search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dmake: do not set MAKEFLAGS=k
[unleashed/tickless.git] / lib / libssl / d1_srvr.c
blobae90ee2093e92375bbe6776017f058e6e09dc120
1 /* $OpenBSD: d1_srvr.c,v 1.88 2017/05/07 04:22:24 beck Exp $ */
2 /*
3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
5 */
6 /* ====================================================================
7 * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
19 * distribution.
20 *
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 *
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * openssl-core@OpenSSL.org.
30 *
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
34 *
35 * 6. Redistributions of any form whatsoever must retain the following
36 * acknowledgment:
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
53 *
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
57 *
58 */
59 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
60 * All rights reserved.
61 *
62 * This package is an SSL implementation written
63 * by Eric Young (eay@cryptsoft.com).
64 * The implementation was written so as to conform with Netscapes SSL.
65 *
66 * This library is free for commercial and non-commercial use as long as
67 * the following conditions are aheared to. The following conditions
68 * apply to all code found in this distribution, be it the RC4, RSA,
69 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
70 * included with this distribution is covered by the same copyright terms
71 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
72 *
73 * Copyright remains Eric Young's, and as such any Copyright notices in
74 * the code are not to be removed.
75 * If this package is used in a product, Eric Young should be given attribution
76 * as the author of the parts of the library used.
77 * This can be in the form of a textual message at program startup or
78 * in documentation (online or textual) provided with the package.
79 *
80 * Redistribution and use in source and binary forms, with or without
81 * modification, are permitted provided that the following conditions
82 * are met:
83 * 1. Redistributions of source code must retain the copyright
84 * notice, this list of conditions and the following disclaimer.
85 * 2. Redistributions in binary form must reproduce the above copyright
86 * notice, this list of conditions and the following disclaimer in the
87 * documentation and/or other materials provided with the distribution.
88 * 3. All advertising materials mentioning features or use of this software
89 * must display the following acknowledgement:
90 * "This product includes cryptographic software written by
91 * Eric Young (eay@cryptsoft.com)"
92 * The word 'cryptographic' can be left out if the rouines from the library
93 * being used are not cryptographic related :-).
94 * 4. If you include any Windows specific code (or a derivative thereof) from
95 * the apps directory (application code) you must include an acknowledgement:
96 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
97 *
98 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
99 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
100 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
101 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
102 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
103 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
104 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
105 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
106 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
107 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
108 * SUCH DAMAGE.
109 *
110 * The licence and distribution terms for any publically available version or
111 * derivative of this code cannot be changed. i.e. this code cannot simply be
112 * copied and put under another distribution licence
