1 | /*
|
---|
2 | * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
|
---|
3 | *
|
---|
4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
---|
5 | * this file except in compliance with the License. You can obtain a copy
|
---|
6 | * in the file LICENSE in the source distribution or at
|
---|
7 | * https://www.openssl.org/source/license.html
|
---|
8 | */
|
---|
9 |
|
---|
10 | #include <openssl/rand.h>
|
---|
11 | #include "../ssl_locl.h"
|
---|
12 | #include "statem_locl.h"
|
---|
13 |
|
---|
14 | /*
|
---|
15 | * This file implements the SSL/TLS/DTLS state machines.
|
---|
16 | *
|
---|
17 | * There are two primary state machines:
|
---|
18 | *
|
---|
19 | * 1) Message flow state machine
|
---|
20 | * 2) Handshake state machine
|
---|
21 | *
|
---|
22 | * The Message flow state machine controls the reading and sending of messages
|
---|
23 | * including handling of non-blocking IO events, flushing of the underlying
|
---|
24 | * write BIO, handling unexpected messages, etc. It is itself broken into two
|
---|
25 | * separate sub-state machines which control reading and writing respectively.
|
---|
26 | *
|
---|
27 | * The Handshake state machine keeps track of the current SSL/TLS handshake
|
---|
28 | * state. Transitions of the handshake state are the result of events that
|
---|
29 | * occur within the Message flow state machine.
|
---|
30 | *
|
---|
31 | * Overall it looks like this:
|
---|
32 | *
|
---|
33 | * --------------------------------------------- -------------------
|
---|
34 | * | | | |
|
---|
35 | * | Message flow state machine | | |
|
---|
36 | * | | | |
|
---|
37 | * | -------------------- -------------------- | Transition | Handshake state |
|
---|
38 | * | | MSG_FLOW_READING | | MSG_FLOW_WRITING | | Event | machine |
|
---|
39 | * | | sub-state | | sub-state | |----------->| |
|
---|
40 | * | | machine for | | machine for | | | |
|
---|
41 | * | | reading messages | | writing messages | | | |
|
---|
42 | * | -------------------- -------------------- | | |
|
---|
43 | * | | | |
|
---|
44 | * --------------------------------------------- -------------------
|
---|
45 | *
|
---|
46 | */
|
---|
47 |
|
---|
48 | /* Sub state machine return values */
|
---|
49 | typedef enum {
|
---|
50 | /* Something bad happened or NBIO */
|
---|
51 | SUB_STATE_ERROR,
|
---|
52 | /* Sub state finished go to the next sub state */
|
---|
53 | SUB_STATE_FINISHED,
|
---|
54 | /* Sub state finished and handshake was completed */
|
---|
55 | SUB_STATE_END_HANDSHAKE
|
---|
56 | } SUB_STATE_RETURN;
|
---|
57 |
|
---|
58 | static int state_machine(SSL *s, int server);
|
---|
59 | static void init_read_state_machine(SSL *s);
|
---|
60 | static SUB_STATE_RETURN read_state_machine(SSL *s);
|
---|
61 | static void init_write_state_machine(SSL *s);
|
---|
62 | static SUB_STATE_RETURN write_state_machine(SSL *s);
|
---|
63 |
|
---|
64 | OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl)
|
---|
65 | {
|
---|
66 | return ssl->statem.hand_state;
|
---|
67 | }
|
---|
68 |
|
---|
69 | int SSL_in_init(SSL *s)
|
---|
70 | {
|
---|
71 | return s->statem.in_init;
|
---|
72 | }
|
---|
73 |
|
---|
74 | int SSL_is_init_finished(SSL *s)
|
---|
75 | {
|
---|
76 | return !(s->statem.in_init) && (s->statem.hand_state == TLS_ST_OK);
|
---|
77 | }
|
---|
78 |
|
---|
79 | int SSL_in_before(SSL *s)
|
---|
80 | {
|
---|
81 | /*
|
---|
82 | * Historically being "in before" meant before anything had happened. In the
|
---|
83 | * current code though we remain in the "before" state for a while after we
|
---|
84 | * have started the handshake process (e.g. as a server waiting for the
|
---|
85 | * first message to arrive). There "in before" is taken to mean "in before"
|
---|
86 | * and not started any handshake process yet.
|
---|
87 | */
|
---|
88 | return (s->statem.hand_state == TLS_ST_BEFORE)
|
---|
89 | && (s->statem.state == MSG_FLOW_UNINITED);
|
---|
90 | }
|
---|
91 |
|
---|
92 | /*
|
---|
93 | * Clear the state machine state and reset back to MSG_FLOW_UNINITED
|
---|
94 | */
|
---|
95 | void ossl_statem_clear(SSL *s)
|
---|
96 | {
|
---|
97 | s->statem.state = MSG_FLOW_UNINITED;
|
---|
98 | s->statem.hand_state = TLS_ST_BEFORE;
|
---|
99 | s->statem.in_init = 1;
|
---|
100 | s->statem.no_cert_verify = 0;
|
---|
101 | }
|
---|
102 |
|
---|
103 | /*
|
---|
104 | * Set the state machine up ready for a renegotiation handshake
|
---|
105 | */
|
---|
106 | void ossl_statem_set_renegotiate(SSL *s)
|
---|
107 | {
|
---|
108 | s->statem.state = MSG_FLOW_RENEGOTIATE;
|
---|
109 | s->statem.in_init = 1;
|
---|
110 | }
|
---|
111 |
|
---|
112 | /*
|
---|
113 | * Put the state machine into an error state. This is a permanent error for
|
---|
114 | * the current connection.
