summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorjsing <>2017-10-12 15:52:50 +0000
committerjsing <>2017-10-12 15:52:50 +0000
commit6492e6ac4af9a012fb3257450b5bb92e7a5b4554 (patch)
tree1093c3d22332b5684b872848e862f8389752b31e
parent791837ff802d1b53615622a89e9ac0b79a61eb27 (diff)
downloadopenbsd-6492e6ac4af9a012fb3257450b5bb92e7a5b4554.tar.gz
openbsd-6492e6ac4af9a012fb3257450b5bb92e7a5b4554.tar.bz2
openbsd-6492e6ac4af9a012fb3257450b5bb92e7a5b4554.zip
Fold dtls1_accept() into ssl_accept(), removing a lot of duplicated code.
With review/feedback from inoguchi@
Diffstat
-rw-r--r--src/lib/libssl/d1_meth.c4
-rw-r--r--src/lib/libssl/d1_srvr.c538
-rw-r--r--src/lib/libssl/ssl_locl.h4
-rw-r--r--src/lib/libssl/ssl_srvr.c153
4 files changed, 143 insertions, 556 deletions
diff --git a/src/lib/libssl/d1_meth.c b/src/lib/libssl/d1_meth.c
index e513c4a9be..9ecca0027c 100644
--- a/src/lib/libssl/d1_meth.c
+++ b/src/lib/libssl/d1_meth.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_meth.c,v 1.14 2017/10/10 15:13:26 jsing Exp $ */ 1/* $OpenBSD: d1_meth.c,v 1.15 2017/10/12 15:52:50 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -72,7 +72,7 @@ static const SSL_METHOD_INTERNAL DTLSv1_method_internal_data = {
72 .ssl_new = dtls1_new, 72 .ssl_new = dtls1_new,
73 .ssl_clear = dtls1_clear, 73 .ssl_clear = dtls1_clear,
74 .ssl_free = dtls1_free, 74 .ssl_free = dtls1_free,
75 .ssl_accept = dtls1_accept, 75 .ssl_accept = ssl3_accept,
76 .ssl_connect = ssl3_connect, 76 .ssl_connect = ssl3_connect,
77 .ssl_read = ssl3_read, 77 .ssl_read = ssl3_read,
78 .ssl_peek = ssl3_peek, 78 .ssl_peek = ssl3_peek,
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index 05c92be46c..57b8ea0e24 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_srvr.c,v 1.90 2017/10/08 16:56:51 jsing Exp $ */ 1/* $OpenBSD: d1_srvr.c,v 1.91 2017/10/12 15:52:50 jsing Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -125,8 +125,6 @@
125#include <openssl/objects.h> 125#include <openssl/objects.h>
126#include <openssl/x509.h> 126#include <openssl/x509.h>
127 127
128static int dtls1_send_hello_verify_request(SSL *s);
129
130static const SSL_METHOD_INTERNAL DTLSv1_server_method_internal_data = { 128static const SSL_METHOD_INTERNAL DTLSv1_server_method_internal_data = {
131 .version = DTLS1_VERSION, 129 .version = DTLS1_VERSION,
132 .min_version = DTLS1_VERSION, 130 .min_version = DTLS1_VERSION,
@@ -134,7 +132,7 @@ static const SSL_METHOD_INTERNAL DTLSv1_server_method_internal_data = {
134 .ssl_new = dtls1_new, 132 .ssl_new = dtls1_new,
135 .ssl_clear = dtls1_clear, 133 .ssl_clear = dtls1_clear,
136 .ssl_free = dtls1_free, 134 .ssl_free = dtls1_free,
137 .ssl_accept = dtls1_accept, 135 .ssl_accept = ssl3_accept,
138 .ssl_connect = ssl_undefined_function, 136 .ssl_connect = ssl_undefined_function,
139 .ssl_read = ssl3_read, 137 .ssl_read = ssl3_read,
140 .ssl_peek = ssl3_peek, 138 .ssl_peek = ssl3_peek,
@@ -176,538 +174,6 @@ dtls1_get_server_method(int ver)
176} 174}
177 175
178int 176int
179dtls1_accept(SSL *s)
180{
181 void (*cb)(const SSL *ssl, int type, int val) = NULL;
182 unsigned long alg_k;
183 int ret = -1;
184 int new_state, state, skip = 0;
185 int listen;
186
187 ERR_clear_error();
188 errno = 0;
189
190 if (s->internal->info_callback != NULL)
191 cb = s->internal->info_callback;
