ef8f25bbe6f2b31c3e49b1d98bf4a924edcfb8ea
[openssl.git] / ssl / d1_clnt.c
1 /* ssl/d1_clnt.c */
2 /*
3  * DTLS implementation written by Nagendra Modadugu
4  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
5  */
6 /* ====================================================================
7  * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  *
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  *
16  * 2. Redistributions in binary form must reproduce the above copyright
17  *    notice, this list of conditions and the following disclaimer in
18  *    the documentation and/or other materials provided with the
19  *    distribution.
20  *
21  * 3. All advertising materials mentioning features or use of this
22  *    software must display the following acknowledgment:
23  *    "This product includes software developed by the OpenSSL Project
24  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25  *
26  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27  *    endorse or promote products derived from this software without
28  *    prior written permission. For written permission, please contact
29  *    openssl-core@OpenSSL.org.
30  *
31  * 5. Products derived from this software may not be called "OpenSSL"
32  *    nor may "OpenSSL" appear in their names without prior written
33  *    permission of the OpenSSL Project.
34  *
35  * 6. Redistributions of any form whatsoever must retain the following
36  *    acknowledgment:
37  *    "This product includes software developed by the OpenSSL Project
38  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
44  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51  * OF THE POSSIBILITY OF SUCH DAMAGE.
52  * ====================================================================
53  *
54  * This product includes cryptographic software written by Eric Young
55  * (eay@cryptsoft.com).  This product includes software written by Tim
56  * Hudson (tjh@cryptsoft.com).
57  *
58  */
59 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
60  * All rights reserved.
61  *
62  * This package is an SSL implementation written
63  * by Eric Young (eay@cryptsoft.com).
64  * The implementation was written so as to conform with Netscapes SSL.
65  *
66  * This library is free for commercial and non-commercial use as long as
67  * the following conditions are aheared to.  The following conditions
68  * apply to all code found in this distribution, be it the RC4, RSA,
69  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
70  * included with this distribution is covered by the same copyright terms
71  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
72  *
73  * Copyright remains Eric Young's, and as such any Copyright notices in
74  * the code are not to be removed.
75  * If this package is used in a product, Eric Young should be given attribution
76  * as the author of the parts of the library used.
77  * This can be in the form of a textual message at program startup or
78  * in documentation (online or textual) provided with the package.
79  *
80  * Redistribution and use in source and binary forms, with or without
81  * modification, are permitted provided that the following conditions
82  * are met:
83  * 1. Redistributions of source code must retain the copyright
84  *    notice, this list of conditions and the following disclaimer.
85  * 2. Redistributions in binary form must reproduce the above copyright
86  *    notice, this list of conditions and the following disclaimer in the
87  *    documentation and/or other materials provided with the distribution.
88  * 3. All advertising materials mentioning features or use of this software
89  *    must display the following acknowledgement:
90  *    "This product includes cryptographic software written by
91  *     Eric Young (eay@cryptsoft.com)"
92  *    The word 'cryptographic' can be left out if the rouines from the library
93  *    being used are not cryptographic related :-).
94  * 4. If you include any Windows specific code (or a derivative thereof) from
95  *    the apps directory (application code) you must include an acknowledgement:
96  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
97  *
98  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
99  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
100  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
101  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
102  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
103  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
104  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
105  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
106  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
107  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
108  * SUCH DAMAGE.
109  *
110  * The licence and distribution terms for any publically available version or
111  * derivative of this code cannot be changed.  i.e. this code cannot simply be
112  * copied and put under another distribution licence
113  * [including the GNU Public Licence.]