|
---|
115 | */
|
---|
116 | void ossl_statem_set_error(SSL *s)
|
---|
117 | {
|
---|
118 | s->statem.state = MSG_FLOW_ERROR;
|
---|
119 | }
|
---|
120 |
|
---|
121 | /*
|
---|
122 | * Discover whether the current connection is in the error state.
|
---|
123 | *
|
---|
124 | * Valid return values are:
|
---|
125 | * 1: Yes
|
---|
126 | * 0: No
|
---|
127 | */
|
---|
128 | int ossl_statem_in_error(const SSL *s)
|
---|
129 | {
|
---|
130 | if (s->statem.state == MSG_FLOW_ERROR)
|
---|
131 | return 1;
|
---|
132 |
|
---|
133 | return 0;
|
---|
134 | }
|
---|
135 |
|
---|
136 | void ossl_statem_set_in_init(SSL *s, int init)
|
---|
137 | {
|
---|
138 | s->statem.in_init = init;
|
---|
139 | }
|
---|
140 |
|
---|
141 | int ossl_statem_get_in_handshake(SSL *s)
|
---|
142 | {
|
---|
143 | return s->statem.in_handshake;
|
---|
144 | }
|
---|
145 |
|
---|
146 | void ossl_statem_set_in_handshake(SSL *s, int inhand)
|
---|
147 | {
|
---|
148 | if (inhand)
|
---|
149 | s->statem.in_handshake++;
|
---|
150 | else
|
---|
151 | s->statem.in_handshake--;
|
---|
152 | }
|
---|
153 |
|
---|
154 | void ossl_statem_set_hello_verify_done(SSL *s)
|
---|
155 | {
|
---|
156 | s->statem.state = MSG_FLOW_UNINITED;
|
---|
157 | s->statem.in_init = 1;
|
---|
158 | /*
|
---|
159 | * This will get reset (briefly) back to TLS_ST_BEFORE when we enter
|
---|
160 | * state_machine() because |state| is MSG_FLOW_UNINITED, but until then any
|
---|
161 | * calls to SSL_in_before() will return false. Also calls to
|
---|
162 | * SSL_state_string() and SSL_state_string_long() will return something
|
---|
163 | * sensible.
|
---|
164 | */
|
---|
165 | s->statem.hand_state = TLS_ST_SR_CLNT_HELLO;
|
---|
166 | }
|
---|
167 |
|
---|
168 | int ossl_statem_connect(SSL *s)
|
---|
169 | {
|
---|
170 | return state_machine(s, 0);
|
---|
171 | }
|
---|
172 |
|
---|
173 | int ossl_statem_accept(SSL *s)
|
---|
174 | {
|
---|
175 | return state_machine(s, 1);
|
---|
176 | }
|
---|
177 |
|
---|
178 | typedef void (*info_cb) (const SSL *, int, int);
|
---|
179 |
|
---|
180 | static info_cb get_callback(SSL *s)
|
---|
181 | {
|
---|
182 | if (s->info_callback != NULL)
|
---|
183 | return s->info_callback;
|
---|
184 | else if (s->ctx->info_callback != NULL)
|
---|
185 | return s->ctx->info_callback;
|
---|
186 |
|
---|
187 | return NULL;
|
---|
188 | }
|
---|
189 |
|
---|
190 | /*
|
---|
191 | * The main message flow state machine. We start in the MSG_FLOW_UNINITED or
|
---|
192 | * MSG_FLOW_RENEGOTIATE state and finish in MSG_FLOW_FINISHED. Valid states and
|
---|
193 | * transitions are as follows:
|
---|
194 | *
|
---|
195 | * MSG_FLOW_UNINITED MSG_FLOW_RENEGOTIATE
|
---|
196 | * | |
|
---|
197 | * +-----------------------+
|
---|
198 | * v
|
---|
199 | * MSG_FLOW_WRITING <---> MSG_FLOW_READING
|
---|
200 | * |
|
---|
201 | * V
|
---|
202 | * MSG_FLOW_FINISHED
|
---|
203 | * |
|
---|
204 | * V
|
---|
205 | * [SUCCESS]
|
---|
206 | *
|
---|
207 | * We may exit at any point due to an error or NBIO event. If an NBIO event
|
---|
208 | * occurs then we restart at the point we left off when we are recalled.
|
---|
209 | * MSG_FLOW_WRITING and MSG_FLOW_READING have sub-state machines associated with them.
|
---|
210 | *
|
---|
211 | * In addition to the above there is also the MSG_FLOW_ERROR state. We can move
|
---|
212 | * into that state at any point in the event that an irrecoverable error occurs.
