Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / boringssl / d9e397b599b13d642138480a28c14db7a136bf05 / . / src / ssl / d1_clnt.c
blob: 3f9e8144894a8eac473187f6512e9f7bf77daf9b [file] [log] [blame]
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame^]1/*
2 * DTLS implementation written by Nagendra Modadugu
3 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * openssl-core@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
59 * All rights reserved.
60 *
61 * This package is an SSL implementation written
62 * by Eric Young (eay@cryptsoft.com).
63 * The implementation was written so as to conform with Netscapes SSL.
64 *
65 * This library is free for commercial and non-commercial use as long as
66 * the following conditions are aheared to. The following conditions
67 * apply to all code found in this distribution, be it the RC4, RSA,
68 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
69 * included with this distribution is covered by the same copyright terms
70 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
71 *
72 * Copyright remains Eric Young's, and as such any Copyright notices in
73 * the code are not to be removed.
74 * If this package is used in a product, Eric Young should be given attribution
75 * as the author of the parts of the library used.
76 * This can be in the form of a textual message at program startup or
77 * in documentation (online or textual) provided with the package.
78 *
79 * Redistribution and use in source and binary forms, with or without
80 * modification, are permitted provided that the following conditions
81 * are met:
82 * 1. Redistributions of source code must retain the copyright
83 * notice, this list of conditions and the following disclaimer.
84 * 2. Redistributions in binary form must reproduce the above copyright
85 * notice, this list of conditions and the following disclaimer in the
86 * documentation and/or other materials provided with the distribution.
87 * 3. All advertising materials mentioning features or use of this software
88 * must display the following acknowledgement:
89 * "This product includes cryptographic software written by
90 * Eric Young (eay@cryptsoft.com)"
91 * The word 'cryptographic' can be left out if the rouines from the library
92 * being used are not cryptographic related :-).
93 * 4. If you include any Windows specific code (or a derivative thereof) from
94 * the apps directory (application code) you must include an acknowledgement:
95 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
96 *
97 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
98 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
99 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
100 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
101 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
102 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
103 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
104 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
105 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
106 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
107 * SUCH DAMAGE.
108 *
109 * The licence and distribution terms for any publically available version or
110 * derivative of this code cannot be changed. i.e. this code cannot simply be
111 * copied and put under another distribution licence
112 * [including the GNU Public Licence.]
113 */
114
115#include <assert.h>
116#include <stdio.h>
117
118#include <openssl/bn.h>
119#include <openssl/buf.h>
120#include <openssl/dh.h>
121#include <openssl/evp.h>