113 * [including the GNU Public Licence.]
114 */
115
116 #include <stdio.h>
117
118 #include "ssl_locl.h"
119
120 #include <openssl/bn.h>
121 #include <openssl/buffer.h>
122 #include <openssl/dh.h>
123 #include <openssl/evp.h>
124 #include <openssl/md5.h>
125 #include <openssl/objects.h>
126 #include <openssl/x509.h>
127
128 static int dtls1_send_hello_verify_request(SSL *s);
129
130 static const SSL_METHOD_INTERNAL DTLSv1_server_method_internal_data = {
131 .version = DTLS1_VERSION,
132 .min_version = DTLS1_VERSION,
133 .max_version = DTLS1_VERSION,
134 .ssl_new = dtls1_new,
135 .ssl_clear = dtls1_clear,
136 .ssl_free = dtls1_free,
137 .ssl_accept = dtls1_accept,
138 .ssl_connect = ssl_undefined_function,
139 .ssl_read = ssl3_read,
140 .ssl_peek = ssl3_peek,
141 .ssl_write = ssl3_write,
142 .ssl_shutdown = dtls1_shutdown,
143 .ssl_pending = ssl3_pending,
144 .get_ssl_method = dtls1_get_server_method,
145 .get_timeout = dtls1_default_timeout,
146 .ssl_version = ssl_undefined_void_function,
147 .ssl_renegotiate = ssl3_renegotiate,
148 .ssl_renegotiate_check = ssl3_renegotiate_check,
149 .ssl_get_message = dtls1_get_message,
150 .ssl_read_bytes = dtls1_read_bytes,
151 .ssl_write_bytes = dtls1_write_app_data_bytes,
152 .ssl3_enc = &DTLSv1_enc_data,
153 };
154
155 static const SSL_METHOD DTLSv1_server_method_data = {
156 .ssl_dispatch_alert = dtls1_dispatch_alert,
157 .num_ciphers = ssl3_num_ciphers,
158 .get_cipher = dtls1_get_cipher,
159 .get_cipher_by_char = ssl3_get_cipher_by_char,
160 .put_cipher_by_char = ssl3_put_cipher_by_char,
161 .internal = &DTLSv1_server_method_internal_data,
162 };
163
164 const SSL_METHOD *
165 DTLSv1_server_method(void)
166 {
167 return &DTLSv1_server_method_data;
168 }
169
170 const SSL_METHOD *
171 dtls1_get_server_method(int ver)
172 {
173 if (ver == DTLS1_VERSION)
174 return (DTLSv1_server_method());
175 return (NULL);
176 }
177
178 int
179 dtls1_accept(SSL *s)
180 {
181 void (*cb)(const SSL *ssl, int type, int val) = NULL;
182 unsigned long alg_k;
183 int ret = -1;
184 int new_state, state, skip = 0;
185 int listen;
186
187 ERR_clear_error();
188 errno = 0;
189
190 if (s->internal->info_callback != NULL)
191 cb = s->internal->info_callback;
192 else if (s->ctx->internal->info_callback != NULL)
193 cb = s->ctx->internal->info_callback;
194
195 listen = D1I(s)->listen;
196
197 /* init things to blank */
198 s->internal->in_handshake++;
199 if (!SSL_in_init(s) || SSL_in_before(s))
200 SSL_clear(s);
201
202 D1I(s)->listen = listen;
203
204 if (s->cert == NULL) {
205 SSLerror(s, SSL_R_NO_CERTIFICATE_SET);
206 ret = -1;
207 goto end;
208 }
209
210 for (;;) {
211 state = S3I(s)->hs.state;
212
213 switch (S3I(s)->hs.state) {
214 case SSL_ST_RENEGOTIATE:
215 s->internal->renegotiate = 1;
216 /* S3I(s)->hs.state=SSL_ST_ACCEPT; */
217
218 case SSL_ST_BEFORE:
219 case SSL_ST_ACCEPT:
220 case SSL_ST_BEFORE|SSL_ST_ACCEPT:
221 case SSL_ST_OK|SSL_ST_ACCEPT:
222
223 s->server = 1;
224 if (cb != NULL)
225 cb(s, SSL_CB_HANDSHAKE_START, 1);
226
227 if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) {
228 SSLerror(s, ERR_R_INTERNAL_ERROR);
229 ret = -1;
230 goto end;
231 }
232 s->internal->type = SSL_ST_ACCEPT;
233
234 if (!ssl3_setup_init_buffer(s)) {
235 ret = -1;
236 goto end;
237 }
238 if (!ssl3_setup_buffers(s)) {
239 ret = -1;
240 goto end;
241 }
242
243 s->internal->init_num = 0;
244
245 if (S3I(s)->hs.state != SSL_ST_RENEGOTIATE) {
246 /* Ok, we now need to push on a buffering BIO so that
247 * the output is sent in a way that TCP likes :-)
248 * ...but not with SCTP :-)
249 */
250 if (!ssl_init_wbio_buffer(s, 1)) {
251 ret = -1;
252 goto end;
253 }
254
255 if (!tls1_init_finished_mac(s)) {
256 ret = -1;
257 goto end;
258 }
259
260 S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A;
261 s->ctx->internal->stats.sess_accept++;
262 } else {
