1 /* 2 * Copyright 2015-2026 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include "internal/e_os.h" 11 12 #if defined(__TANDEM) && defined(_SPT_MODEL_) 13 #include <spthread.h> 14 #include <spt_extensions.h> /* timeval */ 15 #endif 16 17 #include "internal/cryptlib.h" 18 #include "internal/ssl_unwrap.h" 19 #include <openssl/rand.h> 20 #include "../ssl_local.h" 21 #include "statem_local.h" 22 #include <assert.h> 23 24 /* 25 * This file implements the SSL/TLS/DTLS state machines. 26 * 27 * There are two primary state machines: 28 * 29 * 1) Message flow state machine 30 * 2) Handshake state machine 31 * 32 * The Message flow state machine controls the reading and sending of messages 33 * including handling of non-blocking IO events, flushing of the underlying 34 * write BIO, handling unexpected messages, etc. It is itself broken into two 35 * separate sub-state machines which control reading and writing respectively. 36 * 37 * The Handshake state machine keeps track of the current SSL/TLS handshake 38 * state. Transitions of the handshake state are the result of events that 39 * occur within the Message flow state machine. 40 * 41 * Overall it looks like this: 42 * 43 * --------------------------------------------- ------------------- 44 * | | | | 45 * | Message flow state machine | | | 46 * | | | | 47 * | -------------------- -------------------- | Transition | Handshake state | 48 * | | MSG_FLOW_READING | | MSG_FLOW_WRITING | | Event | machine | 49 * | | sub-state | | sub-state | |----------->| | 50 * | | machine for | | machine for | | | | 51 * | | reading messages | | writing messages | | | | 52 * | -------------------- -------------------- | | | 53 * | | | | 54 * --------------------------------------------- ------------------- 55 * 56 */ 57 58 /* Sub state machine return values */ 59 typedef enum { 60 /* Something bad happened or NBIO */ 61 SUB_STATE_ERROR, 62 /* Sub state finished go to the next sub state */ 63 SUB_STATE_FINISHED, 64 /* Sub state finished and handshake was completed */ 65 SUB_STATE_END_HANDSHAKE 66 } SUB_STATE_RETURN; 67 68 static int state_machine(SSL_CONNECTION *s, int server); 69 static void init_read_state_machine(SSL_CONNECTION *s); 70 static SUB_STATE_RETURN read_state_machine(SSL_CONNECTION *s); 71 static void init_write_state_machine(SSL_CONNECTION *s); 72 static SUB_STATE_RETURN write_state_machine(SSL_CONNECTION *s); 73 74 OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl) 75 { 76 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl); 77 78 if (sc == NULL) 79 return TLS_ST_BEFORE; 80 81 return sc->statem.hand_state; 82 } 83 84 int SSL_in_init(const SSL *s) 85 { 86 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s); 87 88 if (sc == NULL) 89 return 0; 90 91 return sc->statem.in_init; 92 } 93 94 int SSL_is_init_finished(const SSL *s) 95 { 96 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s); 97 98 if (sc == NULL) 99 return 0; 100 101 return !(sc->statem.in_init) && (sc->statem.hand_state == TLS_ST_OK); 102 } 103 104 int SSL_in_before(const SSL *s) 105 { 106 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s); 107 108 if (sc == NULL) 109 return 0; 110 111 /* 112 * Historically being "in before" meant before anything had happened. In the 113 * current code though we remain in the "before" state for a while after we 114 * have started the handshake process (e.g. as a server waiting for the 115 * first message to arrive). There "in before" is taken to mean "in before" 116 * and not started any handshake process yet. 117 */ 118 return (sc->statem.hand_state == TLS_ST_BEFORE) 119 && (sc->statem.state == MSG_FLOW_UNINITED); 