Symaptic: os/ossrv/ssl/libssl/src/d1_srvr.c@bde4ae8d615e (annotated)

sl@0	1	/* ssl/d1_srvr.c */
sl@0	2	/*
sl@0	3	* DTLS implementation written by Nagendra Modadugu
sl@0	4	* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
sl@0	5	*/
sl@0	6	/* ====================================================================
sl@0	7	* Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
sl@0	8	*
sl@0	9	* Redistribution and use in source and binary forms, with or without
sl@0	10	* modification, are permitted provided that the following conditions
sl@0	11	* are met:
sl@0	12	*
sl@0	13	* 1. Redistributions of source code must retain the above copyright
sl@0	14	* notice, this list of conditions and the following disclaimer.
sl@0	15	*
sl@0	16	* 2. Redistributions in binary form must reproduce the above copyright
sl@0	17	* notice, this list of conditions and the following disclaimer in
sl@0	18	* the documentation and/or other materials provided with the
sl@0	19	* distribution.
sl@0	20	*
sl@0	21	* 3. All advertising materials mentioning features or use of this
sl@0	22	* software must display the following acknowledgment:
sl@0	23	* "This product includes software developed by the OpenSSL Project
sl@0	24	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
sl@0	25	*
sl@0	26	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
sl@0	27	* endorse or promote products derived from this software without
sl@0	28	* prior written permission. For written permission, please contact
sl@0	29	* openssl-core@OpenSSL.org.
sl@0	30	*
sl@0	31	* 5. Products derived from this software may not be called "OpenSSL"
sl@0	32	* nor may "OpenSSL" appear in their names without prior written
sl@0	33	* permission of the OpenSSL Project.
sl@0	34	*
sl@0	35	* 6. Redistributions of any form whatsoever must retain the following
sl@0	36	* acknowledgment:
sl@0	37	* "This product includes software developed by the OpenSSL Project
sl@0	38	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
sl@0	39	*
sl@0	40	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
sl@0	41	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
sl@0	42	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
sl@0	43	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
sl@0	44	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
sl@0	45	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
sl@0	46	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
sl@0	47	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
sl@0	48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
sl@0	49	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
sl@0	50	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
sl@0	51	* OF THE POSSIBILITY OF SUCH DAMAGE.
sl@0	52	* ====================================================================
sl@0	53	*
sl@0	54	* This product includes cryptographic software written by Eric Young
sl@0	55	* (eay@cryptsoft.com). This product includes software written by Tim
sl@0	56	* Hudson (tjh@cryptsoft.com).
sl@0	57	*
sl@0	58	*/
sl@0	59	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
sl@0	60	* All rights reserved.
sl@0	61	*
sl@0	62	* This package is an SSL implementation written
sl@0	63	* by Eric Young (eay@cryptsoft.com).
sl@0	64	* The implementation was written so as to conform with Netscapes SSL.
sl@0	65	*
sl@0	66	* This library is free for commercial and non-commercial use as long as
sl@0	67	* the following conditions are aheared to. The following conditions
sl@0	68	* apply to all code found in this distribution, be it the RC4, RSA,
sl@0	69	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
sl@0	70	* included with this distribution is covered by the same copyright terms
sl@0	71	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
sl@0	72	*
sl@0	73	* Copyright remains Eric Young's, and as such any Copyright notices in
sl@0	74	* the code are not to be removed.
sl@0	75	* If this package is used in a product, Eric Young should be given attribution
sl@0	76	* as the author of the parts of the library used.
sl@0	77	* This can be in the form of a textual message at program startup or
sl@0	78	* in documentation (online or textual) provided with the package.
sl@0	79	*
sl@0	80	* Redistribution and use in source and binary forms, with or without
sl@0	81	* modification, are permitted provided that the following conditions
sl@0	82	* are met:
sl@0	83	* 1. Redistributions of source code must retain the copyright
sl@0	84	* notice, this list of conditions and the following disclaimer.
sl@0	85	* 2. Redistributions in binary form must reproduce the above copyright
sl@0	86	* notice, this list of conditions and the following disclaimer in the
sl@0	87	* documentation and/or other materials provided with the distribution.
sl@0	88	* 3. All advertising materials mentioning features or use of this software
sl@0	89	* must display the following acknowledgement:
sl@0	90	* "This product includes cryptographic software written by
sl@0	91	* Eric Young (eay@cryptsoft.com)"
sl@0	92	* The word 'cryptographic' can be left out if the rouines from the library
sl@0	93	* being used are not cryptographic related :-).
sl@0	94	* 4. If you include any Windows specific code (or a derivative thereof) from
sl@0	95	* the apps directory (application code) you must include an acknowledgement:
sl@0	96	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
sl@0	97	*
sl@0	98	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
sl@0	99	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
sl@0	100	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
sl@0	101	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
sl@0	102	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
sl@0	103	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
sl@0	104	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
sl@0	105	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
sl@0	106	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
sl@0	107	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
sl@0	108	* SUCH DAMAGE.
sl@0	109	*
sl@0	110	* The licence and distribution terms for any publically available version or
sl@0	111	* derivative of this code cannot be changed. i.e. this code cannot simply be
sl@0	112	* copied and put under another distribution licence
sl@0	113	* [including the GNU Public Licence.]
sl@0	114	*/
sl@0	115	/*
sl@0	116	© Portions copyright (c) 2006 Nokia Corporation. All rights reserved.
