1*e71b7053SJung-uk Kim /* 2*e71b7053SJung-uk Kim * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. 3*e71b7053SJung-uk Kim * 4*e71b7053SJung-uk Kim * Licensed under the OpenSSL license (the "License"). You may not use 5*e71b7053SJung-uk Kim * this file except in compliance with the License. You can obtain a copy 6*e71b7053SJung-uk Kim * in the file LICENSE in the source distribution or at 7*e71b7053SJung-uk Kim * https://www.openssl.org/source/license.html 8*e71b7053SJung-uk Kim */ 9*e71b7053SJung-uk Kim 10*e71b7053SJung-uk Kim #include "internal/cryptlib.h" 11*e71b7053SJung-uk Kim #include <openssl/rand.h> 12*e71b7053SJung-uk Kim #include "../ssl_locl.h" 13*e71b7053SJung-uk Kim #include "statem_locl.h" 14*e71b7053SJung-uk Kim #include <assert.h> 15*e71b7053SJung-uk Kim 16*e71b7053SJung-uk Kim /* 17*e71b7053SJung-uk Kim * This file implements the SSL/TLS/DTLS state machines. 18*e71b7053SJung-uk Kim * 19*e71b7053SJung-uk Kim * There are two primary state machines: 20*e71b7053SJung-uk Kim * 21*e71b7053SJung-uk Kim * 1) Message flow state machine 22*e71b7053SJung-uk Kim * 2) Handshake state machine 23*e71b7053SJung-uk Kim * 24*e71b7053SJung-uk Kim * The Message flow state machine controls the reading and sending of messages 25*e71b7053SJung-uk Kim * including handling of non-blocking IO events, flushing of the underlying 26*e71b7053SJung-uk Kim * write BIO, handling unexpected messages, etc. It is itself broken into two 27*e71b7053SJung-uk Kim * separate sub-state machines which control reading and writing respectively. 28*e71b7053SJung-uk Kim * 29*e71b7053SJung-uk Kim * The Handshake state machine keeps track of the current SSL/TLS handshake 30*e71b7053SJung-uk Kim * state. Transitions of the handshake state are the result of events that 31*e71b7053SJung-uk Kim * occur within the Message flow state machine. 32*e71b7053SJung-uk Kim * 33*e71b7053SJung-uk Kim * Overall it looks like this: 34*e71b7053SJung-uk Kim * 35*e71b7053SJung-uk Kim * --------------------------------------------- ------------------- 36*e71b7053SJung-uk Kim * | | | | 37*e71b7053SJung-uk Kim * | Message flow state machine | | | 38*e71b7053SJung-uk Kim * | | | | 39*e71b7053SJung-uk Kim * | -------------------- -------------------- | Transition | Handshake state | 40*e71b7053SJung-uk Kim * | | MSG_FLOW_READING | | MSG_FLOW_WRITING | | Event | machine | 41*e71b7053SJung-uk Kim * | | sub-state | | sub-state | |----------->| | 42*e71b7053SJung-uk Kim * | | machine for | | machine for | | | | 43*e71b7053SJung-uk Kim * | | reading messages | | writing messages | | | | 44*e71b7053SJung-uk Kim * | -------------------- -------------------- | | | 45*e71b7053SJung-uk Kim * | | | | 46*e71b7053SJung-uk Kim * --------------------------------------------- ------------------- 47*e71b7053SJung-uk Kim * 48*e71b7053SJung-uk Kim */ 49*e71b7053SJung-uk Kim 50*e71b7053SJung-uk Kim /* Sub state machine return values */ 51*e71b7053SJung-uk Kim typedef enum { 52*e71b7053SJung-uk Kim /* Something bad happened or NBIO */ 53*e71b7053SJung-uk Kim SUB_STATE_ERROR, 54*e71b7053SJung-uk Kim /* Sub state finished go to the next sub state */ 55*e71b7053SJung-uk Kim SUB_STATE_FINISHED, 56*e71b7053SJung-uk Kim /* Sub state finished and handshake was completed */ 57*e71b7053SJung-uk Kim SUB_STATE_END_HANDSHAKE 58*e71b7053SJung-uk Kim } SUB_STATE_RETURN; 59*e71b7053SJung-uk Kim 60*e71b7053SJung-uk Kim static int state_machine(SSL *s, int server); 61*e71b7053SJung-uk Kim static void init_read_state_machine(SSL *s); 62*e71b7053SJung-uk Kim static SUB_STATE_RETURN read_state_machine(SSL *s); 63*e71b7053SJung-uk Kim static void init_write_state_machine(SSL *s); 64*e71b7053SJung-uk Kim static SUB_STATE_RETURN write_state_machine(SSL *s); 65*e71b7053SJung-uk Kim 66*e71b7053SJung-uk Kim OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl) 67*e71b7053SJung-uk Kim { 68*e71b7053SJung-uk Kim return ssl->statem.hand_state; 69*e71b7053SJung-uk Kim } 70*e71b7053SJung-uk Kim 71*e71b7053SJung-uk Kim int SSL_in_init(const SSL *s) 72*e71b7053SJung-uk Kim { 73*e71b7053SJung-uk Kim return s->statem.in_init; 74*e71b7053SJung-uk Kim } 75*e71b7053SJung-uk Kim 76*e71b7053SJung-uk Kim int SSL_is_init_finished(const SSL *s) 77*e71b7053SJung-uk Kim { 78*e71b7053SJung-uk Kim return !(s->statem.in_init) && (s->statem.hand_state == TLS_ST_OK); 79*e71b7053SJung-uk Kim } 80*e71b7053SJung-uk Kim 81*e71b7053SJung-uk Kim int SSL_in_before(const SSL *s) 82*e71b7053SJung-uk Kim { 83*e71b7053SJung-uk Kim /* 84*e71b7053SJung-uk Kim * Historically being "in before" meant before anything had happened. In the 85*e71b7053SJung-uk Kim * current code though we remain in the "before" state for a while after we 86*e71b7053SJung-uk Kim * have started the handshake process (e.g. as a server waiting for the 87*e71b7053SJung-uk Kim * first message to arrive). There "in before" is taken to mean "in before" 88*e71b7053SJung-uk Kim * and not started any handshake process yet. 89*e71b7053SJung-uk Kim */ 90*e71b7053SJung-uk Kim return (s->statem.hand_state == TLS_ST_BEFORE) 91*e71b7053SJung-uk Kim && (s->statem.state == MSG_FLOW_UNINITED); 92*e71b7053SJung-uk Kim } 93*e71b7053SJung-uk Kim 94*e71b7053SJung-uk Kim /* 95*e71b7053SJung-uk Kim * Clear the state machine state and reset back to MSG_FLOW_UNINITED 96*e71b7053SJung-uk Kim */ 97*e71b7053SJung-uk Kim void ossl_statem_clear(SSL *s) 98*e71b7053SJung-uk Kim { 99*e71b7053SJung-uk Kim s->statem.state = MSG_FLOW_UNINITED; 100*e71b7053SJung-uk Kim s->statem.hand_state = TLS_ST_BEFORE; 101*e71b7053SJung-uk Kim s->statem.in_init = 1; 102*e71b7053SJung-uk Kim s->statem.no_cert_verify = 0; 103*e71b7053SJung-uk Kim } 104*e71b7053SJung-uk Kim 105*e71b7053SJung-uk Kim /* 106*e71b7053SJung-uk Kim * Set the state machine up ready for a renegotiation handshake 107*e71b7053SJung-uk Kim */ 108*e71b7053SJung-uk Kim void ossl_statem_set_renegotiate(SSL *s) 109*e71b7053SJung-uk Kim { 110*e71b7053SJung-uk Kim s->statem.in_init = 1; 111*e71b7053SJung-uk Kim s->statem.request_state = TLS_ST_SW_HELLO_REQ; 112*e71b7053SJung-uk Kim } 113*e71b7053SJung-uk Kim 114*e71b7053SJung-uk Kim /* 115*e71b7053SJung-uk Kim * Put the state machine into an error state and send an alert if appropriate. 