1/* ssl/d1_both.c */
2/*
3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
5 */
6/* ====================================================================
7 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
8 *
--- 109 unchanged lines hidden (view full) ---
118#include <stdio.h>
119#include "ssl_locl.h"
120#include <openssl/buffer.h>
121#include <openssl/rand.h>
122#include <openssl/objects.h>
123#include <openssl/evp.h>
124#include <openssl/x509.h>
125
126#define RSMBLY_BITMASK_SIZE(msg_len) (((msg_len) + 7) / 8)
127
128#define RSMBLY_BITMASK_MARK(bitmask, start, end) { \
129 if ((end) - (start) <= 8) { \
130 long ii; \
131 for (ii = (start); ii < (end); ii++) bitmask[((ii) >> 3)] |= (1 << ((ii) & 7)); \
132 } else { \
133 long ii; \
134 bitmask[((start) >> 3)] |= bitmask_start_values[((start) & 7)]; \
135 for (ii = (((start) >> 3) + 1); ii < ((((end) - 1)) >> 3); ii++) bitmask[ii] = 0xff; \
136 bitmask[(((end) - 1) >> 3)] |= bitmask_end_values[((end) & 7)]; \
137 } }
138
139#define RSMBLY_BITMASK_IS_COMPLETE(bitmask, msg_len, is_complete) { \
140 long ii; \
141 OPENSSL_assert((msg_len) > 0); \
142 is_complete = 1; \
143 if (bitmask[(((msg_len) - 1) >> 3)] != bitmask_end_values[((msg_len) & 7)]) is_complete = 0; \
144 if (is_complete) for (ii = (((msg_len) - 1) >> 3) - 1; ii >= 0 ; ii--) \
145 if (bitmask[ii] != 0xff) { is_complete = 0; break; } }
146
147#if 0
148#define RSMBLY_BITMASK_PRINT(bitmask, msg_len) { \
149 long ii; \
150 printf("bitmask: "); for (ii = 0; ii < (msg_len); ii++) \
151 printf("%d ", (bitmask[ii >> 3] & (1 << (ii & 7))) >> (ii & 7)); \
152 printf("\n"); }
153#endif
154
155static unsigned char bitmask_start_values[] = {0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80};
156static unsigned char bitmask_end_values[] = {0x00, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f};
157
158/* XDTLS: figure out the right values */
159static unsigned int g_probable_mtu[] = {1500 - 28, 512 - 28, 256 - 28};
160
161static unsigned int dtls1_min_mtu(void);
162static unsigned int dtls1_guess_mtu(unsigned int curr_mtu);
163static void dtls1_fix_message_header(SSL *s, unsigned long frag_off,
164 unsigned long frag_len);
165static unsigned char *dtls1_write_message_header(SSL *s,
166 unsigned char *p);
167static void dtls1_set_message_header_int(SSL *s, unsigned char mt,
168 unsigned long len, unsigned short seq_num, unsigned long frag_off,
169 unsigned long frag_len);
170static long dtls1_get_message_fragment(SSL *s, int st1, int stn,
171 long max, int *ok);
172
173static hm_fragment *
174dtls1_hm_fragment_new(unsigned long frag_len, int reassembly)
175 {
176 hm_fragment *frag = NULL;
177 unsigned char *buf = NULL;
178 unsigned char *bitmask = NULL;
179
180 frag = (hm_fragment *)OPENSSL_malloc(sizeof(hm_fragment));
181 if ( frag == NULL)
182 return NULL;
183
184 if (frag_len)
185 {
186 buf = (unsigned char *)OPENSSL_malloc(frag_len);
187 if ( buf == NULL)
188 {
189 OPENSSL_free(frag);
190 return NULL;
191 }
192 }
193
194 /* zero length fragment gets zero frag->fragment */
195 frag->fragment = buf;
196
197 /* Initialize reassembly bitmask if necessary */
198 if (reassembly)
199 {
200 bitmask = (unsigned char *)OPENSSL_malloc(RSMBLY_BITMASK_SIZE(frag_len));
201 if (bitmask == NULL)
202 {
203 if (buf != NULL) OPENSSL_free(buf);
204 OPENSSL_free(frag);
205 return NULL;
206 }
207 memset(bitmask, 0, RSMBLY_BITMASK_SIZE(frag_len));
208 }
209
210 frag->reassembly = bitmask;
211
212 return frag;
213 }
214
215static void
216dtls1_hm_fragment_free(hm_fragment *frag)
217 {
218 if (frag->fragment) OPENSSL_free(frag->fragment);
219 if (frag->reassembly) OPENSSL_free(frag->reassembly);
220 OPENSSL_free(frag);
221 }
222
223/* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */
224int dtls1_do_write(SSL *s, int type)
225 {
226 int ret;
227 int curr_mtu;
--- 178 unchanged lines hidden (view full) ---
406 * maximum acceptable body length 'max'.
