1 files changed, 2 insertions, 536 deletions
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index 05c92be46c..57b8ea0e24 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_srvr.c,v 1.90 2017/10/08 16:56:51 jsing Exp $ */
+/* $OpenBSD: d1_srvr.c,v 1.91 2017/10/12 15:52:50 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -125,8 +125,6 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
-static int dtls1_send_hello_verify_request(SSL *s);
 static const SSL_METHOD_INTERNAL DTLSv1_server_method_internal_data = {
        .version = DTLS1_VERSION,
        .min_version = DTLS1_VERSION,
@@ -134,7 +132,7 @@ static const SSL_METHOD_INTERNAL DTLSv1_server_method_internal_data = {
        .ssl_new = dtls1_new,
        .ssl_clear = dtls1_clear,
        .ssl_free = dtls1_free,
-        .ssl_accept = dtls1_accept,
+        .ssl_accept = ssl3_accept,
        .ssl_connect = ssl_undefined_function,
        .ssl_read = ssl3_read,
        .ssl_peek = ssl3_peek,
@@ -176,538 +174,6 @@ dtls1_get_server_method(int ver)
 }
 int
-dtls1_accept(SSL *s)
-{
-        void (*cb)(const SSL *ssl, int type, int val) = NULL;
-        unsigned long alg_k;
-        int ret = -1;
-        int new_state, state, skip = 0;
-        int listen;
-        ERR_clear_error();
-        errno = 0;
-        if (s->internal->info_callback != NULL)
-                cb = s->internal->info_callback;
-        else if (s->ctx->internal->info_callback != NULL)
-                cb = s->ctx->internal->info_callback;
-        listen = D1I(s)->listen;
-        /* init things to blank */
-        s->internal->in_handshake++;
-        if (!SSL_in_init(s) || SSL_in_before(s))
-                SSL_clear(s);
-        D1I(s)->listen = listen;
-        if (s->cert == NULL) {
-                SSLerror(s, SSL_R_NO_CERTIFICATE_SET);
-                ret = -1;
-                goto end;
-        }
-        for (;;) {
-                state = S3I(s)->hs.state;
-                switch (S3I(s)->hs.state) {
-                case SSL_ST_RENEGOTIATE:
-                        s->internal->renegotiate = 1;
-                        /* S3I(s)->hs.state=SSL_ST_ACCEPT; */
-                case SSL_ST_BEFORE:
-                case SSL_ST_ACCEPT:
-                case SSL_ST_BEFORE|SSL_ST_ACCEPT:
-                case SSL_ST_OK|SSL_ST_ACCEPT:
-                        s->server = 1;
-                        if (cb != NULL)
-                                cb(s, SSL_CB_HANDSHAKE_START, 1);
-                        if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) {
-                                SSLerror(s, ERR_R_INTERNAL_ERROR);
-                                ret = -1;
-                                goto end;
-                        }
-                        s->internal->type = SSL_ST_ACCEPT;
-                        if (!ssl3_setup_init_buffer(s)) {
-                                ret = -1;
-                                goto end;
-                        }
-                        if (!ssl3_setup_buffers(s)) {
-                                ret = -1;
-                                goto end;
-                        }
-                        s->internal->init_num = 0;
-                        if (S3I(s)->hs.state != SSL_ST_RENEGOTIATE) {
-                                /*
-                                 * Ok, we now need to push on a buffering BIO
-                                 * so that the output is sent in a way that
-                                 * TCP likes :-)
-                                 * ...but not with SCTP :-)
-                                 */
-                                if (!ssl_init_wbio_buffer(s, 1)) {
-                                        ret = -1;
-                                        goto end;
-                                }
-                                if (!tls1_init_finished_mac(s)) {
-                                        ret = -1;
-                                        goto end;
-                                }
-                                S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A;
-                                s->ctx->internal->stats.sess_accept++;
-                        } else {
-                                /*
-                                 * S3I(s)->hs.state == SSL_ST_RENEGOTIATE,
-                                 * we will just send a HelloRequest.
-                                 */
-                                s->ctx->internal->stats.sess_accept_renegotiate++;
-                                S3I(s)->hs.state = SSL3_ST_SW_HELLO_REQ_A;
-                        }
-                        break;
-                case SSL3_ST_SW_HELLO_REQ_A:
-                case SSL3_ST_SW_HELLO_REQ_B:
-                        s->internal->shutdown = 0;
-                        dtls1_clear_record_buffer(s);
-                        dtls1_start_timer(s);
-                        ret = ssl3_send_hello_request(s);
-                        if (ret <= 0)
-                                goto end;
-                        S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A;
-                        S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
-                        s->internal->init_num = 0;
-                        if (!tls1_init_finished_mac(s)) {
-                                ret = -1;
-                                goto end;
-                        }
-                        break;
-                case SSL3_ST_SW_HELLO_REQ_C:
-                        S3I(s)->hs.state = SSL_ST_OK;
-                        break;
-                case SSL3_ST_SR_CLNT_HELLO_A:
-                case SSL3_ST_SR_CLNT_HELLO_B:
-                case SSL3_ST_SR_CLNT_HELLO_C:
-                        s->internal->shutdown = 0;
-                        ret = ssl3_get_client_hello(s);
-                        if (ret <= 0)
-                                goto end;
-                        dtls1_stop_timer(s);
-                        if (ret == 1 && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
-                                S3I(s)->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
-                        else
-                                S3I(s)->hs.state = SSL3_ST_SW_SRVR_HELLO_A;
-                        s->internal->init_num = 0;
-                        /* Reflect ClientHello sequence to remain stateless while listening */
-                        if (listen) {
-                                memcpy(S3I(s)->write_sequence, S3I(s)->read_sequence, sizeof(S3I(s)->write_sequence));
-                        }
-                        /* If we're just listening, stop here */
-                        if (listen && S3I(s)->hs.state == SSL3_ST_SW_SRVR_HELLO_A) {
-                                ret = 2;
-                                D1I(s)->listen = 0;
-                                /* Set expected sequence numbers
-                                 * to continue the handshake.
