3 * Written by Matt Caswell for the OpenSSL project.
5 /* ====================================================================
6 * Copyright (c) 1998-2015 The OpenSSL Project. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * openssl-core@openssl.org.
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
34 * 6. Redistributions of any form whatsoever must retain the following
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
59 #include <openssl/rand.h>
63 * This file implements the SSL/TLS/DTLS state machines.
65 * There are two primary state machines:
67 * 1) Message flow state machine
68 * 2) Handshake state machine
70 * The Message flow state machine controls the reading and sending of messages
71 * including handling of non-blocking IO events, flushing of the underlying
72 * write BIO, handling unexpected messages, etc. It is itself broken into two
73 * separate sub-state machines which control reading and writing respectively.
75 * The Handshake state machine keeps track of the current SSL/TLS handshake
76 * state. Transitions of the handshake state are the result of events that
77 * occur within the Message flow state machine.
79 * Overall it looks like this:
81 * --------------------------------------------- -------------------
83 * | Message flow state machine | | |
85 * | -------------------- -------------------- | Transition | Handshake state |
86 * | | MSG_FLOW_READING | | MSG_FLOW_WRITING | | Event | machine |
87 * | | sub-state | | sub-state | |----------->| |
88 * | | machine for | | machine for | | | |
89 * | | reading messages | | writing messages | | | |
90 * | -------------------- -------------------- | | |
92 * --------------------------------------------- -------------------
96 /* Sub state machine return values */
97 enum SUB_STATE_RETURN {
98 /* Something bad happened or NBIO */
100 /* Sub state finished go to the next sub state */
102 /* Sub state finished and handshake was completed */
103 SUB_STATE_END_HANDSHAKE
106 static int state_machine(SSL *s, int server);
107 static void init_read_state_machine(SSL *s);
108 static enum SUB_STATE_RETURN read_state_machine(SSL *s);
109 static void init_write_state_machine(SSL *s);
110 static enum SUB_STATE_RETURN write_state_machine(SSL *s);
111 static inline int cert_req_allowed(SSL *s);
112 static inline int key_exchange_skip_allowed(SSL *s);
113 static int client_read_transition(SSL *s, int mt);
114 static enum WRITE_TRAN client_write_transition(SSL *s);
115 static enum WORK_STATE client_pre_work(SSL *s, enum WORK_STATE wst);
116 static enum WORK_STATE client_post_work(SSL *s, enum WORK_STATE wst);
117 static int client_construct_message(SSL *s);
118 static unsigned long client_max_message_size(SSL *s);
119 static enum MSG_PROCESS_RETURN client_process_message(SSL *s,
121 static enum WORK_STATE client_post_process_message(SSL *s, enum WORK_STATE wst);
122 static int server_read_transition(SSL *s, int mt);
123 static inline int send_server_key_exchange(SSL *s);
124 static inline int send_certificate_request(SSL *s);
125 static enum WRITE_TRAN server_write_transition(SSL *s);
126 static enum WORK_STATE server_pre_work(SSL *s, enum WORK_STATE wst);
127 static enum WORK_STATE server_post_work(SSL *s, enum WORK_STATE wst);
128 static int server_construct_message(SSL *s);
129 static unsigned long server_max_message_size(SSL *s);
130 static enum MSG_PROCESS_RETURN server_process_message(SSL *s, unsigned long len);
131 static enum WORK_STATE server_post_process_message(SSL *s, enum WORK_STATE wst);
134 * Clear the state machine state and reset back to MSG_FLOW_UNINITED
136 void statem_clear(SSL *s)
138 s->statem.state = MSG_FLOW_UNINITED;
142 * Set the state machine up ready for a renegotiation handshake
144 void statem_set_renegotiate(SSL *s)
146 s->statem.state = MSG_FLOW_RENEGOTIATE;
150 * Put the state machine into an error state. This is a permanent error for
151 * the current connection.
153 void statem_set_error(SSL *s)
155 s->statem.state = MSG_FLOW_ERROR;
156 /* TODO: This is temporary - remove me */
157 s->state = SSL_ST_ERR;
160 int ssl3_connect(SSL *s) {
161 return state_machine(s, 0);
164 int dtls1_connect(SSL *s)
166 return state_machine(s, 0);
169 int ssl3_accept(SSL *s)
171 return state_machine(s, 1);
175 * The main message flow state machine. We start in the MSG_FLOW_UNINITED or
176 * MSG_FLOW_RENEGOTIATE state and finish in MSG_FLOW_FINISHED. Valid states and
177 * transitions are as follows:
179 * MSG_FLOW_UNINITED MSG_FLOW_RENEGOTIATE
181 * +-----------------------+
183 * MSG_FLOW_WRITING <---> MSG_FLOW_READING
191 * We may exit at any point due to an error or NBIO event. If an NBIO event
192 * occurs then we restart at the point we left off when we are recalled.
193 * MSG_FLOW_WRITING and MSG_FLOW_READING have sub-state machines associated with them.
195 * In addition to the above there is also the MSG_FLOW_ERROR state. We can move
196 * into that state at any point in the event that an irrecoverable error occurs.
198 * Valid return values are:
202 static int state_machine(SSL *s, int server) {
204 unsigned long Time = (unsigned long)time(NULL);
205 void (*cb) (const SSL *ssl, int type, int val) = NULL;
206 STATEM *st = &s->statem;
210 if (st->state == MSG_FLOW_ERROR) {
211 /* Shouldn't have been called if we're already in the error state */
215 RAND_add(&Time, sizeof(Time), 0);
219 if (s->info_callback != NULL)
220 cb = s->info_callback;
221 else if (s->ctx->info_callback != NULL)
222 cb = s->ctx->info_callback;
225 if (!SSL_in_init(s) || SSL_in_before(s)) {
230 #ifndef OPENSSL_NO_SCTP
231 if (SSL_IS_DTLS(s)) {
233 * Notify SCTP BIO socket to enter handshake mode and prevent stream
234 * identifier other than 0. Will be ignored if no SCTP is used.
