1 files changed, 0 insertions, 697 deletions
diff --git a/src/lib/libssl/tls13_handshake.c b/src/lib/libssl/tls13_handshake.c
deleted file mode 100644
index 310a2116b8..0000000000
--- a/src/lib/libssl/tls13_handshake.c
+++ /dev/null
@@ -1,697 +0,0 @@
-/*      $OpenBSD: tls13_handshake.c,v 1.69 2021/07/01 17:53:39 jsing Exp $      */
-/*
- * Copyright (c) 2018-2021 Theo Buehler <tb@openbsd.org>
- * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#include <stddef.h>
-#include "ssl_locl.h"
-#include "tls13_handshake.h"
-#include "tls13_internal.h"
-/* Based on RFC 8446 and inspired by s2n's TLS 1.2 state machine. */
-struct tls13_handshake_action {
-        uint8_t handshake_type;
-        uint8_t sender;
-        uint8_t handshake_complete;
-        uint8_t send_preserve_transcript_hash;
-        uint8_t recv_preserve_transcript_hash;
-        int (*send)(struct tls13_ctx *ctx, CBB *cbb);
-        int (*sent)(struct tls13_ctx *ctx);
-        int (*recv)(struct tls13_ctx *ctx, CBS *cbs);
-};
-static enum tls13_message_type
-    tls13_handshake_active_state(struct tls13_ctx *ctx);
-static const struct tls13_handshake_action *
-    tls13_handshake_active_action(struct tls13_ctx *ctx);
-static int tls13_handshake_advance_state_machine(struct tls13_ctx *ctx);
-static int tls13_handshake_send_action(struct tls13_ctx *ctx,
-    const struct tls13_handshake_action *action);
-static int tls13_handshake_recv_action(struct tls13_ctx *ctx,
-    const struct tls13_handshake_action *action);
-static int tls13_handshake_set_legacy_state(struct tls13_ctx *ctx);
-static int tls13_handshake_legacy_info_callback(struct tls13_ctx *ctx);
-static const struct tls13_handshake_action state_machine[] = {
-        [CLIENT_HELLO] = {
-                .handshake_type = TLS13_MT_CLIENT_HELLO,
-                .sender = TLS13_HS_CLIENT,
-                .send = tls13_client_hello_send,
-                .sent = tls13_client_hello_sent,
-                .recv = tls13_client_hello_recv,
-        },
-        [CLIENT_HELLO_RETRY] = {
-                .handshake_type = TLS13_MT_CLIENT_HELLO,
-                .sender = TLS13_HS_CLIENT,
-                .send = tls13_client_hello_retry_send,
-                .recv = tls13_client_hello_retry_recv,
-        },
-        [CLIENT_END_OF_EARLY_DATA] = {
-                .handshake_type = TLS13_MT_END_OF_EARLY_DATA,
-                .sender = TLS13_HS_CLIENT,
-                .send = tls13_client_end_of_early_data_send,
-                .recv = tls13_client_end_of_early_data_recv,
-        },
-        [CLIENT_CERTIFICATE] = {
-                .handshake_type = TLS13_MT_CERTIFICATE,
-                .sender = TLS13_HS_CLIENT,
-                .send_preserve_transcript_hash = 1,
-                .send = tls13_client_certificate_send,
-                .recv = tls13_client_certificate_recv,
-        },
-        [CLIENT_CERTIFICATE_VERIFY] = {
-                .handshake_type = TLS13_MT_CERTIFICATE_VERIFY,
-                .sender = TLS13_HS_CLIENT,
-                .recv_preserve_transcript_hash = 1,
-                .send = tls13_client_certificate_verify_send,
-                .recv = tls13_client_certificate_verify_recv,
-        },
-        [CLIENT_FINISHED] = {
-                .handshake_type = TLS13_MT_FINISHED,
-                .sender = TLS13_HS_CLIENT,
-                .recv_preserve_transcript_hash = 1,
-                .send = tls13_client_finished_send,
-                .sent = tls13_client_finished_sent,
-                .recv = tls13_client_finished_recv,
-        },
-        [SERVER_HELLO] = {
-                .handshake_type = TLS13_MT_SERVER_HELLO,
-                .sender = TLS13_HS_SERVER,
-                .send = tls13_server_hello_send,
-                .sent = tls13_server_hello_sent,
-                .recv = tls13_server_hello_recv,
-        },
-        [SERVER_HELLO_RETRY_REQUEST] = {
-                .handshake_type = TLS13_MT_SERVER_HELLO,
-                .sender = TLS13_HS_SERVER,
-                .send = tls13_server_hello_retry_request_send,
-                .recv = tls13_server_hello_retry_request_recv,
-                .sent = tls13_server_hello_retry_request_sent,
-        },
-        [SERVER_ENCRYPTED_EXTENSIONS] = {
-                .handshake_type = TLS13_MT_ENCRYPTED_EXTENSIONS,
-                .sender = TLS13_HS_SERVER,
-                .send = tls13_server_encrypted_extensions_send,
-                .recv = tls13_server_encrypted_extensions_recv,
-        },
-        [SERVER_CERTIFICATE] = {
-                .handshake_type = TLS13_MT_CERTIFICATE,
-                .sender = TLS13_HS_SERVER,
-                .send_preserve_transcript_hash = 1,
-                .send = tls13_server_certificate_send,
-                .recv = tls13_server_certificate_recv,
-        },
-        [SERVER_CERTIFICATE_REQUEST] = {
-                .handshake_type = TLS13_MT_CERTIFICATE_REQUEST,
-                .sender = TLS13_HS_SERVER,
-                .send = tls13_server_certificate_request_send,
-                .recv = tls13_server_certificate_request_recv,
-        },
-        [SERVER_CERTIFICATE_VERIFY] = {
-                .handshake_type = TLS13_MT_CERTIFICATE_VERIFY,
-                .sender = TLS13_HS_SERVER,
-                .recv_preserve_transcript_hash = 1,
-                .send = tls13_server_certificate_verify_send,
-                .recv = tls13_server_certificate_verify_recv,
-        },
-        [SERVER_FINISHED] = {
-                .handshake_type = TLS13_MT_FINISHED,
-                .sender = TLS13_HS_SERVER,
-                .recv_preserve_transcript_hash = 1,
-                .send_preserve_transcript_hash = 1,
-                .send = tls13_server_finished_send,
-                .sent = tls13_server_finished_sent,
-                .recv = tls13_server_finished_recv,
-        },
-        [APPLICATION_DATA] = {
-                .handshake_complete = 1,
-        },
-};
-const enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
-        [INITIAL] = {
-                CLIENT_HELLO,
-                SERVER_HELLO_RETRY_REQUEST,
-                CLIENT_HELLO_RETRY,
-                SERVER_HELLO,
