Remove SSL_OP_TLS_BLOCK_PADDING_BUG
[openssl.git] / ssl / d1_clnt.c
1 /* ssl/d1_clnt.c */
2 /*
3  * DTLS implementation written by Nagendra Modadugu
4  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
5  */
6 /* ====================================================================
7  * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  *
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  *
16  * 2. Redistributions in binary form must reproduce the above copyright
17  *    notice, this list of conditions and the following disclaimer in
18  *    the documentation and/or other materials provided with the
19  *    distribution.
20  *
21  * 3. All advertising materials mentioning features or use of this
22  *    software must display the following acknowledgment:
23  *    "This product includes software developed by the OpenSSL Project
24  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25  *
26  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27  *    endorse or promote products derived from this software without
28  *    prior written permission. For written permission, please contact
29  *    openssl-core@OpenSSL.org.
30  *
31  * 5. Products derived from this software may not be called "OpenSSL"
32  *    nor may "OpenSSL" appear in their names without prior written
33  *    permission of the OpenSSL Project.
34  *
35  * 6. Redistributions of any form whatsoever must retain the following
36  *    acknowledgment:
37  *    "This product includes software developed by the OpenSSL Project
38  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
44  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51  * OF THE POSSIBILITY OF SUCH DAMAGE.
52  * ====================================================================
53  *
54  * This product includes cryptographic software written by Eric Young
55  * (eay@cryptsoft.com).  This product includes software written by Tim
56  * Hudson (tjh@cryptsoft.com).
57  *
58  */
59 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
60  * All rights reserved.
61  *
62  * This package is an SSL implementation written
63  * by Eric Young (eay@cryptsoft.com).
64  * The implementation was written so as to conform with Netscapes SSL.
65  *
66  * This library is free for commercial and non-commercial use as long as
67  * the following conditions are aheared to.  The following conditions
68  * apply to all code found in this distribution, be it the RC4, RSA,
69  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
70  * included with this distribution is covered by the same copyright terms
71  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
72  *
73  * Copyright remains Eric Young's, and as such any Copyright notices in
74  * the code are not to be removed.
75  * If this package is used in a product, Eric Young should be given attribution
76  * as the author of the parts of the library used.
77  * This can be in the form of a textual message at program startup or
78  * in documentation (online or textual) provided with the package.
79  *
80  * Redistribution and use in source and binary forms, with or without
81  * modification, are permitted provided that the following conditions
82  * are met:
83  * 1. Redistributions of source code must retain the copyright
84  *    notice, this list of conditions and the following disclaimer.
85  * 2. Redistributions in binary form must reproduce the above copyright
86  *    notice, this list of conditions and the following disclaimer in the
87  *    documentation and/or other materials provided with the distribution.
88  * 3. All advertising materials mentioning features or use of this software
89  *    must display the following acknowledgement:
90  *    "This product includes cryptographic software written by
91  *     Eric Young (eay@cryptsoft.com)"
92  *    The word 'cryptographic' can be left out if the rouines from the library
93  *    being used are not cryptographic related :-).
94  * 4. If you include any Windows specific code (or a derivative thereof) from
95  *    the apps directory (application code) you must include an acknowledgement:
96  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
97  *
98  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
99  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
100  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
101  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
102  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
103  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
104  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
105  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
106  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
107  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
108  * SUCH DAMAGE.
109  *
110  * The licence and distribution terms for any publically available version or
111  * derivative of this code cannot be changed.  i.e. this code cannot simply be
112  * copied and put under another distribution licence
113  * [including the GNU Public Licence.]
