12139Sjp161948 /* ssl/d1_clnt.c */
22139Sjp161948 /*
32139Sjp161948 * DTLS implementation written by Nagendra Modadugu
42139Sjp161948 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
52139Sjp161948 */
62139Sjp161948 /* ====================================================================
72139Sjp161948 * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
82139Sjp161948 *
92139Sjp161948 * Redistribution and use in source and binary forms, with or without
102139Sjp161948 * modification, are permitted provided that the following conditions
112139Sjp161948 * are met:
122139Sjp161948 *
132139Sjp161948 * 1. Redistributions of source code must retain the above copyright
142139Sjp161948 * notice, this list of conditions and the following disclaimer.
152139Sjp161948 *
162139Sjp161948 * 2. Redistributions in binary form must reproduce the above copyright
172139Sjp161948 * notice, this list of conditions and the following disclaimer in
182139Sjp161948 * the documentation and/or other materials provided with the
192139Sjp161948 * distribution.
202139Sjp161948 *
212139Sjp161948 * 3. All advertising materials mentioning features or use of this
222139Sjp161948 * software must display the following acknowledgment:
232139Sjp161948 * "This product includes software developed by the OpenSSL Project
242139Sjp161948 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
252139Sjp161948 *
262139Sjp161948 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
272139Sjp161948 * endorse or promote products derived from this software without
282139Sjp161948 * prior written permission. For written permission, please contact
292139Sjp161948 * openssl-core@OpenSSL.org.
302139Sjp161948 *
312139Sjp161948 * 5. Products derived from this software may not be called "OpenSSL"
322139Sjp161948 * nor may "OpenSSL" appear in their names without prior written
332139Sjp161948 * permission of the OpenSSL Project.
342139Sjp161948 *
352139Sjp161948 * 6. Redistributions of any form whatsoever must retain the following
362139Sjp161948 * acknowledgment:
372139Sjp161948 * "This product includes software developed by the OpenSSL Project
382139Sjp161948 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
392139Sjp161948 *
402139Sjp161948 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
412139Sjp161948 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
422139Sjp161948 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
432139Sjp161948 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
442139Sjp161948 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
452139Sjp161948 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
462139Sjp161948 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
472139Sjp161948 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
482139Sjp161948 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
492139Sjp161948 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
502139Sjp161948 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
512139Sjp161948 * OF THE POSSIBILITY OF SUCH DAMAGE.
522139Sjp161948 * ====================================================================
532139Sjp161948 *
542139Sjp161948 * This product includes cryptographic software written by Eric Young
552139Sjp161948 * (eay@cryptsoft.com). This product includes software written by Tim
562139Sjp161948 * Hudson (tjh@cryptsoft.com).
572139Sjp161948 *
582139Sjp161948 */
592139Sjp161948 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
602139Sjp161948 * All rights reserved.
612139Sjp161948 *
622139Sjp161948 * This package is an SSL implementation written
632139Sjp161948 * by Eric Young (eay@cryptsoft.com).
642139Sjp161948 * The implementation was written so as to conform with Netscapes SSL.
652139Sjp161948 *
662139Sjp161948 * This library is free for commercial and non-commercial use as long as
672139Sjp161948 * the following conditions are aheared to. The following conditions
682139Sjp161948 * apply to all code found in this distribution, be it the RC4, RSA,
692139Sjp161948 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
702139Sjp161948 * included with this distribution is covered by the same copyright terms
712139Sjp161948 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
722139Sjp161948 *
732139Sjp161948 * Copyright remains Eric Young's, and as such any Copyright notices in
742139Sjp161948 * the code are not to be removed.
752139Sjp161948 * If this package is used in a product, Eric Young should be given attribution
762139Sjp161948 * as the author of the parts of the library used.
772139Sjp161948 * This can be in the form of a textual message at program startup or
782139Sjp161948 * in documentation (online or textual) provided with the package.
792139Sjp161948 *
802139Sjp161948 * Redistribution and use in source and binary forms, with or without
812139Sjp161948 * modification, are permitted provided that the following conditions
822139Sjp161948 * are met:
832139Sjp161948 * 1. Redistributions of source code must retain the copyright
842139Sjp161948 * notice, this list of conditions and the following disclaimer.
852139Sjp161948 * 2. Redistributions in binary form must reproduce the above copyright
862139Sjp161948 * notice, this list of conditions and the following disclaimer in the
872139Sjp161948 * documentation and/or other materials provided with the distribution.
882139Sjp161948 * 3. All advertising materials mentioning features or use of this software
892139Sjp161948 * must display the following acknowledgement:
902139Sjp161948 * "This product includes cryptographic software written by
912139Sjp161948 * Eric Young (eay@cryptsoft.com)"
922139Sjp161948 * The word 'cryptographic' can be left out if the rouines from the library
932139Sjp161948 * being used are not cryptographic related :-).
942139Sjp161948 * 4. If you include any Windows specific code (or a derivative thereof) from
952139Sjp161948 * the apps directory (application code) you must include an acknowledgement:
962139Sjp161948 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
972139Sjp161948 *
982139Sjp161948 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
992139Sjp161948 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1002139Sjp161948 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1012139Sjp161948 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
1022139Sjp161948 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1032139Sjp161948 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1042139Sjp161948 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1052139Sjp161948 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1062139Sjp161948 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1072139Sjp161948 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1082139Sjp161948 * SUCH DAMAGE.
1092139Sjp161948 *
1102139Sjp161948 * The licence and distribution terms for any publically available version or
1112139Sjp161948 * derivative of this code cannot be changed. i.e. this code cannot simply be
1122139Sjp161948 * copied and put under another distribution licence
1132139Sjp161948 * [including the GNU Public Licence.]
