1 /* 2 * Copyright 2015-2025 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include "internal/e_os.h" 11 12 #if defined(__TANDEM) && defined(_SPT_MODEL_) 13 #include <spthread.h> 14 #include <spt_extensions.h> /* timeval */ 15 #endif 16 17 #include "internal/cryptlib.h" 18 #include "internal/ssl_unwrap.h" 19 #include <openssl/rand.h> 20 #include "../ssl_local.h" 21 #include "statem_local.h" 22 #include <assert.h> 23 24 /* 25 * This file implements the SSL/TLS/DTLS state machines. 26 * 27 * There are two primary state machines: 28 * 29 * 1) Message flow state machine 30 * 2) Handshake state machine 31 * 32 * The Message flow state machine controls the reading and sending of messages 33 * including handling of non-blocking IO events, flushing of the underlying 34 * write BIO, handling unexpected messages, etc. It is itself broken into two 35 * separate sub-state machines which control reading and writing respectively. 36 * 37 * The Handshake state machine keeps track of the current SSL/TLS handshake 38 * state. Transitions of the handshake state are the result of events that 39 * occur within the Message flow state machine. 40 * 41 * Overall it looks like this: 42 * 43 * --------------------------------------------- ------------------- 44 * | | | | 45 * | Message flow state machine | | | 46 * | | | | 47 * | -------------------- -------------------- | Transition | Handshake state | 48 * | | MSG_FLOW_READING | | MSG_FLOW_WRITING | | Event | machine | 49 * | | sub-state | | sub-state | |----------->| | 50 * | | machine for | | machine for | | | | 51 * | | reading messages | | writing messages | | | | 52 * | -------------------- -------------------- | | | 53 * | | | | 54 * --------------------------------------------- ------------------- 55 * 56 */ 57 58 /* Sub state machine return values */ 59 typedef enum { 60 /* Something bad happened or NBIO */ 61 SUB_STATE_ERROR, 62 /* Sub state finished go to the next sub state */ 63 SUB_STATE_FINISHED, 64 /* Sub state finished and handshake was completed */ 65 SUB_STATE_END_HANDSHAKE 66 } SUB_STATE_RETURN; 67 68 static int state_machine(SSL_CONNECTION *s, int server); 69 static void init_read_state_machine(SSL_CONNECTION *s); 70 static SUB_STATE_RETURN read_state_machine(SSL_CONNECTION *s); 71 static void init_write_state_machine(SSL_CONNECTION *s); 72 static SUB_STATE_RETURN write_state_machine(SSL_CONNECTION *s); 73 74 OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl) 75 { 76 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl); 77 78 if (sc == NULL) 79 return TLS_ST_BEFORE; 80 81 return sc->statem.hand_state; 82 } 83 84 int SSL_in_init(const SSL *s) 85 { 86 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s); 87 88 if (sc == NULL) 89 return 0; 90 91 return sc->statem.in_init; 92 } 93 94 int SSL_is_init_finished(const SSL *s) 95 { 96 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s); 97 98 if (sc == NULL) 99 return 0; 100 101 return !(sc->statem.in_init) && (sc->statem.hand_state == TLS_ST_OK); 102 } 103 104 int SSL_in_before(const SSL *s) 105 { 106 const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s); 107 108 if (sc == NULL) 109 return 0; 110 111 /* 112 * Historically being "in before" meant before anything had happened. In the 113 * current code though we remain in the "before" state for a while after we 114 * have started the handshake process (e.g. as a server waiting for the 115 * first message to arrive). There "in before" is taken to mean "in before" 116 * and not started any handshake process yet. 117 */ 118 return (sc->statem.hand_state == TLS_ST_BEFORE) 119 && (sc->statem.state == MSG_FLOW_UNINITED); 120 } 121 122 OSSL_HANDSHAKE_STATE ossl_statem_get_state(SSL_CONNECTION *s) 123 { 124 return s != NULL ? s->statem.hand_state : TLS_ST_BEFORE; 125 } 126 127 /* 128 * Clear the state machine state and reset back to MSG_FLOW_UNINITED 129 */ 130 void ossl_statem_clear(SSL_CONNECTION *s) 131 { 132 s->statem.state = MSG_FLOW_UNINITED; 133 s->statem.hand_state = TLS_ST_BEFORE; 134 ossl_statem_set_in_init(s, 1); 135 s->statem.no_cert_verify = 0; 136 } 137 138 /* 139 * Set the state machine up ready for a renegotiation handshake 140 */ 141 void ossl_statem_set_renegotiate(SSL_CONNECTION *s) 142 { 143 ossl_statem_set_in_init(s, 1); 144 s->statem.request_state = TLS_ST_SW_HELLO_REQ; 145 } 146 147 void ossl_statem_send_fatal(SSL_CONNECTION *s, int al) 148 { 149 /* We shouldn't call SSLfatal() twice. Once is enough */ 150 if (s->statem.in_init && s->statem.state == MSG_FLOW_ERROR) 151 return; 152 ossl_statem_set_in_init(s, 1); 153 s->statem.state = MSG_FLOW_ERROR; 154 if (al != SSL_AD_NO_ALERT) 155 ssl3_send_alert(s, SSL3_AL_FATAL, al); 156 } 157 158 /* 159 * Error reporting building block that's used instead of ERR_set_error(). 160 * In addition to what ERR_set_error() does, this puts the state machine 161 * into an error state and sends an alert if appropriate. 162 * This is a permanent error for the current connection. 163 */ 164 void ossl_statem_fatal(SSL_CONNECTION *s, int al, int reason, 165 const char *fmt, ...) 166 { 167 va_list args; 168 169 va_start(args, fmt); 170 ERR_vset_error(ERR_LIB_SSL, reason, fmt, args); 171 va_end(args); 172 173 ossl_statem_send_fatal(s, al); 174 } 175 176 /* 177 * This macro should only be called if we are already expecting to be in 178 * a fatal error state. We verify that we are, and set it if not (this would 179 * indicate a bug). 180 */ 181 #define check_fatal(s) \ 182 do { \ 183 if (!ossl_assert((s)->statem.in_init \ 184 && (s)->statem.state == MSG_FLOW_ERROR)) \ 185 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_FATAL); \ 186 } while (0) 187 188 /* 189 * Discover whether the current connection is in the error state. 190 * 191 * Valid return values are: 192 * 1: Yes 193 * 0: No 194 */ 195 int ossl_statem_in_error(const SSL_CONNECTION *s) 196 { 197 if (s->statem.state == MSG_FLOW_ERROR) 198 return 1; 199 200 return 0; 201 } 202 203 void ossl_statem_set_in_init(SSL_CONNECTION *s, int init) 204 { 205 s->statem.in_init = init; 206 if (s->rlayer.rrlmethod != NULL && s->rlayer.rrlmethod->set_in_init != NULL) 207 s->rlayer.rrlmethod->set_in_init(s->rlayer.rrl, init); 208 } 209 210 int ossl_statem_get_in_handshake(SSL_CONNECTION *s) 211 { 212 return s->statem.in_handshake; 213 } 214 215 void ossl_statem_set_in_handshake(SSL_CONNECTION *s, int inhand) 216 { 217 if (inhand) 218 s->statem.in_handshake++; 219 else 220 s->statem.in_handshake--; 221 } 222 223 /* Are we in a sensible state to skip over unreadable early data? */ 224 int ossl_statem_skip_early_data(SSL_CONNECTION *s) 225 { 226 if (s->ext.early_data != SSL_EARLY_DATA_REJECTED) 227 return 0; 228 229 if (!s->server 230 || s->statem.hand_state != TLS_ST_EARLY_DATA 231 || s->hello_retry_request == SSL_HRR_COMPLETE) 232 return 0; 233 234 return 1; 235 } 236 237 /* 238 * Called when we are in SSL_read*(), SSL_write*(), or SSL_accept() 239 * /SSL_connect()/SSL_do_handshake(). Used to test whether we are in an early 240 * data state and whether we should attempt to move the handshake on if so. 241 * |sending| is 1 if we are attempting to send data (SSL_write*()), 0 if we are 242 * attempting to read data (SSL_read*()), or -1 if we are in SSL_do_handshake() 243 * or similar. 