From: Matt Caswell Date: Wed, 29 Jul 2015 13:23:56 +0000 (+0100) Subject: Add initial state machine rewrite code X-Git-Tag: OpenSSL_1_1_0-pre1~378 X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=f8e0a5573820bd7318782d4954c6643ff7e58102;ds=sidebyside Add initial state machine rewrite code This is the first drop of the new state machine code. The rewrite has the following objectives: - Remove duplication of state code between client and server - Remove duplication of state code between TLS and DTLS - Simplify transitions and bring the logic together in a single location so that it is easier to validate - Remove duplication of code between each of the message handling functions - Receive a message first and then work out whether that is a valid transition - not the other way around (the other way causes lots of issues where we are expecting one type of message next but actually get something else) - Separate message flow state from handshake state (in order to better understand each) - message flow state = when to flush buffers; handling restarts in the event of NBIO events; handling the common flow of steps for reading a message and the common flow of steps for writing a message etc - handshake state = what handshake message are we working on now - Control complexity: only the state machine can change state: keep all the state changes local to a file This builds on previous state machine related work: - Surface CCS processing in the state machine - Version negotiation rewrite Reviewed-by: Tim Hudson Reviewed-by: Richard Levitte --- diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index fb626279af..7788f098e6 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -1928,6 +1928,7 @@ void ERR_load_SSL_strings(void); # define SSL_F_DTLS1_SEND_SERVER_HELLO 266 # define SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE 267 # define SSL_F_DTLS1_WRITE_APP_DATA_BYTES 268 +# define SSL_F_READ_STATE_MACHINE 352 # define SSL_F_SSL3_ACCEPT 128 # define SSL_F_SSL3_ADD_CERT_TO_BUF 296 # define SSL_F_SSL3_CALLBACK_CTRL 233 @@ -2085,6 +2086,7 @@ void ERR_load_SSL_strings(void); # define SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 206 # define SSL_F_SSL_VERIFY_CERT_CHAIN 207 # define SSL_F_SSL_WRITE 208 +# define SSL_F_STATE_MACHINE 353 # define SSL_F_TLS12_CHECK_PEER_SIGALG 333 # define SSL_F_TLS1_CERT_VERIFY_MAC 286 # define SSL_F_TLS1_CHANGE_CIPHER_STATE 209 diff --git a/ssl/Makefile b/ssl/Makefile index 7953da4f8f..536ddcc200 100644 --- a/ssl/Makefile +++ b/ssl/Makefile @@ -26,7 +26,8 @@ LIBSRC= \ ssl_ciph.c ssl_stat.c ssl_rsa.c \ ssl_asn1.c ssl_txt.c ssl_algs.c ssl_conf.c \ bio_ssl.c ssl_err.c t1_reneg.c tls_srp.c t1_trce.c ssl_utst.c \ - record/ssl3_buffer.c record/ssl3_record.c record/dtls1_bitmap.c + record/ssl3_buffer.c record/ssl3_record.c record/dtls1_bitmap.c \ + statem.c LIBOBJ= \ s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o record/rec_layer_s3.o \ s3_both.o s3_cbc.o s3_msg.o \ @@ -37,7 +38,8 @@ LIBOBJ= \ ssl_ciph.o ssl_stat.o ssl_rsa.o \ ssl_asn1.o ssl_txt.o ssl_algs.o ssl_conf.o \ bio_ssl.o ssl_err.o t1_reneg.o tls_srp.o t1_trce.o ssl_utst.o \ - record/ssl3_buffer.o record/ssl3_record.o record/dtls1_bitmap.o + record/ssl3_buffer.o record/ssl3_record.o record/dtls1_bitmap.o \ + statem.o SRC= $(LIBSRC) @@ -781,6 +783,26 @@ ssl_utst.o: ../include/openssl/stack.h ../include/openssl/symhacks.h ssl_utst.o: ../include/openssl/tls1.h ../include/openssl/x509.h ssl_utst.o: ../include/openssl/x509_vfy.h packet_locl.h record/record.h ssl_utst.o: ssl_locl.h ssl_utst.c +statem.