2
0

d1_clnt.c 29 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875
  1. /* ssl/d1_clnt.c */
  2. /*
  3. * DTLS implementation written by Nagendra Modadugu
  4. * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
  5. */
  6. /* ====================================================================
  7. * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
  8. *
  9. * Redistribution and use in source and binary forms, with or without
  10. * modification, are permitted provided that the following conditions
  11. * are met:
  12. *
  13. * 1. Redistributions of source code must retain the above copyright
  14. * notice, this list of conditions and the following disclaimer.
  15. *
  16. * 2. Redistributions in binary form must reproduce the above copyright
  17. * notice, this list of conditions and the following disclaimer in
  18. * the documentation and/or other materials provided with the
  19. * distribution.
  20. *
  21. * 3. All advertising materials mentioning features or use of this
  22. * software must display the following acknowledgment:
  23. * "This product includes software developed by the OpenSSL Project
  24. * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  25. *
  26. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  27. * endorse or promote products derived from this software without
  28. * prior written permission. For written permission, please contact
  29. * openssl-core@OpenSSL.org.
  30. *
  31. * 5. Products derived from this software may not be called "OpenSSL"
  32. * nor may "OpenSSL" appear in their names without prior written
  33. * permission of the OpenSSL Project.
  34. *
  35. * 6. Redistributions of any form whatsoever must retain the following
  36. * acknowledgment:
  37. * "This product includes software developed by the OpenSSL Project
  38. * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  39. *
  40. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  41. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  42. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  43. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  44. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  45. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  46. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  47. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  49. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  50. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  51. * OF THE POSSIBILITY OF SUCH DAMAGE.
  52. * ====================================================================
  53. *
  54. * This product includes cryptographic software written by Eric Young
  55. * (eay@cryptsoft.com). This product includes software written by Tim
  56. * Hudson (tjh@cryptsoft.com).
  57. *
  58. */
  59. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  60. * All rights reserved.
  61. *
  62. * This package is an SSL implementation written
  63. * by Eric Young (eay@cryptsoft.com).
  64. * The implementation was written so as to conform with Netscapes SSL.
  65. *
  66. * This library is free for commercial and non-commercial use as long as
  67. * the following conditions are aheared to. The following conditions
  68. * apply to all code found in this distribution, be it the RC4, RSA,
  69. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  70. * included with this distribution is covered by the same copyright terms
  71. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  72. *
  73. * Copyright remains Eric Young's, and as such any Copyright notices in
  74. * the code are not to be removed.
  75. * If this package is used in a product, Eric Young should be given attribution
  76. * as the author of the parts of the library used.
  77. * This can be in the form of a textual message at program startup or
  78. * in documentation (online or textual) provided with the package.
  79. *
  80. * Redistribution and use in source and binary forms, with or without
  81. * modification, are permitted provided that the following conditions
  82. * are met:
  83. * 1. Redistributions of source code must retain the copyright
  84. * notice, this list of conditions and the following disclaimer.
  85. * 2. Redistributions in binary form must reproduce the above copyright
  86. * notice, this list of conditions and the following disclaimer in the
  87. * documentation and/or other materials provided with the distribution.
  88. * 3. All advertising materials mentioning features or use of this software
  89. * must display the following acknowledgement:
  90. * "This product includes cryptographic software written by
  91. * Eric Young (eay@cryptsoft.com)"
  92. * The word 'cryptographic' can be left out if the rouines from the library
  93. * being used are not cryptographic related :-).
  94. * 4. If you include any Windows specific code (or a derivative thereof) from
  95. * the apps directory (application code) you must include an acknowledgement:
  96. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  97. *
  98. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  99. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  100. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  101. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  102. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  103. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  104. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  105. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  106. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  107. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  108. * SUCH DAMAGE.
  109. *
  110. * The licence and distribution terms for any publically available version or
  111. * derivative of this code cannot be changed. i.e. this code cannot simply be
  112. * copied and put under another distribution licence
  113. * [including the GNU Public Licence.]
