2
0

statem.c 30 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972
  1. /*
  2. * Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include "internal/cryptlib.h"
  10. #include <openssl/rand.h>
  11. #include "../ssl_local.h"
  12. #include "statem_local.h"
  13. #include <assert.h>
  14. /*
  15. * This file implements the SSL/TLS/DTLS state machines.
  16. *
  17. * There are two primary state machines:
  18. *
  19. * 1) Message flow state machine
  20. * 2) Handshake state machine
  21. *
  22. * The Message flow state machine controls the reading and sending of messages
  23. * including handling of non-blocking IO events, flushing of the underlying
  24. * write BIO, handling unexpected messages, etc. It is itself broken into two
  25. * separate sub-state machines which control reading and writing respectively.
  26. *
  27. * The Handshake state machine keeps track of the current SSL/TLS handshake
  28. * state. Transitions of the handshake state are the result of events that
  29. * occur within the Message flow state machine.
  30. *
  31. * Overall it looks like this:
  32. *
  33. * --------------------------------------------- -------------------
  34. * | | | |
  35. * | Message flow state machine | | |
  36. * | | | |
  37. * | -------------------- -------------------- | Transition | Handshake state |
  38. * | | MSG_FLOW_READING | | MSG_FLOW_WRITING | | Event | machine |
  39. * | | sub-state | | sub-state | |----------->| |
  40. * | | machine for | | machine for | | | |
  41. * | | reading messages | | writing messages | | | |
  42. * | -------------------- -------------------- | | |
  43. * | | | |
  44. * --------------------------------------------- -------------------
  45. *
  46. */
  47. /* Sub state machine return values */
  48. typedef enum {
  49. /* Something bad happened or NBIO */
  50. SUB_STATE_ERROR,
  51. /* Sub state finished go to the next sub state */
  52. SUB_STATE_FINISHED,
  53. /* Sub state finished and handshake was completed */
  54. SUB_STATE_END_HANDSHAKE
  55. } SUB_STATE_RETURN;
  56. static int state_machine(SSL *s, int server);
  57. static void init_read_state_machine(SSL *s);
  58. static SUB_STATE_RETURN read_state_machine(SSL *s);
  59. static void init_write_state_machine(SSL *s);
  60. static SUB_STATE_RETURN write_state_machine(SSL *s);
  61. OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl)
  62. {
  63. return ssl->statem.hand_state;
  64. }
  65. int SSL_in_init(const SSL *s)
  66. {
  67. return s->statem.in_init;
  68. }
  69. int SSL_is_init_finished(const SSL *s)
  70. {
  71. return !(s->statem.in_init) && (s->statem.hand_state == TLS_ST_OK);
  72. }
  73. int SSL_in_before(const SSL *s)
  74. {
  75. /*
  76. * Historically being "in before" meant before anything had happened. In the
  77. * current code though we remain in the "before" state for a while after we
  78. * have started the handshake process (e.g. as a server waiting for the
  79. * first message to arrive). There "in before" is taken to mean "in before"
  80. * and not started any handshake process yet.
  81. */
  82. return (s->statem.hand_state == TLS_ST_BEFORE)
  83. && (s->statem.state == MSG_FLOW_UNINITED);
  84. }
  85. /*
  86. * Clear the state machine state and reset back to MSG_FLOW_UNINITED
  87. */
  88. void ossl_statem_clear(SSL *s)
  89. {
  90. s->statem.state = MSG_FLOW_UNINITED;
  91. s->statem.hand_state = TLS_ST_BEFORE;
  92. s->statem.in_init = 1;
  93. s->statem.no_cert_verify = 0;
  94. }
  95. /*
  96. * Set the state machine up ready for a renegotiation handshake
  97. */
  98. void ossl_statem_set_renegotiate(SSL *s)
  99. {
  100. s->statem.in_init = 1;
  101. s->statem.request_state = TLS_ST_SW_HELLO_REQ;
  102. }
  103. /*
  104. * Put the state machine into an error state and send an alert if appropriate.
  105. * This is a permanent error for the current connection.