236 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
237 s->in_handshake, NULL);
241 #ifndef OPENSSL_NO_HEARTBEATS
243 * If we're awaiting a HeartbeatResponse, pretend we already got and
244 * don't await it anymore, because Heartbeats don't make sense during
247 if (s->tlsext_hb_pending) {
250 s->tlsext_hb_pending = 0;
255 /* Initialise state machine */
257 if (st->state == MSG_FLOW_RENEGOTIATE) {
260 s->ctx->stats.sess_connect_renegotiate++;
263 if (st->state == MSG_FLOW_UNINITED || st->state == MSG_FLOW_RENEGOTIATE) {
264 /* TODO: Temporary - fix this */
266 s->state = SSL_ST_ACCEPT;
268 s->state = SSL_ST_CONNECT;
270 if (st->state == MSG_FLOW_UNINITED) {
271 st->hand_state = TLS_ST_BEFORE;
276 cb(s, SSL_CB_HANDSHAKE_START, 1);
278 if (SSL_IS_DTLS(s)) {
279 if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00) &&
281 || (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00))) {
282 SSLerr(SSL_F_STATE_MACHINE, ERR_R_INTERNAL_ERROR);
286 if ((s->version >> 8) != SSL3_VERSION_MAJOR
287 && s->version != TLS_ANY_VERSION) {
288 SSLerr(SSL_F_STATE_MACHINE, ERR_R_INTERNAL_ERROR);
293 if (!SSL_IS_DTLS(s)) {
294 if (s->version != TLS_ANY_VERSION &&
295 !ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) {
296 SSLerr(SSL_F_STATE_MACHINE, SSL_R_VERSION_TOO_LOW);
302 s->type = SSL_ST_ACCEPT;
304 s->type = SSL_ST_CONNECT;
306 if (s->init_buf == NULL) {
307 if ((buf = BUF_MEM_new()) == NULL) {
310 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
317 if (!ssl3_setup_buffers(s)) {
323 * Should have been reset by tls_process_finished, too.
325 s->s3->change_cipher_spec = 0;
327 if (!server || st->state != MSG_FLOW_RENEGOTIATE) {
329 * Ok, we now need to push on a buffering BIO ...but not with
332 #ifndef OPENSSL_NO_SCTP
333 if (!SSL_IS_DTLS(s) || !BIO_dgram_is_sctp(SSL_get_wbio(s)))
335 if (!ssl_init_wbio_buffer(s, server ? 1 : 0)) {
339 ssl3_init_finished_mac(s);
343 if (st->state != MSG_FLOW_RENEGOTIATE) {
344 s->ctx->stats.sess_accept++;
345 } else if (!s->s3->send_connection_binding &&
347 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
349 * Server attempting to renegotiate with client that doesn't
350 * support secure renegotiation.
352 SSLerr(SSL_F_STATE_MACHINE,
353 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
354 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
359 * s->state == SSL_ST_RENEGOTIATE, we will just send a
362 s->ctx->stats.sess_accept_renegotiate++;
365 s->ctx->stats.sess_connect++;
367 /* mark client_random uninitialized */
368 memset(s->s3->client_random, 0, sizeof(s->s3->client_random));
371 s->s3->tmp.cert_request = 0;
373 if (SSL_IS_DTLS(s)) {
378 st->state = MSG_FLOW_WRITING;
379 init_write_state_machine(s);
380 st->read_state_first_init = 1;
383 while(st->state != MSG_FLOW_FINISHED) {
384 if(st->state == MSG_FLOW_READING) {
385 ssret = read_state_machine(s);
386 if (ssret == SUB_STATE_FINISHED) {
387 st->state = MSG_FLOW_WRITING;
388 init_write_state_machine(s);
393 } else if (st->state == MSG_FLOW_WRITING) {
394 ssret = write_state_machine(s);
395 if (ssret == SUB_STATE_FINISHED) {
396 st->state = MSG_FLOW_READING;
397 init_read_state_machine(s);
398 } else if (ssret == SUB_STATE_END_HANDSHAKE) {
399 st->state = MSG_FLOW_FINISHED;
411 st->state = MSG_FLOW_UNINITED;
417 #ifndef OPENSSL_NO_SCTP
418 if (SSL_IS_DTLS(s)) {
420 * Notify SCTP BIO socket to leave handshake mode and allow stream
421 * identifier other than 0. Will be ignored if no SCTP is used.
423 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
424 s->in_handshake, NULL);
431 cb(s, SSL_CB_ACCEPT_EXIT, ret);
433 cb(s, SSL_CB_CONNECT_EXIT, ret);
439 * Initialise the MSG_FLOW_READING sub-state machine
441 static void init_read_state_machine(SSL *s)
443 STATEM *st = &s->statem;
445 st->read_state = READ_STATE_HEADER;
449 * This function implements the sub-state machine when the message flow is in
450 * MSG_FLOW_READING. The valid sub-states and transitions are:
452 * READ_STATE_HEADER <--+<-------------+
455 * READ_STATE_BODY -----+-->READ_STATE_POST_PROCESS
457 * +----------------------------+
459 * [SUB_STATE_FINISHED]
461 * READ_STATE_HEADER has the responsibility for reading in the message header
462 * and transitioning the state of the handshake state machine.
464 * READ_STATE_BODY reads in the rest of the message and then subsequently
467 * READ_STATE_POST_PROCESS is an optional step that may occur if some post
468 * processing activity performed on the message may block.
470 * Any of the above states could result in an NBIO event occuring in which case
471 * control returns to the calling application. When this function is recalled we
472 * will resume in the same state where we left off.
474 static enum SUB_STATE_RETURN read_state_machine(SSL *s) {
475 STATEM *st = &s->statem;
478 int (*transition)(SSL *s, int mt);
479 enum MSG_PROCESS_RETURN (*process_message)(SSL *s, unsigned long n);
480 enum WORK_STATE (*post_process_message)(SSL *s, enum WORK_STATE wst);
481 unsigned long (*max_message_size)(SSL *s);
482 void (*cb) (const SSL *ssl, int type, int val) = NULL;
484 if (s->info_callback != NULL)
485 cb = s->info_callback;
486 else if (s->ctx->info_callback != NULL)
487 cb = s->ctx->info_callback;
490 transition = server_read_transition;
491 process_message = server_process_message;
492 max_message_size = server_max_message_size;
493 post_process_message = server_post_process_message;
495 transition = client_read_transition;
496 process_message = client_process_message;
497 max_message_size = client_max_message_size;
498 post_process_message = client_post_process_message;
501 if (st->read_state_first_init) {
503 st->read_state_first_init = 0;
507 switch(st->read_state) {
508 case READ_STATE_HEADER:
510 /* Get the state the peer wants to move to */
511 if (SSL_IS_DTLS(s)) {
513 * In DTLS we get the whole message in one go - header and body
515 ret = dtls_get_message(s, &mt, &len);
517 ret = tls_get_message_header(s, &mt);
521 /* Could be non-blocking IO */
522 return SUB_STATE_ERROR;
526 /* Notify callback of an impending state change */
528 cb(s, SSL_CB_ACCEPT_LOOP, 1);
530 cb(s, SSL_CB_CONNECT_LOOP, 1);
533 * Validate that we are allowed to move to the new state and move
534 * to that state if so
536 if(!transition(s, mt)) {
537 ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE);
538 SSLerr(SSL_F_READ_STATE_MACHINE, SSL_R_UNEXPECTED_MESSAGE);
539 return SUB_STATE_ERROR;
542 if (s->s3->tmp.message_size > max_message_size(s)) {
543 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
544 SSLerr(SSL_F_READ_STATE_MACHINE, SSL_R_EXCESSIVE_MESSAGE_SIZE);
545 return SUB_STATE_ERROR;
548 st->read_state = READ_STATE_BODY;
551 case READ_STATE_BODY:
552 if (!SSL_IS_DTLS(s)) {
553 /* We already got this above for DTLS */
554 ret = tls_get_message_body(s, &len);
556 /* Could be non-blocking IO */
557 return SUB_STATE_ERROR;
562 ret = process_message(s, len);
563 if (ret == MSG_PROCESS_ERROR) {
564 return SUB_STATE_ERROR;
567 if (ret == MSG_PROCESS_FINISHED_READING) {
568 if (SSL_IS_DTLS(s)) {
571 return SUB_STATE_FINISHED;
574 if (ret == MSG_PROCESS_CONTINUE_PROCESSING) {
575 st->read_state = READ_STATE_POST_PROCESS;
576 st->read_state_work = WORK_MORE_A;
578 st->read_state = READ_STATE_HEADER;
582 case READ_STATE_POST_PROCESS:
583 st->read_state_work = post_process_message(s, st->read_state_work);
584 switch(st->read_state_work) {
586 return SUB_STATE_ERROR;
588 case WORK_FINISHED_CONTINUE:
589 st->read_state = READ_STATE_HEADER;
592 case WORK_FINISHED_STOP:
593 if (SSL_IS_DTLS(s)) {
596 return SUB_STATE_FINISHED;
601 /* Shouldn't happen */
602 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
603 SSLerr(SSL_F_READ_STATE_MACHINE, ERR_R_INTERNAL_ERROR);
605 return SUB_STATE_ERROR;
611 * Send a previously constructed message to the peer.