1142139Sjp161948 */
1152139Sjp161948
1162139Sjp161948 #include <stdio.h>
1172139Sjp161948 #include "ssl_locl.h"
1182139Sjp161948 #include "kssl_lcl.h"
1192139Sjp161948 #include <openssl/buffer.h>
1202139Sjp161948 #include <openssl/rand.h>
1212139Sjp161948 #include <openssl/objects.h>
1222139Sjp161948 #include <openssl/evp.h>
1232139Sjp161948 #include <openssl/md5.h>
1242139Sjp161948 #ifndef OPENSSL_NO_DH
1252139Sjp161948 #include <openssl/dh.h>
1262139Sjp161948 #endif
1272139Sjp161948
1282139Sjp161948 static SSL_METHOD *dtls1_get_client_method(int ver);
1292139Sjp161948 static int dtls1_get_hello_verify(SSL *s);
1302139Sjp161948
dtls1_get_client_method(int ver)1312139Sjp161948 static SSL_METHOD *dtls1_get_client_method(int ver)
1322139Sjp161948 {
1332139Sjp161948 if (ver == DTLS1_VERSION)
1342139Sjp161948 return(DTLSv1_client_method());
1352139Sjp161948 else
1362139Sjp161948 return(NULL);
1372139Sjp161948 }
1382139Sjp161948
IMPLEMENT_dtls1_meth_func(DTLSv1_client_method,ssl_undefined_function,dtls1_connect,dtls1_get_client_method)1392139Sjp161948 IMPLEMENT_dtls1_meth_func(DTLSv1_client_method,
1402139Sjp161948 ssl_undefined_function,
1412139Sjp161948 dtls1_connect,
1422139Sjp161948 dtls1_get_client_method)
1432139Sjp161948
1442139Sjp161948 int dtls1_connect(SSL *s)
1452139Sjp161948 {
1462139Sjp161948 BUF_MEM *buf=NULL;
147*5434Sjp161948 unsigned long Time=(unsigned long)time(NULL),l;
1482139Sjp161948 long num1;
1492139Sjp161948 void (*cb)(const SSL *ssl,int type,int val)=NULL;
1502139Sjp161948 int ret= -1;
1512139Sjp161948 int new_state,state,skip=0;;
1522139Sjp161948
1532139Sjp161948 RAND_add(&Time,sizeof(Time),0);
1542139Sjp161948 ERR_clear_error();
1552139Sjp161948 clear_sys_error();
1562139Sjp161948
1572139Sjp161948 if (s->info_callback != NULL)
1582139Sjp161948 cb=s->info_callback;
1592139Sjp161948 else if (s->ctx->info_callback != NULL)
1602139Sjp161948 cb=s->ctx->info_callback;
1612139Sjp161948
1622139Sjp161948 s->in_handshake++;
1632139Sjp161948 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
1642139Sjp161948
1652139Sjp161948 for (;;)
1662139Sjp161948 {
1672139Sjp161948 state=s->state;
1682139Sjp161948
1692139Sjp161948 switch(s->state)
1702139Sjp161948 {
1712139Sjp161948 case SSL_ST_RENEGOTIATE:
1722139Sjp161948 s->new_session=1;
1732139Sjp161948 s->state=SSL_ST_CONNECT;
1742139Sjp161948 s->ctx->stats.sess_connect_renegotiate++;
1752139Sjp161948 /* break */
1762139Sjp161948 case SSL_ST_BEFORE:
1772139Sjp161948 case SSL_ST_CONNECT:
1782139Sjp161948 case SSL_ST_BEFORE|SSL_ST_CONNECT:
1792139Sjp161948 case SSL_ST_OK|SSL_ST_CONNECT:
1802139Sjp161948
1812139Sjp161948 s->server=0;
1822139Sjp161948 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
1832139Sjp161948
1842139Sjp161948 if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00))
1852139Sjp161948 {
1862139Sjp161948 SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR);
1872139Sjp161948 ret = -1;
1882139Sjp161948 goto end;
1892139Sjp161948 }
1902139Sjp161948
1912139Sjp161948 /* s->version=SSL3_VERSION; */
1922139Sjp161948 s->type=SSL_ST_CONNECT;
1932139Sjp161948
1942139Sjp161948 if (s->init_buf == NULL)
1952139Sjp161948 {
1962139Sjp161948 if ((buf=BUF_MEM_new()) == NULL)
1972139Sjp161948 {
1982139Sjp161948 ret= -1;
1992139Sjp161948 goto end;
2002139Sjp161948 }
2012139Sjp161948 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
2022139Sjp161948 {
2032139Sjp161948 ret= -1;
2042139Sjp161948 goto end;
2052139Sjp161948 }
2062139Sjp161948 s->init_buf=buf;
2072139Sjp161948 buf=NULL;
2082139Sjp161948 }
2092139Sjp161948
2102139Sjp161948 if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
2112139Sjp161948
2122139Sjp161948 /* setup buffing BIO */
2132139Sjp161948 if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
2142139Sjp161948
2152139Sjp161948 /* don't push the buffering BIO quite yet */
2162139Sjp161948
2172139Sjp161948 s->state=SSL3_ST_CW_CLNT_HELLO_A;
2182139Sjp161948 s->ctx->stats.sess_connect++;
2192139Sjp161948 s->init_num=0;
220*5434Sjp161948 /* mark client_random uninitialized */
221*5434Sjp161948 memset(s->s3->client_random,0,sizeof(s->s3->client_random));
2222139Sjp161948 break;
2232139Sjp161948
2242139Sjp161948 case SSL3_ST_CW_CLNT_HELLO_A:
2252139Sjp161948 case SSL3_ST_CW_CLNT_HELLO_B:
2262139Sjp161948
2272139Sjp161948 s->shutdown=0;
228*5434Sjp161948
229*5434Sjp161948 /* every DTLS ClientHello resets Finished MAC */
230*5434Sjp161948 ssl3_init_finished_mac(s);
231*5434Sjp161948
2322139Sjp161948 ret=dtls1_client_hello(s);
2332139Sjp161948 if (ret <= 0) goto end;
2342139Sjp161948
2352139Sjp161948 if ( s->d1->send_cookie)
2362139Sjp161948 {
2372139Sjp161948 s->state=SSL3_ST_CW_FLUSH;
2382139Sjp161948 s->s3->tmp.next_state=SSL3_ST_CR_SRVR_HELLO_A;
2392139Sjp161948 }
2402139Sjp161948 else
2412139Sjp161948 s->state=SSL3_ST_CR_SRVR_HELLO_A;
2422139Sjp161948
2432139Sjp161948 s->init_num=0;
2442139Sjp161948
2452139Sjp161948 /* turn on buffering for the next lot of output */
2462139Sjp161948 if (s->bbio != s->wbio)
2472139Sjp161948 s->wbio=BIO_push(s->bbio,s->wbio);
2482139Sjp161948
2492139Sjp161948 break;
2502139Sjp161948
2512139Sjp161948 case SSL3_ST_CR_SRVR_HELLO_A:
2522139Sjp161948 case SSL3_ST_CR_SRVR_HELLO_B:
2532139Sjp161948 ret=ssl3_get_server_hello(s);
2542139Sjp161948 if (ret <= 0) goto end;
2552139Sjp161948 else
2562139Sjp161948 {
2572139Sjp161948 if (s->hit)
2582139Sjp161948 s->state=SSL3_ST_CR_FINISHED_A;
2592139Sjp161948 else
2602139Sjp161948 s->state=DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
2612139Sjp161948 }
2622139Sjp161948 s->init_num=0;
