d1_srvr.c 40 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552
  1. /* ssl/d1_srvr.c */
  2. /*
  3. * DTLS implementation written by Nagendra Modadugu
  4. * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
  5. */
  6. /* ====================================================================
  7. * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
  8. *
  9. * Redistribution and use in source and binary forms, with or without
  10. * modification, are permitted provided that the following conditions
  11. * are met:
  12. *
  13. * 1. Redistributions of source code must retain the above copyright
  14. * notice, this list of conditions and the following disclaimer.
  15. *
  16. * 2. Redistributions in binary form must reproduce the above copyright
  17. * notice, this list of conditions and the following disclaimer in
  18. * the documentation and/or other materials provided with the
  19. * distribution.
  20. *
  21. * 3. All advertising materials mentioning features or use of this
  22. * software must display the following acknowledgment:
  23. * "This product includes software developed by the OpenSSL Project
  24. * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  25. *
  26. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  27. * endorse or promote products derived from this software without
  28. * prior written permission. For written permission, please contact
  29. * openssl-core@OpenSSL.org.
  30. *
  31. * 5. Products derived from this software may not be called "OpenSSL"
  32. * nor may "OpenSSL" appear in their names without prior written
  33. * permission of the OpenSSL Project.
  34. *
  35. * 6. Redistributions of any form whatsoever must retain the following
  36. * acknowledgment:
  37. * "This product includes software developed by the OpenSSL Project
  38. * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  39. *
  40. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  41. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  42. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  43. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  44. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  45. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  46. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  47. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  49. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  50. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  51. * OF THE POSSIBILITY OF SUCH DAMAGE.
  52. * ====================================================================
  53. *
  54. * This product includes cryptographic software written by Eric Young
  55. * (eay@cryptsoft.com). This product includes software written by Tim
  56. * Hudson (tjh@cryptsoft.com).
  57. *
  58. */
  59. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  60. * All rights reserved.
  61. *
  62. * This package is an SSL implementation written
  63. * by Eric Young (eay@cryptsoft.com).
  64. * The implementation was written so as to conform with Netscapes SSL.
  65. *
  66. * This library is free for commercial and non-commercial use as long as
  67. * the following conditions are aheared to. The following conditions
  68. * apply to all code found in this distribution, be it the RC4, RSA,
  69. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  70. * included with this distribution is covered by the same copyright terms
  71. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  72. *
  73. * Copyright remains Eric Young's, and as such any Copyright notices in
  74. * the code are not to be removed.
  75. * If this package is used in a product, Eric Young should be given attribution
  76. * as the author of the parts of the library used.
  77. * This can be in the form of a textual message at program startup or
  78. * in documentation (online or textual) provided with the package.
  79. *
  80. * Redistribution and use in source and binary forms, with or without
  81. * modification, are permitted provided that the following conditions
  82. * are met:
  83. * 1. Redistributions of source code must retain the copyright
  84. * notice, this list of conditions and the following disclaimer.
  85. * 2. Redistributions in binary form must reproduce the above copyright
  86. * notice, this list of conditions and the following disclaimer in the
  87. * documentation and/or other materials provided with the distribution.
  88. * 3. All advertising materials mentioning features or use of this software
  89. * must display the following acknowledgement:
  90. * "This product includes cryptographic software written by
  91. * Eric Young (eay@cryptsoft.com)"
  92. * The word 'cryptographic' can be left out if the rouines from the library
  93. * being used are not cryptographic related :-).
  94. * 4. If you include any Windows specific code (or a derivative thereof) from
  95. * the apps directory (application code) you must include an acknowledgement:
  96. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  97. *
  98. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  99. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  100. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  101. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  102. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  103. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  104. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  105. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  106. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  107. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  108. * SUCH DAMAGE.
  109. *
  110. * The licence and distribution terms for any publically available version or
  111. * derivative of this code cannot be changed. i.e. this code cannot simply be
  112. * copied and put under another distribution licence
  113. * [including the GNU Public Licence.]
  114. */
  115. #include <stdio.h>
  116. #include "ssl_locl.h"
  117. #include <openssl/buffer.h>
  118. #include <openssl/rand.h>
