083333eedb681f7ae2514ea0bfefc777c923fab6
[openssl.git] / ssl / d1_clnt.c
1 /* ssl/d1_clnt.c */
2 /*
3  * DTLS implementation written by Nagendra Modadugu
4  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
5  */
6 /* ====================================================================
7  * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  *
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  *
16  * 2. Redistributions in binary form must reproduce the above copyright
17  *    notice, this list of conditions and the following disclaimer in
18  *    the documentation and/or other materials provided with the
19  *    distribution.
20  *
21  * 3. All advertising materials mentioning features or use of this
22  *    software must display the following acknowledgment:
23  *    "This product includes software developed by the OpenSSL Project
24  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25  *
26  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27  *    endorse or promote products derived from this software without
28  *    prior written permission. For written permission, please contact
29  *    openssl-core@OpenSSL.org.
30  *
31  * 5. Products derived from this software may not be called "OpenSSL"
32  *    nor may "OpenSSL" appear in their names without prior written
33  *    permission of the OpenSSL Project.
34  *
35  * 6. Redistributions of any form whatsoever must retain the following
36  *    acknowledgment:
37  *    "This product includes software developed by the OpenSSL Project
38  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
44  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51  * OF THE POSSIBILITY OF SUCH DAMAGE.
52  * ====================================================================
53  *
54  * This product includes cryptographic software written by Eric Young
55  * (eay@cryptsoft.com).  This product includes software written by Tim
56  * Hudson (tjh@cryptsoft.com).
57  *
58  */
59 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
60  * All rights reserved.
61  *
62  * This package is an SSL implementation written
63  * by Eric Young (eay@cryptsoft.com).
64  * The implementation was written so as to conform with Netscapes SSL.
65  *
66  * This library is free for commercial and non-commercial use as long as
67  * the following conditions are aheared to.  The following conditions
68  * apply to all code found in this distribution, be it the RC4, RSA,
69  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
70  * included with this distribution is covered by the same copyright terms
71  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
72  *
73  * Copyright remains Eric Young's, and as such any Copyright notices in
74  * the code are not to be removed.
75  * If this package is used in a product, Eric Young should be given attribution
76  * as the author of the parts of the library used.
77  * This can be in the form of a textual message at program startup or
78  * in documentation (online or textual) provided with the package.
79  *
80  * Redistribution and use in source and binary forms, with or without
81  * modification, are permitted provided that the following conditions
82  * are met:
83  * 1. Redistributions of source code must retain the copyright
84  *    notice, this list of conditions and the following disclaimer.
85  * 2. Redistributions in binary form must reproduce the above copyright
86  *    notice, this list of conditions and the following disclaimer in the
87  *    documentation and/or other materials provided with the distribution.
88  * 3. All advertising materials mentioning features or use of this software
89  *    must display the following acknowledgement:
90  *    "This product includes cryptographic software written by
91  *     Eric Young (eay@cryptsoft.com)"
92  *    The word 'cryptographic' can be left out if the rouines from the library
93  *    being used are not cryptographic related :-).
94  * 4. If you include any Windows specific code (or a derivative thereof) from
95  *    the apps directory (application code) you must include an acknowledgement:
96  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
97  *
98  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
99  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
100  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
101  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
102  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
103  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
104  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
105  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
106  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
107  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
108  * SUCH DAMAGE.
109  *
110  * The licence and distribution terms for any publically available version or
111  * derivative of this code cannot be changed.  i.e. this code cannot simply be
112  * copied and put under another distribution licence
113  * [including the GNU Public Licence.]