116*e71b7053SJung-uk Kim * This is a permanent error for the current connection. 117*e71b7053SJung-uk Kim */ 118*e71b7053SJung-uk Kim void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file, 119*e71b7053SJung-uk Kim int line) 120*e71b7053SJung-uk Kim { 121*e71b7053SJung-uk Kim /* We shouldn't call SSLfatal() twice. Once is enough */ 122*e71b7053SJung-uk Kim assert(s->statem.state != MSG_FLOW_ERROR); 123*e71b7053SJung-uk Kim s->statem.in_init = 1; 124*e71b7053SJung-uk Kim s->statem.state = MSG_FLOW_ERROR; 125*e71b7053SJung-uk Kim ERR_put_error(ERR_LIB_SSL, func, reason, file, line); 126*e71b7053SJung-uk Kim if (al != SSL_AD_NO_ALERT 127*e71b7053SJung-uk Kim && s->statem.enc_write_state != ENC_WRITE_STATE_INVALID) 128*e71b7053SJung-uk Kim ssl3_send_alert(s, SSL3_AL_FATAL, al); 129*e71b7053SJung-uk Kim } 130*e71b7053SJung-uk Kim 131*e71b7053SJung-uk Kim /* 132*e71b7053SJung-uk Kim * This macro should only be called if we are already expecting to be in 133*e71b7053SJung-uk Kim * a fatal error state. We verify that we are, and set it if not (this would 134*e71b7053SJung-uk Kim * indicate a bug). 135*e71b7053SJung-uk Kim */ 136*e71b7053SJung-uk Kim #define check_fatal(s, f) \ 137*e71b7053SJung-uk Kim do { \ 138*e71b7053SJung-uk Kim if (!ossl_assert((s)->statem.in_init \ 139*e71b7053SJung-uk Kim && (s)->statem.state == MSG_FLOW_ERROR)) \ 140*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, (f), \ 141*e71b7053SJung-uk Kim SSL_R_MISSING_FATAL); \ 142*e71b7053SJung-uk Kim } while (0) 143*e71b7053SJung-uk Kim 144*e71b7053SJung-uk Kim /* 145*e71b7053SJung-uk Kim * Discover whether the current connection is in the error state. 146*e71b7053SJung-uk Kim * 147*e71b7053SJung-uk Kim * Valid return values are: 148*e71b7053SJung-uk Kim * 1: Yes 149*e71b7053SJung-uk Kim * 0: No 150*e71b7053SJung-uk Kim */ 151*e71b7053SJung-uk Kim int ossl_statem_in_error(const SSL *s) 152*e71b7053SJung-uk Kim { 153*e71b7053SJung-uk Kim if (s->statem.state == MSG_FLOW_ERROR) 154*e71b7053SJung-uk Kim return 1; 155*e71b7053SJung-uk Kim 156*e71b7053SJung-uk Kim return 0; 157*e71b7053SJung-uk Kim } 158*e71b7053SJung-uk Kim 159*e71b7053SJung-uk Kim void ossl_statem_set_in_init(SSL *s, int init) 160*e71b7053SJung-uk Kim { 161*e71b7053SJung-uk Kim s->statem.in_init = init; 162*e71b7053SJung-uk Kim } 163*e71b7053SJung-uk Kim 164*e71b7053SJung-uk Kim int ossl_statem_get_in_handshake(SSL *s) 165*e71b7053SJung-uk Kim { 166*e71b7053SJung-uk Kim return s->statem.in_handshake; 167*e71b7053SJung-uk Kim } 168*e71b7053SJung-uk Kim 169*e71b7053SJung-uk Kim void ossl_statem_set_in_handshake(SSL *s, int inhand) 170*e71b7053SJung-uk Kim { 171*e71b7053SJung-uk Kim if (inhand) 172*e71b7053SJung-uk Kim s->statem.in_handshake++; 173*e71b7053SJung-uk Kim else 174*e71b7053SJung-uk Kim s->statem.in_handshake--; 175*e71b7053SJung-uk Kim } 176*e71b7053SJung-uk Kim 177*e71b7053SJung-uk Kim /* Are we in a sensible state to skip over unreadable early data? */ 178*e71b7053SJung-uk Kim int ossl_statem_skip_early_data(SSL *s) 179*e71b7053SJung-uk Kim { 180*e71b7053SJung-uk Kim if (s->ext.early_data != SSL_EARLY_DATA_REJECTED) 181*e71b7053SJung-uk Kim return 0; 182*e71b7053SJung-uk Kim 183*e71b7053SJung-uk Kim if (!s->server 184*e71b7053SJung-uk Kim || s->statem.hand_state != TLS_ST_EARLY_DATA 185*e71b7053SJung-uk Kim || s->hello_retry_request == SSL_HRR_COMPLETE) 186*e71b7053SJung-uk Kim return 0; 187*e71b7053SJung-uk Kim 188*e71b7053SJung-uk Kim return 1; 189*e71b7053SJung-uk Kim } 190*e71b7053SJung-uk Kim 191*e71b7053SJung-uk Kim /* 192*e71b7053SJung-uk Kim * Called when we are in SSL_read*(), SSL_write*(), or SSL_accept() 193*e71b7053SJung-uk Kim * /SSL_connect()/SSL_do_handshake(). Used to test whether we are in an early 194*e71b7053SJung-uk Kim * data state and whether we should attempt to move the handshake on if so. 195*e71b7053SJung-uk Kim * |sending| is 1 if we are attempting to send data (SSL_write*()), 0 if we are 196*e71b7053SJung-uk Kim * attempting to read data (SSL_read*()), or -1 if we are in SSL_do_handshake() 197*e71b7053SJung-uk Kim * or similar. 198*e71b7053SJung-uk Kim */ 199*e71b7053SJung-uk Kim void ossl_statem_check_finish_init(SSL *s, int sending) 200*e71b7053SJung-uk Kim { 201*e71b7053SJung-uk Kim if (sending == -1) { 202*e71b7053SJung-uk Kim if (s->statem.hand_state == TLS_ST_PENDING_EARLY_DATA_END 203*e71b7053SJung-uk Kim || s->statem.hand_state == TLS_ST_EARLY_DATA) { 204*e71b7053SJung-uk Kim ossl_statem_set_in_init(s, 1); 205*e71b7053SJung-uk Kim if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY) { 206*e71b7053SJung-uk Kim /* 207*e71b7053SJung-uk Kim * SSL_connect() or SSL_do_handshake() has been called directly. 208*e71b7053SJung-uk Kim * We don't allow any more writing of early data. 209*e71b7053SJung-uk Kim */ 210*e71b7053SJung-uk Kim s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING; 211*e71b7053SJung-uk Kim } 212*e71b7053SJung-uk Kim } 213*e71b7053SJung-uk Kim } else if (!s->server) { 214*e71b7053SJung-uk Kim if ((sending && (s->statem.hand_state == TLS_ST_PENDING_EARLY_DATA_END 215*e71b7053SJung-uk Kim || s->statem.hand_state == TLS_ST_EARLY_DATA) 216*e71b7053SJung-uk Kim && s->early_data_state != SSL_EARLY_DATA_WRITING) 217*e71b7053SJung-uk Kim || (!sending && s->statem.hand_state == TLS_ST_EARLY_DATA)) { 218*e71b7053SJung-uk Kim ossl_statem_set_in_init(s, 1); 219*e71b7053SJung-uk Kim /* 220*e71b7053SJung-uk Kim * SSL_write() has been called directly. We don't allow any more 221*e71b7053SJung-uk Kim * writing of early data. 222*e71b7053SJung-uk Kim */ 223*e71b7053SJung-uk Kim if (sending && s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY) 224*e71b7053SJung-uk Kim s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING; 225*e71b7053SJung-uk Kim } 226*e71b7053SJung-uk