e32c4c10137217c0e7704d38e655aea6949b3e2d
[openssl.git] / ssl / d1_srvr.c
1 /* ssl/d1_srvr.c */
2 /*
3  * DTLS implementation written by Nagendra Modadugu
4  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
5  */
6 /* ====================================================================
7  * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  *
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  *
16  * 2. Redistributions in binary form must reproduce the above copyright
17  *    notice, this list of conditions and the following disclaimer in
18  *    the documentation and/or other materials provided with the
19  *    distribution.
20  *
21  * 3. All advertising materials mentioning features or use of this
22  *    software must display the following acknowledgment:
23  *    "This product includes software developed by the OpenSSL Project
24  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25  *
26  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27  *    endorse or promote products derived from this software without
28  *    prior written permission. For written permission, please contact
29  *    openssl-core@OpenSSL.org.
30  *
31  * 5. Products derived from this software may not be called "OpenSSL"
32  *    nor may "OpenSSL" appear in their names without prior written
33  *    permission of the OpenSSL Project.
34  *
35  * 6. Redistributions of any form whatsoever must retain the following
36  *    acknowledgment:
37  *    "This product includes software developed by the OpenSSL Project
38  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
44  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51  * OF THE POSSIBILITY OF SUCH DAMAGE.
52  * ====================================================================
53  *
54  * This product includes cryptographic software written by Eric Young
55  * (eay@cryptsoft.com).  This product includes software written by Tim
56  * Hudson (tjh@cryptsoft.com).
57  *
58  */
59 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
60  * All rights reserved.
61  *
62  * This package is an SSL implementation written
63  * by Eric Young (eay@cryptsoft.com).
64  * The implementation was written so as to conform with Netscapes SSL.
65  *
66  * This library is free for commercial and non-commercial use as long as
67  * the following conditions are aheared to.  The following conditions
68  * apply to all code found in this distribution, be it the RC4, RSA,
69  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
70  * included with this distribution is covered by the same copyright terms
71  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
72  *
73  * Copyright remains Eric Young's, and as such any Copyright notices in
74  * the code are not to be removed.
75  * If this package is used in a product, Eric Young should be given attribution
76  * as the author of the parts of the library used.
77  * This can be in the form of a textual message at program startup or
78  * in documentation (online or textual) provided with the package.
79  *
80  * Redistribution and use in source and binary forms, with or without
81  * modification, are permitted provided that the following conditions
82  * are met:
83  * 1. Redistributions of source code must retain the copyright
84  *    notice, this list of conditions and the following disclaimer.
85  * 2. Redistributions in binary form must reproduce the above copyright
86  *    notice, this list of conditions and the following disclaimer in the
87  *    documentation and/or other materials provided with the distribution.
88  * 3. All advertising materials mentioning features or use of this software
89  *    must display the following acknowledgement:
90  *    "This product includes cryptographic software written by
91  *     Eric Young (eay@cryptsoft.com)"
92  *    The word 'cryptographic' can be left out if the rouines from the library
93  *    being used are not cryptographic related :-).
94  * 4. If you include any Windows specific code (or a derivative thereof) from
95  *    the apps directory (application code) you must include an acknowledgement:
96  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
97  *
98  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
99  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
100  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
101  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
102  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
103  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
104  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
105  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
106  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
107  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
108  * SUCH DAMAGE.
109  *
110  * The licence and distribution terms for any publically available version or
111  * derivative of this code cannot be changed.  i.e. this code cannot simply be
112  * copied and put under another distribution licence
113  * [including the GNU Public Licence.]
