1160814Ssimon/* ssl/d1_clnt.c */ 2280304Sjkim/* 3160814Ssimon * DTLS implementation written by Nagendra Modadugu 4280304Sjkim * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 5160814Ssimon */ 6160814Ssimon/* ==================================================================== 7238405Sjkim * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. 8160814Ssimon * 9160814Ssimon * Redistribution and use in source and binary forms, with or without 10160814Ssimon * modification, are permitted provided that the following conditions 11160814Ssimon * are met: 12160814Ssimon * 13160814Ssimon * 1. Redistributions of source code must retain the above copyright 14280304Sjkim * notice, this list of conditions and the following disclaimer. 15160814Ssimon * 16160814Ssimon * 2. Redistributions in binary form must reproduce the above copyright 17160814Ssimon * notice, this list of conditions and the following disclaimer in 18160814Ssimon * the documentation and/or other materials provided with the 19160814Ssimon * distribution. 20160814Ssimon * 21160814Ssimon * 3. All advertising materials mentioning features or use of this 22160814Ssimon * software must display the following acknowledgment: 23160814Ssimon * "This product includes software developed by the OpenSSL Project 24160814Ssimon * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25160814Ssimon * 26160814Ssimon * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27160814Ssimon * endorse or promote products derived from this software without 28160814Ssimon * prior written permission. For written permission, please contact 29160814Ssimon * openssl-core@OpenSSL.org. 30160814Ssimon * 31160814Ssimon * 5. Products derived from this software may not be called "OpenSSL" 32160814Ssimon * nor may "OpenSSL" appear in their names without prior written 33160814Ssimon * permission of the OpenSSL Project. 34160814Ssimon * 35160814Ssimon * 6. Redistributions of any form whatsoever must retain the following 36160814Ssimon * acknowledgment: 37160814Ssimon * "This product includes software developed by the OpenSSL Project 38160814Ssimon * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39160814Ssimon * 40160814Ssimon * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41160814Ssimon * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42160814Ssimon * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43160814Ssimon * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44160814Ssimon * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45160814Ssimon * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46160814Ssimon * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47160814Ssimon * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48160814Ssimon * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49160814Ssimon * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50160814Ssimon * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51160814Ssimon * OF THE POSSIBILITY OF SUCH DAMAGE. 52160814Ssimon * ==================================================================== 53160814Ssimon * 54160814Ssimon * This product includes cryptographic software written by Eric Young 55160814Ssimon * (eay@cryptsoft.com). This product includes software written by Tim 56160814Ssimon * Hudson (tjh@cryptsoft.com). 57160814Ssimon * 58160814Ssimon */ 59160814Ssimon/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 60160814Ssimon * All rights reserved. 61160814Ssimon * 62160814Ssimon * This package is an SSL implementation written 63160814Ssimon * by Eric Young (eay@cryptsoft.com). 64160814Ssimon * The implementation was written so as to conform with Netscapes SSL. 65280304Sjkim * 66160814Ssimon * This library is free for commercial and non-commercial use as long as 67160814Ssimon * the following conditions are aheared to. The following conditions 68160814Ssimon * apply to all code found in this distribution, be it the RC4, RSA, 69160814Ssimon * lhash, DES, etc., code; not just the SSL code. The SSL documentation 70160814Ssimon * included with this distribution is covered by the same copyright terms 71160814Ssimon * except that the holder is Tim Hudson (tjh@cryptsoft.com). 72280304Sjkim * 73160814Ssimon * Copyright remains Eric Young's, and as such any Copyright notices in 74160814Ssimon * the code are not to be removed. 75160814Ssimon * If this package is used in a product, Eric Young should be given attribution 76160814Ssimon * as the author of the parts of the library used. 77160814Ssimon * This can be in the form of a textual message at program startup or 78160814Ssimon * in documentation (online or textual) provided with the package. 79280304Sjkim * 80160814Ssimon * Redistribution and use in source and binary forms, with or without 81160814Ssimon * modification, are permitted provided that the following conditions 82160814Ssimon * are met: 83160814Ssimon * 1. Redistributions of source code must retain the copyright 84160814Ssimon * notice, this list of conditions and the following disclaimer. 85160814Ssimon * 2. Redistributions in binary form must reproduce the above copyright 86160814Ssimon * notice, this list of conditions and the following disclaimer in the 87160814Ssimon * documentation and/or other materials provided with the distribution. 88160814Ssimon * 3. All advertising materials mentioning features or use of this software 89160814Ssimon * must display the following acknowledgement: 90160814Ssimon * "This product includes cryptographic software written by 91160814Ssimon * Eric Young (eay@cryptsoft.com)" 92160814Ssimon * The word 'cryptographic' can be left out if the rouines from the library 93160814Ssimon * being used are not cryptographic related :-). 94280304Sjkim * 4. If you include any Windows specific code (or a derivative thereof) from 95160814Ssimon * the apps directory (application code) you must include an acknowledgement: 96160814Ssimon * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 97280304Sjkim * 98160814Ssimon * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 99160814Ssimon * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 100160814Ssimon * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 101160814Ssimon * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 102160814Ssimon * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 103160814Ssimon * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 104160814Ssimon * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 105160814Ssimon * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 106160814Ssimon * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 107160814Ssimon * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 108160814Ssimon * SUCH DAMAGE. 109280304Sjkim * 110160814Ssimon * The licence and distribution terms for any publically available version or 111160814Ssimon * derivative of this code cannot be changed. i.e. this code cannot simply be 112160814Ssimon * copied and put under another distribution licence 113160814Ssimon * [including the GNU Public Licence.] 114160814Ssimon */ 115160814Ssimon 116160814Ssimon#include <stdio.h> 117160814Ssimon#include "ssl_locl.h" 118238405Sjkim#ifndef OPENSSL_NO_KRB5 119280304Sjkim# include "kssl_lcl.h" 120238405Sjkim#endif 121160814Ssimon#include <openssl/buffer.h> 122160814Ssimon#include <openssl/rand.h> 123160814Ssimon#include <openssl/objects.h> 124160814Ssimon#include <openssl/evp.h> 125160814Ssimon#include <openssl/md5.h> 126238405Sjkim#include <openssl/bn.h> 127160814Ssimon#ifndef OPENSSL_NO_DH 128280304Sjkim# include <openssl/dh.h> 129160814Ssimon#endif 130160814Ssimon 131238405Sjkimstatic const SSL_METHOD *dtls1_get_client_method(int ver); 132160814Ssimonstatic int dtls1_get_hello_verify(SSL *s); 133160814Ssimon 134238405Sjkimstatic const SSL_METHOD *dtls1_get_client_method(int ver) 135280304Sjkim{ 136280304Sjkim if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER) 137280304Sjkim return (DTLSv1_client_method()); 138280304Sjkim else 139280304Sjkim return (NULL); 140280304Sjkim} 141160814Ssimon 142160814SsimonIMPLEMENT_dtls1_meth_func(DTLSv1_client_method, 143280304Sjkim ssl_undefined_function, 144280304Sjkim dtls1_connect, dtls1_get_client_method) 145160814Ssimon 146160814Ssimonint dtls1_connect(SSL *s) 147280304Sjkim{ 148280304Sjkim BUF_MEM *buf = NULL; 149280304Sjkim unsigned long Time = (unsigned long)time(NULL); 150280304Sjkim void (*cb) (const SSL *ssl, int type, int val) = NULL; 151280304Sjkim