d1_pkt.c revision 296465
1/* ssl/d1_pkt.c */ 2/* 3 * DTLS implementation written by Nagendra Modadugu 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 5 */ 6/* ==================================================================== 7 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * openssl-core@openssl.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 * 54 * This product includes cryptographic software written by Eric Young 55 * (eay@cryptsoft.com). This product includes software written by Tim 56 * Hudson (tjh@cryptsoft.com). 57 * 58 */ 59/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 60 * All rights reserved. 61 * 62 * This package is an SSL implementation written 63 * by Eric Young (eay@cryptsoft.com). 64 * The implementation was written so as to conform with Netscapes SSL. 65 * 66 * This library is free for commercial and non-commercial use as long as 67 * the following conditions are aheared to. The following conditions 68 * apply to all code found in this distribution, be it the RC4, RSA, 69 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 70 * included with this distribution is covered by the same copyright terms 71 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 72 * 73 * Copyright remains Eric Young's, and as such any Copyright notices in 74 * the code are not to be removed. 75 * If this package is used in a product, Eric Young should be given attribution 76 * as the author of the parts of the library used. 77 * This can be in the form of a textual message at program startup or 78 * in documentation (online or textual) provided with the package. 79 * 80 * Redistribution and use in source and binary forms, with or without 81 * modification, are permitted provided that the following conditions 82 * are met: 83 * 1. Redistributions of source code must retain the copyright 84 * notice, this list of conditions and the following disclaimer. 85 * 2. Redistributions in binary form must reproduce the above copyright 86 * notice, this list of conditions and the following disclaimer in the 87 * documentation and/or other materials provided with the distribution. 88 * 3. All advertising materials mentioning features or use of this software 89 * must display the following acknowledgement: 90 * "This product includes cryptographic software written by 91 * Eric Young (eay@cryptsoft.com)" 92 * The word 'cryptographic' can be left out if the rouines from the library 93 * being used are not cryptographic related :-). 94 * 4. If you include any Windows specific code (or a derivative thereof) from 95 * the apps directory (application code) you must include an acknowledgement: 96 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 97 * 98 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 99 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 100 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 101 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 102 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 103 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 104 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 105 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 106 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 107 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 108 * SUCH DAMAGE. 109 * 110 * The licence and distribution terms for any publically available version or 111 * derivative of this code cannot be changed. i.e. this code cannot simply be 112 * copied and put under another distribution licence 113 * [including the GNU Public Licence.] 114 */ 115 116#include <stdio.h> 117#include <errno.h> 118#define USE_SOCKETS 119#include "ssl_locl.h" 120#include <openssl/evp.h> 121#include <openssl/buffer.h> 122#include <openssl/pqueue.h> 123#include <openssl/rand.h> 124 125static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, 126 int len, int peek); 127static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap, 128 PQ_64BIT * seq_num); 129static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap); 130static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, 131 unsigned int *is_next_epoch); 132#if 0 133static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr, 134 unsigned short *priority, 135 unsigned long *offset); 136#endif 137static int dtls1_buffer_record(SSL *s, record_pqueue *q, PQ_64BIT * priority); 138static int dtls1_process_record(SSL *s); 139#if PQ_64BIT_IS_INTEGER 140static PQ_64BIT bytes_to_long_long(unsigned char *bytes, PQ_64BIT * num); 141#endif 142 143/* copy buffered record into SSL structure */ 144static int dtls1_copy_record(SSL *s, pitem *item) 145{ 146 DTLS1_RECORD_DATA *rdata; 147 148 rdata = (DTLS1_RECORD_DATA *)item->data; 149 150 if (s->s3->rbuf.buf != NULL) 151 OPENSSL_free(s->s3->rbuf.buf); 152 153 s->packet = rdata->packet; 154 s->packet_length = rdata->packet_length; 155 memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER)); 156 memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD)); 157 158 /* Set proper sequence number for mac calculation */ 159 memcpy(&(s->s3->read_sequence[2]), &(rdata->packet[5]), 6); 160 161 return (1); 162} 163 164static int 165dtls1_buffer_record(SSL *s, record_pqueue *queue, PQ_64BIT * priority) 166{ 167 DTLS1_RECORD_DATA *rdata; 168 pitem *item; 169 170 /* Limit the size of the queue to prevent DOS attacks */ 171 if (pqueue_size(queue->q) >= 100) 172 return 0; 173 174 rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); 175 item = pitem_new(*priority, rdata); 176 if (rdata == NULL || item == NULL) { 177 if (rdata != NULL) 178 OPENSSL_free(rdata); 179 if (item != NULL) 180 pitem_free(item); 181 182 SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); 183 return (0); 184 } 185 186 rdata->packet = s->packet; 187 rdata->packet_length = s->packet_length; 188 memcpy(&(rdata->rbuf), &(s->s3->rbuf), sizeof(SSL3_BUFFER)); 189 memcpy(&(rdata->rrec), &(s->s3->rrec), sizeof(SSL3_RECORD)); 190 191 item->data = rdata; 192 193 /* insert should not fail, since duplicates are dropped */ 194 if (pqueue_insert(queue->q, item) == NULL) { 195 OPENSSL_free(rdata); 196 pitem_free(item); 197 return (0); 198 } 199 200 s->packet = NULL; 201 s->packet_length = 0; 202 memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER)); 203 memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD)); 204 205 if (!ssl3_setup_buffers(s)) { 206 SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); 207 OPENSSL_free(rdata); 208 pitem_free(item); 209 return (0); 210 } 211 212 return (1); 213} 214 215static int dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) 