[331] | 1 | /*
|
---|
| 2 | * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
|
---|
| 3 | *
|
---|
| 4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
---|
| 5 | * this file except in compliance with the License. You can obtain a copy
|
---|
| 6 | * in the file LICENSE in the source distribution or at
|
---|
| 7 | * https://www.openssl.org/source/license.html
|
---|
| 8 | */
|
---|
| 9 |
|
---|
| 10 | #include <openssl/rand.h>
|
---|
| 11 | #include "../ssl_locl.h"
|
---|
| 12 | #include "statem_locl.h"
|
---|
| 13 |
|
---|
| 14 | /*
|
---|
| 15 | * This file implements the SSL/TLS/DTLS state machines.
|
---|
| 16 | *
|
---|
| 17 | * There are two primary state machines:
|
---|
| 18 | *
|
---|
| 19 | * 1) Message flow state machine
|
---|
| 20 | * 2) Handshake state machine
|
---|
| 21 | *
|
---|
| 22 | * The Message flow state machine controls the reading and sending of messages
|
---|
| 23 | * including handling of non-blocking IO events, flushing of the underlying
|
---|
| 24 | * write BIO, handling unexpected messages, etc. It is itself broken into two
|
---|
| 25 | * separate sub-state machines which control reading and writing respectively.
|
---|
| 26 | *
|
---|
| 27 | * The Handshake state machine keeps track of the current SSL/TLS handshake
|
---|
| 28 | * state. Transitions of the handshake state are the result of events that
|
---|
| 29 | * occur within the Message flow state machine.
|
---|
| 30 | *
|
---|
| 31 | * Overall it looks like this:
|
---|
| 32 | *
|
---|
| 33 | * --------------------------------------------- -------------------
|
---|
| 34 | * | | | |
|
---|
| 35 | * | Message flow state machine | | |
|
---|
| 36 | * | | | |
|
---|
| 37 | * | -------------------- -------------------- | Transition | Handshake state |
|
---|
| 38 | * | | MSG_FLOW_READING | | MSG_FLOW_WRITING | | Event | machine |
|
---|
| 39 | * | | sub-state | | sub-state | |----------->| |
|
---|
| 40 | * | | machine for | | machine for | | | |
|
---|
| 41 | * | | reading messages | | writing messages | | | |
|
---|
| 42 | * | -------------------- -------------------- | | |
|
---|
| 43 | * | | | |
|
---|
| 44 | * --------------------------------------------- -------------------
|
---|
| 45 | *
|
---|
| 46 | */
|
---|
| 47 |
|
---|
| 48 | /* Sub state machine return values */
|
---|
| 49 | typedef enum {
|
---|
| 50 | /* Something bad happened or NBIO */
|
---|
| 51 | SUB_STATE_ERROR,
|
---|
| 52 | /* Sub state finished go to the next sub state */
|
---|
| 53 | SUB_STATE_FINISHED,
|
---|
| 54 | /* Sub state finished and handshake was completed */
|
---|
| 55 | SUB_STATE_END_HANDSHAKE
|
---|
| 56 | } SUB_STATE_RETURN;
|
---|
| 57 |
|
---|
| 58 | static int state_machine(SSL *s, int server);
|
---|
| 59 | static void init_read_state_machine(SSL *s);
|
---|
| 60 | static SUB_STATE_RETURN read_state_machine(SSL *s);
|
---|
| 61 | static void init_write_state_machine(SSL *s);
|
---|
| 62 | static SUB_STATE_RETURN write_state_machine(SSL *s);
|
---|
| 63 |
|
---|
| 64 | OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl)
|
---|
| 65 | {
|
---|
| 66 | return ssl->statem.hand_state;
|
---|
| 67 | }
|
---|
| 68 |
|
---|
| 69 | int SSL_in_init(SSL *s)
|
---|
| 70 | {
|
---|
| 71 | return s->statem.in_init;
|
---|
| 72 | }
|
---|
| 73 |
|
---|
| 74 | int SSL_is_init_finished(SSL *s)
|
---|
| 75 | {
|
---|
| 76 | return !(s->statem.in_init) && (s->statem.hand_state == TLS_ST_OK);
|
---|
| 77 | }
|
---|
| 78 |
|
---|
| 79 | int SSL_in_before(SSL *s)
|
---|
| 80 | {
|
---|
| 81 | /*
|
---|
| 82 | * Historically being "in before" meant before anything had happened. In the
|
---|
| 83 | * current code though we remain in the "before" state for a while after we
|
---|
| 84 | * have started the handshake process (e.g. as a server waiting for the
|
---|
| 85 | * first message to arrive). There "in before" is taken to mean "in before"
|
---|
| 86 | * and not started any handshake process yet.
|
---|
| 87 | */
|
---|
| 88 | return (s->statem.hand_state == TLS_ST_BEFORE)
|
---|
| 89 | && (s->statem.state == MSG_FLOW_UNINITED);
|
---|
| 90 | }
|
---|
| 91 |
|
---|
| 92 | /*
|
---|
| 93 | * Clear the state machine state and reset back to MSG_FLOW_UNINITED
|
---|
| 94 | */
|
---|
| 95 | void ossl_statem_clear(SSL *s)
|
---|
| 96 | {
|
---|
| 97 | s->statem.state = MSG_FLOW_UNINITED;
|
---|
| 98 | s->statem.hand_state = TLS_ST_BEFORE;
|
---|
| 99 | s->statem.in_init = 1;
|
---|
| 100 | s->statem.no_cert_verify = 0;
|
---|
| 101 | }
|
---|
| 102 |
|
---|
| 103 | /*
|
---|
| 104 | * Set the state machine up ready for a renegotiation handshake
|
---|
| 105 | */
|
---|
| 106 | void ossl_statem_set_renegotiate(SSL *s)
|
---|
| 107 | {
|
---|
| 108 | s->statem.state = MSG_FLOW_RENEGOTIATE;
|
---|
| 109 | s->statem.in_init = 1;
|
---|
| 110 | }
|
---|
| 111 |
|
---|
| 112 | /*
|
---|
| 113 | * Put the state machine into an error state. This is a permanent error for
|
---|
| 114 | * the current connection.