int ret = -1; 152280304Sjkim int new_state, state, skip = 0; 153238405Sjkim#ifndef OPENSSL_NO_SCTP 154280304Sjkim unsigned char sctpauthkey[64]; 155280304Sjkim char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)]; 156238405Sjkim#endif 157160814Ssimon 158280304Sjkim RAND_add(&Time, sizeof(Time), 0); 159280304Sjkim ERR_clear_error(); 160280304Sjkim clear_sys_error(); 161160814Ssimon 162280304Sjkim if (s->info_callback != NULL) 163280304Sjkim cb = s->info_callback; 164280304Sjkim else if (s->ctx->info_callback != NULL) 165280304Sjkim cb = s->ctx->info_callback; 166160814Ssimon 167280304Sjkim s->in_handshake++; 168280304Sjkim if (!SSL_in_init(s) || SSL_in_before(s)) 169280304Sjkim SSL_clear(s); 170280304Sjkim 171238405Sjkim#ifndef OPENSSL_NO_SCTP 172280304Sjkim /* 173280304Sjkim * Notify SCTP BIO socket to enter handshake mode and prevent stream 174280304Sjkim * identifier other than 0. Will be ignored if no SCTP is used. 175280304Sjkim */ 176280304Sjkim BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, 177280304Sjkim s->in_handshake, NULL); 178238405Sjkim#endif 179238405Sjkim 180238405Sjkim#ifndef OPENSSL_NO_HEARTBEATS 181280304Sjkim /* 182280304Sjkim * If we're awaiting a HeartbeatResponse, pretend we already got and 183280304Sjkim * don't await it anymore, because Heartbeats don't make sense during 184280304Sjkim * handshakes anyway. 185280304Sjkim */ 186280304Sjkim if (s->tlsext_hb_pending) { 187280304Sjkim dtls1_stop_timer(s); 188280304Sjkim s->tlsext_hb_pending = 0; 189280304Sjkim s->tlsext_hb_seq++; 190280304Sjkim } 191238405Sjkim#endif 192238405Sjkim 193280304Sjkim for (;;) { 194280304Sjkim state = s->state; 195160814Ssimon 196280304Sjkim switch (s->state) { 197280304Sjkim case SSL_ST_RENEGOTIATE: 198280304Sjkim s->renegotiate = 1; 199280304Sjkim s->state = SSL_ST_CONNECT; 200280304Sjkim s->ctx->stats.sess_connect_renegotiate++; 201280304Sjkim /* break */ 202280304Sjkim case SSL_ST_BEFORE: 203280304Sjkim case SSL_ST_CONNECT: 204280304Sjkim case SSL_ST_BEFORE | SSL_ST_CONNECT: 205280304Sjkim case SSL_ST_OK | SSL_ST_CONNECT: 206160814Ssimon 207280304Sjkim s->server = 0; 208280304Sjkim if (cb != NULL) 209280304Sjkim cb(s, SSL_CB_HANDSHAKE_START, 1); 210160814Ssimon 211280304Sjkim if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00) && 212280304Sjkim (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00)) { 213280304Sjkim SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR); 214280304Sjkim ret = -1; 215284285Sjkim s->state = SSL_ST_ERR; 216280304Sjkim goto end; 217280304Sjkim } 218160814Ssimon 219280304Sjkim /* s->version=SSL3_VERSION; */ 220280304Sjkim s->type = SSL_ST_CONNECT; 221160814Ssimon 222280304Sjkim if (s->init_buf == NULL) { 223280304Sjkim if ((buf = BUF_MEM_new()) == NULL) { 224280304Sjkim ret = -1; 225284285Sjkim s->state = SSL_ST_ERR; 226280304Sjkim goto end; 227280304Sjkim } 228280304Sjkim if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) { 229280304Sjkim ret = -1; 230284285Sjkim s->state = SSL_ST_ERR; 231280304Sjkim goto end; 232280304Sjkim } 233280304Sjkim s->init_buf = buf; 234280304Sjkim buf = NULL; 235280304Sjkim } 236160814Ssimon 237280304Sjkim if (!ssl3_setup_buffers(s)) { 238280304Sjkim ret = -1; 239284285Sjkim s->state = SSL_ST_ERR; 240280304Sjkim goto end; 241280304Sjkim } 242160814Ssimon 243280304Sjkim /* setup buffing BIO */ 244280304Sjkim if (!ssl_init_wbio_buffer(s, 0)) { 245280304Sjkim ret = -1; 246284285Sjkim s->state = SSL_ST_ERR; 247280304Sjkim goto end; 248280304Sjkim } 249160814Ssimon 250280304Sjkim /* don't push the buffering BIO quite yet */ 251160814Ssimon 252280304Sjkim s->state = SSL3_ST_CW_CLNT_HELLO_A; 253280304Sjkim s->ctx->stats.sess_connect++; 254280304Sjkim s->init_num = 0; 255280304Sjkim /* mark client_random uninitialized */ 256280304Sjkim memset(s->s3->client_random, 0, sizeof(s->s3->client_random)); 257280304Sjkim s->d1->send_cookie = 0; 258280304Sjkim s->hit = 0; 259280304Sjkim s->d1->change_cipher_spec_ok = 0; 260280304Sjkim /* 261280304Sjkim * Should have been reset by ssl3_get_finished, too. 262280304Sjkim */ 263280304Sjkim s->s3->change_cipher_spec = 0; 264280304Sjkim break; 265280304Sjkim 266238405Sjkim#ifndef OPENSSL_NO_SCTP 267280304Sjkim case DTLS1_SCTP_ST_CR_READ_SOCK: 268238405Sjkim 269280304Sjkim if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) { 270280304Sjkim s->s3->in_read_app_data = 2; 271280304Sjkim s->rwstate = SSL_READING; 272280304Sjkim BIO_clear_retry_flags(SSL_get_rbio(s)); 273280304Sjkim BIO_set_retry_read(SSL_get_rbio(s)); 274280304Sjkim ret = -1; 275280304Sjkim goto end; 276280304Sjkim } 277238405Sjkim 278280304Sjkim s->state = s->s3->tmp.next_state; 279280304Sjkim break; 280238405Sjkim 281280304Sjkim case DTLS1_SCTP_ST_CW_WRITE_SOCK: 282280304Sjkim /* read app data until dry event */ 283238405Sjkim 284280304Sjkim ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s)); 285280304Sjkim if (ret < 0) 286280304Sjkim goto end; 287238405Sjkim 288280304Sjkim if (ret == 0) { 289280304Sjkim s->s3->in_read_app_data = 2; 290280304Sjkim s->rwstate = SSL_READING; 291280304Sjkim BIO_clear_retry_flags(SSL_get_rbio(s)); 292280304Sjkim BIO_set_retry_read(SSL_get_rbio(s)); 293280304Sjkim ret = -1; 294280304Sjkim goto end; 295280304Sjkim } 296238405Sjkim 297280304Sjkim s->state = s->d1->next_state; 298280304Sjkim break; 299238405Sjkim#endif 300238405Sjkim 301280304Sjkim case SSL3_ST_CW_CLNT_HELLO_A: 302280304Sjkim s->shutdown = 0; 303194206Ssimon 304280304Sjkim /* every DTLS ClientHello resets Finished MAC */ 305280304Sjkim ssl3_init_finished_mac(s); 306194206Ssimon 307291721Sjkim case SSL3_ST_CW_CLNT_HELLO_B: 308280304Sjkim dtls1_start_timer(s); 309280304Sjkim ret = dtls1_client_hello(s); 310280304Sjkim if (ret <= 0) 311280304Sjkim goto end; 312160814Ssimon 313280304Sjkim if (s->d1->send_cookie) { 314280304Sjkim s->state = SSL3_ST_CW_FLUSH; 315280304Sjkim s->s3->tmp.next_state = SSL3_ST_CR_SRVR_HELLO_A; 316280304Sjkim } else 317280304Sjkim s->state = SSL3_ST_CR_SRVR_HELLO_A; 318160814Ssimon 319280304Sjkim s->init_num = 0; 320160814Ssimon 321238405Sjkim#ifndef OPENSSL_NO_SCTP 322280304Sjkim /* Disable buffering for SCTP */ 323280304Sjkim if (!BIO_dgram_is_sctp(SSL_get_wbio(s))) { 324238405Sjkim#endif 325280304Sjkim /* 326280304Sjkim * turn on buffering for the next lot of output 327280304Sjkim */ 328280304Sjkim if (s->bbio != s->wbio) 329280304Sjkim s->wbio = BIO_push(s->bbio, s->wbio); 330238405Sjkim#ifndef OPENSSL_NO_SCTP 331280304Sjkim } 332238405Sjkim#endif 333160814Ssimon 334280304Sjkim break; 335160814Ssimon 336280304Sjkim case SSL3_ST_CR_SRVR_HELLO_A: 337280304Sjkim case SSL3_ST_CR_SRVR_HELLO_B: 338280304Sjkim ret = ssl3_get_server_hello(s); 339280304Sjkim if (ret <= 0) 340280304Sjkim goto end; 341280304Sjkim else { 342280304Sjkim if (s->hit) { 343238405Sjkim#ifndef OPENSSL_NO_SCTP 344280304Sjkim /* 345280304Sjkim * Add new shared key for SCTP-Auth, will be ignored if 346280304Sjkim * no SCTP used. 347280304Sjkim */ 348280304Sjkim snprintf((char *)labelbuffer, 349280304Sjkim sizeof(DTLS1_SCTP_AUTH_LABEL), 350280304Sjkim DTLS1_SCTP_AUTH_LABEL); 351238405Sjkim 352291721Sjkim if (SSL_export_keying_material(s, sctpauthkey, 353280304Sjkim sizeof(sctpauthkey), 354280304Sjkim labelbuffer, 355280304Sjkim sizeof(labelbuffer), NULL, 0, 356291721Sjkim 0) <= 0) { 357291721Sjkim ret = -1; 358291721Sjkim s->state = SSL_ST_ERR; 359291721Sjkim goto end; 360291721Sjkim } 361238405Sjkim 362280304Sjkim BIO_ctrl(SSL_get_wbio(s), 363280304Sjkim BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, 364280304Sjkim sizeof(sctpauthkey), sctpauthkey); 365238405Sjkim#endif 366238405Sjkim 367280304Sjkim s->state = SSL3_ST_CR_FINISHED_A; 368291721Sjkim if (s->tlsext_ticket_expected) { 369291721Sjkim /* receive renewed session ticket */ 370291721Sjkim s->state = SSL3_ST_CR_SESSION_TICKET_A; 371291721Sjkim } 372280304Sjkim } else 373280304Sjkim s->state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A; 374280304Sjkim } 375280304Sjkim s->init_num = 0; 376280304Sjkim break; 377160814Ssimon 378280304Sjkim case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: 379280304Sjkim case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B: 380160814Ssimon 381280304Sjkim ret = dtls1_get_hello_verify(s); 382280304Sjkim if (ret <= 0) 383280304Sjkim goto end; 384280304Sjkim dtls1_stop_timer(s); 385280304Sjkim if (s->d1->send_cookie) /* start again, with a cookie */ 386280304Sjkim s->state = SSL3_ST_CW_CLNT_HELLO_A; 387280304Sjkim else 388280304Sjkim s->state = SSL3_ST_CR_CERT_A; 389280304Sjkim s->init_num = 0; 390280304Sjkim break; 391160814Ssimon 392280304Sjkim case SSL3_ST_CR_CERT_A: 393280304Sjkim case SSL3_ST_CR_CERT_B: 394280304Sjkim /* Check if it is anon DH or PSK */ 395280304Sjkim if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 396280304Sjkim !