3 * Written by Matt Caswell for the OpenSSL project.
5 /* ====================================================================
6 * Copyright (c) 1998-2015 The OpenSSL Project. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * openssl-core@openssl.org.
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
34 * 6. Redistributions of any form whatsoever must retain the following
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
59 #include <openssl/rand.h>
63 * This file implements the SSL/TLS/DTLS state machines.
65 * There are two primary state machines:
67 * 1) Message flow state machine
68 * 2) Handshake state machine
70 * The Message flow state machine controls the reading and sending of messages
71 * including handling of non-blocking IO events, flushing of the underlying
72 * write BIO, handling unexpected messages, etc. It is itself broken into two
73 * separate sub-state machines which control reading and writing respectively.
75 * The Handshake state machine keeps track of the current SSL/TLS handshake
76 * state. Transitions of the handshake state are the result of events that
77 * occur within the Message flow state machine.
79 * Overall it looks like this:
81 * --------------------------------------------- -------------------
83 * | Message flow state machine | | |
85 * | -------------------- -------------------- | Transition | Handshake state |
86 * | | MSG_FLOW_READING | | MSG_FLOW_WRITING | | Event | machine |
87 * | | sub-state | | sub-state | |----------->| |
88 * | | machine for | | machine for | | | |
89 * | | reading messages | | writing messages | | | |
90 * | -------------------- -------------------- | | |
92 * --------------------------------------------- -------------------
96 /* Sub state machine return values */
97 enum SUB_STATE_RETURN
{
98 /* Something bad happened or NBIO */
100 /* Sub state finished go to the next sub state */
102 /* Sub state finished and handshake was completed */
103 SUB_STATE_END_HANDSHAKE
106 static int state_machine(SSL
*s
, int server
);
107 static void init_read_state_machine(SSL
*s
);
108 static enum SUB_STATE_RETURN
read_state_machine(SSL
*s
);
109 static void init_write_state_machine(SSL
*s
);
110 static enum SUB_STATE_RETURN
write_state_machine(SSL
*s
);
111 static inline int cert_req_allowed(SSL
*s
);
112 static inline int key_exchange_skip_allowed(SSL
*s
);
113 static int client_read_transition(SSL
*s
, int mt
);
114 static enum WRITE_TRAN
client_write_transition(SSL
*s
);
115 static enum WORK_STATE
client_pre_work(SSL
*s
, enum WORK_STATE wst
);
116 static enum WORK_STATE
client_post_work(SSL
*s
, enum WORK_STATE wst
);
117 static int client_construct_message(SSL
*s
);
118 static unsigned long client_max_message_size(SSL
*s
);
119 static enum MSG_PROCESS_RETURN
client_process_message(SSL
*s
, PACKET
*pkt
);
120 static enum WORK_STATE
client_post_process_message(SSL
*s
, enum WORK_STATE wst
);
121 static int server_read_transition(SSL
*s
, int mt
);
122 static inline int send_server_key_exchange(SSL
*s
);
123 static inline int send_certificate_request(SSL
*s
);
124 static enum WRITE_TRAN
server_write_transition(SSL
*s
);
125 static enum WORK_STATE
server_pre_work(SSL
*s
, enum WORK_STATE wst
);
126 static enum WORK_STATE
server_post_work(SSL
*s
, enum WORK_STATE wst
);
127 static int server_construct_message(SSL
*s
);
128 static unsigned long server_max_message_size(SSL
*s
);
129 static enum MSG_PROCESS_RETURN
server_process_message(SSL
*s
, PACKET
*pkt
);
130 static enum WORK_STATE
server_post_process_message(SSL
*s
, enum WORK_STATE wst
);
133 enum HANDSHAKE_STATE
SSL_state(const SSL
*ssl
)
135 return ssl
->statem
.hand_state
;
138 void SSL_set_state(SSL
*ssl
, enum HANDSHAKE_STATE state
)
141 * This function seems like a really bad idea. Should we remove it
144 ssl
->statem
.hand_state
= state
;
147 int SSL_in_init(SSL
*s
)
149 return s
->statem
.in_init
;
152 int SSL_is_init_finished(SSL
*s
)
154 return !(s
->statem
.in_init
) && (s
->statem
.hand_state
== TLS_ST_OK
);
157 int SSL_in_before(SSL
*s
)
160 * Historically being "in before" meant before anything had happened. In the
161 * current code though we remain in the "before" state for a while after we
162 * have started the handshake process (e.g. as a server waiting for the
163 * first message to arrive). There "in before" is taken to mean "in before"
164 * and not started any handshake process yet.
166 return (s
->statem
.hand_state
== TLS_ST_BEFORE
)
167 && (s
->statem
.state
== MSG_FLOW_UNINITED
);
171 * Clear the state machine state and reset back to MSG_FLOW_UNINITED
173 void statem_clear(SSL
*s
)
175 s
->statem
.state
= MSG_FLOW_UNINITED
;
176 s
->statem
.hand_state
= TLS_ST_BEFORE
;
177 s
->statem
.in_init
= 1;
181 * Set the state machine up ready for a renegotiation handshake
183 void statem_set_renegotiate(SSL
*s
)
185 s
->statem
.state
= MSG_FLOW_RENEGOTIATE
;
186 s
->statem
.in_init
= 1;
190 * Put the state machine into an error state. This is a permanent error for
191 * the current connection.
193 void statem_set_error(SSL
*s
)
195 s
->statem
.state
= MSG_FLOW_ERROR
;
199 * Discover whether the current connection is in the error state.
201 * Valid return values are:
205 int statem_in_error(const SSL
*s
)
207 if (s
->statem
.state
== MSG_FLOW_ERROR
)
213 void statem_set_in_init(SSL
*s
, int init
)
215 s
->statem
.in_init
= init
;
218 int ssl3_connect(SSL
*s
) {
219 return state_machine(s
, 0);
222 int dtls1_connect(SSL
*s
)
224 return state_machine(s
, 0);
227 int ssl3_accept(SSL
*s
)
229 return state_machine(s
, 1);
232 int dtls1_accept(SSL
*s
)
234 return state_machine(s
, 1);
238 * The main message flow state machine. We start in the MSG_FLOW_UNINITED or
239 * MSG_FLOW_RENEGOTIATE state and finish in MSG_FLOW_FINISHED. Valid states and
240 * transitions are as follows:
242 * MSG_FLOW_UNINITED MSG_FLOW_RENEGOTIATE
244 * +-----------------------+
246 * MSG_FLOW_WRITING <---> MSG_FLOW_READING
254 * We may exit at any point due to an error or NBIO event. If an NBIO event
255 * occurs then we restart at the point we left off when we are recalled.
256 * MSG_FLOW_WRITING and MSG_FLOW_READING have sub-state machines associated with them.
258 * In addition to the above there is also the MSG_FLOW_ERROR state. We can move
259 * into that state at any point in the event that an irrecoverable error occurs.
261 * Valid return values are:
265 static int state_machine(SSL
*s
, int server
) {
267 unsigned long Time
= (unsigned long)time(NULL
);
268 void (*cb
) (const SSL
*ssl
, int type
, int val
) = NULL
;
269 STATEM
*st
= &s
->statem
;
273 if (st
->state
== MSG_FLOW_ERROR
) {
274 /* Shouldn't have been called if we're already in the error state */
278 RAND_add(&Time
, sizeof(Time
), 0);
282 if (s
->info_callback
!= NULL
)
283 cb
= s
->info_callback
;
284 else if (s
->ctx
->info_callback
!= NULL
)
285 cb
= s
->ctx
->info_callback
;
288 if (!SSL_in_init(s
) || SSL_in_before(s
)) {
293 #ifndef OPENSSL_NO_SCTP
294 if (SSL_IS_DTLS(s
)) {
296 * Notify SCTP BIO socket to enter handshake mode and prevent stream
297 * identifier other than 0. Will be ignored if no SCTP is used.
