summaryrefslogtreecommitdiff
path: root/src/lib/libssl/d1_clnt.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/d1_clnt.c')
-rw-r--r--src/lib/libssl/d1_clnt.c1222
1 files changed, 0 insertions, 1222 deletions
diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c
deleted file mode 100644
index cf25183de5..0000000000
--- a/src/lib/libssl/d1_clnt.c
+++ /dev/null
@@ -1,1222 +0,0 @@
1/* $OpenBSD: d1_clnt.c,v 1.43 2015/02/09 10:53:28 jsing Exp $ */
2/*
3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
5 */
6/* ====================================================================
7 * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
19 * distribution.
20 *
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 *
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * openssl-core@OpenSSL.org.
30 *
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
34 *
35 * 6. Redistributions of any form whatsoever must retain the following
36 * acknowledgment:
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
53 *
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
57 *
58 */
59/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
60 * All rights reserved.
61 *
62 * This package is an SSL implementation written
63 * by Eric Young (eay@cryptsoft.com).
64 * The implementation was written so as to conform with Netscapes SSL.
65 *
66 * This library is free for commercial and non-commercial use as long as
67 * the following conditions are aheared to. The following conditions
68 * apply to all code found in this distribution, be it the RC4, RSA,
69 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
70 * included with this distribution is covered by the same copyright terms
71 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
72 *
73 * Copyright remains Eric Young's, and as such any Copyright notices in
74 * the code are not to be removed.
75 * If this package is used in a product, Eric Young should be given attribution
76 * as the author of the parts of the library used.
77 * This can be in the form of a textual message at program startup or
78 * in documentation (online or textual) provided with the package.
79 *
80 * Redistribution and use in source and binary forms, with or without
81 * modification, are permitted provided that the following conditions
82 * are met:
83 * 1. Redistributions of source code must retain the copyright
84 * notice, this list of conditions and the following disclaimer.
85 * 2. Redistributions in binary form must reproduce the above copyright
86 * notice, this list of conditions and the following disclaimer in the
87 * documentation and/or other materials provided with the distribution.
88 * 3. All advertising materials mentioning features or use of this software
89 * must display the following acknowledgement:
90 * "This product includes cryptographic software written by
91 * Eric Young (eay@cryptsoft.com)"
92 * The word 'cryptographic' can be left out if the rouines from the library
93 * being used are not cryptographic related :-).
94 * 4. If you include any Windows specific code (or a derivative thereof) from
95 * the apps directory (application code) you must include an acknowledgement:
96 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
97 *
98 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
99 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
100 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
101 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
102 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
103 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
104 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
105 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
106 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
107 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
108 * SUCH DAMAGE.
109 *
110 * The licence and distribution terms for any publically available version or
111 * derivative of this code cannot be changed. i.e. this code cannot simply be
112 * copied and put under another distribution licence
113 * [including the GNU Public Licence.]
