mischief/openbsd-src
1
0
Fork 0
mirror of https://github.com/openbsd/src.git synced 2025-01-10 06:47:55 -08:00
Code

Fold dtls1_accept() into ssl_accept(), removing a lot of duplicated code.

Browse Source 
With review/feedback from inoguchi@
This commit is contained in:
jsing 2017-10-12 15:52:50 +00:00
parent b188829478
commit b04c66583e
4 changed files with 144 additions and 557 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
lib/libssl/d1_meth.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: d1_meth.c,v 1.14 2017/10/10 15:13:26 jsing Exp $ */
/* $OpenBSD: d1_meth.c,v 1.15 2017/10/12 15:52:50 jsing Exp $ */
/*
* DTLS implementation written by Nagendra Modadugu
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@ -72,7 +72,7 @@ static const SSL_METHOD_INTERNAL DTLSv1_method_internal_data = {
.ssl_new = dtls1_new,
.ssl_clear = dtls1_clear,
.ssl_free = dtls1_free,
.ssl_accept = dtls1_accept,
.ssl_accept = ssl3_accept,
.ssl_connect = ssl3_connect,
.ssl_read = ssl3_read,
.ssl_peek = ssl3_peek,

538
lib/libssl/d1_srvr.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: d1_srvr.c,v 1.90 2017/10/08 16:56:51 jsing Exp $ */
/* $OpenBSD: d1_srvr.c,v 1.91 2017/10/12 15:52:50 jsing Exp $ */
/*
* DTLS implementation written by Nagendra Modadugu
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@ -125,8 +125,6 @@
#include <openssl/objects.h>
#include <openssl/x509.h>
static int dtls1_send_hello_verify_request(SSL *s);
static const SSL_METHOD_INTERNAL DTLSv1_server_method_internal_data = {
.version = DTLS1_VERSION,
.min_version = DTLS1_VERSION,
@ -134,7 +132,7 @@ static const SSL_METHOD_INTERNAL DTLSv1_server_method_internal_data = {
.ssl_new = dtls1_new,
.ssl_clear = dtls1_clear,
.ssl_free = dtls1_free,
.ssl_accept = dtls1_accept,
.ssl_accept = ssl3_accept,
.ssl_connect = ssl_undefined_function,
.ssl_read = ssl3_read,
.ssl_peek = ssl3_peek,
@ -175,538 +173,6 @@ dtls1_get_server_method(int ver)
return (NULL);
}
int
dtls1_accept(SSL *s)
{
void (*cb)(const SSL *ssl, int type, int val) = NULL;
unsigned long alg_k;
int ret = -1;
int new_state, state, skip = 0;
int listen;
ERR_clear_error();
errno = 0;
if (s->internal->info_callback != NULL)
cb = s->internal->info_callback;
else if (s->ctx->internal->info_callback != NULL)
cb = s->ctx->internal->info_callback;
listen = D1I(s)->listen;
/* init things to blank */
s->internal->in_handshake++;
if (!SSL_in_init(s) || SSL_in_before(s))
SSL_clear(s);
D1I(s)->listen = listen;
if (s->cert == NULL) {
SSLerror(s, SSL_R_NO_CERTIFICATE_SET);
ret = -1;
goto end;
}
for (;;) {
state = S3I(s)->hs.state;
switch (S3I(s)->hs.state) {
case SSL_ST_RENEGOTIATE:
s->internal->renegotiate = 1;
/* S3I(s)->hs.state=SSL_ST_ACCEPT; */
case SSL_ST_BEFORE:
case SSL_ST_ACCEPT:
case SSL_ST_BEFORE|SSL_ST_ACCEPT:
case SSL_ST_OK|SSL_ST_ACCEPT:
s->server = 1;
if (cb != NULL)
cb(s, SSL_CB_HANDSHAKE_START, 1);
if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) {
SSLerror(s, ERR_R_INTERNAL_ERROR);
ret = -1;
goto end;
}
s->internal->type = SSL_ST_ACCEPT;
if (!ssl3_setup_init_buffer(s)) {
ret = -1;
goto end;
}
if (!ssl3_setup_buffers(s)) {
ret = -1;
goto end;
}
s->internal->init_num = 0;
if (S3I(s)->hs.state != SSL_ST_RENEGOTIATE) {
/*
* Ok, we now need to push on a buffering BIO
* so that the output is sent in a way that
* TCP likes :-)
* ...but not with SCTP :-)
*/
if (!ssl_init_wbio_buffer(s, 1)) {
ret = -1;
goto end;
}
if (!tls1_init_finished_mac(s)) {
ret = -1;
goto end;
}
S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A;
s->ctx->internal->stats.sess_accept++;
} else {
/*
* S3I(s)->hs.state == SSL_ST_RENEGOTIATE,
* we will just send a HelloRequest.
