1 /* 2 * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #if defined(__TANDEM) && defined(_SPT_MODEL_) 11 # include <spthread.h> 12 # include <spt_extensions.h> /* timeval */ 13 #endif 14 15 #include "internal/cryptlib.h" 16 #include <openssl/rand.h> 17 #include "../ssl_local.h" 18 #include "statem_local.h" 19 #include <assert.h> 20 21 /* 22 * This file implements the SSL/TLS/DTLS state machines. 23 * 24 * There are two primary state machines: 25 * 26 * 1) Message flow state machine 27 * 2) Handshake state machine 28 * 29 * The Message flow state machine controls the reading and sending of messages 30 * including handling of non-blocking IO events, flushing of the underlying 31 * write BIO, handling unexpected messages, etc. It is itself broken into two 32 * separate sub-state machines which control reading and writing respectively. 33 * 34 * The Handshake state machine keeps track of the current SSL/TLS handshake 35 * state. Transitions of the handshake state are the result of events that 36 * occur within the Message flow state machine. 37 * 38 * Overall it looks like this: 39 * 40 * --------------------------------------------- ------------------- 41 * | | | | 42 * | Message flow state machine | | | 43 * | | | | 44 * | -------------------- -------------------- | Transition | Handshake state | 45 * | | MSG_FLOW_READING | | MSG_FLOW_WRITING | | Event | machine | 46 * | | sub-state | | sub-state | |----------->| | 47 * | | machine for | | machine for | | | | 48 * | | reading messages | | writing messages | | | | 49 * | -------------------- -------------------- | | | 50 * | | | | 51 * --------------------------------------------- ------------------- 52 * 53 */ 54 55 /* Sub state machine return values */ 56 typedef enum { 57 /* Something bad happened or NBIO */ 58 SUB_STATE_ERROR, 59 /* Sub state finished go to the next sub state */ 60 SUB_STATE_FINISHED, 61 /* Sub state finished and handshake was completed */ 62 SUB_STATE_END_HANDSHAKE 63 } SUB_STATE_RETURN; 64 65 static int state_machine(SSL *s, int server); 66 static void init_read_state_machine(SSL *s); 67 static SUB_STATE_RETURN read_state_machine(SSL *s); 68 static void init_write_state_machine(SSL *s); 69 static SUB_STATE_RETURN write_state_machine(SSL *s); 70 71 OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl) 72 { 73 return ssl->statem.hand_state; 74 } 75 76 int SSL_in_init(const SSL *s) 77 { 78 return s->statem.in_init; 79 } 80 81 int SSL_is_init_finished(const SSL *s) 82 { 83 return !(s->statem.in_init) && (s->statem.hand_state == TLS_ST_OK); 84 } 85 86 int SSL_in_before(const SSL *s) 87 { 88 /* 89 * Historically being "in before" meant before anything had happened. In the 90 * current code though we remain in the "before" state for a while after we 91 * have started the handshake process (e.g. as a server waiting for the 92 * first message to arrive). There "in before" is taken to mean "in before" 93 * and not started any handshake process yet. 94 */ 95 return (s->statem.hand_state == TLS_ST_BEFORE) 96 && (s->statem.state == MSG_FLOW_UNINITED); 97 } 98 99 /* 100 * Clear the state machine state and reset back to MSG_FLOW_UNINITED 101 */ 102 void ossl_statem_clear(SSL *s) 103 { 104 s->statem.state = MSG_FLOW_UNINITED; 105 s->statem.hand_state = TLS_ST_BEFORE; 106 s->statem.in_init = 1; 107 s->statem.no_cert_verify = 0; 108 } 109 110 /* 111 * Set the state machine up ready for a renegotiation handshake 112 */ 113 void ossl_statem_set_renegotiate(SSL *s) 114 { 115 s->statem.in_init = 1; 116 s->statem.request_state = TLS_ST_SW_HELLO_REQ; 117 } 118 119 void ossl_statem_send_fatal(SSL *s, int al) 120 { 121 /* We shouldn't call SSLfatal() twice. Once is enough */ 122 if (s->statem.in_init && s->statem.state == MSG_FLOW_ERROR) 123 return; 124 s->statem.in_init = 1; 125 s->statem.state = MSG_FLOW_ERROR; 126 if (al != SSL_AD_NO_ALERT 127 && s->statem.enc_write_state != ENC_WRITE_STATE_INVALID) 128 ssl3_send_alert(s, SSL3_AL_FATAL, al); 129 } 130 131 /* 132 * Error reporting building block that's used instead of ERR_set_error(). 133 * In addition to what ERR_set_error() does, this puts the state machine 134 * into an error state and sends an alert if appropriate. 135 * This is a permanent error for the current connection. 136 */ 137 void ossl_statem_fatal(SSL *s, int al, int reason, const char *fmt, ...) 138 { 139 va_list args; 140 141 va_start(args, fmt); 142 ERR_vset_error(ERR_LIB_SSL, reason, fmt, args); 143 va_end(args); 144 145 ossl_statem_send_fatal(s, al); 146 } 147 148 /* 149 * This macro should only be called if we are already expecting to be in 150 * a fatal error state. We verify that we are, and set it if not (this would 151 * indicate a bug). 152 */ 153 #define check_fatal(s) \ 154 do { \ 155 if (!ossl_assert((s)->statem.in_init \ 156 && (s)->statem.state == MSG_FLOW_ERROR)) \ 157 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_FATAL); \ 158 } while (0) 159 160 /* 161 * Discover whether the current connection is in the error state. 162 * 163 * Valid return values are: 164 * 1: Yes 165 * 0: No 166 */ 167 int ossl_statem_in_error(const SSL *s) 168 { 169 if (s->statem.state == MSG_FLOW_ERROR) 170 return 1; 171 172 return 0; 173 } 174 175 void ossl_statem_set_in_init(SSL *s, int init) 176 { 177 s->statem.in_init = init; 178 } 179 180 int ossl_statem_get_in_handshake(SSL *s) 181 { 182 return s->statem.in_handshake; 183 } 184 185 void ossl_statem_set_in_handshake(SSL *s, int inhand) 186 { 187 if (inhand) 188 s->statem.in_handshake++; 189 else 190 s->statem.in_handshake--; 191 } 192 193 /* Are we in a sensible state to skip over unreadable early data? */ 194 int ossl_statem_skip_early_data(SSL *s) 195 { 196 if (s->ext.early_data != SSL_EARLY_DATA_REJECTED) 197 return 0; 198 199 if (!s->server 200 || s->statem.hand_state != TLS_ST_EARLY_DATA 201 || s->hello_retry_request == SSL_HRR_COMPLETE) 202 return 0; 203 204 return 1; 205 } 206 207 /* 208 * Called when we are in SSL_read*(), SSL_write*(), or SSL_accept() 209 * /SSL_connect()/SSL_do_handshake(). Used to test whether we are in an early 210 * data state and whether we should attempt to move the handshake on if so. 211 * |sending| is 1 if we are attempting to send data (SSL_write*()), 0 if we are 212 * attempting to read data (SSL_read*()), or -1 if we are in SSL_do_handshake() 213 * or similar. 214 */ 215 void ossl_statem_check_finish_init(SSL *s, int sending) 216 { 217 if (sending == -1) { 218 if (s->statem.hand_state == TLS_ST_PENDING_EARLY_DATA_END 219 || s->statem.hand_state == TLS_ST_EARLY_DATA) { 220 ossl_statem_set_in_init(s, 1); 221 if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY) { 222 /* 223 * SSL_connect() or SSL_do_handshake() has been called directly. 