d1_srvr.c revision 237657
1/* ssl/d1_srvr.c */ 2/* 3 * DTLS implementation written by Nagendra Modadugu 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 5 */ 6/* ==================================================================== 7 * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * openssl-core@OpenSSL.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 * 54 * This product includes cryptographic software written by Eric Young 55 * (eay@cryptsoft.com). This product includes software written by Tim 56 * Hudson (tjh@cryptsoft.com). 57 * 58 */ 59/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 60 * All rights reserved. 61 * 62 * This package is an SSL implementation written 63 * by Eric Young (eay@cryptsoft.com). 64 * The implementation was written so as to conform with Netscapes SSL. 65 * 66 * This library is free for commercial and non-commercial use as long as 67 * the following conditions are aheared to. The following conditions 68 * apply to all code found in this distribution, be it the RC4, RSA, 69 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 70 * included with this distribution is covered by the same copyright terms 71 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 72 * 73 * Copyright remains Eric Young's, and as such any Copyright notices in 74 * the code are not to be removed. 75 * If this package is used in a product, Eric Young should be given attribution 76 * as the author of the parts of the library used. 77 * This can be in the form of a textual message at program startup or 78 * in documentation (online or textual) provided with the package. 79 * 80 * Redistribution and use in source and binary forms, with or without 81 * modification, are permitted provided that the following conditions 82 * are met: 83 * 1. Redistributions of source code must retain the copyright 84 * notice, this list of conditions and the following disclaimer. 85 * 2. Redistributions in binary form must reproduce the above copyright 86 * notice, this list of conditions and the following disclaimer in the 87 * documentation and/or other materials provided with the distribution. 88 * 3. All advertising materials mentioning features or use of this software 89 * must display the following acknowledgement: 90 * "This product includes cryptographic software written by 91 * Eric Young (eay@cryptsoft.com)" 92 * The word 'cryptographic' can be left out if the rouines from the library 93 * being used are not cryptographic related :-). 94 * 4. If you include any Windows specific code (or a derivative thereof) from 95 * the apps directory (application code) you must include an acknowledgement: 96 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 97 * 98 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 99 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 100 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 101 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 102 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 103 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 104 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 105 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 106 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 107 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 108 * SUCH DAMAGE. 109 * 110 * The licence and distribution terms for any publically available version or 111 * derivative of this code cannot be changed. i.e. this code cannot simply be 112 * copied and put under another distribution licence 113 * [including the GNU Public Licence.] 114 */ 115 116#include <stdio.h> 117#include "ssl_locl.h" 118#include <openssl/buffer.h> 119#include <openssl/rand.h> 120#include <openssl/objects.h> 121#include <openssl/evp.h> 122#include <openssl/x509.h> 123#include <openssl/md5.h> 124#ifndef OPENSSL_NO_DH 125#include <openssl/dh.h> 126#endif 127 128static SSL_METHOD *dtls1_get_server_method(int ver); 129static int dtls1_send_hello_verify_request(SSL *s); 130 131static SSL_METHOD *dtls1_get_server_method(int ver) 132 { 133 if (ver == DTLS1_VERSION) 134 return(DTLSv1_server_method()); 135 else 136 return(NULL); 137 } 138 139IMPLEMENT_dtls1_meth_func(DTLSv1_server_method, 140 dtls1_accept, 141 ssl_undefined_function, 142 dtls1_get_server_method) 143 144int dtls1_accept(SSL *s) 145 { 146 BUF_MEM *buf; 147 unsigned long