  114. */
  115. #include <stdio.h>
  116. #include "ssl_locl.h"
  117. #ifndef OPENSSL_NO_KRB5
  118. # include "kssl_lcl.h"
  119. #endif
  120. #include <openssl/buffer.h>
  121. #include <openssl/rand.h>
  122. #include <openssl/objects.h>
  123. #include <openssl/evp.h>
  124. #include <openssl/md5.h>
  125. #include <openssl/bn.h>
  126. #ifndef OPENSSL_NO_DH
  127. # include <openssl/dh.h>
  128. #endif
  129. static const SSL_METHOD *dtls1_get_client_method(int ver);
  130. static int dtls1_get_hello_verify(SSL *s);
  131. static const SSL_METHOD *dtls1_get_client_method(int ver)
  132. {
  133. if (ver == DTLS_ANY_VERSION)
  134. return DTLS_client_method();
  135. else if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
  136. return DTLSv1_client_method();
  137. else if (ver == DTLS1_2_VERSION)
  138. return DTLSv1_2_client_method();
  139. else
  140. return NULL;
  141. }
  142. IMPLEMENT_dtls1_meth_func(DTLS1_VERSION,
  143. DTLSv1_client_method,
  144. ssl_undefined_function,
  145. dtls1_connect,
  146. dtls1_get_client_method, DTLSv1_enc_data)
  147. IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION,
  148. DTLSv1_2_client_method,
  149. ssl_undefined_function,
  150. dtls1_connect,
  151. dtls1_get_client_method, DTLSv1_2_enc_data)
  152. IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION,
  153. DTLS_client_method,
  154. ssl_undefined_function,
  155. dtls1_connect,
  156. dtls1_get_client_method, DTLSv1_2_enc_data)
  157. int dtls1_connect(SSL *s)
  158. {
  159. BUF_MEM *buf = NULL;
  160. unsigned long Time = (unsigned long)time(NULL);
  161. void (*cb) (const SSL *ssl, int type, int val) = NULL;
  162. int ret = -1;
  163. int new_state, state, skip = 0;
  164. #ifndef OPENSSL_NO_SCTP
  165. unsigned char sctpauthkey[64];
  166. char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
  167. #endif
  168. RAND_add(&Time, sizeof(Time), 0);
  169. ERR_clear_error();
  170. clear_sys_error();
  171. if (s->info_callback != NULL)
  172. cb = s->info_callback;
  173. else if (s->ctx->info_callback != NULL)
  174. cb = s->ctx->info_callback;
  175. s->in_handshake++;
  176. if (!SSL_in_init(s) || SSL_in_before(s))
  177. SSL_clear(s);
  178. #ifndef OPENSSL_NO_SCTP
  179. /*
  180. * Notify SCTP BIO socket to enter handshake mode and prevent stream
  181. * identifier other than 0. Will be ignored if no SCTP is used.
  182. */
  183. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
  184. s->in_handshake, NULL);
  185. #endif
  186. #ifndef OPENSSL_NO_HEARTBEATS
  187. /*
  188. * If we're awaiting a HeartbeatResponse, pretend we already got and
  189. * don't await it anymore, because Heartbeats don't make sense during
  190. * handshakes anyway.
  191. */
  192. if (s->tlsext_hb_pending) {
  193. dtls1_stop_timer(s);
  194. s->tlsext_hb_pending = 0;
  195. s->tlsext_hb_seq++;
  196. }
  197. #endif
  198. for (;;) {
  199. state = s->state;
  200. switch (s->state) {
  201. case SSL_ST_RENEGOTIATE:
  202. s->renegotiate = 1;
  203. s->state = SSL_ST_CONNECT;
  204. s->ctx->stats.sess_connect_renegotiate++;
  205. /* break */
  206. case SSL_ST_BEFORE:
  207. case SSL_ST_CONNECT:
  208. case SSL_ST_BEFORE | SSL_ST_CONNECT:
  209. case SSL_ST_OK | SSL_ST_CONNECT:
  210. s->server = 0;
  211. if (cb != NULL)
  212. cb(s, SSL_CB_HANDSHAKE_START, 1);
  213. if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00) &&
  214. (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00)) {
  215. SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR);
  216. ret = -1;
  217. s->state = SSL_ST_ERR;
  218. goto end;
  219. }
  220. /* s->version=SSL3_VERSION; */
  221. s->type = SSL_ST_CONNECT;
  222. if (s->init_buf == NULL) {
  223. if ((buf = BUF_MEM_new()) == NULL) {
  224. ret = -1;
  225. s->state = SSL_ST_ERR;
  226. goto end;
  227. }
  228. if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
  229. ret = -1;
  230. s->state = SSL_ST_ERR;
  231. goto end;
  232. }
  233. s->init_buf = buf;
  234. buf = NULL;
  235. }
  236. if (!ssl3_setup_buffers(s)) {
  237. ret = -1;
  238. s->state = SSL_ST_ERR;
  239. goto end;
  240. }
  241. /* setup buffing BIO */
  242. if (!ssl_init_wbio_buffer(s, 0)) {
  243. ret = -1;
  244. s->state = SSL_ST_ERR;
  245. goto end;
  246. }
  247. /* don't push the buffering BIO quite yet */
  248. s->state = SSL3_ST_CW_CLNT_HELLO_A;
  249. s->ctx->stats.sess_connect++;
  250. s->init_num = 0;
  251. /* mark client_random uninitialized */
  252. memset(s->s3->client_random, 0, sizeof(s->s3->client_random));
  253. s->d1->send_cookie = 0;
  254. s->hit = 0;
  255. s->d1->change_cipher_spec_ok = 0;
  256. /*
  257. * Should have been reset by ssl3_get_finished, too.