2632139Sjp161948 break;
2642139Sjp161948
2652139Sjp161948 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
2662139Sjp161948 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B:
2672139Sjp161948
2682139Sjp161948 ret = dtls1_get_hello_verify(s);
2692139Sjp161948 if ( ret <= 0)
2702139Sjp161948 goto end;
2712139Sjp161948 if ( s->d1->send_cookie) /* start again, with a cookie */
2722139Sjp161948 s->state=SSL3_ST_CW_CLNT_HELLO_A;
2732139Sjp161948 else
2742139Sjp161948 s->state = SSL3_ST_CR_CERT_A;
2752139Sjp161948 s->init_num = 0;
2762139Sjp161948 break;
2772139Sjp161948
2782139Sjp161948 case SSL3_ST_CR_CERT_A:
2792139Sjp161948 case SSL3_ST_CR_CERT_B:
2802139Sjp161948 /* Check if it is anon DH */
2812139Sjp161948 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
2822139Sjp161948 {
2832139Sjp161948 ret=ssl3_get_server_certificate(s);
2842139Sjp161948 if (ret <= 0) goto end;
2852139Sjp161948 }
2862139Sjp161948 else
2872139Sjp161948 skip=1;
2882139Sjp161948 s->state=SSL3_ST_CR_KEY_EXCH_A;
2892139Sjp161948 s->init_num=0;
2902139Sjp161948 break;
2912139Sjp161948
2922139Sjp161948 case SSL3_ST_CR_KEY_EXCH_A:
2932139Sjp161948 case SSL3_ST_CR_KEY_EXCH_B:
2942139Sjp161948 ret=ssl3_get_key_exchange(s);
2952139Sjp161948 if (ret <= 0) goto end;
2962139Sjp161948 s->state=SSL3_ST_CR_CERT_REQ_A;
2972139Sjp161948 s->init_num=0;
2982139Sjp161948
2992139Sjp161948 /* at this point we check that we have the
3002139Sjp161948 * required stuff from the server */
3012139Sjp161948 if (!ssl3_check_cert_and_algorithm(s))
3022139Sjp161948 {
3032139Sjp161948 ret= -1;
3042139Sjp161948 goto end;
3052139Sjp161948 }
3062139Sjp161948 break;
3072139Sjp161948
3082139Sjp161948 case SSL3_ST_CR_CERT_REQ_A:
3092139Sjp161948 case SSL3_ST_CR_CERT_REQ_B:
3102139Sjp161948 ret=ssl3_get_certificate_request(s);
3112139Sjp161948 if (ret <= 0) goto end;
3122139Sjp161948 s->state=SSL3_ST_CR_SRVR_DONE_A;
3132139Sjp161948 s->init_num=0;
3142139Sjp161948 break;
3152139Sjp161948
3162139Sjp161948 case SSL3_ST_CR_SRVR_DONE_A:
3172139Sjp161948 case SSL3_ST_CR_SRVR_DONE_B:
3182139Sjp161948 ret=ssl3_get_server_done(s);
3192139Sjp161948 if (ret <= 0) goto end;
3202139Sjp161948 if (s->s3->tmp.cert_req)
3212139Sjp161948 s->state=SSL3_ST_CW_CERT_A;
3222139Sjp161948 else
3232139Sjp161948 s->state=SSL3_ST_CW_KEY_EXCH_A;
3242139Sjp161948 s->init_num=0;
3252139Sjp161948
3262139Sjp161948 break;
3272139Sjp161948
3282139Sjp161948 case SSL3_ST_CW_CERT_A:
3292139Sjp161948 case SSL3_ST_CW_CERT_B:
3302139Sjp161948 case SSL3_ST_CW_CERT_C:
3312139Sjp161948 case SSL3_ST_CW_CERT_D:
3322139Sjp161948 ret=dtls1_send_client_certificate(s);
3332139Sjp161948 if (ret <= 0) goto end;
3342139Sjp161948 s->state=SSL3_ST_CW_KEY_EXCH_A;
3352139Sjp161948 s->init_num=0;
3362139Sjp161948 break;
3372139Sjp161948
3382139Sjp161948 case SSL3_ST_CW_KEY_EXCH_A:
3392139Sjp161948 case SSL3_ST_CW_KEY_EXCH_B:
3402139Sjp161948 ret=dtls1_send_client_key_exchange(s);
3412139Sjp161948 if (ret <= 0) goto end;
3422139Sjp161948 l=s->s3->tmp.new_cipher->algorithms;
3432139Sjp161948 /* EAY EAY EAY need to check for DH fix cert
3442139Sjp161948 * sent back */
3452139Sjp161948 /* For TLS, cert_req is set to 2, so a cert chain
3462139Sjp161948 * of nothing is sent, but no verify packet is sent */
3472139Sjp161948 if (s->s3->tmp.cert_req == 1)
3482139Sjp161948 {
3492139Sjp161948 s->state=SSL3_ST_CW_CERT_VRFY_A;
3502139Sjp161948 }
3512139Sjp161948 else
3522139Sjp161948 {
3532139Sjp161948 s->state=SSL3_ST_CW_CHANGE_A;
3542139Sjp161948 s->s3->change_cipher_spec=0;
3552139Sjp161948 }
3562139Sjp161948
3572139Sjp161948 s->init_num=0;
3582139Sjp161948 break;
3592139Sjp161948
3602139Sjp161948 case SSL3_ST_CW_CERT_VRFY_A:
3612139Sjp161948 case SSL3_ST_CW_CERT_VRFY_B:
3622139Sjp161948 ret=dtls1_send_client_verify(s);
3632139Sjp161948 if (ret <= 0) goto end;
3642139Sjp161948 s->state=SSL3_ST_CW_CHANGE_A;
3652139Sjp161948 s->init_num=0;
3662139Sjp161948 s->s3->change_cipher_spec=0;
3672139Sjp161948 break;
3682139Sjp161948
3692139Sjp161948 case SSL3_ST_CW_CHANGE_A:
3702139Sjp161948 case SSL3_ST_CW_CHANGE_B:
3712139Sjp161948 ret=dtls1_send_change_cipher_spec(s,
3722139Sjp161948 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
3732139Sjp161948 if (ret <= 0) goto end;
3742139Sjp161948 s->state=SSL3_ST_CW_FINISHED_A;
3752139Sjp161948 s->init_num=0;
3762139Sjp161948
3772139Sjp161948 s->session->cipher=s->s3->tmp.new_cipher;
3782139Sjp161948 #ifdef OPENSSL_NO_COMP
3792139Sjp161948 s->session->compress_meth=0;
3802139Sjp161948 #else
3812139Sjp161948 if (s->s3->tmp.new_compression == NULL)
3822139Sjp161948 s->session->compress_meth=0;
3832139Sjp161948 else
3842139Sjp161948 s->session->compress_meth=
3852139Sjp161948 s->s3->tmp.new_compression->id;
3862139Sjp161948 #endif
3872139Sjp161948 if (!s->method->ssl3_enc->setup_key_block(s))
3882139Sjp161948 {
3892139Sjp161948 ret= -1;
3902139Sjp161948 goto end;
3912139Sjp161948 }
3922139Sjp161948
3932139Sjp161948 if (!s->method->ssl3_enc->change_cipher_state(s,
3942139Sjp161948 SSL3_CHANGE_CIPHER_CLIENT_WRITE))
3952139Sjp161948 {
3962139Sjp161948 ret= -1;
3972139Sjp161948 goto end;
3982139Sjp161948 }
3992139Sjp161948
4002139Sjp161948 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
4012139Sjp161948 break;
4022139Sjp161948
4032139Sjp161948 case SSL3_ST_CW_FINISHED_A:
4042139Sjp161948 case SSL3_ST_CW_FINISHED_B:
4052139Sjp161948 ret=dtls1_send_finished(s,
4062139Sjp161948 SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
4072139Sjp161948 s->method->ssl3_enc->client_finished_label,
4082139Sjp161948 s->method->ssl3_enc->client_finished_label_len);
