d1_srvr.c 40 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561
  1. /* ssl/d1_srvr.c */
  2. /*
  3. * DTLS implementation written by Nagendra Modadugu
  4. * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
  5. */
  6. /* ====================================================================
  7. * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
  8. *
  9. * Redistribution and use in source and binary forms, with or without
  10. * modification, are permitted provided that the following conditions
  11. * are met:
  12. *
  13. * 1. Redistributions of source code must retain the above copyright
  14. * notice, this list of conditions and the following disclaimer.
  15. *
  16. * 2. Redistributions in binary form must reproduce the above copyright
  17. * notice, this list of conditions and the following disclaimer in
  18. * the documentation and/or other materials provided with the
  19. * distribution.
  20. *
  21. * 3. All advertising materials mentioning features or use of this
  22. * software must display the following acknowledgment:
  23. * "This product includes software developed by the OpenSSL Project
  24. * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  25. *
  26. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  27. * endorse or promote products derived from this software without
  28. * prior written permission. For written permission, please contact
  29. * openssl-core@OpenSSL.org.
  30. *
  31. * 5. Products derived from this software may not be called "OpenSSL"
  32. * nor may "OpenSSL" appear in their names without prior written
  33. * permission of the OpenSSL Project.
  34. *
  35. * 6. Redistributions of any form whatsoever must retain the following
  36. * acknowledgment:
  37. * "This product includes software developed by the OpenSSL Project
  38. * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  39. *
  40. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  41. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  42. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  43. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  44. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  45. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  46. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  47. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  49. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  50. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  51. * OF THE POSSIBILITY OF SUCH DAMAGE.
  52. * ====================================================================
  53. *
  54. * This product includes cryptographic software written by Eric Young
  55. * (eay@cryptsoft.com). This product includes software written by Tim
  56. * Hudson (tjh@cryptsoft.com).
  57. *
  58. */
  59. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  60. * All rights reserved.
  61. *
  62. * This package is an SSL implementation written
  63. * by Eric Young (eay@cryptsoft.com).
  64. * The implementation was written so as to conform with Netscapes SSL.
  65. *
  66. * This library is free for commercial and non-commercial use as long as
  67. * the following conditions are aheared to. The following conditions
  68. * apply to all code found in this distribution, be it the RC4, RSA,
  69. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  70. * included with this distribution is covered by the same copyright terms
  71. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  72. *
  73. * Copyright remains Eric Young's, and as such any Copyright notices in
  74. * the code are not to be removed.
  75. * If this package is used in a product, Eric Young should be given attribution
  76. * as the author of the parts of the library used.
  77. * This can be in the form of a textual message at program startup or
  78. * in documentation (online or textual) provided with the package.
  79. *
  80. * Redistribution and use in source and binary forms, with or without
  81. * modification, are permitted provided that the following conditions
  82. * are met:
  83. * 1. Redistributions of source code must retain the copyright
  84. * notice, this list of conditions and the following disclaimer.
  85. * 2. Redistributions in binary form must reproduce the above copyright
  86. * notice, this list of conditions and the following disclaimer in the
  87. * documentation and/or other materials provided with the distribution.
  88. * 3. All advertising materials mentioning features or use of this software
  89. * must display the following acknowledgement:
  90. * "This product includes cryptographic software written by
  91. * Eric Young (eay@cryptsoft.com)"
  92. * The word 'cryptographic' can be left out if the rouines from the library
  93. * being used are not cryptographic related :-).
  94. * 4. If you include any Windows specific code (or a derivative thereof) from
  95. * the apps directory (application code) you must include an acknowledgement:
  96. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  97. *
  98. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  99. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  100. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  101. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  102. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  103. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  104. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  105. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  106. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  107. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  108. * SUCH DAMAGE.
  109. *
  110. * The licence and distribution terms for any publically available version or
  111. * derivative of this code cannot be changed. i.e. this code cannot simply be
  112. * copied and put under another distribution licence
  113. * [including the GNU Public Licence.]
  114. */
  115. #include <stdio.h>
  116. #include "ssl_locl.h"
  117. #include <openssl/buffer.h>
  118. #include <openssl/rand.h>
  119. #include <openssl/objects.h>