122#include <openssl/md5.h>
123#include <openssl/mem.h>
124#include <openssl/obj.h>
125#include <openssl/rand.h>
126
127#include "ssl_locl.h"
128
129static int dtls1_get_hello_verify(SSL *s);
130
131int dtls1_connect(SSL *s) {
132 BUF_MEM *buf = NULL;
133 void (*cb)(const SSL *ssl, int type, int val) = NULL;
134 int ret = -1;
135 int new_state, state, skip = 0;
136
137 assert(s->handshake_func == dtls1_connect);
138 assert(!s->server);
139 assert(SSL_IS_DTLS(s));
140
141 ERR_clear_error();
142 ERR_clear_system_error();
143
144 if (s->info_callback != NULL) {
145 cb = s->info_callback;
146 } else if (s->ctx->info_callback != NULL) {
147 cb = s->ctx->info_callback;
148 }
149
150 s->in_handshake++;
151
152 for (;;) {
153 state = s->state;
154
155 switch (s->state) {
156 case SSL_ST_RENEGOTIATE:
157 s->renegotiate = 1;
158 s->state = SSL_ST_CONNECT;
159 s->ctx->stats.sess_connect_renegotiate++;
160 /* break */
161 case SSL_ST_CONNECT:
162 case SSL_ST_BEFORE | SSL_ST_CONNECT:
163 if (cb != NULL) {
164 cb(s, SSL_CB_HANDSHAKE_START, 1);
165 }
166
167 if (s->init_buf == NULL) {
168 buf = BUF_MEM_new();
169 if (buf == NULL ||
170 !BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
171 ret = -1;
172 goto end;
173 }
174 s->init_buf = buf;
175 buf = NULL;
176 }
177
178 if (!ssl3_setup_buffers(s) ||
179 !ssl_init_wbio_buffer(s, 0)) {
180 ret = -1;
181 goto end;
182 }
183
184 /* don't push the buffering BIO quite yet */
185
186 s->state = SSL3_ST_CW_CLNT_HELLO_A;
187 s->ctx->stats.sess_connect++;
188 s->init_num = 0;
189 s->d1->send_cookie = 0;
190 s->hit = 0;
191 break;
192
193 case SSL3_ST_CW_CLNT_HELLO_A:
194 case SSL3_ST_CW_CLNT_HELLO_B:
195 s->shutdown = 0;
196
197 /* every DTLS ClientHello resets Finished MAC */
198 if (!ssl3_init_finished_mac(s)) {
199 OPENSSL_PUT_ERROR(SSL, dtls1_connect, ERR_R_INTERNAL_ERROR);
200 ret = -1;
201 goto end;
202 }
203
204 dtls1_start_timer(s);
205 ret = ssl3_send_client_hello(s);
206 if (ret <= 0) {
207 goto end;
208 }
209
210 if (s->d1->send_cookie) {
211 s->state = SSL3_ST_CW_FLUSH;
212 s->s3->tmp.next_state = SSL3_ST_CR_SRVR_HELLO_A;
213 } else {
214 s->state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
215 }
216
217 s->init_num = 0;
218 /* turn on buffering for the next lot of output */
219 if (s->bbio != s->wbio) {
220 s->wbio = BIO_push(s->bbio, s->wbio);
221 }
222
223 break;
224
225 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
226 case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B:
227 ret = dtls1_get_hello_verify(s);
228 if (ret <= 0) {
229 goto end;
230 }
231 if (s->d1->send_cookie) {
232 /* start again, with a cookie */
233 dtls1_stop_timer(s);
234 s->state = SSL3_ST_CW_CLNT_HELLO_A;
235 } else {
236 s->state = SSL3_ST_CR_SRVR_HELLO_A;
237 }
238 s->init_num = 0;
239 break;
240
241 case SSL3_ST_CR_SRVR_HELLO_A:
242 case SSL3_ST_CR_SRVR_HELLO_B:
243 ret = ssl3_get_server_hello(s);
244 if (ret <= 0) {
245 goto end;
246 }
247
248 if (s->hit) {
249 s->state = SSL3_ST_CR_FINISHED_A;
250 if (s->tlsext_ticket_expected) {
251 /* receive renewed session ticket */
252 s->state = SSL3_ST_CR_SESSION_TICKET_A;
253 }
254 } else {
255 s->state = SSL3_ST_CR_CERT_A;
256 }
257 s->init_num = 0;
258 break;
259
260 case SSL3_ST_CR_CERT_A:
261 case SSL3_ST_CR_CERT_B:
262 if (ssl_cipher_has_server_public_key(s->s3->tmp.new_cipher)) {
263 ret = ssl3_get_server_certificate(s);
264 if (ret <= 0) {
265 goto end;
266 }
267 if (s->s3->tmp.certificate_status_expected) {
268 s->state = SSL3_ST_CR_CERT_STATUS_A;
269 } else {
270 s->state = SSL3_ST_CR_KEY_EXCH_A;
271 }
272 } else {
