Home | History | Annotate | Download | only in ssl
      1 /* ssl/d1_clnt.c */
      2 /*
      3  * DTLS implementation written by Nagendra Modadugu
      4  * (nagendra (at) cs.stanford.edu) for the OpenSSL project 2005.
      5  */
      6 /* ====================================================================
      7  * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
      8  *
      9  * Redistribution and use in source and binary forms, with or without
     10  * modification, are permitted provided that the following conditions
     11  * are met:
     12  *
     13  * 1. Redistributions of source code must retain the above copyright
     14  *    notice, this list of conditions and the following disclaimer.
     15  *
     16  * 2. Redistributions in binary form must reproduce the above copyright
     17  *    notice, this list of conditions and the following disclaimer in
     18  *    the documentation and/or other materials provided with the
     19  *    distribution.
     20  *
     21  * 3. All advertising materials mentioning features or use of this
     22  *    software must display the following acknowledgment:
     23  *    "This product includes software developed by the OpenSSL Project
     24  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
     25  *
     26  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
     27  *    endorse or promote products derived from this software without
     28  *    prior written permission. For written permission, please contact
     29  *    openssl-core (at) OpenSSL.org.
     30  *
     31  * 5. Products derived from this software may not be called "OpenSSL"
     32  *    nor may "OpenSSL" appear in their names without prior written
     33  *    permission of the OpenSSL Project.
     34  *
     35  * 6. Redistributions of any form whatsoever must retain the following
     36  *    acknowledgment:
     37  *    "This product includes software developed by the OpenSSL Project
     38  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
     39  *
     40  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
     41  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     43  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
     44  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
     45  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     46  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
     47  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
     49  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
     50  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
     51  * OF THE POSSIBILITY OF SUCH DAMAGE.
     52  * ====================================================================
     53  *
     54  * This product includes cryptographic software written by Eric Young
     55  * (eay (at) cryptsoft.com).  This product includes software written by Tim
     56  * Hudson (tjh (at) cryptsoft.com).
     57  *
     58  */
     59 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com)
     60  * All rights reserved.
     61  *
     62  * This package is an SSL implementation written
     63  * by Eric Young (eay (at) cryptsoft.com).
     64  * The implementation was written so as to conform with Netscapes SSL.
     65  *
     66  * This library is free for commercial and non-commercial use as long as
     67  * the following conditions are aheared to.  The following conditions
     68  * apply to all code found in this distribution, be it the RC4, RSA,
     69  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
     70  * included with this distribution is covered by the same copyright terms
     71  * except that the holder is Tim Hudson (tjh (at) cryptsoft.com).
     72  *
     73  * Copyright remains Eric Young's, and as such any Copyright notices in
     74  * the code are not to be removed.
     75  * If this package is used in a product, Eric Young should be given attribution
     76  * as the author of the parts of the library used.
     77  * This can be in the form of a textual message at program startup or
     78  * in documentation (online or textual) provided with the package.
     79  *
     80  * Redistribution and use in source and binary forms, with or without
     81  * modification, are permitted provided that the following conditions
     82  * are met:
     83  * 1. Redistributions of source code must retain the copyright
     84  *    notice, this list of conditions and the following disclaimer.
     85  * 2. Redistributions in binary form must reproduce the above copyright
     86  *    notice, this list of conditions and the following disclaimer in the
     87  *    documentation and/or other materials provided with the distribution.
     88  * 3. All advertising materials mentioning features or use of this software
     89  *    must display the following acknowledgement:
     90  *    "This product includes cryptographic software written by
     91  *     Eric Young (eay (at) cryptsoft.com)"
     92  *    The word 'cryptographic' can be left out if the rouines from the library
     93  *    being used are not cryptographic related :-).
     94  * 4. If you include any Windows specific code (or a derivative thereof) from
     95  *    the apps directory (application code) you must include an acknowledgement:
     96  *    "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)"
     97  *
     98  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
     99  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    100  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
    101  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
    102  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
    103  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
    104  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    105  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
    106  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
    107  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
    108  * SUCH DAMAGE.
    109  *
    110  * The licence and distribution terms for any publically available version or
    111  * derivative of this code cannot be changed.  i.e. this code cannot simply be
    112  * copied and put under another distribution licence
    113  * [including the GNU Public Licence.]
    114  */
    115 
    116 #include <stdio.h>
    117 #include "ssl_locl.h"
    118 #ifndef OPENSSL_NO_KRB5
    119 #include "kssl_lcl.h"
    120 #endif
    121 #include <openssl/buffer.h>
    122 #include <openssl/rand.h>
    123 #include <openssl/objects.h>
    124 #include <openssl/evp.h>
    125 #include <openssl/md5.h>
    126 #include <openssl/bn.h>
    127 #ifndef OPENSSL_NO_DH
    128 #include <openssl/dh.h>
    129 #endif
    130 
    131 static const SSL_METHOD *dtls1_get_client_method(int ver);
    132 static int dtls1_get_hello_verify(SSL *s);
    133 
    134 static const SSL_METHOD *dtls1_get_client_method(int ver)
    135 	{
    136 	if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
    137 		return(DTLSv1_client_method());
    138 	else
    139 		return(NULL);
    140 	}
    141 
    142 IMPLEMENT_dtls1_meth_func(DTLSv1_client_method,
    143 			ssl_undefined_function,
    144 			dtls1_connect,
    145 			dtls1_get_client_method)
    146 
    147 int dtls1_connect(SSL *s)
    148 	{
    149 	BUF_MEM *buf=NULL;
    150 	unsigned long Time=(unsigned long)time(NULL);
    151 	void (*cb)(const SSL *ssl,int type,int val)=NULL;
    152 	int ret= -1;
    153 	int new_state,state,skip=0;
    154 #ifndef OPENSSL_NO_SCTP
    155 	unsigned char sctpauthkey[64];
    156 	char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
    157 #endif
    158 
    159 	RAND_add(&Time,sizeof(Time),0);
    160 	ERR_clear_error();
    161 	clear_sys_error();
    162 
    163 	if (s->info_callback != NULL)
    164 		cb=s->info_callback;
    165 	else if (s->ctx->info_callback != NULL)
    166 		cb=s->ctx->info_callback;
    167 
    168 	s->in_handshake++;
    169 	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
    170 
    171 #ifndef OPENSSL_NO_SCTP
    172 	/* Notify SCTP BIO socket to enter handshake
    173 	 * mode and prevent stream identifier other
    174 	 * than 0. Will be ignored if no SCTP is used.
    175 	 */
    176 	BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, s->in_handshake, NULL);
    177 #endif
    178 
    179 #ifndef OPENSSL_NO_HEARTBEATS
    180 	/* If we're awaiting a HeartbeatResponse, pretend we
    181 	 * already got and don't await it anymore, because
    182 	 * Heartbeats don't make sense during handshakes anyway.
