X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fstatem%2Fstatem.c;h=a5748534878153d70f030f186865aa8a3d99c6d9;hp=97fd797f7e1dea21ebbf0253a69d649275634aa5;hb=b38ede8043439d99a3c6c174f17b91875cce66ac;hpb=f63a17d66dec01c123630682e0b20450b34c086a diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c index 97fd797f7e..a574853487 100644 --- a/ssl/statem/statem.c +++ b/ssl/statem/statem.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,6 +11,7 @@ #include #include "../ssl_locl.h" #include "statem_locl.h" +#include /* * This file implements the SSL/TLS/DTLS state machines. @@ -117,6 +118,8 @@ void ossl_statem_set_renegotiate(SSL *s) void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file, int line) { + /* We shouldn't call SSLfatal() twice. Once is enough */ + assert(s->statem.state != MSG_FLOW_ERROR); s->statem.in_init = 1; s->statem.state = MSG_FLOW_ERROR; ERR_put_error(ERR_LIB_SSL, func, reason, file, line); @@ -124,6 +127,19 @@ void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file, ssl3_send_alert(s, SSL3_AL_FATAL, al); } +/* + * This macro should only be called if we are already expecting to be in + * a fatal error state. We verify that we are, and set it if not (this would + * indicate a bug). + */ +#define check_fatal(s, f) \ + do { \ + if (!ossl_assert((s)->statem.in_init \ + && (s)->statem.state == MSG_FLOW_ERROR)) \ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, (f), \ + SSL_R_MISSING_FATAL); \ + } while (0) + /* * Discover whether the current connection is in the error state. * @@ -295,7 +311,11 @@ static int state_machine(SSL *s, int server) st->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) { - if (!SSL_clear(s)) + /* + * If we are stateless then we already called SSL_clear() - don't do + * it again and clear the STATELESS flag itself. + */ + if ((s->s3->flags & TLS1_FLAGS_STATELESS) == 0 && !SSL_clear(s)) return -1; } #ifndef OPENSSL_NO_SCTP @@ -321,29 +341,42 @@ static int state_machine(SSL *s, int server) if (cb != NULL) cb(s, SSL_CB_HANDSHAKE_START, 1); + /* + * Fatal errors in this block don't send an alert because we have + * failed to even initialise properly. Sending an alert is probably + * doomed to failure. + */ + if (SSL_IS_DTLS(s)) { if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00) && (server || (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00))) { - SSLerr(SSL_F_STATE_MACHINE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE, + ERR_R_INTERNAL_ERROR); goto end; } } else { if ((s->version >> 8) != SSL3_VERSION_MAJOR) { - SSLerr(SSL_F_STATE_MACHINE, ERR_R_INTERNAL_ERROR); + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE, + ERR_R_INTERNAL_ERROR); goto end; } } if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL)) { - SSLerr(SSL_F_STATE_MACHINE, SSL_R_VERSION_TOO_LOW); + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE, + ERR_R_INTERNAL_ERROR); goto end; } if (s->init_buf == NULL) { if ((buf = BUF_MEM_new()) == NULL) { + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE, + ERR_R_INTERNAL_ERROR); goto end; } if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) { + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE, + ERR_R_INTERNAL_ERROR); goto end; } s->init_buf = buf; @@ -351,6 +384,8 @@ static int state_machine(SSL *s, int server) } if (!ssl3_setup_buffers(s)) { + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE, + ERR_R_INTERNAL_ERROR); goto end; } s->init_num = 0; @@ -368,13 +403,17 @@ static int state_machine(SSL *s, int server) if (!SSL_IS_DTLS(s) || !BIO_dgram_is_sctp(SSL_get_wbio(s))) #endif if (!ssl_init_wbio_buffer(s)) { + SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_STATE_MACHINE, + ERR_R_INTERNAL_ERROR); goto end; } if ((SSL_in_before(s)) || s->renegotiate) { - if (!tls_setup_handshake(s)) + if (!tls_setup_handshake(s)) { + /* SSLfatal() already called */ goto end; + } if (SSL_IS_FIRST_HANDSHAKE(s)) st->read_state_first_init = 1; @@ -407,8 +446,8 @@ static int state_machine(SSL *s, int server) } } else { /* Error */ - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_STATE_MACHINE, - ERR_R_INTERNAL_ERROR); + check_fatal(s, SSL_F_STATE_MACHINE); + SSLerr(SSL_F_STATE_MACHINE, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); goto end; } } @@ -551,6 +590,7 @@ static SUB_STATE_RETURN read_state_machine(SSL *s) * to that state if so */ if (!transition(s, mt)) { + check_fatal(s, SSL_F_READ_STATE_MACHINE); return SUB_STATE_ERROR; } @@ -596,6 +636,7 @@ static SUB_STATE_RETURN read_state_machine(SSL *s) switch (ret) { case MSG_PROCESS_ERROR: + check_fatal(s, SSL_F_READ_STATE_MACHINE); return SUB_STATE_ERROR; case MSG_PROCESS_FINISHED_READING: @@ -619,6 +660,8 @@ static SUB_STATE_RETURN read_state_machine(SSL *s) st->read_state_work = post_process_message(s, st->read_state_work); switch (st->read_state_work) { case WORK_ERROR: + check_fatal(s, SSL_F_READ_STATE_MACHINE); + /* Fall through */ case WORK_MORE_A: case WORK_MORE_B: case WORK_MORE_C: @@ -754,6 +797,7 @@ static SUB_STATE_RETURN write_state_machine(SSL *s) break; case WRITE_TRAN_ERROR: + check_fatal(s, SSL_F_WRITE_STATE_MACHINE); return SUB_STATE_ERROR; } break; @@ -761,6 +805,8 @@ static SUB_STATE_RETURN write_state_machine(SSL *s) case WRITE_STATE_PRE_WORK: switch (st->write_state_work = pre_work(s, st->write_state_work)) { case WORK_ERROR: + check_fatal(s, SSL_F_WRITE_STATE_MACHINE); + /* Fall through */ case WORK_MORE_A: case WORK_MORE_B: case WORK_MORE_C: @@ -792,7 +838,7 @@ static SUB_STATE_RETURN write_state_machine(SSL *s) } if (confunc != NULL && !confunc(s, &pkt)) { WPACKET_cleanup(&pkt); - /* SSLfatal() already called */ + check_fatal(s, SSL_F_WRITE_STATE_MACHINE); return SUB_STATE_ERROR; } if (!ssl_close_construct_packet(s, &pkt, mt) @@ -820,6 +866,8 @@ static SUB_STATE_RETURN write_state_machine(SSL *s) case WRITE_STATE_POST_WORK: switch (st->write_state_work = post_work(s, st->write_state_work)) { case WORK_ERROR: + check_fatal(s, SSL_F_WRITE_STATE_MACHINE); + /* Fall through */ case WORK_MORE_A: case WORK_MORE_B: case WORK_MORE_C: @@ -835,6 +883,8 @@ static SUB_STATE_RETURN write_state_machine(SSL *s) break; default: + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_WRITE_STATE_MACHINE, + ERR_R_INTERNAL_ERROR); return SUB_STATE_ERROR; } } @@ -891,3 +941,28 @@ int ossl_statem_app_data_allowed(SSL *s) return 0; } + +/* + * This function returns 1 if TLS exporter is ready to export keying + * material, or 0 if otherwise. + */ +int ossl_statem_export_allowed(SSL *s) +{ + return s->s3->previous_server_finished_len != 0 + && s->statem.hand_state != TLS_ST_SW_FINISHED; +} + +/* + * Return 1 if early TLS exporter is ready to export keying material, + * or 0 if otherwise. + */ +int ossl_statem_export_early_allowed(SSL *s) +{ + /* + * The early exporter secret is only present on the server if we + * have accepted early_data. It is present on the client as long + * as we have sent early_data. + */ + return s->ext.early_data == SSL_EARLY_DATA_ACCEPTED + || (!s->server && s->ext.early_data != SSL_EARLY_DATA_NOT_SENT); +}