statem.c 30 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970
  1. /*
  2. * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include "internal/cryptlib.h"
  10. #include <openssl/rand.h>
  11. #include "../ssl_locl.h"
  12. #include "statem_locl.h"
  13. #include <assert.h>
  14. /*
  15. * This file implements the SSL/TLS/DTLS state machines.
  16. *
  17. * There are two primary state machines:
  18. *
  19. * 1) Message flow state machine
  20. * 2) Handshake state machine
  21. *
  22. * The Message flow state machine controls the reading and sending of messages
  23. * including handling of non-blocking IO events, flushing of the underlying
  24. * write BIO, handling unexpected messages, etc. It is itself broken into two
  25. * separate sub-state machines which control reading and writing respectively.
  26. *
  27. * The Handshake state machine keeps track of the current SSL/TLS handshake
  28. * state. Transitions of the handshake state are the result of events that
  29. * occur within the Message flow state machine.
  30. *
  31. * Overall it looks like this:
  32. *
  33. * --------------------------------------------- -------------------
  34. * | | | |
  35. * | Message flow state machine | | |
  36. * | | | |
  37. * | -------------------- -------------------- | Transition | Handshake state |
  38. * | | MSG_FLOW_READING | | MSG_FLOW_WRITING | | Event | machine |
  39. * | | sub-state | | sub-state | |----------->| |
  40. * | | machine for | | machine for | | | |
  41. * | | reading messages | | writing messages | | | |
  42. * | -------------------- -------------------- | | |
  43. * | | | |
  44. * --------------------------------------------- -------------------
  45. *
  46. */
  47. /* Sub state machine return values */
  48. typedef enum {
  49. /* Something bad happened or NBIO */
  50. SUB_STATE_ERROR,
  51. /* Sub state finished go to the next sub state */
  52. SUB_STATE_FINISHED,
  53. /* Sub state finished and handshake was completed */
  54. SUB_STATE_END_HANDSHAKE
  55. } SUB_STATE_RETURN;
  56. static int state_machine(SSL *s, int server);
  57. static void init_read_state_machine(SSL *s);
  58. static SUB_STATE_RETURN read_state_machine(SSL *s);
  59. static void init_write_state_machine(SSL *s);
  60. static SUB_STATE_RETURN write_state_machine(SSL *s);
  61. OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl)
  62. {
  63. return ssl->statem.hand_state;
  64. }
  65. int SSL_in_init(const SSL *s)
  66. {
  67. return s->statem.in_init;
  68. }
  69. int SSL_is_init_finished(const SSL *s)
  70. {
  71. return !(s->statem.in_init) && (s->statem.hand_state == TLS_ST_OK);
  72. }
  73. int SSL_in_before(const SSL *s)
  74. {
  75. /*
  76. * Historically being "in before" meant before anything had happened. In the
  77. * current code though we remain in the "before" state for a while after we
  78. * have started the handshake process (e.g. as a server waiting for the
  79. * first message to arrive). There "in before" is taken to mean "in before"
  80. * and not started any handshake process yet.
  81. */
  82. return (s->statem.hand_state == TLS_ST_BEFORE)
  83. && (s->statem.state == MSG_FLOW_UNINITED);
  84. }
  85. /*
  86. * Clear the state machine state and reset back to MSG_FLOW_UNINITED
  87. */
  88. void ossl_statem_clear(SSL *s)
  89. {
  90. s->statem.state = MSG_FLOW_UNINITED;
  91. s->statem.hand_state = TLS_ST_BEFORE;
  92. s->statem.in_init = 1;
  93. s->statem.no_cert_verify = 0;
  94. }
  95. /*
  96. * Set the state machine up ready for a renegotiation handshake
  97. */
  98. void ossl_statem_set_renegotiate(SSL *s)
  99. {
  100. s->statem.in_init = 1;
  101. s->statem.request_state = TLS_ST_SW_HELLO_REQ;
  102. }
  103. /*
  104. * Put the state machine into an error state and send an alert if appropriate.
  105. * This is a permanent error for the current connection.