263 /* S3I(s)->hs.state == SSL_ST_RENEGOTIATE,
264 * we will just send a HelloRequest */
265 s->ctx->internal->stats.sess_accept_renegotiate++;
266 S3I(s)->hs.state = SSL3_ST_SW_HELLO_REQ_A;
267 }
268
269 break;
270
271 case SSL3_ST_SW_HELLO_REQ_A:
272 case SSL3_ST_SW_HELLO_REQ_B:
273
274 s->internal->shutdown = 0;
275 dtls1_clear_record_buffer(s);
276 dtls1_start_timer(s);
277 ret = ssl3_send_hello_request(s);
278 if (ret <= 0)
279 goto end;
280 S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A;
281 S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
282 s->internal->init_num = 0;
283
284 if (!tls1_init_finished_mac(s)) {
285 ret = -1;
286 goto end;
287 }
288 break;
289
290 case SSL3_ST_SW_HELLO_REQ_C:
291 S3I(s)->hs.state = SSL_ST_OK;
292 break;
293
294 case SSL3_ST_SR_CLNT_HELLO_A:
295 case SSL3_ST_SR_CLNT_HELLO_B:
296 case SSL3_ST_SR_CLNT_HELLO_C:
297
298 s->internal->shutdown = 0;
299 ret = ssl3_get_client_hello(s);
300 if (ret <= 0)
301 goto end;
302 dtls1_stop_timer(s);
303
304 if (ret == 1 && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
305 S3I(s)->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
306 else
307 S3I(s)->hs.state = SSL3_ST_SW_SRVR_HELLO_A;
308
309 s->internal->init_num = 0;
310
311 /* Reflect ClientHello sequence to remain stateless while listening */
312 if (listen) {
313 memcpy(S3I(s)->write_sequence, S3I(s)->read_sequence, sizeof(S3I(s)->write_sequence));
314 }
315
316 /* If we're just listening, stop here */
317 if (listen && S3I(s)->hs.state == SSL3_ST_SW_SRVR_HELLO_A) {
318 ret = 2;
319 D1I(s)->listen = 0;
320 /* Set expected sequence numbers
321 * to continue the handshake.
322 */
323 D1I(s)->handshake_read_seq = 2;
324 D1I(s)->handshake_write_seq = 1;
325 D1I(s)->next_handshake_write_seq = 1;
326 goto end;
327 }
328
329 break;
330
331 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
332 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
333
334 ret = dtls1_send_hello_verify_request(s);
335 if (ret <= 0)
336 goto end;
337 S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
338 S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A;
339
340 /* HelloVerifyRequest resets Finished MAC */
341 if (!tls1_init_finished_mac(s)) {
342 ret = -1;
343 goto end;
344 }
345 break;
346
347
348 case SSL3_ST_SW_SRVR_HELLO_A:
349 case SSL3_ST_SW_SRVR_HELLO_B:
350 s->internal->renegotiate = 2;
351 dtls1_start_timer(s);
352 ret = ssl3_send_server_hello(s);
353 if (ret <= 0)
354 goto end;
355
356 if (s->internal->hit) {
357 if (s->internal->tlsext_ticket_expected)
358 S3I(s)->hs.state = SSL3_ST_SW_SESSION_TICKET_A;
359 else
360 S3I(s)->hs.state = SSL3_ST_SW_CHANGE_A;
361 } else
362 S3I(s)->hs.state = SSL3_ST_SW_CERT_A;
363 s->internal->init_num = 0;
364 break;
365
366 case SSL3_ST_SW_CERT_A:
367 case SSL3_ST_SW_CERT_B:
368 /* Check if it is anon DH. */
369 if (!(S3I(s)->hs.new_cipher->algorithm_auth &
370 SSL_aNULL)) {
371 dtls1_start_timer(s);
372 ret = ssl3_send_server_certificate(s);
373 if (ret <= 0)
374 goto end;
375 if (s->internal->tlsext_status_expected)
376 S3I(s)->hs.state = SSL3_ST_SW_CERT_STATUS_A;
377 else
378 S3I(s)->hs.state = SSL3_ST_SW_KEY_EXCH_A;
379 } else {
380 skip = 1;
381 S3I(s)->hs.state = SSL3_ST_SW_KEY_EXCH_A;
382 }
383 s->internal->init_num = 0;
384 break;
385
386 case SSL3_ST_SW_KEY_EXCH_A:
387 case SSL3_ST_SW_KEY_EXCH_B:
388 alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
389
390 /* Only send if using a DH key exchange. */
391 if (alg_k & (SSL_kDHE|SSL_kECDHE)) {
392 dtls1_start_timer(s);
393 ret = ssl3_send_server_key_exchange(s);
394 if (ret <= 0)
395 goto end;
396 } else
397 skip = 1;
398
399 S3I(s)->hs.state = SSL3_ST_SW_CERT_REQ_A;
400 s->internal->init_num = 0;
401 break;
402
403 case SSL3_ST_SW_CERT_REQ_A:
404 case SSL3_ST_SW_CERT_REQ_B:
405 /*
406 * Determine whether or not we need to request a
407 * certificate.