-                                 */
-                                D1I(s)->handshake_read_seq = 2;
-                                D1I(s)->handshake_write_seq = 1;
-                                D1I(s)->next_handshake_write_seq = 1;
-                                goto end;
-                        }
-                        break;
-                case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
-                case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
-                        ret = dtls1_send_hello_verify_request(s);
-                        if (ret <= 0)
-                                goto end;
-                        S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
-                        S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A;
-                        /* HelloVerifyRequest resets Finished MAC */
-                        if (!tls1_init_finished_mac(s)) {
-                                ret = -1;
-                                goto end;
-                        }
-                        break;
-                case SSL3_ST_SW_SRVR_HELLO_A:
-                case SSL3_ST_SW_SRVR_HELLO_B:
-                        s->internal->renegotiate = 2;
-                        dtls1_start_timer(s);
-                        ret = ssl3_send_server_hello(s);
-                        if (ret <= 0)
-                                goto end;
-                        if (s->internal->hit) {
-                                if (s->internal->tlsext_ticket_expected)
-                                        S3I(s)->hs.state = SSL3_ST_SW_SESSION_TICKET_A;
-                                else
-                                        S3I(s)->hs.state = SSL3_ST_SW_CHANGE_A;
-                        } else {
-                                S3I(s)->hs.state = SSL3_ST_SW_CERT_A;
-                        }
-                        s->internal->init_num = 0;
-                        break;
-                case SSL3_ST_SW_CERT_A:
-                case SSL3_ST_SW_CERT_B:
-                        /* Check if it is anon DH or anon ECDH. */
-                        if (!(S3I(s)->hs.new_cipher->algorithm_auth &
-                            SSL_aNULL)) {
-                                dtls1_start_timer(s);
-                                ret = ssl3_send_server_certificate(s);
-                                if (ret <= 0)
-                                        goto end;
-                                if (s->internal->tlsext_status_expected)
-                                        S3I(s)->hs.state = SSL3_ST_SW_CERT_STATUS_A;
-                                else
-                                        S3I(s)->hs.state = SSL3_ST_SW_KEY_EXCH_A;
-                        } else {
-                                skip = 1;
-                                S3I(s)->hs.state = SSL3_ST_SW_KEY_EXCH_A;
-                        }
-                        s->internal->init_num = 0;
-                        break;
-                case SSL3_ST_SW_KEY_EXCH_A:
-                case SSL3_ST_SW_KEY_EXCH_B:
-                        alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
-                        /*
-                         * Only send if using a DH key exchange.
-                         *
-                         * For ECC ciphersuites, we send a ServerKeyExchange
-                         * message only if the cipher suite is ECDHE. In other
-                         * cases, the server certificate contains the server's
-                         * public key for key exchange.
-                         */
-                        if (alg_k & (SSL_kDHE|SSL_kECDHE)) {
-                                dtls1_start_timer(s);
-                                ret = ssl3_send_server_key_exchange(s);
-                                if (ret <= 0)
-                                        goto end;
-                        } else
-                                skip = 1;
-                        S3I(s)->hs.state = SSL3_ST_SW_CERT_REQ_A;
-                        s->internal->init_num = 0;
-                        break;
-                case SSL3_ST_SW_CERT_REQ_A:
-                case SSL3_ST_SW_CERT_REQ_B:
-                        /*
-                         * Determine whether or not we need to request a
-                         * certificate.
-                         *
-                         * Do not request a certificate if:
-                         *
-                         * - We did not ask for it (SSL_VERIFY_PEER is unset).
-                         *
-                         * - SSL_VERIFY_CLIENT_ONCE is set and we are
-                         *   renegotiating.
-                         *
-                         * - We are using an anonymous ciphersuites
-                         *   (see section "Certificate request" in SSL 3 drafts
-                         *   and in RFC 2246) ... except when the application
-                         *   insists on verification (against the specs, but
-                         *   s3_clnt.c accepts this for SSL 3).
