d1_clnt.c 29 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143
  1. /* ssl/d1_clnt.c */
  2. /*
  3. * DTLS implementation written by Nagendra Modadugu
  4. * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
  5. */
  6. /* ====================================================================
  7. * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
  8. *
  9. * Redistribution and use in source and binary forms, with or without
  10. * modification, are permitted provided that the following conditions
  11. * are met:
  12. *
  13. * 1. Redistributions of source code must retain the above copyright
  14. * notice, this list of conditions and the following disclaimer.
  15. *
  16. * 2. Redistributions in binary form must reproduce the above copyright
  17. * notice, this list of conditions and the following disclaimer in
  18. * the documentation and/or other materials provided with the
  19. * distribution.
  20. *
  21. * 3. All advertising materials mentioning features or use of this
  22. * software must display the following acknowledgment:
  23. * "This product includes software developed by the OpenSSL Project
  24. * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  25. *
  26. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  27. * endorse or promote products derived from this software without
  28. * prior written permission. For written permission, please contact
  29. * openssl-core@OpenSSL.org.
  30. *
  31. * 5. Products derived from this software may not be called "OpenSSL"
  32. * nor may "OpenSSL" appear in their names without prior written
  33. * permission of the OpenSSL Project.
  34. *
  35. * 6. Redistributions of any form whatsoever must retain the following
  36. * acknowledgment:
  37. * "This product includes software developed by the OpenSSL Project
  38. * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  39. *
  40. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  41. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  42. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  43. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  44. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  45. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  46. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  47. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  49. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  50. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  51. * OF THE POSSIBILITY OF SUCH DAMAGE.
  52. * ====================================================================
  53. *
  54. * This product includes cryptographic software written by Eric Young
  55. * (eay@cryptsoft.com). This product includes software written by Tim
  56. * Hudson (tjh@cryptsoft.com).
  57. *
  58. */
  59. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  60. * All rights reserved.
  61. *
  62. * This package is an SSL implementation written
  63. * by Eric Young (eay@cryptsoft.com).
  64. * The implementation was written so as to conform with Netscapes SSL.
  65. *
  66. * This library is free for commercial and non-commercial use as long as
  67. * the following conditions are aheared to. The following conditions
  68. * apply to all code found in this distribution, be it the RC4, RSA,
  69. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  70. * included with this distribution is covered by the same copyright terms
  71. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  72. *
  73. * Copyright remains Eric Young's, and as such any Copyright notices in
  74. * the code are not to be removed.
  75. * If this package is used in a product, Eric Young should be given attribution
  76. * as the author of the parts of the library used.
  77. * This can be in the form of a textual message at program startup or
  78. * in documentation (online or textual) provided with the package.
  79. *
  80. * Redistribution and use in source and binary forms, with or without
  81. * modification, are permitted provided that the following conditions
  82. * are met:
  83. * 1. Redistributions of source code must retain the copyright
  84. * notice, this list of conditions and the following disclaimer.
  85. * 2. Redistributions in binary form must reproduce the above copyright
  86. * notice, this list of conditions and the following disclaimer in the
  87. * documentation and/or other materials provided with the distribution.
  88. * 3. All advertising materials mentioning features or use of this software
  89. * must display the following acknowledgement:
  90. * "This product includes cryptographic software written by
  91. * Eric Young (eay@cryptsoft.com)"
  92. * The word 'cryptographic' can be left out if the rouines from the library
  93. * being used are not cryptographic related :-).
  94. * 4. If you include any Windows specific code (or a derivative thereof) from
  95. * the apps directory (application code) you must include an acknowledgement:
  96. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  97. *
  98. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  99. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  100. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  101. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  102. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  103. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  104. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  105. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  106. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  107. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  108. * SUCH DAMAGE.
  109. *
  110. * The licence and distribution terms for any publically available version or
  111. * derivative of this code cannot be changed. i.e. this code cannot simply be
  112. * copied and put under another distribution licence
  113. * [including the GNU Public Licence.]
