d1_clnt.c 39 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535
  1. /* ssl/d1_clnt.c */
  2. /*
  3. * DTLS implementation written by Nagendra Modadugu
  4. * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
  5. */
  6. /* ====================================================================
  7. * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
  8. *
  9. * Redistribution and use in source and binary forms, with or without
  10. * modification, are permitted provided that the following conditions
  11. * are met:
  12. *
  13. * 1. Redistributions of source code must retain the above copyright
  14. * notice, this list of conditions and the following disclaimer.
  15. *
  16. * 2. Redistributions in binary form must reproduce the above copyright
  17. * notice, this list of conditions and the following disclaimer in
  18. * the documentation and/or other materials provided with the
  19. * distribution.
  20. *
  21. * 3. All advertising materials mentioning features or use of this
  22. * software must display the following acknowledgment:
  23. * "This product includes software developed by the OpenSSL Project
  24. * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  25. *
  26. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  27. * endorse or promote products derived from this software without
  28. * prior written permission. For written permission, please contact
  29. * openssl-core@OpenSSL.org.
  30. *
  31. * 5. Products derived from this software may not be called "OpenSSL"
  32. * nor may "OpenSSL" appear in their names without prior written
  33. * permission of the OpenSSL Project.
  34. *
  35. * 6. Redistributions of any form whatsoever must retain the following
  36. * acknowledgment:
  37. * "This product includes software developed by the OpenSSL Project
  38. * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  39. *
  40. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  41. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  42. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  43. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  44. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  45. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  46. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  47. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  49. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  50. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  51. * OF THE POSSIBILITY OF SUCH DAMAGE.
  52. * ====================================================================
  53. *
  54. * This product includes cryptographic software written by Eric Young
  55. * (eay@cryptsoft.com). This product includes software written by Tim
  56. * Hudson (tjh@cryptsoft.com).
  57. *
  58. */
  59. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  60. * All rights reserved.
  61. *
  62. * This package is an SSL implementation written
  63. * by Eric Young (eay@cryptsoft.com).
  64. * The implementation was written so as to conform with Netscapes SSL.
  65. *
  66. * This library is free for commercial and non-commercial use as long as
  67. * the following conditions are aheared to. The following conditions
  68. * apply to all code found in this distribution, be it the RC4, RSA,
  69. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  70. * included with this distribution is covered by the same copyright terms
  71. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  72. *
  73. * Copyright remains Eric Young's, and as such any Copyright notices in
  74. * the code are not to be removed.
  75. * If this package is used in a product, Eric Young should be given attribution
  76. * as the author of the parts of the library used.
  77. * This can be in the form of a textual message at program startup or
  78. * in documentation (online or textual) provided with the package.
  79. *
  80. * Redistribution and use in source and binary forms, with or without
  81. * modification, are permitted provided that the following conditions
  82. * are met:
  83. * 1. Redistributions of source code must retain the copyright
  84. * notice, this list of conditions and the following disclaimer.
  85. * 2. Redistributions in binary form must reproduce the above copyright
  86. * notice, this list of conditions and the following disclaimer in the
  87. * documentation and/or other materials provided with the distribution.
  88. * 3. All advertising materials mentioning features or use of this software
  89. * must display the following acknowledgement:
  90. * "This product includes cryptographic software written by
  91. * Eric Young (eay@cryptsoft.com)"
  92. * The word 'cryptographic' can be left out if the rouines from the library
  93. * being used are not cryptographic related :-).
  94. * 4. If you include any Windows specific code (or a derivative thereof) from
  95. * the apps directory (application code) you must include an acknowledgement:
  96. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  97. *
  98. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  99. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  100. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  101. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  102. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  103. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  104. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  105. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  106. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  107. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  108. * SUCH DAMAGE.
  109. *