114  */
115
116 #include <stdio.h>
117 #include "ssl_locl.h"
118 #include <openssl/buffer.h>
119 #include <openssl/rand.h>
120 #include <openssl/objects.h>
121 #include <openssl/evp.h>
122 #include <openssl/x509.h>
123 #include <openssl/md5.h>
124 #include <openssl/bn.h>
125 #ifndef OPENSSL_NO_DH
126 # include <openssl/dh.h>
127 #endif
128
129 static const SSL_METHOD *dtls1_get_server_method(int ver);
130 static int dtls1_send_hello_verify_request(SSL *s);
131
132 static const SSL_METHOD *dtls1_get_server_method(int ver)
133 {
134     if (ver == DTLS1_VERSION)
135         return (DTLSv1_server_method());
136     else if (ver == DTLS1_2_VERSION)
137         return (DTLSv1_2_server_method());
138     else
139         return (NULL);
140 }
141
142 IMPLEMENT_dtls1_meth_func(DTLS1_VERSION,
143                           DTLSv1_server_method,
144                           dtls1_accept,
145                           ssl_undefined_function,
146                           dtls1_get_server_method, DTLSv1_enc_data)
147
148     IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION,
149                           DTLSv1_2_server_method,
150                           dtls1_accept,
151                           ssl_undefined_function,
152                           dtls1_get_server_method, DTLSv1_2_enc_data)
153
154     IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION,
155                           DTLS_server_method,
156                           dtls1_accept,
157                           ssl_undefined_function,
158                           dtls1_get_server_method, DTLSv1_2_enc_data)
159
160 int dtls1_accept(SSL *s)
161 {
162     BUF_MEM *buf;
163     unsigned long Time = (unsigned long)time(NULL);
164     void (*cb) (const SSL *ssl, int type, int val) = NULL;
165     unsigned long alg_k;
166     int ret = -1;
167     int new_state, state, skip = 0;
168 #ifndef OPENSSL_NO_SCTP
169     unsigned char sctpauthkey[64];
170     char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
171 #endif
172
173     RAND_add(&Time, sizeof(Time), 0);
174     ERR_clear_error();
175     clear_sys_error();
176
177     if (s->info_callback != NULL)
178         cb = s->info_callback;
179     else if (s->ctx->info_callback != NULL)
180         cb = s->ctx->info_callback;
181
182     /* init things to blank */
183     s->in_handshake++;
184     if (!SSL_in_init(s) || SSL_in_before(s)) {
185         if (!SSL_clear(s))
186             return -1;
187     }
188
189 #ifndef OPENSSL_NO_SCTP
190     /*
191      * Notify SCTP BIO socket to enter handshake mode and prevent stream
192      * identifier other than 0. Will be ignored if no SCTP is used.
193      */
194     BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
195              s->in_handshake, NULL);
196 #endif
197
198 #ifndef OPENSSL_NO_HEARTBEATS
199     /*
200      * If we're awaiting a HeartbeatResponse, pretend we already got and
201      * don't await it anymore, because Heartbeats don't make sense during
202      * handshakes anyway.
203      */
204     if (s->tlsext_hb_pending) {
205         dtls1_stop_timer(s);
206         s->tlsext_hb_pending = 0;
207         s->tlsext_hb_seq++;
208     }
209 #endif
210
211     for (;;) {
212         state = s->state;
213
214         switch (s->state) {
215         case SSL_ST_RENEGOTIATE:
216             s->renegotiate = 1;
217             /* s->state=SSL_ST_ACCEPT; */
218
219         case SSL_ST_BEFORE:
220         case SSL_ST_ACCEPT:
221         case SSL_ST_BEFORE | SSL_ST_ACCEPT:
222         case SSL_ST_OK | SSL_ST_ACCEPT:
223
224             s->server = 1;
225             if (cb != NULL)
226                 cb(s, SSL_CB_HANDSHAKE_START, 1);
227
228             if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) {
229                 SSLerr(SSL_F_DTLS1_ACCEPT, ERR_R_INTERNAL_ERROR);
230                 return -1;
231             }
232             s->type = SSL_ST_ACCEPT;
233
234             if (s->init_buf == NULL) {
235                 if ((buf = BUF_MEM_new()) == NULL) {
236                     ret = -1;
237                     s->state = SSL_ST_ERR;
238                     goto end;
239                 }
240                 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
241                     BUF_MEM_free(buf);
242                     ret = -1;
243                     s->state = SSL_ST_ERR;
244                     goto end;
245                 }
246                 s->init_buf = buf;
247             }
248
249             if (!ssl3_setup_buffers(s)) {
250                 ret = -1;
251                 s->state = SSL_ST_ERR;
252                 goto end;
253             }
254
255             s->init_num = 0;
256             /*
257              * Should have been reset by ssl3_get_finished, too.
