1 /* ssl/d1_srvr.c */ 2 /* 3 * DTLS implementation written by Nagendra Modadugu 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 5 */ 6 /* ==================================================================== 7 * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * openssl-core@OpenSSL.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 * 54 * This product includes cryptographic software written by Eric Young 55 * (eay@cryptsoft.com). This product includes software written by Tim 56 * Hudson (tjh@cryptsoft.com). 57 * 58 */ 59 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 60 * All rights reserved. 61 * 62 * This package is an SSL implementation written 63 * by Eric Young (eay@cryptsoft.com). 64 * The implementation was written so as to conform with Netscapes SSL. 65 * 66 * This library is free for commercial and non-commercial use as long as 67 * the following conditions are aheared to. The following conditions 68 * apply to all code found in this distribution, be it the RC4, RSA, 69 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 70 * included with this distribution is covered by the same copyright terms 71 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 72 * 73 * Copyright remains Eric Young's, and as such any Copyright notices in 74 * the code are not to be removed. 75 * If this package is used in a product, Eric Young should be given attribution 76 * as the author of the parts of the library used. 77 * This can be in the form of a textual message at program startup or 78 * in documentation (online or textual) provided with the package. 79 * 80 * Redistribution and use in source and binary forms, with or without 81 * modification, are permitted provided that the following conditions 82 * are met: 83 * 1. Redistributions of source code must retain the copyright 84 * notice, this list of conditions and the following disclaimer. 85 * 2. Redistributions in binary form must reproduce the above copyright 86 * notice, this list of conditions and the following disclaimer in the 87 * documentation and/or other materials provided with the distribution. 88 * 3. All advertising materials mentioning features or use of this software 89 * must display the following acknowledgement: 90 * "This product includes cryptographic software written by 91 * Eric Young (eay@cryptsoft.com)" 92 * The word 'cryptographic' can be left out if the rouines from the library 93 * being used are not cryptographic related :-). 94 * 4. If you include any Windows specific code (or a derivative thereof) from 95 * the apps directory (application code) you must include an acknowledgement: 96 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 97 * 98 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 99 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 100 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 101 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 102 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 103 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 104 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 105 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 106 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 107 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 108 * SUCH DAMAGE. 109 * 110 * The licence and distribution terms for any publically available version or 111 * derivative of this code cannot be changed. i.e. this code cannot simply be 112 * copied and put under another distribution licence 113 * [including the GNU Public Licence.] 