&& (sc->statem.state == MSG_FLOW_UNINITED);
}
+OSSL_HANDSHAKE_STATE ossl_statem_get_state(SSL_CONNECTION *s)
+{
+ return s != NULL ? s->statem.hand_state : TLS_ST_BEFORE;
+}
+
/*
* Clear the state machine state and reset back to MSG_FLOW_UNINITED
*/
{
s->statem.state = MSG_FLOW_UNINITED;
s->statem.hand_state = TLS_ST_BEFORE;
- s->statem.in_init = 1;
+ ossl_statem_set_in_init(s, 1);
s->statem.no_cert_verify = 0;
+ s->statem.ignore_fatal = 0;
}
/*
*/
void ossl_statem_set_renegotiate(SSL_CONNECTION *s)
{
- s->statem.in_init = 1;
+ ossl_statem_set_in_init(s, 1);
s->statem.request_state = TLS_ST_SW_HELLO_REQ;
}
void ossl_statem_send_fatal(SSL_CONNECTION *s, int al)
{
+ /*
+ * Some public APIs may call internal functions that fatal error,
+ * which doesn't make sense outside the state machine. Those APIs
+ * that can handle a failure set this flag to avoid errors sending
+ * alerts. Example: getting a wire-formatted certificate for
+ * compression.
+ */
+ if (s->statem.ignore_fatal)
+ return;
/* We shouldn't call SSLfatal() twice. Once is enough */
if (s->statem.in_init && s->statem.state == MSG_FLOW_ERROR)
return;
- s->statem.in_init = 1;
+ ossl_statem_set_in_init(s, 1);
s->statem.state = MSG_FLOW_ERROR;
- if (al != SSL_AD_NO_ALERT
- && s->statem.enc_write_state != ENC_WRITE_STATE_INVALID)
+ if (al != SSL_AD_NO_ALERT)
ssl3_send_alert(s, SSL3_AL_FATAL, al);
}
void ossl_statem_set_in_init(SSL_CONNECTION *s, int init)
{
s->statem.in_init = init;
+ if (s->rlayer.rrlmethod != NULL && s->rlayer.rrlmethod->set_in_init != NULL)
+ s->rlayer.rrlmethod->set_in_init(s->rlayer.rrl, init);
}
int ossl_statem_get_in_handshake(SSL_CONNECTION *s)
void ossl_statem_set_hello_verify_done(SSL_CONNECTION *s)
{
s->statem.state = MSG_FLOW_UNINITED;
- s->statem.in_init = 1;
+ ossl_statem_set_in_init(s, 1);
/*
* This will get reset (briefly) back to TLS_ST_BEFORE when we enter
* state_machine() because |state| is MSG_FLOW_UNINITED, but until then any
WORK_STATE(*pre_work) (SSL_CONNECTION *s, WORK_STATE wst);
WORK_STATE(*post_work) (SSL_CONNECTION *s, WORK_STATE wst);
int (*get_construct_message_f) (SSL_CONNECTION *s,
- int (**confunc) (SSL_CONNECTION *s,
- WPACKET *pkt),
+ CON_FUNC_RETURN (**confunc) (SSL_CONNECTION *s,
+ WPACKET *pkt),
int *mt);
void (*cb) (const SSL *ssl, int type, int val) = NULL;
- int (*confunc) (SSL_CONNECTION *s, WPACKET *pkt);
+ CON_FUNC_RETURN (*confunc) (SSL_CONNECTION *s, WPACKET *pkt);
int mt;
WPACKET pkt;
SSL *ssl = SSL_CONNECTION_GET_SSL(s);
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return SUB_STATE_ERROR;
}
- if (confunc != NULL && !confunc(s, &pkt)) {
- WPACKET_cleanup(&pkt);
- check_fatal(s);
- return SUB_STATE_ERROR;
+ if (confunc != NULL) {
+ CON_FUNC_RETURN tmpret;
+
+ tmpret = confunc(s, &pkt);
+ if (tmpret == CON_FUNC_ERROR) {
+ WPACKET_cleanup(&pkt);
+ check_fatal(s);
+ return SUB_STATE_ERROR;
+ } else if (tmpret == CON_FUNC_DONT_SEND) {
+ /*
+ * The construction function decided not to construct the
+ * message after all and continue. Skip sending.
+ */
+ WPACKET_cleanup(&pkt);
+ st->write_state = WRITE_STATE_POST_WORK;
+ st->write_state_work = WORK_MORE_A;
+ break;
+ } /* else success */
}
if (!ssl_close_construct_packet(s, &pkt, mt)
|| !WPACKET_finish(&pkt)) {