|
---|
213 | *
|
---|
214 | * Valid return values are:
|
---|
215 | * 1: Success
|
---|
216 | * <=0: NBIO or error
|
---|
217 | */
|
---|
218 | static int state_machine(SSL *s, int server)
|
---|
219 | {
|
---|
220 | BUF_MEM *buf = NULL;
|
---|
221 | unsigned long Time = (unsigned long)time(NULL);
|
---|
222 | void (*cb) (const SSL *ssl, int type, int val) = NULL;
|
---|
223 | OSSL_STATEM *st = &s->statem;
|
---|
224 | int ret = -1;
|
---|
225 | int ssret;
|
---|
226 |
|
---|
227 | if (st->state == MSG_FLOW_ERROR) {
|
---|
228 | /* Shouldn't have been called if we're already in the error state */
|
---|
229 | return -1;
|
---|
230 | }
|
---|
231 |
|
---|
232 | RAND_add(&Time, sizeof(Time), 0);
|
---|
233 | ERR_clear_error();
|
---|
234 | clear_sys_error();
|
---|
235 |
|
---|
236 | cb = get_callback(s);
|
---|
237 |
|
---|
238 | st->in_handshake++;
|
---|
239 | if (!SSL_in_init(s) || SSL_in_before(s)) {
|
---|
240 | if (!SSL_clear(s))
|
---|
241 | return -1;
|
---|
242 | }
|
---|
243 | #ifndef OPENSSL_NO_SCTP
|
---|
244 | if (SSL_IS_DTLS(s)) {
|
---|
245 | /*
|
---|
246 | * Notify SCTP BIO socket to enter handshake mode and prevent stream
|
---|
247 | * identifier other than 0. Will be ignored if no SCTP is used.
|
---|
248 | */
|
---|
249 | BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
|
---|
250 | st->in_handshake, NULL);
|
---|
251 | }
|
---|
252 | #endif
|
---|
253 |
|
---|
254 | #ifndef OPENSSL_NO_HEARTBEATS
|
---|
255 | /*
|
---|
256 | * If we're awaiting a HeartbeatResponse, pretend we already got and
|
---|
257 | * don't await it anymore, because Heartbeats don't make sense during
|
---|
258 | * handshakes anyway.
|
---|
259 | */
|
---|
260 | if (s->tlsext_hb_pending) {
|
---|
261 | if (SSL_IS_DTLS(s))
|
---|
262 | dtls1_stop_timer(s);
|
---|
263 | s->tlsext_hb_pending = 0;
|
---|
264 | s->tlsext_hb_seq++;
|
---|
265 | }
|
---|
266 | #endif
|
---|
267 |
|
---|
268 | /* Initialise state machine */
|
---|
269 |
|
---|
270 | if (st->state == MSG_FLOW_RENEGOTIATE) {
|
---|
271 | s->renegotiate = 1;
|
---|
272 | if (!server)
|
---|
273 | s->ctx->stats.sess_connect_renegotiate++;
|
---|
274 | }
|
---|
275 |
|
---|
276 | if (st->state == MSG_FLOW_UNINITED || st->state == MSG_FLOW_RENEGOTIATE) {
|
---|
277 | if (st->state == MSG_FLOW_UNINITED) {
|
---|
278 | st->hand_state = TLS_ST_BEFORE;
|
---|
279 | }
|
---|
280 |
|
---|
281 | s->server = server;
|
---|
282 | if (cb != NULL)
|
---|
283 | cb(s, SSL_CB_HANDSHAKE_START, 1);
|
---|
284 |
|
---|
285 | if (SSL_IS_DTLS(s)) {
|
---|
286 | if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00) &&
|
---|
287 | (server || (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00))) {
|
---|
288 | SSLerr(SSL_F_STATE_MACHINE, ERR_R_INTERNAL_ERROR);
|
---|
289 | goto end;
|
---|
290 | }
|
---|
291 | } else {
|
---|
292 | if ((s->version >> 8) != SSL3_VERSION_MAJOR) {
|
---|
293 | SSLerr(SSL_F_STATE_MACHINE, ERR_R_INTERNAL_ERROR);
|
---|
294 | goto end;
|
---|
295 | }
|
---|
296 | }
|
---|
297 |
|
---|
298 | if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) {
|
---|
299 | SSLerr(SSL_F_STATE_MACHINE, SSL_R_VERSION_TOO_LOW);
|
---|
300 | goto end;
|
---|
301 | }
|
---|
302 |
|
---|
303 | if (s->init_buf == NULL) {
|
---|
304 | if ((buf = BUF_MEM_new()) == NULL) {
|
---|
305 | goto end;
|
---|
306 | }
|
---|
307 | if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
|
---|
308 | goto end;
|
---|
309 | }
|
---|
310 | s->init_buf = buf;
|
---|
311 | buf = NULL;
|
---|
312 | }
|
---|
313 |
|
---|
314 | if (!ssl3_setup_buffers(s)) {
|
---|
315 | goto end;
|
---|
316 | }
|
---|
317 | s->init_num = 0;
|
---|
318 |
|
---|
319 | /*
|
---|
320 | * Should have been reset by tls_process_finished, too.