  106. */
  107. void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file,
  108. int line)
  109. {
  110. ERR_put_error(ERR_LIB_SSL, func, reason, file, line);
  111. /* We shouldn't call SSLfatal() twice. Once is enough */
  112. if (s->statem.in_init && s->statem.state == MSG_FLOW_ERROR)
  113. return;
  114. s->statem.in_init = 1;
  115. s->statem.state = MSG_FLOW_ERROR;
  116. if (al != SSL_AD_NO_ALERT
  117. && s->statem.enc_write_state != ENC_WRITE_STATE_INVALID)
  118. ssl3_send_alert(s, SSL3_AL_FATAL, al);
  119. }
  120. /*
  121. * This macro should only be called if we are already expecting to be in
  122. * a fatal error state. We verify that we are, and set it if not (this would
  123. * indicate a bug).
  124. */
  125. #define check_fatal(s, f) \
  126. do { \
  127. if (!ossl_assert((s)->statem.in_init \
  128. && (s)->statem.state == MSG_FLOW_ERROR)) \
  129. SSLfatal(s, SSL_AD_INTERNAL_ERROR, (f), \
  130. SSL_R_MISSING_FATAL); \
  131. } while (0)
  132. /*
  133. * Discover whether the current connection is in the error state.
  134. *
  135. * Valid return values are:
  136. * 1: Yes
  137. * 0: No
  138. */
  139. int ossl_statem_in_error(const SSL *s)
  140. {
  141. if (s->statem.state == MSG_FLOW_ERROR)
  142. return 1;
  143. return 0;
  144. }
  145. void ossl_statem_set_in_init(SSL *s, int init)
  146. {
  147. s->statem.in_init = init;
  148. }
  149. int ossl_statem_get_in_handshake(SSL *s)
  150. {
  151. return s->statem.in_handshake;
  152. }
  153. void ossl_statem_set_in_handshake(SSL *s, int inhand)
  154. {
  155. if (inhand)
  156. s->statem.in_handshake++;
  157. else
  158. s->statem.in_handshake--;
  159. }
  160. /* Are we in a sensible state to skip over unreadable early data? */
  161. int ossl_statem_skip_early_data(SSL *s)
  162. {
  163. if (s->ext.early_data != SSL_EARLY_DATA_REJECTED)
  164. return 0;
  165. if (!s->server
  166. || s->statem.hand_state != TLS_ST_EARLY_DATA
  167. || s->hello_retry_request == SSL_HRR_COMPLETE)
  168. return 0;
  169. return 1;
  170. }
  171. /*
  172. * Called when we are in SSL_read*(), SSL_write*(), or SSL_accept()
  173. * /SSL_connect()/SSL_do_handshake(). Used to test whether we are in an early
  174. * data state and whether we should attempt to move the handshake on if so.
  175. * |sending| is 1 if we are attempting to send data (SSL_write*()), 0 if we are
  176. * attempting to read data (SSL_read*()), or -1 if we are in SSL_do_handshake()
  177. * or similar.
  178. */
  179. void ossl_statem_check_finish_init(SSL *s, int sending)
  180. {
  181. if (sending == -1) {
  182. if (s->statem.hand_state == TLS_ST_PENDING_EARLY_DATA_END
  183. || s->statem.hand_state == TLS_ST_EARLY_DATA) {
  184. ossl_statem_set_in_init(s, 1);
  185. if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY) {
  186. /*
  187. * SSL_connect() or SSL_do_handshake() has been called directly.
  188. * We don't allow any more writing of early data.
  189. */
  190. s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING;
  191. }
  192. }
  193. } else if (!s->server) {
  194. if ((sending && (s->statem.hand_state == TLS_ST_PENDING_EARLY_DATA_END
  195. || s->statem.hand_state == TLS_ST_EARLY_DATA)
  196. && s->early_data_state != SSL_EARLY_DATA_WRITING)
  197. || (!sending && s->statem.hand_state == TLS_ST_EARLY_DATA)) {
  198. ossl_statem_set_in_init(s, 1);
  199. /*
  200. * SSL_write() has been called directly. We don't allow any more
  201. * writing of early data.
  202. */
  203. if (sending && s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY)
  204. s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING;
  205. }
  206. } else {
  207. if (s->early_data_state == SSL_EARLY_DATA_FINISHED_READING
  208. && s->statem.hand_state == TLS_ST_EARLY_DATA)
  209. ossl_statem_set_in_init(s, 1);
  210. }
  211. }
  212. void ossl_statem_set_hello_verify_done(SSL *s)
  213. {
  214. s->statem.state = MSG_FLOW_UNINITED;
  215. s->statem.in_init = 1;
  216. /*
  217. * This will get reset (briefly) back to TLS_ST_BEFORE when we enter
  218. * state_machine() because |state| is MSG_FLOW_UNINITED, but until then any
  219. * calls to SSL_in_before() will return false. Also calls to
  220. * SSL_state_string() and SSL_state_string_long() will return something
  221. * sensible.
