ssl/d1_srvr.c

   1 /* ssl/d1_srvr.c */
   2 /*
   3  * DTLS implementation written by Nagendra Modadugu
   4  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
   5  */
   6 /* ====================================================================
   7  * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
   8  *
   9  * Redistribution and use in source and binary forms, with or without
  10  * modification, are permitted provided that the following conditions
  11  * are met:
  12  *
  13  * 1. Redistributions of source code must retain the above copyright
  14  *    notice, this list of conditions and the following disclaimer.
  15  *
  16  * 2. Redistributions in binary form must reproduce the above copyright
  17  *    notice, this list of conditions and the following disclaimer in
  18  *    the documentation and/or other materials provided with the
  19  *    distribution.
  20  *
  21  * 3. All advertising materials mentioning features or use of this
  22  *    software must display the following acknowledgment:
  23  *    "This product includes software developed by the OpenSSL Project
  24  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  25  *
  26  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  27  *    endorse or promote products derived from this software without
  28  *    prior written permission. For written permission, please contact
  29  *    openssl-core@OpenSSL.org.
  30  *
  31  * 5. Products derived from this software may not be called "OpenSSL"
  32  *    nor may "OpenSSL" appear in their names without prior written
  33  *    permission of the OpenSSL Project.
  34  *
  35  * 6. Redistributions of any form whatsoever must retain the following
  36  *    acknowledgment:
  37  *    "This product includes software developed by the OpenSSL Project
  38  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  39  *
  40  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  41  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  43  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
  44  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  45  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  46  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  47  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  49  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  50  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  51  * OF THE POSSIBILITY OF SUCH DAMAGE.
  52  * ====================================================================
  53  *
  54  * This product includes cryptographic software written by Eric Young
  55  * (eay@cryptsoft.com).  This product includes software written by Tim
  56  * Hudson (tjh@cryptsoft.com).
  57  *
  58  */
  59 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  60  * All rights reserved.
  61  *
  62  * This package is an SSL implementation written
  63  * by Eric Young (eay@cryptsoft.com).
  64  * The implementation was written so as to conform with Netscapes SSL.
  65  *
  66  * This library is free for commercial and non-commercial use as long as
  67  * the following conditions are aheared to.  The following conditions
  68  * apply to all code found in this distribution, be it the RC4, RSA,
  69  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
  70  * included with this distribution is covered by the same copyright terms
  71  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  72  *
  73  * Copyright remains Eric Young's, and as such any Copyright notices in
  74  * the code are not to be removed.
  75  * If this package is used in a product, Eric Young should be given attribution
  76  * as the author of the parts of the library used.
  77  * This can be in the form of a textual message at program startup or
  78  * in documentation (online or textual) provided with the package.
  79  *
  80  * Redistribution and use in source and binary forms, with or without
  81  * modification, are permitted provided that the following conditions
  82  * are met:
  83  * 1. Redistributions of source code must retain the copyright
  84  *    notice, this list of conditions and the following disclaimer.
  85  * 2. Redistributions in binary form must reproduce the above copyright
  86  *    notice, this list of conditions and the following disclaimer in the
  87  *    documentation and/or other materials provided with the distribution.
  88  * 3. All advertising materials mentioning features or use of this software
  89  *    must display the following acknowledgement:
  90  *    "This product includes cryptographic software written by
  91  *     Eric Young (eay@cryptsoft.com)"
  92  *    The word 'cryptographic' can be left out if the rouines from the library
  93  *    being used are not cryptographic related :-).
  94  * 4. If you include any Windows specific code (or a derivative thereof) from
  95  *    the apps directory (application code) you must include an acknowledgement:
  96  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  97  *
  98  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  99  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 100  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 101  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 102  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 103  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 104  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 105  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 106  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 107  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 108  * SUCH DAMAGE.
 109  *
 110  * The licence and distribution terms for any publically available version or
 111  * derivative of this code cannot be changed.  i.e. this code cannot simply be
 112  * copied and put under another distribution licence
 113  * [including the GNU Public Licence.]