|
---|
| 115 | */
|
---|
| 116 | void ossl_statem_set_error(SSL *s)
|
---|
| 117 | {
|
---|
| 118 | s->statem.state = MSG_FLOW_ERROR;
|
---|
| 119 | }
|
---|
| 120 |
|
---|
| 121 | /*
|
---|
| 122 | * Discover whether the current connection is in the error state.
|
---|
| 123 | *
|
---|
| 124 | * Valid return values are:
|
---|
| 125 | * 1: Yes
|
---|
| 126 | * 0: No
|
---|
| 127 | */
|
---|
| 128 | int ossl_statem_in_error(const SSL *s)
|
---|
| 129 | {
|
---|
| 130 | if (s->statem.state == MSG_FLOW_ERROR)
|
---|
| 131 | return 1;
|
---|
| 132 |
|
---|
| 133 | return 0;
|
---|
| 134 | }
|
---|
| 135 |
|
---|
| 136 | void ossl_statem_set_in_init(SSL *s, int init)
|
---|
| 137 | {
|
---|
| 138 | s->statem.in_init = init;
|
---|
| 139 | }
|
---|
| 140 |
|
---|
| 141 | int ossl_statem_get_in_handshake(SSL *s)
|
---|
| 142 | {
|
---|
| 143 | return s->statem.in_handshake;
|
---|
| 144 | }
|
---|
| 145 |
|
---|
| 146 | void ossl_statem_set_in_handshake(SSL *s, int inhand)
|
---|
| 147 | {
|
---|
| 148 | if (inhand)
|
---|
| 149 | s->statem.in_handshake++;
|
---|
| 150 | else
|
---|
| 151 | s->statem.in_handshake--;
|
---|
| 152 | }
|
---|
| 153 |
|
---|
| 154 | void ossl_statem_set_hello_verify_done(SSL *s)
|
---|
| 155 | {
|
---|
| 156 | s->statem.state = MSG_FLOW_UNINITED;
|
---|
| 157 | s->statem.in_init = 1;
|
---|
| 158 | /*
|
---|
| 159 | * This will get reset (briefly) back to TLS_ST_BEFORE when we enter
|
---|
| 160 | * state_machine() because |state| is MSG_FLOW_UNINITED, but until then any
|
---|
| 161 | * calls to SSL_in_before() will return false. Also calls to
|
---|
| 162 | * SSL_state_string() and SSL_state_string_long() will return something
|
---|
| 163 | * sensible.
|
---|
| 164 | */
|
---|
| 165 | s->statem.hand_state = TLS_ST_SR_CLNT_HELLO;
|
---|
| 166 | }
|
---|
| 167 |
|
---|
| 168 | int ossl_statem_connect(SSL *s)
|
---|
| 169 | {
|
---|
| 170 | return state_machine(s, 0);
|
---|
| 171 | }
|
---|
| 172 |
|
---|
| 173 | int ossl_statem_accept(SSL *s)
|
---|
| 174 | {
|
---|
| 175 | return state_machine(s, 1);
|
---|
| 176 | }
|
---|
| 177 |
|
---|
| 178 | typedef void (*info_cb) (const SSL *, int, int);
|
---|
| 179 |
|
---|
| 180 | static info_cb get_callback(SSL *s)
|
---|
| 181 | {
|
---|
| 182 | if (s->info_callback != NULL)
|
---|
| 183 | return s->info_callback;
|
---|
| 184 | else if (s->ctx->info_callback != NULL)
|
---|
| 185 | return s->ctx->info_callback;
|
---|
| 186 |
|
---|
| 187 | return NULL;
|
---|
| 188 | }
|
---|
| 189 |
|
---|
| 190 | /*
|
---|
| 191 | * The main message flow state machine. We start in the MSG_FLOW_UNINITED or
|
---|
| 192 | * MSG_FLOW_RENEGOTIATE state and finish in MSG_FLOW_FINISHED. Valid states and
|
---|
| 193 | * transitions are as follows:
|
---|
| 194 | *
|
---|
| 195 | * MSG_FLOW_UNINITED MSG_FLOW_RENEGOTIATE
|
---|
| 196 | * | |
|
---|
| 197 | * +-----------------------+
|
---|
| 198 | * v
|
---|
| 199 | * MSG_FLOW_WRITING <---> MSG_FLOW_READING
|
---|
| 200 | * |
|
---|
| 201 | * V
|
---|
| 202 | * MSG_FLOW_FINISHED
|
---|
| 203 | * |
|
---|
| 204 | * V
|
---|
| 205 | * [SUCCESS]
|
---|
| 206 | *
|
---|
| 207 | * We may exit at any point due to an error or NBIO event. If an NBIO event
|
---|
| 208 | * occurs then we restart at the point we left off when we are recalled.
|
---|
| 209 | * MSG_FLOW_WRITING and MSG_FLOW_READING have sub-state machines associated with them.
|
---|
| 210 | *
|
---|
| 211 | * In addition to the above there is also the MSG_FLOW_ERROR state. We can move
|
---|
| 212 | * into that state at any point in the event that an irrecoverable error occurs.