sl@0	117	*/
sl@0	118
sl@0	119	#include <stdio.h>
sl@0	120	#include "ssl_locl.h"
sl@0	121	#include <openssl/buffer.h>
sl@0	122	#include <openssl/rand.h>
sl@0	123	#include <openssl/objects.h>
sl@0	124	#include <openssl/evp.h>
sl@0	125	#include <openssl/x509.h>
sl@0	126	#include <openssl/md5.h>
sl@0	127	#ifndef OPENSSL_NO_DH
sl@0	128	#include <openssl/dh.h>
sl@0	129	#endif
sl@0	130
sl@0	131	#if (defined(SYMBIAN) && (defined(__WINSCW__) \|\| defined(__WINS__)))
sl@0	132	#include "libssl_wsd.h"
sl@0	133	#endif
sl@0	134
sl@0	135	#ifdef EMULATOR
sl@0	136
sl@0	137	GET_STATIC_VAR_FROM_TLS(DTLSv1_server_method_data,d1_srvr,SSL_METHOD)
sl@0	138
sl@0	139	#define DTLSv1_server_method_data (*GET_WSD_VAR_NAME(DTLSv1_server_method_data,d1_srvr,s)())
sl@0	140
sl@0	141	#endif
sl@0	142
sl@0	143	static SSL_METHOD *dtls1_get_server_method(int ver);
sl@0	144	static int dtls1_send_hello_verify_request(SSL *s);
sl@0	145
sl@0	146	static SSL_METHOD *dtls1_get_server_method(int ver)
sl@0	147	{
sl@0	148	if (ver == DTLS1_VERSION)
sl@0	149	return(DTLSv1_server_method());
sl@0	150	else
sl@0	151	return(NULL);
sl@0	152	}
sl@0	153
sl@0	154	EXPORT_C IMPLEMENT_dtls1_meth_func(DTLSv1_server_method,
sl@0	155	dtls1_accept,
sl@0	156	ssl_undefined_function,
sl@0	157	dtls1_get_server_method)
sl@0	158
sl@0	159	int dtls1_accept(SSL *s)
sl@0	160	{
sl@0	161	BUF_MEM *buf;
sl@0	162	unsigned long l,Time=(unsigned long)time(NULL);
sl@0	163	void (cb)(const SSL ssl,int type,int val)=NULL;
sl@0	164	long num1;
sl@0	165	int ret= -1;
sl@0	166	int new_state,state,skip=0;
sl@0	167
sl@0	168	RAND_add(&Time,sizeof(Time),0);
sl@0	169	ERR_clear_error();
sl@0	170	clear_sys_error();
sl@0	171
sl@0	172	if (s->info_callback != NULL)
sl@0	173	cb=s->info_callback;
sl@0	174	else if (s->ctx->info_callback != NULL)
sl@0	175	cb=s->ctx->info_callback;
sl@0	176
sl@0	177	/* init things to blank */
sl@0	178	s->in_handshake++;
sl@0	179	if (!SSL_in_init(s) \|\| SSL_in_before(s)) SSL_clear(s);
sl@0	180
sl@0	181	if (s->cert == NULL)
sl@0	182	{
sl@0	183	SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
sl@0	184	return(-1);
sl@0	185	}
sl@0	186
sl@0	187	for (;;)
sl@0	188	{
sl@0	189	state=s->state;
sl@0	190
sl@0	191	switch (s->state)
sl@0	192	{
sl@0	193	case SSL_ST_RENEGOTIATE:
sl@0	194	s->new_session=1;
sl@0	195	/* s->state=SSL_ST_ACCEPT; */
sl@0	196
sl@0	197	case SSL_ST_BEFORE:
sl@0	198	case SSL_ST_ACCEPT:
sl@0	199	case SSL_ST_BEFORE\|SSL_ST_ACCEPT:
sl@0	200	case SSL_ST_OK\|SSL_ST_ACCEPT:
sl@0	201
sl@0	202	s->server=1;
sl@0	203	if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
sl@0	204
sl@0	205	if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00))
sl@0	206	{
sl@0	207	SSLerr(SSL_F_DTLS1_ACCEPT, ERR_R_INTERNAL_ERROR);
sl@0	208	return -1;
sl@0	209	}
sl@0	210	s->type=SSL_ST_ACCEPT;
sl@0	211
sl@0	212	if (s->init_buf == NULL)
sl@0	213	{
sl@0	214	if ((buf=BUF_MEM_new()) == NULL)
sl@0	215	{
sl@0	216	ret= -1;
sl@0	217	goto end;
sl@0	218	}
sl@0	219	if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
sl@0	220	{
sl@0	221	ret= -1;
sl@0	222	goto end;
sl@0	223	}
sl@0	224	s->init_buf=buf;
sl@0	225	}
sl@0	226
sl@0	227	if (!ssl3_setup_buffers(s))
sl@0	228	{
sl@0	229	ret= -1;
sl@0	230	goto end;
sl@0	231	}
sl@0	232
sl@0	233	s->init_num=0;
sl@0	234
sl@0	235	if (s->state != SSL_ST_RENEGOTIATE)
sl@0	236	{
sl@0	237	/* Ok, we now need to push on a buffering BIO so that
sl@0	238	* the output is sent in a way that TCP likes :-)
sl@0	239	*/
sl@0	240	if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
sl@0	241
sl@0	242	ssl3_init_finished_mac(s);
sl@0	243	s->state=SSL3_ST_SR_CLNT_HELLO_A;
sl@0	244	s->ctx->stats.sess_accept++;
sl@0	245	}
sl@0	246	else
sl@0	247	{
sl@0	248	/* s->state == SSL_ST_RENEGOTIATE,
sl@0	249	* we will just send a HelloRequest */
sl@0	250	s->ctx->stats.sess_accept_renegotiate++;
sl@0	251	s->state=SSL3_ST_SW_HELLO_REQ_A;
sl@0	252	}
sl@0	253
sl@0	254	if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
sl@0	255	s->d1->send_cookie = 1;
sl@0	256	else
sl@0	257	s->d1->send_cookie = 0;
sl@0	258
sl@0	259	break;
sl@0	260
sl@0	261	case SSL3_ST_SW_HELLO_REQ_A:
sl@0	262	case SSL3_ST_SW_HELLO_REQ_B:
sl@0	263
sl@0	264	s->shutdown=0;
sl@0	265	ret=dtls1_send_hello_request(s);
sl@0	266	if (ret <= 0) goto end;
sl@0	267	s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
sl@0	268	s->state=SSL3_ST_SW_FLUSH;
sl@0	269	s->init_num=0;
sl@0	270
sl@0	271	ssl3_init_finished_mac(s);
sl@0	272	break;
sl@0	273
sl@0	274	case SSL3_ST_SW_HELLO_REQ_C:
sl@0	275	s->state=SSL_ST_OK;
sl@0	276	break;
sl@0	277
sl@0	278	case SSL3_ST_SR_CLNT_HELLO_A:
sl@0	279	case SSL3_ST_SR_CLNT_HELLO_B:
sl@0	280	case SSL3_ST_SR_CLNT_HELLO_C:
sl@0	281
sl@0	282	s->shutdown=0;