613 static int statem_do_write(SSL *s)
615 STATEM *st = &s->statem;
617 if (st->hand_state == TLS_ST_CW_CHANGE
618 || st->hand_state == TLS_ST_SW_CHANGE) {
620 return dtls1_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);
622 return ssl3_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);
624 return ssl_do_write(s);
629 * Initialise the MSG_FLOW_WRITING sub-state machine
631 static void init_write_state_machine(SSL *s)
633 STATEM *st = &s->statem;
635 st->write_state = WRITE_STATE_TRANSITION;
639 * This function implements the sub-state machine when the message flow is in
640 * MSG_FLOW_WRITING. The valid sub-states and transitions are:
642 * +-> WRITE_STATE_TRANSITION ------> [SUB_STATE_FINISHED]
645 * | WRITE_STATE_PRE_WORK -----> [SUB_STATE_END_HANDSHAKE]
651 * | WRITE_STATE_POST_WORK
655 * WRITE_STATE_TRANSITION transitions the state of the handshake state machine
657 * WRITE_STATE_PRE_WORK performs any work necessary to prepare the later
658 * sending of the message. This could result in an NBIO event occuring in
659 * which case control returns to the calling application. When this function
660 * is recalled we will resume in the same state where we left off.
662 * WRITE_STATE_SEND sends the message and performs any work to be done after
665 * WRITE_STATE_POST_WORK performs any work necessary after the sending of the
666 * message has been completed. As for WRITE_STATE_PRE_WORK this could also
667 * result in an NBIO event.
669 static enum SUB_STATE_RETURN write_state_machine(SSL *s)
671 STATEM *st = &s->statem;
673 enum WRITE_TRAN (*transition)(SSL *s);
674 enum WORK_STATE (*pre_work)(SSL *s, enum WORK_STATE wst);
675 enum WORK_STATE (*post_work)(SSL *s, enum WORK_STATE wst);
676 int (*construct_message)(SSL *s);
677 void (*cb) (const SSL *ssl, int type, int val) = NULL;
679 if (s->info_callback != NULL)
680 cb = s->info_callback;
681 else if (s->ctx->info_callback != NULL)
682 cb = s->ctx->info_callback;
685 transition = server_write_transition;
686 pre_work = server_pre_work;
687 post_work = server_post_work;
688 construct_message = server_construct_message;
690 transition = client_write_transition;
691 pre_work = client_pre_work;
692 post_work = client_post_work;
693 construct_message = client_construct_message;
697 switch(st->write_state) {
698 case WRITE_STATE_TRANSITION:
700 /* Notify callback of an impending state change */
702 cb(s, SSL_CB_ACCEPT_LOOP, 1);
704 cb(s, SSL_CB_CONNECT_LOOP, 1);
706 switch(transition(s)) {
707 case WRITE_TRAN_CONTINUE:
708 st->write_state = WRITE_STATE_PRE_WORK;
709 st->write_state_work = WORK_MORE_A;
712 case WRITE_TRAN_FINISHED:
713 return SUB_STATE_FINISHED;
717 return SUB_STATE_ERROR;
721 case WRITE_STATE_PRE_WORK:
722 switch(st->write_state_work = pre_work(s, st->write_state_work)) {
724 return SUB_STATE_ERROR;
726 case WORK_FINISHED_CONTINUE:
727 st->write_state = WRITE_STATE_SEND;
730 case WORK_FINISHED_STOP:
731 return SUB_STATE_END_HANDSHAKE;
733 if(construct_message(s) == 0)
734 return SUB_STATE_ERROR;
738 case WRITE_STATE_SEND:
739 if (SSL_IS_DTLS(s) && st->use_timer) {
740 dtls1_start_timer(s);
742 ret = statem_do_write(s);
744 return SUB_STATE_ERROR;
746 st->write_state = WRITE_STATE_POST_WORK;
747 st->write_state_work = WORK_MORE_A;
750 case WRITE_STATE_POST_WORK:
751 switch(st->write_state_work = post_work(s, st->write_state_work)) {
753 return SUB_STATE_ERROR;
755 case WORK_FINISHED_CONTINUE:
756 st->write_state = WRITE_STATE_TRANSITION;
759 case WORK_FINISHED_STOP:
760 return SUB_STATE_END_HANDSHAKE;
765 return SUB_STATE_ERROR;
771 * Flush the write BIO
773 static int statem_flush(SSL *s)
775 s->rwstate = SSL_WRITING;
776 if (BIO_flush(s->wbio) <= 0) {
779 s->rwstate = SSL_NOTHING;
785 * Called by the record layer to determine whether application data is
786 * allowed to be sent in the current handshake state or not.
789 * 1: Yes (application data allowed)
790 * 0: No (application data not allowed)
792 int statem_app_data_allowed(SSL *s)
794 STATEM *st = &s->statem;
796 if (st->state == MSG_FLOW_UNINITED || st->state == MSG_FLOW_RENEGOTIATE)
799 if (!s->s3->in_read_app_data || (s->s3->total_renegotiations == 0))
804 * If we're a server and we haven't got as far as writing our
805 * ServerHello yet then we allow app data
807 if (st->hand_state == TLS_ST_BEFORE
808 || st->hand_state == TLS_ST_SR_CLNT_HELLO)
812 * If we're a client and we haven't read the ServerHello yet then we
815 if (st->hand_state == TLS_ST_CW_CLNT_HELLO)
823 #ifndef OPENSSL_NO_SCTP
825 * Set flag used by SCTP to determine whether we are in the read sock state
827 void statem_set_sctp_read_sock(SSL *s, int read_sock)
829 s->statem.in_sctp_read_sock = read_sock;
833 * Called by the record layer to determine whether we are in the read sock
837 * 1: Yes (we are in the read sock state)
838 * 0: No (we are not in the read sock state)
840 int statem_in_sctp_read_sock(SSL *s)
842 return s->statem.in_sctp_read_sock;
847 * Is a CertificateRequest message allowed at the moment or not?