114  */
115
116 #include <stdio.h>
117 #include "ssl_locl.h"
118 #include <openssl/buffer.h>
119 #include <openssl/rand.h>
120 #include <openssl/objects.h>
121 #include <openssl/evp.h>
122 #include <openssl/md5.h>
123 #include <openssl/bn.h>
124 #ifndef OPENSSL_NO_DH
125 # include <openssl/dh.h>
126 #endif
127
128 static const SSL_METHOD *dtls1_get_client_method(int ver);
129 static int dtls1_get_hello_verify(SSL *s);
130
131 static const SSL_METHOD *dtls1_get_client_method(int ver)
132 {
133     if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
134         return (DTLSv1_client_method());
135     else if (ver == DTLS1_2_VERSION)
136         return (DTLSv1_2_client_method());
137     else
138         return (NULL);
139 }
140
141 IMPLEMENT_dtls1_meth_func(DTLS1_VERSION,
142                           DTLSv1_client_method,
143                           ssl_undefined_function,
144                           dtls1_connect,
145                           dtls1_get_client_method, DTLSv1_enc_data)
146
147     IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION,
148                           DTLSv1_2_client_method,
149                           ssl_undefined_function,
150                           dtls1_connect,
151                           dtls1_get_client_method, DTLSv1_2_enc_data)
152
153     IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION,
154                           DTLS_client_method,
155                           ssl_undefined_function,
156                           dtls1_connect,
157                           dtls1_get_client_method, DTLSv1_2_enc_data)
158
159 int dtls1_connect(SSL *s)
160 {
161     BUF_MEM *buf = NULL;
162     unsigned long Time = (unsigned long)time(NULL);
163     void (*cb) (const SSL *ssl, int type, int val) = NULL;
164     int ret = -1;
165     int new_state, state, skip = 0;
166 #ifndef OPENSSL_NO_SCTP
167     unsigned char sctpauthkey[64];
168     char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
169 #endif
170
171     RAND_add(&Time, sizeof(Time), 0);
172     ERR_clear_error();
173     clear_sys_error();
174
175     if (s->info_callback != NULL)
176         cb = s->info_callback;
177     else if (s->ctx->info_callback != NULL)
178         cb = s->ctx->info_callback;
179
180     s->in_handshake++;
181     if (!SSL_in_init(s) || SSL_in_before(s)) {
182         if (!SSL_clear(s))
183             return -1;
184     }
185
186 #ifndef OPENSSL_NO_SCTP
187     /*
188      * Notify SCTP BIO socket to enter handshake mode and prevent stream
189      * identifier other than 0. Will be ignored if no SCTP is used.
190      */
191     BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
192              s->in_handshake, NULL);
193 #endif
194
195 #ifndef OPENSSL_NO_HEARTBEATS
196     /*
197      * If we're awaiting a HeartbeatResponse, pretend we already got and
198      * don't await it anymore, because Heartbeats don't make sense during
199      * handshakes anyway.
200      */
201     if (s->tlsext_hb_pending) {
202         dtls1_stop_timer(s);
203         s->tlsext_hb_pending = 0;
204         s->tlsext_hb_seq++;
205     }
206 #endif
207
208     for (;;) {
209         state = s->state;
210
211         switch (s->state) {
212         case SSL_ST_RENEGOTIATE:
213             s->renegotiate = 1;
214             s->state = SSL_ST_CONNECT;
215             s->ctx->stats.sess_connect_renegotiate++;
216             /* break */
217         case SSL_ST_BEFORE:
218         case SSL_ST_CONNECT:
219         case SSL_ST_BEFORE | SSL_ST_CONNECT:
220         case SSL_ST_OK | SSL_ST_CONNECT:
221
222             s->server = 0;
223             if (cb != NULL)
224                 cb(s, SSL_CB_HANDSHAKE_START, 1);
225
226             if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00) &&
227                 (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00)) {
228                 SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR);
229                 ret = -1;
230                 s->state = SSL_ST_ERR;
231                 goto end;
232             }
233
234             /* s->version=SSL3_VERSION; */
235             s->type = SSL_ST_CONNECT;
236
237             if (s->init_buf == NULL) {
238                 if ((buf = BUF_MEM_new()) == NULL) {
239                     ret = -1;
240                     s->state = SSL_ST_ERR;
241                     goto end;
242                 }
243                 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
244                     ret = -1;
245                     s->state = SSL_ST_ERR;
246                     goto end;
247                 }
248                 s->init_buf = buf;
249                 buf = NULL;
250             }
251
252             if (!ssl3_setup_buffers(s)) {
253                 ret = -1;
254                 s->state = SSL_ST_ERR;
255                 goto end;
256             }
257
258             /* setup buffing BIO */
259             if (!ssl_init_wbio_buffer(s, 0)) {
260                 ret = -1;
261                 s->state = SSL_ST_ERR;
262                 goto end;
263             }
264
265             /* don't push the buffering BIO quite yet */
266
267             s->state = SSL3_ST_CW_CLNT_HELLO_A;
268             s->ctx->stats.sess_connect++;
269             s->init_num = 0;
270             /* mark client_random uninitialized */
271             memset(s->s3->client_random, 0, sizeof(s->s3->client_random));
272             s->d1->send_cookie = 0;
273             s->hit = 0;
274             /*
275              * Should have been reset by ssl3_get_finished, too.