224 * We don't allow any more writing of early data. 225 */ 226 s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING; 227 } 228 } 229 } else if (!s->server) { 230 if ((sending && (s->statem.hand_state == TLS_ST_PENDING_EARLY_DATA_END 231 || s->statem.hand_state == TLS_ST_EARLY_DATA) 232 && s->early_data_state != SSL_EARLY_DATA_WRITING) 233 || (!sending && s->statem.hand_state == TLS_ST_EARLY_DATA)) { 234 ossl_statem_set_in_init(s, 1); 235 /* 236 * SSL_write() has been called directly. We don't allow any more 237 * writing of early data. 238 */ 239 if (sending && s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY) 240 s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING; 241 } 242 } else { 243 if (s->early_data_state == SSL_EARLY_DATA_FINISHED_READING 244 && s->statem.hand_state == TLS_ST_EARLY_DATA) 245 ossl_statem_set_in_init(s, 1); 246 } 247 } 248 249 void ossl_statem_set_hello_verify_done(SSL *s) 250 { 251 s->statem.state = MSG_FLOW_UNINITED; 252 s->statem.in_init = 1; 253 /* 254 * This will get reset (briefly) back to TLS_ST_BEFORE when we enter 255 * state_machine() because |state| is MSG_FLOW_UNINITED, but until then any 256 * calls to SSL_in_before() will return false. Also calls to 257 * SSL_state_string() and SSL_state_string_long() will return something 258 * sensible. 259 */ 260 s->statem.hand_state = TLS_ST_SR_CLNT_HELLO; 261 } 262 263 int ossl_statem_connect(SSL *s) 264 { 265 return state_machine(s, 0); 266 } 267 268 int ossl_statem_accept(SSL *s) 269 { 270 return state_machine(s, 1); 271 } 272 273 typedef void (*info_cb) (const SSL *, int, int); 274 275 static info_cb get_callback(SSL *s) 276 { 277 if (s->info_callback != NULL) 278 return s->info_callback; 279 else if (s->ctx->info_callback != NULL) 280 return s->ctx->info_callback; 281 282 return NULL; 283 } 284 285 /* 286 * The main message flow state machine. We start in the MSG_FLOW_UNINITED or 287 * MSG_FLOW_FINISHED state and finish in MSG_FLOW_FINISHED. Valid states and 288 * transitions are as follows: 289 * 290 * MSG_FLOW_UNINITED MSG_FLOW_FINISHED 291 * | | 292 * +-----------------------+ 293 * v 294 * MSG_FLOW_WRITING <---> MSG_FLOW_READING 295 * | 296 * V 297 * MSG_FLOW_FINISHED 298 * | 299 * V 300 * [SUCCESS] 301 * 302 * We may exit at any point due to an error or NBIO event. If an NBIO event 303 * occurs then we restart at the point we left off when we are recalled. 304 * MSG_FLOW_WRITING and MSG_FLOW_READING have sub-state machines associated with them. 305 * 306 * In addition to the above there is also the MSG_FLOW_ERROR state. We can move 307 * into that state at any point in the event that an irrecoverable error occurs. 308 * 309 * Valid return values are: 310 * 1: Success 311 * <=0: NBIO or error 312 */ 313 static int state_machine(SSL *s, int server) 314 { 315 BUF_MEM *buf = NULL; 316 void (*cb) (const SSL *ssl, int type, int val) = NULL; 317 OSSL_STATEM *st = &s->statem; 318 int ret = -1; 319 int ssret; 320 321 if (st->state == MSG_FLOW_ERROR) { 322 /* Shouldn't have been called if we're already in the error state */ 323 return -1; 324 } 325 326 ERR_clear_error(); 327 clear_sys_error(); 328 329 cb = get_callback(s); 330 331 st->in_handshake++; 332 if (!SSL_in_init(s) || SSL_in_before(s)) { 333 /* 334 * If we are stateless then we already called SSL_clear() - don't do 335 * it again and clear the STATELESS flag itself. 336 */ 337 if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0 && !SSL_clear(s)) 338 return -1; 339 } 340 #ifndef OPENSSL_NO_SCTP 341 if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) { 342 /* 343 * Notify SCTP BIO socket to enter handshake mode and prevent stream 344 * identifier other than 0. 