make sure eivlen is initialised
[openssl.git] / ssl / d1_srvr.c
1 /* ssl/d1_srvr.c */
2 /* 
3  * DTLS implementation written by Nagendra Modadugu
4  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
5  */
6 /* ====================================================================
7  * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  *
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer. 
15  *
16  * 2. Redistributions in binary form must reproduce the above copyright
17  *    notice, this list of conditions and the following disclaimer in
18  *    the documentation and/or other materials provided with the
19  *    distribution.
20  *
21  * 3. All advertising materials mentioning features or use of this
22  *    software must display the following acknowledgment:
23  *    "This product includes software developed by the OpenSSL Project
24  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25  *
26  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27  *    endorse or promote products derived from this software without
28  *    prior written permission. For written permission, please contact
29  *    openssl-core@OpenSSL.org.
30  *
31  * 5. Products derived from this software may not be called "OpenSSL"
32  *    nor may "OpenSSL" appear in their names without prior written
33  *    permission of the OpenSSL Project.
34  *
35  * 6. Redistributions of any form whatsoever must retain the following
36  *    acknowledgment:
37  *    "This product includes software developed by the OpenSSL Project
38  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
44  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51  * OF THE POSSIBILITY OF SUCH DAMAGE.
52  * ====================================================================
53  *
54  * This product includes cryptographic software written by Eric Young
55  * (eay@cryptsoft.com).  This product includes software written by Tim
56  * Hudson (tjh@cryptsoft.com).
57  *
58  */
59 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
60  * All rights reserved.
61  *
62  * This package is an SSL implementation written
63  * by Eric Young (eay@cryptsoft.com).
64  * The implementation was written so as to conform with Netscapes SSL.
65  * 
66  * This library is free for commercial and non-commercial use as long as
67  * the following conditions are aheared to.  The following conditions
68  * apply to all code found in this distribution, be it the RC4, RSA,
69  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
70  * included with this distribution is covered by the same copyright terms
71  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
72  * 
73  * Copyright remains Eric Young's, and as such any Copyright notices in
74  * the code are not to be removed.
75  * If this package is used in a product, Eric Young should be given attribution
76  * as the author of the parts of the library used.
77  * This can be in the form of a textual message at program startup or
78  * in documentation (online or textual) provided with the package.
79  * 
80  * Redistribution and use in source and binary forms, with or without
81  * modification, are permitted provided that the following conditions
82  * are met:
83  * 1. Redistributions of source code must retain the copyright
84  *    notice, this list of conditions and the following disclaimer.
85  * 2. Redistributions in binary form must reproduce the above copyright
86  *    notice, this list of conditions and the following disclaimer in the
87  *    documentation and/or other materials provided with the distribution.
88  * 3. All advertising materials mentioning features or use of this software
89  *    must display the following acknowledgement:
90  *    "This product includes cryptographic software written by
91  *     Eric Young (eay@cryptsoft.com)"
92  *    The word 'cryptographic' can be left out if the rouines from the library
93  *    being used are not cryptographic related :-).
94  * 4. If you include any Windows specific code (or a derivative thereof) from 
95  *    the apps directory (application code) you must include an acknowledgement:
96  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
97  * 
98  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
99  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
100  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
101  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
102  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
103  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
104  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
105  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
106  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
107  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
108  * SUCH DAMAGE.
109  * 
110  * The licence and distribution terms for any publically available version or
111  * derivative of this code cannot be changed.  i.e. this code cannot simply be
112  * copied and put under another distribution licence
113  * [including the GNU Public Licence.]
114  */
115
116 #include <stdio.h>
117 #include "ssl_locl.h"
118 #include <openssl/buffer.h>
119 #include <openssl/rand.h>
120 #include <openssl/objects.h>
121 #include <openssl/evp.h>
122 #include <openssl/x509.h>
123 #include <openssl/md5.h>
124 #include <openssl/bn.h>
125 #ifndef OPENSSL_NO_DH
126 #include <openssl/dh.h>
127 #endif
128
129 static const SSL_METHOD *dtls1_get_server_method(int ver);
130 static int dtls1_send_hello_verify_request(SSL *s);
131
132 static const SSL_METHOD *dtls1_get_server_method(int ver)
133         {
134         if (ver == DTLS1_VERSION)
135                 return(DTLSv1_server_method());
136         else
137                 return(NULL);
138         }
139
140 IMPLEMENT_dtls1_meth_func(DTLSv1_server_method,
141                         dtls1_accept,
142                         ssl_undefined_function,
143                         dtls1_get_server_method)
144
145 int dtls1_accept(SSL *s)
146         {
147         BUF_MEM *buf;
148         unsigned long Time=(unsigned long)time(NULL);
149         void (*cb)(const SSL *ssl,int type,int val)=NULL;
150         unsigned long alg_k;
151         int ret= -1;
152         int new_state,state,skip=0;
153         int listen;
154
155         RAND_add(&Time,sizeof(Time),0);
156         ERR_clear_error();
157         clear_sys_error();
158
159         if (s->info_callback != NULL)
160                 cb=s->info_callback;
161         else if (s->ctx->info_callback != NULL)
162                 cb=s->ctx->info_callback;
163         
164         listen = s->d1->listen;
165
166         /* init things to blank */
167         s->in_handshake++;
168         if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
169
170         s->d1->listen = listen;
171
172         if (s->cert == NULL)
173                 {
174                 SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
175                 return(-1);
176                 }
177
178         for (;;)
179                 {
180                 state=s->state;
181
182                 switch (s->state)
183                         {
184                 case SSL_ST_RENEGOTIATE:
185                         s->renegotiate=1;
186                         /* s->state=SSL_ST_ACCEPT; */
187
188                 case SSL_ST_BEFORE:
189                 case SSL_ST_ACCEPT:
190                 case SSL_ST_BEFORE|SSL_ST_ACCEPT:
191                 case SSL_ST_OK|SSL_ST_ACCEPT:
192
193                         s->server=1;
194                         if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
195
196                         if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00))
197                                 {
198                                 SSLerr(SSL_F_DTLS1_ACCEPT, ERR_R_INTERNAL_ERROR);
199                                 return -1;
200                                 }
201                         s->type=SSL_ST_ACCEPT;
202
203                         if (s->init_buf == NULL)
204                                 {
205                                 if ((buf=BUF_MEM_new()) == NULL)
206                                         {
207                                         ret= -1;
208                                         goto end;
209                                         }
210                                 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
211                                         {
212                                         ret= -1;
213                                         goto end;
214                                         }
215                                 s->init_buf=buf;
216                                 }
217
218                         if (!ssl3_setup_buffers(s))
219                                 {
220                                 ret= -1;
221                                 goto end;
222                                 }
