“8356c43e42dc6d86905f63176caded55bffb4515”上不存在“src/opennebula/one_client.h”
d1_srvr.c 26.1 KB
Newer Older
B
Ben Laurie 已提交
1 2 3 4 5 6
/* ssl/d1_srvr.c */
/* 
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
 */
/* ====================================================================
7
 * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
B
Ben Laurie 已提交
8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */

#include <stdio.h>
#include "ssl_locl.h"
#include <openssl/buffer.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/md5.h>
124
#include <openssl/bn.h>
N
make  
Nils Larsch 已提交
125 126 127
#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
#endif
B
Ben Laurie 已提交
128

129
static const SSL_METHOD *dtls1_get_server_method(int ver);
B
Ben Laurie 已提交
130 131
static int dtls1_send_hello_verify_request(SSL *s);

132
static const SSL_METHOD *dtls1_get_server_method(int ver)
B
Ben Laurie 已提交
133 134 135
	{
	if (ver == DTLS1_VERSION)
		return(DTLSv1_server_method());
136 137
	else if (ver == DTLS1_2_VERSION)
		return(DTLSv1_2_server_method());
B
Ben Laurie 已提交
138 139 140 141
	else
		return(NULL);
	}

D
Dr. Stephen Henson 已提交
142 143
IMPLEMENT_dtls1_meth_func(DTLS1_VERSION,
			DTLSv1_server_method,
144 145
			dtls1_accept,
			ssl_undefined_function,
D
Dr. Stephen Henson 已提交
146 147
			dtls1_get_server_method,
			DTLSv1_enc_data)
B
Ben Laurie 已提交
148

149 150 151 152 153 154 155
IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION,
			DTLSv1_2_server_method,
			dtls1_accept,
			ssl_undefined_function,
			dtls1_get_server_method,
			DTLSv1_2_enc_data)

D
Dr. Stephen Henson 已提交
156 157 158 159 160 161 162
IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION,
			DTLS_server_method,
			dtls1_accept,
			ssl_undefined_function,
			dtls1_get_server_method,
			DTLSv1_2_enc_data)

B
Ben Laurie 已提交
163 164 165
int dtls1_accept(SSL *s)
	{
	BUF_MEM *buf;
166
	unsigned long Time=(unsigned long)time(NULL);
B
Ben Laurie 已提交
167
	void (*cb)(const SSL *ssl,int type,int val)=NULL;
168
	unsigned long alg_k;
B
Ben Laurie 已提交
169 170
	int ret= -1;
	int new_state,state,skip=0;
171
	int listen;
D
Dr. Stephen Henson 已提交
172 173 174 175
#ifndef OPENSSL_NO_SCTP
	unsigned char sctpauthkey[64];
	char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
#endif
B
Ben Laurie 已提交
176 177 178 179 180 181 182 183 184

	RAND_add(&Time,sizeof(Time),0);
	ERR_clear_error();
	clear_sys_error();

	if (s->info_callback != NULL)
		cb=s->info_callback;
	else if (s->ctx->info_callback != NULL)
		cb=s->ctx->info_callback;
185 186
	
	listen = s->d1->listen;
B
Ben Laurie 已提交
187 188 189 190 191

	/* init things to blank */
	s->in_handshake++;
	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);

D
Dr. Stephen Henson 已提交
192
	s->d1->listen = listen;
D
Dr. Stephen Henson 已提交
193 194 195 196 197 198 199
#ifndef OPENSSL_NO_SCTP
	/* Notify SCTP BIO socket to enter handshake
	 * mode and prevent stream identifier other
	 * than 0. Will be ignored if no SCTP is used.
	 */
	BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, s->in_handshake, NULL);
#endif
D
Dr. Stephen Henson 已提交
200

B
Ben Laurie 已提交
201 202
	if (s->cert == NULL)
		{
B
Bodo Möller 已提交
203
		SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
B
Ben Laurie 已提交
204 205 206
		return(-1);
		}

D
Dr. Stephen Henson 已提交
207 208 209 210 211 212 213 214 215 216 217 218 219
#ifndef OPENSSL_NO_HEARTBEATS
	/* If we're awaiting a HeartbeatResponse, pretend we
	 * already got and don't await it anymore, because
	 * Heartbeats don't make sense during handshakes anyway.
	 */
	if (s->tlsext_hb_pending)
		{
		dtls1_stop_timer(s);
		s->tlsext_hb_pending = 0;
		s->tlsext_hb_seq++;
		}
#endif

