3 * Written by Matt Caswell for the OpenSSL project.
5 /* ====================================================================
6 * Copyright (c) 1998-2015 The OpenSSL Project. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * openssl-core@openssl.org.
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
34 * 6. Redistributions of any form whatsoever must retain the following
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
59 #include <openssl/rand.h>
63 * This file implements the SSL/TLS/DTLS state machines.
65 * There are two primary state machines:
67 * 1) Message flow state machine
68 * 2) Handshake state machine
70 * The Message flow state machine controls the reading and sending of messages
71 * including handling of non-blocking IO events, flushing of the underlying
72 * write BIO, handling unexpected messages, etc. It is itself broken into two
73 * separate sub-state machines which control reading and writing respectively.
75 * The Handshake state machine keeps track of the current SSL/TLS handshake
76 * state. Transitions of the handshake state are the result of events that
77 * occur within the Message flow state machine.
79 * Overall it looks like this:
81 * --------------------------------------------- -------------------
83 * | Message flow state machine | | |
85 * | -------------------- -------------------- | Transition | Handshake state |
86 * | | MSG_FLOW_READING | | MSG_FLOW_WRITING | | Event | machine |
87 * | | sub-state | | sub-state | |----------->| |
88 * | | machine for | | machine for | | | |
89 * | | reading messages | | writing messages | | | |
90 * | -------------------- -------------------- | | |
92 * --------------------------------------------- -------------------
96 /* Sub state machine return values */
97 enum SUB_STATE_RETURN {
98 /* Something bad happened or NBIO */
100 /* Sub state finished go to the next sub state */
102 /* Sub state finished and handshake was completed */
103 SUB_STATE_END_HANDSHAKE
106 static int state_machine(SSL *s, int server);
107 static void init_read_state_machine(SSL *s);
108 static enum SUB_STATE_RETURN read_state_machine(SSL *s);
109 static void init_write_state_machine(SSL *s);
110 static enum SUB_STATE_RETURN write_state_machine(SSL *s);
111 static inline int cert_req_allowed(SSL *s);
112 static inline int key_exchange_skip_allowed(SSL *s);
113 static int client_read_transition(SSL *s, int mt);
114 static enum WRITE_TRAN client_write_transition(SSL *s);
115 static enum WORK_STATE client_pre_work(SSL *s, enum WORK_STATE wst);
116 static enum WORK_STATE client_post_work(SSL *s, enum WORK_STATE wst);
117 static int client_construct_message(SSL *s);
118 static unsigned long client_max_message_size(SSL *s);
119 static enum MSG_PROCESS_RETURN client_process_message(SSL *s,
121 static enum WORK_STATE client_post_process_message(SSL *s, enum WORK_STATE wst);
124 * Clear the state machine state and reset back to MSG_FLOW_UNINITED
126 void statem_clear(SSL *s)
128 s->statem.state = MSG_FLOW_UNINITED;
132 * Set the state machine up ready for a renegotiation handshake
134 void statem_set_renegotiate(SSL *s)
136 s->statem.state = MSG_FLOW_RENEGOTIATE;
140 * Put the state machine into an error state. This is a permanent error for
141 * the current connection.
143 void statem_set_error(SSL *s)
145 s->statem.state = MSG_FLOW_ERROR;
146 /* TODO: This is temporary - remove me */
147 s->state = SSL_ST_ERR;
150 int ssl3_connect(SSL *s) {
151 return state_machine(s, 0);
155 * The main message flow state machine. We start in the MSG_FLOW_UNINITED or
156 * MSG_FLOW_RENEGOTIATE state and finish in MSG_FLOW_FINISHED. Valid states and
157 * transitions are as follows:
159 * MSG_FLOW_UNINITED MSG_FLOW_RENEGOTIATE
161 * +-----------------------+
163 * MSG_FLOW_WRITING <---> MSG_FLOW_READING
171 * We may exit at any point due to an error or NBIO event. If an NBIO event
172 * occurs then we restart at the point we left off when we are recalled.
173 * MSG_FLOW_WRITING and MSG_FLOW_READING have sub-state machines associated with them.
175 * In addition to the above there is also the MSG_FLOW_ERROR state. We can move
176 * into that state at any point in the event that an irrecoverable error occurs.