    183 	 */
    184 	if (s->tlsext_hb_pending)
    185 		{
    186 		dtls1_stop_timer(s);
    187 		s->tlsext_hb_pending = 0;
    188 		s->tlsext_hb_seq++;
    189 		}
    190 #endif
    191 
    192 	for (;;)
    193 		{
    194 		state=s->state;
    195 
    196 		switch(s->state)
    197 			{
    198 		case SSL_ST_RENEGOTIATE:
    199 			s->renegotiate=1;
    200 			s->state=SSL_ST_CONNECT;
    201 			s->ctx->stats.sess_connect_renegotiate++;
    202 			/* break */
    203 		case SSL_ST_BEFORE:
    204 		case SSL_ST_CONNECT:
    205 		case SSL_ST_BEFORE|SSL_ST_CONNECT:
    206 		case SSL_ST_OK|SSL_ST_CONNECT:
    207 
    208 			s->server=0;
    209 			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
    210 
    211 			if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00) &&
    212 			    (s->version & 0xff00 ) != (DTLS1_BAD_VER & 0xff00))
    213 				{
    214 				SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR);
    215 				ret = -1;
    216 				goto end;
    217 				}
    218 
    219 			/* s->version=SSL3_VERSION; */
    220 			s->type=SSL_ST_CONNECT;
    221 
    222 			if (s->init_buf == NULL)
    223 				{
    224 				if ((buf=BUF_MEM_new()) == NULL)
    225 					{
    226 					ret= -1;
    227 					goto end;
    228 					}
    229 				if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
    230 					{
    231 					ret= -1;
    232 					goto end;
    233 					}
    234 				s->init_buf=buf;
    235 				buf=NULL;
    236 				}
    237 
    238 			if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
    239 
    240 			/* setup buffing BIO */
    241 			if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
    242 
    243 			/* don't push the buffering BIO quite yet */
    244 
    245 			s->state=SSL3_ST_CW_CLNT_HELLO_A;
    246 			s->ctx->stats.sess_connect++;
    247 			s->init_num=0;
    248 			/* mark client_random uninitialized */
    249 			memset(s->s3->client_random,0,sizeof(s->s3->client_random));
    250 			s->d1->send_cookie = 0;
    251 			s->hit = 0;
    252 			break;
    253 
    254 #ifndef OPENSSL_NO_SCTP
    255 		case DTLS1_SCTP_ST_CR_READ_SOCK:
    256 
    257 			if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s)))
    258 			{
    259 				s->s3->in_read_app_data=2;
    260 				s->rwstate=SSL_READING;
    261 				BIO_clear_retry_flags(SSL_get_rbio(s));
    262 				BIO_set_retry_read(SSL_get_rbio(s));
    263 				ret = -1;
    264 				goto end;
    265 			}
    266 
    267 			s->state=s->s3->tmp.next_state;
    268 			break;
    269 
    270 		case DTLS1_SCTP_ST_CW_WRITE_SOCK:
    271 			/* read app data until dry event */
    272 
    273 			ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
    274 			if (ret < 0) goto end;
    275 
    276 			if (ret == 0)
    277 			{
    278 				s->s3->in_read_app_data=2;
    279 				s->rwstate=SSL_READING;
    280 				BIO_clear_retry_flags(SSL_get_rbio(s));
    281 				BIO_set_retry_read(SSL_get_rbio(s));
    282 				ret = -1;
    283 				goto end;
    284 			}
    285 
    286 			s->state=s->d1->next_state;
    287 			break;
    288 #endif
    289 
    290 		case SSL3_ST_CW_CLNT_HELLO_A:
    291 		case SSL3_ST_CW_CLNT_HELLO_B:
    292 
    293 			s->shutdown=0;
    294 
    295 			/* every DTLS ClientHello resets Finished MAC */
    296 			ssl3_init_finished_mac(s);
    297 
    298 			dtls1_start_timer(s);
    299 			ret=dtls1_client_hello(s);
    300 			if (ret <= 0) goto end;
    301 
    302 			if ( s->d1->send_cookie)
    303 				{
    304 				s->state=SSL3_ST_CW_FLUSH;
    305 				s->s3->tmp.next_state=SSL3_ST_CR_SRVR_HELLO_A;
    306 				}
    307 			else
    308 				s->state=SSL3_ST_CR_SRVR_HELLO_A;
    309 
    310 			s->init_num=0;
    311 
    312 #ifndef OPENSSL_NO_SCTP
    313 			/* Disable buffering for SCTP */
    314 			if (!BIO_dgram_is_sctp(SSL_get_wbio(s)))
    315 				{
    316 #endif
    317 				/* turn on buffering for the next lot of output */
    318 				if (s->bbio != s->wbio)
    319 					s->wbio=BIO_push(s->bbio,s->wbio);
    320 #ifndef OPENSSL_NO_SCTP
    321 				}
    322 #endif
    323 
    324 			break;
    325 
    326 		case SSL3_ST_CR_SRVR_HELLO_A:
    327 		case SSL3_ST_CR_SRVR_HELLO_B:
    328 			ret=ssl3_get_server_hello(s);
    329 			if (ret <= 0) goto end;
    330 			else
    331 				{
    332 				if (s->hit)
    333 					{
    334 #ifndef OPENSSL_NO_SCTP
    335 					/* Add new shared key for SCTP-Auth,
    336 					 * will be ignored if no SCTP used.
    337 					 */
    338 					snprintf((char*) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
    339 					         DTLS1_SCTP_AUTH_LABEL);
    340 
    341 					SSL_export_keying_material(s, sctpauthkey,
    342 					                           sizeof(sctpauthkey), labelbuffer,
    343 					                           sizeof(labelbuffer), NULL, 0, 0);
    344 
    345 					BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
    346 							 sizeof(sctpauthkey), sctpauthkey);
    347 #endif
    348 
    349 					s->state=SSL3_ST_CR_FINISHED_A;
    350 					}
    351 				else
    352 					s->state=DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
    353 				}
    354 			s->init_num=0;
    355 			break;
    356 
    357 		case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
    358 		case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B:
    359 
    360 			ret = dtls1_get_hello_verify(s);
    361 			if ( ret <= 0)
    362 				goto end;
    363 			dtls1_stop_timer(s);
    364 			if ( s->d1->send_cookie) /* start again, with a cookie */
    365 				s->state=SSL3_ST_CW_CLNT_HELLO_A;
    366 			else
    367 				s->state = SSL3_ST_CR_CERT_A;
    368 			s->init_num = 0;
    369 			break;
    370 
    371 		case SSL3_ST_CR_CERT_A:
    372 		case SSL3_ST_CR_CERT_B:
    373 #ifndef OPENSSL_NO_TLSEXT
    374 			ret=ssl3_check_finished(s);
    375 			if (ret <= 0) goto end;
    376 			if (ret == 2)
    377 				{
    378 				s->hit = 1;
    379 				if (s->tlsext_ticket_expected)
    380 					s->state=SSL3_ST_CR_SESSION_TICKET_A;
    381 				else
    382 					s->state=SSL3_ST_CR_FINISHED_A;
    383 				s->init_num=0;
    384 				break;
    385 				}
    386 #endif
    387 			/* Check if it is anon DH or PSK */
    388 			if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
    389 			    !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
    390 				{
    391 				ret=ssl3_get_server_certificate(s);
    392 				if (ret <= 0) goto end;
    393 #ifndef OPENSSL_NO_TLSEXT
    394 				if (s->tlsext_status_expected)
    395 					s->state=SSL3_ST_CR_CERT_STATUS_A;
    396 				else
    397 					s->state=SSL3_ST_CR_KEY_EXCH_A;
    398 				}
    399 			else
    400 				{
    401 				skip = 1;
    402 				s->state=SSL3_ST_CR_KEY_EXCH_A;
    403 				}
    404 #else
    405 				}
    406 			else
    407 				skip=1;
    408 
    409 			s->state=SSL3_ST_CR_KEY_EXCH_A;
    410 #endif
    411 			s->init_num=0;
    412 			break;
    413 
    414 		case SSL3_ST_CR_KEY_EXCH_A:
    415 		case SSL3_ST_CR_KEY_EXCH_B:
    416 			ret=ssl3_get_key_exchange(s);
    417 			if (ret <= 0) goto end;
    418 			s->state=SSL3_ST_CR_CERT_REQ_A;
    419 			s->init_num=0;
    420 
    421 			/* at this point we check that we have the
    422 			 * required stuff from the server */
    423 			if (!ssl3_check_cert_and_algorithm(s))
    424 				{
    425 				ret= -1;
    426 				goto end;
    427 				}
    428 			break;
    429 
    430 		case SSL3_ST_CR_CERT_REQ_A:
    431 		case SSL3_ST_CR_CERT_REQ_B:
    432 			ret=ssl3_get_certificate_request(s);
    433 			if (ret <= 0) goto end;
    434 			s->state=SSL3_ST_CR_SRVR_DONE_A;
    435 			s->init_num=0;
    436 			break;
    437 
    438 		case SSL3_ST_CR_SRVR_DONE_A:
    439 		case SSL3_ST_CR_SRVR_DONE_B:
    440 			ret=ssl3_get_server_done(s);
    441 			if (ret <= 0) goto end;
    442 			dtls1_stop_timer(s);
    443 			if (s->s3->tmp.cert_req)
    444 				s->s3->tmp.next_state=SSL3_ST_CW_CERT_A;
    445 			else
    446 				s->s3->tmp.next_state=SSL3_ST_CW_KEY_EXCH_A;
    447 			s->init_num=0;
    448 
    449 #ifndef OPENSSL_NO_SCTP
    450 			if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
    451 			    state == SSL_ST_RENEGOTIATE)
    452 				s->state=DTLS1_SCTP_ST_CR_READ_SOCK;
    453 			else
    454 #endif
    455 			s->state=s->s3->tmp.next_state;
    456 			break;
    457 
    458 		case SSL3_ST_CW_CERT_A:
    459 		case SSL3_ST_CW_CERT_B:
    460 		case SSL3_ST_CW_CERT_C:
    461 		case SSL3_ST_CW_CERT_D:
    462 			dtls1_start_timer(s);
    463 			ret=dtls1_send_client_certificate(s);
    464 			if (ret <= 0) goto end;
    465 			s->state=SSL3_ST_CW_KEY_EXCH_A;
    466 			s->init_num=0;
    467 			break;
    468 
    469 		case SSL3_ST_CW_KEY_EXCH_A:
    470 		case SSL3_ST_CW_KEY_EXCH_B:
    471 			dtls1_start_timer(s);
    472 			ret=dtls1_send_client_key_exchange(s);
    473 			if (ret <= 0) goto end;
    474 
    475 #ifndef OPENSSL_NO_SCTP
    476 			/* Add new shared key for SCTP-Auth,
    477 			 * will be ignored if no SCTP used.
