projects / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Validate ClientHello extension field length
[openssl.git] / ssl / d1_srvr.c
1 /* ssl/d1_srvr.c */
2 /*
3  * DTLS implementation written by Nagendra Modadugu
4  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
5  */
6 /* ====================================================================
7  * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  *
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  *
16  * 2. Redistributions in binary form must reproduce the above copyright
17  *    notice, this list of conditions and the following disclaimer in
18  *    the documentation and/or other materials provided with the
19  *    distribution.
20  *
21  * 3. All advertising materials mentioning features or use of this
22  *    software must display the following acknowledgment:
23  *    "This product includes software developed by the OpenSSL Project
24  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25  *
26  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27  *    endorse or promote products derived from this software without
28  *    prior written permission. For written permission, please contact
29  *    openssl-core@OpenSSL.org.
30  *
31  * 5. Products derived from this software may not be called "OpenSSL"
32  *    nor may "OpenSSL" appear in their names without prior written
33  *    permission of the OpenSSL Project.
34  *
35  * 6. Redistributions of any form whatsoever must retain the following
36  *    acknowledgment:
37  *    "This product includes software developed by the OpenSSL Project
38  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
44  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51  * OF THE POSSIBILITY OF SUCH DAMAGE.
52  * ====================================================================
53  *
54  * This product includes cryptographic software written by Eric Young
55  * (eay@cryptsoft.com).  This product includes software written by Tim
56  * Hudson (tjh@cryptsoft.com).
57  *
58  */
59 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
60  * All rights reserved.
61  *
62  * This package is an SSL implementation written
63  * by Eric Young (eay@cryptsoft.com).
64  * The implementation was written so as to conform with Netscapes SSL.
65  *
66  * This library is free for commercial and non-commercial use as long as
67  * the following conditions are aheared to.  The following conditions
68  * apply to all code found in this distribution, be it the RC4, RSA,
69  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
70  * included with this distribution is covered by the same copyright terms
71  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
72  *
73  * Copyright remains Eric Young's, and as such any Copyright notices in
74  * the code are not to be removed.
75  * If this package is used in a product, Eric Young should be given attribution
76  * as the author of the parts of the library used.
77  * This can be in the form of a textual message at program startup or
78  * in documentation (online or textual) provided with the package.
79  *
80  * Redistribution and use in source and binary forms, with or without
81  * modification, are permitted provided that the following conditions
82  * are met:
83  * 1. Redistributions of source code must retain the copyright
84  *    notice, this list of conditions and the following disclaimer.
85  * 2. Redistributions in binary form must reproduce the above copyright
86  *    notice, this list of conditions and the following disclaimer in the
87  *    documentation and/or other materials provided with the distribution.
88  * 3. All advertising materials mentioning features or use of this software
89  *    must display the following acknowledgement:
90  *    "This product includes cryptographic software written by
91  *     Eric Young (eay@cryptsoft.com)"
92  *    The word 'cryptographic' can be left out if the rouines from the library
93  *    being used are not cryptographic related :-).
94  * 4. If you include any Windows specific code (or a derivative thereof) from
95  *    the apps directory (application code) you must include an acknowledgement:
96  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
97  *
98  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
99  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
100  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
101  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
102  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
103  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
104  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
105  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
106  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
107  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
108  * SUCH DAMAGE.
109  *
110  * The licence and distribution terms for any publically available version or
111  * derivative of this code cannot be changed.  i.e. this code cannot simply be
112  * copied and put under another distribution licence
113  * [including the GNU Public Licence.]
114  */
115
116 #include <stdio.h>
117 #include "ssl_locl.h"
118 #include <openssl/buffer.h>
119 #include <openssl/rand.h>
120 #include <openssl/objects.h>
121 #include <openssl/evp.h>
122 #include <openssl/x509.h>
123 #include <openssl/md5.h>
124 #include <openssl/bn.h>
125 #ifndef OPENSSL_NO_DH
126 # include <openssl/dh.h>
127 #endif
128
129 static const SSL_METHOD *dtls1_get_server_method(int ver);
130 static int dtls1_send_hello_verify_request(SSL *s);
131
132 static const SSL_METHOD *dtls1_get_server_method(int ver)
133 {
134     if (ver == DTLS1_VERSION)
135         return (DTLSv1_server_method());
136     else
137         return (NULL);
138 }
139
140 IMPLEMENT_dtls1_meth_func(DTLSv1_server_method,
141                           dtls1_accept,
142                           ssl_undefined_function, dtls1_get_server_method)
143
144 int dtls1_accept(SSL *s)
145 {
146     BUF_MEM *buf;
147     unsigned long Time = (unsigned long)time(NULL);
148     void (*cb) (const SSL *ssl, int type, int val) = NULL;
149     unsigned long alg_k;
150     int ret = -1;
151     int new_state, state, skip = 0;
152     int listen;
153 #ifndef OPENSSL_NO_SCTP
154     unsigned char sctpauthkey[64];
155     char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
156 #endif
157
158     RAND_add(&Time, sizeof(Time), 0);
159     ERR_clear_error();
160     clear_sys_error();
161
162     if (s->info_callback != NULL)
163         cb = s->info_callback;
164     else if (s->ctx->info_callback != NULL)
165         cb = s->ctx->info_callback;
166
167     listen = s->d1->listen;
168
169     /* init things to blank */
170     s->in_handshake++;
171     if (!SSL_in_init(s) || SSL_in_before(s))
172         SSL_clear(s);
173
174     s->d1->listen = listen;
175 #ifndef OPENSSL_NO_SCTP
176     /*
177      * Notify SCTP BIO socket to enter handshake mode and prevent stream
178      * identifier other than 0. Will be ignored if no SCTP is used.
179      */
180     BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
181              s->in_handshake, NULL);
182 #endif
183
184     if (s->cert == NULL) {
185         SSLerr(SSL_F_DTLS1_ACCEPT, SSL_R_NO_CERTIFICATE_SET);
186         return (-1);
187     }
188 #ifndef OPENSSL_NO_HEARTBEATS
189     /*
190      * If we're awaiting a HeartbeatResponse, pretend we already got and
191      * don't await it anymore, because Heartbeats don't make sense during
192      * handshakes anyway.
193      */
194     if (s->tlsext_hb_pending) {
195         dtls1_stop_timer(s);
196         s->tlsext_hb_pending = 0;
197         s->tlsext_hb_seq++;
198     }
199 #endif
200
201     for (;;) {
202         state = s->state;
203
204         switch (s->state) {
205         case SSL_ST_RENEGOTIATE:
206             s->renegotiate = 1;
207             /* s->state=SSL_ST_ACCEPT; */
208
209         case SSL_ST_BEFORE:
210         case SSL_ST_ACCEPT:
211         case SSL_ST_BEFORE | SSL_ST_ACCEPT:
212         case SSL_ST_OK | SSL_ST_ACCEPT:
213
214             s->server = 1;
215             if (cb != NULL)
216                 cb(s, SSL_CB_HANDSHAKE_START, 1);
217
218             if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) {
219                 SSLerr(SSL_F_DTLS1_ACCEPT, ERR_R_INTERNAL_ERROR);
220                 return -1;
221             }
222             s->type = SSL_ST_ACCEPT;
223
224             if (s->init_buf == NULL) {
225                 if ((buf = BUF_MEM_new()) == NULL) {
226                     ret = -1;
227                     s->state = SSL_ST_ERR;
228                     goto end;
229                 }
230                 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
231                     BUF_MEM_free(buf);
232                     ret = -1;
233                     s->state = SSL_ST_ERR;
234                     goto end;
235                 }
236                 s->init_buf = buf;
237             }
238
239             if (!ssl3_setup_buffers(s)) {
240                 ret = -1;
241                 s->state = SSL_ST_ERR;
242                 goto end;
243             }
244
245             s->init_num = 0;
246             s->d1->change_cipher_spec_ok = 0;
247             /*
248              * Should have been reset by ssl3_get_finished, too.