178 * Valid return values are:
182 static int state_machine(SSL *s, int server) {
184 unsigned long Time = (unsigned long)time(NULL);
185 void (*cb) (const SSL *ssl, int type, int val) = NULL;
186 STATEM *st = &s->statem;
190 if (st->state == MSG_FLOW_ERROR) {
191 /* Shouldn't have been called if we're already in the error state */
195 RAND_add(&Time, sizeof(Time), 0);
199 if (s->info_callback != NULL)
200 cb = s->info_callback;
201 else if (s->ctx->info_callback != NULL)
202 cb = s->ctx->info_callback;
205 if (!SSL_in_init(s) || SSL_in_before(s)) {
210 #ifndef OPENSSL_NO_HEARTBEATS
212 * If we're awaiting a HeartbeatResponse, pretend we already got and
213 * don't await it anymore, because Heartbeats don't make sense during
216 if (s->tlsext_hb_pending) {
219 s->tlsext_hb_pending = 0;
224 /* Initialise state machine */
226 if (st->state == MSG_FLOW_RENEGOTIATE) {
229 s->ctx->stats.sess_connect_renegotiate++;
232 if (st->state == MSG_FLOW_UNINITED || st->state == MSG_FLOW_RENEGOTIATE) {
233 /* TODO: Temporary - fix this */
235 s->state = SSL_ST_ACCEPT;
237 s->state = SSL_ST_CONNECT;
239 if (st->state == MSG_FLOW_UNINITED) {
240 st->hand_state = TLS_ST_BEFORE;
245 cb(s, SSL_CB_HANDSHAKE_START, 1);
247 if (SSL_IS_DTLS(s)) {
248 if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00) &&
250 || (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00))) {
251 SSLerr(SSL_F_STATE_MACHINE, ERR_R_INTERNAL_ERROR);
255 if ((s->version >> 8) != SSL3_VERSION_MAJOR
256 && s->version != TLS_ANY_VERSION) {
257 SSLerr(SSL_F_STATE_MACHINE, ERR_R_INTERNAL_ERROR);
262 if (s->version != TLS_ANY_VERSION &&
263 !ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) {
264 SSLerr(SSL_F_STATE_MACHINE, SSL_R_VERSION_TOO_LOW);
269 s->type = SSL_ST_ACCEPT;
271 s->type = SSL_ST_CONNECT;
273 if (s->init_buf == NULL) {
274 if ((buf = BUF_MEM_new()) == NULL) {
277 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
284 if (!ssl3_setup_buffers(s)) {
290 * Should have been reset by tls_process_finished, too.
292 s->s3->change_cipher_spec = 0;
294 if (!server || st->state != MSG_FLOW_RENEGOTIATE) {
296 * Ok, we now need to push on a buffering BIO ...but not with
299 #ifndef OPENSSL_NO_SCTP
300 if (!SSL_IS_DTLS(s) || !BIO_dgram_is_sctp(SSL_get_wbio(s)))
302 if (!ssl_init_wbio_buffer(s, server ? 1 : 0)) {
306 ssl3_init_finished_mac(s);
310 if (st->state != MSG_FLOW_RENEGOTIATE) {
311 s->ctx->stats.sess_accept++;
312 } else if (!s->s3->send_connection_binding &&
314 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
316 * Server attempting to renegotiate with client that doesn't
317 * support secure renegotiation.
319 SSLerr(SSL_F_STATE_MACHINE,
320 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
321 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
326 * s->state == SSL_ST_RENEGOTIATE, we will just send a
329 s->ctx->stats.sess_accept_renegotiate++;
332 s->ctx->stats.sess_connect++;
334 /* mark client_random uninitialized */
335 memset(s->s3->client_random, 0, sizeof(s->s3->client_random));
338 s->s3->tmp.cert_request = 0;
340 if (SSL_IS_DTLS(s)) {
345 st->state = MSG_FLOW_WRITING;
346 init_write_state_machine(s);
347 st->read_state_first_init = 1;
350 while(st->state != MSG_FLOW_FINISHED) {
351 if(st->state == MSG_FLOW_READING) {
352 ssret = read_state_machine(s);
353 if (ssret == SUB_STATE_FINISHED) {
354 st->state = MSG_FLOW_WRITING;
355 init_write_state_machine(s);
360 } else if (st->state == MSG_FLOW_WRITING) {
361 ssret = write_state_machine(s);
362 if (ssret == SUB_STATE_FINISHED) {
363 st->state = MSG_FLOW_READING;
364 init_read_state_machine(s);
365 } else if (ssret == SUB_STATE_END_HANDSHAKE) {
366 st->state = MSG_FLOW_FINISHED;
378 st->state = MSG_FLOW_UNINITED;
386 cb(s, SSL_CB_ACCEPT_EXIT, ret);
388 cb(s, SSL_CB_CONNECT_EXIT, ret);
394 * Initialise the MSG_FLOW_READING sub-state machine
396 static void init_read_state_machine(SSL *s)
398 STATEM *st = &s->statem;
400 st->read_state = READ_STATE_HEADER;
404 * This function implements the sub-state machine when the message flow is in
405 * MSG_FLOW_READING. The valid sub-states and transitions are:
407 * READ_STATE_HEADER <--+<-------------+
410 * READ_STATE_BODY -----+-->READ_STATE_POST_PROCESS
412 * +----------------------------+
414 * [SUB_STATE_FINISHED]
416 * READ_STATE_HEADER has the responsibility for reading in the message header
417 * and transitioning the state of the handshake state machine.