  120. #include <openssl/evp.h>
  121. #include <openssl/x509.h>
  122. #include <openssl/md5.h>
  123. #include <openssl/bn.h>
  124. #ifndef OPENSSL_NO_DH
  125. #include <openssl/dh.h>
  126. #endif
  127. static const SSL_METHOD *dtls1_get_server_method(int ver);
  128. static int dtls1_send_hello_verify_request(SSL *s);
  129. static const SSL_METHOD *dtls1_get_server_method(int ver)
  130. {
  131. if (ver == DTLS1_VERSION)
  132. return(DTLSv1_server_method());
  133. else
  134. return(NULL);
  135. }
  136. IMPLEMENT_dtls1_meth_func(DTLSv1_server_method,
  137. dtls1_accept,
  138. ssl_undefined_function,
  139. dtls1_get_server_method)
  140. int dtls1_accept(SSL *s)
  141. {
  142. BUF_MEM *buf;
  143. unsigned long Time=(unsigned long)time(NULL);
  144. void (*cb)(const SSL *ssl,int type,int val)=NULL;
  145. unsigned long alg_k;
  146. int ret= -1;
  147. int new_state,state,skip=0;
  148. int listen;
  149. RAND_add(&Time,sizeof(Time),0);
  150. ERR_clear_error();
  151. clear_sys_error();
  152. if (s->info_callback != NULL)
  153. cb=s->info_callback;
  154. else if (s->ctx->info_callback != NULL)
  155. cb=s->ctx->info_callback;
  156. listen = s->d1->listen;
  157. /* init things to blank */
  158. s->in_handshake++;
  159. if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
  160. s->d1->listen = listen;
  161. if (s->cert == NULL)
  162. {
  163. SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
  164. return(-1);
  165. }
  166. for (;;)
  167. {
  168. state=s->state;
  169. switch (s->state)
  170. {
  171. case SSL_ST_RENEGOTIATE:
  172. s->renegotiate=1;
  173. /* s->state=SSL_ST_ACCEPT; */
  174. case SSL_ST_BEFORE:
  175. case SSL_ST_ACCEPT:
  176. case SSL_ST_BEFORE|SSL_ST_ACCEPT:
  177. case SSL_ST_OK|SSL_ST_ACCEPT:
  178. s->server=1;
  179. if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
  180. if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00))
  181. {
  182. SSLerr(SSL_F_DTLS1_ACCEPT, ERR_R_INTERNAL_ERROR);
  183. return -1;
  184. }
  185. s->type=SSL_ST_ACCEPT;
  186. if (s->init_buf == NULL)
  187. {
  188. if ((buf=BUF_MEM_new()) == NULL)
  189. {
  190. ret= -1;
  191. goto end;
  192. }
  193. if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
  194. {
  195. ret= -1;
  196. goto end;
  197. }
  198. s->init_buf=buf;
  199. }
  200. if (!ssl3_setup_buffers(s))
  201. {
  202. ret= -1;
  203. goto end;
  204. }
  205. s->init_num=0;
  206. if (s->state != SSL_ST_RENEGOTIATE)
  207. {
  208. /* Ok, we now need to push on a buffering BIO so that
  209. * the output is sent in a way that TCP likes :-)
  210. */
  211. if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
  212. ssl3_init_finished_mac(s);
  213. s->state=SSL3_ST_SR_CLNT_HELLO_A;
  214. s->ctx->stats.sess_accept++;
  215. }
  216. else
  217. {
  218. /* s->state == SSL_ST_RENEGOTIATE,
  219. * we will just send a HelloRequest */
  220. s->ctx->stats.sess_accept_renegotiate++;
  221. s->state=SSL3_ST_SW_HELLO_REQ_A;
  222. }
  223. break;
  224. case SSL3_ST_SW_HELLO_REQ_A:
  225. case SSL3_ST_SW_HELLO_REQ_B:
  226. s->shutdown=0;
  227. dtls1_start_timer(s);
  228. ret=dtls1_send_hello_request(s);
  229. if (ret <= 0) goto end;
  230. s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
  231. s->state=SSL3_ST_SW_FLUSH;
  232. s->init_num=0;
  233. ssl3_init_finished_mac(s);
  234. break;
  235. case SSL3_ST_SW_HELLO_REQ_C:
  236. s->state=SSL_ST_OK;
  237. break;
  238. case SSL3_ST_SR_CLNT_HELLO_A:
  239. case SSL3_ST_SR_CLNT_HELLO_B:
  240. case SSL3_ST_SR_CLNT_HELLO_C:
  241. s->shutdown=0;
  242. ret=ssl3_get_client_hello(s);
  243. if (ret <= 0) goto end;
  244. dtls1_stop_timer(s);
  245. if (ret == 1 && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
  246. s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
  247. else
  248. s->state = SSL3_ST_SW_SRVR_HELLO_A;
  249. s->init_num=0;
  250. /* Reflect ClientHello sequence to remain stateless while listening */
  251. if (listen)
  252. {
  253. memcpy(s->s3->write_sequence, s->s3->read_sequence, sizeof(s->s3->write_sequence));
  254. }
  255. /* If we're just listening, stop here */
  256. if (listen && s->state == SSL3_ST_SW_SRVR_HELLO_A)
  257. {
  258. ret = 2;
  259. s->d1->listen = 0;
  260. /* Set expected sequence numbers
  261. * to continue the handshake.
  262. */
  263. s->d1->handshake_read_seq = 2;
  264. s->d1->handshake_write_seq = 1;
  265. s->d1->next_handshake_write_seq = 1;
  266. goto end;
  267. }
  268. break;
  269. case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
  270. case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
  271. ret = dtls1_send_hello_verify_request(s);
  272. if ( ret <= 0) goto end;
  273. s->state=SSL3_ST_SW_FLUSH;
  274. s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A;
  275. /* HelloVerifyRequest resets Finished MAC */
  276. if (s->version != DTLS1_BAD_VER)
  277. ssl3_init_finished_mac(s);
  278. break;
  279. case SSL3_ST_SW_SRVR_HELLO_A:
  280. case SSL3_ST_SW_SRVR_HELLO_B:
  281. s->renegotiate = 2;
  282. dtls1_start_timer(s);
  283. ret=dtls1_send_server_hello(s);
  284. if (ret <= 0) goto end;
  285. #ifndef OPENSSL_NO_TLSEXT
  286. if (s->hit)
  287. {
  288. if (s->tlsext_ticket_expected)
  289. s->state=SSL3_ST_SW_SESSION_TICKET_A;
  290. else
  291. s->state=SSL3_ST_SW_CHANGE_A;
  292. }
  293. #else
  294. if (s->hit)
  295. s->state=SSL3_ST_SW_CHANGE_A;
  296. #endif
  297. else
  298. s->state=SSL3_ST_SW_CERT_A;
  299. s->init_num=0;
  300. break;
  301. case SSL3_ST_SW_CERT_A:
  302. case SSL3_ST_SW_CERT_B:
  303. /* Check if it is anon DH or normal PSK */
  304. if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
  305. && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
  306. {
  307. dtls1_start_timer(s);
  308. ret=dtls1_send_server_certificate(s);
  309. if (ret <= 0) goto end;
  310. #ifndef OPENSSL_NO_TLSEXT
  311. if (s->tlsext_status_expected)
  312. s->state=SSL3_ST_SW_CERT_STATUS_A;
  313. else
  314. s->state=SSL3_ST_SW_KEY_EXCH_A;
  315. }
  316. else
  317. {
  318. skip = 1;
  319. s->state=SSL3_ST_SW_KEY_EXCH_A;
  320. }