sl@0	283	ret=ssl3_get_client_hello(s);
sl@0	284	if (ret <= 0) goto end;
sl@0	285	s->new_session = 2;
sl@0	286
sl@0	287	if ( s->d1->send_cookie)
sl@0	288	s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
sl@0	289	else
sl@0	290	s->state = SSL3_ST_SW_SRVR_HELLO_A;
sl@0	291
sl@0	292	s->init_num=0;
sl@0	293	break;
sl@0	294
sl@0	295	case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
sl@0	296	case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
sl@0	297
sl@0	298	ret = dtls1_send_hello_verify_request(s);
sl@0	299	if ( ret <= 0) goto end;
sl@0	300	s->d1->send_cookie = 0;
sl@0	301	s->state=SSL3_ST_SW_FLUSH;
sl@0	302	s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A;
sl@0	303
sl@0	304	/* HelloVerifyRequests resets Finished MAC */
sl@0	305	if (s->client_version != DTLS1_BAD_VER)
sl@0	306	ssl3_init_finished_mac(s);
sl@0	307	break;
sl@0	308
sl@0	309	case SSL3_ST_SW_SRVR_HELLO_A:
sl@0	310	case SSL3_ST_SW_SRVR_HELLO_B:
sl@0	311	ret=dtls1_send_server_hello(s);
sl@0	312	if (ret <= 0) goto end;
sl@0	313
sl@0	314	if (s->hit)
sl@0	315	s->state=SSL3_ST_SW_CHANGE_A;
sl@0	316	else
sl@0	317	s->state=SSL3_ST_SW_CERT_A;
sl@0	318	s->init_num=0;
sl@0	319	break;
sl@0	320
sl@0	321	case SSL3_ST_SW_CERT_A:
sl@0	322	case SSL3_ST_SW_CERT_B:
sl@0	323	/* Check if it is anon DH */
sl@0	324	if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
sl@0	325	{
sl@0	326	ret=dtls1_send_server_certificate(s);
sl@0	327	if (ret <= 0) goto end;
sl@0	328	}
sl@0	329	else
sl@0	330	skip=1;
sl@0	331	s->state=SSL3_ST_SW_KEY_EXCH_A;
sl@0	332	s->init_num=0;
sl@0	333	break;
sl@0	334
sl@0	335	case SSL3_ST_SW_KEY_EXCH_A:
sl@0	336	case SSL3_ST_SW_KEY_EXCH_B:
sl@0	337	l=s->s3->tmp.new_cipher->algorithms;
sl@0	338
sl@0	339	/* clear this, it may get reset by
sl@0	340	* send_server_key_exchange */
sl@0	341	if ((s->options & SSL_OP_EPHEMERAL_RSA)
sl@0	342	#ifndef OPENSSL_NO_KRB5
sl@0	343	&& !(l & SSL_KRB5)
sl@0	344	#endif /* OPENSSL_NO_KRB5 */
sl@0	345	)
sl@0	346	/* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
sl@0	347	* even when forbidden by protocol specs
sl@0	348	* (handshake may fail as clients are not required to
sl@0	349	* be able to handle this) */
sl@0	350	s->s3->tmp.use_rsa_tmp=1;
sl@0	351	else
sl@0	352	s->s3->tmp.use_rsa_tmp=0;
sl@0	353
sl@0	354	/* only send if a DH key exchange, fortezza or
sl@0	355	* RSA but we have a sign only certificate */
sl@0	356	if (s->s3->tmp.use_rsa_tmp
sl@0	357	\|\| (l & (SSL_DH\|SSL_kFZA))
sl@0	358	\|\| ((l & SSL_kRSA)
sl@0	359	&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
sl@0	360	\|\| (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
sl@0	361	&& EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
sl@0	362	)
sl@0	363	)
sl@0	364	)
sl@0	365	)
sl@0	366	{
sl@0	367	ret=dtls1_send_server_key_exchange(s);
sl@0	368	if (ret <= 0) goto end;
sl@0	369	}
sl@0	370	else
sl@0	371	skip=1;
sl@0	372
sl@0	373	s->state=SSL3_ST_SW_CERT_REQ_A;
sl@0	374	s->init_num=0;
sl@0	375	break;
sl@0	376
sl@0	377	case SSL3_ST_SW_CERT_REQ_A:
sl@0	378	case SSL3_ST_SW_CERT_REQ_B:
sl@0	379	if (/* don't request cert unless asked for it: */
sl@0	380	!(s->verify_mode & SSL_VERIFY_PEER) \|\|
sl@0	381	/* if SSL_VERIFY_CLIENT_ONCE is set,
sl@0	382	* don't request cert during re-negotiation: */
sl@0	383	((s->session->peer != NULL) &&
sl@0	384	(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) \|\|
sl@0	385	/* never request cert in anonymous ciphersuites
sl@0	386	* (see section "Certificate request" in SSL 3 drafts
sl@0	387	* and in RFC 2246): */
sl@0	388	((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) &&
sl@0	389	/* ... except when the application insists on verification
sl@0	390	* (against the specs, but s3_clnt.c accepts this for SSL 3) */
sl@0	391	!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) \|\|
sl@0	392	/* never request cert in Kerberos ciphersuites */
sl@0	393	(s->s3->tmp.new_cipher->algorithms & SSL_aKRB5))
sl@0	394	{
sl@0	395	/* no cert request */
sl@0	396	skip=1;
sl@0	397	s->s3->tmp.cert_request=0;
sl@0	398	s->state=SSL3_ST_SW_SRVR_DONE_A;
sl@0	399	}
sl@0	400	else
sl@0	401	{
sl@0	402	s->s3->tmp.cert_request=1;
sl@0	403	ret=dtls1_send_certificate_request(s);
sl@0	404	if (ret <= 0) goto end;
sl@0	405	#ifndef NETSCAPE_HANG_BUG
sl@0	406	s->state=SSL3_ST_SW_SRVR_DONE_A;
sl@0	407	#else
sl@0	408	s->state=SSL3_ST_SW_FLUSH;
sl@0	409	s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
sl@0	410	#endif
sl@0	411	s->init_num=0;
sl@0	412	}
sl@0	413	break;
sl@0	414
sl@0	415	case SSL3_ST_SW_SRVR_DONE_A:
sl@0	416	case SSL3_ST_SW_SRVR_DONE_B:
sl@0	417	ret=dtls1_send_server_done(s);
sl@0	418	if (ret <= 0) goto end;
sl@0	419	s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