B
Ben Laurie 已提交
220 221 222 223 224 225 226
	for (;;)
		{
		state=s->state;

		switch (s->state)
			{
		case SSL_ST_RENEGOTIATE:
D
Dr. Stephen Henson 已提交
227
			s->renegotiate=1;
B
Ben Laurie 已提交
228 229 230 231 232 233 234 235 236 237 238 239
			/* s->state=SSL_ST_ACCEPT; */

		case SSL_ST_BEFORE:
		case SSL_ST_ACCEPT:
		case SSL_ST_BEFORE|SSL_ST_ACCEPT:
		case SSL_ST_OK|SSL_ST_ACCEPT:

			s->server=1;
			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);

			if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00))
				{
B
Bodo Möller 已提交
240
				SSLerr(SSL_F_DTLS1_ACCEPT, ERR_R_INTERNAL_ERROR);
B
Ben Laurie 已提交
241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266
				return -1;
				}
			s->type=SSL_ST_ACCEPT;

			if (s->init_buf == NULL)
				{
				if ((buf=BUF_MEM_new()) == NULL)
					{
					ret= -1;
					goto end;
					}
				if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
					{
					ret= -1;
					goto end;
					}
				s->init_buf=buf;
				}

			if (!ssl3_setup_buffers(s))
				{
				ret= -1;
				goto end;
				}

			s->init_num=0;
267 268 269
			s->d1->change_cipher_spec_ok = 0;
			/* Should have been reset by ssl3_get_finished, too. */
			s->s3->change_cipher_spec = 0;
B
Ben Laurie 已提交
270 271 272 273 274

			if (s->state != SSL_ST_RENEGOTIATE)
				{
				/* Ok, we now need to push on a buffering BIO so that
				 * the output is sent in a way that TCP likes :-)
D
Dr. Stephen Henson 已提交
275
				 * ...but not with SCTP :-)
B
Ben Laurie 已提交
276
				 */
D
Dr. Stephen Henson 已提交
277 278 279 280
#ifndef OPENSSL_NO_SCTP
				if (!BIO_dgram_is_sctp(SSL_get_wbio(s)))
#endif
					if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
B
Ben Laurie 已提交
281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299

				ssl3_init_finished_mac(s);
				s->state=SSL3_ST_SR_CLNT_HELLO_A;
				s->ctx->stats.sess_accept++;
				}
			else
				{
				/* s->state == SSL_ST_RENEGOTIATE,
				 * we will just send a HelloRequest */
				s->ctx->stats.sess_accept_renegotiate++;
				s->state=SSL3_ST_SW_HELLO_REQ_A;
				}

			break;

		case SSL3_ST_SW_HELLO_REQ_A:
		case SSL3_ST_SW_HELLO_REQ_B:

			s->shutdown=0;
300
			dtls1_clear_record_buffer(s);
D
Dr. Stephen Henson 已提交
301
			dtls1_start_timer(s);
D
Dr. Stephen Henson 已提交
302
			ret=ssl3_send_hello_request(s);
B
Ben Laurie 已提交
303
			if (ret <= 0) goto end;
304
			s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A;
B
Ben Laurie 已提交
305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321
			s->state=SSL3_ST_SW_FLUSH;
			s->init_num=0;

			ssl3_init_finished_mac(s);
			break;

		case SSL3_ST_SW_HELLO_REQ_C:
			s->state=SSL_ST_OK;
			break;

		case SSL3_ST_SR_CLNT_HELLO_A:
		case SSL3_ST_SR_CLNT_HELLO_B:
		case SSL3_ST_SR_CLNT_HELLO_C:

			s->shutdown=0;
			ret=ssl3_get_client_hello(s);
			if (ret <= 0) goto end;
D
Dr. Stephen Henson 已提交
322
			dtls1_stop_timer(s);
B
Ben Laurie 已提交
323

D
Dr. Stephen Henson 已提交
324
			if (ret == 1 && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
B
Ben Laurie 已提交
325 326 327 328 329
				s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
			else
				s->state = SSL3_ST_SW_SRVR_HELLO_A;

			s->init_num=0;
D
Dr. Stephen Henson 已提交
330

D
Dr. Stephen Henson 已提交
331 332 333 334 335 336
			/* Reflect ClientHello sequence to remain stateless while listening */
			if (listen)
				{
				memcpy(s->s3->write_sequence, s->s3->read_sequence, sizeof(s->s3->write_sequence));
				}