114  */
115
116 #include <stdio.h>
117 #include "ssl_locl.h"
118 #include <openssl/buffer.h>
119 #include <openssl/rand.h>
120 #include <openssl/objects.h>
121 #include <openssl/evp.h>
122 #include <openssl/md5.h>
123 #include <openssl/bn.h>
124 #ifndef OPENSSL_NO_DH
125 # include <openssl/dh.h>
126 #endif
127
128 static const SSL_METHOD *dtls1_get_client_method(int ver);
129 static int dtls1_get_hello_verify(SSL *s);
130
131 static const SSL_METHOD *dtls1_get_client_method(int ver)
132 {
133     if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
134         return (DTLSv1_client_method());
135     else if (ver == DTLS1_2_VERSION)
136         return (DTLSv1_2_client_method());
137     else
138         return (NULL);
139 }
140
141 IMPLEMENT_dtls1_meth_func(DTLS1_VERSION,
142                           DTLSv1_client_method,
143                           ssl_undefined_function,
144                           dtls1_connect,
145                           dtls1_get_client_method, DTLSv1_enc_data)
146
147     IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION,
148                           DTLSv1_2_client_method,
149                           ssl_undefined_function,
150                           dtls1_connect,
151                           dtls1_get_client_method, DTLSv1_2_enc_data)
152
153     IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION,
154                           DTLS_client_method,
155                           ssl_undefined_function,
156                           dtls1_connect,
157                           dtls1_get_client_method, DTLSv1_2_enc_data)
158
159 int dtls1_connect(SSL *s)
160 {
161     BUF_MEM *buf = NULL;
162     unsigned long Time = (unsigned long)time(NULL);
163     void (*cb) (const SSL *ssl, int type, int val) = NULL;
164     int ret = -1;
165     int new_state, state, skip = 0;
166 #ifndef OPENSSL_NO_SCTP
167     unsigned char sctpauthkey[64];
168     char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
169 #endif
170
171     RAND_add(&Time, sizeof(Time), 0);
172     ERR_clear_error();
173     clear_sys_error();
174
175     if (s->info_callback != NULL)
176         cb = s->info_callback;
177     else if (s->ctx->info_callback != NULL)
178         cb = s->ctx->info_callback;
179
180     s->in_handshake++;
181     if (!SSL_in_init(s) || SSL_in_before(s)) {
182         if (!SSL_clear(s))
183             return -1;
184     }
185
186 #ifndef OPENSSL_NO_SCTP
187     /*
188      * Notify SCTP BIO socket to enter handshake mode and prevent stream
189      * identifier other than 0. Will be ignored if no SCTP is used.
190      */
191     BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
192              s->in_handshake, NULL);
193 #endif
194
195 #ifndef OPENSSL_NO_HEARTBEATS
196     /*
197      * If we're awaiting a HeartbeatResponse, pretend we already got and
198      * don't await it anymore, because Heartbeats don't make sense during
199      * handshakes anyway.
200      */
201     if (s->tlsext_hb_pending) {
202         dtls1_stop_timer(s);
203         s->tlsext_hb_pending = 0;
204         s->tlsext_hb_seq++;
205     }
206 #endif
207
208     for (;;) {
209         state = s->state;
210
211         switch (s->state) {
212         case SSL_ST_RENEGOTIATE:
213             s->renegotiate = 1;
214             s->state = SSL_ST_CONNECT;
215             s->ctx->stats.sess_connect_renegotiate++;
216             /* break */
217         case SSL_ST_BEFORE:
218         case SSL_ST_CONNECT:
219         case SSL_ST_BEFORE | SSL_ST_CONNECT:
220         case SSL_ST_OK | SSL_ST_CONNECT:
221
222             s->server = 0;
223             if (cb != NULL)
224                 cb(s, SSL_CB_HANDSHAKE_START, 1);
225
226             if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00) &&
227                 (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00)) {
228                 SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR);
229                 ret = -1;
230                 s->state = SSL_ST_ERR;
231                 goto end;
232             }
233
234             /* s->version=SSL3_VERSION; */
235             s->type = SSL_ST_CONNECT;
236
237             if (s->init_buf == NULL) {