114 */ 115 116 #include <stdio.h> 117 #include "ssl_locl.h" 118 #include <openssl/buffer.h> 119 #include <openssl/rand.h> 120 #include <openssl/objects.h> 121 #include <openssl/evp.h> 122 #include <openssl/x509.h> 123 #include <openssl/md5.h> 124 #ifndef OPENSSL_NO_DH 125 #include <openssl/dh.h> 126 #endif 127 128 static SSL_METHOD *dtls1_get_server_method(int ver); 129 static int dtls1_send_hello_verify_request(SSL *s); 130 131 static SSL_METHOD *dtls1_get_server_method(int ver) 132 { 133 if (ver == DTLS1_VERSION) 134 return(DTLSv1_server_method()); 135 else 136 return(NULL); 137 } 138 139 IMPLEMENT_dtls1_meth_func(DTLSv1_server_method, 140 dtls1_accept, 141 ssl_undefined_function, 142 dtls1_get_server_method) 143 144 int dtls1_accept(SSL *s) 145 { 146 BUF_MEM *buf; 147 unsigned long l,Time=time(NULL); 148 void (*cb)(const SSL *ssl,int type,int val)=NULL; 149 long num1; 150 int ret= -1; 151 int new_state,state,skip=0; 152 153 RAND_add(&Time,sizeof(Time),0); 154 ERR_clear_error(); 155 clear_sys_error(); 156 157 if (s->info_callback != NULL) 158 cb=s->info_callback; 159 else if (s->ctx->info_callback != NULL) 160 cb=s->ctx->info_callback; 161 162 /* init things to blank */ 163 s->in_handshake++; 164 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 165 166 if (s->cert == NULL) 167 { 168 SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_NO_CERTIFICATE_SET); 169 return(-1); 170 } 171 172 for (;;) 173 { 174 state=s->state; 175 176 switch (s->state) 177 { 178 case SSL_ST_RENEGOTIATE: 179 s->new_session=1; 180 /* s->state=SSL_ST_ACCEPT; */ 181 182 case SSL_ST_BEFORE: 183 case SSL_ST_ACCEPT: 184 case SSL_ST_BEFORE|SSL_ST_ACCEPT: 185 case SSL_ST_OK|SSL_ST_ACCEPT: 186 187 s->server=1; 188 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 189 190 if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) 191 { 192 SSLerr(SSL_F_DTLS1_ACCEPT, ERR_R_INTERNAL_ERROR); 193 return -1; 194 } 195 s->type=SSL_ST_ACCEPT; 196 197 if (s->init_buf == NULL) 198 { 199 if ((buf=BUF_MEM_new()) == NULL) 200 { 201 ret= -1; 202 goto end; 203 } 204 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 205 { 206 ret= -1; 207 goto end; 208 } 209 s->init_buf=buf; 210 } 211 212 if (!ssl3_setup_buffers(s)) 213 { 214 ret= -1; 215 goto end; 216 } 217 218 s->init_num=0; 219 220 if (s->state != SSL_ST_RENEGOTIATE) 221 { 222 /* Ok, we now need to push on a buffering BIO so that 223 * the output is sent in a way that TCP likes :-) 224 */ 225 if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; } 226 227 ssl3_init_finished_mac(s); 228 s->state=SSL3_ST_SR_CLNT_HELLO_A; 229 s->ctx->stats.sess_accept++; 230 } 231 else 232 { 233 /* s->state == SSL_ST_RENEGOTIATE, 234 * we will just send a HelloRequest */ 235 s->ctx->stats.sess_accept_renegotiate++; 236 s->state=SSL3_ST_SW_HELLO_REQ_A; 237 } 238 239 if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) 240 s->d1->send_cookie = 1; 241 else 242 s->d1->send_cookie = 0; 243 244 break; 245 246 case SSL3_ST_SW_HELLO_REQ_A: 247 case SSL3_ST_SW_HELLO_REQ_B: 248 249 s->shutdown=0; 250 ret=dtls1_send_hello_request(s); 251 if (ret <= 0) goto end; 252 s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C; 253 s->state=SSL3_ST_SW_FLUSH; 254 s->init_num=0; 255 256 ssl3_init_finished_mac(s); 257 break; 258 259 case SSL3_ST_SW_HELLO_REQ_C: 260 s->state=SSL_ST_OK; 261 break; 262 263 case SSL3_ST_SR_CLNT_HELLO_A: 264 case SSL3_ST_SR_CLNT_HELLO_B: 265 case SSL3_ST_SR_CLNT_HELLO_C: 266 267 s->shutdown=0; 268 ret=ssl3_get_client_hello(s); 269 if (ret <= 0) goto end; 270 s->new_session = 2; 271 272 if ( s->d1->send_cookie) 273 s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A; 274 