258              */
259             s->s3->change_cipher_spec = 0;
260
261             if (s->state != SSL_ST_RENEGOTIATE) {
262                 /*
263                  * Ok, we now need to push on a buffering BIO so that the
264                  * output is sent in a way that TCP likes :-) ...but not with
265                  * SCTP :-)
266                  */
267 #ifndef OPENSSL_NO_SCTP
268                 if (!BIO_dgram_is_sctp(SSL_get_wbio(s)))
269 #endif
270                     if (!ssl_init_wbio_buffer(s, 1)) {
271                         ret = -1;
272                         s->state = SSL_ST_ERR;
273                         goto end;
274                     }
275
276                 ssl3_init_finished_mac(s);
277                 s->state = SSL3_ST_SR_CLNT_HELLO_A;
278                 s->ctx->stats.sess_accept++;
279             } else {
280                 /*
281                  * s->state == SSL_ST_RENEGOTIATE, we will just send a
282                  * HelloRequest
283                  */
284                 s->ctx->stats.sess_accept_renegotiate++;
285                 s->state = SSL3_ST_SW_HELLO_REQ_A;
286             }
287
288             break;
289
290         case SSL3_ST_SW_HELLO_REQ_A:
291         case SSL3_ST_SW_HELLO_REQ_B:
292
293             s->shutdown = 0;
294             dtls1_clear_record_buffer(s);
295             dtls1_start_timer(s);
296             ret = ssl3_send_hello_request(s);
297             if (ret <= 0)
298                 goto end;
299             s->s3->tmp.next_state = SSL3_ST_SR_CLNT_HELLO_A;
300             s->state = SSL3_ST_SW_FLUSH;
301             s->init_num = 0;
302
303             ssl3_init_finished_mac(s);
304             break;
305
306         case SSL3_ST_SW_HELLO_REQ_C:
307             s->state = SSL_ST_OK;
308             break;
309
310         case SSL3_ST_SR_CLNT_HELLO_A:
311         case SSL3_ST_SR_CLNT_HELLO_B:
312         case SSL3_ST_SR_CLNT_HELLO_C:
313
314             s->shutdown = 0;
315             ret = ssl3_get_client_hello(s);
316             if (ret <= 0)
317                 goto end;
318             dtls1_stop_timer(s);
319
320             if (ret == 1 && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
321                 s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
322             else
323                 s->state = SSL3_ST_SW_SRVR_HELLO_A;
324
325             s->init_num = 0;
326             break;
327
328         case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
329         case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
330
331             ret = dtls1_send_hello_verify_request(s);
332             if (ret <= 0)
333                 goto end;
334             s->state = SSL3_ST_SW_FLUSH;
335             s->s3->tmp.next_state = SSL3_ST_SR_CLNT_HELLO_A;
336
337             /* HelloVerifyRequest resets Finished MAC */
338             if (s->version != DTLS1_BAD_VER)
339                 ssl3_init_finished_mac(s);
340             break;
341
342 #ifndef OPENSSL_NO_SCTP
343         case DTLS1_SCTP_ST_SR_READ_SOCK:
344
345             if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
346                 s->s3->in_read_app_data = 2;
347                 s->rwstate = SSL_READING;
348                 BIO_clear_retry_flags(SSL_get_rbio(s));
349                 BIO_set_retry_read(SSL_get_rbio(s));
350                 ret = -1;
351                 goto end;
352             }
353
354             s->state = SSL3_ST_SR_CHANGE_A;
355             break;
356
357         case DTLS1_SCTP_ST_SW_WRITE_SOCK:
358             ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
359             if (ret < 0)
360                 goto end;
361
362             if (ret == 0) {
363                 if (s->d1->next_state != SSL_ST_OK) {
364                     s->s3->in_read_app_data = 2;
365                     s->rwstate = SSL_READING;
366                     BIO_clear_retry_flags(SSL_get_rbio(s));
367                     BIO_set_retry_read(SSL_get_rbio(s));
368                     ret = -1;
369                     goto end;
370                 }
371             }
372
373             s->state = s->d1->next_state;