238                 if ((buf = BUF_MEM_new()) == NULL) {
239                     ret = -1;
240                     s->state = SSL_ST_ERR;
241                     goto end;
242                 }
243                 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
244                     ret = -1;
245                     s->state = SSL_ST_ERR;
246                     goto end;
247                 }
248                 s->init_buf = buf;
249                 buf = NULL;
250             }
251
252             if (!ssl3_setup_buffers(s)) {
253                 ret = -1;
254                 s->state = SSL_ST_ERR;
255                 goto end;
256             }
257
258             /* setup buffing BIO */
259             if (!ssl_init_wbio_buffer(s, 0)) {
260                 ret = -1;
261                 s->state = SSL_ST_ERR;
262                 goto end;
263             }
264
265             /* don't push the buffering BIO quite yet */
266
267             s->state = SSL3_ST_CW_CLNT_HELLO_A;
268             s->ctx->stats.sess_connect++;
269             s->init_num = 0;
270             /* mark client_random uninitialized */
271             memset(s->s3->client_random, 0, sizeof(s->s3->client_random));
272             s->d1->send_cookie = 0;
273             s->hit = 0;
274             s->d1->change_cipher_spec_ok = 0;
275             /*
276              * Should have been reset by ssl3_get_finished, too.
277              */
278             s->s3->change_cipher_spec = 0;
279             break;
280
281 #ifndef OPENSSL_NO_SCTP
282         case DTLS1_SCTP_ST_CR_READ_SOCK:
283
284             if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
285                 s->s3->in_read_app_data = 2;
286                 s->rwstate = SSL_READING;
287                 BIO_clear_retry_flags(SSL_get_rbio(s));
288                 BIO_set_retry_read(SSL_get_rbio(s));
289                 ret = -1;
290                 goto end;
291             }
292
293             s->state = s->s3->tmp.next_state;
294             break;
295
296         case DTLS1_SCTP_ST_CW_WRITE_SOCK:
297             /* read app data until dry event */
298
299             ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
300             if (ret < 0)
301                 goto end;
302
303             if (ret == 0) {
304                 s->s3->in_read_app_data = 2;
305                 s->rwstate = SSL_READING;
306                 BIO_clear_retry_flags(SSL_get_rbio(s));
307                 BIO_set_retry_read(SSL_get_rbio(s));
308                 ret = -1;
309                 goto end;
310             }
311
312             s->state = s->d1->next_state;
313             break;
314 #endif
315
316         case SSL3_ST_CW_CLNT_HELLO_A:
317         case SSL3_ST_CW_CLNT_HELLO_B:
318
319             s->shutdown = 0;
320
321             /* every DTLS ClientHello resets Finished MAC */
322             ssl3_init_finished_mac(s);
323
324             dtls1_start_timer(s);
325             ret = ssl3_client_hello(s);
326             if (ret <= 0)
327                 goto end;
328
329             if (s->d1->send_cookie) {
330                 s->state = SSL3_ST_CW_FLUSH;
331                 s->s3->tmp.next_state = SSL3_ST_CR_SRVR_HELLO_A;
332             } else
333                 s->state = SSL3_ST_CR_SRVR_HELLO_A;
334
335             s->init_num = 0;
336
337 #ifndef OPENSSL_NO_SCTP
338             /* Disable buffering for SCTP */
339             if (!BIO_dgram_is_sctp(SSL_get_wbio(s))) {
340 #endif
341                 /*
342                  * turn on buffering for the next lot of output
343                  */
344                 if (s->bbio != s->wbio)
345                     s->wbio = BIO_push(s->bbio, s->wbio);
346 #ifndef OPENSSL_NO_SCTP
347             }
348 #endif
349
350             break;
351
352         case SSL3_ST_CR_SRVR_HELLO_A:
353         case SSL3_ST_CR_SRVR_HELLO_B:
354             ret = ssl3_get_server_hello(s);
355             if (ret <= 0)
356                 goto end;
357             else {
358                 if (s->hit) {
359 #ifndef OPENSSL_NO_SCTP
360                     /*
361                      * Add new shared key for SCTP-Auth, will be ignored if
362                      * no SCTP used.