else 275 s->state = SSL3_ST_SW_SRVR_HELLO_A; 276 277 s->init_num=0; 278 break; 279 280 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A: 281 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B: 282 283 ret = dtls1_send_hello_verify_request(s); 284 if ( ret <= 0) goto end; 285 s->d1->send_cookie = 0; 286 s->state=SSL3_ST_SW_FLUSH; 287 s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A; 288 break; 289 290 case SSL3_ST_SW_SRVR_HELLO_A: 291 case SSL3_ST_SW_SRVR_HELLO_B: 292 ret=dtls1_send_server_hello(s); 293 if (ret <= 0) goto end; 294 295 if (s->hit) 296 s->state=SSL3_ST_SW_CHANGE_A; 297 else 298 s->state=SSL3_ST_SW_CERT_A; 299 s->init_num=0; 300 break; 301 302 case SSL3_ST_SW_CERT_A: 303 case SSL3_ST_SW_CERT_B: 304 /* Check if it is anon DH */ 305 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) 306 { 307 ret=dtls1_send_server_certificate(s); 308 if (ret <= 0) goto end; 309 } 310 else 311 skip=1; 312 s->state=SSL3_ST_SW_KEY_EXCH_A; 313 s->init_num=0; 314 break; 315 316 case SSL3_ST_SW_KEY_EXCH_A: 317 case SSL3_ST_SW_KEY_EXCH_B: 318 l=s->s3->tmp.new_cipher->algorithms; 319 320 /* clear this, it may get reset by 321 * send_server_key_exchange */ 322 if ((s->options & SSL_OP_EPHEMERAL_RSA) 323 #ifndef OPENSSL_NO_KRB5 324 && !(l & SSL_KRB5) 325 #endif /* OPENSSL_NO_KRB5 */ 326 ) 327 /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key 328 * even when forbidden by protocol specs 329 * (handshake may fail as clients are not required to 330 * be able to handle this) */ 331 s->s3->tmp.use_rsa_tmp=1; 332 else 333 s->s3->tmp.use_rsa_tmp=0; 334 335 /* only send if a DH key exchange, fortezza or 336 * RSA but we have a sign only certificate */ 337 if (s->s3->tmp.use_rsa_tmp 338 || (l & (SSL_DH|SSL_kFZA)) 339 || ((l & SSL_kRSA) 340 && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL 341 || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) 342 && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) 343 ) 344 ) 345 ) 346 ) 347 { 348 ret=dtls1_send_server_key_exchange(s); 349 if (ret <= 0) goto end; 350 } 351 else 352 skip=1; 353 354 s->state=SSL3_ST_SW_CERT_REQ_A; 355 s->init_num=0; 356 break; 357 358 case SSL3_ST_SW_CERT_REQ_A: 359 case SSL3_ST_SW_CERT_REQ_B: 360 if (/* don't request cert unless asked for it: */ 361 !(s->verify_mode & SSL_VERIFY_PEER) || 362 /* if SSL_VERIFY_CLIENT_ONCE is set, 363 * don't request cert during re-negotiation: */ 364 ((s->session->peer != NULL) && 365 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 366 /* never request cert in anonymous ciphersuites 367 * (see section "Certificate request" in SSL 3 drafts 368 * and in RFC 2246): */ 369 ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) && 370 /* ... except when the application insists on verification 371 * (against the specs, but s3_clnt.c accepts this for SSL 3) */ 372 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || 373 /* never request cert in Kerberos ciphersuites */ 374 (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5)) 375 { 376 /* no cert request */ 377 skip=1; 378 s->s3->tmp.cert_request=0; 379 s->state=SSL3_ST_SW_SRVR_DONE_A; 380 } 381 else 382 { 383 s->s3->tmp.cert_request=1; 384 ret=dtls1_send_certificate_request(s); 385 if (ret <= 0) goto end; 386 #ifndef NETSCAPE_HANG_BUG 387 s->state=SSL3_ST_SW_SRVR_DONE_A; 388 #else 389 s->state=SSL3_ST_SW_FLUSH; 390 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; 391 #endif 392 s->init_num=0; 393 } 394 break; 395 396 case SSL3_ST_SW_SRVR_DONE_A: 397 case SSL3_ST_SW_SRVR_DONE_B: 398 ret=dtls1_send_server_done(s); 399 if (ret <= 0) goto end; 400 