4092139Sjp161948 if (ret <= 0) goto end;
4102139Sjp161948 s->state=SSL3_ST_CW_FLUSH;
4112139Sjp161948
4122139Sjp161948 /* clear flags */
4132139Sjp161948 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
4142139Sjp161948 if (s->hit)
4152139Sjp161948 {
4162139Sjp161948 s->s3->tmp.next_state=SSL_ST_OK;
4172139Sjp161948 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
4182139Sjp161948 {
4192139Sjp161948 s->state=SSL_ST_OK;
4202139Sjp161948 s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
4212139Sjp161948 s->s3->delay_buf_pop_ret=0;
4222139Sjp161948 }
4232139Sjp161948 }
4242139Sjp161948 else
4252139Sjp161948 {
4262139Sjp161948 s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
4272139Sjp161948 }
4282139Sjp161948 s->init_num=0;
429*5434Sjp161948 /* mark client_random uninitialized */
430*5434Sjp161948 memset (s->s3->client_random,0,sizeof(s->s3->client_random));
431*5434Sjp161948
4322139Sjp161948 break;
4332139Sjp161948
4342139Sjp161948 case SSL3_ST_CR_FINISHED_A:
4352139Sjp161948 case SSL3_ST_CR_FINISHED_B:
4362139Sjp161948
4372139Sjp161948 ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
4382139Sjp161948 SSL3_ST_CR_FINISHED_B);
4392139Sjp161948 if (ret <= 0) goto end;
4402139Sjp161948
4412139Sjp161948 if (s->hit)
4422139Sjp161948 s->state=SSL3_ST_CW_CHANGE_A;
4432139Sjp161948 else
4442139Sjp161948 s->state=SSL_ST_OK;
4452139Sjp161948 s->init_num=0;
4462139Sjp161948 break;
4472139Sjp161948
4482139Sjp161948 case SSL3_ST_CW_FLUSH:
4492139Sjp161948 /* number of bytes to be flushed */
4502139Sjp161948 num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
4512139Sjp161948 if (num1 > 0)
4522139Sjp161948 {
4532139Sjp161948 s->rwstate=SSL_WRITING;
4542139Sjp161948 num1=BIO_flush(s->wbio);
4552139Sjp161948 if (num1 <= 0) { ret= -1; goto end; }
4562139Sjp161948 s->rwstate=SSL_NOTHING;
4572139Sjp161948 }
4582139Sjp161948
4592139Sjp161948 s->state=s->s3->tmp.next_state;
4602139Sjp161948 break;
4612139Sjp161948
4622139Sjp161948 case SSL_ST_OK:
4632139Sjp161948 /* clean a few things up */
4642139Sjp161948 ssl3_cleanup_key_block(s);
4652139Sjp161948
4662139Sjp161948 #if 0
4672139Sjp161948 if (s->init_buf != NULL)
4682139Sjp161948 {
4692139Sjp161948 BUF_MEM_free(s->init_buf);
4702139Sjp161948 s->init_buf=NULL;
4712139Sjp161948 }
4722139Sjp161948 #endif
4732139Sjp161948
4742139Sjp161948 /* If we are not 'joining' the last two packets,
4752139Sjp161948 * remove the buffering now */
4762139Sjp161948 if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
4772139Sjp161948 ssl_free_wbio_buffer(s);
4782139Sjp161948 /* else do it later in ssl3_write */
4792139Sjp161948
4802139Sjp161948 s->init_num=0;
4812139Sjp161948 s->new_session=0;
4822139Sjp161948
4832139Sjp161948 ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
4842139Sjp161948 if (s->hit) s->ctx->stats.sess_hit++;
4852139Sjp161948
4862139Sjp161948 ret=1;
4872139Sjp161948 /* s->server=0; */
4882139Sjp161948 s->handshake_func=dtls1_connect;
4892139Sjp161948 s->ctx->stats.sess_connect_good++;
4902139Sjp161948
4912139Sjp161948 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
4922139Sjp161948
4932139Sjp161948 /* done with handshaking */
4942139Sjp161948 s->d1->handshake_read_seq = 0;
4952139Sjp161948 goto end;
4962139Sjp161948 /* break; */
4972139Sjp161948
4982139Sjp161948 default:
4992139Sjp161948 SSLerr(SSL_F_DTLS1_CONNECT,SSL_R_UNKNOWN_STATE);
5002139Sjp161948 ret= -1;
5012139Sjp161948 goto end;
5022139Sjp161948 /* break; */
5032139Sjp161948 }
5042139Sjp161948
5052139Sjp161948 /* did we do anything */
5062139Sjp161948 if (!s->s3->tmp.reuse_message && !skip)
5072139Sjp161948 {
5082139Sjp161948 if (s->debug)
5092139Sjp161948 {
5102139Sjp161948 if ((ret=BIO_flush(s->wbio)) <= 0)
5112139Sjp161948 goto end;
5122139Sjp161948 }
5132139Sjp161948
5142139Sjp161948 if ((cb != NULL) && (s->state != state))
5152139Sjp161948 {
5162139Sjp161948 new_state=s->state;
5172139Sjp161948 s->state=state;
5182139Sjp161948 cb(s,SSL_CB_CONNECT_LOOP,1);
5192139Sjp161948 s->state=new_state;
5202139Sjp161948 }
5212139Sjp161948 }
5222139Sjp161948 skip=0;
5232139Sjp161948 }
5242139Sjp161948 end:
5252139Sjp161948 s->in_handshake--;
5262139Sjp161948 if (buf != NULL)
5272139Sjp161948 BUF_MEM_free(buf);
5282139Sjp161948 if (cb != NULL)
5292139Sjp161948 cb(s,SSL_CB_CONNECT_EXIT,ret);
5302139Sjp161948 return(ret);
5312139Sjp161948 }
5322139Sjp161948
dtls1_client_hello(SSL * s)5332139Sjp161948 int dtls1_client_hello(SSL *s)
5342139Sjp161948 {
5352139Sjp161948 unsigned char *buf;
5362139Sjp161948 unsigned char *p,*d;
5372139Sjp161948 unsigned int i,j;
5382139Sjp161948 unsigned long Time,l;
5392139Sjp161948 SSL_COMP *comp;
5402139Sjp161948
5412139Sjp161948 buf=(unsigned char *)s->init_buf->data;
5422139Sjp161948 if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
5432139Sjp161948 {
5442139Sjp161948 if ((s->session == NULL) ||
5452139Sjp161948 (s->session->ssl_version != s->version) ||
5462139Sjp161948 (s->session->not_resumable))
5472139Sjp161948 {
5482139Sjp161948 if (!ssl_get_new_session(s,0))
5492139Sjp161948 goto err;
5502139Sjp161948 }
5512139Sjp161948 /* else use the pre-loaded session */
5522139Sjp161948
5532139Sjp161948 p=s->s3->client_random;
554*5434Sjp161948 /* if client_random is initialized, reuse it, we are
555*5434Sjp161948 * required to use same upon reply to HelloVerify */
556*5434Sjp161948 for (i=0;p[i]=='\0' && i<sizeof(s->s3->client_random);i++) ;
557*5434Sjp161948 if (i==sizeof(s->s3->client_random))
558*5434Sjp161948 {
559*5434Sjp161948 Time=(unsigned long)time(NULL); /* Time */
