Path: blob/main/crypto/openssl/ssl/statem/statem.c
48266 views
/*1* Copyright 2015-2025 The OpenSSL Project Authors. All Rights Reserved.2*3* Licensed under the Apache License 2.0 (the "License"). You may not use4* this file except in compliance with the License. You can obtain a copy5* in the file LICENSE in the source distribution or at6* https://www.openssl.org/source/license.html7*/89#include "internal/e_os.h"1011#if defined(__TANDEM) && defined(_SPT_MODEL_)12# include <spthread.h>13# include <spt_extensions.h> /* timeval */14#endif1516#include "internal/cryptlib.h"17#include "internal/ssl_unwrap.h"18#include <openssl/rand.h>19#include "../ssl_local.h"20#include "statem_local.h"21#include <assert.h>2223/*24* This file implements the SSL/TLS/DTLS state machines.25*26* There are two primary state machines:27*28* 1) Message flow state machine29* 2) Handshake state machine30*31* The Message flow state machine controls the reading and sending of messages32* including handling of non-blocking IO events, flushing of the underlying33* write BIO, handling unexpected messages, etc. It is itself broken into two34* separate sub-state machines which control reading and writing respectively.35*36* The Handshake state machine keeps track of the current SSL/TLS handshake37* state. Transitions of the handshake state are the result of events that38* occur within the Message flow state machine.39*40* Overall it looks like this:41*42* --------------------------------------------- -------------------43* | | | |44* | Message flow state machine | | |45* | | | |46* | -------------------- -------------------- | Transition | Handshake state |47* | | MSG_FLOW_READING | | MSG_FLOW_WRITING | | Event | machine |48* | | sub-state | | sub-state | |----------->| |49* | | machine for | | machine for | | | |50* | | reading messages | | writing messages | | | |51* | -------------------- -------------------- | | |52* | | | |53* --------------------------------------------- -------------------54*55*/5657/* Sub state machine return values */58typedef enum {59/* Something bad happened or NBIO */60SUB_STATE_ERROR,61/* Sub state finished go to the next sub state */62SUB_STATE_FINISHED,63/* Sub state finished and handshake was completed */64SUB_STATE_END_HANDSHAKE65} SUB_STATE_RETURN;6667static int state_machine(SSL_CONNECTION *s, int server);68static void init_read_state_machine(SSL_CONNECTION *s);69static SUB_STATE_RETURN read_state_machine(SSL_CONNECTION *s);70static void init_write_state_machine(SSL_CONNECTION *s);71static SUB_STATE_RETURN write_state_machine(SSL_CONNECTION *s);7273OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl)74{75const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);7677if (sc == NULL)78return TLS_ST_BEFORE;7980return sc->statem.hand_state;81}8283int SSL_in_init(const SSL *s)84{85const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);8687if (sc == NULL)88return 0;8990return sc->statem.in_init;91}9293int SSL_is_init_finished(const SSL *s)94{95const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);9697if (sc == NULL)98return 0;99100return !