192 else if (s->ctx->internal->info_callback != NULL)
193 cb = s->ctx->internal->info_callback;
194
195 listen = D1I(s)->listen;
196
197 /* init things to blank */
198 s->internal->in_handshake++;
199 if (!SSL_in_init(s) || SSL_in_before(s))
200 SSL_clear(s);
201
202 D1I(s)->listen = listen;
203
204 if (s->cert == NULL) {
205 SSLerror(s, SSL_R_NO_CERTIFICATE_SET);
206 ret = -1;
207 goto end;
208 }
209
210 for (;;) {
211 state = S3I(s)->hs.state;
212
213 switch (S3I(s)->hs.state) {
214 case SSL_ST_RENEGOTIATE:
215 s->internal->renegotiate = 1;
216 /* S3I(s)->hs.state=SSL_ST_ACCEPT; */
217
218 case SSL_ST_BEFORE:
219 case SSL_ST_ACCEPT:
220 case SSL_ST_BEFORE|SSL_ST_ACCEPT:
221 case SSL_ST_OK|SSL_ST_ACCEPT:
222 s->server = 1;
223 if (cb != NULL)
224 cb(s, SSL_CB_HANDSHAKE_START, 1);
225
226 if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) {
227 SSLerror(s, ERR_R_INTERNAL_ERROR);
228 ret = -1;
229 goto end;
230 }
231 s->internal->type = SSL_ST_ACCEPT;
232
233 if (!ssl3_setup_init_buffer(s)) {
234 ret = -1;
235 goto end;
236 }
237 if (!ssl3_setup_buffers(s)) {
238 ret = -1;
239 goto end;
240 }
241
242 s->internal->init_num = 0;
243
244 if (S3I(s)->hs.state != SSL_ST_RENEGOTIATE) {
245 /*
246 * Ok, we now need to push on a buffering BIO
247 * so that the output is sent in a way that
248 * TCP likes :-)
249 * ...but not with SCTP :-)
250 */
251 if (!ssl_init_wbio_buffer(s, 1)) {
252 ret = -1;
253 goto end;
254 }
255 if (!tls1_init_finished_mac(s)) {
256 ret = -1;
257 goto end;
258 }
259
260 S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A;
261 s->ctx->internal->stats.sess_accept++;
262 } else {
263 /*
264 * S3I(s)->hs.state == SSL_ST_RENEGOTIATE,
265 * we will just send a HelloRequest.
266 */
267 s->ctx->internal->stats.sess_accept_renegotiate++;
268 S3I(s)->hs.state = SSL3_ST_SW_HELLO_REQ_A;
269 }
270 break;
271
272 case SSL3_ST_SW_HELLO_REQ_A:
273 case SSL3_ST_SW_HELLO_REQ_B:
274 s->internal->shutdown = 0;
275 dtls1_clear_record_buffer(s);
276 dtls1_start_timer(s);
277 ret = ssl3_send_hello_request(s);
278 if (ret <= 0)
279 goto end;
280 S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A;
281 S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
282 s->internal->init_num = 0;
283
284 if (!tls1_init_finished_mac(s)) {
285 ret = -1;
286 goto end;
287 }
288 break;
289
290 case SSL3_ST_SW_HELLO_REQ_C:
291 S3I(s)->hs.state = SSL_ST_OK;
292 break;
293
294 case SSL3_ST_SR_CLNT_HELLO_A:
295 case SSL3_ST_SR_CLNT_HELLO_B:
296 case SSL3_ST_SR_CLNT_HELLO_C:
297 s->internal->shutdown = 0;
298 ret = ssl3_get_client_hello(s);
299 if (ret <= 0)
300 goto end;
301 dtls1_stop_timer(s);
302
303 if (ret == 1 && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
304 S3I(s)->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
305 else
306 S3I(s)->hs.state = SSL3_ST_SW_SRVR_HELLO_A;
307
308 s->internal->init_num = 0;
309
310 /* Reflect ClientHello sequence to remain stateless while listening */
311 if (listen) {
312 memcpy(S3I(s)->write_sequence, S3I(s)->read_sequence, sizeof(S3I(s)->write_sequence));
313 }
314
315 /* If we're just listening, stop here */
316 if (listen && S3I(s)->hs.state == SSL3_ST_SW_SRVR_HELLO_A) {
317 ret = 2;
318 D1I(s)->listen = 0;
319 /* Set expected sequence numbers
320 * to continue the handshake.