216{ 217 pitem *item; 218 219 item = pqueue_pop(queue->q); 220 if (item) { 221 dtls1_copy_record(s, item); 222 223 OPENSSL_free(item->data); 224 pitem_free(item); 225 226 return (1); 227 } 228 229 return (0); 230} 231 232/* 233 * retrieve a buffered record that belongs to the new epoch, i.e., not 234 * processed yet 235 */ 236#define dtls1_get_unprocessed_record(s) \ 237 dtls1_retrieve_buffered_record((s), \ 238 &((s)->d1->unprocessed_rcds)) 239 240/* 241 * retrieve a buffered record that belongs to the current epoch, ie, 242 * processed 243 */ 244#define dtls1_get_processed_record(s) \ 245 dtls1_retrieve_buffered_record((s), \ 246 &((s)->d1->processed_rcds)) 247 248static int dtls1_process_buffered_records(SSL *s) 249{ 250 pitem *item; 251 252 item = pqueue_peek(s->d1->unprocessed_rcds.q); 253 if (item) { 254 /* Check if epoch is current. */ 255 if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch) 256 return (1); /* Nothing to do. */ 257 258 /* Process all the records. */ 259 while (pqueue_peek(s->d1->unprocessed_rcds.q)) { 260 dtls1_get_unprocessed_record(s); 261 if (!dtls1_process_record(s)) 262 return (0); 263 dtls1_buffer_record(s, &(s->d1->processed_rcds), 264 &s->s3->rrec.seq_num); 265 } 266 } 267 268 /* 269 * sync epoch numbers once all the unprocessed records have been 270 * processed 271 */ 272 s->d1->processed_rcds.epoch = s->d1->r_epoch; 273 s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1; 274 275 return (1); 276} 277 278#if 0 279 280static int dtls1_get_buffered_record(SSL *s) 281{ 282 pitem *item; 283 PQ_64BIT priority = 284 (((PQ_64BIT) s->d1->handshake_read_seq) << 32) | 285 ((PQ_64BIT) s->d1->r_msg_hdr.frag_off); 286 287 /* if we're not (re)negotiating, nothing buffered */ 288 if (!SSL_in_init(s)) 289 return 0; 290 291 item = pqueue_peek(s->d1->rcvd_records); 292 if (item && item->priority == priority) { 293 /* 294 * Check if we've received the record of interest. It must be a 295 * handshake record, since data records as passed up without 296 * buffering 297 */ 298 DTLS1_RECORD_DATA *rdata; 299 item = pqueue_pop(s->d1->rcvd_records); 300 rdata = (DTLS1_RECORD_DATA *)item->data; 301 302 if (s->s3->rbuf.buf != NULL) 303 OPENSSL_free(s->s3->rbuf.buf); 304 305 s->packet = rdata->packet; 306 s->packet_length = rdata->packet_length; 307 memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER)); 308 memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD)); 309 310 OPENSSL_free(item->data); 311 pitem_free(item); 312 313 /* s->d1->next_expected_seq_num++; */ 314 return (1); 315 } 316 317 return 0; 318} 319 320#endif 321 322static int dtls1_process_record(SSL *s) 323{ 324 int i, al; 325 int enc_err; 326 SSL_SESSION *sess; 327 SSL3_RECORD *rr; 328 unsigned int mac_size, orig_len; 329 unsigned char md[EVP_MAX_MD_SIZE]; 330 331 rr = &(s->s3->rrec); 332 sess = s->session; 333 334 /* 335 * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, 336 * and we have that many bytes in s->packet 337 */ 338 rr->input = &(s->packet[DTLS1_RT_HEADER_LENGTH]); 339 340 /* 341 * ok, we can now read from 's->packet' data into 'rr' rr->input points 342 * at rr->length bytes, which need to be copied into rr->data by either 343 * the decryption or by the decompression When the data is 'copied' into 344 * the rr->data buffer, rr->input will be pointed at the new buffer 345 */ 346 347 /* 348 * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length 349 * bytes of encrypted compressed stuff. 350 */ 351 352 /* check is not needed I believe */ 353 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { 354 al = SSL_AD_RECORD_OVERFLOW; 355 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); 356 goto f_err; 357 } 358 359 /* decrypt in place in 'rr->input' */ 360 rr->data = rr->input; 361 362 enc_err = s->method->ssl3_enc->enc(s, 0); 363 /*- 364 * enc_err is: 365 * 0: (in non-constant time) if the record is publically invalid. 366 * 1: if the padding is valid 367 * -1: if the padding is invalid 368 */ 369 if (enc_err == 0) { 370 /* For DTLS we simply ignore bad packets. */ 371 rr->length = 0; 372 s->packet_length = 0; 373 goto err; 374 } 375#ifdef TLS_DEBUG 376 printf("dec %d\n", rr->length); 377 { 378 unsigned int z; 379 for (z = 0; z < rr->length; z++) 380 printf("%02X%c", rr->data[z], ((z + 1) % 16) ? ' ' : '\n'); 381 } 382 printf("\n"); 383#endif 384 385 /* r->length is now the compressed data plus mac */ 386 if ((sess != NULL) && (s->enc_read_ctx != NULL) && (s->read_hash != NULL)) { 387 /* s->read_hash != NULL => mac_size != -1 */ 388 unsigned char *mac = NULL; 389 unsigned char mac_tmp[EVP_MAX_MD_SIZE]; 390 mac_size = EVP_MD_size(s->read_hash); 391 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); 392 393 /* 394 * kludge: *_cbc_remove_padding passes padding length in rr->type 395 */ 396 orig_len = rr->length + ((unsigned int)rr->type >> 8); 397 398 /* 399 * orig_len is the length of the record before any padding was 400 * removed. This is public information, as is the MAC in use, 401 * therefore we can safely process the record in a different amount 402 * of time if it's too short to possibly contain a MAC. 403 */ 404 if (orig_len < mac_size || 405 /* CBC records must have a padding length byte too. */ 406 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && 407 orig_len < mac_size + 1)) { 408 al = SSL_AD_DECODE_ERROR; 409 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT); 410 goto f_err; 411 } 412 413 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) { 414 /* 415 * We update the length so that the TLS header bytes can be 416 * constructed correctly but we need to extract the MAC in 417 * constant time from within the record, without leaking the 418 * contents of the padding bytes. 419 */ 420 mac = mac_tmp; 421 ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len); 422 rr->length -= mac_size; 423 } else { 424 /* 425 * In this case there's no padding, so |orig_len| equals 426 * |rec->length| and we checked that there's enough bytes for 427 * |mac_size| above. 