statem_dtls.c revision 1.1.1.1
1/* 2 * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10#include <limits.h> 11#include <string.h> 12#include <stdio.h> 13#include "../ssl_locl.h" 14#include "statem_locl.h" 15#include <openssl/buffer.h> 16#include <openssl/objects.h> 17#include <openssl/evp.h> 18#include <openssl/x509.h> 19 20#define RSMBLY_BITMASK_SIZE(msg_len) (((msg_len) + 7) / 8) 21 22#define RSMBLY_BITMASK_MARK(bitmask, start, end) { \ 23 if ((end) - (start) <= 8) { \ 24 long ii; \ 25 for (ii = (start); ii < (end); ii++) bitmask[((ii) >> 3)] |= (1 << ((ii) & 7)); \ 26 } else { \ 27 long ii; \ 28 bitmask[((start) >> 3)] |= bitmask_start_values[((start) & 7)]; \ 29 for (ii = (((start) >> 3) + 1); ii < ((((end) - 1)) >> 3); ii++) bitmask[ii] = 0xff; \ 30 bitmask[(((end) - 1) >> 3)] |= bitmask_end_values[((end) & 7)]; \ 31 } } 32 33#define RSMBLY_BITMASK_IS_COMPLETE(bitmask, msg_len, is_complete) { \ 34 long ii; \ 35 OPENSSL_assert((msg_len) > 0); \ 36 is_complete = 1; \ 37 if (bitmask[(((msg_len) - 1) >> 3)] != bitmask_end_values[((msg_len) & 7)]) is_complete = 0; \ 38 if (is_complete) for (ii = (((msg_len) - 1) >> 3) - 1; ii >= 0 ; ii--) \ 39 if (bitmask[ii] != 0xff) { is_complete = 0; break; } } 40 41static unsigned char bitmask_start_values[] = 42 { 0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80 }; 43static unsigned char bitmask_end_values[] = 44 { 0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f }; 45 46static void dtls1_fix_message_header(SSL *s, unsigned long frag_off, 47 unsigned long frag_len); 48static unsigned char *dtls1_write_message_header(SSL *s, unsigned char *p); 49static void dtls1_set_message_header_int(SSL *s, unsigned char mt, 50 unsigned long len, 51 unsigned short seq_num, 52 unsigned long frag_off, 53 unsigned long frag_len); 54static int dtls_get_reassembled_message(SSL *s, long *len); 55 56static hm_fragment *dtls1_hm_fragment_new(unsigned long frag_len, 57 int reassembly) 58{ 59 hm_fragment *frag = NULL; 60 unsigned char *buf = NULL; 61 unsigned char *bitmask = NULL; 62 63 frag = OPENSSL_malloc(sizeof(*frag)); 64 if (frag == NULL) 65 return NULL; 66 67 if (frag_len) { 68 buf = OPENSSL_malloc(frag_len); 69 if (buf == NULL) { 70 OPENSSL_free(frag); 71 return NULL; 72 } 73 } 74 75 /* zero length fragment gets zero frag->fragment */ 76 frag->fragment = buf; 77 78 /* Initialize reassembly bitmask if necessary */ 79 if (reassembly) { 80 bitmask = OPENSSL_zalloc(RSMBLY_BITMASK_SIZE(frag_len)); 81 if (bitmask == NULL) { 82 OPENSSL_free(buf); 83 OPENSSL_free(frag); 84 return NULL; 85 } 86 } 87 88 frag->reassembly = bitmask; 89 90 return frag; 91} 92 93void dtls1_hm_fragment_free(hm_fragment *frag) 94{ 95 if (!frag) 96 return; 97 if (frag->msg_header.is_ccs) { 98 EVP_CIPHER_CTX_free(frag->msg_header. 99 saved_retransmit_state.enc_write_ctx); 100 EVP_MD_CTX_free(frag->msg_header.saved_retransmit_state.write_hash); 101 } 102 OPENSSL_free(frag->fragment); 103 OPENSSL_free(frag->reassembly); 104 OPENSSL_free(frag); 105} 106 107/* 108 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or 109 * SSL3_RT_CHANGE_CIPHER_SPEC) 110 */ 111int dtls1_do_write(SSL *s, int type) 112{ 113 int ret; 114 unsigned int curr_mtu; 115 int retry = 1; 116 unsigned int len, frag_off, mac_size, blocksize, used_len; 117 118 if (!dtls1_query_mtu(s)) 119 return -1; 120 121 if (s->d1->mtu < dtls1_min_mtu(s)) 122 /* should have something reasonable now */ 123 return -1; 124 125 if (s->init_off == 0 && type == SSL3_RT_HANDSHAKE) 126 OPENSSL_assert(s->init_num == 127 (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH); 128 129 if (s->write_hash) { 130 if (s->enc_write_ctx 131 && (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_write_ctx)) & 132 EVP_CIPH_FLAG_AEAD_CIPHER) != 0) 133 mac_size = 0; 134 else 135 mac_size = EVP_MD_CTX_size(s->write_hash); 