Line data Source code
1 : /* ssl/d1_both.c */
2 : /*
3 : * DTLS implementation written by Nagendra Modadugu
4 : * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
5 : */
6 : /* ====================================================================
7 : * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
8 : *
9 : * Redistribution and use in source and binary forms, with or without
10 : * modification, are permitted provided that the following conditions
11 : * are met:
12 : *
13 : * 1. Redistributions of source code must retain the above copyright
14 : * notice, this list of conditions and the following disclaimer.
15 : *
16 : * 2. Redistributions in binary form must reproduce the above copyright
17 : * notice, this list of conditions and the following disclaimer in
18 : * the documentation and/or other materials provided with the
19 : * distribution.
20 : *
21 : * 3. All advertising materials mentioning features or use of this
22 : * software must display the following acknowledgment:
23 : * "This product includes software developed by the OpenSSL Project
24 : * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
25 : *
26 : * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 : * endorse or promote products derived from this software without
28 : * prior written permission. For written permission, please contact
29 : * openssl-core@openssl.org.
30 : *
31 : * 5. Products derived from this software may not be called "OpenSSL"
32 : * nor may "OpenSSL" appear in their names without prior written
33 : * permission of the OpenSSL Project.
34 : *
35 : * 6. Redistributions of any form whatsoever must retain the following
36 : * acknowledgment:
37 : * "This product includes software developed by the OpenSSL Project
38 : * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
39 : *
40 : * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 : * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 : * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 : * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 : * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 : * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 : * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 : * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 : * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 : * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 : * OF THE POSSIBILITY OF SUCH DAMAGE.
52 : * ====================================================================
53 : *
54 : * This product includes cryptographic software written by Eric Young
55 : * (eay@cryptsoft.com). This product includes software written by Tim
56 : * Hudson (tjh@cryptsoft.com).
57 : *
58 : */
59 : /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
60 : * All rights reserved.
61 : *
62 : * This package is an SSL implementation written
63 : * by Eric Young (eay@cryptsoft.com).
64 : * The implementation was written so as to conform with Netscapes SSL.
65 : *
66 : * This library is free for commercial and non-commercial use as long as
67 : * the following conditions are aheared to. The following conditions
68 : * apply to all code found in this distribution, be it the RC4, RSA,
69 : * lhash, DES, etc., code; not just the SSL code. The SSL documentation
70 : * included with this distribution is covered by the same copyright terms
71 : * except that the holder is Tim Hudson (tjh@cryptsoft.com).
72 : *
73 : * Copyright remains Eric Young's, and as such any Copyright notices in
74 : * the code are not to be removed.
75 : * If this package is used in a product, Eric Young should be given attribution
76 : * as the author of the parts of the library used.
77 : * This can be in the form of a textual message at program startup or
78 : * in documentation (online or textual) provided with the package.
79 : *
80 : * Redistribution and use in source and binary forms, with or without
81 : * modification, are permitted provided that the following conditions
82 : * are met:
83 : * 1. Redistributions of source code must retain the copyright
84 : * notice, this list of conditions and the following disclaimer.
85 : * 2. Redistributions in binary form must reproduce the above copyright
86 : * notice, this list of conditions and the following disclaimer in the
87 : * documentation and/or other materials provided with the distribution.
88 : * 3. All advertising materials mentioning features or use of this software
89 : * must display the following acknowledgement:
90 : * "This product includes cryptographic software written by
91 : * Eric Young (eay@cryptsoft.com)"
92 : * The word 'cryptographic' can be left out if the rouines from the library
93 : * being used are not cryptographic related :-).
94 : * 4. If you include any Windows specific code (or a derivative thereof) from
95 : * the apps directory (application code) you must include an acknowledgement:
96 : * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
97 : *
98 : * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
99 : * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
100 : * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
101 : * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
102 : * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
103 : * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
104 : * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
105 : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
106 : * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
107 : * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
108 : * SUCH DAMAGE.
109 : *
110 : * The licence and distribution terms for any publically available version or
111 : * derivative of this code cannot be changed. i.e. this code cannot simply be
112 : * copied and put under another distribution licence
113 : * [including the GNU Public Licence.]
114 : */
115 :
116 : #include <limits.h>
117 : #include <string.h>
118 : #include <stdio.h>
119 : #include "ssl_locl.h"
120 : #include <openssl/buffer.h>
121 : #include <openssl/rand.h>
122 : #include <openssl/objects.h>
123 : #include <openssl/evp.h>
124 : #include <openssl/x509.h>
125 :
126 : #define RSMBLY_BITMASK_SIZE(msg_len) (((msg_len) + 7) / 8)
127 :
128 : #define RSMBLY_BITMASK_MARK(bitmask, start, end) { \
129 : if ((end) - (start) <= 8) { \
130 : long ii; \
131 : for (ii = (start); ii < (end); ii++) bitmask[((ii) >> 3)] |= (1 << ((ii) & 7)); \
132 : } else { \
133 : long ii; \
134 : bitmask[((start) >> 3)] |= bitmask_start_values[((start) & 7)]; \
135 : for (ii = (((start) >> 3) + 1); ii < ((((end) - 1)) >> 3); ii++) bitmask[ii] = 0xff; \
136 : bitmask[(((end) - 1) >> 3)] |= bitmask_end_values[((end) & 7)]; \
137 : } }
138 :
139 : #define RSMBLY_BITMASK_IS_COMPLETE(bitmask, msg_len, is_complete) { \
140 : long ii; \
141 : OPENSSL_assert((msg_len) > 0); \
142 : is_complete = 1; \
143 : if (bitmask[(((msg_len) - 1) >> 3)] != bitmask_end_values[((msg_len) & 7)]) is_complete = 0; \
144 : if (is_complete) for (ii = (((msg_len) - 1) >> 3) - 1; ii >= 0 ; ii--) \
145 : if (bitmask[ii] != 0xff) { is_complete = 0; break; } }
146 :
147 : #if 0
148 : # define RSMBLY_BITMASK_PRINT(bitmask, msg_len) { \
149 : long ii; \
150 : printf("bitmask: "); for (ii = 0; ii < (msg_len); ii++) \
151 : printf("%d ", (bitmask[ii >> 3] & (1 << (ii & 7))) >> (ii & 7)); \
152 : printf("\n"); }
153 : #endif
154 :
155 : static unsigned char bitmask_start_values[] =
156 : { 0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80 };
157 : static unsigned char bitmask_end_values[] =
158 : { 0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f };
159 :
160 : /* XDTLS: figure out the right values */
161 : static const unsigned int g_probable_mtu[] = { 1500, 512, 256 };
162 :
163 : static void dtls1_fix_message_header(SSL *s, unsigned long frag_off,
164 : unsigned long frag_len);
165 : static unsigned char *dtls1_write_message_header(SSL *s, unsigned char *p);
166 : static void dtls1_set_message_header_int(SSL *s, unsigned char mt,
167 : unsigned long len,
168 : unsigned short seq_num,
169 : unsigned long frag_off,
170 : unsigned long frag_len);
171 : static long dtls1_get_message_fragment(SSL *s, int st1, int stn, long max,
172 : int *ok);
173 :
174 0 : static hm_fragment *dtls1_hm_fragment_new(unsigned long frag_len,
175 : int reassembly)
176 : {
177 : hm_fragment *frag = NULL;
178 : unsigned char *buf = NULL;
179 : unsigned char *bitmask = NULL;
180 :
181 0 : frag = (hm_fragment *)OPENSSL_malloc(sizeof(hm_fragment));
182 0 : if (frag == NULL)
183 : return NULL;
184 :
185 0 : if (frag_len) {
186 0 : buf = (unsigned char *)OPENSSL_malloc(frag_len);
187 0 : if (buf == NULL) {
188 0 : OPENSSL_free(frag);
189 0 : return NULL;
190 : }
191 : }
192 :
193 : /* zero length fragment gets zero frag->fragment */
194 0 : frag->fragment = buf;
195 :
196 : /* Initialize reassembly bitmask if necessary */
197 0 : if (reassembly) {
198 0 : bitmask =
199 0 : (unsigned char *)OPENSSL_malloc(RSMBLY_BITMASK_SIZE(frag_len));
200 0 : if (bitmask == NULL) {
201 0 : if (buf != NULL)
202 0 : OPENSSL_free(buf);
203 0 : OPENSSL_free(frag);
204 0 : return NULL;
205 : }
206 : memset(bitmask, 0, RSMBLY_BITMASK_SIZE(frag_len));
207 : }
208 :
209 0 : frag->reassembly = bitmask;
210 :
211 0 : return frag;
212 : }
213 :
214 0 : void dtls1_hm_fragment_free(hm_fragment *frag)
215 : {
216 :
217 0 : if (frag->msg_header.is_ccs) {
218 0 : EVP_CIPHER_CTX_free(frag->msg_header.