223
224                         s->init_num=0;
225
226                         if (s->state != SSL_ST_RENEGOTIATE)
227                                 {
228                                 /* Ok, we now need to push on a buffering BIO so that
229                                  * the output is sent in a way that TCP likes :-)
230                                  */
231                                 if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
232
233                                 ssl3_init_finished_mac(s);
234                                 s->state=SSL3_ST_SR_CLNT_HELLO_A;
235                                 s->ctx->stats.sess_accept++;
236                                 }
237                         else
238                                 {
239                                 /* s->state == SSL_ST_RENEGOTIATE,
240                                  * we will just send a HelloRequest */
241                                 s->ctx->stats.sess_accept_renegotiate++;
242                                 s->state=SSL3_ST_SW_HELLO_REQ_A;
243                                 }
244
245                         break;
246
247                 case SSL3_ST_SW_HELLO_REQ_A:
248                 case SSL3_ST_SW_HELLO_REQ_B:
249
250                         s->shutdown=0;
251                         dtls1_start_timer(s);
252                         ret=dtls1_send_hello_request(s);
253                         if (ret <= 0) goto end;
254                         s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
255                         s->state=SSL3_ST_SW_FLUSH;
256                         s->init_num=0;
257
258                         ssl3_init_finished_mac(s);
259                         break;
260
261                 case SSL3_ST_SW_HELLO_REQ_C:
262                         s->state=SSL_ST_OK;
263                         break;
264
265                 case SSL3_ST_SR_CLNT_HELLO_A:
266                 case SSL3_ST_SR_CLNT_HELLO_B:
267                 case SSL3_ST_SR_CLNT_HELLO_C:
268
269                         s->shutdown=0;
270                         ret=ssl3_get_client_hello(s);
271                         if (ret <= 0) goto end;
272                         dtls1_stop_timer(s);
273
274                         if (ret == 1 && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
275                                 s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
276                         else
277                                 s->state = SSL3_ST_SW_SRVR_HELLO_A;
278
279                         s->init_num=0;
280
281                         /* Reflect ClientHello sequence to remain stateless while listening */
282                         if (listen)
283                                 {
284                                 memcpy(s->s3->write_sequence, s->s3->read_sequence, sizeof(s->s3->write_sequence));
285                                 }
286
287                         /* If we're just listening, stop here */
288                         if (listen && s->state == SSL3_ST_SW_SRVR_HELLO_A)
289                                 {
290                                 ret = 2;
291                                 s->d1->listen = 0;
292                                 /* Set expected sequence numbers
293                                  * to continue the handshake.
294                                  */
295                                 s->d1->handshake_read_seq = 2;
296                                 s->d1->handshake_write_seq = 1;
297                                 s->d1->next_handshake_write_seq = 1;
298                                 goto end;
299                                 }
300                         
301                         break;
302                         
303                 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
304                 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
305
306                         ret = dtls1_send_hello_verify_request(s);
307                         if ( ret <= 0) goto end;
308                         s->state=SSL3_ST_SW_FLUSH;
309                         s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A;
310
311                         /* HelloVerifyRequest resets Finished MAC */
312                         if (s->version != DTLS1_BAD_VER)
313                                 ssl3_init_finished_mac(s);
314                         break;
315                         
316                 case SSL3_ST_SW_SRVR_HELLO_A:
317                 case SSL3_ST_SW_SRVR_HELLO_B:
318                         s->renegotiate = 2;
319                         dtls1_start_timer(s);
320                         ret=dtls1_send_server_hello(s);
321                         if (ret <= 0) goto end;
322
323 #ifndef OPENSSL_NO_TLSEXT
324                         if (s->hit)
325                                 {
326                                 if (s->tlsext_ticket_expected)
327                                         s->state=SSL3_ST_SW_SESSION_TICKET_A;
328                                 else
329                                         s->state=SSL3_ST_SW_CHANGE_A;
330                                 }
331 #else
332                         if (s->hit)
333                                         s->state=SSL3_ST_SW_CHANGE_A;
334 #endif
335                         else
336                                 s->state=SSL3_ST_SW_CERT_A;
337                         s->init_num=0;
338                         break;
339
340                 case SSL3_ST_SW_CERT_A:
341                 case SSL3_ST_SW_CERT_B:
342                         /* Check if it is anon DH or normal PSK */
343                         if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
344                                 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
345                                 {
346                                 dtls1_start_timer(s);
347                                 ret=dtls1_send_server_certificate(s);
348                                 if (ret <= 0) goto end;
349 #ifndef OPENSSL_NO_TLSEXT
350                                 if (s->tlsext_status_expected)
351                                         s->state=SSL3_ST_SW_CERT_STATUS_A;
352                                 else
353                                         s->state=SSL3_ST_SW_KEY_EXCH_A;
354                                 }
355                         else
356                                 {
357                                 skip = 1;
358                                 s->state=SSL3_ST_SW_KEY_EXCH_A;
359                                 }
360 #else
361                                 }
362                         else
363                                 skip=1;
364
365                         s->state=SSL3_ST_SW_KEY_EXCH_A;
366 #endif
367                         s->init_num=0;
368                         break;
369
370                 case SSL3_ST_SW_KEY_EXCH_A:
371                 case SSL3_ST_SW_KEY_EXCH_B:
372                         alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
373
374                         /* clear this, it may get reset by
375                          * send_server_key_exchange */
376                         if ((s->options & SSL_OP_EPHEMERAL_RSA)
377 #ifndef OPENSSL_NO_KRB5
378                                 && !(alg_k & SSL_kKRB5)
379 #endif /* OPENSSL_NO_KRB5 */
380                                 )
381                                 /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
382                                  * even when forbidden by protocol specs
383                                  * (handshake may fail as clients are not required to
384                                  * be able to handle this) */
385                                 s->s3->tmp.use_rsa_tmp=1;
386                         else
387                                 s->s3->tmp.use_rsa_tmp=0;
388
389                         /* only send if a DH key exchange or
390                          * RSA but we have a sign only certificate */
391                         if (s->s3->tmp.use_rsa_tmp
392                         /* PSK: send ServerKeyExchange if PSK identity
393                          * hint if provided */
394 #ifndef OPENSSL_NO_PSK
395                             || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
396 #endif
397                             || (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
398                             || (alg_k & SSL_kEECDH)
399                             || ((alg_k & SSL_kRSA)
400                                 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
401                                     || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
402                                         && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
403                                         )
404                                     )
405                                 )
