Unexport the handshake's internal state.
Code that comes to depend on this state will limit our ability to
rework the handshake. I believe, at this point, we only need to expose
one bit of information (there's some code that compares SSL_state to
SSL_ST_OK), if even that.
BUG=177
Change-Id: Ie1c43006737db0b974811f1819755c629ae68e7b
Reviewed-on: https://boringssl-review.googlesource.com/13826
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 497093d..7f4e87c 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -3589,7 +3589,10 @@
typedef struct ssl_conf_ctx_st SSL_CONF_CTX;
-/* SSL_state returns the current state of the handshake state machine. */
+/* SSL_state returns |SSL_ST_INIT| if a handshake is in progress and |SSL_ST_OK|
+ * otherwise.
+ *
+ * Use |SSL_is_init| instead. */
OPENSSL_EXPORT int SSL_state(const SSL *ssl);
#define SSL_get_state(ssl) SSL_state(ssl)
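Review bot: The new comment on `SSL_state` points callers to `SSL_is_init`, but no function of that name appears in this commit; the predicates touched in ssl/ssl_lib.c are `SSL_in_init` and `SSL_is_init_finished`. If `SSL_in_init` was meant, the last comment line should read ` * Use |SSL_in_init| instead. */`. A deprecation pointer that names a missing symbol tends to leave callers on `SSL_state`, which is the dependency this change is trying to retire.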
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index c946b77..5a26681 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2094,12 +2094,7 @@
}
int SSL_state(const SSL *ssl) {
- if (ssl->s3->hs == NULL) {
- assert(ssl->s3->initial_handshake_complete);
- return SSL_ST_OK;
- }
-
- return ssl->s3->hs->state;
+ return SSL_in_init(ssl) ? SSL_ST_INIT : SSL_ST_OK;
}
void SSL_set_state(SSL *ssl, int state) { }
@@ -2345,11 +2340,12 @@
}
int SSL_is_init_finished(const SSL *ssl) {
- return SSL_state(ssl) == SSL_ST_OK;
+ return !SSL_in_init(ssl);
}
int SSL_in_init(const SSL *ssl) {
- return (SSL_state(ssl) & SSL_ST_INIT) != 0;
+ SSL_HANDSHAKE *hs = ssl->s3->hs;
+ return hs != NULL && hs->state != SSL_ST_OK;
}
int SSL_in_false_start(const SSL *ssl) {
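Review bot: `SSL_in_init` now returns 0 whenever `ssl->s3->hs` is NULL, without the `assert(ssl->s3->initial_handshake_complete)` that the old `SSL_state` carried, so `SSL_is_init_finished` here and `SSL_state` in the earlier ssl_lib.c hunk both report a finished handshake for any connection that has no handshake object. If the invariant (no `hs` implies the initial handshake completed) is still intended, it is cheap to keep it checked where the public predicates rely on it: `assert(hs != NULL || ssl->s3->initial_handshake_complete);` before the return, with a one-line comment stating the invariant. Applications may gate use of the connection on these predicates, so a silent "finished" answer is the wrong way to fail. Separately, the old test was `(state & SSL_ST_INIT) != 0` and the new one is `hs->state != SSL_ST_OK`; the two agree only if every non-OK handshake state carries the `SSL_ST_INIT` bit, which is not visible in this hunk.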
diff --git a/ssl/ssl_session.c b/ssl/ssl_session.c
index b71b994..c30fe6e 100644
--- a/ssl/ssl_session.c
+++ b/ssl/ssl_session.c
@@ -898,7 +898,9 @@
int SSL_set_session(SSL *ssl, SSL_SESSION *session) {
/* SSL_set_session may only be called before the handshake has started. */
- if (SSL_state(ssl) != SSL_ST_INIT || ssl->s3->initial_handshake_complete) {
+ if (ssl->s3->initial_handshake_complete ||
+ ssl->s3->hs == NULL ||
+ ssl->s3->hs->state != SSL_ST_INIT) {
abort();
}
diff --git a/ssl/ssl_stat.c b/ssl/ssl_stat.c
index 479288a..571b4a9 100644
--- a/ssl/ssl_stat.c
+++ b/ssl/ssl_stat.c
@@ -83,11 +83,22 @@
#include <openssl/ssl.h>
+#include <assert.h>
+
#include "internal.h"
+static int ssl_state(const SSL *ssl) {
+ if (ssl->s3->hs == NULL) {
+ assert(ssl->s3->initial_handshake_complete);
+ return SSL_ST_OK;
+ }
+
+ return ssl->s3->hs->state;
+}
+
const char *SSL_state_string_long(const SSL *ssl) {
- switch (SSL_state(ssl)) {
+ switch (ssl_state(ssl)) {
case SSL_ST_ACCEPT:
return "before accept initialization";
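Review bot: The new static helper `ssl_state` differs from the exported `SSL_state` only by case, yet after this commit the two return different things (the raw `hs->state` versus `SSL_ST_INIT`/`SSL_ST_OK`), which is easy to misread here and in the matching switch in `SSL_state_string`. A more distinct name or a header comment would help, for example `/* ssl_state returns the raw handshake state for the state-string functions, or |SSL_ST_OK| when there is no handshake object. */`. The `assert` is also compiled out under NDEBUG, so a release build returns `SSL_ST_OK` for a NULL `hs` without checking `initial_handshake_complete`. `SSL_state_string_long` continues outside the hunk.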
@@ -203,7 +214,7 @@
}
const char *SSL_state_string(const SSL *ssl) {
- switch (SSL_state(ssl)) {
+ switch (ssl_state(ssl)) {
case SSL_ST_ACCEPT:
return "AINIT ";