-                         */
-                        if (!(s->verify_mode & SSL_VERIFY_PEER) ||
-                            ((s->session->peer != NULL) &&
-                             (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
-                            ((S3I(s)->hs.new_cipher->algorithm_auth &
-                             SSL_aNULL) && !(s->verify_mode &
-                             SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
-                                /* No cert request. */
-                                skip = 1;
-                                S3I(s)->tmp.cert_request = 0;
-                                S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A;
-                        } else {
-                                S3I(s)->tmp.cert_request = 1;
-                                dtls1_start_timer(s);
-                                ret = ssl3_send_certificate_request(s);
-                                if (ret <= 0)
-                                        goto end;
-                                S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A;
-                                s->internal->init_num = 0;
-                        }
-                        break;
-                case SSL3_ST_SW_SRVR_DONE_A:
-                case SSL3_ST_SW_SRVR_DONE_B:
-                        dtls1_start_timer(s);
-                        ret = ssl3_send_server_done(s);
-                        if (ret <= 0)
-                                goto end;
-                        S3I(s)->hs.next_state = SSL3_ST_SR_CERT_A;
-                        S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
-                        s->internal->init_num = 0;
-                        break;
-                case SSL3_ST_SW_FLUSH:
-                        /*
-                         * This code originally checked to see if
-                         * any data was pending using BIO_CTRL_INFO
-                         * and then flushed. This caused problems
-                         * as documented in PR#1939. The proposed
-                         * fix doesn't completely resolve this issue
-                         * as buggy implementations of BIO_CTRL_PENDING
-                         * still exist. So instead we just flush
-                         * unconditionally.
-                         */
-                        s->internal->rwstate = SSL_WRITING;
-                        if (BIO_flush(s->wbio) <= 0) {
-                                /* If the write error was fatal, stop trying */
-                                if (!BIO_should_retry(s->wbio)) {
-                                        s->internal->rwstate = SSL_NOTHING;
-                                        S3I(s)->hs.state = S3I(s)->hs.next_state;
-                                }
-                                ret = -1;
-                                goto end;
-                        }
-                        s->internal->rwstate = SSL_NOTHING;
-                        S3I(s)->hs.state = S3I(s)->hs.next_state;
-                        break;
-                case SSL3_ST_SR_CERT_A:
-                case SSL3_ST_SR_CERT_B:
-                        if (S3I(s)->tmp.cert_request) {
-                                ret = ssl3_get_client_certificate(s);
-                                if (ret <= 0)
-                                        goto end;
-                        }
-                        s->internal->init_num = 0;
-                        S3I(s)->hs.state = SSL3_ST_SR_KEY_EXCH_A;
-                        break;
-                case SSL3_ST_SR_KEY_EXCH_A:
-                case SSL3_ST_SR_KEY_EXCH_B:
-                        ret = ssl3_get_client_key_exchange(s);
-                        if (ret <= 0)
-                                goto end;
-                        S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A;
-                        s->internal->init_num = 0;
-                        if (ret == 2) {
-                                /*
-                                 * For the ECDH ciphersuites when
-                                 * the client sends its ECDH pub key in
-                                 * a certificate, the CertificateVerify
-                                 * message is not sent.
-                                 * Also for GOST ciphersuites when
-                                 * the client uses its key from the certificate
-                                 * for key exchange.
-                                 */
-                                S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A;
-                                s->internal->init_num = 0;
-                        } else if (SSL_USE_SIGALGS(s)) {
-                                S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A;
-                                s->internal->init_num = 0;
-                                if (!s->session->peer)
-                                        break;
-                                /*
-                                 * For sigalgs freeze the handshake buffer
-                                 * at this point and digest cached records.
-                                 */
-                                if (!S3I(s)->handshake_buffer) {
-                                        SSLerror(s, ERR_R_INTERNAL_ERROR);
-                                        ret = -1;
-                                        goto end;
-                                }
-                                s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
-                                if (!tls1_digest_cached_records(s)) {
-                                        ret = -1;
-                                        goto end;
-                                }
-                        } else {
-                                S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A;
-                                s->internal->init_num = 0;
-                                /*
-                                 * We need to get hashes here so if there is
-                                 * a client cert, it can be verified.
