Home | History | Annotate | Download | only in ssl
      1 /* ssl/d1_srvr.c */
      2 /*
      3  * DTLS implementation written by Nagendra Modadugu
      4  * (nagendra (at) cs.stanford.edu) for the OpenSSL project 2005.
      5  */
      6 /* ====================================================================
      7  * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
      8  *
      9  * Redistribution and use in source and binary forms, with or without
     10  * modification, are permitted provided that the following conditions
     11  * are met:
     12  *
     13  * 1. Redistributions of source code must retain the above copyright
     14  *    notice, this list of conditions and the following disclaimer.
     15  *
     16  * 2. Redistributions in binary form must reproduce the above copyright
     17  *    notice, this list of conditions and the following disclaimer in
     18  *    the documentation and/or other materials provided with the
     19  *    distribution.
     20  *
     21  * 3. All advertising materials mentioning features or use of this
     22  *    software must display the following acknowledgment:
     23  *    "This product includes software developed by the OpenSSL Project
     24  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
     25  *
     26  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
     27  *    endorse or promote products derived from this software without
     28  *    prior written permission. For written permission, please contact
     29  *    openssl-core (at) OpenSSL.org.
     30  *
     31  * 5. Products derived from this software may not be called "OpenSSL"
     32  *    nor may "OpenSSL" appear in their names without prior written
     33  *    permission of the OpenSSL Project.
     34  *
     35  * 6. Redistributions of any form whatsoever must retain the following
     36  *    acknowledgment:
     37  *    "This product includes software developed by the OpenSSL Project
     38  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
     39  *
     40  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
     41  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     43  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
     44  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
     45  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     46  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
     47  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
     49  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
     50  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
     51  * OF THE POSSIBILITY OF SUCH DAMAGE.
     52  * ====================================================================
     53  *
     54  * This product includes cryptographic software written by Eric Young
     55  * (eay (at) cryptsoft.com).  This product includes software written by Tim
     56  * Hudson (tjh (at) cryptsoft.com).
     57  *
     58  */
     59 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com)
     60  * All rights reserved.
     61  *
     62  * This package is an SSL implementation written
     63  * by Eric Young (eay (at) cryptsoft.com).
     64  * The implementation was written so as to conform with Netscapes SSL.
     65  *
     66  * This library is free for commercial and non-commercial use as long as
     67  * the following conditions are aheared to.  The following conditions
     68  * apply to all code found in this distribution, be it the RC4, RSA,
     69  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
     70  * included with this distribution is covered by the same copyright terms
     71  * except that the holder is Tim Hudson (tjh (at) cryptsoft.com).
     72  *
     73  * Copyright remains Eric Young's, and as such any Copyright notices in
     74  * the code are not to be removed.
     75  * If this package is used in a product, Eric Young should be given attribution
     76  * as the author of the parts of the library used.
     77  * This can be in the form of a textual message at program startup or
     78  * in documentation (online or textual) provided with the package.
     79  *
     80  * Redistribution and use in source and binary forms, with or without
     81  * modification, are permitted provided that the following conditions
     82  * are met:
     83  * 1. Redistributions of source code must retain the copyright
     84  *    notice, this list of conditions and the following disclaimer.
     85  * 2. Redistributions in binary form must reproduce the above copyright
     86  *    notice, this list of conditions and the following disclaimer in the
     87  *    documentation and/or other materials provided with the distribution.
     88  * 3. All advertising materials mentioning features or use of this software
     89  *    must display the following acknowledgement:
     90  *    "This product includes cryptographic software written by
     91  *     Eric Young (eay (at) cryptsoft.com)"
     92  *    The word 'cryptographic' can be left out if the rouines from the library
     93  *    being used are not cryptographic related :-).
     94  * 4. If you include any Windows specific code (or a derivative thereof) from
     95  *    the apps directory (application code) you must include an acknowledgement:
     96  *    "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)"
     97  *
     98  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
     99  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    100  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
    101  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
    102  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
    103  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
    104  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    105  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
    106  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
    107  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
    108  * SUCH DAMAGE.
    109  *
    110  * The licence and distribution terms for any publically available version or
    111  * derivative of this code cannot be changed.  i.e. this code cannot simply be
    112  * copied and put under another distribution licence
    113  * [including the GNU Public Licence.]
    114  */
    115 
    116 #include <stdio.h>
    117 #include "ssl_locl.h"
    118 #include <openssl/buffer.h>
    119 #include <openssl/rand.h>
    120 #include <openssl/objects.h>
    121 #include <openssl/evp.h>
    122 #include <openssl/x509.h>
    123 #include <openssl/md5.h>
    124 #include <openssl/bn.h>
    125 #ifndef OPENSSL_NO_DH
    126 #include <openssl/dh.h>
    127 #endif
    128 
    129 static const SSL_METHOD *dtls1_get_server_method(int ver);
    130 static int dtls1_send_hello_verify_request(SSL *s);
    131 
    132 static const SSL_METHOD *dtls1_get_server_method(int ver)
    133 	{
    134 	if (ver == DTLS1_VERSION)
    135 		return(DTLSv1_server_method());
    136 	else
    137 		return(NULL);
    138 	}
    139 
    140 IMPLEMENT_dtls1_meth_func(DTLSv1_server_method,
    141 			dtls1_accept,
    142 			ssl_undefined_function,
    143 			dtls1_get_server_method)
    144 
    145 int dtls1_accept(SSL *s)
    146 	{
    147 	BUF_MEM *buf;
    148 	unsigned long Time=(unsigned long)time(NULL);
    149 	void (*cb)(const SSL *ssl,int type,int val)=NULL;
    150 	unsigned long alg_k;
    151 	int ret= -1;
    152 	int new_state,state,skip=0;
    153 	int listen;
    154 #ifndef OPENSSL_NO_SCTP
    155 	unsigned char sctpauthkey[64];
    156 	char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
    157 #endif
    158 
    159 	RAND_add(&Time,sizeof(Time),0);
    160 	ERR_clear_error();
    161 	clear_sys_error();
    162 
    163 	if (s->info_callback != NULL)
    164 		cb=s->info_callback;
    165 	else if (s->ctx->info_callback != NULL)
    166 		cb=s->ctx->info_callback;
    167 
    168 	listen = s->d1->listen;
    169 
    170 	/* init things to blank */
    171 	s->in_handshake++;
    172 	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
    173 
    174 	s->d1->listen = listen;
    175 #ifndef OPENSSL_NO_SCTP
    176 	/* Notify SCTP BIO socket to enter handshake
    177 	 * mode and prevent stream identifier other
    178 	 * than 0. Will be ignored if no SCTP is used.
    179 	 */
    180 	BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, s->in_handshake, NULL);
    181 #endif
    182 
    183 	if (s->cert == NULL)
    184 		{
    185 		SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
    186 		return(-1);
    187 		}
    188 
    189 #ifndef OPENSSL_NO_HEARTBEATS
    190 	/* If we're awaiting a HeartbeatResponse, pretend we
    191 	 * already got and don't await it anymore, because
    192 	 * Heartbeats don't make sense during handshakes anyway.