321 */
322 D1I(s)->handshake_read_seq = 2;
323 D1I(s)->handshake_write_seq = 1;
324 D1I(s)->next_handshake_write_seq = 1;
325 goto end;
326 }
327
328 break;
329
330 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
331 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
332 ret = dtls1_send_hello_verify_request(s);
333 if (ret <= 0)
334 goto end;
335 S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
336 S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A;
337
338 /* HelloVerifyRequest resets Finished MAC */
339 if (!tls1_init_finished_mac(s)) {
340 ret = -1;
341 goto end;
342 }
343 break;
344
345 case SSL3_ST_SW_SRVR_HELLO_A:
346 case SSL3_ST_SW_SRVR_HELLO_B:
347 s->internal->renegotiate = 2;
348 dtls1_start_timer(s);
349 ret = ssl3_send_server_hello(s);
350 if (ret <= 0)
351 goto end;
352 if (s->internal->hit) {
353 if (s->internal->tlsext_ticket_expected)
354 S3I(s)->hs.state = SSL3_ST_SW_SESSION_TICKET_A;
355 else
356 S3I(s)->hs.state = SSL3_ST_SW_CHANGE_A;
357 } else {
358 S3I(s)->hs.state = SSL3_ST_SW_CERT_A;
359 }
360 s->internal->init_num = 0;
361 break;
362
363 case SSL3_ST_SW_CERT_A:
364 case SSL3_ST_SW_CERT_B:
365 /* Check if it is anon DH or anon ECDH. */
366 if (!(S3I(s)->hs.new_cipher->algorithm_auth &
367 SSL_aNULL)) {
368 dtls1_start_timer(s);
369 ret = ssl3_send_server_certificate(s);
370 if (ret <= 0)
371 goto end;
372 if (s->internal->tlsext_status_expected)
373 S3I(s)->hs.state = SSL3_ST_SW_CERT_STATUS_A;
374 else
375 S3I(s)->hs.state = SSL3_ST_SW_KEY_EXCH_A;
376 } else {
377 skip = 1;
378 S3I(s)->hs.state = SSL3_ST_SW_KEY_EXCH_A;
379 }
380 s->internal->init_num = 0;
381 break;
382
383 case SSL3_ST_SW_KEY_EXCH_A:
384 case SSL3_ST_SW_KEY_EXCH_B:
385 alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
386
387 /*
388 * Only send if using a DH key exchange.
389 *
390 * For ECC ciphersuites, we send a ServerKeyExchange
391 * message only if the cipher suite is ECDHE. In other
392 * cases, the server certificate contains the server's
393 * public key for key exchange.
394 */
395 if (alg_k & (SSL_kDHE|SSL_kECDHE)) {
396 dtls1_start_timer(s);
397 ret = ssl3_send_server_key_exchange(s);
398 if (ret <= 0)
399 goto end;
400 } else
401 skip = 1;
402
403 S3I(s)->hs.state = SSL3_ST_SW_CERT_REQ_A;
404 s->internal->init_num = 0;
405 break;
406
407 case SSL3_ST_SW_CERT_REQ_A:
408 case SSL3_ST_SW_CERT_REQ_B:
409 /*
410 * Determine whether or not we need to request a
411 * certificate.
412 *
413 * Do not request a certificate if:
414 *
415 * - We did not ask for it (SSL_VERIFY_PEER is unset).
416 *
417 * - SSL_VERIFY_CLIENT_ONCE is set and we are
418 * renegotiating.
419 *
420 * - We are using an anonymous ciphersuites
421 * (see section "Certificate request" in SSL 3 drafts
422 * and in RFC 2246) ... except when the application
423 * insists on verification (against the specs, but
424 * s3_clnt.c accepts this for SSL 3).
425 */
426 if (!(s->verify_mode & SSL_VERIFY_PEER) ||
427 ((s->session->peer != NULL) &&
428 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
429 ((S3I(s)->hs.new_cipher->algorithm_auth &
430 SSL_aNULL) && !(s->verify_mode &
431 SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
432 /* No cert request. */
433 skip = 1;
434 S3I(s)->tmp.cert_request = 0;
435 S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A;
436 } else {
437 S3I(s)->tmp.cert_request = 1;
438 dtls1_start_timer(s);
439 ret = ssl3_send_certificate_request(s);
440 if (ret <= 0)
441 goto end;
442 S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A;
443 s->internal->init_num = 0;
444 }
445 break;
446
447 case SSL3_ST_SW_SRVR_DONE_A:
448 case SSL3_ST_SW_SRVR_DONE_B:
449 dtls1_start_timer(s);
450 ret = ssl3_send_server_done(s);
451 if (ret <= 0)
452 goto end;
453 S3I(s)->hs.next_state = SSL3_ST_SR_CERT_A;
454 S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
455 s->internal->init_num = 0;
456 break;
457
458 case SSL3_ST_SW_FLUSH:
459 /*
460 * This code originally checked to see if
461 * any data was pending using BIO_CTRL_INFO
462 * and then flushed. This caused problems
463 * as documented in PR#1939. The proposed
464 * fix doesn't completely resolve this issue
465 * as buggy implementations of BIO_CTRL_PENDING
466 * still exist. So instead we just flush
467 * unconditionally.
468 */
469 s->internal->rwstate = SSL_WRITING;
470 if (BIO_flush(s->wbio) <= 0) {
471 /* If the write error was fatal, stop trying */
472 if (!BIO_should_retry(s->wbio)) {
473 s->internal->rwstate = SSL_NOTHING;
474 S3I(s)->hs.state = S3I(s)->hs.next_state;
475 }
476
477 ret = -1;
478 goto end;
479 }
480 s->internal->rwstate = SSL_NOTHING;
481 S3I(s)->hs.state = S3I(s)->hs.next_state;
482 break;
483
484 case SSL3_ST_SR_CERT_A:
485 case SSL3_ST_SR_CERT_B:
486 if (S3I(s)->tmp.cert_request) {
487 ret = ssl3_get_client_certificate(s);
488 if (ret <= 0)
489 goto end;
490 }
491 s->internal->init_num = 0;
492 S3I(s)->hs.state = SSL3_ST_SR_KEY_EXCH_A;
493 break;
494
495 case SSL3_ST_SR_KEY_EXCH_A:
496 case SSL3_ST_SR_KEY_EXCH_B:
497 ret = ssl3_get_client_key_exchange(s);
498 if (ret <= 0)
499 goto end;
500
501 S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A;
502 s->internal->init_num = 0;
503
504 if (ret == 2) {
505 /*
506 * For the ECDH ciphersuites when
507 * the client sends its ECDH pub key in
508 * a certificate, the CertificateVerify
509 * message is not sent.