 114  */
 115
 116 #include <stdio.h>
 117 #include "ssl_locl.h"
 118 #include <openssl/buffer.h>
 119 #include <openssl/rand.h>
 120 #include <openssl/objects.h>
 121 #include <openssl/evp.h>
 122 #include <openssl/x509.h>
 123 #include <openssl/md5.h>
 124 #include <openssl/bn.h>
 125 #ifndef OPENSSL_NO_DH
 126 #include <openssl/dh.h>
 127 #endif
 128
 129 static SSL_METHOD *dtls1_get_server_method(int ver);
 130 static int dtls1_send_hello_verify_request(SSL *s);
 131
 132 static SSL_METHOD *dtls1_get_server_method(int ver)
 133         {
 134         if (ver == DTLS1_VERSION)
 135                 return(DTLSv1_server_method());
 136         else
 137                 return(NULL);
 138         }
 139
 140 SSL_METHOD *DTLSv1_server_method(void)
 141         {
 142         static int init=1;
 143         static SSL_METHOD DTLSv1_server_data;
 144
 145         if (init)
 146                 {
 147                 CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
 148
 149                 if (init)
 150                         {
 151                         memcpy((char *)&DTLSv1_server_data,(char *)dtlsv1_base_method(),
 152                                 sizeof(SSL_METHOD));
 153                         DTLSv1_server_data.ssl_accept=dtls1_accept;
 154                         DTLSv1_server_data.get_ssl_method=dtls1_get_server_method;
 155                         init=0;
 156                         }
 157
 158                 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
 159                 }
 160         return(&DTLSv1_server_data);
 161         }
 162
 163 int dtls1_accept(SSL *s)
 164         {
 165         BUF_MEM *buf;
 166         unsigned long l,Time=time(NULL);
 167         void (*cb)(const SSL *ssl,int type,int val)=NULL;
 168         long num1;
 169         int ret= -1;
 170         int new_state,state,skip=0;
 171
 172         RAND_add(&Time,sizeof(Time),0);
 173         ERR_clear_error();
 174         clear_sys_error();
 175
 176         if (s->info_callback != NULL)
 177                 cb=s->info_callback;
 178         else if (s->ctx->info_callback != NULL)
 179                 cb=s->ctx->info_callback;
 180
 181         /* init things to blank */
 182         s->in_handshake++;
 183         if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
 184
 185         if (s->cert == NULL)
 186                 {
 187                 SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
 188                 return(-1);
 189                 }
 190
 191         for (;;)
 192                 {
 193                 state=s->state;
 194
 195                 switch (s->state)
 196                         {
 197                 case SSL_ST_RENEGOTIATE:
 198                         s->new_session=1;
 199                         /* s->state=SSL_ST_ACCEPT; */
 200
 201                 case SSL_ST_BEFORE:
 202                 case SSL_ST_ACCEPT:
 203                 case SSL_ST_BEFORE|SSL_ST_ACCEPT:
 204                 case SSL_ST_OK|SSL_ST_ACCEPT:
 205
 206                         s->server=1;
 207                         if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
 208
 209                         if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00))
 210                                 {
 211                                 SSLerr(SSL_F_DTLS1_ACCEPT, ERR_R_INTERNAL_ERROR);
 212                                 return -1;
 213                                 }
 214                         s->type=SSL_ST_ACCEPT;
 215
 216                         if (s->init_buf == NULL)
 217                                 {
 218                                 if ((buf=BUF_MEM_new()) == NULL)
 219                                         {
 220                                         ret= -1;
 221                                         goto end;
 222                                         }
 223                                 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
 224                                         {
 225                                         ret= -1;
 226                                         goto end;
 227                                         }
 228                                 s->init_buf=buf;
 229                                 }
 230
 231                         if (!ssl3_setup_buffers(s))
 232                                 {
 233                                 ret= -1;
 234                                 goto end;
 235                                 }
 236
 237                         s->init_num=0;
 238
 239                         if (s->state != SSL_ST_RENEGOTIATE)
 240                                 {
 241                                 /* Ok, we now need to push on a buffering BIO so that
 242                                  * the output is sent in a way that TCP likes :-)
 243                                  */
 244                                 if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
 245
 246                                 ssl3_init_finished_mac(s);
 247                                 s->state=SSL3_ST_SR_CLNT_HELLO_A;
 248                                 s->ctx->stats.sess_accept++;
 249                                 }
 250                         else
 251                                 {
 252                                 /* s->state == SSL_ST_RENEGOTIATE,
 253                                  * we will just send a HelloRequest */
 254                                 s->ctx->stats.sess_accept_renegotiate++;
 255                                 s->state=SSL3_ST_SW_HELLO_REQ_A;
 256                                 }
 257
 258             if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
 259                 s->d1->send_cookie = 1;
 260             else
 261                 s->d1->send_cookie = 0;
 262
 263                         break;
 264
 265                 case SSL3_ST_SW_HELLO_REQ_A:
 266                 case SSL3_ST_SW_HELLO_REQ_B:
 267
 268                         s->shutdown=0;
 269                         ret=dtls1_send_hello_request(s);
 270                         if (ret <= 0) goto end;
 271                         s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
 272                         s->state=SSL3_ST_SW_FLUSH;
 273                         s->init_num=0;
 274
 275                         ssl3_init_finished_mac(s);
 276                         break;
 277
 278                 case SSL3_ST_SW_HELLO_REQ_C:
 279                         s->state=SSL_ST_OK;
 280                         break;
 281
 282                 case SSL3_ST_SR_CLNT_HELLO_A:
 283                 case SSL3_ST_SR_CLNT_HELLO_B:
 284                 case SSL3_ST_SR_CLNT_HELLO_C:
 285
 286                         s->shutdown=0;
 287                         ret=ssl3_get_client_hello(s);
 288                         if (ret <= 0) goto end;
 289                         s->new_session = 2;
 290
 291                         if ( s->d1->send_cookie)
 292                                 s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
 293                         else
 294                                 s->state = SSL3_ST_SW_SRVR_HELLO_A;
 295
 296                         s->init_num=0;
 297                         break;
 298
 299                 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
 300                 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
 301
 302                         ret = dtls1_send_hello_verify_request(s);
 303                         if ( ret <= 0) goto end;
 304                         s->d1->send_cookie = 0;
 305                         s->state=SSL3_ST_SW_FLUSH;
 306                         s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A;
 307                         break;
 308
 309                 case SSL3_ST_SW_SRVR_HELLO_A:
 310                 case SSL3_ST_SW_SRVR_HELLO_B:
 311                         ret=dtls1_send_server_hello(s);
 312                         if (ret <= 0) goto end;
 313
 314                         if (s->hit)
 315                                 s->state=SSL3_ST_SW_CHANGE_A;
 316                         else
 317                                 s->state=SSL3_ST_SW_CERT_A;
 318                         s->init_num=0;
 319                         break;
 320
 321                 case SSL3_ST_SW_CERT_A:
 322                 case SSL3_ST_SW_CERT_B:
 323                         /* Check if it is anon DH */
 324                         if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
 325                                 {
 326                                 ret=dtls1_send_server_certificate(s);
 327                                 if (ret <= 0) goto end;
 328                                 }
 329                         else
 330                                 skip=1;
 331                         s->state=SSL3_ST_SW_KEY_EXCH_A;
 332                         s->init_num=0;
 333                         break;
 334
 335                 case SSL3_ST_SW_KEY_EXCH_A:
 336                 case SSL3_ST_SW_KEY_EXCH_B:
 337                         l=s->s3->tmp.new_cipher->algorithms;
 338
 339                         /* clear this, it may get reset by
 340                          * send_server_key_exchange */
 341                         if ((s->options & SSL_OP_EPHEMERAL_RSA)
 342 #ifndef OPENSSL_NO_KRB5
 343                                 && !(l & SSL_KRB5)
 344 #endif /* OPENSSL_NO_KRB5 */
 345                                 )
 346                                 /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
 347                                  * even when forbidden by protocol specs
 348                                  * (handshake may fail as clients are not required to
 349                                  * be able to handle this) */
 350                                 s->s3->tmp.use_rsa_tmp=1;
 351                         else
 352                                 s->s3->tmp.use_rsa_tmp=0;
 353
 354                         /* only send if a DH key exchange, fortezza or
 355                          * RSA but we have a sign only certificate */
 356                         if (s->s3->tmp.use_rsa_tmp
 357                             || (l & (SSL_DH|SSL_kFZA))
 358                             || ((l & SSL_kRSA)
 359                                 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
 360                                     || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
 361                                         && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
 362                                         )
 363                                     )
 364                                 )
 365                             )
 366                                 {
 367                                 ret=dtls1_send_server_key_exchange(s);
 368                                 if (ret <= 0) goto end;
 369                                 }
 370                         else
 371                                 skip=1;
 372
 373                         s->state=SSL3_ST_SW_CERT_REQ_A;
 374                         s->init_num=0;
 375                         break;
 376
 377                 case SSL3_ST_SW_CERT_REQ_A:
 378                 case SSL3_ST_SW_CERT_REQ_B:
 379                         if (/* don't request cert unless asked for it: */
 380                                 !(s->verify_mode & SSL_VERIFY_PEER) ||
 381                                 /* if SSL_VERIFY_CLIENT_ONCE is set,
 382                                  * don't request cert during re-negotiation: */
 383                                 ((s->session->peer != NULL) &&
 384                                  (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
 385                                 /* never request cert in anonymous ciphersuites
 386                                  * (see section "Certificate request" in SSL 3 drafts
 387                                  * and in RFC 2246): */
 388                                 ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) &&
 389                                  /* ... except when the application insists on verification
 390                                   * (against the specs, but s3_clnt.c accepts this for SSL 3) */
 391                                  !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
 392                                  /* never request cert in Kerberos ciphersuites */
 393                                 (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5))
 394                                 {
 395                                 /* no cert request */
 396                                 skip=1;
 397                                 s->s3->tmp.cert_request=0;
 398                                 s->state=SSL3_ST_SW_SRVR_DONE_A;
 399                                 }
 400                         else
 401                                 {
 402                                 s->s3->tmp.cert_request=1;
 403                                 ret=dtls1_send_certificate_request(s);
 404                                 if (ret <= 0) goto end;
 405 #ifndef NETSCAPE_HANG_BUG
 406                                 s->state=SSL3_ST_SW_SRVR_DONE_A;