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { 397280304Sjkim ret = ssl3_get_server_certificate(s); 398280304Sjkim if (ret <= 0) 399280304Sjkim goto end; 400205128Ssimon#ifndef OPENSSL_NO_TLSEXT 401280304Sjkim if (s->tlsext_status_expected) 402280304Sjkim s->state = SSL3_ST_CR_CERT_STATUS_A; 403280304Sjkim else 404280304Sjkim s->state = SSL3_ST_CR_KEY_EXCH_A; 405280304Sjkim } else { 406280304Sjkim skip = 1; 407280304Sjkim s->state = SSL3_ST_CR_KEY_EXCH_A; 408280304Sjkim } 409205128Ssimon#else 410280304Sjkim } else 411280304Sjkim skip = 1; 412205128Ssimon 413280304Sjkim s->state = SSL3_ST_CR_KEY_EXCH_A; 414205128Ssimon#endif 415280304Sjkim s->init_num = 0; 416280304Sjkim break; 417160814Ssimon 418280304Sjkim case SSL3_ST_CR_KEY_EXCH_A: 419280304Sjkim case SSL3_ST_CR_KEY_EXCH_B: 420280304Sjkim ret = ssl3_get_key_exchange(s); 421280304Sjkim if (ret <= 0) 422280304Sjkim goto end; 423280304Sjkim s->state = SSL3_ST_CR_CERT_REQ_A; 424280304Sjkim s->init_num = 0; 425160814Ssimon 426280304Sjkim /* 427280304Sjkim * at this point we check that we have the required stuff from 428280304Sjkim * the server 429280304Sjkim */ 430280304Sjkim if (!ssl3_check_cert_and_algorithm(s)) { 431280304Sjkim ret = -1; 432284285Sjkim s->state = SSL_ST_ERR; 433280304Sjkim goto end; 434280304Sjkim } 435280304Sjkim break; 436160814Ssimon 437280304Sjkim case SSL3_ST_CR_CERT_REQ_A: 438280304Sjkim case SSL3_ST_CR_CERT_REQ_B: 439280304Sjkim ret = ssl3_get_certificate_request(s); 440280304Sjkim if (ret <= 0) 441280304Sjkim goto end; 442280304Sjkim s->state = SSL3_ST_CR_SRVR_DONE_A; 443280304Sjkim s->init_num = 0; 444280304Sjkim break; 445160814Ssimon 446280304Sjkim case SSL3_ST_CR_SRVR_DONE_A: 447280304Sjkim case SSL3_ST_CR_SRVR_DONE_B: 448280304Sjkim ret = ssl3_get_server_done(s); 449280304Sjkim if (ret <= 0) 450280304Sjkim goto end; 451280304Sjkim dtls1_stop_timer(s); 452280304Sjkim if (s->s3->tmp.cert_req) 453280304Sjkim s->s3->tmp.next_state = SSL3_ST_CW_CERT_A; 454280304Sjkim else 455280304Sjkim s->s3->tmp.next_state = SSL3_ST_CW_KEY_EXCH_A; 456280304Sjkim s->init_num = 0; 457160814Ssimon 458280304Sjkim#ifndef OPENSSL_NO_SCTP 459280304Sjkim if (BIO_dgram_is_sctp(SSL_get_wbio(s)) && 460280304Sjkim state == SSL_ST_RENEGOTIATE) 461280304Sjkim s->state = DTLS1_SCTP_ST_CR_READ_SOCK; 462280304Sjkim else 463280304Sjkim#endif 464280304Sjkim s->state = s->s3->tmp.next_state; 465280304Sjkim break; 466160814Ssimon 467280304Sjkim case SSL3_ST_CW_CERT_A: 468280304Sjkim case SSL3_ST_CW_CERT_B: 469280304Sjkim case SSL3_ST_CW_CERT_C: 470280304Sjkim case SSL3_ST_CW_CERT_D: 471280304Sjkim dtls1_start_timer(s); 472280304Sjkim ret = dtls1_send_client_certificate(s); 473280304Sjkim if (ret <= 0) 474280304Sjkim goto end; 475280304Sjkim s->state = SSL3_ST_CW_KEY_EXCH_A; 476280304Sjkim s->init_num = 0; 477280304Sjkim break; 478160814Ssimon 479280304Sjkim case SSL3_ST_CW_KEY_EXCH_A: 480280304Sjkim case SSL3_ST_CW_KEY_EXCH_B: 481280304Sjkim dtls1_start_timer(s); 482280304Sjkim ret = dtls1_send_client_key_exchange(s); 483280304Sjkim if (ret <= 0) 484280304Sjkim goto end; 485238405Sjkim 486238405Sjkim#ifndef OPENSSL_NO_SCTP 487280304Sjkim /* 488280304Sjkim * Add new shared key for SCTP-Auth, will be ignored if no SCTP 489280304Sjkim * used. 490280304Sjkim */ 491280304Sjkim snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL), 492280304Sjkim DTLS1_SCTP_AUTH_LABEL); 493238405Sjkim 494291721Sjkim if (SSL_export_keying_material(s, sctpauthkey, 495280304Sjkim sizeof(sctpauthkey), labelbuffer, 496291721Sjkim sizeof(labelbuffer), NULL, 0, 0) <= 0) { 497291721Sjkim ret = -1; 498291721Sjkim s->state = SSL_ST_ERR; 499291721Sjkim goto end; 500291721Sjkim } 501238405Sjkim 502280304Sjkim BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, 503280304Sjkim sizeof(sctpauthkey), sctpauthkey); 504238405Sjkim#endif 505238405Sjkim 506280304Sjkim /* 507280304Sjkim * EAY EAY EAY need to check for DH fix cert sent back 508280304Sjkim */ 509280304Sjkim /* 510280304Sjkim * For TLS, cert_req is set to 2, so a cert chain of nothing is 511280304Sjkim * sent, but no verify packet is sent 512280304Sjkim */ 513280304Sjkim if (s->s3->tmp.cert_req == 1) { 514280304Sjkim s->state = SSL3_ST_CW_CERT_VRFY_A; 515280304Sjkim } else { 516238405Sjkim#ifndef OPENSSL_NO_SCTP 517280304Sjkim if (BIO_dgram_is_sctp(SSL_get_wbio(s))) { 518280304Sjkim s->d1->next_state = SSL3_ST_CW_CHANGE_A; 519280304Sjkim s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK; 520280304Sjkim } else 521238405Sjkim#endif 522280304Sjkim s->state = SSL3_ST_CW_CHANGE_A; 523280304Sjkim } 524160814Ssimon 525280304Sjkim s->init_num = 0; 526280304Sjkim break; 527160814Ssimon 528280304Sjkim case SSL3_ST_CW_CERT_VRFY_A: 529280304Sjkim case SSL3_ST_CW_CERT_VRFY_B: 530280304Sjkim dtls1_start_timer(s); 531280304Sjkim ret = dtls1_send_client_verify(s); 532280304Sjkim if (ret <= 0) 533280304Sjkim goto end; 534238405Sjkim#ifndef OPENSSL_NO_SCTP 535280304Sjkim if (BIO_dgram_is_sctp(SSL_get_wbio(s))) { 536280304Sjkim s->d1->next_state = SSL3_ST_CW_CHANGE_A; 537280304Sjkim s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK; 538280304Sjkim } else 539238405Sjkim#endif 540280304Sjkim s->state = SSL3_ST_CW_CHANGE_A; 541280304Sjkim s->init_num = 0; 542280304Sjkim break; 543160814Ssimon 544280304Sjkim case SSL3_ST_CW_CHANGE_A: 545280304Sjkim case SSL3_ST_CW_CHANGE_B: 546280304Sjkim if (!s->hit) 547280304Sjkim dtls1_start_timer(s); 548280304Sjkim ret = dtls1_send_change_cipher_spec(s, 549280304Sjkim SSL3_ST_CW_CHANGE_A, 550280304Sjkim SSL3_ST_CW_CHANGE_B); 551280304Sjkim if (ret <= 0) 552280304Sjkim goto end; 553238405Sjkim 554280304Sjkim s->state = SSL3_ST_CW_FINISHED_A; 555280304Sjkim s->init_num = 0; 556160814Ssimon 557280304Sjkim s->session->cipher = s->s3->tmp.new_cipher; 558160814Ssimon#ifdef OPENSSL_NO_COMP 559280304Sjkim s->session->compress_meth = 0; 560160814Ssimon#else 561280304Sjkim if (s->s3->tmp.new_compression == NULL) 562280304Sjkim s->session->compress_meth = 0; 563280304Sjkim else 564280304Sjkim s->session->compress_meth = s->s3->tmp.new_compression->id; 565160814Ssimon#endif 566280304Sjkim if (!s->method->ssl3_enc->setup_key_block(s)) { 567280304Sjkim ret = -1; 568284285Sjkim s->state = SSL_ST_ERR; 569280304Sjkim goto end; 570280304Sjkim } 571160814Ssimon 572280304Sjkim if (!s->method->ssl3_enc->change_cipher_state(s, 573280304Sjkim SSL3_CHANGE_CIPHER_CLIENT_WRITE)) 574280304Sjkim { 575280304Sjkim ret = -1; 576284285Sjkim s->state = SSL_ST_ERR; 577280304Sjkim goto end; 578280304Sjkim } 579264331Sjkim#ifndef OPENSSL_NO_SCTP 580280304Sjkim if (s->hit) { 581280304Sjkim /* 582280304Sjkim * Change to new shared key of SCTP-Auth, will be ignored if 583280304Sjkim * no SCTP used. 584280304Sjkim */ 585280304Sjkim BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 586280304Sjkim 0, NULL); 587280304Sjkim } 588264331Sjkim#endif 589264331Sjkim 590280304Sjkim dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); 591280304Sjkim break; 592160814Ssimon 593280304Sjkim case SSL3_ST_CW_FINISHED_A: 594280304Sjkim case SSL3_ST_CW_FINISHED_B: 595280304Sjkim if (!s->hit) 596280304Sjkim dtls1_start_timer(s); 597280304Sjkim ret = dtls1_send_finished(s, 598280304Sjkim SSL3_ST_CW_FINISHED_A, 599280304Sjkim SSL3_ST_CW_FINISHED_B, 600280304Sjkim s->method-> 601280304Sjkim ssl3_enc->client_finished_label, 602280304Sjkim s->method-> 603280304Sjkim ssl3_enc->client_finished_label_len); 604280304Sjkim if (ret <= 0) 605280304Sjkim goto end; 606280304Sjkim s->state = SSL3_ST_CW_FLUSH; 607160814Ssimon 608280304Sjkim /* clear flags */ 609280304Sjkim s->s3->flags &= ~SSL3_FLAGS_POP_BUFFER; 610280304Sjkim if (s->hit) { 611280304Sjkim s->s3->tmp.next_state = SSL_ST_OK; 612238405Sjkim#ifndef OPENSSL_NO_SCTP 613280304Sjkim if (BIO_dgram_is_sctp(SSL_get_wbio(s))) { 614280304Sjkim s->d1->next_state = s->s3->tmp.next_state; 615280304Sjkim s->s3->tmp.next_state = DTLS1_SCTP_ST_CW_WRITE_SOCK; 616280304Sjkim } 617238405Sjkim#endif 618280304Sjkim if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) { 619280304Sjkim s->state = SSL_ST_OK; 620238405Sjkim#ifndef OPENSSL_NO_SCTP 