136 } else 137 mac_size = 0; 138 139 if (s->enc_write_ctx && 140 (EVP_CIPHER_CTX_mode(s->enc_write_ctx) == EVP_CIPH_CBC_MODE)) 141 blocksize = 2 * EVP_CIPHER_CTX_block_size(s->enc_write_ctx); 142 else 143 blocksize = 0; 144 145 frag_off = 0; 146 s->rwstate = SSL_NOTHING; 147 148 /* s->init_num shouldn't ever be < 0...but just in case */ 149 while (s->init_num > 0) { 150 if (type == SSL3_RT_HANDSHAKE && s->init_off != 0) { 151 /* We must be writing a fragment other than the first one */ 152 153 if (frag_off > 0) { 154 /* This is the first attempt at writing out this fragment */ 155 156 if (s->init_off <= DTLS1_HM_HEADER_LENGTH) { 157 /* 158 * Each fragment that was already sent must at least have 159 * contained the message header plus one other byte. 160 * Therefore |init_off| must have progressed by at least 161 * |DTLS1_HM_HEADER_LENGTH + 1| bytes. If not something went 162 * wrong. 163 */ 164 return -1; 165 } 166 167 /* 168 * Adjust |init_off| and |init_num| to allow room for a new 169 * message header for this fragment. 170 */ 171 s->init_off -= DTLS1_HM_HEADER_LENGTH; 172 s->init_num += DTLS1_HM_HEADER_LENGTH; 173 } else { 174 /* 175 * We must have been called again after a retry so use the 176 * fragment offset from our last attempt. We do not need 177 * to adjust |init_off| and |init_num| as above, because 178 * that should already have been done before the retry. 179 */ 180 frag_off = s->d1->w_msg_hdr.frag_off; 181 } 182 } 183 184 used_len = BIO_wpending(s->wbio) + DTLS1_RT_HEADER_LENGTH 185 + mac_size + blocksize; 186 if (s->d1->mtu > used_len) 187 curr_mtu = s->d1->mtu - used_len; 188 else 189 curr_mtu = 0; 190 191 if (curr_mtu <= DTLS1_HM_HEADER_LENGTH) { 192 /* 193 * grr.. we could get an error if MTU picked was wrong 194 */ 195 ret = BIO_flush(s->wbio); 196 if (ret <= 0) { 197 s->rwstate = SSL_WRITING; 198 return ret; 199 } 200 used_len = DTLS1_RT_HEADER_LENGTH + mac_size + blocksize; 201 if (s->d1->mtu > used_len + DTLS1_HM_HEADER_LENGTH) { 202 curr_mtu = s->d1->mtu - used_len; 203 } else { 204 /* Shouldn't happen */ 205 return -1; 206 } 207 } 208 209 /* 210 * We just checked that s->init_num > 0 so this cast should be safe 211 */ 212 if (((unsigned int)s->init_num) > curr_mtu) 213 len = curr_mtu; 214 else 215 len = s->init_num; 216 217 if (len > s->max_send_fragment) 218 len = s->max_send_fragment; 219 220 /* 221 * XDTLS: this function is too long. split out the CCS part 222 */ 223 if (type == SSL3_RT_HANDSHAKE) { 224 if (len < DTLS1_HM_HEADER_LENGTH) { 225 /* 226 * len is so small that we really can't do anything sensible 227 * so fail 228 */ 229 return -1; 230 } 231 dtls1_fix_message_header(s, frag_off, len - DTLS1_HM_HEADER_LENGTH); 232 233 dtls1_write_message_header(s, 234 (unsigned char *)&s->init_buf-> 235 data[s->init_off]); 236 } 237 238 ret = dtls1_write_bytes(s, type, &s->init_buf->data[s->init_off], len); 239 if (ret < 0) { 240 /* 241 * might need to update MTU here, but we don't know which 242 * previous packet caused the failure -- so can't really 243 * retransmit anything. continue as if everything is fine and 244 * wait for an alert to handle the retransmit 245 */ 246 if (retry && BIO_ctrl(SSL_get_wbio(s), 247 BIO_CTRL_DGRAM_MTU_EXCEEDED, 0, NULL) > 0) { 248 if (!(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) { 249 if (!dtls1_query_mtu(s)) 250 return -1; 251 /* Have one more go */ 252 retry = 0; 253 } else 254 return -1; 255 } else { 256 return (-1); 257 } 258 } else { 259 260 /* 261 * bad if this assert fails, only part of the handshake message 262 * got sent. but why would this happen? 