sl@0: /* ssl/d1_srvr.c */
sl@0: /* 
sl@0:  * DTLS implementation written by Nagendra Modadugu
sl@0:  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
sl@0:  */
sl@0: /* ====================================================================
sl@0:  * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
sl@0:  *
sl@0:  * Redistribution and use in source and binary forms, with or without
sl@0:  * modification, are permitted provided that the following conditions
sl@0:  * are met:
sl@0:  *
sl@0:  * 1. Redistributions of source code must retain the above copyright
sl@0:  *    notice, this list of conditions and the following disclaimer. 
sl@0:  *
sl@0:  * 2. Redistributions in binary form must reproduce the above copyright
sl@0:  *    notice, this list of conditions and the following disclaimer in
sl@0:  *    the documentation and/or other materials provided with the
sl@0:  *    distribution.
sl@0:  *
sl@0:  * 3. All advertising materials mentioning features or use of this
sl@0:  *    software must display the following acknowledgment:
sl@0:  *    "This product includes software developed by the OpenSSL Project
sl@0:  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
sl@0:  *
sl@0:  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
sl@0:  *    endorse or promote products derived from this software without
sl@0:  *    prior written permission. For written permission, please contact
sl@0:  *    openssl-core@OpenSSL.org.
sl@0:  *
sl@0:  * 5. Products derived from this software may not be called "OpenSSL"
sl@0:  *    nor may "OpenSSL" appear in their names without prior written
sl@0:  *    permission of the OpenSSL Project.
sl@0:  *
sl@0:  * 6. Redistributions of any form whatsoever must retain the following
sl@0:  *    acknowledgment:
sl@0:  *    "This product includes software developed by the OpenSSL Project
sl@0:  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
sl@0:  *
sl@0:  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
sl@0:  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
sl@0:  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
sl@0:  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
sl@0:  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
sl@0:  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
sl@0:  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
sl@0:  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
sl@0:  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
sl@0:  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
sl@0:  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
sl@0:  * OF THE POSSIBILITY OF SUCH DAMAGE.
sl@0:  * ====================================================================
sl@0:  *
sl@0:  * This product includes cryptographic software written by Eric Young
sl@0:  * (eay@cryptsoft.com).  This product includes software written by Tim
sl@0:  * Hudson (tjh@cryptsoft.com).
sl@0:  *
sl@0:  */
sl@0: /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
sl@0:  * All rights reserved.
sl@0:  *
sl@0:  * This package is an SSL implementation written
sl@0:  * by Eric Young (eay@cryptsoft.com).
sl@0:  * The implementation was written so as to conform with Netscapes SSL.
sl@0:  * 
sl@0:  * This library is free for commercial and non-commercial use as long as
sl@0:  * the following conditions are aheared to.  The following conditions
sl@0:  * apply to all code found in this distribution, be it the RC4, RSA,
sl@0:  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
sl@0:  * included with this distribution is covered by the same copyright terms
sl@0:  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
sl@0:  * 
sl@0:  * Copyright remains Eric Young's, and as such any Copyright notices in
sl@0:  * the code are not to be removed.
sl@0:  * If this package is used in a product, Eric Young should be given attribution
sl@0:  * as the author of the parts of the library used.
sl@0:  * This can be in the form of a textual message at program startup or
sl@0:  * in documentation (online or textual) provided with the package.
sl@0:  * 
sl@0:  * Redistribution and use in source and binary forms, with or without
sl@0:  * modification, are permitted provided that the following conditions
sl@0:  * are met:
sl@0:  * 1. Redistributions of source code must retain the copyright
sl@0:  *    notice, this list of conditions and the following disclaimer.
sl@0:  * 2. Redistributions in binary form must reproduce the above copyright
sl@0:  *    notice, this list of conditions and the following disclaimer in the
sl@0:  *    documentation and/or other materials provided with the distribution.
sl@0:  * 3. All advertising materials mentioning features or use of this software
sl@0:  *    must display the following acknowledgement:
sl@0:  *    "This product includes cryptographic software written by
sl@0:  *     Eric Young (eay@cryptsoft.com)"
sl@0:  *    The word 'cryptographic' can be left out if the rouines from the library
sl@0:  *    being used are not cryptographic related :-).
sl@0:  * 4. If you include any Windows specific code (or a derivative thereof) from 
sl@0:  *    the apps directory (application code) you must include an acknowledgement:
sl@0:  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
sl@0:  * 
sl@0:  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
sl@0:  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
sl@0:  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
sl@0:  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
sl@0:  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
sl@0:  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
sl@0:  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
sl@0:  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
sl@0:  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
sl@0:  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
sl@0:  * SUCH DAMAGE.
sl@0:  * 
sl@0:  * The licence and distribution terms for any publically available version or
sl@0:  * derivative of this code cannot be changed.  i.e. this code cannot simply be
sl@0:  * copied and put under another distribution licence
sl@0:  * [including the GNU Public Licence.]
sl@0:  */
sl@0: /*
sl@0:  © Portions copyright (c) 2006 Nokia Corporation.  All rights reserved.