|
---|
321 | */
|
---|
322 | s->s3->change_cipher_spec = 0;
|
---|
323 |
|
---|
324 | /*
|
---|
325 | * Ok, we now need to push on a buffering BIO ...but not with
|
---|
326 | * SCTP
|
---|
327 | */
|
---|
328 | #ifndef OPENSSL_NO_SCTP
|
---|
329 | if (!SSL_IS_DTLS(s) || !BIO_dgram_is_sctp(SSL_get_wbio(s)))
|
---|
330 | #endif
|
---|
331 | if (!ssl_init_wbio_buffer(s)) {
|
---|
332 | goto end;
|
---|
333 | }
|
---|
334 |
|
---|
335 | if (!server || st->state != MSG_FLOW_RENEGOTIATE) {
|
---|
336 | if (!ssl3_init_finished_mac(s)) {
|
---|
337 | ossl_statem_set_error(s);
|
---|
338 | goto end;
|
---|
339 | }
|
---|
340 | }
|
---|
341 |
|
---|
342 | if (server) {
|
---|
343 | if (st->state != MSG_FLOW_RENEGOTIATE) {
|
---|
344 | s->ctx->stats.sess_accept++;
|
---|
345 | } else if (!s->s3->send_connection_binding &&
|
---|
346 | !(s->options &
|
---|
347 | SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
|
---|
348 | /*
|
---|
349 | * Server attempting to renegotiate with client that doesn't
|
---|
350 | * support secure renegotiation.
|
---|
351 | */
|
---|
352 | SSLerr(SSL_F_STATE_MACHINE,
|
---|
353 | SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
|
---|
354 | ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
|
---|
355 | ossl_statem_set_error(s);
|
---|
356 | goto end;
|
---|
357 | } else {
|
---|
358 | /*
|
---|
359 | * st->state == MSG_FLOW_RENEGOTIATE, we will just send a
|
---|
360 | * HelloRequest
|
---|
361 | */
|
---|
362 | s->ctx->stats.sess_accept_renegotiate++;
|
---|
363 | }
|
---|
364 |
|
---|
365 | s->s3->tmp.cert_request = 0;
|
---|
366 | } else {
|
---|
367 | s->ctx->stats.sess_connect++;
|
---|
368 |
|
---|
369 | /* mark client_random uninitialized */
|
---|
370 | memset(s->s3->client_random, 0, sizeof(s->s3->client_random));
|
---|
371 | s->hit = 0;
|
---|
372 |
|
---|
373 | s->s3->tmp.cert_req = 0;
|
---|
374 |
|
---|
375 | if (SSL_IS_DTLS(s)) {
|
---|
376 | st->use_timer = 1;
|
---|
377 | }
|
---|
378 | }
|
---|
379 |
|
---|
380 | st->state = MSG_FLOW_WRITING;
|
---|
381 | init_write_state_machine(s);
|
---|
382 | st->read_state_first_init = 1;
|
---|
383 | }
|
---|
384 |
|
---|
385 | while (st->state != MSG_FLOW_FINISHED) {
|
---|
386 | if (st->state == MSG_FLOW_READING) {
|
---|
387 | ssret = read_state_machine(s);
|
---|
388 | if (ssret == SUB_STATE_FINISHED) {
|
---|
389 | st->state = MSG_FLOW_WRITING;
|
---|
390 | init_write_state_machine(s);
|
---|
391 | } else {
|
---|
392 | /* NBIO or error */
|
---|
393 | goto end;
|
---|
394 | }
|
---|
395 | } else if (st->state == MSG_FLOW_WRITING) {
|
---|
396 | ssret = write_state_machine(s);
|
---|
397 | if (ssret == SUB_STATE_FINISHED) {
|
---|
398 | st->state = MSG_FLOW_READING;
|
---|
399 | init_read_state_machine(s);
|
---|
400 | } else if (ssret == SUB_STATE_END_HANDSHAKE) {
|
---|
401 | st->state = MSG_FLOW_FINISHED;
|
---|
402 | } else {
|
---|
403 | /* NBIO or error */
|
---|
404 | goto end;
|
---|
405 | }
|
---|
406 | } else {
|
---|
407 | /* Error */
|
---|
408 | ossl_statem_set_error(s);
|
---|
409 | goto end;
|
---|
410 | }
|
---|
411 | }
|
---|
412 |
|
---|
413 | st->state = MSG_FLOW_UNINITED;
|
---|
414 | ret = 1;
|
---|
415 |
|
---|
416 | end:
|
---|
417 | st->in_handshake--;
|
---|
418 |
|
---|
419 | #ifndef OPENSSL_NO_SCTP
|
---|
420 | if (SSL_IS_DTLS(s)) {
|
---|
421 | /*
|
---|
422 | * Notify SCTP BIO socket to leave handshake mode and allow stream
|
---|
423 | * identifier other than 0. Will be ignored if no SCTP is used.
