First skeleton of the TLS 1.3 state machine. Based on RFC 8446 and

inspired by s2n's state machine. Lots of help and input from jsing.

ok beck, jsing

3 files changed, 607 insertions, 4 deletions

diff --git a/lib/libssl/Makefile b/lib/libssl/Makefile
index 762ca0d18d9..3969b453a5e 100644
--- a/lib/libssl/Makefile
+++ b/lib/libssl/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.41 2018/11/07 19:43:12 beck Exp $
+# $OpenBSD: Makefile,v 1.42 2018/11/08 23:54:59 tb Exp $
 
 .include <bsd.own.mk>
 .ifndef NOMAN
@@ -34,7 +34,7 @@ SRCS= \
 	ssl_asn1.c ssl_txt.c ssl_algs.c \
 	bio_ssl.c ssl_err.c ssl_methods.c \
 	ssl_packet.c ssl_tlsext.c ssl_versions.c pqueue.c ssl_init.c \
-	tls13_key_schedule.c
+	tls13_handshake.c tls13_key_schedule.c
 SRCS+=	s3_cbc.c
 SRCS+=	bs_ber.c bs_cbb.c bs_cbs.c
 
diff --git a/lib/libssl/tls13_handshake.c b/lib/libssl/tls13_handshake.c
new file mode 100644
index 00000000000..e383d969f30
--- /dev/null
+++ b/lib/libssl/tls13_handshake.c
@@ -0,0 +1,538 @@
+/*	$OpenBSD: tls13_handshake.c,v 1.1 2018/11/08 23:54:59 tb Exp $	*/
+/*
+ * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stddef.h>
+
+#include "tls13_internal.h"
+
+/* Based on RFC 8446 and inspired by s2n's TLS 1.2 state machine. */
+
+/* Record types */
+#define TLS13_HANDSHAKE		1
+#define TLS13_APPLICATION_DATA	2
+
+/* Indexing into the state machine */
+struct tls13_handshake {
+	uint8_t			hs_type;
+#define INITIAL				0x00
+#define NEGOTIATED			0x01
+#define WITH_CERT_REQ			0x02
+#define WITH_HELLO_RET_REQ		0x04
+#define WITH_PSK			0x08
+	int			message_number;
+};
+
+struct tls13_ctx {
+	uint8_t			mode;
+#define TLS13_HS_MODE_CLIENT	0
+#define TLS13_HS_MODE_SERVER	1
+	struct tls13_handshake	handshake;
+};
+
+struct tls13_handshake_action {
+	uint8_t			record_type;
+	uint8_t			handshake_type;
+
+	uint8_t			writer;
+#define TLS13_HS_CLIENT_WRITES	1
+#define TLS13_HS_SERVER_WRITES	2
+#define TLS13_HS_BOTH_WRITE	(TLS13_HS_CLIENT_WRITES|TLS13_HS_SERVER_WRITES)
+
+	int 			(*handler[2])(struct tls13_ctx *ctx);
+};
+
+enum tls13_message_type tls13_handshake_active_state(struct tls13_ctx *ctx);
+int tls13_handshake_get_writer(struct tls13_ctx *ctx);
+
+int tls13_advance_state_machine(struct tls13_ctx *ctx);
+
+int tls13_connect(struct tls13_ctx *ctx);
+int tls13_accept(struct tls13_ctx *ctx);
+
+int tls13_handshake_advance_state_machine(struct tls13_ctx *ctx);
+
+int tls13_handshake_write_action(struct tls13_ctx *ctx);
+int tls13_handshake_read_action(struct tls13_ctx *ctx);
+
+enum tls13_message_type {
+	CLIENT_HELLO,
+	CLIENT_HELLO_RETRY,
+	CLIENT_END_OF_EARLY_DATA,
+	CLIENT_CERTIFICATE,
+	CLIENT_CERTIFICATE_VERIFY,
+	CLIENT_FINISHED,
+	CLIENT_KEY_UPDATE,
+	SERVER_HELLO,
+	SERVER_NEW_SESSION_TICKET,
+	SERVER_ENCRYPTED_EXTENSIONS,
+	SERVER_CERTIFICATE,
+	SERVER_CERTIFICATE_VERIFY,
+	SERVER_CERTIFICATE_REQUEST,
+	SERVER_FINISHED,
+	SERVER_KEY_UPDATE,
+	SERVER_MESSAGE_HASH,
+	APPLICATION_DATA,
+};
+
+struct tls13_handshake_action state_machine[] = {
+	[CLIENT_HELLO] = {
+		TLS13_HANDSHAKE,
+		TLS13_MT_CLIENT_HELLO,
+		TLS13_HS_CLIENT_WRITES,
+		{tls13_client_hello_send, tls13_client_hello_recv},