419 * READ_STATE_BODY reads in the rest of the message and then subsequently
422 * READ_STATE_POST_PROCESS is an optional step that may occur if some post
423 * processing activity performed on the message may block.
425 * Any of the above states could result in an NBIO event occuring in which case
426 * control returns to the calling application. When this function is recalled we
427 * will resume in the same state where we left off.
429 static enum SUB_STATE_RETURN read_state_machine(SSL *s) {
430 STATEM *st = &s->statem;
433 int (*transition)(SSL *s, int mt);
434 enum MSG_PROCESS_RETURN (*process_message)(SSL *s, unsigned long n);
435 enum WORK_STATE (*post_process_message)(SSL *s, enum WORK_STATE wst);
436 unsigned long (*max_message_size)(SSL *s);
437 void (*cb) (const SSL *ssl, int type, int val) = NULL;
439 if (s->info_callback != NULL)
440 cb = s->info_callback;
441 else if (s->ctx->info_callback != NULL)
442 cb = s->ctx->info_callback;
445 /* TODO: Fill these in later when we've implemented them */
447 process_message = NULL;
448 post_process_message = NULL;
449 max_message_size = NULL;
451 transition = client_read_transition;
452 process_message = client_process_message;
453 max_message_size = client_max_message_size;
454 post_process_message = client_post_process_message;
457 if (st->read_state_first_init) {
459 st->read_state_first_init = 0;
463 switch(st->read_state) {
464 case READ_STATE_HEADER:
466 /* Get the state the peer wants to move to */
467 if (SSL_IS_DTLS(s)) {
469 * In DTLS we get the whole message in one go - header and body
471 ret = dtls_get_message(s, &mt, &len);
473 ret = tls_get_message_header(s, &mt);
477 /* Could be non-blocking IO */
478 return SUB_STATE_ERROR;
482 /* Notify callback of an impending state change */
484 cb(s, SSL_CB_ACCEPT_LOOP, 1);
486 cb(s, SSL_CB_CONNECT_LOOP, 1);
489 * Validate that we are allowed to move to the new state and move
490 * to that state if so
492 if(!transition(s, mt)) {
493 ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE);
494 SSLerr(SSL_F_READ_STATE_MACHINE, SSL_R_UNEXPECTED_MESSAGE);
495 return SUB_STATE_ERROR;
498 if (s->s3->tmp.message_size > max_message_size(s)) {
499 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
500 SSLerr(SSL_F_READ_STATE_MACHINE, SSL_R_EXCESSIVE_MESSAGE_SIZE);
501 return SUB_STATE_ERROR;
504 st->read_state = READ_STATE_BODY;
507 case READ_STATE_BODY:
508 if (!SSL_IS_DTLS(s)) {
509 /* We already got this above for DTLS */
510 ret = tls_get_message_body(s, &len);
512 /* Could be non-blocking IO */
513 return SUB_STATE_ERROR;
518 ret = process_message(s, len);
519 if (ret == MSG_PROCESS_ERROR) {
520 return SUB_STATE_ERROR;
523 if (ret == MSG_PROCESS_FINISHED_READING) {
524 if (SSL_IS_DTLS(s)) {
527 return SUB_STATE_FINISHED;
530 if (ret == MSG_PROCESS_CONTINUE_PROCESSING) {
531 st->read_state = READ_STATE_POST_PROCESS;
532 st->read_state_work = WORK_MORE_A;
534 st->read_state = READ_STATE_HEADER;
538 case READ_STATE_POST_PROCESS:
539 st->read_state_work = post_process_message(s, st->read_state_work);
540 switch(st->read_state_work) {
542 return SUB_STATE_ERROR;
544 case WORK_FINISHED_CONTINUE:
545 st->read_state = READ_STATE_HEADER;
548 case WORK_FINISHED_STOP:
549 if (SSL_IS_DTLS(s)) {
552 return SUB_STATE_FINISHED;
557 /* Shouldn't happen */
558 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
559 SSLerr(SSL_F_READ_STATE_MACHINE, ERR_R_INTERNAL_ERROR);
561 return SUB_STATE_ERROR;
567 * Send a previously constructed message to the peer.