D
Dr. Stephen Henson 已提交
337
			/* If we're just listening, stop here */
338
			if (listen && s->state == SSL3_ST_SW_SRVR_HELLO_A)
D
Dr. Stephen Henson 已提交
339 340 341
				{
				ret = 2;
				s->d1->listen = 0;
D
Dr. Stephen Henson 已提交
342 343 344 345 346 347
				/* Set expected sequence numbers
				 * to continue the handshake.
				 */
				s->d1->handshake_read_seq = 2;
				s->d1->handshake_write_seq = 1;
				s->d1->next_handshake_write_seq = 1;
D
Dr. Stephen Henson 已提交
348 349 350
				goto end;
				}
			
B
Ben Laurie 已提交
351 352 353 354 355 356 357 358 359
			break;
			
		case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
		case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:

			ret = dtls1_send_hello_verify_request(s);
			if ( ret <= 0) goto end;
			s->state=SSL3_ST_SW_FLUSH;
			s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A;
360 361

			/* HelloVerifyRequest resets Finished MAC */
362 363
			if (s->version != DTLS1_BAD_VER)
				ssl3_init_finished_mac(s);
B
Ben Laurie 已提交
364 365
			break;
			
D
Dr. Stephen Henson 已提交
366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402
#ifndef OPENSSL_NO_SCTP
		case DTLS1_SCTP_ST_SR_READ_SOCK:
			
			if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s)))		
				{
				s->s3->in_read_app_data=2;
				s->rwstate=SSL_READING;
				BIO_clear_retry_flags(SSL_get_rbio(s));
				BIO_set_retry_read(SSL_get_rbio(s));
				ret = -1;
				goto end;
				}
			
			s->state=SSL3_ST_SR_FINISHED_A;
			break;
			
		case DTLS1_SCTP_ST_SW_WRITE_SOCK:
			ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
			if (ret < 0) goto end;
			
			if (ret == 0)
				{
				if (s->d1->next_state != SSL_ST_OK)
					{
					s->s3->in_read_app_data=2;
					s->rwstate=SSL_READING;
					BIO_clear_retry_flags(SSL_get_rbio(s));
					BIO_set_retry_read(SSL_get_rbio(s));
					ret = -1;
					goto end;
					}
				}

			s->state=s->d1->next_state;
			break;
#endif

B
Ben Laurie 已提交
403 404
		case SSL3_ST_SW_SRVR_HELLO_A:
		case SSL3_ST_SW_SRVR_HELLO_B:
D
Dr. Stephen Henson 已提交
405
			s->renegotiate = 2;
D
Dr. Stephen Henson 已提交
406
			dtls1_start_timer(s);
D
Dr. Stephen Henson 已提交
407
			ret=ssl3_send_server_hello(s);
B
Ben Laurie 已提交
408 409 410
			if (ret <= 0) goto end;

			if (s->hit)
D
Dr. Stephen Henson 已提交
411
				{
D
Dr. Stephen Henson 已提交
412 413 414 415 416 417 418 419 420 421 422 423 424 425 426
#ifndef OPENSSL_NO_SCTP
				/* Add new shared key for SCTP-Auth,
				 * will be ignored if no SCTP used.
				 */
				snprintf((char*) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
				         DTLS1_SCTP_AUTH_LABEL);

				SSL_export_keying_material(s, sctpauthkey,
				                           sizeof(sctpauthkey), labelbuffer,
				                           sizeof(labelbuffer), NULL, 0, 0);
				
				BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                         sizeof(sctpauthkey), sctpauthkey);
#endif
#ifndef OPENSSL_NO_TLSEXT
D
Dr. Stephen Henson 已提交
427 428 429 430 431
				if (s->tlsext_ticket_expected)
					s->state=SSL3_ST_SW_SESSION_TICKET_A;
				else
					s->state=SSL3_ST_SW_CHANGE_A;
#else
D
Dr. Stephen Henson 已提交
432
				s->state=SSL3_ST_SW_CHANGE_A;
D
Dr. Stephen Henson 已提交
433
#endif
D
Dr. Stephen Henson 已提交
434
				}
B
Ben Laurie 已提交
435 436 437 438 439 440 441
			else
				s->state=SSL3_ST_SW_CERT_A;
			s->init_num=0;
			break;