l,Time=(unsigned long)time(NULL); 148 void (*cb)(const SSL *ssl,int type,int val)=NULL; 149 int ret= -1; 150 int new_state,state,skip=0; 151 int listen; 152 153 RAND_add(&Time,sizeof(Time),0); 154 ERR_clear_error(); 155 clear_sys_error(); 156 157 if (s->info_callback != NULL) 158 cb=s->info_callback; 159 else if (s->ctx->info_callback != NULL) 160 cb=s->ctx->info_callback; 161 162 listen = s->d1->listen; 163 164 /* init things to blank */ 165 s->in_handshake++; 166 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 167 168 s->d1->listen = listen; 169 170 if (s->cert == NULL) 171 { 172 SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_NO_CERTIFICATE_SET); 173 return(-1); 174 } 175 176 for (;;) 177 { 178 state=s->state; 179 180 switch (s->state) 181 { 182 case SSL_ST_RENEGOTIATE: 183 s->new_session=1; 184 /* s->state=SSL_ST_ACCEPT; */ 185 186 case SSL_ST_BEFORE: 187 case SSL_ST_ACCEPT: 188 case SSL_ST_BEFORE|SSL_ST_ACCEPT: 189 case SSL_ST_OK|SSL_ST_ACCEPT: 190 191 s->server=1; 192 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 193 194 if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) 195 { 196 SSLerr(SSL_F_DTLS1_ACCEPT, ERR_R_INTERNAL_ERROR); 197 return -1; 198 } 199 s->type=SSL_ST_ACCEPT; 200 201 if (s->init_buf == NULL) 202 { 203 if ((buf=BUF_MEM_new()) == NULL) 204 { 205 ret= -1; 206 goto end; 207 } 208 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 209 { 210 ret= -1; 211 goto end; 212 } 213 s->init_buf=buf; 214 } 215 216 if (!ssl3_setup_buffers(s)) 217 { 218 ret= -1; 219 goto end; 220 } 221 222 s->init_num=0; 223 224 if (s->state != SSL_ST_RENEGOTIATE) 225 { 226 /* Ok, we now need to push on a buffering BIO so that 227 * the output is sent in a way that TCP likes :-) 228 */ 229 if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; } 230 231 ssl3_init_finished_mac(s); 232 s->state=SSL3_ST_SR_CLNT_HELLO_A; 233 s->ctx->stats.sess_accept++; 234 } 235 else 236 { 237 /* s->state == SSL_ST_RENEGOTIATE, 238 * we will just send a HelloRequest */ 239 s->ctx->stats.sess_accept_renegotiate++; 240 s->state=SSL3_ST_SW_HELLO_REQ_A; 241 } 242 243 break; 244 245 case SSL3_ST_SW_HELLO_REQ_A: 246 case SSL3_ST_SW_HELLO_REQ_B: 247 248 s->shutdown=0; 249 dtls1_start_timer(s); 250 ret=dtls1_send_hello_request(s); 251 if (ret <= 0) goto end; 252 s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C; 253 s->state=SSL3_ST_SW_FLUSH; 254 s->init_num=0; 255 256 ssl3_init_finished_mac(s); 257 break; 258 259 case SSL3_ST_SW_HELLO_REQ_C: 260 s->state=SSL_ST_OK; 261 break; 262 263 case SSL3_ST_SR_CLNT_HELLO_A: 264 case SSL3_ST_SR_CLNT_HELLO_B: 265 case SSL3_ST_SR_CLNT_HELLO_C: 266 267 s->shutdown=0; 268 ret=ssl3_get_client_hello(s); 269 if (ret <= 0) goto end; 270 dtls1_stop_timer(s); 271 272 if (ret == 1 && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) 273 s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A; 274 else 275 s->state = SSL3_ST_SW_SRVR_HELLO_A; 276 277 s->init_num=0; 278 279 /* Reflect ClientHello sequence to remain stateless while listening */ 280 if (listen) 281 { 282 memcpy(s->s3->write_sequence, s->s3->read_sequence, sizeof(s->s3->write_sequence)); 283 } 284 285 /* If we're just listening, stop here */ 286 if (listen && s->state == SSL3_ST_SW_SRVR_HELLO_A) 287 { 288 ret = 2; 289 s->d1->listen = 0; 290 /* Set expected sequence numbers 291 * to continue the handshake. 292 */ 293 s->d1->handshake_read_seq = 2; 294 s->d1->handshake_write_seq = 1; 295 s->d1->next_handshake_write_seq = 1; 296 goto end; 297 } 298 299 break; 300 301 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A: 302 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B: 303 304 ret = dtls1_send_hello_verify_request(s); 305 if ( ret <= 0) goto end; 306 s->state=SSL3_ST_SW_FLUSH; 307 s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A; 308 309 /* HelloVerifyRequests resets Finished MAC */ 310 if (s->client_version != DTLS1_BAD_VER) 311 ssl3_init_finished_mac(s); 312 break; 313 314 case SSL3_ST_SW_SRVR_HELLO_A: 315 case SSL3_ST_SW_SRVR_HELLO_B: 316 s->new_session = 2; 317 dtls1_start_timer(s); 318 ret=dtls1_send_server_hello(s); 319 if (ret <= 0) goto end; 320 321#ifndef OPENSSL_NO_TLSEXT 322 if (s->hit) 323 { 324 if (s->tlsext_ticket_expected) 325 s->state=SSL3_ST_SW_SESSION_TICKET_A; 326 else 327 s->state=SSL3_ST_SW_CHANGE_A; 328 } 329#else 330 if (s->hit) 331 