summaryrefslogtreecommitdiff
path: root/src/lib/libssl/d1_clnt.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/d1_clnt.c')
-rw-r--r--src/lib/libssl/d1_clnt.c1160
1 files changed, 0 insertions, 1160 deletions
diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c
deleted file mode 100644
index b087535ce1..0000000000
--- a/src/lib/libssl/d1_clnt.c
+++ /dev/null
@@ -1,1160 +0,0 @@
1/* $OpenBSD: d1_clnt.c,v 1.47 2015/07/15 18:35:34 beck Exp $ */
2/*
3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
5 */
6/* ====================================================================
7 * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
19 * distribution.
20 *
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 *
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * openssl-core@OpenSSL.org.
30 *
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
34 *
35 * 6. Redistributions of any form whatsoever must retain the following
36 * acknowledgment:
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
53 *
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
57 *
58 */
59/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
60 * All rights reserved.
61 *
62 * This package is an SSL implementation written
63 * by Eric Young (eay@cryptsoft.com).
64 * The implementation was written so as to conform with Netscapes SSL.
65 *
66 * This library is free for commercial and non-commercial use as long as
67 * the following conditions are aheared to. The following conditions
68 * apply to all code found in this distribution, be it the RC4, RSA,
69 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
70 * included with this distribution is covered by the same copyright terms
71 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
72 *
73 * Copyright remains Eric Young's, and as such any Copyright notices in
74 * the code are not to be removed.
75 * If this package is used in a product, Eric Young should be given attribution
76 * as the author of the parts of the library used.
77 * This can be in the form of a textual message at program startup or
78 * in documentation (online or textual) provided with the package.
79 *
80 * Redistribution and use in source and binary forms, with or without
81 * modification, are permitted provided that the following conditions
82 * are met:
83 * 1. Redistributions of source code must retain the copyright
84 * notice, this list of conditions and the following disclaimer.
85 * 2. Redistributions in binary form must reproduce the above copyright
86 * notice, this list of conditions and the following disclaimer in the
87 * documentation and/or other materials provided with the distribution.
88 * 3. All advertising materials mentioning features or use of this software
89 * must display the following acknowledgement:
90 * "This product includes cryptographic software written by
91 * Eric Young (eay@cryptsoft.com)"
92 * The word 'cryptographic' can be left out if the rouines from the library
93 * being used are not cryptographic related :-).
94 * 4. If you include any Windows specific code (or a derivative thereof) from
95 * the apps directory (application code) you must include an acknowledgement:
96 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
97 *
98 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
99 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
100 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
101 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
102 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
103 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
104 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
105 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
106 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
107 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
108 * SUCH DAMAGE.
109 *
110 * The licence and distribution terms for any publically available version or