  110. * The licence and distribution terms for any publically available version or
  111. * derivative of this code cannot be changed. i.e. this code cannot simply be
  112. * copied and put under another distribution licence
  113. * [including the GNU Public Licence.]
  114. */
  115. #include <stdio.h>
  116. #include "ssl_locl.h"
  117. #ifndef OPENSSL_NO_KRB5
  118. #include "kssl_lcl.h"
  119. #endif
  120. #include <openssl/buffer.h>
  121. #include <openssl/rand.h>
  122. #include <openssl/objects.h>
  123. #include <openssl/evp.h>
  124. #include <openssl/md5.h>
  125. #include <openssl/bn.h>
  126. #ifndef OPENSSL_NO_DH
  127. #include <openssl/dh.h>
  128. #endif
  129. static const SSL_METHOD *dtls1_get_client_method(int ver);
  130. static int dtls1_get_hello_verify(SSL *s);
  131. static const SSL_METHOD *dtls1_get_client_method(int ver)
  132. {
  133. if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
  134. return(DTLSv1_client_method());
  135. else
  136. return(NULL);
  137. }
  138. IMPLEMENT_dtls1_meth_func(DTLSv1_client_method,
  139. ssl_undefined_function,
  140. dtls1_connect,
  141. dtls1_get_client_method)
  142. int dtls1_connect(SSL *s)
  143. {
  144. BUF_MEM *buf=NULL;
  145. unsigned long Time=(unsigned long)time(NULL);
  146. void (*cb)(const SSL *ssl,int type,int val)=NULL;
  147. int ret= -1;
  148. int new_state,state,skip=0;;
  149. RAND_add(&Time,sizeof(Time),0);
  150. ERR_clear_error();
  151. clear_sys_error();
  152. if (s->info_callback != NULL)
  153. cb=s->info_callback;
  154. else if (s->ctx->info_callback != NULL)
  155. cb=s->ctx->info_callback;
  156. s->in_handshake++;
  157. if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
  158. for (;;)
  159. {
  160. state=s->state;
  161. switch(s->state)
  162. {
  163. case SSL_ST_RENEGOTIATE:
  164. s->renegotiate=1;
  165. s->state=SSL_ST_CONNECT;
  166. s->ctx->stats.sess_connect_renegotiate++;
  167. /* break */
  168. case SSL_ST_BEFORE:
  169. case SSL_ST_CONNECT:
  170. case SSL_ST_BEFORE|SSL_ST_CONNECT:
  171. case SSL_ST_OK|SSL_ST_CONNECT:
  172. s->server=0;
  173. if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
  174. if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00) &&
  175. (s->version & 0xff00 ) != (DTLS1_BAD_VER & 0xff00))
  176. {
  177. SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR);
  178. ret = -1;
  179. goto end;
  180. }
  181. /* s->version=SSL3_VERSION; */
  182. s->type=SSL_ST_CONNECT;
  183. if (s->init_buf == NULL)
  184. {
  185. if ((buf=BUF_MEM_new()) == NULL)
  186. {
  187. ret= -1;
  188. goto end;
  189. }
  190. if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
  191. {
  192. ret= -1;
  193. goto end;
  194. }
  195. s->init_buf=buf;
  196. buf=NULL;
  197. }
  198. if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
  199. /* setup buffing BIO */
  200. if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
  201. /* don't push the buffering BIO quite yet */
  202. s->state=SSL3_ST_CW_CLNT_HELLO_A;
  203. s->ctx->stats.sess_connect++;
  204. s->init_num=0;
  205. /* mark client_random uninitialized */
  206. memset(s->s3->client_random,0,sizeof(s->s3->client_random));
  207. s->d1->send_cookie = 0;
  208. s->hit = 0;
  209. break;
  210. case SSL3_ST_CW_CLNT_HELLO_A:
  211. case SSL3_ST_CW_CLNT_HELLO_B:
  212. s->shutdown=0;
  213. /* every DTLS ClientHello resets Finished MAC */
  214. ssl3_init_finished_mac(s);
  215. dtls1_start_timer(s);
  216. ret=dtls1_client_hello(s);
  217. if (ret <= 0) goto end;
  218. if ( s->d1->send_cookie)
  219. {
  220. s->state=SSL3_ST_CW_FLUSH;
  221. s->s3->tmp.next_state=SSL3_ST_CR_SRVR_HELLO_A;
  222. }
  223. else
  224. s->state=SSL3_ST_CR_SRVR_HELLO_A;
  225. s->init_num=0;
  226. /* turn on buffering for the next lot of output */
  227. if (s->bbio != s->wbio)
  228. s->wbio=BIO_push(s->bbio,s->wbio);
  229. break;
  230. case SSL3_ST_CR_SRVR_HELLO_A:
  231. case SSL3_ST_CR_SRVR_HELLO_B:
  232. ret=ssl3_get_server_hello(s);
  233. if (ret <= 0) goto end;
  234. else
  235. {
  236. dtls1_stop_timer(s);
  237. if (s->hit)
  238. s->state=SSL3_ST_CR_FINISHED_A;
  239. else
  240. s->state=DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
  241. }
  242. s->init_num=0;
  243. break;
  244. case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
  245. case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B:
  246. ret = dtls1_get_hello_verify(s);
  247. if ( ret <= 0)
  248. goto end;
  249. dtls1_stop_timer(s);
  250. if ( s->d1->send_cookie) /* start again, with a cookie */
  251. s->state=SSL3_ST_CW_CLNT_HELLO_A;
  252. else
  253. s->state = SSL3_ST_CR_CERT_A;
  254. s->init_num = 0;
  255. break;
  256. case SSL3_ST_CR_CERT_A:
  257. case SSL3_ST_CR_CERT_B:
  258. #ifndef OPENSSL_NO_TLSEXT
  259. ret=ssl3_check_finished(s);
  260. if (ret <= 0) goto end;
  261. if (ret == 2)
  262. {
  263. s->hit = 1;
  264. if (s->tlsext_ticket_expected)
  265. s->state=SSL3_ST_CR_SESSION_TICKET_A;
  266. else
  267. s->state=SSL3_ST_CR_FINISHED_A;
  268. s->init_num=0;
  269. break;
  270. }
  271. #endif
  272. /* Check if it is anon DH or PSK */
  273. if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
  274. !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
  275. {
  276. ret=ssl3_get_server_certificate(s);
  277. if (ret <= 0) goto end;
  278. #ifndef OPENSSL_NO_TLSEXT
  279. if (s->tlsext_status_expected)
  280. s->state=SSL3_ST_CR_CERT_STATUS_A;
  281. else
  282. s->state=SSL3_ST_CR_KEY_EXCH_A;
  283. }
  284. else
  285. {
  286. skip = 1;
  287. s->state=SSL3_ST_CR_KEY_EXCH_A;
  288. }
  289. #else
  290. }
  291. else
  292. skip=1;
  293. s->state=SSL3_ST_CR_KEY_EXCH_A;
  294. #endif
  295. s->init_num=0;