114 */
115
116#include <stdio.h>
117
118#include "ssl_locl.h"
119
120#include <openssl/bn.h>
121#include <openssl/buffer.h>
122#include <openssl/dh.h>
123#include <openssl/evp.h>
124#include <openssl/md5.h>
125#include <openssl/objects.h>
126
127static const SSL_METHOD *dtls1_get_client_method(int ver);
128static int dtls1_get_hello_verify(SSL *s);
129
130const SSL_METHOD DTLSv1_client_method_data = {
131 .version = DTLS1_VERSION,
132 .ssl_new = dtls1_new,
133 .ssl_clear = dtls1_clear,
134 .ssl_free = dtls1_free,
135 .ssl_accept = ssl_undefined_function,
136 .ssl_connect = dtls1_connect,
137 .ssl_read = ssl3_read,
138 .ssl_peek = ssl3_peek,
139 .ssl_write = ssl3_write,
140 .ssl_shutdown = dtls1_shutdown,
141 .ssl_renegotiate = ssl3_renegotiate,
142 .ssl_renegotiate_check = ssl3_renegotiate_check,
143 .ssl_get_message = dtls1_get_message,
144 .ssl_read_bytes = dtls1_read_bytes,
145 .ssl_write_bytes = dtls1_write_app_data_bytes,
146 .ssl_dispatch_alert = dtls1_dispatch_alert,
147 .ssl_ctrl = dtls1_ctrl,
148 .ssl_ctx_ctrl = ssl3_ctx_ctrl,
149 .get_cipher_by_char = ssl3_get_cipher_by_char,
150 .put_cipher_by_char = ssl3_put_cipher_by_char,
151 .ssl_pending = ssl3_pending,
152 .num_ciphers = ssl3_num_ciphers,
153 .get_cipher = dtls1_get_cipher,
154 .get_ssl_method = dtls1_get_client_method,
155 .get_timeout = dtls1_default_timeout,
156 .ssl3_enc = &DTLSv1_enc_data,
157 .ssl_version = ssl_undefined_void_function,
158 .ssl_callback_ctrl = ssl3_callback_ctrl,
159 .ssl_ctx_callback_ctrl = ssl3_ctx_callback_ctrl,
160};
161
162const SSL_METHOD *
163DTLSv1_client_method(void)
164{
165 return &DTLSv1_client_method_data;
166}
167
168static const SSL_METHOD *
169dtls1_get_client_method(int ver)
170{
171 if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
172 return (DTLSv1_client_method());
173 return (NULL);
174}
175
176int
177dtls1_connect(SSL *s)
178{
179 BUF_MEM *buf = NULL;
180 void (*cb)(const SSL *ssl, int type, int val) = NULL;
181 int ret = -1;
182 int new_state, state, skip = 0;
183
184 ERR_clear_error();
185 errno = 0;
186
187 if (s->info_callback != NULL)
188 cb = s->info_callback;
189 else if (s->ctx->info_callback != NULL)
190 cb = s->ctx->info_callback;
191
192 s->in_handshake++;
193 if (!SSL_in_init(s) || SSL_in_before(s))
194 SSL_clear(s);
195
196
197 for (;;) {
198 state = s->state;
199
200 switch (s->state) {
201 case SSL_ST_RENEGOTIATE:
202 s->renegotiate = 1;
203 s->state = SSL_ST_CONNECT;
204 s->ctx->stats.sess_connect_renegotiate++;
205 /* break */
206 case SSL_ST_BEFORE:
207 case SSL_ST_CONNECT:
208 case SSL_ST_BEFORE|SSL_ST_CONNECT:
209 case SSL_ST_OK|SSL_ST_CONNECT:
210
211 s->server = 0;
212 if (cb != NULL)
213 cb(s, SSL_CB_HANDSHAKE_START, 1);
214
215 if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00) &&
216 (s->version & 0xff00 ) != (DTLS1_BAD_VER & 0xff00)) {
217 SSLerr(SSL_F_DTLS1_CONNECT,
218 ERR_R_INTERNAL_ERROR);
219 ret = -1;
220 goto end;
221 }
222
223 /* s->version=SSL3_VERSION; */
224 s->type = SSL_ST_CONNECT;
225
226 if (s->init_buf == NULL) {
227 if ((buf = BUF_MEM_new()) == NULL) {
228 ret = -1;
229 goto end;
230 }
231 if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
232 ret = -1;
233 goto end;
234 }
235 s->init_buf = buf;
236 buf = NULL;
237 }
238
239 if (!ssl3_setup_buffers(s)) {
240 ret = -1;
241 goto end;
242 }
243
244 /* setup buffing BIO */
245 if (!ssl_init_wbio_buffer(s, 0)) {
246 ret = -1;
247 goto end;
248 }
249
250 /* don't push the buffering BIO quite yet */
251
252 s->state = SSL3_ST_CW_CLNT_HELLO_A;
253 s->ctx->stats.sess_connect++;
254 s->init_num = 0;
255 /* mark client_random uninitialized */
256 memset(s->s3->client_random, 0,
257 sizeof(s->s3->client_random));
258 s->d1->send_cookie = 0;
259 s->hit = 0;
260 break;
261
262
263 case SSL3_ST_CW_CLNT_HELLO_A:
264 case SSL3_ST_CW_CLNT_HELLO_B:
265
266 s->shutdown = 0;
267
268 /* every DTLS ClientHello resets Finished MAC */
269 if (!ssl3_init_finished_mac(s)) {
270 ret = -1;
271 goto end;
272 }
273
274 dtls1_start_timer(s);
275 ret = dtls1_client_hello(s);
276 if (ret <= 0)
277 goto end;
278
279 if (s->d1->send_cookie) {