114  */
115
116 #include <stdio.h>
117 #include "ssl_locl.h"
118 #include <openssl/buffer.h>
119 #include <openssl/rand.h>
120 #include <openssl/objects.h>
121 #include <openssl/evp.h>
122 #include <openssl/md5.h>
123 #include <openssl/bn.h>
124 #ifndef OPENSSL_NO_DH
125 # include <openssl/dh.h>
126 #endif
127
128 static const SSL_METHOD *dtls1_get_client_method(int ver);
129 #if 0
130 static int dtls1_get_hello_verify(SSL *s);
131 #endif
132
133 static const SSL_METHOD *dtls1_get_client_method(int ver)
134 {
135     if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
136         return (DTLSv1_client_method());
137     else if (ver == DTLS1_2_VERSION)
138         return (DTLSv1_2_client_method());
139     else
140         return (NULL);
141 }
142
143 IMPLEMENT_dtls1_meth_func(DTLS1_VERSION,
144                           DTLSv1_client_method,
145                           ssl_undefined_function,
146                           dtls1_connect,
147                           dtls1_get_client_method, DTLSv1_enc_data)
148
149     IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION,
150                           DTLSv1_2_client_method,
151                           ssl_undefined_function,
152                           dtls1_connect,
153                           dtls1_get_client_method, DTLSv1_2_enc_data)
154
155     IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION,
156                           DTLS_client_method,
157                           ssl_undefined_function,
158                           dtls1_connect,
159                           dtls1_get_client_method, DTLSv1_2_enc_data)
160
161 #if 0
162 int dtls1_connect(SSL *s)
163 {
164     BUF_MEM *buf = NULL;
165     unsigned long Time = (unsigned long)time(NULL);
166     void (*cb) (const SSL *ssl, int type, int val) = NULL;
167     int ret = -1;
168     int new_state, state, skip = 0;
169 #ifndef OPENSSL_NO_SCTP
170     unsigned char sctpauthkey[64];
171     char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
172 #endif
173
174     RAND_add(&Time, sizeof(Time), 0);
175     ERR_clear_error();
176     clear_sys_error();
177
178     if (s->info_callback != NULL)
179         cb = s->info_callback;
180     else if (s->ctx->info_callback != NULL)
181         cb = s->ctx->info_callback;
182
183     s->in_handshake++;
184     if (!SSL_in_init(s) || SSL_in_before(s)) {
185         if (!SSL_clear(s))
186             return -1;
187     }
188
189 #ifndef OPENSSL_NO_SCTP
190     /*
191      * Notify SCTP BIO socket to enter handshake mode and prevent stream
192      * identifier other than 0. Will be ignored if no SCTP is used.
193      */
194     BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
195              s->in_handshake, NULL);
196 #endif
197
198 #ifndef OPENSSL_NO_HEARTBEATS
199     /*
200      * If we're awaiting a HeartbeatResponse, pretend we already got and
201      * don't await it anymore, because Heartbeats don't make sense during
202      * handshakes anyway.
203      */
204     if (s->tlsext_hb_pending) {
205         dtls1_stop_timer(s);
206         s->tlsext_hb_pending = 0;
207         s->tlsext_hb_seq++;
208     }
209 #endif
210
211     for (;;) {
212         state = s->state;
213
214         switch (s->state) {
215         case SSL_ST_RENEGOTIATE:
216             s->renegotiate = 1;
217             s->state = SSL_ST_CONNECT;
218             s->ctx->stats.sess_connect_renegotiate++;
219             /* break */
220         case SSL_ST_BEFORE:
221         case SSL_ST_CONNECT:
222         case SSL_ST_BEFORE | SSL_ST_CONNECT:
223         case SSL_ST_OK | SSL_ST_CONNECT:
224
225             s->server = 0;
226             if (cb != NULL)
227                 cb(s, SSL_CB_HANDSHAKE_START, 1);
228
229             if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00) &&
230                 (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00)) {
231                 SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR);
232                 ret = -1;
233                 s->state = SSL_ST_ERR;
234                 goto end;
235             }
236
237             /* s->version=SSL3_VERSION; */
238             s->type = SSL_ST_CONNECT;
239
240             if (s->init_buf == NULL) {
241                 if ((buf = BUF_MEM_new()) == NULL) {
242                     ret = -1;
243                     s->state = SSL_ST_ERR;
244                     goto end;
245                 }
246                 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
247                     ret = -1;
248                     s->state = SSL_ST_ERR;
249                     goto end;
250                 }
251                 s->init_buf = buf;
252                 buf = NULL;
253             }
254
255             if (!ssl3_setup_buffers(s)) {
256                 ret = -1;
257                 s->state = SSL_ST_ERR;
258                 goto end;
259             }
260
261             /* setup buffing BIO */
262             if (!ssl_init_wbio_buffer(s, 0)) {
263                 ret = -1;
264                 s->state = SSL_ST_ERR;
265                 goto end;
266             }
267
268             /* don't push the buffering BIO quite yet */
269
270             s->state = SSL3_ST_CW_CLNT_HELLO_A;
271             s->ctx->stats.sess_connect++;
272             s->init_num = 0;
273             /* mark client_random uninitialized */
274             memset(s->s3->client_random, 0, sizeof(s->s3->client_random));
275             s->d1->send_cookie = 0;
276             s->hit = 0;
277             /*
278              * Should have been reset by ssl3_get_finished, too.