407 * Read an entire handshake message. Handshake messages arrive in
408 * fragments.
409 */
410long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
411 {
412 int i, al;
413 struct hm_header_st *msg_hdr;
414 unsigned char *p;
415 unsigned long msg_len;
416
417 /* s3->tmp is used to store messages that are unexpected, caused
418 * by the absence of an optional handshake message */
419 if (s->s3->tmp.reuse_message)
420 {
421 s->s3->tmp.reuse_message=0;
422 if ((mt >= 0) && (s->s3->tmp.message_type != mt))
423 {
424 al=SSL_AD_UNEXPECTED_MESSAGE;
425 SSLerr(SSL_F_DTLS1_GET_MESSAGE,SSL_R_UNEXPECTED_MESSAGE);
426 goto f_err;
427 }
428 *ok=1;
429 s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
430 s->init_num = (int)s->s3->tmp.message_size;
431 return s->init_num;
432 }
433
434 msg_hdr = &s->d1->r_msg_hdr;
435 memset(msg_hdr, 0x00, sizeof(struct hm_header_st));
436
437again:
438 i = dtls1_get_message_fragment(s, st1, stn, max, ok);
439 if ( i == DTLS1_HM_BAD_FRAGMENT ||
440 i == DTLS1_HM_FRAGMENT_RETRY) /* bad fragment received */
441 goto again;
442 else if ( i <= 0 && !*ok)
443 return i;
444
445 p = (unsigned char *)s->init_buf->data;
446 msg_len = msg_hdr->msg_len;
447
448 /* reconstruct message header */
449 *(p++) = msg_hdr->type;
450 l2n3(msg_len,p);
451 s2n (msg_hdr->seq,p);
452 l2n3(0,p);
453 l2n3(msg_len,p);
454 if (s->version != DTLS1_BAD_VER) {
455 p -= DTLS1_HM_HEADER_LENGTH;
456 msg_len += DTLS1_HM_HEADER_LENGTH;
457 }
458
459 ssl3_finish_mac(s, p, msg_len);
460 if (s->msg_callback)
461 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
462 p, msg_len,
463 s, s->msg_callback_arg);
464
465 memset(msg_hdr, 0x00, sizeof(struct hm_header_st));
466
467 s->d1->handshake_read_seq++;
468 /* we just read a handshake message from the other side:
469 * this means that we don't need to retransmit of the
470 * buffered messages.
471 * XDTLS: may be able clear out this
472 * buffer a little sooner (i.e if an out-of-order
473 * handshake message/record is received at the record
474 * layer.
475 * XDTLS: exception is that the server needs to
476 * know that change cipher spec and finished messages
477 * have been received by the client before clearing this
478 * buffer. this can simply be done by waiting for the
479 * first data segment, but is there a better way? */
480 dtls1_clear_record_buffer(s);
481
482 s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
483 return s->init_num;
484
485f_err:
486 ssl3_send_alert(s,SSL3_AL_FATAL,al);
487 *ok = 0;
488 return -1;
489 }
490
491
--- 59 unchanged lines hidden (view full) ---
551 int al;
552
553 *ok = 0;
554 item = pqueue_peek(s->d1->buffered_messages);
555 if ( item == NULL)
556 return 0;
557
558 frag = (hm_fragment *)item->data;
559
560 /* Don't return if reassembly still in progress */
561 if (frag->reassembly != NULL)
562 return 0;
563
564 if ( s->d1->handshake_read_seq == frag->msg_header.seq)
565 {
566 unsigned long frag_len = frag->msg_header.frag_len;
567 pqueue_pop(s->d1->buffered_messages);
568
569 al=dtls1_preprocess_fragment(s,&frag->msg_header,max);
570
--- 19 unchanged lines hidden (view full) ---
590 return -1;
591 }
592 else
593 return 0;
594 }
595
596
597static int
598dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
599 {
600 hm_fragment *frag = NULL;
601 pitem *item = NULL;
602 int i = -1, is_complete;
603 PQ_64BIT seq64;
604 unsigned long frag_len = msg_hdr->frag_len, max_len;
605
606 if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
607 goto err;
608
609 /* Determine maximum allowed message size. Depends on (user set)
610 * maximum certificate length, but 16k is minimum.
