1 files changed, 0 insertions, 723 deletions
diff --git a/src/lib/libssl/tls13_handshake.c b/src/lib/libssl/tls13_handshake.c
deleted file mode 100644
index 0dc2333708..0000000000
--- a/src/lib/libssl/tls13_handshake.c
+++ /dev/null
@@ -1,723 +0,0 @@
-/*      $OpenBSD: tls13_handshake.c,v 1.73 2024/02/03 19:57:14 tb Exp $ */
-/*
- * Copyright (c) 2018-2021 Theo Buehler <tb@openbsd.org>
- * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#include <stddef.h>
-#include "ssl_local.h"
-#include "tls13_handshake.h"
-#include "tls13_internal.h"
-/* Based on RFC 8446 and inspired by s2n's TLS 1.2 state machine. */
-struct tls13_handshake_action {
-        uint8_t handshake_type;
-        uint8_t sender;
-        uint8_t handshake_complete;
-        uint8_t send_preserve_transcript_hash;
-        uint8_t recv_preserve_transcript_hash;
-        int (*send)(struct tls13_ctx *ctx, CBB *cbb);
-        int (*sent)(struct tls13_ctx *ctx);
-        int (*recv)(struct tls13_ctx *ctx, CBS *cbs);
-};
-static enum tls13_message_type
-    tls13_handshake_active_state(struct tls13_ctx *ctx);
-static const struct tls13_handshake_action *
-    tls13_handshake_active_action(struct tls13_ctx *ctx);
-static int tls13_handshake_advance_state_machine(struct tls13_ctx *ctx);
-static int tls13_handshake_send_action(struct tls13_ctx *ctx,
-    const struct tls13_handshake_action *action);
-static int tls13_handshake_recv_action(struct tls13_ctx *ctx,
-    const struct tls13_handshake_action *action);
-static int tls13_handshake_set_legacy_state(struct tls13_ctx *ctx);
-static int tls13_handshake_legacy_info_callback(struct tls13_ctx *ctx);
-static const struct tls13_handshake_action state_machine[] = {
-        [CLIENT_HELLO] = {
-                .handshake_type = TLS13_MT_CLIENT_HELLO,
-                .sender = TLS13_HS_CLIENT,
-                .send = tls13_client_hello_send,
-                .sent = tls13_client_hello_sent,
-                .recv = tls13_client_hello_recv,
-        },
-        [CLIENT_HELLO_RETRY] = {
-                .handshake_type = TLS13_MT_CLIENT_HELLO,
-                .sender = TLS13_HS_CLIENT,
-                .send = tls13_client_hello_retry_send,
-                .recv = tls13_client_hello_retry_recv,
-        },
-        [CLIENT_END_OF_EARLY_DATA] = {
-                .handshake_type = TLS13_MT_END_OF_EARLY_DATA,
-                .sender = TLS13_HS_CLIENT,
-                .send = tls13_client_end_of_early_data_send,
-                .recv = tls13_client_end_of_early_data_recv,
-        },
-        [CLIENT_CERTIFICATE] = {
-                .handshake_type = TLS13_MT_CERTIFICATE,
-                .sender = TLS13_HS_CLIENT,
-                .send_preserve_transcript_hash = 1,
-                .send = tls13_client_certificate_send,
-                .recv = tls13_client_certificate_recv,
-        },
-        [CLIENT_CERTIFICATE_VERIFY] = {
-                .handshake_type = TLS13_MT_CERTIFICATE_VERIFY,
-                .sender = TLS13_HS_CLIENT,
-                .recv_preserve_transcript_hash = 1,
-                .send = tls13_client_certificate_verify_send,
-                .recv = tls13_client_certificate_verify_recv,
-        },
-        [CLIENT_FINISHED] = {
-                .handshake_type = TLS13_MT_FINISHED,
-                .sender = TLS13_HS_CLIENT,
-                .recv_preserve_transcript_hash = 1,
-                .send = tls13_client_finished_send,
-                .sent = tls13_client_finished_sent,
-                .recv = tls13_client_finished_recv,
-        },
-        [SERVER_HELLO] = {
-                .handshake_type = TLS13_MT_SERVER_HELLO,
-                .sender = TLS13_HS_SERVER,
-                .send = tls13_server_hello_send,
-                .sent = tls13_server_hello_sent,
-                .recv = tls13_server_hello_recv,
-        },
-        [SERVER_HELLO_RETRY_REQUEST] = {
-                .handshake_type = TLS13_MT_SERVER_HELLO,
-                .sender = TLS13_HS_SERVER,
-                .send = tls13_server_hello_retry_request_send,
-                .recv = tls13_server_hello_retry_request_recv,
-                .sent = tls13_server_hello_retry_request_sent,
-        },
-        [SERVER_ENCRYPTED_EXTENSIONS] = {
-                .handshake_type = TLS13_MT_ENCRYPTED_EXTENSIONS,
-                .sender = TLS13_HS_SERVER,
-                .send = tls13_server_encrypted_extensions_send,
-                .recv = tls13_server_encrypted_extensions_recv,
-        },
-        [SERVER_CERTIFICATE] = {
-                .handshake_type = TLS13_MT_CERTIFICATE,
-                .sender = TLS13_HS_SERVER,
-                .send_preserve_transcript_hash = 1,
-                .send = tls13_server_certificate_send,
-                .recv = tls13_server_certificate_recv,
-        },
-        [SERVER_CERTIFICATE_REQUEST] = {
-                .handshake_type = TLS13_MT_CERTIFICATE_REQUEST,
-                .sender = TLS13_HS_SERVER,
-                .send = tls13_server_certificate_request_send,
-                .recv = tls13_server_certificate_request_recv,
-        },
-        [SERVER_CERTIFICATE_VERIFY] = {
-                .handshake_type = TLS13_MT_CERTIFICATE_VERIFY,
-                .sender = TLS13_HS_SERVER,
-                .recv_preserve_transcript_hash = 1,
-                .send = tls13_server_certificate_verify_send,
-                .recv = tls13_server_certificate_verify_recv,
-        },
-        [SERVER_FINISHED] = {
-                .handshake_type = TLS13_MT_FINISHED,
-                .sender = TLS13_HS_SERVER,
-                .recv_preserve_transcript_hash = 1,
-                .send_preserve_transcript_hash = 1,
-                .send = tls13_server_finished_send,
-                .sent = tls13_server_finished_sent,
-                .recv = tls13_server_finished_recv,
-        },
-        [APPLICATION_DATA] = {
-                .handshake_complete = 1,
-        },
-};
-const enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
-        [INITIAL] = {
-                CLIENT_HELLO,
-                SERVER_HELLO_RETRY_REQUEST,
-                CLIENT_HELLO_RETRY,
-                SERVER_HELLO,
-        },
-        [NEGOTIATED] = {
-                CLIENT_HELLO,
-                SERVER_HELLO_RETRY_REQUEST,
-                CLIENT_HELLO_RETRY,