510 * Also for GOST ciphersuites when
511 * the client uses its key from the certificate
512 * for key exchange.
513 */
514 S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A;
515 s->internal->init_num = 0;
516 } else if (SSL_USE_SIGALGS(s)) {
517 S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A;
518 s->internal->init_num = 0;
519 if (!s->session->peer)
520 break;
521 /*
522 * For sigalgs freeze the handshake buffer
523 * at this point and digest cached records.
524 */
525 if (!S3I(s)->handshake_buffer) {
526 SSLerror(s, ERR_R_INTERNAL_ERROR);
527 ret = -1;
528 goto end;
529 }
530 s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
531 if (!tls1_digest_cached_records(s)) {
532 ret = -1;
533 goto end;
534 }
535 } else {
536 S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A;
537 s->internal->init_num = 0;
538
539 /*
540 * We need to get hashes here so if there is
541 * a client cert, it can be verified.
542 */
543 if (S3I(s)->handshake_buffer) {
544 if (!tls1_digest_cached_records(s)) {
545 ret = -1;
546 goto end;
547 }
548 }
549 if (!tls1_handshake_hash_value(s,
550 S3I(s)->tmp.cert_verify_md,
551 sizeof(S3I(s)->tmp.cert_verify_md),
552 NULL)) {
553 ret = -1;
554 goto end;
555 }
556 }
557 break;
558
559 case SSL3_ST_SR_CERT_VRFY_A:
560 case SSL3_ST_SR_CERT_VRFY_B:
561 D1I(s)->change_cipher_spec_ok = 1;
562 /* we should decide if we expected this one */
563 ret = ssl3_get_cert_verify(s);
564 if (ret <= 0)
565 goto end;
566 S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A;
567 s->internal->init_num = 0;
568 break;
569
570 case SSL3_ST_SR_FINISHED_A:
571 case SSL3_ST_SR_FINISHED_B:
572 D1I(s)->change_cipher_spec_ok = 1;
573 ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A,
574 SSL3_ST_SR_FINISHED_B);
575 if (ret <= 0)
576 goto end;
577 dtls1_stop_timer(s);
578 if (s->internal->hit)
579 S3I(s)->hs.state = SSL_ST_OK;
580 else if (s->internal->tlsext_ticket_expected)
581 S3I(s)->hs.state = SSL3_ST_SW_SESSION_TICKET_A;
582 else
583 S3I(s)->hs.state = SSL3_ST_SW_CHANGE_A;
584 s->internal->init_num = 0;
585 break;
586
587 case SSL3_ST_SW_SESSION_TICKET_A:
588 case SSL3_ST_SW_SESSION_TICKET_B:
589 ret = ssl3_send_newsession_ticket(s);
590 if (ret <= 0)
591 goto end;
592 S3I(s)->hs.state = SSL3_ST_SW_CHANGE_A;
593 s->internal->init_num = 0;
594 break;
595
596 case SSL3_ST_SW_CERT_STATUS_A:
597 case SSL3_ST_SW_CERT_STATUS_B:
598 ret = ssl3_send_cert_status(s);
599 if (ret <= 0)
600 goto end;
601 S3I(s)->hs.state = SSL3_ST_SW_KEY_EXCH_A;
602 s->internal->init_num = 0;
603 break;
604
605 case SSL3_ST_SW_CHANGE_A:
606 case SSL3_ST_SW_CHANGE_B:
607 s->session->cipher = S3I(s)->hs.new_cipher;
608 if (!tls1_setup_key_block(s)) {
609 ret = -1;
610 goto end;
611 }
612
613 ret = ssl3_send_change_cipher_spec(s,
614 SSL3_ST_SW_CHANGE_A, SSL3_ST_SW_CHANGE_B);
615 if (ret <= 0)
616 goto end;
617 S3I(s)->hs.state = SSL3_ST_SW_FINISHED_A;
618 s->internal->init_num = 0;
619
620 if (!tls1_change_cipher_state(s,
621 SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
622 ret = -1;
623 goto end;
624 }
625
626 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
627 break;
628
629 case SSL3_ST_SW_FINISHED_A:
630 case SSL3_ST_SW_FINISHED_B:
631 ret = ssl3_send_finished(s,
632 SSL3_ST_SW_FINISHED_A, SSL3_ST_SW_FINISHED_B,
633 TLS_MD_SERVER_FINISH_CONST,
634 TLS_MD_SERVER_FINISH_CONST_SIZE);
635 if (ret <= 0)
636 goto end;
637 S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
638 if (s->internal->hit)
639 S3I(s)->hs.next_state = SSL3_ST_SR_FINISHED_A;
640 else
641 S3I(s)->hs.next_state = SSL_ST_OK;
642 s->internal->init_num = 0;
643 break;
644
645 case SSL_ST_OK:
646 /* clean a few things up */
647 tls1_cleanup_key_block(s);
648