280 s->state = SSL3_ST_CW_FLUSH;
281 s->s3->tmp.next_state = SSL3_ST_CR_SRVR_HELLO_A;
282 } else
283 s->state = SSL3_ST_CR_SRVR_HELLO_A;
284
285 s->init_num = 0;
286
287 /* turn on buffering for the next lot of output */
288 if (s->bbio != s->wbio)
289 s->wbio = BIO_push(s->bbio, s->wbio);
290 break;
291
292 case SSL3_ST_CR_SRVR_HELLO_A:
293 case SSL3_ST_CR_SRVR_HELLO_B:
294 ret = ssl3_get_server_hello(s);
295 if (ret <= 0)
296 goto end;
297 else {
298 if (s->hit) {
299
300 s->state = SSL3_ST_CR_FINISHED_A;
301 } else
302 s->state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
303 }
304 s->init_num = 0;
305 break;
306
307 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
308 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B:
309
310 ret = dtls1_get_hello_verify(s);
311 if (ret <= 0)
312 goto end;
313 dtls1_stop_timer(s);
314 if ( s->d1->send_cookie) /* start again, with a cookie */
315 s->state = SSL3_ST_CW_CLNT_HELLO_A;
316 else
317 s->state = SSL3_ST_CR_CERT_A;
318 s->init_num = 0;
319 break;
320
321 case SSL3_ST_CR_CERT_A:
322 case SSL3_ST_CR_CERT_B:
323 ret = ssl3_check_finished(s);
324 if (ret <= 0)
325 goto end;
326 if (ret == 2) {
327 s->hit = 1;
328 if (s->tlsext_ticket_expected)
329 s->state = SSL3_ST_CR_SESSION_TICKET_A;
330 else
331 s->state = SSL3_ST_CR_FINISHED_A;
332 s->init_num = 0;
333 break;
334 }
335 /* Check if it is anon DH. */
336 if (!(s->s3->tmp.new_cipher->algorithm_auth &
337 SSL_aNULL)) {
338 ret = ssl3_get_server_certificate(s);
339 if (ret <= 0)
340 goto end;
341 if (s->tlsext_status_expected)
342 s->state = SSL3_ST_CR_CERT_STATUS_A;
343 else
344 s->state = SSL3_ST_CR_KEY_EXCH_A;
345 } else {
346 skip = 1;
347 s->state = SSL3_ST_CR_KEY_EXCH_A;
348 }
349 s->init_num = 0;
350 break;
351
352 case SSL3_ST_CR_KEY_EXCH_A:
353 case SSL3_ST_CR_KEY_EXCH_B:
354 ret = ssl3_get_key_exchange(s);
355 if (ret <= 0)
356 goto end;
357 s->state = SSL3_ST_CR_CERT_REQ_A;
358 s->init_num = 0;
359
360 /* at this point we check that we have the
361 * required stuff from the server */
362 if (!ssl3_check_cert_and_algorithm(s)) {
363 ret = -1;
364 goto end;
365 }
366 break;
367
368 case SSL3_ST_CR_CERT_REQ_A:
369 case SSL3_ST_CR_CERT_REQ_B:
370 ret = ssl3_get_certificate_request(s);
371 if (ret <= 0)
372 goto end;
373 s->state = SSL3_ST_CR_SRVR_DONE_A;
374 s->init_num = 0;
375 break;
376
377 case SSL3_ST_CR_SRVR_DONE_A:
378 case SSL3_ST_CR_SRVR_DONE_B:
379 ret = ssl3_get_server_done(s);
380 if (ret <= 0)
381 goto end;
382 dtls1_stop_timer(s);
383 if (s->s3->tmp.cert_req)
384 s->s3->tmp.next_state = SSL3_ST_CW_CERT_A;
385 else
386 s->s3->tmp.next_state = SSL3_ST_CW_KEY_EXCH_A;
387 s->init_num = 0;
388
389 s->state = s->s3->tmp.next_state;
390 break;
391
392 case SSL3_ST_CW_CERT_A:
393 case SSL3_ST_CW_CERT_B:
394 case SSL3_ST_CW_CERT_C:
395 case SSL3_ST_CW_CERT_D:
396 dtls1_start_timer(s);
397 ret = dtls1_send_client_certificate(s);
398 if (ret <= 0)
399 goto end;
400 s->state = SSL3_ST_CW_KEY_EXCH_A;
401 s->init_num = 0;
402 break;
403
404 case SSL3_ST_CW_KEY_EXCH_A:
405 case SSL3_ST_CW_KEY_EXCH_B:
406 dtls1_start_timer(s);
407 ret = dtls1_send_client_key_exchange(s);
408 if (ret <= 0)
409 goto end;
410
411
412 /* EAY EAY EAY need to check for DH fix cert
413 * sent back */
414 /* For TLS, cert_req is set to 2, so a cert chain
415 * of nothing is sent, but no verify packet is sent */
416 if (s->s3->tmp.cert_req == 1) {
417 s->state = SSL3_ST_CW_CERT_VRFY_A;
418 } else {
419 s->state = SSL3_ST_CW_CHANGE_A;
420 s->s3->change_cipher_spec = 0;
421 }
422
423 s->init_num = 0;
424 break;
425
426 case SSL3_ST_CW_CERT_VRFY_A:
427 case SSL3_ST_CW_CERT_VRFY_B:
428 dtls1_start_timer(s);
429 ret = dtls1_send_client_verify(s);
430 if (ret <= 0)
431 goto end;
432 s->state = SSL3_ST_CW_CHANGE_A;
433 s->init_num = 0;
434 s->s3->change_cipher_spec = 0;
435 break;
436
437 case SSL3_ST_CW_CHANGE_A:
438 case SSL3_ST_CW_CHANGE_B:
439 if (!s->hit)
440 dtls1_start_timer(s);
441 ret = dtls1_send_change_cipher_spec(s,
442 SSL3_ST_CW_CHANGE_A, SSL3_ST_CW_CHANGE_B);
443 if (ret <= 0)
444 goto end;
445
446 s->state = SSL3_ST_CW_FINISHED_A;