-                SERVER_HELLO,
-                SERVER_ENCRYPTED_EXTENSIONS,
-                SERVER_CERTIFICATE_REQUEST,
-                SERVER_CERTIFICATE,
-                SERVER_CERTIFICATE_VERIFY,
-                SERVER_FINISHED,
-                CLIENT_CERTIFICATE,
-                CLIENT_FINISHED,
-                APPLICATION_DATA,
-        },
-        [NEGOTIATED | WITHOUT_HRR] = {
-                CLIENT_HELLO,
-                SERVER_HELLO,
-                SERVER_ENCRYPTED_EXTENSIONS,
-                SERVER_CERTIFICATE_REQUEST,
-                SERVER_CERTIFICATE,
-                SERVER_CERTIFICATE_VERIFY,
-                SERVER_FINISHED,
-                CLIENT_CERTIFICATE,
-                CLIENT_FINISHED,
-                APPLICATION_DATA,
-        },
-        [NEGOTIATED | WITHOUT_CR] = {
-                CLIENT_HELLO,
-                SERVER_HELLO_RETRY_REQUEST,
-                CLIENT_HELLO_RETRY,
-                SERVER_HELLO,
-                SERVER_ENCRYPTED_EXTENSIONS,
-                SERVER_CERTIFICATE,
-                SERVER_CERTIFICATE_VERIFY,
-                SERVER_FINISHED,
-                CLIENT_FINISHED,
-                APPLICATION_DATA,
-        },
-        [NEGOTIATED | WITHOUT_HRR | WITHOUT_CR] = {
-                CLIENT_HELLO,
-                SERVER_HELLO,
-                SERVER_ENCRYPTED_EXTENSIONS,
-                SERVER_CERTIFICATE,
-                SERVER_CERTIFICATE_VERIFY,
-                SERVER_FINISHED,
-                CLIENT_FINISHED,
-                APPLICATION_DATA,
-        },
-        [NEGOTIATED | WITH_PSK] = {
-                CLIENT_HELLO,
-                SERVER_HELLO_RETRY_REQUEST,
-                CLIENT_HELLO_RETRY,
-                SERVER_HELLO,
-                SERVER_ENCRYPTED_EXTENSIONS,
-                SERVER_FINISHED,
-                CLIENT_FINISHED,
-                APPLICATION_DATA,
-        },
-        [NEGOTIATED | WITHOUT_HRR | WITH_PSK] = {
-                CLIENT_HELLO,
-                SERVER_HELLO,
-                SERVER_ENCRYPTED_EXTENSIONS,
-                SERVER_FINISHED,
-                CLIENT_FINISHED,
-                APPLICATION_DATA,
-        },
-        [NEGOTIATED | WITH_CCV] = {
-                CLIENT_HELLO,
-                SERVER_HELLO_RETRY_REQUEST,
-                CLIENT_HELLO_RETRY,
-                SERVER_HELLO,
-                SERVER_ENCRYPTED_EXTENSIONS,
-                SERVER_CERTIFICATE_REQUEST,
-                SERVER_CERTIFICATE,
-                SERVER_CERTIFICATE_VERIFY,
-                SERVER_FINISHED,
-                CLIENT_CERTIFICATE,
-                CLIENT_CERTIFICATE_VERIFY,
-                CLIENT_FINISHED,
-                APPLICATION_DATA,
-        },
-        [NEGOTIATED | WITHOUT_HRR | WITH_CCV] = {
-                CLIENT_HELLO,
-                SERVER_HELLO,
-                SERVER_ENCRYPTED_EXTENSIONS,
-                SERVER_CERTIFICATE_REQUEST,
-                SERVER_CERTIFICATE,
-                SERVER_CERTIFICATE_VERIFY,
-                SERVER_FINISHED,
-                CLIENT_CERTIFICATE,
-                CLIENT_CERTIFICATE_VERIFY,
-                CLIENT_FINISHED,
-                APPLICATION_DATA,
-        },
-};
-const size_t handshake_count = sizeof(handshakes) / sizeof(handshakes[0]);
-#ifndef TLS13_DEBUG
-#define DEBUGF(...)
-#else
-#define DEBUGF(...) fprintf(stderr, __VA_ARGS__)
-static const char *
-tls13_handshake_mode_name(uint8_t mode)
-{
-        switch (mode) {
-        case TLS13_HS_CLIENT:
-                return "Client";
-        case TLS13_HS_SERVER:
-                return "Server";
-        }
-        return "Unknown";
-}
-static const char *
-tls13_handshake_message_name(uint8_t msg_type)
-{
-        switch (msg_type) {
-        case TLS13_MT_CLIENT_HELLO:
-                return "ClientHello";
-        case TLS13_MT_SERVER_HELLO:
-                return "ServerHello";
-        case TLS13_MT_NEW_SESSION_TICKET:
-                return "NewSessionTicket";
-        case TLS13_MT_END_OF_EARLY_DATA:
-                return "EndOfEarlyData";
-        case TLS13_MT_ENCRYPTED_EXTENSIONS:
-                return "EncryptedExtensions";
-        case TLS13_MT_CERTIFICATE:
-                return "Certificate";
-        case TLS13_MT_CERTIFICATE_REQUEST:
-                return "CertificateRequest";
-        case TLS13_MT_CERTIFICATE_VERIFY:
-                return "CertificateVerify";
-        case TLS13_MT_FINISHED:
-                return "Finished";
-        }
-        return "Unknown";
-}
-#endif
-static enum tls13_message_type
-tls13_handshake_active_state(struct tls13_ctx *ctx)
-{
-        struct tls13_handshake_stage hs = ctx->handshake_stage;
-        if (hs.hs_type >= handshake_count)
-                return INVALID;
-        if (hs.message_number >= TLS13_NUM_MESSAGE_TYPES)
-                return INVALID;
-        return handshakes[hs.hs_type][hs.message_number];
-}
-static const struct tls13_handshake_action *
-tls13_handshake_active_action(struct tls13_ctx *ctx)
-{
-        enum tls13_message_type mt = tls13_handshake_active_state(ctx);
-        if (mt == INVALID)
-                return NULL;
-        return &state_machine[mt];
-}
-static int
-tls13_handshake_advance_state_machine(struct tls13_ctx *ctx)
-{
-        if (++ctx->handshake_stage.message_number >= TLS13_NUM_MESSAGE_TYPES)
-                return 0;
-        return 1;
-}
-static int
-tls13_handshake_end_of_flight(struct tls13_ctx *ctx,
-    const struct tls13_handshake_action *previous)
-{
-        const struct tls13_handshake_action *current;
-        if ((current = tls13_handshake_active_action(ctx)) == NULL)
-                return 1;
-        return current->sender != previous->sender;
-}
-int
-tls13_handshake_msg_record(struct tls13_ctx *ctx)
-{
-        CBS cbs;
-        tls13_handshake_msg_data(ctx->hs_msg, &cbs);
-        return tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs));
-}
-int
-tls13_handshake_perform(struct tls13_ctx *ctx)
-{
-        const struct tls13_handshake_action *action;
-        int sending;
-        int ret;
-        if (!ctx->handshake_started) {
-                /*
-                 * Set legacy state to connect/accept and call info callback
-                 * to signal that the handshake started.