  321. #else
  322. }
  323. else
  324. skip=1;
  325. s->state=SSL3_ST_SW_KEY_EXCH_A;
  326. #endif
  327. s->init_num=0;
  328. break;
  329. case SSL3_ST_SW_KEY_EXCH_A:
  330. case SSL3_ST_SW_KEY_EXCH_B:
  331. alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
  332. /* clear this, it may get reset by
  333. * send_server_key_exchange */
  334. if ((s->options & SSL_OP_EPHEMERAL_RSA)
  335. #ifndef OPENSSL_NO_KRB5
  336. && !(alg_k & SSL_kKRB5)
  337. #endif /* OPENSSL_NO_KRB5 */
  338. )
  339. /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
  340. * even when forbidden by protocol specs
  341. * (handshake may fail as clients are not required to
  342. * be able to handle this) */
  343. s->s3->tmp.use_rsa_tmp=1;
  344. else
  345. s->s3->tmp.use_rsa_tmp=0;
  346. /* only send if a DH key exchange or
  347. * RSA but we have a sign only certificate */
  348. if (s->s3->tmp.use_rsa_tmp
  349. /* PSK: send ServerKeyExchange if PSK identity
  350. * hint if provided */
  351. #ifndef OPENSSL_NO_PSK
  352. || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
  353. #endif
  354. || (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
  355. || (alg_k & SSL_kEECDH)
  356. || ((alg_k & SSL_kRSA)
  357. && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
  358. || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
  359. && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
  360. )
  361. )
  362. )
  363. )
  364. {
  365. dtls1_start_timer(s);
  366. ret=dtls1_send_server_key_exchange(s);
  367. if (ret <= 0) goto end;
  368. }
  369. else
  370. skip=1;
  371. s->state=SSL3_ST_SW_CERT_REQ_A;
  372. s->init_num=0;
  373. break;
  374. case SSL3_ST_SW_CERT_REQ_A:
  375. case SSL3_ST_SW_CERT_REQ_B:
  376. if (/* don't request cert unless asked for it: */
  377. !(s->verify_mode & SSL_VERIFY_PEER) ||
  378. /* if SSL_VERIFY_CLIENT_ONCE is set,
  379. * don't request cert during re-negotiation: */
  380. ((s->session->peer != NULL) &&
  381. (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
  382. /* never request cert in anonymous ciphersuites
  383. * (see section "Certificate request" in SSL 3 drafts
  384. * and in RFC 2246): */
  385. ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
  386. /* ... except when the application insists on verification
  387. * (against the specs, but s3_clnt.c accepts this for SSL 3) */
  388. !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
  389. /* never request cert in Kerberos ciphersuites */
  390. (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
  391. /* With normal PSK Certificates and
  392. * Certificate Requests are omitted */
  393. || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
  394. {
  395. /* no cert request */
  396. skip=1;
  397. s->s3->tmp.cert_request=0;
  398. s->state=SSL3_ST_SW_SRVR_DONE_A;
  399. }
  400. else
  401. {
  402. s->s3->tmp.cert_request=1;
  403. dtls1_start_timer(s);
  404. ret=dtls1_send_certificate_request(s);
  405. if (ret <= 0) goto end;
  406. #ifndef NETSCAPE_HANG_BUG
  407. s->state=SSL3_ST_SW_SRVR_DONE_A;
  408. #else
  409. s->state=SSL3_ST_SW_FLUSH;
  410. s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
  411. #endif
  412. s->init_num=0;
  413. }
  414. break;
  415. case SSL3_ST_SW_SRVR_DONE_A:
  416. case SSL3_ST_SW_SRVR_DONE_B:
  417. dtls1_start_timer(s);
  418. ret=dtls1_send_server_done(s);
  419. if (ret <= 0) goto end;
  420. s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
  421. s->state=SSL3_ST_SW_FLUSH;
  422. s->init_num=0;
  423. break;
  424. case SSL3_ST_SW_FLUSH:
  425. s->rwstate=SSL_WRITING;
  426. if (BIO_flush(s->wbio) <= 0)
  427. {
  428. ret= -1;
  429. goto end;
  430. }
  431. s->rwstate=SSL_NOTHING;
  432. s->state=s->s3->tmp.next_state;
  433. break;
  434. case SSL3_ST_SR_CERT_A:
  435. case SSL3_ST_SR_CERT_B:
  436. /* Check for second client hello (MS SGC) */
  437. ret = ssl3_check_client_hello(s);
  438. if (ret <= 0)
  439. goto end;
  440. dtls1_stop_timer(s);
  441. if (ret == 2)
  442. s->state = SSL3_ST_SR_CLNT_HELLO_C;
  443. else {
  444. /* could be sent for a DH cert, even if we
  445. * have not asked for it :-) */
  446. ret=ssl3_get_client_certificate(s);
  447. if (ret <= 0) goto end;
  448. dtls1_stop_timer(s);
  449. s->init_num=0;
  450. s->state=SSL3_ST_SR_KEY_EXCH_A;
  451. }
  452. break;
  453. case SSL3_ST_SR_KEY_EXCH_A:
  454. case SSL3_ST_SR_KEY_EXCH_B:
  455. ret=ssl3_get_client_key_exchange(s);
  456. if (ret <= 0) goto end;
  457. dtls1_stop_timer(s);
  458. s->state=SSL3_ST_SR_CERT_VRFY_A;
  459. s->init_num=0;
  460. if (ret == 2)
  461. {
  462. /* For the ECDH ciphersuites when
  463. * the client sends its ECDH pub key in
  464. * a certificate, the CertificateVerify
  465. * message is not sent.
  466. */
  467. s->state=SSL3_ST_SR_FINISHED_A;
  468. s->init_num = 0;
  469. }
  470. else
  471. {
  472. s->state=SSL3_ST_SR_CERT_VRFY_A;
  473. s->init_num=0;
  474. /* We need to get hashes here so if there is
  475. * a client cert, it can be verified */
  476. s->method->ssl3_enc->cert_verify_mac(s,
  477. NID_md5,
  478. &(s->s3->tmp.cert_verify_md[0]));
  479. s->method->ssl3_enc->cert_verify_mac(s,
  480. NID_sha1,
  481. &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
  482. }
  483. break;
  484. case SSL3_ST_SR_CERT_VRFY_A:
  485. case SSL3_ST_SR_CERT_VRFY_B:
  486. s->d1->change_cipher_spec_ok = 1;
  487. /* we should decide if we expected this one */
  488. ret=ssl3_get_cert_verify(s);
  489. if (ret <= 0) goto end;
  490. dtls1_stop_timer(s);
  491. s->state=SSL3_ST_SR_FINISHED_A;
  492. s->init_num=0;
  493. break;
  494. case SSL3_ST_SR_FINISHED_A:
  495. case SSL3_ST_SR_FINISHED_B:
  496. s->d1->change_cipher_spec_ok = 1;
  497. ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
  498. SSL3_ST_SR_FINISHED_B);
  499. if (ret <= 0) goto end;
  500. dtls1_stop_timer(s);
  501. if (s->hit)
  502. s->state=SSL_ST_OK;
  503. #ifndef OPENSSL_NO_TLSEXT
  504. else if (s->tlsext_ticket_expected)
  505. s->state=SSL3_ST_SW_SESSION_TICKET_A;
  506. #endif
  507. else
  508. s->state=SSL3_ST_SW_CHANGE_A;