621280304Sjkim if (BIO_dgram_is_sctp(SSL_get_wbio(s))) { 622280304Sjkim s->d1->next_state = SSL_ST_OK; 623280304Sjkim s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK; 624280304Sjkim } 625238405Sjkim#endif 626280304Sjkim s->s3->flags |= SSL3_FLAGS_POP_BUFFER; 627280304Sjkim s->s3->delay_buf_pop_ret = 0; 628280304Sjkim } 629280304Sjkim } else { 630264331Sjkim#ifndef OPENSSL_NO_SCTP 631280304Sjkim /* 632280304Sjkim * Change to new shared key of SCTP-Auth, will be ignored if 633280304Sjkim * no SCTP used. 634280304Sjkim */ 635280304Sjkim BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 636280304Sjkim 0, NULL); 637264331Sjkim#endif 638264331Sjkim 639205128Ssimon#ifndef OPENSSL_NO_TLSEXT 640280304Sjkim /* 641280304Sjkim * Allow NewSessionTicket if ticket expected 642280304Sjkim */ 643280304Sjkim if (s->tlsext_ticket_expected) 644280304Sjkim s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A; 645280304Sjkim else 646205128Ssimon#endif 647160814Ssimon 648280304Sjkim s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A; 649280304Sjkim } 650280304Sjkim s->init_num = 0; 651280304Sjkim break; 652280304Sjkim 653205128Ssimon#ifndef OPENSSL_NO_TLSEXT 654280304Sjkim case SSL3_ST_CR_SESSION_TICKET_A: 655280304Sjkim case SSL3_ST_CR_SESSION_TICKET_B: 656280304Sjkim ret = ssl3_get_new_session_ticket(s); 657280304Sjkim if (ret <= 0) 658280304Sjkim goto end; 659280304Sjkim s->state = SSL3_ST_CR_FINISHED_A; 660280304Sjkim s->init_num = 0; 661280304Sjkim break; 662205128Ssimon 663280304Sjkim case SSL3_ST_CR_CERT_STATUS_A: 664280304Sjkim case SSL3_ST_CR_CERT_STATUS_B: 665280304Sjkim ret = ssl3_get_cert_status(s); 666280304Sjkim if (ret <= 0) 667280304Sjkim goto end; 668280304Sjkim s->state = SSL3_ST_CR_KEY_EXCH_A; 669280304Sjkim s->init_num = 0; 670280304Sjkim break; 671205128Ssimon#endif 672205128Ssimon 673280304Sjkim case SSL3_ST_CR_FINISHED_A: 674280304Sjkim case SSL3_ST_CR_FINISHED_B: 675280304Sjkim s->d1->change_cipher_spec_ok = 1; 676280304Sjkim ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A, 677280304Sjkim SSL3_ST_CR_FINISHED_B); 678280304Sjkim if (ret <= 0) 679280304Sjkim goto end; 680280304Sjkim dtls1_stop_timer(s); 681160814Ssimon 682280304Sjkim if (s->hit) 683280304Sjkim s->state = SSL3_ST_CW_CHANGE_A; 684280304Sjkim else 685280304Sjkim s->state = SSL_ST_OK; 686238405Sjkim 687238405Sjkim#ifndef OPENSSL_NO_SCTP 688280304Sjkim if (BIO_dgram_is_sctp(SSL_get_wbio(s)) && 689280304Sjkim state == SSL_ST_RENEGOTIATE) { 690280304Sjkim s->d1->next_state = s->state; 691280304Sjkim s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK; 692280304Sjkim } 693238405Sjkim#endif 694238405Sjkim 695280304Sjkim s->init_num = 0; 696280304Sjkim break; 697160814Ssimon 698280304Sjkim case SSL3_ST_CW_FLUSH: 699280304Sjkim s->rwstate = SSL_WRITING; 700280304Sjkim if (BIO_flush(s->wbio) <= 0) { 701280304Sjkim /* 702280304Sjkim * If the write error was fatal, stop trying 703280304Sjkim */ 704280304Sjkim if (!BIO_should_retry(s->wbio)) { 705280304Sjkim s->rwstate = SSL_NOTHING; 706280304Sjkim s->state = s->s3->tmp.next_state; 707280304Sjkim } 708160814Ssimon 709280304Sjkim ret = -1; 710280304Sjkim goto end; 711280304Sjkim } 712280304Sjkim s->rwstate = SSL_NOTHING; 713280304Sjkim s->state = s->s3->tmp.next_state; 714280304Sjkim break; 715160814Ssimon 716280304Sjkim case SSL_ST_OK: 717280304Sjkim /* clean a few things up */ 718280304Sjkim ssl3_cleanup_key_block(s); 719280304Sjkim 720160814Ssimon#if 0 721280304Sjkim if (s->init_buf != NULL) { 722280304Sjkim BUF_MEM_free(s->init_buf); 723280304Sjkim s->init_buf = NULL; 724280304Sjkim } 725160814Ssimon#endif 726160814Ssimon 727280304Sjkim /* 728280304Sjkim * If we are not 'joining' the last two packets, remove the 729280304Sjkim * buffering now 730280304Sjkim */ 731280304Sjkim if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER)) 732280304Sjkim ssl_free_wbio_buffer(s); 733280304Sjkim /* else do it later in ssl3_write */ 734160814Ssimon 735280304Sjkim s->init_num = 0; 736280304Sjkim s->renegotiate = 0; 737280304Sjkim s->new_session = 0; 738160814Ssimon 739280304Sjkim ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); 740280304Sjkim if (s->hit) 741280304Sjkim s->ctx->stats.sess_hit++; 742160814Ssimon 743280304Sjkim ret = 1; 744280304Sjkim /* s->server=0; */ 745280304Sjkim s->handshake_func = dtls1_connect; 746280304Sjkim s->ctx->stats.sess_connect_good++; 747160814Ssimon 748280304Sjkim if (cb != NULL) 749280304Sjkim cb(s, SSL_CB_HANDSHAKE_DONE, 1); 750160814Ssimon 751280304Sjkim /* done with handshaking */ 752280304Sjkim s->d1->handshake_read_seq = 0; 753280304Sjkim s->d1->next_handshake_write_seq = 0; 754306230Sdelphij dtls1_clear_received_buffer(s); 755280304Sjkim goto end; 756280304Sjkim /* break; */ 757160814Ssimon 758284285Sjkim case SSL_ST_ERR: 759280304Sjkim default: 760280304Sjkim SSLerr(SSL_F_DTLS1_CONNECT, SSL_R_UNKNOWN_STATE); 761280304Sjkim ret = -1; 762280304Sjkim goto end; 763280304Sjkim /* break; */ 764280304Sjkim } 765160814Ssimon 766280304Sjkim /* did we do anything */ 767280304Sjkim if (!s->s3->tmp.reuse_message && !skip) { 768280304Sjkim if (s->debug) { 769280304Sjkim if ((ret = BIO_flush(s->wbio)) <= 0) 770280304Sjkim goto end; 771280304Sjkim } 772280304Sjkim 773280304Sjkim if ((cb != NULL) && (s->state != state)) { 774280304Sjkim new_state = s->state; 775280304Sjkim s->state = state; 776280304Sjkim cb(s, SSL_CB_CONNECT_LOOP, 1); 777280304Sjkim s->state = new_state; 778280304Sjkim } 779280304Sjkim } 780280304Sjkim skip = 0; 781280304Sjkim } 782280304Sjkim end: 783280304Sjkim s->in_handshake--; 784280304Sjkim 785238405Sjkim#ifndef OPENSSL_NO_SCTP 786280304Sjkim /* 787280304Sjkim * Notify SCTP BIO socket to leave handshake mode and allow stream 788280304Sjkim * identifier other than 0. Will be ignored if no SCTP is used. 789280304Sjkim */ 790280304Sjkim BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, 791280304Sjkim s->in_handshake, NULL); 792238405Sjkim#endif 793238405Sjkim 794280304Sjkim if (buf != NULL) 795280304Sjkim BUF_MEM_free(buf); 796280304Sjkim if (cb != NULL) 797280304Sjkim cb(s, SSL_CB_CONNECT_EXIT, ret); 798280304Sjkim return (ret); 799280304Sjkim} 800160814Ssimon 801160814Ssimonint dtls1_client_hello(SSL *s) 802280304Sjkim{ 803280304Sjkim unsigned char *buf; 804280304Sjkim unsigned char *p, *d; 805280304Sjkim unsigned int i, j; 806280304Sjkim unsigned long l; 807280304Sjkim SSL_COMP *comp; 808160814Ssimon 809280304Sjkim buf = (unsigned char *)s->init_buf->data; 810280304Sjkim if (s->state == SSL3_ST_CW_CLNT_HELLO_A) { 811280304Sjkim SSL_SESSION *sess = s->session; 812280304Sjkim if ((s->session == NULL) || (s->session->ssl_version != s->version) || 813205128Ssimon#ifdef OPENSSL_NO_TLSEXT 814280304Sjkim !sess->session_id_length || 815205128Ssimon#else 816280304Sjkim (!sess->session_id_length && !sess->tlsext_tick) || 817205128Ssimon#endif 818280304Sjkim (s->session->not_resumable)) { 819280304Sjkim if (!ssl_get_new_session(s, 0)) 820280304Sjkim goto err; 821280304Sjkim } 822280304Sjkim /* else use the pre-loaded session */ 823160814Ssimon 824280304Sjkim p = s->s3->client_random; 825238405Sjkim 826280304Sjkim /* 827280304Sjkim * if client_random is initialized, reuse it, we are required to use 828280304Sjkim * same upon reply to HelloVerify 829280304Sjkim */ 830280304Sjkim for (i = 0; p[i] == '\0' && i < sizeof(s->s3->client_random); i++) ; 831280304Sjkim if (i == sizeof(s->s3->client_random)) 832280304Sjkim ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random)); 833160814Ssimon 834280304Sjkim /* Do the message type and length last */ 835280304Sjkim d = p = &(buf[DTLS1_HM_HEADER_LENGTH]); 836160814Ssimon 837280304Sjkim *(p++) = s->version >> 8; 838280304Sjkim *(p++) = s->version & 0xff; 839280304Sjkim s->client_version = s->version; 840160814Ssimon 841280304Sjkim /* Random stuff */ 842280304Sjkim memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE); 843280304Sjkim p += SSL3_RANDOM_SIZE; 844160814Ssimon 845280304Sjkim /* Session ID */ 846280304Sjkim if (s->new_session) 847280304Sjkim i = 0; 848280304Sjkim else 849280304Sjkim i = s->session->session_id_length; 850280304Sjkim *(p++) = i; 851280304Sjkim if (i != 0) { 852280304Sjkim if (i > sizeof s->session->session_id) { 853280304Sjkim SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 854280304Sjkim goto err; 855280304Sjkim } 856280304Sjkim memcpy(p, s->session->session_id, i); 857280304Sjkim p += i; 858280304Sjkim } 859160814Ssimon 860280304Sjkim /* cookie stuff */ 861280304Sjkim if (s->d1->cookie_len > sizeof(s->d1->cookie)) { 862280304Sjkim SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 863280304Sjkim goto err; 864280304Sjkim } 865280304Sjkim *(p++) = s->d1->cookie_len; 866280304Sjkim memcpy(p, s->d1->cookie, s->d1->cookie_len); 867280304Sjkim p += s->d1->cookie_len; 868160814Ssimon 869280304Sjkim /* Ciphers supported */ 870280304Sjkim i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &(p[2]), 0); 871280304Sjkim if (i == 0) { 872280304Sjkim SSLerr(SSL_F_DTLS1_CLIENT_HELLO, SSL_R_NO_CIPHERS_AVAILABLE); 873280304Sjkim goto err; 874280304Sjkim } 875280304Sjkim s2n(i, p); 876280304Sjkim p += i; 877205128Ssimon 878280304Sjkim /* COMPRESSION */ 879280304Sjkim if (s->ctx->comp_methods == NULL) 880280304Sjkim j = 0; 881280304Sjkim else 882280304Sjkim j = sk_SSL_COMP_num(s->ctx->comp_methods); 883280304Sjkim *(p++) = 1 + j; 884280304Sjkim for (i = 0; i < j; i++) { 885280304Sjkim comp = sk_SSL_COMP_value(s->ctx->comp_methods, i); 886280304Sjkim *(p++) = comp->id; 887280304Sjkim } 888280304Sjkim *(p++) = 0; /* Add the NULL method */ 889280304Sjkim 890205128Ssimon#ifndef OPENSSL_NO_TLSEXT 891280304Sjkim /* TLS extensions */ 892280304Sjkim if (ssl_prepare_clienthello_tlsext(s) <= 0) { 893280304Sjkim SSLerr(SSL_F_DTLS1_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); 894280304Sjkim goto err; 895280304Sjkim } 896280304Sjkim if ((p = 897280304Sjkim ssl_add_clienthello_tlsext(s, p, 898280304Sjkim buf + SSL3_RT_MAX_PLAIN_LENGTH)) == 899280304Sjkim NULL) { 900280304Sjkim SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 901280304Sjkim goto err; 902280304Sjkim } 903269686Sjkim#endif 904205128Ssimon 905280304Sjkim l = (p - d); 906280304Sjkim d = buf; 907160814Ssimon 908280304Sjkim d = dtls1_set_message_header(s, d, SSL3_MT_CLIENT_HELLO, l, 0, l); 909160814Ssimon 910280304Sjkim s->state = SSL3_ST_CW_CLNT_HELLO_B; 911280304Sjkim /* number of bytes to write */ 912280304Sjkim s->init_num = p - buf; 913280304Sjkim s->init_off = 0; 914160814Ssimon 915280304Sjkim /* buffer the message to handle re-xmits */ 916280304Sjkim dtls1_buffer_message(s, 0); 917280304Sjkim } 918160814Ssimon 919280304Sjkim /* SSL3_ST_CW_CLNT_HELLO_B */ 920280304Sjkim return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); 921280304Sjkim err: 922280304Sjkim return (-1); 923280304Sjkim} 924160814Ssimon 925160814Ssimonstatic int dtls1_get_hello_verify(SSL *s) 926280304Sjkim{ 927280304Sjkim int n, al, ok = 0; 928280304Sjkim unsigned char *data; 929280304Sjkim unsigned int cookie_len; 930160814Ssimon 931280304Sjkim n = s->method->ssl_get_message(s, 932280304Sjkim DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A, 933280304Sjkim DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, 934280304Sjkim -1, s->max_cert_list, &ok); 935160814Ssimon 936280304Sjkim if (!ok) 937280304Sjkim return ((int)n); 938160814Ssimon 939280304Sjkim if (s->s3->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) { 940280304Sjkim s->d1->send_cookie = 0; 941280304Sjkim s->s3->tmp.reuse_message = 1; 942280304Sjkim return (1); 943280304Sjkim } 944160814Ssimon 945280304Sjkim data = (unsigned char *)s->init_msg; 946160814Ssimon 947280304Sjkim if ((data[0] != (s->version >> 8)) || (data[1] != (s->version & 0xff))) { 948280304Sjkim SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY, SSL_R_WRONG_SSL_VERSION); 949280304Sjkim s->version = (s->version & 0xff00) | data[1]; 950280304Sjkim al = SSL_AD_PROTOCOL_VERSION; 951280304Sjkim goto f_err; 952280304Sjkim } 953280304Sjkim data += 2; 954160814Ssimon 955280304Sjkim cookie_len = *(data++); 956280304Sjkim if (cookie_len > sizeof(s->d1->cookie)) { 957280304Sjkim al = SSL_AD_ILLEGAL_PARAMETER; 958280304Sjkim goto f_err; 959280304Sjkim } 960160814Ssimon 961280304Sjkim memcpy(s->d1->cookie, data, cookie_len); 962280304Sjkim s->d1->cookie_len = cookie_len; 963160814Ssimon 964280304Sjkim s->d1->send_cookie = 1; 965280304Sjkim return 1; 966160814Ssimon 967280304Sjkim f_err: 968280304Sjkim ssl3_send_alert(s, SSL3_AL_FATAL, al); 969284285Sjkim s->state = SSL_ST_ERR; 970280304Sjkim return -1; 971280304Sjkim} 972160814Ssimon 973160814Ssimonint dtls1_send_client_key_exchange(SSL *s) 974280304Sjkim{ 975280304Sjkim unsigned char *p, *d; 976280304Sjkim int n; 977280304Sjkim unsigned long alg_k; 978160814Ssimon#ifndef OPENSSL_NO_RSA 979280304Sjkim unsigned char *q; 980280304Sjkim EVP_PKEY *pkey = NULL; 981160814Ssimon#endif 982160814Ssimon#ifndef OPENSSL_NO_KRB5 983280304Sjkim KSSL_ERR kssl_err; 984280304Sjkim#endif /* OPENSSL_NO_KRB5 */ 985238405Sjkim#ifndef OPENSSL_NO_ECDH 986280304Sjkim EC_KEY *clnt_ecdh = NULL; 987280304Sjkim const EC_POINT *srvr_ecpoint = NULL; 988280304Sjkim EVP_PKEY *srvr_pub_pkey = NULL; 989280304Sjkim unsigned char *encodedPoint = NULL; 990280304Sjkim int encoded_pt_len = 0; 991280304Sjkim BN_CTX *bn_ctx = NULL; 992238405Sjkim#endif 993160814Ssimon 994280304Sjkim if (s->state == SSL3_ST_CW_KEY_EXCH_A) { 995280304Sjkim d = (unsigned char *)s->init_buf->data; 996280304Sjkim p = &(d[DTLS1_HM_HEADER_LENGTH]); 997160814Ssimon 998280304Sjkim alg_k = s->s3->tmp.new_cipher->algorithm_mkey; 999280304Sjkim 1000280304Sjkim /* Fool emacs indentation */ 1001280304Sjkim if (0) { 1002280304Sjkim } 1003160814Ssimon#ifndef OPENSSL_NO_RSA 1004280304Sjkim else if (alg_k & SSL_kRSA) { 1005280304Sjkim RSA *rsa; 1006280304Sjkim unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 1007160814Ssimon 1008280304Sjkim if (s->session->sess_cert == NULL) { 1009280304Sjkim /* 1010280304Sjkim * We should always have a server certificate with SSL_kRSA. 1011280304Sjkim */ 1012280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1013280304Sjkim ERR_R_INTERNAL_ERROR); 1014280304Sjkim goto err; 1015280304Sjkim } 1016269686Sjkim 1017280304Sjkim if (s->session->sess_cert->peer_rsa_tmp != NULL) 1018280304Sjkim rsa = s->session->sess_cert->peer_rsa_tmp; 1019280304Sjkim else { 1020280304Sjkim pkey = 1021280304Sjkim X509_get_pubkey(s->session-> 1022280304Sjkim sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC]. 1023280304Sjkim x509); 1024280304Sjkim if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) 1025280304Sjkim || (pkey->pkey.rsa == NULL)) { 1026280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1027280304Sjkim ERR_R_INTERNAL_ERROR); 1028280304Sjkim goto err; 1029280304Sjkim } 1030280304Sjkim rsa = pkey->pkey.rsa; 1031280304Sjkim EVP_PKEY_free(pkey); 1032280304Sjkim } 1033160814Ssimon 1034280304Sjkim tmp_buf[0] = s->client_version >> 8; 1035280304Sjkim tmp_buf[1] = s->client_version & 0xff; 1036280304Sjkim if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0) 1037280304Sjkim goto err; 1038160814Ssimon 1039280304Sjkim s->session->master_key_length = sizeof tmp_buf; 1040160814Ssimon 1041280304Sjkim q = p; 1042280304Sjkim /* Fix buf for TLS and [incidentally] DTLS */ 1043280304Sjkim if (s->version > SSL3_VERSION) 1044280304Sjkim p += 2; 1045280304Sjkim n = RSA_public_encrypt(sizeof tmp_buf, 1046280304Sjkim tmp_buf, p, rsa, RSA_PKCS1_PADDING); 1047280304Sjkim# ifdef PKCS1_CHECK 1048280304Sjkim if (s->options & SSL_OP_PKCS1_CHECK_1) 1049280304Sjkim p[1]++; 1050280304Sjkim if (s->options & SSL_OP_PKCS1_CHECK_2) 1051280304Sjkim tmp_buf[0] = 0x70; 1052280304Sjkim# endif 1053280304Sjkim if (n <= 0) { 1054280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1055280304Sjkim SSL_R_BAD_RSA_ENCRYPT); 1056280304Sjkim goto err; 1057280304Sjkim } 1058160814Ssimon 1059280304Sjkim /* Fix buf for TLS and [incidentally] DTLS */ 1060280304Sjkim if (s->version > SSL3_VERSION) { 1061280304Sjkim s2n(n, q); 1062280304Sjkim n += 2; 1063280304Sjkim } 1064280304Sjkim 1065280304Sjkim s->session->master_key_length = 1066280304Sjkim s->method->ssl3_enc->generate_master_secret(s, 1067280304Sjkim s-> 1068280304Sjkim session->master_key, 1069280304Sjkim tmp_buf, 1070280304Sjkim sizeof tmp_buf); 1071280304Sjkim OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 1072280304Sjkim } 1073160814Ssimon#endif 1074160814Ssimon#ifndef OPENSSL_NO_KRB5 1075280304Sjkim else if (alg_k & SSL_kKRB5) { 1076280304Sjkim krb5_error_code krb5rc; 1077280304Sjkim KSSL_CTX *kssl_ctx = s->kssl_ctx; 1078280304Sjkim /* krb5_data krb5_ap_req; */ 1079280304Sjkim krb5_data *enc_ticket; 1080280304Sjkim krb5_data authenticator, *authp = NULL; 1081280304Sjkim EVP_CIPHER_CTX ciph_ctx; 1082280304Sjkim const EVP_CIPHER *enc = NULL; 1083280304Sjkim unsigned char iv[EVP_MAX_IV_LENGTH]; 