Home | History | Annotate | Download | only in ssl
      1 /* ssl/d1_clnt.c */
      2 /*
      3  * DTLS implementation written by Nagendra Modadugu
      4  * (nagendra (at) cs.stanford.edu) for the OpenSSL project 2005.
      5  */
      6 /* ====================================================================
      7  * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
      8  *
      9  * Redistribution and use in source and binary forms, with or without
     10  * modification, are permitted provided that the following conditions
     11  * are met:
     12  *
     13  * 1. Redistributions of source code must retain the above copyright
     14  *    notice, this list of conditions and the following disclaimer.
     15  *
     16  * 2. Redistributions in binary form must reproduce the above copyright
     17  *    notice, this list of conditions and the following disclaimer in
     18  *    the documentation and/or other materials provided with the
     19  *    distribution.
     20  *
     21  * 3. All advertising materials mentioning features or use of this
     22  *    software must display the following acknowledgment:
     23  *    "This product includes software developed by the OpenSSL Project
     24  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
     25  *
     26  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
     27  *    endorse or promote products derived from this software without
     28  *    prior written permission. For written permission, please contact
     29  *    openssl-core (at) OpenSSL.org.
     30  *
     31  * 5. Products derived from this software may not be called "OpenSSL"
     32  *    nor may "OpenSSL" appear in their names without prior written
     33  *    permission of the OpenSSL Project.
     34  *
     35  * 6. Redistributions of any form whatsoever must retain the following
     36  *    acknowledgment:
     37  *    "This product includes software developed by the OpenSSL Project
     38  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
     39  *
     40  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
     41  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     43  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
     44  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
     45  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     46  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
     47  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
     49  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
     50  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
     51  * OF THE POSSIBILITY OF SUCH DAMAGE.
     52  * ====================================================================
     53  *
     54  * This product includes cryptographic software written by Eric Young
     55  * (eay (at) cryptsoft.com).  This product includes software written by Tim
     56  * Hudson (tjh (at) cryptsoft.com).
     57  *
     58  */
     59 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com)
     60  * All rights reserved.
     61  *
     62  * This package is an SSL implementation written
     63  * by Eric Young (eay (at) cryptsoft.com).
     64  * The implementation was written so as to conform with Netscapes SSL.
     65  *
     66  * This library is free for commercial and non-commercial use as long as
     67  * the following conditions are aheared to.  The following conditions
     68  * apply to all code found in this distribution, be it the RC4, RSA,
     69  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
     70  * included with this distribution is covered by the same copyright terms
     71  * except that the holder is Tim Hudson (tjh (at) cryptsoft.com).
     72  *
     73  * Copyright remains Eric Young's, and as such any Copyright notices in
     74  * the code are not to be removed.
     75  * If this package is used in a product, Eric Young should be given attribution
     76  * as the author of the parts of the library used.
     77  * This can be in the form of a textual message at program startup or
     78  * in documentation (online or textual) provided with the package.
     79  *
     80  * Redistribution and use in source and binary forms, with or without
     81  * modification, are permitted provided that the following conditions
     82  * are met:
     83  * 1. Redistributions of source code must retain the copyright
     84  *    notice, this list of conditions and the following disclaimer.
     85  * 2. Redistributions in binary form must reproduce the above copyright
     86  *    notice, this list of conditions and the following disclaimer in the
     87  *    documentation and/or other materials provided with the distribution.
     88  * 3. All advertising materials mentioning features or use of this software
     89  *    must display the following acknowledgement:
     90  *    "This product includes cryptographic software written by
     91  *     Eric Young (eay (at) cryptsoft.com)"
     92  *    The word 'cryptographic' can be left out if the rouines from the library
     93  *    being used are not cryptographic related :-).
     94  * 4. If you include any Windows specific code (or a derivative thereof) from
     95  *    the apps directory (application code) you must include an acknowledgement:
     96  *    "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)"
     97  *
     98  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
     99  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    100  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
    101  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
    102  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
    103  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
    104  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    105  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
    106  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
    107  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
    108  * SUCH DAMAGE.
    109  *
    110  * The licence and distribution terms for any publically available version or
    111  * derivative of this code cannot be changed.  i.e. this code cannot simply be
    112  * copied and put under another distribution licence
    113  * [including the GNU Public Licence.]
    114  */
    115 
    116 #include <stdio.h>
    117 #include "ssl_locl.h"
    118 #ifndef OPENSSL_NO_KRB5
    119 #include "kssl_lcl.h"
    120 #endif
    121 #include <openssl/buffer.h>
    122 #include <openssl/rand.h>
    123 #include <openssl/objects.h>
    124 #include <openssl/evp.h>
    125 #include <openssl/md5.h>
    126 #include <openssl/bn.h>
    127 #ifndef OPENSSL_NO_DH
    128 #include <openssl/dh.h>
    129 #endif
    130 
    131 static const SSL_METHOD *dtls1_get_client_method(int ver);
    132 static int dtls1_get_hello_verify(SSL *s);
    133 
    134 static const SSL_METHOD *dtls1_get_client_method(int ver)
    135 	{
    136 	if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
    137 		return(DTLSv1_client_method());
    138 	else
    139 		return(NULL);
    140 	}
    141 
    142 IMPLEMENT_dtls1_meth_func(DTLSv1_client_method,
    143 			ssl_undefined_function,
    144 			dtls1_connect,
    145 			dtls1_get_client_method)
    146 
    147 int dtls1_connect(SSL *s)
    148 	{
    149 	BUF_MEM *buf=NULL;
    150 	unsigned long Time=(unsigned long)time(NULL);
    151 	void (*cb)(const SSL *ssl,int type,int val)=NULL;
    152 	int ret= -1;
    153 	int new_state,state,skip=0;
    154 #ifndef OPENSSL_NO_SCTP
    155 	unsigned char sctpauthkey[64];
    156 	char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
    157 #endif
    158 
    159 	RAND_add(&Time,sizeof(Time),0);
    160 	ERR_clear_error();
    161 	clear_sys_error();
    162 
    163 	if (s->info_callback != NULL)
    164 		cb=s->info_callback;
    165 	else if (s->ctx->info_callback != NULL)
    166 		cb=s->ctx->info_callback;
    167 
    168 	s->in_handshake++;
    169 	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
    170 
    171 #ifndef OPENSSL_NO_SCTP
    172 	/* Notify SCTP BIO socket to enter handshake
    173 	 * mode and prevent stream identifier other
    174 	 * than 0. Will be ignored if no SCTP is used.
    175 	 */
    176 	BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, s->in_handshake, NULL);
    177 #endif
    178 
    179 #ifndef OPENSSL_NO_HEARTBEATS
    180 	/* If we're awaiting a HeartbeatResponse, pretend we
    181 	 * already got and don't await it anymore, because
    182 	 * Heartbeats don't make sense during handshakes anyway.
