3 * Written by Matt Caswell for the OpenSSL project.
5 /* ====================================================================
6 * Copyright (c) 1998-2015 The OpenSSL Project. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * openssl-core@openssl.org.
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
34 * 6. Redistributions of any form whatsoever must retain the following
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
59 #include <openssl/rand.h>
63 * This file implements the SSL/TLS/DTLS state machines.
65 * There are two primary state machines:
67 * 1) Message flow state machine
68 * 2) Handshake state machine
70 * The Message flow state machine controls the reading and sending of messages
71 * including handling of non-blocking IO events, flushing of the underlying
72 * write BIO, handling unexpected messages, etc. It is itself broken into two
73 * separate sub-state machines which control reading and writing respectively.
75 * The Handshake state machine keeps track of the current SSL/TLS handshake
76 * state. Transitions of the handshake state are the result of events that
77 * occur within the Message flow state machine.
79 * Overall it looks like this:
81 * --------------------------------------------- -------------------
83 * | Message flow state machine | | |
85 * | -------------------- -------------------- | Transition | Handshake state |
86 * | | MSG_FLOW_READING | | MSG_FLOW_WRITING | | Event | machine |
87 * | | sub-state | | sub-state | |----------->| |
88 * | | machine for | | machine for | | | |
89 * | | reading messages | | writing messages | | | |
90 * | -------------------- -------------------- | | |
92 * --------------------------------------------- -------------------
96 /* Sub state machine return values */
97 enum SUB_STATE_RETURN {
98 /* Something bad happened or NBIO */
100 /* Sub state finished go to the next sub state */
102 /* Sub state finished and handshake was completed */
103 SUB_STATE_END_HANDSHAKE
106 static int state_machine(SSL *s, int server);
107 static void init_read_state_machine(SSL *s);
108 static enum SUB_STATE_RETURN read_state_machine(SSL *s);
109 static void init_write_state_machine(SSL *s);
110 static enum SUB_STATE_RETURN write_state_machine(SSL *s);
111 static inline int cert_req_allowed(SSL *s);
112 static inline int key_exchange_skip_allowed(SSL *s);
113 static int client_read_transition(SSL *s, int mt);
114 static enum WRITE_TRAN client_write_transition(SSL *s);
115 static enum WORK_STATE client_pre_work(SSL *s, enum WORK_STATE wst);
116 static enum WORK_STATE client_post_work(SSL *s, enum WORK_STATE wst);
117 static int client_construct_message(SSL *s);
118 static unsigned long client_max_message_size(SSL *s);
119 static enum MSG_PROCESS_RETURN client_process_message(SSL *s,
121 static enum WORK_STATE client_post_process_message(SSL *s, enum WORK_STATE wst);
124 * Clear the state machine state and reset back to MSG_FLOW_UNINITED
126 void statem_clear(SSL *s)
128 s->statem.state = MSG_FLOW_UNINITED;
132 * Set the state machine up ready for a renegotiation handshake
134 void statem_set_renegotiate(SSL *s)
136 s->statem.state = MSG_FLOW_RENEGOTIATE;
140 * Put the state machine into an error state. This is a permanent error for
141 * the current connection.
143 void statem_set_error(SSL *s)
145 s->statem.state = MSG_FLOW_ERROR;
146 /* TODO: This is temporary - remove me */
147 s->state = SSL_ST_ERR;
150 int ssl3_connect(SSL *s) {
151 return state_machine(s, 0);
155 * The main message flow state machine. We start in the MSG_FLOW_UNINITED or
156 * MSG_FLOW_RENEGOTIATE state and finish in MSG_FLOW_FINISHED. Valid states and
157 * transitions are as follows:
159 * MSG_FLOW_UNINITED MSG_FLOW_RENEGOTIATE
161 * +-----------------------+
163 * MSG_FLOW_WRITING <---> MSG_FLOW_READING
171 * We may exit at any point due to an error or NBIO event. If an NBIO event
172 * occurs then we restart at the point we left off when we are recalled.
173 * MSG_FLOW_WRITING and MSG_FLOW_READING have sub-state machines associated with them.
175 * In addition to the above there is also the MSG_FLOW_ERROR state. We can move
176 * into that state at any point in the event that an irrecoverable error occurs.
