d1_clnt.c revision 271304
1/* ssl/d1_clnt.c */ 2/* 3 * DTLS implementation written by Nagendra Modadugu 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 5 */ 6/* ==================================================================== 7 * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * openssl-core@OpenSSL.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 * 54 * This product includes cryptographic software written by Eric Young 55 * (eay@cryptsoft.com). This product includes software written by Tim 56 * Hudson (tjh@cryptsoft.com). 57 * 58 */ 59/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 60 * All rights reserved. 61 * 62 * This package is an SSL implementation written 63 * by Eric Young (eay@cryptsoft.com). 64 * The implementation was written so as to conform with Netscapes SSL. 65 * 66 * This library is free for commercial and non-commercial use as long as 67 * the following conditions are aheared to. The following conditions 68 * apply to all code found in this distribution, be it the RC4, RSA, 69 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 70 * included with this distribution is covered by the same copyright terms 71 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 72 * 73 * Copyright remains Eric Young's, and as such any Copyright notices in 74 * the code are not to be removed. 75 * If this package is used in a product, Eric Young should be given attribution 76 * as the author of the parts of the library used. 77 * This can be in the form of a textual message at program startup or 78 * in documentation (online or textual) provided with the package. 79 * 80 * Redistribution and use in source and binary forms, with or without 81 * modification, are permitted provided that the following conditions 82 * are met: 83 * 1. Redistributions of source code must retain the copyright 84 * notice, this list of conditions and the following disclaimer. 85 * 2. Redistributions in binary form must reproduce the above copyright 86 * notice, this list of conditions and the following disclaimer in the 87 * documentation and/or other materials provided with the distribution. 88 * 3. All advertising materials mentioning features or use of this software 89 * must display the following acknowledgement: 90 * "This product includes cryptographic software written by 91 * Eric Young (eay@cryptsoft.com)" 92 * The word 'cryptographic' can be left out if the rouines from the library 93 * being used are not cryptographic related :-). 94 * 4. If you include any Windows specific code (or a derivative thereof) from 95 * the apps directory (application code) you must include an acknowledgement: 96 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 97 * 98 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 99 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 100 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 101 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 102 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 103 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 104 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 105 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 106 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 107 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 108 * SUCH DAMAGE. 109 * 110 * The licence and distribution terms for any publically available version or 111 * derivative of this code cannot be changed. i.e. this code cannot simply be 112 * copied and put under another distribution licence 113 * [including the GNU Public Licence.] 114 */ 115 116#include <stdio.h> 117#include "ssl_locl.h" 118#ifndef OPENSSL_NO_KRB5 119#include "kssl_lcl.h" 120#endif 121#include <openssl/buffer.h> 122#include <openssl/rand.h> 123#include <openssl/objects.h> 124#include <openssl/evp.h> 125#include <openssl/md5.h> 126#include <openssl/bn.h> 127#ifndef OPENSSL_NO_DH 128#include <openssl/dh.h> 129#endif 130 131static const SSL_METHOD *dtls1_get_client_method(int ver); 132static int dtls1_get_hello_verify(SSL *s); 133 134static const SSL_METHOD *dtls1_get_client_method(int ver) 135 { 136 if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER) 137 return(DTLSv1_client_method()); 138 else 139 return(NULL); 140 } 141 142IMPLEMENT_dtls1_meth_func(DTLSv1_client_method, 143 ssl_undefined_function, 144 dtls1_connect, 145 dtls1_get_client_method) 146 147int dtls1_connect(SSL *s) 148 { 149 BUF_MEM *buf=NULL; 150 unsigned long Time=(unsigned long)time(NULL); 151 void (*cb)(const SSL *ssl,int type,int val)=NULL; 152 int ret= -1; 153 int new_state,state,skip=0; 154#ifndef OPENSSL_NO_SCTP 155 unsigned char sctpauthkey[64]; 156 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)]; 157#endif 158 159 RAND_add(&Time,sizeof(Time),0); 160 ERR_clear_error(); 161 clear_sys_error(); 162 163 if (s->info_callback != NULL) 164 cb=s->info_callback; 165 else if (s->ctx->info_callback != NULL) 166 cb=s->ctx->info_callback; 167 168 s->in_handshake++; 169 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 170 171#ifndef OPENSSL_NO_SCTP 172 /* Notify SCTP BIO socket to enter handshake 173 * mode and prevent stream identifier other 174 * than 0. Will be ignored if no SCTP is used. 175 */ 176 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, s->in_handshake, NULL); 177#endif 178 179#ifndef OPENSSL_NO_HEARTBEATS 180 /* If we're awaiting a HeartbeatResponse, pretend we 181 * already got and don't await it anymore, because 182 * Heartbeats don't make sense during handshakes anyway. 