sl@0	420	s->state=SSL3_ST_SW_FLUSH;
sl@0	421	s->init_num=0;
sl@0	422	break;
sl@0	423
sl@0	424	case SSL3_ST_SW_FLUSH:
sl@0	425	/* number of bytes to be flushed */
sl@0	426	num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
sl@0	427	if (num1 > 0)
sl@0	428	{
sl@0	429	s->rwstate=SSL_WRITING;
sl@0	430	num1=BIO_flush(s->wbio);
sl@0	431	if (num1 <= 0) { ret= -1; goto end; }
sl@0	432	s->rwstate=SSL_NOTHING;
sl@0	433	}
sl@0	434
sl@0	435	s->state=s->s3->tmp.next_state;
sl@0	436	break;
sl@0	437
sl@0	438	case SSL3_ST_SR_CERT_A:
sl@0	439	case SSL3_ST_SR_CERT_B:
sl@0	440	/* Check for second client hello (MS SGC) */
sl@0	441	ret = ssl3_check_client_hello(s);
sl@0	442	if (ret <= 0)
sl@0	443	goto end;
sl@0	444	if (ret == 2)
sl@0	445	s->state = SSL3_ST_SR_CLNT_HELLO_C;
sl@0	446	else {
sl@0	447	/* could be sent for a DH cert, even if we
sl@0	448	* have not asked for it :-) */
sl@0	449	ret=ssl3_get_client_certificate(s);
sl@0	450	if (ret <= 0) goto end;
sl@0	451	s->init_num=0;
sl@0	452	s->state=SSL3_ST_SR_KEY_EXCH_A;
sl@0	453	}
sl@0	454	break;
sl@0	455
sl@0	456	case SSL3_ST_SR_KEY_EXCH_A:
sl@0	457	case SSL3_ST_SR_KEY_EXCH_B:
sl@0	458	ret=ssl3_get_client_key_exchange(s);
sl@0	459	if (ret <= 0) goto end;
sl@0	460	s->state=SSL3_ST_SR_CERT_VRFY_A;
sl@0	461	s->init_num=0;
sl@0	462
sl@0	463	/* We need to get hashes here so if there is
sl@0	464	* a client cert, it can be verified */
sl@0	465	s->method->ssl3_enc->cert_verify_mac(s,
sl@0	466	&(s->s3->finish_dgst1),
sl@0	467	&(s->s3->tmp.cert_verify_md[0]));
sl@0	468	s->method->ssl3_enc->cert_verify_mac(s,
sl@0	469	&(s->s3->finish_dgst2),
sl@0	470	&(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
sl@0	471
sl@0	472	break;
sl@0	473
sl@0	474	case SSL3_ST_SR_CERT_VRFY_A:
sl@0	475	case SSL3_ST_SR_CERT_VRFY_B:
sl@0	476
sl@0	477	/* we should decide if we expected this one */
sl@0	478	ret=ssl3_get_cert_verify(s);
sl@0	479	if (ret <= 0) goto end;
sl@0	480
sl@0	481	s->state=SSL3_ST_SR_FINISHED_A;
sl@0	482	s->init_num=0;
sl@0	483	break;
sl@0	484
sl@0	485	case SSL3_ST_SR_FINISHED_A:
sl@0	486	case SSL3_ST_SR_FINISHED_B:
sl@0	487	ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
sl@0	488	SSL3_ST_SR_FINISHED_B);
sl@0	489	if (ret <= 0) goto end;
sl@0	490	if (s->hit)
sl@0	491	s->state=SSL_ST_OK;
sl@0	492	else
sl@0	493	s->state=SSL3_ST_SW_CHANGE_A;
sl@0	494	s->init_num=0;
sl@0	495	break;
sl@0	496
sl@0	497	case SSL3_ST_SW_CHANGE_A:
sl@0	498	case SSL3_ST_SW_CHANGE_B:
sl@0	499
sl@0	500	s->session->cipher=s->s3->tmp.new_cipher;
sl@0	501	if (!s->method->ssl3_enc->setup_key_block(s))
sl@0	502	{ ret= -1; goto end; }
sl@0	503
sl@0	504	ret=dtls1_send_change_cipher_spec(s,
sl@0	505	SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B);
sl@0	506
sl@0	507	if (ret <= 0) goto end;
sl@0	508	s->state=SSL3_ST_SW_FINISHED_A;
sl@0	509	s->init_num=0;
sl@0	510
sl@0	511	if (!s->method->ssl3_enc->change_cipher_state(s,
sl@0	512	SSL3_CHANGE_CIPHER_SERVER_WRITE))
sl@0	513	{
sl@0	514	ret= -1;
sl@0	515	goto end;
sl@0	516	}
sl@0	517
sl@0	518	dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
sl@0	519	break;
sl@0	520
sl@0	521	case SSL3_ST_SW_FINISHED_A:
sl@0	522	case SSL3_ST_SW_FINISHED_B:
sl@0	523	ret=dtls1_send_finished(s,
sl@0	524	SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
sl@0	525	s->method->ssl3_enc->server_finished_label,
sl@0	526	s->method->ssl3_enc->server_finished_label_len);
sl@0	527	if (ret <= 0) goto end;
sl@0	528	s->state=SSL3_ST_SW_FLUSH;
sl@0	529	if (s->hit)
sl@0	530	s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
sl@0	531	else
sl@0	532	s->s3->tmp.next_state=SSL_ST_OK;
sl@0	533	s->init_num=0;
sl@0	534	break;
sl@0	535
sl@0	536	case SSL_ST_OK:
sl@0	537	/* clean a few things up */
sl@0	538	ssl3_cleanup_key_block(s);
sl@0	539
sl@0	540	#if 0
sl@0	541	BUF_MEM_free(s->init_buf);
sl@0	542	s->init_buf=NULL;
sl@0	543	#endif
sl@0	544
sl@0	545	/* remove buffering on output */
sl@0	546	ssl_free_wbio_buffer(s);
sl@0	547
sl@0	548	s->init_num=0;
sl@0	549
sl@0	550	if (s->new_session == 2) /* skipped if we just sent a HelloRequest */
sl@0	551	{
sl@0	552	/* actually not necessarily a 'new' session unless
sl@0	553	* SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
sl@0	554
sl@0	555	s->new_session=0;
sl@0	556
sl@0	557	ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
sl@0	558
sl@0	559	s->ctx->stats.sess_accept_good++;
sl@0	560	/* s->server=1; */
sl@0	561	s->handshake_func=dtls1_accept;
sl@0	562
sl@0	563	if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
sl@0	564	}
sl@0	565
sl@0	566	ret = 1;
sl@0	567
sl@0	568	/* done handshaking, next message is client hello */
sl@0	569	s->d1->handshake_read_seq = 0;