  222. */
  223. s->statem.hand_state = TLS_ST_SR_CLNT_HELLO;
  224. }
  225. int ossl_statem_connect(SSL *s)
  226. {
  227. return state_machine(s, 0);
  228. }
  229. int ossl_statem_accept(SSL *s)
  230. {
  231. return state_machine(s, 1);
  232. }
  233. typedef void (*info_cb) (const SSL *, int, int);
  234. static info_cb get_callback(SSL *s)
  235. {
  236. if (s->info_callback != NULL)
  237. return s->info_callback;
  238. else if (s->ctx->info_callback != NULL)
  239. return s->ctx->info_callback;
  240. return NULL;
  241. }
  242. /*
  243. * The main message flow state machine. We start in the MSG_FLOW_UNINITED or
  244. * MSG_FLOW_FINISHED state and finish in MSG_FLOW_FINISHED. Valid states and
  245. * transitions are as follows:
  246. *
  247. * MSG_FLOW_UNINITED MSG_FLOW_FINISHED
  248. * | |
  249. * +-----------------------+
  250. * v
  251. * MSG_FLOW_WRITING <---> MSG_FLOW_READING
  252. * |
  253. * V
  254. * MSG_FLOW_FINISHED
  255. * |
  256. * V
  257. * [SUCCESS]
  258. *
  259. * We may exit at any point due to an error or NBIO event. If an NBIO event
  260. * occurs then we restart at the point we left off when we are recalled.
  261. * MSG_FLOW_WRITING and MSG_FLOW_READING have sub-state machines associated with them.
  262. *
  263. * In addition to the above there is also the MSG_FLOW_ERROR state. We can move
  264. * into that state at any point in the event that an irrecoverable error occurs.
  265. *
  266. * Valid return values are:
  267. * 1: Success
  268. * <=0: NBIO or error
  269. */
  270. static int state_machine(SSL *s, int server)
  271. {
  272. BUF_MEM *buf = NULL;
  273. void (*cb) (const SSL *ssl, int type, int val) = NULL;
  274. OSSL_STATEM *st = &s->statem;
  275. int ret = -1;
  276. int ssret;
  277. if (st->state == MSG_FLOW_ERROR) {
  278. /* Shouldn't have been called if we're already in the error state */
  279. return -1;
  280. }
  281. ERR_clear_error();
  282. clear_sys_error();
  283. cb = get_callback(s);
  284. st->in_handshake++;
  285. if (!SSL_in_init(s) || SSL_in_before(s)) {
  286. /*
  287. * If we are stateless then we already called SSL_clear() - don't do
  288. * it again and clear the STATELESS flag itself.
  289. */
  290. if ((s->s3->flags & TLS1_FLAGS_STATELESS) == 0 && !SSL_clear(s))
  291. return -1;
  292. }
  293. #ifndef OPENSSL_NO_SCTP
  294. if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) {
  295. /*
  296. * Notify SCTP BIO socket to enter handshake mode and prevent stream
  297. * identifier other than 0.
  298. */
  299. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
  300. st->in_handshake, NULL);
  301. }
  302. #endif
  303. /* Initialise state machine */
  304. if (st->state == MSG_FLOW_UNINITED
  305. || st->state == MSG_FLOW_FINISHED) {
  306. if (st->state == MSG_FLOW_UNINITED) {
  307. st->hand_state = TLS_ST_BEFORE;
  308. st->request_state = TLS_ST_BEFORE;
  309. }
  310. s->server = server;
  311. if (cb != NULL) {
  312. if (SSL_IS_FIRST_HANDSHAKE(s) || !SSL_IS_TLS13(s))
  313. cb(s, SSL_CB_HANDSHAKE_START, 1);
  314. }
  315. /*
  316. * Fatal errors in this block don't send an alert because we have
  317. * failed to even initialise properly. Sending an alert is probably
  318. * doomed to failure.
