]>
Commit | Line | Data |
---|---|---|
36d16f8e | 1 | /* ssl/d1_srvr.c */ |
ae5c8664 | 2 | /* |
36d16f8e | 3 | * DTLS implementation written by Nagendra Modadugu |
ae5c8664 | 4 | * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. |
36d16f8e BL |
5 | */ |
6 | /* ==================================================================== | |
52b8dad8 | 7 | * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. |
36d16f8e BL |
8 | * |
9 | * Redistribution and use in source and binary forms, with or without | |
10 | * modification, are permitted provided that the following conditions | |
11 | * are met: | |
12 | * | |
13 | * 1. Redistributions of source code must retain the above copyright | |
ae5c8664 | 14 | * notice, this list of conditions and the following disclaimer. |
36d16f8e BL |
15 | * |
16 | * 2. Redistributions in binary form must reproduce the above copyright | |
17 | * notice, this list of conditions and the following disclaimer in | |
18 | * the documentation and/or other materials provided with the | |
19 | * distribution. | |
20 | * | |
21 | * 3. All advertising materials mentioning features or use of this | |
22 | * software must display the following acknowledgment: | |
23 | * "This product includes software developed by the OpenSSL Project | |
24 | * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" | |
25 | * | |
26 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
27 | * endorse or promote products derived from this software without | |
28 | * prior written permission. For written permission, please contact | |
29 | * openssl-core@OpenSSL.org. | |
30 | * | |
31 | * 5. Products derived from this software may not be called "OpenSSL" | |
32 | * nor may "OpenSSL" appear in their names without prior written | |
33 | * permission of the OpenSSL Project. | |
34 | * | |
35 | * 6. Redistributions of any form whatsoever must retain the following | |
36 | * acknowledgment: | |
37 | * "This product includes software developed by the OpenSSL Project | |
38 | * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" | |
39 | * | |
40 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
41 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
42 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
43 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
44 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
45 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
46 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
47 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
49 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
50 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
51 | * OF THE POSSIBILITY OF SUCH DAMAGE. | |
52 | * ==================================================================== | |
53 | * | |
54 | * This product includes cryptographic software written by Eric Young | |
55 | * (eay@cryptsoft.com). This product includes software written by Tim | |
56 | * Hudson (tjh@cryptsoft.com). | |
57 | * | |
58 | */ | |
59 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | |
60 | * All rights reserved. | |
61 | * | |
62 | * This package is an SSL implementation written | |
63 | * by Eric Young (eay@cryptsoft.com). | |
64 | * The implementation was written so as to conform with Netscapes SSL. | |
ae5c8664 | 65 | * |
36d16f8e BL |
66 | * This library is free for commercial and non-commercial use as long as |
67 | * the following conditions are aheared to. The following conditions | |
68 | * apply to all code found in this distribution, be it the RC4, RSA, | |
69 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation | |
70 | * included with this distribution is covered by the same copyright terms | |
71 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). | |
ae5c8664 | 72 | * |
36d16f8e BL |
73 | * Copyright remains Eric Young's, and as such any Copyright notices in |
74 | * the code are not to be removed. | |
75 | * If this package is used in a product, Eric Young should be given attribution | |
76 | * as the author of the parts of the library used. | |
77 | * This can be in the form of a textual message at program startup or | |
78 | * in documentation (online or textual) provided with the package. | |
ae5c8664 | 79 | * |
36d16f8e BL |
80 | * Redistribution and use in source and binary forms, with or without |
81 | * modification, are permitted provided that the following conditions | |
82 | * are met: | |