249              */
250             s->s3->change_cipher_spec = 0;
251
252             if (s->state != SSL_ST_RENEGOTIATE) {
253                 /*
254                  * Ok, we now need to push on a buffering BIO so that the
255                  * output is sent in a way that TCP likes :-) ...but not with
256                  * SCTP :-)
257                  */
258 #ifndef OPENSSL_NO_SCTP
259                 if (!BIO_dgram_is_sctp(SSL_get_wbio(s)))
260 #endif
261                     if (!ssl_init_wbio_buffer(s, 1)) {
262                         ret = -1;
263                         s->state = SSL_ST_ERR;
264                         goto end;
265                     }
266
267                 ssl3_init_finished_mac(s);
268                 s->state = SSL3_ST_SR_CLNT_HELLO_A;
269                 s->ctx->stats.sess_accept++;
270             } else {
271                 /*
272                  * s->state == SSL_ST_RENEGOTIATE, we will just send a
273                  * HelloRequest
274                  */
275                 s->ctx->stats.sess_accept_renegotiate++;
276                 s->state = SSL3_ST_SW_HELLO_REQ_A;
277             }
278
279             break;
280
281         case SSL3_ST_SW_HELLO_REQ_A:
282         case SSL3_ST_SW_HELLO_REQ_B:
283
284             s->shutdown = 0;
285             dtls1_clear_record_buffer(s);
286             dtls1_start_timer(s);
287             ret = dtls1_send_hello_request(s);
288             if (ret <= 0)
289                 goto end;
290             s->s3->tmp.next_state = SSL3_ST_SR_CLNT_HELLO_A;
291             s->state = SSL3_ST_SW_FLUSH;
292             s->init_num = 0;
293
294             ssl3_init_finished_mac(s);
295             break;
296
297         case SSL3_ST_SW_HELLO_REQ_C:
298             s->state = SSL_ST_OK;
299             break;
300
301         case SSL3_ST_SR_CLNT_HELLO_A:
302         case SSL3_ST_SR_CLNT_HELLO_B:
303         case SSL3_ST_SR_CLNT_HELLO_C:
304
305             s->shutdown = 0;
306             ret = ssl3_get_client_hello(s);
307             if (ret <= 0)
308                 goto end;
309             dtls1_stop_timer(s);
310
311             if (ret == 1 && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
312                 s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
313             else
314                 s->state = SSL3_ST_SW_SRVR_HELLO_A;
315
316             s->init_num = 0;
317
318             /*
319              * Reflect ClientHello sequence to remain stateless while
320              * listening
321              */
322             if (listen) {
323                 memcpy(s->s3->write_sequence, s->s3->read_sequence,
324                        sizeof(s->s3->write_sequence));
325             }
326
327             /* If we're just listening, stop here */
328             if (listen && s->state == SSL3_ST_SW_SRVR_HELLO_A) {
329                 ret = 2;
330                 s->d1->listen = 0;
331                 /*
332                  * Set expected sequence numbers to continue the handshake.
333                  */
334                 s->d1->handshake_read_seq = 2;
335                 s->d1->handshake_write_seq = 1;
336                 s->d1->next_handshake_write_seq = 1;
337                 goto end;
338             }
339
340             break;
341
342         case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
343         case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
344
345             ret = dtls1_send_hello_verify_request(s);
346             if (ret <= 0)
347                 goto end;
348             s->state = SSL3_ST_SW_FLUSH;
349             s->s3->tmp.next_state = SSL3_ST_SR_CLNT_HELLO_A;
350
351             /* HelloVerifyRequest resets Finished MAC */
352             if (s->version != DTLS1_BAD_VER)
353                 ssl3_init_finished_mac(s);
354             break;
355
356 #ifndef OPENSSL_NO_SCTP
357         case DTLS1_SCTP_ST_SR_READ_SOCK:
358
359             if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
360                 s->s3->in_read_app_data = 2;
361                 s->rwstate = SSL_READING;
362                 BIO_clear_retry_flags(SSL_get_rbio(s));
363                 BIO_set_retry_read(SSL_get_rbio(s));
364                 ret = -1;
365                 goto end;
366             }
367
368             s->state = SSL3_ST_SR_FINISHED_A;
369             break;
370
371         case DTLS1_SCTP_ST_SW_WRITE_SOCK:
372             ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
373             if (ret < 0)
374                 goto end;
375
376             if (ret == 0) {
377                 if (s->d1->next_state != SSL_ST_OK) {
378                     s->s3->in_read_app_data = 2;
379                     s->rwstate = SSL_READING;
380                     BIO_clear_retry_flags(SSL_get_rbio(s));
381                     BIO_set_retry_read(SSL_get_rbio(s));
382                     ret = -1;
383                     goto end;
384                 }
385             }
386
387             s->state = s->d1->next_state;
388             break;
389 #endif
390
391         case SSL3_ST_SW_SRVR_HELLO_A:
392         case SSL3_ST_SW_SRVR_HELLO_B:
393             s->renegotiate = 2;
394             dtls1_start_timer(s);
395             ret = dtls1_send_server_hello(s);
396             if (ret <= 0)
397                 goto end;
398
399             if (s->hit) {
400 #ifndef OPENSSL_NO_SCTP
401                 /*
402                  * Add new shared key for SCTP-Auth, will be ignored if no
403                  * SCTP used.
