d1_clnt.c revision 296465
1/* ssl/d1_clnt.c */ 2/* 3 * DTLS implementation written by Nagendra Modadugu 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 5 */ 6/* ==================================================================== 7 * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * openssl-core@OpenSSL.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 * 54 * This product includes cryptographic software written by Eric Young 55 * (eay@cryptsoft.com). This product includes software written by Tim 56 * Hudson (tjh@cryptsoft.com). 57 * 58 */ 59/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 60 * All rights reserved. 61 * 62 * This package is an SSL implementation written 63 * by Eric Young (eay@cryptsoft.com). 64 * The implementation was written so as to conform with Netscapes SSL. 65 * 66 * This library is free for commercial and non-commercial use as long as 67 * the following conditions are aheared to. The following conditions 68 * apply to all code found in this distribution, be it the RC4, RSA, 69 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 70 * included with this distribution is covered by the same copyright terms 71 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 72 * 73 * Copyright remains Eric Young's, and as such any Copyright notices in 74 * the code are not to be removed. 75 * If this package is used in a product, Eric Young should be given attribution 76 * as the author of the parts of the library used. 77 * This can be in the form of a textual message at program startup or 78 * in documentation (online or textual) provided with the package. 79 * 80 * Redistribution and use in source and binary forms, with or without 81 * modification, are permitted provided that the following conditions 82 * are met: 83 * 1. Redistributions of source code must retain the copyright 84 * notice, this list of conditions and the following disclaimer. 85 * 2. Redistributions in binary form must reproduce the above copyright 86 * notice, this list of conditions and the following disclaimer in the 87 * documentation and/or other materials provided with the distribution. 88 * 3. All advertising materials mentioning features or use of this software 89 * must display the following acknowledgement: 90 * "This product includes cryptographic software written by 91 * Eric Young (eay@cryptsoft.com)" 92 * The word 'cryptographic' can be left out if the rouines from the library 93 * being used are not cryptographic related :-). 94 * 4. If you include any Windows specific code (or a derivative thereof) from 95 * the apps directory (application code) you must include an acknowledgement: 96 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 97 * 98 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 99 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 100 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 101 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 102 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 103 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 104 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 105 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 106 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 107 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 108 * SUCH DAMAGE. 109 * 110 * The licence and distribution terms for any publically available version or 111 * derivative of this code cannot be changed. i.e. this code cannot simply be 112 * copied and put under another distribution licence 113 * [including the GNU Public Licence.] 