569 static int statem_do_write(SSL *s)
571 STATEM *st = &s->statem;
573 if (st->hand_state == TLS_ST_CW_CHANGE
574 || st->hand_state == TLS_ST_SW_CHANGE) {
576 return dtls1_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);
578 return ssl3_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);
580 return ssl_do_write(s);
585 * Initialise the MSG_FLOW_WRITING sub-state machine
587 static void init_write_state_machine(SSL *s)
589 STATEM *st = &s->statem;
591 st->write_state = WRITE_STATE_TRANSITION;
595 * This function implements the sub-state machine when the message flow is in
596 * MSG_FLOW_WRITING. The valid sub-states and transitions are:
598 * +-> WRITE_STATE_TRANSITION ------> [SUB_STATE_FINISHED]
601 * | WRITE_STATE_PRE_WORK -----> [SUB_STATE_END_HANDSHAKE]
607 * | WRITE_STATE_POST_WORK
611 * WRITE_STATE_TRANSITION transitions the state of the handshake state machine
613 * WRITE_STATE_PRE_WORK performs any work necessary to prepare the later
614 * sending of the message. This could result in an NBIO event occuring in
615 * which case control returns to the calling application. When this function
616 * is recalled we will resume in the same state where we left off.
618 * WRITE_STATE_SEND sends the message and performs any work to be done after
621 * WRITE_STATE_POST_WORK performs any work necessary after the sending of the
622 * message has been completed. As for WRITE_STATE_PRE_WORK this could also
623 * result in an NBIO event.
625 static enum SUB_STATE_RETURN write_state_machine(SSL *s)
627 STATEM *st = &s->statem;
629 enum WRITE_TRAN (*transition)(SSL *s);
630 enum WORK_STATE (*pre_work)(SSL *s, enum WORK_STATE wst);
631 enum WORK_STATE (*post_work)(SSL *s, enum WORK_STATE wst);
632 int (*construct_message)(SSL *s);
633 void (*cb) (const SSL *ssl, int type, int val) = NULL;
635 if (s->info_callback != NULL)
636 cb = s->info_callback;
637 else if (s->ctx->info_callback != NULL)
638 cb = s->ctx->info_callback;
641 /* TODO: Fill these in later when we've implemented them */
645 construct_message = NULL;
647 transition = client_write_transition;
648 pre_work = client_pre_work;
649 post_work = client_post_work;
650 construct_message = client_construct_message;
654 switch(st->write_state) {
655 case WRITE_STATE_TRANSITION:
657 /* Notify callback of an impending state change */
659 cb(s, SSL_CB_ACCEPT_LOOP, 1);
661 cb(s, SSL_CB_CONNECT_LOOP, 1);
663 switch(transition(s)) {
664 case WRITE_TRAN_CONTINUE:
665 st->write_state = WRITE_STATE_PRE_WORK;
666 st->write_state_work = WORK_MORE_A;
669 case WRITE_TRAN_FINISHED:
670 return SUB_STATE_FINISHED;
674 return SUB_STATE_ERROR;
678 case WRITE_STATE_PRE_WORK:
679 switch(st->write_state_work = pre_work(s, st->write_state_work)) {
681 return SUB_STATE_ERROR;
683 case WORK_FINISHED_CONTINUE:
684 st->write_state = WRITE_STATE_SEND;
687 case WORK_FINISHED_STOP:
688 return SUB_STATE_END_HANDSHAKE;
690 if(construct_message(s) == 0)
691 return SUB_STATE_ERROR;
695 case WRITE_STATE_SEND:
696 if (SSL_IS_DTLS(s) && st->use_timer) {
697 dtls1_start_timer(s);
699 ret = statem_do_write(s);
701 return SUB_STATE_ERROR;
703 st->write_state = WRITE_STATE_POST_WORK;
704 st->write_state_work = WORK_MORE_A;
707 case WRITE_STATE_POST_WORK:
708 switch(st->write_state_work = post_work(s, st->write_state_work)) {
710 return SUB_STATE_ERROR;
712 case WORK_FINISHED_CONTINUE:
713 st->write_state = WRITE_STATE_TRANSITION;
716 case WORK_FINISHED_STOP:
717 return SUB_STATE_END_HANDSHAKE;
722 return SUB_STATE_ERROR;
728 * Flush the write BIO
730 static int statem_flush(SSL *s)
732 s->rwstate = SSL_WRITING;
733 if (BIO_flush(s->wbio) <= 0) {
736 s->rwstate = SSL_NOTHING;
742 * Called by the record layer to determine whether application data is
743 * allowed to be sent in the current handshake state or not.
