1/* ssl/d1_clnt.c */ 2/* 3 * DTLS implementation written by Nagendra Modadugu 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 5 */ 6/* ==================================================================== 7 * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * openssl-core@OpenSSL.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 * 54 * This product includes cryptographic software written by Eric Young 55 * (eay@cryptsoft.com). This product includes software written by Tim 56 * Hudson (tjh@cryptsoft.com). 57 * 58 */ 59/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 60 * All rights reserved. 61 * 62 * This package is an SSL implementation written 63 * by Eric Young (eay@cryptsoft.com). 64 * The implementation was written so as to conform with Netscapes SSL. 65 * 66 * This library is free for commercial and non-commercial use as long as 67 * the following conditions are aheared to. The following conditions 68 * apply to all code found in this distribution, be it the RC4, RSA, 69 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 70 * included with this distribution is covered by the same copyright terms 71 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 72 * 73 * Copyright remains Eric Young's, and as such any Copyright notices in 74 * the code are not to be removed. 75 * If this package is used in a product, Eric Young should be given attribution 76 * as the author of the parts of the library used. 77 * This can be in the form of a textual message at program startup or 78 * in documentation (online or textual) provided with the package. 79 * 80 * Redistribution and use in source and binary forms, with or without 81 * modification, are permitted provided that the following conditions 82 * are met: 83 * 1. Redistributions of source code must retain the copyright 84 * notice, this list of conditions and the following disclaimer. 85 * 2. Redistributions in binary form must reproduce the above copyright 86 * notice, this list of conditions and the following disclaimer in the 87 * documentation and/or other materials provided with the distribution. 88 * 3. All advertising materials mentioning features or use of this software 89 * must display the following acknowledgement: 90 * "This product includes cryptographic software written by 91 * Eric Young (eay@cryptsoft.com)" 92 * The word 'cryptographic' can be left out if the rouines from the library 93 * being used are not cryptographic related :-). 94 * 4. If you include any Windows specific code (or a derivative thereof) from 95 * the apps directory (application code) you must include an acknowledgement: 96 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 97 * 98 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 99 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 100 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 101 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 102 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 103 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 104 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 105 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 106 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 107 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 108 * SUCH DAMAGE. 109 * 110 * The licence and distribution terms for any publically available version or 111 * derivative of this code cannot be changed. i.e. this code cannot simply be 112 * copied and put under another distribution licence 113 * [including the GNU Public Licence.] 114 */ 115 116#include <stdio.h> 117#include "ssl_locl.h" 118#ifndef OPENSSL_NO_KRB5 119#include "kssl_lcl.h" 120#endif 121#include <openssl/buffer.h> 122#include <openssl/rand.h> 123#include <openssl/objects.h> 124#include <openssl/evp.h> 125#include <openssl/md5.h> 126#include <openssl/bn.h> 127#ifndef OPENSSL_NO_DH 128#include <openssl/dh.h> 129#endif 130 131static const SSL_METHOD *dtls1_get_client_method(int ver); 132static int dtls1_get_hello_verify(SSL *s); 133 134static const SSL_METHOD *dtls1_get_client_method(int ver) 135 { 136 if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER) 137 return(DTLSv1_client_method()); 138 else 139 return(NULL); 140 } 141 142IMPLEMENT_dtls1_meth_func(DTLSv1_client_method, 143 ssl_undefined_function, 144 dtls1_connect, 145 dtls1_get_client_method) 146 147int dtls1_connect(SSL *s) 148 { 149 BUF_MEM *buf=NULL; 150 unsigned long Time=(unsigned long)time(NULL); 151 void (*cb)(const SSL *ssl,int type,int val)=NULL; 152 int ret= -1; 153 int new_state,state,skip=0; 154#ifndef OPENSSL_NO_SCTP 155 unsigned char sctpauthkey[64]; 156 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)]; 157#endif 158 159 RAND_add(&Time,sizeof(Time),0); 160 ERR_clear_error(); 161 clear_sys_error(); 162 163 if (s->info_callback != NULL) 164 cb=s->info_callback; 165 else if (s->ctx->info_callback != NULL) 166 cb=s->ctx->info_callback; 167 168 s->in_handshake++; 169 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); 170 171#ifndef OPENSSL_NO_SCTP 172 /* Notify SCTP BIO socket to enter handshake 173 * mode and prevent stream identifier other 174 * than 0. Will be ignored if no SCTP is used. 175 */ 176 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, s->in_handshake, NULL); 177#endif 178 179#ifndef OPENSSL_NO_HEARTBEATS 180 /* If we're awaiting a HeartbeatResponse, pretend we 181 * already got and don't await it anymore, because 182 * Heartbeats don't make sense during handshakes anyway. 