d1_clnt.c revision 306230
1/* ssl/d1_clnt.c */ 2/* 3 * DTLS implementation written by Nagendra Modadugu 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 5 */ 6/* ==================================================================== 7 * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * openssl-core@OpenSSL.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 * 54 * This product includes cryptographic software written by Eric Young 55 * (eay@cryptsoft.com). This product includes software written by Tim 56 * Hudson (tjh@cryptsoft.com). 57 * 58 */ 59/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 60 * All rights reserved. 61 * 62 * This package is an SSL implementation written 63 * by Eric Young (eay@cryptsoft.com). 64 * The implementation was written so as to conform with Netscapes SSL. 65 * 66 * This library is free for commercial and non-commercial use as long as 67 * the following conditions are aheared to. The following conditions 68 * apply to all code found in this distribution, be it the RC4, RSA, 69 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 70 * included with this distribution is covered by the same copyright terms 71 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 72 * 73 * Copyright remains Eric Young's, and as such any Copyright notices in 74 * the code are not to be removed. 75 * If this package is used in a product, Eric Young should be given attribution 76 * as the author of the parts of the library used. 77 * This can be in the form of a textual message at program startup or 78 * in documentation (online or textual) provided with the package. 79 * 80 * Redistribution and use in source and binary forms, with or without 81 * modification, are permitted provided that the following conditions 82 * are met: 83 * 1. Redistributions of source code must retain the copyright 84 * notice, this list of conditions and the following disclaimer. 85 * 2. Redistributions in binary form must reproduce the above copyright 86 * notice, this list of conditions and the following disclaimer in the 87 * documentation and/or other materials provided with the distribution. 88 * 3. All advertising materials mentioning features or use of this software 89 * must display the following acknowledgement: 90 * "This product includes cryptographic software written by 91 * Eric Young (eay@cryptsoft.com)" 92 * The word 'cryptographic' can be left out if the rouines from the library 93 * being used are not cryptographic related :-). 94 * 4. If you include any Windows specific code (or a derivative thereof) from 95 * the apps directory (application code) you must include an acknowledgement: 96 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 97 * 98 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 99 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 100 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 101 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 102 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 103 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 104 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 105 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 106 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 107 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 108 * SUCH DAMAGE. 109 * 110 * The licence and distribution terms for any publically available version or 111 * derivative of this code cannot be changed. i.e. this code cannot simply be 112 * copied and put under another distribution licence 113 * [including the GNU Public Licence.] 