746 * 1: Yes (application data allowed)
747 * 0: No (application data not allowed)
749 int statem_app_data_allowed(SSL *s)
751 STATEM *st = &s->statem;
753 if (!s->s3->in_read_app_data || (s->s3->total_renegotiations == 0))
757 if (st->state == MSG_FLOW_UNINITED || st->state == MSG_FLOW_RENEGOTIATE)
760 if(st->hand_state == TLS_ST_CW_CLNT_HELLO)
767 * This is the old check for code still using the old state machine. This
768 * will be removed by later commits
770 if (((s->state & SSL_ST_CONNECT) && SSL_IS_DTLS(s) &&
771 (s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
772 (s->state <= SSL3_ST_CR_SRVR_HELLO_A)) ||
773 ((s->state & SSL_ST_ACCEPT) &&
774 (s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
775 (s->state >= SSL3_ST_SR_CLNT_HELLO_A))
783 #ifndef OPENSSL_NO_SCTP
785 * Set flag used by SCTP to determine whether we are in the read sock state
787 void statem_set_sctp_read_sock(SSL *s, int read_sock)
789 s->statem.in_sctp_read_sock = read_sock;
793 * Called by the record layer to determine whether we are in the read sock
797 * 1: Yes (we are in the read sock state)
798 * 0: No (we are not in the read sock state)
800 int statem_in_sctp_read_sock(SSL *s)
802 return s->statem.in_sctp_read_sock;
807 * Is a CertificateRequest message allowed at the moment or not?
813 static inline int cert_req_allowed(SSL *s)
815 /* TLS does not like anon-DH with client cert */
816 if (s->version > SSL3_VERSION
817 && (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL))
824 * Are we allowed to skip the ServerKeyExchange message?
830 static inline int key_exchange_skip_allowed(SSL *s)
832 long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
835 * Can't skip server key exchange if this is an ephemeral
838 if (alg_k & (SSL_kDHE | SSL_kECDHE)) {
846 * client_read_transition() encapsulates the logic for the allowed handshake
847 * state transitions when the client is reading messages from the server. The
848 * message type that the server has sent is provided in |mt|. The current state
849 * is in |s->statem.hand_state|.
852 * 1: Success (transition allowed)
853 * 0: Error (transition not allowed)
855 static int client_read_transition(SSL *s, int mt)
857 STATEM *st = &s->statem;
859 switch(st->hand_state) {
860 case TLS_ST_CW_CLNT_HELLO:
861 if (mt == SSL3_MT_SERVER_HELLO) {
862 st->hand_state = TLS_ST_CR_SRVR_HELLO;
866 if (SSL_IS_DTLS(s)) {
867 if (mt == DTLS1_MT_HELLO_VERIFY_REQUEST) {
868 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
874 case TLS_ST_CR_SRVR_HELLO:
876 if (s->tlsext_ticket_expected) {
877 if (mt == SSL3_MT_NEWSESSION_TICKET) {
878 st->hand_state = TLS_ST_CR_SESSION_TICKET;
881 } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
882 st->hand_state = TLS_ST_CR_CHANGE;
886 if (!(s->s3->tmp.new_cipher->algorithm_auth
887 & (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
888 if (mt == SSL3_MT_CERTIFICATE) {
889 st->hand_state = TLS_ST_CR_CERT;
893 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
894 st->hand_state = TLS_ST_CR_KEY_EXCH;
896 } else if (key_exchange_skip_allowed(s)) {
