12139Sjp161948 /* ssl/d1_srvr.c */
22139Sjp161948 /*
32139Sjp161948 * DTLS implementation written by Nagendra Modadugu
42139Sjp161948 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
52139Sjp161948 */
62139Sjp161948 /* ====================================================================
72139Sjp161948 * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
82139Sjp161948 *
92139Sjp161948 * Redistribution and use in source and binary forms, with or without
102139Sjp161948 * modification, are permitted provided that the following conditions
112139Sjp161948 * are met:
122139Sjp161948 *
132139Sjp161948 * 1. Redistributions of source code must retain the above copyright
142139Sjp161948 * notice, this list of conditions and the following disclaimer.
152139Sjp161948 *
162139Sjp161948 * 2. Redistributions in binary form must reproduce the above copyright
172139Sjp161948 * notice, this list of conditions and the following disclaimer in
182139Sjp161948 * the documentation and/or other materials provided with the
192139Sjp161948 * distribution.
202139Sjp161948 *
212139Sjp161948 * 3. All advertising materials mentioning features or use of this
222139Sjp161948 * software must display the following acknowledgment:
232139Sjp161948 * "This product includes software developed by the OpenSSL Project
242139Sjp161948 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
252139Sjp161948 *
262139Sjp161948 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
272139Sjp161948 * endorse or promote products derived from this software without
282139Sjp161948 * prior written permission. For written permission, please contact
292139Sjp161948 * openssl-core@OpenSSL.org.
302139Sjp161948 *
312139Sjp161948 * 5. Products derived from this software may not be called "OpenSSL"
322139Sjp161948 * nor may "OpenSSL" appear in their names without prior written
332139Sjp161948 * permission of the OpenSSL Project.
342139Sjp161948 *
352139Sjp161948 * 6. Redistributions of any form whatsoever must retain the following
362139Sjp161948 * acknowledgment:
372139Sjp161948 * "This product includes software developed by the OpenSSL Project
382139Sjp161948 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
392139Sjp161948 *
402139Sjp161948 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
412139Sjp161948 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
422139Sjp161948 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
432139Sjp161948 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
442139Sjp161948 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
452139Sjp161948 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
462139Sjp161948 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
472139Sjp161948 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
482139Sjp161948 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
492139Sjp161948 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
502139Sjp161948 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
512139Sjp161948 * OF THE POSSIBILITY OF SUCH DAMAGE.
522139Sjp161948 * ====================================================================
532139Sjp161948 *
542139Sjp161948 * This product includes cryptographic software written by Eric Young
552139Sjp161948 * (eay@cryptsoft.com). This product includes software written by Tim
562139Sjp161948 * Hudson (tjh@cryptsoft.com).
572139Sjp161948 *
582139Sjp161948 */
592139Sjp161948 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
602139Sjp161948 * All rights reserved.
612139Sjp161948 *
622139Sjp161948 * This package is an SSL implementation written
632139Sjp161948 * by Eric Young (eay@cryptsoft.com).
642139Sjp161948 * The implementation was written so as to conform with Netscapes SSL.
652139Sjp161948 *
662139Sjp161948 * This library is free for commercial and non-commercial use as long as
672139Sjp161948 * the following conditions are aheared to. The following conditions
682139Sjp161948 * apply to all code found in this distribution, be it the RC4, RSA,
692139Sjp161948 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
702139Sjp161948 * included with this distribution is covered by the same copyright terms
712139Sjp161948 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
722139Sjp161948 *
732139Sjp161948 * Copyright remains Eric Young's, and as such any Copyright notices in
742139Sjp161948 * the code are not to be removed.
752139Sjp161948 * If this package is used in a product, Eric Young should be given attribution
762139Sjp161948 * as the author of the parts of the library used.
772139Sjp161948 * This can be in the form of a textual message at program startup or
782139Sjp161948 * in documentation (online or textual) provided with the package.
792139Sjp161948 *
802139Sjp161948 * Redistribution and use in source and binary forms, with or without
812139Sjp161948 * modification, are permitted provided that the following conditions
822139Sjp161948 * are met:
832139Sjp161948 * 1. Redistributions of source code must retain the copyright
842139Sjp161948 * notice, this list of conditions and the following disclaimer.
852139Sjp161948 * 2. Redistributions in binary form must reproduce the above copyright
862139Sjp161948 * notice, this list of conditions and the following disclaimer in the
872139Sjp161948 * documentation and/or other materials provided with the distribution.
882139Sjp161948 * 3. All advertising materials mentioning features or use of this software
892139Sjp161948 * must display the following acknowledgement:
902139Sjp161948 * "This product includes cryptographic software written by
912139Sjp161948 * Eric Young (eay@cryptsoft.com)"
922139Sjp161948 * The word 'cryptographic' can be left out if the rouines from the library
932139Sjp161948 * being used are not cryptographic related :-).
942139Sjp161948 * 4. If you include any Windows specific code (or a derivative thereof) from
952139Sjp161948 * the apps directory (application code) you must include an acknowledgement:
962139Sjp161948 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
972139Sjp161948 *
982139Sjp161948 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
992139Sjp161948 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1002139Sjp161948 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1012139Sjp161948 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
1022139Sjp161948 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1032139Sjp161948 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1042139Sjp161948 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1052139Sjp161948 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1062139Sjp161948 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1072139Sjp161948 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1082139Sjp161948 * SUCH DAMAGE.
1092139Sjp161948 *
1102139Sjp161948 * The licence and distribution terms for any publically available version or
1112139Sjp161948 * derivative of this code cannot be changed. i.e. this code cannot simply be
1122139Sjp161948 * copied and put under another distribution licence
1132139Sjp161948 * [including the GNU Public Licence.]