299 BIO_ctrl(SSL_get_wbio(s
), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE
,
300 s
->in_handshake
, NULL
);
304 #ifndef OPENSSL_NO_HEARTBEATS
306 * If we're awaiting a HeartbeatResponse, pretend we already got and
307 * don't await it anymore, because Heartbeats don't make sense during
310 if (s
->tlsext_hb_pending
) {
313 s
->tlsext_hb_pending
= 0;
318 /* Initialise state machine */
320 if (st
->state
== MSG_FLOW_RENEGOTIATE
) {
323 s
->ctx
->stats
.sess_connect_renegotiate
++;
326 if (st
->state
== MSG_FLOW_UNINITED
|| st
->state
== MSG_FLOW_RENEGOTIATE
) {
327 if (st
->state
== MSG_FLOW_UNINITED
) {
328 st
->hand_state
= TLS_ST_BEFORE
;
333 cb(s
, SSL_CB_HANDSHAKE_START
, 1);
335 if (SSL_IS_DTLS(s
)) {
336 if ((s
->version
& 0xff00) != (DTLS1_VERSION
& 0xff00) &&
338 || (s
->version
& 0xff00) != (DTLS1_BAD_VER
& 0xff00))) {
339 SSLerr(SSL_F_STATE_MACHINE
, ERR_R_INTERNAL_ERROR
);
343 if ((s
->version
>> 8) != SSL3_VERSION_MAJOR
344 && s
->version
!= TLS_ANY_VERSION
) {
345 SSLerr(SSL_F_STATE_MACHINE
, ERR_R_INTERNAL_ERROR
);
350 if (!SSL_IS_DTLS(s
)) {
351 if (s
->version
!= TLS_ANY_VERSION
&&
352 !ssl_security(s
, SSL_SECOP_VERSION
, 0, s
->version
, NULL
)) {
353 SSLerr(SSL_F_STATE_MACHINE
, SSL_R_VERSION_TOO_LOW
);
358 if (s
->init_buf
== NULL
) {
359 if ((buf
= BUF_MEM_new()) == NULL
) {
362 if (!BUF_MEM_grow(buf
, SSL3_RT_MAX_PLAIN_LENGTH
)) {
369 if (!ssl3_setup_buffers(s
)) {
375 * Should have been reset by tls_process_finished, too.
377 s
->s3
->change_cipher_spec
= 0;
379 if (!server
|| st
->state
!= MSG_FLOW_RENEGOTIATE
) {
381 * Ok, we now need to push on a buffering BIO ...but not with
384 #ifndef OPENSSL_NO_SCTP
385 if (!SSL_IS_DTLS(s
) || !BIO_dgram_is_sctp(SSL_get_wbio(s
)))
387 if (!ssl_init_wbio_buffer(s
, server
? 1 : 0)) {
391 ssl3_init_finished_mac(s
);
395 if (st
->state
!= MSG_FLOW_RENEGOTIATE
) {
396 s
->ctx
->stats
.sess_accept
++;
397 } else if (!s
->s3
->send_connection_binding
&&
399 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
)) {
401 * Server attempting to renegotiate with client that doesn't
402 * support secure renegotiation.
404 SSLerr(SSL_F_STATE_MACHINE
,
405 SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED
);
406 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_HANDSHAKE_FAILURE
);
411 * s->state == SSL_ST_RENEGOTIATE, we will just send a
414 s
->ctx
->stats
.sess_accept_renegotiate
++;
417 s
->ctx
->stats
.sess_connect
++;
419 /* mark client_random uninitialized */
420 memset(s
->s3
->client_random
, 0, sizeof(s
->s3
->client_random
));
423 s
->s3
->tmp
.cert_request
= 0;
425 if (SSL_IS_DTLS(s
)) {
430 st
->state
= MSG_FLOW_WRITING
;
431 init_write_state_machine(s
);
432 st
->read_state_first_init
= 1;
435 while(st
->state
!= MSG_FLOW_FINISHED
) {
436 if(st
->state
== MSG_FLOW_READING
) {
437 ssret
= read_state_machine(s
);
438 if (ssret
== SUB_STATE_FINISHED
) {
439 st
->state
= MSG_FLOW_WRITING
;
440 init_write_state_machine(s
);
445 } else if (st
->state
== MSG_FLOW_WRITING
) {
446 ssret
= write_state_machine(s
);
447 if (ssret
== SUB_STATE_FINISHED
) {
448 st
->state
= MSG_FLOW_READING
;
449 init_read_state_machine(s
);
450 } else if (ssret
== SUB_STATE_END_HANDSHAKE
) {
451 st
->state
= MSG_FLOW_FINISHED
;
463 st
->state
= MSG_FLOW_UNINITED
;
469 #ifndef OPENSSL_NO_SCTP
470 if (SSL_IS_DTLS(s
)) {
472 * Notify SCTP BIO socket to leave handshake mode and allow stream
473 * identifier other than 0. Will be ignored if no SCTP is used.
475 BIO_ctrl(SSL_get_wbio(s
), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE
,
476 s
->in_handshake
, NULL
);
483 cb(s
, SSL_CB_ACCEPT_EXIT
, ret
);
485 cb(s
, SSL_CB_CONNECT_EXIT
, ret
);
491 * Initialise the MSG_FLOW_READING sub-state machine
493 static void init_read_state_machine(SSL
*s
)
495 STATEM
*st
= &s
->statem
;
497 st
->read_state
= READ_STATE_HEADER
;
501 * This function implements the sub-state machine when the message flow is in
502 * MSG_FLOW_READING. The valid sub-states and transitions are:
504 * READ_STATE_HEADER <--+<-------------+
507 * READ_STATE_BODY -----+-->READ_STATE_POST_PROCESS
509 * +----------------------------+
511 * [SUB_STATE_FINISHED]
513 * READ_STATE_HEADER has the responsibility for reading in the message header
514 * and transitioning the state of the handshake state machine.
516 * READ_STATE_BODY reads in the rest of the message and then subsequently
519 * READ_STATE_POST_PROCESS is an optional step that may occur if some post
520 * processing activity performed on the message may block.
522 * Any of the above states could result in an NBIO event occuring in which case
523 * control returns to the calling application. When this function is recalled we
524 * will resume in the same state where we left off.
526 static enum SUB_STATE_RETURN
read_state_machine(SSL
*s
) {
527 STATEM
*st
= &s
->statem
;
530 int (*transition
)(SSL
*s
, int mt
);
532 enum MSG_PROCESS_RETURN (*process_message
)(SSL
*s
, PACKET
*pkt
);
533 enum WORK_STATE (*post_process_message
)(SSL
*s
, enum WORK_STATE wst
);
534 unsigned long (*max_message_size
)(SSL
*s
);
535 void (*cb
) (const SSL
*ssl
, int type
, int val
) = NULL
;
537 if (s
->info_callback
!= NULL
)
538 cb
= s
->info_callback
;
539 else if (s
->ctx
->info_callback
!= NULL
)
540 cb
= s
->ctx
->info_callback
;
543 transition
= server_read_transition
;
544 process_message
= server_process_message
;
545 max_message_size
= server_max_message_size
;
546 post_process_message
= server_post_process_message
;
548 transition
= client_read_transition
;
549 process_message
= client_process_message
;
550 max_message_size
= client_max_message_size
;
551 post_process_message
= client_post_process_message
;
554 if (st
->read_state_first_init
) {
556 st
->read_state_first_init
= 0;
560 switch(st
->read_state
) {
561 case READ_STATE_HEADER
:
563 /* Get the state the peer wants to move to */
564 if (SSL_IS_DTLS(s
)) {
566 * In DTLS we get the whole message in one go - header and body
568 ret
= dtls_get_message(s
, &mt
, &len
);
570 ret
= tls_get_message_header(s
, &mt
);
574 /* Could be non-blocking IO */
575 return SUB_STATE_ERROR
;
579 /* Notify callback of an impending state change */
581 cb(s
, SSL_CB_ACCEPT_LOOP
, 1);
583 cb(s
, SSL_CB_CONNECT_LOOP
, 1);
586 * Validate that we are allowed to move to the new state and move
587 * to that state if so
589 if(!transition(s
, mt
)) {
590 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL3_AD_UNEXPECTED_MESSAGE
);
591 SSLerr(SSL_F_READ_STATE_MACHINE
, SSL_R_UNEXPECTED_MESSAGE
);
592 return SUB_STATE_ERROR
;
595 if (s
->s3
->tmp
.message_size
> max_message_size(s
)) {
596 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_ILLEGAL_PARAMETER
);
597 SSLerr(SSL_F_READ_STATE_MACHINE
, SSL_R_EXCESSIVE_MESSAGE_SIZE
);
598 return SUB_STATE_ERROR
;
601 st
->read_state
= READ_STATE_BODY
;
604 case READ_STATE_BODY
:
605 if (!SSL_IS_DTLS(s
)) {
606 /* We already got this above for DTLS */
607 ret
= tls_get_message_body(s
, &len
);
609 /* Could be non-blocking IO */
610 return SUB_STATE_ERROR
;
615 if (!PACKET_buf_init(&pkt
, s
->init_msg
, len
)) {
616 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_INTERNAL_ERROR
);
617 SSLerr(SSL_F_READ_STATE_MACHINE
, ERR_R_INTERNAL_ERROR
);
618 return SUB_STATE_ERROR
;
620 ret
= process_message(s
, &pkt
);
621 if (ret
== MSG_PROCESS_ERROR
) {
622 return SUB_STATE_ERROR
;
625 if (ret
== MSG_PROCESS_FINISHED_READING
) {
626 if (SSL_IS_DTLS(s
)) {
629 return SUB_STATE_FINISHED
;
632 if (ret
== MSG_PROCESS_CONTINUE_PROCESSING
) {
633 st
->read_state
= READ_STATE_POST_PROCESS
;
634 st
->read_state_work
= WORK_MORE_A
;
636 st
->read_state
= READ_STATE_HEADER
;
640 case READ_STATE_POST_PROCESS
:
641 st
->read_state_work
= post_process_message(s
, st
->read_state_work
);
642 switch(st
->read_state_work
) {
644 return SUB_STATE_ERROR
;
646 case WORK_FINISHED_CONTINUE
:
647 st
->read_state
= READ_STATE_HEADER
;
650 case WORK_FINISHED_STOP
:
651 if (SSL_IS_DTLS(s
)) {
654 return SUB_STATE_FINISHED
;
659 /* Shouldn't happen */
660 ssl3_send_alert(s
, SSL3_AL_FATAL
, SSL_AD_INTERNAL_ERROR
);
661 SSLerr(SSL_F_READ_STATE_MACHINE
, ERR_R_INTERNAL_ERROR
);
663 return SUB_STATE_ERROR
;
669 * Send a previously constructed message to the peer.