114 */ 115 116#include <stdio.h> 117#include "ssl_locl.h" 118#include "kssl_lcl.h" 119#include <openssl/buffer.h> 120#include <openssl/rand.h> 121#include <openssl/objects.h> 122#include <openssl/evp.h> 123#include <openssl/md5.h> 124#ifndef OPENSSL_NO_DH 125# include <openssl/dh.h> 126#endif 127 128static SSL_METHOD *dtls1_get_client_method(int ver); 129static int dtls1_get_hello_verify(SSL *s); 130 131static SSL_METHOD *dtls1_get_client_method(int ver) 132{ 133 if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER) 134 return (DTLSv1_client_method()); 135 else 136 return (NULL); 137} 138 139IMPLEMENT_dtls1_meth_func(DTLSv1_client_method, 140 ssl_undefined_function, 141 dtls1_connect, dtls1_get_client_method) 142 143int dtls1_connect(SSL *s) 144{ 145 BUF_MEM *buf = NULL; 146 unsigned long Time = (unsigned long)time(NULL); 147 void (*cb) (const SSL *ssl, int type, int val) = NULL; 148 int ret = -1; 149 int new_state, state, skip = 0;; 150 151 RAND_add(&Time, sizeof(Time), 0); 152 ERR_clear_error(); 153 clear_sys_error(); 154 155 if (s->info_callback != NULL) 156 cb = s->info_callback; 157 else if (s->ctx->info_callback != NULL) 158 cb = s->ctx->info_callback; 159 160 s->in_handshake++; 161 if (!SSL_in_init(s) || SSL_in_before(s)) 162 SSL_clear(s); 163 164 for (;;) { 165 state = s->state; 166 167 switch (s->state) { 168 case SSL_ST_RENEGOTIATE: 169 s->new_session = 1; 170 s->state = SSL_ST_CONNECT; 171 s->ctx->stats.sess_connect_renegotiate++; 172 /* break */ 173 case SSL_ST_BEFORE: 174 case SSL_ST_CONNECT: 175 case SSL_ST_BEFORE | SSL_ST_CONNECT: 176 case SSL_ST_OK | SSL_ST_CONNECT: 177 178 s->server = 0; 179 if (cb != NULL) 180 cb(s, SSL_CB_HANDSHAKE_START, 1); 181 182 if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00) && 183 (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00)) { 184 SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR); 185 ret = -1; 186 goto end; 187 } 188 189 /* s->version=SSL3_VERSION; */ 190 s->type = SSL_ST_CONNECT; 191 192 if (s->init_buf == NULL) { 193 if ((buf = BUF_MEM_new()) == NULL) { 194 ret = -1; 195 goto end; 196 } 197 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) { 198 ret = -1; 199 goto end; 200 } 201 s->init_buf = buf; 202 buf = NULL; 203 } 204 205 if (!ssl3_setup_buffers(s)) { 206 ret = -1; 207 goto end; 208 } 209 210 /* setup buffing BIO */ 211 if (!ssl_init_wbio_buffer(s, 0)) { 212 ret = -1; 213 goto end; 214 } 215 216 /* don't push the buffering BIO quite yet */ 217 218 s->state = SSL3_ST_CW_CLNT_HELLO_A; 219 s->ctx->stats.sess_connect++; 220 s->init_num = 0; 221 /* mark client_random uninitialized */ 222 memset(s->s3->client_random, 0, sizeof(s->s3->client_random)); 223 s->d1->send_cookie = 0; 224 s->hit = 0; 225 break; 226 227 case SSL3_ST_CW_CLNT_HELLO_A: 228 case SSL3_ST_CW_CLNT_HELLO_B: 229 230 s->shutdown = 0; 231 232 /* every DTLS ClientHello resets Finished MAC */ 233 ssl3_init_finished_mac(s); 234 235 dtls1_start_timer(s); 236 ret = dtls1_client_hello(s); 237 if (ret <= 0) 238 goto end; 239 240 if (s->d1->send_cookie) { 241 s->state = SSL3_ST_CW_FLUSH; 242 s->s3->tmp.next_state = SSL3_ST_CR_SRVR_HELLO_A; 243 } else 244 s->state = SSL3_ST_CR_SRVR_HELLO_A; 245 246 s->init_num = 0; 247 248 /* turn on buffering for the next lot of output */ 249 if (s->bbio != s->wbio) 250 s->wbio = BIO_push(s->bbio, s->wbio); 251 252 break; 253 254 case SSL3_ST_CR_SRVR_HELLO_A: 255 case SSL3_ST_CR_SRVR_HELLO_B: 256 ret = ssl3_get_server_hello(s); 257 if (ret <= 0) 258 goto end; 259 else { 260 if (s->hit) 261 s->state = SSL3_ST_CR_FINISHED_A; 262 else 263 s->state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A; 264 } 265 s->init_num = 0; 266 break; 267 268 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: 269 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B: 270 271 ret = dtls1_get_hello_verify(s); 272 if (ret <= 0) 273 goto end; 274 dtls1_stop_timer(s); 275 if (s->d1->send_cookie) /* start again, with a cookie */ 276 s->state = SSL3_ST_CW_CLNT_HELLO_A; 277 else 278 s->state = SSL3_ST_CR_CERT_A; 279 s->init_num = 0; 280 break; 281 282 case SSL3_ST_CR_CERT_A: 283 case SSL3_ST_CR_CERT_B: 284#ifndef OPENSSL_NO_TLSEXT 285 ret = ssl3_check_finished(s); 286 if (ret <= 0) 287 goto end; 288 if (ret == 2) { 289 s->hit = 1; 290 if (s->tlsext_ticket_expected) 291 s->state = SSL3_ST_CR_SESSION_TICKET_A; 292 else 293 s->state = SSL3_ST_CR_FINISHED_A; 294 s->init_num = 0; 295 break; 296 } 297#endif 298 /* Check if it is anon DH */ 299 