611 */
612 if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH < s->max_cert_list)
613 max_len = s->max_cert_list;
614 else
615 max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
616
617 if ((msg_hdr->frag_off+frag_len) > max_len)
618 goto err;
619
620 /* Try to find item in queue */
621 pq_64bit_init(&seq64);
622 pq_64bit_assign_word(&seq64, msg_hdr->seq);
623 item = pqueue_find(s->d1->buffered_messages, seq64);
624 pq_64bit_free(&seq64);
625
626 if (item == NULL)
627 {
628 frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 1);
629 if ( frag == NULL)
630 goto err;
631 memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
632 frag->msg_header.frag_len = frag->msg_header.msg_len;
633 frag->msg_header.frag_off = 0;
634 }
635 else
636 frag = (hm_fragment*) item->data;
637
638 /* If message is already reassembled, this must be a
639 * retransmit and can be dropped.
640 */
641 if (frag->reassembly == NULL)
642 {
643 unsigned char devnull [256];
644
645 while (frag_len)
646 {
647 i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
648 devnull,
649 frag_len>sizeof(devnull)?sizeof(devnull):frag_len,0);
650 if (i<=0) goto err;
651 frag_len -= i;
652 }
653 return DTLS1_HM_FRAGMENT_RETRY;
654 }
655
656 /* read the body of the fragment (header has already been read */
657 i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
658 frag->fragment + msg_hdr->frag_off,frag_len,0);
659 if (i<=0 || (unsigned long)i!=frag_len)
660 goto err;
661
662 RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off,
663 (long)(msg_hdr->frag_off + frag_len));
664
665 RSMBLY_BITMASK_IS_COMPLETE(frag->reassembly, (long)msg_hdr->msg_len,
666 is_complete);
667
668 if (is_complete)
669 {
670 OPENSSL_free(frag->reassembly);
671 frag->reassembly = NULL;
672 }
673
674 if (item == NULL)
675 {
676 pq_64bit_init(&seq64);
677 pq_64bit_assign_word(&seq64, msg_hdr->seq);
678 item = pitem_new(seq64, frag);
679 pq_64bit_free(&seq64);
680
681 if (item == NULL)
682 {
683 goto err;
684 i = -1;
685 }
686
687 pqueue_insert(s->d1->buffered_messages, item);
688 }
689
690 return DTLS1_HM_FRAGMENT_RETRY;
691
692err:
693 if (frag != NULL) dtls1_hm_fragment_free(frag);
694 if (item != NULL) OPENSSL_free(item);
695 *ok = 0;
696 return i;
697 }
698
699
700static int
701dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
702{
703 int i=-1;
704 hm_fragment *frag = NULL;
705 pitem *item = NULL;
706 PQ_64BIT seq64;
707 unsigned long frag_len = msg_hdr->frag_len;
708
709 if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
710 goto err;
711
712 /* Try to find item in queue, to prevent duplicate entries */
713 pq_64bit_init(&seq64);
714 pq_64bit_assign_word(&seq64, msg_hdr->seq);
715 item = pqueue_find(s->d1->buffered_messages, seq64);
716 pq_64bit_free(&seq64);
717
718 /* If we already have an entry and this one is a fragment,
719 * don't discard it and rather try to reassemble it.
720 */
721 if (item != NULL && frag_len < msg_hdr->msg_len)
722 item = NULL;
723
724 /* Discard the message if sequence number was already there, is
725 * too far in the future, already in the queue or if we received
726 * a FINISHED before the SERVER_HELLO, which then must be a stale
727 * retransmit.