  319. */
  320. if (SSL_IS_DTLS(s)) {
  321. if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00) &&
  322. (server || (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00))) {
  323. SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE,
  324. ERR_R_INTERNAL_ERROR);
  325. goto end;
  326. }
  327. } else {
  328. if ((s->version >> 8) != SSL3_VERSION_MAJOR) {
  329. SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE,
  330. ERR_R_INTERNAL_ERROR);
  331. goto end;
  332. }
  333. }
  334. if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) {
  335. SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE,
  336. ERR_R_INTERNAL_ERROR);
  337. goto end;
  338. }
  339. if (s->init_buf == NULL) {
  340. if ((buf = BUF_MEM_new()) == NULL) {
  341. SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE,
  342. ERR_R_INTERNAL_ERROR);
  343. goto end;
  344. }
  345. if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
  346. SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE,
  347. ERR_R_INTERNAL_ERROR);
  348. goto end;
  349. }
  350. s->init_buf = buf;
  351. buf = NULL;
  352. }
  353. if (!ssl3_setup_buffers(s)) {
  354. SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE,
  355. ERR_R_INTERNAL_ERROR);
  356. goto end;
  357. }
  358. s->init_num = 0;
  359. /*
  360. * Should have been reset by tls_process_finished, too.
  361. */
  362. s->s3->change_cipher_spec = 0;
  363. /*
  364. * Ok, we now need to push on a buffering BIO ...but not with
  365. * SCTP
  366. */
  367. #ifndef OPENSSL_NO_SCTP
  368. if (!SSL_IS_DTLS(s) || !BIO_dgram_is_sctp(SSL_get_wbio(s)))
  369. #endif
  370. if (!ssl_init_wbio_buffer(s)) {
  371. SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE,
  372. ERR_R_INTERNAL_ERROR);
  373. goto end;
  374. }
  375. if ((SSL_in_before(s))
  376. || s->renegotiate) {
  377. if (!tls_setup_handshake(s)) {
  378. /* SSLfatal() already called */
  379. goto end;
  380. }
  381. if (SSL_IS_FIRST_HANDSHAKE(s))
  382. st->read_state_first_init = 1;
  383. }
  384. st->state = MSG_FLOW_WRITING;
  385. init_write_state_machine(s);
  386. }
  387. while (st->state != MSG_FLOW_FINISHED) {
  388. if (st->state == MSG_FLOW_READING) {
  389. ssret = read_state_machine(s);
  390. if (ssret == SUB_STATE_FINISHED) {
  391. st->state = MSG_FLOW_WRITING;
  392. init_write_state_machine(s);
  393. } else {
  394. /* NBIO or error */
  395. goto end;
  396. }
  397. } else if (st->state == MSG_FLOW_WRITING) {
  398. ssret = write_state_machine(s);
  399. if (ssret == SUB_STATE_FINISHED) {
  400. st->state = MSG_FLOW_READING;
  401. init_read_state_machine(s);
  402. } else if (ssret == SUB_STATE_END_HANDSHAKE) {
  403. st->state = MSG_FLOW_FINISHED;
  404. } else {
  405. /* NBIO or error */
  406. goto end;
  407. }
  408. } else {
  409. /* Error */
  410. check_fatal(s, SSL_F_STATE_MACHINE);
  411. SSLerr(SSL_F_STATE_MACHINE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
  412. goto end;
  413. }
  414. }
  415. ret = 1;
  416. end:
  417. st->in_handshake--;
  418. #ifndef OPENSSL_NO_SCTP
  419. if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) {
  420. /*
  421. * Notify SCTP BIO socket to leave handshake mode and allow stream
  422. * identifier other than 0.