sl@0:  */
sl@0:  
sl@0: #include <stdio.h>
sl@0: #include "ssl_locl.h"
sl@0: #include <openssl/buffer.h>
sl@0: #include <openssl/rand.h>
sl@0: #include <openssl/objects.h>
sl@0: #include <openssl/evp.h>
sl@0: #include <openssl/x509.h>
sl@0: #include <openssl/md5.h>
sl@0: #ifndef OPENSSL_NO_DH
sl@0: #include <openssl/dh.h>
sl@0: #endif
sl@0: 
sl@0: #if (defined(SYMBIAN) && (defined(__WINSCW__) || defined(__WINS__)))
sl@0: #include "libssl_wsd.h"
sl@0: #endif
sl@0: 
sl@0: #ifdef EMULATOR
sl@0: 	
sl@0: 	GET_STATIC_VAR_FROM_TLS(DTLSv1_server_method_data,d1_srvr,SSL_METHOD)
sl@0: 	
sl@0: 	#define DTLSv1_server_method_data (*GET_WSD_VAR_NAME(DTLSv1_server_method_data,d1_srvr,s)())
sl@0: 	
sl@0: #endif
sl@0: 
sl@0: static SSL_METHOD *dtls1_get_server_method(int ver);
sl@0: static int dtls1_send_hello_verify_request(SSL *s);
sl@0: 
sl@0: static SSL_METHOD *dtls1_get_server_method(int ver)
sl@0: 	{
sl@0: 	if (ver == DTLS1_VERSION)
sl@0: 		return(DTLSv1_server_method());
sl@0: 	else
sl@0: 		return(NULL);
sl@0: 	}
sl@0: 
sl@0: EXPORT_C IMPLEMENT_dtls1_meth_func(DTLSv1_server_method,
sl@0: 			dtls1_accept,
sl@0: 			ssl_undefined_function,
sl@0: 			dtls1_get_server_method)
sl@0: 
sl@0: int dtls1_accept(SSL *s)
sl@0: 	{
sl@0: 	BUF_MEM *buf;
sl@0: 	unsigned long l,Time=(unsigned long)time(NULL);
sl@0: 	void (*cb)(const SSL *ssl,int type,int val)=NULL;
sl@0: 	long num1;
sl@0: 	int ret= -1;
sl@0: 	int new_state,state,skip=0;
sl@0: 
sl@0: 	RAND_add(&Time,sizeof(Time),0);
sl@0: 	ERR_clear_error();
sl@0: 	clear_sys_error();
sl@0: 
sl@0: 	if (s->info_callback != NULL)
sl@0: 		cb=s->info_callback;
sl@0: 	else if (s->ctx->info_callback != NULL)
sl@0: 		cb=s->ctx->info_callback;
sl@0: 
sl@0: 	/* init things to blank */
sl@0: 	s->in_handshake++;
sl@0: 	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
sl@0: 
sl@0: 	if (s->cert == NULL)
sl@0: 		{
sl@0: 		SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
sl@0: 		return(-1);
sl@0: 		}
sl@0: 
sl@0: 	for (;;)
sl@0: 		{
sl@0: 		state=s->state;
sl@0: 
sl@0: 		switch (s->state)
sl@0: 			{
sl@0: 		case SSL_ST_RENEGOTIATE:
sl@0: 			s->new_session=1;
sl@0: 			/* s->state=SSL_ST_ACCEPT; */
sl@0: 
sl@0: 		case SSL_ST_BEFORE:
sl@0: 		case SSL_ST_ACCEPT:
sl@0: 		case SSL_ST_BEFORE|SSL_ST_ACCEPT:
sl@0: 		case SSL_ST_OK|SSL_ST_ACCEPT:
sl@0: 
sl@0: 			s->server=1;
sl@0: 			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
sl@0: 
sl@0: 			if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00))
sl@0: 				{
sl@0: 				SSLerr(SSL_F_DTLS1_ACCEPT, ERR_R_INTERNAL_ERROR);
sl@0: 				return -1;
sl@0: 				}
sl@0: 			s->type=SSL_ST_ACCEPT;
sl@0: 
sl@0: 			if (s->init_buf == NULL)
sl@0: 				{
sl@0: 				if ((buf=BUF_MEM_new()) == NULL)
sl@0: 					{
sl@0: 					ret= -1;
sl@0: 					goto end;
sl@0: 					}
sl@0: 				if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
sl@0: 					{
sl@0: 					ret= -1;
sl@0: 					goto end;
sl@0: 					}
sl@0: 				s->init_buf=buf;
sl@0: 				}
sl@0: 
sl@0: 			if (!ssl3_setup_buffers(s))
sl@0: 				{
sl@0: 				ret= -1;
sl@0: 				goto end;
sl@0: 				}
sl@0: 
sl@0: 			s->init_num=0;
sl@0: 
sl@0: 			if (s->state != SSL_ST_RENEGOTIATE)
sl@0: 				{
sl@0: 				/* Ok, we now need to push on a buffering BIO so that
sl@0: 				 * the output is sent in a way that TCP likes :-)
sl@0: 				 */
sl@0: 				if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
sl@0: 
sl@0: 				ssl3_init_finished_mac(s);
sl@0: 				s->state=SSL3_ST_SR_CLNT_HELLO_A;
sl@0: 				s->ctx->stats.sess_accept++;
sl@0: 				}
sl@0: 			else
sl@0: 				{
sl@0: 				/* s->state == SSL_ST_RENEGOTIATE,
sl@0: 				 * we will just send a HelloRequest */
sl@0: 				s->ctx->stats.sess_accept_renegotiate++;
sl@0: 				s->state=SSL3_ST_SW_HELLO_REQ_A;
sl@0: 				}
sl@0: 
sl@0:             if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
sl@0:                 s->d1->send_cookie = 1;
sl@0:             else
sl@0:                 s->d1->send_cookie = 0;
sl@0: 
sl@0: 			break;
sl@0: 
sl@0: 		case SSL3_ST_SW_HELLO_REQ_A:
sl@0: 		case SSL3_ST_SW_HELLO_REQ_B:
sl@0: 
sl@0: 			s->shutdown=0;
sl@0: 			ret=dtls1_send_hello_request(s);
sl@0: 			if (ret <= 0) goto end;
sl@0: 			s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
sl@0: 			s->state=SSL3_ST_SW_FLUSH;
sl@0: 			s->init_num=0;
sl@0: 
sl@0: 			ssl3_init_finished_mac(s);
sl@0: 			break;
sl@0: 
sl@0: 		case SSL3_ST_SW_HELLO_REQ_C:
sl@0: 			s->state=SSL_ST_OK;
sl@0: 			break;
sl@0: 
sl@0: 		case SSL3_ST_SR_CLNT_HELLO_A:
sl@0: 		case SSL3_ST_SR_CLNT_HELLO_B:
sl@0: 		case SSL3_ST_SR_CLNT_HELLO_C:
sl@0: 
sl@0: 			s->shutdown=0;
sl@0: 			ret=ssl3_get_client_hello(s);
