Commit 49ae7423 authored by Matt Caswell's avatar Matt Caswell
Browse files

Remove redundant code 



Clean up and remove lots of code that is now no longer needed due to the
move to the new state machine.

Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
parent c130dd8e

apps/s_server.c

+1 −1
Original line number Diff line number Diff line
@@ -2428,7 +2428,7 @@ static int init_ssl_connection(SSL *con) 
#ifdef CERT_CB_TEST_RETRY

    {

        while (i <= 0 && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP

               && SSL_state(con) == SSL3_ST_SR_CLNT_HELLO_C) {

               && SSL_state(con) == TLS_ST_SR_CLNT_HELLO) {

            BIO_printf(bio_err,

                       "LOOKUP from certificate callback during accept\n");

            i = SSL_accept(con);

include/openssl/ssl.h

+60 −7
Original line number Diff line number Diff line
@@ -920,6 +920,59 @@ extern "C" { 
# define SSL_CTX_get_app_data(ctx)       (SSL_CTX_get_ex_data(ctx,0))

# define SSL_CTX_set_app_data(ctx,arg)   (SSL_CTX_set_ex_data(ctx,0,(char *)arg))





/*

 * The valid handshake states (one for each type message sent and one for each

 * type of message received). There are also two "special" states:

 * TLS = TLS or DTLS state

 * DTLS = DTLS specific state

 * CR/SR = Client Read/Server Read

 * CW/SW = Client Write/Server Write

 *

 * The "special" states are:

 * TLS_ST_BEFORE = No handshake has been initiated yet

 * TLS_ST_OK = A handshake has been successfully completed

 */

enum HANDSHAKE_STATE {

    TLS_ST_BEFORE,

    TLS_ST_OK,

    DTLS_ST_CR_HELLO_VERIFY_REQUEST,

    TLS_ST_CR_SRVR_HELLO,

    TLS_ST_CR_CERT,

    TLS_ST_CR_CERT_STATUS,

    TLS_ST_CR_KEY_EXCH,

    TLS_ST_CR_CERT_REQ,

    TLS_ST_CR_SRVR_DONE,

    TLS_ST_CR_SESSION_TICKET,

    TLS_ST_CR_CHANGE,

    TLS_ST_CR_FINISHED,

    TLS_ST_CW_CLNT_HELLO,

    TLS_ST_CW_CERT,

    TLS_ST_CW_KEY_EXCH,

    TLS_ST_CW_CERT_VRFY,

    TLS_ST_CW_CHANGE,

    TLS_ST_CW_NEXT_PROTO,

    TLS_ST_CW_FINISHED,

    TLS_ST_SW_HELLO_REQ,

    TLS_ST_SR_CLNT_HELLO,

    DTLS_ST_SW_HELLO_VERIFY_REQUEST,

    TLS_ST_SW_SRVR_HELLO,

    TLS_ST_SW_CERT,

    TLS_ST_SW_KEY_EXCH,

    TLS_ST_SW_CERT_REQ,

    TLS_ST_SW_SRVR_DONE,

    TLS_ST_SR_CERT,

    TLS_ST_SR_KEY_EXCH,

    TLS_ST_SR_CERT_VRFY,

    TLS_ST_SR_NEXT_PROTO,

    TLS_ST_SR_CHANGE,

    TLS_ST_SR_FINISHED,

    TLS_ST_SW_SESSION_TICKET,

    TLS_ST_SW_CERT_STATUS,

    TLS_ST_SW_CHANGE,

    TLS_ST_SW_FINISHED

};



/*

 * The following are the possible values for ssl->state are are used to

 * indicate where we are up to in the SSL connection establishment. The
@@ -953,11 +1006,11 @@ extern "C" { 


/* Is the SSL_connection established? */

# define SSL_get_state(a)                SSL_state(a)

# define SSL_is_init_finished(a)         (SSL_state(a) == SSL_ST_OK)

# define SSL_in_init(a)                  (SSL_state(a)&SSL_ST_INIT)

# define SSL_in_before(a)                (SSL_state(a)&SSL_ST_BEFORE)

# define SSL_in_connect_init(a)          (SSL_state(a)&SSL_ST_CONNECT)

# define SSL_in_accept_init(a)           (SSL_state(a)&SSL_ST_ACCEPT)

# define SSL_in_connect_init(a)          (SSL_in_init(a) && !a->server)

# define SSL_in_accept_init(a)           (SSL_in_init(a) && a->server)

int SSL_in_init(SSL *s);

int SSL_in_before(SSL *s);

int SSL_is_init_finished(SSL *s);