406                             )
407                                 {
408                                 dtls1_start_timer(s);
409                                 ret=dtls1_send_server_key_exchange(s);
410                                 if (ret <= 0) goto end;
411                                 }
412                         else
413                                 skip=1;
414
415                         s->state=SSL3_ST_SW_CERT_REQ_A;
416                         s->init_num=0;
417                         break;
418
419                 case SSL3_ST_SW_CERT_REQ_A:
420                 case SSL3_ST_SW_CERT_REQ_B:
421                         if (/* don't request cert unless asked for it: */
422                                 !(s->verify_mode & SSL_VERIFY_PEER) ||
423                                 /* if SSL_VERIFY_CLIENT_ONCE is set,
424                                  * don't request cert during re-negotiation: */
425                                 ((s->session->peer != NULL) &&
426                                  (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
427                                 /* never request cert in anonymous ciphersuites
428                                  * (see section "Certificate request" in SSL 3 drafts
429                                  * and in RFC 2246): */
430                                 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
431                                  /* ... except when the application insists on verification
432                                   * (against the specs, but s3_clnt.c accepts this for SSL 3) */
433                                  !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
434                                  /* never request cert in Kerberos ciphersuites */
435                                 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
436                                 /* With normal PSK Certificates and
437                                  * Certificate Requests are omitted */
438                                 || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
439                                 {
440                                 /* no cert request */
441                                 skip=1;
442                                 s->s3->tmp.cert_request=0;
443                                 s->state=SSL3_ST_SW_SRVR_DONE_A;
444                                 }
445                         else
446                                 {
447                                 s->s3->tmp.cert_request=1;
448                                 dtls1_start_timer(s);
449                                 ret=dtls1_send_certificate_request(s);
450                                 if (ret <= 0) goto end;
451 #ifndef NETSCAPE_HANG_BUG
452                                 s->state=SSL3_ST_SW_SRVR_DONE_A;
453 #else
454                                 s->state=SSL3_ST_SW_FLUSH;
455                                 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
456 #endif
457                                 s->init_num=0;
458                                 }
459                         break;
460
461                 case SSL3_ST_SW_SRVR_DONE_A:
462                 case SSL3_ST_SW_SRVR_DONE_B:
463                         dtls1_start_timer(s);
464                         ret=dtls1_send_server_done(s);
465                         if (ret <= 0) goto end;
466                         s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
467                         s->state=SSL3_ST_SW_FLUSH;
468                         s->init_num=0;
469                         break;
470                 
471                 case SSL3_ST_SW_FLUSH:
472                         s->rwstate=SSL_WRITING;
473                         if (BIO_flush(s->wbio) <= 0)
474                                 {
475                                 ret= -1;
476                                 goto end;
477                                 }
478                         s->rwstate=SSL_NOTHING;
479                         s->state=s->s3->tmp.next_state;
480                         break;
481
482                 case SSL3_ST_SR_CERT_A:
483                 case SSL3_ST_SR_CERT_B:
484                         /* Check for second client hello (MS SGC) */
485                         ret = ssl3_check_client_hello(s);
486                         if (ret <= 0)
487                                 goto end;
488                         dtls1_stop_timer(s);
489                         if (ret == 2)
490                                 s->state = SSL3_ST_SR_CLNT_HELLO_C;
491                         else {
492                                 /* could be sent for a DH cert, even if we
493                                  * have not asked for it :-) */
494                                 ret=ssl3_get_client_certificate(s);
495                                 if (ret <= 0) goto end;
496                                 dtls1_stop_timer(s);
497                                 s->init_num=0;
498                                 s->state=SSL3_ST_SR_KEY_EXCH_A;
499                         }
500                         break;
501
502                 case SSL3_ST_SR_KEY_EXCH_A:
503                 case SSL3_ST_SR_KEY_EXCH_B:
504                         ret=ssl3_get_client_key_exchange(s);
505                         if (ret <= 0) goto end;
506                         dtls1_stop_timer(s);
507                         s->state=SSL3_ST_SR_CERT_VRFY_A;
508                         s->init_num=0;
509
510                         if (ret == 2)
511                                 {
512                                 /* For the ECDH ciphersuites when
513                                  * the client sends its ECDH pub key in
514                                  * a certificate, the CertificateVerify
515                                  * message is not sent.
516                                  */
517                                 s->state=SSL3_ST_SR_FINISHED_A;
518                                 s->init_num = 0;
519                                 }
520                         else
521                                 {
522                                 s->state=SSL3_ST_SR_CERT_VRFY_A;
523                                 s->init_num=0;
524
525                                 /* We need to get hashes here so if there is
526                                  * a client cert, it can be verified */ 
527                                 s->method->ssl3_enc->cert_verify_mac(s,
528                                         NID_md5,
529                                         &(s->s3->tmp.cert_verify_md[0]));
530                                 s->method->ssl3_enc->cert_verify_mac(s,
531                                         NID_sha1,
532                                         &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
533                                 }
534                         break;
535
536                 case SSL3_ST_SR_CERT_VRFY_A:
537                 case SSL3_ST_SR_CERT_VRFY_B:
538
539                         s->d1->change_cipher_spec_ok = 1;
540                         /* we should decide if we expected this one */
541                         ret=ssl3_get_cert_verify(s);
542                         if (ret <= 0) goto end;
543                         dtls1_stop_timer(s);
544
545                         s->state=SSL3_ST_SR_FINISHED_A;
546                         s->init_num=0;
547                         break;
548
549                 case SSL3_ST_SR_FINISHED_A:
550                 case SSL3_ST_SR_FINISHED_B:
551                         s->d1->change_cipher_spec_ok = 1;
552                         ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
553                                 SSL3_ST_SR_FINISHED_B);
554                         if (ret <= 0) goto end;
555                         dtls1_stop_timer(s);
556                         if (s->hit)
557                                 s->state=SSL_ST_OK;
558 #ifndef OPENSSL_NO_TLSEXT
559                         else if (s->tlsext_ticket_expected)
560                                 s->state=SSL3_ST_SW_SESSION_TICKET_A;
561 #endif
562                         else
563                                 s->state=SSL3_ST_SW_CHANGE_A;
564                         s->init_num=0;
565                         break;
566
567 #ifndef OPENSSL_NO_TLSEXT
568                 case SSL3_ST_SW_SESSION_TICKET_A:
569                 case SSL3_ST_SW_SESSION_TICKET_B:
570                         ret=dtls1_send_newsession_ticket(s);
571                         if (ret <= 0) goto end;
572                         s->state=SSL3_ST_SW_CHANGE_A;
573                         s->init_num=0;
574                         break;
575
576                 case SSL3_ST_SW_CERT_STATUS_A:
577                 case SSL3_ST_SW_CERT_STATUS_B:
578                         ret=ssl3_send_cert_status(s);