 407 #else
 408                                 s->state=SSL3_ST_SW_FLUSH;
 409                                 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
 410 #endif
 411                                 s->init_num=0;
 412                                 }
 413                         break;
 414
 415                 case SSL3_ST_SW_SRVR_DONE_A:
 416                 case SSL3_ST_SW_SRVR_DONE_B:
 417                         ret=dtls1_send_server_done(s);
 418                         if (ret <= 0) goto end;
 419                         s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
 420                         s->state=SSL3_ST_SW_FLUSH;
 421                         s->init_num=0;
 422                         break;
 423
 424                 case SSL3_ST_SW_FLUSH:
 425                         /* number of bytes to be flushed */
 426                         num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
 427                         if (num1 > 0)
 428                                 {
 429                                 s->rwstate=SSL_WRITING;
 430                                 num1=BIO_flush(s->wbio);
 431                                 if (num1 <= 0) { ret= -1; goto end; }
 432                                 s->rwstate=SSL_NOTHING;
 433                                 }
 434
 435                         s->state=s->s3->tmp.next_state;
 436                         break;
 437
 438                 case SSL3_ST_SR_CERT_A:
 439                 case SSL3_ST_SR_CERT_B:
 440                         /* Check for second client hello (MS SGC) */
 441                         ret = ssl3_check_client_hello(s);
 442                         if (ret <= 0)
 443                                 goto end;
 444                         if (ret == 2)
 445                                 s->state = SSL3_ST_SR_CLNT_HELLO_C;
 446                         else {
 447                                 /* could be sent for a DH cert, even if we
 448                                  * have not asked for it :-) */
 449                                 ret=ssl3_get_client_certificate(s);
 450                                 if (ret <= 0) goto end;
 451                                 s->init_num=0;
 452                                 s->state=SSL3_ST_SR_KEY_EXCH_A;
 453                         }
 454                         break;
 455
 456                 case SSL3_ST_SR_KEY_EXCH_A:
 457                 case SSL3_ST_SR_KEY_EXCH_B:
 458                         ret=ssl3_get_client_key_exchange(s);
 459                         if (ret <= 0) goto end;
 460                         s->state=SSL3_ST_SR_CERT_VRFY_A;
 461                         s->init_num=0;
 462
 463                         /* We need to get hashes here so if there is
 464                          * a client cert, it can be verified */
 465                         s->method->ssl3_enc->cert_verify_mac(s,
 466                                 &(s->s3->finish_dgst1),
 467                                 &(s->s3->tmp.cert_verify_md[0]));
 468                         s->method->ssl3_enc->cert_verify_mac(s,
 469                                 &(s->s3->finish_dgst2),
 470                                 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
 471
 472                         break;
 473
 474                 case SSL3_ST_SR_CERT_VRFY_A:
 475                 case SSL3_ST_SR_CERT_VRFY_B:
 476
 477                         /* we should decide if we expected this one */
 478                         ret=ssl3_get_cert_verify(s);
 479                         if (ret <= 0) goto end;
 480
 481                         s->state=SSL3_ST_SR_FINISHED_A;
 482                         s->init_num=0;
 483                         break;
 484
 485                 case SSL3_ST_SR_FINISHED_A:
 486                 case SSL3_ST_SR_FINISHED_B:
 487                         ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
 488                                 SSL3_ST_SR_FINISHED_B);
 489                         if (ret <= 0) goto end;
 490                         if (s->hit)
 491                                 s->state=SSL_ST_OK;
 492                         else
 493                                 s->state=SSL3_ST_SW_CHANGE_A;
 494                         s->init_num=0;
 495                         break;
 496
 497                 case SSL3_ST_SW_CHANGE_A:
 498                 case SSL3_ST_SW_CHANGE_B:
 499
 500                         s->session->cipher=s->s3->tmp.new_cipher;
 501                         if (!s->method->ssl3_enc->setup_key_block(s))
 502                                 { ret= -1; goto end; }
 503
 504                         ret=dtls1_send_change_cipher_spec(s,
 505                                 SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B);
 506
 507                         if (ret <= 0) goto end;
 508                         s->state=SSL3_ST_SW_FINISHED_A;
 509                         s->init_num=0;
 510
 511                         if (!s->method->ssl3_enc->change_cipher_state(s,
 512                                 SSL3_CHANGE_CIPHER_SERVER_WRITE))
 513                                 {
 514                                 ret= -1;
 515                                 goto end;
 516                                 }
 517
 518                         dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
 519                         break;
 520
 521                 case SSL3_ST_SW_FINISHED_A:
 522                 case SSL3_ST_SW_FINISHED_B:
 523                         ret=dtls1_send_finished(s,
 524                                 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
 525                                 s->method->ssl3_enc->server_finished_label,
 526                                 s->method->ssl3_enc->server_finished_label_len);
 527                         if (ret <= 0) goto end;
 528                         s->state=SSL3_ST_SW_FLUSH;
 529                         if (s->hit)
 530                                 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
 531                         else
 532                                 s->s3->tmp.next_state=SSL_ST_OK;
 533                         s->init_num=0;
 534                         break;
 535
 536                 case SSL_ST_OK:
 537                         /* clean a few things up */
 538                         ssl3_cleanup_key_block(s);
 539
 540 #if 0
 541                         BUF_MEM_free(s->init_buf);
 542                         s->init_buf=NULL;
 543 #endif
 544
 545                         /* remove buffering on output */