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; 401 s->state=SSL3_ST_SW_FLUSH; 402 s->init_num=0; 403 break; 404 405 case SSL3_ST_SW_FLUSH: 406 /* number of bytes to be flushed */ 407 num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL); 408 if (num1 > 0) 409 { 410 s->rwstate=SSL_WRITING; 411 num1=BIO_flush(s->wbio); 412 if (num1 <= 0) { ret= -1; goto end; } 413 s->rwstate=SSL_NOTHING; 414 } 415 416 s->state=s->s3->tmp.next_state; 417 break; 418 419 case SSL3_ST_SR_CERT_A: 420 case SSL3_ST_SR_CERT_B: 421 /* Check for second client hello (MS SGC) */ 422 ret = ssl3_check_client_hello(s); 423 if (ret <= 0) 424 goto end; 425 if (ret == 2) 426 s->state = SSL3_ST_SR_CLNT_HELLO_C; 427 else { 428 /* could be sent for a DH cert, even if we 429 * have not asked for it :-) */ 430 ret=ssl3_get_client_certificate(s); 431 if (ret <= 0) goto end; 432 s->init_num=0; 433 s->state=SSL3_ST_SR_KEY_EXCH_A; 434 } 435 break; 436 437 case SSL3_ST_SR_KEY_EXCH_A: 438 case SSL3_ST_SR_KEY_EXCH_B: 439 ret=ssl3_get_client_key_exchange(s); 440 if (ret <= 0) goto end; 441 s->state=SSL3_ST_SR_CERT_VRFY_A; 442 s->init_num=0; 443 444 /* We need to get hashes here so if there is 445 * a client cert, it can be verified */ 446 s->method->ssl3_enc->cert_verify_mac(s, 447 &(s->s3->finish_dgst1), 448 &(s->s3->tmp.cert_verify_md[0])); 449 s->method->ssl3_enc->cert_verify_mac(s, 450 &(s->s3->finish_dgst2), 451 &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH])); 452 453 break; 454 455 case SSL3_ST_SR_CERT_VRFY_A: 456 case SSL3_ST_SR_CERT_VRFY_B: 457 458 /* we should decide if we expected this one */ 459 ret=ssl3_get_cert_verify(s); 460 if (ret <= 0) goto end; 461 462 s->state=SSL3_ST_SR_FINISHED_A; 463 s->init_num=0; 464 break; 465 466 case SSL3_ST_SR_FINISHED_A: 467 case SSL3_ST_SR_FINISHED_B: 468 ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, 469 SSL3_ST_SR_FINISHED_B); 470 if (ret <= 0) goto end; 471 if (s->hit) 472 s->state=SSL_ST_OK; 473 else 474 s->state=SSL3_ST_SW_CHANGE_A; 475 s->init_num=0; 476 break; 477 478 case SSL3_ST_SW_CHANGE_A: 479 case SSL3_ST_SW_CHANGE_B: 480 481 s->session->cipher=s->s3->tmp.new_cipher; 482 if (!s->method->ssl3_enc->setup_key_block(s)) 483 { ret= -1; goto end; } 484 485 ret=dtls1_send_change_cipher_spec(s, 486 SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B); 487 488 if (ret <= 0) goto end; 489 s->state=SSL3_ST_SW_FINISHED_A; 490 s->init_num=0; 491 492 if (!s->method->ssl3_enc->change_cipher_state(s, 493 SSL3_CHANGE_CIPHER_SERVER_WRITE)) 494 { 495 ret= -1; 496 goto end; 497 } 498 499 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); 500 break; 501 502 case SSL3_ST_SW_FINISHED_A: 503 case SSL3_ST_SW_FINISHED_B: 504 ret=dtls1_send_finished(s, 505 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B, 506 s->method->ssl3_enc->server_finished_label, 507 s->method->ssl3_enc->server_finished_label_len); 508 if (ret <= 0) goto end; 509 s->state=SSL3_ST_SW_FLUSH; 510 if (s->hit) 511 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; 512 else 513 s->s3->tmp.next_state=SSL_ST_OK; 514 s->init_num=0; 515 break; 516 517 case SSL_ST_OK: 518 /* clean a few things up */ 519 ssl3_cleanup_key_block(s); 520 521 #if 0 522 BUF_MEM_free(s->init_buf); 523 s->init_buf=NULL; 524 #endif 525 526 /* remove buffering on output */ 527 ssl_free_wbio_buffer(s); 528 529 s->init_num=0; 530 531 if (s->new_session == 2) /* skipped if we just sent a HelloRequest */ 532 { 533 /* actually not necessarily a 'new' session unless 534 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */ 535 536 s->new_session=0; 537 538 ssl_update_cache(s,SSL_SESS_CACHE_SERVER); 