447 s->init_num = 0;
448
449 s->session->cipher = s->s3->tmp.new_cipher;
450 if (!s->method->ssl3_enc->setup_key_block(s)) {
451 ret = -1;
452 goto end;
453 }
454
455 if (!s->method->ssl3_enc->change_cipher_state(s,
456 SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
457 ret = -1;
458 goto end;
459 }
460
461
462 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
463 break;
464
465 case SSL3_ST_CW_FINISHED_A:
466 case SSL3_ST_CW_FINISHED_B:
467 if (!s->hit)
468 dtls1_start_timer(s);
469 ret = dtls1_send_finished(s,
470 SSL3_ST_CW_FINISHED_A, SSL3_ST_CW_FINISHED_B,
471 s->method->ssl3_enc->client_finished_label,
472 s->method->ssl3_enc->client_finished_label_len);
473 if (ret <= 0)
474 goto end;
475 s->state = SSL3_ST_CW_FLUSH;
476
477 /* clear flags */
478 s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
479 if (s->hit) {
480 s->s3->tmp.next_state = SSL_ST_OK;
481 if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED) {
482 s->state = SSL_ST_OK;
483 s->s3->flags |= SSL3_FLAGS_POP_BUFFER;
484 s->s3->delay_buf_pop_ret = 0;
485 }
486 } else {
487
488 /* Allow NewSessionTicket if ticket expected */
489 if (s->tlsext_ticket_expected)
490 s->s3->tmp.next_state =
491 SSL3_ST_CR_SESSION_TICKET_A;
492 else
493 s->s3->tmp.next_state =
494 SSL3_ST_CR_FINISHED_A;
495 }
496 s->init_num = 0;
497 break;
498
499 case SSL3_ST_CR_SESSION_TICKET_A:
500 case SSL3_ST_CR_SESSION_TICKET_B:
501 ret = ssl3_get_new_session_ticket(s);
502 if (ret <= 0)
503 goto end;
504 s->state = SSL3_ST_CR_FINISHED_A;
505 s->init_num = 0;
506 break;
507
508 case SSL3_ST_CR_CERT_STATUS_A:
509 case SSL3_ST_CR_CERT_STATUS_B:
510 ret = ssl3_get_cert_status(s);
511 if (ret <= 0)
512 goto end;
513 s->state = SSL3_ST_CR_KEY_EXCH_A;
514 s->init_num = 0;
515 break;
516
517 case SSL3_ST_CR_FINISHED_A:
518 case SSL3_ST_CR_FINISHED_B:
519 s->d1->change_cipher_spec_ok = 1;
520 ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A,
521 SSL3_ST_CR_FINISHED_B);
522 if (ret <= 0)
523 goto end;
524 dtls1_stop_timer(s);
525
526 if (s->hit)
527 s->state = SSL3_ST_CW_CHANGE_A;
528 else
529 s->state = SSL_ST_OK;
530
531
532 s->init_num = 0;
533 break;
534
535 case SSL3_ST_CW_FLUSH:
536 s->rwstate = SSL_WRITING;
537 if (BIO_flush(s->wbio) <= 0) {
538 /* If the write error was fatal, stop trying */
539 if (!BIO_should_retry(s->wbio)) {
540 s->rwstate = SSL_NOTHING;
541 s->state = s->s3->tmp.next_state;
542 }
543
544 ret = -1;
545 goto end;
546 }
547 s->rwstate = SSL_NOTHING;
548 s->state = s->s3->tmp.next_state;
549 break;
550
551 case SSL_ST_OK:
552 /* clean a few things up */
553 ssl3_cleanup_key_block(s);
554
555 /* If we are not 'joining' the last two packets,
556 * remove the buffering now */
557 if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
558 ssl_free_wbio_buffer(s);
559 /* else do it later in ssl3_write */
560
561 s->init_num = 0;
562 s->renegotiate = 0;
563 s->new_session = 0;
564
565 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
566 if (s->hit)
567 s->ctx->stats.sess_hit++;
568
569 ret = 1;
570 /* s->server=0; */
571 s->handshake_func = dtls1_connect;
572 s->ctx->stats.sess_connect_good++;
573
574 if (cb != NULL)
575 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
576
577 /* done with handshaking */
578 s->d1->handshake_read_seq = 0;
579 s->d1->next_handshake_write_seq = 0;
580 goto end;
581 /* break; */
582
583 default:
584 SSLerr(SSL_F_DTLS1_CONNECT, SSL_R_UNKNOWN_STATE);
585 ret = -1;
586 goto end;
587 /* break; */
588 }
589
590 /* did we do anything */
591 if (!s->s3->tmp.reuse_message && !skip) {
592 if (s->debug) {
593 if ((ret = BIO_flush(s->wbio)) <= 0)
594 goto end;
595 }
596
597 if ((cb != NULL) && (s->state != state)) {
598 new_state = s->state;
599 s->state = state;
600 cb(s, SSL_CB_CONNECT_LOOP, 1);
601 s->state = new_state;
602 }
603 }
604 skip = 0;
605 }
606end:
607 s->in_handshake--;
608
609
610 if (buf != NULL)
611 BUF_MEM_free(buf);
612 if (cb != NULL)
613 cb(s, SSL_CB_CONNECT_EXIT, ret);
614 return (ret);
615}
616
617int
618dtls1_client_hello(SSL *s)
619{
620 unsigned char *bufend, *d, *p;
621 unsigned int i;
622