(sc->statem.in_init) && (sc->statem.hand_state == TLS_ST_OK);101}102103int SSL_in_before(const SSL *s)104{105const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);106107if (sc == NULL)108return 0;109110/*111* Historically being "in before" meant before anything had happened. In the112* current code though we remain in the "before" state for a while after we113* have started the handshake process (e.g. as a server waiting for the114* first message to arrive). There "in before" is taken to mean "in before"115* and not started any handshake process yet.116*/117return (sc->statem.hand_state == TLS_ST_BEFORE)118&& (sc->statem.state == MSG_FLOW_UNINITED);119}120121OSSL_HANDSHAKE_STATE ossl_statem_get_state(SSL_CONNECTION *s)122{123return s != NULL ? s->statem.hand_state : TLS_ST_BEFORE;124}125126/*127* Clear the state machine state and reset back to MSG_FLOW_UNINITED128*/129void ossl_statem_clear(SSL_CONNECTION *s)130{131s->statem.state = MSG_FLOW_UNINITED;132s->statem.hand_state = TLS_ST_BEFORE;133ossl_statem_set_in_init(s, 1);134s->statem.no_cert_verify = 0;135}136137/*138* Set the state machine up ready for a renegotiation handshake139*/140void ossl_statem_set_renegotiate(SSL_CONNECTION *s)141{142ossl_statem_set_in_init(s, 1);143s->statem.request_state = TLS_ST_SW_HELLO_REQ;144}145146void ossl_statem_send_fatal(SSL_CONNECTION *s, int al)147{148/* We shouldn't call SSLfatal() twice. Once is enough */149if (s->statem.in_init && s->statem.state == MSG_FLOW_ERROR)150return;151ossl_statem_set_in_init(s, 1);152s->statem.state = MSG_FLOW_ERROR;153if (al != SSL_AD_NO_ALERT)154ssl3_send_alert(s, SSL3_AL_FATAL, al);155}156157/*158* Error reporting building block that's used instead of ERR_set_error().159* In addition to what ERR_set_error() does, this puts the state machine160* into an error state and sends an alert if appropriate.161* This is a permanent error for the current connection.162*/163void ossl_statem_fatal(SSL_CONNECTION *s, int al, int reason,164const char *fmt, ...)165{166va_list args;167168va_start(args, fmt);169ERR_vset_error(ERR_LIB_SSL, reason, fmt, args);170va_end(args);171172ossl_statem_send_fatal(s, al);173}174175/*176* This macro should only be called if we are already expecting to be in177* a fatal error state. We verify that we are, and set it if not (this would178* indicate a bug).179*/180#define check_fatal(s) \181do { \182if (!ossl_assert((s)->statem.in_init \183&& (s)->statem.state == MSG_FLOW_ERROR)) \184SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_FATAL); \185} while (0)186187/*188* Discover whether the current connection is in the error state.189*190* Valid return values are:191* 1: Yes192* 0: No193*/194int ossl_statem_in_error(const SSL_CONNECTION *s)195{196if (s->statem.state == MSG_FLOW_ERROR)197return 1;198199return 0;200}201202void ossl_statem_set_in_init(SSL_CONNECTION *s, int init)203{204s->statem.in_init = init;205if (s->rlayer.rrlmethod != NULL && s->rlayer.rrlmethod->set_in_init != NULL)206s->rlayer.rrlmethod->set_in_init(s->rlayer.rrl, init);207}208209int ossl_statem_get_in_handshake(SSL_CONNECTION *s)210{211return s->statem.in_handshake;212}213214void ossl_statem_set_in_handshake(SSL_CONNECTION *s, int inhand)215{216if (inhand)217s->statem.in_handshake++;218else219s->statem.in_handshake--;220}221222/* Are we in a sensible state to skip over unreadable early data? */223int ossl_statem_skip_early_data(SSL_CONNECTION *s)224{225if (s->ext.early_data != SSL_EARLY_DATA_REJECTED)226return 0;227228if (!s->server229|| s->statem.hand_state != TLS_ST_EARLY_DATA230|| s->hello_retry_request == SSL_HRR_COMPLETE)231return 0;232233return 1;234}235236/*237* Called when we are in SSL_read*(), SSL_write*(), or SSL_accept()238* /SSL_connect()/SSL_do_handshake(). Used to test whether we are in an early239* data state and whether we should attempt to move the handshake on if so.240* |sending| is 1 if we are attempting to send data (SSL_write*()), 