s->state=SSL3_ST_SW_CHANGE_A; 332#endif 333 else 334 s->state=SSL3_ST_SW_CERT_A; 335 s->init_num=0; 336 break; 337 338 case SSL3_ST_SW_CERT_A: 339 case SSL3_ST_SW_CERT_B: 340 /* Check if it is anon DH */ 341 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) 342 { 343 dtls1_start_timer(s); 344 ret=dtls1_send_server_certificate(s); 345 if (ret <= 0) goto end; 346#ifndef OPENSSL_NO_TLSEXT 347 if (s->tlsext_status_expected) 348 s->state=SSL3_ST_SW_CERT_STATUS_A; 349 else 350 s->state=SSL3_ST_SW_KEY_EXCH_A; 351 } 352 else 353 { 354 skip = 1; 355 s->state=SSL3_ST_SW_KEY_EXCH_A; 356 } 357#else 358 } 359 else 360 skip=1; 361 362 s->state=SSL3_ST_SW_KEY_EXCH_A; 363#endif 364 s->init_num=0; 365 break; 366 367 case SSL3_ST_SW_KEY_EXCH_A: 368 case SSL3_ST_SW_KEY_EXCH_B: 369 l=s->s3->tmp.new_cipher->algorithms; 370 371 /* clear this, it may get reset by 372 * send_server_key_exchange */ 373 if ((s->options & SSL_OP_EPHEMERAL_RSA) 374#ifndef OPENSSL_NO_KRB5 375 && !(l & SSL_KRB5) 376#endif /* OPENSSL_NO_KRB5 */ 377 ) 378 /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key 379 * even when forbidden by protocol specs 380 * (handshake may fail as clients are not required to 381 * be able to handle this) */ 382 s->s3->tmp.use_rsa_tmp=1; 383 else 384 s->s3->tmp.use_rsa_tmp=0; 385 386 /* only send if a DH key exchange, fortezza or 387 * RSA but we have a sign only certificate */ 388 if (s->s3->tmp.use_rsa_tmp 389 || (l & (SSL_DH|SSL_kFZA)) 390 || ((l & SSL_kRSA) 391 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL 392 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) 393 && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) 394 ) 395 ) 396 ) 397 ) 398 { 399 dtls1_start_timer(s); 400 ret=dtls1_send_server_key_exchange(s); 401 if (ret <= 0) goto end; 402 } 403 else 404 skip=1; 405 406 s->state=SSL3_ST_SW_CERT_REQ_A; 407 s->init_num=0; 408 break; 409 410 case SSL3_ST_SW_CERT_REQ_A: 411 case SSL3_ST_SW_CERT_REQ_B: 412 if (/* don't request cert unless asked for it: */ 413 !(s->verify_mode & SSL_VERIFY_PEER) || 414 /* if SSL_VERIFY_CLIENT_ONCE is set, 415 * don't request cert during re-negotiation: */ 416 ((s->session->peer != NULL) && 417 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 418 /* never request cert in anonymous ciphersuites 419 * (see section "Certificate request" in SSL 3 drafts 420 * and in RFC 2246): */ 421 ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) && 422 /* ... except when the application insists on verification 423 * (against the specs, but s3_clnt.c accepts this for SSL 3) */ 424 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || 425 /* never request cert in Kerberos ciphersuites */ 426 (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5)) 427 { 428 /* no cert request */ 429 skip=1; 430 s->s3->tmp.cert_request=0; 431 s->state=SSL3_ST_SW_SRVR_DONE_A; 432 } 433 else 434 { 435 s->s3->tmp.cert_request=1; 436 dtls1_start_timer(s); 437 ret=dtls1_send_certificate_request(s); 438 if (ret <= 0) goto end; 439#ifndef NETSCAPE_HANG_BUG 440 s->state=SSL3_ST_SW_SRVR_DONE_A; 441#else 442 s->state=SSL3_ST_SW_FLUSH; 443 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; 444#endif 445 s->init_num=0; 446 } 447 break; 448 449 case SSL3_ST_SW_SRVR_DONE_A: 450 case SSL3_ST_SW_SRVR_DONE_B: 451 dtls1_start_timer(s); 452 ret=dtls1_send_server_done(s); 453 if (ret <= 0) goto end; 454 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; 455 s->state=SSL3_ST_SW_FLUSH; 456 s->init_num=0; 457 break; 458 459 case SSL3_ST_SW_FLUSH: 460 s->rwstate=SSL_WRITING; 461 if (BIO_flush(s->wbio) <= 0) 462 { 463 ret= -1; 464 goto end; 465 } 466 s->rwstate=SSL_NOTHING; 467 s->state=s->s3->tmp.next_state; 468 break; 469 470 case SSL3_ST_SR_CERT_A: 471 case SSL3_ST_SR_CERT_B: 472 /* Check for second client hello (MS SGC) */ 473 ret = ssl3_check_client_hello(s); 474 if (ret <= 0) 475 goto end; 476 if (ret == 2) 477 { 478 dtls1_stop_timer(s); 479 s->state = SSL3_ST_SR_CLNT_HELLO_C; 480 } 481 else { 482 /* could be sent for a DH cert, even if we 483 * have not asked for it :-) */ 484 ret=ssl3_get_client_certificate(s); 485 if (ret <= 0) goto end; 486 s->init_num=0; 487 s->state=SSL3_ST_SR_KEY_EXCH_A; 488 } 489 break; 490 491 case SSL3_ST_SR_KEY_EXCH_A: 492 case SSL3_ST_SR_KEY_EXCH_B: 493 ret=ssl3_get_client_key_exchange(s); 494 if (ret <= 0) goto end; 495 s->state=SSL3_ST_SR_CERT_VRFY_A; 