+	},
+	[CLIENT_HELLO_RETRY] = {
+		TLS13_HANDSHAKE,
+		TLS13_MT_CLIENT_HELLO,
+		TLS13_HS_CLIENT_WRITES,
+		{tls13_client_hello_retry_send, tls13_client_hello_retry_recv},
+	},
+	[CLIENT_END_OF_EARLY_DATA] = {
+		TLS13_HANDSHAKE,
+		TLS13_MT_END_OF_EARLY_DATA,
+		TLS13_HS_CLIENT_WRITES,
+		{tls13_client_end_of_early_data_send,
+		    tls13_client_end_of_early_data_recv},
+	},
+	[CLIENT_CERTIFICATE] = {
+		TLS13_HANDSHAKE,
+		TLS13_MT_CERTIFICATE,
+		TLS13_HS_CLIENT_WRITES,
+		{tls13_client_certificate_send,
+		    tls13_client_certificate_recv},
+	},
+	[CLIENT_CERTIFICATE_VERIFY] = {
+		TLS13_HANDSHAKE,
+		TLS13_MT_CERTIFICATE_VERIFY,
+		TLS13_HS_CLIENT_WRITES,
+		{tls13_client_certificate_verify_send,
+		    tls13_client_certificate_verify_recv},
+	},
+	[CLIENT_FINISHED] = {
+		TLS13_HANDSHAKE,
+		TLS13_MT_FINISHED,
+		TLS13_HS_CLIENT_WRITES,
+		{tls13_client_finished_recv, tls13_client_finished_send}
+	},
+	[CLIENT_KEY_UPDATE] = {
+		TLS13_HANDSHAKE,
+		TLS13_MT_KEY_UPDATE,
+		TLS13_HS_CLIENT_WRITES,
+		{tls13_client_key_update_send, tls13_client_key_update_recv},
+	},
+	[SERVER_HELLO] = {
+		TLS13_HANDSHAKE,
+		TLS13_MT_SERVER_HELLO,
+		TLS13_HS_SERVER_WRITES,
+		{tls13_server_hello_recv, tls13_server_hello_send},
+	},
+	[SERVER_NEW_SESSION_TICKET] = {
+		TLS13_HANDSHAKE,
+		TLS13_MT_NEW_SESSION_TICKET,
+		TLS13_HS_SERVER_WRITES,
+		{tls13_server_new_session_ticket_recv,
+		    tls13_server_new_session_ticket_send},
+	},
+	[SERVER_ENCRYPTED_EXTENSIONS] = {
+		TLS13_HANDSHAKE,
+		TLS13_MT_ENCRYPTED_EXTENSIONS,
+		TLS13_HS_SERVER_WRITES,
+		{tls13_server_encrypted_extensions_recv,
+		    tls13_server_encrypted_extensions_send},
+	},
+	[SERVER_CERTIFICATE] = {
+		TLS13_HANDSHAKE,
+		TLS13_MT_CERTIFICATE,
+		TLS13_HS_SERVER_WRITES,
+		{tls13_server_certificate_recv, tls13_server_certificate_send},
+	},
+	[SERVER_CERTIFICATE_REQUEST] = {
+		TLS13_HANDSHAKE,
+		TLS13_MT_CERTIFICATE,
+		TLS13_HS_SERVER_WRITES,
+		{tls13_server_certificate_request_recv,
+		    tls13_server_certificate_request_send},
+	},
+	[SERVER_CERTIFICATE_VERIFY] = {
+		TLS13_HANDSHAKE,
+		TLS13_MT_CERTIFICATE_VERIFY,
+		TLS13_HS_SERVER_WRITES,
+		{tls13_server_certificate_verify_send,
+		    tls13_server_certificate_verify_recv},
+	},
+	[SERVER_FINISHED] = {
+		TLS13_HANDSHAKE,
+		TLS13_MT_FINISHED,
+		TLS13_HS_SERVER_WRITES,
+		{tls13_server_finished_recv, tls13_server_finished_send}
+	},
+	[SERVER_KEY_UPDATE] = {
+		TLS13_HANDSHAKE,
+		TLS13_MT_KEY_UPDATE,
+		TLS13_HS_SERVER_WRITES,
+		{tls13_server_key_update_recv, tls13_server_key_update_send},
+	},
+	[SERVER_MESSAGE_HASH] = {
+		TLS13_HANDSHAKE,
+		TLS13_MT_MESSAGE_HASH,
+		TLS13_HS_SERVER_WRITES,
+		{tls13_server_message_hash_recv,
+		    tls13_server_message_hash_send},
+	},
+	[APPLICATION_DATA] = {
+		TLS13_APPLICATION_DATA,
+		0,
+		TLS13_HS_BOTH_WRITE,
+		{NULL, NULL},
+	},
+};
+
+static enum tls13_message_type handshakes[][16] = {
+	[INITIAL] = {
+		CLIENT_HELLO,
+		SERVER_HELLO,
+	},
+	[NEGOTIATED] = {
+		CLIENT_HELLO,
+		SERVER_HELLO, 
+		SERVER_ENCRYPTED_EXTENSIONS,
+		SERVER_CERTIFICATE,