  296. break;
  297. case SSL3_ST_CR_KEY_EXCH_A:
  298. case SSL3_ST_CR_KEY_EXCH_B:
  299. ret=ssl3_get_key_exchange(s);
  300. if (ret <= 0) goto end;
  301. s->state=SSL3_ST_CR_CERT_REQ_A;
  302. s->init_num=0;
  303. /* at this point we check that we have the
  304. * required stuff from the server */
  305. if (!ssl3_check_cert_and_algorithm(s))
  306. {
  307. ret= -1;
  308. goto end;
  309. }
  310. break;
  311. case SSL3_ST_CR_CERT_REQ_A:
  312. case SSL3_ST_CR_CERT_REQ_B:
  313. ret=ssl3_get_certificate_request(s);
  314. if (ret <= 0) goto end;
  315. s->state=SSL3_ST_CR_SRVR_DONE_A;
  316. s->init_num=0;
  317. break;
  318. case SSL3_ST_CR_SRVR_DONE_A:
  319. case SSL3_ST_CR_SRVR_DONE_B:
  320. ret=ssl3_get_server_done(s);
  321. if (ret <= 0) goto end;
  322. if (s->s3->tmp.cert_req)
  323. s->state=SSL3_ST_CW_CERT_A;
  324. else
  325. s->state=SSL3_ST_CW_KEY_EXCH_A;
  326. s->init_num=0;
  327. break;
  328. case SSL3_ST_CW_CERT_A:
  329. case SSL3_ST_CW_CERT_B:
  330. case SSL3_ST_CW_CERT_C:
  331. case SSL3_ST_CW_CERT_D:
  332. dtls1_start_timer(s);
  333. ret=dtls1_send_client_certificate(s);
  334. if (ret <= 0) goto end;
  335. s->state=SSL3_ST_CW_KEY_EXCH_A;
  336. s->init_num=0;
  337. break;
  338. case SSL3_ST_CW_KEY_EXCH_A:
  339. case SSL3_ST_CW_KEY_EXCH_B:
  340. dtls1_start_timer(s);
  341. ret=dtls1_send_client_key_exchange(s);
  342. if (ret <= 0) goto end;
  343. /* EAY EAY EAY need to check for DH fix cert
  344. * sent back */
  345. /* For TLS, cert_req is set to 2, so a cert chain
  346. * of nothing is sent, but no verify packet is sent */
  347. if (s->s3->tmp.cert_req == 1)
  348. {
  349. s->state=SSL3_ST_CW_CERT_VRFY_A;
  350. }
  351. else
  352. {
  353. s->state=SSL3_ST_CW_CHANGE_A;
  354. s->s3->change_cipher_spec=0;
  355. }
  356. s->init_num=0;
  357. break;
  358. case SSL3_ST_CW_CERT_VRFY_A:
  359. case SSL3_ST_CW_CERT_VRFY_B:
  360. dtls1_start_timer(s);
  361. ret=dtls1_send_client_verify(s);
  362. if (ret <= 0) goto end;
  363. s->state=SSL3_ST_CW_CHANGE_A;
  364. s->init_num=0;
  365. s->s3->change_cipher_spec=0;
  366. break;
  367. case SSL3_ST_CW_CHANGE_A:
  368. case SSL3_ST_CW_CHANGE_B:
  369. dtls1_start_timer(s);
  370. ret=dtls1_send_change_cipher_spec(s,
  371. SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
  372. if (ret <= 0) goto end;
  373. s->state=SSL3_ST_CW_FINISHED_A;
  374. s->init_num=0;
  375. s->session->cipher=s->s3->tmp.new_cipher;
  376. #ifdef OPENSSL_NO_COMP
  377. s->session->compress_meth=0;
  378. #else
  379. if (s->s3->tmp.new_compression == NULL)
  380. s->session->compress_meth=0;
  381. else
  382. s->session->compress_meth=
  383. s->s3->tmp.new_compression->id;
  384. #endif
  385. if (!s->method->ssl3_enc->setup_key_block(s))
  386. {
  387. ret= -1;
  388. goto end;
  389. }
  390. if (!s->method->ssl3_enc->change_cipher_state(s,
  391. SSL3_CHANGE_CIPHER_CLIENT_WRITE))
  392. {
  393. ret= -1;
  394. goto end;
  395. }
  396. dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
  397. break;
  398. case SSL3_ST_CW_FINISHED_A:
  399. case SSL3_ST_CW_FINISHED_B:
  400. dtls1_start_timer(s);
  401. ret=dtls1_send_finished(s,
  402. SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
  403. s->method->ssl3_enc->client_finished_label,
  404. s->method->ssl3_enc->client_finished_label_len);
  405. if (ret <= 0) goto end;
  406. s->state=SSL3_ST_CW_FLUSH;
  407. /* clear flags */
  408. s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
  409. if (s->hit)
  410. {
  411. s->s3->tmp.next_state=SSL_ST_OK;
  412. if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
  413. {
  414. s->state=SSL_ST_OK;
  415. s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
  416. s->s3->delay_buf_pop_ret=0;
  417. }
  418. }
  419. else
  420. {
  421. #ifndef OPENSSL_NO_TLSEXT
  422. /* Allow NewSessionTicket if ticket expected */
  423. if (s->tlsext_ticket_expected)
  424. s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A;
  425. else
  426. #endif
  427. s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
  428. }
  429. s->init_num=0;
  430. break;
  431. #ifndef OPENSSL_NO_TLSEXT
  432. case SSL3_ST_CR_SESSION_TICKET_A:
  433. case SSL3_ST_CR_SESSION_TICKET_B:
  434. ret=ssl3_get_new_session_ticket(s);
  435. if (ret <= 0) goto end;
  436. s->state=SSL3_ST_CR_FINISHED_A;
  437. s->init_num=0;
  438. break;
  439. case SSL3_ST_CR_CERT_STATUS_A:
  440. case SSL3_ST_CR_CERT_STATUS_B:
  441. ret=ssl3_get_cert_status(s);
  442. if (ret <= 0) goto end;
  443. s->state=SSL3_ST_CR_KEY_EXCH_A;
  444. s->init_num=0;
  445. break;
  446. #endif
  447. case SSL3_ST_CR_FINISHED_A:
  448. case SSL3_ST_CR_FINISHED_B:
  449. s->d1->change_cipher_spec_ok = 1;
  450. ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
  451. SSL3_ST_CR_FINISHED_B);
  452. if (ret <= 0) goto end;
  453. dtls1_stop_timer(s);
  454. if (s->hit)
  455. s->state=SSL3_ST_CW_CHANGE_A;
  456. else
  457. s->state=SSL_ST_OK;
  458. s->init_num=0;
  459. break;
  460. case SSL3_ST_CW_FLUSH:
  461. s->rwstate=SSL_WRITING;
  462. if (BIO_flush(s->wbio) <= 0)
  463. {
  464. ret= -1;
  465. goto end;
  466. }
  467. s->rwstate=SSL_NOTHING;
  468. s->state=s->s3->tmp.next_state;
  469. break;
  470. case SSL_ST_OK:
  471. /* clean a few things up */
  472. ssl3_cleanup_key_block(s);
  473. #if 0
  474. if (s->init_buf != NULL)
  475. {
  476. BUF_MEM_free(s->init_buf);
  477. s->init_buf=NULL;
  478. }
  479. #endif
  480. /* If we are not 'joining' the last two packets,
  481. * remove the buffering now */
  482. if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
  483. ssl_free_wbio_buffer(s);
  484. /* else do it later in ssl3_write */