183 */ 184 if (s->tlsext_hb_pending) 185 { 186 dtls1_stop_timer(s); 187 s->tlsext_hb_pending = 0; 188 s->tlsext_hb_seq++; 189 } 190#endif 191 192 for (;;) 193 { 194 state=s->state; 195 196 switch(s->state) 197 { 198 case SSL_ST_RENEGOTIATE: 199 s->renegotiate=1; 200 s->state=SSL_ST_CONNECT; 201 s->ctx->stats.sess_connect_renegotiate++; 202 /* break */ 203 case SSL_ST_BEFORE: 204 case SSL_ST_CONNECT: 205 case SSL_ST_BEFORE|SSL_ST_CONNECT: 206 case SSL_ST_OK|SSL_ST_CONNECT: 207 208 s->server=0; 209 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); 210 211 if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00) && 212 (s->version & 0xff00 ) != (DTLS1_BAD_VER & 0xff00)) 213 { 214 SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR); 215 ret = -1; 216 goto end; 217 } 218 219 /* s->version=SSL3_VERSION; */ 220 s->type=SSL_ST_CONNECT; 221 222 if (s->init_buf == NULL) 223 { 224 if ((buf=BUF_MEM_new()) == NULL) 225 { 226 ret= -1; 227 goto end; 228 } 229 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH)) 230 { 231 ret= -1; 232 goto end; 233 } 234 s->init_buf=buf; 235 buf=NULL; 236 } 237 238 if (!ssl3_setup_buffers(s)) { ret= -1; goto end; } 239 240 /* setup buffing BIO */ 241 if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; } 242 243 /* don't push the buffering BIO quite yet */ 244 245 s->state=SSL3_ST_CW_CLNT_HELLO_A; 246 s->ctx->stats.sess_connect++; 247 s->init_num=0; 248 /* mark client_random uninitialized */ 249 memset(s->s3->client_random,0,sizeof(s->s3->client_random)); 250 s->d1->send_cookie = 0; 251 s->hit = 0; 252 break; 253 254#ifndef OPENSSL_NO_SCTP 255 case DTLS1_SCTP_ST_CR_READ_SOCK: 256 257 if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) 258 { 259 s->s3->in_read_app_data=2; 260 s->rwstate=SSL_READING; 261 BIO_clear_retry_flags(SSL_get_rbio(s)); 262 BIO_set_retry_read(SSL_get_rbio(s)); 263 ret = -1; 264 goto end; 265 } 266 267 s->state=s->s3->tmp.next_state; 268 break; 269 270 case DTLS1_SCTP_ST_CW_WRITE_SOCK: 271 /* read app data until dry event */ 272 273 ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s)); 274 if (ret < 0) goto end; 275 276 if (ret == 0) 277 { 278 s->s3->in_read_app_data=2; 279 s->rwstate=SSL_READING; 280 BIO_clear_retry_flags(SSL_get_rbio(s)); 281 BIO_set_retry_read(SSL_get_rbio(s)); 282 ret = -1; 283 goto end; 284 } 285 286 s->state=s->d1->next_state; 287 break; 288#endif 289 290 case SSL3_ST_CW_CLNT_HELLO_A: 291 case SSL3_ST_CW_CLNT_HELLO_B: 292 293 s->shutdown=0; 294 295 /* every DTLS ClientHello resets Finished MAC */ 296 ssl3_init_finished_mac(s); 297 298 dtls1_start_timer(s); 299 ret=dtls1_client_hello(s); 300 if (ret <= 0) goto end; 301 302 if ( s->d1->send_cookie) 303 { 304 s->state=SSL3_ST_CW_FLUSH; 305 s->s3->tmp.next_state=SSL3_ST_CR_SRVR_HELLO_A; 306 } 307 else 308 s->state=SSL3_ST_CR_SRVR_HELLO_A; 309 310 s->init_num=0; 311 312#ifndef OPENSSL_NO_SCTP 313 /* Disable buffering for SCTP */ 314 if (!BIO_dgram_is_sctp(SSL_get_wbio(s))) 315 { 316#endif 317 /* turn on buffering for the next lot of output */ 318 if (s->bbio != s->wbio) 319 s->wbio=BIO_push(s->bbio,s->wbio); 320#ifndef OPENSSL_NO_SCTP 321 } 322#endif 323 324 break; 325 326 case SSL3_ST_CR_SRVR_HELLO_A: 327 case SSL3_ST_CR_SRVR_HELLO_B: 328 ret=ssl3_get_server_hello(s); 329 if (ret <= 0) goto end; 330 else 331 { 332 if (s->hit) 333 { 334#ifndef OPENSSL_NO_SCTP 335 /* Add new shared key for SCTP-Auth, 336 * will be ignored if no SCTP used. 337 */ 338 snprintf((char*) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL), 339 DTLS1_SCTP_AUTH_LABEL); 340 341 SSL_export_keying_material(s, sctpauthkey, 342 sizeof(sctpauthkey), labelbuffer, 343 sizeof(labelbuffer), NULL, 0, 0); 344 345 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, 346 sizeof(sctpauthkey), sctpauthkey); 347#endif 348 349 s->state=SSL3_ST_CR_FINISHED_A; 350 } 351 else 352 s->state=DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A; 353 } 354 s->init_num=0; 355 break; 356 357 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: 358 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B: 359 360 ret = dtls1_get_hello_verify(s); 361 if ( ret <= 0) 362 goto end; 363 dtls1_stop_timer(s); 364 if ( s->d1->send_cookie) /* start again, with a cookie */ 365 s->state=SSL3_ST_CW_CLNT_HELLO_A; 366 else 367 s->state = SSL3_ST_CR_CERT_A; 368 s->init_num = 0; 369 break; 370 371 case SSL3_ST_CR_CERT_A: 372 case SSL3_ST_CR_CERT_B: 373#ifndef OPENSSL_NO_TLSEXT 374 ret=ssl3_check_finished(s); 375 if (ret <= 0) goto end; 376 if (ret == 2) 377 { 378 s->hit = 1; 379 if (s->tlsext_ticket_expected) 380 s->state=SSL3_ST_CR_SESSION_TICKET_A; 381 else 382 s->state=SSL3_ST_CR_FINISHED_A; 383 s->init_num=0; 384 break; 385 } 386#endif 387 /* Check if it is anon DH or PSK */ 388 if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && 389 !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) 390 { 391 ret=ssl3_get_server_certificate(s); 392 if (ret <= 0) goto end; 393#ifndef OPENSSL_NO_TLSEXT 394 if (s->tlsext_status_expected) 395 s->state=SSL3_ST_CR_CERT_STATUS_A; 396 else 397 s->state=SSL3_ST_CR_KEY_EXCH_A; 398 } 399 else 400 { 401 skip = 1; 402 s->state=SSL3_ST_CR_KEY_EXCH_A; 403 } 404#else 405 } 406 else 407 skip=1; 408 409 s->state=SSL3_ST_CR_KEY_EXCH_A; 410#endif 411 s->init_num=0; 412 break; 413 414 case SSL3_ST_CR_KEY_EXCH_A: 415 case SSL3_ST_CR_KEY_EXCH_B: 416 ret=ssl3_get_key_exchange(s); 417 if (ret <= 0) goto end; 418 s->state=SSL3_ST_CR_CERT_REQ_A; 419 s->init_num=0; 420 421 /* at this point we check that we have the 422 * required stuff from the server */ 423 if (!ssl3_check_cert_and_algorithm(s)) 424 { 425 ret= -1; 426 goto end; 427 } 428 break; 429 