    183 	 */
    184 	if (s->tlsext_hb_pending)
    185 		{
    186 		dtls1_stop_timer(s);
    187 		s->tlsext_hb_pending = 0;
    188 		s->tlsext_hb_seq++;
    189 		}
    190 #endif
    191 
    192 	for (;;)
    193 		{
    194 		state=s->state;
    195 
    196 		switch(s->state)
    197 			{
    198 		case SSL_ST_RENEGOTIATE:
    199 			s->renegotiate=1;
    200 			s->state=SSL_ST_CONNECT;
    201 			s->ctx->stats.sess_connect_renegotiate++;
    202 			/* break */
    203 		case SSL_ST_BEFORE:
    204 		case SSL_ST_CONNECT:
    205 		case SSL_ST_BEFORE|SSL_ST_CONNECT:
    206 		case SSL_ST_OK|SSL_ST_CONNECT:
    207 
    208 			s->server=0;
    209 			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
    210 
    211 			if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00) &&
    212 			    (s->version & 0xff00 ) != (DTLS1_BAD_VER & 0xff00))
    213 				{
    214 				SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR);
    215 				ret = -1;
    216 				goto end;
    217 				}
    218 
    219 			/* s->version=SSL3_VERSION; */
    220 			s->type=SSL_ST_CONNECT;
    221 
    222 			if (s->init_buf == NULL)
    223 				{
    224 				if ((buf=BUF_MEM_new()) == NULL)
    225 					{
    226 					ret= -1;
    227 					goto end;
    228 					}
    229 				if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
    230 					{
    231 					ret= -1;
    232 					goto end;
    233 					}
    234 				s->init_buf=buf;
    235 				buf=NULL;
    236 				}
    237 
    238 			if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
    239 
    240 			/* setup buffing BIO */
    241 			if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
    242 
    243 			/* don't push the buffering BIO quite yet */
    244 
    245 			s->state=SSL3_ST_CW_CLNT_HELLO_A;
    246 			s->ctx->stats.sess_connect++;
    247 			s->init_num=0;
    248 			/* mark client_random uninitialized */
    249 			memset(s->s3->client_random,0,sizeof(s->s3->client_random));
    250 			s->d1->send_cookie = 0;
    251 			s->hit = 0;
    252 			break;
    253 
    254 #ifndef OPENSSL_NO_SCTP
    255 		case DTLS1_SCTP_ST_CR_READ_SOCK:
    256 
    257 			if (BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s)))
    258 			{
    259 				s->s3->in_read_app_data=2;
    260 				s->rwstate=SSL_READING;
    261 				BIO_clear_retry_flags(SSL_get_rbio(s));
    262 				BIO_set_retry_read(SSL_get_rbio(s));
    263 				ret = -1;
    264 				goto end;
    265 			}
    266 
    267 			s->state=s->s3->tmp.next_state;
    268 			break;
    269 
    270 		case DTLS1_SCTP_ST_CW_WRITE_SOCK:
    271 			/* read app data until dry event */
    272 
    273 			ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
    274 			if (ret < 0) goto end;
    275 
    276 			if (ret == 0)
    277 			{
    278 				s->s3->in_read_app_data=2;
    279 				s->rwstate=SSL_READING;
    280 				BIO_clear_retry_flags(SSL_get_rbio(s));
    281 				BIO_set_retry_read(SSL_get_rbio(s));
    282 				ret = -1;
    283 				goto end;
    284 			}
    285 
    286 			s->state=s->d1->next_state;
    287 			break;
    288 #endif
    289 
    290 		case SSL3_ST_CW_CLNT_HELLO_A:
    291 		case SSL3_ST_CW_CLNT_HELLO_B:
    292 
    293 			s->shutdown=0;
    294 
    295 			/* every DTLS ClientHello resets Finished MAC */
    296 			ssl3_init_finished_mac(s);
    297 
    298 			dtls1_start_timer(s);
    299 			ret=dtls1_client_hello(s);
    300 			if (ret <= 0) goto end;
    301 
    302 			if ( s->d1->send_cookie)
    303 				{
    304 				s->state=SSL3_ST_CW_FLUSH;
    305 				s->s3->tmp.next_state=SSL3_ST_CR_SRVR_HELLO_A;
    306 				}
    307 			else
    308 				s->state=SSL3_ST_CR_SRVR_HELLO_A;
    309 
    310 			s->init_num=0;
    311 
    312 #ifndef OPENSSL_NO_SCTP
    313 			/* Disable buffering for SCTP */
    314 			if (!BIO_dgram_is_sctp(SSL_get_wbio(s)))
    315 				{
    316 #endif
    317 				/* turn on buffering for the next lot of output */
    318 				if (s->bbio != s->wbio)
    319 					s->wbio=BIO_push(s->bbio,s->wbio);
    320 #ifndef OPENSSL_NO_SCTP
    321 				}
    322 #endif
    323 
    324 			break;
    325 
    326 		case SSL3_ST_CR_SRVR_HELLO_A:
    327 		case SSL3_ST_CR_SRVR_HELLO_B:
    328 			ret=ssl3_get_server_hello(s);
    329 			if (ret <= 0) goto end;
    330 			else
    331 				{
    332 				if (s->hit)
    333 					{
    334 #ifndef OPENSSL_NO_SCTP
    335 					/* Add new shared key for SCTP-Auth,
    336 					 * will be ignored if no SCTP used.
    337 					 */
    338 					snprintf((char*) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
    339 					         DTLS1_SCTP_AUTH_LABEL);
    340 
    341 					SSL_export_keying_material(s, sctpauthkey,
    342 					                           sizeof(sctpauthkey), labelbuffer,
    343 					                           sizeof(labelbuffer), NULL, 0, 0);
    344 
    345 					BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
    346 							 sizeof(sctpauthkey), sctpauthkey);
    347 #endif
    348 
    349 					s->state=SSL3_ST_CR_FINISHED_A;
    350 					}
    351 				else
    352 					s->state=DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
    353 				}
    354 			s->init_num=0;
    355 			break;
    356 
    357 		case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
    358 		case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B:
    359 
    360 			ret = dtls1_get_hello_verify(s);
    361 			if ( ret <= 0)
    362 				goto end;
    363 			dtls1_stop_timer(s);
    364 			if ( s->d1->send_cookie) /* start again, with a cookie */
    365 				s->state=SSL3_ST_CW_CLNT_HELLO_A;
    366 			else
    367 				s->state = SSL3_ST_CR_CERT_A;
    368 			s->init_num = 0;
    369 			break;
    370 
    371 		case SSL3_ST_CR_CERT_A:
    372 		case SSL3_ST_CR_CERT_B:
    373 #ifndef OPENSSL_NO_TLSEXT
    374 			ret=ssl3_check_finished(s);
    375 			if (ret <= 0) goto end;
    376 			if (ret == 2)
    377 				{
    378 				s->hit = 1;
    379 				if (s->tlsext_ticket_expected)
    380 					s->state=SSL3_ST_CR_SESSION_TICKET_A;
    381 				else
    382 					s->state=SSL3_ST_CR_FINISHED_A;
    383 				s->init_num=0;
    384 				break;
    385 				}
    386 #endif
    387 			/* Check if it is anon DH or PSK */
    388 			if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
    389 			    !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
    390 				{
    391 				ret=ssl3_get_server_certificate(s);
    392 				if (ret <= 0) goto end;
    393 #ifndef OPENSSL_NO_TLSEXT
    394 				if (s->tlsext_status_expected)
    395 					s->state=SSL3_ST_CR_CERT_STATUS_A;
    396 				else
    397 					s->state=SSL3_ST_CR_KEY_EXCH_A;
    398 				}
    399 			else
    400 				{
    401 				skip = 1;
    402 				s->state=SSL3_ST_CR_KEY_EXCH_A;
    403 				}
    404 #else
    405 				}
    406 			else
    407 				skip=1;
    408 
    409 			s->state=SSL3_ST_CR_KEY_EXCH_A;
    410 #endif
    411 			s->init_num=0;
    412 			break;
    413 
    414 		case SSL3_ST_CR_KEY_EXCH_A:
    415 		case SSL3_ST_CR_KEY_EXCH_B:
    416 			ret=ssl3_get_key_exchange(s);
    417 			if (ret <= 0) goto end;
    418 			s->state=SSL3_ST_CR_CERT_REQ_A;
    419 			s->init_num=0;
    420 
    421 			/* at this point we check that we have the
    422 			 * required stuff from the server */
    423 			if (!ssl3_check_cert_and_algorithm(s))
    424 				{
    425 				ret= -1;
    426 				goto end;
    427 				}
    428 			break;
    429 
    430 		case SSL3_ST_CR_CERT_REQ_A:
    431 		case SSL3_ST_CR_CERT_REQ_B:
    432 			ret=ssl3_get_certificate_request(s);
    433 			if (ret <= 0) goto end;
    434 			s->state=SSL3_ST_CR_SRVR_DONE_A;
    435 			s->init_num=0;
    436 			break;
    437 
    438 		case SSL3_ST_CR_SRVR_DONE_A:
    439 		case SSL3_ST_CR_SRVR_DONE_B:
    440 			ret=ssl3_get_server_done(s);
    441 			if (ret <= 0) goto end;
    442 			dtls1_stop_timer(s);
    443 			if (s->s3->tmp.cert_req)
    444 				s->s3->tmp.next_state=SSL3_ST_CW_CERT_A;
    445 			else
    446 				s->s3->tmp.next_state=SSL3_ST_CW_KEY_EXCH_A;
    447 			s->init_num=0;
    448 
    449 #ifndef OPENSSL_NO_SCTP
    450 			if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
    451 			    state == SSL_ST_RENEGOTIATE)
    452 				s->state=DTLS1_SCTP_ST_CR_READ_SOCK;
    453 			else
    454 #endif
    455 			s->state=s->s3->tmp.next_state;
    456 			break;
    457 
    458 		case SSL3_ST_CW_CERT_A:
    459 		case SSL3_ST_CW_CERT_B:
    460 		case SSL3_ST_CW_CERT_C:
    461 		case SSL3_ST_CW_CERT_D:
    462 			dtls1_start_timer(s);
    463 			ret=dtls1_send_client_certificate(s);
    464 			if (ret <= 0) goto end;
    465 			s->state=SSL3_ST_CW_KEY_EXCH_A;
    466 			s->init_num=0;
    467 			break;
    468 
    469 		case SSL3_ST_CW_KEY_EXCH_A:
    470 		case SSL3_ST_CW_KEY_EXCH_B:
    471 			dtls1_start_timer(s);
    472 			ret=dtls1_send_client_key_exchange(s);
    473 			if (ret <= 0) goto end;
    474 
    475 #ifndef OPENSSL_NO_SCTP
    476 			/* Add new shared key for SCTP-Auth,
    477 			 * will be ignored if no SCTP used.