  509. s->init_num=0;
  510. break;
  511. #ifndef OPENSSL_NO_TLSEXT
  512. case SSL3_ST_SW_SESSION_TICKET_A:
  513. case SSL3_ST_SW_SESSION_TICKET_B:
  514. ret=dtls1_send_newsession_ticket(s);
  515. if (ret <= 0) goto end;
  516. s->state=SSL3_ST_SW_CHANGE_A;
  517. s->init_num=0;
  518. break;
  519. case SSL3_ST_SW_CERT_STATUS_A:
  520. case SSL3_ST_SW_CERT_STATUS_B:
  521. ret=ssl3_send_cert_status(s);
  522. if (ret <= 0) goto end;
  523. s->state=SSL3_ST_SW_KEY_EXCH_A;
  524. s->init_num=0;
  525. break;
  526. #endif
  527. case SSL3_ST_SW_CHANGE_A:
  528. case SSL3_ST_SW_CHANGE_B:
  529. s->session->cipher=s->s3->tmp.new_cipher;
  530. if (!s->method->ssl3_enc->setup_key_block(s))
  531. { ret= -1; goto end; }
  532. ret=dtls1_send_change_cipher_spec(s,
  533. SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B);
  534. if (ret <= 0) goto end;
  535. s->state=SSL3_ST_SW_FINISHED_A;
  536. s->init_num=0;
  537. if (!s->method->ssl3_enc->change_cipher_state(s,
  538. SSL3_CHANGE_CIPHER_SERVER_WRITE))
  539. {
  540. ret= -1;
  541. goto end;
  542. }
  543. dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
  544. break;
  545. case SSL3_ST_SW_FINISHED_A:
  546. case SSL3_ST_SW_FINISHED_B:
  547. ret=dtls1_send_finished(s,
  548. SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
  549. s->method->ssl3_enc->server_finished_label,
  550. s->method->ssl3_enc->server_finished_label_len);
  551. if (ret <= 0) goto end;
  552. s->state=SSL3_ST_SW_FLUSH;
  553. if (s->hit)
  554. s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
  555. else
  556. s->s3->tmp.next_state=SSL_ST_OK;
  557. s->init_num=0;
  558. break;
  559. case SSL_ST_OK:
  560. /* clean a few things up */
  561. ssl3_cleanup_key_block(s);
  562. #if 0
  563. BUF_MEM_free(s->init_buf);
  564. s->init_buf=NULL;
  565. #endif
  566. /* remove buffering on output */
  567. ssl_free_wbio_buffer(s);
  568. s->init_num=0;
  569. if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */
  570. {
  571. s->renegotiate=0;
  572. s->new_session=0;
  573. ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
  574. s->ctx->stats.sess_accept_good++;
  575. /* s->server=1; */
  576. s->handshake_func=dtls1_accept;
  577. if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
  578. }
  579. ret = 1;
  580. /* done handshaking, next message is client hello */
  581. s->d1->handshake_read_seq = 0;
  582. /* next message is server hello */
  583. s->d1->handshake_write_seq = 0;
  584. s->d1->next_handshake_write_seq = 0;
  585. goto end;
  586. /* break; */
  587. default:
  588. SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_UNKNOWN_STATE);
  589. ret= -1;
  590. goto end;
  591. /* break; */
  592. }
  593. if (!s->s3->tmp.reuse_message && !skip)
  594. {
  595. if (s->debug)
  596. {
  597. if ((ret=BIO_flush(s->wbio)) <= 0)
  598. goto end;
  599. }
  600. if ((cb != NULL) && (s->state != state))
  601. {
  602. new_state=s->state;
  603. s->state=state;
  604. cb(s,SSL_CB_ACCEPT_LOOP,1);
  605. s->state=new_state;
  606. }
  607. }
  608. skip=0;
  609. }
  610. end:
  611. /* BIO_flush(s->wbio); */
  612. s->in_handshake--;
  613. if (cb != NULL)
  614. cb(s,SSL_CB_ACCEPT_EXIT,ret);
  615. return(ret);
  616. }
  617. int dtls1_send_hello_request(SSL *s)
  618. {
  619. unsigned char *p;
  620. if (s->state == SSL3_ST_SW_HELLO_REQ_A)
  621. {
  622. p=(unsigned char *)s->init_buf->data;
  623. p = dtls1_set_message_header(s, p, SSL3_MT_HELLO_REQUEST, 0, 0, 0);
  624. s->state=SSL3_ST_SW_HELLO_REQ_B;
  625. /* number of bytes to write */
  626. s->init_num=DTLS1_HM_HEADER_LENGTH;
  627. s->init_off=0;
  628. /* no need to buffer this message, since there are no retransmit
  629. * requests for it */
  630. }
  631. /* SSL3_ST_SW_HELLO_REQ_B */
  632. return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
  633. }
  634. int dtls1_send_hello_verify_request(SSL *s)
  635. {
  636. unsigned int msg_len;
  637. unsigned char *msg, *buf, *p;
  638. if (s->state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A)
  639. {
  640. buf = (unsigned char *)s->init_buf->data;
  641. msg = p = &(buf[DTLS1_HM_HEADER_LENGTH]);
  642. *(p++) = s->version >> 8;
  643. *(p++) = s->version & 0xFF;
  644. if (s->ctx->app_gen_cookie_cb == NULL ||
  645. s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
  646. &(s->d1->cookie_len)) == 0)
  647. {
  648. SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,ERR_R_INTERNAL_ERROR);
  649. return 0;
  650. }
  651. *(p++) = (unsigned char) s->d1->cookie_len;
  652. memcpy(p, s->d1->cookie, s->d1->cookie_len);
  653. p += s->d1->cookie_len;
  654. msg_len = p - msg;
  655. dtls1_set_message_header(s, buf,
  656. DTLS1_MT_HELLO_VERIFY_REQUEST, msg_len, 0, msg_len);
  657. s->state=DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B;
  658. /* number of bytes to write */
  659. s->init_num=p-buf;
  660. s->init_off=0;
  661. }
  662. /* s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */
  663. return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
  664. }
  665. int dtls1_send_server_hello(SSL *s)
  666. {
  667. unsigned char *buf;
  668. unsigned char *p,*d;
  669. int i;
  670. unsigned int sl;
  671. unsigned long l,Time;
  672. if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
  673. {
  674. buf=(unsigned char *)s->init_buf->data;
  675. p=s->s3->server_random;
  676. Time=(unsigned long)time(NULL); /* Time */
  677. l2n(Time,p);
  678. RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
  679. /* Do the message type and length last */
  680. d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
  681. *(p++)=s->version>>8;
  682. *(p++)=s->version&0xff;
  683. /* Random stuff */
  684. memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
  685. p+=SSL3_RANDOM_SIZE;
  686. /* now in theory we have 3 options to sending back the
  687. * session id. If it is a re-use, we send back the
  688. * old session-id, if it is a new session, we send
  689. * back the new session-id or we send back a 0 length
  690. * session-id if we want it to be single use.