  485. s->init_num=0;
  486. s->renegotiate=0;
  487. s->new_session=0;
  488. ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
  489. if (s->hit) s->ctx->stats.sess_hit++;
  490. ret=1;
  491. /* s->server=0; */
  492. s->handshake_func=dtls1_connect;
  493. s->ctx->stats.sess_connect_good++;
  494. if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
  495. /* done with handshaking */
  496. s->d1->handshake_read_seq = 0;
  497. s->d1->next_handshake_write_seq = 0;
  498. goto end;
  499. /* break; */
  500. default:
  501. SSLerr(SSL_F_DTLS1_CONNECT,SSL_R_UNKNOWN_STATE);
  502. ret= -1;
  503. goto end;
  504. /* break; */
  505. }
  506. /* did we do anything */
  507. if (!s->s3->tmp.reuse_message && !skip)
  508. {
  509. if (s->debug)
  510. {
  511. if ((ret=BIO_flush(s->wbio)) <= 0)
  512. goto end;
  513. }
  514. if ((cb != NULL) && (s->state != state))
  515. {
  516. new_state=s->state;
  517. s->state=state;
  518. cb(s,SSL_CB_CONNECT_LOOP,1);
  519. s->state=new_state;
  520. }
  521. }
  522. skip=0;
  523. }
  524. end:
  525. s->in_handshake--;
  526. if (buf != NULL)
  527. BUF_MEM_free(buf);
  528. if (cb != NULL)
  529. cb(s,SSL_CB_CONNECT_EXIT,ret);
  530. return(ret);
  531. }
  532. int dtls1_client_hello(SSL *s)
  533. {
  534. unsigned char *buf;
  535. unsigned char *p,*d;
  536. unsigned int i,j;
  537. unsigned long Time,l;
  538. SSL_COMP *comp;
  539. buf=(unsigned char *)s->init_buf->data;
  540. if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
  541. {
  542. SSL_SESSION *sess = s->session;
  543. if ((s->session == NULL) ||
  544. (s->session->ssl_version != s->version) ||
  545. #ifdef OPENSSL_NO_TLSEXT
  546. !sess->session_id_length ||
  547. #else
  548. (!sess->session_id_length && !sess->tlsext_tick) ||
  549. #endif
  550. (s->session->not_resumable))
  551. {
  552. if (!ssl_get_new_session(s,0))
  553. goto err;
  554. }
  555. /* else use the pre-loaded session */
  556. p=s->s3->client_random;
  557. /* if client_random is initialized, reuse it, we are
  558. * required to use same upon reply to HelloVerify */
  559. for (i=0;p[i]=='\0' && i<sizeof(s->s3->client_random);i++) ;
  560. if (i==sizeof(s->s3->client_random))
  561. {
  562. Time=(unsigned long)time(NULL); /* Time */
  563. l2n(Time,p);
  564. RAND_pseudo_bytes(p,sizeof(s->s3->client_random)-4);
  565. }
  566. /* Do the message type and length last */
  567. d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
  568. *(p++)=s->version>>8;
  569. *(p++)=s->version&0xff;
  570. s->client_version=s->version;
  571. /* Random stuff */
  572. memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
  573. p+=SSL3_RANDOM_SIZE;
  574. /* Session ID */
  575. if (s->new_session)
  576. i=0;
  577. else
  578. i=s->session->session_id_length;
  579. *(p++)=i;
  580. if (i != 0)
  581. {
  582. if (i > sizeof s->session->session_id)
  583. {
  584. SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
  585. goto err;
  586. }
  587. memcpy(p,s->session->session_id,i);
  588. p+=i;
  589. }
  590. /* cookie stuff */
  591. if ( s->d1->cookie_len > sizeof(s->d1->cookie))
  592. {
  593. SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
  594. goto err;
  595. }
  596. *(p++) = s->d1->cookie_len;
  597. memcpy(p, s->d1->cookie, s->d1->cookie_len);
  598. p += s->d1->cookie_len;
  599. /* Ciphers supported */
  600. i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0);
  601. if (i == 0)
  602. {
  603. SSLerr(SSL_F_DTLS1_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
  604. goto err;
  605. }
  606. s2n(i,p);
  607. p+=i;
  608. /* COMPRESSION */
  609. if (s->ctx->comp_methods == NULL)
  610. j=0;
  611. else
  612. j=sk_SSL_COMP_num(s->ctx->comp_methods);
  613. *(p++)=1+j;
  614. for (i=0; i<j; i++)
  615. {
  616. comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
  617. *(p++)=comp->id;
  618. }
  619. *(p++)=0; /* Add the NULL method */
  620. #ifndef OPENSSL_NO_TLSEXT
  621. if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
  622. {
  623. SSLerr(SSL_F_DTLS1_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
  624. goto err;
  625. }
  626. #endif
  627. l=(p-d);
  628. d=buf;
  629. d = dtls1_set_message_header(s, d, SSL3_MT_CLIENT_HELLO, l, 0, l);
  630. s->state=SSL3_ST_CW_CLNT_HELLO_B;
  631. /* number of bytes to write */
  632. s->init_num=p-buf;
  633. s->init_off=0;
  634. /* buffer the message to handle re-xmits */
  635. dtls1_buffer_message(s, 0);
  636. }
  637. /* SSL3_ST_CW_CLNT_HELLO_B */
  638. return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
  639. err:
  640. return(-1);
  641. }
  642. static int dtls1_get_hello_verify(SSL *s)
  643. {
  644. int n, al, ok = 0;
  645. unsigned char *data;
  646. unsigned int cookie_len;
  647. n=s->method->ssl_get_message(s,
  648. DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A,
  649. DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B,
  650. -1,
  651. s->max_cert_list,
  652. &ok);
  653. if (!ok) return((int)n);
  654. if (s->s3->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST)
  655. {
  656. s->d1->send_cookie = 0;
  657. s->s3->tmp.reuse_message=1;
  658. return(1);
  659. }
  660. data = (unsigned char *)s->init_msg;
  661. if ((data[0] != (s->version>>8)) || (data[1] != (s->version&0xff)))
  662. {
  663. SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY,SSL_R_WRONG_SSL_VERSION);
  664. s->version=(s->version&0xff00)|data[1];
  665. al = SSL_AD_PROTOCOL_VERSION;
  666. goto f_err;
  667. }
  668. data+=2;
  669. cookie_len = *(data++);
  670. if ( cookie_len > sizeof(s->d1->cookie))
  671. {
  672. al=SSL_AD_ILLEGAL_PARAMETER;
  673. goto f_err;
  674. }