|
---|
424 | */
|
---|
425 | BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
|
---|
426 | st->in_handshake, NULL);
|
---|
427 | }
|
---|
428 | #endif
|
---|
429 |
|
---|
430 | BUF_MEM_free(buf);
|
---|
431 | if (cb != NULL) {
|
---|
432 | if (server)
|
---|
433 | cb(s, SSL_CB_ACCEPT_EXIT, ret);
|
---|
434 | else
|
---|
435 | cb(s, SSL_CB_CONNECT_EXIT, ret);
|
---|
436 | }
|
---|
437 | return ret;
|
---|
438 | }
|
---|
439 |
|
---|
440 | /*
|
---|
441 | * Initialise the MSG_FLOW_READING sub-state machine
|
---|
442 | */
|
---|
443 | static void init_read_state_machine(SSL *s)
|
---|
444 | {
|
---|
445 | OSSL_STATEM *st = &s->statem;
|
---|
446 |
|
---|
447 | st->read_state = READ_STATE_HEADER;
|
---|
448 | }
|
---|
449 |
|
---|
450 | static int grow_init_buf(SSL *s, size_t size) {
|
---|
451 |
|
---|
452 | size_t msg_offset = (char *)s->init_msg - s->init_buf->data;
|
---|
453 |
|
---|
454 | if (!BUF_MEM_grow_clean(s->init_buf, (int)size))
|
---|
455 | return 0;
|
---|
456 |
|
---|
457 | if (size < msg_offset)
|
---|
458 | return 0;
|
---|
459 |
|
---|
460 | s->init_msg = s->init_buf->data + msg_offset;
|
---|
461 |
|
---|
462 | return 1;
|
---|
463 | }
|
---|
464 |
|
---|
465 | /*
|
---|
466 | * This function implements the sub-state machine when the message flow is in
|
---|
467 | * MSG_FLOW_READING. The valid sub-states and transitions are:
|
---|
468 | *
|
---|
469 | * READ_STATE_HEADER <--+<-------------+
|
---|
470 | * | | |
|
---|
471 | * v | |
|
---|
472 | * READ_STATE_BODY -----+-->READ_STATE_POST_PROCESS
|
---|
473 | * | |
|
---|
474 | * +----------------------------+
|
---|
475 | * v
|
---|
476 | * [SUB_STATE_FINISHED]
|
---|
477 | *
|
---|
478 | * READ_STATE_HEADER has the responsibility for reading in the message header
|
---|
479 | * and transitioning the state of the handshake state machine.
|
---|
480 | *
|
---|
481 | * READ_STATE_BODY reads in the rest of the message and then subsequently
|
---|
482 | * processes it.
|
---|
483 | *
|
---|
484 | * READ_STATE_POST_PROCESS is an optional step that may occur if some post
|
---|
485 | * processing activity performed on the message may block.
|
---|
486 | *
|
---|
487 | * Any of the above states could result in an NBIO event occurring in which case
|
---|
488 | * control returns to the calling application. When this function is recalled we
|
---|
489 | * will resume in the same state where we left off.
|
---|
490 | */
|
---|
491 | static SUB_STATE_RETURN read_state_machine(SSL *s)
|
---|
492 | {
|
---|
493 | OSSL_STATEM *st = &s->statem;
|
---|
494 | int ret, mt;
|
---|
495 | unsigned long len = 0;
|
---|
496 | int (*transition) (SSL *s, int mt);
|
---|
497 | PACKET pkt;
|
---|
498 | MSG_PROCESS_RETURN(*process_message) (SSL *s, PACKET *pkt);
|
---|
499 | WORK_STATE(*post_process_message) (SSL *s, WORK_STATE wst);
|
---|
500 | unsigned long (*max_message_size) (SSL *s);
|
---|
501 | void (*cb) (const SSL *ssl, int type, int val) = NULL;
|
---|
502 |
|
---|
503 | cb = get_callback(s);
|
---|
504 |
|
---|
505 | if (s->server) {
|
---|
506 | transition = ossl_statem_server_read_transition;
|
---|
507 | process_message = ossl_statem_server_process_message;
|
---|
508 | max_message_size = ossl_statem_server_max_message_size;
|
---|
509 | post_process_message = ossl_statem_server_post_process_message;
|
---|
510 | } else {
|
---|
511 | transition = ossl_statem_client_read_transition;
|
---|
512 | process_message = ossl_statem_client_process_message;
|
---|
513 | max_message_size = ossl_statem_client_max_message_size;
|
---|
514 | post_process_message = ossl_statem_client_post_process_message;
|
---|
515 | }
|
---|
516 |
|
---|
517 | if (st->read_state_first_init) {
|
---|
518 | s->first_packet = 1;
|
---|
519 | st->read_state_first_init = 0;
|
---|
520 | }
|
---|
521 |
|
---|
522 | while (1) {
|
---|
523 | switch (st->read_state) {
|
---|
524 | case READ_STATE_HEADER:
|
---|
525 | /* Get the state the peer wants to move to */
|
---|
526 | if (SSL_IS_DTLS(s)) {
|
---|
527 | /*
|
---|
