Don't add write errors into bytecounts
[openssl.git] / ssl / d1_clnt.c
1 /* ssl/d1_clnt.c */
2 /*
3  * DTLS implementation written by Nagendra Modadugu
4  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
5  */
6 /* ====================================================================
7  * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  *
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  *
16  * 2. Redistributions in binary form must reproduce the above copyright
17  *    notice, this list of conditions and the following disclaimer in
18  *    the documentation and/or other materials provided with the
19  *    distribution.
20  *
21  * 3. All advertising materials mentioning features or use of this
22  *    software must display the following acknowledgment:
23  *    "This product includes software developed by the OpenSSL Project
24  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25  *
26  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27  *    endorse or promote products derived from this software without
28  *    prior written permission. For written permission, please contact
29  *    openssl-core@OpenSSL.org.
30  *
31  * 5. Products derived from this software may not be called "OpenSSL"
32  *    nor may "OpenSSL" appear in their names without prior written
33  *    permission of the OpenSSL Project.
34  *
35  * 6. Redistributions of any form whatsoever must retain the following
36  *    acknowledgment:
37  *    "This product includes software developed by the OpenSSL Project
38  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
44  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51  * OF THE POSSIBILITY OF SUCH DAMAGE.
52  * ====================================================================
53  *
54  * This product includes cryptographic software written by Eric Young
55  * (eay@cryptsoft.com).  This product includes software written by Tim
56  * Hudson (tjh@cryptsoft.com).
57  *
58  */
59 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
60  * All rights reserved.
61  *
62  * This package is an SSL implementation written
63  * by Eric Young (eay@cryptsoft.com).
64  * The implementation was written so as to conform with Netscapes SSL.
65  *
66  * This library is free for commercial and non-commercial use as long as
67  * the following conditions are aheared to.  The following conditions
68  * apply to all code found in this distribution, be it the RC4, RSA,
69  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
70  * included with this distribution is covered by the same copyright terms
71  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
72  *
73  * Copyright remains Eric Young's, and as such any Copyright notices in
74  * the code are not to be removed.
75  * If this package is used in a product, Eric Young should be given attribution
76  * as the author of the parts of the library used.
77  * This can be in the form of a textual message at program startup or
78  * in documentation (online or textual) provided with the package.
79  *
80  * Redistribution and use in source and binary forms, with or without
81  * modification, are permitted provided that the following conditions
82  * are met:
83  * 1. Redistributions of source code must retain the copyright
84  *    notice, this list of conditions and the following disclaimer.
85  * 2. Redistributions in binary form must reproduce the above copyright
86  *    notice, this list of conditions and the following disclaimer in the
87  *    documentation and/or other materials provided with the distribution.
88  * 3. All advertising materials mentioning features or use of this software
89  *    must display the following acknowledgement:
90  *    "This product includes cryptographic software written by
91  *     Eric Young (eay@cryptsoft.com)"
92  *    The word 'cryptographic' can be left out if the rouines from the library
93  *    being used are not cryptographic related :-).
94  * 4. If you include any Windows specific code (or a derivative thereof) from
95  *    the apps directory (application code) you must include an acknowledgement:
96  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
97  *
98  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
99  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
100  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
101  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
102  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
103  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
104  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
105  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
106  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
107  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
108  * SUCH DAMAGE.
109  *
110  * The licence and distribution terms for any publically available version or
111  * derivative of this code cannot be changed.  i.e. this code cannot simply be
112  * copied and put under another distribution licence
113  * [including the GNU Public Licence.]