|
---|
| 213 | *
|
---|
| 214 | * Valid return values are:
|
---|
| 215 | * 1: Success
|
---|
| 216 | * <=0: NBIO or error
|
---|
| 217 | */
|
---|
| 218 | static int state_machine(SSL *s, int server)
|
---|
| 219 | {
|
---|
| 220 | BUF_MEM *buf = NULL;
|
---|
| 221 | unsigned long Time = (unsigned long)time(NULL);
|
---|
| 222 | void (*cb) (const SSL *ssl, int type, int val) = NULL;
|
---|
| 223 | OSSL_STATEM *st = &s->statem;
|
---|
| 224 | int ret = -1;
|
---|
| 225 | int ssret;
|
---|
| 226 |
|
---|
| 227 | if (st->state == MSG_FLOW_ERROR) {
|
---|
| 228 | /* Shouldn't have been called if we're already in the error state */
|
---|
| 229 | return -1;
|
---|
| 230 | }
|
---|
| 231 |
|
---|
| 232 | RAND_add(&Time, sizeof(Time), 0);
|
---|
| 233 | ERR_clear_error();
|
---|
| 234 | clear_sys_error();
|
---|
| 235 |
|
---|
| 236 | cb = get_callback(s);
|
---|
| 237 |
|
---|
| 238 | st->in_handshake++;
|
---|
| 239 | if (!SSL_in_init(s) || SSL_in_before(s)) {
|
---|
| 240 | if (!SSL_clear(s))
|
---|
| 241 | return -1;
|
---|
| 242 | }
|
---|
| 243 | #ifndef OPENSSL_NO_SCTP
|
---|
| 244 | if (SSL_IS_DTLS(s)) {
|
---|
| 245 | /*
|
---|
| 246 | * Notify SCTP BIO socket to enter handshake mode and prevent stream
|
---|
| 247 | * identifier other than 0. Will be ignored if no SCTP is used.
|
---|
| 248 | */
|
---|
| 249 | BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
|
---|
| 250 | st->in_handshake, NULL);
|
---|
| 251 | }
|
---|
| 252 | #endif
|
---|
| 253 |
|
---|
| 254 | #ifndef OPENSSL_NO_HEARTBEATS
|
---|
| 255 | /*
|
---|
| 256 | * If we're awaiting a HeartbeatResponse, pretend we already got and
|
---|
| 257 | * don't await it anymore, because Heartbeats don't make sense during
|
---|
| 258 | * handshakes anyway.
|
---|
| 259 | */
|
---|
| 260 | if (s->tlsext_hb_pending) {
|
---|
| 261 | if (SSL_IS_DTLS(s))
|
---|
| 262 | dtls1_stop_timer(s);
|
---|
| 263 | s->tlsext_hb_pending = 0;
|
---|
| 264 | s->tlsext_hb_seq++;
|
---|
| 265 | }
|
---|
| 266 | #endif
|
---|
| 267 |
|
---|
| 268 | /* Initialise state machine */
|
---|
| 269 |
|
---|
| 270 | if (st->state == MSG_FLOW_RENEGOTIATE) {
|
---|
| 271 | s->renegotiate = 1;
|
---|
| 272 | if (!server)
|
---|
| 273 | s->ctx->stats.sess_connect_renegotiate++;
|
---|
| 274 | }
|
---|
| 275 |
|
---|
| 276 | if (st->state == MSG_FLOW_UNINITED || st->state == MSG_FLOW_RENEGOTIATE) {
|
---|
| 277 | if (st->state == MSG_FLOW_UNINITED) {
|
---|
| 278 | st->hand_state = TLS_ST_BEFORE;
|
---|
| 279 | }
|
---|
| 280 |
|
---|
| 281 | s->server = server;
|
---|
| 282 | if (cb != NULL)
|
---|
| 283 | cb(s, SSL_CB_HANDSHAKE_START, 1);
|
---|
| 284 |
|
---|
| 285 | if (SSL_IS_DTLS(s)) {
|
---|
| 286 | if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00) &&
|
---|
| 287 | (server || (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00))) {
|
---|
| 288 | SSLerr(SSL_F_STATE_MACHINE, ERR_R_INTERNAL_ERROR);
|
---|
| 289 | goto end;
|
---|
| 290 | }
|
---|
| 291 | } else {
|
---|
| 292 | if ((s->version >> 8) != SSL3_VERSION_MAJOR) {
|
---|
| 293 | SSLerr(SSL_F_STATE_MACHINE, ERR_R_INTERNAL_ERROR);
|
---|
| 294 | goto end;
|
---|
| 295 | }
|
---|
| 296 | }
|
---|
| 297 |
|
---|
| 298 | if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) {
|
---|
| 299 | SSLerr(SSL_F_STATE_MACHINE, SSL_R_VERSION_TOO_LOW);
|
---|
| 300 | goto end;
|
---|
| 301 | }
|
---|
| 302 |
|
---|
| 303 | if (s->init_buf == NULL) {
|
---|
| 304 | if ((buf = BUF_MEM_new()) == NULL) {
|
---|
| 305 | goto end;
|
---|
| 306 | }
|
---|
| 307 | if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
|
---|
| 308 | goto end;
|
---|
| 309 | }
|
---|
| 310 | s->init_buf = buf;
|
---|
| 311 | buf = NULL;
|
---|
| 312 | }
|
---|
| 313 |
|
---|
| 314 | if (!ssl3_setup_buffers(s)) {
|
---|
| 315 | goto end;
|
---|
| 316 | }
|
---|
| 317 | s->init_num = 0;
|
---|
| 318 |
|
---|
| 319 | /*
|
---|
| 320 | * Should have been reset by tls_process_finished, too.
