Remove versions test from dtls1_buffer_message
[openssl.git] / ssl / d1_srvr.c
1 /* ssl/d1_srvr.c */
2 /* 
3  * DTLS implementation written by Nagendra Modadugu
4  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
5  */
6 /* ====================================================================
7  * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  *
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer. 
15  *
16  * 2. Redistributions in binary form must reproduce the above copyright
17  *    notice, this list of conditions and the following disclaimer in
18  *    the documentation and/or other materials provided with the
19  *    distribution.
20  *
21  * 3. All advertising materials mentioning features or use of this
22  *    software must display the following acknowledgment:
23  *    "This product includes software developed by the OpenSSL Project
24  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25  *
26  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27  *    endorse or promote products derived from this software without
28  *    prior written permission. For written permission, please contact
29  *    openssl-core@OpenSSL.org.
30  *
31  * 5. Products derived from this software may not be called "OpenSSL"
32  *    nor may "OpenSSL" appear in their names without prior written
33  *    permission of the OpenSSL Project.
34  *
35  * 6. Redistributions of any form whatsoever must retain the following
36  *    acknowledgment:
37  *    "This product includes software developed by the OpenSSL Project
38  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
44  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51  * OF THE POSSIBILITY OF SUCH DAMAGE.
52  * ====================================================================
53  *
54  * This product includes cryptographic software written by Eric Young
55  * (eay@cryptsoft.com).  This product includes software written by Tim
56  * Hudson (tjh@cryptsoft.com).
57  *
58  */
59 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
60  * All rights reserved.
61  *
62  * This package is an SSL implementation written
63  * by Eric Young (eay@cryptsoft.com).
64  * The implementation was written so as to conform with Netscapes SSL.
65  * 
66  * This library is free for commercial and non-commercial use as long as
67  * the following conditions are aheared to.  The following conditions
68  * apply to all code found in this distribution, be it the RC4, RSA,
69  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
70  * included with this distribution is covered by the same copyright terms
71  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
72  * 
73  * Copyright remains Eric Young's, and as such any Copyright notices in
74  * the code are not to be removed.
75  * If this package is used in a product, Eric Young should be given attribution
76  * as the author of the parts of the library used.
77  * This can be in the form of a textual message at program startup or
78  * in documentation (online or textual) provided with the package.
79  * 
80  * Redistribution and use in source and binary forms, with or without
81  * modification, are permitted provided that the following conditions
82  * are met:
83  * 1. Redistributions of source code must retain the copyright
84  *    notice, this list of conditions and the following disclaimer.
85  * 2. Redistributions in binary form must reproduce the above copyright
86  *    notice, this list of conditions and the following disclaimer in the
87  *    documentation and/or other materials provided with the distribution.
88  * 3. All advertising materials mentioning features or use of this software
89  *    must display the following acknowledgement:
90  *    "This product includes cryptographic software written by
91  *     Eric Young (eay@cryptsoft.com)"
92  *    The word 'cryptographic' can be left out if the rouines from the library
93  *    being used are not cryptographic related :-).
94  * 4. If you include any Windows specific code (or a derivative thereof) from 
95  *    the apps directory (application code) you must include an acknowledgement:
96  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
97  * 
98  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
99  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
100  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
101  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
102  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
103  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
104  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
105  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
106  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
107  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
108  * SUCH DAMAGE.
109  * 
110  * The licence and distribution terms for any publically available version or
111  * derivative of this code cannot be changed.  i.e. this code cannot simply be
112  * copied and put under another distribution licence
113  * [including the GNU Public Licence.]