897 if (mt == SSL3_MT_CERTIFICATE_REQUEST
898 && cert_req_allowed(s)) {
899 st->hand_state = TLS_ST_CR_CERT_REQ;
901 } else if (mt == SSL3_MT_SERVER_DONE) {
902 st->hand_state = TLS_ST_CR_SRVR_DONE;
911 if (s->tlsext_status_expected) {
912 if (mt == SSL3_MT_CERTIFICATE_STATUS) {
913 st->hand_state = TLS_ST_CR_CERT_STATUS;
917 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
918 st->hand_state = TLS_ST_CR_KEY_EXCH;
920 } else if (key_exchange_skip_allowed(s)) {
921 if (mt == SSL3_MT_CERTIFICATE_REQUEST && cert_req_allowed(s)) {
922 st->hand_state = TLS_ST_CR_CERT_REQ;
924 } else if (mt == SSL3_MT_SERVER_DONE) {
925 st->hand_state = TLS_ST_CR_SRVR_DONE;
932 case TLS_ST_CR_CERT_STATUS:
933 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
934 st->hand_state = TLS_ST_CR_KEY_EXCH;
936 } else if (key_exchange_skip_allowed(s)) {
937 if (mt == SSL3_MT_CERTIFICATE_REQUEST && cert_req_allowed(s)) {
938 st->hand_state = TLS_ST_CR_CERT_REQ;
940 } else if (mt == SSL3_MT_SERVER_DONE) {
941 st->hand_state = TLS_ST_CR_SRVR_DONE;
947 case TLS_ST_CR_KEY_EXCH:
948 if (mt == SSL3_MT_CERTIFICATE_REQUEST && cert_req_allowed(s)) {
949 st->hand_state = TLS_ST_CR_CERT_REQ;
951 } else if (mt == SSL3_MT_SERVER_DONE) {
952 st->hand_state = TLS_ST_CR_SRVR_DONE;
957 case TLS_ST_CR_CERT_REQ:
958 if (mt == SSL3_MT_SERVER_DONE) {
959 st->hand_state = TLS_ST_CR_SRVR_DONE;
964 case TLS_ST_CW_FINISHED:
965 if (mt == SSL3_MT_NEWSESSION_TICKET && s->tlsext_ticket_expected) {
966 st->hand_state = TLS_ST_CR_SESSION_TICKET;
968 } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
969 st->hand_state = TLS_ST_CR_CHANGE;
974 case TLS_ST_CR_SESSION_TICKET:
975 if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
976 st->hand_state = TLS_ST_CR_CHANGE;
981 case TLS_ST_CR_CHANGE:
982 if (mt == SSL3_MT_FINISHED) {
983 st->hand_state = TLS_ST_CR_FINISHED;
992 /* No valid transition found */
997 * client_write_transition() works out what handshake state to move to next
998 * when the client is writing messages to be sent to the server.
1000 static enum WRITE_TRAN client_write_transition(SSL *s)
1002 STATEM *st = &s->statem;
1004 switch(st->hand_state) {
1006 /* Renegotiation - fall through */
1008 st->hand_state = TLS_ST_CW_CLNT_HELLO;
1009 return WRITE_TRAN_CONTINUE;
1011 case TLS_ST_CW_CLNT_HELLO:
1013 * No transition at the end of writing because we don't know what
1016 return WRITE_TRAN_FINISHED;
1018 case TLS_ST_CR_SRVR_DONE:
1019 if (s->s3->tmp.cert_req)
1020 st->hand_state = TLS_ST_CW_CERT;
1022 st->hand_state = TLS_ST_CW_KEY_EXCH;
1023 return WRITE_TRAN_CONTINUE;
1025 case TLS_ST_CW_CERT:
1026 st->hand_state = TLS_ST_CW_KEY_EXCH;
1027 return WRITE_TRAN_CONTINUE;
1029 case TLS_ST_CW_KEY_EXCH:
1031 * For TLS, cert_req is set to 2, so a cert chain of nothing is
1032 * sent, but no verify packet is sent
1035 * XXX: For now, we do not support client authentication in ECDH
1036 * cipher suites with ECDH (rather than ECDSA) certificates. We
1037 * need to skip the certificate verify message when client's
1038 * ECDH public key is sent inside the client certificate.