428 */ 429 rr->length -= mac_size; 430 mac = &rr->data[rr->length]; 431 } 432 433 i = s->method->ssl3_enc->mac(s, md, 0 /* not send */ ); 434 if (i < 0 || mac == NULL 435 || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) 436 enc_err = -1; 437 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size) 438 enc_err = -1; 439 } 440 441 if (enc_err < 0) { 442 /* decryption failed, silently discard message */ 443 rr->length = 0; 444 s->packet_length = 0; 445 goto err; 446 } 447 448 /* r->length is now just compressed */ 449 if (s->expand != NULL) { 450 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) { 451 al = SSL_AD_RECORD_OVERFLOW; 452 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, 453 SSL_R_COMPRESSED_LENGTH_TOO_LONG); 454 goto f_err; 455 } 456 if (!ssl3_do_uncompress(s)) { 457 al = SSL_AD_DECOMPRESSION_FAILURE; 458 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION); 459 goto f_err; 460 } 461 } 462 463 if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) { 464 al = SSL_AD_RECORD_OVERFLOW; 465 SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_DATA_LENGTH_TOO_LONG); 466 goto f_err; 467 } 468 469 rr->off = 0; 470 /*- 471 * So at this point the following is true 472 * ssl->s3->rrec.type is the type of record 473 * ssl->s3->rrec.length == number of bytes in record 474 * ssl->s3->rrec.off == offset to first valid byte 475 * ssl->s3->rrec.data == where to take bytes from, increment 476 * after use :-). 477 */ 478 479 /* we have pulled in a full packet so zero things */ 480 s->packet_length = 0; 481 dtls1_record_bitmap_update(s, &(s->d1->bitmap)); /* Mark receipt of 482 * record. */ 483 return (1); 484 485 f_err: 486 ssl3_send_alert(s, SSL3_AL_FATAL, al); 487 err: 488 return (0); 489} 490 491/*- 492 * Call this to get a new input record. 493 * It will return <= 0 if more data is needed, normally due to an error 494 * or non-blocking IO. 495 * When it finishes, one packet has been decoded and can be found in 496 * ssl->s3->rrec.type - is the type of record 497 * ssl->s3->rrec.data, - data 498 * ssl->s3->rrec.length, - number of bytes 499 */ 500/* used only by dtls1_read_bytes */ 501int dtls1_get_record(SSL *s) 502{ 503 int ssl_major, ssl_minor; 504 int i, n; 505 SSL3_RECORD *rr; 506 unsigned char *p = NULL; 507 unsigned short version; 508 DTLS1_BITMAP *bitmap; 509 unsigned int is_next_epoch; 510 511 rr = &(s->s3->rrec); 512 513 /* 514 * The epoch may have changed. If so, process all the pending records. 515 * This is a non-blocking operation. 516 */ 517 dtls1_process_buffered_records(s); 518 519 /* if we're renegotiating, then there may be buffered records */ 520 if (dtls1_get_processed_record(s)) 521 return 1; 522 523 /* get something from the wire */ 524 again: 525 /* check if we have the header */ 526 if ((s->rstate != SSL_ST_READ_BODY) || 527 (s->packet_length < DTLS1_RT_HEADER_LENGTH)) { 528 n = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, s->s3->rbuf.len, 0); 529 /* read timeout is handled by dtls1_read_bytes */ 530 if (n <= 0) 531 return (n); /* error or non-blocking */ 532 533 /* this packet contained a partial record, dump it */ 534 if (s->packet_length != DTLS1_RT_HEADER_LENGTH) { 535 s->packet_length = 0; 536 goto again; 537 } 538 539 s->rstate = SSL_ST_READ_BODY; 540 541 p = s->packet; 542 543 /* Pull apart the header into the DTLS1_RECORD */ 544 rr->type = *(p++); 545 ssl_major = *(p++); 546 ssl_minor = *(p++); 547 version = (ssl_major << 8) | ssl_minor; 548 549 /* sequence number is 64 bits, with top 2 bytes = epoch */ 550 n2s(p, rr->epoch); 551 552 memcpy(&(s->s3->read_sequence[2]), p, 6); 553 p += 6; 554 555 n2s(p, rr->length); 556 557 /* Lets check version */ 558 if (!s->first_packet) { 559 if (version != s->version && version != DTLS1_BAD_VER) { 560 /* unexpected version, silently discard */ 561 rr->length = 0; 562 s->packet_length = 0; 563 goto again; 564 } 565 } 566 567 if ((version & 0xff00) != (DTLS1_VERSION & 0xff00) && 568 (version & 0xff00) != (DTLS1_BAD_VER & 0xff00)) { 569 /* wrong version, silently discard record */ 570 rr->length = 0; 571 s->packet_length = 0; 572 goto again; 573 } 574 575 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { 576 /* record too long, silently discard it */ 577 rr->length = 0; 578 s->packet_length = 0; 579 goto again; 580 } 581 582 s->client_version = version; 583 /* now s->rstate == SSL_ST_READ_BODY */ 584 } 585 586 /* s->rstate == SSL_ST_READ_BODY, get and decode the data */ 587 588 if (rr->length > s->packet_length - DTLS1_RT_HEADER_LENGTH) { 589 /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */ 590 i = rr->length; 591 n = ssl3_read_n(s, i, i, 1); 592 /* this packet contained a partial record, dump it */ 593 if (n != i) { 594 rr->length = 0; 595 s->packet_length = 0; 596 goto again; 597 } 598 599 /* 600 * now n == rr->length, and s->packet_length == 601 * DTLS1_RT_HEADER_LENGTH + rr->length 602 */ 603 } 604 s->rstate = SSL_ST_READ_HEADER; /* set state for later operations */ 605 606 /* match epochs. NULL means the packet is dropped on the floor */ 607 bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); 608 if (bitmap == NULL) { 609 rr->length = 0; 610 s->packet_length = 0; /* dump this record */ 611 goto again; /* get another record */ 612 } 613 614 /* 615 * Check whether this is a repeat, or aged record. Don't check if we're 616 * listening and this message is a ClientHello. They can look as if 617 * they're replayed, since they arrive from different connections and 618 * would be dropped unnecessarily. 619 */ 620 if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE && 621 s->packet_length > DTLS1_RT_HEADER_LENGTH && 622 s->packet[DTLS1_RT_HEADER_LENGTH] == SSL3_MT_CLIENT_HELLO) && 623 !dtls1_record_replay_check(s, bitmap, &(rr->seq_num))) { 624 rr->length = 0; 625 s->packet_length = 0; /* dump this record */ 626 goto again; /* get another record */ 627 } 628 629 /* just read a 0 length packet */ 630 if (rr->length == 0) 631 goto again; 632 633 /* 634 * If this record is from the next epoch (either HM or ALERT), and a 635 * handshake is currently in progress, buffer it since it cannot be 636 * processed at this time. However, do not buffer anything while 637 * listening. 638 */ 639 if (is_next_epoch) { 640 if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen) { 641 dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), &rr->seq_num); 642 } 643 rr->length = 0; 644 s->packet_length = 0; 645 goto again; 646 } 647 648 if (!dtls1_process_record(s)) { 649 rr->length = 0; 650 s->packet_length = 0; /* dump this record */ 651 goto again; /* get another record */ 652 } 653 654 return (1); 655 656} 657 658/*- 659 * Return up to 'len' payload bytes received in 'type' records. 660 * 'type' is one of the following: 661 * 662 * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us) 663 * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us) 664 * - 0 (during a shutdown, no data has to be returned) 665 * 666 * If we don't have stored data to work from, read a SSL/TLS record first 667 * (possibly multiple records if we still don't have anything to return). 