  423. */
  424. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
  425. st->in_handshake, NULL);
  426. }
  427. #endif
  428. BUF_MEM_free(buf);
  429. if (cb != NULL) {
  430. if (server)
  431. cb(s, SSL_CB_ACCEPT_EXIT, ret);
  432. else
  433. cb(s, SSL_CB_CONNECT_EXIT, ret);
  434. }
  435. return ret;
  436. }
  437. /*
  438. * Initialise the MSG_FLOW_READING sub-state machine
  439. */
  440. static void init_read_state_machine(SSL *s)
  441. {
  442. OSSL_STATEM *st = &s->statem;
  443. st->read_state = READ_STATE_HEADER;
  444. }
  445. static int grow_init_buf(SSL *s, size_t size) {
  446. size_t msg_offset = (char *)s->init_msg - s->init_buf->data;
  447. if (!BUF_MEM_grow_clean(s->init_buf, (int)size))
  448. return 0;
  449. if (size < msg_offset)
  450. return 0;
  451. s->init_msg = s->init_buf->data + msg_offset;
  452. return 1;
  453. }
  454. /*
  455. * This function implements the sub-state machine when the message flow is in
  456. * MSG_FLOW_READING. The valid sub-states and transitions are:
  457. *
  458. * READ_STATE_HEADER <--+<-------------+
  459. * | | |
  460. * v | |
  461. * READ_STATE_BODY -----+-->READ_STATE_POST_PROCESS
  462. * | |
  463. * +----------------------------+
  464. * v
  465. * [SUB_STATE_FINISHED]
  466. *
  467. * READ_STATE_HEADER has the responsibility for reading in the message header
  468. * and transitioning the state of the handshake state machine.
  469. *
  470. * READ_STATE_BODY reads in the rest of the message and then subsequently
  471. * processes it.
  472. *
  473. * READ_STATE_POST_PROCESS is an optional step that may occur if some post
  474. * processing activity performed on the message may block.
  475. *
  476. * Any of the above states could result in an NBIO event occurring in which case
  477. * control returns to the calling application. When this function is recalled we
  478. * will resume in the same state where we left off.
  479. */
  480. static SUB_STATE_RETURN read_state_machine(SSL *s)
  481. {
  482. OSSL_STATEM *st = &s->statem;
  483. int ret, mt;
  484. size_t len = 0;
  485. int (*transition) (SSL *s, int mt);
  486. PACKET pkt;
  487. MSG_PROCESS_RETURN(*process_message) (SSL *s, PACKET *pkt);
  488. WORK_STATE(*post_process_message) (SSL *s, WORK_STATE wst);
  489. size_t (*max_message_size) (SSL *s);
  490. void (*cb) (const SSL *ssl, int type, int val) = NULL;
  491. cb = get_callback(s);
  492. if (s->server) {
  493. transition = ossl_statem_server_read_transition;
  494. process_message = ossl_statem_server_process_message;
  495. max_message_size = ossl_statem_server_max_message_size;
  496. post_process_message = ossl_statem_server_post_process_message;
  497. } else {
  498. transition = ossl_statem_client_read_transition;
  499. process_message = ossl_statem_client_process_message;
  500. max_message_size = ossl_statem_client_max_message_size;
  501. post_process_message = ossl_statem_client_post_process_message;
  502. }
  503. if (st->read_state_first_init) {
  504. s->first_packet = 1;
  505. st->read_state_first_init = 0;
  506. }
  507. while (1) {
  508. switch (st->read_state) {
  509. case READ_STATE_HEADER:
  510. /* Get the state the peer wants to move to */
  511. if (SSL_IS_DTLS(s)) {
  512. /*
  513. * In DTLS we get the whole message in one go - header and body
  514. */
  515. ret = dtls_get_message(s, &mt, &len);
  516. } else {
  517. ret = tls_get_message_header(s, &mt);
  518. }
  519. if (ret == 0) {
  520. /* Could be non-blocking IO */
  521. return SUB_STATE_ERROR;
  522. }
  523. if (cb != NULL) {
  524. /* Notify callback of an impending state change */
  525. if (s->server)
  526. cb(s, SSL_CB_ACCEPT_LOOP, 1);
  527. else
  528. cb(s, SSL_CB_CONNECT_LOOP, 1);
  529. }
  530. /*
  531. * Validate that we are allowed to move to the new state and move
  532. * to that state if so
  533. */
  534. if (!transition(s, mt))
  535. return SUB_STATE_ERROR;
  536. if (s->s3->tmp.message_size > max_message_size(s)) {
  537. SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_READ_STATE_MACHINE,