  119. #include <openssl/objects.h>
  120. #include <openssl/evp.h>
  121. #include <openssl/x509.h>
  122. #include <openssl/md5.h>
  123. #include <openssl/bn.h>
  124. #ifndef OPENSSL_NO_DH
  125. #include <openssl/dh.h>
  126. #endif
  127. static const SSL_METHOD *dtls1_get_server_method(int ver);
  128. static int dtls1_send_hello_verify_request(SSL *s);
  129. static const SSL_METHOD *dtls1_get_server_method(int ver)
  130. {
  131. if (ver == DTLS1_VERSION)
  132. return(DTLSv1_server_method());
  133. else
  134. return(NULL);
  135. }
  136. IMPLEMENT_dtls1_meth_func(DTLSv1_server_method,
  137. dtls1_accept,
  138. ssl_undefined_function,
  139. dtls1_get_server_method)
  140. int dtls1_accept(SSL *s)
  141. {
  142. BUF_MEM *buf;
  143. unsigned long Time=(unsigned long)time(NULL);
  144. void (*cb)(const SSL *ssl,int type,int val)=NULL;
  145. unsigned long alg_k;
  146. int ret= -1;
  147. int new_state,state,skip=0;
  148. RAND_add(&Time,sizeof(Time),0);
  149. ERR_clear_error();
  150. clear_sys_error();
  151. if (s->info_callback != NULL)
  152. cb=s->info_callback;
  153. else if (s->ctx->info_callback != NULL)
  154. cb=s->ctx->info_callback;
  155. /* init things to blank */
  156. s->in_handshake++;
  157. if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
  158. if (s->cert == NULL)
  159. {
  160. SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
  161. return(-1);
  162. }
  163. for (;;)
  164. {
  165. state=s->state;
  166. switch (s->state)
  167. {
  168. case SSL_ST_RENEGOTIATE:
  169. s->renegotiate=1;
  170. /* s->state=SSL_ST_ACCEPT; */
  171. case SSL_ST_BEFORE:
  172. case SSL_ST_ACCEPT:
  173. case SSL_ST_BEFORE|SSL_ST_ACCEPT:
  174. case SSL_ST_OK|SSL_ST_ACCEPT:
  175. s->server=1;
  176. if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
  177. if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00))
  178. {
  179. SSLerr(SSL_F_DTLS1_ACCEPT, ERR_R_INTERNAL_ERROR);
  180. return -1;
  181. }
  182. s->type=SSL_ST_ACCEPT;
  183. if (s->init_buf == NULL)
  184. {
  185. if ((buf=BUF_MEM_new()) == NULL)
  186. {
  187. ret= -1;
  188. goto end;
  189. }
  190. if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
  191. {
  192. ret= -1;
  193. goto end;
  194. }
  195. s->init_buf=buf;
  196. }
  197. if (!ssl3_setup_buffers(s))
  198. {
  199. ret= -1;
  200. goto end;
  201. }
  202. s->init_num=0;
  203. if (s->state != SSL_ST_RENEGOTIATE)
  204. {
  205. /* Ok, we now need to push on a buffering BIO so that
  206. * the output is sent in a way that TCP likes :-)
  207. */
  208. if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
  209. ssl3_init_finished_mac(s);
  210. s->state=SSL3_ST_SR_CLNT_HELLO_A;
  211. s->ctx->stats.sess_accept++;
  212. }
  213. else
  214. {
  215. /* s->state == SSL_ST_RENEGOTIATE,
  216. * we will just send a HelloRequest */
  217. s->ctx->stats.sess_accept_renegotiate++;
  218. s->state=SSL3_ST_SW_HELLO_REQ_A;
  219. }
  220. break;
  221. case SSL3_ST_SW_HELLO_REQ_A:
  222. case SSL3_ST_SW_HELLO_REQ_B:
  223. s->shutdown=0;
  224. dtls1_start_timer(s);
  225. ret=dtls1_send_hello_request(s);
  226. if (ret <= 0) goto end;
  227. s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
  228. s->state=SSL3_ST_SW_FLUSH;
  229. s->init_num=0;
  230. ssl3_init_finished_mac(s);
  231. break;
  232. case SSL3_ST_SW_HELLO_REQ_C:
  233. s->state=SSL_ST_OK;
  234. break;
  235. case SSL3_ST_SR_CLNT_HELLO_A:
  236. case SSL3_ST_SR_CLNT_HELLO_B:
  237. case SSL3_ST_SR_CLNT_HELLO_C:
  238. s->shutdown=0;
  239. ret=ssl3_get_client_hello(s);
  240. if (ret <= 0) goto end;
  241. dtls1_stop_timer(s);
  242. if (ret == 1 && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
  243. s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
  244. else
  245. s->state = SSL3_ST_SW_SRVR_HELLO_A;
  246. s->init_num=0;
  247. /* If we're just listening, stop here */
  248. if (s->d1->listen && s->state == SSL3_ST_SW_SRVR_HELLO_A)
  249. {
  250. ret = 2;
  251. s->d1->listen = 0;
  252. goto end;
  253. }
  254. break;
  255. case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
  256. case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
  257. dtls1_start_timer(s);
  258. ret = dtls1_send_hello_verify_request(s);
  259. if ( ret <= 0) goto end;
  260. s->state=SSL3_ST_SW_FLUSH;
  261. s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A;
  262. /* HelloVerifyRequest resets Finished MAC */
  263. if (s->version != DTLS1_BAD_VER)
  264. ssl3_init_finished_mac(s);
  265. break;
  266. case SSL3_ST_SW_SRVR_HELLO_A:
  267. case SSL3_ST_SW_SRVR_HELLO_B:
  268. s->renegotiate = 2;
  269. dtls1_start_timer(s);
  270. ret=dtls1_send_server_hello(s);
  271. if (ret <= 0) goto end;
  272. #ifndef OPENSSL_NO_TLSEXT
  273. if (s->hit)
  274. {
  275. if (s->tlsext_ticket_expected)
  276. s->state=SSL3_ST_SW_SESSION_TICKET_A;
  277. else
  278. s->state=SSL3_ST_SW_CHANGE_A;
  279. }
  280. #else
  281. if (s->hit)
  282. s->state=SSL3_ST_SW_CHANGE_A;
  283. #endif
  284. else
  285. s->state=SSL3_ST_SW_CERT_A;
  286. s->init_num=0;
  287. break;
  288. case SSL3_ST_SW_CERT_A:
  289. case SSL3_ST_SW_CERT_B:
  290. /* Check if it is anon DH or normal PSK */
  291. if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
  292. && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
  293. {
  294. dtls1_start_timer(s);
  295. ret=dtls1_send_server_certificate(s);
  296. if (ret <= 0) goto end;
  297. #ifndef OPENSSL_NO_TLSEXT
  298. if (s->tlsext_status_expected)
  299. s->state=SSL3_ST_SW_CERT_STATUS_A;
  300. else
  301. s->state=SSL3_ST_SW_KEY_EXCH_A;
  302. }
  303. else
  304. {
  305. skip = 1;
  306. s->state=SSL3_ST_SW_KEY_EXCH_A;
  307. }
  308. #else
  309. }
  310. else
  311. skip=1;
  312. s->state=SSL3_ST_SW_KEY_EXCH_A;
  313. #endif
  314. s->init_num=0;
  315. break;
  316. case SSL3_ST_SW_KEY_EXCH_A:
  317. case SSL3_ST_SW_KEY_EXCH_B:
  318. alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
  319. /* clear this, it may get reset by
  320. * send_server_key_exchange */
  321. if ((s->options & SSL_OP_EPHEMERAL_RSA)