623 if (s->state == SSL3_ST_CW_CLNT_HELLO_A) {
624 SSL_SESSION *sess = s->session;
625
626 if ((s->session == NULL) ||
627 (s->session->ssl_version != s->version) ||
628 (!sess->session_id_length && !sess->tlsext_tick) ||
629 (s->session->not_resumable)) {
630 if (!ssl_get_new_session(s, 0))
631 goto err;
632 }
633 /* else use the pre-loaded session */
634
635 p = s->s3->client_random;
636
637 /* if client_random is initialized, reuse it, we are
638 * required to use same upon reply to HelloVerify */
639 for (i = 0; p[i]=='\0' && i < sizeof(s->s3->client_random); i++)
640 ;
641 if (i == sizeof(s->s3->client_random))
642 arc4random_buf(p, sizeof(s->s3->client_random));
643
644 d = p = ssl3_handshake_msg_start(s, SSL3_MT_CLIENT_HELLO);
645
646 *(p++) = s->version >> 8;
647 *(p++) = s->version&0xff;
648 s->client_version = s->version;
649
650 /* Random stuff */
651 memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
652 p += SSL3_RANDOM_SIZE;
653
654 /* Session ID */
655 if (s->new_session)
656 i = 0;
657 else
658 i = s->session->session_id_length;
659 *(p++) = i;
660 if (i != 0) {
661 if (i > sizeof s->session->session_id) {
662 SSLerr(SSL_F_DTLS1_CLIENT_HELLO,
663 ERR_R_INTERNAL_ERROR);
664 goto err;
665 }
666 memcpy(p, s->session->session_id, i);
667 p += i;
668 }
669
670 /* cookie stuff */
671 if (s->d1->cookie_len > sizeof(s->d1->cookie)) {
672 SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
673 goto err;
674 }
675 *(p++) = s->d1->cookie_len;
676 memcpy(p, s->d1->cookie, s->d1->cookie_len);
677 p += s->d1->cookie_len;
678
679 /* Ciphers supported */
680 i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &p[2]);
681 if (i == 0) {
682 SSLerr(SSL_F_DTLS1_CLIENT_HELLO,
683 SSL_R_NO_CIPHERS_AVAILABLE);
684 goto err;
685 }
686 s2n(i, p);
687 p += i;
688
689 /* add in (no) COMPRESSION */
690 *(p++) = 1;
691 *(p++) = 0; /* Add the NULL method */
692
693 bufend = (unsigned char *)s->init_buf->data +
694 SSL3_RT_MAX_PLAIN_LENGTH;
695 if ((p = ssl_add_clienthello_tlsext(s, p, bufend)) == NULL) {
696 SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
697 goto err;
698 }
699
700 ssl3_handshake_msg_finish(s, p - d);
701
702 s->state = SSL3_ST_CW_CLNT_HELLO_B;
703 }
704
705 /* SSL3_ST_CW_CLNT_HELLO_B */
706 return (ssl3_handshake_write(s));
707err:
708 return (-1);
709}
710
711static int
712dtls1_get_hello_verify(SSL *s)
713{
714 int n, al, ok = 0;
715 unsigned char *data;
716 unsigned int cookie_len;
717
718 n = s->method->ssl_get_message(s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A,
719 DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, -1, s->max_cert_list, &ok);
720
721 if (!ok)
722 return ((int)n);
723
724 if (s->s3->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) {
725 s->d1->send_cookie = 0;
726 s->s3->tmp.reuse_message = 1;
727 return (1);
728 }
729
730 if (2 > n)
731 goto truncated;
732 data = (unsigned char *)s->init_msg;
733
734 if ((data[0] != (s->version >> 8)) || (data[1] != (s->version&0xff))) {
735 SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY, SSL_R_WRONG_SSL_VERSION);
736 s->version = (s->version & 0xff00) | data[1];
737 al = SSL_AD_PROTOCOL_VERSION;
738 goto f_err;
739 }
740 data += 2;
741
742 if (2 + 1 > n)
743 goto truncated;
744 cookie_len = *(data++);
745 if (2 + 1 + cookie_len > n)
746 goto truncated;
747 if (cookie_len > sizeof(s->d1->cookie)) {
748 al = SSL_AD_ILLEGAL_PARAMETER;
749 goto f_err;
750 }
751
752 memcpy(s->d1->cookie, data, cookie_len);
753 s->d1->cookie_len = cookie_len;
754
755 s->d1->send_cookie = 1;
756 return 1;
757
758truncated:
759 al = SSL_AD_DECODE_ERROR;
760f_err:
761 ssl3_send_alert(s, SSL3_AL_FATAL, al);
762 return -1;
763}
764
765int
766dtls1_send_client_key_exchange(SSL *s)
767{
768 unsigned char *p, *q;
769 int n;
770 unsigned long alg_k;
771 EVP_PKEY *pkey = NULL;
772 EC_KEY *clnt_ecdh = NULL;
773 const EC_POINT *srvr_ecpoint = NULL;
774 EVP_PKEY *srvr_pub_pkey = NULL;
775 unsigned char *encodedPoint = NULL;
776 int encoded_pt_len = 0;
777 BN_CTX * bn_ctx = NULL;
778
779 if (s->state == SSL3_ST_CW_KEY_EXCH_A) {