496 s->init_num=0; 497 498 /* We need to get hashes here so if there is 499 * a client cert, it can be verified */ 500 s->method->ssl3_enc->cert_verify_mac(s, 501 &(s->s3->finish_dgst1), 502 &(s->s3->tmp.cert_verify_md[0])); 503 s->method->ssl3_enc->cert_verify_mac(s, 504 &(s->s3->finish_dgst2), 505 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH])); 506 507 break; 508 509 case SSL3_ST_SR_CERT_VRFY_A: 510 case SSL3_ST_SR_CERT_VRFY_B: 511 512 s->d1->change_cipher_spec_ok = 1; 513 /* we should decide if we expected this one */ 514 ret=ssl3_get_cert_verify(s); 515 if (ret <= 0) goto end; 516 517 s->state=SSL3_ST_SR_FINISHED_A; 518 s->init_num=0; 519 break; 520 521 case SSL3_ST_SR_FINISHED_A: 522 case SSL3_ST_SR_FINISHED_B: 523 s->d1->change_cipher_spec_ok = 1; 524 ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, 525 SSL3_ST_SR_FINISHED_B); 526 if (ret <= 0) goto end; 527 dtls1_stop_timer(s); 528 if (s->hit) 529 s->state=SSL_ST_OK; 530#ifndef OPENSSL_NO_TLSEXT 531 else if (s->tlsext_ticket_expected) 532 s->state=SSL3_ST_SW_SESSION_TICKET_A; 533#endif 534 else 535 s->state=SSL3_ST_SW_CHANGE_A; 536 s->init_num=0; 537 break; 538 539#ifndef OPENSSL_NO_TLSEXT 540 case SSL3_ST_SW_SESSION_TICKET_A: 541 case SSL3_ST_SW_SESSION_TICKET_B: 542 ret=dtls1_send_newsession_ticket(s); 543 if (ret <= 0) goto end; 544 s->state=SSL3_ST_SW_CHANGE_A; 545 s->init_num=0; 546 break; 547 548 case SSL3_ST_SW_CERT_STATUS_A: 549 case SSL3_ST_SW_CERT_STATUS_B: 550 ret=ssl3_send_cert_status(s); 551 if (ret <= 0) goto end; 552 s->state=SSL3_ST_SW_KEY_EXCH_A; 553 s->init_num=0; 554 break; 555 556#endif 557 558 case SSL3_ST_SW_CHANGE_A: 559 case SSL3_ST_SW_CHANGE_B: 560 561 s->session->cipher=s->s3->tmp.new_cipher; 562 if (!s->method->ssl3_enc->setup_key_block(s)) 563 { ret= -1; goto end; } 564 565 ret=dtls1_send_change_cipher_spec(s, 566 SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B); 567 568 if (ret <= 0) goto end; 569 s->state=SSL3_ST_SW_FINISHED_A; 570 s->init_num=0; 571 572 if (!s->method->ssl3_enc->change_cipher_state(s, 573 SSL3_CHANGE_CIPHER_SERVER_WRITE)) 574 { 575 ret= -1; 576 goto end; 577 } 578 579 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); 580 break; 581 582 case SSL3_ST_SW_FINISHED_A: 583 case SSL3_ST_SW_FINISHED_B: 584 ret=dtls1_send_finished(s, 585 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B, 586 s->method->ssl3_enc->server_finished_label, 587 s->method->ssl3_enc->server_finished_label_len); 588 if (ret <= 0) goto end; 589 s->state=SSL3_ST_SW_FLUSH; 590 if (s->hit) 591 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; 592 else 593 s->s3->tmp.next_state=SSL_ST_OK; 594 s->init_num=0; 595 break; 596 597 case SSL_ST_OK: 598 /* clean a few things up */ 599 ssl3_cleanup_key_block(s); 600 601#if 0 602 BUF_MEM_free(s->init_buf); 603 s->init_buf=NULL; 604#endif 605 606 /* remove buffering on output */ 607 ssl_free_wbio_buffer(s); 608 609 s->init_num=0; 610 611 if (s->new_session == 2) /* skipped if we just sent a HelloRequest */ 612 { 613 /* actually not necessarily a 'new' session unless 614 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ 615 616 s->new_session=0; 617 618 ssl_update_cache(s,SSL_SESS_CACHE_SERVER); 619 620 s->ctx->stats.sess_accept_good++; 621 /* s->server=1; */ 622 s->handshake_func=dtls1_accept; 623 624 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); 625 } 626 627 ret = 1; 628 629 /* done handshaking, next message is client hello */ 630 s->d1->handshake_read_seq = 0; 631 /* next message is server hello */ 632 s->d1->handshake_write_seq = 0; 633 s->d1->next_handshake_write_seq = 0; 634 goto end; 635 /* break; */ 636 637 default: 638 SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_UNKNOWN_STATE); 639 ret= -1; 640 goto end; 641 /* break; */ 642 } 643 644 if (!s->s3->tmp.reuse_message && !skip) 645 { 646 if (s->debug) 647 { 648 if ((ret=BIO_flush(s->wbio)) <= 0) 649 goto end; 650 } 651 652 653 if ((cb != NULL) && (s->state != state)) 654 { 655 new_state=s->state; 656 s->state=state; 657 cb(s,SSL_CB_ACCEPT_LOOP,1); 658 s->state=new_state; 659 } 660 } 661 skip=0; 662 } 663end: 664 /* BIO_flush(s->wbio); */ 665 666 s->in_handshake--; 667 if (cb != NULL) 668 cb(s,SSL_CB_ACCEPT_EXIT,ret); 669 return(ret); 670 } 671 672int dtls1_send_hello_request(SSL *s) 673 { 674 unsigned char *p; 675 676 if (s->state == SSL3_ST_SW_HELLO_REQ_A) 677 { 678 p=(unsigned char *)s->init_buf->data; 679 p = dtls1_set_message_header(s, p, SSL3_MT_HELLO_REQUEST, 0, 0, 0); 680 681 s->state=SSL3_ST_SW_HELLO_REQ_B; 682 /* number of bytes to write */ 683 s->init_num=DTLS1_HM_HEADER_LENGTH; 684 s->init_off=0; 685 686 /* no need to buffer this message, since there are no retransmit 687 * requests for it */ 688 } 689 690 /* SSL3_ST_SW_HELLO_REQ_B */ 691 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); 692 } 693 694int dtls1_send_hello_verify_request(SSL *s) 695 { 696 unsigned int msg_len; 697 unsigned char *msg, *buf, *p; 698 699 if (s->state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A) 700 { 701 buf = (unsigned char *)s->init_buf->data; 702 703 msg = p = &(buf[DTLS1_HM_HEADER_LENGTH]); 704 if (s->client_version == DTLS1_BAD_VER) 705 *(p++) = DTLS1_BAD_VER>>8, 706 *(p++) = DTLS1_BAD_VER&0xff; 707 else 708 *(p++) = s->version >> 8, 709 *(p++) = s->version & 0xFF; 710 711 if (s->ctx->app_gen_cookie_cb == NULL || 712 s->ctx->app_gen_cookie_cb(s, s->d1->cookie, 713 &(s->d1->cookie_len)) == 0) 714 { 715 SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,ERR_R_INTERNAL_ERROR); 716 return 0; 717 } 718 719 *(p++) = (unsigned char) s->d1->cookie_len; 720 memcpy(p, s->d1->cookie, s->d1->cookie_len); 721 p += s->d1->cookie_len; 722 msg_len = p - msg; 723 724 dtls1_set_message_header(s, buf, 725 DTLS1_MT_HELLO_VERIFY_REQUEST, msg_len, 0, msg_len); 726 727 s->state=DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B; 728 /* number of bytes to write */ 729 s->init_num=p-buf; 730 s->init_off=0; 731 } 732 733 /* s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */ 734 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); 735 } 736 737int dtls1_send_server_hello(SSL *s) 738 { 739 unsigned char *buf; 740 unsigned char *p,*d; 741 int i; 742 unsigned int sl; 743 unsigned long l,Time; 744 745 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) 746 { 747 buf=(unsigned char *)s->init_buf->data; 748 p=s->s3->server_random; 749 Time=(unsigned long)time(NULL); /* Time */ 750 l2n(Time,p); 751 RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4); 752 /* Do the message type and length last */ 753 d=p= &(buf[DTLS1_HM_HEADER_LENGTH]); 754 755 if (s->client_version == DTLS1_BAD_VER) 756 *(p++)=DTLS1_BAD_VER>>8, 757 *(p++)=DTLS1_BAD_VER&0xff; 758 else 759 *(p++)=s->version>>8, 760 *(p++)=s->version&0xff; 761 762 /* Random stuff */ 763 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 764 p+=SSL3_RANDOM_SIZE; 765 766 /* now in theory we have 3 options to sending back the 767 * session id. If it is a re-use, we send back the 768 * old session-id, if it is a new session, we send 769 * back the new session-id or we send back a 0 length 770 * session-id if we want it to be single use. 771 * Currently I will not implement the '0' length session-id 772 * 12-Jan-98 - I'll now support the '0' length stuff. 773 */ 774 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)) 775 s->session->session_id_length=0; 776 777 sl=s->session->session_id_length; 778 if (sl > sizeof s->session->session_id) 779 { 780 SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR); 781 return -1; 782 } 783 *(p++)=sl; 784 memcpy(p,s->session->session_id,sl); 785 p+=sl; 786 787 /* put the cipher */ 788 if (s->s3->tmp.new_cipher == NULL) 789 return -1; 790 i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p); 791 p+=i; 792 793 /* put the compression method */ 794#ifdef OPENSSL_NO_COMP 795 *(p++)=0; 796#else 797 if (s->s3->tmp.new_compression == NULL) 798 *(p++)=0; 799 else 800 *(p++)=s->s3->tmp.new_compression->id; 801#endif 802 803#ifndef OPENSSL_NO_TLSEXT 804 if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) 805 { 806 SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR); 807 return -1; 808 } 809#endif 810 811 /* do the header */ 812 l=(p-d); 813 d=buf; 814 815 d = dtls1_set_message_header(s, d, SSL3_MT_SERVER_HELLO, l, 0, l); 816 817 s->state=SSL3_ST_SW_SRVR_HELLO_B; 818 /* number of bytes to write */ 819 s->init_num=p-buf; 820 s->init_off=0; 821 822 /* buffer the message to handle re-xmits */ 823 dtls1_buffer_message(s, 0); 824 } 825 826 /* SSL3_ST_SW_SRVR_HELLO_B */ 827 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); 828 } 829 830int dtls1_send_server_done(SSL *s) 831 { 832 unsigned char *p; 833 834 