345 */ 346 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, 347 st->in_handshake, NULL); 348 } 349 #endif 350 351 /* Initialise state machine */ 352 if (st->state == MSG_FLOW_UNINITED 353 || st->state == MSG_FLOW_FINISHED) { 354 if (st->state == MSG_FLOW_UNINITED) { 355 st->hand_state = TLS_ST_BEFORE; 356 st->request_state = TLS_ST_BEFORE; 357 } 358 359 s->server = server; 360 if (cb != NULL) { 361 if (SSL_IS_FIRST_HANDSHAKE(s) || !SSL_IS_TLS13(s)) 362 cb(s, SSL_CB_HANDSHAKE_START, 1); 363 } 364 365 /* 366 * Fatal errors in this block don't send an alert because we have 367 * failed to even initialise properly. Sending an alert is probably 368 * doomed to failure. 369 */ 370 371 if (SSL_IS_DTLS(s)) { 372 if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00) && 373 (server || (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00))) { 374 SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR); 375 goto end; 376 } 377 } else { 378 if ((s->version >> 8) != SSL3_VERSION_MAJOR) { 379 SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR); 380 goto end; 381 } 382 } 383 384 if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) { 385 SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR); 386 goto end; 387 } 388 389 if (s->init_buf == NULL) { 390 if ((buf = BUF_MEM_new()) == NULL) { 391 SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR); 392 goto end; 393 } 394 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) { 395 SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR); 396 goto end; 397 } 398 s->init_buf = buf; 399 buf = NULL; 400 } 401 402 if (!ssl3_setup_buffers(s)) { 403 SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR); 404 goto end; 405 } 406 s->init_num = 0; 407 408 /* 409 * Should have been reset by tls_process_finished, too. 410 */ 411 s->s3.change_cipher_spec = 0; 412 413 /* 414 * Ok, we now need to push on a buffering BIO ...but not with 415 * SCTP 416 */ 417 #ifndef OPENSSL_NO_SCTP 418 if (!SSL_IS_DTLS(s) || !BIO_dgram_is_sctp(SSL_get_wbio(s))) 419 #endif 420 if (!ssl_init_wbio_buffer(s)) { 421 SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR); 422 goto end; 423 } 424 425 if ((SSL_in_before(s)) 426 || s->renegotiate) { 427 if (!tls_setup_handshake(s)) { 428 /* SSLfatal() already called */ 429 goto end; 430 } 431 432 if (SSL_IS_FIRST_HANDSHAKE(s)) 433 st->read_state_first_init = 1; 434 } 435 436 st->state = MSG_FLOW_WRITING; 437 init_write_state_machine(s); 438 } 439 440 while (st->state != MSG_FLOW_FINISHED) { 441 if (st->state == MSG_FLOW_READING) { 442 ssret = read_state_machine(s); 443 if (ssret == SUB_STATE_FINISHED) { 444 st->state = MSG_FLOW_WRITING; 445 init_write_state_machine(s); 446 } else { 447 /* NBIO or error */ 448 goto end; 449 } 450 } else if (st->state == MSG_FLOW_WRITING) { 451 ssret = write_state_machine(s); 452 if (ssret == SUB_STATE_FINISHED) { 453 st->state = MSG_FLOW_READING; 454 init_read_state_machine(s); 455 } else if (ssret == SUB_STATE_END_HANDSHAKE) { 456 st->state = MSG_FLOW_FINISHED; 457 } else { 458 /* NBIO or error */ 459 goto end; 460 } 461 } else { 462 /* Error */ 463 check_fatal(s); 464 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 465 goto end; 466 } 467 } 468 469 ret = 1; 470 471 end: 472 st->in_handshake--; 473 474 #ifndef OPENSSL_NO_SCTP 475 if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) { 476 /* 477 * Notify SCTP BIO socket to leave handshake mode and allow stream 478 * identifier other than 0. 