244 */ 245 int ossl_statem_check_finish_init(SSL_CONNECTION *s, int sending) 246 { 247 if (sending == -1) { 248 if (s->statem.hand_state == TLS_ST_PENDING_EARLY_DATA_END 249 || s->statem.hand_state == TLS_ST_EARLY_DATA) { 250 ossl_statem_set_in_init(s, 1); 251 if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY) { 252 /* 253 * SSL_connect() or SSL_do_handshake() has been called directly. 254 * We don't allow any more writing of early data. 255 */ 256 s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING; 257 } 258 } 259 } else if (!s->server) { 260 if ((sending && (s->statem.hand_state == TLS_ST_PENDING_EARLY_DATA_END || s->statem.hand_state == TLS_ST_EARLY_DATA) 261 && s->early_data_state != SSL_EARLY_DATA_WRITING) 262 || (!sending && s->statem.hand_state == TLS_ST_EARLY_DATA)) { 263 ossl_statem_set_in_init(s, 1); 264 /* 265 * SSL_write() has been called directly. We don't allow any more 266 * writing of early data. 267 */ 268 if (sending && s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY) 269 s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING; 270 } 271 } else { 272 if (s->early_data_state == SSL_EARLY_DATA_FINISHED_READING 273 && s->statem.hand_state == TLS_ST_EARLY_DATA) 274 ossl_statem_set_in_init(s, 1); 275 } 276 return 1; 277 } 278 279 void ossl_statem_set_hello_verify_done(SSL_CONNECTION *s) 280 { 281 s->statem.state = MSG_FLOW_UNINITED; 282 ossl_statem_set_in_init(s, 1); 283 /* 284 * This will get reset (briefly) back to TLS_ST_BEFORE when we enter 285 * state_machine() because |state| is MSG_FLOW_UNINITED, but until then any 286 * calls to SSL_in_before() will return false. Also calls to 287 * SSL_state_string() and SSL_state_string_long() will return something 288 * sensible. 289 */ 290 s->statem.hand_state = TLS_ST_SR_CLNT_HELLO; 291 } 292 293 int ossl_statem_connect(SSL *s) 294 { 295 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); 296 297 if (sc == NULL) 298 return -1; 299 300 return state_machine(sc, 0); 301 } 302 303 int ossl_statem_accept(SSL *s) 304 { 305 SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s); 306 307 if (sc == NULL) 308 return -1; 309 310 return state_machine(sc, 1); 311 } 312 313 typedef void (*info_cb)(const SSL *, int, int); 314 315 static info_cb get_callback(SSL_CONNECTION *s) 316 { 317 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 318 319 if (s->info_callback != NULL) 320 return s->info_callback; 321 else if (sctx->info_callback != NULL) 322 return sctx->info_callback; 323 324 return NULL; 325 } 326 327 /* 328 * The main message flow state machine. We start in the MSG_FLOW_UNINITED or 329 * MSG_FLOW_FINISHED state and finish in MSG_FLOW_FINISHED. Valid states and 330 * transitions are as follows: 331 * 332 * MSG_FLOW_UNINITED MSG_FLOW_FINISHED 333 * | | 334 * +-----------------------+ 335 * v 336 * MSG_FLOW_WRITING <---> MSG_FLOW_READING 337 * | 338 * V 339 * MSG_FLOW_FINISHED 340 * | 341 * V 342 * [SUCCESS] 343 * 344 * We may exit at any point due to an error or NBIO event. If an NBIO event 345 * occurs then we restart at the point we left off when we are recalled. 346 * MSG_FLOW_WRITING and MSG_FLOW_READING have sub-state machines associated with them. 347 * 348 * In addition to the above there is also the MSG_FLOW_ERROR state. We can move 349 * into that state at any point in the event that an irrecoverable error occurs. 350 * 351 * Valid return values are: 352 * 1: Success 353 * <=0: NBIO or error 354 */ 355 static int state_machine(SSL_CONNECTION *s, int server) 356 { 357 BUF_MEM *buf = NULL; 358 void (*cb)(const SSL *ssl, int type, int val) = NULL; 359 OSSL_STATEM *st = &s->statem; 360 int ret = -1; 361 int ssret; 362 SSL *ssl = SSL_CONNECTION_GET_SSL(s); 363 SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s); 364 365 if (st->state == MSG_FLOW_ERROR) { 366 /* Shouldn't have been called if we're already in the error state */ 367 return -1; 368 } 369 370 ERR_clear_error(); 371 clear_sys_error(); 372 373 cb = get_callback(s); 374 375 st->in_handshake++; 376 if (!SSL_in_init(ssl) || SSL_in_before(ssl)) { 377 /* 378 * If we are stateless then we already called SSL_clear() - don't do 379 * it again and clear the STATELESS flag itself. 