*/
s->ctx->internal->stats.sess_accept_renegotiate++;
S3I(s)->hs.state = SSL3_ST_SW_HELLO_REQ_A;
}
break;
case SSL3_ST_SW_HELLO_REQ_A:
case SSL3_ST_SW_HELLO_REQ_B:
s->internal->shutdown = 0;
dtls1_clear_record_buffer(s);
dtls1_start_timer(s);
ret = ssl3_send_hello_request(s);
if (ret <= 0)
goto end;
S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A;
S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
s->internal->init_num = 0;
if (!tls1_init_finished_mac(s)) {
ret = -1;
goto end;
}
break;
case SSL3_ST_SW_HELLO_REQ_C:
S3I(s)->hs.state = SSL_ST_OK;
break;
case SSL3_ST_SR_CLNT_HELLO_A:
case SSL3_ST_SR_CLNT_HELLO_B:
case SSL3_ST_SR_CLNT_HELLO_C:
s->internal->shutdown = 0;
ret = ssl3_get_client_hello(s);
if (ret <= 0)
goto end;
dtls1_stop_timer(s);
if (ret == 1 && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
S3I(s)->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
else
S3I(s)->hs.state = SSL3_ST_SW_SRVR_HELLO_A;
s->internal->init_num = 0;
/* Reflect ClientHello sequence to remain stateless while listening */
if (listen) {
memcpy(S3I(s)->write_sequence, S3I(s)->read_sequence, sizeof(S3I(s)->write_sequence));
}
/* If we're just listening, stop here */
if (listen && S3I(s)->hs.state == SSL3_ST_SW_SRVR_HELLO_A) {
ret = 2;
D1I(s)->listen = 0;
/* Set expected sequence numbers
* to continue the handshake.
*/
D1I(s)->handshake_read_seq = 2;
D1I(s)->handshake_write_seq = 1;
D1I(s)->next_handshake_write_seq = 1;
goto end;
}
break;
case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
ret = dtls1_send_hello_verify_request(s);
if (ret <= 0)
goto end;
S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A;
/* HelloVerifyRequest resets Finished MAC */
if (!tls1_init_finished_mac(s)) {
ret = -1;
goto end;
}
break;
case SSL3_ST_SW_SRVR_HELLO_A:
case SSL3_ST_SW_SRVR_HELLO_B:
s->internal->renegotiate = 2;
dtls1_start_timer(s);
ret = ssl3_send_server_hello(s);
if (ret <= 0)
goto end;
if (s->internal->hit) {
if (s->internal->tlsext_ticket_expected)
S3I(s)->hs.state = SSL3_ST_SW_SESSION_TICKET_A;
else
S3I(s)->hs.state = SSL3_ST_SW_CHANGE_A;
} else {
S3I(s)->hs.state = SSL3_ST_SW_CERT_A;
}
s->internal->init_num = 0;
break;
case SSL3_ST_SW_CERT_A:
case SSL3_ST_SW_CERT_B:
/* Check if it is anon DH or anon ECDH. */
if (!(S3I(s)->hs.new_cipher->algorithm_auth &
SSL_aNULL)) {
dtls1_start_timer(s);
ret = ssl3_send_server_certificate(s);
if (ret <= 0)
goto end;
if (s->internal->tlsext_status_expected)
S3I(s)->hs.state = SSL3_ST_SW_CERT_STATUS_A;
else
S3I(s)->hs.state = SSL3_ST_SW_KEY_EXCH_A;
} else {
skip = 1;
S3I(s)->hs.state = SSL3_ST_SW_KEY_EXCH_A;
}
s->internal->init_num = 0;
break;
case SSL3_ST_SW_KEY_EXCH_A:
case SSL3_ST_SW_KEY_EXCH_B:
alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
/*
* Only send if using a DH key exchange.