111 * derivative of this code cannot be changed. i.e. this code cannot simply be
112 * copied and put under another distribution licence
113 * [including the GNU Public Licence.]
114 */
115
116#include <limits.h>
117#include <stdio.h>
118
119#include "ssl_locl.h"
120
121#include <openssl/bn.h>
122#include <openssl/buffer.h>
123#include <openssl/dh.h>
124#include <openssl/evp.h>
125#include <openssl/md5.h>
126#include <openssl/objects.h>
127
128#include "bytestring.h"
129
130static const SSL_METHOD *dtls1_get_client_method(int ver);
131static int dtls1_get_hello_verify(SSL *s);
132
133const SSL_METHOD DTLSv1_client_method_data = {
134 .version = DTLS1_VERSION,
135 .ssl_new = dtls1_new,
136 .ssl_clear = dtls1_clear,
137 .ssl_free = dtls1_free,
138 .ssl_accept = ssl_undefined_function,
139 .ssl_connect = dtls1_connect,
140 .ssl_read = ssl3_read,
141 .ssl_peek = ssl3_peek,
142 .ssl_write = ssl3_write,
143 .ssl_shutdown = dtls1_shutdown,
144 .ssl_renegotiate = ssl3_renegotiate,
145 .ssl_renegotiate_check = ssl3_renegotiate_check,
146 .ssl_get_message = dtls1_get_message,
147 .ssl_read_bytes = dtls1_read_bytes,
148 .ssl_write_bytes = dtls1_write_app_data_bytes,
149 .ssl_dispatch_alert = dtls1_dispatch_alert,
150 .ssl_ctrl = dtls1_ctrl,
151 .ssl_ctx_ctrl = ssl3_ctx_ctrl,
152 .get_cipher_by_char = ssl3_get_cipher_by_char,
153 .put_cipher_by_char = ssl3_put_cipher_by_char,
154 .ssl_pending = ssl3_pending,
155 .num_ciphers = ssl3_num_ciphers,
156 .get_cipher = dtls1_get_cipher,
157 .get_ssl_method = dtls1_get_client_method,
158 .get_timeout = dtls1_default_timeout,
159 .ssl3_enc = &DTLSv1_enc_data,
160 .ssl_version = ssl_undefined_void_function,
161 .ssl_callback_ctrl = ssl3_callback_ctrl,
162 .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl,
163};
164
165const SSL_METHOD *
166DTLSv1_client_method(void)
167{
168 return &DTLSv1_client_method_data;
169}
170
171static const SSL_METHOD *
172dtls1_get_client_method(int ver)
173{
174 if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
175 return (DTLSv1_client_method());
176 return (NULL);
177}
178
179int
180dtls1_connect(SSL *s)
181{
182 void (*cb)(const SSL *ssl, int type, int val) = NULL;
183 int ret = -1;
184 int new_state, state, skip = 0;
185
186 ERR_clear_error();
187 errno = 0;
188
189 if (s->info_callback != NULL)
190 cb = s->info_callback;
191 else if (s->ctx->info_callback != NULL)
192 cb = s->ctx->info_callback;
193
194 s->in_handshake++;
195 if (!SSL_in_init(s) || SSL_in_before(s))
196 SSL_clear(s);
197
198
199 for (;;) {
200 state = s->state;
201
202 switch (s->state) {
203 case SSL_ST_RENEGOTIATE:
204 s->renegotiate = 1;
205 s->state = SSL_ST_CONNECT;
206 s->ctx->stats.sess_connect_renegotiate++;
207 /* break */
208 case SSL_ST_BEFORE:
209 case SSL_ST_CONNECT:
210 case SSL_ST_BEFORE|SSL_ST_CONNECT:
211 case SSL_ST_OK|SSL_ST_CONNECT:
212
213 s->server = 0;
214 if (cb != NULL)
215 cb(s, SSL_CB_HANDSHAKE_START, 1);
216
217 if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00) &&
218 (s->version & 0xff00 ) != (DTLS1_BAD_VER & 0xff00)) {
219 SSLerr(SSL_F_DTLS1_CONNECT,
220 ERR_R_INTERNAL_ERROR);
221 ret = -1;
222 goto end;
223 }
224
225 /* s->version=SSL3_VERSION; */
226 s->type = SSL_ST_CONNECT;
227
228 if (!ssl3_setup_init_buffer(s)) {
229 ret = -1;
230 goto end;
231 }
232 if (!ssl3_setup_buffers(s)) {
233 ret = -1;
234 goto end;
235 }
236 if (!ssl_init_wbio_buffer(s, 0)) {
237 ret = -1;
238 goto end;
239 }
240
241 /* don't push the buffering BIO quite yet */
242
243 s->state = SSL3_ST_CW_CLNT_HELLO_A;
244 s->ctx->stats.sess_connect++;
245 s->init_num = 0;
246 /* mark client_random uninitialized */
247 memset(s->s3->client_random, 0,
248 sizeof(s->s3->client_random));
249 s->d1->send_cookie = 0;
250 s->hit = 0;
251 break;
252
253
254 case SSL3_ST_CW_CLNT_HELLO_A:
255 case SSL3_ST_CW_CLNT_HELLO_B:
256
257 s->shutdown = 0;
258
