3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
6 /* ====================================================================
7 * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * openssl-core@OpenSSL.org.
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
35 * 6. Redistributions of any form whatsoever must retain the following
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
59 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
60 * All rights reserved.
62 * This package is an SSL implementation written
63 * by Eric Young (eay@cryptsoft.com).
64 * The implementation was written so as to conform with Netscapes SSL.
66 * This library is free for commercial and non-commercial use as long as
67 * the following conditions are aheared to. The following conditions
68 * apply to all code found in this distribution, be it the RC4, RSA,
69 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
70 * included with this distribution is covered by the same copyright terms
71 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
73 * Copyright remains Eric Young's, and as such any Copyright notices in
74 * the code are not to be removed.
75 * If this package is used in a product, Eric Young should be given attribution
76 * as the author of the parts of the library used.
77 * This can be in the form of a textual message at program startup or
78 * in documentation (online or textual) provided with the package.
80 * Redistribution and use in source and binary forms, with or without
81 * modification, are permitted provided that the following conditions
83 * 1. Redistributions of source code must retain the copyright
84 * notice, this list of conditions and the following disclaimer.
85 * 2. Redistributions in binary form must reproduce the above copyright
86 * notice, this list of conditions and the following disclaimer in the
87 * documentation and/or other materials provided with the distribution.
88 * 3. All advertising materials mentioning features or use of this software
89 * must display the following acknowledgement:
90 * "This product includes cryptographic software written by
91 * Eric Young (eay@cryptsoft.com)"
92 * The word 'cryptographic' can be left out if the rouines from the library
93 * being used are not cryptographic related :-).
94 * 4. If you include any Windows specific code (or a derivative thereof) from
95 * the apps directory (application code) you must include an acknowledgement:
96 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
98 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
99 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
100 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
101 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
102 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
103 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
104 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
105 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
106 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
107 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
110 * The licence and distribution terms for any publically available version or
111 * derivative of this code cannot be changed. i.e. this code cannot simply be
112 * copied and put under another distribution licence