560*5434Sjp161948 l2n(Time,p);
561*5434Sjp161948 RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4);
562*5434Sjp161948 }
5632139Sjp161948
5642139Sjp161948 /* Do the message type and length last */
5652139Sjp161948 d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
5662139Sjp161948
5672139Sjp161948 *(p++)=s->version>>8;
5682139Sjp161948 *(p++)=s->version&0xff;
5692139Sjp161948 s->client_version=s->version;
5702139Sjp161948
5712139Sjp161948 /* Random stuff */
5722139Sjp161948 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
5732139Sjp161948 p+=SSL3_RANDOM_SIZE;
5742139Sjp161948
5752139Sjp161948 /* Session ID */
5762139Sjp161948 if (s->new_session)
5772139Sjp161948 i=0;
5782139Sjp161948 else
5792139Sjp161948 i=s->session->session_id_length;
5802139Sjp161948 *(p++)=i;
5812139Sjp161948 if (i != 0)
5822139Sjp161948 {
5832139Sjp161948 if (i > sizeof s->session->session_id)
5842139Sjp161948 {
5852139Sjp161948 SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
5862139Sjp161948 goto err;
5872139Sjp161948 }
5882139Sjp161948 memcpy(p,s->session->session_id,i);
5892139Sjp161948 p+=i;
5902139Sjp161948 }
5912139Sjp161948
5922139Sjp161948 /* cookie stuff */
5932139Sjp161948 if ( s->d1->cookie_len > sizeof(s->d1->cookie))
5942139Sjp161948 {
5952139Sjp161948 SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
5962139Sjp161948 goto err;
5972139Sjp161948 }
5982139Sjp161948 *(p++) = s->d1->cookie_len;
5992139Sjp161948 memcpy(p, s->d1->cookie, s->d1->cookie_len);
6002139Sjp161948 p += s->d1->cookie_len;
6012139Sjp161948
6022139Sjp161948 /* Ciphers supported */
6032139Sjp161948 i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0);
6042139Sjp161948 if (i == 0)
6052139Sjp161948 {
6062139Sjp161948 SSLerr(SSL_F_DTLS1_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
6072139Sjp161948 goto err;
6082139Sjp161948 }
6092139Sjp161948 s2n(i,p);
6102139Sjp161948 p+=i;
6112139Sjp161948
6122139Sjp161948 /* COMPRESSION */
6132139Sjp161948 if (s->ctx->comp_methods == NULL)
6142139Sjp161948 j=0;
6152139Sjp161948 else
6162139Sjp161948 j=sk_SSL_COMP_num(s->ctx->comp_methods);
6172139Sjp161948 *(p++)=1+j;
6182139Sjp161948 for (i=0; i<j; i++)
6192139Sjp161948 {
6202139Sjp161948 comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
6212139Sjp161948 *(p++)=comp->id;
6222139Sjp161948 }
6232139Sjp161948 *(p++)=0; /* Add the NULL method */
6242139Sjp161948
6252139Sjp161948 l=(p-d);
6262139Sjp161948 d=buf;
6272139Sjp161948
6282139Sjp161948 d = dtls1_set_message_header(s, d, SSL3_MT_CLIENT_HELLO, l, 0, l);
6292139Sjp161948
6302139Sjp161948 s->state=SSL3_ST_CW_CLNT_HELLO_B;
6312139Sjp161948 /* number of bytes to write */
6322139Sjp161948 s->init_num=p-buf;
6332139Sjp161948 s->init_off=0;
6342139Sjp161948
6352139Sjp161948 /* buffer the message to handle re-xmits */
6362139Sjp161948 dtls1_buffer_message(s, 0);
6372139Sjp161948 }
6382139Sjp161948
6392139Sjp161948 /* SSL3_ST_CW_CLNT_HELLO_B */
6402139Sjp161948 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
6412139Sjp161948 err:
6422139Sjp161948 return(-1);
6432139Sjp161948 }
6442139Sjp161948
dtls1_get_hello_verify(SSL * s)6452139Sjp161948 static int dtls1_get_hello_verify(SSL *s)
6462139Sjp161948 {
6472139Sjp161948 int n, al, ok = 0;
6482139Sjp161948 unsigned char *data;
6492139Sjp161948 unsigned int cookie_len;
6502139Sjp161948
6512139Sjp161948 n=s->method->ssl_get_message(s,
6522139Sjp161948 DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A,
6532139Sjp161948 DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B,
6542139Sjp161948 -1,
6552139Sjp161948 s->max_cert_list,
6562139Sjp161948 &ok);
6572139Sjp161948
6582139Sjp161948 if (!ok) return((int)n);
6592139Sjp161948
6602139Sjp161948 if (s->s3->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST)
6612139Sjp161948 {
6622139Sjp161948 s->d1->send_cookie = 0;
6632139Sjp161948 s->s3->tmp.reuse_message=1;
6642139Sjp161948 return(1);
6652139Sjp161948 }
6662139Sjp161948
6672139Sjp161948 data = (unsigned char *)s->init_msg;
6682139Sjp161948
6692139Sjp161948 if ((data[0] != (s->version>>8)) || (data[1] != (s->version&0xff)))
6702139Sjp161948 {
6712139Sjp161948 SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY,SSL_R_WRONG_SSL_VERSION);
6722139Sjp161948 s->version=(s->version&0xff00)|data[1];
6732139Sjp161948 al = SSL_AD_PROTOCOL_VERSION;
6742139Sjp161948 goto f_err;
6752139Sjp161948 }
6762139Sjp161948 data+=2;
6772139Sjp161948
6782139Sjp161948 cookie_len = *(data++);
6792139Sjp161948 if ( cookie_len > sizeof(s->d1->cookie))
6802139Sjp161948 {
6812139Sjp161948 al=SSL_AD_ILLEGAL_PARAMETER;
6822139Sjp161948 goto f_err;
6832139Sjp161948 }
6842139Sjp161948
6852139Sjp161948 memcpy(s->d1->cookie, data, cookie_len);
6862139Sjp161948 s->d1->cookie_len = cookie_len;
6872139Sjp161948
6882139Sjp161948 s->d1->send_cookie = 1;
6892139Sjp161948 return 1;
6902139Sjp161948
6912139Sjp161948 f_err:
6922139Sjp161948 ssl3_send_alert(s, SSL3_AL_FATAL, al);
6932139Sjp161948 return -1;
6942139Sjp161948 }
6952139Sjp161948
dtls1_send_client_key_exchange(SSL * s)6962139Sjp161948 int dtls1_send_client_key_exchange(SSL *s)
6972139Sjp161948 {
6982139Sjp161948 unsigned char *p,*d;
6992139Sjp161948 int n;
7002139Sjp161948 unsigned long l;
7012139Sjp161948 #ifndef OPENSSL_NO_RSA
7022139Sjp161948 unsigned char *q;
7032139Sjp161948 EVP_PKEY *pkey=NULL;
7042139Sjp161948 #endif
7052139Sjp161948 #ifndef OPENSSL_NO_KRB5
7062139Sjp161948 KSSL_ERR kssl_err;
7072139Sjp161948 #endif /* OPENSSL_NO_KRB5 */
7082139Sjp161948
7092139Sjp161948 if (s->state == SSL3_ST_CW_KEY_EXCH_A)