-        },
-        [NEGOTIATED] = {
-                CLIENT_HELLO,
-                SERVER_HELLO_RETRY_REQUEST,
-                CLIENT_HELLO_RETRY,
-                SERVER_HELLO,
-                SERVER_ENCRYPTED_EXTENSIONS,
-                SERVER_CERTIFICATE_REQUEST,
-                SERVER_CERTIFICATE,
-                SERVER_CERTIFICATE_VERIFY,
-                SERVER_FINISHED,
-                CLIENT_CERTIFICATE,
-                CLIENT_FINISHED,
-                APPLICATION_DATA,
-        },
-        [NEGOTIATED | WITHOUT_HRR] = {
-                CLIENT_HELLO,
-                SERVER_HELLO,
-                SERVER_ENCRYPTED_EXTENSIONS,
-                SERVER_CERTIFICATE_REQUEST,
-                SERVER_CERTIFICATE,
-                SERVER_CERTIFICATE_VERIFY,
-                SERVER_FINISHED,
-                CLIENT_CERTIFICATE,
-                CLIENT_FINISHED,
-                APPLICATION_DATA,
-        },
-        [NEGOTIATED | WITHOUT_CR] = {
-                CLIENT_HELLO,
-                SERVER_HELLO_RETRY_REQUEST,
-                CLIENT_HELLO_RETRY,
-                SERVER_HELLO,
-                SERVER_ENCRYPTED_EXTENSIONS,
-                SERVER_CERTIFICATE,
-                SERVER_CERTIFICATE_VERIFY,
-                SERVER_FINISHED,
-                CLIENT_FINISHED,
-                APPLICATION_DATA,
-        },
-        [NEGOTIATED | WITHOUT_HRR | WITHOUT_CR] = {
-                CLIENT_HELLO,
-                SERVER_HELLO,
-                SERVER_ENCRYPTED_EXTENSIONS,
-                SERVER_CERTIFICATE,
-                SERVER_CERTIFICATE_VERIFY,
-                SERVER_FINISHED,
-                CLIENT_FINISHED,
-                APPLICATION_DATA,
-        },
-        [NEGOTIATED | WITH_PSK] = {
-                CLIENT_HELLO,
-                SERVER_HELLO_RETRY_REQUEST,
-                CLIENT_HELLO_RETRY,
-                SERVER_HELLO,
-                SERVER_ENCRYPTED_EXTENSIONS,
-                SERVER_FINISHED,
-                CLIENT_FINISHED,
-                APPLICATION_DATA,
-        },
-        [NEGOTIATED | WITHOUT_HRR | WITH_PSK] = {
-                CLIENT_HELLO,
-                SERVER_HELLO,
-                SERVER_ENCRYPTED_EXTENSIONS,
-                SERVER_FINISHED,
-                CLIENT_FINISHED,
-                APPLICATION_DATA,
-        },
-        [NEGOTIATED | WITH_CCV] = {
-                CLIENT_HELLO,
-                SERVER_HELLO_RETRY_REQUEST,
-                CLIENT_HELLO_RETRY,
-                SERVER_HELLO,
-                SERVER_ENCRYPTED_EXTENSIONS,
-                SERVER_CERTIFICATE_REQUEST,
-                SERVER_CERTIFICATE,
-                SERVER_CERTIFICATE_VERIFY,
-                SERVER_FINISHED,
-                CLIENT_CERTIFICATE,
-                CLIENT_CERTIFICATE_VERIFY,
-                CLIENT_FINISHED,
-                APPLICATION_DATA,
-        },
-        [NEGOTIATED | WITHOUT_HRR | WITH_CCV] = {
-                CLIENT_HELLO,
-                SERVER_HELLO,
-                SERVER_ENCRYPTED_EXTENSIONS,
-                SERVER_CERTIFICATE_REQUEST,
-                SERVER_CERTIFICATE,
-                SERVER_CERTIFICATE_VERIFY,
-                SERVER_FINISHED,
-                CLIENT_CERTIFICATE,
-                CLIENT_CERTIFICATE_VERIFY,
-                CLIENT_FINISHED,
-                APPLICATION_DATA,
-        },
-};
-const size_t handshake_count = sizeof(handshakes) / sizeof(handshakes[0]);
-#ifndef TLS13_DEBUG
-#define DEBUGF(...)
-#else
-#define DEBUGF(...) fprintf(stderr, __VA_ARGS__)
-static const char *
-tls13_handshake_mode_name(uint8_t mode)
-{
-        switch (mode) {
-        case TLS13_HS_CLIENT:
-                return "Client";
-        case TLS13_HS_SERVER:
-                return "Server";
-        }
-        return "Unknown";
-}
-static const char *
-tls13_handshake_message_name(uint8_t msg_type)
-{
-        switch (msg_type) {
-        case TLS13_MT_CLIENT_HELLO:
-                return "ClientHello";
-        case TLS13_MT_SERVER_HELLO:
-                return "ServerHello";
-        case TLS13_MT_NEW_SESSION_TICKET:
-                return "NewSessionTicket";
-        case TLS13_MT_END_OF_EARLY_DATA:
-                return "EndOfEarlyData";
-        case TLS13_MT_ENCRYPTED_EXTENSIONS:
-                return "EncryptedExtensions";
-        case TLS13_MT_CERTIFICATE:
-                return "Certificate";
-        case TLS13_MT_CERTIFICATE_REQUEST:
-                return "CertificateRequest";
-        case TLS13_MT_CERTIFICATE_VERIFY:
-                return "CertificateVerify";
-        case TLS13_MT_FINISHED:
-                return "Finished";
-        case TLS13_MT_KEY_UPDATE:
-                return "KeyUpdate";
-        }
-        return "Unknown";
-}
-#endif
-static enum tls13_message_type
-tls13_handshake_active_state(struct tls13_ctx *ctx)
-{
-        struct tls13_handshake_stage hs = ctx->handshake_stage;
-        if (hs.hs_type >= handshake_count)
-                return INVALID;
-        if (hs.message_number >= TLS13_NUM_MESSAGE_TYPES)
-                return INVALID;
-        return handshakes[hs.hs_type][hs.message_number];
-}
-static const struct tls13_handshake_action *
-tls13_handshake_active_action(struct tls13_ctx *ctx)
-{
-        enum tls13_message_type mt = tls13_handshake_active_state(ctx);
-        if (mt == INVALID)
-                return NULL;
-        return &state_machine[mt];
-}
-static int
-tls13_handshake_advance_state_machine(struct tls13_ctx *ctx)
-{
-        if (++ctx->handshake_stage.message_number >= TLS13_NUM_MESSAGE_TYPES)
-                return 0;
-        return 1;
-}
-int
-tls13_handshake_msg_record(struct tls13_ctx *ctx)
-{
-        CBS cbs;
-        tls13_handshake_msg_data(ctx->hs_msg, &cbs);
-        return tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs));
-}
-int
-tls13_handshake_perform(struct tls13_ctx *ctx)
-{
-        const struct tls13_handshake_action *action;
-        int ret;
-        if (!ctx->handshake_started) {
-                /*
-                 * Set legacy state to connect/accept and call info callback
-                 * to signal that the handshake started.