728 */
729 if (msg_hdr->seq <= s->d1->handshake_read_seq ||
730 msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL ||
731 (s->d1->handshake_read_seq == 0 && msg_hdr->type == SSL3_MT_FINISHED))
--- 4 unchanged lines hidden (view full) ---
736 {
737 i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
738 devnull,
739 frag_len>sizeof(devnull)?sizeof(devnull):frag_len,0);
740 if (i<=0) goto err;
741 frag_len -= i;
742 }
743 }
744 else
745 {
746 if (frag_len && frag_len < msg_hdr->msg_len)
747 return dtls1_reassemble_fragment(s, msg_hdr, ok);
748
749 frag = dtls1_hm_fragment_new(frag_len, 0);
750 if ( frag == NULL)
751 goto err;
752
753 memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
754
755 if (frag_len)
756 {
757 /* read the body of the fragment (header has already been read) */
758 i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
759 frag->fragment,frag_len,0);
760 if (i<=0 || (unsigned long)i!=frag_len)
761 goto err;
762 }
763
764 pq_64bit_init(&seq64);
765 pq_64bit_assign_word(&seq64, msg_hdr->seq);
766
767 item = pitem_new(seq64, frag);
768 pq_64bit_free(&seq64);
769 if ( item == NULL)
770 goto err;
771
772 pqueue_insert(s->d1->buffered_messages, item);
773 }
774
775 return DTLS1_HM_FRAGMENT_RETRY;
776
777err:
778 if ( frag != NULL) dtls1_hm_fragment_free(frag);
779 if ( item != NULL) OPENSSL_free(item);
780 *ok = 0;
781 return i;
782 }
783
784
785static long
786dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
787 {
788 unsigned char wire[DTLS1_HM_HEADER_LENGTH];
789 unsigned long len, frag_off, frag_len;
790 int i,al;
791 struct hm_header_st msg_hdr;
792
793 /* see if we have the required fragment already */
794 if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok)
795 {
796 if (*ok) s->init_num = frag_len;
797 return frag_len;
798 }
799
800 /* read handshake message header */
801 i=s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,wire,
802 DTLS1_HM_HEADER_LENGTH, 0);
803 if (i <= 0) /* nbio, or an error */
804 {
--- 8 unchanged lines hidden (view full) ---
813
814 /*
815 * if this is a future (or stale) message it gets buffered
816 * (or dropped)--no further processing at this time
817 */
818 if ( msg_hdr.seq != s->d1->handshake_read_seq)
819 return dtls1_process_out_of_seq_message(s, &msg_hdr, ok);
820
821 len = msg_hdr.msg_len;
822 frag_off = msg_hdr.frag_off;
823 frag_len = msg_hdr.frag_len;
824
825 if (frag_len && frag_len < len)
826 return dtls1_reassemble_fragment(s, &msg_hdr, ok);
827
828 if (!s->server && s->d1->r_msg_hdr.frag_off == 0 &&
829 wire[0] == SSL3_MT_HELLO_REQUEST)
830 {
831 /* The server may always send 'Hello Request' messages --
832 * we are doing a handshake anyway now, so ignore them
833 * if their format is correct. Does not count for
834 * 'Finished' MAC. */
835 if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0)
--- 43 unchanged lines hidden (view full) ---
879 OPENSSL_assert(i == (int)frag_len);
880
881 *ok = 1;
882
883 /* Note that s->init_num is *not* used as current offset in
884 * s->init_buf->data, but as a counter summing up fragments'
885 * lengths: as soon as they sum up to handshake packet
886 * length, we assume we have got all the fragments. */
887 s->init_num = frag_len;
888 return frag_len;
889
890f_err:
891 ssl3_send_alert(s,SSL3_AL_FATAL,al);
892 s->init_num = 0;
893
894 *ok=0;
895 return(-1);
--- 137 unchanged lines hidden (view full) ---
1033
1034 if (!X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,x,NULL))
1035 {
1036 SSLerr(SSL_F_DTLS1_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB);
1037 return(0);
1038 }
1039
1040 X509_verify_cert(&xs_ctx);
1041 /* Don't leave errors in the queue */
1042 ERR_clear_error();
1043 for (i=0; i < sk_X509_num(xs_ctx.chain); i++)
1044 {
1045 x = sk_X509_value(xs_ctx.chain, i);
1046
1047 if (!dtls1_add_cert_to_buf(buf, &l, x))
1048 {
1049 X509_STORE_CTX_cleanup(&xs_ctx);
1050 return 0;
--- 106 unchanged lines hidden (view full) ---
1157 pitem *item;
1158 hm_fragment *frag;
1159 PQ_64BIT seq64;
1160
1161 /* this function is called immediately after a message has
1162 * been serialized */
1163 OPENSSL_assert(s->init_off == 0);
1164
1165 frag = dtls1_hm_fragment_new(s->init_num, 0);