-                                 */
-                                if (S3I(s)->handshake_buffer) {
-                                        if (!tls1_digest_cached_records(s)) {
-                                                ret = -1;
-                                                goto end;
-                                        }
-                                }
-                                if (!tls1_handshake_hash_value(s,
-                                    S3I(s)->tmp.cert_verify_md,
-                                    sizeof(S3I(s)->tmp.cert_verify_md),
-                                    NULL)) {
-                                        ret = -1;
-                                        goto end;
-                                }
-                        }
-                        break;
-                case SSL3_ST_SR_CERT_VRFY_A:
-                case SSL3_ST_SR_CERT_VRFY_B:
-                        D1I(s)->change_cipher_spec_ok = 1;
-                        /* we should decide if we expected this one */
-                        ret = ssl3_get_cert_verify(s);
-                        if (ret <= 0)
-                                goto end;
-                        S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A;
-                        s->internal->init_num = 0;
-                        break;
-                case SSL3_ST_SR_FINISHED_A:
-                case SSL3_ST_SR_FINISHED_B:
-                        D1I(s)->change_cipher_spec_ok = 1;
-                        ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A,
-                            SSL3_ST_SR_FINISHED_B);
-                        if (ret <= 0)
-                                goto end;
-                        dtls1_stop_timer(s);
-                        if (s->internal->hit)
-                                S3I(s)->hs.state = SSL_ST_OK;
-                        else if (s->internal->tlsext_ticket_expected)
-                                S3I(s)->hs.state = SSL3_ST_SW_SESSION_TICKET_A;
-                        else
-                                S3I(s)->hs.state = SSL3_ST_SW_CHANGE_A;
-                        s->internal->init_num = 0;
-                        break;
-                case SSL3_ST_SW_SESSION_TICKET_A:
-                case SSL3_ST_SW_SESSION_TICKET_B:
-                        ret = ssl3_send_newsession_ticket(s);
-                        if (ret <= 0)
-                                goto end;
-                        S3I(s)->hs.state = SSL3_ST_SW_CHANGE_A;
-                        s->internal->init_num = 0;
-                        break;
-                case SSL3_ST_SW_CERT_STATUS_A:
-                case SSL3_ST_SW_CERT_STATUS_B:
-                        ret = ssl3_send_cert_status(s);
-                        if (ret <= 0)
-                                goto end;
-                        S3I(s)->hs.state = SSL3_ST_SW_KEY_EXCH_A;
-                        s->internal->init_num = 0;
-                        break;
-                case SSL3_ST_SW_CHANGE_A:
-                case SSL3_ST_SW_CHANGE_B:
-                        s->session->cipher = S3I(s)->hs.new_cipher;
-                        if (!tls1_setup_key_block(s)) {
-                                ret = -1;
-                                goto end;
-                        }
-                        ret = ssl3_send_change_cipher_spec(s,
-                            SSL3_ST_SW_CHANGE_A, SSL3_ST_SW_CHANGE_B);
-                        if (ret <= 0)
-                                goto end;
-                        S3I(s)->hs.state = SSL3_ST_SW_FINISHED_A;
-                        s->internal->init_num = 0;
-                        if (!tls1_change_cipher_state(s,
-                            SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
-                                ret = -1;
-                                goto end;
-                        }
-                        dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
-                        break;
-                case SSL3_ST_SW_FINISHED_A:
-                case SSL3_ST_SW_FINISHED_B:
-                        ret = ssl3_send_finished(s,
-                            SSL3_ST_SW_FINISHED_A, SSL3_ST_SW_FINISHED_B,
-                            TLS_MD_SERVER_FINISH_CONST,
-                            TLS_MD_SERVER_FINISH_CONST_SIZE);
-                        if (ret <= 0)
-                                goto end;
-                        S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
-                        if (s->internal->hit)
-                                S3I(s)->hs.next_state = SSL3_ST_SR_FINISHED_A;
-                        else
-                                S3I(s)->hs.next_state = SSL_ST_OK;
-                        s->internal->init_num = 0;
-                        break;
-                case SSL_ST_OK:
-                        /* clean a few things up */
-                        tls1_cleanup_key_block(s);
-                        /* remove buffering on output */
-                        ssl_free_wbio_buffer(s);
-                        s->internal->init_num = 0;
-                        /* Skipped if we just sent a HelloRequest. */
-                        if (s->internal->renegotiate == 2) {
-                                s->internal->renegotiate = 0;
-                                s->internal->new_session = 0;
-                                ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
-                                s->ctx->internal->stats.sess_accept_good++;