/*

 * The following 3 states are kept in ssl->rlayer.rstate when reads fail, you
@@ -1646,8 +1699,8 @@ void SSL_set_info_callback(SSL *ssl, 
                           void (*cb) (const SSL *ssl, int type, int val));

void (*SSL_get_info_callback(const SSL *ssl)) (const SSL *ssl, int type,

                                               int val);

__owur int SSL_state(const SSL *ssl);

void SSL_set_state(SSL *ssl, int state);

__owur enum HANDSHAKE_STATE SSL_state(const SSL *ssl);

void SSL_set_state(SSL *ssl, enum HANDSHAKE_STATE state);



void SSL_set_verify_result(SSL *ssl, long v);

__owur long SSL_get_verify_result(const SSL *ssl);

ssl/d1_both.c

+0 −150
Original line number Diff line number Diff line
@@ -160,8 +160,6 @@ static void dtls1_set_message_header_int(SSL *s, unsigned char mt, 
                                         unsigned short seq_num,

                                         unsigned long frag_off,

                                         unsigned long frag_len);

static long dtls1_get_message_fragment(SSL *s, int st1, int stn, int mt,

                                       int *ok);

static int dtls_get_reassembled_message(SSL *s, long *len);



static hm_fragment *dtls1_hm_fragment_new(unsigned long frag_len,
@@ -438,117 +436,6 @@ int dtls1_do_write(SSL *s, int type) 
    return (0);

}



/*

 * Obtain handshake message of message type 'mt' (any if mt == -1), maximum

 * acceptable body length 'max'. Read an entire handshake message.  Handshake

 * messages arrive in fragments.

 */

long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)

{

    int i, al;

    struct hm_header_st *msg_hdr;

    unsigned char *p;

    unsigned long msg_len;



    /*

     * s3->tmp is used to store messages that are unexpected, caused by the

     * absence of an optional handshake message

     */

    if (s->s3->tmp.reuse_message) {

        if ((mt >= 0) && (s->s3->tmp.message_type != mt)) {

            al = SSL_AD_UNEXPECTED_MESSAGE;

            SSLerr(SSL_F_DTLS1_GET_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);

            goto f_err;

        }

        *ok = 1;





        /*

         * Messages reused from dtls1_listen also have the record header in

         * the buffer which we need to skip over.

         */

        if (s->s3->tmp.reuse_message == DTLS1_SKIP_RECORD_HEADER) {

            s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH

                          + DTLS1_RT_HEADER_LENGTH;

        } else {

            s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH;

        }

        s->init_num = (int)s->s3->tmp.message_size;

        s->s3->tmp.reuse_message = 0;

        return s->init_num;

    }



    msg_hdr = &s->d1->r_msg_hdr;

    memset(msg_hdr, 0, sizeof(*msg_hdr));



 again:

    i = dtls1_get_message_fragment(s, st1, stn, mt, ok);

    if (i == DTLS1_HM_BAD_FRAGMENT || i == DTLS1_HM_FRAGMENT_RETRY) {

        /* bad fragment received */

        goto again;

    } else if (i <= 0 && !*ok) {

        return i;

    }



    if (mt >= 0 && s->s3->tmp.message_type != mt) {

        al = SSL_AD_UNEXPECTED_MESSAGE;

        SSLerr(SSL_F_DTLS1_GET_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);

        goto f_err;

    }



    p = (unsigned char *)s->init_buf->data;



    if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {

        if (s->msg_callback) {

            s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC,

                            p, 1, s, s->msg_callback_arg);

        }

        /*

         * This isn't a real handshake message so skip the processing below.

         * dtls1_get_message_fragment() will never return a CCS if mt == -1,

         * so we are ok to continue in that case.

         */

        return i;

    }



    msg_len = msg_hdr->msg_len;



    /* reconstruct message header */

    *(p++) = msg_hdr->type;

    l2n3(msg_len, p);

    s2n(msg_hdr->seq, p);

    l2n3(0, p);

    l2n3(msg_len, p);

    if (s->version != DTLS1_BAD_VER) {

        p -= DTLS1_HM_HEADER_LENGTH;

        msg_len += DTLS1_HM_HEADER_LENGTH;

    }



    if (msg_len > (unsigned long)max) {

        al = SSL_AD_ILLEGAL_PARAMETER;

        SSLerr(SSL_F_DTLS1_GET_MESSAGE, SSL_R_EXCESSIVE_MESSAGE_SIZE);

        goto f_err;