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) { 300 ret = ssl3_get_server_certificate(s); 301 if (ret <= 0) 302 goto end; 303#ifndef OPENSSL_NO_TLSEXT 304 if (s->tlsext_status_expected) 305 s->state = SSL3_ST_CR_CERT_STATUS_A; 306 else 307 s->state = SSL3_ST_CR_KEY_EXCH_A; 308 } else { 309 skip = 1; 310 s->state = SSL3_ST_CR_KEY_EXCH_A; 311 } 312#else 313 } else 314 skip = 1; 315 316 s->state = SSL3_ST_CR_KEY_EXCH_A; 317#endif 318 s->init_num = 0; 319 break; 320 321 case SSL3_ST_CR_KEY_EXCH_A: 322 case SSL3_ST_CR_KEY_EXCH_B: 323 ret = ssl3_get_key_exchange(s); 324 if (ret <= 0) 325 goto end; 326 s->state = SSL3_ST_CR_CERT_REQ_A; 327 s->init_num = 0; 328 329 /* 330 * at this point we check that we have the required stuff from 331 * the server 332 */ 333 if (!ssl3_check_cert_and_algorithm(s)) { 334 ret = -1; 335 goto end; 336 } 337 break; 338 339 case SSL3_ST_CR_CERT_REQ_A: 340 case SSL3_ST_CR_CERT_REQ_B: 341 ret = ssl3_get_certificate_request(s); 342 if (ret <= 0) 343 goto end; 344 s->state = SSL3_ST_CR_SRVR_DONE_A; 345 s->init_num = 0; 346 break; 347 348 case SSL3_ST_CR_SRVR_DONE_A: 349 case SSL3_ST_CR_SRVR_DONE_B: 350 ret = ssl3_get_server_done(s); 351 if (ret <= 0) 352 goto end; 353 dtls1_stop_timer(s); 354 if (s->s3->tmp.cert_req) 355 s->state = SSL3_ST_CW_CERT_A; 356 else 357 s->state = SSL3_ST_CW_KEY_EXCH_A; 358 s->init_num = 0; 359 360 break; 361 362 case SSL3_ST_CW_CERT_A: 363 case SSL3_ST_CW_CERT_B: 364 case SSL3_ST_CW_CERT_C: 365 case SSL3_ST_CW_CERT_D: 366 dtls1_start_timer(s); 367 ret = dtls1_send_client_certificate(s); 368 if (ret <= 0) 369 goto end; 370 s->state = SSL3_ST_CW_KEY_EXCH_A; 371 s->init_num = 0; 372 break; 373 374 case SSL3_ST_CW_KEY_EXCH_A: 375 case SSL3_ST_CW_KEY_EXCH_B: 376 dtls1_start_timer(s); 377 ret = dtls1_send_client_key_exchange(s); 378 if (ret <= 0) 379 goto end; 380 /* 381 * EAY EAY EAY need to check for DH fix cert sent back 382 */ 383 /* 384 * For TLS, cert_req is set to 2, so a cert chain of nothing is 385 * sent, but no verify packet is sent 386 */ 387 if (s->s3->tmp.cert_req == 1) { 388 s->state = SSL3_ST_CW_CERT_VRFY_A; 389 } else { 390 s->state = SSL3_ST_CW_CHANGE_A; 391 s->s3->change_cipher_spec = 0; 392 } 393 394 s->init_num = 0; 395 break; 396 397 case SSL3_ST_CW_CERT_VRFY_A: 398 case SSL3_ST_CW_CERT_VRFY_B: 399 dtls1_start_timer(s); 400 ret = dtls1_send_client_verify(s); 401 if (ret <= 0) 402 goto end; 403 s->state = SSL3_ST_CW_CHANGE_A; 404 s->init_num = 0; 405 s->s3->change_cipher_spec = 0; 406 break; 407 408 case SSL3_ST_CW_CHANGE_A: 409 case SSL3_ST_CW_CHANGE_B: 410 if (!s->hit) 411 dtls1_start_timer(s); 412 ret = dtls1_send_change_cipher_spec(s, 413 SSL3_ST_CW_CHANGE_A, 414 SSL3_ST_CW_CHANGE_B); 415 if (ret <= 0) 416 goto end; 417 s->state = SSL3_ST_CW_FINISHED_A; 418 s->init_num = 0; 419 420 s->session->cipher = s->s3->tmp.new_cipher; 421#ifdef OPENSSL_NO_COMP 422 s->session->compress_meth = 0; 423#else 424 if (s->s3->tmp.new_compression == NULL) 425 s->session->compress_meth = 0; 426 else 427 s->session->compress_meth = s->s3->tmp.new_compression->id; 428#endif 429 if (!s->method->ssl3_enc->setup_key_block(s)) { 430 ret = -1; 431 goto end; 432 } 433 434 if (!s->method->ssl3_enc->change_cipher_state(s, 435 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) 436 { 437 ret = -1; 438 goto end; 439 } 440 441 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); 442 break; 443 444 case SSL3_ST_CW_FINISHED_A: 445 case SSL3_ST_CW_FINISHED_B: 446 if (!s->hit) 447 dtls1_start_timer(s); 448 ret = dtls1_send_finished(s, 449 SSL3_ST_CW_FINISHED_A, 450 SSL3_ST_CW_FINISHED_B, 451 s->method-> 452 ssl3_enc->client_finished_label, 453 s->method-> 454 ssl3_enc->client_finished_label_len); 455 if (ret <= 0) 456 goto end; 457 s->state = SSL3_ST_CW_FLUSH; 458 459 /* clear flags */ 460 s->s3->flags &= ~SSL3_FLAGS_POP_BUFFER; 461 if (s->hit) { 462 s->s3->tmp.next_state = SSL_ST_OK; 463 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) { 464 s->state = SSL_ST_OK; 465 s->s3->flags |= SSL3_FLAGS_POP_BUFFER; 466 