114  */
115
116 #include <stdio.h>
117 #include "ssl_locl.h"
118 #include <openssl/buffer.h>
119 #include <openssl/rand.h>
120 #include <openssl/objects.h>
121 #include <openssl/evp.h>
122 #include <openssl/x509.h>
123 #include <openssl/md5.h>
124 #include <openssl/bn.h>
125 #ifndef OPENSSL_NO_DH
126 #include <openssl/dh.h>
127 #endif
128
129 static const SSL_METHOD *dtls1_get_server_method(int ver);
130 static int dtls1_send_hello_verify_request(SSL *s);
131
132 static const SSL_METHOD *dtls1_get_server_method(int ver)
133         {
134         if (ver == DTLS1_VERSION)
135                 return(DTLSv1_server_method());
136         else
137                 return(NULL);
138         }
139
140 IMPLEMENT_dtls1_meth_func(DTLS1_VERSION,
141                         DTLSv1_server_method,
142                         dtls1_accept,
143                         ssl_undefined_function,
144                         dtls1_get_server_method,
145                         DTLSv1_enc_data)
146
147 int dtls1_accept(SSL *s)
148         {
149         BUF_MEM *buf;
150         unsigned long Time=(unsigned long)time(NULL);
151         void (*cb)(const SSL *ssl,int type,int val)=NULL;
152         unsigned long alg_k;
153         int ret= -1;
154         int new_state,state,skip=0;
155         int listen;
156 #ifndef OPENSSL_NO_SCTP
157         unsigned char sctpauthkey[64];
158         char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
159 #endif
160
161         RAND_add(&Time,sizeof(Time),0);
162         ERR_clear_error();
163         clear_sys_error();
164
165         if (s->info_callback != NULL)
166                 cb=s->info_callback;
167         else if (s->ctx->info_callback != NULL)
168                 cb=s->ctx->info_callback;
169         
170         listen = s->d1->listen;
171
172         /* init things to blank */
173         s->in_handshake++;
174         if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
175
176         s->d1->listen = listen;
177 #ifndef OPENSSL_NO_SCTP
178         /* Notify SCTP BIO socket to enter handshake
179          * mode and prevent stream identifier other
180          * than 0. Will be ignored if no SCTP is used.
181          */
182         BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, s->in_handshake, NULL);
183 #endif
184
185         if (s->cert == NULL)
186                 {
187                 SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
188                 return(-1);
189                 }
190
191 #ifndef OPENSSL_NO_HEARTBEATS
192         /* If we're awaiting a HeartbeatResponse, pretend we
193          * already got and don't await it anymore, because
194          * Heartbeats don't make sense during handshakes anyway.
195          */
196         if (s->tlsext_hb_pending)
197                 {
198                 dtls1_stop_timer(s);
199                 s->tlsext_hb_pending = 0;
200                 s->tlsext_hb_seq++;
201                 }
202 #endif
203
204         for (;;)
205                 {
206                 state=s->state;
207
208                 switch (s->state)
209                         {
210                 case SSL_ST_RENEGOTIATE:
211                         s->renegotiate=1;
212                         /* s->state=SSL_ST_ACCEPT; */
213
214                 case SSL_ST_BEFORE:
215                 case SSL_ST_ACCEPT:
216                 case SSL_ST_BEFORE|SSL_ST_ACCEPT:
217                 case SSL_ST_OK|SSL_ST_ACCEPT:
218
219                         s->server=1;
220                         if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
221
222                         if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00))
223                                 {
224                                 SSLerr(SSL_F_DTLS1_ACCEPT, ERR_R_INTERNAL_ERROR);
225                                 return -1;
226                                 }
227                         s->type=SSL_ST_ACCEPT;
228
229                         if (s->init_buf == NULL)
230                                 {
231                                 if ((buf=BUF_MEM_new()) == NULL)
232                                         {
233                                         ret= -1;
234                                         goto end;
235                                         }
236                                 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
237                                         {
238                                         ret= -1;
239                                         goto end;
240                                         }
241                                 s->init_buf=buf;
242                                 }
243
244                         if (!ssl3_setup_buffers(s))
245                                 {
246                                 ret= -1;
247                                 goto end;
248                                 }
249
250                         s->init_num=0;
251
252                         if (s->state != SSL_ST_RENEGOTIATE)
253                                 {
254                                 /* Ok, we now need to push on a buffering BIO so that
255                                  * the output is sent in a way that TCP likes :-)
256                                  * ...but not with SCTP :-)
257                                  */
258 #ifndef OPENSSL_NO_SCTP
259                                 if (!BIO_dgram_is_sctp(SSL_get_wbio(s)))
260 #endif
261                                         if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
262
263                                 ssl3_init_finished_mac(s);
264                                 s->state=SSL3_ST_SR_CLNT_HELLO_A;
265                                 s->ctx->stats.sess_accept++;
266                                 }
267                         else
268                                 {
269                                 /* s->state == SSL_ST_RENEGOTIATE,
