1160814Ssimon/* ssl/d1_clnt.c */ 2280297Sjkim/* 3160814Ssimon * DTLS implementation written by Nagendra Modadugu 4280297Sjkim * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 5160814Ssimon */ 6160814Ssimon/* ==================================================================== 7238405Sjkim * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. 8160814Ssimon * 9160814Ssimon * Redistribution and use in source and binary forms, with or without 10160814Ssimon * modification, are permitted provided that the following conditions 11160814Ssimon * are met: 12160814Ssimon * 13160814Ssimon * 1. Redistributions of source code must retain the above copyright 14280297Sjkim * notice, this list of conditions and the following disclaimer. 15160814Ssimon * 16160814Ssimon * 2. Redistributions in binary form must reproduce the above copyright 17160814Ssimon * notice, this list of conditions and the following disclaimer in 18160814Ssimon * the documentation and/or other materials provided with the 19160814Ssimon * distribution. 20160814Ssimon * 21160814Ssimon * 3. All advertising materials mentioning features or use of this 22160814Ssimon * software must display the following acknowledgment: 23160814Ssimon * "This product includes software developed by the OpenSSL Project 24160814Ssimon * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25160814Ssimon * 26160814Ssimon * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27160814Ssimon * endorse or promote products derived from this software without 28160814Ssimon * prior written permission. For written permission, please contact 29160814Ssimon * openssl-core@OpenSSL.org. 30160814Ssimon * 31160814Ssimon * 5. Products derived from this software may not be called "OpenSSL" 32160814Ssimon * nor may "OpenSSL" appear in their names without prior written 33160814Ssimon * permission of the OpenSSL Project. 34160814Ssimon * 35160814Ssimon * 6. 
Redistributions of any form whatsoever must retain the following 36160814Ssimon * acknowledgment: 37160814Ssimon * "This product includes software developed by the OpenSSL Project 38160814Ssimon * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39160814Ssimon * 40160814Ssimon * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41160814Ssimon * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42160814Ssimon * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43160814Ssimon * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44160814Ssimon * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45160814Ssimon * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46160814Ssimon * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47160814Ssimon * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48160814Ssimon * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49160814Ssimon * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50160814Ssimon * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51160814Ssimon * OF THE POSSIBILITY OF SUCH DAMAGE. 52160814Ssimon * ==================================================================== 53160814Ssimon * 54160814Ssimon * This product includes cryptographic software written by Eric Young 55160814Ssimon * (eay@cryptsoft.com). This product includes software written by Tim 56160814Ssimon * Hudson (tjh@cryptsoft.com). 57160814Ssimon * 58160814Ssimon */ 59160814Ssimon/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 60160814Ssimon * All rights reserved. 61160814Ssimon * 62160814Ssimon * This package is an SSL implementation written 63160814Ssimon * by Eric Young (eay@cryptsoft.com). 64160814Ssimon * The implementation was written so as to conform with Netscapes SSL. 
65280297Sjkim * 66160814Ssimon * This library is free for commercial and non-commercial use as long as 67160814Ssimon * the following conditions are aheared to. The following conditions 68160814Ssimon * apply to all code found in this distribution, be it the RC4, RSA, 69160814Ssimon * lhash, DES, etc., code; not just the SSL code. The SSL documentation 70160814Ssimon * included with this distribution is covered by the same copyright terms 71160814Ssimon * except that the holder is Tim Hudson (tjh@cryptsoft.com). 72280297Sjkim * 73160814Ssimon * Copyright remains Eric Young's, and as such any Copyright notices in 74160814Ssimon * the code are not to be removed. 75160814Ssimon * If this package is used in a product, Eric Young should be given attribution 76160814Ssimon * as the author of the parts of the library used. 77160814Ssimon * This can be in the form of a textual message at program startup or 78160814Ssimon * in documentation (online or textual) provided with the package. 79280297Sjkim * 80160814Ssimon * Redistribution and use in source and binary forms, with or without 81160814Ssimon * modification, are permitted provided that the following conditions 82160814Ssimon * are met: 83160814Ssimon * 1. Redistributions of source code must retain the copyright 84160814Ssimon * notice, this list of conditions and the following disclaimer. 85160814Ssimon * 2. Redistributions in binary form must reproduce the above copyright 86160814Ssimon * notice, this list of conditions and the following disclaimer in the 87160814Ssimon * documentation and/or other materials provided with the distribution. 88160814Ssimon * 3. 
All advertising materials mentioning features or use of this software 89160814Ssimon * must display the following acknowledgement: 90160814Ssimon * "This product includes cryptographic software written by 91160814Ssimon * Eric Young (eay@cryptsoft.com)" 92160814Ssimon * The word 'cryptographic' can be left out if the rouines from the library 93160814Ssimon * being used are not cryptographic related :-). 94280297Sjkim * 4. If you include any Windows specific code (or a derivative thereof) from 95160814Ssimon * the apps directory (application code) you must include an acknowledgement: 96160814Ssimon * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 97280297Sjkim * 98160814Ssimon * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 99160814Ssimon * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 100160814Ssimon * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 101160814Ssimon * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 102160814Ssimon * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 103160814Ssimon * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 104160814Ssimon * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 105160814Ssimon * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 106160814Ssimon * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 107160814Ssimon * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 108160814Ssimon * SUCH DAMAGE. 109280297Sjkim * 110160814Ssimon * The licence and distribution terms for any publically available version or 111160814Ssimon * derivative of this code cannot be changed. i.e. this code cannot simply be 112160814Ssimon * copied and put under another distribution licence 113160814Ssimon * [including the GNU Public Licence.] 
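 */

#include <stdio.h>
#include "ssl_locl.h"
#ifndef OPENSSL_NO_KRB5
# include "kssl_lcl.h"
#endif
#include <openssl/buffer.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/md5.h>
#include <openssl/bn.h>
#ifndef OPENSSL_NO_DH
# include <openssl/dh.h>
#endif

static const SSL_METHOD *dtls1_get_client_method(int ver);
static int dtls1_get_hello_verify(SSL *s);

/*
 * dtls1_get_client_method - map a protocol version number to the client
 * SSL_METHOD that implements it.
 *
 * ver: DTLS_ANY_VERSION, DTLS1_VERSION, DTLS1_BAD_VER or DTLS1_2_VERSION.
 * Returns the matching method, or NULL for any other version.
 */
static const SSL_METHOD *dtls1_get_client_method(int ver)
{
    switch (ver) {
    case DTLS_ANY_VERSION:
        return DTLS_client_method();
    case DTLS1_VERSION:
    case DTLS1_BAD_VER:
        return DTLSv1_client_method();
    case DTLS1_2_VERSION:
        return DTLSv1_2_client_method();
    default:
        return NULL;
    }
}

/*
 * Client method objects for DTLS 1.0, DTLS 1.2 and version-negotiating
 * DTLS. All three use dtls1_connect as the handshake function and
 * dtls1_get_client_method for version lookup; the accept function is
 * ssl_undefined_function because these are client-only methods.
 */
IMPLEMENT_dtls1_meth_func(DTLS1_VERSION,
                          DTLSv1_client_method,
                          ssl_undefined_function,
                          dtls1_connect,
                          dtls1_get_client_method, DTLSv1_enc_data)

IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION,
                          DTLSv1_2_client_method,
                          ssl_undefined_function,
                          dtls1_connect,
                          dtls1_get_client_method, DTLSv1_2_enc_data)

IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION,
                          DTLS_client_method,
                          ssl_undefined_function,
                          dtls1_connect,
                          dtls1_get_client_method, DTLSv1_2_enc_data)

/*
 * dtls1_connect - run the DTLS client handshake state machine.
 *
 * Each iteration of the main loop handles the state held in s->state and
 * advances it. A step that returns <= 0 (typically a would-block condition
 * or a failure) stops the loop and its value is returned to the caller,
 * who re-enters with the state machine where it left off.
 *
 * Returns 1 once SSL_ST_OK is reached, -1 on a fatal error (s->state is
 * then set to SSL_ST_ERR on the paths that detect the error themselves),
 * or the <= 0 result of the step that stopped.
 *
 * s->in_handshake is incremented on entry and decremented at 'end:'. The
 * info callback (taken from s, else from s->ctx) is told about
 * SSL_CB_HANDSHAKE_START, each SSL_CB_CONNECT_LOOP transition,
 * SSL_CB_HANDSHAKE_DONE and SSL_CB_CONNECT_EXIT.
 */
int dtls1_connect(SSL *s)
{
    BUF_MEM *buf = NULL;
    unsigned long Time = (unsigned long)time(NULL);
    void (*cb) (const SSL *ssl, int type, int val) = NULL;
    int ret = -1;
    int new_state, state, skip = 0;
#ifndef OPENSSL_NO_SCTP
    unsigned char sctpauthkey[64];
    char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
#endif

    /* Current time goes into the RNG pool with zero entropy credit. */
    RAND_add(&Time, sizeof(Time), 0);
    ERR_clear_error();
    clear_sys_error();

    if (s->info_callback != NULL)
        cb = s->info_callback;
    else if (s->ctx->info_callback != NULL)
        cb = s->ctx->info_callback;

    s->in_handshake++;
    if (!SSL_in_init(s) || SSL_in_before(s))
        SSL_clear(s);

#ifndef OPENSSL_NO_SCTP
    /*
     * Notify SCTP BIO socket to enter handshake mode and prevent stream
     * identifier other than 0. Will be ignored if no SCTP is used.
     */
    BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
             s->in_handshake, NULL);
#endif

#ifndef OPENSSL_NO_HEARTBEATS
    /*
     * If we're awaiting a HeartbeatResponse, pretend we already got and
     * don't await it anymore, because Heartbeats don't make sense during
     * handshakes anyway.
     */
    if (s->tlsext_hb_pending) {
        dtls1_stop_timer(s);
        s->tlsext_hb_pending = 0;
        s->tlsext_hb_seq++;
    }
#endif

    for (;;) {
        /* Remembered so the CONNECT_LOOP callback can report the old state. */
        state = s->state;

        switch (s->state) {
        case SSL_ST_RENEGOTIATE:
            s->renegotiate = 1;
            s->state = SSL_ST_CONNECT;
            s->ctx->stats.sess_connect_renegotiate++;
            /* break */
        case SSL_ST_BEFORE:
        case SSL_ST_CONNECT:
        case SSL_ST_BEFORE | SSL_ST_CONNECT:
        case SSL_ST_OK | SSL_ST_CONNECT:

            s->server = 0;
            if (cb != NULL)
                cb(s, SSL_CB_HANDSHAKE_START, 1);

            /* Only DTLS major versions may reach this client. */
            if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00) &&
                (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00)) {
                SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR);
                ret = -1;
                s->state = SSL_ST_ERR;
                goto end;
            }

            /* s->version=SSL3_VERSION; */
            s->type = SSL_ST_CONNECT;

            if (s->init_buf == NULL) {
                if ((buf = BUF_MEM_new()) == NULL) {
                    ret = -1;
                    s->state = SSL_ST_ERR;
                    goto end;
                }
                /* On failure buf is still owned here and freed at 'end:'. */
                if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
                    ret = -1;
                    s->state = SSL_ST_ERR;
                    goto end;
                }
                s->init_buf = buf;
                buf = NULL;
            }

            if (!ssl3_setup_buffers(s)) {
                ret = -1;
                s->state = SSL_ST_ERR;
                goto end;
            }

            /* setup buffing BIO */
            if (!ssl_init_wbio_buffer(s, 0)) {
                ret = -1;
                s->state = SSL_ST_ERR;
                goto end;
            }

            /* don't push the buffering BIO quite yet */

            s->state = SSL3_ST_CW_CLNT_HELLO_A;
            s->ctx->stats.sess_connect++;
            s->init_num = 0;
            /* mark client_random uninitialized */
            memset(s->s3->client_random, 0, sizeof(s->s3->client_random));
            s->d1->send_cookie = 0;
            s->hit = 0;
            s->d1->change_cipher_spec_ok = 0;
            /*
             * Should have been reset by ssl3_get_finished, too.
             */
            s->s3->change_cipher_spec = 0;
            break;

#ifndef OPENSSL_NO_SCTP
        case DTLS1_SCTP_ST_CR_READ_SOCK:

            if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
                s->s3->in_read_app_data = 2;
                s->rwstate = SSL_READING;
                BIO_clear_retry_flags(SSL_get_rbio(s));
                BIO_set_retry_read(SSL_get_rbio(s));
                ret = -1;
                goto end;
            }

            s->state = s->s3->tmp.next_state;
            break;

        case DTLS1_SCTP_ST_CW_WRITE_SOCK:
            /* read app data until dry event */

            ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
            if (ret < 0)
                goto end;

            if (ret == 0) {
                s->s3->in_read_app_data = 2;
                s->rwstate = SSL_READING;
                BIO_clear_retry_flags(SSL_get_rbio(s));
                BIO_set_retry_read(SSL_get_rbio(s));
                ret = -1;
                goto end;
            }

            s->state = s->d1->next_state;
            break;
#endif

        case SSL3_ST_CW_CLNT_HELLO_A:
            s->shutdown = 0;

            /* every DTLS ClientHello resets Finished MAC */
            if (!ssl3_init_finished_mac(s)) {
                ret = -1;
                s->state = SSL_ST_ERR;
                goto end;
            }

            /* fall thru */
        case SSL3_ST_CW_CLNT_HELLO_B:
            dtls1_start_timer(s);
            ret = ssl3_client_hello(s);
            if (ret <= 0)
                goto end;

            /*
             * A ClientHello that carries a cookie is flushed immediately;
             * the first one is left in the buffering BIO.
             */
            if (s->d1->send_cookie) {
                s->state = SSL3_ST_CW_FLUSH;
                s->s3->tmp.next_state = SSL3_ST_CR_SRVR_HELLO_A;
            } else
                s->state = SSL3_ST_CR_SRVR_HELLO_A;

            s->init_num = 0;

#ifndef OPENSSL_NO_SCTP
            /* Disable buffering for SCTP */
            if (!BIO_dgram_is_sctp(SSL_get_wbio(s))) {
#endif
                /*
                 * turn on buffering for the next lot of output
                 */
                if (s->bbio != s->wbio)
                    s->wbio = BIO_push(s->bbio, s->wbio);
#ifndef OPENSSL_NO_SCTP
            }
#endif

            break;

        case SSL3_ST_CR_SRVR_HELLO_A:
        case SSL3_ST_CR_SRVR_HELLO_B:
            ret = ssl3_get_server_hello(s);
            if (ret <= 0)
                goto end;
            else {
                if (s->hit) {
#ifndef OPENSSL_NO_SCTP
                    /*
                     * Add new shared key for SCTP-Auth, will be ignored if
                     * no SCTP used.
                     */
                    snprintf((char *)labelbuffer,
                             sizeof(DTLS1_SCTP_AUTH_LABEL),
                             DTLS1_SCTP_AUTH_LABEL);

                    if (SSL_export_keying_material(s, sctpauthkey,
                                                   sizeof(sctpauthkey),
                                                   labelbuffer,
                                                   sizeof(labelbuffer),
                                                   NULL, 0, 0) <= 0) {
                        ret = -1;
                        s->state = SSL_ST_ERR;
                        goto end;
                    }

                    BIO_ctrl(SSL_get_wbio(s),
                             BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                             sizeof(sctpauthkey), sctpauthkey);
#endif

                    /* Resumed session: skip straight to the server Finished. */
                    s->state = SSL3_ST_CR_FINISHED_A;
                    if (s->tlsext_ticket_expected) {
                        /* receive renewed session ticket */
                        s->state = SSL3_ST_CR_SESSION_TICKET_A;
                    }
                } else
                    s->state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
            }
            s->init_num = 0;
            break;

        case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
        case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B:

            ret = dtls1_get_hello_verify(s);
            if (ret <= 0)
                goto end;
            dtls1_stop_timer(s);
            if (s->d1->send_cookie) /* start again, with a cookie */
                s->state = SSL3_ST_CW_CLNT_HELLO_A;
            else
                s->state = SSL3_ST_CR_CERT_A;
            s->init_num = 0;
            break;

        case SSL3_ST_CR_CERT_A:
        case SSL3_ST_CR_CERT_B:
            /* Check if it is anon DH or PSK */
            if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
                !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
                ret = ssl3_get_server_certificate(s);
                if (ret <= 0)
                    goto end;
#ifndef OPENSSL_NO_TLSEXT
                if (s->tlsext_status_expected)
                    s->state = SSL3_ST_CR_CERT_STATUS_A;
                else
                    s->state = SSL3_ST_CR_KEY_EXCH_A;
            } else {
                skip = 1;
                s->state = SSL3_ST_CR_KEY_EXCH_A;
            }
#else
            } else
                skip = 1;

            s->state = SSL3_ST_CR_KEY_EXCH_A;
#endif
            s->init_num = 0;
            break;

        case SSL3_ST_CR_KEY_EXCH_A:
        case SSL3_ST_CR_KEY_EXCH_B:
            ret = ssl3_get_key_exchange(s);
            if (ret <= 0)
                goto end;
            s->state = SSL3_ST_CR_CERT_REQ_A;
            s->init_num = 0;

            /*
             * at this point we check that we have the required stuff from
             * the server
             */
            if (!ssl3_check_cert_and_algorithm(s)) {
                ret = -1;
                s->state = SSL_ST_ERR;
                goto end;
            }
            break;

        case SSL3_ST_CR_CERT_REQ_A:
        case SSL3_ST_CR_CERT_REQ_B:
            ret = ssl3_get_certificate_request(s);
            if (ret <= 0)
                goto end;
            s->state = SSL3_ST_CR_SRVR_DONE_A;
            s->init_num = 0;
            break;

        case SSL3_ST_CR_SRVR_DONE_A:
        case SSL3_ST_CR_SRVR_DONE_B:
            ret = ssl3_get_server_done(s);
            if (ret <= 0)
                goto end;
            dtls1_stop_timer(s);
            if (s->s3->tmp.cert_req)
                s->s3->tmp.next_state = SSL3_ST_CW_CERT_A;
            else
                s->s3->tmp.next_state = SSL3_ST_CW_KEY_EXCH_A;
            s->init_num = 0;

#ifndef OPENSSL_NO_SCTP
            if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
                state == SSL_ST_RENEGOTIATE)
                s->state = DTLS1_SCTP_ST_CR_READ_SOCK;
            else
#endif
                s->state = s->s3->tmp.next_state;
            break;

        case SSL3_ST_CW_CERT_A:
        case SSL3_ST_CW_CERT_B:
        case SSL3_ST_CW_CERT_C:
        case SSL3_ST_CW_CERT_D:
            dtls1_start_timer(s);
            ret = ssl3_send_client_certificate(s);
            if (ret <= 0)
                goto end;
            s->state = SSL3_ST_CW_KEY_EXCH_A;
            s->init_num = 0;
            break;

        case SSL3_ST_CW_KEY_EXCH_A:
        case SSL3_ST_CW_KEY_EXCH_B:
            dtls1_start_timer(s);
            ret = ssl3_send_client_key_exchange(s);
            if (ret <= 0)
                goto end;

#ifndef OPENSSL_NO_SCTP
            /*
             * Add new shared key for SCTP-Auth, will be ignored if no SCTP
             * used.
             */
            snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
                     DTLS1_SCTP_AUTH_LABEL);

            if (SSL_export_keying_material(s, sctpauthkey,
                                           sizeof(sctpauthkey), labelbuffer,
                                           sizeof(labelbuffer), NULL, 0,
                                           0) <= 0) {
                ret = -1;
                s->state = SSL_ST_ERR;
                goto end;
            }

            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                     sizeof(sctpauthkey), sctpauthkey);
#endif

            /*
             * EAY EAY EAY need to check for DH fix cert sent back
             */
            /*
             * For TLS, cert_req is set to 2, so a cert chain of nothing is
             * sent, but no verify packet is sent
             */
            if (s->s3->tmp.cert_req == 1) {
                s->state = SSL3_ST_CW_CERT_VRFY_A;
            } else {
#ifndef OPENSSL_NO_SCTP
                if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
                    s->d1->next_state = SSL3_ST_CW_CHANGE_A;
                    s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
                } else
#endif
                    s->state = SSL3_ST_CW_CHANGE_A;
            }

            s->init_num = 0;
            break;

        case SSL3_ST_CW_CERT_VRFY_A:
        case SSL3_ST_CW_CERT_VRFY_B:
            dtls1_start_timer(s);
            ret = ssl3_send_client_verify(s);
            if (ret <= 0)
                goto end;
#ifndef OPENSSL_NO_SCTP
            if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
                s->d1->next_state = SSL3_ST_CW_CHANGE_A;
                s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
            } else
#endif
                s->state = SSL3_ST_CW_CHANGE_A;
            s->init_num = 0;
            break;

        case SSL3_ST_CW_CHANGE_A:
        case SSL3_ST_CW_CHANGE_B:
            if (!s->hit)
                dtls1_start_timer(s);
            ret = dtls1_send_change_cipher_spec(s,
                                                SSL3_ST_CW_CHANGE_A,
                                                SSL3_ST_CW_CHANGE_B);
            if (ret <= 0)
                goto end;

            s->state = SSL3_ST_CW_FINISHED_A;
            s->init_num = 0;

            s->session->cipher = s->s3->tmp.new_cipher;
#ifdef OPENSSL_NO_COMP
            s->session->compress_meth = 0;
#else
            if (s->s3->tmp.new_compression == NULL)
                s->session->compress_meth = 0;
            else
                s->session->compress_meth = s->s3->tmp.new_compression->id;
#endif
            if (!s->method->ssl3_enc->setup_key_block(s)) {
                ret = -1;
                s->state = SSL_ST_ERR;
                goto end;
            }

            if (!s->method->ssl3_enc->change_cipher_state(s,
                                                          SSL3_CHANGE_CIPHER_CLIENT_WRITE))
            {
                ret = -1;
                s->state = SSL_ST_ERR;
                goto end;
            }
#ifndef OPENSSL_NO_SCTP
            if (s->hit) {
                /*
                 * Change to new shared key of SCTP-Auth, will be ignored if
                 * no SCTP used.
                 */
                BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
                         0, NULL);
            }
#endif

            /* New epoch for our writes starts at sequence number zero. */
            dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
            break;

        case SSL3_ST_CW_FINISHED_A:
        case SSL3_ST_CW_FINISHED_B:
            if (!s->hit)
                dtls1_start_timer(s);
            ret = ssl3_send_finished(s,
                                     SSL3_ST_CW_FINISHED_A,
                                     SSL3_ST_CW_FINISHED_B,
                                     s->method->ssl3_enc->client_finished_label,
                                     s->method->ssl3_enc->client_finished_label_len);
            if (ret <= 0)
                goto end;
            s->state = SSL3_ST_CW_FLUSH;

            /* clear flags */
            s->s3->flags &= ~SSL3_FLAGS_POP_BUFFER;
            if (s->hit) {
                s->s3->tmp.next_state = SSL_ST_OK;
#ifndef OPENSSL_NO_SCTP
                if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
                    s->d1->next_state = s->s3->tmp.next_state;
                    s->s3->tmp.next_state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
                }
#endif
                if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) {
                    s->state = SSL_ST_OK;
#ifndef OPENSSL_NO_SCTP
                    if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
                        s->d1->next_state = SSL_ST_OK;
                        s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
                    }
#endif
                    s->s3->flags |= SSL3_FLAGS_POP_BUFFER;
                    s->s3->delay_buf_pop_ret = 0;
                }
            } else {
#ifndef OPENSSL_NO_SCTP
                /*
                 * Change to new shared key of SCTP-Auth, will be ignored if
                 * no SCTP used.
                 */
                BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
                         0, NULL);
#endif

#ifndef OPENSSL_NO_TLSEXT
                /*
                 * Allow NewSessionTicket if ticket expected
                 */
                if (s->tlsext_ticket_expected)
                    s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A;
                else
#endif

                    s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A;
            }
            s->init_num = 0;
            break;

#ifndef OPENSSL_NO_TLSEXT
        case SSL3_ST_CR_SESSION_TICKET_A:
        case SSL3_ST_CR_SESSION_TICKET_B:
            ret = ssl3_get_new_session_ticket(s);
            if (ret <= 0)
                goto end;
            s->state = SSL3_ST_CR_FINISHED_A;
            s->init_num = 0;
            break;

        case SSL3_ST_CR_CERT_STATUS_A:
        case SSL3_ST_CR_CERT_STATUS_B:
            ret = ssl3_get_cert_status(s);
            if (ret <= 0)
                goto end;
            s->state = SSL3_ST_CR_KEY_EXCH_A;
            s->init_num = 0;
            break;
#endif

        case SSL3_ST_CR_FINISHED_A:
        case SSL3_ST_CR_FINISHED_B:
            /* A ChangeCipherSpec from the server is legitimate from here on. */
            s->d1->change_cipher_spec_ok = 1;
            ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A,
                                    SSL3_ST_CR_FINISHED_B);
            if (ret <= 0)
                goto end;
            dtls1_stop_timer(s);

            if (s->hit)
                s->state = SSL3_ST_CW_CHANGE_A;
            else
                s->state = SSL_ST_OK;

#ifndef OPENSSL_NO_SCTP
            if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
                state == SSL_ST_RENEGOTIATE) {
                s->d1->next_state = s->state;
                s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
            }
#endif

            s->init_num = 0;
            break;

        case SSL3_ST_CW_FLUSH:
            s->rwstate = SSL_WRITING;
            if (BIO_flush(s->wbio) <= 0) {
                /*
                 * If the write error was fatal, stop trying
                 */
                if (!BIO_should_retry(s->wbio)) {
                    s->rwstate = SSL_NOTHING;
                    s->state = s->s3->tmp.next_state;
                }

                ret = -1;
                goto end;
            }
            s->rwstate = SSL_NOTHING;
            s->state = s->s3->tmp.next_state;
            break;

        case SSL_ST_OK:
            /* clean a few things up */
            ssl3_cleanup_key_block(s);

            /*
             * If we are not 'joining' the last two packets, remove the
             * buffering now
             */
            if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
                ssl_free_wbio_buffer(s);
            /* else do it later in ssl3_write */

            s->init_num = 0;
            s->renegotiate = 0;
            s->new_session = 0;

            ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
            if (s->hit)
                s->ctx->stats.sess_hit++;

            ret = 1;
            /* s->server=0; */
            s->handshake_func = dtls1_connect;
            s->ctx->stats.sess_connect_good++;

            if (cb != NULL)
                cb(s, SSL_CB_HANDSHAKE_DONE, 1);

            /* done with handshaking */
            s->d1->handshake_read_seq = 0;
            s->d1->next_handshake_write_seq = 0;
            dtls1_clear_received_buffer(s);
            goto end;
            /* break; */

        case SSL_ST_ERR:
        default:
            SSLerr(SSL_F_DTLS1_CONNECT, SSL_R_UNKNOWN_STATE);
            ret = -1;
            goto end;
            /* break; */
        }

        /* did we do anything */
        if (!s->s3->tmp.reuse_message && !skip) {
            if (s->debug) {
                if ((ret = BIO_flush(s->wbio)) <= 0)
                    goto end;
            }

            /*
             * Report the transition with s->state temporarily rewound so the
             * callback observes the state that was just handled.
             */
            if ((cb != NULL) && (s->state != state)) {
                new_state = s->state;
                s->state = state;
                cb(s, SSL_CB_CONNECT_LOOP, 1);
                s->state = new_state;
            }
        }
        skip = 0;
    }
 end:
    s->in_handshake--;

#ifndef OPENSSL_NO_SCTP
    /*
     * Notify SCTP BIO socket to leave handshake mode and allow stream
     * identifier other than 0. Will be ignored if no SCTP is used.
     */
    BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
             s->in_handshake, NULL);
#endif

    /* Non-NULL only if BUF_MEM_grow failed before ownership moved to s. */
    if (buf != NULL)
        BUF_MEM_free(buf);
    if (cb != NULL)
        cb(s, SSL_CB_CONNECT_EXIT, ret);
    return (ret);
}

/*
 * dtls1_get_hello_verify - read the server's HelloVerifyRequest.
 *
 * Returns the ssl_get_message() result unchanged when no complete message
 * is available yet. If the message that arrived is some other handshake
 * message, it is handed to the next state via s->s3->tmp.reuse_message,
 * s->d1->send_cookie is cleared and 1 is returned. Otherwise the cookie is
 * copied into s->d1->cookie, send_cookie is set so that the next
 * ClientHello carries it, and 1 is returned.
 *
 * On a malformed body a fatal alert is sent, s->state becomes SSL_ST_ERR
 * and -1 is returned. The body must hold at least the 2-byte
 * server_version and the 1-byte cookie length, and the cookie length must
 * fit both s->d1->cookie and the bytes actually received; the latter check
 * keeps the memcpy from reading past the message into stale buffer data.
 */
static int dtls1_get_hello_verify(SSL *s)
{
    int n, al, ok = 0;
    unsigned char *data;
    unsigned int cookie_len;

    s->first_packet = 1;
    n = s->method->ssl_get_message(s,
                                   DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A,
                                   DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B,
                                   -1, s->max_cert_list, &ok);
    s->first_packet = 0;

    if (!ok)
        return ((int)n);

    if (s->s3->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) {
        s->d1->send_cookie = 0;
        s->s3->tmp.reuse_message = 1;
        return (1);
    }

    /* Fixed part of the body: server_version (2) + cookie length (1). */
    if (n < 3) {
        SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY, SSL_R_LENGTH_MISMATCH);
        al = SSL_AD_DECODE_ERROR;
        goto f_err;
    }

    data = (unsigned char *)s->init_msg;
    /* server_version is skipped; it is not validated against s->version. */
    data += 2;

    cookie_len = *(data++);
    if (cookie_len > sizeof(s->d1->cookie)) {
        al = SSL_AD_ILLEGAL_PARAMETER;
        goto f_err;
    }
    /* The declared cookie must be fully present in the received message. */
    if (cookie_len > (unsigned int)(n - 3)) {
        SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY, SSL_R_LENGTH_MISMATCH);
        al = SSL_AD_DECODE_ERROR;
        goto f_err;
    }

    memcpy(s->d1->cookie, data, cookie_len);
    s->d1->cookie_len = cookie_len;

    s->d1->send_cookie = 1;
    return 1;

 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
    s->state = SSL_ST_ERR;
    return -1;
}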