83 | * 1. Redistributions of source code must retain the copyright | |
84 | * notice, this list of conditions and the following disclaimer. | |
85 | * 2. Redistributions in binary form must reproduce the above copyright | |
86 | * notice, this list of conditions and the following disclaimer in the | |
87 | * documentation and/or other materials provided with the distribution. | |
88 | * 3. All advertising materials mentioning features or use of this software | |
89 | * must display the following acknowledgement: | |
90 | * "This product includes cryptographic software written by | |
91 | * Eric Young (eay@cryptsoft.com)" | |
92 | * The word 'cryptographic' can be left out if the rouines from the library | |
93 | * being used are not cryptographic related :-). | |
ae5c8664 | 94 | * 4. If you include any Windows specific code (or a derivative thereof) from |
36d16f8e BL |
95 | * the apps directory (application code) you must include an acknowledgement: |
96 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | |
ae5c8664 | 97 | * |
36d16f8e BL |
98 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
99 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
100 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
101 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
102 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
103 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
104 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
105 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
106 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
107 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
108 | * SUCH DAMAGE. | |
ae5c8664 | 109 | * |
36d16f8e BL |
110 | * The licence and distribution terms for any publically available version or |
111 | * derivative of this code cannot be changed. i.e. this code cannot simply be | |
112 | * copied and put under another distribution licence | |
113 | * [including the GNU Public Licence.] | |
114 | */ | |
115 | ||
116 | #include <stdio.h> | |
117 | #include "ssl_locl.h" | |
118 | #include <openssl/buffer.h> | |
119 | #include <openssl/rand.h> | |
120 | #include <openssl/objects.h> | |
121 | #include <openssl/evp.h> | |
122 | #include <openssl/x509.h> | |
123 | #include <openssl/md5.h> | |
1e26a8ba | 124 | #include <openssl/bn.h> |
3eeaab4b | 125 | #ifndef OPENSSL_NO_DH |
ae5c8664 | 126 | # include <openssl/dh.h> |
3eeaab4b | 127 | #endif |
36d16f8e | 128 | |
4ebb342f | 129 | static const SSL_METHOD *dtls1_get_server_method(int ver); |
36d16f8e BL |
130 | static int dtls1_send_hello_verify_request(SSL *s); |
131 | ||
4ebb342f | 132 | static const SSL_METHOD *dtls1_get_server_method(int ver) |
ae5c8664 | 133 | { |
0c0f1361 MC |
134 | if (ver == DTLS_ANY_VERSION) |
135 | return DTLS_server_method(); | |
136 | else if (ver == DTLS1_VERSION) | |
137 | return DTLSv1_server_method(); | |
ae5c8664 | 138 | else if (ver == DTLS1_2_VERSION) |
0c0f1361 | 139 | return DTLSv1_2_server_method(); |
ae5c8664 | 140 | else |
0c0f1361 | 141 | return NULL; |
ae5c8664 | 142 | } |
36d16f8e | 143 | |
da1247d6 | 144 | IMPLEMENT_dtls1_meth_func(DTLS1_VERSION, |
ae5c8664 MC |
145 | DTLSv1_server_method, |
146 | dtls1_accept, | |
147 | ssl_undefined_function, | |
148 | dtls1_get_server_method, DTLSv1_enc_data) | |
149 | ||
0c0f1361 | 150 | IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, |
ae5c8664 MC |
151 | DTLSv1_2_server_method, |
152 | dtls1_accept, | |
153 | ssl_undefined_function, | |
154 | dtls1_get_server_method, DTLSv1_2_enc_data) | |
155 | ||
0c0f1361 | 156 | IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION, |
ae5c8664 MC |
157 | DTLS_server_method, |
158 | dtls1_accept, | |
159 | ssl_undefined_function, | |
160 | dtls1_get_server_method, DTLSv1_2_enc_data) | |
65a87d3c | 161 | |
36d16f8e | 162 | int dtls1_accept(SSL *s) |
ae5c8664 MC |
163 | { |
164 | BUF_MEM *buf; | |
165 | unsigned long Time = (unsigned long)time(NULL); | |
166 | void (*cb) (const SSL *ssl, int type, int val) = NULL; | |
167 | unsigned long alg_k; | |
168 | int ret = -1; | |
169 | int new_state, state, skip = 0; | |
170 | int listen; | |
e065e6cd | 171 | #ifndef OPENSSL_NO_SCTP |
ae5c8664 MC |
172 | unsigned char sctpauthkey[64]; |
173 | char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)]; | |
e065e6cd | 174 | #endif |
36d16f8e | 175 | |
ae5c8664 MC |
176 | RAND_add(&Time, sizeof(Time), 0); |
177 | ERR_clear_error(); | |
178 | clear_sys_error(); | |
179 | ||