528 | * In DTLS we get the whole message in one go - header and body
|
---|
529 | */
|
---|
530 | ret = dtls_get_message(s, &mt, &len);
|
---|
531 | } else {
|
---|
532 | ret = tls_get_message_header(s, &mt);
|
---|
533 | }
|
---|
534 |
|
---|
535 | if (ret == 0) {
|
---|
536 | /* Could be non-blocking IO */
|
---|
537 | return SUB_STATE_ERROR;
|
---|
538 | }
|
---|
539 |
|
---|
540 | if (cb != NULL) {
|
---|
541 | /* Notify callback of an impending state change */
|
---|
542 | if (s->server)
|
---|
543 | cb(s, SSL_CB_ACCEPT_LOOP, 1);
|
---|
544 | else
|
---|
545 | cb(s, SSL_CB_CONNECT_LOOP, 1);
|
---|
546 | }
|
---|
547 | /*
|
---|
548 | * Validate that we are allowed to move to the new state and move
|
---|
549 | * to that state if so
|
---|
550 | */
|
---|
551 | if (!transition(s, mt)) {
|
---|
552 | ossl_statem_set_error(s);
|
---|
553 | return SUB_STATE_ERROR;
|
---|
554 | }
|
---|
555 |
|
---|
556 | if (s->s3->tmp.message_size > max_message_size(s)) {
|
---|
557 | ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
---|
558 | SSLerr(SSL_F_READ_STATE_MACHINE, SSL_R_EXCESSIVE_MESSAGE_SIZE);
|
---|
559 | return SUB_STATE_ERROR;
|
---|
560 | }
|
---|
561 |
|
---|
562 | /* dtls_get_message already did this */
|
---|
563 | if (!SSL_IS_DTLS(s)
|
---|
564 | && s->s3->tmp.message_size > 0
|
---|
565 | && !grow_init_buf(s, s->s3->tmp.message_size
|
---|
566 | + SSL3_HM_HEADER_LENGTH)) {
|
---|
567 | ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
|
---|
568 | SSLerr(SSL_F_READ_STATE_MACHINE, ERR_R_BUF_LIB);
|
---|
569 | return SUB_STATE_ERROR;
|
---|
570 | }
|
---|
571 |
|
---|
572 | st->read_state = READ_STATE_BODY;
|
---|
573 | /* Fall through */
|
---|
574 |
|
---|
575 | case READ_STATE_BODY:
|
---|
576 | if (!SSL_IS_DTLS(s)) {
|
---|
577 | /* We already got this above for DTLS */
|
---|
578 | ret = tls_get_message_body(s, &len);
|
---|
579 | if (ret == 0) {
|
---|
580 | /* Could be non-blocking IO */
|
---|
581 | return SUB_STATE_ERROR;
|
---|
582 | }
|
---|
583 | }
|
---|
584 |
|
---|
585 | s->first_packet = 0;
|
---|
586 | if (!PACKET_buf_init(&pkt, s->init_msg, len)) {
|
---|
587 | ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
|
---|
588 | SSLerr(SSL_F_READ_STATE_MACHINE, ERR_R_INTERNAL_ERROR);
|
---|
589 | return SUB_STATE_ERROR;
|
---|
590 | }
|
---|
591 | ret = process_message(s, &pkt);
|
---|
592 |
|
---|
593 | /* Discard the packet data */
|
---|
594 | s->init_num = 0;
|
---|
595 |
|
---|
596 | switch (ret) {
|
---|
597 | case MSG_PROCESS_ERROR:
|
---|
598 | return SUB_STATE_ERROR;
|
---|
599 |
|
---|
600 | case MSG_PROCESS_FINISHED_READING:
|
---|
601 | if (SSL_IS_DTLS(s)) {
|
---|
602 | dtls1_stop_timer(s);
|
---|
603 | }
|
---|
604 | return SUB_STATE_FINISHED;
|
---|
605 |
|
---|
606 | case MSG_PROCESS_CONTINUE_PROCESSING:
|
---|
607 | st->read_state = READ_STATE_POST_PROCESS;
|
---|
608 | st->read_state_work = WORK_MORE_A;
|
---|
609 | break;
|
---|
610 |
|
---|
611 | default:
|
---|
612 | st->read_state = READ_STATE_HEADER;
|
---|
613 | break;
|
---|
614 | }
|
---|
615 | break;
|
---|
616 |
|
---|
617 | case READ_STATE_POST_PROCESS:
|
---|
618 | st->read_state_work = post_process_message(s, st->read_state_work);
|
---|
619 | switch (st->read_state_work) {
|
---|
620 | default:
|
---|
621 | return SUB_STATE_ERROR;
|
---|
622 |
|
---|
623 | case WORK_FINISHED_CONTINUE:
|
---|
624 | st->read_state = READ_STATE_HEADER;
|
---|
625 | break;
|
---|
626 |
|
---|
627 | case WORK_FINISHED_STOP:
|
---|
628 | if (SSL_IS_DTLS(s)) {
|
---|
629 | dtls1_stop_timer(s);
|
---|
630 | }
|
---|
631 | return SUB_STATE_FINISHED;
|
---|
632 | }
|
---|
633 | break;
|
---|
634 |
|
---|
635 | default:
|
---|
636 | /* Shouldn't happen */
|
---|
637 | ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
|
---|
638 | SSLerr(SSL_F_READ_STATE_MACHINE, ERR_R_INTERNAL_ERROR);
|
---|
639 | ossl_statem_set_error(s);
|
---|
640 | return SUB_STATE_ERROR;
|
---|
641 | }
|
---|
642 | }
|
---|
643 | }
|
---|
644 |
|
---|
645 | /*
|
---|
646 | * Send a previously constructed message to the peer.