114 */ 115 116#include <stdio.h> 117#include "ssl_locl.h" 118#include "kssl_lcl.h" 119#include <openssl/buffer.h> 120#include <openssl/rand.h> 121#include <openssl/objects.h> 122#include <openssl/evp.h> 123#include <openssl/md5.h> 124#ifndef OPENSSL_NO_DH 125# include <openssl/dh.h> 126#endif 127 128static SSL_METHOD *dtls1_get_client_method(int ver); 129static int dtls1_get_hello_verify(SSL *s); 130 131static SSL_METHOD *dtls1_get_client_method(int ver) 132{ 133 if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER) 134 return (DTLSv1_client_method()); 135 else 136 return (NULL); 137} 138 139IMPLEMENT_dtls1_meth_func(DTLSv1_client_method, 140 ssl_undefined_function, 141 dtls1_connect, dtls1_get_client_method) 142 143int dtls1_connect(SSL *s) 144{ 145 BUF_MEM *buf = NULL; 146 unsigned long Time = (unsigned long)time(NULL); 147 void (*cb) (const SSL *ssl, int type, int val) = NULL; 148 int ret = -1; 149 int new_state, state, skip = 0;; 150 151 RAND_add(&Time, sizeof(Time), 0); 152 ERR_clear_error(); 153 clear_sys_error(); 154 155 if (s->info_callback != NULL) 156 cb = s->info_callback; 157 else if (s->ctx->info_callback != NULL) 158 cb = s->ctx->info_callback; 159 160 s->in_handshake++; 161 if (!SSL_in_init(s) || SSL_in_before(s)) 162 SSL_clear(s); 163 164 for (;;) { 165 state = s->state; 166 167 switch (s->state) { 168 case SSL_ST_RENEGOTIATE: 169 s->new_session = 1; 170 s->state = SSL_ST_CONNECT; 171 s->ctx->stats.sess_connect_renegotiate++; 172 /* break */ 173 case SSL_ST_BEFORE: 174 case SSL_ST_CONNECT: 175 case SSL_ST_BEFORE | SSL_ST_CONNECT: 176 case SSL_ST_OK | SSL_ST_CONNECT: 177 178 s->server = 0; 179 if (cb != NULL) 180 cb(s, SSL_CB_HANDSHAKE_START, 1); 181 182 if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00) && 183 (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00)) { 184 SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR); 185 ret = -1; 186 goto end; 187 } 188 189 /* s->version=SSL3_VERSION; */ 190 s->type = SSL_ST_CONNECT; 191 192 if (s->init_buf == NULL) { 193 if ((buf = BUF_MEM_new()) == NULL) { 194 ret = -1; 195 goto end; 196 } 197 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) { 198 ret = -1; 199 goto end; 200 } 201 s->init_buf = buf; 202 buf = NULL; 203 } 204 205 if (!ssl3_setup_buffers(s)) { 206 ret = -1; 207 goto end; 208 } 209 210 /* setup buffing BIO */ 211 if (!ssl_init_wbio_buffer(s, 0)) { 212 ret = -1; 213 goto end; 214 } 215 216 /* don't push the buffering BIO quite yet */ 217 218 s->state = SSL3_ST_CW_CLNT_HELLO_A; 219 s->ctx->stats.sess_connect++; 220 s->init_num = 0; 221 /* mark client_random uninitialized */ 222 memset(s->s3->client_random, 0, sizeof(s->s3->client_random)); 223 s->d1->send_cookie = 0; 224 s->hit = 0; 225 break; 226 227 case SSL3_ST_CW_CLNT_HELLO_A: 228 case SSL3_ST_CW_CLNT_HELLO_B: 229 230 s->shutdown = 0; 231 232 /* every DTLS ClientHello resets Finished MAC */ 233 ssl3_init_finished_mac(s); 234 235 dtls1_start_timer(s); 236 ret = dtls1_client_hello(s); 237 if (ret <= 0) 238 goto end; 239 240 if (s->d1->send_cookie) { 241 s->state = SSL3_ST_CW_FLUSH; 242 s->s3->tmp.next_state = SSL3_ST_CR_SRVR_HELLO_A; 243 } else 244 s->state = SSL3_ST_CR_SRVR_HELLO_A; 245 246 s->init_num = 0; 247 248 /* turn on buffering for the next lot of output */ 249 if (s->bbio != s->wbio) 250 s->wbio = BIO_push(s->bbio, s->wbio); 251 252 break; 253 254 case SSL3_ST_CR_SRVR_HELLO_A: 255 case SSL3_ST_CR_SRVR_HELLO_B: 256 ret = ssl3_get_server_hello(s); 257 if (ret <= 0) 258 goto end; 259 else { 260 if (s->hit) 261 s->state = SSL3_ST_CR_FINISHED_A; 262 else 263 s->state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A; 264 } 265 s->init_num = 0; 266 break; 267 268 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: 269 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B: 270 271 ret = dtls1_get_hello_verify(s); 272 if (ret <= 0) 273 goto end; 274 dtls1_stop_timer(s); 275 if (s->d1->send_cookie) /* start again, with a cookie */ 276 s->state = SSL3_ST_CW_CLNT_HELLO_A; 277 else 278 s->state = SSL3_ST_CR_CERT_A; 279 s->init_num = 0; 280 break; 281 282 case SSL3_ST_CR_CERT_A: 283 case SSL3_ST_CR_CERT_B: 284#ifndef OPENSSL_NO_TLSEXT 285 ret = ssl3_check_finished(s); 286 if (ret <= 0) 287 goto end; 288 if (ret == 2) { 289 s->hit = 1; 290 if (s->tlsext_ticket_expected) 291 s->state = SSL3_ST_CR_SESSION_TICKET_A; 292 else 293 s->state = SSL3_ST_CR_FINISHED_A; 294 s->init_num = 0; 295 break; 296 } 297#endif 298 /* Check if it is anon DH */ 299 