668 * 669 * This function must handle any surprises the peer may have for us, such as 670 * Alert records (e.g. close_notify), ChangeCipherSpec records (not really 671 * a surprise, but handled as if it were), or renegotiation requests. 672 * Also if record payloads contain fragments too small to process, we store 673 * them until there is enough for the respective protocol (the record protocol 674 * may use arbitrary fragmentation and even interleaving): 675 * Change cipher spec protocol 676 * just 1 byte needed, no need for keeping anything stored 677 * Alert protocol 678 * 2 bytes needed (AlertLevel, AlertDescription) 679 * Handshake protocol 680 * 4 bytes needed (HandshakeType, uint24 length) -- we just have 681 * to detect unexpected Client Hello and Hello Request messages 682 * here, anything else is handled by higher layers 683 * Application data protocol 684 * none of our business 685 */ 686int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) 687{ 688 int al, i, j, ret; 689 unsigned int n; 690 SSL3_RECORD *rr; 691 void (*cb) (const SSL *ssl, int type2, int val) = NULL; 692 693 if (s->s3->rbuf.buf == NULL) /* Not initialized yet */ 694 if (!ssl3_setup_buffers(s)) 695 return (-1); 696 697 /* XXX: check what the second '&& type' is about */ 698 if ((type && (type != SSL3_RT_APPLICATION_DATA) && 699 (type != SSL3_RT_HANDSHAKE) && type) || 700 (peek && (type != SSL3_RT_APPLICATION_DATA))) { 701 SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); 702 return -1; 703 } 704 705 /* 706 * check whether there's a handshake message (client hello?) waiting 707 */ 708 if ((ret = have_handshake_fragment(s, type, buf, len, peek))) 709 return ret; 710 711 /* 712 * Now s->d1->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. 713 */ 714 715 if (!s->in_handshake && SSL_in_init(s)) { 716 /* type == SSL3_RT_APPLICATION_DATA */ 717 i = s->handshake_func(s); 718 if (i < 0) 719 return (i); 720 if (i == 0) { 721 SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE); 722 return (-1); 723 } 724 } 725 726 start: 727 s->rwstate = SSL_NOTHING; 728 729 /*- 730 * s->s3->rrec.type - is the type of record 731 * s->s3->rrec.data, - data 732 * s->s3->rrec.off, - offset into 'data' for next read 733 * s->s3->rrec.length, - number of bytes. 734 */ 735 rr = &(s->s3->rrec); 736 737 /* 738 * We are not handshaking and have no data yet, so process data buffered 739 * during the last handshake in advance, if any. 740 */ 741 if (s->state == SSL_ST_OK && rr->length == 0) { 742 pitem *item; 743 item = pqueue_pop(s->d1->buffered_app_data.q); 744 if (item) { 745 dtls1_copy_record(s, item); 746 747 OPENSSL_free(item->data); 748 pitem_free(item); 749 } 750 } 751 752 /* Check for timeout */ 753 if (dtls1_handle_timeout(s) > 0) 754 goto start; 755 756 /* get new packet if necessary */ 757 if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY)) { 758 ret = dtls1_get_record(s); 759 if (ret <= 0) { 760 ret = dtls1_read_failed(s, ret); 761 /* anything other than a timeout is an error */ 762 if (ret <= 0) 763 return (ret); 764 else 765 goto start; 766 } 767 } 768 769 if (s->d1->listen && rr->type != SSL3_RT_HANDSHAKE) { 770 rr->length = 0; 771 goto start; 772 } 773 774 /* we now have a packet which can be read and processed */ 775 776 if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, 777 * reset by ssl3_get_finished */ 778 && (rr->type != SSL3_RT_HANDSHAKE)) { 779 /* 780 * We now have application data between CCS and Finished. Most likely 781 * the packets were reordered on their way, so buffer the application 782 * data for later processing rather than dropping the connection. 783 */ 784 dtls1_buffer_record(s, &(s->d1->buffered_app_data), &rr->seq_num); 785 rr->length = 0; 786 goto start; 787 } 788 789 /* 790 * If the other end has shut down, throw anything we read away (even in 791 * 'peek' mode) 792 */ 793 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { 794 rr->length = 0; 795 s->rwstate = SSL_NOTHING; 796 return (0); 797 } 798 799 if (type == rr->type) { /* SSL3_RT_APPLICATION_DATA or 800 * SSL3_RT_HANDSHAKE */ 801 /* 802 * make sure that we are not getting application data when we are 803 * doing a handshake for the first time 804 */ 805 if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) && 806 (s->enc_read_ctx == NULL)) { 807 al = SSL_AD_UNEXPECTED_MESSAGE; 808 SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_APP_DATA_IN_HANDSHAKE); 809 goto f_err; 810 } 811 812 if (len <= 0) 813 return (len); 814 815 if ((unsigned int)len > rr->length) 816 n = rr->length; 817 else 818 n = (unsigned int)len; 819 820 memcpy(buf, &(rr->data[rr->off]), n); 821 if (!peek) { 822 rr->length -= n; 823 rr->off += n; 824 if (rr->length == 0) { 825 s->rstate = SSL_ST_READ_HEADER; 826 rr->off = 0; 827 } 828 } 829 return (n); 830 } 831 832 /* 833 * If we get here, then type != rr->type; if we have a handshake message, 834 * then it was unexpected (Hello Request or Client Hello). 835 */ 836 837 /* 838 * In case of record types for which we have 'fragment' storage, fill 839 * that so that we can process the data at a fixed place. 840 */ 841 { 842 unsigned int k, dest_maxlen = 0; 843 unsigned char *dest = NULL; 844 unsigned int *dest_len = NULL; 845 846 if (rr->type == SSL3_RT_HANDSHAKE) { 847 dest_maxlen = sizeof s->d1->handshake_fragment; 848 dest = s->d1->handshake_fragment; 849 dest_len = &s->d1->handshake_fragment_len; 850 } else if (rr->type == SSL3_RT_ALERT) { 851 dest_maxlen = sizeof(s->d1->alert_fragment); 852 dest = s->d1->alert_fragment; 853 dest_len = &s->d1->alert_fragment_len; 854 } 855 /* else it's a CCS message, or application data or wrong */ 856 else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC) { 857 /* 858 * Application data while renegotiating is allowed. Try again 859 * reading. 860 */ 861 if (rr->type == SSL3_RT_APPLICATION_DATA) { 862 BIO *bio; 863 s->s3->in_read_app_data = 2; 864 bio = SSL_get_rbio(s); 865 s->rwstate = SSL_READING; 866 BIO_clear_retry_flags(bio); 867 BIO_set_retry_read(bio); 868 return (-1); 869 } 870 871 /* Not certain if this is the right error handling */ 872 al = SSL_AD_UNEXPECTED_MESSAGE; 873 SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD); 874 goto f_err; 875 } 876 877 if (dest_maxlen > 0) { 878 /* 879 * XDTLS: In a pathalogical case, the Client Hello may be 880 * fragmented--don't always expect dest_maxlen bytes 881 */ 882 if (rr->length < dest_maxlen) { 883#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE 884 /* 885 * for normal alerts rr->length is 2, while 886 * dest_maxlen is 7 if we were to handle this 887 * non-existing alert... 