  114. */
  115. #include <stdio.h>
  116. #include "ssl_locl.h"
  117. #include <openssl/buffer.h>
  118. #include <openssl/rand.h>
  119. #include <openssl/objects.h>
  120. #include <openssl/evp.h>
  121. #include <openssl/md5.h>
  122. #include <openssl/bn.h>
  123. #ifndef OPENSSL_NO_DH
  124. #include <openssl/dh.h>
  125. #endif
  126. static const SSL_METHOD *dtls1_get_client_method(int ver);
  127. static int dtls1_get_hello_verify(SSL *s);
  128. static const SSL_METHOD *dtls1_get_client_method(int ver)
  129. {
  130. if (ver == DTLS1_VERSION)
  131. return(DTLSv1_client_method());
  132. else
  133. return(NULL);
  134. }
  135. IMPLEMENT_dtls1_meth_func(DTLSv1_client_method,
  136. ssl_undefined_function,
  137. dtls1_connect,
  138. dtls1_get_client_method)
  139. int dtls1_connect(SSL *s)
  140. {
  141. BUF_MEM *buf=NULL;
  142. unsigned long Time=(unsigned long)time(NULL),l;
  143. long num1;
  144. void (*cb)(const SSL *ssl,int type,int val)=NULL;
  145. int ret= -1;
  146. int new_state,state,skip=0;;
  147. RAND_add(&Time,sizeof(Time),0);
  148. ERR_clear_error();
  149. clear_sys_error();
  150. if (s->info_callback != NULL)
  151. cb=s->info_callback;
  152. else if (s->ctx->info_callback != NULL)
  153. cb=s->ctx->info_callback;
  154. s->in_handshake++;
  155. if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
  156. for (;;)
  157. {
  158. state=s->state;
  159. switch(s->state)
  160. {
  161. case SSL_ST_RENEGOTIATE:
  162. s->new_session=1;
  163. s->state=SSL_ST_CONNECT;
  164. s->ctx->stats.sess_connect_renegotiate++;
  165. /* break */
  166. case SSL_ST_BEFORE:
  167. case SSL_ST_CONNECT:
  168. case SSL_ST_BEFORE|SSL_ST_CONNECT:
  169. case SSL_ST_OK|SSL_ST_CONNECT:
  170. s->server=0;
  171. if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
  172. if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00))
  173. {
  174. SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR);
  175. ret = -1;
  176. goto end;
  177. }
  178. /* s->version=SSL3_VERSION; */
  179. s->type=SSL_ST_CONNECT;
  180. if (s->init_buf == NULL)
  181. {
  182. if ((buf=BUF_MEM_new()) == NULL)
  183. {
  184. ret= -1;
  185. goto end;
  186. }
  187. if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
  188. {
  189. ret= -1;
  190. goto end;
  191. }
  192. s->init_buf=buf;
  193. buf=NULL;
  194. }
  195. if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
  196. /* setup buffing BIO */
  197. if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
  198. /* don't push the buffering BIO quite yet */
  199. ssl3_init_finished_mac(s);
  200. s->state=SSL3_ST_CW_CLNT_HELLO_A;
  201. s->ctx->stats.sess_connect++;
  202. s->init_num=0;
  203. break;
  204. case SSL3_ST_CW_CLNT_HELLO_A:
  205. case SSL3_ST_CW_CLNT_HELLO_B:
  206. s->shutdown=0;
  207. ret=dtls1_client_hello(s);
  208. if (ret <= 0) goto end;
  209. if ( s->d1->send_cookie)
  210. {
  211. s->state=SSL3_ST_CW_FLUSH;
  212. s->s3->tmp.next_state=SSL3_ST_CR_SRVR_HELLO_A;
  213. }
  214. else
  215. s->state=SSL3_ST_CR_SRVR_HELLO_A;
  216. s->init_num=0;
  217. /* turn on buffering for the next lot of output */
  218. if (s->bbio != s->wbio)
  219. s->wbio=BIO_push(s->bbio,s->wbio);
  220. break;
  221. case SSL3_ST_CR_SRVR_HELLO_A:
  222. case SSL3_ST_CR_SRVR_HELLO_B:
  223. ret=ssl3_get_server_hello(s);
  224. if (ret <= 0) goto end;
  225. else
  226. {
  227. if (s->hit)
  228. s->state=SSL3_ST_CR_FINISHED_A;
  229. else
  230. s->state=DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
  231. }
  232. s->init_num=0;
  233. break;
  234. case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
  235. case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B:
  236. ret = dtls1_get_hello_verify(s);
  237. if ( ret <= 0)