    193 	 */
    194 	if (s->tlsext_hb_pending)
    195 		{
    196 		dtls1_stop_timer(s);
    197 		s->tlsext_hb_pending = 0;
    198 		s->tlsext_hb_seq++;
    199 		}
    200 #endif
    201 
    202 	for (;;)
    203 		{
    204 		state=s->state;
    205 
    206 		switch (s->state)
    207 			{
    208 		case SSL_ST_RENEGOTIATE:
    209 			s->renegotiate=1;
    210 			/* s->state=SSL_ST_ACCEPT; */
    211 
    212 		case SSL_ST_BEFORE:
    213 		case SSL_ST_ACCEPT:
    214 		case SSL_ST_BEFORE|SSL_ST_ACCEPT:
    215 		case SSL_ST_OK|SSL_ST_ACCEPT:
    216 
    217 			s->server=1;
    218 			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
    219 
    220 			if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00))
    221 				{
    222 				SSLerr(SSL_F_DTLS1_ACCEPT, ERR_R_INTERNAL_ERROR);
    223 				return -1;
    224 				}
    225 			s->type=SSL_ST_ACCEPT;
    226 
    227 			if (s->init_buf == NULL)
    228 				{
    229 				if ((buf=BUF_MEM_new()) == NULL)
    230 					{
    231 					ret= -1;
    232 					goto end;
    233 					}
    234 				if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
    235 					{
    236 					ret= -1;
    237 					goto end;
    238 					}
    239 				s->init_buf=buf;
    240 				}
    241 
    242 			if (!ssl3_setup_buffers(s))
    243 				{
    244 				ret= -1;
    245 				goto end;
    246 				}
    247 
    248 			s->init_num=0;
    249 
    250 			if (s->state != SSL_ST_RENEGOTIATE)
    251 				{
    252 				/* Ok, we now need to push on a buffering BIO so that
    253 				 * the output is sent in a way that TCP likes :-)
    254 				 * ...but not with SCTP :-)
    255 				 */
    256 #ifndef OPENSSL_NO_SCTP
    257 				if (!BIO_dgram_is_sctp(SSL_get_wbio(s)))
    258 #endif
    259 					if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
    260 
    261 				ssl3_init_finished_mac(s);
    262 				s->state=SSL3_ST_SR_CLNT_HELLO_A;
    263 				s->ctx->stats.sess_accept++;
    264 				}
    265 			else
    266 				{
    267 				/* s->state == SSL_ST_RENEGOTIATE,
    268 				 * we will just send a HelloRequest */
    269 				s->ctx->stats.sess_accept_renegotiate++;
    270 				s->state=SSL3_ST_SW_HELLO_REQ_A;
    271 				}
    272 
    273 			break;
    274 
    275 		case SSL3_ST_SW_HELLO_REQ_A:
    276 		case SSL3_ST_SW_HELLO_REQ_B:
    277 
    278 			s->shutdown=0;
    279 			dtls1_start_timer(s);
    280 			ret=dtls1_send_hello_request(s);
    281 			if (ret <= 0) goto end;
    282 			s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
    283 			s->state=SSL3_ST_SW_FLUSH;
    284 			s->init_num=0;
    285 
    286 			ssl3_init_finished_mac(s);
    287 			break;
    288 
    289 		case SSL3_ST_SW_HELLO_REQ_C:
    290 			s->state=SSL_ST_OK;
    291 			break;
    292 
    293 		case SSL3_ST_SR_CLNT_HELLO_A:
    294 		case SSL3_ST_SR_CLNT_HELLO_B:
    295 		case SSL3_ST_SR_CLNT_HELLO_C:
    296 
    297 			s->shutdown=0;
    298 			ret=ssl3_get_client_hello(s);
    299 			if (ret <= 0) goto end;
    300 			dtls1_stop_timer(s);
    301 
    302 			if (ret == 1 && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
    303 				s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
    304 			else
    305 				s->state = SSL3_ST_SW_SRVR_HELLO_A;
    306 
    307 			s->init_num=0;
    308 
    309 			/* Reflect ClientHello sequence to remain stateless while listening */
    310 			if (listen)
    311 				{
    312 				memcpy(s->s3->write_sequence, s->s3->read_sequence, sizeof(s->s3->write_sequence));
    313 				}
    314 
    315 			/* If we're just listening, stop here */
    316 			if (listen && s->state == SSL3_ST_SW_SRVR_HELLO_A)
    317 				{
    318 				ret = 2;
    319 				s->d1->listen = 0;
    320 				/* Set expected sequence numbers
    321 				 * to continue the handshake.
    322 				 */
    323 				s->d1->handshake_read_seq = 2;
    324 				s->d1->handshake_write_seq = 1;
    325 				s->d1->next_handshake_write_seq = 1;
    326 				goto end;
    327 				}
    328 
    329 			break;
    330 
    331 		case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
    332 		case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
    333 
    334 			ret = dtls1_send_hello_verify_request(s);
    335 			if ( ret <= 0) goto end;
    336 			s->state=SSL3_ST_SW_FLUSH;
    337 			s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A;
    338 
    339 			/* HelloVerifyRequest resets Finished MAC */
    340 			if (s->version != DTLS1_BAD_VER)
    341 				ssl3_init_finished_mac(s);
    342 			break;
    343 
    344 #ifndef OPENSSL_NO_SCTP
    345 		case DTLS1_SCTP_ST_SR_READ_SOCK:
    346 
    347 			if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s)))
    348 				{
    349 				s->s3->in_read_app_data=2;
    350 				s->rwstate=SSL_READING;
    351 				BIO_clear_retry_flags(SSL_get_rbio(s));
    352 				BIO_set_retry_read(SSL_get_rbio(s));
    353 				ret = -1;
    354 				goto end;
    355 				}
    356 
    357 			s->state=SSL3_ST_SR_FINISHED_A;
    358 			break;
    359 
    360 		case DTLS1_SCTP_ST_SW_WRITE_SOCK:
    361 			ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
    362 			if (ret < 0) goto end;
    363 
    364 			if (ret == 0)
    365 				{
    366 				if (s->d1->next_state != SSL_ST_OK)
    367 					{
    368 					s->s3->in_read_app_data=2;
    369 					s->rwstate=SSL_READING;
    370 					BIO_clear_retry_flags(SSL_get_rbio(s));
    371 					BIO_set_retry_read(SSL_get_rbio(s));
    372 					ret = -1;
    373 					goto end;
    374 					}
    375 				}
    376 
    377 			s->state=s->d1->next_state;
    378 			break;
    379 #endif
    380 
    381 		case SSL3_ST_SW_SRVR_HELLO_A:
    382 		case SSL3_ST_SW_SRVR_HELLO_B:
    383 			s->renegotiate = 2;
    384 			dtls1_start_timer(s);
    385 			ret=dtls1_send_server_hello(s);
    386 			if (ret <= 0) goto end;
    387 
    388 			if (s->hit)
    389 				{
    390 #ifndef OPENSSL_NO_SCTP
    391 				/* Add new shared key for SCTP-Auth,
    392 				 * will be ignored if no SCTP used.