    478 			 */
    479 			snprintf((char*) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
    480 			         DTLS1_SCTP_AUTH_LABEL);
    481 
    482 			SSL_export_keying_material(s, sctpauthkey,
    483 			                           sizeof(sctpauthkey), labelbuffer,
    484 			                           sizeof(labelbuffer), NULL, 0, 0);
    485 
    486 			BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
    487 					 sizeof(sctpauthkey), sctpauthkey);
    488 #endif
    489 
    490 			/* EAY EAY EAY need to check for DH fix cert
    491 			 * sent back */
    492 			/* For TLS, cert_req is set to 2, so a cert chain
    493 			 * of nothing is sent, but no verify packet is sent */
    494 			if (s->s3->tmp.cert_req == 1)
    495 				{
    496 				s->state=SSL3_ST_CW_CERT_VRFY_A;
    497 				}
    498 			else
    499 				{
    500 #ifndef OPENSSL_NO_SCTP
    501 				if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
    502 					{
    503 					s->d1->next_state=SSL3_ST_CW_CHANGE_A;
    504 					s->state=DTLS1_SCTP_ST_CW_WRITE_SOCK;
    505 					}
    506 				else
    507 #endif
    508 					s->state=SSL3_ST_CW_CHANGE_A;
    509 				s->s3->change_cipher_spec=0;
    510 				}
    511 
    512 			s->init_num=0;
    513 			break;
    514 
    515 		case SSL3_ST_CW_CERT_VRFY_A:
    516 		case SSL3_ST_CW_CERT_VRFY_B:
    517 			dtls1_start_timer(s);
    518 			ret=dtls1_send_client_verify(s);
    519 			if (ret <= 0) goto end;
    520 #ifndef OPENSSL_NO_SCTP
    521 			if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
    522 			{
    523 				s->d1->next_state=SSL3_ST_CW_CHANGE_A;
    524 				s->state=DTLS1_SCTP_ST_CW_WRITE_SOCK;
    525 			}
    526 			else
    527 #endif
    528 				s->state=SSL3_ST_CW_CHANGE_A;
    529 			s->init_num=0;
    530 			s->s3->change_cipher_spec=0;
    531 			break;
    532 
    533 		case SSL3_ST_CW_CHANGE_A:
    534 		case SSL3_ST_CW_CHANGE_B:
    535 			if (!s->hit)
    536 				dtls1_start_timer(s);
    537 			ret=dtls1_send_change_cipher_spec(s,
    538 				SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
    539 			if (ret <= 0) goto end;
    540 
    541 #ifndef OPENSSL_NO_SCTP
    542 			/* Change to new shared key of SCTP-Auth,
    543 			 * will be ignored if no SCTP used.
    544 			 */
    545 			BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
    546 #endif
    547 
    548 			s->state=SSL3_ST_CW_FINISHED_A;
    549 			s->init_num=0;
    550 
    551 			s->session->cipher=s->s3->tmp.new_cipher;
    552 #ifdef OPENSSL_NO_COMP
    553 			s->session->compress_meth=0;
    554 #else
    555 			if (s->s3->tmp.new_compression == NULL)
    556 				s->session->compress_meth=0;
    557 			else
    558 				s->session->compress_meth=
    559 					s->s3->tmp.new_compression->id;
    560 #endif
    561 			if (!s->method->ssl3_enc->setup_key_block(s))
    562 				{
    563 				ret= -1;
    564 				goto end;
    565 				}
    566 
    567 			if (!s->method->ssl3_enc->change_cipher_state(s,
    568 				SSL3_CHANGE_CIPHER_CLIENT_WRITE))
    569 				{
    570 				ret= -1;
    571 				goto end;
    572 				}
    573 
    574 			dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
    575 			break;
    576 
    577 		case SSL3_ST_CW_FINISHED_A:
    578 		case SSL3_ST_CW_FINISHED_B:
    579 			if (!s->hit)
    580 				dtls1_start_timer(s);
    581 			ret=dtls1_send_finished(s,
    582 				SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
    583 				s->method->ssl3_enc->client_finished_label,
    584 				s->method->ssl3_enc->client_finished_label_len);
    585 			if (ret <= 0) goto end;
    586 			s->state=SSL3_ST_CW_FLUSH;
    587 
    588 			/* clear flags */
    589 			s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
    590 			if (s->hit)
    591 				{
    592 				s->s3->tmp.next_state=SSL_ST_OK;
    593 #ifndef OPENSSL_NO_SCTP
    594 				if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
    595 					{
    596 						s->d1->next_state = s->s3->tmp.next_state;
    597 						s->s3->tmp.next_state=DTLS1_SCTP_ST_CW_WRITE_SOCK;
    598 					}
    599 #endif
    600 				if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
    601 					{
    602 					s->state=SSL_ST_OK;
    603 #ifndef OPENSSL_NO_SCTP
    604 					if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
    605 						{
    606 							s->d1->next_state = SSL_ST_OK;
    607 							s->state=DTLS1_SCTP_ST_CW_WRITE_SOCK;
    608 						}
    609 #endif
    610 					s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
    611 					s->s3->delay_buf_pop_ret=0;
    612 					}
    613 				}
    614 			else
    615 				{
    616 #ifndef OPENSSL_NO_TLSEXT
    617 				/* Allow NewSessionTicket if ticket expected */
    618 				if (s->tlsext_ticket_expected)
    619 					s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A;
    620 				else
    621 #endif
    622 
    623 				s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
    624 				}
    625 			s->init_num=0;
    626 			break;
    627 
    628 #ifndef OPENSSL_NO_TLSEXT
    629 		case SSL3_ST_CR_SESSION_TICKET_A:
    630 		case SSL3_ST_CR_SESSION_TICKET_B:
    631 			ret=ssl3_get_new_session_ticket(s);
    632 			if (ret <= 0) goto end;
    633 			s->state=SSL3_ST_CR_FINISHED_A;
    634 			s->init_num=0;
    635 		break;
    636 
    637 		case SSL3_ST_CR_CERT_STATUS_A:
    638 		case SSL3_ST_CR_CERT_STATUS_B:
    639 			ret=ssl3_get_cert_status(s);
    640 			if (ret <= 0) goto end;
    641 			s->state=SSL3_ST_CR_KEY_EXCH_A;
    642 			s->init_num=0;
    643 		break;
    644 #endif
    645 
    646 		case SSL3_ST_CR_FINISHED_A:
    647 		case SSL3_ST_CR_FINISHED_B:
    648 			s->d1->change_cipher_spec_ok = 1;
    649 			ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
    650 				SSL3_ST_CR_FINISHED_B);
    651 			if (ret <= 0) goto end;
    652 			dtls1_stop_timer(s);
    653 
    654 			if (s->hit)
    655 				s->state=SSL3_ST_CW_CHANGE_A;
    656 			else
    657 				s->state=SSL_ST_OK;
    658 
    659 #ifndef OPENSSL_NO_SCTP
    660 			if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
    661 				state == SSL_ST_RENEGOTIATE)
    662 				{
    663 				s->d1->next_state=s->state;
    664 				s->state=DTLS1_SCTP_ST_CW_WRITE_SOCK;
    665 				}
    666 #endif
    667 
    668 			s->init_num=0;
    669 			break;
    670 
    671 		case SSL3_ST_CW_FLUSH:
    672 			s->rwstate=SSL_WRITING;
    673 			if (BIO_flush(s->wbio) <= 0)
    674 				{
    675 				/* If the write error was fatal, stop trying */
    676 				if (!BIO_should_retry(s->wbio))
    677 					{
    678 					s->rwstate=SSL_NOTHING;
    679 					s->state=s->s3->tmp.next_state;
    680 					}
    681 
    682 				ret= -1;
    683 				goto end;
    684 				}
    685 			s->rwstate=SSL_NOTHING;
    686 			s->state=s->s3->tmp.next_state;
    687 			break;
    688 
    689 		case SSL_ST_OK:
    690 			/* clean a few things up */