		case SSL3_ST_SW_CERT_A:
		case SSL3_ST_SW_CERT_B:
D
Dr. Stephen Henson 已提交
442 443 444
			/* Check if it is anon DH or normal PSK */
			if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
				&& !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
B
Ben Laurie 已提交
445
				{
D
Dr. Stephen Henson 已提交
446
				dtls1_start_timer(s);
D
Dr. Stephen Henson 已提交
447
				ret=ssl3_send_server_certificate(s);
B
Ben Laurie 已提交
448
				if (ret <= 0) goto end;
D
Dr. Stephen Henson 已提交
449 450 451 452 453 454 455 456 457 458 459 460
#ifndef OPENSSL_NO_TLSEXT
				if (s->tlsext_status_expected)
					s->state=SSL3_ST_SW_CERT_STATUS_A;
				else
					s->state=SSL3_ST_SW_KEY_EXCH_A;
				}
			else
				{
				skip = 1;
				s->state=SSL3_ST_SW_KEY_EXCH_A;
				}
#else
B
Ben Laurie 已提交
461 462 463
				}
			else
				skip=1;
D
Dr. Stephen Henson 已提交
464

B
Ben Laurie 已提交
465
			s->state=SSL3_ST_SW_KEY_EXCH_A;
D
Dr. Stephen Henson 已提交
466
#endif
B
Ben Laurie 已提交
467 468 469 470 471
			s->init_num=0;
			break;

		case SSL3_ST_SW_KEY_EXCH_A:
		case SSL3_ST_SW_KEY_EXCH_B:
472
			alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
B
Ben Laurie 已提交
473 474 475 476 477

			/* clear this, it may get reset by
			 * send_server_key_exchange */
			if ((s->options & SSL_OP_EPHEMERAL_RSA)
#ifndef OPENSSL_NO_KRB5
478
				&& !(alg_k & SSL_kKRB5)
B
Ben Laurie 已提交
479 480 481 482 483 484 485 486 487 488
#endif /* OPENSSL_NO_KRB5 */
				)
				/* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
				 * even when forbidden by protocol specs
				 * (handshake may fail as clients are not required to
				 * be able to handle this) */
				s->s3->tmp.use_rsa_tmp=1;
			else
				s->s3->tmp.use_rsa_tmp=0;

489
			/* only send if a DH key exchange or
B
Ben Laurie 已提交
490 491
			 * RSA but we have a sign only certificate */
			if (s->s3->tmp.use_rsa_tmp
D
Dr. Stephen Henson 已提交
492 493 494 495 496
			/* PSK: send ServerKeyExchange if PSK identity
			 * hint if provided */
#ifndef OPENSSL_NO_PSK
			    || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
#endif
497
			    || (alg_k & (SSL_kDHE|SSL_kDHr|SSL_kDHd))
498
			    || (alg_k & SSL_kECDHE)
499
			    || ((alg_k & SSL_kRSA)
B
Ben Laurie 已提交
500 501 502 503 504 505 506 507
				&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
				    || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
					&& EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
					)
				    )
				)
			    )
				{
D
Dr. Stephen Henson 已提交
508
				dtls1_start_timer(s);
D
Dr. Stephen Henson 已提交
509
				ret=ssl3_send_server_key_exchange(s);
B
Ben Laurie 已提交
510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529
				if (ret <= 0) goto end;
				}
			else
				skip=1;

			s->state=SSL3_ST_SW_CERT_REQ_A;
			s->init_num=0;
			break;