1142139Sjp161948 */
1152139Sjp161948
1162139Sjp161948 #include <stdio.h>
1172139Sjp161948 #include "ssl_locl.h"
1182139Sjp161948 #include <openssl/buffer.h>
1192139Sjp161948 #include <openssl/rand.h>
1202139Sjp161948 #include <openssl/objects.h>
1212139Sjp161948 #include <openssl/evp.h>
1222139Sjp161948 #include <openssl/x509.h>
1232139Sjp161948 #include <openssl/md5.h>
1242139Sjp161948 #ifndef OPENSSL_NO_DH
1252139Sjp161948 #include <openssl/dh.h>
1262139Sjp161948 #endif
1272139Sjp161948
1282139Sjp161948 static SSL_METHOD *dtls1_get_server_method(int ver);
1292139Sjp161948 static int dtls1_send_hello_verify_request(SSL *s);
1302139Sjp161948
dtls1_get_server_method(int ver)1312139Sjp161948 static SSL_METHOD *dtls1_get_server_method(int ver)
1322139Sjp161948 {
1332139Sjp161948 if (ver == DTLS1_VERSION)
1342139Sjp161948 return(DTLSv1_server_method());
1352139Sjp161948 else
1362139Sjp161948 return(NULL);
1372139Sjp161948 }
1382139Sjp161948
IMPLEMENT_dtls1_meth_func(DTLSv1_server_method,dtls1_accept,ssl_undefined_function,dtls1_get_server_method)1392139Sjp161948 IMPLEMENT_dtls1_meth_func(DTLSv1_server_method,
1402139Sjp161948 dtls1_accept,
1412139Sjp161948 ssl_undefined_function,
1422139Sjp161948 dtls1_get_server_method)
1432139Sjp161948
1442139Sjp161948 int dtls1_accept(SSL *s)
1452139Sjp161948 {
1462139Sjp161948 BUF_MEM *buf;
147*5434Sjp161948 unsigned long l,Time=(unsigned long)time(NULL);
1482139Sjp161948 void (*cb)(const SSL *ssl,int type,int val)=NULL;
1492139Sjp161948 long num1;
1502139Sjp161948 int ret= -1;
1512139Sjp161948 int new_state,state,skip=0;
1522139Sjp161948
1532139Sjp161948 RAND_add(&Time,sizeof(Time),0);
1542139Sjp161948 ERR_clear_error();
1552139Sjp161948 clear_sys_error();
1562139Sjp161948
1572139Sjp161948 if (s->info_callback != NULL)
1582139Sjp161948 cb=s->info_callback;
1592139Sjp161948 else if (s->ctx->info_callback != NULL)
1602139Sjp161948 cb=s->ctx->info_callback;
1612139Sjp161948
1622139Sjp161948 /* init things to blank */
1632139Sjp161948 s->in_handshake++;
1642139Sjp161948 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
1652139Sjp161948
1662139Sjp161948 if (s->cert == NULL)
1672139Sjp161948 {
1682139Sjp161948 SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
1692139Sjp161948 return(-1);
1702139Sjp161948 }
1712139Sjp161948
1722139Sjp161948 for (;;)
1732139Sjp161948 {
1742139Sjp161948 state=s->state;
1752139Sjp161948
1762139Sjp161948 switch (s->state)
1772139Sjp161948 {
1782139Sjp161948 case SSL_ST_RENEGOTIATE:
1792139Sjp161948 s->new_session=1;
1802139Sjp161948 /* s->state=SSL_ST_ACCEPT; */
1812139Sjp161948
1822139Sjp161948 case SSL_ST_BEFORE:
1832139Sjp161948 case SSL_ST_ACCEPT:
1842139Sjp161948 case SSL_ST_BEFORE|SSL_ST_ACCEPT:
1852139Sjp161948 case SSL_ST_OK|SSL_ST_ACCEPT:
1862139Sjp161948
1872139Sjp161948 s->server=1;
1882139Sjp161948 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
1892139Sjp161948
1902139Sjp161948 if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00))
1912139Sjp161948 {
1922139Sjp161948 SSLerr(SSL_F_DTLS1_ACCEPT, ERR_R_INTERNAL_ERROR);
1932139Sjp161948 return -1;
1942139Sjp161948 }
1952139Sjp161948 s->type=SSL_ST_ACCEPT;
1962139Sjp161948
1972139Sjp161948 if (s->init_buf == NULL)
1982139Sjp161948 {
1992139Sjp161948 if ((buf=BUF_MEM_new()) == NULL)
2002139Sjp161948 {
2012139Sjp161948 ret= -1;
2022139Sjp161948 goto end;
2032139Sjp161948 }
2042139Sjp161948 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
2052139Sjp161948 {
2062139Sjp161948 ret= -1;
2072139Sjp161948 goto end;
2082139Sjp161948 }
2092139Sjp161948 s->init_buf=buf;
2102139Sjp161948 }
2112139Sjp161948
2122139Sjp161948 if (!ssl3_setup_buffers(s))
2132139Sjp161948 {
2142139Sjp161948 ret= -1;
2152139Sjp161948 goto end;
2162139Sjp161948 }
2172139Sjp161948
2182139Sjp161948 s->init_num=0;
2192139Sjp161948
2202139Sjp161948 if (s->state != SSL_ST_RENEGOTIATE)
2212139Sjp161948 {
2222139Sjp161948 /* Ok, we now need to push on a buffering BIO so that
2232139Sjp161948 * the output is sent in a way that TCP likes :-)
2242139Sjp161948 */
2252139Sjp161948 if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
2262139Sjp161948
2272139Sjp161948 ssl3_init_finished_mac(s);
2282139Sjp161948 s->state=SSL3_ST_SR_CLNT_HELLO_A;
2292139Sjp161948 s->ctx->stats.sess_accept++;
2302139Sjp161948 }
2312139Sjp161948 else
2322139Sjp161948 {
2332139Sjp161948 /* s->state == SSL_ST_RENEGOTIATE,
2342139Sjp161948 * we will just send a HelloRequest */
2352139Sjp161948 s->ctx->stats.sess_accept_renegotiate++;
2362139Sjp161948 s->state=SSL3_ST_SW_HELLO_REQ_A;
2372139Sjp161948 }
2382139Sjp161948
2392139Sjp161948 if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
2402139Sjp161948 s->d1->send_cookie = 1;
2412139Sjp161948 else
2422139Sjp161948 s->d1->send_cookie = 0;
2432139Sjp161948
2442139Sjp161948 break;
2452139Sjp161948
2462139Sjp161948 case SSL3_ST_SW_HELLO_REQ_A:
2472139Sjp161948 case SSL3_ST_SW_HELLO_REQ_B:
2482139Sjp161948
2492139Sjp161948 s->shutdown=0;
2502139Sjp161948 ret=dtls1_send_hello_request(s);
2512139Sjp161948 if (ret <= 0) goto end;
2522139Sjp161948 s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
2532139Sjp161948 s->state=SSL3_ST_SW_FLUSH;
2542139Sjp161948 s->init_num=0;
2552139Sjp161948
2562139Sjp161948 ssl3_init_finished_mac(s);
2572139Sjp161948 break;
2582139Sjp161948
2592139Sjp161948 case SSL3_ST_SW_HELLO_REQ_C:
2602139Sjp161948 s->state=SSL_ST_OK;
2612139Sjp161948 break;
2622139Sjp161948
2632139Sjp161948 case SSL3_ST_SR_CLNT_HELLO_A:
2642139Sjp161948 case SSL3_ST_SR_CLNT_HELLO_B:
2652139Sjp161948 case SSL3_ST_SR_CLNT_HELLO_C:
2662139Sjp161948
2672139Sjp161948 s->shutdown=0;
2682139Sjp161948 ret=ssl3_get_client_hello(s);
2692139Sjp161948 if (ret <= 0) goto end;
2702139Sjp161948 s->new_session = 2;
2712139Sjp161948
2722139Sjp161948 if ( s->d1->send_cookie)