183 */ 184 if (s->tlsext_hb_pending) 185 { 186 dtls1_stop_timer(s); 187 s->tlsext_hb_pending = 0; 188 s->tlsext_hb_seq++; 189 } 190#endif 191 192 for (;;) 193 { 194 state=s->state; 195 196 switch(s->state) 197 { 198 case SSL_ST_RENEGOTIATE: 199 s->renegotiate=1; 200 s->state=SSL_ST_CONNECT; 201 s->ctx->stats.sess_connect_renegotiate++; 202 /* break */ 203 case SSL_ST_BEFORE: 204 case SSL_ST_CONNECT: 205 case SSL_ST_BEFORE|SSL_ST_CONNECT: 206 case SSL_ST_OK|SSL_ST_CONNECT: 207 208 s->server=0; 209 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 210 211 if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00) && 212 (s->version & 0xff00 ) != (DTLS1_BAD_VER & 0xff00)) 213 { 214 SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR); 215 ret = -1; 216 goto end; 217 } 218 219 /* s->version=SSL3_VERSION; */ 220 s->type=SSL_ST_CONNECT; 221 222 if (s->init_buf == NULL) 223 { 224 if ((buf=BUF_MEM_new()) == NULL) 225 { 226 ret= -1; 227 goto end; 228 } 229 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 230 { 231 ret= -1; 232 goto end; 233 } 234 s->init_buf=buf; 235 buf=NULL; 236 } 237 238 if (!ssl3_setup_buffers(s)) { ret= -1; goto end; } 239 240 /* setup buffing BIO */ 241 if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; } 242 243 /* don't push the buffering BIO quite yet */ 244 245 s->state=SSL3_ST_CW_CLNT_HELLO_A; 246 s->ctx->stats.sess_connect++; 247 s->init_num=0; 248 /* mark client_random uninitialized */ 249 memset(s->s3->client_random,0,sizeof(s->s3->client_random)); 250 s->d1->send_cookie = 0; 251 s->hit = 0; 252 break; 253 254#ifndef OPENSSL_NO_SCTP 255 case DTLS1_SCTP_ST_CR_READ_SOCK: 256 257 if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) 258 { 259 s->s3->in_read_app_data=2; 260 s->rwstate=SSL_READING; 261 BIO_clear_retry_flags(SSL_get_rbio(s)); 262 BIO_set_retry_read(SSL_get_rbio(s)); 263 ret = -1; 264 goto end; 265 } 266 267 s->state=s->s3->tmp.next_state; 268 break; 269 270 case DTLS1_SCTP_ST_CW_WRITE_SOCK: 271 /* read app data until dry event */ 272 273 ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s)); 274 if (ret < 0) goto end; 275 276 if (ret == 0) 277 { 278 s->s3->in_read_app_data=2; 279 s->rwstate=SSL_READING; 280 BIO_clear_retry_flags(SSL_get_rbio(s)); 281 BIO_set_retry_read(SSL_get_rbio(s)); 282 ret = -1; 283 goto end; 284 } 285 286 s->state=s->d1->next_state; 287 break; 288#endif 289 290 case SSL3_ST_CW_CLNT_HELLO_A: 291 case SSL3_ST_CW_CLNT_HELLO_B: 292 293 s->shutdown=0; 294 295 /* every DTLS ClientHello resets Finished MAC */ 296 ssl3_init_finished_mac(s); 297 298 dtls1_start_timer(s); 299 ret=dtls1_client_hello(s); 300 if (ret <= 0) goto end; 301 302 if ( s->d1->send_cookie) 303 { 304 s->state=SSL3_ST_CW_FLUSH; 305 s->s3->tmp.next_state=SSL3_ST_CR_SRVR_HELLO_A; 306 } 307 else 308 s->state=SSL3_ST_CR_SRVR_HELLO_A; 309 310 s->init_num=0; 311 312#ifndef OPENSSL_NO_SCTP 313 /* Disable buffering for SCTP */ 314 if (!BIO_dgram_is_sctp(SSL_get_wbio(s))) 315 { 316#endif 317 /* turn on buffering for the next lot of output */ 318 if (s->bbio != s->wbio) 319 s->wbio=BIO_push(s->bbio,s->wbio); 320#ifndef OPENSSL_NO_SCTP 321 } 322#endif 323 324 break; 325 326 case SSL3_ST_CR_SRVR_HELLO_A: 327 case SSL3_ST_CR_SRVR_HELLO_B: 328 ret=ssl3_get_server_hello(s); 329 if (ret <= 0) goto end; 330 else 331 { 332 if (s->hit) 333 { 334#ifndef OPENSSL_NO_SCTP 335 /* Add new shared key for SCTP-Auth, 336 * will be ignored if no SCTP used. 337 */ 338 snprintf((char*) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL), 339 DTLS1_SCTP_AUTH_LABEL); 340 341 SSL_export_keying_material(s, sctpauthkey, 342 sizeof(sctpauthkey), labelbuffer, 343 sizeof(labelbuffer), NULL, 0, 0); 344 345 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, 346 sizeof(sctpauthkey), sctpauthkey); 347#endif 348 349 s->state=SSL3_ST_CR_FINISHED_A; 350 } 351 else 352 s->state=DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A; 353 } 354 s->init_num=0; 355 break; 356 357 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: 358 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B: 359 360 ret = dtls1_get_hello_verify(s); 361 if ( ret <= 0) 362 goto end; 363 dtls1_stop_timer(s); 364 if ( s->d1->send_cookie) /* start again, with a cookie */ 365 s->state=SSL3_ST_CW_CLNT_HELLO_A; 366 else 367 s->state = SSL3_ST_CR_CERT_A; 368 s->init_num = 0; 369 break; 370 371 case SSL3_ST_CR_CERT_A: 372 case SSL3_ST_CR_CERT_B: 373#ifndef OPENSSL_NO_TLSEXT 374 ret=ssl3_check_finished(s); 375 if (ret <= 0) goto end; 376 if (ret == 2) 377 { 378 s->hit = 1; 379 if (s->tlsext_ticket_expected) 380 s->state=SSL3_ST_CR_SESSION_TICKET_A; 381 else 382 s->state=SSL3_ST_CR_FINISHED_A; 383 s->init_num=0; 384 break; 385 } 386#endif 387 /* Check if it is anon DH or PSK */ 388 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 389 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) 390 { 391 ret=ssl3_get_server_certificate(s); 392 if (ret <= 0) goto end; 393#ifndef OPENSSL_NO_TLSEXT 394 if (s->tlsext_status_expected) 395 s->state=SSL3_ST_CR_CERT_STATUS_A; 396 else 397 s->state=SSL3_ST_CR_KEY_EXCH_A; 398 } 399 else 400 { 401 skip = 1; 402 s->state=SSL3_ST_CR_KEY_EXCH_A; 403 } 404#else 405 } 406 else 407 skip=1; 408 409 s->state=SSL3_ST_CR_KEY_EXCH_A; 410#endif 411 s->init_num=0; 412 break; 413 414 case SSL3_ST_CR_KEY_EXCH_A: 415 case SSL3_ST_CR_KEY_EXCH_B: 416 ret=ssl3_get_key_exchange(s); 417 if (ret <= 0) goto end; 418 s->state=SSL3_ST_CR_CERT_REQ_A; 419 s->init_num=0; 420 421 /* at this point we check that we have the 422 * required stuff from the server */ 423 if (!ssl3_check_cert_and_algorithm(s)) 424 { 425 ret= -1; 426 goto end; 427 } 428 break; 429 430 case SSL3_ST_CR_CERT_REQ_A: 431 case SSL3_ST_CR_CERT_REQ_B: 432 