    393 				 */
    394 				snprintf((char*) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
    395 				         DTLS1_SCTP_AUTH_LABEL);
    396 
    397 				SSL_export_keying_material(s, sctpauthkey,
    398 				                           sizeof(sctpauthkey), labelbuffer,
    399 				                           sizeof(labelbuffer), NULL, 0, 0);
    400 
    401 				BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
    402                          sizeof(sctpauthkey), sctpauthkey);
    403 #endif
    404 #ifndef OPENSSL_NO_TLSEXT
    405 				if (s->tlsext_ticket_expected)
    406 					s->state=SSL3_ST_SW_SESSION_TICKET_A;
    407 				else
    408 					s->state=SSL3_ST_SW_CHANGE_A;
    409 #else
    410 				s->state=SSL3_ST_SW_CHANGE_A;
    411 #endif
    412 				}
    413 			else
    414 				s->state=SSL3_ST_SW_CERT_A;
    415 			s->init_num=0;
    416 			break;
    417 
    418 		case SSL3_ST_SW_CERT_A:
    419 		case SSL3_ST_SW_CERT_B:
    420 			/* Check if it is anon DH or normal PSK */
    421 			if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
    422 				&& !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
    423 				{
    424 				dtls1_start_timer(s);
    425 				ret=dtls1_send_server_certificate(s);
    426 				if (ret <= 0) goto end;
    427 #ifndef OPENSSL_NO_TLSEXT
    428 				if (s->tlsext_status_expected)
    429 					s->state=SSL3_ST_SW_CERT_STATUS_A;
    430 				else
    431 					s->state=SSL3_ST_SW_KEY_EXCH_A;
    432 				}
    433 			else
    434 				{
    435 				skip = 1;
    436 				s->state=SSL3_ST_SW_KEY_EXCH_A;
    437 				}
    438 #else
    439 				}
    440 			else
    441 				skip=1;
    442 
    443 			s->state=SSL3_ST_SW_KEY_EXCH_A;
    444 #endif
    445 			s->init_num=0;
    446 			break;
    447 
    448 		case SSL3_ST_SW_KEY_EXCH_A:
    449 		case SSL3_ST_SW_KEY_EXCH_B:
    450 			alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
    451 
    452 			/* clear this, it may get reset by
    453 			 * send_server_key_exchange */
    454 			if ((s->options & SSL_OP_EPHEMERAL_RSA)
    455 #ifndef OPENSSL_NO_KRB5
    456 				&& !(alg_k & SSL_kKRB5)
    457 #endif /* OPENSSL_NO_KRB5 */
    458 				)
    459 				/* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
    460 				 * even when forbidden by protocol specs
    461 				 * (handshake may fail as clients are not required to
    462 				 * be able to handle this) */
    463 				s->s3->tmp.use_rsa_tmp=1;
    464 			else
    465 				s->s3->tmp.use_rsa_tmp=0;
    466 
    467 			/* only send if a DH key exchange or
    468 			 * RSA but we have a sign only certificate */
    469 			if (s->s3->tmp.use_rsa_tmp
    470 			/* PSK: send ServerKeyExchange if PSK identity
    471 			 * hint if provided */
    472 #ifndef OPENSSL_NO_PSK
    473 			    || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
    474 #endif
    475 			    || (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
    476 			    || (alg_k & SSL_kEECDH)
    477 			    || ((alg_k & SSL_kRSA)
    478 				&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
    479 				    || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
    480 					&& EVP_PKEY_size(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)
    481 					)
    482 				    )
    483 				)
    484 			    )
    485 				{
    486 				dtls1_start_timer(s);
    487 				ret=dtls1_send_server_key_exchange(s);
    488 				if (ret <= 0) goto end;
    489 				}
    490 			else
    491 				skip=1;
    492 
    493 			s->state=SSL3_ST_SW_CERT_REQ_A;
    494 			s->init_num=0;
    495 			break;
    496 
    497 		case SSL3_ST_SW_CERT_REQ_A:
    498 		case SSL3_ST_SW_CERT_REQ_B:
    499 			if (/* don't request cert unless asked for it: */
    500 				!(s->verify_mode & SSL_VERIFY_PEER) ||
    501 				/* if SSL_VERIFY_CLIENT_ONCE is set,
    502 				 * don't request cert during re-negotiation: */
    503 				((s->session->peer != NULL) &&
    504 				 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
    505 				/* never request cert in anonymous ciphersuites
    506 				 * (see section "Certificate request" in SSL 3 drafts
    507 				 * and in RFC 2246): */
    508 				((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
    509 				 /* ... except when the application insists on verification
    510 				  * (against the specs, but s3_clnt.c accepts this for SSL 3) */
    511 				 !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
    512 				 /* never request cert in Kerberos ciphersuites */
    513 				(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
    514 				/* With normal PSK Certificates and
    515 				 * Certificate Requests are omitted */
    516 				|| (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
    517 				{
    518 				/* no cert request */
    519 				skip=1;
    520 				s->s3->tmp.cert_request=0;
    521 				s->state=SSL3_ST_SW_SRVR_DONE_A;
    522 #ifndef OPENSSL_NO_SCTP
    523 				if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
    524 					{
    525 					s->d1->next_state = SSL3_ST_SW_SRVR_DONE_A;
    526 					s->state = DTLS1_SCTP_ST_SW_WRITE_SOCK;
    527 					}
    528 #endif
    529 				}
    530 			else
    531 				{
    532 				s->s3->tmp.cert_request=1;
    533 				dtls1_start_timer(s);
    534 				ret=dtls1_send_certificate_request(s);
    535 				if (ret <= 0) goto end;
    536 #ifndef NETSCAPE_HANG_BUG
    537 				s->state=SSL3_ST_SW_SRVR_DONE_A;
    538 #ifndef OPENSSL_NO_SCTP
    539 				if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
    540 					{
    541 					s->d1->next_state = SSL3_ST_SW_SRVR_DONE_A;
    542 					s->state = DTLS1_SCTP_ST_SW_WRITE_SOCK;
    543 					}
    544 #endif
    545 #else
    546 				s->state=SSL3_ST_SW_FLUSH;
    547 				s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
    548 #ifndef OPENSSL_NO_SCTP
    549 				if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
    550 					{
    551 					s->d1->next_state = s->s3->tmp.next_state;
    552 					s->s3->tmp.next_state=DTLS1_SCTP_ST_SW_WRITE_SOCK;
    553 					}
    554 #endif
    555 #endif
    556 				s->init_num=0;
    557 				}
    558 			break;
    559 
    560 		case SSL3_ST_SW_SRVR_DONE_A:
    561 		case SSL3_ST_SW_SRVR_DONE_B:
    562 			dtls1_start_timer(s);
    563 			ret=dtls1_send_server_done(s);
    564 			if (ret <= 0) goto end;
    565 			s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
    566 			s->state=SSL3_ST_SW_FLUSH;
    567 			s->init_num=0;
    568 			break;
    569 
    570 		case SSL3_ST_SW_FLUSH:
    571 			s->rwstate=SSL_WRITING;
    572 			if (BIO_flush(s->wbio) <= 0)
    573 				{
    574 				/* If the write error was fatal, stop trying */
    575 				if (!BIO_should_retry(s->wbio))
    576 					{
    577 					s->rwstate=SSL_NOTHING;
    578 					s->state=s->s3->tmp.next_state;
    579 					}
    580 
    581 				ret= -1;
    582 				goto end;
    583 				}
    584 			s->rwstate=SSL_NOTHING;
    585 			s->state=s->s3->tmp.next_state;
    586 			break;
    587 
    588 		case SSL3_ST_SR_CERT_A:
    589 		case SSL3_ST_SR_CERT_B:
    590 			/* Check for second client hello (MS SGC) */
    591 			ret = ssl3_check_client_hello(s);
    592 			if (ret <= 0)
    593 				goto end;
    594 			if (ret == 2)
    595 				{
    596 				dtls1_stop_timer(s);
    597 				s->state = SSL3_ST_SR_CLNT_HELLO_C;
    598 				}
    599 			else {
    600 				/* could be sent for a DH cert, even if we
    601 				 * have not asked for it :-) */
    602 				ret=ssl3_get_client_certificate(s);
    603 				if (ret <= 0) goto end;
    604 				s->init_num=0;
    605 				s->state=SSL3_ST_SR_KEY_EXCH_A;
    606 			}
    607 			break;
    608 
    609 		case SSL3_ST_SR_KEY_EXCH_A:
    610 		case SSL3_ST_SR_KEY_EXCH_B:
    611 			ret=ssl3_get_client_key_exchange(s);
    612 			if (ret <= 0) goto end;
    613 #ifndef OPENSSL_NO_SCTP
    614 			/* Add new shared key for SCTP-Auth,
    615 			 * will be ignored if no SCTP used.
    616 			 */
    617 			snprintf((char *) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
    618 			         DTLS1_SCTP_AUTH_LABEL);
    619 
    620 			SSL_export_keying_material(s, sctpauthkey,
    621 			                           sizeof(sctpauthkey), labelbuffer,
    622 			                           sizeof(labelbuffer), NULL, 0, 0);
    623 
    624 			BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
    625 			         sizeof(sctpauthkey), sctpauthkey);
    626 #endif
    627 
    628 			s->state=SSL3_ST_SR_CERT_VRFY_A;
    629 			s->init_num=0;
    630 
    631 			if (ret == 2)
    632 				{
    633 				/* For the ECDH ciphersuites when
    634 				 * the client sends its ECDH pub key in
    635 				 * a certificate, the CertificateVerify
    636 				 * message is not sent.