2732139Sjp161948 s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
2742139Sjp161948 else
2752139Sjp161948 s->state = SSL3_ST_SW_SRVR_HELLO_A;
2762139Sjp161948
2772139Sjp161948 s->init_num=0;
2782139Sjp161948 break;
2792139Sjp161948
2802139Sjp161948 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
2812139Sjp161948 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
2822139Sjp161948
2832139Sjp161948 ret = dtls1_send_hello_verify_request(s);
2842139Sjp161948 if ( ret <= 0) goto end;
2852139Sjp161948 s->d1->send_cookie = 0;
2862139Sjp161948 s->state=SSL3_ST_SW_FLUSH;
2872139Sjp161948 s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A;
288*5434Sjp161948
289*5434Sjp161948 /* HelloVerifyRequests resets Finished MAC */
290*5434Sjp161948 if (s->client_version != DTLS1_BAD_VER)
291*5434Sjp161948 ssl3_init_finished_mac(s);
2922139Sjp161948 break;
2932139Sjp161948
2942139Sjp161948 case SSL3_ST_SW_SRVR_HELLO_A:
2952139Sjp161948 case SSL3_ST_SW_SRVR_HELLO_B:
2962139Sjp161948 ret=dtls1_send_server_hello(s);
2972139Sjp161948 if (ret <= 0) goto end;
2982139Sjp161948
2992139Sjp161948 if (s->hit)
3002139Sjp161948 s->state=SSL3_ST_SW_CHANGE_A;
3012139Sjp161948 else
3022139Sjp161948 s->state=SSL3_ST_SW_CERT_A;
3032139Sjp161948 s->init_num=0;
3042139Sjp161948 break;
3052139Sjp161948
3062139Sjp161948 case SSL3_ST_SW_CERT_A:
3072139Sjp161948 case SSL3_ST_SW_CERT_B:
3082139Sjp161948 /* Check if it is anon DH */
3092139Sjp161948 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
3102139Sjp161948 {
3112139Sjp161948 ret=dtls1_send_server_certificate(s);
3122139Sjp161948 if (ret <= 0) goto end;
3132139Sjp161948 }
3142139Sjp161948 else
3152139Sjp161948 skip=1;
3162139Sjp161948 s->state=SSL3_ST_SW_KEY_EXCH_A;
3172139Sjp161948 s->init_num=0;
3182139Sjp161948 break;
3192139Sjp161948
3202139Sjp161948 case SSL3_ST_SW_KEY_EXCH_A:
3212139Sjp161948 case SSL3_ST_SW_KEY_EXCH_B:
3222139Sjp161948 l=s->s3->tmp.new_cipher->algorithms;
3232139Sjp161948
3242139Sjp161948 /* clear this, it may get reset by
3252139Sjp161948 * send_server_key_exchange */
3262139Sjp161948 if ((s->options & SSL_OP_EPHEMERAL_RSA)
3272139Sjp161948 #ifndef OPENSSL_NO_KRB5
3282139Sjp161948 && !(l & SSL_KRB5)
3292139Sjp161948 #endif /* OPENSSL_NO_KRB5 */
3302139Sjp161948 )
3312139Sjp161948 /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
3322139Sjp161948 * even when forbidden by protocol specs
3332139Sjp161948 * (handshake may fail as clients are not required to
3342139Sjp161948 * be able to handle this) */
3352139Sjp161948 s->s3->tmp.use_rsa_tmp=1;
3362139Sjp161948 else
3372139Sjp161948 s->s3->tmp.use_rsa_tmp=0;
3382139Sjp161948
3392139Sjp161948 /* only send if a DH key exchange, fortezza or
3402139Sjp161948 * RSA but we have a sign only certificate */
3412139Sjp161948 if (s->s3->tmp.use_rsa_tmp
3422139Sjp161948 || (l & (SSL_DH|SSL_kFZA))
3432139Sjp161948 || ((l & SSL_kRSA)
3442139Sjp161948 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
3452139Sjp161948 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
3462139Sjp161948 && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
3472139Sjp161948 )
3482139Sjp161948 )
3492139Sjp161948 )
3502139Sjp161948 )
3512139Sjp161948 {
3522139Sjp161948 ret=dtls1_send_server_key_exchange(s);
3532139Sjp161948 if (ret <= 0) goto end;
3542139Sjp161948 }
3552139Sjp161948 else
3562139Sjp161948 skip=1;
3572139Sjp161948
3582139Sjp161948 s->state=SSL3_ST_SW_CERT_REQ_A;
3592139Sjp161948 s->init_num=0;
3602139Sjp161948 break;
3612139Sjp161948
3622139Sjp161948 case SSL3_ST_SW_CERT_REQ_A:
3632139Sjp161948 case SSL3_ST_SW_CERT_REQ_B:
3642139Sjp161948 if (/* don't request cert unless asked for it: */
3652139Sjp161948 !(s->verify_mode & SSL_VERIFY_PEER) ||
3662139Sjp161948 /* if SSL_VERIFY_CLIENT_ONCE is set,
3672139Sjp161948 * don't request cert during re-negotiation: */
3682139Sjp161948 ((s->session->peer != NULL) &&
3692139Sjp161948 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
3702139Sjp161948 /* never request cert in anonymous ciphersuites
3712139Sjp161948 * (see section "Certificate request" in SSL 3 drafts
3722139Sjp161948 * and in RFC 2246): */
3732139Sjp161948 ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) &&
3742139Sjp161948 /* ... except when the application insists on verification
3752139Sjp161948 * (against the specs, but s3_clnt.c accepts this for SSL 3) */
3762139Sjp161948 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
3772139Sjp161948 /* never request cert in Kerberos ciphersuites */
3782139Sjp161948 (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5))
3792139Sjp161948 {
3802139Sjp161948 /* no cert request */
3812139Sjp161948 skip=1;
3822139Sjp161948 s->s3->tmp.cert_request=0;
3832139Sjp161948 s->state=SSL3_ST_SW_SRVR_DONE_A;
3842139Sjp161948 }
3852139Sjp161948 else
3862139Sjp161948 {
3872139Sjp161948 s->s3->tmp.cert_request=1;
3882139Sjp161948 ret=dtls1_send_certificate_request(s);
3892139Sjp161948 if (ret <= 0) goto end;
3902139Sjp161948 #ifndef NETSCAPE_HANG_BUG
3912139Sjp161948 s->state=SSL3_ST_SW_SRVR_DONE_A;
3922139Sjp161948 #else
3932139Sjp161948 s->state=SSL3_ST_SW_FLUSH;
3942139Sjp161948 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
3952139Sjp161948 #endif
3962139Sjp161948 s->init_num=0;
3972139Sjp161948 }
3982139Sjp161948 break;
3992139Sjp161948
4002139Sjp161948 case SSL3_ST_SW_SRVR_DONE_A:
4012139Sjp161948 case SSL3_ST_SW_SRVR_DONE_B:
4022139Sjp161948 ret=dtls1_send_server_done(s);
4032139Sjp161948 if (ret <= 0) goto end;
4042139Sjp161948 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
4052139Sjp161948 s->state=SSL3_ST_SW_FLUSH;
4062139Sjp161948 s->init_num=0;
4072139Sjp161948 break;
4082139Sjp161948
4092139Sjp161948 case SSL3_ST_SW_FLUSH:
4102139Sjp161948 /* number of bytes to be flushed */