178 * Valid return values are:
182 static int state_machine(SSL *s, int server) {
184 unsigned long Time = (unsigned long)time(NULL);
185 void (*cb) (const SSL *ssl, int type, int val) = NULL;
186 STATEM *st = &s->statem;
190 if (st->state == MSG_FLOW_ERROR) {
191 /* Shouldn't have been called if we're already in the error state */
195 RAND_add(&Time, sizeof(Time), 0);
199 if (s->info_callback != NULL)
200 cb = s->info_callback;
201 else if (s->ctx->info_callback != NULL)
202 cb = s->ctx->info_callback;
205 if (!SSL_in_init(s) || SSL_in_before(s)) {
210 #ifndef OPENSSL_NO_HEARTBEATS
212 * If we're awaiting a HeartbeatResponse, pretend we already got and
213 * don't await it anymore, because Heartbeats don't make sense during
216 if (s->tlsext_hb_pending) {
219 s->tlsext_hb_pending = 0;
224 /* Initialise state machine */
226 if (st->state == MSG_FLOW_RENEGOTIATE) {
229 s->ctx->stats.sess_connect_renegotiate++;
232 if (st->state == MSG_FLOW_UNINITED || st->state == MSG_FLOW_RENEGOTIATE) {
233 /* TODO: Temporary - fix this */
235 s->state = SSL_ST_ACCEPT;
237 s->state = SSL_ST_CONNECT;
239 if (st->state == MSG_FLOW_UNINITED) {
240 st->hand_state = TLS_ST_BEFORE;
245 cb(s, SSL_CB_HANDSHAKE_START, 1);
247 if (SSL_IS_DTLS(s)) {
248 if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00) &&
250 || (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00))) {
251 SSLerr(SSL_F_STATE_MACHINE, ERR_R_INTERNAL_ERROR);
255 if ((s->version >> 8) != SSL3_VERSION_MAJOR
256 && s->version != TLS_ANY_VERSION) {
257 SSLerr(SSL_F_STATE_MACHINE, ERR_R_INTERNAL_ERROR);
262 if (s->version != TLS_ANY_VERSION &&
263 !ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) {
264 SSLerr(SSL_F_STATE_MACHINE, SSL_R_VERSION_TOO_LOW);
269 s->type = SSL_ST_ACCEPT;
271 s->type = SSL_ST_CONNECT;
273 if (s->init_buf == NULL) {
274 if ((buf = BUF_MEM_new()) == NULL) {
277 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
284 if (!ssl3_setup_buffers(s)) {
290 * Should have been reset by tls_process_finished, too.
292 s->s3->change_cipher_spec = 0;
294 if (!server || st->state != MSG_FLOW_RENEGOTIATE) {
296 * Ok, we now need to push on a buffering BIO ...but not with
299 #ifndef OPENSSL_NO_SCTP
300 if (!SSL_IS_DTLS(s) || !BIO_dgram_is_sctp(SSL_get_wbio(s)))
302 if (!ssl_init_wbio_buffer(s, server ? 1 : 0)) {
306 ssl3_init_finished_mac(s);
310 if (st->state != MSG_FLOW_RENEGOTIATE) {
311 s->ctx->stats.sess_accept++;
312 } else if (!s->s3->send_connection_binding &&
314 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
316 * Server attempting to renegotiate with client that doesn't
317 * support secure renegotiation.
319 SSLerr(SSL_F_STATE_MACHINE,
320 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
321 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
326 * s->state == SSL_ST_RENEGOTIATE, we will just send a
329 s->ctx->stats.sess_accept_renegotiate++;
332 s->ctx->stats.sess_connect++;
334 /* mark client_random uninitialized */
335 memset(s->s3->client_random, 0, sizeof(s->s3->client_random));
338 s->s3->tmp.cert_request = 0;
340 if (SSL_IS_DTLS(s)) {
345 st->state = MSG_FLOW_WRITING;
346 init_write_state_machine(s);
347 st->read_state_first_init = 1;
350 while(st->state != MSG_FLOW_FINISHED) {
351 if(st->state == MSG_FLOW_READING) {
352 ssret = read_state_machine(s);
353 if (ssret == SUB_STATE_FINISHED) {
354 st->state = MSG_FLOW_WRITING;
355 init_write_state_machine(s);
360 } else if (st->state == MSG_FLOW_WRITING) {
361 ssret = write_state_machine(s);
362 if (ssret == SUB_STATE_FINISHED) {
363 st->state = MSG_FLOW_READING;
364 init_read_state_machine(s);
365 } else if (ssret == SUB_STATE_END_HANDSHAKE) {
366 st->state = MSG_FLOW_FINISHED;
378 st->state = MSG_FLOW_UNINITED;
386 cb(s, SSL_CB_ACCEPT_EXIT, ret);
388 cb(s, SSL_CB_CONNECT_EXIT, ret);
394 * Initialise the MSG_FLOW_READING sub-state machine
396 static void init_read_state_machine(SSL *s)
398 STATEM *st = &s->statem;
400 st->read_state = READ_STATE_HEADER;
404 * This function implements the sub-state machine when the message flow is in
405 * MSG_FLOW_READING. The valid sub-states and transitions are:
407 * READ_STATE_HEADER <--+<-------------+
410 * READ_STATE_BODY -----+-->READ_STATE_POST_PROCESS
412 * +----------------------------+
414 * [SUB_STATE_FINISHED]
416 * READ_STATE_HEADER has the responsibility for reading in the message header
417 * and transitioning the state of the handshake state machine.