180 | if (s->info_callback != NULL) | |
181 | cb = s->info_callback; | |
182 | else if (s->ctx->info_callback != NULL) | |
183 | cb = s->ctx->info_callback; | |
36d16f8e | 184 | |
ae5c8664 | 185 | listen = s->d1->listen; |
36d16f8e | 186 | |
ae5c8664 MC |
187 | /* init things to blank */ |
188 | s->in_handshake++; | |
189 | if (!SSL_in_init(s) || SSL_in_before(s)) | |
190 | SSL_clear(s); | |
36d16f8e | 191 | |
ae5c8664 | 192 | s->d1->listen = listen; |
e065e6cd | 193 | #ifndef OPENSSL_NO_SCTP |
ae5c8664 MC |
194 | /* |
195 | * Notify SCTP BIO socket to enter handshake mode and prevent stream | |
196 | * identifier other than 0. Will be ignored if no SCTP is used. | |
197 | */ | |
198 | BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, | |
199 | s->in_handshake, NULL); | |
e065e6cd | 200 | #endif |
f1c8db9f | 201 | |
ae5c8664 MC |
202 | if (s->cert == NULL) { |
203 | SSLerr(SSL_F_DTLS1_ACCEPT, SSL_R_NO_CERTIFICATE_SET); | |
204 | return (-1); | |
205 | } | |
bd6941cf | 206 | #ifndef OPENSSL_NO_HEARTBEATS |
ae5c8664 MC |
207 | /* |
208 | * If we're awaiting a HeartbeatResponse, pretend we already got and | |
209 | * don't await it anymore, because Heartbeats don't make sense during | |
210 | * handshakes anyway. | |
211 | */ | |
212 | if (s->tlsext_hb_pending) { | |
213 | dtls1_stop_timer(s); | |
214 | s->tlsext_hb_pending = 0; | |
215 | s->tlsext_hb_seq++; | |
216 | } | |
bd6941cf DSH |
217 | #endif |
218 | ||
ae5c8664 MC |
219 | for (;;) { |
220 | state = s->state; | |
221 | ||
222 | switch (s->state) { | |
223 | case SSL_ST_RENEGOTIATE: | |
224 | s->renegotiate = 1; | |
225 | /* s->state=SSL_ST_ACCEPT; */ | |
226 | ||
227 | case SSL_ST_BEFORE: | |
228 | case SSL_ST_ACCEPT: | |
229 | case SSL_ST_BEFORE | SSL_ST_ACCEPT: | |
230 | case SSL_ST_OK | SSL_ST_ACCEPT: | |
231 | ||
232 | s->server = 1; | |
233 | if (cb != NULL) | |
234 | cb(s, SSL_CB_HANDSHAKE_START, 1); | |
235 | ||
236 | if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) { | |
237 | SSLerr(SSL_F_DTLS1_ACCEPT, ERR_R_INTERNAL_ERROR); | |
238 | return -1; | |
239 | } | |
240 | s->type = SSL_ST_ACCEPT; | |
241 | ||
242 | if (s->init_buf == NULL) { | |
243 | if ((buf = BUF_MEM_new()) == NULL) { | |
244 | ret = -1; | |
feb96e91 | 245 | s->state = SSL_ST_ERR; |
ae5c8664 MC |
246 | goto end; |
247 | } | |
248 | if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) { | |
249 | BUF_MEM_free(buf); | |
250 | ret = -1; | |
feb96e91 | 251 | s->state = SSL_ST_ERR; |
ae5c8664 MC |
252 | goto end; |
253 | } | |
254 | s->init_buf = buf; | |
255 | } | |
256 | ||
257 | if (!ssl3_setup_buffers(s)) { | |
258 | ret = -1; | |
feb96e91 | 259 | s->state = SSL_ST_ERR; |
ae5c8664 MC |
260 | goto end; |
261 | } | |
262 | ||
263 | s->init_num = 0; | |
264 | s->d1->change_cipher_spec_ok = 0; | |
265 | /* | |
266 | * Should have been reset by ssl3_get_finished, too. | |
267 | */ | |
268 | s->s3->change_cipher_spec = 0; | |
269 | ||
270 | if (s->state != SSL_ST_RENEGOTIATE) { | |
271 | /* | |
272 | * Ok, we now need to push on a buffering BIO so that the | |
273 | * output is sent in a way that TCP likes :-) ...but not with | |
274 | * SCTP :-) | |
275 | */ | |
e065e6cd | 276 | #ifndef OPENSSL_NO_SCTP |
ae5c8664 | 277 | if (!BIO_dgram_is_sctp(SSL_get_wbio(s))) |
e065e6cd | 278 | #endif |
ae5c8664 MC |
279 | if (!ssl_init_wbio_buffer(s, 1)) { |
280 | ret = -1; | |
feb96e91 | 281 | s->state = SSL_ST_ERR; |
ae5c8664 MC |
282 | goto end; |
283 | } | |
284 | ||
348681ff BE |
285 | if (!ssl3_init_finished_mac(s)) { |
286 | ret = -1; | |
287 | s->state = SSL_ST_ERR; | |
288 | goto end; | |
289 | } | |
290 | ||
ae5c8664 MC |
291 | s->state = SSL3_ST_SR_CLNT_HELLO_A; |
292 | s->ctx->stats.sess_accept++; | |
d40ec4ab MC |
293 | } else if (!s->s3->send_connection_binding && |
294 | !(s->options & | |
295 | SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { | |
296 | /* | |
297 | * Server attempting to renegotiate with client that doesn't | |
298 | * support secure renegotiation. | |
299 | */ | |
300 | SSLerr(SSL_F_DTLS1_ACCEPT, | |
301 | SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); | |
302 | ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); | |
303 | ret = -1; | |
304 | s->state = SSL_ST_ERR; | |
305 | goto end; | |
ae5c8664 MC |
306 | } else { |
307 | /* | |
308 | * s->state == SSL_ST_RENEGOTIATE, we will just send a | |
309 | * HelloRequest | |
310 | */ | |
311 | s->ctx->stats.sess_accept_renegotiate++; | |