671 static int statem_do_write(SSL
*s
)
673 STATEM
*st
= &s
->statem
;
675 if (st
->hand_state
== TLS_ST_CW_CHANGE
676 || st
->hand_state
== TLS_ST_SW_CHANGE
) {
678 return dtls1_do_write(s
, SSL3_RT_CHANGE_CIPHER_SPEC
);
680 return ssl3_do_write(s
, SSL3_RT_CHANGE_CIPHER_SPEC
);
682 return ssl_do_write(s
);
687 * Initialise the MSG_FLOW_WRITING sub-state machine
689 static void init_write_state_machine(SSL
*s
)
691 STATEM
*st
= &s
->statem
;
693 st
->write_state
= WRITE_STATE_TRANSITION
;
697 * This function implements the sub-state machine when the message flow is in
698 * MSG_FLOW_WRITING. The valid sub-states and transitions are:
700 * +-> WRITE_STATE_TRANSITION ------> [SUB_STATE_FINISHED]
703 * | WRITE_STATE_PRE_WORK -----> [SUB_STATE_END_HANDSHAKE]
709 * | WRITE_STATE_POST_WORK
713 * WRITE_STATE_TRANSITION transitions the state of the handshake state machine
715 * WRITE_STATE_PRE_WORK performs any work necessary to prepare the later
716 * sending of the message. This could result in an NBIO event occuring in
717 * which case control returns to the calling application. When this function
718 * is recalled we will resume in the same state where we left off.
720 * WRITE_STATE_SEND sends the message and performs any work to be done after
723 * WRITE_STATE_POST_WORK performs any work necessary after the sending of the
724 * message has been completed. As for WRITE_STATE_PRE_WORK this could also
725 * result in an NBIO event.
727 static enum SUB_STATE_RETURN
write_state_machine(SSL
*s
)
729 STATEM
*st
= &s
->statem
;
731 enum WRITE_TRAN (*transition
)(SSL
*s
);
732 enum WORK_STATE (*pre_work
)(SSL
*s
, enum WORK_STATE wst
);
733 enum WORK_STATE (*post_work
)(SSL
*s
, enum WORK_STATE wst
);
734 int (*construct_message
)(SSL
*s
);
735 void (*cb
) (const SSL
*ssl
, int type
, int val
) = NULL
;
737 if (s
->info_callback
!= NULL
)
738 cb
= s
->info_callback
;
739 else if (s
->ctx
->info_callback
!= NULL
)
740 cb
= s
->ctx
->info_callback
;
743 transition
= server_write_transition
;
744 pre_work
= server_pre_work
;
745 post_work
= server_post_work
;
746 construct_message
= server_construct_message
;
748 transition
= client_write_transition
;
749 pre_work
= client_pre_work
;
750 post_work
= client_post_work
;
751 construct_message
= client_construct_message
;
755 switch(st
->write_state
) {
756 case WRITE_STATE_TRANSITION
:
758 /* Notify callback of an impending state change */
760 cb(s
, SSL_CB_ACCEPT_LOOP
, 1);
762 cb(s
, SSL_CB_CONNECT_LOOP
, 1);
764 switch(transition(s
)) {
765 case WRITE_TRAN_CONTINUE
:
766 st
->write_state
= WRITE_STATE_PRE_WORK
;
767 st
->write_state_work
= WORK_MORE_A
;
770 case WRITE_TRAN_FINISHED
:
771 return SUB_STATE_FINISHED
;
775 return SUB_STATE_ERROR
;
779 case WRITE_STATE_PRE_WORK
:
780 switch(st
->write_state_work
= pre_work(s
, st
->write_state_work
)) {
782 return SUB_STATE_ERROR
;
784 case WORK_FINISHED_CONTINUE
:
785 st
->write_state
= WRITE_STATE_SEND
;
788 case WORK_FINISHED_STOP
:
789 return SUB_STATE_END_HANDSHAKE
;
791 if(construct_message(s
) == 0)
792 return SUB_STATE_ERROR
;
796 case WRITE_STATE_SEND
:
797 if (SSL_IS_DTLS(s
) && st
->use_timer
) {
798 dtls1_start_timer(s
);
800 ret
= statem_do_write(s
);
802 return SUB_STATE_ERROR
;
804 st
->write_state
= WRITE_STATE_POST_WORK
;
805 st
->write_state_work
= WORK_MORE_A
;
808 case WRITE_STATE_POST_WORK
:
809 switch(st
->write_state_work
= post_work(s
, st
->write_state_work
)) {
811 return SUB_STATE_ERROR
;
813 case WORK_FINISHED_CONTINUE
:
814 st
->write_state
= WRITE_STATE_TRANSITION
;
817 case WORK_FINISHED_STOP
:
818 return SUB_STATE_END_HANDSHAKE
;
823 return SUB_STATE_ERROR
;
829 * Flush the write BIO
831 static int statem_flush(SSL
*s
)
833 s
->rwstate
= SSL_WRITING
;
834 if (BIO_flush(s
->wbio
) <= 0) {
837 s
->rwstate
= SSL_NOTHING
;
843 * Called by the record layer to determine whether application data is
844 * allowed to be sent in the current handshake state or not.
847 * 1: Yes (application data allowed)
848 * 0: No (application data not allowed)
850 int statem_app_data_allowed(SSL
*s
)
852 STATEM
*st
= &s
->statem
;
854 if (st
->state
== MSG_FLOW_UNINITED
|| st
->state
== MSG_FLOW_RENEGOTIATE
)
857 if (!s
->s3
->in_read_app_data
|| (s
->s3
->total_renegotiations
== 0))
862 * If we're a server and we haven't got as far as writing our
863 * ServerHello yet then we allow app data
865 if (st
->hand_state
== TLS_ST_BEFORE
866 || st
->hand_state
== TLS_ST_SR_CLNT_HELLO
)
870 * If we're a client and we haven't read the ServerHello yet then we
873 if (st
->hand_state
== TLS_ST_CW_CLNT_HELLO
)
881 #ifndef OPENSSL_NO_SCTP
883 * Set flag used by SCTP to determine whether we are in the read sock state
885 void statem_set_sctp_read_sock(SSL
*s
, int read_sock
)
887 s
->statem
.in_sctp_read_sock
= read_sock
;
891 * Called by the record layer to determine whether we are in the read sock
895 * 1: Yes (we are in the read sock state)
896 * 0: No (we are not in the read sock state)
898 int statem_in_sctp_read_sock(SSL
*s
)
900 return s
->statem
.in_sctp_read_sock
;
905 * Is a CertificateRequest message allowed at the moment or not?
911 static inline int cert_req_allowed(SSL
*s
)
913 /* TLS does not like anon-DH with client cert */
914 if (s
->version
> SSL3_VERSION
915 && (s
->s3
->tmp
.new_cipher
->algorithm_auth
& SSL_aNULL
))
922 * Are we allowed to skip the ServerKeyExchange message?