219 : saved_retransmit_state.enc_write_ctx);
220 0 : EVP_MD_CTX_destroy(frag->msg_header.
221 : saved_retransmit_state.write_hash);
222 : }
223 0 : if (frag->fragment)
224 0 : OPENSSL_free(frag->fragment);
225 0 : if (frag->reassembly)
226 0 : OPENSSL_free(frag->reassembly);
227 0 : OPENSSL_free(frag);
228 0 : }
229 :
230 0 : static int dtls1_query_mtu(SSL *s)
231 : {
232 0 : if (s->d1->link_mtu) {
233 0 : s->d1->mtu =
234 0 : s->d1->link_mtu - BIO_dgram_get_mtu_overhead(SSL_get_wbio(s));
235 0 : s->d1->link_mtu = 0;
236 : }
237 :
238 : /* AHA! Figure out the MTU, and stick to the right size */
239 0 : if (s->d1->mtu < dtls1_min_mtu(s)) {
240 0 : if (!(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) {
241 0 : s->d1->mtu =
242 0 : BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
243 :
244 : /*
245 : * I've seen the kernel return bogus numbers when it doesn't know
246 : * (initial write), so just make sure we have a reasonable number
247 : */
248 0 : if (s->d1->mtu < dtls1_min_mtu(s)) {
249 : /* Set to min mtu */
250 0 : s->d1->mtu = dtls1_min_mtu(s);
251 0 : BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SET_MTU,
252 0 : s->d1->mtu, NULL);
253 : }
254 : } else
255 : return 0;
256 : }
257 : return 1;
258 : }
259 :
260 : /*
261 : * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
262 : * SSL3_RT_CHANGE_CIPHER_SPEC)
263 : */
264 0 : int dtls1_do_write(SSL *s, int type)
265 : {
266 : int ret;
267 : unsigned int curr_mtu;
268 : int retry = 1;
269 : unsigned int len, frag_off, mac_size, blocksize, used_len;
270 :
271 0 : if (!dtls1_query_mtu(s))
272 : return -1;
273 :
274 0 : OPENSSL_assert(s->d1->mtu >= dtls1_min_mtu(s)); /* should have something
275 : * reasonable now */
276 :
277 0 : if (s->init_off == 0 && type == SSL3_RT_HANDSHAKE)
278 0 : OPENSSL_assert(s->init_num ==
279 : (int)s->d1->w_msg_hdr.msg_len +
280 : DTLS1_HM_HEADER_LENGTH);
281 :
282 0 : if (s->write_hash) {
283 0 : if (s->enc_write_ctx
284 0 : && EVP_CIPHER_CTX_mode(s->enc_write_ctx) == EVP_CIPH_GCM_MODE)
285 : mac_size = 0;
286 : else
287 0 : mac_size = EVP_MD_CTX_size(s->write_hash);
288 : } else
289 : mac_size = 0;
290 :
291 0 : if (s->enc_write_ctx &&
292 0 : (EVP_CIPHER_CTX_mode(s->enc_write_ctx) == EVP_CIPH_CBC_MODE))
293 0 : blocksize = 2 * EVP_CIPHER_block_size(s->enc_write_ctx->cipher);
294 : else
295 : blocksize = 0;
296 :
297 : frag_off = 0;
298 : /* s->init_num shouldn't ever be < 0...but just in case */
299 0 : while (s->init_num > 0) {
300 0 : used_len = BIO_wpending(SSL_get_wbio(s)) + DTLS1_RT_HEADER_LENGTH
301 0 : + mac_size + blocksize;
302 0 : if (s->d1->mtu > used_len)
303 0 : curr_mtu = s->d1->mtu - used_len;
304 : else
305 : curr_mtu = 0;
306 :
307 0 : if (curr_mtu <= DTLS1_HM_HEADER_LENGTH) {
308 : /*
309 : * grr.. we could get an error if MTU picked was wrong
310 : */
311 0 : ret = BIO_flush(SSL_get_wbio(s));
312 0 : if (ret <= 0)
313 : return ret;
314 0 : used_len = DTLS1_RT_HEADER_LENGTH + mac_size + blocksize;
315 0 : if (s->d1->mtu > used_len + DTLS1_HM_HEADER_LENGTH) {
316 0 : curr_mtu = s->d1->mtu - used_len;
317 : } else {
318 : /* Shouldn't happen */
319 : return -1;
320 : }
321 : }
322 :
323 : /*
324 : * We just checked that s->init_num > 0 so this cast should be safe
325 : */
326 0 : if (((unsigned int)s->init_num) > curr_mtu)
327 : len = curr_mtu;
328 : else
329 : len = s->init_num;
330 :
331 : /* Shouldn't ever happen */
332 0 : if (len > INT_MAX)
333 : len = INT_MAX;
334 :
335 : /*
336 : * XDTLS: this function is too long. split out the CCS part
337 : */
338 0 : if (type == SSL3_RT_HANDSHAKE) {
339 0 : if (s->init_off != 0) {
340 0 : OPENSSL_assert(s->init_off > DTLS1_HM_HEADER_LENGTH);
341 0 : s->init_off -= DTLS1_HM_HEADER_LENGTH;
342 0 : s->init_num += DTLS1_HM_HEADER_LENGTH;
343 :
344 : /*
345 : * We just checked that s->init_num > 0 so this cast should
346 : * be safe
347 : */
348 0 : if (((unsigned int)s->init_num) > curr_mtu)
349 : len = curr_mtu;
350 : else
351 : len = s->init_num;
352 : }
353 :
354 : /* Shouldn't ever happen */
355 0 : if (len > INT_MAX)
356 : len = INT_MAX;
357 :
358 0 : if (len < DTLS1_HM_HEADER_LENGTH) {
359 : /*
360 : * len is so small that we really can't do anything sensible
361 : * so fail
362 : */
363 : return -1;
364 : }
365 0 : dtls1_fix_message_header(s, frag_off,
366 0 : len - DTLS1_HM_HEADER_LENGTH);
367 :
368 0 : dtls1_write_message_header(s,
369 0 : (unsigned char *)&s->init_buf->
370 0 : data[s->init_off]);
371 : }
372 :
373 0 : ret = dtls1_write_bytes(s, type, &s->init_buf->data[s->init_off],
374 : len);
375 0 : if (ret < 0) {
376 : /*
377 : * might need to update MTU here, but we don't know which
378 : * previous packet caused the failure -- so can't really
379 : * retransmit anything. continue as if everything is fine and
380 : * wait for an alert to handle the retransmit
381 : */
382 0 : if (retry && BIO_ctrl(SSL_get_wbio(s),
383 : BIO_CTRL_DGRAM_MTU_EXCEEDED, 0, NULL) > 0) {
384 0 : if (!(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) {
385 0 : if (!dtls1_query_mtu(s))
386 : return -1;
387 : /* Have one more go */
388 : retry = 0;
389 : } else
390 : return -1;
391 : } else {
392 : return (-1);
393 : }
394 : } else {
395 :
396 : /*
397 : * bad if this assert fails, only part of the handshake message
398 : * got sent. but why would this happen?
