d1_both.c revision 238405
1259701Sdim/* ssl/d1_both.c */ 2259701Sdim/* 3259701Sdim * DTLS implementation written by Nagendra Modadugu 4259701Sdim * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 5259701Sdim */ 6259701Sdim/* ==================================================================== 7259701Sdim * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. 8259701Sdim * 9259701Sdim * Redistribution and use in source and binary forms, with or without 10259701Sdim * modification, are permitted provided that the following conditions 11259701Sdim * are met: 12259701Sdim * 13259701Sdim * 1. Redistributions of source code must retain the above copyright 14259701Sdim * notice, this list of conditions and the following disclaimer. 15259701Sdim * 16259701Sdim * 2. Redistributions in binary form must reproduce the above copyright 17259701Sdim * notice, this list of conditions and the following disclaimer in 18259701Sdim * the documentation and/or other materials provided with the 19259701Sdim * distribution. 20259701Sdim * 21259701Sdim * 3. All advertising materials mentioning features or use of this 22259701Sdim * software must display the following acknowledgment: 23259701Sdim * "This product includes software developed by the OpenSSL Project 24259701Sdim * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 25259701Sdim * 26259701Sdim * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27259701Sdim * endorse or promote products derived from this software without 28259701Sdim * prior written permission. For written permission, please contact 29259701Sdim * openssl-core@openssl.org. 30259701Sdim * 31259701Sdim * 5. Products derived from this software may not be called "OpenSSL" 32259701Sdim * nor may "OpenSSL" appear in their names without prior written 33259701Sdim * permission of the OpenSSL Project. 34259701Sdim * 35259701Sdim * 6. Redistributions of any form whatsoever must retain the following 36259701Sdim * acknowledgment: 37259701Sdim * "This product includes software developed by the OpenSSL Project 38259701Sdim * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 39259701Sdim * 40259701Sdim * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41259701Sdim * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42259701Sdim * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43259701Sdim * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44259701Sdim * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45259701Sdim * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46259701Sdim * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47259701Sdim * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48259701Sdim * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49259701Sdim * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50259701Sdim * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51259701Sdim * OF THE POSSIBILITY OF SUCH DAMAGE. 52259701Sdim * ==================================================================== 53259701Sdim * 54259701Sdim * This product includes cryptographic software written by Eric Young 55259701Sdim * (eay@cryptsoft.com). This product includes software written by Tim 56259701Sdim * Hudson (tjh@cryptsoft.com). 57259701Sdim * 58259701Sdim */ 59259701Sdim/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 60259701Sdim * All rights reserved. 61259701Sdim * 62259701Sdim * This package is an SSL implementation written 63259701Sdim * by Eric Young (eay@cryptsoft.com). 64259701Sdim * The implementation was written so as to conform with Netscapes SSL. 65259701Sdim * 66259701Sdim * This library is free for commercial and non-commercial use as long as 67259701Sdim * the following conditions are aheared to. The following conditions 68259701Sdim * apply to all code found in this distribution, be it the RC4, RSA, 69259701Sdim * lhash, DES, etc., code; not just the SSL code. The SSL documentation 70259701Sdim * included with this distribution is covered by the same copyright terms 71259701Sdim * except that the holder is Tim Hudson (tjh@cryptsoft.com). 72259701Sdim * 73259701Sdim * Copyright remains Eric Young's, and as such any Copyright notices in 74259701Sdim * the code are not to be removed. 75259701Sdim * If this package is used in a product, Eric Young should be given attribution 76259701Sdim * as the author of the parts of the library used. 77259701Sdim * This can be in the form of a textual message at program startup or 78259701Sdim * in documentation (online or textual) provided with the package. 79259701Sdim * 80259701Sdim * Redistribution and use in source and binary forms, with or without 81259701Sdim * modification, are permitted provided that the following conditions 82259701Sdim * are met: 83259701Sdim * 1. Redistributions of source code must retain the copyright 84259701Sdim * notice, this list of conditions and the following disclaimer. 85259701Sdim * 2. Redistributions in binary form must reproduce the above copyright 86259701Sdim * notice, this list of conditions and the following disclaimer in the 87259701Sdim * documentation and/or other materials provided with the distribution. 88259701Sdim * 3. All advertising materials mentioning features or use of this software 89259701Sdim * must display the following acknowledgement: 90259701Sdim * "This product includes cryptographic software written by 91259701Sdim * Eric Young (eay@cryptsoft.com)" 92259701Sdim * The word 'cryptographic' can be left out if the rouines from the library 93259701Sdim * being used are not cryptographic related :-). 94259701Sdim * 4. If you include any Windows specific code (or a derivative thereof) from 95259701Sdim * the apps directory (application code) you must include an acknowledgement: 96259701Sdim * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 97259701Sdim * 98259701Sdim * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 99259701Sdim * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 100259701Sdim * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 101259701Sdim * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 102259701Sdim * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 103259701Sdim * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 104259701Sdim * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 105259701Sdim * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 106259701Sdim * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 107259701Sdim * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 108259701Sdim * SUCH DAMAGE. 