539 540 s->ctx->stats.sess_accept_good++; 541 /* s->server=1; */ 542 s->handshake_func=dtls1_accept; 543 544 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); 545 } 546 547 ret = 1; 548 549 /* done handshaking, next message is client hello */ 550 s->d1->handshake_read_seq = 0; 551 /* next message is server hello */ 552 s->d1->handshake_write_seq = 0; 553 goto end; 554 /* break; */ 555 556 default: 557 SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_UNKNOWN_STATE); 558 ret= -1; 559 goto end; 560 /* break; */ 561 } 562 563 if (!s->s3->tmp.reuse_message && !skip) 564 { 565 if (s->debug) 566 { 567 if ((ret=BIO_flush(s->wbio)) <= 0) 568 goto end; 569 } 570 571 572 if ((cb != NULL) && (s->state != state)) 573 { 574 new_state=s->state; 575 s->state=state; 576 cb(s,SSL_CB_ACCEPT_LOOP,1); 577 s->state=new_state; 578 } 579 } 580 skip=0; 581 } 582 end: 583 /* BIO_flush(s->wbio); */ 584 585 s->in_handshake--; 586 if (cb != NULL) 587 cb(s,SSL_CB_ACCEPT_EXIT,ret); 588 return(ret); 589 } 590 591 int dtls1_send_hello_request(SSL *s) 592 { 593 unsigned char *p; 594 595 if (s->state == SSL3_ST_SW_HELLO_REQ_A) 596 { 597 p=(unsigned char *)s->init_buf->data; 598 p = dtls1_set_message_header(s, p, SSL3_MT_HELLO_REQUEST, 0, 0, 0); 599 600 s->state=SSL3_ST_SW_HELLO_REQ_B; 601 /* number of bytes to write */ 602 s->init_num=DTLS1_HM_HEADER_LENGTH; 603 s->init_off=0; 604 605 /* no need to buffer this message, since there are no retransmit 606 * requests for it */ 607 } 608 609 /* SSL3_ST_SW_HELLO_REQ_B */ 610 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); 611 } 612 613 int dtls1_send_hello_verify_request(SSL *s) 614 { 615 unsigned int msg_len; 616 unsigned char *msg, *buf, *p; 617 618 if (s->state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A) 619 { 620 buf = (unsigned char *)s->init_buf->data; 621 622 msg = p = &(buf[DTLS1_HM_HEADER_LENGTH]); 623 *(p++) = s->version >> 8; 624 *(p++) = s->version & 0xFF; 625 626 *(p++) = (unsigned char) s->d1->cookie_len; 627 if ( s->ctx->app_gen_cookie_cb != NULL && 628 s->ctx->app_gen_cookie_cb(s, s->d1->cookie, 629 &(s->d1->cookie_len)) == 0) 630 { 631 SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,ERR_R_INTERNAL_ERROR); 632 return 0; 633 } 634 /* else the cookie is assumed to have 635 * been initialized by the application */ 636 637 memcpy(p, s->d1->cookie, s->d1->cookie_len); 638 p += s->d1->cookie_len; 639 msg_len = p - msg; 640 641 dtls1_set_message_header(s, buf, 642 DTLS1_MT_HELLO_VERIFY_REQUEST, msg_len, 0, msg_len); 643 644 s->state=DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B; 645 /* number of bytes to write */ 646 s->init_num=p-buf; 647 s->init_off=0; 648 649 /* buffer the message to handle re-xmits */ 650 dtls1_buffer_message(s, 0); 651 } 652 653 /* s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */ 654 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); 655 } 656 657 int dtls1_send_server_hello(SSL *s) 658 { 659 unsigned char *buf; 660 unsigned char *p,*d; 661 int i; 662 unsigned int sl; 663 unsigned long l,Time; 664 665 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) 666 { 667 buf=(unsigned char *)s->init_buf->data; 668 p=s->s3->server_random; 669 Time=time(NULL); /* Time */ 670 l2n(Time,p); 671 RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)); 672 /* Do the message type and length last */ 673 d=p= &(buf[DTLS1_HM_HEADER_LENGTH]); 674 675 *(p++)=s->version>>8; 676 *(p++)=s->version&0xff; 677 678 /* Random stuff */ 679 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 680 p+=SSL3_RANDOM_SIZE; 681 682 /* now in theory we have 3 options to sending back the 683 * session id. If it is a re-use, we send back the 684 * old session-id, if it is a new session, we send 685 * back the new session-id or we send back a 0 length 686 * session-id if we want it to be single use. 687 * Currently I will not implement the '0' length session-id 688 * 12-Jan-98 - I'll now support the '0' length stuff. 