7102139Sjp161948 {
7112139Sjp161948 d=(unsigned char *)s->init_buf->data;
7122139Sjp161948 p= &(d[DTLS1_HM_HEADER_LENGTH]);
7132139Sjp161948
7142139Sjp161948 l=s->s3->tmp.new_cipher->algorithms;
7152139Sjp161948
7162139Sjp161948 /* Fool emacs indentation */
7172139Sjp161948 if (0) {}
7182139Sjp161948 #ifndef OPENSSL_NO_RSA
7192139Sjp161948 else if (l & SSL_kRSA)
7202139Sjp161948 {
7212139Sjp161948 RSA *rsa;
7222139Sjp161948 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
7232139Sjp161948
7242139Sjp161948 if (s->session->sess_cert->peer_rsa_tmp != NULL)
7252139Sjp161948 rsa=s->session->sess_cert->peer_rsa_tmp;
7262139Sjp161948 else
7272139Sjp161948 {
7282139Sjp161948 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
7292139Sjp161948 if ((pkey == NULL) ||
7302139Sjp161948 (pkey->type != EVP_PKEY_RSA) ||
7312139Sjp161948 (pkey->pkey.rsa == NULL))
7322139Sjp161948 {
7332139Sjp161948 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
7342139Sjp161948 goto err;
7352139Sjp161948 }
7362139Sjp161948 rsa=pkey->pkey.rsa;
7372139Sjp161948 EVP_PKEY_free(pkey);
7382139Sjp161948 }
7392139Sjp161948
7402139Sjp161948 tmp_buf[0]=s->client_version>>8;
7412139Sjp161948 tmp_buf[1]=s->client_version&0xff;
7422139Sjp161948 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
7432139Sjp161948 goto err;
7442139Sjp161948
7452139Sjp161948 s->session->master_key_length=sizeof tmp_buf;
7462139Sjp161948
7472139Sjp161948 q=p;
748*5434Sjp161948 /* Fix buf for TLS and [incidentally] DTLS */
7492139Sjp161948 if (s->version > SSL3_VERSION)
7502139Sjp161948 p+=2;
7512139Sjp161948 n=RSA_public_encrypt(sizeof tmp_buf,
7522139Sjp161948 tmp_buf,p,rsa,RSA_PKCS1_PADDING);
7532139Sjp161948 #ifdef PKCS1_CHECK
7542139Sjp161948 if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
7552139Sjp161948 if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70;
7562139Sjp161948 #endif
7572139Sjp161948 if (n <= 0)
7582139Sjp161948 {
7592139Sjp161948 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
7602139Sjp161948 goto err;
7612139Sjp161948 }
7622139Sjp161948
763*5434Sjp161948 /* Fix buf for TLS and [incidentally] DTLS */
7642139Sjp161948 if (s->version > SSL3_VERSION)
7652139Sjp161948 {
7662139Sjp161948 s2n(n,q);
7672139Sjp161948 n+=2;
7682139Sjp161948 }
7692139Sjp161948
7702139Sjp161948 s->session->master_key_length=
7712139Sjp161948 s->method->ssl3_enc->generate_master_secret(s,
7722139Sjp161948 s->session->master_key,
7732139Sjp161948 tmp_buf,sizeof tmp_buf);
7742139Sjp161948 OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
7752139Sjp161948 }
7762139Sjp161948 #endif
7772139Sjp161948 #ifndef OPENSSL_NO_KRB5
7782139Sjp161948 else if (l & SSL_kKRB5)
7792139Sjp161948 {
7802139Sjp161948 krb5_error_code krb5rc;
7812139Sjp161948 KSSL_CTX *kssl_ctx = s->kssl_ctx;
7822139Sjp161948 /* krb5_data krb5_ap_req; */
7832139Sjp161948 krb5_data *enc_ticket;
7842139Sjp161948 krb5_data authenticator, *authp = NULL;
7852139Sjp161948 EVP_CIPHER_CTX ciph_ctx;
7862139Sjp161948 EVP_CIPHER *enc = NULL;
7872139Sjp161948 unsigned char iv[EVP_MAX_IV_LENGTH];
7882139Sjp161948 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
7892139Sjp161948 unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH
7902139Sjp161948 + EVP_MAX_IV_LENGTH];
7912139Sjp161948 int padl, outl = sizeof(epms);
7922139Sjp161948
7932139Sjp161948 EVP_CIPHER_CTX_init(&ciph_ctx);
7942139Sjp161948
7952139Sjp161948 #ifdef KSSL_DEBUG
7962139Sjp161948 printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
7972139Sjp161948 l, SSL_kKRB5);
7982139Sjp161948 #endif /* KSSL_DEBUG */
7992139Sjp161948
8002139Sjp161948 authp = NULL;
8012139Sjp161948 #ifdef KRB5SENDAUTH
8022139Sjp161948 if (KRB5SENDAUTH) authp = &authenticator;
8032139Sjp161948 #endif /* KRB5SENDAUTH */
8042139Sjp161948
8052139Sjp161948 krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp,
8062139Sjp161948 &kssl_err);
8072139Sjp161948 enc = kssl_map_enc(kssl_ctx->enctype);
8082139Sjp161948 if (enc == NULL)
8092139Sjp161948 goto err;
8102139Sjp161948 #ifdef KSSL_DEBUG
8112139Sjp161948 {
8122139Sjp161948 printf("kssl_cget_tkt rtn %d\n", krb5rc);
8132139Sjp161948 if (krb5rc && kssl_err.text)
8142139Sjp161948 printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
8152139Sjp161948 }
8162139Sjp161948 #endif /* KSSL_DEBUG */
8172139Sjp161948
8182139Sjp161948 if (krb5rc)
8192139Sjp161948 {
8202139Sjp161948 ssl3_send_alert(s,SSL3_AL_FATAL,
8212139Sjp161948 SSL_AD_HANDSHAKE_FAILURE);
8222139Sjp161948 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
8232139Sjp161948 kssl_err.reason);
8242139Sjp161948 goto err;
8252139Sjp161948 }
8262139Sjp161948
8272139Sjp161948 /* 20010406 VRS - Earlier versions used KRB5 AP_REQ
8282139Sjp161948 ** in place of RFC 2712 KerberosWrapper, as in:
8292139Sjp161948 **
8302139Sjp161948 ** Send ticket (copy to *p, set n = length)
8312139Sjp161948 ** n = krb5_ap_req.length;
8322139Sjp161948 ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
8332139Sjp161948 ** if (krb5_ap_req.data)
8342139Sjp161948 ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
8352139Sjp161948 **
8362139Sjp161948 ** Now using real RFC 2712 KerberosWrapper
8372139Sjp161948 ** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
8382139Sjp161948 ** Note: 2712 "opaque" types are here replaced
8392139Sjp161948 ** with a 2-byte length followed by the value.
8402139Sjp161948 ** Example:
8412139Sjp161948 ** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
8422139Sjp161948 ** Where "xx xx" = length bytes. Shown here with
8432139Sjp161948 ** optional authenticator omitted.