-                                /* s->server=1; */
-                                s->internal->handshake_func = dtls1_accept;
-                                if (cb != NULL)
-                                        cb(s, SSL_CB_HANDSHAKE_DONE, 1);
-                        }
-                        ret = 1;
-                        /* done handshaking, next message is client hello */
-                        D1I(s)->handshake_read_seq = 0;
-                        /* next message is server hello */
-                        D1I(s)->handshake_write_seq = 0;
-                        D1I(s)->next_handshake_write_seq = 0;
-                        goto end;
-                        /* break; */
-                default:
-                        SSLerror(s, SSL_R_UNKNOWN_STATE);
-                        ret = -1;
-                        goto end;
-                        /* break; */
-                }
-                if (!S3I(s)->tmp.reuse_message && !skip) {
-                        if (s->internal->debug) {
-                                if ((ret = BIO_flush(s->wbio)) <= 0)
-                                        goto end;
-                        }
-                        if ((cb != NULL) && (S3I(s)->hs.state != state)) {
-                                new_state = S3I(s)->hs.state;
-                                S3I(s)->hs.state = state;
-                                cb(s, SSL_CB_ACCEPT_LOOP, 1);
-                                S3I(s)->hs.state = new_state;
-                        }
-                }
-                skip = 0;
-        }
-end:
-        /* BIO_flush(s->wbio); */
-        s->internal->in_handshake--;
-        if (cb != NULL)
-                cb(s, SSL_CB_ACCEPT_EXIT, ret);
-        return (ret);
-}
-int
 dtls1_send_hello_verify_request(SSL *s)
 {
        CBB cbb, verify, cookie;

diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c index 05c92be46c..57b8ea0e24 100644 --- a/src/lib/libssl/d1_srvr.c +++ b/src/lib/libssl/d1_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: d1_srvr.c,v 1.90 2017/10/08 16:56:51 jsing Exp $ */	1	/* $OpenBSD: d1_srvr.c,v 1.91 2017/10/12 15:52:50 jsing Exp $ */
2	/*	2	/*
3	* DTLS implementation written by Nagendra Modadugu	3	* DTLS implementation written by Nagendra Modadugu
4	* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.	4	* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -125,8 +125,6 @@
125	#include <openssl/objects.h>	125	#include <openssl/objects.h>
126	#include <openssl/x509.h>	126	#include <openssl/x509.h>
127		127
128	static int dtls1_send_hello_verify_request(SSL *s);
129
130	static const SSL_METHOD_INTERNAL DTLSv1_server_method_internal_data = {	128	static const SSL_METHOD_INTERNAL DTLSv1_server_method_internal_data = {
131	.version = DTLS1_VERSION,	129	.version = DTLS1_VERSION,
132	.min_version = DTLS1_VERSION,	130	.min_version = DTLS1_VERSION,
@@ -134,7 +132,7 @@ static const SSL_METHOD_INTERNAL DTLSv1_server_method_internal_data = {
134	.ssl_new = dtls1_new,	132	.ssl_new = dtls1_new,
135	.ssl_clear = dtls1_clear,	133	.ssl_clear = dtls1_clear,
136	.ssl_free = dtls1_free,	134	.ssl_free = dtls1_free,
137	.ssl_accept = dtls1_accept,	135	.ssl_accept = ssl3_accept,
138	.ssl_connect = ssl_undefined_function,	136	.ssl_connect = ssl_undefined_function,
139	.ssl_read = ssl3_read,	137	.ssl_read = ssl3_read,
140	.ssl_peek = ssl3_peek,	138	.ssl_peek = ssl3_peek,
@@ -176,538 +174,6 @@ dtls1_get_server_method(int ver)
176	}	174	}
177		175
178	int	176	int
179	dtls1_accept(SSL *s)
180	{
181	void (cb)(const SSL ssl, int type, int val) = NULL;
182	unsigned long alg_k;
183	int ret = -1;
184	int new_state, state, skip = 0;
185	int listen;
186
187	ERR_clear_error();
188	errno = 0;
189
190	if (s->internal->info_callback != NULL)
191	cb = s->internal->info_callback;
192	else if (s->ctx->internal->info_callback != NULL)
193	cb = s->ctx->internal->info_callback;
194
195	listen = D1I(s)->listen;
196
197	/* init things to blank */
198	s->internal->in_handshake++;
199	if (!SSL_in_init(s) \|\| SSL_in_before(s))
200	SSL_clear(s);
201
202	D1I(s)->listen = listen;
203
204	if (s->cert == NULL) {
205	SSLerror(s, SSL_R_NO_CERTIFICATE_SET);
206	ret = -1;
207	goto end;
208	}
209
210	for (;;) {
211	state = S3I(s)->hs.state;
212
213	switch (S3I(s)->hs.state) {
214	case SSL_ST_RENEGOTIATE:
215	s->internal->renegotiate = 1;
216	/* S3I(s)->hs.state=SSL_ST_ACCEPT; */
217
218	case SSL_ST_BEFORE:
219	case SSL_ST_ACCEPT:
220	case SSL_ST_BEFORE\|SSL_ST_ACCEPT:
221	case SSL_ST_OK\|SSL_ST_ACCEPT:
222	s->server = 1;
223	if (cb != NULL)
224	cb(s, SSL_CB_HANDSHAKE_START, 1);
225
226	if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) {
227	SSLerror(s, ERR_R_INTERNAL_ERROR);
228	ret = -1;
229	goto end;
230	}
231	s->internal->type = SSL_ST_ACCEPT;
232
233	if (!ssl3_setup_init_buffer(s)) {
234	ret = -1;
235	goto end;
236	}
237	if (!ssl3_setup_buffers(s)) {
238	ret = -1;
239	goto end;
240	}
241
242	s->internal->init_num = 0;
243
244	if (S3I(s)->hs.state != SSL_ST_RENEGOTIATE) {
245	/*
246	* Ok, we now need to push on a buffering BIO
247	* so that the output is sent in a way that
248	* TCP likes :-)
249	* ...but not with SCTP :-)
250	*/
251	if (!ssl_init_wbio_buffer(s, 1)) {
252	ret = -1;
253	goto end;
254	}
255	if (!tls1_init_finished_mac(s)) {
256	ret = -1;
257	goto end;
258	}
259
260	S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A;
261	s->ctx->internal->stats.sess_accept++;
262	} else {
263	/*
264	* S3I(s)->hs.state == SSL_ST_RENEGOTIATE,
265	* we will just send a HelloRequest.