0 if we are241* attempting to read data (SSL_read*()), or -1 if we are in SSL_do_handshake()242* or similar.243*/244int ossl_statem_check_finish_init(SSL_CONNECTION *s, int sending)245{246if (sending == -1) {247if (s->statem.hand_state == TLS_ST_PENDING_EARLY_DATA_END248|| s->statem.hand_state == TLS_ST_EARLY_DATA) {249ossl_statem_set_in_init(s, 1);250if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY) {251/*252* SSL_connect() or SSL_do_handshake() has been called directly.253* We don't allow any more writing of early data.254*/255s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING;256}257}258} else if (!s->server) {259if ((sending && (s->statem.hand_state == TLS_ST_PENDING_EARLY_DATA_END260|| s->statem.hand_state == TLS_ST_EARLY_DATA)261&& s->early_data_state != SSL_EARLY_DATA_WRITING)262|| (!sending && s->statem.hand_state == TLS_ST_EARLY_DATA)) {263ossl_statem_set_in_init(s, 1);264/*265* SSL_write() has been called directly. We don't allow any more266* writing of early data.267*/268if (sending && s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY)269s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING;270}271} else {272if (s->early_data_state == SSL_EARLY_DATA_FINISHED_READING273&& s->statem.hand_state == TLS_ST_EARLY_DATA)274ossl_statem_set_in_init(s, 1);275}276return 1;277}278279void ossl_statem_set_hello_verify_done(SSL_CONNECTION *s)280{281s->statem.state = MSG_FLOW_UNINITED;282ossl_statem_set_in_init(s, 1);283/*284* This will get reset (briefly) back to TLS_ST_BEFORE when we enter285* state_machine() because |state| is MSG_FLOW_UNINITED, but until then any286* calls to SSL_in_before() will return false. Also calls to287* SSL_state_string() and SSL_state_string_long() will return something288* sensible.289*/290s->statem.hand_state = TLS_ST_SR_CLNT_HELLO;291}292293int ossl_statem_connect(SSL *s)294{295SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);296297if (sc == NULL)298return -1;299300return state_machine(sc, 0);301}302303int ossl_statem_accept(SSL *s)304{305SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);306307if (sc == NULL)308return -1;309310return state_machine(sc, 1);311}312313typedef void (*info_cb) (const SSL *, int, int);314315static info_cb get_callback(SSL_CONNECTION *s)316{317SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);318319if (s->info_callback != NULL)320return s->info_callback;321else if (sctx->info_callback != NULL)322return sctx->info_callback;323324return NULL;325}326327/*328* The main message flow state machine. We start in the MSG_FLOW_UNINITED or329* MSG_FLOW_FINISHED state and finish in MSG_FLOW_FINISHED. Valid states and330* transitions are as follows:331*332* MSG_FLOW_UNINITED MSG_FLOW_FINISHED333* | |334* +-----------------------+335* v336* MSG_FLOW_WRITING <---> MSG_FLOW_READING337* |338* V339* MSG_FLOW_FINISHED340* |341* V342* [SUCCESS]343*344* We may exit at any point due to an error or NBIO event. If an NBIO event345* occurs then we restart at the point we left off when we are recalled.346* MSG_FLOW_WRITING and MSG_FLOW_READING have sub-state machines associated with them.347*348* In addition to the above there is also the MSG_FLOW_ERROR state. We can move349* into that state at any point in the event that an irrecoverable error occurs.350*351* Valid return values are:352* 1: Success353* <=0: NBIO or error354*/355static int state_machine(SSL_CONNECTION *s, int server)356{357BUF_MEM *buf = NULL;358void (*cb) (const SSL *ssl, int type, int val) = NULL;359OSSL_STATEM *st = &s->statem;360int ret = -1;361int ssret;362SSL *ssl = SSL_CONNECTION_GET_SSL(s);363SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);364365if (st->state == MSG_FLOW_ERROR) {366/* Shouldn't have been called if we're already in the error state */367return -1;368}369370ERR_clear_error();371clear_sys_error();372373cb = get_callback(s);374375st->in_handshake++;376if (!SSL_in_init(ssl) || SSL_in_before(ssl)) {377/*378* If we are stateless then we already called SSL_clear() - don't do379* it again and clear the STATELESS flag itself.380*/381if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0 && !SSL_clear(ssl))382return -1;383}384#ifndef OPENSSL_NO_SCTP385if (SSL_CONNECTION_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(ssl))) {386/*387* Notify SCTP BIO socket to enter handshake mode and prevent stream388* identifier other than 0.389*/390BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,391st->in_handshake, NULL);392}393#endif394395/* Initialise state machine */396if (st->state == MSG_FLOW_UNINITED397|| st->state == MSG_FLOW_FINISHED) {398if (st->state == MSG_FLOW_UNINITED) {399st->hand_state = TLS_ST_BEFORE;400st->request_state = TLS_ST_BEFORE;401}402403s->server = server;404if (cb != NULL) {405if (SSL_IS_FIRST_HANDSHAKE(s) || !SSL_CONNECTION_IS_TLS13(s))406cb(ussl, SSL_CB_HANDSHAKE_START, 1);407}408409/*410* Fatal errors in this block don't send an alert because we have411* failed to even initialise properly. Sending an alert is probably412* doomed to failure.413*/414415if (SSL_CONNECTION_IS_DTLS(s)) {416if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00) &&417(server || (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00))) {418SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR);419goto end;420}421} else {422if ((s->version >> 8) != SSL3_VERSION_MAJOR) {423SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR);424goto end;425}426}427428if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) {429SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR);430goto end;431}432433if (s->init_buf == NULL) {434if ((buf = BUF_MEM_new()) == NULL) {435SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR);436goto end;437}438if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {439SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR);440goto end;441}442s->init_buf = buf;443buf = NULL;444}445446s->init_num = 0;447448/*449* Should have been reset by tls_process_finished, too.450*/451s->s3.change_cipher_spec = 0;452453/*454* Ok, we now need to push on a buffering BIO ...but not with455* SCTP456*/457#ifndef OPENSSL_NO_SCTP458if (!SSL_CONNECTION_IS_DTLS(s) || !BIO_dgram_is_sctp(SSL_get_wbio(ssl)))459#endif460if (!ssl_init_wbio_buffer(s)) {461SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR);462goto end;463}464465if ((SSL_in_before(ssl))466|| s->renegotiate) {467if (!tls_setup_handshake(s)) {468/* SSLfatal() already called */469goto end;470}471472if (SSL_IS_FIRST_HANDSHAKE(s))473st->read_state_first_init = 1;474}475476st->state = MSG_FLOW_WRITING;477init_write_state_machine(s);478}479480while (st->state != MSG_FLOW_FINISHED) {481if (st->state == MSG_FLOW_READING) {482ssret = read_state_machine(s);483if (ssret == SUB_STATE_FINISHED) {484st->state = MSG_FLOW_WRITING;485init_write_state_machine(s);486} else {487/* NBIO or error */488goto end;489}490} else if (st->state == MSG_FLOW_WRITING) {491ssret = write_state_machine(s);492if (ssret == SUB_STATE_FINISHED) {493st->state = MSG_FLOW_READING;494init_read_state_machine(s);495} else