399 : */
400 0 : OPENSSL_assert(len == (unsigned int)ret);
401 :
402 0 : if (type == SSL3_RT_HANDSHAKE && !s->d1->retransmitting) {
403 : /*
404 : * should not be done for 'Hello Request's, but in that case
405 : * we'll ignore the result anyway
406 : */
407 0 : unsigned char *p =
408 0 : (unsigned char *)&s->init_buf->data[s->init_off];
409 : const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
410 : int xlen;
411 :
412 0 : if (frag_off == 0 && s->version != DTLS1_BAD_VER) {
413 : /*
414 : * reconstruct message header is if it is being sent in
415 : * single fragment
416 : */
417 0 : *p++ = msg_hdr->type;
418 0 : l2n3(msg_hdr->msg_len, p);
419 0 : s2n(msg_hdr->seq, p);
420 0 : l2n3(0, p);
421 0 : l2n3(msg_hdr->msg_len, p);
422 : p -= DTLS1_HM_HEADER_LENGTH;
423 0 : xlen = ret;
424 : } else {
425 0 : p += DTLS1_HM_HEADER_LENGTH;
426 0 : xlen = ret - DTLS1_HM_HEADER_LENGTH;
427 : }
428 :
429 0 : ssl3_finish_mac(s, p, xlen);
430 : }
431 :
432 0 : if (ret == s->init_num) {
433 0 : if (s->msg_callback)
434 0 : s->msg_callback(1, s->version, type, s->init_buf->data,
435 0 : (size_t)(s->init_off + s->init_num), s,
436 : s->msg_callback_arg);
437 :
438 0 : s->init_off = 0; /* done writing this message */
439 0 : s->init_num = 0;
440 :
441 0 : return (1);
442 : }
443 0 : s->init_off += ret;
444 0 : s->init_num -= ret;
445 0 : frag_off += (ret -= DTLS1_HM_HEADER_LENGTH);
446 : }
447 : }
448 : return (0);
449 : }
450 :
451 : /*
452 : * Obtain handshake message of message type 'mt' (any if mt == -1), maximum
453 : * acceptable body length 'max'. Read an entire handshake message. Handshake
454 : * messages arrive in fragments.
455 : */
456 0 : long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
457 : {
458 : int i, al;
459 : struct hm_header_st *msg_hdr;
460 : unsigned char *p;
461 : unsigned long msg_len;
462 :
463 : /*
464 : * s3->tmp is used to store messages that are unexpected, caused by the
465 : * absence of an optional handshake message
466 : */
467 0 : if (s->s3->tmp.reuse_message) {
468 0 : s->s3->tmp.reuse_message = 0;
469 0 : if ((mt >= 0) && (s->s3->tmp.message_type != mt)) {
470 : al = SSL_AD_UNEXPECTED_MESSAGE;
471 0 : SSLerr(SSL_F_DTLS1_GET_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
472 0 : goto f_err;
473 : }
474 0 : *ok = 1;
475 0 : s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
476 0 : s->init_num = (int)s->s3->tmp.message_size;
477 0 : return s->init_num;
478 : }
479 :
480 0 : msg_hdr = &s->d1->r_msg_hdr;
481 : memset(msg_hdr, 0x00, sizeof(struct hm_header_st));
482 :
483 : again:
484 0 : i = dtls1_get_message_fragment(s, st1, stn, max, ok);
485 0 : if (i == DTLS1_HM_BAD_FRAGMENT || i == DTLS1_HM_FRAGMENT_RETRY) {
486 : /* bad fragment received */
487 : goto again;
488 0 : } else if (i <= 0 && !*ok) {
489 0 : return i;
490 : }
491 :
492 0 : if (mt >= 0 && s->s3->tmp.message_type != mt) {
493 : al = SSL_AD_UNEXPECTED_MESSAGE;
494 0 : SSLerr(SSL_F_DTLS1_GET_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
495 0 : goto f_err;
496 : }
497 :
498 0 : p = (unsigned char *)s->init_buf->data;
499 0 : msg_len = msg_hdr->msg_len;
500 :
501 : /* reconstruct message header */
502 0 : *(p++) = msg_hdr->type;
503 0 : l2n3(msg_len, p);
504 0 : s2n(msg_hdr->seq, p);
505 0 : l2n3(0, p);
506 0 : l2n3(msg_len, p);
507 0 : if (s->version != DTLS1_BAD_VER) {
508 : p -= DTLS1_HM_HEADER_LENGTH;
509 0 : msg_len += DTLS1_HM_HEADER_LENGTH;
510 : }
511 :
512 0 : ssl3_finish_mac(s, p, msg_len);
513 0 : if (s->msg_callback)
514 0 : s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
515 : p, msg_len, s, s->msg_callback_arg);
516 :
517 : memset(msg_hdr, 0x00, sizeof(struct hm_header_st));
518 :
519 : /* Don't change sequence numbers while listening */
520 0 : if (!s->d1->listen)
521 0 : s->d1->handshake_read_seq++;
522 :
523 0 : s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
524 0 : return s->init_num;
525 :
526 : f_err:
527 0 : ssl3_send_alert(s, SSL3_AL_FATAL, al);
528 0 : *ok = 0;
529 0 : return -1;
530 : }
531 :
532 0 : static int dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr,
533 : int max)
534 : {
535 : size_t frag_off, frag_len, msg_len;
536 :
537 0 : msg_len = msg_hdr->msg_len;
538 0 : frag_off = msg_hdr->frag_off;
539 0 : frag_len = msg_hdr->frag_len;
540 :
541 : /* sanity checking */
542 0 : if ((frag_off + frag_len) > msg_len) {
543 0 : SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, SSL_R_EXCESSIVE_MESSAGE_SIZE);
544 0 : return SSL_AD_ILLEGAL_PARAMETER;
545 : }
546 :
547 0 : if ((frag_off + frag_len) > (unsigned long)max) {
548 0 : SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, SSL_R_EXCESSIVE_MESSAGE_SIZE);
549 0 : return SSL_AD_ILLEGAL_PARAMETER;
550 : }
551 :
552 0 : if (s->d1->r_msg_hdr.frag_off == 0) { /* first fragment */
553 : /*
554 : * msg_len is limited to 2^24, but is effectively checked against max
555 : * above
556 : */
557 0 : if (!BUF_MEM_grow_clean
558 0 : (s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH)) {
559 0 : SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB);
560 0 : return SSL_AD_INTERNAL_ERROR;
561 : }
562 :
563 0 : s->s3->tmp.message_size = msg_len;
564 0 : s->d1->r_msg_hdr.msg_len = msg_len;
565 0 : s->s3->tmp.message_type = msg_hdr->type;
566 0 : s->d1->r_msg_hdr.type = msg_hdr->type;
567 0 : s->d1->r_msg_hdr.seq = msg_hdr->seq;
568 0 : } else if (msg_len != s->d1->r_msg_hdr.msg_len) {
569 : /*
570 : * They must be playing with us! BTW, failure to enforce upper limit
571 : * would open possibility for buffer overrun.