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) { 300 ret = ssl3_get_server_certificate(s); 301 if (ret <= 0) 302 goto end; 303#ifndef OPENSSL_NO_TLSEXT 304 if (s->tlsext_status_expected) 305 s->state = SSL3_ST_CR_CERT_STATUS_A; 306 else 307 s->state = SSL3_ST_CR_KEY_EXCH_A; 308 } else { 309 skip = 1; 310 s->state = SSL3_ST_CR_KEY_EXCH_A; 311 } 312#else 313 } else 314 skip = 1; 315 316 s->state = SSL3_ST_CR_KEY_EXCH_A; 317#endif 318 s->init_num = 0; 319 break; 320 321 case SSL3_ST_CR_KEY_EXCH_A: 322 case SSL3_ST_CR_KEY_EXCH_B: 323 ret = ssl3_get_key_exchange(s); 324 if (ret <= 0) 325 goto end; 326 s->state = SSL3_ST_CR_CERT_REQ_A; 327 s->init_num = 0; 328 329 /* 330 * at this point we check that we have the required stuff from 331 * the server 332 */ 333 if (!ssl3_check_cert_and_algorithm(s)) { 334 ret = -1; 335 goto end; 336 } 337 break; 338 339 case SSL3_ST_CR_CERT_REQ_A: 340 case SSL3_ST_CR_CERT_REQ_B: 341 ret = ssl3_get_certificate_request(s); 342 if (ret <= 0) 343 goto end; 344 s->state = SSL3_ST_CR_SRVR_DONE_A; 345 s->init_num = 0; 346 break; 347 348 case SSL3_ST_CR_SRVR_DONE_A: 349 case SSL3_ST_CR_SRVR_DONE_B: 350 ret = ssl3_get_server_done(s); 351 if (ret <= 0) 352 goto end; 353 dtls1_stop_timer(s); 354 if (s->s3->tmp.cert_req) 355 s->state = SSL3_ST_CW_CERT_A; 356 else 357 s->state = SSL3_ST_CW_KEY_EXCH_A; 358 s->init_num = 0; 359 360 break; 361 362 case SSL3_ST_CW_CERT_A: 363 case SSL3_ST_CW_CERT_B: 364 case SSL3_ST_CW_CERT_C: 365 case SSL3_ST_CW_CERT_D: 366 dtls1_start_timer(s); 367 ret = dtls1_send_client_certificate(s); 368 if (ret <= 0) 369 goto end; 370 s->state = SSL3_ST_CW_KEY_EXCH_A; 371 s->init_num = 0; 372 break; 373 374 case SSL3_ST_CW_KEY_EXCH_A: 375 case SSL3_ST_CW_KEY_EXCH_B: 376 dtls1_start_timer(s); 377 ret = dtls1_send_client_key_exchange(s); 378 if (ret <= 0) 379 goto end; 380 /* 381 * EAY EAY EAY need to check for DH fix cert sent back 382 */ 383 /* 384 * For TLS, cert_req is set to 2, so a cert chain of nothing is 385 * sent, but no verify packet is sent 386 */ 387 if (s->s3->tmp.cert_req == 1) { 388 s->state = SSL3_ST_CW_CERT_VRFY_A; 389 } else { 390 s->state = SSL3_ST_CW_CHANGE_A; 391 s->s3->change_cipher_spec = 0; 392 } 393 394 s->init_num = 0; 395 break; 396 397 case SSL3_ST_CW_CERT_VRFY_A: 398 case SSL3_ST_CW_CERT_VRFY_B: 399 dtls1_start_timer(s); 400 ret = dtls1_send_client_verify(s); 401 if (ret <= 0) 402 goto end; 403 s->state = SSL3_ST_CW_CHANGE_A; 404 s->init_num = 0; 405 s->s3->change_cipher_spec = 0; 406 break; 407 408 case SSL3_ST_CW_CHANGE_A: 409 case SSL3_ST_CW_CHANGE_B: 410 if (!s->hit) 411 dtls1_start_timer(s); 412 ret = dtls1_send_change_cipher_spec(s, 413 SSL3_ST_CW_CHANGE_A, 414 SSL3_ST_CW_CHANGE_B); 415 if (ret <= 0) 416 goto end; 417 s->state = SSL3_ST_CW_FINISHED_A; 418 s->init_num = 0; 419 420 s->session->cipher = s->s3->tmp.new_cipher; 421#ifdef OPENSSL_NO_COMP 422 s->session->compress_meth = 0; 423#else 424 if (s->s3->tmp.new_compression == NULL) 425 s->session->compress_meth = 0; 426 else 427 s->session->compress_meth = s->s3->tmp.new_compression->id; 428#endif 429 if (!s->method->ssl3_enc->setup_key_block(s)) { 430 ret = -1; 431 goto end; 432 } 433 434 if (!s->method->ssl3_enc->change_cipher_state(s, 435 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) 436 { 437 ret = -1; 438 goto end; 439 } 440 441 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); 442 break; 443 444 case SSL3_ST_CW_FINISHED_A: 445 case SSL3_ST_CW_FINISHED_B: 446 if (!s->hit) 447 dtls1_start_timer(s); 448 ret = dtls1_send_finished(s, 449 SSL3_ST_CW_FINISHED_A, 450 SSL3_ST_CW_FINISHED_B, 451 s->method-> 452 ssl3_enc->client_finished_label, 453 s->method-> 454 ssl3_enc->client_finished_label_len); 455 if (ret <= 0) 456 goto end; 457 s->state = SSL3_ST_CW_FLUSH; 458 459 /* clear flags */ 460 s->s3->flags &= ~SSL3_FLAGS_POP_BUFFER; 461 if (s->hit) { 462 s->s3->tmp.next_state = SSL_ST_OK; 463 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) { 464 s->state = SSL_ST_OK; 465 s->s3->flags |= SSL3_FLAGS_POP_BUFFER; 466 s->s3->delay_buf_pop_ret = 0; 467 } 468 } else { 469#ifndef OPENSSL_NO_TLSEXT 470 /* 471 * Allow NewSessionTicket if ticket expected 472 */ 473 if (s->tlsext_ticket_expected) 474 s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A; 475 else 476#endif 477 478 s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A; 479 } 480 s->init_num = 0; 481 482 break; 483 484#ifndef OPENSSL_NO_TLSEXT 485 case SSL3_ST_CR_SESSION_TICKET_A: 486 case SSL3_ST_CR_SESSION_TICKET_B: 487 ret = ssl3_get_new_session_ticket(s); 488 if (ret <= 0) 489 goto end; 490 s->state = SSL3_ST_CR_FINISHED_A; 491 s->init_num = 0; 492 break; 493 494 case SSL3_ST_CR_CERT_STATUS_A: 495 case SSL3_ST_CR_CERT_STATUS_B: 496 ret = ssl3_get_cert_status(s); 497 if (ret <= 0) 498 goto end; 499 s->state = SSL3_ST_CR_KEY_EXCH_A; 500 s->init_num = 0; 501 break; 502#endif 503 504 case SSL3_ST_CR_FINISHED_A: 505 case SSL3_ST_CR_FINISHED_B: 506 s->d1->change_cipher_spec_ok = 1; 507 ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A, 508 SSL3_ST_CR_FINISHED_B); 509 if (ret <= 0) 510 goto end; 511 dtls1_stop_timer(s); 512 513 if (s->hit) 514 s->state = SSL3_ST_CW_CHANGE_A; 515 else 516 s->state = SSL_ST_OK; 517 s->init_num = 0; 518 break; 519 520 case SSL3_ST_CW_FLUSH: 521 s->rwstate = SSL_WRITING; 522 if (BIO_flush(s->wbio) <= 0) { 523 ret = -1; 524 goto end; 525 } 526 s->rwstate = SSL_NOTHING; 527 s->state = s->s3->tmp.next_state; 528 break; 529 530 case SSL_ST_OK: 531 /* clean a few things up */ 532 ssl3_cleanup_key_block(s); 533 534#if 0 535 if (s->init_buf != NULL) { 536 BUF_MEM_free(s->init_buf); 537 s->init_buf = NULL; 538 } 539#endif 540 541 /* 542 * If we are not 'joining' the last two packets, remove the 543 * buffering now 544 */ 545 if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER)) 546 ssl_free_wbio_buffer(s); 547 /* else do it later in ssl3_write */ 548 549 s->init_num = 0; 550 s->new_session = 0; 551 552 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); 553 if (s->hit) 554 s->ctx->stats.sess_hit++; 555 556 ret = 1; 557 /* s->server=0; */ 558 s->handshake_func = dtls1_connect; 559 s->ctx->stats.sess_connect_good++; 560 561 if (cb != NULL) 562 cb(s, SSL_CB_HANDSHAKE_DONE, 1); 563 564 /* done with handshaking */ 565 s->d1->handshake_read_seq = 0; 566 s->d1->next_handshake_write_seq = 0; 567 dtls1_clear_received_buffer(s); 568 goto end; 569 /* break; */ 570 571 default: 572 SSLerr(SSL_F_DTLS1_CONNECT, SSL_R_UNKNOWN_STATE); 573 ret = -1; 574 goto end; 575 /* break; */ 576 } 577 578 /* did we do anything */ 579 if (!s->s3->tmp.reuse_message && !skip) { 580 if (s->debug) { 581 if ((ret = BIO_flush(s->wbio)) <= 0) 582 goto end; 583 } 584 585 if ((cb != NULL) && (s->state != state)) { 586 new_state = s->state; 587 s->state = state; 588 cb(s, SSL_CB_CONNECT_LOOP, 1); 589 s->state = new_state; 590 } 591 } 592 skip = 0; 593 } 594 end: 595 s->in_handshake--; 596 if (buf != NULL) 597 BUF_MEM_free(buf); 598 if (cb != NULL) 599 cb(s, SSL_CB_CONNECT_EXIT, ret); 600 return (ret); 601} 602 603int dtls1_client_hello(SSL *s) 604{ 605 unsigned char *buf; 606 unsigned char *p, *d; 607 unsigned int i, j; 608 unsigned long Time, l; 609 SSL_COMP *comp; 610 611 buf = (unsigned char *)s->init_buf->data; 612 if (s->state == SSL3_ST_CW_CLNT_HELLO_A) { 613 SSL_SESSION *sess = s->session; 614 if ((s->session == NULL) || (s->session->ssl_version != s->version) || 615#ifdef OPENSSL_NO_TLSEXT 616 !sess->session_id_length || 617#else 618 (!sess->session_id_length && !sess->tlsext_tick) || 619#endif 620 (s->session->not_resumable)) { 621 if (!ssl_get_new_session(s, 0)) 622 goto err; 623 } 624 /* else use the pre-loaded session */ 625 626 p = s->s3->client_random; 627 /* 628 * if client_random is initialized, reuse it, we are required to use 629 * same upon reply to HelloVerify 630 */ 631 for (i = 0; p[i] == '\0' && i < sizeof(s->s3->client_random); i++) ; 632 if (i == sizeof(s->s3->client_random)) { 633 Time = (unsigned long)time(NULL); /* Time */ 634 l2n(Time, p); 635 RAND_pseudo_bytes(p, SSL3_RANDOM_SIZE - 4); 636 } 637 