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +statem.o: ../include/openssl/bn.h ../include/openssl/buffer.h +statem.o: ../include/openssl/comp.h ../include/openssl/crypto.h +statem.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h +statem.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +statem.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +statem.o: ../include/openssl/err.h ../include/openssl/evp.h +statem.o: ../include/openssl/hmac.h ../include/openssl/lhash.h +statem.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +statem.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +statem.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +statem.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +statem.o: ../include/openssl/pqueue.h ../include/openssl/rand.h +statem.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +statem.o: ../include/openssl/sha.h ../include/openssl/srtp.h +statem.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +statem.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +statem.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +statem.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h packet_locl.h +statem.o: record/record.h ssl_locl.h statem.c t1_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h t1_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h t1_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h diff --git a/ssl/s3_both.c b/ssl/s3_both.c index dbc2eee7c6..d8a2da1362 100644 --- a/ssl/s3_both.c +++ b/ssl/s3_both.c @@ -478,6 +478,7 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) return n; f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); + statem_set_error(s); *ok = 0; return 0; } diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 5e7b618e49..292fb1b3cc 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -5132,6 +5132,7 @@ int ssl3_renegotiate_check(SSL *s) */ /* SSL_ST_ACCEPT */ s->state = SSL_ST_RENEGOTIATE; + statem_set_renegotiate(s); s->s3->renegotiate = 0; s->s3->num_renegotiations++; s->s3->total_renegotiations++; diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index 8e95827533..864501b80c 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -112,6 +112,7 @@ static ERR_STRING_DATA SSL_str_functs[] = { {ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE), "dtls1_send_server_key_exchange"}, {ERR_FUNC(SSL_F_DTLS1_WRITE_APP_DATA_BYTES), "dtls1_write_app_data_bytes"}, + {ERR_FUNC(SSL_F_READ_STATE_MACHINE), "READ_STATE_MACHINE"}, {ERR_FUNC(SSL_F_SSL3_ACCEPT), "ssl3_accept"}, {ERR_FUNC(SSL_F_SSL3_ADD_CERT_TO_BUF), "SSL3_ADD_CERT_TO_BUF"}, {ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL), "ssl3_callback_ctrl"}, @@ -313,6 +314,7 @@ static ERR_STRING_DATA SSL_str_functs[] = { {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE), "SSL_use_RSAPrivateKey_file"}, {ERR_FUNC(SSL_F_SSL_VERIFY_CERT_CHAIN), "ssl_verify_cert_chain"}, {ERR_FUNC(SSL_F_SSL_WRITE), "SSL_write"}, + {ERR_FUNC(SSL_F_STATE_MACHINE), "STATE_MACHINE"}, {ERR_FUNC(SSL_F_TLS12_CHECK_PEER_SIGALG), "tls12_check_peer_sigalg"}, {ERR_FUNC(SSL_F_TLS1_CERT_VERIFY_MAC), "tls1_cert_verify_mac"}, {ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE), "tls1_change_cipher_state"}, diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index e80d5f172c..bc5676adb9 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -218,6 +218,7 @@ int SSL_clear(SSL *s) s->type = 0; s->state = SSL_ST_BEFORE | ((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT); + statem_clear(s); s->version = s->method->version; s->client_version = s->version; diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index c2f4d440b6..4a759e38a9 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -717,6 +717,137 @@ struct ssl_comp_st { DECLARE_STACK_OF(SSL_COMP) DECLARE_LHASH_OF(SSL_SESSION); +/* + * The valid handshake states (one for each type message sent and one for each + * type of message received). There are also two "special" states: + * TLS = TLS or DTLS state + * DTLS = DTLS specific state + * CR/SR = Client Read/Server Read + * CW/SW = Client Write/Server Write + * + * The "special" states are: + * TLS_ST_BEFORE = No handshake has been initiated yet + * TLS_ST_OK = A handshake has been successfully completed + */ +enum HANDSHAKE_STATE { + TLS_ST_BEFORE, + TLS_ST_OK, + DTLS_ST_CR_HELLO_VERIFY_REQUEST, + TLS_ST_CR_SRVR_HELLO, + TLS_ST_CR_CERT, + TLS_ST_CR_CERT_STATUS, + TLS_ST_CR_KEY_EXCH, + TLS_ST_CR_CERT_REQ, + TLS_ST_CR_SRVR_DONE, + TLS_ST_CR_SESSION_TICKET, + TLS_ST_CR_CHANGE, + TLS_ST_CR_FINISHED, + TLS_ST_CW_CLNT_HELLO, + TLS_ST_CW_CERT, + TLS_ST_CW_KEY_EXCH, + TLS_ST_CW_CERT_VRFY, + TLS_ST_CW_CHANGE, + TLS_ST_CW_NEXT_PROTO, + TLS_ST_CW_FINISHED, + TLS_ST_SW_HELLO_REQ, + TLS_ST_SR_CLNT_HELLO, + DTLS_ST_SW_HELLO_VERIFY_REQUEST, + TLS_ST_SW_SRVR_HELLO, + TLS_ST_SW_CERT, + TLS_ST_SW_KEY_EXCH, + TLS_ST_SW_CERT_REQ, + TLS_ST_SW_SRVR_DONE, + TLS_ST_SR_CERT, + TLS_ST_SR_KEY_EXCH, + TLS_ST_SR_CERT_VRFY, + TLS_ST_SR_NEXT_PROTO, + TLS_ST_SR_CHANGE, + TLS_ST_SR_FINISHED, + TLS_ST_SW_SESSION_TICKET, + TLS_ST_SW_CERT_STATUS, + TLS_ST_SW_CHANGE, + TLS_ST_SW_FINISHED +}; + +/* + * Valid return codes used for functions performing work prior to or after + * sending or receiving a message + */ +enum WORK_STATE { + /* Something went wrong */ + WORK_ERROR, + /* We're done working and there shouldn't be anything else to do after */ + WORK_FINISHED_STOP, + /* We're done working move onto the next thing */ + WORK_FINISHED_CONTINUE, + /* We're working on phase A */ + WORK_MORE_A, + /* We're working on phase B */ + WORK_MORE_B +}; + +/* Write transition return codes */ +enum WRITE_TRAN { + /* Something went wrong */ + WRITE_TRAN_ERROR, + /* A transition was successfully completed and we should continue */ + WRITE_TRAN_CONTINUE, + /* There is no more write work to be done */ + WRITE_TRAN_FINISHED +}; + +/* Message processing return codes */ +enum MSG_PROCESS_RETURN { + MSG_PROCESS_ERROR, + MSG_PROCESS_FINISHED_READING, + MSG_PROCESS_CONTINUE_PROCESSING, + MSG_PROCESS_CONTINUE_READING +}; + +/* Message flow states */ +enum MSG_FLOW_STATE { + /* No handshake in progress */ + MSG_FLOW_UNINITED, + /* A permanent error with this connection */ + MSG_FLOW_ERROR, + /* We are about to renegotiate */ + MSG_FLOW_RENEGOTIATE, + /* We are reading messages */ + MSG_FLOW_READING, + /* We are writing messages */ + MSG_FLOW_WRITING, + /* Handshake has finished */ + MSG_FLOW_FINISHED +}; + +/* Read states */ +enum READ_STATE { + READ_STATE_HEADER, + READ_STATE_BODY, + READ_STATE_POST_PROCESS +}; + +/* Write states */ +enum WRITE_STATE { + WRITE_STATE_TRANSITION, + WRITE_STATE_PRE_WORK, + WRITE_STATE_SEND, + WRITE_STATE_POST_WORK +}; + +struct statem_st { + enum MSG_FLOW_STATE state; + enum WRITE_STATE write_state; + enum WORK_STATE write_state_work; + enum READ_STATE read_state; + enum WORK_STATE read_state_work; + enum HANDSHAKE_STATE hand_state; + int read_state_first_init; + int use_timer; +}; +typedef struct statem_st STATEM; + + struct ssl_ctx_st { const SSL_METHOD *method; STACK_OF(SSL_CIPHER) *cipher_list; @@ -1012,6 +1143,8 @@ struct ssl_st { int shutdown; /* where we are */ int state; + STATEM