572 : */
573 0 : SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, SSL_R_EXCESSIVE_MESSAGE_SIZE);
574 0 : return SSL_AD_ILLEGAL_PARAMETER;
575 : }
576 :
577 : return 0; /* no error */
578 : }
579 :
580 0 : static int dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
581 : {
582 : /*-
583 : * (0) check whether the desired fragment is available
584 : * if so:
585 : * (1) copy over the fragment to s->init_buf->data[]
586 : * (2) update s->init_num
587 : */
588 : pitem *item;
589 : hm_fragment *frag;
590 : int al;
591 :
592 0 : *ok = 0;
593 0 : item = pqueue_peek(s->d1->buffered_messages);
594 0 : if (item == NULL)
595 : return 0;
596 :
597 0 : frag = (hm_fragment *)item->data;
598 :
599 : /* Don't return if reassembly still in progress */
600 0 : if (frag->reassembly != NULL)
601 : return 0;
602 :
603 0 : if (s->d1->handshake_read_seq == frag->msg_header.seq) {
604 0 : unsigned long frag_len = frag->msg_header.frag_len;
605 0 : pqueue_pop(s->d1->buffered_messages);
606 :
607 0 : al = dtls1_preprocess_fragment(s, &frag->msg_header, max);
608 :
609 0 : if (al == 0) { /* no alert */
610 0 : unsigned char *p =
611 0 : (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
612 0 : memcpy(&p[frag->msg_header.frag_off], frag->fragment,
613 : frag->msg_header.frag_len);
614 : }
615 :
616 0 : dtls1_hm_fragment_free(frag);
617 0 : pitem_free(item);
618 :
619 0 : if (al == 0) {
620 0 : *ok = 1;
621 0 : return frag_len;
622 : }
623 :
624 0 : ssl3_send_alert(s, SSL3_AL_FATAL, al);
625 0 : s->init_num = 0;
626 0 : *ok = 0;
627 0 : return -1;
628 : } else
629 : return 0;
630 : }
631 :
632 : /*
633 : * dtls1_max_handshake_message_len returns the maximum number of bytes
634 : * permitted in a DTLS handshake message for |s|. The minimum is 16KB, but
635 : * may be greater if the maximum certificate list size requires it.
636 : */
637 : static unsigned long dtls1_max_handshake_message_len(const SSL *s)
638 : {
639 : unsigned long max_len =
640 : DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
641 0 : if (max_len < (unsigned long)s->max_cert_list)
642 : return s->max_cert_list;
643 : return max_len;
644 : }
645 :
646 : static int
647 0 : dtls1_reassemble_fragment(SSL *s, const struct hm_header_st *msg_hdr, int *ok)
648 : {
649 : hm_fragment *frag = NULL;
650 : pitem *item = NULL;
651 : int i = -1, is_complete;
652 : unsigned char seq64be[8];
653 0 : unsigned long frag_len = msg_hdr->frag_len;
654 :
655 0 : if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len ||
656 : msg_hdr->msg_len > dtls1_max_handshake_message_len(s))
657 : goto err;
658 :
659 0 : if (frag_len == 0)
660 : return DTLS1_HM_FRAGMENT_RETRY;
661 :
662 : /* Try to find item in queue */
663 : memset(seq64be, 0, sizeof(seq64be));
664 0 : seq64be[6] = (unsigned char)(msg_hdr->seq >> 8);
665 0 : seq64be[7] = (unsigned char)msg_hdr->seq;
666 0 : item = pqueue_find(s->d1->buffered_messages, seq64be);
667 :
668 0 : if (item == NULL) {
669 0 : frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 1);
670 0 : if (frag == NULL)
671 : goto err;
672 0 : memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
673 0 : frag->msg_header.frag_len = frag->msg_header.msg_len;
674 0 : frag->msg_header.frag_off = 0;
675 : } else {
676 0 : frag = (hm_fragment *)item->data;
677 0 : if (frag->msg_header.msg_len != msg_hdr->msg_len) {
678 : item = NULL;
679 : frag = NULL;
680 : goto err;
681 : }
682 : }
683 :
684 : /*
685 : * If message is already reassembled, this must be a retransmit and can
686 : * be dropped. In this case item != NULL and so frag does not need to be
687 : * freed.
688 : */
689 0 : if (frag->reassembly == NULL) {
690 : unsigned char devnull[256];
691 :
692 0 : while (frag_len) {
693 0 : i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
694 : devnull,
695 : frag_len >
696 0 : sizeof(devnull) ? sizeof(devnull) :
697 : frag_len, 0);
698 0 : if (i <= 0)
699 : goto err;
700 0 : frag_len -= i;
701 : }
702 0 : return DTLS1_HM_FRAGMENT_RETRY;
703 : }
704 :
705 : /* read the body of the fragment (header has already been read */
706 0 : i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
707 0 : frag->fragment + msg_hdr->frag_off,
708 : frag_len, 0);
709 0 : if ((unsigned long)i != frag_len)
710 : i = -1;
711 0 : if (i <= 0)
712 : goto err;
713 :
714 0 : RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off,
715 : (long)(msg_hdr->frag_off + frag_len));
716 :
717 0 : RSMBLY_BITMASK_IS_COMPLETE(frag->reassembly, (long)msg_hdr->msg_len,
718 : is_complete);
719 :
720 0 : if (is_complete) {
721 0 : OPENSSL_free(frag->reassembly);
722 0 : frag->reassembly = NULL;
723 : }
724 :
725 0 : if (item == NULL) {
726 0 : item = pitem_new(seq64be, frag);
727 0 : if (item == NULL) {
728 : i = -1;
729 : goto err;
730 : }
731 :
732 0 : item = pqueue_insert(s->d1->buffered_messages, item);
733 : /*
734 : * pqueue_insert fails iff a duplicate item is inserted. However,
735 : * |item| cannot be a duplicate. If it were, |pqueue_find|, above,
736 : * would have returned it and control would never have reached this
737 : * branch.
738 : */
739 0 : OPENSSL_assert(item != NULL);
740 : }
741 :
742 : return DTLS1_HM_FRAGMENT_RETRY;
743 :
744 : err:
745 0 : if (frag != NULL && item == NULL)
746 0 : dtls1_hm_fragment_free(frag);
747 0 : *ok = 0;
748 0 : return i;
749 : }
750 :
751 : static int
752 0 : dtls1_process_out_of_seq_message(SSL *s, const struct hm_header_st *msg_hdr,
753 : int *ok)
754 : {
755 : int i = -1;
756 : hm_fragment *frag = NULL;
757 : pitem *item = NULL;
758 : unsigned char seq64be[8];
759 0 : unsigned long frag_len = msg_hdr->frag_len;
760 :
761 0 : if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len)
762 : goto err;
763 :
764 : /* Try to find item in queue, to prevent duplicate entries */
765 : memset(seq64be, 0, sizeof(seq64be));
766 0 : seq64be[6] = (unsigned char)(msg_hdr->seq >> 8);
767 0 : seq64be[7] = (unsigned char)msg_hdr->seq;
768 0 : item = pqueue_find(s->d1->buffered_messages, seq64be);
769 :
770 : /*
771 : * If we already have an entry and this one is a fragment, don't discard
772 : * it and rather try to reassemble it.
773 : */
774 0 : if (item != NULL && frag_len != msg_hdr->msg_len)
775 : item = NULL;
776 :
777 : /*
778 : * Discard the message if sequence number was already there, is too far
779 : * in the future, already in the queue or if we received a FINISHED
780 : * before the SERVER_HELLO, which then must be a stale retransmit.