  106. */
  107. void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file,
  108. int line)
  109. {
  110. ERR_put_error(ERR_LIB_SSL, func, reason, file, line);
  111. /* We shouldn't call SSLfatal() twice. Once is enough */
  112. if (s->statem.in_init && s->statem.state == MSG_FLOW_ERROR)
  113. return;
  114. s->statem.in_init = 1;
  115. s->statem.state = MSG_FLOW_ERROR;
  116. if (al != SSL_AD_NO_ALERT
  117. && s->statem.enc_write_state != ENC_WRITE_STATE_INVALID)
  118. ssl3_send_alert(s, SSL3_AL_FATAL, al);
  119. }
  120. /*
  121. * This macro should only be called if we are already expecting to be in
  122. * a fatal error state. We verify that we are, and set it if not (this would
  123. * indicate a bug).
  124. */
  125. #define check_fatal(s, f) \
  126. do { \
  127. if (!ossl_assert((s)->statem.in_init \
  128. && (s)->statem.state == MSG_FLOW_ERROR)) \
  129. SSLfatal(s, SSL_AD_INTERNAL_ERROR, (f), \
  130. SSL_R_MISSING_FATAL); \
  131. } while (0)
  132. /*
  133. * Discover whether the current connection is in the error state.
  134. *
  135. * Valid return values are:
  136. * 1: Yes
  137. * 0: No
  138. */
  139. int ossl_statem_in_error(const SSL *s)
  140. {
  141. if (s->statem.state == MSG_FLOW_ERROR)
  142. return 1;
  143. return 0;
  144. }
  145. void ossl_statem_set_in_init(SSL *s, int init)
  146. {
  147. s->statem.in_init = init;
  148. }
  149. int ossl_statem_get_in_handshake(SSL *s)
  150. {
  151. return s->statem.in_handshake;
  152. }
  153. void ossl_statem_set_in_handshake(SSL *s, int inhand)
  154. {
  155. if (inhand)
  156. s->statem.in_handshake++;
  157. else
  158. s->statem.in_handshake--;
  159. }
  160. /* Are we in a sensible state to skip over unreadable early data? */
  161. int ossl_statem_skip_early_data(SSL *s)
  162. {
  163. if (s->ext.early_data != SSL_EARLY_DATA_REJECTED)
  164. return 0;
  165. if (!s->server
  166. || s->statem.hand_state != TLS_ST_EARLY_DATA
  167. || s->hello_retry_request == SSL_HRR_COMPLETE)
  168. return 0;
  169. return 1;
  170. }
  171. /*
  172. * Called when we are in SSL_read*(), SSL_write*(), or SSL_accept()
  173. * /SSL_connect()/SSL_do_handshake(). Used to test whether we are in an early
  174. * data state and whether we should attempt to move the handshake on if so.
  175. * |sending| is 1 if we are attempting to send data (SSL_write*()), 0 if we are
  176. * attempting to read data (SSL_read*()), or -1 if we are in SSL_do_handshake()
  177. * or similar.
  178. */
  179. void ossl_statem_check_finish_init(SSL *s, int sending)
  180. {
  181. if (sending == -1) {
  182. if (s->statem.hand_state == TLS_ST_PENDING_EARLY_DATA_END
  183. || s->statem.hand_state == TLS_ST_EARLY_DATA) {
  184. ossl_statem_set_in_init(s, 1);
  185. if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY) {
  186. /*
  187. * SSL_connect() or SSL_do_handshake() has been called directly.
  188. * We don't allow any more writing of early data.
  189. */
  190. s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING;
  191. }
  192. }
  193. } else if (!s->server) {
  194. if ((sending && (s->statem.hand_state == TLS_ST_PENDING_EARLY_DATA_END
  195. || s->statem.hand_state == TLS_ST_EARLY_DATA)
  196. && s->early_data_state != SSL_EARLY_DATA_WRITING)
  197. || (!sending && s->statem.hand_state == TLS_ST_EARLY_DATA)) {
  198. ossl_statem_set_in_init(s, 1);
  199. /*
  200. * SSL_write() has been called directly. We don't allow any more
  201. * writing of early data.
  202. */
  203. if (sending && s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY)
  204. s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING;
  205. }
  206. } else {
  207. if (s->early_data_state == SSL_EARLY_DATA_FINISHED_READING
  208. && s->statem.hand_state == TLS_ST_EARLY_DATA)
  209. ossl_statem_set_in_init(s, 1);
  210. }
  211. }
  212. void ossl_statem_set_hello_verify_done(SSL *s)
  213. {
  214. s->statem.state = MSG_FLOW_UNINITED;
  215. s->statem.in_init = 1;
  216. /*
  217. * This will get reset (briefly) back to TLS_ST_BEFORE when we enter
  218. * state_machine() because |state| is MSG_FLOW_UNINITED, but until then any
  219. * calls to SSL_in_before() will return false. Also calls to
  220. * SSL_state_string() and SSL_state_string_long() will return something
  221. * sensible.