259 /* every DTLS ClientHello resets Finished MAC */
260 if (!ssl3_init_finished_mac(s)) {
261 ret = -1;
262 goto end;
263 }
264
265 dtls1_start_timer(s);
266 ret = dtls1_client_hello(s);
267 if (ret <= 0)
268 goto end;
269
270 if (s->d1->send_cookie) {
271 s->state = SSL3_ST_CW_FLUSH;
272 s->s3->tmp.next_state = SSL3_ST_CR_SRVR_HELLO_A;
273 } else
274 s->state = SSL3_ST_CR_SRVR_HELLO_A;
275
276 s->init_num = 0;
277
278 /* turn on buffering for the next lot of output */
279 if (s->bbio != s->wbio)
280 s->wbio = BIO_push(s->bbio, s->wbio);
281 break;
282
283 case SSL3_ST_CR_SRVR_HELLO_A:
284 case SSL3_ST_CR_SRVR_HELLO_B:
285 ret = ssl3_get_server_hello(s);
286 if (ret <= 0)
287 goto end;
288 else {
289 if (s->hit) {
290
291 s->state = SSL3_ST_CR_FINISHED_A;
292 } else
293 s->state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
294 }
295 s->init_num = 0;
296 break;
297
298 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
299 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B:
300
301 ret = dtls1_get_hello_verify(s);
302 if (ret <= 0)
303 goto end;
304 dtls1_stop_timer(s);
305 if ( s->d1->send_cookie) /* start again, with a cookie */
306 s->state = SSL3_ST_CW_CLNT_HELLO_A;
307 else
308 s->state = SSL3_ST_CR_CERT_A;
309 s->init_num = 0;
310 break;
311
312 case SSL3_ST_CR_CERT_A:
313 case SSL3_ST_CR_CERT_B:
314 ret = ssl3_check_finished(s);
315 if (ret <= 0)
316 goto end;
317 if (ret == 2) {
318 s->hit = 1;
319 if (s->tlsext_ticket_expected)
320 s->state = SSL3_ST_CR_SESSION_TICKET_A;
321 else
322 s->state = SSL3_ST_CR_FINISHED_A;
323 s->init_num = 0;
324 break;
325 }
326 /* Check if it is anon DH. */
327 if (!(s->s3->tmp.new_cipher->algorithm_auth &
328 SSL_aNULL)) {
329 ret = ssl3_get_server_certificate(s);
330 if (ret <= 0)
331 goto end;
332 if (s->tlsext_status_expected)
333 s->state = SSL3_ST_CR_CERT_STATUS_A;
334 else
335 s->state = SSL3_ST_CR_KEY_EXCH_A;
336 } else {
337 skip = 1;
338 s->state = SSL3_ST_CR_KEY_EXCH_A;
339 }
340 s->init_num = 0;
341 break;
342
343 case SSL3_ST_CR_KEY_EXCH_A:
344 case SSL3_ST_CR_KEY_EXCH_B:
345 ret = ssl3_get_key_exchange(s);
346 if (ret <= 0)
347 goto end;
348 s->state = SSL3_ST_CR_CERT_REQ_A;
349 s->init_num = 0;
350
351 /* at this point we check that we have the
352 * required stuff from the server */
353 if (!ssl3_check_cert_and_algorithm(s)) {
354 ret = -1;
355 goto end;
356 }
357 break;
358
359 case SSL3_ST_CR_CERT_REQ_A:
360 case SSL3_ST_CR_CERT_REQ_B:
361 ret = ssl3_get_certificate_request(s);
362 if (ret <= 0)
363 goto end;
364 s->state = SSL3_ST_CR_SRVR_DONE_A;
365 s->init_num = 0;
366 break;
367
368 case SSL3_ST_CR_SRVR_DONE_A:
369 case SSL3_ST_CR_SRVR_DONE_B:
370 ret = ssl3_get_server_done(s);
371 if (ret <= 0)
372 goto end;
373 dtls1_stop_timer(s);
374 if (s->s3->tmp.cert_req)
375 s->s3->tmp.next_state = SSL3_ST_CW_CERT_A;
376 else
377 s->s3->tmp.next_state = SSL3_ST_CW_KEY_EXCH_A;
378 s->init_num = 0;
379
380 s->state = s->s3->tmp.next_state;
381 break;
382
383 case SSL3_ST_CW_CERT_A:
384 case SSL3_ST_CW_CERT_B:
385 case SSL3_ST_CW_CERT_C:
386 case SSL3_ST_CW_CERT_D:
387 dtls1_start_timer(s);
388 ret = dtls1_send_client_certificate(s);
389 if (ret <= 0)
390 goto end;
391 s->state = SSL3_ST_CW_KEY_EXCH_A;
392 s->init_num = 0;
393 break;
394
395 case SSL3_ST_CW_KEY_EXCH_A:
396 case SSL3_ST_CW_KEY_EXCH_B:
397 dtls1_start_timer(s);
398 ret = dtls1_send_client_key_exchange(s);
399 if (ret <= 0)
400 goto end;
401
402
403 /* EAY EAY EAY need to check for DH fix cert
404 * sent back */
405 /* For TLS, cert_req is set to 2, so a cert chain
406 * of nothing is sent, but no verify packet is sent */
407 if (s->s3->tmp.cert_req == 1) {
408 s->state = SSL3_ST_CW_CERT_VRFY_A;
409 } else {
410 s->state = SSL3_ST_CW_CHANGE_A;
411 s->s3->change_cipher_spec = 0;
412 }
413
414 s->init_num = 0;
415 break;
416
417 case SSL3_ST_CW_CERT_VRFY_A:
418 case SSL3_ST_CW_CERT_VRFY_B:
419 dtls1_start_timer(s);
420 ret = dtls1_send_client_verify(s);
421 if (ret <= 0)
422 goto end;
423 s->state = SSL3_ST_CW_CHANGE_A;
424 s->init_num = 0;
425 s->s3->change_cipher_spec = 0;
426 break;
427
428 case SSL3_ST_CW_CHANGE_A:
429 case SSL3_ST_CW_CHANGE_B:
430 if (!s->hit)
431 dtls1_start_timer(s);
432 ret = dtls1_send_change_cipher_spec(s,
433 SSL3_ST_CW_CHANGE_A, SSL3_ST_CW_CHANGE_B);
434 if (ret <= 0)
435 goto end;
436
437 s->state = SSL3_ST_CW_FINISHED_A;
438 s->init_num = 0;
439
440 s->session->cipher = s->s3->tmp.new_cipher;
441 if (!s->method->ssl3_enc->setup_key_block(s)) {
442 ret = -1;
443 goto end;
444 }
445
446 if (!s->method->ssl3_enc->change_cipher_state(s,
447 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
448 ret = -1;
449 goto end;
450 }
451
452
453 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
454 break;
455
456 case SSL3_ST_CW_FINISHED_A:
457 case SSL3_ST_CW_FINISHED_B:
458 if (!s->hit)
459 dtls1_start_timer(s);
460 ret = dtls1_send_finished(s,
461 SSL3_ST_CW_FINISHED_A, SSL3_ST_CW_FINISHED_B,
462 s->method->ssl3_enc->client_finished_label,
463 s->method->ssl3_enc->client_finished_label_len);
464 if (ret <= 0)
465 goto end;
466 s->state = SSL3_ST_CW_FLUSH;
467
468 /* clear flags */
469 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
470 if (s->hit) {
471 s->s3->tmp.next_state = SSL_ST_OK;
472 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) {
473 s->state = SSL_ST_OK;
474 s->s3->flags |= SSL3_FLAGS_POP_BUFFER;
475 s->s3->delay_buf_pop_ret = 0;
476 }
477 } else {
478
479 /* Allow NewSessionTicket if ticket expected */
480 if (s->tlsext_ticket_expected)
481 s->s3->tmp.next_state =
482 SSL3_ST_CR_SESSION_TICKET_A;
483 else
484 s->s3->tmp.next_state =
485 SSL3_ST_CR_FINISHED_A;
486 }
487 s->init_num = 0;
488 break;
489
490 case SSL3_ST_CR_SESSION_TICKET_A:
491 case SSL3_ST_CR_SESSION_TICKET_B:
492 ret = ssl3_get_new_session_ticket(s);
493 if (ret <= 0)
494 goto end;
495 s->state = SSL3_ST_CR_FINISHED_A;
496 s->init_num = 0;
497 break;
498
499 case SSL3_ST_CR_CERT_STATUS_A:
500 case SSL3_ST_CR_CERT_STATUS_B:
501 ret = ssl3_get_cert_status(s);
502 if (ret <= 0)
503 goto end;
504 s->state = SSL3_ST_CR_KEY_EXCH_A;
505 s->init_num = 0;
506 break;
507
508 case SSL3_ST_CR_FINISHED_A:
509 case SSL3_ST_CR_FINISHED_B:
510 s->d1->change_cipher_spec_ok = 1;
511 ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A,
512 SSL3_ST_CR_FINISHED_B);
513 if (ret <= 0)
514 goto end;
515 dtls1_stop_timer(s);
516
517 if (s->hit)
518 s->state = SSL3_ST_CW_CHANGE_A;
519 else
520 s->state = SSL_ST_OK;
521
522
523 s->init_num = 0;
524 break;
525
526 case SSL3_ST_CW_FLUSH:
527 s->rwstate = SSL_WRITING;
528 if (BIO_flush(s->wbio) <= 0) {
529 /* If the write error was fatal, stop trying */
530 if (!BIO_should_retry(s->wbio)) {
531 s->rwstate = SSL_NOTHING;
532 s->state = s->s3->tmp.next_state;
533 }
534
535 ret = -1;
536 goto end;
537 }
538 s->rwstate = SSL_NOTHING;
539 s->state = s->s3->tmp.next_state;
540 break;
541
542 case SSL_ST_OK:
543 /* clean a few things up */
544 ssl3_cleanup_key_block(s);
545
546 /* If we are not 'joining' the last two packets,
547 * remove the buffering now */
548 if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
549 ssl_free_wbio_buffer(s);
550 /* else do it later in ssl3_write */
551
552 s->init_num = 0;
553 s->renegotiate = 0;
554 s->new_session = 0;
555
556 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
557 if (s->hit)
558 s->ctx->stats.sess_hit++;
559
560 ret = 1;
561 /* s->server=0; */
562 s->handshake_func = dtls1_connect;
563 s->ctx->stats.sess_connect_good++;
564
565 if (cb != NULL)
566 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
567
568 /* done with handshaking */
569 s->d1->handshake_read_seq = 0;
570 s->d1->next_handshake_write_seq = 0;
571 goto end;
572 /* break; */
573
574 default:
575 SSLerr(SSL_F_DTLS1_CONNECT, SSL_R_UNKNOWN_STATE);