114  */
115
116 #include <stdio.h>
117 #include "ssl_locl.h"
118 #include <openssl/buffer.h>
119 #include <openssl/rand.h>
120 #include <openssl/objects.h>
121 #include <openssl/evp.h>
122 #include <openssl/md5.h>
123 #include <openssl/bn.h>
124 #ifndef OPENSSL_NO_DH
125 # include <openssl/dh.h>
126 #endif
127
128 static const SSL_METHOD *dtls1_get_client_method(int ver);
129 static int dtls1_get_hello_verify(SSL *s);
130
131 static const SSL_METHOD *dtls1_get_client_method(int ver)
132 {
133     if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
134         return (DTLSv1_client_method());
135     else if (ver == DTLS1_2_VERSION)
136         return (DTLSv1_2_client_method());
137     else
138         return (NULL);
139 }
140
141 IMPLEMENT_dtls1_meth_func(DTLS1_VERSION,
142                           DTLSv1_client_method,
143                           ssl_undefined_function,
144                           dtls1_connect,
145                           dtls1_get_client_method, DTLSv1_enc_data)
146
147     IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION,
148                           DTLSv1_2_client_method,
149                           ssl_undefined_function,
150                           dtls1_connect,
151                           dtls1_get_client_method, DTLSv1_2_enc_data)
152
153     IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION,
154                           DTLS_client_method,
155                           ssl_undefined_function,
156                           dtls1_connect,
157                           dtls1_get_client_method, DTLSv1_2_enc_data)
158
159 int dtls1_connect(SSL *s)
160 {
161     BUF_MEM *buf = NULL;
162     unsigned long Time = (unsigned long)time(NULL);
163     void (*cb) (const SSL *ssl, int type, int val) = NULL;
164     int ret = -1;
165     int new_state, state, skip = 0;
166 #ifndef OPENSSL_NO_SCTP
167     unsigned char sctpauthkey[64];
168     char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
169 #endif
170
171     RAND_add(&Time, sizeof(Time), 0);
172     ERR_clear_error();
173     clear_sys_error();
174
175     if (s->info_callback != NULL)
176         cb = s->info_callback;
177     else if (s->ctx->info_callback != NULL)
178         cb = s->ctx->info_callback;
179
180     s->in_handshake++;
181     if (!SSL_in_init(s) || SSL_in_before(s)) {
182         if (!SSL_clear(s))
183             return -1;
184     }
185
186 #ifndef OPENSSL_NO_SCTP
187     /*
188      * Notify SCTP BIO socket to enter handshake mode and prevent stream
189      * identifier other than 0. Will be ignored if no SCTP is used.
190      */
191     BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
192              s->in_handshake, NULL);
193 #endif
194
195 #ifndef OPENSSL_NO_HEARTBEATS
196     /*
197      * If we're awaiting a HeartbeatResponse, pretend we already got and
198      * don't await it anymore, because Heartbeats don't make sense during
199      * handshakes anyway.
200      */
201     if (s->tlsext_hb_pending) {
202         dtls1_stop_timer(s);
203         s->tlsext_hb_pending = 0;
204         s->tlsext_hb_seq++;
205     }
206 #endif
207
208     for (;;) {
209         state = s->state;
210
211         switch (s->state) {
212         case SSL_ST_RENEGOTIATE:
213             s->renegotiate = 1;
214             s->state = SSL_ST_CONNECT;
215             s->ctx->stats.sess_connect_renegotiate++;
216             /* break */
217         case SSL_ST_BEFORE:
218         case SSL_ST_CONNECT:
219         case SSL_ST_BEFORE | SSL_ST_CONNECT:
220         case SSL_ST_OK | SSL_ST_CONNECT:
221
222             s->server = 0;
223             if (cb != NULL)
224                 cb(s, SSL_CB_HANDSHAKE_START, 1);
225
226             if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00) &&
227                 (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00)) {
228                 SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR);
229                 ret = -1;
230                 s->state = SSL_ST_ERR;
231                 goto end;
232             }
233
234             /* s->version=SSL3_VERSION; */
235             s->type = SSL_ST_CONNECT;
236
237             if (s->init_buf == NULL) {
238                 if ((buf = BUF_MEM_new()) == NULL) {
239                     ret = -1;
240                     s->state = SSL_ST_ERR;
241                     goto end;
242                 }
243                 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
244                     ret = -1;
245                     s->state = SSL_ST_ERR;
246                     goto end;
247                 }
248                 s->init_buf = buf;
249                 buf = NULL;
250             }
251
252             if (!ssl3_setup_buffers(s)) {
253                 ret = -1;
254                 s->state = SSL_ST_ERR;
255                 goto end;
256             }
257
258             /* setup buffing BIO */
259             if (!ssl_init_wbio_buffer(s, 0)) {
260                 ret = -1;
261                 s->state = SSL_ST_ERR;
262                 goto end;
263             }
264
265             /* don't push the buffering BIO quite yet */
266
267             s->state = SSL3_ST_CW_CLNT_HELLO_A;
268             s->ctx->stats.sess_connect++;
269             s->init_num = 0;
270             /* mark client_random uninitialized */
271             memset(s->s3->client_random, 0, sizeof(s->s3->client_random));
272             s->d1->send_cookie = 0;
273             s->hit = 0;
274             s->d1->change_cipher_spec_ok = 0;
275             /*
276              * Should have been reset by ssl3_get_finished, too.