1084280304Sjkim unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 1085280304Sjkim unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH + EVP_MAX_IV_LENGTH]; 1086280304Sjkim int padl, outl = sizeof(epms); 1087160814Ssimon 1088280304Sjkim EVP_CIPHER_CTX_init(&ciph_ctx); 1089160814Ssimon 1090280304Sjkim# ifdef KSSL_DEBUG 1091280304Sjkim printf("ssl3_send_client_key_exchange(%lx & %lx)\n", 1092280304Sjkim alg_k, SSL_kKRB5); 1093280304Sjkim# endif /* KSSL_DEBUG */ 1094160814Ssimon 1095280304Sjkim authp = NULL; 1096280304Sjkim# ifdef KRB5SENDAUTH 1097280304Sjkim if (KRB5SENDAUTH) 1098280304Sjkim authp = &authenticator; 1099280304Sjkim# endif /* KRB5SENDAUTH */ 1100160814Ssimon 1101280304Sjkim krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp, &kssl_err); 1102280304Sjkim enc = kssl_map_enc(kssl_ctx->enctype); 1103280304Sjkim if (enc == NULL) 1104280304Sjkim goto err; 1105280304Sjkim# ifdef KSSL_DEBUG 1106280304Sjkim { 1107280304Sjkim printf("kssl_cget_tkt rtn %d\n", krb5rc); 1108280304Sjkim if (krb5rc && kssl_err.text) 1109280304Sjkim printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text); 1110280304Sjkim } 1111280304Sjkim# endif /* KSSL_DEBUG */ 1112160814Ssimon 1113280304Sjkim if (krb5rc) { 1114280304Sjkim ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 1115280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, kssl_err.reason); 1116280304Sjkim goto err; 1117280304Sjkim } 1118160814Ssimon 1119280304Sjkim /*- 1120280304Sjkim * 20010406 VRS - Earlier versions used KRB5 AP_REQ 1121280304Sjkim ** in place of RFC 2712 KerberosWrapper, as in: 1122280304Sjkim ** 1123280304Sjkim ** Send ticket (copy to *p, set n = length) 1124280304Sjkim ** n = krb5_ap_req.length; 1125280304Sjkim ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length); 1126280304Sjkim ** if (krb5_ap_req.data) 1127280304Sjkim ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req); 1128280304Sjkim ** 1129280304Sjkim ** Now using real RFC 2712 KerberosWrapper 1130280304Sjkim ** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>) 1131280304Sjkim ** Note: 2712 "opaque" types are here replaced 1132280304Sjkim ** with a 2-byte length followed by the value. 1133280304Sjkim ** Example: 1134280304Sjkim ** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms 1135280304Sjkim ** Where "xx xx" = length bytes. Shown here with 1136280304Sjkim ** optional authenticator omitted. 1137280304Sjkim */ 1138160814Ssimon 1139280304Sjkim /* KerberosWrapper.Ticket */ 1140280304Sjkim s2n(enc_ticket->length, p); 1141280304Sjkim memcpy(p, enc_ticket->data, enc_ticket->length); 1142280304Sjkim p += enc_ticket->length; 1143280304Sjkim n = enc_ticket->length + 2; 1144160814Ssimon 1145280304Sjkim /* KerberosWrapper.Authenticator */ 1146280304Sjkim if (authp && authp->length) { 1147280304Sjkim s2n(authp->length, p); 1148280304Sjkim memcpy(p, authp->data, authp->length); 1149280304Sjkim p += authp->length; 1150280304Sjkim n += authp->length + 2; 1151160814Ssimon 1152280304Sjkim free(authp->data); 1153280304Sjkim authp->data = NULL; 1154280304Sjkim authp->length = 0; 1155280304Sjkim } else { 1156280304Sjkim s2n(0, p); /* null authenticator length */ 1157280304Sjkim n += 2; 1158280304Sjkim } 1159160814Ssimon 1160280304Sjkim if (RAND_bytes(tmp_buf, sizeof tmp_buf) <= 0) 1161280304Sjkim goto err; 1162160814Ssimon 1163280304Sjkim /*- 1164280304Sjkim * 20010420 VRS. Tried it this way; failed. 1165280304Sjkim * EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL); 1166280304Sjkim * EVP_CIPHER_CTX_set_key_length(&ciph_ctx, 1167280304Sjkim * kssl_ctx->length); 1168280304Sjkim * EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv); 1169280304Sjkim */ 1170160814Ssimon 1171280304Sjkim memset(iv, 0, sizeof iv); /* per RFC 1510 */ 1172280304Sjkim EVP_EncryptInit_ex(&ciph_ctx, enc, NULL, kssl_ctx->key, iv); 1173280304Sjkim EVP_EncryptUpdate(&ciph_ctx, epms, &outl, tmp_buf, 1174280304Sjkim sizeof tmp_buf); 1175280304Sjkim EVP_EncryptFinal_ex(&ciph_ctx, &(epms[outl]), &padl); 1176280304Sjkim outl += padl; 1177280304Sjkim if (outl > (int)sizeof epms) { 1178280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1179280304Sjkim ERR_R_INTERNAL_ERROR); 1180280304Sjkim goto err; 1181280304Sjkim } 1182280304Sjkim EVP_CIPHER_CTX_cleanup(&ciph_ctx); 1183160814Ssimon 1184280304Sjkim /* KerberosWrapper.EncryptedPreMasterSecret */ 1185280304Sjkim s2n(outl, p); 1186280304Sjkim memcpy(p, epms, outl); 1187280304Sjkim p += outl; 1188280304Sjkim n += outl + 2; 1189280304Sjkim 1190280304Sjkim s->session->master_key_length = 1191280304Sjkim s->method->ssl3_enc->generate_master_secret(s, 1192280304Sjkim s-> 1193280304Sjkim session->master_key, 1194280304Sjkim tmp_buf, 1195280304Sjkim sizeof tmp_buf); 1196280304Sjkim 1197280304Sjkim OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 1198280304Sjkim OPENSSL_cleanse(epms, outl); 1199280304Sjkim } 1200160814Ssimon#endif 1201160814Ssimon#ifndef OPENSSL_NO_DH 1202280304Sjkim else if (alg_k & (SSL_kEDH | SSL_kDHr | SSL_kDHd)) { 1203280304Sjkim DH *dh_srvr, *dh_clnt; 1204160814Ssimon 1205280304Sjkim if (s->session->sess_cert == NULL) { 1206280304Sjkim ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); 1207280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1208280304Sjkim SSL_R_UNEXPECTED_MESSAGE); 1209280304Sjkim goto err; 1210280304Sjkim } 1211269686Sjkim 1212280304Sjkim if (s->session->sess_cert->peer_dh_tmp != NULL) 1213280304Sjkim dh_srvr = s->session->sess_cert->peer_dh_tmp; 1214280304Sjkim else { 1215280304Sjkim /* we get them from the cert */ 1216280304Sjkim ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 1217280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1218280304Sjkim SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); 1219280304Sjkim goto err; 1220280304Sjkim } 1221160814Ssimon 1222280304Sjkim /* generate a new random key */ 1223280304Sjkim if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL) { 1224280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB); 1225280304Sjkim goto err; 1226280304Sjkim } 1227280304Sjkim if (!DH_generate_key(dh_clnt)) { 1228280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB); 1229280304Sjkim goto err; 1230280304Sjkim } 1231160814Ssimon 1232280304Sjkim /* 1233280304Sjkim * use the 'p' output buffer for the DH key, but make sure to 1234280304Sjkim * clear it out afterwards 1235280304Sjkim */ 1236160814Ssimon 1237280304Sjkim n = DH_compute_key(p, dh_srvr->pub_key, dh_clnt); 1238160814Ssimon 1239280304Sjkim if (n <= 0) { 1240280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB); 1241280304Sjkim goto err; 1242280304Sjkim } 1243160814Ssimon 1244280304Sjkim /* generate master key from the result */ 1245280304Sjkim s->session->master_key_length = 1246280304Sjkim s->method->ssl3_enc->generate_master_secret(s, 1247280304Sjkim s-> 1248280304Sjkim session->master_key, 1249280304Sjkim p, n); 1250280304Sjkim /* clean up */ 1251280304Sjkim memset(p, 0, n); 1252160814Ssimon 1253280304Sjkim /* send off the data */ 1254280304Sjkim n = BN_num_bytes(dh_clnt->pub_key); 1255280304Sjkim s2n(n, p); 1256280304Sjkim BN_bn2bin(dh_clnt->pub_key, p); 1257280304Sjkim n += 2; 1258160814Ssimon 1259280304Sjkim DH_free(dh_clnt); 1260280304Sjkim 1261280304Sjkim /* perhaps clean things up a bit EAY EAY EAY EAY */ 1262280304Sjkim } 1263160814Ssimon#endif 1264280304Sjkim#ifndef OPENSSL_NO_ECDH 1265280304Sjkim else if (alg_k & (SSL_kEECDH | SSL_kECDHr | SSL_kECDHe)) { 1266280304Sjkim const EC_GROUP *srvr_group = NULL; 1267280304Sjkim EC_KEY *tkey; 1268280304Sjkim int ecdh_clnt_cert = 0; 1269280304Sjkim int field_size = 0; 1270238405Sjkim 1271280304Sjkim if (s->session->sess_cert == NULL) { 1272280304Sjkim ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); 1273280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1274280304Sjkim SSL_R_UNEXPECTED_MESSAGE); 1275280304Sjkim goto err; 1276280304Sjkim } 1277269686Sjkim 1278280304Sjkim /* 1279280304Sjkim * Did we send out the client's ECDH share for use in premaster 1280280304Sjkim * computation as part of client certificate? If so, set 1281280304Sjkim * ecdh_clnt_cert to 1. 