 546                         ssl_free_wbio_buffer(s);
 547
 548                         s->init_num=0;
 549
 550                         if (s->new_session == 2) /* skipped if we just sent a HelloRequest */
 551                                 {
 552                                 /* actually not necessarily a 'new' session unless
 553                                  * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
 554
 555                                 s->new_session=0;
 556
 557                                 ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
 558
 559                                 s->ctx->stats.sess_accept_good++;
 560                                 /* s->server=1; */
 561                                 s->handshake_func=dtls1_accept;
 562
 563                                 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
 564                                 }
 565
 566                         ret = 1;
 567
 568                         /* done handshaking, next message is client hello */
 569                         s->d1->handshake_read_seq = 0;
 570                         /* next message is server hello */
 571                         s->d1->handshake_write_seq = 0;
 572                         goto end;
 573                         /* break; */
 574
 575                 default:
 576                         SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_UNKNOWN_STATE);
 577                         ret= -1;
 578                         goto end;
 579                         /* break; */
 580                         }
 581
 582                 if (!s->s3->tmp.reuse_message && !skip)
 583                         {
 584                         if (s->debug)
 585                                 {
 586                                 if ((ret=BIO_flush(s->wbio)) <= 0)
 587                                         goto end;
 588                                 }
 589
 590
 591                         if ((cb != NULL) && (s->state != state))
 592                                 {
 593                                 new_state=s->state;
 594                                 s->state=state;
 595                                 cb(s,SSL_CB_ACCEPT_LOOP,1);
 596                                 s->state=new_state;
 597                                 }
 598                         }
 599                 skip=0;
 600                 }
 601 end:
 602         /* BIO_flush(s->wbio); */
 603
 604         s->in_handshake--;
 605         if (cb != NULL)
 606                 cb(s,SSL_CB_ACCEPT_EXIT,ret);
 607         return(ret);
 608         }
 609
 610 int dtls1_send_hello_request(SSL *s)
 611         {
 612         unsigned char *p;
 613
 614         if (s->state == SSL3_ST_SW_HELLO_REQ_A)
 615                 {
 616                 p=(unsigned char *)s->init_buf->data;
 617                 p = dtls1_set_message_header(s, p, SSL3_MT_HELLO_REQUEST, 0, 0, 0);
 618
 619                 s->state=SSL3_ST_SW_HELLO_REQ_B;
 620                 /* number of bytes to write */
 621                 s->init_num=DTLS1_HM_HEADER_LENGTH;
 622                 s->init_off=0;
 623
 624                 /* no need to buffer this message, since there are no retransmit
 625                  * requests for it */
 626                 }
 627
 628         /* SSL3_ST_SW_HELLO_REQ_B */
 629         return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
 630         }
 631
 632 int dtls1_send_hello_verify_request(SSL *s)
 633         {
 634         unsigned int msg_len;
 635         unsigned char *msg, *buf, *p;
 636
 637         if (s->state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A)
 638                 {
 639                 buf = (unsigned char *)s->init_buf->data;
 640
 641                 msg = p = &(buf[DTLS1_HM_HEADER_LENGTH]);
 642                 *(p++) = s->version >> 8;
 643                 *(p++) = s->version & 0xFF;
 644
 645                 *(p++) = (unsigned char) s->d1->cookie_len;
 646         if ( s->ctx->app_gen_cookie_cb != NULL &&
 647             s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
 648                 &(s->d1->cookie_len)) == 0)
 649             {
 650                         SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,ERR_R_INTERNAL_ERROR);
 651             return 0;
 652             }
 653         /* else the cookie is assumed to have
 654          * been initialized by the application */
 655
 656                 memcpy(p, s->d1->cookie, s->d1->cookie_len);
 657                 p += s->d1->cookie_len;
 658                 msg_len = p - msg;
 659
 660                 dtls1_set_message_header(s, buf,
 661                         DTLS1_MT_HELLO_VERIFY_REQUEST, msg_len, 0, msg_len);
 662
 663                 s->state=DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B;
 664                 /* number of bytes to write */
 665                 s->init_num=p-buf;
 666                 s->init_off=0;
 667
 668                 /* buffer the message to handle re-xmits */
 669                 dtls1_buffer_message(s, 0);
 670                 }
 671
 672         /* s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */
 673         return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
 674         }
 675
 676 int dtls1_send_server_hello(SSL *s)
 677         {
 678         unsigned char *buf;
 679         unsigned char *p,*d;
 680         int i,sl;
 681         unsigned long l,Time;
 682
 683         if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
 684                 {
 685                 buf=(unsigned char *)s->init_buf->data;
 686                 p=s->s3->server_random;
 687                 Time=time(NULL);                        /* Time */
 688                 l2n(Time,p);
 689                 RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
 690                 /* Do the message type and length last */
 691                 d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
 692
 693                 *(p++)=s->version>>8;
 694                 *(p++)=s->version&0xff;
 695
 696                 /* Random stuff */
 697                 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
 698                 p+=SSL3_RANDOM_SIZE;
 699
 700                 /* now in theory we have 3 options to sending back the
 701                  * session id.  If it is a re-use, we send back the
 702                  * old session-id, if it is a new session, we send
 703                  * back the new session-id or we send back a 0 length
 704                  * session-id if we want it to be single use.