|
---|
| 321 | */
|
---|
| 322 | s->s3->change_cipher_spec = 0;
|
---|
| 323 |
|
---|
| 324 | /*
|
---|
| 325 | * Ok, we now need to push on a buffering BIO ...but not with
|
---|
| 326 | * SCTP
|
---|
| 327 | */
|
---|
| 328 | #ifndef OPENSSL_NO_SCTP
|
---|
| 329 | if (!SSL_IS_DTLS(s) || !BIO_dgram_is_sctp(SSL_get_wbio(s)))
|
---|
| 330 | #endif
|
---|
| 331 | if (!ssl_init_wbio_buffer(s)) {
|
---|
| 332 | goto end;
|
---|
| 333 | }
|
---|
| 334 |
|
---|
| 335 | if (!server || st->state != MSG_FLOW_RENEGOTIATE) {
|
---|
| 336 | if (!ssl3_init_finished_mac(s)) {
|
---|
| 337 | ossl_statem_set_error(s);
|
---|
| 338 | goto end;
|
---|
| 339 | }
|
---|
| 340 | }
|
---|
| 341 |
|
---|
| 342 | if (server) {
|
---|
| 343 | if (st->state != MSG_FLOW_RENEGOTIATE) {
|
---|
| 344 | s->ctx->stats.sess_accept++;
|
---|
| 345 | } else if (!s->s3->send_connection_binding &&
|
---|
| 346 | !(s->options &
|
---|
| 347 | SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
|
---|
| 348 | /*
|
---|
| 349 | * Server attempting to renegotiate with client that doesn't
|
---|
| 350 | * support secure renegotiation.
|
---|
| 351 | */
|
---|
| 352 | SSLerr(SSL_F_STATE_MACHINE,
|
---|
| 353 | SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
|
---|
| 354 | ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
|
---|
| 355 | ossl_statem_set_error(s);
|
---|
| 356 | goto end;
|
---|
| 357 | } else {
|
---|
| 358 | /*
|
---|
| 359 | * st->state == MSG_FLOW_RENEGOTIATE, we will just send a
|
---|
| 360 | * HelloRequest
|
---|
| 361 | */
|
---|
| 362 | s->ctx->stats.sess_accept_renegotiate++;
|
---|
| 363 | }
|
---|
| 364 |
|
---|
| 365 | s->s3->tmp.cert_request = 0;
|
---|
| 366 | } else {
|
---|
| 367 | s->ctx->stats.sess_connect++;
|
---|
| 368 |
|
---|
| 369 | /* mark client_random uninitialized */
|
---|
| 370 | memset(s->s3->client_random, 0, sizeof(s->s3->client_random));
|
---|
| 371 | s->hit = 0;
|
---|
| 372 |
|
---|
| 373 | s->s3->tmp.cert_req = 0;
|
---|
| 374 |
|
---|
| 375 | if (SSL_IS_DTLS(s)) {
|
---|
| 376 | st->use_timer = 1;
|
---|
| 377 | }
|
---|
| 378 | }
|
---|
| 379 |
|
---|
| 380 | st->state = MSG_FLOW_WRITING;
|
---|
| 381 | init_write_state_machine(s);
|
---|
| 382 | st->read_state_first_init = 1;
|
---|
| 383 | }
|
---|
| 384 |
|
---|
| 385 | while (st->state != MSG_FLOW_FINISHED) {
|
---|
| 386 | if (st->state == MSG_FLOW_READING) {
|
---|
| 387 | ssret = read_state_machine(s);
|
---|
| 388 | if (ssret == SUB_STATE_FINISHED) {
|
---|
| 389 | st->state = MSG_FLOW_WRITING;
|
---|
| 390 | init_write_state_machine(s);
|
---|
| 391 | } else {
|
---|
| 392 | /* NBIO or error */
|
---|
| 393 | goto end;
|
---|
| 394 | }
|
---|
| 395 | } else if (st->state == MSG_FLOW_WRITING) {
|
---|
| 396 | ssret = write_state_machine(s);
|
---|
| 397 | if (ssret == SUB_STATE_FINISHED) {
|
---|
| 398 | st->state = MSG_FLOW_READING;
|
---|
| 399 | init_read_state_machine(s);
|
---|
| 400 | } else if (ssret == SUB_STATE_END_HANDSHAKE) {
|
---|
| 401 | st->state = MSG_FLOW_FINISHED;
|
---|
| 402 | } else {
|
---|
| 403 | /* NBIO or error */
|
---|
| 404 | goto end;
|
---|
| 405 | }
|
---|
| 406 | } else {
|
---|
| 407 | /* Error */
|
---|
| 408 | ossl_statem_set_error(s);
|
---|
| 409 | goto end;
|
---|
| 410 | }
|
---|
| 411 | }
|
---|
| 412 |
|
---|
| 413 | st->state = MSG_FLOW_UNINITED;
|
---|
| 414 | ret = 1;
|
---|
| 415 |
|
---|
| 416 | end:
|
---|
| 417 | st->in_handshake--;
|
---|
| 418 |
|
---|
| 419 | #ifndef OPENSSL_NO_SCTP
|
---|
| 420 | if (SSL_IS_DTLS(s)) {
|
---|
| 421 | /*
|
---|
| 422 | * Notify SCTP BIO socket to leave handshake mode and allow stream
|
---|
| 423 | * identifier other than 0. Will be ignored if no SCTP is used.