277              */
278             s->s3->change_cipher_spec = 0;
279             break;
280
281 #ifndef OPENSSL_NO_SCTP
282         case DTLS1_SCTP_ST_CR_READ_SOCK:
283
284             if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
285                 s->s3->in_read_app_data = 2;
286                 s->rwstate = SSL_READING;
287                 BIO_clear_retry_flags(SSL_get_rbio(s));
288                 BIO_set_retry_read(SSL_get_rbio(s));
289                 ret = -1;
290                 goto end;
291             }
292
293             s->state = s->s3->tmp.next_state;
294             break;
295
296         case DTLS1_SCTP_ST_CW_WRITE_SOCK:
297             /* read app data until dry event */
298
299             ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
300             if (ret < 0)
301                 goto end;
302
303             if (ret == 0) {
304                 s->s3->in_read_app_data = 2;
305                 s->rwstate = SSL_READING;
306                 BIO_clear_retry_flags(SSL_get_rbio(s));
307                 BIO_set_retry_read(SSL_get_rbio(s));
308                 ret = -1;
309                 goto end;
310             }
311
312             s->state = s->d1->next_state;
313             break;
314 #endif
315
316         case SSL3_ST_CW_CLNT_HELLO_A:
317         case SSL3_ST_CW_CLNT_HELLO_B:
318
319             s->shutdown = 0;
320
321             /* every DTLS ClientHello resets Finished MAC */
322             ssl3_init_finished_mac(s);
323
324             dtls1_start_timer(s);
325             ret = ssl3_client_hello(s);
326             if (ret <= 0)
327                 goto end;
328
329             if (s->d1->send_cookie) {
330                 s->state = SSL3_ST_CW_FLUSH;
331                 s->s3->tmp.next_state = SSL3_ST_CR_SRVR_HELLO_A;
332             } else
333                 s->state = SSL3_ST_CR_SRVR_HELLO_A;
334
335             s->init_num = 0;
336
337 #ifndef OPENSSL_NO_SCTP
338             /* Disable buffering for SCTP */
339             if (!BIO_dgram_is_sctp(SSL_get_wbio(s))) {
340 #endif
341                 /*
342                  * turn on buffering for the next lot of output
343                  */
344                 if (s->bbio != s->wbio)
345                     s->wbio = BIO_push(s->bbio, s->wbio);
346 #ifndef OPENSSL_NO_SCTP
347             }
348 #endif
349
350             break;
351
352         case SSL3_ST_CR_SRVR_HELLO_A:
353         case SSL3_ST_CR_SRVR_HELLO_B:
354             ret = ssl3_get_server_hello(s);
355             if (ret <= 0)
356                 goto end;
357             else {
358                 if (s->hit) {
359 #ifndef OPENSSL_NO_SCTP
360                     /*
361                      * Add new shared key for SCTP-Auth, will be ignored if
362                      * no SCTP used.