404                  */
405                 snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
406                          DTLS1_SCTP_AUTH_LABEL);
407
408                 if (SSL_export_keying_material(s, sctpauthkey,
409                         sizeof(sctpauthkey), labelbuffer,
410                         sizeof(labelbuffer), NULL, 0, 0) <= 0) {
411                     ret = -1;
412                     s->state = SSL_ST_ERR;
413                     goto end;
414                 }
415
416                 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
417                          sizeof(sctpauthkey), sctpauthkey);
418 #endif
419 #ifndef OPENSSL_NO_TLSEXT
420                 if (s->tlsext_ticket_expected)
421                     s->state = SSL3_ST_SW_SESSION_TICKET_A;
422                 else
423                     s->state = SSL3_ST_SW_CHANGE_A;
424 #else
425                 s->state = SSL3_ST_SW_CHANGE_A;
426 #endif
427             } else
428                 s->state = SSL3_ST_SW_CERT_A;
429             s->init_num = 0;
430             break;
431
432         case SSL3_ST_SW_CERT_A:
433         case SSL3_ST_SW_CERT_B:
434             /* Check if it is anon DH or normal PSK */
435             if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
436                 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
437                 dtls1_start_timer(s);
438                 ret = dtls1_send_server_certificate(s);
439                 if (ret <= 0)
440                     goto end;
441 #ifndef OPENSSL_NO_TLSEXT
442                 if (s->tlsext_status_expected)
443                     s->state = SSL3_ST_SW_CERT_STATUS_A;
444                 else
445                     s->state = SSL3_ST_SW_KEY_EXCH_A;
446             } else {
447                 skip = 1;
448                 s->state = SSL3_ST_SW_KEY_EXCH_A;
449             }
450 #else
451             } else
452                 skip = 1;
453
454             s->state = SSL3_ST_SW_KEY_EXCH_A;
455 #endif
456             s->init_num = 0;
457             break;
458
459         case SSL3_ST_SW_KEY_EXCH_A:
460         case SSL3_ST_SW_KEY_EXCH_B:
461             alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
462
463             /*
464              * clear this, it may get reset by
465              * send_server_key_exchange
466              */
467             s->s3->tmp.use_rsa_tmp = 0;
468
469             /*
470              * only send if a DH key exchange or RSA but we have a sign only
471              * certificate
472              */
473             if (0
474                 /*
475                  * PSK: send ServerKeyExchange if PSK identity hint if
476                  * provided
477                  */
478 #ifndef OPENSSL_NO_PSK
479                 || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
480 #endif
481                 || (alg_k & SSL_kEDH)
482                 || (alg_k & SSL_kEECDH)
483                 || ((alg_k & SSL_kRSA)
484                     && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
485                         || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
486                             && EVP_PKEY_size(s->cert->pkeys
487                                              [SSL_PKEY_RSA_ENC].privatekey) *
488                             8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
489                         )
490                     )
491                 )
492                 ) {
493                 dtls1_start_timer(s);
494                 ret = dtls1_send_server_key_exchange(s);
495                 if (ret <= 0)
496                     goto end;
497             } else
498                 skip = 1;
499
500             s->state = SSL3_ST_SW_CERT_REQ_A;
501             s->init_num = 0;
502             break;
503
504         case SSL3_ST_SW_CERT_REQ_A:
505         case SSL3_ST_SW_CERT_REQ_B:
506             if (                /* don't request cert unless asked for it: */
507                    !(s->verify_mode & SSL_VERIFY_PEER) ||
508                    /*
509                     * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
510                     * during re-negotiation:
511                     */
512                    ((s->session->peer != NULL) &&
513                     (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
514                    /*
515                     * never request cert in anonymous ciphersuites (see
516                     * section "Certificate request" in SSL 3 drafts and in
517                     * RFC 2246):
518                     */
519                    ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
520                     /*
521                      * ... except when the application insists on
522                      * verification (against the specs, but s3_clnt.c accepts
523                      * this for SSL 3)
524                      */
525                     !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
526                    /*
527                     * never request cert in Kerberos ciphersuites
528                     */
529                    (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
530                    /*
531                     * With normal PSK Certificates and Certificate Requests
532                     * are omitted
533                     */
534                    || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
535                 /* no cert request */
536                 skip = 1;
537                 s->s3->tmp.cert_request = 0;
538                 s->state = SSL3_ST_SW_SRVR_DONE_A;
539 #ifndef OPENSSL_NO_SCTP
540                 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
541                     s->d1->next_state = SSL3_ST_SW_SRVR_DONE_A;
542                     s->state = DTLS1_SCTP_ST_SW_WRITE_SOCK;
543                 }
544 #endif
545             } else {
546                 s->s3->tmp.cert_request = 1;
547                 dtls1_start_timer(s);
548                 ret = dtls1_send_certificate_request(s);
549                 if (ret <= 0)
550                     goto end;
551 #ifndef NETSCAPE_HANG_BUG
552                 s->state = SSL3_ST_SW_SRVR_DONE_A;
553 # ifndef OPENSSL_NO_SCTP
554                 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
555                     s->d1->next_state = SSL3_ST_SW_SRVR_DONE_A;
556                     s->state = DTLS1_SCTP_ST_SW_WRITE_SOCK;
557                 }
558 # endif
559 #else
560                 s->state = SSL3_ST_SW_FLUSH;
561                 s->s3->tmp.next_state = SSL3_ST_SR_CERT_A;
562 # ifndef OPENSSL_NO_SCTP
563                 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
564                     s->d1->next_state = s->s3->tmp.next_state;
565                     s->s3->tmp.next_state = DTLS1_SCTP_ST_SW_WRITE_SOCK;
566                 }
567 # endif
568 #endif
569                 s->init_num = 0;
570             }
571             break;
572
573         case SSL3_ST_SW_SRVR_DONE_A:
574         case SSL3_ST_SW_SRVR_DONE_B:
575             dtls1_start_timer(s);
576             ret = dtls1_send_server_done(s);
577             if (ret <= 0)
578                 goto end;
579             s->s3->tmp.next_state = SSL3_ST_SR_CERT_A;
580             s->state = SSL3_ST_SW_FLUSH;
581             s->init_num = 0;
582             break;
583
584         case SSL3_ST_SW_FLUSH:
585             s->rwstate = SSL_WRITING;
586             if (BIO_flush(s->wbio) <= 0) {
587                 /*
588                  * If the write error was fatal, stop trying
589                  */
590                 if (!BIO_should_retry(s->wbio)) {
591                     s->rwstate = SSL_NOTHING;
592                     s->state = s->s3->tmp.next_state;
593                 }
594
595                 ret = -1;
596                 goto end;
597             }
598             s->rwstate = SSL_NOTHING;
599             s->state = s->s3->tmp.next_state;
600             break;
601
602         case SSL3_ST_SR_CERT_A:
603         case SSL3_ST_SR_CERT_B:
604             /* Check for second client hello (MS SGC) */
605             ret = ssl3_check_client_hello(s);
606             if (ret <= 0)
607                 goto end;
608             if (ret == 2) {
609                 dtls1_stop_timer(s);
610                 s->state = SSL3_ST_SR_CLNT_HELLO_C;
611             } else {
612                 if (s->s3->tmp.cert_request) {
613                     ret = ssl3_get_client_certificate(s);
614                     if (ret <= 0)
615                         goto end;
616                 }
617                 s->init_num = 0;
618                 s->state = SSL3_ST_SR_KEY_EXCH_A;
619             }
620             break;
621
622         case SSL3_ST_SR_KEY_EXCH_A:
623         case SSL3_ST_SR_KEY_EXCH_B:
624             ret = ssl3_get_client_key_exchange(s);
625             if (ret <= 0)
626                 goto end;
627 #ifndef OPENSSL_NO_SCTP
628             /*
629              * Add new shared key for SCTP-Auth, will be ignored if no SCTP
630              * used.
631              */
632             snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
633                      DTLS1_SCTP_AUTH_LABEL);
634
635             if (SSL_export_keying_material(s, sctpauthkey,
636                                        sizeof(sctpauthkey), labelbuffer,
637                                        sizeof(labelbuffer), NULL, 0, 0) <= 0) {
638                 ret = -1;
639                 s->state = SSL_ST_ERR;
640                 goto end;
641             }
642
643             BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
644                      sizeof(sctpauthkey), sctpauthkey);
645 #endif
646
647             s->state = SSL3_ST_SR_CERT_VRFY_A;
648             s->init_num = 0;
649
650             if (ret == 2) {
651                 /*
652                  * For the ECDH ciphersuites when the client sends its ECDH
653                  * pub key in a certificate, the CertificateVerify message is
654                  * not sent.
655                  */
656                 s->state = SSL3_ST_SR_FINISHED_A;
657                 s->init_num = 0;
658             } else {
659                 s->state = SSL3_ST_SR_CERT_VRFY_A;
660                 s->init_num = 0;
661
662                 /*
663                  * We need to get hashes here so if there is a client cert,
664                  * it can be verified
665                  */
666                 s->method->ssl3_enc->cert_verify_mac(s,
667                                                      NID_md5,
668                                                      &(s->s3->
669                                                        tmp.cert_verify_md
670                                                        [0]));
671                 s->method->ssl3_enc->cert_verify_mac(s, NID_sha1,
672                                                      &(s->s3->
673                                                        tmp.cert_verify_md
674                                                        [MD5_DIGEST_LENGTH]));
675             }
676             break;
677
678         case SSL3_ST_SR_CERT_VRFY_A:
679         case SSL3_ST_SR_CERT_VRFY_B:
680             ret = ssl3_get_cert_verify(s);
681             if (ret <= 0)
682                 goto end;
683 #ifndef OPENSSL_NO_SCTP
684             if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
685                 state == SSL_ST_RENEGOTIATE)
686                 s->state = DTLS1_SCTP_ST_SR_READ_SOCK;
687             else
688 #endif
689                 s->state = SSL3_ST_SR_FINISHED_A;
690             s->init_num = 0;
691             break;
692
693         case SSL3_ST_SR_FINISHED_A:
694         case SSL3_ST_SR_FINISHED_B:
695             /*
696              * Enable CCS. Receiving a CCS clears the flag, so make
697              * sure not to re-enable it to ban duplicates. This *should* be the
698              * first time we have received one - but we check anyway to be
699              * cautious.