649 /* remove buffering on output */
650 ssl_free_wbio_buffer(s);
651
652 s->internal->init_num = 0;
653
654 /* Skipped if we just sent a HelloRequest. */
655 if (s->internal->renegotiate == 2) {
656 s->internal->renegotiate = 0;
657 s->internal->new_session = 0;
658
659 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
660
661 s->ctx->internal->stats.sess_accept_good++;
662 /* s->server=1; */
663 s->internal->handshake_func = dtls1_accept;
664
665 if (cb != NULL)
666 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
667 }
668
669 ret = 1;
670
671 /* done handshaking, next message is client hello */
672 D1I(s)->handshake_read_seq = 0;
673 /* next message is server hello */
674 D1I(s)->handshake_write_seq = 0;
675 D1I(s)->next_handshake_write_seq = 0;
676 goto end;
677 /* break; */
678
679 default:
680 SSLerror(s, SSL_R_UNKNOWN_STATE);
681 ret = -1;
682 goto end;
683 /* break; */
684 }
685
686 if (!S3I(s)->tmp.reuse_message && !skip) {
687 if (s->internal->debug) {
688 if ((ret = BIO_flush(s->wbio)) <= 0)
689 goto end;
690 }
691
692 if ((cb != NULL) && (S3I(s)->hs.state != state)) {
693 new_state = S3I(s)->hs.state;
694 S3I(s)->hs.state = state;
695 cb(s, SSL_CB_ACCEPT_LOOP, 1);
696 S3I(s)->hs.state = new_state;
697 }
698 }
699 skip = 0;
700 }
701end:
702 /* BIO_flush(s->wbio); */
703 s->internal->in_handshake--;
704 if (cb != NULL)
705 cb(s, SSL_CB_ACCEPT_EXIT, ret);
706
707 return (ret);
708}
709
710int
711dtls1_send_hello_verify_request(SSL *s) 177dtls1_send_hello_verify_request(SSL *s)
712{ 178{
713 CBB cbb, verify, cookie; 179 CBB cbb, verify, cookie;
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 5e3872ba49..044822c32c 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.199 2017/10/12 15:44:18 jsing Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.200 2017/10/12 15:52:50 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1209,6 +1209,7 @@ int ssl3_check_cert_and_algorithm(SSL *s);
1209int ssl3_check_finished(SSL *s); 1209int ssl3_check_finished(SSL *s);
1210 1210
1211/* some server-only functions */ 1211/* some server-only functions */
1212int dtls1_send_hello_verify_request(SSL *s);
1212int ssl3_get_client_hello(SSL *s); 1213int ssl3_get_client_hello(SSL *s);
1213int ssl3_send_server_hello(SSL *s); 1214int ssl3_send_server_hello(SSL *s);
1214int ssl3_send_hello_request(SSL *s); 1215int ssl3_send_hello_request(SSL *s);
@@ -1224,7 +1225,6 @@ void tls1_free(SSL *s);
1224void tls1_clear(SSL *s); 1225void tls1_clear(SSL *s);
1225 1226
1226int dtls1_new(SSL *s); 1227int dtls1_new(SSL *s);
1227int dtls1_accept(SSL *s);
1228void dtls1_free(SSL *s); 1228void dtls1_free(SSL *s);
1229void dtls1_clear(SSL *s); 1229void dtls1_clear(SSL *s);
1230long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg); 1230long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg);
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 5e10fa01f4..5d741cdc81 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_srvr.c,v 1.25 2017/10/11 16:51:39 jsing Exp $ */ 1/* $OpenBSD: ssl_srvr.c,v 1.26 2017/10/12 15:52:50 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -175,6 +175,7 @@ ssl3_accept(SSL *s)
175 unsigned long alg_k; 175 unsigned long alg_k;
176 int ret = -1; 176 int ret = -1;
177 int new_state, state, skip = 0; 177 int new_state, state, skip = 0;
178 int listen;
178 179
179 ERR_clear_error(); 180 ERR_clear_error();
180 errno = 0; 181 errno = 0;
@@ -184,11 +185,17 @@ ssl3_accept(SSL *s)
184 else if (s->ctx->internal->info_callback != NULL) 185 else if (s->ctx->internal->info_callback != NULL)
185 cb = s->ctx->internal->info_callback; 186 cb = s->ctx->internal->info_callback;
186 187
188 if (SSL_IS_DTLS(s))
189 listen = D1I(s)->listen;