853 static inline int cert_req_allowed(SSL *s)
855 /* TLS does not like anon-DH with client cert */
856 if (s->version > SSL3_VERSION
857 && (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL))
864 * Are we allowed to skip the ServerKeyExchange message?
870 static inline int key_exchange_skip_allowed(SSL *s)
872 long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
875 * Can't skip server key exchange if this is an ephemeral
878 if (alg_k & (SSL_kDHE | SSL_kECDHE)) {
886 * client_read_transition() encapsulates the logic for the allowed handshake
887 * state transitions when the client is reading messages from the server. The
888 * message type that the server has sent is provided in |mt|. The current state
889 * is in |s->statem.hand_state|.
892 * 1: Success (transition allowed)
893 * 0: Error (transition not allowed)
895 static int client_read_transition(SSL *s, int mt)
897 STATEM *st = &s->statem;
899 switch(st->hand_state) {
900 case TLS_ST_CW_CLNT_HELLO:
901 if (mt == SSL3_MT_SERVER_HELLO) {
902 st->hand_state = TLS_ST_CR_SRVR_HELLO;
906 if (SSL_IS_DTLS(s)) {
907 if (mt == DTLS1_MT_HELLO_VERIFY_REQUEST) {
908 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
914 case TLS_ST_CR_SRVR_HELLO:
916 if (s->tlsext_ticket_expected) {
917 if (mt == SSL3_MT_NEWSESSION_TICKET) {
918 st->hand_state = TLS_ST_CR_SESSION_TICKET;
921 } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
922 st->hand_state = TLS_ST_CR_CHANGE;
926 if (SSL_IS_DTLS(s) && mt == DTLS1_MT_HELLO_VERIFY_REQUEST) {
927 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
929 } else if (!(s->s3->tmp.new_cipher->algorithm_auth
930 & (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
931 if (mt == SSL3_MT_CERTIFICATE) {
932 st->hand_state = TLS_ST_CR_CERT;
936 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
937 st->hand_state = TLS_ST_CR_KEY_EXCH;
939 } else if (key_exchange_skip_allowed(s)) {
940 if (mt == SSL3_MT_CERTIFICATE_REQUEST
941 && cert_req_allowed(s)) {
942 st->hand_state = TLS_ST_CR_CERT_REQ;
944 } else if (mt == SSL3_MT_SERVER_DONE) {
945 st->hand_state = TLS_ST_CR_SRVR_DONE;
954 if (s->tlsext_status_expected) {
955 if (mt == SSL3_MT_CERTIFICATE_STATUS) {
956 st->hand_state = TLS_ST_CR_CERT_STATUS;
960 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
961 st->hand_state = TLS_ST_CR_KEY_EXCH;
963 } else if (key_exchange_skip_allowed(s)) {
964 if (mt == SSL3_MT_CERTIFICATE_REQUEST && cert_req_allowed(s)) {
965 st->hand_state = TLS_ST_CR_CERT_REQ;
967 } else if (mt == SSL3_MT_SERVER_DONE) {
968 st->hand_state = TLS_ST_CR_SRVR_DONE;
975 case TLS_ST_CR_CERT_STATUS:
976 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
977 st->hand_state = TLS_ST_CR_KEY_EXCH;
979 } else if (key_exchange_skip_allowed(s)) {
980 if (mt == SSL3_MT_CERTIFICATE_REQUEST && cert_req_allowed(s)) {
981 st->hand_state = TLS_ST_CR_CERT_REQ;
983 } else if (mt == SSL3_MT_SERVER_DONE) {
984 st->hand_state = TLS_ST_CR_SRVR_DONE;
990 case TLS_ST_CR_KEY_EXCH:
991 if (mt == SSL3_MT_CERTIFICATE_REQUEST && cert_req_allowed(s)) {
992 st->hand_state = TLS_ST_CR_CERT_REQ;
994 } else if (mt == SSL3_MT_SERVER_DONE) {
995 st->hand_state = TLS_ST_CR_SRVR_DONE;
1000 case TLS_ST_CR_CERT_REQ:
1001 if (mt == SSL3_MT_SERVER_DONE) {
1002 st->hand_state = TLS_ST_CR_SRVR_DONE;
1007 case TLS_ST_CW_FINISHED:
1008 if (mt == SSL3_MT_NEWSESSION_TICKET && s->tlsext_ticket_expected) {
1009 st->hand_state = TLS_ST_CR_SESSION_TICKET;
1011 } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
1012 st->hand_state = TLS_ST_CR_CHANGE;
1017 case TLS_ST_CR_SESSION_TICKET:
1018 if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
1019 st->hand_state = TLS_ST_CR_CHANGE;
1024 case TLS_ST_CR_CHANGE:
1025 if (mt == SSL3_MT_FINISHED) {
1026 st->hand_state = TLS_ST_CR_FINISHED;
1035 /* No valid transition found */
1040 * client_write_transition() works out what handshake state to move to next
1041 * when the client is writing messages to be sent to the server.
1043 static enum WRITE_TRAN client_write_transition(SSL *s)
1045 STATEM *st = &s->statem;
1047 switch(st->hand_state) {
1049 /* Renegotiation - fall through */
1051 st->hand_state = TLS_ST_CW_CLNT_HELLO;
1052 return WRITE_TRAN_CONTINUE;
1054 case TLS_ST_CW_CLNT_HELLO:
1056 * No transition at the end of writing because we don't know what
1059 return WRITE_TRAN_FINISHED;
1061 case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
1062 st->hand_state = TLS_ST_CW_CLNT_HELLO;
1063 return WRITE_TRAN_CONTINUE;
1065 case TLS_ST_CR_SRVR_DONE:
1066 if (s->s3->tmp.cert_req)
1067 st->hand_state = TLS_ST_CW_CERT;
1069 st->hand_state = TLS_ST_CW_KEY_EXCH;
1070 return WRITE_TRAN_CONTINUE;
1072 case TLS_ST_CW_CERT:
1073 st->hand_state = TLS_ST_CW_KEY_EXCH;
1074 return WRITE_TRAN_CONTINUE;
1076 case TLS_ST_CW_KEY_EXCH:
1078 * For TLS, cert_req is set to 2, so a cert chain of nothing is
1079 * sent, but no verify packet is sent
1082 * XXX: For now, we do not support client authentication in ECDH
1083 * cipher suites with ECDH (rather than ECDSA) certificates. We
1084 * need to skip the certificate verify message when client's
1085 * ECDH public key is sent inside the client certificate.