363                      */
364                     snprintf((char *)labelbuffer,
365                              sizeof(DTLS1_SCTP_AUTH_LABEL),
366                              DTLS1_SCTP_AUTH_LABEL);
367
368                     SSL_export_keying_material(s, sctpauthkey,
369                                                sizeof(sctpauthkey),
370                                                labelbuffer,
371                                                sizeof(labelbuffer), NULL, 0,
372                                                0);
373
374                     BIO_ctrl(SSL_get_wbio(s),
375                              BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
376                              sizeof(sctpauthkey), sctpauthkey);
377 #endif
378
379                     s->state = SSL3_ST_CR_FINISHED_A;
380                 } else
381                     s->state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
382             }
383             s->init_num = 0;
384             break;
385
386         case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
387         case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B:
388
389             ret = dtls1_get_hello_verify(s);
390             if (ret <= 0)
391                 goto end;
392             dtls1_stop_timer(s);
393             if (s->d1->send_cookie) /* start again, with a cookie */
394                 s->state = SSL3_ST_CW_CLNT_HELLO_A;
395             else
396                 s->state = SSL3_ST_CR_CERT_A;
397             s->init_num = 0;
398             break;
399
400         case SSL3_ST_CR_CERT_A:
401         case SSL3_ST_CR_CERT_B:
402             /* Check if it is anon DH or PSK */
403             if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
404                 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
405                 ret = ssl3_get_server_certificate(s);
406                 if (ret <= 0)
407                     goto end;
408 #ifndef OPENSSL_NO_TLSEXT
409                 if (s->tlsext_status_expected)
410                     s->state = SSL3_ST_CR_CERT_STATUS_A;
411                 else
412                     s->state = SSL3_ST_CR_KEY_EXCH_A;
413             } else {
414                 skip = 1;
415                 s->state = SSL3_ST_CR_KEY_EXCH_A;
416             }
417 #else
418             } else
419                 skip = 1;
420
421             s->state = SSL3_ST_CR_KEY_EXCH_A;
422 #endif
423             s->init_num = 0;
424             break;
425
426         case SSL3_ST_CR_KEY_EXCH_A:
427         case SSL3_ST_CR_KEY_EXCH_B:
428             ret = ssl3_get_key_exchange(s);
429             if (ret <= 0)
430                 goto end;
431             s->state = SSL3_ST_CR_CERT_REQ_A;
432             s->init_num = 0;
433
434             /*
435              * at this point we check that we have the required stuff from
436              * the server
437              */
438             if (!ssl3_check_cert_and_algorithm(s)) {
439                 ret = -1;
440                 s->state = SSL_ST_ERR;
441                 goto end;
442             }
443             break;
444
445         case SSL3_ST_CR_CERT_REQ_A:
446         case SSL3_ST_CR_CERT_REQ_B:
447             ret = ssl3_get_certificate_request(s);
448             if (ret <= 0)
449                 goto end;
450             s->state = SSL3_ST_CR_SRVR_DONE_A;
451             s->init_num = 0;
452             break;
453
454         case SSL3_ST_CR_SRVR_DONE_A:
455         case SSL3_ST_CR_SRVR_DONE_B:
456             ret = ssl3_get_server_done(s);
457             if (ret <= 0)
458                 goto end;
459             dtls1_stop_timer(s);
460             if (s->s3->tmp.cert_req)
461                 s->s3->tmp.next_state = SSL3_ST_CW_CERT_A;
462             else
463                 s->s3->tmp.next_state = SSL3_ST_CW_KEY_EXCH_A;
464             s->init_num = 0;
465
466 #ifndef OPENSSL_NO_SCTP
467             if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
468                 state == SSL_ST_RENEGOTIATE)
469                 s->state = DTLS1_SCTP_ST_CR_READ_SOCK;
470             else
471 #endif
472                 s->state = s->s3->tmp.next_state;
473             break;
474
475         case SSL3_ST_CW_CERT_A:
476         case SSL3_ST_CW_CERT_B:
477         case SSL3_ST_CW_CERT_C:
478         case SSL3_ST_CW_CERT_D:
479             dtls1_start_timer(s);
480             ret = ssl3_send_client_certificate(s);
481             if (ret <= 0)
482                 goto end;
483             s->state = SSL3_ST_CW_KEY_EXCH_A;
484             s->init_num = 0;
485             break;
486
487         case SSL3_ST_CW_KEY_EXCH_A:
488         case SSL3_ST_CW_KEY_EXCH_B:
489             dtls1_start_timer(s);
490             ret = ssl3_send_client_key_exchange(s);
491             if (ret <= 0)
492                 goto end;
493
494 #ifndef OPENSSL_NO_SCTP
495             /*
496              * Add new shared key for SCTP-Auth, will be ignored if no SCTP
497              * used.