1166
1167 memcpy(frag->fragment, s->init_buf->data, s->init_num);
1168
1169 if ( is_ccs)
1170 {
1171 OPENSSL_assert(s->d1->w_msg_hdr.msg_len +
1172 DTLS1_CCS_HEADER_LENGTH <= (unsigned int)s->init_num);
1173 }
--- 249 unchanged lines hidden ---
2/*
3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
5 */
6/* ====================================================================
7 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
8 *
--- 109 unchanged lines hidden (view full) ---
118#include <stdio.h>
119#include "ssl_locl.h"
120#include <openssl/buffer.h>
121#include <openssl/rand.h>
122#include <openssl/objects.h>
123#include <openssl/evp.h>
124#include <openssl/x509.h>
125
126#define RSMBLY_BITMASK_SIZE(msg_len) (((msg_len) + 7) / 8)
127
128#define RSMBLY_BITMASK_MARK(bitmask, start, end) { \
129 if ((end) - (start) <= 8) { \
130 long ii; \
131 for (ii = (start); ii < (end); ii++) bitmask[((ii) >> 3)] |= (1 << ((ii) & 7)); \
132 } else { \
133 long ii; \
134 bitmask[((start) >> 3)] |= bitmask_start_values[((start) & 7)]; \
135 for (ii = (((start) >> 3) + 1); ii < ((((end) - 1)) >> 3); ii++) bitmask[ii] = 0xff; \
136 bitmask[(((end) - 1) >> 3)] |= bitmask_end_values[((end) & 7)]; \
137 } }
138
139#define RSMBLY_BITMASK_IS_COMPLETE(bitmask, msg_len, is_complete) { \
140 long ii; \
141 OPENSSL_assert((msg_len) > 0); \
142 is_complete = 1; \
143 if (bitmask[(((msg_len) - 1) >> 3)] != bitmask_end_values[((msg_len) & 7)]) is_complete = 0; \
144 if (is_complete) for (ii = (((msg_len) - 1) >> 3) - 1; ii >= 0 ; ii--) \
145 if (bitmask[ii] != 0xff) { is_complete = 0; break; } }
146
147#if 0
148#define RSMBLY_BITMASK_PRINT(bitmask, msg_len) { \
149 long ii; \
150 printf("bitmask: "); for (ii = 0; ii < (msg_len); ii++) \
151 printf("%d ", (bitmask[ii >> 3] & (1 << (ii & 7))) >> (ii & 7)); \
152 printf("\n"); }
153#endif
154
155static unsigned char bitmask_start_values[] = {0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80};
156static unsigned char bitmask_end_values[] = {0x00, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f};
157
158/* XDTLS: figure out the right values */
159static unsigned int g_probable_mtu[] = {1500 - 28, 512 - 28, 256 - 28};
160
161static unsigned int dtls1_min_mtu(void);
162static unsigned int dtls1_guess_mtu(unsigned int curr_mtu);
163static void dtls1_fix_message_header(SSL *s, unsigned long frag_off,
164 unsigned long frag_len);
165static unsigned char *dtls1_write_message_header(SSL *s,
166 unsigned char *p);
167static void dtls1_set_message_header_int(SSL *s, unsigned char mt,
168 unsigned long len, unsigned short seq_num, unsigned long frag_off,
169 unsigned long frag_len);
170static long dtls1_get_message_fragment(SSL *s, int st1, int stn,
171 long max, int *ok);
172
173static hm_fragment *
174dtls1_hm_fragment_new(unsigned long frag_len, int reassembly)
175 {
176 hm_fragment *frag = NULL;
177 unsigned char *buf = NULL;
178 unsigned char *bitmask = NULL;
179
180 frag = (hm_fragment *)OPENSSL_malloc(sizeof(hm_fragment));
181 if ( frag == NULL)
182 return NULL;
183
184 if (frag_len)
185 {
186 buf = (unsigned char *)OPENSSL_malloc(frag_len);
187 if ( buf == NULL)
188 {
189 OPENSSL_free(frag);
190 return NULL;
191 }
192 }
193
194 /* zero length fragment gets zero frag->fragment */
195 frag->fragment = buf;
196
197 /* Initialize reassembly bitmask if necessary */
198 if (reassembly)
199 {
200 bitmask = (unsigned char *)OPENSSL_malloc(RSMBLY_BITMASK_SIZE(frag_len));
201 if (bitmask == NULL)
202 {
203 if (buf != NULL) OPENSSL_free(buf);
204 OPENSSL_free(frag);
205 return NULL;
206 }
207 memset(bitmask, 0, RSMBLY_BITMASK_SIZE(frag_len));
208 }
209
210 frag->reassembly = bitmask;
211
212 return frag;
213 }
214
215static void
216dtls1_hm_fragment_free(hm_fragment *frag)
217 {
218 if (frag->fragment) OPENSSL_free(frag->fragment);
219 if (frag->reassembly) OPENSSL_free(frag->reassembly);
220 OPENSSL_free(frag);
221 }
222
223/* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */
224int dtls1_do_write(SSL *s, int type)
225 {
226 int ret;
227 int curr_mtu;
--- 178 unchanged lines hidden (view full) ---
406 * maximum acceptable body length 'max'.