  538. SSL_R_EXCESSIVE_MESSAGE_SIZE);
  539. return SUB_STATE_ERROR;
  540. }
  541. /* dtls_get_message already did this */
  542. if (!SSL_IS_DTLS(s)
  543. && s->s3->tmp.message_size > 0
  544. && !grow_init_buf(s, s->s3->tmp.message_size
  545. + SSL3_HM_HEADER_LENGTH)) {
  546. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_READ_STATE_MACHINE,
  547. ERR_R_BUF_LIB);
  548. return SUB_STATE_ERROR;
  549. }
  550. st->read_state = READ_STATE_BODY;
  551. /* Fall through */
  552. case READ_STATE_BODY:
  553. if (!SSL_IS_DTLS(s)) {
  554. /* We already got this above for DTLS */
  555. ret = tls_get_message_body(s, &len);
  556. if (ret == 0) {
  557. /* Could be non-blocking IO */
  558. return SUB_STATE_ERROR;
  559. }
  560. }
  561. s->first_packet = 0;
  562. if (!PACKET_buf_init(&pkt, s->init_msg, len)) {
  563. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_READ_STATE_MACHINE,
  564. ERR_R_INTERNAL_ERROR);
  565. return SUB_STATE_ERROR;
  566. }
  567. ret = process_message(s, &pkt);
  568. /* Discard the packet data */
  569. s->init_num = 0;
  570. switch (ret) {
  571. case MSG_PROCESS_ERROR:
  572. check_fatal(s, SSL_F_READ_STATE_MACHINE);
  573. return SUB_STATE_ERROR;
  574. case MSG_PROCESS_FINISHED_READING:
  575. if (SSL_IS_DTLS(s)) {
  576. dtls1_stop_timer(s);
  577. }
  578. return SUB_STATE_FINISHED;
  579. case MSG_PROCESS_CONTINUE_PROCESSING:
  580. st->read_state = READ_STATE_POST_PROCESS;
  581. st->read_state_work = WORK_MORE_A;
  582. break;
  583. default:
  584. st->read_state = READ_STATE_HEADER;
  585. break;
  586. }
  587. break;
  588. case READ_STATE_POST_PROCESS:
  589. st->read_state_work = post_process_message(s, st->read_state_work);
  590. switch (st->read_state_work) {
  591. case WORK_ERROR:
  592. check_fatal(s, SSL_F_READ_STATE_MACHINE);
  593. /* Fall through */
  594. case WORK_MORE_A:
  595. case WORK_MORE_B:
  596. case WORK_MORE_C:
  597. return SUB_STATE_ERROR;
  598. case WORK_FINISHED_CONTINUE:
  599. st->read_state = READ_STATE_HEADER;
  600. break;
  601. case WORK_FINISHED_STOP:
  602. if (SSL_IS_DTLS(s)) {
  603. dtls1_stop_timer(s);
  604. }
  605. return SUB_STATE_FINISHED;
  606. }
  607. break;
  608. default:
  609. /* Shouldn't happen */
  610. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_READ_STATE_MACHINE,
  611. ERR_R_INTERNAL_ERROR);
  612. return SUB_STATE_ERROR;
  613. }
  614. }
  615. }
  616. /*
  617. * Send a previously constructed message to the peer.
  618. */
  619. static int statem_do_write(SSL *s)
  620. {
  621. OSSL_STATEM *st = &s->statem;
  622. if (st->hand_state == TLS_ST_CW_CHANGE
  623. || st->hand_state == TLS_ST_SW_CHANGE) {
  624. if (SSL_IS_DTLS(s))
  625. return dtls1_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);
  626. else
  627. return ssl3_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);
  628. } else {
  629. return ssl_do_write(s);
  630. }
  631. }
  632. /*
  633. * Initialise the MSG_FLOW_WRITING sub-state machine
  634. */
  635. static void init_write_state_machine(SSL *s)
  636. {
  637. OSSL_STATEM *st = &s->statem;
  638. st->write_state = WRITE_STATE_TRANSITION;
  639. }
  640. /*
  641. * This function implements the sub-state machine when the message flow is in
  642. * MSG_FLOW_WRITING. The valid sub-states and transitions are:
  643. *
  644. * +-> WRITE_STATE_TRANSITION ------> [SUB_STATE_FINISHED]
  645. * | |
  646. * | v
  647. * | WRITE_STATE_PRE_WORK -----> [SUB_STATE_END_HANDSHAKE]
  648. * | |
  649. * | v
  650. * | WRITE_STATE_SEND
  651. * | |
  652. * | v
  653. * | WRITE_STATE_POST_WORK
  654. * | |
  655. * +-------------+
  656. *
  657. * WRITE_STATE_TRANSITION transitions the state of the handshake state machine
  658. * WRITE_STATE_PRE_WORK performs any work necessary to prepare the later
  659. * sending of the message. This could result in an NBIO event occurring in
  660. * which case control returns to the calling application. When this function
  661. * is recalled we will resume in the same state where we left off.