  691. * Currently I will not implement the '0' length session-id
  692. * 12-Jan-98 - I'll now support the '0' length stuff.
  693. */
  694. if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER))
  695. s->session->session_id_length=0;
  696. sl=s->session->session_id_length;
  697. if (sl > sizeof s->session->session_id)
  698. {
  699. SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
  700. return -1;
  701. }
  702. *(p++)=sl;
  703. memcpy(p,s->session->session_id,sl);
  704. p+=sl;
  705. /* put the cipher */
  706. if (s->s3->tmp.new_cipher == NULL)
  707. return -1;
  708. i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p);
  709. p+=i;
  710. /* put the compression method */
  711. #ifdef OPENSSL_NO_COMP
  712. *(p++)=0;
  713. #else
  714. if (s->s3->tmp.new_compression == NULL)
  715. *(p++)=0;
  716. else
  717. *(p++)=s->s3->tmp.new_compression->id;
  718. #endif
  719. #ifndef OPENSSL_NO_TLSEXT
  720. if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
  721. {
  722. SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
  723. return -1;
  724. }
  725. #endif
  726. /* do the header */
  727. l=(p-d);
  728. d=buf;
  729. d = dtls1_set_message_header(s, d, SSL3_MT_SERVER_HELLO, l, 0, l);
  730. s->state=SSL3_ST_SW_SRVR_HELLO_B;
  731. /* number of bytes to write */
  732. s->init_num=p-buf;
  733. s->init_off=0;
  734. /* buffer the message to handle re-xmits */
  735. dtls1_buffer_message(s, 0);
  736. }
  737. /* SSL3_ST_SW_SRVR_HELLO_B */
  738. return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
  739. }
  740. int dtls1_send_server_done(SSL *s)
  741. {
  742. unsigned char *p;
  743. if (s->state == SSL3_ST_SW_SRVR_DONE_A)
  744. {
  745. p=(unsigned char *)s->init_buf->data;
  746. /* do the header */
  747. p = dtls1_set_message_header(s, p, SSL3_MT_SERVER_DONE, 0, 0, 0);
  748. s->state=SSL3_ST_SW_SRVR_DONE_B;
  749. /* number of bytes to write */
  750. s->init_num=DTLS1_HM_HEADER_LENGTH;
  751. s->init_off=0;
  752. /* buffer the message to handle re-xmits */
  753. dtls1_buffer_message(s, 0);
  754. }
  755. /* SSL3_ST_SW_SRVR_DONE_B */
  756. return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
  757. }
  758. int dtls1_send_server_key_exchange(SSL *s)
  759. {
  760. #ifndef OPENSSL_NO_RSA
  761. unsigned char *q;
  762. int j,num;
  763. RSA *rsa;
  764. unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
  765. unsigned int u;
  766. #endif
  767. #ifndef OPENSSL_NO_DH
  768. DH *dh=NULL,*dhp;
  769. #endif
  770. #ifndef OPENSSL_NO_ECDH
  771. EC_KEY *ecdh=NULL, *ecdhp;
  772. unsigned char *encodedPoint = NULL;
  773. int encodedlen = 0;
  774. int curve_id = 0;
  775. BN_CTX *bn_ctx = NULL;
  776. #endif
  777. EVP_PKEY *pkey;
  778. unsigned char *p,*d;
  779. int al,i;
  780. unsigned long type;
  781. int n;
  782. CERT *cert;
  783. BIGNUM *r[4];
  784. int nr[4],kn;
  785. BUF_MEM *buf;
  786. EVP_MD_CTX md_ctx;
  787. EVP_MD_CTX_init(&md_ctx);
  788. if (s->state == SSL3_ST_SW_KEY_EXCH_A)
  789. {
  790. type=s->s3->tmp.new_cipher->algorithm_mkey;
  791. cert=s->cert;
  792. buf=s->init_buf;
  793. r[0]=r[1]=r[2]=r[3]=NULL;
  794. n=0;
  795. #ifndef OPENSSL_NO_RSA
  796. if (type & SSL_kRSA)
  797. {
  798. rsa=cert->rsa_tmp;
  799. if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL))
  800. {
  801. rsa=s->cert->rsa_tmp_cb(s,
  802. SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
  803. SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
  804. if(rsa == NULL)
  805. {
  806. al=SSL_AD_HANDSHAKE_FAILURE;
  807. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
  808. goto f_err;
  809. }
  810. RSA_up_ref(rsa);
  811. cert->rsa_tmp=rsa;
  812. }
  813. if (rsa == NULL)
  814. {
  815. al=SSL_AD_HANDSHAKE_FAILURE;
  816. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY);
  817. goto f_err;
  818. }
  819. r[0]=rsa->n;
  820. r[1]=rsa->e;
  821. s->s3->tmp.use_rsa_tmp=1;
  822. }
  823. else
  824. #endif
  825. #ifndef OPENSSL_NO_DH
  826. if (type & SSL_kEDH)
  827. {
  828. dhp=cert->dh_tmp;
  829. if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
  830. dhp=s->cert->dh_tmp_cb(s,
  831. SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
  832. SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
  833. if (dhp == NULL)
  834. {
  835. al=SSL_AD_HANDSHAKE_FAILURE;
  836. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
  837. goto f_err;
  838. }
  839. if (s->s3->tmp.dh != NULL)
  840. {
  841. DH_free(dh);
  842. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
  843. goto err;
  844. }
  845. if ((dh=DHparams_dup(dhp)) == NULL)
  846. {
  847. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
  848. goto err;
  849. }
  850. s->s3->tmp.dh=dh;
  851. if ((dhp->pub_key == NULL ||
  852. dhp->priv_key == NULL ||
  853. (s->options & SSL_OP_SINGLE_DH_USE)))
  854. {
  855. if(!DH_generate_key(dh))
  856. {
  857. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,
  858. ERR_R_DH_LIB);
  859. goto err;
  860. }
  861. }
  862. else
  863. {
  864. dh->pub_key=BN_dup(dhp->pub_key);
  865. dh->priv_key=BN_dup(dhp->priv_key);
  866. if ((dh->pub_key == NULL) ||
  867. (dh->priv_key == NULL))
  868. {
  869. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
  870. goto err;
  871. }
  872. }
  873. r[0]=dh->p;
  874. r[1]=dh->g;
  875. r[2]=dh->pub_key;
  876. }
  877. else
  878. #endif
  879. #ifndef OPENSSL_NO_ECDH
  880. if (type & SSL_kEECDH)
  881. {
  882. const EC_GROUP *group;
  883. ecdhp=cert->ecdh_tmp;
  884. if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL))
  885. {
  886. ecdhp=s->cert->ecdh_tmp_cb(s,
  887. SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
  888. SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
  889. }
  890. if (ecdhp == NULL)
  891. {
  892. al=SSL_AD_HANDSHAKE_FAILURE;
  893. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY);
  894. goto f_err;
  895. }
  896. if (s->s3->tmp.ecdh != NULL)
  897. {
  898. EC_KEY_free(s->s3->tmp.ecdh);
  899. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
  900. goto err;
  901. }
  902. /* Duplicate the ECDH structure. */
  903. if (ecdhp == NULL)
  904. {
  905. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
  906. goto err;
  907. }
  908. if ((ecdh = EC_KEY_dup(ecdhp)) == NULL)
  909. {
  910. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
  911. goto err;
  912. }
  913. s->s3->tmp.ecdh=ecdh;
  914. if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
  915. (EC_KEY_get0_private_key(ecdh) == NULL) ||
  916. (s->options & SSL_OP_SINGLE_ECDH_USE))
  917. {
  918. if(!EC_KEY_generate_key(ecdh))
  919. {
  920. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
  921. goto err;
  922. }
  923. }
  924. if (((group = EC_KEY_get0_group(ecdh)) == NULL) ||
  925. (EC_KEY_get0_public_key(ecdh) == NULL) ||
  926. (EC_KEY_get0_private_key(ecdh) == NULL))
  927. {
  928. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
  929. goto err;
  930. }
  931. if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
  932. (EC_GROUP_get_degree(group) > 163))
  933. {
  934. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
  935. goto err;
  936. }
  937. /* XXX: For now, we only support ephemeral ECDH
  938. * keys over named (not generic) curves. For
  939. * supported named curves, curve_id is non-zero.