s->s3->delay_buf_pop_ret = 0; 467 } 468 } else { 469#ifndef OPENSSL_NO_TLSEXT 470 /* 471 * Allow NewSessionTicket if ticket expected 472 */ 473 if (s->tlsext_ticket_expected) 474 s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A; 475 else 476#endif 477 478 s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A; 479 } 480 s->init_num = 0; 481 482 break; 483 484#ifndef OPENSSL_NO_TLSEXT 485 case SSL3_ST_CR_SESSION_TICKET_A: 486 case SSL3_ST_CR_SESSION_TICKET_B: 487 ret = ssl3_get_new_session_ticket(s); 488 if (ret <= 0) 489 goto end; 490 s->state = SSL3_ST_CR_FINISHED_A; 491 s->init_num = 0; 492 break; 493 494 case SSL3_ST_CR_CERT_STATUS_A: 495 case SSL3_ST_CR_CERT_STATUS_B: 496 ret = ssl3_get_cert_status(s); 497 if (ret <= 0) 498 goto end; 499 s->state = SSL3_ST_CR_KEY_EXCH_A; 500 s->init_num = 0; 501 break; 502#endif 503 504 case SSL3_ST_CR_FINISHED_A: 505 case SSL3_ST_CR_FINISHED_B: 506 s->d1->change_cipher_spec_ok = 1; 507 ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A, 508 SSL3_ST_CR_FINISHED_B); 509 if (ret <= 0) 510 goto end; 511 dtls1_stop_timer(s); 512 513 if (s->hit) 514 s->state = SSL3_ST_CW_CHANGE_A; 515 else 516 s->state = SSL_ST_OK; 517 s->init_num = 0; 518 break; 519 520 case SSL3_ST_CW_FLUSH: 521 s->rwstate = SSL_WRITING; 522 if (BIO_flush(s->wbio) <= 0) { 523 ret = -1; 524 goto end; 525 } 526 s->rwstate = SSL_NOTHING; 527 s->state = s->s3->tmp.next_state; 528 break; 529 530 case SSL_ST_OK: 531 /* clean a few things up */ 532 ssl3_cleanup_key_block(s); 533 534#if 0 535 if (s->init_buf != NULL) { 536 BUF_MEM_free(s->init_buf); 537 s->init_buf = NULL; 538 } 539#endif 540 541 /* 542 * If we are not 'joining' the last two packets, remove the 543 * buffering now 544 */ 545 if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER)) 546 ssl_free_wbio_buffer(s); 547 /* else do it later in ssl3_write */ 548 549 s->init_num = 0; 550 s->new_session = 0; 551 552 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); 553 if (s->hit) 554 s->ctx->stats.sess_hit++; 555 556 ret = 1; 557 /* s->server=0; */ 558 s->handshake_func = dtls1_connect; 559 s->ctx->stats.sess_connect_good++; 560 561 if (cb != NULL) 562 cb(s, SSL_CB_HANDSHAKE_DONE, 1); 563 564 /* done with handshaking */ 565 s->d1->handshake_read_seq = 0; 566 s->d1->next_handshake_write_seq = 0; 567 goto end; 568 /* break; */ 569 570 default: 571 SSLerr(SSL_F_DTLS1_CONNECT, SSL_R_UNKNOWN_STATE); 572 ret = -1; 573 goto end; 574 /* break; */ 575 } 576 577 /* did we do anything */ 578 if (!s->s3->tmp.reuse_message && !skip) { 579 if (s->debug) { 580 if ((ret = BIO_flush(s->wbio)) <= 0) 581 goto end; 582 } 583 584 if ((cb != NULL) && (s->state != state)) { 585 new_state = s->state; 586 s->state = state; 587 cb(s, SSL_CB_CONNECT_LOOP, 1); 588 s->state = new_state; 589 } 590 } 591 skip = 0; 592 } 593 end: 594 s->in_handshake--; 595 if (buf != NULL) 596 BUF_MEM_free(buf); 597 if (cb != NULL) 598 cb(s, SSL_CB_CONNECT_EXIT, ret); 599 return (ret); 600} 601 602int dtls1_client_hello(SSL *s) 603{ 604 unsigned char *buf; 605 unsigned char *p, *d; 606 unsigned int i, j; 607 unsigned long Time, l; 608 SSL_COMP *comp; 609 610 buf = (unsigned char *)s->init_buf->data; 611 if (s->state == SSL3_ST_CW_CLNT_HELLO_A) { 612 SSL_SESSION *sess = s->session; 613 if ((s->session == NULL) || (s->session->ssl_version != s->version) || 614#ifdef OPENSSL_NO_TLSEXT 615 !sess->session_id_length || 616#else 617 (!sess->session_id_length && !sess->tlsext_tick) || 618#endif 619 (s->session->not_resumable)) { 620 if (!ssl_get_new_session(s, 0)) 621 goto err; 622 } 623 /* else use the pre-loaded session */ 624 625 p = s->s3->client_random; 626 /* 627 * if client_random is initialized, reuse it, we are required to use 628 * same upon reply to HelloVerify 629 */ 630 for (i = 0; p[i] == '\0' && i < sizeof(s->s3->client_random); i++) ; 631 if (i == sizeof(s->s3->client_random)) { 632 Time = (unsigned long)time(NULL); /* Time */ 633 l2n(Time, p); 634 RAND_pseudo_bytes(p, SSL3_RANDOM_SIZE - 4); 635 } 636 637 /* Do the message