888 */ 889 FIX ME 890#endif 891 s->rstate = SSL_ST_READ_HEADER; 892 rr->length = 0; 893 goto start; 894 } 895 896 /* now move 'n' bytes: */ 897 for (k = 0; k < dest_maxlen; k++) { 898 dest[k] = rr->data[rr->off++]; 899 rr->length--; 900 } 901 *dest_len = dest_maxlen; 902 } 903 } 904 905 /*- 906 * s->d1->handshake_fragment_len == 12 iff rr->type == SSL3_RT_HANDSHAKE; 907 * s->d1->alert_fragment_len == 7 iff rr->type == SSL3_RT_ALERT. 908 * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) 909 */ 910 911 /* If we are a client, check for an incoming 'Hello Request': */ 912 if ((!s->server) && 913 (s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && 914 (s->d1->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) && 915 (s->session != NULL) && (s->session->cipher != NULL)) { 916 s->d1->handshake_fragment_len = 0; 917 918 if ((s->d1->handshake_fragment[1] != 0) || 919 (s->d1->handshake_fragment[2] != 0) || 920 (s->d1->handshake_fragment[3] != 0)) { 921 al = SSL_AD_DECODE_ERROR; 922 SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_BAD_HELLO_REQUEST); 923 goto err; 924 } 925 926 /* 927 * no need to check sequence number on HELLO REQUEST messages 928 */ 929 930 if (s->msg_callback) 931 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 932 s->d1->handshake_fragment, 4, s, 933 s->msg_callback_arg); 934 935 if (SSL_is_init_finished(s) && 936 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && 937 !s->s3->renegotiate) { 938 s->d1->handshake_read_seq++; 939 ssl3_renegotiate(s); 940 if (ssl3_renegotiate_check(s)) { 941 i = s->handshake_func(s); 942 if (i < 0) 943 return (i); 944 if (i == 0) { 945 SSLerr(SSL_F_DTLS1_READ_BYTES, 946 SSL_R_SSL_HANDSHAKE_FAILURE); 947 return (-1); 948 } 949 950 if (!(s->mode & SSL_MODE_AUTO_RETRY)) { 951 if (s->s3->rbuf.left == 0) { /* no read-ahead left? */ 952 BIO *bio; 953 /* 954 * In the case where we try to read application data, 955 * but we trigger an SSL handshake, we return -1 with 956 * the retry option set. Otherwise renegotiation may 957 * cause nasty problems in the blocking world 958 */ 959 s->rwstate = SSL_READING; 960 bio = SSL_get_rbio(s); 961 BIO_clear_retry_flags(bio); 962 BIO_set_retry_read(bio); 963 return (-1); 964 } 965 } 966 } 967 } 968 /* 969 * we either finished a handshake or ignored the request, now try 970 * again to obtain the (application) data we were asked for 971 */ 972 goto start; 973 } 974 975 if (s->d1->alert_fragment_len >= DTLS1_AL_HEADER_LENGTH) { 976 int alert_level = s->d1->alert_fragment[0]; 977 int alert_descr = s->d1->alert_fragment[1]; 978 979 s->d1->alert_fragment_len = 0; 980 981 if (s->msg_callback) 982 s->msg_callback(0, s->version, SSL3_RT_ALERT, 983 s->d1->alert_fragment, 2, s, s->msg_callback_arg); 984 985 if (s->info_callback != NULL) 986 cb = s->info_callback; 987 else if (s->ctx->info_callback != NULL) 988 cb = s->ctx->info_callback; 989 990 if (cb != NULL) { 991 j = (alert_level << 8) | alert_descr; 992 cb(s, SSL_CB_READ_ALERT, j); 993 } 994 995 if (alert_level == 1) { /* warning */ 996 s->s3->warn_alert = alert_descr; 997 if (alert_descr == SSL_AD_CLOSE_NOTIFY) { 998 s->shutdown |= SSL_RECEIVED_SHUTDOWN; 999 return (0); 1000 } 1001#if 0 1002 /* XXX: this is a possible improvement in the future */ 1003 /* now check if it's a missing record */ 1004 if (alert_descr == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) { 1005 unsigned short seq; 1006 unsigned int frag_off; 1007 unsigned char *p = &(s->d1->alert_fragment[2]); 1008 1009 n2s(p, seq); 1010 n2l3(p, frag_off); 1011 1012 dtls1_retransmit_message(s, 1013 dtls1_get_queue_priority 1014 (frag->msg_header.seq, 0), frag_off, 1015 &found); 1016 if (!found && SSL_in_init(s)) { 1017 /* 1018 * fprintf( stderr,"in init = %d\n", SSL_in_init(s)); 1019 */ 1020 /* 1021 * requested a message not yet sent, send an alert 1022 * ourselves 1023 */ 1024 ssl3_send_alert(s, SSL3_AL_WARNING, 1025 DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); 1026 } 1027 } 1028#endif 1029 } else if (alert_level == 2) { /* fatal */ 1030 char tmp[16]; 1031 1032 s->rwstate = SSL_NOTHING; 1033 s->s3->fatal_alert = alert_descr; 1034 SSLerr(SSL_F_DTLS1_READ_BYTES, 1035 SSL_AD_REASON_OFFSET + alert_descr); 1036 BIO_snprintf(tmp, sizeof tmp, "%d", alert_descr); 1037 ERR_add_error_data(2, "SSL alert number ", tmp); 1038 s->shutdown |= SSL_RECEIVED_SHUTDOWN; 1039 SSL_CTX_remove_session(s->ctx, s->session); 1040 return (0); 1041 } else { 1042 al = SSL_AD_ILLEGAL_PARAMETER; 1043 SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNKNOWN_ALERT_TYPE); 1044 goto f_err; 1045 } 1046 1047 goto start; 1048 } 1049 1050 if (s->shutdown & SSL_SENT_SHUTDOWN) { /* but we have not received a 1051 * shutdown */ 1052 s->rwstate = SSL_NOTHING; 1053 rr->length = 0; 1054 return (0); 1055 } 1056 1057 if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) { 1058 struct ccs_header_st ccs_hdr; 1059 unsigned int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH; 1060 1061 dtls1_get_ccs_header(rr->data, &ccs_hdr); 1062 1063 /* 1064 * 'Change Cipher Spec' is just a single byte, so we know exactly 1065 * what the record payload has to look like 1066 */ 1067 /* XDTLS: check that epoch is consistent */ 1068 if (s->client_version == DTLS1_BAD_VER || s->version == DTLS1_BAD_VER) 1069 ccs_hdr_len = 3; 1070 1071 if ((rr->length != ccs_hdr_len) || (rr->off != 0) 1072 || (rr->data[0] != SSL3_MT_CCS)) { 1073 i = SSL_AD_ILLEGAL_PARAMETER; 1074 SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_BAD_CHANGE_CIPHER_SPEC); 1075 goto err; 1076 } 1077 1078 rr->length = 0; 1079 1080 if (s->msg_callback) 1081 s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, 1082 rr->data, 1, s, s->msg_callback_arg); 1083 1084 /* 1085 * We can't process a CCS now, because previous handshake messages 1086 * are still missing, so just drop it. 1087 */ 1088 if (!s->d1->change_cipher_spec_ok) { 1089 goto start; 1090 } 1091 1092 s->d1->change_cipher_spec_ok = 0; 1093 1094 s->s3->change_cipher_spec = 1; 1095 if (!ssl3_do_change_cipher_spec(s)) 1096 goto err; 1097 1098 /* do this whenever CCS is processed */ 1099 dtls1_reset_seq_numbers(s, SSL3_CC_READ); 1100 1101 if (s->client_version == DTLS1_BAD_VER) 1102 s->d1->handshake_read_seq++; 1103 1104 goto start; 1105 } 1106 1107 /* 1108 * Unexpected handshake message (Client Hello, or protocol violation) 1109 */ 1110 if ((s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && 1111 !s->in_handshake) { 1112 struct hm_header_st msg_hdr; 1113 1114 /* this may just be a stale retransmit */ 1115 dtls1_get_message_header(rr->data, &msg_hdr); 1116 if (rr->epoch != s->d1->r_epoch) { 1117 rr->length = 0; 1118 goto start; 1119 } 1120 1121 /* 1122 * If we are server, we may have a repeated FINISHED of the client 1123 * here, then retransmit our CCS and FINISHED. 