700              * s->s3->change_cipher_spec is set when a CCS is
701              * processed in d1_pkt.c, and remains set until
702              * the client's Finished message is read.
703              */
704             if (!s->s3->change_cipher_spec)
705                 s->d1->change_cipher_spec_ok = 1;
706             ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A,
707                                     SSL3_ST_SR_FINISHED_B);
708             if (ret <= 0)
709                 goto end;
710             dtls1_stop_timer(s);
711             if (s->hit)
712                 s->state = SSL_ST_OK;
713 #ifndef OPENSSL_NO_TLSEXT
714             else if (s->tlsext_ticket_expected)
715                 s->state = SSL3_ST_SW_SESSION_TICKET_A;
716 #endif
717             else
718                 s->state = SSL3_ST_SW_CHANGE_A;
719             s->init_num = 0;
720             break;
721
722 #ifndef OPENSSL_NO_TLSEXT
723         case SSL3_ST_SW_SESSION_TICKET_A:
724         case SSL3_ST_SW_SESSION_TICKET_B:
725             ret = dtls1_send_newsession_ticket(s);
726             if (ret <= 0)
727                 goto end;
728             s->state = SSL3_ST_SW_CHANGE_A;
729             s->init_num = 0;
730             break;
731
732         case SSL3_ST_SW_CERT_STATUS_A:
733         case SSL3_ST_SW_CERT_STATUS_B:
734             ret = ssl3_send_cert_status(s);
735             if (ret <= 0)
736                 goto end;
737             s->state = SSL3_ST_SW_KEY_EXCH_A;
738             s->init_num = 0;
739             break;
740
741 #endif
742
743         case SSL3_ST_SW_CHANGE_A:
744         case SSL3_ST_SW_CHANGE_B:
745
746             s->session->cipher = s->s3->tmp.new_cipher;
747             if (!s->method->ssl3_enc->setup_key_block(s)) {
748                 ret = -1;
749                 s->state = SSL_ST_ERR;
750                 goto end;
751             }
752
753             ret = dtls1_send_change_cipher_spec(s,
754                                                 SSL3_ST_SW_CHANGE_A,
755                                                 SSL3_ST_SW_CHANGE_B);
756
757             if (ret <= 0)
758                 goto end;
759
760 #ifndef OPENSSL_NO_SCTP
761             if (!s->hit) {
762                 /*
763                  * Change to new shared key of SCTP-Auth, will be ignored if
764                  * no SCTP used.
765                  */
766                 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
767                          0, NULL);
768             }
769 #endif
770
771             s->state = SSL3_ST_SW_FINISHED_A;
772             s->init_num = 0;
773
774             if (!s->method->ssl3_enc->change_cipher_state(s,
775                                                           SSL3_CHANGE_CIPHER_SERVER_WRITE))
776             {
777                 ret = -1;
778                 s->state = SSL_ST_ERR;
779                 goto end;
780             }
781
782             dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
783             break;
784
785         case SSL3_ST_SW_FINISHED_A:
786         case SSL3_ST_SW_FINISHED_B:
787             ret = dtls1_send_finished(s,
788                                       SSL3_ST_SW_FINISHED_A,
789                                       SSL3_ST_SW_FINISHED_B,
790                                       s->method->
791                                       ssl3_enc->server_finished_label,
792                                       s->method->
793                                       ssl3_enc->server_finished_label_len);
794             if (ret <= 0)
795                 goto end;
796             s->state = SSL3_ST_SW_FLUSH;
797             if (s->hit) {
798                 s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A;
799
800 #ifndef OPENSSL_NO_SCTP
801                 /*
802                  * Change to new shared key of SCTP-Auth, will be ignored if
803                  * no SCTP used.
804                  */
805                 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
806                          0, NULL);
807 #endif
808             } else {
809                 s->s3->tmp.next_state = SSL_ST_OK;
810 #ifndef OPENSSL_NO_SCTP
811                 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
812                     s->d1->next_state = s->s3->tmp.next_state;
813                     s->s3->tmp.next_state = DTLS1_SCTP_ST_SW_WRITE_SOCK;
814                 }
815 #endif
816             }
817             s->init_num = 0;
818             break;
819
820         case SSL_ST_OK:
821             /* clean a few things up */
822             ssl3_cleanup_key_block(s);
823
824 #if 0
825             BUF_MEM_free(s->init_buf);
826             s->init_buf = NULL;
827 #endif
828
829             /* remove buffering on output */
830             ssl_free_wbio_buffer(s);
831
832             s->init_num = 0;
833
834             if (s->renegotiate == 2) { /* skipped if we just sent a
835                                         * HelloRequest */
836                 s->renegotiate = 0;
837                 s->new_session = 0;
838
839                 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
840
841                 s->ctx->stats.sess_accept_good++;
842                 /* s->server=1; */
843                 s->handshake_func = dtls1_accept;
844
845                 if (cb != NULL)
846                     cb(s, SSL_CB_HANDSHAKE_DONE, 1);
847             }
848
849             ret = 1;
850
851             /* done handshaking, next message is client hello */
852             s->d1->handshake_read_seq = 0;
853             /* next message is server hello */
854             s->d1->handshake_write_seq = 0;
855             s->d1->next_handshake_write_seq = 0;
856             goto end;
857             /* break; */
858
859         case SSL_ST_ERR:
860         default:
861             SSLerr(SSL_F_DTLS1_ACCEPT, SSL_R_UNKNOWN_STATE);
862             ret = -1;
863             goto end;
864             /* break; */
865         }
866
867         if (!s->s3->tmp.reuse_message && !skip) {
868             if (s->debug) {
869                 if ((ret = BIO_flush(s->wbio)) <= 0)
870                     goto end;
871             }
872
873             if ((cb != NULL) && (s->state != state)) {
874                 new_state = s->state;
875                 s->state = state;
876                 cb(s, SSL_CB_ACCEPT_LOOP, 1);
877                 s->state = new_state;
878             }
879         }
880         skip = 0;
881     }
882  end:
883     /* BIO_flush(s->wbio); */
884
885     s->in_handshake--;
886 #ifndef OPENSSL_NO_SCTP
887     /*
888      * Notify SCTP BIO socket to leave handshake mode and prevent stream
889      * identifier other than 0. Will be ignored if no SCTP is used.