    478 			 */
    479 			snprintf((char*) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
    480 			         DTLS1_SCTP_AUTH_LABEL);
    481 
    482 			SSL_export_keying_material(s, sctpauthkey,
    483 			                           sizeof(sctpauthkey), labelbuffer,
    484 			                           sizeof(labelbuffer), NULL, 0, 0);
    485 
    486 			BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
    487 					 sizeof(sctpauthkey), sctpauthkey);
    488 #endif
    489 
    490 			/* EAY EAY EAY need to check for DH fix cert
    491 			 * sent back */
    492 			/* For TLS, cert_req is set to 2, so a cert chain
    493 			 * of nothing is sent, but no verify packet is sent */
    494 			if (s->s3->tmp.cert_req == 1)
    495 				{
    496 				s->state=SSL3_ST_CW_CERT_VRFY_A;
    497 				}
    498 			else
    499 				{
    500 #ifndef OPENSSL_NO_SCTP
    501 				if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
    502 					{
    503 					s->d1->next_state=SSL3_ST_CW_CHANGE_A;
    504 					s->state=DTLS1_SCTP_ST_CW_WRITE_SOCK;
    505 					}
    506 				else
    507 #endif
    508 					s->state=SSL3_ST_CW_CHANGE_A;
    509 				s->s3->change_cipher_spec=0;
    510 				}
    511 
    512 			s->init_num=0;
    513 			break;
    514 
    515 		case SSL3_ST_CW_CERT_VRFY_A:
    516 		case SSL3_ST_CW_CERT_VRFY_B:
    517 			dtls1_start_timer(s);
    518 			ret=dtls1_send_client_verify(s);
    519 			if (ret <= 0) goto end;
    520 #ifndef OPENSSL_NO_SCTP
    521 			if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
    522 			{
    523 				s->d1->next_state=SSL3_ST_CW_CHANGE_A;
    524 				s->state=DTLS1_SCTP_ST_CW_WRITE_SOCK;
    525 			}
    526 			else
    527 #endif
    528 				s->state=SSL3_ST_CW_CHANGE_A;
    529 			s->init_num=0;
    530 			s->s3->change_cipher_spec=0;
    531 			break;
    532 
    533 		case SSL3_ST_CW_CHANGE_A:
    534 		case SSL3_ST_CW_CHANGE_B:
    535 			if (!s->hit)
    536 				dtls1_start_timer(s);
    537 			ret=dtls1_send_change_cipher_spec(s,
    538 				SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
    539 			if (ret <= 0) goto end;
    540 
    541 			s->state=SSL3_ST_CW_FINISHED_A;
    542 			s->init_num=0;
    543 
    544 			s->session->cipher=s->s3->tmp.new_cipher;
    545 #ifdef OPENSSL_NO_COMP
    546 			s->session->compress_meth=0;
    547 #else
    548 			if (s->s3->tmp.new_compression == NULL)
    549 				s->session->compress_meth=0;
    550 			else
    551 				s->session->compress_meth=
    552 					s->s3->tmp.new_compression->id;
    553 #endif
    554 			if (!s->method->ssl3_enc->setup_key_block(s))
    555 				{
    556 				ret= -1;
    557 				goto end;
    558 				}
    559 
    560 			if (!s->method->ssl3_enc->change_cipher_state(s,
    561 				SSL3_CHANGE_CIPHER_CLIENT_WRITE))
    562 				{
    563 				ret= -1;
    564 				goto end;
    565 				}
    566 
    567 #ifndef OPENSSL_NO_SCTP
    568 				if (s->hit)
    569 					{
    570 					/* Change to new shared key of SCTP-Auth,
    571 					 * will be ignored if no SCTP used.
    572 					 */
    573 					BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
    574 					}
    575 #endif
    576 
    577 			dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
    578 			break;
    579 
    580 		case SSL3_ST_CW_FINISHED_A:
    581 		case SSL3_ST_CW_FINISHED_B:
    582 			if (!s->hit)
    583 				dtls1_start_timer(s);
    584 			ret=dtls1_send_finished(s,
    585 				SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
    586 				s->method->ssl3_enc->client_finished_label,
    587 				s->method->ssl3_enc->client_finished_label_len);
    588 			if (ret <= 0) goto end;
    589 			s->state=SSL3_ST_CW_FLUSH;
    590 
    591 			/* clear flags */
    592 			s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER;
    593 			if (s->hit)
    594 				{
    595 				s->s3->tmp.next_state=SSL_ST_OK;
    596 #ifndef OPENSSL_NO_SCTP
    597 				if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
    598 					{
    599 						s->d1->next_state = s->s3->tmp.next_state;
    600 						s->s3->tmp.next_state=DTLS1_SCTP_ST_CW_WRITE_SOCK;
    601 					}
    602 #endif
    603 				if (s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)
    604 					{
    605 					s->state=SSL_ST_OK;
    606 #ifndef OPENSSL_NO_SCTP
    607 					if (BIO_dgram_is_sctp(SSL_get_wbio(s)))
    608 						{
    609 							s->d1->next_state = SSL_ST_OK;
    610 							s->state=DTLS1_SCTP_ST_CW_WRITE_SOCK;
    611 						}
    612 #endif
    613 					s->s3->flags|=SSL3_FLAGS_POP_BUFFER;
    614 					s->s3->delay_buf_pop_ret=0;
    615 					}
    616 				}
    617 			else
    618 				{
    619 #ifndef OPENSSL_NO_SCTP
    620 				/* Change to new shared key of SCTP-Auth,
    621 				 * will be ignored if no SCTP used.