279              */
280             s->s3->change_cipher_spec = 0;
281             break;
282
283 #ifndef OPENSSL_NO_SCTP
284         case DTLS1_SCTP_ST_CR_READ_SOCK:
285
286             if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
287                 s->s3->in_read_app_data = 2;
288                 s->rwstate = SSL_READING;
289                 BIO_clear_retry_flags(SSL_get_rbio(s));
290                 BIO_set_retry_read(SSL_get_rbio(s));
291                 ret = -1;
292                 goto end;
293             }
294
295             s->state = s->s3->tmp.next_state;
296             break;
297
298         case DTLS1_SCTP_ST_CW_WRITE_SOCK:
299             /* read app data until dry event */
300
301             ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
302             if (ret < 0)
303                 goto end;
304
305             if (ret == 0) {
306                 s->s3->in_read_app_data = 2;
307                 s->rwstate = SSL_READING;
308                 BIO_clear_retry_flags(SSL_get_rbio(s));
309                 BIO_set_retry_read(SSL_get_rbio(s));
310                 ret = -1;
311                 goto end;
312             }
313
314             s->state = s->d1->next_state;
315             break;
316 #endif
317
318         case SSL3_ST_CW_CLNT_HELLO_A:
319         case SSL3_ST_CW_CLNT_HELLO_B:
320
321             s->shutdown = 0;
322
323             /* every DTLS ClientHello resets Finished MAC */
324             ssl3_init_finished_mac(s);
325
326             dtls1_start_timer(s);
327             ret = ssl3_client_hello(s);
328             if (ret <= 0)
329                 goto end;
330
331             if (s->d1->send_cookie) {
332                 s->state = SSL3_ST_CW_FLUSH;
333                 s->s3->tmp.next_state = SSL3_ST_CR_SRVR_HELLO_A;
334             } else
335                 s->state = SSL3_ST_CR_SRVR_HELLO_A;
336
337             s->init_num = 0;
338
339 #ifndef OPENSSL_NO_SCTP
340             /* Disable buffering for SCTP */
341             if (!BIO_dgram_is_sctp(SSL_get_wbio(s))) {
342 #endif
343                 /*
344                  * turn on buffering for the next lot of output
345                  */
346                 if (s->bbio != s->wbio)
347                     s->wbio = BIO_push(s->bbio, s->wbio);
348 #ifndef OPENSSL_NO_SCTP
349             }
350 #endif
351
352             break;
353
354         case SSL3_ST_CR_SRVR_HELLO_A:
355         case SSL3_ST_CR_SRVR_HELLO_B:
356             ret = ssl3_get_server_hello(s);
357             if (ret <= 0)
358                 goto end;
359             else {
360                 if (s->hit) {
361 #ifndef OPENSSL_NO_SCTP
362                     /*
363                      * Add new shared key for SCTP-Auth, will be ignored if
364                      * no SCTP used.
