VERIFY
:
291 return "CertificateVerify";
292 case TLS13_MT_FINISHED
:
299 static enum tls13_message_type
300 tls13_handshake_active_state(struct tls13_ctx
*ctx
)
302 struct tls13_handshake_stage hs
= ctx
->handshake_stage
;
304 if (hs
.hs_type
>= handshake_count
)
306 if (hs
.message_number
>= TLS13_NUM_MESSAGE_TYPES
)
309 return handshakes
[hs
.hs_type
][hs
.message_number
];
312 static const struct tls13_handshake_action
*
313 tls13_handshake_active_action(struct tls13_ctx
*ctx
)
315 enum tls13_message_type mt
= tls13_handshake_active_state(ctx
);
320 return &state_machine
[mt
];
324 tls13_handshake_advance_state_machine(struct tls13_ctx
*ctx
)
326 if (++ctx
->handshake_stage
.message_number
>= TLS13_NUM_MESSAGE_TYPES
)
333 tls13_handshake_end_of_flight(struct tls13_ctx
*ctx
,
334 const struct tls13_handshake_action
*previous
)
336 const struct tls13_handshake_action
*current
;
338 if ((current
= tls13_handshake_active_action(ctx
)) == NULL
)
341 return current
->sender
!= previous
->sender
;
345 tls13_handshake_msg_record(struct tls13_ctx
*ctx
)
349 tls13_handshake_msg_data(ctx
->hs_msg
, &cbs
);
350 return tls1_transcript_record(ctx
->ssl
, CBS_data(&cbs
), CBS_len(&cbs
));
354 tls13_handshake_perform(struct tls13_ctx
*ctx
)
356 const struct tls13_handshake_action
*action
;
360 if (!ctx
->handshake_started
) {
362 * Set legacy state to connect/accept and call info callback
363 * to signal that the handshake started.
365 if (!tls13_handshake_set_legacy_state(ctx
))
366 return TLS13_IO_FAILURE
;
367 if (!tls13_handshake_legacy_info_callback(ctx
))
368 return TLS13_IO_FAILURE
;
370 ctx
->handshake_started
= 1;
372 /* Set legacy state for initial ClientHello read or write. */
373 if (!tls13_handshake_set_legacy_state(ctx
))
374 return TLS13_IO_FAILURE
;
378 if ((action
= tls13_handshake_active_action(ctx
)) == NULL
)
379 return TLS13_IO_FAILURE
;
381 if (ctx
->need_flush
) {
382 if ((ret
= tls13_record_layer_flush(ctx
->rl
)) !=
388 if (action
->handshake_complete
) {
389 ctx
->handshake_completed
= 1;
390 tls13_record_layer_handshake_completed(ctx
->rl
);
392 if (!tls13_handshake_set_legacy_state(ctx
))
393 return TLS13_IO_FAILURE
;
394 if (!tls13_handshake_legacy_info_callback(ctx
))
395 return TLS13_IO_FAILURE
;
397 return TLS13_IO_SUCCESS
;
400 sending
= action
->sender
== ctx
->mode
;
402 DEBUGF("%s %s %s\n", tls13_handshake_mode_name(ctx
->mode
),
403 sending
? "sending" : "receiving",
404 tls13_handshake_message_name(action
->handshake_type
));
407 return tls13_send_alert(ctx
->rl
, ctx
->alert
);
410 ret
= tls13_handshake_send_action(ctx
, action
);
412 ret
= tls13_handshake_recv_action(ctx
, action
);
415 return tls13_send_alert(ctx
->rl
, ctx
->alert
);
418 DEBUGF("%s %s returned %d\n",
419 tls13_handshake_mode_name(ctx
->mode
),
420 (action
->sender
== ctx
->mode
) ? "send" : "recv",
425 if (!tls13_handshake_legacy_info_callback(ctx