sl@0	570	/* next message is server hello */
sl@0	571	s->d1->handshake_write_seq = 0;
sl@0	572	goto end;
sl@0	573	/* break; */
sl@0	574
sl@0	575	default:
sl@0	576	SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_UNKNOWN_STATE);
sl@0	577	ret= -1;
sl@0	578	goto end;
sl@0	579	/* break; */
sl@0	580	}
sl@0	581
sl@0	582	if (!s->s3->tmp.reuse_message && !skip)
sl@0	583	{
sl@0	584	if (s->debug)
sl@0	585	{
sl@0	586	if ((ret=BIO_flush(s->wbio)) <= 0)
sl@0	587	goto end;
sl@0	588	}
sl@0	589
sl@0	590
sl@0	591	if ((cb != NULL) && (s->state != state))
sl@0	592	{
sl@0	593	new_state=s->state;
sl@0	594	s->state=state;
sl@0	595	cb(s,SSL_CB_ACCEPT_LOOP,1);
sl@0	596	s->state=new_state;
sl@0	597	}
sl@0	598	}
sl@0	599	skip=0;
sl@0	600	}
sl@0	601	end:
sl@0	602	/* BIO_flush(s->wbio); */
sl@0	603
sl@0	604	s->in_handshake--;
sl@0	605	if (cb != NULL)
sl@0	606	cb(s,SSL_CB_ACCEPT_EXIT,ret);
sl@0	607	return(ret);
sl@0	608	}
sl@0	609
sl@0	610	int dtls1_send_hello_request(SSL *s)
sl@0	611	{
sl@0	612	unsigned char *p;
sl@0	613
sl@0	614	if (s->state == SSL3_ST_SW_HELLO_REQ_A)
sl@0	615	{
sl@0	616	p=(unsigned char *)s->init_buf->data;
sl@0	617	p = dtls1_set_message_header(s, p, SSL3_MT_HELLO_REQUEST, 0, 0, 0);
sl@0	618
sl@0	619	s->state=SSL3_ST_SW_HELLO_REQ_B;
sl@0	620	/* number of bytes to write */
sl@0	621	s->init_num=DTLS1_HM_HEADER_LENGTH;
sl@0	622	s->init_off=0;
sl@0	623
sl@0	624	/* no need to buffer this message, since there are no retransmit
sl@0	625	* requests for it */
sl@0	626	}
sl@0	627
sl@0	628	/* SSL3_ST_SW_HELLO_REQ_B */
sl@0	629	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
sl@0	630	}
sl@0	631
sl@0	632	int dtls1_send_hello_verify_request(SSL *s)
sl@0	633	{
sl@0	634	unsigned int msg_len;
sl@0	635	unsigned char msg, buf, *p;
sl@0	636
sl@0	637	if (s->state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A)
sl@0	638	{
sl@0	639	buf = (unsigned char *)s->init_buf->data;
sl@0	640
sl@0	641	msg = p = &(buf[DTLS1_HM_HEADER_LENGTH]);
sl@0	642	if (s->client_version == DTLS1_BAD_VER)
sl@0	643	*(p++) = DTLS1_BAD_VER>>8,
sl@0	644	*(p++) = DTLS1_BAD_VER&0xff;
sl@0	645	else
sl@0	646	*(p++) = s->version >> 8,
sl@0	647	*(p++) = s->version & 0xFF;
sl@0	648
sl@0	649	if (s->ctx->app_gen_cookie_cb != NULL &&
sl@0	650	s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
sl@0	651	&(s->d1->cookie_len)) == 0)
sl@0	652	{
sl@0	653	SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,ERR_R_INTERNAL_ERROR);
sl@0	654	return 0;
sl@0	655	}
sl@0	656	/* else the cookie is assumed to have
sl@0	657	* been initialized by the application */
sl@0	658
sl@0	659	*(p++) = (unsigned char) s->d1->cookie_len;
sl@0	660	memcpy(p, s->d1->cookie, s->d1->cookie_len);
sl@0	661	p += s->d1->cookie_len;
sl@0	662	msg_len = p - msg;
sl@0	663
sl@0	664	dtls1_set_message_header(s, buf,
sl@0	665	DTLS1_MT_HELLO_VERIFY_REQUEST, msg_len, 0, msg_len);
sl@0	666
sl@0	667	s->state=DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B;
sl@0	668	/* number of bytes to write */
sl@0	669	s->init_num=p-buf;
sl@0	670	s->init_off=0;
sl@0	671
sl@0	672	/* buffer the message to handle re-xmits */
sl@0	673	dtls1_buffer_message(s, 0);
sl@0	674	}
sl@0	675
sl@0	676	/* s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */
sl@0	677	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
sl@0	678	}
sl@0	679
sl@0	680	int dtls1_send_server_hello(SSL *s)
sl@0	681	{
sl@0	682	unsigned char *buf;
sl@0	683	unsigned char p,d;
sl@0	684	int i;
sl@0	685	unsigned int sl;
sl@0	686	unsigned long l,Time;
sl@0	687
sl@0	688	if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
sl@0	689	{
sl@0	690	buf=(unsigned char *)s->init_buf->data;
sl@0	691	p=s->s3->server_random;
sl@0	692	Time=(unsigned long)time(NULL); /* Time */
sl@0	693	l2n(Time,p);
sl@0	694	RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
sl@0	695	/* Do the message type and length last */
sl@0	696	d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
sl@0	697
sl@0	698	if (s->client_version == DTLS1_BAD_VER)
sl@0	699	*(p++)=DTLS1_BAD_VER>>8,
sl@0	700	*(p++)=DTLS1_BAD_VER&0xff;
sl@0	701	else
sl@0	702	*(p++)=s->version>>8,
sl@0	703	*(p++)=s->version&0xff;
sl@0	704
sl@0	705	/* Random stuff */
sl@0	706	memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
sl@0	707	p+=SSL3_RANDOM_SIZE;
sl@0	708
sl@0	709	/* now in theory we have 3 options to sending back the
sl@0	710	* session id. If it is a re-use, we send back the
sl@0	711	* old session-id, if it is a new session, we send
sl@0	712	* back the new session-id or we send back a 0 length
sl@0	713	* session-id if we want it to be single use.
sl@0	714	* Currently I will not implement the '0' length session-id
sl@0	715	* 12-Jan-98 - I'll now support the '0' length stuff.