4112139Sjp161948 num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
4122139Sjp161948 if (num1 > 0)
4132139Sjp161948 {
4142139Sjp161948 s->rwstate=SSL_WRITING;
4152139Sjp161948 num1=BIO_flush(s->wbio);
4162139Sjp161948 if (num1 <= 0) { ret= -1; goto end; }
4172139Sjp161948 s->rwstate=SSL_NOTHING;
4182139Sjp161948 }
4192139Sjp161948
4202139Sjp161948 s->state=s->s3->tmp.next_state;
4212139Sjp161948 break;
4222139Sjp161948
4232139Sjp161948 case SSL3_ST_SR_CERT_A:
4242139Sjp161948 case SSL3_ST_SR_CERT_B:
4252139Sjp161948 /* Check for second client hello (MS SGC) */
4262139Sjp161948 ret = ssl3_check_client_hello(s);
4272139Sjp161948 if (ret <= 0)
4282139Sjp161948 goto end;
4292139Sjp161948 if (ret == 2)
4302139Sjp161948 s->state = SSL3_ST_SR_CLNT_HELLO_C;
4312139Sjp161948 else {
4322139Sjp161948 /* could be sent for a DH cert, even if we
4332139Sjp161948 * have not asked for it :-) */
4342139Sjp161948 ret=ssl3_get_client_certificate(s);
4352139Sjp161948 if (ret <= 0) goto end;
4362139Sjp161948 s->init_num=0;
4372139Sjp161948 s->state=SSL3_ST_SR_KEY_EXCH_A;
4382139Sjp161948 }
4392139Sjp161948 break;
4402139Sjp161948
4412139Sjp161948 case SSL3_ST_SR_KEY_EXCH_A:
4422139Sjp161948 case SSL3_ST_SR_KEY_EXCH_B:
4432139Sjp161948 ret=ssl3_get_client_key_exchange(s);
4442139Sjp161948 if (ret <= 0) goto end;
4452139Sjp161948 s->state=SSL3_ST_SR_CERT_VRFY_A;
4462139Sjp161948 s->init_num=0;
4472139Sjp161948
4482139Sjp161948 /* We need to get hashes here so if there is
4492139Sjp161948 * a client cert, it can be verified */
4502139Sjp161948 s->method->ssl3_enc->cert_verify_mac(s,
4512139Sjp161948 &(s->s3->finish_dgst1),
4522139Sjp161948 &(s->s3->tmp.cert_verify_md[0]));
4532139Sjp161948 s->method->ssl3_enc->cert_verify_mac(s,
4542139Sjp161948 &(s->s3->finish_dgst2),
4552139Sjp161948 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
4562139Sjp161948
4572139Sjp161948 break;
4582139Sjp161948
4592139Sjp161948 case SSL3_ST_SR_CERT_VRFY_A:
4602139Sjp161948 case SSL3_ST_SR_CERT_VRFY_B:
4612139Sjp161948
4622139Sjp161948 /* we should decide if we expected this one */
4632139Sjp161948 ret=ssl3_get_cert_verify(s);
4642139Sjp161948 if (ret <= 0) goto end;
4652139Sjp161948
4662139Sjp161948 s->state=SSL3_ST_SR_FINISHED_A;
4672139Sjp161948 s->init_num=0;
4682139Sjp161948 break;
4692139Sjp161948
4702139Sjp161948 case SSL3_ST_SR_FINISHED_A:
4712139Sjp161948 case SSL3_ST_SR_FINISHED_B:
4722139Sjp161948 ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
4732139Sjp161948 SSL3_ST_SR_FINISHED_B);
4742139Sjp161948 if (ret <= 0) goto end;
4752139Sjp161948 if (s->hit)
4762139Sjp161948 s->state=SSL_ST_OK;
4772139Sjp161948 else
4782139Sjp161948 s->state=SSL3_ST_SW_CHANGE_A;
4792139Sjp161948 s->init_num=0;
4802139Sjp161948 break;
4812139Sjp161948
4822139Sjp161948 case SSL3_ST_SW_CHANGE_A:
4832139Sjp161948 case SSL3_ST_SW_CHANGE_B:
4842139Sjp161948
4852139Sjp161948 s->session->cipher=s->s3->tmp.new_cipher;
4862139Sjp161948 if (!s->method->ssl3_enc->setup_key_block(s))
4872139Sjp161948 { ret= -1; goto end; }
4882139Sjp161948
4892139Sjp161948 ret=dtls1_send_change_cipher_spec(s,
4902139Sjp161948 SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B);
4912139Sjp161948
4922139Sjp161948 if (ret <= 0) goto end;
4932139Sjp161948 s->state=SSL3_ST_SW_FINISHED_A;
4942139Sjp161948 s->init_num=0;
4952139Sjp161948
4962139Sjp161948 if (!s->method->ssl3_enc->change_cipher_state(s,
4972139Sjp161948 SSL3_CHANGE_CIPHER_SERVER_WRITE))
4982139Sjp161948 {
4992139Sjp161948 ret= -1;
5002139Sjp161948 goto end;
5012139Sjp161948 }
5022139Sjp161948
5032139Sjp161948 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
5042139Sjp161948 break;
5052139Sjp161948
5062139Sjp161948 case SSL3_ST_SW_FINISHED_A:
5072139Sjp161948 case SSL3_ST_SW_FINISHED_B:
5082139Sjp161948 ret=dtls1_send_finished(s,
5092139Sjp161948 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
5102139Sjp161948 s->method->ssl3_enc->server_finished_label,
5112139Sjp161948 s->method->ssl3_enc->server_finished_label_len);
5122139Sjp161948 if (ret <= 0) goto end;
5132139Sjp161948 s->state=SSL3_ST_SW_FLUSH;
5142139Sjp161948 if (s->hit)
5152139Sjp161948 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
5162139Sjp161948 else
5172139Sjp161948 s->s3->tmp.next_state=SSL_ST_OK;
5182139Sjp161948 s->init_num=0;
5192139Sjp161948 break;
5202139Sjp161948
5212139Sjp161948 case SSL_ST_OK:
5222139Sjp161948 /* clean a few things up */
5232139Sjp161948 ssl3_cleanup_key_block(s);
5242139Sjp161948
5252139Sjp161948 #if 0
5262139Sjp161948 BUF_MEM_free(s->init_buf);
5272139Sjp161948 s->init_buf=NULL;
5282139Sjp161948 #endif
5292139Sjp161948
5302139Sjp161948 /* remove buffering on output */
5312139Sjp161948 ssl_free_wbio_buffer(s);
5322139Sjp161948
5332139Sjp161948 s->init_num=0;
5342139Sjp161948
5352139Sjp161948 if (s->new_session == 2) /* skipped if we just sent a HelloRequest */
5362139Sjp161948 {
5372139Sjp161948 /* actually not necessarily a 'new' session unless
5382139Sjp161948 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
5392139Sjp161948
5402139Sjp161948 s->new_session=0;
5412139Sjp161948
5422139Sjp161948 ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
5432139Sjp161948
5442139Sjp161948 s->ctx->stats.sess_accept_good++;
5452139Sjp161948 /* s->server=1; */
5462139Sjp161948 s->handshake_func=dtls1_accept;
5472139Sjp161948
5482139Sjp161948 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
5492139Sjp161948 }
5502139Sjp161948
5512139Sjp161948 ret = 1;
5522139Sjp161948
5532139Sjp161948 /* done handshaking, next message is client hello */
5542139Sjp161948 s->d1->handshake_read_seq = 0;
5552139Sjp161948 /* next message is server hello */
5562139Sjp161948 s->d1->handshake_write_seq = 0;
5572139Sjp161948 goto end;
5582139Sjp161948 /* break; */
5592139Sjp161948
5602139Sjp161948 default:
5612139Sjp161948 SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_UNKNOWN_STATE);
5622139Sjp161948 ret= -1;
5632139Sjp161948 goto end;
5642139Sjp161948 /* break; */
5652139Sjp161948 }
5662139Sjp161948
5672139Sjp161948 if (!s->s3->tmp.reuse_message && !skip)
5682139Sjp161948 {
5692139Sjp161948 if (s->debug)
5702139Sjp161948 {
5712139Sjp161948 if ((ret=BIO_flush(s->wbio)) <= 0)
5722139Sjp161948 goto end;
5732139Sjp161948 }
5742139Sjp161948
5752139Sjp161948
5762139Sjp161948 if ((cb != NULL) && (s->state != state))
5772139Sjp161948 {
5782139Sjp161948 new_state=s->state;
5792139Sjp161948 s->state=state;
5802139Sjp161948 cb(s,SSL_CB_ACCEPT_LOOP,1);
5812139Sjp161948 s->state=new_state;
5822139Sjp161948 }
5832139Sjp161948 }
5842139Sjp161948 skip=0;
5852139Sjp161948 }
5862139Sjp161948 end:
5872139Sjp161948 /* BIO_flush(s->wbio); */
5882139Sjp161948
5892139Sjp161948 s->in_handshake--;
5902139Sjp161948 if (cb != NULL)
5912139Sjp161948 cb(s,SSL_CB_ACCEPT_EXIT,ret);
5922139Sjp161948 return(ret);
5932139Sjp161948 }
5942139Sjp161948
dtls1_send_hello_request(SSL * s)5952139Sjp161948 int dtls1_send_hello_request(SSL *s)
5962139Sjp161948 {
5972139Sjp161948 unsigned char *p;
5982139Sjp161948
5992139Sjp161948 if (s->state == SSL3_ST_SW_HELLO_REQ_A)
6002139Sjp161948 {
6012139Sjp161948 p=(unsigned char *)s->init_buf->data;
6022139Sjp161948 p = dtls1_set_message_header(s, p, SSL3_MT_HELLO_REQUEST, 0, 0, 0);
6032139Sjp161948
6042139Sjp161948 s->state=SSL3_ST_SW_HELLO_REQ_B;
6052139Sjp161948 /* number of bytes to write */
6062139Sjp161948 s->init_num=DTLS1_HM_HEADER_LENGTH;
6072139Sjp161948 s->init_off=0;
6082139Sjp161948
6092139Sjp161948 /* no need to buffer this message, since there are no retransmit
6102139Sjp161948 * requests for it */
6112139Sjp161948 }
6122139Sjp161948
6132139Sjp161948 /* SSL3_ST_SW_HELLO_REQ_B */
6142139Sjp161948 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
6152139Sjp161948 }
6162139Sjp161948
dtls1_send_hello_verify_request(SSL * s)6172139Sjp161948 int dtls1_send_hello_verify_request(SSL *s)
6182139Sjp161948 {
6192139Sjp161948 unsigned int msg_len;
6202139Sjp161948 unsigned char *msg, *buf, *p;
6212139Sjp161948
6222139Sjp161948 if (s->state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A)
6232139Sjp161948 {
6242139Sjp161948 buf = (unsigned char *)s->init_buf->data;
6252139Sjp161948
6262139Sjp161948 msg = p = &(buf[DTLS1_HM_HEADER_LENGTH]);
627*5434Sjp161948 if (s->client_version == DTLS1_BAD_VER)
628*5434Sjp161948 *(p++) = DTLS1_BAD_VER>>8,
629*5434Sjp161948 *(p++) = DTLS1_BAD_VER&0xff;
630*5434Sjp161948 else
631*5434Sjp161948 *(p++) = s->version >> 8,
632*5434Sjp161948 *(p++) = s->version & 0xFF;
633*5434Sjp161948
634*5434Sjp161948 if (s->ctx->app_gen_cookie_cb != NULL &&
635*5434Sjp161948 s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
636*5434Sjp161948 &(s->d1->cookie_len)) == 0)
637*5434Sjp161948 {
638*5434Sjp161948 SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,ERR_R_INTERNAL_ERROR);
639*5434Sjp161948 return 0;
640*5434Sjp161948 }
641*5434Sjp161948 /* else the cookie is assumed to have
642*5434Sjp161948 * been initialized by the application */
6432139Sjp161948
6442139Sjp161948 *(p++) = (unsigned char) s->d1->cookie_len;
6452139Sjp161948 memcpy(p, s->d1->cookie, s->d1->cookie_len);
6462139Sjp161948 p += s->d1->cookie_len;
6472139Sjp161948 msg_len = p - msg;
6482139Sjp161948
6492139Sjp161948 dtls1_set_message_header(s, buf,
6502139Sjp161948 DTLS1_MT_HELLO_VERIFY_REQUEST, msg_len, 0, msg_len);
6512139Sjp161948
6522139Sjp161948 s->state=DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B;
6532139Sjp161948 /* number of bytes to write */
6542139Sjp161948 s->init_num=p-buf;
6552139Sjp161948 s->init_off=0;
6562139Sjp161948
6572139Sjp161948 /* buffer the message to handle re-xmits */
6582139Sjp161948 dtls1_buffer_message(s, 0);
6592139Sjp161948 }
6602139Sjp161948
6612139Sjp161948 /* s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */
6622139Sjp161948 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
6632139Sjp161948 }
6642139Sjp161948
dtls1_send_server_hello(SSL * s)6652139Sjp161948 int dtls1_send_server_hello(SSL *s)
6662139Sjp161948 {
6672139Sjp161948 unsigned char *buf;
6682139Sjp161948 unsigned char *p,*d;
6692139Sjp161948 int i;
6702139Sjp161948 unsigned int sl;
6712139Sjp161948 unsigned long l,Time;
6722139Sjp161948
6732139Sjp161948 if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
6742139Sjp161948 {
6752139Sjp161948 buf=(unsigned char *)s->init_buf->data;
6762139Sjp161948 p=s->s3->server_random;
677*5434Sjp161948 Time=(unsigned long)time(NULL); /* Time */
6782139Sjp161948 l2n(Time,p);
6792139Sjp161948 RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
6802139Sjp161948 /* Do the message type and length last */
6812139Sjp161948 d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
6822139Sjp161948
683*5434Sjp161948 if (s->client_version == DTLS1_BAD_VER)
684*5434Sjp161948 *(p++)=DTLS1_BAD_VER>>8,
685*5434Sjp161948 *(p++)=DTLS1_BAD_VER&0xff;
686*5434Sjp161948 else
687*5434Sjp161948 *(p++)=s->version>>8,
688*5434Sjp161948 *(p++)=s->version&0xff;
6892139Sjp161948
6902139Sjp161948 /* Random stuff */
6912139Sjp161948 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
6922139Sjp161948 p+=SSL3_RANDOM_SIZE;
6932139Sjp161948
6942139Sjp161948 /* now in theory we have 3 options to sending back the
6952139Sjp161948 * session id. If it is a re-use, we send back the
6962139Sjp161948 * old session-id, if it is a new session, we send
6972139Sjp161948 * back the new session-id or we send back a 0 length
6982139Sjp161948 * session-id if we want it to be single use.
6992139Sjp161948 * Currently I will not implement the '0' length session-id
7002139Sjp161948 * 12-Jan-98 - I'll now support the '0' length stuff.