781 : */
782 0 : if (msg_hdr->seq <= s->d1->handshake_read_seq ||
783 0 : msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL ||
784 0 : (s->d1->handshake_read_seq == 0 && msg_hdr->type == SSL3_MT_FINISHED))
785 0 : {
786 : unsigned char devnull[256];
787 :
788 0 : while (frag_len) {
789 0 : i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
790 : devnull,
791 : frag_len >
792 0 : sizeof(devnull) ? sizeof(devnull) :
793 : frag_len, 0);
794 0 : if (i <= 0)
795 : goto err;
796 0 : frag_len -= i;
797 : }
798 : } else {
799 0 : if (frag_len != msg_hdr->msg_len)
800 0 : return dtls1_reassemble_fragment(s, msg_hdr, ok);
801 :
802 0 : if (frag_len > dtls1_max_handshake_message_len(s))
803 : goto err;
804 :
805 0 : frag = dtls1_hm_fragment_new(frag_len, 0);
806 0 : if (frag == NULL)
807 : goto err;
808 :
809 0 : memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
810 :
811 0 : if (frag_len) {
812 : /*
813 : * read the body of the fragment (header has already been read
814 : */
815 0 : i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
816 : frag->fragment, frag_len, 0);
817 0 : if ((unsigned long)i != frag_len)
818 : i = -1;
819 0 : if (i <= 0)
820 : goto err;
821 : }
822 :
823 0 : item = pitem_new(seq64be, frag);
824 0 : if (item == NULL)
825 : goto err;
826 :
827 0 : item = pqueue_insert(s->d1->buffered_messages, item);
828 : /*
829 : * pqueue_insert fails iff a duplicate item is inserted. However,
830 : * |item| cannot be a duplicate. If it were, |pqueue_find|, above,
831 : * would have returned it. Then, either |frag_len| !=
832 : * |msg_hdr->msg_len| in which case |item| is set to NULL and it will
833 : * have been processed with |dtls1_reassemble_fragment|, above, or
834 : * the record will have been discarded.
835 : */
836 0 : OPENSSL_assert(item != NULL);
837 : }
838 :
839 : return DTLS1_HM_FRAGMENT_RETRY;
840 :
841 : err:
842 0 : if (frag != NULL && item == NULL)
843 0 : dtls1_hm_fragment_free(frag);
844 0 : *ok = 0;
845 0 : return i;
846 : }
847 :
848 : static long
849 0 : dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
850 : {
851 : unsigned char wire[DTLS1_HM_HEADER_LENGTH];
852 : unsigned long len, frag_off, frag_len;
853 : int i, al;
854 : struct hm_header_st msg_hdr;
855 :
856 : redo:
857 : /* see if we have the required fragment already */
858 0 : if ((frag_len = dtls1_retrieve_buffered_fragment(s, max, ok)) || *ok) {
859 0 : if (*ok)
860 0 : s->init_num = frag_len;
861 0 : return frag_len;
862 : }
863 :
864 : /* read handshake message header */
865 0 : i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, wire,
866 : DTLS1_HM_HEADER_LENGTH, 0);
867 0 : if (i <= 0) { /* nbio, or an error */
868 0 : s->rwstate = SSL_READING;
869 0 : *ok = 0;
870 0 : return i;
871 : }
872 : /* Handshake fails if message header is incomplete */
873 0 : if (i != DTLS1_HM_HEADER_LENGTH) {
874 : al = SSL_AD_UNEXPECTED_MESSAGE;
875 0 : SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT, SSL_R_UNEXPECTED_MESSAGE);
876 : goto f_err;
877 : }
878 :
879 : /* parse the message fragment header */
880 0 : dtls1_get_message_header(wire, &msg_hdr);
881 :
882 0 : len = msg_hdr.msg_len;
883 0 : frag_off = msg_hdr.frag_off;
884 0 : frag_len = msg_hdr.frag_len;
885 :
886 : /*
887 : * We must have at least frag_len bytes left in the record to be read.
888 : * Fragments must not span records.
889 : */
890 0 : if (frag_len > s->s3->rrec.length) {
891 : al = SSL3_AD_ILLEGAL_PARAMETER;
892 0 : SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT, SSL_R_BAD_LENGTH);
893 : goto f_err;
894 : }
895 :
896 : /*
897 : * if this is a future (or stale) message it gets buffered
898 : * (or dropped)--no further processing at this time
899 : * While listening, we accept seq 1 (ClientHello with cookie)
900 : * although we're still expecting seq 0 (ClientHello)
901 : */
902 0 : if (msg_hdr.seq != s->d1->handshake_read_seq
903 0 : && !(s->d1->listen && msg_hdr.seq == 1))
904 0 : return dtls1_process_out_of_seq_message(s, &msg_hdr, ok);
905 :
906 0 : if (frag_len && frag_len < len)
907 0 : return dtls1_reassemble_fragment(s, &msg_hdr, ok);
908 :
909 0 : if (!s->server && s->d1->r_msg_hdr.frag_off == 0 &&
910 0 : wire[0] == SSL3_MT_HELLO_REQUEST) {
911 : /*
912 : * The server may always send 'Hello Request' messages -- we are
913 : * doing a handshake anyway now, so ignore them if their format is
914 : * correct. Does not count for 'Finished' MAC.
915 : */
916 0 : if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0) {
917 0 : if (s->msg_callback)
918 0 : s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
919 : wire, DTLS1_HM_HEADER_LENGTH, s,
920 : s->msg_callback_arg);
921 :
922 0 : s->init_num = 0;
923 : goto redo;
924 : } else { /* Incorrectly formated Hello request */
925 :
926 : al = SSL_AD_UNEXPECTED_MESSAGE;
927 0 : SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,
928 : SSL_R_UNEXPECTED_MESSAGE);
929 : goto f_err;
930 : }
931 : }
932 :
933 0 : if ((al = dtls1_preprocess_fragment(s, &msg_hdr, max)))
934 : goto f_err;
935 :
936 0 : if (frag_len > 0) {
937 0 : unsigned char *p =
938 0 : (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
939 :
940 0 : i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE,
941 : &p[frag_off], frag_len, 0);
942 :
943 : /*
944 : * This shouldn't ever fail due to NBIO because we already checked
945 : * that we have enough data in the record
946 : */
947 0 : if (i <= 0) {
948 0 : s->rwstate = SSL_READING;
949 0 : *ok = 0;
950 0 : return i;
951 : }
952 : } else
953 : i = 0;
954 :
955 : /*
956 : * XDTLS: an incorrectly formatted fragment should cause the handshake
957 : * to fail
958 : */
959 0 : if (i != (int)frag_len) {
960 : al = SSL3_AD_ILLEGAL_PARAMETER;
961 0 : SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT, SSL3_AD_ILLEGAL_PARAMETER);
962 : goto f_err;
963 : }
964 :
965 0 : *ok = 1;
966 0 : s->state = stn;
967 :
968 : /*
969 : * Note that s->init_num is *not* used as current offset in
970 : * s->init_buf->data, but as a counter summing up fragments' lengths: as
971 : * soon as they sum up to handshake packet length, we assume we have got
972 : * all the fragments.
