1160814Ssimon/* ssl/d1_srvr.c */ 2280304Sjkim/* 3160814Ssimon * DTLS implementation written by Nagendra Modadugu 4280304Sjkim * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 5160814Ssimon */ 6160814Ssimon/* ==================================================================== 7238405Sjkim * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. 8160814Ssimon * 9160814Ssimon * Redistribution and use in source and binary forms, with or without 10160814Ssimon * modification, are permitted provided that the following conditions 11160814Ssimon * are met: 12160814Ssimon * 13160814Ssimon * 1. Redistributions of source code must retain the above copyright 14280304Sjkim * notice, this list of conditions and the following disclaimer. 15160814Ssimon * 16160814Ssimon * 2. Redistributions in binary form must reproduce the above copyright 17160814Ssimon * notice, this list of conditions and the following disclaimer in 18160814Ssimon * the documentation and/or other materials provided with the 19160814Ssimon * distribution. 20160814Ssimon * 21160814Ssimon * 3. All advertising materials mentioning features or use of this 22160814Ssimon * software must display the following acknowledgment: 23160814Ssimon * "This product includes software developed by the OpenSSL Project 24160814Ssimon * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25160814Ssimon * 26160814Ssimon * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27160814Ssimon * endorse or promote products derived from this software without 28160814Ssimon * prior written permission. For written permission, please contact 29160814Ssimon * openssl-core@OpenSSL.org. 30160814Ssimon * 31160814Ssimon * 5. Products derived from this software may not be called "OpenSSL" 32160814Ssimon * nor may "OpenSSL" appear in their names without prior written 33160814Ssimon * permission of the OpenSSL Project. 34160814Ssimon * 35160814Ssimon * 6. Redistributions of any form whatsoever must retain the following 36160814Ssimon * acknowledgment: 37160814Ssimon * "This product includes software developed by the OpenSSL Project 38160814Ssimon * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39160814Ssimon * 40160814Ssimon * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41160814Ssimon * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42160814Ssimon * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43160814Ssimon * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44160814Ssimon * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45160814Ssimon * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46160814Ssimon * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47160814Ssimon * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48160814Ssimon * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49160814Ssimon * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50160814Ssimon * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51160814Ssimon * OF THE POSSIBILITY OF SUCH DAMAGE. 52160814Ssimon * ==================================================================== 53160814Ssimon * 54160814Ssimon * This product includes cryptographic software written by Eric Young 55160814Ssimon * (eay@cryptsoft.com). This product includes software written by Tim 56160814Ssimon * Hudson (tjh@cryptsoft.com). 57160814Ssimon * 58160814Ssimon */ 59160814Ssimon/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 60160814Ssimon * All rights reserved. 61160814Ssimon * 62160814Ssimon * This package is an SSL implementation written 63160814Ssimon * by Eric Young (eay@cryptsoft.com). 64160814Ssimon * The implementation was written so as to conform with Netscapes SSL. 65280304Sjkim * 66160814Ssimon * This library is free for commercial and non-commercial use as long as 67160814Ssimon * the following conditions are aheared to. The following conditions 68160814Ssimon * apply to all code found in this distribution, be it the RC4, RSA, 69160814Ssimon * lhash, DES, etc., code; not just the SSL code. The SSL documentation 70160814Ssimon * included with this distribution is covered by the same copyright terms 71160814Ssimon * except that the holder is Tim Hudson (tjh@cryptsoft.com). 72280304Sjkim * 73160814Ssimon * Copyright remains Eric Young's, and as such any Copyright notices in 74160814Ssimon * the code are not to be removed. 75160814Ssimon * If this package is used in a product, Eric Young should be given attribution 76160814Ssimon * as the author of the parts of the library used. 77160814Ssimon * This can be in the form of a textual message at program startup or 78160814Ssimon * in documentation (online or textual) provided with the package. 79280304Sjkim * 80160814Ssimon * Redistribution and use in source and binary forms, with or without 81160814Ssimon * modification, are permitted provided that the following conditions 82160814Ssimon * are met: 83160814Ssimon * 1. Redistributions of source code must retain the copyright 84160814Ssimon * notice, this list of conditions and the following disclaimer. 85160814Ssimon * 2. Redistributions in binary form must reproduce the above copyright 86160814Ssimon * notice, this list of conditions and the following disclaimer in the 87160814Ssimon * documentation and/or other materials provided with the distribution. 88160814Ssimon * 3. All advertising materials mentioning features or use of this software 89160814Ssimon * must display the following acknowledgement: 90160814Ssimon * "This product includes cryptographic software written by 91160814Ssimon * Eric Young (eay@cryptsoft.com)" 92160814Ssimon * The word 'cryptographic' can be left out if the rouines from the library 93160814Ssimon * being used are not cryptographic related :-). 94280304Sjkim * 4. If you include any Windows specific code (or a derivative thereof) from 95160814Ssimon * the apps directory (application code) you must include an acknowledgement: 96160814Ssimon * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 97280304Sjkim * 98160814Ssimon * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 99160814Ssimon * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 100160814Ssimon * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 101160814Ssimon * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 102160814Ssimon * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 103160814Ssimon * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 104160814Ssimon * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 105160814Ssimon * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 106160814Ssimon * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 107160814Ssimon * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 108160814Ssimon * SUCH DAMAGE. 109280304Sjkim * 110160814Ssimon * The licence and distribution terms for any publically available version or 111160814Ssimon * derivative of this code cannot be changed. i.e. this code cannot simply be 112160814Ssimon * copied and put under another distribution licence 113160814Ssimon * [including the GNU Public Licence.] 114160814Ssimon */ 115160814Ssimon 116160814Ssimon#include <stdio.h> 117160814Ssimon#include "ssl_locl.h" 118160814Ssimon#include <openssl/buffer.h> 119160814Ssimon#include <openssl/rand.h> 120160814Ssimon#include <openssl/objects.h> 121160814Ssimon#include <openssl/evp.h> 122160814Ssimon#include <openssl/x509.h> 123160814Ssimon#include <openssl/md5.h> 124238405Sjkim#include <openssl/bn.h> 125160814Ssimon#ifndef OPENSSL_NO_DH 126280304Sjkim# include <openssl/dh.h> 127160814Ssimon#endif 128160814Ssimon 129238405Sjkimstatic const SSL_METHOD *dtls1_get_server_method(int ver); 130160814Ssimonstatic int dtls1_send_hello_verify_request(SSL *s); 131160814Ssimon 132238405Sjkimstatic const SSL_METHOD *dtls1_get_server_method(int ver) 133280304Sjkim{ 134280304Sjkim if (ver == DTLS1_VERSION) 135280304Sjkim return (DTLSv1_server_method()); 136280304Sjkim else 137280304Sjkim return (NULL); 138280304Sjkim} 139160814Ssimon 140160814SsimonIMPLEMENT_dtls1_meth_func(DTLSv1_server_method, 141280304Sjkim dtls1_accept, 142280304Sjkim ssl_undefined_function, dtls1_get_server_method) 143160814Ssimon 144160814Ssimonint dtls1_accept(SSL *s) 145280304Sjkim{ 146280304Sjkim BUF_MEM *buf; 147280304Sjkim unsigned long Time = (unsigned long)time(NULL); 148280304Sjkim void (*cb) (const SSL *ssl, int type, int val) = NULL; 149280304Sjkim unsigned long alg_k; 150280304Sjkim int ret = -1; 151280304Sjkim int new_state, state, skip = 0; 152280304Sjkim int listen; 153238405Sjkim#ifndef OPENSSL_NO_SCTP 154280304Sjkim unsigned char sctpauthkey[64]; 155280304Sjkim char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)]; 156238405Sjkim#endif 157160814Ssimon 158280304Sjkim