120 } 121 122 OSSL_HANDSHAKE_STATE ossl_statem_get_state(SSL_CONNECTION *s) 123 { 124 return s != NULL ? s->statem.hand_state : TLS_ST_BEFORE; 125 } 126 127 /* 128 * Clear the state machine state and reset back to MSG_FLOW_UNINITED 129 */ 130 void ossl_statem_clear(SSL_CONNECTION *s) 131 { 132 s->statem.state = MSG_FLOW_UNINITED; 133 s->statem.hand_state = TLS_ST_BEFORE; 134 ossl_statem_set_in_init(s, 1); 135 s->statem.no_cert_verify = 0; 136 } 137 138 /* 139 * Set the state machine up ready for a renegotiation handshake 140 */ 141 void ossl_statem_set_renegotiate(SSL_CONNECTION *s) 142 { 143 ossl_statem_set_in_init(s, 1); 144 s->statem.request_state = TLS_ST_SW_HELLO_REQ; 145 } 146 147 void ossl_statem_send_fatal(SSL_CONNECTION *s, int al) 148 { 149 /* We shouldn't call SSLfatal() twice. Once is enough */ 150 if (s->statem.in_init && s->statem.state == MSG_FLOW_ERROR) 151 return; 152 ossl_statem_set_in_init(s, 1); 153 s->statem.state = MSG_FLOW_ERROR; 154 if (al != SSL_AD_NO_ALERT && s->rlayer.wrlmethod != NULL) 155 ssl3_send_alert(s, SSL3_AL_FATAL, al); 156 } 157 158 /* 159 * Error reporting building block that's used instead of ERR_set_error(). 160 * In addition to what ERR_set_error() does, this puts the state machine 161 * into an error state and sends an alert if appropriate. 162 * This is a permanent error for the current connection. 163 */ 164 void ossl_statem_fatal(SSL_CONNECTION *s, int al, int reason, 165 const char *fmt, ...) 166 { 167 va_list args; 168 169 va_start(args, fmt); 170 ERR_vset_error(ERR_LIB_SSL, reason, fmt, args); 171 va_end(args); 172 173 ossl_statem_send_fatal(s, al); 174 } 175 176 /* 177 * This macro should only be called if we are already expecting to be in 178 * a fatal error state. We verify that we are, and set it if not (this would 179 * indicate a bug). 180 */ 181 #define check_fatal(s) \ 182 do { \ 183 if (!ossl_assert((s)->statem.in_init \ 184 && (s)->statem.state == MSG_FLOW_ERROR)) \ 185 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_FATAL); \ 186 } while (0) 187 188 /* 189 * Discover whether the current connection is in the error state. 190 * 191 * Valid return values are: 192 * 1: Yes 193 * 0: No 194 */ 195 int ossl_statem_in_error(const SSL_CONNECTION *s) 196 { 197 if (s->statem.state == MSG_FLOW_ERROR) 198 return 1; 199 200 return 0; 201 } 202 203 void ossl_statem_set_in_init(SSL_CONNECTION *s, int init) 204 { 205 s->statem.in_init = init; 206 if (s->rlayer.rrlmethod != NULL && s->rlayer.rrlmethod->set_in_init != NULL) 207 s->rlayer.rrlmethod->set_in_init(s->rlayer.rrl, init); 208 } 209 210 int ossl_statem_get_in_handshake(SSL_CONNECTION *s) 211 { 212 return s->statem.in_handshake; 213 } 214 215 void ossl_statem_set_in_handshake(SSL_CONNECTION *s, int inhand) 216 { 217 if (inhand) 218 s->statem.in_handshake++; 219 else 220 s->statem.in_handshake--; 221 } 222 223 /* Are we in a sensible state to skip over unreadable early data? */ 224 int ossl_statem_skip_early_data(SSL_CONNECTION *s) 225 { 226 if (s->ext.early_data != SSL_EARLY_DATA_REJECTED) 227 return 0; 228 229 if (!s->server 230 || s->statem.hand_state != TLS_ST_EARLY_DATA 231 || s->hello_retry_request == SSL_HRR_COMPLETE) 232 return 0; 233 234 return 1; 235 } 236 237 /* 238 * Called when we are in SSL_read*(), SSL_write*(), or SSL_accept() 239 * /SSL_connect()/SSL_do_handshake(). Used to test whether we are in an early 240 * data state and whether we should attempt to move the handshake on if so. 241 * |sending| is 1 if we are attempting to send data (SSL_write*()), 0 if we are 242 * attempting to read data (SSL_read*()), or -1 if we are in SSL_do_handshake() 243 * or similar. 