    691 			ssl3_cleanup_key_block(s);
    692 
    693 #if 0
    694 			if (s->init_buf != NULL)
    695 				{
    696 				BUF_MEM_free(s->init_buf);
    697 				s->init_buf=NULL;
    698 				}
    699 #endif
    700 
    701 			/* If we are not 'joining' the last two packets,
    702 			 * remove the buffering now */
    703 			if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
    704 				ssl_free_wbio_buffer(s);
    705 			/* else do it later in ssl3_write */
    706 
    707 			s->init_num=0;
    708 			s->renegotiate=0;
    709 			s->new_session=0;
    710 
    711 			ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
    712 			if (s->hit) s->ctx->stats.sess_hit++;
    713 
    714 			ret=1;
    715 			/* s->server=0; */
    716 			s->handshake_func=dtls1_connect;
    717 			s->ctx->stats.sess_connect_good++;
    718 
    719 			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
    720 
    721 			/* done with handshaking */
    722 			s->d1->handshake_read_seq  = 0;
    723 			s->d1->next_handshake_write_seq = 0;
    724 			goto end;
    725 			/* break; */
    726 
    727 		default:
    728 			SSLerr(SSL_F_DTLS1_CONNECT,SSL_R_UNKNOWN_STATE);
    729 			ret= -1;
    730 			goto end;
    731 			/* break; */
    732 			}
    733 
    734 		/* did we do anything */
    735 		if (!s->s3->tmp.reuse_message && !skip)
    736 			{
    737 			if (s->debug)
    738 				{
    739 				if ((ret=BIO_flush(s->wbio)) <= 0)
    740 					goto end;
    741 				}
    742 
    743 			if ((cb != NULL) && (s->state != state))
    744 				{
    745 				new_state=s->state;
    746 				s->state=state;
    747 				cb(s,SSL_CB_CONNECT_LOOP,1);
    748 				s->state=new_state;
    749 				}
    750 			}
    751 		skip=0;
    752 		}
    753 end:
    754 	s->in_handshake--;
    755 
    756 #ifndef OPENSSL_NO_SCTP
    757 	/* Notify SCTP BIO socket to leave handshake
    758 	 * mode and allow stream identifier other
    759 	 * than 0. Will be ignored if no SCTP is used.
    760 	 */
    761 	BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, s->in_handshake, NULL);
    762 #endif
    763 
    764 	if (buf != NULL)
    765 		BUF_MEM_free(buf);
    766 	if (cb != NULL)
    767 		cb(s,SSL_CB_CONNECT_EXIT,ret);
    768 	return(ret);
    769 	}
    770 
    771 int dtls1_client_hello(SSL *s)
    772 	{
    773 	unsigned char *buf;
    774 	unsigned char *p,*d;
    775 	unsigned int i,j;
    776 	unsigned long Time,l;
    777 	SSL_COMP *comp;
    778 
    779 	buf=(unsigned char *)s->init_buf->data;
    780 	if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
    781 		{
    782 		SSL_SESSION *sess = s->session;
    783 		if ((s->session == NULL) ||
    784 			(s->session->ssl_version != s->version) ||
    785 #ifdef OPENSSL_NO_TLSEXT
    786 			!sess->session_id_length ||
    787 #else
    788 			(!sess->session_id_length && !sess->tlsext_tick) ||
    789 #endif
    790 			(s->session->not_resumable))
    791 			{
    792 		        if (!s->session_creation_enabled)
    793 				{
    794 				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
    795 				SSLerr(SSL_F_DTLS1_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED);
    796 				goto err;
    797 				}
    798 			if (!ssl_get_new_session(s,0))
    799 				goto err;
    800 			}
    801 		/* else use the pre-loaded session */
    802 
    803 		p=s->s3->client_random;
    804 
    805 		/* if client_random is initialized, reuse it, we are
    806 		 * required to use same upon reply to HelloVerify */
    807 		for (i=0;p[i]=='\0' && i<sizeof(s->s3->client_random);i++) ;
    808 		if (i==sizeof(s->s3->client_random))
    809 			{
    810 			Time=(unsigned long)time(NULL);	/* Time */
    811 			l2n(Time,p);
    812 			RAND_pseudo_bytes(p,sizeof(s->s3->client_random)-4);
    813 			}
    814 
    815 		/* Do the message type and length last */
    816 		d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
    817 
    818 		*(p++)=s->version>>8;
    819 		*(p++)=s->version&0xff;
    820 		s->client_version=s->version;
    821 
    822 		/* Random stuff */
    823 		memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
    824 		p+=SSL3_RANDOM_SIZE;
    825 
    826 		/* Session ID */
    827 		if (s->new_session)
    828 			i=0;
    829 		else
    830 			i=s->session->session_id_length;
    831 		*(p++)=i;
    832 		if (i != 0)
    833 			{
    834 			if (i > sizeof s->session->session_id)
    835 				{
    836 				SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
    837 				goto err;
    838 				}
    839 			memcpy(p,s->session->session_id,i);
    840 			p+=i;
    841 			}
    842 
    843 		/* cookie stuff */
    844 		if ( s->d1->cookie_len > sizeof(s->d1->cookie))
    845 			{
    846 			SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
    847 			goto err;
    848 			}
    849 		*(p++) = s->d1->cookie_len;
    850 		memcpy(p, s->d1->cookie, s->d1->cookie_len);
    851 		p += s->d1->cookie_len;
    852 
    853 		/* Ciphers supported */
    854 		i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0);
    855 		if (i == 0)
    856 			{
    857 			SSLerr(SSL_F_DTLS1_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
    858 			goto err;
    859 			}
    860 		s2n(i,p);
    861 		p+=i;
    862 
    863 		/* COMPRESSION */
    864 		if (s->ctx->comp_methods == NULL)
    865 			j=0;
    866 		else
    867 			j=sk_SSL_COMP_num(s->ctx->comp_methods);
    868 		*(p++)=1+j;
    869 		for (i=0; i<j; i++)
    870 			{
    871 			comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
    872 			*(p++)=comp->id;
    873 			}
    874 		*(p++)=0; /* Add the NULL method */
    875 
    876 #ifndef OPENSSL_NO_TLSEXT
    877 		if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
    878 			{
    879 			SSLerr(SSL_F_DTLS1_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
    880 			goto err;
    881 			}
    882 #endif
    883 
    884 		l=(p-d);
    885 		d=buf;
    886 
    887 		d = dtls1_set_message_header(s, d, SSL3_MT_CLIENT_HELLO, l, 0, l);
    888 
    889 		s->state=SSL3_ST_CW_CLNT_HELLO_B;
    890 		/* number of bytes to write */
    891 		s->init_num=p-buf;
    892 		s->init_off=0;
    893 
    894 		/* buffer the message to handle re-xmits */
    895 		dtls1_buffer_message(s, 0);
    896 		}
    897 
    898 	/* SSL3_ST_CW_CLNT_HELLO_B */
    899 	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
    900 err:
    901 	return(-1);
    902 	}
    903 
    904 static int dtls1_get_hello_verify(SSL *s)
    905 	{
    906 	int n, al, ok = 0;
    907 	unsigned char *data;
    908 	unsigned int cookie_len;
    909 
    910 	n=s->method->ssl_get_message(s,
    911 		DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A,
    912 		DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B,
    913 		-1,
    914 		s->max_cert_list,
    915 		&ok);
    916 
    917 	if (!ok) return((int)n);
    918 