if (s->state == SSL3_ST_SW_SRVR_DONE_A) 835 { 836 p=(unsigned char *)s->init_buf->data; 837 838 /* do the header */ 839 p = dtls1_set_message_header(s, p, SSL3_MT_SERVER_DONE, 0, 0, 0); 840 841 s->state=SSL3_ST_SW_SRVR_DONE_B; 842 /* number of bytes to write */ 843 s->init_num=DTLS1_HM_HEADER_LENGTH; 844 s->init_off=0; 845 846 /* buffer the message to handle re-xmits */ 847 dtls1_buffer_message(s, 0); 848 } 849 850 /* SSL3_ST_SW_SRVR_DONE_B */ 851 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); 852 } 853 854int dtls1_send_server_key_exchange(SSL *s) 855 { 856#ifndef OPENSSL_NO_RSA 857 unsigned char *q; 858 int j,num; 859 RSA *rsa; 860 unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 861 unsigned int u; 862#endif 863#ifndef OPENSSL_NO_DH 864 DH *dh=NULL,*dhp; 865#endif 866 EVP_PKEY *pkey; 867 unsigned char *p,*d; 868 int al,i; 869 unsigned long type; 870 int n; 871 CERT *cert; 872 BIGNUM *r[4]; 873 int nr[4],kn; 874 BUF_MEM *buf; 875 EVP_MD_CTX md_ctx; 876 877 EVP_MD_CTX_init(&md_ctx); 878 if (s->state == SSL3_ST_SW_KEY_EXCH_A) 879 { 880 type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK; 881 cert=s->cert; 882 883 buf=s->init_buf; 884 885 r[0]=r[1]=r[2]=r[3]=NULL; 886 n=0; 887#ifndef OPENSSL_NO_RSA 888 if (type & SSL_kRSA) 889 { 890 rsa=cert->rsa_tmp; 891 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) 892 { 893 rsa=s->cert->rsa_tmp_cb(s, 894 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 895 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 896 if(rsa == NULL) 897 { 898 al=SSL_AD_HANDSHAKE_FAILURE; 899 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY); 900 goto f_err; 901 } 902 RSA_up_ref(rsa); 903 cert->rsa_tmp=rsa; 904 } 905 if (rsa == NULL) 906 { 907 al=SSL_AD_HANDSHAKE_FAILURE; 908 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY); 909 goto f_err; 910 } 911 r[0]=rsa->n; 912 r[1]=rsa->e; 913 s->s3->tmp.use_rsa_tmp=1; 914 } 915 else 916#endif 917#ifndef OPENSSL_NO_DH 918 if (type & SSL_kEDH) 919 { 920 dhp=cert->dh_tmp; 921 if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) 922 dhp=s->cert->dh_tmp_cb(s, 923 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 924 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 925 if (dhp == NULL) 926 { 927 al=SSL_AD_HANDSHAKE_FAILURE; 928 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY); 929 goto f_err; 930 } 931 932 if (s->s3->tmp.dh != NULL) 933 { 934 DH_free(dh); 935 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 936 goto err; 937 } 938 939 if ((dh=DHparams_dup(dhp)) == NULL) 940 { 941 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB); 942 goto err; 943 } 944 945 s->s3->tmp.dh=dh; 946 if ((dhp->pub_key == NULL || 947 dhp->priv_key == NULL || 948 (s->options & SSL_OP_SINGLE_DH_USE))) 949 { 950 if(!DH_generate_key(dh)) 951 { 952 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, 953 ERR_R_DH_LIB); 954 goto err; 955 } 956 } 957 else 958 { 959 dh->pub_key=BN_dup(dhp->pub_key); 960 dh->priv_key=BN_dup(dhp->priv_key); 961 if ((dh->pub_key == NULL) || 962 (dh->priv_key == NULL)) 963 { 964 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB); 965 goto err; 966 } 967 } 968 r[0]=dh->p; 969 r[1]=dh->g; 970 r[2]=dh->pub_key; 971 } 972 else 973#endif 974 { 975 al=SSL_AD_HANDSHAKE_FAILURE; 976 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 977 goto f_err; 978 } 979 for (i=0; r[i] != NULL; i++) 980 { 981 nr[i]=BN_num_bytes(r[i]); 982 n+=2+nr[i]; 983 } 984 985 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) 986 { 987 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher)) 988 == NULL) 989 { 990 al=SSL_AD_DECODE_ERROR; 991 goto f_err; 992 } 993 kn=EVP_PKEY_size(pkey); 994 } 995 else 996 { 997 pkey=NULL; 998 kn=0; 999 } 1000 1001 if (!BUF_MEM_grow_clean(buf,n+DTLS1_HM_HEADER_LENGTH+kn)) 1002 { 1003 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF); 1004 goto err; 1005 } 1006 d=(unsigned char *)s->init_buf->data; 1007 p= &(d[DTLS1_HM_HEADER_LENGTH]); 1008 1009 for (i=0; r[i] != NULL; i++) 1010 { 1011 s2n(nr[i],p); 1012 BN_bn2bin(r[i],p); 1013 p+=nr[i]; 1014 } 1015 1016 /* not anonymous */ 1017 if (pkey != NULL) 1018 { 1019 /* n is the length of the params, they start at 1020 * &(d[DTLS1_HM_HEADER_LENGTH]) and p points to the space 1021 * at the end. */ 1022#ifndef OPENSSL_NO_RSA 1023 if (pkey->type == EVP_PKEY_RSA) 1024 { 1025 q=md_buf; 