579                         if (ret <= 0) goto end;
580                         s->state=SSL3_ST_SW_KEY_EXCH_A;
581                         s->init_num=0;
582                         break;
583
584 #endif
585
586                 case SSL3_ST_SW_CHANGE_A:
587                 case SSL3_ST_SW_CHANGE_B:
588
589                         s->session->cipher=s->s3->tmp.new_cipher;
590                         if (!s->method->ssl3_enc->setup_key_block(s))
591                                 { ret= -1; goto end; }
592
593                         ret=dtls1_send_change_cipher_spec(s,
594                                 SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B);
595
596                         if (ret <= 0) goto end;
597                         s->state=SSL3_ST_SW_FINISHED_A;
598                         s->init_num=0;
599
600                         if (!s->method->ssl3_enc->change_cipher_state(s,
601                                 SSL3_CHANGE_CIPHER_SERVER_WRITE))
602                                 {
603                                 ret= -1;
604                                 goto end;
605                                 }
606
607                         dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
608                         break;
609
610                 case SSL3_ST_SW_FINISHED_A:
611                 case SSL3_ST_SW_FINISHED_B:
612                         ret=dtls1_send_finished(s,
613                                 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
614                                 s->method->ssl3_enc->server_finished_label,
615                                 s->method->ssl3_enc->server_finished_label_len);
616                         if (ret <= 0) goto end;
617                         s->state=SSL3_ST_SW_FLUSH;
618                         if (s->hit)
619                                 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
620                         else
621                                 s->s3->tmp.next_state=SSL_ST_OK;
622                         s->init_num=0;
623                         break;
624
625                 case SSL_ST_OK:
626                         /* clean a few things up */
627                         ssl3_cleanup_key_block(s);
628
629 #if 0
630                         BUF_MEM_free(s->init_buf);
631                         s->init_buf=NULL;
632 #endif
633
634                         /* remove buffering on output */
635                         ssl_free_wbio_buffer(s);
636
637                         s->init_num=0;
638
639                         if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */
640                                 {
641                                 s->renegotiate=0;
642                                 s->new_session=0;
643                                 
644                                 ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
645                                 
646                                 s->ctx->stats.sess_accept_good++;
647                                 /* s->server=1; */
648                                 s->handshake_func=dtls1_accept;
649
650                                 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
651                                 }
652                         
653                         ret = 1;
654
655                         /* done handshaking, next message is client hello */
656                         s->d1->handshake_read_seq = 0;
657                         /* next message is server hello */
658                         s->d1->handshake_write_seq = 0;
659                         s->d1->next_handshake_write_seq = 0;
660                         goto end;
661                         /* break; */
662
663                 default:
664                         SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_UNKNOWN_STATE);
665                         ret= -1;
666                         goto end;
667                         /* break; */
668                         }
669                 
670                 if (!s->s3->tmp.reuse_message && !skip)
671                         {
672                         if (s->debug)
673                                 {
674                                 if ((ret=BIO_flush(s->wbio)) <= 0)
675                                         goto end;
676                                 }
677
678
679                         if ((cb != NULL) && (s->state != state))
680                                 {
681                                 new_state=s->state;
682                                 s->state=state;
683                                 cb(s,SSL_CB_ACCEPT_LOOP,1);
684                                 s->state=new_state;
685                                 }
686                         }
687                 skip=0;
688                 }
689 end:
690         /* BIO_flush(s->wbio); */
691
692         s->in_handshake--;
693         if (cb != NULL)
694                 cb(s,SSL_CB_ACCEPT_EXIT,ret);
695         return(ret);
696         }
697
698 int dtls1_send_hello_request(SSL *s)
699         {
700         unsigned char *p;
701
702         if (s->state == SSL3_ST_SW_HELLO_REQ_A)
703                 {
704                 p=(unsigned char *)s->init_buf->data;
705                 p = dtls1_set_message_header(s, p, SSL3_MT_HELLO_REQUEST, 0, 0, 0);
706
707                 s->state=SSL3_ST_SW_HELLO_REQ_B;
708                 /* number of bytes to write */
709                 s->init_num=DTLS1_HM_HEADER_LENGTH;
710                 s->init_off=0;
711
712                 /* no need to buffer this message, since there are no retransmit 
713                  * requests for it */
714                 }
715
716         /* SSL3_ST_SW_HELLO_REQ_B */
717         return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
718         }
719
720 int dtls1_send_hello_verify_request(SSL *s)
721         {
722         unsigned int msg_len;
723         unsigned char *msg, *buf, *p;
724
725         if (s->state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A)
726                 {
727                 buf = (unsigned char *)s->init_buf->data;
728
729                 msg = p = &(buf[DTLS1_HM_HEADER_LENGTH]);
730                 *(p++) = s->version >> 8;
731                 *(p++) = s->version & 0xFF;
732
733                 if (s->ctx->app_gen_cookie_cb == NULL ||
734                      s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
735                          &(s->d1->cookie_len)) == 0)
736                         {
737                         SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,ERR_R_INTERNAL_ERROR);
738                         return 0;
739                         }
740
741                 *(p++) = (unsigned char) s->d1->cookie_len;
742                 memcpy(p, s->d1->cookie, s->d1->cookie_len);
743                 p += s->d1->cookie_len;
744                 msg_len = p - msg;
745
746                 dtls1_set_message_header(s, buf,
747                         DTLS1_MT_HELLO_VERIFY_REQUEST, msg_len, 0, msg_len);
748
749                 s->state=DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B;
750                 /* number of bytes to write */
751                 s->init_num=p-buf;
752                 s->init_off=0;
753                 }
754
755         /* s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */
756         return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
757         }
758
759 int dtls1_send_server_hello(SSL *s)
760         {
761         unsigned char *buf;
762         unsigned char *p,*d;
763         int i;
764         unsigned int sl;
765         unsigned long l,Time;
766
767         if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
768                 {
769                 buf=(unsigned char *)s->init_buf->data;
770                 p=s->s3->server_random;
771                 Time=(unsigned long)time(NULL);                 /* Time */
772                 l2n(Time,p);
773                 RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
774                 /* Do the message type and length last */
775                 d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
776
777                 *(p++)=s->version>>8;
778                 *(p++)=s->version&0xff;
779
780                 /* Random stuff */
781                 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
782                 p+=SSL3_RANDOM_SIZE;
783
784                 /* now in theory we have 3 options to sending back the
785                  * session id.  If it is a re-use, we send back the
786                  * old session-id, if it is a new session, we send
787                  * back the new session-id or we send back a 0 length
788                  * session-id if we want it to be single use.
789                  * Currently I will not implement the '0' length session-id
790                  * 12-Jan-98 - I'll now support the '0' length stuff.