sl@0: 			if (ret <= 0) goto end;
sl@0: 			s->new_session = 2;
sl@0: 
sl@0: 			if ( s->d1->send_cookie)
sl@0: 				s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
sl@0: 			else
sl@0: 				s->state = SSL3_ST_SW_SRVR_HELLO_A;
sl@0: 
sl@0: 			s->init_num=0;
sl@0: 			break;
sl@0: 			
sl@0: 		case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
sl@0: 		case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
sl@0: 
sl@0: 			ret = dtls1_send_hello_verify_request(s);
sl@0: 			if ( ret <= 0) goto end;
sl@0: 			s->d1->send_cookie = 0;
sl@0: 			s->state=SSL3_ST_SW_FLUSH;
sl@0: 			s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A;
sl@0: 
sl@0: 			/* HelloVerifyRequests resets Finished MAC */
sl@0: 			if (s->client_version != DTLS1_BAD_VER)
sl@0: 				ssl3_init_finished_mac(s);
sl@0: 			break;
sl@0: 			
sl@0: 		case SSL3_ST_SW_SRVR_HELLO_A:
sl@0: 		case SSL3_ST_SW_SRVR_HELLO_B:
sl@0: 			ret=dtls1_send_server_hello(s);
sl@0: 			if (ret <= 0) goto end;
sl@0: 
sl@0: 			if (s->hit)
sl@0: 				s->state=SSL3_ST_SW_CHANGE_A;
sl@0: 			else
sl@0: 				s->state=SSL3_ST_SW_CERT_A;
sl@0: 			s->init_num=0;
sl@0: 			break;
sl@0: 
sl@0: 		case SSL3_ST_SW_CERT_A:
sl@0: 		case SSL3_ST_SW_CERT_B:
sl@0: 			/* Check if it is anon DH */
sl@0: 			if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
sl@0: 				{
sl@0: 				ret=dtls1_send_server_certificate(s);
sl@0: 				if (ret <= 0) goto end;
sl@0: 				}
sl@0: 			else
sl@0: 				skip=1;
sl@0: 			s->state=SSL3_ST_SW_KEY_EXCH_A;
sl@0: 			s->init_num=0;
sl@0: 			break;
sl@0: 
sl@0: 		case SSL3_ST_SW_KEY_EXCH_A:
sl@0: 		case SSL3_ST_SW_KEY_EXCH_B:
sl@0: 			l=s->s3->tmp.new_cipher->algorithms;
sl@0: 
sl@0: 			/* clear this, it may get reset by
sl@0: 			 * send_server_key_exchange */
sl@0: 			if ((s->options & SSL_OP_EPHEMERAL_RSA)
sl@0: #ifndef OPENSSL_NO_KRB5
sl@0: 				&& !(l & SSL_KRB5)
sl@0: #endif /* OPENSSL_NO_KRB5 */
sl@0: 				)
sl@0: 				/* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
sl@0: 				 * even when forbidden by protocol specs
sl@0: 				 * (handshake may fail as clients are not required to
sl@0: 				 * be able to handle this) */
sl@0: 				s->s3->tmp.use_rsa_tmp=1;
sl@0: 			else
sl@0: 				s->s3->tmp.use_rsa_tmp=0;
sl@0: 
sl@0: 			/* only send if a DH key exchange, fortezza or
sl@0: 			 * RSA but we have a sign only certificate */
sl@0: 			if (s->s3->tmp.use_rsa_tmp
sl@0: 			    || (l & (SSL_DH|SSL_kFZA))
sl@0: 			    || ((l & SSL_kRSA)
sl@0: 				&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
sl@0: 				    || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
sl@0: 					&& EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
sl@0: 					)
sl@0: 				    )
sl@0: 				)
sl@0: 			    )
sl@0: 				{
sl@0: 				ret=dtls1_send_server_key_exchange(s);
sl@0: 				if (ret <= 0) goto end;
sl@0: 				}
sl@0: 			else
sl@0: 				skip=1;
sl@0: 
sl@0: 			s->state=SSL3_ST_SW_CERT_REQ_A;
sl@0: 			s->init_num=0;
sl@0: 			break;
sl@0: 
sl@0: 		case SSL3_ST_SW_CERT_REQ_A:
sl@0: 		case SSL3_ST_SW_CERT_REQ_B:
sl@0: 			if (/* don't request cert unless asked for it: */
sl@0: 				!(s->verify_mode & SSL_VERIFY_PEER) ||
sl@0: 				/* if SSL_VERIFY_CLIENT_ONCE is set,
sl@0: 				 * don't request cert during re-negotiation: */
sl@0: 				((s->session->peer != NULL) &&
sl@0: 				 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
sl@0: 				/* never request cert in anonymous ciphersuites
sl@0: 				 * (see section "Certificate request" in SSL 3 drafts
sl@0: 				 * and in RFC 2246): */
sl@0: 				((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) &&
sl@0: 				 /* ... except when the application insists on verification
sl@0: 				  * (against the specs, but s3_clnt.c accepts this for SSL 3) */
sl@0: 				 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
sl@0:                                  /* never request cert in Kerberos ciphersuites */
sl@0:                                 (s->s3->tmp.new_cipher->algorithms & SSL_aKRB5))
sl@0: 				{
sl@0: 				/* no cert request */
sl@0: 				skip=1;
sl@0: 				s->s3->tmp.cert_request=0;
sl@0: 				s->state=SSL3_ST_SW_SRVR_DONE_A;
sl@0: 				}
sl@0: 			else
sl@0: 				{
sl@0: 				s->s3->tmp.cert_request=1;
sl@0: 				ret=dtls1_send_certificate_request(s);
sl@0: 				if (ret <= 0) goto end;
sl@0: #ifndef NETSCAPE_HANG_BUG
sl@0: 				s->state=SSL3_ST_SW_SRVR_DONE_A;
sl@0: #else
sl@0: 				s->state=SSL3_ST_SW_FLUSH;
sl@0: 				s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
sl@0: #endif
sl@0: 				s->init_num=0;
sl@0: 				}
sl@0: 			break;
sl@0: 
sl@0: 		case SSL3_ST_SW_SRVR_DONE_A:
sl@0: 		case SSL3_ST_SW_SRVR_DONE_B:
sl@0: 			ret=dtls1_send_server_done(s);
sl@0: 			if (ret <= 0) goto end;
sl@0: 			s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
sl@0: 			s->state=SSL3_ST_SW_FLUSH;
sl@0: 			s->init_num=0;
sl@0: 			break;
sl@0: 		
sl@0: 		case SSL3_ST_SW_FLUSH:
sl@0: 			/* number of bytes to be flushed */
sl@0: 			num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
sl@0: 			if (num1 > 0)
sl@0: 				{
sl@0: 				s->rwstate=SSL_WRITING;
sl@0: 				num1=BIO_flush(s->wbio);
sl@0: 				if (num1 <= 0) { ret= -1; goto end; }
sl@0: 				s->rwstate=SSL_NOTHING;
sl@0: 				}
sl@0: 
sl@0: 			s->state=s->s3->tmp.next_state;
sl@0: 			break;
sl@0: 
sl@0: 		case SSL3_ST_SR_CERT_A:
sl@0: 		case SSL3_ST_SR_CERT_B:
sl@0: 			/* Check for second client hello (MS SGC) */
sl@0: 			ret = ssl3_check_client_hello(s);
sl@0: 			if (ret <= 0)
sl@0: 				goto end;
sl@0: 			if (ret == 2)
sl@0: 				s->state = SSL3_ST_SR_CLNT_HELLO_C;
sl@0: 			else {
sl@0: 				/* could be sent for a DH cert, even if we
sl@0: 				 * have not asked for it :-) */
sl@0: 				ret=ssl3_get_client_certificate(s);
sl@0: 				if (ret <= 0) goto end;
sl@0: 				s->init_num=0;
sl@0: 				s->state=SSL3_ST_SR_KEY_EXCH_A;
sl@0: 			}
sl@0: 			break;
sl@0: 
sl@0: 		case SSL3_ST_SR_KEY_EXCH_A:
sl@0: 		case SSL3_ST_SR_KEY_EXCH_B:
sl@0: 			ret=ssl3_get_client_key_exchange(s);
sl@0: 			if (ret <= 0) goto end;
sl@0: 			s->state=SSL3_ST_SR_CERT_VRFY_A;
sl@0: 			s->init_num=0;
sl@0: 
sl@0: 			/* We need to get hashes here so if there is
sl@0: 			 * a client cert, it can be verified */ 
sl@0: 			s->method->ssl3_enc->cert_verify_mac(s,
sl@0: 				&(s->s3->finish_dgst1),
sl@0: 				&(s->s3->tmp.cert_verify_md[0]));
sl@0: 			s->method->ssl3_enc->cert_verify_mac(s,
sl@0: 				&(s->s3->finish_dgst2),
sl@0: 				&(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
sl@0: 
sl@0: 			break;
sl@0: 
sl@0: 		case SSL3_ST_SR_CERT_VRFY_A:
sl@0: 		case SSL3_ST_SR_CERT_VRFY_B:
sl@0: 
sl@0: 			/* we should decide if we expected this one */
sl@0: 			ret=ssl3_get_cert_verify(s);
sl@0: 			if (ret <= 0) goto end;
sl@0: 
sl@0: 			s->state=SSL3_ST_SR_FINISHED_A;
sl@0: 			s->init_num=0;
sl@0: 			break;
sl@0: 
sl@0: 		case SSL3_ST_SR_FINISHED_A:
sl@0: 		case SSL3_ST_SR_FINISHED_B:
sl@0: 			ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
sl@0: 				SSL3_ST_SR_FINISHED_B);
sl@0: 			if (ret <= 0) goto end;
sl@0: 			if (s->hit)
sl@0: 				s->state=SSL_ST_OK;
sl@0: 			else
sl@0: 				s->state=SSL3_ST_SW_CHANGE_A;
sl@0: 			s->init_num=0;
sl@0: 			break;
sl@0: 
sl@0: 		case SSL3_ST_SW_CHANGE_A:
sl@0: 		case SSL3_ST_SW_CHANGE_B:
sl@0: 
sl@0: 			s->session->cipher=s->s3->tmp.new_cipher;
sl@0: 			if (!s->method->ssl3_enc->setup_key_block(s))
sl@0: 				{ ret= -1; goto end; }
sl@0: 
sl@0: 			ret=dtls1_send_change_cipher_spec(s,
sl@0: 				SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B);
sl@0: 
sl@0: 			if (ret <= 0) goto end;
sl@0: 			s->state=SSL3_ST_SW_FINISHED_A;
sl@0: 			s->init_num=0;
sl@0: 
sl@0: 			if (!s->method->ssl3_enc->change_cipher_state(s,
sl@0: 				SSL3_CHANGE_CIPHER_SERVER_WRITE))
sl@0: 				{
sl@0: 				ret= -1;
sl@0: 				goto end;
sl@0: 				}
sl@0: 
sl@0: 			dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
sl@0: 			break;
sl@0: 
sl@0: 		case SSL3_ST_SW_FINISHED_A:
sl@0: 		case SSL3_ST_SW_FINISHED_B:
sl@0: 			ret=dtls1_send_finished(s,
sl@0: 				SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
sl@0: 				s->method->ssl3_enc->server_finished_label,
sl@0: 				s->method->ssl3_enc->server_finished_label_len);
sl@0: 			if (ret <= 0) goto end;
sl@0: 			s->state=SSL3_ST_SW_FLUSH;
sl@0: 			if (s->hit)
sl@0: 				s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
sl@0: 			else
sl@0: 				s->s3->tmp.next_state=SSL_ST_OK;
sl@0: 			s->init_num=0;
sl@0: 			break;
sl@0: 
sl@0: 		case SSL_ST_OK:
sl@0: 			/* clean a few things up */
sl@0: 			ssl3_cleanup_key_block(s);
sl@0: 
sl@0: #if 0
sl@0: 			BUF_MEM_free(s->init_buf);
sl@0: 			s->init_buf=NULL;
sl@0: #endif
sl@0: 
sl@0: 			/* remove buffering on output */
sl@0: 			ssl_free_wbio_buffer(s);
sl@0: 
sl@0: 			s->init_num=0;
sl@0: 
sl@0: 			if (s->new_session == 2) /* skipped if we just sent a HelloRequest */
sl@0: 				{
sl@0: 				/* actually not necessarily a 'new' session unless
sl@0: 				 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
sl@0: 				
sl@0: 				s->new_session=0;
sl@0: 				
sl@0: 				ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
sl@0: 				
sl@0: 				s->ctx->stats.sess_accept_good++;
sl@0: 				/* s->server=1; */
sl@0: 				s->handshake_func=dtls1_accept;
sl@0: 
sl@0: 				if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