-                 */
-                if (!tls13_handshake_set_legacy_state(ctx))
-                        return TLS13_IO_FAILURE;
-                if (!tls13_handshake_legacy_info_callback(ctx))
-                        return TLS13_IO_FAILURE;
-                ctx->handshake_started = 1;
-                /* Set legacy state for initial ClientHello read or write. */
-                if (!tls13_handshake_set_legacy_state(ctx))
-                        return TLS13_IO_FAILURE;
-        }
-        for (;;) {
-                if ((action = tls13_handshake_active_action(ctx)) == NULL)
-                        return TLS13_IO_FAILURE;
-                if (action->handshake_complete) {
-                        ctx->handshake_completed = 1;
-                        tls13_record_layer_handshake_completed(ctx->rl);
-                        if (!tls13_handshake_set_legacy_state(ctx))
-                                return TLS13_IO_FAILURE;
-                        if (!tls13_handshake_legacy_info_callback(ctx))
-                                return TLS13_IO_FAILURE;
-                        return TLS13_IO_SUCCESS;
-                }
-                DEBUGF("%s %s %s\n", tls13_handshake_mode_name(ctx->mode),
-                    (action->sender == ctx->mode) ? "sending" : "receiving",
-                    tls13_handshake_message_name(action->handshake_type));
-                if (ctx->alert != 0)
-                        return tls13_send_alert(ctx->rl, ctx->alert);
-                if (action->sender == ctx->mode)
-                        ret = tls13_handshake_send_action(ctx, action);
-                else
-                        ret = tls13_handshake_recv_action(ctx, action);
-                if (ctx->alert != 0)
-                        return tls13_send_alert(ctx->rl, ctx->alert);
-                if (ret <= 0) {
-                        DEBUGF("%s %s returned %d\n",
-                            tls13_handshake_mode_name(ctx->mode),
-                            (action->sender == ctx->mode) ? "send" : "recv",
-                            ret);
-                        return ret;
-                }
-                if (!tls13_handshake_legacy_info_callback(ctx))
-                        return TLS13_IO_FAILURE;
-                if (!tls13_handshake_advance_state_machine(ctx))
-                        return TLS13_IO_FAILURE;
-                if (!tls13_handshake_set_legacy_state(ctx))
-                        return TLS13_IO_FAILURE;
-        }
-}
-static int
-tls13_handshake_send_action(struct tls13_ctx *ctx,
-    const struct tls13_handshake_action *action)
-{
-        ssize_t ret;
-        CBB cbb;
-        if (ctx->send_dummy_ccs) {
-                if ((ret = tls13_send_dummy_ccs(ctx->rl)) != TLS13_IO_SUCCESS)
-                        return ret;
-                ctx->send_dummy_ccs = 0;
-                if (ctx->send_dummy_ccs_after) {
-                        ctx->send_dummy_ccs_after = 0;
-                        return TLS13_IO_SUCCESS;
-                }
-        }
-        /* If we have no handshake message, we need to build one. */
-        if (ctx->hs_msg == NULL) {
-                if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL)
-                        return TLS13_IO_FAILURE;
-                if (!tls13_handshake_msg_start(ctx->hs_msg, &cbb,
-                    action->handshake_type))
-                        return TLS13_IO_FAILURE;
-                if (!action->send(ctx, &cbb))
-                        return TLS13_IO_FAILURE;
-                if (!tls13_handshake_msg_finish(ctx->hs_msg))
-                        return TLS13_IO_FAILURE;
-        }
-        if ((ret = tls13_handshake_msg_send(ctx->hs_msg, ctx->rl)) <= 0)
-                return ret;
-        if (!tls13_handshake_msg_record(ctx))
-                return TLS13_IO_FAILURE;
-        if (action->send_preserve_transcript_hash) {
-                if (!tls1_transcript_hash_value(ctx->ssl,
-                    ctx->hs->tls13.transcript_hash,
-                    sizeof(ctx->hs->tls13.transcript_hash),
-                    &ctx->hs->tls13.transcript_hash_len))
-                        return TLS13_IO_FAILURE;
-        }
-        if (ctx->handshake_message_sent_cb != NULL)
-                ctx->handshake_message_sent_cb(ctx);
-        tls13_handshake_msg_free(ctx->hs_msg);
-        ctx->hs_msg = NULL;
-        if (action->sent != NULL && !action->sent(ctx))
-                return TLS13_IO_FAILURE;
-        if (ctx->send_dummy_ccs_after) {
-                ctx->send_dummy_ccs = 1;
-                if ((ret = tls13_send_dummy_ccs(ctx->rl)) != TLS13_IO_SUCCESS)
-                        return ret;
-                ctx->send_dummy_ccs = 0;
-                ctx->send_dummy_ccs_after = 0;
-        }
-        return TLS13_IO_SUCCESS;
-}
-static int
-tls13_handshake_recv_action(struct tls13_ctx *ctx,
-    const struct tls13_handshake_action *action)
-{
-        uint8_t msg_type;
-        ssize_t ret;
-        CBS cbs;
-        if (ctx->hs_msg == NULL) {
-                if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL)
-                        return TLS13_IO_FAILURE;
-        }
-        if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) <= 0)
-                return ret;
-        if (action->recv_preserve_transcript_hash) {
-                if (!tls1_transcript_hash_value(ctx->ssl,
-                    ctx->hs->tls13.transcript_hash,
-                    sizeof(ctx->hs->tls13.transcript_hash),
-                    &ctx->hs->tls13.transcript_hash_len))
-                        return TLS13_IO_FAILURE;
-        }
-        if (!tls13_handshake_msg_record(ctx))
-                return TLS13_IO_FAILURE;
-        if (ctx->handshake_message_recv_cb != NULL)
-                ctx->handshake_message_recv_cb(ctx);
-        /*
-         * In TLSv1.3 there is no way to know if you're going to receive a
-         * certificate request message or not, hence we have to special case it
-         * here. The receive handler also knows how to deal with this situation.