419 * READ_STATE_BODY reads in the rest of the message and then subsequently
422 * READ_STATE_POST_PROCESS is an optional step that may occur if some post
423 * processing activity performed on the message may block.
425 * Any of the above states could result in an NBIO event occuring in which case
426 * control returns to the calling application. When this function is recalled we
427 * will resume in the same state where we left off.
429 static enum SUB_STATE_RETURN read_state_machine(SSL *s) {
430 STATEM *st = &s->statem;
433 int (*transition)(SSL *s, int mt);
434 enum MSG_PROCESS_RETURN (*process_message)(SSL *s, unsigned long n);
435 enum WORK_STATE (*post_process_message)(SSL *s, enum WORK_STATE wst);
436 unsigned long (*max_message_size)(SSL *s);
437 void (*cb) (const SSL *ssl, int type, int val) = NULL;
439 if (s->info_callback != NULL)
440 cb = s->info_callback;
441 else if (s->ctx->info_callback != NULL)
442 cb = s->ctx->info_callback;
445 /* TODO: Fill these in later when we've implemented them */
447 process_message = NULL;
448 post_process_message = NULL;
449 max_message_size = NULL;
451 transition = client_read_transition;
452 process_message = client_process_message;
453 max_message_size = client_max_message_size;
454 post_process_message = client_post_process_message;
457 if (st->read_state_first_init) {
459 st->read_state_first_init = 0;
463 switch(st->read_state) {
464 case READ_STATE_HEADER:
466 /* Get the state the peer wants to move to */
467 ret = tls_get_message_header(s, &mt);
470 /* Could be non-blocking IO */
471 return SUB_STATE_ERROR;
475 /* Notify callback of an impending state change */
477 cb(s, SSL_CB_ACCEPT_LOOP, 1);
479 cb(s, SSL_CB_CONNECT_LOOP, 1);
482 * Validate that we are allowed to move to the new state and move
483 * to that state if so
485 if(!transition(s, mt)) {
486 ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE);
487 SSLerr(SSL_F_READ_STATE_MACHINE, SSL_R_UNEXPECTED_MESSAGE);
488 return SUB_STATE_ERROR;
491 if (s->s3->tmp.message_size > max_message_size(s)) {
492 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
493 SSLerr(SSL_F_READ_STATE_MACHINE, SSL_R_EXCESSIVE_MESSAGE_SIZE);
494 return SUB_STATE_ERROR;
497 st->read_state = READ_STATE_BODY;
500 case READ_STATE_BODY:
501 if (!SSL_IS_DTLS(s)) {
502 /* We already got this above for DTLS */
503 ret = tls_get_message_body(s, &len);
505 /* Could be non-blocking IO */
506 return SUB_STATE_ERROR;
511 ret = process_message(s, len);
512 if (ret == MSG_PROCESS_ERROR) {
513 return SUB_STATE_ERROR;
516 if (ret == MSG_PROCESS_FINISHED_READING) {
517 if (SSL_IS_DTLS(s)) {
520 return SUB_STATE_FINISHED;
523 if (ret == MSG_PROCESS_CONTINUE_PROCESSING) {
524 st->read_state = READ_STATE_POST_PROCESS;
525 st->read_state_work = WORK_MORE_A;
527 st->read_state = READ_STATE_HEADER;
531 case READ_STATE_POST_PROCESS:
532 st->read_state_work = post_process_message(s, st->read_state_work);
533 switch(st->read_state_work) {
535 return SUB_STATE_ERROR;
537 case WORK_FINISHED_CONTINUE:
538 st->read_state = READ_STATE_HEADER;
541 case WORK_FINISHED_STOP:
542 if (SSL_IS_DTLS(s)) {
545 return SUB_STATE_FINISHED;
550 /* Shouldn't happen */
551 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
552 SSLerr(SSL_F_READ_STATE_MACHINE, ERR_R_INTERNAL_ERROR);
554 return SUB_STATE_ERROR;
560 * Send a previously constructed message to the peer.