780 p = ssl3_handshake_msg_start(s, SSL3_MT_CLIENT_KEY_EXCHANGE);
781
782 alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
783
784 if (s->session->sess_cert == NULL) {
785 ssl3_send_alert(s, SSL3_AL_FATAL,
786 SSL_AD_HANDSHAKE_FAILURE);
787 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
788 ERR_R_INTERNAL_ERROR);
789 goto err;
790 }
791
792 if (alg_k & SSL_kRSA) {
793 RSA *rsa;
794 unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
795
796 pkey = X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
797 if ((pkey == NULL) ||
798 (pkey->type != EVP_PKEY_RSA) ||
799 (pkey->pkey.rsa == NULL)) {
800 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
801 ERR_R_INTERNAL_ERROR);
802 goto err;
803 }
804 rsa = pkey->pkey.rsa;
805 EVP_PKEY_free(pkey);
806
807 tmp_buf[0] = s->client_version >> 8;
808 tmp_buf[1] = s->client_version&0xff;
809 arc4random_buf(&tmp_buf[2], sizeof(tmp_buf) - 2);
810
811 s->session->master_key_length = sizeof tmp_buf;
812
813 q = p;
814 /* Fix buf for TLS and [incidentally] DTLS */
815 if (s->version > SSL3_VERSION)
816 p += 2;
817 n = RSA_public_encrypt(sizeof tmp_buf,
818 tmp_buf, p, rsa, RSA_PKCS1_PADDING);
819 if (n <= 0) {
820 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
821 SSL_R_BAD_RSA_ENCRYPT);
822 goto err;
823 }
824
825 /* Fix buf for TLS and [incidentally] DTLS */
826 if (s->version > SSL3_VERSION) {
827 s2n(n, q);
828 n += 2;
829 }
830
831 s->session->master_key_length =
832 s->method->ssl3_enc->generate_master_secret(s,
833 s->session->master_key,
834 tmp_buf, sizeof tmp_buf);
835 OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
836 } else if (alg_k & SSL_kDHE) {
837 DH *dh_srvr, *dh_clnt;
838
839 if (s->session->sess_cert->peer_dh_tmp != NULL)
840 dh_srvr = s->session->sess_cert->peer_dh_tmp;
841 else {
842 /* we get them from the cert */
843 ssl3_send_alert(s, SSL3_AL_FATAL,
844 SSL_AD_HANDSHAKE_FAILURE);
845 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
846 SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
847 goto err;
848 }
849
850 /* generate a new random key */
851 if ((dh_clnt = DHparams_dup(dh_srvr)) == NULL) {
852 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
853 ERR_R_DH_LIB);
854 goto err;
855 }
856 if (!DH_generate_key(dh_clnt)) {
857 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
858 ERR_R_DH_LIB);
859 goto err;
860 }
861
862 /* use the 'p' output buffer for the DH key, but
863 * make sure to clear it out afterwards */
864
865 n = DH_compute_key(p, dh_srvr->pub_key, dh_clnt);
866
867 if (n <= 0) {
868 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
869 ERR_R_DH_LIB);
870 goto err;
871 }
872
873 /* generate master key from the result */
874 s->session->master_key_length =
875 s->method->ssl3_enc->generate_master_secret(
876 s, s->session->master_key, p, n);
877 /* clean up */
878 memset(p, 0, n);
879
880 /* send off the data */
881 n = BN_num_bytes(dh_clnt->pub_key);
882 s2n(n, p);
883 BN_bn2bin(dh_clnt->pub_key, p);
884 n += 2;
885
886 DH_free(dh_clnt);
887
888 /* perhaps clean things up a bit EAY EAY EAY EAY*/
889 } else if (alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)) {
890 const EC_GROUP *srvr_group = NULL;
891 EC_KEY *tkey;
892 int ecdh_clnt_cert = 0;
893 int field_size = 0;
894
895 /* Did we send out the client's
896 * ECDH share for use in premaster
897 * computation as part of client certificate?
898 * If so, set ecdh_clnt_cert to 1.
899 */
900 if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) &&
901 (s->cert != NULL)) {
902 /* XXX: For now, we do not support client
903 * authentication using ECDH certificates.
904 * To add such support, one needs to add
905 * code that checks for appropriate
906 * conditions and sets ecdh_clnt_cert to 1.
907 * For example, the cert have an ECC
908 * key on the same curve as the server's
909 * and the key should be authorized for
910 * key agreement.
911 *
912 * One also needs to add code in ssl3_connect
913 * to skip sending the certificate verify
914 * message.
915 *
916 * if ((s->cert->key->privatekey != NULL) &&
917 * (s->cert->key->privatekey->type ==
918 * EVP_PKEY_EC) && ...)