Kim } else { 227*e71b7053SJung-uk Kim if (s->early_data_state == SSL_EARLY_DATA_FINISHED_READING 228*e71b7053SJung-uk Kim && s->statem.hand_state == TLS_ST_EARLY_DATA) 229*e71b7053SJung-uk Kim ossl_statem_set_in_init(s, 1); 230*e71b7053SJung-uk Kim } 231*e71b7053SJung-uk Kim } 232*e71b7053SJung-uk Kim 233*e71b7053SJung-uk Kim void ossl_statem_set_hello_verify_done(SSL *s) 234*e71b7053SJung-uk Kim { 235*e71b7053SJung-uk Kim s->statem.state = MSG_FLOW_UNINITED; 236*e71b7053SJung-uk Kim s->statem.in_init = 1; 237*e71b7053SJung-uk Kim /* 238*e71b7053SJung-uk Kim * This will get reset (briefly) back to TLS_ST_BEFORE when we enter 239*e71b7053SJung-uk Kim * state_machine() because |state| is MSG_FLOW_UNINITED, but until then any 240*e71b7053SJung-uk Kim * calls to SSL_in_before() will return false. Also calls to 241*e71b7053SJung-uk Kim * SSL_state_string() and SSL_state_string_long() will return something 242*e71b7053SJung-uk Kim * sensible. 243*e71b7053SJung-uk Kim */ 244*e71b7053SJung-uk Kim s->statem.hand_state = TLS_ST_SR_CLNT_HELLO; 245*e71b7053SJung-uk Kim } 246*e71b7053SJung-uk Kim 247*e71b7053SJung-uk Kim int ossl_statem_connect(SSL *s) 248*e71b7053SJung-uk Kim { 249*e71b7053SJung-uk Kim return state_machine(s, 0); 250*e71b7053SJung-uk Kim } 251*e71b7053SJung-uk Kim 252*e71b7053SJung-uk Kim int ossl_statem_accept(SSL *s) 253*e71b7053SJung-uk Kim { 254*e71b7053SJung-uk Kim return state_machine(s, 1); 255*e71b7053SJung-uk Kim } 256*e71b7053SJung-uk Kim 257*e71b7053SJung-uk Kim typedef void (*info_cb) (const SSL *, int, int); 258*e71b7053SJung-uk Kim 259*e71b7053SJung-uk Kim static info_cb get_callback(SSL *s) 260*e71b7053SJung-uk Kim { 261*e71b7053SJung-uk Kim if (s->info_callback != NULL) 262*e71b7053SJung-uk Kim return s->info_callback; 263*e71b7053SJung-uk Kim else if (s->ctx->info_callback != NULL) 264*e71b7053SJung-uk Kim return s->ctx->info_callback; 265*e71b7053SJung-uk Kim 266*e71b7053SJung-uk Kim return NULL; 267*e71b7053SJung-uk Kim } 268*e71b7053SJung-uk Kim 269*e71b7053SJung-uk Kim /* 270*e71b7053SJung-uk Kim * The main message flow state machine. We start in the MSG_FLOW_UNINITED or 271*e71b7053SJung-uk Kim * MSG_FLOW_FINISHED state and finish in MSG_FLOW_FINISHED. Valid states and 272*e71b7053SJung-uk Kim * transitions are as follows: 273*e71b7053SJung-uk Kim * 274*e71b7053SJung-uk Kim * MSG_FLOW_UNINITED MSG_FLOW_FINISHED 275*e71b7053SJung-uk Kim * | | 276*e71b7053SJung-uk Kim * +-----------------------+ 277*e71b7053SJung-uk Kim * v 278*e71b7053SJung-uk Kim * MSG_FLOW_WRITING <---> MSG_FLOW_READING 279*e71b7053SJung-uk Kim * | 280*e71b7053SJung-uk Kim * V 281*e71b7053SJung-uk Kim * MSG_FLOW_FINISHED 282*e71b7053SJung-uk Kim * | 283*e71b7053SJung-uk Kim * V 284*e71b7053SJung-uk Kim * [SUCCESS] 285*e71b7053SJung-uk Kim * 286*e71b7053SJung-uk Kim * We may exit at any point due to an error or NBIO event. If an NBIO event 287*e71b7053SJung-uk Kim * occurs then we restart at the point we left off when we are recalled. 288*e71b7053SJung-uk Kim * MSG_FLOW_WRITING and MSG_FLOW_READING have sub-state machines associated with them. 289*e71b7053SJung-uk Kim * 290*e71b7053SJung-uk Kim * In addition to the above there is also the MSG_FLOW_ERROR state. We can move 291*e71b7053SJung-uk Kim * into that state at any point in the event that an irrecoverable error occurs. 292*e71b7053SJung-uk Kim * 293*e71b7053SJung-uk Kim * Valid return values are: 294*e71b7053SJung-uk Kim * 1: Success 295*e71b7053SJung-uk Kim * <=0: NBIO or error 296*e71b7053SJung-uk Kim */ 297*e71b7053SJung-uk Kim static int state_machine(SSL *s, int server) 298*e71b7053SJung-uk Kim { 299*e71b7053SJung-uk Kim BUF_MEM *buf = NULL; 300*e71b7053SJung-uk Kim void (*cb) (const SSL *ssl, int type, int val) = NULL; 301*e71b7053SJung-uk Kim OSSL_STATEM *st = &s->statem; 302*e71b7053SJung-uk Kim int ret = -1; 303*e71b7053SJung-uk Kim int ssret; 304*e71b7053SJung-uk Kim 305*e71b7053SJung-uk Kim if (st->state == MSG_FLOW_ERROR) { 306*e71b7053SJung-uk Kim /* Shouldn't have been called if we're already in the error state */ 307*e71b7053SJung-uk Kim return -1; 308*e71b7053SJung-uk Kim } 309*e71b7053SJung-uk Kim 310*e71b7053SJung-uk Kim ERR_clear_error(); 311*e71b7053SJung-uk Kim clear_sys_error(); 312*e71b7053SJung-uk Kim 313*e71b7053SJung-uk Kim cb = get_callback(s); 314*e71b7053SJung-uk Kim 315*e71b7053SJung-uk Kim st->in_handshake++; 316*e71b7053SJung-uk Kim if (!SSL_in_init(s) || SSL_in_before(s)) { 317*e71b7053SJung-uk Kim /* 318*e71b7053SJung-uk Kim * If we are stateless then we already called SSL_clear() - don't do 319*e71b7053SJung-uk Kim * it again and clear the STATELESS flag itself. 320*e71b7053SJung-uk Kim */ 321*e71b7053SJung-uk Kim if ((s->s3->flags & TLS1_FLAGS_STATELESS) == 0 && !SSL_clear(s)) 322*e71b7053SJung-uk Kim return -1; 323*e71b7053SJung-uk Kim } 324*e71b7053SJung-uk Kim #ifndef OPENSSL_NO_SCTP 325*e71b7053SJung-uk Kim if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) { 326*e71b7053SJung-uk Kim /* 327*e71b7053SJung-uk Kim * Notify SCTP BIO socket to enter handshake mode and prevent stream 328*e71b7053SJung-uk Kim * identifier other than 0. 329*e71b7053SJung-uk Kim */ 330*e71b7053SJung-uk Kim BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, 331*e71b7053SJung-uk Kim st->in_handshake, NULL); 332*e71b7053SJung-uk Kim } 333*e71b7053SJung-uk Kim #endif 334*e71b7053SJung-uk Kim 335*e71b7053SJung-uk Kim /* Initialise state machine */ 336*e71b7053SJung-uk Kim if (st->state == MSG_FLOW_UNINITED 337*e71b7053SJung-uk Kim || st->state == MSG_FLOW_FINISHED) { 338*e71b7053SJung-uk Kim if (st->state == MSG_FLOW_UNINITED) { 339*e71b7053SJung-uk Kim st->hand_state = TLS_ST_BEFORE; 340*e71b7053SJung-uk Kim st->request_state = TLS_ST_BEFORE; 341*e71b7053SJung-uk Kim } 342*e71b7053SJung-uk Kim 343*e71b7053SJung-uk Kim s->server = server; 344*e71b7053SJung-uk Kim if (cb != NULL) 345*e71b7053SJung-uk Kim cb(s, SSL_CB_HANDSHAKE_START, 1); 346*e71b7053SJung-uk Kim 347*e71b7053SJung-uk Kim /* 348*e71b7053SJung-uk Kim * Fatal errors in this block don't send an alert because we have 349*e71b7053SJung-uk Kim * failed to even initialise properly. Sending an alert is probably 350*e71b7053SJung-uk Kim * doomed to failure. 