276              */
277             s->s3->change_cipher_spec = 0;
278             break;
279
280 #ifndef OPENSSL_NO_SCTP
281         case DTLS1_SCTP_ST_CR_READ_SOCK:
282
283             if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
284                 s->s3->in_read_app_data = 2;
285                 s->rwstate = SSL_READING;
286                 BIO_clear_retry_flags(SSL_get_rbio(s));
287                 BIO_set_retry_read(SSL_get_rbio(s));
288                 ret = -1;
289                 goto end;
290             }
291
292             s->state = s->s3->tmp.next_state;
293             break;
294
295         case DTLS1_SCTP_ST_CW_WRITE_SOCK:
296             /* read app data until dry event */
297
298             ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
299             if (ret < 0)
300                 goto end;
301
302             if (ret == 0) {
303                 s->s3->in_read_app_data = 2;
304                 s->rwstate = SSL_READING;
305                 BIO_clear_retry_flags(SSL_get_rbio(s));
306                 BIO_set_retry_read(SSL_get_rbio(s));
307                 ret = -1;
308                 goto end;
309             }
310
311             s->state = s->d1->next_state;
312             break;
313 #endif
314
315         case SSL3_ST_CW_CLNT_HELLO_A:
316         case SSL3_ST_CW_CLNT_HELLO_B:
317
318             s->shutdown = 0;
319
320             /* every DTLS ClientHello resets Finished MAC */
321             ssl3_init_finished_mac(s);
322
323             dtls1_start_timer(s);
324             ret = ssl3_client_hello(s);
325             if (ret <= 0)
326                 goto end;
327
328             if (s->d1->send_cookie) {
329                 s->state = SSL3_ST_CW_FLUSH;
330                 s->s3->tmp.next_state = SSL3_ST_CR_SRVR_HELLO_A;
331             } else
332                 s->state = SSL3_ST_CR_SRVR_HELLO_A;
333
334             s->init_num = 0;
335
336 #ifndef OPENSSL_NO_SCTP
337             /* Disable buffering for SCTP */
338             if (!BIO_dgram_is_sctp(SSL_get_wbio(s))) {
339 #endif
340                 /*
341                  * turn on buffering for the next lot of output
342                  */
343                 if (s->bbio != s->wbio)
344                     s->wbio = BIO_push(s->bbio, s->wbio);
345 #ifndef OPENSSL_NO_SCTP
346             }
347 #endif
348
349             break;
350
351         case SSL3_ST_CR_SRVR_HELLO_A:
352         case SSL3_ST_CR_SRVR_HELLO_B:
353             ret = ssl3_get_server_hello(s);
354             if (ret <= 0)
355                 goto end;
356             else {
357                 if (s->hit) {
358 #ifndef OPENSSL_NO_SCTP
359                     /*
360                      * Add new shared key for SCTP-Auth, will be ignored if
361                      * no SCTP used.