430 case SSL3_ST_CR_CERT_REQ_A: 431 case SSL3_ST_CR_CERT_REQ_B: 432 ret=ssl3_get_certificate_request(s); 433 if (ret <= 0) goto end; 434 s->state=SSL3_ST_CR_SRVR_DONE_A; 435 s->init_num=0; 436 break; 437 438 case SSL3_ST_CR_SRVR_DONE_A: 439 case SSL3_ST_CR_SRVR_DONE_B: 440 ret=ssl3_get_server_done(s); 441 if (ret <= 0) goto end; 442 dtls1_stop_timer(s); 443 if (s->s3->tmp.cert_req) 444 s->s3->tmp.next_state=SSL3_ST_CW_CERT_A; 445 else 446 s->s3->tmp.next_state=SSL3_ST_CW_KEY_EXCH_A; 447 s->init_num=0; 448 449#ifndef OPENSSL_NO_SCTP 450 if (BIO_dgram_is_sctp(SSL_get_wbio(s)) && 451 state == SSL_ST_RENEGOTIATE) 452 s->state=DTLS1_SCTP_ST_CR_READ_SOCK; 453 else 454#endif 455 s->state=s->s3->tmp.next_state; 456 break; 457 458 case SSL3_ST_CW_CERT_A: 459 case SSL3_ST_CW_CERT_B: 460 case SSL3_ST_CW_CERT_C: 461 case SSL3_ST_CW_CERT_D: 462 dtls1_start_timer(s); 463 ret=dtls1_send_client_certificate(s); 464 if (ret <= 0) goto end; 465 s->state=SSL3_ST_CW_KEY_EXCH_A; 466 s->init_num=0; 467 break; 468 469 case SSL3_ST_CW_KEY_EXCH_A: 470 case SSL3_ST_CW_KEY_EXCH_B: 471 dtls1_start_timer(s); 472 ret=dtls1_send_client_key_exchange(s); 473 if (ret <= 0) goto end; 474 475#ifndef OPENSSL_NO_SCTP 476 /* Add new shared key for SCTP-Auth, 477 * will be ignored if no SCTP used. 478 */ 479 snprintf((char*) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL), 480 DTLS1_SCTP_AUTH_LABEL); 481 482 SSL_export_keying_material(s, sctpauthkey, 483 sizeof(sctpauthkey), labelbuffer, 484 sizeof(labelbuffer), NULL, 0, 0); 485 486 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, 487 sizeof(sctpauthkey), sctpauthkey); 488#endif 489 490 /* EAY EAY EAY need to check for DH fix cert 491 * sent back */ 492 /* For TLS, cert_req is set to 2, so a cert chain 493 * of nothing is sent, but no verify packet is sent */ 494 if (s->s3->tmp.cert_req == 1) 495 { 496 s->state=SSL3_ST_CW_CERT_VRFY_A; 497 } 498 else 499 { 500#ifndef OPENSSL_NO_SCTP 501 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) 502 { 503 s->d1->next_state=SSL3_ST_CW_CHANGE_A; 504 s->state=DTLS1_SCTP_ST_CW_WRITE_SOCK; 505 } 506 else 507#endif 508 s->state=SSL3_ST_CW_CHANGE_A; 509 s->s3->change_cipher_spec=0; 510 } 511 512 s->init_num=0; 513 break; 514 515 case SSL3_ST_CW_CERT_VRFY_A: 516 case SSL3_ST_CW_CERT_VRFY_B: 517 dtls1_start_timer(s); 518 ret=dtls1_send_client_verify(s); 519 if (ret <= 0) goto end; 520#ifndef OPENSSL_NO_SCTP 521 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) 522 { 523 s->d1->next_state=SSL3_ST_CW_CHANGE_A; 524 s->state=DTLS1_SCTP_ST_CW_WRITE_SOCK; 525 } 526 else 527#endif 528 s->state=SSL3_ST_CW_CHANGE_A; 529 s->init_num=0; 530 s->s3->change_cipher_spec=0; 531 break; 532 533 case SSL3_ST_CW_CHANGE_A: 534 case SSL3_ST_CW_CHANGE_B: 535 if (!s->hit) 536 dtls1_start_timer(s); 537 ret=dtls1_send_change_cipher_spec(s, 538 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); 539 if (ret <= 0) goto end; 540 541#ifndef OPENSSL_NO_SCTP 542 /* Change to new shared key of SCTP-Auth, 543 * will be ignored if no SCTP used. 544 */ 545 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL); 546#endif 547 548 s->state=SSL3_ST_CW_FINISHED_A; 549 s->init_num=0; 550 551 s->session->cipher=s->s3->tmp.new_cipher; 552#ifdef OPENSSL_NO_COMP 553 s->session->compress_meth=0; 554#else 555 if (s->s3->tmp.new_compression == NULL) 556 s->session->compress_meth=0; 557 else 558 s->session->compress_meth= 559 s->s3->tmp.new_compression->id; 560#endif 561 if (!s->method->ssl3_enc->setup_key_block(s)) 562 { 563 ret= -1; 564 goto end; 565 } 566 567 if (!s->method->ssl3_enc->change_cipher_state(s, 568 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) 569 { 570 ret= -1; 571 goto end; 572 } 573 574 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); 575 break; 576 577 case SSL3_ST_CW_FINISHED_A: 578 case SSL3_ST_CW_FINISHED_B: 579 if (!s->hit) 580 dtls1_start_timer(s); 581 ret=dtls1_send_finished(s, 582 SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B, 583 s->method->ssl3_enc->client_finished_label, 584 s->method->ssl3_enc->client_finished_label_len); 585 if (ret <= 0) goto end; 586 s->state=SSL3_ST_CW_FLUSH; 587 588 /* clear flags */ 589 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; 590 if (s->hit) 591 { 592 s->s3->tmp.next_state=SSL_ST_OK; 593#ifndef OPENSSL_NO_SCTP 594 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) 595 { 596 s->d1->next_state = s->s3->tmp.next_state; 597 s->s3->tmp.next_state=DTLS1_SCTP_ST_CW_WRITE_SOCK; 598 } 599#endif 600 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) 601 { 602 s->state=SSL_ST_OK; 603#ifndef OPENSSL_NO_SCTP 604 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) 605 { 606 s->d1->next_state = SSL_ST_OK; 607 s->state=DTLS1_SCTP_ST_CW_WRITE_SOCK; 608 } 609#endif 610 s->s3->flags|=SSL3_FLAGS_POP_BUFFER; 611 s->s3->delay_buf_pop_ret=0; 612 } 613 } 614 else 615 { 616#ifndef OPENSSL_NO_TLSEXT 617 /* Allow NewSessionTicket if ticket expected */ 618 if (s->tlsext_ticket_expected) 619 s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A; 620 else 621#endif 622 623 s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A; 624 } 625 s->init_num=0; 626 break; 627 628#ifndef OPENSSL_NO_TLSEXT 629 case SSL3_ST_CR_SESSION_TICKET_A: 630 case SSL3_ST_CR_SESSION_TICKET_B: 631 ret=ssl3_get_new_session_ticket(s); 632 if (ret <= 0) goto end; 633 s->state=SSL3_ST_CR_FINISHED_A; 634 s->init_num=0; 635 break; 636 637 case SSL3_ST_CR_CERT_STATUS_A: 638 case SSL3_ST_CR_CERT_STATUS_B: 639 ret=ssl3_get_cert_status(s); 640 if (ret <= 0) goto end; 641 s->state=SSL3_ST_CR_KEY_EXCH_A; 