351*e71b7053SJung-uk Kim */ 352*e71b7053SJung-uk Kim 353*e71b7053SJung-uk Kim if (SSL_IS_DTLS(s)) { 354*e71b7053SJung-uk Kim if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00) && 355*e71b7053SJung-uk Kim (server || (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00))) { 356*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE, 357*e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 358*e71b7053SJung-uk Kim goto end; 359*e71b7053SJung-uk Kim } 360*e71b7053SJung-uk Kim } else { 361*e71b7053SJung-uk Kim if ((s->version >> 8) != SSL3_VERSION_MAJOR) { 362*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE, 363*e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 364*e71b7053SJung-uk Kim goto end; 365*e71b7053SJung-uk Kim } 366*e71b7053SJung-uk Kim } 367*e71b7053SJung-uk Kim 368*e71b7053SJung-uk Kim if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) { 369*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE, 370*e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 371*e71b7053SJung-uk Kim goto end; 372*e71b7053SJung-uk Kim } 373*e71b7053SJung-uk Kim 374*e71b7053SJung-uk Kim if (s->init_buf == NULL) { 375*e71b7053SJung-uk Kim if ((buf = BUF_MEM_new()) == NULL) { 376*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE, 377*e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 378*e71b7053SJung-uk Kim goto end; 379*e71b7053SJung-uk Kim } 380*e71b7053SJung-uk Kim if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) { 381*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE, 382*e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 383*e71b7053SJung-uk Kim goto end; 384*e71b7053SJung-uk Kim } 385*e71b7053SJung-uk Kim s->init_buf = buf; 386*e71b7053SJung-uk Kim buf = NULL; 387*e71b7053SJung-uk Kim } 388*e71b7053SJung-uk Kim 389*e71b7053SJung-uk Kim if (!ssl3_setup_buffers(s)) { 390*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE, 391*e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 392*e71b7053SJung-uk Kim goto end; 393*e71b7053SJung-uk Kim } 394*e71b7053SJung-uk Kim s->init_num = 0; 395*e71b7053SJung-uk Kim 396*e71b7053SJung-uk Kim /* 397*e71b7053SJung-uk Kim * Should have been reset by tls_process_finished, too. 398*e71b7053SJung-uk Kim */ 399*e71b7053SJung-uk Kim s->s3->change_cipher_spec = 0; 400*e71b7053SJung-uk Kim 401*e71b7053SJung-uk Kim /* 402*e71b7053SJung-uk Kim * Ok, we now need to push on a buffering BIO ...but not with 403*e71b7053SJung-uk Kim * SCTP 404*e71b7053SJung-uk Kim */ 405*e71b7053SJung-uk Kim #ifndef OPENSSL_NO_SCTP 406*e71b7053SJung-uk Kim if (!SSL_IS_DTLS(s) || !BIO_dgram_is_sctp(SSL_get_wbio(s))) 407*e71b7053SJung-uk Kim #endif 408*e71b7053SJung-uk Kim if (!ssl_init_wbio_buffer(s)) { 409*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE, 410*e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 411*e71b7053SJung-uk Kim goto end; 412*e71b7053SJung-uk Kim } 413*e71b7053SJung-uk Kim 414*e71b7053SJung-uk Kim if ((SSL_in_before(s)) 415*e71b7053SJung-uk Kim || s->renegotiate) { 416*e71b7053SJung-uk Kim if (!tls_setup_handshake(s)) { 417*e71b7053SJung-uk Kim /* SSLfatal() already called */ 418*e71b7053SJung-uk Kim goto end; 419*e71b7053SJung-uk Kim } 420*e71b7053SJung-uk Kim 421*e71b7053SJung-uk Kim if (SSL_IS_FIRST_HANDSHAKE(s)) 422*e71b7053SJung-uk Kim st->read_state_first_init = 1; 423*e71b7053SJung-uk Kim } 424*e71b7053SJung-uk Kim 425*e71b7053SJung-uk Kim st->state = MSG_FLOW_WRITING; 426*e71b7053SJung-uk Kim init_write_state_machine(s); 427*e71b7053SJung-uk Kim } 428*e71b7053SJung-uk Kim 429*e71b7053SJung-uk Kim while (st->state != MSG_FLOW_FINISHED) { 430*e71b7053SJung-uk Kim if (st->state == MSG_FLOW_READING) { 431*e71b7053SJung-uk Kim ssret = read_state_machine(s); 432*e71b7053SJung-uk Kim if (ssret == SUB_STATE_FINISHED) { 433*e71b7053SJung-uk Kim st->state = MSG_FLOW_WRITING; 434*e71b7053SJung-uk Kim init_write_state_machine(s); 435*e71b7053SJung-uk Kim } else { 436*e71b7053SJung-uk Kim /* NBIO or error */ 437*e71b7053SJung-uk Kim goto end; 438*e71b7053SJung-uk Kim } 439*e71b7053SJung-uk Kim } else if (st->state == MSG_FLOW_WRITING) { 440*e71b7053SJung-uk Kim ssret = write_state_machine(s); 441*e71b7053SJung-uk Kim if (ssret == SUB_STATE_FINISHED) { 442*e71b7053SJung-uk Kim st->state = MSG_FLOW_READING; 443*e71b7053SJung-uk Kim init_read_state_machine(s); 444*e71b7053SJung-uk Kim } else if (ssret == SUB_STATE_END_HANDSHAKE) { 445*e71b7053SJung-uk Kim st->state = MSG_FLOW_FINISHED; 446*e71b7053SJung-uk Kim } else { 447*e71b7053SJung-uk Kim /* NBIO or error */ 448*e71b7053SJung-uk Kim goto end; 449*e71b7053SJung-uk Kim } 450*e71b7053SJung-uk Kim } else { 451*e71b7053SJung-uk Kim /* Error */ 452*e71b7053SJung-uk Kim check_fatal(s, SSL_F_STATE_MACHINE); 453*e71b7053SJung-uk Kim SSLerr(SSL_F_STATE_MACHINE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 454*e71b7053SJung-uk Kim goto end; 455*e71b7053SJung-uk Kim } 456*e71b7053SJung-uk Kim } 457*e71b7053SJung-uk Kim 458*e71b7053SJung-uk Kim ret = 1; 459*e71b7053SJung-uk Kim 460*e71b7053SJung-uk Kim end: 461*e71b7053SJung-uk Kim st->in_handshake--; 462*e71b7053SJung-uk Kim 463*e71b7053SJung-uk Kim #ifndef OPENSSL_NO_SCTP 464*e71b7053SJung-uk Kim if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) { 465*e71b7053SJung-uk Kim /* 466*e71b7053SJung-uk Kim * Notify SCTP BIO socket to leave handshake mode and allow stream 467*e71b7053SJung-uk Kim * identifier other than 0. 