-                 */
-                if (!tls13_handshake_set_legacy_state(ctx))
-                        return TLS13_IO_FAILURE;
-                if (!tls13_handshake_legacy_info_callback(ctx))
-                        return TLS13_IO_FAILURE;
-                ctx->handshake_started = 1;
-                /* Set legacy state for initial ClientHello read or write. */
-                if (!tls13_handshake_set_legacy_state(ctx))
-                        return TLS13_IO_FAILURE;
-        }
-        for (;;) {
-                if ((action = tls13_handshake_active_action(ctx)) == NULL)
-                        return TLS13_IO_FAILURE;
-                if (ctx->need_flush) {
-                        if ((ret = tls13_record_layer_flush(ctx->rl)) !=
-                            TLS13_IO_SUCCESS)
-                                return ret;
-                        ctx->need_flush = 0;
-                }
-                if (action->handshake_complete) {
-                        ctx->handshake_completed = 1;
-                        tls13_record_layer_handshake_completed(ctx->rl);
-                        if (!tls13_handshake_set_legacy_state(ctx))
-                                return TLS13_IO_FAILURE;
-                        if (!tls13_handshake_legacy_info_callback(ctx))
-                                return TLS13_IO_FAILURE;
-                        return TLS13_IO_SUCCESS;
-                }
-                sending = action->sender == ctx->mode;
-                DEBUGF("%s %s %s\n", tls13_handshake_mode_name(ctx->mode),
-                    sending ? "sending" : "receiving",
-                    tls13_handshake_message_name(action->handshake_type));
-                if (ctx->alert != 0)
-                        return tls13_send_alert(ctx->rl, ctx->alert);
-                if (sending)
-                        ret = tls13_handshake_send_action(ctx, action);
-                else
-                        ret = tls13_handshake_recv_action(ctx, action);
-                if (ctx->alert != 0)
-                        return tls13_send_alert(ctx->rl, ctx->alert);
-                if (ret <= 0) {
-                        DEBUGF("%s %s returned %d\n",
-                            tls13_handshake_mode_name(ctx->mode),
-                            (action->sender == ctx->mode) ? "send" : "recv",
-                            ret);
-                        return ret;
-                }
-                if (!tls13_handshake_legacy_info_callback(ctx))
-                        return TLS13_IO_FAILURE;
-                if (!tls13_handshake_advance_state_machine(ctx))
-                        return TLS13_IO_FAILURE;
-                if (sending)
-                        ctx->need_flush = tls13_handshake_end_of_flight(ctx,
-                            action);
-                if (!tls13_handshake_set_legacy_state(ctx))
-                        return TLS13_IO_FAILURE;
-        }
-}
-static int
-tls13_handshake_send_action(struct tls13_ctx *ctx,
-    const struct tls13_handshake_action *action)
-{
-        ssize_t ret;
-        CBB cbb;
-        if (ctx->send_dummy_ccs) {
-                if ((ret = tls13_send_dummy_ccs(ctx->rl)) != TLS13_IO_SUCCESS)
-                        return ret;
-                ctx->send_dummy_ccs = 0;
-                if (ctx->send_dummy_ccs_after) {
-                        ctx->send_dummy_ccs_after = 0;
-                        return TLS13_IO_SUCCESS;
-                }
-        }
-        /* If we have no handshake message, we need to build one. */
-        if (ctx->hs_msg == NULL) {
-                if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL)
-                        return TLS13_IO_FAILURE;
-                if (!tls13_handshake_msg_start(ctx->hs_msg, &cbb,
-                    action->handshake_type))
-                        return TLS13_IO_FAILURE;
-                if (!action->send(ctx, &cbb))
-                        return TLS13_IO_FAILURE;
-                if (!tls13_handshake_msg_finish(ctx->hs_msg))
-                        return TLS13_IO_FAILURE;
-        }
-        if ((ret = tls13_handshake_msg_send(ctx->hs_msg, ctx->rl)) <= 0)
-                return ret;
-        if (!tls13_handshake_msg_record(ctx))
-                return TLS13_IO_FAILURE;
-        if (action->send_preserve_transcript_hash) {
-                if (!tls1_transcript_hash_value(ctx->ssl,
-                    ctx->hs->tls13.transcript_hash,
-                    sizeof(ctx->hs->tls13.transcript_hash),
-                    &ctx->hs->tls13.transcript_hash_len))
-                        return TLS13_IO_FAILURE;
-        }
-        if (ctx->handshake_message_sent_cb != NULL)
-                ctx->handshake_message_sent_cb(ctx);
-        tls13_handshake_msg_free(ctx->hs_msg);
-        ctx->hs_msg = NULL;
-        if (action->sent != NULL && !action->sent(ctx))
-                return TLS13_IO_FAILURE;
-        if (ctx->send_dummy_ccs_after) {
-                ctx->send_dummy_ccs = 1;
-                if ((ret = tls13_send_dummy_ccs(ctx->rl)) != TLS13_IO_SUCCESS)
-                        return ret;
-                ctx->send_dummy_ccs = 0;
-                ctx->send_dummy_ccs_after = 0;
-        }
-        return TLS13_IO_SUCCESS;
-}
-static int
-tls13_handshake_recv_action(struct tls13_ctx *ctx,
-    const struct tls13_handshake_action *action)
-{
-        uint8_t msg_type;
-        ssize_t ret;
-        CBS cbs;
-        if (ctx->hs_msg == NULL) {
-                if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL)
-                        return TLS13_IO_FAILURE;
-        }
-        if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) <= 0)
-                return ret;
-        if (action->recv_preserve_transcript_hash) {
-                if (!tls1_transcript_hash_value(ctx->ssl,
-                    ctx->hs->tls13.transcript_hash,
-                    sizeof(ctx->hs->tls13.transcript_hash),
-                    &ctx->hs->tls13.transcript_hash_len))
-                        return TLS13_IO_FAILURE;
-        }
-        if (!tls13_handshake_msg_record(ctx))
-                return TLS13_IO_FAILURE;
-        if (ctx->handshake_message_recv_cb != NULL)
-                ctx->handshake_message_recv_cb(ctx);
-        /*
-         * In TLSv1.3 there is no way to know if you're going to receive a
-         * certificate request message or not, hence we have to special case it
-         * here. The receive handler also knows how to deal with this situation.