sl@0	716	*/
sl@0	717	if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER))
sl@0	718	s->session->session_id_length=0;
sl@0	719
sl@0	720	sl=s->session->session_id_length;
sl@0	721	if (sl > sizeof s->session->session_id)
sl@0	722	{
sl@0	723	SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
sl@0	724	return -1;
sl@0	725	}
sl@0	726	*(p++)=sl;
sl@0	727	memcpy(p,s->session->session_id,sl);
sl@0	728	p+=sl;
sl@0	729
sl@0	730	/* put the cipher */
sl@0	731	i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p);
sl@0	732	p+=i;
sl@0	733
sl@0	734	/* put the compression method */
sl@0	735	#ifdef OPENSSL_NO_COMP
sl@0	736	*(p++)=0;
sl@0	737	#else
sl@0	738	if (s->s3->tmp.new_compression == NULL)
sl@0	739	*(p++)=0;
sl@0	740	else
sl@0	741	*(p++)=s->s3->tmp.new_compression->id;
sl@0	742	#endif
sl@0	743
sl@0	744	/* do the header */
sl@0	745	l=(p-d);
sl@0	746	d=buf;
sl@0	747
sl@0	748	d = dtls1_set_message_header(s, d, SSL3_MT_SERVER_HELLO, l, 0, l);
sl@0	749
sl@0	750	s->state=SSL3_ST_CW_CLNT_HELLO_B;
sl@0	751	/* number of bytes to write */
sl@0	752	s->init_num=p-buf;
sl@0	753	s->init_off=0;
sl@0	754
sl@0	755	/* buffer the message to handle re-xmits */
sl@0	756	dtls1_buffer_message(s, 0);
sl@0	757	}
sl@0	758
sl@0	759	/* SSL3_ST_CW_CLNT_HELLO_B */
sl@0	760	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
sl@0	761	}
sl@0	762
sl@0	763	int dtls1_send_server_done(SSL *s)
sl@0	764	{
sl@0	765	unsigned char *p;
sl@0	766
sl@0	767	if (s->state == SSL3_ST_SW_SRVR_DONE_A)
sl@0	768	{
sl@0	769	p=(unsigned char *)s->init_buf->data;
sl@0	770
sl@0	771	/* do the header */
sl@0	772	p = dtls1_set_message_header(s, p, SSL3_MT_SERVER_DONE, 0, 0, 0);
sl@0	773
sl@0	774	s->state=SSL3_ST_SW_SRVR_DONE_B;
sl@0	775	/* number of bytes to write */
sl@0	776	s->init_num=DTLS1_HM_HEADER_LENGTH;
sl@0	777	s->init_off=0;
sl@0	778
sl@0	779	/* buffer the message to handle re-xmits */
sl@0	780	dtls1_buffer_message(s, 0);
sl@0	781	}
sl@0	782
sl@0	783	/* SSL3_ST_CW_CLNT_HELLO_B */
sl@0	784	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
sl@0	785	}
sl@0	786
sl@0	787	int dtls1_send_server_key_exchange(SSL *s)
sl@0	788	{
sl@0	789	#ifndef OPENSSL_NO_RSA
sl@0	790	unsigned char *q;
sl@0	791	int j,num;
sl@0	792	RSA *rsa;
sl@0	793	unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
sl@0	794	unsigned int u;
sl@0	795	#endif
sl@0	796	#ifndef OPENSSL_NO_DH
sl@0	797	DH dh=NULL,dhp;
sl@0	798	#endif
sl@0	799	EVP_PKEY *pkey;
sl@0	800	unsigned char p,d;
sl@0	801	int al,i;
sl@0	802	unsigned long type;
sl@0	803	int n;
sl@0	804	CERT *cert;
sl@0	805	BIGNUM *r[4];
sl@0	806	int nr[4],kn;
sl@0	807	BUF_MEM *buf;
sl@0	808	EVP_MD_CTX md_ctx;
sl@0	809
sl@0	810	EVP_MD_CTX_init(&md_ctx);
sl@0	811	if (s->state == SSL3_ST_SW_KEY_EXCH_A)
sl@0	812	{
sl@0	813	type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK;
sl@0	814	cert=s->cert;
sl@0	815
sl@0	816	buf=s->init_buf;
sl@0	817
sl@0	818	r[0]=r[1]=r[2]=r[3]=NULL;
sl@0	819	n=0;
sl@0	820	#ifndef OPENSSL_NO_RSA
sl@0	821	if (type & SSL_kRSA)
sl@0	822	{
sl@0	823	rsa=cert->rsa_tmp;
sl@0	824	if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL))
sl@0	825	{
sl@0	826	rsa=s->cert->rsa_tmp_cb(s,
sl@0	827	SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
sl@0	828	SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
sl@0	829	if(rsa == NULL)
sl@0	830	{
sl@0	831	al=SSL_AD_HANDSHAKE_FAILURE;
sl@0	832	SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
sl@0	833	goto f_err;
sl@0	834	}
sl@0	835	RSA_up_ref(rsa);
sl@0	836	cert->rsa_tmp=rsa;
sl@0	837	}
sl@0	838	if (rsa == NULL)
sl@0	839	{
sl@0	840	al=SSL_AD_HANDSHAKE_FAILURE;
sl@0	841	SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY);
sl@0	842	goto f_err;
sl@0	843	}
sl@0	844	r[0]=rsa->n;
sl@0	845	r[1]=rsa->e;
sl@0	846	s->s3->tmp.use_rsa_tmp=1;
sl@0	847	}
sl@0	848	else
sl@0	849	#endif
sl@0	850	#ifndef OPENSSL_NO_DH
sl@0	851	if (type & SSL_kEDH)
sl@0	852	{
sl@0	853	dhp=cert->dh_tmp;
sl@0	854	if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
sl@0	855	dhp=s->cert->dh_tmp_cb(s,
sl@0	856	SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
sl@0	857	SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
sl@0	858	if (dhp == NULL)
sl@0	859	{
sl@0	860	al=SSL_AD_HANDSHAKE_FAILURE;
sl@0	861	SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
sl@0	862	goto f_err;
sl@0	863	}
sl@0	864
sl@0	865	if (s->s3->tmp.dh != NULL)