498              */
499             snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
500                      DTLS1_SCTP_AUTH_LABEL);
501
502             SSL_export_keying_material(s, sctpauthkey,
503                                        sizeof(sctpauthkey), labelbuffer,
504                                        sizeof(labelbuffer), NULL, 0, 0);
505
506             BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
507                      sizeof(sctpauthkey), sctpauthkey);
508 #endif
509
510             /*
511              * EAY EAY EAY need to check for DH fix cert sent back
512              */
513             /*
514              * For TLS, cert_req is set to 2, so a cert chain of nothing is
515              * sent, but no verify packet is sent
516              */
517             if (s->s3->tmp.cert_req == 1) {
518                 s->state = SSL3_ST_CW_CERT_VRFY_A;
519             } else {
520 #ifndef OPENSSL_NO_SCTP
521                 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
522                     s->d1->next_state = SSL3_ST_CW_CHANGE_A;
523                     s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
524                 } else
525 #endif
526                     s->state = SSL3_ST_CW_CHANGE_A;
527             }
528
529             s->init_num = 0;
530             break;
531
532         case SSL3_ST_CW_CERT_VRFY_A:
533         case SSL3_ST_CW_CERT_VRFY_B:
534             dtls1_start_timer(s);
535             ret = ssl3_send_client_verify(s);
536             if (ret <= 0)
537                 goto end;
538 #ifndef OPENSSL_NO_SCTP
539             if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
540                 s->d1->next_state = SSL3_ST_CW_CHANGE_A;
541                 s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
542             } else
543 #endif
544                 s->state = SSL3_ST_CW_CHANGE_A;
545             s->init_num = 0;
546             break;
547
548         case SSL3_ST_CW_CHANGE_A:
549         case SSL3_ST_CW_CHANGE_B:
550             if (!s->hit)
551                 dtls1_start_timer(s);
552             ret = dtls1_send_change_cipher_spec(s,
553                                                 SSL3_ST_CW_CHANGE_A,
554                                                 SSL3_ST_CW_CHANGE_B);
555             if (ret <= 0)
556                 goto end;
557
558             s->state = SSL3_ST_CW_FINISHED_A;
559             s->init_num = 0;
560
561             s->session->cipher = s->s3->tmp.new_cipher;
562 #ifdef OPENSSL_NO_COMP
563             s->session->compress_meth = 0;
564 #else
565             if (s->s3->tmp.new_compression == NULL)
566                 s->session->compress_meth = 0;
567             else
568                 s->session->compress_meth = s->s3->tmp.new_compression->id;
569 #endif
570             if (!s->method->ssl3_enc->setup_key_block(s)) {
571                 ret = -1;
572                 s->state = SSL_ST_ERR;
573                 goto end;
574             }
575
576             if (!s->method->ssl3_enc->change_cipher_state(s,
577                                                           SSL3_CHANGE_CIPHER_CLIENT_WRITE))
578             {
579                 ret = -1;
580                 s->state = SSL_ST_ERR;
581                 goto end;
582             }
583 #ifndef OPENSSL_NO_SCTP
584             if (s->hit) {
585                 /*
586                  * Change to new shared key of SCTP-Auth, will be ignored if
587                  * no SCTP used.