-         */
-        msg_type = tls13_handshake_msg_type(ctx->hs_msg);
-        if (msg_type != action->handshake_type &&
-            (msg_type != TLS13_MT_CERTIFICATE ||
-             action->handshake_type != TLS13_MT_CERTIFICATE_REQUEST))
-                return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
-        if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
-                return TLS13_IO_FAILURE;
-        ret = TLS13_IO_FAILURE;
-        if (!action->recv(ctx, &cbs))
-                goto err;
-        if (CBS_len(&cbs) != 0) {
-                tls13_set_errorx(ctx, TLS13_ERR_TRAILING_DATA, 0,
-                    "trailing data in handshake message", NULL);
-                ctx->alert = TLS13_ALERT_DECODE_ERROR;
-                goto err;
-        }
-        ret = TLS13_IO_SUCCESS;
-        if (ctx->ssl->method->version < TLS1_3_VERSION)
-                ret = TLS13_IO_USE_LEGACY;
- err:
-        tls13_handshake_msg_free(ctx->hs_msg);
-        ctx->hs_msg = NULL;
-        return ret;
-}
-struct tls13_handshake_legacy_state {
-        int recv;
-        int send;
-};
-static const struct tls13_handshake_legacy_state legacy_states[] = {
-        [CLIENT_HELLO] = {
-                .recv = SSL3_ST_SR_CLNT_HELLO_A,
-                .send = SSL3_ST_CW_CLNT_HELLO_A,
-        },
-        [SERVER_HELLO_RETRY_REQUEST] = {
-                .recv = SSL3_ST_CR_SRVR_HELLO_A,
-                .send = SSL3_ST_SW_SRVR_HELLO_A,
-        },
-        [CLIENT_HELLO_RETRY] = {
-                .recv = SSL3_ST_SR_CLNT_HELLO_A,
-                .send = SSL3_ST_CW_CLNT_HELLO_A,
-        },
-        [SERVER_HELLO] = {
-                .recv = SSL3_ST_CR_SRVR_HELLO_A,
-                .send = SSL3_ST_SW_SRVR_HELLO_A,
-        },
-        [SERVER_ENCRYPTED_EXTENSIONS] = {
-                .send = 0,
-                .recv = 0,
-        },
-        [SERVER_CERTIFICATE_REQUEST] = {
-                .recv = SSL3_ST_CR_CERT_REQ_A,
-                .send = SSL3_ST_SW_CERT_REQ_A,
-        },
-        [SERVER_CERTIFICATE] = {
-                .recv = SSL3_ST_CR_CERT_A,
-                .send = SSL3_ST_SW_CERT_A,
-        },
-        [SERVER_CERTIFICATE_VERIFY] = {
-                .send = 0,
-                .recv = 0,
-        },
-        [SERVER_FINISHED] = {
-                .recv = SSL3_ST_CR_FINISHED_A,
-                .send = SSL3_ST_SW_FINISHED_A,
-        },
-        [CLIENT_END_OF_EARLY_DATA] = {
-                .send = 0,
-                .recv = 0,
-        },
-        [CLIENT_CERTIFICATE] = {
-                .recv = SSL3_ST_SR_CERT_VRFY_A,
-                .send = SSL3_ST_CW_CERT_VRFY_B,
-        },
-        [CLIENT_CERTIFICATE_VERIFY] = {
-                .send = 0,
-                .recv = 0,
-        },
-        [CLIENT_FINISHED] = {
-                .recv = SSL3_ST_SR_FINISHED_A,
-                .send = SSL3_ST_CW_FINISHED_A,
-        },
-        [APPLICATION_DATA] = {
-                .recv = 0,
-                .send = 0,
-        },
-};
-CTASSERT(sizeof(state_machine) / sizeof(state_machine[0]) ==
-    sizeof(legacy_states) / sizeof(legacy_states[0]));
-static int
-tls13_handshake_legacy_state(struct tls13_ctx *ctx, int *out_state)
-{
-        const struct tls13_handshake_action *action;
-        enum tls13_message_type mt;
-        *out_state = 0;
-        if (!ctx->handshake_started) {
-                if (ctx->mode == TLS13_HS_CLIENT)
-                        *out_state = SSL_ST_CONNECT;
-                else
-                        *out_state = SSL_ST_ACCEPT;
-                return 1;
-        }
-        if (ctx->handshake_completed) {
-                *out_state = SSL_ST_OK;
-                return 1;
-        }
-        if ((mt = tls13_handshake_active_state(ctx)) == INVALID)
-                return 0;
-        if ((action = tls13_handshake_active_action(ctx)) == NULL)
-                return 0;
-        if (action->sender == ctx->mode)
-                *out_state = legacy_states[mt].send;
-        else
-                *out_state = legacy_states[mt].recv;
-        return 1;
-}
-static int
-tls13_handshake_info_position(struct tls13_ctx *ctx)
-{
-        if (!ctx->handshake_started)
-                return TLS13_INFO_HANDSHAKE_STARTED;
-        if (ctx->handshake_completed)
-                return TLS13_INFO_HANDSHAKE_COMPLETED;
-        if (ctx->mode == TLS13_HS_CLIENT)
-                return TLS13_INFO_CONNECT_LOOP;
-        else
-                return TLS13_INFO_ACCEPT_LOOP;
-}
-static int
-tls13_handshake_legacy_info_callback(struct tls13_ctx *ctx)
-{
-        int state, where;
-        if (!tls13_handshake_legacy_state(ctx, &state))
-                return 0;
-        /* Do nothing if there's no corresponding legacy state. */
-        if (state == 0)
-                return 1;
-        if (ctx->info_cb != NULL) {
-                where = tls13_handshake_info_position(ctx);
-                ctx->info_cb(ctx, where, 1);
-        }
-        return 1;
-}
-static int
-tls13_handshake_set_legacy_state(struct tls13_ctx *ctx)
-{
-        int state;
-        if (!tls13_handshake_legacy_state(ctx, &state))
-                return 0;
-        /* Do nothing if there's no corresponding legacy state. */
-        if (state == 0)
-                return 1;
-        ctx->hs->state = state;
-        return 1;
-}

diff --git a/src/lib/libssl/tls13_handshake.c b/src/lib/libssl/tls13_handshake.c deleted file mode 100644 index 0dc2333708..0000000000 --- a/src/lib/libssl/tls13_handshake.c +++ /dev/null
@@ -1,723 +0,0 @@
1	/* $OpenBSD: tls13_handshake.c,v 1.73 2024/02/03 19:57:14 tb Exp $ */
2	/*
3	* Copyright (c) 2018-2021 Theo Buehler <tb@openbsd.org>
4	* Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
5	*
6	* Permission to use, copy, modify, and distribute this software for any
7	* purpose with or without fee is hereby granted, provided that the above
8	* copyright notice and this permission notice appear in all copies.