363                      */
364                     snprintf((char *)labelbuffer,
365                              sizeof(DTLS1_SCTP_AUTH_LABEL),
366                              DTLS1_SCTP_AUTH_LABEL);
367
368                     SSL_export_keying_material(s, sctpauthkey,
369                                                sizeof(sctpauthkey),
370                                                labelbuffer,
371                                                sizeof(labelbuffer), NULL, 0,
372                                                0);
373
374                     BIO_ctrl(SSL_get_wbio(s),
375                              BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
376                              sizeof(sctpauthkey), sctpauthkey);
377 #endif
378
379                     s->state = SSL3_ST_CR_FINISHED_A;
380                 } else
381                     s->state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
382             }
383             s->init_num = 0;
384             break;
385
386         case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
387         case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B:
388
389             ret = dtls1_get_hello_verify(s);
390             if (ret <= 0)
391                 goto end;
392             dtls1_stop_timer(s);
393             if (s->d1->send_cookie) /* start again, with a cookie */
394                 s->state = SSL3_ST_CW_CLNT_HELLO_A;
395             else
396                 s->state = SSL3_ST_CR_CERT_A;
397             s->init_num = 0;
398             break;
399
400         case SSL3_ST_CR_CERT_A:
401         case SSL3_ST_CR_CERT_B:
402             /* Check if it is anon DH or PSK */
403             if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
404                 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
405                 ret = ssl3_get_server_certificate(s);
406                 if (ret <= 0)
407                     goto end;
408
409                 if (s->tlsext_status_expected)
410                     s->state = SSL3_ST_CR_CERT_STATUS_A;
411                 else
412                     s->state = SSL3_ST_CR_KEY_EXCH_A;
413             } else {
414                 skip = 1;
415                 s->state = SSL3_ST_CR_KEY_EXCH_A;
416             }
417
418             s->init_num = 0;
419             break;
420
421         case SSL3_ST_CR_KEY_EXCH_A:
422         case SSL3_ST_CR_KEY_EXCH_B:
423             ret = ssl3_get_key_exchange(s);
424             if (ret <= 0)
425                 goto end;
426             s->state = SSL3_ST_CR_CERT_REQ_A;
427             s->init_num = 0;
428
429             /*
430              * at this point we check that we have the required stuff from
431              * the server
432              */
433             if (!ssl3_check_cert_and_algorithm(s)) {
434                 ret = -1;
435                 s->state = SSL_ST_ERR;
436                 goto end;
437             }
438             break;
439
440         case SSL3_ST_CR_CERT_REQ_A:
441         case SSL3_ST_CR_CERT_REQ_B:
442             ret = ssl3_get_certificate_request(s);
443             if (ret <= 0)
444                 goto end;
445             s->state = SSL3_ST_CR_SRVR_DONE_A;
446             s->init_num = 0;
447             break;
448
449         case SSL3_ST_CR_SRVR_DONE_A:
450         case SSL3_ST_CR_SRVR_DONE_B:
451             ret = ssl3_get_server_done(s);
452             if (ret <= 0)
453                 goto end;
454             dtls1_stop_timer(s);
455             if (s->s3->tmp.cert_req)
456                 s->s3->tmp.next_state = SSL3_ST_CW_CERT_A;
457             else
458                 s->s3->tmp.next_state = SSL3_ST_CW_KEY_EXCH_A;
459             s->init_num = 0;
460
461 #ifndef OPENSSL_NO_SCTP
462             if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
463                 state == SSL_ST_RENEGOTIATE)
464                 s->state = DTLS1_SCTP_ST_CR_READ_SOCK;
465             else
466 #endif
467                 s->state = s->s3->tmp.next_state;
468             break;
469
470         case SSL3_ST_CW_CERT_A:
471         case SSL3_ST_CW_CERT_B:
472         case SSL3_ST_CW_CERT_C:
473         case SSL3_ST_CW_CERT_D:
474             dtls1_start_timer(s);
475             ret = ssl3_send_client_certificate(s);
476             if (ret <= 0)
477                 goto end;
478             s->state = SSL3_ST_CW_KEY_EXCH_A;
479             s->init_num = 0;
480             break;
481
482         case SSL3_ST_CW_KEY_EXCH_A:
483         case SSL3_ST_CW_KEY_EXCH_B:
484             dtls1_start_timer(s);
485             ret = ssl3_send_client_key_exchange(s);
486             if (ret <= 0)
487                 goto end;
488
489 #ifndef OPENSSL_NO_SCTP
490             /*
491              * Add new shared key for SCTP-Auth, will be ignored if no SCTP
492              * used.