109259701Sdim * 110259701Sdim * The licence and distribution terms for any publically available version or 111259701Sdim * derivative of this code cannot be changed. i.e. this code cannot simply be 112259701Sdim * copied and put under another distribution licence 113259701Sdim * [including the GNU Public Licence.] 114259701Sdim */ 115259701Sdim 116259701Sdim#include <limits.h> 117259701Sdim#include <string.h> 118259701Sdim#include <stdio.h> 119259701Sdim#include "ssl_locl.h" 120259701Sdim#include <openssl/buffer.h> 121259701Sdim#include <openssl/rand.h> 122259701Sdim#include <openssl/objects.h> 123259701Sdim#include <openssl/evp.h> 124259701Sdim#include <openssl/x509.h> 125259701Sdim 126259701Sdim#define RSMBLY_BITMASK_SIZE(msg_len) (((msg_len) + 7) / 8) 127259701Sdim 128259701Sdim#define RSMBLY_BITMASK_MARK(bitmask, start, end) { \ 129259701Sdim if ((end) - (start) <= 8) { \ 130259701Sdim long ii; \ 131259701Sdim for (ii = (start); ii < (end); ii++) bitmask[((ii) >> 3)] |= (1 << ((ii) & 7)); \ 132259701Sdim } else { \ 133259701Sdim long ii; \ 134259701Sdim bitmask[((start) >> 3)] |= bitmask_start_values[((start) & 7)]; \ 135259701Sdim for (ii = (((start) >> 3) + 1); ii < ((((end) - 1)) >> 3); ii++) bitmask[ii] = 0xff; \ 136259701Sdim bitmask[(((end) - 1) >> 3)] |= bitmask_end_values[((end) & 7)]; \ 137259701Sdim } } 138259701Sdim 139259701Sdim#define RSMBLY_BITMASK_IS_COMPLETE(bitmask, msg_len, is_complete) { \ 140259701Sdim long ii; \ 141259701Sdim OPENSSL_assert((msg_len) > 0); \ 142259701Sdim is_complete = 1; \ 143259701Sdim if (bitmask[(((msg_len) - 1) >> 3)] != bitmask_end_values[((msg_len) & 7)]) is_complete = 0; \ 144259701Sdim if (is_complete) for (ii = (((msg_len) - 1) >> 3) - 1; ii >= 0 ; ii--) \ 145259701Sdim if (bitmask[ii] != 0xff) { is_complete = 0; break; } } 146259701Sdim 147259701Sdim#if 0 148259701Sdim#define RSMBLY_BITMASK_PRINT(bitmask, msg_len) { \ 149259701Sdim long ii; \ 150259701Sdim printf("bitmask: "); for (ii = 0; ii < (msg_len); ii++) \ 151259701Sdim printf("%d ", (bitmask[ii >> 3] & (1 << (ii & 7))) >> (ii & 7)); \ 152259701Sdim printf("\n"); } 153259701Sdim#endif 154259701Sdim 155259701Sdimstatic unsigned char bitmask_start_values[] = {0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80}; 156259701Sdimstatic unsigned char bitmask_end_values[] = {0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f}; 157259701Sdim 158259701Sdim/* XDTLS: figure out the right values */ 159259701Sdimstatic unsigned int g_probable_mtu[] = {1500 - 28, 512 - 28, 256 - 28}; 160259701Sdim 161259701Sdimstatic unsigned int dtls1_guess_mtu(unsigned int curr_mtu); 162259701Sdimstatic void dtls1_fix_message_header(SSL *s, unsigned long frag_off, 163259701Sdim unsigned long frag_len); 164259701Sdimstatic unsigned char *dtls1_write_message_header(SSL *s, 165259701Sdim unsigned char *p); 166259701Sdimstatic void dtls1_set_message_header_int(SSL *s, unsigned char mt, 167259701Sdim unsigned long len, unsigned short seq_num, unsigned long frag_off, 168259701Sdim unsigned long frag_len); 169259701Sdimstatic long dtls1_get_message_fragment(SSL *s, int st1, int stn, 170259701Sdim long max, int *ok); 171259701Sdim 172259701Sdimstatic hm_fragment * 173259701Sdimdtls1_hm_fragment_new(unsigned long frag_len, int reassembly) 174259701Sdim { 175259701Sdim hm_fragment *frag = NULL; 176259701Sdim unsigned char *buf = NULL; 177259701Sdim unsigned char *bitmask = NULL; 178259701Sdim 179259701Sdim frag = (hm_fragment *)OPENSSL_malloc(sizeof(hm_fragment)); 180259701Sdim if ( frag == NULL) 181259701Sdim return NULL; 182259701Sdim 183259701Sdim if (frag_len) 184259701Sdim { 185259701Sdim buf = (unsigned char *)OPENSSL_malloc(frag_len); 186259701Sdim if ( buf == NULL) 187259701Sdim { 188259701Sdim OPENSSL_free(frag); 189259701Sdim return NULL; 190259701Sdim } 191259701Sdim } 192259701Sdim 193259701Sdim /* zero length fragment gets zero frag->fragment */ 194259701Sdim frag->fragment = buf; 195259701Sdim 196259701Sdim /* Initialize reassembly bitmask if necessary */ 197259701Sdim if (reassembly) 198259701Sdim { 199259701Sdim bitmask = (unsigned char *)OPENSSL_malloc(RSMBLY_BITMASK_SIZE(frag_len)); 200259701Sdim if (bitmask == NULL) 201259701Sdim { 202259701Sdim if (buf != NULL) OPENSSL_free(buf); 203259701Sdim OPENSSL_free(frag); 204259701Sdim return NULL; 205259701Sdim } 206259701Sdim memset(bitmask, 0, RSMBLY_BITMASK_SIZE(frag_len)); 207259701Sdim } 208259701Sdim 209259701Sdim frag->reassembly = bitmask; 210259701Sdim 211259701Sdim return frag; 212259701Sdim } 213259701Sdim 214259701Sdimstatic void 215259701Sdimdtls1_hm_fragment_free(hm_fragment *frag) 216259701Sdim { 217259701Sdim if (frag->fragment) OPENSSL_free(frag->fragment); 218259701Sdim if (frag->reassembly) OPENSSL_free(frag->reassembly); 219259701Sdim OPENSSL_free(frag); 220259701Sdim } 221259701Sdim 222259701Sdim/* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */ 223259701Sdimint dtls1_do_write(SSL *s, int type) 224259701Sdim { 225259701Sdim int ret; 226259701Sdim int curr_mtu; 227259701Sdim unsigned int len, frag_off, mac_size, blocksize; 228259701Sdim 229259701Sdim /* AHA! Figure out the MTU, and stick to the right size */ 230259701Sdim if (s->d1->mtu < dtls1_min_mtu() && !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) 231259701Sdim { 232259701Sdim s->d1->mtu = 233259701Sdim BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL); 234259701Sdim 235259701Sdim /* I've seen the kernel return bogus numbers when it doesn't know 236259701Sdim * (initial write), so just make sure we have a reasonable number */ 237259701Sdim if (s->d1->mtu < dtls1_min_mtu()) 238259701Sdim { 239259701Sdim s->d1->mtu = 0; 240259701Sdim s->d1->mtu = dtls1_guess_mtu(s->d1->mtu); 241259701Sdim BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SET_MTU, 242259701Sdim s->d1->mtu, NULL); 243259701Sdim } 244259701Sdim } 245259701Sdim#if 0 246259701Sdim mtu = s->d1->mtu; 247259701Sdim 248259701Sdim fprintf(stderr, "using MTU = %d\n", mtu); 249259701Sdim 250259701Sdim mtu -= (DTLS1_HM_HEADER_LENGTH + DTLS1_RT_HEADER_LENGTH); 251259701Sdim 252259701Sdim curr_mtu = mtu - BIO_wpending(SSL_get_wbio(s)); 253259701Sdim 254259701Sdim if ( curr_mtu > 0) 255259701Sdim mtu = curr_mtu; 256259701Sdim else if ( ( ret = BIO_flush(SSL_get_wbio(s))) <= 0) 257259701Sdim return ret; 258259701Sdim 259259701Sdim if ( BIO_wpending(SSL_get_wbio(s)) + s->init_num >= mtu) 260259701Sdim { 261259701Sdim ret = BIO_flush(SSL_get_wbio(s)); 262259701Sdim if ( ret <= 0) 263259701Sdim return ret; 264259701Sdim mtu = s->d1->mtu - (DTLS1_HM_HEADER_LENGTH + DTLS1_RT_HEADER_LENGTH); 