Path: blob/main/crypto/openssl/ssl/statem/statem.c
104927 views
/*1* Copyright 2015-2025 The OpenSSL Project Authors. All Rights Reserved.2*3* Licensed under the Apache License 2.0 (the "License"). You may not use4* this file except in compliance with the License. You can obtain a copy5* in the file LICENSE in the source distribution or at6* https://www.openssl.org/source/license.html7*/89#include "internal/e_os.h"1011#if defined(__TANDEM) && defined(_SPT_MODEL_)12#include <spthread.h>13#include <spt_extensions.h> /* timeval */14#endif1516#include "internal/cryptlib.h"17#include "internal/ssl_unwrap.h"18#include <openssl/rand.h>19#include "../ssl_local.h"20#include "statem_local.h"21#include <assert.h>2223/*24* This file implements the SSL/TLS/DTLS state machines.25*26* There are two primary state machines:27*28* 1) Message flow state machine29* 2) Handshake state machine30*31* The Message flow state machine controls the reading and sending of messages32* including handling of non-blocking IO events, flushing of the underlying33* write BIO, handling unexpected messages, etc. It is itself broken into two34* separate sub-state machines which control reading and writing respectively.35*36* The Handshake state machine keeps track of the current SSL/TLS handshake37* state. Transitions of the handshake state are the result of events that38* occur within the Message flow state machine.39*40* Overall it looks like this:41*42* --------------------------------------------- -------------------43* | | | |44* | Message flow state machine | | |45* | | | |46* | -------------------- -------------------- | Transition | Handshake state |47* | | MSG_FLOW_READING | | MSG_FLOW_WRITING | | Event | machine |48* | | sub-state | | sub-state | |----------->| |49* | | machine for | | machine for | | | |50* | | reading messages | | writing messages | | | |51* | -------------------- -------------------- | | |52* | | | |53* --------------------------------------------- -------------------54*55*/5657/* Sub state machine return values */58typedef enum {59/* Something bad happened or NBIO */60SUB_STATE_ERROR,61/* Sub state finished go to the next sub state */62SUB_STATE_FINISHED,63/* Sub state finished and handshake was completed */64SUB_STATE_END_HANDSHAKE65} SUB_STATE_RETURN;6667static int state_machine(SSL_CONNECTION *s, int server);68static void init_read_state_machine(SSL_CONNECTION *s);69static SUB_STATE_RETURN read_state_machine(SSL_CONNECTION *s);70static void init_write_state_machine(SSL_CONNECTION *s);71static SUB_STATE_RETURN write_state_machine(SSL_CONNECTION *s);7273OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl)74{75const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(ssl);7677if (sc == NULL)78return TLS_ST_BEFORE;7980return sc->statem.hand_state;81}8283int SSL_in_init(const SSL *s)84{85const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);8687if (sc == NULL)88return 0;8990return sc->statem.in_init;91}9293int SSL_is_init_finished(const SSL *s)94{95const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);9697if (sc == NULL)98return 0;99100return !