270                                  * we will just send a HelloRequest */
271                                 s->ctx->stats.sess_accept_renegotiate++;
272                                 s->state=SSL3_ST_SW_HELLO_REQ_A;
273                                 }
274
275                         break;
276
277                 case SSL3_ST_SW_HELLO_REQ_A:
278                 case SSL3_ST_SW_HELLO_REQ_B:
279
280                         s->shutdown=0;
281                         dtls1_start_timer(s);
282                         ret=ssl3_send_hello_request(s);
283                         if (ret <= 0) goto end;
284                         s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
285                         s->state=SSL3_ST_SW_FLUSH;
286                         s->init_num=0;
287
288                         ssl3_init_finished_mac(s);
289                         break;
290
291                 case SSL3_ST_SW_HELLO_REQ_C:
292                         s->state=SSL_ST_OK;
293                         break;
294
295                 case SSL3_ST_SR_CLNT_HELLO_A:
296                 case SSL3_ST_SR_CLNT_HELLO_B:
297                 case SSL3_ST_SR_CLNT_HELLO_C:
298
299                         s->shutdown=0;
300                         ret=ssl3_get_client_hello(s);
301                         if (ret <= 0) goto end;
302                         dtls1_stop_timer(s);
303
304                         if (ret == 1 && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
305                                 s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
306                         else
307                                 s->state = SSL3_ST_SW_SRVR_HELLO_A;
308
309                         s->init_num=0;
310
311                         /* Reflect ClientHello sequence to remain stateless while listening */
312                         if (listen)
313                                 {
314                                 memcpy(s->s3->write_sequence, s->s3->read_sequence, sizeof(s->s3->write_sequence));
315                                 }
316
317                         /* If we're just listening, stop here */
318                         if (listen && s->state == SSL3_ST_SW_SRVR_HELLO_A)
319                                 {
320                                 ret = 2;
321                                 s->d1->listen = 0;
322                                 /* Set expected sequence numbers
323                                  * to continue the handshake.
324                                  */
325                                 s->d1->handshake_read_seq = 2;
326                                 s->d1->handshake_write_seq = 1;
327                                 s->d1->next_handshake_write_seq = 1;
328                                 goto end;
329                                 }
330                         
331                         break;
332                         
333                 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
334                 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
335
336                         ret = dtls1_send_hello_verify_request(s);
337                         if ( ret <= 0) goto end;
338                         s->state=SSL3_ST_SW_FLUSH;
339                         s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A;
340
341                         /* HelloVerifyRequest resets Finished MAC */
342                         if (s->version != DTLS1_BAD_VER)
343                                 ssl3_init_finished_mac(s);
344                         break;
345                         
346 #ifndef OPENSSL_NO_SCTP
347                 case DTLS1_SCTP_ST_SR_READ_SOCK:
348                         
349                         if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s)))                
350                                 {
351                                 s->s3->in_read_app_data=2;
352                                 s->rwstate=SSL_READING;
353                                 BIO_clear_retry_flags(SSL_get_rbio(s));
354                                 BIO_set_retry_read(SSL_get_rbio(s));
355                                 ret = -1;
356                                 goto end;
357                                 }
358                         
359                         s->state=SSL3_ST_SR_FINISHED_A;
360                         break;
361                         
362                 case DTLS1_SCTP_ST_SW_WRITE_SOCK:
363                         ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
364                         if (ret < 0) goto end;
365                         
366                         if (ret == 0)
367                                 {
368                                 if (s->d1->next_state != SSL_ST_OK)
369                                         {
370                                         s->s3->in_read_app_data=2;
371                                         s->rwstate=SSL_READING;
372                                         BIO_clear_retry_flags(SSL_get_rbio(s));
373                                         BIO_set_retry_read(SSL_get_rbio(s));
374                                         ret = -1;
375                                         goto end;
376                                         }
377                                 }
378
379                         s->state=s->d1->next_state;
380                         break;
381 #endif
382
383                 case SSL3_ST_SW_SRVR_HELLO_A:
384                 case SSL3_ST_SW_SRVR_HELLO_B:
385                         s->renegotiate = 2;
386                         dtls1_start_timer(s);
387                         ret=ssl3_send_server_hello(s);
388                         if (ret <= 0) goto end;
389
390                         if (s->hit)
391                                 {
392 #ifndef OPENSSL_NO_SCTP
393                                 /* Add new shared key for SCTP-Auth,
394                                  * will be ignored if no SCTP used.