642 s->init_num=0; 643 break; 644#endif 645 646 case SSL3_ST_CR_FINISHED_A: 647 case SSL3_ST_CR_FINISHED_B: 648 s->d1->change_cipher_spec_ok = 1; 649 ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, 650 SSL3_ST_CR_FINISHED_B); 651 if (ret <= 0) goto end; 652 dtls1_stop_timer(s); 653 654 if (s->hit) 655 s->state=SSL3_ST_CW_CHANGE_A; 656 else 657 s->state=SSL_ST_OK; 658 659#ifndef OPENSSL_NO_SCTP 660 if (BIO_dgram_is_sctp(SSL_get_wbio(s)) && 661 state == SSL_ST_RENEGOTIATE) 662 { 663 s->d1->next_state=s->state; 664 s->state=DTLS1_SCTP_ST_CW_WRITE_SOCK; 665 } 666#endif 667 668 s->init_num=0; 669 break; 670 671 case SSL3_ST_CW_FLUSH: 672 s->rwstate=SSL_WRITING; 673 if (BIO_flush(s->wbio) <= 0) 674 { 675 /* If the write error was fatal, stop trying */ 676 if (!BIO_should_retry(s->wbio)) 677 { 678 s->rwstate=SSL_NOTHING; 679 s->state=s->s3->tmp.next_state; 680 } 681 682 ret= -1; 683 goto end; 684 } 685 s->rwstate=SSL_NOTHING; 686 s->state=s->s3->tmp.next_state; 687 break; 688 689 case SSL_ST_OK: 690 /* clean a few things up */ 691 ssl3_cleanup_key_block(s); 692 693#if 0 694 if (s->init_buf != NULL) 695 { 696 BUF_MEM_free(s->init_buf); 697 s->init_buf=NULL; 698 } 699#endif 700 701 /* If we are not 'joining' the last two packets, 702 * remove the buffering now */ 703 if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER)) 704 ssl_free_wbio_buffer(s); 705 /* else do it later in ssl3_write */ 706 707 s->init_num=0; 708 s->renegotiate=0; 709 s->new_session=0; 710 711 ssl_update_cache(s,SSL_SESS_CACHE_CLIENT); 712 if (s->hit) s->ctx->stats.sess_hit++; 713 714 ret=1; 715 /* s->server=0; */ 716 s->handshake_func=dtls1_connect; 717 s->ctx->stats.sess_connect_good++; 718 719 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); 720 721 /* done with handshaking */ 722 s->d1->handshake_read_seq = 0; 723 s->d1->next_handshake_write_seq = 0; 724 goto end; 725 /* break; */ 726 727 default: 728 SSLerr(SSL_F_DTLS1_CONNECT,SSL_R_UNKNOWN_STATE); 729 ret= -1; 730 goto end; 731 /* break; */ 732 } 733 734 /* did we do anything */ 735 if (!s->s3->tmp.reuse_message && !skip) 736 { 737 if (s->debug) 738 { 739 if ((ret=BIO_flush(s->wbio)) <= 0) 740 goto end; 741 } 742 743 if ((cb != NULL) && (s->state != state)) 744 { 745 new_state=s->state; 746 s->state=state; 747 cb(s,SSL_CB_CONNECT_LOOP,1); 748 s->state=new_state; 749 } 750 } 751 skip=0; 752 } 753end: 754 s->in_handshake--; 755 756#ifndef OPENSSL_NO_SCTP 757 /* Notify SCTP BIO socket to leave handshake 758 * mode and allow stream identifier other 759 * than 0. Will be ignored if no SCTP is used. 760 */ 761 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, s->in_handshake, NULL); 762#endif 763 764 if (buf != NULL) 765 BUF_MEM_free(buf); 766 if (cb != NULL) 767 cb(s,SSL_CB_CONNECT_EXIT,ret); 768 return(ret); 769 } 770 771int dtls1_client_hello(SSL *s) 772 { 773 unsigned char *buf; 774 unsigned char *p,*d; 775 unsigned int i,j; 776 unsigned long Time,l; 777 SSL_COMP *comp; 778 779 buf=(unsigned char *)s->init_buf->data; 780 if (s->state == SSL3_ST_CW_CLNT_HELLO_A) 781 { 782 SSL_SESSION *sess = s->session; 783 if ((s->session == NULL) || 784 (s->session->ssl_version != s->version) || 785#ifdef OPENSSL_NO_TLSEXT 786 !sess->session_id_length || 787#else 788 (!sess->session_id_length && !sess->tlsext_tick) || 789#endif 790 (s->session->not_resumable)) 791 { 792 if (!s->session_creation_enabled) 793 { 794 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 795 SSLerr(SSL_F_DTLS1_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED); 796 goto err; 797 } 798 if (!ssl_get_new_session(s,0)) 799 goto err; 800 } 801 /* else use the pre-loaded session */ 802 803 p=s->s3->client_random; 804 805 /* if client_random is initialized, reuse it, we are 806 * required to use same upon reply to HelloVerify */ 807 for (i=0;p[i]=='\0' && i<sizeof(s->s3->client_random);i++) ; 808 if (i==sizeof(s->s3->client_random)) 809 { 810 Time=(unsigned long)time(NULL); /* Time */ 811 l2n(Time,p); 812 RAND_pseudo_bytes(p,sizeof(s->s3->client_random)-4); 813 } 814 815 /* Do the message type and length last */ 816 d=p= &(buf[DTLS1_HM_HEADER_LENGTH]); 817 818 *(p++)=s->version>>8; 819 *(p++)=s->version&0xff; 820 s->client_version=s->version; 821 822 /* Random stuff */ 823 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 824 p+=SSL3_RANDOM_SIZE; 825 826 /* Session ID */ 827 if (s->new_session) 828 i=0; 829 else 830 i=s->session->session_id_length; 831 *(p++)=i; 832 if (i != 0) 833 { 834 if (i > sizeof s->session->session_id) 835 { 836 SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 837 goto err; 838 } 839 memcpy(p,s->session->session_id,i); 840 p+=i; 841 } 842 843 /* cookie stuff */ 844 if ( s->d1->cookie_len > sizeof(s->d1->cookie)) 845 { 846 SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); 847 goto err; 848 } 849 *(p++) = s->d1->cookie_len; 850 memcpy(p, s->d1->cookie, s->d1->cookie_len); 851 p += s->d1->cookie_len; 852 853 /* Ciphers supported */ 854 i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0); 855 if (i == 0) 856 { 857 SSLerr(SSL_F_DTLS1_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); 858 goto err; 859 } 860 s2n(i,p); 861 p+=i; 862 863 /* COMPRESSION */ 864 if (s->ctx->comp_methods == NULL) 865 j=0; 866 else 867 j=sk_SSL_COMP_num(s->ctx->comp_methods); 868 *(p++)=1+j; 869 for (i=0; i<j; i++) 870 { 871 comp=sk_SSL_COMP_value(s->ctx->comp_methods,i); 872 *(p++)=comp->id; 873 } 874 *(p++)=0; /* Add the NULL method */ 875 876#ifndef OPENSSL_NO_TLSEXT 877 if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) 878 { 879 