  322. #ifndef OPENSSL_NO_KRB5
  323. && !(alg_k & SSL_kKRB5)
  324. #endif /* OPENSSL_NO_KRB5 */
  325. )
  326. /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
  327. * even when forbidden by protocol specs
  328. * (handshake may fail as clients are not required to
  329. * be able to handle this) */
  330. s->s3->tmp.use_rsa_tmp=1;
  331. else
  332. s->s3->tmp.use_rsa_tmp=0;
  333. /* only send if a DH key exchange or
  334. * RSA but we have a sign only certificate */
  335. if (s->s3->tmp.use_rsa_tmp
  336. /* PSK: send ServerKeyExchange if PSK identity
  337. * hint if provided */
  338. #ifndef OPENSSL_NO_PSK
  339. || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
  340. #endif
  341. || (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
  342. || (alg_k & SSL_kEECDH)
  343. || ((alg_k & SSL_kRSA)
  344. && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
  345. || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
  346. && EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
  347. )
  348. )
  349. )
  350. )
  351. {
  352. dtls1_start_timer(s);
  353. ret=dtls1_send_server_key_exchange(s);
  354. if (ret <= 0) goto end;
  355. }
  356. else
  357. skip=1;
  358. s->state=SSL3_ST_SW_CERT_REQ_A;
  359. s->init_num=0;
  360. break;
  361. case SSL3_ST_SW_CERT_REQ_A:
  362. case SSL3_ST_SW_CERT_REQ_B:
  363. if (/* don't request cert unless asked for it: */
  364. !(s->verify_mode & SSL_VERIFY_PEER) ||
  365. /* if SSL_VERIFY_CLIENT_ONCE is set,
  366. * don't request cert during re-negotiation: */
  367. ((s->session->peer != NULL) &&
  368. (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
  369. /* never request cert in anonymous ciphersuites
  370. * (see section "Certificate request" in SSL 3 drafts
  371. * and in RFC 2246): */
  372. ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
  373. /* ... except when the application insists on verification
  374. * (against the specs, but s3_clnt.c accepts this for SSL 3) */
  375. !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
  376. /* never request cert in Kerberos ciphersuites */
  377. (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
  378. /* With normal PSK Certificates and
  379. * Certificate Requests are omitted */
  380. || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
  381. {
  382. /* no cert request */
  383. skip=1;
  384. s->s3->tmp.cert_request=0;
  385. s->state=SSL3_ST_SW_SRVR_DONE_A;
  386. }
  387. else
  388. {
  389. s->s3->tmp.cert_request=1;
  390. dtls1_start_timer(s);
  391. ret=dtls1_send_certificate_request(s);
  392. if (ret <= 0) goto end;
  393. #ifndef NETSCAPE_HANG_BUG
  394. s->state=SSL3_ST_SW_SRVR_DONE_A;
  395. #else
  396. s->state=SSL3_ST_SW_FLUSH;
  397. s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
  398. #endif
  399. s->init_num=0;
  400. }
  401. break;
  402. case SSL3_ST_SW_SRVR_DONE_A:
  403. case SSL3_ST_SW_SRVR_DONE_B:
  404. dtls1_start_timer(s);
  405. ret=dtls1_send_server_done(s);
  406. if (ret <= 0) goto end;
  407. s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
  408. s->state=SSL3_ST_SW_FLUSH;
  409. s->init_num=0;
  410. break;
  411. case SSL3_ST_SW_FLUSH:
  412. s->rwstate=SSL_WRITING;
  413. if (BIO_flush(s->wbio) <= 0)
  414. {
  415. ret= -1;
  416. goto end;
  417. }
  418. s->rwstate=SSL_NOTHING;
  419. s->state=s->s3->tmp.next_state;
  420. break;
  421. case SSL3_ST_SR_CERT_A:
  422. case SSL3_ST_SR_CERT_B:
  423. /* Check for second client hello (MS SGC) */
  424. ret = ssl3_check_client_hello(s);
  425. if (ret <= 0)
  426. goto end;
  427. dtls1_stop_timer(s);
  428. if (ret == 2)
  429. s->state = SSL3_ST_SR_CLNT_HELLO_C;
  430. else {
  431. /* could be sent for a DH cert, even if we
  432. * have not asked for it :-) */
  433. ret=ssl3_get_client_certificate(s);
  434. if (ret <= 0) goto end;
  435. dtls1_stop_timer(s);
  436. s->init_num=0;
  437. s->state=SSL3_ST_SR_KEY_EXCH_A;
  438. }
  439. break;
  440. case SSL3_ST_SR_KEY_EXCH_A:
  441. case SSL3_ST_SR_KEY_EXCH_B:
  442. ret=ssl3_get_client_key_exchange(s);
  443. if (ret <= 0) goto end;
  444. dtls1_stop_timer(s);
  445. s->state=SSL3_ST_SR_CERT_VRFY_A;
  446. s->init_num=0;
  447. if (ret == 2)
  448. {
  449. /* For the ECDH ciphersuites when
  450. * the client sends its ECDH pub key in
  451. * a certificate, the CertificateVerify
  452. * message is not sent.
  453. */
  454. s->state=SSL3_ST_SR_FINISHED_A;
  455. s->init_num = 0;
  456. }
  457. else
  458. {
  459. s->state=SSL3_ST_SR_CERT_VRFY_A;
  460. s->init_num=0;
  461. /* We need to get hashes here so if there is
  462. * a client cert, it can be verified */
  463. s->method->ssl3_enc->cert_verify_mac(s,
  464. NID_md5,
  465. &(s->s3->tmp.cert_verify_md[0]));
  466. s->method->ssl3_enc->cert_verify_mac(s,
  467. NID_sha1,
  468. &(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
  469. }
  470. break;
  471. case SSL3_ST_SR_CERT_VRFY_A:
  472. case SSL3_ST_SR_CERT_VRFY_B:
  473. s->d1->change_cipher_spec_ok = 1;
  474. /* we should decide if we expected this one */
  475. ret=ssl3_get_cert_verify(s);
  476. if (ret <= 0) goto end;
  477. dtls1_stop_timer(s);
  478. s->state=SSL3_ST_SR_FINISHED_A;
  479. s->init_num=0;
  480. break;
  481. case SSL3_ST_SR_FINISHED_A:
  482. case SSL3_ST_SR_FINISHED_B:
  483. s->d1->change_cipher_spec_ok = 1;
  484. ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
  485. SSL3_ST_SR_FINISHED_B);
  486. if (ret <= 0) goto end;
  487. dtls1_stop_timer(s);
  488. if (s->hit)
  489. s->state=SSL_ST_OK;
  490. #ifndef OPENSSL_NO_TLSEXT
  491. else if (s->tlsext_ticket_expected)
  492. s->state=SSL3_ST_SW_SESSION_TICKET_A;
  493. #endif
  494. else
  495. s->state=SSL3_ST_SW_CHANGE_A;
  496. s->init_num=0;
  497. break;
  498. #ifndef OPENSSL_NO_TLSEXT
  499. case SSL3_ST_SW_SESSION_TICKET_A:
  500. case SSL3_ST_SW_SESSION_TICKET_B:
  501. ret=dtls1_send_newsession_ticket(s);
  502. if (ret <= 0) goto end;
  503. s->state=SSL3_ST_SW_CHANGE_A;
  504. s->init_num=0;
  505. break;
  506. case SSL3_ST_SW_CERT_STATUS_A:
  507. case SSL3_ST_SW_CERT_STATUS_B:
  508. ret=ssl3_send_cert_status(s);
  509. if (ret <= 0) goto end;
  510. s->state=SSL3_ST_SW_KEY_EXCH_A;
  511. s->init_num=0;
  512. break;
  513. #endif
  514. case SSL3_ST_SW_CHANGE_A:
  515. case SSL3_ST_SW_CHANGE_B:
  516. s->session->cipher=s->s3->tmp.new_cipher;
  517. if (!s->method->ssl3_enc->setup_key_block(s))
  518. { ret= -1; goto end; }
  519. ret=dtls1_send_change_cipher_spec(s,
  520. SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B);
  521. if (ret <= 0) goto end;
  522. s->state=SSL3_ST_SW_FINISHED_A;
  523. s->init_num=0;
  524. if (!s->method->ssl3_enc->change_cipher_state(s,
  525. SSL3_CHANGE_CIPHER_SERVER_WRITE))
  526. {
  527. ret= -1;
  528. goto end;
  529. }
  530. dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
  531. break;
  532. case SSL3_ST_SW_FINISHED_A:
  533. case SSL3_ST_SW_FINISHED_B:
  534. ret=dtls1_send_finished(s,
  535. SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
  536. s->method->ssl3_enc->server_finished_label,
  537. s->method->ssl3_enc->server_finished_label_len);
  538. if (ret <= 0) goto end;
  539. s->state=SSL3_ST_SW_FLUSH;
  540. if (s->hit)
  541. s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
  542. else
  543. s->s3->tmp.next_state=SSL_ST_OK;
  544. s->init_num=0;
  545. break;
  546. case SSL_ST_OK:
  547. /* clean a few things up */
  548. ssl3_cleanup_key_block(s);
  549. #if 0
  550. BUF_MEM_free(s->init_buf);
  551. s->init_buf=NULL;
  552. #endif
  553. /* remove buffering on output */
  554. ssl_free_wbio_buffer(s);
  555. s->init_num=0;
  556. if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */
  557. {
  558. /* actually not necessarily a 'new' session unless
  559. * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
  560. s->renegotiate=0;
  561. s->new_session=0;
  562. ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
  563. s->ctx->stats.sess_accept_good++;
  564. /* s->server=1; */
  565. s->handshake_func=dtls1_accept;
  566. if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
  567. }
  568. ret = 1;
  569. /* done handshaking, next message is client hello */
  570. s->d1->handshake_read_seq = 0;
  571. /* next message is server hello */
  572. s->d1->handshake_write_seq = 0;
  573. s->d1->next_handshake_write_seq = 0;
  574. goto end;
  575. /* break; */
  576. default:
  577. SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_UNKNOWN_STATE);
  578. ret= -1;
  579. goto end;
  580. /* break; */
  581. }
  582. if (!s->s3->tmp.reuse_message && !skip)
  583. {
  584. if (s->debug)
  585. {
  586. if ((ret=BIO_flush(s->wbio)) <= 0)
  587. goto end;
  588. }
  589. if ((cb != NULL) && (s->state != state))
  590. {
  591. new_state=s->state;
  592. s->state=state;
  593. cb(s,SSL_CB_ACCEPT_LOOP,1);
  594. s->state=new_state;
  595. }
  596. }
  597. skip=0;
  598. }
  599. end:
  600. /* BIO_flush(s->wbio); */
  601. s->in_handshake--;
  602. if (cb != NULL)
  603. cb(s,SSL_CB_ACCEPT_EXIT,ret);
  604. return(ret);
  605. }
  606. int dtls1_send_hello_request(SSL *s)
  607. {
  608. unsigned char *p;
  609. if (s->state == SSL3_ST_SW_HELLO_REQ_A)
  610. {
  611. p=(unsigned char *)s->init_buf->data;
  612. p = dtls1_set_message_header(s, p, SSL3_MT_HELLO_REQUEST, 0, 0, 0);
  613. s->state=SSL3_ST_SW_HELLO_REQ_B;
  614. /* number of bytes to write */
  615. s->init_num=DTLS1_HM_HEADER_LENGTH;
  616. s->init_off=0;
  617. /* no need to buffer this message, since there are no retransmit
  618. * requests for it */
  619. }
  620. /* SSL3_ST_SW_HELLO_REQ_B */
  621. return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
  622. }
  623. int dtls1_send_hello_verify_request(SSL *s)
  624. {
  625. unsigned int msg_len;
  626. unsigned char *msg, *buf, *p;
  627. if (s->state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A)
  628. {
  629. buf = (unsigned char *)s->init_buf->data;
  630. msg = p = &(buf[DTLS1_HM_HEADER_LENGTH]);
  631. *(p++) = s->version >> 8;
  632. *(p++) = s->version & 0xFF;
  633. if (s->ctx->app_gen_cookie_cb == NULL ||
  634. s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
  635. &(s->d1->cookie_len)) == 0)
  636. {
  637. SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,ERR_R_INTERNAL_ERROR);
  638. return 0;
  639. }
  640. *(p++) = (unsigned char) s->d1->cookie_len;
  641. memcpy(p, s->d1->cookie, s->d1->cookie_len);
  642. p += s->d1->cookie_len;
  643. msg_len = p - msg;
  644. dtls1_set_message_header(s, buf,
  645. DTLS1_MT_HELLO_VERIFY_REQUEST, msg_len, 0, msg_len);
  646. s->state=DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B;
  647. /* number of bytes to write */
  648. s->init_num=p-buf;
  649. s->init_off=0;
  650. /* buffer the message to handle re-xmits */
  651. dtls1_buffer_message(s, 0);
  652. }
  653. /* s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */
  654. return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
  655. }
  656. int dtls1_send_server_hello(SSL *s)
  657. {
  658. unsigned char *buf;
  659. unsigned char *p,*d;
  660. int i;
  661. unsigned int sl;
  662. unsigned long l,Time;
  663. if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
  664. {
  665. buf=(unsigned char *)s->init_buf->data;
  666. p=s->s3->server_random;
  667. Time=(unsigned long)time(NULL); /* Time */
  668. l2n(Time,p);
  669. RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
  670. /* Do the message type and length last */
  671. d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
  672. *(p++)=s->version>>8;
  673. *(p++)=s->version&0xff;
  674. /* Random stuff */
  675. memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
  676. p+=SSL3_RANDOM_SIZE;
  677. /* now in theory we have 3 options to sending back the
  678. * session id. If it is a re-use, we send back the
  679. * old session-id, if it is a new session, we send
  680. * back the new session-id or we send back a 0 length
  681. * session-id if we want it to be single use.
  682. * Currently I will not implement the '0' length session-id
  683. * 12-Jan-98 - I'll now support the '0' length stuff.