statem; + BUF_MEM *init_buf; /* buffer used during init */ void *init_msg; /* pointer to handshake message body, set by * ssl3_get_message() */ @@ -1951,6 +2084,10 @@ __owur int ssl3_new(SSL *s); void ssl3_free(SSL *s); __owur int ssl3_accept(SSL *s); __owur int ssl3_connect(SSL *s); +void statem_clear(SSL *s); +void statem_set_renegotiate(SSL *s); +void statem_set_error(SSL *s); +__owur int statem_client_app_data_allowed(SSL *s); __owur int ssl3_read(SSL *s, void *buf, int len); __owur int ssl3_peek(SSL *s, void *buf, int len); __owur int ssl3_write(SSL *s, const void *buf, int len); diff --git a/ssl/statem.c b/ssl/statem.c new file mode 100644 index 0000000000..ef0799e407 --- /dev/null +++ b/ssl/statem.c @@ -0,0 +1,725 @@ +/* ssl/statem.c */ +/* + * Written by Matt Caswell for the OpenSSL project. + */ +/* ==================================================================== + * Copyright (c) 1998-2015 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#include +#include "ssl_locl.h" + +/* + * This file implements the SSL/TLS/DTLS state machines. + * + * There are two primary state machines: + * + * 1) Message flow state machine + * 2) Handshake state machine + * + * The Message flow state machine controls the reading and sending of messages + * including handling of non-blocking IO events, flushing of the underlying + * write BIO, handling unexpected messages, etc. It is itself broken into two + * separate sub-state machines which control reading and writing respectively. + * + * The Handshake state machine keeps track of the current SSL/TLS handshake + * state. Transitions of the handshake state are the result of events that + * occur within the Message flow state machine. + * + * Overall it looks like this: + * + * --------------------------------------------- ------------------- + * | | | | + * | Message flow state machine | | | + * | | | | + * | -------------------- -------------------- | Transition | Handshake state | + * | | MSG_FLOW_READING | | MSG_FLOW_WRITING | | Event | machine | + * | | sub-state | | sub-state | |----------->| | + * | | machine for | | machine for | | | | + * | | reading messages | | writing messages | | | | + * | -------------------- -------------------- | | | + * | | | | + * --------------------------------------------- ------------------- + * + */ + +/* Sub state machine return values */ +enum SUB_STATE_RETURN { + /* Something bad happened or NBIO */ + SUB_STATE_ERROR, + /* Sub state finished go to the next sub state */ + SUB_STATE_FINISHED, + /* Sub state finished and handshake was completed */ + SUB_STATE_END_HANDSHAKE +}; + +int state_machine(SSL *s, int server); +static void init_read_state_machine(SSL *s); +static enum SUB_STATE_RETURN read_state_machine(SSL *s); +static void init_write_state_machine(SSL *s); +static enum SUB_STATE_RETURN write_state_machine(SSL *s); + +/* + * Clear the state machine state and reset back to MSG_FLOW_UNINITED + */ +void statem_clear(SSL *s) +{ + s->statem.state = MSG_FLOW_UNINITED; +} + +/* + * Set the state machine up ready for a renegotiation handshake + */ +void statem_set_renegotiate(SSL *s) +{ + s->statem.state = MSG_FLOW_RENEGOTIATE; +} + +/* + * Put the state machine into an error state. This is a permanent error for + * the current connection. + */ +void statem_set_error(SSL *s) +{ + s->statem.state = MSG_FLOW_ERROR; + /* TODO: This is temporary - remove me */ + s->state = SSL_ST_ERR; +} + +/* + * The main message flow state machine. We start in the MSG_FLOW_UNINITED or + * MSG_FLOW_RENEGOTIATE state and finish in