365                      */
366                     snprintf((char *)labelbuffer,
367                              sizeof(DTLS1_SCTP_AUTH_LABEL),
368                              DTLS1_SCTP_AUTH_LABEL);
369
370                     if (SSL_export_keying_material(s, sctpauthkey,
371                                                sizeof(sctpauthkey),
372                                                labelbuffer,
373                                                sizeof(labelbuffer), NULL, 0,
374                                                0) <= 0) {
375                         ret = -1;
376                         s->state = SSL_ST_ERR;
377                         goto end;
378                     }
379
380                     BIO_ctrl(SSL_get_wbio(s),
381                              BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
382                              sizeof(sctpauthkey), sctpauthkey);
383 #endif
384
385                     s->state = SSL3_ST_CR_CHANGE_A;
386                     if (s->tlsext_ticket_expected) {
387                         /* receive renewed session ticket */
388                         s->state = SSL3_ST_CR_SESSION_TICKET_A;
389                     }
390                 } else
391                     s->state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
392             }
393             s->init_num = 0;
394             break;
395
396         case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
397         case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B:
398
399             ret = dtls1_get_hello_verify(s);
400             if (ret <= 0)
401                 goto end;
402             dtls1_stop_timer(s);
403             if (s->d1->send_cookie) /* start again, with a cookie */
404                 s->state = SSL3_ST_CW_CLNT_HELLO_A;
405             else
406                 s->state = SSL3_ST_CR_CERT_A;
407             s->init_num = 0;
408             break;
409
410         case SSL3_ST_CR_CERT_A:
411         case SSL3_ST_CR_CERT_B:
412             /* Check if it is anon DH or PSK */
413             if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
414                 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
415                 ret = ssl3_get_server_certificate(s);
416                 if (ret <= 0)
417                     goto end;
418
419                 if (s->tlsext_status_expected)
420                     s->state = SSL3_ST_CR_CERT_STATUS_A;
421                 else
422                     s->state = SSL3_ST_CR_KEY_EXCH_A;
423             } else {
424                 skip = 1;
425                 s->state = SSL3_ST_CR_KEY_EXCH_A;
426             }
427
428             s->init_num = 0;
429             break;
430
431         case SSL3_ST_CR_KEY_EXCH_A:
432         case SSL3_ST_CR_KEY_EXCH_B:
433             ret = ssl3_get_key_exchange(s);
434             if (ret <= 0)
435                 goto end;
436             s->state = SSL3_ST_CR_CERT_REQ_A;
437             s->init_num = 0;
438
439             /*
440              * at this point we check that we have the required stuff from
441              * the server
442              */
443             if (!ssl3_check_cert_and_algorithm(s)) {
444                 ret = -1;
445                 s->state = SSL_ST_ERR;
446                 goto end;
447             }
448             break;
449
450         case SSL3_ST_CR_CERT_REQ_A:
451         case SSL3_ST_CR_CERT_REQ_B:
452             ret = ssl3_get_certificate_request(s);
453             if (ret <= 0)
454                 goto end;
455             s->state = SSL3_ST_CR_SRVR_DONE_A;
456             s->init_num = 0;
457             break;
458
459         case SSL3_ST_CR_SRVR_DONE_A:
460         case SSL3_ST_CR_SRVR_DONE_B:
461             ret = ssl3_get_server_done(s);
462             if (ret <= 0)
463                 goto end;
464             dtls1_stop_timer(s);
465             if (s->s3->tmp.cert_req)
466                 s->s3->tmp.next_state = SSL3_ST_CW_CERT_A;
467             else
468                 s->s3->tmp.next_state = SSL3_ST_CW_KEY_EXCH_A;
469             s->init_num = 0;
470
471 #ifndef OPENSSL_NO_SCTP
472             if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
473                 state == SSL_ST_RENEGOTIATE)
474                 s->state = DTLS1_SCTP_ST_CR_READ_SOCK;
475             else
476 #endif
477                 s->state = s->s3->tmp.next_state;
478             break;
479
480         case SSL3_ST_CW_CERT_A:
481         case SSL3_ST_CW_CERT_B:
482         case SSL3_ST_CW_CERT_C:
483         case SSL3_ST_CW_CERT_D:
484             dtls1_start_timer(s);
485             ret = ssl3_send_client_certificate(s);
486             if (ret <= 0)
487                 goto end;
488             s->state = SSL3_ST_CW_KEY_EXCH_A;
489             s->init_num = 0;
490             break;
491
492         case SSL3_ST_CW_KEY_EXCH_A:
493         case SSL3_ST_CW_KEY_EXCH_B:
494             dtls1_start_timer(s);
495             ret = ssl3_send_client_key_exchange(s);
496             if (ret <= 0)
497                 goto end;
498
499 #ifndef OPENSSL_NO_SCTP
500             /*
501              * Add new shared key for SCTP-Auth, will be ignored if no SCTP
502              * used.