sl@0	866	{
sl@0	867	DH_free(dh);
sl@0	868	SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
sl@0	869	goto err;
sl@0	870	}
sl@0	871
sl@0	872	if ((dh=DHparams_dup(dhp)) == NULL)
sl@0	873	{
sl@0	874	SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
sl@0	875	goto err;
sl@0	876	}
sl@0	877
sl@0	878	s->s3->tmp.dh=dh;
sl@0	879	if ((dhp->pub_key == NULL \|\|
sl@0	880	dhp->priv_key == NULL \|\|
sl@0	881	(s->options & SSL_OP_SINGLE_DH_USE)))
sl@0	882	{
sl@0	883	if(!DH_generate_key(dh))
sl@0	884	{
sl@0	885	SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,
sl@0	886	ERR_R_DH_LIB);
sl@0	887	goto err;
sl@0	888	}
sl@0	889	}
sl@0	890	else
sl@0	891	{
sl@0	892	dh->pub_key=BN_dup(dhp->pub_key);
sl@0	893	dh->priv_key=BN_dup(dhp->priv_key);
sl@0	894	if ((dh->pub_key == NULL) \|\|
sl@0	895	(dh->priv_key == NULL))
sl@0	896	{
sl@0	897	SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
sl@0	898	goto err;
sl@0	899	}
sl@0	900	}
sl@0	901	r[0]=dh->p;
sl@0	902	r[1]=dh->g;
sl@0	903	r[2]=dh->pub_key;
sl@0	904	}
sl@0	905	else
sl@0	906	#endif
sl@0	907	{
sl@0	908	al=SSL_AD_HANDSHAKE_FAILURE;
sl@0	909	SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
sl@0	910	goto f_err;
sl@0	911	}
sl@0	912	for (i=0; r[i] != NULL; i++)
sl@0	913	{
sl@0	914	nr[i]=BN_num_bytes(r[i]);
sl@0	915	n+=2+nr[i];
sl@0	916	}
sl@0	917
sl@0	918	if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
sl@0	919	{
sl@0	920	if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher))
sl@0	921	== NULL)
sl@0	922	{
sl@0	923	al=SSL_AD_DECODE_ERROR;
sl@0	924	goto f_err;
sl@0	925	}
sl@0	926	kn=EVP_PKEY_size(pkey);
sl@0	927	}
sl@0	928	else
sl@0	929	{
sl@0	930	pkey=NULL;
sl@0	931	kn=0;
sl@0	932	}
sl@0	933
sl@0	934	if (!BUF_MEM_grow_clean(buf,n+DTLS1_HM_HEADER_LENGTH+kn))
sl@0	935	{
sl@0	936	SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
sl@0	937	goto err;
sl@0	938	}
sl@0	939	d=(unsigned char *)s->init_buf->data;
sl@0	940	p= &(d[DTLS1_HM_HEADER_LENGTH]);
sl@0	941
sl@0	942	for (i=0; r[i] != NULL; i++)
sl@0	943	{
sl@0	944	s2n(nr[i],p);
sl@0	945	BN_bn2bin(r[i],p);
sl@0	946	p+=nr[i];
sl@0	947	}
sl@0	948
sl@0	949	/* not anonymous */
sl@0	950	if (pkey != NULL)
sl@0	951	{
sl@0	952	/* n is the length of the params, they start at
sl@0	953	* &(d[DTLS1_HM_HEADER_LENGTH]) and p points to the space
sl@0	954	* at the end. */
sl@0	955	#ifndef OPENSSL_NO_RSA
sl@0	956	if (pkey->type == EVP_PKEY_RSA)
sl@0	957	{
sl@0	958	q=md_buf;
sl@0	959	j=0;
sl@0	960	for (num=2; num > 0; num--)
sl@0	961	{
sl@0	962	EVP_DigestInit_ex(&md_ctx,(num == 2)
sl@0	963	?s->ctx->md5:s->ctx->sha1, NULL);
sl@0	964	EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
sl@0	965	EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
sl@0	966	EVP_DigestUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n);
sl@0	967	EVP_DigestFinal_ex(&md_ctx,q,
sl@0	968	(unsigned int *)&i);
sl@0	969	q+=i;
sl@0	970	j+=i;
sl@0	971	}
sl@0	972	if (RSA_sign(NID_md5_sha1, md_buf, j,
sl@0	973	&(p[2]), &u, pkey->pkey.rsa) <= 0)
sl@0	974	{
sl@0	975	SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
sl@0	976	goto err;
sl@0	977	}
sl@0	978	s2n(u,p);
sl@0	979	n+=u+2;
sl@0	980	}
sl@0	981	else
sl@0	982	#endif
sl@0	983	#if !defined(OPENSSL_NO_DSA)
sl@0	984	if (pkey->type == EVP_PKEY_DSA)
sl@0	985	{
sl@0	986	/* lets do DSS */
sl@0	987	EVP_SignInit_ex(&md_ctx,EVP_dss1(), NULL);
sl@0	988	EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
sl@0	989	EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
sl@0	990	EVP_SignUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n);
sl@0	991	if (!EVP_SignFinal(&md_ctx,&(p[2]),
sl@0	992	(unsigned int *)&i,pkey))
sl@0	993	{
sl@0	994	SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA);
sl@0	995	goto err;
sl@0	996	}
sl@0	997	s2n(i,p);
sl@0	998	n+=i+2;
sl@0	999	}
sl@0	1000	else
sl@0	1001	#endif
sl@0	1002	{
sl@0	1003	/* Is this error check actually needed? */
sl@0	1004	al=SSL_AD_HANDSHAKE_FAILURE;
sl@0	1005	SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE);
sl@0	1006	goto f_err;
sl@0	1007	}
sl@0	1008	}
sl@0	1009
sl@0	1010	d = dtls1_set_message_header(s, d,
sl@0	1011	SSL3_MT_SERVER_KEY_EXCHANGE, n, 0, n);
sl@0	1012
sl@0	1013	/* we should now have things packed up, so lets send
sl@0	1014	* it off */
sl@0	1015	s->init_num=n+DTLS1_HM_HEADER_LENGTH;
sl@0	1016	s->init_off=0;
sl@0	1017
sl@0	1018	/* buffer the message to handle re-xmits */