374             break;
375 #endif
376
377         case SSL3_ST_SW_SRVR_HELLO_A:
378         case SSL3_ST_SW_SRVR_HELLO_B:
379             s->renegotiate = 2;
380             dtls1_start_timer(s);
381             ret = ssl3_send_server_hello(s);
382             if (ret <= 0)
383                 goto end;
384
385             if (s->hit) {
386 #ifndef OPENSSL_NO_SCTP
387                 /*
388                  * Add new shared key for SCTP-Auth, will be ignored if no
389                  * SCTP used.
390                  */
391                 snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
392                          DTLS1_SCTP_AUTH_LABEL);
393
394                 if (SSL_export_keying_material(s, sctpauthkey,
395                         sizeof(sctpauthkey), labelbuffer,
396                         sizeof(labelbuffer), NULL, 0, 0) <= 0) {
397                     ret = -1;
398                     s->state = SSL_ST_ERR;
399                     goto end;
400                 }
401
402                 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
403                          sizeof(sctpauthkey), sctpauthkey);
404 #endif
405                 if (s->tlsext_ticket_expected)
406                     s->state = SSL3_ST_SW_SESSION_TICKET_A;
407                 else
408                     s->state = SSL3_ST_SW_CHANGE_A;
409             } else
410                 s->state = SSL3_ST_SW_CERT_A;
411             s->init_num = 0;
412             break;
413
414         case SSL3_ST_SW_CERT_A:
415         case SSL3_ST_SW_CERT_B:
416             /* Check if it is anon DH or normal PSK */
417             if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
418                 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
419                 dtls1_start_timer(s);
420                 ret = ssl3_send_server_certificate(s);
421                 if (ret <= 0)
422                     goto end;
423
424                 if (s->tlsext_status_expected)
425                     s->state = SSL3_ST_SW_CERT_STATUS_A;
426                 else
427                     s->state = SSL3_ST_SW_KEY_EXCH_A;
428             } else {
429                 skip = 1;
430                 s->state = SSL3_ST_SW_KEY_EXCH_A;
431             }
432             s->init_num = 0;
433             break;
434
435         case SSL3_ST_SW_KEY_EXCH_A:
436         case SSL3_ST_SW_KEY_EXCH_B:
437             alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
438
439             /*
440              * clear this, it may get reset by
441              * send_server_key_exchange
442              */
443             s->s3->tmp.use_rsa_tmp = 0;
444
445             /*
446              * only send if a DH key exchange or RSA but we have a sign only
447              * certificate
448              */
449             if (0
450                 /*
451                  * PSK: send ServerKeyExchange if PSK identity hint if
452                  * provided
453                  */
454 #ifndef OPENSSL_NO_PSK
455                 || ((alg_k & SSL_kPSK) && s->cert->psk_identity_hint)
456 #endif
457                 || (alg_k & SSL_kDHE)
458                 || (alg_k & SSL_kECDHE)
459                 || ((alg_k & SSL_kRSA)
460                     && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
461                         || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
462                             && EVP_PKEY_size(s->cert->pkeys
463                                              [SSL_PKEY_RSA_ENC].privatekey) *
464                             8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
465                         )
466                     )
467                 )
468                 ) {
469                 dtls1_start_timer(s);
470                 ret = ssl3_send_server_key_exchange(s);
471                 if (ret <= 0)
472                     goto end;
473             } else
474                 skip = 1;
475
476             s->state = SSL3_ST_SW_CERT_REQ_A;
477             s->init_num = 0;
478             break;
479
480         case SSL3_ST_SW_CERT_REQ_A:
481         case SSL3_ST_SW_CERT_REQ_B:
482             if (                /* don't request cert unless asked for it: */
483                    !(s->verify_mode & SSL_VERIFY_PEER) ||
484                    /*
485                     * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
486                     * during re-negotiation:
487                     */
488                    ((s->session->peer != NULL) &&
489                     (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
490                    /*
491                     * never request cert in anonymous ciphersuites (see
492                     * section "Certificate request" in SSL 3 drafts and in
493                     * RFC 2246):
494                     */
495                    ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
496                    /*
497                     * ... except when the application insists on
498                     * verification (against the specs, but s3_clnt.c accepts
499                     * this for SSL 3)
500                     */
501                    !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
502                    /*
503                     * With normal PSK Certificates and Certificate Requests
504                     * are omitted
505                     */
506                    || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
507                 /* no cert request */
508                 skip = 1;
509                 s->s3->tmp.cert_request = 0;
510                 s->state = SSL3_ST_SW_SRVR_DONE_A;
511 #ifndef OPENSSL_NO_SCTP
512                 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
513                     s->d1->next_state = SSL3_ST_SW_SRVR_DONE_A;
514                     s->state = DTLS1_SCTP_ST_SW_WRITE_SOCK;
515                 }
516 #endif
517             } else {
518                 s->s3->tmp.cert_request = 1;
519                 dtls1_start_timer(s);
520                 ret = ssl3_send_certificate_request(s);
521                 if (ret <= 0)
522                     goto end;
523                 s->state = SSL3_ST_SW_SRVR_DONE_A;
524 # ifndef OPENSSL_NO_SCTP
525                 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
526                     s->d1->next_state = SSL3_ST_SW_SRVR_DONE_A;
527                     s->state = DTLS1_SCTP_ST_SW_WRITE_SOCK;
528                 }
529 # endif
530                 s->init_num = 0;
531             }
532             break;
533
534         case SSL3_ST_SW_SRVR_DONE_A:
535         case SSL3_ST_SW_SRVR_DONE_B:
536             dtls1_start_timer(s);
537             ret = ssl3_send_server_done(s);
538             if (ret <= 0)
539                 goto end;
540             s->s3->tmp.next_state = SSL3_ST_SR_CERT_A;
541             s->state = SSL3_ST_SW_FLUSH;
542             s->init_num = 0;
543             break;
544
545         case SSL3_ST_SW_FLUSH:
546             s->rwstate = SSL_WRITING;
547             if (BIO_flush(s->wbio) <= 0) {
548                 /*
549                  * If the write error was fatal, stop trying
550                  */
551                 if (!BIO_should_retry(s->wbio)) {
552                     s->rwstate = SSL_NOTHING;
553                     s->state = s->s3->tmp.next_state;
554                 }
555
556                 ret = -1;
557                 goto end;
558             }
559             s->rwstate = SSL_NOTHING;
560             s->state = s->s3->tmp.next_state;
561             break;
562
563         case SSL3_ST_SR_CERT_A:
564         case SSL3_ST_SR_CERT_B:
565             if (s->s3->tmp.cert_request) {
566                 ret = ssl3_get_client_certificate(s);
567                 if (ret <= 0)
568                     goto end;
569             }
570             s->init_num = 0;
571             s->state = SSL3_ST_SR_KEY_EXCH_A;
572             break;
573
574         case SSL3_ST_SR_KEY_EXCH_A:
575         case SSL3_ST_SR_KEY_EXCH_B:
576             ret = ssl3_get_client_key_exchange(s);
577             if (ret <= 0)
578                 goto end;
579 #ifndef OPENSSL_NO_SCTP
580             /*
581              * Add new shared key for SCTP-Auth, will be ignored if no SCTP
582              * used.