RAND_add(&Time, sizeof(Time), 0); 159280304Sjkim ERR_clear_error(); 160280304Sjkim clear_sys_error(); 161160814Ssimon 162280304Sjkim if (s->info_callback != NULL) 163280304Sjkim cb = s->info_callback; 164280304Sjkim else if (s->ctx->info_callback != NULL) 165280304Sjkim cb = s->ctx->info_callback; 166160814Ssimon 167280304Sjkim listen = s->d1->listen; 168160814Ssimon 169280304Sjkim /* init things to blank */ 170280304Sjkim s->in_handshake++; 171280304Sjkim if (!SSL_in_init(s) || SSL_in_before(s)) 172280304Sjkim SSL_clear(s); 173280304Sjkim 174280304Sjkim s->d1->listen = listen; 175238405Sjkim#ifndef OPENSSL_NO_SCTP 176280304Sjkim /* 177280304Sjkim * Notify SCTP BIO socket to enter handshake mode and prevent stream 178280304Sjkim * identifier other than 0. Will be ignored if no SCTP is used. 179280304Sjkim */ 180280304Sjkim BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, 181280304Sjkim s->in_handshake, NULL); 182238405Sjkim#endif 183237657Sjkim 184280304Sjkim if (s->cert == NULL) { 185280304Sjkim SSLerr(SSL_F_DTLS1_ACCEPT, SSL_R_NO_CERTIFICATE_SET); 186280304Sjkim return (-1); 187280304Sjkim } 188238405Sjkim#ifndef OPENSSL_NO_HEARTBEATS 189280304Sjkim /* 190280304Sjkim * If we're awaiting a HeartbeatResponse, pretend we already got and 191280304Sjkim * don't await it anymore, because Heartbeats don't make sense during 192280304Sjkim * handshakes anyway. 193280304Sjkim */ 194280304Sjkim if (s->tlsext_hb_pending) { 195280304Sjkim dtls1_stop_timer(s); 196280304Sjkim s->tlsext_hb_pending = 0; 197280304Sjkim s->tlsext_hb_seq++; 198280304Sjkim } 199238405Sjkim#endif 200238405Sjkim 201280304Sjkim for (;;) { 202280304Sjkim state = s->state; 203160814Ssimon 204280304Sjkim switch (s->state) { 205280304Sjkim case SSL_ST_RENEGOTIATE: 206280304Sjkim s->renegotiate = 1; 207280304Sjkim /* s->state=SSL_ST_ACCEPT; */ 208160814Ssimon 209280304Sjkim case SSL_ST_BEFORE: 210280304Sjkim case SSL_ST_ACCEPT: 211280304Sjkim case SSL_ST_BEFORE | SSL_ST_ACCEPT: 212280304Sjkim case SSL_ST_OK | SSL_ST_ACCEPT: 213160814Ssimon 214280304Sjkim s->server = 1; 215280304Sjkim if (cb != NULL) 216280304Sjkim cb(s, SSL_CB_HANDSHAKE_START, 1); 217160814Ssimon 218280304Sjkim if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) { 219280304Sjkim SSLerr(SSL_F_DTLS1_ACCEPT, ERR_R_INTERNAL_ERROR); 220280304Sjkim return -1; 221280304Sjkim } 222280304Sjkim s->type = SSL_ST_ACCEPT; 223160814Ssimon 224280304Sjkim if (s->init_buf == NULL) { 225280304Sjkim if ((buf = BUF_MEM_new()) == NULL) { 226280304Sjkim ret = -1; 227284285Sjkim s->state = SSL_ST_ERR; 228280304Sjkim goto end; 229280304Sjkim } 230280304Sjkim if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) { 231280304Sjkim BUF_MEM_free(buf); 232280304Sjkim ret = -1; 233284285Sjkim s->state = SSL_ST_ERR; 234280304Sjkim goto end; 235280304Sjkim } 236280304Sjkim s->init_buf = buf; 237280304Sjkim } 238160814Ssimon 239280304Sjkim if (!ssl3_setup_buffers(s)) { 240280304Sjkim ret = -1; 241284285Sjkim s->state = SSL_ST_ERR; 242280304Sjkim goto end; 243280304Sjkim } 244160814Ssimon 245280304Sjkim s->init_num = 0; 246280304Sjkim s->d1->change_cipher_spec_ok = 0; 247280304Sjkim /* 248280304Sjkim * Should have been reset by ssl3_get_finished, too. 249280304Sjkim */ 250280304Sjkim s->s3->change_cipher_spec = 0; 251160814Ssimon 252280304Sjkim if (s->state != SSL_ST_RENEGOTIATE) { 253280304Sjkim /* 254280304Sjkim * Ok, we now need to push on a buffering BIO so that the 255280304Sjkim * output is sent in a way that TCP likes :-) ...but not with 256280304Sjkim * SCTP :-) 257280304Sjkim */ 258238405Sjkim#ifndef OPENSSL_NO_SCTP 259280304Sjkim if (!BIO_dgram_is_sctp(SSL_get_wbio(s))) 260238405Sjkim#endif 261280304Sjkim if (!ssl_init_wbio_buffer(s, 1)) { 262280304Sjkim ret = -1; 263284285Sjkim s->state = SSL_ST_ERR; 264280304Sjkim goto end; 265280304Sjkim } 266160814Ssimon 267280304Sjkim ssl3_init_finished_mac(s); 268280304Sjkim s->state = SSL3_ST_SR_CLNT_HELLO_A; 269280304Sjkim s->ctx->stats.sess_accept++; 270291721Sjkim } else if (!s->s3->send_connection_binding && 271291721Sjkim !(s->options & 272291721Sjkim SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { 273291721Sjkim /* 274291721Sjkim * Server attempting to renegotiate with client that doesn't 275291721Sjkim * support secure renegotiation. 276291721Sjkim */ 277291721Sjkim SSLerr(SSL_F_DTLS1_ACCEPT, 278291721Sjkim SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 279291721Sjkim ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 280291721Sjkim ret = -1; 281291721Sjkim s->state = SSL_ST_ERR; 282291721Sjkim goto end; 283280304Sjkim } else { 284280304Sjkim /* 285280304Sjkim * s->state == SSL_ST_RENEGOTIATE, we will just send a 286280304Sjkim * HelloRequest 287280304Sjkim */ 288280304Sjkim s->ctx->stats.sess_accept_renegotiate++; 289280304Sjkim s->state = SSL3_ST_SW_HELLO_REQ_A; 290280304Sjkim } 291160814Ssimon 292280304Sjkim break; 293160814Ssimon 294280304Sjkim case SSL3_ST_SW_HELLO_REQ_A: 295280304Sjkim case SSL3_ST_SW_HELLO_REQ_B: 296160814Ssimon 297280304Sjkim s->shutdown = 0; 298306196Sjkim dtls1_clear_sent_buffer(s); 299280304Sjkim dtls1_start_timer(s); 300280304Sjkim ret = dtls1_send_hello_request(s); 301280304Sjkim if (ret <= 0) 302280304Sjkim goto end; 303280304Sjkim s->s3->tmp.next_state = SSL3_ST_SR_CLNT_HELLO_A; 304280304Sjkim s->state = SSL3_ST_SW_FLUSH; 305280304Sjkim s->init_num = 0; 306160814Ssimon 307280304Sjkim ssl3_init_finished_mac(s); 308280304Sjkim break; 309160814Ssimon 310280304Sjkim case SSL3_ST_SW_HELLO_REQ_C: 311280304Sjkim s->state = SSL_ST_OK; 312280304Sjkim break; 313160814Ssimon 314280304Sjkim case SSL3_ST_SR_CLNT_HELLO_A: 315280304Sjkim case SSL3_ST_SR_CLNT_HELLO_B: 316280304Sjkim case SSL3_ST_SR_CLNT_HELLO_C: 317160814Ssimon 318280304Sjkim s->shutdown = 0; 319280304Sjkim ret = ssl3_get_client_hello(s); 320280304Sjkim if (ret <= 0) 321280304Sjkim goto end; 322280304Sjkim dtls1_stop_timer(s); 323160814Ssimon 324280304Sjkim if (ret == 1 && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) 325280304Sjkim s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A; 326280304Sjkim else 327280304Sjkim s->state = SSL3_ST_SW_SRVR_HELLO_A; 328160814Ssimon 329280304Sjkim s->init_num = 0; 330205128Ssimon 331280304Sjkim /* 332280304Sjkim * Reflect ClientHello sequence to remain stateless while 333280304Sjkim * listening 334280304Sjkim */ 335280304Sjkim if (listen) { 336280304Sjkim memcpy(s->s3->write_sequence, s->s3->read_sequence, 337280304Sjkim sizeof(s->s3->write_sequence)); 338280304Sjkim } 339237657Sjkim 340280304Sjkim /* If we're just listening, stop here */ 341280304Sjkim if (listen && s->state == SSL3_ST_SW_SRVR_HELLO_A) { 342280304Sjkim ret = 2; 343280304Sjkim s->d1->listen = 0; 344280304Sjkim /* 345280304Sjkim * Set expected sequence numbers to continue the handshake. 346280304Sjkim */ 347280304Sjkim s->d1->handshake_read_seq = 2; 348280304Sjkim s->d1->handshake_write_seq = 1; 349280304Sjkim s->d1->next_handshake_write_seq = 1; 350280304Sjkim goto end; 351280304Sjkim } 352160814Ssimon 353280304Sjkim break; 354194206Ssimon 355280304Sjkim case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A: 356280304Sjkim case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B: 357280304Sjkim 358280304Sjkim ret = dtls1_send_hello_verify_request(s); 359280304Sjkim if (ret <= 0) 360280304Sjkim goto end; 361280304Sjkim s->state = SSL3_ST_SW_FLUSH; 362280304Sjkim s->s3->tmp.next_state = SSL3_ST_SR_CLNT_HELLO_A; 363280304Sjkim 364280304Sjkim /* HelloVerifyRequest resets Finished MAC */ 365280304Sjkim if (s->version != DTLS1_BAD_VER) 366280304Sjkim ssl3_init_finished_mac(s); 367280304Sjkim break; 368280304Sjkim 369238405Sjkim#ifndef OPENSSL_NO_SCTP 370280304Sjkim case DTLS1_SCTP_ST_SR_READ_SOCK: 371238405Sjkim 372280304Sjkim if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) { 373280304Sjkim s->s3->in_read_app_data = 2; 374280304Sjkim s->rwstate = SSL_READING; 375280304Sjkim BIO_clear_retry_flags(SSL_get_rbio(s)); 376280304Sjkim BIO_set_retry_read(SSL_get_rbio(s)); 377280304Sjkim ret = -1; 378280304Sjkim goto end; 379280304Sjkim } 380280304Sjkim 381280304Sjkim s->state = SSL3_ST_SR_FINISHED_A; 382280304Sjkim break; 383280304Sjkim 384280304Sjkim case DTLS1_SCTP_ST_SW_WRITE_SOCK: 385280304Sjkim ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s)); 386280304Sjkim if (ret < 0) 387280304Sjkim goto end; 388280304Sjkim 389280304Sjkim if (ret == 0) { 390280304Sjkim if (s->d1->next_state != SSL_ST_OK) { 391280304Sjkim s->s3->in_read_app_data = 2; 392280304Sjkim s->rwstate = SSL_READING; 393280304Sjkim BIO_clear_retry_flags(SSL_get_rbio(s)); 394280304Sjkim BIO_set_retry_read(SSL_get_rbio(s)); 395280304Sjkim ret = -1; 396280304Sjkim goto end; 