  662. *
  663. * WRITE_STATE_SEND sends the message and performs any work to be done after
  664. * sending.
  665. *
  666. * WRITE_STATE_POST_WORK performs any work necessary after the sending of the
  667. * message has been completed. As for WRITE_STATE_PRE_WORK this could also
  668. * result in an NBIO event.
  669. */
  670. static SUB_STATE_RETURN write_state_machine(SSL *s)
  671. {
  672. OSSL_STATEM *st = &s->statem;
  673. int ret;
  674. WRITE_TRAN(*transition) (SSL *s);
  675. WORK_STATE(*pre_work) (SSL *s, WORK_STATE wst);
  676. WORK_STATE(*post_work) (SSL *s, WORK_STATE wst);
  677. int (*get_construct_message_f) (SSL *s, WPACKET *pkt,
  678. int (**confunc) (SSL *s, WPACKET *pkt),
  679. int *mt);
  680. void (*cb) (const SSL *ssl, int type, int val) = NULL;
  681. int (*confunc) (SSL *s, WPACKET *pkt);
  682. int mt;
  683. WPACKET pkt;
  684. cb = get_callback(s);
  685. if (s->server) {
  686. transition = ossl_statem_server_write_transition;
  687. pre_work = ossl_statem_server_pre_work;
  688. post_work = ossl_statem_server_post_work;
  689. get_construct_message_f = ossl_statem_server_construct_message;
  690. } else {
  691. transition = ossl_statem_client_write_transition;
  692. pre_work = ossl_statem_client_pre_work;
  693. post_work = ossl_statem_client_post_work;
  694. get_construct_message_f = ossl_statem_client_construct_message;
  695. }
  696. while (1) {
  697. switch (st->write_state) {
  698. case WRITE_STATE_TRANSITION:
  699. if (cb != NULL) {
  700. /* Notify callback of an impending state change */
  701. if (s->server)
  702. cb(s, SSL_CB_ACCEPT_LOOP, 1);
  703. else
  704. cb(s, SSL_CB_CONNECT_LOOP, 1);
  705. }
  706. switch (transition(s)) {
  707. case WRITE_TRAN_CONTINUE:
  708. st->write_state = WRITE_STATE_PRE_WORK;
  709. st->write_state_work = WORK_MORE_A;
  710. break;
  711. case WRITE_TRAN_FINISHED:
  712. return SUB_STATE_FINISHED;
  713. break;
  714. case WRITE_TRAN_ERROR:
  715. check_fatal(s, SSL_F_WRITE_STATE_MACHINE);
  716. return SUB_STATE_ERROR;
  717. }
  718. break;
  719. case WRITE_STATE_PRE_WORK:
  720. switch (st->write_state_work = pre_work(s, st->write_state_work)) {
  721. case WORK_ERROR:
  722. check_fatal(s, SSL_F_WRITE_STATE_MACHINE);
  723. /* Fall through */
  724. case WORK_MORE_A:
  725. case WORK_MORE_B:
  726. case WORK_MORE_C:
  727. return SUB_STATE_ERROR;
  728. case WORK_FINISHED_CONTINUE:
  729. st->write_state = WRITE_STATE_SEND;
  730. break;
  731. case WORK_FINISHED_STOP:
  732. return SUB_STATE_END_HANDSHAKE;
  733. }
  734. if (!get_construct_message_f(s, &pkt, &confunc, &mt)) {
  735. /* SSLfatal() already called */
  736. return SUB_STATE_ERROR;
  737. }
  738. if (mt == SSL3_MT_DUMMY) {
  739. /* Skip construction and sending. This isn't a "real" state */
  740. st->write_state = WRITE_STATE_POST_WORK;
  741. st->write_state_work = WORK_MORE_A;
  742. break;
  743. }
  744. if (!WPACKET_init(&pkt, s->init_buf)
  745. || !ssl_set_handshake_header(s, &pkt, mt)) {
  746. WPACKET_cleanup(&pkt);
  747. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_WRITE_STATE_MACHINE,
  748. ERR_R_INTERNAL_ERROR);
  749. return SUB_STATE_ERROR;
  750. }
  751. if (confunc != NULL && !confunc(s, &pkt)) {
  752. WPACKET_cleanup(&pkt);
  753. check_fatal(s, SSL_F_WRITE_STATE_MACHINE);
  754. return SUB_STATE_ERROR;
  755. }
  756. if (!ssl_close_construct_packet(s, &pkt, mt)