  684. */
  685. if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER))
  686. s->session->session_id_length=0;
  687. sl=s->session->session_id_length;
  688. if (sl > sizeof s->session->session_id)
  689. {
  690. SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
  691. return -1;
  692. }
  693. *(p++)=sl;
  694. memcpy(p,s->session->session_id,sl);
  695. p+=sl;
  696. /* put the cipher */
  697. if (s->s3->tmp.new_cipher == NULL)
  698. return -1;
  699. i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p);
  700. p+=i;
  701. /* put the compression method */
  702. #ifdef OPENSSL_NO_COMP
  703. *(p++)=0;
  704. #else
  705. if (s->s3->tmp.new_compression == NULL)
  706. *(p++)=0;
  707. else
  708. *(p++)=s->s3->tmp.new_compression->id;
  709. #endif
  710. #ifndef OPENSSL_NO_TLSEXT
  711. if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
  712. {
  713. SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
  714. return -1;
  715. }
  716. #endif
  717. /* do the header */
  718. l=(p-d);
  719. d=buf;
  720. d = dtls1_set_message_header(s, d, SSL3_MT_SERVER_HELLO, l, 0, l);
  721. s->state=SSL3_ST_SW_SRVR_HELLO_B;
  722. /* number of bytes to write */
  723. s->init_num=p-buf;
  724. s->init_off=0;
  725. /* buffer the message to handle re-xmits */
  726. dtls1_buffer_message(s, 0);
  727. }
  728. /* SSL3_ST_SW_SRVR_HELLO_B */
  729. return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
  730. }
  731. int dtls1_send_server_done(SSL *s)
  732. {
  733. unsigned char *p;
  734. if (s->state == SSL3_ST_SW_SRVR_DONE_A)
  735. {
  736. p=(unsigned char *)s->init_buf->data;
  737. /* do the header */
  738. p = dtls1_set_message_header(s, p, SSL3_MT_SERVER_DONE, 0, 0, 0);
  739. s->state=SSL3_ST_SW_SRVR_DONE_B;
  740. /* number of bytes to write */
  741. s->init_num=DTLS1_HM_HEADER_LENGTH;
  742. s->init_off=0;
  743. /* buffer the message to handle re-xmits */
  744. dtls1_buffer_message(s, 0);
  745. }
  746. /* SSL3_ST_SW_SRVR_DONE_B */
  747. return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
  748. }
  749. int dtls1_send_server_key_exchange(SSL *s)
  750. {
  751. #ifndef OPENSSL_NO_RSA
  752. unsigned char *q;
  753. int j,num;
  754. RSA *rsa;
  755. unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
  756. unsigned int u;
  757. #endif
  758. #ifndef OPENSSL_NO_DH
  759. DH *dh=NULL,*dhp;
  760. #endif
  761. #ifndef OPENSSL_NO_ECDH
  762. EC_KEY *ecdh=NULL, *ecdhp;
  763. unsigned char *encodedPoint = NULL;
  764. int encodedlen = 0;
  765. int curve_id = 0;
  766. BN_CTX *bn_ctx = NULL;
  767. #endif
  768. EVP_PKEY *pkey;
  769. unsigned char *p,*d;
  770. int al,i;
  771. unsigned long type;
  772. int n;
  773. CERT *cert;
  774. BIGNUM *r[4];
  775. int nr[4],kn;
  776. BUF_MEM *buf;
  777. EVP_MD_CTX md_ctx;
  778. EVP_MD_CTX_init(&md_ctx);
  779. if (s->state == SSL3_ST_SW_KEY_EXCH_A)
  780. {
  781. type=s->s3->tmp.new_cipher->algorithm_mkey;
  782. cert=s->cert;
  783. buf=s->init_buf;
  784. r[0]=r[1]=r[2]=r[3]=NULL;
  785. n=0;
  786. #ifndef OPENSSL_NO_RSA
  787. if (type & SSL_kRSA)
  788. {
  789. rsa=cert->rsa_tmp;
  790. if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL))
  791. {
  792. rsa=s->cert->rsa_tmp_cb(s,
  793. SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
  794. SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
  795. if(rsa == NULL)
  796. {
  797. al=SSL_AD_HANDSHAKE_FAILURE;
  798. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
  799. goto f_err;
  800. }
  801. RSA_up_ref(rsa);
  802. cert->rsa_tmp=rsa;
  803. }
  804. if (rsa == NULL)
  805. {
  806. al=SSL_AD_HANDSHAKE_FAILURE;
  807. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY);
  808. goto f_err;
  809. }
  810. r[0]=rsa->n;
  811. r[1]=rsa->e;
  812. s->s3->tmp.use_rsa_tmp=1;
  813. }
  814. else
  815. #endif
  816. #ifndef OPENSSL_NO_DH
  817. if (type & SSL_kEDH)
  818. {
  819. dhp=cert->dh_tmp;
  820. if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
  821. dhp=s->cert->dh_tmp_cb(s,
  822. SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
  823. SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
  824. if (dhp == NULL)
  825. {
  826. al=SSL_AD_HANDSHAKE_FAILURE;
  827. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
  828. goto f_err;
  829. }
  830. if (s->s3->tmp.dh != NULL)
  831. {
  832. DH_free(dh);
  833. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
  834. goto err;
  835. }
  836. if ((dh=DHparams_dup(dhp)) == NULL)
  837. {
  838. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
  839. goto err;
  840. }
  841. s->s3->tmp.dh=dh;
  842. if ((dhp->pub_key == NULL ||
  843. dhp->priv_key == NULL ||
  844. (s->options & SSL_OP_SINGLE_DH_USE)))
  845. {
  846. if(!DH_generate_key(dh))
  847. {
  848. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,
  849. ERR_R_DH_LIB);
  850. goto err;
  851. }
  852. }
  853. else
  854. {
  855. dh->pub_key=BN_dup(dhp->pub_key);
  856. dh->priv_key=BN_dup(dhp->priv_key);
  857. if ((dh->pub_key == NULL) ||
  858. (dh->priv_key == NULL))
  859. {
  860. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
  861. goto err;
  862. }
  863. }
  864. r[0]=dh->p;
  865. r[1]=dh->g;
  866. r[2]=dh->pub_key;
  867. }
  868. else
  869. #endif
  870. #ifndef OPENSSL_NO_ECDH
  871. if (type & SSL_kEECDH)
  872. {
  873. const EC_GROUP *group;
  874. ecdhp=cert->ecdh_tmp;
  875. if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL))
  876. {
  877. ecdhp=s->cert->ecdh_tmp_cb(s,
  878. SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
  879. SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
  880. }
  881. if (ecdhp == NULL)
  882. {
  883. al=SSL_AD_HANDSHAKE_FAILURE;
  884. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY);
  885. goto f_err;
  886. }
  887. if (s->s3->tmp.ecdh != NULL)
  888. {
  889. EC_KEY_free(s->s3->tmp.ecdh);
  890. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
  891. goto err;
  892. }
  893. /* Duplicate the ECDH structure. */
  894. if (ecdhp == NULL)
  895. {
  896. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
  897. goto err;
  898. }
  899. if (!EC_KEY_up_ref(ecdhp))
  900. {
  901. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
  902. goto err;
  903. }
  904. ecdh = ecdhp;
  905. s->s3->tmp.ecdh=ecdh;
  906. if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
  907. (EC_KEY_get0_private_key(ecdh) == NULL) ||
  908. (s->options & SSL_OP_SINGLE_ECDH_USE))
  909. {
  910. if(!EC_KEY_generate_key(ecdh))
  911. {
  912. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
  913. goto err;
  914. }
  915. }
  916. if (((group = EC_KEY_get0_group(ecdh)) == NULL) ||
  917. (EC_KEY_get0_public_key(ecdh) == NULL) ||
  918. (EC_KEY_get0_private_key(ecdh) == NULL))
  919. {
  920. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
  921. goto err;
  922. }
  923. if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
  924. (EC_GROUP_get_degree(group) > 163))
  925. {
  926. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
  927. goto err;
  928. }
  929. /* XXX: For now, we only support ephemeral ECDH
  930. * keys over named (not generic) curves. For
  931. * supported named curves, curve_id is non-zero.
