d1_pkt.c (215697) | d1_pkt.c (237657) |
---|---|
1/* ssl/d1_pkt.c */ 2/* 3 * DTLS implementation written by Nagendra Modadugu 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 5 */ 6/* ==================================================================== 7 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. 8 * --- 125 unchanged lines hidden (view full) --- 134 unsigned short *priority, unsigned long *offset); 135#endif 136static int dtls1_buffer_record(SSL *s, record_pqueue *q, 137 PQ_64BIT *priority); 138static int dtls1_process_record(SSL *s); 139#if PQ_64BIT_IS_INTEGER 140static PQ_64BIT bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num); 141#endif | 1/* ssl/d1_pkt.c */ 2/* 3 * DTLS implementation written by Nagendra Modadugu 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 5 */ 6/* ==================================================================== 7 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. 8 * --- 125 unchanged lines hidden (view full) --- 134 unsigned short *priority, unsigned long *offset); 135#endif 136static int dtls1_buffer_record(SSL *s, record_pqueue *q, 137 PQ_64BIT *priority); 138static int dtls1_process_record(SSL *s); 139#if PQ_64BIT_IS_INTEGER 140static PQ_64BIT bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num); 141#endif |
142static void dtls1_clear_timeouts(SSL *s); | |
143 144/* copy buffered record into SSL structure */ 145static int 146dtls1_copy_record(SSL *s, pitem *item) 147 { 148 DTLS1_RECORD_DATA *rdata; 149 150 rdata = (DTLS1_RECORD_DATA *)item->data; --- 179 unchanged lines hidden (view full) --- 330{ 331 int al; 332 int clear=0; 333 int enc_err; 334 SSL_SESSION *sess; 335 SSL3_RECORD *rr; 336 unsigned int mac_size; 337 unsigned char md[EVP_MAX_MD_SIZE]; | 142 143/* copy buffered record into SSL structure */ 144static int 145dtls1_copy_record(SSL *s, pitem *item) 146 { 147 DTLS1_RECORD_DATA *rdata; 148 149 rdata = (DTLS1_RECORD_DATA *)item->data; --- 179 unchanged lines hidden (view full) --- 329{ 330 int al; 331 int clear=0; 332 int enc_err; 333 SSL_SESSION *sess; 334 SSL3_RECORD *rr; 335 unsigned int mac_size; 336 unsigned char md[EVP_MAX_MD_SIZE]; |
337 int decryption_failed_or_bad_record_mac = 0; 338 unsigned char *mac = NULL; |
|
338 339 340 rr= &(s->s3->rrec); 341 sess = s->session; 342 343 /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, 344 * and we have that many bytes in s->packet 345 */ --- 18 unchanged lines hidden (view full) --- 364 } 365 366 /* decrypt in place in 'rr->input' */ 367 rr->data=rr->input; 368 369 enc_err = s->method->ssl3_enc->enc(s,0); 370 if (enc_err <= 0) 371 { | 339 340 341 rr= &(s->s3->rrec); 342 sess = s->session; 343 344 /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, 345 * and we have that many bytes in s->packet 346 */ --- 18 unchanged lines hidden (view full) --- 365 } 366 367 /* decrypt in place in 'rr->input' */ 368 rr->data=rr->input; 369 370 enc_err = s->method->ssl3_enc->enc(s,0); 371 if (enc_err <= 0) 372 { |
372 if (enc_err == 0) 373 /* SSLerr() and ssl3_send_alert() have been called */ 374 goto err; 375 376 /* otherwise enc_err == -1 */ 377 goto err; | 373 /* To minimize information leaked via timing, we will always 374 * perform all computations before discarding the message. 375 */ 376 decryption_failed_or_bad_record_mac = 1; |
378 } 379 380#ifdef TLS_DEBUG 381printf("dec %d\n",rr->length); 382{ unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); } 383printf("\n"); 384#endif 385 --- 9 unchanged lines hidden (view full) --- 395 396 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size) 397 { 398#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */ 399 al=SSL_AD_RECORD_OVERFLOW; 400 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); 401 goto f_err; 402#else | 377 } 378 379#ifdef TLS_DEBUG 380printf("dec %d\n",rr->length); 381{ unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); } 382printf("\n"); 383#endif 384 --- 9 unchanged lines hidden (view full) --- 394 395 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size) 396 { 397#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */ 398 al=SSL_AD_RECORD_OVERFLOW; 399 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); 400 goto f_err; 401#else |
403 goto err; | 402 decryption_failed_or_bad_record_mac = 1; |
404#endif 405 } 406 /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ | 403#endif 404 } 405 /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ |
407 if (rr->length < mac_size) | 406 if (rr->length >= mac_size) |
408 { | 407 { |
409#if 0 /* OK only for stream ciphers */ 410 al=SSL_AD_DECODE_ERROR; 411 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); 412 goto f_err; 413#else 414 goto err; 415#endif | 408 rr->length -= mac_size; 409 mac = &rr->data[rr->length]; |