312 | s->state = SSL3_ST_SW_HELLO_REQ_A; | |
313 | } | |
314 | ||
315 | break; | |
316 | ||
317 | case SSL3_ST_SW_HELLO_REQ_A: | |
318 | case SSL3_ST_SW_HELLO_REQ_B: | |
319 | ||
320 | s->shutdown = 0; | |
26f2c577 | 321 | dtls1_clear_sent_buffer(s); |
ae5c8664 MC |
322 | dtls1_start_timer(s); |
323 | ret = ssl3_send_hello_request(s); | |
324 | if (ret <= 0) | |
325 | goto end; | |
326 | s->s3->tmp.next_state = SSL3_ST_SR_CLNT_HELLO_A; | |
327 | s->state = SSL3_ST_SW_FLUSH; | |
328 | s->init_num = 0; | |
329 | ||
348681ff BE |
330 | if (!ssl3_init_finished_mac(s)) { |
331 | ret = -1; | |
332 | s->state = SSL_ST_ERR; | |
333 | goto end; | |
334 | } | |
ae5c8664 MC |
335 | break; |
336 | ||
337 | case SSL3_ST_SW_HELLO_REQ_C: | |
338 | s->state = SSL_ST_OK; | |
339 | break; | |
340 | ||
341 | case SSL3_ST_SR_CLNT_HELLO_A: | |
342 | case SSL3_ST_SR_CLNT_HELLO_B: | |
343 | case SSL3_ST_SR_CLNT_HELLO_C: | |
344 | ||
345 | s->shutdown = 0; | |
346 | ret = ssl3_get_client_hello(s); | |
347 | if (ret <= 0) | |
348 | goto end; | |
349 | dtls1_stop_timer(s); | |
350 | ||
351 | if (ret == 1 && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) | |
352 | s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A; | |
353 | else | |
354 | s->state = SSL3_ST_SW_SRVR_HELLO_A; | |
355 | ||
356 | s->init_num = 0; | |
357 | ||
ae5c8664 MC |
358 | /* If we're just listening, stop here */ |
359 | if (listen && s->state == SSL3_ST_SW_SRVR_HELLO_A) { | |
360 | ret = 2; | |
361 | s->d1->listen = 0; | |
362 | /* | |
363 | * Set expected sequence numbers to continue the handshake. | |
364 | */ | |
365 | s->d1->handshake_read_seq = 2; | |
366 | s->d1->handshake_write_seq = 1; | |
367 | s->d1->next_handshake_write_seq = 1; | |
368 | goto end; | |
369 | } | |
370 | ||
371 | break; | |
372 | ||
373 | case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A: | |
374 | case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B: | |
375 | ||
376 | ret = dtls1_send_hello_verify_request(s); | |
377 | if (ret <= 0) | |
378 | goto end; | |
379 | s->state = SSL3_ST_SW_FLUSH; | |
380 | s->s3->tmp.next_state = SSL3_ST_SR_CLNT_HELLO_A; | |
381 | ||
382 | /* HelloVerifyRequest resets Finished MAC */ | |
383 | if (s->version != DTLS1_BAD_VER) | |
348681ff BE |
384 | if (!ssl3_init_finished_mac(s)) { |
385 | ret = -1; | |
386 | s->state = SSL_ST_ERR; | |
387 | goto end; | |
388 | } | |
ae5c8664 MC |
389 | break; |
390 | ||
e065e6cd | 391 | #ifndef OPENSSL_NO_SCTP |
ae5c8664 MC |
392 | case DTLS1_SCTP_ST_SR_READ_SOCK: |
393 | ||
394 | if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) { | |
395 | s->s3->in_read_app_data = 2; | |
396 | s->rwstate = SSL_READING; | |
397 | BIO_clear_retry_flags(SSL_get_rbio(s)); | |
398 | BIO_set_retry_read(SSL_get_rbio(s)); | |
399 | ret = -1; | |
400 | goto end; | |
401 | } | |
402 | ||
403 | s->state = SSL3_ST_SR_FINISHED_A; | |
404 | break; | |
405 | ||
406 | case DTLS1_SCTP_ST_SW_WRITE_SOCK: | |
407 | ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s)); | |
408 | if (ret < 0) | |
409 | goto end; | |
410 | ||
411 | if (ret == 0) { | |
412 | if (s->d1->next_state != SSL_ST_OK) { | |
413 | s->s3->in_read_app_data = 2; | |
414 | s->rwstate = SSL_READING; | |
415 | BIO_clear_retry_flags(SSL_get_rbio(s)); | |
416 | BIO_set_retry_read(SSL_get_rbio(s)); | |
417 | ret = -1; | |
418 | goto end; | |
419 | } | |
420 | } | |
421 | ||
422 | s->state = s->d1->next_state; | |
423 | break; | |
e065e6cd DSH |
424 | #endif |
425 | ||
ae5c8664 MC |
426 | case SSL3_ST_SW_SRVR_HELLO_A: |
427 | case SSL3_ST_SW_SRVR_HELLO_B: | |
428 | s->renegotiate = 2; | |
429 | dtls1_start_timer(s); | |
430 | ret = ssl3_send_server_hello(s); | |
431 | if (ret <= 0) | |
432 | goto end; | |
36d16f8e | 433 | |
ae5c8664 | 434 | if (s->hit) { |
e065e6cd | 435 | #ifndef OPENSSL_NO_SCTP |
ae5c8664 MC |
436 | /* |
437 | * Add new shared key for SCTP-Auth, will be ignored if no | |
438 | * SCTP used. | |
439 | */ | |
440 | snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL), | |
441 | DTLS1_SCTP_AUTH_LABEL); | |
442 | ||
b3a62dc0 MC |
443 | if (SSL_export_keying_material(s, sctpauthkey, |
444 | sizeof(sctpauthkey), labelbuffer, | |
445 | sizeof(labelbuffer), NULL, 0, 0) <= 0) { | |
446 | ret = -1; | |
447 | s->state = SSL_ST_ERR; | |
448 | goto end; | |
449 | } | |
ae5c8664 MC |
450 | |
451 | BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, | |
e065e6cd DSH |
452 | sizeof(sctpauthkey), sctpauthkey); |
453 | #endif | |
