diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2013-03-11 15:34:28 +0000 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2013-09-18 13:46:02 +0100 |
| commit | 741c9959f621a383055816cb3db37a61fee889e5 (patch) | |
| tree | e2f34100481b3e36c1c240e5fbd84fe837aa5a26 /ssl | |
| parent | 7c23127fde8fe94af914961eb7702caa7f256a05 (diff) | |
DTLS revision.
Revise DTLS code. There was a *lot* of code duplication in the
DTLS code that generates records. This makes it harder to maintain and
sometimes a TLS update is omitted by accident from the DTLS code.
Specifically almost all of the record generation functions have code like
this:
some_pointer = buffer + HANDSHAKE_HEADER_LENGTH;
... Record creation stuff ...
set_handshake_header(ssl, SSL_MT_SOMETHING, message_len);
...
write_handshake_message(ssl);
Where the "Record creation stuff" is identical between SSL/TLS and DTLS or
in some cases has very minor differences.
By adding a few fields to SSL3_ENC to include the header length, some flags
and function pointers for handshake header setting and handshake writing the
code can cope with both cases.
(cherry picked from commit 173e72e64c6a07ae97660c322396b66215009f33)
Diffstat (limited to 'ssl')
| -rw-r--r-- | ssl/d1_both.c | 78 | ||||
| -rw-r--r-- | ssl/d1_clnt.c | 899 | ||||
| -rw-r--r-- | ssl/d1_lib.c | 23 | ||||
| -rw-r--r-- | ssl/d1_srvr.c | 842 | ||||
| -rw-r--r-- | ssl/s3_both.c | 31 | ||||
| -rw-r--r-- | ssl/s3_clnt.c | 90 | ||||
| -rw-r--r-- | ssl/s3_lib.c | 20 | ||||
| -rw-r--r-- | ssl/s3_srvr.c | 132 | ||||
| -rw-r--r-- | ssl/ssl3.h | 2 | ||||
| -rw-r--r-- | ssl/ssl_locl.h | 45 | ||||
| -rw-r--r-- | ssl/t1_lib.c | 42 |
11 files changed, 233 insertions, 1971 deletions
diff --git a/ssl/d1_both.c b/ssl/d1_both.c index bb9be8ad65..ee945cbd3a 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -896,63 +896,6 @@ f_err: return(-1); } -int dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen) - { - unsigned char *p,*d; - int i; - unsigned long l; - - if (s->state == a) - { - d=(unsigned char *)s->init_buf->data; - p= &(d[DTLS1_HM_HEADER_LENGTH]); - - i=s->method->ssl3_enc->final_finish_mac(s, - sender,slen,s->s3->tmp.finish_md); - s->s3->tmp.finish_md_len = i; - memcpy(p, s->s3->tmp.finish_md, i); - p+=i; - l=i; - - /* Copy the finished so we can use it for - * renegotiation checks - */ - if(s->type == SSL_ST_CONNECT) - { - OPENSSL_assert(i <= EVP_MAX_MD_SIZE); - memcpy(s->s3->previous_client_finished, - s->s3->tmp.finish_md, i); - s->s3->previous_client_finished_len=i; - } - else - { - OPENSSL_assert(i <= EVP_MAX_MD_SIZE); - memcpy(s->s3->previous_server_finished, - s->s3->tmp.finish_md, i); - s->s3->previous_server_finished_len=i; - } - -#ifdef OPENSSL_SYS_WIN16 - /* MSVC 1.5 does not clear the top bytes of the word unless - * I do this. - */ - l&=0xffff; -#endif - - d = dtls1_set_message_header(s, d, SSL3_MT_FINISHED, l, 0, l); - s->init_num=(int)l+DTLS1_HM_HEADER_LENGTH; - s->init_off=0; - - /* buffer the message to handle re-xmits */ - dtls1_buffer_message(s, 0); - - s->state=b; - } - - /* SSL3_ST_SEND_xxxxxx_HELLO_B */ - return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); - } - /* for these 2 messages, we need to * ssl->enc_read_ctx re-init * ssl->s3->read_sequence zero @@ -993,27 +936,6 @@ int dtls1_send_change_cipher_spec(SSL *s, int a, int b) return(dtls1_do_write(s,SSL3_RT_CHANGE_CIPHER_SPEC)); } -unsigned long dtls1_output_cert_chain(SSL *s, CERT_PKEY *cpk) - { - unsigned char *p; - unsigned long l= 3 + DTLS1_HM_HEADER_LENGTH; - BUF_MEM *buf=s->init_buf; - - if (!ssl_add_cert_chain(s, cpk, &l)) - return 0; - - l-= (3 + DTLS1_HM_HEADER_LENGTH); - - p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH]); - l2n3(l,p); - l+=3; - p=(unsigned char *)&(buf->data[0]); - p = dtls1_set_message_header(s, p, SSL3_MT_CERTIFICATE, l, 0, l); - - l+=DTLS1_HM_HEADER_LENGTH; - return(l); - } - int dtls1_read_failed(SSL *s, int code) { if ( code > 0) diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c index 4af8ffda4d..f2f991e6f7 100644 --- a/ssl/d1_clnt.c +++ b/ssl/d1_clnt.c @@ -296,7 +296,7 @@ int dtls1_connect(SSL *s) ssl3_init_finished_mac(s); dtls1_start_timer(s); - ret=dtls1_client_hello(s); + ret=ssl3_client_hello(s); if (ret <= 0) goto end; if ( s->d1->send_cookie) @@ -460,7 +460,7 @@ int dtls1_connect(SSL *s) case SSL3_ST_CW_CERT_C: case SSL3_ST_CW_CERT_D: dtls1_start_timer(s); - ret=dtls1_send_client_certificate(s); + ret=ssl3_send_client_certificate(s); if (ret <= 0) goto end; s->state=SSL3_ST_CW_KEY_EXCH_A; s->init_num=0; @@ -469,7 +469,7 @@ int dtls1_connect(SSL *s) case SSL3_ST_CW_KEY_EXCH_A: case SSL3_ST_CW_KEY_EXCH_B: dtls1_start_timer(s); - ret=dtls1_send_client_key_exchange(s); + ret=ssl3_send_client_key_exchange(s); if (ret <= 0) goto end; #ifndef OPENSSL_NO_SCTP @@ -515,7 +515,7 @@ int dtls1_connect(SSL *s) case SSL3_ST_CW_CERT_VRFY_A: case SSL3_ST_CW_CERT_VRFY_B: dtls1_start_timer(s); - ret=dtls1_send_client_verify(s); + ret=ssl3_send_client_verify(s); if (ret <= 0) goto end; #ifndef OPENSSL_NO_SCTP if (BIO_dgram_is_sctp(SSL_get_wbio(s))) @@ -578,7 +578,7 @@ int dtls1_connect(SSL *s) case SSL3_ST_CW_FINISHED_B: if (!s->hit) dtls1_start_timer(s); - ret=dtls1_send_finished(s, + ret=ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B, s->method->ssl3_enc->client_finished_label, s->method->ssl3_enc->client_finished_label_len); @@ -768,133 +768,6 @@ end: return(ret); } -int dtls1_client_hello(SSL *s) - { - unsigned char *buf; - unsigned char *p,*d; - unsigned int i,j; - unsigned long Time,l; - SSL_COMP *comp; - - buf=(unsigned char *)s->init_buf->data; - if (s->state == SSL3_ST_CW_CLNT_HELLO_A) - { - SSL_SESSION *sess = s->session; - if ((s->session == NULL) || - (s->session->ssl_version != s->version) || -#ifdef OPENSSL_NO_TLSEXT - !sess->session_id_length || -#else - (!sess->session_id_length && !sess->tlsext_tick) || -#endif - (s->session->not_resumable)) - { - if (!ssl_get_new_session(s,0)) - goto err; - } - /* else use the pre-loaded session */ - - p=s->s3->client_random; - - /* if client_random is initialized, reuse it, we are - * required to use same upon reply to HelloVerify */ - for (i=0;p[i]=='\0' && i<sizeof(s->s3->client_random);i++) ; - if (i==sizeof(s->s3->client_random)) - { - Time=(unsigned long)time(NULL); /* Time */ - l2n(Time,p); - RAND_pseudo_bytes(p,sizeof(s->s3->client_random)-4); - } - - /* Do the message type and length last */ - d=p= &(buf[DTLS1_HM_HEADER_LENGTH]); - - *(p++)=s->version>>8; - *(p++)=s->version&0xff; - s->client_version=s->version; - - /* Random stuff */ - memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); - p+=SSL3_RANDOM_SIZE; - - /* Session ID */ - if (s->new_session) - i=0; - else - i=s->session->session_id_length; - *(p++)=i; - if (i != 0) - { - if (i > sizeof s->session->session_id) - { - SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); - goto