type and length last */ 638 d = p = &(buf[DTLS1_HM_HEADER_LENGTH]); 639 640 *(p++) = s->version >> 8; 641 *(p++) = s->version & 0xff; 642 s->client_version = s->version; 643 644 /* Random stuff */ 645 memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE); 646 p += SSL3_RANDOM_SIZE; 647 648 /* Session ID */ 649 if (s->new_session) 650 i = 0; 651 else 652 i = s->session->session_id_length; 653 *(p++) = i; 654 if (i != 0) { 655 if (i > sizeof s->session->session_id) { 656 SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 657 goto err; 658 } 659 memcpy(p, s->session->session_id, i); 660 p += i; 661 } 662 663 /* cookie stuff */ 664 if (s->d1->cookie_len > sizeof(s->d1->cookie)) { 665 SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 666 goto err; 667 } 668 *(p++) = s->d1->cookie_len; 669 memcpy(p, s->d1->cookie, s->d1->cookie_len); 670 p += s->d1->cookie_len; 671 672 /* Ciphers supported */ 673 i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &(p[2]), 0); 674 if (i == 0) { 675 SSLerr(SSL_F_DTLS1_CLIENT_HELLO, SSL_R_NO_CIPHERS_AVAILABLE); 676 goto err; 677 } 678 s2n(i, p); 679 p += i; 680 681 /* COMPRESSION */ 682 if (s->ctx->comp_methods == NULL) 683 j = 0; 684 else 685 j = sk_SSL_COMP_num(s->ctx->comp_methods); 686 *(p++) = 1 + j; 687 for (i = 0; i < j; i++) { 688 comp = sk_SSL_COMP_value(s->ctx->comp_methods, i); 689 *(p++) = comp->id; 690 } 691 *(p++) = 0; /* Add the NULL method */ 692 693#ifndef OPENSSL_NO_TLSEXT 694 if ((p = 695 ssl_add_clienthello_tlsext(s, p, 696 buf + SSL3_RT_MAX_PLAIN_LENGTH)) == 697 NULL) { 698 SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 699 goto err; 700 } 701#endif 702 703 l = (p - d); 704 d = buf; 705 706 d = dtls1_set_message_header(s, d, SSL3_MT_CLIENT_HELLO, l, 0, l); 707 708 s->state = SSL3_ST_CW_CLNT_HELLO_B; 709 /* number of bytes to write */ 710 s->init_num = p - buf; 711 s->init_off = 0; 712 713 /* buffer the message to handle re-xmits */ 714 dtls1_buffer_message(s, 0); 715 } 716 717 /* SSL3_ST_CW_CLNT_HELLO_B */ 718 return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); 719 err: 720 return (-1); 721} 722 723static int dtls1_get_hello_verify(SSL *s) 724{ 725 int n, al, ok = 0; 726 unsigned char *data; 727 unsigned int cookie_len; 728 729 n = s->method->ssl_get_message(s, 730 DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A, 731 DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, 732 -1, s->max_cert_list, &ok); 733 734 if (!ok) 735 return ((int)n); 736 737 if (s->s3->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) { 738 s->d1->send_cookie = 0; 739 s->s3->tmp.reuse_message = 1; 740 return (1); 741 } 742 743 data = (unsigned char *)s->init_msg; 744 745 if ((data[0] != (s->version >> 8)) || (data[1] != (s->version & 0xff))) { 746 SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY, SSL_R_WRONG_SSL_VERSION); 747 s->version = (s->version & 0xff00) | data[1]; 748 al = SSL_AD_PROTOCOL_VERSION; 749 goto f_err; 750 } 751 data += 2; 752 753 cookie_len = *(data++); 754 if (cookie_len > sizeof(s->d1->cookie)) { 755 al = SSL_AD_ILLEGAL_PARAMETER; 756 goto f_err; 757 } 758 759 memcpy(s->d1->cookie, data, cookie_len); 760 s->d1->cookie_len = cookie_len; 761 762 s->d1->send_cookie = 1; 763 return 1; 764 765 f_err: 766 ssl3_send_alert(s, SSL3_AL_FATAL, al); 767 return -1; 768} 769 770int dtls1_send_client_key_exchange(SSL *s) 771{ 772 unsigned char *p, *d; 773 int n; 774 unsigned long l; 775#ifndef OPENSSL_NO_RSA 776 unsigned char *q; 777 EVP_PKEY *pkey = NULL; 778#endif 779#ifndef OPENSSL_NO_KRB5 780 KSSL_ERR kssl_err; 781#endif /* OPENSSL_NO_KRB5 */ 782 783 if (s->state == SSL3_ST_CW_KEY_EXCH_A) { 784 d = (unsigned char *)s->init_buf->data; 785 p = &(d[DTLS1_HM_HEADER_LENGTH]); 786 787 l = s->s3->tmp.new_cipher->algorithms; 788 789 /* Fool emacs indentation */ 790 if (0) { 791 } 792#ifndef OPENSSL_NO_RSA 793 else if (l & SSL_kRSA) { 794 RSA *rsa; 795 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 796 797 if (s->session->sess_cert == NULL) { 798 /* 799 * We should always have a server certificate with SSL_kRSA. 800 */ 801 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 802 ERR_R_INTERNAL_ERROR); 803 goto err; 804 } 805 806 if (s->session->sess_cert->peer_rsa_tmp != NULL) 807 rsa = s->session->sess_cert->peer_rsa_tmp; 808 else { 809 pkey = 810 X509_get_pubkey(s->session-> 811 sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC]. 