113 * [including the GNU Public Licence.]
117 #include "ssl_locl.h"
118 #include "kssl_lcl.h"
119 #include <openssl/buffer.h>
120 #include <openssl/rand.h>
121 #include <openssl/objects.h>
122 #include <openssl/evp.h>
123 #include <openssl/md5.h>
124 #ifndef OPENSSL_NO_DH
125 #include <openssl/dh.h>
128 static SSL_METHOD
*dtls1_get_client_method(int ver
);
129 static int dtls1_get_hello_verify(SSL
*s
);
131 static SSL_METHOD
*dtls1_get_client_method(int ver
)
133 if (ver
== DTLS1_VERSION
|| ver
== DTLS1_BAD_VER
)
134 return(DTLSv1_client_method());
139 IMPLEMENT_dtls1_meth_func(DTLSv1_client_method
,
140 ssl_undefined_function
,
142 dtls1_get_client_method
)
144 int dtls1_connect(SSL
*s
)
147 unsigned long Time
=(unsigned long)time(NULL
);
148 void (*cb
)(const SSL
*ssl
,int type
,int val
)=NULL
;
150 int new_state
,state
,skip
=0;;
152 RAND_add(&Time
,sizeof(Time
),0);
156 if (s
->info_callback
!= NULL
)
158 else if (s
->ctx
->info_callback
!= NULL
)
159 cb
=s
->ctx
->info_callback
;
162 if (!SSL_in_init(s
) || SSL_in_before(s
)) SSL_clear(s
);
170 case SSL_ST_RENEGOTIATE
:
172 s
->state
=SSL_ST_CONNECT
;
173 s
->ctx
->stats
.sess_connect_renegotiate
++;
177 case SSL_ST_BEFORE
|SSL_ST_CONNECT
:
178 case SSL_ST_OK
|SSL_ST_CONNECT
:
181 if (cb
!= NULL
) cb(s
,SSL_CB_HANDSHAKE_START
,1);
183 if ((s
->version
& 0xff00 ) != (DTLS1_VERSION
& 0xff00) &&
184 (s
->version
& 0xff00 ) != (DTLS1_BAD_VER
& 0xff00))
186 SSLerr(SSL_F_DTLS1_CONNECT
, ERR_R_INTERNAL_ERROR
);
191 /* s->version=SSL3_VERSION; */
192 s
->type
=SSL_ST_CONNECT
;
194 if (s
->init_buf
== NULL
)
196 if ((buf
=BUF_MEM_new()) == NULL
)
201 if (!BUF_MEM_grow(buf
,SSL3_RT_MAX_PLAIN_LENGTH
))
210 if (!ssl3_setup_buffers(s
)) { ret
= -1; goto end
; }
212 /* setup buffing BIO */
213 if (!ssl_init_wbio_buffer(s
,0)) { ret
= -1; goto end
; }
215 /* don't push the buffering BIO quite yet */
217 s
->state
=SSL3_ST_CW_CLNT_HELLO_A
;
218 s
->ctx
->stats
.sess_connect
++;
220 /* mark client_random uninitialized */
221 memset(s
->s3
->client_random
,0,sizeof(s
->s3
->client_random
));
222 s
->d1
->send_cookie
= 0;
226 case SSL3_ST_CW_CLNT_HELLO_A
:
227 case SSL3_ST_CW_CLNT_HELLO_B
:
231 /* every DTLS ClientHello resets Finished MAC */
232 ssl3_init_finished_mac(s
);
234 dtls1_start_timer(s
);
235 ret
=dtls1_client_hello(s
);
236 if (ret
<= 0) goto end
;
238 if ( s
->d1
->send_cookie
)
240 s
->state
=SSL3_ST_CW_FLUSH
;
241 s
->s3
->tmp
.next_state
=SSL3_ST_CR_SRVR_HELLO_A
;
244 s
->state
=SSL3_ST_CR_SRVR_HELLO_A
;
248 /* turn on buffering for the next lot of output */
249 if (s
->bbio
!= s
->wbio
)
250 s
->wbio
=BIO_push(s
->bbio
,s
->wbio
);
254 case SSL3_ST_CR_SRVR_HELLO_A
:
255 case SSL3_ST_CR_SRVR_HELLO_B
:
256 ret
=ssl3_get_server_hello(s
);
257 if (ret
<= 0) goto end
;
261 s
->state
=SSL3_ST_CR_FINISHED_A
;
263 s
->state
=DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A
;
268 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A
:
269 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B
:
271 ret
= dtls1_get_hello_verify(s
);
275 if ( s
->d1
->send_cookie
) /* start again, with a cookie */
276 s
->state
=SSL3_ST_CW_CLNT_HELLO_A
;
278 s
->state
= SSL3_ST_CR_CERT_A
;
282 case SSL3_ST_CR_CERT_A
:
283 case SSL3_ST_CR_CERT_B
:
284 #ifndef OPENSSL_NO_TLSEXT
285 ret
=ssl3_check_finished(s