7012139Sjp161948 */
7022139Sjp161948 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER))
7032139Sjp161948 s->session->session_id_length=0;
7042139Sjp161948
7052139Sjp161948 sl=s->session->session_id_length;
7062139Sjp161948 if (sl > sizeof s->session->session_id)
7072139Sjp161948 {
7082139Sjp161948 SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
7092139Sjp161948 return -1;
7102139Sjp161948 }
7112139Sjp161948 *(p++)=sl;
7122139Sjp161948 memcpy(p,s->session->session_id,sl);
7132139Sjp161948 p+=sl;
7142139Sjp161948
7152139Sjp161948 /* put the cipher */
7162139Sjp161948 i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p);
7172139Sjp161948 p+=i;
7182139Sjp161948
7192139Sjp161948 /* put the compression method */
7202139Sjp161948 #ifdef OPENSSL_NO_COMP
7212139Sjp161948 *(p++)=0;
7222139Sjp161948 #else
7232139Sjp161948 if (s->s3->tmp.new_compression == NULL)
7242139Sjp161948 *(p++)=0;
7252139Sjp161948 else
7262139Sjp161948 *(p++)=s->s3->tmp.new_compression->id;
7272139Sjp161948 #endif
7282139Sjp161948
7292139Sjp161948 /* do the header */
7302139Sjp161948 l=(p-d);
7312139Sjp161948 d=buf;
7322139Sjp161948
7332139Sjp161948 d = dtls1_set_message_header(s, d, SSL3_MT_SERVER_HELLO, l, 0, l);
7342139Sjp161948
7352139Sjp161948 s->state=SSL3_ST_CW_CLNT_HELLO_B;
7362139Sjp161948 /* number of bytes to write */
7372139Sjp161948 s->init_num=p-buf;
7382139Sjp161948 s->init_off=0;
7392139Sjp161948
7402139Sjp161948 /* buffer the message to handle re-xmits */
7412139Sjp161948 dtls1_buffer_message(s, 0);
7422139Sjp161948 }
7432139Sjp161948
7442139Sjp161948 /* SSL3_ST_CW_CLNT_HELLO_B */
7452139Sjp161948 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
7462139Sjp161948 }
7472139Sjp161948
dtls1_send_server_done(SSL * s)7482139Sjp161948 int dtls1_send_server_done(SSL *s)
7492139Sjp161948 {
7502139Sjp161948 unsigned char *p;
7512139Sjp161948
7522139Sjp161948 if (s->state == SSL3_ST_SW_SRVR_DONE_A)
7532139Sjp161948 {
7542139Sjp161948 p=(unsigned char *)s->init_buf->data;
7552139Sjp161948
7562139Sjp161948 /* do the header */
7572139Sjp161948 p = dtls1_set_message_header(s, p, SSL3_MT_SERVER_DONE, 0, 0, 0);
7582139Sjp161948
7592139Sjp161948 s->state=SSL3_ST_SW_SRVR_DONE_B;
7602139Sjp161948 /* number of bytes to write */
7612139Sjp161948 s->init_num=DTLS1_HM_HEADER_LENGTH;
7622139Sjp161948 s->init_off=0;
7632139Sjp161948
7642139Sjp161948 /* buffer the message to handle re-xmits */
7652139Sjp161948 dtls1_buffer_message(s, 0);
7662139Sjp161948 }
7672139Sjp161948
7682139Sjp161948 /* SSL3_ST_CW_CLNT_HELLO_B */
7692139Sjp161948 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
7702139Sjp161948 }
7712139Sjp161948
dtls1_send_server_key_exchange(SSL * s)7722139Sjp161948 int dtls1_send_server_key_exchange(SSL *s)
7732139Sjp161948 {
7742139Sjp161948 #ifndef OPENSSL_NO_RSA
7752139Sjp161948 unsigned char *q;
7762139Sjp161948 int j,num;
7772139Sjp161948 RSA *rsa;
7782139Sjp161948 unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
7792139Sjp161948 unsigned int u;
7802139Sjp161948 #endif
7812139Sjp161948 #ifndef OPENSSL_NO_DH
7822139Sjp161948 DH *dh=NULL,*dhp;
7832139Sjp161948 #endif
7842139Sjp161948 EVP_PKEY *pkey;
7852139Sjp161948 unsigned char *p,*d;
7862139Sjp161948 int al,i;
7872139Sjp161948 unsigned long type;
7882139Sjp161948 int n;
7892139Sjp161948 CERT *cert;
7902139Sjp161948 BIGNUM *r[4];
7912139Sjp161948 int nr[4],kn;
7922139Sjp161948 BUF_MEM *buf;
7932139Sjp161948 EVP_MD_CTX md_ctx;
7942139Sjp161948
7952139Sjp161948 EVP_MD_CTX_init(&md_ctx);
7962139Sjp161948 if (s->state == SSL3_ST_SW_KEY_EXCH_A)
7972139Sjp161948 {
7982139Sjp161948 type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK;
7992139Sjp161948 cert=s->cert;
8002139Sjp161948
8012139Sjp161948 buf=s->init_buf;
8022139Sjp161948
8032139Sjp161948 r[0]=r[1]=r[2]=r[3]=NULL;
8042139Sjp161948 n=0;
8052139Sjp161948 #ifndef OPENSSL_NO_RSA
8062139Sjp161948 if (type & SSL_kRSA)
8072139Sjp161948 {
8082139Sjp161948 rsa=cert->rsa_tmp;
8092139Sjp161948 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL))
8102139Sjp161948 {
8112139Sjp161948 rsa=s->cert->rsa_tmp_cb(s,
8122139Sjp161948 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
8132139Sjp161948 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
8142139Sjp161948 if(rsa == NULL)
8152139Sjp161948 {
8162139Sjp161948 al=SSL_AD_HANDSHAKE_FAILURE;
8172139Sjp161948 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
8182139Sjp161948 goto f_err;
8192139Sjp161948 }
8202139Sjp161948 RSA_up_ref(rsa);
8212139Sjp161948 cert->rsa_tmp=rsa;
8222139Sjp161948 }
8232139Sjp161948 if (rsa == NULL)
8242139Sjp161948 {
8252139Sjp161948 al=SSL_AD_HANDSHAKE_FAILURE;
8262139Sjp161948 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY);
8272139Sjp161948 goto f_err;
8282139Sjp161948 }
8292139Sjp161948 r[0]=rsa->n;
8302139Sjp161948 r[1]=rsa->e;
8312139Sjp161948 s->s3->tmp.use_rsa_tmp=1;
8322139Sjp161948 }
8332139Sjp161948 else
8342139Sjp161948 #endif
8352139Sjp161948 #ifndef OPENSSL_NO_DH
8362139Sjp161948 if (type & SSL_kEDH)
8372139Sjp161948 {
8382139Sjp161948 dhp=cert->dh_tmp;
8392139Sjp161948 if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
8402139Sjp161948 dhp=s->cert->dh_tmp_cb(s,
8412139Sjp161948 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
8422139Sjp161948 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
8432139Sjp161948 if (dhp == NULL)
8442139Sjp161948 {
8452139Sjp161948 al=SSL_AD_HANDSHAKE_FAILURE;
8462139Sjp161948 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
8472139Sjp161948 goto f_err;