  258. */
  259. s->s3->change_cipher_spec = 0;
  260. break;
  261. #ifndef OPENSSL_NO_SCTP
  262. case DTLS1_SCTP_ST_CR_READ_SOCK:
  263. if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
  264. s->s3->in_read_app_data = 2;
  265. s->rwstate = SSL_READING;
  266. BIO_clear_retry_flags(SSL_get_rbio(s));
  267. BIO_set_retry_read(SSL_get_rbio(s));
  268. ret = -1;
  269. goto end;
  270. }
  271. s->state = s->s3->tmp.next_state;
  272. break;
  273. case DTLS1_SCTP_ST_CW_WRITE_SOCK:
  274. /* read app data until dry event */
  275. ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
  276. if (ret < 0)
  277. goto end;
  278. if (ret == 0) {
  279. s->s3->in_read_app_data = 2;
  280. s->rwstate = SSL_READING;
  281. BIO_clear_retry_flags(SSL_get_rbio(s));
  282. BIO_set_retry_read(SSL_get_rbio(s));
  283. ret = -1;
  284. goto end;
  285. }
  286. s->state = s->d1->next_state;
  287. break;
  288. #endif
  289. case SSL3_ST_CW_CLNT_HELLO_A:
  290. s->shutdown = 0;
  291. /* every DTLS ClientHello resets Finished MAC */
  292. if (!ssl3_init_finished_mac(s)) {
  293. ret = -1;
  294. s->state = SSL_ST_ERR;
  295. goto end;
  296. }
  297. /* fall thru */
  298. case SSL3_ST_CW_CLNT_HELLO_B:
  299. dtls1_start_timer(s);
  300. ret = ssl3_client_hello(s);
  301. if (ret <= 0)
  302. goto end;
  303. if (s->d1->send_cookie) {
  304. s->state = SSL3_ST_CW_FLUSH;
  305. s->s3->tmp.next_state = SSL3_ST_CR_SRVR_HELLO_A;
  306. } else
  307. s->state = SSL3_ST_CR_SRVR_HELLO_A;
  308. s->init_num = 0;
  309. #ifndef OPENSSL_NO_SCTP
  310. /* Disable buffering for SCTP */
  311. if (!BIO_dgram_is_sctp(SSL_get_wbio(s))) {
  312. #endif
  313. /*
  314. * turn on buffering for the next lot of output
  315. */
  316. if (s->bbio != s->wbio)
  317. s->wbio = BIO_push(s->bbio, s->wbio);
  318. #ifndef OPENSSL_NO_SCTP
  319. }
  320. #endif
  321. break;
  322. case SSL3_ST_CR_SRVR_HELLO_A:
  323. case SSL3_ST_CR_SRVR_HELLO_B:
  324. ret = ssl3_get_server_hello(s);
  325. if (ret <= 0)
  326. goto end;
  327. else {
  328. if (s->hit) {
  329. #ifndef OPENSSL_NO_SCTP
  330. /*
  331. * Add new shared key for SCTP-Auth, will be ignored if
  332. * no SCTP used.