  932. */
  933. if ((curve_id =
  934. tls1_ec_nid2curve_id(EC_GROUP_get_curve_name(group)))
  935. == 0)
  936. {
  937. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
  938. goto err;
  939. }
  940. /* Encode the public key.
  941. * First check the size of encoding and
  942. * allocate memory accordingly.
  943. */
  944. encodedlen = EC_POINT_point2oct(group,
  945. EC_KEY_get0_public_key(ecdh),
  946. POINT_CONVERSION_UNCOMPRESSED,
  947. NULL, 0, NULL);
  948. encodedPoint = (unsigned char *)
  949. OPENSSL_malloc(encodedlen*sizeof(unsigned char));
  950. bn_ctx = BN_CTX_new();
  951. if ((encodedPoint == NULL) || (bn_ctx == NULL))
  952. {
  953. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
  954. goto err;
  955. }
  956. encodedlen = EC_POINT_point2oct(group,
  957. EC_KEY_get0_public_key(ecdh),
  958. POINT_CONVERSION_UNCOMPRESSED,
  959. encodedPoint, encodedlen, bn_ctx);
  960. if (encodedlen == 0)
  961. {
  962. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
  963. goto err;
  964. }
  965. BN_CTX_free(bn_ctx); bn_ctx=NULL;
  966. /* XXX: For now, we only support named (not
  967. * generic) curves in ECDH ephemeral key exchanges.
  968. * In this situation, we need four additional bytes
  969. * to encode the entire ServerECDHParams
  970. * structure.
  971. */
  972. n = 4 + encodedlen;
  973. /* We'll generate the serverKeyExchange message
  974. * explicitly so we can set these to NULLs
  975. */
  976. r[0]=NULL;
  977. r[1]=NULL;
  978. r[2]=NULL;
  979. r[3]=NULL;
  980. }
  981. else
  982. #endif /* !OPENSSL_NO_ECDH */
  983. #ifndef OPENSSL_NO_PSK
  984. if (type & SSL_kPSK)
  985. {
  986. /* reserve size for record length and PSK identity hint*/
  987. n+=2+strlen(s->ctx->psk_identity_hint);
  988. }
  989. else
  990. #endif /* !OPENSSL_NO_PSK */
  991. {
  992. al=SSL_AD_HANDSHAKE_FAILURE;
  993. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
  994. goto f_err;
  995. }
  996. for (i=0; r[i] != NULL; i++)
  997. {
  998. nr[i]=BN_num_bytes(r[i]);
  999. n+=2+nr[i];
  1000. }
  1001. if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
  1002. && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
  1003. {
  1004. if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher))
  1005. == NULL)
  1006. {
  1007. al=SSL_AD_DECODE_ERROR;
  1008. goto f_err;
  1009. }
  1010. kn=EVP_PKEY_size(pkey);
  1011. }
  1012. else
  1013. {
  1014. pkey=NULL;
  1015. kn=0;
  1016. }
  1017. if (!BUF_MEM_grow_clean(buf,n+DTLS1_HM_HEADER_LENGTH+kn))
  1018. {
  1019. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
  1020. goto err;
  1021. }
  1022. d=(unsigned char *)s->init_buf->data;
  1023. p= &(d[DTLS1_HM_HEADER_LENGTH]);
  1024. for (i=0; r[i] != NULL; i++)
  1025. {
  1026. s2n(nr[i],p);
  1027. BN_bn2bin(r[i],p);
  1028. p+=nr[i];
  1029. }
  1030. #ifndef OPENSSL_NO_ECDH
  1031. if (type & SSL_kEECDH)
  1032. {
  1033. /* XXX: For now, we only support named (not generic) curves.