395                                  */
396                                 snprintf((char*) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
397                                          DTLS1_SCTP_AUTH_LABEL);
398
399                                 SSL_export_keying_material(s, sctpauthkey,
400                                                            sizeof(sctpauthkey), labelbuffer,
401                                                            sizeof(labelbuffer), NULL, 0, 0);
402                                 
403                                 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
404                          sizeof(sctpauthkey), sctpauthkey);
405 #endif
406 #ifndef OPENSSL_NO_TLSEXT
407                                 if (s->tlsext_ticket_expected)
408                                         s->state=SSL3_ST_SW_SESSION_TICKET_A;
409                                 else
410                                         s->state=SSL3_ST_SW_CHANGE_A;
411 #else
412                                 s->state=SSL3_ST_SW_CHANGE_A;
413 #endif
414                                 }
415                         else
416                                 s->state=SSL3_ST_SW_CERT_A;
417                         s->init_num=0;
418                         break;
419
420                 case SSL3_ST_SW_CERT_A:
421                 case SSL3_ST_SW_CERT_B:
422                         /* Check if it is anon DH or normal PSK */
423                         if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
424                                 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
425                                 {
426                                 dtls1_start_timer(s);
427                                 ret=ssl3_send_server_certificate(s);
428                                 if (ret <= 0) goto end;
429 #ifndef OPENSSL_NO_TLSEXT
430                                 if (s->tlsext_status_expected)
431                                         s->state=SSL3_ST_SW_CERT_STATUS_A;
432                                 else
433                                         s->state=SSL3_ST_SW_KEY_EXCH_A;
434                                 }
435                         else
436                                 {
437                                 skip = 1;
438                                 s->state=SSL3_ST_SW_KEY_EXCH_A;
439                                 }
440 #else
441                                 }
442                         else
443                                 skip=1;
444
445                         s->state=SSL3_ST_SW_KEY_EXCH_A;
446 #endif
447                         s->init_num=0;
448                         break;
449
450                 case SSL3_ST_SW_KEY_EXCH_A:
451                 case SSL3_ST_SW_KEY_EXCH_B:
452                         alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
453
454                         /* clear this, it may get reset by
455                          * send_server_key_exchange */
456                         if ((s->options & SSL_OP_EPHEMERAL_RSA)
457 #ifndef OPENSSL_NO_KRB5
458                                 && !(alg_k & SSL_kKRB5)
459 #endif /* OPENSSL_NO_KRB5 */
460                                 )
461                                 /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
462                                  * even when forbidden by protocol specs
463                                  * (handshake may fail as clients are not required to
464                                  * be able to handle this) */
465                                 s->s3->tmp.use_rsa_tmp=1;
466                         else
467                                 s->s3->tmp.use_rsa_tmp=0;
468
469                         /* only send if a DH key exchange or
470                          * RSA but we have a sign only certificate */
471                         if (s->s3->tmp.use_rsa_tmp
472                         /* PSK: send ServerKeyExchange if PSK identity
473                          * hint if provided */
474 #ifndef OPENSSL_NO_PSK
475                             || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
476 #endif
477                             || (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
478                             || (alg_k & SSL_kEECDH)
479                             || ((alg_k & SSL_kRSA)
480                                 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
481                                     || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
482                                         && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
483                                         )
484                                     )
485                                 )
486                             )
487                                 {
488                                 dtls1_start_timer(s);
489                                 ret=ssl3_send_server_key_exchange(s);
490                                 if (ret <= 0) goto end;
491                                 }
492                         else
493                                 skip=1;
494
495                         s->state=SSL3_ST_SW_CERT_REQ_A;
496                         s->init_num=0;
497                         break;
498
499                 case SSL3_ST_SW_CERT_REQ_A:
500                 case SSL3_ST_SW_CERT_REQ_B:
501                         if (/* don't request cert unless asked for it: */
502                                 !(s->verify_mode & SSL_VERIFY_PEER) ||
503                                 /* if SSL_VERIFY_CLIENT_ONCE is set,
504                                  * don't request cert during re-negotiation: */
505                                 ((s->session->peer != NULL) &&
506                                  (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
507                                 /* never request cert in anonymous ciphersuites
508                                  * (see section "Certificate request" in SSL 3 drafts
509                                  * and in RFC 2246): */
510                                 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
511                                  /* ... except when the application insists on verification
512                                   * (against the specs, but s3_clnt.c accepts this for SSL 3) */
513                                  !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
514                                  /* never request cert in Kerberos ciphersuites */