1087 if (s->s3->tmp.cert_req == 1) {
1088 st->hand_state = TLS_ST_CW_CERT_VRFY;
1090 st->hand_state = TLS_ST_CW_CHANGE;
1092 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
1093 st->hand_state = TLS_ST_CW_CHANGE;
1095 return WRITE_TRAN_CONTINUE;
1097 case TLS_ST_CW_CERT_VRFY:
1098 st->hand_state = TLS_ST_CW_CHANGE;
1099 return WRITE_TRAN_CONTINUE;
1101 case TLS_ST_CW_CHANGE:
1102 #if defined(OPENSSL_NO_NEXTPROTONEG)
1103 st->hand_state = TLS_ST_CW_FINISHED;
1105 if (!SSL_IS_DTLS(s) && s->s3->next_proto_neg_seen)
1106 st->hand_state = TLS_ST_CW_NEXT_PROTO;
1108 st->hand_state = TLS_ST_CW_FINISHED;
1110 return WRITE_TRAN_CONTINUE;
1112 #if !defined(OPENSSL_NO_NEXTPROTONEG)
1113 case TLS_ST_CW_NEXT_PROTO:
1114 st->hand_state = TLS_ST_CW_FINISHED;
1115 return WRITE_TRAN_CONTINUE;
1118 case TLS_ST_CW_FINISHED:
1120 st->hand_state = TLS_ST_OK;
1121 /* TODO: This needs removing */
1122 s->state = SSL_ST_OK;
1123 return WRITE_TRAN_CONTINUE;
1125 return WRITE_TRAN_FINISHED;
1128 case TLS_ST_CR_FINISHED:
1130 st->hand_state = TLS_ST_CW_CHANGE;
1131 return WRITE_TRAN_CONTINUE;
1133 st->hand_state = TLS_ST_OK;
1134 /* TODO: This needs removing */
1135 s->state = SSL_ST_OK;
1136 return WRITE_TRAN_CONTINUE;
1140 /* Shouldn't happen */
1141 return WRITE_TRAN_ERROR;
1146 * Perform any pre work that needs to be done prior to sending a message from
1147 * the client to the server.
1149 static enum WORK_STATE client_pre_work(SSL *s, enum WORK_STATE wst)
1151 STATEM *st = &s->statem;
1153 switch(st->hand_state) {
1154 case TLS_ST_CW_CLNT_HELLO:
1156 if (SSL_IS_DTLS(s)) {
1157 /* every DTLS ClientHello resets Finished MAC */
1158 ssl3_init_finished_mac(s);
1162 case TLS_ST_CW_CERT:
1163 return tls_prepare_client_certificate(s, wst);
1165 case TLS_ST_CW_CHANGE:
1166 if (SSL_IS_DTLS(s)) {
1169 * We're into the last flight so we don't retransmit these
1170 * messages unless we need to.
1174 #ifndef OPENSSL_NO_SCTP
1175 if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
1176 return dtls_wait_for_dry(s);
1179 return WORK_FINISHED_CONTINUE;
1182 return tls_finish_handshake(s, wst);
1185 /* No pre work to be done */
1189 return WORK_FINISHED_CONTINUE;
1193 * Perform any work that needs to be done after sending a message from the
1194 * client to the server.
1196 static enum WORK_STATE client_post_work(SSL *s, enum WORK_STATE wst)
1198 STATEM *st = &s->statem;
1202 switch(st->hand_state) {
1203 case TLS_ST_CW_CLNT_HELLO:
1204 if (SSL_IS_DTLS(s) && s->d1->cookie_len > 0 && statem_flush(s) != 1)
1206 #ifndef OPENSSL_NO_SCTP
1207 /* Disable buffering for SCTP */
1208 if (!SSL_IS_DTLS(s) || !BIO_dgram_is_sctp(SSL_get_wbio(s))) {
1211 * turn on buffering for the next lot of output
1213 if (s->bbio != s->wbio)
1214 s->wbio = BIO_push(s->bbio, s->wbio);
1215 #ifndef OPENSSL_NO_SCTP
1218 if (SSL_IS_DTLS(s)) {
1219 /* Treat the next message as the first packet */
1220 s->first_packet = 1;
1224 case TLS_ST_CW_KEY_EXCH:
1225 if (tls_client_key_exchange_post_work(s) == 0)
1229 case TLS_ST_CW_CHANGE:
1230 s->session->cipher = s->s3->tmp.new_cipher;
1231 #ifdef OPENSSL_NO_COMP
1232 s->session->compress_meth = 0;
1234 if (s->s3->tmp.new_compression == NULL)
1235 s->session->compress_meth = 0;
1237 s->session->compress_meth = s->s3->tmp.new_compression->id;
1239 if (!s->method->ssl3_enc->setup_key_block(s))
1242 if (!s->method->ssl3_enc->change_cipher_state(s,
1243 SSL3_CHANGE_CIPHER_CLIENT_WRITE))
1246 if (SSL_IS_DTLS(s)) {
1247 #ifndef OPENSSL_NO_SCTP
1250 * Change to new shared key of SCTP-Auth, will be ignored if
1253 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
1258 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
1262 case TLS_ST_CW_FINISHED:
1263 #ifndef OPENSSL_NO_SCTP
1264 if (wst == WORK_MORE_A && SSL_IS_DTLS(s) && s->hit == 0) {
1266 * Change to new shared key of SCTP-Auth, will be ignored if
1269 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
1273 if (statem_flush(s) != 1)
1276 if (s->hit && tls_finish_handshake(s, WORK_MORE_A) != 1)
1281 /* No post work to be done */
1285 return WORK_FINISHED_CONTINUE;
1289 * Construct a message to be sent from the client to the server.
1291 * Valid return values are:
1295 static int client_construct_message(SSL *s)
1297 STATEM *st = &s->statem;
1299 switch(st->hand_state) {
1300 case TLS_ST_CW_CLNT_HELLO:
1301 return tls_construct_client_hello(s);
1303 case TLS_ST_CW_CERT:
1304 return tls_construct_client_certificate(s);
1306 case TLS_ST_CW_KEY_EXCH:
1307 return tls_construct_client_key_exchange(s);
1309 case TLS_ST_CW_CERT_VRFY:
1310 return tls_construct_client_verify(s);
1312 case TLS_ST_CW_CHANGE:
1314 return dtls_construct_change_cipher_spec(s);
1316 return tls_construct_change_cipher_spec(s);
1318 #if !defined(OPENSSL_NO_NEXTPROTONEG)
1319 case TLS_ST_CW_NEXT_PROTO:
1320 return tls_construct_next_proto(s);
1322 case TLS_ST_CW_FINISHED:
1323 return tls_construct_finished(s,
1325 ssl3_enc->client_finished_label,
1327 ssl3_enc->client_finished_label_len);
1330 /* Shouldn't happen */
1337 /* The spec allows for a longer length than this, but we limit it */
1338 #define HELLO_VERIFY_REQUEST_MAX_LENGTH 258
1339 #define SERVER_HELLO_MAX_LENGTH 20000
1340 #define SERVER_KEY_EXCH_MAX_LENGTH 102400
1341 #define SERVER_HELLO_DONE_MAX_LENGTH 0
1342 #define CCS_MAX_LENGTH 1
1343 /* Max should actually be 36 but we are generous */
1344 #define FINISHED_MAX_LENGTH 64
1347 * Returns the maximum allowed length for the current message that we are
1348 * reading. Excludes the message header.