SSLerr(SSL_F_DTLS1_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); 880 goto err; 881 } 882#endif 883 884 l=(p-d); 885 d=buf; 886 887 d = dtls1_set_message_header(s, d, SSL3_MT_CLIENT_HELLO, l, 0, l); 888 889 s->state=SSL3_ST_CW_CLNT_HELLO_B; 890 /* number of bytes to write */ 891 s->init_num=p-buf; 892 s->init_off=0; 893 894 /* buffer the message to handle re-xmits */ 895 dtls1_buffer_message(s, 0); 896 } 897 898 /* SSL3_ST_CW_CLNT_HELLO_B */ 899 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); 900err: 901 return(-1); 902 } 903 904static int dtls1_get_hello_verify(SSL *s) 905 { 906 int n, al, ok = 0; 907 unsigned char *data; 908 unsigned int cookie_len; 909 910 n=s->method->ssl_get_message(s, 911 DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A, 912 DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, 913 -1, 914 s->max_cert_list, 915 &ok); 916 917 if (!ok) return((int)n); 918 919 if (s->s3->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) 920 { 921 s->d1->send_cookie = 0; 922 s->s3->tmp.reuse_message=1; 923 return(1); 924 } 925 926 data = (unsigned char *)s->init_msg; 927 928 if ((data[0] != (s->version>>8)) || (data[1] != (s->version&0xff))) 929 { 930 SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY,SSL_R_WRONG_SSL_VERSION); 931 s->version=(s->version&0xff00)|data[1]; 932 al = SSL_AD_PROTOCOL_VERSION; 933 goto f_err; 934 } 935 data+=2; 936 937 cookie_len = *(data++); 938 if ( cookie_len > sizeof(s->d1->cookie)) 939 { 940 al=SSL_AD_ILLEGAL_PARAMETER; 941 goto f_err; 942 } 943 944 memcpy(s->d1->cookie, data, cookie_len); 945 s->d1->cookie_len = cookie_len; 946 947 s->d1->send_cookie = 1; 948 return 1; 949 950f_err: 951 ssl3_send_alert(s, SSL3_AL_FATAL, al); 952 return -1; 953 } 954 955int dtls1_send_client_key_exchange(SSL *s) 956 { 957 unsigned char *p,*d; 958 int n; 959 unsigned long alg_k; 960#ifndef OPENSSL_NO_RSA 961 unsigned char *q; 962 EVP_PKEY *pkey=NULL; 963#endif 964#ifndef OPENSSL_NO_KRB5 965 KSSL_ERR kssl_err; 966#endif /* OPENSSL_NO_KRB5 */ 967#ifndef OPENSSL_NO_ECDH 968 EC_KEY *clnt_ecdh = NULL; 969 const EC_POINT *srvr_ecpoint = NULL; 970 EVP_PKEY *srvr_pub_pkey = NULL; 971 unsigned char *encodedPoint = NULL; 972 int encoded_pt_len = 0; 973 BN_CTX * bn_ctx = NULL; 974#endif 975 976 if (s->state == SSL3_ST_CW_KEY_EXCH_A) 977 { 978 d=(unsigned char *)s->init_buf->data; 979 p= &(d[DTLS1_HM_HEADER_LENGTH]); 980 981 alg_k=s->s3->tmp.new_cipher->algorithm_mkey; 982 983 /* Fool emacs indentation */ 984 if (0) {} 985#ifndef OPENSSL_NO_RSA 986 else if (alg_k & SSL_kRSA) 987 { 988 RSA *rsa; 989 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 990 991 if (s->session->sess_cert->peer_rsa_tmp != NULL) 992 rsa=s->session->sess_cert->peer_rsa_tmp; 993 else 994 { 995 pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); 996 if ((pkey == NULL) || 997 (pkey->type != EVP_PKEY_RSA) || 998 (pkey->pkey.rsa == NULL)) 999 { 1000 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1001 goto err; 1002 } 1003 rsa=pkey->pkey.rsa; 1004 EVP_PKEY_free(pkey); 1005 } 1006 1007 tmp_buf[0]=s->client_version>>8; 1008 tmp_buf[1]=s->client_version&0xff; 1009 if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) 1010 goto err; 1011 1012 s->session->master_key_length=sizeof tmp_buf; 1013 1014 q=p; 1015 /* Fix buf for TLS and [incidentally] DTLS */ 1016 if (s->version > SSL3_VERSION) 1017 p+=2; 1018 n=RSA_public_encrypt(sizeof tmp_buf, 1019 tmp_buf,p,rsa,RSA_PKCS1_PADDING); 1020#ifdef PKCS1_CHECK 1021 if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++; 1022 if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70; 1023#endif 1024 if (n <= 0) 1025 { 1026 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT); 1027 goto err; 1028 } 1029 1030 /* Fix buf for TLS and [incidentally] DTLS */ 1031 if (s->version > SSL3_VERSION) 1032 { 1033 s2n(n,q); 1034 n+=2; 1035 } 1036 1037 s->session->master_key_length= 1038 s->method->ssl3_enc->generate_master_secret(s, 1039 s->session->master_key, 1040 tmp_buf,sizeof tmp_buf); 1041 OPENSSL_cleanse(tmp_buf,sizeof tmp_buf); 1042 } 1043#endif 1044#ifndef OPENSSL_NO_KRB5 1045 else if (alg_k & SSL_kKRB5) 1046 { 1047 krb5_error_code krb5rc; 1048 KSSL_CTX *kssl_ctx = s->kssl_ctx; 1049 /* krb5_data krb5_ap_req; */ 1050 krb5_data *enc_ticket; 1051 krb5_data authenticator, *authp = NULL; 1052 EVP_CIPHER_CTX ciph_ctx; 1053 const EVP_CIPHER *enc = NULL; 1054 unsigned char iv[EVP_MAX_IV_LENGTH]; 1055 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; 1056 unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH 1057 + EVP_MAX_IV_LENGTH]; 1058 int padl, outl = sizeof(epms); 1059 1060 EVP_CIPHER_CTX_init(&ciph_ctx); 1061 1062#ifdef KSSL_DEBUG 1063 printf("ssl3_send_client_key_exchange(%lx & %lx)\n", 1064 alg_k, SSL_kKRB5); 1065#endif /* KSSL_DEBUG */ 1066 1067 authp = NULL; 1068#ifdef KRB5SENDAUTH 1069 if (KRB5SENDAUTH) authp = &authenticator; 1070#endif /* KRB5SENDAUTH */ 1071 1072 krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp, 1073 &kssl_err); 1074 enc = kssl_map_enc(kssl_ctx->enctype); 1075 if (enc == NULL) 1076 goto err; 1077#ifdef KSSL_DEBUG 1078 { 1079 printf("kssl_cget_tkt rtn %d\n", krb5rc); 1080 if (krb5rc && kssl_err.text) 1081 printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text); 1082 } 1083#endif /* KSSL_DEBUG */ 1084 1085 if (krb5rc) 1086 { 1087 ssl3_send_alert(s,SSL3_AL_FATAL, 1088 SSL_AD_HANDSHAKE_FAILURE); 1089 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1090 kssl_err.reason); 1091 goto err; 1092 } 1093 1094 /* 20010406 VRS - Earlier versions used KRB5 AP_REQ 1095 ** in place of RFC 2712 KerberosWrapper, as in: 1096 ** 1097 ** Send ticket (copy to *p, set n = length) 1098 ** n = krb5_ap_req.length; 1099 ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length); 1100 ** if (krb5_ap_req.data) 1101 ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req); 1102 ** 1103 ** Now using real RFC 2712 KerberosWrapper 1104 ** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>) 1105 ** Note: 2712 "opaque" types are here replaced 1106 ** with a 2-byte length followed by the value. 