(sc->statem.in_init) && (sc->statem.hand_state == TLS_ST_OK);101}102103int SSL_in_before(const SSL *s)104{105const SSL_CONNECTION *sc = SSL_CONNECTION_FROM_CONST_SSL(s);106107if (sc == NULL)108return 0;109110/*111* Historically being "in before" meant before anything had happened. In the112* current code though we remain in the "before" state for a while after we113* have started the handshake process (e.g. as a server waiting for the114* first message to arrive). There "in before" is taken to mean "in before"115* and not started any handshake process yet.116*/117return (sc->statem.hand_state == TLS_ST_BEFORE)118&& (sc->statem.state == MSG_FLOW_UNINITED);119}120121OSSL_HANDSHAKE_STATE ossl_statem_get_state(SSL_CONNECTION *s)122{123return s != NULL ? s->statem.hand_state : TLS_ST_BEFORE;124}125126/*127* Clear the state machine state and reset back to MSG_FLOW_UNINITED128*/129void ossl_statem_clear(SSL_CONNECTION *s)130{131s->statem.state = MSG_FLOW_UNINITED;132s->statem.hand_state = TLS_ST_BEFORE;133ossl_statem_set_in_init(s, 1);134s->statem.no_cert_verify = 0;135}136137/*138* Set the state machine up ready for a renegotiation handshake139*/140void ossl_statem_set_renegotiate(SSL_CONNECTION *s)141{142ossl_statem_set_in_init(s, 1);143s->statem.request_state = TLS_ST_SW_HELLO_REQ;144}145146void ossl_statem_send_fatal(SSL_CONNECTION *s, int al)147{148/* We shouldn't call SSLfatal() twice. Once is enough */149if (s->statem.in_init && s->statem.state == MSG_FLOW_ERROR)150return;151ossl_statem_set_in_init(s, 1);152s->statem.state = MSG_FLOW_ERROR;153if (al != SSL_AD_NO_ALERT)154ssl3_send_alert(s, SSL3_AL_FATAL, al);155}156157/*158* Error reporting building block that's used instead of ERR_set_error().159* In addition to what ERR_set_error() does, this puts the state machine160* into an error state and sends an alert if appropriate.161* This is a permanent error for the current connection.162*/163void ossl_statem_fatal(SSL_CONNECTION *s, int al, int reason,164const char *fmt, ...)165{166va_list args;167168va_start(args, fmt);169ERR_vset_error(ERR_LIB_SSL, reason, fmt, args);170va_end(args);171172ossl_statem_send_fatal(s, al);173}174175/*176* This macro should only be called if we are already expecting to be in177* a fatal error state. We verify that we are, and set it if not (this would178* indicate a bug).179*/180#define check_fatal(s) \181do { \182if (!ossl_assert((s)->statem.in_init \183&& (s)->statem.state == MSG_FLOW_ERROR)) \184SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_FATAL); \185} while (0)186187/*188* Discover whether the current connection is in the error state.189*190* Valid return values are:191* 1: Yes192* 0: No193*/194int ossl_statem_in_error(const SSL_CONNECTION *s)195{196if (s->statem.state == MSG_FLOW_ERROR)197return 1;198199return 0;200}201202void ossl_statem_set_in_init(SSL_CONNECTION *s, int init)203{204s->statem.in_init = init;205if (s->rlayer.rrlmethod != NULL && s->rlayer.rrlmethod->set_in_init != NULL)206s->rlayer.rrlmethod->set_in_init(s->rlayer.rrl, init);207}208209int ossl_statem_get_in_handshake(SSL_CONNECTION *s)210{211return s->statem.in_handshake;212}213214void ossl_statem_set_in_handshake(SSL_CONNECTION *s, int inhand)215{216if (inhand)217s->statem.in_handshake++;218else219s->statem.in_handshake--;220}221222/* Are we in a sensible state to skip over unreadable early data? */223int ossl_statem_skip_early_data(SSL_CONNECTION *s)224{225if (s->ext.early_data != SSL_EARLY_DATA_REJECTED)226return 0;227228if (!s->server229|| s->statem.hand_state != TLS_ST_EARLY_DATA230|| s->hello_retry_request == SSL_HRR_COMPLETE)231return 0;232233return 1;234}235236/*237* Called when we are in SSL_read*(), SSL_write*(), or SSL_accept()238* /SSL_connect()/SSL_do_handshake(). Used to test whether we are in an early239* data state and whether we should attempt to move the handshake on if so.240* |sending| is 1 if we are attempting to send data (SSL_write*()), 0 if we are241* attempting to read data (SSL_read*()), or -1 if we are in SSL_do_handshake()242* or similar.243*/244int ossl_statem_check_finish_init(SSL_CONNECTION *s, int sending)245{246if (sending == -1) {247if (s->statem.hand_state == TLS_ST_PENDING_EARLY_DATA_END248|| s->statem.hand_state == TLS_ST_EARLY_DATA) {249ossl_statem_set_in_init(s, 1);250if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY) {251/*252* SSL_connect() or SSL_do_handshake() has been called directly.253* We don't allow any more writing of early data.254*/255s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING;256}257}258} else if (!s->server) {259if ((sending && (s->statem.hand_state == TLS_ST_PENDING_EARLY_DATA_END || s->statem.hand_state == TLS_ST_EARLY_DATA)260&& s->early_data_state != SSL_EARLY_DATA_WRITING)261|| (!sending && s->statem.hand_state == TLS_ST_EARLY_DATA)) {262ossl_statem_set_in_init(s, 1);263/*264* SSL_write() has been called directly. We don't allow any more265* writing of early data.266*/267if (sending && s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY)268s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING;269}270} else {271if (s->early_data_state == SSL_EARLY_DATA_FINISHED_READING272&& s->statem.hand_state == TLS_ST_EARLY_DATA)273ossl_statem_set_in_init(s, 1);274}275return 1;276}277278void ossl_statem_set_hello_verify_done(SSL_CONNECTION *s)279{280s->statem.state = MSG_FLOW_UNINITED;281ossl_statem_set_in_init(s, 1);282/*283* This will get reset (briefly) back to TLS_ST_BEFORE when we enter284* state_machine() because |state| is MSG_FLOW_UNINITED, but until then any285* calls to SSL_in_before() will return false. Also calls to286* SSL_state_string() and SSL_state_string_long() will return something287* sensible.288*/289s->statem.hand_state = TLS_ST_SR_CLNT_HELLO;290}291292int ossl_statem_connect(SSL *s)293{294SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);295296if (sc == NULL)297return -1;298299return state_machine(sc, 0);300}301302int ossl_statem_accept(SSL *s)303{304SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);305306if (sc == NULL)307return -1;308309return state_machine(sc, 1);310}311312typedef void (*info_cb)(const SSL *, int, int);313314static info_cb get_callback(SSL_CONNECTION *s)315{316SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);317318if (s->info_callback != NULL)319return s->info_callback;320else if (sctx->info_callback != NULL)321return sctx->info_callback;322323return NULL;324}325326/*327* The main message flow state machine. We start in the MSG_FLOW_UNINITED or328* MSG_FLOW_FINISHED state and finish in MSG_FLOW_FINISHED. Valid states and329* transitions are as follows:330*331* MSG_FLOW_UNINITED MSG_FLOW_FINISHED332* | |333* +-----------------------+334* v335* MSG_FLOW_WRITING <---> MSG_FLOW_READING336* |337* V338* MSG_FLOW_FINISHED339* |340* V341* [SUCCESS]342*343* We may exit at any point due to an error or NBIO event. If an NBIO event344* occurs then we restart at the point we left off when we are recalled.345* MSG_FLOW_WRITING and MSG_FLOW_READING have sub-state machines associated with them.346*347* In addition to the above there is also the MSG_FLOW_ERROR state. We can move348* into that state at any point in the event that an irrecoverable error occurs.349*350* Valid return values are:351* 1: Success352* <=0: NBIO or error353*/354static int state_machine(SSL_CONNECTION *s, int server)355{356BUF_MEM *buf = NULL;357void (*cb)(const SSL *ssl, int type, int val) = NULL;358OSSL_STATEM *st = &s->statem;359int ret = -1;360int ssret;361SSL *ssl = SSL_CONNECTION_GET_SSL(s);362SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s);363364if (st->state == MSG_FLOW_ERROR) {365/* Shouldn't have been called if we're already in the error state */366return -1;367}368369ERR_clear_error();370clear_sys_error();371372cb = get_callback(s);373374st->in_handshake++;375if (!SSL_in_init(ssl) || SSL_in_before(ssl)) {376/*377* If we are stateless then we already called SSL_clear() - don't do378* it again and clear the STATELESS flag itself.379*/380if ((s->s3.flags & TLS1_FLAGS_STATELESS) == 0 && !SSL_clear(ssl))381return -1;382}383#ifndef OPENSSL_NO_SCTP384if (SSL_CONNECTION_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(ssl))) {385/*386* Notify SCTP BIO socket to enter handshake mode and prevent stream387* identifier other than 0.388*/389BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,390st->in_handshake, NULL);391}392#endif393394/* Initialise state machine */395if (st->state == MSG_FLOW_UNINITED396|| st->state == MSG_FLOW_FINISHED) {397if (st->state == MSG_FLOW_UNINITED) {398st->hand_state = TLS_ST_BEFORE;399st->request_state = TLS_ST_BEFORE;400}401402s->server = server;403if (cb != NULL) {404if (SSL_IS_FIRST_HANDSHAKE(s) || !SSL_CONNECTION_IS_TLS13(s))405cb(ussl, SSL_CB_HANDSHAKE_START, 1);406}407408/*409* Fatal errors in this block don't send an alert because we have410* failed to even initialise properly. Sending an alert is probably411* doomed to failure.412*/413414if (SSL_CONNECTION_IS_DTLS(s)) {415if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00) && (server || (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00))) {416SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR);417goto end;418}419} else {420if ((s->version >> 8) != SSL3_VERSION_MAJOR) {421SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR);422goto end;423}424}425426if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) {427SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR);428goto end;429}430431if (s->init_buf == NULL) {432if ((buf = BUF_MEM_new()) == NULL) {433SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR);434goto end;435}436if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {437SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR);438goto end;439}440s->init_buf = buf;441buf = NULL;442}443444s->init_num = 0;445446/*447* Should have been reset by tls_process_finished, too.448*/449s->s3.change_cipher_spec = 0;450451/*452* Ok, we now need to push on a buffering BIO ...but not with453* SCTP454*/455#ifndef OPENSSL_NO_SCTP456if (!SSL_CONNECTION_IS_DTLS(s) || !BIO_dgram_is_sctp(SSL_get_wbio(ssl)))457#endif458if (!ssl_init_wbio_buffer(s)) {459SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR);460goto end;461}462463if ((SSL_in_before(ssl))464|| s->renegotiate) {465if (!tls_setup_handshake(s)) {466/* SSLfatal() already called */467goto end;468}469470if (SSL_IS_FIRST_HANDSHAKE(s))471st->read_state_first_init = 1;472}473474st->state = MSG_FLOW_WRITING;475init_write_state_machine(s);476}477478while (st->state != MSG_FLOW_FINISHED) {479if (st->state == MSG_FLOW_READING) {480ssret = read_state_machine(s);481if (ssret == SUB_STATE_FINISHED) {482st->state = MSG_FLOW_WRITING;483init_write_state_machine(s);484} else {485/* NBIO or error */486goto end;487}488} else if (st->state == MSG_FLOW_WRITING) {489ssret = write_state_machine(s);490if (ssret == SUB_STATE_FINISHED) {491st->state = MSG_FLOW_READING;492init_read_state_machine(s);493} else