  940. */
  941. if ((curve_id =
  942. tls1_ec_nid2curve_id(EC_GROUP_get_curve_name(group)))
  943. == 0)
  944. {
  945. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
  946. goto err;
  947. }
  948. /* Encode the public key.
  949. * First check the size of encoding and
  950. * allocate memory accordingly.
  951. */
  952. encodedlen = EC_POINT_point2oct(group,
  953. EC_KEY_get0_public_key(ecdh),
  954. POINT_CONVERSION_UNCOMPRESSED,
  955. NULL, 0, NULL);
  956. encodedPoint = (unsigned char *)
  957. OPENSSL_malloc(encodedlen*sizeof(unsigned char));
  958. bn_ctx = BN_CTX_new();
  959. if ((encodedPoint == NULL) || (bn_ctx == NULL))
  960. {
  961. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
  962. goto err;
  963. }
  964. encodedlen = EC_POINT_point2oct(group,
  965. EC_KEY_get0_public_key(ecdh),
  966. POINT_CONVERSION_UNCOMPRESSED,
  967. encodedPoint, encodedlen, bn_ctx);
  968. if (encodedlen == 0)
  969. {
  970. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
  971. goto err;
  972. }
  973. BN_CTX_free(bn_ctx); bn_ctx=NULL;
  974. /* XXX: For now, we only support named (not
  975. * generic) curves in ECDH ephemeral key exchanges.
  976. * In this situation, we need four additional bytes
  977. * to encode the entire ServerECDHParams
  978. * structure.
  979. */
  980. n = 4 + encodedlen;
  981. /* We'll generate the serverKeyExchange message
  982. * explicitly so we can set these to NULLs
  983. */
  984. r[0]=NULL;
  985. r[1]=NULL;
  986. r[2]=NULL;
  987. r[3]=NULL;
  988. }
  989. else
  990. #endif /* !OPENSSL_NO_ECDH */
  991. #ifndef OPENSSL_NO_PSK
  992. if (type & SSL_kPSK)
  993. {
  994. /* reserve size for record length and PSK identity hint*/
  995. n+=2+strlen(s->ctx->psk_identity_hint);
  996. }
  997. else
  998. #endif /* !OPENSSL_NO_PSK */
  999. {
  1000. al=SSL_AD_HANDSHAKE_FAILURE;
  1001. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
  1002. goto f_err;
  1003. }
  1004. for (i=0; r[i] != NULL; i++)
  1005. {
  1006. nr[i]=BN_num_bytes(r[i]);
  1007. n+=2+nr[i];
  1008. }
  1009. if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
  1010. && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
  1011. {
  1012. if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher, NULL))
  1013. == NULL)
  1014. {
  1015. al=SSL_AD_DECODE_ERROR;
  1016. goto f_err;
  1017. }
  1018. kn=EVP_PKEY_size(pkey);
  1019. }
  1020. else
  1021. {
  1022. pkey=NULL;
  1023. kn=0;
  1024. }
  1025. if (!BUF_MEM_grow_clean(buf,n+DTLS1_HM_HEADER_LENGTH+kn))
  1026. {
  1027. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
  1028. goto err;
  1029. }
  1030. d=(unsigned char *)s->init_buf->data;
  1031. p= &(d[DTLS1_HM_HEADER_LENGTH]);
  1032. for (i=0; r[i] != NULL; i++)
  1033. {
  1034. s2n(nr[i],p);
  1035. BN_bn2bin(r[i],p);
  1036. p+=nr[i];
  1037. }
  1038. #ifndef OPENSSL_NO_ECDH
  1039. if (type & SSL_kEECDH)
  1040. {
  1041. /* XXX: For now, we only support named (not generic) curves.