397280304Sjkim } 398280304Sjkim } 399280304Sjkim 400280304Sjkim s->state = s->d1->next_state; 401280304Sjkim break; 402238405Sjkim#endif 403238405Sjkim 404280304Sjkim case SSL3_ST_SW_SRVR_HELLO_A: 405280304Sjkim case SSL3_ST_SW_SRVR_HELLO_B: 406280304Sjkim s->renegotiate = 2; 407280304Sjkim dtls1_start_timer(s); 408280304Sjkim ret = dtls1_send_server_hello(s); 409280304Sjkim if (ret <= 0) 410280304Sjkim goto end; 411160814Ssimon 412280304Sjkim if (s->hit) { 413238405Sjkim#ifndef OPENSSL_NO_SCTP 414280304Sjkim /* 415280304Sjkim * Add new shared key for SCTP-Auth, will be ignored if no 416280304Sjkim * SCTP used. 417280304Sjkim */ 418280304Sjkim snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL), 419280304Sjkim DTLS1_SCTP_AUTH_LABEL); 420238405Sjkim 421291721Sjkim if (SSL_export_keying_material(s, sctpauthkey, 422291721Sjkim sizeof(sctpauthkey), labelbuffer, 423291721Sjkim sizeof(labelbuffer), NULL, 0, 0) <= 0) { 424291721Sjkim ret = -1; 425291721Sjkim s->state = SSL_ST_ERR; 426291721Sjkim goto end; 427291721Sjkim } 428280304Sjkim 429280304Sjkim BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, 430238405Sjkim sizeof(sctpauthkey), sctpauthkey); 431238405Sjkim#endif 432238405Sjkim#ifndef OPENSSL_NO_TLSEXT 433280304Sjkim if (s->tlsext_ticket_expected) 434280304Sjkim s->state = SSL3_ST_SW_SESSION_TICKET_A; 435280304Sjkim else 436280304Sjkim s->state = SSL3_ST_SW_CHANGE_A; 437205128Ssimon#else 438280304Sjkim s->state = SSL3_ST_SW_CHANGE_A; 439205128Ssimon#endif 440280304Sjkim } else 441280304Sjkim s->state = SSL3_ST_SW_CERT_A; 442280304Sjkim s->init_num = 0; 443280304Sjkim break; 444160814Ssimon 445280304Sjkim case SSL3_ST_SW_CERT_A: 446280304Sjkim case SSL3_ST_SW_CERT_B: 447280304Sjkim /* Check if it is anon DH or normal PSK */ 448280304Sjkim if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 449280304Sjkim && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { 450280304Sjkim dtls1_start_timer(s); 451280304Sjkim ret = dtls1_send_server_certificate(s); 452280304Sjkim if (ret <= 0) 453280304Sjkim goto end; 454205128Ssimon#ifndef OPENSSL_NO_TLSEXT 455280304Sjkim if (s->tlsext_status_expected) 456280304Sjkim s->state = SSL3_ST_SW_CERT_STATUS_A; 457280304Sjkim else 458280304Sjkim s->state = SSL3_ST_SW_KEY_EXCH_A; 459280304Sjkim } else { 460280304Sjkim skip = 1; 461280304Sjkim s->state = SSL3_ST_SW_KEY_EXCH_A; 462280304Sjkim } 463205128Ssimon#else 464280304Sjkim } else 465280304Sjkim skip = 1; 466205128Ssimon 467280304Sjkim s->state = SSL3_ST_SW_KEY_EXCH_A; 468205128Ssimon#endif 469280304Sjkim s->init_num = 0; 470280304Sjkim break; 471160814Ssimon 472280304Sjkim case SSL3_ST_SW_KEY_EXCH_A: 473280304Sjkim case SSL3_ST_SW_KEY_EXCH_B: 474280304Sjkim alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 475160814Ssimon 476280304Sjkim /* 477280304Sjkim * clear this, it may get reset by 478280304Sjkim * send_server_key_exchange 479280304Sjkim */ 480280304Sjkim s->s3->tmp.use_rsa_tmp = 0; 481160814Ssimon 482280304Sjkim /* 483280304Sjkim * only send if a DH key exchange or RSA but we have a sign only 484280304Sjkim * certificate 485280304Sjkim */ 486280304Sjkim if (0 487280304Sjkim /* 488280304Sjkim * PSK: send ServerKeyExchange if PSK identity hint if 489280304Sjkim * provided 490280304Sjkim */ 491238405Sjkim#ifndef OPENSSL_NO_PSK 492280304Sjkim || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint) 493238405Sjkim#endif 494284285Sjkim || (alg_k & SSL_kEDH) 495280304Sjkim || (alg_k & SSL_kEECDH) 496280304Sjkim || ((alg_k & SSL_kRSA) 497280304Sjkim && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL 498280304Sjkim || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) 499280304Sjkim && EVP_PKEY_size(s->cert->pkeys 500280304Sjkim [SSL_PKEY_RSA_ENC].privatekey) * 501280304Sjkim 8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) 502280304Sjkim ) 503280304Sjkim ) 504280304Sjkim ) 505280304Sjkim ) { 506280304Sjkim dtls1_start_timer(s); 507280304Sjkim ret = dtls1_send_server_key_exchange(s); 508280304Sjkim if (ret <= 0) 509280304Sjkim goto end; 510280304Sjkim } else 511280304Sjkim skip = 1; 512160814Ssimon 513280304Sjkim s->state = SSL3_ST_SW_CERT_REQ_A; 514280304Sjkim s->init_num = 0; 515280304Sjkim break; 516160814Ssimon 517280304Sjkim case SSL3_ST_SW_CERT_REQ_A: 518280304Sjkim case SSL3_ST_SW_CERT_REQ_B: 519280304Sjkim if ( /* don't request cert unless asked for it: */ 520280304Sjkim !(s->verify_mode & SSL_VERIFY_PEER) || 521280304Sjkim /* 522280304Sjkim * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert 523280304Sjkim * during re-negotiation: 524280304Sjkim */ 525280304Sjkim ((s->session->peer != NULL) && 526280304Sjkim (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 527280304Sjkim /* 528280304Sjkim * never request cert in anonymous ciphersuites (see 529280304Sjkim * section "Certificate request" in SSL 3 drafts and in 530280304Sjkim * RFC 2246): 531280304Sjkim */ 532280304Sjkim ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 533280304Sjkim /* 534280304Sjkim * ... except when the application insists on 535280304Sjkim * verification (against the specs, but s3_clnt.c accepts 536280304Sjkim * this for SSL 3) 537280304Sjkim */ 538280304Sjkim !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || 539280304Sjkim /* 540280304Sjkim * never request cert in Kerberos ciphersuites 541280304Sjkim */ 542280304Sjkim (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) 543280304Sjkim /* 544280304Sjkim * With normal PSK Certificates and Certificate Requests 545280304Sjkim * are omitted 546280304Sjkim */ 547280304Sjkim || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { 548280304Sjkim /* no cert request */ 549280304Sjkim skip = 1; 550280304Sjkim s->s3->tmp.cert_request = 0; 551280304Sjkim s->state = SSL3_ST_SW_SRVR_DONE_A; 552238405Sjkim#ifndef OPENSSL_NO_SCTP 553280304Sjkim if (BIO_dgram_is_sctp(SSL_get_wbio(s))) { 554280304Sjkim s->d1->next_state = SSL3_ST_SW_SRVR_DONE_A; 555280304Sjkim s->state = DTLS1_SCTP_ST_SW_WRITE_SOCK; 556280304Sjkim } 557238405Sjkim#endif 558280304Sjkim } else { 559280304Sjkim s->s3->tmp.cert_request = 1; 560280304Sjkim dtls1_start_timer(s); 561280304Sjkim ret = dtls1_send_certificate_request(s); 562280304Sjkim if (ret <= 0) 563280304Sjkim goto end; 564160814Ssimon#ifndef NETSCAPE_HANG_BUG 565280304Sjkim s->state = SSL3_ST_SW_SRVR_DONE_A; 566280304Sjkim# ifndef OPENSSL_NO_SCTP 567280304Sjkim if (BIO_dgram_is_sctp(SSL_get_wbio(s))) { 568280304Sjkim s->d1->next_state = SSL3_ST_SW_SRVR_DONE_A; 569280304Sjkim s->state = DTLS1_SCTP_ST_SW_WRITE_SOCK; 570280304Sjkim } 571280304Sjkim# endif 572160814Ssimon#else 573280304Sjkim s->state = SSL3_ST_SW_FLUSH; 574280304Sjkim s->s3->tmp.next_state = SSL3_ST_SR_CERT_A; 575280304Sjkim# ifndef OPENSSL_NO_SCTP 576280304Sjkim if (BIO_dgram_is_sctp(SSL_get_wbio(s))) { 577280304Sjkim s->d1->next_state = s->s3->tmp.next_state; 578280304Sjkim s->s3->tmp.next_state = DTLS1_SCTP_ST_SW_WRITE_SOCK; 579280304Sjkim } 580280304Sjkim# endif 581160814Ssimon#endif 582280304Sjkim s->init_num = 0; 583280304Sjkim } 584280304Sjkim break; 585160814Ssimon 586280304Sjkim case SSL3_ST_SW_SRVR_DONE_A: 587280304Sjkim case SSL3_ST_SW_SRVR_DONE_B: 588280304Sjkim dtls1_start_timer(s); 589280304Sjkim ret = dtls1_send_server_done(s); 590280304Sjkim if (ret <= 0) 591280304Sjkim goto end; 592280304Sjkim s->s3->tmp.next_state = SSL3_ST_SR_CERT_A; 593280304Sjkim s->state = SSL3_ST_SW_FLUSH; 594280304Sjkim s->init_num = 0; 595280304Sjkim break; 596160814Ssimon 597280304Sjkim case SSL3_ST_SW_FLUSH: 598280304Sjkim s->rwstate = SSL_WRITING; 599280304Sjkim if (BIO_flush(s->wbio) <= 0) { 600280304Sjkim /* 601280304Sjkim * If the write error was fatal, stop trying 602280304Sjkim */ 603280304Sjkim if (!BIO_should_retry(s->wbio)) { 604280304Sjkim s->rwstate = SSL_NOTHING; 605280304Sjkim s->state = s->s3->tmp.next_state; 606280304Sjkim } 607160814Ssimon 608280304Sjkim ret = -1; 609280304Sjkim goto end; 610280304Sjkim } 611280304Sjkim s->rwstate = SSL_NOTHING; 612280304Sjkim s->state = s->s3->tmp.next_state; 613280304Sjkim break; 614280304Sjkim 615280304Sjkim case SSL3_ST_SR_CERT_A: 616280304Sjkim case SSL3_ST_SR_CERT_B: 617280304Sjkim /* Check for second client hello (MS SGC) */ 618280304Sjkim ret = ssl3_check_client_hello(s); 619280304Sjkim if (ret <= 0) 620280304Sjkim goto end; 621280304Sjkim if (ret == 2) { 622280304Sjkim dtls1_stop_timer(s); 623280304Sjkim s->state = SSL3_ST_SR_CLNT_HELLO_C; 624280304Sjkim } else { 625280304Sjkim if (s->s3->tmp.cert_request) { 626280304Sjkim ret = ssl3_get_client_certificate(s); 627280304Sjkim if (ret <= 0) 628280304Sjkim goto end; 629280304Sjkim } 630280304Sjkim s->init_num = 0; 631280304Sjkim s->state = SSL3_ST_SR_KEY_EXCH_A; 632280304Sjkim } 