if (ssret == SUB_STATE_END_HANDSHAKE) {494st->state = MSG_FLOW_FINISHED;495} else {496/* NBIO or error */497goto end;498}499} else {500/* Error */501check_fatal(s);502ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);503goto end;504}505}506507ret = 1;508509end:510st->in_handshake--;511512#ifndef OPENSSL_NO_SCTP513if (SSL_CONNECTION_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(ssl))) {514/*515* Notify SCTP BIO socket to leave handshake mode and allow stream516* identifier other than 0.517*/518BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,519st->in_handshake, NULL);520}521#endif522523BUF_MEM_free(buf);524if (cb != NULL) {525if (server)526cb(ussl, SSL_CB_ACCEPT_EXIT, ret);527else528cb(ussl, SSL_CB_CONNECT_EXIT, ret);529}530return ret;531}532533/*534* Initialise the MSG_FLOW_READING sub-state machine535*/536static void init_read_state_machine(SSL_CONNECTION *s)537{538OSSL_STATEM *st = &s->statem;539540st->read_state = READ_STATE_HEADER;541}542543static int grow_init_buf(SSL_CONNECTION *s, size_t size)544{545546size_t msg_offset = (char *)s->init_msg - s->init_buf->data;547548if (!BUF_MEM_grow_clean(s->init_buf, (int)size))549return 0;550551if (size < msg_offset)552return 0;553554s->init_msg = s->init_buf->data + msg_offset;555556return 1;557}558559/*560* This function implements the sub-state machine when the message flow is in561* MSG_FLOW_READING. The valid sub-states and transitions are:562*563* READ_STATE_HEADER <--+<-------------+564* | | |565* v | |566* READ_STATE_BODY -----+-->READ_STATE_POST_PROCESS567* | |568* +----------------------------+569* v570* [SUB_STATE_FINISHED]571*572* READ_STATE_HEADER has the responsibility for reading in the message header573* and transitioning the state of the handshake state machine.574*575* READ_STATE_BODY reads in the rest of the message and then subsequently576* processes it.577*578* READ_STATE_POST_PROCESS is an optional step that may occur if some post579* processing activity performed on the message may block.580*581* Any of the above states could result in an NBIO event occurring in which case582* control returns to the calling application. When this function is recalled we583* will resume in the same state where we left off.584*/585static SUB_STATE_RETURN read_state_machine(SSL_CONNECTION *s)586{587OSSL_STATEM *st = &s->statem;588int ret, mt;589size_t len = 0;590int (*transition)(SSL_CONNECTION *s, int mt);591PACKET pkt;592MSG_PROCESS_RETURN (*process_message)(SSL_CONNECTION *s, PACKET *pkt);593WORK_STATE (*post_process_message)(SSL_CONNECTION *s, WORK_STATE wst);594size_t (*max_message_size)(SSL_CONNECTION *s);595void (*cb)(const SSL *ssl, int type, int val) = NULL;596SSL *ssl = SSL_CONNECTION_GET_USER_SSL(s);597598cb = get_callback(s);599600if (s->server) {601transition = ossl_statem_server_read_transition;602process_message = ossl_statem_server_process_message;603max_message_size = ossl_statem_server_max_message_size;604post_process_message = ossl_statem_server_post_process_message;605} else {606transition = ossl_statem_client_read_transition;607process_message = ossl_statem_client_process_message;608max_message_size = ossl_statem_client_max_message_size;609post_process_message = ossl_statem_client_post_process_message;610}611612if (st->read_state_first_init) {613s->first_packet = 1;614st->read_state_first_init = 0;615}616617while (1) {618switch (st->read_state) {619case READ_STATE_HEADER:620/* Get the state the peer wants to move to */621if (SSL_CONNECTION_IS_DTLS(s)) {622/*623* In DTLS