583              */
584             snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
585                      DTLS1_SCTP_AUTH_LABEL);
586
587             if (SSL_export_keying_material(s, sctpauthkey,
588                                        sizeof(sctpauthkey), labelbuffer,
589                                        sizeof(labelbuffer), NULL, 0, 0) <= 0) {
590                 ret = -1;
591                 s->state = SSL_ST_ERR;
592                 goto end;
593             }
594
595             BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
596                      sizeof(sctpauthkey), sctpauthkey);
597 #endif
598
599             s->state = SSL3_ST_SR_CERT_VRFY_A;
600             s->init_num = 0;
601
602             if (ret == 2) {
603                 /*
604                  * For the ECDH ciphersuites when the client sends its ECDH
605                  * pub key in a certificate, the CertificateVerify message is
606                  * not sent.
607                  */
608                 s->state = SSL3_ST_SR_CHANGE_A;
609                 s->init_num = 0;
610             } else if (SSL_USE_SIGALGS(s)) {
611                 s->state = SSL3_ST_SR_CERT_VRFY_A;
612                 s->init_num = 0;
613                 if (!s->session->peer)
614                     break;
615                 if (!s->s3->handshake_buffer) {
616                     SSLerr(SSL_F_DTLS1_ACCEPT, ERR_R_INTERNAL_ERROR);
617                     s->state = SSL_ST_ERR;
618                     return -1;
619                 }
620                 /*
621                  * For sigalgs freeze the handshake buffer. If we support
622                  * extms we've done this already.
623                  */
624                 if (!ssl3_digest_cached_records(s, 1)) {
625                     s->state = SSL_ST_ERR;
626                     return -1;
627                 }
628             } else {
629                 s->state = SSL3_ST_SR_CERT_VRFY_A;
630                 s->init_num = 0;
631
632                 /*
633                  * We need to get hashes here so if there is a client cert,
634                  * it can be verified
635                  */
636                 s->method->ssl3_enc->cert_verify_mac(s,
637                                                      NID_md5,
638                                                      &(s->s3->
639                                                        tmp.cert_verify_md
640                                                        [0]));
641                 s->method->ssl3_enc->cert_verify_mac(s, NID_sha1,
642                                                      &(s->s3->
643                                                        tmp.cert_verify_md
644                                                        [MD5_DIGEST_LENGTH]));
645             }
646             break;
647
648         case SSL3_ST_SR_CERT_VRFY_A:
649         case SSL3_ST_SR_CERT_VRFY_B:
650             ret = ssl3_get_cert_verify(s);
651             if (ret <= 0)
652                 goto end;
653 #ifndef OPENSSL_NO_SCTP
654             if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
655                 state == SSL_ST_RENEGOTIATE)
656                 s->state = DTLS1_SCTP_ST_SR_READ_SOCK;
657             else
658 #endif
659                 s->state = SSL3_ST_SR_CHANGE_A;
660             s->init_num = 0;
661             break;
662
663         case SSL3_ST_SR_CHANGE_A:
664         case SSL3_ST_SR_CHANGE_B:
665             ret = ssl3_get_change_cipher_spec(s, SSL3_ST_SR_CHANGE_A,
666                                               SSL3_ST_SR_CHANGE_B);
667             if (ret <= 0)
668                 goto end;
669