503              */
504             snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
505                      DTLS1_SCTP_AUTH_LABEL);
506
507             if (SSL_export_keying_material(s, sctpauthkey,
508                                        sizeof(sctpauthkey), labelbuffer,
509                                        sizeof(labelbuffer), NULL, 0, 0) <= 0) {
510                 ret = -1;
511                 s->state = SSL_ST_ERR;
512                 goto end;
513             }
514
515             BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
516                      sizeof(sctpauthkey), sctpauthkey);
517 #endif
518
519             /*
520              * EAY EAY EAY need to check for DH fix cert sent back
521              */
522             /*
523              * For TLS, cert_req is set to 2, so a cert chain of nothing is
524              * sent, but no verify packet is sent
525              */
526             if (s->s3->tmp.cert_req == 1) {
527                 s->state = SSL3_ST_CW_CERT_VRFY_A;
528             } else {
529 #ifndef OPENSSL_NO_SCTP
530                 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
531                     s->d1->next_state = SSL3_ST_CW_CHANGE_A;
532                     s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
533                 } else
534 #endif
535                     s->state = SSL3_ST_CW_CHANGE_A;
536             }
537
538             s->init_num = 0;
539             break;
540
541         case SSL3_ST_CW_CERT_VRFY_A:
542         case SSL3_ST_CW_CERT_VRFY_B:
543             dtls1_start_timer(s);
544             ret = ssl3_send_client_verify(s);
545             if (ret <= 0)
546                 goto end;
547 #ifndef OPENSSL_NO_SCTP
548             if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
549                 s->d1->next_state = SSL3_ST_CW_CHANGE_A;
550                 s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
551             } else
552 #endif
553                 s->state = SSL3_ST_CW_CHANGE_A;
554             s->init_num = 0;
555             break;
556
557         case SSL3_ST_CW_CHANGE_A:
558         case SSL3_ST_CW_CHANGE_B:
559             if (!s->hit)
560                 dtls1_start_timer(s);
561             ret = dtls1_send_change_cipher_spec(s,
562                                                 SSL3_ST_CW_CHANGE_A,
563                                                 SSL3_ST_CW_CHANGE_B);
564             if (ret <= 0)
565                 goto end;
566
567             s->state = SSL3_ST_CW_FINISHED_A;
568             s->init_num = 0;
569
570             s->session->cipher = s->s3->tmp.new_cipher;
571 #ifdef OPENSSL_NO_COMP
572             s->session->compress_meth = 0;
573 #else
574             if (s->s3->tmp.new_compression == NULL)
575                 s->session->compress_meth = 0;
576             else
577                 s->session->compress_meth = s->s3->tmp.new_compression->id;
578 #endif
579             if (!s->method->ssl3_enc->setup_key_block(s)) {
580                 ret = -1;
581                 s->state = SSL_ST_ERR;
582                 goto end;
583             }
584
585             if (!s->method->ssl3_enc->change_cipher_state(s,
586                                                           SSL3_CHANGE_CIPHER_CLIENT_WRITE))
587             {
588                 ret = -1;
589                 s->state = SSL_ST_ERR;
590                 goto end;
591             }
592 #ifndef OPENSSL_NO_SCTP
593             if (s->hit) {
594                 /*
595                  * Change to new shared key of SCTP-Auth, will be ignored if
596                  * no SCTP used.