    622 				 */
    623 				BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
    624 #endif
    625 
    626 #ifndef OPENSSL_NO_TLSEXT
    627 				/* Allow NewSessionTicket if ticket expected */
    628 				if (s->tlsext_ticket_expected)
    629 					s->s3->tmp.next_state=SSL3_ST_CR_SESSION_TICKET_A;
    630 				else
    631 #endif
    632 
    633 				s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A;
    634 				}
    635 			s->init_num=0;
    636 			break;
    637 
    638 #ifndef OPENSSL_NO_TLSEXT
    639 		case SSL3_ST_CR_SESSION_TICKET_A:
    640 		case SSL3_ST_CR_SESSION_TICKET_B:
    641 			ret=ssl3_get_new_session_ticket(s);
    642 			if (ret <= 0) goto end;
    643 			s->state=SSL3_ST_CR_FINISHED_A;
    644 			s->init_num=0;
    645 		break;
    646 
    647 		case SSL3_ST_CR_CERT_STATUS_A:
    648 		case SSL3_ST_CR_CERT_STATUS_B:
    649 			ret=ssl3_get_cert_status(s);
    650 			if (ret <= 0) goto end;
    651 			s->state=SSL3_ST_CR_KEY_EXCH_A;
    652 			s->init_num=0;
    653 		break;
    654 #endif
    655 
    656 		case SSL3_ST_CR_FINISHED_A:
    657 		case SSL3_ST_CR_FINISHED_B:
    658 			s->d1->change_cipher_spec_ok = 1;
    659 			ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
    660 				SSL3_ST_CR_FINISHED_B);
    661 			if (ret <= 0) goto end;
    662 			dtls1_stop_timer(s);
    663 
    664 			if (s->hit)
    665 				s->state=SSL3_ST_CW_CHANGE_A;
    666 			else
    667 				s->state=SSL_ST_OK;
    668 
    669 #ifndef OPENSSL_NO_SCTP
    670 			if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
    671 				state == SSL_ST_RENEGOTIATE)
    672 				{
    673 				s->d1->next_state=s->state;
    674 				s->state=DTLS1_SCTP_ST_CW_WRITE_SOCK;
    675 				}
    676 #endif
    677 
    678 			s->init_num=0;
    679 			break;
    680 
    681 		case SSL3_ST_CW_FLUSH:
    682 			s->rwstate=SSL_WRITING;
    683 			if (BIO_flush(s->wbio) <= 0)
    684 				{
    685 				/* If the write error was fatal, stop trying */
    686 				if (!BIO_should_retry(s->wbio))
    687 					{
    688 					s->rwstate=SSL_NOTHING;
    689 					s->state=s->s3->tmp.next_state;
    690 					}
    691 
    692 				ret= -1;
    693 				goto end;
    694 				}
    695 			s->rwstate=SSL_NOTHING;
    696 			s->state=s->s3->tmp.next_state;
    697 			break;
    698 
    699 		case SSL_ST_OK:
    700 			/* clean a few things up */
    701 			ssl3_cleanup_key_block(s);
    702 
    703 #if 0
    704 			if (s->init_buf != NULL)
    705 				{
    706 				BUF_MEM_free(s->init_buf);
    707 				s->init_buf=NULL;
    708 				}
    709 #endif
    710 
    711 			/* If we are not 'joining' the last two packets,
    712 			 * remove the buffering now */
    713 			if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
    714 				ssl_free_wbio_buffer(s);
    715 			/* else do it later in ssl3_write */
    716 
    717 			s->init_num=0;
    718 			s->renegotiate=0;
    719 			s->new_session=0;
    720 
    721 			ssl_update_cache(s,SSL_SESS_CACHE_CLIENT);
    722 			if (s->hit) s->ctx->stats.sess_hit++;
    723 
    724 			ret=1;
    725 			/* s->server=0; */
    726 			s->handshake_func=dtls1_connect;
    727 			s->ctx->stats.sess_connect_good++;
    728 
    729 			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
    730 
    731 			/* done with handshaking */
    732 			s->d1->handshake_read_seq  = 0;
    733 			s->d1->next_handshake_write_seq = 0;
    734 			goto end;
    735 			/* break; */
    736 
    737 		default:
    738 			SSLerr(SSL_F_DTLS1_CONNECT,SSL_R_UNKNOWN_STATE);
    739 			ret= -1;
    740 			goto end;
    741 			/* break; */
    742 			}
    743 
    744 		/* did we do anything */
    745 		if (!s->s3->tmp.reuse_message && !skip)
    746 			{
    747 			if (s->debug)
    748 				{
    749 				if ((ret=BIO_flush(s->wbio)) <= 0)
    750 					goto end;
    751 				}
    752 
    753 			if ((cb != NULL) && (s->state != state))
    754 				{
    755 				new_state=s->state;
    756 				s->state=state;
    757 				cb(s,SSL_CB_CONNECT_LOOP,1);
    758 				s->state=new_state;
    759 				}
    760 			}
    761 		skip=0;
    762 		}
    763 end:
    764 	s->in_handshake--;
    765 
    766 #ifndef OPENSSL_NO_SCTP
    767 	/* Notify SCTP BIO socket to leave handshake
    768 	 * mode and allow stream identifier other
    769 	 * than 0. Will be ignored if no SCTP is used.
    770 	 */
    771 	BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE, s->in_handshake, NULL);
    772 #endif
    773 
    774 	if (buf != NULL)
    775 		BUF_MEM_free(buf);
    776 	if (cb != NULL)
    777 		cb(s,SSL_CB_CONNECT_EXIT,ret);
    778 	return(ret);
    779 	}
    780 
    781 int dtls1_client_hello(SSL *s)
    782 	{
    783 	unsigned char *buf;
    784 	unsigned char *p,*d;
    785 	unsigned int i,j;
    786 	unsigned long l;
    787 	SSL_COMP *comp;
    788 
    789 	buf=(unsigned char *)s->init_buf->data;
    790 	if (s->state == SSL3_ST_CW_CLNT_HELLO_A)
    791 		{
    792 		SSL_SESSION *sess = s->session;
    793 		if ((s->session == NULL) ||
    794 			(s->session->ssl_version != s->version) ||
    795 #ifdef OPENSSL_NO_TLSEXT
    796 			!sess->session_id_length ||
    797 #else
    798 			(!sess->session_id_length && !sess->tlsext_tick) ||
    799 #endif
    800 			(s->session->not_resumable))
    801 			{
    802 		        if (!s->session_creation_enabled)
    803 				{
    804 				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
    805 				SSLerr(SSL_F_DTLS1_CLIENT_HELLO,SSL_R_SESSION_MAY_NOT_BE_CREATED);
    806 				goto err;
    807 				}
    808 			if (!ssl_get_new_session(s,0))
    809 				goto err;
    810 			}
    811 		/* else use the pre-loaded session */
    812 
    813 		p=s->s3->client_random;
    814 
    815 		/* if client_random is initialized, reuse it, we are
    816 		 * required to use same upon reply to HelloVerify */
    817 		for (i=0;p[i]=='\0' && i<sizeof(s->s3->client_random);i++)
    818 			;
    819 		if (i==sizeof(s->s3->client_random))
    820 			ssl_fill_hello_random(s, 0, p,
    821 					      sizeof(s->s3->client_random));
    822 
    823 		/* Do the message type and length last */
    824 		d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
    825 
    826 		*(p++)=s->version>>8;
    827 		*(p++)=s->version&0xff;
    828 		s->client_version=s->version;
    829 
    830 		/* Random stuff */
    831 		memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
    832 		p+=SSL3_RANDOM_SIZE;
    833 
    834 		/* Session ID */
    835 		if (s->new_session)
    836 			i=0;
    837 		else
    838 			i=s->session->session_id_length;
    839 		*(p++)=i;
    840 		if (i != 0)
    841 			{
    842 			if (i > sizeof s->session->session_id)
    843 				{
    844 				SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
    845 				goto err;
    846 				}
    847 			memcpy(p,s->session->session_id,i);
    848 			p+=i;
    849 			}
    850 
    851 		/* cookie stuff */
    852 		if ( s->d1->cookie_len > sizeof(s->d1->cookie))
    853 			{
    854 			SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
    855 			goto err;
    856 			}
    857 		*(p++) = s->d1->cookie_len;
    858 		memcpy(p, s->d1->cookie, s->d1->cookie_len);
    859 		p += s->d1->cookie_len;
    860 
    861 		/* Ciphers supported */
    862 		i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]),0);
    863 		if (i == 0)
    864 			{
    865 			SSLerr(SSL_F_DTLS1_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
    866 			goto err;
    867 			}
    868 		s2n(i,p);
    869 		p+=i;
    870 
    871 		/* COMPRESSION */
    872 		if (s->ctx->comp_methods == NULL)
    873 			j=0;
    874 		else
    875 			j=sk_SSL_COMP_num(s->ctx->comp_methods);
    876 		*(p++)=1+j;
    877 		for (i=0; i<j; i++)
    878 			{
    879 			comp=sk_SSL_COMP_value(s->ctx->comp_methods,i);
    880 			*(p++)=comp->id;
    881 			}
    882 		*(p++)=0; /* Add the NULL method */
    883 
    884 #ifndef OPENSSL_NO_TLSEXT
    885 		/* TLS extensions*/
    886 		if (ssl_prepare_clienthello_tlsext(s) <= 0)
    887 			{
    888 			SSLerr(SSL_F_DTLS1_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
    889 			goto err;
    890 			}
    891 		if ((p = ssl_add_clienthello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
    892 			{