919 * ecdh_clnt_cert = 1;
920 */
921 }
922
923 if (s->session->sess_cert->peer_ecdh_tmp != NULL) {
924 tkey = s->session->sess_cert->peer_ecdh_tmp;
925 } else {
926 /* Get the Server Public Key from Cert */
927 srvr_pub_pkey = X509_get_pubkey(s->session-> \
928 sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
929 if ((srvr_pub_pkey == NULL) ||
930 (srvr_pub_pkey->type != EVP_PKEY_EC) ||
931 (srvr_pub_pkey->pkey.ec == NULL)) {
932 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
933 ERR_R_INTERNAL_ERROR);
934 goto err;
935 }
936
937 tkey = srvr_pub_pkey->pkey.ec;
938 }
939
940 srvr_group = EC_KEY_get0_group(tkey);
941 srvr_ecpoint = EC_KEY_get0_public_key(tkey);
942
943 if ((srvr_group == NULL) || (srvr_ecpoint == NULL)) {
944 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
945 ERR_R_INTERNAL_ERROR);
946 goto err;
947 }
948
949 if ((clnt_ecdh = EC_KEY_new()) == NULL) {
950 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
951 ERR_R_MALLOC_FAILURE);
952 goto err;
953 }
954
955 if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) {
956 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
957 ERR_R_EC_LIB);
958 goto err;
959 }
960 if (ecdh_clnt_cert) {
961 /* Reuse key info from our certificate
962 * We only need our private key to perform
963 * the ECDH computation.
964 */
965 const BIGNUM *priv_key;
966 tkey = s->cert->key->privatekey->pkey.ec;
967 priv_key = EC_KEY_get0_private_key(tkey);
968 if (priv_key == NULL) {
969 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
970 ERR_R_MALLOC_FAILURE);
971 goto err;
972 }
973 if (!EC_KEY_set_private_key(clnt_ecdh, priv_key)) {
974 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
975 ERR_R_EC_LIB);
976 goto err;
977 }
978 } else {
979 /* Generate a new ECDH key pair */
980 if (!(EC_KEY_generate_key(clnt_ecdh))) {
981 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
982 ERR_R_ECDH_LIB);
983 goto err;
984 }
985 }
986
987 /* use the 'p' output buffer for the ECDH key, but
988 * make sure to clear it out afterwards
989 */
990
991 field_size = EC_GROUP_get_degree(srvr_group);
992 if (field_size <= 0) {
993 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
994 ERR_R_ECDH_LIB);
995 goto err;
996 }
997 n = ECDH_compute_key(p, (field_size + 7)/8, srvr_ecpoint, clnt_ecdh, NULL);
998 if (n <= 0) {
999 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
1000 ERR_R_ECDH_LIB);
1001 goto err;
1002 }
1003
1004 /* generate master key from the result */
1005 s->session->master_key_length =
1006 s->method->ssl3_enc->generate_master_secret(
1007 s, s->session->master_key, p, n);
1008 memset(p, 0, n); /* clean up */
1009
1010 if (ecdh_clnt_cert) {
1011 /* Send empty client key exch message */
1012 n = 0;
1013 } else {
1014 /* First check the size of encoding and
1015 * allocate memory accordingly.
1016 */
1017 encoded_pt_len = EC_POINT_point2oct(srvr_group,
1018 EC_KEY_get0_public_key(clnt_ecdh),
1019 POINT_CONVERSION_UNCOMPRESSED,
1020 NULL, 0, NULL);
1021
1022 encodedPoint = malloc(encoded_pt_len);
1023
1024 bn_ctx = BN_CTX_new();
1025 if ((encodedPoint == NULL) ||
1026 (bn_ctx == NULL)) {
1027 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
1028 ERR_R_MALLOC_FAILURE);
1029 goto err;
1030 }
1031
1032 /* Encode the public key */
1033 n = EC_POINT_point2oct(srvr_group,
1034 EC_KEY_get0_public_key(clnt_ecdh),
1035 POINT_CONVERSION_UNCOMPRESSED,
1036 encodedPoint, encoded_pt_len, bn_ctx);
1037
1038 *p = n; /* length of encoded point */
1039 /* Encoded point will be copied here */
1040 p += 1;
1041
1042 /* copy the point */
1043 memcpy((unsigned char *)p, encodedPoint, n);
1044 /* increment n to account for length field */
1045 n += 1;
1046
1047 }
1048
1049 /* Free allocated memory */
1050 BN_CTX_free(bn_ctx);
1051 free(encodedPoint);
1052 EC_KEY_free(clnt_ecdh);
1053 EVP_PKEY_free(srvr_pub_pkey);
1054 }
1055
1056 else {
1057 ssl3_send_alert(s, SSL3_AL_FATAL,
1058 SSL_AD_HANDSHAKE_FAILURE);
1059 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
1060 ERR_R_INTERNAL_ERROR);
1061 goto err;
1062 }
1063
1064 ssl3_handshake_msg_finish(s, n);
1065
1066 s->state = SSL3_ST_CW_KEY_EXCH_B;
1067 }
1068