890      */
891     BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
892              s->in_handshake, NULL);
893 #endif
894
895     if (cb != NULL)
896         cb(s, SSL_CB_ACCEPT_EXIT, ret);
897     return (ret);
898 }
899
900 int dtls1_send_hello_request(SSL *s)
901 {
902     unsigned char *p;
903
904     if (s->state == SSL3_ST_SW_HELLO_REQ_A) {
905         p = (unsigned char *)s->init_buf->data;
906         p = dtls1_set_message_header(s, p, SSL3_MT_HELLO_REQUEST, 0, 0, 0);
907
908         s->state = SSL3_ST_SW_HELLO_REQ_B;
909         /* number of bytes to write */
910         s->init_num = DTLS1_HM_HEADER_LENGTH;
911         s->init_off = 0;
912
913         /*
914          * no need to buffer this message, since there are no retransmit
915          * requests for it
916          */
917     }
918
919     /* SSL3_ST_SW_HELLO_REQ_B */
920     return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
921 }
922
923 int dtls1_send_hello_verify_request(SSL *s)
924 {
925     unsigned int msg_len;
926     unsigned char *msg, *buf, *p;
927
928     if (s->state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A) {
929         buf = (unsigned char *)s->init_buf->data;
930
931         msg = p = &(buf[DTLS1_HM_HEADER_LENGTH]);
932         *(p++) = s->version >> 8;
933         *(p++) = s->version & 0xFF;
934
935         if (s->ctx->app_gen_cookie_cb == NULL ||
936             s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
937                                       &(s->d1->cookie_len)) == 0) {
938             SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,
939                    ERR_R_INTERNAL_ERROR);
940             s->state = SSL_ST_ERR;
941             return 0;
942         }
943
944         *(p++) = (unsigned char)s->d1->cookie_len;
945         memcpy(p, s->d1->cookie, s->d1->cookie_len);
946         p += s->d1->cookie_len;
947         msg_len = p - msg;
948
949         dtls1_set_message_header(s, buf,
950                                  DTLS1_MT_HELLO_VERIFY_REQUEST, msg_len, 0,
951                                  msg_len);
952
953         s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B;
954         /* number of bytes to write */
955         s->init_num = p - buf;
956         s->init_off = 0;
957     }
958
959     /* s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */
960     return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
961 }
962
963 int dtls1_send_server_hello(SSL *s)
964 {
965     unsigned char *buf;
966     unsigned char *p, *d;
967     int i;
968     unsigned int sl;
969     unsigned long l;
970
971     if (s->state == SSL3_ST_SW_SRVR_HELLO_A) {
972         buf = (unsigned char *)s->init_buf->data;
973         p = s->s3->server_random;
974         ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE);
975         /* Do the message type and length last */
976         d = p = &(buf[DTLS1_HM_HEADER_LENGTH]);
977
978         *(p++) = s->version >> 8;
979         *(p++) = s->version & 0xff;
980
981         /* Random stuff */
982         memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
983         p += SSL3_RANDOM_SIZE;
984
985         /*
986          * now in theory we have 3 options to sending back the session id.
987          * If it is a re-use, we send back the old session-id, if it is a new
988          * session, we send back the new session-id or we send back a 0
989          * length session-id if we want it to be single use. Currently I will
990          * not implement the '0' length session-id 12-Jan-98 - I'll now
991          * support the '0' length stuff.
992          */
993         if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER))
994             s->session->session_id_length = 0;
995
996         sl = s->session->session_id_length;
997         if (sl > sizeof s->session->session_id) {
998             SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
999             return -1;
1000         }
1001         *(p++) = sl;
1002         memcpy(p, s->session->session_id, sl);
1003         p += sl;
1004
1005         /* put the cipher */
1006         if (s->s3->tmp.new_cipher == NULL)
1007             return -1;
1008         i = ssl3_put_cipher_by_char(s->s3->tmp.new_cipher, p);
1009         p += i;
1010
1011         /* put the compression method */
1012 #ifdef OPENSSL_NO_COMP
1013         *(p++) = 0;
1014 #else
1015         if (s->s3->tmp.new_compression == NULL)
1016             *(p++) = 0;
1017         else
1018             *(p++) = s->s3->tmp.new_compression->id;
1019 #endif
1020
1021 #ifndef OPENSSL_NO_TLSEXT
1022         if (ssl_prepare_serverhello_tlsext(s) <= 0) {
1023             SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT);
1024             return -1;
1025         }
1026         if ((p =
1027              ssl_add_serverhello_tlsext(s, p,
1028                                         buf + SSL3_RT_MAX_PLAIN_LENGTH)) ==
1029             NULL) {
1030             SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
1031             return -1;
1032         }
1033 #endif
1034
1035         /* do the header */
1036         l = (p - d);
1037         d = buf;
1038
1039         d = dtls1_set_message_header(s, d, SSL3_MT_SERVER_HELLO, l, 0, l);
1040
1041         s->state = SSL3_ST_SW_SRVR_HELLO_B;
1042         /* number of bytes to write */
1043         s->init_num = p - buf;
1044         s->init_off = 0;
1045
1046         /* buffer the message to handle re-xmits */
1047         dtls1_buffer_message(s, 0);
1048     }
1049
1050     /* SSL3_ST_SW_SRVR_HELLO_B */
1051     return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
1052 }
1053
1054 int dtls1_send_server_done(SSL *s)
1055 {
1056     unsigned char *p;
1057
1058     if (s->state == SSL3_ST_SW_SRVR_DONE_A) {
1059         p = (unsigned char *)s->init_buf->data;
1060
1061         /* do the header */
1062         p = dtls1_set_message_header(s, p, SSL3_MT_SERVER_DONE, 0, 0, 0);
1063
1064         s->state = SSL3_ST_SW_SRVR_DONE_B;
1065         /* number of bytes to write */
1066         s->init_num = DTLS1_HM_HEADER_LENGTH;
1067         s->init_off = 0;
1068
1069         /* buffer the message to handle re-xmits */
1070         dtls1_buffer_message(s, 0);
1071     }
1072
1073     /* SSL3_ST_SW_SRVR_DONE_B */
1074     return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
1075 }
1076
1077 int dtls1_send_server_key_exchange(SSL *s)
1078 {
1079 #ifndef OPENSSL_NO_RSA
1080     unsigned char *q;
1081     int j, num;
1082     RSA *rsa;
1083     unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
1084     unsigned int u;
1085 #endif
1086 #ifndef OPENSSL_NO_DH
1087     DH *dh = NULL, *dhp;
1088 #endif
1089 #ifndef OPENSSL_NO_ECDH
1090     EC_KEY *ecdh = NULL, *ecdhp;
1091     unsigned char *encodedPoint = NULL;
1092     int encodedlen = 0;
1093     int curve_id = 0;
1094     BN_CTX *bn_ctx = NULL;
1095 #endif
1096     EVP_PKEY *pkey;
1097     unsigned char *p, *d;
1098     int al, i;
1099     unsigned long type;
1100     int n;
1101     CERT *cert;
1102     BIGNUM *r[4];
1103     int nr[4], kn;
1104     BUF_MEM *buf;
1105     EVP_MD_CTX md_ctx;
1106
1107     EVP_MD_CTX_init(&md_ctx);
1108     if (s->state == SSL3_ST_SW_KEY_EXCH_A) {
1109         type = s->s3->tmp.new_cipher->algorithm_mkey;
1110         cert = s->cert;
1111
1112         buf = s->init_buf;
1113
1114         r[0] = r[1] = r[2] = r[3] = NULL;
1115         n = 0;
1116 #ifndef OPENSSL_NO_RSA
1117         if (type & SSL_kRSA) {
1118             rsa = cert->rsa_tmp;
1119             if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) {
1120                 rsa = s->cert->rsa_tmp_cb(s,
1121                                           SSL_C_IS_EXPORT(s->s3->
1122                                                           tmp.new_cipher),
1123                                           SSL_C_EXPORT_PKEYLENGTH(s->s3->
1124                                                                   tmp.new_cipher));
1125                 if (rsa == NULL) {
1126                     al = SSL_AD_HANDSHAKE_FAILURE;
1127                     SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,
1128                            SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
1129                     goto f_err;
1130                 }
1131                 RSA_up_ref(rsa);
1132                 cert->rsa_tmp = rsa;
1133             }
1134             if (rsa == NULL) {
1135                 al = SSL_AD_HANDSHAKE_FAILURE;
1136                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,
1137                        SSL_R_MISSING_TMP_RSA_KEY);
1138                 goto f_err;
1139             }
1140             r[0] = rsa->n;
1141             r[1] = rsa->e;
1142             s->s3->tmp.use_rsa_tmp = 1;
1143         } else
1144 #endif
1145 #ifndef OPENSSL_NO_DH
1146         if (type & SSL_kEDH) {
1147             dhp = cert->dh_tmp;
1148             if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
1149                 dhp = s->cert->dh_tmp_cb(s,
1150                                          SSL_C_IS_EXPORT(s->s3->
1151                                                          tmp.new_cipher),
1152                                          SSL_C_EXPORT_PKEYLENGTH(s->s3->
1153                                                                  tmp.new_cipher));
1154             if (dhp == NULL) {
1155                 al = SSL_AD_HANDSHAKE_FAILURE;
1156                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,
1157                        SSL_R_MISSING_TMP_DH_KEY);
1158                 goto f_err;
1159             }
1160
1161             if (s->s3->tmp.dh != NULL) {
1162                 DH_free(dh);
1163                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,
1164                        ERR_R_INTERNAL_ERROR);
1165                 goto err;
1166             }
1167