    893 			SSLerr(SSL_F_DTLS1_CLIENT_HELLO,ERR_R_INTERNAL_ERROR);
    894 			goto err;
    895 			}
    896 #endif
    897 
    898 		l=(p-d);
    899 		d=buf;
    900 
    901 		d = dtls1_set_message_header(s, d, SSL3_MT_CLIENT_HELLO, l, 0, l);
    902 
    903 		s->state=SSL3_ST_CW_CLNT_HELLO_B;
    904 		/* number of bytes to write */
    905 		s->init_num=p-buf;
    906 		s->init_off=0;
    907 
    908 		/* buffer the message to handle re-xmits */
    909 		dtls1_buffer_message(s, 0);
    910 		}
    911 
    912 	/* SSL3_ST_CW_CLNT_HELLO_B */
    913 	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
    914 err:
    915 	return(-1);
    916 	}
    917 
    918 static int dtls1_get_hello_verify(SSL *s)
    919 	{
    920 	int n, al, ok = 0;
    921 	unsigned char *data;
    922 	unsigned int cookie_len;
    923 
    924 	n=s->method->ssl_get_message(s,
    925 		DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A,
    926 		DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B,
    927 		-1,
    928 		s->max_cert_list,
    929 		&ok);
    930 
    931 	if (!ok) return((int)n);
    932 
    933 	if (s->s3->tmp.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST)
    934 		{
    935 		s->d1->send_cookie = 0;
    936 		s->s3->tmp.reuse_message=1;
    937 		return(1);
    938 		}
    939 
    940 	data = (unsigned char *)s->init_msg;
    941 
    942 	if ((data[0] != (s->version>>8)) || (data[1] != (s->version&0xff)))
    943 		{
    944 		SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY,SSL_R_WRONG_SSL_VERSION);
    945 		s->version=(s->version&0xff00)|data[1];
    946 		al = SSL_AD_PROTOCOL_VERSION;
    947 		goto f_err;
    948 		}
    949 	data+=2;
    950 
    951 	cookie_len = *(data++);
    952 	if ( cookie_len > sizeof(s->d1->cookie))
    953 		{
    954 		al=SSL_AD_ILLEGAL_PARAMETER;
    955 		goto f_err;
    956 		}
    957 
    958 	memcpy(s->d1->cookie, data, cookie_len);
    959 	s->d1->cookie_len = cookie_len;
    960 
    961 	s->d1->send_cookie = 1;
    962 	return 1;
    963 
    964 f_err:
    965 	ssl3_send_alert(s, SSL3_AL_FATAL, al);
    966 	return -1;
    967 	}
    968 
    969 int dtls1_send_client_key_exchange(SSL *s)
    970 	{
    971 	unsigned char *p,*d;
    972 	int n;
    973 	unsigned long alg_k;
    974 #ifndef OPENSSL_NO_RSA
    975 	unsigned char *q;
    976 	EVP_PKEY *pkey=NULL;
    977 #endif
    978 #ifndef OPENSSL_NO_KRB5
    979         KSSL_ERR kssl_err;
    980 #endif /* OPENSSL_NO_KRB5 */
    981 #ifndef OPENSSL_NO_ECDH
    982 	EC_KEY *clnt_ecdh = NULL;
    983 	const EC_POINT *srvr_ecpoint = NULL;
    984 	EVP_PKEY *srvr_pub_pkey = NULL;
    985 	unsigned char *encodedPoint = NULL;
    986 	int encoded_pt_len = 0;
    987 	BN_CTX * bn_ctx = NULL;
    988 #endif
    989 
    990 	if (s->state == SSL3_ST_CW_KEY_EXCH_A)
    991 		{
    992 		d=(unsigned char *)s->init_buf->data;
    993 		p= &(d[DTLS1_HM_HEADER_LENGTH]);
    994 
    995 		alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
    996 
    997                 /* Fool emacs indentation */
    998                 if (0) {}
    999 #ifndef OPENSSL_NO_RSA
   1000 		else if (alg_k & SSL_kRSA)
   1001 			{
   1002 			RSA *rsa;
   1003 			unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
   1004 
   1005 			if (s->session->sess_cert == NULL)
   1006 				{
   1007 				/* We should always have a server certificate with SSL_kRSA. */
   1008 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
   1009 				goto err;
   1010 				}
   1011 
   1012 			if (s->session->sess_cert->peer_rsa_tmp != NULL)
   1013 				rsa=s->session->sess_cert->peer_rsa_tmp;
   1014 			else
   1015 				{
   1016 				pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
   1017 				if ((pkey == NULL) ||
   1018 					(pkey->type != EVP_PKEY_RSA) ||
   1019 					(pkey->pkey.rsa == NULL))
   1020 					{
   1021 					SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
   1022 					goto err;
   1023 					}
   1024 				rsa=pkey->pkey.rsa;
   1025 				EVP_PKEY_free(pkey);
   1026 				}
   1027 
   1028 			tmp_buf[0]=s->client_version>>8;
   1029 			tmp_buf[1]=s->client_version&0xff;
   1030 			if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0)
   1031 					goto err;
   1032 
   1033 			s->session->master_key_length=sizeof tmp_buf;
   1034 
   1035 			q=p;
   1036 			/* Fix buf for TLS and [incidentally] DTLS */
   1037 			if (s->version > SSL3_VERSION)
   1038 				p+=2;
   1039 			n=RSA_public_encrypt(sizeof tmp_buf,
   1040 				tmp_buf,p,rsa,RSA_PKCS1_PADDING);
   1041 #ifdef PKCS1_CHECK
   1042 			if (s->options & SSL_OP_PKCS1_CHECK_1) p[1]++;
   1043 			if (s->options & SSL_OP_PKCS1_CHECK_2) tmp_buf[0]=0x70;
   1044 #endif
   1045 			if (n <= 0)
   1046 				{
   1047 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
   1048 				goto err;
   1049 				}
   1050 
   1051 			/* Fix buf for TLS and [incidentally] DTLS */
   1052 			if (s->version > SSL3_VERSION)
   1053 				{
   1054 				s2n(n,q);
   1055 				n+=2;
   1056 				}
   1057 
   1058 			s->session->master_key_length=
   1059 				s->method->ssl3_enc->generate_master_secret(s,
   1060 					s->session->master_key,
   1061 					tmp_buf,sizeof tmp_buf);
   1062 			OPENSSL_cleanse(tmp_buf,sizeof tmp_buf);
   1063 			}
   1064 #endif
   1065 #ifndef OPENSSL_NO_KRB5
   1066 		else if (alg_k & SSL_kKRB5)
   1067                         {
   1068                         krb5_error_code	krb5rc;
   1069                         KSSL_CTX	*kssl_ctx = s->kssl_ctx;
   1070                         /*  krb5_data	krb5_ap_req;  */
   1071                         krb5_data	*enc_ticket;
   1072                         krb5_data	authenticator, *authp = NULL;
   1073 			EVP_CIPHER_CTX	ciph_ctx;
   1074 			const EVP_CIPHER *enc = NULL;
   1075 			unsigned char	iv[EVP_MAX_IV_LENGTH];
   1076 			unsigned char	tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
   1077 			unsigned char	epms[SSL_MAX_MASTER_KEY_LENGTH
   1078 						+ EVP_MAX_IV_LENGTH];
   1079 			int 		padl, outl = sizeof(epms);
   1080 
   1081 			EVP_CIPHER_CTX_init(&ciph_ctx);
   1082 
   1083 #ifdef KSSL_DEBUG
   1084                         printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
   1085                                 alg_k, SSL_kKRB5);
   1086 #endif	/* KSSL_DEBUG */
   1087 
   1088 			authp = NULL;
   1089 #ifdef KRB5SENDAUTH
   1090 			if (KRB5SENDAUTH)  authp = &authenticator;
   1091 #endif	/* KRB5SENDAUTH */
   1092 
   1093                         krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp,
   1094 				&kssl_err);
   1095 			enc = kssl_map_enc(kssl_ctx->enctype);
   1096                         if (enc == NULL)
   1097                             goto err;
   1098 #ifdef KSSL_DEBUG
   1099                         {
   1100                         printf("kssl_cget_tkt rtn %d\n", krb5rc);
   1101                         if (krb5rc && kssl_err.text)
   1102 			  printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
   1103                         }
   1104 #endif	/* KSSL_DEBUG */
   1105 
   1106                         if (krb5rc)
   1107                                 {
   1108                                 ssl3_send_alert(s,SSL3_AL_FATAL,
   1109 						SSL_AD_HANDSHAKE_FAILURE);
   1110                                 SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
   1111 						kssl_err.reason);
   1112                                 goto err;
   1113                                 }
   1114 
   1115 			/*  20010406 VRS - Earlier versions used KRB5 AP_REQ
   1116 			**  in place of RFC 2712 KerberosWrapper, as in:
   1117 			**
   1118                         **  Send ticket (copy to *p, set n = length)
   1119                         **  n = krb5_ap_req.length;
   1120                         **  memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
   1121                         **  if (krb5_ap_req.data)
   1122                         **    kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
   1123                         **
   1124 			**  Now using real RFC 2712 KerberosWrapper
   1125 			**  (Thanks to Simon Wilkinson <sxw (at) sxw.org.uk>)
   1126 			**  Note: 2712 "opaque" types are here replaced
   1127 			**  with a 2-byte length followed by the value.