8442139Sjp161948 */
8452139Sjp161948
8462139Sjp161948 /* KerberosWrapper.Ticket */
8472139Sjp161948 s2n(enc_ticket->length,p);
8482139Sjp161948 memcpy(p, enc_ticket->data, enc_ticket->length);
8492139Sjp161948 p+= enc_ticket->length;
8502139Sjp161948 n = enc_ticket->length + 2;
8512139Sjp161948
8522139Sjp161948 /* KerberosWrapper.Authenticator */
8532139Sjp161948 if (authp && authp->length)
8542139Sjp161948 {
8552139Sjp161948 s2n(authp->length,p);
8562139Sjp161948 memcpy(p, authp->data, authp->length);
8572139Sjp161948 p+= authp->length;
8582139Sjp161948 n+= authp->length + 2;
8592139Sjp161948
8602139Sjp161948 free(authp->data);
8612139Sjp161948 authp->data = NULL;
8622139Sjp161948 authp->length = 0;
8632139Sjp161948 }
8642139Sjp161948 else
8652139Sjp161948 {
8662139Sjp161948 s2n(0,p);/* null authenticator length */
8672139Sjp161948 n+=2;
8682139Sjp161948 }
8692139Sjp161948
8702139Sjp161948 if (RAND_bytes(tmp_buf,sizeof tmp_buf) <= 0)
8712139Sjp161948 goto err;
8722139Sjp161948
8732139Sjp161948 /* 20010420 VRS. Tried it this way; failed.
8742139Sjp161948 ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
8752139Sjp161948 ** EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
8762139Sjp161948 ** kssl_ctx->length);
8772139Sjp161948 ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
8782139Sjp161948 */
8792139Sjp161948
8802139Sjp161948 memset(iv, 0, sizeof iv); /* per RFC 1510 */
8812139Sjp161948 EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,
8822139Sjp161948 kssl_ctx->key,iv);
8832139Sjp161948 EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf,
8842139Sjp161948 sizeof tmp_buf);
8852139Sjp161948 EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl);
8862139Sjp161948 outl += padl;
8872139Sjp161948 if (outl > sizeof epms)
8882139Sjp161948 {
8892139Sjp161948 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
8902139Sjp161948 goto err;
8912139Sjp161948 }
8922139Sjp161948 EVP_CIPHER_CTX_cleanup(&ciph_ctx);
8932139Sjp161948
8942139Sjp161948 /* KerberosWrapper.EncryptedPreMasterSecret */
8952139Sjp161948 s2n(outl,p);
8962139Sjp161948 memcpy(p, epms, outl);
8972139Sjp161948 p+=outl;
8982139Sjp161948 n+=outl + 2;
8992139Sjp161948
9002139Sjp161948 s->session->master_key_length=
9012139Sjp161948 s->method->ssl3_enc->generate_master_secret(s,
9022139Sjp161948 s->session->master_key,
9032139Sjp161948 tmp_buf, sizeof tmp_buf);
9042139Sjp161948
9052139Sjp161948 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
9062139Sjp161948 OPENSSL_cleanse(epms, outl);
9072139Sjp161948 }
9082139Sjp161948 #endif
9092139Sjp161948 #ifndef OPENSSL_NO_DH
9102139Sjp161948 else if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
9112139Sjp161948 {
9122139Sjp161948 DH *dh_srvr,*dh_clnt;
9132139Sjp161948
9142139Sjp161948 if (s->session->sess_cert->peer_dh_tmp != NULL)
9152139Sjp161948 dh_srvr=s->session->sess_cert->peer_dh_tmp;
9162139Sjp161948 else
9172139Sjp161948 {
9182139Sjp161948 /* we get them from the cert */
9192139Sjp161948 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
9202139Sjp161948 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
9212139Sjp161948 goto err;
9222139Sjp161948 }
9232139Sjp161948
9242139Sjp161948 /* generate a new random key */
9252139Sjp161948 if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
9262139Sjp161948 {
9272139Sjp161948 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
9282139Sjp161948 goto err;
9292139Sjp161948 }
9302139Sjp161948 if (!DH_generate_key(dh_clnt))
9312139Sjp161948 {
9322139Sjp161948 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
9332139Sjp161948 goto err;
9342139Sjp161948 }
9352139Sjp161948
9362139Sjp161948 /* use the 'p' output buffer for the DH key, but
9372139Sjp161948 * make sure to clear it out afterwards */
9382139Sjp161948
9392139Sjp161948 n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt);
9402139Sjp161948
9412139Sjp161948 if (n <= 0)
9422139Sjp161948 {
9432139Sjp161948 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
9442139Sjp161948 goto err;
9452139Sjp161948 }
9462139Sjp161948
9472139Sjp161948 /* generate master key from the result */
9482139Sjp161948 s->session->master_key_length=
9492139Sjp161948 s->method->ssl3_enc->generate_master_secret(s,
9502139Sjp161948 s->session->master_key,p,n);
9512139Sjp161948 /* clean up */
9522139Sjp161948 memset(p,0,n);
9532139Sjp161948
9542139Sjp161948 /* send off the data */
9552139Sjp161948 n=BN_num_bytes(dh_clnt->pub_key);
9562139Sjp161948 s2n(n,p);
9572139Sjp161948 BN_bn2bin(dh_clnt->pub_key,p);
9582139Sjp161948 n+=2;
9592139Sjp161948
9602139Sjp161948 DH_free(dh_clnt);
9612139Sjp161948
9622139Sjp161948 /* perhaps clean things up a bit EAY EAY EAY EAY*/
9632139Sjp161948 }
9642139Sjp161948 #endif
9652139Sjp161948 else
9662139Sjp161948 {
9672139Sjp161948 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
9682139Sjp161948 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
9692139Sjp161948 goto err;
9702139Sjp161948 }
9712139Sjp161948
9722139Sjp161948 d = dtls1_set_message_header(s, d,
9732139Sjp161948 SSL3_MT_CLIENT_KEY_EXCHANGE, n, 0, n);
9742139Sjp161948 /*
9752139Sjp161948 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE;
9762139Sjp161948 l2n3(n,d);
9772139Sjp161948 l2n(s->d1->handshake_write_seq,d);
9782139Sjp161948 s->d1->handshake_write_seq++;
9792139Sjp161948 */
9802139Sjp161948
9812139Sjp161948 s->state=SSL3_ST_CW_KEY_EXCH_B;
9822139Sjp161948 /* number of bytes to write */
9832139Sjp161948 s->init_num=n+DTLS1_HM_HEADER_LENGTH;
9842139Sjp161948 s->init_off=0;
9852139Sjp161948
9862139Sjp161948 /* buffer the message to handle re-xmits */
9872139Sjp161948 dtls1_buffer_message(s, 0);
9882139Sjp161948 }
9892139Sjp161948
9902139Sjp161948 /* SSL3_ST_CW_KEY_EXCH_B */
9912139Sjp161948 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
9922139Sjp161948 err:
9932139Sjp161948 return(-1);
9942139Sjp161948 }
9952139Sjp161948
dtls1_send_client_verify(SSL * s)9962139Sjp161948 int dtls1_send_client_verify(SSL *s)
9972139Sjp161948 {