    637 				 */
    638 				s->state=SSL3_ST_SR_FINISHED_A;
    639 				s->init_num = 0;
    640 				}
    641 			else
    642 				{
    643 				s->state=SSL3_ST_SR_CERT_VRFY_A;
    644 				s->init_num=0;
    645 
    646 				/* We need to get hashes here so if there is
    647 				 * a client cert, it can be verified */
    648 				s->method->ssl3_enc->cert_verify_mac(s,
    649 					NID_md5,
    650 					&(s->s3->tmp.cert_verify_md[0]));
    651 				s->method->ssl3_enc->cert_verify_mac(s,
    652 					NID_sha1,
    653 					&(s->s3->tmp.cert_verify_md[MD5_DIGEST_LENGTH]));
    654 				}
    655 			break;
    656 
    657 		case SSL3_ST_SR_CERT_VRFY_A:
    658 		case SSL3_ST_SR_CERT_VRFY_B:
    659 
    660 			s->d1->change_cipher_spec_ok = 1;
    661 			/* we should decide if we expected this one */
    662 			ret=ssl3_get_cert_verify(s);
    663 			if (ret <= 0) goto end;
    664 #ifndef OPENSSL_NO_SCTP
    665 			if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
    666 			    state == SSL_ST_RENEGOTIATE)
    667 				s->state=DTLS1_SCTP_ST_SR_READ_SOCK;
    668 			else
    669 #endif
    670 				s->state=SSL3_ST_SR_FINISHED_A;
    671 			s->init_num=0;
    672 			break;
    673 
    674 		case SSL3_ST_SR_FINISHED_A:
    675 		case SSL3_ST_SR_FINISHED_B:
    676 			s->d1->change_cipher_spec_ok = 1;
    677 			ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
    678 				SSL3_ST_SR_FINISHED_B);
    679 			if (ret <= 0) goto end;
    680 			dtls1_stop_timer(s);
    681 			if (s->hit)
    682 				s->state=SSL_ST_OK;
    683 #ifndef OPENSSL_NO_TLSEXT
    684 			else if (s->tlsext_ticket_expected)
    685 				s->state=SSL3_ST_SW_SESSION_TICKET_A;
    686 #endif
    687 			else
    688 				s->state=SSL3_ST_SW_CHANGE_A;
    689 			s->init_num=0;
    690 			break;
    691 
    692 #ifndef OPENSSL_NO_TLSEXT
    693 		case SSL3_ST_SW_SESSION_TICKET_A:
    694 		case SSL3_ST_SW_SESSION_TICKET_B:
    695 			ret=dtls1_send_newsession_ticket(s);
    696 			if (ret <= 0) goto end;
    697 			s->state=SSL3_ST_SW_CHANGE_A;
    698 			s->init_num=0;
    699 			break;
    700 
    701 		case SSL3_ST_SW_CERT_STATUS_A:
    702 		case SSL3_ST_SW_CERT_STATUS_B:
    703 			ret=ssl3_send_cert_status(s);
    704 			if (ret <= 0) goto end;
    705 			s->state=SSL3_ST_SW_KEY_EXCH_A;
    706 			s->init_num=0;
    707 			break;
    708 
    709 #endif
    710 
    711 		case SSL3_ST_SW_CHANGE_A:
    712 		case SSL3_ST_SW_CHANGE_B:
    713 
    714 			s->session->cipher=s->s3->tmp.new_cipher;
    715 			if (!s->method->ssl3_enc->setup_key_block(s))
    716 				{ ret= -1; goto end; }
    717 
    718 			ret=dtls1_send_change_cipher_spec(s,
    719 				SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B);
    720 
    721 			if (ret <= 0) goto end;
    722 
    723 #ifndef OPENSSL_NO_SCTP
    724 			/* Change to new shared key of SCTP-Auth,
    725 			 * will be ignored if no SCTP used.
    726 			 */
    727 			BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
    728 #endif
    729 
    730 			s->state=SSL3_ST_SW_FINISHED_A;
    731 			s->init_num=0;
    732 
    733 			if (!s->method->ssl3_enc->change_cipher_state(s,
    734 				SSL3_CHANGE_CIPHER_SERVER_WRITE))
    735 				{
    736 				ret= -1;
    737 				goto end;
    738 				}
    739 
    740 			dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
    741 			break;
    742 
    743 		case SSL3_ST_SW_FINISHED_A:
    744 		case SSL3_ST_SW_FINISHED_B:
    745 			ret=dtls1_send_finished(s,
    746 				SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
    747 				s->method->ssl3_enc->server_finished_label,
    748 				s->method->ssl3_enc->server_finished_label_len);
    749 			if (ret <= 0) goto end;
    750 			s->state=SSL3_ST_SW_FLUSH;
    751 			if (s->hit)
    752 				s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
    753 			else
    754 				{
    755 				s->s3->tmp.next_state=SSL_ST_OK;
    756 #ifndef OPENSSL_NO_SCTP
    757 				if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
    758 					{
    759 					s->d1->next_state = s->s3->tmp.next_state;
    760 					s->s3->tmp.next_state=DTLS1_SCTP_ST_SW_WRITE_SOCK;
    761 					}
    762 #endif
    763 				}
    764 			s->init_num=0;
    765 			break;
    766 
    767 		case SSL_ST_OK:
    768 			/* clean a few things up */
    769 			ssl3_cleanup_key_block(s);
    770 
    771 #if 0
    772 			BUF_MEM_free(s->init_buf);
    773 			s->init_buf=NULL;
    774 #endif
    775 
    776 			/* remove buffering on output */
    777 			ssl_free_wbio_buffer(s);
    778 
    779 			s->init_num=0;
    780 
    781 			if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */
    782 				{
    783 				s->renegotiate=0;
    784 				s->new_session=0;
    785 
    786 				ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
    787 
    788 				s->ctx->stats.sess_accept_good++;
    789 				/* s->server=1; */
    790 				s->handshake_func=dtls1_accept;
    791 
    792 				if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
    793 				}
    794 
    795 			ret = 1;
    796 
    797 			/* done handshaking, next message is client hello */
    798 			s->d1->handshake_read_seq = 0;
    799 			/* next message is server hello */
    800 			s->d1->handshake_write_seq = 0;
    801 			s->d1->next_handshake_write_seq = 0;
    802 			goto end;
    803 			/* break; */
    804 
    805 		default:
    806 			SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_UNKNOWN_STATE);
    807 			ret= -1;
    808 			goto end;
    809 			/* break; */
    810 			}
    811 
    812 		if (!s->s3->tmp.reuse_message && !skip)
    813 			{
    814 			if (s->debug)
    815 				{
    816 				if ((ret=BIO_flush(s->wbio)) <= 0)
    817 					goto end;
    818 				}
    819 
    820 
    821 			if ((cb != NULL) && (s->state != state))
    822 				{
    823 				new_state=s->state;
    824 				s->state=state;
    825 				cb(s,SSL_CB_ACCEPT_LOOP,1);
    826 				s->state=new_state;
    827 				}
    828 			}
    829 		skip=0;
    830 		}
    831 end:
    832 	/* BIO_flush(s->wbio); */
    833 
    834 	s->in_handshake--;
    835 #ifndef OPENSSL_NO_SCTP
    836 		/* Notify SCTP BIO socket to leave handshake
    837 		 * mode and prevent stream identifier other
    838 		 * than 0. Will be ignored if no SCTP is used.