588                  */
589                 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
590                          0, NULL);
591             }
592 #endif
593
594             dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
595             break;
596
597         case SSL3_ST_CW_FINISHED_A:
598         case SSL3_ST_CW_FINISHED_B:
599             if (!s->hit)
600                 dtls1_start_timer(s);
601             ret = ssl3_send_finished(s,
602                                      SSL3_ST_CW_FINISHED_A,
603                                      SSL3_ST_CW_FINISHED_B,
604                                      s->method->
605                                      ssl3_enc->client_finished_label,
606                                      s->method->
607                                      ssl3_enc->client_finished_label_len);
608             if (ret <= 0)
609                 goto end;
610             s->state = SSL3_ST_CW_FLUSH;
611
612             /* clear flags */
613             s->s3->flags &= ~SSL3_FLAGS_POP_BUFFER;
614             if (s->hit) {
615                 s->s3->tmp.next_state = SSL_ST_OK;
616 #ifndef OPENSSL_NO_SCTP
617                 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
618                     s->d1->next_state = s->s3->tmp.next_state;
619                     s->s3->tmp.next_state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
620                 }
621 #endif
622                 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) {
623                     s->state = SSL_ST_OK;
624 #ifndef OPENSSL_NO_SCTP
625                     if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
626                         s->d1->next_state = SSL_ST_OK;
627                         s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
628                     }
629 #endif
630                     s->s3->flags |= SSL3_FLAGS_POP_BUFFER;
631                     s->s3->delay_buf_pop_ret = 0;
632                 }
633             } else {
634 #ifndef OPENSSL_NO_SCTP
635                 /*
636                  * Change to new shared key of SCTP-Auth, will be ignored if
637                  * no SCTP used.
638                  */
639                 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
640                          0, NULL);
641 #endif
642
643 #ifndef OPENSSL_NO_TLSEXT
644                 /*
645                  * Allow NewSessionTicket if ticket expected
646                  */
647                 if (s->tlsext_ticket_expected)
648                     s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A;
649                 else
650 #endif
651
652                     s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A;
653             }
654             s->init_num = 0;
655             break;
656
657 #ifndef OPENSSL_NO_TLSEXT
658         case SSL3_ST_CR_SESSION_TICKET_A:
659         case SSL3_ST_CR_SESSION_TICKET_B:
660             ret = ssl3_get_new_session_ticket(s);
661             if (ret <= 0)
662                 goto end;
663             s->state = SSL3_ST_CR_FINISHED_A;
664             s->init_num = 0;
665             break;
666
667         case SSL3_ST_CR_CERT_STATUS_A:
668         case SSL3_ST_CR_CERT_STATUS_B:
669             ret = ssl3_get_cert_status(s);
670             if (ret <= 0)
671                 goto end;
672             s->state = SSL3_ST_CR_KEY_EXCH_A;
673             s->init_num = 0;
674             break;
675 #endif
676
677         case SSL3_ST_CR_FINISHED_A:
678         case SSL3_ST_CR_FINISHED_B:
679             s->d1->change_cipher_spec_ok = 1;
680             ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A,
681                                     SSL3_ST_CR_FINISHED_B);
682             if (ret <= 0)
683                 goto end;
684             dtls1_stop_timer(s);
685
686             if (s->hit)
687                 s->state = SSL3_ST_CW_CHANGE_A;
688             else
689                 s->state = SSL_ST_OK;
690
691 #ifndef OPENSSL_NO_SCTP
692             if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
693                 state == SSL_ST_RENEGOTIATE) {
694                 s->d1->next_state = s->state;
695                 s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
696             }
697 #endif
698
699             s->init_num = 0;