  333. */
  334. snprintf((char *)labelbuffer,
  335. sizeof(DTLS1_SCTP_AUTH_LABEL),
  336. DTLS1_SCTP_AUTH_LABEL);
  337. if (SSL_export_keying_material(s, sctpauthkey,
  338. sizeof(sctpauthkey),
  339. labelbuffer,
  340. sizeof(labelbuffer), NULL, 0,
  341. 0) <= 0) {
  342. ret = -1;
  343. s->state = SSL_ST_ERR;
  344. goto end;
  345. }
  346. BIO_ctrl(SSL_get_wbio(s),
  347. BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
  348. sizeof(sctpauthkey), sctpauthkey);
  349. #endif
  350. s->state = SSL3_ST_CR_FINISHED_A;
  351. if (s->tlsext_ticket_expected) {
  352. /* receive renewed session ticket */
  353. s->state = SSL3_ST_CR_SESSION_TICKET_A;
  354. }
  355. } else
  356. s->state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
  357. }
  358. s->init_num = 0;
  359. break;
  360. case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
  361. case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B:
  362. ret = dtls1_get_hello_verify(s);
  363. if (ret <= 0)
  364. goto end;
  365. dtls1_stop_timer(s);
  366. if (s->d1->send_cookie) /* start again, with a cookie */
  367. s->state = SSL3_ST_CW_CLNT_HELLO_A;
  368. else
  369. s->state = SSL3_ST_CR_CERT_A;
  370. s->init_num = 0;
  371. break;
  372. case SSL3_ST_CR_CERT_A:
  373. case SSL3_ST_CR_CERT_B:
  374. /* Check if it is anon DH or PSK */
  375. if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
  376. !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
  377. ret = ssl3_get_server_certificate(s);
  378. if (ret <= 0)
  379. goto end;
  380. #ifndef OPENSSL_NO_TLSEXT
  381. if (s->tlsext_status_expected)
  382. s->state = SSL3_ST_CR_CERT_STATUS_A;
  383. else
  384. s->state = SSL3_ST_CR_KEY_EXCH_A;
  385. } else {
  386. skip = 1;
  387. s->state = SSL3_ST_CR_KEY_EXCH_A;
  388. }
  389. #else
  390. } else
  391. skip = 1;
  392. s->state = SSL3_ST_CR_KEY_EXCH_A;
  393. #endif
  394. s->init_num = 0;
  395. break;
  396. case SSL3_ST_CR_KEY_EXCH_A:
  397. case SSL3_ST_CR_KEY_EXCH_B:
  398. ret = ssl3_get_key_exchange(s);
  399. if (ret <= 0)
  400. goto end;
  401. s->state = SSL3_ST_CR_CERT_REQ_A;
  402. s->init_num = 0;
  403. /*
  404. * at this point we check that we have the required stuff from
  405. * the server
  406. */
  407. if (!ssl3_check_cert_and_algorithm(s)) {
  408. ret = -1;
  409. s->state = SSL_ST_ERR;
  410. goto end;
  411. }
  412. break;
  413. case SSL3_ST_CR_CERT_REQ_A:
  414. case SSL3_ST_CR_CERT_REQ_B:
  415. ret = ssl3_get_certificate_request(s);
  416. if (ret <= 0)
  417. goto end;
  418. s->state = SSL3_ST_CR_SRVR_DONE_A;
  419. s->init_num = 0;
  420. break;
  421. case SSL3_ST_CR_SRVR_DONE_A:
  422. case SSL3_ST_CR_SRVR_DONE_B:
  423. ret = ssl3_get_server_done(s);
  424. if (ret <= 0)
  425. goto end;
  426. dtls1_stop_timer(s);
  427. if (s->s3->tmp.cert_req)
  428. s->s3->tmp.next_state = SSL3_ST_CW_CERT_A;
  429. else
  430. s->s3->tmp.next_state = SSL3_ST_CW_KEY_EXCH_A;
  431. s->init_num = 0;
  432. #ifndef OPENSSL_NO_SCTP
  433. if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
  434. state == SSL_ST_RENEGOTIATE)
  435. s->state = DTLS1_SCTP_ST_CR_READ_SOCK;
  436. else
  437. #endif
  438. s->state = s->s3->tmp.next_state;
  439. break;
  440. case SSL3_ST_CW_CERT_A:
  441. case SSL3_ST_CW_CERT_B:
  442. case SSL3_ST_CW_CERT_C:
  443. case SSL3_ST_CW_CERT_D:
  444. dtls1_start_timer(s);
  445. ret = ssl3_send_client_certificate(s);
  446. if (ret <= 0)
  447. goto end;
  448. s->state = SSL3_ST_CW_KEY_EXCH_A;
  449. s->init_num = 0;
  450. break;
  451. case SSL3_ST_CW_KEY_EXCH_A:
  452. case SSL3_ST_CW_KEY_EXCH_B:
  453. dtls1_start_timer(s);
  454. ret = ssl3_send_client_key_exchange(s);
  455. if (ret <= 0)
  456. goto end;
  457. #ifndef OPENSSL_NO_SCTP
  458. /*
  459. * Add new shared key for SCTP-Auth, will be ignored if no SCTP
  460. * used.