1350 static unsigned long client_max_message_size(SSL *s)
1352 STATEM *st = &s->statem;
1354 switch(st->hand_state) {
1355 case TLS_ST_CR_SRVR_HELLO:
1356 return SERVER_HELLO_MAX_LENGTH;
1358 case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
1359 return HELLO_VERIFY_REQUEST_MAX_LENGTH;
1361 case TLS_ST_CR_CERT:
1362 return s->max_cert_list;
1364 case TLS_ST_CR_CERT_STATUS:
1365 return SSL3_RT_MAX_PLAIN_LENGTH;
1367 case TLS_ST_CR_KEY_EXCH:
1368 return SERVER_KEY_EXCH_MAX_LENGTH;
1370 case TLS_ST_CR_CERT_REQ:
1371 return SSL3_RT_MAX_PLAIN_LENGTH;
1373 case TLS_ST_CR_SRVR_DONE:
1374 return SERVER_HELLO_DONE_MAX_LENGTH;
1376 case TLS_ST_CR_CHANGE:
1377 return CCS_MAX_LENGTH;
1379 case TLS_ST_CR_SESSION_TICKET:
1380 return SSL3_RT_MAX_PLAIN_LENGTH;
1382 case TLS_ST_CR_FINISHED:
1383 return FINISHED_MAX_LENGTH;
1386 /* Shouldn't happen */
1394 * Process a message that the client has been received from the server.
1396 static enum MSG_PROCESS_RETURN client_process_message(SSL *s, unsigned long len)
1398 STATEM *st = &s->statem;
1400 switch(st->hand_state) {
1401 case TLS_ST_CR_SRVR_HELLO:
1402 return tls_process_server_hello(s, len);
1404 case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
1405 return dtls_process_hello_verify(s, len);
1407 case TLS_ST_CR_CERT:
1408 return tls_process_server_certificate(s, len);
1410 case TLS_ST_CR_CERT_STATUS:
1411 return tls_process_cert_status(s, len);
1413 case TLS_ST_CR_KEY_EXCH:
1414 return tls_process_key_exchange(s, len);
1416 case TLS_ST_CR_CERT_REQ:
1417 return tls_process_certificate_request(s, len);
1419 case TLS_ST_CR_SRVR_DONE:
1420 return tls_process_server_done(s, len);
1422 case TLS_ST_CR_CHANGE:
1423 return tls_process_change_cipher_spec(s, len);
1425 case TLS_ST_CR_SESSION_TICKET:
1426 return tls_process_new_session_ticket(s, len);
1428 case TLS_ST_CR_FINISHED:
1429 return tls_process_finished(s, len);
1432 /* Shouldn't happen */
1436 return MSG_PROCESS_ERROR;
1440 * Perform any further processing required following the receipt of a message
1443 static enum WORK_STATE client_post_process_message(SSL *s, enum WORK_STATE wst)
1445 STATEM *st = &s->statem;
1447 switch(st->hand_state) {
1448 #ifndef OPENSSL_NO_SCTP
1449 case TLS_ST_CR_SRVR_DONE:
1450 /* We only get here if we are using SCTP and we are renegotiating */
1451 if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
1452 s->s3->in_read_app_data = 2;
1453 s->rwstate = SSL_READING;
1454 BIO_clear_retry_flags(SSL_get_rbio(s));
1455 BIO_set_retry_read(SSL_get_rbio(s));
1456 statem_set_sctp_read_sock(s, 1);
1459 statem_set_sctp_read_sock(s, 0);
1460 return WORK_FINISHED_STOP;
1463 case TLS_ST_CR_FINISHED:
1465 return tls_finish_handshake(s, wst);
1467 return WORK_FINISHED_STOP;
1472 /* Shouldn't happen */
1478 * server_read_transition() encapsulates the logic for the allowed handshake
1479 * state transitions when the server is reading messages from the client. The
1480 * message type that the client has sent is provided in |mt|. The current state
1481 * is in |s->statem.hand_state|.
1483 * Valid return values are:
1484 * 1: Success (transition allowed)
1485 * 0: Error (transition not allowed)
1487 static int server_read_transition(SSL *s, int mt)
1489 STATEM *st = &s->statem;
1491 switch(st->hand_state) {
1493 if (mt == SSL3_MT_CLIENT_HELLO) {
1494 st->hand_state = TLS_ST_SR_CLNT_HELLO;
1499 case TLS_ST_SW_SRVR_DONE:
1501 * If we get a CKE message after a ServerDone then either
1502 * 1) We didn't request a Certificate
1504 * 2) If we did request one then
1505 * a) We allow no Certificate to be returned
1507 * b) We are running SSL3 (in TLS1.0+ the client must return a 0
1508 * list if we requested a certificate)
1510 if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE
1511 && (!s->s3->tmp.cert_request
1512 || (!((s->verify_mode & SSL_VERIFY_PEER) &&
1513 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
1514 && (s->version == SSL3_VERSION)))) {
1515 st->hand_state = TLS_ST_SR_KEY_EXCH;
1517 } else if (s->s3->tmp.cert_request) {
1518 if (mt == SSL3_MT_CERTIFICATE) {
1519 st->hand_state = TLS_ST_SR_CERT;
1525 case TLS_ST_SR_CERT:
1526 if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
1527 st->hand_state = TLS_ST_SR_KEY_EXCH;
1532 case TLS_ST_SR_KEY_EXCH:
1534 * We should only process a CertificateVerify message if we have
1535 * received a Certificate from the client. If so then |s->session->peer|
1536 * will be non NULL. In some instances a CertificateVerify message is
1537 * not required even if the peer has sent a Certificate (e.g. such as in
1538 * the case of static DH). In that case |s->no_cert_verify| should be
1541 if (s->session->peer == NULL || s->no_cert_verify) {
1542 if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
1544 * For the ECDH ciphersuites when the client sends its ECDH
1545 * pub key in a certificate, the CertificateVerify message is
1546 * not sent. Also for GOST ciphersuites when the client uses
1547 * its key from the certificate for key exchange.