);
286 if (ret
<= 0) goto end
;
290 if (s
->tlsext_ticket_expected
)
291 s
->state
=SSL3_ST_CR_SESSION_TICKET_A
;
293 s
->state
=SSL3_ST_CR_FINISHED_A
;
298 /* Check if it is anon DH */
299 if (!(s
->s3
->tmp
.new_cipher
->algorithms
& SSL_aNULL
))
301 ret
=ssl3_get_server_certificate(s
);
302 if (ret
<= 0) goto end
;
303 #ifndef OPENSSL_NO_TLSEXT
304 if (s
->tlsext_status_expected
)
305 s
->state
=SSL3_ST_CR_CERT_STATUS_A
;
307 s
->state
=SSL3_ST_CR_KEY_EXCH_A
;
312 s
->state
=SSL3_ST_CR_KEY_EXCH_A
;
319 s
->state
=SSL3_ST_CR_KEY_EXCH_A
;
324 case SSL3_ST_CR_KEY_EXCH_A
:
325 case SSL3_ST_CR_KEY_EXCH_B
:
326 ret
=ssl3_get_key_exchange(s
);
327 if (ret
<= 0) goto end
;
328 s
->state
=SSL3_ST_CR_CERT_REQ_A
;
331 /* at this point we check that we have the
332 * required stuff from the server */
333 if (!ssl3_check_cert_and_algorithm(s
))
340 case SSL3_ST_CR_CERT_REQ_A
:
341 case SSL3_ST_CR_CERT_REQ_B
:
342 ret
=ssl3_get_certificate_request(s
);
343 if (ret
<= 0) goto end
;
344 s
->state
=SSL3_ST_CR_SRVR_DONE_A
;
348 case SSL3_ST_CR_SRVR_DONE_A
:
349 case SSL3_ST_CR_SRVR_DONE_B
:
350 ret
=ssl3_get_server_done(s
);
351 if (ret
<= 0) goto end
;
353 if (s
->s3
->tmp
.cert_req
)
354 s
->state
=SSL3_ST_CW_CERT_A
;
356 s
->state
=SSL3_ST_CW_KEY_EXCH_A
;
361 case SSL3_ST_CW_CERT_A
:
362 case SSL3_ST_CW_CERT_B
:
363 case SSL3_ST_CW_CERT_C
:
364 case SSL3_ST_CW_CERT_D
:
365 dtls1_start_timer(s
);
366 ret
=dtls1_send_client_certificate(s
);
367 if (ret
<= 0) goto end
;
368 s
->state
=SSL3_ST_CW_KEY_EXCH_A
;
372 case SSL3_ST_CW_KEY_EXCH_A
:
373 case SSL3_ST_CW_KEY_EXCH_B
:
374 dtls1_start_timer(s
);
375 ret
=dtls1_send_client_key_exchange(s
);
376 if (ret
<= 0) goto end
;
377 /* EAY EAY EAY need to check for DH fix cert
379 /* For TLS, cert_req is set to 2, so a cert chain
380 * of nothing is sent, but no verify packet is sent */
381 if (s
->s3
->tmp
.cert_req
== 1)
383 s
->state
=SSL3_ST_CW_CERT_VRFY_A
;
387 s
->state
=SSL3_ST_CW_CHANGE_A
;
388 s
->s3
->change_cipher_spec
=0;
394 case SSL3_ST_CW_CERT_VRFY_A
:
395 case SSL3_ST_CW_CERT_VRFY_B
:
396 dtls1_start_timer(s
);
397 ret
=dtls1_send_client_verify(s
);
398 if (ret
<= 0) goto end
;
399 s
->state
=SSL3_ST_CW_CHANGE_A
;
401 s
->s3
->change_cipher_spec
=0;
404 case SSL3_ST_CW_CHANGE_A
:
405 case SSL3_ST_CW_CHANGE_B
:
407 dtls1_start_timer(s
);
408 ret
=dtls1_send_change_cipher_spec(s
,
409 SSL3_ST_CW_CHANGE_A
,SSL3_ST_CW_CHANGE_B
);
410 if (ret
<= 0) goto end
;
411 s
->state
=SSL3_ST_CW_FINISHED_A
;
414 s
->session
->cipher
=s
->s3
->tmp
.new_cipher
;
415 #ifdef OPENSSL_NO_COMP
416 s
->session
->compress_meth
=0;
418 if (s
->s3
->tmp
.new_compression
== NULL
)
419 s
->session
->compress_meth
=0;
421 s
->session
->compress_meth
=
422 s
->s3
->tmp
.new_compression
->id
;
424 if (!s
->method
->ssl3_enc
->setup_key_block(s
))
430 if (!s
->method
->ssl3_enc
->change_cipher_state(s
,
431 SSL3_CHANGE_CIPHER_CLIENT_WRITE
))
437 dtls1_reset_seq_numbers(s
, SSL3_CC_WRITE
);
440 case SSL3_ST_CW_FINISHED_A
:
441 case SSL3_ST_CW_FINISHED_B
:
443 dtls1_start_timer(s
);
444 ret
=dtls1_send_finished(s
,
445 SSL3_ST_CW_FINISHED_A
,SSL3_ST_CW_FINISHED_B
,
446 s
->method
->ssl3_enc
->client_finished_label
,
447 s
->method
->ssl3_enc
->client_finished_label_len
);
448 if (ret
<= 0) goto end
;
449 s
->state