689 */ 690 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)) 691 s->session->session_id_length=0; 692 693 sl=s->session->session_id_length; 694 if (sl > sizeof s->session->session_id) 695 { 696 SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR); 697 return -1; 698 } 699 *(p++)=sl; 700 memcpy(p,s->session->session_id,sl); 701 p+=sl; 702 703 /* put the cipher */ 704 i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p); 705 p+=i; 706 707 /* put the compression method */ 708 #ifdef OPENSSL_NO_COMP 709 *(p++)=0; 710 #else 711 if (s->s3->tmp.new_compression == NULL) 712 *(p++)=0; 713 else 714 *(p++)=s->s3->tmp.new_compression->id; 715 #endif 716 717 /* do the header */ 718 l=(p-d); 719 d=buf; 720 721 d = dtls1_set_message_header(s, d, SSL3_MT_SERVER_HELLO, l, 0, l); 722 723 s->state=SSL3_ST_CW_CLNT_HELLO_B; 724 /* number of bytes to write */ 725 s->init_num=p-buf; 726 s->init_off=0; 727 728 /* buffer the message to handle re-xmits */ 729 dtls1_buffer_message(s, 0); 730 } 731 732 /* SSL3_ST_CW_CLNT_HELLO_B */ 733 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); 734 } 735 736 int dtls1_send_server_done(SSL *s) 737 { 738 unsigned char *p; 739 740 if (s->state == SSL3_ST_SW_SRVR_DONE_A) 741 { 742 p=(unsigned char *)s->init_buf->data; 743 744 /* do the header */ 745 p = dtls1_set_message_header(s, p, SSL3_MT_SERVER_DONE, 0, 0, 0); 746 747 s->state=SSL3_ST_SW_SRVR_DONE_B; 748 /* number of bytes to write */ 749 s->init_num=DTLS1_HM_HEADER_LENGTH; 750 s->init_off=0; 751 752 /* buffer the message to handle re-xmits */ 753 dtls1_buffer_message(s, 0); 754 } 755 756 /* SSL3_ST_CW_CLNT_HELLO_B */ 757 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); 758 } 759 760 int dtls1_send_server_key_exchange(SSL *s) 761 { 762 #ifndef OPENSSL_NO_RSA 763 unsigned char *q; 764 int j,num; 765 RSA *rsa; 766 unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 767 unsigned int u; 768 #endif 769 #ifndef OPENSSL_NO_DH 770 DH *dh=NULL,*dhp; 771 #endif 772 EVP_PKEY *pkey; 773 unsigned char *p,*d; 774 int al,i; 775 unsigned long type; 776 int n; 777 CERT *cert; 778 BIGNUM *r[4]; 779 int nr[4],kn; 780 BUF_MEM *buf; 781 EVP_MD_CTX md_ctx; 782 783 EVP_MD_CTX_init(&md_ctx); 784 if (s->state == SSL3_ST_SW_KEY_EXCH_A) 785 { 786 type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK; 787 cert=s->cert; 788 789 buf=s->init_buf; 790 791 r[0]=r[1]=r[2]=r[3]=NULL; 792 n=0; 793 #ifndef OPENSSL_NO_RSA 794 if (type & SSL_kRSA) 795 { 796 rsa=cert->rsa_tmp; 797 if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL)) 798 { 799 rsa=s->cert->rsa_tmp_cb(s, 800 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 801 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 802 if(rsa == NULL) 803 { 804 al=SSL_AD_HANDSHAKE_FAILURE; 805 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY); 806 goto f_err; 807 } 808 RSA_up_ref(rsa); 809 cert->rsa_tmp=rsa; 810 } 811 if (rsa == NULL) 812 { 813 al=SSL_AD_HANDSHAKE_FAILURE; 814 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY); 815 goto f_err; 816 } 817 r[0]=rsa->n; 818 r[1]=rsa->e; 819 s->s3->tmp.use_rsa_tmp=1; 820 } 821 else 822 #endif 823 #ifndef OPENSSL_NO_DH 824 if (type & SSL_kEDH) 825 { 826 dhp=cert->dh_tmp; 827 