1549 st->hand_state = TLS_ST_SR_CHANGE;
1553 if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
1554 st->hand_state = TLS_ST_SR_CERT_VRFY;
1560 case TLS_ST_SR_CERT_VRFY:
1561 if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
1562 st->hand_state = TLS_ST_SR_CHANGE;
1567 case TLS_ST_SR_CHANGE:
1568 #ifndef OPENSSL_NO_NEXTPROTONEG
1569 if (s->s3->next_proto_neg_seen) {
1570 if (mt == SSL3_MT_NEXT_PROTO) {
1571 st->hand_state = TLS_ST_SR_NEXT_PROTO;
1576 if (mt == SSL3_MT_FINISHED) {
1577 st->hand_state = TLS_ST_SR_FINISHED;
1580 #ifndef OPENSSL_NO_NEXTPROTONEG
1585 #ifndef OPENSSL_NO_NEXTPROTONEG
1586 case TLS_ST_SR_NEXT_PROTO:
1587 if (mt == SSL3_MT_FINISHED) {
1588 st->hand_state = TLS_ST_SR_FINISHED;
1594 case TLS_ST_SW_FINISHED:
1595 if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
1596 st->hand_state = TLS_ST_SR_CHANGE;
1605 /* No valid transition found */
1610 * Should we send a ServerKeyExchange message?
1612 * Valid return values are:
1616 static inline int send_server_key_exchange(SSL *s)
1618 unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
1621 * only send a ServerKeyExchange if DH, fortezza or RSA but we have a
1622 * sign only certificate PSK: may send PSK identity hints For
1623 * ECC ciphersuites, we send a serverKeyExchange message only if
1624 * the cipher suite is either ECDH-anon or ECDHE. In other cases,
1625 * the server certificate contains the server's public key for
1628 if ( (alg_k & SSL_kDHE)
1629 || (alg_k & SSL_kECDHE)
1630 || ((alg_k & SSL_kRSA)
1631 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
1632 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
1633 && EVP_PKEY_size(s->cert->pkeys
1634 [SSL_PKEY_RSA_ENC].privatekey) *
1635 8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
1640 * PSK: send ServerKeyExchange if PSK identity hint if
1643 #ifndef OPENSSL_NO_PSK
1644 /* Only send SKE if we have identity hint for plain PSK */
1645 || ((alg_k & (SSL_kPSK | SSL_kRSAPSK))
1646 && s->cert->psk_identity_hint)
1647 /* For other PSK always send SKE */
1648 || (alg_k & (SSL_PSK & (SSL_kDHEPSK | SSL_kECDHEPSK)))
1650 #ifndef OPENSSL_NO_SRP
1651 /* SRP: send ServerKeyExchange */
1652 || (alg_k & SSL_kSRP)
1662 * Should we send a CertificateRequest message?
1664 * Valid return values are:
1668 static inline int send_certificate_request(SSL *s)
1671 /* don't request cert unless asked for it: */
1672 s->verify_mode & SSL_VERIFY_PEER
1674 * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
1675 * during re-negotiation:
1677 && ((s->session->peer == NULL) ||
1678 !(s->verify_mode & SSL_VERIFY_CLIENT_ONCE))
1680 * never request cert in anonymous ciphersuites (see
1681 * section "Certificate request" in SSL 3 drafts and in
1684 && (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
1686 * ... except when the application insists on
1687 * verification (against the specs, but s3_clnt.c accepts
1690 || (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
1691 /* don't request certificate for SRP auth */
1692 && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP)
1694 * With normal PSK Certificates and Certificate Requests
1697 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) {
1705 * server_write_transition() works out what handshake state to move to next
1706 * when the server is writing messages to be sent to the client.
1708 static enum WRITE_TRAN server_write_transition(SSL *s)
1710 STATEM *st = &s->statem;
1712 switch(st->hand_state) {
1714 /* Just go straight to trying to read from the client */;
1715 return WRITE_TRAN_FINISHED;
1718 /* We must be trying to renegotiate */
1719 st->hand_state = TLS_ST_SW_HELLO_REQ;
1720 return WRITE_TRAN_CONTINUE;
1722 case TLS_ST_SW_HELLO_REQ:
1723 st->hand_state = TLS_ST_OK;
1724 /* TODO: This needs removing */
1725 s->state = SSL_ST_OK;
1726 return WRITE_TRAN_CONTINUE;
1728 case TLS_ST_SR_CLNT_HELLO:
1729 st->hand_state = TLS_ST_SW_SRVR_HELLO;
1730 return WRITE_TRAN_CONTINUE;
1732 case TLS_ST_SW_SRVR_HELLO:
1734 if (s->tlsext_ticket_expected)
1735 st->hand_state = TLS_ST_SW_SESSION_TICKET;
1737 st->hand_state = TLS_ST_SW_CHANGE;
1739 /* Check if it is anon DH or anon ECDH, */
1740 /* normal PSK or SRP */
1741 if (!(s->s3->tmp.new_cipher->algorithm_auth &
1742 (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
1743 st->hand_state = TLS_ST_SW_CERT;
1744 } else if (send_server_key_exchange(s)) {
1745 st->hand_state = TLS_ST_SW_KEY_EXCH;
1746 } else if (send_certificate_request(s)) {
1747 st->hand_state = TLS_ST_SW_CERT_REQ;
1749 st->hand_state = TLS_ST_SW_SRVR_DONE;
1752 return WRITE_TRAN_CONTINUE;
1754 case TLS_ST_SW_CERT:
1755 if (s->tlsext_status_expected) {
1756 st->hand_state = TLS_ST_SW_CERT_STATUS;
1757 return WRITE_TRAN_CONTINUE;
1761 case TLS_ST_SW_CERT_STATUS:
1762 if (send_server_key_exchange(s)) {
1763 st->hand_state = TLS_ST_SW_KEY_EXCH;
1764 return WRITE_TRAN_CONTINUE;
1768 case TLS_ST_SW_KEY_EXCH:
1769 if (send_certificate_request(s)) {
1770 st->hand_state = TLS_ST_SW_CERT_REQ;
1771 return WRITE_TRAN_CONTINUE;
1775 case TLS_ST_SW_CERT_REQ:
1776 st->hand_state = TLS_ST_SW_SRVR_DONE;
1777 return WRITE_TRAN_CONTINUE;
1779 case TLS_ST_SW_SRVR_DONE:
1780 return WRITE_TRAN_FINISHED;
1782 case TLS_ST_SR_FINISHED:
1784 st->hand_state = TLS_ST_OK;
1785 /* TODO: This needs removing */
1786 s->state = SSL_ST_OK;
1787 return WRITE_TRAN_CONTINUE;
1788 } else if (s->tlsext_ticket_expected) {
1789 st->hand_state = TLS_ST_SW_SESSION_TICKET;
1791 st->hand_state = TLS_ST_SW_CHANGE;
1793 return WRITE_TRAN_CONTINUE;
1795 case TLS_ST_SW_SESSION_TICKET:
1796 st->hand_state = TLS_ST_SW_CHANGE;
1797 return WRITE_TRAN_CONTINUE;
1799 case TLS_ST_SW_CHANGE:
1800 st->hand_state = TLS_ST_SW_FINISHED;
1801 return WRITE_TRAN_CONTINUE;
1803 case TLS_ST_SW_FINISHED:
1805 return WRITE_TRAN_FINISHED;
1807 st->hand_state = TLS_ST_OK;
1808 /* TODO: This needs removing */
1809 s->state = SSL_ST_OK;
1810 return WRITE_TRAN_CONTINUE;
1813 /* Shouldn't happen */
1814 return WRITE_TRAN_ERROR;
1819 * Perform any pre work that needs to be done prior to sending a message from
1820 * the server to the client.