we get the whole message in one go - header and body624*/625ret = dtls_get_message(s, &mt);626} else {627ret = tls_get_message_header(s, &mt);628}629630if (ret == 0) {631/* Could be non-blocking IO */632return SUB_STATE_ERROR;633}634635if (cb != NULL) {636/* Notify callback of an impending state change */637if (s->server)638cb(ssl, SSL_CB_ACCEPT_LOOP, 1);639else640cb(ssl, SSL_CB_CONNECT_LOOP, 1);641}642/*643* Validate that we are allowed to move to the new state and move644* to that state if so645*/646if (!transition(s, mt))647return SUB_STATE_ERROR;648649if (s->s3.tmp.message_size > max_message_size(s)) {650SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,651SSL_R_EXCESSIVE_MESSAGE_SIZE);652return SUB_STATE_ERROR;653}654655/* dtls_get_message already did this */656if (!SSL_CONNECTION_IS_DTLS(s)657&& s->s3.tmp.message_size > 0658&& !grow_init_buf(s, s->s3.tmp.message_size + SSL3_HM_HEADER_LENGTH)) {659SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB);660return SUB_STATE_ERROR;661}662663st->read_state = READ_STATE_BODY;664/* Fall through */665666case READ_STATE_BODY:667if (SSL_CONNECTION_IS_DTLS(s)) {668/*669* Actually we already have the body, but we give DTLS the670* opportunity to do any further processing.671*/672ret = dtls_get_message_body(s, &len);673} else {674ret = tls_get_message_body(s, &len);675}676if (ret == 0) {677/* Could be non-blocking IO */678return SUB_STATE_ERROR;679}680681s->first_packet = 0;682if (!PACKET_buf_init(&pkt, s->init_msg, len)) {683SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);684return SUB_STATE_ERROR;685}686ret = process_message(s, &pkt);687688/* Discard the packet data */689s->init_num = 0;690691switch (ret) {692case MSG_PROCESS_ERROR:693check_fatal(s);694return SUB_STATE_ERROR;695696case MSG_PROCESS_FINISHED_READING:697if (SSL_CONNECTION_IS_DTLS(s)) {698dtls1_stop_timer(s);699}700return SUB_STATE_FINISHED;701702case MSG_PROCESS_CONTINUE_PROCESSING:703st->read_state = READ_STATE_POST_PROCESS;704st->read_state_work = WORK_MORE_A;705break;706707default:708st->read_state = READ_STATE_HEADER;709break;710}711break;712713case READ_STATE_POST_PROCESS:714st->read_state_work = post_process_message(s, st->read_state_work);715switch (st->read_state_work) {716case WORK_ERROR:717check_fatal(s);718/* Fall through */719case WORK_MORE_A:720case WORK_MORE_B:721case WORK_MORE_C:722return SUB_STATE_ERROR;723724case WORK_FINISHED_CONTINUE:725st->read_state = READ_STATE_HEADER;726break;727728case WORK_FINISHED_SWAP:729case WORK_FINISHED_STOP:730if (SSL_CONNECTION_IS_DTLS(s)) {731dtls1_stop_timer(s);732}733return SUB_STATE_FINISHED;734}735break;736737default:738/* Shouldn't happen */739SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);740return SUB_STATE_ERROR;741}742}743}744745/*746* Send a previously constructed message to the peer.747*/748static int statem_do_write(SSL_CONNECTION *s)749{750OSSL_STATEM *st = &s->statem;751752if (st->hand_state == TLS_ST_CW_CHANGE753|| st->hand_state == TLS_ST_SW_CHANGE) {754if (SSL_CONNECTION_IS_DTLS(s))755return dtls1_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);756else757return ssl3_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);758} else {759return ssl_do_write(s);760}761}762763/*764* Initialise the MSG_FLOW_WRITING sub-state machine765*/766static void init_write_state_machine(SSL_CONNECTION *s)767{768OSSL_STATEM *st = &s->statem;769770st->write_state = WRITE_STATE_TRANSITION;771}772773/*774* This function implements the sub-state machine when the message flow