362                      */
363                     snprintf((char *)labelbuffer,
364                              sizeof(DTLS1_SCTP_AUTH_LABEL),
365                              DTLS1_SCTP_AUTH_LABEL);
366
367                     if (SSL_export_keying_material(s, sctpauthkey,
368                                                sizeof(sctpauthkey),
369                                                labelbuffer,
370                                                sizeof(labelbuffer), NULL, 0,
371                                                0) <= 0) {
372                         ret = -1;
373                         s->state = SSL_ST_ERR;
374                         goto end;
375                     }
376
377                     BIO_ctrl(SSL_get_wbio(s),
378                              BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
379                              sizeof(sctpauthkey), sctpauthkey);
380 #endif
381
382                     s->state = SSL3_ST_CR_CHANGE_A;
383                     if (s->tlsext_ticket_expected) {
384                         /* receive renewed session ticket */
385                         s->state = SSL3_ST_CR_SESSION_TICKET_A;
386                     }
387                 } else
388                     s->state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
389             }
390             s->init_num = 0;
391             break;
392
393         case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
394         case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B:
395
396             ret = dtls1_get_hello_verify(s);
397             if (ret <= 0)
398                 goto end;
399             dtls1_stop_timer(s);
400             if (s->d1->send_cookie) /* start again, with a cookie */
401                 s->state = SSL3_ST_CW_CLNT_HELLO_A;
402             else
403                 s->state = SSL3_ST_CR_CERT_A;
404             s->init_num = 0;
405             break;
406
407         case SSL3_ST_CR_CERT_A:
408         case SSL3_ST_CR_CERT_B:
409             /* Check if it is anon DH or PSK */
410             if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
411                 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
412                 ret = ssl3_get_server_certificate(s);
413                 if (ret <= 0)
414                     goto end;
415
416                 if (s->tlsext_status_expected)
417                     s->state = SSL3_ST_CR_CERT_STATUS_A;
418                 else
419                     s->state = SSL3_ST_CR_KEY_EXCH_A;
420             } else {
421                 skip = 1;
422                 s->state = SSL3_ST_CR_KEY_EXCH_A;
423             }
424
425             s->init_num = 0;
426             break;
427
428         case SSL3_ST_CR_KEY_EXCH_A:
429         case SSL3_ST_CR_KEY_EXCH_B:
430             ret = ssl3_get_key_exchange(s);
431             if (ret <= 0)
432                 goto end;
433             s->state = SSL3_ST_CR_CERT_REQ_A;
434             s->init_num = 0;
435
436             /*
437              * at this point we check that we have the required stuff from
438              * the server
439              */
440             if (!ssl3_check_cert_and_algorithm(s)) {
441                 ret = -1;
442                 s->state = SSL_ST_ERR;
443                 goto end;
444             }
445             break;
446
447         case SSL3_ST_CR_CERT_REQ_A:
448         case SSL3_ST_CR_CERT_REQ_B:
449             ret = ssl3_get_certificate_request(s);
450             if (ret <= 0)
451                 goto end;
452             s->state = SSL3_ST_CR_SRVR_DONE_A;
453             s->init_num = 0;
454             break;
455
456         case SSL3_ST_CR_SRVR_DONE_A:
457         case SSL3_ST_CR_SRVR_DONE_B:
458             ret = ssl3_get_server_done(s);
459             if (ret <= 0)
460                 goto end;
461             dtls1_stop_timer(s);
462             if (s->s3->tmp.cert_req)
463                 s->s3->tmp.next_state = SSL3_ST_CW_CERT_A;
464             else
465                 s->s3->tmp.next_state = SSL3_ST_CW_KEY_EXCH_A;
466             s->init_num = 0;
467
468 #ifndef OPENSSL_NO_SCTP
469             if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
470                 state == SSL_ST_RENEGOTIATE)
471                 s->state = DTLS1_SCTP_ST_CR_READ_SOCK;
472             else
473 #endif
474                 s->state = s->s3->tmp.next_state;
475             break;
476
477         case SSL3_ST_CW_CERT_A:
478         case SSL3_ST_CW_CERT_B:
479         case SSL3_ST_CW_CERT_C:
480         case SSL3_ST_CW_CERT_D:
481             dtls1_start_timer(s);
482             ret = ssl3_send_client_certificate(s);
483             if (ret <= 0)
484                 goto end;
485             s->state = SSL3_ST_CW_KEY_EXCH_A;
486             s->init_num = 0;
487             break;
488
489         case SSL3_ST_CW_KEY_EXCH_A:
490         case SSL3_ST_CW_KEY_EXCH_B:
491             dtls1_start_timer(s);
492             ret = ssl3_send_client_key_exchange(s);
493             if (ret <= 0)
494                 goto end;
495
496 #ifndef OPENSSL_NO_SCTP
497             /*
498              * Add new shared key for SCTP-Auth, will be ignored if no SCTP
499              * used.