|
---|
| 424 | */
|
---|
| 425 | BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
|
---|
| 426 | st->in_handshake, NULL);
|
---|
| 427 | }
|
---|
| 428 | #endif
|
---|
| 429 |
|
---|
| 430 | BUF_MEM_free(buf);
|
---|
| 431 | if (cb != NULL) {
|
---|
| 432 | if (server)
|
---|
| 433 | cb(s, SSL_CB_ACCEPT_EXIT, ret);
|
---|
| 434 | else
|
---|
| 435 | cb(s, SSL_CB_CONNECT_EXIT, ret);
|
---|
| 436 | }
|
---|
| 437 | return ret;
|
---|
| 438 | }
|
---|
| 439 |
|
---|
| 440 | /*
|
---|
| 441 | * Initialise the MSG_FLOW_READING sub-state machine
|
---|
| 442 | */
|
---|
| 443 | static void init_read_state_machine(SSL *s)
|
---|
| 444 | {
|
---|
| 445 | OSSL_STATEM *st = &s->statem;
|
---|
| 446 |
|
---|
| 447 | st->read_state = READ_STATE_HEADER;
|
---|
| 448 | }
|
---|
| 449 |
|
---|
| 450 | static int grow_init_buf(SSL *s, size_t size) {
|
---|
| 451 |
|
---|
| 452 | size_t msg_offset = (char *)s->init_msg - s->init_buf->data;
|
---|
| 453 |
|
---|
| 454 | if (!BUF_MEM_grow_clean(s->init_buf, (int)size))
|
---|
| 455 | return 0;
|
---|
| 456 |
|
---|
| 457 | if (size < msg_offset)
|
---|
| 458 | return 0;
|
---|
| 459 |
|
---|
| 460 | s->init_msg = s->init_buf->data + msg_offset;
|
---|
| 461 |
|
---|
| 462 | return 1;
|
---|
| 463 | }
|
---|
| 464 |
|
---|
| 465 | /*
|
---|
| 466 | * This function implements the sub-state machine when the message flow is in
|
---|
| 467 | * MSG_FLOW_READING. The valid sub-states and transitions are:
|
---|
| 468 | *
|
---|
| 469 | * READ_STATE_HEADER <--+<-------------+
|
---|
| 470 | * | | |
|
---|
| 471 | * v | |
|
---|
| 472 | * READ_STATE_BODY -----+-->READ_STATE_POST_PROCESS
|
---|
| 473 | * | |
|
---|
| 474 | * +----------------------------+
|
---|
| 475 | * v
|
---|
| 476 | * [SUB_STATE_FINISHED]
|
---|
| 477 | *
|
---|
| 478 | * READ_STATE_HEADER has the responsibility for reading in the message header
|
---|
| 479 | * and transitioning the state of the handshake state machine.
|
---|
| 480 | *
|
---|
| 481 | * READ_STATE_BODY reads in the rest of the message and then subsequently
|
---|
| 482 | * processes it.
|
---|
| 483 | *
|
---|
| 484 | * READ_STATE_POST_PROCESS is an optional step that may occur if some post
|
---|
| 485 | * processing activity performed on the message may block.
|
---|
| 486 | *
|
---|
| 487 | * Any of the above states could result in an NBIO event occurring in which case
|
---|
| 488 | * control returns to the calling application. When this function is recalled we
|
---|
| 489 | * will resume in the same state where we left off.
|
---|
| 490 | */
|
---|
| 491 | static SUB_STATE_RETURN read_state_machine(SSL *s)
|
---|
| 492 | {
|
---|
| 493 | OSSL_STATEM *st = &s->statem;
|
---|
| 494 | int ret, mt;
|
---|
| 495 | unsigned long len = 0;
|
---|
| 496 | int (*transition) (SSL *s, int mt);
|
---|
| 497 | PACKET pkt;
|
---|
| 498 | MSG_PROCESS_RETURN(*process_message) (SSL *s, PACKET *pkt);
|
---|
| 499 | WORK_STATE(*post_process_message) (SSL *s, WORK_STATE wst);
|
---|
| 500 | unsigned long (*max_message_size) (SSL *s);
|
---|
| 501 | void (*cb) (const SSL *ssl, int type, int val) = NULL;
|
---|
| 502 |
|
---|
| 503 | cb = get_callback(s);
|
---|
| 504 |
|
---|
| 505 | if (s->server) {
|
---|
| 506 | transition = ossl_statem_server_read_transition;
|
---|
| 507 | process_message = ossl_statem_server_process_message;
|
---|
| 508 | max_message_size = ossl_statem_server_max_message_size;
|
---|
| 509 | post_process_message = ossl_statem_server_post_process_message;
|
---|
| 510 | } else {
|
---|
| 511 | transition = ossl_statem_client_read_transition;
|
---|
| 512 | process_message = ossl_statem_client_process_message;
|
---|
| 513 | max_message_size = ossl_statem_client_max_message_size;
|
---|
| 514 | post_process_message = ossl_statem_client_post_process_message;
|
---|
| 515 | }
|
---|
| 516 |
|
---|
| 517 | if (st->read_state_first_init) {
|
---|
| 518 | s->first_packet = 1;
|
---|
| 519 | st->read_state_first_init = 0;
|
---|
| 520 | }
|
---|
| 521 |
|
---|
| 522 | while (1) {
|
---|
| 523 | switch (st->read_state) {
|
---|
| 524 | case READ_STATE_HEADER:
|
---|
| 525 | /* Get the state the peer wants to move to */
|
---|
| 526 | if (SSL_IS_DTLS(s)) {
|
---|
| 527 | /*
|
---|