576 ret = -1;
577 goto end;
578 /* break; */
579 }
580
581 /* did we do anything */
582 if (!s->s3->tmp.reuse_message && !skip) {
583 if (s->debug) {
584 if ((ret = BIO_flush(s->wbio)) <= 0)
585 goto end;
586 }
587
588 if ((cb != NULL) && (s->state != state)) {
589 new_state = s->state;
590 s->state = state;
591 cb(s, SSL_CB_CONNECT_LOOP, 1);
592 s->state = new_state;
593 }
594 }
595 skip = 0;
596 }
597
598end:
599 s->in_handshake--;
600 if (cb != NULL)
601 cb(s, SSL_CB_CONNECT_EXIT, ret);
602
603 return (ret);
604}
605
606int
607dtls1_client_hello(SSL *s)
608{
609 unsigned char *bufend, *d, *p;
610 unsigned int i;
611
612 if (s->state == SSL3_ST_CW_CLNT_HELLO_A) {
613 SSL_SESSION *sess = s->session;
614
615 if ((s->session == NULL) ||
616 (s->session->ssl_version != s->version) ||
617 (!sess->session_id_length && !sess->tlsext_tick) ||
618 (s->session->not_resumable)) {
619 if (!ssl_get_new_session(s, 0))
620 goto err;
621 }
622 /* else use the pre-loaded session */
623
624 p = s->s3->client_random;
625
626 /* if client_random is initialized, reuse it, we are
627 * required to use same upon reply to HelloVerify */
628 for (i = 0; p[i]=='\0' && i < sizeof(s->s3->client_random); i++)
629 ;
630 if (i == sizeof(s->s3->client_random))
631 arc4random_buf(p, sizeof(s->s3->client_random));
632
633 d = p = ssl3_handshake_msg_start(s, SSL3_MT_CLIENT_HELLO);
634
635 *(p++) = s->version >> 8;
636 *(p++) = s->version&0xff;
637 s->client_version = s->version;
638
639 /* Random stuff */
640 memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
641 p += SSL3_RANDOM_SIZE;
642
643 /* Session ID */
644 if (s->new_session)
645 i = 0;
646 else
647 i = s->session->session_id_length;
648 *(p++) = i;
649 if (i != 0) {
650 if (i > sizeof s->session->session_id) {
651 SSLerr(SSL_F_DTLS1_CLIENT_HELLO,
652 ERR_R_INTERNAL_ERROR);
653 goto err;
654 }
655 memcpy(p, s->session->session_id, i);
656 p += i;
657 }
658
659 /* cookie stuff */
660 if (s->d1->cookie_len > sizeof(s->d1->cookie)) {
661 SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
662 goto err;
663 }
664 *(p++) = s->d1->cookie_len;
665 memcpy(p, s->d1->cookie, s->d1->cookie_len);
666 p += s->d1->cookie_len;
667
668 /* Ciphers supported */
669 i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &p[2]);
670 if (i == 0) {
671 SSLerr(SSL_F_DTLS1_CLIENT_HELLO,
672 SSL_R_NO_CIPHERS_AVAILABLE);
673 goto err;
674 }
675 s2n(i, p);
676 p += i;
677
678 /* add in (no) COMPRESSION */
679 *(p++) = 1;
680 *(p++) = 0; /* Add the NULL method */
681
682 bufend = (unsigned char *)s->init_buf->data +
683 SSL3_RT_MAX_PLAIN_LENGTH;
684 if ((p = ssl_add_clienthello_tlsext(s, p, bufend)) == NULL) {
685 SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
686 goto err;
687 }
688
689 ssl3_handshake_msg_finish(s, p - d);
690
691 s->state = SSL3_ST_CW_CLNT_HELLO_B;
692 }
693
694 /* SSL3_ST_CW_CLNT_HELLO_B */
695 return (ssl3_handshake_write(s));
696err:
697 return (-1);
698}
699
700static int
701dtls1_get_hello_verify(SSL *s)
702{
703 long n;
704 int al, ok = 0;
705 size_t cookie_len;
706 uint16_t ssl_version;
707 CBS hello_verify_request, cookie;
708
709 n = s->method->ssl_get_message(s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A,
710 DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, -1, s->max_cert_list, &ok);
711
712 if (!ok)
713 return ((int)n);
714
715 if (s->s3->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) {
716 s->d1->send_cookie = 0;
717 s->s3->tmp.reuse_message = 1;
718 return (1);
719 }
720
721 if (n < 0)
722 goto truncated;
723
724 CBS_init(&hello_verify_request, s->init_msg, n);
725
726 if (!CBS_get_u16(&hello_verify_request, &ssl_version))
727 goto truncated;
728
729 if (ssl_version != s->version) {
730 SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY, SSL_R_WRONG_SSL_VERSION);
731 s->version = (s->version & 0xff00) | (ssl_version & 0xff);
732 al = SSL_AD_PROTOCOL_VERSION;