454 | #ifndef OPENSSL_NO_TLSEXT | |
ae5c8664 MC |
455 | if (s->tlsext_ticket_expected) |
456 | s->state = SSL3_ST_SW_SESSION_TICKET_A; | |
457 | else | |
458 | s->state = SSL3_ST_SW_CHANGE_A; | |
593222af | 459 | #else |
ae5c8664 | 460 | s->state = SSL3_ST_SW_CHANGE_A; |
593222af | 461 | #endif |
ae5c8664 MC |
462 | } else |
463 | s->state = SSL3_ST_SW_CERT_A; | |
464 | s->init_num = 0; | |
465 | break; | |
466 | ||
467 | case SSL3_ST_SW_CERT_A: | |
468 | case SSL3_ST_SW_CERT_B: | |
469 | /* Check if it is anon DH or normal PSK */ | |
470 | if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) | |
471 | && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { | |
472 | dtls1_start_timer(s); | |
473 | ret = ssl3_send_server_certificate(s); | |
474 | if (ret <= 0) | |
475 | goto end; | |
593222af | 476 | #ifndef OPENSSL_NO_TLSEXT |
ae5c8664 MC |
477 | if (s->tlsext_status_expected) |
478 | s->state = SSL3_ST_SW_CERT_STATUS_A; | |
479 | else | |
480 | s->state = SSL3_ST_SW_KEY_EXCH_A; | |
481 | } else { | |
482 | skip = 1; | |
483 | s->state = SSL3_ST_SW_KEY_EXCH_A; | |
484 | } | |
593222af | 485 | #else |
ae5c8664 MC |
486 | } else |
487 | skip = 1; | |
593222af | 488 | |
ae5c8664 | 489 | s->state = SSL3_ST_SW_KEY_EXCH_A; |
593222af | 490 | #endif |
ae5c8664 MC |
491 | s->init_num = 0; |
492 | break; | |
493 | ||
494 | case SSL3_ST_SW_KEY_EXCH_A: | |
495 | case SSL3_ST_SW_KEY_EXCH_B: | |
496 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; | |
497 | ||
498 | /* | |
499 | * clear this, it may get reset by | |
500 | * send_server_key_exchange | |
501 | */ | |
502 | s->s3->tmp.use_rsa_tmp = 0; | |
503 | ||
504 | /* | |
505 | * only send if a DH key exchange or RSA but we have a sign only | |
506 | * certificate | |
507 | */ | |
508 | if (0 | |
509 | /* | |
510 | * PSK: send ServerKeyExchange if PSK identity hint if | |
511 | * provided | |
512 | */ | |
e1f09dfd | 513 | #ifndef OPENSSL_NO_PSK |
ae5c8664 | 514 | || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint) |
e1f09dfd | 515 | #endif |
fe82be2b | 516 | || (alg_k & SSL_kDHE) |
ae5c8664 MC |
517 | || (alg_k & SSL_kEECDH) |
518 | || ((alg_k & SSL_kRSA) | |
519 | && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL | |
520 | || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) | |
323d39e8 | 521 | && EVP_PKEY_size(s->cert->pkeys |
ae5c8664 MC |
522 | [SSL_PKEY_RSA_ENC].privatekey) * |
523 | 8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher) | |
524 | ) | |
525 | ) | |
526 | ) | |
527 | ) { | |
528 | dtls1_start_timer(s); | |
529 | ret = ssl3_send_server_key_exchange(s); | |
530 | if (ret <= 0) | |
531 | goto end; | |
532 | } else | |
533 | skip = 1; | |
534 | ||
535 | s->state = SSL3_ST_SW_CERT_REQ_A; | |
536 | s->init_num = 0; | |
537 | break; | |
538 | ||
539 | case SSL3_ST_SW_CERT_REQ_A: | |
540 | case SSL3_ST_SW_CERT_REQ_B: | |
541 | if ( /* don't request cert unless asked for it: */ | |
542 | !(s->verify_mode & SSL_VERIFY_PEER) || | |
543 | /* | |
544 | * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert | |
545 | * during re-negotiation: | |
546 | */ | |
547 | ((s->session->peer != NULL) && | |
548 | (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || | |
549 | /* | |
550 | * never request cert in anonymous ciphersuites (see | |
551 | * section "Certificate request" in SSL 3 drafts and in | |
552 | * RFC 2246): | |
553 | */ | |
554 | ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) && | |
555 | /* | |
556 | * ... except when the application insists on | |
557 | * verification (against the specs, but s3_clnt.c accepts | |
558 | * this for SSL 3) | |
559 | */ | |
560 | !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) || | |
561 | /* | |
562 | * never request cert in Kerberos ciphersuites | |
563 | */ | |
564 | (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) | |
565 | /* | |
566 | * With normal PSK Certificates and Certificate Requests | |
567 | * are omitted | |
568 | */ | |
569 | || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { | |
570 | /* no cert request */ | |
571 | skip = 1; | |
572 | s->s3->tmp.cert_request = 0; | |
573 | s->state = SSL3_ST_SW_SRVR_DONE_A; | |
e065e6cd | 574 | #ifndef OPENSSL_NO_SCTP |
ae5c8664 MC |
575 | if (BIO_dgram_is_sctp(SSL_get_wbio(s))) { |
576 | s->d1->next_state = SSL3_ST_SW_SRVR_DONE_A; | |
577 | s->state = DTLS1_SCTP_ST_SW_WRITE_SOCK; | |
578 | } | |
e065e6cd | 579 | #endif |
ae5c8664 MC |
580 | } else { |