  675. memcpy(s->d1->cookie, data, cookie_len);
  676. s->d1->cookie_len = cookie_len;
  677. s->d1->send_cookie = 1;
  678. return 1;
  679. f_err:
  680. ssl3_send_alert(s, SSL3_AL_FATAL, al);
  681. return -1;
  682. }
  683. int dtls1_send_client_key_exchange(SSL *s)
  684. {
  685. unsigned char *p,*d;
  686. int n;
  687. unsigned long alg_k;
  688. #ifndef OPENSSL_NO_RSA
  689. unsigned char *q;
  690. EVP_PKEY *pkey=NULL;
  691. #endif
  692. #ifndef OPENSSL_NO_KRB5
  693. KSSL_ERR kssl_err;
  694. #endif /* OPENSSL_NO_KRB5 */
  695. #ifndef OPENSSL_NO_ECDH
  696. EC_KEY *clnt_ecdh = NULL;
  697. const EC_POINT *srvr_ecpoint = NULL;
  698. EVP_PKEY *srvr_pub_pkey = NULL;
  699. unsigned char *encodedPoint = NULL;
  700. int encoded_pt_len = 0;
  701. BN_CTX * bn_ctx = NULL;
  702. #endif
  703. if (s->state == SSL3_ST_CW_KEY_EXCH_A)
  704. {
  705. d=(unsigned char *)s->init_buf->data;
  706. p= &(d[DTLS1_HM_HEADER_LENGTH]);
  707. alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
  708. /* Fool emacs indentation */
  709. if (0) {}
  710. #ifndef OPENSSL_NO_RSA
  711. else if (alg_k & SSL_kRSA)
  712. {
  713. RSA *rsa;
  714. unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
  715. if (s->session->sess_cert->peer_rsa_tmp != NULL)
  716. rsa=s->session->sess_cert->peer_rsa_tmp;
  717. else
  718. {
  719. pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
  720. if ((pkey == NULL) ||
  721. (pkey->type != EVP_PKEY_RSA) ||
  722. (pkey->pkey.rsa == NULL))
  723. {
  724. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
  725. goto err;
  726. }
  727. rsa=pkey->pkey.rsa;
  728. EVP_PKEY_free(pkey);
  729. }
  730. tmp_buf[0]=s->client_version>>8;
  731. tmp_buf[1]=s->client_version&0xff;
  732. if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
  733. goto err;
  734. s->session->master_key_length=sizeof tmp_buf;
  735. q=p;
  736. /* Fix buf for TLS and [incidentally] DTLS */
  737. if (s->version > SSL3_VERSION)
  738. p+=2;
  739. n=RSA_public_encrypt(sizeof tmp_buf,
  740. tmp_buf,p,rsa,RSA_PKCS1_PADDING);
  741. #ifdef PKCS1_CHECK
  742. if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
  743. if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70;
  744. #endif
  745. if (n <= 0)
  746. {
  747. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
  748. goto err;
  749. }
  750. /* Fix buf for TLS and [incidentally] DTLS */
  751. if (s->version > SSL3_VERSION)
  752. {
  753. s2n(n,q);
  754. n+=2;
  755. }
  756. s->session->master_key_length=
  757. s->method->ssl3_enc->generate_master_secret(s,
  758. s->session->master_key,
  759. tmp_buf,sizeof tmp_buf);
  760. OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
  761. }
  762. #endif
  763. #ifndef OPENSSL_NO_KRB5
  764. else if (alg_k & SSL_kKRB5)
  765. {
  766. krb5_error_code krb5rc;
  767. KSSL_CTX *kssl_ctx = s->kssl_ctx;
  768. /* krb5_data krb5_ap_req; */
  769. krb5_data *enc_ticket;
  770. krb5_data authenticator, *authp = NULL;
  771. EVP_CIPHER_CTX ciph_ctx;
  772. const EVP_CIPHER *enc = NULL;
  773. unsigned char iv[EVP_MAX_IV_LENGTH];
  774. unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
  775. unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH
  776. + EVP_MAX_IV_LENGTH];
  777. int padl, outl = sizeof(epms);
  778. EVP_CIPHER_CTX_init(&ciph_ctx);
  779. #ifdef KSSL_DEBUG
  780. printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
  781. alg_k, SSL_kKRB5);
  782. #endif /* KSSL_DEBUG */
  783. authp = NULL;
  784. #ifdef KRB5SENDAUTH
  785. if (KRB5SENDAUTH) authp = &authenticator;
  786. #endif /* KRB5SENDAUTH */
  787. krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp,
  788. &kssl_err);
  789. enc = kssl_map_enc(kssl_ctx->enctype);
  790. if (enc == NULL)
  791. goto err;
  792. #ifdef KSSL_DEBUG
  793. {
  794. printf("kssl_cget_tkt rtn %d\n", krb5rc);
  795. if (krb5rc && kssl_err.text)
  796. printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
  797. }
  798. #endif /* KSSL_DEBUG */
  799. if (krb5rc)
  800. {
  801. ssl3_send_alert(s,SSL3_AL_FATAL,
  802. SSL_AD_HANDSHAKE_FAILURE);
  803. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
  804. kssl_err.reason);
  805. goto err;
  806. }
  807. /* 20010406 VRS - Earlier versions used KRB5 AP_REQ
  808. ** in place of RFC 2712 KerberosWrapper, as in:
  809. **
  810. ** Send ticket (copy to *p, set n = length)
  811. ** n = krb5_ap_req.length;
  812. ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
  813. ** if (krb5_ap_req.data)
  814. ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
  815. **
  816. ** Now using real RFC 2712 KerberosWrapper
  817. ** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
  818. ** Note: 2712 "opaque" types are here replaced
  819. ** with a 2-byte length followed by the value.
  820. ** Example:
  821. ** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
  822. ** Where "xx xx" = length bytes. Shown here with
  823. ** optional authenticator omitted.
  824. */
  825. /* KerberosWrapper.Ticket */
  826. s2n(enc_ticket->length,p);
  827. memcpy(p, enc_ticket->data, enc_ticket->length);
  828. p+= enc_ticket->length;
  829. n = enc_ticket->length + 2;
  830. /* KerberosWrapper.Authenticator */
  831. if (authp && authp->length)
  832. {
  833. s2n(authp->length,p);
  834. memcpy(p, authp->data, authp->length);
  835. p+= authp->length;
  836. n+= authp->length + 2;
  837. free(authp->data);
  838. authp->data = NULL;
  839. authp->length = 0;
  840. }
  841. else
  842. {
  843. s2n(0,p);/* null authenticator length */
  844. n+=2;
  845. }
  846. if (RAND_bytes(tmp_buf,sizeof tmp_buf) <= 0)
  847. goto err;
  848. /* 20010420 VRS. Tried it this way; failed.