416 } | 410 } |
417 rr->length-=mac_size; | 411 else 412 rr->length = 0; |
418 s->method->ssl3_enc->mac(s,md,0); | 413 s->method->ssl3_enc->mac(s,md,0); |
419 if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0) | 414 if (mac == NULL || memcmp(md, mac, mac_size) != 0) |
420 { | 415 { |
421 goto err; | 416 decryption_failed_or_bad_record_mac = 1; |
422 } 423 } 424 | 417 } 418 } 419 |
420 if (decryption_failed_or_bad_record_mac) 421 { 422 /* decryption failed, silently discard message */ 423 rr->length = 0; 424 s->packet_length = 0; 425 goto err; 426 } 427 |
|
425 /* r->length is now just compressed */ 426 if (s->expand != NULL) 427 { 428 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) 429 { 430 al=SSL_AD_RECORD_OVERFLOW; 431 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG); 432 goto f_err; --- 177 unchanged lines hidden (view full) --- 610 goto again; /* get another record */ 611 } 612 613 /* just read a 0 length packet */ 614 if (rr->length == 0) goto again; 615 616 /* If this record is from the next epoch (either HM or ALERT), 617 * and a handshake is currently in progress, buffer it since it | 428 /* r->length is now just compressed */ 429 if (s->expand != NULL) 430 { 431 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) 432 { 433 al=SSL_AD_RECORD_OVERFLOW; 434 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG); 435 goto f_err; --- 177 unchanged lines hidden (view full) --- 613 goto again; /* get another record */ 614 } 615 616 /* just read a 0 length packet */ 617 if (rr->length == 0) goto again; 618 619 /* If this record is from the next epoch (either HM or ALERT), 620 * and a handshake is currently in progress, buffer it since it |
618 * cannot be processed at this time. */ | 621 * cannot be processed at this time. However, do not buffer 622 * anything while listening. 623 */ |
619 if (is_next_epoch) 620 { | 624 if (is_next_epoch) 625 { |
621 if (SSL_in_init(s) || s->in_handshake) | 626 if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen) |
622 { 623 dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), &rr->seq_num); 624 } 625 rr->length = 0; 626 s->packet_length = 0; 627 goto again; 628 } 629 630 if (!dtls1_process_record(s)) 631 { 632 rr->length = 0; 633 s->packet_length=0; /* dump this record */ 634 goto again; /* get another record */ 635 } 636 | 627 { 628 dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), &rr->seq_num); 629 } 630 rr->length = 0; 631 s->packet_length = 0; 632 goto again; 633 } 634 635 if (!dtls1_process_record(s)) 636 { 637 rr->length = 0; 638 s->packet_length=0; /* dump this record */ 639 goto again; /* get another record */ 640 } 641 |
637 dtls1_clear_timeouts(s); /* done waiting */ | |
638 return(1); 639 640 } 641 642/* Return up to 'len' payload bytes received in 'type' records. 643 * 'type' is one of the following: 644 * 645 * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us) --- 452 unchanged lines hidden (view full) --- 1098 goto start; 1099 } 1100 1101 /* If we are server, we may have a repeated FINISHED of the 1102 * client here, then retransmit our CCS and FINISHED. 1103 */ 1104 if (msg_hdr.type == SSL3_MT_FINISHED) 1105 { | 642 return(1); 643 644 } 645 646/* Return up to 'len' payload bytes received in 'type' records. 647 * 'type' is one of the following: 648 * 649 * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us) --- 452 unchanged lines hidden (view full) --- 1102 goto start; 1103 } 1104 1105 /* If we are server, we may have a repeated FINISHED of the 1106 * client here, then retransmit our CCS and FINISHED. 1107 */ 1108 if (msg_hdr.type == SSL3_MT_FINISHED) 1109 { |
1110 if (dtls1_check_timeout_num(s) < 0) 1111 return -1; 1112 |
|
1106 dtls1_retransmit_buffered_messages(s); 1107 rr->length = 0; 1108 goto start; 1109 } 1110 1111 if (((s->state&SSL_ST_MASK) == SSL_ST_OK) && 1112 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) 1113 { --- 687 unchanged lines hidden (view full) --- 1801 (((PQ_64BIT)bytes[5]) << 16) | 1802 (((PQ_64BIT)bytes[6]) << 8) | 1803 (((PQ_64BIT)bytes[7]) ); 1804 1805 *num = _num ; 1806 return _num; 1807 } 1808#endif | 1113 dtls1_retransmit_buffered_messages(s); 1114 rr->length = 0; 1115 goto start; 1116 } 1117 1118 if (((s->state&SSL_ST_MASK) == SSL_ST_OK) && 1119 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) 1120 { --- 687 unchanged lines hidden (view full) --- 1808 (((PQ_64BIT)bytes[5]) << 16) | 1809 (((PQ_64BIT)bytes[6]) << 8) | 1810 (((PQ_64BIT)bytes[7]) ); 1811 1812 *num = _num ; 1813 return _num; 1814 } 1815#endif |
1809 1810 1811static void 1812dtls1_clear_timeouts(SSL *s) 1813 { 1814 memset(&(s->d1->timeout), 0x00, sizeof(struct dtls1_timeout_st)); 1815 } | |