581 | s->s3->tmp.cert_request = 1; | |
582 | dtls1_start_timer(s); | |
583 | ret = ssl3_send_certificate_request(s); | |
584 | if (ret <= 0) | |
585 | goto end; | |
36d16f8e | 586 | #ifndef NETSCAPE_HANG_BUG |
ae5c8664 MC |
587 | s->state = SSL3_ST_SW_SRVR_DONE_A; |
588 | # ifndef OPENSSL_NO_SCTP | |
589 | if (BIO_dgram_is_sctp(SSL_get_wbio(s))) { | |
590 | s->d1->next_state = SSL3_ST_SW_SRVR_DONE_A; | |
591 | s->state = DTLS1_SCTP_ST_SW_WRITE_SOCK; | |
592 | } | |
593 | # endif | |
36d16f8e | 594 | #else |
ae5c8664 MC |
595 | s->state = SSL3_ST_SW_FLUSH; |
596 | s->s3->tmp.next_state = SSL3_ST_SR_CERT_A; | |
597 | # ifndef OPENSSL_NO_SCTP | |
598 | if (BIO_dgram_is_sctp(SSL_get_wbio(s))) { | |
599 | s->d1->next_state = s->s3->tmp.next_state; | |
600 | s->s3->tmp.next_state = DTLS1_SCTP_ST_SW_WRITE_SOCK; | |
601 | } | |
602 | # endif | |
36d16f8e | 603 | #endif |
ae5c8664 MC |
604 | s->init_num = 0; |
605 | } | |
606 | break; | |
607 | ||
608 | case SSL3_ST_SW_SRVR_DONE_A: | |
609 | case SSL3_ST_SW_SRVR_DONE_B: | |
610 | dtls1_start_timer(s); | |
611 | ret = ssl3_send_server_done(s); | |
612 | if (ret <= 0) | |
613 | goto end; | |
614 | s->s3->tmp.next_state = SSL3_ST_SR_CERT_A; | |
615 | s->state = SSL3_ST_SW_FLUSH; | |
616 | s->init_num = 0; | |
617 | break; | |
618 | ||
619 | case SSL3_ST_SW_FLUSH: | |
620 | s->rwstate = SSL_WRITING; | |
621 | if (BIO_flush(s->wbio) <= 0) { | |
622 | /* | |
623 | * If the write error was fatal, stop trying | |
624 | */ | |
625 | if (!BIO_should_retry(s->wbio)) { | |
626 | s->rwstate = SSL_NOTHING; | |
627 | s->state = s->s3->tmp.next_state; | |
628 | } | |
629 | ||
630 | ret = -1; | |
631 | goto end; | |
632 | } | |
633 | s->rwstate = SSL_NOTHING; | |
634 | s->state = s->s3->tmp.next_state; | |
635 | break; | |
636 | ||
637 | case SSL3_ST_SR_CERT_A: | |
638 | case SSL3_ST_SR_CERT_B: | |
639 | if (s->s3->tmp.cert_request) { | |
640 | ret = ssl3_get_client_certificate(s); | |
641 | if (ret <= 0) | |
642 | goto end; | |
643 | } | |
644 | s->init_num = 0; | |
645 | s->state = SSL3_ST_SR_KEY_EXCH_A; | |
646 | break; | |
647 | ||
648 | case SSL3_ST_SR_KEY_EXCH_A: | |
649 | case SSL3_ST_SR_KEY_EXCH_B: | |
650 | ret = ssl3_get_client_key_exchange(s); | |
651 | if (ret <= 0) | |
652 | goto end; | |
e065e6cd | 653 | #ifndef OPENSSL_NO_SCTP |
ae5c8664 MC |
654 | /* |
655 | * Add new shared key for SCTP-Auth, will be ignored if no SCTP | |
656 | * used. | |
657 | */ | |
658 | snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL), | |
659 | DTLS1_SCTP_AUTH_LABEL); | |
660 | ||
b3a62dc0 | 661 | if (SSL_export_keying_material(s, sctpauthkey, |
ae5c8664 | 662 | sizeof(sctpauthkey), labelbuffer, |
b3a62dc0 MC |
663 | sizeof(labelbuffer), NULL, 0, 0) <= 0) { |
664 | ret = -1; | |
665 | s->state = SSL_ST_ERR; | |
666 | goto end; | |
667 | } | |
ae5c8664 MC |
668 | |
669 | BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, | |
670 | sizeof(sctpauthkey), sctpauthkey); | |
e065e6cd DSH |
671 | #endif |
672 | ||
ae5c8664 MC |
673 | s->state = SSL3_ST_SR_CERT_VRFY_A; |
674 | s->init_num = 0; | |
675 | ||
676 | if (ret == 2) { | |
677 | /* | |
678 | * For the ECDH ciphersuites when the client sends its ECDH | |
679 | * pub key in a certificate, the CertificateVerify message is | |
680 | * not sent. | |
681 | */ | |
682 | s->state = SSL3_ST_SR_FINISHED_A; | |
683 | s->init_num = 0; | |
684 | } else if (SSL_USE_SIGALGS(s)) { | |
685 | s->state = SSL3_ST_SR_CERT_VRFY_A; | |
686 | s->init_num = 0; | |
687 | if (!s->session->peer) | |
688 | break; | |
689 | /* | |
690 | * For sigalgs freeze the handshake buffer at this point and | |
691 | * digest cached records. | |
692 | */ | |
693 | if (!s->s3->handshake_buffer) { | |
694 | SSLerr(SSL_F_DTLS1_ACCEPT, ERR_R_INTERNAL_ERROR); | |
feb96e91 | 695 | s->state = SSL_ST_ERR; |
ae5c8664 MC |
696 | return -1; |
697 | } | |
698 | s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE; | |
feb96e91 MC |
699 | if (!ssl3_digest_cached_records(s)) { |
700 | s->state = SSL_ST_ERR; | |
ae5c8664 | 701 | return -1; |
feb96e91 | 702 | } |
ae5c8664 MC |
703 | } else { |
704 | s->state = SSL3_ST_SR_CERT_VRFY_A; | |
705 | s->init_num = 0; | |
706 | ||
707 | /* | |
708 | * We need to get hashes here so if there is a client cert, | |
709 | * it can be verified | |
710 | */ | |
711 | s->method->ssl3_enc->cert_verify_mac(s, | |
712 | NID_md5, | |
713 | &(s->s3-> | |
714 | tmp.cert_verify_md | |
715 | [0])); | |