266	*/
267	s->ctx->internal->stats.sess_accept_renegotiate++;
268	S3I(s)->hs.state = SSL3_ST_SW_HELLO_REQ_A;
269	}
270	break;
271
272	case SSL3_ST_SW_HELLO_REQ_A:
273	case SSL3_ST_SW_HELLO_REQ_B:
274	s->internal->shutdown = 0;
275	dtls1_clear_record_buffer(s);
276	dtls1_start_timer(s);
277	ret = ssl3_send_hello_request(s);
278	if (ret <= 0)
279	goto end;
280	S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A;
281	S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
282	s->internal->init_num = 0;
283
284	if (!tls1_init_finished_mac(s)) {
285	ret = -1;
286	goto end;
287	}
288	break;
289
290	case SSL3_ST_SW_HELLO_REQ_C:
291	S3I(s)->hs.state = SSL_ST_OK;
292	break;
293
294	case SSL3_ST_SR_CLNT_HELLO_A:
295	case SSL3_ST_SR_CLNT_HELLO_B:
296	case SSL3_ST_SR_CLNT_HELLO_C:
297	s->internal->shutdown = 0;
298	ret = ssl3_get_client_hello(s);
299	if (ret <= 0)
300	goto end;
301	dtls1_stop_timer(s);
302
303	if (ret == 1 && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
304	S3I(s)->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
305	else
306	S3I(s)->hs.state = SSL3_ST_SW_SRVR_HELLO_A;
307
308	s->internal->init_num = 0;
309
310	/* Reflect ClientHello sequence to remain stateless while listening */
311	if (listen) {
312	memcpy(S3I(s)->write_sequence, S3I(s)->read_sequence, sizeof(S3I(s)->write_sequence));
313	}
314
315	/* If we're just listening, stop here */
316	if (listen && S3I(s)->hs.state == SSL3_ST_SW_SRVR_HELLO_A) {
317	ret = 2;
318	D1I(s)->listen = 0;
319	/* Set expected sequence numbers
320	* to continue the handshake.
321	*/
322	D1I(s)->handshake_read_seq = 2;
323	D1I(s)->handshake_write_seq = 1;
324	D1I(s)->next_handshake_write_seq = 1;
325	goto end;
326	}
327
328	break;
329
330	case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
331	case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
332	ret = dtls1_send_hello_verify_request(s);
333	if (ret <= 0)
334	goto end;
335	S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
336	S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A;
337
338	/* HelloVerifyRequest resets Finished MAC */
339	if (!tls1_init_finished_mac(s)) {
340	ret = -1;
341	goto end;
342	}
343	break;
344
345	case SSL3_ST_SW_SRVR_HELLO_A:
346	case SSL3_ST_SW_SRVR_HELLO_B:
347	s->internal->renegotiate = 2;
348	dtls1_start_timer(s);
349	ret = ssl3_send_server_hello(s);
350	if (ret <= 0)
351	goto end;
352	if (s->internal->hit) {
353	if (s->internal->tlsext_ticket_expected)
354	S3I(s)->hs.state = SSL3_ST_SW_SESSION_TICKET_A;
355	else
356	S3I(s)->hs.state = SSL3_ST_SW_CHANGE_A;
357	} else {
358	S3I(s)->hs.state = SSL3_ST_SW_CERT_A;
359	}
360	s->internal->init_num = 0;
361	break;
362
363	case SSL3_ST_SW_CERT_A:
364	case SSL3_ST_SW_CERT_B:
365	/* Check if it is anon DH or anon ECDH. */
366	if (!(S3I(s)->hs.new_cipher->algorithm_auth &
367	SSL_aNULL)) {
368	dtls1_start_timer(s);
369	ret = ssl3_send_server_certificate(s);
370	if (ret <= 0)
371	goto end;
372	if (s->internal->tlsext_status_expected)
373	S3I(s)->hs.state = SSL3_ST_SW_CERT_STATUS_A;
374	else
375	S3I(s)->hs.state = SSL3_ST_SW_KEY_EXCH_A;
376	} else {
377	skip = 1;
378	S3I(s)->hs.state = SSL3_ST_SW_KEY_EXCH_A;
379	}
380	s->internal->init_num = 0;
381	break;
382
383	case SSL3_ST_SW_KEY_EXCH_A:
384	case SSL3_ST_SW_KEY_EXCH_B:
385	alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
386
387	/*
388	* Only send if using a DH key exchange.
389	*
390	* For ECC ciphersuites, we send a ServerKeyExchange
391	* message only if the cipher suite is ECDHE. In other
392	* cases, the server certificate contains the server's
393	* public key for key exchange.
394	*/
395	if (alg_k & (SSL_kDHE\|SSL_kECDHE)) {
396	dtls1_start_timer(s);
397	ret = ssl3_send_server_key_exchange(s);
398	if (ret <= 0)
399	goto end;
400	} else
401	skip = 1;
402
403	S3I(s)->hs.state = SSL3_ST_SW_CERT_REQ_A;
404	s->internal->init_num = 0;
405	break;
406
407	case SSL3_ST_SW_CERT_REQ_A:
408	case SSL3_ST_SW_CERT_REQ_B:
409	/*
410	* Determine whether or not we need to request a
411	* certificate.
412	*
413	* Do not request a certificate if:
414	*
415	* - We did not ask for it (SSL_VERIFY_PEER is unset).
416	*
417	* - SSL_VERIFY_CLIENT_ONCE is set and we are
418	* renegotiating.