407 * Read an entire handshake message. Handshake messages arrive in
408 * fragments.
409 */
410long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
411 {
412 int i, al;
413 struct hm_header_st *msg_hdr;
414 unsigned char *p;
415 unsigned long msg_len;
416
417 /* s3->tmp is used to store messages that are unexpected, caused
418 * by the absence of an optional handshake message */
419 if (s->s3->tmp.reuse_message)
420 {
421 s->s3->tmp.reuse_message=0;
422 if ((mt >= 0) && (s->s3->tmp.message_type != mt))
423 {
424 al=SSL_AD_UNEXPECTED_MESSAGE;
425 SSLerr(SSL_F_DTLS1_GET_MESSAGE,SSL_R_UNEXPECTED_MESSAGE);
426 goto f_err;
427 }
428 *ok=1;
429 s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
430 s->init_num = (int)s->s3->tmp.message_size;
431 return s->init_num;
432 }
433
434 msg_hdr = &s->d1->r_msg_hdr;
435 memset(msg_hdr, 0x00, sizeof(struct hm_header_st));
436
437again:
438 i = dtls1_get_message_fragment(s, st1, stn, max, ok);
439 if ( i == DTLS1_HM_BAD_FRAGMENT ||
440 i == DTLS1_HM_FRAGMENT_RETRY) /* bad fragment received */
441 goto again;
442 else if ( i <= 0 && !*ok)
443 return i;
444
445 p = (unsigned char *)s->init_buf->data;
446 msg_len = msg_hdr->msg_len;
447
448 /* reconstruct message header */
449 *(p++) = msg_hdr->type;
450 l2n3(msg_len,p);
451 s2n (msg_hdr->seq,p);
452 l2n3(0,p);
453 l2n3(msg_len,p);
454 if (s->version != DTLS1_BAD_VER) {
455 p -= DTLS1_HM_HEADER_LENGTH;
456 msg_len += DTLS1_HM_HEADER_LENGTH;
457 }
458
459 ssl3_finish_mac(s, p, msg_len);
460 if (s->msg_callback)
461 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
462 p, msg_len,
463 s, s->msg_callback_arg);
464
465 memset(msg_hdr, 0x00, sizeof(struct hm_header_st));
466
467 s->d1->handshake_read_seq++;
468 /* we just read a handshake message from the other side:
469 * this means that we don't need to retransmit of the
470 * buffered messages.
471 * XDTLS: may be able clear out this
472 * buffer a little sooner (i.e if an out-of-order
473 * handshake message/record is received at the record
474 * layer.
475 * XDTLS: exception is that the server needs to
476 * know that change cipher spec and finished messages
477 * have been received by the client before clearing this
478 * buffer. this can simply be done by waiting for the
479 * first data segment, but is there a better way? */
480 dtls1_clear_record_buffer(s);
481
482 s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
483 return s->init_num;
484
485f_err:
486 ssl3_send_alert(s,SSL3_AL_FATAL,al);
487 *ok = 0;
488 return -1;
489 }
490
491
--- 59 unchanged lines hidden (view full) ---
551 int al;
552
553 *ok = 0;
554 item = pqueue_peek(s->d1->buffered_messages);
555 if ( item == NULL)
556 return 0;
557
558 frag = (hm_fragment *)item->data;
559
560 /* Don't return if reassembly still in progress */
561 if (frag->reassembly != NULL)
562 return 0;
563
564 if ( s->d1->handshake_read_seq == frag->msg_header.seq)
565 {
566 unsigned long frag_len = frag->msg_header.frag_len;
567 pqueue_pop(s->d1->buffered_messages);
568
569 al=dtls1_preprocess_fragment(s,&frag->msg_header,max);
570
--- 19 unchanged lines hidden (view full) ---
590 return -1;
591 }
592 else
593 return 0;
594 }
595
596
597static int
598dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
599 {
600 hm_fragment *frag = NULL;
601 pitem *item = NULL;
602 int i = -1, is_complete;
603 PQ_64BIT seq64;
604 unsigned long frag_len = msg_hdr->frag_len, max_len;
605
606 if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
607 goto err;
608
609 /* Determine maximum allowed message size. Depends on (user set)
610 * maximum certificate length, but 16k is minimum.