1040 if (s->s3->tmp.cert_req == 1) {
1041 st->hand_state = TLS_ST_CW_CERT_VRFY;
1043 st->hand_state = TLS_ST_CW_CHANGE;
1045 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
1046 st->hand_state = TLS_ST_CW_CHANGE;
1048 return WRITE_TRAN_CONTINUE;
1050 case TLS_ST_CW_CERT_VRFY:
1051 st->hand_state = TLS_ST_CW_CHANGE;
1052 return WRITE_TRAN_CONTINUE;
1054 case TLS_ST_CW_CHANGE:
1055 #if defined(OPENSSL_NO_NEXTPROTONEG)
1056 st->hand_state = TLS_ST_CW_FINISHED;
1058 if (s->s3->next_proto_neg_seen)
1059 st->hand_state = TLS_ST_CW_NEXT_PROTO;
1061 st->hand_state = TLS_ST_CW_FINISHED;
1063 return WRITE_TRAN_CONTINUE;
1065 #if !defined(OPENSSL_NO_NEXTPROTONEG)
1066 case TLS_ST_CW_NEXT_PROTO:
1067 st->hand_state = TLS_ST_CW_FINISHED;
1068 return WRITE_TRAN_CONTINUE;
1071 case TLS_ST_CW_FINISHED:
1073 st->hand_state = TLS_ST_OK;
1074 /* TODO: This needs removing */
1075 s->state = SSL_ST_OK;
1076 return WRITE_TRAN_CONTINUE;
1078 return WRITE_TRAN_FINISHED;
1081 case TLS_ST_CR_FINISHED:
1083 st->hand_state = TLS_ST_CW_CHANGE;
1084 return WRITE_TRAN_CONTINUE;
1086 st->hand_state = TLS_ST_OK;
1087 /* TODO: This needs removing */
1088 s->state = SSL_ST_OK;
1089 return WRITE_TRAN_CONTINUE;
1093 /* Shouldn't happen */
1094 return WRITE_TRAN_ERROR;
1099 * Perform any pre work that needs to be done prior to sending a message from
1100 * the client to the server.
1102 static enum WORK_STATE client_pre_work(SSL *s, enum WORK_STATE wst)
1104 STATEM *st = &s->statem;
1106 switch(st->hand_state) {
1107 case TLS_ST_CW_CLNT_HELLO:
1111 case TLS_ST_CW_CERT:
1112 return tls_prepare_client_certificate(s, wst);
1115 return tls_finish_handshake(s, wst);
1118 /* No pre work to be done */
1122 return WORK_FINISHED_CONTINUE;
1126 * Perform any work that needs to be done after sending a message from the
1127 * client to the server.
1129 static enum WORK_STATE client_post_work(SSL *s, enum WORK_STATE wst)
1131 STATEM *st = &s->statem;
1135 switch(st->hand_state) {
1136 case TLS_ST_CW_CLNT_HELLO:
1137 /* turn on buffering for the next lot of output */
1138 if (s->bbio != s->wbio)
1139 s->wbio = BIO_push(s->bbio, s->wbio);
1142 case TLS_ST_CW_KEY_EXCH:
1143 if (tls_client_key_exchange_post_work(s) == 0)
1147 case TLS_ST_CW_CHANGE:
1148 s->session->cipher = s->s3->tmp.new_cipher;
1149 #ifdef OPENSSL_NO_COMP
1150 s->session->compress_meth = 0;
1152 if (s->s3->tmp.new_compression == NULL)
1153 s->session->compress_meth = 0;
1155 s->session->compress_meth = s->s3->tmp.new_compression->id;
1157 if (!s->method->ssl3_enc->setup_key_block(s))
1160 if (!s->method->ssl3_enc->change_cipher_state(s,
1161 SSL3_CHANGE_CIPHER_CLIENT_WRITE))
1164 if (SSL_IS_DTLS(s)) {
1165 #ifndef OPENSSL_NO_SCTP
1168 * Change to new shared key of SCTP-Auth, will be ignored if
1171 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
1176 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
1180 case TLS_ST_CW_FINISHED:
1181 #ifndef OPENSSL_NO_SCTP
1182 if (SSL_IS_DTLS(s) && s->hit == 0) {
1184 * Change to new shared key of SCTP-Auth, will be ignored if
1187 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
1191 if (statem_flush(s) != 1)
1194 if (s->hit && tls_finish_handshake(s, WORK_MORE_A) != 1)
1199 /* No post work to be done */
1203 return WORK_FINISHED_CONTINUE;
1207 * Construct a message to be sent from the client to the server.