716 | s->method->ssl3_enc->cert_verify_mac(s, NID_sha1, | |
717 | &(s->s3-> | |
718 | tmp.cert_verify_md | |
719 | [MD5_DIGEST_LENGTH])); | |
720 | } | |
721 | break; | |
722 | ||
723 | case SSL3_ST_SR_CERT_VRFY_A: | |
724 | case SSL3_ST_SR_CERT_VRFY_B: | |
ae5c8664 MC |
725 | ret = ssl3_get_cert_verify(s); |
726 | if (ret <= 0) | |
727 | goto end; | |
e065e6cd | 728 | #ifndef OPENSSL_NO_SCTP |
ae5c8664 MC |
729 | if (BIO_dgram_is_sctp(SSL_get_wbio(s)) && |
730 | state == SSL_ST_RENEGOTIATE) | |
731 | s->state = DTLS1_SCTP_ST_SR_READ_SOCK; | |
732 | else | |
733 | #endif | |
734 | s->state = SSL3_ST_SR_FINISHED_A; | |
735 | s->init_num = 0; | |
736 | break; | |
737 | ||
738 | case SSL3_ST_SR_FINISHED_A: | |
739 | case SSL3_ST_SR_FINISHED_B: | |
740 | /* | |
464774d7 MC |
741 | * Enable CCS. Receiving a CCS clears the flag, so make |
742 | * sure not to re-enable it to ban duplicates. This *should* be the | |
743 | * first time we have received one - but we check anyway to be | |
744 | * cautious. | |
ae5c8664 MC |
745 | * s->s3->change_cipher_spec is set when a CCS is |
746 | * processed in d1_pkt.c, and remains set until | |
747 | * the client's Finished message is read. | |
748 | */ | |
749 | if (!s->s3->change_cipher_spec) | |
750 | s->d1->change_cipher_spec_ok = 1; | |
751 | ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A, | |
752 | SSL3_ST_SR_FINISHED_B); | |
753 | if (ret <= 0) | |
754 | goto end; | |
755 | dtls1_stop_timer(s); | |
756 | if (s->hit) | |
757 | s->state = SSL_ST_OK; | |
593222af | 758 | #ifndef OPENSSL_NO_TLSEXT |
ae5c8664 MC |
759 | else if (s->tlsext_ticket_expected) |
760 | s->state = SSL3_ST_SW_SESSION_TICKET_A; | |
593222af | 761 | #endif |
ae5c8664 MC |
762 | else |
763 | s->state = SSL3_ST_SW_CHANGE_A; | |
764 | s->init_num = 0; | |
765 | break; | |
36d16f8e | 766 | |
593222af | 767 | #ifndef OPENSSL_NO_TLSEXT |
ae5c8664 MC |
768 | case SSL3_ST_SW_SESSION_TICKET_A: |
769 | case SSL3_ST_SW_SESSION_TICKET_B: | |
770 | ret = ssl3_send_newsession_ticket(s); | |
771 | if (ret <= 0) | |
772 | goto end; | |
773 | s->state = SSL3_ST_SW_CHANGE_A; | |
774 | s->init_num = 0; | |
775 | break; | |
776 | ||
777 | case SSL3_ST_SW_CERT_STATUS_A: | |
778 | case SSL3_ST_SW_CERT_STATUS_B: | |
779 | ret = ssl3_send_cert_status(s); | |
780 | if (ret <= 0) | |
781 | goto end; | |
782 | s->state = SSL3_ST_SW_KEY_EXCH_A; | |
783 | s->init_num = 0; | |
784 | break; | |
593222af DSH |
785 | |
786 | #endif | |
787 | ||
ae5c8664 MC |
788 | case SSL3_ST_SW_CHANGE_A: |
789 | case SSL3_ST_SW_CHANGE_B: | |
36d16f8e | 790 | |
ae5c8664 MC |
791 | s->session->cipher = s->s3->tmp.new_cipher; |
792 | if (!s->method->ssl3_enc->setup_key_block(s)) { | |
793 | ret = -1; | |
feb96e91 | 794 | s->state = SSL_ST_ERR; |
ae5c8664 MC |
795 | goto end; |
796 | } | |
36d16f8e | 797 | |
ae5c8664 MC |
798 | ret = dtls1_send_change_cipher_spec(s, |
799 | SSL3_ST_SW_CHANGE_A, | |
800 | SSL3_ST_SW_CHANGE_B); | |
36d16f8e | 801 | |
ae5c8664 MC |
802 | if (ret <= 0) |
803 | goto end; | |
e065e6cd DSH |
804 | |
805 | #ifndef OPENSSL_NO_SCTP | |
ae5c8664 MC |
806 | if (!s->hit) { |
807 | /* | |
808 | * Change to new shared key of SCTP-Auth, will be ignored if | |
809 | * no SCTP used. | |
810 | */ | |
811 | BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, | |
812 | 0, NULL); | |
813 | } | |
e065e6cd DSH |
814 | #endif |
815 | ||
ae5c8664 MC |
816 | s->state = SSL3_ST_SW_FINISHED_A; |
817 | s->init_num = 0; | |
818 | ||
819 | if (!s->method->ssl3_enc->change_cipher_state(s, | |
820 | SSL3_CHANGE_CIPHER_SERVER_WRITE)) | |
821 | { | |
822 | ret = -1; | |
feb96e91 | 823 | s->state = SSL_ST_ERR; |
ae5c8664 MC |
824 | goto end; |
825 | } | |
826 | ||
827 | dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); | |
828 | break; | |
829 | ||
830 | case SSL3_ST_SW_FINISHED_A: | |
831 | case SSL3_ST_SW_FINISHED_B: | |
832 | ret = ssl3_send_finished(s, | |
833 | SSL3_ST_SW_FINISHED_A, | |
834 | SSL3_ST_SW_FINISHED_B, | |
835 | s->method-> | |
836 | ssl3_enc->server_finished_label, | |
837 | s->method-> | |
838 | ssl3_enc->server_finished_label_len); | |
839 | if (ret <= 0) | |
840 | goto end; | |
841 | s->state = SSL3_ST_SW_FLUSH; | |
842 | if (s->hit) { | |
843 | s->s3->tmp.next_state = SSL3_ST_SR_FINISHED_A; | |
9fb523ad RS |
844 | |
845 | #ifndef OPENSSL_NO_SCTP | |
ae5c8664 MC |
846 | /* |
847 | * Change to new shared key of SCTP-Auth, will be ignored if | |
848 | * no SCTP used. | |
849 | */ | |