*
* For ECC ciphersuites, we send a ServerKeyExchange
* message only if the cipher suite is ECDHE. In other
* cases, the server certificate contains the server's
* public key for key exchange.
*/
if (alg_k & (SSL_kDHE|SSL_kECDHE)) {
dtls1_start_timer(s);
ret = ssl3_send_server_key_exchange(s);
if (ret <= 0)
goto end;
} else
skip = 1;
S3I(s)->hs.state = SSL3_ST_SW_CERT_REQ_A;
s->internal->init_num = 0;
break;
case SSL3_ST_SW_CERT_REQ_A:
case SSL3_ST_SW_CERT_REQ_B:
/*
* Determine whether or not we need to request a
* certificate.
*
* Do not request a certificate if:
*
* - We did not ask for it (SSL_VERIFY_PEER is unset).
*
* - SSL_VERIFY_CLIENT_ONCE is set and we are
* renegotiating.
*
* - We are using an anonymous ciphersuites
* (see section "Certificate request" in SSL 3 drafts
* and in RFC 2246) ... except when the application
* insists on verification (against the specs, but
* s3_clnt.c accepts this for SSL 3).
*/
if (!(s->verify_mode & SSL_VERIFY_PEER) ||
((s->session->peer != NULL) &&
(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
((S3I(s)->hs.new_cipher->algorithm_auth &
SSL_aNULL) && !(s->verify_mode &
SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
/* No cert request. */
skip = 1;
S3I(s)->tmp.cert_request = 0;
S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A;
} else {
S3I(s)->tmp.cert_request = 1;
dtls1_start_timer(s);
ret = ssl3_send_certificate_request(s);
if (ret <= 0)
goto end;
S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A;
s->internal->init_num = 0;
}
break;
case SSL3_ST_SW_SRVR_DONE_A:
case SSL3_ST_SW_SRVR_DONE_B:
dtls1_start_timer(s);
ret = ssl3_send_server_done(s);
if (ret <= 0)
goto end;
S3I(s)->hs.next_state = SSL3_ST_SR_CERT_A;
S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
s->internal->init_num = 0;
break;
case SSL3_ST_SW_FLUSH:
/*
* This code originally checked to see if
* any data was pending using BIO_CTRL_INFO
* and then flushed. This caused problems
* as documented in PR#1939. The proposed
* fix doesn't completely resolve this issue
* as buggy implementations of BIO_CTRL_PENDING
* still exist. So instead we just flush
* unconditionally.
*/
s->internal->rwstate = SSL_WRITING;
if (BIO_flush(s->wbio) <= 0) {
/* If the write error was fatal, stop trying */
if (!BIO_should_retry(s->wbio)) {
s->internal->rwstate = SSL_NOTHING;
S3I(s)->hs.state = S3I(s)->hs.next_state;
}
ret = -1;
goto end;
}
s->internal->rwstate = SSL_NOTHING;
S3I(s)->hs.state = S3I(s)->hs.next_state;
break;
case SSL3_ST_SR_CERT_A:
case SSL3_ST_SR_CERT_B:
if (S3I(s)->tmp.cert_request) {
ret = ssl3_get_client_certificate(s);
if (ret <= 0)
goto end;
}
s->internal->init_num = 0;
S3I(s)->hs.state = SSL3_ST_SR_KEY_EXCH_A;
break;
case SSL3_ST_SR_KEY_EXCH_A:
case SSL3_ST_SR_KEY_EXCH_B:
ret = ssl3_get_client_key_exchange(s);
if (ret <= 0)
goto end;
S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A;
s->internal->init_num = 0;
if (ret == 2) {
/*
* For the ECDH ciphersuites when
* the client sends its ECDH pub key in
* a certificate, the CertificateVerify
* message is not sent.
* Also for GOST ciphersuites when
* the client uses its key from the certificate
* for key exchange.
*/
S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A;
s->internal->init_num = 0;
} else if (SSL_USE_SIGALGS(s)) {
S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A;
s->internal->init_num = 0;
if (!s->session->peer)
break;
/*
* For sigalgs freeze the handshake buffer
* at this point and digest cached records.