638 /* Do the message type and length last */ 639 d = p = &(buf[DTLS1_HM_HEADER_LENGTH]); 640 641 *(p++) = s->version >> 8; 642 *(p++) = s->version & 0xff; 643 s->client_version = s->version; 644 645 /* Random stuff */ 646 memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE); 647 p += SSL3_RANDOM_SIZE; 648 649 /* Session ID */ 650 if (s->new_session) 651 i = 0; 652 else 653 i = s->session->session_id_length; 654 *(p++) = i; 655 if (i != 0) { 656 if (i > sizeof s->session->session_id) { 657 SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 658 goto err; 659 } 660 memcpy(p, s->session->session_id, i); 661 p += i; 662 } 663 664 /* cookie stuff */ 665 if (s->d1->cookie_len > sizeof(s->d1->cookie)) { 666 SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 667 goto err; 668 } 669 *(p++) = s->d1->cookie_len; 670 memcpy(p, s->d1->cookie, s->d1->cookie_len); 671 p += s->d1->cookie_len; 672 673 /* Ciphers supported */ 674 i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &(p[2]), 0); 675 if (i == 0) { 676 SSLerr(SSL_F_DTLS1_CLIENT_HELLO, SSL_R_NO_CIPHERS_AVAILABLE); 677 goto err; 678 } 679 s2n(i, p); 680 p += i; 681 682 /* COMPRESSION */ 683 if (s->ctx->comp_methods == NULL) 684 j = 0; 685 else 686 j = sk_SSL_COMP_num(s->ctx->comp_methods); 687 *(p++) = 1 + j; 688 for (i = 0; i < j; i++) { 689 comp = sk_SSL_COMP_value(s->ctx->comp_methods, i); 690 *(p++) = comp->id; 691 } 692 *(p++) = 0; /* Add the NULL method */ 693 694#ifndef OPENSSL_NO_TLSEXT 695 if ((p = 696 ssl_add_clienthello_tlsext(s, p, 697 buf + SSL3_RT_MAX_PLAIN_LENGTH)) == 698 NULL) { 699 SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 700 goto err; 701 } 702#endif 703 704 l = (p - d); 705 d = buf; 706 707 d = dtls1_set_message_header(s, d, SSL3_MT_CLIENT_HELLO, l, 0, l); 708 709 s->state = SSL3_ST_CW_CLNT_HELLO_B; 710 /* number of bytes to write */ 711 s->init_num = p - buf; 712 s->init_off = 0; 713 714 /* buffer the message to handle re-xmits */ 715 dtls1_buffer_message(s, 0); 716 } 717 718 /* SSL3_ST_CW_CLNT_HELLO_B */ 719 return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); 720 err: 721 return (-1); 722} 723 724static int dtls1_get_hello_verify(SSL *s) 725{ 726 int n, al, ok = 0; 727 unsigned char *data; 728 unsigned int cookie_len; 729 730 n = s->method->ssl_get_message(s, 731 DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A, 732 DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, 733 -1, s->max_cert_list, &ok); 734 735 if (!ok) 736 return ((int)n); 737 738 if (s->s3->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) { 739 s->d1->send_cookie = 0; 740 s->s3->tmp.reuse_message = 1; 741 return (1); 742 } 743 744 data = (unsigned char *)s->init_msg; 745 746 if ((data[0] != (s->version >> 8)) || (data[1] != (s->version & 0xff))) { 747 SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY, SSL_R_WRONG_SSL_VERSION); 748 s->version = (s->version & 0xff00) | data[1]; 749 al = SSL_AD_PROTOCOL_VERSION; 750 goto f_err; 751 } 752 data += 2; 753 754 cookie_len = *(data++); 755 if (cookie_len > sizeof(s->d1->cookie)) { 756 al = SSL_AD_ILLEGAL_PARAMETER; 757 goto f_err; 758 } 759 760 memcpy(s->d1->cookie, data, cookie_len); 761 s->d1->cookie_len = cookie_len; 762 763 s->d1->send_cookie = 1; 764 return 1; 765 766 f_err: 767 ssl3_send_alert(s, SSL3_AL_FATAL, al); 768 return -1; 769} 770 771int dtls1_send_client_key_exchange(SSL *s) 772{ 773 unsigned char *p, *d; 774 int n; 775 unsigned long l; 776#ifndef OPENSSL_NO_RSA 777 unsigned char *q; 778 EVP_PKEY *pkey = NULL; 779#endif 780#ifndef OPENSSL_NO_KRB5 781 KSSL_ERR kssl_err; 782#endif /* OPENSSL_NO_KRB5 */ 783 784 if (s->state == SSL3_ST_CW_KEY_EXCH_A) { 785 d = (unsigned char *)s->init_buf->data; 786 p = &(d[DTLS1_HM_HEADER_LENGTH]); 787 788 l = s->s3->tmp.new_cipher->algorithms; 789 790 /* Fool emacs indentation */ 791 if (0) { 792 } 793#ifndef OPENSSL_NO_RSA 794 else if (l & SSL_kRSA) { 795 RSA *rsa; 796 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 797 798 if (s->session->sess_cert == NULL) { 799 /* 800 * We should always have a server certificate with SSL_kRSA. 801 */ 802 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 803 ERR_R_INTERNAL_ERROR); 804 goto err; 805 } 806 807 if (s->session->sess_cert->peer_rsa_tmp != NULL) 808 rsa = s->session->sess_cert->peer_rsa_tmp; 809 else { 810 pkey = 811 X509_get_pubkey(s->session-> 812 sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC]. 