419	*
420	* - We are using an anonymous ciphersuites
421	* (see section "Certificate request" in SSL 3 drafts
422	* and in RFC 2246) ... except when the application
423	* insists on verification (against the specs, but
424	* s3_clnt.c accepts this for SSL 3).
425	*/
426	if (!(s->verify_mode & SSL_VERIFY_PEER) \|\|
427	((s->session->peer != NULL) &&
428	(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) \|\|
429	((S3I(s)->hs.new_cipher->algorithm_auth &
430	SSL_aNULL) && !(s->verify_mode &
431	SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
432	/* No cert request. */
433	skip = 1;
434	S3I(s)->tmp.cert_request = 0;
435	S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A;
436	} else {
437	S3I(s)->tmp.cert_request = 1;
438	dtls1_start_timer(s);
439	ret = ssl3_send_certificate_request(s);
440	if (ret <= 0)
441	goto end;
442	S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A;
443	s->internal->init_num = 0;
444	}
445	break;
446
447	case SSL3_ST_SW_SRVR_DONE_A:
448	case SSL3_ST_SW_SRVR_DONE_B:
449	dtls1_start_timer(s);
450	ret = ssl3_send_server_done(s);
451	if (ret <= 0)
452	goto end;
453	S3I(s)->hs.next_state = SSL3_ST_SR_CERT_A;
454	S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
455	s->internal->init_num = 0;
456	break;
457
458	case SSL3_ST_SW_FLUSH:
459	/*
460	* This code originally checked to see if
461	* any data was pending using BIO_CTRL_INFO
462	* and then flushed. This caused problems
463	* as documented in PR#1939. The proposed
464	* fix doesn't completely resolve this issue
465	* as buggy implementations of BIO_CTRL_PENDING
466	* still exist. So instead we just flush
467	* unconditionally.
468	*/
469	s->internal->rwstate = SSL_WRITING;
470	if (BIO_flush(s->wbio) <= 0) {
471	/* If the write error was fatal, stop trying */
472	if (!BIO_should_retry(s->wbio)) {
473	s->internal->rwstate = SSL_NOTHING;
474	S3I(s)->hs.state = S3I(s)->hs.next_state;
475	}
476
477	ret = -1;
478	goto end;
479	}
480	s->internal->rwstate = SSL_NOTHING;
481	S3I(s)->hs.state = S3I(s)->hs.next_state;
482	break;
483
484	case SSL3_ST_SR_CERT_A:
485	case SSL3_ST_SR_CERT_B:
486	if (S3I(s)->tmp.cert_request) {
487	ret = ssl3_get_client_certificate(s);
488	if (ret <= 0)
489	goto end;
490	}
491	s->internal->init_num = 0;
492	S3I(s)->hs.state = SSL3_ST_SR_KEY_EXCH_A;
493	break;
494
495	case SSL3_ST_SR_KEY_EXCH_A:
496	case SSL3_ST_SR_KEY_EXCH_B:
497	ret = ssl3_get_client_key_exchange(s);
498	if (ret <= 0)
499	goto end;
500
501	S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A;
502	s->internal->init_num = 0;
503
504	if (ret == 2) {
505	/*
506	* For the ECDH ciphersuites when
507	* the client sends its ECDH pub key in
508	* a certificate, the CertificateVerify
509	* message is not sent.
510	* Also for GOST ciphersuites when
511	* the client uses its key from the certificate
512	* for key exchange.
513	*/
514	S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A;
515	s->internal->init_num = 0;
516	} else if (SSL_USE_SIGALGS(s)) {
517	S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A;
518	s->internal->init_num = 0;
519	if (!s->session->peer)
520	break;
521	/*
522	* For sigalgs freeze the handshake buffer
523	* at this point and digest cached records.
524	*/
525	if (!S3I(s)->handshake_buffer) {
526	SSLerror(s, ERR_R_INTERNAL_ERROR);
527	ret = -1;
528	goto end;
529	}
530	s->s3->flags \|= TLS1_FLAGS_KEEP_HANDSHAKE;
531	if (!tls1_digest_cached_records(s)) {
532	ret = -1;
533	goto end;
534	}
535	} else {
536	S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A;
537	s->internal->init_num = 0;
538
539	/*
540	* We need to get hashes here so if there is
541	* a client cert, it can be verified.