611 */
612 if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH < s->max_cert_list)
613 max_len = s->max_cert_list;
614 else
615 max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
616
617 if ((msg_hdr->frag_off+frag_len) > max_len)
618 goto err;
619
620 /* Try to find item in queue */
621 pq_64bit_init(&seq64);
622 pq_64bit_assign_word(&seq64, msg_hdr->seq);
623 item = pqueue_find(s->d1->buffered_messages, seq64);
624 pq_64bit_free(&seq64);
625
626 if (item == NULL)
627 {
628 frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 1);
629 if ( frag == NULL)
630 goto err;
631 memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
632 frag->msg_header.frag_len = frag->msg_header.msg_len;
633 frag->msg_header.frag_off = 0;
634 }
635 else
636 frag = (hm_fragment*) item->data;
637
638 /* If message is already reassembled, this must be a
639 * retransmit and can be dropped.
640 */
641 if (frag->reassembly == NULL)
642 {
643 unsigned char devnull [256];
644
645 while (frag_len)
646 {
647 i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
648 devnull,
649 frag_len>sizeof(devnull)?sizeof(devnull):frag_len,0);
650 if (i<=0) goto err;
651 frag_len -= i;
652 }
653 return DTLS1_HM_FRAGMENT_RETRY;
654 }
655
656 /* read the body of the fragment (header has already been read */
657 i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
658 frag->fragment + msg_hdr->frag_off,frag_len,0);
659 if (i<=0 || (unsigned long)i!=frag_len)
660 goto err;
661
662 RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off,
663 (long)(msg_hdr->frag_off + frag_len));
664
665 RSMBLY_BITMASK_IS_COMPLETE(frag->reassembly, (long)msg_hdr->msg_len,
666 is_complete);
667
668 if (is_complete)
669 {
670 OPENSSL_free(frag->reassembly);
671 frag->reassembly = NULL;
672 }
673
674 if (item == NULL)
675 {
676 pq_64bit_init(&seq64);
677 pq_64bit_assign_word(&seq64, msg_hdr->seq);
678 item = pitem_new(seq64, frag);
679 pq_64bit_free(&seq64);
680
681 if (item == NULL)
682 {
683 goto err;
684 i = -1;
685 }
686
687 pqueue_insert(s->d1->buffered_messages, item);
688 }
689
690 return DTLS1_HM_FRAGMENT_RETRY;
691
692err:
693 if (frag != NULL) dtls1_hm_fragment_free(frag);
694 if (item != NULL) OPENSSL_free(item);
695 *ok = 0;
696 return i;
697 }
698
699
700static int
701dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
702{
703 int i=-1;
704 hm_fragment *frag = NULL;
705 pitem *item = NULL;
706 PQ_64BIT seq64;
707 unsigned long frag_len = msg_hdr->frag_len;
708
709 if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
710 goto err;
711
712 /* Try to find item in queue, to prevent duplicate entries */
713 pq_64bit_init(&seq64);
714 pq_64bit_assign_word(&seq64, msg_hdr->seq);
715 item = pqueue_find(s->d1->buffered_messages, seq64);
716 pq_64bit_free(&seq64);
717
718 /* If we already have an entry and this one is a fragment,
719 * don't discard it and rather try to reassemble it.
720 */
721 if (item != NULL && frag_len < msg_hdr->msg_len)
722 item = NULL;
723
724 /* Discard the message if sequence number was already there, is
725 * too far in the future, already in the queue or if we received
726 * a FINISHED before the SERVER_HELLO, which then must be a stale
727 * retransmit.