973 : */
974 0 : s->init_num = frag_len;
975 0 : return frag_len;
976 :
977 : f_err:
978 0 : ssl3_send_alert(s, SSL3_AL_FATAL, al);
979 0 : s->init_num = 0;
980 :
981 0 : *ok = 0;
982 : return (-1);
983 : }
984 :
985 : /*-
986 : * for these 2 messages, we need to
987 : * ssl->enc_read_ctx re-init
988 : * ssl->s3->read_sequence zero
989 : * ssl->s3->read_mac_secret re-init
990 : * ssl->session->read_sym_enc assign
991 : * ssl->session->read_compression assign
992 : * ssl->session->read_hash assign
993 : */
994 0 : int dtls1_send_change_cipher_spec(SSL *s, int a, int b)
995 : {
996 : unsigned char *p;
997 :
998 0 : if (s->state == a) {
999 0 : p = (unsigned char *)s->init_buf->data;
1000 0 : *p++ = SSL3_MT_CCS;
1001 0 : s->d1->handshake_write_seq = s->d1->next_handshake_write_seq;
1002 0 : s->init_num = DTLS1_CCS_HEADER_LENGTH;
1003 :
1004 0 : if (s->version == DTLS1_BAD_VER) {
1005 0 : s->d1->next_handshake_write_seq++;
1006 0 : s2n(s->d1->handshake_write_seq, p);
1007 0 : s->init_num += 2;
1008 : }
1009 :
1010 0 : s->init_off = 0;
1011 :
1012 : dtls1_set_message_header_int(s, SSL3_MT_CCS, 0,
1013 0 : s->d1->handshake_write_seq, 0, 0);
1014 :
1015 : /* buffer the message to handle re-xmits */
1016 0 : dtls1_buffer_message(s, 1);
1017 :
1018 0 : s->state = b;
1019 : }
1020 :
1021 : /* SSL3_ST_CW_CHANGE_B */
1022 0 : return (dtls1_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC));
1023 : }
1024 :
1025 0 : int dtls1_read_failed(SSL *s, int code)
1026 : {
1027 0 : if (code > 0) {
1028 0 : fprintf(stderr, "invalid state reached %s:%d", __FILE__, __LINE__);
1029 0 : return 1;
1030 : }
1031 :
1032 0 : if (!dtls1_is_timer_expired(s)) {
1033 : /*
1034 : * not a timeout, none of our business, let higher layers handle
1035 : * this. in fact it's probably an error
1036 : */
1037 : return code;
1038 : }
1039 : #ifndef OPENSSL_NO_HEARTBEATS
1040 : /* done, no need to send a retransmit */
1041 0 : if (!SSL_in_init(s) && !s->tlsext_hb_pending)
1042 : #else
1043 : /* done, no need to send a retransmit */
1044 : if (!SSL_in_init(s))
1045 : #endif
1046 : {
1047 0 : BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ);
1048 0 : return code;
1049 : }
1050 : #if 0 /* for now, each alert contains only one
1051 : * record number */
1052 : item = pqueue_peek(state->rcvd_records);
1053 : if (item) {
1054 : /* send an alert immediately for all the missing records */
1055 : } else
1056 : #endif
1057 :
1058 : #if 0 /* no more alert sending, just retransmit the
1059 : * last set of messages */
1060 : if (state->timeout.read_timeouts >= DTLS1_TMO_READ_COUNT)
1061 : ssl3_send_alert(s, SSL3_AL_WARNING,
1062 : DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
1063 : #endif
1064 :
1065 0 : return dtls1_handle_timeout(s);
1066 : }
1067 :
1068 0 : int dtls1_get_queue_priority(unsigned short seq, int is_ccs)
1069 : {
1070 : /*
1071 : * The index of the retransmission queue actually is the message sequence
1072 : * number, since the queue only contains messages of a single handshake.
1073 : * However, the ChangeCipherSpec has no message sequence number and so
1074 : * using only the sequence will result in the CCS and Finished having the
1075 : * same index. To prevent this, the sequence number is multiplied by 2.
1076 : * In case of a CCS 1 is subtracted. This does not only differ CSS and
1077 : * Finished, it also maintains the order of the index (important for
1078 : * priority queues) and fits in the unsigned short variable.
1079 : */
1080 0 : return seq * 2 - is_ccs;
1081 : }
1082 :
1083 0 : int dtls1_retransmit_buffered_messages(SSL *s)
1084 : {
1085 0 : pqueue sent = s->d1->sent_messages;
1086 : piterator iter;
1087 : pitem *item;
1088 : hm_fragment *frag;
1089 0 : int found = 0;
1090 :
1091 0 : iter = pqueue_iterator(sent);
1092 :
1093 0 : for (item = pqueue_next(&iter); item != NULL; item = pqueue_next(&iter)) {
1094 0 : frag = (hm_fragment *)item->data;
1095 0 : if (dtls1_retransmit_message(s, (unsigned short)
1096 : dtls1_get_queue_priority
1097 0 : (frag->msg_header.seq,
1098 0 : frag->msg_header.is_ccs), 0,
1099 0 : &found) <= 0 && found) {
1100 0 : fprintf(stderr, "dtls1_retransmit_message() failed\n");
1101 0 : return -1;
1102 : }
1103 : }
1104 :
1105 : return 1;
1106 : }
1107 :
1108 0 : int dtls1_buffer_message(SSL *s, int is_ccs)
1109 : {
1110 : pitem *item;
1111 : hm_fragment *frag;
1112 : unsigned char seq64be[8];
1113 :
1114 : /*
1115 : * this function is called immediately after a message has been
1116 : * serialized
1117 : */
1118 0 : OPENSSL_assert(s->init_off == 0);
1119 :
1120 0 : frag = dtls1_hm_fragment_new(s->init_num, 0);
1121 0 : if (!frag)
1122 : return 0;
1123 :
1124 0 : memcpy(frag->fragment, s->init_buf->data, s->init_num);
1125 :
1126 0 : if (is_ccs) {
1127 : /* For DTLS1_BAD_VER the header length is non-standard */
1128 0 : OPENSSL_assert(s->d1->w_msg_hdr.msg_len +
1129 : ((s->version==DTLS1_BAD_VER)?3:DTLS1_CCS_HEADER_LENGTH)
1130 : == (unsigned int)s->init_num);
1131 : } else {
1132 0 : OPENSSL_assert(s->d1->w_msg_hdr.msg_len +
1133 : DTLS1_HM_HEADER_LENGTH == (unsigned int)s->init_num);
1134 : }
1135 :
1136 0 : frag->msg_header.msg_len = s->d1->w_msg_hdr.msg_len;
1137 0 : frag->msg_header.seq = s->d1->w_msg_hdr.seq;
1138 0 : frag->msg_header.type = s->d1->w_msg_hdr.type;
1139 0 : frag->msg_header.frag_off = 0;
1140 0 : frag->msg_header.frag_len = s->d1->w_msg_hdr.msg_len;
1141 0 : frag->msg_header.is_ccs = is_ccs;
1142 :
1143 : /* save current state */
1144 0 : frag->msg_header.saved_retransmit_state.enc_write_ctx = s->enc_write_ctx;
1145 0 : frag->msg_header.saved_retransmit_state.write_hash = s->write_hash;
1146 0 : frag->msg_header.saved_retransmit_state.compress = s->compress;
1147 0 : frag->msg_header.saved_retransmit_state.session = s->session;
1148 0 : frag->msg_header.saved_retransmit_state.epoch = s->d1->w_epoch;
1149 :
1150 : memset(seq64be, 0, sizeof(seq64be));
1151 0 : seq64be[6] =
1152 0 : (unsigned
1153 : char)(dtls1_get_queue_priority(frag->msg_header.seq,
1154 0 : frag->msg_header.is_ccs) >> 8);
1155 0 : seq64be[7] =
1156 0 : (unsigned
1157 : char)(dtls1_get_queue_priority(frag->msg_header.seq,
1158 : frag->msg_header.is_ccs));
1159 :
1160 0 : item = pitem_new(seq64be, frag);
1161 0 : if (item == NULL) {
1162 0 : dtls1_hm_fragment_free(frag);