468*e71b7053SJung-uk Kim */ 469*e71b7053SJung-uk Kim BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, 470*e71b7053SJung-uk Kim st->in_handshake, NULL); 471*e71b7053SJung-uk Kim } 472*e71b7053SJung-uk Kim #endif 473*e71b7053SJung-uk Kim 474*e71b7053SJung-uk Kim BUF_MEM_free(buf); 475*e71b7053SJung-uk Kim if (cb != NULL) { 476*e71b7053SJung-uk Kim if (server) 477*e71b7053SJung-uk Kim cb(s, SSL_CB_ACCEPT_EXIT, ret); 478*e71b7053SJung-uk Kim else 479*e71b7053SJung-uk Kim cb(s, SSL_CB_CONNECT_EXIT, ret); 480*e71b7053SJung-uk Kim } 481*e71b7053SJung-uk Kim return ret; 482*e71b7053SJung-uk Kim } 483*e71b7053SJung-uk Kim 484*e71b7053SJung-uk Kim /* 485*e71b7053SJung-uk Kim * Initialise the MSG_FLOW_READING sub-state machine 486*e71b7053SJung-uk Kim */ 487*e71b7053SJung-uk Kim static void init_read_state_machine(SSL *s) 488*e71b7053SJung-uk Kim { 489*e71b7053SJung-uk Kim OSSL_STATEM *st = &s->statem; 490*e71b7053SJung-uk Kim 491*e71b7053SJung-uk Kim st->read_state = READ_STATE_HEADER; 492*e71b7053SJung-uk Kim } 493*e71b7053SJung-uk Kim 494*e71b7053SJung-uk Kim static int grow_init_buf(SSL *s, size_t size) { 495*e71b7053SJung-uk Kim 496*e71b7053SJung-uk Kim size_t msg_offset = (char *)s->init_msg - s->init_buf->data; 497*e71b7053SJung-uk Kim 498*e71b7053SJung-uk Kim if (!BUF_MEM_grow_clean(s->init_buf, (int)size)) 499*e71b7053SJung-uk Kim return 0; 500*e71b7053SJung-uk Kim 501*e71b7053SJung-uk Kim if (size < msg_offset) 502*e71b7053SJung-uk Kim return 0; 503*e71b7053SJung-uk Kim 504*e71b7053SJung-uk Kim s->init_msg = s->init_buf->data + msg_offset; 505*e71b7053SJung-uk Kim 506*e71b7053SJung-uk Kim return 1; 507*e71b7053SJung-uk Kim } 508*e71b7053SJung-uk Kim 509*e71b7053SJung-uk Kim /* 510*e71b7053SJung-uk Kim * This function implements the sub-state machine when the message flow is in 511*e71b7053SJung-uk Kim * MSG_FLOW_READING. The valid sub-states and transitions are: 512*e71b7053SJung-uk Kim * 513*e71b7053SJung-uk Kim * READ_STATE_HEADER <--+<-------------+ 514*e71b7053SJung-uk Kim * | | | 515*e71b7053SJung-uk Kim * v | | 516*e71b7053SJung-uk Kim * READ_STATE_BODY -----+-->READ_STATE_POST_PROCESS 517*e71b7053SJung-uk Kim * | | 518*e71b7053SJung-uk Kim * +----------------------------+ 519*e71b7053SJung-uk Kim * v 520*e71b7053SJung-uk Kim * [SUB_STATE_FINISHED] 521*e71b7053SJung-uk Kim * 522*e71b7053SJung-uk Kim * READ_STATE_HEADER has the responsibility for reading in the message header 523*e71b7053SJung-uk Kim * and transitioning the state of the handshake state machine. 524*e71b7053SJung-uk Kim * 525*e71b7053SJung-uk Kim * READ_STATE_BODY reads in the rest of the message and then subsequently 526*e71b7053SJung-uk Kim * processes it. 527*e71b7053SJung-uk Kim * 528*e71b7053SJung-uk Kim * READ_STATE_POST_PROCESS is an optional step that may occur if some post 529*e71b7053SJung-uk Kim * processing activity performed on the message may block. 530*e71b7053SJung-uk Kim * 531*e71b7053SJung-uk Kim * Any of the above states could result in an NBIO event occurring in which case 532*e71b7053SJung-uk Kim * control returns to the calling application. When this function is recalled we 533*e71b7053SJung-uk Kim * will resume in the same state where we left off. 534*e71b7053SJung-uk Kim */ 535*e71b7053SJung-uk Kim static SUB_STATE_RETURN read_state_machine(SSL *s) 536*e71b7053SJung-uk Kim { 537*e71b7053SJung-uk Kim OSSL_STATEM *st = &s->statem; 538*e71b7053SJung-uk Kim int ret, mt; 539*e71b7053SJung-uk Kim size_t len = 0; 540*e71b7053SJung-uk Kim int (*transition) (SSL *s, int mt); 541*e71b7053SJung-uk Kim PACKET pkt; 542*e71b7053SJung-uk Kim MSG_PROCESS_RETURN(*process_message) (SSL *s, PACKET *pkt); 543*e71b7053SJung-uk Kim WORK_STATE(*post_process_message) (SSL *s, WORK_STATE wst); 544*e71b7053SJung-uk Kim size_t (*max_message_size) (SSL *s); 545*e71b7053SJung-uk Kim void (*cb) (const SSL *ssl, int type, int val) = NULL; 546*e71b7053SJung-uk Kim 547*e71b7053SJung-uk Kim cb = get_callback(s); 548*e71b7053SJung-uk Kim 549*e71b7053SJung-uk Kim if (s->server) { 550*e71b7053SJung-uk Kim transition = ossl_statem_server_read_transition; 551*e71b7053SJung-uk Kim process_message = ossl_statem_server_process_message; 552*e71b7053SJung-uk Kim max_message_size = ossl_statem_server_max_message_size; 553*e71b7053SJung-uk Kim post_process_message = ossl_statem_server_post_process_message; 554*e71b7053SJung-uk Kim } else { 555*e71b7053SJung-uk Kim transition = ossl_statem_client_read_transition; 556*e71b7053SJung-uk Kim process_message = ossl_statem_client_process_message; 557*e71b7053SJung-uk Kim max_message_size = ossl_statem_client_max_message_size; 558*e71b7053SJung-uk Kim post_process_message = ossl_statem_client_post_process_message; 559*e71b7053SJung-uk Kim } 560*e71b7053SJung-uk Kim 561*e71b7053SJung-uk Kim if (st->read_state_first_init) { 562*e71b7053SJung-uk Kim s->first_packet = 1; 563*e71b7053SJung-uk Kim st->read_state_first_init = 0; 564*e71b7053SJung-uk Kim } 565*e71b7053SJung-uk Kim 566*e71b7053SJung-uk Kim while (1) { 567*e71b7053SJung-uk Kim switch (st->read_state) { 568*e71b7053SJung-uk Kim case READ_STATE_HEADER: 569*e71b7053SJung-uk Kim /* Get the state the peer wants to move to */ 570*e71b7053SJung-uk Kim if (SSL_IS_DTLS(s)) { 571*e71b7053SJung-uk Kim /* 572*e71b7053SJung-uk Kim * In DTLS we get the whole message in one go - header and body 573*e71b7053SJung-uk Kim */ 574*e71b7053SJung-uk Kim ret = dtls_get_message(s, &mt, &len); 575*e71b7053SJung-uk Kim } else { 576*e71b7053SJung-uk Kim ret = tls_get_message_header(s, &mt); 577*e71b7053SJung-uk Kim } 578*e71b7053SJung-uk Kim 579*e71b7053SJung-uk Kim if (ret == 0) { 580*e71b7053SJung-uk Kim /* Could be non-blocking IO */ 581*e71b7053SJung-uk Kim return SUB_STATE_ERROR; 582*e71b7053SJung-uk Kim } 583*e71b7053SJung-uk Kim 584*e71b7053SJung-uk Kim if (cb != NULL) { 585*e71b7053SJung-uk Kim /* Notify callback of an impending state change */ 586*e71b7053SJung-uk Kim if (s->server) 587*e71b7053SJung-uk Kim cb(s, SSL_CB_ACCEPT_LOOP, 1); 588*e71b7053SJung-uk Kim else 589*e71b7053SJung-uk Kim cb(s, SSL_CB_CONNECT_LOOP, 1); 590*e71b7053SJung-uk Kim } 591*e71b7053SJung-uk Kim /* 592*e71b7053SJung-uk Kim * Validate that we are allowed to move to the new state and move 593*e71b7053SJung-uk Kim * to that state if so 594*e71b7053SJung-uk Kim */ 595*e71b7053SJung-uk Kim if (!transition(s, mt)) 596*e71b7053SJung-uk Kim