d1_clnt.c revision 291719
1160814Ssimon/* ssl/d1_clnt.c */ 2280297Sjkim/* 3160814Ssimon * DTLS implementation written by Nagendra Modadugu 4280297Sjkim * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 5160814Ssimon */ 6160814Ssimon/* ==================================================================== 7238405Sjkim * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. 8160814Ssimon * 9160814Ssimon * Redistribution and use in source and binary forms, with or without 10160814Ssimon * modification, are permitted provided that the following conditions 11160814Ssimon * are met: 12160814Ssimon * 13160814Ssimon * 1. Redistributions of source code must retain the above copyright 14280297Sjkim * notice, this list of conditions and the following disclaimer. 15160814Ssimon * 16160814Ssimon * 2. Redistributions in binary form must reproduce the above copyright 17160814Ssimon * notice, this list of conditions and the following disclaimer in 18160814Ssimon * the documentation and/or other materials provided with the 19160814Ssimon * distribution. 20160814Ssimon * 21160814Ssimon * 3. All advertising materials mentioning features or use of this 22160814Ssimon * software must display the following acknowledgment: 23160814Ssimon * "This product includes software developed by the OpenSSL Project 24160814Ssimon * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25160814Ssimon * 26160814Ssimon * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27160814Ssimon * endorse or promote products derived from this software without 28160814Ssimon * prior written permission. For written permission, please contact 29160814Ssimon * openssl-core@OpenSSL.org. 30160814Ssimon * 31160814Ssimon * 5. Products derived from this software may not be called "OpenSSL" 32160814Ssimon * nor may "OpenSSL" appear in their names without prior written 33160814Ssimon * permission of the OpenSSL Project. 34160814Ssimon * 35160814Ssimon * 6. 
Redistributions of any form whatsoever must retain the following 36160814Ssimon * acknowledgment: 37160814Ssimon * "This product includes software developed by the OpenSSL Project 38160814Ssimon * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39160814Ssimon * 40160814Ssimon * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41160814Ssimon * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42160814Ssimon * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43160814Ssimon * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44160814Ssimon * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45160814Ssimon * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46160814Ssimon * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47160814Ssimon * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48160814Ssimon * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49160814Ssimon * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50160814Ssimon * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51160814Ssimon * OF THE POSSIBILITY OF SUCH DAMAGE. 52160814Ssimon * ==================================================================== 53160814Ssimon * 54160814Ssimon * This product includes cryptographic software written by Eric Young 55160814Ssimon * (eay@cryptsoft.com). This product includes software written by Tim 56160814Ssimon * Hudson (tjh@cryptsoft.com). 57160814Ssimon * 58160814Ssimon */ 59160814Ssimon/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 60160814Ssimon * All rights reserved. 61160814Ssimon * 62160814Ssimon * This package is an SSL implementation written 63160814Ssimon * by Eric Young (eay@cryptsoft.com). 64160814Ssimon * The implementation was written so as to conform with Netscapes SSL. 
65280297Sjkim * 66160814Ssimon * This library is free for commercial and non-commercial use as long as 67160814Ssimon * the following conditions are aheared to. The following conditions 68160814Ssimon * apply to all code found in this distribution, be it the RC4, RSA, 69160814Ssimon * lhash, DES, etc., code; not just the SSL code. The SSL documentation 70160814Ssimon * included with this distribution is covered by the same copyright terms 71160814Ssimon * except that the holder is Tim Hudson (tjh@cryptsoft.com). 72280297Sjkim * 73160814Ssimon * Copyright remains Eric Young's, and as such any Copyright notices in 74160814Ssimon * the code are not to be removed. 75160814Ssimon * If this package is used in a product, Eric Young should be given attribution 76160814Ssimon * as the author of the parts of the library used. 77160814Ssimon * This can be in the form of a textual message at program startup or 78160814Ssimon * in documentation (online or textual) provided with the package. 79280297Sjkim * 80160814Ssimon * Redistribution and use in source and binary forms, with or without 81160814Ssimon * modification, are permitted provided that the following conditions 82160814Ssimon * are met: 83160814Ssimon * 1. Redistributions of source code must retain the copyright 84160814Ssimon * notice, this list of conditions and the following disclaimer. 85160814Ssimon * 2. Redistributions in binary form must reproduce the above copyright 86160814Ssimon * notice, this list of conditions and the following disclaimer in the 87160814Ssimon * documentation and/or other materials provided with the distribution. 88160814Ssimon * 3. 
All advertising materials mentioning features or use of this software 89160814Ssimon * must display the following acknowledgement: 90160814Ssimon * "This product includes cryptographic software written by 91160814Ssimon * Eric Young (eay@cryptsoft.com)" 92160814Ssimon * The word 'cryptographic' can be left out if the rouines from the library 93160814Ssimon * being used are not cryptographic related :-). 94280297Sjkim * 4. If you include any Windows specific code (or a derivative thereof) from 95160814Ssimon * the apps directory (application code) you must include an acknowledgement: 96160814Ssimon * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 97280297Sjkim * 98160814Ssimon * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 99160814Ssimon * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 100160814Ssimon * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 101160814Ssimon * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 102160814Ssimon * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 103160814Ssimon * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 104160814Ssimon * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 105160814Ssimon * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 106160814Ssimon * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 107160814Ssimon * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 108160814Ssimon * SUCH DAMAGE. 109280297Sjkim * 110160814Ssimon * The licence and distribution terms for any publically available version or 111160814Ssimon * derivative of this code cannot be changed. i.e. this code cannot simply be 112160814Ssimon * copied and put under another distribution licence 113160814Ssimon * [including the GNU Public Licence.] 
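*/

#include <stdio.h>
#include "ssl_locl.h"
#ifndef OPENSSL_NO_KRB5
# include "kssl_lcl.h"
#endif
#include <openssl/buffer.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/md5.h>
#include <openssl/bn.h>
#ifndef OPENSSL_NO_DH
# include <openssl/dh.h>
#endif

static const SSL_METHOD *dtls1_get_client_method(int ver);
static int dtls1_get_hello_verify(SSL *s);

/*
 * Map a DTLS protocol version number to the client SSL_METHOD that
 * implements it.  DTLS1_BAD_VER (the pre-standard draft version) shares
 * the DTLSv1 method.  Returns NULL for any version this file does not
 * implement.
 */
static const SSL_METHOD *dtls1_get_client_method(int ver)
{
    if (ver == DTLS_ANY_VERSION)
        return DTLS_client_method();
    else if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
        return DTLSv1_client_method();
    else if (ver == DTLS1_2_VERSION)
        return DTLSv1_2_client_method();
    else
        return NULL;
}

/*
 * Instantiate the three client method tables (DTLSv1, DTLSv1.2 and
 * version-flexible).  Each uses dtls1_connect as its handshake entry point
 * and dtls1_get_client_method for version lookup; ssl_undefined_function
 * fills the slot a client never needs (presumably the accept handler -
 * see IMPLEMENT_dtls1_meth_func in ssl_locl.h).
 */
IMPLEMENT_dtls1_meth_func(DTLS1_VERSION,
                          DTLSv1_client_method,
                          ssl_undefined_function,
                          dtls1_connect,
                          dtls1_get_client_method, DTLSv1_enc_data)

IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION,
                          DTLSv1_2_client_method,
                          ssl_undefined_function,
                          dtls1_connect,
                          dtls1_get_client_method, DTLSv1_2_enc_data)

IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION,
                          DTLS_client_method,
                          ssl_undefined_function,
                          dtls1_connect,
                          dtls1_get_client_method, DTLSv1_2_enc_data)

/*
 * Drive the client side of the DTLS handshake.
 *
 * The function is a state machine keyed on s->state; it is re-entered by
 * the application after every retryable I/O condition and resumes from
 * the stored state.  Each message-reading/-writing step delegates to the
 * shared ssl3_* / dtls1_* helpers and advances s->state on success.
 *
 * Returns 1 once the handshake reaches SSL_ST_OK, and <= 0 otherwise
 * (the value from the failing helper, or -1 when the error is raised
 * here; -1 is also used for the "try again later" retry conditions).
 * On fatal errors s->state is set to SSL_ST_ERR so a later call does not
 * resume a half-finished exchange.
 *
 * Side effects: increments s->in_handshake for the duration of the call,
 * may allocate s->init_buf (ownership passes to s), and reports progress
 * through the SSL/SSL_CTX info callback.
 */
int dtls1_connect(SSL *s)
{
    BUF_MEM *buf = NULL;
    unsigned long Time = (unsigned long)time(NULL);
    void (*cb) (const SSL *ssl, int type, int val) = NULL;
    int ret = -1;
    int new_state, state, skip = 0;
#ifndef OPENSSL_NO_SCTP
    /*
     * NOTE(review): sctpauthkey receives exported key material below and is
     * not cleansed before return; consider OPENSSL_cleanse() on the exit
     * path.
     */
    unsigned char sctpauthkey[64];
    char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
#endif

    /* Mix the wall clock into the PRNG state; the entropy estimate is 0. */
    RAND_add(&Time, sizeof(Time), 0);
    ERR_clear_error();
    clear_sys_error();

    /* A per-connection info callback takes precedence over the context's. */
    if (s->info_callback != NULL)
        cb = s->info_callback;
    else if (s->ctx->info_callback != NULL)
        cb = s->ctx->info_callback;

    s->in_handshake++;
    if (!SSL_in_init(s) || SSL_in_before(s))
        SSL_clear(s);

#ifndef OPENSSL_NO_SCTP
    /*
     * Notify SCTP BIO socket to enter handshake mode and prevent stream
     * identifier other than 0. Will be ignored if no SCTP is used.
     */
    BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
             s->in_handshake, NULL);
#endif

#ifndef OPENSSL_NO_HEARTBEATS
    /*
     * If we're awaiting a HeartbeatResponse, pretend we already got and
     * don't await it anymore, because Heartbeats don't make sense during
     * handshakes anyway.
     */
    if (s->tlsext_hb_pending) {
        dtls1_stop_timer(s);
        s->tlsext_hb_pending = 0;
        s->tlsext_hb_seq++;
    }
#endif

    for (;;) {
        /* Remember the state we entered with for the CONNECT_LOOP callback. */
        state = s->state;

        switch (s->state) {
        case SSL_ST_RENEGOTIATE:
            s->renegotiate = 1;
            s->state = SSL_ST_CONNECT;
            s->ctx->stats.sess_connect_renegotiate++;
            /* break */ /* intentional fall through into SSL_ST_CONNECT */
        case SSL_ST_BEFORE:
        case SSL_ST_CONNECT:
        case SSL_ST_BEFORE | SSL_ST_CONNECT:
        case SSL_ST_OK | SSL_ST_CONNECT:

            s->server = 0;
            if (cb != NULL)
                cb(s, SSL_CB_HANDSHAKE_START, 1);

            /* Only DTLS major versions are acceptable here. */
            if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00) &&
                (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00)) {
                SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR);
                ret = -1;
                s->state = SSL_ST_ERR;
                goto end;
            }

            /* s->version=SSL3_VERSION; */
            s->type = SSL_ST_CONNECT;

            /*
             * Allocate the handshake message buffer on first use.  buf is
             * reset to NULL once s owns it so the cleanup at 'end' only
             * frees it on the failure paths.
             */
            if (s->init_buf == NULL) {
                if ((buf = BUF_MEM_new()) == NULL) {
                    ret = -1;
                    s->state = SSL_ST_ERR;
                    goto end;
                }
                if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
                    ret = -1;
                    s->state = SSL_ST_ERR;
                    goto end;
                }
                s->init_buf = buf;
                buf = NULL;
            }

            if (!ssl3_setup_buffers(s)) {
                ret = -1;
                s->state = SSL_ST_ERR;
                goto end;
            }

            /* setup buffing BIO */
            if (!ssl_init_wbio_buffer(s, 0)) {
                ret = -1;
                s->state = SSL_ST_ERR;
                goto end;
            }

            /* don't push the buffering BIO quite yet */

            s->state = SSL3_ST_CW_CLNT_HELLO_A;
            s->ctx->stats.sess_connect++;
            s->init_num = 0;
            /* mark client_random uninitialized */
            memset(s->s3->client_random, 0, sizeof(s->s3->client_random));
            s->d1->send_cookie = 0;
            s->hit = 0;
            s->d1->change_cipher_spec_ok = 0;
            /*
             * Should have been reset by ssl3_get_finished, too.
             */
            s->s3->change_cipher_spec = 0;
            break;

#ifndef OPENSSL_NO_SCTP
        case DTLS1_SCTP_ST_CR_READ_SOCK:

            /* Application data still queued: ask the caller to read first. */
            if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
                s->s3->in_read_app_data = 2;
                s->rwstate = SSL_READING;
                BIO_clear_retry_flags(SSL_get_rbio(s));
                BIO_set_retry_read(SSL_get_rbio(s));
                ret = -1;
                goto end;
            }

            s->state = s->s3->tmp.next_state;
            break;

        case DTLS1_SCTP_ST_CW_WRITE_SOCK:
            /* read app data until dry event */

            ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
            if (ret < 0)
                goto end;

            if (ret == 0) {
                s->s3->in_read_app_data = 2;
                s->rwstate = SSL_READING;
                BIO_clear_retry_flags(SSL_get_rbio(s));
                BIO_set_retry_read(SSL_get_rbio(s));
                ret = -1;
                goto end;
            }

            s->state = s->d1->next_state;
            break;
#endif

        case SSL3_ST_CW_CLNT_HELLO_A:
            s->shutdown = 0;

            /* every DTLS ClientHello resets Finished MAC */
            ssl3_init_finished_mac(s);

            /* fall through */
        case SSL3_ST_CW_CLNT_HELLO_B:
            dtls1_start_timer(s);
            ret = ssl3_client_hello(s);
            if (ret <= 0)
                goto end;

            /*
             * A ClientHello carrying a cookie is flushed immediately; the
             * first (cookie-less) one waits for the reply to be buffered.
             */
            if (s->d1->send_cookie) {
                s->state = SSL3_ST_CW_FLUSH;
                s->s3->tmp.next_state = SSL3_ST_CR_SRVR_HELLO_A;
            } else
                s->state = SSL3_ST_CR_SRVR_HELLO_A;

            s->init_num = 0;

#ifndef OPENSSL_NO_SCTP
            /* Disable buffering for SCTP */
            if (!BIO_dgram_is_sctp(SSL_get_wbio(s))) {
#endif
                /*
                 * turn on buffering for the next lot of output
                 */
                if (s->bbio != s->wbio)
                    s->wbio = BIO_push(s->bbio, s->wbio);
#ifndef OPENSSL_NO_SCTP
            }
#endif

            break;

        case SSL3_ST_CR_SRVR_HELLO_A:
        case SSL3_ST_CR_SRVR_HELLO_B:
            ret = ssl3_get_server_hello(s);
            if (ret <= 0)
                goto end;
            else {
                /* s->hit: the server resumed our session. */
                if (s->hit) {
#ifndef OPENSSL_NO_SCTP
                    /*
                     * Add new shared key for SCTP-Auth, will be ignored if
                     * no SCTP used.  The label is copied into a stack
                     * buffer sized to the macro so the exporter sees it
                     * NUL-terminated.
                     */
                    snprintf((char *)labelbuffer,
                             sizeof(DTLS1_SCTP_AUTH_LABEL),
                             DTLS1_SCTP_AUTH_LABEL);

                    if (SSL_export_keying_material(s, sctpauthkey,
                                                   sizeof(sctpauthkey),
                                                   labelbuffer,
                                                   sizeof(labelbuffer), NULL, 0,
                                                   0) <= 0) {
                        ret = -1;
                        s->state = SSL_ST_ERR;
                        goto end;
                    }

                    BIO_ctrl(SSL_get_wbio(s),
                             BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                             sizeof(sctpauthkey), sctpauthkey);
#endif

                    s->state = SSL3_ST_CR_FINISHED_A;
                    if (s->tlsext_ticket_expected) {
                        /* receive renewed session ticket */
                        s->state = SSL3_ST_CR_SESSION_TICKET_A;
                    }
                } else
                    s->state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
            }
            s->init_num = 0;
            break;

        case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
        case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B:

            ret = dtls1_get_hello_verify(s);
            if (ret <= 0)
                goto end;
            dtls1_stop_timer(s);
            if (s->d1->send_cookie) /* start again, with a cookie */
                s->state = SSL3_ST_CW_CLNT_HELLO_A;
            else
                s->state = SSL3_ST_CR_CERT_A;
            s->init_num = 0;
            break;

        case SSL3_ST_CR_CERT_A:
        case SSL3_ST_CR_CERT_B:
            /* Check if it is anon DH or PSK */
            if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
                !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
                ret = ssl3_get_server_certificate(s);
                if (ret <= 0)
                    goto end;
#ifndef OPENSSL_NO_TLSEXT
                if (s->tlsext_status_expected)
                    s->state = SSL3_ST_CR_CERT_STATUS_A;
                else
                    s->state = SSL3_ST_CR_KEY_EXCH_A;
            } else {
                /* No certificate expected: skip suppresses the loop callback. */
                skip = 1;
                s->state = SSL3_ST_CR_KEY_EXCH_A;
            }
#else
            } else
                skip = 1;

            s->state = SSL3_ST_CR_KEY_EXCH_A;
#endif
            s->init_num = 0;
            break;

        case SSL3_ST_CR_KEY_EXCH_A:
        case SSL3_ST_CR_KEY_EXCH_B:
            ret = ssl3_get_key_exchange(s);
            if (ret <= 0)
                goto end;
            s->state = SSL3_ST_CR_CERT_REQ_A;
            s->init_num = 0;

            /*
             * at this point we check that we have the required stuff from
             * the server
             */
            if (!ssl3_check_cert_and_algorithm(s)) {
                ret = -1;
                s->state = SSL_ST_ERR;
                goto end;
            }
            break;

        case SSL3_ST_CR_CERT_REQ_A:
        case SSL3_ST_CR_CERT_REQ_B:
            ret = ssl3_get_certificate_request(s);
            if (ret <= 0)
                goto end;
            s->state = SSL3_ST_CR_SRVR_DONE_A;
            s->init_num = 0;
            break;

        case SSL3_ST_CR_SRVR_DONE_A:
        case SSL3_ST_CR_SRVR_DONE_B:
            ret = ssl3_get_server_done(s);
            if (ret <= 0)
                goto end;
            dtls1_stop_timer(s);
            if (s->s3->tmp.cert_req)
                s->s3->tmp.next_state = SSL3_ST_CW_CERT_A;
            else
                s->s3->tmp.next_state = SSL3_ST_CW_KEY_EXCH_A;
            s->init_num = 0;

#ifndef OPENSSL_NO_SCTP
            if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
                state == SSL_ST_RENEGOTIATE)
                s->state = DTLS1_SCTP_ST_CR_READ_SOCK;
            else
#endif
                s->state = s->s3->tmp.next_state;
            break;

        case SSL3_ST_CW_CERT_A:
        case SSL3_ST_CW_CERT_B:
        case SSL3_ST_CW_CERT_C:
        case SSL3_ST_CW_CERT_D:
            dtls1_start_timer(s);
            ret = ssl3_send_client_certificate(s);
            if (ret <= 0)
                goto end;
            s->state = SSL3_ST_CW_KEY_EXCH_A;
            s->init_num = 0;
            break;

        case SSL3_ST_CW_KEY_EXCH_A:
        case SSL3_ST_CW_KEY_EXCH_B:
            dtls1_start_timer(s);
            ret = ssl3_send_client_key_exchange(s);
            if (ret <= 0)
                goto end;

#ifndef OPENSSL_NO_SCTP
            /*
             * Add new shared key for SCTP-Auth, will be ignored if no SCTP
             * used.
             */
            snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
                     DTLS1_SCTP_AUTH_LABEL);

            if (SSL_export_keying_material(s, sctpauthkey,
                                           sizeof(sctpauthkey), labelbuffer,
                                           sizeof(labelbuffer), NULL, 0, 0) <= 0) {
                ret = -1;
                s->state = SSL_ST_ERR;
                goto end;
            }

            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                     sizeof(sctpauthkey), sctpauthkey);
#endif

            /*
             * EAY EAY EAY need to check for DH fix cert sent back
             */
            /*
             * For TLS, cert_req is set to 2, so a cert chain of nothing is
             * sent, but no verify packet is sent
             */
            if (s->s3->tmp.cert_req == 1) {
                s->state = SSL3_ST_CW_CERT_VRFY_A;
            } else {
#ifndef OPENSSL_NO_SCTP
                if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
                    s->d1->next_state = SSL3_ST_CW_CHANGE_A;
                    s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
                } else
#endif
                    s->state = SSL3_ST_CW_CHANGE_A;
            }

            s->init_num = 0;
            break;

        case SSL3_ST_CW_CERT_VRFY_A:
        case SSL3_ST_CW_CERT_VRFY_B:
            dtls1_start_timer(s);
            ret = ssl3_send_client_verify(s);
            if (ret <= 0)
                goto end;
#ifndef OPENSSL_NO_SCTP
            if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
                s->d1->next_state = SSL3_ST_CW_CHANGE_A;
                s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
            } else
#endif
                s->state = SSL3_ST_CW_CHANGE_A;
            s->init_num = 0;
            break;

        case SSL3_ST_CW_CHANGE_A:
        case SSL3_ST_CW_CHANGE_B:
            /* On resumption the peer's Finished already arrived; no timer. */
            if (!s->hit)
                dtls1_start_timer(s);
            ret = dtls1_send_change_cipher_spec(s,
                                                SSL3_ST_CW_CHANGE_A,
                                                SSL3_ST_CW_CHANGE_B);
            if (ret <= 0)
                goto end;

            s->state = SSL3_ST_CW_FINISHED_A;
            s->init_num = 0;

            s->session->cipher = s->s3->tmp.new_cipher;
#ifdef OPENSSL_NO_COMP
            s->session->compress_meth = 0;
#else
            if (s->s3->tmp.new_compression == NULL)
                s->session->compress_meth = 0;
            else
                s->session->compress_meth = s->s3->tmp.new_compression->id;
#endif
            if (!s->method->ssl3_enc->setup_key_block(s)) {
                ret = -1;
                s->state = SSL_ST_ERR;
                goto end;
            }

            if (!s->method->ssl3_enc->change_cipher_state(s,
                                                          SSL3_CHANGE_CIPHER_CLIENT_WRITE))
            {
                ret = -1;
                s->state = SSL_ST_ERR;
                goto end;
            }
#ifndef OPENSSL_NO_SCTP
            if (s->hit) {
                /*
                 * Change to new shared key of SCTP-Auth, will be ignored if
                 * no SCTP used.
                 */
                BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
                         0, NULL);
            }
#endif

            dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
            break;

        case SSL3_ST_CW_FINISHED_A:
        case SSL3_ST_CW_FINISHED_B:
            if (!s->hit)
                dtls1_start_timer(s);
            ret = ssl3_send_finished(s,
                                     SSL3_ST_CW_FINISHED_A,
                                     SSL3_ST_CW_FINISHED_B,
                                     s->method->
                                     ssl3_enc->client_finished_label,
                                     s->method->
                                     ssl3_enc->client_finished_label_len);
            if (ret <= 0)
                goto end;
            s->state = SSL3_ST_CW_FLUSH;

            /* clear flags */
            s->s3->flags &= ~SSL3_FLAGS_POP_BUFFER;
            if (s->hit) {
                s->s3->tmp.next_state = SSL_ST_OK;
#ifndef OPENSSL_NO_SCTP
                if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
                    s->d1->next_state = s->s3->tmp.next_state;
                    s->s3->tmp.next_state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
                }
#endif
                if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) {
                    s->state = SSL_ST_OK;
#ifndef OPENSSL_NO_SCTP
                    if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
                        s->d1->next_state = SSL_ST_OK;
                        s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
                    }
#endif
                    s->s3->flags |= SSL3_FLAGS_POP_BUFFER;
                    s->s3->delay_buf_pop_ret = 0;
                }
            } else {
#ifndef OPENSSL_NO_SCTP
                /*
                 * Change to new shared key of SCTP-Auth, will be ignored if
                 * no SCTP used.
                 */
                BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
                         0, NULL);
#endif

#ifndef OPENSSL_NO_TLSEXT
                /*
                 * Allow NewSessionTicket if ticket expected
                 */
                if (s->tlsext_ticket_expected)
                    s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A;
                else
#endif

                    s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A;
            }
            s->init_num = 0;
            break;

#ifndef OPENSSL_NO_TLSEXT
        case SSL3_ST_CR_SESSION_TICKET_A:
        case SSL3_ST_CR_SESSION_TICKET_B:
            ret = ssl3_get_new_session_ticket(s);
            if (ret <= 0)
                goto end;
            s->state = SSL3_ST_CR_FINISHED_A;
            s->init_num = 0;
            break;

        case SSL3_ST_CR_CERT_STATUS_A:
        case SSL3_ST_CR_CERT_STATUS_B:
            ret = ssl3_get_cert_status(s);
            if (ret <= 0)
                goto end;
            s->state = SSL3_ST_CR_KEY_EXCH_A;
            s->init_num = 0;
            break;
#endif

        case SSL3_ST_CR_FINISHED_A:
        case SSL3_ST_CR_FINISHED_B:
            /* A ChangeCipherSpec from the peer is only legal from here on. */
            s->d1->change_cipher_spec_ok = 1;
            ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A,
                                    SSL3_ST_CR_FINISHED_B);
            if (ret <= 0)
                goto end;
            dtls1_stop_timer(s);

            if (s->hit)
                s->state = SSL3_ST_CW_CHANGE_A;
            else
                s->state = SSL_ST_OK;

#ifndef OPENSSL_NO_SCTP
            if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
                state == SSL_ST_RENEGOTIATE) {
                s->d1->next_state = s->state;
                s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
            }
#endif

            s->init_num = 0;
            break;

        case SSL3_ST_CW_FLUSH:
            s->rwstate = SSL_WRITING;
            if (BIO_flush(s->wbio) <= 0) {
                /*
                 * If the write error was fatal, stop trying
                 */
                if (!BIO_should_retry(s->wbio)) {
                    s->rwstate = SSL_NOTHING;
                    s->state = s->s3->tmp.next_state;
                }

                ret = -1;
                goto end;
            }
            s->rwstate = SSL_NOTHING;
            s->state = s->s3->tmp.next_state;
            break;

        case SSL_ST_OK:
            /* clean a few things up */
            ssl3_cleanup_key_block(s);

#if 0
            if (s->init_buf != NULL) {
                BUF_MEM_free(s->init_buf);
                s->init_buf = NULL;
            }
#endif

            /*
             * If we are not 'joining' the last two packets, remove the
             * buffering now
             */
            if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
                ssl_free_wbio_buffer(s);
            /* else do it later in ssl3_write */

            s->init_num = 0;
            s->renegotiate = 0;
            s->new_session = 0;

            ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
            if (s->hit)
                s->ctx->stats.sess_hit++;

            ret = 1;
            /* s->server=0; */
            s->handshake_func = dtls1_connect;
            s->ctx->stats.sess_connect_good++;

            if (cb != NULL)
                cb(s, SSL_CB_HANDSHAKE_DONE, 1);

            /* done with handshaking */
            s->d1->handshake_read_seq = 0;
            s->d1->next_handshake_write_seq = 0;
            goto end;
            /* break; */

        case SSL_ST_ERR:
        default:
            SSLerr(SSL_F_DTLS1_CONNECT, SSL_R_UNKNOWN_STATE);
            ret = -1;
            goto end;
            /* break; */
        }

        /* did we do anything */
        if (!s->s3->tmp.reuse_message && !skip) {
            if (s->debug) {
                if ((ret = BIO_flush(s->wbio)) <= 0)
                    goto end;
            }

            /*
             * Report the transition with s->state temporarily rewound so the
             * callback observes the state that was just completed.
             */
            if ((cb != NULL) && (s->state != state)) {
                new_state = s->state;
                s->state = state;
                cb(s, SSL_CB_CONNECT_LOOP, 1);
                s->state = new_state;
            }
        }
        skip = 0;
    }
 end:
    s->in_handshake--;

#ifndef OPENSSL_NO_SCTP
    /*
     * Notify SCTP BIO socket to leave handshake mode and allow stream
     * identifier other than 0. Will be ignored if no SCTP is used.
     */
    BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
             s->in_handshake, NULL);
#endif

    /* buf is only non-NULL if allocation succeeded but a later step failed. */
    if (buf != NULL)
        BUF_MEM_free(buf);
    if (cb != NULL)
        cb(s, SSL_CB_CONNECT_EXIT, ret);
    return (ret);
}

/*
 * Read the server's reply to the first ClientHello and, if it is a
 * HelloVerifyRequest, store its cookie for the retried ClientHello.
 *
 * Message layout consumed here: server_version (2 bytes), cookie length
 * (1 byte), cookie (cookie length bytes).  The received length n is
 * checked before each field is read so a truncated message cannot make
 * the parser read stale bytes beyond it.
 *
 * Returns the ssl_get_message result when no complete message is
 * available (ok == 0); 1 when the message is a valid HelloVerifyRequest
 * (s->d1->send_cookie set) or when it is some other handshake message
 * (left in place via reuse_message for the next state, send_cookie
 * cleared); -1 after sending a fatal alert on a malformed request.
 */
static int dtls1_get_hello_verify(SSL *s)
{
    int n, al, ok = 0;
    unsigned char *data;
    unsigned int cookie_len;

    s->first_packet = 1;
    n = s->method->ssl_get_message(s,
                                   DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A,
                                   DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B,
                                   -1, s->max_cert_list, &ok);
    s->first_packet = 0;

    if (!ok)
        return ((int)n);

    /* Not a HelloVerifyRequest: the server skipped the cookie exchange. */
    if (s->s3->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) {
        s->d1->send_cookie = 0;
        s->s3->tmp.reuse_message = 1;
        return (1);
    }

    /* server_version (2 bytes) and the cookie length byte must be present. */
    if (n < 3) {
        SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY, SSL_R_LENGTH_MISMATCH);
        al = SSL_AD_DECODE_ERROR;
        goto f_err;
    }

    data = (unsigned char *)s->init_msg;
    /*
     * The server_version check is compiled out; version handling for the
     * DTLS_ANY_VERSION method presumably happens elsewhere - TODO confirm.
     */
#if 0
    if (s->method->version != DTLS_ANY_VERSION &&
        ((data[0] != (s->version >> 8)) || (data[1] != (s->version & 0xff))))
    {
        SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY, SSL_R_WRONG_SSL_VERSION);
        s->version = (s->version & 0xff00) | data[1];
        al = SSL_AD_PROTOCOL_VERSION;
        goto f_err;
    }
#endif
    data += 2;

    cookie_len = *(data++);
    /* The cookie has to fit the fixed-size storage in s->d1 ... */
    if (cookie_len > sizeof(s->d1->cookie)) {
        al = SSL_AD_ILLEGAL_PARAMETER;
        goto f_err;
    }
    /* ... and must not run past the end of the received message. */
    if (cookie_len > (unsigned int)(n - 3)) {
        SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY, SSL_R_LENGTH_MISMATCH);
        al = SSL_AD_DECODE_ERROR;
        goto f_err;
    }

    memcpy(s->d1->cookie, data, cookie_len);
    s->d1->cookie_len = cookie_len;

    s->d1->send_cookie = 1;
    return 1;

 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
    s->state = SSL_ST_ERR;
    return -1;
}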