265259701Sdim } 266259701Sdim#endif 267259701Sdim 268259701Sdim OPENSSL_assert(s->d1->mtu >= dtls1_min_mtu()); /* should have something reasonable now */ 269259701Sdim 270259701Sdim if ( s->init_off == 0 && type == SSL3_RT_HANDSHAKE) 271259701Sdim OPENSSL_assert(s->init_num == 272259701Sdim (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH); 273259701Sdim 274259701Sdim if (s->write_hash) 275259701Sdim mac_size = EVP_MD_CTX_size(s->write_hash); 276259701Sdim else 277259701Sdim mac_size = 0; 278259701Sdim 279259701Sdim if (s->enc_write_ctx && 280259701Sdim (EVP_CIPHER_mode( s->enc_write_ctx->cipher) & EVP_CIPH_CBC_MODE)) 281259701Sdim blocksize = 2 * EVP_CIPHER_block_size(s->enc_write_ctx->cipher); 282259701Sdim else 283259701Sdim blocksize = 0; 284259701Sdim 285259701Sdim frag_off = 0; 286259701Sdim while( s->init_num) 287259701Sdim { 288259701Sdim curr_mtu = s->d1->mtu - BIO_wpending(SSL_get_wbio(s)) - 289259701Sdim DTLS1_RT_HEADER_LENGTH - mac_size - blocksize; 290259701Sdim 291259701Sdim if ( curr_mtu <= DTLS1_HM_HEADER_LENGTH) 292259701Sdim { 293259701Sdim /* grr.. we could get an error if MTU picked was wrong */ 294259701Sdim ret = BIO_flush(SSL_get_wbio(s)); 295259701Sdim if ( ret <= 0) 296259701Sdim return ret; 297259701Sdim curr_mtu = s->d1->mtu - DTLS1_RT_HEADER_LENGTH - 298259701Sdim mac_size - blocksize; 299259701Sdim } 300259701Sdim 301259701Sdim if ( s->init_num > curr_mtu) 302259701Sdim len = curr_mtu; 303259701Sdim else 304259701Sdim len = s->init_num; 305259701Sdim 306259701Sdim 307259701Sdim /* XDTLS: this function is too long. split out the CCS part */ 308259701Sdim if ( type == SSL3_RT_HANDSHAKE) 309259701Sdim { 310259701Sdim if ( s->init_off != 0) 311259701Sdim { 312259701Sdim OPENSSL_assert(s->init_off > DTLS1_HM_HEADER_LENGTH); 313259701Sdim s->init_off -= DTLS1_HM_HEADER_LENGTH; 314259701Sdim s->init_num += DTLS1_HM_HEADER_LENGTH; 315259701Sdim 316259701Sdim /* write atleast DTLS1_HM_HEADER_LENGTH bytes */ 317259701Sdim if ( len <= DTLS1_HM_HEADER_LENGTH) 318259701Sdim len += DTLS1_HM_HEADER_LENGTH; 319259701Sdim } 320259701Sdim 321259701Sdim dtls1_fix_message_header(s, frag_off, 322259701Sdim len - DTLS1_HM_HEADER_LENGTH); 323259701Sdim 324259701Sdim dtls1_write_message_header(s, (unsigned char *)&s->init_buf->data[s->init_off]); 325259701Sdim 326259701Sdim OPENSSL_assert(len >= DTLS1_HM_HEADER_LENGTH); 327259701Sdim } 328259701Sdim 329259701Sdim ret=dtls1_write_bytes(s,type,&s->init_buf->data[s->init_off], 330259701Sdim len); 331259701Sdim if (ret < 0) 332259701Sdim { 333259701Sdim /* might need to update MTU here, but we don't know 334259701Sdim * which previous packet caused the failure -- so can't 335259701Sdim * really retransmit anything. continue as if everything 336259701Sdim * is fine and wait for an alert to handle the 337259701Sdim * retransmit 338259701Sdim */ 339259701Sdim if ( BIO_ctrl(SSL_get_wbio(s), 340259701Sdim BIO_CTRL_DGRAM_MTU_EXCEEDED, 0, NULL) > 0 ) 341259701Sdim s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), 342259701Sdim BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL); 343259701Sdim else 344259701Sdim return(-1); 345259701Sdim } 346259701Sdim else 347259701Sdim { 348259701Sdim 349259701Sdim /* bad if this assert fails, only part of the handshake 350259701Sdim * message got sent. but why would this happen? */ 351259701Sdim OPENSSL_assert(len == (unsigned int)ret); 352259701Sdim 353259701Sdim if (type == SSL3_RT_HANDSHAKE && ! s->d1->retransmitting) 354259701Sdim { 355259701Sdim /* should not be done for 'Hello Request's, but in that case 356259701Sdim * we'll ignore the result anyway */ 357259701Sdim unsigned char *p = (unsigned char *)&s->init_buf->data[s->init_off]; 358259701Sdim const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; 359259701Sdim int xlen; 360259701Sdim 361259701Sdim if (frag_off == 0 && s->version != DTLS1_BAD_VER) 362259701Sdim { 363259701Sdim /* reconstruct message header is if it 364259701Sdim * is being sent in single fragment */ 365259701Sdim *p++ = msg_hdr->type; 366259701Sdim l2n3(msg_hdr->msg_len,p); 367259701Sdim s2n (msg_hdr->seq,p); 368259701Sdim l2n3(0,p); 369259701Sdim l2n3(msg_hdr->msg_len,p); 370259701Sdim p -= DTLS1_HM_HEADER_LENGTH; 371259701Sdim xlen = ret; 372259701Sdim } 373259701Sdim else 374259701Sdim { 375259701Sdim p += DTLS1_HM_HEADER_LENGTH; 376259701Sdim xlen = ret - DTLS1_HM_HEADER_LENGTH; 377259701Sdim } 378259701Sdim 379259701Sdim ssl3_finish_mac(s, p, xlen); 380259701Sdim } 381259701Sdim 382259701Sdim if (ret == s->init_num) 383259701Sdim { 384259701Sdim if (s->msg_callback) 385259701Sdim s->msg_callback(1, s->version, type, s->init_buf->data, 386259701Sdim (size_t)(s->init_off + s->init_num), s, 387259701Sdim s->msg_callback_arg); 388259701Sdim 389259701Sdim s->init_off = 0; /* done writing this message */ 390259701Sdim s->init_num = 0; 391259701Sdim 392259701Sdim return(1); 393259701Sdim } 394259701Sdim s->init_off+=ret; 395259701Sdim s->init_num-=ret; 396259701Sdim frag_off += (ret -= DTLS1_HM_HEADER_LENGTH); 397259701Sdim } 398259701Sdim } 399259701Sdim return(0); 400259701Sdim } 401259701Sdim 402259701Sdim 403259701Sdim/* Obtain handshake message of message type 'mt' (any if mt == -1), 404259701Sdim * maximum acceptable body length 'max'. 405259701Sdim * Read an entire handshake message. Handshake messages arrive in 406259701Sdim * fragments. 407259701Sdim */ 408259701Sdimlong dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) 409259701Sdim { 410259701Sdim int i, al; 411259701Sdim struct hm_header_st *msg_hdr; 412259701Sdim unsigned char *p; 413259701Sdim unsigned long msg_len; 414259701Sdim 415259701Sdim /* s3->tmp is used to store messages that are unexpected, caused 416259701Sdim * by the absence of an optional handshake message */ 417259701Sdim if (s->s3->tmp.reuse_message) 418259701Sdim { 419259701Sdim s->s3->tmp.reuse_message=0; 420259701Sdim if ((mt >= 0) && (s->s3->tmp.message_type != mt)) 421259701Sdim { 422259701Sdim al=SSL_AD_UNEXPECTED_MESSAGE; 423259701Sdim SSLerr(SSL_F_DTLS1_GET_MESSAGE,SSL_R_UNEXPECTED_MESSAGE); 424259701Sdim goto f_err; 425259701Sdim } 426259701Sdim *ok=1; 427259701Sdim s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH; 428259701Sdim s->init_num = (int)s->s3->tmp.message_size; 429259701Sdim return s->init_num; 430259701Sdim } 431259701Sdim 432259701Sdim msg_hdr = &s->d1->r_msg_hdr; 433259701Sdim memset(msg_hdr, 0x00, sizeof(struct hm_header_st)); 434259701Sdim 435259701Sdimagain: 436259701Sdim i = dtls1_get_message_fragment(s, st1, stn, max, ok); 437259701Sdim if ( i == DTLS1_HM_BAD_FRAGMENT || 438259701Sdim i == DTLS1_HM_FRAGMENT_RETRY) /* bad fragment received */ 439259701Sdim goto again; 440259701Sdim else if ( i <= 0 && !