791                  */
792                 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER))
793                         s->session->session_id_length=0;
794
795                 sl=s->session->session_id_length;
796                 if (sl > sizeof s->session->session_id)
797                         {
798                         SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
799                         return -1;
800                         }
801                 *(p++)=sl;
802                 memcpy(p,s->session->session_id,sl);
803                 p+=sl;
804
805                 /* put the cipher */
806                 if (s->s3->tmp.new_cipher == NULL)
807                         return -1;
808                 i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p);
809                 p+=i;
810
811                 /* put the compression method */
812 #ifdef OPENSSL_NO_COMP
813                 *(p++)=0;
814 #else
815                 if (s->s3->tmp.new_compression == NULL)
816                         *(p++)=0;
817                 else
818                         *(p++)=s->s3->tmp.new_compression->id;
819 #endif
820
821 #ifndef OPENSSL_NO_TLSEXT
822                 if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
823                         {
824                         SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
825                         return -1;
826                         }
827 #endif
828
829                 /* do the header */
830                 l=(p-d);
831                 d=buf;
832
833                 d = dtls1_set_message_header(s, d, SSL3_MT_SERVER_HELLO, l, 0, l);
834
835                 s->state=SSL3_ST_SW_SRVR_HELLO_B;
836                 /* number of bytes to write */
837                 s->init_num=p-buf;
838                 s->init_off=0;
839
840                 /* buffer the message to handle re-xmits */
841                 dtls1_buffer_message(s, 0);
842                 }
843
844         /* SSL3_ST_SW_SRVR_HELLO_B */
845         return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
846         }
847
848 int dtls1_send_server_done(SSL *s)
849         {
850         unsigned char *p;
851
852         if (s->state == SSL3_ST_SW_SRVR_DONE_A)
853                 {
854                 p=(unsigned char *)s->init_buf->data;
855
856                 /* do the header */
857                 p = dtls1_set_message_header(s, p, SSL3_MT_SERVER_DONE, 0, 0, 0);
858
859                 s->state=SSL3_ST_SW_SRVR_DONE_B;
860                 /* number of bytes to write */
861                 s->init_num=DTLS1_HM_HEADER_LENGTH;
862                 s->init_off=0;
863
864                 /* buffer the message to handle re-xmits */
865                 dtls1_buffer_message(s, 0);
866                 }
867
868         /* SSL3_ST_SW_SRVR_DONE_B */
869         return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
870         }
871
872 int dtls1_send_server_key_exchange(SSL *s)
873         {
874 #ifndef OPENSSL_NO_RSA
875         unsigned char *q;
876         int j,num;
877         RSA *rsa;
878         unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
879         unsigned int u;
880 #endif
881 #ifndef OPENSSL_NO_DH
882         DH *dh=NULL,*dhp;
883 #endif
884 #ifndef OPENSSL_NO_ECDH
885         EC_KEY *ecdh=NULL, *ecdhp;
886         unsigned char *encodedPoint = NULL;
887         int encodedlen = 0;
888         int curve_id = 0;
889         BN_CTX *bn_ctx = NULL; 
890 #endif
891         EVP_PKEY *pkey;
892         unsigned char *p,*d;
893         int al,i;
894         unsigned long type;
895         int n;
896         CERT *cert;
897         BIGNUM *r[4];
898         int nr[4],kn;
899         BUF_MEM *buf;
900         EVP_MD_CTX md_ctx;
901
902         EVP_MD_CTX_init(&md_ctx);
903         if (s->state == SSL3_ST_SW_KEY_EXCH_A)
904                 {
905                 type=s->s3->tmp.new_cipher->algorithm_mkey;
906                 cert=s->cert;
907
908                 buf=s->init_buf;
909
910                 r[0]=r[1]=r[2]=r[3]=NULL;
911                 n=0;
912 #ifndef OPENSSL_NO_RSA
913                 if (type & SSL_kRSA)
914                         {
915                         rsa=cert->rsa_tmp;
916                         if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL))
917                                 {
918                                 rsa=s->cert->rsa_tmp_cb(s,
919                                       SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
920                                       SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
921                                 if(rsa == NULL)
922                                 {
923                                         al=SSL_AD_HANDSHAKE_FAILURE;
924                                         SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
925                                         goto f_err;
926                                 }
927                                 RSA_up_ref(rsa);
928                                 cert->rsa_tmp=rsa;
929                                 }
930                         if (rsa == NULL)
931                                 {
932                                 al=SSL_AD_HANDSHAKE_FAILURE;
933                                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY);
934                                 goto f_err;
935                                 }
936                         r[0]=rsa->n;
937                         r[1]=rsa->e;
938                         s->s3->tmp.use_rsa_tmp=1;
939                         }
940                 else
941 #endif
942 #ifndef OPENSSL_NO_DH
943                         if (type & SSL_kEDH)
944                         {
945                         dhp=cert->dh_tmp;
946                         if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
947                                 dhp=s->cert->dh_tmp_cb(s,
948                                       SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
949                                       SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
950                         if (dhp == NULL)
951                                 {
952                                 al=SSL_AD_HANDSHAKE_FAILURE;
953                                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
954                                 goto f_err;
955                                 }
956
957                         if (s->s3->tmp.dh != NULL)
958                                 {
959                                 DH_free(dh);
960                                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
961                                 goto err;
962                                 }
963
964                         if ((dh=DHparams_dup(dhp)) == NULL)
965                                 {
966                                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
967                                 goto err;
968                                 }
969
970                         s->s3->tmp.dh=dh;
971                         if ((dhp->pub_key == NULL ||
972                              dhp->priv_key == NULL ||
973                              (s->options & SSL_OP_SINGLE_DH_USE)))
974                                 {
975                                 if(!DH_generate_key(dh))
976                                     {
977                                     SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,
978                                            ERR_R_DH_LIB);
979                                     goto err;
980                                     }
981                                 }
982                         else
983                                 {
984                                 dh->pub_key=BN_dup(dhp->pub_key);
985                                 dh->priv_key=BN_dup(dhp->priv_key);
986                                 if ((dh->pub_key == NULL) ||
987                                         (dh->priv_key == NULL))
988                                         {
989                                         SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
990                                         goto err;
991                                         }
992                                 }
993                         r[0]=dh->p;
994                         r[1]=dh->g;
995                         r[2]=dh->pub_key;
996                         }
997                 else 
998 #endif
999 #ifndef OPENSSL_NO_ECDH
1000                         if (type & SSL_kEECDH)
1001                         {
1002                         const EC_GROUP *group;
1003
1004                         ecdhp=cert->ecdh_tmp;
1005                         if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL))
1006                                 {
1007                                 ecdhp=s->cert->ecdh_tmp_cb(s,
1008                                       SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
1009                                       SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
1010                                 }
1011                         if (ecdhp == NULL)
1012                                 {
1013                                 al=SSL_AD_HANDSHAKE_FAILURE;
1014                                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY);
1015                                 goto f_err;
1016                                 }
1017
1018                         if (s->s3->tmp.ecdh != NULL)
1019                                 {
1020                                 EC_KEY_free(s->s3->tmp.ecdh); 
1021                                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1022                                 goto err;
1023                                 }
1024
1025                         /* Duplicate the ECDH structure. */
1026                         if (ecdhp == NULL)
1027                                 {
1028                                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1029                                 goto err;
1030                                 }
1031                         if ((ecdh = EC_KEY_dup(ecdhp)) == NULL)
1032                                 {
1033                                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1034                                 goto err;
1035                                 }
1036
1037                         s->s3->tmp.ecdh=ecdh;
1038                         if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
1039                             (EC_KEY_get0_private_key(ecdh) == NULL) ||
1040                             (s->options & SSL_OP_SINGLE_ECDH_USE))
1041                                 {
1042                                 if(!EC_KEY_generate_key(ecdh))
1043                                     {
1044                                     SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1045                                     goto err;
1046                                     }
1047                                 }
1048
1049                         if (((group = EC_KEY_get0_group(ecdh)) == NULL) ||
1050                             (EC_KEY_get0_public_key(ecdh)  == NULL) ||
1051                             (EC_KEY_get0_private_key(ecdh) == NULL))
1052                                 {
1053                                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1054                                 goto err;
1055                                 }
1056
1057                         if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
1058                             (EC_GROUP_get_degree(group) > 163)) 
1059                                 {
1060                                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
1061                                 goto err;
1062                                 }
1063
1064                         /* XXX: For now, we only support ephemeral ECDH
1065                          * keys over named (not generic) curves. For 
1066                          * supported named curves, curve_id is non-zero.