493              */
494             snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
495                      DTLS1_SCTP_AUTH_LABEL);
496
497             SSL_export_keying_material(s, sctpauthkey,
498                                        sizeof(sctpauthkey), labelbuffer,
499                                        sizeof(labelbuffer), NULL, 0, 0);
500
501             BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
502                      sizeof(sctpauthkey), sctpauthkey);
503 #endif
504
505             /*
506              * EAY EAY EAY need to check for DH fix cert sent back
507              */
508             /*
509              * For TLS, cert_req is set to 2, so a cert chain of nothing is
510              * sent, but no verify packet is sent
511              */
512             if (s->s3->tmp.cert_req == 1) {
513                 s->state = SSL3_ST_CW_CERT_VRFY_A;
514             } else {
515 #ifndef OPENSSL_NO_SCTP
516                 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
517                     s->d1->next_state = SSL3_ST_CW_CHANGE_A;
518                     s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
519                 } else
520 #endif
521                     s->state = SSL3_ST_CW_CHANGE_A;
522             }
523
524             s->init_num = 0;
525             break;
526
527         case SSL3_ST_CW_CERT_VRFY_A:
528         case SSL3_ST_CW_CERT_VRFY_B:
529             dtls1_start_timer(s);
530             ret = ssl3_send_client_verify(s);
531             if (ret <= 0)
532                 goto end;
533 #ifndef OPENSSL_NO_SCTP
534             if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
535                 s->d1->next_state = SSL3_ST_CW_CHANGE_A;
536                 s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
537             } else
538 #endif
539                 s->state = SSL3_ST_CW_CHANGE_A;
540             s->init_num = 0;
541             break;
542
543         case SSL3_ST_CW_CHANGE_A:
544         case SSL3_ST_CW_CHANGE_B:
545             if (!s->hit)
546                 dtls1_start_timer(s);
547             ret = dtls1_send_change_cipher_spec(s,
548                                                 SSL3_ST_CW_CHANGE_A,
549                                                 SSL3_ST_CW_CHANGE_B);
550             if (ret <= 0)
551                 goto end;
552
553             s->state = SSL3_ST_CW_FINISHED_A;
554             s->init_num = 0;
555
556             s->session->cipher = s->s3->tmp.new_cipher;
557 #ifdef OPENSSL_NO_COMP
558             s->session->compress_meth = 0;
559 #else
560             if (s->s3->tmp.new_compression == NULL)
561                 s->session->compress_meth = 0;
562             else
563                 s->session->compress_meth = s->s3->tmp.new_compression->id;
564 #endif
565             if (!s->method->ssl3_enc->setup_key_block(s)) {
566                 ret = -1;
567                 s->state = SSL_ST_ERR;
568                 goto end;
569             }
570
571             if (!s->method->ssl3_enc->change_cipher_state(s,
572                                                           SSL3_CHANGE_CIPHER_CLIENT_WRITE))
573             {
574                 ret = -1;
575                 s->state = SSL_ST_ERR;
576                 goto end;
577             }
578 #ifndef OPENSSL_NO_SCTP
579             if (s->hit) {
580                 /*
581                  * Change to new shared key of SCTP-Auth, will be ignored if
582                  * no SCTP used.