if (ssret == SUB_STATE_END_HANDSHAKE) {496st->state = MSG_FLOW_FINISHED;497} else {498/* NBIO or error */499goto end;500}501} else {502/* Error */503check_fatal(s);504ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);505goto end;506}507}508509ret = 1;510511end:512st->in_handshake--;513514#ifndef OPENSSL_NO_SCTP515if (SSL_CONNECTION_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(ssl))) {516/*517* Notify SCTP BIO socket to leave handshake mode and allow stream518* identifier other than 0.519*/520BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,521st->in_handshake, NULL);522}523#endif524525BUF_MEM_free(buf);526if (cb != NULL) {527if (server)528cb(ussl, SSL_CB_ACCEPT_EXIT, ret);529else530cb(ussl, SSL_CB_CONNECT_EXIT, ret);531}532return ret;533}534535/*536* Initialise the MSG_FLOW_READING sub-state machine537*/538static void init_read_state_machine(SSL_CONNECTION *s)539{540OSSL_STATEM *st = &s->statem;541542st->read_state = READ_STATE_HEADER;543}544545static int grow_init_buf(SSL_CONNECTION *s, size_t size) {546547size_t msg_offset = (char *)s->init_msg - s->init_buf->data;548549if (!BUF_MEM_grow_clean(s->init_buf, (int)size))550return 0;551552if (size < msg_offset)553return 0;554555s->init_msg = s->init_buf->data + msg_offset;556557return 1;558}559560/*561* This function implements the sub-state machine when the message flow is in562* MSG_FLOW_READING. The valid sub-states and transitions are:563*564* READ_STATE_HEADER <--+<-------------+565* | | |566* v | |567* READ_STATE_BODY -----+-->READ_STATE_POST_PROCESS568* | |569* +----------------------------+570* v571* [SUB_STATE_FINISHED]572*573* READ_STATE_HEADER has the responsibility for reading in the message header574* and transitioning the state of the handshake state machine.575*576* READ_STATE_BODY reads in the rest of the message and then subsequently577* processes it.578*579* READ_STATE_POST_PROCESS is an optional step that may occur if some post580* processing activity performed on the message may block.581*582* Any of the above states could result in an NBIO event occurring in which case583* control returns to the calling application. When this function is recalled we584* will resume in the same state where we left off.585*/586static SUB_STATE_RETURN read_state_machine(SSL_CONNECTION *s)587{588OSSL_STATEM *st = &s->statem;589int ret, mt;590size_t len = 0;591int (*transition) (SSL_CONNECTION *s, int mt);592PACKET pkt;593MSG_PROCESS_RETURN(*process_message) (SSL_CONNECTION *s, PACKET *pkt);594WORK_STATE(*post_process_message) (SSL_CONNECTION *s, WORK_STATE wst);595size_t (*max_message_size) (SSL_CONNECTION *s);596void (*cb) (const SSL *ssl, int type, int val) = NULL;597SSL *ssl = SSL_CONNECTION_GET_USER_SSL(s);598599cb = get_callback(s);600601if (s->server) {602transition = ossl_statem_server_read_transition;603process_message = ossl_statem_server_process_message;604max_message_size = ossl_statem_server_max_message_size;605post_process_message = ossl_statem_server_post_process_message;606} else {607transition = ossl_statem_client_read_transition;608process_message = ossl_statem_client_process_message;609max_message_size = ossl_statem_client_max_message_size;610post_process_message = ossl_statem_client_post_process_message;611}612613if (st->read_state_first_init) {614s->first_packet = 1;615st->read_state_first_init = 0;616}617618while (1) {619switch (st->read_state) {620case READ_STATE_HEADER:621/* Get the state the peer wants to move to */622if (SSL_CONNECTION_IS_DTLS(s)) {623/*624* In DTLS