1067                          */
1068                         if ((curve_id = 
1069                             tls1_ec_nid2curve_id(EC_GROUP_get_curve_name(group)))
1070                             == 0)
1071                                 {
1072                                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1073                                 goto err;
1074                                 }
1075
1076                         /* Encode the public key.
1077                          * First check the size of encoding and
1078                          * allocate memory accordingly.
1079                          */
1080                         encodedlen = EC_POINT_point2oct(group, 
1081                             EC_KEY_get0_public_key(ecdh),
1082                             POINT_CONVERSION_UNCOMPRESSED, 
1083                             NULL, 0, NULL);
1084
1085                         encodedPoint = (unsigned char *) 
1086                             OPENSSL_malloc(encodedlen*sizeof(unsigned char)); 
1087                         bn_ctx = BN_CTX_new();
1088                         if ((encodedPoint == NULL) || (bn_ctx == NULL))
1089                                 {
1090                                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
1091                                 goto err;
1092                                 }
1093
1094
1095                         encodedlen = EC_POINT_point2oct(group, 
1096                             EC_KEY_get0_public_key(ecdh), 
1097                             POINT_CONVERSION_UNCOMPRESSED, 
1098                             encodedPoint, encodedlen, bn_ctx);
1099
1100                         if (encodedlen == 0) 
1101                                 {
1102                                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
1103                                 goto err;
1104                                 }
1105
1106                         BN_CTX_free(bn_ctx);  bn_ctx=NULL;
1107
1108                         /* XXX: For now, we only support named (not 
1109                          * generic) curves in ECDH ephemeral key exchanges.
1110                          * In this situation, we need four additional bytes
1111                          * to encode the entire ServerECDHParams
1112                          * structure. 
1113                          */
1114                         n = 4 + encodedlen;
1115
1116                         /* We'll generate the serverKeyExchange message
1117                          * explicitly so we can set these to NULLs
1118                          */
1119                         r[0]=NULL;
1120                         r[1]=NULL;
1121                         r[2]=NULL;
1122                         r[3]=NULL;
1123                         }
1124                 else 
1125 #endif /* !OPENSSL_NO_ECDH */
1126 #ifndef OPENSSL_NO_PSK
1127                         if (type & SSL_kPSK)
1128                                 {
1129                                 /* reserve size for record length and PSK identity hint*/
1130                                 n+=2+strlen(s->ctx->psk_identity_hint);
1131                                 }
1132                         else
1133 #endif /* !OPENSSL_NO_PSK */
1134                         {
1135                         al=SSL_AD_HANDSHAKE_FAILURE;
1136                         SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
1137                         goto f_err;
1138                         }
1139                 for (i=0; r[i] != NULL; i++)
1140                         {
1141                         nr[i]=BN_num_bytes(r[i]);
1142                         n+=2+nr[i];
1143                         }
1144
1145                 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
1146                         && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
1147                         {
1148                         if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher, NULL))
1149                                 == NULL)
1150                                 {
1151                                 al=SSL_AD_DECODE_ERROR;
1152                                 goto f_err;
1153                                 }
1154                         kn=EVP_PKEY_size(pkey);
1155                         }
1156                 else
1157                         {
1158                         pkey=NULL;
1159                         kn=0;
1160                         }
1161
1162                 if (!BUF_MEM_grow_clean(buf,n+DTLS1_HM_HEADER_LENGTH+kn))
1163                         {
1164                         SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
1165                         goto err;
1166                         }
1167                 d=(unsigned char *)s->init_buf->data;
1168                 p= &(d[DTLS1_HM_HEADER_LENGTH]);
1169
1170                 for (i=0; r[i] != NULL; i++)
1171                         {
1172                         s2n(nr[i],p);
1173                         BN_bn2bin(r[i],p);
1174                         p+=nr[i];
1175                         }
1176
1177 #ifndef OPENSSL_NO_ECDH
1178                 if (type & SSL_kEECDH) 
1179                         {
1180                         /* XXX: For now, we only support named (not generic) curves.