is in775* MSG_FLOW_WRITING. The valid sub-states and transitions are:776*777* +-> WRITE_STATE_TRANSITION ------> [SUB_STATE_FINISHED]778* | |779* | v780* | WRITE_STATE_PRE_WORK -----> [SUB_STATE_END_HANDSHAKE]781* | |782* | v783* | WRITE_STATE_SEND784* | |785* | v786* | WRITE_STATE_POST_WORK787* | |788* +-------------+789*790* WRITE_STATE_TRANSITION transitions the state of the handshake state machine791792* WRITE_STATE_PRE_WORK performs any work necessary to prepare the later793* sending of the message. This could result in an NBIO event occurring in794* which case control returns to the calling application. When this function795* is recalled we will resume in the same state where we left off.796*797* WRITE_STATE_SEND sends the message and performs any work to be done after798* sending.799*800* WRITE_STATE_POST_WORK performs any work necessary after the sending of the801* message has been completed. As for WRITE_STATE_PRE_WORK this could also802* result in an NBIO event.803*/804static SUB_STATE_RETURN write_state_machine(SSL_CONNECTION *s)805{806OSSL_STATEM *st = &s->statem;807int ret;808WRITE_TRAN (*transition)(SSL_CONNECTION *s);809WORK_STATE (*pre_work)(SSL_CONNECTION *s, WORK_STATE wst);810WORK_STATE (*post_work)(SSL_CONNECTION *s, WORK_STATE wst);811int (*get_construct_message_f)(SSL_CONNECTION *s,812CON_FUNC_RETURN (**confunc)(SSL_CONNECTION *s,813WPACKET *pkt),814int *mt);815void (*cb)(const SSL *ssl, int type, int val) = NULL;816CON_FUNC_RETURN (*confunc)(SSL_CONNECTION *s, WPACKET *pkt);817int mt;818WPACKET pkt;819SSL *ssl = SSL_CONNECTION_GET_USER_SSL(s);820821cb = get_callback(s);822823if (s->server) {824transition = ossl_statem_server_write_transition;825pre_work = ossl_statem_server_pre_work;826post_work = ossl_statem_server_post_work;827get_construct_message_f = ossl_statem_server_construct_message;828} else {829transition = ossl_statem_client_write_transition;830pre_work = ossl_statem_client_pre_work;831post_work = ossl_statem_client_post_work;832get_construct_message_f = ossl_statem_client_construct_message;833}834835while (1) {836switch (st->write_state) {837case WRITE_STATE_TRANSITION:838if (cb != NULL) {839/* Notify callback of an impending state change */840if (s->server)841cb(ssl, SSL_CB_ACCEPT_LOOP, 1);842else843cb(ssl, SSL_CB_CONNECT_LOOP, 1);844}845switch (transition(s)) {846case WRITE_TRAN_CONTINUE:847st->write_state = WRITE_STATE_PRE_WORK;848st->write_state_work = WORK_MORE_A;849break;850851case WRITE_TRAN_FINISHED:852return SUB_STATE_FINISHED;853854case WRITE_TRAN_ERROR:855check_fatal(s);856return SUB_STATE_ERROR;857}858break;859860case WRITE_STATE_PRE_WORK:861switch (st->write_state_work = pre_work(s, st->write_state_work)) {862case WORK_ERROR:863check_fatal(s);864/* Fall through */865case WORK_MORE_A:866case WORK_MORE_B:867case WORK_MORE_C:868return SUB_STATE_ERROR;869870case WORK_FINISHED_CONTINUE:871st->write_state = WRITE_STATE_SEND;872break;873874case WORK_FINISHED_SWAP:875return SUB_STATE_FINISHED;876877case WORK_FINISHED_STOP:878return SUB_STATE_END_HANDSHAKE;879}880if (!get_construct_message_f(s, &confunc, &mt)) {881/* SSLfatal() already called */882return SUB_STATE_ERROR;883}884if (mt == SSL3_MT_DUMMY) {885/* Skip construction and sending. This isn't a "real" state */886st->write_state = WRITE_STATE_POST_WORK;887st->write_state_work = WORK_MORE_A;888break;889}890if (!WPACKET_init(&pkt, s->init_buf)891|| !ssl_set_handshake_header(s, &pkt, mt)) {892WPACKET_cleanup(&pkt);893SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);894return