  757. || !WPACKET_finish(&pkt)) {
  758. WPACKET_cleanup(&pkt);
  759. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_WRITE_STATE_MACHINE,
  760. ERR_R_INTERNAL_ERROR);
  761. return SUB_STATE_ERROR;
  762. }
  763. /* Fall through */
  764. case WRITE_STATE_SEND:
  765. if (SSL_IS_DTLS(s) && st->use_timer) {
  766. dtls1_start_timer(s);
  767. }
  768. ret = statem_do_write(s);
  769. if (ret <= 0) {
  770. return SUB_STATE_ERROR;
  771. }
  772. st->write_state = WRITE_STATE_POST_WORK;
  773. st->write_state_work = WORK_MORE_A;
  774. /* Fall through */
  775. case WRITE_STATE_POST_WORK:
  776. switch (st->write_state_work = post_work(s, st->write_state_work)) {
  777. case WORK_ERROR:
  778. check_fatal(s, SSL_F_WRITE_STATE_MACHINE);
  779. /* Fall through */
  780. case WORK_MORE_A:
  781. case WORK_MORE_B:
  782. case WORK_MORE_C:
  783. return SUB_STATE_ERROR;
  784. case WORK_FINISHED_CONTINUE:
  785. st->write_state = WRITE_STATE_TRANSITION;
  786. break;
  787. case WORK_FINISHED_STOP:
  788. return SUB_STATE_END_HANDSHAKE;
  789. }
  790. break;
  791. default:
  792. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_WRITE_STATE_MACHINE,
  793. ERR_R_INTERNAL_ERROR);
  794. return SUB_STATE_ERROR;
  795. }
  796. }
  797. }
  798. /*
  799. * Flush the write BIO
  800. */
  801. int statem_flush(SSL *s)
  802. {
  803. s->rwstate = SSL_WRITING;
  804. if (BIO_flush(s->wbio) <= 0) {
  805. return 0;
  806. }
  807. s->rwstate = SSL_NOTHING;
  808. return 1;
  809. }
  810. /*
  811. * Called by the record layer to determine whether application data is
  812. * allowed to be received in the current handshake state or not.
  813. *
  814. * Return values are:
  815. * 1: Yes (application data allowed)
  816. * 0: No (application data not allowed)
  817. */
  818. int ossl_statem_app_data_allowed(SSL *s)
  819. {
  820. OSSL_STATEM *st = &s->statem;
  821. if (st->state == MSG_FLOW_UNINITED)
  822. return 0;
  823. if (!s->s3->in_read_app_data || (s->s3->total_renegotiations == 0))
  824. return 0;
  825. if (s->server) {
  826. /*
  827. * If we're a server and we haven't got as far as writing our
  828. * ServerHello yet then we allow app data
  829. */
  830. if (st->hand_state == TLS_ST_BEFORE
  831. || st->hand_state == TLS_ST_SR_CLNT_HELLO)
  832. return 1;
  833. } else {
  834. /*
  835. * If we're a client and we haven't read the ServerHello yet then we
  836. * allow app data
  837. */
  838. if (st->hand_state == TLS_ST_CW_CLNT_HELLO)
  839. return 1;
  840. }
  841. return 0;
  842. }
  843. /*
  844. * This function returns 1 if TLS exporter is ready to export keying
  845. * material, or 0 if otherwise.
  846. */
  847. int ossl_statem_export_allowed(SSL *s)
  848. {
  849. return s->s3->previous_server_finished_len != 0
  850. && s->statem.hand_state != TLS_ST_SW_FINISHED;
  851. }
  852. /*
  853. * Return 1 if early TLS exporter is ready to export keying material,
  854. * or 0 if otherwise.
  855. */
  856. int ossl_statem_export_early_allowed(SSL *s)
  857. {
  858. /*
  859. * The early exporter secret is only present on the server if we
  860. * have accepted early_data. It is present on the client as long
  861. * as we have sent early_data.
  862. */
  863. return s->ext.early_data == SSL_EARLY_DATA_ACCEPTED
  864. || (!s->server && s->ext.early_data != SSL_EARLY_DATA_NOT_SENT);
  865. }