    839 		 */
    840 		BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, s->in_handshake, NULL);
    841 #endif
    842 
    843 	if (cb != NULL)
    844 		cb(s,SSL_CB_ACCEPT_EXIT,ret);
    845 	return(ret);
    846 	}
    847 
    848 int dtls1_send_hello_request(SSL *s)
    849 	{
    850 	unsigned char *p;
    851 
    852 	if (s->state == SSL3_ST_SW_HELLO_REQ_A)
    853 		{
    854 		p=(unsigned char *)s->init_buf->data;
    855 		p = dtls1_set_message_header(s, p, SSL3_MT_HELLO_REQUEST, 0, 0, 0);
    856 
    857 		s->state=SSL3_ST_SW_HELLO_REQ_B;
    858 		/* number of bytes to write */
    859 		s->init_num=DTLS1_HM_HEADER_LENGTH;
    860 		s->init_off=0;
    861 
    862 		/* no need to buffer this message, since there are no retransmit
    863 		 * requests for it */
    864 		}
    865 
    866 	/* SSL3_ST_SW_HELLO_REQ_B */
    867 	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
    868 	}
    869 
    870 int dtls1_send_hello_verify_request(SSL *s)
    871 	{
    872 	unsigned int msg_len;
    873 	unsigned char *msg, *buf, *p;
    874 
    875 	if (s->state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A)
    876 		{
    877 		buf = (unsigned char *)s->init_buf->data;
    878 
    879 		msg = p = &(buf[DTLS1_HM_HEADER_LENGTH]);
    880 		*(p++) = s->version >> 8;
    881 		*(p++) = s->version & 0xFF;
    882 
    883 		if (s->ctx->app_gen_cookie_cb == NULL ||
    884 		     s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
    885 			 &(s->d1->cookie_len)) == 0)
    886 			{
    887 			SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST,ERR_R_INTERNAL_ERROR);
    888 			return 0;
    889 			}
    890 
    891 		*(p++) = (unsigned char) s->d1->cookie_len;
    892 		memcpy(p, s->d1->cookie, s->d1->cookie_len);
    893 		p += s->d1->cookie_len;
    894 		msg_len = p - msg;
    895 
    896 		dtls1_set_message_header(s, buf,
    897 			DTLS1_MT_HELLO_VERIFY_REQUEST, msg_len, 0, msg_len);
    898 
    899 		s->state=DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B;
    900 		/* number of bytes to write */
    901 		s->init_num=p-buf;
    902 		s->init_off=0;
    903 		}
    904 
    905 	/* s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */
    906 	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
    907 	}
    908 
    909 int dtls1_send_server_hello(SSL *s)
    910 	{
    911 	unsigned char *buf;
    912 	unsigned char *p,*d;
    913 	int i;
    914 	unsigned int sl;
    915 	unsigned long l,Time;
    916 
    917 	if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
    918 		{
    919 		buf=(unsigned char *)s->init_buf->data;
    920 		p=s->s3->server_random;
    921 		Time=(unsigned long)time(NULL);			/* Time */
    922 		l2n(Time,p);
    923 		RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4);
    924 		/* Do the message type and length last */
    925 		d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
    926 
    927 		*(p++)=s->version>>8;
    928 		*(p++)=s->version&0xff;
    929 
    930 		/* Random stuff */
    931 		memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
    932 		p+=SSL3_RANDOM_SIZE;
    933 
    934 		/* now in theory we have 3 options to sending back the
    935 		 * session id.  If it is a re-use, we send back the
    936 		 * old session-id, if it is a new session, we send
    937 		 * back the new session-id or we send back a 0 length
    938 		 * session-id if we want it to be single use.
    939 		 * Currently I will not implement the '0' length session-id
    940 		 * 12-Jan-98 - I'll now support the '0' length stuff.
    941 		 */
    942 		if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER))
    943 			s->session->session_id_length=0;
    944 
    945 		sl=s->session->session_id_length;
    946 		if (sl > sizeof s->session->session_id)
    947 			{
    948 			SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
    949 			return -1;
    950 			}
    951 		*(p++)=sl;
    952 		memcpy(p,s->session->session_id,sl);
    953 		p+=sl;
    954 
    955 		/* put the cipher */
    956 		if (s->s3->tmp.new_cipher == NULL)
    957 			return -1;
    958 		i=ssl3_put_cipher_by_char(s->s3->tmp.new_cipher,p);
    959 		p+=i;
    960 
    961 		/* put the compression method */
    962 #ifdef OPENSSL_NO_COMP
    963 		*(p++)=0;
    964 #else
    965 		if (s->s3->tmp.new_compression == NULL)
    966 			*(p++)=0;
    967 		else
    968 			*(p++)=s->s3->tmp.new_compression->id;
    969 #endif
    970 
    971 #ifndef OPENSSL_NO_TLSEXT
    972 		if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
    973 			{
    974 			SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
    975 			return -1;
    976 			}
    977 #endif
    978 
    979 		/* do the header */
    980 		l=(p-d);
    981 		d=buf;
    982 
    983 		d = dtls1_set_message_header(s, d, SSL3_MT_SERVER_HELLO, l, 0, l);
    984 
    985 		s->state=SSL3_ST_SW_SRVR_HELLO_B;
    986 		/* number of bytes to write */
    987 		s->init_num=p-buf;
    988 		s->init_off=0;
    989 
    990 		/* buffer the message to handle re-xmits */
    991 		dtls1_buffer_message(s, 0);
    992 		}
    993 
    994 	/* SSL3_ST_SW_SRVR_HELLO_B */
    995 	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
    996 	}
    997 
    998 int dtls1_send_server_done(SSL *s)
    999 	{
   1000 	unsigned char *p;
   1001 
   1002 	if (s->state == SSL3_ST_SW_SRVR_DONE_A)
   1003 		{
   1004 		p=(unsigned char *)s->init_buf->data;
   1005 
   1006 		/* do the header */
   1007 		p = dtls1_set_message_header(s, p, SSL3_MT_SERVER_DONE, 0, 0, 0);
   1008 
   1009 		s->state=SSL3_ST_SW_SRVR_DONE_B;
   1010 		/* number of bytes to write */
   1011 		s->init_num=DTLS1_HM_HEADER_LENGTH;
   1012 		s->init_off=0;
   1013 
   1014 		/* buffer the message to handle re-xmits */
   1015 		dtls1_buffer_message(s, 0);
   1016 		}
   1017 
   1018 	/* SSL3_ST_SW_SRVR_DONE_B */
   1019 	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
   1020 	}
   1021 
   1022 int dtls1_send_server_key_exchange(SSL *s)
   1023 	{
   1024 #ifndef OPENSSL_NO_RSA
   1025 	unsigned char *q;
   1026 	int j,num;
   1027 	RSA *rsa;
   1028 	unsigned char md_buf[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
   1029 	unsigned int u;
   1030 #endif
   1031 #ifndef OPENSSL_NO_DH
   1032 	DH *dh=NULL,*dhp;
   1033 #endif
   1034 #ifndef OPENSSL_NO_ECDH
   1035 	EC_KEY *ecdh=NULL, *ecdhp;
   1036 	unsigned char *encodedPoint = NULL;
   1037 	int encodedlen = 0;
   1038 	int curve_id = 0;
   1039 	BN_CTX *bn_ctx = NULL;
   1040 #endif
   1041 	EVP_PKEY *pkey;
   1042 	unsigned char *p,*d;
   1043 	int al,i;
   1044 	unsigned long type;
   1045 	int n;
   1046 	CERT *cert;
   1047 	BIGNUM *r[4];
   1048 	int nr[4],kn;
   1049 	BUF_MEM *buf;
   1050 	EVP_MD_CTX md_ctx;
   1051 
   1052 	EVP_MD_CTX_init(&md_ctx);
   1053 	if (s->state == SSL3_ST_SW_KEY_EXCH_A)
   1054 		{
   1055 		type=s->s3->tmp.new_cipher->algorithm_mkey;
   1056 		cert=s->cert;
   1057 
   1058 		buf=s->init_buf;
   1059 
   1060 		r[0]=r[1]=r[2]=r[3]=NULL;
   1061 		n=0;
   1062 #ifndef OPENSSL_NO_RSA
   1063 		if (type & SSL_kRSA)
   1064 			{
   1065 			rsa=cert->rsa_tmp;
   1066 			if ((rsa == NULL) && (s->cert->rsa_tmp_cb != NULL))
   1067 				{
   1068 				rsa=s->cert->rsa_tmp_cb(s,
   1069 				      SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
   1070 				      SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
   1071 				if(rsa == NULL)
   1072 				{
   1073 					al=SSL_AD_HANDSHAKE_FAILURE;
   1074 					SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
   1075 					goto f_err;
   1076 				}
   1077 				RSA_up_ref(rsa);
   1078 				cert->rsa_tmp=rsa;
   1079 				}
   1080 			if (rsa == NULL)
   1081 				{
   1082 				al=SSL_AD_HANDSHAKE_FAILURE;
   1083 				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY);