515                                 (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
516                                 /* With normal PSK Certificates and
517                                  * Certificate Requests are omitted */
518                                 || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
519                                 {
520                                 /* no cert request */
521                                 skip=1;
522                                 s->s3->tmp.cert_request=0;
523                                 s->state=SSL3_ST_SW_SRVR_DONE_A;
524 #ifndef OPENSSL_NO_SCTP
525                                 if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
526                                         {
527                                         s->d1->next_state = SSL3_ST_SW_SRVR_DONE_A;
528                                         s->state = DTLS1_SCTP_ST_SW_WRITE_SOCK;
529                                         }
530 #endif
531                                 }
532                         else
533                                 {
534                                 s->s3->tmp.cert_request=1;
535                                 dtls1_start_timer(s);
536                                 ret=ssl3_send_certificate_request(s);
537                                 if (ret <= 0) goto end;
538 #ifndef NETSCAPE_HANG_BUG
539                                 s->state=SSL3_ST_SW_SRVR_DONE_A;
540 #ifndef OPENSSL_NO_SCTP
541                                 if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
542                                         {
543                                         s->d1->next_state = SSL3_ST_SW_SRVR_DONE_A;
544                                         s->state = DTLS1_SCTP_ST_SW_WRITE_SOCK;
545                                         }
546 #endif
547 #else
548                                 s->state=SSL3_ST_SW_FLUSH;
549                                 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
550 #ifndef OPENSSL_NO_SCTP
551                                 if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
552                                         {
553                                         s->d1->next_state = s->s3->tmp.next_state;
554                                         s->s3->tmp.next_state=DTLS1_SCTP_ST_SW_WRITE_SOCK;
555                                         }
556 #endif
557 #endif
558                                 s->init_num=0;
559                                 }
560                         break;
561
562                 case SSL3_ST_SW_SRVR_DONE_A:
563                 case SSL3_ST_SW_SRVR_DONE_B:
564                         dtls1_start_timer(s);
565                         ret=ssl3_send_server_done(s);
566                         if (ret <= 0) goto end;
567                         s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
568                         s->state=SSL3_ST_SW_FLUSH;
569                         s->init_num=0;
570                         break;
571                 
572                 case SSL3_ST_SW_FLUSH:
573                         s->rwstate=SSL_WRITING;
574                         if (BIO_flush(s->wbio) <= 0)
575                                 {
576                                 /* If the write error was fatal, stop trying */
577                                 if (!BIO_should_retry(s->wbio))
578                                         {
579                                         s->rwstate=SSL_NOTHING;
580                                         s->state=s->s3->tmp.next_state;
581                                         }
582                                 
583                                 ret= -1;
584                                 goto end;
585                                 }
586                         s->rwstate=SSL_NOTHING;
587                         s->state=s->s3->tmp.next_state;
588                         break;
589
590                 case SSL3_ST_SR_CERT_A:
591                 case SSL3_ST_SR_CERT_B:
592                         /* Check for second client hello (MS SGC) */
593                         ret = ssl3_check_client_hello(s);
594                         if (ret <= 0)
595                                 goto end;
596                         if (ret == 2)
597                                 {
598                                 dtls1_stop_timer(s);
599                                 s->state = SSL3_ST_SR_CLNT_HELLO_C;
600                                 }
601                         else {
602                                 /* could be sent for a DH cert, even if we
603                                  * have not asked for it :-) */
604                                 ret=ssl3_get_client_certificate(s);
605                                 if (ret <= 0) goto end;
606                                 s->init_num=0;
607                                 s->state=SSL3_ST_SR_KEY_EXCH_A;
608                         }
609                         break;
610
611                 case SSL3_ST_SR_KEY_EXCH_A:
612                 case SSL3_ST_SR_KEY_EXCH_B:
613                         ret=ssl3_get_client_key_exchange(s);
614                         if (ret <= 0) goto end;
615 #ifndef OPENSSL_NO_SCTP
616                         /* Add new shared key for SCTP-Auth,
617                          * will be ignored if no SCTP used.
618                          */
619                         snprintf((char *) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
620                                  DTLS1_SCTP_AUTH_LABEL);
621
622                         SSL_export_keying_material(s, sctpauthkey,
623                                                    sizeof(sctpauthkey), labelbuffer,
624                                                    sizeof(labelbuffer), NULL, 0, 0);
625
626                         BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
627                                  sizeof(sctpauthkey), sctpauthkey);
628 #endif
629
630                         s->state=SSL3_ST_SR_CERT_VRFY_A;
631                         s->init_num=0;
632
633                         if (ret == 2)
634                                 {
635                                 /* For the ECDH ciphersuites when
636                                  * the client sends its ECDH pub key in
637                                  * a certificate, the CertificateVerify
638                                  * message is not sent.