   1128 			**  Example:
   1129 			**  KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
   1130 			**  Where "xx xx" = length bytes.  Shown here with
   1131 			**  optional authenticator omitted.
   1132 			*/
   1133 
   1134 			/*  KerberosWrapper.Ticket		*/
   1135 			s2n(enc_ticket->length,p);
   1136 			memcpy(p, enc_ticket->data, enc_ticket->length);
   1137 			p+= enc_ticket->length;
   1138 			n = enc_ticket->length + 2;
   1139 
   1140 			/*  KerberosWrapper.Authenticator	*/
   1141 			if (authp  &&  authp->length)
   1142 				{
   1143 				s2n(authp->length,p);
   1144 				memcpy(p, authp->data, authp->length);
   1145 				p+= authp->length;
   1146 				n+= authp->length + 2;
   1147 
   1148 				free(authp->data);
   1149 				authp->data = NULL;
   1150 				authp->length = 0;
   1151 				}
   1152 			else
   1153 				{
   1154 				s2n(0,p);/*  null authenticator length	*/
   1155 				n+=2;
   1156 				}
   1157 
   1158 			if (RAND_bytes(tmp_buf,sizeof tmp_buf) <= 0)
   1159 			    goto err;
   1160 
   1161 			/*  20010420 VRS.  Tried it this way; failed.
   1162 			**	EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
   1163 			**	EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
   1164 			**				kssl_ctx->length);
   1165 			**	EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
   1166 			*/
   1167 
   1168 			memset(iv, 0, sizeof iv);  /* per RFC 1510 */
   1169 			EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,
   1170 				kssl_ctx->key,iv);
   1171 			EVP_EncryptUpdate(&ciph_ctx,epms,&outl,tmp_buf,
   1172 				sizeof tmp_buf);
   1173 			EVP_EncryptFinal_ex(&ciph_ctx,&(epms[outl]),&padl);
   1174 			outl += padl;
   1175 			if (outl > (int)sizeof epms)
   1176 				{
   1177 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
   1178 				goto err;
   1179 				}
   1180 			EVP_CIPHER_CTX_cleanup(&ciph_ctx);
   1181 
   1182 			/*  KerberosWrapper.EncryptedPreMasterSecret	*/
   1183 			s2n(outl,p);
   1184 			memcpy(p, epms, outl);
   1185 			p+=outl;
   1186 			n+=outl + 2;
   1187 
   1188                         s->session->master_key_length=
   1189                                 s->method->ssl3_enc->generate_master_secret(s,
   1190 					s->session->master_key,
   1191 					tmp_buf, sizeof tmp_buf);
   1192 
   1193 			OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
   1194 			OPENSSL_cleanse(epms, outl);
   1195                         }
   1196 #endif
   1197 #ifndef OPENSSL_NO_DH
   1198 		else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
   1199 			{
   1200 			DH *dh_srvr,*dh_clnt;
   1201 
   1202 			if (s->session->sess_cert == NULL)
   1203 				{
   1204 				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
   1205 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
   1206 				goto err;
   1207 				}
   1208 
   1209 			if (s->session->sess_cert->peer_dh_tmp != NULL)
   1210 				dh_srvr=s->session->sess_cert->peer_dh_tmp;
   1211 			else
   1212 				{
   1213 				/* we get them from the cert */
   1214 				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
   1215 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
   1216 				goto err;
   1217 				}
   1218 
   1219 			/* generate a new random key */
   1220 			if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
   1221 				{
   1222 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
   1223 				goto err;
   1224 				}
   1225 			if (!DH_generate_key(dh_clnt))
   1226 				{
   1227 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
   1228 				goto err;
   1229 				}
   1230 
   1231 			/* use the 'p' output buffer for the DH key, but
   1232 			 * make sure to clear it out afterwards */
   1233 
   1234 			n=DH_compute_key(p,dh_srvr->pub_key,dh_clnt);
   1235 
   1236 			if (n <= 0)
   1237 				{
   1238 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
   1239 				goto err;
   1240 				}
   1241 
   1242 			/* generate master key from the result */
   1243 			s->session->master_key_length=
   1244 				s->method->ssl3_enc->generate_master_secret(s,
   1245 					s->session->master_key,p,n);
   1246 			/* clean up */
   1247 			memset(p,0,n);
   1248 
   1249 			/* send off the data */
   1250 			n=BN_num_bytes(dh_clnt->pub_key);
   1251 			s2n(n,p);
   1252 			BN_bn2bin(dh_clnt->pub_key,p);
   1253 			n+=2;
   1254 
   1255 			DH_free(dh_clnt);
   1256 
   1257 			/* perhaps clean things up a bit EAY EAY EAY EAY*/
   1258 			}
   1259 #endif
   1260 #ifndef OPENSSL_NO_ECDH
   1261 		else if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe))
   1262 			{
   1263 			const EC_GROUP *srvr_group = NULL;
   1264 			EC_KEY *tkey;
   1265 			int ecdh_clnt_cert = 0;
   1266 			int field_size = 0;
   1267 
   1268 			if (s->session->sess_cert == NULL)
   1269 				{
   1270 				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
   1271 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
   1272 				goto err;
   1273 				}
   1274 
   1275 			/* Did we send out the client's
   1276 			 * ECDH share for use in premaster
   1277 			 * computation as part of client certificate?
   1278 			 * If so, set ecdh_clnt_cert to 1.
   1279 			 */
   1280 			if ((alg_k & (SSL_kECDHr|SSL_kECDHe)) && (s->cert != NULL))
   1281 				{
   1282 				/* XXX: For now, we do not support client
   1283 				 * authentication using ECDH certificates.
   1284 				 * To add such support, one needs to add
   1285 				 * code that checks for appropriate
   1286 				 * conditions and sets ecdh_clnt_cert to 1.
   1287 				 * For example, the cert have an ECC
   1288 				 * key on the same curve as the server's
   1289 				 * and the key should be authorized for
   1290 				 * key agreement.
   1291 				 *
   1292 				 * One also needs to add code in ssl3_connect
   1293 				 * to skip sending the certificate verify
   1294 				 * message.
   1295 				 *
   1296 				 * if ((s->cert->key->privatekey != NULL) &&
   1297 				 *     (s->cert->key->privatekey->type ==
   1298 				 *      EVP_PKEY_EC) && ...)