500              */
501             snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
502                      DTLS1_SCTP_AUTH_LABEL);
503
504             if (SSL_export_keying_material(s, sctpauthkey,
505                                        sizeof(sctpauthkey), labelbuffer,
506                                        sizeof(labelbuffer), NULL, 0, 0) <= 0) {
507                 ret = -1;
508                 s->state = SSL_ST_ERR;
509                 goto end;
510             }
511
512             BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
513                      sizeof(sctpauthkey), sctpauthkey);
514 #endif
515
516             /*
517              * EAY EAY EAY need to check for DH fix cert sent back
518              */
519             /*
520              * For TLS, cert_req is set to 2, so a cert chain of nothing is
521              * sent, but no verify packet is sent
522              */
523             if (s->s3->tmp.cert_req == 1) {
524                 s->state = SSL3_ST_CW_CERT_VRFY_A;
525             } else {
526 #ifndef OPENSSL_NO_SCTP
527                 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
528                     s->d1->next_state = SSL3_ST_CW_CHANGE_A;
529                     s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
530                 } else
531 #endif
532                     s->state = SSL3_ST_CW_CHANGE_A;
533             }
534
535             s->init_num = 0;
536             break;
537
538         case SSL3_ST_CW_CERT_VRFY_A:
539         case SSL3_ST_CW_CERT_VRFY_B:
540             dtls1_start_timer(s);
541             ret = ssl3_send_client_verify(s);
542             if (ret <= 0)
543                 goto end;
544 #ifndef OPENSSL_NO_SCTP
545             if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
546                 s->d1->next_state = SSL3_ST_CW_CHANGE_A;
547                 s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
548             } else
549 #endif
550                 s->state = SSL3_ST_CW_CHANGE_A;
551             s->init_num = 0;
552             break;
553
554         case SSL3_ST_CW_CHANGE_A:
555         case SSL3_ST_CW_CHANGE_B:
556             if (!s->hit)
557                 dtls1_start_timer(s);
558             ret = dtls1_send_change_cipher_spec(s,
559                                                 SSL3_ST_CW_CHANGE_A,
560                                                 SSL3_ST_CW_CHANGE_B);
561             if (ret <= 0)
562                 goto end;
563
564             s->state = SSL3_ST_CW_FINISHED_A;
565             s->init_num = 0;
566
567             s->session->cipher = s->s3->tmp.new_cipher;
568 #ifdef OPENSSL_NO_COMP
569             s->session->compress_meth = 0;
570 #else
571             if (s->s3->tmp.new_compression == NULL)
572                 s->session->compress_meth = 0;
573             else
574                 s->session->compress_meth = s->s3->tmp.new_compression->id;
575 #endif
576             if (!s->method->ssl3_enc->setup_key_block(s)) {
577                 ret = -1;
578                 s->state = SSL_ST_ERR;
579                 goto end;
580             }
581
582             if (!s->method->ssl3_enc->change_cipher_state(s,
583                                                           SSL3_CHANGE_CIPHER_CLIENT_WRITE))
584             {
585                 ret = -1;
586                 s->state = SSL_ST_ERR;
587                 goto end;
588             }
589 #ifndef OPENSSL_NO_SCTP
590             if (s->hit) {
591                 /*
592                  * Change to new shared key of SCTP-Auth, will be ignored if
593                  * no SCTP used.