670             s->state = SSL3_ST_SR_FINISHED_A;
671             s->init_num = 0;
672             break;
673
674         case SSL3_ST_SR_FINISHED_A:
675         case SSL3_ST_SR_FINISHED_B:
676             ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A,
677                                     SSL3_ST_SR_FINISHED_B);
678             if (ret <= 0)
679                 goto end;
680             dtls1_stop_timer(s);
681             if (s->hit)
682                 s->state = SSL_ST_OK;
683             else if (s->tlsext_ticket_expected)
684                 s->state = SSL3_ST_SW_SESSION_TICKET_A;
685             else
686                 s->state = SSL3_ST_SW_CHANGE_A;
687             s->init_num = 0;
688             break;
689
690         case SSL3_ST_SW_SESSION_TICKET_A:
691         case SSL3_ST_SW_SESSION_TICKET_B:
692             ret = ssl3_send_newsession_ticket(s);
693             if (ret <= 0)
694                 goto end;
695             s->state = SSL3_ST_SW_CHANGE_A;
696             s->init_num = 0;
697             break;
698
699         case SSL3_ST_SW_CERT_STATUS_A:
700         case SSL3_ST_SW_CERT_STATUS_B:
701             ret = ssl3_send_cert_status(s);
702             if (ret <= 0)
703                 goto end;
704             s->state = SSL3_ST_SW_KEY_EXCH_A;
705             s->init_num = 0;
706             break;
707
708         case SSL3_ST_SW_CHANGE_A:
709         case SSL3_ST_SW_CHANGE_B:
710
711             s->session->cipher = s->s3->tmp.new_cipher;
712             if (!s->method->ssl3_enc->setup_key_block(s)) {
713                 ret = -1;
714                 s->state = SSL_ST_ERR;
715                 goto end;
716             }
717
718             ret = dtls1_send_change_cipher_spec(s,
719                                                 SSL3_ST_SW_CHANGE_A,
720                                                 SSL3_ST_SW_CHANGE_B);
721
722             if (ret <= 0)
723                 goto end;
724
725 #ifndef OPENSSL_NO_SCTP
726             if (!s->hit) {
727                 /*
728                  * Change to new shared key of SCTP-Auth, will be ignored if
729                  * no SCTP used.
730                  */
731                 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
732                          0, NULL);
733             }
734 #endif
735
736             s->state = SSL3_ST_SW_FINISHED_A;
737             s->init_num = 0;
738
739             if (!s->method->ssl3_enc->change_cipher_state(s,
740                                                           SSL3_CHANGE_CIPHER_SERVER_WRITE))
741             {
742                 ret = -1;
743                 s->state = SSL_ST_ERR;
744                 goto end;
745             }
746
747             dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
748             break;
749
750         case SSL3_ST_SW_FINISHED_A:
751         case SSL3_ST_SW_FINISHED_B:
752             ret = ssl3_send_finished(s,
753                                      SSL3_ST_SW_FINISHED_A,
754                                      SSL3_ST_SW_FINISHED_B,
755                                      s->method->
756                                      ssl3_enc->server_finished_label,
757                                      s->method->
758                                      ssl3_enc->server_finished_label_len);
759             if (ret <= 0)
760                 goto end;
761             s->state = SSL3_ST_SW_FLUSH;
762             if (s->hit) {
763                 s->s3->tmp.next_state = SSL3_ST_SR_CHANGE_A;
764
765 #ifndef OPENSSL_NO_SCTP
766                 /*
767                  * Change to new shared key of SCTP-Auth, will be ignored if
768                  * no SCTP used.