ret=ssl3_get_certificate_request(s); 433 if (ret <= 0) goto end; 434 s->state=SSL3_ST_CR_SRVR_DONE_A; 435 s->init_num=0; 436 break; 437 438 case SSL3_ST_CR_SRVR_DONE_A: 439 case SSL3_ST_CR_SRVR_DONE_B: 440 ret=ssl3_get_server_done(s); 441 if (ret <= 0) goto end; 442 dtls1_stop_timer(s); 443 if (s->s3->tmp.cert_req) 444 s->s3->tmp.next_state=SSL3_ST_CW_CERT_A; 445 else 446 s->s3->tmp.next_state=SSL3_ST_CW_KEY_EXCH_A; 447 s->init_num=0; 448 449#ifndef OPENSSL_NO_SCTP 450 if (BIO_dgram_is_sctp(SSL_get_wbio(s)) && 451 state == SSL_ST_RENEGOTIATE) 452 s->state=DTLS1_SCTP_ST_CR_READ_SOCK; 453 else 454#endif 455 s->state=s->s3->tmp.next_state; 456 break; 457 458 case SSL3_ST_CW_CERT_A: 459 case SSL3_ST_CW_CERT_B: 460 case SSL3_ST_CW_CERT_C: 461 case SSL3_ST_CW_CERT_D: 462 dtls1_start_timer(s); 463 ret=dtls1_send_client_certificate(s); 464 if (ret <= 0) goto end; 465 s->state=SSL3_ST_CW_KEY_EXCH_A; 466 s->init_num=0; 467 break; 468 469 case SSL3_ST_CW_KEY_EXCH_A: 470 case SSL3_ST_CW_KEY_EXCH_B: 471 dtls1_start_timer(s); 472 ret=dtls1_send_client_key_exchange(s); 473 if (ret <= 0) goto end; 474 475#ifndef OPENSSL_NO_SCTP 476 /* Add new shared key for SCTP-Auth, 477 * will be ignored if no SCTP used. 478 */ 479 snprintf((char*) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL), 480 DTLS1_SCTP_AUTH_LABEL); 481 482 SSL_export_keying_material(s, sctpauthkey, 483 sizeof(sctpauthkey), labelbuffer, 484 sizeof(labelbuffer), NULL, 0, 0); 485 486 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, 487 sizeof(sctpauthkey), sctpauthkey); 488#endif 489 490 /* EAY EAY EAY need to check for DH fix cert 491 * sent back */ 492 /* For TLS, cert_req is set to 2, so a cert chain 493 * of nothing is sent, but no verify packet is sent */ 494 if (s->s3->tmp.cert_req == 1) 495 { 496 s->state=SSL3_ST_CW_CERT_VRFY_A; 497 } 498 else 499 { 500#ifndef OPENSSL_NO_SCTP 501 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) 502 { 503 s->d1->next_state=SSL3_ST_CW_CHANGE_A; 504 s->state=DTLS1_SCTP_ST_CW_WRITE_SOCK; 505 } 506 else 507#endif 508 s->state=SSL3_ST_CW_CHANGE_A; 509 s->s3->change_cipher_spec=0; 510 } 511 512 s->init_num=0; 513 break; 514 515 case SSL3_ST_CW_CERT_VRFY_A: 516 case SSL3_ST_CW_CERT_VRFY_B: 517 dtls1_start_timer(s); 518 ret=dtls1_send_client_verify(s); 519 if (ret <= 0) goto end; 520#ifndef OPENSSL_NO_SCTP 521 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) 522 { 523 s->d1->next_state=SSL3_ST_CW_CHANGE_A; 524 s->state=DTLS1_SCTP_ST_CW_WRITE_SOCK; 525 } 526 else 527#endif 528 s->state=SSL3_ST_CW_CHANGE_A; 529 s->init_num=0; 530 s->s3->change_cipher_spec=0; 531 break; 532 533 case SSL3_ST_CW_CHANGE_A: 534 case SSL3_ST_CW_CHANGE_B: 535 if (!s->hit) 536 dtls1_start_timer(s); 537 ret=dtls1_send_change_cipher_spec(s, 538 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); 539 if (ret <= 0) goto end; 540 541#ifndef OPENSSL_NO_SCTP 542 /* Change to new shared key of SCTP-Auth, 543 * will be ignored if no SCTP used. 544 */ 545 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL); 546#endif 547 548 s->state=SSL3_ST_CW_FINISHED_A; 549 s->init_num=0; 550 551 s->session->cipher=s->s3->tmp.new_cipher; 552#ifdef OPENSSL_NO_COMP 553 s->session->compress_meth=0; 554#else 555 if (s->s3->tmp.new_compression == NULL) 556 s->session->compress_meth=0; 557 else 558 s->session->compress_meth= 559 s->s3->tmp.new_compression->id; 560#endif 561 if (!s->method->ssl3_enc->setup_key_block(s)) 562 { 563 ret= -1; 564 goto end; 565 } 566 567 if (!s->method->ssl3_enc->change_cipher_state(s, 568 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) 569 { 570 ret= -1; 571 goto end; 572 } 573 574 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); 575 break; 576 577 case SSL3_ST_CW_FINISHED_A: 578 case SSL3_ST_CW_FINISHED_B: 579 if (!s->hit) 580 dtls1_start_timer(s); 581 ret=dtls1_send_finished(s, 582 SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B, 583 s->method->ssl3_enc->client_finished_label, 584 s->method->ssl3_enc->client_finished_label_len); 585 if (ret <= 0) goto end; 586 s->state=SSL3_ST_CW_FLUSH; 587 588 /* clear flags */ 589 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; 590 if (s->hit) 591 { 592 s->s3->tmp.next_state=SSL_ST_OK; 593#ifndef OPENSSL_NO_SCTP 594 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) 595 { 596 s->d1->next_state = s->s3->tmp.next_state; 597 s->s3->tmp.next_state=DTLS1_SCTP_ST_CW_WRITE_SOCK; 598 } 599#endif 600 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) 601 { 602 s->state=SSL_ST_OK; 603#ifndef OPENSSL_NO_SCTP 604 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) 605 { 606 s->d1->next_state = SSL_ST_OK; 607 s->state=DTLS1_SCTP_ST_CW_WRITE_SOCK; 608 } 609#endif 610 s->s3->flags|=SSL3_FLAGS_POP_BUFFER; 611 s->s3->delay_buf_pop_ret=0; 612 } 613 } 614 else 615 { 616#ifndef OPENSSL_NO_TLSEXT 617 /* Allow NewSessionTicket if ticket expected */ 618 if (s->tlsext_ticket_expected) 619 s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A; 620 else 621#endif 622 623 s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A; 624 } 625 s->init_num=0; 626 break; 627 628#ifndef OPENSSL_NO_TLSEXT 629 case SSL3_ST_CR_SESSION_TICKET_A: 630 case SSL3_ST_CR_SESSION_TICKET_B: 631 ret=ssl3_get_new_session_ticket(s); 632 if (ret <= 0) goto end; 633 s->state=SSL3_ST_CR_FINISHED_A; 634 s->init_num=0; 635 break; 636 637 case SSL3_ST_CR_CERT_STATUS_A: 638 case SSL3_ST_CR_CERT_STATUS_B: 639 ret=ssl3_get_cert_status(s); 640 if (ret <= 0) goto end; 641 s->state=SSL3_ST_CR_KEY_EXCH_A; 642 s->init_num=0; 643 break; 644#endif 645 646 case SSL3_ST_CR_FINISHED_A: 647 case SSL3_ST_CR_FINISHED_B: 648 s->d1->change_cipher_spec_ok = 1; 649 ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, 650 SSL3_ST_CR_FINISHED_B); 651 if (ret <= 0) goto end; 652 dtls1_stop_timer(s); 653 654 if (s->hit) 655 s->state=SSL3_ST_CW_CHANGE_A; 656 else 657 s->state=SSL_ST_OK; 658 659#ifndef OPENSSL_NO_SCTP 660 if (BIO_dgram_is_sctp(SSL_get_wbio(s)) && 661 state == SSL_ST_RENEGOTIATE) 662 { 663 s->d1->next_state=s->state; 664 s->state=DTLS1_SCTP_ST_CW_WRITE_SOCK; 665 } 666#endif 667 668 s->init_num=0; 669 break; 670 671 case SSL3_ST_CW_FLUSH: 672 s->rwstate=SSL_WRITING; 673 if (BIO_flush(s->wbio) <= 0) 674 { 675 /* If the write error was fatal, stop trying */ 676 if (!BIO_should_retry(s->wbio)) 677 { 678 s->rwstate=SSL_NOTHING; 679 s->state=s->s3->tmp.next_state; 680 } 681 682 ret= -1; 683 goto end; 684 } 685 s->rwstate=SSL_NOTHING; 686 s->state=s->s3->tmp.next_state; 687 break; 688 689 case SSL_ST_OK: 690 /* clean a few things up */ 691 ssl3_cleanup_key_block(s); 692 693#if 0 694 if (s->init_buf != NULL) 695 { 696 BUF_MEM_free(s->init_buf); 697 s->init_buf=NULL; 698 } 699#endif 700 701 /* If we are not 'joining' the last two packets, 702 * remove the buffering now */ 703 if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER)) 704 ssl_free_wbio_buffer(s); 705 /* else do it later in ssl3_write */ 706 707 s->init_num=0; 708 s->renegotiate=0; 709 s->new_session=0; 710 711 ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); 712 if (s->hit) s->ctx->stats.sess_hit++; 713 714 ret=1; 715 /* s->server=0; */ 716 s->handshake_func=dtls1_connect; 717 s->ctx->stats.sess_connect_good++; 718 719 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); 720 721 /* done with handshaking */ 722 s->d1->handshake_read_seq = 0; 723 s->d1->next_handshake_write_seq = 0; 724 goto end; 725 /* break; */ 726 727 default: 728 SSLerr(SSL_F_DTLS1_CONNECT,SSL_R_UNKNOWN_STATE); 729 ret= -1; 730 goto end; 731 /* break; */ 732 } 733 734 /* did we do anything */ 735 if (!s->s3->tmp.reuse_message && !skip) 736 { 737 if (s->debug) 738 { 739 if ((ret=BIO_flush(s->wbio)) <= 0) 740 goto end; 741 } 742 743 if ((cb != NULL) && (s->state != state)) 744 { 745 new_state=s->state; 746 s->state=state; 747 cb(s,SSL_CB_CONNECT_LOOP,1); 748 s->state=new_state; 749 } 750 } 751 skip=0; 752 } 753end: 754 s->in_handshake--; 755 756#ifndef OPENSSL_NO_SCTP 757 /* Notify SCTP BIO socket to leave handshake 758 * mode and allow stream identifier other 759 * than 0. Will be ignored if no SCTP is used. 760 */ 761 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, s->in_handshake, NULL); 762#endif 763 764 if (buf != NULL) 765 BUF_MEM_free(buf); 766 if (cb != NULL) 767 cb(s,SSL_CB_CONNECT_EXIT,ret); 768 return(ret); 769 } 770 771int dtls1_client_hello(SSL *s) 772 { 773 unsigned char *buf; 774 unsigned char *p,*d; 775 unsigned int i,j; 776 unsigned long Time,l; 777 SSL_COMP *comp; 778 779 buf=(unsigned char *)s->init_buf->data; 780 if (s->state == SSL3_ST_CW_CLNT_HELLO_A) 781 { 782 SSL_SESSION *sess = s->session; 783 if ((s->session == NULL) || 784 (s->session->ssl_version != s->version) || 785#ifdef OPENSSL_NO_TLSEXT 786 !sess->session_id_length || 787#else 788 (!sess->session_id_length && !sess->tlsext_tick) || 789#endif 790 (s->session->not_resumable)) 791 { 792 if (!ssl_get_new_session(s,0)) 793 goto err; 794 } 795 /* else use the pre-loaded session */ 796 797 p=s->s3->client_random; 798 799 /* if client_random is initialized, reuse it, we are 800 * required to use same upon reply to HelloVerify */ 801 for (i=0;p[i]=='\0' && i<sizeof(s->s3->client_random);i++) ; 802 if (i==sizeof(s->s3->client_random)) 803 { 804 Time=(unsigned long)time(NULL); /* Time */ 805 l2n(Time,p); 806 RAND_pseudo_bytes(p,sizeof(s->s3->client_random)-4); 807 } 808 809 /* Do the message type and length last */ 810 d=p= &(buf[DTLS1_HM_HEADER_LENGTH]); 811 812 *(p++)=s->version>>8; 813 *(p++)=s->version&0xff; 814 s->client_version=s->version; 815 816 /* Random stuff */ 817 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 818 p+=SSL3_RANDOM_SIZE; 819 820 /* Session ID */ 821 if (s->new_session) 822 i=0; 823 else 824 i=s->session->session_id_length; 825 *(p++)=i; 826 if (i != 0) 827 { 828 if (i > sizeof s->session->session_id) 829 { 830 SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 831 goto err; 832 } 833 memcpy(p,s->session->session_id,i); 834 p+=i; 835 } 836 837 /* cookie stuff */ 838 if ( s->d1->cookie_len > sizeof(s->d1->cookie)) 839 { 840 SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 841 goto err; 842 } 843 *(p++) = s->d1->cookie_len; 844 memcpy(p, s->d1->cookie, s->d1->cookie_len); 845 p += s->d1->cookie_len; 846 847 /* Ciphers supported */ 848 i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0); 849 if (i == 0) 850 { 851 SSLerr(SSL_F_DTLS1_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); 852 goto err; 853 } 854 s2n(i,p); 855 p+=i; 856 857 /* COMPRESSION */ 858 if (s->ctx->comp_methods == NULL) 859 j=0; 860 else 861 j=sk_SSL_COMP_num(s->ctx->comp_methods); 862 *(p++)=1+j; 863 for (i=0; i<j; i++) 864 { 865 comp=sk_SSL_COMP_value(s->ctx->comp_methods,i); 866 *(p++)=comp->id; 867 } 868 *(p++)=0; /* Add the NULL method */ 869 870#ifndef OPENSSL_NO_TLSEXT 871 if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) 872 { 873 SSLerr(SSL_F_DTLS1_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); 874 goto err; 875 } 876#endif 877 878 l=(p-d); 879 d=buf; 880 881 d = dtls1_set_message_header(s, d, SSL3_MT_CLIENT_HELLO, l, 0, l); 882 883 s->state=SSL3_ST_CW_CLNT_HELLO_B; 884 /* number of bytes to write */ 885 s->init_num=p-buf; 886 s->init_off=0; 887 888 /* buffer the message to handle re-xmits */ 889 