380 */ 381 if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0 && !SSL_clear(ssl)) 382 return -1; 383 } 384 #ifndef OPENSSL_NO_SCTP 385 if (SSL_CONNECTION_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(ssl))) { 386 /* 387 * Notify SCTP BIO socket to enter handshake mode and prevent stream 388 * identifier other than 0. 389 */ 390 BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, 391 st->in_handshake, NULL); 392 } 393 #endif 394 395 /* Initialise state machine */ 396 if (st->state == MSG_FLOW_UNINITED 397 || st->state == MSG_FLOW_FINISHED) { 398 if (st->state == MSG_FLOW_UNINITED) { 399 st->hand_state = TLS_ST_BEFORE; 400 st->request_state = TLS_ST_BEFORE; 401 } 402 403 s->server = server; 404 if (cb != NULL) { 405 if (SSL_IS_FIRST_HANDSHAKE(s) || !SSL_CONNECTION_IS_TLS13(s)) 406 cb(ussl, SSL_CB_HANDSHAKE_START, 1); 407 } 408 409 /* 410 * Fatal errors in this block don't send an alert because we have 411 * failed to even initialise properly. Sending an alert is probably 412 * doomed to failure. 413 */ 414 415 if (SSL_CONNECTION_IS_DTLS(s)) { 416 if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00) && (server || (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00))) { 417 SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR); 418 goto end; 419 } 420 } else { 421 if ((s->version >> 8) != SSL3_VERSION_MAJOR) { 422 SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR); 423 goto end; 424 } 425 } 426 427 if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) { 428 SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR); 429 goto end; 430 } 431 432 if (s->init_buf == NULL) { 433 if ((buf = BUF_MEM_new()) == NULL) { 434 SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR); 435 goto end; 436 } 437 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) { 438 SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR); 439 goto end; 440 } 441 s->init_buf = buf; 442 buf = NULL; 443 } 444 445 s->init_num = 0; 446 447 /* 448 * Should have been reset by tls_process_finished, too. 449 */ 450 s->s3.change_cipher_spec = 0; 451 452 /* 453 * Ok, we now need to push on a buffering BIO ...but not with 454 * SCTP 455 */ 456 #ifndef OPENSSL_NO_SCTP 457 if (!SSL_CONNECTION_IS_DTLS(s) || !BIO_dgram_is_sctp(SSL_get_wbio(ssl))) 458 #endif 459 if (!ssl_init_wbio_buffer(s)) { 460 SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR); 461 goto end; 462 } 463 464 if ((SSL_in_before(ssl)) 465 || s->renegotiate) { 466 if (!tls_setup_handshake(s)) { 467 /* SSLfatal() already called */ 468 goto end; 469 } 470 471 if (SSL_IS_FIRST_HANDSHAKE(s)) 472 st->read_state_first_init = 1; 473 } 474 475 st->state = MSG_FLOW_WRITING; 476 init_write_state_machine(s); 477 } 478 479 while (st->state != MSG_FLOW_FINISHED) { 480 if (st->state == MSG_FLOW_READING) { 481 ssret = read_state_machine(s); 482 if (ssret == SUB_STATE_FINISHED) { 483 st->state = MSG_FLOW_WRITING; 484 init_write_state_machine(s); 485 } else { 486 /* NBIO or error */ 487 goto end; 488 } 489 } else if (st->state == MSG_FLOW_WRITING) { 490 ssret = write_state_machine(s); 491 if (ssret == SUB_STATE_FINISHED) { 492 st->state = MSG_FLOW_READING; 493 init_read_state_machine(s); 494 } else if (ssret == SUB_STATE_END_HANDSHAKE) { 495 st->state = MSG_FLOW_FINISHED; 496 } else { 497 /* NBIO or error */ 498 goto end; 499 } 500 } else { 501 /* Error */ 502 check_fatal(s); 503 ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 504 goto end; 505 } 506 } 507 508 ret = 1; 509 510 end: 511 st->in_handshake--; 512 513 #ifndef OPENSSL_NO_SCTP 514 if (SSL_CONNECTION_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(ssl))) { 515 /* 516 * Notify SCTP BIO socket to leave handshake mode and allow stream 517 * identifier other than 0. 