*ok) 441259701Sdim return i; 442259701Sdim 443259701Sdim p = (unsigned char *)s->init_buf->data; 444259701Sdim msg_len = msg_hdr->msg_len; 445259701Sdim 446259701Sdim /* reconstruct message header */ 447259701Sdim *(p++) = msg_hdr->type; 448259701Sdim l2n3(msg_len,p); 449259701Sdim s2n (msg_hdr->seq,p); 450259701Sdim l2n3(0,p); 451259701Sdim l2n3(msg_len,p); 452259701Sdim if (s->version != DTLS1_BAD_VER) { 453259701Sdim p -= DTLS1_HM_HEADER_LENGTH; 454 msg_len += DTLS1_HM_HEADER_LENGTH; 455 } 456 457 ssl3_finish_mac(s, p, msg_len); 458 if (s->msg_callback) 459 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 460 p, msg_len, 461 s, s->msg_callback_arg); 462 463 memset(msg_hdr, 0x00, sizeof(struct hm_header_st)); 464 465 /* Don't change sequence numbers while listening */ 466 if (!s->d1->listen) 467 s->d1->handshake_read_seq++; 468 469 s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH; 470 return s->init_num; 471 472f_err: 473 ssl3_send_alert(s,SSL3_AL_FATAL,al); 474 *ok = 0; 475 return -1; 476 } 477 478 479static int dtls1_preprocess_fragment(SSL *s,struct hm_header_st *msg_hdr,int max) 480 { 481 size_t frag_off,frag_len,msg_len; 482 483 msg_len = msg_hdr->msg_len; 484 frag_off = msg_hdr->frag_off; 485 frag_len = msg_hdr->frag_len; 486 487 /* sanity checking */ 488 if ( (frag_off+frag_len) > msg_len) 489 { 490 SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT,SSL_R_EXCESSIVE_MESSAGE_SIZE); 491 return SSL_AD_ILLEGAL_PARAMETER; 492 } 493 494 if ( (frag_off+frag_len) > (unsigned long)max) 495 { 496 SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT,SSL_R_EXCESSIVE_MESSAGE_SIZE); 497 return SSL_AD_ILLEGAL_PARAMETER; 498 } 499 500 if ( s->d1->r_msg_hdr.frag_off == 0) /* first fragment */ 501 { 502 /* msg_len is limited to 2^24, but is effectively checked 503 * against max above */ 504 if (!BUF_MEM_grow_clean(s->init_buf,msg_len+DTLS1_HM_HEADER_LENGTH)) 505 { 506 SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT,ERR_R_BUF_LIB); 507 return SSL_AD_INTERNAL_ERROR; 508 } 509 510 s->s3->tmp.message_size = msg_len; 511 s->d1->r_msg_hdr.msg_len = msg_len; 512 s->s3->tmp.message_type = msg_hdr->type; 513 s->d1->r_msg_hdr.type = msg_hdr->type; 514 s->d1->r_msg_hdr.seq = msg_hdr->seq; 515 } 516 else if (msg_len != s->d1->r_msg_hdr.msg_len) 517 { 518 /* They must be playing with us! BTW, failure to enforce 519 * upper limit would open possibility for buffer overrun. */ 520 SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT,SSL_R_EXCESSIVE_MESSAGE_SIZE); 521 return SSL_AD_ILLEGAL_PARAMETER; 522 } 523 524 return 0; /* no error */ 525 } 526 527 528static int 529dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) 530 { 531 /* (0) check whether the desired fragment is available 532 * if so: 533 * (1) copy over the fragment to s->init_buf->data[] 534 * (2) update s->init_num 535 */ 536 pitem *item; 537 hm_fragment *frag; 538 int al; 539 540 *ok = 0; 541 item = pqueue_peek(s->d1->buffered_messages); 542 if ( item == NULL) 543 return 0; 544 545 frag = (hm_fragment *)item->data; 546 547 /* Don't return if reassembly still in progress */ 548 if (frag->reassembly != NULL) 549 return 0; 550 551 if ( s->d1->handshake_read_seq == frag->msg_header.seq) 552 { 553 unsigned long frag_len = frag->msg_header.frag_len; 554 pqueue_pop(s->d1->buffered_messages); 555 556 al=dtls1_preprocess_fragment(s,&frag->msg_header,max); 557 558 if (al==0) /* no alert */ 559 { 560 unsigned char *p = (unsigned char *)s->init_buf->data+DTLS1_HM_HEADER_LENGTH; 561 memcpy(&p[frag->msg_header.frag_off], 562 frag->fragment,frag->msg_header.frag_len); 563 } 564 565 dtls1_hm_fragment_free(frag); 566 pitem_free(item); 567 568 if (al==0) 569 { 570 *ok = 1; 571 return frag_len; 572 } 573 574 ssl3_send_alert(s,SSL3_AL_FATAL,al); 575 s->init_num = 0; 576 *ok = 0; 577 return -1; 578 } 579 else 580 return 0; 581 } 582 583 584static int 585dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) 586 { 587 hm_fragment *frag = NULL; 588 pitem *item = NULL; 589 int i = -1, is_complete; 590 unsigned char seq64be[8]; 591 unsigned long frag_len = msg_hdr->frag_len, max_len; 592 593 if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len) 594 goto err; 595 596 /* Determine maximum allowed message size. Depends on (user set) 597 * maximum certificate length, but 16k is minimum. 598 */ 599 if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH < s->max_cert_list) 600 max_len = s->max_cert_list; 601 else 602 max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; 603 604 if ((msg_hdr->frag_off+frag_len) > max_len) 605 goto err; 606 607 /* Try to find item in queue */ 608 memset(seq64be,0,sizeof(seq64be)); 609 seq64be[6] = (unsigned char) (msg_hdr->seq>>8); 610 seq64be[7] = (unsigned char) msg_hdr->seq; 611 item = pqueue_find(s->d1->buffered_messages, seq64be); 612 613 if (item == NULL) 614 { 615 frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 1); 616 if ( frag == NULL) 617 goto err; 618 memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); 619 frag->msg_header.frag_len = frag->msg_header.msg_len; 620 frag->msg_header.frag_off = 0; 621 } 622 else 623 frag = (hm_fragment*) item->data; 624 625 /* If message is already reassembled, this must be a 626 * retransmit and can be dropped. 627 */ 628 if (frag->reassembly == NULL) 629 { 630 unsigned char devnull [256]; 631 632 while (frag_len) 633 { 634 i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, 635 devnull, 636 frag_len>sizeof(devnull)?sizeof(devnull):frag_len,0); 637 if (i<=0) goto err; 638 frag_len -= i; 639 } 640 return DTLS1_HM_FRAGMENT_RETRY; 641 } 642 643 /* read the body of the fragment (header has already been read */ 644 i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, 645 frag->fragment + msg_hdr->frag_off,frag_len,0); 646 if (i<=0 || (unsigned long)i!