  238. goto end;
  239. if ( s->d1->send_cookie) /* start again, with a cookie */
  240. s->state=SSL3_ST_CW_CLNT_HELLO_A;
  241. else
  242. s->state = SSL3_ST_CR_CERT_A;
  243. s->init_num = 0;
  244. break;
  245. case SSL3_ST_CR_CERT_A:
  246. case SSL3_ST_CR_CERT_B:
  247. /* Check if it is anon DH */
  248. if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
  249. {
  250. ret=ssl3_get_server_certificate(s);
  251. if (ret <= 0) goto end;
  252. }
  253. else
  254. skip=1;
  255. s->state=SSL3_ST_CR_KEY_EXCH_A;
  256. s->init_num=0;
  257. break;
  258. case SSL3_ST_CR_KEY_EXCH_A:
  259. case SSL3_ST_CR_KEY_EXCH_B:
  260. ret=ssl3_get_key_exchange(s);
  261. if (ret <= 0) goto end;
  262. s->state=SSL3_ST_CR_CERT_REQ_A;
  263. s->init_num=0;
  264. /* at this point we check that we have the
  265. * required stuff from the server */
  266. if (!ssl3_check_cert_and_algorithm(s))
  267. {
  268. ret= -1;
  269. goto end;
  270. }
  271. break;
  272. case SSL3_ST_CR_CERT_REQ_A:
  273. case SSL3_ST_CR_CERT_REQ_B:
  274. ret=ssl3_get_certificate_request(s);
  275. if (ret <= 0) goto end;
  276. s->state=SSL3_ST_CR_SRVR_DONE_A;
  277. s->init_num=0;
  278. break;
  279. case SSL3_ST_CR_SRVR_DONE_A:
  280. case SSL3_ST_CR_SRVR_DONE_B:
  281. ret=ssl3_get_server_done(s);
  282. if (ret <= 0) goto end;
  283. if (s->s3->tmp.cert_req)
  284. s->state=SSL3_ST_CW_CERT_A;
  285. else
  286. s->state=SSL3_ST_CW_KEY_EXCH_A;
  287. s->init_num=0;
  288. break;
  289. case SSL3_ST_CW_CERT_A:
  290. case SSL3_ST_CW_CERT_B:
  291. case SSL3_ST_CW_CERT_C:
  292. case SSL3_ST_CW_CERT_D:
  293. ret=dtls1_send_client_certificate(s);
  294. if (ret <= 0) goto end;
  295. s->state=SSL3_ST_CW_KEY_EXCH_A;
  296. s->init_num=0;
  297. break;
  298. case SSL3_ST_CW_KEY_EXCH_A:
  299. case SSL3_ST_CW_KEY_EXCH_B:
  300. ret=dtls1_send_client_key_exchange(s);
  301. if (ret <= 0) goto end;
  302. l=s->s3->tmp.new_cipher->algorithms;
  303. /* EAY EAY EAY need to check for DH fix cert
  304. * sent back */
  305. /* For TLS, cert_req is set to 2, so a cert chain
  306. * of nothing is sent, but no verify packet is sent */
  307. if (s->s3->tmp.cert_req == 1)
  308. {
  309. s->state=SSL3_ST_CW_CERT_VRFY_A;
  310. }
  311. else
  312. {
  313. s->state=SSL3_ST_CW_CHANGE_A;
  314. s->s3->change_cipher_spec=0;
  315. }
  316. s->init_num=0;
  317. break;
  318. case SSL3_ST_CW_CERT_VRFY_A:
  319. case SSL3_ST_CW_CERT_VRFY_B:
  320. ret=dtls1_send_client_verify(s);
  321. if (ret <= 0) goto end;
  322. s->state=SSL3_ST_CW_CHANGE_A;
  323. s->init_num=0;
  324. s->s3->change_cipher_spec=0;
  325. break;
  326. case SSL3_ST_CW_CHANGE_A:
  327. case SSL3_ST_CW_CHANGE_B:
  328. ret=dtls1_send_change_cipher_spec(s,
  329. SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
  330. if (ret <= 0) goto end;
  331. s->state=SSL3_ST_CW_FINISHED_A;
  332. s->init_num=0;
  333. s->session->cipher=s->s3->tmp.new_cipher;
  334. #ifdef OPENSSL_NO_COMP
  335. s->session->compress_meth=0;
  336. #else
  337. if (s->s3->tmp.new_compression == NULL)
  338. s->session->compress_meth=0;
  339. else
  340. s->session->compress_meth=
  341. s->s3->tmp.new_compression->id;
  342. #endif
  343. if (!s->method->ssl3_enc->setup_key_block(s))
  344. {
  345. ret= -1;
  346. goto end;
  347. }
  348. if (!s->method->ssl3_enc->change_cipher_state(s,
  349. SSL3_CHANGE_CIPHER_CLIENT_WRITE))
  350. {
  351. ret= -1;
  352. goto end;
  353. }
  354. dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
  355. break;
  356. case SSL3_ST_CW_FINISHED_A:
  357. case SSL3_ST_CW_FINISHED_B:
  358. ret=dtls1_send_finished(s,
  359. SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
  360. s->method->ssl3_enc->client_finished_label,
  361. s->method->ssl3_enc->client_finished_label_len);