+		SERVER_CERTIFICATE_VERIFY,
+		SERVER_FINISHED,
+		CLIENT_FINISHED,
+		APPLICATION_DATA,
+	},
+	[NEGOTIATED | WITH_HELLO_RET_REQ] = {
+		CLIENT_HELLO,
+		SERVER_HELLO, 
+		CLIENT_HELLO_RETRY,
+		SERVER_ENCRYPTED_EXTENSIONS,
+		SERVER_CERTIFICATE,
+		SERVER_CERTIFICATE_VERIFY,
+		SERVER_FINISHED,
+		CLIENT_FINISHED,
+		APPLICATION_DATA,
+	},
+	[NEGOTIATED | WITH_CERT_REQ] = {
+		CLIENT_HELLO,
+		SERVER_HELLO, 
+		SERVER_ENCRYPTED_EXTENSIONS,
+		SERVER_CERTIFICATE_REQUEST,
+		SERVER_CERTIFICATE,
+		SERVER_CERTIFICATE_VERIFY,
+		SERVER_FINISHED,
+		CLIENT_FINISHED,
+		APPLICATION_DATA,
+	},
+	[NEGOTIATED | WITH_HELLO_RET_REQ | WITH_CERT_REQ] = {
+		CLIENT_HELLO,
+		SERVER_HELLO, 
+		CLIENT_HELLO_RETRY,
+		SERVER_ENCRYPTED_EXTENSIONS,
+		SERVER_CERTIFICATE_REQUEST,
+		SERVER_CERTIFICATE,
+		SERVER_CERTIFICATE_VERIFY,
+		SERVER_FINISHED,
+		CLIENT_FINISHED,
+		APPLICATION_DATA,
+	},
+	[NEGOTIATED | WITH_PSK] = {
+		CLIENT_HELLO,
+		SERVER_HELLO,
+		SERVER_ENCRYPTED_EXTENSIONS,
+		SERVER_FINISHED,
+		CLIENT_FINISHED,
+		APPLICATION_DATA,
+	},
+	[NEGOTIATED | WITH_HELLO_RET_REQ | WITH_PSK] = {
+		CLIENT_HELLO,
+		SERVER_HELLO,
+		CLIENT_HELLO_RETRY,
+		SERVER_ENCRYPTED_EXTENSIONS,
+		SERVER_FINISHED,
+		CLIENT_FINISHED,
+		APPLICATION_DATA,
+	},
+};
+
+enum tls13_message_type
+tls13_handshake_active_state(struct tls13_ctx *ctx)
+{
+	struct tls13_handshake hs = ctx->handshake;
+	return handshakes[hs.hs_type][hs.message_number];
+}
+
+int
+tls13_handshake_get_writer(struct tls13_ctx *ctx)
+{
+	enum tls13_message_type mt = tls13_handshake_active_state(ctx);
+	return state_machine[mt].writer;
+}
+
+int
+tls13_connect(struct tls13_ctx *ctx)
+{
+	ctx->mode = TLS13_HS_MODE_CLIENT;
+	
+	while (tls13_handshake_get_writer(ctx) != TLS13_HS_BOTH_WRITE) {
+		if (tls13_handshake_get_writer(ctx) == TLS13_HS_MODE_CLIENT) {
+			if (!tls13_handshake_write_action(ctx))
+				return 0;
+		} else {
+			if (!tls13_handshake_read_action(ctx))
+				return 0;
+		}
+		if (!tls13_handshake_advance_state_machine(ctx))
+			return 0;
+	}
+
+	return 1;
+}
+
+int
+tls13_accept(struct tls13_ctx *ctx)
+{
+	ctx->mode = TLS13_HS_MODE_SERVER;
+
+	while (tls13_handshake_get_writer(ctx) != TLS13_HS_BOTH_WRITE) {
+		if (tls13_handshake_get_writer(ctx) == TLS13_HS_MODE_CLIENT) {
+			if (!tls13_handshake_write_action(ctx))
+				return 0;
+		} else {
+			if (!tls13_handshake_read_action(ctx))
+				return 0;
+		}
+		if (!tls13_handshake_advance_state_machine(ctx))
+			return 0;
+	}
+
+	return 1;
+}
+
+int
+tls13_advance_state_machine(struct tls13_ctx *ctx)
+{
+	if (tls13_handshake_get_writer(ctx) == TLS13_HS_BOTH_WRITE)
+		return 0;
+	ctx->handshake.message_number++;
+	return 1;
+}
+
+int
+tls13_handshake_write_action(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_handshake_read_action(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_client_hello_send(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_client_hello_recv(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_client_hello_retry_send(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_client_hello_retry_recv(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+