  849. ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
  850. ** EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
  851. ** kssl_ctx->length);
  852. ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
  853. */
  854. memset(iv, 0, sizeof iv); /* per RFC 1510 */
  855. EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,
  856. kssl_ctx->key,iv);
  857. EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf,
  858. sizeof tmp_buf);
  859. EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl);
  860. outl += padl;
  861. if (outl > (int)sizeof epms)
  862. {
  863. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
  864. goto err;
  865. }
  866. EVP_CIPHER_CTX_cleanup(&ciph_ctx);
  867. /* KerberosWrapper.EncryptedPreMasterSecret */
  868. s2n(outl,p);
  869. memcpy(p, epms, outl);
  870. p+=outl;
  871. n+=outl + 2;
  872. s->session->master_key_length=
  873. s->method->ssl3_enc->generate_master_secret(s,
  874. s->session->master_key,
  875. tmp_buf, sizeof tmp_buf);
  876. OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
  877. OPENSSL_cleanse(epms, outl);
  878. }
  879. #endif
  880. #ifndef OPENSSL_NO_DH
  881. else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
  882. {
  883. DH *dh_srvr,*dh_clnt;
  884. if (s->session->sess_cert->peer_dh_tmp != NULL)
  885. dh_srvr=s->session->sess_cert->peer_dh_tmp;
  886. else
  887. {
  888. /* we get them from the cert */
  889. ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
  890. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
  891. goto err;
  892. }
  893. /* generate a new random key */
  894. if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
  895. {
  896. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
  897. goto err;
  898. }
  899. if (!DH_generate_key(dh_clnt))
  900. {
  901. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
  902. goto err;
  903. }
  904. /* use the 'p' output buffer for the DH key, but
  905. * make sure to clear it out afterwards */
  906. n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt);
  907. if (n <= 0)
  908. {
  909. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
  910. goto err;
  911. }
  912. /* generate master key from the result */
  913. s->session->master_key_length=
  914. s->method->ssl3_enc->generate_master_secret(s,
  915. s->session->master_key,p,n);
  916. /* clean up */
  917. memset(p,0,n);
  918. /* send off the data */
  919. n=BN_num_bytes(dh_clnt->pub_key);
  920. s2n(n,p);
  921. BN_bn2bin(dh_clnt->pub_key,p);
  922. n+=2;
  923. DH_free(dh_clnt);
  924. /* perhaps clean things up a bit EAY EAY EAY EAY*/
  925. }
  926. #endif
  927. #ifndef OPENSSL_NO_ECDH
  928. else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe))
  929. {
  930. const EC_GROUP *srvr_group = NULL;
  931. EC_KEY *tkey;
  932. int ecdh_clnt_cert = 0;
  933. int field_size = 0;
  934. /* Did we send out the client's
  935. * ECDH share for use in premaster
  936. * computation as part of client certificate?
  937. * If so, set ecdh_clnt_cert to 1.
  938. */
  939. if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL))
  940. {
  941. /* XXX: For now, we do not support client
  942. * authentication using ECDH certificates.
  943. * To add such support, one needs to add
  944. * code that checks for appropriate
  945. * conditions and sets ecdh_clnt_cert to 1.
  946. * For example, the cert have an ECC
  947. * key on the same curve as the server's
  948. * and the key should be authorized for
  949. * key agreement.
  950. *
  951. * One also needs to add code in ssl3_connect
  952. * to skip sending the certificate verify
  953. * message.
  954. *
  955. * if ((s->cert->key->privatekey != NULL) &&
  956. * (s->cert->key->privatekey->type ==
  957. * EVP_PKEY_EC) && ...)
  958. * ecdh_clnt_cert = 1;
  959. */
  960. }
  961. if (s->session->sess_cert->peer_ecdh_tmp != NULL)
  962. {
  963. tkey = s->session->sess_cert->peer_ecdh_tmp;
  964. }
  965. else
  966. {
  967. /* Get the Server Public Key from Cert */
  968. srvr_pub_pkey = X509_get_pubkey(s->session-> \
  969. sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
  970. if ((srvr_pub_pkey == NULL) ||
  971. (srvr_pub_pkey->type != EVP_PKEY_EC) ||
  972. (srvr_pub_pkey->pkey.ec == NULL))
  973. {
  974. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
  975. ERR_R_INTERNAL_ERROR);
  976. goto err;
  977. }
  978. tkey = srvr_pub_pkey->pkey.ec;
  979. }
  980. srvr_group = EC_KEY_get0_group(tkey);
  981. srvr_ecpoint = EC_KEY_get0_public_key(tkey);
  982. if ((srvr_group == NULL) || (srvr_ecpoint == NULL))
  983. {
  984. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
  985. ERR_R_INTERNAL_ERROR);
  986. goto err;
  987. }
  988. if ((clnt_ecdh=EC_KEY_new()) == NULL)
  989. {
  990. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
  991. goto err;
  992. }
  993. if (!EC_KEY_set_group(clnt_ecdh, srvr_group))
  994. {
  995. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
  996. goto err;
  997. }
  998. if (ecdh_clnt_cert)
  999. {
  1000. /* Reuse key info from our certificate
  1001. * We only need our private key to perform
  1002. * the ECDH computation.
  1003. */
  1004. const BIGNUM *priv_key;
  1005. tkey = s->cert->key->privatekey->pkey.ec;
  1006. priv_key = EC_KEY_get0_private_key(tkey);
  1007. if (priv_key == NULL)
  1008. {
  1009. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
  1010. goto err;
  1011. }
  1012. if (!EC_KEY_set_private_key(clnt_ecdh, priv_key))
  1013. {
  1014. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
  1015. goto err;
  1016. }
  1017. }
  1018. else
  1019. {
  1020. /* Generate a new ECDH key pair */
  1021. if (!(EC_KEY_generate_key(clnt_ecdh)))
  1022. {
  1023. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
  1024. goto err;
  1025. }
  1026. }
  1027. /* use the 'p' output buffer for the ECDH key, but
  1028. * make sure to clear it out afterwards
  1029. */
  1030. field_size = EC_GROUP_get_degree(srvr_group);
  1031. if (field_size <= 0)
  1032. {
  1033. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
  1034. ERR_R_ECDH_LIB);
  1035. goto err;
  1036. }
  1037. n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL);
  1038. if (n <= 0)
  1039. {
  1040. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
  1041. ERR_R_ECDH_LIB);
  1042. goto err;
  1043. }
  1044. /* generate master key from the result */
  1045. s->session->master_key_length = s->method->ssl3_enc \
  1046. -> generate_master_secret(s,
  1047. s->session->master_key,
  1048. p, n);
  1049. memset(p, 0, n); /* clean up */
  1050. if (ecdh_clnt_cert)
  1051. {
  1052. /* Send empty client key exch message */
  1053. n = 0;
  1054. }
  1055. else
  1056. {
  1057. /* First check the size of encoding and
  1058. * allocate memory accordingly.