1282280304Sjkim */ 1283280304Sjkim if ((alg_k & (SSL_kECDHr | SSL_kECDHe)) && (s->cert != NULL)) { 1284280304Sjkim /* 1285280304Sjkim * XXX: For now, we do not support client authentication 1286280304Sjkim * using ECDH certificates. To add such support, one needs to 1287280304Sjkim * add code that checks for appropriate conditions and sets 1288280304Sjkim * ecdh_clnt_cert to 1. For example, the cert have an ECC key 1289280304Sjkim * on the same curve as the server's and the key should be 1290280304Sjkim * authorized for key agreement. One also needs to add code 1291280304Sjkim * in ssl3_connect to skip sending the certificate verify 1292280304Sjkim * message. if ((s->cert->key->privatekey != NULL) && 1293280304Sjkim * (s->cert->key->privatekey->type == EVP_PKEY_EC) && ...) 1294280304Sjkim * ecdh_clnt_cert = 1; 1295280304Sjkim */ 1296280304Sjkim } 1297238405Sjkim 1298280304Sjkim if (s->session->sess_cert->peer_ecdh_tmp != NULL) { 1299280304Sjkim tkey = s->session->sess_cert->peer_ecdh_tmp; 1300280304Sjkim } else { 1301280304Sjkim /* Get the Server Public Key from Cert */ 1302280304Sjkim srvr_pub_pkey = 1303280304Sjkim X509_get_pubkey(s->session-> 1304280304Sjkim sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 1305280304Sjkim if ((srvr_pub_pkey == NULL) 1306280304Sjkim || (srvr_pub_pkey->type != EVP_PKEY_EC) 1307280304Sjkim || (srvr_pub_pkey->pkey.ec == NULL)) { 1308280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1309280304Sjkim ERR_R_INTERNAL_ERROR); 1310280304Sjkim goto err; 1311280304Sjkim } 1312238405Sjkim 1313280304Sjkim tkey = srvr_pub_pkey->pkey.ec; 1314280304Sjkim } 1315238405Sjkim 1316280304Sjkim srvr_group = EC_KEY_get0_group(tkey); 1317280304Sjkim srvr_ecpoint = EC_KEY_get0_public_key(tkey); 1318238405Sjkim 1319280304Sjkim if ((srvr_group == NULL) || (srvr_ecpoint == NULL)) { 1320280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1321280304Sjkim ERR_R_INTERNAL_ERROR); 1322280304Sjkim goto err; 1323280304Sjkim } 1324238405Sjkim 1325280304Sjkim if ((clnt_ecdh = EC_KEY_new()) == NULL) { 1326280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1327280304Sjkim ERR_R_MALLOC_FAILURE); 1328280304Sjkim goto err; 1329280304Sjkim } 1330238405Sjkim 1331280304Sjkim if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) { 1332280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB); 1333280304Sjkim goto err; 1334280304Sjkim } 1335280304Sjkim if (ecdh_clnt_cert) { 1336280304Sjkim /* 1337280304Sjkim * Reuse key info from our certificate We only need our 1338280304Sjkim * private key to perform the ECDH computation. 1339280304Sjkim */ 1340280304Sjkim const BIGNUM *priv_key; 1341280304Sjkim tkey = s->cert->key->privatekey->pkey.ec; 1342280304Sjkim priv_key = EC_KEY_get0_private_key(tkey); 1343280304Sjkim if (priv_key == NULL) { 1344280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1345280304Sjkim ERR_R_MALLOC_FAILURE); 1346280304Sjkim goto err; 1347280304Sjkim } 1348280304Sjkim if (!EC_KEY_set_private_key(clnt_ecdh, priv_key)) { 1349280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1350280304Sjkim ERR_R_EC_LIB); 1351280304Sjkim goto err; 1352280304Sjkim } 1353280304Sjkim } else { 1354280304Sjkim /* Generate a new ECDH key pair */ 1355280304Sjkim if (!(EC_KEY_generate_key(clnt_ecdh))) { 1356280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1357280304Sjkim ERR_R_ECDH_LIB); 1358280304Sjkim goto err; 1359280304Sjkim } 1360280304Sjkim } 1361238405Sjkim 1362280304Sjkim /* 1363280304Sjkim * use the 'p' output buffer for the ECDH key, but make sure to 1364280304Sjkim * clear it out afterwards 1365280304Sjkim */ 1366238405Sjkim 1367280304Sjkim field_size = EC_GROUP_get_degree(srvr_group); 1368280304Sjkim if (field_size <= 0) { 1369280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB); 1370280304Sjkim goto err; 1371280304Sjkim } 1372280304Sjkim n = ECDH_compute_key(p, (field_size + 7) / 8, srvr_ecpoint, 1373280304Sjkim clnt_ecdh, NULL); 1374280304Sjkim if (n <= 0) { 1375280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB); 1376280304Sjkim goto err; 1377280304Sjkim } 1378238405Sjkim 1379280304Sjkim /* generate master key from the result */ 1380280304Sjkim s->session->master_key_length = 1381280304Sjkim s->method->ssl3_enc->generate_master_secret(s, 1382280304Sjkim s-> 1383280304Sjkim session->master_key, 1384280304Sjkim p, n); 1385238405Sjkim 1386280304Sjkim memset(p, 0, n); /* clean up */ 1387238405Sjkim 1388280304Sjkim if (ecdh_clnt_cert) { 1389280304Sjkim /* Send empty client key exch message */ 1390280304Sjkim n = 0; 1391280304Sjkim } else { 1392280304Sjkim /* 1393280304Sjkim * First check the size of encoding and allocate memory 1394280304Sjkim * accordingly. 1395280304Sjkim */ 1396280304Sjkim encoded_pt_len = 1397280304Sjkim EC_POINT_point2oct(srvr_group, 1398280304Sjkim EC_KEY_get0_public_key(clnt_ecdh), 1399280304Sjkim POINT_CONVERSION_UNCOMPRESSED, 1400280304Sjkim NULL, 0, NULL); 1401238405Sjkim 1402280304Sjkim encodedPoint = (unsigned char *) 1403280304Sjkim OPENSSL_malloc(encoded_pt_len * sizeof(unsigned char)); 1404280304Sjkim bn_ctx = BN_CTX_new(); 1405280304Sjkim if ((encodedPoint == NULL) || (bn_ctx == NULL)) { 1406280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1407280304Sjkim ERR_R_MALLOC_FAILURE); 1408280304Sjkim goto err; 1409280304Sjkim } 1410238405Sjkim 1411280304Sjkim /* Encode the public key */ 1412280304Sjkim n = EC_POINT_point2oct(srvr_group, 1413280304Sjkim EC_KEY_get0_public_key(clnt_ecdh), 1414280304Sjkim POINT_CONVERSION_UNCOMPRESSED, 1415280304Sjkim encodedPoint, encoded_pt_len, bn_ctx); 1416238405Sjkim 1417280304Sjkim *p = n; /* length of encoded point */ 1418280304Sjkim /* Encoded point will be copied here */ 1419280304Sjkim p += 1; 1420280304Sjkim /* copy the point */ 1421280304Sjkim memcpy((unsigned char *)p, encodedPoint, n); 1422280304Sjkim /* increment n to account for length field */ 1423280304Sjkim n += 1; 1424280304Sjkim } 1425238405Sjkim 1426280304Sjkim /* Free allocated memory */ 1427280304Sjkim BN_CTX_free(bn_ctx); 1428280304Sjkim if (encodedPoint != NULL) 1429280304Sjkim OPENSSL_free(encodedPoint); 1430280304Sjkim if (clnt_ecdh != NULL) 1431280304Sjkim EC_KEY_free(clnt_ecdh); 1432280304Sjkim EVP_PKEY_free(srvr_pub_pkey); 1433280304Sjkim } 1434280304Sjkim#endif /* !OPENSSL_NO_ECDH */ 1435238405Sjkim 1436238405Sjkim#ifndef OPENSSL_NO_PSK 1437280304Sjkim else if (alg_k & SSL_kPSK) { 1438280304Sjkim char identity[PSK_MAX_IDENTITY_LEN]; 1439280304Sjkim unsigned char *t = NULL; 1440280304Sjkim unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN * 2 + 4]; 1441280304Sjkim unsigned int pre_ms_len = 0, psk_len = 0; 1442280304Sjkim int psk_err = 1; 1443238405Sjkim 1444280304Sjkim n = 0; 1445280304Sjkim if (s->psk_client_callback == NULL) { 1446280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1447280304Sjkim SSL_R_PSK_NO_CLIENT_CB); 1448280304Sjkim goto err; 1449280304Sjkim } 1450238405Sjkim 1451280304Sjkim psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint, 1452280304Sjkim identity, PSK_MAX_IDENTITY_LEN, 1453280304Sjkim psk_or_pre_ms, 1454280304Sjkim sizeof(psk_or_pre_ms)); 1455280304Sjkim if (psk_len > PSK_MAX_PSK_LEN) { 1456280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1457280304Sjkim ERR_R_INTERNAL_ERROR); 1458280304Sjkim goto psk_err; 1459280304Sjkim } else if (psk_len == 0) { 1460280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1461280304Sjkim SSL_R_PSK_IDENTITY_NOT_FOUND); 1462280304Sjkim goto psk_err; 1463280304Sjkim } 1464238405Sjkim 1465280304Sjkim /* create PSK pre_master_secret */ 1466280304Sjkim pre_ms_len = 2 + psk_len + 2 + psk_len; 1467280304Sjkim t = psk_or_pre_ms; 1468280304Sjkim memmove(psk_or_pre_ms + psk_len + 4, psk_or_pre_ms, psk_len); 1469280304Sjkim s2n(psk_len, t); 1470280304Sjkim memset(t, 0, psk_len); 1471280304Sjkim t += psk_len; 1472280304Sjkim s2n(psk_len, t); 1473238405Sjkim 1474280304Sjkim if (s->session->psk_identity_hint != NULL) 1475280304Sjkim OPENSSL_free(s->session->psk_identity_hint); 1476280304Sjkim s->session->psk_identity_hint = 1477280304Sjkim BUF_strdup(s->ctx->psk_identity_hint); 1478280304Sjkim if (s->ctx->psk_identity_hint != NULL 1479280304Sjkim && s->session->psk_identity_hint == NULL) { 1480280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1481280304Sjkim ERR_R_MALLOC_FAILURE); 1482280304Sjkim goto psk_err; 1483280304Sjkim } 1484238405Sjkim 1485280304Sjkim if (s->session->psk_identity != NULL) 1486280304Sjkim OPENSSL_free(s->session->psk_identity); 1487280304Sjkim s->session->psk_identity = BUF_strdup(identity); 1488280304Sjkim if (s->session->psk_identity == NULL) { 1489280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1490280304Sjkim ERR_R_MALLOC_FAILURE); 1491280304Sjkim goto psk_err; 1492280304Sjkim } 1493238405Sjkim 1494280304Sjkim