583                  */
584                 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
585                          0, NULL);
586             }
587 #endif
588
589             dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
590             break;
591
592         case SSL3_ST_CW_FINISHED_A:
593         case SSL3_ST_CW_FINISHED_B:
594             if (!s->hit)
595                 dtls1_start_timer(s);
596             ret = ssl3_send_finished(s,
597                                      SSL3_ST_CW_FINISHED_A,
598                                      SSL3_ST_CW_FINISHED_B,
599                                      s->method->
600                                      ssl3_enc->client_finished_label,
601                                      s->method->
602                                      ssl3_enc->client_finished_label_len);
603             if (ret <= 0)
604                 goto end;
605             s->state = SSL3_ST_CW_FLUSH;
606
607             /* clear flags */
608             s->s3->flags &= ~SSL3_FLAGS_POP_BUFFER;
609             if (s->hit) {
610                 s->s3->tmp.next_state = SSL_ST_OK;
611 #ifndef OPENSSL_NO_SCTP
612                 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
613                     s->d1->next_state = s->s3->tmp.next_state;
614                     s->s3->tmp.next_state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
615                 }
616 #endif
617                 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) {
618                     s->state = SSL_ST_OK;
619 #ifndef OPENSSL_NO_SCTP
620                     if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
621                         s->d1->next_state = SSL_ST_OK;
622                         s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
623                     }
624 #endif
625                     s->s3->flags |= SSL3_FLAGS_POP_BUFFER;
626                     s->s3->delay_buf_pop_ret = 0;
627                 }
628             } else {
629 #ifndef OPENSSL_NO_SCTP
630                 /*
631                  * Change to new shared key of SCTP-Auth, will be ignored if
632                  * no SCTP used.
633                  */
634                 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
635                          0, NULL);
636 #endif
637
638                 /*
639                  * Allow NewSessionTicket if ticket expected
640                  */
641                 if (s->tlsext_ticket_expected)
642                     s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A;
643                 else
644                     s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A;
645             }
646             s->init_num = 0;
647             break;
648
649         case SSL3_ST_CR_SESSION_TICKET_A:
650         case SSL3_ST_CR_SESSION_TICKET_B:
651             ret = ssl3_get_new_session_ticket(s);
652             if (ret <= 0)
653                 goto end;
654             s->state = SSL3_ST_CR_FINISHED_A;
655             s->init_num = 0;
656             break;
657
658         case SSL3_ST_CR_CERT_STATUS_A:
659         case SSL3_ST_CR_CERT_STATUS_B:
660             ret = ssl3_get_cert_status(s);
661             if (ret <= 0)
662                 goto end;
663             s->state = SSL3_ST_CR_KEY_EXCH_A;
664             s->init_num = 0;
665             break;
666
667         case SSL3_ST_CR_FINISHED_A:
668         case SSL3_ST_CR_FINISHED_B:
669             s->d1->change_cipher_spec_ok = 1;
670             ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A,
671                                     SSL3_ST_CR_FINISHED_B);
672             if (ret <= 0)
673                 goto end;
674             dtls1_stop_timer(s);
675
676             if (s->hit)
677                 s->state = SSL3_ST_CW_CHANGE_A;
678             else
679                 s->state = SSL_ST_OK;
680
681 #ifndef OPENSSL_NO_SCTP
682             if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
683                 state == SSL_ST_RENEGOTIATE) {
684                 s->d1->next_state = s->state;
685                 s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
686             }
687 #endif
688
689             s->init_num = 0;
690             break;
691