+int
+tls13_client_end_of_early_data_send(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_client_certificate_send(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_client_certificate_recv(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_client_certificate_verify_send(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_client_certificate_verify_recv(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_client_finished_recv(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_client_finished_send(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_client_key_update_send(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_client_key_update_recv(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_server_hello_recv(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_server_hello_send(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_server_new_session_ticket_recv(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_server_new_session_ticket_send(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_server_certificate_recv(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_server_certificate_send(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_server_certificate_request_recv(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_server_certificate_request_send(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_server_certificate_verify_send(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_server_certificate_verify_recv(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_server_finished_recv(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_server_finished_send(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_server_key_update_recv(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_server_key_update_send(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_server_message_hash_recv(struct tls13_ctx *ctx)
+{
+	return 1;
+}
+
+int
+tls13_server_message_hash_send(struct tls13_ctx *ctx)
+{
+	return 1;
+}
diff --git a/lib/libssl/tls13_internal.h b/lib/libssl/tls13_internal.h
index 6172ac25c9c..0c48c87c89f 100644
--- a/lib/libssl/tls13_internal.h
+++ b/lib/libssl/tls13_internal.h
@@ -1,5 +1,7 @@
-/* $OpenBSD: tls13_internal.h,v 1.2 2018/11/08 20:38:25 tb Exp $ */
-/* Copyright (c) 2018, Bob Beck <beck@openbsd.org>
+/* $OpenBSD: tls13_internal.h,v 1.3 2018/11/08 23:54:59 tb Exp $ */
+/*
+ * Copyright (c) 2018, Bob Beck <beck@openbsd.org>
+ * Copyright (c) 2018, Theo Buehler <tb@openbsd.org>
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -58,3 +60,66 @@ int tls13_derive_handshake_secrets(struct tls13_secrets *secrets,
     const struct tls13_secret *context);
 int tls13_derive_application_secrets(struct tls13_secrets *secrets,
     const EVP_MD *digest, const struct tls13_secret *context);
+
+struct tls13_ctx;
+
+/*
+ * RFC 8446, Section B.3
+ *
+ * Values listed as "_RESERVED" were used in previous versions of TLS and are
+ * listed here for completeness.  TLS 1.3 implementations MUST NOT send them but
+ * might receive them from older TLS implementations.