if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL)) 828 dhp=s->cert->dh_tmp_cb(s, 829 SSL_C_IS_EXPORT(s->s3->tmp.new_cipher), 830 SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)); 831 if (dhp == NULL) 832 { 833 al=SSL_AD_HANDSHAKE_FAILURE; 834 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY); 835 goto f_err; 836 } 837 838 if (s->s3->tmp.dh != NULL) 839 { 840 DH_free(dh); 841 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 842 goto err; 843 } 844 845 if ((dh=DHparams_dup(dhp)) == NULL) 846 { 847 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB); 848 goto err; 849 } 850 851 s->s3->tmp.dh=dh; 852 if ((dhp->pub_key == NULL || 853 dhp->priv_key == NULL || 854 (s->options & SSL_OP_SINGLE_DH_USE))) 855 { 856 if(!DH_generate_key(dh)) 857 { 858 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, 859 ERR_R_DH_LIB); 860 goto err; 861 } 862 } 863 else 864 { 865 dh->pub_key=BN_dup(dhp->pub_key); 866 dh->priv_key=BN_dup(dhp->priv_key); 867 if ((dh->pub_key == NULL) || 868 (dh->priv_key == NULL)) 869 { 870 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB); 871 goto err; 872 } 873 } 874 r[0]=dh->p; 875 r[1]=dh->g; 876 r[2]=dh->pub_key; 877 } 878 else 879 #endif 880 { 881 al=SSL_AD_HANDSHAKE_FAILURE; 882 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 883 goto f_err; 884 } 885 for (i=0; r[i] != NULL; i++) 886 { 887 nr[i]=BN_num_bytes(r[i]); 888 n+=2+nr[i]; 889 } 890 891 if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) 892 { 893 if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher)) 894 == NULL) 895 { 896 al=SSL_AD_DECODE_ERROR; 897 goto f_err; 898 } 899 kn=EVP_PKEY_size(pkey); 900 } 901 else 902 { 903 pkey=NULL; 904 kn=0; 905 } 906 907 if (!BUF_MEM_grow_clean(buf,n+DTLS1_HM_HEADER_LENGTH+kn)) 908 { 909 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF); 910 goto err; 911 } 912 d=(unsigned char *)s->init_buf->data; 913 p= &(d[DTLS1_HM_HEADER_LENGTH]); 914 915 for (i=0; r[i] != NULL; i++) 916 { 917 s2n(nr[i],p); 918 BN_bn2bin(r[i],p); 919 p+=nr[i]; 920 } 921 922 /* not anonymous */ 923 if (pkey != NULL) 924 { 925 /* n is the length of the params, they start at 926 * &(d[DTLS1_HM_HEADER_LENGTH]) and p points to the space 927 * at the end. */ 928 #ifndef OPENSSL_NO_RSA 929 if (pkey->type == EVP_PKEY_RSA) 930 { 931 q=md_buf; 932 j=0; 933 for (num=2; num > 0; num--) 934 { 935 EVP_DigestInit_ex(&md_ctx,(num == 2) 936 ?s->ctx->md5:s->ctx->sha1, NULL); 937 EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 938 EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 939 EVP_DigestUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n); 940 EVP_DigestFinal_ex(&md_ctx,q, 941 (unsigned int *)&i); 942 q+=i; 943 j+=i; 944 } 945 if (RSA_sign(NID_md5_sha1, md_buf, j, 946 &(p[2]), &u, pkey->pkey.rsa) <= 0) 947 { 948 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA); 949 goto err; 950 } 951 s2n(u,p); 952 n+=u+2; 953 } 954 else 955 #endif 956 #if !defined(OPENSSL_NO_DSA) 957 if (pkey->type == EVP_PKEY_DSA) 958 { 959 /* lets do DSS */ 960 EVP_SignInit_ex(&md_ctx,EVP_dss1(), NULL); 961 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 962 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 963 EVP_SignUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n); 964 if (!EVP_SignFinal(&md_ctx,&(p[2]), 965 (unsigned int *)&i,pkey)) 966 { 967 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA); 968 goto err; 969 } 970 s2n(i,p); 971 n+=i+2; 972 } 973 else 974 #endif 975 { 976 /* Is this error check actually needed? */ 977 al=SSL_AD_HANDSHAKE_FAILURE; 978 SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE); 979 goto