dtls1_buffer_message(s, 0); 890 } 891 892 /* SSL3_ST_CW_CLNT_HELLO_B */ 893 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); 894err: 895 return(-1); 896 } 897 898static int dtls1_get_hello_verify(SSL *s) 899 { 900 int n, al, ok = 0; 901 unsigned char *data; 902 unsigned int cookie_len; 903 904 n=s->method->ssl_get_message(s, 905 DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A, 906 DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, 907 -1, 908 s->max_cert_list, 909 &ok); 910 911 if (!ok) return((int)n); 912 913 if (s->s3->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) 914 { 915 s->d1->send_cookie = 0; 916 s->s3->tmp.reuse_message=1; 917 return(1); 918 } 919 920 data = (unsigned char *)s->init_msg; 921 922 if ((data[0] != (s->version>>8)) || (data[1] != (s->version&0xff))) 923 { 924 SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY,SSL_R_WRONG_SSL_VERSION); 925 s->version=(s->version&0xff00)|data[1]; 926 al = SSL_AD_PROTOCOL_VERSION; 927 goto f_err; 928 } 929 data+=2; 930 931 cookie_len = *(data++); 932 if ( cookie_len > sizeof(s->d1->cookie)) 933 { 934 al=SSL_AD_ILLEGAL_PARAMETER; 935 goto f_err; 936 } 937 938 memcpy(s->d1->cookie, data, cookie_len); 939 s->d1->cookie_len = cookie_len; 940 941 s->d1->send_cookie = 1; 942 return 1; 943 944f_err: 945 ssl3_send_alert(s, SSL3_AL_FATAL, al); 946 return -1; 947 } 948 949int dtls1_send_client_key_exchange(SSL *s) 950 { 951 unsigned char *p,*d; 952 int n; 953 unsigned long alg_k; 954#ifndef OPENSSL_NO_RSA 955 unsigned char *q; 956 EVP_PKEY *pkey=NULL; 957#endif 958#ifndef OPENSSL_NO_KRB5 959 KSSL_ERR kssl_err; 960#endif /* OPENSSL_NO_KRB5 */ 961#ifndef OPENSSL_NO_ECDH 962 EC_KEY *clnt_ecdh = NULL; 963 const EC_POINT *srvr_ecpoint = NULL; 964 EVP_PKEY *srvr_pub_pkey = NULL; 965 unsigned char *encodedPoint = NULL; 966 int encoded_pt_len = 0; 967 BN_CTX * bn_ctx = NULL; 968#endif 969 970 if (s->state == SSL3_ST_CW_KEY_EXCH_A) 971 { 972 d=(unsigned char *)s->init_buf->data; 973 p= &(d[DTLS1_HM_HEADER_LENGTH]); 974 975 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 976 977 /* Fool emacs indentation */ 978 if (0) {} 979#ifndef OPENSSL_NO_RSA 980 else if (alg_k & SSL_kRSA) 981 { 982 RSA *rsa; 983 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 984 985 if (s->session->sess_cert == NULL) 986 { 987 /* We should always have a server certificate with SSL_kRSA. */ 988 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 989 goto err; 990 } 991 992 if (s->session->sess_cert->peer_rsa_tmp != NULL) 993 rsa=s->session->sess_cert->peer_rsa_tmp; 994 else 995 { 996 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 997 if ((pkey == NULL) || 998 (pkey->type != EVP_PKEY_RSA) || 999 (pkey->pkey.rsa == NULL)) 1000 { 1001 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1002 goto err; 1003 } 1004 rsa=pkey->pkey.rsa; 1005 EVP_PKEY_free(pkey); 1006 } 1007 1008 tmp_buf[0]=s->client_version>>8; 1009 tmp_buf[1]=s->client_version&0xff; 1010 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) 1011 goto err; 1012 1013 s->session->master_key_length=sizeof tmp_buf; 1014 1015 q=p; 1016 /* Fix buf for TLS and [incidentally] DTLS */ 1017 if (s->version > SSL3_VERSION) 1018 p+=2; 1019 n=RSA_public_encrypt(sizeof tmp_buf, 1020 tmp_buf,p,rsa,RSA_PKCS1_PADDING); 1021#ifdef PKCS1_CHECK 1022 if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++; 1023 if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70; 1024#endif 1025 if (n <= 0) 1026 { 1027 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT); 1028 goto err; 1029 } 1030 1031 /* Fix buf for TLS and [incidentally] DTLS */ 1032 if (s->version > SSL3_VERSION) 1033 { 1034 s2n(n,q); 1035 n+=2; 1036 } 1037 1038 s->session->master_key_length= 1039 s->method->ssl3_enc->generate_master_secret(s, 1040 s->session->master_key, 1041 tmp_buf,sizeof tmp_buf); 1042 OPENSSL_cleanse(tmp_buf,sizeof tmp_buf); 1043 } 1044#endif 1045#ifndef OPENSSL_NO_KRB5 1046 else if (alg_k & SSL_kKRB5) 1047 { 1048 krb5_error_code krb5rc; 1049 KSSL_CTX *kssl_ctx = s->kssl_ctx; 1050 /* krb5_data krb5_ap_req; */ 1051 krb5_data *enc_ticket; 1052 krb5_data authenticator, *authp = NULL; 1053 EVP_CIPHER_CTX ciph_ctx; 1054 const EVP_CIPHER *enc = NULL; 1055 unsigned char iv[EVP_MAX_IV_LENGTH]; 1056 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 1057 unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH 1058 + EVP_MAX_IV_LENGTH]; 1059 int padl, outl = sizeof(epms); 1060 1061 EVP_CIPHER_CTX_init(&ciph_ctx); 1062 1063#ifdef KSSL_DEBUG 1064 printf("ssl3_send_client_key_exchange(%lx & %lx)\n", 1065 alg_k, SSL_kKRB5); 1066#endif /* KSSL_DEBUG */ 1067 1068 authp = NULL; 1069#ifdef KRB5SENDAUTH 1070 if (KRB5SENDAUTH) authp = &authenticator; 1071#endif /* KRB5SENDAUTH */ 1072 1073 krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp, 1074 &kssl_err); 1075 enc = kssl_map_enc(kssl_ctx->enctype); 1076 if (enc == NULL) 1077 goto err; 1078#ifdef KSSL_DEBUG 1079 { 1080 printf("kssl_cget_tkt rtn %d\n", krb5rc); 1081 if (krb5rc && kssl_err.text) 1082 printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text); 1083 } 1084#endif /* KSSL_DEBUG */ 1085 1086 if (krb5rc) 1087 { 1088 ssl3_send_alert(s,SSL3_AL_FATAL, 1089 SSL_AD_HANDSHAKE_FAILURE); 1090 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1091 kssl_err.reason); 1092 goto err; 1093 } 1094 1095 /* 20010406 VRS - Earlier versions used KRB5 AP_REQ 1096 ** in place of RFC 2712 KerberosWrapper, as in: 1097 ** 1098 ** Send ticket (copy to *p, set n = length) 1099 ** n = krb5_ap_req.length; 1100 ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length); 1101 ** if (krb5_ap_req.data) 1102 ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req); 1103 ** 1104 ** Now using real RFC 2712 KerberosWrapper 1105 ** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>) 1106 ** Note: 2712 "opaque" types are here replaced 1107 ** with a 2-byte length followed by the value. 