		case SSL3_ST_SW_CERT_REQ_A:
		case SSL3_ST_SW_CERT_REQ_B:
			if (/* don't request cert unless asked for it: */
				!(s->verify_mode & SSL_VERIFY_PEER) ||
				/* if SSL_VERIFY_CLIENT_ONCE is set,
				 * don't request cert during re-negotiation: */
				((s->session->peer != NULL) &&
				 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
				/* never request cert in anonymous ciphersuites
				 * (see section "Certificate request" in SSL 3 drafts
				 * and in RFC 2246): */
530
				((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
B
Ben Laurie 已提交
531 532 533
				 /* ... except when the application insists on verification
				  * (against the specs, but s3_clnt.c accepts this for SSL 3) */
				 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
534
				 /* never request cert in Kerberos ciphersuites */
D
Dr. Stephen Henson 已提交
535 536 537 538
				(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
				/* With normal PSK Certificates and
				 * Certificate Requests are omitted */
				|| (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
B
Ben Laurie 已提交
539 540 541 542 543
				{
				/* no cert request */
				skip=1;
				s->s3->tmp.cert_request=0;
				s->state=SSL3_ST_SW_SRVR_DONE_A;
D
Dr. Stephen Henson 已提交
544 545 546 547 548 549 550
#ifndef OPENSSL_NO_SCTP
				if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
					{
					s->d1->next_state = SSL3_ST_SW_SRVR_DONE_A;
					s->state = DTLS1_SCTP_ST_SW_WRITE_SOCK;
					}
#endif
B
Ben Laurie 已提交
551 552 553 554
				}
			else
				{
				s->s3->tmp.cert_request=1;
D
Dr. Stephen Henson 已提交
555
				dtls1_start_timer(s);
D
Dr. Stephen Henson 已提交
556
				ret=ssl3_send_certificate_request(s);
B
Ben Laurie 已提交
557 558 559
				if (ret <= 0) goto end;
#ifndef NETSCAPE_HANG_BUG
				s->state=SSL3_ST_SW_SRVR_DONE_A;
D
Dr. Stephen Henson 已提交
560 561 562 563 564 565 566
#ifndef OPENSSL_NO_SCTP
				if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
					{
					s->d1->next_state = SSL3_ST_SW_SRVR_DONE_A;
					s->state = DTLS1_SCTP_ST_SW_WRITE_SOCK;
					}
#endif
B
Ben Laurie 已提交
567 568 569
#else
				s->state=SSL3_ST_SW_FLUSH;
				s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
D
Dr. Stephen Henson 已提交
570 571 572 573 574 575 576
#ifndef OPENSSL_NO_SCTP
				if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
					{
					s->d1->next_state = s->s3->tmp.next_state;
					s->s3->tmp.next_state=DTLS1_SCTP_ST_SW_WRITE_SOCK;
					}
#endif
B
Ben Laurie 已提交
577 578 579 580 581 582 583
#endif
				s->init_num=0;
				}
			break;

		case SSL3_ST_SW_SRVR_DONE_A:
		case SSL3_ST_SW_SRVR_DONE_B:
D
Dr. Stephen Henson 已提交
584
			dtls1_start_timer(s);
D
Dr. Stephen Henson 已提交
585
			ret=ssl3_send_server_done(s);
B
Ben Laurie 已提交
586 587 588 589 590 591
			if (ret <= 0) goto end;
			s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
			s->state=SSL3_ST_SW_FLUSH;
			s->init_num=0;
			break;
		
D
Dr. Stephen Henson 已提交
592
		case SSL3_ST_SW_FLUSH:
D
Dr. Stephen Henson 已提交
593 594
			s->rwstate=SSL_WRITING;
			if (BIO_flush(s->wbio) <= 0)
B
Ben Laurie 已提交
595
				{
D
Dr. Stephen Henson 已提交
596 597 598 599 600 601 602
				/* If the write error was fatal, stop trying */
				if (!BIO_should_retry(s->wbio))
					{
					s->rwstate=SSL_NOTHING;
					s->state=s->s3->tmp.next_state;
					}
				
D
Dr. Stephen Henson 已提交
603 604
				ret= -1;
				goto end;
B
Ben Laurie 已提交
605
				}
D
Dr. Stephen Henson 已提交
606
			s->rwstate=SSL_NOTHING;
B
Ben Laurie 已提交
607 608 609 610 611 612 613 614 615 616
			s->state=s->s3->tmp.next_state;
			break;

		case SSL3_ST_SR_CERT_A:
		case SSL3_ST_SR_CERT_B:
			/* Check for second client hello (MS SGC) */
			ret = ssl3_check_client_hello(s);
			if (ret <= 0)
				goto end;
			if (ret == 2)
D
Dr. Stephen Henson 已提交
617 618
				{
				dtls1_stop_timer(s);
B
Ben Laurie 已提交
619
				s->state = SSL3_ST_SR_CLNT_HELLO_C;
D
Dr. Stephen Henson 已提交
620
				}
B
Ben Laurie 已提交
621
			else {
622 623 624 625 626
				if (s->s3->tmp.cert_request)
					{
					ret=ssl3_get_client_certificate(s);
					if (ret <= 0) goto end;
					}
B
Ben Laurie 已提交
627 628 629 630 631 632 633 634 635
				s->init_num=0;
				s->state=SSL3_ST_SR_KEY_EXCH_A;
			}
			break;