562 static int statem_do_write(SSL *s)
564 STATEM *st = &s->statem;
566 if (st->hand_state == TLS_ST_CW_CHANGE
567 || st->hand_state == TLS_ST_SW_CHANGE) {
569 return dtls1_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);
571 return ssl3_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);
573 return ssl_do_write(s);
578 * Initialise the MSG_FLOW_WRITING sub-state machine
580 static void init_write_state_machine(SSL *s)
582 STATEM *st = &s->statem;
584 st->write_state = WRITE_STATE_TRANSITION;
588 * This function implements the sub-state machine when the message flow is in
589 * MSG_FLOW_WRITING. The valid sub-states and transitions are:
591 * +-> WRITE_STATE_TRANSITION ------> [SUB_STATE_FINISHED]
594 * | WRITE_STATE_PRE_WORK -----> [SUB_STATE_END_HANDSHAKE]
600 * | WRITE_STATE_POST_WORK
604 * WRITE_STATE_TRANSITION transitions the state of the handshake state machine
606 * WRITE_STATE_PRE_WORK performs any work necessary to prepare the later
607 * sending of the message. This could result in an NBIO event occuring in
608 * which case control returns to the calling application. When this function
609 * is recalled we will resume in the same state where we left off.
611 * WRITE_STATE_SEND sends the message and performs any work to be done after
614 * WRITE_STATE_POST_WORK performs any work necessary after the sending of the
615 * message has been completed. As for WRITE_STATE_PRE_WORK this could also
616 * result in an NBIO event.
618 static enum SUB_STATE_RETURN write_state_machine(SSL *s)
620 STATEM *st = &s->statem;
622 enum WRITE_TRAN (*transition)(SSL *s);
623 enum WORK_STATE (*pre_work)(SSL *s, enum WORK_STATE wst);
624 enum WORK_STATE (*post_work)(SSL *s, enum WORK_STATE wst);
625 int (*construct_message)(SSL *s);
626 void (*cb) (const SSL *ssl, int type, int val) = NULL;
628 if (s->info_callback != NULL)
629 cb = s->info_callback;
630 else if (s->ctx->info_callback != NULL)
631 cb = s->ctx->info_callback;
634 /* TODO: Fill these in later when we've implemented them */
638 construct_message = NULL;
640 transition = client_write_transition;
641 pre_work = client_pre_work;
642 post_work = client_post_work;
643 construct_message = client_construct_message;
647 switch(st->write_state) {
648 case WRITE_STATE_TRANSITION:
650 /* Notify callback of an impending state change */
652 cb(s, SSL_CB_ACCEPT_LOOP, 1);
654 cb(s, SSL_CB_CONNECT_LOOP, 1);
656 switch(transition(s)) {
657 case WRITE_TRAN_CONTINUE:
658 st->write_state = WRITE_STATE_PRE_WORK;
659 st->write_state_work = WORK_MORE_A;
662 case WRITE_TRAN_FINISHED:
663 return SUB_STATE_FINISHED;
667 return SUB_STATE_ERROR;
671 case WRITE_STATE_PRE_WORK:
672 switch(st->write_state_work = pre_work(s, st->write_state_work)) {
674 return SUB_STATE_ERROR;
676 case WORK_FINISHED_CONTINUE:
677 st->write_state = WRITE_STATE_SEND;
680 case WORK_FINISHED_STOP:
681 return SUB_STATE_END_HANDSHAKE;
683 if(construct_message(s) == 0)
684 return SUB_STATE_ERROR;
688 case WRITE_STATE_SEND:
689 if (SSL_IS_DTLS(s) && st->use_timer) {
690 dtls1_start_timer(s);
692 ret = statem_do_write(s);
694 return SUB_STATE_ERROR;
696 st->write_state = WRITE_STATE_POST_WORK;
697 st->write_state_work = WORK_MORE_A;
700 case WRITE_STATE_POST_WORK:
701 switch(st->write_state_work = post_work(s, st->write_state_work)) {
703 return SUB_STATE_ERROR;
705 case WORK_FINISHED_CONTINUE:
706 st->write_state = WRITE_STATE_TRANSITION;
709 case WORK_FINISHED_STOP:
710 return SUB_STATE_END_HANDSHAKE;
715 return SUB_STATE_ERROR;
721 * Flush the write BIO
723 static int statem_flush(SSL *s)
725 s->rwstate = SSL_WRITING;
726 if (BIO_flush(s->wbio) <= 0) {
729 s->rwstate = SSL_NOTHING;
735 * Called by the record layer to determine whether application data is
736 * allowed to be sent in the current handshake state or not.