692         case SSL3_ST_CW_FLUSH:
693             s->rwstate = SSL_WRITING;
694             if (BIO_flush(s->wbio) <= 0) {
695                 /*
696                  * If the write error was fatal, stop trying
697                  */
698                 if (!BIO_should_retry(s->wbio)) {
699                     s->rwstate = SSL_NOTHING;
700                     s->state = s->s3->tmp.next_state;
701                 }
702
703                 ret = -1;
704                 goto end;
705             }
706             s->rwstate = SSL_NOTHING;
707             s->state = s->s3->tmp.next_state;
708             break;
709
710         case SSL_ST_OK:
711             /* clean a few things up */
712             ssl3_cleanup_key_block(s);
713
714             /*
715              * If we are not 'joining' the last two packets, remove the
716              * buffering now
717              */
718             if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
719                 ssl_free_wbio_buffer(s);
720             /* else do it later in ssl3_write */
721
722             s->init_num = 0;
723             s->renegotiate = 0;
724             s->new_session = 0;
725
726             ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
727             if (s->hit)
728                 s->ctx->stats.sess_hit++;
729
730             ret = 1;
731             /* s->server=0; */
732             s->handshake_func = dtls1_connect;
733             s->ctx->stats.sess_connect_good++;
734
735             if (cb != NULL)
736                 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
737
738             /* done with handshaking */
739             s->d1->handshake_read_seq = 0;
740             s->d1->next_handshake_write_seq = 0;
741             goto end;
742             /* break; */
743
744         case SSL_ST_ERR:
745         default:
746             SSLerr(SSL_F_DTLS1_CONNECT, SSL_R_UNKNOWN_STATE);
747             ret = -1;
748             goto end;
749             /* break; */
750         }
751
752         /* did we do anything */
753         if (!s->s3->tmp.reuse_message && !skip) {
754             if (s->debug) {
755                 if ((ret = BIO_flush(s->wbio)) <= 0)
756                     goto end;
757             }
758
759             if ((cb != NULL) && (s->state != state)) {
760                 new_state = s->state;
761                 s->state = state;
762                 cb(s, SSL_CB_CONNECT_LOOP, 1);
763                 s->state = new_state;
764             }
765         }
766         skip = 0;
767     }
768  end:
769     s->in_handshake--;
770
771 #ifndef OPENSSL_NO_SCTP
772     /*
773      * Notify SCTP BIO socket to leave handshake mode and allow stream
774      * identifier other than 0. Will be ignored if no SCTP is used.
775      */
776     BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
777              s->in_handshake, NULL);
778 #endif
779
780     BUF_MEM_free(buf);
781     if (cb != NULL)
782         cb(s, SSL_CB_CONNECT_EXIT, ret);
783     return (ret);
784 }
785
786 static int dtls1_get_hello_verify(SSL *s)
787 {
788     int n, al, ok = 0;
789     unsigned char *data;
790     unsigned int cookie_len;
791
792     s->first_packet = 1;
793     n = s->method->ssl_get_message(s,
794                                    DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A,
795                                    DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B,
796                                    -1, s->max_cert_list, &ok);
797     s->first_packet = 0;
798
799     if (!ok)
800         return ((int)n);
801
802     if (s->s3->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) {
803         s->d1->send_cookie = 0;
804         s->s3->tmp.reuse_message = 1;
805         return (1);
806     }
807
808     data = (unsigned char *)s->init_msg;
809     data += 2;
810
811     cookie_len = *(data++);
812     if (cookie_len > sizeof(s->d1->cookie)) {
813         al = SSL_AD_ILLEGAL_PARAMETER;
814         goto f_err;
815     }
816
817     memcpy(s->d1->cookie, data, cookie_len);
818     s->d1->cookie_len = cookie_len;
819
820     s->d1->send_cookie = 1;
821     return 1;
822
823  f_err:
824     ssl3_send_alert(s, SSL3_AL_FATAL, al);
825     s->state = SSL_ST_ERR;
826     return -1;
827 }