		case SSL3_ST_SR_KEY_EXCH_A:
		case SSL3_ST_SR_KEY_EXCH_B:
			ret=ssl3_get_client_key_exchange(s);
			if (ret <= 0) goto end;
D
Dr. Stephen Henson 已提交
636 637 638 639 640 641 642 643 644 645 646 647 648 649 650
#ifndef OPENSSL_NO_SCTP
			/* Add new shared key for SCTP-Auth,
			 * will be ignored if no SCTP used.
			 */
			snprintf((char *) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
			         DTLS1_SCTP_AUTH_LABEL);

			SSL_export_keying_material(s, sctpauthkey,
			                           sizeof(sctpauthkey), labelbuffer,
			                           sizeof(labelbuffer), NULL, 0, 0);

			BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
			         sizeof(sctpauthkey), sctpauthkey);
#endif

B
Ben Laurie 已提交
651 652 653
			s->state=SSL3_ST_SR_CERT_VRFY_A;
			s->init_num=0;

D
Dr. Stephen Henson 已提交
654 655 656 657 658 659 660 661 662 663
			if (ret == 2)
				{
				/* For the ECDH ciphersuites when
				 * the client sends its ECDH pub key in
				 * a certificate, the CertificateVerify
				 * message is not sent.
				 */
				s->state=SSL3_ST_SR_FINISHED_A;
				s->init_num = 0;
				}
664 665 666 667 668 669 670 671 672 673 674
			else if (SSL_USE_SIGALGS(s))
				{
				s->state=SSL3_ST_SR_CERT_VRFY_A;
				s->init_num=0;
				if (!s->session->peer)
					break;
				/* For sigalgs freeze the handshake buffer
				 * at this point and digest cached records.
				 */
				if (!s->s3->handshake_buffer)
					{
675
					SSLerr(SSL_F_DTLS1_ACCEPT,ERR_R_INTERNAL_ERROR);
676 677 678 679 680 681
					return -1;
					}
				s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
				if (!ssl3_digest_cached_records(s))
					return -1;
				}
D
Dr. Stephen Henson 已提交
682 683 684 685
			else
				{
				s->state=SSL3_ST_SR_CERT_VRFY_A;
				s->init_num=0;
B
Ben Laurie 已提交
686

D
Dr. Stephen Henson 已提交
687 688 689 690 691 692 693 694 695
				/* We need to get hashes here so if there is
				 * a client cert, it can be verified */ 
				s->method->ssl3_enc->cert_verify_mac(s,
					NID_md5,
					&(s->s3->tmp.cert_verify_md[0]));
				s->method->ssl3_enc->cert_verify_mac(s,
					NID_sha1,
					&(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
				}
B
Ben Laurie 已提交
696 697 698 699
			break;

		case SSL3_ST_SR_CERT_VRFY_A:
		case SSL3_ST_SR_CERT_VRFY_B:
700 701 702 703 704 705 706 707
			/*
			 * This *should* be the first time we enable CCS, but be
			 * extra careful about surrounding code changes. We need
			 * to set this here because we don't know if we're
			 * expecting a CertificateVerify or not.
			 */
			if (!s->s3->change_cipher_spec)
				s->d1->change_cipher_spec_ok = 1;
B
Ben Laurie 已提交
708 709 710
			/* we should decide if we expected this one */
			ret=ssl3_get_cert_verify(s);
			if (ret <= 0) goto end;
D
Dr. Stephen Henson 已提交
711 712 713 714 715 716 717
#ifndef OPENSSL_NO_SCTP
			if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
			    state == SSL_ST_RENEGOTIATE)
				s->state=DTLS1_SCTP_ST_SR_READ_SOCK;
			else
#endif			
				s->state=SSL3_ST_SR_FINISHED_A;
B
Ben Laurie 已提交
718 719 720 721 722
			s->init_num=0;
			break;