1124 */ 1125 if (msg_hdr.type == SSL3_MT_FINISHED) { 1126 if (dtls1_check_timeout_num(s) < 0) 1127 return -1; 1128 1129 dtls1_retransmit_buffered_messages(s); 1130 rr->length = 0; 1131 goto start; 1132 } 1133 1134 if (((s->state & SSL_ST_MASK) == SSL_ST_OK) && 1135 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) { 1136#if 0 /* worked only because C operator preferences 1137 * are not as expected (and because this is 1138 * not really needed for clients except for 1139 * detecting protocol violations): */ 1140 s->state = SSL_ST_BEFORE | (s->server) 1141 ? SSL_ST_ACCEPT : SSL_ST_CONNECT; 1142#else 1143 s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; 1144#endif 1145 s->new_session = 1; 1146 } 1147 i = s->handshake_func(s); 1148 if (i < 0) 1149 return (i); 1150 if (i == 0) { 1151 SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE); 1152 return (-1); 1153 } 1154 1155 if (!(s->mode & SSL_MODE_AUTO_RETRY)) { 1156 if (s->s3->rbuf.left == 0) { /* no read-ahead left? */ 1157 BIO *bio; 1158 /* 1159 * In the case where we try to read application data, but we 1160 * trigger an SSL handshake, we return -1 with the retry 1161 * option set. Otherwise renegotiation may cause nasty 1162 * problems in the blocking world 1163 */ 1164 s->rwstate = SSL_READING; 1165 bio = SSL_get_rbio(s); 1166 BIO_clear_retry_flags(bio); 1167 BIO_set_retry_read(bio); 1168 return (-1); 1169 } 1170 } 1171 goto start; 1172 } 1173 1174 switch (rr->type) { 1175 default: 1176#ifndef OPENSSL_NO_TLS 1177 /* TLS just ignores unknown message types */ 1178 if (s->version == TLS1_VERSION) { 1179 rr->length = 0; 1180 goto start; 1181 } 1182#endif 1183 al = SSL_AD_UNEXPECTED_MESSAGE; 1184 SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD); 1185 goto f_err; 1186 case SSL3_RT_CHANGE_CIPHER_SPEC: 1187 case SSL3_RT_ALERT: 1188 case SSL3_RT_HANDSHAKE: 1189 /* 1190 * we already handled all of these, with the possible exception of 1191 * SSL3_RT_HANDSHAKE when s->in_handshake is set, but that should not 1192 * happen when type != rr->type 1193 */ 1194 al = SSL_AD_UNEXPECTED_MESSAGE; 1195 SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); 1196 goto f_err; 1197 case SSL3_RT_APPLICATION_DATA: 1198 /* 1199 * At this point, we were expecting handshake data, but have 1200 * application data. If the library was running inside ssl3_read() 1201 * (i.e. in_read_app_data is set) and it makes sense to read 1202 * application data at this point (session renegotiation not yet 1203 * started), we will indulge it. 1204 */ 1205 if (s->s3->in_read_app_data && 1206 (s->s3->total_renegotiations != 0) && 1207 (((s->state & SSL_ST_CONNECT) && 1208 (s->state >= SSL3_ST_CW_CLNT_HELLO_A) && 1209 (s->state <= SSL3_ST_CR_SRVR_HELLO_A) 1210 ) || ((s->state & SSL_ST_ACCEPT) && 1211 (s->state <= SSL3_ST_SW_HELLO_REQ_A) && 1212 (s->state >= SSL3_ST_SR_CLNT_HELLO_A) 1213 ) 1214 )) { 1215 s->s3->in_read_app_data = 2; 1216 return (-1); 1217 } else { 1218 al = SSL_AD_UNEXPECTED_MESSAGE; 1219 SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD); 1220 goto f_err; 1221 } 1222 } 1223 /* not reached */ 1224 1225 f_err: 1226 ssl3_send_alert(s, SSL3_AL_FATAL, al); 1227 err: 1228 return (-1); 1229} 1230 1231int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len) 1232{ 1233 int i; 1234 1235 if (SSL_in_init(s) && !s->in_handshake) { 1236 i = s->handshake_func(s); 1237 if (i < 0) 1238 return (i); 1239 if (i == 0) { 1240 SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES, 1241 SSL_R_SSL_HANDSHAKE_FAILURE); 1242 return -1; 1243 } 1244 } 1245 1246 if (len > SSL3_RT_MAX_PLAIN_LENGTH) { 1247 SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES, SSL_R_DTLS_MESSAGE_TOO_BIG); 1248 return -1; 1249 } 1250 1251 i = dtls1_write_bytes(s, type, buf_, len); 1252 return i; 1253} 1254 1255 /* 1256 * this only happens when a client hello is received and a handshake 1257 * is started. 1258 */ 1259static int 1260have_handshake_fragment(SSL *s, int type, unsigned char *buf, 1261 int len, int peek) 1262{ 1263 1264 if ((type == SSL3_RT_HANDSHAKE) && (s->d1->handshake_fragment_len > 0)) 1265 /* (partially) satisfy request from storage */ 1266 { 1267 unsigned char *src = s->d1->handshake_fragment; 1268 unsigned char *dst = buf; 1269 unsigned int k, n; 1270 1271 /* peek == 0 */ 1272 n = 0; 1273 while ((len > 0) && (s->d1->handshake_fragment_len > 0)) { 1274 *dst++ = *src++; 1275 len--; 1276 s->d1->handshake_fragment_len--; 1277 n++; 1278 } 1279 /* move any remaining fragment bytes: */ 1280 for (k = 0; k < s->d1->handshake_fragment_len; k++) 1281 s->d1->handshake_fragment[k] = *src++; 1282 return n; 1283 } 1284 1285 return 0; 1286} 1287 1288/* 1289 * Call this to write data in records of type 'type' It will return <= 0 if 1290 * not all data has been sent or non-blocking IO. 1291 */ 1292int dtls1_write_bytes(SSL *s, int type, const void *buf, int len) 1293{ 1294 int i; 1295 1296 OPENSSL_assert(len <= SSL3_RT_MAX_PLAIN_LENGTH); 1297 s->rwstate = SSL_NOTHING; 1298 i = do_dtls1_write(s, type, buf, len, 0); 1299 return i; 1300} 1301 1302int do_dtls1_write(SSL *s, int type, const unsigned char *buf, 1303 unsigned int len, int create_empty_fragment) 1304{ 1305 unsigned char *p, *pseq; 1306 int i, mac_size, clear = 0; 1307 int prefix_len = 0; 1308 SSL3_RECORD *wr; 1309 SSL3_BUFFER *wb; 1310 SSL_SESSION *sess; 1311 int bs; 1312 1313 /* 1314 * first check if there is a SSL3_BUFFER still being written out. This 1315 * will happen with non blocking IO 1316 */ 1317 if (s->s3->wbuf.left != 0) { 1318 OPENSSL_assert(0); /* XDTLS: want to see if we ever get here */ 1319 return (ssl3_write_pending(s, type, buf, len)); 1320 } 1321 1322 /* If we have an alert to send, lets send it */ 1323 if (s->s3->alert_dispatch) { 1324 i = s->method->ssl_dispatch_alert(s); 1325 if (i <= 0) 1326 return (i); 1327 /* if it went, fall through and send more stuff */ 1328 } 1329 1330 if (len == 0 && !create_empty_fragment) 1331 return 0; 1332 1333 wr = &(s->s3->wrec); 1334 wb = &(s->s3->wbuf); 1335 sess = s->session; 1336 1337 if ((sess == NULL) || 1338 (s->enc_write_ctx == NULL) || (s->write_hash == NULL)) 1339 clear = 1; 1340 1341 if (clear) 1342 mac_size = 0; 1343 else 1344 mac_size = EVP_MD_size(s->write_hash); 1345 1346 /* DTLS implements explicit IV, so no need for empty fragments */ 1347#if 0 1348 /* 1349 * 'create_empty_fragment' is true only when this function calls itself 1350 */ 1351 