  1034. * In this situation, the serverKeyExchange message has:
  1035. * [1 byte CurveType], [2 byte CurveName]
  1036. * [1 byte length of encoded point], followed by
  1037. * the actual encoded point itself
  1038. */
  1039. *p = NAMED_CURVE_TYPE;
  1040. p += 1;
  1041. *p = 0;
  1042. p += 1;
  1043. *p = curve_id;
  1044. p += 1;
  1045. *p = encodedlen;
  1046. p += 1;
  1047. memcpy((unsigned char*)p,
  1048. (unsigned char *)encodedPoint,
  1049. encodedlen);
  1050. OPENSSL_free(encodedPoint);
  1051. p += encodedlen;
  1052. }
  1053. #endif
  1054. #ifndef OPENSSL_NO_PSK
  1055. if (type & SSL_kPSK)
  1056. {
  1057. /* copy PSK identity hint */
  1058. s2n(strlen(s->ctx->psk_identity_hint), p);
  1059. strncpy((char *)p, s->ctx->psk_identity_hint, strlen(s->ctx->psk_identity_hint));
  1060. p+=strlen(s->ctx->psk_identity_hint);
  1061. }
  1062. #endif
  1063. /* not anonymous */
  1064. if (pkey != NULL)
  1065. {
  1066. /* n is the length of the params, they start at
  1067. * &(d[DTLS1_HM_HEADER_LENGTH]) and p points to the space
  1068. * at the end. */
  1069. #ifndef OPENSSL_NO_RSA
  1070. if (pkey->type == EVP_PKEY_RSA)
  1071. {
  1072. q=md_buf;
  1073. j=0;
  1074. for (num=2; num > 0; num--)
  1075. {
  1076. EVP_DigestInit_ex(&md_ctx,(num == 2)
  1077. ?s->ctx->md5:s->ctx->sha1, NULL);
  1078. EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
  1079. EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
  1080. EVP_DigestUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n);
  1081. EVP_DigestFinal_ex(&md_ctx,q,
  1082. (unsigned int *)&i);
  1083. q+=i;
  1084. j+=i;
  1085. }
  1086. if (RSA_sign(NID_md5_sha1, md_buf, j,
  1087. &(p[2]), &u, pkey->pkey.rsa) <= 0)
  1088. {
  1089. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
  1090. goto err;
  1091. }
  1092. s2n(u,p);
  1093. n+=u+2;
  1094. }
  1095. else
  1096. #endif
  1097. #if !defined(OPENSSL_NO_DSA)
  1098. if (pkey->type == EVP_PKEY_DSA)
  1099. {
  1100. /* lets do DSS */
  1101. EVP_SignInit_ex(&md_ctx,EVP_dss1(), NULL);
  1102. EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
  1103. EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
  1104. EVP_SignUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n);
  1105. if (!EVP_SignFinal(&md_ctx,&(p[2]),
  1106. (unsigned int *)&i,pkey))
  1107. {
  1108. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA);
  1109. goto err;
  1110. }
  1111. s2n(i,p);
  1112. n+=i+2;
  1113. }
  1114. else
  1115. #endif
  1116. #if !defined(OPENSSL_NO_ECDSA)
  1117. if (pkey->type == EVP_PKEY_EC)
  1118. {
  1119. /* let's do ECDSA */
  1120. EVP_SignInit_ex(&md_ctx,EVP_ecdsa(), NULL);
  1121. EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
  1122. EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
  1123. EVP_SignUpdate(&md_ctx,&(d[4]),n);
  1124. if (!EVP_SignFinal(&md_ctx,&(p[2]),
  1125. (unsigned int *)&i,pkey))
  1126. {
  1127. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_ECDSA);
  1128. goto err;
  1129. }
  1130. s2n(i,p);
  1131. n+=i+2;
  1132. }
  1133. else
  1134. #endif
  1135. {
  1136. /* Is this error check actually needed? */
  1137. al=SSL_AD_HANDSHAKE_FAILURE;
  1138. SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE);
  1139. goto f_err;
  1140. }
  1141. }
  1142. d = dtls1_set_message_header(s, d,
  1143. SSL3_MT_SERVER_KEY_EXCHANGE, n, 0, n);
  1144. /* we should now have things packed up, so lets send
  1145. * it off */
  1146. s->init_num=n+DTLS1_HM_HEADER_LENGTH;
  1147. s->init_off=0;
  1148. /* buffer the message to handle re-xmits */
  1149. dtls1_buffer_message(s, 0);
  1150. }
  1151. s->state = SSL3_ST_SW_KEY_EXCH_B;
  1152. EVP_MD_CTX_cleanup(&md_ctx);
  1153. return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
  1154. f_err:
  1155. ssl3_send_alert(s,SSL3_AL_FATAL,al);
  1156. err:
  1157. #ifndef OPENSSL_NO_ECDH
  1158. if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
  1159. BN_CTX_free(bn_ctx);
  1160. #endif
  1161. EVP_MD_CTX_cleanup(&md_ctx);
  1162. return(-1);
  1163. }
  1164. int dtls1_send_certificate_request(SSL *s)
  1165. {
  1166. unsigned char *p,*d;
  1167. int i,j,nl,off,n;
  1168. STACK_OF(X509_NAME) *sk=NULL;
  1169. X509_NAME *name;
  1170. BUF_MEM *buf;
  1171. unsigned int msg_len;
  1172. if (s->state == SSL3_ST_SW_CERT_REQ_A)
  1173. {
  1174. buf=s->init_buf;
  1175. d=p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH]);
  1176. /* get the list of acceptable cert types */
  1177. p++;
  1178. n=ssl3_get_req_cert_type(s,p);
  1179. d[0]=n;
  1180. p+=n;
  1181. n++;
  1182. off=n;
  1183. p+=2;
  1184. n+=2;
  1185. sk=SSL_get_client_CA_list(s);
  1186. nl=0;
  1187. if (sk != NULL)
  1188. {
  1189. for (i=0; i<sk_X509_NAME_num(sk); i++)
  1190. {
  1191. name=sk_X509_NAME_value(sk,i);
  1192. j=i2d_X509_NAME(name,NULL);
  1193. if (!BUF_MEM_grow_clean(buf,DTLS1_HM_HEADER_LENGTH+n+j+2))
  1194. {
  1195. SSLerr(SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
  1196. goto err;
  1197. }
  1198. p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH+n]);
  1199. if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
  1200. {
  1201. s2n(j,p);
  1202. i2d_X509_NAME(name,&p);
  1203. n+=2+j;
  1204. nl+=2+j;
  1205. }
  1206. else
  1207. {
  1208. d=p;
  1209. i2d_X509_NAME(name,&p);
  1210. j-=2; s2n(j,d); j+=2;
  1211. n+=j;
  1212. nl+=j;
  1213. }
  1214. }
  1215. }
  1216. /* else no CA names */
  1217. p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH+off]);
  1218. s2n(nl,p);
  1219. d=(unsigned char *)buf->data;
  1220. *(d++)=SSL3_MT_CERTIFICATE_REQUEST;
  1221. l2n3(n,d);