1026 j=0; 1027 for (num=2; num > 0; num--) 1028 { 1029 EVP_DigestInit_ex(&md_ctx,(num == 2) 1030 ?s->ctx->md5:s->ctx->sha1, NULL); 1031 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1032 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1033 EVP_DigestUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n); 1034 EVP_DigestFinal_ex(&md_ctx,q, 1035 (unsigned int *)&i); 1036 q+=i; 1037 j+=i; 1038 } 1039 if (RSA_sign(NID_md5_sha1, md_buf, j, 1040 &(p[2]), &u, pkey->pkey.rsa) <= 0) 1041 { 1042 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA); 1043 goto err; 1044 } 1045 s2n(u,p); 1046 n+=u+2; 1047 } 1048 else 1049#endif 1050#if !defined(OPENSSL_NO_DSA) 1051 if (pkey->type == EVP_PKEY_DSA) 1052 { 1053 /* lets do DSS */ 1054 EVP_SignInit_ex(&md_ctx,EVP_dss1(), NULL); 1055 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1056 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1057 EVP_SignUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n); 1058 if (!EVP_SignFinal(&md_ctx,&(p[2]), 1059 (unsigned int *)&i,pkey)) 1060 { 1061 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA); 1062 goto err; 1063 } 1064 s2n(i,p); 1065 n+=i+2; 1066 } 1067 else 1068#endif 1069 { 1070 /* Is this error check actually needed? */ 1071 al=SSL_AD_HANDSHAKE_FAILURE; 1072 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE); 1073 goto f_err; 1074 } 1075 } 1076 1077 d = dtls1_set_message_header(s, d, 1078 SSL3_MT_SERVER_KEY_EXCHANGE, n, 0, n); 1079 1080 /* we should now have things packed up, so lets send 1081 * it off */ 1082 s->init_num=n+DTLS1_HM_HEADER_LENGTH; 1083 s->init_off=0; 1084 1085 /* buffer the message to handle re-xmits */ 1086 dtls1_buffer_message(s, 0); 1087 } 1088 1089 s->state = SSL3_ST_SW_KEY_EXCH_B; 1090 EVP_MD_CTX_cleanup(&md_ctx); 1091 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); 1092f_err: 1093 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1094err: 1095 EVP_MD_CTX_cleanup(&md_ctx); 1096 return(-1); 1097 } 1098 1099int dtls1_send_certificate_request(SSL *s) 1100 { 1101 unsigned char *p,*d; 1102 int i,j,nl,off,n; 1103 STACK_OF(X509_NAME) *sk=NULL; 1104 X509_NAME *name; 1105 BUF_MEM *buf; 1106 unsigned int msg_len; 1107 1108 if (s->state == SSL3_ST_SW_CERT_REQ_A) 1109 { 1110 buf=s->init_buf; 1111 1112 d=p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH]); 1113 1114 /* get the list of acceptable cert types */ 1115 p++; 1116 n=ssl3_get_req_cert_type(s,p); 1117 d[0]=n; 1118 p+=n; 1119 n++; 1120 1121 off=n; 1122 p+=2; 1123 n+=2; 1124 1125 sk=SSL_get_client_CA_list(s); 1126 nl=0; 1127 if (sk != NULL) 1128 { 1129 for (i=0; i<sk_X509_NAME_num(sk); i++) 1130 { 1131 name=sk_X509_NAME_value(sk,i); 1132 j=i2d_X509_NAME(name,NULL); 1133 if (!BUF_MEM_grow_clean(buf,DTLS1_HM_HEADER_LENGTH+n+j+2)) 1134 { 1135 SSLerr(SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB); 1136 goto err; 1137 } 1138 p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH+n]); 1139 if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) 1140 { 1141 s2n(j,p); 1142 i2d_X509_NAME(name,&p); 1143 n+=2+j; 1144 nl+=2+j; 1145 } 1146 else 1147 { 1148 d=p; 1149 i2d_X509_NAME(name,&p); 1150 j-=2; s2n(j,d); j+=2; 1151 n+=j; 1152 nl+=j; 1153 } 1154 } 1155 } 1156 /* else no CA names */ 1157 p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH+off]); 1158 s2n(nl,p); 1159 1160 d=(unsigned char *)buf->data; 1161 *(d++)=SSL3_MT_CERTIFICATE_REQUEST; 1162 l2n3(n,d); 1163 s2n(s->d1->handshake_write_seq,d); 1164 s->d1->handshake_write_seq++; 1165 1166 /* we should now have things packed up, so lets send 1167 * it off */ 1168 1169 s->init_num=n+DTLS1_HM_HEADER_LENGTH; 1170 s->init_off=0; 1171#ifdef NETSCAPE_HANG_BUG 1172/* XXX: what to do about this? */ 1173 p=(unsigned char *)s->init_buf->data + s->init_num; 1174 1175 /* do the header */ 1176 *(p++)=SSL3_MT_SERVER_DONE; 1177 *(p++)=0; 1178 *(p++)=0; 1179 *(p++)=0; 1180 s->init_num += 4; 1181#endif 1182 1183 /* XDTLS: set message header ? */ 1184 msg_len = s->init_num - DTLS1_HM_HEADER_LENGTH; 1185 dtls1_set_message_header(s, (void *)s->init_buf->data, 1186 SSL3_MT_CERTIFICATE_REQUEST, msg_len, 0, msg_len); 1187 1188 /* buffer the message to handle re-xmits */ 1189 dtls1_buffer_message(s, 0); 1190 1191 s->state = SSL3_ST_SW_CERT_REQ_B; 1192 } 1193 1194 /* SSL3_ST_SW_CERT_REQ_B */ 1195 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); 