190
187 /* init things to blank */ 191 /* init things to blank */
188 s->internal->in_handshake++; 192 s->internal->in_handshake++;
189 if (!SSL_in_init(s) || SSL_in_before(s)) 193 if (!SSL_in_init(s) || SSL_in_before(s))
190 SSL_clear(s); 194 SSL_clear(s);
191 195
196 if (SSL_IS_DTLS(s))
197 D1I(s)->listen = listen;
198
192 if (s->cert == NULL) { 199 if (s->cert == NULL) {
193 SSLerror(s, SSL_R_NO_CERTIFICATE_SET); 200 SSLerror(s, SSL_R_NO_CERTIFICATE_SET);
194 ret = -1; 201 ret = -1;
@@ -211,10 +218,18 @@ ssl3_accept(SSL *s)
211 if (cb != NULL) 218 if (cb != NULL)
212 cb(s, SSL_CB_HANDSHAKE_START, 1); 219 cb(s, SSL_CB_HANDSHAKE_START, 1);
213 220
214 if ((s->version >> 8) != 3) { 221 if (SSL_IS_DTLS(s)) {
215 SSLerror(s, ERR_R_INTERNAL_ERROR); 222 if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) {
216 ret = -1; 223 SSLerror(s, ERR_R_INTERNAL_ERROR);
217 goto end; 224 ret = -1;
225 goto end;
226 }
227 } else {
228 if ((s->version >> 8) != 3) {
229 SSLerror(s, ERR_R_INTERNAL_ERROR);
230 ret = -1;
231 goto end;
232 }
218 } 233 }
219 s->internal->type = SSL_ST_ACCEPT; 234 s->internal->type = SSL_ST_ACCEPT;
220 235
@@ -246,7 +261,7 @@ ssl3_accept(SSL *s)
246 261
247 S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A; 262 S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A;
248 s->ctx->internal->stats.sess_accept++; 263 s->ctx->internal->stats.sess_accept++;
249 } else if (!S3I(s)->send_connection_binding) { 264 } else if (!SSL_IS_DTLS(s) && !S3I(s)->send_connection_binding) {
250 /* 265 /*
251 * Server attempting to renegotiate with 266 * Server attempting to renegotiate with
252 * client that doesn't support secure 267 * client that doesn't support secure
@@ -270,10 +285,17 @@ ssl3_accept(SSL *s)
270 case SSL3_ST_SW_HELLO_REQ_A: 285 case SSL3_ST_SW_HELLO_REQ_A:
271 case SSL3_ST_SW_HELLO_REQ_B: 286 case SSL3_ST_SW_HELLO_REQ_B:
272 s->internal->shutdown = 0; 287 s->internal->shutdown = 0;
288 if (SSL_IS_DTLS(s)) {
289 dtls1_clear_record_buffer(s);
290 dtls1_start_timer(s);
291 }
273 ret = ssl3_send_hello_request(s); 292 ret = ssl3_send_hello_request(s);
274 if (ret <= 0) 293 if (ret <= 0)
275 goto end; 294 goto end;
276 S3I(s)->hs.next_state = SSL3_ST_SW_HELLO_REQ_C; 295 if (SSL_IS_DTLS(s))
296 S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A;
297 else
298 S3I(s)->hs.next_state = SSL3_ST_SW_HELLO_REQ_C;
277 S3I(s)->hs.state = SSL3_ST_SW_FLUSH; 299 S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
278 s->internal->init_num = 0; 300 s->internal->init_num = 0;
279 301
@@ -291,19 +313,77 @@ ssl3_accept(SSL *s)
291 case SSL3_ST_SR_CLNT_HELLO_B: 313 case SSL3_ST_SR_CLNT_HELLO_B:
292 case SSL3_ST_SR_CLNT_HELLO_C: 314 case SSL3_ST_SR_CLNT_HELLO_C:
293 s->internal->shutdown = 0; 315 s->internal->shutdown = 0;
294 if (s->internal->rwstate != SSL_X509_LOOKUP) { 316 if (SSL_IS_DTLS(s)) {
295 ret = ssl3_get_client_hello(s); 317 ret = ssl3_get_client_hello(s);
296 if (ret <= 0) 318 if (ret <= 0)
297 goto end; 319 goto end;
320 dtls1_stop_timer(s);
321
322 if (ret == 1 &&
323 (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
324 S3I(s)->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
325 else
326 S3I(s)->hs.state = SSL3_ST_SW_SRVR_HELLO_A;
327
328 s->internal->init_num = 0;
329
330 /*
331 * Reflect ClientHello sequence to remain
332 * stateless while listening.
333 */
334 if (listen) {
335 memcpy(S3I(s)->write_sequence,
336 S3I(s)->read_sequence,
337 sizeof(S3I(s)->write_sequence));
338 }
339
340 /* If we're just listening, stop here */
341 if (listen && S3I(s)->hs.state == SSL3_ST_SW_SRVR_HELLO_A) {
342 ret = 2;
343 D1I(s)->listen = 0;
344 /*
345 * Set expected sequence numbers to
346 * continue the handshake.