we get the whole message in one go - header and body625*/626ret = dtls_get_message(s, &mt);627} else {628ret = tls_get_message_header(s, &mt);629}630631if (ret == 0) {632/* Could be non-blocking IO */633return SUB_STATE_ERROR;634}635636if (cb != NULL) {637/* Notify callback of an impending state change */638if (s->server)639cb(ssl, SSL_CB_ACCEPT_LOOP, 1);640else641cb(ssl, SSL_CB_CONNECT_LOOP, 1);642}643/*644* Validate that we are allowed to move to the new state and move645* to that state if so646*/647if (!transition(s, mt))648return SUB_STATE_ERROR;649650if (s->s3.tmp.message_size > max_message_size(s)) {651SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,652SSL_R_EXCESSIVE_MESSAGE_SIZE);653return SUB_STATE_ERROR;654}655656/* dtls_get_message already did this */657if (!SSL_CONNECTION_IS_DTLS(s)658&& s->s3.tmp.message_size > 0659&& !grow_init_buf(s, s->s3.tmp.message_size660+ SSL3_HM_HEADER_LENGTH)) {661SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB);662return SUB_STATE_ERROR;663}664665st->read_state = READ_STATE_BODY;666/* Fall through */667668case READ_STATE_BODY:669if (SSL_CONNECTION_IS_DTLS(s)) {670/*671* Actually we already have the body, but we give DTLS the672* opportunity to do any further processing.673*/674ret = dtls_get_message_body(s, &len);675} else {676ret = tls_get_message_body(s, &len);677}678if (ret == 0) {679/* Could be non-blocking IO */680return SUB_STATE_ERROR;681}682683s->first_packet = 0;684if (!PACKET_buf_init(&pkt, s->init_msg, len)) {685SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);686return SUB_STATE_ERROR;687}688ret = process_message(s, &pkt);689690/* Discard the packet data */691s->init_num = 0;692693switch (ret) {694case MSG_PROCESS_ERROR:695check_fatal(s);696return SUB_STATE_ERROR;697698case MSG_PROCESS_FINISHED_READING:699if (SSL_CONNECTION_IS_DTLS(s)) {700dtls1_stop_timer(s);701}702return SUB_STATE_FINISHED;703704case MSG_PROCESS_CONTINUE_PROCESSING:705st->read_state = READ_STATE_POST_PROCESS;706st->read_state_work = WORK_MORE_A;707break;708709default:710st->read_state = READ_STATE_HEADER;711break;712}713break;714715case READ_STATE_POST_PROCESS:716st->read_state_work = post_process_message(s, st->read_state_work);717switch (st->read_state_work) {718case WORK_ERROR:719check_fatal(s);720/* Fall through */721case WORK_MORE_A:722case WORK_MORE_B:723case WORK_MORE_C:724return SUB_STATE_ERROR;725726case WORK_FINISHED_CONTINUE:727st->read_state = READ_STATE_HEADER;728break;729730case WORK_FINISHED_SWAP:731case WORK_FINISHED_STOP:732if (SSL_CONNECTION_IS_DTLS(s)) {733dtls1_stop_timer(s);734}735return SUB_STATE_FINISHED;736}737break;738739default:740/* Shouldn't happen */741SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);742return SUB_STATE_ERROR;743}744}745}746747/*748* Send a previously constructed message to the peer.749*/750static int statem_do_write(SSL_CONNECTION *s)751{752OSSL_STATEM *st = &s->statem;753754if (st->hand_state == TLS_ST_CW_CHANGE755|| st->hand_state == TLS_ST_SW_CHANGE) {756if (SSL_CONNECTION_IS_DTLS(s))757return dtls1_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);758else759return ssl3_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);760} else {761return ssl_do_write(s);762}763}764765/*766* Initialise the MSG_FLOW_WRITING sub-state machine767*/768static void init_write_state_machine(SSL_CONNECTION *s)769{770OSSL_STATEM *st = &s->statem;771772st->write_state = WRITE_STATE_TRANSITION;773}774775/*776* This function implements the sub-state machine when the message flow