739 * 1: Yes (application data allowed)
740 * 0: No (application data not allowed)
742 int statem_app_data_allowed(SSL *s)
744 STATEM *st = &s->statem;
746 if (!s->s3->in_read_app_data || (s->s3->total_renegotiations == 0))
750 if (st->state == MSG_FLOW_UNINITED || st->state == MSG_FLOW_RENEGOTIATE)
753 if(st->hand_state == TLS_ST_CW_CLNT_HELLO)
760 * This is the old check for code still using the old state machine. This
761 * will be removed by later commits
763 if (((s->state & SSL_ST_CONNECT) && SSL_IS_DTLS(s) &&
764 (s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
765 (s->state <= SSL3_ST_CR_SRVR_HELLO_A)) ||
766 ((s->state & SSL_ST_ACCEPT) &&
767 (s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
768 (s->state >= SSL3_ST_SR_CLNT_HELLO_A))
776 #ifndef OPENSSL_NO_SCTP
778 * Set flag used by SCTP to determine whether we are in the read sock state
780 void statem_set_sctp_read_sock(SSL *s, int read_sock)
782 s->statem.in_sctp_read_sock = read_sock;
786 * Called by the record layer to determine whether we are in the read sock
790 * 1: Yes (we are in the read sock state)
791 * 0: No (we are not in the read sock state)
793 int statem_in_sctp_read_sock(SSL *s)
795 return s->statem.in_sctp_read_sock;
800 * Is a CertificateRequest message allowed at the moment or not?
806 static inline int cert_req_allowed(SSL *s)
808 /* TLS does not like anon-DH with client cert */
809 if (s->version > SSL3_VERSION
810 && (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL))
817 * Are we allowed to skip the ServerKeyExchange message?
823 static inline int key_exchange_skip_allowed(SSL *s)
825 long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
828 * Can't skip server key exchange if this is an ephemeral
831 if (alg_k & (SSL_kDHE | SSL_kECDHE)) {
839 * client_read_transition() encapsulates the logic for the allowed handshake
840 * state transitions when the client is reading messages from the server. The
841 * message type that the server has sent is provided in |mt|. The current state
842 * is in |s->statem.hand_state|.
845 * 1: Success (transition allowed)
846 * 0: Error (transition not allowed)
848 static int client_read_transition(SSL *s, int mt)
850 STATEM *st = &s->statem;
852 switch(st->hand_state) {
853 case TLS_ST_CW_CLNT_HELLO:
854 if (mt == SSL3_MT_SERVER_HELLO) {
855 st->hand_state = TLS_ST_CR_SRVR_HELLO;
859 if (SSL_IS_DTLS(s)) {
860 if (mt == DTLS1_MT_HELLO_VERIFY_REQUEST) {
861 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
867 case TLS_ST_CR_SRVR_HELLO:
869 if (s->tlsext_ticket_expected) {
870 if (mt == SSL3_MT_NEWSESSION_TICKET) {
871 st->hand_state = TLS_ST_CR_SESSION_TICKET;
874 } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
875 st->hand_state = TLS_ST_CR_CHANGE;
879 if (!(s->s3->tmp.new_cipher->algorithm_auth
880 & (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
881 if (mt == SSL3_MT_CERTIFICATE) {
882 st->hand_state = TLS_ST_CR_CERT;
886 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
887 st->hand_state = TLS_ST_CR_KEY_EXCH;
889 } else if (key_exchange_skip_allowed(s)) {