597                  */
598                 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
599                          0, NULL);
600             }
601 #endif
602
603             dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
604             break;
605
606         case SSL3_ST_CW_FINISHED_A:
607         case SSL3_ST_CW_FINISHED_B:
608             if (!s->hit)
609                 dtls1_start_timer(s);
610             ret = ssl3_send_finished(s,
611                                      SSL3_ST_CW_FINISHED_A,
612                                      SSL3_ST_CW_FINISHED_B,
613                                      s->method->
614                                      ssl3_enc->client_finished_label,
615                                      s->method->
616                                      ssl3_enc->client_finished_label_len);
617             if (ret <= 0)
618                 goto end;
619             s->state = SSL3_ST_CW_FLUSH;
620
621             if (s->hit) {
622                 s->s3->tmp.next_state = SSL_ST_OK;
623 #ifndef OPENSSL_NO_SCTP
624                 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
625                     s->d1->next_state = s->s3->tmp.next_state;
626                     s->s3->tmp.next_state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
627                 }
628 #endif
629             } else {
630 #ifndef OPENSSL_NO_SCTP
631                 /*
632                  * Change to new shared key of SCTP-Auth, will be ignored if
633                  * no SCTP used.
634                  */
635                 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
636                          0, NULL);
637 #endif
638
639                 /*
640                  * Allow NewSessionTicket if ticket expected
641                  */
642                 if (s->tlsext_ticket_expected)
643                     s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A;
644                 else
645                     s->s3->tmp.next_state = SSL3_ST_CR_CHANGE_A;
646             }
647             s->init_num = 0;
648             break;
649
650         case SSL3_ST_CR_SESSION_TICKET_A:
651         case SSL3_ST_CR_SESSION_TICKET_B:
652             ret = ssl3_get_new_session_ticket(s);
653             if (ret <= 0)
654                 goto end;
655             s->state = SSL3_ST_CR_CHANGE_A;
656             s->init_num = 0;
657             break;
658
659         case SSL3_ST_CR_CERT_STATUS_A:
660         case SSL3_ST_CR_CERT_STATUS_B:
661             ret = ssl3_get_cert_status(s);
662             if (ret <= 0)
663                 goto end;
664             s->state = SSL3_ST_CR_KEY_EXCH_A;
665             s->init_num = 0;
666             break;
667
668         case SSL3_ST_CR_CHANGE_A:
669         case SSL3_ST_CR_CHANGE_B:
670             ret = ssl3_get_change_cipher_spec(s, SSL3_ST_CR_CHANGE_A,
671                                               SSL3_ST_CR_CHANGE_B);
672             if (ret <= 0)
673                 goto end;
674
675             s->state = SSL3_ST_CR_FINISHED_A;
676             s->init_num = 0;
677             break;
678
679         case SSL3_ST_CR_FINISHED_A:
680         case SSL3_ST_CR_FINISHED_B:
681             ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A,
682                                     SSL3_ST_CR_FINISHED_B);
683             if (ret <= 0)
684                 goto end;
685             dtls1_stop_timer(s);
686
687             if (s->hit)
688                 s->state = SSL3_ST_CW_CHANGE_A;
689             else
690                 s->state = SSL_ST_OK;
691
692 #ifndef OPENSSL_NO_SCTP
693             if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
694                 state == SSL_ST_RENEGOTIATE) {
695                 s->d1->next_state = s->state;
696                 s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
697             }
698 #endif
699
700             s->init_num = 0;
701             break;
702
703         case SSL3_ST_CW_FLUSH:
704             s->rwstate = SSL_WRITING;