|
---|
647 | */
|
---|
648 | static int statem_do_write(SSL *s)
|
---|
649 | {
|
---|
650 | OSSL_STATEM *st = &s->statem;
|
---|
651 |
|
---|
652 | if (st->hand_state == TLS_ST_CW_CHANGE
|
---|
653 | || st->hand_state == TLS_ST_SW_CHANGE) {
|
---|
654 | if (SSL_IS_DTLS(s))
|
---|
655 | return dtls1_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);
|
---|
656 | else
|
---|
657 | return ssl3_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);
|
---|
658 | } else {
|
---|
659 | return ssl_do_write(s);
|
---|
660 | }
|
---|
661 | }
|
---|
662 |
|
---|
663 | /*
|
---|
664 | * Initialise the MSG_FLOW_WRITING sub-state machine
|
---|
665 | */
|
---|
666 | static void init_write_state_machine(SSL *s)
|
---|
667 | {
|
---|
668 | OSSL_STATEM *st = &s->statem;
|
---|
669 |
|
---|
670 | st->write_state = WRITE_STATE_TRANSITION;
|
---|
671 | }
|
---|
672 |
|
---|
673 | /*
|
---|
674 | * This function implements the sub-state machine when the message flow is in
|
---|
675 | * MSG_FLOW_WRITING. The valid sub-states and transitions are:
|
---|
676 | *
|
---|
677 | * +-> WRITE_STATE_TRANSITION ------> [SUB_STATE_FINISHED]
|
---|
678 | * | |
|
---|
679 | * | v
|
---|
680 | * | WRITE_STATE_PRE_WORK -----> [SUB_STATE_END_HANDSHAKE]
|
---|
681 | * | |
|
---|
682 | * | v
|
---|
683 | * | WRITE_STATE_SEND
|
---|
684 | * | |
|
---|
685 | * | v
|
---|
686 | * | WRITE_STATE_POST_WORK
|
---|
687 | * | |
|
---|
688 | * +-------------+
|
---|
689 | *
|
---|
690 | * WRITE_STATE_TRANSITION transitions the state of the handshake state machine
|
---|
691 |
|
---|
692 | * WRITE_STATE_PRE_WORK performs any work necessary to prepare the later
|
---|
693 | * sending of the message. This could result in an NBIO event occurring in
|
---|
694 | * which case control returns to the calling application. When this function
|
---|
695 | * is recalled we will resume in the same state where we left off.
|
---|
696 | *
|
---|
697 | * WRITE_STATE_SEND sends the message and performs any work to be done after
|
---|
698 | * sending.
|
---|
699 | *
|
---|
700 | * WRITE_STATE_POST_WORK performs any work necessary after the sending of the
|
---|
701 | * message has been completed. As for WRITE_STATE_PRE_WORK this could also
|
---|
702 | * result in an NBIO event.
|
---|
703 | */
|
---|
704 | static SUB_STATE_RETURN write_state_machine(SSL *s)
|
---|
705 | {
|
---|
706 | OSSL_STATEM *st = &s->statem;
|
---|
707 | int ret;
|
---|
708 | WRITE_TRAN(*transition) (SSL *s);
|
---|
709 | WORK_STATE(*pre_work) (SSL *s, WORK_STATE wst);
|
---|
710 | WORK_STATE(*post_work) (SSL *s, WORK_STATE wst);
|
---|
711 | int (*construct_message) (SSL *s);
|
---|
712 | void (*cb) (const SSL *ssl, int type, int val) = NULL;
|
---|
713 |
|
---|
714 | cb = get_callback(s);
|
---|
715 |
|
---|
716 | if (s->server) {
|
---|
717 | transition = ossl_statem_server_write_transition;
|
---|
718 | pre_work = ossl_statem_server_pre_work;
|
---|
719 | post_work = ossl_statem_server_post_work;
|
---|
720 | construct_message = ossl_statem_server_construct_message;
|
---|
721 | } else {
|
---|
722 | transition = ossl_statem_client_write_transition;
|
---|
723 | pre_work = ossl_statem_client_pre_work;
|
---|
724 | post_work = ossl_statem_client_post_work;
|
---|
725 | construct_message = ossl_statem_client_construct_message;
|
---|
726 | }
|
---|
727 |
|
---|
728 | while (1) {
|
---|
729 | switch (st->write_state) {
|
---|
730 | case WRITE_STATE_TRANSITION:
|
---|
731 | if (cb != NULL) {
|
---|
732 | /* Notify callback of an impending state change */
|
---|
733 | if (s->server)
|
---|
734 | cb(s, SSL_CB_ACCEPT_LOOP, 1);
|
---|
735 | else
|
---|
736 | cb(s, SSL_CB_CONNECT_LOOP, 1);
|
---|
737 | }
|
---|
738 | switch (transition(s)) {
|
---|
739 | case WRITE_TRAN_CONTINUE:
|
---|
740 | st->write_state = WRITE_STATE_PRE_WORK;
|
---|
741 | st->write_state_work = WORK_MORE_A;
|
---|
742 | break;
|
---|
743 |
|
---|
744 | case WRITE_TRAN_FINISHED:
|
---|
745 | return SUB_STATE_FINISHED;
|
---|
746 | break;
|
---|
747 |
|
---|
748 | default:
|
---|
749 | return SUB_STATE_ERROR;