  1042. * In this situation, the serverKeyExchange message has:
  1043. * [1 byte CurveType], [2 byte CurveName]
  1044. * [1 byte length of encoded point], followed by
  1045. * the actual encoded point itself
  1046. */
  1047. *p = NAMED_CURVE_TYPE;
  1048. p += 1;
  1049. *p = 0;
  1050. p += 1;
  1051. *p = curve_id;
  1052. p += 1;
  1053. *p = encodedlen;
  1054. p += 1;
  1055. memcpy((unsigned char*)p,
  1056. (unsigned char *)encodedPoint,
  1057. encodedlen);
  1058. OPENSSL_free(encodedPoint);
  1059. p += encodedlen;
  1060. }
  1061. #endif
  1062. #ifndef OPENSSL_NO_PSK
  1063. if (type & SSL_kPSK)
  1064. {
  1065. /* copy PSK identity hint */
  1066. s2n(strlen(s->ctx->psk_identity_hint), p);
  1067. strncpy((char *)p, s->ctx->psk_identity_hint, strlen(s->ctx->psk_identity_hint));
  1068. p+=strlen(s->ctx->psk_identity_hint);
  1069. }
  1070. #endif
  1071. /* not anonymous */
  1072. if (pkey != NULL)
  1073. {
  1074. /* n is the length of the params, they start at
  1075. * &(d[DTLS1_HM_HEADER_LENGTH]) and p points to the space
  1076. * at the end. */
  1077. #ifndef OPENSSL_NO_RSA
  1078. if (pkey->type == EVP_PKEY_RSA)
  1079. {
  1080. q=md_buf;
  1081. j=0;
  1082. for (num=2; num > 0; num--)
  1083. {
  1084. EVP_DigestInit_ex(&md_ctx,(num == 2)
  1085. ?s->ctx->md5:s->ctx->sha1, NULL);
  1086. EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
  1087. EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
  1088. EVP_DigestUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n);
  1089. EVP_DigestFinal_ex(&md_ctx,q,
  1090. (unsigned int *)&i);
  1091. q+=i;
  1092. j+=i;
  1093. }
  1094. if (RSA_sign(NID_md5_sha1, md_buf, j,
  1095. &(p[2]), &u, pkey->pkey.rsa) <= 0)
  1096. {
  1097. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
  1098. goto err;
  1099. }
  1100. s2n(u,p);
  1101. n+=u+2;
  1102. }
  1103. else
  1104. #endif
  1105. #if !defined(OPENSSL_NO_DSA)
  1106. if (pkey->type == EVP_PKEY_DSA)
  1107. {
  1108. /* lets do DSS */
  1109. EVP_SignInit_ex(&md_ctx,EVP_dss1(), NULL);
  1110. EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
  1111. EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
  1112. EVP_SignUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n);
  1113. if (!EVP_SignFinal(&md_ctx,&(p[2]),
  1114. (unsigned int *)&i,pkey))
  1115. {
  1116. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA);
  1117. goto err;
  1118. }
  1119. s2n(i,p);
  1120. n+=i+2;
  1121. }
  1122. else
  1123. #endif
  1124. #if !defined(OPENSSL_NO_ECDSA)
  1125. if (pkey->type == EVP_PKEY_EC)
  1126. {
  1127. /* let's do ECDSA */
  1128. EVP_SignInit_ex(&md_ctx,EVP_ecdsa(), NULL);
  1129. EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
  1130. EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
  1131. EVP_SignUpdate(&md_ctx,&(d[4]),n);
  1132. if (!EVP_SignFinal(&md_ctx,&(p[2]),
  1133. (unsigned int *)&i,pkey))
  1134. {
  1135. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_ECDSA);
  1136. goto err;
  1137. }
  1138. s2n(i,p);
  1139. n+=i+2;
  1140. }
  1141. else
  1142. #endif
  1143. {
  1144. /* Is this error check actually needed? */
  1145. al=SSL_AD_HANDSHAKE_FAILURE;
  1146. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE);
  1147. goto f_err;
  1148. }
  1149. }
  1150. d = dtls1_set_message_header(s, d,
  1151. SSL3_MT_SERVER_KEY_EXCHANGE, n, 0, n);
  1152. /* we should now have things packed up, so lets send
  1153. * it off */
  1154. s->init_num=n+DTLS1_HM_HEADER_LENGTH;
  1155. s->init_off=0;
  1156. /* buffer the message to handle re-xmits */
  1157. dtls1_buffer_message(s, 0);
  1158. }
  1159. s->state = SSL3_ST_SW_KEY_EXCH_B;
  1160. EVP_MD_CTX_cleanup(&md_ctx);
  1161. return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
  1162. f_err:
  1163. ssl3_send_alert(s,SSL3_AL_FATAL,al);
  1164. err:
  1165. #ifndef OPENSSL_NO_ECDH
  1166. if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
  1167. BN_CTX_free(bn_ctx);
  1168. #endif
  1169. EVP_MD_CTX_cleanup(&md_ctx);
  1170. return(-1);
  1171. }
  1172. int dtls1_send_certificate_request(SSL *s)
  1173. {
  1174. unsigned char *p,*d;
  1175. int i,j,nl,off,n;
  1176. STACK_OF(X509_NAME) *sk=NULL;
  1177. X509_NAME *name;
  1178. BUF_MEM *buf;
  1179. unsigned int msg_len;
  1180. if (s->state == SSL3_ST_SW_CERT_REQ_A)
  1181. {
  1182. buf=s->init_buf;
  1183. d=p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH]);
  1184. /* get the list of acceptable cert types */
  1185. p++;
  1186. n=ssl3_get_req_cert_type(s,p);
  1187. d[0]=n;
  1188. p+=n;
  1189. n++;
  1190. off=n;
  1191. p+=2;
  1192. n+=2;
  1193. sk=SSL_get_client_CA_list(s);
  1194. nl=0;
  1195. if (sk != NULL)
  1196. {
  1197. for (i=0; i<sk_X509_NAME_num(sk); i++)
  1198. {
  1199. name=sk_X509_NAME_value(sk,i);
  1200. j=i2d_X509_NAME(name,NULL);
  1201. if (!BUF_MEM_grow_clean(buf,DTLS1_HM_HEADER_LENGTH+n+j+2))
  1202. {
  1203. SSLerr(SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
  1204. goto err;
  1205. }
  1206. p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH+n]);
  1207. if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
  1208. {
  1209. s2n(j,p);
  1210. i2d_X509_NAME(name,&p);
  1211. n+=2+j;
  1212. nl+=2+j;
  1213. }
  1214. else
  1215. {
  1216. d=p;
  1217. i2d_X509_NAME(name,&p);
  1218. j-=2; s2n(j,d); j+=2;
  1219. n+=j;
  1220. nl+=j;
  1221. }
  1222. }
  1223. }
  1224. /* else no CA names */
  1225. p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH+off]);
  1226. s2n(nl,p);
  1227. d=(unsigned char *)buf->data;
  1228. *(d++)=SSL3_MT_CERTIFICATE_REQUEST;
  1229. l2n3(n,d);