err; - } - memcpy(p,s->session->session_id,i); - p+=i; - } - - /* cookie stuff */ - if ( s->d1->cookie_len > sizeof(s->d1->cookie)) - { - SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); - goto err; - } - *(p++) = s->d1->cookie_len; - memcpy(p, s->d1->cookie, s->d1->cookie_len); - p += s->d1->cookie_len; - - /* Ciphers supported */ - i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0); - if (i == 0) - { - SSLerr(SSL_F_DTLS1_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); - goto err; - } - s2n(i,p); - p+=i; - - /* COMPRESSION */ - if (s->ctx->comp_methods == NULL) - j=0; - else - j=sk_SSL_COMP_num(s->ctx->comp_methods); - *(p++)=1+j; - for (i=0; i<j; i++) - { - comp=sk_SSL_COMP_value(s->ctx->comp_methods,i); - *(p++)=comp->id; - } - *(p++)=0; /* Add the NULL method */ - -#ifndef OPENSSL_NO_TLSEXT - if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) - { - SSLerr(SSL_F_DTLS1_CLIENT_HELLO,ERR_R_INTERNAL_ERROR); - goto err; - } -#endif - - l=(p-d); - d=buf; - - d = dtls1_set_message_header(s, d, SSL3_MT_CLIENT_HELLO, l, 0, l); - - s->state=SSL3_ST_CW_CLNT_HELLO_B; - /* number of bytes to write */ - s->init_num=p-buf; - s->init_off=0; - - /* buffer the message to handle re-xmits */ - dtls1_buffer_message(s, 0); - } - - /* SSL3_ST_CW_CLNT_HELLO_B */ - return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); -err: - return(-1); - } - static int dtls1_get_hello_verify(SSL *s) { int n, al, ok = 0; @@ -946,765 +819,3 @@ f_err: return -1; } -int dtls1_send_client_key_exchange(SSL *s) - { - unsigned char *p,*d; - int n; - unsigned long alg_k; -#ifndef OPENSSL_NO_RSA - unsigned char *q; - EVP_PKEY *pkey=NULL; -#endif -#ifndef OPENSSL_NO_KRB5 - KSSL_ERR kssl_err; -#endif /* OPENSSL_NO_KRB5 */ -#ifndef OPENSSL_NO_ECDH - EC_KEY *clnt_ecdh = NULL; - const EC_POINT *srvr_ecpoint = NULL; - EVP_PKEY *srvr_pub_pkey = NULL; - unsigned char *encodedPoint = NULL; - int encoded_pt_len = 0; - BN_CTX * bn_ctx = NULL; -#endif - - if (s->state == SSL3_ST_CW_KEY_EXCH_A) - { - d=(unsigned char *)s->init_buf->data; - p= &(d[DTLS1_HM_HEADER_LENGTH]); - - alg_k=s->s3->tmp.new_cipher->algorithm_mkey; - - /* Fool emacs indentation */ - if (0) {} -#ifndef OPENSSL_NO_RSA - else if (alg_k & SSL_kRSA) - { - RSA *rsa; - unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; - - if (s->session->sess_cert->peer_rsa_tmp != NULL) - rsa=s->session->sess_cert->peer_rsa_tmp; - else - { - pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); - if ((pkey == NULL) || - (pkey->type != EVP_PKEY_RSA) || - (pkey->pkey.rsa == NULL)) - { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); - goto err; - } - rsa=pkey->pkey.rsa; - EVP_PKEY_free(pkey); - } - - tmp_buf[0]=s->client_version>>8; - tmp_buf[1]=s->client_version&0xff; - if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) - goto err; - - s->session->master_key_length=sizeof tmp_buf; - - q=p; - /* Fix buf for TLS and [incidentally] DTLS */ - if (s->version > SSL3_VERSION) - p+=2; - n=RSA_public_encrypt(sizeof tmp_buf, - tmp_buf,p,rsa,RSA_PKCS1_PADDING); -#ifdef PKCS1_CHECK - if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++; - if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70; -#endif - if (n <= 0) - { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT); - goto err; - } - - /* Fix buf for TLS and [incidentally] DTLS */ - if (s->version > SSL3_VERSION) - { - s2n(n,q); - n+=2; - } - - s->session->master_key_length= - s->method->ssl3_enc->generate_master_secret(s, - s->session->master_key, - tmp_buf,sizeof tmp_buf); - OPENSSL_cleanse(tmp_buf,sizeof tmp_buf); - } -#endif -#ifndef OPENSSL_NO_KRB5 - else if (alg_k & SSL_kKRB5) - { - krb5_error_code krb5rc; - KSSL_CTX *kssl_ctx = s->kssl_ctx; - /* krb5_data krb5_ap_req; */ - krb5_data *enc_ticket; - krb5_data authenticator, *authp = NULL; - EVP_CIPHER_CTX ciph_ctx; - const EVP_CIPHER *enc = NULL; - unsigned char iv[EVP_MAX_IV_LENGTH]; - unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; - unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH - + EVP_MAX_IV_LENGTH]; - int padl, outl = sizeof(epms); - - EVP_CIPHER_CTX_init(&ciph_ctx); - -#ifdef KSSL_DEBUG - printf("ssl3_send_client_key_exchange(%lx & %lx)\n", - alg_k, SSL_kKRB5); -#endif /* KSSL_DEBUG */ - - authp = NULL; -#ifdef KRB5SENDAUTH - if (KRB5SENDAUTH) authp = &authenticator; -#endif /* KRB5SENDAUTH */ - - krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp, - &kssl_err); - enc = kssl_map_enc(kssl_ctx->enctype); - if (enc == NULL) - goto err; -#ifdef KSSL_DEBUG - { - printf("kssl_cget_tkt rtn %d\n", krb5rc); - if (krb5rc && kssl_err.text) - printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text); - } -#endif /* KSSL_DEBUG */ - - if (krb5rc) - { - ssl3_send_alert(s,SSL3_AL_FATAL, - SSL_AD_HANDSHAKE_FAILURE); - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, - kssl_err.reason); - goto err; - } - - /* 20010406 VRS - Earlier versions used KRB5 AP_REQ - ** in place of RFC 2712 KerberosWrapper, as in: - ** - ** Send ticket (copy to *p, set n = length) - ** n = krb5_ap_req.length; - ** memcpy(p, krb5_ap_req.data, krb5_ap_req.length); - ** if (krb5_ap_req.data) - ** kssl_krb5_free_data_contents(NULL,&krb5_ap_req); - ** - ** Now using real RFC 2712 KerberosWrapper - ** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>) - ** Note: 2712 "opaque" types are here replaced - ** with a 2-byte length followed by the value. - ** Example: - ** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms - ** Where "xx xx" = length bytes. Shown here with - ** optional authenticator omitted. - */ - - /* KerberosWrapper.Ticket */ - s2n(enc_ticket->length,p); - memcpy(p, enc_ticket->data, enc_ticket->length); - p+= enc_ticket->length; - n = enc_ticket->length + 2; - - /* KerberosWrapper.Authenticator */ - if (authp && authp->length) - { - s2n(authp->length,p); - memcpy(p, authp->data, authp->length); - p+= authp->length; - n+= authp->length + 2; - - free(authp->data); - authp->data = NULL; - authp->length = 0; - } - else - { - s2n(0,p);/* null authenticator length */ - n+=2; - } - - if (RAND_bytes(tmp_buf,sizeof tmp_buf) <= 0) - goto err; - - /* 20010420 VRS. Tried it this way; failed. - ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL); - ** EVP_CIPHER_CTX_set_key_length(&ciph_ctx, - ** kssl_ctx->length); - ** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv); - */ - - memset(iv, 0, sizeof iv); /* per RFC 1510 */ - EVP_EncryptInit_ex(&ciph_ctx,enc, NULL, - kssl_ctx->key,iv); - EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf, - sizeof tmp_buf); - EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl); - outl += padl; - if (outl > (int)sizeof epms) - { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); - goto err; - } - EVP_CIPHER_CTX_cleanup(&ciph_ctx); - - /* KerberosWrapper.EncryptedPreMasterSecret */ - s2n(outl,p); - memcpy(p, epms, outl); - p+=outl; - n+=outl + 2; - - s->session->master_key_length= - s->method->ssl3_enc->generate_master_secret(s, - s->session->master_key, - tmp_buf, sizeof tmp_buf); - - OPENSSL_cleanse(tmp_buf, sizeof tmp_buf); - OPENSSL_cleanse(epms, outl); - } -#endif -#ifndef OPENSSL_NO_DH - else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) - { - DH *dh_srvr,*dh_clnt; - - if (s->session->sess_cert->peer_dh_tmp != NULL) - dh_srvr=s->session->sess_cert->peer_dh_tmp; - else - { - /* we get them from the cert */ - ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS); - goto err; - } - - /* generate a new random key */ - if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL) - { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); - goto err; - } - if (!DH_generate_key(dh_clnt)) - { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); - goto err; - } - - /* use the 'p' output buffer for the DH key, but - * make sure to clear it out afterwards */ - - n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt); - - if (n <= 0) - { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); - goto err; - } - - /* generate master key from the result */ - s->session->master_key_length= - s->method->ssl3_enc->generate_master_secret(s, - s->session->master_key,p,n); - /* clean up */ - memset(p,0,n); - - /* send off the data */ - n=BN_num_bytes(dh_clnt->pub_key); - s2n(n,p); - BN_bn2bin(dh_clnt->pub_key,p); - n+=2; - - DH_free(dh_clnt); - - /* perhaps clean things up a bit EAY EAY EAY EAY*/ - } -#endif -#ifndef OPENSSL_NO_ECDH - else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) - { - const EC_GROUP *srvr_group = NULL; - EC_KEY *tkey; - int ecdh_clnt_cert = 0; - int field_size = 0; - - /* Did we send out the client's - * ECDH share for use in premaster - * computation as part of client certificate? - * If so, set ecdh_clnt_cert to 1. - */ - if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL)) - { - /* XXX: For now, we do not support client - * authentication using ECDH certificates. - * To add such support, one needs to add - * code that checks for appropriate - * conditions and sets ecdh_clnt_cert to 1. - * For example, the cert have an ECC - * key on the same curve as the server's - * and the key should be authorized for - * key agreement. - * - * One also needs to add code in ssl3_connect - * to skip sending the certificate verify - * message. - * - * if ((s->cert->key->privatekey != NULL) && - * (s->cert->key->privatekey->type == - * EVP_PKEY_EC) && ...) - * ecdh_clnt_cert = 1; - */ - } - - if (s->session->sess_cert->peer_ecdh_tmp != NULL) - { - tkey = s->session->sess_cert->peer_ecdh_tmp; - } - else - { - /* Get the Server Public Key from Cert */ - srvr_pub_pkey = X509_get_pubkey(s->session-> \ - sess_cert->peer_pkeys[SSL_PKEY_ECC].x509); - if ((srvr_pub_pkey == NULL) || - (srvr_pub_pkey->type != EVP_PKEY_EC) || - (srvr_pub_pkey->pkey.ec == NULL)) - { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto err; - } - - tkey = srvr_pub_pkey->pkey.ec; - } - - srvr_group = EC_KEY_get0_group(tkey); - srvr_ecpoint = EC_KEY_get0_public_key(tkey); - - if ((srvr_group == NULL) || (srvr_ecpoint == NULL)) - { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto err; - } - - if ((clnt_ecdh=EC_KEY_new()) == NULL) - { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); - goto err; - } - - if (!EC_KEY_set_group(clnt_ecdh, srvr_group)) - { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB); - goto err; - } - if (ecdh_clnt_cert) - { - /* Reuse key info from our certificate - * We only need our private key to perform - * the ECDH computation. - */ - const BIGNUM *priv_key; - tkey = s->cert->key->privatekey->pkey.ec; - priv_key = EC_KEY_get0_private_key(tkey); - if (priv_key == NULL) - { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); - goto err; - } - if (!EC_KEY_set_private_key(clnt_ecdh, priv_key)) - { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB); - goto err; - } - } - else - { - /* Generate a new ECDH key pair */ - if (!(EC_KEY_generate_key(clnt_ecdh))) - { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB); - goto err; - } - } - - /* use the 'p' output buffer for the ECDH key, but - * make sure to clear it out afterwards - */ - - field_size = EC_GROUP_get_degree(srvr_group); - if (field_size <= 0) - { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_ECDH_LIB); - goto err; - } - n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL); - if (n <= 0) - { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_ECDH_LIB); - goto err; - } - - /* generate master key from the result */ - s->session->master_key_length = s->method->ssl3_enc \ - -> generate_master_secret(s, - s->session->master_key, - p, n); - - memset(p, 0, n); /* clean up */ - - if (ecdh_clnt_cert) - { - /* Send empty client key exch message */ - n = 0; - } - else - { - /* First check the size of encoding and - * allocate memory accordingly. - */ - encoded_pt_len = - EC_POINT_point2oct(srvr_group, - EC_KEY_get0_public_key(clnt_ecdh), - POINT_CONVERSION_UNCOMPRESSED, - NULL, 0, NULL); - - encodedPoint = (unsigned char *) - OPENSSL_malloc(encoded_pt_len * - sizeof(unsigned char)); - bn_ctx = BN_CTX_new(); - if ((encodedPoint == NULL) || - (bn_ctx == NULL)) - { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); - goto err; - } - - /* Encode the public key */ - n = EC_POINT_point2oct(srvr_group, - EC_KEY_get0_public_key(clnt_ecdh), - POINT_CONVERSION_UNCOMPRESSED, - encodedPoint, encoded_pt_len, bn_ctx); - - *p = n; /* length of encoded point */ - /* Encoded point will be copied here */ - p += 1; - /* copy the point */ - memcpy((unsigned char *)p, encodedPoint, n); - /* increment n to account for length field */ - n += 1; - } - - /* Free allocated memory */ - BN_CTX_free(bn_ctx); - if (encodedPoint != NULL) OPENSSL_free(encodedPoint); - if (clnt_ecdh != NULL) - EC_KEY_free(clnt_ecdh); - EVP_PKEY_free(srvr_pub_pkey); - } -#endif /* !OPENSSL_NO_ECDH */ - -#ifndef OPENSSL_NO_PSK - else if (alg_k & SSL_kPSK) - { - char identity[PSK_MAX_IDENTITY_LEN]; - unsigned char *t = NULL; - unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4]; - unsigned int pre_ms_len = 0, psk_len = 0; - int psk_err = 1; - - n = 0; - if (s->psk_client_callback == NULL) - { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, - SSL_R_PSK_NO_CLIENT_CB); - goto err; - } - - psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint, - identity, PSK_MAX_IDENTITY_LEN, - psk_or_pre_ms, sizeof(psk_or_pre_ms)); - if (psk_len > PSK_MAX_PSK_LEN) - { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto psk_err; - } - else if (psk_len == 0) - { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, - SSL_R_PSK_IDENTITY_NOT_FOUND); - goto psk_err; - } - - /* create PSK pre_master_secret */ - pre_ms_len = 2+psk_len+2+psk_len; - t = psk_or_pre_ms; - memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len); - s2n(psk_len, t); - memset(t, 0, psk_len); - t+=psk_len; - s2n(psk_len, t); - - if (s->session->psk_identity_hint != NULL) - OPENSSL_free(s->session->psk_identity_hint); - s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint); - if (s->ctx->psk_identity_hint != NULL && - s->session->psk_identity_hint == NULL) - { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - goto psk_err; - } - - if (s->session->psk_identity != NULL) - OPENSSL_free(s->session->psk_identity); - s->session->psk_identity = BUF_strdup(identity); - if (s->session->psk_identity == NULL) - { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - goto psk_err; - } - - s->session->master_key_length = - s->method->ssl3_enc->generate_master_secret(s, - s->session->master_key, - psk_or_pre_ms, pre_ms_len); - n = strlen(identity); - s2n(n, p); - memcpy(p, identity, n); - n+=2; - psk_err = 0; - psk_err: - OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN); - OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); - if (psk_err != 0) - { - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); - goto err; - } - } -#endif - else - { - ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); - SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); - goto err; - } - - d = dtls1_set_message_header(s, d, - SSL3_MT_CLIENT_KEY_EXCHANGE, n, 0, n); - /* - *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE; - l2n3(n,d); - l2n(s->d1->handshake_write_seq,d); - s->d1->handshake_write_seq++; - */ - - s->state=SSL3_ST_CW_KEY_EXCH_B; - /* number of bytes to write */ - s->init_num=n+DTLS1_HM_HEADER_LENGTH; - s->init_off=0; - - /* buffer the message to handle re-xmits */ - dtls1_buffer_message(s, 0); - } - - /* SSL3_ST_CW_KEY_EXCH_B */ - return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); -err: -#ifndef OPENSSL_NO_ECDH - BN_CTX_free(bn_ctx); - if (encodedPoint != NULL) OPENSSL_free(encodedPoint); - if (clnt_ecdh != NULL) - EC_KEY_free(clnt_ecdh); - EVP_PKEY_free(srvr_pub_pkey); -#endif - return(-1); - } - -int dtls1_send_client_verify(SSL *s) - { - unsigned char *p,*d; - unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; - EVP_PKEY *pkey; -#ifndef OPENSSL_NO_RSA - unsigned u=0; -#endif - unsigned long n; -#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA) - int j; -#endif - - if (s->state == SSL3_ST_CW_CERT_VRFY_A) - { - d=(unsigned char *)s->init_buf->data; - p= &(d[DTLS1_HM_HEADER_LENGTH]); - pkey=s->cert->key->privatekey; - - s->method->ssl3_enc->cert_verify_mac(s, - NID_sha1, - &(data[MD5_DIGEST_LENGTH])); - -#ifndef OPENSSL_NO_RSA - if (pkey->type == EVP_PKEY_RSA) - { - s->method->ssl3_enc->cert_verify_mac(s, - NID_md5, - &(data[0])); - if (RSA_sign(NID_md5_sha1, data, - MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH, - &(p[2]), &u, pkey->pkey.rsa) <= 0 ) - { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB); - goto err; - } - s2n(u,p); - n=u+2; - } - else -#endif -#ifndef OPENSSL_NO_DSA - if (pkey->type == EVP_PKEY_DSA) - { - if (!DSA_sign(pkey->save_type, - &(data[MD5_DIGEST_LENGTH]), - SHA_DIGEST_LENGTH,&(p[2]), - (unsigned int *)&j,pkey->pkey.dsa)) - { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB); - goto err; - } - s2n(j,p); - n=j+2; - } - else -#endif -#ifndef OPENSSL_NO_ECDSA - if (pkey->type == EVP_PKEY_EC) - { - if (!ECDSA_sign(pkey->save_type, - &(data[MD5_DIGEST_LENGTH]), - SHA_DIGEST_LENGTH,&(p[2]), - (unsigned