  1059. */
  1060. encoded_pt_len =
  1061. EC_POINT_point2oct(srvr_group,
  1062. EC_KEY_get0_public_key(clnt_ecdh),
  1063. POINT_CONVERSION_UNCOMPRESSED,
  1064. NULL, 0, NULL);
  1065. encodedPoint = (unsigned char *)
  1066. OPENSSL_malloc(encoded_pt_len *
  1067. sizeof(unsigned char));
  1068. bn_ctx = BN_CTX_new();
  1069. if ((encodedPoint == NULL) ||
  1070. (bn_ctx == NULL))
  1071. {
  1072. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
  1073. goto err;
  1074. }
  1075. /* Encode the public key */
  1076. n = EC_POINT_point2oct(srvr_group,
  1077. EC_KEY_get0_public_key(clnt_ecdh),
  1078. POINT_CONVERSION_UNCOMPRESSED,
  1079. encodedPoint, encoded_pt_len, bn_ctx);
  1080. *p = n; /* length of encoded point */
  1081. /* Encoded point will be copied here */
  1082. p += 1;
  1083. /* copy the point */
  1084. memcpy((unsigned char *)p, encodedPoint, n);
  1085. /* increment n to account for length field */
  1086. n += 1;
  1087. }
  1088. /* Free allocated memory */
  1089. BN_CTX_free(bn_ctx);
  1090. if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
  1091. if (clnt_ecdh != NULL)
  1092. EC_KEY_free(clnt_ecdh);
  1093. EVP_PKEY_free(srvr_pub_pkey);
  1094. }
  1095. #endif /* !OPENSSL_NO_ECDH */
  1096. #ifndef OPENSSL_NO_PSK
  1097. else if (alg_k & SSL_kPSK)
  1098. {
  1099. char identity[PSK_MAX_IDENTITY_LEN];
  1100. unsigned char *t = NULL;
  1101. unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4];
  1102. unsigned int pre_ms_len = 0, psk_len = 0;
  1103. int psk_err = 1;
  1104. n = 0;
  1105. if (s->psk_client_callback == NULL)
  1106. {
  1107. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
  1108. SSL_R_PSK_NO_CLIENT_CB);
  1109. goto err;
  1110. }
  1111. psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint,
  1112. identity, PSK_MAX_IDENTITY_LEN,
  1113. psk_or_pre_ms, sizeof(psk_or_pre_ms));
  1114. if (psk_len > PSK_MAX_PSK_LEN)
  1115. {
  1116. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
  1117. ERR_R_INTERNAL_ERROR);
  1118. goto psk_err;
  1119. }
  1120. else if (psk_len == 0)
  1121. {
  1122. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
  1123. SSL_R_PSK_IDENTITY_NOT_FOUND);
  1124. goto psk_err;
  1125. }
  1126. /* create PSK pre_master_secret */
  1127. pre_ms_len = 2+psk_len+2+psk_len;
  1128. t = psk_or_pre_ms;
  1129. memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len);
  1130. s2n(psk_len, t);
  1131. memset(t, 0, psk_len);
  1132. t+=psk_len;
  1133. s2n(psk_len, t);
  1134. if (s->session->psk_identity_hint != NULL)
  1135. OPENSSL_free(s->session->psk_identity_hint);
  1136. s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint);
  1137. if (s->ctx->psk_identity_hint != NULL &&
  1138. s->session->psk_identity_hint == NULL)
  1139. {
  1140. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
  1141. ERR_R_MALLOC_FAILURE);
  1142. goto psk_err;
  1143. }
  1144. if (s->session->psk_identity != NULL)
  1145. OPENSSL_free(s->session->psk_identity);
  1146. s->session->psk_identity = BUF_strdup(identity);
  1147. if (s->session->psk_identity == NULL)
  1148. {
  1149. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
  1150. ERR_R_MALLOC_FAILURE);
  1151. goto psk_err;
  1152. }
  1153. s->session->master_key_length =
  1154. s->method->ssl3_enc->generate_master_secret(s,
  1155. s->session->master_key,
  1156. psk_or_pre_ms, pre_ms_len);
  1157. n = strlen(identity);
  1158. s2n(n, p);
  1159. memcpy(p, identity, n);
  1160. n+=2;
  1161. psk_err = 0;
  1162. psk_err:
  1163. OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN);
  1164. OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
  1165. if (psk_err != 0)
  1166. {
  1167. ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
  1168. goto err;
  1169. }
  1170. }
  1171. #endif
  1172. else
  1173. {
  1174. ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
  1175. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
  1176. goto err;
  1177. }
  1178. d = dtls1_set_message_header(s, d,
  1179. SSL3_MT_CLIENT_KEY_EXCHANGE, n, 0, n);
  1180. /*
  1181. *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE;
  1182. l2n3(n,d);
  1183. l2n(s->d1->handshake_write_seq,d);
  1184. s->d1->handshake_write_seq++;
  1185. */
  1186. s->state=SSL3_ST_CW_KEY_EXCH_B;
  1187. /* number of bytes to write */
  1188. s->init_num=n+DTLS1_HM_HEADER_LENGTH;
  1189. s->init_off=0;
  1190. /* buffer the message to handle re-xmits */
  1191. dtls1_buffer_message(s, 0);
  1192. }
  1193. /* SSL3_ST_CW_KEY_EXCH_B */
  1194. return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
  1195. err:
  1196. #ifndef OPENSSL_NO_ECDH
  1197. BN_CTX_free(bn_ctx);
  1198. if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
  1199. if (clnt_ecdh != NULL)