633280304Sjkim break; 634280304Sjkim 635280304Sjkim case SSL3_ST_SR_KEY_EXCH_A: 636280304Sjkim case SSL3_ST_SR_KEY_EXCH_B: 637280304Sjkim ret = ssl3_get_client_key_exchange(s); 638280304Sjkim if (ret <= 0) 639280304Sjkim goto end; 640238405Sjkim#ifndef OPENSSL_NO_SCTP 641280304Sjkim /* 642280304Sjkim * Add new shared key for SCTP-Auth, will be ignored if no SCTP 643280304Sjkim * used. 644280304Sjkim */ 645280304Sjkim snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL), 646280304Sjkim DTLS1_SCTP_AUTH_LABEL); 647238405Sjkim 648291721Sjkim if (SSL_export_keying_material(s, sctpauthkey, 649280304Sjkim sizeof(sctpauthkey), labelbuffer, 650291721Sjkim sizeof(labelbuffer), NULL, 0, 0) <= 0) { 651291721Sjkim ret = -1; 652291721Sjkim s->state = SSL_ST_ERR; 653291721Sjkim goto end; 654291721Sjkim } 655238405Sjkim 656280304Sjkim BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, 657280304Sjkim sizeof(sctpauthkey), sctpauthkey); 658238405Sjkim#endif 659238405Sjkim 660280304Sjkim s->state = SSL3_ST_SR_CERT_VRFY_A; 661280304Sjkim s->init_num = 0; 662160814Ssimon 663280304Sjkim if (ret == 2) { 664280304Sjkim /* 665280304Sjkim * For the ECDH ciphersuites when the client sends its ECDH 666280304Sjkim * pub key in a certificate, the CertificateVerify message is 667280304Sjkim * not sent. 668280304Sjkim */ 669280304Sjkim s->state = SSL3_ST_SR_FINISHED_A; 670280304Sjkim s->init_num = 0; 671280304Sjkim } else { 672280304Sjkim s->state = SSL3_ST_SR_CERT_VRFY_A; 673280304Sjkim s->init_num = 0; 674160814Ssimon 675280304Sjkim /* 676280304Sjkim * We need to get hashes here so if there is a client cert, 677280304Sjkim * it can be verified 678280304Sjkim */ 679280304Sjkim s->method->ssl3_enc->cert_verify_mac(s, 680280304Sjkim NID_md5, 681280304Sjkim &(s->s3-> 682280304Sjkim tmp.cert_verify_md 683280304Sjkim [0])); 684280304Sjkim s->method->ssl3_enc->cert_verify_mac(s, NID_sha1, 685280304Sjkim &(s->s3-> 686280304Sjkim tmp.cert_verify_md 687280304Sjkim [MD5_DIGEST_LENGTH])); 688280304Sjkim } 689280304Sjkim break; 690160814Ssimon 691280304Sjkim case SSL3_ST_SR_CERT_VRFY_A: 692280304Sjkim case SSL3_ST_SR_CERT_VRFY_B: 693280304Sjkim ret = ssl3_get_cert_verify(s); 694280304Sjkim if (ret <= 0) 695280304Sjkim goto end; 696238405Sjkim#ifndef OPENSSL_NO_SCTP 697280304Sjkim if (BIO_dgram_is_sctp(SSL_get_wbio(s)) && 698280304Sjkim state == SSL_ST_RENEGOTIATE) 699280304Sjkim s->state = DTLS1_SCTP_ST_SR_READ_SOCK; 700280304Sjkim else 701280304Sjkim#endif 702280304Sjkim s->state = SSL3_ST_SR_FINISHED_A; 703280304Sjkim s->init_num = 0; 704280304Sjkim break; 705160814Ssimon 706280304Sjkim case SSL3_ST_SR_FINISHED_A: 707280304Sjkim case SSL3_ST_SR_FINISHED_B: 708280304Sjkim /* 709284285Sjkim * Enable CCS. Receiving a CCS clears the flag, so make 710284285Sjkim * sure not to re-enable it to ban duplicates. This *should* be the 711284285Sjkim * first time we have received one - but we check anyway to be 712284285Sjkim * cautious. 713280304Sjkim * s->s3->change_cipher_spec is set when a CCS is 714280304Sjkim * processed in d1_pkt.c, and remains set until 715280304Sjkim * the client's Finished message is read. 716280304Sjkim */ 717280304Sjkim if (!s->s3->change_cipher_spec) 718280304Sjkim s->d1->change_cipher_spec_ok = 1; 719280304Sjkim ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A, 720280304Sjkim SSL3_ST_SR_FINISHED_B); 721280304Sjkim if (ret <= 0) 722280304Sjkim goto end; 723280304Sjkim dtls1_stop_timer(s); 724280304Sjkim if (s->hit) 725280304Sjkim s->state = SSL_ST_OK; 726205128Ssimon#ifndef OPENSSL_NO_TLSEXT 727280304Sjkim else if (s->tlsext_ticket_expected) 728280304Sjkim s->state = SSL3_ST_SW_SESSION_TICKET_A; 729205128Ssimon#endif 730280304Sjkim else 731280304Sjkim s->state = SSL3_ST_SW_CHANGE_A; 732280304Sjkim s->init_num = 0; 733280304Sjkim break; 734160814Ssimon 735205128Ssimon#ifndef OPENSSL_NO_TLSEXT 736280304Sjkim case SSL3_ST_SW_SESSION_TICKET_A: 737280304Sjkim case SSL3_ST_SW_SESSION_TICKET_B: 738280304Sjkim ret = dtls1_send_newsession_ticket(s); 739280304Sjkim if (ret <= 0) 740280304Sjkim goto end; 741280304Sjkim s->state = SSL3_ST_SW_CHANGE_A; 742280304Sjkim s->init_num = 0; 743280304Sjkim break; 744205128Ssimon 745280304Sjkim case SSL3_ST_SW_CERT_STATUS_A: 746280304Sjkim case SSL3_ST_SW_CERT_STATUS_B: 747280304Sjkim ret = ssl3_send_cert_status(s); 748280304Sjkim if (ret <= 0) 749280304Sjkim goto end; 750280304Sjkim s->state = SSL3_ST_SW_KEY_EXCH_A; 751280304Sjkim s->init_num = 0; 752280304Sjkim break; 753205128Ssimon 754205128Ssimon#endif 755205128Ssimon 756280304Sjkim case SSL3_ST_SW_CHANGE_A: 757280304Sjkim case SSL3_ST_SW_CHANGE_B: 758160814Ssimon 759280304Sjkim s->session->cipher = s->s3->tmp.new_cipher; 760280304Sjkim if (!s->method->ssl3_enc->setup_key_block(s)) { 761280304Sjkim ret = -1; 762284285Sjkim s->state = SSL_ST_ERR; 763280304Sjkim goto end; 764280304Sjkim } 765160814Ssimon 766280304Sjkim ret = dtls1_send_change_cipher_spec(s, 767280304Sjkim SSL3_ST_SW_CHANGE_A, 768280304Sjkim SSL3_ST_SW_CHANGE_B); 769160814Ssimon 770280304Sjkim if (ret <= 0) 771280304Sjkim goto end; 772238405Sjkim 773238405Sjkim#ifndef OPENSSL_NO_SCTP 774280304Sjkim if (!s->hit) { 775280304Sjkim /* 776280304Sjkim * Change to new shared key of SCTP-Auth, will be ignored if 777280304Sjkim * no SCTP used. 778280304Sjkim */ 779280304Sjkim BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 780280304Sjkim 0, NULL); 781280304Sjkim } 782238405Sjkim#endif 783238405Sjkim 784280304Sjkim s->state = SSL3_ST_SW_FINISHED_A; 785280304Sjkim s->init_num = 0; 786160814Ssimon 787280304Sjkim if (!s->method->ssl3_enc->change_cipher_state(s, 788280304Sjkim SSL3_CHANGE_CIPHER_SERVER_WRITE)) 789280304Sjkim { 790280304Sjkim ret = -1; 791284285Sjkim s->state = SSL_ST_ERR; 792280304Sjkim goto end; 793280304Sjkim } 794160814Ssimon 795280304Sjkim dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); 796280304Sjkim break; 797160814Ssimon 798280304Sjkim case SSL3_ST_SW_FINISHED_A: 799280304Sjkim case SSL3_ST_SW_FINISHED_B: 800280304Sjkim ret = dtls1_send_finished(s, 801280304Sjkim SSL3_ST_SW_FINISHED_A, 802280304Sjkim SSL3_ST_SW_FINISHED_B, 803280304Sjkim s->method-> 804280304Sjkim ssl3_enc->server_finished_label, 805280304Sjkim s->method-> 806280304Sjkim ssl3_enc->server_finished_label_len); 807280304Sjkim if (ret <= 0) 808280304Sjkim goto end; 809280304Sjkim s->state = SSL3_ST_SW_FLUSH; 810280304Sjkim if (s->hit) { 811280304Sjkim s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A; 812264331Sjkim 813264331Sjkim#ifndef OPENSSL_NO_SCTP 814280304Sjkim /* 815280304Sjkim * Change to new shared key of SCTP-Auth, will be ignored if 816280304Sjkim * no SCTP used. 817280304Sjkim */ 818280304Sjkim BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 819280304Sjkim 0, NULL); 820264331Sjkim#endif 821280304Sjkim } else { 822280304Sjkim s->s3->tmp.next_state = SSL_ST_OK; 823238405Sjkim#ifndef OPENSSL_NO_SCTP 824280304Sjkim if (BIO_dgram_is_sctp(SSL_get_wbio(s))) { 825280304Sjkim s->d1->next_state = s->s3->tmp.next_state; 826280304Sjkim s->s3->tmp.next_state = DTLS1_SCTP_ST_SW_WRITE_SOCK; 827280304Sjkim } 828238405Sjkim#endif 829280304Sjkim } 830280304Sjkim s->init_num = 0; 831280304Sjkim break; 832160814Ssimon 833280304Sjkim case SSL_ST_OK: 834280304Sjkim /* clean a few things up */ 835280304Sjkim ssl3_cleanup_key_block(s); 836160814Ssimon 837160814Ssimon#if 0 838280304Sjkim BUF_MEM_free(s->init_buf); 839280304Sjkim s->init_buf = NULL; 840160814Ssimon#endif 841160814Ssimon 842280304Sjkim /* remove buffering on output */ 843280304Sjkim ssl_free_wbio_buffer(s); 844160814Ssimon 845280304Sjkim s->init_num = 0; 846160814Ssimon 847280304Sjkim if (s->renegotiate == 2) { /* skipped if we just sent a 848280304Sjkim * HelloRequest */ 849280304Sjkim s->renegotiate = 0; 850280304Sjkim s->new_session = 0; 851160814Ssimon 852280304Sjkim ssl_update_cache(s, SSL_SESS_CACHE_SERVER); 853160814Ssimon 854280304Sjkim s->ctx->stats.sess_accept_good++; 855280304Sjkim /* s->server=1; */ 856280304Sjkim s->handshake_func = dtls1_accept; 857160814Ssimon 858280304Sjkim if (cb != NULL) 859280304Sjkim cb(s, SSL_CB_HANDSHAKE_DONE, 1); 860280304Sjkim } 861160814Ssimon 862280304Sjkim ret = 1; 863160814Ssimon 864280304Sjkim /* done handshaking, next message is client hello */ 865280304Sjkim s->d1->handshake_read_seq = 0; 866280304Sjkim /* next message is server hello */ 867280304Sjkim s->d1->handshake_write_seq = 0; 868280304Sjkim s->d1->next_handshake_write_seq = 0; 869306196Sjkim dtls1_clear_received_buffer(s); 870280304Sjkim goto end; 871280304Sjkim /* break; */ 872160814Ssimon 873284285Sjkim case SSL_ST_ERR: 874280304Sjkim default: 875280304Sjkim SSLerr(SSL_F_DTLS1_ACCEPT, SSL_R_UNKNOWN_STATE); 876280304Sjkim ret = -1; 