1168             if ((dh = DHparams_dup(dhp)) == NULL) {
1169                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
1170                 goto err;
1171             }
1172
1173             s->s3->tmp.dh = dh;
1174             if ((dhp->pub_key == NULL ||
1175                  dhp->priv_key == NULL ||
1176                  (s->options & SSL_OP_SINGLE_DH_USE))) {
1177                 if (!DH_generate_key(dh)) {
1178                     SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,
1179                            ERR_R_DH_LIB);
1180                     goto err;
1181                 }
1182             } else {
1183                 dh->pub_key = BN_dup(dhp->pub_key);
1184                 dh->priv_key = BN_dup(dhp->priv_key);
1185                 if ((dh->pub_key == NULL) || (dh->priv_key == NULL)) {
1186                     SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,
1187                            ERR_R_DH_LIB);
1188                     goto err;
1189                 }
1190             }
1191             r[0] = dh->p;
1192             r[1] = dh->g;
1193             r[2] = dh->pub_key;
1194         } else
1195 #endif
1196 #ifndef OPENSSL_NO_ECDH
1197         if (type & SSL_kEECDH) {
1198             const EC_GROUP *group;
1199
1200             ecdhp = cert->ecdh_tmp;
1201             if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL)) {
1202                 ecdhp = s->cert->ecdh_tmp_cb(s,
1203                                              SSL_C_IS_EXPORT(s->s3->
1204                                                              tmp.new_cipher),
1205                                              SSL_C_EXPORT_PKEYLENGTH(s->
1206                                                                      s3->tmp.new_cipher));
1207             }
1208             if (ecdhp == NULL) {
1209                 al = SSL_AD_HANDSHAKE_FAILURE;
1210                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,
1211                        SSL_R_MISSING_TMP_ECDH_KEY);
1212                 goto f_err;
1213             }
1214
1215             if (s->s3->tmp.ecdh != NULL) {
1216                 EC_KEY_free(s->s3->tmp.ecdh);
1217                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,
1218                        ERR_R_INTERNAL_ERROR);
1219                 goto err;
1220             }
1221
1222             /* Duplicate the ECDH structure. */
1223             if (ecdhp == NULL) {
1224                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1225                 goto err;
1226             }
1227             if ((ecdh = EC_KEY_dup(ecdhp)) == NULL) {
1228                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1229                 goto err;
1230             }
1231
1232             s->s3->tmp.ecdh = ecdh;
1233             if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
1234                 (EC_KEY_get0_private_key(ecdh) == NULL) ||
1235                 (s->options & SSL_OP_SINGLE_ECDH_USE)) {
1236                 if (!EC_KEY_generate_key(ecdh)) {
1237                     SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,
1238                            ERR_R_ECDH_LIB);
1239                     goto err;
1240                 }
1241             }
1242
1243             if (((group = EC_KEY_get0_group(ecdh)) == NULL) ||
1244                 (EC_KEY_get0_public_key(ecdh) == NULL) ||
1245                 (EC_KEY_get0_private_key(ecdh) == NULL)) {
1246                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1247                 goto err;
1248             }
1249
1250             if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
1251                 (EC_GROUP_get_degree(group) > 163)) {
1252                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,
1253                        SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1254                 goto err;
1255             }
1256
1257             /*
1258              * XXX: For now, we only support ephemeral ECDH keys over named
1259              * (not generic) curves. For supported named curves, curve_id is
1260              * non-zero.
1261              */
1262             if ((curve_id =
1263                  tls1_ec_nid2curve_id(EC_GROUP_get_curve_name(group)))
1264                 == 0) {
1265                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,
1266                        SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1267                 goto err;
1268             }
1269
1270             /*
1271              * Encode the public key. First check the size of encoding and
1272              * allocate memory accordingly.
1273              */
1274             encodedlen = EC_POINT_point2oct(group,
1275                                             EC_KEY_get0_public_key(ecdh),
1276                                             POINT_CONVERSION_UNCOMPRESSED,
1277                                             NULL, 0, NULL);
1278
1279             encodedPoint = (unsigned char *)
1280                 OPENSSL_malloc(encodedlen * sizeof(unsigned char));
1281             bn_ctx = BN_CTX_new();
1282             if ((encodedPoint == NULL) || (bn_ctx == NULL)) {
1283                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,
1284                        ERR_R_MALLOC_FAILURE);
1285                 goto err;
1286             }
1287
1288             encodedlen = EC_POINT_point2oct(group,
1289                                             EC_KEY_get0_public_key(ecdh),
1290                                             POINT_CONVERSION_UNCOMPRESSED,
1291                                             encodedPoint, encodedlen, bn_ctx);
1292
1293             if (encodedlen == 0) {
1294                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_ECDH_LIB);
1295                 goto err;
1296             }
1297
1298             BN_CTX_free(bn_ctx);
1299             bn_ctx = NULL;
1300
1301             /*
1302              * XXX: For now, we only support named (not generic) curves in
1303              * ECDH ephemeral key exchanges. In this situation, we need four
1304              * additional bytes to encode the entire ServerECDHParams
1305              * structure.
1306              */
1307             n = 4 + encodedlen;
1308
1309             /*
1310              * We'll generate the serverKeyExchange message explicitly so we
1311              * can set these to NULLs
1312              */
1313             r[0] = NULL;
1314             r[1] = NULL;
1315             r[2] = NULL;
1316             r[3] = NULL;
1317         } else
1318 #endif                          /* !OPENSSL_NO_ECDH */
1319 #ifndef OPENSSL_NO_PSK
1320         if (type & SSL_kPSK) {
1321             /*
1322              * reserve size for record length and PSK identity hint
1323              */
1324             n += 2 + strlen(s->ctx->psk_identity_hint);
1325         } else
1326 #endif                          /* !OPENSSL_NO_PSK */
1327         {
1328             al = SSL_AD_HANDSHAKE_FAILURE;
1329             SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,
1330                    SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
1331             goto f_err;
1332         }
1333         for (i = 0; r[i] != NULL; i++) {
1334             nr[i] = BN_num_bytes(r[i]);
1335             n += 2 + nr[i];
1336         }
1337
1338         if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
1339             && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
1340             if ((pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher, NULL))
1341                 == NULL) {
1342                 al = SSL_AD_DECODE_ERROR;
1343                 goto f_err;
1344             }
1345             kn = EVP_PKEY_size(pkey);
1346         } else {
1347             pkey = NULL;
1348             kn = 0;
1349         }
1350
1351         if (!BUF_MEM_grow_clean(buf, n + DTLS1_HM_HEADER_LENGTH + kn)) {
1352             SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_BUF);
1353             goto err;
1354         }
1355         d = (unsigned char *)s->init_buf->data;
1356         p = &(d[DTLS1_HM_HEADER_LENGTH]);
1357
1358         for (i = 0; r[i] != NULL; i++) {
1359             s2n(nr[i], p);
1360             BN_bn2bin(r[i], p);
1361             p += nr[i];
1362         }
1363
1364 #ifndef OPENSSL_NO_ECDH
1365         if (type & SSL_kEECDH) {
1366             /*
1367              * XXX: For now, we only support named (not generic) curves. In
1368              * this situation, the serverKeyExchange message has: [1 byte
1369              * CurveType], [2 byte CurveName] [1 byte length of encoded
1370              * point], followed by the actual encoded point itself
1371              */
1372             *p = NAMED_CURVE_TYPE;
1373             p += 1;
1374             *p = 0;
1375             p += 1;
1376             *p = curve_id;
1377             p += 1;
1378             *p = encodedlen;
1379             p += 1;
1380             memcpy((unsigned char *)p,
1381                    (unsigned char *)encodedPoint, encodedlen);
1382             OPENSSL_free(encodedPoint);
1383             encodedPoint = NULL;
1384             p += encodedlen;
1385         }
1386 #endif
1387
1388 #ifndef OPENSSL_NO_PSK
1389         if (type & SSL_kPSK) {
1390             /* copy PSK identity hint */
1391             s2n(strlen(s->ctx->psk_identity_hint), p);
1392             strncpy((char *)p, s->ctx->psk_identity_hint,
1393                     strlen(s->ctx->psk_identity_hint));
1394             p += strlen(s->ctx->psk_identity_hint);
1395         }
1396 #endif
1397
1398         /* not anonymous */
1399         if (pkey != NULL) {
1400             /*
1401              * n is the length of the params, they start at
1402              * &(d[DTLS1_HM_HEADER_LENGTH]) and p points to the space at the
1403              * end.