return SUB_STATE_ERROR; 597*e71b7053SJung-uk Kim 598*e71b7053SJung-uk Kim if (s->s3->tmp.message_size > max_message_size(s)) { 599*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_READ_STATE_MACHINE, 600*e71b7053SJung-uk Kim SSL_R_EXCESSIVE_MESSAGE_SIZE); 601*e71b7053SJung-uk Kim return SUB_STATE_ERROR; 602*e71b7053SJung-uk Kim } 603*e71b7053SJung-uk Kim 604*e71b7053SJung-uk Kim /* dtls_get_message already did this */ 605*e71b7053SJung-uk Kim if (!SSL_IS_DTLS(s) 606*e71b7053SJung-uk Kim && s->s3->tmp.message_size > 0 607*e71b7053SJung-uk Kim && !grow_init_buf(s, s->s3->tmp.message_size 608*e71b7053SJung-uk Kim + SSL3_HM_HEADER_LENGTH)) { 609*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_READ_STATE_MACHINE, 610*e71b7053SJung-uk Kim ERR_R_BUF_LIB); 611*e71b7053SJung-uk Kim return SUB_STATE_ERROR; 612*e71b7053SJung-uk Kim } 613*e71b7053SJung-uk Kim 614*e71b7053SJung-uk Kim st->read_state = READ_STATE_BODY; 615*e71b7053SJung-uk Kim /* Fall through */ 616*e71b7053SJung-uk Kim 617*e71b7053SJung-uk Kim case READ_STATE_BODY: 618*e71b7053SJung-uk Kim if (!SSL_IS_DTLS(s)) { 619*e71b7053SJung-uk Kim /* We already got this above for DTLS */ 620*e71b7053SJung-uk Kim ret = tls_get_message_body(s, &len); 621*e71b7053SJung-uk Kim if (ret == 0) { 622*e71b7053SJung-uk Kim /* Could be non-blocking IO */ 623*e71b7053SJung-uk Kim return SUB_STATE_ERROR; 624*e71b7053SJung-uk Kim } 625*e71b7053SJung-uk Kim } 626*e71b7053SJung-uk Kim 627*e71b7053SJung-uk Kim s->first_packet = 0; 628*e71b7053SJung-uk Kim if (!PACKET_buf_init(&pkt, s->init_msg, len)) { 629*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_READ_STATE_MACHINE, 630*e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 631*e71b7053SJung-uk Kim return SUB_STATE_ERROR; 632*e71b7053SJung-uk Kim } 633*e71b7053SJung-uk Kim ret = process_message(s, &pkt); 634*e71b7053SJung-uk Kim 635*e71b7053SJung-uk Kim /* Discard the packet data */ 636*e71b7053SJung-uk Kim s->init_num = 0; 637*e71b7053SJung-uk Kim 638*e71b7053SJung-uk Kim switch (ret) { 639*e71b7053SJung-uk Kim case MSG_PROCESS_ERROR: 640*e71b7053SJung-uk Kim check_fatal(s, SSL_F_READ_STATE_MACHINE); 641*e71b7053SJung-uk Kim return SUB_STATE_ERROR; 642*e71b7053SJung-uk Kim 643*e71b7053SJung-uk Kim case MSG_PROCESS_FINISHED_READING: 644*e71b7053SJung-uk Kim if (SSL_IS_DTLS(s)) { 645*e71b7053SJung-uk Kim dtls1_stop_timer(s); 646*e71b7053SJung-uk Kim } 647*e71b7053SJung-uk Kim return SUB_STATE_FINISHED; 648*e71b7053SJung-uk Kim 649*e71b7053SJung-uk Kim case MSG_PROCESS_CONTINUE_PROCESSING: 650*e71b7053SJung-uk Kim st->read_state = READ_STATE_POST_PROCESS; 651*e71b7053SJung-uk Kim st->read_state_work = WORK_MORE_A; 652*e71b7053SJung-uk Kim break; 653*e71b7053SJung-uk Kim 654*e71b7053SJung-uk Kim default: 655*e71b7053SJung-uk Kim st->read_state = READ_STATE_HEADER; 656*e71b7053SJung-uk Kim break; 657*e71b7053SJung-uk Kim } 658*e71b7053SJung-uk Kim break; 659*e71b7053SJung-uk Kim 660*e71b7053SJung-uk Kim case READ_STATE_POST_PROCESS: 661*e71b7053SJung-uk Kim st->read_state_work = post_process_message(s, st->read_state_work); 662*e71b7053SJung-uk Kim switch (st->read_state_work) { 663*e71b7053SJung-uk Kim case WORK_ERROR: 664*e71b7053SJung-uk Kim check_fatal(s, SSL_F_READ_STATE_MACHINE); 665*e71b7053SJung-uk Kim /* Fall through */ 666*e71b7053SJung-uk Kim case WORK_MORE_A: 667*e71b7053SJung-uk Kim case WORK_MORE_B: 668*e71b7053SJung-uk Kim case WORK_MORE_C: 669*e71b7053SJung-uk Kim return SUB_STATE_ERROR; 670*e71b7053SJung-uk Kim 671*e71b7053SJung-uk Kim case WORK_FINISHED_CONTINUE: 672*e71b7053SJung-uk Kim st->read_state = READ_STATE_HEADER; 673*e71b7053SJung-uk Kim break; 674*e71b7053SJung-uk Kim 675*e71b7053SJung-uk Kim case WORK_FINISHED_STOP: 676*e71b7053SJung-uk Kim if (SSL_IS_DTLS(s)) { 677*e71b7053SJung-uk Kim dtls1_stop_timer(s); 678*e71b7053SJung-uk Kim } 679*e71b7053SJung-uk Kim return SUB_STATE_FINISHED; 680*e71b7053SJung-uk Kim } 681*e71b7053SJung-uk Kim break; 682*e71b7053SJung-uk Kim 683*e71b7053SJung-uk Kim default: 684*e71b7053SJung-uk Kim /* Shouldn't happen */ 685*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_READ_STATE_MACHINE, 686*e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 687*e71b7053SJung-uk Kim return SUB_STATE_ERROR; 688*e71b7053SJung-uk Kim } 689*e71b7053SJung-uk Kim } 690*e71b7053SJung-uk Kim } 691*e71b7053SJung-uk Kim 692*e71b7053SJung-uk Kim /* 693*e71b7053SJung-uk Kim * Send a previously constructed message to the peer. 694*e71b7053SJung-uk Kim */ 695*e71b7053SJung-uk Kim static int statem_do_write(SSL *s) 696*e71b7053SJung-uk Kim { 697*e71b7053SJung-uk Kim OSSL_STATEM *st = &s->statem; 698*e71b7053SJung-uk Kim 699*e71b7053SJung-uk Kim if (st->hand_state == TLS_ST_CW_CHANGE 700*e71b7053SJung-uk Kim || st->hand_state == TLS_ST_SW_CHANGE) { 701*e71b7053SJung-uk Kim if (SSL_IS_DTLS(s)) 702*e71b7053SJung-uk Kim return dtls1_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC); 703*e71b7053SJung-uk Kim else 704*e71b7053SJung-uk Kim return ssl3_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC); 705*e71b7053SJung-uk Kim } else { 706*e71b7053SJung-uk Kim return ssl_do_write(s); 707*e71b7053SJung-uk Kim } 708*e71b7053SJung-uk Kim } 709*e71b7053SJung-uk Kim 710*e71b7053SJung-uk Kim /* 711*e71b7053SJung-uk Kim * Initialise the MSG_FLOW_WRITING sub-state machine 712*e71b7053SJung-uk Kim */ 713*e71b7053SJung-uk Kim static void init_write_state_machine(SSL *s) 714*e71b7053SJung-uk Kim { 715*e71b7053SJung-uk Kim OSSL_STATEM *st = &s->statem; 716*e71b7053SJung-uk Kim 717*e71b7053SJung-uk Kim st->write_state = WRITE_STATE_TRANSITION; 718*e71b7053SJung-uk Kim } 719*e71b7053SJung-uk Kim 720*e71b7053SJung-uk Kim /* 721*e71b7053SJung-uk Kim * This function implements the sub-state machine when the message flow is in 722*e71b7053SJung-uk Kim * MSG_FLOW_WRITING. The valid sub-states and transitions are: 723*e71b7053SJung-uk Kim * 724*e71b7053SJung-uk Kim * +-> WRITE_STATE_TRANSITION ------> [SUB_STATE_FINISHED] 725*e71b7053SJung-uk Kim * | | 