SUB_STATE_ERROR;895}896if (confunc != NULL) {897CON_FUNC_RETURN tmpret;898899tmpret = confunc(s, &pkt);900if (tmpret == CON_FUNC_ERROR) {901WPACKET_cleanup(&pkt);902check_fatal(s);903return SUB_STATE_ERROR;904} else if (tmpret == CON_FUNC_DONT_SEND) {905/*906* The construction function decided not to construct the907* message after all and continue. Skip sending.908*/909WPACKET_cleanup(&pkt);910st->write_state = WRITE_STATE_POST_WORK;911st->write_state_work = WORK_MORE_A;912break;913} /* else success */914}915if (!ssl_close_construct_packet(s, &pkt, mt)916|| !WPACKET_finish(&pkt)) {917WPACKET_cleanup(&pkt);918SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);919return SUB_STATE_ERROR;920}921922/* Fall through */923924case WRITE_STATE_SEND:925if (SSL_CONNECTION_IS_DTLS(s) && st->use_timer) {926dtls1_start_timer(s);927}928ret = statem_do_write(s);929if (ret <= 0) {930return SUB_STATE_ERROR;931}932st->write_state = WRITE_STATE_POST_WORK;933st->write_state_work = WORK_MORE_A;934/* Fall through */935936case WRITE_STATE_POST_WORK:937switch (st->write_state_work = post_work(s, st->write_state_work)) {938case WORK_ERROR:939check_fatal(s);940/* Fall through */941case WORK_MORE_A:942case WORK_MORE_B:943case WORK_MORE_C:944return SUB_STATE_ERROR;945946case WORK_FINISHED_CONTINUE:947st->write_state = WRITE_STATE_TRANSITION;948break;949950case WORK_FINISHED_SWAP:951return SUB_STATE_FINISHED;952953case WORK_FINISHED_STOP:954return SUB_STATE_END_HANDSHAKE;955}956break;957958default:959SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);960return SUB_STATE_ERROR;961}962}963}964965/*966* Flush the write BIO967*/968int statem_flush(SSL_CONNECTION *s)969{970s->rwstate = SSL_WRITING;971if (BIO_flush(s->wbio) <= 0) {972return 0;973}974s->rwstate = SSL_NOTHING;975976return 1;977}978979/*980* Called by the record layer to determine whether application data is981* allowed to be received in the current handshake state or not.982*983* Return values are:984* 1: Yes (application data allowed)985* 0: No (application data not allowed)986*/987int ossl_statem_app_data_allowed(SSL_CONNECTION *s)988{989OSSL_STATEM *st = &s->statem;990991if (st->state == MSG_FLOW_UNINITED)992return 0;993994if (!s->s3.in_read_app_data || (s->s3.total_renegotiations == 0))995return 0;996997if (s->server) {998/*999* If we're a server and we haven't got as far as writing our1000* ServerHello yet then we allow app data1001*/1002if (st->hand_state == TLS_ST_BEFORE1003|| st->hand_state == TLS_ST_SR_CLNT_HELLO)1004return 1;1005} else {1006/*1007* If we're a client and we haven't read the ServerHello yet then we1008* allow app data1009*/1010if (st->hand_state == TLS_ST_CW_CLNT_HELLO)1011return 1;1012}10131014return 0;1015}10161017/*1018* This function returns 1 if TLS exporter is ready to export keying1019* material, or 0 if otherwise.1020*/1021int ossl_statem_export_allowed(SSL_CONNECTION *s)1022{1023return s->s3.previous_server_finished_len != 01024&& s->statem.hand_state != TLS_ST_SW_FINISHED;1025}10261027/*1028* Return 1 if early TLS exporter is ready to export keying material,1029* or 0 if otherwise.1030*/1031int ossl_statem_export_early_allowed(SSL_CONNECTION *s)1032{1033/*1034* The early exporter secret is only present on the server if we1035* have accepted early_data. It is present on the client as long1036* as we have sent early_data.1037*/1038return s->ext.early_data == SSL_EARLY_DATA_ACCEPTED1039|| (!s->server && s->ext.early_data != SSL_EARLY_DATA_NOT_SENT);1040}104110421043