  222. */
  223. s->statem.hand_state = TLS_ST_SR_CLNT_HELLO;
  224. }
  225. int ossl_statem_connect(SSL *s)
  226. {
  227. return state_machine(s, 0);
  228. }
  229. int ossl_statem_accept(SSL *s)
  230. {
  231. return state_machine(s, 1);
  232. }
  233. typedef void (*info_cb) (const SSL *, int, int);
  234. static info_cb get_callback(SSL *s)
  235. {
  236. if (s->info_callback != NULL)
  237. return s->info_callback;
  238. else if (s->ctx->info_callback != NULL)
  239. return s->ctx->info_callback;
  240. return NULL;
  241. }
  242. /*
  243. * The main message flow state machine. We start in the MSG_FLOW_UNINITED or
  244. * MSG_FLOW_FINISHED state and finish in MSG_FLOW_FINISHED. Valid states and
  245. * transitions are as follows:
  246. *
  247. * MSG_FLOW_UNINITED MSG_FLOW_FINISHED
  248. * | |
  249. * +-----------------------+
  250. * v
  251. * MSG_FLOW_WRITING <---> MSG_FLOW_READING
  252. * |
  253. * V
  254. * MSG_FLOW_FINISHED
  255. * |
  256. * V
  257. * [SUCCESS]
  258. *
  259. * We may exit at any point due to an error or NBIO event. If an NBIO event
  260. * occurs then we restart at the point we left off when we are recalled.
  261. * MSG_FLOW_WRITING and MSG_FLOW_READING have sub-state machines associated with them.
  262. *
  263. * In addition to the above there is also the MSG_FLOW_ERROR state. We can move
  264. * into that state at any point in the event that an irrecoverable error occurs.
  265. *
  266. * Valid return values are:
  267. * 1: Success
  268. * <=0: NBIO or error
  269. */
  270. static int state_machine(SSL *s, int server)
  271. {
  272. BUF_MEM *buf = NULL;
  273. void (*cb) (const SSL *ssl, int type, int val) = NULL;
  274. OSSL_STATEM *st = &s->statem;
  275. int ret = -1;
  276. int ssret;
  277. if (st->state == MSG_FLOW_ERROR) {
  278. /* Shouldn't have been called if we're already in the error state */
  279. return -1;
  280. }
  281. ERR_clear_error();
  282. clear_sys_error();
  283. cb = get_callback(s);
  284. st->in_handshake++;
  285. if (!SSL_in_init(s) || SSL_in_before(s)) {
  286. /*
  287. * If we are stateless then we already called SSL_clear() - don't do
  288. * it again and clear the STATELESS flag itself.
  289. */
  290. if ((s->s3->flags & TLS1_FLAGS_STATELESS) == 0 && !SSL_clear(s))
  291. return -1;
  292. }
  293. #ifndef OPENSSL_NO_SCTP
  294. if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) {
  295. /*
  296. * Notify SCTP BIO socket to enter handshake mode and prevent stream
  297. * identifier other than 0.
  298. */
  299. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
  300. st->in_handshake, NULL);
  301. }
  302. #endif
  303. /* Initialise state machine */
  304. if (st->state == MSG_FLOW_UNINITED
  305. || st->state == MSG_FLOW_FINISHED) {
  306. if (st->state == MSG_FLOW_UNINITED) {
  307. st->hand_state = TLS_ST_BEFORE;
  308. st->request_state = TLS_ST_BEFORE;
  309. }
  310. s->server = server;
  311. if (cb != NULL)
  312. cb(s, SSL_CB_HANDSHAKE_START, 1);
  313. /*
  314. * Fatal errors in this block don't send an alert because we have
  315. * failed to even initialise properly. Sending an alert is probably
  316. * doomed to failure.