273 skip = 1;
274 s->state = SSL3_ST_CR_KEY_EXCH_A;
275 }
276 s->init_num = 0;
277 break;
278
279 case SSL3_ST_CR_KEY_EXCH_A:
280 case SSL3_ST_CR_KEY_EXCH_B:
281 ret = ssl3_get_server_key_exchange(s);
282 if (ret <= 0) {
283 goto end;
284 }
285 s->state = SSL3_ST_CR_CERT_REQ_A;
286 s->init_num = 0;
287
288 /* at this point we check that we have the
289 * required stuff from the server */
290 if (!ssl3_check_cert_and_algorithm(s)) {
291 ret = -1;
292 goto end;
293 }
294 break;
295
296 case SSL3_ST_CR_CERT_REQ_A:
297 case SSL3_ST_CR_CERT_REQ_B:
298 ret = ssl3_get_certificate_request(s);
299 if (ret <= 0) {
300 goto end;
301 }
302 s->state = SSL3_ST_CR_SRVR_DONE_A;
303 s->init_num = 0;
304 break;
305
306 case SSL3_ST_CR_SRVR_DONE_A:
307 case SSL3_ST_CR_SRVR_DONE_B:
308 ret = ssl3_get_server_done(s);
309 if (ret <= 0) {
310 goto end;
311 }
312 dtls1_stop_timer(s);
313 if (s->s3->tmp.cert_req) {
314 s->s3->tmp.next_state = SSL3_ST_CW_CERT_A;
315 } else {
316 s->s3->tmp.next_state = SSL3_ST_CW_KEY_EXCH_A;
317 }
318 s->init_num = 0;
319 s->state = s->s3->tmp.next_state;
320 break;
321
322 case SSL3_ST_CW_CERT_A:
323 case SSL3_ST_CW_CERT_B:
324 case SSL3_ST_CW_CERT_C:
325 case SSL3_ST_CW_CERT_D:
326 dtls1_start_timer(s);
327 ret = ssl3_send_client_certificate(s);
328 if (ret <= 0) {
329 goto end;
330 }
331 s->state = SSL3_ST_CW_KEY_EXCH_A;
332 s->init_num = 0;
333 break;
334
335 case SSL3_ST_CW_KEY_EXCH_A:
336 case SSL3_ST_CW_KEY_EXCH_B:
337 dtls1_start_timer(s);
338 ret = ssl3_send_client_key_exchange(s);
339 if (ret <= 0) {
340 goto end;
341 }
342 /* For TLS, cert_req is set to 2, so a cert chain
343 * of nothing is sent, but no verify packet is sent */
344 if (s->s3->tmp.cert_req == 1) {
345 s->state = SSL3_ST_CW_CERT_VRFY_A;
346 } else {
347 s->state = SSL3_ST_CW_CHANGE_A;
348 s->s3->change_cipher_spec = 0;
349 }
350
351 s->init_num = 0;
352 break;
353
354 case SSL3_ST_CW_CERT_VRFY_A:
355 case SSL3_ST_CW_CERT_VRFY_B:
356 dtls1_start_timer(s);
357 ret = ssl3_send_cert_verify(s);
358 if (ret <= 0) {
359 goto end;
360 }
361 s->state = SSL3_ST_CW_CHANGE_A;
362 s->init_num = 0;
363 s->s3->change_cipher_spec = 0;
364 break;
365
366 case SSL3_ST_CW_CHANGE_A:
367 case SSL3_ST_CW_CHANGE_B:
368 if (!s->hit) {
369 dtls1_start_timer(s);
370 }
371 ret = dtls1_send_change_cipher_spec(s, SSL3_ST_CW_CHANGE_A,
372 SSL3_ST_CW_CHANGE_B);
373 if (ret <= 0) {
374 goto end;
375 }
376
377 s->state = SSL3_ST_CW_FINISHED_A;
378 s->init_num = 0;
379
380 s->session->cipher = s->s3->tmp.new_cipher;
381 if (!s->enc_method->setup_key_block(s) ||
382 !s->enc_method->change_cipher_state(
383 s, SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
384 ret = -1;
385 goto end;
386 }
387
388 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
389 break;
390
391 case SSL3_ST_CW_FINISHED_A:
392 case SSL3_ST_CW_FINISHED_B:
393 if (!s->hit) {
394 dtls1_start_timer(s);
395 }
396
397 ret =
398 ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A, SSL3_ST_CW_FINISHED_B,
399 s->enc_method->client_finished_label,
400 s->enc_method->client_finished_label_len);
401 if (ret <= 0) {
402 goto end;
403 }
404 s->state = SSL3_ST_CW_FLUSH;
405
406 if (s->hit) {
407 s->s3->tmp.next_state = SSL_ST_OK;
408 } else {
409 /* Allow NewSessionTicket if ticket expected */
410 if (s->tlsext_ticket_expected) {
411 s->s3->tmp.next_state = SSL3_ST_CR_SESSION_TICKET_A;
412 } else {
413 s->s3->tmp.next_state = SSL3_ST_CR_FINISHED_A;
414 }
415 }
416 s->init_num = 0;
417 break;
418
419 case SSL3_ST_CR_SESSION_TICKET_A:
420 case SSL3_ST_CR_SESSION_TICKET_B:
421 ret = ssl3_get_new_session_ticket(s);
422 if (ret <= 0) {
423 goto end;
424 }
425 s->state = SSL3_ST_CR_FINISHED_A;
426 s->init_num = 0;
427 break;
428
429 case SSL3_ST_CR_CERT_STATUS_A:
430 case SSL3_ST_CR_CERT_STATUS_B:
431 ret = ssl3_get_cert_status(s);
432 if (ret <= 0) {
433 goto end;
434 }
435 s->state = SSL3_ST_CR_KEY_EXCH_A;
436 s->init_num = 0;
437 break;
438
439 case SSL3_ST_CR_FINISHED_A:
440 case SSL3_ST_CR_FINISHED_B:
441 s->d1->change_cipher_spec_ok = 1;
442 ret =
443 ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A, SSL3_ST_CR_FINISHED_B);
444 if (ret <= 0) {
445 goto end;
446 }
447 dtls1_stop_timer(s);
448
449 if (s->hit) {
450 s->state = SSL3_ST_CW_CHANGE_A;
451 } else {
452 s->state = SSL_ST_OK;
453 }
454
455 s->init_num = 0;
456 break;
457
458 case SSL3_ST_CW_FLUSH:
459 s->rwstate = SSL_WRITING;
460 if (BIO_flush(s->wbio) <= 0) {
461 /* If the write error was fatal, stop trying */
462 if (!BIO_should_retry(s->wbio)) {
463 s->rwstate = SSL_NOTHING;
464 s->state = s->s3->tmp.next_state;
465 }
466
467 ret = -1;
468 goto end;
469 }
470 s->rwstate = SSL_NOTHING;
471 s->state = s->s3->tmp.next_state;
472 break;
473
474 case SSL_ST_OK:
475 /* clean a few things up */
476 ssl3_cleanup_key_block(s);
477
478 /* Remove write buffering now. */
479 ssl_free_wbio_buffer(s);
480
481 s->init_num = 0;
482 s->renegotiate = 0;
483 s->new_session = 0;
484
485 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
486 if (s->hit) {
487 s->ctx->stats.sess_hit++;
488 }
489
490 ret = 1;
491 s->ctx->stats.sess_connect_good++;
492
493 if (cb != NULL)
494 cb(s, SSL_CB_HANDSHAKE_DONE, 1);
495
496 /* done with handshaking */
497 s->d1->handshake_read_seq = 0;
498 s->d1->next_handshake_write_seq = 0;
499 goto end;
500
501 default:
502 OPENSSL_PUT_ERROR(SSL, dtls1_connect, SSL_R_UNKNOWN_STATE);
503 ret = -1;
504 goto end;
505 }
506
507 /* did we do anything? */
508 if (!s->s3->tmp.reuse_message && !skip) {
509 if ((cb != NULL) && (s->state != state)) {
510 new_state = s->state;
511 s->state = state;
512 cb(s, SSL_CB_CONNECT_LOOP, 1);
513 s->state = new_state;
514 }
515 }
516 skip = 0;
517 }
518
519end:
520 s->in_handshake--;
521
522 if (buf != NULL) {
523 BUF_MEM_free(buf);
524 }
525 if (cb != NULL) {
526 cb(s, SSL_CB_CONNECT_EXIT, ret);
527 }
528 return ret;
529}
530
531static int dtls1_get_hello_verify(SSL *s) {
532 long n;
533 int al, ok = 0;
534 CBS hello_verify_request, cookie;
535 uint16_t server_version;
536
537 n = s->method->ssl_get_message(
538 s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B,
539 -1,
540 /* Use the same maximum size as ssl3_get_server_hello. */
541 20000, SSL_GET_MESSAGE_HASH_MESSAGE, &ok);
542
543 if (!ok) {
544 return n;
545 }
546
547 if (s->s3->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) {
548 s->d1->send_cookie = 0;
549 s->s3->tmp.reuse_message = 1;
550 return 1;
551 }
552
553 CBS_init(&hello_verify_request, s->init_msg, n);
554
555 if (!CBS_get_u16(&hello_verify_request, &server_version) ||
556 !CBS_get_u8_length_prefixed(&hello_verify_request, &cookie) ||
557 CBS_len(&hello_verify_request) != 0) {
558 al = SSL_AD_DECODE_ERROR;
559 OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_status, SSL_R_DECODE_ERROR);
560 goto f_err;
561 }
562
563 if (CBS_len(&cookie) > sizeof(s->d1->cookie)) {
564 al = SSL_AD_ILLEGAL_PARAMETER;
565 goto f_err;
566 }
567
568 memcpy(s->d1->cookie, CBS_data(&cookie), CBS_len(&cookie));
569 s->d1->cookie_len = CBS_len(&cookie);
570
571 s->d1->send_cookie = 1;
572 return 1;
573
574f_err:
575 ssl3_send_alert(s, SSL3_AL_FATAL, al);
576 return -1;
577}