890 if (mt == SSL3_MT_CERTIFICATE_REQUEST
891 && cert_req_allowed(s)) {
892 st->hand_state = TLS_ST_CR_CERT_REQ;
894 } else if (mt == SSL3_MT_SERVER_DONE) {
895 st->hand_state = TLS_ST_CR_SRVR_DONE;
904 if (s->tlsext_status_expected) {
905 if (mt == SSL3_MT_CERTIFICATE_STATUS) {
906 st->hand_state = TLS_ST_CR_CERT_STATUS;
910 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
911 st->hand_state = TLS_ST_CR_KEY_EXCH;
913 } else if (key_exchange_skip_allowed(s)) {
914 if (mt == SSL3_MT_CERTIFICATE_REQUEST && cert_req_allowed(s)) {
915 st->hand_state = TLS_ST_CR_CERT_REQ;
917 } else if (mt == SSL3_MT_SERVER_DONE) {
918 st->hand_state = TLS_ST_CR_SRVR_DONE;
925 case TLS_ST_CR_CERT_STATUS:
926 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
927 st->hand_state = TLS_ST_CR_KEY_EXCH;
929 } else if (key_exchange_skip_allowed(s)) {
930 if (mt == SSL3_MT_CERTIFICATE_REQUEST && cert_req_allowed(s)) {
931 st->hand_state = TLS_ST_CR_CERT_REQ;
933 } else if (mt == SSL3_MT_SERVER_DONE) {
934 st->hand_state = TLS_ST_CR_SRVR_DONE;
940 case TLS_ST_CR_KEY_EXCH:
941 if (mt == SSL3_MT_CERTIFICATE_REQUEST && cert_req_allowed(s)) {
942 st->hand_state = TLS_ST_CR_CERT_REQ;
944 } else if (mt == SSL3_MT_SERVER_DONE) {
945 st->hand_state = TLS_ST_CR_SRVR_DONE;
950 case TLS_ST_CR_CERT_REQ:
951 if (mt == SSL3_MT_SERVER_DONE) {
952 st->hand_state = TLS_ST_CR_SRVR_DONE;
957 case TLS_ST_CW_FINISHED:
958 if (mt == SSL3_MT_NEWSESSION_TICKET && s->tlsext_ticket_expected) {
959 st->hand_state = TLS_ST_CR_SESSION_TICKET;
961 } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
962 st->hand_state = TLS_ST_CR_CHANGE;
967 case TLS_ST_CR_SESSION_TICKET:
968 if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
969 st->hand_state = TLS_ST_CR_CHANGE;
974 case TLS_ST_CR_CHANGE:
975 if (mt == SSL3_MT_FINISHED) {
976 st->hand_state = TLS_ST_CR_FINISHED;
985 /* No valid transition found */
990 * client_write_transition() works out what handshake state to move to next
991 * when the client is writing messages to be sent to the server.
993 static enum WRITE_TRAN client_write_transition(SSL *s)
995 STATEM *st = &s->statem;
997 switch(st->hand_state) {
999 /* Renegotiation - fall through */
1001 st->hand_state = TLS_ST_CW_CLNT_HELLO;
1002 return WRITE_TRAN_CONTINUE;
1004 case TLS_ST_CW_CLNT_HELLO:
1006 * No transition at the end of writing because we don't know what
1009 return WRITE_TRAN_FINISHED;
1011 case TLS_ST_CR_SRVR_DONE:
1012 if (s->s3->tmp.cert_req)
1013 st->hand_state = TLS_ST_CW_CERT;
1015 st->hand_state = TLS_ST_CW_KEY_EXCH;
1016 return WRITE_TRAN_CONTINUE;
1018 case TLS_ST_CW_CERT:
1019 st->hand_state = TLS_ST_CW_KEY_EXCH;
1020 return WRITE_TRAN_CONTINUE;
1022 case TLS_ST_CW_KEY_EXCH:
1024 * For TLS, cert_req is set to 2, so a cert chain of nothing is
1025 * sent, but no verify packet is sent
1028 * XXX: For now, we do not support client authentication in ECDH
1029 * cipher suites with ECDH (rather than ECDSA) certificates. We
1030 * need to skip the certificate verify message when client's
1031 * ECDH public key is sent inside the client certificate.