 705                  * Currently I will not implement the '0' length session-id
 706                  * 12-Jan-98 - I'll now support the '0' length stuff.
 707                  */
 708                 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER))
 709                         s->session->session_id_length=0;
 710
 711                 sl=s->session->session_id_length;
 712                 if (sl > sizeof s->session->session_id)
 713                         {
 714                         SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
 715                         return -1;
 716                         }
 717                 *(p++)=sl;
 718                 memcpy(p,s->session->session_id,sl);
 719                 p+=sl;
 720
 721                 /* put the cipher */
 722                 i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p);
 723                 p+=i;
 724
 725                 /* put the compression method */
 726                 if (s->s3->tmp.new_compression == NULL)
 727                         *(p++)=0;
 728                 else
 729                         *(p++)=s->s3->tmp.new_compression->id;
 730
 731                 /* do the header */
 732                 l=(p-d);
 733                 d=buf;
 734
 735                 d = dtls1_set_message_header(s, d, SSL3_MT_SERVER_HELLO, l, 0, l);
 736
 737                 s->state=SSL3_ST_CW_CLNT_HELLO_B;
 738                 /* number of bytes to write */
 739                 s->init_num=p-buf;
 740                 s->init_off=0;
 741
 742                 /* buffer the message to handle re-xmits */
 743                 dtls1_buffer_message(s, 0);
 744                 }
 745
 746         /* SSL3_ST_CW_CLNT_HELLO_B */
 747         return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
 748         }
 749
 750 int dtls1_send_server_done(SSL *s)
 751         {
 752         unsigned char *p;
 753
 754         if (s->state == SSL3_ST_SW_SRVR_DONE_A)
 755                 {
 756                 p=(unsigned char *)s->init_buf->data;
 757
 758                 /* do the header */
 759                 p = dtls1_set_message_header(s, p, SSL3_MT_SERVER_DONE, 0, 0, 0);
 760
 761                 s->state=SSL3_ST_SW_SRVR_DONE_B;
 762                 /* number of bytes to write */
 763                 s->init_num=DTLS1_HM_HEADER_LENGTH;
 764                 s->init_off=0;
 765
 766                 /* buffer the message to handle re-xmits */
 767                 dtls1_buffer_message(s, 0);
 768                 }
 769
 770         /* SSL3_ST_CW_CLNT_HELLO_B */
 771         return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
 772         }
 773
 774 int dtls1_send_server_key_exchange(SSL *s)
 775         {
 776 #ifndef OPENSSL_NO_RSA
 777         unsigned char *q;
 778         int j,num;
 779         RSA *rsa;
 780         unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
 781         unsigned int u;
 782 #endif
 783 #ifndef OPENSSL_NO_DH
 784         DH *dh=NULL,*dhp;
 785 #endif
 786         EVP_PKEY *pkey;
 787         unsigned char *p,*d;
 788         int al,i;
 789         unsigned long type;
 790         int n;
 791         CERT *cert;
 792         BIGNUM *r[4];
 793         int nr[4],kn;
 794         BUF_MEM *buf;
 795         EVP_MD_CTX md_ctx;
 796
 797         EVP_MD_CTX_init(&md_ctx);
 798         if (s->state == SSL3_ST_SW_KEY_EXCH_A)
 799                 {
 800                 type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK;
 801                 cert=s->cert;
 802
 803                 buf=s->init_buf;
 804
 805                 r[0]=r[1]=r[2]=r[3]=NULL;
 806                 n=0;
 807 #ifndef OPENSSL_NO_RSA
 808                 if (type & SSL_kRSA)
 809                         {
 810                         rsa=cert->rsa_tmp;
 811                         if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL))
 812                                 {
 813                                 rsa=s->cert->rsa_tmp_cb(s,
 814                                       SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
 815                                       SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
 816                                 if(rsa == NULL)
 817                                 {
 818                                         al=SSL_AD_HANDSHAKE_FAILURE;
 819                                         SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
 820                                         goto f_err;
 821                                 }
 822                                 RSA_up_ref(rsa);
 823                                 cert->rsa_tmp=rsa;
 824                                 }
 825                         if (rsa == NULL)
 826                                 {
 827                                 al=SSL_AD_HANDSHAKE_FAILURE;
 828                                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY);
 829                                 goto f_err;
 830                                 }
 831                         r[0]=rsa->n;
 832                         r[1]=rsa->e;
 833                         s->s3->tmp.use_rsa_tmp=1;
 834                         }
 835                 else
 836 #endif
 837 #ifndef OPENSSL_NO_DH
 838                         if (type & SSL_kEDH)
 839                         {
 840                         dhp=cert->dh_tmp;
 841                         if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
 842                                 dhp=s->cert->dh_tmp_cb(s,
 843                                       SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
 844                                       SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
 845                         if (dhp == NULL)
 846                                 {
 847                                 al=SSL_AD_HANDSHAKE_FAILURE;
 848                                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
 849                                 goto f_err;
 850                                 }
 851
 852                         if (s->s3->tmp.dh != NULL)
 853                                 {
 854                                 DH_free(dh);
 855                                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
 856                                 goto err;
 857                                 }
 858
 859                         if ((dh=DHparams_dup(dhp)) == NULL)