if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done 1352 && SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER) 1353 { 1354 /* 1355 * countermeasure against known-IV weakness in CBC ciphersuites (see 1356 * http://www.openssl.org/~bodo/tls-cbc.txt) 1357 */ 1358 1359 if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA) { 1360 /* 1361 * recursive function call with 'create_empty_fragment' set; this 1362 * prepares and buffers the data for an empty fragment (these 1363 * 'prefix_len' bytes are sent out later together with the actual 1364 * payload) 1365 */ 1366 prefix_len = s->method->do_ssl_write(s, type, buf, 0, 1); 1367 if (prefix_len <= 0) 1368 goto err; 1369 1370 if (s->s3->wbuf.len < 1371 (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE) { 1372 /* insufficient space */ 1373 SSLerr(SSL_F_DO_DTLS1_WRITE, ERR_R_INTERNAL_ERROR); 1374 goto err; 1375 } 1376 } 1377 1378 s->s3->empty_fragment_done = 1; 1379 } 1380#endif 1381 1382 p = wb->buf + prefix_len; 1383 1384 /* write the header */ 1385 1386 *(p++) = type & 0xff; 1387 wr->type = type; 1388 1389 if (s->client_version == DTLS1_BAD_VER) 1390 *(p++) = DTLS1_BAD_VER >> 8, *(p++) = DTLS1_BAD_VER & 0xff; 1391 else 1392 *(p++) = (s->version >> 8), *(p++) = s->version & 0xff; 1393 1394 /* field where we are to write out packet epoch, seq num and len */ 1395 pseq = p; 1396 p += 10; 1397 1398 /* lets setup the record stuff. */ 1399 1400 /* 1401 * Make space for the explicit IV in case of CBC. (this is a bit of a 1402 * boundary violation, but what the heck). 1403 */ 1404 if (s->enc_write_ctx && 1405 (EVP_CIPHER_mode(s->enc_write_ctx->cipher) & EVP_CIPH_CBC_MODE)) 1406 bs = EVP_CIPHER_block_size(s->enc_write_ctx->cipher); 1407 else 1408 bs = 0; 1409 1410 wr->data = p + bs; /* make room for IV in case of CBC */ 1411 wr->length = (int)len; 1412 wr->input = (unsigned char *)buf; 1413 1414 /* 1415 * we now 'read' from wr->input, wr->length bytes into wr->data 1416 */ 1417 1418 /* first we compress */ 1419 if (s->compress != NULL) { 1420 if (!ssl3_do_compress(s)) { 1421 SSLerr(SSL_F_DO_DTLS1_WRITE, SSL_R_COMPRESSION_FAILURE); 1422 goto err; 1423 } 1424 } else { 1425 memcpy(wr->data, wr->input, wr->length); 1426 wr->input = wr->data; 1427 } 1428 1429 /* 1430 * we should still have the output to wr->data and the input from 1431 * wr->input. Length should be wr->length. wr->data still points in the 1432 * wb->buf 1433 */ 1434 1435 if (mac_size != 0) { 1436 s->method->ssl3_enc->mac(s, &(p[wr->length + bs]), 1); 1437 wr->length += mac_size; 1438 } 1439 1440 /* this is true regardless of mac size */ 1441 wr->input = p; 1442 wr->data = p; 1443 1444 /* ssl3_enc can only have an error on read */ 1445 if (bs) { /* bs != 0 in case of CBC */ 1446 RAND_pseudo_bytes(p, bs); 1447 /* 1448 * master IV and last CBC residue stand for the rest of randomness 1449 */ 1450 wr->length += bs; 1451 } 1452 1453 s->method->ssl3_enc->enc(s, 1); 1454 1455 /* record length after mac and block padding */ 1456 /* 1457 * if (type == SSL3_RT_APPLICATION_DATA || (type == SSL3_RT_ALERT && ! 1458 * SSL_in_init(s))) 1459 */ 1460 1461 /* there's only one epoch between handshake and app data */ 1462 1463 s2n(s->d1->w_epoch, pseq); 1464 1465 /* XDTLS: ?? */ 1466 /* 1467 * else s2n(s->d1->handshake_epoch, pseq); 1468 */ 1469 1470 memcpy(pseq, &(s->s3->write_sequence[2]), 6); 1471 pseq += 6; 1472 s2n(wr->length, pseq); 1473 1474 /* 1475 * we should now have wr->data pointing to the encrypted data, which is 1476 * wr->length long 1477 */ 1478 wr->type = type; /* not needed but helps for debugging */ 1479 wr->length += DTLS1_RT_HEADER_LENGTH; 1480 1481#if 0 /* this is now done at the message layer */ 1482 /* buffer the record, making it easy to handle retransmits */ 1483 if (type == SSL3_RT_HANDSHAKE || type == SSL3_RT_CHANGE_CIPHER_SPEC) 1484 dtls1_buffer_record(s, wr->data, wr->length, 1485 *((PQ_64BIT *) & (s->s3->write_sequence[0]))); 1486#endif 1487 1488 ssl3_record_sequence_update(&(s->s3->write_sequence[0])); 1489 1490 if (create_empty_fragment) { 1491 /* 1492 * we are in a recursive call; just return the length, don't write 1493 * out anything here 1494 */ 1495 return wr->length; 1496 } 1497 1498 /* now let's set up wb */ 1499 wb->left = prefix_len + wr->length; 1500 wb->offset = 0; 1501 1502 /* 1503 * memorize arguments so that ssl3_write_pending can detect bad write 1504 * retries later 1505 */ 1506 s->s3->wpend_tot = len; 1507 s->s3->wpend_buf = buf; 1508 s->s3->wpend_type = type; 1509 s->s3->wpend_ret = len; 1510 1511 /* we now just need to write the buffer */ 1512 return ssl3_write_pending(s, type, buf, len); 1513 err: 1514 return -1; 1515} 1516 1517static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap, 1518 PQ_64BIT * seq_num) 1519{ 1520#if PQ_64BIT_IS_INTEGER 1521 PQ_64BIT mask = 0x0000000000000001L; 1522#endif 1523 PQ_64BIT rcd_num, tmp; 1524 1525 pq_64bit_init(&rcd_num); 1526 pq_64bit_init(&tmp); 1527 1528 /* this is the sequence number for the record just read */ 1529 pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8); 1530 1531 if (pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) || 1532 pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num))) { 1533 pq_64bit_assign(seq_num, &rcd_num); 1534 pq_64bit_free(&rcd_num); 1535 pq_64bit_free(&tmp); 1536 return 1; /* this record is new */ 1537 } 1538 1539 pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num); 1540 1541 if (pq_64bit_get_word(&tmp) > bitmap->length) { 1542 pq_64bit_free(&rcd_num); 1543 pq_64bit_free(&tmp); 1544 return 0; /* stale, outside the window */ 1545 } 1546#if PQ_64BIT_IS_BIGNUM 1547 { 1548 int offset; 1549 pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num); 1550 pq_64bit_sub_word(&tmp, 1); 1551 offset = pq_64bit_get_word(&tmp); 1552 if (pq_64bit_is_bit_set(&(bitmap->map), offset)) { 1553 pq_64bit_free(&rcd_num); 1554 pq_64bit_free(&tmp); 1555 return 0; 1556 } 1557 } 1558#else 1559 mask <<= (bitmap->max_seq_num - rcd_num - 1); 1560 if (bitmap->map & mask) 1561 return 0; /* record previously received */ 1562#endif 1563 1564 pq_64bit_assign(seq_num, &rcd_num); 1565 pq_64bit_free(&rcd_num); 1566 pq_64bit_free(&tmp); 1567 return 1; 1568} 1569 1570static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap) 1571{ 1572 unsigned int shift; 1573 PQ_64BIT rcd_num; 1574 PQ_64BIT tmp; 1575 PQ_64BIT_CTX *ctx; 1576 1577 pq_64bit_init(&rcd_num); 1578 pq_64bit_init(&tmp); 1579 1580 pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8); 1581 1582 /* 1583 * unfortunate code complexity due to 64-bit manipulation support on 1584 * 32-bit machines 1585 */ 1586 if (pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) || 1587 pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num))) { 1588 pq_64bit_sub(&tmp, &rcd_num, &(bitmap->max_seq_num)); 1589 pq_64bit_add_word(&tmp, 1); 1590 1591 shift = (unsigned int)pq_64bit_get_word(&tmp); 1592 1593 pq_64bit_lshift(&(tmp), &(bitmap->map), shift); 1594 pq_64bit_assign(&(bitmap->map), &tmp); 1595 1596 pq_64bit_set_bit(&(bitmap->map), 0); 1597 pq_64bit_add_word(&rcd_num, 1); 1598 pq_64bit_assign(&(bitmap->max_seq_num), &rcd_num); 1599 1600 pq_64bit_assign_word(&tmp, 1); 1601 pq_64bit_lshift(&tmp, &tmp, bitmap->length); 1602 ctx = pq_64bit_ctx_new(&ctx); 1603 pq_64bit_mod(&(bitmap->map), &(bitmap->map), &tmp, ctx); 1604 pq_64bit_ctx_free(ctx); 1605 } else { 1606 pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num); 1607 pq_64bit_sub_word(&tmp, 1); 1608 shift = (unsigned int)pq_64bit_get_word(&tmp); 1609 1610 pq_64bit_set_bit(&(bitmap->map), shift); 1611 } 1612 1613 pq_64bit_free(&rcd_num); 1614 pq_64bit_free(&tmp); 1615} 1616 1617int dtls1_dispatch_alert(SSL *s) 1618{ 1619 int i, j; 1620 void (*cb) (const SSL *ssl, int type, int val) = NULL; 1621 unsigned char buf[DTLS1_AL_HEADER_LENGTH]; 1622 unsigned char *ptr = &buf[0]; 1623 1624 s->s3->alert_dispatch = 0; 1625 1626 memset(buf, 0x00, sizeof(buf)); 1627 *ptr++ = s->s3->send_alert[0]; 1628 *ptr++ = s->s3->send_alert[1]; 1629 1630#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE 1631 if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) { 1632 s2n(s->d1->handshake_read_seq, ptr); 1633# if 0 1634 if (s->d1->r_msg_hdr.frag_off == 0) 1635 /* 1636 * waiting for a new msg 1637 */ 1638 else 1639 s2n(s->d1->r_msg_hdr.seq, ptr); /* partial msg read */ 1640# endif 1641 1642# if 0 1643 fprintf(stderr, 1644 "s->d1->handshake_read_seq = %d, s->d1->r_msg_hdr.seq = %d\n", 1645 s->d1->handshake_read_seq, s->d1->r_msg_hdr.seq); 1646# endif 1647 l2n3(s->d1->r_msg_hdr.frag_off, ptr); 1648 } 1649#endif 1650 1651 i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0); 1652 if (i <= 0) { 1653 s->s3->alert_dispatch = 1; 1654 /* fprintf( stderr, "not done with alert\n" ); */ 1655 } else { 1656 if (s->s3->send_alert[0] == SSL3_AL_FATAL 1657#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE 1658 || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE 1659#endif 1660 ) 1661 (void)BIO_flush(s->wbio); 1662 1663 if (s->msg_callback) 1664 s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, 1665 2, s, s->msg_callback_arg); 1666 1667 if (s->info_callback != NULL) 1668 cb = s->info_callback; 1669 else if (s->ctx->info_callback != NULL) 1670 cb = s->ctx->info_callback; 1671 1672 if (cb != NULL) { 1673 j = (s->s3->send_alert[0] << 8) | s->s3->send_alert[1]; 1674 cb(s, SSL_CB_WRITE_ALERT, j); 1675 } 1676 } 1677 return (i); 1678} 1679 1680static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, 1681 unsigned int *is_next_epoch) 1682{ 1683 1684 *is_next_epoch = 0; 1685 1686 /* In current epoch, accept HM, CCS, DATA, & ALERT */ 1687 if (rr->epoch == s->d1->r_epoch) 1688 return &s->d1->bitmap; 1689 1690 /* Only HM and ALERT messages can be from the next epoch */ 1691 else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) && 1692 (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) { 1693 *is_next_epoch = 1; 1694 return &s->d1->next_bitmap; 1695 } 1696 1697 return NULL; 1698} 1699 1700#if 0 1701static int 1702dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr, 1703 unsigned short *priority, unsigned long *offset) 1704{ 1705 1706 /* alerts are passed up immediately */ 1707 if (rr->type == SSL3_RT_APPLICATION_DATA || rr->type == SSL3_RT_ALERT) 1708 return 0; 1709 1710 /* 1711 * Only need to buffer if a handshake is underway. (this implies that 1712 * Hello Request and Client Hello are passed up immediately) 1713 */ 1714 if (SSL_in_init(s)) { 1715 unsigned char *data = rr->data; 1716 /* need to extract the HM/CCS sequence number here */ 1717 if (rr->type == SSL3_RT_HANDSHAKE || 1718 rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) { 1719 unsigned short seq_num; 1720 struct hm_header_st msg_hdr; 1721 struct ccs_header_st ccs_hdr; 1722 1723 if (rr->type == SSL3_RT_HANDSHAKE) { 1724 dtls1_get_message_header(data, &msg_hdr); 1725 seq_num = msg_hdr.seq; 1726 *offset = msg_hdr.frag_off; 1727 } else { 1728 dtls1_get_ccs_header(data, &ccs_hdr); 1729 seq_num = ccs_hdr.seq; 1730 *offset = 0; 1731 } 1732 1733 /* 1734 * this is either a record we're waiting for, or a retransmit of 1735 * something we happened to previously receive (higher layers 1736 * will drop the repeat silently 1737 */ 1738 if (seq_num < s->d1->handshake_read_seq) 1739 return 0; 1740 if (rr->type == SSL3_RT_HANDSHAKE && 1741 seq_num == s->d1->handshake_read_seq && 1742 msg_hdr.frag_off < s->d1->r_msg_hdr.frag_off) 1743 return 0; 1744 else if (seq_num == s->d1->handshake_read_seq && 1745 (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC || 1746 msg_hdr.frag_off == s->d1->r_msg_hdr.frag_off)) 1747 return 0; 1748 else { 1749 *priority = seq_num; 1750 return 1; 1751 } 1752 } else /* unknown record type */ 1753 return 0; 1754 } 1755 1756 return 0; 1757} 1758#endif 1759 1760void dtls1_reset_seq_numbers(SSL *s, int rw) 1761{ 1762 unsigned char *seq; 1763 unsigned int seq_bytes = sizeof(s->s3->read_sequence); 1764 1765 if (rw & SSL3_CC_READ) { 1766 seq = s->s3->read_sequence; 1767 s->d1->r_epoch++; 1768 1769 pq_64bit_assign(&(s->d1->bitmap.map), &(s->d1->next_bitmap.map)); 1770 s->d1->bitmap.length = s->d1->next_bitmap.length; 1771 pq_64bit_assign(&(s->d1->bitmap.max_seq_num), 1772 &(s->d1->next_bitmap.max_seq_num)); 1773 1774 pq_64bit_free(&(s->d1->next_bitmap.map)); 1775 pq_64bit_free(&(s->d1->next_bitmap.max_seq_num)); 1776 memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP)); 1777 pq_64bit_init(&(s->d1->next_bitmap.map)); 1778 pq_64bit_init(&(s->d1->next_bitmap.max_seq_num)); 1779 } else { 1780 seq = s->s3->write_sequence; 1781 memcpy(s->d1->last_write_sequence, seq, 1782 sizeof(s->s3->write_sequence)); 1783 s->d1->w_epoch++; 1784 } 1785 1786 memset(seq, 0x00, seq_bytes); 1787} 1788 1789#if PQ_64BIT_IS_INTEGER 1790static PQ_64BIT bytes_to_long_long(unsigned char *bytes, PQ_64BIT * num) 1791{ 1792 PQ_64BIT _num; 1793 1794 _num = (((PQ_64BIT) bytes[0]) << 56) | 1795 (((PQ_64BIT) bytes[1]) << 48) | 1796 (((PQ_64BIT) bytes[2]) << 40) | 1797 (((PQ_64BIT) bytes[3]) << 32) | 1798 (((PQ_64BIT) bytes[4]) << 24) | 1799 (((PQ_64BIT) bytes[5]) << 16) | 1800 (((PQ_64BIT) bytes[6]) << 8) | (((PQ_64BIT) bytes[7])); 1801 1802 *num = _num; 1803 return _num; 1804} 1805#endif 1806