))
426 return TLS13_IO_FAILURE
;
428 if (!tls13_handshake_advance_state_machine(ctx
))
429 return TLS13_IO_FAILURE
;
432 ctx
->need_flush
= tls13_handshake_end_of_flight(ctx
,
435 if (!tls13_handshake_set_legacy_state(ctx
))
436 return TLS13_IO_FAILURE
;
441 tls13_handshake_send_action(struct tls13_ctx
*ctx
,
442 const struct tls13_handshake_action
*action
)
447 if (ctx
->send_dummy_ccs
) {
448 if ((ret
= tls13_send_dummy_ccs(ctx
->rl
)) != TLS13_IO_SUCCESS
)
450 ctx
->send_dummy_ccs
= 0;
451 if (ctx
->send_dummy_ccs_after
) {
452 ctx
->send_dummy_ccs_after
= 0;
453 return TLS13_IO_SUCCESS
;
457 /* If we have no handshake message, we need to build one. */
458 if (ctx
->hs_msg
== NULL
) {
459 if ((ctx
->hs_msg
= tls13_handshake_msg_new()) == NULL
)
460 return TLS13_IO_FAILURE
;
461 if (!tls13_handshake_msg_start(ctx
->hs_msg
, &cbb
,
462 action
->handshake_type
))
463 return TLS13_IO_FAILURE
;
464 if (!action
->send(ctx
, &cbb
))
465 return TLS13_IO_FAILURE
;
466 if (!tls13_handshake_msg_finish(ctx
->hs_msg
))
467 return TLS13_IO_FAILURE
;
470 if ((ret
= tls13_handshake_msg_send(ctx
->hs_msg
, ctx
->rl
)) <= 0)
473 if (!tls13_handshake_msg_record(ctx
))
474 return TLS13_IO_FAILURE
;
476 if (action
->send_preserve_transcript_hash
) {
477 if (!tls1_transcript_hash_value(ctx
->ssl
,
478 ctx
->hs
->tls13
.transcript_hash
,
479 sizeof(ctx
->hs
->tls13
.transcript_hash
),
480 &ctx
->hs
->tls13
.transcript_hash_len
))
481 return TLS13_IO_FAILURE
;
484 if (ctx
->handshake_message_sent_cb
!= NULL
)
485 ctx
->handshake_message_sent_cb(ctx
);
487 tls13_handshake_msg_free(ctx
->hs_msg
);
490 if (action
->sent
!= NULL
&& !action
->sent(ctx
))
491 return TLS13_IO_FAILURE
;
493 if (ctx
->send_dummy_ccs_after
) {
494 ctx
->send_dummy_ccs
= 1;
495 if ((ret
= tls13_send_dummy_ccs(ctx
->rl
)) != TLS13_IO_SUCCESS
)
497 ctx
->send_dummy_ccs
= 0;
498 ctx
->send_dummy_ccs_after
= 0;
501 return TLS13_IO_SUCCESS
;
505 tls13_handshake_recv_action(struct tls13_ctx
*ctx
,
506 const struct tls13_handshake_action
*action
)
512 if (ctx
->hs_msg
== NULL
) {
513 if ((ctx
->hs_msg
= tls13_handshake_msg_new()) == NULL
)
514 return TLS13_IO_FAILURE
;
517 if ((ret
= tls13_handshake_msg_recv(ctx
->hs_msg
, ctx
->rl
)) <= 0)
520 if (action
->recv_preserve_transcript_hash
) {
521 if (!tls1_transcript_hash_value(ctx
->ssl
,
522 ctx
->hs
->tls13
.transcript_hash
,
523 sizeof(ctx
->hs
->tls13
.transcript_hash
),
524 &ctx
->hs
->tls13
.transcript_hash_len
))
525 return TLS13_IO_FAILURE
;
528 if (!tls13_handshake_msg_record(ctx
))
529 return TLS13_IO_FAILURE
;
531 if (ctx
->handshake_message_recv_cb
!= NULL
)
532 ctx
->handshake_message_recv_cb(ctx
);
535 * In TLSv1.3 there is no way to know if you're going to receive a
536 * certificate request message or not, hence we have to special case it
537 * here. The receive handler also knows how to deal with this situation.