-         */
-        msg_type = tls13_handshake_msg_type(ctx->hs_msg);
-        if (msg_type != action->handshake_type &&
-            (msg_type != TLS13_MT_CERTIFICATE ||
-             action->handshake_type != TLS13_MT_CERTIFICATE_REQUEST))
-                return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
-        if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
-                return TLS13_IO_FAILURE;
-        ret = TLS13_IO_FAILURE;
-        if (action->recv(ctx, &cbs)) {
-                if (CBS_len(&cbs) != 0) {
-                        tls13_set_errorx(ctx, TLS13_ERR_TRAILING_DATA, 0,
-                            "trailing data in handshake message", NULL);
-                        ctx->alert = TLS13_ALERT_DECODE_ERROR;
-                } else {
-                        ret = TLS13_IO_SUCCESS;
-                }
-        }
-        tls13_handshake_msg_free(ctx->hs_msg);
-        ctx->hs_msg = NULL;
-        if (ctx->ssl->method->version < TLS1_3_VERSION)
-                return TLS13_IO_USE_LEGACY;
-        return ret;
-}
-struct tls13_handshake_legacy_state {
-        int recv;
-        int send;
-};
-static const struct tls13_handshake_legacy_state legacy_states[] = {
-        [CLIENT_HELLO] = {
-                .recv = SSL3_ST_SR_CLNT_HELLO_A,
-                .send = SSL3_ST_CW_CLNT_HELLO_A,
-        },
-        [SERVER_HELLO_RETRY_REQUEST] = {
-                .recv = SSL3_ST_CR_SRVR_HELLO_A,
-                .send = SSL3_ST_SW_SRVR_HELLO_A,
-        },
-        [CLIENT_HELLO_RETRY] = {
-                .recv = SSL3_ST_SR_CLNT_HELLO_A,
-                .send = SSL3_ST_CW_CLNT_HELLO_A,
-        },
-        [SERVER_HELLO] = {
-                .recv = SSL3_ST_CR_SRVR_HELLO_A,
-                .send = SSL3_ST_SW_SRVR_HELLO_A,
-        },
-        [SERVER_ENCRYPTED_EXTENSIONS] = {
-                .send = 0,
-                .recv = 0,
-        },
-        [SERVER_CERTIFICATE_REQUEST] = {
-                .recv = SSL3_ST_CR_CERT_REQ_A,
-                .send = SSL3_ST_SW_CERT_REQ_A,
-        },
-        [SERVER_CERTIFICATE] = {
-                .recv = SSL3_ST_CR_CERT_A,
-                .send = SSL3_ST_SW_CERT_A,
-        },
-        [SERVER_CERTIFICATE_VERIFY] = {
-                .send = 0,
-                .recv = 0,
-        },
-        [SERVER_FINISHED] = {
-                .recv = SSL3_ST_CR_FINISHED_A,
-                .send = SSL3_ST_SW_FINISHED_A,
-        },
-        [CLIENT_END_OF_EARLY_DATA] = {
-                .send = 0,
-                .recv = 0,
-        },
-        [CLIENT_CERTIFICATE] = {
-                .recv = SSL3_ST_SR_CERT_VRFY_A,
-                .send = SSL3_ST_CW_CERT_VRFY_B,
-        },
-        [CLIENT_CERTIFICATE_VERIFY] = {
-                .send = 0,
-                .recv = 0,
-        },
-        [CLIENT_FINISHED] = {
-                .recv = SSL3_ST_SR_FINISHED_A,
-                .send = SSL3_ST_CW_FINISHED_A,
-        },
-        [APPLICATION_DATA] = {
-                .recv = 0,
-                .send = 0,
-        },
-};
-CTASSERT(sizeof(state_machine) / sizeof(state_machine[0]) ==
-    sizeof(legacy_states) / sizeof(legacy_states[0]));
-static int
-tls13_handshake_legacy_state(struct tls13_ctx *ctx, int *out_state)
-{
-        const struct tls13_handshake_action *action;
-        enum tls13_message_type mt;
-        *out_state = 0;
-        if (!ctx->handshake_started) {
-                if (ctx->mode == TLS13_HS_CLIENT)
-                        *out_state = SSL_ST_CONNECT;
-                else
-                        *out_state = SSL_ST_ACCEPT;
-                return 1;
-        }
-        if (ctx->handshake_completed) {
-                *out_state = SSL_ST_OK;
-                return 1;
-        }
-        if ((mt = tls13_handshake_active_state(ctx)) == INVALID)
-                return 0;
-        if ((action = tls13_handshake_active_action(ctx)) == NULL)
-                return 0;
-        if (action->sender == ctx->mode)
-                *out_state = legacy_states[mt].send;
-        else
-                *out_state = legacy_states[mt].recv;
-        return 1;
-}
-static int
-tls13_handshake_info_position(struct tls13_ctx *ctx)
-{
-        if (!ctx->handshake_started)
-                return TLS13_INFO_HANDSHAKE_STARTED;
-        if (ctx->handshake_completed)
-                return TLS13_INFO_HANDSHAKE_COMPLETED;
-        if (ctx->mode == TLS13_HS_CLIENT)
-                return TLS13_INFO_CONNECT_LOOP;
-        else
-                return TLS13_INFO_ACCEPT_LOOP;
-}
-static int
-tls13_handshake_legacy_info_callback(struct tls13_ctx *ctx)
-{
-        int state, where;
-        if (!tls13_handshake_legacy_state(ctx, &state))
-                return 0;
-        /* Do nothing if there's no corresponding legacy state. */
-        if (state == 0)
-                return 1;
-        if (ctx->info_cb != NULL) {
-                where = tls13_handshake_info_position(ctx);
-                ctx->info_cb(ctx, where, 1);
-        }
-        return 1;
-}
-static int
-tls13_handshake_set_legacy_state(struct tls13_ctx *ctx)
-{
-        int state;
-        if (!tls13_handshake_legacy_state(ctx, &state))
-                return 0;
-        /* Do nothing if there's no corresponding legacy state. */
-        if (state == 0)
-                return 1;
-        ctx->hs->state = state;
-        return 1;
-}

diff --git a/src/lib/libssl/tls13_handshake.c b/src/lib/libssl/tls13_handshake.c deleted file mode 100644 index 310a2116b8..0000000000 --- a/src/lib/libssl/tls13_handshake.c +++ /dev/null
@@ -1,697 +0,0 @@
1	/* $OpenBSD: tls13_handshake.c,v 1.69 2021/07/01 17:53:39 jsing Exp $ */
2	/*
3	* Copyright (c) 2018-2021 Theo Buehler <tb@openbsd.org>
4	* Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
5	*
6	* Permission to use, copy, modify, and distribute this software for any
7	* purpose with or without fee is hereby granted, provided that the above
8	* copyright notice and this permission notice appear in all copies.