   1299 				 * ecdh_clnt_cert = 1;
   1300 				 */
   1301 				}
   1302 
   1303 			if (s->session->sess_cert->peer_ecdh_tmp != NULL)
   1304 				{
   1305 				tkey = s->session->sess_cert->peer_ecdh_tmp;
   1306 				}
   1307 			else
   1308 				{
   1309 				/* Get the Server Public Key from Cert */
   1310 				srvr_pub_pkey = X509_get_pubkey(s->session-> \
   1311 				    sess_cert->peer_pkeys[SSL_PKEY_ECC].x509);
   1312 				if ((srvr_pub_pkey == NULL) ||
   1313 				    (srvr_pub_pkey->type != EVP_PKEY_EC) ||
   1314 				    (srvr_pub_pkey->pkey.ec == NULL))
   1315 					{
   1316 					SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
   1317 					    ERR_R_INTERNAL_ERROR);
   1318 					goto err;
   1319 					}
   1320 
   1321 				tkey = srvr_pub_pkey->pkey.ec;
   1322 				}
   1323 
   1324 			srvr_group   = EC_KEY_get0_group(tkey);
   1325 			srvr_ecpoint = EC_KEY_get0_public_key(tkey);
   1326 
   1327 			if ((srvr_group == NULL) || (srvr_ecpoint == NULL))
   1328 				{
   1329 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
   1330 				    ERR_R_INTERNAL_ERROR);
   1331 				goto err;
   1332 				}
   1333 
   1334 			if ((clnt_ecdh=EC_KEY_new()) == NULL)
   1335 				{
   1336 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
   1337 				goto err;
   1338 				}
   1339 
   1340 			if (!EC_KEY_set_group(clnt_ecdh, srvr_group))
   1341 				{
   1342 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
   1343 				goto err;
   1344 				}
   1345 			if (ecdh_clnt_cert)
   1346 				{
   1347 				/* Reuse key info from our certificate
   1348 				 * We only need our private key to perform
   1349 				 * the ECDH computation.
   1350 				 */
   1351 				const BIGNUM *priv_key;
   1352 				tkey = s->cert->key->privatekey->pkey.ec;
   1353 				priv_key = EC_KEY_get0_private_key(tkey);
   1354 				if (priv_key == NULL)
   1355 					{
   1356 					SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
   1357 					goto err;
   1358 					}
   1359 				if (!EC_KEY_set_private_key(clnt_ecdh, priv_key))
   1360 					{
   1361 					SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_EC_LIB);
   1362 					goto err;
   1363 					}
   1364 				}
   1365 			else
   1366 				{
   1367 				/* Generate a new ECDH key pair */
   1368 				if (!(EC_KEY_generate_key(clnt_ecdh)))
   1369 					{
   1370 					SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_ECDH_LIB);
   1371 					goto err;
   1372 					}
   1373 				}
   1374 
   1375 			/* use the 'p' output buffer for the ECDH key, but
   1376 			 * make sure to clear it out afterwards
   1377 			 */
   1378 
   1379 			field_size = EC_GROUP_get_degree(srvr_group);
   1380 			if (field_size <= 0)
   1381 				{
   1382 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
   1383 				       ERR_R_ECDH_LIB);
   1384 				goto err;
   1385 				}
   1386 			n=ECDH_compute_key(p, (field_size+7)/8, srvr_ecpoint, clnt_ecdh, NULL);
   1387 			if (n <= 0)
   1388 				{
   1389 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
   1390 				       ERR_R_ECDH_LIB);
   1391 				goto err;
   1392 				}
   1393 
   1394 			/* generate master key from the result */
   1395 			s->session->master_key_length = s->method->ssl3_enc \
   1396 			    -> generate_master_secret(s,
   1397 				s->session->master_key,
   1398 				p, n);
   1399 
   1400 			memset(p, 0, n); /* clean up */
   1401 
   1402 			if (ecdh_clnt_cert)
   1403 				{
   1404 				/* Send empty client key exch message */
   1405 				n = 0;
   1406 				}
   1407 			else
   1408 				{
   1409 				/* First check the size of encoding and
   1410 				 * allocate memory accordingly.
   1411 				 */
   1412 				encoded_pt_len =
   1413 				    EC_POINT_point2oct(srvr_group,
   1414 					EC_KEY_get0_public_key(clnt_ecdh),
   1415 					POINT_CONVERSION_UNCOMPRESSED,
   1416 					NULL, 0, NULL);
   1417 
   1418 				encodedPoint = (unsigned char *)
   1419 				    OPENSSL_malloc(encoded_pt_len *
   1420 					sizeof(unsigned char));
   1421 				bn_ctx = BN_CTX_new();
   1422 				if ((encodedPoint == NULL) ||
   1423 				    (bn_ctx == NULL))
   1424 					{
   1425 					SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
   1426 					goto err;
   1427 					}
   1428 
   1429 				/* Encode the public key */
   1430 				n = EC_POINT_point2oct(srvr_group,
   1431 				    EC_KEY_get0_public_key(clnt_ecdh),
   1432 				    POINT_CONVERSION_UNCOMPRESSED,
   1433 				    encodedPoint, encoded_pt_len, bn_ctx);
   1434 
   1435 				*p = n; /* length of encoded point */
   1436 				/* Encoded point will be copied here */
   1437 				p += 1;
   1438 				/* copy the point */
   1439 				memcpy((unsigned char *)p, encodedPoint, n);
   1440 				/* increment n to account for length field */
   1441 				n += 1;
   1442 				}
   1443 
   1444 			/* Free allocated memory */
   1445 			BN_CTX_free(bn_ctx);
   1446 			if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
   1447 			if (clnt_ecdh != NULL)
   1448 				 EC_KEY_free(clnt_ecdh);
   1449 			EVP_PKEY_free(srvr_pub_pkey);
   1450 			}
   1451 #endif /* !OPENSSL_NO_ECDH */
   1452 
   1453 #ifndef OPENSSL_NO_PSK
   1454 		else if (alg_k & SSL_kPSK)
   1455 			{
   1456 			char identity[PSK_MAX_IDENTITY_LEN];
   1457 			unsigned char *t = NULL;
   1458 			unsigned char psk_or_pre_ms[PSK_MAX_PSK_LEN*2+4];
   1459 			unsigned int pre_ms_len = 0, psk_len = 0;
   1460 			int psk_err = 1;
   1461 
   1462 			n = 0;
   1463 			if (s->psk_client_callback == NULL)
   1464 				{
   1465 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
   1466 					SSL_R_PSK_NO_CLIENT_CB);
   1467 				goto err;
   1468 				}
   1469 
   1470 			psk_len = s->psk_client_callback(s, s->session->psk_identity_hint,
   1471 				identity, PSK_MAX_IDENTITY_LEN,
   1472 				psk_or_pre_ms, sizeof(psk_or_pre_ms));
   1473 			if (psk_len > PSK_MAX_PSK_LEN)
   1474 				{
   1475 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
   1476 					ERR_R_INTERNAL_ERROR);
   1477 				goto psk_err;
   1478 				}
   1479 			else if (psk_len == 0)
   1480 				{
   1481 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
   1482 					SSL_R_PSK_IDENTITY_NOT_FOUND);
   1483 				goto psk_err;
   1484 				}
   1485 
   1486 			/* create PSK pre_master_secret */
   1487 			pre_ms_len = 2+psk_len+2+psk_len;
   1488 			t = psk_or_pre_ms;
   1489 			memmove(psk_or_pre_ms+psk_len+4, psk_or_pre_ms, psk_len);
   1490 			s2n(psk_len, t);
   1491 			memset(t, 0, psk_len);
   1492 			t+=psk_len;
   1493 			s2n(psk_len, t);
   1494 
   1495 			if (s->session->psk_identity != NULL)
   1496 				OPENSSL_free(s->session->psk_identity);
   1497 			s->session->psk_identity = BUF_strdup(identity);
   1498 			if (s->session->psk_identity == NULL)
   1499 				{
   1500 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
   1501 					ERR_R_MALLOC_FAILURE);
   1502 				goto psk_err;
   1503 				}
   1504 
   1505 			s->session->master_key_length =