877280304Sjkim goto end; 878280304Sjkim /* break; */ 879280304Sjkim } 880280304Sjkim 881280304Sjkim if (!s->s3->tmp.reuse_message && !skip) { 882280304Sjkim if (s->debug) { 883280304Sjkim if ((ret = BIO_flush(s->wbio)) <= 0) 884280304Sjkim goto end; 885280304Sjkim } 886280304Sjkim 887280304Sjkim if ((cb != NULL) && (s->state != state)) { 888280304Sjkim new_state = s->state; 889280304Sjkim s->state = state; 890280304Sjkim cb(s, SSL_CB_ACCEPT_LOOP, 1); 891280304Sjkim s->state = new_state; 892280304Sjkim } 893280304Sjkim } 894280304Sjkim skip = 0; 895280304Sjkim } 896280304Sjkim end: 897280304Sjkim /* BIO_flush(s->wbio); */ 898280304Sjkim 899280304Sjkim s->in_handshake--; 900238405Sjkim#ifndef OPENSSL_NO_SCTP 901280304Sjkim /* 902280304Sjkim * Notify SCTP BIO socket to leave handshake mode and prevent stream 903280304Sjkim * identifier other than 0. Will be ignored if no SCTP is used. 904280304Sjkim */ 905280304Sjkim BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, 906280304Sjkim s->in_handshake, NULL); 907238405Sjkim#endif 908238405Sjkim 909280304Sjkim if (cb != NULL) 910280304Sjkim cb(s, SSL_CB_ACCEPT_EXIT, ret); 911280304Sjkim return (ret); 912280304Sjkim} 913160814Ssimon 914160814Ssimonint dtls1_send_hello_request(SSL *s) 915280304Sjkim{ 916280304Sjkim unsigned char *p; 917160814Ssimon 918280304Sjkim if (s->state == SSL3_ST_SW_HELLO_REQ_A) { 919280304Sjkim p = (unsigned char *)s->init_buf->data; 920280304Sjkim p = dtls1_set_message_header(s, p, SSL3_MT_HELLO_REQUEST, 0, 0, 0); 921160814Ssimon 922280304Sjkim s->state = SSL3_ST_SW_HELLO_REQ_B; 923280304Sjkim /* number of bytes to write */ 924280304Sjkim s->init_num = DTLS1_HM_HEADER_LENGTH; 925280304Sjkim s->init_off = 0; 926160814Ssimon 927280304Sjkim /* 928280304Sjkim * no need to buffer this message, since there are no retransmit 929280304Sjkim * requests for it 930280304Sjkim */ 931280304Sjkim } 932160814Ssimon 933280304Sjkim /* SSL3_ST_SW_HELLO_REQ_B */ 934280304Sjkim return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); 935280304Sjkim} 936160814Ssimon 937160814Ssimonint dtls1_send_hello_verify_request(SSL *s) 938280304Sjkim{ 939280304Sjkim unsigned int msg_len; 940280304Sjkim unsigned char *msg, *buf, *p; 941160814Ssimon 942280304Sjkim if (s->state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A) { 943280304Sjkim buf = (unsigned char *)s->init_buf->data; 944160814Ssimon 945280304Sjkim msg = p = &(buf[DTLS1_HM_HEADER_LENGTH]); 946280304Sjkim *(p++) = s->version >> 8; 947280304Sjkim *(p++) = s->version & 0xFF; 948160814Ssimon 949280304Sjkim if (s->ctx->app_gen_cookie_cb == NULL || 950280304Sjkim s->ctx->app_gen_cookie_cb(s, s->d1->cookie, 951280304Sjkim &(s->d1->cookie_len)) == 0) { 952280304Sjkim SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST, 953280304Sjkim ERR_R_INTERNAL_ERROR); 954284285Sjkim s->state = SSL_ST_ERR; 955280304Sjkim return 0; 956280304Sjkim } 957160814Ssimon 958280304Sjkim *(p++) = (unsigned char)s->d1->cookie_len; 959280304Sjkim memcpy(p, s->d1->cookie, s->d1->cookie_len); 960280304Sjkim p += s->d1->cookie_len; 961280304Sjkim msg_len = p - msg; 962160814Ssimon 963280304Sjkim dtls1_set_message_header(s, buf, 964280304Sjkim DTLS1_MT_HELLO_VERIFY_REQUEST, msg_len, 0, 965280304Sjkim msg_len); 966160814Ssimon 967280304Sjkim s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B; 968280304Sjkim /* number of bytes to write */ 969280304Sjkim s->init_num = p - buf; 970280304Sjkim s->init_off = 0; 971280304Sjkim } 972160814Ssimon 973280304Sjkim /* s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */ 974280304Sjkim return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); 975280304Sjkim} 976160814Ssimon 977160814Ssimonint dtls1_send_server_hello(SSL *s) 978280304Sjkim{ 979280304Sjkim unsigned char *buf; 980280304Sjkim unsigned char *p, *d; 981280304Sjkim int i; 982280304Sjkim unsigned int sl; 983280304Sjkim unsigned long l; 984160814Ssimon 985280304Sjkim if (s->state == SSL3_ST_SW_SRVR_HELLO_A) { 986280304Sjkim buf = (unsigned char *)s->init_buf->data; 987280304Sjkim p = s->s3->server_random; 988280304Sjkim ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE); 989280304Sjkim /* Do the message type and length last */ 990280304Sjkim d = p = &(buf[DTLS1_HM_HEADER_LENGTH]); 991160814Ssimon 992280304Sjkim *(p++) = s->version >> 8; 993280304Sjkim *(p++) = s->version & 0xff; 994160814Ssimon 995280304Sjkim /* Random stuff */ 996280304Sjkim memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE); 997280304Sjkim p += SSL3_RANDOM_SIZE; 998160814Ssimon 999280304Sjkim /* 1000280304Sjkim * now in theory we have 3 options to sending back the session id. 1001280304Sjkim * If it is a re-use, we send back the old session-id, if it is a new 1002280304Sjkim * session, we send back the new session-id or we send back a 0 1003280304Sjkim * length session-id if we want it to be single use. Currently I will 1004280304Sjkim * not implement the '0' length session-id 12-Jan-98 - I'll now 1005280304Sjkim * support the '0' length stuff. 1006280304Sjkim */ 1007280304Sjkim if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)) 1008280304Sjkim s->session->session_id_length = 0; 1009160814Ssimon 1010280304Sjkim sl = s->session->session_id_length; 1011280304Sjkim if (sl > sizeof s->session->session_id) { 1012280304Sjkim SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR); 1013280304Sjkim return -1; 1014280304Sjkim } 1015280304Sjkim *(p++) = sl; 1016280304Sjkim memcpy(p, s->session->session_id, sl); 1017280304Sjkim p += sl; 1018160814Ssimon 1019280304Sjkim /* put the cipher */ 1020280304Sjkim if (s->s3->tmp.new_cipher == NULL) 1021280304Sjkim return -1; 1022280304Sjkim i = ssl3_put_cipher_by_char(s->s3->tmp.new_cipher, p); 1023280304Sjkim p += i; 1024160814Ssimon 1025280304Sjkim /* put the compression method */ 1026160814Ssimon#ifdef OPENSSL_NO_COMP 1027280304Sjkim *(p++) = 0; 1028160814Ssimon#else 1029280304Sjkim if (s->s3->tmp.new_compression == NULL) 1030280304Sjkim *(p++) = 0; 1031280304Sjkim else 1032280304Sjkim *(p++) = s->s3->tmp.new_compression->id; 1033160814Ssimon#endif 1034160814Ssimon 1035205128Ssimon#ifndef OPENSSL_NO_TLSEXT 1036280304Sjkim if (ssl_prepare_serverhello_tlsext(s) <= 0) { 1037280304Sjkim SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT); 1038280304Sjkim return -1; 1039280304Sjkim } 1040280304Sjkim if ((p = 1041280304Sjkim ssl_add_serverhello_tlsext(s, p, 1042280304Sjkim buf + SSL3_RT_MAX_PLAIN_LENGTH)) == 1043280304Sjkim NULL) { 1044280304Sjkim SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR); 1045280304Sjkim return -1; 1046280304Sjkim } 1047205128Ssimon#endif 1048205128Ssimon 1049280304Sjkim /* do the header */ 1050280304Sjkim l = (p - d); 1051280304Sjkim d = buf; 1052160814Ssimon 1053280304Sjkim d = dtls1_set_message_header(s, d, SSL3_MT_SERVER_HELLO, l, 0, l); 1054160814Ssimon 1055280304Sjkim s->state = SSL3_ST_SW_SRVR_HELLO_B; 1056280304Sjkim /* number of bytes to write */ 1057280304Sjkim s->init_num = p - buf; 1058280304Sjkim s->init_off = 0; 1059160814Ssimon 1060280304Sjkim /* buffer the message to handle re-xmits */ 1061280304Sjkim dtls1_buffer_message(s, 0); 1062280304Sjkim } 1063160814Ssimon 1064280304Sjkim /* SSL3_ST_SW_SRVR_HELLO_B */ 1065280304Sjkim return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); 1066280304Sjkim} 1067160814Ssimon 1068160814Ssimonint dtls1_send_server_done(SSL *s) 1069280304Sjkim{ 1070280304Sjkim unsigned char *p; 1071160814Ssimon 1072280304Sjkim if (s->state == SSL3_ST_SW_SRVR_DONE_A) { 1073280304Sjkim p = (unsigned char *)s->init_buf->data; 1074160814Ssimon 1075280304Sjkim /* do the header */ 1076280304Sjkim p = dtls1_set_message_header(s, p, SSL3_MT_SERVER_DONE, 0, 0, 0); 1077160814Ssimon 1078280304Sjkim s->state = SSL3_ST_SW_SRVR_DONE_B; 1079280304Sjkim /* number of bytes to write */ 1080280304Sjkim s->init_num = DTLS1_HM_HEADER_LENGTH; 1081280304Sjkim s->init_off = 0; 1082160814Ssimon 1083280304Sjkim /* buffer the message to handle re-xmits */ 1084280304Sjkim dtls1_buffer_message(s, 0); 1085280304Sjkim } 1086160814Ssimon 1087280304Sjkim /* SSL3_ST_SW_SRVR_DONE_B */ 1088280304Sjkim return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); 1089280304Sjkim} 1090160814Ssimon 1091160814Ssimonint dtls1_send_server_key_exchange(SSL *s) 1092280304Sjkim{ 1093160814Ssimon#ifndef OPENSSL_NO_RSA 1094280304Sjkim unsigned char *q; 1095280304Sjkim int j, num; 1096280304Sjkim RSA *rsa; 1097280304Sjkim unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; 1098280304Sjkim unsigned int u; 1099160814Ssimon#endif 1100160814Ssimon#ifndef OPENSSL_NO_DH 1101280304Sjkim DH *dh = NULL, *dhp; 1102160814Ssimon#endif 1103238405Sjkim#ifndef OPENSSL_NO_ECDH 1104280304Sjkim EC_KEY *ecdh = NULL, *ecdhp; 1105280304Sjkim unsigned char *encodedPoint = NULL; 1106280304Sjkim int encodedlen = 0; 1107280304Sjkim int curve_id = 0; 1108280304Sjkim BN_CTX *bn_ctx = NULL; 1109238405Sjkim#endif 1110280304Sjkim EVP_PKEY *pkey; 1111280304Sjkim unsigned char *p, *d; 1112280304Sjkim int al, i; 1113280304Sjkim unsigned long type; 1114280304Sjkim int n; 1115280304Sjkim CERT *cert; 1116280304Sjkim BIGNUM *r[4]; 1117280304Sjkim int nr[4], kn; 1118280304Sjkim BUF_MEM *buf; 1119280304Sjkim EVP_MD_CTX md_ctx; 1120160814Ssimon 1121280304Sjkim EVP_MD_CTX_init(&md_ctx); 1122280304Sjkim if (s->state == SSL3_ST_SW_KEY_EXCH_A) { 1123280304Sjkim type = s->s3->tmp.new_cipher->algorithm_mkey; 1124280304Sjkim cert = s->cert; 1125160814Ssimon 1126280304Sjkim buf = s->init_buf; 1127160814Ssimon 1128280304Sjkim r[0] = r[1] = r[2] = r[3] = NULL; 1129280304Sjkim n = 0; 1130160814Ssimon#ifndef OPENSSL_NO_RSA 1131280304Sjkim if (type & SSL_kRSA) { 1132280304Sjkim rsa = cert->rsa_tmp; 1133280304Sjkim if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) { 1134280304Sjkim rsa = s->cert->rsa_tmp_cb(s, 1135280304Sjkim SSL_C_IS_EXPORT(s->s3-> 1136280304Sjkim tmp.new_cipher), 1137280304Sjkim SSL_C_EXPORT_PKEYLENGTH(s->s3-> 1138280304Sjkim tmp.new_cipher)); 1139280304Sjkim if (rsa == NULL) { 1140280304Sjkim al = SSL_AD_HANDSHAKE_FAILURE; 1141280304Sjkim SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, 1142280304Sjkim SSL_R_ERROR_GENERATING_TMP_RSA_KEY); 1143280304Sjkim goto f_err; 1144280304Sjkim } 1145280304Sjkim RSA_up_ref(rsa); 1146280304Sjkim cert->rsa_tmp = rsa; 1147280304Sjkim } 1148280304Sjkim if (rsa == NULL) { 1149280304Sjkim al = SSL_AD_HANDSHAKE_FAILURE; 1150280304Sjkim SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, 1151280304Sjkim SSL_R_MISSING_TMP_RSA_KEY); 1152280304Sjkim goto f_err; 1153280304Sjkim } 1154280304Sjkim r[0] = rsa->n; 1155280304Sjkim r[1] = rsa->e; 1156280304Sjkim s->s3->tmp.use_rsa_tmp = 1; 1157280304Sjkim } else 1158160814Ssimon#endif 1159160814Ssimon#ifndef OPENSSL_NO_DH 1160280304Sjkim if (type & SSL_kEDH) { 1161280304Sjkim dhp = cert->dh_tmp; 1162280304Sjkim if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) 1163280304Sjkim dhp = s->cert->dh_tmp_cb(s, 1164280304Sjkim SSL_C_IS_EXPORT(s->s3-> 1165280304Sjkim tmp.new_cipher), 1166280304Sjkim SSL_C_EXPORT_PKEYLENGTH(s->s3-> 1167280304Sjkim tmp.new_cipher)); 1168280304Sjkim if (dhp == NULL) { 1169280304Sjkim al = SSL_AD_HANDSHAKE_FAILURE; 1170280304Sjkim SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, 1171280304Sjkim SSL_R_MISSING_TMP_DH_KEY); 1172280304Sjkim goto f_err; 1173280304Sjkim } 1174160814Ssimon 1175280304Sjkim if (s->s3->tmp.dh != NULL) { 1176280304Sjkim DH_free(dh); 1177280304Sjkim SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, 1178280304Sjkim ERR_R_INTERNAL_ERROR); 1179280304Sjkim goto err; 1180280304Sjkim } 1181160814Ssimon 1182280304Sjkim if ((dh = DHparams_dup(dhp)) == NULL) { 1183280304Sjkim SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB); 1184280304Sjkim goto err; 1185280304Sjkim } 1186160814Ssimon 1187280304Sjkim s->s3->tmp.dh = dh; 1188280304Sjkim if ((dhp->pub_key == NULL || 1189280304Sjkim dhp->priv_key == NULL || 1190280304Sjkim (s->options & SSL_OP_SINGLE_DH_USE))) { 1191280304Sjkim if (!DH_generate_key(dh)) { 1192280304Sjkim SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, 1193280304Sjkim ERR_R_DH_LIB); 1194280304Sjkim goto err; 1195280304Sjkim } 1196280304Sjkim } else { 1197280304Sjkim dh->pub_key = BN_dup(dhp->pub_key); 1198280304Sjkim dh->priv_key = BN_dup(dhp->priv_key); 1199280304Sjkim if ((dh->pub_key == NULL) || (dh->priv_key == NULL)) { 1200280304Sjkim SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, 1201280304Sjkim ERR_R_DH_LIB); 1202280304Sjkim goto err; 1203280304Sjkim } 1204280304Sjkim } 1205280304Sjkim r[0] = dh->p; 1206280304Sjkim r[1] = dh->g; 1207280304Sjkim r[2] = dh->pub_key; 1208280304Sjkim } else 1209160814Ssimon#endif 1210238405Sjkim#ifndef OPENSSL_NO_ECDH 1211280304Sjkim if (type & SSL_kEECDH) { 1212280304Sjkim const EC_GROUP *group; 1213238405Sjkim 1214280304Sjkim ecdhp = cert->ecdh_tmp; 1215280304Sjkim if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL)) { 1216280304Sjkim ecdhp = s->cert->ecdh_tmp_cb(s, 1217280304Sjkim SSL_C_IS_EXPORT(s->s3-> 1218280304Sjkim tmp.new_cipher), 1219280304Sjkim SSL_C_EXPORT_PKEYLENGTH(s-> 1220280304Sjkim s3->tmp.new_cipher)); 1221280304Sjkim } 1222280304Sjkim if (ecdhp == NULL) { 1223280304Sjkim al = SSL_AD_HANDSHAKE_FAILURE; 1224280304Sjkim SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, 1225280304Sjkim SSL_R_MISSING_TMP_ECDH_KEY); 1226280304Sjkim goto f_err; 1227280304Sjkim } 1228238405Sjkim 1229280304Sjkim if (s->s3->tmp.ecdh != NULL) { 1230280304Sjkim EC_KEY_free(s->s3->tmp.ecdh); 1231280304Sjkim SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, 1232280304Sjkim ERR_R_INTERNAL_ERROR); 1233280304Sjkim goto err; 1234280304Sjkim } 1235238405Sjkim 1236280304Sjkim /* Duplicate the ECDH structure. */ 1237280304Sjkim if (ecdhp == NULL) { 1238280304Sjkim SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB); 1239280304Sjkim goto err; 1240280304Sjkim } 1241280304Sjkim if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) { 1242280304Sjkim SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB); 1243280304Sjkim goto err; 1244280304Sjkim } 1245238405Sjkim 1246280304Sjkim s->s3->tmp.ecdh = ecdh; 1247280304Sjkim if ((EC_KEY_get0_public_key(ecdh) == NULL) || 1248280304Sjkim (EC_KEY_get0_private_key(ecdh) == NULL) || 1249280304Sjkim (s->options & SSL_OP_SINGLE_ECDH_USE)) { 1250280304Sjkim if (!EC_KEY_generate_key(ecdh)) { 1251280304Sjkim SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, 1252280304Sjkim ERR_R_ECDH_LIB); 1253280304Sjkim goto err; 1254280304Sjkim } 1255280304Sjkim } 1256238405Sjkim 1257280304Sjkim if (((group = EC_KEY_get0_group(ecdh)) == NULL) || 1258280304Sjkim (EC_KEY_get0_public_key(ecdh) == NULL) || 1259280304Sjkim (EC_KEY_get0_private_key(ecdh) == NULL)) { 1260280304Sjkim SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB); 1261280304Sjkim goto err; 1262280304Sjkim } 1263238405Sjkim 1264280304Sjkim if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && 1265280304Sjkim (EC_GROUP_get_degree(group) > 163)) { 1266280304Sjkim SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, 1267280304Sjkim SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER); 1268280304Sjkim goto err; 1269280304Sjkim } 1270238405Sjkim 1271280304Sjkim /* 1272280304Sjkim * XXX: For now, we only support ephemeral ECDH keys over named 1273280304Sjkim * (not generic) curves. For supported named curves, curve_id is 1274280304Sjkim * non-zero. 1275280304Sjkim */ 1276280304Sjkim if ((curve_id = 1277280304Sjkim tls1_ec_nid2curve_id(EC_GROUP_get_curve_name(group))) 1278280304Sjkim == 0) { 1279280304Sjkim SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, 1280280304Sjkim SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); 1281280304Sjkim goto err; 1282280304Sjkim } 1283238405Sjkim 1284280304Sjkim /* 1285280304Sjkim * Encode the public key. First check the size of encoding and 1286280304Sjkim * allocate memory accordingly. 1287280304Sjkim */ 1288280304Sjkim encodedlen = EC_POINT_point2oct(group, 1289280304Sjkim EC_KEY_get0_public_key(ecdh), 1290280304Sjkim POINT_CONVERSION_UNCOMPRESSED, 1291280304Sjkim NULL, 0, NULL); 1292238405Sjkim 1293280304Sjkim encodedPoint = (unsigned char *) 1294280304Sjkim OPENSSL_malloc(encodedlen * sizeof(unsigned char)); 1295280304Sjkim bn_ctx = BN_CTX_new(); 1296280304Sjkim if ((encodedPoint == NULL) || (bn_ctx == NULL)) { 1297280304Sjkim SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, 1298280304Sjkim ERR_R_MALLOC_FAILURE); 1299280304Sjkim goto err; 1300280304Sjkim } 1301238405Sjkim 1302280304Sjkim encodedlen = EC_POINT_point2oct(group, 1303280304Sjkim EC_KEY_get0_public_key(ecdh), 1304280304Sjkim POINT_CONVERSION_UNCOMPRESSED, 1305280304Sjkim encodedPoint, encodedlen, bn_ctx); 1306238405Sjkim 1307280304Sjkim if (encodedlen == 0) { 1308280304Sjkim SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB); 1309280304Sjkim goto err; 1310280304Sjkim } 1311238405Sjkim 1312280304Sjkim BN_CTX_free(bn_ctx); 1313280304Sjkim bn_ctx = NULL; 1314238405Sjkim 1315280304Sjkim /* 1316280304Sjkim * XXX: For now, we only support named (not generic) curves in 1317280304Sjkim * ECDH ephemeral key exchanges. In this situation, we need four 1318280304Sjkim * additional bytes to encode the entire ServerECDHParams 1319280304Sjkim * structure. 