+ */
+#define	TLS13_MT_HELLO_REQUEST_RESERVED		0
+#define	TLS13_MT_CLIENT_HELLO			1
+#define	TLS13_MT_SERVER_HELLO			2
+#define	TLS13_MT_HELLO_VERIFY_REQUEST_RESERVED	3
+#define	TLS13_MT_NEW_SESSION_TICKET		4
+#define	TLS13_MT_END_OF_EARLY_DATA		5
+#define	TLS13_MT_HELLO_RETRY_REQUEST_RESERVED	6
+#define	TLS13_MT_ENCRYPTED_EXTENSIONS		8
+#define	TLS13_MT_CERTIFICATE			11
+#define	TLS13_MT_SERVER_KEY_EXCHANGE_RESERVED	12
+#define	TLS13_MT_CERTIFICATE_REQUEST		13
+#define	TLS13_MT_SERVER_HELLO_DONE_RESERVED	14
+#define	TLS13_MT_CERTIFICATE_VERIFY		15
+#define	TLS13_MT_CLIENT_KEY_EXCHANGE_RESERVED	16
+#define	TLS13_MT_FINISHED			20
+#define	TLS13_MT_CERTIFICATE_URL_RESERVED	21
+#define	TLS13_MT_CERTIFICATE_STATUS_RESERVED	22
+#define	TLS13_MT_SUPPLEMENTAL_DATA_RESERVED	23
+#define	TLS13_MT_KEY_UPDATE			24
+#define	TLS13_MT_MESSAGE_HASH			254
+
+int tls13_client_hello_send(struct tls13_ctx *ctx);
+int tls13_client_hello_recv(struct tls13_ctx *ctx);
+int tls13_client_hello_retry_send(struct tls13_ctx *ctx);
+int tls13_client_hello_retry_recv(struct tls13_ctx *ctx);
+int tls13_client_end_of_early_data_send(struct tls13_ctx *ctx);
+int tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx);
+int tls13_client_certificate_send(struct tls13_ctx *ctx);
+int tls13_client_certificate_recv(struct tls13_ctx *ctx);
+int tls13_client_certificate_verify_send(struct tls13_ctx *ctx);
+int tls13_client_certificate_verify_recv(struct tls13_ctx *ctx);
+int tls13_client_finished_recv(struct tls13_ctx *ctx);
+int tls13_client_finished_send(struct tls13_ctx *ctx);
+int tls13_client_key_update_send(struct tls13_ctx *ctx);
+int tls13_client_key_update_recv(struct tls13_ctx *ctx);
+int tls13_server_hello_recv(struct tls13_ctx *ctx);
+int tls13_server_hello_send(struct tls13_ctx *ctx);
+int tls13_server_new_session_ticket_recv(struct tls13_ctx *ctx);
+int tls13_server_new_session_ticket_send(struct tls13_ctx *ctx);
+int tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx);
+int tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx);
+int tls13_server_certificate_recv(struct tls13_ctx *ctx);
+int tls13_server_certificate_send(struct tls13_ctx *ctx);
+int tls13_server_certificate_request_recv(struct tls13_ctx *ctx);
+int tls13_server_certificate_request_send(struct tls13_ctx *ctx);
+int tls13_server_certificate_verify_send(struct tls13_ctx *ctx);
+int tls13_server_certificate_verify_recv(struct tls13_ctx *ctx);
+int tls13_server_finished_recv(struct tls13_ctx *ctx);
+int tls13_server_finished_send(struct tls13_ctx *ctx);
+int tls13_server_key_update_recv(struct tls13_ctx *ctx);
+int tls13_server_key_update_send(struct tls13_ctx *ctx);
+int tls13_server_message_hash_recv(struct tls13_ctx *ctx);
+int tls13_server_message_hash_send(struct tls13_ctx *ctx);