    919 	if (s->s3->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST)
    920 		{
    921 		s->d1->send_cookie = 0;
    922 		s->s3->tmp.reuse_message=1;
    923 		return(1);
    924 		}
    925 
    926 	data = (unsigned char *)s->init_msg;
    927 
    928 	if ((data[0] != (s->version>>8)) || (data[1] != (s->version&0xff)))
    929 		{
    930 		SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY,SSL_R_WRONG_SSL_VERSION);
    931 		s->version=(s->version&0xff00)|data[1];
    932 		al = SSL_AD_PROTOCOL_VERSION;
    933 		goto f_err;
    934 		}
    935 	data+=2;
    936 
    937 	cookie_len = *(data++);
    938 	if ( cookie_len > sizeof(s->d1->cookie))
    939 		{
    940 		al=SSL_AD_ILLEGAL_PARAMETER;
    941 		goto f_err;
    942 		}
    943 
    944 	memcpy(s->d1->cookie, data, cookie_len);
    945 	s->d1->cookie_len = cookie_len;
    946 
    947 	s->d1->send_cookie = 1;
    948 	return 1;
    949 
    950 f_err:
    951 	ssl3_send_alert(s, SSL3_AL_FATAL, al);
    952 	return -1;
    953 	}
    954 
    955 int dtls1_send_client_key_exchange(SSL *s)
    956 	{
    957 	unsigned char *p,*d;
    958 	int n;
    959 	unsigned long alg_k;
    960 #ifndef OPENSSL_NO_RSA
    961 	unsigned char *q;
    962 	EVP_PKEY *pkey=NULL;
    963 #endif
    964 #ifndef OPENSSL_NO_KRB5
    965         KSSL_ERR kssl_err;
    966 #endif /* OPENSSL_NO_KRB5 */
    967 #ifndef OPENSSL_NO_ECDH
    968 	EC_KEY *clnt_ecdh = NULL;
    969 	const EC_POINT *srvr_ecpoint = NULL;
    970 	EVP_PKEY *srvr_pub_pkey = NULL;
    971 	unsigned char *encodedPoint = NULL;
    972 	int encoded_pt_len = 0;
    973 	BN_CTX * bn_ctx = NULL;
    974 #endif
    975 
    976 	if (s->state == SSL3_ST_CW_KEY_EXCH_A)
    977 		{
    978 		d=(unsigned char *)s->init_buf->data;
    979 		p= &(d[DTLS1_HM_HEADER_LENGTH]);
    980 
    981 		alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
    982 
    983                 /* Fool emacs indentation */
    984                 if (0) {}
    985 #ifndef OPENSSL_NO_RSA
    986 		else if (alg_k & SSL_kRSA)
    987 			{
    988 			RSA *rsa;
    989 			unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
    990 
    991 			if (s->session->sess_cert->peer_rsa_tmp != NULL)
    992 				rsa=s->session->sess_cert->peer_rsa_tmp;
    993 			else
    994 				{
    995 				pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
    996 				if ((pkey == NULL) ||
    997 					(pkey->type != EVP_PKEY_RSA) ||
    998 					(pkey->pkey.rsa == NULL))
    999 					{
   1000 					SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
   1001 					goto err;
   1002 					}
   1003 				rsa=pkey->pkey.rsa;
   1004 				EVP_PKEY_free(pkey);
   1005 				}
   1006 
   1007 			tmp_buf[0]=s->client_version>>8;
   1008 			tmp_buf[1]=s->client_version&0xff;
   1009 			if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
   1010 					goto err;
   1011 
   1012 			s->session->master_key_length=sizeof tmp_buf;
   1013 
   1014 			q=p;
   1015 			/* Fix buf for TLS and [incidentally] DTLS */
   1016 			if (s->version > SSL3_VERSION)
   1017 				p+=2;
   1018 			n=RSA_public_encrypt(sizeof tmp_buf,
   1019 				tmp_buf,p,rsa,RSA_PKCS1_PADDING);
   1020 #ifdef PKCS1_CHECK
   1021 			if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
   1022 			if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70;
   1023 #endif
   1024 			if (n <= 0)
   1025 				{
   1026 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
   1027 				goto err;
   1028 				}
   1029 
   1030 			/* Fix buf for TLS and [incidentally] DTLS */
   1031 			if (s->version > SSL3_VERSION)
   1032 				{
   1033 				s2n(n,q);
   1034 				n+=2;
   1035 				}
   1036 
   1037 			s->session->master_key_length=
   1038 				s->method->ssl3_enc->generate_master_secret(s,
   1039 					s->session->master_key,
   1040 					tmp_buf,sizeof tmp_buf);
   1041 			OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
   1042 			}
   1043 #endif
   1044 #ifndef OPENSSL_NO_KRB5
   1045 		else if (alg_k & SSL_kKRB5)
   1046                         {
   1047                         krb5_error_code	krb5rc;
   1048                         KSSL_CTX	*kssl_ctx = s->kssl_ctx;
   1049                         /*  krb5_data	krb5_ap_req;  */
   1050                         krb5_data	*enc_ticket;
   1051                         krb5_data	authenticator, *authp = NULL;
   1052 			EVP_CIPHER_CTX	ciph_ctx;
   1053 			const EVP_CIPHER *enc = NULL;
   1054 			unsigned char	iv[EVP_MAX_IV_LENGTH];
   1055 			unsigned char	tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
   1056 			unsigned char	epms[SSL_MAX_MASTER_KEY_LENGTH
   1057 						+ EVP_MAX_IV_LENGTH];
   1058 			int 		padl, outl = sizeof(epms);
   1059 
   1060 			EVP_CIPHER_CTX_init(&ciph_ctx);
   1061 
   1062 #ifdef KSSL_DEBUG
   1063                         printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
   1064                                 alg_k, SSL_kKRB5);
   1065 #endif	/* KSSL_DEBUG */
   1066 
   1067 			authp = NULL;
   1068 #ifdef KRB5SENDAUTH
   1069 			if (KRB5SENDAUTH)  authp = &authenticator;
   1070 #endif	/* KRB5SENDAUTH */
   1071 
   1072                         krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp,
   1073 				&kssl_err);
   1074 			enc = kssl_map_enc(kssl_ctx->enctype);
   1075                         if (enc == NULL)
   1076                             goto err;
   1077 #ifdef KSSL_DEBUG
   1078                         {
   1079                         printf("kssl_cget_tkt rtn %d\n", krb5rc);
   1080                         if (krb5rc && kssl_err.text)
   1081 			  printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
   1082                         }
   1083 #endif	/* KSSL_DEBUG */
   1084 
   1085                         if (krb5rc)
   1086                                 {
   1087                                 ssl3_send_alert(s,SSL3_AL_FATAL,
   1088 						SSL_AD_HANDSHAKE_FAILURE);
   1089                                 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
   1090 						kssl_err.reason);
   1091                                 goto err;
   1092                                 }
   1093 
   1094 			/*  20010406 VRS - Earlier versions used KRB5 AP_REQ
   1095 			**  in place of RFC 2712 KerberosWrapper, as in:
   1096 			**
   1097                         **  Send ticket (copy to *p, set n = length)
   1098                         **  n = krb5_ap_req.length;
   1099                         **  memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
   1100                         **  if (krb5_ap_req.data)
   1101                         **    kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
   1102                         **
   1103 			**  Now using real RFC 2712 KerberosWrapper
   1104 			**  (Thanks to Simon Wilkinson <sxw (at) sxw.org.uk>)
   1105 			**  Note: 2712 "opaque" types are here replaced
   1106 			**  with a 2-byte length followed by the value.