244 */ 245 int ossl_statem_check_finish_init(SSL_CONNECTION *s, int sending) 246 { 247 if (sending == -1) { 248 if (s->statem.hand_state == TLS_ST_PENDING_EARLY_DATA_END 249 || s->statem.hand_state == TLS_ST_EARLY_DATA) { 250 ossl_statem_set_in_init(s, 1); 251 if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY) { 252 /* 253 * SSL_connect() or SSL_do_handshake() has been called directly. 254 * We don't allow any more writing of early data. 255 */ 256 s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING; 257 } 258 } 259 } else if (!s->server) { 260 if ((sending && (s->statem.hand_state == TLS_ST_PENDING_EARLY_DATA_END || s->statem.hand_state == TLS_ST_EARLY_DATA) 261 && s->early_data_state != SSL_EARLY_DATA_WRITING) 262 || (!sending && s->statem.hand_state == TLS_ST_EARLY_DATA)) { 263 ossl_statem_set_in_init(s, 1); 264 /* 265 * SSL_write() has been called directly. We don't allow any more 266 * writing of early data. 267 */ 268 if (sending && s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY) 269 s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING; 270 } 271 } else { 272 if (s->early_data_state == SSL_EARLY_DATA_FINISHED_READING 273 && s->statem.hand_state == TLS_ST_EARLY_DATA) 274 ossl_statem_set_in_init(s, 1); 275 } 276 return 1; 277 } 278 279 void ossl_statem_set_hello_verify_done(SSL_CONNECTION *s) 280 { 281 s->statem.state = MSG_FLOW_UNINITED; 282 ossl_statem_set_in_init(s, 1); 283 /* 284 * This will get reset (briefly) back to TLS_ST_BEFORE when we enter 285 * state_machine() because |state| is MSG_FLOW_UNINITED, but until then any 286 * calls to SSL_in_before() will return false. Also calls to 287 * SSL_state_string() and SSL_state_string_long() will return something 288 * sensible. 289 */ 290 s->statem.hand_state = TLS_ST_SR_CLNT_HELLO; 291 } 292 293 int ossl_statem_connect(SSL *s) 294 { 295 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); 296 297 if (sc == NULL) 298 return -1; 299 300 return state_machine(sc, 0); 301 } 302 303 int ossl_statem_accept(SSL *s) 304 { 305 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); 306 307 if (sc == NULL) 308 return -1; 309 310 return state_machine(sc, 1); 311 } 312 313 typedef void (*info_cb)(const SSL *, int, int); 314 315 static info_cb get_callback(SSL_CONNECTION *s) 316 { 317 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 318 319 if (s->info_callback != NULL) 320 return s->info_callback; 321 else if (sctx->info_callback != NULL) 322 return sctx->info_callback; 323 324 return NULL; 325 } 326 327 /* 328 * The main message flow state machine. We start in the MSG_FLOW_UNINITED or 329 * MSG_FLOW_FINISHED state and finish in MSG_FLOW_FINISHED. Valid states and 330 * transitions are as follows: 331 * 332 * MSG_FLOW_UNINITED MSG_FLOW_FINISHED 333 * | | 334 * +-----------------------+ 335 * v 336 * MSG_FLOW_WRITING <---> MSG_FLOW_READING 337 * | 338 * V 339 * MSG_FLOW_FINISHED 340 * | 341 * V 342 * [SUCCESS] 343 * 344 * We may exit at any point due to an error or NBIO event. If an NBIO event 345 * occurs then we restart at the point we left off when we are recalled. 346 * MSG_FLOW_WRITING and MSG_FLOW_READING have sub-state machines associated with them. 347 * 348 * In addition to the above there is also the MSG_FLOW_ERROR state. We can move 349 * into that state at any point in the event that an irrecoverable error occurs. 