9982139Sjp161948 unsigned char *p,*d;
9992139Sjp161948 unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
10002139Sjp161948 EVP_PKEY *pkey;
10012139Sjp161948 #ifndef OPENSSL_NO_RSA
10022139Sjp161948 unsigned u=0;
10032139Sjp161948 #endif
10042139Sjp161948 unsigned long n;
10052139Sjp161948 #ifndef OPENSSL_NO_DSA
10062139Sjp161948 int j;
10072139Sjp161948 #endif
10082139Sjp161948
10092139Sjp161948 if (s->state == SSL3_ST_CW_CERT_VRFY_A)
10102139Sjp161948 {
10112139Sjp161948 d=(unsigned char *)s->init_buf->data;
10122139Sjp161948 p= &(d[DTLS1_HM_HEADER_LENGTH]);
10132139Sjp161948 pkey=s->cert->key->privatekey;
10142139Sjp161948
10152139Sjp161948 s->method->ssl3_enc->cert_verify_mac(s,&(s->s3->finish_dgst2),
10162139Sjp161948 &(data[MD5_DIGEST_LENGTH]));
10172139Sjp161948
10182139Sjp161948 #ifndef OPENSSL_NO_RSA
10192139Sjp161948 if (pkey->type == EVP_PKEY_RSA)
10202139Sjp161948 {
10212139Sjp161948 s->method->ssl3_enc->cert_verify_mac(s,
10222139Sjp161948 &(s->s3->finish_dgst1),&(data[0]));
10232139Sjp161948 if (RSA_sign(NID_md5_sha1, data,
10242139Sjp161948 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
10252139Sjp161948 &(p[2]), &u, pkey->pkey.rsa) <= 0 )
10262139Sjp161948 {
10272139Sjp161948 SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
10282139Sjp161948 goto err;
10292139Sjp161948 }
10302139Sjp161948 s2n(u,p);
10312139Sjp161948 n=u+2;
10322139Sjp161948 }
10332139Sjp161948 else
10342139Sjp161948 #endif
10352139Sjp161948 #ifndef OPENSSL_NO_DSA
10362139Sjp161948 if (pkey->type == EVP_PKEY_DSA)
10372139Sjp161948 {
10382139Sjp161948 if (!DSA_sign(pkey->save_type,
10392139Sjp161948 &(data[MD5_DIGEST_LENGTH]),
10402139Sjp161948 SHA_DIGEST_LENGTH,&(p[2]),
10412139Sjp161948 (unsigned int *)&j,pkey->pkey.dsa))
10422139Sjp161948 {
10432139Sjp161948 SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
10442139Sjp161948 goto err;
10452139Sjp161948 }
10462139Sjp161948 s2n(j,p);
10472139Sjp161948 n=j+2;
10482139Sjp161948 }
10492139Sjp161948 else
10502139Sjp161948 #endif
10512139Sjp161948 {
10522139Sjp161948 SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR);
10532139Sjp161948 goto err;
10542139Sjp161948 }
10552139Sjp161948
10562139Sjp161948 d = dtls1_set_message_header(s, d,
10572139Sjp161948 SSL3_MT_CERTIFICATE_VERIFY, n, 0, n) ;
10582139Sjp161948
10592139Sjp161948 s->init_num=(int)n+DTLS1_HM_HEADER_LENGTH;
10602139Sjp161948 s->init_off=0;
10612139Sjp161948
10622139Sjp161948 /* buffer the message to handle re-xmits */
10632139Sjp161948 dtls1_buffer_message(s, 0);
10642139Sjp161948
10652139Sjp161948 s->state = SSL3_ST_CW_CERT_VRFY_B;
10662139Sjp161948 }
10672139Sjp161948
10682139Sjp161948 /* s->state = SSL3_ST_CW_CERT_VRFY_B */
10692139Sjp161948 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
10702139Sjp161948 err:
10712139Sjp161948 return(-1);
10722139Sjp161948 }
10732139Sjp161948
dtls1_send_client_certificate(SSL * s)10742139Sjp161948 int dtls1_send_client_certificate(SSL *s)
10752139Sjp161948 {
10762139Sjp161948 X509 *x509=NULL;
10772139Sjp161948 EVP_PKEY *pkey=NULL;
10782139Sjp161948 int i;
10792139Sjp161948 unsigned long l;
10802139Sjp161948
10812139Sjp161948 if (s->state == SSL3_ST_CW_CERT_A)
10822139Sjp161948 {
10832139Sjp161948 if ((s->cert == NULL) ||
10842139Sjp161948 (s->cert->key->x509 == NULL) ||
10852139Sjp161948 (s->cert->key->privatekey == NULL))
10862139Sjp161948 s->state=SSL3_ST_CW_CERT_B;
10872139Sjp161948 else
10882139Sjp161948 s->state=SSL3_ST_CW_CERT_C;
10892139Sjp161948 }
10902139Sjp161948
10912139Sjp161948 /* We need to get a client cert */
10922139Sjp161948 if (s->state == SSL3_ST_CW_CERT_B)
10932139Sjp161948 {
10942139Sjp161948 /* If we get an error, we need to
10952139Sjp161948 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
10962139Sjp161948 * We then get retied later */
10972139Sjp161948 i=0;
10982139Sjp161948 if (s->ctx->client_cert_cb != NULL)
10992139Sjp161948 i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
11002139Sjp161948 if (i < 0)
11012139Sjp161948 {
11022139Sjp161948 s->rwstate=SSL_X509_LOOKUP;
11032139Sjp161948 return(-1);
11042139Sjp161948 }
11052139Sjp161948 s->rwstate=SSL_NOTHING;
11062139Sjp161948 if ((i == 1) && (pkey != NULL) && (x509 != NULL))
11072139Sjp161948 {
11082139Sjp161948 s->state=SSL3_ST_CW_CERT_B;
11092139Sjp161948 if ( !SSL_use_certificate(s,x509) ||
11102139Sjp161948 !SSL_use_PrivateKey(s,pkey))
11112139Sjp161948 i=0;
11122139Sjp161948 }
11132139Sjp161948 else if (i == 1)
11142139Sjp161948 {
11152139Sjp161948 i=0;
11162139Sjp161948 SSLerr(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
11172139Sjp161948 }
11182139Sjp161948
11192139Sjp161948 if (x509 != NULL) X509_free(x509);
11202139Sjp161948 if (pkey != NULL) EVP_PKEY_free(pkey);
11212139Sjp161948 if (i == 0)
11222139Sjp161948 {
11232139Sjp161948 if (s->version == SSL3_VERSION)
11242139Sjp161948 {
11252139Sjp161948 s->s3->tmp.cert_req=0;
11262139Sjp161948 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
11272139Sjp161948 return(1);
11282139Sjp161948 }
11292139Sjp161948 else
11302139Sjp161948 {
11312139Sjp161948 s->s3->tmp.cert_req=2;
11322139Sjp161948 }
11332139Sjp161948 }
11342139Sjp161948
11352139Sjp161948 /* Ok, we have a cert */
11362139Sjp161948 s->state=SSL3_ST_CW_CERT_C;
11372139Sjp161948 }
11382139Sjp161948
11392139Sjp161948 if (s->state == SSL3_ST_CW_CERT_C)
11402139Sjp161948 {
11412139Sjp161948 s->state=SSL3_ST_CW_CERT_D;
11422139Sjp161948 l=dtls1_output_cert_chain(s,
11432139Sjp161948 (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
11442139Sjp161948 s->init_num=(int)l;
11452139Sjp161948 s->init_off=0;
11462139Sjp161948
11472139Sjp161948 /* set header called by dtls1_output_cert_chain() */
11482139Sjp161948
11492139Sjp161948 /* buffer the message to handle re-xmits */
11502139Sjp161948 dtls1_buffer_message(s, 0);
11512139Sjp161948 }
11522139Sjp161948 /* SSL3_ST_CW_CERT_D */
11532139Sjp161948 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
11542139Sjp161948 }
11552139Sjp161948
11562139Sjp161948
1157