8482139Sjp161948 }
8492139Sjp161948
8502139Sjp161948 if (s->s3->tmp.dh != NULL)
8512139Sjp161948 {
8522139Sjp161948 DH_free(dh);
8532139Sjp161948 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
8542139Sjp161948 goto err;
8552139Sjp161948 }
8562139Sjp161948
8572139Sjp161948 if ((dh=DHparams_dup(dhp)) == NULL)
8582139Sjp161948 {
8592139Sjp161948 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
8602139Sjp161948 goto err;
8612139Sjp161948 }
8622139Sjp161948
8632139Sjp161948 s->s3->tmp.dh=dh;
8642139Sjp161948 if ((dhp->pub_key == NULL ||
8652139Sjp161948 dhp->priv_key == NULL ||
8662139Sjp161948 (s->options & SSL_OP_SINGLE_DH_USE)))
8672139Sjp161948 {
8682139Sjp161948 if(!DH_generate_key(dh))
8692139Sjp161948 {
8702139Sjp161948 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,
8712139Sjp161948 ERR_R_DH_LIB);
8722139Sjp161948 goto err;
8732139Sjp161948 }
8742139Sjp161948 }
8752139Sjp161948 else
8762139Sjp161948 {
8772139Sjp161948 dh->pub_key=BN_dup(dhp->pub_key);
8782139Sjp161948 dh->priv_key=BN_dup(dhp->priv_key);
8792139Sjp161948 if ((dh->pub_key == NULL) ||
8802139Sjp161948 (dh->priv_key == NULL))
8812139Sjp161948 {
8822139Sjp161948 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
8832139Sjp161948 goto err;
8842139Sjp161948 }
8852139Sjp161948 }
8862139Sjp161948 r[0]=dh->p;
8872139Sjp161948 r[1]=dh->g;
8882139Sjp161948 r[2]=dh->pub_key;
8892139Sjp161948 }
8902139Sjp161948 else
8912139Sjp161948 #endif
8922139Sjp161948 {
8932139Sjp161948 al=SSL_AD_HANDSHAKE_FAILURE;
8942139Sjp161948 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
8952139Sjp161948 goto f_err;
8962139Sjp161948 }
8972139Sjp161948 for (i=0; r[i] != NULL; i++)
8982139Sjp161948 {
8992139Sjp161948 nr[i]=BN_num_bytes(r[i]);
9002139Sjp161948 n+=2+nr[i];
9012139Sjp161948 }
9022139Sjp161948
9032139Sjp161948 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
9042139Sjp161948 {
9052139Sjp161948 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher))
9062139Sjp161948 == NULL)
9072139Sjp161948 {
9082139Sjp161948 al=SSL_AD_DECODE_ERROR;
9092139Sjp161948 goto f_err;
9102139Sjp161948 }
9112139Sjp161948 kn=EVP_PKEY_size(pkey);
9122139Sjp161948 }
9132139Sjp161948 else
9142139Sjp161948 {
9152139Sjp161948 pkey=NULL;
9162139Sjp161948 kn=0;
9172139Sjp161948 }
9182139Sjp161948
9192139Sjp161948 if (!BUF_MEM_grow_clean(buf,n+DTLS1_HM_HEADER_LENGTH+kn))
9202139Sjp161948 {
9212139Sjp161948 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
9222139Sjp161948 goto err;
9232139Sjp161948 }
9242139Sjp161948 d=(unsigned char *)s->init_buf->data;
9252139Sjp161948 p= &(d[DTLS1_HM_HEADER_LENGTH]);
9262139Sjp161948
9272139Sjp161948 for (i=0; r[i] != NULL; i++)
9282139Sjp161948 {
9292139Sjp161948 s2n(nr[i],p);
9302139Sjp161948 BN_bn2bin(r[i],p);
9312139Sjp161948 p+=nr[i];
9322139Sjp161948 }
9332139Sjp161948
9342139Sjp161948 /* not anonymous */
9352139Sjp161948 if (pkey != NULL)
9362139Sjp161948 {
9372139Sjp161948 /* n is the length of the params, they start at
9382139Sjp161948 * &(d[DTLS1_HM_HEADER_LENGTH]) and p points to the space
9392139Sjp161948 * at the end. */
9402139Sjp161948 #ifndef OPENSSL_NO_RSA
9412139Sjp161948 if (pkey->type == EVP_PKEY_RSA)
9422139Sjp161948 {
9432139Sjp161948 q=md_buf;
9442139Sjp161948 j=0;
9452139Sjp161948 for (num=2; num > 0; num--)
9462139Sjp161948 {
9472139Sjp161948 EVP_DigestInit_ex(&md_ctx,(num == 2)
9482139Sjp161948 ?s->ctx->md5:s->ctx->sha1, NULL);
9492139Sjp161948 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
9502139Sjp161948 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
9512139Sjp161948 EVP_DigestUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n);
9522139Sjp161948 EVP_DigestFinal_ex(&md_ctx,q,
9532139Sjp161948 (unsigned int *)&i);
9542139Sjp161948 q+=i;
9552139Sjp161948 j+=i;
9562139Sjp161948 }
9572139Sjp161948 if (RSA_sign(NID_md5_sha1, md_buf, j,
9582139Sjp161948 &(p[2]), &u, pkey->pkey.rsa) <= 0)
9592139Sjp161948 {
9602139Sjp161948 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
9612139Sjp161948 goto err;
9622139Sjp161948 }
9632139Sjp161948 s2n(u,p);
9642139Sjp161948 n+=u+2;
9652139Sjp161948 }
9662139Sjp161948 else
9672139Sjp161948 #endif
9682139Sjp161948 #if !defined(OPENSSL_NO_DSA)
9692139Sjp161948 if (pkey->type == EVP_PKEY_DSA)
9702139Sjp161948 {
9712139Sjp161948 /* lets do DSS */
9722139Sjp161948 EVP_SignInit_ex(&md_ctx,EVP_dss1(), NULL);
9732139Sjp161948 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
9742139Sjp161948 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
9752139Sjp161948 EVP_SignUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n);
9762139Sjp161948 if (!EVP_SignFinal(&md_ctx,&(p[2]),
9772139Sjp161948 (unsigned int *)&i,pkey))
9782139Sjp161948 {
9792139Sjp161948 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA);
9802139Sjp161948 goto err;
9812139Sjp161948 }
9822139Sjp161948 s2n(i,p);
9832139Sjp161948 n+=i+2;
9842139Sjp161948 }
9852139Sjp161948 else
9862139Sjp161948 #endif
9872139Sjp161948 {
9882139Sjp161948 /* Is this error check actually needed? */
9892139Sjp161948 al=SSL_AD_HANDSHAKE_FAILURE;
9902139Sjp161948 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE);
9912139Sjp161948 goto f_err;
9922139Sjp161948 }
9932139Sjp161948 }
9942139Sjp161948
9952139Sjp161948 d = dtls1_set_message_header(s, d,
9962139Sjp161948 SSL3_MT_SERVER_KEY_EXCHANGE, n, 0, n);
9972139Sjp161948
9982139Sjp161948 /* we should now have things packed up, so lets send
9992139Sjp161948 * it off */
10002139Sjp161948 s->init_num=n+DTLS1_HM_HEADER_LENGTH;
10012139Sjp161948 s->init_off=0;