1033 if (s->s3->tmp.cert_req == 1) {
1034 st->hand_state = TLS_ST_CW_CERT_VRFY;
1036 st->hand_state = TLS_ST_CW_CHANGE;
1038 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
1039 st->hand_state = TLS_ST_CW_CHANGE;
1041 return WRITE_TRAN_CONTINUE;
1043 case TLS_ST_CW_CERT_VRFY:
1044 st->hand_state = TLS_ST_CW_CHANGE;
1045 return WRITE_TRAN_CONTINUE;
1047 case TLS_ST_CW_CHANGE:
1048 #if defined(OPENSSL_NO_NEXTPROTONEG)
1049 st->hand_state = TLS_ST_CW_FINISHED;
1051 if (s->s3->next_proto_neg_seen)
1052 st->hand_state = TLS_ST_CW_NEXT_PROTO;
1054 st->hand_state = TLS_ST_CW_FINISHED;
1056 return WRITE_TRAN_CONTINUE;
1058 #if !defined(OPENSSL_NO_NEXTPROTONEG)
1059 case TLS_ST_CW_NEXT_PROTO:
1060 st->hand_state = TLS_ST_CW_FINISHED;
1061 return WRITE_TRAN_CONTINUE;
1064 case TLS_ST_CW_FINISHED:
1066 st->hand_state = TLS_ST_OK;
1067 /* TODO: This needs removing */
1068 s->state = SSL_ST_OK;
1069 return WRITE_TRAN_CONTINUE;
1071 return WRITE_TRAN_FINISHED;
1074 case TLS_ST_CR_FINISHED:
1076 st->hand_state = TLS_ST_CW_CHANGE;
1077 return WRITE_TRAN_CONTINUE;
1079 st->hand_state = TLS_ST_OK;
1080 /* TODO: This needs removing */
1081 s->state = SSL_ST_OK;
1082 return WRITE_TRAN_CONTINUE;
1086 /* Shouldn't happen */
1087 return WRITE_TRAN_ERROR;
1092 * Perform any pre work that needs to be done prior to sending a message from
1093 * the client to the server.
1095 static enum WORK_STATE client_pre_work(SSL *s, enum WORK_STATE wst)
1097 STATEM *st = &s->statem;
1099 switch(st->hand_state) {
1100 case TLS_ST_CW_CLNT_HELLO:
1104 case TLS_ST_CW_CERT:
1105 return tls_prepare_client_certificate(s, wst);
1108 return tls_finish_handshake(s, wst);
1111 /* No pre work to be done */
1115 return WORK_FINISHED_CONTINUE;
1119 * Perform any work that needs to be done after sending a message from the
1120 * client to the server.
1122 static enum WORK_STATE client_post_work(SSL *s, enum WORK_STATE wst)
1124 STATEM *st = &s->statem;
1128 switch(st->hand_state) {
1129 case TLS_ST_CW_CLNT_HELLO:
1130 /* turn on buffering for the next lot of output */
1131 if (s->bbio != s->wbio)
1132 s->wbio = BIO_push(s->bbio, s->wbio);
1135 case TLS_ST_CW_KEY_EXCH:
1136 if (tls_client_key_exchange_post_work(s) == 0)
1140 case TLS_ST_CW_CHANGE:
1141 s->session->cipher = s->s3->tmp.new_cipher;
1142 #ifdef OPENSSL_NO_COMP
1143 s->session->compress_meth = 0;
1145 if (s->s3->tmp.new_compression == NULL)
1146 s->session->compress_meth = 0;
1148 s->session->compress_meth = s->s3->tmp.new_compression->id;
1150 if (!s->method->ssl3_enc->setup_key_block(s))
1153 if (!s->method->ssl3_enc->change_cipher_state(s,
1154 SSL3_CHANGE_CIPHER_CLIENT_WRITE))
1157 if (SSL_IS_DTLS(s)) {
1158 #ifndef OPENSSL_NO_SCTP
1161 * Change to new shared key of SCTP-Auth, will be ignored if
1164 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
1169 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
1173 case TLS_ST_CW_FINISHED:
1174 #ifndef OPENSSL_NO_SCTP
1175 if (SSL_IS_DTLS(s) && s->hit == 0) {
1177 * Change to new shared key of SCTP-Auth, will be ignored if
1180 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
1184 if (statem_flush(s) != 1)
1187 if (s->hit && tls_finish_handshake(s, WORK_MORE_A) != 1)
1192 /* No post work to be done */
1196 return WORK_FINISHED_CONTINUE;
1200 * Construct a message to be sent from the client to the server.