9	*
10	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17	*/
18
19	#include <stddef.h>
20
21	#include "ssl_local.h"
22	#include "tls13_handshake.h"
23	#include "tls13_internal.h"
24
25	/* Based on RFC 8446 and inspired by s2n's TLS 1.2 state machine. */
26
27	struct tls13_handshake_action {
28	uint8_t handshake_type;
29	uint8_t sender;
30	uint8_t handshake_complete;
31	uint8_t send_preserve_transcript_hash;
32	uint8_t recv_preserve_transcript_hash;
33
34	int (send)(struct tls13_ctx ctx, CBB *cbb);
35	int (sent)(struct tls13_ctx ctx);
36	int (recv)(struct tls13_ctx ctx, CBS *cbs);
37	};
38
39	static enum tls13_message_type
40	tls13_handshake_active_state(struct tls13_ctx *ctx);
41
42	static const struct tls13_handshake_action *
43	tls13_handshake_active_action(struct tls13_ctx *ctx);
44	static int tls13_handshake_advance_state_machine(struct tls13_ctx *ctx);
45
46	static int tls13_handshake_send_action(struct tls13_ctx *ctx,
47	const struct tls13_handshake_action *action);
48	static int tls13_handshake_recv_action(struct tls13_ctx *ctx,
49	const struct tls13_handshake_action *action);
50
51	static int tls13_handshake_set_legacy_state(struct tls13_ctx *ctx);
52	static int tls13_handshake_legacy_info_callback(struct tls13_ctx *ctx);
53
54	static const struct tls13_handshake_action state_machine[] = {
55	[CLIENT_HELLO] = {
56	.handshake_type = TLS13_MT_CLIENT_HELLO,
57	.sender = TLS13_HS_CLIENT,
58	.send = tls13_client_hello_send,
59	.sent = tls13_client_hello_sent,
60	.recv = tls13_client_hello_recv,
61	},
62	[CLIENT_HELLO_RETRY] = {
63	.handshake_type = TLS13_MT_CLIENT_HELLO,
64	.sender = TLS13_HS_CLIENT,
65	.send = tls13_client_hello_retry_send,
66	.recv = tls13_client_hello_retry_recv,
67	},
68	[CLIENT_END_OF_EARLY_DATA] = {
69	.handshake_type = TLS13_MT_END_OF_EARLY_DATA,
70	.sender = TLS13_HS_CLIENT,
71	.send = tls13_client_end_of_early_data_send,
72	.recv = tls13_client_end_of_early_data_recv,
73	},
74	[CLIENT_CERTIFICATE] = {
75	.handshake_type = TLS13_MT_CERTIFICATE,
76	.sender = TLS13_HS_CLIENT,
77	.send_preserve_transcript_hash = 1,
78	.send = tls13_client_certificate_send,
79	.recv = tls13_client_certificate_recv,
80	},
81	[CLIENT_CERTIFICATE_VERIFY] = {
82	.handshake_type = TLS13_MT_CERTIFICATE_VERIFY,
83	.sender = TLS13_HS_CLIENT,
84	.recv_preserve_transcript_hash = 1,
85	.send = tls13_client_certificate_verify_send,
86	.recv = tls13_client_certificate_verify_recv,
87	},
88	[CLIENT_FINISHED] = {
89	.handshake_type = TLS13_MT_FINISHED,
90	.sender = TLS13_HS_CLIENT,
91	.recv_preserve_transcript_hash = 1,
92	.send = tls13_client_finished_send,
93	.sent = tls13_client_finished_sent,
94	.recv = tls13_client_finished_recv,
95	},
96	[SERVER_HELLO] = {
97	.handshake_type = TLS13_MT_SERVER_HELLO,
98	.sender = TLS13_HS_SERVER,
99	.send = tls13_server_hello_send,
100	.sent = tls13_server_hello_sent,
101	.recv = tls13_server_hello_recv,
102	},
103	[SERVER_HELLO_RETRY_REQUEST] = {
104	.handshake_type = TLS13_MT_SERVER_HELLO,
105	.sender = TLS13_HS_SERVER,
106	.send = tls13_server_hello_retry_request_send,
107	.recv = tls13_server_hello_retry_request_recv,
108	.sent = tls13_server_hello_retry_request_sent,
109	},
110	[SERVER_ENCRYPTED_EXTENSIONS] = {
111	.handshake_type = TLS13_MT_ENCRYPTED_EXTENSIONS,
112	.sender = TLS13_HS_SERVER,
113	.send = tls13_server_encrypted_extensions_send,
114	.recv = tls13_server_encrypted_extensions_recv,
115	},
116	[SERVER_CERTIFICATE] = {
117	.handshake_type = TLS13_MT_CERTIFICATE,
118	.sender = TLS13_HS_SERVER,
119	.send_preserve_transcript_hash = 1,
120	.send = tls13_server_certificate_send,
121	.recv = tls13_server_certificate_recv,
122	},
123	[SERVER_CERTIFICATE_REQUEST] = {
124	.handshake_type = TLS13_MT_CERTIFICATE_REQUEST,
125	.sender = TLS13_HS_SERVER,
126	.send = tls13_server_certificate_request_send,
127	.recv = tls13_server_certificate_request_recv,
128	},
129	[SERVER_CERTIFICATE_VERIFY] = {
130	.handshake_type = TLS13_MT_CERTIFICATE_VERIFY,
131	.sender = TLS13_HS_SERVER,
132	.recv_preserve_transcript_hash = 1,
133	.send = tls13_server_certificate_verify_send,
134	.recv = tls13_server_certificate_verify_recv,
135	},
136	[SERVER_FINISHED] = {
137	.handshake_type = TLS13_MT_FINISHED,
138	.sender = TLS13_HS_SERVER,
139	.recv_preserve_transcript_hash = 1,
140	.send_preserve_transcript_hash = 1,
141	.send = tls13_server_finished_send,
142	.sent = tls13_server_finished_sent,
143	.recv = tls13_server_finished_recv,
144	},
145	[APPLICATION_DATA] = {
146	.handshake_complete = 1,
147	},
148	};
149
150	const enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
151	[INITIAL] = {
152	CLIENT_HELLO,
153	SERVER_HELLO_RETRY_REQUEST,
154	CLIENT_HELLO_RETRY,
155	SERVER_HELLO,
156	},
157	[NEGOTIATED] = {
158	CLIENT_HELLO,
159	SERVER_HELLO_RETRY_REQUEST,
160	CLIENT_HELLO_RETRY,
161	SERVER_HELLO,
162	SERVER_ENCRYPTED_EXTENSIONS,
163	SERVER_CERTIFICATE_REQUEST,
164	SERVER_CERTIFICATE,