=frag_len) 647 goto err; 648 649 RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off, 650 (long)(msg_hdr->frag_off + frag_len)); 651 652 RSMBLY_BITMASK_IS_COMPLETE(frag->reassembly, (long)msg_hdr->msg_len, 653 is_complete); 654 655 if (is_complete) 656 { 657 OPENSSL_free(frag->reassembly); 658 frag->reassembly = NULL; 659 } 660 661 if (item == NULL) 662 { 663 memset(seq64be,0,sizeof(seq64be)); 664 seq64be[6] = (unsigned char)(msg_hdr->seq>>8); 665 seq64be[7] = (unsigned char)(msg_hdr->seq); 666 667 item = pitem_new(seq64be, frag); 668 if (item == NULL) 669 { 670 goto err; 671 i = -1; 672 } 673 674 pqueue_insert(s->d1->buffered_messages, item); 675 } 676 677 return DTLS1_HM_FRAGMENT_RETRY; 678 679err: 680 if (frag != NULL) dtls1_hm_fragment_free(frag); 681 if (item != NULL) OPENSSL_free(item); 682 *ok = 0; 683 return i; 684 } 685 686 687static int 688dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) 689{ 690 int i=-1; 691 hm_fragment *frag = NULL; 692 pitem *item = NULL; 693 unsigned char seq64be[8]; 694 unsigned long frag_len = msg_hdr->frag_len; 695 696 if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len) 697 goto err; 698 699 /* Try to find item in queue, to prevent duplicate entries */ 700 memset(seq64be,0,sizeof(seq64be)); 701 seq64be[6] = (unsigned char) (msg_hdr->seq>>8); 702 seq64be[7] = (unsigned char) msg_hdr->seq; 703 item = pqueue_find(s->d1->buffered_messages, seq64be); 704 705 /* If we already have an entry and this one is a fragment, 706 * don't discard it and rather try to reassemble it. 707 */ 708 if (item != NULL && frag_len < msg_hdr->msg_len) 709 item = NULL; 710 711 /* Discard the message if sequence number was already there, is 712 * too far in the future, already in the queue or if we received 713 * a FINISHED before the SERVER_HELLO, which then must be a stale 714 * retransmit. 715 */ 716 if (msg_hdr->seq <= s->d1->handshake_read_seq || 717 msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL || 718 (s->d1->handshake_read_seq == 0 && msg_hdr->type == SSL3_MT_FINISHED)) 719 { 720 unsigned char devnull [256]; 721 722 while (frag_len) 723 { 724 i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, 725 devnull, 726 frag_len>sizeof(devnull)?sizeof(devnull):frag_len,0); 727 if (i<=0) goto err; 728 frag_len -= i; 729 } 730 } 731 else 732 { 733 if (frag_len && frag_len < msg_hdr->msg_len) 734 return dtls1_reassemble_fragment(s, msg_hdr, ok); 735 736 frag = dtls1_hm_fragment_new(frag_len, 0); 737 if ( frag == NULL) 738 goto err; 739 740 memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); 741 742 if (frag_len) 743 { 744 /* read the body of the fragment (header has already been read */ 745 i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, 746 frag->fragment,frag_len,0); 747 if (i<=0 || (unsigned long)i!=frag_len) 748 goto err; 749 } 750 751 memset(seq64be,0,sizeof(seq64be)); 752 seq64be[6] = (unsigned char)(msg_hdr->seq>>8); 753 seq64be[7] = (unsigned char)(msg_hdr->seq); 754 755 item = pitem_new(seq64be, frag); 756 if ( item == NULL) 757 goto err; 758 759 pqueue_insert(s->d1->buffered_messages, item); 760 } 761 762 return DTLS1_HM_FRAGMENT_RETRY; 763 764err: 765 if ( frag != NULL) dtls1_hm_fragment_free(frag); 766 if ( item != NULL) OPENSSL_free(item); 767 *ok = 0; 768 return i; 769 } 770 771 772static long 773dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) 774 { 775 unsigned char wire[DTLS1_HM_HEADER_LENGTH]; 776 unsigned long len, frag_off, frag_len; 777 int i,al; 778 struct hm_header_st msg_hdr; 779 780 /* see if we have the required fragment already */ 781 if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok) 782 { 783 if (*ok) s->init_num = frag_len; 784 return frag_len; 785 } 786 787 /* read handshake message header */ 788 i=s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,wire, 789 DTLS1_HM_HEADER_LENGTH, 0); 790 if (i <= 0) /* nbio, or an error */ 791 { 792 s->rwstate=SSL_READING; 793 *ok = 0; 794 return i; 795 } 796 /* Handshake fails if message header is incomplete */ 797 if (i != DTLS1_HM_HEADER_LENGTH) 798 { 799 al=SSL_AD_UNEXPECTED_MESSAGE; 800 SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_UNEXPECTED_MESSAGE); 801 goto f_err; 802 } 803 804 /* parse the message fragment header */ 805 dtls1_get_message_header(wire, &msg_hdr); 806 807 /* 808 * if this is a future (or stale) message it gets buffered 809 * (or dropped)--no further processing at this time 810 * While listening, we accept seq 1 (ClientHello with cookie) 811 * although we're still expecting seq 0 (ClientHello) 812 */ 813 if (msg_hdr.seq != s->d1->handshake_read_seq && !(s->d1->listen && msg_hdr.seq == 1)) 814 return dtls1_process_out_of_seq_message(s, &msg_hdr, ok); 815 816 len = msg_hdr.msg_len; 817 frag_off = msg_hdr.frag_off; 818 frag_len = msg_hdr.frag_len; 819 820 if (frag_len && frag_len < len) 821 return dtls1_reassemble_fragment(s, &msg_hdr, ok); 822 823 if (!s->server && s->d1->r_msg_hdr.frag_off == 0 && 824 wire[0] == SSL3_MT_HELLO_REQUEST) 825 { 826 /* The server may always send 'Hello Request' messages -- 827 * we are doing a handshake anyway now, so ignore them 828 * if their format is correct. Does not count for 829 * 'Finished' MAC. */ 830 if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0) 831 { 832 if (s->msg_callback) 833 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 834 wire, DTLS1_HM_HEADER_LENGTH, s, 835 s->msg_callback_arg); 836 837 s->init_num = 0; 838 return dtls1_get_message_fragment(s, st1, stn, 839 max, ok); 840 } 841 else /* Incorrectly formated Hello request */ 842 { 843 al=SSL_AD_UNEXPECTED_MESSAGE; 844 SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_UNEXPECTED_MESSAGE); 845 goto f_err; 846 } 847 } 848 849 if ((al=dtls1_preprocess_fragment(s,&msg_hdr,max))) 850 goto f_err; 851 852 /* XDTLS: ressurect this when restart is in place */ 853 s->state=stn; 854 855 if ( frag_len > 0) 856 { 857 unsigned char *p=(unsigned char *)s->init_buf->data+DTLS1_HM_HEADER_LENGTH; 858 859 i=s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, 860 &p[frag_off],frag_len,0); 861 /* XDTLS: fix this--message fragments cannot span multiple packets */ 862 if (i <= 0) 863 { 864 s->rwstate=SSL_READING; 865 *ok = 0; 866 return i; 867 } 868 } 869 else 870 i = 0; 871 872 /* XDTLS: an incorrectly formatted fragment should cause the 873 * handshake to fail */ 874 if (i != (int)frag_len) 875 { 876 al=SSL3_AD_ILLEGAL_PARAMETER; 877 SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL3_AD_ILLEGAL_PARAMETER); 878 goto f_err; 879 } 880 881 *ok = 1; 882 883 /* Note that s->init_num is *not* used as current offset in 884 * s->init_buf->data, but as a counter summing up fragments' 885 * lengths: as soon as they sum up to handshake packet 886 * length, we assume we have got all the fragments. */ 887 s->init_num = frag_len; 888 return frag_len; 889 890f_err: 891 ssl3_send_alert(s,SSL3_AL_FATAL,al); 892 s->init_num = 0; 893 894 *ok=0; 895 return(-1); 896 } 897 898int dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen) 899 { 900 unsigned char *p,*d; 901 int i; 902 unsigned long l; 903 904 if (s->state == a) 905 { 906 d=(unsigned char *)s->init_buf->data; 907 