705             if (BIO_flush(s->wbio) <= 0) {
706                 /*
707                  * If the write error was fatal, stop trying
708                  */
709                 if (!BIO_should_retry(s->wbio)) {
710                     s->rwstate = SSL_NOTHING;
711                     s->state = s->s3->tmp.next_state;
712                 }
713
714                 ret = -1;
715                 goto end;
716             }
717             s->rwstate = SSL_NOTHING;
718             s->state = s->s3->tmp.next_state;
719             break;
720
721         case SSL_ST_OK:
722             /* clean a few things up */
723             ssl3_cleanup_key_block(s);
724
725             /* Remove the buffering */
726             ssl_free_wbio_buffer(s);
727
728             s->init_num = 0;
729             s->renegotiate = 0;
730             s->new_session = 0;
731
732             ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
733             if (s->hit)
734                 s->ctx->stats.sess_hit++;
735
736             ret = 1;
737             /* s->server=0; */
738             s->handshake_func = dtls1_connect;
739             s->ctx->stats.sess_connect_good++;
740
741             if (cb != NULL)
742                 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
743
744             /* done with handshaking */
745             s->d1->handshake_read_seq = 0;
746             s->d1->next_handshake_write_seq = 0;
747             goto end;
748             /* break; */
749
750         case SSL_ST_ERR:
751         default:
752             SSLerr(SSL_F_DTLS1_CONNECT, SSL_R_UNKNOWN_STATE);
753             ret = -1;
754             goto end;
755             /* break; */
756         }
757
758         /* did we do anything */
759         if (!s->s3->tmp.reuse_message && !skip) {
760             if (s->debug) {
761                 if ((ret = BIO_flush(s->wbio)) <= 0)
762                     goto end;
763             }
764
765             if ((cb != NULL) && (s->state != state)) {
766                 new_state = s->state;
767                 s->state = state;
768                 cb(s, SSL_CB_CONNECT_LOOP, 1);
769                 s->state = new_state;
770             }
771         }
772         skip = 0;
773     }
774  end:
775     s->in_handshake--;
776
777 #ifndef OPENSSL_NO_SCTP
778     /*
779      * Notify SCTP BIO socket to leave handshake mode and allow stream
780      * identifier other than 0. Will be ignored if no SCTP is used.
781      */
782     BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
783              s->in_handshake, NULL);
784 #endif
785
786     BUF_MEM_free(buf);
787     if (cb != NULL)
788         cb(s, SSL_CB_CONNECT_EXIT, ret);
789     return (ret);
790 }
791 #endif
792
793 #if 0
794 static int dtls1_get_hello_verify(SSL *s)
795 {
796     int n, al, ok = 0;
797     unsigned char *data;
798     unsigned int cookie_len;
799
800     /* TODO: CHECK first_packet handling!!! */
801     s->first_packet = 1;
802     n = s->method->ssl_get_message(s,
803                                    DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A,
804                                    DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B,
805                                    -1, s->max_cert_list, &ok);
806     s->first_packet = 0;
807
808     if (!ok)
809         return ((int)n);
810 }
811 #endif
812
813 enum MSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, unsigned long n)
814 {
815     int al;
816     unsigned char *data;
817     unsigned int cookie_len;
818
819     data = (unsigned char *)s->init_msg;
820     data += 2;
821
822     cookie_len = *(data++);
823     if (cookie_len > sizeof(s->d1->cookie)) {
824         al = SSL_AD_ILLEGAL_PARAMETER;
825         goto f_err;
826     }
827
828     memcpy(s->d1->cookie, data, cookie_len);
829     s->d1->cookie_len = cookie_len;
830
831     return MSG_PROCESS_FINISHED_READING;
832  f_err:
833     ssl3_send_alert(s, SSL3_AL_FATAL, al);
834     statem_set_error(s);
835     return MSG_PROCESS_ERROR;
836 }