165	SERVER_CERTIFICATE_VERIFY,
166	SERVER_FINISHED,
167	CLIENT_CERTIFICATE,
168	CLIENT_FINISHED,
169	APPLICATION_DATA,
170	},
171	[NEGOTIATED \| WITHOUT_HRR] = {
172	CLIENT_HELLO,
173	SERVER_HELLO,
174	SERVER_ENCRYPTED_EXTENSIONS,
175	SERVER_CERTIFICATE_REQUEST,
176	SERVER_CERTIFICATE,
177	SERVER_CERTIFICATE_VERIFY,
178	SERVER_FINISHED,
179	CLIENT_CERTIFICATE,
180	CLIENT_FINISHED,
181	APPLICATION_DATA,
182	},
183	[NEGOTIATED \| WITHOUT_CR] = {
184	CLIENT_HELLO,
185	SERVER_HELLO_RETRY_REQUEST,
186	CLIENT_HELLO_RETRY,
187	SERVER_HELLO,
188	SERVER_ENCRYPTED_EXTENSIONS,
189	SERVER_CERTIFICATE,
190	SERVER_CERTIFICATE_VERIFY,
191	SERVER_FINISHED,
192	CLIENT_FINISHED,
193	APPLICATION_DATA,
194	},
195	[NEGOTIATED \| WITHOUT_HRR \| WITHOUT_CR] = {
196	CLIENT_HELLO,
197	SERVER_HELLO,
198	SERVER_ENCRYPTED_EXTENSIONS,
199	SERVER_CERTIFICATE,
200	SERVER_CERTIFICATE_VERIFY,
201	SERVER_FINISHED,
202	CLIENT_FINISHED,
203	APPLICATION_DATA,
204	},
205	[NEGOTIATED \| WITH_PSK] = {
206	CLIENT_HELLO,
207	SERVER_HELLO_RETRY_REQUEST,
208	CLIENT_HELLO_RETRY,
209	SERVER_HELLO,
210	SERVER_ENCRYPTED_EXTENSIONS,
211	SERVER_FINISHED,
212	CLIENT_FINISHED,
213	APPLICATION_DATA,
214	},
215	[NEGOTIATED \| WITHOUT_HRR \| WITH_PSK] = {
216	CLIENT_HELLO,
217	SERVER_HELLO,
218	SERVER_ENCRYPTED_EXTENSIONS,
219	SERVER_FINISHED,
220	CLIENT_FINISHED,
221	APPLICATION_DATA,
222	},
223	[NEGOTIATED \| WITH_CCV] = {
224	CLIENT_HELLO,
225	SERVER_HELLO_RETRY_REQUEST,
226	CLIENT_HELLO_RETRY,
227	SERVER_HELLO,
228	SERVER_ENCRYPTED_EXTENSIONS,
229	SERVER_CERTIFICATE_REQUEST,
230	SERVER_CERTIFICATE,
231	SERVER_CERTIFICATE_VERIFY,
232	SERVER_FINISHED,
233	CLIENT_CERTIFICATE,
234	CLIENT_CERTIFICATE_VERIFY,
235	CLIENT_FINISHED,
236	APPLICATION_DATA,
237	},
238	[NEGOTIATED \| WITHOUT_HRR \| WITH_CCV] = {
239	CLIENT_HELLO,
240	SERVER_HELLO,
241	SERVER_ENCRYPTED_EXTENSIONS,
242	SERVER_CERTIFICATE_REQUEST,
243	SERVER_CERTIFICATE,
244	SERVER_CERTIFICATE_VERIFY,
245	SERVER_FINISHED,
246	CLIENT_CERTIFICATE,
247	CLIENT_CERTIFICATE_VERIFY,
248	CLIENT_FINISHED,
249	APPLICATION_DATA,
250	},
251	};
252
253	const size_t handshake_count = sizeof(handshakes) / sizeof(handshakes[0]);
254
255	#ifndef TLS13_DEBUG
256	#define DEBUGF(...)
257	#else
258	#define DEBUGF(...) fprintf(stderr, __VA_ARGS__)
259
260	static const char *
261	tls13_handshake_mode_name(uint8_t mode)
262	{
263	switch (mode) {
264	case TLS13_HS_CLIENT:
265	return "Client";
266	case TLS13_HS_SERVER:
267	return "Server";
268	}
269	return "Unknown";
270	}
271
272	static const char *
273	tls13_handshake_message_name(uint8_t msg_type)
274	{
275	switch (msg_type) {
276	case TLS13_MT_CLIENT_HELLO:
277	return "ClientHello";
278	case TLS13_MT_SERVER_HELLO:
279	return "ServerHello";
280	case TLS13_MT_NEW_SESSION_TICKET:
281	return "NewSessionTicket";
282	case TLS13_MT_END_OF_EARLY_DATA:
283	return "EndOfEarlyData";
284	case TLS13_MT_ENCRYPTED_EXTENSIONS:
285	return "EncryptedExtensions";
286	case TLS13_MT_CERTIFICATE:
287	return "Certificate";
288	case TLS13_MT_CERTIFICATE_REQUEST:
289	return "CertificateRequest";
290	case TLS13_MT_CERTIFICATE_VERIFY:
291	return "CertificateVerify";
292	case TLS13_MT_FINISHED:
293	return "Finished";
294	}
295	return "Unknown";
296	}
297	#endif
298
299	static enum tls13_message_type
300	tls13_handshake_active_state(struct tls13_ctx *ctx)
301	{
302	struct tls13_handshake_stage hs = ctx->handshake_stage;
303
304	if (hs.hs_type >= handshake_count)
305	return INVALID;
306	if (hs.message_number >= TLS13_NUM_MESSAGE_TYPES)
307	return INVALID;
308
309	return handshakes[hs.hs_type][hs.message_number];
310	}
311
312	static const struct tls13_handshake_action *
313	tls13_handshake_active_action(struct tls13_ctx *ctx)
314	{
315	enum tls13_message_type mt = tls13_handshake_active_state(ctx);
316
317	if (mt == INVALID)
318	return NULL;
319
320	return &state_machine[mt];
321	}
322
323	static int
324	tls13_handshake_advance_state_machine(struct tls13_ctx *ctx)
325	{
326	if (++ctx->handshake_stage.message_number >= TLS13_NUM_MESSAGE_TYPES)
327	return 0;
328
329	return 1;
330	}
331
332	static int
333	tls13_handshake_end_of_flight(struct tls13_ctx *ctx,
334	const struct tls13_handshake_action *previous)
335	{
336	const struct tls13_handshake_action *current;
337
338	if ((current = tls13_handshake_active_action(ctx)) == NULL)
339	return 1;
340
341	return current->sender != previous->sender;
342	}
343
344	int
345	tls13_handshake_msg_record(struct tls13_ctx *ctx)
346	{
347	CBS cbs;
348
349	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
350	return tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs));
351	}
352
353	int
354	tls13_handshake_perform(struct tls13_ctx *ctx)
355	{
356	const struct tls13_handshake_action *action;
357	int sending;
358	int ret;
359
360	if (!ctx->handshake_started) {
361	/*
362	* Set legacy state to connect/accept and call info callback
363	* to signal that the handshake started.