MSG_FLOW_FINISHED. Valid states and + * transitions are as follows: + * + * MSG_FLOW_UNINITED MSG_FLOW_RENEGOTIATE + * | | + * +-----------------------+ + * v + * MSG_FLOW_WRITING <---> MSG_FLOW_READING + * | + * V + * MSG_FLOW_FINISHED + * | + * V + * [SUCCESS] + * + * We may exit at any point due to an error or NBIO event. If an NBIO event + * occurs then we restart at the point we left off when we are recalled. + * MSG_FLOW_WRITING and MSG_FLOW_READING have sub-state machines associated with them. + * + * In addition to the above there is also the MSG_FLOW_ERROR state. We can move + * into that state at any point in the event that an irrecoverable error occurs. + * + * Valid return values are: + * 1: Success + * <=0: NBIO or error + */ +int state_machine(SSL *s, int server) { + BUF_MEM *buf = NULL; + unsigned long Time = (unsigned long)time(NULL); + void (*cb) (const SSL *ssl, int type, int val) = NULL; + STATEM *st = &s->statem; + int ret = -1; + int ssret; + + if (st->state == MSG_FLOW_ERROR) { + /* Shouldn't have been called if we're already in the error state */ + return -1; + } + + RAND_add(&Time, sizeof(Time), 0); + ERR_clear_error(); + clear_sys_error(); + + if (s->info_callback != NULL) + cb = s->info_callback; + else if (s->ctx->info_callback != NULL) + cb = s->ctx->info_callback; + + s->in_handshake++; + if (!SSL_in_init(s) || SSL_in_before(s)) { + if (!SSL_clear(s)) + return -1; + } + +#ifndef OPENSSL_NO_HEARTBEATS + /* + * If we're awaiting a HeartbeatResponse, pretend we already got and + * don't await it anymore, because Heartbeats don't make sense during + * handshakes anyway. + */ + if (s->tlsext_hb_pending) { + if (SSL_IS_DTLS(s)) + dtls1_stop_timer(s); + s->tlsext_hb_pending = 0; + s->tlsext_hb_seq++; + } +#endif + + /* Initialise state machine */ + + if (st->state == MSG_FLOW_RENEGOTIATE) { + s->renegotiate = 1; + if (!server) + s->ctx->stats.sess_connect_renegotiate++; + } + + if (st->state == MSG_FLOW_UNINITED || st->state == MSG_FLOW_RENEGOTIATE) { + /* TODO: Temporary - fix this */ + if (server) + s->state = SSL_ST_ACCEPT; + else + s->state = SSL_ST_CONNECT; + + if (st->state == MSG_FLOW_UNINITED) { + st->hand_state = TLS_ST_BEFORE; + } + + s->server = server; + if (cb != NULL) + cb(s, SSL_CB_HANDSHAKE_START, 1); + + if (SSL_IS_DTLS(s)) { + if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00) && + (server + || (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00))) { + SSLerr(SSL_F_STATE_MACHINE, ERR_R_INTERNAL_ERROR); + goto end; + } + } else { + if ((s->version >> 8) != SSL3_VERSION_MAJOR + && s->version != TLS_ANY_VERSION) { + SSLerr(SSL_F_STATE_MACHINE, ERR_R_INTERNAL_ERROR); + goto end; + } + } + + if (s->version != TLS_ANY_VERSION && + !ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) { + SSLerr(SSL_F_STATE_MACHINE, SSL_R_VERSION_TOO_LOW); + goto end; + } + + if (server) + s->type = SSL_ST_ACCEPT; + else + s->type = SSL_ST_CONNECT; + + if (s->init_buf == NULL) { + if ((buf = BUF_MEM_new()) == NULL) { + goto end; + } + if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) { + goto end; + } + s->init_buf = buf; + buf = NULL; + } + + if (!ssl3_setup_buffers(s)) { + goto end; + } + s->init_num = 0; + + /* + * Should have been reset by tls_process_finished, too. + */ + s->s3->change_cipher_spec = 0; + + if (!server || st->state != MSG_FLOW_RENEGOTIATE) { + /* + * Ok, we now need to push on a buffering BIO ...but not with + * SCTP + */ +#ifndef OPENSSL_NO_SCTP + if (!SSL_IS_DTLS(s) || !BIO_dgram_is_sctp(SSL_get_wbio(s))) +#endif + if (!ssl_init_wbio_buffer(s, server ? 