1320280304Sjkim */ 1321280304Sjkim n = 4 + encodedlen; 1322238405Sjkim 1323280304Sjkim /* 1324280304Sjkim * We'll generate the serverKeyExchange message explicitly so we 1325280304Sjkim * can set these to NULLs 1326280304Sjkim */ 1327280304Sjkim r[0] = NULL; 1328280304Sjkim r[1] = NULL; 1329280304Sjkim r[2] = NULL; 1330280304Sjkim r[3] = NULL; 1331280304Sjkim } else 1332280304Sjkim#endif /* !OPENSSL_NO_ECDH */ 1333238405Sjkim#ifndef OPENSSL_NO_PSK 1334280304Sjkim if (type & SSL_kPSK) { 1335280304Sjkim /* 1336280304Sjkim * reserve size for record length and PSK identity hint 1337280304Sjkim */ 1338280304Sjkim n += 2 + strlen(s->ctx->psk_identity_hint); 1339280304Sjkim } else 1340280304Sjkim#endif /* !OPENSSL_NO_PSK */ 1341280304Sjkim { 1342280304Sjkim al = SSL_AD_HANDSHAKE_FAILURE; 1343280304Sjkim SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, 1344280304Sjkim SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 1345280304Sjkim goto f_err; 1346280304Sjkim } 1347280304Sjkim for (i = 0; r[i] != NULL; i++) { 1348280304Sjkim nr[i] = BN_num_bytes(r[i]); 1349280304Sjkim n += 2 + nr[i]; 1350280304Sjkim } 1351160814Ssimon 1352280304Sjkim if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) 1353280304Sjkim && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { 1354280304Sjkim if ((pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher, NULL)) 1355280304Sjkim == NULL) { 1356280304Sjkim al = SSL_AD_DECODE_ERROR; 1357280304Sjkim goto f_err; 1358280304Sjkim } 1359280304Sjkim kn = EVP_PKEY_size(pkey); 1360280304Sjkim } else { 1361280304Sjkim pkey = NULL; 1362280304Sjkim kn = 0; 1363280304Sjkim } 1364160814Ssimon 1365280304Sjkim if (!BUF_MEM_grow_clean(buf, n + DTLS1_HM_HEADER_LENGTH + kn)) { 1366280304Sjkim SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_BUF); 1367280304Sjkim goto err; 1368280304Sjkim } 1369280304Sjkim d = (unsigned char *)s->init_buf->data; 1370280304Sjkim p = &(d[DTLS1_HM_HEADER_LENGTH]); 1371160814Ssimon 1372280304Sjkim for (i = 0; r[i] != NULL; i++) { 1373280304Sjkim s2n(nr[i], p); 1374280304Sjkim BN_bn2bin(r[i], p); 1375280304Sjkim p += nr[i]; 1376280304Sjkim } 1377160814Ssimon 1378238405Sjkim#ifndef OPENSSL_NO_ECDH 1379280304Sjkim if (type & SSL_kEECDH) { 1380280304Sjkim /* 1381280304Sjkim * XXX: For now, we only support named (not generic) curves. In 1382280304Sjkim * this situation, the serverKeyExchange message has: [1 byte 1383280304Sjkim * CurveType], [2 byte CurveName] [1 byte length of encoded 1384280304Sjkim * point], followed by the actual encoded point itself 1385280304Sjkim */ 1386280304Sjkim *p = NAMED_CURVE_TYPE; 1387280304Sjkim p += 1; 1388280304Sjkim *p = 0; 1389280304Sjkim p += 1; 1390280304Sjkim *p = curve_id; 1391280304Sjkim p += 1; 1392280304Sjkim *p = encodedlen; 1393280304Sjkim p += 1; 1394280304Sjkim memcpy((unsigned char *)p, 1395280304Sjkim (unsigned char *)encodedPoint, encodedlen); 1396280304Sjkim OPENSSL_free(encodedPoint); 1397280304Sjkim encodedPoint = NULL; 1398280304Sjkim p += encodedlen; 1399280304Sjkim } 1400238405Sjkim#endif 1401238405Sjkim 1402238405Sjkim#ifndef OPENSSL_NO_PSK 1403280304Sjkim if (type & SSL_kPSK) { 1404280304Sjkim /* copy PSK identity hint */ 1405280304Sjkim s2n(strlen(s->ctx->psk_identity_hint), p); 1406280304Sjkim strncpy((char *)p, s->ctx->psk_identity_hint, 1407280304Sjkim strlen(s->ctx->psk_identity_hint)); 1408280304Sjkim p += strlen(s->ctx->psk_identity_hint); 1409280304Sjkim } 1410238405Sjkim#endif 1411238405Sjkim 1412280304Sjkim /* not anonymous */ 1413280304Sjkim if (pkey != NULL) { 1414280304Sjkim /* 1415280304Sjkim * n is the length of the params, they start at 1416280304Sjkim * &(d[DTLS1_HM_HEADER_LENGTH]) and p points to the space at the 1417280304Sjkim * end. 1418280304Sjkim */ 1419160814Ssimon#ifndef OPENSSL_NO_RSA 1420280304Sjkim if (pkey->type == EVP_PKEY_RSA) { 1421280304Sjkim q = md_buf; 1422280304Sjkim j = 0; 1423280304Sjkim for (num = 2; num > 0; num--) { 1424280304Sjkim EVP_DigestInit_ex(&md_ctx, (num == 2) 1425280304Sjkim ? s->ctx->md5 : s->ctx->sha1, NULL); 1426280304Sjkim EVP_DigestUpdate(&md_ctx, &(s->s3->client_random[0]), 1427280304Sjkim SSL3_RANDOM_SIZE); 1428280304Sjkim EVP_DigestUpdate(&md_ctx, &(s->s3->server_random[0]), 1429280304Sjkim SSL3_RANDOM_SIZE); 1430280304Sjkim EVP_DigestUpdate(&md_ctx, &(d[DTLS1_HM_HEADER_LENGTH]), 1431280304Sjkim n); 1432280304Sjkim EVP_DigestFinal_ex(&md_ctx, q, (unsigned int *)&i); 1433280304Sjkim q += i; 1434280304Sjkim j += i; 1435280304Sjkim } 1436280304Sjkim if (RSA_sign(NID_md5_sha1, md_buf, j, 1437280304Sjkim &(p[2]), &u, pkey->pkey.rsa) <= 0) { 1438280304Sjkim SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_RSA); 1439280304Sjkim goto err; 1440280304Sjkim } 1441280304Sjkim s2n(u, p); 1442280304Sjkim n += u + 2; 1443280304Sjkim } else 1444160814Ssimon#endif 1445160814Ssimon#if !defined(OPENSSL_NO_DSA) 1446280304Sjkim if (pkey->type == EVP_PKEY_DSA) { 1447280304Sjkim /* lets do DSS */ 1448280304Sjkim EVP_SignInit_ex(&md_ctx, EVP_dss1(), NULL); 1449280304Sjkim EVP_SignUpdate(&md_ctx, &(s->s3->client_random[0]), 1450280304Sjkim SSL3_RANDOM_SIZE); 1451280304Sjkim EVP_SignUpdate(&md_ctx, &(s->s3->server_random[0]), 1452280304Sjkim SSL3_RANDOM_SIZE); 1453280304Sjkim EVP_SignUpdate(&md_ctx, &(d[DTLS1_HM_HEADER_LENGTH]), n); 1454280304Sjkim if (!EVP_SignFinal(&md_ctx, &(p[2]), 1455280304Sjkim (unsigned int *)&i, pkey)) { 1456280304Sjkim SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_DSA); 1457280304Sjkim goto err; 1458280304Sjkim } 1459280304Sjkim s2n(i, p); 1460280304Sjkim n += i + 2; 1461280304Sjkim } else 1462160814Ssimon#endif 1463238405Sjkim#if !defined(OPENSSL_NO_ECDSA) 1464280304Sjkim if (pkey->type == EVP_PKEY_EC) { 1465280304Sjkim /* let's do ECDSA */ 1466280304Sjkim EVP_SignInit_ex(&md_ctx, EVP_ecdsa(), NULL); 1467280304Sjkim EVP_SignUpdate(&md_ctx, &(s->s3->client_random[0]), 1468280304Sjkim SSL3_RANDOM_SIZE); 1469280304Sjkim EVP_SignUpdate(&md_ctx, &(s->s3->server_random[0]), 1470280304Sjkim SSL3_RANDOM_SIZE); 1471280304Sjkim EVP_SignUpdate(&md_ctx, &(d[DTLS1_HM_HEADER_LENGTH]), n); 1472280304Sjkim if (!EVP_SignFinal(&md_ctx, &(p[2]), 1473280304Sjkim (unsigned int *)&i, pkey)) { 1474280304Sjkim SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, 1475280304Sjkim ERR_LIB_ECDSA); 1476280304Sjkim goto err; 1477280304Sjkim } 1478280304Sjkim s2n(i, p); 1479280304Sjkim n += i + 2; 1480280304Sjkim } else 1481238405Sjkim#endif 1482280304Sjkim { 1483280304Sjkim /* Is this error check actually needed? */ 1484280304Sjkim al = SSL_AD_HANDSHAKE_FAILURE; 1485280304Sjkim SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, 1486280304Sjkim SSL_R_UNKNOWN_PKEY_TYPE); 1487280304Sjkim goto f_err; 1488280304Sjkim } 1489280304Sjkim } 1490160814Ssimon 1491280304Sjkim d = dtls1_set_message_header(s, d, 1492280304Sjkim SSL3_MT_SERVER_KEY_EXCHANGE, n, 0, n); 1493160814Ssimon 1494280304Sjkim /* 1495280304Sjkim * we should now have things packed up, so lets send it off 1496280304Sjkim */ 1497280304Sjkim s->init_num = n + DTLS1_HM_HEADER_LENGTH; 1498280304Sjkim s->init_off = 0; 1499160814Ssimon 1500280304Sjkim /* buffer the message to handle re-xmits */ 1501280304Sjkim dtls1_buffer_message(s, 0); 1502280304Sjkim } 1503160814Ssimon 1504280304Sjkim s->state = SSL3_ST_SW_KEY_EXCH_B; 1505280304Sjkim EVP_MD_CTX_cleanup(&md_ctx); 1506280304Sjkim return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); 1507280304Sjkim f_err: 1508280304Sjkim ssl3_send_alert(s, SSL3_AL_FATAL, al); 1509280304Sjkim err: 1510238405Sjkim#ifndef OPENSSL_NO_ECDH 1511280304Sjkim if (encodedPoint != NULL) 1512280304Sjkim OPENSSL_free(encodedPoint); 1513280304Sjkim BN_CTX_free(bn_ctx); 1514238405Sjkim#endif 1515280304Sjkim EVP_MD_CTX_cleanup(&md_ctx); 1516280304Sjkim return (-1); 1517280304Sjkim} 1518160814Ssimon 1519160814Ssimonint dtls1_send_certificate_request(SSL *s) 1520280304Sjkim{ 1521280304Sjkim unsigned char *p, *d; 1522280304Sjkim int i, j, nl, off, n; 1523280304Sjkim STACK_OF(X509_NAME) *sk = NULL; 1524280304Sjkim X509_NAME *name; 1525280304Sjkim BUF_MEM *buf; 1526280304Sjkim unsigned int msg_len; 1527160814Ssimon 1528280304Sjkim if (s->state == SSL3_ST_SW_CERT_REQ_A) { 1529280304Sjkim buf = s->init_buf; 1530160814Ssimon 1531280304Sjkim d = p = (unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH]); 1532160814Ssimon 1533280304Sjkim /* get the list of acceptable cert types */ 1534280304Sjkim p++; 1535280304Sjkim n = ssl3_get_req_cert_type(s, p); 1536280304Sjkim d[0] = n; 1537280304Sjkim p += n; 1538280304Sjkim n++; 1539160814Ssimon 1540280304Sjkim off = n; 1541280304Sjkim p += 2; 1542280304Sjkim n += 2; 1543160814Ssimon 1544280304Sjkim sk = SSL_get_client_CA_list(s); 1545280304Sjkim nl = 0; 1546280304Sjkim if (sk != NULL) { 1547280304Sjkim for (i = 0; i < sk_X509_NAME_num(sk); i++) { 1548280304Sjkim name = sk_X509_NAME_value(sk, i); 1549280304Sjkim j = i2d_X509_NAME(name, NULL); 1550280304Sjkim if (!BUF_MEM_grow_clean 1551280304Sjkim (buf, DTLS1_HM_HEADER_LENGTH + n + j + 2)) { 1552280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST, 1553280304Sjkim ERR_R_BUF_LIB); 1554280304Sjkim goto err; 1555280304Sjkim } 1556280304Sjkim p = (unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH + n]); 1557280304Sjkim if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) { 1558280304Sjkim s2n(j, p); 1559280304Sjkim i2d_X509_NAME(name, &p); 1560280304Sjkim n += 2 + j; 1561280304Sjkim nl += 2 + j; 1562280304Sjkim } else { 1563280304Sjkim d = p; 1564280304Sjkim i2d_X509_NAME(name, &p); 1565280304Sjkim j -= 2; 1566280304Sjkim s2n(j, d); 1567280304Sjkim j += 2; 1568280304Sjkim n += j; 1569280304Sjkim nl += j; 1570280304Sjkim } 1571280304Sjkim } 1572280304Sjkim } 1573280304Sjkim /* else no CA names */ 1574280304Sjkim p = (unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH + off]); 1575280304Sjkim s2n(nl, p); 1576160814Ssimon 1577280304Sjkim d = (unsigned char *)buf->data; 1578280304Sjkim *(d++) = SSL3_MT_CERTIFICATE_REQUEST; 1579280304Sjkim l2n3(n, d); 1580280304Sjkim s2n(s->d1->handshake_write_seq, d); 1581280304Sjkim s->d1->handshake_write_seq++; 1582160814Ssimon 1583280304Sjkim /* 1584280304Sjkim * we should now have things packed up, so lets send it off 1585280304Sjkim */ 1586160814Ssimon 1587280304Sjkim s->init_num = n + DTLS1_HM_HEADER_LENGTH; 1588280304Sjkim s->init_off = 0; 1589160814Ssimon#ifdef NETSCAPE_HANG_BUG 1590160814Ssimon/* XXX: what to do about this? */ 1591280304Sjkim p = (unsigned char *)s->init_buf->data + s->init_num; 1592160814Ssimon 1593280304Sjkim /* do the header */ 1594280304Sjkim *(p++) = SSL3_MT_SERVER_DONE; 1595280304Sjkim *(p++) = 0; 1596280304Sjkim *(p++) = 0; 1597280304Sjkim *(p++) = 0; 1598280304Sjkim s->init_num += 4; 1599160814Ssimon#endif 1600160814Ssimon 1601280304Sjkim /* XDTLS: set message header ? */ 1602280304Sjkim msg_len = s->init_num - DTLS1_HM_HEADER_LENGTH; 1603280304Sjkim dtls1_set_message_header(s, (void *)s->init_buf->data, 1604280304Sjkim SSL3_MT_CERTIFICATE_REQUEST, msg_len, 0, 1605280304Sjkim msg_len); 1606194206Ssimon 1607280304Sjkim /* buffer the message to handle re-xmits */ 1608280304Sjkim dtls1_buffer_message(s, 0); 1609160814Ssimon 1610280304Sjkim s->state = SSL3_ST_SW_CERT_REQ_B; 1611280304Sjkim } 1612160814Ssimon 1613280304Sjkim /* SSL3_ST_SW_CERT_REQ_B */ 1614280304Sjkim return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); 1615280304Sjkim err: 1616280304Sjkim return (-1); 1617280304Sjkim} 1618160814Ssimon 1619160814Ssimonint dtls1_send_server_certificate(SSL *s) 1620280304Sjkim{ 1621280304Sjkim unsigned long l; 1622280304Sjkim X509 *x; 1623160814Ssimon 1624280304Sjkim if (s->state == SSL3_ST_SW_CERT_A) { 1625280304Sjkim x = ssl_get_server_send_cert(s); 1626280304Sjkim if (x == NULL) { 1627280304Sjkim /* VRS: allow null cert if auth == KRB5 */ 1628280304Sjkim if ((s->s3->tmp.new_cipher->algorithm_mkey != SSL_kKRB5) || 1629280304Sjkim (s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5)) { 1630280304Sjkim SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE, 1631280304Sjkim ERR_R_INTERNAL_ERROR); 1632280304Sjkim return (0); 1633280304Sjkim } 1634280304Sjkim } 1635160814Ssimon 1636280304Sjkim l = dtls1_output_cert_chain(s, x); 1637280304Sjkim if (!l) { 1638280304Sjkim SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR); 1639280304Sjkim return (0); 1640280304Sjkim } 1641280304Sjkim s->state = SSL3_ST_SW_CERT_B; 1642280304Sjkim s->init_num = (int)l; 1643280304Sjkim s->init_off = 0; 1644160814Ssimon 1645280304Sjkim /* buffer the message to handle re-xmits */ 1646280304Sjkim dtls1_buffer_message(s, 0); 1647280304Sjkim } 1648160814Ssimon 1649280304Sjkim /* SSL3_ST_SW_CERT_B */ 1650280304Sjkim return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); 1651280304Sjkim} 1652205128Ssimon 1653205128Ssimon#ifndef OPENSSL_NO_TLSEXT 1654205128Ssimonint dtls1_send_newsession_ticket(SSL *s) 1655280304Sjkim{ 1656280304Sjkim if (s->state == SSL3_ST_SW_SESSION_TICKET_A) { 1657280304Sjkim unsigned char *p, *senc, *macstart; 1658280304Sjkim int len, slen; 1659280304Sjkim unsigned int hlen, msg_len; 1660280304Sjkim EVP_CIPHER_CTX ctx; 1661280304Sjkim HMAC_CTX hctx; 1662280304Sjkim SSL_CTX *tctx = s->initial_ctx; 1663280304Sjkim unsigned char iv[EVP_MAX_IV_LENGTH]; 1664280304Sjkim unsigned char key_name[16]; 1665205128Ssimon 1666280304Sjkim /* get session encoding length */ 1667280304Sjkim slen = i2d_SSL_SESSION(s->session, NULL); 1668280304Sjkim /* 1669280304Sjkim * Some length values are 16 bits, so forget it if session is too 1670280304Sjkim * long 1671280304Sjkim */ 1672280304Sjkim if (slen > 0xFF00) 1673280304Sjkim return -1; 1674280304Sjkim /* 1675280304Sjkim * Grow buffer if need be: the length calculation is as follows 12 1676280304Sjkim * (DTLS handshake message header) + 4 (ticket lifetime hint) + 2 1677280304Sjkim * (ticket length) + 16 (key name) + max_iv_len (iv length) + 1678280304Sjkim * session_length + max_enc_block_size (max encrypted session length) 1679280304Sjkim * + max_md_size (HMAC). 1680280304Sjkim */ 1681280304Sjkim if (!BUF_MEM_grow(s->init_buf, 1682280304Sjkim DTLS1_HM_HEADER_LENGTH + 22 + EVP_MAX_IV_LENGTH + 1683280304Sjkim EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE + slen)) 1684280304Sjkim return -1; 1685280304Sjkim senc = OPENSSL_malloc(slen); 1686280304Sjkim if (!senc) 1687280304Sjkim return -1; 1688280304Sjkim p = senc; 1689280304Sjkim i2d_SSL_SESSION(s->session, &p); 1690205128Ssimon 1691280304Sjkim p = (unsigned char *)&(s->init_buf->data[DTLS1_HM_HEADER_LENGTH]); 1692280304Sjkim EVP_CIPHER_CTX_init(&ctx); 1693280304Sjkim HMAC_CTX_init(&hctx); 1694280304Sjkim /* 1695280304Sjkim * Initialize HMAC and cipher contexts. If callback present it does 1696280304Sjkim * all the work otherwise use generated values from parent ctx. 1697280304Sjkim */ 1698280304Sjkim if (tctx->tlsext_ticket_key_cb) { 1699280304Sjkim if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, 1700280304Sjkim &hctx, 1) < 0) { 1701280304Sjkim OPENSSL_free(senc); 1702280304Sjkim return -1; 1703280304Sjkim } 1704280304Sjkim } else { 1705306196Sjkim if (RAND_bytes(iv, 16) <= 0) { 1706306196Sjkim OPENSSL_free(senc); 1707306196Sjkim return -1; 1708306196Sjkim } 1709280304Sjkim EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 1710280304Sjkim tctx->tlsext_tick_aes_key, iv); 1711280304Sjkim HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 1712280304Sjkim tlsext_tick_md(), NULL); 1713280304Sjkim memcpy(key_name, tctx->tlsext_tick_key_name, 16); 1714280304Sjkim } 1715280304Sjkim l2n(s->session->tlsext_tick_lifetime_hint, p); 1716280304Sjkim /* Skip ticket length for now */ 1717280304Sjkim p += 2; 1718280304Sjkim /* Output key name */ 1719280304Sjkim macstart = p; 1720280304Sjkim memcpy(p, key_name, 16); 1721280304Sjkim p += 16; 1722280304Sjkim /* output IV */ 1723280304Sjkim memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx)); 1724280304Sjkim p += EVP_CIPHER_CTX_iv_length(&ctx); 1725280304Sjkim /* Encrypt session data */ 1726280304Sjkim EVP_EncryptUpdate(&ctx, p, &len, senc, slen); 1727280304Sjkim p += len; 1728280304Sjkim EVP_EncryptFinal(&ctx, p, &len); 1729280304Sjkim p += len; 1730280304Sjkim EVP_CIPHER_CTX_cleanup(&ctx); 1731205128Ssimon 1732280304Sjkim HMAC_Update(&hctx, macstart, p - macstart); 1733280304Sjkim HMAC_Final(&hctx, p, &hlen); 1734280304Sjkim HMAC_CTX_cleanup(&hctx); 1735205128Ssimon 1736280304Sjkim p += hlen; 1737280304Sjkim /* Now write out lengths: p points to end of data written */ 1738280304Sjkim /* Total length */ 1739280304Sjkim len = p - (unsigned char *)(s->init_buf->data); 1740280304Sjkim /* Ticket length */ 1741280304Sjkim p = (unsigned char *)&(s->init_buf->data[DTLS1_HM_HEADER_LENGTH]) + 4; 1742280304Sjkim s2n(len - DTLS1_HM_HEADER_LENGTH - 6, p); 1743205128Ssimon 1744280304Sjkim /* number of bytes to write */ 1745280304Sjkim s->init_num = len; 1746280304Sjkim s->state = SSL3_ST_SW_SESSION_TICKET_B; 1747280304Sjkim s->init_off = 0; 1748280304Sjkim OPENSSL_free(senc); 1749205128Ssimon 1750280304Sjkim /* XDTLS: set message header ? */ 1751280304Sjkim msg_len = s->init_num - DTLS1_HM_HEADER_LENGTH; 1752280304Sjkim dtls1_set_message_header(s, (void *)s->init_buf->data, 1753280304Sjkim SSL3_MT_NEWSESSION_TICKET, msg_len, 0, 1754280304Sjkim msg_len); 1755205128Ssimon 1756280304Sjkim /* buffer the message to handle re-xmits */ 1757280304Sjkim dtls1_buffer_message(s, 0); 1758280304Sjkim } 1759205128Ssimon 1760280304Sjkim /* SSL3_ST_SW_SESSION_TICKET_B */ 1761280304Sjkim return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); 1762280304Sjkim} 1763205128Ssimon#endif 1764