479 */ 480 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, 481 st->in_handshake, NULL); 482 } 483 #endif 484 485 BUF_MEM_free(buf); 486 if (cb != NULL) { 487 if (server) 488 cb(s, SSL_CB_ACCEPT_EXIT, ret); 489 else 490 cb(s, SSL_CB_CONNECT_EXIT, ret); 491 } 492 return ret; 493 } 494 495 /* 496 * Initialise the MSG_FLOW_READING sub-state machine 497 */ 498 static void init_read_state_machine(SSL *s) 499 { 500 OSSL_STATEM *st = &s->statem; 501 502 st->read_state = READ_STATE_HEADER; 503 } 504 505 static int grow_init_buf(SSL *s, size_t size) { 506 507 size_t msg_offset = (char *)s->init_msg - s->init_buf->data; 508 509 if (!BUF_MEM_grow_clean(s->init_buf, (int)size)) 510 return 0; 511 512 if (size < msg_offset) 513 return 0; 514 515 s->init_msg = s->init_buf->data + msg_offset; 516 517 return 1; 518 } 519 520 /* 521 * This function implements the sub-state machine when the message flow is in 522 * MSG_FLOW_READING. The valid sub-states and transitions are: 523 * 524 * READ_STATE_HEADER <--+<-------------+ 525 * | | | 526 * v | | 527 * READ_STATE_BODY -----+-->READ_STATE_POST_PROCESS 528 * | | 529 * +----------------------------+ 530 * v 531 * [SUB_STATE_FINISHED] 532 * 533 * READ_STATE_HEADER has the responsibility for reading in the message header 534 * and transitioning the state of the handshake state machine. 535 * 536 * READ_STATE_BODY reads in the rest of the message and then subsequently 537 * processes it. 538 * 539 * READ_STATE_POST_PROCESS is an optional step that may occur if some post 540 * processing activity performed on the message may block. 541 * 542 * Any of the above states could result in an NBIO event occurring in which case 543 * control returns to the calling application. When this function is recalled we 544 * will resume in the same state where we left off. 545 */ 546 static SUB_STATE_RETURN read_state_machine(SSL *s) 547 { 548 OSSL_STATEM *st = &s->statem; 549 int ret, mt; 550 size_t len = 0; 551 int (*transition) (SSL *s, int mt); 552 PACKET pkt; 553 MSG_PROCESS_RETURN(*process_message) (SSL *s, PACKET *pkt); 554 WORK_STATE(*post_process_message) (SSL *s, WORK_STATE wst); 555 size_t (*max_message_size) (SSL *s); 556 void (*cb) (const SSL *ssl, int type, int val) = NULL; 557 558 cb = get_callback(s); 559 560 if (s->server) { 561 transition = ossl_statem_server_read_transition; 562 process_message = ossl_statem_server_process_message; 563 max_message_size = ossl_statem_server_max_message_size; 564 post_process_message = ossl_statem_server_post_process_message; 565 } else { 566 transition = ossl_statem_client_read_transition; 567 process_message = ossl_statem_client_process_message; 568 max_message_size = ossl_statem_client_max_message_size; 569 post_process_message = ossl_statem_client_post_process_message; 570 } 571 572 if (st->read_state_first_init) { 573 s->first_packet = 1; 574 st->read_state_first_init = 0; 575 } 576 577 while (1) { 578 switch (st->read_state) { 579 case READ_STATE_HEADER: 580 /* Get the state the peer wants to move to */ 581 if (SSL_IS_DTLS(s)) { 582 /* 583 * In DTLS we get the whole message in one go - header and body 584 */ 585 ret = dtls_get_message(s, &mt); 586 } else { 587 ret = tls_get_message_header(s, &mt); 588 } 589 590 if (ret == 0) { 591 /* Could be non-blocking IO */ 592 return SUB_STATE_ERROR; 593 } 594 595 if (cb != NULL) { 596 /* Notify callback of an impending state change */ 597 if (s->server) 598 cb(s, SSL_CB_ACCEPT_LOOP, 1); 599 else 600 