928 static inline int key_exchange_skip_allowed(SSL
*s
)
930 long alg_k
= s
->s3
->tmp
.new_cipher
->algorithm_mkey
;
933 * Can't skip server key exchange if this is an ephemeral
936 if (alg_k
& (SSL_kDHE
| SSL_kECDHE
)) {
944 * client_read_transition() encapsulates the logic for the allowed handshake
945 * state transitions when the client is reading messages from the server. The
946 * message type that the server has sent is provided in |mt|. The current state
947 * is in |s->statem.hand_state|.
950 * 1: Success (transition allowed)
951 * 0: Error (transition not allowed)
953 static int client_read_transition(SSL
*s
, int mt
)
955 STATEM
*st
= &s
->statem
;
957 switch(st
->hand_state
) {
958 case TLS_ST_CW_CLNT_HELLO
:
959 if (mt
== SSL3_MT_SERVER_HELLO
) {
960 st
->hand_state
= TLS_ST_CR_SRVR_HELLO
;
964 if (SSL_IS_DTLS(s
)) {
965 if (mt
== DTLS1_MT_HELLO_VERIFY_REQUEST
) {
966 st
->hand_state
= DTLS_ST_CR_HELLO_VERIFY_REQUEST
;
972 case TLS_ST_CR_SRVR_HELLO
:
974 if (s
->tlsext_ticket_expected
) {
975 if (mt
== SSL3_MT_NEWSESSION_TICKET
) {
976 st
->hand_state
= TLS_ST_CR_SESSION_TICKET
;
979 } else if (mt
== SSL3_MT_CHANGE_CIPHER_SPEC
) {
980 st
->hand_state
= TLS_ST_CR_CHANGE
;
984 if (SSL_IS_DTLS(s
) && mt
== DTLS1_MT_HELLO_VERIFY_REQUEST
) {
985 st
->hand_state
= DTLS_ST_CR_HELLO_VERIFY_REQUEST
;
987 } else if (!(s
->s3
->tmp
.new_cipher
->algorithm_auth
988 & (SSL_aNULL
| SSL_aSRP
| SSL_aPSK
))) {
989 if (mt
== SSL3_MT_CERTIFICATE
) {
990 st
->hand_state
= TLS_ST_CR_CERT
;
994 if (mt
== SSL3_MT_SERVER_KEY_EXCHANGE
) {
995 st
->hand_state
= TLS_ST_CR_KEY_EXCH
;
997 } else if (key_exchange_skip_allowed(s
)) {
998 if (mt
== SSL3_MT_CERTIFICATE_REQUEST
999 && cert_req_allowed(s
)) {
1000 st
->hand_state
= TLS_ST_CR_CERT_REQ
;
1002 } else if (mt
== SSL3_MT_SERVER_DONE
) {
1003 st
->hand_state
= TLS_ST_CR_SRVR_DONE
;
1011 case TLS_ST_CR_CERT
:
1012 if (s
->tlsext_status_expected
) {
1013 if (mt
== SSL3_MT_CERTIFICATE_STATUS
) {
1014 st
->hand_state
= TLS_ST_CR_CERT_STATUS
;
1018 if (mt
== SSL3_MT_SERVER_KEY_EXCHANGE
) {
1019 st
->hand_state
= TLS_ST_CR_KEY_EXCH
;
1021 } else if (key_exchange_skip_allowed(s
)) {
1022 if (mt
== SSL3_MT_CERTIFICATE_REQUEST
&& cert_req_allowed(s
)) {
1023 st
->hand_state
= TLS_ST_CR_CERT_REQ
;
1025 } else if (mt
== SSL3_MT_SERVER_DONE
) {
1026 st
->hand_state
= TLS_ST_CR_SRVR_DONE
;
1033 case TLS_ST_CR_CERT_STATUS
:
1034 if (mt
== SSL3_MT_SERVER_KEY_EXCHANGE
) {
1035 st
->hand_state
= TLS_ST_CR_KEY_EXCH
;
1037 } else if (key_exchange_skip_allowed(s
)) {
1038 if (mt
== SSL3_MT_CERTIFICATE_REQUEST
&& cert_req_allowed(s
)) {
1039 st
->hand_state
= TLS_ST_CR_CERT_REQ
;
1041 } else if (mt
== SSL3_MT_SERVER_DONE
) {
1042 st
->hand_state
= TLS_ST_CR_SRVR_DONE
;
1048 case TLS_ST_CR_KEY_EXCH
:
1049 if (mt
== SSL3_MT_CERTIFICATE_REQUEST
&& cert_req_allowed(s
)) {
1050 st
->hand_state
= TLS_ST_CR_CERT_REQ
;
1052 } else if (mt
== SSL3_MT_SERVER_DONE
) {
1053 st
->hand_state
= TLS_ST_CR_SRVR_DONE
;
1058 case TLS_ST_CR_CERT_REQ
:
1059 if (mt
== SSL3_MT_SERVER_DONE
) {
1060 st
->hand_state
= TLS_ST_CR_SRVR_DONE
;
1065 case TLS_ST_CW_FINISHED
:
1066 if (mt
== SSL3_MT_NEWSESSION_TICKET
&& s
->tlsext_ticket_expected
) {
1067 st
->hand_state
= TLS_ST_CR_SESSION_TICKET
;
1069 } else if (mt
== SSL3_MT_CHANGE_CIPHER_SPEC
) {
1070 st
->hand_state
= TLS_ST_CR_CHANGE
;
1075 case TLS_ST_CR_SESSION_TICKET
:
1076 if (mt
== SSL3_MT_CHANGE_CIPHER_SPEC
) {
1077 st
->hand_state
= TLS_ST_CR_CHANGE
;
1082 case TLS_ST_CR_CHANGE
:
1083 if (mt
== SSL3_MT_FINISHED
) {
1084 st
->hand_state
= TLS_ST_CR_FINISHED
;
1093 /* No valid transition found */
1098 * client_write_transition() works out what handshake state to move to next
1099 * when the client is writing messages to be sent to the server.
1101 static enum WRITE_TRAN
client_write_transition(SSL
*s
)
1103 STATEM
*st
= &s
->statem
;
1105 switch(st
->hand_state
) {
1107 /* Renegotiation - fall through */
1109 st
->hand_state
= TLS_ST_CW_CLNT_HELLO
;
1110 return WRITE_TRAN_CONTINUE
;
1112 case TLS_ST_CW_CLNT_HELLO
:
1114 * No transition at the end of writing because we don't know what
1117 return WRITE_TRAN_FINISHED
;
1119 case DTLS_ST_CR_HELLO_VERIFY_REQUEST
:
1120 st
->hand_state
= TLS_ST_CW_CLNT_HELLO
;
1121 return WRITE_TRAN_CONTINUE
;
1123 case TLS_ST_CR_SRVR_DONE
:
1124 if (s
->s3
->tmp
.cert_req
)
1125 st
->hand_state
= TLS_ST_CW_CERT
;
1127 st
->hand_state
= TLS_ST_CW_KEY_EXCH
;
1128 return WRITE_TRAN_CONTINUE
;
1130 case TLS_ST_CW_CERT
:
1131 st
->hand_state
= TLS_ST_CW_KEY_EXCH
;
1132 return WRITE_TRAN_CONTINUE
;
1134 case TLS_ST_CW_KEY_EXCH
:
1136 * For TLS, cert_req is set to 2, so a cert chain of nothing is
1137 * sent, but no verify packet is sent
1140 * XXX: For now, we do not support client authentication in ECDH
1141 * cipher suites with ECDH (rather than ECDSA) certificates. We
1142 * need to skip the certificate verify message when client's
1143 * ECDH public key is sent inside the client certificate.
1145 if (s
->s3
->tmp
.cert_req
== 1) {
1146 st
->hand_state
= TLS_ST_CW_CERT_VRFY
;
1148 st
->hand_state
= TLS_ST_CW_CHANGE
;
1150 if (s
->s3
->flags
& TLS1_FLAGS_SKIP_CERT_VERIFY
) {
1151 st
->hand_state
= TLS_ST_CW_CHANGE
;
1153 return WRITE_TRAN_CONTINUE
;
1155 case TLS_ST_CW_CERT_VRFY
:
1156 st
->hand_state
= TLS_ST_CW_CHANGE
;
1157 return WRITE_TRAN_CONTINUE
;
1159 case TLS_ST_CW_CHANGE
:
1160 #if defined(OPENSSL_NO_NEXTPROTONEG)
1161 st
->hand_state
= TLS_ST_CW_FINISHED
;
1163 if (!SSL_IS_DTLS(s
) && s
->s3
->next_proto_neg_seen
)
1164 st
->hand_state
= TLS_ST_CW_NEXT_PROTO
;
1166 st
->hand_state
= TLS_ST_CW_FINISHED
;
1168 return WRITE_TRAN_CONTINUE
;
1170 #if !defined(OPENSSL_NO_NEXTPROTONEG)
1171 case TLS_ST_CW_NEXT_PROTO
:
1172 st
->hand_state
= TLS_ST_CW_FINISHED
;
1173 return WRITE_TRAN_CONTINUE
;
1176 case TLS_ST_CW_FINISHED
:
1178 st
->hand_state
= TLS_ST_OK
;
1179 statem_set_in_init(s
, 0);
1180 return WRITE_TRAN_CONTINUE
;
1182 return WRITE_TRAN_FINISHED
;
1185 case TLS_ST_CR_FINISHED
:
1187 st
->hand_state
= TLS_ST_CW_CHANGE
;
1188 return WRITE_TRAN_CONTINUE
;
1190 st
->hand_state
= TLS_ST_OK
;
1191 statem_set_in_init(s
, 0);
1192 return WRITE_TRAN_CONTINUE
;
1196 /* Shouldn't happen */
1197 return WRITE_TRAN_ERROR
;
1202 * Perform any pre work that needs to be done prior to sending a message from
1203 * the client to the server.