726*e71b7053SJung-uk Kim * | v 727*e71b7053SJung-uk Kim * | WRITE_STATE_PRE_WORK -----> [SUB_STATE_END_HANDSHAKE] 728*e71b7053SJung-uk Kim * | | 729*e71b7053SJung-uk Kim * | v 730*e71b7053SJung-uk Kim * | WRITE_STATE_SEND 731*e71b7053SJung-uk Kim * | | 732*e71b7053SJung-uk Kim * | v 733*e71b7053SJung-uk Kim * | WRITE_STATE_POST_WORK 734*e71b7053SJung-uk Kim * | | 735*e71b7053SJung-uk Kim * +-------------+ 736*e71b7053SJung-uk Kim * 737*e71b7053SJung-uk Kim * WRITE_STATE_TRANSITION transitions the state of the handshake state machine 738*e71b7053SJung-uk Kim 739*e71b7053SJung-uk Kim * WRITE_STATE_PRE_WORK performs any work necessary to prepare the later 740*e71b7053SJung-uk Kim * sending of the message. This could result in an NBIO event occurring in 741*e71b7053SJung-uk Kim * which case control returns to the calling application. When this function 742*e71b7053SJung-uk Kim * is recalled we will resume in the same state where we left off. 743*e71b7053SJung-uk Kim * 744*e71b7053SJung-uk Kim * WRITE_STATE_SEND sends the message and performs any work to be done after 745*e71b7053SJung-uk Kim * sending. 746*e71b7053SJung-uk Kim * 747*e71b7053SJung-uk Kim * WRITE_STATE_POST_WORK performs any work necessary after the sending of the 748*e71b7053SJung-uk Kim * message has been completed. As for WRITE_STATE_PRE_WORK this could also 749*e71b7053SJung-uk Kim * result in an NBIO event. 750*e71b7053SJung-uk Kim */ 751*e71b7053SJung-uk Kim static SUB_STATE_RETURN write_state_machine(SSL *s) 752*e71b7053SJung-uk Kim { 753*e71b7053SJung-uk Kim OSSL_STATEM *st = &s->statem; 754*e71b7053SJung-uk Kim int ret; 755*e71b7053SJung-uk Kim WRITE_TRAN(*transition) (SSL *s); 756*e71b7053SJung-uk Kim WORK_STATE(*pre_work) (SSL *s, WORK_STATE wst); 757*e71b7053SJung-uk Kim WORK_STATE(*post_work) (SSL *s, WORK_STATE wst); 758*e71b7053SJung-uk Kim int (*get_construct_message_f) (SSL *s, WPACKET *pkt, 759*e71b7053SJung-uk Kim int (**confunc) (SSL *s, WPACKET *pkt), 760*e71b7053SJung-uk Kim int *mt); 761*e71b7053SJung-uk Kim void (*cb) (const SSL *ssl, int type, int val) = NULL; 762*e71b7053SJung-uk Kim int (*confunc) (SSL *s, WPACKET *pkt); 763*e71b7053SJung-uk Kim int mt; 764*e71b7053SJung-uk Kim WPACKET pkt; 765*e71b7053SJung-uk Kim 766*e71b7053SJung-uk Kim cb = get_callback(s); 767*e71b7053SJung-uk Kim 768*e71b7053SJung-uk Kim if (s->server) { 769*e71b7053SJung-uk Kim transition = ossl_statem_server_write_transition; 770*e71b7053SJung-uk Kim pre_work = ossl_statem_server_pre_work; 771*e71b7053SJung-uk Kim post_work = ossl_statem_server_post_work; 772*e71b7053SJung-uk Kim get_construct_message_f = ossl_statem_server_construct_message; 773*e71b7053SJung-uk Kim } else { 774*e71b7053SJung-uk Kim transition = ossl_statem_client_write_transition; 775*e71b7053SJung-uk Kim pre_work = ossl_statem_client_pre_work; 776*e71b7053SJung-uk Kim post_work = ossl_statem_client_post_work; 777*e71b7053SJung-uk Kim get_construct_message_f = ossl_statem_client_construct_message; 778*e71b7053SJung-uk Kim } 779*e71b7053SJung-uk Kim 780*e71b7053SJung-uk Kim while (1) { 781*e71b7053SJung-uk Kim switch (st->write_state) { 782*e71b7053SJung-uk Kim case WRITE_STATE_TRANSITION: 783*e71b7053SJung-uk Kim if (cb != NULL) { 784*e71b7053SJung-uk Kim /* Notify callback of an impending state change */ 785*e71b7053SJung-uk Kim if (s->server) 786*e71b7053SJung-uk Kim cb(s, SSL_CB_ACCEPT_LOOP, 1); 787*e71b7053SJung-uk Kim else 788*e71b7053SJung-uk Kim cb(s, SSL_CB_CONNECT_LOOP, 1); 789*e71b7053SJung-uk Kim } 790*e71b7053SJung-uk Kim switch (transition(s)) { 791*e71b7053SJung-uk Kim case WRITE_TRAN_CONTINUE: 792*e71b7053SJung-uk Kim st->write_state = WRITE_STATE_PRE_WORK; 793*e71b7053SJung-uk Kim st->write_state_work = WORK_MORE_A; 794*e71b7053SJung-uk Kim break; 795*e71b7053SJung-uk Kim 796*e71b7053SJung-uk Kim case WRITE_TRAN_FINISHED: 797*e71b7053SJung-uk Kim return SUB_STATE_FINISHED; 798*e71b7053SJung-uk Kim break; 799*e71b7053SJung-uk Kim 800*e71b7053SJung-uk Kim case WRITE_TRAN_ERROR: 801*e71b7053SJung-uk Kim check_fatal(s, SSL_F_WRITE_STATE_MACHINE); 802*e71b7053SJung-uk Kim return SUB_STATE_ERROR; 803*e71b7053SJung-uk Kim } 804*e71b7053SJung-uk Kim break; 805*e71b7053SJung-uk Kim 806*e71b7053SJung-uk Kim case WRITE_STATE_PRE_WORK: 807*e71b7053SJung-uk Kim switch (st->write_state_work = pre_work(s, st->write_state_work)) { 808*e71b7053SJung-uk Kim case WORK_ERROR: 809*e71b7053SJung-uk Kim check_fatal(s, SSL_F_WRITE_STATE_MACHINE); 810*e71b7053SJung-uk Kim /* Fall through */ 811*e71b7053SJung-uk Kim case WORK_MORE_A: 812*e71b7053SJung-uk Kim case WORK_MORE_B: 813*e71b7053SJung-uk Kim case WORK_MORE_C: 814*e71b7053SJung-uk Kim return SUB_STATE_ERROR; 815*e71b7053SJung-uk Kim 816*e71b7053SJung-uk Kim case WORK_FINISHED_CONTINUE: 817*e71b7053SJung-uk Kim st->write_state = WRITE_STATE_SEND; 818*e71b7053SJung-uk Kim break; 819*e71b7053SJung-uk Kim 820*e71b7053SJung-uk Kim case WORK_FINISHED_STOP: 821*e71b7053SJung-uk Kim return SUB_STATE_END_HANDSHAKE; 822*e71b7053SJung-uk Kim } 823*e71b7053SJung-uk Kim if (!get_construct_message_f(s, &pkt, &confunc, &mt)) { 824*e71b7053SJung-uk Kim /* SSLfatal() already called */ 825*e71b7053SJung-uk Kim return SUB_STATE_ERROR; 826*e71b7053SJung-uk Kim } 827*e71b7053SJung-uk Kim if (mt == SSL3_MT_DUMMY) { 828*e71b7053SJung-uk Kim /* Skip construction and sending. This isn't a "real" state */ 829*e71b7053SJung-uk Kim st->write_state = WRITE_STATE_POST_WORK; 830*e71b7053SJung-uk Kim st->write_state_work = WORK_MORE_A; 831*e71b7053SJung-uk Kim break; 832*e71b7053SJung-uk Kim } 833*e71b7053SJung-uk Kim if (!WPACKET_init(&pkt, s->init_buf) 834*e71b7053SJung-uk Kim || !ssl_set_handshake_header(s, &pkt, mt)) { 835*e71b7053SJung-uk Kim WPACKET_cleanup(&pkt); 836*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_WRITE_STATE_MACHINE, 837*e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 838*e71b7053SJung-uk Kim return SUB_STATE_ERROR; 839*e71b7053SJung-uk Kim } 840*e71b7053SJung-uk Kim if (confunc != NULL && !confunc(s, &pkt)) { 