1404              */
1405 #ifndef OPENSSL_NO_RSA
1406             if (pkey->type == EVP_PKEY_RSA) {
1407                 q = md_buf;
1408                 j = 0;
1409                 for (num = 2; num > 0; num--) {
1410                     EVP_DigestInit_ex(&md_ctx, (num == 2)
1411                                       ? s->ctx->md5 : s->ctx->sha1, NULL);
1412                     EVP_DigestUpdate(&md_ctx, &(s->s3->client_random[0]),
1413                                      SSL3_RANDOM_SIZE);
1414                     EVP_DigestUpdate(&md_ctx, &(s->s3->server_random[0]),
1415                                      SSL3_RANDOM_SIZE);
1416                     EVP_DigestUpdate(&md_ctx, &(d[DTLS1_HM_HEADER_LENGTH]),
1417                                      n);
1418                     EVP_DigestFinal_ex(&md_ctx, q, (unsigned int *)&i);
1419                     q += i;
1420                     j += i;
1421                 }
1422                 if (RSA_sign(NID_md5_sha1, md_buf, j,
1423                              &(p[2]), &u, pkey->pkey.rsa) <= 0) {
1424                     SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_RSA);
1425                     goto err;
1426                 }
1427                 s2n(u, p);
1428                 n += u + 2;
1429             } else
1430 #endif
1431 #if !defined(OPENSSL_NO_DSA)
1432             if (pkey->type == EVP_PKEY_DSA) {
1433                 /* lets do DSS */
1434                 EVP_SignInit_ex(&md_ctx, EVP_dss1(), NULL);
1435                 EVP_SignUpdate(&md_ctx, &(s->s3->client_random[0]),
1436                                SSL3_RANDOM_SIZE);
1437                 EVP_SignUpdate(&md_ctx, &(s->s3->server_random[0]),
1438                                SSL3_RANDOM_SIZE);
1439                 EVP_SignUpdate(&md_ctx, &(d[DTLS1_HM_HEADER_LENGTH]), n);
1440                 if (!EVP_SignFinal(&md_ctx, &(p[2]),
1441                                    (unsigned int *)&i, pkey)) {
1442                     SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_DSA);
1443                     goto err;
1444                 }
1445                 s2n(i, p);
1446                 n += i + 2;
1447             } else
1448 #endif
1449 #if !defined(OPENSSL_NO_ECDSA)
1450             if (pkey->type == EVP_PKEY_EC) {
1451                 /* let's do ECDSA */
1452                 EVP_SignInit_ex(&md_ctx, EVP_ecdsa(), NULL);
1453                 EVP_SignUpdate(&md_ctx, &(s->s3->client_random[0]),
1454                                SSL3_RANDOM_SIZE);
1455                 EVP_SignUpdate(&md_ctx, &(s->s3->server_random[0]),
1456                                SSL3_RANDOM_SIZE);
1457                 EVP_SignUpdate(&md_ctx, &(d[DTLS1_HM_HEADER_LENGTH]), n);
1458                 if (!EVP_SignFinal(&md_ctx, &(p[2]),
1459                                    (unsigned int *)&i, pkey)) {
1460                     SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,
1461                            ERR_LIB_ECDSA);
1462                     goto err;
1463                 }
1464                 s2n(i, p);
1465                 n += i + 2;
1466             } else
1467 #endif
1468             {
1469                 /* Is this error check actually needed? */
1470                 al = SSL_AD_HANDSHAKE_FAILURE;
1471                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,
1472                        SSL_R_UNKNOWN_PKEY_TYPE);
1473                 goto f_err;
1474             }
1475         }
1476
1477         d = dtls1_set_message_header(s, d,
1478                                      SSL3_MT_SERVER_KEY_EXCHANGE, n, 0, n);
1479
1480         /*
1481          * we should now have things packed up, so lets send it off
1482          */
1483         s->init_num = n + DTLS1_HM_HEADER_LENGTH;
1484         s->init_off = 0;
1485
1486         /* buffer the message to handle re-xmits */
1487         dtls1_buffer_message(s, 0);
1488     }
1489
1490     s->state = SSL3_ST_SW_KEY_EXCH_B;
1491     EVP_MD_CTX_cleanup(&md_ctx);
1492     return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
1493  f_err:
1494     ssl3_send_alert(s, SSL3_AL_FATAL, al);
1495  err:
1496 #ifndef OPENSSL_NO_ECDH
1497     if (encodedPoint != NULL)
1498         OPENSSL_free(encodedPoint);
1499     BN_CTX_free(bn_ctx);
1500 #endif
1501     EVP_MD_CTX_cleanup(&md_ctx);
1502     return (-1);
1503 }
1504
1505 int dtls1_send_certificate_request(SSL *s)
1506 {
1507     unsigned char *p, *d;
1508     int i, j, nl, off, n;
1509     STACK_OF(X509_NAME) *sk = NULL;
1510     X509_NAME *name;
1511     BUF_MEM *buf;
1512     unsigned int msg_len;
1513
1514     if (s->state == SSL3_ST_SW_CERT_REQ_A) {
1515         buf = s->init_buf;
1516
1517         d = p = (unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH]);
1518
1519         /* get the list of acceptable cert types */
1520         p++;
1521         n = ssl3_get_req_cert_type(s, p);
1522         d[0] = n;
1523         p += n;
1524         n++;
1525
1526         off = n;
1527         p += 2;
1528         n += 2;
1529
1530         sk = SSL_get_client_CA_list(s);
1531         nl = 0;
1532         if (sk != NULL) {
1533             for (i = 0; i < sk_X509_NAME_num(sk); i++) {
1534                 name = sk_X509_NAME_value(sk, i);
1535                 j = i2d_X509_NAME(name, NULL);
1536                 if (!BUF_MEM_grow_clean
1537                     (buf, DTLS1_HM_HEADER_LENGTH + n + j + 2)) {
1538                     SSLerr(SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST,
1539                            ERR_R_BUF_LIB);
1540                     goto err;
1541                 }
1542                 p = (unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH + n]);
1543                 if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) {
1544                     s2n(j, p);
1545                     i2d_X509_NAME(name, &p);
1546                     n += 2 + j;
1547                     nl += 2 + j;
1548                 } else {
1549                     d = p;
1550                     i2d_X509_NAME(name, &p);
1551                     j -= 2;
1552                     s2n(j, d);
1553                     j += 2;
1554                     n += j;
1555                     nl += j;
1556                 }
1557             }
1558         }
1559         /* else no CA names */
1560         p = (unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH + off]);
1561         s2n(nl, p);
1562
1563         d = (unsigned char *)buf->data;
1564         *(d++) = SSL3_MT_CERTIFICATE_REQUEST;
1565         l2n3(n, d);
1566         s2n(s->d1->handshake_write_seq, d);
1567         s->d1->handshake_write_seq++;
1568
1569         /*
1570          * we should now have things packed up, so lets send it off
1571          */
1572