sl@0: 				}
sl@0: 			
sl@0: 			ret = 1;
sl@0: 
sl@0: 			/* done handshaking, next message is client hello */
sl@0: 			s->d1->handshake_read_seq = 0;
sl@0: 			/* next message is server hello */
sl@0: 			s->d1->handshake_write_seq = 0;
sl@0: 			goto end;
sl@0: 			/* break; */
sl@0: 
sl@0: 		default:
sl@0: 			SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_UNKNOWN_STATE);
sl@0: 			ret= -1;
sl@0: 			goto end;
sl@0: 			/* break; */
sl@0: 			}
sl@0: 		
sl@0: 		if (!s->s3->tmp.reuse_message && !skip)
sl@0: 			{
sl@0: 			if (s->debug)
sl@0: 				{
sl@0: 				if ((ret=BIO_flush(s->wbio)) <= 0)
sl@0: 					goto end;
sl@0: 				}
sl@0: 
sl@0: 
sl@0: 			if ((cb != NULL) && (s->state != state))
sl@0: 				{
sl@0: 				new_state=s->state;
sl@0: 				s->state=state;
sl@0: 				cb(s,SSL_CB_ACCEPT_LOOP,1);
sl@0: 				s->state=new_state;
sl@0: 				}
sl@0: 			}
sl@0: 		skip=0;
sl@0: 		}
sl@0: end:
sl@0: 	/* BIO_flush(s->wbio); */
sl@0: 
sl@0: 	s->in_handshake--;
sl@0: 	if (cb != NULL)
sl@0: 		cb(s,SSL_CB_ACCEPT_EXIT,ret);
sl@0: 	return(ret);
sl@0: 	}
sl@0: 
sl@0: int dtls1_send_hello_request(SSL *s)
sl@0: 	{
sl@0: 	unsigned char *p;
sl@0: 
sl@0: 	if (s->state == SSL3_ST_SW_HELLO_REQ_A)
sl@0: 		{
sl@0: 		p=(unsigned char *)s->init_buf->data;
sl@0: 		p = dtls1_set_message_header(s, p, SSL3_MT_HELLO_REQUEST, 0, 0, 0);
sl@0: 
sl@0: 		s->state=SSL3_ST_SW_HELLO_REQ_B;
sl@0: 		/* number of bytes to write */
sl@0: 		s->init_num=DTLS1_HM_HEADER_LENGTH;
sl@0: 		s->init_off=0;
sl@0: 
sl@0: 		/* no need to buffer this message, since there are no retransmit 
sl@0: 		 * requests for it */
sl@0: 		}
sl@0: 
sl@0: 	/* SSL3_ST_SW_HELLO_REQ_B */
sl@0: 	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
sl@0: 	}
sl@0: 
sl@0: int dtls1_send_hello_verify_request(SSL *s)
sl@0: 	{
sl@0: 	unsigned int msg_len;
sl@0: 	unsigned char *msg, *buf, *p;
sl@0: 
sl@0: 	if (s->state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A)
sl@0: 		{
sl@0: 		buf = (unsigned char *)s->init_buf->data;
sl@0: 
sl@0: 		msg = p = &(buf[DTLS1_HM_HEADER_LENGTH]);
sl@0: 		if (s->client_version == DTLS1_BAD_VER)
sl@0: 			*(p++) = DTLS1_BAD_VER>>8,
sl@0: 			*(p++) = DTLS1_BAD_VER&0xff;
sl@0: 		else
sl@0: 			*(p++) = s->version >> 8,
sl@0: 			*(p++) = s->version & 0xFF;
sl@0: 
sl@0: 		if (s->ctx->app_gen_cookie_cb != NULL &&
sl@0: 		    s->ctx->app_gen_cookie_cb(s, s->d1->cookie, 
sl@0: 		    &(s->d1->cookie_len)) == 0)
sl@0: 			{
sl@0: 			SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,ERR_R_INTERNAL_ERROR);
sl@0: 			return 0;
sl@0: 			}
sl@0: 		/* else the cookie is assumed to have 
sl@0: 		 * been initialized by the application */
sl@0: 
sl@0: 		*(p++) = (unsigned char) s->d1->cookie_len;
sl@0: 		memcpy(p, s->d1->cookie, s->d1->cookie_len);
sl@0: 		p += s->d1->cookie_len;
sl@0: 		msg_len = p - msg;
sl@0: 
sl@0: 		dtls1_set_message_header(s, buf,
sl@0: 			DTLS1_MT_HELLO_VERIFY_REQUEST, msg_len, 0, msg_len);
sl@0: 
sl@0: 		s->state=DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B;
sl@0: 		/* number of bytes to write */
sl@0: 		s->init_num=p-buf;
sl@0: 		s->init_off=0;
sl@0: 
sl@0: 		/* buffer the message to handle re-xmits */
sl@0: 		dtls1_buffer_message(s, 0);
sl@0: 		}
sl@0: 
sl@0: 	/* s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */
sl@0: 	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
sl@0: 	}
sl@0: 
sl@0: int dtls1_send_server_hello(SSL *s)
sl@0: 	{
sl@0: 	unsigned char *buf;
sl@0: 	unsigned char *p,*d;
sl@0: 	int i;
sl@0: 	unsigned int sl;
sl@0: 	unsigned long l,Time;
sl@0: 
sl@0: 	if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
sl@0: 		{
sl@0: 		buf=(unsigned char *)s->init_buf->data;
sl@0: 		p=s->s3->server_random;
sl@0: 		Time=(unsigned long)time(NULL);			/* Time */
sl@0: 		l2n(Time,p);
sl@0: 		RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
sl@0: 		/* Do the message type and length last */
sl@0: 		d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
sl@0: 
sl@0: 		if (s->client_version == DTLS1_BAD_VER)
sl@0: 			*(p++)=DTLS1_BAD_VER>>8,
sl@0: 			*(p++)=DTLS1_BAD_VER&0xff;
sl@0: 		else
sl@0: 			*(p++)=s->version>>8,
sl@0: 			*(p++)=s->version&0xff;
sl@0: 
sl@0: 		/* Random stuff */
sl@0: 		memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
sl@0: 		p+=SSL3_RANDOM_SIZE;
sl@0: 
sl@0: 		/* now in theory we have 3 options to sending back the
sl@0: 		 * session id.  If it is a re-use, we send back the
sl@0: 		 * old session-id, if it is a new session, we send
sl@0: 		 * back the new session-id or we send back a 0 length
sl@0: 		 * session-id if we want it to be single use.