733 goto f_err;
734 }
735
736 if (!CBS_get_u8_length_prefixed(&hello_verify_request, &cookie))
737 goto truncated;
738
739 if (!CBS_write_bytes(&cookie, s->d1->cookie,
740 sizeof(s->d1->cookie), &cookie_len)) {
741 s->d1->cookie_len = 0;
742 al = SSL_AD_ILLEGAL_PARAMETER;
743 goto f_err;
744 }
745 s->d1->cookie_len = cookie_len;
746 s->d1->send_cookie = 1;
747
748 return 1;
749
750truncated:
751 al = SSL_AD_DECODE_ERROR;
752f_err:
753 ssl3_send_alert(s, SSL3_AL_FATAL, al);
754 return -1;
755}
756
757int
758dtls1_send_client_key_exchange(SSL *s)
759{
760 unsigned char *p, *q;
761 int n;
762 unsigned long alg_k;
763 EVP_PKEY *pkey = NULL;
764 EC_KEY *clnt_ecdh = NULL;
765 const EC_POINT *srvr_ecpoint = NULL;
766 EVP_PKEY *srvr_pub_pkey = NULL;
767 unsigned char *encodedPoint = NULL;
768 int encoded_pt_len = 0;
769 BN_CTX * bn_ctx = NULL;
770
771 if (s->state == SSL3_ST_CW_KEY_EXCH_A) {
772 p = ssl3_handshake_msg_start(s, SSL3_MT_CLIENT_KEY_EXCHANGE);
773
774 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
775
776 if (s->session->sess_cert == NULL) {
777 ssl3_send_alert(s, SSL3_AL_FATAL,
778 SSL_AD_HANDSHAKE_FAILURE);
779 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
780 ERR_R_INTERNAL_ERROR);
781 goto err;
782 }
783
784 if (alg_k & SSL_kRSA) {
785 RSA *rsa;
786 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
787
788 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
789 if ((pkey == NULL) ||
790 (pkey->type != EVP_PKEY_RSA) ||
791 (pkey->pkey.rsa == NULL)) {
792 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
793 ERR_R_INTERNAL_ERROR);
794 goto err;
795 }
796 rsa = pkey->pkey.rsa;
797 EVP_PKEY_free(pkey);
798
799 tmp_buf[0] = s->client_version >> 8;
800 tmp_buf[1] = s->client_version&0xff;
801 arc4random_buf(&tmp_buf[2], sizeof(tmp_buf) - 2);
802
803 s->session->master_key_length = sizeof tmp_buf;
804
805 q = p;
806 /* Fix buf for TLS and [incidentally] DTLS */
807 if (s->version > SSL3_VERSION)
808 p += 2;
809 n = RSA_public_encrypt(sizeof tmp_buf,
810 tmp_buf, p, rsa, RSA_PKCS1_PADDING);
811 if (n <= 0) {
812 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
813 SSL_R_BAD_RSA_ENCRYPT);
814 goto err;
815 }
816
817 /* Fix buf for TLS and [incidentally] DTLS */
818 if (s->version > SSL3_VERSION) {
819 s2n(n, q);
820 n += 2;
821 }
822
823 s->session->master_key_length =
824 s->method->ssl3_enc->generate_master_secret(s,
825 s->session->master_key,
826 tmp_buf, sizeof tmp_buf);
827 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
828 } else if (alg_k & SSL_kDHE) {
829 DH *dh_srvr, *dh_clnt;
830
831 if (s->session->sess_cert->peer_dh_tmp != NULL)
832 dh_srvr = s->session->sess_cert->peer_dh_tmp;
833 else {
834 /* we get them from the cert */
835 ssl3_send_alert(s, SSL3_AL_FATAL,
836 SSL_AD_HANDSHAKE_FAILURE);
837 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
838 SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
839 goto err;
840 }
841
842 /* generate a new random key */
843 if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL) {
844 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
845 ERR_R_DH_LIB);
846 goto err;
847 }
848 if (!DH_generate_key(dh_clnt)) {
849 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
850 ERR_R_DH_LIB);
851 goto err;
852 }
853
854 /* use the 'p' output buffer for the DH key, but
855 * make sure to clear it out afterwards */
856
857 n = DH_compute_key(p, dh_srvr->pub_key, dh_clnt);
858
859 if (n <= 0) {
860 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
861 ERR_R_DH_LIB);
862 goto err;
863 }
864
865 /* generate master key from the result */
866 s->session->master_key_length =
867 s->method->ssl3_enc->generate_master_secret(
868 s, s->session->master_key, p, n);
869 /* clean up */
870 memset(p, 0, n);
871
872 /* send off the data */
873 n = BN_num_bytes(dh_clnt->pub_key);
874 s2n(n, p);
875 BN_bn2bin(dh_clnt->pub_key, p);