1 : 0)) { + goto end; + } + + ssl3_init_finished_mac(s); + } + + if (server) { + if (st->state != MSG_FLOW_RENEGOTIATE) { + s->ctx->stats.sess_accept++; + } else if (!s->s3->send_connection_binding && + !(s->options & + SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { + /* + * Server attempting to renegotiate with client that doesn't + * support secure renegotiation. + */ + SSLerr(SSL_F_STATE_MACHINE, + SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); + statem_set_error(s); + goto end; + } else { + /* + * s->state == SSL_ST_RENEGOTIATE, we will just send a + * HelloRequest + */ + s->ctx->stats.sess_accept_renegotiate++; + } + } else { + s->ctx->stats.sess_connect++; + + /* mark client_random uninitialized */ + memset(s->s3->client_random, 0, sizeof(s->s3->client_random)); + s->hit = 0; + + s->s3->tmp.cert_request = 0; + + if (SSL_IS_DTLS(s)) { + st->use_timer = 1; + } + } + + st->state = MSG_FLOW_WRITING; + init_write_state_machine(s); + st->read_state_first_init = 1; + } + + while(st->state != MSG_FLOW_FINISHED) { + if(st->state == MSG_FLOW_READING) { + ssret = read_state_machine(s); + if (ssret == SUB_STATE_FINISHED) { + st->state = MSG_FLOW_WRITING; + init_write_state_machine(s); + } else { + /* NBIO or error */ + goto end; + } + } else if (st->state == MSG_FLOW_WRITING) { + ssret = write_state_machine(s); + if (ssret == SUB_STATE_FINISHED) { + st->state = MSG_FLOW_READING; + init_read_state_machine(s); + } else if (ssret == SUB_STATE_END_HANDSHAKE) { + st->state = MSG_FLOW_FINISHED; + } else { + /* NBIO or error */ + goto end; + } + } else { + /* Error */ + statem_set_error(s); + goto end; + } + } + + st->state = MSG_FLOW_UNINITED; + ret = 1; + + end: + s->in_handshake--; + BUF_MEM_free(buf); + if (cb != NULL) { + if (server) + cb(s, SSL_CB_ACCEPT_EXIT, ret); + else + cb(s, SSL_CB_CONNECT_EXIT, ret); + } + return ret; +} + +/* + * Initialise the MSG_FLOW_READING sub-state machine + */ +static void init_read_state_machine(SSL *s) +{ + STATEM *st = &s->statem; + + st->read_state = READ_STATE_HEADER; +} + +/* + * This function implements the sub-state machine when the message flow is in + * MSG_FLOW_READING. The valid sub-states and transitions are: + * + * READ_STATE_HEADER <--+<-------------+ + * | | | + * v | | + * READ_STATE_BODY -----+-->READ_STATE_POST_PROCESS + * | | + * +----------------------------+ + * v + * [SUB_STATE_FINISHED] + * + * READ_STATE_HEADER has the responsibility for reading in the message header + * and transitioning the state of the handshake state machine. + * + * READ_STATE_BODY reads in the rest of the message and then subsequently + * processes it. + * + * READ_STATE_POST_PROCESS is an optional step that may occur if some post + * processing activity performed on the message may block. + * + * Any of the above states could result in an NBIO event occuring in which case + * control returns to the calling application. When this function is recalled we + * will resume in the same state where we left off. + */ +static enum SUB_STATE_RETURN read_state_machine(SSL *s) { + STATEM *st = &s->statem; + int ret, mt; + unsigned long len; + int (*transition)(SSL *s, int mt); + enum MSG_PROCESS_RETURN (*process_message)(SSL *s, unsigned long n); + enum WORK_STATE (*post_process_message)(SSL *s, enum WORK_STATE wst); + unsigned long (*max_message_size)(SSL *s); + void (*cb) (const SSL *ssl, int type, int val) = NULL; + + if (s->info_callback != NULL) + cb = s->info_callback; + else if (s->ctx->info_callback != NULL) + cb = s->ctx->info_callback; + + if(s->server) { + /* TODO: Fill these in later when we've implemented them */ + transition = NULL; + process_message = NULL; + post_process_message = NULL; + max_message_size = NULL; + } else { + /* TODO: Fill these in later when we've implemented them */ + transition = NULL; + process_message = NULL; + post_process_message = NULL; + max_message_size = NULL; + } + + if (st->read_state_first_init) { + s->first_packet = 1; + st->read_state_first_init = 0; + } + + while(1) { + switch(st->read_state) { + case READ_STATE_HEADER: + s->init_num = 0; + /* Get the state the peer wants to move to */ + ret = tls_get_message_header(s, &mt); + + if (ret == 0) { + /* Could be non-blocking IO */ + return SUB_STATE_ERROR; + } + + if (cb != NULL) { + /* Notify callback of an impending state change */ + if (s->server) + cb(s, SSL_CB_ACCEPT_LOOP, 1); + else + cb(s, SSL_CB_CONNECT_LOOP, 1); + } + /* + * Validate that we are allowed to move to the new state and move + * to that state if so + */ + if(!transition(s, mt)) { + ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE); + SSLerr(SSL_F_READ_STATE_MACHINE, SSL_R_UNEXPECTED_MESSAGE); + return SUB_STATE_ERROR; + } + + if (s->s3->tmp.message_size > max_message_size(s)) { + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); + SSLerr(SSL_F_READ_STATE_MACHINE, SSL_R_EXCESSIVE_MESSAGE_SIZE); + return SUB_STATE_ERROR; + } + + st->read_state = READ_STATE_BODY; + /* Fall through */ + + case READ_STATE_BODY: + if (!SSL_IS_DTLS(s)) { + /* We already got this above for DTLS */ + ret = tls_get_message_body(s, &len); + if (ret == 0) { + /* Could be non-blocking IO */ + return SUB_STATE_ERROR; + } + } + + s->first_packet = 0; + ret = process_message(s, len); + if (ret == MSG_PROCESS_ERROR) { + return SUB_STATE_ERROR; + } + + if (ret == MSG_PROCESS_FINISHED_READING) { + if (SSL_IS_DTLS(s)) { + dtls1_stop_timer(s); + } + return SUB_STATE_FINISHED; + } + + if (ret == MSG_PROCESS_CONTINUE_PROCESSING) { + st->read_state = READ_STATE_POST_PROCESS; + st->read_state_work = WORK_MORE_A; + } else { + st->read_state = READ_STATE_HEADER; + } + break; + + case READ_STATE_POST_PROCESS: + st->read_state_work = post_process_message(s, st->read_state_work); + switch(st->read_state_work) { + default: + return SUB_STATE_ERROR; + + case WORK_FINISHED_CONTINUE: + st->read_state = READ_STATE_HEADER; + break; + + case WORK_FINISHED_STOP: + if (SSL_IS_DTLS(s)) { + dtls1_stop_timer(s); + } + return SUB_STATE_FINISHED; + } + break; + + default: + /* Shouldn't happen */ + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); + SSLerr(SSL_F_READ_STATE_MACHINE, ERR_R_INTERNAL_ERROR); + statem_set_error(s); + return SUB_STATE_ERROR; + } + } +} + +/* + * Send a previously constructed message to the peer. + */ +static int statem_do_write(SSL *s) +{ + STATEM *st = &s->statem; + + if (st->hand_state == TLS_ST_CW_CHANGE + || st->hand_state == TLS_ST_SW_CHANGE) { + if (SSL_IS_DTLS(s)) + return dtls1_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC); + else + return ssl3_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC); + } else { + return ssl_do_write(s); + } +} + +/* + * Initialise the MSG_FLOW_WRITING sub-state machine + */ +static void init_write_state_machine(SSL *s) +{ + STATEM *st = &s->statem; + + st->write_state = WRITE_STATE_TRANSITION; +} + +/* + * This function implements the sub-state machine when the message flow is in + * MSG_FLOW_WRITING. The valid sub-states and transitions are: + * + * +-> WRITE_STATE_TRANSITION ------> [SUB_STATE_FINISHED] + * | | + * | v + * | WRITE_STATE_PRE_WORK -----> [SUB_STATE_END_HANDSHAKE] + * | | + * | v + * | WRITE_STATE_SEND + * | | + * | v + * | WRITE_STATE_POST_WORK + * | | + * +-------------+ + * + * WRITE_STATE_TRANSITION transitions the state of the handshake state machine + + * WRITE_STATE_PRE_WORK performs any work necessary to prepare the later + * sending of the message. This could result in an NBIO event occuring in + * which case control returns to the calling application. When this function + * is recalled we will resume in the same state where we left off. + * + * WRITE_STATE_SEND sends the message and performs any work to be done after + * sending. + * + * WRITE_STATE_POST_WORK performs any work necessary after the sending of the + * message has been completed. As for WRITE_STATE_PRE_WORK this could also + * result in an NBIO event. + */ +static enum SUB_STATE_RETURN write_state_machine(SSL *s) +{ + STATEM *st = &s->statem; + int ret; + enum WRITE_TRAN (*transition)(SSL *s); + enum WORK_STATE (*pre_work)(SSL *s, enum WORK_STATE wst); + enum WORK_STATE (*post_work)(SSL *s, enum WORK_STATE wst); + int (*construct_message)(SSL *s); + void (*cb) (const SSL *ssl, int type, int val) = NULL; + + if (s->info_callback != NULL) + cb = s->info_callback; + else if (s->ctx->info_callback != NULL) + cb = s->ctx->info_callback; + + if(s->server) { + /* TODO: Fill these in later when we've implemented them */ + transition = NULL; + pre_work = NULL; + post_work = NULL; + construct_message = NULL; + } else { + /* TODO: Fill these in later when we've implemented them */ + transition = NULL; + pre_work = NULL; + post_work = NULL; + construct_message = NULL; + } + + while(1) { + switch(st->write_state) { + case WRITE_STATE_TRANSITION: + if (cb != NULL) { + /* Notify callback of an impending state change */ + if (s->server) + cb(s, SSL_CB_ACCEPT_LOOP, 1); + else + cb(s, SSL_CB_CONNECT_LOOP, 1); + } + switch(transition(s)) { + case WRITE_TRAN_CONTINUE: + st->write_state = WRITE_STATE_PRE_WORK; + st->write_state_work = WORK_MORE_A; + break; + + case WRITE_TRAN_FINISHED: + return SUB_STATE_FINISHED; + break; + + default: + return SUB_STATE_ERROR; + } + break; + + case WRITE_STATE_PRE_WORK: + switch(st->write_state_work = pre_work(s, st->write_state_work)) { + default: + return SUB_STATE_ERROR; + + case WORK_FINISHED_CONTINUE: + st->write_state = WRITE_STATE_SEND; + break; + + case WORK_FINISHED_STOP: + return SUB_STATE_END_HANDSHAKE; + } + if(construct_message(s) == 0) + return SUB_STATE_ERROR; + + /* Fall through */ + + case WRITE_STATE_SEND: + if (SSL_IS_DTLS(s) && st->use_timer) { + dtls1_start_timer(s); + } + ret = statem_do_write(s); + if (ret <= 0) { + return SUB_STATE_ERROR; + } + st->write_state = WRITE_STATE_POST_WORK; + st->write_state_work = WORK_MORE_A; + /* Fall through */ + + case WRITE_STATE_POST_WORK: + switch(st->write_state_work = post_work(s, st->write_state_work)) { + default: + return SUB_STATE_ERROR; + + case WORK_FINISHED_CONTINUE: + st->write_state = WRITE_STATE_TRANSITION; + break; + + case WORK_FINISHED_STOP: + return SUB_STATE_END_HANDSHAKE; + } + break; + + default: + return SUB_STATE_ERROR; + } + } +} + +/* + * Called by the record layer to determine whether application data is + * allowed to be sent in the current handshake state or not. + * + * Return values are: + * 1: Yes (application data allowed) + * 0: No (application data not allowed) + */ +int statem_client_app_data_allowed(SSL *s) +{ + STATEM *st = &s->statem; + + if(st->hand_state != TLS_ST_BEFORE && + st->hand_state != TLS_ST_OK && + st->hand_state != TLS_ST_CW_CLNT_HELLO) + return 0; + + return 1; +}