1196err: 1197 return(-1); 1198 } 1199 1200int dtls1_send_server_certificate(SSL *s) 1201 { 1202 unsigned long l; 1203 X509 *x; 1204 1205 if (s->state == SSL3_ST_SW_CERT_A) 1206 { 1207 x=ssl_get_server_send_cert(s); 1208 if (x == NULL && 1209 /* VRS: allow null cert if auth == KRB5 */ 1210 (s->s3->tmp.new_cipher->algorithms 1211 & (SSL_MKEY_MASK|SSL_AUTH_MASK)) 1212 != (SSL_aKRB5|SSL_kKRB5)) 1213 { 1214 SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR); 1215 return(0); 1216 } 1217 1218 l=dtls1_output_cert_chain(s,x); 1219 s->state=SSL3_ST_SW_CERT_B; 1220 s->init_num=(int)l; 1221 s->init_off=0; 1222 1223 /* buffer the message to handle re-xmits */ 1224 dtls1_buffer_message(s, 0); 1225 } 1226 1227 /* SSL3_ST_SW_CERT_B */ 1228 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); 1229 } 1230 1231#ifndef OPENSSL_NO_TLSEXT 1232int dtls1_send_newsession_ticket(SSL *s) 1233 { 1234 if (s->state == SSL3_ST_SW_SESSION_TICKET_A) 1235 { 1236 unsigned char *p, *senc, *macstart; 1237 int len, slen; 1238 unsigned int hlen, msg_len; 1239 EVP_CIPHER_CTX ctx; 1240 HMAC_CTX hctx; 1241 SSL_CTX *tctx = s->initial_ctx; 1242 unsigned char iv[EVP_MAX_IV_LENGTH]; 1243 unsigned char key_name[16]; 1244 1245 /* get session encoding length */ 1246 slen = i2d_SSL_SESSION(s->session, NULL); 1247 /* Some length values are 16 bits, so forget it if session is 1248 * too long 1249 */ 1250 if (slen > 0xFF00) 1251 return -1; 1252 /* Grow buffer if need be: the length calculation is as 1253 * follows 12 (DTLS handshake message header) + 1254 * 4 (ticket lifetime hint) + 2 (ticket length) + 1255 * 16 (key name) + max_iv_len (iv length) + 1256 * session_length + max_enc_block_size (max encrypted session 1257 * length) + max_md_size (HMAC). 1258 */ 1259 if (!BUF_MEM_grow(s->init_buf, 1260 DTLS1_HM_HEADER_LENGTH + 22 + EVP_MAX_IV_LENGTH + 1261 EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE + slen)) 1262 return -1; 1263 senc = OPENSSL_malloc(slen); 1264 if (!senc) 1265 return -1; 1266 p = senc; 1267 i2d_SSL_SESSION(s->session, &p); 1268 1269 p=(unsigned char *)&(s->init_buf->data[DTLS1_HM_HEADER_LENGTH]); 1270 EVP_CIPHER_CTX_init(&ctx); 1271 HMAC_CTX_init(&hctx); 1272 /* Initialize HMAC and cipher contexts. If callback present 1273 * it does all the work otherwise use generated values 1274 * from parent ctx. 1275 */ 1276 if (tctx->tlsext_ticket_key_cb) 1277 { 1278 if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, 1279 &hctx, 1) < 0) 1280 { 1281 OPENSSL_free(senc); 1282 return -1; 1283 } 1284 } 1285 else 1286 { 1287 RAND_pseudo_bytes(iv, 16); 1288 EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, 1289 tctx->tlsext_tick_aes_key, iv); 1290 HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, 1291 tlsext_tick_md(), NULL); 1292 memcpy(key_name, tctx->tlsext_tick_key_name, 16); 1293 } 1294 l2n(s->session->tlsext_tick_lifetime_hint, p); 1295 /* Skip ticket length for now */ 1296 p += 2; 1297 /* Output key name */ 1298 macstart = p; 1299 memcpy(p, key_name, 16); 1300 p += 16; 1301 /* output IV */ 1302 memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx)); 1303 p += EVP_CIPHER_CTX_iv_length(&ctx); 1304 /* Encrypt session data */ 1305 EVP_EncryptUpdate(&ctx, p, &len, senc, slen); 1306 p += len; 1307 EVP_EncryptFinal(&ctx, p, &len); 1308 p += len; 1309 EVP_CIPHER_CTX_cleanup(&ctx); 1310 1311 HMAC_Update(&hctx, macstart, p - macstart); 1312 HMAC_Final(&hctx, p, &hlen); 1313 HMAC_CTX_cleanup(&hctx); 1314 1315 p += hlen; 1316 /* Now write out lengths: p points to end of data written */ 1317 /* Total length */ 1318 len = p - (unsigned char *)(s->init_buf->data); 1319 /* Ticket length */ 1320 p=(unsigned char *)&(s->init_buf->data[DTLS1_HM_HEADER_LENGTH]) + 4; 1321 s2n(len - DTLS1_HM_HEADER_LENGTH - 6, p); 1322 1323 /* number of bytes to write */ 1324 s->init_num= len; 1325 s->state=SSL3_ST_SW_SESSION_TICKET_B; 1326 s->init_off=0; 1327 OPENSSL_free(senc); 1328 1329 /* XDTLS: set message header ? */ 1330 msg_len = s->init_num - DTLS1_HM_HEADER_LENGTH; 1331 dtls1_set_message_header(s, (void *)s->init_buf->data, 1332 SSL3_MT_NEWSESSION_TICKET, msg_len, 0, msg_len); 1333 1334 /* buffer the message to handle re-xmits */ 1335 dtls1_buffer_message(s, 0); 1336 } 1337 1338 /* SSL3_ST_SW_SESSION_TICKET_B */ 1339 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); 1340 } 1341#endif 1342