1108 ** Example: 1109 ** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms 1110 ** Where "xx xx" = length bytes. Shown here with 1111 ** optional authenticator omitted. 1112 */ 1113 1114 /* KerberosWrapper.Ticket */ 1115 s2n(enc_ticket->length,p); 1116 memcpy(p, enc_ticket->data, enc_ticket->length); 1117 p+= enc_ticket->length; 1118 n = enc_ticket->length + 2; 1119 1120 /* KerberosWrapper.Authenticator */ 1121 if (authp && authp->length) 1122 { 1123 s2n(authp->length,p); 1124 memcpy(p, authp->data, authp->length); 1125 p+= authp->length; 1126 n+= authp->length + 2; 1127 1128 free(authp->data); 1129 authp->data = NULL; 1130 authp->length = 0; 1131 } 1132 else 1133 { 1134 s2n(0,p);/* null authenticator length */ 1135 n+=2; 1136 } 1137 1138 if (RAND_bytes(tmp_buf,sizeof tmp_buf) <= 0) 1139 goto err; 1140 1141 /* 20010420 VRS. Tried it this way; failed. 1142 ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL); 1143 ** EVP_CIPHER_CTX_set_key_length(&ciph_ctx, 1144 ** kssl_ctx->length); 1145 ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv); 1146 */ 1147 1148 memset(iv, 0, sizeof iv); /* per RFC 1510 */ 1149 EVP_EncryptInit_ex(&ciph_ctx,enc, NULL, 1150 kssl_ctx->key,iv); 1151 EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf, 1152 sizeof tmp_buf); 1153 EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl); 1154 outl += padl; 1155 if (outl > (int)sizeof epms) 1156 { 1157 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1158 goto err; 1159 } 1160 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 1161 1162 /* KerberosWrapper.EncryptedPreMasterSecret */ 1163 s2n(outl,p); 1164 memcpy(p, epms, outl); 1165 p+=outl; 1166 n+=outl + 2; 1167 1168 s->session->master_key_length= 1169 s->method->ssl3_enc->generate_master_secret(s, 1170 s->session->master_key, 1171 tmp_buf, sizeof tmp_buf); 1172 1173 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 1174 OPENSSL_cleanse(epms, outl); 1175 } 1176#endif 1177#ifndef OPENSSL_NO_DH 1178 else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 1179 { 1180 DH *dh_srvr,*dh_clnt; 1181 1182 if (s->session->sess_cert == NULL) 1183 { 1184 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 1185 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); 1186 goto err; 1187 } 1188 1189 if (s->session->sess_cert->peer_dh_tmp != NULL) 1190 dh_srvr=s->session->sess_cert->peer_dh_tmp; 1191 else 1192 { 1193 /* we get them from the cert */ 1194 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 1195 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); 1196 goto err; 1197 } 1198 1199 /* generate a new random key */ 1200 if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL) 1201 { 1202 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 1203 goto err; 1204 } 1205 if (!DH_generate_key(dh_clnt)) 1206 { 1207 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 1208 goto err; 1209 } 1210 1211 /* use the 'p' output buffer for the DH key, but 1212 * make sure to clear it out afterwards */ 1213 1214 n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt); 1215 1216 if (n <= 0) 1217 { 1218 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 1219 goto err; 1220 } 1221 1222 /* generate master key from the result */ 1223 s->session->master_key_length= 1224 s->method->ssl3_enc->generate_master_secret(s, 1225 s->session->master_key,p,n); 1226 /* clean up */ 1227 memset(p,0,n); 1228 1229 /* send off the data */ 1230 n=BN_num_bytes(dh_clnt->pub_key); 1231 s2n(n,p); 1232 BN_bn2bin(dh_clnt->pub_key,p); 1233 n+=2; 1234 1235 DH_free(dh_clnt); 1236 1237 /* perhaps clean things up a bit EAY EAY EAY EAY*/ 1238 } 1239#endif 1240#ifndef OPENSSL_NO_ECDH 1241 else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) 1242 { 1243 const EC_GROUP *srvr_group = NULL; 1244 EC_KEY *tkey; 1245 int ecdh_clnt_cert = 0; 1246 int field_size = 0; 1247 1248 if (s->session->sess_cert == NULL) 1249 { 1250 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); 1251 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); 1252 goto err; 1253 } 1254 1255 /* Did we send out the client's 1256 * ECDH share for use in premaster 1257 * computation as part of client certificate? 1258 * If so, set ecdh_clnt_cert to 1. 1259 */ 1260 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) 1261 { 1262 /* XXX: For now, we do not support client 1263 * authentication using ECDH certificates. 1264 * To add such support, one needs to add 1265 * code that checks for appropriate 1266 * conditions and sets ecdh_clnt_cert to 1. 1267 * For example, the cert have an ECC 1268 * key on the same curve as the server's 1269 * and the key should be authorized for 1270 * key agreement. 1271 * 1272 * One also needs to add code in ssl3_connect 1273 * to skip sending the certificate verify 1274 * message. 1275 * 1276 * if ((s->cert->key->privatekey != NULL) && 1277 * (s->cert->key->privatekey->type == 1278 * EVP_PKEY_EC) && ...) 