813 x509); 814 if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) 815 || (pkey->pkey.rsa == NULL)) { 816 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 817 ERR_R_INTERNAL_ERROR); 818 goto err; 819 } 820 rsa = pkey->pkey.rsa; 821 EVP_PKEY_free(pkey); 822 } 823 824 tmp_buf[0] = s->client_version >> 8; 825 tmp_buf[1] = s->client_version & 0xff; 826 if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0) 827 goto err; 828 829 s->session->master_key_length = sizeof tmp_buf; 830 831 q = p; 832 /* Fix buf for TLS and [incidentally] DTLS */ 833 if (s->version > SSL3_VERSION) 834 p += 2; 835 n = RSA_public_encrypt(sizeof tmp_buf, 836 tmp_buf, p, rsa, RSA_PKCS1_PADDING); 837# ifdef PKCS1_CHECK 838 if (s->options & SSL_OP_PKCS1_CHECK_1) 839 p[1]++; 840 if (s->options & SSL_OP_PKCS1_CHECK_2) 841 tmp_buf[0] = 0x70; 842# endif 843 if (n <= 0) { 844 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 845 SSL_R_BAD_RSA_ENCRYPT); 846 goto err; 847 } 848 849 /* Fix buf for TLS and [incidentally] DTLS */ 850 if (s->version > SSL3_VERSION) { 851 s2n(n, q); 852 n += 2; 853 } 854 855 s->session->master_key_length = 856 s->method->ssl3_enc->generate_master_secret(s, 857 s-> 858 session->master_key, 859 tmp_buf, 860 sizeof tmp_buf); 861 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 862 } 863#endif 864#ifndef OPENSSL_NO_KRB5 865 else if (l & SSL_kKRB5) { 866 krb5_error_code krb5rc; 867 KSSL_CTX *kssl_ctx = s->kssl_ctx; 868 /* krb5_data krb5_ap_req; */ 869 krb5_data *enc_ticket; 870 krb5_data authenticator, *authp = NULL; 871 EVP_CIPHER_CTX ciph_ctx; 872 EVP_CIPHER *enc = NULL; 873 unsigned char iv[EVP_MAX_IV_LENGTH]; 874 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 875 unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH + EVP_MAX_IV_LENGTH]; 876 int padl, outl = sizeof(epms); 877 878 EVP_CIPHER_CTX_init(&ciph_ctx); 879 880# ifdef KSSL_DEBUG 881 printf("ssl3_send_client_key_exchange(%lx & %lx)\n", 882 l, SSL_kKRB5); 883# endif /* KSSL_DEBUG */ 884 885 authp = NULL; 886# ifdef KRB5SENDAUTH 887 if (KRB5SENDAUTH) 888 authp = &authenticator; 889# endif /* KRB5SENDAUTH */ 890 891 krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp, &kssl_err); 892 enc = kssl_map_enc(kssl_ctx->enctype); 893 if (enc == NULL) 894 goto err; 895# ifdef KSSL_DEBUG 896 { 897 printf("kssl_cget_tkt rtn %d\n", krb5rc); 898 if (krb5rc && kssl_err.text) 899 printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text); 900 } 901# endif /* KSSL_DEBUG */ 902 903 if (krb5rc) { 904 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 905 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, kssl_err.reason); 906 goto err; 907 } 908 909 /*- 910 * 20010406 VRS - Earlier versions used KRB5 AP_REQ 911 ** in place of RFC 2712 KerberosWrapper, as in: 912 ** 913 ** Send ticket (copy to *p, set n = length) 914 ** n = krb5_ap_req.length; 915 ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length); 916 ** if (krb5_ap_req.data) 917 ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req); 918 ** 919 ** Now using real RFC 2712 KerberosWrapper 920 ** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>) 921 ** Note: 2712 "opaque" types are here replaced 922 ** with a 2-byte length followed by the value. 923 ** Example: 924 ** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms 925 ** Where "xx xx" = length bytes. Shown here with 926 ** optional authenticator omitted. 