   1084 				goto f_err;
   1085 				}
   1086 			r[0]=rsa->n;
   1087 			r[1]=rsa->e;
   1088 			s->s3->tmp.use_rsa_tmp=1;
   1089 			}
   1090 		else
   1091 #endif
   1092 #ifndef OPENSSL_NO_DH
   1093 			if (type & SSL_kEDH)
   1094 			{
   1095 			dhp=cert->dh_tmp;
   1096 			if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
   1097 				dhp=s->cert->dh_tmp_cb(s,
   1098 				      SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
   1099 				      SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
   1100 			if (dhp == NULL)
   1101 				{
   1102 				al=SSL_AD_HANDSHAKE_FAILURE;
   1103 				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
   1104 				goto f_err;
   1105 				}
   1106 
   1107 			if (s->s3->tmp.dh != NULL)
   1108 				{
   1109 				DH_free(dh);
   1110 				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
   1111 				goto err;
   1112 				}
   1113 
   1114 			if ((dh=DHparams_dup(dhp)) == NULL)
   1115 				{
   1116 				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
   1117 				goto err;
   1118 				}
   1119 
   1120 			s->s3->tmp.dh=dh;
   1121 			if ((dhp->pub_key == NULL ||
   1122 			     dhp->priv_key == NULL ||
   1123 			     (s->options & SSL_OP_SINGLE_DH_USE)))
   1124 				{
   1125 				if(!DH_generate_key(dh))
   1126 				    {
   1127 				    SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,
   1128 					   ERR_R_DH_LIB);
   1129 				    goto err;
   1130 				    }
   1131 				}
   1132 			else
   1133 				{
   1134 				dh->pub_key=BN_dup(dhp->pub_key);
   1135 				dh->priv_key=BN_dup(dhp->priv_key);
   1136 				if ((dh->pub_key == NULL) ||
   1137 					(dh->priv_key == NULL))
   1138 					{
   1139 					SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
   1140 					goto err;
   1141 					}
   1142 				}
   1143 			r[0]=dh->p;
   1144 			r[1]=dh->g;
   1145 			r[2]=dh->pub_key;
   1146 			}
   1147 		else
   1148 #endif
   1149 #ifndef OPENSSL_NO_ECDH
   1150 			if (type & SSL_kEECDH)
   1151 			{
   1152 			const EC_GROUP *group;
   1153 
   1154 			ecdhp=cert->ecdh_tmp;
   1155 			if ((ecdhp == NULL) && (s->cert->ecdh_tmp_cb != NULL))
   1156 				{
   1157 				ecdhp=s->cert->ecdh_tmp_cb(s,
   1158 				      SSL_C_IS_EXPORT(s->s3->tmp.new_cipher),
   1159 				      SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher));
   1160 				}
   1161 			if (ecdhp == NULL)
   1162 				{
   1163 				al=SSL_AD_HANDSHAKE_FAILURE;
   1164 				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_ECDH_KEY);
   1165 				goto f_err;
   1166 				}
   1167 
   1168 			if (s->s3->tmp.ecdh != NULL)
   1169 				{
   1170 				EC_KEY_free(s->s3->tmp.ecdh);
   1171 				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
   1172 				goto err;
   1173 				}
   1174 
   1175 			/* Duplicate the ECDH structure. */
   1176 			if (ecdhp == NULL)
   1177 				{
   1178 				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
   1179 				goto err;
   1180 				}
   1181 			if ((ecdh = EC_KEY_dup(ecdhp)) == NULL)
   1182 				{
   1183 				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
   1184 				goto err;
   1185 				}
   1186 
   1187 			s->s3->tmp.ecdh=ecdh;
   1188 			if ((EC_KEY_get0_public_key(ecdh) == NULL) ||
   1189 			    (EC_KEY_get0_private_key(ecdh) == NULL) ||
   1190 			    (s->options & SSL_OP_SINGLE_ECDH_USE))
   1191 				{
   1192 				if(!EC_KEY_generate_key(ecdh))
   1193 				    {
   1194 				    SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
   1195 				    goto err;
   1196 				    }
   1197 				}
   1198 
   1199 			if (((group = EC_KEY_get0_group(ecdh)) == NULL) ||
   1200 			    (EC_KEY_get0_public_key(ecdh)  == NULL) ||
   1201 			    (EC_KEY_get0_private_key(ecdh) == NULL))
   1202 				{
   1203 				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
   1204 				goto err;
   1205 				}
   1206 
   1207 			if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) &&
   1208 			    (EC_GROUP_get_degree(group) > 163))
   1209 				{
   1210 				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER);
   1211 				goto err;
   1212 				}
   1213 
   1214 			/* XXX: For now, we only support ephemeral ECDH
   1215 			 * keys over named (not generic) curves. For
   1216 			 * supported named curves, curve_id is non-zero.
   1217 			 */
   1218 			if ((curve_id =
   1219 			    tls1_ec_nid2curve_id(EC_GROUP_get_curve_name(group)))
   1220 			    == 0)
   1221 				{
   1222 				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
   1223 				goto err;
   1224 				}
   1225 
   1226 			/* Encode the public key.
   1227 			 * First check the size of encoding and
   1228 			 * allocate memory accordingly.
   1229 			 */
   1230 			encodedlen = EC_POINT_point2oct(group,
   1231 			    EC_KEY_get0_public_key(ecdh),
   1232 			    POINT_CONVERSION_UNCOMPRESSED,
   1233 			    NULL, 0, NULL);
   1234 
   1235 			encodedPoint = (unsigned char *)
   1236 			    OPENSSL_malloc(encodedlen*sizeof(unsigned char));
   1237 			bn_ctx = BN_CTX_new();
   1238 			if ((encodedPoint == NULL) || (bn_ctx == NULL))
   1239 				{
   1240 				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
   1241 				goto err;
   1242 				}
   1243 
   1244 
   1245 			encodedlen = EC_POINT_point2oct(group,
   1246 			    EC_KEY_get0_public_key(ecdh),
   1247 			    POINT_CONVERSION_UNCOMPRESSED,
   1248 			    encodedPoint, encodedlen, bn_ctx);
   1249 
   1250 			if (encodedlen == 0)
   1251 				{
   1252 				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_ECDH_LIB);
   1253 				goto err;
   1254 				}
   1255 
   1256 			BN_CTX_free(bn_ctx);  bn_ctx=NULL;
   1257 
   1258 			/* XXX: For now, we only support named (not
   1259 			 * generic) curves in ECDH ephemeral key exchanges.
   1260 			 * In this situation, we need four additional bytes
   1261 			 * to encode the entire ServerECDHParams
   1262 			 * structure.
   1263 			 */
   1264 			n = 4 + encodedlen;
   1265 
   1266 			/* We'll generate the serverKeyExchange message
   1267 			 * explicitly so we can set these to NULLs
   1268 			 */
   1269 			r[0]=NULL;
   1270 			r[1]=NULL;
   1271 			r[2]=NULL;
   1272 			r[3]=NULL;
   1273 			}
   1274 		else
   1275 #endif /* !OPENSSL_NO_ECDH */
   1276 #ifndef OPENSSL_NO_PSK
   1277 			if (type & SSL_kPSK)
   1278 				{
   1279 				/* reserve size for record length and PSK identity hint*/
   1280 				n+=2+strlen(s->ctx->psk_identity_hint);
   1281 				}
   1282 			else
   1283 #endif /* !OPENSSL_NO_PSK */
   1284 			{
   1285 			al=SSL_AD_HANDSHAKE_FAILURE;
   1286 			SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
   1287 			goto f_err;
   1288 			}
   1289 		for (i=0; r[i] != NULL; i++)
   1290 			{
   1291 			nr[i]=BN_num_bytes(r[i]);
   1292 			n+=2+nr[i];
   1293 			}
   1294 
   1295 		if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
   1296 			&& !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
   1297 			{
   1298 			if ((pkey=ssl_get_sign_pkey(s,s->s3->tmp.new_cipher, NULL))
   1299 				== NULL)
   1300 				{
   1301 				al=SSL_AD_DECODE_ERROR;
   1302 				goto f_err;
   1303 				}
   1304 			kn=EVP_PKEY_size(pkey);
   1305 			}
   1306 		else
   1307 			{
   1308 			pkey=NULL;
   1309 			kn=0;
   1310 			}
   1311 
   1312 		if (!BUF_MEM_grow_clean(buf,n+DTLS1_HM_HEADER_LENGTH+kn))
   1313 			{
   1314 			SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
   1315 			goto err;
   1316 			}
   1317 		d=(unsigned char *)s->init_buf->data;
   1318 		p= &(d[DTLS1_HM_HEADER_LENGTH]);
   1319 
   1320 		for (i=0; r[i] != NULL; i++)
   1321 			{
   1322 			s2n(nr[i],p);
   1323 			BN_bn2bin(r[i],p);
   1324 			p+=nr[i];
   1325 			}
   1326 
   1327 #ifndef OPENSSL_NO_ECDH
   1328 		if (type & SSL_kEECDH)
   1329 			{
   1330 			/* XXX: For now, we only support named (not generic) curves.