  1200. EC_KEY_free(clnt_ecdh);
  1201. EVP_PKEY_free(srvr_pub_pkey);
  1202. #endif
  1203. return(-1);
  1204. }
  1205. int dtls1_send_client_verify(SSL *s)
  1206. {
  1207. unsigned char *p,*d;
  1208. unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
  1209. EVP_PKEY *pkey;
  1210. #ifndef OPENSSL_NO_RSA
  1211. unsigned u=0;
  1212. #endif
  1213. unsigned long n;
  1214. #if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
  1215. int j;
  1216. #endif
  1217. if (s->state == SSL3_ST_CW_CERT_VRFY_A)
  1218. {
  1219. d=(unsigned char *)s->init_buf->data;
  1220. p= &(d[DTLS1_HM_HEADER_LENGTH]);
  1221. pkey=s->cert->key->privatekey;
  1222. s->method->ssl3_enc->cert_verify_mac(s,
  1223. NID_sha1,
  1224. &(data[MD5_DIGEST_LENGTH]));
  1225. #ifndef OPENSSL_NO_RSA
  1226. if (pkey->type == EVP_PKEY_RSA)
  1227. {
  1228. s->method->ssl3_enc->cert_verify_mac(s,
  1229. NID_md5,
  1230. &(data[0]));
  1231. if (RSA_sign(NID_md5_sha1, data,
  1232. MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
  1233. &(p[2]), &u, pkey->pkey.rsa) <= 0 )
  1234. {
  1235. SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
  1236. goto err;
  1237. }
  1238. s2n(u,p);
  1239. n=u+2;
  1240. }
  1241. else
  1242. #endif
  1243. #ifndef OPENSSL_NO_DSA
  1244. if (pkey->type == EVP_PKEY_DSA)
  1245. {
  1246. if (!DSA_sign(pkey->save_type,
  1247. &(data[MD5_DIGEST_LENGTH]),
  1248. SHA_DIGEST_LENGTH,&(p[2]),
  1249. (unsigned int *)&j,pkey->pkey.dsa))
  1250. {
  1251. SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
  1252. goto err;
  1253. }
  1254. s2n(j,p);
  1255. n=j+2;
  1256. }
  1257. else
  1258. #endif
  1259. #ifndef OPENSSL_NO_ECDSA
  1260. if (pkey->type == EVP_PKEY_EC)
  1261. {
  1262. if (!ECDSA_sign(pkey->save_type,
  1263. &(data[MD5_DIGEST_LENGTH]),
  1264. SHA_DIGEST_LENGTH,&(p[2]),
  1265. (unsigned int *)&j,pkey->pkey.ec))
  1266. {
  1267. SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,
  1268. ERR_R_ECDSA_LIB);
  1269. goto err;
  1270. }
  1271. s2n(j,p);
  1272. n=j+2;
  1273. }
  1274. else
  1275. #endif
  1276. {
  1277. SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR);
  1278. goto err;
  1279. }
  1280. d = dtls1_set_message_header(s, d,
  1281. SSL3_MT_CERTIFICATE_VERIFY, n, 0, n) ;
  1282. s->init_num=(int)n+DTLS1_HM_HEADER_LENGTH;
  1283. s->init_off=0;
  1284. /* buffer the message to handle re-xmits */
  1285. dtls1_buffer_message(s, 0);
  1286. s->state = SSL3_ST_CW_CERT_VRFY_B;
  1287. }
  1288. /* s->state = SSL3_ST_CW_CERT_VRFY_B */
  1289. return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
  1290. err:
  1291. return(-1);
  1292. }
  1293. int dtls1_send_client_certificate(SSL *s)
  1294. {
  1295. X509 *x509=NULL;
  1296. EVP_PKEY *pkey=NULL;
  1297. int i;
  1298. unsigned long l;
  1299. if (s->state == SSL3_ST_CW_CERT_A)
  1300. {
  1301. if ((s->cert == NULL) ||
  1302. (s->cert->key->x509 == NULL) ||
  1303. (s->cert->key->privatekey == NULL))
  1304. s->state=SSL3_ST_CW_CERT_B;
  1305. else
  1306. s->state=SSL3_ST_CW_CERT_C;
  1307. }
  1308. /* We need to get a client cert */
  1309. if (s->state == SSL3_ST_CW_CERT_B)
  1310. {
  1311. /* If we get an error, we need to
  1312. * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
  1313. * We then get retied later */
  1314. i=0;
  1315. i = ssl_do_client_cert_cb(s, &x509, &pkey);
  1316. if (i < 0)
  1317. {
  1318. s->rwstate=SSL_X509_LOOKUP;
  1319. return(-1);
  1320. }
  1321. s->rwstate=SSL_NOTHING;
  1322. if ((i == 1) && (pkey != NULL) && (x509 != NULL))
  1323. {
  1324. s->state=SSL3_ST_CW_CERT_B;
  1325. if ( !SSL_use_certificate(s,x509) ||
  1326. !SSL_use_PrivateKey(s,pkey))
  1327. i=0;
  1328. }
  1329. else if (i == 1)
  1330. {
  1331. i=0;
  1332. SSLerr(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
  1333. }
  1334. if (x509 != NULL) X509_free(x509);
  1335. if (pkey != NULL) EVP_PKEY_free(pkey);
  1336. if (i == 0)
  1337. {
  1338. if (s->version == SSL3_VERSION)
  1339. {
  1340. s->s3->tmp.cert_req=0;
  1341. ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
  1342. return(1);
  1343. }
  1344. else
  1345. {
  1346. s->s3->tmp.cert_req=2;
  1347. }
  1348. }
  1349. /* Ok, we have a cert */
  1350. s->state=SSL3_ST_CW_CERT_C;
  1351. }
  1352. if (s->state == SSL3_ST_CW_CERT_C)
  1353. {
  1354. s->state=SSL3_ST_CW_CERT_D;
  1355. l=dtls1_output_cert_chain(s,
  1356. (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
  1357. s->init_num=(int)l;
  1358. s->init_off=0;
  1359. /* set header called by dtls1_output_cert_chain() */
  1360. /* buffer the message to handle re-xmits */
  1361. dtls1_buffer_message(s, 0);
  1362. }
  1363. /* SSL3_ST_CW_CERT_D */
  1364. return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
  1365. }