  317. */
  318. if (SSL_IS_DTLS(s)) {
  319. if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00) &&
  320. (server || (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00))) {
  321. SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE,
  322. ERR_R_INTERNAL_ERROR);
  323. goto end;
  324. }
  325. } else {
  326. if ((s->version >> 8) != SSL3_VERSION_MAJOR) {
  327. SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE,
  328. ERR_R_INTERNAL_ERROR);
  329. goto end;
  330. }
  331. }
  332. if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) {
  333. SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE,
  334. ERR_R_INTERNAL_ERROR);
  335. goto end;
  336. }
  337. if (s->init_buf == NULL) {
  338. if ((buf = BUF_MEM_new()) == NULL) {
  339. SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE,
  340. ERR_R_INTERNAL_ERROR);
  341. goto end;
  342. }
  343. if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
  344. SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE,
  345. ERR_R_INTERNAL_ERROR);
  346. goto end;
  347. }
  348. s->init_buf = buf;
  349. buf = NULL;
  350. }
  351. if (!ssl3_setup_buffers(s)) {
  352. SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE,
  353. ERR_R_INTERNAL_ERROR);
  354. goto end;
  355. }
  356. s->init_num = 0;
  357. /*
  358. * Should have been reset by tls_process_finished, too.
  359. */
  360. s->s3->change_cipher_spec = 0;
  361. /*
  362. * Ok, we now need to push on a buffering BIO ...but not with
  363. * SCTP
  364. */
  365. #ifndef OPENSSL_NO_SCTP
  366. if (!SSL_IS_DTLS(s) || !BIO_dgram_is_sctp(SSL_get_wbio(s)))
  367. #endif
  368. if (!ssl_init_wbio_buffer(s)) {
  369. SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE,
  370. ERR_R_INTERNAL_ERROR);
  371. goto end;
  372. }
  373. if ((SSL_in_before(s))
  374. || s->renegotiate) {
  375. if (!tls_setup_handshake(s)) {
  376. /* SSLfatal() already called */
  377. goto end;
  378. }
  379. if (SSL_IS_FIRST_HANDSHAKE(s))
  380. st->read_state_first_init = 1;
  381. }
  382. st->state = MSG_FLOW_WRITING;
  383. init_write_state_machine(s);
  384. }
  385. while (st->state != MSG_FLOW_FINISHED) {
  386. if (st->state == MSG_FLOW_READING) {
  387. ssret = read_state_machine(s);
  388. if (ssret == SUB_STATE_FINISHED) {
  389. st->state = MSG_FLOW_WRITING;
  390. init_write_state_machine(s);
  391. } else {
  392. /* NBIO or error */
  393. goto end;
  394. }
  395. } else if (st->state == MSG_FLOW_WRITING) {
  396. ssret = write_state_machine(s);
  397. if (ssret == SUB_STATE_FINISHED) {
  398. st->state = MSG_FLOW_READING;
  399. init_read_state_machine(s);
  400. } else if (ssret == SUB_STATE_END_HANDSHAKE) {
  401. st->state = MSG_FLOW_FINISHED;
  402. } else {
  403. /* NBIO or error */
  404. goto end;
  405. }
  406. } else {
  407. /* Error */
  408. check_fatal(s, SSL_F_STATE_MACHINE);
  409. SSLerr(SSL_F_STATE_MACHINE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  410. goto end;
  411. }
  412. }
  413. ret = 1;
  414. end:
  415. st->in_handshake--;
  416. #ifndef OPENSSL_NO_SCTP
  417. if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) {
  418. /*
  419. * Notify SCTP BIO socket to leave handshake mode and allow stream
  420. * identifier other than 0.
  421. */
  422. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
  423. st->in_handshake, NULL);
  424. }
  425. #endif
  426. BUF_MEM_free(buf);
  427. if (cb != NULL) {
  428. if (server)
  429. cb(s, SSL_CB_ACCEPT_EXIT, ret);
  430. else
  431. cb(s, SSL_CB_CONNECT_EXIT, ret);
  432. }
  433. return ret;
  434. }
  435. /*
  436. * Initialise the MSG_FLOW_READING sub-state machine
  437. */
  438. static void init_read_state_machine(SSL *s)
  439. {
  440. OSSL_STATEM *st = &s->statem;
  441. st->read_state = READ_STATE_HEADER;
  442. }
  443. static int grow_init_buf(SSL *s, size_t size) {
  444. size_t msg_offset = (char *)s->init_msg - s->init_buf->data;
  445. if (!BUF_MEM_grow_clean(s->init_buf, (int)size))
  446. return 0;
  447. if (size < msg_offset)
  448. return 0;
  449. s->init_msg = s->init_buf->data + msg_offset;
  450. return 1;
  451. }
  452. /*
  453. * This function implements the sub-state machine when the message flow is in
  454. * MSG_FLOW_READING. The valid sub-states and transitions are:
  455. *
  456. * READ_STATE_HEADER <--+<-------------+
  457. * | | |
  458. * v | |
  459. * READ_STATE_BODY -----+-->READ_STATE_POST_PROCESS
  460. * | |
  461. * +----------------------------+
  462. * v
  463. * [SUB_STATE_FINISHED]
  464. *
  465. * READ_STATE_HEADER has the responsibility for reading in the message header
  466. * and transitioning the state of the handshake state machine.