f_err; 980 } 981 } 982 983 d = dtls1_set_message_header(s, d, 984 SSL3_MT_SERVER_KEY_EXCHANGE, n, 0, n); 985 986 /* we should now have things packed up, so lets send 987 * it off */ 988 s->init_num=n+DTLS1_HM_HEADER_LENGTH; 989 s->init_off=0; 990 991 /* buffer the message to handle re-xmits */ 992 dtls1_buffer_message(s, 0); 993 } 994 995 s->state = SSL3_ST_SW_KEY_EXCH_B; 996 EVP_MD_CTX_cleanup(&md_ctx); 997 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); 998 f_err: 999 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1000 err: 1001 EVP_MD_CTX_cleanup(&md_ctx); 1002 return(-1); 1003 } 1004 1005 int dtls1_send_certificate_request(SSL *s) 1006 { 1007 unsigned char *p,*d; 1008 int i,j,nl,off,n; 1009 STACK_OF(X509_NAME) *sk=NULL; 1010 X509_NAME *name; 1011 BUF_MEM *buf; 1012 1013 if (s->state == SSL3_ST_SW_CERT_REQ_A) 1014 { 1015 buf=s->init_buf; 1016 1017 d=p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH]); 1018 1019 /* get the list of acceptable cert types */ 1020 p++; 1021 n=ssl3_get_req_cert_type(s,p); 1022 d[0]=n; 1023 p+=n; 1024 n++; 1025 1026 off=n; 1027 p+=2; 1028 n+=2; 1029 1030 sk=SSL_get_client_CA_list(s); 1031 nl=0; 1032 if (sk != NULL) 1033 { 1034 for (i=0; i<sk_X509_NAME_num(sk); i++) 1035 { 1036 name=sk_X509_NAME_value(sk,i); 1037 j=i2d_X509_NAME(name,NULL); 1038 if (!BUF_MEM_grow_clean(buf,DTLS1_HM_HEADER_LENGTH+n+j+2)) 1039 { 1040 SSLerr(SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB); 1041 goto err; 1042 } 1043 p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH+n]); 1044 if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG)) 1045 { 1046 s2n(j,p); 1047 i2d_X509_NAME(name,&p); 1048 n+=2+j; 1049 nl+=2+j; 1050 } 1051 else 1052 { 1053 d=p; 1054 i2d_X509_NAME(name,&p); 1055 j-=2; s2n(j,d); j+=2; 1056 n+=j; 1057 nl+=j; 1058 } 1059 } 1060 } 1061 /* else no CA names */ 1062 p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH+off]); 1063 s2n(nl,p); 1064 1065 d=(unsigned char *)buf->data; 1066 *(d++)=SSL3_MT_CERTIFICATE_REQUEST; 1067 l2n3(n,d); 1068 s2n(s->d1->handshake_write_seq,d); 1069 s->d1->handshake_write_seq++; 1070 1071 /* we should now have things packed up, so lets send 1072 * it off */ 1073 1074 s->init_num=n+DTLS1_HM_HEADER_LENGTH; 1075 s->init_off=0; 1076 #ifdef NETSCAPE_HANG_BUG 1077 /* XXX: what to do about this? */ 1078 p=(unsigned char *)s->init_buf->data + s->init_num; 1079 1080 /* do the header */ 1081 *(p++)=SSL3_MT_SERVER_DONE; 1082 *(p++)=0; 1083 *(p++)=0; 1084 *(p++)=0; 1085 s->init_num += 4; 1086 #endif 1087 1088 /* XDTLS: set message header ? */ 1089 /* buffer the message to handle re-xmits */ 1090 dtls1_buffer_message(s, 0); 1091 1092 s->state = SSL3_ST_SW_CERT_REQ_B; 1093 } 1094 1095 /* SSL3_ST_SW_CERT_REQ_B */ 1096 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); 1097 err: 1098 return(-1); 1099 } 1100 1101 int dtls1_send_server_certificate(SSL *s) 1102 { 1103 unsigned long l; 1104 X509 *x; 1105 1106 if (s->state == SSL3_ST_SW_CERT_A) 1107 { 1108 x=ssl_get_server_send_cert(s); 1109 if (x == NULL && 1110 /* VRS: allow null cert if auth == KRB5 */ 1111 (s->s3->tmp.new_cipher->algorithms 1112 & (SSL_MKEY_MASK|SSL_AUTH_MASK)) 1113 != (SSL_aKRB5|SSL_kKRB5)) 1114 { 1115 SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR); 1116 return(0); 1117 } 1118 1119 l=dtls1_output_cert_chain(s,x); 1120 s->state=SSL3_ST_SW_CERT_B; 1121 s->init_num=(int)l; 1122 s->init_off=0; 1123 1124 /* buffer the message to handle re-xmits */ 1125 dtls1_buffer_message(s, 0); 1126 } 1127 1128 /* SSL3_ST_SW_CERT_B */ 1129 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); 1130 } 1131