639                                  */
640                                 s->state=SSL3_ST_SR_FINISHED_A;
641                                 s->init_num = 0;
642                                 }
643                         else
644                                 {
645                                 s->state=SSL3_ST_SR_CERT_VRFY_A;
646                                 s->init_num=0;
647
648                                 /* We need to get hashes here so if there is
649                                  * a client cert, it can be verified */ 
650                                 s->method->ssl3_enc->cert_verify_mac(s,
651                                         NID_md5,
652                                         &(s->s3->tmp.cert_verify_md[0]));
653                                 s->method->ssl3_enc->cert_verify_mac(s,
654                                         NID_sha1,
655                                         &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
656                                 }
657                         break;
658
659                 case SSL3_ST_SR_CERT_VRFY_A:
660                 case SSL3_ST_SR_CERT_VRFY_B:
661
662                         s->d1->change_cipher_spec_ok = 1;
663                         /* we should decide if we expected this one */
664                         ret=ssl3_get_cert_verify(s);
665                         if (ret <= 0) goto end;
666 #ifndef OPENSSL_NO_SCTP
667                         if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
668                             state == SSL_ST_RENEGOTIATE)
669                                 s->state=DTLS1_SCTP_ST_SR_READ_SOCK;
670                         else
671 #endif                  
672                                 s->state=SSL3_ST_SR_FINISHED_A;
673                         s->init_num=0;
674                         break;
675
676                 case SSL3_ST_SR_FINISHED_A:
677                 case SSL3_ST_SR_FINISHED_B:
678                         s->d1->change_cipher_spec_ok = 1;
679                         ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
680                                 SSL3_ST_SR_FINISHED_B);
681                         if (ret <= 0) goto end;
682                         dtls1_stop_timer(s);
683                         if (s->hit)
684                                 s->state=SSL_ST_OK;
685 #ifndef OPENSSL_NO_TLSEXT
686                         else if (s->tlsext_ticket_expected)
687                                 s->state=SSL3_ST_SW_SESSION_TICKET_A;
688 #endif
689                         else
690                                 s->state=SSL3_ST_SW_CHANGE_A;
691                         s->init_num=0;
692                         break;
693
694 #ifndef OPENSSL_NO_TLSEXT
695                 case SSL3_ST_SW_SESSION_TICKET_A:
696                 case SSL3_ST_SW_SESSION_TICKET_B:
697                         ret=ssl3_send_newsession_ticket(s);
698                         if (ret <= 0) goto end;
699                         s->state=SSL3_ST_SW_CHANGE_A;
700                         s->init_num=0;
701                         break;
702
703                 case SSL3_ST_SW_CERT_STATUS_A:
704                 case SSL3_ST_SW_CERT_STATUS_B:
705                         ret=ssl3_send_cert_status(s);
706                         if (ret <= 0) goto end;
707                         s->state=SSL3_ST_SW_KEY_EXCH_A;
708                         s->init_num=0;
709                         break;
710
711 #endif
712
713                 case SSL3_ST_SW_CHANGE_A:
714                 case SSL3_ST_SW_CHANGE_B:
715
716                         s->session->cipher=s->s3->tmp.new_cipher;
717                         if (!s->method->ssl3_enc->setup_key_block(s))
718                                 { ret= -1; goto end; }
719
720                         ret=dtls1_send_change_cipher_spec(s,
721                                 SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B);
722
723                         if (ret <= 0) goto end;
724
725 #ifndef OPENSSL_NO_SCTP
726                         /* Change to new shared key of SCTP-Auth,
727                          * will be ignored if no SCTP used.