| 528 | * In DTLS we get the whole message in one go - header and body
|
---|
| 529 | */
|
---|
| 530 | ret = dtls_get_message(s, &mt, &len);
|
---|
| 531 | } else {
|
---|
| 532 | ret = tls_get_message_header(s, &mt);
|
---|
| 533 | }
|
---|
| 534 |
|
---|
| 535 | if (ret == 0) {
|
---|
| 536 | /* Could be non-blocking IO */
|
---|
| 537 | return SUB_STATE_ERROR;
|
---|
| 538 | }
|
---|
| 539 |
|
---|
| 540 | if (cb != NULL) {
|
---|
| 541 | /* Notify callback of an impending state change */
|
---|
| 542 | if (s->server)
|
---|
| 543 | cb(s, SSL_CB_ACCEPT_LOOP, 1);
|
---|
| 544 | else
|
---|
| 545 | cb(s, SSL_CB_CONNECT_LOOP, 1);
|
---|
| 546 | }
|
---|
| 547 | /*
|
---|
| 548 | * Validate that we are allowed to move to the new state and move
|
---|
| 549 | * to that state if so
|
---|
| 550 | */
|
---|
| 551 | if (!transition(s, mt)) {
|
---|
| 552 | ossl_statem_set_error(s);
|
---|
| 553 | return SUB_STATE_ERROR;
|
---|
| 554 | }
|
---|
| 555 |
|
---|
| 556 | if (s->s3->tmp.message_size > max_message_size(s)) {
|
---|
| 557 | ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
---|
| 558 | SSLerr(SSL_F_READ_STATE_MACHINE, SSL_R_EXCESSIVE_MESSAGE_SIZE);
|
---|
| 559 | return SUB_STATE_ERROR;
|
---|
| 560 | }
|
---|
| 561 |
|
---|
| 562 | /* dtls_get_message already did this */
|
---|
| 563 | if (!SSL_IS_DTLS(s)
|
---|
| 564 | && s->s3->tmp.message_size > 0
|
---|
| 565 | && !grow_init_buf(s, s->s3->tmp.message_size
|
---|
| 566 | + SSL3_HM_HEADER_LENGTH)) {
|
---|
| 567 | ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
|
---|
| 568 | SSLerr(SSL_F_READ_STATE_MACHINE, ERR_R_BUF_LIB);
|
---|
| 569 | return SUB_STATE_ERROR;
|
---|
| 570 | }
|
---|
| 571 |
|
---|
| 572 | st->read_state = READ_STATE_BODY;
|
---|
| 573 | /* Fall through */
|
---|
| 574 |
|
---|
| 575 | case READ_STATE_BODY:
|
---|
| 576 | if (!SSL_IS_DTLS(s)) {
|
---|
| 577 | /* We already got this above for DTLS */
|
---|
| 578 | ret = tls_get_message_body(s, &len);
|
---|
| 579 | if (ret == 0) {
|
---|
| 580 | /* Could be non-blocking IO */
|
---|
| 581 | return SUB_STATE_ERROR;
|
---|
| 582 | }
|
---|
| 583 | }
|
---|
| 584 |
|
---|
| 585 | s->first_packet = 0;
|
---|
| 586 | if (!PACKET_buf_init(&pkt, s->init_msg, len)) {
|
---|
| 587 | ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
|
---|
| 588 | SSLerr(SSL_F_READ_STATE_MACHINE, ERR_R_INTERNAL_ERROR);
|
---|
| 589 | return SUB_STATE_ERROR;
|
---|
| 590 | }
|
---|
| 591 | ret = process_message(s, &pkt);
|
---|
| 592 |
|
---|
| 593 | /* Discard the packet data */
|
---|
| 594 | s->init_num = 0;
|
---|
| 595 |
|
---|
| 596 | switch (ret) {
|
---|
| 597 | case MSG_PROCESS_ERROR:
|
---|
| 598 | return SUB_STATE_ERROR;
|
---|
| 599 |
|
---|
| 600 | case MSG_PROCESS_FINISHED_READING:
|
---|
| 601 | if (SSL_IS_DTLS(s)) {
|
---|
| 602 | dtls1_stop_timer(s);
|
---|
| 603 | }
|
---|
| 604 | return SUB_STATE_FINISHED;
|
---|
| 605 |
|
---|
| 606 | case MSG_PROCESS_CONTINUE_PROCESSING:
|
---|
| 607 | st->read_state = READ_STATE_POST_PROCESS;
|
---|
| 608 | st->read_state_work = WORK_MORE_A;
|
---|
| 609 | break;
|
---|
| 610 |
|
---|
| 611 | default:
|
---|
| 612 | st->read_state = READ_STATE_HEADER;
|
---|
| 613 | break;
|
---|
| 614 | }
|
---|
| 615 | break;
|
---|
| 616 |
|
---|
| 617 | case READ_STATE_POST_PROCESS:
|
---|
| 618 | st->read_state_work = post_process_message(s, st->read_state_work);
|
---|
| 619 | switch (st->read_state_work) {
|
---|
| 620 | default:
|
---|
| 621 | return SUB_STATE_ERROR;
|
---|
| 622 |
|
---|
| 623 | case WORK_FINISHED_CONTINUE:
|
---|
| 624 | st->read_state = READ_STATE_HEADER;
|
---|
| 625 | break;
|
---|
| 626 |
|
---|
| 627 | case WORK_FINISHED_STOP:
|
---|
| 628 | if (SSL_IS_DTLS(s)) {
|
---|
| 629 | dtls1_stop_timer(s);
|
---|
| 630 | }
|
---|
| 631 | return SUB_STATE_FINISHED;
|
---|
| 632 | }
|
---|
| 633 | break;
|
---|
| 634 |
|
---|
| 635 | default:
|
---|
| 636 | /* Shouldn't happen */
|
---|
| 637 | ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
|
---|
| 638 | SSLerr(SSL_F_READ_STATE_MACHINE, ERR_R_INTERNAL_ERROR);
|
---|
| 639 | ossl_statem_set_error(s);
|
---|
| 640 | return SUB_STATE_ERROR;
|
---|
| 641 | }
|
---|
| 642 | }
|
---|
| 643 | }
|
---|
| 644 |
|
---|
| 645 | /*
|
---|
| 646 | * Send a previously constructed message to the peer.