347 */
348 D1I(s)->handshake_read_seq = 2;
349 D1I(s)->handshake_write_seq = 1;
350 D1I(s)->next_handshake_write_seq = 1;
351 goto end;
352 }
353 } else {
354 if (s->internal->rwstate != SSL_X509_LOOKUP) {
355 ret = ssl3_get_client_hello(s);
356 if (ret <= 0)
357 goto end;
358 }
359
360 s->internal->renegotiate = 2;
361 S3I(s)->hs.state = SSL3_ST_SW_SRVR_HELLO_A;
362 s->internal->init_num = 0;
298 } 363 }
364 break;
299 365
300 s->internal->renegotiate = 2; 366 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
301 S3I(s)->hs.state = SSL3_ST_SW_SRVR_HELLO_A; 367 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
302 s->internal->init_num = 0; 368 ret = dtls1_send_hello_verify_request(s);
369 if (ret <= 0)
370 goto end;
371 S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
372 S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A;
373
374 /* HelloVerifyRequest resets Finished MAC. */
375 if (!tls1_init_finished_mac(s)) {
376 ret = -1;
377 goto end;
378 }
303 break; 379 break;
304 380
305 case SSL3_ST_SW_SRVR_HELLO_A: 381 case SSL3_ST_SW_SRVR_HELLO_A:
306 case SSL3_ST_SW_SRVR_HELLO_B: 382 case SSL3_ST_SW_SRVR_HELLO_B:
383 if (SSL_IS_DTLS(s)) {
384 s->internal->renegotiate = 2;
385 dtls1_start_timer(s);
386 }
307 ret = ssl3_send_server_hello(s); 387 ret = ssl3_send_server_hello(s);
308 if (ret <= 0) 388 if (ret <= 0)
309 goto end; 389 goto end;
@@ -323,6 +403,8 @@ ssl3_accept(SSL *s)
323 /* Check if it is anon DH or anon ECDH. */ 403 /* Check if it is anon DH or anon ECDH. */
324 if (!(S3I(s)->hs.new_cipher->algorithm_auth & 404 if (!(S3I(s)->hs.new_cipher->algorithm_auth &
325 SSL_aNULL)) { 405 SSL_aNULL)) {
406 if (SSL_IS_DTLS(s))
407 dtls1_start_timer(s);
326 ret = ssl3_send_server_certificate(s); 408 ret = ssl3_send_server_certificate(s);
327 if (ret <= 0) 409 if (ret <= 0)
328 goto end; 410 goto end;
@@ -350,6 +432,8 @@ ssl3_accept(SSL *s)
350 * public key for key exchange. 432 * public key for key exchange.
351 */ 433 */
352 if (alg_k & (SSL_kDHE|SSL_kECDHE)) { 434 if (alg_k & (SSL_kDHE|SSL_kECDHE)) {
435 if (SSL_IS_DTLS(s))
436 dtls1_start_timer(s);
353 ret = ssl3_send_server_key_exchange(s); 437 ret = ssl3_send_server_key_exchange(s);
354 if (ret <= 0) 438 if (ret <= 0)
355 goto end; 439 goto end;
@@ -389,7 +473,7 @@ ssl3_accept(SSL *s)
389 skip = 1; 473 skip = 1;
390 S3I(s)->tmp.cert_request = 0; 474 S3I(s)->tmp.cert_request = 0;
391 S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A; 475 S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A;
392 if (S3I(s)->handshake_buffer) { 476 if (!SSL_IS_DTLS(s) && S3I(s)->handshake_buffer) {
393 if (!tls1_digest_cached_records(s)) { 477 if (!tls1_digest_cached_records(s)) {
394 ret = -1; 478 ret = -1;
395 goto end; 479 goto end;
@@ -397,6 +481,8 @@ ssl3_accept(SSL *s)
397 } 481 }
398 } else { 482 } else {
399 S3I(s)->tmp.cert_request = 1; 483 S3I(s)->tmp.cert_request = 1;
484 if (SSL_IS_DTLS(s))
485 dtls1_start_timer(s);
400 ret = ssl3_send_certificate_request(s); 486 ret = ssl3_send_certificate_request(s);
401 if (ret <= 0) 487 if (ret <= 0)
402 goto end; 488 goto end;
@@ -407,6 +493,8 @@ ssl3_accept(SSL *s)
407 493
408 case SSL3_ST_SW_SRVR_DONE_A: 494 case SSL3_ST_SW_SRVR_DONE_A:
409 case SSL3_ST_SW_SRVR_DONE_B: 495 case SSL3_ST_SW_SRVR_DONE_B:
496 if (SSL_IS_DTLS(s))
497 dtls1_start_timer(s);
410 ret = ssl3_send_server_done(s); 498 ret = ssl3_send_server_done(s);
411 if (ret <= 0) 499 if (ret <= 0)
412 goto end; 500 goto end;
@@ -428,6 +516,13 @@ ssl3_accept(SSL *s)
428 */ 516 */