812 x509); 813 if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) 814 || (pkey->pkey.rsa == NULL)) { 815 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 816 ERR_R_INTERNAL_ERROR); 817 goto err; 818 } 819 rsa = pkey->pkey.rsa; 820 EVP_PKEY_free(pkey); 821 } 822 823 tmp_buf[0] = s->client_version >> 8; 824 tmp_buf[1] = s->client_version & 0xff; 825 if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0) 826 goto err; 827 828 s->session->master_key_length = sizeof tmp_buf; 829 830 q = p; 831 /* Fix buf for TLS and [incidentally] DTLS */ 832 if (s->version > SSL3_VERSION) 833 p += 2; 834 n = RSA_public_encrypt(sizeof tmp_buf, 835 tmp_buf, p, rsa, RSA_PKCS1_PADDING); 836# ifdef PKCS1_CHECK 837 if (s->options & SSL_OP_PKCS1_CHECK_1) 838 p[1]++; 839 if (s->options & SSL_OP_PKCS1_CHECK_2) 840 tmp_buf[0] = 0x70; 841# endif 842 if (n <= 0) { 843 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 844 SSL_R_BAD_RSA_ENCRYPT); 845 goto err; 846 } 847 848 /* Fix buf for TLS and [incidentally] DTLS */ 849 if (s->version > SSL3_VERSION) { 850 s2n(n, q); 851 n += 2; 852 } 853 854 s->session->master_key_length = 855 s->method->ssl3_enc->generate_master_secret(s, 856 s-> 857 session->master_key, 858 tmp_buf, 859 sizeof tmp_buf); 860 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 861 } 862#endif 863#ifndef OPENSSL_NO_KRB5 864 else if (l & SSL_kKRB5) { 865 krb5_error_code krb5rc; 866 KSSL_CTX *kssl_ctx = s->kssl_ctx; 867 /* krb5_data krb5_ap_req; */ 868 krb5_data *enc_ticket; 869 krb5_data authenticator, *authp = NULL; 870 EVP_CIPHER_CTX ciph_ctx; 871 EVP_CIPHER *enc = NULL; 872 unsigned char iv[EVP_MAX_IV_LENGTH]; 873 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 874 unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH + EVP_MAX_IV_LENGTH]; 875 int padl, outl = sizeof(epms); 876 877 EVP_CIPHER_CTX_init(&ciph_ctx); 878 879# ifdef KSSL_DEBUG 880 printf("ssl3_send_client_key_exchange(%lx & %lx)\n", 881 l, SSL_kKRB5); 882# endif /* KSSL_DEBUG */ 883 884 authp = NULL; 885# ifdef KRB5SENDAUTH 886 if (KRB5SENDAUTH) 887 authp = &authenticator; 888# endif /* KRB5SENDAUTH */ 889 890 krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp, &kssl_err); 891 enc = kssl_map_enc(kssl_ctx->enctype); 892 if (enc == NULL) 893 goto err; 894# ifdef KSSL_DEBUG 895 { 896 printf("kssl_cget_tkt rtn %d\n", krb5rc); 897 if (krb5rc && kssl_err.text) 898 printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text); 899 } 900# endif /* KSSL_DEBUG */ 901 902 if (krb5rc) { 903 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 904 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, kssl_err.reason); 905 goto err; 906 } 907 908 /*- 909 * 20010406 VRS - Earlier versions used KRB5 AP_REQ 910 ** in place of RFC 2712 KerberosWrapper, as in: 911 ** 912 ** Send ticket (copy to *p, set n = length) 913 ** n = krb5_ap_req.length; 914 ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length); 915 ** if (krb5_ap_req.data) 916 ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req); 917 ** 918 ** Now using real RFC 2712 KerberosWrapper 919 ** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>) 920 ** Note: 2712 "opaque" types are here replaced 921 ** with a 2-byte length followed by the value. 922 ** Example: 923 ** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms 924 ** Where "xx xx" = length bytes. Shown here with 925 ** optional authenticator omitted. 