1279 * ecdh_clnt_cert = 1; 1280 */ 1281 } 1282 1283 if (s->session->sess_cert->peer_ecdh_tmp != NULL) 1284 { 1285 tkey = s->session->sess_cert->peer_ecdh_tmp; 1286 } 1287 else 1288 { 1289 /* Get the Server Public Key from Cert */ 1290 srvr_pub_pkey = X509_get_pubkey(s->session-> \ 1291 sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 1292 if ((srvr_pub_pkey == NULL) || 1293 (srvr_pub_pkey->type != EVP_PKEY_EC) || 1294 (srvr_pub_pkey->pkey.ec == NULL)) 1295 { 1296 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1297 ERR_R_INTERNAL_ERROR); 1298 goto err; 1299 } 1300 1301 tkey = srvr_pub_pkey->pkey.ec; 1302 } 1303 1304 srvr_group = EC_KEY_get0_group(tkey); 1305 srvr_ecpoint = EC_KEY_get0_public_key(tkey); 1306 1307 if ((srvr_group == NULL) || (srvr_ecpoint == NULL)) 1308 { 1309 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1310 ERR_R_INTERNAL_ERROR); 1311 goto err; 1312 } 1313 1314 if ((clnt_ecdh=EC_KEY_new()) == NULL) 1315 { 1316 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1317 goto err; 1318 } 1319 1320 if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) 1321 { 1322 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB); 1323 goto err; 1324 } 1325 if (ecdh_clnt_cert) 1326 { 1327 /* Reuse key info from our certificate 1328 * We only need our private key to perform 1329 * the ECDH computation. 1330 */ 1331 const BIGNUM *priv_key; 1332 tkey = s->cert->key->privatekey->pkey.ec; 1333 priv_key = EC_KEY_get0_private_key(tkey); 1334 if (priv_key == NULL) 1335 { 1336 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1337 goto err; 1338 } 1339 if (!EC_KEY_set_private_key(clnt_ecdh, priv_key)) 1340 { 1341 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB); 1342 goto err; 1343 } 1344 } 1345 else 1346 { 1347 /* Generate a new ECDH key pair */ 1348 if (!(EC_KEY_generate_key(clnt_ecdh))) 1349 { 1350 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB); 1351 goto err; 1352 } 1353 } 1354 1355 /* use the 'p' output buffer for the ECDH key, but 1356 * make sure to clear it out afterwards 1357 */ 1358 1359 field_size = EC_GROUP_get_degree(srvr_group); 1360 if (field_size <= 0) 1361 { 1362 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1363 ERR_R_ECDH_LIB); 1364 goto err; 1365 } 1366 n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL); 1367 if (n <= 0) 1368 { 1369 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1370 ERR_R_ECDH_LIB); 1371 goto err; 1372 } 1373 1374 /* generate master key from the result */ 1375 s->session->master_key_length = s->method->ssl3_enc \ 1376 -> generate_master_secret(s, 1377 s->session->master_key, 1378 p, n); 1379 1380 memset(p, 0, n); /* clean up */ 1381 1382 if (ecdh_clnt_cert) 1383 { 1384 /* Send empty client key exch message */ 1385 n = 0; 1386 } 1387 else 1388 { 1389 /* First check the size of encoding and 1390 * allocate memory accordingly. 1391 */ 1392 encoded_pt_len = 1393 EC_POINT_point2oct(srvr_group, 1394 EC_KEY_get0_public_key(clnt_ecdh), 1395 POINT_CONVERSION_UNCOMPRESSED, 1396 NULL, 0, NULL); 1397 1398 encodedPoint = (unsigned char *) 1399 OPENSSL_malloc(encoded_pt_len * 1400 sizeof(unsigned char)); 1401 bn_ctx = BN_CTX_new(); 1402 if ((encodedPoint == NULL) || 1403 (bn_ctx == NULL)) 1404 { 1405 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1406 goto err; 1407 } 1408 1409 /* Encode the public key */ 1410 n = EC_POINT_point2oct(srvr_group, 1411 EC_KEY_get0_public_key(clnt_ecdh), 1412 POINT_CONVERSION_UNCOMPRESSED, 1413 encodedPoint, encoded_pt_len, bn_ctx); 1414 1415 *p = n; /* length of encoded point */ 1416 /* Encoded point will be copied here */ 1417 p += 1; 1418 /* copy the point */ 1419 memcpy((unsigned char *)p, encodedPoint, n); 1420 /* increment n to account for length field */ 1421 n += 1; 1422 } 1423 1424 /* Free allocated memory */ 1425 BN_CTX_free(bn_ctx); 1426 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 1427 if (clnt_ecdh != NULL) 1428 EC_KEY_free(clnt_ecdh); 1429 EVP_PKEY_free(srvr_pub_pkey); 1430 } 1431#endif /* !OPENSSL_NO_ECDH */ 1432 1433#ifndef OPENSSL_NO_PSK 1434 else if (alg_k & SSL_kPSK) 1435 { 1436 char identity[PSK_MAX_IDENTITY_LEN]; 1437 unsigned char *t = NULL; 1438 unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4]; 1439 unsigned int pre_ms_len = 0, psk_len = 0; 1440 int psk_err = 1; 1441 1442 n = 0; 1443 if (s->psk_client_callback == NULL) 1444 { 1445 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1446 SSL_R_PSK_NO_CLIENT_CB); 1447 goto err; 1448 } 1449 1450 psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint, 1451 identity, PSK_MAX_IDENTITY_LEN, 1452 psk_or_pre_ms, sizeof(psk_or_pre_ms)); 1453 if (psk_len > PSK_MAX_PSK_LEN) 1454 { 1455 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1456 ERR_R_INTERNAL_ERROR); 1457 goto psk_err; 1458 } 1459 else if (psk_len == 0) 1460 { 1461 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1462 SSL_R_PSK_IDENTITY_NOT_FOUND); 1463 goto psk_err; 1464 } 1465 1466 /* create PSK pre_master_secret */ 1467 pre_ms_len = 2+psk_len+2+psk_len; 1468 t = psk_or_pre_ms; 1469 memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len); 1470 s2n(psk_len, t); 1471 memset(t, 0, psk_len); 1472 t+=psk_len; 1473 s2n(psk_len, t); 1474 1475 if (s->session->psk_identity_hint != NULL) 1476 OPENSSL_free(s->session->psk_identity_hint); 1477 s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint); 1478 if (s->ctx->psk_identity_hint != NULL && 1479 s->session->psk_identity_hint == NULL) 1480 { 1481 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1482 ERR_R_MALLOC_FAILURE); 1483 goto psk_err; 1484 } 1485 1486 if (s->session->psk_identity != NULL) 1487 OPENSSL_free(s->session->psk_identity); 1488 s->session->psk_identity = BUF_strdup(identity); 1489 if (s->session->psk_identity == NULL) 1490 { 1491 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1492 ERR_R_MALLOC_FAILURE); 1493 goto psk_err; 1494 } 1495 1496 s->session->master_key_length = 1497 s->method->ssl3_enc->generate_master_secret(s, 1498 s->session->master_key, 1499 psk_or_pre_ms, pre_ms_len); 1500 n = strlen(identity); 