1069 /* SSL3_ST_CW_KEY_EXCH_B */
1070 return (ssl3_handshake_write(s));
1071
1072err:
1073 BN_CTX_free(bn_ctx);
1074 free(encodedPoint);
1075 EC_KEY_free(clnt_ecdh);
1076 EVP_PKEY_free(srvr_pub_pkey);
1077 return (-1);
1078}
1079
1080int
1081dtls1_send_client_verify(SSL *s)
1082{
1083 unsigned char *p;
1084 unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH];
1085 EVP_PKEY *pkey;
1086 unsigned u = 0;
1087 unsigned long n;
1088 int j;
1089
1090 if (s->state == SSL3_ST_CW_CERT_VRFY_A) {
1091 p = ssl3_handshake_msg_start(s, SSL3_MT_CERTIFICATE_VERIFY);
1092
1093 pkey = s->cert->key->privatekey;
1094
1095 s->method->ssl3_enc->cert_verify_mac(s, NID_sha1,
1096 &(data[MD5_DIGEST_LENGTH]));
1097
1098 if (pkey->type == EVP_PKEY_RSA) {
1099 s->method->ssl3_enc->cert_verify_mac(s,
1100 NID_md5, &(data[0]));
1101 if (RSA_sign(NID_md5_sha1, data,
1102 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH,
1103 &(p[2]), &u, pkey->pkey.rsa) <= 0 ) {
1104 SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,
1105 ERR_R_RSA_LIB);
1106 goto err;
1107 }
1108 s2n(u, p);
1109 n = u + 2;
1110 } else if (pkey->type == EVP_PKEY_DSA) {
1111 if (!DSA_sign(pkey->save_type,
1112 &(data[MD5_DIGEST_LENGTH]),
1113 SHA_DIGEST_LENGTH, &(p[2]),
1114 (unsigned int *)&j, pkey->pkey.dsa)) {
1115 SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,
1116 ERR_R_DSA_LIB);
1117 goto err;
1118 }
1119 s2n(j, p);
1120 n = j + 2;
1121 } else if (pkey->type == EVP_PKEY_EC) {
1122 if (!ECDSA_sign(pkey->save_type,
1123 &(data[MD5_DIGEST_LENGTH]),
1124 SHA_DIGEST_LENGTH, &(p[2]),
1125 (unsigned int *)&j, pkey->pkey.ec)) {
1126 SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,
1127 ERR_R_ECDSA_LIB);
1128 goto err;
1129 }
1130 s2n(j, p);
1131 n = j + 2;
1132 } else {
1133 SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,
1134 ERR_R_INTERNAL_ERROR);
1135 goto err;
1136 }
1137
1138 ssl3_handshake_msg_finish(s, n);
1139
1140 s->state = SSL3_ST_CW_CERT_VRFY_B;
1141 }
1142
1143 /* s->state = SSL3_ST_CW_CERT_VRFY_B */
1144 return (ssl3_handshake_write(s));
1145
1146err:
1147 return (-1);
1148}
1149
1150int
1151dtls1_send_client_certificate(SSL *s)
1152{
1153 X509 *x509 = NULL;
1154 EVP_PKEY *pkey = NULL;
1155 int i;
1156 unsigned long l;
1157
1158 if (s->state == SSL3_ST_CW_CERT_A) {
1159 if ((s->cert == NULL) || (s->cert->key->x509 == NULL) ||
1160 (s->cert->key->privatekey == NULL))
1161 s->state = SSL3_ST_CW_CERT_B;
1162 else
1163 s->state = SSL3_ST_CW_CERT_C;
1164 }
1165
1166 /* We need to get a client cert */
1167 if (s->state == SSL3_ST_CW_CERT_B) {
1168 /* If we get an error, we need to
1169 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
1170 * We then get retied later */
1171 i = 0;
1172 i = ssl_do_client_cert_cb(s, &x509, &pkey);
1173 if (i < 0) {
1174 s->rwstate = SSL_X509_LOOKUP;
1175 return (-1);
1176 }
1177 s->rwstate = SSL_NOTHING;
1178 if ((i == 1) && (pkey != NULL) && (x509 != NULL)) {
1179 s->state = SSL3_ST_CW_CERT_B;
1180 if (!SSL_use_certificate(s, x509) ||
1181 !SSL_use_PrivateKey(s, pkey))
1182 i = 0;
1183 } else if (i == 1) {
1184 i = 0;
1185 SSLerr(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE,
1186 SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
1187 }
1188
1189 if (x509 != NULL)
1190 X509_free(x509);
1191 EVP_PKEY_free(pkey);
1192 if (i == 0) {
1193 if (s->version == SSL3_VERSION) {
1194 s->s3->tmp.cert_req = 0;
1195 ssl3_send_alert(s, SSL3_AL_WARNING,
1196 SSL_AD_NO_CERTIFICATE);
1197 return (1);
1198 } else {
1199 s->s3->tmp.cert_req = 2;
1200 }
1201 }
1202
1203 /* Ok, we have a cert */
1204 s->state = SSL3_ST_CW_CERT_C;
1205 }
1206
1207 if (s->state == SSL3_ST_CW_CERT_C) {
1208 s->state = SSL3_ST_CW_CERT_D;
1209 l = dtls1_output_cert_chain(s,
1210 (s->s3->tmp.cert_req == 2) ? NULL : s->cert->key->x509);
1211 s->init_num = (int)l;
1212 s->init_off = 0;
1213
1214 /* set header called by dtls1_output_cert_chain() */
1215
1216 /* buffer the message to handle re-xmits */
1217 dtls1_buffer_message(s, 0);
1218 }
1219
1220 /* SSL3_ST_CW_CERT_D */
1221 return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
1222}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-14 19:52:00 +0000