=SSL3_ST_CW_FLUSH
;
452 s
->s3
->flags
&= ~SSL3_FLAGS_POP_BUFFER
;
455 s
->s3
->tmp
.next_state
=SSL_ST_OK
;
456 if (s
->s3
->flags
& SSL3_FLAGS_DELAY_CLIENT_FINISHED
)
459 s
->s3
->flags
|=SSL3_FLAGS_POP_BUFFER
;
460 s
->s3
->delay_buf_pop_ret
=0;
465 #ifndef OPENSSL_NO_TLSEXT
466 /* Allow NewSessionTicket if ticket expected */
467 if (s
->tlsext_ticket_expected
)
468 s
->s3
->tmp
.next_state
=SSL3_ST_CR_SESSION_TICKET_A
;
472 s
->s3
->tmp
.next_state
=SSL3_ST_CR_FINISHED_A
;
478 #ifndef OPENSSL_NO_TLSEXT
479 case SSL3_ST_CR_SESSION_TICKET_A
:
480 case SSL3_ST_CR_SESSION_TICKET_B
:
481 ret
=ssl3_get_new_session_ticket(s
);
482 if (ret
<= 0) goto end
;
483 s
->state
=SSL3_ST_CR_FINISHED_A
;
487 case SSL3_ST_CR_CERT_STATUS_A
:
488 case SSL3_ST_CR_CERT_STATUS_B
:
489 ret
=ssl3_get_cert_status(s
);
490 if (ret
<= 0) goto end
;
491 s
->state
=SSL3_ST_CR_KEY_EXCH_A
;
496 case SSL3_ST_CR_FINISHED_A
:
497 case SSL3_ST_CR_FINISHED_B
:
498 s
->d1
->change_cipher_spec_ok
= 1;
499 ret
=ssl3_get_finished(s
,SSL3_ST_CR_FINISHED_A
,
500 SSL3_ST_CR_FINISHED_B
);
501 if (ret
<= 0) goto end
;
505 s
->state
=SSL3_ST_CW_CHANGE_A
;
511 case SSL3_ST_CW_FLUSH
:
512 s
->rwstate
=SSL_WRITING
;
513 if (BIO_flush(s
->wbio
) <= 0)
518 s
->rwstate
=SSL_NOTHING
;
519 s
->state
=s
->s3
->tmp
.next_state
;
523 /* clean a few things up */
524 ssl3_cleanup_key_block(s
);
527 if (s
->init_buf
!= NULL
)
529 BUF_MEM_free(s
->init_buf
);
534 /* If we are not 'joining' the last two packets,
535 * remove the buffering now */
536 if (!(s
->s3
->flags
& SSL3_FLAGS_POP_BUFFER
))
537 ssl_free_wbio_buffer(s
);
538 /* else do it later in ssl3_write */
543 ssl_update_cache(s
,SSL_SESS_CACHE_CLIENT
);
544 if (s
->hit
) s
->ctx
->stats
.sess_hit
++;
548 s
->handshake_func
=dtls1_connect
;
549 s
->ctx
->stats
.sess_connect_good
++;
551 if (cb
!= NULL
) cb(s
,SSL_CB_HANDSHAKE_DONE
,1);
553 /* done with handshaking */
554 s
->d1
->handshake_read_seq
= 0;
555 s
->d1
->next_handshake_write_seq
= 0;
560 SSLerr(SSL_F_DTLS1_CONNECT
,SSL_R_UNKNOWN_STATE
);
566 /* did we do anything */
567 if (!s
->s3
->tmp
.reuse_message
&& !skip
)
571 if ((ret
=BIO_flush(s
->wbio
)) <= 0)
575 if ((cb
!= NULL
) && (s
->state
!= state
))
579 cb(s
,SSL_CB_CONNECT_LOOP
,1);
590 cb(s
,SSL_CB_CONNECT_EXIT
,ret
);
594 int dtls1_client_hello(SSL
*s
)
599 unsigned long Time
,l
;
602 buf
=(unsigned char *)s
->init_buf
->data
;
603 if (s
->state
== SSL3_ST_CW_CLNT_HELLO_A
)
605 SSL_SESSION
*sess
= s
->session
;
606 if ((s
->session
== NULL
) ||
607 (s
->session
->ssl_version
!= s
->version
) ||
608 #ifdef OPENSSL_NO_TLSEXT
609 !sess
->session_id_length
||
611 (!sess
->session_id_length
&& !sess
->tlsext_tick
) ||
613 (s
->session
->not_resumable
))
615 if (!ssl_get_new_session(s
,0))
618 /* else use the pre-loaded session */
620 p
=s
->s3
->client_random
;
621 /* if client_random is initialized, reuse it, we are
622 * required to use same upon reply to HelloVerify */
623 for (i
=0;p
[i
]=='\0' && i
<sizeof(s
->s3
->client_random
);i
++) ;
624 if (i
==sizeof(s
->s3
->client_random
))
626 Time
=(unsigned long)time(NULL
); /* Time */
628 RAND_pseudo_bytes(p
,SSL3_RANDOM_SIZE
-4);
631 /* Do the message type and length last */
632 d
=p
= &(buf
[DTLS1_HM_HEADER_LENGTH
]);
634 *(p
++)=s
->version
>>8;
635 *(p
++)=s
->version