539 msg_type
= tls13_handshake_msg_type(ctx
->hs_msg
);
540 if (msg_type
!= action
->handshake_type
&&
541 (msg_type
!= TLS13_MT_CERTIFICATE
||
542 action
->handshake_type
!= TLS13_MT_CERTIFICATE_REQUEST
))
543 return tls13_send_alert(ctx
->rl
, TLS13_ALERT_UNEXPECTED_MESSAGE
);
545 if (!tls13_handshake_msg_content(ctx
->hs_msg
, &cbs
))
546 return TLS13_IO_FAILURE
;
548 ret
= TLS13_IO_FAILURE
;
549 if (action
->recv(ctx
, &cbs
)) {
550 if (CBS_len(&cbs
) != 0) {
551 tls13_set_errorx(ctx
, TLS13_ERR_TRAILING_DATA
, 0,
552 "trailing data in handshake message", NULL
);
553 ctx
->alert
= TLS13_ALERT_DECODE_ERROR
;
555 ret
= TLS13_IO_SUCCESS
;
559 tls13_handshake_msg_free(ctx
->hs_msg
);
562 if (ctx
->ssl
->method
->version
< TLS1_3_VERSION
)
563 return TLS13_IO_USE_LEGACY
;
568 struct tls13_handshake_legacy_state
{
573 static const struct tls13_handshake_legacy_state legacy_states
[] = {
575 .recv
= SSL3_ST_SR_CLNT_HELLO_A
,
576 .send
= SSL3_ST_CW_CLNT_HELLO_A
,
578 [SERVER_HELLO_RETRY_REQUEST
] = {
579 .recv
= SSL3_ST_CR_SRVR_HELLO_A
,
580 .send
= SSL3_ST_SW_SRVR_HELLO_A
,
582 [CLIENT_HELLO_RETRY
] = {
583 .recv
= SSL3_ST_SR_CLNT_HELLO_A
,
584 .send
= SSL3_ST_CW_CLNT_HELLO_A
,
587 .recv
= SSL3_ST_CR_SRVR_HELLO_A
,
588 .send
= SSL3_ST_SW_SRVR_HELLO_A
,
590 [SERVER_ENCRYPTED_EXTENSIONS
] = {
594 [SERVER_CERTIFICATE_REQUEST
] = {
595 .recv
= SSL3_ST_CR_CERT_REQ_A
,
596 .send
= SSL3_ST_SW_CERT_REQ_A
,
598 [SERVER_CERTIFICATE
] = {
599 .recv
= SSL3_ST_CR_CERT_A
,
600 .send
= SSL3_ST_SW_CERT_A
,
602 [SERVER_CERTIFICATE_VERIFY
] = {
606 [SERVER_FINISHED
] = {
607 .recv
= SSL3_ST_CR_FINISHED_A
,
608 .send
= SSL3_ST_SW_FINISHED_A
,
610 [CLIENT_END_OF_EARLY_DATA
] = {
614 [CLIENT_CERTIFICATE
] = {
615 .recv
= SSL3_ST_SR_CERT_VRFY_A
,
616 .send
= SSL3_ST_CW_CERT_VRFY_B
,
618 [CLIENT_CERTIFICATE_VERIFY
] = {
622 [CLIENT_FINISHED
] = {
623 .recv
= SSL3_ST_SR_FINISHED_A
,
624 .send
= SSL3_ST_CW_FINISHED_A
,
626 [APPLICATION_DATA
] = {
632 CTASSERT(sizeof(state_machine
) / sizeof(state_machine
[0]) ==
633 sizeof(legacy_states
) / sizeof(legacy_states
[0]));
636 tls13_handshake_legacy_state(struct tls13_ctx
*ctx
, int *out_state
)
638 const struct tls13_handshake_action
*action
;
639 enum tls13_message_type mt
;
643 if (!ctx
->handshake_started
) {
644 if (ctx
->mode
== TLS13_HS_CLIENT
)
645 *out_state
= SSL_ST_CONNECT
;
647 *out_state
= SSL_ST_ACCEPT
;
652 if (ctx
->handshake_completed
) {
653 *out_state
= SSL_ST_OK
;
657 if ((mt
= tls13_handshake_active_state(ctx
)) == INVALID
)
660 if ((action
= tls13_handshake_active_action(ctx
)) == NULL
)
663 if (action
->sender
== ctx
->mode
)
664 *out_state
= legacy_states
[mt
].send
;
666 *out_state
= legacy_states
[mt
].recv
;
672 tls13_handshake_info_position(struct tls13_ctx
*ctx
)
674 if (!ctx
->handshake_started
)
675 return TLS13_INFO_HANDSHAKE_STARTED
;
677 if (ctx
->handshake_completed
)
678 return TLS13_INFO_HANDSHAKE_COMPLETED
;
680 if (ctx
->mode
== TLS13_HS_CLIENT
)
681 return TLS13_INFO_CONNECT_LOOP
;
683 return TLS13_INFO_ACCEPT_LOOP
;
687 tls13_handshake_legacy_info_callback(struct tls13_ctx
*ctx
)
691 if (!tls13_handshake_legacy_state(ctx
, &state
))
694 /* Do nothing if there's no corresponding legacy state. */
698 if (ctx
->info_cb
!= NULL
) {
699 where
= tls13_handshake_info_position(ctx
);
700 ctx
->info_cb(ctx
, where
, 1);
707 tls13_handshake_set_legacy_state(struct tls13_ctx
*ctx
)
711 if (!tls13_handshake_legacy_state(ctx
, &state
))
714 /* Do nothing if there's no corresponding legacy state. */
718 ctx
->hs
->state
= state
;