p= &(d[DTLS1_HM_HEADER_LENGTH]); 908 909 i=s->method->ssl3_enc->final_finish_mac(s, 910 sender,slen,s->s3->tmp.finish_md); 911 s->s3->tmp.finish_md_len = i; 912 memcpy(p, s->s3->tmp.finish_md, i); 913 p+=i; 914 l=i; 915 916 /* Copy the finished so we can use it for 917 * renegotiation checks 918 */ 919 if(s->type == SSL_ST_CONNECT) 920 { 921 OPENSSL_assert(i <= EVP_MAX_MD_SIZE); 922 memcpy(s->s3->previous_client_finished, 923 s->s3->tmp.finish_md, i); 924 s->s3->previous_client_finished_len=i; 925 } 926 else 927 { 928 OPENSSL_assert(i <= EVP_MAX_MD_SIZE); 929 memcpy(s->s3->previous_server_finished, 930 s->s3->tmp.finish_md, i); 931 s->s3->previous_server_finished_len=i; 932 } 933 934#ifdef OPENSSL_SYS_WIN16 935 /* MSVC 1.5 does not clear the top bytes of the word unless 936 * I do this. 937 */ 938 l&=0xffff; 939#endif 940 941 d = dtls1_set_message_header(s, d, SSL3_MT_FINISHED, l, 0, l); 942 s->init_num=(int)l+DTLS1_HM_HEADER_LENGTH; 943 s->init_off=0; 944 945 /* buffer the message to handle re-xmits */ 946 dtls1_buffer_message(s, 0); 947 948 s->state=b; 949 } 950 951 /* SSL3_ST_SEND_xxxxxx_HELLO_B */ 952 return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); 953 } 954 955/* for these 2 messages, we need to 956 * ssl->enc_read_ctx re-init 957 * ssl->s3->read_sequence zero 958 * ssl->s3->read_mac_secret re-init 959 * ssl->session->read_sym_enc assign 960 * ssl->session->read_compression assign 961 * ssl->session->read_hash assign 962 */ 963int dtls1_send_change_cipher_spec(SSL *s, int a, int b) 964 { 965 unsigned char *p; 966 967 if (s->state == a) 968 { 969 p=(unsigned char *)s->init_buf->data; 970 *p++=SSL3_MT_CCS; 971 s->d1->handshake_write_seq = s->d1->next_handshake_write_seq; 972 s->init_num=DTLS1_CCS_HEADER_LENGTH; 973 974 if (s->version == DTLS1_BAD_VER) { 975 s->d1->next_handshake_write_seq++; 976 s2n(s->d1->handshake_write_seq,p); 977 s->init_num+=2; 978 } 979 980 s->init_off=0; 981 982 dtls1_set_message_header_int(s, SSL3_MT_CCS, 0, 983 s->d1->handshake_write_seq, 0, 0); 984 985 /* buffer the message to handle re-xmits */ 986 dtls1_buffer_message(s, 1); 987 988 s->state=b; 989 } 990 991 /* SSL3_ST_CW_CHANGE_B */ 992 return(dtls1_do_write(s,SSL3_RT_CHANGE_CIPHER_SPEC)); 993 } 994 995static int dtls1_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x) 996 { 997 int n; 998 unsigned char *p; 999 1000 n=i2d_X509(x,NULL); 1001 if (!BUF_MEM_grow_clean(buf,(int)(n+(*l)+3))) 1002 { 1003 SSLerr(SSL_F_DTLS1_ADD_CERT_TO_BUF,ERR_R_BUF_LIB); 1004 return 0; 1005 } 1006 p=(unsigned char *)&(buf->data[*l]); 1007 l2n3(n,p); 1008 i2d_X509(x,&p); 1009 *l+=n+3; 1010 1011 return 1; 1012 } 1013unsigned long dtls1_output_cert_chain(SSL *s, X509 *x) 1014 { 1015 unsigned char *p; 1016 int i; 1017 unsigned long l= 3 + DTLS1_HM_HEADER_LENGTH; 1018 BUF_MEM *buf; 1019 1020 /* TLSv1 sends a chain with nothing in it, instead of an alert */ 1021 buf=s->init_buf; 1022 if (!BUF_MEM_grow_clean(buf,10)) 1023 { 1024 SSLerr(SSL_F_DTLS1_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB); 1025 return(0); 1026 } 1027 if (x != NULL) 1028 { 1029 X509_STORE_CTX xs_ctx; 1030 1031 if (!X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,x,NULL)) 1032 { 1033 SSLerr(SSL_F_DTLS1_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB); 1034 return(0); 1035 } 1036 1037 X509_verify_cert(&xs_ctx); 1038 /* Don't leave errors in the queue */ 1039 ERR_clear_error(); 1040 for (i=0; i < sk_X509_num(xs_ctx.chain); i++) 1041 { 1042 x = sk_X509_value(xs_ctx.chain, i); 1043 1044 if (!dtls1_add_cert_to_buf(buf, &l, x)) 1045 { 1046 X509_STORE_CTX_cleanup(&xs_ctx); 1047 return 0; 1048 } 1049 } 1050 X509_STORE_CTX_cleanup(&xs_ctx); 1051 } 1052 /* Thawte special :-) */ 1053 for (i=0; i<sk_X509_num(s->ctx->extra_certs); i++) 1054 { 1055 x=sk_X509_value(s->ctx->extra_certs,i); 1056 if (!dtls1_add_cert_to_buf(buf, &l, x)) 1057 return 0; 1058 } 1059 1060 l-= (3 + DTLS1_HM_HEADER_LENGTH); 1061 1062 p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH]); 1063 l2n3(l,p); 1064 l+=3; 1065 p=(unsigned char *)&(buf->data[0]); 1066 p = dtls1_set_message_header(s, p, SSL3_MT_CERTIFICATE, l, 0, l); 1067 1068 l+=DTLS1_HM_HEADER_LENGTH; 1069 return(l); 1070 } 1071 1072int dtls1_read_failed(SSL *s, int code) 1073 { 1074 if ( code > 0) 1075 { 1076 fprintf( stderr, "invalid state reached %s:%d", __FILE__, __LINE__); 1077 return 1; 1078 } 1079 1080 if (!dtls1_is_timer_expired(s)) 1081 { 1082 /* not a timeout, none of our business, 1083 let higher layers handle this. in fact it's probably an error */ 1084 return code; 1085 } 1086 1087#ifndef OPENSSL_NO_HEARTBEATS 1088 if (!SSL_in_init(s) && !s->tlsext_hb_pending) /* done, no need to send a retransmit */ 1089#else 1090 if (!SSL_in_init(s)) /* done, no need to send a retransmit */ 1091#endif 1092 { 1093 BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ); 1094 return code; 1095 } 1096 1097#if 0 /* for now, each alert contains only one record number */ 1098 item = pqueue_peek(state->rcvd_records); 1099 if ( item ) 1100 { 1101 /* send an alert immediately for all the missing records */ 1102 } 1103 else 1104#endif 1105 1106#if 0 /* no more alert sending, just retransmit the last set of messages */ 1107 if ( state->timeout.read_timeouts >= DTLS1_TMO_READ_COUNT) 1108 ssl3_send_alert(s,SSL3_AL_WARNING, 1109 DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); 1110#endif 1111 1112 return dtls1_handle_timeout(s); 1113 } 1114 1115int 1116dtls1_get_queue_priority(unsigned short seq, int is_ccs) 1117 { 1118 /* The index of the retransmission queue actually is the message sequence number, 1119 * since the queue only contains messages of a single handshake. However, the 1120 * ChangeCipherSpec has no message sequence number and so using only the sequence 1121 * will result in the CCS and Finished having the same index. To prevent this, 1122 * the sequence number is multiplied by 2. In case of a CCS 1 is subtracted. 1123 * This does not only differ CSS and Finished, it also maintains the order of the 1124 * index (important for priority queues) and fits in the unsigned short variable. 