850 | BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, | |
851 | 0, NULL); | |
9fb523ad | 852 | #endif |
ae5c8664 MC |
853 | } else { |
854 | s->s3->tmp.next_state = SSL_ST_OK; | |
e065e6cd | 855 | #ifndef OPENSSL_NO_SCTP |
ae5c8664 MC |
856 | if (BIO_dgram_is_sctp(SSL_get_wbio(s))) { |
857 | s->d1->next_state = s->s3->tmp.next_state; | |
858 | s->s3->tmp.next_state = DTLS1_SCTP_ST_SW_WRITE_SOCK; | |
859 | } | |
e065e6cd | 860 | #endif |
ae5c8664 MC |
861 | } |
862 | s->init_num = 0; | |
863 | break; | |
36d16f8e | 864 | |
ae5c8664 MC |
865 | case SSL_ST_OK: |
866 | /* clean a few things up */ | |
867 | ssl3_cleanup_key_block(s); | |
36d16f8e BL |
868 | |
869 | #if 0 | |
ae5c8664 MC |
870 | BUF_MEM_free(s->init_buf); |
871 | s->init_buf = NULL; | |
36d16f8e BL |
872 | #endif |
873 | ||
ae5c8664 MC |
874 | /* remove buffering on output */ |
875 | ssl_free_wbio_buffer(s); | |
876 | ||
877 | s->init_num = 0; | |
878 | ||
879 | if (s->renegotiate == 2) { /* skipped if we just sent a | |
880 | * HelloRequest */ | |
881 | s->renegotiate = 0; | |
882 | s->new_session = 0; | |
883 | ||
884 | ssl_update_cache(s, SSL_SESS_CACHE_SERVER); | |
885 | ||
886 | s->ctx->stats.sess_accept_good++; | |
887 | /* s->server=1; */ | |
888 | s->handshake_func = dtls1_accept; | |
889 | ||
890 | if (cb != NULL) | |
891 | cb(s, SSL_CB_HANDSHAKE_DONE, 1); | |
892 | } | |
893 | ||
894 | ret = 1; | |
895 | ||
896 | /* done handshaking, next message is client hello */ | |
897 | s->d1->handshake_read_seq = 0; | |
898 | /* next message is server hello */ | |
899 | s->d1->handshake_write_seq = 0; | |
900 | s->d1->next_handshake_write_seq = 0; | |
26f2c577 | 901 | dtls1_clear_received_buffer(s); |
ae5c8664 MC |
902 | goto end; |
903 | /* break; */ | |
904 | ||
feb96e91 | 905 | case SSL_ST_ERR: |
ae5c8664 MC |
906 | default: |
907 | SSLerr(SSL_F_DTLS1_ACCEPT, SSL_R_UNKNOWN_STATE); | |
908 | ret = -1; | |
909 | goto end; | |
910 | /* break; */ | |
911 | } | |
912 | ||
913 | if (!s->s3->tmp.reuse_message && !skip) { | |
914 | if (s->debug) { | |
915 | if ((ret = BIO_flush(s->wbio)) <= 0) | |
916 | goto end; | |
917 | } | |
918 | ||
919 | if ((cb != NULL) && (s->state != state)) { | |
920 | new_state = s->state; | |
921 | s->state = state; | |
922 | cb(s, SSL_CB_ACCEPT_LOOP, 1); | |
923 | s->state = new_state; | |
924 | } | |
925 | } | |
926 | skip = 0; | |
927 | } | |
928 | end: | |
929 | /* BIO_flush(s->wbio); */ | |
930 | ||
931 | s->in_handshake--; | |
e065e6cd | 932 | #ifndef OPENSSL_NO_SCTP |
ae5c8664 MC |
933 | /* |
934 | * Notify SCTP BIO socket to leave handshake mode and prevent stream | |
935 | * identifier other than 0. Will be ignored if no SCTP is used. | |
936 | */ | |
937 | BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, | |
938 | s->in_handshake, NULL); | |
e065e6cd DSH |
939 | #endif |
940 | ||
ae5c8664 MC |
941 | if (cb != NULL) |
942 | cb(s, SSL_CB_ACCEPT_EXIT, ret); | |
943 | return (ret); | |
944 | } | |
36d16f8e | 945 | |
36d16f8e | 946 | int dtls1_send_hello_verify_request(SSL *s) |
ae5c8664 MC |
947 | { |
948 | unsigned int msg_len; | |
949 | unsigned char *msg, *buf, *p; | |
950 | ||
951 | if (s->state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A) { | |
952 | buf = (unsigned char *)s->init_buf->data; | |
953 | ||
954 | msg = p = &(buf[DTLS1_HM_HEADER_LENGTH]); | |
955 | /* Always use DTLS 1.0 version: see RFC 6347 */ | |
956 | *(p++) = DTLS1_VERSION >> 8; | |
957 | *(p++) = DTLS1_VERSION & 0xFF; | |
958 | ||
959 | if (s->ctx->app_gen_cookie_cb == NULL || | |
960 | s->ctx->app_gen_cookie_cb(s, s->d1->cookie, | |
961 | &(s->d1->cookie_len)) == 0) { | |
962 | SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST, | |
963 | ERR_R_INTERNAL_ERROR); | |
feb96e91 | 964 | s->state = SSL_ST_ERR; |
ae5c8664 MC |
965 | return 0; |
966 | } | |
967 | ||
968 | *(p++) = (unsigned char)s->d1->cookie_len; | |
969 | memcpy(p, s->d1->cookie, s->d1->cookie_len); | |
970 | p += s->d1->cookie_len; | |
971 | msg_len = p - msg; | |
972 | ||
973 | dtls1_set_message_header(s, buf, | |
974 | DTLS1_MT_HELLO_VERIFY_REQUEST, msg_len, 0, | |
975 | msg_len); | |
976 | ||
977 | s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B; | |
978 | /* number of bytes to write */ | |
979 | s->init_num = p - buf; | |
980 | s->init_off = 0; | |
981 | } | |
982 | ||
983 | /* s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */ | |
984 | return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); | |
985 | } |