int *)&j,pkey->pkey.ec)) - { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY, - ERR_R_ECDSA_LIB); - goto err; - } - s2n(j,p); - n=j+2; - } - else -#endif - { - SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR); - goto err; - } - - d = dtls1_set_message_header(s, d, - SSL3_MT_CERTIFICATE_VERIFY, n, 0, n) ; - - s->init_num=(int)n+DTLS1_HM_HEADER_LENGTH; - s->init_off=0; - - /* buffer the message to handle re-xmits */ - dtls1_buffer_message(s, 0); - - s->state = SSL3_ST_CW_CERT_VRFY_B; - } - - /* s->state = SSL3_ST_CW_CERT_VRFY_B */ - return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); -err: - return(-1); - } - -int dtls1_send_client_certificate(SSL *s) - { - X509 *x509=NULL; - EVP_PKEY *pkey=NULL; - int i; - unsigned long l; - - if (s->state == SSL3_ST_CW_CERT_A) - { - if ((s->cert == NULL) || - (s->cert->key->x509 == NULL) || - (s->cert->key->privatekey == NULL)) - s->state=SSL3_ST_CW_CERT_B; - else - s->state=SSL3_ST_CW_CERT_C; - } - - /* We need to get a client cert */ - if (s->state == SSL3_ST_CW_CERT_B) - { - /* If we get an error, we need to - * ssl->rwstate=SSL_X509_LOOKUP; return(-1); - * We then get retied later */ - i=0; - i = ssl_do_client_cert_cb(s, &x509, &pkey); - if (i < 0) - { - s->rwstate=SSL_X509_LOOKUP; - return(-1); - } - s->rwstate=SSL_NOTHING; - if ((i == 1) && (pkey != NULL) && (x509 != NULL)) - { - s->state=SSL3_ST_CW_CERT_B; - if ( !SSL_use_certificate(s,x509) || - !SSL_use_PrivateKey(s,pkey)) - i=0; - } - else if (i == 1) - { - i=0; - SSLerr(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); - } - - if (x509 != NULL) X509_free(x509); - if (pkey != NULL) EVP_PKEY_free(pkey); - if (i == 0) - { - if (s->version == SSL3_VERSION) - { - s->s3->tmp.cert_req=0; - ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE); - return(1); - } - else - { - s->s3->tmp.cert_req=2; - } - } - - /* Ok, we have a cert */ - s->state=SSL3_ST_CW_CERT_C; - } - - if (s->state == SSL3_ST_CW_CERT_C) - { - s->state=SSL3_ST_CW_CERT_D; - l=dtls1_output_cert_chain(s, - (s->s3->tmp.cert_req == 2)?NULL:s->cert->key); - s->init_num=(int)l; - s->init_off=0; - - /* set header called by dtls1_output_cert_chain() */ - - /* buffer the message to handle re-xmits */ - dtls1_buffer_message(s, 0); - } - /* SSL3_ST_CW_CERT_D */ - return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); - } - - diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index 106939f241..f03a7ee1d8 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -67,6 +67,8 @@ #endif static void get_current_time(struct timeval *t); +static void dtls1_set_handshake_header(SSL *s, int type, unsigned long len); +static int dtls1_handshake_write(SSL *s); const char dtls1_version_str[]="DTLSv1" OPENSSL_VERSION_PTEXT; int dtls1_listen(SSL *s, struct sockaddr *client); @@ -83,6 +85,10 @@ SSL3_ENC_METHOD DTLSv1_enc_data={ TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, tls1_alert_code, tls1_export_keying_material, + SSL_ENC_FLAG_DTLS|SSL_ENC_FLAG_EXPLICIT_IV, + DTLS1_HM_HEADER_LENGTH, + dtls1_set_handshake_header, + dtls1_handshake_write }; long dtls1_default_timeout(void) @@ -481,3 +487,20 @@ int dtls1_listen(SSL *s, struct sockaddr *client) (void) BIO_dgram_get_peer(SSL_get_rbio(s), client); return 1; } + +static void dtls1_set_handshake_header(SSL *s, int htype, unsigned long len) + { + unsigned char *p = (unsigned char *)s->init_buf->data; + dtls1_set |