1202 * Valid return values are:
1206 static int client_construct_message(SSL *s)
1208 STATEM *st = &s->statem;
1210 switch(st->hand_state) {
1211 case TLS_ST_CW_CLNT_HELLO:
1212 return tls_construct_client_hello(s);
1214 case TLS_ST_CW_CERT:
1215 return tls_construct_client_certificate(s);
1217 case TLS_ST_CW_KEY_EXCH:
1218 return tls_construct_client_key_exchange(s);
1220 case TLS_ST_CW_CERT_VRFY:
1221 return tls_construct_client_verify(s);
1223 case TLS_ST_CW_CHANGE:
1224 return tls_construct_change_cipher_spec(s);
1226 #if !defined(OPENSSL_NO_NEXTPROTONEG)
1227 case TLS_ST_CW_NEXT_PROTO:
1228 return tls_construct_next_proto(s);
1230 case TLS_ST_CW_FINISHED:
1231 return tls_construct_finished(s,
1233 ssl3_enc->client_finished_label,
1235 ssl3_enc->client_finished_label_len);
1238 /* Shouldn't happen */
1245 /* The spec allows for a longer length than this, but we limit it */
1246 #define SERVER_HELLO_MAX_LENGTH 20000
1247 #define SERVER_KEY_EXCH_MAX_LENGTH 102400
1248 #define SERVER_HELLO_DONE_MAX_LENGTH 0
1249 #define CCS_MAX_LENGTH 1
1250 /* Max should actually be 36 but we are generous */
1251 #define FINISHED_MAX_LENGTH 64
1254 * Returns the maximum allowed length for the current message that we are
1255 * reading. Excludes the message header.
1257 static unsigned long client_max_message_size(SSL *s)
1259 STATEM *st = &s->statem;
1261 switch(st->hand_state) {
1262 case TLS_ST_CR_SRVR_HELLO:
1263 return SERVER_HELLO_MAX_LENGTH;
1265 case TLS_ST_CR_CERT:
1266 return s->max_cert_list;
1268 case TLS_ST_CR_CERT_STATUS:
1269 return SSL3_RT_MAX_PLAIN_LENGTH;
1271 case TLS_ST_CR_KEY_EXCH:
1272 return SERVER_KEY_EXCH_MAX_LENGTH;
1274 case TLS_ST_CR_CERT_REQ:
1275 return SSL3_RT_MAX_PLAIN_LENGTH;
1277 case TLS_ST_CR_SRVR_DONE:
1278 return SERVER_HELLO_DONE_MAX_LENGTH;
1280 case TLS_ST_CR_CHANGE:
1281 return CCS_MAX_LENGTH;
1283 case TLS_ST_CR_SESSION_TICKET:
1284 return SSL3_RT_MAX_PLAIN_LENGTH;
1286 case TLS_ST_CR_FINISHED:
1287 return FINISHED_MAX_LENGTH;
1290 /* Shouldn't happen */
1298 * Process a message that the client has been received from the server.
1300 static enum MSG_PROCESS_RETURN client_process_message(SSL *s, unsigned long len)
1302 STATEM *st = &s->statem;
1304 switch(st->hand_state) {
1305 case TLS_ST_CR_SRVR_HELLO:
1306 return tls_process_server_hello(s, len);
1308 case TLS_ST_CR_CERT:
1309 return tls_process_server_certificate(s, len);
1311 case TLS_ST_CR_CERT_STATUS:
1312 return tls_process_cert_status(s, len);
1314 case TLS_ST_CR_KEY_EXCH:
1315 return tls_process_key_exchange(s, len);
1317 case TLS_ST_CR_CERT_REQ:
1318 return tls_process_certificate_request(s, len);
1320 case TLS_ST_CR_SRVR_DONE:
1321 return tls_process_server_done(s, len);
1323 case TLS_ST_CR_CHANGE:
1324 return tls_process_change_cipher_spec(s, len);
1326 case TLS_ST_CR_SESSION_TICKET:
1327 return tls_process_new_session_ticket(s, len);
1329 case TLS_ST_CR_FINISHED:
1330 return tls_process_finished(s, len);
1333 /* Shouldn't happen */
1337 return MSG_PROCESS_ERROR;
1341 * Perform any further processing required following the receipt of a message
1344 static enum WORK_STATE client_post_process_message(SSL *s, enum WORK_STATE wst)
1346 STATEM *st = &s->statem;
1348 switch(st->hand_state) {
1349 #ifndef OPENSSL_NO_SCTP
1350 case TLS_ST_CR_SRVR_DONE:
1351 /* We only get here if we are using SCTP and we are renegotiating */
1352 if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
1353 s->s3->in_read_app_data = 2;
1354 s->rwstate = SSL_READING;
1355 BIO_clear_retry_flags(SSL_get_rbio(s));
1356 BIO_set_retry_read(SSL_get_rbio(s));
1357 statem_set_sctp_read_sock(s, 1);
1360 statem_set_sctp_read_sock(s, 0);
1361 return WORK_FINISHED_STOP;
1364 case TLS_ST_CR_FINISHED:
1366 return tls_finish_handshake(s, wst);
1368 return WORK_FINISHED_STOP;
1373 /* Shouldn't happen */