&0xff;
636 s
->client_version
=s
->version
;
639 memcpy(p
,s
->s3
->client_random
,SSL3_RANDOM_SIZE
);
646 i
=s
->session
->session_id_length
;
650 if (i
> sizeof s
->session
->session_id
)
652 SSLerr(SSL_F_DTLS1_CLIENT_HELLO
, ERR_R_INTERNAL_ERROR
);
655 memcpy(p
,s
->session
->session_id
,i
);
660 if ( s
->d1
->cookie_len
> sizeof(s
->d1
->cookie
))
662 SSLerr(SSL_F_DTLS1_CLIENT_HELLO
, ERR_R_INTERNAL_ERROR
);
665 *(p
++) = s
->d1
->cookie_len
;
666 memcpy(p
, s
->d1
->cookie
, s
->d1
->cookie_len
);
667 p
+= s
->d1
->cookie_len
;
669 /* Ciphers supported */
670 i
=ssl_cipher_list_to_bytes(s
,SSL_get_ciphers(s
),&(p
[2]),0);
673 SSLerr(SSL_F_DTLS1_CLIENT_HELLO
,SSL_R_NO_CIPHERS_AVAILABLE
);
680 if (s
->ctx
->comp_methods
== NULL
)
683 j
=sk_SSL_COMP_num(s
->ctx
->comp_methods
);
687 comp
=sk_SSL_COMP_value(s
->ctx
->comp_methods
,i
);
690 *(p
++)=0; /* Add the NULL method */
692 #ifndef OPENSSL_NO_TLSEXT
693 if ((p
= ssl_add_clienthello_tlsext(s
, p
, buf
+SSL3_RT_MAX_PLAIN_LENGTH
)) == NULL
)
695 SSLerr(SSL_F_DTLS1_CLIENT_HELLO
,ERR_R_INTERNAL_ERROR
);
703 d
= dtls1_set_message_header(s
, d
, SSL3_MT_CLIENT_HELLO
, l
, 0, l
);
705 s
->state
=SSL3_ST_CW_CLNT_HELLO_B
;
706 /* number of bytes to write */
710 /* buffer the message to handle re-xmits */
711 dtls1_buffer_message(s
, 0);
714 /* SSL3_ST_CW_CLNT_HELLO_B */
715 return(dtls1_do_write(s
,SSL3_RT_HANDSHAKE
));
720 static int dtls1_get_hello_verify(SSL
*s
)
724 unsigned int cookie_len
;
726 n
=s
->method
->ssl_get_message(s
,
727 DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A
,
728 DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B
,
733 if (!ok
) return((int)n
);
735 if (s
->s3
->tmp
.message_type
!= DTLS1_MT_HELLO_VERIFY_REQUEST
)
737 s
->d1
->send_cookie
= 0;
738 s
->s3
->tmp
.reuse_message
=1;
742 data
= (unsigned char *)s
->init_msg
;
744 if ((data
[0] != (s
->version
>>8)) || (data
[1] != (s
->version
&0xff)))
746 SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY
,SSL_R_WRONG_SSL_VERSION
);
747 s
->version
=(s
->version
&0xff00)|data
[1];
748 al
= SSL_AD_PROTOCOL_VERSION
;
753 cookie_len
= *(data
++);
754 if ( cookie_len
> sizeof(s
->d1
->cookie
))
756 al
=SSL_AD_ILLEGAL_PARAMETER
;
760 memcpy(s
->d1
->cookie
, data
, cookie_len
);
761 s
->d1
->cookie_len
= cookie_len
;
763 s
->d1
->send_cookie
= 1;
767 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
771 int dtls1_send_client_key_exchange(SSL
*s
)
776 #ifndef OPENSSL_NO_RSA
780 #ifndef OPENSSL_NO_KRB5
782 #endif /* OPENSSL_NO_KRB5 */
784 if (s
->state
== SSL3_ST_CW_KEY_EXCH_A
)
786 d
=(unsigned char *)s
->init_buf
->data
;
787 p
= &(d
[DTLS1_HM_HEADER_LENGTH
]);
789 l
=s
->s3
->tmp
.new_cipher
->algorithms
;
791 /* Fool emacs indentation */
793 #ifndef OPENSSL_NO_RSA
794 else if (l
& SSL_kRSA
)
797 unsigned char tmp_buf
[SSL_MAX_MASTER_KEY_LENGTH
];
799 if (s
->session
->sess_cert
== NULL
)
801 /* We should always have a server certificate with SSL_kRSA. */
802 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE
,ERR_R_INTERNAL_ERROR
);
806 if (s
->session
->sess_cert
->peer_rsa_tmp
!= NULL
)
807 rsa
=s
->session
->sess_cert
->peer_rsa_tmp
;
810 pkey
=X509_get_pubkey(s
->session
->sess_cert
->peer_pkeys
[SSL_PKEY_RSA_ENC
].x509
);
811 if ((pkey
== NULL
) ||
812 (pkey
->type
!= EVP_PKEY_RSA
) ||