542	*/
543	if (S3I(s)->handshake_buffer) {
544	if (!tls1_digest_cached_records(s)) {
545	ret = -1;
546	goto end;
547	}
548	}
549	if (!tls1_handshake_hash_value(s,
550	S3I(s)->tmp.cert_verify_md,
551	sizeof(S3I(s)->tmp.cert_verify_md),
552	NULL)) {
553	ret = -1;
554	goto end;
555	}
556	}
557	break;
558
559	case SSL3_ST_SR_CERT_VRFY_A:
560	case SSL3_ST_SR_CERT_VRFY_B:
561	D1I(s)->change_cipher_spec_ok = 1;
562	/* we should decide if we expected this one */
563	ret = ssl3_get_cert_verify(s);
564	if (ret <= 0)
565	goto end;
566	S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A;
567	s->internal->init_num = 0;
568	break;
569
570	case SSL3_ST_SR_FINISHED_A:
571	case SSL3_ST_SR_FINISHED_B:
572	D1I(s)->change_cipher_spec_ok = 1;
573	ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A,
574	SSL3_ST_SR_FINISHED_B);
575	if (ret <= 0)
576	goto end;
577	dtls1_stop_timer(s);
578	if (s->internal->hit)
579	S3I(s)->hs.state = SSL_ST_OK;
580	else if (s->internal->tlsext_ticket_expected)
581	S3I(s)->hs.state = SSL3_ST_SW_SESSION_TICKET_A;
582	else
583	S3I(s)->hs.state = SSL3_ST_SW_CHANGE_A;
584	s->internal->init_num = 0;
585	break;
586
587	case SSL3_ST_SW_SESSION_TICKET_A:
588	case SSL3_ST_SW_SESSION_TICKET_B:
589	ret = ssl3_send_newsession_ticket(s);
590	if (ret <= 0)
591	goto end;
592	S3I(s)->hs.state = SSL3_ST_SW_CHANGE_A;
593	s->internal->init_num = 0;
594	break;
595
596	case SSL3_ST_SW_CERT_STATUS_A:
597	case SSL3_ST_SW_CERT_STATUS_B:
598	ret = ssl3_send_cert_status(s);
599	if (ret <= 0)
600	goto end;
601	S3I(s)->hs.state = SSL3_ST_SW_KEY_EXCH_A;
602	s->internal->init_num = 0;
603	break;
604
605	case SSL3_ST_SW_CHANGE_A:
606	case SSL3_ST_SW_CHANGE_B:
607	s->session->cipher = S3I(s)->hs.new_cipher;
608	if (!tls1_setup_key_block(s)) {
609	ret = -1;
610	goto end;
611	}
612
613	ret = ssl3_send_change_cipher_spec(s,
614	SSL3_ST_SW_CHANGE_A, SSL3_ST_SW_CHANGE_B);
615	if (ret <= 0)
616	goto end;
617	S3I(s)->hs.state = SSL3_ST_SW_FINISHED_A;
618	s->internal->init_num = 0;
619
620	if (!tls1_change_cipher_state(s,
621	SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
622	ret = -1;
623	goto end;
624	}
625
626	dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
627	break;
628
629	case SSL3_ST_SW_FINISHED_A:
630	case SSL3_ST_SW_FINISHED_B:
631	ret = ssl3_send_finished(s,
632	SSL3_ST_SW_FINISHED_A, SSL3_ST_SW_FINISHED_B,
633	TLS_MD_SERVER_FINISH_CONST,
634	TLS_MD_SERVER_FINISH_CONST_SIZE);
635	if (ret <= 0)
636	goto end;
637	S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
638	if (s->internal->hit)
639	S3I(s)->hs.next_state = SSL3_ST_SR_FINISHED_A;
640	else
641	S3I(s)->hs.next_state = SSL_ST_OK;
642	s->internal->init_num = 0;
643	break;
644
645	case SSL_ST_OK:
646	/* clean a few things up */
647	tls1_cleanup_key_block(s);
648
649	/* remove buffering on output */
650	ssl_free_wbio_buffer(s);
651
652	s->internal->init_num = 0;
653
654	/* Skipped if we just sent a HelloRequest. */
655	if (s->internal->renegotiate == 2) {
656	s->internal->renegotiate = 0;
657	s->internal->new_session = 0;
658
659	ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
660
661	s->ctx->internal->stats.sess_accept_good++;
662	/* s->server=1; */
663	s->internal->handshake_func = dtls1_accept;
664
665	if (cb != NULL)
666	cb(s, SSL_CB_HANDSHAKE_DONE, 1);
667	}
668
669	ret = 1;
670
671	/* done handshaking, next message is client hello */
672	D1I(s)->handshake_read_seq = 0;
673	/* next message is server hello */
674	D1I(s)->handshake_write_seq = 0;
675	D1I(s)->next_handshake_write_seq = 0;
676	goto end;
677	/* break; */
678
679	default:
680	SSLerror(s, SSL_R_UNKNOWN_STATE);
681	ret = -1;
682	goto end;
683	/* break; */
684	}
685
686	if (!S3I(s)->tmp.reuse_message && !skip) {
687	if (s->internal->debug) {
688	if ((ret = BIO_flush(s->wbio)) <= 0)
689	goto end;
690	}
691
692	if ((cb != NULL) && (S3I(s)->hs.state != state)) {
693	new_state = S3I(s)->hs.state;
694	S3I(s)->hs.state = state;
695	cb(s, SSL_CB_ACCEPT_LOOP, 1);
696	S3I(s)->hs.state = new_state;
697	}
698	}
699	skip = 0;
700	}
701	end:
702	/* BIO_flush(s->wbio); */
703	s->internal->in_handshake--;
704	if (cb != NULL)
705	cb(s, SSL_CB_ACCEPT_EXIT, ret);
706
707	return (ret);
708	}
709
710	int
711	dtls1_send_hello_verify_request(SSL *s)	177	dtls1_send_hello_verify_request(SSL *s)
712	{	178	{
713	CBB cbb, verify, cookie;	179	CBB cbb, verify, cookie;