sl@0: 		 * Currently I will not implement the '0' length session-id
sl@0: 		 * 12-Jan-98 - I'll now support the '0' length stuff.
sl@0: 		 */
sl@0: 		if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER))
sl@0: 			s->session->session_id_length=0;
sl@0: 
sl@0: 		sl=s->session->session_id_length;
sl@0: 		if (sl > sizeof s->session->session_id)
sl@0: 			{
sl@0: 			SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
sl@0: 			return -1;
sl@0: 			}
sl@0: 		*(p++)=sl;
sl@0: 		memcpy(p,s->session->session_id,sl);
sl@0: 		p+=sl;
sl@0: 
sl@0: 		/* put the cipher */
sl@0: 		i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p);
sl@0: 		p+=i;
sl@0: 
sl@0: 		/* put the compression method */
sl@0: #ifdef OPENSSL_NO_COMP
sl@0: 		*(p++)=0;
sl@0: #else
sl@0: 		if (s->s3->tmp.new_compression == NULL)
sl@0: 			*(p++)=0;
sl@0: 		else
sl@0: 			*(p++)=s->s3->tmp.new_compression->id;
sl@0: #endif
sl@0: 
sl@0: 		/* do the header */
sl@0: 		l=(p-d);
sl@0: 		d=buf;
sl@0: 
sl@0: 		d = dtls1_set_message_header(s, d, SSL3_MT_SERVER_HELLO, l, 0, l);
sl@0: 
sl@0: 		s->state=SSL3_ST_CW_CLNT_HELLO_B;
sl@0: 		/* number of bytes to write */
sl@0: 		s->init_num=p-buf;
sl@0: 		s->init_off=0;
sl@0: 
sl@0: 		/* buffer the message to handle re-xmits */
sl@0: 		dtls1_buffer_message(s, 0);
sl@0: 		}
sl@0: 
sl@0: 	/* SSL3_ST_CW_CLNT_HELLO_B */
sl@0: 	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
sl@0: 	}
sl@0: 
sl@0: int dtls1_send_server_done(SSL *s)
sl@0: 	{
sl@0: 	unsigned char *p;
sl@0: 
sl@0: 	if (s->state == SSL3_ST_SW_SRVR_DONE_A)
sl@0: 		{
sl@0: 		p=(unsigned char *)s->init_buf->data;
sl@0: 
sl@0: 		/* do the header */
sl@0: 		p = dtls1_set_message_header(s, p, SSL3_MT_SERVER_DONE, 0, 0, 0);
sl@0: 
sl@0: 		s->state=SSL3_ST_SW_SRVR_DONE_B;
sl@0: 		/* number of bytes to write */
sl@0: 		s->init_num=DTLS1_HM_HEADER_LENGTH;
sl@0: 		s->init_off=0;
sl@0: 
sl@0: 		/* buffer the message to handle re-xmits */
sl@0: 		dtls1_buffer_message(s, 0);
sl@0: 		}
sl@0: 
sl@0: 	/* SSL3_ST_CW_CLNT_HELLO_B */
sl@0: 	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
sl@0: 	}
sl@0: 
sl@0: int dtls1_send_server_key_exchange(SSL *s)
sl@0: 	{
sl@0: #ifndef OPENSSL_NO_RSA
sl@0: 	unsigned char *q;
sl@0: 	int j,num;
sl@0: 	RSA *rsa;
sl@0: 	unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
sl@0: 	unsigned int u;
sl@0: #endif
sl@0: #ifndef OPENSSL_NO_DH
sl@0: 	DH *dh=NULL,*dhp;
sl@0: #endif
sl@0: 	EVP_PKEY *pkey;
sl@0: 	unsigned char *p,*d;
sl@0: 	int al,i;
sl@0: 	unsigned long type;
sl@0: 	int n;
sl@0: 	CERT *cert;
sl@0: 	BIGNUM *r[4];
sl@0: 	int nr[4],kn;
sl@0: 	BUF_MEM *buf;
sl@0: 	EVP_MD_CTX md_ctx;
sl@0: 
sl@0: 	EVP_MD_CTX_init(&md_ctx);
sl@0: 	if (s->state == SSL3_ST_SW_KEY_EXCH_A)
sl@0: 		{
sl@0: 		type=s->s3->tmp.new_cipher->algorithms & SSL_MKEY_MASK;
sl@0: 		cert=s->cert;
sl@0: 
sl@0: 		buf=s->init_buf;
sl@0: 
sl@0: 		r[0]=r[1]=r[2]=r[3]=NULL;
sl@0: 		n=0;
sl@0: #ifndef OPENSSL_NO_RSA
sl@0: 		if (type & SSL_kRSA)
sl@0: 			{
sl@0: 			rsa=cert->rsa_tmp;
sl@0: 			if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL))
sl@0: 				{
sl@0: 				rsa=s->cert->rsa_tmp_cb(s,
sl@0: 				      SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
sl@0: 				      SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
sl@0: 				if(rsa == NULL)
sl@0: 				{
sl@0: 					al=SSL_AD_HANDSHAKE_FAILURE;
sl@0: 					SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
sl@0: 					goto f_err;
sl@0: 				}
sl@0: 				RSA_up_ref(rsa);
sl@0: 				cert->rsa_tmp=rsa;
sl@0: 				}
sl@0: 			if (rsa == NULL)
sl@0: 				{
sl@0: 				al=SSL_AD_HANDSHAKE_FAILURE;
sl@0: 				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY);
sl@0: 				goto f_err;
sl@0: 				}
sl@0: 			r[0]=rsa->n;
sl@0: 			r[1]=rsa->e;
sl@0: 			s->s3->tmp.use_rsa_tmp=1;
sl@0: 			}
sl@0: 		else
sl@0: #endif
sl@0: #ifndef OPENSSL_NO_DH
sl@0: 			if (type & SSL_kEDH)
sl@0: 			{
sl@0: 			dhp=cert->dh_tmp;
sl@0: 			if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
sl@0: 				dhp=s->cert->dh_tmp_cb(s,
sl@0: 				      SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
sl@0: 				      SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
sl@0: 			if (dhp == NULL)
sl@0: 				{
sl@0: 				al=SSL_AD_HANDSHAKE_FAILURE;
sl@0: 				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
