PR: 1833
[openssl.git] / ssl / d1_clnt.c
index c53eae17067e41422aefa8b373d7622530492333..255c19d7614ca6041c68bdf9ef46e3236fa815a4 100644 (file)
@@ -4,7 +4,7 @@
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
  */
 /* ====================================================================
- * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
 
 #include <stdio.h>
 #include "ssl_locl.h"
+#ifndef OPENSSL_NO_KRB5
+#include "kssl_lcl.h"
+#endif
 #include <openssl/buffer.h>
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/md5.h>
+#include <openssl/bn.h>
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
 
-static SSL_METHOD *dtls1_get_client_method(int ver);
+static const SSL_METHOD *dtls1_get_client_method(int ver);
 static int dtls1_get_hello_verify(SSL *s);
 
-static SSL_METHOD *dtls1_get_client_method(int ver)
+static const SSL_METHOD *dtls1_get_client_method(int ver)
        {
-       if (ver == DTLS1_VERSION)
+       if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
                return(DTLSv1_client_method());
        else
                return(NULL);
        }
 
-SSL_METHOD *DTLSv1_client_method(void)
-       {
-       static int init=1;
-       static SSL_METHOD DTLSv1_client_data;
-
-       if (init)
-               {
-               CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
-
-               if (init)
-                       {
-                       memcpy((char *)&DTLSv1_client_data,(char *)dtlsv1_base_method(),
-                               sizeof(SSL_METHOD));
-                       DTLSv1_client_data.ssl_connect=dtls1_connect;
-                       DTLSv1_client_data.get_ssl_method=dtls1_get_client_method;
-                       init=0;
-                       }
-               
-               CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
-               }
-       return(&DTLSv1_client_data);
-       }
+IMPLEMENT_dtls1_meth_func(DTLSv1_client_method,
+                       ssl_undefined_function,
+                       dtls1_connect,
+                       dtls1_get_client_method)
 
 int dtls1_connect(SSL *s)
        {
        BUF_MEM *buf=NULL;
-       unsigned long Time=time(NULL),l;
-       long num1;
+       unsigned long Time=(unsigned long)time(NULL);
        void (*cb)(const SSL *ssl,int type,int val)=NULL;
        int ret= -1;
        int new_state,state,skip=0;;
@@ -183,7 +171,7 @@ int dtls1_connect(SSL *s)
                switch(s->state)
                        {
                case SSL_ST_RENEGOTIATE:
-                       s->new_session=1;
+                       s->renegotiate=1;
                        s->state=SSL_ST_CONNECT;
                        s->ctx->stats.sess_connect_renegotiate++;
                        /* break */
@@ -195,9 +183,10 @@ int dtls1_connect(SSL *s)
                        s->server=0;
                        if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
 
-                       if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00))
+                       if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00) &&
+                           (s->version & 0xff00 ) != (DTLS1_BAD_VER & 0xff00))
                                {
-                               SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR);
+                               SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR);
                                ret = -1;
                                goto end;
                                }
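Review bot: The added second comparison masks `DTLS1_BAD_VER` down to its high byte, so this sanity check accepts any version that shares that byte, whereas `dtls1_get_client_method` earlier in the patch compares the full value. If only the two exact versions are meant to reach the handshake, compare them exactly: `if (s->version != DTLS1_VERSION && s->version != DTLS1_BAD_VER)`. A one-line comment saying why the legacy `DTLS1_BAD_VER` is accepted at all would help anyone auditing version negotiation. The body of `dtls1_connect` starts and ends outside this hunk.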
@@ -228,17 +217,24 @@ int dtls1_connect(SSL *s)
 
                        /* don't push the buffering BIO quite yet */
 
-                       ssl3_init_finished_mac(s);
-
                        s->state=SSL3_ST_CW_CLNT_HELLO_A;
                        s->ctx->stats.sess_connect++;
                        s->init_num=0;
+                       /* mark client_random uninitialized */
+                       memset(s->s3->client_random,0,sizeof(s->s3->client_random));
+                       s->d1->send_cookie = 0;
+                       s->hit = 0;
                        break;
 
                case SSL3_ST_CW_CLNT_HELLO_A:
                case SSL3_ST_CW_CLNT_HELLO_B:
 
                        s->shutdown=0;
+
+                       /* every DTLS ClientHello resets Finished MAC */
+                       ssl3_init_finished_mac(s);
+
+                       dtls1_start_timer(s);
                        ret=dtls1_client_hello(s);
                        if (ret <= 0) goto end;
 
@@ -264,6 +260,7 @@ int dtls1_connect(SSL *s)
                        if (ret <= 0) goto end;
                        else
                                {
+                               dtls1_stop_timer(s);
                                if (s->hit)
                                        s->state=SSL3_ST_CR_FINISHED_A;
                                else
@@ -278,6 +275,7 @@ int dtls1_connect(SSL *s)
                        ret = dtls1_get_hello_verify(s);
                        if ( ret <= 0)
                                goto end;
+                       dtls1_stop_timer(s);
                        if ( s->d1->send_cookie) /* start again, with a cookie */
                                s->state=SSL3_ST_CW_CLNT_HELLO_A;
                        else
@@ -287,15 +285,44 @@ int dtls1_connect(SSL *s)
 
                case SSL3_ST_CR_CERT_A:
                case SSL3_ST_CR_CERT_B:
-                       /* Check if it is anon DH */
-                       if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
+#ifndef OPENSSL_NO_TLSEXT
+                       ret=ssl3_check_finished(s);
+                       if (ret <= 0) goto end;
+                       if (ret == 2)
+                               {
+                               s->hit = 1;
+                               if (s->tlsext_ticket_expected)
+                                       s->state=SSL3_ST_CR_SESSION_TICKET_A;
+                               else
+                                       s->state=SSL3_ST_CR_FINISHED_A;
+                               s->init_num=0;
+                               break;
+                               }
+#endif
+                       /* Check if it is anon DH or PSK */
+                       if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
+                           !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
                                {
                                ret=ssl3_get_server_certificate(s);
                                if (ret <= 0) goto end;
+#ifndef OPENSSL_NO_TLSEXT
+                               if (s->tlsext_status_expected)
+                                       s->state=SSL3_ST_CR_CERT_STATUS_A;
+                               else
+                                       s->state=SSL3_ST_CR_KEY_EXCH_A;
+                               }
+                       else
+                               {
+                               skip = 1;
+                               s->state=SSL3_ST_CR_KEY_EXCH_A;
+                               }
+#else
                                }
                        else
                                skip=1;
+
                        s->state=SSL3_ST_CR_KEY_EXCH_A;
+#endif
                        s->init_num=0;
                        break;
 
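Review bot: In the `SSL3_ST_CR_CERT_A` case the `if`/`else` is closed by different braces in the `#ifndef OPENSSL_NO_TLSEXT` and `#else` branches, so neither configuration can be brace-matched without mentally running the preprocessor. Keeping one unconditional `if`/`else skip=1;` followed by `s->state=SSL3_ST_CR_KEY_EXCH_A;`, and then overriding inside the guard with `if (!skip && s->tlsext_status_expected) s->state=SSL3_ST_CR_CERT_STATUS_A;`, should give the same transitions, provided `skip` is zero on entry (its reset is outside this hunk). A short comment on the `ret == 2` branch saying what that return value of `ssl3_check_finished` means would also help, since the code treats it as a resumed session without stating so.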
@@ -339,6 +366,7 @@ int dtls1_connect(SSL *s)
                case SSL3_ST_CW_CERT_B:
                case SSL3_ST_CW_CERT_C:
                case SSL3_ST_CW_CERT_D:
+                       dtls1_start_timer(s);
                        ret=dtls1_send_client_certificate(s);
                        if (ret <= 0) goto end;
                        s->state=SSL3_ST_CW_KEY_EXCH_A;
@@ -347,9 +375,9 @@ int dtls1_connect(SSL *s)
 
                case SSL3_ST_CW_KEY_EXCH_A:
                case SSL3_ST_CW_KEY_EXCH_B:
+                       dtls1_start_timer(s);
                        ret=dtls1_send_client_key_exchange(s);
                        if (ret <= 0) goto end;
-                       l=s->s3->tmp.new_cipher->algorithms;
                        /* EAY EAY EAY need to check for DH fix cert
                         * sent back */
                        /* For TLS, cert_req is set to 2, so a cert chain
@@ -369,6 +397,7 @@ int dtls1_connect(SSL *s)
 
                case SSL3_ST_CW_CERT_VRFY_A:
                case SSL3_ST_CW_CERT_VRFY_B:
+                       dtls1_start_timer(s);
                        ret=dtls1_send_client_verify(s);
                        if (ret <= 0) goto end;
                        s->state=SSL3_ST_CW_CHANGE_A;
@@ -378,6 +407,7 @@ int dtls1_connect(SSL *s)
 
                case SSL3_ST_CW_CHANGE_A:
                case SSL3_ST_CW_CHANGE_B:
+                       dtls1_start_timer(s);
                        ret=dtls1_send_change_cipher_spec(s,
                                SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
                        if (ret <= 0) goto end;
@@ -385,11 +415,15 @@ int dtls1_connect(SSL *s)
                        s->init_num=0;
 
                        s->session->cipher=s->s3->tmp.new_cipher;
+#ifdef OPENSSL_NO_COMP
+                       s->session->compress_meth=0;
+#else
                        if (s->s3->tmp.new_compression == NULL)
                                s->session->compress_meth=0;
                        else
                                s->session->compress_meth=
                                        s->s3->tmp.new_compression->id;
+#endif
                        if (!s->method->ssl3_enc->setup_key_block(s))
                                {
                                ret= -1;
@@ -408,6 +442,7 @@ int dtls1_connect(SSL *s)
 
                case SSL3_ST_CW_FINISHED_A:
                case SSL3_ST_CW_FINISHED_B:
+                       dtls1_start_timer(s);
                        ret=dtls1_send_finished(s,
                                SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
                                s->method->ssl3_enc->client_finished_label,
@@ -429,17 +464,43 @@ int dtls1_connect(SSL *s)
                                }
                        else
                                {
+#ifndef OPENSSL_NO_TLSEXT
+                               /* Allow NewSessionTicket if ticket expected */
+                               if (s->tlsext_ticket_expected)
+                                       s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A;
+                               else
+#endif
+                               
                                s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
                                }
                        s->init_num=0;
                        break;
 
+#ifndef OPENSSL_NO_TLSEXT
+               case SSL3_ST_CR_SESSION_TICKET_A:
+               case SSL3_ST_CR_SESSION_TICKET_B:
+                       ret=ssl3_get_new_session_ticket(s);
+                       if (ret <= 0) goto end;
+                       s->state=SSL3_ST_CR_FINISHED_A;
+                       s->init_num=0;
+               break;
+
+               case SSL3_ST_CR_CERT_STATUS_A:
+               case SSL3_ST_CR_CERT_STATUS_B:
+                       ret=ssl3_get_cert_status(s);
+                       if (ret <= 0) goto end;
+                       s->state=SSL3_ST_CR_KEY_EXCH_A;
+                       s->init_num=0;
+               break;
+#endif
+
                case SSL3_ST_CR_FINISHED_A:
                case SSL3_ST_CR_FINISHED_B:
-
+                       s->d1->change_cipher_spec_ok = 1;
                        ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
                                SSL3_ST_CR_FINISHED_B);
                        if (ret <= 0) goto end;
+                       dtls1_stop_timer(s);
 
                        if (s->hit)
                                s->state=SSL3_ST_CW_CHANGE_A;
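Review bot: The `else` added under `#ifndef OPENSSL_NO_TLSEXT` has no statement of its own; it binds to the `s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;` assignment that sits after the `#endif` and a whitespace-only line, so any statement later inserted between them silently changes which state follows the client Finished. Assigning the default first and overriding inside the guard avoids that: keep `s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;` and follow it with the guarded `if (s->tlsext_ticket_expected) s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A;`. Separately, `s->d1->change_cipher_spec_ok = 1;` is set without a comment. Where the flag is cleared is not visible here, so a line stating what it permits and when it is reset would be worth adding.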
@@ -449,16 +510,13 @@ int dtls1_connect(SSL *s)
                        break;
 
                case SSL3_ST_CW_FLUSH:
-                       /* number of bytes to be flushed */
-                       num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
-                       if (num1 > 0)
+                       s->rwstate=SSL_WRITING;
+                       if (BIO_flush(s->wbio) <= 0)
                                {
-                               s->rwstate=SSL_WRITING;
-                               num1=BIO_flush(s->wbio);
-                               if (num1 <= 0) { ret= -1; goto end; }
-                               s->rwstate=SSL_NOTHING;
+                               ret= -1;
+                               goto end;
                                }
-
+                       s->rwstate=SSL_NOTHING;
                        s->state=s->s3->tmp.next_state;
                        break;
 
@@ -481,6 +539,7 @@ int dtls1_connect(SSL *s)
                        /* else do it later in ssl3_write */
 
                        s->init_num=0;
+                       s->renegotiate=0;
                        s->new_session=0;
 
                        ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
@@ -495,11 +554,12 @@ int dtls1_connect(SSL *s)
 
                        /* done with handshaking */
                        s->d1->handshake_read_seq  = 0;
+                       s->d1->next_handshake_write_seq = 0;
                        goto end;
                        /* break; */
                        
                default:
-                       SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE);
+                       SSLerr(SSL_F_DTLS1_CONNECT,SSL_R_UNKNOWN_STATE);
                        ret= -1;
                        goto end;
                        /* break; */
@@ -537,15 +597,21 @@ int dtls1_client_hello(SSL *s)
        {
        unsigned char *buf;
        unsigned char *p,*d;
-       int i,j;
+       unsigned int i,j;
        unsigned long Time,l;
        SSL_COMP *comp;
 
        buf=(unsigned char *)s->init_buf->data;
        if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
                {
+               SSL_SESSION *sess = s->session;
                if ((s->session == NULL) ||
                        (s->session->ssl_version != s->version) ||
+#ifdef OPENSSL_NO_TLSEXT
+                       !sess->session_id_length ||
+#else
+                       (!sess->session_id_length && !sess->tlsext_tick) ||
+#endif
                        (s->session->not_resumable))
                        {
                        if (!ssl_get_new_session(s,0))
@@ -554,9 +620,16 @@ int dtls1_client_hello(SSL *s)
                /* else use the pre-loaded session */
 
                p=s->s3->client_random;
-               Time=time(NULL);                        /* Time */
-               l2n(Time,p);
-               RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
+
+               /* if client_random is initialized, reuse it, we are
+                * required to use same upon reply to HelloVerify */
+               for (i=0;p[i]=='\0' && i<sizeof(s->s3->client_random);i++) ;
+               if (i==sizeof(s->s3->client_random))
+                       {
+                       Time=(unsigned long)time(NULL); /* Time */
+                       l2n(Time,p);
+                       RAND_pseudo_bytes(p,sizeof(s->s3->client_random)-4);
+                       }
 
                /* Do the message type and length last */
                d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
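Review bot: The scan for an all-zero `client_random` tests `p[i]=='\0'` before `i<sizeof(s->s3->client_random)`, so when every byte is zero (the state the `memset` added in `dtls1_connect` creates) it reads one byte past the array before the bound stops the loop. Swap the operands: `for (i=0;i<sizeof(s->s3->client_random) && p[i]=='\0';i++) ;`. The return value of `RAND_pseudo_bytes` is also ignored, and that call does not promise cryptographically strong output. For a handshake nonce I would use `RAND_bytes` and fail on error, e.g. `if (RAND_bytes(p,sizeof(s->s3->client_random)-4) <= 0) goto err;`. The literal `4` matches the bytes `l2n` has just written and deserves a comment saying so.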
@@ -579,7 +652,7 @@ int dtls1_client_hello(SSL *s)
                        {
                        if (i > sizeof s->session->session_id)
                                {
-                               SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+                               SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
                                goto err;
                                }
                        memcpy(p,s->session->session_id,i);
@@ -589,7 +662,7 @@ int dtls1_client_hello(SSL *s)
                /* cookie stuff */
                if ( s->d1->cookie_len > sizeof(s->d1->cookie))
                        {
-                       SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+                       SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
                        goto err;
                        }
                *(p++) = s->d1->cookie_len;
@@ -597,10 +670,10 @@ int dtls1_client_hello(SSL *s)
                p += s->d1->cookie_len;
 
                /* Ciphers supported */
-               i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]));
+               i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0);
                if (i == 0)
                        {
-                       SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
+                       SSLerr(SSL_F_DTLS1_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
                        goto err;
                        }
                s2n(i,p);
@@ -618,7 +691,15 @@ int dtls1_client_hello(SSL *s)
                        *(p++)=comp->id;
                        }
                *(p++)=0; /* Add the NULL method */
-               
+
+#ifndef OPENSSL_NO_TLSEXT
+               if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
+                       {
+                       SSLerr(SSL_F_DTLS1_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
+                       goto err;
+                       }
+#endif         
+
                l=(p-d);
                d=buf;
 
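Review bot: The limit passed to `ssl_add_clienthello_tlsext`, `buf+SSL3_RT_MAX_PLAIN_LENGTH`, is only a valid bound if `s->init_buf` was allocated with at least that many bytes, and the allocation is not visible in this hunk. Please confirm that and record it next to the call, for example `/* init_buf must hold SSL3_RT_MAX_PLAIN_LENGTH bytes; extensions may not extend past it */`. The fields written before this point (session id, cookie, cipher list, compression methods) are not checked against the same limit in the visible lines, so the extension writer is the only bounded step here. `dtls1_client_hello` continues outside the hunk.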
@@ -665,7 +746,7 @@ static int dtls1_get_hello_verify(SSL *s)
 
        if ((data[0] != (s->version>>8)) || (data[1] != (s->version&0xff)))
                {
-               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION);
+               SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY,SSL_R_WRONG_SSL_VERSION);
                s->version=(s->version&0xff00)|data[1];
                al = SSL_AD_PROTOCOL_VERSION;
                goto f_err;
@@ -694,7 +775,7 @@ int dtls1_send_client_key_exchange(SSL *s)
        {
        unsigned char *p,*d;
        int n;
-       unsigned long l;
+       unsigned long alg_k;
 #ifndef OPENSSL_NO_RSA
        unsigned char *q;
        EVP_PKEY *pkey=NULL;
@@ -702,18 +783,26 @@ int dtls1_send_client_key_exchange(SSL *s)
 #ifndef OPENSSL_NO_KRB5
         KSSL_ERR kssl_err;
 #endif /* OPENSSL_NO_KRB5 */
+#ifndef OPENSSL_NO_ECDH
+       EC_KEY *clnt_ecdh = NULL;
+       const EC_POINT *srvr_ecpoint = NULL;
+       EVP_PKEY *srvr_pub_pkey = NULL;
+       unsigned char *encodedPoint = NULL;
+       int encoded_pt_len = 0;
+       BN_CTX * bn_ctx = NULL;
+#endif
 
        if (s->state == SSL3_ST_CW_KEY_EXCH_A)
                {
                d=(unsigned char *)s->init_buf->data;
                p= &(d[DTLS1_HM_HEADER_LENGTH]);
-
-               l=s->s3->tmp.new_cipher->algorithms;
+               
+               alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
 
                 /* Fool emacs indentation */
                 if (0) {}
 #ifndef OPENSSL_NO_RSA
-               else if (l & SSL_kRSA)
+               else if (alg_k & SSL_kRSA)
                        {
                        RSA *rsa;
                        unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
@@ -727,7 +816,7 @@ int dtls1_send_client_key_exchange(SSL *s)
                                        (pkey->type != EVP_PKEY_RSA) ||
                                        (pkey->pkey.rsa == NULL))
                                        {
-                                       SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
+                                       SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
                                        goto err;
                                        }
                                rsa=pkey->pkey.rsa;
@@ -742,7 +831,7 @@ int dtls1_send_client_key_exchange(SSL *s)
                        s->session->master_key_length=sizeof tmp_buf;
 
                        q=p;
-                       /* Fix buf for TLS and beyond */
+                       /* Fix buf for TLS and [incidentally] DTLS */
                        if (s->version > SSL3_VERSION)
                                p+=2;
                        n=RSA_public_encrypt(sizeof tmp_buf,
@@ -753,11 +842,11 @@ int dtls1_send_client_key_exchange(SSL *s)
 #endif
                        if (n <= 0)
                                {
-                               SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
+                               SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
                                goto err;
                                }
 
-                       /* Fix buf for TLS and beyond */
+                       /* Fix buf for TLS and [incidentally] DTLS */
                        if (s->version > SSL3_VERSION)
                                {
                                s2n(n,q);
@@ -772,7 +861,7 @@ int dtls1_send_client_key_exchange(SSL *s)
                        }
 #endif
 #ifndef OPENSSL_NO_KRB5
-               else if (l & SSL_kKRB5)
+               else if (alg_k & SSL_kKRB5)
                         {
                         krb5_error_code        krb5rc;
                         KSSL_CTX       *kssl_ctx = s->kssl_ctx;
@@ -780,7 +869,7 @@ int dtls1_send_client_key_exchange(SSL *s)
                         krb5_data      *enc_ticket;
                         krb5_data      authenticator, *authp = NULL;
                        EVP_CIPHER_CTX  ciph_ctx;
-                       EVP_CIPHER      *enc = NULL;
+                       const EVP_CIPHER *enc = NULL;
                        unsigned char   iv[EVP_MAX_IV_LENGTH];
                        unsigned char   tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
                        unsigned char   epms[SSL_MAX_MASTER_KEY_LENGTH 
@@ -791,7 +880,7 @@ int dtls1_send_client_key_exchange(SSL *s)
 
 #ifdef KSSL_DEBUG
                         printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
-                                l, SSL_kKRB5);
+                                alg_k, SSL_kKRB5);
 #endif /* KSSL_DEBUG */
 
                        authp = NULL;
@@ -816,7 +905,7 @@ int dtls1_send_client_key_exchange(SSL *s)
                                 {
                                 ssl3_send_alert(s,SSL3_AL_FATAL,
                                                SSL_AD_HANDSHAKE_FAILURE);
-                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+                                SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
                                                kssl_err.reason);
                                 goto err;
                                 }
@@ -881,9 +970,9 @@ int dtls1_send_client_key_exchange(SSL *s)
                                sizeof tmp_buf);
                        EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl);
                        outl += padl;
-                       if (outl > sizeof epms)
+                       if (outl > (int)sizeof epms)
                                {
-                               SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+                               SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
                                goto err;
                                }
                        EVP_CIPHER_CTX_cleanup(&ciph_ctx);
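Review bot: The `outl > (int)sizeof epms` test runs only after `EVP_EncryptFinal_ex` has already written at `&(epms[outl])`, so it can report an overrun but not prevent one, and the return value of that call is not checked. The `goto err` taken here also skips the `EVP_CIPHER_CTX_cleanup(&ciph_ctx);` on the following line, which leaves the cipher context and its key material initialised on the failure path unless the `err` label, outside this hunk, handles it. I would call `EVP_CIPHER_CTX_cleanup(&ciph_ctx);` before the `SSLerr` in this branch and add a comment stating the size assumption behind `epms`. The Kerberos branch of `dtls1_send_client_key_exchange` starts and ends outside the hunk.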
@@ -904,7 +993,7 @@ int dtls1_send_client_key_exchange(SSL *s)
                         }
 #endif
 #ifndef OPENSSL_NO_DH
-               else if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
+               else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
                        {
                        DH *dh_srvr,*dh_clnt;
 
@@ -914,19 +1003,19 @@ int dtls1_send_client_key_exchange(SSL *s)
                                {
                                /* we get them from the cert */
                                ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
-                               SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
+                               SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
                                goto err;
                                }
                        
                        /* generate a new random key */
                        if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
                                {
-                               SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
+                               SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
                                goto err;
                                }
                        if (!DH_generate_key(dh_clnt))
                                {
-                               SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
+                               SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
                                goto err;
                                }
 
@@ -937,7 +1026,7 @@ int dtls1_send_client_key_exchange(SSL *s)
 
                        if (n <= 0)
                                {
-                               SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
+                               SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
                                goto err;
                                }
 
@@ -958,11 +1047,279 @@ int dtls1_send_client_key_exchange(SSL *s)
 
                        /* perhaps clean things up a bit EAY EAY EAY EAY*/
                        }
+#endif
+#ifndef OPENSSL_NO_ECDH 
+               else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe))
+                       {
+                       const EC_GROUP *srvr_group = NULL;
+                       EC_KEY *tkey;
+                       int ecdh_clnt_cert = 0;
+                       int field_size = 0;
+
+                       /* Did we send out the client's
+                        * ECDH share for use in premaster
+                        * computation as part of client certificate?
+                        * If so, set ecdh_clnt_cert to 1.
+                        */
+                       if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) 
+                               {
+                               /* XXX: For now, we do not support client
+                                * authentication using ECDH certificates.
+                                * To add such support, one needs to add
+                                * code that checks for appropriate 
+                                * conditions and sets ecdh_clnt_cert to 1.
+                                * For example, the cert have an ECC
+                                * key on the same curve as the server's
+                                * and the key should be authorized for
+                                * key agreement.
+                                *
+                                * One also needs to add code in ssl3_connect
+                                * to skip sending the certificate verify
+                                * message.
+                                *
+                                * if ((s->cert->key->privatekey != NULL) &&
+                                *     (s->cert->key->privatekey->type ==
+                                *      EVP_PKEY_EC) && ...)
+                                * ecdh_clnt_cert = 1;
+                                */
+                               }
+
+                       if (s->session->sess_cert->peer_ecdh_tmp != NULL)
+                               {
+                               tkey = s->session->sess_cert->peer_ecdh_tmp;
+                               }
+                       else
+                               {
+                               /* Get the Server Public Key from Cert */
+                               srvr_pub_pkey = X509_get_pubkey(s->session-> \
+                                   sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
+                               if ((srvr_pub_pkey == NULL) ||
+                                   (srvr_pub_pkey->type != EVP_PKEY_EC) ||
+                                   (srvr_pub_pkey->pkey.ec == NULL))
+                                       {
+                                       SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
+                                           ERR_R_INTERNAL_ERROR);
+                                       goto err;
+                                       }
+
+                               tkey = srvr_pub_pkey->pkey.ec;
+                               }
+
+                       srvr_group   = EC_KEY_get0_group(tkey);
+                       srvr_ecpoint = EC_KEY_get0_public_key(tkey);
+
+                       if ((srvr_group == NULL) || (srvr_ecpoint == NULL))
+                               {
+                               SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
+                                   ERR_R_INTERNAL_ERROR);
+                               goto err;
+                               }
+
+                       if ((clnt_ecdh=EC_KEY_new()) == NULL) 
+                               {
+                               SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
+                               goto err;
+                               }
+
+                       if (!EC_KEY_set_group(clnt_ecdh, srvr_group))
+                               {
+                               SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
+                               goto err;
+                               }
+                       if (ecdh_clnt_cert) 
+                               { 
+                               /* Reuse key info from our certificate
+                                * We only need our private key to perform
+                                * the ECDH computation.
+                                */
+                               const BIGNUM *priv_key;
+                               tkey = s->cert->key->privatekey->pkey.ec;
+                               priv_key = EC_KEY_get0_private_key(tkey);
+                               if (priv_key == NULL)
+                                       {
+                                       SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
+                                       goto err;
+                                       }
+                               if (!EC_KEY_set_private_key(clnt_ecdh, priv_key))
+                                       {
+                                       SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
+                                       goto err;
+                                       }
+                               }
+                       else 
+                               {
+                               /* Generate a new ECDH key pair */
+                               if (!(EC_KEY_generate_key(clnt_ecdh)))
+                                       {
+                                       SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
+                                       goto err;
+                                       }
+                               }
+
+                       /* use the 'p' output buffer for the ECDH key, but
+                        * make sure to clear it out afterwards
+                        */
+
+                       field_size = EC_GROUP_get_degree(srvr_group);
+                       if (field_size <= 0)
+                               {
+                               SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 
+                                      ERR_R_ECDH_LIB);
+                               goto err;
+                               }
+                       n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL);
+                       if (n <= 0)
+                               {
+                               SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 
+                                      ERR_R_ECDH_LIB);
+                               goto err;
+                               }
+
+                       /* generate master key from the result */
+                       s->session->master_key_length = s->method->ssl3_enc \
+                           -> generate_master_secret(s, 
+                               s->session->master_key,
+                               p, n);
+
+                       memset(p, 0, n); /* clean up */
+
+                       if (ecdh_clnt_cert) 
+                               {
+                               /* Send empty client key exch message */
+                               n = 0;
+                               }
+                       else 
+                               {
+                               /* First check the size of encoding and
+                                * allocate memory accordingly.
+                                */
+                               encoded_pt_len = 
+                                   EC_POINT_point2oct(srvr_group, 
+                                       EC_KEY_get0_public_key(clnt_ecdh), 
+                                       POINT_CONVERSION_UNCOMPRESSED, 
+                                       NULL, 0, NULL);
+
+                               encodedPoint = (unsigned char *) 
+                                   OPENSSL_malloc(encoded_pt_len * 
+                                       sizeof(unsigned char)); 
+                               bn_ctx = BN_CTX_new();
+                               if ((encodedPoint == NULL) || 
+                                   (bn_ctx == NULL)) 
+                                       {
+                                       SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
+                                       goto err;
+                                       }
+
+                               /* Encode the public key */
+                               n = EC_POINT_point2oct(srvr_group, 
+                                   EC_KEY_get0_public_key(clnt_ecdh), 
+                                   POINT_CONVERSION_UNCOMPRESSED, 
+                                   encodedPoint, encoded_pt_len, bn_ctx);
+
+                               *p = n; /* length of encoded point */
+                               /* Encoded point will be copied here */
+                               p += 1; 
+                               /* copy the point */
+                               memcpy((unsigned char *)p, encodedPoint, n);
+                               /* increment n to account for length field */
+                               n += 1; 
+                               }
+
+                       /* Free allocated memory */
+                       BN_CTX_free(bn_ctx);
+                       if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
+                       if (clnt_ecdh != NULL) 
+                                EC_KEY_free(clnt_ecdh);
+                       EVP_PKEY_free(srvr_pub_pkey);
+                       }
+#endif /* !OPENSSL_NO_ECDH */
+
+#ifndef OPENSSL_NO_PSK
+               else if (alg_k & SSL_kPSK)
+                       {
+                       char identity[PSK_MAX_IDENTITY_LEN];
+                       unsigned char *t = NULL;
+                       unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4];
+                       unsigned int pre_ms_len = 0, psk_len = 0;
+                       int psk_err = 1;
+
+                       n = 0;
+                       if (s->psk_client_callback == NULL)
+                               {
+                               SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
+                                       SSL_R_PSK_NO_CLIENT_CB);
+                               goto err;
+                               }
+
+                       psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint,
+                               identity, PSK_MAX_IDENTITY_LEN,
+                               psk_or_pre_ms, sizeof(psk_or_pre_ms));
+                       if (psk_len > PSK_MAX_PSK_LEN)
+                               {
+                               SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
+                                       ERR_R_INTERNAL_ERROR);
+                               goto psk_err;
+                               }
+                       else if (psk_len == 0)
+                               {
+                               SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
+                                       SSL_R_PSK_IDENTITY_NOT_FOUND);
+                               goto psk_err;
+                               }
+
+                       /* create PSK pre_master_secret */
+                       pre_ms_len = 2+psk_len+2+psk_len;
+                       t = psk_or_pre_ms;
+                       memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len);
+                       s2n(psk_len, t);
+                       memset(t, 0, psk_len);
+                       t+=psk_len;
+                       s2n(psk_len, t);
+
+                       if (s->session->psk_identity_hint != NULL)
+                               OPENSSL_free(s->session->psk_identity_hint);
+                       s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint);
+                       if (s->ctx->psk_identity_hint != NULL &&
+                               s->session->psk_identity_hint == NULL)
+                               {
+                               SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
+                                       ERR_R_MALLOC_FAILURE);
+                               goto psk_err;
+                               }
+
+                       if (s->session->psk_identity != NULL)
+                               OPENSSL_free(s->session->psk_identity);
+                       s->session->psk_identity = BUF_strdup(identity);
+                       if (s->session->psk_identity == NULL)
+                               {
+                               SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
+                                       ERR_R_MALLOC_FAILURE);
+                               goto psk_err;
+                               }
+
+                       s->session->master_key_length =
+                               s->method->ssl3_enc->generate_master_secret(s,
+                                       s->session->master_key,
+                                       psk_or_pre_ms, pre_ms_len); 
+                       n = strlen(identity);
+                       s2n(n, p);
+                       memcpy(p, identity, n);
+                       n+=2;
+                       psk_err = 0;
+               psk_err:
+                       OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN);
+                       OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
+                       if (psk_err != 0)
+                               {
+                               ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
+                               goto err;
+                               }
+                       }
 #endif
                else
                        {
                        ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
-                       SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
+                       SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
                        goto err;
                        }
                
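Review bot: The PSK branch treats `identity` as a C string without guaranteeing a terminator: the array is uninitialised, the callback is told it may write all `PSK_MAX_IDENTITY_LEN` bytes, and the result then goes to `BUF_strdup(identity)`, `strlen(identity)` and `memcpy(p, identity, n)`. A callback that fills the buffer completely would make those calls read past the array and copy adjacent stack bytes into the outgoing message. Declaring `char identity[PSK_MAX_IDENTITY_LEN+1];` and adding `memset(identity, 0, sizeof(identity));` before the callback closes this, with the final cleanse switched to `sizeof(identity)`. Separately, the ECDH branch wipes the shared secret with a plain `memset(p, 0, n)`, which a compiler may elide, while the PSK branch already uses `OPENSSL_cleanse`; the same call would fit there. dtls1_send_client_key_exchange begins and ends outside this hunk.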
@@ -987,6 +1344,13 @@ int dtls1_send_client_key_exchange(SSL *s)
        /* SSL3_ST_CW_KEY_EXCH_B */
        return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
 err:
+#ifndef OPENSSL_NO_ECDH
+       BN_CTX_free(bn_ctx);
+       if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
+       if (clnt_ecdh != NULL) 
+               EC_KEY_free(clnt_ecdh);
+       EVP_PKEY_free(srvr_pub_pkey);
+#endif
        return(-1);
        }
 
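Review bot: The cleanup added under `err:` releases `bn_ctx`, `encodedPoint`, `clnt_ecdh` and `srvr_pub_pkey`, but the ECDH branch in the previous hunk already frees the same four on its success path and leaves the pointers dangling. No jump to `err` after that branch is visible in these hunks, though the code between the key-exchange chain and this label is not shown, so the double free is only a latent hazard. Resetting each pointer right after its free in the branch (for example `clnt_ecdh = NULL;`) would keep the label safe whatever is added later. The label also depends on all four variables being initialised to NULL at their declarations, which lie outside this hunk.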
@@ -999,7 +1363,7 @@ int dtls1_send_client_verify(SSL *s)
        unsigned u=0;
 #endif
        unsigned long n;
-#ifndef OPENSSL_NO_DSA
+#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
        int j;
 #endif
 
@@ -1009,19 +1373,21 @@ int dtls1_send_client_verify(SSL *s)
                p= &(d[DTLS1_HM_HEADER_LENGTH]);
                pkey=s->cert->key->privatekey;
 
-               s->method->ssl3_enc->cert_verify_mac(s,&(s->s3->finish_dgst2),
+               s->method->ssl3_enc->cert_verify_mac(s,
+               NID_sha1,
                        &(data[MD5_DIGEST_LENGTH]));
 
 #ifndef OPENSSL_NO_RSA
                if (pkey->type == EVP_PKEY_RSA)
                        {
                        s->method->ssl3_enc->cert_verify_mac(s,
-                               &(s->s3->finish_dgst1),&(data[0]));
+                               NID_md5,
+                               &(data[0]));
                        if (RSA_sign(NID_md5_sha1, data,
                                         MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
                                        &(p[2]), &u, pkey->pkey.rsa) <= 0 )
                                {
-                               SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
+                               SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
                                goto err;
                                }
                        s2n(u,p);
@@ -1037,7 +1403,24 @@ int dtls1_send_client_verify(SSL *s)
                                SHA_DIGEST_LENGTH,&(p[2]),
                                (unsigned int *)&j,pkey->pkey.dsa))
                                {
-                               SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
+                               SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
+                               goto err;
+                               }
+                       s2n(j,p);
+                       n=j+2;
+                       }
+               else
+#endif
+#ifndef OPENSSL_NO_ECDSA
+                       if (pkey->type == EVP_PKEY_EC)
+                       {
+                       if (!ECDSA_sign(pkey->save_type,
+                               &(data[MD5_DIGEST_LENGTH]),
+                               SHA_DIGEST_LENGTH,&(p[2]),
+                               (unsigned int *)&j,pkey->pkey.ec))
+                               {
+                               SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,
+                                   ERR_R_ECDSA_LIB);
                                goto err;
                                }
                        s2n(j,p);
@@ -1046,7 +1429,7 @@ int dtls1_send_client_verify(SSL *s)
                else
 #endif
                        {
-                       SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR);
+                       SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR);
                        goto err;
                        }
 
@@ -1092,8 +1475,7 @@ int dtls1_send_client_certificate(SSL *s)
                 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
                 * We then get retied later */
                i=0;
-               if (s->ctx->client_cert_cb != NULL)
-                       i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
+               i = ssl_do_client_cert_cb(s, &x509, &pkey);
                if (i < 0)
                        {
                        s->rwstate=SSL_X509_LOOKUP;
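Review bot: The `i=0;` left above the new call is now a dead store, since `i = ssl_do_client_cert_cb(s, &x509, &pkey);` assigns unconditionally; the old code needed it only for the case where no callback was set. The removed NULL check on `s->ctx->client_cert_cb` presumably moved into the helper, but its definition is not on this page, so a short comment at the call would help, e.g. `/* helper handles a NULL client_cert_cb; TODO confirm it returns 0 in that case */`. The surrounding function continues outside the hunk.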
@@ -1110,7 +1492,7 @@ int dtls1_send_client_certificate(SSL *s)
                else if (i == 1)
                        {
                        i=0;
-                       SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
+                       SSLerr(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
                        }
 
                if (x509 != NULL) X509_free(x509);