1107 ** Example: 1108 ** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms 1109 ** Where "xx xx" = length bytes. Shown here with 1110 ** optional authenticator omitted. 1111 */ 1112 1113 /* KerberosWrapper.Ticket */ 1114 s2n(enc_ticket->length,p); 1115 memcpy(p, enc_ticket->data, enc_ticket->length); 1116 p+= enc_ticket->length; 1117 n = enc_ticket->length + 2; 1118 1119 /* KerberosWrapper.Authenticator */ 1120 if (authp && authp->length) 1121 { 1122 s2n(authp->length,p); 1123 memcpy(p, authp->data, authp->length); 1124 p+= authp->length; 1125 n+= authp->length + 2; 1126 1127 free(authp->data); 1128 authp->data = NULL; 1129 authp->length = 0; 1130 } 1131 else 1132 { 1133 s2n(0,p);/* null authenticator length */ 1134 n+=2; 1135 } 1136 1137 if (RAND_bytes(tmp_buf,sizeof tmp_buf) <= 0) 1138 goto err; 1139 1140 /* 20010420 VRS. Tried it this way; failed. 1141 ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL); 1142 ** EVP_CIPHER_CTX_set_key_length(&ciph_ctx, 1143 ** kssl_ctx->length); 1144 ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv); 1145 */ 1146 1147 memset(iv, 0, sizeof iv); /* per RFC 1510 */ 1148 EVP_EncryptInit_ex(&ciph_ctx,enc, NULL, 1149 kssl_ctx->key,iv); 1150 EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf, 1151 sizeof tmp_buf); 1152 EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl); 1153 outl += padl; 1154 if (outl > (int)sizeof epms) 1155 { 1156 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); 1157 goto err; 1158 } 1159 EVP_CIPHER_CTX_cleanup(&ciph_ctx); 1160 1161 /* KerberosWrapper.EncryptedPreMasterSecret */ 1162 s2n(outl,p); 1163 memcpy(p, epms, outl); 1164 p+=outl; 1165 n+=outl + 2; 1166 1167 s->session->master_key_length= 1168 s->method->ssl3_enc->generate_master_secret(s, 1169 s->session->master_key, 1170 tmp_buf, sizeof tmp_buf); 1171 1172 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); 1173 OPENSSL_cleanse(epms, outl); 1174 } 1175#endif 1176#ifndef OPENSSL_NO_DH 1177 else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) 1178 { 1179 DH *dh_srvr,*dh_clnt; 1180 1181 if (s->session->sess_cert->peer_dh_tmp != NULL) 1182 dh_srvr=s->session->sess_cert->peer_dh_tmp; 1183 else 1184 { 1185 /* we get them from the cert */ 1186 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 1187 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); 1188 goto err; 1189 } 1190 1191 /* generate a new random key */ 1192 if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL) 1193 { 1194 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 1195 goto err; 1196 } 1197 if (!DH_generate_key(dh_clnt)) 1198 { 1199 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 1200 goto err; 1201 } 1202 1203 /* use the 'p' output buffer for the DH key, but 1204 * make sure to clear it out afterwards */ 1205 1206 n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt); 1207 1208 if (n <= 0) 1209 { 1210 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 1211 goto err; 1212 } 1213 1214 /* generate master key from the result */ 1215 s->session->master_key_length= 1216 s->method->ssl3_enc->generate_master_secret(s, 1217 s->session->master_key,p,n); 1218 /* clean up */ 1219 memset(p,0,n); 1220 1221 /* send off the data */ 1222 n=BN_num_bytes(dh_clnt->pub_key); 1223 s2n(n,p); 1224 BN_bn2bin(dh_clnt->pub_key,p); 1225 n+=2; 1226 1227 DH_free(dh_clnt); 1228 1229 /* perhaps clean things up a bit EAY EAY EAY EAY*/ 1230 } 1231#endif 1232#ifndef OPENSSL_NO_ECDH 1233 else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) 1234 { 1235 const EC_GROUP *srvr_group = NULL; 1236 EC_KEY *tkey; 1237 int ecdh_clnt_cert = 0; 1238 int field_size = 0; 1239 1240 /* Did we send out the client's 1241 * ECDH share for use in premaster 1242 * computation as part of client certificate? 1243 * If so, set ecdh_clnt_cert to 1. 1244 */ 1245 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) 1246 { 1247 /* XXX: For now, we do not support client 1248 * authentication using ECDH certificates. 1249 * To add such support, one needs to add 1250 * code that checks for appropriate 1251 * conditions and sets ecdh_clnt_cert to 1. 1252 * For example, the cert have an ECC 1253 * key on the same curve as the server's 1254 * and the key should be authorized for 1255 * key agreement. 1256 * 1257 * One also needs to add code in ssl3_connect 1258 * to skip sending the certificate verify 1259 * message. 1260 * 1261 * if ((s->cert->key->privatekey != NULL) && 1262 * (s->cert->key->privatekey->type == 1263 * EVP_PKEY_EC) && ...) 