1573         s->init_num = n + DTLS1_HM_HEADER_LENGTH;
1574         s->init_off = 0;
1575 #ifdef NETSCAPE_HANG_BUG
1576 /* XXX: what to do about this? */
1577         p = (unsigned char *)s->init_buf->data + s->init_num;
1578
1579         /* do the header */
1580         *(p++) = SSL3_MT_SERVER_DONE;
1581         *(p++) = 0;
1582         *(p++) = 0;
1583         *(p++) = 0;
1584         s->init_num += 4;
1585 #endif
1586
1587         /* XDTLS:  set message header ? */
1588         msg_len = s->init_num - DTLS1_HM_HEADER_LENGTH;
1589         dtls1_set_message_header(s, (void *)s->init_buf->data,
1590                                  SSL3_MT_CERTIFICATE_REQUEST, msg_len, 0,
1591                                  msg_len);
1592
1593         /* buffer the message to handle re-xmits */
1594         dtls1_buffer_message(s, 0);
1595
1596         s->state = SSL3_ST_SW_CERT_REQ_B;
1597     }
1598
1599     /* SSL3_ST_SW_CERT_REQ_B */
1600     return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
1601  err:
1602     return (-1);
1603 }
1604
1605 int dtls1_send_server_certificate(SSL *s)
1606 {
1607     unsigned long l;
1608     X509 *x;
1609
1610     if (s->state == SSL3_ST_SW_CERT_A) {
1611         x = ssl_get_server_send_cert(s);
1612         if (x == NULL) {
1613             /* VRS: allow null cert if auth == KRB5 */
1614             if ((s->s3->tmp.new_cipher->algorithm_mkey != SSL_kKRB5) ||
1615                 (s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5)) {
1616                 SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,
1617                        ERR_R_INTERNAL_ERROR);
1618                 return (0);
1619             }
1620         }
1621
1622         l = dtls1_output_cert_chain(s, x);
1623         if (!l) {
1624             SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
1625             return (0);
1626         }
1627         s->state = SSL3_ST_SW_CERT_B;
1628         s->init_num = (int)l;
1629         s->init_off = 0;
1630
1631         /* buffer the message to handle re-xmits */
1632         dtls1_buffer_message(s, 0);
1633     }
1634
1635     /* SSL3_ST_SW_CERT_B */
1636     return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
1637 }
1638
1639 #ifndef OPENSSL_NO_TLSEXT
1640 int dtls1_send_newsession_ticket(SSL *s)
1641 {
1642     if (s->state == SSL3_ST_SW_SESSION_TICKET_A) {
1643         unsigned char *p, *senc, *macstart;
1644         int len, slen;
1645         unsigned int hlen, msg_len;
1646         EVP_CIPHER_CTX ctx;
1647         HMAC_CTX hctx;
1648         SSL_CTX *tctx = s->initial_ctx;
1649         unsigned char iv[EVP_MAX_IV_LENGTH];
1650         unsigned char key_name[16];
1651
1652         /* get session encoding length */
1653         slen = i2d_SSL_SESSION(s->session, NULL);
1654         /*
1655          * Some length values are 16 bits, so forget it if session is too
1656          * long
1657          */
1658         if (slen > 0xFF00)
1659             return -1;
1660         /*
1661          * Grow buffer if need be: the length calculation is as follows 12
1662          * (DTLS handshake message header) + 4 (ticket lifetime hint) + 2
1663          * (ticket length) + 16 (key name) + max_iv_len (iv length) +
1664          * session_length + max_enc_block_size (max encrypted session length)
1665          * + max_md_size (HMAC).
1666          */
1667         if (!BUF_MEM_grow(s->init_buf,
1668                           DTLS1_HM_HEADER_LENGTH + 22 + EVP_MAX_IV_LENGTH +
1669                           EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE + slen))
1670             return -1;
1671         senc = OPENSSL_malloc(slen);
1672         if (!senc)
1673             return -1;
1674         p = senc;
1675         i2d_SSL_SESSION(s->session, &p);
1676
1677         p = (unsigned char *)&(s->init_buf->data[DTLS1_HM_HEADER_LENGTH]);
1678         EVP_CIPHER_CTX_init(&ctx);
1679         HMAC_CTX_init(&hctx);
1680         /*
1681          * Initialize HMAC and cipher contexts. If callback present it does
1682          * all the work otherwise use generated values from parent ctx.
1683          */
1684         if (tctx->tlsext_ticket_key_cb) {
1685             if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
1686                                            &hctx, 1) < 0) {
1687                 OPENSSL_free(senc);
1688                 return -1;
1689             }
1690         } else {
1691             RAND_pseudo_bytes(iv, 16);
1692             EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
1693                                tctx->tlsext_tick_aes_key, iv);
1694             HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
1695                          tlsext_tick_md(), NULL);
1696             memcpy(key_name, tctx->tlsext_tick_key_name, 16);
1697         }
1698         l2n(s->session->tlsext_tick_lifetime_hint, p);
1699         /* Skip ticket length for now */
1700         p += 2;
1701         /* Output key name */
1702         macstart = p;
1703         memcpy(p, key_name, 16);
1704         p += 16;
1705         /* output IV */
1706         memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx));
1707         p += EVP_CIPHER_CTX_iv_length(&ctx);
1708         /* Encrypt session data */
1709         EVP_EncryptUpdate(&ctx, p, &len, senc, slen);
1710         p += len;
1711         EVP_EncryptFinal(&ctx, p, &len);
1712         p += len;
1713         EVP_CIPHER_CTX_cleanup(&ctx);
1714
1715         HMAC_Update(&hctx, macstart, p - macstart);
1716         HMAC_Final(&hctx, p, &hlen);
1717         HMAC_CTX_cleanup(&hctx);
1718
1719         p += hlen;
1720         /* Now write out lengths: p points to end of data written */
1721         /* Total length */
1722         len = p - (unsigned char *)(s->init_buf->data);
1723         /* Ticket length */
1724         p = (unsigned char *)&(s->init_buf->data[DTLS1_HM_HEADER_LENGTH]) + 4;
1725         s2n(len - DTLS1_HM_HEADER_LENGTH - 6, p);
1726
1727         /* number of bytes to write */
1728         s->init_num = len;
1729         s->state = SSL3_ST_SW_SESSION_TICKET_B;
1730         s->init_off = 0;
1731         OPENSSL_free(senc);
1732
1733         /* XDTLS:  set message header ? */
1734         msg_len = s->init_num - DTLS1_HM_HEADER_LENGTH;
1735         dtls1_set_message_header(s, (void *)s->init_buf->data,
1736                                  SSL3_MT_NEWSESSION_TICKET, msg_len, 0,
1737                                  msg_len);
1738
1739         /* buffer the message to handle re-xmits */
1740         dtls1_buffer_message(s, 0);
1741     }
1742
1743     /* SSL3_ST_SW_SESSION_TICKET_B */
1744     return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
1745 }
1746 #endif
Unnamed repository; edit this file 'description' to name the repository.