1205 static enum WORK_STATE
client_pre_work(SSL
*s
, enum WORK_STATE wst
)
1207 STATEM
*st
= &s
->statem
;
1209 switch(st
->hand_state
) {
1210 case TLS_ST_CW_CLNT_HELLO
:
1212 if (SSL_IS_DTLS(s
)) {
1213 /* every DTLS ClientHello resets Finished MAC */
1214 ssl3_init_finished_mac(s
);
1218 case TLS_ST_CW_CERT
:
1219 return tls_prepare_client_certificate(s
, wst
);
1221 case TLS_ST_CW_CHANGE
:
1222 if (SSL_IS_DTLS(s
)) {
1225 * We're into the last flight so we don't retransmit these
1226 * messages unless we need to.
1230 #ifndef OPENSSL_NO_SCTP
1231 if (BIO_dgram_is_sctp(SSL_get_wbio(s
)))
1232 return dtls_wait_for_dry(s
);
1235 return WORK_FINISHED_CONTINUE
;
1238 return tls_finish_handshake(s
, wst
);
1241 /* No pre work to be done */
1245 return WORK_FINISHED_CONTINUE
;
1249 * Perform any work that needs to be done after sending a message from the
1250 * client to the server.
1252 static enum WORK_STATE
client_post_work(SSL
*s
, enum WORK_STATE wst
)
1254 STATEM
*st
= &s
->statem
;
1258 switch(st
->hand_state
) {
1259 case TLS_ST_CW_CLNT_HELLO
:
1260 if (SSL_IS_DTLS(s
) && s
->d1
->cookie_len
> 0 && statem_flush(s
) != 1)
1262 #ifndef OPENSSL_NO_SCTP
1263 /* Disable buffering for SCTP */
1264 if (!SSL_IS_DTLS(s
) || !BIO_dgram_is_sctp(SSL_get_wbio(s
))) {
1267 * turn on buffering for the next lot of output
1269 if (s
->bbio
!= s
->wbio
)
1270 s
->wbio
= BIO_push(s
->bbio
, s
->wbio
);
1271 #ifndef OPENSSL_NO_SCTP
1274 if (SSL_IS_DTLS(s
)) {
1275 /* Treat the next message as the first packet */
1276 s
->first_packet
= 1;
1280 case TLS_ST_CW_KEY_EXCH
:
1281 if (tls_client_key_exchange_post_work(s
) == 0)
1285 case TLS_ST_CW_CHANGE
:
1286 s
->session
->cipher
= s
->s3
->tmp
.new_cipher
;
1287 #ifdef OPENSSL_NO_COMP
1288 s
->session
->compress_meth
= 0;
1290 if (s
->s3
->tmp
.new_compression
== NULL
)
1291 s
->session
->compress_meth
= 0;
1293 s
->session
->compress_meth
= s
->s3
->tmp
.new_compression
->id
;
1295 if (!s
->method
->ssl3_enc
->setup_key_block(s
))
1298 if (!s
->method
->ssl3_enc
->change_cipher_state(s
,
1299 SSL3_CHANGE_CIPHER_CLIENT_WRITE
))
1302 if (SSL_IS_DTLS(s
)) {
1303 #ifndef OPENSSL_NO_SCTP
1306 * Change to new shared key of SCTP-Auth, will be ignored if
1309 BIO_ctrl(SSL_get_wbio(s
), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY
,
1314 dtls1_reset_seq_numbers(s
, SSL3_CC_WRITE
);
1318 case TLS_ST_CW_FINISHED
:
1319 #ifndef OPENSSL_NO_SCTP
1320 if (wst
== WORK_MORE_A
&& SSL_IS_DTLS(s
) && s
->hit
== 0) {
1322 * Change to new shared key of SCTP-Auth, will be ignored if
1325 BIO_ctrl(SSL_get_wbio(s
), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY
,
1329 if (statem_flush(s
) != 1)
1332 if (s
->hit
&& tls_finish_handshake(s
, WORK_MORE_A
) != 1)
1337 /* No post work to be done */
1341 return WORK_FINISHED_CONTINUE
;
1345 * Construct a message to be sent from the client to the server.
1347 * Valid return values are:
1351 static int client_construct_message(SSL
*s
)
1353 STATEM
*st
= &s
->statem
;
1355 switch(st
->hand_state
) {
1356 case TLS_ST_CW_CLNT_HELLO
:
1357 return tls_construct_client_hello(s
);
1359 case TLS_ST_CW_CERT
:
1360 return tls_construct_client_certificate(s
);
1362 case TLS_ST_CW_KEY_EXCH
:
1363 return tls_construct_client_key_exchange(s
);
1365 case TLS_ST_CW_CERT_VRFY
:
1366 return tls_construct_client_verify(s
);
1368 case TLS_ST_CW_CHANGE
:
1370 return dtls_construct_change_cipher_spec(s
);
1372 return tls_construct_change_cipher_spec(s
);
1374 #if !defined(OPENSSL_NO_NEXTPROTONEG)
1375 case TLS_ST_CW_NEXT_PROTO
:
1376 return tls_construct_next_proto(s
);
1378 case TLS_ST_CW_FINISHED
:
1379 return tls_construct_finished(s
,
1381 ssl3_enc
->client_finished_label
,
1383 ssl3_enc
->client_finished_label_len
);
1386 /* Shouldn't happen */
1393 /* The spec allows for a longer length than this, but we limit it */
1394 #define HELLO_VERIFY_REQUEST_MAX_LENGTH 258
1395 #define SERVER_HELLO_MAX_LENGTH 20000
1396 #define SERVER_KEY_EXCH_MAX_LENGTH 102400
1397 #define SERVER_HELLO_DONE_MAX_LENGTH 0
1398 #define CCS_MAX_LENGTH 1
1399 /* Max should actually be 36 but we are generous */
1400 #define FINISHED_MAX_LENGTH 64
1403 * Returns the maximum allowed length for the current message that we are
1404 * reading. Excludes the message header.
1406 static unsigned long client_max_message_size(SSL
*s
)
1408 STATEM
*st
= &s
->statem
;
1410 switch(st
->hand_state
) {
1411 case TLS_ST_CR_SRVR_HELLO
:
1412 return SERVER_HELLO_MAX_LENGTH
;
1414 case DTLS_ST_CR_HELLO_VERIFY_REQUEST
:
1415 return HELLO_VERIFY_REQUEST_MAX_LENGTH
;
1417 case TLS_ST_CR_CERT
:
1418 return s
->max_cert_list
;
1420 case TLS_ST_CR_CERT_STATUS
:
1421 return SSL3_RT_MAX_PLAIN_LENGTH
;
1423 case TLS_ST_CR_KEY_EXCH
:
1424 return SERVER_KEY_EXCH_MAX_LENGTH
;
1426 case TLS_ST_CR_CERT_REQ
:
1427 return SSL3_RT_MAX_PLAIN_LENGTH
;
1429 case TLS_ST_CR_SRVR_DONE
:
1430 return SERVER_HELLO_DONE_MAX_LENGTH
;
1432 case TLS_ST_CR_CHANGE
:
1433 return CCS_MAX_LENGTH
;
1435 case TLS_ST_CR_SESSION_TICKET
:
1436 return SSL3_RT_MAX_PLAIN_LENGTH
;
1438 case TLS_ST_CR_FINISHED
:
1439 return FINISHED_MAX_LENGTH
;
1442 /* Shouldn't happen */
1450 * Process a message that the client has been received from the server.