1264 * ecdh_clnt_cert = 1; 1265 */ 1266 } 1267 1268 if (s->session->sess_cert->peer_ecdh_tmp != NULL) 1269 { 1270 tkey = s->session->sess_cert->peer_ecdh_tmp; 1271 } 1272 else 1273 { 1274 /* Get the Server Public Key from Cert */ 1275 srvr_pub_pkey = X509_get_pubkey(s->session-> \ 1276 sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); 1277 if ((srvr_pub_pkey == NULL) || 1278 (srvr_pub_pkey->type != EVP_PKEY_EC) || 1279 (srvr_pub_pkey->pkey.ec == NULL)) 1280 { 1281 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1282 ERR_R_INTERNAL_ERROR); 1283 goto err; 1284 } 1285 1286 tkey = srvr_pub_pkey->pkey.ec; 1287 } 1288 1289 srvr_group = EC_KEY_get0_group(tkey); 1290 srvr_ecpoint = EC_KEY_get0_public_key(tkey); 1291 1292 if ((srvr_group == NULL) || (srvr_ecpoint == NULL)) 1293 { 1294 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1295 ERR_R_INTERNAL_ERROR); 1296 goto err; 1297 } 1298 1299 if ((clnt_ecdh=EC_KEY_new()) == NULL) 1300 { 1301 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1302 goto err; 1303 } 1304 1305 if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) 1306 { 1307 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB); 1308 goto err; 1309 } 1310 if (ecdh_clnt_cert) 1311 { 1312 /* Reuse key info from our certificate 1313 * We only need our private key to perform 1314 * the ECDH computation. 1315 */ 1316 const BIGNUM *priv_key; 1317 tkey = s->cert->key->privatekey->pkey.ec; 1318 priv_key = EC_KEY_get0_private_key(tkey); 1319 if (priv_key == NULL) 1320 { 1321 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1322 goto err; 1323 } 1324 if (!EC_KEY_set_private_key(clnt_ecdh, priv_key)) 1325 { 1326 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB); 1327 goto err; 1328 } 1329 } 1330 else 1331 { 1332 /* Generate a new ECDH key pair */ 1333 if (!(EC_KEY_generate_key(clnt_ecdh))) 1334 { 1335 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB); 1336 goto err; 1337 } 1338 } 1339 1340 /* use the 'p' output buffer for the ECDH key, but 1341 * make sure to clear it out afterwards 1342 */ 1343 1344 field_size = EC_GROUP_get_degree(srvr_group); 1345 if (field_size <= 0) 1346 { 1347 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1348 ERR_R_ECDH_LIB); 1349 goto err; 1350 } 1351 n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL); 1352 if (n <= 0) 1353 { 1354 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1355 ERR_R_ECDH_LIB); 1356 goto err; 1357 } 1358 1359 /* generate master key from the result */ 1360 s->session->master_key_length = s->method->ssl3_enc \ 1361 -> generate_master_secret(s, 1362 s->session->master_key, 1363 p, n); 1364 1365 memset(p, 0, n); /* clean up */ 1366 1367 if (ecdh_clnt_cert) 1368 { 1369 /* Send empty client key exch message */ 1370 n = 0; 1371 } 1372 else 1373 { 1374 /* First check the size of encoding and 1375 * allocate memory accordingly. 1376 */ 1377 encoded_pt_len = 1378 EC_POINT_point2oct(srvr_group, 1379 EC_KEY_get0_public_key(clnt_ecdh), 1380 POINT_CONVERSION_UNCOMPRESSED, 1381 NULL, 0, NULL); 1382 1383 encodedPoint = (unsigned char *) 1384 OPENSSL_malloc(encoded_pt_len * 1385 sizeof(unsigned char)); 1386 bn_ctx = BN_CTX_new(); 1387 if ((encodedPoint == NULL) || 1388 (bn_ctx == NULL)) 1389 { 1390 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); 1391 goto err; 1392 } 1393 1394 /* Encode the public key */ 1395 n = EC_POINT_point2oct(srvr_group, 1396 EC_KEY_get0_public_key(clnt_ecdh), 1397 POINT_CONVERSION_UNCOMPRESSED, 1398 encodedPoint, encoded_pt_len, bn_ctx); 1399 1400 *p = n; /* length of encoded point */ 1401 /* Encoded point will be copied here */ 1402 p += 1; 1403 /* copy the point */ 1404 memcpy((unsigned char *)p, encodedPoint, n); 1405 /* increment n to account for length field */ 1406 n += 1; 1407 } 1408 1409 /* Free allocated memory */ 1410 BN_CTX_free(bn_ctx); 1411 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 1412 if (clnt_ecdh != NULL) 1413 EC_KEY_free(clnt_ecdh); 1414 EVP_PKEY_free(srvr_pub_pkey); 1415 } 1416#endif /* !OPENSSL_NO_ECDH */ 1417 1418#ifndef OPENSSL_NO_PSK 1419 else if (alg_k & SSL_kPSK) 1420 { 1421 char identity[PSK_MAX_IDENTITY_LEN]; 1422 unsigned char *t = NULL; 1423 unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4]; 1424 unsigned int pre_ms_len = 0, psk_len = 0; 1425 int psk_err = 1; 1426 1427 n = 0; 1428 if (s->psk_client_callback == NULL) 1429 { 1430 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1431 SSL_R_PSK_NO_CLIENT_CB); 1432 goto err; 1433 } 1434 1435 psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint, 1436 identity, PSK_MAX_IDENTITY_LEN, 1437 psk_or_pre_ms, sizeof(psk_or_pre_ms)); 1438 if (psk_len > PSK_MAX_PSK_LEN) 1439 { 1440 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1441 ERR_R_INTERNAL_ERROR); 1442 goto psk_err; 1443 } 1444 else if (psk_len == 0) 1445 { 1446 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1447 SSL_R_PSK_IDENTITY_NOT_FOUND); 1448 goto psk_err; 1449 } 1450 1451 /* create PSK pre_master_secret */ 1452 pre_ms_len = 2+psk_len+2+psk_len; 1453 t = psk_or_pre_ms; 1454 memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len); 1455 s2n(psk_len, t); 1456 memset(t, 0, psk_len); 1457 t+=psk_len; 1458 s2n(psk_len, t); 1459 1460 if (s->session->psk_identity_hint != NULL) 1461 OPENSSL_free(s->session->psk_identity_hint); 1462 s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint); 1463 if (s->ctx->psk_identity_hint != NULL && 1464 s->session->psk_identity_hint == NULL) 1465 { 1466 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1467 ERR_R_MALLOC_FAILURE); 1468 goto psk_err; 1469 } 1470 1471 if (s->session->psk_identity != NULL) 1472 OPENSSL_free(s->session->psk_identity); 1473 s->session->psk_identity = BUF_strdup(identity); 1474 if (s->session->psk_identity == NULL) 1475 { 1476 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, 1477 ERR_R_MALLOC_FAILURE); 1478 goto psk_err; 1479 } 1480 1481 s->session->master_key_length = 1482 s->method->ssl3_enc->generate_master_secret(s, 1483 s->session->master_key, 1484 psk_or_pre_ms, pre_ms_len); 1485 n = strlen(identity); 1486 s2n(n, p); 1487 memcpy(p, identity, n); 1488 n+=2; 1489 