cb(s, SSL_CB_CONNECT_LOOP, 1); 601 } 602 /* 603 * Validate that we are allowed to move to the new state and move 604 * to that state if so 605 */ 606 if (!transition(s, mt)) 607 return SUB_STATE_ERROR; 608 609 if (s->s3.tmp.message_size > max_message_size(s)) { 610 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 611 SSL_R_EXCESSIVE_MESSAGE_SIZE); 612 return SUB_STATE_ERROR; 613 } 614 615 /* dtls_get_message already did this */ 616 if (!SSL_IS_DTLS(s) 617 && s->s3.tmp.message_size > 0 618 && !grow_init_buf(s, s->s3.tmp.message_size 619 + SSL3_HM_HEADER_LENGTH)) { 620 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB); 621 return SUB_STATE_ERROR; 622 } 623 624 st->read_state = READ_STATE_BODY; 625 /* Fall through */ 626 627 case READ_STATE_BODY: 628 if (SSL_IS_DTLS(s)) { 629 /* 630 * Actually we already have the body, but we give DTLS the 631 * opportunity to do any further processing. 632 */ 633 ret = dtls_get_message_body(s, &len); 634 } else { 635 ret = tls_get_message_body(s, &len); 636 } 637 if (ret == 0) { 638 /* Could be non-blocking IO */ 639 return SUB_STATE_ERROR; 640 } 641 642 s->first_packet = 0; 643 if (!PACKET_buf_init(&pkt, s->init_msg, len)) { 644 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 645 return SUB_STATE_ERROR; 646 } 647 ret = process_message(s, &pkt); 648 649 /* Discard the packet data */ 650 s->init_num = 0; 651 652 switch (ret) { 653 case MSG_PROCESS_ERROR: 654 check_fatal(s); 655 return SUB_STATE_ERROR; 656 657 case MSG_PROCESS_FINISHED_READING: 658 if (SSL_IS_DTLS(s)) { 659 dtls1_stop_timer(s); 660 } 661 return SUB_STATE_FINISHED; 662 663 case MSG_PROCESS_CONTINUE_PROCESSING: 664 st->read_state = READ_STATE_POST_PROCESS; 665 st->read_state_work = WORK_MORE_A; 666 break; 667 668 default: 669 st->read_state = READ_STATE_HEADER; 670 break; 671 } 672 break; 673 674 case READ_STATE_POST_PROCESS: 675 st->read_state_work = post_process_message(s, st->read_state_work); 676 switch (st->read_state_work) { 677 case WORK_ERROR: 678 check_fatal(s); 679 /* Fall through */ 680 case WORK_MORE_A: 681 case WORK_MORE_B: 682 case WORK_MORE_C: 683 return SUB_STATE_ERROR; 684 685 case WORK_FINISHED_CONTINUE: 686 st->read_state = READ_STATE_HEADER; 687 break; 688 689 case WORK_FINISHED_STOP: 690 if (SSL_IS_DTLS(s)) { 691 dtls1_stop_timer(s); 692 } 693 return SUB_STATE_FINISHED; 694 } 695 break; 696 697 default: 698 /* Shouldn't happen */ 699 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 700 return SUB_STATE_ERROR; 701 } 702 } 703 } 704 705 /* 706 * Send a previously constructed message to the peer. 707 */ 708 static int statem_do_write(SSL *s) 709 { 710 OSSL_STATEM *st = &s->statem; 711 712 if (st->hand_state == TLS_ST_CW_CHANGE 713 || st->hand_state == TLS_ST_SW_CHANGE) { 714 if (SSL_IS_DTLS(s)) 715 return dtls1_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC); 716 else 717 return ssl3_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC); 718 } else { 719 return ssl_do_write(s); 720 } 721 } 722 723 /* 724 * Initialise the MSG_FLOW_WRITING sub-state machine 725 */ 726 static void init_write_state_machine(SSL *s) 727 { 728 OSSL_STATEM *st = &s->statem; 729 730 st->write_state = WRITE_STATE_TRANSITION; 731 } 732 733 /* 734 * This function implements the sub-state machine when the message flow is in 735 * MSG_FLOW_WRITING. The valid sub-states and transitions are: 736 * 737 * +-> WRITE_STATE_TRANSITION ------> [SUB_STATE_FINISHED] 738 * | | 739 * | v 740 * | WRITE_STATE_PRE_WORK -----> [SUB_STATE_END_HANDSHAKE] 741 * | | 742 * | v 743 * | WRITE_STATE_SEND 744 * | | 745 * | v 746 * | WRITE_STATE_POST_WORK 747 * | | 748 * +-------------+ 749 * 750 * WRITE_STATE_TRANSITION transitions the state of the handshake state machine 751 752 * WRITE_STATE_PRE_WORK performs any work necessary to prepare the later 753 * sending of the message. This could result in an NBIO event occurring in 754 * which case control returns to the calling application. When this function 755 * is recalled we will resume in the same state where we left off. 756 * 757 * WRITE_STATE_SEND sends the message and performs any work to be done after 758 * sending. 759 * 760 * WRITE_STATE_POST_WORK performs any work necessary after the sending of the 761 * message has been completed. As for WRITE_STATE_PRE_WORK this could also 762 * result in an NBIO event. 763 */ 764 static SUB_STATE_RETURN write_state_machine(SSL *s) 765 { 766 OSSL_STATEM *st = &s->statem; 767 int ret; 768 WRITE_TRAN(*transition) (SSL *s); 769 WORK_STATE(*pre_work) (SSL *s, WORK_STATE wst); 770 WORK_STATE(*post_work) (SSL *s, WORK_STATE wst); 771 int (*get_construct_message_f) (SSL *s, WPACKET *pkt, 772 int (**confunc) (SSL *s, WPACKET *pkt), 773 int *mt); 774 void (*cb) (const SSL *ssl, int type, int val) = NULL; 775 int (*confunc) (SSL *s, WPACKET *pkt); 776 int mt; 777 WPACKET pkt; 778 779 cb = get_callback(s); 780 781 if (s->server) { 782 transition = ossl_statem_server_write_transition; 783 pre_work = ossl_statem_server_pre_work; 784 post_work = ossl_statem_server_post_work; 785 get_construct_message_f = ossl_statem_server_construct_message; 786 } else { 787 transition = ossl_statem_client_write_transition; 788 pre_work = ossl_statem_client_pre_work; 789 post_work = ossl_statem_client_post_work; 790 get_construct_message_f = ossl_statem_client_construct_message; 791 } 792 793 while (1) { 794 switch (st->write_state) { 795 case WRITE_STATE_TRANSITION: 796 if (cb != NULL) { 797 /* Notify callback of an impending state change */ 798 if (s->server) 799 cb(s, SSL_CB_ACCEPT_LOOP, 1); 800 else 801 cb(s, SSL_CB_CONNECT_LOOP, 1); 802 } 803 switch (transition(s)) { 804 case WRITE_TRAN_CONTINUE: 805 st->write_state = WRITE_STATE_PRE_WORK; 806 st->write_state_work = WORK_MORE_A; 807 break; 808 809 case WRITE_TRAN_FINISHED: 810 return SUB_STATE_FINISHED; 811 break; 812 813 case WRITE_TRAN_ERROR: 814 check_fatal(s); 815 return SUB_STATE_ERROR; 816 } 817 break; 818 819 case WRITE_STATE_PRE_WORK: 820 switch (st->write_state_work = pre_work(s, st->write_state_work)) { 821 case WORK_ERROR: 822 check_fatal(s); 823 /* Fall through */ 824 case WORK_MORE_A: 825 case WORK_MORE_B: 826 case WORK_MORE_C: 827 return SUB_STATE_ERROR; 828 829 case WORK_FINISHED_CONTINUE: 830 st->write_state = WRITE_STATE_SEND; 831 break; 832 833 case WORK_FINISHED_STOP: 834 return SUB_STATE_END_HANDSHAKE; 835 } 836 if (!get_construct_message_f(s, &pkt, &confunc, &mt)) { 837 /* SSLfatal() already called */ 838 return SUB_STATE_ERROR; 839 } 840 if (mt == SSL3_MT_DUMMY) { 841 /* Skip construction and sending. This isn't a "real" state */ 842 st->write_state = WRITE_STATE_POST_WORK; 843 st->write_state_work = WORK_MORE_A; 844 break; 845 } 846 if (!WPACKET_init(&pkt, s->init_buf) 847 || !ssl_set_handshake_header(s, &pkt, mt)) { 848 WPACKET_cleanup(&pkt); 849 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 850 return SUB_STATE_ERROR; 851 } 852 if (confunc != NULL) { 853 int tmpret; 854 855 tmpret = confunc(s, &pkt); 856 if (tmpret <= 0) { 857 WPACKET_cleanup(&pkt); 858 check_fatal(s); 859 return SUB_STATE_ERROR; 860 } else if (tmpret == 2) { 861 /* 862 * The construction function decided not to construct the 863 * message after all and continue. Skip sending. 