1209 * Valid return values are:
1213 static int client_construct_message(SSL *s)
1215 STATEM *st = &s->statem;
1217 switch(st->hand_state) {
1218 case TLS_ST_CW_CLNT_HELLO:
1219 return tls_construct_client_hello(s);
1221 case TLS_ST_CW_CERT:
1222 return tls_construct_client_certificate(s);
1224 case TLS_ST_CW_KEY_EXCH:
1225 return tls_construct_client_key_exchange(s);
1227 case TLS_ST_CW_CERT_VRFY:
1228 return tls_construct_client_verify(s);
1230 case TLS_ST_CW_CHANGE:
1231 return tls_construct_change_cipher_spec(s);
1233 #if !defined(OPENSSL_NO_NEXTPROTONEG)
1234 case TLS_ST_CW_NEXT_PROTO:
1235 return tls_construct_next_proto(s);
1237 case TLS_ST_CW_FINISHED:
1238 return tls_construct_finished(s,
1240 ssl3_enc->client_finished_label,
1242 ssl3_enc->client_finished_label_len);
1245 /* Shouldn't happen */
1252 /* The spec allows for a longer length than this, but we limit it */
1253 #define SERVER_HELLO_MAX_LENGTH 20000
1254 #define SERVER_KEY_EXCH_MAX_LENGTH 102400
1255 #define SERVER_HELLO_DONE_MAX_LENGTH 0
1256 #define CCS_MAX_LENGTH 1
1257 /* Max should actually be 36 but we are generous */
1258 #define FINISHED_MAX_LENGTH 64
1261 * Returns the maximum allowed length for the current message that we are
1262 * reading. Excludes the message header.
1264 static unsigned long client_max_message_size(SSL *s)
1266 STATEM *st = &s->statem;
1268 switch(st->hand_state) {
1269 case TLS_ST_CR_SRVR_HELLO:
1270 return SERVER_HELLO_MAX_LENGTH;
1272 case TLS_ST_CR_CERT:
1273 return s->max_cert_list;
1275 case TLS_ST_CR_CERT_STATUS:
1276 return SSL3_RT_MAX_PLAIN_LENGTH;
1278 case TLS_ST_CR_KEY_EXCH:
1279 return SERVER_KEY_EXCH_MAX_LENGTH;
1281 case TLS_ST_CR_CERT_REQ:
1282 return SSL3_RT_MAX_PLAIN_LENGTH;
1284 case TLS_ST_CR_SRVR_DONE:
1285 return SERVER_HELLO_DONE_MAX_LENGTH;
1287 case TLS_ST_CR_CHANGE:
1288 return CCS_MAX_LENGTH;
1290 case TLS_ST_CR_SESSION_TICKET:
1291 return SSL3_RT_MAX_PLAIN_LENGTH;
1293 case TLS_ST_CR_FINISHED:
1294 return FINISHED_MAX_LENGTH;
1297 /* Shouldn't happen */
1305 * Process a message that the client has been received from the server.
1307 static enum MSG_PROCESS_RETURN client_process_message(SSL *s, unsigned long len)
1309 STATEM *st = &s->statem;
1311 switch(st->hand_state) {
1312 case TLS_ST_CR_SRVR_HELLO:
1313 return tls_process_server_hello(s, len);
1315 case TLS_ST_CR_CERT:
1316 return tls_process_server_certificate(s, len);
1318 case TLS_ST_CR_CERT_STATUS:
1319 return tls_process_cert_status(s, len);
1321 case TLS_ST_CR_KEY_EXCH:
1322 return tls_process_key_exchange(s, len);
1324 case TLS_ST_CR_CERT_REQ:
1325 return tls_process_certificate_request(s, len);
1327 case TLS_ST_CR_SRVR_DONE:
1328 return tls_process_server_done(s, len);
1330 case TLS_ST_CR_CHANGE:
1331 return tls_process_change_cipher_spec(s, len);
1333 case TLS_ST_CR_SESSION_TICKET:
1334 return tls_process_new_session_ticket(s, len);
1336 case TLS_ST_CR_FINISHED:
1337 return tls_process_finished(s, len);
1340 /* Shouldn't happen */
1344 return MSG_PROCESS_ERROR;
1348 * Perform any further processing required following the receipt of a message
1351 static enum WORK_STATE client_post_process_message(SSL *s, enum WORK_STATE wst)
1353 STATEM *st = &s->statem;
1355 switch(st->hand_state) {
1356 #ifndef OPENSSL_NO_SCTP
1357 case TLS_ST_CR_SRVR_DONE:
1358 /* We only get here if we are using SCTP and we are renegotiating */
1359 if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
1360 s->s3->in_read_app_data = 2;
1361 s->rwstate = SSL_READING;
1362 BIO_clear_retry_flags(SSL_get_rbio(s));
1363 BIO_set_retry_read(SSL_get_rbio(s));
1364 statem_set_sctp_read_sock(s, 1);
1367 statem_set_sctp_read_sock(s, 0);
1368 return WORK_FINISHED_STOP;
1371 case TLS_ST_CR_FINISHED:
1373 return tls_finish_handshake(s, wst);
1375 return WORK_FINISHED_STOP;
1380 /* Shouldn't happen */