  1222. s2n(s->d1->handshake_write_seq,d);
  1223. s->d1->handshake_write_seq++;
  1224. /* we should now have things packed up, so lets send
  1225. * it off */
  1226. s->init_num=n+DTLS1_HM_HEADER_LENGTH;
  1227. s->init_off=0;
  1228. #ifdef NETSCAPE_HANG_BUG
  1229. /* XXX: what to do about this? */
  1230. p=(unsigned char *)s->init_buf->data + s->init_num;
  1231. /* do the header */
  1232. *(p++)=SSL3_MT_SERVER_DONE;
  1233. *(p++)=0;
  1234. *(p++)=0;
  1235. *(p++)=0;
  1236. s->init_num += 4;
  1237. #endif
  1238. /* XDTLS: set message header ? */
  1239. msg_len = s->init_num - DTLS1_HM_HEADER_LENGTH;
  1240. dtls1_set_message_header(s, (void *)s->init_buf->data,
  1241. SSL3_MT_CERTIFICATE_REQUEST, msg_len, 0, msg_len);
  1242. /* buffer the message to handle re-xmits */
  1243. dtls1_buffer_message(s, 0);
  1244. s->state = SSL3_ST_SW_CERT_REQ_B;
  1245. }
  1246. /* SSL3_ST_SW_CERT_REQ_B */
  1247. return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
  1248. err:
  1249. return(-1);
  1250. }
  1251. int dtls1_send_server_certificate(SSL *s)
  1252. {
  1253. unsigned long l;
  1254. X509 *x;
  1255. if (s->state == SSL3_ST_SW_CERT_A)
  1256. {
  1257. x=ssl_get_server_send_cert(s);
  1258. if (x == NULL)
  1259. {
  1260. /* VRS: allow null cert if auth == KRB5 */
  1261. if ((s->s3->tmp.new_cipher->algorithm_mkey != SSL_kKRB5) ||
  1262. (s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5))
  1263. {
  1264. SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
  1265. return(0);
  1266. }
  1267. }
  1268. l=dtls1_output_cert_chain(s,x);
  1269. s->state=SSL3_ST_SW_CERT_B;
  1270. s->init_num=(int)l;
  1271. s->init_off=0;
  1272. /* buffer the message to handle re-xmits */
  1273. dtls1_buffer_message(s, 0);
  1274. }
  1275. /* SSL3_ST_SW_CERT_B */
  1276. return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
  1277. }
  1278. #ifndef OPENSSL_NO_TLSEXT
  1279. int dtls1_send_newsession_ticket(SSL *s)
  1280. {
  1281. if (s->state == SSL3_ST_SW_SESSION_TICKET_A)
  1282. {
  1283. unsigned char *p, *senc, *macstart;
  1284. int len, slen;
  1285. unsigned int hlen, msg_len;
  1286. EVP_CIPHER_CTX ctx;
  1287. HMAC_CTX hctx;
  1288. SSL_CTX *tctx = s->initial_ctx;
  1289. unsigned char iv[EVP_MAX_IV_LENGTH];
  1290. unsigned char key_name[16];
  1291. /* get session encoding length */
  1292. slen = i2d_SSL_SESSION(s->session, NULL);
  1293. /* Some length values are 16 bits, so forget it if session is
  1294. * too long
  1295. */
  1296. if (slen > 0xFF00)
  1297. return -1;
  1298. /* Grow buffer if need be: the length calculation is as
  1299. * follows 12 (DTLS handshake message header) +
  1300. * 4 (ticket lifetime hint) + 2 (ticket length) +
  1301. * 16 (key name) + max_iv_len (iv length) +
  1302. * session_length + max_enc_block_size (max encrypted session
  1303. * length) + max_md_size (HMAC).
  1304. */
  1305. if (!BUF_MEM_grow(s->init_buf,
  1306. DTLS1_HM_HEADER_LENGTH + 22 + EVP_MAX_IV_LENGTH +
  1307. EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE + slen))
  1308. return -1;
  1309. senc = OPENSSL_malloc(slen);
  1310. if (!senc)
  1311. return -1;
  1312. p = senc;
  1313. i2d_SSL_SESSION(s->session, &p);
  1314. p=(unsigned char *)&(s->init_buf->data[DTLS1_HM_HEADER_LENGTH]);
  1315. EVP_CIPHER_CTX_init(&ctx);
  1316. HMAC_CTX_init(&hctx);
  1317. /* Initialize HMAC and cipher contexts. If callback present
  1318. * it does all the work otherwise use generated values
  1319. * from parent ctx.
  1320. */
  1321. if (tctx->tlsext_ticket_key_cb)
  1322. {
  1323. if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
  1324. &hctx, 1) < 0)
  1325. {
  1326. OPENSSL_free(senc);
  1327. return -1;
  1328. }
  1329. }
  1330. else
  1331. {
  1332. RAND_pseudo_bytes(iv, 16);
  1333. EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
  1334. tctx->tlsext_tick_aes_key, iv);
  1335. HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
  1336. tlsext_tick_md(), NULL);
  1337. memcpy(key_name, tctx->tlsext_tick_key_name, 16);
  1338. }
  1339. l2n(s->session->tlsext_tick_lifetime_hint, p);
  1340. /* Skip ticket length for now */
  1341. p += 2;
  1342. /* Output key name */
  1343. macstart = p;
  1344. memcpy(p, key_name, 16);
  1345. p += 16;
  1346. /* output IV */
  1347. memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx));
  1348. p += EVP_CIPHER_CTX_iv_length(&ctx);
  1349. /* Encrypt session data */
  1350. EVP_EncryptUpdate(&ctx, p, &len, senc, slen);
  1351. p += len;
  1352. EVP_EncryptFinal(&ctx, p, &len);
  1353. p += len;
  1354. EVP_CIPHER_CTX_cleanup(&ctx);
  1355. HMAC_Update(&hctx, macstart, p - macstart);
  1356. HMAC_Final(&hctx, p, &hlen);
  1357. HMAC_CTX_cleanup(&hctx);
  1358. p += hlen;
  1359. /* Now write out lengths: p points to end of data written */
  1360. /* Total length */
  1361. len = p - (unsigned char *)(s->init_buf->data);
  1362. /* Ticket length */
  1363. p=(unsigned char *)&(s->init_buf->data[DTLS1_HM_HEADER_LENGTH]) + 4;
  1364. s2n(len - DTLS1_HM_HEADER_LENGTH - 6, p);
  1365. /* number of bytes to write */
  1366. s->init_num= len;
  1367. s->state=SSL3_ST_SW_SESSION_TICKET_B;
  1368. s->init_off=0;
  1369. OPENSSL_free(senc);
  1370. /* XDTLS: set message header ? */
  1371. msg_len = s->init_num - DTLS1_HM_HEADER_LENGTH;
  1372. dtls1_set_message_header(s, (void *)s->init_buf->data,
  1373. SSL3_MT_NEWSESSION_TICKET, msg_len, 0, msg_len);
  1374. /* buffer the message to handle re-xmits */
  1375. dtls1_buffer_message(s, 0);
  1376. }
  1377. /* SSL3_ST_SW_SESSION_TICKET_B */
  1378. return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
  1379. }
  1380. #endif