350 * 351 * Valid return values are: 352 * 1: Success 353 * <=0: NBIO or error 354 */ 355 static int state_machine(SSL_CONNECTION *s, int server) 356 { 357 BUF_MEM *buf = NULL; 358 void (*cb)(const SSL *ssl, int type, int val) = NULL; 359 OSSL_STATEM *st = &s->statem; 360 int ret = -1; 361 int ssret; 362 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 363 SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s); 364 365 if (st->state == MSG_FLOW_ERROR) { 366 /* Shouldn't have been called if we're already in the error state */ 367 return -1; 368 } 369 370 ERR_clear_error(); 371 clear_sys_error(); 372 373 cb = get_callback(s); 374 375 st->in_handshake++; 376 if (!SSL_in_init(ssl) || SSL_in_before(ssl)) { 377 /* 378 * If we are stateless then we already called SSL_clear() - don't do 379 * it again and clear the STATELESS flag itself. 380 */ 381 if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0 && !SSL_clear(ssl)) 382 return -1; 383 } 384 #ifndef OPENSSL_NO_SCTP 385 if (SSL_CONNECTION_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(ssl))) { 386 /* 387 * Notify SCTP BIO socket to enter handshake mode and prevent stream 388 * identifier other than 0. 389 */ 390 BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, 391 st->in_handshake, NULL); 392 } 393 #endif 394 395 /* Initialise state machine */ 396 if (st->state == MSG_FLOW_UNINITED 397 || st->state == MSG_FLOW_FINISHED) { 398 if (st->state == MSG_FLOW_UNINITED) { 399 st->hand_state = TLS_ST_BEFORE; 400 st->request_state = TLS_ST_BEFORE; 401 } 402 403 s->server = server; 404 if (cb != NULL) { 405 if (SSL_IS_FIRST_HANDSHAKE(s) || !SSL_CONNECTION_IS_TLS13(s)) 406 cb(ussl, SSL_CB_HANDSHAKE_START, 1); 407 } 408 409 /* 410 * Fatal errors in this block don't send an alert because we have 411 * failed to even initialise properly. Sending an alert is probably 412 * doomed to failure. 413 */ 414 415 if (SSL_CONNECTION_IS_DTLS(s)) { 416 if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00) && (server || (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00))) { 417 SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR); 418 goto end; 419 } 420 } else { 421 if ((s->version >> 8) != SSL3_VERSION_MAJOR) { 422 SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR); 423 goto end; 424 } 425 } 426 427 if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) { 428 SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR); 429 goto end; 430 } 431 432 if (s->init_buf == NULL) { 433 if ((buf = BUF_MEM_new()) == NULL) { 434 SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR); 435 goto end; 436 } 437 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) { 438 SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR); 439 goto end; 440 } 441 s->init_buf = buf; 442 buf = NULL; 443 } 444 445 s->init_num = 0; 446 447 /* 448 * Should have been reset by tls_process_finished, too. 449 */ 450 s->s3.change_cipher_spec = 0; 451 452 /* 453 * Ok, we now need to push on a buffering BIO ...but not with 454 * SCTP 455 */ 456 #ifndef OPENSSL_NO_SCTP 457 if (!SSL_CONNECTION_IS_DTLS(s) || !BIO_dgram_is_sctp(SSL_get_wbio(ssl))) 458 #endif 459 if (!ssl_init_wbio_buffer(s)) { 460 SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR); 461 goto end; 462 } 463 464 if ((SSL_in_before(ssl)) 465 || s->renegotiate) { 466 if (!tls_setup_handshake(s)) { 467 /* SSLfatal() already called */ 468 goto end; 469 } 470 471 if (SSL_IS_FIRST_HANDSHAKE(s)) 472 st->read_state_first_init = 1; 473 } 474 475 st->state = MSG_FLOW_WRITING; 476 init_write_state_machine(s); 477 } 478 479 while (st->state != MSG_FLOW_FINISHED) { 480 if (st->state == MSG_FLOW_READING) { 481 ssret = read_state_machine(s); 482 if (ssret == SUB_STATE_FINISHED) { 483 st->state = MSG_FLOW_WRITING; 484 init_write_state_machine(s); 485 } else { 486 /* NBIO or error */ 487 goto end; 488 } 489 } else if (st->state == MSG_FLOW_WRITING) { 490 ssret = write_state_machine(s); 491 if (ssret == SUB_STATE_FINISHED) { 492 st->state = MSG_FLOW_READING; 493 init_read_state_machine(s); 494 } else if (ssret == SUB_STATE_END_HANDSHAKE) { 495 st->state = MSG_FLOW_FINISHED; 496 } else { 497 /* NBIO or error */ 498 goto end; 499 } 500 } else { 501 /* Error */ 502 check_fatal(s); 503 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 504 goto end; 505 } 506 } 507 508 ret = 1; 509 510 end: 511 st->in_handshake--; 512 513 #ifndef OPENSSL_NO_SCTP 514 if (SSL_CONNECTION_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(ssl))) { 515 /* 516 * Notify SCTP BIO socket to leave handshake mode and allow stream 517 * identifier other than 0. 518 */ 519 BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, 520 st->in_handshake, NULL); 521 } 522 #endif 523 524 BUF_MEM_free(buf); 525 if (cb != NULL) { 526 if (server) 527 cb(ussl, SSL_CB_ACCEPT_EXIT, ret); 528 else 529 cb(ussl, SSL_CB_CONNECT_EXIT, ret); 530 } 531 return ret; 532 } 533 534 /* 535 * Initialise the MSG_FLOW_READING sub-state machine 536 */ 537 static void init_read_state_machine(SSL_CONNECTION *s) 538 { 539 OSSL_STATEM *st = &s->statem; 540 541 st->read_state = READ_STATE_HEADER; 542 } 543 544 /* 545 * This function implements the sub-state machine when the message flow is in 546 * MSG_FLOW_READING. The valid sub-states and transitions are: 547 * 548 * READ_STATE_HEADER <--+<-------------+ 549 * | | | 550 * v | | 551 * READ_STATE_BODY -----+-->READ_STATE_POST_PROCESS 552 * | | 553 * +----------------------------+ 554 * v 555 * [SUB_STATE_FINISHED] 556 * 557 * READ_STATE_HEADER has the responsibility for reading in the message header 558 * and transitioning the state of the handshake state machine. 559 * 560 * READ_STATE_BODY reads in the rest of the message and then subsequently 561 * processes it. 562 * 563 * READ_STATE_POST_PROCESS is an optional step that may occur if some post 564 * processing activity performed on the message may block. 565 * 566 * Any of the above states could result in an NBIO event occurring in which case 567 * control returns to the calling application. When this function is recalled we 568 * will resume in the same state where we left off. 569 */ 570 static SUB_STATE_RETURN read_state_machine(SSL_CONNECTION *s) 571 { 572 OSSL_STATEM *st = &s->statem; 573 int ret, mt; 574 size_t len = 0; 575 int (*transition)(SSL_CONNECTION *s, int mt); 576 PACKET pkt; 577 MSG_PROCESS_RETURN (*process_message)(SSL_CONNECTION *s, PACKET *pkt); 578 WORK_STATE (*post_process_message)(SSL_CONNECTION *s, WORK_STATE wst); 579 size_t (*max_message_size)(SSL_CONNECTION *s); 580 void (*cb)(const SSL *ssl, int type, int val) = NULL; 581 SSL *ssl = SSL_CONNECTION_GET_USER_SSL(s); 582 583 cb = get_callback(s); 584 585 if (s->server) { 586 transition = ossl_statem_server_read_transition; 587 process_message = ossl_statem_server_process_message; 588 max_message_size = ossl_statem_server_max_message_size; 589 post_process_message = ossl_statem_server_post_process_message; 590 } else { 591 transition = ossl_statem_client_read_transition; 592 process_message = ossl_statem_client_process_message; 593 max_message_size = ossl_statem_client_max_message_size; 594 post_process_message = ossl_statem_client_post_process_message; 595 } 596 597 if (st->read_state_first_init) { 598 s->first_packet = 1; 599 st->read_state_first_init = 0; 600 } 601 602 while (1) { 603 switch (st->read_state) { 604 case READ_STATE_HEADER: 605 /* Get the state the peer wants to move to */ 606 if (SSL_CONNECTION_IS_DTLS(s)) { 607 /* 608 * In DTLS we get the whole message in one go - header and body 609 */ 610 ret = dtls_get_message(s, &mt); 611 } else { 612 ret = tls_get_message_header(s, &mt); 613 } 614 615 if (ret == 0) { 616 /* Could be non-blocking IO */ 617 return SUB_STATE_ERROR; 618 } 619 620 if (cb != NULL) { 621 /* Notify callback of an impending state change */ 622 if (s->server) 623 cb(ssl, SSL_CB_ACCEPT_LOOP, 1); 624 else 625 cb(ssl, SSL_CB_CONNECT_LOOP, 1); 626 } 627 /* 628 * Validate that we are allowed to move to the new state and move 629 * to that state if so 630 */ 631 if (!transition(s, mt)) 632 return SUB_STATE_ERROR; 633 634 if (s->s3.tmp.message_size > max_message_size(s)) { 635 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 636 SSL_R_EXCESSIVE_MESSAGE_SIZE); 637 return SUB_STATE_ERROR; 638 } 639 640 st->read_state = READ_STATE_BODY; 641 /* Fall through */ 642 643 case READ_STATE_BODY: 644 if (SSL_CONNECTION_IS_DTLS(s)) { 645 /* 646 * Actually we already have the body, but we give DTLS the 647 * opportunity to do any further processing. 648 */ 649 ret = dtls_get_message_body(s, &len); 650 } else { 651 ret = tls_get_message_body(s, &len); 652 } 653 if (ret == 0) { 654 /* Could be non-blocking IO */ 655 return SUB_STATE_ERROR; 656 } 657 658 s->first_packet = 0; 659 if (!PACKET_buf_init(&pkt, s->init_msg, len)) { 660 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 661 return SUB_STATE_ERROR; 662 } 663 ret = process_message(s, &pkt); 664 665 /* Discard the packet data */ 666 s->init_num = 0; 667 668 switch (ret) { 669 case MSG_PROCESS_ERROR: 670 check_fatal(s); 671 return SUB_STATE_ERROR; 672 673 case MSG_PROCESS_FINISHED_READING: 674 if (SSL_CONNECTION_IS_DTLS(s)) { 675 dtls1_stop_timer(s); 676 } 677 return SUB_STATE_FINISHED; 678 679 case MSG_PROCESS_CONTINUE_PROCESSING: 680 st->read_state = READ_STATE_POST_PROCESS; 681 st->read_state_work = WORK_MORE_A; 682 break; 683 684 default: 685 st->read_state = READ_STATE_HEADER; 686 break; 687 } 688 break; 689 690 case READ_STATE_POST_PROCESS: 691 st->read_state_work = post_process_message(s, st->read_state_work); 692 switch (st->read_state_work) { 693 case WORK_ERROR: 694 check_fatal(s); 695 /* Fall through */ 696 case WORK_MORE_A: 697 case WORK_MORE_B: 698 case WORK_MORE_C: 699 return SUB_STATE_ERROR; 700 701 case WORK_FINISHED_CONTINUE: 702 st->read_state = READ_STATE_HEADER; 703 break; 704 705 case WORK_FINISHED_SWAP: 706 case WORK_FINISHED_STOP: 707 if (SSL_CONNECTION_IS_DTLS(s)) { 708 dtls1_stop_timer(s); 709 } 710 return SUB_STATE_FINISHED; 711 } 712 break; 713 714 default: 715 /* Shouldn't happen */ 716 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 717 return SUB_STATE_ERROR; 718 } 719 } 720 } 721 722 /* 723 * Send a previously constructed message to the peer. 724 */ 725 static int statem_do_write(SSL_CONNECTION *s) 726 { 727 OSSL_STATEM *st = &s->statem; 728 729 if (st->hand_state == TLS_ST_CW_CHANGE 730 || st->hand_state == TLS_ST_SW_CHANGE) { 731 if (SSL_CONNECTION_IS_DTLS(s)) 732 return dtls1_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC); 733 else 734 return ssl3_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC); 735 } else { 736 return ssl_do_write(s); 737 } 738 } 739 740 /* 741 * Initialise the MSG_FLOW_WRITING sub-state machine 742 */ 743 static void init_write_state_machine(SSL_CONNECTION *s) 744 { 745 OSSL_STATEM *st = &s->statem; 746 747 st->write_state = WRITE_STATE_TRANSITION; 748 } 749 750 /* 751 * This function implements the sub-state machine when the message flow is in 752 * MSG_FLOW_WRITING. The valid sub-states and transitions are: 753 * 754 * +-> WRITE_STATE_TRANSITION ------> [SUB_STATE_FINISHED] 755 * | | 756 * | v 757 * | WRITE_STATE_PRE_WORK -----> [SUB_STATE_END_HANDSHAKE] 