sl@0	1019	dtls1_buffer_message(s, 0);
sl@0	1020	}
sl@0	1021
sl@0	1022	s->state = SSL3_ST_SW_KEY_EXCH_B;
sl@0	1023	EVP_MD_CTX_cleanup(&md_ctx);
sl@0	1024	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
sl@0	1025	f_err:
sl@0	1026	ssl3_send_alert(s,SSL3_AL_FATAL,al);
sl@0	1027	err:
sl@0	1028	EVP_MD_CTX_cleanup(&md_ctx);
sl@0	1029	return(-1);
sl@0	1030	}
sl@0	1031
sl@0	1032	int dtls1_send_certificate_request(SSL *s)
sl@0	1033	{
sl@0	1034	unsigned char p,d;
sl@0	1035	int i,j,nl,off,n;
sl@0	1036	STACK_OF(X509_NAME) *sk=NULL;
sl@0	1037	X509_NAME *name;
sl@0	1038	BUF_MEM *buf;
sl@0	1039	unsigned int msg_len;
sl@0	1040
sl@0	1041	if (s->state == SSL3_ST_SW_CERT_REQ_A)
sl@0	1042	{
sl@0	1043	buf=s->init_buf;
sl@0	1044
sl@0	1045	d=p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH]);
sl@0	1046
sl@0	1047	/* get the list of acceptable cert types */
sl@0	1048	p++;
sl@0	1049	n=ssl3_get_req_cert_type(s,p);
sl@0	1050	d[0]=n;
sl@0	1051	p+=n;
sl@0	1052	n++;
sl@0	1053
sl@0	1054	off=n;
sl@0	1055	p+=2;
sl@0	1056	n+=2;
sl@0	1057
sl@0	1058	sk=SSL_get_client_CA_list(s);
sl@0	1059	nl=0;
sl@0	1060	if (sk != NULL)
sl@0	1061	{
sl@0	1062	for (i=0; i<sk_X509_NAME_num(sk); i++)
sl@0	1063	{
sl@0	1064	name=sk_X509_NAME_value(sk,i);
sl@0	1065	j=i2d_X509_NAME(name,NULL);
sl@0	1066	if (!BUF_MEM_grow_clean(buf,DTLS1_HM_HEADER_LENGTH+n+j+2))
sl@0	1067	{
sl@0	1068	SSLerr(SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
sl@0	1069	goto err;
sl@0	1070	}
sl@0	1071	p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH+n]);
sl@0	1072	if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
sl@0	1073	{
sl@0	1074	s2n(j,p);
sl@0	1075	i2d_X509_NAME(name,&p);
sl@0	1076	n+=2+j;
sl@0	1077	nl+=2+j;
sl@0	1078	}
sl@0	1079	else
sl@0	1080	{
sl@0	1081	d=p;
sl@0	1082	i2d_X509_NAME(name,&p);
sl@0	1083	j-=2; s2n(j,d); j+=2;
sl@0	1084	n+=j;
sl@0	1085	nl+=j;
sl@0	1086	}
sl@0	1087	}
sl@0	1088	}
sl@0	1089	/* else no CA names */
sl@0	1090	p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH+off]);
sl@0	1091	s2n(nl,p);
sl@0	1092
sl@0	1093	d=(unsigned char *)buf->data;
sl@0	1094	*(d++)=SSL3_MT_CERTIFICATE_REQUEST;
sl@0	1095	l2n3(n,d);
sl@0	1096	s2n(s->d1->handshake_write_seq,d);
sl@0	1097	s->d1->handshake_write_seq++;
sl@0	1098
sl@0	1099	/* we should now have things packed up, so lets send
sl@0	1100	* it off */
sl@0	1101
sl@0	1102	s->init_num=n+DTLS1_HM_HEADER_LENGTH;
sl@0	1103	s->init_off=0;
sl@0	1104	#ifdef NETSCAPE_HANG_BUG
sl@0	1105	/* XXX: what to do about this? */
sl@0	1106	p=(unsigned char *)s->init_buf->data + s->init_num;
sl@0	1107
sl@0	1108	/* do the header */
sl@0	1109	*(p++)=SSL3_MT_SERVER_DONE;
sl@0	1110	*(p++)=0;
sl@0	1111	*(p++)=0;
sl@0	1112	*(p++)=0;
sl@0	1113	s->init_num += 4;
sl@0	1114	#endif
sl@0	1115
sl@0	1116	/* XDTLS: set message header ? */
sl@0	1117	msg_len = s->init_num - DTLS1_HM_HEADER_LENGTH;
sl@0	1118	dtls1_set_message_header(s, (void *)s->init_buf->data,
sl@0	1119	SSL3_MT_CERTIFICATE_REQUEST, msg_len, 0, msg_len);
sl@0	1120
sl@0	1121	/* buffer the message to handle re-xmits */
sl@0	1122	dtls1_buffer_message(s, 0);
sl@0	1123
sl@0	1124	s->state = SSL3_ST_SW_CERT_REQ_B;
sl@0	1125	}
sl@0	1126
sl@0	1127	/* SSL3_ST_SW_CERT_REQ_B */
sl@0	1128	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
sl@0	1129	err:
sl@0	1130	return(-1);
sl@0	1131	}
sl@0	1132
sl@0	1133	int dtls1_send_server_certificate(SSL *s)
sl@0	1134	{
sl@0	1135	unsigned long l;
sl@0	1136	X509 *x;
sl@0	1137
sl@0	1138	if (s->state == SSL3_ST_SW_CERT_A)
sl@0	1139	{
sl@0	1140	x=ssl_get_server_send_cert(s);
sl@0	1141	if (x == NULL &&
sl@0	1142	/* VRS: allow null cert if auth == KRB5 */
sl@0	1143	(s->s3->tmp.new_cipher->algorithms
sl@0	1144	& (SSL_MKEY_MASK\|SSL_AUTH_MASK))
sl@0	1145	!= (SSL_aKRB5\|SSL_kKRB5))
sl@0	1146	{
sl@0	1147	SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
sl@0	1148	return(0);
sl@0	1149	}
sl@0	1150
sl@0	1151	l=dtls1_output_cert_chain(s,x);
sl@0	1152	s->state=SSL3_ST_SW_CERT_B;
sl@0	1153	s->init_num=(int)l;
sl@0	1154	s->init_off=0;
sl@0	1155
sl@0	1156	/* buffer the message to handle re-xmits */
sl@0	1157	dtls1_buffer_message(s, 0);
sl@0	1158	}
sl@0	1159
sl@0	1160	/* SSL3_ST_SW_CERT_B */
sl@0	1161	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
sl@0	1162	}

author	sl@SLION-WIN7.fritz.box
	Fri, 15 Jun 2012 03:10:57 +0200
changeset 0	bde4ae8d615e
permissions	-rw-r--r--