    }



    ssl3_finish_mac(s, p, msg_len);

    if (s->msg_callback)

        s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,

                        p, msg_len, s, s->msg_callback_arg);



    memset(msg_hdr, 0, sizeof(*msg_hdr));



    s->d1->handshake_read_seq++;





    s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH;

    return s->init_num;



 f_err:

    ssl3_send_alert(s, SSL3_AL_FATAL, al);

    *ok = 0;

    return -1;

}



int dtls_get_message(SSL *s, int *mt, unsigned long *len)

{

    struct hm_header_st *msg_hdr;
@@ -925,30 +812,6 @@ dtls1_process_out_of_seq_message(SSL *s, const struct hm_header_st *msg_hdr, 
    return i;

}



static long

dtls1_get_message_fragment(SSL *s, int st1, int stn, int mt, int *ok)

{

    long len;



    do {

        *ok = dtls_get_reassembled_message(s, &len);

        /* A CCS isn't a real handshake message, so if we get one there is no

         * message sequence number to give us confidence that this was really

         * intended to be at this point in the handshake sequence. Therefore we

         * only allow this if we were explicitly looking for it (i.e. if |mt|

         * is -1 we still don't allow it). If we get one when we're not

         * expecting it then probably something got re-ordered or this is a

         * retransmit. We should drop this and try again.

         */

    } while (*ok && mt != SSL3_MT_CHANGE_CIPHER_SPEC

             && s->s3->tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC);



    if (*ok)

        s->state = stn;



    return len;

}



static int dtls_get_reassembled_message(SSL *s, long *len)

{

    unsigned char wire[DTLS1_HM_HEADER_LENGTH];
@@ -1103,19 +966,6 @@ static int dtls_get_reassembled_message(SSL *s, long *len) 
    return 0;

}





int dtls1_send_change_cipher_spec(SSL *s, int a, int b)

{

    if (s->state == a) {

        if (dtls_construct_change_cipher_spec(s) == 0)

            return -1;

    }



    /* SSL3_ST_CW_CHANGE_B */

    return (dtls1_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC));

}





/*-

 * for these 2 messages, we need to

 * ssl->enc_read_ctx                    re-init

ssl/d1_srvr.c

+2 −704

File changed.

Preview size limit exceeded, changes collapsed.

ssl/record/rec_layer_d1.c

+6 −13
Original line number Diff line number Diff line
@@ -283,8 +283,8 @@ int dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) 
#ifndef OPENSSL_NO_SCTP

    /* Store bio_dgram_sctp_rcvinfo struct */

    if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&

        (s->state == SSL3_ST_SR_FINISHED_A

         || s->state == SSL3_ST_CR_FINISHED_A)) {

        (SSL_state(s) == TLS_ST_SR_FINISHED

         || SSL_state(s) == TLS_ST_CR_FINISHED)) {

        BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SCTP_GET_RCVINFO,

                 sizeof(rdata->recordinfo), &rdata->recordinfo);

    }
@@ -472,7 +472,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, 
     * We are not handshaking and have no data yet, so process data buffered

     * during the last handshake in advance, if any.

     */

    if (s->state == SSL_ST_OK && SSL3_RECORD_get_length(rr) == 0) {

    if (SSL_is_init_finished(s) && SSL3_RECORD_get_length(rr) == 0) {

        pitem *item;

        item = pqueue_pop(s->rlayer.d->buffered_app_data.q);

        if (item) {
@@ -901,9 +901,9 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, 
            goto start;

        }



        if (((s->state & SSL_ST_MASK) == SSL_ST_OK) &&

        if (SSL_is_init_finished(s) &&

            !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) {

            s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;

            statem_set_in_init(s, 1);

            s->renegotiate = 1;

            s->new_session = 1;

        }
@@ -966,14 +966,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, 
         */

        if (s->s3->in_read_app_data &&

            (s->s3->total_renegotiations != 0) &&

            (((s->state & SSL_ST_CONNECT) &&

              (s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&

              (s->state <= SSL3_ST_CR_SRVR_HELLO_A)

             ) || ((s->state & SSL_ST_ACCEPT) &&

                   (s->state <= SSL3_ST_SW_HELLO_REQ_A) &&

                   (s->state >= SSL3_ST_SR_CLNT_HELLO_A)

             )

            )) {

            statem_app_data_allowed(s)) {

            s->s3->in_read_app_data = 2;

            return (-1);

        } else {