  461. */
  462. snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
  463. DTLS1_SCTP_AUTH_LABEL);
  464. if (SSL_export_keying_material(s, sctpauthkey,
  465. sizeof(sctpauthkey), labelbuffer,
  466. sizeof(labelbuffer), NULL, 0, 0) <= 0) {
  467. ret = -1;
  468. s->state = SSL_ST_ERR;
  469. goto end;
  470. }
  471. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
  472. sizeof(sctpauthkey), sctpauthkey);
  473. #endif
  474. /*
  475. * EAY EAY EAY need to check for DH fix cert sent back
  476. */
  477. /*
  478. * For TLS, cert_req is set to 2, so a cert chain of nothing is
  479. * sent, but no verify packet is sent
  480. */
  481. if (s->s3->tmp.cert_req == 1) {
  482. s->state = SSL3_ST_CW_CERT_VRFY_A;
  483. } else {
  484. #ifndef OPENSSL_NO_SCTP
  485. if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
  486. s->d1->next_state = SSL3_ST_CW_CHANGE_A;
  487. s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
  488. } else
  489. #endif
  490. s->state = SSL3_ST_CW_CHANGE_A;
  491. }
  492. s->init_num = 0;
  493. break;
  494. case SSL3_ST_CW_CERT_VRFY_A:
  495. case SSL3_ST_CW_CERT_VRFY_B:
  496. dtls1_start_timer(s);
  497. ret = ssl3_send_client_verify(s);
  498. if (ret <= 0)
  499. goto end;
  500. #ifndef OPENSSL_NO_SCTP
  501. if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
  502. s->d1->next_state = SSL3_ST_CW_CHANGE_A;
  503. s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
  504. } else
  505. #endif
  506. s->state = SSL3_ST_CW_CHANGE_A;
  507. s->init_num = 0;
  508. break;
  509. case SSL3_ST_CW_CHANGE_A:
  510. case SSL3_ST_CW_CHANGE_B:
  511. if (!s->hit)
  512. dtls1_start_timer(s);
  513. ret = dtls1_send_change_cipher_spec(s,
  514. SSL3_ST_CW_CHANGE_A,
  515. SSL3_ST_CW_CHANGE_B);
  516. if (ret <= 0)
  517. goto end;
  518. s->state = SSL3_ST_CW_FINISHED_A;
  519. s->init_num = 0;
  520. s->session->cipher = s->s3->tmp.new_cipher;
  521. #ifdef OPENSSL_NO_COMP
  522. s->session->compress_meth = 0;
  523. #else
  524. if (s->s3->tmp.new_compression == NULL)
  525. s->session->compress_meth = 0;
  526. else
  527. s->session->compress_meth = s->s3->tmp.new_compression->id;
  528. #endif
  529. if (!s->method->ssl3_enc->setup_key_block(s)) {
  530. ret = -1;
  531. s->state = SSL_ST_ERR;
  532. goto end;
  533. }
  534. if (!s->method->ssl3_enc->change_cipher_state(s,
  535. SSL3_CHANGE_CIPHER_CLIENT_WRITE))
  536. {
  537. ret = -1;
  538. s->state = SSL_ST_ERR;
  539. goto end;
  540. }
  541. #ifndef OPENSSL_NO_SCTP
  542. if (s->hit) {
  543. /*
  544. * Change to new shared key of SCTP-Auth, will be ignored if
  545. * no SCTP used.