s->session->master_key_length = 1495280304Sjkim s->method->ssl3_enc->generate_master_secret(s, 1496280304Sjkim s-> 1497280304Sjkim session->master_key, 1498280304Sjkim psk_or_pre_ms, 1499280304Sjkim pre_ms_len); 1500280304Sjkim n = strlen(identity); 1501280304Sjkim s2n(n, p); 1502280304Sjkim memcpy(p, identity, n); 1503280304Sjkim n += 2; 1504280304Sjkim psk_err = 0; 1505280304Sjkim psk_err: 1506280304Sjkim OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN); 1507280304Sjkim OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); 1508280304Sjkim if (psk_err != 0) { 1509280304Sjkim ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 1510280304Sjkim goto err; 1511280304Sjkim } 1512280304Sjkim } 1513238405Sjkim#endif 1514280304Sjkim else { 1515280304Sjkim ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 1516280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1517280304Sjkim ERR_R_INTERNAL_ERROR); 1518280304Sjkim goto err; 1519280304Sjkim } 1520160814Ssimon 1521280304Sjkim d = dtls1_set_message_header(s, d, 1522280304Sjkim SSL3_MT_CLIENT_KEY_EXCHANGE, n, 0, n); 1523280304Sjkim /*- 1524280304Sjkim *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE; 1525280304Sjkim l2n3(n,d); 1526280304Sjkim l2n(s->d1->handshake_write_seq,d); 1527280304Sjkim s->d1->handshake_write_seq++; 1528280304Sjkim */ 1529280304Sjkim 1530280304Sjkim s->state = SSL3_ST_CW_KEY_EXCH_B; 1531280304Sjkim /* number of bytes to write */ 1532280304Sjkim s->init_num = n + DTLS1_HM_HEADER_LENGTH; 1533280304Sjkim s->init_off = 0; 1534280304Sjkim 1535280304Sjkim /* buffer the message to handle re-xmits */ 1536280304Sjkim dtls1_buffer_message(s, 0); 1537280304Sjkim } 1538280304Sjkim 1539280304Sjkim /* SSL3_ST_CW_KEY_EXCH_B */ 1540280304Sjkim return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); 1541280304Sjkim err: 1542238405Sjkim#ifndef OPENSSL_NO_ECDH 1543280304Sjkim BN_CTX_free(bn_ctx); 1544280304Sjkim if (encodedPoint != NULL) 1545280304Sjkim OPENSSL_free(encodedPoint); 1546280304Sjkim if (clnt_ecdh != NULL) 1547280304Sjkim EC_KEY_free(clnt_ecdh); 1548280304Sjkim EVP_PKEY_free(srvr_pub_pkey); 1549238405Sjkim#endif 1550280304Sjkim return (-1); 1551280304Sjkim} 1552160814Ssimon 1553160814Ssimonint dtls1_send_client_verify(SSL *s) 1554280304Sjkim{ 1555280304Sjkim unsigned char *p, *d; 1556280304Sjkim unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; 1557280304Sjkim EVP_PKEY *pkey; 1558160814Ssimon#ifndef OPENSSL_NO_RSA 1559280304Sjkim unsigned u = 0; 1560160814Ssimon#endif 1561280304Sjkim unsigned long n; 1562238405Sjkim#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA) 1563280304Sjkim int j; 1564160814Ssimon#endif 1565160814Ssimon 1566280304Sjkim if (s->state == SSL3_ST_CW_CERT_VRFY_A) { 1567280304Sjkim d = (unsigned char *)s->init_buf->data; 1568280304Sjkim p = &(d[DTLS1_HM_HEADER_LENGTH]); 1569280304Sjkim pkey = s->cert->key->privatekey; 1570160814Ssimon 1571280304Sjkim s->method->ssl3_enc->cert_verify_mac(s, 1572280304Sjkim NID_sha1, 1573280304Sjkim &(data[MD5_DIGEST_LENGTH])); 1574160814Ssimon 1575160814Ssimon#ifndef OPENSSL_NO_RSA 1576280304Sjkim if (pkey->type == EVP_PKEY_RSA) { 1577280304Sjkim s->method->ssl3_enc->cert_verify_mac(s, NID_md5, &(data[0])); 1578280304Sjkim if (RSA_sign(NID_md5_sha1, data, 1579280304Sjkim MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, 1580280304Sjkim &(p[2]), &u, pkey->pkey.rsa) <= 0) { 1581280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY, ERR_R_RSA_LIB); 1582280304Sjkim goto err; 1583280304Sjkim } 1584280304Sjkim s2n(u, p); 1585280304Sjkim n = u + 2; 1586280304Sjkim } else 1587160814Ssimon#endif 1588160814Ssimon#ifndef OPENSSL_NO_DSA 1589280304Sjkim if (pkey->type == EVP_PKEY_DSA) { 1590280304Sjkim if (!DSA_sign(pkey->save_type, 1591280304Sjkim &(data[MD5_DIGEST_LENGTH]), 1592280304Sjkim SHA_DIGEST_LENGTH, &(p[2]), 1593280304Sjkim (unsigned int *)&j, pkey->pkey.dsa)) { 1594280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY, ERR_R_DSA_LIB); 1595280304Sjkim goto err; 1596280304Sjkim } 1597280304Sjkim s2n(j, p); 1598280304Sjkim n = j + 2; 1599280304Sjkim } else 1600160814Ssimon#endif 1601238405Sjkim#ifndef OPENSSL_NO_ECDSA 1602280304Sjkim if (pkey->type == EVP_PKEY_EC) { 1603280304Sjkim if (!ECDSA_sign(pkey->save_type, 1604280304Sjkim &(data[MD5_DIGEST_LENGTH]), 1605280304Sjkim SHA_DIGEST_LENGTH, &(p[2]), 1606280304Sjkim (unsigned int *)&j, pkey->pkey.ec)) { 1607280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY, ERR_R_ECDSA_LIB); 1608280304Sjkim goto err; 1609280304Sjkim } 1610280304Sjkim s2n(j, p); 1611280304Sjkim n = j + 2; 1612280304Sjkim } else 1613238405Sjkim#endif 1614280304Sjkim { 1615280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR); 1616280304Sjkim goto err; 1617280304Sjkim } 1618160814Ssimon 1619280304Sjkim d = dtls1_set_message_header(s, d, 1620280304Sjkim SSL3_MT_CERTIFICATE_VERIFY, n, 0, n); 1621160814Ssimon 1622280304Sjkim s->init_num = (int)n + DTLS1_HM_HEADER_LENGTH; 1623280304Sjkim s->init_off = 0; 1624160814Ssimon 1625280304Sjkim /* buffer the message to handle re-xmits */ 1626280304Sjkim dtls1_buffer_message(s, 0); 1627160814Ssimon 1628280304Sjkim s->state = SSL3_ST_CW_CERT_VRFY_B; 1629280304Sjkim } 1630160814Ssimon 1631280304Sjkim /* s->state = SSL3_ST_CW_CERT_VRFY_B */ 1632280304Sjkim return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); 1633280304Sjkim err: 1634280304Sjkim return (-1); 1635280304Sjkim} 1636160814Ssimon 1637160814Ssimonint dtls1_send_client_certificate(SSL *s) 1638280304Sjkim{ 1639280304Sjkim X509 *x509 = NULL; 1640280304Sjkim EVP_PKEY *pkey = NULL; 1641280304Sjkim int i; 1642280304Sjkim unsigned long l; 1643160814Ssimon 1644280304Sjkim if (s->state == SSL3_ST_CW_CERT_A) { 1645280304Sjkim if ((s->cert == NULL) || 1646280304Sjkim (s->cert->key->x509 == NULL) || 1647280304Sjkim (s->cert->key->privatekey == NULL)) 1648280304Sjkim s->state = SSL3_ST_CW_CERT_B; 1649280304Sjkim else 1650280304Sjkim s->state = SSL3_ST_CW_CERT_C; 1651280304Sjkim } 1652160814Ssimon 1653280304Sjkim /* We need to get a client cert */ 1654280304Sjkim if (s->state == SSL3_ST_CW_CERT_B) { 1655280304Sjkim /* 1656280304Sjkim * If we get an error, we need to ssl->rwstate=SSL_X509_LOOKUP; 1657280304Sjkim * return(-1); We then get retied later 1658280304Sjkim */ 1659280304Sjkim i = 0; 1660280304Sjkim i = ssl_do_client_cert_cb(s, &x509, &pkey); 1661280304Sjkim if (i < 0) { 1662280304Sjkim s->rwstate = SSL_X509_LOOKUP; 1663280304Sjkim return (-1); 1664280304Sjkim } 1665280304Sjkim s->rwstate = SSL_NOTHING; 1666280304Sjkim if ((i == 1) && (pkey != NULL) && (x509 != NULL)) { 1667280304Sjkim s->state = SSL3_ST_CW_CERT_B; 1668280304Sjkim if (!SSL_use_certificate(s, x509) || !SSL_use_PrivateKey(s, pkey)) 1669280304Sjkim i = 0; 1670280304Sjkim } else if (i == 1) { 1671280304Sjkim i = 0; 1672280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE, 1673280304Sjkim SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); 1674280304Sjkim } 1675160814Ssimon 1676280304Sjkim if (x509 != NULL) 1677280304Sjkim X509_free(x509); 1678280304Sjkim if (pkey != NULL) 1679280304Sjkim EVP_PKEY_free(pkey); 1680280304Sjkim if (i == 0) { 1681280304Sjkim if (s->version == SSL3_VERSION) { 1682280304Sjkim s->s3->tmp.cert_req = 0; 1683280304Sjkim ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE); 1684280304Sjkim return (1); 1685280304Sjkim } else { 1686280304Sjkim s->s3->tmp.cert_req = 2; 1687280304Sjkim } 1688280304Sjkim } 1689160814Ssimon 1690280304Sjkim /* Ok, we have a cert */ 1691280304Sjkim s->state = SSL3_ST_CW_CERT_C; 1692280304Sjkim } 1693160814Ssimon 1694280304Sjkim if (s->state == SSL3_ST_CW_CERT_C) { 1695280304Sjkim s->state = SSL3_ST_CW_CERT_D; 1696280304Sjkim l = dtls1_output_cert_chain(s, 1697280304Sjkim (s->s3->tmp.cert_req == 1698280304Sjkim 2) ? NULL : s->cert->key->x509); 1699280304Sjkim if (!l) { 1700280304Sjkim SSLerr(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR); 1701280304Sjkim ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 1702280304Sjkim return 0; 1703280304Sjkim } 1704280304Sjkim s->init_num = (int)l; 1705280304Sjkim s->init_off = 0; 1706160814Ssimon 1707280304Sjkim /* set header called by dtls1_output_cert_chain() */ 1708160814Ssimon 1709280304Sjkim /* buffer the message to handle re-xmits */ 1710280304Sjkim dtls1_buffer_message(s, 0); 1711280304Sjkim } 1712280304Sjkim /* SSL3_ST_CW_CERT_D */ 1713280304Sjkim return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); 1714280304Sjkim} 1715