  467. *
  468. * READ_STATE_BODY reads in the rest of the message and then subsequently
  469. * processes it.
  470. *
  471. * READ_STATE_POST_PROCESS is an optional step that may occur if some post
  472. * processing activity performed on the message may block.
  473. *
  474. * Any of the above states could result in an NBIO event occurring in which case
  475. * control returns to the calling application. When this function is recalled we
  476. * will resume in the same state where we left off.
  477. */
  478. static SUB_STATE_RETURN read_state_machine(SSL *s)
  479. {
  480. OSSL_STATEM *st = &s->statem;
  481. int ret, mt;
  482. size_t len = 0;
  483. int (*transition) (SSL *s, int mt);
  484. PACKET pkt;
  485. MSG_PROCESS_RETURN(*process_message) (SSL *s, PACKET *pkt);
  486. WORK_STATE(*post_process_message) (SSL *s, WORK_STATE wst);
  487. size_t (*max_message_size) (SSL *s);
  488. void (*cb) (const SSL *ssl, int type, int val) = NULL;
  489. cb = get_callback(s);
  490. if (s->server) {
  491. transition = ossl_statem_server_read_transition;
  492. process_message = ossl_statem_server_process_message;
  493. max_message_size = ossl_statem_server_max_message_size;
  494. post_process_message = ossl_statem_server_post_process_message;
  495. } else {
  496. transition = ossl_statem_client_read_transition;
  497. process_message = ossl_statem_client_process_message;
  498. max_message_size = ossl_statem_client_max_message_size;
  499. post_process_message = ossl_statem_client_post_process_message;
  500. }
  501. if (st->read_state_first_init) {
  502. s->first_packet = 1;
  503. st->read_state_first_init = 0;
  504. }
  505. while (1) {
  506. switch (st->read_state) {
  507. case READ_STATE_HEADER:
  508. /* Get the state the peer wants to move to */
  509. if (SSL_IS_DTLS(s)) {
  510. /*
  511. * In DTLS we get the whole message in one go - header and body
  512. */
  513. ret = dtls_get_message(s, &mt, &len);
  514. } else {
  515. ret = tls_get_message_header(s, &mt);
  516. }
  517. if (ret == 0) {
  518. /* Could be non-blocking IO */
  519. return SUB_STATE_ERROR;
  520. }
  521. if (cb != NULL) {
  522. /* Notify callback of an impending state change */
  523. if (s->server)
  524. cb(s, SSL_CB_ACCEPT_LOOP, 1);
  525. else
  526. cb(s, SSL_CB_CONNECT_LOOP, 1);
  527. }
  528. /*
  529. * Validate that we are allowed to move to the new state and move
  530. * to that state if so
  531. */
  532. if (!transition(s, mt))
  533. return SUB_STATE_ERROR;
  534. if (s->s3->tmp.message_size > max_message_size(s)) {
  535. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_READ_STATE_MACHINE,
  536. SSL_R_EXCESSIVE_MESSAGE_SIZE);
  537. return SUB_STATE_ERROR;
  538. }
  539. /* dtls_get_message already did this */
  540. if (!SSL_IS_DTLS(s)
  541. && s->s3->tmp.message_size > 0
  542. && !grow_init_buf(s, s->s3->tmp.message_size
  543. + SSL3_HM_HEADER_LENGTH)) {
  544. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_READ_STATE_MACHINE,
  545. ERR_R_BUF_LIB);
  546. return SUB_STATE_ERROR;
  547. }
  548. st->read_state = READ_STATE_BODY;
  549. /* Fall through */
  550. case READ_STATE_BODY:
  551. if (!SSL_IS_DTLS(s)) {
  552. /* We already got this above for DTLS */
  553. ret = tls_get_message_body(s, &len);
  554. if (ret == 0) {
  555. /* Could be non-blocking IO */