		case SSL3_ST_SR_FINISHED_A:
		case SSL3_ST_SR_FINISHED_B:
723 724 725 726 727 728 729 730 731 732 733 734
			/*
			 * Enable CCS for resumed handshakes.
			 * In a full handshake, we end up here through
			 * SSL3_ST_SR_CERT_VRFY_B, so change_cipher_spec_ok was
			 * already set. Receiving a CCS clears the flag, so make
			 * sure not to re-enable it to ban duplicates.
			 * s->s3->change_cipher_spec is set when a CCS is
			 * processed in d1_pkt.c, and remains set until
			 * the client's Finished message is read.
			 */
			if (!s->s3->change_cipher_spec)
				s->d1->change_cipher_spec_ok = 1;
B
Ben Laurie 已提交
735 736 737
			ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
				SSL3_ST_SR_FINISHED_B);
			if (ret <= 0) goto end;
D
Dr. Stephen Henson 已提交
738
			dtls1_stop_timer(s);
B
Ben Laurie 已提交
739 740
			if (s->hit)
				s->state=SSL_ST_OK;
D
Dr. Stephen Henson 已提交
741 742 743 744
#ifndef OPENSSL_NO_TLSEXT
			else if (s->tlsext_ticket_expected)
				s->state=SSL3_ST_SW_SESSION_TICKET_A;
#endif
B
Ben Laurie 已提交
745 746 747 748 749
			else
				s->state=SSL3_ST_SW_CHANGE_A;
			s->init_num=0;
			break;

D
Dr. Stephen Henson 已提交
750 751 752
#ifndef OPENSSL_NO_TLSEXT
		case SSL3_ST_SW_SESSION_TICKET_A:
		case SSL3_ST_SW_SESSION_TICKET_B:
D
Dr. Stephen Henson 已提交
753
			ret=ssl3_send_newsession_ticket(s);
D
Dr. Stephen Henson 已提交
754 755 756 757 758 759 760 761 762 763 764 765 766 767 768
			if (ret <= 0) goto end;
			s->state=SSL3_ST_SW_CHANGE_A;
			s->init_num=0;
			break;

		case SSL3_ST_SW_CERT_STATUS_A:
		case SSL3_ST_SW_CERT_STATUS_B:
			ret=ssl3_send_cert_status(s);
			if (ret <= 0) goto end;
			s->state=SSL3_ST_SW_KEY_EXCH_A;
			s->init_num=0;
			break;

#endif

B
Ben Laurie 已提交
769 770 771 772 773 774 775 776 777 778 779
		case SSL3_ST_SW_CHANGE_A:
		case SSL3_ST_SW_CHANGE_B:

			s->session->cipher=s->s3->tmp.new_cipher;
			if (!s->method->ssl3_enc->setup_key_block(s))
				{ ret= -1; goto end; }

			ret=dtls1_send_change_cipher_spec(s,
				SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B);

			if (ret <= 0) goto end;
D
Dr. Stephen Henson 已提交
780 781

#ifndef OPENSSL_NO_SCTP
R
Robin Seggelmann 已提交
782 783 784 785 786 787 788
			if (!s->hit)
				{
				/* Change to new shared key of SCTP-Auth,
				 * will be ignored if no SCTP used.
				 */
				BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
				}
D
Dr. Stephen Henson 已提交
789 790
#endif

B
Ben Laurie 已提交
791 792 793 794 795 796 797 798 799 800 801 802 803 804 805
			s->state=SSL3_ST_SW_FINISHED_A;
			s->init_num=0;

			if (!s->method->ssl3_enc->change_cipher_state(s,
				SSL3_CHANGE_CIPHER_SERVER_WRITE))
				{
				ret= -1;
				goto end;
				}

			dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
			break;

		case SSL3_ST_SW_FINISHED_A:
		case SSL3_ST_SW_FINISHED_B:
D
Dr. Stephen Henson 已提交
806
			ret=ssl3_send_finished(s,
B
Ben Laurie 已提交
807 808 809 810 811 812
				SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
				s->method->ssl3_enc->server_finished_label,
				s->method->ssl3_enc->server_finished_label_len);
			if (ret <= 0) goto end;
			s->state=SSL3_ST_SW_FLUSH;
			if (s->hit)
R
Robin Seggelmann 已提交
813
				{
B
Ben Laurie 已提交
814
				s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
R
Robin Seggelmann 已提交
815 816 817 818 819 820 821 822