728 */
729 if (msg_hdr->seq <= s->d1->handshake_read_seq ||
730 msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL ||
731 (s->d1->handshake_read_seq == 0 && msg_hdr->type == SSL3_MT_FINISHED))
--- 4 unchanged lines hidden (view full) ---
736 {
737 i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
738 devnull,
739 frag_len>sizeof(devnull)?sizeof(devnull):frag_len,0);
740 if (i<=0) goto err;
741 frag_len -= i;
742 }
743 }
744 else
745 {
746 if (frag_len && frag_len < msg_hdr->msg_len)
747 return dtls1_reassemble_fragment(s, msg_hdr, ok);
748
749 frag = dtls1_hm_fragment_new(frag_len, 0);
750 if ( frag == NULL)
751 goto err;
752
753 memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
754
755 if (frag_len)
756 {
757 /* read the body of the fragment (header has already been read) */
758 i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
759 frag->fragment,frag_len,0);
760 if (i<=0 || (unsigned long)i!=frag_len)
761 goto err;
762 }
763
764 pq_64bit_init(&seq64);
765 pq_64bit_assign_word(&seq64, msg_hdr->seq);
766
767 item = pitem_new(seq64, frag);
768 pq_64bit_free(&seq64);
769 if ( item == NULL)
770 goto err;
771
772 pqueue_insert(s->d1->buffered_messages, item);
773 }
774
775 return DTLS1_HM_FRAGMENT_RETRY;
776
777err:
778 if ( frag != NULL) dtls1_hm_fragment_free(frag);
779 if ( item != NULL) OPENSSL_free(item);
780 *ok = 0;
781 return i;
782 }
783
784
785static long
786dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
787 {
788 unsigned char wire[DTLS1_HM_HEADER_LENGTH];
789 unsigned long len, frag_off, frag_len;
790 int i,al;
791 struct hm_header_st msg_hdr;
792
793 /* see if we have the required fragment already */
794 if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok)
795 {
796 if (*ok) s->init_num = frag_len;
797 return frag_len;
798 }
799
800 /* read handshake message header */
801 i=s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,wire,
802 DTLS1_HM_HEADER_LENGTH, 0);
803 if (i <= 0) /* nbio, or an error */
804 {
--- 8 unchanged lines hidden (view full) ---
813
814 /*
815 * if this is a future (or stale) message it gets buffered
816 * (or dropped)--no further processing at this time
817 */
818 if ( msg_hdr.seq != s->d1->handshake_read_seq)
819 return dtls1_process_out_of_seq_message(s, &msg_hdr, ok);
820
821 len = msg_hdr.msg_len;
822 frag_off = msg_hdr.frag_off;
823 frag_len = msg_hdr.frag_len;
824
825 if (frag_len && frag_len < len)
826 return dtls1_reassemble_fragment(s, &msg_hdr, ok);
827
828 if (!s->server && s->d1->r_msg_hdr.frag_off == 0 &&
829 wire[0] == SSL3_MT_HELLO_REQUEST)
830 {
831 /* The server may always send 'Hello Request' messages --
832 * we are doing a handshake anyway now, so ignore them
833 * if their format is correct. Does not count for
834 * 'Finished' MAC. */
835 if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0)
--- 43 unchanged lines hidden (view full) ---
879 OPENSSL_assert(i == (int)frag_len);
880
881 *ok = 1;
882
883 /* Note that s->init_num is *not* used as current offset in
884 * s->init_buf->data, but as a counter summing up fragments'
885 * lengths: as soon as they sum up to handshake packet
886 * length, we assume we have got all the fragments. */
887 s->init_num = frag_len;
888 return frag_len;
889
890f_err:
891 ssl3_send_alert(s,SSL3_AL_FATAL,al);
892 s->init_num = 0;
893
894 *ok=0;
895 return(-1);
--- 137 unchanged lines hidden (view full) ---
1033
1034 if (!X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,x,NULL))
1035 {
1036 SSLerr(SSL_F_DTLS1_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB);
1037 return(0);
1038 }
1039
1040 X509_verify_cert(&xs_ctx);
1041 /* Don't leave errors in the queue */
1042 ERR_clear_error();
1043 for (i=0; i < sk_X509_num(xs_ctx.chain); i++)
1044 {
1045 x = sk_X509_value(xs_ctx.chain, i);
1046
1047 if (!dtls1_add_cert_to_buf(buf, &l, x))
1048 {
1049 X509_STORE_CTX_cleanup(&xs_ctx);
1050 return 0;
--- 106 unchanged lines hidden (view full) ---
1157 pitem *item;
1158 hm_fragment *frag;
1159 PQ_64BIT seq64;
1160
1161 /* this function is called immediately after a message has
1162 * been serialized */
1163 OPENSSL_assert(s->init_off == 0);
1164
1165 frag = dtls1_hm_fragment_new(s->init_num, 0);
1166
1167 memcpy(frag->fragment, s->init_buf->data, s->init_num);
1168
1169 if ( is_ccs)
1170 {
1171 OPENSSL_assert(s->d1->w_msg_hdr.msg_len +
1172 DTLS1_CCS_HEADER_LENGTH <= (unsigned int)s->init_num);
1173 }
--- 249 unchanged lines hidden ---