9	*
10	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17	*/
18
19	#include <stddef.h>
20
21	#include "ssl_locl.h"
22	#include "tls13_handshake.h"
23	#include "tls13_internal.h"
24
25	/* Based on RFC 8446 and inspired by s2n's TLS 1.2 state machine. */
26
27	struct tls13_handshake_action {
28	uint8_t handshake_type;
29	uint8_t sender;
30	uint8_t handshake_complete;
31	uint8_t send_preserve_transcript_hash;
32	uint8_t recv_preserve_transcript_hash;
33
34	int (send)(struct tls13_ctx ctx, CBB *cbb);
35	int (sent)(struct tls13_ctx ctx);
36	int (recv)(struct tls13_ctx ctx, CBS *cbs);
37	};
38
39	static enum tls13_message_type
40	tls13_handshake_active_state(struct tls13_ctx *ctx);
41
42	static const struct tls13_handshake_action *
43	tls13_handshake_active_action(struct tls13_ctx *ctx);
44	static int tls13_handshake_advance_state_machine(struct tls13_ctx *ctx);
45
46	static int tls13_handshake_send_action(struct tls13_ctx *ctx,
47	const struct tls13_handshake_action *action);
48	static int tls13_handshake_recv_action(struct tls13_ctx *ctx,
49	const struct tls13_handshake_action *action);
50
51	static int tls13_handshake_set_legacy_state(struct tls13_ctx *ctx);
52	static int tls13_handshake_legacy_info_callback(struct tls13_ctx *ctx);
53
54	static const struct tls13_handshake_action state_machine[] = {
55	[CLIENT_HELLO] = {
56	.handshake_type = TLS13_MT_CLIENT_HELLO,
57	.sender = TLS13_HS_CLIENT,
58	.send = tls13_client_hello_send,
59	.sent = tls13_client_hello_sent,
60	.recv = tls13_client_hello_recv,
61	},
62	[CLIENT_HELLO_RETRY] = {
63	.handshake_type = TLS13_MT_CLIENT_HELLO,
64	.sender = TLS13_HS_CLIENT,
65	.send = tls13_client_hello_retry_send,
66	.recv = tls13_client_hello_retry_recv,
67	},
68	[CLIENT_END_OF_EARLY_DATA] = {
69	.handshake_type = TLS13_MT_END_OF_EARLY_DATA,
70	.sender = TLS13_HS_CLIENT,
71	.send = tls13_client_end_of_early_data_send,
72	.recv = tls13_client_end_of_early_data_recv,
73	},
74	[CLIENT_CERTIFICATE] = {
75	.handshake_type = TLS13_MT_CERTIFICATE,
76	.sender = TLS13_HS_CLIENT,
77	.send_preserve_transcript_hash = 1,
78	.send = tls13_client_certificate_send,
79	.recv = tls13_client_certificate_recv,
80	},
81	[CLIENT_CERTIFICATE_VERIFY] = {
82	.handshake_type = TLS13_MT_CERTIFICATE_VERIFY,
83	.sender = TLS13_HS_CLIENT,
84	.recv_preserve_transcript_hash = 1,
85	.send = tls13_client_certificate_verify_send,
86	.recv = tls13_client_certificate_verify_recv,
87	},
88	[CLIENT_FINISHED] = {
89	.handshake_type = TLS13_MT_FINISHED,
90	.sender = TLS13_HS_CLIENT,
91	.recv_preserve_transcript_hash = 1,
92	.send = tls13_client_finished_send,
93	.sent = tls13_client_finished_sent,
94	.recv = tls13_client_finished_recv,
95	},
96	[SERVER_HELLO] = {
97	.handshake_type = TLS13_MT_SERVER_HELLO,
98	.sender = TLS13_HS_SERVER,
99	.send = tls13_server_hello_send,
100	.sent = tls13_server_hello_sent,
101	.recv = tls13_server_hello_recv,
102	},
103	[SERVER_HELLO_RETRY_REQUEST] = {
104	.handshake_type = TLS13_MT_SERVER_HELLO,
105	.sender = TLS13_HS_SERVER,
106	.send = tls13_server_hello_retry_request_send,
107	.recv = tls13_server_hello_retry_request_recv,
108	.sent = tls13_server_hello_retry_request_sent,
109	},
110	[SERVER_ENCRYPTED_EXTENSIONS] = {
111	.handshake_type = TLS13_MT_ENCRYPTED_EXTENSIONS,
112	.sender = TLS13_HS_SERVER,
113	.send = tls13_server_encrypted_extensions_send,
114	.recv = tls13_server_encrypted_extensions_recv,
115	},
116	[SERVER_CERTIFICATE] = {
117	.handshake_type = TLS13_MT_CERTIFICATE,
118	.sender = TLS13_HS_SERVER,
119	.send_preserve_transcript_hash = 1,
120	.send = tls13_server_certificate_send,
121	.recv = tls13_server_certificate_recv,
122	},
123	[SERVER_CERTIFICATE_REQUEST] = {
124	.handshake_type = TLS13_MT_CERTIFICATE_REQUEST,
125	.sender = TLS13_HS_SERVER,
126	.send = tls13_server_certificate_request_send,
127	.recv = tls13_server_certificate_request_recv,
128	},
129	[SERVER_CERTIFICATE_VERIFY] = {
130	.handshake_type = TLS13_MT_CERTIFICATE_VERIFY,
131	.sender = TLS13_HS_SERVER,
132	.recv_preserve_transcript_hash = 1,
133	.send = tls13_server_certificate_verify_send,
134	.recv = tls13_server_certificate_verify_recv,
135	},
136	[SERVER_FINISHED] = {
137	.handshake_type = TLS13_MT_FINISHED,
138	.sender = TLS13_HS_SERVER,
139	.recv_preserve_transcript_hash = 1,
140	.send_preserve_transcript_hash = 1,
141	.send = tls13_server_finished_send,
142	.sent = tls13_server_finished_sent,
143	.recv = tls13_server_finished_recv,
144	},
145	[APPLICATION_DATA] = {
146	.handshake_complete = 1,
147	},
148	};
149
150	const enum tls13_message_type handshakes[][TLS13_NUM_MESSAGE_TYPES] = {
151	[INITIAL] = {
152	CLIENT_HELLO,
153	SERVER_HELLO_RETRY_REQUEST,
154	CLIENT_HELLO_RETRY,
155	SERVER_HELLO,
156	},
157	[NEGOTIATED] = {
158	CLIENT_HELLO,
159	SERVER_HELLO_RETRY_REQUEST,