  556. return SUB_STATE_ERROR;
  557. }
  558. }
  559. s->first_packet = 0;
  560. if (!PACKET_buf_init(&pkt, s->init_msg, len)) {
  561. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_READ_STATE_MACHINE,
  562. ERR_R_INTERNAL_ERROR);
  563. return SUB_STATE_ERROR;
  564. }
  565. ret = process_message(s, &pkt);
  566. /* Discard the packet data */
  567. s->init_num = 0;
  568. switch (ret) {
  569. case MSG_PROCESS_ERROR:
  570. check_fatal(s, SSL_F_READ_STATE_MACHINE);
  571. return SUB_STATE_ERROR;
  572. case MSG_PROCESS_FINISHED_READING:
  573. if (SSL_IS_DTLS(s)) {
  574. dtls1_stop_timer(s);
  575. }
  576. return SUB_STATE_FINISHED;
  577. case MSG_PROCESS_CONTINUE_PROCESSING:
  578. st->read_state = READ_STATE_POST_PROCESS;
  579. st->read_state_work = WORK_MORE_A;
  580. break;
  581. default:
  582. st->read_state = READ_STATE_HEADER;
  583. break;
  584. }
  585. break;
  586. case READ_STATE_POST_PROCESS:
  587. st->read_state_work = post_process_message(s, st->read_state_work);
  588. switch (st->read_state_work) {
  589. case WORK_ERROR:
  590. check_fatal(s, SSL_F_READ_STATE_MACHINE);
  591. /* Fall through */
  592. case WORK_MORE_A:
  593. case WORK_MORE_B:
  594. case WORK_MORE_C:
  595. return SUB_STATE_ERROR;
  596. case WORK_FINISHED_CONTINUE:
  597. st->read_state = READ_STATE_HEADER;
  598. break;
  599. case WORK_FINISHED_STOP:
  600. if (SSL_IS_DTLS(s)) {
  601. dtls1_stop_timer(s);
  602. }
  603. return SUB_STATE_FINISHED;
  604. }
  605. break;
  606. default:
  607. /* Shouldn't happen */
  608. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_READ_STATE_MACHINE,
  609. ERR_R_INTERNAL_ERROR);
  610. return SUB_STATE_ERROR;
  611. }
  612. }
  613. }
  614. /*
  615. * Send a previously constructed message to the peer.
  616. */
  617. static int statem_do_write(SSL *s)
  618. {
  619. OSSL_STATEM *st = &s->statem;
  620. if (st->hand_state == TLS_ST_CW_CHANGE
  621. || st->hand_state == TLS_ST_SW_CHANGE) {
  622. if (SSL_IS_DTLS(s))
  623. return dtls1_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);
  624. else
  625. return ssl3_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);
  626. } else {
  627. return ssl_do_write(s);
  628. }
  629. }
  630. /*
  631. * Initialise the MSG_FLOW_WRITING sub-state machine
  632. */
  633. static void init_write_state_machine(SSL *s)
  634. {
  635. OSSL_STATEM *st = &s->statem;
  636. st->write_state = WRITE_STATE_TRANSITION;
  637. }
  638. /*
  639. * This function implements the sub-state machine when the message flow is in
  640. * MSG_FLOW_WRITING. The valid sub-states and transitions are:
  641. *
  642. * +-> WRITE_STATE_TRANSITION ------> [SUB_STATE_FINISHED]
  643. * | |
  644. * | v
  645. * | WRITE_STATE_PRE_WORK -----> [SUB_STATE_END_HANDSHAKE]
  646. * | |
  647. * | v
  648. * | WRITE_STATE_SEND
  649. * | |
  650. * | v
  651. * | WRITE_STATE_POST_WORK
  652. * | |
  653. * +-------------+
  654. *
  655. * WRITE_STATE_TRANSITION transitions the state of the handshake state machine
  656. * WRITE_STATE_PRE_WORK performs any work necessary to prepare the later
  657. * sending of the message. This could result in an NBIO event occurring in
  658. * which case control returns to the calling application. When this function
  659. * is recalled we will resume in the same state where we left off.