813 (pkey
->pkey
.rsa
== NULL
))
815 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE
,ERR_R_INTERNAL_ERROR
);
822 tmp_buf
[0]=s
->client_version
>>8;
823 tmp_buf
[1]=s
->client_version
&0xff;
824 if (RAND_bytes(&(tmp_buf
[2]),sizeof tmp_buf
-2) <= 0)
827 s
->session
->master_key_length
=sizeof tmp_buf
;
830 /* Fix buf for TLS and [incidentally] DTLS */
831 if (s
->version
> SSL3_VERSION
)
833 n
=RSA_public_encrypt(sizeof tmp_buf
,
834 tmp_buf
,p
,rsa
,RSA_PKCS1_PADDING
);
836 if (s
->options
& SSL_OP_PKCS1_CHECK_1
) p
[1]++;
837 if (s
->options
& SSL_OP_PKCS1_CHECK_2
) tmp_buf
[0]=0x70;
841 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE
,SSL_R_BAD_RSA_ENCRYPT
);
845 /* Fix buf for TLS and [incidentally] DTLS */
846 if (s
->version
> SSL3_VERSION
)
852 s
->session
->master_key_length
=
853 s
->method
->ssl3_enc
->generate_master_secret(s
,
854 s
->session
->master_key
,
855 tmp_buf
,sizeof tmp_buf
);
856 OPENSSL_cleanse(tmp_buf
,sizeof tmp_buf
);
859 #ifndef OPENSSL_NO_KRB5
860 else if (l
& SSL_kKRB5
)
862 krb5_error_code krb5rc
;
863 KSSL_CTX
*kssl_ctx
= s
->kssl_ctx
;
864 /* krb5_data krb5_ap_req; */
865 krb5_data
*enc_ticket
;
866 krb5_data authenticator
, *authp
= NULL
;
867 EVP_CIPHER_CTX ciph_ctx
;
868 EVP_CIPHER
*enc
= NULL
;
869 unsigned char iv
[EVP_MAX_IV_LENGTH
];
870 unsigned char tmp_buf
[SSL_MAX_MASTER_KEY_LENGTH
];
871 unsigned char epms
[SSL_MAX_MASTER_KEY_LENGTH
872 + EVP_MAX_IV_LENGTH
];
873 int padl
, outl
= sizeof(epms
);
875 EVP_CIPHER_CTX_init(&ciph_ctx
);
878 printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
880 #endif /* KSSL_DEBUG */
884 if (KRB5SENDAUTH
) authp
= &authenticator
;
885 #endif /* KRB5SENDAUTH */
887 krb5rc
= kssl_cget_tkt(kssl_ctx
, &enc_ticket
, authp
,
889 enc
= kssl_map_enc(kssl_ctx
->enctype
);
894 printf("kssl_cget_tkt rtn %d\n", krb5rc
);
895 if (krb5rc
&& kssl_err
.text
)
896 printf("kssl_cget_tkt kssl_err=%s\n", kssl_err
.text
);
898 #endif /* KSSL_DEBUG */
902 ssl3_send_alert(s
,SSL3_AL_FATAL
,
903 SSL_AD_HANDSHAKE_FAILURE
);
904 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE
,
910 * 20010406 VRS - Earlier versions used KRB5 AP_REQ
911 ** in place of RFC 2712 KerberosWrapper, as in:
913 ** Send ticket (copy to *p, set n = length)
914 ** n = krb5_ap_req.length;
915 ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
916 ** if (krb5_ap_req.data)
917 ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
919 ** Now using real RFC 2712 KerberosWrapper
920 ** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
921 ** Note: 2712 "opaque" types are here replaced
922 ** with a 2-byte length followed by the value.
924 ** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
925 ** Where "xx xx" = length bytes. Shown here with
926 ** optional authenticator omitted.
929 /* KerberosWrapper.Ticket */
930 s2n(enc_ticket
->length
,p
);
931 memcpy(p
, enc_ticket
->data
, enc_ticket
->length
);
932 p
+= enc_ticket
->length
;
933 n
= enc_ticket
->length
+ 2;
935 /* KerberosWrapper.Authenticator */
936 if (authp
&& authp
->length
)
938 s2n(authp
->length
,p
);
939 memcpy(p
, authp
->data
, authp
->length
);
941 n
+= authp
->length
+ 2;
949 s2n(0,p
);/* null authenticator length */
953 if (RAND_bytes(tmp_buf
,sizeof tmp_buf
) <= 0)
957 * 20010420 VRS. Tried it this way; failed.