876 n += 2;
877
878 DH_free(dh_clnt);
879
880 /* perhaps clean things up a bit EAY EAY EAY EAY*/
881 } else if (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) {
882 const EC_GROUP *srvr_group = NULL;
883 EC_KEY *tkey;
884 int field_size = 0;
885
886 if (s->session->sess_cert->peer_ecdh_tmp != NULL) {
887 tkey = s->session->sess_cert->peer_ecdh_tmp;
888 } else {
889 /* Get the Server Public Key from Cert */
890 srvr_pub_pkey = X509_get_pubkey(s->session-> \
891 sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
892 if ((srvr_pub_pkey == NULL) ||
893 (srvr_pub_pkey->type != EVP_PKEY_EC) ||
894 (srvr_pub_pkey->pkey.ec == NULL)) {
895 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
896 ERR_R_INTERNAL_ERROR);
897 goto err;
898 }
899
900 tkey = srvr_pub_pkey->pkey.ec;
901 }
902
903 srvr_group = EC_KEY_get0_group(tkey);
904 srvr_ecpoint = EC_KEY_get0_public_key(tkey);
905
906 if ((srvr_group == NULL) || (srvr_ecpoint == NULL)) {
907 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
908 ERR_R_INTERNAL_ERROR);
909 goto err;
910 }
911
912 if ((clnt_ecdh = EC_KEY_new()) == NULL) {
913 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
914 ERR_R_MALLOC_FAILURE);
915 goto err;
916 }
917
918 if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) {
919 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
920 ERR_R_EC_LIB);
921 goto err;
922 }
923
924 /* Generate a new ECDH key pair */
925 if (!(EC_KEY_generate_key(clnt_ecdh))) {
926 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
927 ERR_R_ECDH_LIB);
928 goto err;
929 }
930
931 /* use the 'p' output buffer for the ECDH key, but
932 * make sure to clear it out afterwards
933 */
934
935 field_size = EC_GROUP_get_degree(srvr_group);
936 if (field_size <= 0) {
937 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
938 ERR_R_ECDH_LIB);
939 goto err;
940 }
941 n = ECDH_compute_key(p, (field_size + 7)/8, srvr_ecpoint, clnt_ecdh, NULL);
942 if (n <= 0) {
943 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
944 ERR_R_ECDH_LIB);
945 goto err;
946 }
947
948 /* generate master key from the result */
949 s->session->master_key_length =
950 s->method->ssl3_enc->generate_master_secret(
951 s, s->session->master_key, p, n);
952 memset(p, 0, n); /* clean up */
953
954 /* First check the size of encoding and
955 * allocate memory accordingly.
956 */
957 encoded_pt_len = EC_POINT_point2oct(srvr_group,
958 EC_KEY_get0_public_key(clnt_ecdh),
959 POINT_CONVERSION_UNCOMPRESSED,
960 NULL, 0, NULL);
961
962 encodedPoint = malloc(encoded_pt_len);
963
964 bn_ctx = BN_CTX_new();
965 if ((encodedPoint == NULL) ||
966 (bn_ctx == NULL)) {
967 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
968 ERR_R_MALLOC_FAILURE);
969 goto err;
970 }
971
972 /* Encode the public key */
973 n = EC_POINT_point2oct(srvr_group,
974 EC_KEY_get0_public_key(clnt_ecdh),
975 POINT_CONVERSION_UNCOMPRESSED,
976 encodedPoint, encoded_pt_len, bn_ctx);
977
978 *p = n; /* length of encoded point */
979 /* Encoded point will be copied here */
980 p += 1;
981
982 /* copy the point */
983 memcpy((unsigned char *)p, encodedPoint, n);
984 /* increment n to account for length field */
985 n += 1;
986
987 /* Free allocated memory */
988 BN_CTX_free(bn_ctx);
989 free(encodedPoint);
990 EC_KEY_free(clnt_ecdh);
991 EVP_PKEY_free(srvr_pub_pkey);
992 }
993
994 else {
995 ssl3_send_alert(s, SSL3_AL_FATAL,
996 SSL_AD_HANDSHAKE_FAILURE);
997 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
998 ERR_R_INTERNAL_ERROR);
999 goto err;
1000 }
1001
1002 ssl3_handshake_msg_finish(s, n);
1003
1004 s->state = SSL3_ST_CW_KEY_EXCH_B;
1005 }
1006
1007 /* SSL3_ST_CW_KEY_EXCH_B */
1008 return (ssl3_handshake_write(s));
1009
1010err:
1011 BN_CTX_free(bn_ctx);
1012 free(encodedPoint);
1013 EC_KEY_free(clnt_ecdh);
1014 EVP_PKEY_free(srvr_pub_pkey);
1015 return (-1);
1016}
1017
1018int
1019dtls1_send_client_verify(SSL *s)
1020{