769                  */
770                 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
771                          0, NULL);
772 #endif
773             } else {
774                 s->s3->tmp.next_state = SSL_ST_OK;
775 #ifndef OPENSSL_NO_SCTP
776                 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
777                     s->d1->next_state = s->s3->tmp.next_state;
778                     s->s3->tmp.next_state = DTLS1_SCTP_ST_SW_WRITE_SOCK;
779                 }
780 #endif
781             }
782             s->init_num = 0;
783             break;
784
785         case SSL_ST_OK:
786             /* clean a few things up */
787             ssl3_cleanup_key_block(s);
788
789             /* remove buffering on output */
790             ssl_free_wbio_buffer(s);
791
792             s->init_num = 0;
793
794             if (s->renegotiate == 2) { /* skipped if we just sent a
795                                         * HelloRequest */
796                 s->renegotiate = 0;
797                 s->new_session = 0;
798
799                 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
800
801                 s->ctx->stats.sess_accept_good++;
802                 /* s->server=1; */
803                 s->handshake_func = dtls1_accept;
804
805                 if (cb != NULL)
806                     cb(s, SSL_CB_HANDSHAKE_DONE, 1);
807             }
808
809             ret = 1;
810
811             /* done handshaking, next message is client hello */
812             s->d1->handshake_read_seq = 0;
813             /* next message is server hello */
814             s->d1->handshake_write_seq = 0;
815             s->d1->next_handshake_write_seq = 0;
816             goto end;
817             /* break; */
818
819         case SSL_ST_ERR:
820         default:
821             SSLerr(SSL_F_DTLS1_ACCEPT, SSL_R_UNKNOWN_STATE);
822             ret = -1;
823             goto end;
824             /* break; */
825         }
826
827         if (!s->s3->tmp.reuse_message && !skip) {
828             if (s->debug) {
829                 if ((ret = BIO_flush(s->wbio)) <= 0)
830                     goto end;
831             }
832
833             if ((cb != NULL) && (s->state != state)) {
834                 new_state = s->state;
835                 s->state = state;
836                 cb(s, SSL_CB_ACCEPT_LOOP, 1);
837                 s->state = new_state;
838             }
839         }
840         skip = 0;
841     }
842  end:
843     /* BIO_flush(s->wbio); */
844
845     s->in_handshake--;
846 #ifndef OPENSSL_NO_SCTP
847     /*
848      * Notify SCTP BIO socket to leave handshake mode and prevent stream
849      * identifier other than 0. Will be ignored if no SCTP is used.
850      */
851     BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
852              s->in_handshake, NULL);
853 #endif
854
855     if (cb != NULL)
856         cb(s, SSL_CB_ACCEPT_EXIT, ret);
857     return (ret);
858 }
859
860 unsigned int dtls1_raw_hello_verify_request(unsigned char *buf,
861                                             unsigned char *cookie,
862                                             unsigned char cookie_len)
863 {
864     unsigned int msg_len;
865     unsigned char *p;
866
867     p = buf;
868     /* Always use DTLS 1.0 version: see RFC 6347 */
869     *(p++) = DTLS1_VERSION >> 8;
870     *(p++) = DTLS1_VERSION & 0xFF;
871
872     *(p++) = (unsigned char)cookie_len;
873     memcpy(p, cookie, cookie_len);
874     p += cookie_len;
875     msg_len = p - buf;
876
877     return msg_len;
878 }
879
880
881 int dtls1_send_hello_verify_request(SSL *s)
882 {
883     unsigned int len;
884     unsigned char *buf;
885
886     if (s->state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A) {
887         buf = (unsigned char *)s->init_buf->data;
888
889         if (s->ctx->app_gen_cookie_cb == NULL ||
890             s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
891                                       &(s->d1->cookie_len)) == 0 ||
892             s->d1->cookie_len > 255) {
893             SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,
894                    SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
895             s->state = SSL_ST_ERR;
896             return 0;
897         }
898
899         len = dtls1_raw_hello_verify_request(&buf[DTLS1_HM_HEADER_LENGTH],
900                                              s->d1->cookie, s->d1->cookie_len);
901
902         dtls1_set_message_header(s, buf, DTLS1_MT_HELLO_VERIFY_REQUEST, len, 0,
903                                  len);
904         len += DTLS1_HM_HEADER_LENGTH;
905
906         s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B;
907         /* number of bytes to write */
908         s->init_num = len;
909         s->init_off = 0;
910     }
911
912     /* s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */
913     return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
914 }