364	*/
365	if (!tls13_handshake_set_legacy_state(ctx))
366	return TLS13_IO_FAILURE;
367	if (!tls13_handshake_legacy_info_callback(ctx))
368	return TLS13_IO_FAILURE;
369
370	ctx->handshake_started = 1;
371
372	/* Set legacy state for initial ClientHello read or write. */
373	if (!tls13_handshake_set_legacy_state(ctx))
374	return TLS13_IO_FAILURE;
375	}
376
377	for (;;) {
378	if ((action = tls13_handshake_active_action(ctx)) == NULL)
379	return TLS13_IO_FAILURE;
380
381	if (ctx->need_flush) {
382	if ((ret = tls13_record_layer_flush(ctx->rl)) !=
383	TLS13_IO_SUCCESS)
384	return ret;
385	ctx->need_flush = 0;
386	}
387
388	if (action->handshake_complete) {
389	ctx->handshake_completed = 1;
390	tls13_record_layer_handshake_completed(ctx->rl);
391
392	if (!tls13_handshake_set_legacy_state(ctx))
393	return TLS13_IO_FAILURE;
394	if (!tls13_handshake_legacy_info_callback(ctx))
395	return TLS13_IO_FAILURE;
396
397	return TLS13_IO_SUCCESS;
398	}
399
400	sending = action->sender == ctx->mode;
401
402	DEBUGF("%s %s %s\n", tls13_handshake_mode_name(ctx->mode),
403	sending ? "sending" : "receiving",
404	tls13_handshake_message_name(action->handshake_type));
405
406	if (ctx->alert != 0)
407	return tls13_send_alert(ctx->rl, ctx->alert);
408
409	if (sending)
410	ret = tls13_handshake_send_action(ctx, action);
411	else
412	ret = tls13_handshake_recv_action(ctx, action);
413
414	if (ctx->alert != 0)
415	return tls13_send_alert(ctx->rl, ctx->alert);
416
417	if (ret <= 0) {
418	DEBUGF("%s %s returned %d\n",
419	tls13_handshake_mode_name(ctx->mode),
420	(action->sender == ctx->mode) ? "send" : "recv",
421	ret);
422	return ret;
423	}
424
425	if (!tls13_handshake_legacy_info_callback(ctx))
426	return TLS13_IO_FAILURE;
427
428	if (!tls13_handshake_advance_state_machine(ctx))
429	return TLS13_IO_FAILURE;
430
431	if (sending)
432	ctx->need_flush = tls13_handshake_end_of_flight(ctx,
433	action);
434
435	if (!tls13_handshake_set_legacy_state(ctx))
436	return TLS13_IO_FAILURE;
437	}
438	}
439
440	static int
441	tls13_handshake_send_action(struct tls13_ctx *ctx,
442	const struct tls13_handshake_action *action)
443	{
444	ssize_t ret;
445	CBB cbb;
446
447	if (ctx->send_dummy_ccs) {
448	if ((ret = tls13_send_dummy_ccs(ctx->rl)) != TLS13_IO_SUCCESS)
449	return ret;
450	ctx->send_dummy_ccs = 0;
451	if (ctx->send_dummy_ccs_after) {
452	ctx->send_dummy_ccs_after = 0;
453	return TLS13_IO_SUCCESS;
454	}
455	}
456
457	/* If we have no handshake message, we need to build one. */
458	if (ctx->hs_msg == NULL) {
459	if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL)
460	return TLS13_IO_FAILURE;
461	if (!tls13_handshake_msg_start(ctx->hs_msg, &cbb,
462	action->handshake_type))
463	return TLS13_IO_FAILURE;
464	if (!action->send(ctx, &cbb))
465	return TLS13_IO_FAILURE;
466	if (!tls13_handshake_msg_finish(ctx->hs_msg))
467	return TLS13_IO_FAILURE;
468	}
469
470	if ((ret = tls13_handshake_msg_send(ctx->hs_msg, ctx->rl)) <= 0)
471	return ret;
472
473	if (!tls13_handshake_msg_record(ctx))
474	return TLS13_IO_FAILURE;
475
476	if (action->send_preserve_transcript_hash) {
477	if (!tls1_transcript_hash_value(ctx->ssl,
478	ctx->hs->tls13.transcript_hash,
479	sizeof(ctx->hs->tls13.transcript_hash),
480	&ctx->hs->tls13.transcript_hash_len))
481	return TLS13_IO_FAILURE;
482	}
483
484	if (ctx->handshake_message_sent_cb != NULL)
485	ctx->handshake_message_sent_cb(ctx);
486
487	tls13_handshake_msg_free(ctx->hs_msg);
488	ctx->hs_msg = NULL;
489
490	if (action->sent != NULL && !action->sent(ctx))
491	return TLS13_IO_FAILURE;
492
493	if (ctx->send_dummy_ccs_after) {
494	ctx->send_dummy_ccs = 1;
495	if ((ret = tls13_send_dummy_ccs(ctx->rl)) != TLS13_IO_SUCCESS)
496	return ret;
497	ctx->send_dummy_ccs = 0;
498	ctx->send_dummy_ccs_after = 0;
499	}
500
501	return TLS13_IO_SUCCESS;
502	}
503
504	static int
505	tls13_handshake_recv_action(struct tls13_ctx *ctx,
506	const struct tls13_handshake_action *action)
507	{
508	uint8_t msg_type;
509	ssize_t ret;
510	CBS cbs;
511
512	if (ctx->hs_msg == NULL) {
513	if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL)
514	return TLS13_IO_FAILURE;
515	}
516
517	if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) <= 0)
518	return ret;
519
520	if (action->recv_preserve_transcript_hash) {
521	if (!tls1_transcript_hash_value(ctx->ssl,
522	ctx->hs->tls13.transcript_hash,
523	sizeof(ctx->hs->tls13.transcript_hash),
524	&ctx->hs->tls13.transcript_hash_len))
525	return TLS13_IO_FAILURE;
526	}
527
528	if (!tls13_handshake_msg_record(ctx))
529	return TLS13_IO_FAILURE;
530
531	if (ctx->handshake_message_recv_cb != NULL)
532	ctx->handshake_message_recv_cb(ctx);
533
534	/*
535	* In TLSv1.3 there is no way to know if you're going to receive a
536	* certificate request message or not, hence we have to special case it
537	* here. The receive handler also knows how to deal with this situation.