  546. */
  547. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
  548. 0, NULL);
  549. }
  550. #endif
  551. dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
  552. break;
  553. case SSL3_ST_CW_FINISHED_A:
  554. case SSL3_ST_CW_FINISHED_B:
  555. if (!s->hit)
  556. dtls1_start_timer(s);
  557. ret = ssl3_send_finished(s,
  558. SSL3_ST_CW_FINISHED_A,
  559. SSL3_ST_CW_FINISHED_B,
  560. s->method->
  561. ssl3_enc->client_finished_label,
  562. s->method->
  563. ssl3_enc->client_finished_label_len);
  564. if (ret <= 0)
  565. goto end;
  566. s->state = SSL3_ST_CW_FLUSH;
  567. /* clear flags */
  568. s->s3->flags &= ~SSL3_FLAGS_POP_BUFFER;
  569. if (s->hit) {
  570. s->s3->tmp.next_state = SSL_ST_OK;
  571. #ifndef OPENSSL_NO_SCTP
  572. if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
  573. s->d1->next_state = s->s3->tmp.next_state;
  574. s->s3->tmp.next_state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
  575. }
  576. #endif
  577. if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) {
  578. s->state = SSL_ST_OK;
  579. #ifndef OPENSSL_NO_SCTP
  580. if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
  581. s->d1->next_state = SSL_ST_OK;
  582. s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
  583. }
  584. #endif
  585. s->s3->flags |= SSL3_FLAGS_POP_BUFFER;
  586. s->s3->delay_buf_pop_ret = 0;
  587. }
  588. } else {
  589. #ifndef OPENSSL_NO_SCTP
  590. /*
  591. * Change to new shared key of SCTP-Auth, will be ignored if
  592. * no SCTP used.
  593. */
  594. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
  595. 0, NULL);
  596. #endif
  597. #ifndef OPENSSL_NO_TLSEXT
  598. /*
  599. * Allow NewSessionTicket if ticket expected
  600. */
  601. if (s->tlsext_ticket_expected)
  602. s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A;
  603. else
  604. #endif
  605. s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A;
  606. }
  607. s->init_num = 0;
  608. break;
  609. #ifndef OPENSSL_NO_TLSEXT
  610. case SSL3_ST_CR_SESSION_TICKET_A:
  611. case SSL3_ST_CR_SESSION_TICKET_B:
  612. ret = ssl3_get_new_session_ticket(s);
  613. if (ret <= 0)
  614. goto end;
  615. s->state = SSL3_ST_CR_FINISHED_A;
  616. s->init_num = 0;
  617. break;
  618. case SSL3_ST_CR_CERT_STATUS_A:
  619. case SSL3_ST_CR_CERT_STATUS_B:
  620. ret = ssl3_get_cert_status(s);
  621. if (ret <= 0)
  622. goto end;
  623. s->state = SSL3_ST_CR_KEY_EXCH_A;
  624. s->init_num = 0;
  625. break;
  626. #endif
  627. case SSL3_ST_CR_FINISHED_A:
  628. case SSL3_ST_CR_FINISHED_B:
  629. s->d1->change_cipher_spec_ok = 1;
  630. ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A,
  631. SSL3_ST_CR_FINISHED_B);
  632. if (ret <= 0)
  633. goto end;
  634. dtls1_stop_timer(s);
  635. if (s->hit)
  636. s->state = SSL3_ST_CW_CHANGE_A;
  637. else
  638. s->state = SSL_ST_OK;
  639. #ifndef OPENSSL_NO_SCTP
  640. if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
  641. state == SSL_ST_RENEGOTIATE) {
  642. s->d1->next_state = s->state;
  643. s->state = DTLS1_SCTP_ST_CW_WRITE_SOCK;
  644. }
  645. #endif
  646. s->init_num = 0;
  647. break;
  648. case SSL3_ST_CW_FLUSH:
  649. s->rwstate = SSL_WRITING;
  650. if (BIO_flush(s->wbio) <= 0) {
  651. /*
  652. * If the write error was fatal, stop trying
  653. */
  654. if (!BIO_should_retry(s->wbio)) {
  655. s->rwstate = SSL_NOTHING;
  656. s->state = s->s3->tmp.next_state;
  657. }
  658. ret = -1;
  659. goto end;
  660. }
  661. s->rwstate = SSL_NOTHING;
  662. s->state = s->s3->tmp.next_state;