*/
if (!S3I(s)->handshake_buffer) {
SSLerror(s, ERR_R_INTERNAL_ERROR);
ret = -1;
goto end;
}
s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
if (!tls1_digest_cached_records(s)) {
ret = -1;
goto end;
}
} else {
S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A;
s->internal->init_num = 0;
/*
* We need to get hashes here so if there is
* a client cert, it can be verified.
*/
if (S3I(s)->handshake_buffer) {
if (!tls1_digest_cached_records(s)) {
ret = -1;
goto end;
}
}
if (!tls1_handshake_hash_value(s,
S3I(s)->tmp.cert_verify_md,
sizeof(S3I(s)->tmp.cert_verify_md),
NULL)) {
ret = -1;
goto end;
}
}
break;
case SSL3_ST_SR_CERT_VRFY_A:
case SSL3_ST_SR_CERT_VRFY_B:
D1I(s)->change_cipher_spec_ok = 1;
/* we should decide if we expected this one */
ret = ssl3_get_cert_verify(s);
if (ret <= 0)
goto end;
S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A;
s->internal->init_num = 0;
break;
case SSL3_ST_SR_FINISHED_A:
case SSL3_ST_SR_FINISHED_B:
D1I(s)->change_cipher_spec_ok = 1;
ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A,
SSL3_ST_SR_FINISHED_B);
if (ret <= 0)
goto end;
dtls1_stop_timer(s);
if (s->internal->hit)
S3I(s)->hs.state = SSL_ST_OK;
else if (s->internal->tlsext_ticket_expected)
S3I(s)->hs.state = SSL3_ST_SW_SESSION_TICKET_A;
else
S3I(s)->hs.state = SSL3_ST_SW_CHANGE_A;
s->internal->init_num = 0;
break;
case SSL3_ST_SW_SESSION_TICKET_A:
case SSL3_ST_SW_SESSION_TICKET_B:
ret = ssl3_send_newsession_ticket(s);
if (ret <= 0)
goto end;
S3I(s)->hs.state = SSL3_ST_SW_CHANGE_A;
s->internal->init_num = 0;
break;
case SSL3_ST_SW_CERT_STATUS_A:
case SSL3_ST_SW_CERT_STATUS_B:
ret = ssl3_send_cert_status(s);
if (ret <= 0)
goto end;
S3I(s)->hs.state = SSL3_ST_SW_KEY_EXCH_A;
s->internal->init_num = 0;
break;
case SSL3_ST_SW_CHANGE_A:
case SSL3_ST_SW_CHANGE_B:
s->session->cipher = S3I(s)->hs.new_cipher;
if (!tls1_setup_key_block(s)) {
ret = -1;
goto end;
}
ret = ssl3_send_change_cipher_spec(s,
SSL3_ST_SW_CHANGE_A, SSL3_ST_SW_CHANGE_B);
if (ret <= 0)
goto end;
S3I(s)->hs.state = SSL3_ST_SW_FINISHED_A;
s->internal->init_num = 0;
if (!tls1_change_cipher_state(s,
SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
ret = -1;
goto end;
}
dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
break;
case SSL3_ST_SW_FINISHED_A:
case SSL3_ST_SW_FINISHED_B:
ret = ssl3_send_finished(s,
SSL3_ST_SW_FINISHED_A, SSL3_ST_SW_FINISHED_B,
TLS_MD_SERVER_FINISH_CONST,
TLS_MD_SERVER_FINISH_CONST_SIZE);
if (ret <= 0)
goto end;
S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
if (s->internal->hit)
S3I(s)->hs.next_state = SSL3_ST_SR_FINISHED_A;
else
S3I(s)->hs.next_state = SSL_ST_OK;
s->internal->init_num = 0;
break;
case SSL_ST_OK:
/* clean a few things up */
tls1_cleanup_key_block(s);
/* remove buffering on output */
ssl_free_wbio_buffer(s);
s->internal->init_num = 0;
/* Skipped if we just sent a HelloRequest. */
if (s->internal->renegotiate == 2) {
s->internal->renegotiate = 0;
s->internal->new_session = 0;
ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
s->ctx->internal->stats.sess_accept_good++;
/* s->server=1; */
s->internal->handshake_func = dtls1_accept;
if (cb != NULL)
cb(s, SSL_CB_HANDSHAKE_DONE, 1);
}
ret = 1;
/* done handshaking, next message is client hello */
D1I(s)->handshake_read_seq = 0;
/* next message is server hello */
D1I(s)->handshake_write_seq = 0;
D1I(s)->next_handshake_write_seq = 0;
goto end;
/* break; */
default:
SSLerror(s, SSL_R_UNKNOWN_STATE);
ret = -1;
goto end;
/* break; */
}
if (!S3I(s)->tmp.reuse_message && !skip) {
if (s->internal->debug) {
if ((ret = BIO_flush(s->wbio)) <= 0)
goto end;
}
if ((cb != NULL) && (S3I(s)->hs.state != state)) {
new_state = S3I(s)->hs.state;
S3I(s)->hs.state = state;
cb(s, SSL_CB_ACCEPT_LOOP, 1);
S3I(s)->hs.state = new_state;
}
}
skip = 0;
}
end:
/* BIO_flush(s->wbio); */
s->internal->in_handshake--;
if (cb != NULL)
cb(s, SSL_CB_ACCEPT_EXIT, ret);
return (ret);
}
int
dtls1_send_hello_verify_request(SSL *s)
{

4
lib/libssl/ssl_locl.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssl_locl.h,v 1.199 2017/10/12 15:44:18 jsing Exp $ */
/* $OpenBSD: ssl_locl.h,v 1.200 2017/10/12 15:52:50 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -1209,6 +1209,7 @@ int ssl3_check_cert_and_algorithm(SSL *s);
int ssl3_check_finished(SSL *s);
/* some server-only functions */
int dtls1_send_hello_verify_request(SSL *s);
int ssl3_get_client_hello(SSL *s);
int ssl3_send_server_hello(SSL *s);
int ssl3_send_hello_request(SSL *s);
@ -1224,7 +1225,6 @@ void tls1_free(SSL *s);
void tls1_clear(SSL *s);
int dtls1_new(SSL *s);
int dtls1_accept(SSL *s);
void dtls1_free(SSL *s);
void dtls1_clear(SSL *s);
long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg);

155
lib/libssl/ssl_srvr.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: ssl_srvr.c,v 1.25 2017/10/11 16:51:39 jsing Exp $ */
/* $OpenBSD: ssl_srvr.c,v 1.26 2017/10/12 15:52:50 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -175,6 +175,7 @@ ssl3_accept(SSL *s)
unsigned long alg_k;
int ret = -1;
int new_state, state, skip = 0;
int listen;
ERR_clear_error();
errno = 0;
@ -184,11 +185,17 @@ ssl3_accept(SSL *s)
else if (s->ctx->internal->info_callback != NULL)
cb = s->ctx->internal->info_callback;
if (SSL_IS_DTLS(s))
listen = D1I(s)->listen;
/* init things to blank */
s->internal->in_handshake++;
if (!SSL_in_init(s) || SSL_in_before(s))
SSL_clear(s);
if (SSL_IS_DTLS(s))
D1I(s)->listen = listen;
if (s->cert == NULL) {
SSLerror(s, SSL_R_NO_CERTIFICATE_SET);
ret = -1;
@ -211,10 +218,18 @@ ssl3_accept(SSL *s)
if (cb != NULL)
cb(s, SSL_CB_HANDSHAKE_START, 1);
if ((s->version >> 8) != 3) {
SSLerror(s, ERR_R_INTERNAL_ERROR);
ret = -1;
goto end;
if (SSL_IS_DTLS(s)) {
if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) {
SSLerror(s, ERR_R_INTERNAL_ERROR);
ret = -1;
goto end;
}
} else {
if ((s->version >> 8) != 3) {
SSLerror(s, ERR_R_INTERNAL_ERROR);
ret = -1;
goto end;
}
}
s->internal->type = SSL_ST_ACCEPT;
@ -246,7 +261,7 @@ ssl3_accept(SSL *s)