   1107 			**  Example:
   1108 			**  KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
   1109 			**  Where "xx xx" = length bytes.  Shown here with
   1110 			**  optional authenticator omitted.
   1111 			*/
   1112 
   1113 			/*  KerberosWrapper.Ticket		*/
   1114 			s2n(enc_ticket->length,p);
   1115 			memcpy(p, enc_ticket->data, enc_ticket->length);
   1116 			p+= enc_ticket->length;
   1117 			n = enc_ticket->length + 2;
   1118 
   1119 			/*  KerberosWrapper.Authenticator	*/
   1120 			if (authp  &&  authp->length)
   1121 				{
   1122 				s2n(authp->length,p);
   1123 				memcpy(p, authp->data, authp->length);
   1124 				p+= authp->length;
   1125 				n+= authp->length + 2;
   1126 
   1127 				free(authp->data);
   1128 				authp->data = NULL;
   1129 				authp->length = 0;
   1130 				}
   1131 			else
   1132 				{
   1133 				s2n(0,p);/*  null authenticator length	*/
   1134 				n+=2;
   1135 				}
   1136 
   1137 			if (RAND_bytes(tmp_buf,sizeof tmp_buf) <= 0)
   1138 			    goto err;
   1139 
   1140 			/*  20010420 VRS.  Tried it this way; failed.
   1141 			**	EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
   1142 			**	EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
   1143 			**				kssl_ctx->length);
   1144 			**	EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
   1145 			*/
   1146 
   1147 			memset(iv, 0, sizeof iv);  /* per RFC 1510 */
   1148 			EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,
   1149 				kssl_ctx->key,iv);
   1150 			EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf,
   1151 				sizeof tmp_buf);
   1152 			EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl);
   1153 			outl += padl;
   1154 			if (outl > (int)sizeof epms)
   1155 				{
   1156 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
   1157 				goto err;
   1158 				}
   1159 			EVP_CIPHER_CTX_cleanup(&ciph_ctx);
   1160 
   1161 			/*  KerberosWrapper.EncryptedPreMasterSecret	*/
   1162 			s2n(outl,p);
   1163 			memcpy(p, epms, outl);
   1164 			p+=outl;
   1165 			n+=outl + 2;
   1166 
   1167                         s->session->master_key_length=
   1168                                 s->method->ssl3_enc->generate_master_secret(s,
   1169 					s->session->master_key,
   1170 					tmp_buf, sizeof tmp_buf);
   1171 
   1172 			OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
   1173 			OPENSSL_cleanse(epms, outl);
   1174                         }
   1175 #endif
   1176 #ifndef OPENSSL_NO_DH
   1177 		else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
   1178 			{
   1179 			DH *dh_srvr,*dh_clnt;
   1180 
   1181 			if (s->session->sess_cert->peer_dh_tmp != NULL)
   1182 				dh_srvr=s->session->sess_cert->peer_dh_tmp;
   1183 			else
   1184 				{
   1185 				/* we get them from the cert */
   1186 				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
   1187 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
   1188 				goto err;
   1189 				}
   1190 
   1191 			/* generate a new random key */
   1192 			if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
   1193 				{
   1194 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
   1195 				goto err;
   1196 				}
   1197 			if (!DH_generate_key(dh_clnt))
   1198 				{
   1199 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
   1200 				goto err;
   1201 				}
   1202 
   1203 			/* use the 'p' output buffer for the DH key, but
   1204 			 * make sure to clear it out afterwards */
   1205 
   1206 			n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt);
   1207 
   1208 			if (n <= 0)
   1209 				{
   1210 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
   1211 				goto err;
   1212 				}
   1213 
   1214 			/* generate master key from the result */
   1215 			s->session->master_key_length=
   1216 				s->method->ssl3_enc->generate_master_secret(s,
   1217 					s->session->master_key,p,n);
   1218 			/* clean up */
   1219 			memset(p,0,n);
   1220 
   1221 			/* send off the data */
   1222 			n=BN_num_bytes(dh_clnt->pub_key);
   1223 			s2n(n,p);
   1224 			BN_bn2bin(dh_clnt->pub_key,p);
   1225 			n+=2;
   1226 
   1227 			DH_free(dh_clnt);
   1228 
   1229 			/* perhaps clean things up a bit EAY EAY EAY EAY*/
   1230 			}
   1231 #endif
   1232 #ifndef OPENSSL_NO_ECDH
   1233 		else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe))
   1234 			{
   1235 			const EC_GROUP *srvr_group = NULL;
   1236 			EC_KEY *tkey;
   1237 			int ecdh_clnt_cert = 0;
   1238 			int field_size = 0;
   1239 
   1240 			/* Did we send out the client's
   1241 			 * ECDH share for use in premaster
   1242 			 * computation as part of client certificate?
   1243 			 * If so, set ecdh_clnt_cert to 1.
   1244 			 */
   1245 			if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL))
   1246 				{
   1247 				/* XXX: For now, we do not support client
   1248 				 * authentication using ECDH certificates.
   1249 				 * To add such support, one needs to add
   1250 				 * code that checks for appropriate
   1251 				 * conditions and sets ecdh_clnt_cert to 1.
   1252 				 * For example, the cert have an ECC
   1253 				 * key on the same curve as the server's
   1254 				 * and the key should be authorized for
   1255 				 * key agreement.
   1256 				 *
   1257 				 * One also needs to add code in ssl3_connect
   1258 				 * to skip sending the certificate verify
   1259 				 * message.
   1260 				 *
   1261 				 * if ((s->cert->key->privatekey != NULL) &&
   1262 				 *     (s->cert->key->privatekey->type ==
   1263 				 *      EVP_PKEY_EC) && ...)
   1264 				 * ecdh_clnt_cert = 1;
   1265 				 */
   1266 				}
   1267 
   1268 			if (s->session->sess_cert->peer_ecdh_tmp != NULL)
   1269 				{
   1270 				tkey = s->session->sess_cert->peer_ecdh_tmp;
   1271 				}
   1272 			else
   1273 				{
   1274 				/* Get the Server Public Key from Cert */
   1275 				srvr_pub_pkey = X509_get_pubkey(s->session-> \
   1276 				    sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
   1277 				if ((srvr_pub_pkey == NULL) ||
   1278 				    (srvr_pub_pkey->type != EVP_PKEY_EC) ||
   1279 				    (srvr_pub_pkey->pkey.ec == NULL))
   1280 					{
   1281 					SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
   1282 					    ERR_R_INTERNAL_ERROR);
   1283 					goto err;
   1284 					}
   1285 
   1286 				tkey = srvr_pub_pkey->pkey.ec;
   1287 				}
   1288 
   1289 			srvr_group   = EC_KEY_get0_group(tkey);
   1290 			srvr_ecpoint = EC_KEY_get0_public_key(tkey);
   1291 
   1292 			if ((srvr_group == NULL) || (srvr_ecpoint == NULL))
   1293 				{
   1294 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
   1295 				    ERR_R_INTERNAL_ERROR);
   1296 				goto err;
   1297 				}
   1298 
   1299 			if ((clnt_ecdh=EC_KEY_new()) == NULL)
   1300 				{
   1301 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
   1302 				goto err;
   1303 				}
   1304 
   1305 			if (!EC_KEY_set_group(clnt_ecdh, srvr_group))
   1306 				{
   1307 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
   1308 				goto err;
   1309 				}
   1310 			if (ecdh_clnt_cert)
   1311 				{
   1312 				/* Reuse key info from our certificate
   1313 				 * We only need our private key to perform
   1314 				 * the ECDH computation.