   1331 			 * In this situation, the serverKeyExchange message has:
   1332 			 * [1 byte CurveType], [2 byte CurveName]
   1333 			 * [1 byte length of encoded point], followed by
   1334 			 * the actual encoded point itself
   1335 			 */
   1336 			*p = NAMED_CURVE_TYPE;
   1337 			p += 1;
   1338 			*p = 0;
   1339 			p += 1;
   1340 			*p = curve_id;
   1341 			p += 1;
   1342 			*p = encodedlen;
   1343 			p += 1;
   1344 			memcpy((unsigned char*)p,
   1345 			    (unsigned char *)encodedPoint,
   1346 			    encodedlen);
   1347 			OPENSSL_free(encodedPoint);
   1348 			p += encodedlen;
   1349 			}
   1350 #endif
   1351 
   1352 #ifndef OPENSSL_NO_PSK
   1353 		if (type & SSL_kPSK)
   1354 			{
   1355 			/* copy PSK identity hint */
   1356 			s2n(strlen(s->ctx->psk_identity_hint), p);
   1357 			strncpy((char *)p, s->ctx->psk_identity_hint, strlen(s->ctx->psk_identity_hint));
   1358 			p+=strlen(s->ctx->psk_identity_hint);
   1359 			}
   1360 #endif
   1361 
   1362 		/* not anonymous */
   1363 		if (pkey != NULL)
   1364 			{
   1365 			/* n is the length of the params, they start at
   1366 			 * &(d[DTLS1_HM_HEADER_LENGTH]) and p points to the space
   1367 			 * at the end. */
   1368 #ifndef OPENSSL_NO_RSA
   1369 			if (pkey->type == EVP_PKEY_RSA)
   1370 				{
   1371 				q=md_buf;
   1372 				j=0;
   1373 				for (num=2; num > 0; num--)
   1374 					{
   1375 					EVP_DigestInit_ex(&md_ctx,(num == 2)
   1376 						?s->ctx->md5:s->ctx->sha1, NULL);
   1377 					EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
   1378 					EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
   1379 					EVP_DigestUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n);
   1380 					EVP_DigestFinal_ex(&md_ctx,q,
   1381 						(unsigned int *)&i);
   1382 					q+=i;
   1383 					j+=i;
   1384 					}
   1385 				if (RSA_sign(NID_md5_sha1, md_buf, j,
   1386 					&(p[2]), &u, pkey->pkey.rsa) <= 0)
   1387 					{
   1388 					SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
   1389 					goto err;
   1390 					}
   1391 				s2n(u,p);
   1392 				n+=u+2;
   1393 				}
   1394 			else
   1395 #endif
   1396 #if !defined(OPENSSL_NO_DSA)
   1397 				if (pkey->type == EVP_PKEY_DSA)
   1398 				{
   1399 				/* lets do DSS */
   1400 				EVP_SignInit_ex(&md_ctx,EVP_dss1(), NULL);
   1401 				EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
   1402 				EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
   1403 				EVP_SignUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n);
   1404 				if (!EVP_SignFinal(&md_ctx,&(p[2]),
   1405 					(unsigned int *)&i,pkey))
   1406 					{
   1407 					SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA);
   1408 					goto err;
   1409 					}
   1410 				s2n(i,p);
   1411 				n+=i+2;
   1412 				}
   1413 			else
   1414 #endif
   1415 #if !defined(OPENSSL_NO_ECDSA)
   1416 				if (pkey->type == EVP_PKEY_EC)
   1417 				{
   1418 				/* let's do ECDSA */
   1419 				EVP_SignInit_ex(&md_ctx,EVP_ecdsa(), NULL);
   1420 				EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
   1421 				EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
   1422 				EVP_SignUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n);
   1423 				if (!EVP_SignFinal(&md_ctx,&(p[2]),
   1424 					(unsigned int *)&i,pkey))
   1425 					{
   1426 					SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_ECDSA);
   1427 					goto err;
   1428 					}
   1429 				s2n(i,p);
   1430 				n+=i+2;
   1431 				}
   1432 			else
   1433 #endif
   1434 				{
   1435 				/* Is this error check actually needed? */
   1436 				al=SSL_AD_HANDSHAKE_FAILURE;
   1437 				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE);
   1438 				goto f_err;
   1439 				}
   1440 			}
   1441 
   1442 		d = dtls1_set_message_header(s, d,
   1443 			SSL3_MT_SERVER_KEY_EXCHANGE, n, 0, n);
   1444 
   1445 		/* we should now have things packed up, so lets send
   1446 		 * it off */
   1447 		s->init_num=n+DTLS1_HM_HEADER_LENGTH;
   1448 		s->init_off=0;
   1449 
   1450 		/* buffer the message to handle re-xmits */
   1451 		dtls1_buffer_message(s, 0);
   1452 		}
   1453 
   1454 	s->state = SSL3_ST_SW_KEY_EXCH_B;
   1455 	EVP_MD_CTX_cleanup(&md_ctx);
   1456 	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
   1457 f_err:
   1458 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
   1459 err:
   1460 #ifndef OPENSSL_NO_ECDH
   1461 	if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
   1462 	BN_CTX_free(bn_ctx);
   1463 #endif
   1464 	EVP_MD_CTX_cleanup(&md_ctx);
   1465 	return(-1);
   1466 	}
   1467 
   1468 int dtls1_send_certificate_request(SSL *s)
   1469 	{
   1470 	unsigned char *p,*d;
   1471 	int i,j,nl,off,n;
   1472 	STACK_OF(X509_NAME) *sk=NULL;
   1473 	X509_NAME *name;
   1474 	BUF_MEM *buf;
   1475 	unsigned int msg_len;
   1476 
   1477 	if (s->state == SSL3_ST_SW_CERT_REQ_A)
   1478 		{
   1479 		buf=s->init_buf;
   1480 
   1481 		d=p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH]);
   1482 
   1483 		/* get the list of acceptable cert types */
   1484 		p++;
   1485 		n=ssl3_get_req_cert_type(s,p);
   1486 		d[0]=n;
   1487 		p+=n;
   1488 		n++;
   1489 
   1490 		off=n;
   1491 		p+=2;
   1492 		n+=2;
   1493 
   1494 		sk=SSL_get_client_CA_list(s);
   1495 		nl=0;
   1496 		if (sk != NULL)
   1497 			{
   1498 			for (i=0; i<sk_X509_NAME_num(sk); i++)
   1499 				{
   1500 				name=sk_X509_NAME_value(sk,i);
   1501 				j=i2d_X509_NAME(name,NULL);
   1502 				if (!BUF_MEM_grow_clean(buf,DTLS1_HM_HEADER_LENGTH+n+j+2))
   1503 					{
   1504 					SSLerr(SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
   1505 					goto err;
   1506 					}
   1507 				p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH+n]);
   1508 				if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
   1509 					{
   1510 					s2n(j,p);
   1511 					i2d_X509_NAME(name,&p);
   1512 					n+=2+j;
   1513 					nl+=2+j;
   1514 					}
   1515 				else
   1516 					{
   1517 					d=p;
   1518 					i2d_X509_NAME(name,&p);
   1519 					j-=2; s2n(j,d); j+=2;
   1520 					n+=j;
   1521 					nl+=j;
   1522 					}
   1523 				}
   1524 			}
   1525 		/* else no CA names */
   1526 		p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH+off]);
   1527 		s2n(nl,p);
   1528 