1163 0 : return 0;
1164 : }
1165 : #if 0
1166 : fprintf(stderr, "buffered messge: \ttype = %xx\n", msg_buf->type);
1167 : fprintf(stderr, "\t\t\t\t\tlen = %d\n", msg_buf->len);
1168 : fprintf(stderr, "\t\t\t\t\tseq_num = %d\n", msg_buf->seq_num);
1169 : #endif
1170 :
1171 0 : pqueue_insert(s->d1->sent_messages, item);
1172 0 : return 1;
1173 : }
1174 :
1175 : int
1176 0 : dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
1177 : int *found)
1178 : {
1179 : int ret;
1180 : /* XDTLS: for now assuming that read/writes are blocking */
1181 : pitem *item;
1182 : hm_fragment *frag;
1183 : unsigned long header_length;
1184 : unsigned char seq64be[8];
1185 : struct dtls1_retransmit_state saved_state;
1186 : unsigned char save_write_sequence[8];
1187 :
1188 : /*-
1189 : OPENSSL_assert(s->init_num == 0);
1190 : OPENSSL_assert(s->init_off == 0);
1191 : */
1192 :
1193 : /* XDTLS: the requested message ought to be found, otherwise error */
1194 : memset(seq64be, 0, sizeof(seq64be));
1195 0 : seq64be[6] = (unsigned char)(seq >> 8);
1196 0 : seq64be[7] = (unsigned char)seq;
1197 :
1198 0 : item = pqueue_find(s->d1->sent_messages, seq64be);
1199 0 : if (item == NULL) {
1200 0 : fprintf(stderr, "retransmit: message %d non-existant\n", seq);
1201 0 : *found = 0;
1202 0 : return 0;
1203 : }
1204 :
1205 0 : *found = 1;
1206 0 : frag = (hm_fragment *)item->data;
1207 :
1208 0 : if (frag->msg_header.is_ccs)
1209 : header_length = DTLS1_CCS_HEADER_LENGTH;
1210 : else
1211 : header_length = DTLS1_HM_HEADER_LENGTH;
1212 :
1213 0 : memcpy(s->init_buf->data, frag->fragment,
1214 0 : frag->msg_header.msg_len + header_length);
1215 0 : s->init_num = frag->msg_header.msg_len + header_length;
1216 :
1217 0 : dtls1_set_message_header_int(s, frag->msg_header.type,
1218 : frag->msg_header.msg_len,
1219 0 : frag->msg_header.seq, 0,
1220 : frag->msg_header.frag_len);
1221 :
1222 : /* save current state */
1223 0 : saved_state.enc_write_ctx = s->enc_write_ctx;
1224 0 : saved_state.write_hash = s->write_hash;
1225 0 : saved_state.compress = s->compress;
1226 0 : saved_state.session = s->session;
1227 0 : saved_state.epoch = s->d1->w_epoch;
1228 : saved_state.epoch = s->d1->w_epoch;
1229 :
1230 0 : s->d1->retransmitting = 1;
1231 :
1232 : /* restore state in which the message was originally sent */
1233 0 : s->enc_write_ctx = frag->msg_header.saved_retransmit_state.enc_write_ctx;
1234 0 : s->write_hash = frag->msg_header.saved_retransmit_state.write_hash;
1235 0 : s->compress = frag->msg_header.saved_retransmit_state.compress;
1236 0 : s->session = frag->msg_header.saved_retransmit_state.session;
1237 0 : s->d1->w_epoch = frag->msg_header.saved_retransmit_state.epoch;
1238 :
1239 0 : if (frag->msg_header.saved_retransmit_state.epoch ==
1240 0 : saved_state.epoch - 1) {
1241 0 : memcpy(save_write_sequence, s->s3->write_sequence,
1242 : sizeof(s->s3->write_sequence));
1243 0 : memcpy(s->s3->write_sequence, s->d1->last_write_sequence,
1244 : sizeof(s->s3->write_sequence));
1245 : }
1246 :
1247 0 : ret = dtls1_do_write(s, frag->msg_header.is_ccs ?
1248 : SSL3_RT_CHANGE_CIPHER_SPEC : SSL3_RT_HANDSHAKE);
1249 :
1250 : /* restore current state */
1251 0 : s->enc_write_ctx = saved_state.enc_write_ctx;
1252 0 : s->write_hash = saved_state.write_hash;
1253 0 : s->compress = saved_state.compress;
1254 0 : s->session = saved_state.session;
1255 0 : s->d1->w_epoch = saved_state.epoch;
1256 :
1257 0 : if (frag->msg_header.saved_retransmit_state.epoch ==
1258 : saved_state.epoch - 1) {
1259 0 : memcpy(s->d1->last_write_sequence, s->s3->write_sequence,
1260 : sizeof(s->s3->write_sequence));
1261 0 : memcpy(s->s3->write_sequence, save_write_sequence,
1262 : sizeof(s->s3->write_sequence));
1263 : }
1264 :
1265 0 : s->d1->retransmitting = 0;
1266 :
1267 0 : (void)BIO_flush(SSL_get_wbio(s));
1268 0 : return ret;
1269 : }
1270 :
1271 : /* call this function when the buffered messages are no longer needed */
1272 0 : void dtls1_clear_record_buffer(SSL *s)
1273 : {
1274 : pitem *item;
1275 :
1276 0 : for (item = pqueue_pop(s->d1->sent_messages);
1277 0 : item != NULL; item = pqueue_pop(s->d1->sent_messages)) {
1278 0 : dtls1_hm_fragment_free((hm_fragment *)item->data);
1279 0 : pitem_free(item);
1280 : }
1281 0 : }
1282 :
1283 0 : unsigned char *dtls1_set_message_header(SSL *s, unsigned char *p,
1284 : unsigned char mt, unsigned long len,
1285 : unsigned long frag_off,
1286 : unsigned long frag_len)
1287 : {
1288 : /* Don't change sequence numbers while listening */
1289 0 : if (frag_off == 0 && !s->d1->listen) {
1290 0 : s->d1->handshake_write_seq = s->d1->next_handshake_write_seq;
1291 0 : s->d1->next_handshake_write_seq++;
1292 : }
1293 :
1294 0 : dtls1_set_message_header_int(s, mt, len, s->d1->handshake_write_seq,
1295 : frag_off, frag_len);
1296 :
1297 0 : return p += DTLS1_HM_HEADER_LENGTH;
1298 : }
1299 :
1300 : /* don't actually do the writing, wait till the MTU has been retrieved */
1301 : static void
1302 : dtls1_set_message_header_int(SSL *s, unsigned char mt,
1303 : unsigned long len, unsigned short seq_num,
1304 : unsigned long frag_off, unsigned long frag_len)
1305 : {
1306 : struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
1307 :
1308 0 : msg_hdr->type = mt;
1309 0 : msg_hdr->msg_len = len;
1310 0 : msg_hdr->seq = seq_num;
1311 0 : msg_hdr->frag_off = frag_off;
1312 0 : msg_hdr->frag_len = frag_len;
1313 : }
1314 :
1315 : static void
1316 : dtls1_fix_message_header(SSL *s, unsigned long frag_off,
1317 : unsigned long frag_len)
1318 : {
1319 : struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
1320 :
1321 0 : msg_hdr->frag_off = frag_off;
1322 0 : msg_hdr->frag_len = frag_len;
1323 : }
1324 :
1325 0 : static unsigned char *dtls1_write_message_header(SSL *s, unsigned char *p)
1326 : {
1327 0 : struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
1328 :
1329 0 : *p++ = msg_hdr->type;
1330 0 : l2n3(msg_hdr->msg_len, p);
1331 :
1332 0 : s2n(msg_hdr->seq, p);
1333 0 : l2n3(msg_hdr->frag_off, p);
1334 0 : l2n3(msg_hdr->frag_len, p);
1335 :
1336 0 : return p;
1337 : }
1338 :
1339 0 : unsigned int dtls1_link_min_mtu(void)
1340 : {
1341 0 : return (g_probable_mtu[(sizeof(g_probable_mtu) /
1342 : sizeof(g_probable_mtu[0])) - 1]);
1343 : }
1344 :
1345 0 : unsigned int dtls1_min_mtu(SSL *s)