1822 static enum WORK_STATE server_pre_work(SSL *s, enum WORK_STATE wst)
1824 STATEM *st = &s->statem;
1826 switch(st->hand_state) {
1827 case TLS_ST_SW_HELLO_REQ:
1831 case TLS_ST_SW_CHANGE:
1832 s->session->cipher = s->s3->tmp.new_cipher;
1833 if (!s->method->ssl3_enc->setup_key_block(s)) {
1834 statem_set_error(s);
1837 return WORK_FINISHED_CONTINUE;
1840 return tls_finish_handshake(s, wst);
1843 /* No pre work to be done */
1847 return WORK_FINISHED_CONTINUE;
1851 * Perform any work that needs to be done after sending a message from the
1852 * server to the client.
1854 static enum WORK_STATE server_post_work(SSL *s, enum WORK_STATE wst)
1856 STATEM *st = &s->statem;
1860 switch(st->hand_state) {
1861 case TLS_ST_SW_HELLO_REQ:
1862 if (statem_flush(s) != 1)
1864 ssl3_init_finished_mac(s);
1867 case TLS_ST_SW_CHANGE:
1868 if (!s->method->ssl3_enc->change_cipher_state(s,
1869 SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
1870 statem_set_error(s);
1875 case TLS_ST_SW_SRVR_DONE:
1876 if (statem_flush(s) != 1)
1880 case TLS_ST_SW_FINISHED:
1881 if (statem_flush(s) != 1)
1886 /* No post work to be done */
1890 return WORK_FINISHED_CONTINUE;
1894 * Construct a message to be sent from the server to the client.
1896 * Valid return values are:
1900 static int server_construct_message(SSL *s)
1902 STATEM *st = &s->statem;
1904 switch(st->hand_state) {
1905 case TLS_ST_SW_HELLO_REQ:
1906 return tls_construct_hello_request(s);
1908 case TLS_ST_SW_SRVR_HELLO:
1909 return tls_construct_server_hello(s);
1911 case TLS_ST_SW_CERT:
1912 return tls_construct_server_certificate(s);
1914 case TLS_ST_SW_KEY_EXCH:
1915 return tls_construct_server_key_exchange(s);
1917 case TLS_ST_SW_CERT_REQ:
1918 return tls_construct_certificate_request(s);
1920 case TLS_ST_SW_SRVR_DONE:
1921 return tls_construct_server_done(s);
1923 case TLS_ST_SW_SESSION_TICKET:
1924 return tls_construct_new_session_ticket(s);
1926 case TLS_ST_SW_CERT_STATUS:
1927 return tls_construct_cert_status(s);
1929 case TLS_ST_SW_CHANGE:
1931 return dtls_construct_change_cipher_spec(s);
1933 return tls_construct_change_cipher_spec(s);
1935 case TLS_ST_SW_FINISHED:
1936 return tls_construct_finished(s,
1938 ssl3_enc->server_finished_label,
1940 ssl3_enc->server_finished_label_len);
1943 /* Shouldn't happen */
1950 #define CLIENT_KEY_EXCH_MAX_LENGTH 2048
1951 #define NEXT_PROTO_MAX_LENGTH 514
1954 * Returns the maximum allowed length for the current message that we are
1955 * reading. Excludes the message header.
1957 static unsigned long server_max_message_size(SSL *s)
1959 STATEM *st = &s->statem;
1961 switch(st->hand_state) {
1962 case TLS_ST_SR_CLNT_HELLO:
1963 return SSL3_RT_MAX_PLAIN_LENGTH;
1965 case TLS_ST_SR_CERT:
1966 return s->max_cert_list;
1968 case TLS_ST_SR_KEY_EXCH:
1969 return CLIENT_KEY_EXCH_MAX_LENGTH;
1971 case TLS_ST_SR_CERT_VRFY:
1972 return SSL3_RT_MAX_PLAIN_LENGTH;
1974 #ifndef OPENSSL_NO_NEXTPROTONEG
1975 case TLS_ST_SR_NEXT_PROTO:
1976 return NEXT_PROTO_MAX_LENGTH;
1979 case TLS_ST_SR_CHANGE:
1980 return CCS_MAX_LENGTH;
1982 case TLS_ST_SR_FINISHED:
1983 return FINISHED_MAX_LENGTH;
1986 /* Shouldn't happen */
1994 * Process a message that the server has received from the client.
1996 static enum MSG_PROCESS_RETURN server_process_message(SSL *s,
1999 STATEM *st = &s->statem;
2001 switch(st->hand_state) {
2002 case TLS_ST_SR_CLNT_HELLO:
2003 return tls_process_client_hello(s, len);
2005 case TLS_ST_SR_CERT:
2006 return tls_process_client_certificate(s, len);
2008 case TLS_ST_SR_KEY_EXCH:
2009 return tls_process_client_key_exchange(s, len);
2011 case TLS_ST_SR_CERT_VRFY:
2012 return tls_process_cert_verify(s, len);
2014 #ifndef OPENSSL_NO_NEXTPROTONEG
2015 case TLS_ST_SR_NEXT_PROTO:
2016 return tls_process_next_proto(s, len);
2019 case TLS_ST_SR_CHANGE:
2020 return tls_process_change_cipher_spec(s, len);
2022 case TLS_ST_SR_FINISHED:
2023 return tls_process_finished(s, len);
2026 /* Shouldn't happen */
2030 return MSG_PROCESS_ERROR;
2034 * Perform any further processing required following the receipt of a message
2037 static enum WORK_STATE server_post_process_message(SSL *s, enum WORK_STATE wst)
2039 STATEM *st = &s->statem;
2041 switch(st->hand_state) {
2042 case TLS_ST_SR_CLNT_HELLO:
2043 return tls_post_process_client_hello(s, wst);
2045 case TLS_ST_SR_KEY_EXCH:
2046 return tls_post_process_client_key_exchange(s, wst);
2048 case TLS_ST_SR_FINISHED:
2050 return tls_finish_handshake(s, wst);
2052 return WORK_FINISHED_STOP;
2057 /* Shouldn't happen */