|
---|
| 647 | */
|
---|
| 648 | static int statem_do_write(SSL *s)
|
---|
| 649 | {
|
---|
| 650 | OSSL_STATEM *st = &s->statem;
|
---|
| 651 |
|
---|
| 652 | if (st->hand_state == TLS_ST_CW_CHANGE
|
---|
| 653 | || st->hand_state == TLS_ST_SW_CHANGE) {
|
---|
| 654 | if (SSL_IS_DTLS(s))
|
---|
| 655 | return dtls1_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);
|
---|
| 656 | else
|
---|
| 657 | return ssl3_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);
|
---|
| 658 | } else {
|
---|
| 659 | return ssl_do_write(s);
|
---|
| 660 | }
|
---|
| 661 | }
|
---|
| 662 |
|
---|
| 663 | /*
|
---|
| 664 | * Initialise the MSG_FLOW_WRITING sub-state machine
|
---|
| 665 | */
|
---|
| 666 | static void init_write_state_machine(SSL *s)
|
---|
| 667 | {
|
---|
| 668 | OSSL_STATEM *st = &s->statem;
|
---|
| 669 |
|
---|
| 670 | st->write_state = WRITE_STATE_TRANSITION;
|
---|
| 671 | }
|
---|
| 672 |
|
---|
| 673 | /*
|
---|
| 674 | * This function implements the sub-state machine when the message flow is in
|
---|
| 675 | * MSG_FLOW_WRITING. The valid sub-states and transitions are:
|
---|
| 676 | *
|
---|
| 677 | * +-> WRITE_STATE_TRANSITION ------> [SUB_STATE_FINISHED]
|
---|
| 678 | * | |
|
---|
| 679 | * | v
|
---|
| 680 | * | WRITE_STATE_PRE_WORK -----> [SUB_STATE_END_HANDSHAKE]
|
---|
| 681 | * | |
|
---|
| 682 | * | v
|
---|
| 683 | * | WRITE_STATE_SEND
|
---|
| 684 | * | |
|
---|
| 685 | * | v
|
---|
| 686 | * | WRITE_STATE_POST_WORK
|
---|
| 687 | * | |
|
---|
| 688 | * +-------------+
|
---|
| 689 | *
|
---|
| 690 | * WRITE_STATE_TRANSITION transitions the state of the handshake state machine
|
---|
| 691 |
|
---|
| 692 | * WRITE_STATE_PRE_WORK performs any work necessary to prepare the later
|
---|
| 693 | * sending of the message. This could result in an NBIO event occurring in
|
---|
| 694 | * which case control returns to the calling application. When this function
|
---|
| 695 | * is recalled we will resume in the same state where we left off.
|
---|
| 696 | *
|
---|
| 697 | * WRITE_STATE_SEND sends the message and performs any work to be done after
|
---|
| 698 | * sending.
|
---|
| 699 | *
|
---|
| 700 | * WRITE_STATE_POST_WORK performs any work necessary after the sending of the
|
---|
| 701 | * message has been completed. As for WRITE_STATE_PRE_WORK this could also
|
---|
| 702 | * result in an NBIO event.
|
---|
| 703 | */
|
---|
| 704 | static SUB_STATE_RETURN write_state_machine(SSL *s)
|
---|
| 705 | {
|
---|
| 706 | OSSL_STATEM *st = &s->statem;
|
---|
| 707 | int ret;
|
---|
| 708 | WRITE_TRAN(*transition) (SSL *s);
|
---|
| 709 | WORK_STATE(*pre_work) (SSL *s, WORK_STATE wst);
|
---|
| 710 | WORK_STATE(*post_work) (SSL *s, WORK_STATE wst);
|
---|
| 711 | int (*construct_message) (SSL *s);
|
---|
| 712 | void (*cb) (const SSL *ssl, int type, int val) = NULL;
|
---|
| 713 |
|
---|
| 714 | cb = get_callback(s);
|
---|
| 715 |
|
---|
| 716 | if (s->server) {
|
---|
| 717 | transition = ossl_statem_server_write_transition;
|
---|
| 718 | pre_work = ossl_statem_server_pre_work;
|
---|
| 719 | post_work = ossl_statem_server_post_work;
|
---|
| 720 | construct_message = ossl_statem_server_construct_message;
|
---|
| 721 | } else {
|
---|
| 722 | transition = ossl_statem_client_write_transition;
|
---|
| 723 | pre_work = ossl_statem_client_pre_work;
|
---|
| 724 | post_work = ossl_statem_client_post_work;
|
---|
| 725 | construct_message = ossl_statem_client_construct_message;
|
---|
| 726 | }
|
---|
| 727 |
|
---|
| 728 | while (1) {
|
---|
| 729 | switch (st->write_state) {
|
---|
| 730 | case WRITE_STATE_TRANSITION:
|
---|
| 731 | if (cb != NULL) {
|
---|
| 732 | /* Notify callback of an impending state change */
|
---|
| 733 | if (s->server)
|
---|
| 734 | cb(s, SSL_CB_ACCEPT_LOOP, 1);
|
---|
| 735 | else
|
---|
| 736 | cb(s, SSL_CB_CONNECT_LOOP, 1);
|
---|
| 737 | }
|
---|
| 738 | switch (transition(s)) {
|
---|
| 739 | case WRITE_TRAN_CONTINUE:
|
---|
| 740 | st->write_state = WRITE_STATE_PRE_WORK;
|
---|
| 741 | st->write_state_work = WORK_MORE_A;
|
---|
| 742 | break;
|
---|
| 743 |
|
---|
| 744 | case WRITE_TRAN_FINISHED:
|
---|
| 745 | return SUB_STATE_FINISHED;
|
---|
| 746 | break;
|
---|
| 747 |
|
---|
| 748 | default:
|
---|
| 749 | return SUB_STATE_ERROR;
|
---|
| 750 | }
|
---|