1346 : {
1347 0 : return dtls1_link_min_mtu() - BIO_dgram_get_mtu_overhead(SSL_get_wbio(s));
1348 : }
1349 :
1350 : void
1351 0 : dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr)
1352 : {
1353 : memset(msg_hdr, 0x00, sizeof(struct hm_header_st));
1354 0 : msg_hdr->type = *(data++);
1355 0 : n2l3(data, msg_hdr->msg_len);
1356 :
1357 0 : n2s(data, msg_hdr->seq);
1358 0 : n2l3(data, msg_hdr->frag_off);
1359 0 : n2l3(data, msg_hdr->frag_len);
1360 0 : }
1361 :
1362 0 : void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr)
1363 : {
1364 : memset(ccs_hdr, 0x00, sizeof(struct ccs_header_st));
1365 :
1366 0 : ccs_hdr->type = *(data++);
1367 0 : }
1368 :
1369 0 : int dtls1_shutdown(SSL *s)
1370 : {
1371 : int ret;
1372 : #ifndef OPENSSL_NO_SCTP
1373 : if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
1374 : !(s->shutdown & SSL_SENT_SHUTDOWN)) {
1375 : ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
1376 : if (ret < 0)
1377 : return -1;
1378 :
1379 : if (ret == 0)
1380 : BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN, 1,
1381 : NULL);
1382 : }
1383 : #endif
1384 0 : ret = ssl3_shutdown(s);
1385 : #ifndef OPENSSL_NO_SCTP
1386 : BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN, 0, NULL);
1387 : #endif
1388 0 : return ret;
1389 : }
1390 :
1391 : #ifndef OPENSSL_NO_HEARTBEATS
1392 0 : int dtls1_process_heartbeat(SSL *s)
1393 : {
1394 0 : unsigned char *p = &s->s3->rrec.data[0], *pl;
1395 : unsigned short hbtype;
1396 : unsigned int payload;
1397 : unsigned int padding = 16; /* Use minimum padding */
1398 :
1399 0 : if (s->msg_callback)
1400 0 : s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
1401 0 : &s->s3->rrec.data[0], s->s3->rrec.length,
1402 : s, s->msg_callback_arg);
1403 :
1404 : /* Read type and payload length first */
1405 0 : if (1 + 2 + 16 > s->s3->rrec.length)
1406 : return 0; /* silently discard */
1407 0 : if (s->s3->rrec.length > SSL3_RT_MAX_PLAIN_LENGTH)
1408 : return 0; /* silently discard per RFC 6520 sec. 4 */
1409 :
1410 0 : hbtype = *p++;
1411 0 : n2s(p, payload);
1412 0 : if (1 + 2 + payload + 16 > s->s3->rrec.length)
1413 : return 0; /* silently discard per RFC 6520 sec. 4 */
1414 0 : pl = p;
1415 :
1416 0 : if (hbtype == TLS1_HB_REQUEST) {
1417 : unsigned char *buffer, *bp;
1418 : unsigned int write_length = 1 /* heartbeat type */ +
1419 : 2 /* heartbeat length */ +
1420 : payload + padding;
1421 : int r;
1422 :
1423 0 : if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
1424 : return 0;
1425 :
1426 : /*
1427 : * Allocate memory for the response, size is 1 byte message type,
1428 : * plus 2 bytes payload length, plus payload, plus padding
1429 : */
1430 0 : buffer = OPENSSL_malloc(write_length);
1431 : bp = buffer;
1432 :
1433 : /* Enter response type, length and copy payload */
1434 0 : *bp++ = TLS1_HB_RESPONSE;
1435 0 : s2n(payload, bp);
1436 0 : memcpy(bp, pl, payload);
1437 0 : bp += payload;
1438 : /* Random padding */
1439 0 : if (RAND_pseudo_bytes(bp, padding) < 0) {
1440 0 : OPENSSL_free(buffer);
1441 0 : return -1;
1442 : }
1443 :
1444 0 : r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length);
1445 :
1446 0 : if (r >= 0 && s->msg_callback)
1447 0 : s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
1448 : buffer, write_length, s, s->msg_callback_arg);
1449 :
1450 0 : OPENSSL_free(buffer);
1451 :
1452 0 : if (r < 0)
1453 0 : return r;
1454 0 : } else if (hbtype == TLS1_HB_RESPONSE) {
1455 : unsigned int seq;
1456 :
1457 : /*
1458 : * We only send sequence numbers (2 bytes unsigned int), and 16
1459 : * random bytes, so we just try to read the sequence number
1460 : */
1461 0 : n2s(pl, seq);
1462 :
1463 0 : if (payload == 18 && seq == s->tlsext_hb_seq) {
1464 0 : dtls1_stop_timer(s);
1465 0 : s->tlsext_hb_seq++;
1466 0 : s->tlsext_hb_pending = 0;
1467 : }
1468 : }
1469 :
1470 : return 0;
1471 : }
1472 :
1473 0 : int dtls1_heartbeat(SSL *s)
1474 : {
1475 : unsigned char *buf, *p;
1476 : int ret = -1;
1477 : unsigned int payload = 18; /* Sequence number + random bytes */
1478 : unsigned int padding = 16; /* Use minimum padding */
1479 :
1480 : /* Only send if peer supports and accepts HB requests... */
1481 0 : if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
1482 : s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) {
1483 0 : SSLerr(SSL_F_DTLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
1484 0 : return -1;
1485 : }
1486 :
1487 : /* ...and there is none in flight yet... */
1488 0 : if (s->tlsext_hb_pending) {
1489 0 : SSLerr(SSL_F_DTLS1_HEARTBEAT, SSL_R_TLS_HEARTBEAT_PENDING);
1490 0 : return -1;
1491 : }
1492 :
1493 : /* ...and no handshake in progress. */
1494 0 : if (SSL_in_init(s) || s->in_handshake) {
1495 0 : SSLerr(SSL_F_DTLS1_HEARTBEAT, SSL_R_UNEXPECTED_MESSAGE);
1496 0 : return -1;
1497 : }
1498 :
1499 : /*
1500 : * Check if padding is too long, payload and padding must not exceed 2^14
1501 : * - 3 = 16381 bytes in total.
1502 : */
1503 : OPENSSL_assert(payload + padding <= 16381);
1504 :
1505 : /*-
1506 : * Create HeartBeat message, we just use a sequence number
1507 : * as payload to distuingish different messages and add
1508 : * some random stuff.
1509 : * - Message Type, 1 byte
1510 : * - Payload Length, 2 bytes (unsigned int)
1511 : * - Payload, the sequence number (2 bytes uint)
1512 : * - Payload, random bytes (16 bytes uint)
1513 : * - Padding
1514 : */
1515 0 : buf = OPENSSL_malloc(1 + 2 + payload + padding);
1516 : p = buf;
1517 : /* Message Type */
1518 0 : *p++ = TLS1_HB_REQUEST;
1519 : /* Payload length (18 bytes here) */
1520 0 : s2n(payload, p);
1521 : /* Sequence number */
1522 0 : s2n(s->tlsext_hb_seq, p);
1523 : /* 16 random bytes */
1524 0 : if (RAND_pseudo_bytes(p, 16) < 0)
1525 : goto err;
1526 0 : p += 16;
1527 : /* Random padding */
1528 0 : if (RAND_pseudo_bytes(p, padding) < 0)
1529 : goto err;
1530 :
1531 0 : ret = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
1532 0 : if (ret >= 0) {
1533 0 : if (s->msg_callback)
1534 0 : s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
1535 : buf, 3 + payload + padding,
1536 : s, s->msg_callback_arg);
1537 :
1538 0 : dtls1_start_timer(s);
1539 0 : s->tlsext_hb_pending = 1;
1540 : }
1541 :
1542 : err:
1543 0 : OPENSSL_free(buf);
1544 :
1545 0 : return ret;
1546 : }
1547 : #endif
|