1125 */ 1126 return seq * 2 - is_ccs; 1127 } 1128 1129int 1130dtls1_retransmit_buffered_messages(SSL *s) 1131 { 1132 pqueue sent = s->d1->sent_messages; 1133 piterator iter; 1134 pitem *item; 1135 hm_fragment *frag; 1136 int found = 0; 1137 1138 iter = pqueue_iterator(sent); 1139 1140 for ( item = pqueue_next(&iter); item != NULL; item = pqueue_next(&iter)) 1141 { 1142 frag = (hm_fragment *)item->data; 1143 if ( dtls1_retransmit_message(s, 1144 (unsigned short)dtls1_get_queue_priority(frag->msg_header.seq, frag->msg_header.is_ccs), 1145 0, &found) <= 0 && found) 1146 { 1147 fprintf(stderr, "dtls1_retransmit_message() failed\n"); 1148 return -1; 1149 } 1150 } 1151 1152 return 1; 1153 } 1154 1155int 1156dtls1_buffer_message(SSL *s, int is_ccs) 1157 { 1158 pitem *item; 1159 hm_fragment *frag; 1160 unsigned char seq64be[8]; 1161 1162 /* this function is called immediately after a message has 1163 * been serialized */ 1164 OPENSSL_assert(s->init_off == 0); 1165 1166 frag = dtls1_hm_fragment_new(s->init_num, 0); 1167 1168 memcpy(frag->fragment, s->init_buf->data, s->init_num); 1169 1170 if ( is_ccs) 1171 { 1172 OPENSSL_assert(s->d1->w_msg_hdr.msg_len + 1173 ((s->version==DTLS1_VERSION)?DTLS1_CCS_HEADER_LENGTH:3) == (unsigned int)s->init_num); 1174 } 1175 else 1176 { 1177 OPENSSL_assert(s->d1->w_msg_hdr.msg_len + 1178 DTLS1_HM_HEADER_LENGTH == (unsigned int)s->init_num); 1179 } 1180 1181 frag->msg_header.msg_len = s->d1->w_msg_hdr.msg_len; 1182 frag->msg_header.seq = s->d1->w_msg_hdr.seq; 1183 frag->msg_header.type = s->d1->w_msg_hdr.type; 1184 frag->msg_header.frag_off = 0; 1185 frag->msg_header.frag_len = s->d1->w_msg_hdr.msg_len; 1186 frag->msg_header.is_ccs = is_ccs; 1187 1188 /* save current state*/ 1189 frag->msg_header.saved_retransmit_state.enc_write_ctx = s->enc_write_ctx; 1190 frag->msg_header.saved_retransmit_state.write_hash = s->write_hash; 1191 frag->msg_header.saved_retransmit_state.compress = s->compress; 1192 frag->msg_header.saved_retransmit_state.session = s->session; 1193 frag->msg_header.saved_retransmit_state.epoch = s->d1->w_epoch; 1194 1195 memset(seq64be,0,sizeof(seq64be)); 1196 seq64be[6] = (unsigned char)(dtls1_get_queue_priority(frag->msg_header.seq, 1197 frag->msg_header.is_ccs)>>8); 1198 seq64be[7] = (unsigned char)(dtls1_get_queue_priority(frag->msg_header.seq, 1199 frag->msg_header.is_ccs)); 1200 1201 item = pitem_new(seq64be, frag); 1202 if ( item == NULL) 1203 { 1204 dtls1_hm_fragment_free(frag); 1205 return 0; 1206 } 1207 1208#if 0 1209 fprintf( stderr, "buffered messge: \ttype = %xx\n", msg_buf->type); 1210 fprintf( stderr, "\t\t\t\t\tlen = %d\n", msg_buf->len); 1211 fprintf( stderr, "\t\t\t\t\tseq_num = %d\n", msg_buf->seq_num); 1212#endif 1213 1214 pqueue_insert(s->d1->sent_messages, item); 1215 return 1; 1216 } 1217 1218int 1219dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off, 1220 int *found) 1221 { 1222 int ret; 1223 /* XDTLS: for now assuming that read/writes are blocking */ 1224 pitem *item; 1225 hm_fragment *frag ; 1226 unsigned long header_length; 1227 unsigned char seq64be[8]; 1228 struct dtls1_retransmit_state saved_state; 1229 unsigned char save_write_sequence[8]; 1230 1231 /* 1232 OPENSSL_assert(s->init_num == 0); 1233 OPENSSL_assert(s->init_off == 0); 1234 */ 1235 1236 /* XDTLS: the requested message ought to be found, otherwise error */ 1237 memset(seq64be,0,sizeof(seq64be)); 1238 seq64be[6] = (unsigned char)(seq>>8); 1239 seq64be[7] = (unsigned char)seq; 1240 1241 item = pqueue_find(s->d1->sent_messages, seq64be); 1242 if ( item == NULL) 1243 { 1244 fprintf(stderr, "retransmit: message %d non-existant\n", seq); 1245 *found = 0; 1246 return 0; 1247 } 1248 1249 *found = 1; 1250 frag = (hm_fragment *)item->data; 1251 1252 if ( frag->msg_header.is_ccs) 1253 header_length = DTLS1_CCS_HEADER_LENGTH; 1254 else 1255 header_length = DTLS1_HM_HEADER_LENGTH; 1256 1257 memcpy(s->init_buf->data, frag->fragment, 1258 frag->msg_header.msg_len + header_length); 1259 s->init_num = frag->msg_header.msg_len + header_length; 1260 1261 dtls1_set_message_header_int(s, frag->msg_header.type, 1262 frag->msg_header.msg_len, frag->msg_header.seq, 0, 1263 frag->msg_header.frag_len); 1264 1265 /* save current state */ 1266 saved_state.enc_write_ctx = s->enc_write_ctx; 1267 saved_state.write_hash = s->write_hash; 1268 saved_state.compress = s->compress; 1269 saved_state.session = s->session; 1270 saved_state.epoch = s->d1->w_epoch; 1271 saved_state.epoch = s->d1->w_epoch; 1272 1273 s->d1->retransmitting = 1; 1274 1275 /* restore state in which the message was originally sent */ 1276 s->enc_write_ctx = frag->msg_header.saved_retransmit_state.enc_write_ctx; 1277 s->write_hash = frag->msg_header.saved_retransmit_state.write_hash; 1278 s->compress = frag->msg_header.saved_retransmit_state.compress; 1279 s->session = frag->msg_header.saved_retransmit_state.session; 1280 s->d1->w_epoch = frag->msg_header.saved_retransmit_state.epoch; 1281 1282 if (frag->msg_header.saved_retransmit_state.epoch == saved_state.epoch - 1) 1283 { 1284 memcpy(save_write_sequence, s->s3->write_sequence, sizeof(s->s3->write_sequence)); 1285 memcpy(s->s3->write_sequence, s->d1->last_write_sequence, sizeof(s->s3->write_sequence)); 1286 } 1287 1288 ret = dtls1_do_write(s, frag->msg_header.is_ccs ? 1289 SSL3_RT_CHANGE_CIPHER_SPEC : SSL3_RT_HANDSHAKE); 1290 1291 /* restore current state */ 1292 s->enc_write_ctx = saved_state.enc_write_ctx; 1293 s->write_hash = saved_state.write_hash; 1294 s->compress = saved_state.compress; 1295 s->session = saved_state.session; 1296 s->d1->w_epoch = saved_state.epoch; 1297 1298 if (frag->msg_header.saved_retransmit_state.epoch == saved_state.epoch - 1) 1299 { 1300 memcpy(s->d1->last_write_sequence, s->s3->write_sequence, sizeof(s->s3->write_sequence)); 1301 memcpy(s->s3->write_sequence, save_write_sequence, sizeof(s->s3->write_sequence)); 1302 } 1303 1304 s->d1->retransmitting = 0; 1305 1306 (void)BIO_flush(SSL_get_wbio(s)); 1307 return ret; 1308 } 1309 1310/* call this function when the buffered messages are no longer needed */ 1311void 1312dtls1_clear_record_buffer(SSL *s) 1313 { 1314 pitem *item; 1315 1316 for(item = pqueue_pop(s->d1->sent_messages); 1317 item != NULL; item = pqueue_pop(s->d1->sent_messages)) 1318 { 1319 dtls1_hm_fragment_free((hm_fragment *)item->data); 1320 pitem_free(item); 1321 } 1322 } 1323 1324 1325unsigned char * 1326dtls1_set_message_header(SSL *s, unsigned char *p, unsigned char mt, 1327 unsigned long len, unsigned long frag_off, unsigned long frag_len) 1328 { 1329 /* Don't change sequence numbers while listening */ 1330 if (frag_off == 0 && !s->d1->listen) 1331 { 1332 s->d1->handshake_write_seq = s->d1->next_handshake_write_seq; 1333 s->d1->next_handshake_write_seq++; 1334 } 1335 1336 dtls1_set_message_header_int(s, mt, len, s->d1->handshake_write_seq, 1337 frag_off, frag_len); 1338 1339 return p += DTLS1_HM_HEADER_LENGTH; 1340 } 1341 1342 1343/* don't actually do the writing, wait till the MTU has been retrieved */ 1344static void 1345dtls1_set_message_header_int(SSL *s, unsigned char mt, 1346 unsigned long len, unsigned short seq_num, unsigned long frag_off, 1347 unsigned long frag_len) 1348 { 1349 struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; 1350 1351 msg_hdr->type = mt; 1352 msg_hdr->msg_len = len; 1353 msg_hdr->seq = seq_num; 1354 msg_hdr->frag_off = frag_off; 1355 msg_hdr->frag_len = frag_len; 1356 } 1357 1358static void 1359dtls1_fix_message_header(SSL *s, unsigned long frag_off, 1360 unsigned long frag_len) 1361 { 1362 struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; 1363 1364 msg_hdr->frag_off = frag_off; 1365 msg_hdr->frag_len = frag_len; 1366 } 1367 1368static unsigned char * 1369dtls1_write_message_header(SSL *s, unsigned char *p) 1370 { 1371 struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; 1372 1373 *p++ = msg_hdr->type; 1374 l2n3(msg_hdr->msg_len, p); 1375 1376 s2n(msg_hdr->seq, p); 1377 l2n3(msg_hdr->frag_off, p); 1378 l2n3(msg_hdr->frag_len, p); 1379 1380 return p; 1381 } 1382 1383unsigned int 1384dtls1_min_mtu(void) 1385 { 1386 return (g_probable_mtu[(sizeof(g_probable_mtu) / 1387 sizeof(g_probable_mtu[0])) - 1]); 1388 } 1389 1390static unsigned int 1391dtls1_guess_mtu(unsigned int curr_mtu) 1392 { 1393 unsigned int i; 1394 1395 if ( curr_mtu == 0 ) 1396 return g_probable_mtu[0] ; 1397 1398 for ( i = 0; i < sizeof(g_probable_mtu)/sizeof(g_probable_mtu[0]); i++) 1399 if ( curr_mtu > g_probable_mtu[i]) 1400 return g_probable_mtu[i]; 1401 1402 return curr_mtu; 1403 } 1404 1405void 1406dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr) 1407 { 1408 memset(msg_hdr, 0x00, sizeof(struct hm_header_st)); 1409 msg_hdr->type = *(data++); 1410 n2l3(data, msg_hdr->msg_len); 1411 1412 n2s(data, msg_hdr->seq); 1413 n2l3(data, msg_hdr->frag_off); 1414 n2l3(data, msg_hdr->frag_len); 1415 } 1416 1417void 1418dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr) 1419 { 1420 memset(ccs_hdr, 0x00, sizeof(struct ccs_header_st)); 1421 1422 ccs_hdr->type = *(data++); 1423 } 1424 1425int dtls1_shutdown(SSL *s) 1426 { 1427 int ret; 1428#ifndef OPENSSL_NO_SCTP 1429 if (BIO_dgram_is_sctp(SSL_get_wbio(s)) && 1430 !(s->shutdown & SSL_SENT_SHUTDOWN)) 1431 { 1432 ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s)); 1433 if (ret < 0) return -1; 1434 1435 if (ret == 0) 1436 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN, 1, NULL); 1437 } 1438#endif 1439 ret = ssl3_shutdown(s); 1440#ifndef OPENSSL_NO_SCTP 1441 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN, 0, NULL); 1442#endif 1443 return ret; 1444 } 1445 1446#ifndef OPENSSL_NO_HEARTBEATS 1447int 1448dtls1_process_heartbeat(SSL *s) 1449 { 1450 unsigned char *p = &s->s3->rrec.data[0], *pl; 1451 unsigned short hbtype; 1452 unsigned int payload; 1453 unsigned int padding = 16; /* Use minimum padding */ 1454 1455 /* Read type and payload length first */ 1456 hbtype = *p++; 1457 n2s(p, payload); 1458 pl = p; 1459 1460 if (s->msg_callback) 1461 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, 1462 &s->s3->rrec.data[0], s->s3->rrec.length, 1463 s, s->msg_callback_arg); 1464 1465 if (hbtype == TLS1_HB_REQUEST) 1466 { 1467 unsigned char *buffer, *bp; 1468 int r; 1469 1470 /* Allocate memory for the response, size is 1 byte 1471 * message type, plus 2 bytes payload length, plus 1472 * payload, plus padding 1473 */ 1474 buffer = OPENSSL_malloc(1 + 2 + payload + padding); 1475 bp = buffer; 1476 1477 /* Enter response type, length and copy payload */ 1478 *bp++ = TLS1_HB_RESPONSE; 1479 s2n(payload, bp); 1480 memcpy(bp, pl, payload); 1481 bp += payload; 1482 /* Random padding */ 1483 RAND_pseudo_bytes(bp, padding); 1484 1485 r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); 1486 1487 if (r >= 0 && s->msg_callback) 1488 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, 1489 buffer, 3 + payload + padding, 1490 s, s->msg_callback_arg); 1491 1492 OPENSSL_free(buffer); 1493 1494 if (r < 0) 1495 return r; 1496 } 1497 else if (hbtype == TLS1_HB_RESPONSE) 1498 { 1499 unsigned int seq; 1500 1501 /* We only send sequence numbers (2 bytes unsigned int), 1502 * and 16 random bytes, so we just try to read the 1503 * sequence number */ 1504 n2s(pl, seq); 1505 1506 if (payload == 18 && seq == s->tlsext_hb_seq) 1507 { 1508 dtls1_stop_timer(s); 1509 s->tlsext_hb_seq++; 1510 s->tlsext_hb_pending = 0; 1511 } 1512 } 1513 1514 return 0; 1515 } 1516 1517int 1518dtls1_heartbeat(SSL *s) 1519 { 1520 unsigned char *buf, *p; 1521 int ret; 1522 unsigned int payload = 18; /* Sequence number + random bytes */ 1523 unsigned int padding = 16; /* Use minimum padding */ 1524 1525 /* Only send if peer supports and accepts HB requests... */ 1526 if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) || 1527 s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) 1528 { 1529 SSLerr(SSL_F_DTLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT); 1530 return -1; 1531 } 1532 1533 /* ...and there is none in flight yet... */ 1534 if (s->tlsext_hb_pending) 1535 { 1536 SSLerr(SSL_F_DTLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING); 1537 return -1; 1538 } 1539 1540 /* ...and no handshake in progress. */ 1541 if (SSL_in_init(s) || s->in_handshake) 1542 { 1543 SSLerr(SSL_F_DTLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE); 1544 return -1; 1545 } 1546 1547 /* Check if padding is too long, payload and padding 1548 * must not exceed 2^14 - 3 = 16381 bytes in total. 1549 */ 1550 OPENSSL_assert(payload + padding <= 16381); 1551 1552 /* Create HeartBeat message, we just use a sequence number 1553 * as payload to distuingish different messages and add 1554 * some random stuff. 1555 * - Message Type, 1 byte 1556 * - Payload Length, 2 bytes (unsigned int) 1557 * - Payload, the sequence number (2 bytes uint) 1558 * - Payload, random bytes (16 bytes uint) 1559 * - Padding 1560 */ 1561 buf = OPENSSL_malloc(1 + 2 + payload + padding); 1562 p = buf; 1563 /* Message Type */ 1564 *p++ = TLS1_HB_REQUEST; 1565 /* Payload length (18 bytes here) */ 1566 s2n(payload, p); 1567 /* Sequence number */ 1568 s2n(s->tlsext_hb_seq, p); 1569 /* 16 random bytes */ 1570 RAND_pseudo_bytes(p, 16); 1571 p += 16; 1572 /* Random padding */ 1573 RAND_pseudo_bytes(p, padding); 1574 1575 ret = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding); 1576 if (ret >= 0) 1577 { 1578 if (s->msg_callback) 1579 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, 1580 buf, 3 + payload + padding, 1581 s, s->msg_callback_arg); 1582 1583 dtls1_start_timer(s); 1584 s->tlsext_hb_pending = 1; 1585 } 1586 1587 OPENSSL_free(buf); 1588 1589 return ret; 1590 } 1591#endif 1592