864 */ 865 WPACKET_cleanup(&pkt); 866 st->write_state = WRITE_STATE_POST_WORK; 867 st->write_state_work = WORK_MORE_A; 868 break; 869 } /* else success */ 870 } 871 if (!ssl_close_construct_packet(s, &pkt, mt) 872 || !WPACKET_finish(&pkt)) { 873 WPACKET_cleanup(&pkt); 874 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 875 return SUB_STATE_ERROR; 876 } 877 878 /* Fall through */ 879 880 case WRITE_STATE_SEND: 881 if (SSL_IS_DTLS(s) && st->use_timer) { 882 dtls1_start_timer(s); 883 } 884 ret = statem_do_write(s); 885 if (ret <= 0) { 886 return SUB_STATE_ERROR; 887 } 888 st->write_state = WRITE_STATE_POST_WORK; 889 st->write_state_work = WORK_MORE_A; 890 /* Fall through */ 891 892 case WRITE_STATE_POST_WORK: 893 switch (st->write_state_work = post_work(s, st->write_state_work)) { 894 case WORK_ERROR: 895 check_fatal(s); 896 /* Fall through */ 897 case WORK_MORE_A: 898 case WORK_MORE_B: 899 case WORK_MORE_C: 900 return SUB_STATE_ERROR; 901 902 case WORK_FINISHED_CONTINUE: 903 st->write_state = WRITE_STATE_TRANSITION; 904 break; 905 906 case WORK_FINISHED_STOP: 907 return SUB_STATE_END_HANDSHAKE; 908 } 909 break; 910 911 default: 912 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 913 return SUB_STATE_ERROR; 914 } 915 } 916 } 917 918 /* 919 * Flush the write BIO 920 */ 921 int statem_flush(SSL *s) 922 { 923 s->rwstate = SSL_WRITING; 924 if (BIO_flush(s->wbio) <= 0) { 925 return 0; 926 } 927 s->rwstate = SSL_NOTHING; 928 929 return 1; 930 } 931 932 /* 933 * Called by the record layer to determine whether application data is 934 * allowed to be received in the current handshake state or not. 935 * 936 * Return values are: 937 * 1: Yes (application data allowed) 938 * 0: No (application data not allowed) 939 */ 940 int ossl_statem_app_data_allowed(SSL *s) 941 { 942 OSSL_STATEM *st = &s->statem; 943 944 if (st->state == MSG_FLOW_UNINITED) 945 return 0; 946 947 if (!s->s3.in_read_app_data || (s->s3.total_renegotiations == 0)) 948 return 0; 949 950 if (s->server) { 951 /* 952 * If we're a server and we haven't got as far as writing our 953 * ServerHello yet then we allow app data 954 */ 955 if (st->hand_state == TLS_ST_BEFORE 956 || st->hand_state == TLS_ST_SR_CLNT_HELLO) 957 return 1; 958 } else { 959 /* 960 * If we're a client and we haven't read the ServerHello yet then we 961 * allow app data 962 */ 963 if (st->hand_state == TLS_ST_CW_CLNT_HELLO) 964 return 1; 965 } 966 967 return 0; 968 } 969 970 /* 971 * This function returns 1 if TLS exporter is ready to export keying 972 * material, or 0 if otherwise. 973 */ 974 int ossl_statem_export_allowed(SSL *s) 975 { 976 return s->s3.previous_server_finished_len != 0 977 && s->statem.hand_state != TLS_ST_SW_FINISHED; 978 } 979 980 /* 981 * Return 1 if early TLS exporter is ready to export keying material, 982 * or 0 if otherwise. 983 */ 984 int ossl_statem_export_early_allowed(SSL *s) 985 { 986 /* 987 * The early exporter secret is only present on the server if we 988 * have accepted early_data. It is present on the client as long 989 * as we have sent early_data. 990 */ 991 return s->ext.early_data == SSL_EARLY_DATA_ACCEPTED 992 || (!s->server && s->ext.early_data != SSL_EARLY_DATA_NOT_SENT); 993 } 994