160	CLIENT_HELLO_RETRY,
161	SERVER_HELLO,
162	SERVER_ENCRYPTED_EXTENSIONS,
163	SERVER_CERTIFICATE_REQUEST,
164	SERVER_CERTIFICATE,
165	SERVER_CERTIFICATE_VERIFY,
166	SERVER_FINISHED,
167	CLIENT_CERTIFICATE,
168	CLIENT_FINISHED,
169	APPLICATION_DATA,
170	},
171	[NEGOTIATED \| WITHOUT_HRR] = {
172	CLIENT_HELLO,
173	SERVER_HELLO,
174	SERVER_ENCRYPTED_EXTENSIONS,
175	SERVER_CERTIFICATE_REQUEST,
176	SERVER_CERTIFICATE,
177	SERVER_CERTIFICATE_VERIFY,
178	SERVER_FINISHED,
179	CLIENT_CERTIFICATE,
180	CLIENT_FINISHED,
181	APPLICATION_DATA,
182	},
183	[NEGOTIATED \| WITHOUT_CR] = {
184	CLIENT_HELLO,
185	SERVER_HELLO_RETRY_REQUEST,
186	CLIENT_HELLO_RETRY,
187	SERVER_HELLO,
188	SERVER_ENCRYPTED_EXTENSIONS,
189	SERVER_CERTIFICATE,
190	SERVER_CERTIFICATE_VERIFY,
191	SERVER_FINISHED,
192	CLIENT_FINISHED,
193	APPLICATION_DATA,
194	},
195	[NEGOTIATED \| WITHOUT_HRR \| WITHOUT_CR] = {
196	CLIENT_HELLO,
197	SERVER_HELLO,
198	SERVER_ENCRYPTED_EXTENSIONS,
199	SERVER_CERTIFICATE,
200	SERVER_CERTIFICATE_VERIFY,
201	SERVER_FINISHED,
202	CLIENT_FINISHED,
203	APPLICATION_DATA,
204	},
205	[NEGOTIATED \| WITH_PSK] = {
206	CLIENT_HELLO,
207	SERVER_HELLO_RETRY_REQUEST,
208	CLIENT_HELLO_RETRY,
209	SERVER_HELLO,
210	SERVER_ENCRYPTED_EXTENSIONS,
211	SERVER_FINISHED,
212	CLIENT_FINISHED,
213	APPLICATION_DATA,
214	},
215	[NEGOTIATED \| WITHOUT_HRR \| WITH_PSK] = {
216	CLIENT_HELLO,
217	SERVER_HELLO,
218	SERVER_ENCRYPTED_EXTENSIONS,
219	SERVER_FINISHED,
220	CLIENT_FINISHED,
221	APPLICATION_DATA,
222	},
223	[NEGOTIATED \| WITH_CCV] = {
224	CLIENT_HELLO,
225	SERVER_HELLO_RETRY_REQUEST,
226	CLIENT_HELLO_RETRY,
227	SERVER_HELLO,
228	SERVER_ENCRYPTED_EXTENSIONS,
229	SERVER_CERTIFICATE_REQUEST,
230	SERVER_CERTIFICATE,
231	SERVER_CERTIFICATE_VERIFY,
232	SERVER_FINISHED,
233	CLIENT_CERTIFICATE,
234	CLIENT_CERTIFICATE_VERIFY,
235	CLIENT_FINISHED,
236	APPLICATION_DATA,
237	},
238	[NEGOTIATED \| WITHOUT_HRR \| WITH_CCV] = {
239	CLIENT_HELLO,
240	SERVER_HELLO,
241	SERVER_ENCRYPTED_EXTENSIONS,
242	SERVER_CERTIFICATE_REQUEST,
243	SERVER_CERTIFICATE,
244	SERVER_CERTIFICATE_VERIFY,
245	SERVER_FINISHED,
246	CLIENT_CERTIFICATE,
247	CLIENT_CERTIFICATE_VERIFY,
248	CLIENT_FINISHED,
249	APPLICATION_DATA,
250	},
251	};
252
253	const size_t handshake_count = sizeof(handshakes) / sizeof(handshakes[0]);
254
255	#ifndef TLS13_DEBUG
256	#define DEBUGF(...)
257	#else
258	#define DEBUGF(...) fprintf(stderr, __VA_ARGS__)
259
260	static const char *
261	tls13_handshake_mode_name(uint8_t mode)
262	{
263	switch (mode) {
264	case TLS13_HS_CLIENT:
265	return "Client";
266	case TLS13_HS_SERVER:
267	return "Server";
268	}
269	return "Unknown";
270	}
271
272	static const char *
273	tls13_handshake_message_name(uint8_t msg_type)
274	{
275	switch (msg_type) {
276	case TLS13_MT_CLIENT_HELLO:
277	return "ClientHello";
278	case TLS13_MT_SERVER_HELLO:
279	return "ServerHello";
280	case TLS13_MT_NEW_SESSION_TICKET:
281	return "NewSessionTicket";
282	case TLS13_MT_END_OF_EARLY_DATA:
283	return "EndOfEarlyData";
284	case TLS13_MT_ENCRYPTED_EXTENSIONS:
285	return "EncryptedExtensions";
286	case TLS13_MT_CERTIFICATE:
287	return "Certificate";
288	case TLS13_MT_CERTIFICATE_REQUEST:
289	return "CertificateRequest";
290	case TLS13_MT_CERTIFICATE_VERIFY:
291	return "CertificateVerify";
292	case TLS13_MT_FINISHED:
293	return "Finished";
294	case TLS13_MT_KEY_UPDATE:
295	return "KeyUpdate";
296	}
297	return "Unknown";
298	}
299	#endif
300
301	static enum tls13_message_type
302	tls13_handshake_active_state(struct tls13_ctx *ctx)
303	{
304	struct tls13_handshake_stage hs = ctx->handshake_stage;
305
306	if (hs.hs_type >= handshake_count)
307	return INVALID;
308	if (hs.message_number >= TLS13_NUM_MESSAGE_TYPES)
309	return INVALID;
310
311	return handshakes[hs.hs_type][hs.message_number];
312	}
313
314	static const struct tls13_handshake_action *
315	tls13_handshake_active_action(struct tls13_ctx *ctx)
316	{
317	enum tls13_message_type mt = tls13_handshake_active_state(ctx);
318
319	if (mt == INVALID)
320	return NULL;
321
322	return &state_machine[mt];
323	}
324
325	static int
326	tls13_handshake_advance_state_machine(struct tls13_ctx *ctx)
327	{
328	if (++ctx->handshake_stage.message_number >= TLS13_NUM_MESSAGE_TYPES)
329	return 0;
330
331	return 1;
332	}
333
334	int
335	tls13_handshake_msg_record(struct tls13_ctx *ctx)
336	{
337	CBS cbs;
338
339	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
340	return tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs));
341	}
342
343	int
344	tls13_handshake_perform(struct tls13_ctx *ctx)
345	{
346	const struct tls13_handshake_action *action;
347	int ret;
348
349	if (!ctx->handshake_started) {
350	/*
351	* Set legacy state to connect/accept and call info callback
352	* to signal that the handshake started.