 860                                 {
 861                                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
 862                                 goto err;
 863                                 }
 864
 865                         s->s3->tmp.dh=dh;
 866                         if ((dhp->pub_key == NULL ||
 867                              dhp->priv_key == NULL ||
 868                              (s->options & SSL_OP_SINGLE_DH_USE)))
 869                                 {
 870                                 if(!DH_generate_key(dh))
 871                                     {
 872                                     SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,
 873                                            ERR_R_DH_LIB);
 874                                     goto err;
 875                                     }
 876                                 }
 877                         else
 878                                 {
 879                                 dh->pub_key=BN_dup(dhp->pub_key);
 880                                 dh->priv_key=BN_dup(dhp->priv_key);
 881                                 if ((dh->pub_key == NULL) ||
 882                                         (dh->priv_key == NULL))
 883                                         {
 884                                         SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
 885                                         goto err;
 886                                         }
 887                                 }
 888                         r[0]=dh->p;
 889                         r[1]=dh->g;
 890                         r[2]=dh->pub_key;
 891                         }
 892                 else
 893 #endif
 894                         {
 895                         al=SSL_AD_HANDSHAKE_FAILURE;
 896                         SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
 897                         goto f_err;
 898                         }
 899                 for (i=0; r[i] != NULL; i++)
 900                         {
 901                         nr[i]=BN_num_bytes(r[i]);
 902                         n+=2+nr[i];
 903                         }
 904
 905                 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
 906                         {
 907                         if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher))
 908                                 == NULL)
 909                                 {
 910                                 al=SSL_AD_DECODE_ERROR;
 911                                 goto f_err;
 912                                 }
 913                         kn=EVP_PKEY_size(pkey);
 914                         }
 915                 else
 916                         {
 917                         pkey=NULL;
 918                         kn=0;
 919                         }
 920
 921                 if (!BUF_MEM_grow_clean(buf,n+DTLS1_HM_HEADER_LENGTH+kn))
 922                         {
 923                         SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
 924                         goto err;
 925                         }
 926                 d=(unsigned char *)s->init_buf->data;
 927                 p= &(d[DTLS1_HM_HEADER_LENGTH]);
 928
 929                 for (i=0; r[i] != NULL; i++)
 930                         {
 931                         s2n(nr[i],p);
 932                         BN_bn2bin(r[i],p);
 933                         p+=nr[i];
 934                         }
 935
 936                 /* not anonymous */
 937                 if (pkey != NULL)
 938                         {
 939                         /* n is the length of the params, they start at
 940                          * &(d[DTLS1_HM_HEADER_LENGTH]) and p points to the space
 941                          * at the end. */
 942 #ifndef OPENSSL_NO_RSA
 943                         if (pkey->type == EVP_PKEY_RSA)
 944                                 {
 945                                 q=md_buf;
 946                                 j=0;
 947                                 for (num=2; num > 0; num--)
 948                                         {
 949                                         EVP_DigestInit_ex(&md_ctx,(num == 2)
 950                                                 ?s->ctx->md5:s->ctx->sha1, NULL);
 951                                         EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
 952                                         EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
 953                                         EVP_DigestUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n);
 954                                         EVP_DigestFinal_ex(&md_ctx,q,
 955                                                 (unsigned int *)&i);
 956                                         q+=i;
 957                                         j+=i;
 958                                         }
 959                                 if (RSA_sign(NID_md5_sha1, md_buf, j,
 960                                         &(p[2]), &u, pkey->pkey.rsa) <= 0)
 961                                         {
 962                                         SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
 963                                         goto err;
 964                                         }
 965                                 s2n(u,p);
 966                                 n+=u+2;
 967                                 }
 968                         else
 969 #endif
 970 #if !defined(OPENSSL_NO_DSA)
 971                                 if (pkey->type == EVP_PKEY_DSA)
 972                                 {
 973                                 /* lets do DSS */
 974                                 EVP_SignInit_ex(&md_ctx,EVP_dss1(), NULL);
 975                                 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
 976                                 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
 977                                 EVP_SignUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n);
 978                                 if (!EVP_SignFinal(&md_ctx,&(p[2]),
 979                                         (unsigned int *)&i,pkey))
 980                                         {
 981                                         SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA);
 982                                         goto err;
 983                                         }
 984                                 s2n(i,p);