518 */ 519 BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, 520 st->in_handshake, NULL); 521 } 522 #endif 523 524 BUF_MEM_free(buf); 525 if (cb != NULL) { 526 if (server) 527 cb(ussl, SSL_CB_ACCEPT_EXIT, ret); 528 else 529 cb(ussl, SSL_CB_CONNECT_EXIT, ret); 530 } 531 return ret; 532 } 533 534 /* 535 * Initialise the MSG_FLOW_READING sub-state machine 536 */ 537 static void init_read_state_machine(SSL_CONNECTION *s) 538 { 539 OSSL_STATEM *st = &s->statem; 540 541 st->read_state = READ_STATE_HEADER; 542 } 543 544 static int grow_init_buf(SSL_CONNECTION *s, size_t size) 545 { 546 547 size_t msg_offset = (char *)s->init_msg - s->init_buf->data; 548 549 if (!BUF_MEM_grow_clean(s->init_buf, (int)size)) 550 return 0; 551 552 if (size < msg_offset) 553 return 0; 554 555 s->init_msg = s->init_buf->data + msg_offset; 556 557 return 1; 558 } 559 560 /* 561 * This function implements the sub-state machine when the message flow is in 562 * MSG_FLOW_READING. The valid sub-states and transitions are: 563 * 564 * READ_STATE_HEADER <--+<-------------+ 565 * | | | 566 * v | | 567 * READ_STATE_BODY -----+-->READ_STATE_POST_PROCESS 568 * | | 569 * +----------------------------+ 570 * v 571 * [SUB_STATE_FINISHED] 572 * 573 * READ_STATE_HEADER has the responsibility for reading in the message header 574 * and transitioning the state of the handshake state machine. 575 * 576 * READ_STATE_BODY reads in the rest of the message and then subsequently 577 * processes it. 578 * 579 * READ_STATE_POST_PROCESS is an optional step that may occur if some post 580 * processing activity performed on the message may block. 581 * 582 * Any of the above states could result in an NBIO event occurring in which case 583 * control returns to the calling application. When this function is recalled we 584 * will resume in the same state where we left off. 585 */ 586 static SUB_STATE_RETURN read_state_machine(SSL_CONNECTION *s) 587 { 588 OSSL_STATEM *st = &s->statem; 589 int ret, mt; 590 size_t len = 0; 591 int (*transition)(SSL_CONNECTION *s, int mt); 592 PACKET pkt; 593 MSG_PROCESS_RETURN (*process_message)(SSL_CONNECTION *s, PACKET *pkt); 594 WORK_STATE (*post_process_message)(SSL_CONNECTION *s, WORK_STATE wst); 595 size_t (*max_message_size)(SSL_CONNECTION *s); 596 void (*cb)(const SSL *ssl, int type, int val) = NULL; 597 SSL *ssl = SSL_CONNECTION_GET_USER_SSL(s); 598 599 cb = get_callback(s); 600 601 if (s->server) { 602 transition = ossl_statem_server_read_transition; 603 process_message = ossl_statem_server_process_message; 604 max_message_size = ossl_statem_server_max_message_size; 605 post_process_message = ossl_statem_server_post_process_message; 606 } else { 607 transition = ossl_statem_client_read_transition; 608 process_message = ossl_statem_client_process_message; 609 max_message_size = ossl_statem_client_max_message_size; 610 post_process_message = ossl_statem_client_post_process_message; 611 } 612 613 if (st->read_state_first_init) { 614 s->first_packet = 1; 615 st->read_state_first_init = 0; 616 } 617 618 while (1) { 619 switch (st->read_state) { 620 case READ_STATE_HEADER: 621 /* Get the state the peer wants to move to */ 622 if (SSL_CONNECTION_IS_DTLS(s)) { 623 /* 624 * In DTLS we get the whole message in one go - header and body 625 */ 626 ret = dtls_get_message(s, &mt); 627 } else { 628 ret = tls_get_message_header(s, &mt); 629 } 630 631 if (ret == 0) { 632 /* Could be non-blocking IO */ 633 return SUB_STATE_ERROR; 634 } 635 636 if (cb != NULL) { 637 /* Notify callback of an impending state change */ 638 if (s->server) 639 cb(ssl, SSL_CB_ACCEPT_LOOP, 1); 640 else 641 cb(ssl, SSL_CB_CONNECT_LOOP, 1); 642 } 643 /* 644 * Validate that we are allowed to move to the new state and move 645 * to that state if so 646 */ 647 if (!transition(s, mt)) 648 return SUB_STATE_ERROR; 649 650 if (s->s3.tmp.message_size > max_message_size(s)) { 651 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, 652 SSL_R_EXCESSIVE_MESSAGE_SIZE); 653 return SUB_STATE_ERROR; 654 } 655 656 /* dtls_get_message already did this */ 657 if (!SSL_CONNECTION_IS_DTLS(s) 658 && s->s3.tmp.message_size > 0 659 && !grow_init_buf(s, s->s3.tmp.message_size + SSL3_HM_HEADER_LENGTH)) { 660 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB); 661 return SUB_STATE_ERROR; 662 } 663 664 st->read_state = READ_STATE_BODY; 665 /* Fall through */ 666 667 case READ_STATE_BODY: 668 if (SSL_CONNECTION_IS_DTLS(s)) { 669 /* 670 * Actually we already have the body, but we give DTLS the 671 * opportunity to do any further processing. 672 */ 673 ret = dtls_get_message_body(s, &len); 674 } else { 675 ret = tls_get_message_body(s, &len); 676 } 677 if (ret == 0) { 678 /* Could be non-blocking IO */ 679 return SUB_STATE_ERROR; 680 } 681 682 s->first_packet = 0; 683 if (!PACKET_buf_init(&pkt, s->init_msg, len)) { 684 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 685 return SUB_STATE_ERROR; 686 } 687 ret = process_message(s, &pkt); 688 689 /* Discard the packet data */ 690 s->init_num = 0; 691 692 switch (ret) { 693 case MSG_PROCESS_ERROR: 694 check_fatal(s); 695 return SUB_STATE_ERROR; 696 697 case MSG_PROCESS_FINISHED_READING: 698 if (SSL_CONNECTION_IS_DTLS(s)) { 699 dtls1_stop_timer(s); 700 } 701 return SUB_STATE_FINISHED; 702 703 case MSG_PROCESS_CONTINUE_PROCESSING: 704 st->read_state = READ_STATE_POST_PROCESS; 705 st->read_state_work = WORK_MORE_A; 706 break; 707 708 default: 709 st->read_state = READ_STATE_HEADER; 710 break; 711 } 712 break; 713 714 case READ_STATE_POST_PROCESS: 715 st->read_state_work = post_process_message(s, st->read_state_work); 716 switch (st->read_state_work) { 717 case WORK_ERROR: 718 check_fatal(s); 719 /* Fall through */ 720 case WORK_MORE_A: 721 case WORK_MORE_B: 722 case WORK_MORE_C: 723 return SUB_STATE_ERROR; 724 725 case WORK_FINISHED_CONTINUE: 726 st->read_state = READ_STATE_HEADER; 727 break; 728 729 case WORK_FINISHED_SWAP: 730 case WORK_FINISHED_STOP: 731 if (SSL_CONNECTION_IS_DTLS(s)) { 732 dtls1_stop_timer(s); 733 } 734 return SUB_STATE_FINISHED; 735 } 736 break; 737 738 default: 739 /* Shouldn't happen */ 740 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 741 return SUB_STATE_ERROR; 742 } 743 } 744 } 745 746 /* 747 * Send a previously constructed message to the peer. 748 */ 749 static int statem_do_write(SSL_CONNECTION *s) 750 { 751 OSSL_STATEM *st = &s->statem; 752 753 if (st->hand_state == TLS_ST_CW_CHANGE 754 || st->hand_state == TLS_ST_SW_CHANGE) { 755 if (SSL_CONNECTION_IS_DTLS(s)) 756 return dtls1_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC); 757 else 758 return ssl3_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC); 759 } else { 760 return ssl_do_write(s); 761 } 762 } 763 764 /* 765 * Initialise the MSG_FLOW_WRITING sub-state machine 766 */ 767 static void init_write_state_machine(SSL_CONNECTION *s) 768 { 769 OSSL_STATEM *st = &s->statem; 770 771 st->write_state = WRITE_STATE_TRANSITION; 772 } 773 774 /* 775 * This function implements the sub-state machine when the message flow is in 776 * MSG_FLOW_WRITING. The valid sub-states and transitions are: 777 * 778 * +-> WRITE_STATE_TRANSITION ------> [SUB_STATE_FINISHED] 779 * | | 780 * | v 781 * | WRITE_STATE_PRE_WORK -----> [SUB_STATE_END_HANDSHAKE] 782 * | | 783 * | v 784 * | WRITE_STATE_SEND 785 * | | 786 * | v 787 * | WRITE_STATE_POST_WORK 788 * | | 789 * +-------------+ 790 * 791 * WRITE_STATE_TRANSITION transitions the state of the handshake state machine 792 793 * WRITE_STATE_PRE_WORK performs any work necessary to prepare the later 794 * sending of the message. This could result in an NBIO event occurring in 795 * which case control returns to the calling application. When this function 796 * is recalled we will resume in the same state where we left off. 797 * 798 * WRITE_STATE_SEND sends the message and performs any work to be done after 799 * sending. 800 * 801 * WRITE_STATE_POST_WORK performs any work necessary after the sending of the 802 * message has been completed. As for WRITE_STATE_PRE_WORK this could also 803 * result in an NBIO event. 804 */ 805 static SUB_STATE_RETURN write_state_machine(SSL_CONNECTION *s) 806 { 807 OSSL_STATEM *st = &s->statem; 808 int ret; 809 WRITE_TRAN (*transition)(SSL_CONNECTION *s); 810 WORK_STATE (*pre_work)(SSL_CONNECTION *s, WORK_STATE wst); 811 WORK_STATE (*post_work)(SSL_CONNECTION *s, WORK_STATE wst); 812 int (*get_construct_message_f)(SSL_CONNECTION *s, 813 CON_FUNC_RETURN (**confunc)(SSL_CONNECTION *s, 814 WPACKET *pkt), 815 int *mt); 816 void (*cb)(const SSL *ssl, int type, int val) = NULL; 817 CON_FUNC_RETURN (*confunc)(SSL_CONNECTION *s, WPACKET *pkt); 818 int mt; 819 WPACKET pkt; 820 SSL *ssl = SSL_CONNECTION_GET_USER_SSL(s); 821 822 cb = get_callback(s); 823 824 if (s->server) { 825 transition = ossl_statem_server_write_transition; 826 pre_work = ossl_statem_server_pre_work; 827 post_work = ossl_statem_server_post_work; 828 get_construct_message_f = ossl_statem_server_construct_message; 829 } else { 830 transition = ossl_statem_client_write_transition; 831 pre_work = ossl_statem_client_pre_work; 832 post_work = ossl_statem_client_post_work; 833 get_construct_message_f = ossl_statem_client_construct_message; 834 } 835 836 while (1) { 837 switch (st->write_state) { 838 case WRITE_STATE_TRANSITION: 839 if (cb != NULL) { 840 /* Notify callback of an impending state change */ 841 if (s->server) 842 cb(ssl, SSL_CB_ACCEPT_LOOP, 1); 843 else 844 cb(ssl, SSL_CB_CONNECT_LOOP, 1); 845 } 846 switch (transition(s)) { 847 case WRITE_TRAN_CONTINUE: 848 st->write_state = WRITE_STATE_PRE_WORK; 849 st->write_state_work = WORK_MORE_A; 850 break; 851 852 case WRITE_TRAN_FINISHED: 853 return SUB_STATE_FINISHED; 854 855 case WRITE_TRAN_ERROR: 856 check_fatal(s); 857 return SUB_STATE_ERROR; 858 } 859 break; 860 861 case WRITE_STATE_PRE_WORK: 862 switch (st->write_state_work = pre_work(s, st->write_state_work)) { 863 case WORK_ERROR: 864 check_fatal(s); 865 /* Fall through */ 866 case WORK_MORE_A: 867 case WORK_MORE_B: 868 case WORK_MORE_C: 869 return SUB_STATE_ERROR; 870 871 case WORK_FINISHED_CONTINUE: 872 st->write_state = WRITE_STATE_SEND; 873 break; 874 875 case WORK_FINISHED_SWAP: 876 return SUB_STATE_FINISHED; 877 878 case WORK_FINISHED_STOP: 879 return SUB_STATE_END_HANDSHAKE; 880 } 881 if (!get_construct_message_f(s, &confunc, &mt)) { 882 /* SSLfatal() already called */ 883 return SUB_STATE_ERROR; 884 } 885 if (mt == SSL3_MT_DUMMY) { 886 /* Skip construction and sending. This isn't a "real" state */ 887 st->write_state = WRITE_STATE_POST_WORK; 888 st->write_state_work = WORK_MORE_A; 889 break; 890 } 891 if (!WPACKET_init(&pkt, s->init_buf) 892 || !ssl_set_handshake_header(s, &pkt, mt)) { 893 WPACKET_cleanup(&pkt); 894 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 895 return SUB_STATE_ERROR; 896 } 897 if (confunc != NULL) { 898 CON_FUNC_RETURN tmpret; 899 900 tmpret = confunc(s, &pkt); 901 if (tmpret == CON_FUNC_ERROR) { 902 WPACKET_cleanup(&pkt); 903 check_fatal(s); 904 return SUB_STATE_ERROR; 905 } else if (tmpret == CON_FUNC_DONT_SEND) { 906 /* 907 * The construction function decided not to construct the 908 * message after all and continue. Skip sending. 