S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A;
s->ctx->internal->stats.sess_accept++;
} else if (!S3I(s)->send_connection_binding) {
} else if (!SSL_IS_DTLS(s) && !S3I(s)->send_connection_binding) {
/*
* Server attempting to renegotiate with
* client that doesn't support secure
@ -270,10 +285,17 @@ ssl3_accept(SSL *s)
case SSL3_ST_SW_HELLO_REQ_A:
case SSL3_ST_SW_HELLO_REQ_B:
s->internal->shutdown = 0;
if (SSL_IS_DTLS(s)) {
dtls1_clear_record_buffer(s);
dtls1_start_timer(s);
}
ret = ssl3_send_hello_request(s);
if (ret <= 0)
goto end;
S3I(s)->hs.next_state = SSL3_ST_SW_HELLO_REQ_C;
if (SSL_IS_DTLS(s))
S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A;
else
S3I(s)->hs.next_state = SSL3_ST_SW_HELLO_REQ_C;
S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
s->internal->init_num = 0;
@ -291,19 +313,77 @@ ssl3_accept(SSL *s)
case SSL3_ST_SR_CLNT_HELLO_B:
case SSL3_ST_SR_CLNT_HELLO_C:
s->internal->shutdown = 0;
if (s->internal->rwstate != SSL_X509_LOOKUP) {
if (SSL_IS_DTLS(s)) {
ret = ssl3_get_client_hello(s);
if (ret <= 0)
goto end;
}
dtls1_stop_timer(s);
s->internal->renegotiate = 2;
S3I(s)->hs.state = SSL3_ST_SW_SRVR_HELLO_A;
s->internal->init_num = 0;
if (ret == 1 &&
(SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
S3I(s)->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
else
S3I(s)->hs.state = SSL3_ST_SW_SRVR_HELLO_A;
s->internal->init_num = 0;
/*
* Reflect ClientHello sequence to remain
* stateless while listening.
*/
if (listen) {
memcpy(S3I(s)->write_sequence,
S3I(s)->read_sequence,
sizeof(S3I(s)->write_sequence));
}
/* If we're just listening, stop here */
if (listen && S3I(s)->hs.state == SSL3_ST_SW_SRVR_HELLO_A) {
ret = 2;
D1I(s)->listen = 0;
/*
* Set expected sequence numbers to
* continue the handshake.
*/
D1I(s)->handshake_read_seq = 2;
D1I(s)->handshake_write_seq = 1;
D1I(s)->next_handshake_write_seq = 1;
goto end;
}
} else {
if (s->internal->rwstate != SSL_X509_LOOKUP) {
ret = ssl3_get_client_hello(s);
if (ret <= 0)
goto end;
}
s->internal->renegotiate = 2;
S3I(s)->hs.state = SSL3_ST_SW_SRVR_HELLO_A;
s->internal->init_num = 0;
}
break;
case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
ret = dtls1_send_hello_verify_request(s);
if (ret <= 0)
goto end;
S3I(s)->hs.state = SSL3_ST_SW_FLUSH;
S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A;
/* HelloVerifyRequest resets Finished MAC. */
if (!tls1_init_finished_mac(s)) {
ret = -1;
goto end;
}
break;
case SSL3_ST_SW_SRVR_HELLO_A:
case SSL3_ST_SW_SRVR_HELLO_B:
if (SSL_IS_DTLS(s)) {
s->internal->renegotiate = 2;
dtls1_start_timer(s);
}
ret = ssl3_send_server_hello(s);
if (ret <= 0)
goto end;
@ -323,6 +403,8 @@ ssl3_accept(SSL *s)
/* Check if it is anon DH or anon ECDH. */
if (!(S3I(s)->hs.new_cipher->algorithm_auth &
SSL_aNULL)) {
if (SSL_IS_DTLS(s))
dtls1_start_timer(s);
ret = ssl3_send_server_certificate(s);
if (ret <= 0)
goto end;
@ -350,6 +432,8 @@ ssl3_accept(SSL *s)
* public key for key exchange.