   1529 		d=(unsigned char *)buf->data;
   1530 		*(d++)=SSL3_MT_CERTIFICATE_REQUEST;
   1531 		l2n3(n,d);
   1532 		s2n(s->d1->handshake_write_seq,d);
   1533 		s->d1->handshake_write_seq++;
   1534 
   1535 		/* we should now have things packed up, so lets send
   1536 		 * it off */
   1537 
   1538 		s->init_num=n+DTLS1_HM_HEADER_LENGTH;
   1539 		s->init_off=0;
   1540 #ifdef NETSCAPE_HANG_BUG
   1541 /* XXX: what to do about this? */
   1542 		p=(unsigned char *)s->init_buf->data + s->init_num;
   1543 
   1544 		/* do the header */
   1545 		*(p++)=SSL3_MT_SERVER_DONE;
   1546 		*(p++)=0;
   1547 		*(p++)=0;
   1548 		*(p++)=0;
   1549 		s->init_num += 4;
   1550 #endif
   1551 
   1552 		/* XDTLS:  set message header ? */
   1553 		msg_len = s->init_num - DTLS1_HM_HEADER_LENGTH;
   1554 		dtls1_set_message_header(s, (void *)s->init_buf->data,
   1555 			SSL3_MT_CERTIFICATE_REQUEST, msg_len, 0, msg_len);
   1556 
   1557 		/* buffer the message to handle re-xmits */
   1558 		dtls1_buffer_message(s, 0);
   1559 
   1560 		s->state = SSL3_ST_SW_CERT_REQ_B;
   1561 		}
   1562 
   1563 	/* SSL3_ST_SW_CERT_REQ_B */
   1564 	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
   1565 err:
   1566 	return(-1);
   1567 	}
   1568 
   1569 int dtls1_send_server_certificate(SSL *s)
   1570 	{
   1571 	unsigned long l;
   1572 	X509 *x;
   1573 
   1574 	if (s->state == SSL3_ST_SW_CERT_A)
   1575 		{
   1576 		x=ssl_get_server_send_cert(s);
   1577 		if (x == NULL)
   1578 			{
   1579 			/* VRS: allow null cert if auth == KRB5 */
   1580 			if ((s->s3->tmp.new_cipher->algorithm_mkey != SSL_kKRB5) ||
   1581 			    (s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5))
   1582 				{
   1583 				SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
   1584 				return(0);
   1585 				}
   1586 			}
   1587 
   1588 		l=dtls1_output_cert_chain(s,x);
   1589 		s->state=SSL3_ST_SW_CERT_B;
   1590 		s->init_num=(int)l;
   1591 		s->init_off=0;
   1592 
   1593 		/* buffer the message to handle re-xmits */
   1594 		dtls1_buffer_message(s, 0);
   1595 		}
   1596 
   1597 	/* SSL3_ST_SW_CERT_B */
   1598 	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
   1599 	}
   1600 
   1601 #ifndef OPENSSL_NO_TLSEXT
   1602 int dtls1_send_newsession_ticket(SSL *s)
   1603 	{
   1604 	if (s->state == SSL3_ST_SW_SESSION_TICKET_A)
   1605 		{
   1606 		unsigned char *p, *senc, *macstart;
   1607 		int len, slen;
   1608 		unsigned int hlen, msg_len;
   1609 		EVP_CIPHER_CTX ctx;
   1610 		HMAC_CTX hctx;
   1611 		SSL_CTX *tctx = s->initial_ctx;
   1612 		unsigned char iv[EVP_MAX_IV_LENGTH];
   1613 		unsigned char key_name[16];
   1614 
   1615 		/* get session encoding length */
   1616 		slen = i2d_SSL_SESSION(s->session, NULL);
   1617 		/* Some length values are 16 bits, so forget it if session is
   1618  		 * too long
   1619  		 */
   1620 		if (slen > 0xFF00)
   1621 			return -1;
   1622 		/* Grow buffer if need be: the length calculation is as
   1623  		 * follows 12 (DTLS handshake message header) +
   1624  		 * 4 (ticket lifetime hint) + 2 (ticket length) +
   1625  		 * 16 (key name) + max_iv_len (iv length) +
   1626  		 * session_length + max_enc_block_size (max encrypted session
   1627  		 * length) + max_md_size (HMAC).
   1628  		 */
   1629 		if (!BUF_MEM_grow(s->init_buf,
   1630 			DTLS1_HM_HEADER_LENGTH + 22 + EVP_MAX_IV_LENGTH +
   1631 			EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE + slen))
   1632 			return -1;
   1633 		senc = OPENSSL_malloc(slen);
   1634 		if (!senc)
   1635 			return -1;
   1636 		p = senc;
   1637 		i2d_SSL_SESSION(s->session, &p);
   1638 
   1639 		p=(unsigned char *)&(s->init_buf->data[DTLS1_HM_HEADER_LENGTH]);
   1640 		EVP_CIPHER_CTX_init(&ctx);
   1641 		HMAC_CTX_init(&hctx);
   1642 		/* Initialize HMAC and cipher contexts. If callback present
   1643 		 * it does all the work otherwise use generated values
   1644 		 * from parent ctx.
   1645 		 */
   1646 		if (tctx->tlsext_ticket_key_cb)
   1647 			{
   1648 			if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
   1649 							 &hctx, 1) < 0)
   1650 				{
   1651 				OPENSSL_free(senc);
   1652 				return -1;
   1653 				}
   1654 			}
   1655 		else
   1656 			{
   1657 			RAND_pseudo_bytes(iv, 16);
   1658 			EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
   1659 					tctx->tlsext_tick_aes_key, iv);
   1660 			HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
   1661 					tlsext_tick_md(), NULL);
   1662 			memcpy(key_name, tctx->tlsext_tick_key_name, 16);
   1663 			}
   1664 		l2n(s->session->tlsext_tick_lifetime_hint, p);
   1665 		/* Skip ticket length for now */
   1666 		p += 2;
   1667 		/* Output key name */
   1668 		macstart = p;
   1669 		memcpy(p, key_name, 16);
   1670 		p += 16;
   1671 		/* output IV */
   1672 		memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx));
   1673 		p += EVP_CIPHER_CTX_iv_length(&ctx);
   1674 		/* Encrypt session data */
   1675 		EVP_EncryptUpdate(&ctx, p, &len, senc, slen);
   1676 		p += len;
   1677 		EVP_EncryptFinal(&ctx, p, &len);
   1678 		p += len;
   1679 		EVP_CIPHER_CTX_cleanup(&ctx);
   1680 
   1681 		HMAC_Update(&hctx, macstart, p - macstart);
   1682 		HMAC_Final(&hctx, p, &hlen);
   1683 		HMAC_CTX_cleanup(&hctx);
   1684 
   1685 		p += hlen;
   1686 		/* Now write out lengths: p points to end of data written */
   1687 		/* Total length */
   1688 		len = p - (unsigned char *)(s->init_buf->data);
   1689 		/* Ticket length */
   1690 		p=(unsigned char *)&(s->init_buf->data[DTLS1_HM_HEADER_LENGTH]) + 4;
   1691 		s2n(len - DTLS1_HM_HEADER_LENGTH - 6, p);
   1692 
   1693 		/* number of bytes to write */
   1694 		s->init_num= len;
   1695 		s->state=SSL3_ST_SW_SESSION_TICKET_B;
   1696 		s->init_off=0;
   1697 		OPENSSL_free(senc);
   1698 
   1699 		/* XDTLS:  set message header ? */
   1700 		msg_len = s->init_num - DTLS1_HM_HEADER_LENGTH;
   1701 		dtls1_set_message_header(s, (void *)s->init_buf->data,
   1702 			SSL3_MT_NEWSESSION_TICKET, msg_len, 0, msg_len);
   1703 
   1704 		/* buffer the message to handle re-xmits */
   1705 		dtls1_buffer_message(s, 0);
   1706 		}
   1707 
   1708 	/* SSL3_ST_SW_SESSION_TICKET_B */
   1709 	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
   1710 	}
   1711 #endif
   1712