|
---|
750 | }
|
---|
751 | break;
|
---|
752 |
|
---|
753 | case WRITE_STATE_PRE_WORK:
|
---|
754 | switch (st->write_state_work = pre_work(s, st->write_state_work)) {
|
---|
755 | default:
|
---|
756 | return SUB_STATE_ERROR;
|
---|
757 |
|
---|
758 | case WORK_FINISHED_CONTINUE:
|
---|
759 | st->write_state = WRITE_STATE_SEND;
|
---|
760 | break;
|
---|
761 |
|
---|
762 | case WORK_FINISHED_STOP:
|
---|
763 | return SUB_STATE_END_HANDSHAKE;
|
---|
764 | }
|
---|
765 | if (construct_message(s) == 0)
|
---|
766 | return SUB_STATE_ERROR;
|
---|
767 |
|
---|
768 | /* Fall through */
|
---|
769 |
|
---|
770 | case WRITE_STATE_SEND:
|
---|
771 | if (SSL_IS_DTLS(s) && st->use_timer) {
|
---|
772 | dtls1_start_timer(s);
|
---|
773 | }
|
---|
774 | ret = statem_do_write(s);
|
---|
775 | if (ret <= 0) {
|
---|
776 | return SUB_STATE_ERROR;
|
---|
777 | }
|
---|
778 | st->write_state = WRITE_STATE_POST_WORK;
|
---|
779 | st->write_state_work = WORK_MORE_A;
|
---|
780 | /* Fall through */
|
---|
781 |
|
---|
782 | case WRITE_STATE_POST_WORK:
|
---|
783 | switch (st->write_state_work = post_work(s, st->write_state_work)) {
|
---|
784 | default:
|
---|
785 | return SUB_STATE_ERROR;
|
---|
786 |
|
---|
787 | case WORK_FINISHED_CONTINUE:
|
---|
788 | st->write_state = WRITE_STATE_TRANSITION;
|
---|
789 | break;
|
---|
790 |
|
---|
791 | case WORK_FINISHED_STOP:
|
---|
792 | return SUB_STATE_END_HANDSHAKE;
|
---|
793 | }
|
---|
794 | break;
|
---|
795 |
|
---|
796 | default:
|
---|
797 | return SUB_STATE_ERROR;
|
---|
798 | }
|
---|
799 | }
|
---|
800 | }
|
---|
801 |
|
---|
802 | /*
|
---|
803 | * Flush the write BIO
|
---|
804 | */
|
---|
805 | int statem_flush(SSL *s)
|
---|
806 | {
|
---|
807 | s->rwstate = SSL_WRITING;
|
---|
808 | if (BIO_flush(s->wbio) <= 0) {
|
---|
809 | return 0;
|
---|
810 | }
|
---|
811 | s->rwstate = SSL_NOTHING;
|
---|
812 |
|
---|
813 | return 1;
|
---|
814 | }
|
---|
815 |
|
---|
816 | /*
|
---|
817 | * Called by the record layer to determine whether application data is
|
---|
818 | * allowed to be sent in the current handshake state or not.
|
---|
819 | *
|
---|
820 | * Return values are:
|
---|
821 | * 1: Yes (application data allowed)
|
---|
822 | * 0: No (application data not allowed)
|
---|
823 | */
|
---|
824 | int ossl_statem_app_data_allowed(SSL *s)
|
---|
825 | {
|
---|
826 | OSSL_STATEM *st = &s->statem;
|
---|
827 |
|
---|
828 | if (st->state == MSG_FLOW_UNINITED || st->state == MSG_FLOW_RENEGOTIATE)
|
---|
829 | return 0;
|
---|
830 |
|
---|
831 | if (!s->s3->in_read_app_data || (s->s3->total_renegotiations == 0))
|
---|
832 | return 0;
|
---|
833 |
|
---|
834 | if (s->server) {
|
---|
835 | /*
|
---|
836 | * If we're a server and we haven't got as far as writing our
|
---|
837 | * ServerHello yet then we allow app data
|
---|
838 | */
|
---|
839 | if (st->hand_state == TLS_ST_BEFORE
|
---|
840 | || st->hand_state == TLS_ST_SR_CLNT_HELLO)
|
---|
841 | return 1;
|
---|
842 | } else {
|
---|
843 | /*
|
---|
844 | * If we're a client and we haven't read the ServerHello yet then we
|
---|
845 | * allow app data
|
---|
846 | */
|
---|
847 | if (st->hand_state == TLS_ST_CW_CLNT_HELLO)
|
---|
848 | return 1;
|
---|
849 | }
|
---|
850 |
|
---|
851 | return 0;
|
---|
852 | }
|
---|
853 |
|
---|
854 | #ifndef OPENSSL_NO_SCTP
|
---|
855 | /*
|
---|
856 | * Set flag used by SCTP to determine whether we are in the read sock state
|
---|
857 | */
|
---|
858 | void ossl_statem_set_sctp_read_sock(SSL *s, int read_sock)
|
---|
859 | {
|
---|
860 | s->statem.in_sctp_read_sock = read_sock;
|
---|
861 | }
|
---|
862 |
|
---|
863 | /*
|
---|
864 | * Called by the record layer to determine whether we are in the read sock
|
---|
865 | * state or not.
|
---|
866 | *
|
---|
867 | * Return values are:
|
---|
868 | * 1: Yes (we are in the read sock state)
|
---|
869 | * 0: No (we are not in the read sock state)
|
---|
870 | */
|
---|
871 | int ossl_statem_in_sctp_read_sock(SSL *s)
|
---|
872 | {
|
---|
873 | return s->statem.in_sctp_read_sock;
|
---|
874 | }
|
---|
875 | #endif
|
---|