  663. break;
  664. case SSL_ST_OK:
  665. /* clean a few things up */
  666. ssl3_cleanup_key_block(s);
  667. #if 0
  668. if (s->init_buf != NULL) {
  669. BUF_MEM_free(s->init_buf);
  670. s->init_buf = NULL;
  671. }
  672. #endif
  673. /*
  674. * If we are not 'joining' the last two packets, remove the
  675. * buffering now
  676. */
  677. if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
  678. ssl_free_wbio_buffer(s);
  679. /* else do it later in ssl3_write */
  680. s->init_num = 0;
  681. s->renegotiate = 0;
  682. s->new_session = 0;
  683. ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
  684. if (s->hit)
  685. s->ctx->stats.sess_hit++;
  686. ret = 1;
  687. /* s->server=0; */
  688. s->handshake_func = dtls1_connect;
  689. s->ctx->stats.sess_connect_good++;
  690. if (cb != NULL)
  691. cb(s, SSL_CB_HANDSHAKE_DONE, 1);
  692. /* done with handshaking */
  693. s->d1->handshake_read_seq = 0;
  694. s->d1->next_handshake_write_seq = 0;
  695. dtls1_clear_received_buffer(s);
  696. goto end;
  697. /* break; */
  698. case SSL_ST_ERR:
  699. default:
  700. SSLerr(SSL_F_DTLS1_CONNECT, SSL_R_UNKNOWN_STATE);
  701. ret = -1;
  702. goto end;
  703. /* break; */
  704. }
  705. /* did we do anything */
  706. if (!s->s3->tmp.reuse_message && !skip) {
  707. if (s->debug) {
  708. if ((ret = BIO_flush(s->wbio)) <= 0)
  709. goto end;
  710. }
  711. if ((cb != NULL) && (s->state != state)) {
  712. new_state = s->state;
  713. s->state = state;
  714. cb(s, SSL_CB_CONNECT_LOOP, 1);
  715. s->state = new_state;
  716. }
  717. }
  718. skip = 0;
  719. }
  720. end:
  721. s->in_handshake--;
  722. #ifndef OPENSSL_NO_SCTP
  723. /*
  724. * Notify SCTP BIO socket to leave handshake mode and allow stream
  725. * identifier other than 0. Will be ignored if no SCTP is used.
  726. */
  727. BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE,
  728. s->in_handshake, NULL);
  729. #endif
  730. if (buf != NULL)
  731. BUF_MEM_free(buf);
  732. if (cb != NULL)
  733. cb(s, SSL_CB_CONNECT_EXIT, ret);
  734. return (ret);
  735. }
  736. static int dtls1_get_hello_verify(SSL *s)
  737. {
  738. int n, al, ok = 0;
  739. unsigned char *data;
  740. unsigned int cookie_len;
  741. s->first_packet = 1;
  742. n = s->method->ssl_get_message(s,
  743. DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A,
  744. DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B,
  745. -1, s->max_cert_list, &ok);
  746. s->first_packet = 0;
  747. if (!ok)
  748. return ((int)n);
  749. if (s->s3->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) {
  750. s->d1->send_cookie = 0;
  751. s->s3->tmp.reuse_message = 1;
  752. return (1);
  753. }
  754. data = (unsigned char *)s->init_msg;
  755. #if 0
  756. if (s->method->version != DTLS_ANY_VERSION &&
  757. ((data[0] != (s->version >> 8)) || (data[1] != (s->version & 0xff))))
  758. {
  759. SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY, SSL_R_WRONG_SSL_VERSION);
  760. s->version = (s->version & 0xff00) | data[1];
  761. al = SSL_AD_PROTOCOL_VERSION;
  762. goto f_err;
  763. }
  764. #endif
  765. data += 2;
  766. cookie_len = *(data++);
  767. if (cookie_len > sizeof(s->d1->cookie)) {
  768. al = SSL_AD_ILLEGAL_PARAMETER;
  769. goto f_err;
  770. }
  771. memcpy(s->d1->cookie, data, cookie_len);
  772. s->d1->cookie_len = cookie_len;
  773. s->d1->send_cookie = 1;
  774. return 1;
  775. f_err:
  776. ssl3_send_alert(s, SSL3_AL_FATAL, al);
  777. s->state = SSL_ST_ERR;
  778. return -1;
  779. }