1501 s2n(n, p); 1502 memcpy(p, identity, n); 1503 n+=2; 1504 psk_err = 0; 1505 psk_err: 1506 OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN); 1507 OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); 1508 if (psk_err != 0) 1509 { 1510 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 1511 goto err; 1512 } 1513 } 1514#endif 1515 else 1516 { 1517 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 1518 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1519 goto err; 1520 } 1521 1522 d = dtls1_set_message_header(s, d, 1523 SSL3_MT_CLIENT_KEY_EXCHANGE, n, 0, n); 1524 /* 1525 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE; 1526 l2n3(n,d); 1527 l2n(s->d1->handshake_write_seq,d); 1528 s->d1->handshake_write_seq++; 1529 */ 1530 1531 s->state=SSL3_ST_CW_KEY_EXCH_B; 1532 /* number of bytes to write */ 1533 s->init_num=n+DTLS1_HM_HEADER_LENGTH; 1534 s->init_off=0; 1535 1536 /* buffer the message to handle re-xmits */ 1537 dtls1_buffer_message(s, 0); 1538 } 1539 1540 /* SSL3_ST_CW_KEY_EXCH_B */ 1541 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); 1542err: 1543#ifndef OPENSSL_NO_ECDH 1544 BN_CTX_free(bn_ctx); 1545 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 1546 if (clnt_ecdh != NULL) 1547 EC_KEY_free(clnt_ecdh); 1548 EVP_PKEY_free(srvr_pub_pkey); 1549#endif 1550 return(-1); 1551 } 1552 1553int dtls1_send_client_verify(SSL *s) 1554 { 1555 unsigned char *p,*d; 1556 unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 1557 EVP_PKEY *pkey; 1558#ifndef OPENSSL_NO_RSA 1559 unsigned u=0; 1560#endif 1561 unsigned long n; 1562#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA) 1563 int j; 1564#endif 1565 1566 if (s->state == SSL3_ST_CW_CERT_VRFY_A) 1567 { 1568 d=(unsigned char *)s->init_buf->data; 1569 p= &(d[DTLS1_HM_HEADER_LENGTH]); 1570 pkey=s->cert->key->privatekey; 1571 1572 s->method->ssl3_enc->cert_verify_mac(s, 1573 NID_sha1, 1574 &(data[MD5_DIGEST_LENGTH])); 1575 1576#ifndef OPENSSL_NO_RSA 1577 if (pkey->type == EVP_PKEY_RSA) 1578 { 1579 s->method->ssl3_enc->cert_verify_mac(s, 1580 NID_md5, 1581 &(data[0])); 1582 if (RSA_sign(NID_md5_sha1, data, 1583 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, 1584 &(p[2]), &u, pkey->pkey.rsa) <= 0 ) 1585 { 1586 SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB); 1587 goto err; 1588 } 1589 s2n(u,p); 1590 n=u+2; 1591 } 1592 else 1593#endif 1594#ifndef OPENSSL_NO_DSA 1595 if (pkey->type == EVP_PKEY_DSA) 1596 { 1597 if (!DSA_sign(pkey->save_type, 1598 &(data[MD5_DIGEST_LENGTH]), 1599 SHA_DIGEST_LENGTH,&(p[2]), 1600 (unsigned int *)&j,pkey->pkey.dsa)) 1601 { 1602 SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB); 1603 goto err; 1604 } 1605 s2n(j,p); 1606 n=j+2; 1607 } 1608 else 1609#endif 1610#ifndef OPENSSL_NO_ECDSA 1611 if (pkey->type == EVP_PKEY_EC) 1612 { 1613 if (!ECDSA_sign(pkey->save_type, 1614 &(data[MD5_DIGEST_LENGTH]), 1615 SHA_DIGEST_LENGTH,&(p[2]), 1616 (unsigned int *)&j,pkey->pkey.ec)) 1617 { 1618 SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY, 1619 ERR_R_ECDSA_LIB); 1620 goto err; 1621 } 1622 s2n(j,p); 1623 n=j+2; 1624 } 1625 else 1626#endif 1627 { 1628 SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR); 1629 goto err; 1630 } 1631 1632 d = dtls1_set_message_header(s, d, 1633 SSL3_MT_CERTIFICATE_VERIFY, n, 0, n) ; 1634 1635 s->init_num=(int)n+DTLS1_HM_HEADER_LENGTH; 1636 s->init_off=0; 1637 1638 /* buffer the message to handle re-xmits */ 1639 dtls1_buffer_message(s, 0); 1640 1641 s->state = SSL3_ST_CW_CERT_VRFY_B; 1642 } 1643 1644 /* s->state = SSL3_ST_CW_CERT_VRFY_B */ 1645 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); 1646err: 1647 return(-1); 1648 } 1649 1650int dtls1_send_client_certificate(SSL *s) 1651 { 1652 X509 *x509=NULL; 1653 EVP_PKEY *pkey=NULL; 1654 int i; 1655 unsigned long l; 1656 1657 if (s->state == SSL3_ST_CW_CERT_A) 1658 { 1659 if ((s->cert == NULL) || 1660 (s->cert->key->x509 == NULL) || 1661 (s->cert->key->privatekey == NULL)) 1662 s->state=SSL3_ST_CW_CERT_B; 1663 else 1664 s->state=SSL3_ST_CW_CERT_C; 1665 } 1666 1667 /* We need to get a client cert */ 1668 if (s->state == SSL3_ST_CW_CERT_B) 1669 { 1670 /* If we get an error, we need to 1671 * ssl->rwstate=SSL_X509_LOOKUP; return(-1); 1672 * We then get retied later */ 1673 i=0; 1674 i = ssl_do_client_cert_cb(s, &x509, &pkey); 1675 if (i < 0) 1676 { 1677 s->rwstate=SSL_X509_LOOKUP; 1678 return(-1); 1679 } 1680 s->rwstate=SSL_NOTHING; 1681 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) 1682 { 1683 s->state=SSL3_ST_CW_CERT_B; 1684 if ( !SSL_use_certificate(s,x509) || 1685 !SSL_use_PrivateKey(s,pkey)) 1686 i=0; 1687 } 1688 else if (i == 1) 1689 { 1690 i=0; 1691 SSLerr(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); 1692 } 1693 1694 if (x509 != NULL) X509_free(x509); 1695 if (pkey != NULL) EVP_PKEY_free(pkey); 1696 if (i == 0) 1697 { 1698 if (s->version == SSL3_VERSION) 1699 { 1700 s->s3->tmp.cert_req=0; 1701 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE); 1702 return(1); 1703 } 1704 else 1705 { 1706 s->s3->tmp.cert_req=2; 1707 } 1708 } 1709 1710 /* Ok, we have a cert */ 1711 s->state=SSL3_ST_CW_CERT_C; 1712 } 1713 1714 if (s->state == SSL3_ST_CW_CERT_C) 1715 { 1716 s->state=SSL3_ST_CW_CERT_D; 1717 l=dtls1_output_cert_chain(s, 1718 (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509); 1719 s->init_num=(int)l; 1720 s->init_off=0; 1721 1722 /* set header called by dtls1_output_cert_chain() */ 1723 1724 /* buffer the message to handle re-xmits */ 1725 dtls1_buffer_message(s, 0); 1726 } 1727 /* SSL3_ST_CW_CERT_D */ 1728 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); 1729 } 1730