is in777* MSG_FLOW_WRITING. The valid sub-states and transitions are:778*779* +-> WRITE_STATE_TRANSITION ------> [SUB_STATE_FINISHED]780* | |781* | v782* | WRITE_STATE_PRE_WORK -----> [SUB_STATE_END_HANDSHAKE]783* | |784* | v785* | WRITE_STATE_SEND786* | |787* | v788* | WRITE_STATE_POST_WORK789* | |790* +-------------+791*792* WRITE_STATE_TRANSITION transitions the state of the handshake state machine793794* WRITE_STATE_PRE_WORK performs any work necessary to prepare the later795* sending of the message. This could result in an NBIO event occurring in796* which case control returns to the calling application. When this function797* is recalled we will resume in the same state where we left off.798*799* WRITE_STATE_SEND sends the message and performs any work to be done after800* sending.801*802* WRITE_STATE_POST_WORK performs any work necessary after the sending of the803* message has been completed. As for WRITE_STATE_PRE_WORK this could also804* result in an NBIO event.805*/806static SUB_STATE_RETURN write_state_machine(SSL_CONNECTION *s)807{808OSSL_STATEM *st = &s->statem;809int ret;810WRITE_TRAN(*transition) (SSL_CONNECTION *s);811WORK_STATE(*pre_work) (SSL_CONNECTION *s, WORK_STATE wst);812WORK_STATE(*post_work) (SSL_CONNECTION *s, WORK_STATE wst);813int (*get_construct_message_f) (SSL_CONNECTION *s,814CON_FUNC_RETURN (**confunc) (SSL_CONNECTION *s,815WPACKET *pkt),816int *mt);817void (*cb) (const SSL *ssl, int type, int val) = NULL;818CON_FUNC_RETURN (*confunc) (SSL_CONNECTION *s, WPACKET *pkt);819int mt;820WPACKET pkt;821SSL *ssl = SSL_CONNECTION_GET_USER_SSL(s);822823cb = get_callback(s);824825if (s->server) {826transition = ossl_statem_server_write_transition;827pre_work = ossl_statem_server_pre_work;828post_work = ossl_statem_server_post_work;829get_construct_message_f = ossl_statem_server_construct_message;830} else {831transition = ossl_statem_client_write_transition;832pre_work = ossl_statem_client_pre_work;833post_work = ossl_statem_client_post_work;834get_construct_message_f = ossl_statem_client_construct_message;835}836837while (1) {838switch (st->write_state) {839case WRITE_STATE_TRANSITION:840if (cb != NULL) {841/* Notify callback of an impending state change */842if (s->server)843cb(ssl, SSL_CB_ACCEPT_LOOP, 1);844else845cb(ssl, SSL_CB_CONNECT_LOOP, 1);846}847switch (transition(s)) {848case WRITE_TRAN_CONTINUE:849st->write_state = WRITE_STATE_PRE_WORK;850st->write_state_work = WORK_MORE_A;851break;852853case WRITE_TRAN_FINISHED:854return SUB_STATE_FINISHED;855856case WRITE_TRAN_ERROR:857check_fatal(s);858return SUB_STATE_ERROR;859}860break;861862case WRITE_STATE_PRE_WORK:863switch (st->write_state_work = pre_work(s, st->write_state_work)) {864case WORK_ERROR:865check_fatal(s);866/* Fall through */867case WORK_MORE_A:868case WORK_MORE_B:869case WORK_MORE_C:870return SUB_STATE_ERROR;871872case WORK_FINISHED_CONTINUE:873st->write_state = WRITE_STATE_SEND;874break;875876case WORK_FINISHED_SWAP:877return SUB_STATE_FINISHED;878879case WORK_FINISHED_STOP:880return SUB_STATE_END_HANDSHAKE;881}882if (!get_construct_message_f(s, &confunc, &mt)) {883/* SSLfatal() already called */884return SUB_STATE_ERROR;885}886if (mt == SSL3_MT_DUMMY) {887/* Skip construction and sending. This isn't a "real" state */888st->write_state = WRITE_STATE_POST_WORK;889st->write_state_work = WORK_MORE_A;890break;891}892if (!WPACKET_init(&pkt, s->init_buf)893|| !ssl_set_handshake_header(s, &pkt, mt)) {894WPACKET_cleanup(&pkt);895SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);896return