psk_err = 0; 1490 psk_err: 1491 OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN); 1492 OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); 1493 if (psk_err != 0) 1494 { 1495 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 1496 goto err; 1497 } 1498 } 1499#endif 1500 else 1501 { 1502 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); 1503 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); 1504 goto err; 1505 } 1506 1507 d = dtls1_set_message_header(s, d, 1508 SSL3_MT_CLIENT_KEY_EXCHANGE, n, 0, n); 1509 /* 1510 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE; 1511 l2n3(n,d); 1512 l2n(s->d1->handshake_write_seq,d); 1513 s->d1->handshake_write_seq++; 1514 */ 1515 1516 s->state=SSL3_ST_CW_KEY_EXCH_B; 1517 /* number of bytes to write */ 1518 s->init_num=n+DTLS1_HM_HEADER_LENGTH; 1519 s->init_off=0; 1520 1521 /* buffer the message to handle re-xmits */ 1522 dtls1_buffer_message(s, 0); 1523 } 1524 1525 /* SSL3_ST_CW_KEY_EXCH_B */ 1526 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); 1527err: 1528#ifndef OPENSSL_NO_ECDH 1529 BN_CTX_free(bn_ctx); 1530 if (encodedPoint != NULL) OPENSSL_free(encodedPoint); 1531 if (clnt_ecdh != NULL) 1532 EC_KEY_free(clnt_ecdh); 1533 EVP_PKEY_free(srvr_pub_pkey); 1534#endif 1535 return(-1); 1536 } 1537 1538int dtls1_send_client_verify(SSL *s) 1539 { 1540 unsigned char *p,*d; 1541 unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 1542 EVP_PKEY *pkey; 1543#ifndef OPENSSL_NO_RSA 1544 unsigned u=0; 1545#endif 1546 unsigned long n; 1547#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA) 1548 int j; 1549#endif 1550 1551 if (s->state == SSL3_ST_CW_CERT_VRFY_A) 1552 { 1553 d=(unsigned char *)s->init_buf->data; 1554 p= &(d[DTLS1_HM_HEADER_LENGTH]); 1555 pkey=s->cert->key->privatekey; 1556 1557 s->method->ssl3_enc->cert_verify_mac(s, 1558 NID_sha1, 1559 &(data[MD5_DIGEST_LENGTH])); 1560 1561#ifndef OPENSSL_NO_RSA 1562 if (pkey->type == EVP_PKEY_RSA) 1563 { 1564 s->method->ssl3_enc->cert_verify_mac(s, 1565 NID_md5, 1566 &(data[0])); 1567 if (RSA_sign(NID_md5_sha1, data, 1568 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, 1569 &(p[2]), &u, pkey->pkey.rsa) <= 0 ) 1570 { 1571 SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB); 1572 goto err; 1573 } 1574 s2n(u,p); 1575 n=u+2; 1576 } 1577 else 1578#endif 1579#ifndef OPENSSL_NO_DSA 1580 if (pkey->type == EVP_PKEY_DSA) 1581 { 1582 if (!DSA_sign(pkey->save_type, 1583 &(data[MD5_DIGEST_LENGTH]), 1584 SHA_DIGEST_LENGTH,&(p[2]), 1585 (unsigned int *)&j,pkey->pkey.dsa)) 1586 { 1587 SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB); 1588 goto err; 1589 } 1590 s2n(j,p); 1591 n=j+2; 1592 } 1593 else 1594#endif 1595#ifndef OPENSSL_NO_ECDSA 1596 if (pkey->type == EVP_PKEY_EC) 1597 { 1598 if (!ECDSA_sign(pkey->save_type, 1599 &(data[MD5_DIGEST_LENGTH]), 1600 SHA_DIGEST_LENGTH,&(p[2]), 1601 (unsigned int *)&j,pkey->pkey.ec)) 1602 { 1603 SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY, 1604 ERR_R_ECDSA_LIB); 1605 goto err; 1606 } 1607 s2n(j,p); 1608 n=j+2; 1609 } 1610 else 1611#endif 1612 { 1613 SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR); 1614 goto err; 1615 } 1616 1617 d = dtls1_set_message_header(s, d, 1618 SSL3_MT_CERTIFICATE_VERIFY, n, 0, n) ; 1619 1620 s->init_num=(int)n+DTLS1_HM_HEADER_LENGTH; 1621 s->init_off=0; 1622 1623 /* buffer the message to handle re-xmits */ 1624 dtls1_buffer_message(s, 0); 1625 1626 s->state = SSL3_ST_CW_CERT_VRFY_B; 1627 } 1628 1629 /* s->state = SSL3_ST_CW_CERT_VRFY_B */ 1630 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); 1631err: 1632 return(-1); 1633 } 1634 1635int dtls1_send_client_certificate(SSL *s) 1636 { 1637 X509 *x509=NULL; 1638 EVP_PKEY *pkey=NULL; 1639 int i; 1640 unsigned long l; 1641 1642 if (s->state == SSL3_ST_CW_CERT_A) 1643 { 1644 if ((s->cert == NULL) || 1645 (s->cert->key->x509 == NULL) || 1646 (s->cert->key->privatekey == NULL)) 1647 s->state=SSL3_ST_CW_CERT_B; 1648 else 1649 s->state=SSL3_ST_CW_CERT_C; 1650 } 1651 1652 /* We need to get a client cert */ 1653 if (s->state == SSL3_ST_CW_CERT_B) 1654 { 1655 /* If we get an error, we need to 1656 * ssl->rwstate=SSL_X509_LOOKUP; return(-1); 1657 * We then get retied later */ 1658 i=0; 1659 i = ssl_do_client_cert_cb(s, &x509, &pkey); 1660 if (i < 0) 1661 { 1662 s->rwstate=SSL_X509_LOOKUP; 1663 return(-1); 1664 } 1665 s->rwstate=SSL_NOTHING; 1666 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) 1667 { 1668 s->state=SSL3_ST_CW_CERT_B; 1669 if ( !SSL_use_certificate(s,x509) || 1670 !SSL_use_PrivateKey(s,pkey)) 1671 i=0; 1672 } 1673 else if (i == 1) 1674 { 1675 i=0; 1676 SSLerr(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); 1677 } 1678 1679 if (x509 != NULL) X509_free(x509); 1680 if (pkey != NULL) EVP_PKEY_free(pkey); 1681 if (i == 0) 1682 { 1683 if (s->version == SSL3_VERSION) 1684 { 1685 s->s3->tmp.cert_req=0; 1686 ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE); 1687 return(1); 1688 } 1689 else 1690 { 1691 s->s3->tmp.cert_req=2; 1692 } 1693 } 1694 1695 /* Ok, we have a cert */ 1696 s->state=SSL3_ST_CW_CERT_C; 1697 } 1698 1699 if (s->state == SSL3_ST_CW_CERT_C) 1700 { 1701 s->state=SSL3_ST_CW_CERT_D; 1702 l=dtls1_output_cert_chain(s, 1703 (s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509); 1704 s->init_num=(int)l; 1705 s->init_off=0; 1706 1707 /* set header called by dtls1_output_cert_chain() */ 1708 1709 /* buffer the message to handle re-xmits */ 1710 dtls1_buffer_message(s, 0); 1711 } 1712 /* SSL3_ST_CW_CERT_D */ 1713 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); 1714 } 1715 1716 1717