594                  */
595                 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
596                          0, NULL);
597             }
598 #endif
599
600             dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
601             break;
602
603         case SSL3_ST_CW_FINISHED_A:
604         case SSL3_ST_CW_FINISHED_B:
605             if (!s->hit)
606                 dtls1_start_timer(s);
607             ret = ssl3_send_finished(s,
608                                      SSL3_ST_CW_FINISHED_A,
609                                      SSL3_ST_CW_FINISHED_B,
610                                      s->method->
611                                      ssl3_enc->client_finished_label,
612                                      s->method->
613                                      ssl3_enc->client_finished_label_len);
614             if (ret <= 0)
615                 goto end;
616             s->state = SSL3_ST_CW_FLUSH;
617
618             if (s->hit) {
619                 s->s3->tmp.next_state = SSL_ST_OK;
620 #ifndef OPENSSL_NO_SCTP
621                 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
622                     s->d1->next_state = s->s3->tmp.next_state;
623                     s->s3->tmp.next_state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
624                 }
625 #endif
626             } else {
627 #ifndef OPENSSL_NO_SCTP
628                 /*
629                  * Change to new shared key of SCTP-Auth, will be ignored if
630                  * no SCTP used.
631                  */
632                 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
633                          0, NULL);
634 #endif
635
636                 /*
637                  * Allow NewSessionTicket if ticket expected
638                  */
639                 if (s->tlsext_ticket_expected)
640                     s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A;
641                 else
642                     s->s3->tmp.next_state = SSL3_ST_CR_CHANGE_A;
643             }
644             s->init_num = 0;
645             break;
646
647         case SSL3_ST_CR_SESSION_TICKET_A:
648         case SSL3_ST_CR_SESSION_TICKET_B:
649             ret = ssl3_get_new_session_ticket(s);
650             if (ret <= 0)
651                 goto end;
652             s->state = SSL3_ST_CR_CHANGE_A;
653             s->init_num = 0;
654             break;
655
656         case SSL3_ST_CR_CERT_STATUS_A:
657         case SSL3_ST_CR_CERT_STATUS_B:
658             ret = ssl3_get_cert_status(s);
659             if (ret <= 0)
660                 goto end;
661             s->state = SSL3_ST_CR_KEY_EXCH_A;
662             s->init_num = 0;
663             break;
664
665         case SSL3_ST_CR_CHANGE_A:
666         case SSL3_ST_CR_CHANGE_B:
667             ret = ssl3_get_change_cipher_spec(s, SSL3_ST_CR_CHANGE_A,
668                                               SSL3_ST_CR_CHANGE_B);
669             if (ret <= 0)
670                 goto end;
671
672             s->state = SSL3_ST_CR_FINISHED_A;
673             s->init_num = 0;
674             break;
675
676         case SSL3_ST_CR_FINISHED_A:
677         case SSL3_ST_CR_FINISHED_B:
678             ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A,
679                                     SSL3_ST_CR_FINISHED_B);
680             if (ret <= 0)
681                 goto end;
682             dtls1_stop_timer(s);
683
684             if (s->hit)
685                 s->state = SSL3_ST_CW_CHANGE_A;
686             else
687                 s->state = SSL_ST_OK;
688
689 #ifndef OPENSSL_NO_SCTP
690             if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
691                 state == SSL_ST_RENEGOTIATE) {
692                 s->d1->next_state = s->state;
693                 s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
694             }
695 #endif
696
697             s->init_num = 0;
698             break;
699
700         case SSL3_ST_CW_FLUSH:
701             s->rwstate = SSL_WRITING;
702             if (BIO_flush(s->wbio) <= 0) {
703                 /*
704                  * If the write error was fatal, stop trying
705                  */
706                 if (!BIO_should_retry(s->wbio)) {
707                     s->rwstate = SSL_NOTHING;
708                     s->state = s->s3->tmp.next_state;
709                 }
710
711                 ret = -1;
712                 goto end;
713             }
714             s->rwstate = SSL_NOTHING;
715             s->state = s->s3->tmp.next_state;
716             break;
717
718         case SSL_ST_OK:
719             /* clean a few things up */
720             ssl3_cleanup_key_block(s);
721
722             /* Remove the buffering */
723             ssl_free_wbio_buffer(s);
724
725             s->init_num = 0;
726             s->renegotiate = 0;
727             s->new_session = 0;
728
729             ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
730             if (s->hit)
731                 s->ctx->stats.sess_hit++;
732
733             ret = 1;
734             /* s->server=0; */
735             s->handshake_func = dtls1_connect;
736             s->ctx->stats.sess_connect_good++;
737
738             if (cb != NULL)
739                 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
740
741             /* done with handshaking */
742             s->d1->handshake_read_seq = 0;
743             s->d1->next_handshake_write_seq = 0;
744             goto end;
745             /* break; */
746
747         case SSL_ST_ERR:
748         default:
749             SSLerr(SSL_F_DTLS1_CONNECT, SSL_R_UNKNOWN_STATE);
750             ret = -1;
751             goto end;
752             /* break; */
753         }
754
755         /* did we do anything */
756         if (!s->s3->tmp.reuse_message && !skip) {
757             if (s->debug) {
758                 if ((ret = BIO_flush(s->wbio)) <= 0)
759                     goto end;
760             }
761
762             if ((cb != NULL) && (s->state != state)) {
763                 new_state = s->state;
764                 s->state = state;
765                 cb(s, SSL_CB_CONNECT_LOOP, 1);
766                 s->state = new_state;
767             }
768         }
769         skip = 0;
770     }
771  end:
772     s->in_handshake--;
773
774 #ifndef OPENSSL_NO_SCTP
775     /*
776      * Notify SCTP BIO socket to leave handshake mode and allow stream
777      * identifier other than 0. Will be ignored if no SCTP is used.
778      */
779     BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
780              s->in_handshake, NULL);
781 #endif
782
783     BUF_MEM_free(buf);
784     if (cb != NULL)
785         cb(s, SSL_CB_CONNECT_EXIT, ret);
786     return (ret);
787 }
788
789 static int dtls1_get_hello_verify(SSL *s)
790 {
791     int n, al, ok = 0;
792     unsigned char *data;
793     unsigned int cookie_len;
794
795     s->first_packet = 1;
796     n = s->method->ssl_get_message(s,
797                                    DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A,
798                                    DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B,
799                                    -1, s->max_cert_list, &ok);
800     s->first_packet = 0;
801
802     if (!ok)
803         return ((int)n);
804
805     if (s->s3->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) {
806         s->d1->send_cookie = 0;
807         s->s3->tmp.reuse_message = 1;
808         return (1);
809     }
810
811     data = (unsigned char *)s->init_msg;
812     data += 2;
813
814     cookie_len = *(data++);
815     if (cookie_len > sizeof(s->d1->cookie)) {
816         al = SSL_AD_ILLEGAL_PARAMETER;
817         goto f_err;
818     }
819
820     memcpy(s->d1->cookie, data, cookie_len);
821     s->d1->cookie_len = cookie_len;
822
823     s->d1->send_cookie = 1;
824     return 1;
825
826  f_err:
827     ssl3_send_alert(s, SSL3_AL_FATAL, al);
828     s->state = SSL_ST_ERR;
829     return -1;
830 }