926 */ 927 928 /* KerberosWrapper.Ticket */ 929 s2n(enc_ticket->length, p); 930 memcpy(p, enc_ticket->data, enc_ticket->length); 931 p += enc_ticket->length; 932 n = enc_ticket->length + 2; 933 934 /* KerberosWrapper.Authenticator */ 935 if (authp && authp->length) { 936 s2n(authp->length, p); 937 memcpy(p, authp->data, authp->length); 938 p += authp->length; 939 n += authp->length + 2; 940 941 free(authp->data); 942 authp->data = NULL; 943 authp->length = 0; 944 } else { 945 s2n(0, p); /* null authenticator length */ 946 n += 2; 947 } 948 949 if (RAND_bytes(tmp_buf, sizeof tmp_buf) <= 0) 950 goto err; 951 952 /*- 953 * 20010420 VRS. Tried it this way; failed. 954 * EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL); 955 * EVP_CIPHER_CTX_set_key_length(&ciph_ctx, 956 * kssl_ctx->length); 957 * EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv); 958 */ 959 960 memset(iv, 0, sizeof iv); /* per RFC 1510 */ 961 EVP_EncryptInit_ex(&ciph_ctx, enc, NULL, kssl_ctx->key, iv); 962 EVP_EncryptUpdate(&ciph_ctx, epms, &outl, tmp_buf, 963 sizeof tmp_buf); 964 EVP_EncryptFinal_ex(&ciph_ctx, &(epms[outl]), &padl); 965 outl += padl; 966 if (outl > sizeof epms) { 967 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 968 ERR_R_INTERNAL_ERROR); 969 goto err; 970 } 971 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 972 973 /* KerberosWrapper.EncryptedPreMasterSecret */ 974 s2n(outl, p); 975 memcpy(p, epms, outl); 976 p += outl; 977 n += outl + 2; 978 979 s->session->master_key_length = 980 s->method->ssl3_enc->generate_master_secret(s, 981 s-> 982 session->master_key, 983 tmp_buf, 984 sizeof tmp_buf); 985 986 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 987 OPENSSL_cleanse(epms, outl); 988 } 989#endif 990#ifndef OPENSSL_NO_DH 991 else if (l & (SSL_kEDH | SSL_kDHr | SSL_kDHd)) { 992 DH *dh_srvr, *dh_clnt; 993 994 if (s->session->sess_cert == NULL) { 995 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); 996 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 997 SSL_R_UNEXPECTED_MESSAGE); 998 goto err; 999 } 1000 1001 if (s->session->sess_cert->peer_dh_tmp != NULL) 1002 dh_srvr = s->session->sess_cert->peer_dh_tmp; 1003 else { 1004 /* we get them from the cert */ 1005 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 1006 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1007 SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); 1008 goto err; 1009 } 1010 1011 /* generate a new random key */ 1012 if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL) { 1013 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB); 1014 goto err; 1015 } 1016 if (!DH_generate_key(dh_clnt)) { 1017 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB); 1018 goto err; 1019 } 1020 1021 /* 1022 * use the 'p' output buffer for the DH key, but make sure to 1023 * clear it out afterwards 1024 */ 1025 1026 n = DH_compute_key(p, dh_srvr->pub_key, dh_clnt); 1027 1028 if (n <= 0) { 1029 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB); 1030 goto err; 1031 } 1032 1033 /* generate master key from the result */ 1034 s->session->master_key_length = 1035 s->method->ssl3_enc->generate_master_secret(s, 1036 s-> 1037 session->master_key, 1038 p, n); 1039 /* clean up */ 1040 memset(p, 0, n); 1041 1042 /* send off the data */ 1043 n = BN_num_bytes(dh_clnt->pub_key); 1044 s2n(n, p); 1045 BN_bn2bin(dh_clnt->pub_key, p); 1046 n += 2; 1047 1048 DH_free(dh_clnt); 1049 1050 /* perhaps clean things up a bit EAY EAY EAY EAY */ 1051 } 1052#endif 1053 else { 1054 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 1055 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1056 ERR_R_INTERNAL_ERROR); 1057 goto err; 1058 } 1059 1060 d = dtls1_set_message_header(s, d, 1061 SSL3_MT_CLIENT_KEY_EXCHANGE, n, 0, n); 1062 /*- 1063 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE; 1064 l2n3(n,d); 1065 l2n(s->d1->handshake_write_seq,d); 1066 s->d1->handshake_write_seq++; 1067 */ 1068 1069 s->state = SSL3_ST_CW_KEY_EXCH_B; 1070 /* number of bytes to write */ 1071 s->init_num = n + DTLS1_HM_HEADER_LENGTH; 1072 s->init_off = 0; 1073 1074 /* buffer the message to handle re-xmits */ 1075 dtls1_buffer_message(s, 0); 1076 } 1077 1078 /* SSL3_ST_CW_KEY_EXCH_B */ 1079 return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); 