1181                          * In this situation, the serverKeyExchange message has:
1182                          * [1 byte CurveType], [2 byte CurveName]
1183                          * [1 byte length of encoded point], followed by
1184                          * the actual encoded point itself
1185                          */
1186                         *p = NAMED_CURVE_TYPE;
1187                         p += 1;
1188                         *p = 0;
1189                         p += 1;
1190                         *p = curve_id;
1191                         p += 1;
1192                         *p = encodedlen;
1193                         p += 1;
1194                         memcpy((unsigned char*)p, 
1195                             (unsigned char *)encodedPoint, 
1196                             encodedlen);
1197                         OPENSSL_free(encodedPoint);
1198                         p += encodedlen;
1199                         }
1200 #endif
1201
1202 #ifndef OPENSSL_NO_PSK
1203                 if (type & SSL_kPSK)
1204                         {
1205                         /* copy PSK identity hint */
1206                         s2n(strlen(s->ctx->psk_identity_hint), p); 
1207                         strncpy((char *)p, s->ctx->psk_identity_hint, strlen(s->ctx->psk_identity_hint));
1208                         p+=strlen(s->ctx->psk_identity_hint);
1209                         }
1210 #endif
1211
1212                 /* not anonymous */
1213                 if (pkey != NULL)
1214                         {
1215                         /* n is the length of the params, they start at
1216                          * &(d[DTLS1_HM_HEADER_LENGTH]) and p points to the space
1217                          * at the end. */
1218 #ifndef OPENSSL_NO_RSA
1219                         if (pkey->type == EVP_PKEY_RSA)
1220                                 {
1221                                 q=md_buf;
1222                                 j=0;
1223                                 for (num=2; num > 0; num--)
1224                                         {
1225                                         EVP_DigestInit_ex(&md_ctx,(num == 2)
1226                                                 ?s->ctx->md5:s->ctx->sha1, NULL);
1227                                         EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1228                                         EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1229                                         EVP_DigestUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n);
1230                                         EVP_DigestFinal_ex(&md_ctx,q,
1231                                                 (unsigned int *)&i);
1232                                         q+=i;
1233                                         j+=i;
1234                                         }
1235                                 if (RSA_sign(NID_md5_sha1, md_buf, j,
1236                                         &(p[2]), &u, pkey->pkey.rsa) <= 0)
1237                                         {
1238                                         SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
1239                                         goto err;
1240                                         }
1241                                 s2n(u,p);
1242                                 n+=u+2;
1243                                 }
1244                         else
1245 #endif
1246 #if !defined(OPENSSL_NO_DSA)
1247                                 if (pkey->type == EVP_PKEY_DSA)
1248                                 {
1249                                 /* lets do DSS */
1250                                 EVP_SignInit_ex(&md_ctx,EVP_dss1(), NULL);
1251                                 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1252                                 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1253                                 EVP_SignUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n);
1254                                 if (!EVP_SignFinal(&md_ctx,&(p[2]),
1255                                         (unsigned int *)&i,pkey))
1256                                         {
1257                                         SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA);
1258                                         goto err;
1259                                         }
1260                                 s2n(i,p);
1261                                 n+=i+2;
1262                                 }
1263                         else
1264 #endif
1265 #if !defined(OPENSSL_NO_ECDSA)
1266                                 if (pkey->type == EVP_PKEY_EC)
1267                                 {
1268                                 /* let's do ECDSA */
1269                                 EVP_SignInit_ex(&md_ctx,EVP_ecdsa(), NULL);
1270                                 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1271                                 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1272                                 EVP_SignUpdate(&md_ctx,&(d[4]),n);
1273                                 if (!EVP_SignFinal(&md_ctx,&(p[2]),
1274                                         (unsigned int *)&i,pkey))
1275                                         {
1276                                         SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_ECDSA);
1277                                         goto err;
1278                                         }
1279                                 s2n(i,p);
1280                                 n+=i+2;
1281                                 }
1282                         else
1283 #endif
1284                                 {
1285                                 /* Is this error check actually needed? */
1286                                 al=SSL_AD_HANDSHAKE_FAILURE;
1287                                 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE);
1288                                 goto f_err;
1289                                 }
1290                         }
1291
1292                 d = dtls1_set_message_header(s, d,
1293                         SSL3_MT_SERVER_KEY_EXCHANGE, n, 0, n);
1294
1295                 /* we should now have things packed up, so lets send
1296                  * it off */
1297                 s->init_num=n+DTLS1_HM_HEADER_LENGTH;
1298                 s->init_off=0;
1299
1300                 /* buffer the message to handle re-xmits */
1301                 dtls1_buffer_message(s, 0);
1302                 }
1303
1304         s->state = SSL3_ST_SW_KEY_EXCH_B;
1305         EVP_MD_CTX_cleanup(&md_ctx);
1306         return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
1307 f_err:
1308         ssl3_send_alert(s,SSL3_AL_FATAL,al);
1309 err:
1310 #ifndef OPENSSL_NO_ECDH
1311         if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
1312         BN_CTX_free(bn_ctx);
1313 #endif
1314         EVP_MD_CTX_cleanup(&md_ctx);
1315         return(-1);
1316         }
1317
1318 int dtls1_send_certificate_request(SSL *s)
1319         {
1320         unsigned char *p,*d;
1321         int i,j,nl,off,n;
1322         STACK_OF(X509_NAME) *sk=NULL;
1323         X509_NAME *name;
1324         BUF_MEM *buf;
1325         unsigned int msg_len;
1326
1327         if (s->state == SSL3_ST_SW_CERT_REQ_A)
1328                 {
1329                 buf=s->init_buf;
1330
1331                 d=p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH]);
1332
1333                 /* get the list of acceptable cert types */
1334                 p++;
1335                 n=ssl3_get_req_cert_type(s,p);
1336                 d[0]=n;
1337                 p+=n;
1338                 n++;
1339
1340                 off=n;
1341                 p+=2;
1342                 n+=2;
1343
1344                 sk=SSL_get_client_CA_list(s);
1345                 nl=0;
1346                 if (sk != NULL)
1347                         {
1348                         for (i=0; i<sk_X509_NAME_num(sk); i++)
1349                                 {
1350                                 name=sk_X509_NAME_value(sk,i);
1351                                 j=i2d_X509_NAME(name,NULL);
1352                                 if (!BUF_MEM_grow_clean(buf,DTLS1_HM_HEADER_LENGTH+n+j+2))
1353                                         {
1354                                         SSLerr(SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
1355                                         goto err;
1356                                         }
1357                                 p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH+n]);
1358                                 if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
1359                                         {
1360                                         s2n(j,p);
1361                                         i2d_X509_NAME(name,&p);