429 s->internal->rwstate = SSL_WRITING; 517 s->internal->rwstate = SSL_WRITING;
430 if (BIO_flush(s->wbio) <= 0) { 518 if (BIO_flush(s->wbio) <= 0) {
519 if (SSL_IS_DTLS(s)) {
520 /* If the write error was fatal, stop trying. */
521 if (!BIO_should_retry(s->wbio)) {
522 s->internal->rwstate = SSL_NOTHING;
523 S3I(s)->hs.state = S3I(s)->hs.next_state;
524 }
525 }
431 ret = -1; 526 ret = -1;
432 goto end; 527 goto end;
433 } 528 }
@@ -451,6 +546,12 @@ ssl3_accept(SSL *s)
451 ret = ssl3_get_client_key_exchange(s); 546 ret = ssl3_get_client_key_exchange(s);
452 if (ret <= 0) 547 if (ret <= 0)
453 goto end; 548 goto end;
549
550 if (SSL_IS_DTLS(s)) {
551 S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A;
552 s->internal->init_num = 0;
553 }
554
454 alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; 555 alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
455 if (ret == 2) { 556 if (ret == 2) {
456 /* 557 /*
@@ -509,7 +610,10 @@ ssl3_accept(SSL *s)
509 610
510 case SSL3_ST_SR_CERT_VRFY_A: 611 case SSL3_ST_SR_CERT_VRFY_A:
511 case SSL3_ST_SR_CERT_VRFY_B: 612 case SSL3_ST_SR_CERT_VRFY_B:
512 s->s3->flags |= SSL3_FLAGS_CCS_OK; 613 if (SSL_IS_DTLS(s))
614 D1I(s)->change_cipher_spec_ok = 1;
615 else
616 s->s3->flags |= SSL3_FLAGS_CCS_OK;
513 617
514 /* we should decide if we expected this one */ 618 /* we should decide if we expected this one */
515 ret = ssl3_get_cert_verify(s); 619 ret = ssl3_get_cert_verify(s);
@@ -521,11 +625,16 @@ ssl3_accept(SSL *s)
521 625
522 case SSL3_ST_SR_FINISHED_A: 626 case SSL3_ST_SR_FINISHED_A:
523 case SSL3_ST_SR_FINISHED_B: 627 case SSL3_ST_SR_FINISHED_B:
524 s->s3->flags |= SSL3_FLAGS_CCS_OK; 628 if (SSL_IS_DTLS(s))
629 D1I(s)->change_cipher_spec_ok = 1;
630 else
631 s->s3->flags |= SSL3_FLAGS_CCS_OK;
525 ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A, 632 ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A,
526 SSL3_ST_SR_FINISHED_B); 633 SSL3_ST_SR_FINISHED_B);
527 if (ret <= 0) 634 if (ret <= 0)
528 goto end; 635 goto end;
636 if (SSL_IS_DTLS(s))
637 dtls1_stop_timer(s);
529 if (s->internal->hit) 638 if (s->internal->hit)
530 S3I(s)->hs.state = SSL_ST_OK; 639 S3I(s)->hs.state = SSL_ST_OK;
531 else if (s->internal->tlsext_ticket_expected) 640 else if (s->internal->tlsext_ticket_expected)
@@ -574,6 +683,8 @@ ssl3_accept(SSL *s)
574 goto end; 683 goto end;
575 } 684 }
576 685
686 if (SSL_IS_DTLS(s))
687 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
577 break; 688 break;
578 689
579 case SSL3_ST_SW_FINISHED_A: 690 case SSL3_ST_SW_FINISHED_A:
@@ -596,8 +707,10 @@ ssl3_accept(SSL *s)
596 /* clean a few things up */ 707 /* clean a few things up */
597 tls1_cleanup_key_block(s); 708 tls1_cleanup_key_block(s);
598 709
599 BUF_MEM_free(s->internal->init_buf); 710 if (!SSL_IS_DTLS(s)) {
600 s->internal->init_buf = NULL; 711 BUF_MEM_free(s->internal->init_buf);
712 s->internal->init_buf = NULL;
713 }
601 714
602 /* remove buffering on output */ 715 /* remove buffering on output */
603 ssl_free_wbio_buffer(s); 716 ssl_free_wbio_buffer(s);
@@ -620,6 +733,14 @@ ssl3_accept(SSL *s)
620 } 733 }
621 734
622 ret = 1; 735 ret = 1;
736
737 if (SSL_IS_DTLS(s)) {
738 /* Done handshaking, next message is client hello. */
739 D1I(s)->handshake_read_seq = 0;
740 /* Next message is server hello. */
741 D1I(s)->handshake_write_seq = 0;
742 D1I(s)->next_handshake_write_seq = 0;
743 }
623 goto end; 744 goto end;
624 /* break; */ 745 /* break; */
625 746
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-20 08:21:15 +0000