1452 static enum MSG_PROCESS_RETURN
client_process_message(SSL
*s
, PACKET
*pkt
)
1454 STATEM
*st
= &s
->statem
;
1456 switch(st
->hand_state
) {
1457 case TLS_ST_CR_SRVR_HELLO
:
1458 return tls_process_server_hello(s
, pkt
);
1460 case DTLS_ST_CR_HELLO_VERIFY_REQUEST
:
1461 return dtls_process_hello_verify(s
, pkt
);
1463 case TLS_ST_CR_CERT
:
1464 return tls_process_server_certificate(s
, pkt
);
1466 case TLS_ST_CR_CERT_STATUS
:
1467 return tls_process_cert_status(s
, pkt
);
1469 case TLS_ST_CR_KEY_EXCH
:
1470 return tls_process_key_exchange(s
, pkt
);
1472 case TLS_ST_CR_CERT_REQ
:
1473 return tls_process_certificate_request(s
, pkt
);
1475 case TLS_ST_CR_SRVR_DONE
:
1476 return tls_process_server_done(s
, pkt
);
1478 case TLS_ST_CR_CHANGE
:
1479 return tls_process_change_cipher_spec(s
, pkt
);
1481 case TLS_ST_CR_SESSION_TICKET
:
1482 return tls_process_new_session_ticket(s
, pkt
);
1484 case TLS_ST_CR_FINISHED
:
1485 return tls_process_finished(s
, pkt
);
1488 /* Shouldn't happen */
1492 return MSG_PROCESS_ERROR
;
1496 * Perform any further processing required following the receipt of a message
1499 static enum WORK_STATE
client_post_process_message(SSL
*s
, enum WORK_STATE wst
)
1501 STATEM
*st
= &s
->statem
;
1503 switch(st
->hand_state
) {
1504 #ifndef OPENSSL_NO_SCTP
1505 case TLS_ST_CR_SRVR_DONE
:
1506 /* We only get here if we are using SCTP and we are renegotiating */
1507 if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s
))) {
1508 s
->s3
->in_read_app_data
= 2;
1509 s
->rwstate
= SSL_READING
;
1510 BIO_clear_retry_flags(SSL_get_rbio(s
));
1511 BIO_set_retry_read(SSL_get_rbio(s
));
1512 statem_set_sctp_read_sock(s
, 1);
1515 statem_set_sctp_read_sock(s
, 0);
1516 return WORK_FINISHED_STOP
;
1519 case TLS_ST_CR_FINISHED
:
1521 return tls_finish_handshake(s
, wst
);
1523 return WORK_FINISHED_STOP
;
1528 /* Shouldn't happen */
1534 * server_read_transition() encapsulates the logic for the allowed handshake
1535 * state transitions when the server is reading messages from the client. The
1536 * message type that the client has sent is provided in |mt|. The current state
1537 * is in |s->statem.hand_state|.
1539 * Valid return values are:
1540 * 1: Success (transition allowed)
1541 * 0: Error (transition not allowed)
1543 static int server_read_transition(SSL
*s
, int mt
)
1545 STATEM
*st
= &s
->statem
;
1547 switch(st
->hand_state
) {
1549 case DTLS_ST_SW_HELLO_VERIFY_REQUEST
:
1550 if (mt
== SSL3_MT_CLIENT_HELLO
) {
1551 st
->hand_state
= TLS_ST_SR_CLNT_HELLO
;
1556 case TLS_ST_SW_SRVR_DONE
:
1558 * If we get a CKE message after a ServerDone then either
1559 * 1) We didn't request a Certificate
1561 * 2) If we did request one then
1562 * a) We allow no Certificate to be returned
1564 * b) We are running SSL3 (in TLS1.0+ the client must return a 0
1565 * list if we requested a certificate)
1567 if (mt
== SSL3_MT_CLIENT_KEY_EXCHANGE
1568 && (!s
->s3
->tmp
.cert_request
1569 || (!((s
->verify_mode
& SSL_VERIFY_PEER
) &&
1570 (s
->verify_mode
& SSL_VERIFY_FAIL_IF_NO_PEER_CERT
))
1571 && (s
->version
== SSL3_VERSION
)))) {
1572 st
->hand_state
= TLS_ST_SR_KEY_EXCH
;
1574 } else if (s
->s3
->tmp
.cert_request
) {
1575 if (mt
== SSL3_MT_CERTIFICATE
) {
1576 st
->hand_state
= TLS_ST_SR_CERT
;
1582 case TLS_ST_SR_CERT
:
1583 if (mt
== SSL3_MT_CLIENT_KEY_EXCHANGE
) {
1584 st
->hand_state
= TLS_ST_SR_KEY_EXCH
;
1589 case TLS_ST_SR_KEY_EXCH
:
1591 * We should only process a CertificateVerify message if we have
1592 * received a Certificate from the client. If so then |s->session->peer|
1593 * will be non NULL. In some instances a CertificateVerify message is
1594 * not required even if the peer has sent a Certificate (e.g. such as in
1595 * the case of static DH). In that case |s->no_cert_verify| should be
1598 if (s
->session
->peer
== NULL
|| s
->no_cert_verify
) {
1599 if (mt
== SSL3_MT_CHANGE_CIPHER_SPEC
) {
1601 * For the ECDH ciphersuites when the client sends its ECDH
1602 * pub key in a certificate, the CertificateVerify message is
1603 * not sent. Also for GOST ciphersuites when the client uses
1604 * its key from the certificate for key exchange.
1606 st
->hand_state
= TLS_ST_SR_CHANGE
;
1610 if (mt
== SSL3_MT_CERTIFICATE_VERIFY
) {
1611 st
->hand_state
= TLS_ST_SR_CERT_VRFY
;
1617 case TLS_ST_SR_CERT_VRFY
:
1618 if (mt
== SSL3_MT_CHANGE_CIPHER_SPEC
) {
1619 st
->hand_state
= TLS_ST_SR_CHANGE
;
1624 case TLS_ST_SR_CHANGE
:
1625 #ifndef OPENSSL_NO_NEXTPROTONEG
1626 if (s
->s3
->next_proto_neg_seen
) {
1627 if (mt
== SSL3_MT_NEXT_PROTO
) {
1628 st
->hand_state
= TLS_ST_SR_NEXT_PROTO
;
1633 if (mt
== SSL3_MT_FINISHED
) {
1634 st
->hand_state
= TLS_ST_SR_FINISHED
;
1637 #ifndef OPENSSL_NO_NEXTPROTONEG
1642 #ifndef OPENSSL_NO_NEXTPROTONEG
1643 case TLS_ST_SR_NEXT_PROTO
:
1644 if (mt
== SSL3_MT_FINISHED
) {
1645 st
->hand_state
= TLS_ST_SR_FINISHED
;
1651 case TLS_ST_SW_FINISHED
:
1652 if (mt
== SSL3_MT_CHANGE_CIPHER_SPEC
) {
1653 st
->hand_state
= TLS_ST_SR_CHANGE
;
1662 /* No valid transition found */
1667 * Should we send a ServerKeyExchange message?
1669 * Valid return values are:
1673 static inline int send_server_key_exchange(SSL
*s
)
1675 unsigned long alg_k
= s
->s3
->tmp
.new_cipher
->algorithm_mkey
;
1678 * only send a ServerKeyExchange if DH, fortezza or RSA but we have a
1679 * sign only certificate PSK: may send PSK identity hints For
1680 * ECC ciphersuites, we send a serverKeyExchange message only if
1681 * the cipher suite is either ECDH-anon or ECDHE. In other cases,
1682 * the server certificate contains the server's public key for
1685 if ( (alg_k
& SSL_kDHE
)
1686 || (alg_k
& SSL_kECDHE
)
1687 || ((alg_k
& SSL_kRSA
)
1688 && (s
->cert
->pkeys
[SSL_PKEY_RSA_ENC
].privatekey
== NULL
1689 || (SSL_C_IS_EXPORT(s
->s3
->tmp
.new_cipher
)
1690 && EVP_PKEY_size(s
->cert
->pkeys
1691 [SSL_PKEY_RSA_ENC
].privatekey
) *
1692 8 > SSL_C_EXPORT_PKEYLENGTH(s
->s3
->tmp
.new_cipher
)
1697 * PSK: send ServerKeyExchange if PSK identity hint if
1700 #ifndef OPENSSL_NO_PSK
1701 /* Only send SKE if we have identity hint for plain PSK */
1702 || ((alg_k
& (SSL_kPSK
| SSL_kRSAPSK
))
1703 && s
->cert
->psk_identity_hint
)
1704 /* For other PSK always send SKE */
1705 || (alg_k
& (SSL_PSK
& (SSL_kDHEPSK
| SSL_kECDHEPSK
)))
1707 #ifndef OPENSSL_NO_SRP
1708 /* SRP: send ServerKeyExchange */
1709 || (alg_k
& SSL_kSRP
)
1719 * Should we send a CertificateRequest message?