  362. if (ret <= 0) goto end;
  363. s->state=SSL3_ST_CW_FLUSH;
  364. /* clear flags */
  365. s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
  366. if (s->hit)
  367. {
  368. s->s3->tmp.next_state=SSL_ST_OK;
  369. if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
  370. {
  371. s->state=SSL_ST_OK;
  372. s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
  373. s->s3->delay_buf_pop_ret=0;
  374. }
  375. }
  376. else
  377. {
  378. s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
  379. }
  380. s->init_num=0;
  381. break;
  382. case SSL3_ST_CR_FINISHED_A:
  383. case SSL3_ST_CR_FINISHED_B:
  384. ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
  385. SSL3_ST_CR_FINISHED_B);
  386. if (ret <= 0) goto end;
  387. if (s->hit)
  388. s->state=SSL3_ST_CW_CHANGE_A;
  389. else
  390. s->state=SSL_ST_OK;
  391. s->init_num=0;
  392. break;
  393. case SSL3_ST_CW_FLUSH:
  394. /* number of bytes to be flushed */
  395. num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
  396. if (num1 > 0)
  397. {
  398. s->rwstate=SSL_WRITING;
  399. num1=BIO_flush(s->wbio);
  400. if (num1 <= 0) { ret= -1; goto end; }
  401. s->rwstate=SSL_NOTHING;
  402. }
  403. s->state=s->s3->tmp.next_state;
  404. break;
  405. case SSL_ST_OK:
  406. /* clean a few things up */
  407. ssl3_cleanup_key_block(s);
  408. #if 0
  409. if (s->init_buf != NULL)
  410. {
  411. BUF_MEM_free(s->init_buf);
  412. s->init_buf=NULL;
  413. }
  414. #endif
  415. /* If we are not 'joining' the last two packets,
  416. * remove the buffering now */
  417. if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
  418. ssl_free_wbio_buffer(s);
  419. /* else do it later in ssl3_write */
  420. s->init_num=0;
  421. s->new_session=0;
  422. ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
  423. if (s->hit) s->ctx->stats.sess_hit++;
  424. ret=1;
  425. /* s->server=0; */
  426. s->handshake_func=dtls1_connect;
  427. s->ctx->stats.sess_connect_good++;
  428. if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
  429. /* done with handshaking */
  430. s->d1->handshake_read_seq = 0;
  431. goto end;
  432. /* break; */
  433. default:
  434. SSLerr(SSL_F_DTLS1_CONNECT,SSL_R_UNKNOWN_STATE);
  435. ret= -1;
  436. goto end;
  437. /* break; */
  438. }
  439. /* did we do anything */
  440. if (!s->s3->tmp.reuse_message && !skip)
  441. {
  442. if (s->debug)
  443. {
  444. if ((ret=BIO_flush(s->wbio)) <= 0)
  445. goto end;
  446. }
  447. if ((cb != NULL) && (s->state != state))
  448. {
  449. new_state=s->state;
  450. s->state=state;
  451. cb(s,SSL_CB_CONNECT_LOOP,1);
  452. s->state=new_state;
  453. }
  454. }
  455. skip=0;
  456. }
  457. end:
  458. s->in_handshake--;
  459. if (buf != NULL)
  460. BUF_MEM_free(buf);
  461. if (cb != NULL)
  462. cb(s,SSL_CB_CONNECT_EXIT,ret);
  463. return(ret);
  464. }
  465. int dtls1_client_hello(SSL *s)
  466. {
  467. unsigned char *buf;
  468. unsigned char *p,*d;
  469. unsigned int i,j;
  470. unsigned long Time,l;
  471. SSL_COMP *comp;
  472. buf=(unsigned char *)s->init_buf->data;
  473. if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
  474. {
  475. if ((s->session == NULL) ||
  476. (s->session->ssl_version != s->version) ||
  477. (s->session->not_resumable))
  478. {
  479. if (!ssl_get_new_session(s,0))
  480. goto err;
  481. }
  482. /* else use the pre-loaded session */
  483. p=s->s3->client_random;
  484. Time=(unsigned long)time(NULL); /* Time */
  485. l2n(Time,p);
  486. RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
  487. /* Do the message type and length last */
  488. d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
  489. *(p++)=s->version>>8;
  490. *(p++)=s->version&0xff;
  491. s->client_version=s->version;