*/
if (alg_k & (SSL_kDHE|SSL_kECDHE)) {
if (SSL_IS_DTLS(s))
dtls1_start_timer(s);
ret = ssl3_send_server_key_exchange(s);
if (ret <= 0)
goto end;
@ -389,7 +473,7 @@ ssl3_accept(SSL *s)
skip = 1;
S3I(s)->tmp.cert_request = 0;
S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A;
if (S3I(s)->handshake_buffer) {
if (!SSL_IS_DTLS(s) && S3I(s)->handshake_buffer) {
if (!tls1_digest_cached_records(s)) {
ret = -1;
goto end;
@ -397,6 +481,8 @@ ssl3_accept(SSL *s)
}
} else {
S3I(s)->tmp.cert_request = 1;
if (SSL_IS_DTLS(s))
dtls1_start_timer(s);
ret = ssl3_send_certificate_request(s);
if (ret <= 0)
goto end;
@ -407,6 +493,8 @@ ssl3_accept(SSL *s)
case SSL3_ST_SW_SRVR_DONE_A:
case SSL3_ST_SW_SRVR_DONE_B:
if (SSL_IS_DTLS(s))
dtls1_start_timer(s);
ret = ssl3_send_server_done(s);
if (ret <= 0)
goto end;
@ -428,6 +516,13 @@ ssl3_accept(SSL *s)
*/
s->internal->rwstate = SSL_WRITING;
if (BIO_flush(s->wbio) <= 0) {
if (SSL_IS_DTLS(s)) {
/* If the write error was fatal, stop trying. */
if (!BIO_should_retry(s->wbio)) {
s->internal->rwstate = SSL_NOTHING;
S3I(s)->hs.state = S3I(s)->hs.next_state;
}
}
ret = -1;
goto end;
}
@ -451,6 +546,12 @@ ssl3_accept(SSL *s)
ret = ssl3_get_client_key_exchange(s);
if (ret <= 0)
goto end;
if (SSL_IS_DTLS(s)) {
S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A;
s->internal->init_num = 0;
}
alg_k = S3I(s)->hs.new_cipher->algorithm_mkey;
if (ret == 2) {
/*
@ -509,7 +610,10 @@ ssl3_accept(SSL *s)
case SSL3_ST_SR_CERT_VRFY_A:
case SSL3_ST_SR_CERT_VRFY_B:
s->s3->flags |= SSL3_FLAGS_CCS_OK;
if (SSL_IS_DTLS(s))
D1I(s)->change_cipher_spec_ok = 1;
else
s->s3->flags |= SSL3_FLAGS_CCS_OK;
/* we should decide if we expected this one */
ret = ssl3_get_cert_verify(s);
@ -521,11 +625,16 @@ ssl3_accept(SSL *s)
case SSL3_ST_SR_FINISHED_A:
case SSL3_ST_SR_FINISHED_B:
s->s3->flags |= SSL3_FLAGS_CCS_OK;
if (SSL_IS_DTLS(s))
D1I(s)->change_cipher_spec_ok = 1;
else
s->s3->flags |= SSL3_FLAGS_CCS_OK;
ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A,
SSL3_ST_SR_FINISHED_B);
if (ret <= 0)
goto end;
if (SSL_IS_DTLS(s))
dtls1_stop_timer(s);
if (s->internal->hit)
S3I(s)->hs.state = SSL_ST_OK;
else if (s->internal->tlsext_ticket_expected)
@ -574,6 +683,8 @@ ssl3_accept(SSL *s)
goto end;
}
if (SSL_IS_DTLS(s))
dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
break;
case SSL3_ST_SW_FINISHED_A:
@ -596,8 +707,10 @@ ssl3_accept(SSL *s)
/* clean a few things up */
tls1_cleanup_key_block(s);
BUF_MEM_free(s->internal->init_buf);
s->internal->init_buf = NULL;
if (!SSL_IS_DTLS(s)) {
BUF_MEM_free(s->internal->init_buf);
s->internal->init_buf = NULL;
}
/* remove buffering on output */
ssl_free_wbio_buffer(s);
@ -620,6 +733,14 @@ ssl3_accept(SSL *s)
}
ret = 1;
if (SSL_IS_DTLS(s)) {
/* Done handshaking, next message is client hello. */
D1I(s)->handshake_read_seq = 0;
/* Next message is server hello. */
D1I(s)->handshake_write_seq = 0;
D1I(s)->next_handshake_write_seq = 0;
}
goto end;
/* break; */