841*e71b7053SJung-uk Kim WPACKET_cleanup(&pkt); 842*e71b7053SJung-uk Kim check_fatal(s, SSL_F_WRITE_STATE_MACHINE); 843*e71b7053SJung-uk Kim return SUB_STATE_ERROR; 844*e71b7053SJung-uk Kim } 845*e71b7053SJung-uk Kim if (!ssl_close_construct_packet(s, &pkt, mt) 846*e71b7053SJung-uk Kim || !WPACKET_finish(&pkt)) { 847*e71b7053SJung-uk Kim WPACKET_cleanup(&pkt); 848*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_WRITE_STATE_MACHINE, 849*e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 850*e71b7053SJung-uk Kim return SUB_STATE_ERROR; 851*e71b7053SJung-uk Kim } 852*e71b7053SJung-uk Kim 853*e71b7053SJung-uk Kim /* Fall through */ 854*e71b7053SJung-uk Kim 855*e71b7053SJung-uk Kim case WRITE_STATE_SEND: 856*e71b7053SJung-uk Kim if (SSL_IS_DTLS(s) && st->use_timer) { 857*e71b7053SJung-uk Kim dtls1_start_timer(s); 858*e71b7053SJung-uk Kim } 859*e71b7053SJung-uk Kim ret = statem_do_write(s); 860*e71b7053SJung-uk Kim if (ret <= 0) { 861*e71b7053SJung-uk Kim return SUB_STATE_ERROR; 862*e71b7053SJung-uk Kim } 863*e71b7053SJung-uk Kim st->write_state = WRITE_STATE_POST_WORK; 864*e71b7053SJung-uk Kim st->write_state_work = WORK_MORE_A; 865*e71b7053SJung-uk Kim /* Fall through */ 866*e71b7053SJung-uk Kim 867*e71b7053SJung-uk Kim case WRITE_STATE_POST_WORK: 868*e71b7053SJung-uk Kim switch (st->write_state_work = post_work(s, st->write_state_work)) { 869*e71b7053SJung-uk Kim case WORK_ERROR: 870*e71b7053SJung-uk Kim check_fatal(s, SSL_F_WRITE_STATE_MACHINE); 871*e71b7053SJung-uk Kim /* Fall through */ 872*e71b7053SJung-uk Kim case WORK_MORE_A: 873*e71b7053SJung-uk Kim case WORK_MORE_B: 874*e71b7053SJung-uk Kim case WORK_MORE_C: 875*e71b7053SJung-uk Kim return SUB_STATE_ERROR; 876*e71b7053SJung-uk Kim 877*e71b7053SJung-uk Kim case WORK_FINISHED_CONTINUE: 878*e71b7053SJung-uk Kim st->write_state = WRITE_STATE_TRANSITION; 879*e71b7053SJung-uk Kim break; 880*e71b7053SJung-uk Kim 881*e71b7053SJung-uk Kim case WORK_FINISHED_STOP: 882*e71b7053SJung-uk Kim return SUB_STATE_END_HANDSHAKE; 883*e71b7053SJung-uk Kim } 884*e71b7053SJung-uk Kim break; 885*e71b7053SJung-uk Kim 886*e71b7053SJung-uk Kim default: 887*e71b7053SJung-uk Kim SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_WRITE_STATE_MACHINE, 888*e71b7053SJung-uk Kim ERR_R_INTERNAL_ERROR); 889*e71b7053SJung-uk Kim return SUB_STATE_ERROR; 890*e71b7053SJung-uk Kim } 891*e71b7053SJung-uk Kim } 892*e71b7053SJung-uk Kim } 893*e71b7053SJung-uk Kim 894*e71b7053SJung-uk Kim /* 895*e71b7053SJung-uk Kim * Flush the write BIO 896*e71b7053SJung-uk Kim */ 897*e71b7053SJung-uk Kim int statem_flush(SSL *s) 898*e71b7053SJung-uk Kim { 899*e71b7053SJung-uk Kim s->rwstate = SSL_WRITING; 900*e71b7053SJung-uk Kim if (BIO_flush(s->wbio) <= 0) { 901*e71b7053SJung-uk Kim return 0; 902*e71b7053SJung-uk Kim } 903*e71b7053SJung-uk Kim s->rwstate = SSL_NOTHING; 904*e71b7053SJung-uk Kim 905*e71b7053SJung-uk Kim return 1; 906*e71b7053SJung-uk Kim } 907*e71b7053SJung-uk Kim 908*e71b7053SJung-uk Kim /* 909*e71b7053SJung-uk Kim * Called by the record layer to determine whether application data is 910*e71b7053SJung-uk Kim * allowed to be received in the current handshake state or not. 911*e71b7053SJung-uk Kim * 912*e71b7053SJung-uk Kim * Return values are: 913*e71b7053SJung-uk Kim * 1: Yes (application data allowed) 914*e71b7053SJung-uk Kim * 0: No (application data not allowed) 915*e71b7053SJung-uk Kim */ 916*e71b7053SJung-uk Kim int ossl_statem_app_data_allowed(SSL *s) 917*e71b7053SJung-uk Kim { 918*e71b7053SJung-uk Kim OSSL_STATEM *st = &s->statem; 919*e71b7053SJung-uk Kim 920*e71b7053SJung-uk Kim if (st->state == MSG_FLOW_UNINITED) 921*e71b7053SJung-uk Kim return 0; 922*e71b7053SJung-uk Kim 923*e71b7053SJung-uk Kim if (!s->s3->in_read_app_data || (s->s3->total_renegotiations == 0)) 924*e71b7053SJung-uk Kim return 0; 925*e71b7053SJung-uk Kim 926*e71b7053SJung-uk Kim if (s->server) { 927*e71b7053SJung-uk Kim /* 928*e71b7053SJung-uk Kim * If we're a server and we haven't got as far as writing our 929*e71b7053SJung-uk Kim * ServerHello yet then we allow app data 930*e71b7053SJung-uk Kim */ 931*e71b7053SJung-uk Kim if (st->hand_state == TLS_ST_BEFORE 932*e71b7053SJung-uk Kim || st->hand_state == TLS_ST_SR_CLNT_HELLO) 933*e71b7053SJung-uk Kim return 1; 934*e71b7053SJung-uk Kim } else { 935*e71b7053SJung-uk Kim /* 936*e71b7053SJung-uk Kim * If we're a client and we haven't read the ServerHello yet then we 937*e71b7053SJung-uk Kim * allow app data 938*e71b7053SJung-uk Kim */ 939*e71b7053SJung-uk Kim if (st->hand_state == TLS_ST_CW_CLNT_HELLO) 940*e71b7053SJung-uk Kim return 1; 941*e71b7053SJung-uk Kim } 942*e71b7053SJung-uk Kim 943*e71b7053SJung-uk Kim return 0; 944*e71b7053SJung-uk Kim } 945*e71b7053SJung-uk Kim 946*e71b7053SJung-uk Kim /* 947*e71b7053SJung-uk Kim * This function returns 1 if TLS exporter is ready to export keying 948*e71b7053SJung-uk Kim * material, or 0 if otherwise. 949*e71b7053SJung-uk Kim */ 950*e71b7053SJung-uk Kim int ossl_statem_export_allowed(SSL *s) 951*e71b7053SJung-uk Kim { 952*e71b7053SJung-uk Kim return s->s3->previous_server_finished_len != 0 953*e71b7053SJung-uk Kim && s->statem.hand_state != TLS_ST_SW_FINISHED; 954*e71b7053SJung-uk Kim } 955*e71b7053SJung-uk Kim 956*e71b7053SJung-uk Kim /* 957*e71b7053SJung-uk Kim * Return 1 if early TLS exporter is ready to export keying material, 958*e71b7053SJung-uk Kim * or 0 if otherwise. 959*e71b7053SJung-uk Kim */ 960*e71b7053SJung-uk Kim int ossl_statem_export_early_allowed(SSL *s) 961*e71b7053SJung-uk Kim { 962*e71b7053SJung-uk Kim /* 963*e71b7053SJung-uk Kim * The early exporter secret is only present on the server if we 964*e71b7053SJung-uk Kim * have accepted early_data. It is present on the client as long 965*e71b7053SJung-uk Kim * as we have sent early_data. 966*e71b7053SJung-uk Kim */ 967*e71b7053SJung-uk Kim return s->ext.early_data == SSL_EARLY_DATA_ACCEPTED 968*e71b7053SJung-uk Kim || (!s->server && s->ext.early_data != SSL_EARLY_DATA_NOT_SENT); 969*e71b7053SJung-uk Kim } 970