   1315 				 */
   1316 				const BIGNUM *priv_key;
   1317 				tkey = s->cert->key->privatekey->pkey.ec;
   1318 				priv_key = EC_KEY_get0_private_key(tkey);
   1319 				if (priv_key == NULL)
   1320 					{
   1321 					SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
   1322 					goto err;
   1323 					}
   1324 				if (!EC_KEY_set_private_key(clnt_ecdh, priv_key))
   1325 					{
   1326 					SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
   1327 					goto err;
   1328 					}
   1329 				}
   1330 			else
   1331 				{
   1332 				/* Generate a new ECDH key pair */
   1333 				if (!(EC_KEY_generate_key(clnt_ecdh)))
   1334 					{
   1335 					SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
   1336 					goto err;
   1337 					}
   1338 				}
   1339 
   1340 			/* use the 'p' output buffer for the ECDH key, but
   1341 			 * make sure to clear it out afterwards
   1342 			 */
   1343 
   1344 			field_size = EC_GROUP_get_degree(srvr_group);
   1345 			if (field_size <= 0)
   1346 				{
   1347 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
   1348 				       ERR_R_ECDH_LIB);
   1349 				goto err;
   1350 				}
   1351 			n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL);
   1352 			if (n <= 0)
   1353 				{
   1354 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
   1355 				       ERR_R_ECDH_LIB);
   1356 				goto err;
   1357 				}
   1358 
   1359 			/* generate master key from the result */
   1360 			s->session->master_key_length = s->method->ssl3_enc \
   1361 			    -> generate_master_secret(s,
   1362 				s->session->master_key,
   1363 				p, n);
   1364 
   1365 			memset(p, 0, n); /* clean up */
   1366 
   1367 			if (ecdh_clnt_cert)
   1368 				{
   1369 				/* Send empty client key exch message */
   1370 				n = 0;
   1371 				}
   1372 			else
   1373 				{
   1374 				/* First check the size of encoding and
   1375 				 * allocate memory accordingly.
   1376 				 */
   1377 				encoded_pt_len =
   1378 				    EC_POINT_point2oct(srvr_group,
   1379 					EC_KEY_get0_public_key(clnt_ecdh),
   1380 					POINT_CONVERSION_UNCOMPRESSED,
   1381 					NULL, 0, NULL);
   1382 
   1383 				encodedPoint = (unsigned char *)
   1384 				    OPENSSL_malloc(encoded_pt_len *
   1385 					sizeof(unsigned char));
   1386 				bn_ctx = BN_CTX_new();
   1387 				if ((encodedPoint == NULL) ||
   1388 				    (bn_ctx == NULL))
   1389 					{
   1390 					SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
   1391 					goto err;
   1392 					}
   1393 
   1394 				/* Encode the public key */
   1395 				n = EC_POINT_point2oct(srvr_group,
   1396 				    EC_KEY_get0_public_key(clnt_ecdh),
   1397 				    POINT_CONVERSION_UNCOMPRESSED,
   1398 				    encodedPoint, encoded_pt_len, bn_ctx);
   1399 
   1400 				*p = n; /* length of encoded point */
   1401 				/* Encoded point will be copied here */
   1402 				p += 1;
   1403 				/* copy the point */
   1404 				memcpy((unsigned char *)p, encodedPoint, n);
   1405 				/* increment n to account for length field */
   1406 				n += 1;
   1407 				}
   1408 
   1409 			/* Free allocated memory */
   1410 			BN_CTX_free(bn_ctx);
   1411 			if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
   1412 			if (clnt_ecdh != NULL)
   1413 				 EC_KEY_free(clnt_ecdh);
   1414 			EVP_PKEY_free(srvr_pub_pkey);
   1415 			}
   1416 #endif /* !OPENSSL_NO_ECDH */
   1417 
   1418 #ifndef OPENSSL_NO_PSK
   1419 		else if (alg_k & SSL_kPSK)
   1420 			{
   1421 			char identity[PSK_MAX_IDENTITY_LEN];
   1422 			unsigned char *t = NULL;
   1423 			unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4];
   1424 			unsigned int pre_ms_len = 0, psk_len = 0;
   1425 			int psk_err = 1;
   1426 
   1427 			n = 0;
   1428 			if (s->psk_client_callback == NULL)
   1429 				{
   1430 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
   1431 					SSL_R_PSK_NO_CLIENT_CB);
   1432 				goto err;
   1433 				}
   1434 
   1435 			psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint,
   1436 				identity, PSK_MAX_IDENTITY_LEN,
   1437 				psk_or_pre_ms, sizeof(psk_or_pre_ms));
   1438 			if (psk_len > PSK_MAX_PSK_LEN)
   1439 				{
   1440 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
   1441 					ERR_R_INTERNAL_ERROR);
   1442 				goto psk_err;
   1443 				}
   1444 			else if (psk_len == 0)
   1445 				{
   1446 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
   1447 					SSL_R_PSK_IDENTITY_NOT_FOUND);
   1448 				goto psk_err;
   1449 				}
   1450 
   1451 			/* create PSK pre_master_secret */
   1452 			pre_ms_len = 2+psk_len+2+psk_len;
   1453 			t = psk_or_pre_ms;
   1454 			memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len);
   1455 			s2n(psk_len, t);
   1456 			memset(t, 0, psk_len);
   1457 			t+=psk_len;
   1458 			s2n(psk_len, t);
   1459 
   1460 			if (s->session->psk_identity_hint != NULL)
   1461 				OPENSSL_free(s->session->psk_identity_hint);
   1462 			s->session->psk_identity_hint = BUF_strdup(s->ctx->psk_identity_hint);
   1463 			if (s->ctx->psk_identity_hint != NULL &&
   1464 				s->session->psk_identity_hint == NULL)
   1465 				{
   1466 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
   1467 					ERR_R_MALLOC_FAILURE);
   1468 				goto psk_err;
   1469 				}
   1470 
   1471 			if (s->session->psk_identity != NULL)
   1472 				OPENSSL_free(s->session->psk_identity);
   1473 			s->session->psk_identity = BUF_strdup(identity);
   1474 			if (s->session->psk_identity == NULL)
   1475 				{
   1476 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
   1477 					ERR_R_MALLOC_FAILURE);
   1478 				goto psk_err;
   1479 				}
   1480 
   1481 			s->session->master_key_length =
   1482 				s->method->ssl3_enc->generate_master_secret(s,
   1483 					s->session->master_key,
   1484 					psk_or_pre_ms, pre_ms_len);
   1485 			n = strlen(identity);
   1486 			s2n(n, p);
   1487 			memcpy(p, identity, n);
   1488 			n+=2;
   1489 			psk_err = 0;
   1490 		psk_err:
   1491 			OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN);
   1492 			OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
   1493 			if (psk_err != 0)
   1494 				{
   1495 				ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
   1496 				goto err;
   1497 				}
   1498 			}
   1499 #endif
   1500 		else
   1501 			{