SUB_STATE_ERROR;897}898if (confunc != NULL) {899CON_FUNC_RETURN tmpret;900901tmpret = confunc(s, &pkt);902if (tmpret == CON_FUNC_ERROR) {903WPACKET_cleanup(&pkt);904check_fatal(s);905return SUB_STATE_ERROR;906} else if (tmpret == CON_FUNC_DONT_SEND) {907/*908* The construction function decided not to construct the909* message after all and continue. Skip sending.910*/911WPACKET_cleanup(&pkt);912st->write_state = WRITE_STATE_POST_WORK;913st->write_state_work = WORK_MORE_A;914break;915} /* else success */916}917if (!ssl_close_construct_packet(s, &pkt, mt)918|| !WPACKET_finish(&pkt)) {919WPACKET_cleanup(&pkt);920SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);921return SUB_STATE_ERROR;922}923924/* Fall through */925926case WRITE_STATE_SEND:927if (SSL_CONNECTION_IS_DTLS(s) && st->use_timer) {928dtls1_start_timer(s);929}930ret = statem_do_write(s);931if (ret <= 0) {932return SUB_STATE_ERROR;933}934st->write_state = WRITE_STATE_POST_WORK;935st->write_state_work = WORK_MORE_A;936/* Fall through */937938case WRITE_STATE_POST_WORK:939switch (st->write_state_work = post_work(s, st->write_state_work)) {940case WORK_ERROR:941check_fatal(s);942/* Fall through */943case WORK_MORE_A:944case WORK_MORE_B:945case WORK_MORE_C:946return SUB_STATE_ERROR;947948case WORK_FINISHED_CONTINUE:949st->write_state = WRITE_STATE_TRANSITION;950break;951952case WORK_FINISHED_SWAP:953return SUB_STATE_FINISHED;954955case WORK_FINISHED_STOP:956return SUB_STATE_END_HANDSHAKE;957}958break;959960default:961SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);962return SUB_STATE_ERROR;963}964}965}966967/*968* Flush the write BIO969*/970int statem_flush(SSL_CONNECTION *s)971{972s->rwstate = SSL_WRITING;973if (BIO_flush(s->wbio) <= 0) {974return 0;975}976s->rwstate = SSL_NOTHING;977978return 1;979}980981/*982* Called by the record layer to determine whether application data is983* allowed to be received in the current handshake state or not.984*985* Return values are:986* 1: Yes (application data allowed)987* 0: No (application data not allowed)988*/989int ossl_statem_app_data_allowed(SSL_CONNECTION *s)990{991OSSL_STATEM *st = &s->statem;992993if (st->state == MSG_FLOW_UNINITED)994return 0;995996if (!s->s3.in_read_app_data || (s->s3.total_renegotiations == 0))997return 0;998999if (s->server) {1000/*1001* If we're a server and we haven't got as far as writing our1002* ServerHello yet then we allow app data1003*/1004if (st->hand_state == TLS_ST_BEFORE1005|| st->hand_state == TLS_ST_SR_CLNT_HELLO)1006return 1;1007} else {1008/*1009* If we're a client and we haven't read the ServerHello yet then we1010* allow app data1011*/1012if (st->hand_state == TLS_ST_CW_CLNT_HELLO)1013return 1;1014}10151016return 0;1017}10181019/*1020* This function returns 1 if TLS exporter is ready to export keying1021* material, or 0 if otherwise.1022*/1023int ossl_statem_export_allowed(SSL_CONNECTION *s)1024{1025return s->s3.previous_server_finished_len != 01026&& s->statem.hand_state != TLS_ST_SW_FINISHED;1027}10281029/*1030* Return 1 if early TLS exporter is ready to export keying material,1031* or 0 if otherwise.1032*/1033int ossl_statem_export_early_allowed(SSL_CONNECTION *s)1034{1035/*1036* The early exporter secret is only present on the server if we1037* have accepted early_data. It is present on the client as long1038* as we have sent early_data.1039*/1040return s->ext.early_data == SSL_EARLY_DATA_ACCEPTED1041|| (!s->server && s->ext.early_data != SSL_EARLY_DATA_NOT_SENT);1042}104310441045