   1506 				s->method->ssl3_enc->generate_master_secret(s,
   1507 					s->session->master_key,
   1508 					psk_or_pre_ms, pre_ms_len);
   1509 			n = strlen(identity);
   1510 			s2n(n, p);
   1511 			memcpy(p, identity, n);
   1512 			n+=2;
   1513 			psk_err = 0;
   1514 		psk_err:
   1515 			OPENSSL_cleanse(identity, PSK_MAX_IDENTITY_LEN);
   1516 			OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
   1517 			if (psk_err != 0)
   1518 				{
   1519 				ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
   1520 				goto err;
   1521 				}
   1522 			}
   1523 #endif
   1524 		else
   1525 			{
   1526 			ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
   1527 			SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
   1528 			goto err;
   1529 			}
   1530 
   1531 		d = dtls1_set_message_header(s, d,
   1532 		SSL3_MT_CLIENT_KEY_EXCHANGE, n, 0, n);
   1533 		/*
   1534 		 *(d++)=SSL3_MT_CLIENT_KEY_EXCHANGE;
   1535 		 l2n3(n,d);
   1536 		 l2n(s->d1->handshake_write_seq,d);
   1537 		 s->d1->handshake_write_seq++;
   1538 		*/
   1539 
   1540 		s->state=SSL3_ST_CW_KEY_EXCH_B;
   1541 		/* number of bytes to write */
   1542 		s->init_num=n+DTLS1_HM_HEADER_LENGTH;
   1543 		s->init_off=0;
   1544 
   1545 		/* buffer the message to handle re-xmits */
   1546 		dtls1_buffer_message(s, 0);
   1547 		}
   1548 
   1549 	/* SSL3_ST_CW_KEY_EXCH_B */
   1550 	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
   1551 err:
   1552 #ifndef OPENSSL_NO_ECDH
   1553 	BN_CTX_free(bn_ctx);
   1554 	if (encodedPoint != NULL) OPENSSL_free(encodedPoint);
   1555 	if (clnt_ecdh != NULL)
   1556 		EC_KEY_free(clnt_ecdh);
   1557 	EVP_PKEY_free(srvr_pub_pkey);
   1558 #endif
   1559 	return(-1);
   1560 	}
   1561 
   1562 int dtls1_send_client_verify(SSL *s)
   1563 	{
   1564 	unsigned char *p,*d;
   1565 	unsigned char data[MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
   1566 	EVP_PKEY *pkey;
   1567 #ifndef OPENSSL_NO_RSA
   1568 	unsigned u=0;
   1569 #endif
   1570 	unsigned long n;
   1571 #if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
   1572 	int j;
   1573 #endif
   1574 
   1575 	if (s->state == SSL3_ST_CW_CERT_VRFY_A)
   1576 		{
   1577 		d=(unsigned char *)s->init_buf->data;
   1578 		p= &(d[DTLS1_HM_HEADER_LENGTH]);
   1579 		pkey=s->cert->key->privatekey;
   1580 
   1581 		s->method->ssl3_enc->cert_verify_mac(s,
   1582 		NID_sha1,
   1583 			&(data[MD5_DIGEST_LENGTH]));
   1584 
   1585 #ifndef OPENSSL_NO_RSA
   1586 		if (pkey->type == EVP_PKEY_RSA)
   1587 			{
   1588 			s->method->ssl3_enc->cert_verify_mac(s,
   1589 				NID_md5,
   1590 				&(data[0]));
   1591 			if (RSA_sign(NID_md5_sha1, data,
   1592 					 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
   1593 					&(p[2]), &u, pkey->pkey.rsa) <= 0 )
   1594 				{
   1595 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
   1596 				goto err;
   1597 				}
   1598 			s2n(u,p);
   1599 			n=u+2;
   1600 			}
   1601 		else
   1602 #endif
   1603 #ifndef OPENSSL_NO_DSA
   1604 			if (pkey->type == EVP_PKEY_DSA)
   1605 			{
   1606 			if (!DSA_sign(pkey->save_type,
   1607 				&(data[MD5_DIGEST_LENGTH]),
   1608 				SHA_DIGEST_LENGTH,&(p[2]),
   1609 				(unsigned int *)&j,pkey->pkey.dsa))
   1610 				{
   1611 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
   1612 				goto err;
   1613 				}
   1614 			s2n(j,p);
   1615 			n=j+2;
   1616 			}
   1617 		else
   1618 #endif
   1619 #ifndef OPENSSL_NO_ECDSA
   1620 			if (pkey->type == EVP_PKEY_EC)
   1621 			{
   1622 			if (!ECDSA_sign(pkey->save_type,
   1623 				&(data[MD5_DIGEST_LENGTH]),
   1624 				SHA_DIGEST_LENGTH,&(p[2]),
   1625 				(unsigned int *)&j,pkey->pkey.ec))
   1626 				{
   1627 				SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,
   1628 				    ERR_R_ECDSA_LIB);
   1629 				goto err;
   1630 				}
   1631 			s2n(j,p);
   1632 			n=j+2;
   1633 			}
   1634 		else
   1635 #endif
   1636 			{
   1637 			SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR);
   1638 			goto err;
   1639 			}
   1640 
   1641 		d = dtls1_set_message_header(s, d,
   1642 			SSL3_MT_CERTIFICATE_VERIFY, n, 0, n) ;
   1643 
   1644 		s->init_num=(int)n+DTLS1_HM_HEADER_LENGTH;
   1645 		s->init_off=0;
   1646 
   1647 		/* buffer the message to handle re-xmits */
   1648 		dtls1_buffer_message(s, 0);
   1649 
   1650 		s->state = SSL3_ST_CW_CERT_VRFY_B;
   1651 		}
   1652 
   1653 	/* s->state = SSL3_ST_CW_CERT_VRFY_B */
   1654 	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
   1655 err:
   1656 	return(-1);
   1657 	}
   1658 
   1659 int dtls1_send_client_certificate(SSL *s)
   1660 	{
   1661 	X509 *x509=NULL;
   1662 	EVP_PKEY *pkey=NULL;
   1663 	int i;
   1664 	unsigned long l;
   1665 
   1666 	if (s->state ==	SSL3_ST_CW_CERT_A)
   1667 		{
   1668 		if ((s->cert == NULL) ||
   1669 			(s->cert->key->x509 == NULL) ||
   1670 			(s->cert->key->privatekey == NULL))
   1671 			s->state=SSL3_ST_CW_CERT_B;
   1672 		else
   1673 			s->state=SSL3_ST_CW_CERT_C;
   1674 		}
   1675 
   1676 	/* We need to get a client cert */
   1677 	if (s->state == SSL3_ST_CW_CERT_B)
   1678 		{
   1679 		/* If we get an error, we need to
   1680 		 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
   1681 		 * We then get retied later */
   1682 		i=0;
   1683 		i = ssl_do_client_cert_cb(s, &x509, &pkey);
   1684 		if (i < 0)
   1685 			{
   1686 			s->rwstate=SSL_X509_LOOKUP;
   1687 			return(-1);
   1688 			}
   1689 		s->rwstate=SSL_NOTHING;
   1690 		if ((i == 1) && (pkey != NULL) && (x509 != NULL))
   1691 			{
   1692 			s->state=SSL3_ST_CW_CERT_B;
   1693 			if (	!SSL_use_certificate(s,x509) ||
   1694 				!SSL_use_PrivateKey(s,pkey))
   1695 				i=0;
   1696 			}
   1697 		else if (i == 1)
   1698 			{
   1699 			i=0;
   1700 			SSLerr(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
   1701 			}
   1702 
   1703 		if (x509 != NULL) X509_free(x509);
   1704 		if (pkey != NULL) EVP_PKEY_free(pkey);
   1705 		if (i == 0)
   1706 			{
   1707 			if (s->version == SSL3_VERSION)
   1708 				{
   1709 				s->s3->tmp.cert_req=0;
   1710 				ssl3_send_alert(s,SSL3_AL_WARNING,SSL_AD_NO_CERTIFICATE);
   1711 				return(1);
   1712 				}
   1713 			else
   1714 				{
   1715 				s->s3->tmp.cert_req=2;
   1716 				}
   1717 			}
   1718 
   1719 		/* Ok, we have a cert */
   1720 		s->state=SSL3_ST_CW_CERT_C;
   1721 		}
   1722 
   1723 	if (s->state == SSL3_ST_CW_CERT_C)
   1724 		{
   1725 		s->state=SSL3_ST_CW_CERT_D;
   1726 		l=dtls1_output_cert_chain(s,
   1727 			(s->s3->tmp.cert_req == 2)?NULL:s->cert->key->x509);
   1728 		s->init_num=(int)l;
   1729 		s->init_off=0;
   1730 
   1731 		/* set header called by dtls1_output_cert_chain() */
   1732 
   1733 		/* buffer the message to handle re-xmits */
   1734 		dtls1_buffer_message(s, 0);
   1735 		}
   1736 	/* SSL3_ST_CW_CERT_D */
   1737 	return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
   1738 	}
   1739