728                          */
729                         BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
730 #endif
731
732                         s->state=SSL3_ST_SW_FINISHED_A;
733                         s->init_num=0;
734
735                         if (!s->method->ssl3_enc->change_cipher_state(s,
736                                 SSL3_CHANGE_CIPHER_SERVER_WRITE))
737                                 {
738                                 ret= -1;
739                                 goto end;
740                                 }
741
742                         dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
743                         break;
744
745                 case SSL3_ST_SW_FINISHED_A:
746                 case SSL3_ST_SW_FINISHED_B:
747                         ret=ssl3_send_finished(s,
748                                 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
749                                 s->method->ssl3_enc->server_finished_label,
750                                 s->method->ssl3_enc->server_finished_label_len);
751                         if (ret <= 0) goto end;
752                         s->state=SSL3_ST_SW_FLUSH;
753                         if (s->hit)
754                                 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
755                         else
756                                 {
757                                 s->s3->tmp.next_state=SSL_ST_OK;
758 #ifndef OPENSSL_NO_SCTP
759                                 if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
760                                         {
761                                         s->d1->next_state = s->s3->tmp.next_state;
762                                         s->s3->tmp.next_state=DTLS1_SCTP_ST_SW_WRITE_SOCK;
763                                         }
764 #endif
765                                 }
766                         s->init_num=0;
767                         break;
768
769                 case SSL_ST_OK:
770                         /* clean a few things up */
771                         ssl3_cleanup_key_block(s);
772
773 #if 0
774                         BUF_MEM_free(s->init_buf);
775                         s->init_buf=NULL;
776 #endif
777
778                         /* remove buffering on output */
779                         ssl_free_wbio_buffer(s);
780
781                         s->init_num=0;
782
783                         if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */
784                                 {
785                                 s->renegotiate=0;
786                                 s->new_session=0;
787                                 
788                                 ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
789                                 
790                                 s->ctx->stats.sess_accept_good++;
791                                 /* s->server=1; */
792                                 s->handshake_func=dtls1_accept;
793
794                                 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
795                                 }
796                         
797                         ret = 1;
798
799                         /* done handshaking, next message is client hello */
800                         s->d1->handshake_read_seq = 0;
801                         /* next message is server hello */
802                         s->d1->handshake_write_seq = 0;
803                         s->d1->next_handshake_write_seq = 0;
804                         goto end;
805                         /* break; */
806
807                 default:
808                         SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_UNKNOWN_STATE);
809                         ret= -1;
810                         goto end;
811                         /* break; */
812                         }
813                 
814                 if (!s->s3->tmp.reuse_message && !skip)
815                         {
816                         if (s->debug)
817                                 {
818                                 if ((ret=BIO_flush(s->wbio)) <= 0)
819                                         goto end;
820                                 }
821
822
823                         if ((cb != NULL) && (s->state != state))
824                                 {
825                                 new_state=s->state;
826                                 s->state=state;
827                                 cb(s,SSL_CB_ACCEPT_LOOP,1);
828                                 s->state=new_state;
829                                 }
830                         }
831                 skip=0;
832                 }
833 end:
834         /* BIO_flush(s->wbio); */
835
836         s->in_handshake--;
837 #ifndef OPENSSL_NO_SCTP
838                 /* Notify SCTP BIO socket to leave handshake
839                  * mode and prevent stream identifier other
840                  * than 0. Will be ignored if no SCTP is used.
841                  */
842                 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, s->in_handshake, NULL);
843 #endif
844
845         if (cb != NULL)
846                 cb(s,SSL_CB_ACCEPT_EXIT,ret);
847         return(ret);
848         }
849
850 int dtls1_send_hello_verify_request(SSL *s)
851         {
852         unsigned int msg_len;
853         unsigned char *msg, *buf, *p;
854
855         if (s->state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A)
856                 {
857                 buf = (unsigned char *)s->init_buf->data;
858
859                 msg = p = &(buf[DTLS1_HM_HEADER_LENGTH]);
860                 *(p++) = s->version >> 8;
861                 *(p++) = s->version & 0xFF;
862
863                 if (s->ctx->app_gen_cookie_cb == NULL ||
864                      s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
865                          &(s->d1->cookie_len)) == 0)
866                         {
867                         SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,ERR_R_INTERNAL_ERROR);
868                         return 0;
869                         }
870
871                 *(p++) = (unsigned char) s->d1->cookie_len;
872                 memcpy(p, s->d1->cookie, s->d1->cookie_len);
873                 p += s->d1->cookie_len;
874                 msg_len = p - msg;
875
876                 dtls1_set_message_header(s, buf,
877                         DTLS1_MT_HELLO_VERIFY_REQUEST, msg_len, 0, msg_len);
878
879                 s->state=DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B;
880                 /* number of bytes to write */
881                 s->init_num=p-buf;
882                 s->init_off=0;
883                 }
884
885         /* s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */
886         return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
887         }