 985                                 n+=i+2;
 986                                 }
 987                         else
 988 #endif
 989                                 {
 990                                 /* Is this error check actually needed? */
 991                                 al=SSL_AD_HANDSHAKE_FAILURE;
 992                                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE);
 993                                 goto f_err;
 994                                 }
 995                         }
 996
 997                 d = dtls1_set_message_header(s, d,
 998                         SSL3_MT_SERVER_KEY_EXCHANGE, n, 0, n);
 999
1000                 /* we should now have things packed up, so lets send
1001                  * it off */
1002                 s->init_num=n+DTLS1_HM_HEADER_LENGTH;
1003                 s->init_off=0;
1004
1005                 /* buffer the message to handle re-xmits */
1006                 dtls1_buffer_message(s, 0);
1007                 }
1008
1009         s->state = SSL3_ST_SW_KEY_EXCH_B;
1010         EVP_MD_CTX_cleanup(&md_ctx);
1011         return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
1012 f_err:
1013         ssl3_send_alert(s,SSL3_AL_FATAL,al);
1014 err:
1015         EVP_MD_CTX_cleanup(&md_ctx);
1016         return(-1);
1017         }
1018
1019 int dtls1_send_certificate_request(SSL *s)
1020         {
1021         unsigned char *p,*d;
1022         int i,j,nl,off,n;
1023         STACK_OF(X509_NAME) *sk=NULL;
1024         X509_NAME *name;
1025         BUF_MEM *buf;
1026
1027         if (s->state == SSL3_ST_SW_CERT_REQ_A)
1028                 {
1029                 buf=s->init_buf;
1030
1031                 d=p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH]);
1032
1033                 /* get the list of acceptable cert types */
1034                 p++;
1035                 n=ssl3_get_req_cert_type(s,p);
1036                 d[0]=n;
1037                 p+=n;
1038                 n++;
1039
1040                 off=n;
1041                 p+=2;
1042                 n+=2;
1043
1044                 sk=SSL_get_client_CA_list(s);
1045                 nl=0;
1046                 if (sk != NULL)
1047                         {
1048                         for (i=0; i<sk_X509_NAME_num(sk); i++)
1049                                 {
1050                                 name=sk_X509_NAME_value(sk,i);
1051                                 j=i2d_X509_NAME(name,NULL);
1052                                 if (!BUF_MEM_grow_clean(buf,DTLS1_HM_HEADER_LENGTH+n+j+2))
1053                                         {
1054                                         SSLerr(SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
1055                                         goto err;
1056                                         }
1057                                 p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH+n]);
1058                                 if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
1059                                         {
1060                                         s2n(j,p);
1061                                         i2d_X509_NAME(name,&p);
1062                                         n+=2+j;
1063                                         nl+=2+j;
1064                                         }
1065                                 else
1066                                         {
1067                                         d=p;
1068                                         i2d_X509_NAME(name,&p);
1069                                         j-=2; s2n(j,d); j+=2;
1070                                         n+=j;
1071                                         nl+=j;
1072                                         }
1073                                 }
1074                         }
1075                 /* else no CA names */
1076                 p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH+off]);
1077                 s2n(nl,p);
1078
1079                 d=(unsigned char *)buf->data;
1080                 *(d++)=SSL3_MT_CERTIFICATE_REQUEST;
1081                 l2n3(n,d);
1082                 s2n(s->d1->handshake_write_seq,d);
1083                 s->d1->handshake_write_seq++;
1084
1085                 /* we should now have things packed up, so lets send
1086                  * it off */
1087
1088                 s->init_num=n+DTLS1_HM_HEADER_LENGTH;
1089                 s->init_off=0;
1090 #ifdef NETSCAPE_HANG_BUG
1091 /* XXX: what to do about this? */
1092                 p=(unsigned char *)s->init_buf->data + s->init_num;
1093
1094                 /* do the header */
1095                 *(p++)=SSL3_MT_SERVER_DONE;
1096                 *(p++)=0;
1097                 *(p++)=0;
1098                 *(p++)=0;
1099                 s->init_num += 4;
1100 #endif
1101
1102                 /* XDTLS:  set message header ? */
1103                 /* buffer the message to handle re-xmits */
1104                 dtls1_buffer_message(s, 0);
1105
1106                 s->state = SSL3_ST_SW_CERT_REQ_B;
1107                 }
1108
1109         /* SSL3_ST_SW_CERT_REQ_B */
1110         return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
1111 err:
1112         return(-1);
1113         }
1114
1115 int dtls1_send_server_certificate(SSL *s)
1116         {
1117         unsigned long l;
1118         X509 *x;
1119
1120         if (s->state == SSL3_ST_SW_CERT_A)
1121                 {
1122                 x=ssl_get_server_send_cert(s);
1123                 if (x == NULL &&
1124                         /* VRS: allow null cert if auth == KRB5 */
1125                         (s->s3->tmp.new_cipher->algorithms
1126                                 & (SSL_MKEY_MASK|SSL_AUTH_MASK))
1127                         != (SSL_aKRB5|SSL_kKRB5))
1128                         {
1129                         SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
1130                         return(0);
1131                         }
1132
1133                 l=dtls1_output_cert_chain(s,x);
1134                 s->state=SSL3_ST_SW_CERT_B;
1135                 s->init_num=(int)l;
1136                 s->init_off=0;
1137
1138                 /* buffer the message to handle re-xmits */
1139                 dtls1_buffer_message(s, 0);
1140                 }
1141
1142         /* SSL3_ST_SW_CERT_B */
1143         return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
1144         }