  492. /* Random stuff */
  493. memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
  494. p+=SSL3_RANDOM_SIZE;
  495. /* Session ID */
  496. if (s->new_session)
  497. i=0;
  498. else
  499. i=s->session->session_id_length;
  500. *(p++)=i;
  501. if (i != 0)
  502. {
  503. if (i > sizeof s->session->session_id)
  504. {
  505. SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
  506. goto err;
  507. }
  508. memcpy(p,s->session->session_id,i);
  509. p+=i;
  510. }
  511. /* cookie stuff */
  512. if ( s->d1->cookie_len > sizeof(s->d1->cookie))
  513. {
  514. SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
  515. goto err;
  516. }
  517. *(p++) = s->d1->cookie_len;
  518. memcpy(p, s->d1->cookie, s->d1->cookie_len);
  519. p += s->d1->cookie_len;
  520. /* Ciphers supported */
  521. i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0);
  522. if (i == 0)
  523. {
  524. SSLerr(SSL_F_DTLS1_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
  525. goto err;
  526. }
  527. s2n(i,p);
  528. p+=i;
  529. /* COMPRESSION */
  530. if (s->ctx->comp_methods == NULL)
  531. j=0;
  532. else
  533. j=sk_SSL_COMP_num(s->ctx->comp_methods);
  534. *(p++)=1+j;
  535. for (i=0; i<j; i++)
  536. {
  537. comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
  538. *(p++)=comp->id;
  539. }
  540. *(p++)=0; /* Add the NULL method */
  541. l=(p-d);
  542. d=buf;
  543. d = dtls1_set_message_header(s, d, SSL3_MT_CLIENT_HELLO, l, 0, l);
  544. s->state=SSL3_ST_CW_CLNT_HELLO_B;
  545. /* number of bytes to write */
  546. s->init_num=p-buf;
  547. s->init_off=0;
  548. /* buffer the message to handle re-xmits */
  549. dtls1_buffer_message(s, 0);
  550. }
  551. /* SSL3_ST_CW_CLNT_HELLO_B */
  552. return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
  553. err:
  554. return(-1);
  555. }
  556. static int dtls1_get_hello_verify(SSL *s)
  557. {
  558. int n, al, ok = 0;
  559. unsigned char *data;
  560. unsigned int cookie_len;
  561. n=s->method->ssl_get_message(s,
  562. DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A,
  563. DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B,
  564. -1,
  565. s->max_cert_list,
  566. &ok);
  567. if (!ok) return((int)n);
  568. if (s->s3->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST)
  569. {
  570. s->d1->send_cookie = 0;
  571. s->s3->tmp.reuse_message=1;
  572. return(1);
  573. }
  574. data = (unsigned char *)s->init_msg;
  575. if ((data[0] != (s->version>>8)) || (data[1] != (s->version&0xff)))
  576. {
  577. SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY,SSL_R_WRONG_SSL_VERSION);
  578. s->version=(s->version&0xff00)|data[1];
  579. al = SSL_AD_PROTOCOL_VERSION;
  580. goto f_err;
  581. }
  582. data+=2;
  583. cookie_len = *(data++);
  584. if ( cookie_len > sizeof(s->d1->cookie))
  585. {
  586. al=SSL_AD_ILLEGAL_PARAMETER;
  587. goto f_err;
  588. }
  589. memcpy(s->d1->cookie, data, cookie_len);
  590. s->d1->cookie_len = cookie_len;
  591. s->d1->send_cookie = 1;
  592. return 1;
  593. f_err:
  594. ssl3_send_alert(s, SSL3_AL_FATAL, al);
  595. return -1;
  596. }
  597. int dtls1_send_client_key_exchange(SSL *s)
  598. {
  599. unsigned char *p,*d;
  600. int n;
  601. unsigned long l;
  602. #ifndef OPENSSL_NO_RSA
  603. unsigned char *q;
  604. EVP_PKEY *pkey=NULL;
  605. #endif
  606. #ifndef OPENSSL_NO_KRB5
  607. KSSL_ERR kssl_err;
  608. #endif /* OPENSSL_NO_KRB5 */
  609. if (s->state == SSL3_ST_CW_KEY_EXCH_A)
  610. {
  611. d=(unsigned char *)s->init_buf->data;
  612. p= &(d[DTLS1_HM_HEADER_LENGTH]);
  613. l=s->s3->tmp.new_cipher->algorithms;
  614. /* Fool emacs indentation */
  615. if (0) {}
  616. #ifndef OPENSSL_NO_RSA
  617. else if (l & SSL_kRSA)
  618. {
  619. RSA *rsa;