| 751 | break;
|
---|
| 752 |
|
---|
| 753 | case WRITE_STATE_PRE_WORK:
|
---|
| 754 | switch (st->write_state_work = pre_work(s, st->write_state_work)) {
|
---|
| 755 | default:
|
---|
| 756 | return SUB_STATE_ERROR;
|
---|
| 757 |
|
---|
| 758 | case WORK_FINISHED_CONTINUE:
|
---|
| 759 | st->write_state = WRITE_STATE_SEND;
|
---|
| 760 | break;
|
---|
| 761 |
|
---|
| 762 | case WORK_FINISHED_STOP:
|
---|
| 763 | return SUB_STATE_END_HANDSHAKE;
|
---|
| 764 | }
|
---|
| 765 | if (construct_message(s) == 0)
|
---|
| 766 | return SUB_STATE_ERROR;
|
---|
| 767 |
|
---|
| 768 | /* Fall through */
|
---|
| 769 |
|
---|
| 770 | case WRITE_STATE_SEND:
|
---|
| 771 | if (SSL_IS_DTLS(s) && st->use_timer) {
|
---|
| 772 | dtls1_start_timer(s);
|
---|
| 773 | }
|
---|
| 774 | ret = statem_do_write(s);
|
---|
| 775 | if (ret <= 0) {
|
---|
| 776 | return SUB_STATE_ERROR;
|
---|
| 777 | }
|
---|
| 778 | st->write_state = WRITE_STATE_POST_WORK;
|
---|
| 779 | st->write_state_work = WORK_MORE_A;
|
---|
| 780 | /* Fall through */
|
---|
| 781 |
|
---|
| 782 | case WRITE_STATE_POST_WORK:
|
---|
| 783 | switch (st->write_state_work = post_work(s, st->write_state_work)) {
|
---|
| 784 | default:
|
---|
| 785 | return SUB_STATE_ERROR;
|
---|
| 786 |
|
---|
| 787 | case WORK_FINISHED_CONTINUE:
|
---|
| 788 | st->write_state = WRITE_STATE_TRANSITION;
|
---|
| 789 | break;
|
---|
| 790 |
|
---|
| 791 | case WORK_FINISHED_STOP:
|
---|
| 792 | return SUB_STATE_END_HANDSHAKE;
|
---|
| 793 | }
|
---|
| 794 | break;
|
---|
| 795 |
|
---|
| 796 | default:
|
---|
| 797 | return SUB_STATE_ERROR;
|
---|
| 798 | }
|
---|
| 799 | }
|
---|
| 800 | }
|
---|
| 801 |
|
---|
| 802 | /*
|
---|
| 803 | * Flush the write BIO
|
---|
| 804 | */
|
---|
| 805 | int statem_flush(SSL *s)
|
---|
| 806 | {
|
---|
| 807 | s->rwstate = SSL_WRITING;
|
---|
| 808 | if (BIO_flush(s->wbio) <= 0) {
|
---|
| 809 | return 0;
|
---|
| 810 | }
|
---|
| 811 | s->rwstate = SSL_NOTHING;
|
---|
| 812 |
|
---|
| 813 | return 1;
|
---|
| 814 | }
|
---|
| 815 |
|
---|
| 816 | /*
|
---|
| 817 | * Called by the record layer to determine whether application data is
|
---|
| 818 | * allowed to be sent in the current handshake state or not.
|
---|
| 819 | *
|
---|
| 820 | * Return values are:
|
---|
| 821 | * 1: Yes (application data allowed)
|
---|
| 822 | * 0: No (application data not allowed)
|
---|
| 823 | */
|
---|
| 824 | int ossl_statem_app_data_allowed(SSL *s)
|
---|
| 825 | {
|
---|
| 826 | OSSL_STATEM *st = &s->statem;
|
---|
| 827 |
|
---|
| 828 | if (st->state == MSG_FLOW_UNINITED || st->state == MSG_FLOW_RENEGOTIATE)
|
---|
| 829 | return 0;
|
---|
| 830 |
|
---|
| 831 | if (!s->s3->in_read_app_data || (s->s3->total_renegotiations == 0))
|
---|
| 832 | return 0;
|
---|
| 833 |
|
---|
| 834 | if (s->server) {
|
---|
| 835 | /*
|
---|
| 836 | * If we're a server and we haven't got as far as writing our
|
---|
| 837 | * ServerHello yet then we allow app data
|
---|
| 838 | */
|
---|
| 839 | if (st->hand_state == TLS_ST_BEFORE
|
---|
| 840 | || st->hand_state == TLS_ST_SR_CLNT_HELLO)
|
---|
| 841 | return 1;
|
---|
| 842 | } else {
|
---|
| 843 | /*
|
---|
| 844 | * If we're a client and we haven't read the ServerHello yet then we
|
---|
| 845 | * allow app data
|
---|
| 846 | */
|
---|
| 847 | if (st->hand_state == TLS_ST_CW_CLNT_HELLO)
|
---|
| 848 | return 1;
|
---|
| 849 | }
|
---|
| 850 |
|
---|
| 851 | return 0;
|
---|
| 852 | }
|
---|
| 853 |
|
---|
| 854 | #ifndef OPENSSL_NO_SCTP
|
---|
| 855 | /*
|
---|
| 856 | * Set flag used by SCTP to determine whether we are in the read sock state
|
---|
| 857 | */
|
---|
| 858 | void ossl_statem_set_sctp_read_sock(SSL *s, int read_sock)
|
---|
| 859 | {
|
---|
| 860 | s->statem.in_sctp_read_sock = read_sock;
|
---|
| 861 | }
|
---|
| 862 |
|
---|
| 863 | /*
|
---|
| 864 | * Called by the record layer to determine whether we are in the read sock
|
---|
| 865 | * state or not.
|
---|
| 866 | *
|
---|
| 867 | * Return values are:
|
---|
| 868 | * 1: Yes (we are in the read sock state)
|
---|
| 869 | * 0: No (we are not in the read sock state)
|
---|
| 870 | */
|
---|
| 871 | int ossl_statem_in_sctp_read_sock(SSL *s)
|
---|
| 872 | {
|
---|
| 873 | return s->statem.in_sctp_read_sock;
|
---|
| 874 | }
|
---|
| 875 | #endif
|
---|