408 *
409 * Do not request a certificate if:
410 *
411 * - We did not ask for it (SSL_VERIFY_PEER is unset).
412 *
413 * - SSL_VERIFY_CLIENT_ONCE is set and we are
414 * renegotiating.
415 *
416 * - We are using an anonymous ciphersuites
417 * (see section "Certificate request" in SSL 3 drafts
418 * and in RFC 2246) ... except when the application
419 * insists on verification (against the specs, but
420 * s3_clnt.c accepts this for SSL 3).
421 */
422 if (!(s->verify_mode & SSL_VERIFY_PEER) ||
423 ((s->session->peer != NULL) &&
424 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
425 ((S3I(s)->hs.new_cipher->algorithm_auth &
426 SSL_aNULL) && !(s->verify_mode &
427 SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
428 /* no cert request */
429 skip = 1;
430 S3I(s)->tmp.cert_request = 0;
431 S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A;
432 } else {
433 S3I(s)->tmp.cert_request = 1;
434 dtls1_start_timer(s);
435 ret = ssl3_send_certificate_request(s);
436 if (ret <= 0)
437 goto end;
438 S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A;
439 s->internal->init_num = 0;
440 }
441 break;
442
443 case SSL3_ST_SW_SRVR_DONE_A:
444 case SSL3_ST_SW_SRVR_DONE_B:
445 dtls1_start_timer(s);
446 ret = ssl3_send_server_done(s);
447 if (ret <= 0)
448 goto end;
449 S3I(s)->hs.next_state = SSL3_ST_SR_CERT_A;
450 S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
451 s->internal->init_num = 0;
452 break;
453
454 case SSL3_ST_SW_FLUSH:
455 s->internal->rwstate = SSL_WRITING;
456 if (BIO_flush(s->wbio) <= 0) {
457 /* If the write error was fatal, stop trying */
458 if (!BIO_should_retry(s->wbio)) {
459 s->internal->rwstate = SSL_NOTHING;
460 S3I(s)->hs.state = S3I(s)->hs.next_state;
461 }
462
463 ret = -1;
464 goto end;
465 }
466 s->internal->rwstate = SSL_NOTHING;
467 S3I(s)->hs.state = S3I(s)->hs.next_state;
468 break;
469
470 case SSL3_ST_SR_CERT_A:
471 case SSL3_ST_SR_CERT_B:
472 if (S3I(s)->tmp.cert_request) {
473 ret = ssl3_get_client_certificate(s);
474 if (ret <= 0)
475 goto end;
476 }
477 s->internal->init_num = 0;
478 S3I(s)->hs.state = SSL3_ST_SR_KEY_EXCH_A;
479 break;
480
481 case SSL3_ST_SR_KEY_EXCH_A:
482 case SSL3_ST_SR_KEY_EXCH_B:
483 ret = ssl3_get_client_key_exchange(s);
484 if (ret <= 0)
485 goto end;
486
487 S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A;
488 s->internal->init_num = 0;
489
490 if (ret == 2) {
491 /* For the ECDH ciphersuites when
492 * the client sends its ECDH pub key in
493 * a certificate, the CertificateVerify
494 * message is not sent.