  660. *
  661. * WRITE_STATE_SEND sends the message and performs any work to be done after
  662. * sending.
  663. *
  664. * WRITE_STATE_POST_WORK performs any work necessary after the sending of the
  665. * message has been completed. As for WRITE_STATE_PRE_WORK this could also
  666. * result in an NBIO event.
  667. */
  668. static SUB_STATE_RETURN write_state_machine(SSL *s)
  669. {
  670. OSSL_STATEM *st = &s->statem;
  671. int ret;
  672. WRITE_TRAN(*transition) (SSL *s);
  673. WORK_STATE(*pre_work) (SSL *s, WORK_STATE wst);
  674. WORK_STATE(*post_work) (SSL *s, WORK_STATE wst);
  675. int (*get_construct_message_f) (SSL *s, WPACKET *pkt,
  676. int (**confunc) (SSL *s, WPACKET *pkt),
  677. int *mt);
  678. void (*cb) (const SSL *ssl, int type, int val) = NULL;
  679. int (*confunc) (SSL *s, WPACKET *pkt);
  680. int mt;
  681. WPACKET pkt;
  682. cb = get_callback(s);
  683. if (s->server) {
  684. transition = ossl_statem_server_write_transition;
  685. pre_work = ossl_statem_server_pre_work;
  686. post_work = ossl_statem_server_post_work;
  687. get_construct_message_f = ossl_statem_server_construct_message;
  688. } else {
  689. transition = ossl_statem_client_write_transition;
  690. pre_work = ossl_statem_client_pre_work;
  691. post_work = ossl_statem_client_post_work;
  692. get_construct_message_f = ossl_statem_client_construct_message;
  693. }
  694. while (1) {
  695. switch (st->write_state) {
  696. case WRITE_STATE_TRANSITION:
  697. if (cb != NULL) {
  698. /* Notify callback of an impending state change */
  699. if (s->server)
  700. cb(s, SSL_CB_ACCEPT_LOOP, 1);
  701. else
  702. cb(s, SSL_CB_CONNECT_LOOP, 1);
  703. }
  704. switch (transition(s)) {
  705. case WRITE_TRAN_CONTINUE:
  706. st->write_state = WRITE_STATE_PRE_WORK;
  707. st->write_state_work = WORK_MORE_A;
  708. break;
  709. case WRITE_TRAN_FINISHED:
  710. return SUB_STATE_FINISHED;
  711. break;
  712. case WRITE_TRAN_ERROR:
  713. check_fatal(s, SSL_F_WRITE_STATE_MACHINE);
  714. return SUB_STATE_ERROR;
  715. }
  716. break;
  717. case WRITE_STATE_PRE_WORK:
  718. switch (st->write_state_work = pre_work(s, st->write_state_work)) {
  719. case WORK_ERROR:
  720. check_fatal(s, SSL_F_WRITE_STATE_MACHINE);
  721. /* Fall through */
  722. case WORK_MORE_A:
  723. case WORK_MORE_B:
  724. case WORK_MORE_C:
  725. return SUB_STATE_ERROR;
  726. case WORK_FINISHED_CONTINUE:
  727. st->write_state = WRITE_STATE_SEND;
  728. break;
  729. case WORK_FINISHED_STOP:
  730. return SUB_STATE_END_HANDSHAKE;
  731. }
  732. if (!get_construct_message_f(s, &pkt, &confunc, &mt)) {
  733. /* SSLfatal() already called */
  734. return SUB_STATE_ERROR;
  735. }
  736. if (mt == SSL3_MT_DUMMY) {
  737. /* Skip construction and sending. This isn't a "real" state */
  738. st->write_state = WRITE_STATE_POST_WORK;
  739. st->write_state_work = WORK_MORE_A;
  740. break;
  741. }
  742. if (!WPACKET_init(&pkt, s->init_buf)
  743. || !ssl_set_handshake_header(s, &pkt, mt)) {
  744. WPACKET_cleanup(&pkt);
  745. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_WRITE_STATE_MACHINE,
  746. ERR_R_INTERNAL_ERROR);
  747. return SUB_STATE_ERROR;
  748. }
  749. if (confunc != NULL && !confunc(s, &pkt)) {
  750. WPACKET_cleanup(&pkt);
  751. check_fatal(s, SSL_F_WRITE_STATE_MACHINE);
  752. return SUB_STATE_ERROR;
  753. }
  754. if (!ssl_close_construct_packet(s, &pkt, mt)