1721 * Valid return values are:
1725 static inline int send_certificate_request(SSL
*s
)
1728 /* don't request cert unless asked for it: */
1729 s
->verify_mode
& SSL_VERIFY_PEER
1731 * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
1732 * during re-negotiation:
1734 && ((s
->session
->peer
== NULL
) ||
1735 !(s
->verify_mode
& SSL_VERIFY_CLIENT_ONCE
))
1737 * never request cert in anonymous ciphersuites (see
1738 * section "Certificate request" in SSL 3 drafts and in
1741 && (!(s
->s3
->tmp
.new_cipher
->algorithm_auth
& SSL_aNULL
)
1743 * ... except when the application insists on
1744 * verification (against the specs, but s3_clnt.c accepts
1747 || (s
->verify_mode
& SSL_VERIFY_FAIL_IF_NO_PEER_CERT
))
1748 /* don't request certificate for SRP auth */
1749 && !(s
->s3
->tmp
.new_cipher
->algorithm_auth
& SSL_aSRP
)
1751 * With normal PSK Certificates and Certificate Requests
1754 && !(s
->s3
->tmp
.new_cipher
->algorithm_mkey
& SSL_PSK
)) {
1762 * server_write_transition() works out what handshake state to move to next
1763 * when the server is writing messages to be sent to the client.
1765 static enum WRITE_TRAN
server_write_transition(SSL
*s
)
1767 STATEM
*st
= &s
->statem
;
1769 switch(st
->hand_state
) {
1771 /* Just go straight to trying to read from the client */;
1772 return WRITE_TRAN_FINISHED
;
1775 /* We must be trying to renegotiate */
1776 st
->hand_state
= TLS_ST_SW_HELLO_REQ
;
1777 return WRITE_TRAN_CONTINUE
;
1779 case TLS_ST_SW_HELLO_REQ
:
1780 st
->hand_state
= TLS_ST_OK
;
1781 statem_set_in_init(s
, 0);
1782 return WRITE_TRAN_CONTINUE
;
1784 case TLS_ST_SR_CLNT_HELLO
:
1785 if (SSL_IS_DTLS(s
) && !s
->d1
->cookie_verified
1786 && (SSL_get_options(s
) & SSL_OP_COOKIE_EXCHANGE
))
1787 st
->hand_state
= DTLS_ST_SW_HELLO_VERIFY_REQUEST
;
1789 st
->hand_state
= TLS_ST_SW_SRVR_HELLO
;
1790 return WRITE_TRAN_CONTINUE
;
1792 case DTLS_ST_SW_HELLO_VERIFY_REQUEST
:
1793 return WRITE_TRAN_FINISHED
;
1795 case TLS_ST_SW_SRVR_HELLO
:
1797 if (s
->tlsext_ticket_expected
)
1798 st
->hand_state
= TLS_ST_SW_SESSION_TICKET
;
1800 st
->hand_state
= TLS_ST_SW_CHANGE
;
1802 /* Check if it is anon DH or anon ECDH, */
1803 /* normal PSK or SRP */
1804 if (!(s
->s3
->tmp
.new_cipher
->algorithm_auth
&
1805 (SSL_aNULL
| SSL_aSRP
| SSL_aPSK
))) {
1806 st
->hand_state
= TLS_ST_SW_CERT
;
1807 } else if (send_server_key_exchange(s
)) {
1808 st
->hand_state
= TLS_ST_SW_KEY_EXCH
;
1809 } else if (send_certificate_request(s
)) {
1810 st
->hand_state
= TLS_ST_SW_CERT_REQ
;
1812 st
->hand_state
= TLS_ST_SW_SRVR_DONE
;
1815 return WRITE_TRAN_CONTINUE
;
1817 case TLS_ST_SW_CERT
:
1818 if (s
->tlsext_status_expected
) {
1819 st
->hand_state
= TLS_ST_SW_CERT_STATUS
;
1820 return WRITE_TRAN_CONTINUE
;
1824 case TLS_ST_SW_CERT_STATUS
:
1825 if (send_server_key_exchange(s
)) {
1826 st
->hand_state
= TLS_ST_SW_KEY_EXCH
;
1827 return WRITE_TRAN_CONTINUE
;
1831 case TLS_ST_SW_KEY_EXCH
:
1832 if (send_certificate_request(s
)) {
1833 st
->hand_state
= TLS_ST_SW_CERT_REQ
;
1834 return WRITE_TRAN_CONTINUE
;
1838 case TLS_ST_SW_CERT_REQ
:
1839 st
->hand_state
= TLS_ST_SW_SRVR_DONE
;
1840 return WRITE_TRAN_CONTINUE
;
1842 case TLS_ST_SW_SRVR_DONE
:
1843 return WRITE_TRAN_FINISHED
;
1845 case TLS_ST_SR_FINISHED
:
1847 st
->hand_state
= TLS_ST_OK
;
1848 statem_set_in_init(s
, 0);
1849 return WRITE_TRAN_CONTINUE
;
1850 } else if (s
->tlsext_ticket_expected
) {
1851 st
->hand_state
= TLS_ST_SW_SESSION_TICKET
;
1853 st
->hand_state
= TLS_ST_SW_CHANGE
;
1855 return WRITE_TRAN_CONTINUE
;
1857 case TLS_ST_SW_SESSION_TICKET
:
1858 st
->hand_state
= TLS_ST_SW_CHANGE
;
1859 return WRITE_TRAN_CONTINUE
;
1861 case TLS_ST_SW_CHANGE
:
1862 st
->hand_state
= TLS_ST_SW_FINISHED
;
1863 return WRITE_TRAN_CONTINUE
;
1865 case TLS_ST_SW_FINISHED
:
1867 return WRITE_TRAN_FINISHED
;
1869 st
->hand_state
= TLS_ST_OK
;
1870 statem_set_in_init(s
, 0);
1871 return WRITE_TRAN_CONTINUE
;
1874 /* Shouldn't happen */
1875 return WRITE_TRAN_ERROR
;
1880 * Perform any pre work that needs to be done prior to sending a message from
1881 * the server to the client.
1883 static enum WORK_STATE
server_pre_work(SSL
*s
, enum WORK_STATE wst
)
1885 STATEM
*st
= &s
->statem
;
1887 switch(st
->hand_state
) {
1888 case TLS_ST_SW_HELLO_REQ
:
1891 dtls1_clear_record_buffer(s
);
1894 case DTLS_ST_SW_HELLO_VERIFY_REQUEST
:
1896 if (SSL_IS_DTLS(s
)) {
1897 dtls1_clear_record_buffer(s
);
1898 /* We don't buffer this message so don't use the timer */
1903 case TLS_ST_SW_SRVR_HELLO
:
1904 if (SSL_IS_DTLS(s
)) {
1906 * Messages we write from now on should be bufferred and
1907 * retransmitted if necessary, so we need to use the timer now
1913 case TLS_ST_SW_SRVR_DONE
:
1914 #ifndef OPENSSL_NO_SCTP
1915 if (SSL_IS_DTLS(s
) && BIO_dgram_is_sctp(SSL_get_wbio(s
)))
1916 return dtls_wait_for_dry(s
);
1918 return WORK_FINISHED_CONTINUE
;
1920 case TLS_ST_SW_SESSION_TICKET
:
1921 if (SSL_IS_DTLS(s
)) {
1923 * We're into the last flight. We don't retransmit the last flight
1924 * unless we need to, so we don't use the timer
1930 case TLS_ST_SW_CHANGE
:
1931 s
->session
->cipher
= s
->s3
->tmp
.new_cipher
;
1932 if (!s
->method
->ssl3_enc
->setup_key_block(s
)) {
1933 statem_set_error(s
);
1936 if (SSL_IS_DTLS(s
)) {
1938 * We're into the last flight. We don't retransmit the last flight
1939 * unless we need to, so we don't use the timer. This might have
1940 * already been set to 0 if we sent a NewSessionTicket message,
1941 * but we'll set it again here in case we didn't.
1945 return WORK_FINISHED_CONTINUE
;
1948 return tls_finish_handshake(s
, wst
);
1951 /* No pre work to be done */
1955 return WORK_FINISHED_CONTINUE
;
1959 * Perform any work that needs to be done after sending a message from the
1960 * server to the client.