909 */ 910 WPACKET_cleanup(&pkt); 911 st->write_state = WRITE_STATE_POST_WORK; 912 st->write_state_work = WORK_MORE_A; 913 break; 914 } /* else success */ 915 } 916 if (!ssl_close_construct_packet(s, &pkt, mt) 917 || !WPACKET_finish(&pkt)) { 918 WPACKET_cleanup(&pkt); 919 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 920 return SUB_STATE_ERROR; 921 } 922 923 /* Fall through */ 924 925 case WRITE_STATE_SEND: 926 if (SSL_CONNECTION_IS_DTLS(s) && st->use_timer) { 927 dtls1_start_timer(s); 928 } 929 ret = statem_do_write(s); 930 if (ret <= 0) { 931 return SUB_STATE_ERROR; 932 } 933 st->write_state = WRITE_STATE_POST_WORK; 934 st->write_state_work = WORK_MORE_A; 935 /* Fall through */ 936 937 case WRITE_STATE_POST_WORK: 938 switch (st->write_state_work = post_work(s, st->write_state_work)) { 939 case WORK_ERROR: 940 check_fatal(s); 941 /* Fall through */ 942 case WORK_MORE_A: 943 case WORK_MORE_B: 944 case WORK_MORE_C: 945 return SUB_STATE_ERROR; 946 947 case WORK_FINISHED_CONTINUE: 948 st->write_state = WRITE_STATE_TRANSITION; 949 break; 950 951 case WORK_FINISHED_SWAP: 952 return SUB_STATE_FINISHED; 953 954 case WORK_FINISHED_STOP: 955 return SUB_STATE_END_HANDSHAKE; 956 } 957 break; 958 959 default: 960 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 961 return SUB_STATE_ERROR; 962 } 963 } 964 } 965 966 /* 967 * Flush the write BIO 968 */ 969 int statem_flush(SSL_CONNECTION *s) 970 { 971 s->rwstate = SSL_WRITING; 972 if (BIO_flush(s->wbio) <= 0) { 973 return 0; 974 } 975 s->rwstate = SSL_NOTHING; 976 977 return 1; 978 } 979 980 /* 981 * Called by the record layer to determine whether application data is 982 * allowed to be received in the current handshake state or not. 983 * 984 * Return values are: 985 * 1: Yes (application data allowed) 986 * 0: No (application data not allowed) 987 */ 988 int ossl_statem_app_data_allowed(SSL_CONNECTION *s) 989 { 990 OSSL_STATEM *st = &s->statem; 991 992 if (st->state == MSG_FLOW_UNINITED) 993 return 0; 994 995 if (!s->s3.in_read_app_data || (s->s3.total_renegotiations == 0)) 996 return 0; 997 998 if (s->server) { 999 /* 1000 * If we're a server and we haven't got as far as writing our 1001 * ServerHello yet then we allow app data 1002 */ 1003 if (st->hand_state == TLS_ST_BEFORE 1004 || st->hand_state == TLS_ST_SR_CLNT_HELLO) 1005 return 1; 1006 } else { 1007 /* 1008 * If we're a client and we haven't read the ServerHello yet then we 1009 * allow app data 1010 */ 1011 if (st->hand_state == TLS_ST_CW_CLNT_HELLO) 1012 return 1; 1013 } 1014 1015 return 0; 1016 } 1017 1018 /* 1019 * This function returns 1 if TLS exporter is ready to export keying 1020 * material, or 0 if otherwise. 1021 */ 1022 int ossl_statem_export_allowed(SSL_CONNECTION *s) 1023 { 1024 return s->s3.previous_server_finished_len != 0 1025 && s->statem.hand_state != TLS_ST_SW_FINISHED; 1026 } 1027 1028 /* 1029 * Return 1 if early TLS exporter is ready to export keying material, 1030 * or 0 if otherwise. 1031 */ 1032 int ossl_statem_export_early_allowed(SSL_CONNECTION *s) 1033 { 1034 /* 1035 * The early exporter secret is only present on the server if we 1036 * have accepted early_data. It is present on the client as long 1037 * as we have sent early_data. 1038 */ 1039 return s->ext.early_data == SSL_EARLY_DATA_ACCEPTED 1040 || (!s->server && s->ext.early_data != SSL_EARLY_DATA_NOT_SENT); 1041 } 1042