  755. || !WPACKET_finish(&pkt)) {
  756. WPACKET_cleanup(&pkt);
  757. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_WRITE_STATE_MACHINE,
  758. ERR_R_INTERNAL_ERROR);
  759. return SUB_STATE_ERROR;
  760. }
  761. /* Fall through */
  762. case WRITE_STATE_SEND:
  763. if (SSL_IS_DTLS(s) && st->use_timer) {
  764. dtls1_start_timer(s);
  765. }
  766. ret = statem_do_write(s);
  767. if (ret <= 0) {
  768. return SUB_STATE_ERROR;
  769. }
  770. st->write_state = WRITE_STATE_POST_WORK;
  771. st->write_state_work = WORK_MORE_A;
  772. /* Fall through */
  773. case WRITE_STATE_POST_WORK:
  774. switch (st->write_state_work = post_work(s, st->write_state_work)) {
  775. case WORK_ERROR:
  776. check_fatal(s, SSL_F_WRITE_STATE_MACHINE);
  777. /* Fall through */
  778. case WORK_MORE_A:
  779. case WORK_MORE_B:
  780. case WORK_MORE_C:
  781. return SUB_STATE_ERROR;
  782. case WORK_FINISHED_CONTINUE:
  783. st->write_state = WRITE_STATE_TRANSITION;
  784. break;
  785. case WORK_FINISHED_STOP:
  786. return SUB_STATE_END_HANDSHAKE;
  787. }
  788. break;
  789. default:
  790. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_WRITE_STATE_MACHINE,
  791. ERR_R_INTERNAL_ERROR);
  792. return SUB_STATE_ERROR;
  793. }
  794. }
  795. }
  796. /*
  797. * Flush the write BIO
  798. */
  799. int statem_flush(SSL *s)
  800. {
  801. s->rwstate = SSL_WRITING;
  802. if (BIO_flush(s->wbio) <= 0) {
  803. return 0;
  804. }
  805. s->rwstate = SSL_NOTHING;
  806. return 1;
  807. }
  808. /*
  809. * Called by the record layer to determine whether application data is
  810. * allowed to be received in the current handshake state or not.
  811. *
  812. * Return values are:
  813. * 1: Yes (application data allowed)
  814. * 0: No (application data not allowed)
  815. */
  816. int ossl_statem_app_data_allowed(SSL *s)
  817. {
  818. OSSL_STATEM *st = &s->statem;
  819. if (st->state == MSG_FLOW_UNINITED)
  820. return 0;
  821. if (!s->s3->in_read_app_data || (s->s3->total_renegotiations == 0))
  822. return 0;
  823. if (s->server) {
  824. /*
  825. * If we're a server and we haven't got as far as writing our
  826. * ServerHello yet then we allow app data
  827. */
  828. if (st->hand_state == TLS_ST_BEFORE
  829. || st->hand_state == TLS_ST_SR_CLNT_HELLO)
  830. return 1;
  831. } else {
  832. /*
  833. * If we're a client and we haven't read the ServerHello yet then we
  834. * allow app data
  835. */
  836. if (st->hand_state == TLS_ST_CW_CLNT_HELLO)
  837. return 1;
  838. }
  839. return 0;
  840. }
  841. /*
  842. * This function returns 1 if TLS exporter is ready to export keying
  843. * material, or 0 if otherwise.
  844. */
  845. int ossl_statem_export_allowed(SSL *s)
  846. {
  847. return s->s3->previous_server_finished_len != 0
  848. && s->statem.hand_state != TLS_ST_SW_FINISHED;
  849. }
  850. /*
  851. * Return 1 if early TLS exporter is ready to export keying material,
  852. * or 0 if otherwise.
  853. */
  854. int ossl_statem_export_early_allowed(SSL *s)
  855. {
  856. /*
  857. * The early exporter secret is only present on the server if we
  858. * have accepted early_data. It is present on the client as long
  859. * as we have sent early_data.
  860. */
  861. return s->ext.early_data == SSL_EARLY_DATA_ACCEPTED
  862. || (!s->server && s->ext.early_data != SSL_EARLY_DATA_NOT_SENT);
  863. }