495 */
496 S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A;
497 s->internal->init_num = 0;
498 } else if (SSL_USE_SIGALGS(s)) {
499 S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A;
500 s->internal->init_num = 0;
501 if (!s->session->peer)
502 break;
503
504 /*
505 * For sigalgs freeze the handshake buffer
506 * at this point and digest cached records.
507 */
508 if (!S3I(s)->handshake_buffer) {
509 SSLerror(s, ERR_R_INTERNAL_ERROR);
510 ret = -1;
511 goto end;
512 }
513 s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
514 if (!tls1_digest_cached_records(s)) {
515 ret = -1;
516 goto end;
517 }
518 } else {
519 S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A;
520 s->internal->init_num = 0;
521
522 /*
523 * We need to get hashes here so if there is
524 * a client cert, it can be verified.
525 */
526 if (S3I(s)->handshake_buffer) {
527 if (!tls1_digest_cached_records(s)) {
528 ret = -1;
529 goto end;
530 }
531 }
532 if (!tls1_handshake_hash_value(s,
533 S3I(s)->tmp.cert_verify_md,
534 sizeof(S3I(s)->tmp.cert_verify_md),
535 NULL)) {
536 ret = -1;
537 goto end;
538 }
539 }
540 break;
541
542 case SSL3_ST_SR_CERT_VRFY_A:
543 case SSL3_ST_SR_CERT_VRFY_B:
544
545 D1I(s)->change_cipher_spec_ok = 1;
546 /* we should decide if we expected this one */
547 ret = ssl3_get_cert_verify(s);
548 if (ret <= 0)
549 goto end;
550 S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A;
551 s->internal->init_num = 0;
552 break;
553
554 case SSL3_ST_SR_FINISHED_A:
555 case SSL3_ST_SR_FINISHED_B:
556 D1I(s)->change_cipher_spec_ok = 1;
557 ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A,
558 SSL3_ST_SR_FINISHED_B);
559 if (ret <= 0)
560 goto end;
561 dtls1_stop_timer(s);
562 if (s->internal->hit)
563 S3I(s)->hs.state = SSL_ST_OK;
564 else if (s->internal->tlsext_ticket_expected)
565 S3I(s)->hs.state = SSL3_ST_SW_SESSION_TICKET_A;
566 else
567 S3I(s)->hs.state = SSL3_ST_SW_CHANGE_A;
568 s->internal->init_num = 0;
569 break;
570
571 case SSL3_ST_SW_SESSION_TICKET_A:
572 case SSL3_ST_SW_SESSION_TICKET_B:
573 ret = ssl3_send_newsession_ticket(s);
574 if (ret <= 0)
575 goto end;
576 S3I(s)->hs.state = SSL3_ST_SW_CHANGE_A;
577 s->internal->init_num = 0;
578 break;
579
580 case SSL3_ST_SW_CERT_STATUS_A:
581 case SSL3_ST_SW_CERT_STATUS_B:
582 ret = ssl3_send_cert_status(s);
583 if (ret <= 0)
584 goto end;
585 S3I(s)->hs.state = SSL3_ST_SW_KEY_EXCH_A;
586 s->internal->init_num = 0;
587 break;
588
589
590 case SSL3_ST_SW_CHANGE_A:
591 case SSL3_ST_SW_CHANGE_B:
592
593 s->session->cipher = S3I(s)->hs.new_cipher;
594 if (!tls1_setup_key_block(s)) {
595 ret = -1;
596 goto end;
597 }
598
599 ret = dtls1_send_change_cipher_spec(s,
600 SSL3_ST_SW_CHANGE_A, SSL3_ST_SW_CHANGE_B);
601
602 if (ret <= 0)
603 goto end;
604
605
606 S3I(s)->hs.state = SSL3_ST_SW_FINISHED_A;
607 s->internal->init_num = 0;
608
609 if (!tls1_change_cipher_state(s,
610 SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
611 ret = -1;
612 goto end;
613 }
614
615 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
616 break;
617
618 case SSL3_ST_SW_FINISHED_A:
619 case SSL3_ST_SW_FINISHED_B:
620 ret = ssl3_send_finished(s,
621 SSL3_ST_SW_FINISHED_A, SSL3_ST_SW_FINISHED_B,
622 TLS_MD_SERVER_FINISH_CONST,
623 TLS_MD_SERVER_FINISH_CONST_SIZE);
624 if (ret <= 0)
625 goto end;
626 S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
627 if (s->internal->hit) {
628 S3I(s)->hs.next_state = SSL3_ST_SR_FINISHED_A;
629
630 } else {
631 S3I(s)->hs.next_state = SSL_ST_OK;
632 }
633 s->internal->init_num = 0;
634 break;
635
636 case SSL_ST_OK:
637 /* clean a few things up */
638 tls1_cleanup_key_block(s);
639
640 /* remove buffering on output */
641 ssl_free_wbio_buffer(s);
642
643 s->internal->init_num = 0;
644
645 if (s->internal->renegotiate == 2) /* skipped if we just sent a HelloRequest */
646 {
647 s->internal->renegotiate = 0;
648 s->internal->new_session = 0;
649
650 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
651
652 s->ctx->internal->stats.sess_accept_good++;
653 /* s->server=1; */
654 s->internal->handshake_func = dtls1_accept;
655
656 if (cb != NULL)
657 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
658 }
659
660 ret = 1;
661
662 /* done handshaking, next message is client hello */
663 D1I(s)->handshake_read_seq = 0;
664 /* next message is server hello */
665 D1I(s)->handshake_write_seq = 0;
666 D1I(s)->next_handshake_write_seq = 0;
667 goto end;
668 /* break; */
669
670 default:
671 SSLerror(s, SSL_R_UNKNOWN_STATE);
672 ret = -1;
673 goto end;
674 /* break; */
675 }
676
677 if (!S3I(s)->tmp.reuse_message && !skip) {
678 if (s->internal->debug) {
679 if ((ret = BIO_flush(s->wbio)) <= 0)
680 goto end;
681 }
682
683 if ((cb != NULL) && (S3I(s)->hs.state != state)) {
684 new_state = S3I(s)->hs.state;
685 S3I(s)->hs.state = state;
686 cb(s, SSL_CB_ACCEPT_LOOP, 1);
687 S3I(s)->hs.state = new_state;
688 }
689 }
690 skip = 0;
691 }
692 end:
693 /* BIO_flush(s->wbio); */
694
695 s->internal->in_handshake--;
696
697 if (cb != NULL)
698 cb(s, SSL_CB_ACCEPT_EXIT, ret);
699
700 return (ret);
701 }
702
703 int
704 dtls1_send_hello_verify_request(SSL *s)
705 {
706 CBB cbb, verify, cookie;
707
708 memset(&cbb, 0, sizeof(cbb));
709
710 if (S3I(s)->hs.state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A) {
711 if (s->ctx->internal->app_gen_cookie_cb == NULL ||
712 s->ctx->internal->app_gen_cookie_cb(s, D1I(s)->cookie,
713 &(D1I(s)->cookie_len)) == 0) {
714 SSLerror(s, ERR_R_INTERNAL_ERROR);
715 return 0;
716 }
717
718 if (!ssl3_handshake_msg_start_cbb(s, &cbb, &verify,
719 DTLS1_MT_HELLO_VERIFY_REQUEST))
720 goto err;
721 if (!CBB_add_u16(&verify, s->version))
722 goto err;
723 if (!CBB_add_u8_length_prefixed(&verify, &cookie))
724 goto err;
725 if (!CBB_add_bytes(&cookie, D1I(s)->cookie, D1I(s)->cookie_len))
726 goto err;
727 if (!ssl3_handshake_msg_finish_cbb(s, &cbb))
728 goto err;
729
730 S3I(s)->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B;
731 }
732
733 /* S3I(s)->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */
734 return (ssl3_handshake_write(s));
735
736 err:
737 CBB_cleanup(&cbb);
738
739 return (-1);
740 }
unleashed repo fork