958 * EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
959 * EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
961 * EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
964 memset(iv
, 0, sizeof iv
); /* per RFC 1510 */
965 EVP_EncryptInit_ex(&ciph_ctx
,enc
, NULL
,
967 EVP_EncryptUpdate(&ciph_ctx
,epms
,&outl
,tmp_buf
,
969 EVP_EncryptFinal_ex(&ciph_ctx
,&(epms
[outl
]),&padl
);
971 if (outl
> sizeof epms
)
973 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE
, ERR_R_INTERNAL_ERROR
);
976 EVP_CIPHER_CTX_cleanup(&ciph_ctx
);
978 /* KerberosWrapper.EncryptedPreMasterSecret */
980 memcpy(p
, epms
, outl
);
984 s
->session
->master_key_length
=
985 s
->method
->ssl3_enc
->generate_master_secret(s
,
986 s
->session
->master_key
,
987 tmp_buf
, sizeof tmp_buf
);
989 OPENSSL_cleanse(tmp_buf
, sizeof tmp_buf
);
990 OPENSSL_cleanse(epms
, outl
);
993 #ifndef OPENSSL_NO_DH
994 else if (l
& (SSL_kEDH
|SSL_kDHr
|SSL_kDHd
))
996 DH
*dh_srvr
,*dh_clnt
;
998 if (s
->session
->sess_cert
== NULL
)
1000 ssl3_send_alert(s
,SSL3_AL_FATAL
,SSL_AD_UNEXPECTED_MESSAGE
);
1001 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE
,SSL_R_UNEXPECTED_MESSAGE
);
1005 if (s
->session
->sess_cert
->peer_dh_tmp
!= NULL
)
1006 dh_srvr
=s
->session
->sess_cert
->peer_dh_tmp
;
1009 /* we get them from the cert */
1010 ssl3_send_alert(s
,SSL3_AL_FATAL
,SSL_AD_HANDSHAKE_FAILURE
);
1011 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE
,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS
);
1015 /* generate a new random key */
1016 if ((dh_clnt
=DHparams_dup(dh_srvr
)) == NULL
)
1018 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE
,ERR_R_DH_LIB
);
1021 if (!DH_generate_key(dh_clnt
))
1023 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE
,ERR_R_DH_LIB
);
1027 /* use the 'p' output buffer for the DH key, but
1028 * make sure to clear it out afterwards */
1030 n
=DH_compute_key(p
,dh_srvr
->pub_key
,dh_clnt
);
1034 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE
,ERR_R_DH_LIB
);
1038 /* generate master key from the result */
1039 s
->session
->master_key_length
=
1040 s
->method
->ssl3_enc
->generate_master_secret(s
,
1041 s
->session
->master_key
,p
,n
);
1045 /* send off the data */
1046 n
=BN_num_bytes(dh_clnt
->pub_key
);
1048 BN_bn2bin(dh_clnt
->pub_key
,p
);
1053 /* perhaps clean things up a bit EAY EAY EAY EAY*/
1058 ssl3_send_alert(s
,SSL3_AL_FATAL
,SSL_AD_HANDSHAKE_FAILURE
);
1059 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE
,ERR_R_INTERNAL_ERROR
);
1063 d
= dtls1_set_message_header(s
, d
,
1064 SSL3_MT_CLIENT_KEY_EXCHANGE
, n
, 0, n
);
1066 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE;
1068 l2n(s->d1->handshake_write_seq,d);
1069 s->d1->handshake_write_seq++;
1072 s
->state
=SSL3_ST_CW_KEY_EXCH_B
;
1073 /* number of bytes to write */
1074 s
->init_num
=n
+DTLS1_HM_HEADER_LENGTH
;
1077 /* buffer the message to handle re-xmits */
1078 dtls1_buffer_message(s
, 0);
1081 /* SSL3_ST_CW_KEY_EXCH_B */
1082 return(dtls1_do_write(s
,SSL3_RT_HANDSHAKE
));
1087 int dtls1_send_client_verify(SSL
*s
)
1089 unsigned char *p
,*d
;
1090 unsigned char data
[MD5_DIGEST_LENGTH