1962 static enum WORK_STATE
server_post_work(SSL
*s
, enum WORK_STATE wst
)
1964 STATEM
*st
= &s
->statem
;
1968 switch(st
->hand_state
) {
1969 case TLS_ST_SW_HELLO_REQ
:
1970 if (statem_flush(s
) != 1)
1972 ssl3_init_finished_mac(s
);
1975 case DTLS_ST_SW_HELLO_VERIFY_REQUEST
:
1976 if (statem_flush(s
) != 1)
1978 /* HelloVerifyRequest resets Finished MAC */
1979 if (s
->version
!= DTLS1_BAD_VER
)
1980 ssl3_init_finished_mac(s
);
1982 * The next message should be another ClientHello which we need to
1983 * treat like it was the first packet
1985 s
->first_packet
= 1;
1988 case TLS_ST_SW_SRVR_HELLO
:
1989 #ifndef OPENSSL_NO_SCTP
1990 if (SSL_IS_DTLS(s
) && s
->hit
) {
1991 unsigned char sctpauthkey
[64];
1992 char labelbuffer
[sizeof(DTLS1_SCTP_AUTH_LABEL
)];
1995 * Add new shared key for SCTP-Auth, will be ignored if no
1998 snprintf((char *)labelbuffer
, sizeof(DTLS1_SCTP_AUTH_LABEL
),
1999 DTLS1_SCTP_AUTH_LABEL
);
2001 if (SSL_export_keying_material(s
, sctpauthkey
,
2002 sizeof(sctpauthkey
), labelbuffer
,
2003 sizeof(labelbuffer
), NULL
, 0, 0) <= 0) {
2004 statem_set_error(s
);
2008 BIO_ctrl(SSL_get_wbio(s
), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY
,
2009 sizeof(sctpauthkey
), sctpauthkey
);
2014 case TLS_ST_SW_CHANGE
:
2015 #ifndef OPENSSL_NO_SCTP
2016 if (SSL_IS_DTLS(s
) && !s
->hit
) {
2018 * Change to new shared key of SCTP-Auth, will be ignored if
2021 BIO_ctrl(SSL_get_wbio(s
), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY
,
2025 if (!s
->method
->ssl3_enc
->change_cipher_state(s
,
2026 SSL3_CHANGE_CIPHER_SERVER_WRITE
)) {
2027 statem_set_error(s
);
2032 dtls1_reset_seq_numbers(s
, SSL3_CC_WRITE
);
2035 case TLS_ST_SW_SRVR_DONE
:
2036 if (statem_flush(s
) != 1)
2040 case TLS_ST_SW_FINISHED
:
2041 if (statem_flush(s
) != 1)
2043 #ifndef OPENSSL_NO_SCTP
2044 if (SSL_IS_DTLS(s
) && s
->hit
) {
2046 * Change to new shared key of SCTP-Auth, will be ignored if
2049 BIO_ctrl(SSL_get_wbio(s
), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY
,
2056 /* No post work to be done */
2060 return WORK_FINISHED_CONTINUE
;
2064 * Construct a message to be sent from the server to the client.
2066 * Valid return values are:
2070 static int server_construct_message(SSL
*s
)
2072 STATEM
*st
= &s
->statem
;
2074 switch(st
->hand_state
) {
2075 case DTLS_ST_SW_HELLO_VERIFY_REQUEST
:
2076 return dtls_construct_hello_verify_request(s
);
2078 case TLS_ST_SW_HELLO_REQ
:
2079 return tls_construct_hello_request(s
);
2081 case TLS_ST_SW_SRVR_HELLO
:
2082 return tls_construct_server_hello(s
);
2084 case TLS_ST_SW_CERT
:
2085 return tls_construct_server_certificate(s
);
2087 case TLS_ST_SW_KEY_EXCH
:
2088 return tls_construct_server_key_exchange(s
);
2090 case TLS_ST_SW_CERT_REQ
:
2091 return tls_construct_certificate_request(s
);
2093 case TLS_ST_SW_SRVR_DONE
:
2094 return tls_construct_server_done(s
);
2096 case TLS_ST_SW_SESSION_TICKET
:
2097 return tls_construct_new_session_ticket(s
);
2099 case TLS_ST_SW_CERT_STATUS
:
2100 return tls_construct_cert_status(s
);
2102 case TLS_ST_SW_CHANGE
:
2104 return dtls_construct_change_cipher_spec(s
);
2106 return tls_construct_change_cipher_spec(s
);
2108 case TLS_ST_SW_FINISHED
:
2109 return tls_construct_finished(s
,
2111 ssl3_enc
->server_finished_label
,
2113 ssl3_enc
->server_finished_label_len
);
2116 /* Shouldn't happen */
2123 #define CLIENT_KEY_EXCH_MAX_LENGTH 2048
2124 #define NEXT_PROTO_MAX_LENGTH 514
2127 * Returns the maximum allowed length for the current message that we are
2128 * reading. Excludes the message header.
2130 static unsigned long server_max_message_size(SSL
*s
)
2132 STATEM
*st
= &s
->statem
;
2134 switch(st
->hand_state
) {
2135 case TLS_ST_SR_CLNT_HELLO
:
2136 return SSL3_RT_MAX_PLAIN_LENGTH
;
2138 case TLS_ST_SR_CERT
:
2139 return s
->max_cert_list
;
2141 case TLS_ST_SR_KEY_EXCH
:
2142 return CLIENT_KEY_EXCH_MAX_LENGTH
;
2144 case TLS_ST_SR_CERT_VRFY
:
2145 return SSL3_RT_MAX_PLAIN_LENGTH
;
2147 #ifndef OPENSSL_NO_NEXTPROTONEG
2148 case TLS_ST_SR_NEXT_PROTO
:
2149 return NEXT_PROTO_MAX_LENGTH
;
2152 case TLS_ST_SR_CHANGE
:
2153 return CCS_MAX_LENGTH
;
2155 case TLS_ST_SR_FINISHED
:
2156 return FINISHED_MAX_LENGTH
;
2159 /* Shouldn't happen */
2167 * Process a message that the server has received from the client.
2169 static enum MSG_PROCESS_RETURN
server_process_message(SSL
*s
, PACKET
*pkt
)
2171 STATEM
*st
= &s
->statem
;
2173 switch(st
->hand_state
) {
2174 case TLS_ST_SR_CLNT_HELLO
:
2175 return tls_process_client_hello(s
, pkt
);
2177 case TLS_ST_SR_CERT
:
2178 return tls_process_client_certificate(s
, pkt
);
2180 case TLS_ST_SR_KEY_EXCH
:
2181 return tls_process_client_key_exchange(s
, pkt
);
2183 case TLS_ST_SR_CERT_VRFY
:
2184 return tls_process_cert_verify(s
, pkt
);
2186 #ifndef OPENSSL_NO_NEXTPROTONEG
2187 case TLS_ST_SR_NEXT_PROTO
:
2188 return tls_process_next_proto(s
, pkt
);
2191 case TLS_ST_SR_CHANGE
:
2192 return tls_process_change_cipher_spec(s
, pkt
);
2194 case TLS_ST_SR_FINISHED
:
2195 return tls_process_finished(s
, pkt
);
2198 /* Shouldn't happen */
2202 return MSG_PROCESS_ERROR
;
2206 * Perform any further processing required following the receipt of a message
2209 static enum WORK_STATE
server_post_process_message(SSL
*s
, enum WORK_STATE wst
)
2211 STATEM
*st
= &s
->statem
;
2213 switch(st
->hand_state
) {
2214 case TLS_ST_SR_CLNT_HELLO
:
2215 return tls_post_process_client_hello(s
, wst
);
2217 case TLS_ST_SR_KEY_EXCH
:
2218 return tls_post_process_client_key_exchange(s
, wst
);
2220 case TLS_ST_SR_CERT_VRFY
:
2221 #ifndef OPENSSL_NO_SCTP
2222 if ( /* Is this SCTP? */
2223 BIO_dgram_is_sctp(SSL_get_wbio(s
))
2224 /* Are we renegotiating? */
2226 && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s
))) {
2227 s
->s3
->in_read_app_data
= 2;
2228 s
->rwstate
= SSL_READING
;
2229 BIO_clear_retry_flags(SSL_get_rbio(s
));
2230 BIO_set_retry_read(SSL_get_rbio(s
));
2231 statem_set_sctp_read_sock(s
, 1);
2234 statem_set_sctp_read_sock(s
, 0);
2237 return WORK_FINISHED_CONTINUE
;
2240 case TLS_ST_SR_FINISHED
:
2242 return tls_finish_handshake(s
, wst
);
2244 return WORK_FINISHED_STOP
;
2249 /* Shouldn't happen */