758 * | | 759 * | v 760 * | WRITE_STATE_SEND 761 * | | 762 * | v 763 * | WRITE_STATE_POST_WORK 764 * | | 765 * +-------------+ 766 * 767 * WRITE_STATE_TRANSITION transitions the state of the handshake state machine 768 769 * WRITE_STATE_PRE_WORK performs any work necessary to prepare the later 770 * sending of the message. This could result in an NBIO event occurring in 771 * which case control returns to the calling application. When this function 772 * is recalled we will resume in the same state where we left off. 773 * 774 * WRITE_STATE_SEND sends the message and performs any work to be done after 775 * sending. 776 * 777 * WRITE_STATE_POST_WORK performs any work necessary after the sending of the 778 * message has been completed. As for WRITE_STATE_PRE_WORK this could also 779 * result in an NBIO event. 780 */ 781 static SUB_STATE_RETURN write_state_machine(SSL_CONNECTION *s) 782 { 783 OSSL_STATEM *st = &s->statem; 784 int ret; 785 WRITE_TRAN (*transition)(SSL_CONNECTION *s); 786 WORK_STATE (*pre_work)(SSL_CONNECTION *s, WORK_STATE wst); 787 WORK_STATE (*post_work)(SSL_CONNECTION *s, WORK_STATE wst); 788 int (*get_construct_message_f)(SSL_CONNECTION *s, 789 CON_FUNC_RETURN (**confunc)(SSL_CONNECTION *s, 790 WPACKET *pkt), 791 int *mt); 792 void (*cb)(const SSL *ssl, int type, int val) = NULL; 793 CON_FUNC_RETURN (*confunc)(SSL_CONNECTION *s, WPACKET *pkt); 794 int mt; 795 WPACKET pkt; 796 SSL *ssl = SSL_CONNECTION_GET_USER_SSL(s); 797 798 cb = get_callback(s); 799 800 if (s->server) { 801 transition = ossl_statem_server_write_transition; 802 pre_work = ossl_statem_server_pre_work; 803 post_work = ossl_statem_server_post_work; 804 get_construct_message_f = ossl_statem_server_construct_message; 805 } else { 806 transition = ossl_statem_client_write_transition; 807 pre_work = ossl_statem_client_pre_work; 808 post_work = ossl_statem_client_post_work; 809 get_construct_message_f = ossl_statem_client_construct_message; 810 } 811 812 while (1) { 813 switch (st->write_state) { 814 case WRITE_STATE_TRANSITION: 815 if (cb != NULL) { 816 /* Notify callback of an impending state change */ 817 if (s->server) 818 cb(ssl, SSL_CB_ACCEPT_LOOP, 1); 819 else 820 cb(ssl, SSL_CB_CONNECT_LOOP, 1); 821 } 822 switch (transition(s)) { 823 case WRITE_TRAN_CONTINUE: 824 st->write_state = WRITE_STATE_PRE_WORK; 825 st->write_state_work = WORK_MORE_A; 826 break; 827 828 case WRITE_TRAN_FINISHED: 829 return SUB_STATE_FINISHED; 830 831 case WRITE_TRAN_ERROR: 832 check_fatal(s); 833 return SUB_STATE_ERROR; 834 } 835 break; 836 837 case WRITE_STATE_PRE_WORK: 838 switch (st->write_state_work = pre_work(s, st->write_state_work)) { 839 case WORK_ERROR: 840 check_fatal(s); 841 /* Fall through */ 842 case WORK_MORE_A: 843 case WORK_MORE_B: 844 case WORK_MORE_C: 845 return SUB_STATE_ERROR; 846 847 case WORK_FINISHED_CONTINUE: 848 st->write_state = WRITE_STATE_SEND; 849 break; 850 851 case WORK_FINISHED_SWAP: 852 return SUB_STATE_FINISHED; 853 854 case WORK_FINISHED_STOP: 855 return SUB_STATE_END_HANDSHAKE; 856 } 857 if (!get_construct_message_f(s, &confunc, &mt)) { 858 /* SSLfatal() already called */ 859 return SUB_STATE_ERROR; 860 } 861 if (mt == SSL3_MT_DUMMY) { 862 /* Skip construction and sending. This isn't a "real" state */ 863 st->write_state = WRITE_STATE_POST_WORK; 864 st->write_state_work = WORK_MORE_A; 865 break; 866 } 867 if (!WPACKET_init(&pkt, s->init_buf) 868 || !ssl_set_handshake_header(s, &pkt, mt)) { 869 WPACKET_cleanup(&pkt); 870 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 871 return SUB_STATE_ERROR; 872 } 873 if (confunc != NULL) { 874 CON_FUNC_RETURN tmpret; 875 876 tmpret = confunc(s, &pkt); 877 if (tmpret == CON_FUNC_ERROR) { 878 WPACKET_cleanup(&pkt); 879 check_fatal(s); 880 return SUB_STATE_ERROR; 881 } else if (tmpret == CON_FUNC_DONT_SEND) { 882 /* 883 * The construction function decided not to construct the 884 * message after all and continue. Skip sending. 