  620. unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
  621. if (s->session->sess_cert->peer_rsa_tmp != NULL)
  622. rsa=s->session->sess_cert->peer_rsa_tmp;
  623. else
  624. {
  625. pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
  626. if ((pkey == NULL) ||
  627. (pkey->type != EVP_PKEY_RSA) ||
  628. (pkey->pkey.rsa == NULL))
  629. {
  630. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
  631. goto err;
  632. }
  633. rsa=pkey->pkey.rsa;
  634. EVP_PKEY_free(pkey);
  635. }
  636. tmp_buf[0]=s->client_version>>8;
  637. tmp_buf[1]=s->client_version&0xff;
  638. if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
  639. goto err;
  640. s->session->master_key_length=sizeof tmp_buf;
  641. q=p;
  642. /* Fix buf for TLS and beyond */
  643. if (s->version > SSL3_VERSION)
  644. p+=2;
  645. n=RSA_public_encrypt(sizeof tmp_buf,
  646. tmp_buf,p,rsa,RSA_PKCS1_PADDING);
  647. #ifdef PKCS1_CHECK
  648. if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
  649. if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70;
  650. #endif
  651. if (n <= 0)
  652. {
  653. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
  654. goto err;
  655. }
  656. /* Fix buf for TLS and beyond */
  657. if (s->version > SSL3_VERSION)
  658. {
  659. s2n(n,q);
  660. n+=2;
  661. }
  662. s->session->master_key_length=
  663. s->method->ssl3_enc->generate_master_secret(s,
  664. s->session->master_key,
  665. tmp_buf,sizeof tmp_buf);
  666. OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
  667. }
  668. #endif
  669. #ifndef OPENSSL_NO_KRB5
  670. else if (l & SSL_kKRB5)
  671. {
  672. krb5_error_code krb5rc;
  673. KSSL_CTX *kssl_ctx = s->kssl_ctx;
  674. /* krb5_data krb5_ap_req; */
  675. krb5_data *enc_ticket;
  676. krb5_data authenticator, *authp = NULL;
  677. EVP_CIPHER_CTX ciph_ctx;
  678. EVP_CIPHER *enc = NULL;
  679. unsigned char iv[EVP_MAX_IV_LENGTH];
  680. unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
  681. unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH
  682. + EVP_MAX_IV_LENGTH];
  683. int padl, outl = sizeof(epms);
  684. EVP_CIPHER_CTX_init(&ciph_ctx);
  685. #ifdef KSSL_DEBUG
  686. printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
  687. l, SSL_kKRB5);
  688. #endif /* KSSL_DEBUG */
  689. authp = NULL;
  690. #ifdef KRB5SENDAUTH
  691. if (KRB5SENDAUTH) authp = &authenticator;
  692. #endif /* KRB5SENDAUTH */
  693. krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp,
  694. &kssl_err);
  695. enc = kssl_map_enc(kssl_ctx->enctype);
  696. if (enc == NULL)
  697. goto err;
  698. #ifdef KSSL_DEBUG
  699. {
  700. printf("kssl_cget_tkt rtn %d\n", krb5rc);
  701. if (krb5rc && kssl_err.text)
  702. printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
  703. }
  704. #endif /* KSSL_DEBUG */
  705. if (krb5rc)
  706. {
  707. ssl3_send_alert(s,SSL3_AL_FATAL,
  708. SSL_AD_HANDSHAKE_FAILURE);
  709. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
  710. kssl_err.reason);
  711. goto err;
  712. }
  713. /* 20010406 VRS - Earlier versions used KRB5 AP_REQ
  714. ** in place of RFC 2712 KerberosWrapper, as in:
  715. **
  716. ** Send ticket (copy to *p, set n = length)
  717. ** n = krb5_ap_req.length;
  718. ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
  719. ** if (krb5_ap_req.data)
  720. ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
  721. **
  722. ** Now using real RFC 2712 KerberosWrapper
  723. ** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
  724. ** Note: 2712 "opaque" types are here replaced
  725. ** with a 2-byte length followed by the value.
  726. ** Example:
  727. ** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
  728. ** Where "xx xx" = length bytes. Shown here with
  729. ** optional authenticator omitted.