  1230. s2n(s->d1->handshake_write_seq,d);
  1231. s->d1->handshake_write_seq++;
  1232. /* we should now have things packed up, so lets send
  1233. * it off */
  1234. s->init_num=n+DTLS1_HM_HEADER_LENGTH;
  1235. s->init_off=0;
  1236. #ifdef NETSCAPE_HANG_BUG
  1237. /* XXX: what to do about this? */
  1238. p=(unsigned char *)s->init_buf->data + s->init_num;
  1239. /* do the header */
  1240. *(p++)=SSL3_MT_SERVER_DONE;
  1241. *(p++)=0;
  1242. *(p++)=0;
  1243. *(p++)=0;
  1244. s->init_num += 4;
  1245. #endif
  1246. /* XDTLS: set message header ? */
  1247. msg_len = s->init_num - DTLS1_HM_HEADER_LENGTH;
  1248. dtls1_set_message_header(s, (void *)s->init_buf->data,
  1249. SSL3_MT_CERTIFICATE_REQUEST, msg_len, 0, msg_len);
  1250. /* buffer the message to handle re-xmits */
  1251. dtls1_buffer_message(s, 0);
  1252. s->state = SSL3_ST_SW_CERT_REQ_B;
  1253. }
  1254. /* SSL3_ST_SW_CERT_REQ_B */
  1255. return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
  1256. err:
  1257. return(-1);
  1258. }
  1259. int dtls1_send_server_certificate(SSL *s)
  1260. {
  1261. unsigned long l;
  1262. X509 *x;
  1263. if (s->state == SSL3_ST_SW_CERT_A)
  1264. {
  1265. x=ssl_get_server_send_cert(s);
  1266. if (x == NULL)
  1267. {
  1268. /* VRS: allow null cert if auth == KRB5 */
  1269. if ((s->s3->tmp.new_cipher->algorithm_mkey != SSL_kKRB5) ||
  1270. (s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5))
  1271. {
  1272. SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
  1273. return(0);
  1274. }
  1275. }
  1276. l=dtls1_output_cert_chain(s,x);
  1277. s->state=SSL3_ST_SW_CERT_B;
  1278. s->init_num=(int)l;
  1279. s->init_off=0;
  1280. /* buffer the message to handle re-xmits */
  1281. dtls1_buffer_message(s, 0);
  1282. }
  1283. /* SSL3_ST_SW_CERT_B */
  1284. return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
  1285. }
  1286. #ifndef OPENSSL_NO_TLSEXT
  1287. int dtls1_send_newsession_ticket(SSL *s)
  1288. {
  1289. if (s->state == SSL3_ST_SW_SESSION_TICKET_A)
  1290. {
  1291. unsigned char *p, *senc, *macstart;
  1292. int len, slen;
  1293. unsigned int hlen, msg_len;
  1294. EVP_CIPHER_CTX ctx;
  1295. HMAC_CTX hctx;
  1296. SSL_CTX *tctx = s->initial_ctx;
  1297. unsigned char iv[EVP_MAX_IV_LENGTH];
  1298. unsigned char key_name[16];
  1299. /* get session encoding length */
  1300. slen = i2d_SSL_SESSION(s->session, NULL);
  1301. /* Some length values are 16 bits, so forget it if session is
  1302. * too long
  1303. */
  1304. if (slen > 0xFF00)
  1305. return -1;
  1306. /* Grow buffer if need be: the length calculation is as
  1307. * follows 12 (DTLS handshake message header) +
  1308. * 4 (ticket lifetime hint) + 2 (ticket length) +
  1309. * 16 (key name) + max_iv_len (iv length) +
  1310. * session_length + max_enc_block_size (max encrypted session
  1311. * length) + max_md_size (HMAC).
  1312. */
  1313. if (!BUF_MEM_grow(s->init_buf,
  1314. DTLS1_HM_HEADER_LENGTH + 22 + EVP_MAX_IV_LENGTH +
  1315. EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE + slen))
  1316. return -1;
  1317. senc = OPENSSL_malloc(slen);
  1318. if (!senc)
  1319. return -1;
  1320. p = senc;
  1321. i2d_SSL_SESSION(s->session, &p);
  1322. p=(unsigned char *)&(s->init_buf->data[DTLS1_HM_HEADER_LENGTH]);
  1323. EVP_CIPHER_CTX_init(&ctx);
  1324. HMAC_CTX_init(&hctx);
  1325. /* Initialize HMAC and cipher contexts. If callback present
  1326. * it does all the work otherwise use generated values
  1327. * from parent ctx.
  1328. */
  1329. if (tctx->tlsext_ticket_key_cb)
  1330. {
  1331. if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
  1332. &hctx, 1) < 0)
  1333. {
  1334. OPENSSL_free(senc);
  1335. return -1;
  1336. }
  1337. }
  1338. else
  1339. {
  1340. RAND_pseudo_bytes(iv, 16);
  1341. EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
  1342. tctx->tlsext_tick_aes_key, iv);
  1343. HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
  1344. tlsext_tick_md(), NULL);
  1345. memcpy(key_name, tctx->tlsext_tick_key_name, 16);
  1346. }
  1347. l2n(s->session->tlsext_tick_lifetime_hint, p);
  1348. /* Skip ticket length for now */
  1349. p += 2;
  1350. /* Output key name */
  1351. macstart = p;
  1352. memcpy(p, key_name, 16);
  1353. p += 16;
  1354. /* output IV */
  1355. memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx));
  1356. p += EVP_CIPHER_CTX_iv_length(&ctx);
  1357. /* Encrypt session data */
  1358. EVP_EncryptUpdate(&ctx, p, &len, senc, slen);
  1359. p += len;
  1360. EVP_EncryptFinal(&ctx, p, &len);
  1361. p += len;
  1362. EVP_CIPHER_CTX_cleanup(&ctx);
  1363. HMAC_Update(&hctx, macstart, p - macstart);
  1364. HMAC_Final(&hctx, p, &hlen);
  1365. HMAC_CTX_cleanup(&hctx);
  1366. p += hlen;
  1367. /* Now write out lengths: p points to end of data written */
  1368. /* Total length */
  1369. len = p - (unsigned char *)(s->init_buf->data);
  1370. /* Ticket length */
  1371. p=(unsigned char *)&(s->init_buf->data[DTLS1_HM_HEADER_LENGTH]) + 4;
  1372. s2n(len - DTLS1_HM_HEADER_LENGTH - 6, p);
  1373. /* number of bytes to write */
  1374. s->init_num= len;
  1375. s->state=SSL3_ST_SW_SESSION_TICKET_B;
  1376. s->init_off=0;
  1377. OPENSSL_free(senc);
  1378. /* XDTLS: set message header ? */
  1379. msg_len = s->init_num - DTLS1_HM_HEADER_LENGTH;
  1380. dtls1_set_message_header(s, (void *)s->init_buf->data,
  1381. SSL3_MT_NEWSESSION_TICKET, msg_len, 0, msg_len);
  1382. /* buffer the message to handle re-xmits */
  1383. dtls1_buffer_message(s, 0);
  1384. }
  1385. /* SSL3_ST_SW_SESSION_TICKET_B */
  1386. return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
  1387. }
  1388. #endif