885 */ 886 WPACKET_cleanup(&pkt); 887 st->write_state = WRITE_STATE_POST_WORK; 888 st->write_state_work = WORK_MORE_A; 889 break; 890 } /* else success */ 891 } 892 if (!ssl_close_construct_packet(s, &pkt, mt) 893 || !WPACKET_finish(&pkt)) { 894 WPACKET_cleanup(&pkt); 895 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 896 return SUB_STATE_ERROR; 897 } 898 899 /* Fall through */ 900 901 case WRITE_STATE_SEND: 902 if (SSL_CONNECTION_IS_DTLS(s) && st->use_timer) { 903 dtls1_start_timer(s); 904 } 905 ret = statem_do_write(s); 906 if (ret <= 0) { 907 return SUB_STATE_ERROR; 908 } 909 st->write_state = WRITE_STATE_POST_WORK; 910 st->write_state_work = WORK_MORE_A; 911 /* Fall through */ 912 913 case WRITE_STATE_POST_WORK: 914 switch (st->write_state_work = post_work(s, st->write_state_work)) { 915 case WORK_ERROR: 916 check_fatal(s); 917 /* Fall through */ 918 case WORK_MORE_A: 919 case WORK_MORE_B: 920 case WORK_MORE_C: 921 return SUB_STATE_ERROR; 922 923 case WORK_FINISHED_CONTINUE: 924 st->write_state = WRITE_STATE_TRANSITION; 925 break; 926 927 case WORK_FINISHED_SWAP: 928 return SUB_STATE_FINISHED; 929 930 case WORK_FINISHED_STOP: 931 return SUB_STATE_END_HANDSHAKE; 932 } 933 break; 934 935 default: 936 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 937 return SUB_STATE_ERROR; 938 } 939 } 940 } 941 942 /* 943 * Flush the write BIO 944 */ 945 int statem_flush(SSL_CONNECTION *s) 946 { 947 s->rwstate = SSL_WRITING; 948 if (BIO_flush(s->wbio) <= 0) { 949 return 0; 950 } 951 s->rwstate = SSL_NOTHING; 952 953 return 1; 954 } 955 956 /* 957 * Called by the record layer to determine whether application data is 958 * allowed to be received in the current handshake state or not. 959 * 960 * Return values are: 961 * 1: Yes (application data allowed) 962 * 0: No (application data not allowed) 963 */ 964 int ossl_statem_app_data_allowed(SSL_CONNECTION *s) 965 { 966 OSSL_STATEM *st = &s->statem; 967 968 if (st->state == MSG_FLOW_UNINITED) 969 return 0; 970 971 if (!s->s3.in_read_app_data || (s->s3.total_renegotiations == 0)) 972 return 0; 973 974 if (s->server) { 975 /* 976 * If we're a server and we haven't got as far as writing our 977 * ServerHello yet then we allow app data 978 */ 979 if (st->hand_state == TLS_ST_BEFORE 980 || st->hand_state == TLS_ST_SR_CLNT_HELLO) 981 return 1; 982 } else { 983 /* 984 * If we're a client and we haven't read the ServerHello yet then we 985 * allow app data 986 */ 987 if (st->hand_state == TLS_ST_CW_CLNT_HELLO) 988 return 1; 989 } 990 991 return 0; 992 } 993 994 /* 995 * This function returns 1 if TLS exporter is ready to export keying 996 * material, or 0 if otherwise. 997 */ 998 int ossl_statem_export_allowed(SSL_CONNECTION *s) 999 { 1000 return s->s3.previous_server_finished_len != 0 1001 && s->statem.hand_state != TLS_ST_SW_FINISHED; 1002 } 1003 1004 /* 1005 * Return 1 if early TLS exporter is ready to export keying material, 1006 * or 0 if otherwise. 1007 */ 1008 int ossl_statem_export_early_allowed(SSL_CONNECTION *s) 1009 { 1010 /* 1011 * The early exporter secret is only present on the server if we 1012 * have accepted early_data. It is present on the client as long 1013 * as we have sent early_data. 1014 */ 1015 return s->ext.early_data == SSL_EARLY_DATA_ACCEPTED 1016 || (!s->server && s->ext.early_data != SSL_EARLY_DATA_NOT_SENT); 1017 } 1018