sl@0: 				goto f_err;
sl@0: 				}
sl@0: 
sl@0: 			if (s->s3->tmp.dh != NULL)
sl@0: 				{
sl@0: 				DH_free(dh);
sl@0: 				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
sl@0: 				goto err;
sl@0: 				}
sl@0: 
sl@0: 			if ((dh=DHparams_dup(dhp)) == NULL)
sl@0: 				{
sl@0: 				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
sl@0: 				goto err;
sl@0: 				}
sl@0: 
sl@0: 			s->s3->tmp.dh=dh;
sl@0: 			if ((dhp->pub_key == NULL ||
sl@0: 			     dhp->priv_key == NULL ||
sl@0: 			     (s->options & SSL_OP_SINGLE_DH_USE)))
sl@0: 				{
sl@0: 				if(!DH_generate_key(dh))
sl@0: 				    {
sl@0: 				    SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,
sl@0: 					   ERR_R_DH_LIB);
sl@0: 				    goto err;
sl@0: 				    }
sl@0: 				}
sl@0: 			else
sl@0: 				{
sl@0: 				dh->pub_key=BN_dup(dhp->pub_key);
sl@0: 				dh->priv_key=BN_dup(dhp->priv_key);
sl@0: 				if ((dh->pub_key == NULL) ||
sl@0: 					(dh->priv_key == NULL))
sl@0: 					{
sl@0: 					SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
sl@0: 					goto err;
sl@0: 					}
sl@0: 				}
sl@0: 			r[0]=dh->p;
sl@0: 			r[1]=dh->g;
sl@0: 			r[2]=dh->pub_key;
sl@0: 			}
sl@0: 		else 
sl@0: #endif
sl@0: 			{
sl@0: 			al=SSL_AD_HANDSHAKE_FAILURE;
sl@0: 			SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
sl@0: 			goto f_err;
sl@0: 			}
sl@0: 		for (i=0; r[i] != NULL; i++)
sl@0: 			{
sl@0: 			nr[i]=BN_num_bytes(r[i]);
sl@0: 			n+=2+nr[i];
sl@0: 			}
sl@0: 
sl@0: 		if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL))
sl@0: 			{
sl@0: 			if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher))
sl@0: 				== NULL)
sl@0: 				{
sl@0: 				al=SSL_AD_DECODE_ERROR;
sl@0: 				goto f_err;
sl@0: 				}
sl@0: 			kn=EVP_PKEY_size(pkey);
sl@0: 			}
sl@0: 		else
sl@0: 			{
sl@0: 			pkey=NULL;
sl@0: 			kn=0;
sl@0: 			}
sl@0: 
sl@0: 		if (!BUF_MEM_grow_clean(buf,n+DTLS1_HM_HEADER_LENGTH+kn))
sl@0: 			{
sl@0: 			SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
sl@0: 			goto err;
sl@0: 			}
sl@0: 		d=(unsigned char *)s->init_buf->data;
sl@0: 		p= &(d[DTLS1_HM_HEADER_LENGTH]);
sl@0: 
sl@0: 		for (i=0; r[i] != NULL; i++)
sl@0: 			{
sl@0: 			s2n(nr[i],p);
sl@0: 			BN_bn2bin(r[i],p);
sl@0: 			p+=nr[i];
sl@0: 			}
sl@0: 
sl@0: 		/* not anonymous */
sl@0: 		if (pkey != NULL)
sl@0: 			{
sl@0: 			/* n is the length of the params, they start at
sl@0: 			 * &(d[DTLS1_HM_HEADER_LENGTH]) and p points to the space
sl@0: 			 * at the end. */
sl@0: #ifndef OPENSSL_NO_RSA
sl@0: 			if (pkey->type == EVP_PKEY_RSA)
sl@0: 				{
sl@0: 				q=md_buf;
sl@0: 				j=0;
sl@0: 				for (num=2; num > 0; num--)
sl@0: 					{
sl@0: 					EVP_DigestInit_ex(&md_ctx,(num == 2)
sl@0: 						?s->ctx->md5:s->ctx->sha1, NULL);
sl@0: 					EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
sl@0: 					EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
sl@0: 					EVP_DigestUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n);
sl@0: 					EVP_DigestFinal_ex(&md_ctx,q,
sl@0: 						(unsigned int *)&i);
sl@0: 					q+=i;
sl@0: 					j+=i;
sl@0: 					}
sl@0: 				if (RSA_sign(NID_md5_sha1, md_buf, j,
sl@0: 					&(p[2]), &u, pkey->pkey.rsa) <= 0)
sl@0: 					{
sl@0: 					SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
sl@0: 					goto err;
sl@0: 					}
sl@0: 				s2n(u,p);
sl@0: 				n+=u+2;
sl@0: 				}
sl@0: 			else
sl@0: #endif
sl@0: #if !defined(OPENSSL_NO_DSA)
sl@0: 				if (pkey->type == EVP_PKEY_DSA)
sl@0: 				{
sl@0: 				/* lets do DSS */
sl@0: 				EVP_SignInit_ex(&md_ctx,EVP_dss1(), NULL);
sl@0: 				EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
sl@0: 				EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
sl@0: 				EVP_SignUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n);
sl@0: 				if (!EVP_SignFinal(&md_ctx,&(p[2]),
sl@0: 					(unsigned int *)&i,pkey))
sl@0: 					{
sl@0: 					SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA);
sl@0: 					goto err;
sl@0: 					}
sl@0: 				s2n(i,p);
sl@0: 				n+=i+2;
sl@0: 				}
sl@0: 			else
sl@0: #endif
sl@0: 				{
sl@0: 				/* Is this error check actually needed? */
sl@0: 				al=SSL_AD_HANDSHAKE_FAILURE;
sl@0: 				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE);
sl@0: 				goto f_err;
sl@0: 				}
sl@0: 			}
sl@0: 
sl@0: 		d = dtls1_set_message_header(s, d,
sl@0: 			SSL3_MT_SERVER_KEY_EXCHANGE, n, 0, n);