353	*/
354	if (!tls13_handshake_set_legacy_state(ctx))
355	return TLS13_IO_FAILURE;
356	if (!tls13_handshake_legacy_info_callback(ctx))
357	return TLS13_IO_FAILURE;
358
359	ctx->handshake_started = 1;
360
361	/* Set legacy state for initial ClientHello read or write. */
362	if (!tls13_handshake_set_legacy_state(ctx))
363	return TLS13_IO_FAILURE;
364	}
365
366	for (;;) {
367	if ((action = tls13_handshake_active_action(ctx)) == NULL)
368	return TLS13_IO_FAILURE;
369
370	if (action->handshake_complete) {
371	ctx->handshake_completed = 1;
372	tls13_record_layer_handshake_completed(ctx->rl);
373
374	if (!tls13_handshake_set_legacy_state(ctx))
375	return TLS13_IO_FAILURE;
376	if (!tls13_handshake_legacy_info_callback(ctx))
377	return TLS13_IO_FAILURE;
378
379	return TLS13_IO_SUCCESS;
380	}
381
382	DEBUGF("%s %s %s\n", tls13_handshake_mode_name(ctx->mode),
383	(action->sender == ctx->mode) ? "sending" : "receiving",
384	tls13_handshake_message_name(action->handshake_type));
385
386	if (ctx->alert != 0)
387	return tls13_send_alert(ctx->rl, ctx->alert);
388
389	if (action->sender == ctx->mode)
390	ret = tls13_handshake_send_action(ctx, action);
391	else
392	ret = tls13_handshake_recv_action(ctx, action);
393
394	if (ctx->alert != 0)
395	return tls13_send_alert(ctx->rl, ctx->alert);
396
397	if (ret <= 0) {
398	DEBUGF("%s %s returned %d\n",
399	tls13_handshake_mode_name(ctx->mode),
400	(action->sender == ctx->mode) ? "send" : "recv",
401	ret);
402	return ret;
403	}
404
405	if (!tls13_handshake_legacy_info_callback(ctx))
406	return TLS13_IO_FAILURE;
407
408	if (!tls13_handshake_advance_state_machine(ctx))
409	return TLS13_IO_FAILURE;
410
411	if (!tls13_handshake_set_legacy_state(ctx))
412	return TLS13_IO_FAILURE;
413	}
414	}
415
416	static int
417	tls13_handshake_send_action(struct tls13_ctx *ctx,
418	const struct tls13_handshake_action *action)
419	{
420	ssize_t ret;
421	CBB cbb;
422
423	if (ctx->send_dummy_ccs) {
424	if ((ret = tls13_send_dummy_ccs(ctx->rl)) != TLS13_IO_SUCCESS)
425	return ret;
426	ctx->send_dummy_ccs = 0;
427	if (ctx->send_dummy_ccs_after) {
428	ctx->send_dummy_ccs_after = 0;
429	return TLS13_IO_SUCCESS;
430	}
431	}
432
433	/* If we have no handshake message, we need to build one. */
434	if (ctx->hs_msg == NULL) {
435	if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL)
436	return TLS13_IO_FAILURE;
437	if (!tls13_handshake_msg_start(ctx->hs_msg, &cbb,
438	action->handshake_type))
439	return TLS13_IO_FAILURE;
440	if (!action->send(ctx, &cbb))
441	return TLS13_IO_FAILURE;
442	if (!tls13_handshake_msg_finish(ctx->hs_msg))
443	return TLS13_IO_FAILURE;
444	}
445
446	if ((ret = tls13_handshake_msg_send(ctx->hs_msg, ctx->rl)) <= 0)
447	return ret;
448
449	if (!tls13_handshake_msg_record(ctx))
450	return TLS13_IO_FAILURE;
451
452	if (action->send_preserve_transcript_hash) {
453	if (!tls1_transcript_hash_value(ctx->ssl,
454	ctx->hs->tls13.transcript_hash,
455	sizeof(ctx->hs->tls13.transcript_hash),
456	&ctx->hs->tls13.transcript_hash_len))
457	return TLS13_IO_FAILURE;
458	}
459
460	if (ctx->handshake_message_sent_cb != NULL)
461	ctx->handshake_message_sent_cb(ctx);
462
463	tls13_handshake_msg_free(ctx->hs_msg);
464	ctx->hs_msg = NULL;
465
466	if (action->sent != NULL && !action->sent(ctx))
467	return TLS13_IO_FAILURE;
468
469	if (ctx->send_dummy_ccs_after) {
470	ctx->send_dummy_ccs = 1;
471	if ((ret = tls13_send_dummy_ccs(ctx->rl)) != TLS13_IO_SUCCESS)
472	return ret;
473	ctx->send_dummy_ccs = 0;
474	ctx->send_dummy_ccs_after = 0;
475	}
476
477	return TLS13_IO_SUCCESS;
478	}
479
480	static int
481	tls13_handshake_recv_action(struct tls13_ctx *ctx,
482	const struct tls13_handshake_action *action)
483	{
484	uint8_t msg_type;
485	ssize_t ret;
486	CBS cbs;
487
488	if (ctx->hs_msg == NULL) {
489	if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL)
490	return TLS13_IO_FAILURE;
491	}
492
493	if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) <= 0)
494	return ret;
495
496	if (action->recv_preserve_transcript_hash) {
497	if (!tls1_transcript_hash_value(ctx->ssl,
498	ctx->hs->tls13.transcript_hash,
499	sizeof(ctx->hs->tls13.transcript_hash),
500	&ctx->hs->tls13.transcript_hash_len))
501	return TLS13_IO_FAILURE;
502	}
503
504	if (!tls13_handshake_msg_record(ctx))
505	return TLS13_IO_FAILURE;
506
507	if (ctx->handshake_message_recv_cb != NULL)
508	ctx->handshake_message_recv_cb(ctx);
509
510	/*
511	* In TLSv1.3 there is no way to know if you're going to receive a
512	* certificate request message or not, hence we have to special case it
513	* here. The receive handler also knows how to deal with this situation.