10022139Sjp161948
10032139Sjp161948 /* buffer the message to handle re-xmits */
10042139Sjp161948 dtls1_buffer_message(s, 0);
10052139Sjp161948 }
10062139Sjp161948
10072139Sjp161948 s->state = SSL3_ST_SW_KEY_EXCH_B;
10082139Sjp161948 EVP_MD_CTX_cleanup(&md_ctx);
10092139Sjp161948 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
10102139Sjp161948 f_err:
10112139Sjp161948 ssl3_send_alert(s,SSL3_AL_FATAL,al);
10122139Sjp161948 err:
10132139Sjp161948 EVP_MD_CTX_cleanup(&md_ctx);
10142139Sjp161948 return(-1);
10152139Sjp161948 }
10162139Sjp161948
dtls1_send_certificate_request(SSL * s)10172139Sjp161948 int dtls1_send_certificate_request(SSL *s)
10182139Sjp161948 {
10192139Sjp161948 unsigned char *p,*d;
10202139Sjp161948 int i,j,nl,off,n;
10212139Sjp161948 STACK_OF(X509_NAME) *sk=NULL;
10222139Sjp161948 X509_NAME *name;
10232139Sjp161948 BUF_MEM *buf;
1024*5434Sjp161948 unsigned int msg_len;
10252139Sjp161948
10262139Sjp161948 if (s->state == SSL3_ST_SW_CERT_REQ_A)
10272139Sjp161948 {
10282139Sjp161948 buf=s->init_buf;
10292139Sjp161948
10302139Sjp161948 d=p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH]);
10312139Sjp161948
10322139Sjp161948 /* get the list of acceptable cert types */
10332139Sjp161948 p++;
10342139Sjp161948 n=ssl3_get_req_cert_type(s,p);
10352139Sjp161948 d[0]=n;
10362139Sjp161948 p+=n;
10372139Sjp161948 n++;
10382139Sjp161948
10392139Sjp161948 off=n;
10402139Sjp161948 p+=2;
10412139Sjp161948 n+=2;
10422139Sjp161948
10432139Sjp161948 sk=SSL_get_client_CA_list(s);
10442139Sjp161948 nl=0;
10452139Sjp161948 if (sk != NULL)
10462139Sjp161948 {
10472139Sjp161948 for (i=0; i<sk_X509_NAME_num(sk); i++)
10482139Sjp161948 {
10492139Sjp161948 name=sk_X509_NAME_value(sk,i);
10502139Sjp161948 j=i2d_X509_NAME(name,NULL);
10512139Sjp161948 if (!BUF_MEM_grow_clean(buf,DTLS1_HM_HEADER_LENGTH+n+j+2))
10522139Sjp161948 {
10532139Sjp161948 SSLerr(SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
10542139Sjp161948 goto err;
10552139Sjp161948 }
10562139Sjp161948 p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH+n]);
10572139Sjp161948 if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
10582139Sjp161948 {
10592139Sjp161948 s2n(j,p);
10602139Sjp161948 i2d_X509_NAME(name,&p);
10612139Sjp161948 n+=2+j;
10622139Sjp161948 nl+=2+j;
10632139Sjp161948 }
10642139Sjp161948 else
10652139Sjp161948 {
10662139Sjp161948 d=p;
10672139Sjp161948 i2d_X509_NAME(name,&p);
10682139Sjp161948 j-=2; s2n(j,d); j+=2;
10692139Sjp161948 n+=j;
10702139Sjp161948 nl+=j;
10712139Sjp161948 }
10722139Sjp161948 }
10732139Sjp161948 }
10742139Sjp161948 /* else no CA names */
10752139Sjp161948 p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH+off]);
10762139Sjp161948 s2n(nl,p);
10772139Sjp161948
10782139Sjp161948 d=(unsigned char *)buf->data;
10792139Sjp161948 *(d++)=SSL3_MT_CERTIFICATE_REQUEST;
10802139Sjp161948 l2n3(n,d);
10812139Sjp161948 s2n(s->d1->handshake_write_seq,d);
10822139Sjp161948 s->d1->handshake_write_seq++;
10832139Sjp161948
10842139Sjp161948 /* we should now have things packed up, so lets send
10852139Sjp161948 * it off */
10862139Sjp161948
10872139Sjp161948 s->init_num=n+DTLS1_HM_HEADER_LENGTH;
10882139Sjp161948 s->init_off=0;
10892139Sjp161948 #ifdef NETSCAPE_HANG_BUG
10902139Sjp161948 /* XXX: what to do about this? */
10912139Sjp161948 p=(unsigned char *)s->init_buf->data + s->init_num;
10922139Sjp161948
10932139Sjp161948 /* do the header */
10942139Sjp161948 *(p++)=SSL3_MT_SERVER_DONE;
10952139Sjp161948 *(p++)=0;
10962139Sjp161948 *(p++)=0;
10972139Sjp161948 *(p++)=0;
10982139Sjp161948 s->init_num += 4;
10992139Sjp161948 #endif
11002139Sjp161948
11012139Sjp161948 /* XDTLS: set message header ? */
1102*5434Sjp161948 msg_len = s->init_num - DTLS1_HM_HEADER_LENGTH;
1103*5434Sjp161948 dtls1_set_message_header(s, (void *)s->init_buf->data,
1104*5434Sjp161948 SSL3_MT_CERTIFICATE_REQUEST, msg_len, 0, msg_len);
1105*5434Sjp161948
11062139Sjp161948 /* buffer the message to handle re-xmits */
11072139Sjp161948 dtls1_buffer_message(s, 0);
11082139Sjp161948
11092139Sjp161948 s->state = SSL3_ST_SW_CERT_REQ_B;
11102139Sjp161948 }
11112139Sjp161948
11122139Sjp161948 /* SSL3_ST_SW_CERT_REQ_B */
11132139Sjp161948 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
11142139Sjp161948 err:
11152139Sjp161948 return(-1);
11162139Sjp161948 }
11172139Sjp161948
dtls1_send_server_certificate(SSL * s)11182139Sjp161948 int dtls1_send_server_certificate(SSL *s)
11192139Sjp161948 {
11202139Sjp161948 unsigned long l;
11212139Sjp161948 X509 *x;
11222139Sjp161948
11232139Sjp161948 if (s->state == SSL3_ST_SW_CERT_A)
11242139Sjp161948 {
11252139Sjp161948 x=ssl_get_server_send_cert(s);
11262139Sjp161948 if (x == NULL &&
11272139Sjp161948 /* VRS: allow null cert if auth == KRB5 */
11282139Sjp161948 (s->s3->tmp.new_cipher->algorithms
11292139Sjp161948 & (SSL_MKEY_MASK|SSL_AUTH_MASK))
11302139Sjp161948 != (SSL_aKRB5|SSL_kKRB5))
11312139Sjp161948 {
11322139Sjp161948 SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
11332139Sjp161948 return(0);
11342139Sjp161948 }
11352139Sjp161948
11362139Sjp161948 l=dtls1_output_cert_chain(s,x);
11372139Sjp161948 s->state=SSL3_ST_SW_CERT_B;
11382139Sjp161948 s->init_num=(int)l;
11392139Sjp161948 s->init_off=0;
11402139Sjp161948
11412139Sjp161948 /* buffer the message to handle re-xmits */
11422139Sjp161948 dtls1_buffer_message(s, 0);
11432139Sjp161948 }
11442139Sjp161948
11452139Sjp161948 /* SSL3_ST_SW_CERT_B */
11462139Sjp161948 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
11472139Sjp161948 }
1148