927 */ 928 929 /* KerberosWrapper.Ticket */ 930 s2n(enc_ticket->length, p); 931 memcpy(p, enc_ticket->data, enc_ticket->length); 932 p += enc_ticket->length; 933 n = enc_ticket->length + 2; 934 935 /* KerberosWrapper.Authenticator */ 936 if (authp && authp->length) { 937 s2n(authp->length, p); 938 memcpy(p, authp->data, authp->length); 939 p += authp->length; 940 n += authp->length + 2; 941 942 free(authp->data); 943 authp->data = NULL; 944 authp->length = 0; 945 } else { 946 s2n(0, p); /* null authenticator length */ 947 n += 2; 948 } 949 950 if (RAND_bytes(tmp_buf, sizeof tmp_buf) <= 0) 951 goto err; 952 953 /*- 954 * 20010420 VRS. Tried it this way; failed. 955 * EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL); 956 * EVP_CIPHER_CTX_set_key_length(&ciph_ctx, 957 * kssl_ctx->length); 958 * EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv); 959 */ 960 961 memset(iv, 0, sizeof iv); /* per RFC 1510 */ 962 EVP_EncryptInit_ex(&ciph_ctx, enc, NULL, kssl_ctx->key, iv); 963 EVP_EncryptUpdate(&ciph_ctx, epms, &outl, tmp_buf, 964 sizeof tmp_buf); 965 EVP_EncryptFinal_ex(&ciph_ctx, &(epms[outl]), &padl); 966 outl += padl; 967 if (outl > sizeof epms) { 968 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 969 ERR_R_INTERNAL_ERROR); 970 goto err; 971 } 972 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 973 974 /* KerberosWrapper.EncryptedPreMasterSecret */ 975 s2n(outl, p); 976 memcpy(p, epms, outl); 977 p += outl; 978 n += outl + 2; 979 980 s->session->master_key_length = 981 s->method->ssl3_enc->generate_master_secret(s, 982 s-> 983 session->master_key, 984 tmp_buf, 985 sizeof tmp_buf); 986 987 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 988 OPENSSL_cleanse(epms, outl); 989 } 990#endif 991#ifndef OPENSSL_NO_DH 992 else if (l & (SSL_kEDH | SSL_kDHr | SSL_kDHd)) { 993 DH *dh_srvr, *dh_clnt; 994 995 if (s->session->sess_cert == NULL) { 996 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); 997 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 998 SSL_R_UNEXPECTED_MESSAGE); 999 goto err; 1000 } 1001 1002 if (s->session->sess_cert->peer_dh_tmp != NULL) 1003 dh_srvr = s->session->sess_cert->peer_dh_tmp; 1004 else { 1005 /* we get them from the cert */ 1006 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 1007 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1008 SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); 1009 goto err; 1010 } 1011 1012 /* generate a new random key */ 1013 if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL) { 1014 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB); 1015 goto err; 1016 } 1017 if (!DH_generate_key(dh_clnt)) { 1018 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB); 1019 goto err; 1020 } 1021 1022 /* 1023 * use the 'p' output buffer for the DH key, but make sure to 1024 * clear it out afterwards 1025 */ 1026 1027 n = DH_compute_key(p, dh_srvr->pub_key, dh_clnt); 1028 1029 if (n <= 0) { 1030 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB); 1031 goto err; 1032 } 1033 1034 /* generate master key from the result */ 1035 s->session->master_key_length = 1036 s->method->ssl3_enc->generate_master_secret(s, 1037 s-> 1038 session->master_key, 1039 p, n); 1040 /* clean up */ 1041 memset(p, 0, n); 1042 1043 /* send off the data */ 1044 n = BN_num_bytes(dh_clnt->pub_key); 1045 s2n(n, p); 1046 BN_bn2bin(dh_clnt->pub_key, p); 1047 n += 2; 1048 1049 DH_free(dh_clnt); 1050 1051 /* perhaps clean things up a bit EAY EAY EAY EAY */ 1052 } 1053#endif 1054 else { 1055 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 1056 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1057 ERR_R_INTERNAL_ERROR); 1058 goto err; 1059 } 1060 1061 d = dtls1_set_message_header(s, d, 1062 SSL3_MT_CLIENT_KEY_EXCHANGE, n, 0, n); 1063 /*- 1064 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE; 1065 l2n3(n,d); 1066 l2n(s->d1->handshake_write_seq,d); 1067 s->d1->handshake_write_seq++; 1068 */ 1069 1070 s->state = SSL3_ST_CW_KEY_EXCH_B; 1071 /* number of bytes to write */ 1072 s->init_num = n + DTLS1_HM_HEADER_LENGTH; 1073 s->init_off = 0; 1074 1075 /* buffer the message to handle re-xmits */ 1076 dtls1_buffer_message(s, 0); 1077 } 1078 1079 /* SSL3_ST_CW_KEY_EXCH_B */ 1080 return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); 