  730. */
  731. /* KerberosWrapper.Ticket */
  732. s2n(enc_ticket->length,p);
  733. memcpy(p, enc_ticket->data, enc_ticket->length);
  734. p+= enc_ticket->length;
  735. n = enc_ticket->length + 2;
  736. /* KerberosWrapper.Authenticator */
  737. if (authp && authp->length)
  738. {
  739. s2n(authp->length,p);
  740. memcpy(p, authp->data, authp->length);
  741. p+= authp->length;
  742. n+= authp->length + 2;
  743. free(authp->data);
  744. authp->data = NULL;
  745. authp->length = 0;
  746. }
  747. else
  748. {
  749. s2n(0,p);/* null authenticator length */
  750. n+=2;
  751. }
  752. if (RAND_bytes(tmp_buf,sizeof tmp_buf) <= 0)
  753. goto err;
  754. /* 20010420 VRS. Tried it this way; failed.
  755. ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
  756. ** EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
  757. ** kssl_ctx->length);
  758. ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
  759. */
  760. memset(iv, 0, sizeof iv); /* per RFC 1510 */
  761. EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,
  762. kssl_ctx->key,iv);
  763. EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf,
  764. sizeof tmp_buf);
  765. EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl);
  766. outl += padl;
  767. if (outl > sizeof epms)
  768. {
  769. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
  770. goto err;
  771. }
  772. EVP_CIPHER_CTX_cleanup(&ciph_ctx);
  773. /* KerberosWrapper.EncryptedPreMasterSecret */
  774. s2n(outl,p);
  775. memcpy(p, epms, outl);
  776. p+=outl;
  777. n+=outl + 2;
  778. s->session->master_key_length=
  779. s->method->ssl3_enc->generate_master_secret(s,
  780. s->session->master_key,
  781. tmp_buf, sizeof tmp_buf);
  782. OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
  783. OPENSSL_cleanse(epms, outl);
  784. }
  785. #endif
  786. #ifndef OPENSSL_NO_DH
  787. else if (l & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
  788. {
  789. DH *dh_srvr,*dh_clnt;
  790. if (s->session->sess_cert->peer_dh_tmp != NULL)
  791. dh_srvr=s->session->sess_cert->peer_dh_tmp;
  792. else
  793. {
  794. /* we get them from the cert */
  795. ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
  796. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
  797. goto err;
  798. }
  799. /* generate a new random key */
  800. if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
  801. {
  802. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
  803. goto err;
  804. }
  805. if (!DH_generate_key(dh_clnt))
  806. {
  807. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
  808. goto err;
  809. }
  810. /* use the 'p' output buffer for the DH key, but
  811. * make sure to clear it out afterwards */
  812. n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt);
  813. if (n <= 0)
  814. {
  815. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
  816. goto err;
  817. }
  818. /* generate master key from the result */
  819. s->session->master_key_length=
  820. s->method->ssl3_enc->generate_master_secret(s,
  821. s->session->master_key,p,n);
  822. /* clean up */
  823. memset(p,0,n);
  824. /* send off the data */
  825. n=BN_num_bytes(dh_clnt->pub_key);
  826. s2n(n,p);
  827. BN_bn2bin(dh_clnt->pub_key,p);
  828. n+=2;
  829. DH_free(dh_clnt);
  830. /* perhaps clean things up a bit EAY EAY EAY EAY*/
  831. }
  832. #endif
  833. else
  834. {
  835. ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
  836. SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
  837. goto err;
  838. }
  839. d = dtls1_set_message_header(s, d,
  840. SSL3_MT_CLIENT_KEY_EXCHANGE, n, 0, n);
  841. /*
  842. *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE;
  843. l2n3(n,d);
  844. l2n(s->d1->handshake_write_seq,d);
  845. s->d1->handshake_write_seq++;
  846. */
  847. s->state=SSL3_ST_CW_KEY_EXCH_B;
  848. /* number of bytes to write */
  849. s->init_num=n+DTLS1_HM_HEADER_LENGTH;
  850. s->init_off=0;
  851. /* buffer the message to handle re-xmits */
  852. dtls1_buffer_message(s, 0);
  853. }
  854. /* SSL3_ST_CW_KEY_EXCH_B */
  855. return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
  856. err:
  857. return(-1);
  858. }
  859. int dtls1_send_client_verify(SSL *s)
  860. {
  861. unsigned char *p,*d;
  862. unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
  863. EVP_PKEY *pkey;
  864. #ifndef OPENSSL_NO_RSA
  865. unsigned u=0;
  866. #endif
  867. unsigned long n;
  868. #ifndef OPENSSL_NO_DSA
  869. int j;
  870. #endif
  871. if (s->state == SSL3_ST_CW_CERT_VRFY_A)
  872. {
  873. d=(unsigned char *)s->init_buf->data;
  874. p= &(d[DTLS1_HM_HEADER_LENGTH]);
  875. pkey=s->cert->key->privatekey;
  876. s->method->ssl3_enc->cert_verify_mac(s,&(s->s3->finish_dgst2),
  877. &(data[MD5_DIGEST_LENGTH]));
  878. #ifndef OPENSSL_NO_RSA
  879. if (pkey->type == EVP_PKEY_RSA)
  880. {
  881. s->method->ssl3_enc->cert_verify_mac(s,
  882. &(s->s3->finish_dgst1),&(data[0]));
  883. if (RSA_sign(NID_md5_sha1, data,
  884. MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
  885. &(p[2]), &u, pkey->pkey.rsa) <= 0 )
  886. {
  887. SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
  888. goto err;
  889. }
  890. s2n(u,p);
  891. n=u+2;
  892. }
  893. else
  894. #endif
  895. #ifndef OPENSSL_NO_DSA
  896. if (pkey->type == EVP_PKEY_DSA)
  897. {
  898. if (!DSA_sign(pkey->save_type,
  899. &(data[MD5_DIGEST_LENGTH]),
  900. SHA_DIGEST_LENGTH,&(p[2]),
  901. (unsigned int *)&j,pkey->pkey.dsa))
  902. {
  903. SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
  904. goto err;
  905. }
  906. s2n(j,p);
  907. n=j+2;
  908. }
  909. else
  910. #endif
  911. {
  912. SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR);
  913. goto err;
  914. }
  915. d = dtls1_set_message_header(s, d,
  916. SSL3_MT_CERTIFICATE_VERIFY, n, 0, n) ;
  917. s->init_num=(int)n+DTLS1_HM_HEADER_LENGTH;
  918. s->init_off=0;
  919. /* buffer the message to handle re-xmits */
  920. dtls1_buffer_message(s, 0);
  921. s->state = SSL3_ST_CW_CERT_VRFY_B;
  922. }
  923. /* s->state = SSL3_ST_CW_CERT_VRFY_B */
  924. return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
  925. err:
  926. return(-1);
  927. }
  928. int dtls1_send_client_certificate(SSL *s)
  929. {
  930. X509 *x509=NULL;
  931. EVP_PKEY *pkey=NULL;
  932. int i;
  933. unsigned long l;
  934. if (s->state == SSL3_ST_CW_CERT_A)
  935. {
  936. if ((s->cert == NULL) ||
  937. (s->cert->key->x509 == NULL) ||
  938. (s->cert->key->privatekey == NULL))
  939. s->state=SSL3_ST_CW_CERT_B;
  940. else
  941. s->state=SSL3_ST_CW_CERT_C;
  942. }
  943. /* We need to get a client cert */
  944. if (s->state == SSL3_ST_CW_CERT_B)
  945. {
  946. /* If we get an error, we need to
  947. * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
  948. * We then get retied later */
  949. i=0;
  950. if (s->ctx->client_cert_cb != NULL)
  951. i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
  952. if (i < 0)
  953. {
  954. s->rwstate=SSL_X509_LOOKUP;
  955. return(-1);
  956. }
  957. s->rwstate=SSL_NOTHING;
  958. if ((i == 1) && (pkey != NULL) && (x509 != NULL))
  959. {
  960. s->state=SSL3_ST_CW_CERT_B;
  961. if ( !SSL_use_certificate(s,x509) ||
  962. !SSL_use_PrivateKey(s,pkey))
  963. i=0;
  964. }
  965. else if (i == 1)
  966. {
  967. i=0;
  968. SSLerr(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
  969. }
  970. if (x509 != NULL) X509_free(x509);
  971. if (pkey != NULL) EVP_PKEY_free(pkey);
  972. if (i == 0)
  973. {
  974. if (s->version == SSL3_VERSION)
  975. {
  976. s->s3->tmp.cert_req=0;
  977. ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
  978. return(1);
  979. }
  980. else
  981. {
  982. s->s3->tmp.cert_req=2;
  983. }
  984. }
  985. /* Ok, we have a cert */
  986. s->state=SSL3_ST_CW_CERT_C;
  987. }
  988. if (s->state == SSL3_ST_CW_CERT_C)
  989. {
  990. s->state=SSL3_ST_CW_CERT_D;
  991. l=dtls1_output_cert_chain(s,
  992. (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
  993. s->init_num=(int)l;
  994. s->init_off=0;
  995. /* set header called by dtls1_output_cert_chain() */
  996. /* buffer the message to handle re-xmits */
  997. dtls1_buffer_message(s, 0);
  998. }
  999. /* SSL3_ST_CW_CERT_D */
  1000. return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
  1001. }