538	*/
539	msg_type = tls13_handshake_msg_type(ctx->hs_msg);
540	if (msg_type != action->handshake_type &&
541	(msg_type != TLS13_MT_CERTIFICATE \|\|
542	action->handshake_type != TLS13_MT_CERTIFICATE_REQUEST))
543	return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
544
545	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
546	return TLS13_IO_FAILURE;
547
548	ret = TLS13_IO_FAILURE;
549	if (!action->recv(ctx, &cbs))
550	goto err;
551
552	if (CBS_len(&cbs) != 0) {
553	tls13_set_errorx(ctx, TLS13_ERR_TRAILING_DATA, 0,
554	"trailing data in handshake message", NULL);
555	ctx->alert = TLS13_ALERT_DECODE_ERROR;
556	goto err;
557	}
558
559	ret = TLS13_IO_SUCCESS;
560	if (ctx->ssl->method->version < TLS1_3_VERSION)
561	ret = TLS13_IO_USE_LEGACY;
562
563	err:
564	tls13_handshake_msg_free(ctx->hs_msg);
565	ctx->hs_msg = NULL;
566
567	return ret;
568	}
569
570	struct tls13_handshake_legacy_state {
571	int recv;
572	int send;
573	};
574
575	static const struct tls13_handshake_legacy_state legacy_states[] = {
576	[CLIENT_HELLO] = {
577	.recv = SSL3_ST_SR_CLNT_HELLO_A,
578	.send = SSL3_ST_CW_CLNT_HELLO_A,
579	},
580	[SERVER_HELLO_RETRY_REQUEST] = {
581	.recv = SSL3_ST_CR_SRVR_HELLO_A,
582	.send = SSL3_ST_SW_SRVR_HELLO_A,
583	},
584	[CLIENT_HELLO_RETRY] = {
585	.recv = SSL3_ST_SR_CLNT_HELLO_A,
586	.send = SSL3_ST_CW_CLNT_HELLO_A,
587	},
588	[SERVER_HELLO] = {
589	.recv = SSL3_ST_CR_SRVR_HELLO_A,
590	.send = SSL3_ST_SW_SRVR_HELLO_A,
591	},
592	[SERVER_ENCRYPTED_EXTENSIONS] = {
593	.send = 0,
594	.recv = 0,
595	},
596	[SERVER_CERTIFICATE_REQUEST] = {
597	.recv = SSL3_ST_CR_CERT_REQ_A,
598	.send = SSL3_ST_SW_CERT_REQ_A,
599	},
600	[SERVER_CERTIFICATE] = {
601	.recv = SSL3_ST_CR_CERT_A,
602	.send = SSL3_ST_SW_CERT_A,
603	},
604	[SERVER_CERTIFICATE_VERIFY] = {
605	.send = 0,
606	.recv = 0,
607	},
608	[SERVER_FINISHED] = {
609	.recv = SSL3_ST_CR_FINISHED_A,
610	.send = SSL3_ST_SW_FINISHED_A,
611	},
612	[CLIENT_END_OF_EARLY_DATA] = {
613	.send = 0,
614	.recv = 0,
615	},
616	[CLIENT_CERTIFICATE] = {
617	.recv = SSL3_ST_SR_CERT_VRFY_A,
618	.send = SSL3_ST_CW_CERT_VRFY_B,
619	},
620	[CLIENT_CERTIFICATE_VERIFY] = {
621	.send = 0,
622	.recv = 0,
623	},
624	[CLIENT_FINISHED] = {
625	.recv = SSL3_ST_SR_FINISHED_A,
626	.send = SSL3_ST_CW_FINISHED_A,
627	},
628	[APPLICATION_DATA] = {
629	.recv = 0,
630	.send = 0,
631	},
632	};
633
634	CTASSERT(sizeof(state_machine) / sizeof(state_machine[0]) ==
635	sizeof(legacy_states) / sizeof(legacy_states[0]));
636
637	static int
638	tls13_handshake_legacy_state(struct tls13_ctx ctx, int out_state)
639	{
640	const struct tls13_handshake_action *action;
641	enum tls13_message_type mt;
642
643	*out_state = 0;
644
645	if (!ctx->handshake_started) {
646	if (ctx->mode == TLS13_HS_CLIENT)
647	*out_state = SSL_ST_CONNECT;
648	else
649	*out_state = SSL_ST_ACCEPT;
650
651	return 1;
652	}
653
654	if (ctx->handshake_completed) {
655	*out_state = SSL_ST_OK;
656	return 1;
657	}
658
659	if ((mt = tls13_handshake_active_state(ctx)) == INVALID)
660	return 0;
661
662	if ((action = tls13_handshake_active_action(ctx)) == NULL)
663	return 0;
664
665	if (action->sender == ctx->mode)
666	*out_state = legacy_states[mt].send;
667	else
668	*out_state = legacy_states[mt].recv;
669
670	return 1;
671	}
672
673	static int
674	tls13_handshake_info_position(struct tls13_ctx *ctx)
675	{
676	if (!ctx->handshake_started)
677	return TLS13_INFO_HANDSHAKE_STARTED;
678
679	if (ctx->handshake_completed)
680	return TLS13_INFO_HANDSHAKE_COMPLETED;
681
682	if (ctx->mode == TLS13_HS_CLIENT)
683	return TLS13_INFO_CONNECT_LOOP;
684	else
685	return TLS13_INFO_ACCEPT_LOOP;
686	}
687
688	static int
689	tls13_handshake_legacy_info_callback(struct tls13_ctx *ctx)
690	{
691	int state, where;
692
693	if (!tls13_handshake_legacy_state(ctx, &state))
694	return 0;
695
696	/* Do nothing if there's no corresponding legacy state. */
697	if (state == 0)
698	return 1;
699
700	if (ctx->info_cb != NULL) {
701	where = tls13_handshake_info_position(ctx);
702	ctx->info_cb(ctx, where, 1);
703	}
704
705	return 1;
706	}
707
708	static int
709	tls13_handshake_set_legacy_state(struct tls13_ctx *ctx)
710	{
711	int state;
712
713	if (!tls13_handshake_legacy_state(ctx, &state))
714	return 0;
715
716	/* Do nothing if there's no corresponding legacy state. */
717	if (state == 0)
718	return 1;
719
720	ctx->hs->state = state;
721
722	return 1;
723	}