700             break;
701
702         case SSL3_ST_CW_FLUSH:
703             s->rwstate = SSL_WRITING;
704             if (BIO_flush(s->wbio) <= 0) {
705                 /*
706                  * If the write error was fatal, stop trying
707                  */
708                 if (!BIO_should_retry(s->wbio)) {
709                     s->rwstate = SSL_NOTHING;
710                     s->state = s->s3->tmp.next_state;
711                 }
712
713                 ret = -1;
714                 goto end;
715             }
716             s->rwstate = SSL_NOTHING;
717             s->state = s->s3->tmp.next_state;
718             break;
719
720         case SSL_ST_OK:
721             /* clean a few things up */
722             ssl3_cleanup_key_block(s);
723
724             /*
725              * If we are not 'joining' the last two packets, remove the
726              * buffering now
727              */
728             if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
729                 ssl_free_wbio_buffer(s);
730             /* else do it later in ssl3_write */
731
732             s->init_num = 0;
733             s->renegotiate = 0;
734             s->new_session = 0;
735
736             ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
737             if (s->hit)
738                 s->ctx->stats.sess_hit++;
739
740             ret = 1;
741             /* s->server=0; */
742             s->handshake_func = dtls1_connect;
743             s->ctx->stats.sess_connect_good++;
744
745             if (cb != NULL)
746                 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
747
748             /* done with handshaking */
749             s->d1->handshake_read_seq = 0;
750             s->d1->next_handshake_write_seq = 0;
751             goto end;
752             /* break; */
753
754         case SSL_ST_ERR:
755         default:
756             SSLerr(SSL_F_DTLS1_CONNECT, SSL_R_UNKNOWN_STATE);
757             ret = -1;
758             goto end;
759             /* break; */
760         }
761
762         /* did we do anything */
763         if (!s->s3->tmp.reuse_message && !skip) {
764             if (s->debug) {
765                 if ((ret = BIO_flush(s->wbio)) <= 0)
766                     goto end;
767             }
768
769             if ((cb != NULL) && (s->state != state)) {
770                 new_state = s->state;
771                 s->state = state;
772                 cb(s, SSL_CB_CONNECT_LOOP, 1);
773                 s->state = new_state;
774             }
775         }
776         skip = 0;
777     }
778  end:
779     s->in_handshake--;
780
781 #ifndef OPENSSL_NO_SCTP
782     /*
783      * Notify SCTP BIO socket to leave handshake mode and allow stream
784      * identifier other than 0. Will be ignored if no SCTP is used.
785      */
786     BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
787              s->in_handshake, NULL);
788 #endif
789
790     BUF_MEM_free(buf);
791     if (cb != NULL)
792         cb(s, SSL_CB_CONNECT_EXIT, ret);
793     return (ret);
794 }
795
796 static int dtls1_get_hello_verify(SSL *s)
797 {
798     int n, al, ok = 0;
799     unsigned char *data;
800     unsigned int cookie_len;
801
802     s->first_packet = 1;
803     n = s->method->ssl_get_message(s,
804                                    DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A,
805                                    DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B,
806                                    -1, s->max_cert_list, &ok);
807     s->first_packet = 0;
808
809     if (!ok)
810         return ((int)n);
811
812     if (s->s3->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) {
813         s->d1->send_cookie = 0;
814         s->s3->tmp.reuse_message = 1;
815         return (1);
816     }
817
818     data = (unsigned char *)s->init_msg;
819     data += 2;
820
821     cookie_len = *(data++);
822     if (cookie_len > sizeof(s->d1->cookie)) {
823         al = SSL_AD_ILLEGAL_PARAMETER;
824         goto f_err;
825     }
826
827     memcpy(s->d1->cookie, data, cookie_len);
828     s->d1->cookie_len = cookie_len;
829
830     s->d1->send_cookie = 1;
831     return 1;
832
833  f_err:
834     ssl3_send_alert(s, SSL3_AL_FATAL, al);
835     s->state = SSL_ST_ERR;
836     return -1;
837 }