sl@0: 
sl@0: 		/* we should now have things packed up, so lets send
sl@0: 		 * it off */
sl@0: 		s->init_num=n+DTLS1_HM_HEADER_LENGTH;
sl@0: 		s->init_off=0;
sl@0: 
sl@0: 		/* buffer the message to handle re-xmits */
sl@0: 		dtls1_buffer_message(s, 0);
sl@0: 		}
sl@0: 
sl@0: 	s->state = SSL3_ST_SW_KEY_EXCH_B;
sl@0: 	EVP_MD_CTX_cleanup(&md_ctx);
sl@0: 	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
sl@0: f_err:
sl@0: 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
sl@0: err:
sl@0: 	EVP_MD_CTX_cleanup(&md_ctx);
sl@0: 	return(-1);
sl@0: 	}
sl@0: 
sl@0: int dtls1_send_certificate_request(SSL *s)
sl@0: 	{
sl@0: 	unsigned char *p,*d;
sl@0: 	int i,j,nl,off,n;
sl@0: 	STACK_OF(X509_NAME) *sk=NULL;
sl@0: 	X509_NAME *name;
sl@0: 	BUF_MEM *buf;
sl@0: 	unsigned int msg_len;
sl@0: 
sl@0: 	if (s->state == SSL3_ST_SW_CERT_REQ_A)
sl@0: 		{
sl@0: 		buf=s->init_buf;
sl@0: 
sl@0: 		d=p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH]);
sl@0: 
sl@0: 		/* get the list of acceptable cert types */
sl@0: 		p++;
sl@0: 		n=ssl3_get_req_cert_type(s,p);
sl@0: 		d[0]=n;
sl@0: 		p+=n;
sl@0: 		n++;
sl@0: 
sl@0: 		off=n;
sl@0: 		p+=2;
sl@0: 		n+=2;
sl@0: 
sl@0: 		sk=SSL_get_client_CA_list(s);
sl@0: 		nl=0;
sl@0: 		if (sk != NULL)
sl@0: 			{
sl@0: 			for (i=0; i<sk_X509_NAME_num(sk); i++)
sl@0: 				{
sl@0: 				name=sk_X509_NAME_value(sk,i);
sl@0: 				j=i2d_X509_NAME(name,NULL);
sl@0: 				if (!BUF_MEM_grow_clean(buf,DTLS1_HM_HEADER_LENGTH+n+j+2))
sl@0: 					{
sl@0: 					SSLerr(SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
sl@0: 					goto err;
sl@0: 					}
sl@0: 				p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH+n]);
sl@0: 				if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
sl@0: 					{
sl@0: 					s2n(j,p);
sl@0: 					i2d_X509_NAME(name,&p);
sl@0: 					n+=2+j;
sl@0: 					nl+=2+j;
sl@0: 					}
sl@0: 				else
sl@0: 					{
sl@0: 					d=p;
sl@0: 					i2d_X509_NAME(name,&p);
sl@0: 					j-=2; s2n(j,d); j+=2;
sl@0: 					n+=j;
sl@0: 					nl+=j;
sl@0: 					}
sl@0: 				}
sl@0: 			}
sl@0: 		/* else no CA names */
sl@0: 		p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH+off]);
sl@0: 		s2n(nl,p);
sl@0: 
sl@0: 		d=(unsigned char *)buf->data;
sl@0: 		*(d++)=SSL3_MT_CERTIFICATE_REQUEST;
sl@0: 		l2n3(n,d);
sl@0: 		s2n(s->d1->handshake_write_seq,d);
sl@0: 		s->d1->handshake_write_seq++;
sl@0: 
sl@0: 		/* we should now have things packed up, so lets send
sl@0: 		 * it off */
sl@0: 
sl@0: 		s->init_num=n+DTLS1_HM_HEADER_LENGTH;
sl@0: 		s->init_off=0;
sl@0: #ifdef NETSCAPE_HANG_BUG
sl@0: /* XXX: what to do about this? */
sl@0: 		p=(unsigned char *)s->init_buf->data + s->init_num;
sl@0: 
sl@0: 		/* do the header */
sl@0: 		*(p++)=SSL3_MT_SERVER_DONE;
sl@0: 		*(p++)=0;
sl@0: 		*(p++)=0;
sl@0: 		*(p++)=0;
sl@0: 		s->init_num += 4;
sl@0: #endif
sl@0: 
sl@0: 		/* XDTLS:  set message header ? */
sl@0: 		msg_len = s->init_num - DTLS1_HM_HEADER_LENGTH;
sl@0: 		dtls1_set_message_header(s, (void *)s->init_buf->data,
sl@0: 			SSL3_MT_CERTIFICATE_REQUEST, msg_len, 0, msg_len);
sl@0: 
sl@0: 		/* buffer the message to handle re-xmits */
sl@0: 		dtls1_buffer_message(s, 0);
sl@0: 
sl@0: 		s->state = SSL3_ST_SW_CERT_REQ_B;
sl@0: 		}
sl@0: 
sl@0: 	/* SSL3_ST_SW_CERT_REQ_B */
sl@0: 	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
sl@0: err:
sl@0: 	return(-1);
sl@0: 	}
sl@0: 
sl@0: int dtls1_send_server_certificate(SSL *s)
sl@0: 	{
sl@0: 	unsigned long l;
sl@0: 	X509 *x;
sl@0: 
sl@0: 	if (s->state == SSL3_ST_SW_CERT_A)
sl@0: 		{
sl@0: 		x=ssl_get_server_send_cert(s);
sl@0: 		if (x == NULL &&
sl@0:                         /* VRS: allow null cert if auth == KRB5 */
sl@0:                         (s->s3->tmp.new_cipher->algorithms
sl@0:                                 & (SSL_MKEY_MASK|SSL_AUTH_MASK))
sl@0:                         != (SSL_aKRB5|SSL_kKRB5))
sl@0: 			{
sl@0: 			SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
sl@0: 			return(0);
sl@0: 			}
sl@0: 
sl@0: 		l=dtls1_output_cert_chain(s,x);
sl@0: 		s->state=SSL3_ST_SW_CERT_B;
sl@0: 		s->init_num=(int)l;
sl@0: 		s->init_off=0;
sl@0: 
sl@0: 		/* buffer the message to handle re-xmits */
sl@0: 		dtls1_buffer_message(s, 0);
sl@0: 		}
sl@0: 
sl@0: 	/* SSL3_ST_SW_CERT_B */
sl@0: 	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
sl@0: 	}