514	*/
515	msg_type = tls13_handshake_msg_type(ctx->hs_msg);
516	if (msg_type != action->handshake_type &&
517	(msg_type != TLS13_MT_CERTIFICATE \|\|
518	action->handshake_type != TLS13_MT_CERTIFICATE_REQUEST))
519	return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
520
521	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
522	return TLS13_IO_FAILURE;
523
524	ret = TLS13_IO_FAILURE;
525	if (action->recv(ctx, &cbs)) {
526	if (CBS_len(&cbs) != 0) {
527	tls13_set_errorx(ctx, TLS13_ERR_TRAILING_DATA, 0,
528	"trailing data in handshake message", NULL);
529	ctx->alert = TLS13_ALERT_DECODE_ERROR;
530	} else {
531	ret = TLS13_IO_SUCCESS;
532	}
533	}
534
535	tls13_handshake_msg_free(ctx->hs_msg);
536	ctx->hs_msg = NULL;
537
538	if (ctx->ssl->method->version < TLS1_3_VERSION)
539	return TLS13_IO_USE_LEGACY;
540
541	return ret;
542	}
543
544	struct tls13_handshake_legacy_state {
545	int recv;
546	int send;
547	};
548
549	static const struct tls13_handshake_legacy_state legacy_states[] = {
550	[CLIENT_HELLO] = {
551	.recv = SSL3_ST_SR_CLNT_HELLO_A,
552	.send = SSL3_ST_CW_CLNT_HELLO_A,
553	},
554	[SERVER_HELLO_RETRY_REQUEST] = {
555	.recv = SSL3_ST_CR_SRVR_HELLO_A,
556	.send = SSL3_ST_SW_SRVR_HELLO_A,
557	},
558	[CLIENT_HELLO_RETRY] = {
559	.recv = SSL3_ST_SR_CLNT_HELLO_A,
560	.send = SSL3_ST_CW_CLNT_HELLO_A,
561	},
562	[SERVER_HELLO] = {
563	.recv = SSL3_ST_CR_SRVR_HELLO_A,
564	.send = SSL3_ST_SW_SRVR_HELLO_A,
565	},
566	[SERVER_ENCRYPTED_EXTENSIONS] = {
567	.send = 0,
568	.recv = 0,
569	},
570	[SERVER_CERTIFICATE_REQUEST] = {
571	.recv = SSL3_ST_CR_CERT_REQ_A,
572	.send = SSL3_ST_SW_CERT_REQ_A,
573	},
574	[SERVER_CERTIFICATE] = {
575	.recv = SSL3_ST_CR_CERT_A,
576	.send = SSL3_ST_SW_CERT_A,
577	},
578	[SERVER_CERTIFICATE_VERIFY] = {
579	.send = 0,
580	.recv = 0,
581	},
582	[SERVER_FINISHED] = {
583	.recv = SSL3_ST_CR_FINISHED_A,
584	.send = SSL3_ST_SW_FINISHED_A,
585	},
586	[CLIENT_END_OF_EARLY_DATA] = {
587	.send = 0,
588	.recv = 0,
589	},
590	[CLIENT_CERTIFICATE] = {
591	.recv = SSL3_ST_SR_CERT_VRFY_A,
592	.send = SSL3_ST_CW_CERT_VRFY_B,
593	},
594	[CLIENT_CERTIFICATE_VERIFY] = {
595	.send = 0,
596	.recv = 0,
597	},
598	[CLIENT_FINISHED] = {
599	.recv = SSL3_ST_SR_FINISHED_A,
600	.send = SSL3_ST_CW_FINISHED_A,
601	},
602	[APPLICATION_DATA] = {
603	.recv = 0,
604	.send = 0,
605	},
606	};
607
608	CTASSERT(sizeof(state_machine) / sizeof(state_machine[0]) ==
609	sizeof(legacy_states) / sizeof(legacy_states[0]));
610
611	static int
612	tls13_handshake_legacy_state(struct tls13_ctx ctx, int out_state)
613	{
614	const struct tls13_handshake_action *action;
615	enum tls13_message_type mt;
616
617	*out_state = 0;
618
619	if (!ctx->handshake_started) {
620	if (ctx->mode == TLS13_HS_CLIENT)
621	*out_state = SSL_ST_CONNECT;
622	else
623	*out_state = SSL_ST_ACCEPT;
624
625	return 1;
626	}
627
628	if (ctx->handshake_completed) {
629	*out_state = SSL_ST_OK;
630	return 1;
631	}
632
633	if ((mt = tls13_handshake_active_state(ctx)) == INVALID)
634	return 0;
635
636	if ((action = tls13_handshake_active_action(ctx)) == NULL)
637	return 0;
638
639	if (action->sender == ctx->mode)
640	*out_state = legacy_states[mt].send;
641	else
642	*out_state = legacy_states[mt].recv;
643
644	return 1;
645	}
646
647	static int
648	tls13_handshake_info_position(struct tls13_ctx *ctx)
649	{
650	if (!ctx->handshake_started)
651	return TLS13_INFO_HANDSHAKE_STARTED;
652
653	if (ctx->handshake_completed)
654	return TLS13_INFO_HANDSHAKE_COMPLETED;
655
656	if (ctx->mode == TLS13_HS_CLIENT)
657	return TLS13_INFO_CONNECT_LOOP;
658	else
659	return TLS13_INFO_ACCEPT_LOOP;
660	}
661
662	static int
663	tls13_handshake_legacy_info_callback(struct tls13_ctx *ctx)
664	{
665	int state, where;
666
667	if (!tls13_handshake_legacy_state(ctx, &state))
668	return 0;
669
670	/* Do nothing if there's no corresponding legacy state. */
671	if (state == 0)
672	return 1;
673
674	if (ctx->info_cb != NULL) {
675	where = tls13_handshake_info_position(ctx);
676	ctx->info_cb(ctx, where, 1);
677	}
678
679	return 1;
680	}
681
682	static int
683	tls13_handshake_set_legacy_state(struct tls13_ctx *ctx)
684	{
685	int state;
686
687	if (!tls13_handshake_legacy_state(ctx, &state))
688	return 0;
689
690	/* Do nothing if there's no corresponding legacy state. */
691	if (state == 0)
692	return 1;
693
694	ctx->hs->state = state;
695
696	return 1;
697	}