#ifndef OPENSSL_NO_SCTP
				/* Change to new shared key of SCTP-Auth,
				 * will be ignored if no SCTP used.
				 */
				BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
#endif
				}
B
Ben Laurie 已提交
823
			else
D
Dr. Stephen Henson 已提交
824
				{
B
Ben Laurie 已提交
825
				s->s3->tmp.next_state=SSL_ST_OK;
D
Dr. Stephen Henson 已提交
826 827 828 829 830 831 832 833
#ifndef OPENSSL_NO_SCTP
				if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
					{
					s->d1->next_state = s->s3->tmp.next_state;
					s->s3->tmp.next_state=DTLS1_SCTP_ST_SW_WRITE_SOCK;
					}
#endif
				}
B
Ben Laurie 已提交
834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850
			s->init_num=0;
			break;

		case SSL_ST_OK:
			/* clean a few things up */
			ssl3_cleanup_key_block(s);

#if 0
			BUF_MEM_free(s->init_buf);
			s->init_buf=NULL;
#endif

			/* remove buffering on output */
			ssl_free_wbio_buffer(s);

			s->init_num=0;

D
Dr. Stephen Henson 已提交
851
			if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */
B
Ben Laurie 已提交
852
				{
D
Dr. Stephen Henson 已提交
853
				s->renegotiate=0;
B
Ben Laurie 已提交
854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870
				s->new_session=0;
				
				ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
				
				s->ctx->stats.sess_accept_good++;
				/* s->server=1; */
				s->handshake_func=dtls1_accept;

				if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
				}
			
			ret = 1;

			/* done handshaking, next message is client hello */
			s->d1->handshake_read_seq = 0;
			/* next message is server hello */
			s->d1->handshake_write_seq = 0;
D
Dr. Stephen Henson 已提交
871
			s->d1->next_handshake_write_seq = 0;
B
Ben Laurie 已提交
872 873 874 875
			goto end;
			/* break; */

		default:
B
Bodo Möller 已提交
876
			SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_UNKNOWN_STATE);
B
Ben Laurie 已提交
877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904
			ret= -1;
			goto end;
			/* break; */
			}
		
		if (!s->s3->tmp.reuse_message && !skip)
			{
			if (s->debug)
				{
				if ((ret=BIO_flush(s->wbio)) <= 0)
					goto end;
				}


			if ((cb != NULL) && (s->state != state))
				{
				new_state=s->state;
				s->state=state;
				cb(s,SSL_CB_ACCEPT_LOOP,1);
				s->state=new_state;
				}
			}
		skip=0;
		}
end:
	/* BIO_flush(s->wbio); */

	s->in_handshake--;
D
Dr. Stephen Henson 已提交
905 906 907 908 909 910 911 912
#ifndef OPENSSL_NO_SCTP
		/* Notify SCTP BIO socket to leave handshake
		 * mode and prevent stream identifier other
		 * than 0. Will be ignored if no SCTP is used.
		 */
		BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, s->in_handshake, NULL);
#endif

B
Ben Laurie 已提交
913 914 915 916 917 918 919 920 921 922 923 924 925 926 927
	if (cb != NULL)
		cb(s,SSL_CB_ACCEPT_EXIT,ret);
	return(ret);
	}

int dtls1_send_hello_verify_request(SSL *s)
	{
	unsigned int msg_len;
	unsigned char *msg, *buf, *p;

	if (s->state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A)
		{
		buf = (unsigned char *)s->init_buf->data;

		msg = p = &(buf[DTLS1_HM_HEADER_LENGTH]);
D
Dr. Stephen Henson 已提交
928 929 930
		/* Always use DTLS 1.0 version: see RFC 6347 */
		*(p++) = DTLS1_VERSION >> 8;
		*(p++) = DTLS1_VERSION & 0xFF;
B
Ben Laurie 已提交
931

D
Dr. Stephen Henson 已提交
932 933 934
		if (s->ctx->app_gen_cookie_cb == NULL ||
		     s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
			 &(s->d1->cookie_len)) == 0)
935 936 937 938
			{
			SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,ERR_R_INTERNAL_ERROR);
			return 0;
			}
B
Ben Laurie 已提交
939

940
		*(p++) = (unsigned char) s->d1->cookie_len;
B
Ben Laurie 已提交
941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956
		memcpy(p, s->d1->cookie, s->d1->cookie_len);
		p += s->d1->cookie_len;
		msg_len = p - msg;

		dtls1_set_message_header(s, buf,
			DTLS1_MT_HELLO_VERIFY_REQUEST, msg_len, 0, msg_len);

		s->state=DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B;
		/* number of bytes to write */
		s->init_num=p-buf;
		s->init_off=0;
		}

	/* s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */
	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
	}