1362                                         n+=2+j;
1363                                         nl+=2+j;
1364                                         }
1365                                 else
1366                                         {
1367                                         d=p;
1368                                         i2d_X509_NAME(name,&p);
1369                                         j-=2; s2n(j,d); j+=2;
1370                                         n+=j;
1371                                         nl+=j;
1372                                         }
1373                                 }
1374                         }
1375                 /* else no CA names */
1376                 p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH+off]);
1377                 s2n(nl,p);
1378
1379                 d=(unsigned char *)buf->data;
1380                 *(d++)=SSL3_MT_CERTIFICATE_REQUEST;
1381                 l2n3(n,d);
1382                 s2n(s->d1->handshake_write_seq,d);
1383                 s->d1->handshake_write_seq++;
1384
1385                 /* we should now have things packed up, so lets send
1386                  * it off */
1387
1388                 s->init_num=n+DTLS1_HM_HEADER_LENGTH;
1389                 s->init_off=0;
1390 #ifdef NETSCAPE_HANG_BUG
1391 /* XXX: what to do about this? */
1392                 p=(unsigned char *)s->init_buf->data + s->init_num;
1393
1394                 /* do the header */
1395                 *(p++)=SSL3_MT_SERVER_DONE;
1396                 *(p++)=0;
1397                 *(p++)=0;
1398                 *(p++)=0;
1399                 s->init_num += 4;
1400 #endif
1401
1402                 /* XDTLS:  set message header ? */
1403                 msg_len = s->init_num - DTLS1_HM_HEADER_LENGTH;
1404                 dtls1_set_message_header(s, (void *)s->init_buf->data,
1405                         SSL3_MT_CERTIFICATE_REQUEST, msg_len, 0, msg_len);
1406
1407                 /* buffer the message to handle re-xmits */
1408                 dtls1_buffer_message(s, 0);
1409
1410                 s->state = SSL3_ST_SW_CERT_REQ_B;
1411                 }
1412
1413         /* SSL3_ST_SW_CERT_REQ_B */
1414         return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
1415 err:
1416         return(-1);
1417         }
1418
1419 int dtls1_send_server_certificate(SSL *s)
1420         {
1421         unsigned long l;
1422         X509 *x;
1423
1424         if (s->state == SSL3_ST_SW_CERT_A)
1425                 {
1426                 x=ssl_get_server_send_cert(s);
1427                 if (x == NULL)
1428                         {
1429                         /* VRS: allow null cert if auth == KRB5 */
1430                         if ((s->s3->tmp.new_cipher->algorithm_mkey != SSL_kKRB5) ||
1431                             (s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5))
1432                                 {
1433                                 SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
1434                                 return(0);
1435                                 }
1436                         }
1437
1438                 l=dtls1_output_cert_chain(s,x);
1439                 s->state=SSL3_ST_SW_CERT_B;
1440                 s->init_num=(int)l;
1441                 s->init_off=0;
1442
1443                 /* buffer the message to handle re-xmits */
1444                 dtls1_buffer_message(s, 0);
1445                 }
1446
1447         /* SSL3_ST_SW_CERT_B */
1448         return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
1449         }
1450
1451 #ifndef OPENSSL_NO_TLSEXT
1452 int dtls1_send_newsession_ticket(SSL *s)
1453         {
1454         if (s->state == SSL3_ST_SW_SESSION_TICKET_A)
1455                 {
1456                 unsigned char *p, *senc, *macstart;
1457                 int len, slen;
1458                 unsigned int hlen, msg_len;
1459                 EVP_CIPHER_CTX ctx;
1460                 HMAC_CTX hctx;
1461                 SSL_CTX *tctx = s->initial_ctx;
1462                 unsigned char iv[EVP_MAX_IV_LENGTH];
1463                 unsigned char key_name[16];
1464
1465                 /* get session encoding length */
1466                 slen = i2d_SSL_SESSION(s->session, NULL);
1467                 /* Some length values are 16 bits, so forget it if session is
1468                  * too long
1469                  */
1470                 if (slen > 0xFF00)
1471                         return -1;
1472                 /* Grow buffer if need be: the length calculation is as
1473                  * follows 12 (DTLS handshake message header) +
1474                  * 4 (ticket lifetime hint) + 2 (ticket length) +
1475                  * 16 (key name) + max_iv_len (iv length) +
1476                  * session_length + max_enc_block_size (max encrypted session
1477                  * length) + max_md_size (HMAC).
1478                  */
1479                 if (!BUF_MEM_grow(s->init_buf,
1480                         DTLS1_HM_HEADER_LENGTH + 22 + EVP_MAX_IV_LENGTH +
1481                         EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE + slen))
1482                         return -1;
1483                 senc = OPENSSL_malloc(slen);
1484                 if (!senc)
1485                         return -1;
1486                 p = senc;
1487                 i2d_SSL_SESSION(s->session, &p);
1488
1489                 p=(unsigned char *)&(s->init_buf->data[DTLS1_HM_HEADER_LENGTH]);
1490                 EVP_CIPHER_CTX_init(&ctx);
1491                 HMAC_CTX_init(&hctx);
1492                 /* Initialize HMAC and cipher contexts. If callback present
1493                  * it does all the work otherwise use generated values
1494                  * from parent ctx.
1495                  */
1496                 if (tctx->tlsext_ticket_key_cb)
1497                         {
1498                         if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
1499                                                          &hctx, 1) < 0)
1500                                 {
1501                                 OPENSSL_free(senc);
1502                                 return -1;
1503                                 }
1504                         }
1505                 else
1506                         {
1507                         RAND_pseudo_bytes(iv, 16);
1508                         EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
1509                                         tctx->tlsext_tick_aes_key, iv);
1510                         HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
1511                                         tlsext_tick_md(), NULL);
1512                         memcpy(key_name, tctx->tlsext_tick_key_name, 16);
1513                         }
1514                 l2n(s->session->tlsext_tick_lifetime_hint, p);
1515                 /* Skip ticket length for now */
1516                 p += 2;
1517                 /* Output key name */
1518                 macstart = p;
1519                 memcpy(p, key_name, 16);
1520                 p += 16;
1521                 /* output IV */
1522                 memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx));
1523                 p += EVP_CIPHER_CTX_iv_length(&ctx);
1524                 /* Encrypt session data */
1525                 EVP_EncryptUpdate(&ctx, p, &len, senc, slen);
1526                 p += len;
1527                 EVP_EncryptFinal(&ctx, p, &len);
1528                 p += len;
1529                 EVP_CIPHER_CTX_cleanup(&ctx);
1530
1531                 HMAC_Update(&hctx, macstart, p - macstart);
1532                 HMAC_Final(&hctx, p, &hlen);
1533                 HMAC_CTX_cleanup(&hctx);
1534
1535                 p += hlen;
1536                 /* Now write out lengths: p points to end of data written */
1537                 /* Total length */
1538                 len = p - (unsigned char *)(s->init_buf->data);
1539                 /* Ticket length */
1540                 p=(unsigned char *)&(s->init_buf->data[DTLS1_HM_HEADER_LENGTH]) + 4;
1541                 s2n(len - DTLS1_HM_HEADER_LENGTH - 6, p);
1542
1543                 /* number of bytes to write */
1544                 s->init_num= len;
1545                 s->state=SSL3_ST_SW_SESSION_TICKET_B;
1546                 s->init_off=0;
1547                 OPENSSL_free(senc);
1548
1549                 /* XDTLS:  set message header ? */
1550                 msg_len = s->init_num - DTLS1_HM_HEADER_LENGTH;
1551                 dtls1_set_message_header(s, (void *)s->init_buf->data,
1552                         SSL3_MT_NEWSESSION_TICKET, msg_len, 0, msg_len);
1553
1554                 /* buffer the message to handle re-xmits */
1555                 dtls1_buffer_message(s, 0);
1556                 }
1557
1558         /* SSL3_ST_SW_SESSION_TICKET_B */
1559         return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
1560         }
1561 #endif