1081 err: 1082 return (-1); 1083} 1084 1085int dtls1_send_client_verify(SSL *s) 1086{ 1087 unsigned char *p, *d; 1088 unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; 1089 EVP_PKEY *pkey; 1090#ifndef OPENSSL_NO_RSA 1091 unsigned u = 0; 1092#endif 1093 unsigned long n; 1094#ifndef OPENSSL_NO_DSA 1095 int j; 1096#endif 1097 1098 if (s->state == SSL3_ST_CW_CERT_VRFY_A) { 1099 d = (unsigned char *)s->init_buf->data; 1100 p = &(d[DTLS1_HM_HEADER_LENGTH]); 1101 pkey = s->cert->key->privatekey; 1102 1103 s->method->ssl3_enc->cert_verify_mac(s, &(s->s3->finish_dgst2), 1104 &(data[MD5_DIGEST_LENGTH])); 1105 1106#ifndef OPENSSL_NO_RSA 1107 if (pkey->type == EVP_PKEY_RSA) { 1108 s->method->ssl3_enc->cert_verify_mac(s, 1109 &(s->s3->finish_dgst1), 1110 &(data[0])); 1111 if (RSA_sign 1112 (NID_md5_sha1, data, MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, 1113 &(p[2]), &u, pkey->pkey.rsa) <= 0) { 1114 SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY, ERR_R_RSA_LIB); 1115 goto err; 1116 } 1117 s2n(u, p); 1118 n = u + 2; 1119 } else 1120#endif 1121#ifndef OPENSSL_NO_DSA 1122 if (pkey->type == EVP_PKEY_DSA) { 1123 if (!DSA_sign(pkey->save_type, 1124 &(data[MD5_DIGEST_LENGTH]), 1125 SHA_DIGEST_LENGTH, &(p[2]), 1126 (unsigned int *)&j, pkey->pkey.dsa)) { 1127 SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY, ERR_R_DSA_LIB); 1128 goto err; 1129 } 1130 s2n(j, p); 1131 n = j + 2; 1132 } else 1133#endif 1134 { 1135 SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR); 1136 goto err; 1137 } 1138 1139 d = dtls1_set_message_header(s, d, 1140 SSL3_MT_CERTIFICATE_VERIFY, n, 0, n); 1141 1142 s->init_num = (int)n + DTLS1_HM_HEADER_LENGTH; 1143 s->init_off = 0; 1144 1145 /* buffer the message to handle re-xmits */ 1146 dtls1_buffer_message(s, 0); 1147 1148 s->state = SSL3_ST_CW_CERT_VRFY_B; 1149 } 1150 1151 /* s->state = SSL3_ST_CW_CERT_VRFY_B */ 1152 return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); 1153 err: 1154 return (-1); 1155} 1156 1157int dtls1_send_client_certificate(SSL *s) 1158{ 1159 X509 *x509 = NULL; 1160 EVP_PKEY *pkey = NULL; 1161 int i; 1162 unsigned long l; 1163 1164 if (s->state == SSL3_ST_CW_CERT_A) { 1165 if ((s->cert == NULL) || 1166 (s->cert->key->x509 == NULL) || 1167 (s->cert->key->privatekey == NULL)) 1168 s->state = SSL3_ST_CW_CERT_B; 1169 else 1170 s->state = SSL3_ST_CW_CERT_C; 1171 } 1172 1173 /* We need to get a client cert */ 1174 if (s->state == SSL3_ST_CW_CERT_B) { 1175 /* 1176 * If we get an error, we need to ssl->rwstate=SSL_X509_LOOKUP; 1177 * return(-1); We then get retied later 1178 */ 1179 i = 0; 1180 i = ssl_do_client_cert_cb(s, &x509, &pkey); 1181 if (i < 0) { 1182 s->rwstate = SSL_X509_LOOKUP; 1183 return (-1); 1184 } 1185 s->rwstate = SSL_NOTHING; 1186 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) { 1187 s->state = SSL3_ST_CW_CERT_B; 1188 if (!SSL_use_certificate(s, x509) || !SSL_use_PrivateKey(s, pkey)) 1189 i = 0; 1190 } else if (i == 1) { 1191 i = 0; 1192 SSLerr(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE, 1193 SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); 1194 } 1195 1196 if (x509 != NULL) 1197 X509_free(x509); 1198 if (pkey != NULL) 1199 EVP_PKEY_free(pkey); 1200 if (i == 0) { 1201 if (s->version == SSL3_VERSION) { 1202 s->s3->tmp.cert_req = 0; 1203 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE); 1204 return (1); 1205 } else { 1206 s->s3->tmp.cert_req = 2; 1207 } 1208 } 1209 1210 /* Ok, we have a cert */ 1211 s->state = SSL3_ST_CW_CERT_C; 1212 } 1213 1214 if (s->state == SSL3_ST_CW_CERT_C) { 1215 s->state = SSL3_ST_CW_CERT_D; 1216 l = dtls1_output_cert_chain(s, 1217 (s->s3->tmp.cert_req == 1218 2) ? NULL : s->cert->key->x509); 1219 s->init_num = (int)l; 1220 s->init_off = 0; 1221 1222 /* set header called by dtls1_output_cert_chain() */ 1223 1224 /* buffer the message to handle re-xmits */ 1225 dtls1_buffer_message(s, 0); 1226 } 1227 /* SSL3_ST_CW_CERT_D */ 1228 return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); 1229} 1230