+SHA_DIGEST_LENGTH
];
1092 #ifndef OPENSSL_NO_RSA
1096 #ifndef OPENSSL_NO_DSA
1100 if (s
->state
== SSL3_ST_CW_CERT_VRFY_A
)
1102 d
=(unsigned char *)s
->init_buf
->data
;
1103 p
= &(d
[DTLS1_HM_HEADER_LENGTH
]);
1104 pkey
=s
->cert
->key
->privatekey
;
1106 s
->method
->ssl3_enc
->cert_verify_mac(s
,&(s
->s3
->finish_dgst2
),
1107 &(data
[MD5_DIGEST_LENGTH
]));
1109 #ifndef OPENSSL_NO_RSA
1110 if (pkey
->type
== EVP_PKEY_RSA
)
1112 s
->method
->ssl3_enc
->cert_verify_mac(s
,
1113 &(s
->s3
->finish_dgst1
),&(data
[0]));
1114 if (RSA_sign(NID_md5_sha1
, data
,
1115 MD5_DIGEST_LENGTH
+SHA_DIGEST_LENGTH
,
1116 &(p
[2]), &u
, pkey
->pkey
.rsa
) <= 0 )
1118 SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY
,ERR_R_RSA_LIB
);
1126 #ifndef OPENSSL_NO_DSA
1127 if (pkey
->type
== EVP_PKEY_DSA
)
1129 if (!DSA_sign(pkey
->save_type
,
1130 &(data
[MD5_DIGEST_LENGTH
]),
1131 SHA_DIGEST_LENGTH
,&(p
[2]),
1132 (unsigned int *)&j
,pkey
->pkey
.dsa
))
1134 SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY
,ERR_R_DSA_LIB
);
1143 SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY
,ERR_R_INTERNAL_ERROR
);
1147 d
= dtls1_set_message_header(s
, d
,
1148 SSL3_MT_CERTIFICATE_VERIFY
, n
, 0, n
) ;
1150 s
->init_num
=(int)n
+DTLS1_HM_HEADER_LENGTH
;
1153 /* buffer the message to handle re-xmits */
1154 dtls1_buffer_message(s
, 0);
1156 s
->state
= SSL3_ST_CW_CERT_VRFY_B
;
1159 /* s->state = SSL3_ST_CW_CERT_VRFY_B */
1160 return(dtls1_do_write(s
,SSL3_RT_HANDSHAKE
));
1165 int dtls1_send_client_certificate(SSL
*s
)
1168 EVP_PKEY
*pkey
=NULL
;
1172 if (s
->state
== SSL3_ST_CW_CERT_A
)
1174 if ((s
->cert
== NULL
) ||
1175 (s
->cert
->key
->x509
== NULL
) ||
1176 (s
->cert
->key
->privatekey
== NULL
))
1177 s
->state
=SSL3_ST_CW_CERT_B
;
1179 s
->state
=SSL3_ST_CW_CERT_C
;
1182 /* We need to get a client cert */
1183 if (s
->state
== SSL3_ST_CW_CERT_B
)
1185 /* If we get an error, we need to
1186 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
1187 * We then get retied later */
1189 i
= ssl_do_client_cert_cb(s
, &x509
, &pkey
);
1192 s
->rwstate
=SSL_X509_LOOKUP
;
1195 s
->rwstate
=SSL_NOTHING
;
1196 if ((i
== 1) && (pkey
!= NULL
) && (x509
!= NULL
))
1198 s
->state
=SSL3_ST_CW_CERT_B
;
1199 if ( !SSL_use_certificate(s
,x509
) ||
1200 !SSL_use_PrivateKey(s
,pkey
))
1206 SSLerr(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE
,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK
);
1209 if (x509
!= NULL
) X509_free(x509
);
1210 if (pkey
!= NULL
) EVP_PKEY_free(pkey
);
1213 if (s
->version
== SSL3_VERSION
)
1215 s
->s3
->tmp
.cert_req
=0;
1216 ssl3_send_alert(s
,SSL3_AL_WARNING
,SSL_AD_NO_CERTIFICATE
);
1221 s
->s3
->tmp
.cert_req
=2;
1225 /* Ok, we have a cert */
1226 s
->state
=SSL3_ST_CW_CERT_C
;
1229 if (s
->state
== SSL3_ST_CW_CERT_C
)
1231 s
->state
=SSL3_ST_CW_CERT_D
;
1232 l
=dtls1_output_cert_chain(s
,
1233 (s
->s3
->tmp
.cert_req
== 2)?NULL
:s
->cert
->key
->x509
);
1237 /* set header called by dtls1_output_cert_chain() */
1239 /* buffer the message to handle re-xmits */
1240 dtls1_buffer_message(s
, 0);
1242 /* SSL3_ST_CW_CERT_D */
1243 return(dtls1_do_write(s
,SSL3_RT_HANDSHAKE
));