1021 unsigned char *p;
1022 unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
1023 EVP_PKEY *pkey;
1024 unsigned u = 0;
1025 unsigned long n;
1026 int j;
1027
1028 if (s->state == SSL3_ST_CW_CERT_VRFY_A) {
1029 p = ssl3_handshake_msg_start(s, SSL3_MT_CERTIFICATE_VERIFY);
1030
1031 pkey = s->cert->key->privatekey;
1032
1033 s->method->ssl3_enc->cert_verify_mac(s, NID_sha1,
1034 &(data[MD5_DIGEST_LENGTH]));
1035
1036 if (pkey->type == EVP_PKEY_RSA) {
1037 s->method->ssl3_enc->cert_verify_mac(s,
1038 NID_md5, &(data[0]));
1039 if (RSA_sign(NID_md5_sha1, data,
1040 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH,
1041 &(p[2]), &u, pkey->pkey.rsa) <= 0 ) {
1042 SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,
1043 ERR_R_RSA_LIB);
1044 goto err;
1045 }
1046 s2n(u, p);
1047 n = u + 2;
1048 } else if (pkey->type == EVP_PKEY_DSA) {
1049 if (!DSA_sign(pkey->save_type,
1050 &(data[MD5_DIGEST_LENGTH]),
1051 SHA_DIGEST_LENGTH, &(p[2]),
1052 (unsigned int *)&j, pkey->pkey.dsa)) {
1053 SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,
1054 ERR_R_DSA_LIB);
1055 goto err;
1056 }
1057 s2n(j, p);
1058 n = j + 2;
1059 } else if (pkey->type == EVP_PKEY_EC) {
1060 if (!ECDSA_sign(pkey->save_type,
1061 &(data[MD5_DIGEST_LENGTH]),
1062 SHA_DIGEST_LENGTH, &(p[2]),
1063 (unsigned int *)&j, pkey->pkey.ec)) {
1064 SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,
1065 ERR_R_ECDSA_LIB);
1066 goto err;
1067 }
1068 s2n(j, p);
1069 n = j + 2;
1070 } else {
1071 SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,
1072 ERR_R_INTERNAL_ERROR);
1073 goto err;
1074 }
1075
1076 ssl3_handshake_msg_finish(s, n);
1077
1078 s->state = SSL3_ST_CW_CERT_VRFY_B;
1079 }
1080
1081 /* s->state = SSL3_ST_CW_CERT_VRFY_B */
1082 return (ssl3_handshake_write(s));
1083
1084err:
1085 return (-1);
1086}
1087
1088int
1089dtls1_send_client_certificate(SSL *s)
1090{
1091 X509 *x509 = NULL;
1092 EVP_PKEY *pkey = NULL;
1093 int i;
1094 unsigned long l;
1095
1096 if (s->state == SSL3_ST_CW_CERT_A) {
1097 if ((s->cert == NULL) || (s->cert->key->x509 == NULL) ||
1098 (s->cert->key->privatekey == NULL))
1099 s->state = SSL3_ST_CW_CERT_B;
1100 else
1101 s->state = SSL3_ST_CW_CERT_C;
1102 }
1103
1104 /* We need to get a client cert */
1105 if (s->state == SSL3_ST_CW_CERT_B) {
1106 /* If we get an error, we need to
1107 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
1108 * We then get retied later */
1109 i = 0;
1110 i = ssl_do_client_cert_cb(s, &x509, &pkey);
1111 if (i < 0) {
1112 s->rwstate = SSL_X509_LOOKUP;
1113 return (-1);
1114 }
1115 s->rwstate = SSL_NOTHING;
1116 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) {
1117 s->state = SSL3_ST_CW_CERT_B;
1118 if (!SSL_use_certificate(s, x509) ||
1119 !SSL_use_PrivateKey(s, pkey))
1120 i = 0;
1121 } else if (i == 1) {
1122 i = 0;
1123 SSLerr(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE,
1124 SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
1125 }
1126
1127 if (x509 != NULL)
1128 X509_free(x509);
1129 EVP_PKEY_free(pkey);
1130 if (i == 0) {
1131 if (s->version == SSL3_VERSION) {
1132 s->s3->tmp.cert_req = 0;
1133 ssl3_send_alert(s, SSL3_AL_WARNING,
1134 SSL_AD_NO_CERTIFICATE);
1135 return (1);
1136 } else {
1137 s->s3->tmp.cert_req = 2;
1138 }
1139 }
1140
1141 /* Ok, we have a cert */
1142 s->state = SSL3_ST_CW_CERT_C;
1143 }
1144
1145 if (s->state == SSL3_ST_CW_CERT_C) {
1146 s->state = SSL3_ST_CW_CERT_D;
1147 l = dtls1_output_cert_chain(s,
1148 (s->s3->tmp.cert_req == 2) ? NULL : s->cert->key->x509);
1149 s->init_num = (int)l;
1150 s->init_off = 0;
1151
1152 /* set header called by dtls1_output_cert_chain() */
1153
1154 /* buffer the message to handle re-xmits */
1155 dtls1_buffer_message(s, 0);
1156 }
1157
1158 /* SSL3_ST_CW_CERT_D */
1159 return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
1160}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-19 22:54:44 +0000