1080 err: 1081 return (-1); 1082} 1083 1084int dtls1_send_client_verify(SSL *s) 1085{ 1086 unsigned char *p, *d; 1087 unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; 1088 EVP_PKEY *pkey; 1089#ifndef OPENSSL_NO_RSA 1090 unsigned u = 0; 1091#endif 1092 unsigned long n; 1093#ifndef OPENSSL_NO_DSA 1094 int j; 1095#endif 1096 1097 if (s->state == SSL3_ST_CW_CERT_VRFY_A) { 1098 d = (unsigned char *)s->init_buf->data; 1099 p = &(d[DTLS1_HM_HEADER_LENGTH]); 1100 pkey = s->cert->key->privatekey; 1101 1102 s->method->ssl3_enc->cert_verify_mac(s, &(s->s3->finish_dgst2), 1103 &(data[MD5_DIGEST_LENGTH])); 1104 1105#ifndef OPENSSL_NO_RSA 1106 if (pkey->type == EVP_PKEY_RSA) { 1107 s->method->ssl3_enc->cert_verify_mac(s, 1108 &(s->s3->finish_dgst1), 1109 &(data[0])); 1110 if (RSA_sign 1111 (NID_md5_sha1, data, MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, 1112 &(p[2]), &u, pkey->pkey.rsa) <= 0) { 1113 SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY, ERR_R_RSA_LIB); 1114 goto err; 1115 } 1116 s2n(u, p); 1117 n = u + 2; 1118 } else 1119#endif 1120#ifndef OPENSSL_NO_DSA 1121 if (pkey->type == EVP_PKEY_DSA) { 1122 if (!DSA_sign(pkey->save_type, 1123 &(data[MD5_DIGEST_LENGTH]), 1124 SHA_DIGEST_LENGTH, &(p[2]), 1125 (unsigned int *)&j, pkey->pkey.dsa)) { 1126 SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY, ERR_R_DSA_LIB); 1127 goto err; 1128 } 1129 s2n(j, p); 1130 n = j + 2; 1131 } else 1132#endif 1133 { 1134 SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR); 1135 goto err; 1136 } 1137 1138 d = dtls1_set_message_header(s, d, 1139 SSL3_MT_CERTIFICATE_VERIFY, n, 0, n); 1140 1141 s->init_num = (int)n + DTLS1_HM_HEADER_LENGTH; 1142 s->init_off = 0; 1143 1144 /* buffer the message to handle re-xmits */ 1145 dtls1_buffer_message(s, 0); 1146 1147 s->state = SSL3_ST_CW_CERT_VRFY_B; 1148 } 1149 1150 /* s->state = SSL3_ST_CW_CERT_VRFY_B */ 1151 return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); 1152 err: 1153 return (-1); 1154} 1155 1156int dtls1_send_client_certificate(SSL *s) 1157{ 1158 X509 *x509 = NULL; 1159 EVP_PKEY *pkey = NULL; 1160 int i; 1161 unsigned long l; 1162 1163 if (s->state == SSL3_ST_CW_CERT_A) { 1164 if ((s->cert == NULL) || 1165 (s->cert->key->x509 == NULL) || 1166 (s->cert->key->privatekey == NULL)) 1167 s->state = SSL3_ST_CW_CERT_B; 1168 else 1169 s->state = SSL3_ST_CW_CERT_C; 1170 } 1171 1172 /* We need to get a client cert */ 1173 if (s->state == SSL3_ST_CW_CERT_B) { 1174 /* 1175 * If we get an error, we need to ssl->rwstate=SSL_X509_LOOKUP; 1176 * return(-1); We then get retied later 1177 */ 1178 i = 0; 1179 i = ssl_do_client_cert_cb(s, &x509, &pkey); 1180 if (i < 0) { 1181 s->rwstate = SSL_X509_LOOKUP; 1182 return (-1); 1183 } 1184 s->rwstate = SSL_NOTHING; 1185 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) { 1186 s->state = SSL3_ST_CW_CERT_B; 1187 if (!SSL_use_certificate(s, x509) || !SSL_use_PrivateKey(s, pkey)) 1188 i = 0; 1189 } else if (i == 1) { 1190 i = 0; 1191 SSLerr(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE, 1192 SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); 1193 } 1194 1195 if (x509 != NULL) 1196 X509_free(x509); 1197 if (pkey != NULL) 1198 EVP_PKEY_free(pkey); 1199 if (i == 0) { 1200 if (s->version == SSL3_VERSION) { 1201 s->s3->tmp.cert_req = 0; 1202 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE); 1203 return (1); 1204 } else { 1205 s->s3->tmp.cert_req = 2; 1206 } 1207 } 1208 1209 /* Ok, we have a cert */ 1210 s->state = SSL3_ST_CW_CERT_C; 1211 } 1212 1213 if (s->state == SSL3_ST_CW_CERT_C) { 1214 s->state = SSL3_ST_CW_CERT_D; 1215 l = dtls1_output_cert_chain(s, 1216 (s->s3->tmp.cert_req == 1217 2) ? NULL : s->cert->key->x509); 1218 s->init_num = (int)l; 1219 s->init_off = 0; 1220 1221 /* set header called by dtls1_output_cert_chain() */ 1222 1223 /* buffer the message to handle re-xmits */ 1224 dtls1_buffer_message(s, 0); 1225 } 1226 /* SSL3_ST_CW_CERT_D */ 1227 return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); 1228} 1229