   1502 			ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
   1503 			SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
   1504 			goto err;
   1505 			}
   1506 
   1507 		d = dtls1_set_message_header(s, d,
   1508 		SSL3_MT_CLIENT_KEY_EXCHANGE, n, 0, n);
   1509 		/*
   1510 		 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE;
   1511 		 l2n3(n,d);
   1512 		 l2n(s->d1->handshake_write_seq,d);
   1513 		 s->d1->handshake_write_seq++;
   1514 		*/
   1515 
   1516 		s->state=SSL3_ST_CW_KEY_EXCH_B;
   1517 		/* number of bytes to write */
   1518 		s->init_num=n+DTLS1_HM_HEADER_LENGTH;
   1519 		s->init_off=0;
   1520 
   1521 		/* buffer the message to handle re-xmits */
   1522 		dtls1_buffer_message(s, 0);
   1523 		}
   1524 
   1525 	/* SSL3_ST_CW_KEY_EXCH_B */
   1526 	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
   1527 err:
   1528 #ifndef OPENSSL_NO_ECDH
   1529 	BN_CTX_free(bn_ctx);
   1530 	if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
   1531 	if (clnt_ecdh != NULL)
   1532 		EC_KEY_free(clnt_ecdh);
   1533 	EVP_PKEY_free(srvr_pub_pkey);
   1534 #endif
   1535 	return(-1);
   1536 	}
   1537 
   1538 int dtls1_send_client_verify(SSL *s)
   1539 	{
   1540 	unsigned char *p,*d;
   1541 	unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
   1542 	EVP_PKEY *pkey;
   1543 #ifndef OPENSSL_NO_RSA
   1544 	unsigned u=0;
   1545 #endif
   1546 	unsigned long n;
   1547 #if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
   1548 	int j;
   1549 #endif
   1550 
   1551 	if (s->state == SSL3_ST_CW_CERT_VRFY_A)
   1552 		{
   1553 		d=(unsigned char *)s->init_buf->data;
   1554 		p= &(d[DTLS1_HM_HEADER_LENGTH]);
   1555 		pkey=s->cert->key->privatekey;
   1556 
   1557 		s->method->ssl3_enc->cert_verify_mac(s,
   1558 		NID_sha1,
   1559 			&(data[MD5_DIGEST_LENGTH]));
   1560 
   1561 #ifndef OPENSSL_NO_RSA
   1562 		if (pkey->type == EVP_PKEY_RSA)
   1563 			{
   1564 			s->method->ssl3_enc->cert_verify_mac(s,
   1565 				NID_md5,
   1566 				&(data[0]));
   1567 			if (RSA_sign(NID_md5_sha1, data,
   1568 					 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
   1569 					&(p[2]), &u, pkey->pkey.rsa) <= 0 )
   1570 				{
   1571 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
   1572 				goto err;
   1573 				}
   1574 			s2n(u,p);
   1575 			n=u+2;
   1576 			}
   1577 		else
   1578 #endif
   1579 #ifndef OPENSSL_NO_DSA
   1580 			if (pkey->type == EVP_PKEY_DSA)
   1581 			{
   1582 			if (!DSA_sign(pkey->save_type,
   1583 				&(data[MD5_DIGEST_LENGTH]),
   1584 				SHA_DIGEST_LENGTH,&(p[2]),
   1585 				(unsigned int *)&j,pkey->pkey.dsa))
   1586 				{
   1587 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
   1588 				goto err;
   1589 				}
   1590 			s2n(j,p);
   1591 			n=j+2;
   1592 			}
   1593 		else
   1594 #endif
   1595 #ifndef OPENSSL_NO_ECDSA
   1596 			if (pkey->type == EVP_PKEY_EC)
   1597 			{
   1598 			if (!ECDSA_sign(pkey->save_type,
   1599 				&(data[MD5_DIGEST_LENGTH]),
   1600 				SHA_DIGEST_LENGTH,&(p[2]),
   1601 				(unsigned int *)&j,pkey->pkey.ec))
   1602 				{
   1603 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,
   1604 				    ERR_R_ECDSA_LIB);
   1605 				goto err;
   1606 				}
   1607 			s2n(j,p);
   1608 			n=j+2;
   1609 			}
   1610 		else
   1611 #endif
   1612 			{
   1613 			SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR);
   1614 			goto err;
   1615 			}
   1616 
   1617 		d = dtls1_set_message_header(s, d,
   1618 			SSL3_MT_CERTIFICATE_VERIFY, n, 0, n) ;
   1619 
   1620 		s->init_num=(int)n+DTLS1_HM_HEADER_LENGTH;
   1621 		s->init_off=0;
   1622 
   1623 		/* buffer the message to handle re-xmits */
   1624 		dtls1_buffer_message(s, 0);
   1625 
   1626 		s->state = SSL3_ST_CW_CERT_VRFY_B;
   1627 		}
   1628 
   1629 	/* s->state = SSL3_ST_CW_CERT_VRFY_B */
   1630 	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
   1631 err:
   1632 	return(-1);
   1633 	}
   1634 
   1635 int dtls1_send_client_certificate(SSL *s)
   1636 	{
   1637 	X509 *x509=NULL;
   1638 	EVP_PKEY *pkey=NULL;
   1639 	int i;
   1640 	unsigned long l;
   1641 
   1642 	if (s->state ==	SSL3_ST_CW_CERT_A)
   1643 		{
   1644 		if ((s->cert == NULL) ||
   1645 			(s->cert->key->x509 == NULL) ||
   1646 			(s->cert->key->privatekey == NULL))
   1647 			s->state=SSL3_ST_CW_CERT_B;
   1648 		else
   1649 			s->state=SSL3_ST_CW_CERT_C;
   1650 		}
   1651 
   1652 	/* We need to get a client cert */
   1653 	if (s->state == SSL3_ST_CW_CERT_B)
   1654 		{
   1655 		/* If we get an error, we need to
   1656 		 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
   1657 		 * We then get retied later */
   1658 		i=0;
   1659 		i = ssl_do_client_cert_cb(s, &x509, &pkey);
   1660 		if (i < 0)
   1661 			{
   1662 			s->rwstate=SSL_X509_LOOKUP;
   1663 			return(-1);
   1664 			}
   1665 		s->rwstate=SSL_NOTHING;
   1666 		if ((i == 1) && (pkey != NULL) && (x509 != NULL))
   1667 			{
   1668 			s->state=SSL3_ST_CW_CERT_B;
   1669 			if (	!SSL_use_certificate(s,x509) ||
   1670 				!SSL_use_PrivateKey(s,pkey))
   1671 				i=0;
   1672 			}
   1673 		else if (i == 1)
   1674 			{
   1675 			i=0;
   1676 			SSLerr(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
   1677 			}
   1678 
   1679 		if (x509 != NULL) X509_free(x509);
   1680 		if (pkey != NULL) EVP_PKEY_free(pkey);
   1681 		if (i == 0)
   1682 			{
   1683 			if (s->version == SSL3_VERSION)
   1684 				{
   1685 				s->s3->tmp.cert_req=0;
   1686 				ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
   1687 				return(1);
   1688 				}
   1689 			else
   1690 				{
   1691 				s->s3->tmp.cert_req=2;
   1692 				}
   1693 			}
   1694 
   1695 		/* Ok, we have a cert */
   1696 		s->state=SSL3_ST_CW_CERT_C;
   1697 		}
   1698 
   1699 	if (s->state == SSL3_ST_CW_CERT_C)
   1700 		{
   1701 		s->state=SSL3_ST_CW_CERT_D;
   1702 		l=dtls1_output_cert_chain(s,
   1703 			(s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
   1704 		s->init_num=(int)l;
   1705 		s->init_off=0;
   1706 
   1707 		/* set header called by dtls1_output_cert_chain() */
   1708 
   1709 		/* buffer the message to handle re-xmits */
   1710 		dtls1_buffer_message(s, 0);
   1711 		}
   1712 	/* SSL3_ST_CW_CERT_D */
   1713 	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
   1714 	}
   1715 
   1716 
   1717