263 */ 264 OPENSSL_assert(len == (unsigned int)ret); 265 266 if (type == SSL3_RT_HANDSHAKE && !s->d1->retransmitting) { 267 /* 268 * should not be done for 'Hello Request's, but in that case 269 * we'll ignore the result anyway 270 */ 271 unsigned char *p = 272 (unsigned char *)&s->init_buf->data[s->init_off]; 273 const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; 274 int xlen; 275 276 if (frag_off == 0 && s->version != DTLS1_BAD_VER) { 277 /* 278 * reconstruct message header is if it is being sent in 279 * single fragment 280 */ 281 *p++ = msg_hdr->type; 282 l2n3(msg_hdr->msg_len, p); 283 s2n(msg_hdr->seq, p); 284 l2n3(0, p); 285 l2n3(msg_hdr->msg_len, p); 286 p -= DTLS1_HM_HEADER_LENGTH; 287 xlen = ret; 288 } else { 289 p += DTLS1_HM_HEADER_LENGTH; 290 xlen = ret - DTLS1_HM_HEADER_LENGTH; 291 } 292 293 if (!ssl3_finish_mac(s, p, xlen)) 294 return -1; 295 } 296 297 if (ret == s->init_num) { 298 if (s->msg_callback) 299 s->msg_callback(1, s->version, type, s->init_buf->data, 300 (size_t)(s->init_off + s->init_num), s, 301 s->msg_callback_arg); 302 303 s->init_off = 0; /* done writing this message */ 304 s->init_num = 0; 305 306 return (1); 307 } 308 s->init_off += ret; 309 s->init_num -= ret; 310 ret -= DTLS1_HM_HEADER_LENGTH; 311 frag_off += ret; 312 313 /* 314 * We save the fragment offset for the next fragment so we have it 315 * available in case of an IO retry. We don't know the length of the 316 * next fragment yet so just set that to 0 for now. It will be 317 * updated again later. 318 */ 319 dtls1_fix_message_header(s, frag_off, 0); 320 } 321 } 322 return (0); 323} 324 325int dtls_get_message(SSL *s, int *mt, unsigned long *len) 326{ 327 struct hm_header_st *msg_hdr; 328 unsigned char *p; 329 unsigned long msg_len; 330 int ok; 331 long tmplen; 332 333 msg_hdr = &s->d1->r_msg_hdr; 334 memset(msg_hdr, 0, sizeof(*msg_hdr)); 335 336 again: 337 ok = dtls_get_reassembled_message(s, &tmplen); 338 if (tmplen == DTLS1_HM_BAD_FRAGMENT || tmplen == DTLS1_HM_FRAGMENT_RETRY) { 339 /* bad fragment received */ 340 goto again; 341 } else if (tmplen <= 0 && !ok) { 342 return 0; 343 } 344 345 *mt = s->s3->tmp.message_type; 346 347 p = (unsigned char *)s->init_buf->data; 348 349 if (*mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 350 if (s->msg_callback) { 351 s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, 352 p, 1, s, s->msg_callback_arg); 353 } 354 /* 355 * This isn't a real handshake message so skip the processing below. 356 */ 357 *len = (unsigned long)tmplen; 358 return 1; 359 } 360 361 msg_len = msg_hdr->msg_len; 362 363 /* reconstruct message header */ 364 *(p++) = msg_hdr->type; 365 l2n3(msg_len, p); 366 s2n(msg_hdr->seq, p); 367 l2n3(0, p); 368 l2n3(msg_len, p); 369 if (s->version != DTLS1_BAD_VER) { 370 p -= DTLS1_HM_HEADER_LENGTH; 371 msg_len += DTLS1_HM_HEADER_LENGTH; 372 } 373 374 if (!ssl3_finish_mac(s, p, msg_len)) 375 return 0; 376 if (s->msg_callback) 377 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 378 p, msg_len, s, s->msg_callback_arg); 379 380 memset(msg_hdr, 0, sizeof(*msg_hdr)); 381 382 s->d1->handshake_read_seq++; 383 384 s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH; 385 *len = s->init_num; 386 387 return 1; 388} 389 390/* 391 * dtls1_max_handshake_message_len returns the maximum number of bytes 392 * permitted in a DTLS handshake message for |s|. The minimum is 16KB, but 393 * may be greater if the maximum certificate list size requires it. 394 */ 395static unsigned long dtls1_max_handshake_message_len(const SSL *s) 396{ 397 unsigned long max_len = 398 DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; 399 if (max_len < (unsigned long)s->max_cert_list) 400 return s->max_cert_list; 401 return max_len; 402} 403 404static int dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr) 405{ 406 size_t frag_off, frag_len, msg_len; 407 408 msg_len = msg_hdr->msg_len; 409 frag_off = msg_hdr->frag_off; 410 frag_len = msg_hdr->frag_len; 411 412 /* sanity checking */ 413 if ((frag_off + frag_len) > msg_len 414 || msg_len > dtls1_max_handshake_message_len(s)) { 415 SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, SSL_R_EXCESSIVE_MESSAGE_SIZE); 416 return SSL_AD_ILLEGAL_PARAMETER; 417 } 418 419 if (s->d1->r_msg_hdr.frag_off == 0) { /* first fragment */ 420 /* 421 * msg_len is limited to 2^24, but is effectively checked against 422 * dtls_max_handshake_message_len(s) above 423 */ 424 if (!BUF_MEM_grow_clean(s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH)) { 425 SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB); 426 return SSL_AD_INTERNAL_ERROR; 427 } 428 429 s->s3->tmp.message_size = msg_len; 430 s->d1->r_msg_hdr.msg_len = msg_len; 431 s->s3->tmp.message_type = msg_hdr->type; 432 s->d1->r_msg_hdr.type = msg_hdr->type; 433 s->d1->r_msg_hdr.seq = msg_hdr->seq; 434 } else if (msg_len != s->d1->r_msg_hdr.msg_len) { 435 /* 436 * They must be playing with us! BTW, failure to enforce upper limit 437 * would open possibility for buffer overrun. 438 */ 439 SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, SSL_R_EXCESSIVE_MESSAGE_SIZE); 440 return SSL_AD_ILLEGAL_PARAMETER; 441 } 442 443 return 0; /* no error */ 444} 445 446static int dtls1_retrieve_buffered_fragment(SSL *s, int *ok) 447{ 448 /*- 449 * (0) check whether the desired fragment is available 450 * if so: 451 * (1) copy over the fragment to s->init_buf->data[] 452 * (2) update s->init_num 453 */ 454 pitem *item; 455 hm_fragment *frag; 456 int al; 457 458 *ok = 0; 459 460 do { 461 item = pqueue_peek(s->d1->buffered_messages); 462 if (item == NULL) 463 return 0; 464 465 frag = (hm_fragment *)item->data; 466 467 if (frag->msg_header.seq < s->d1->handshake_read_seq) { 468 /* This is a stale message that has been buffered so clear it */ 469 pqueue_pop(s->d1->buffered_messages); 470 dtls1_hm_fragment_free(frag); 471 pitem_free(item); 472 item = NULL; 473 frag = NULL; 474 } 475 } while (item == NULL); 476 477 /* Don't return if reassembly still in progress */ 478 if (frag->reassembly != NULL) 479 return 0; 480 481 if (s->d1->handshake_read_seq == frag->msg_header.seq) { 482 unsigned long frag_len = frag->msg_header.frag_len; 483 pqueue_pop(s->d1->buffered_messages); 484 485 al = dtls1_preprocess_fragment(s, &frag->msg_header); 486 487 if (al == 0) { /* no alert */ 488 unsigned char *p = 489 (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH; 490 memcpy(&p[frag->msg_header.frag_off], frag->fragment, 491 frag->msg_header.frag_len); 492 } 493 494 dtls1_hm_fragment_free(frag); 495 pitem_free(item); 496 497 if (al == 0) { 498 *ok = 1; 499 return frag_len; 500 } 501 502 ssl3_send_alert(s, SSL3_AL_FATAL, al); 503 s->init_num = 0; 504 *ok = 0; 505 return -1; 506 } else 507 return 0; 508} 509 510static int 511dtls1_reassemble_fragment(SSL *s, const struct hm_header_st *msg_hdr, int *ok) 512{ 513 hm_fragment *frag = NULL; 514 pitem *item = NULL; 515 int i = -1, is_complete; 516 unsigned char seq64be[8]; 517 unsigned long frag_len = msg_hdr->frag_len; 518 519 if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len || 520 msg_hdr->msg_len > dtls1_max_handshake_message_len(s)) 521 goto err; 522 523 if (frag_len == 0) 524 return DTLS1_HM_FRAGMENT_RETRY; 525 526 /* Try to find item in queue */ 527 memset(seq64be, 0, sizeof(seq64be)); 528 seq64be[6] = (unsigned char)(msg_hdr->seq >> 8); 529 seq64be[7] = (unsigned char)msg_hdr->seq; 530 item = pqueue_find(s->d1->buffered_messages, seq64be); 531 532 if (item == NULL) { 533 frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 1); 534 if (frag == NULL) 535 goto err; 536 memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); 537 frag->msg_header.frag_len = frag->msg_header.msg_len; 538 frag->msg_header.frag_off = 0; 539 } else { 540 frag = (hm_fragment *)item->data; 541 if (frag->msg_header.msg_len != msg_hdr->msg_len) { 542 item = NULL; 543 frag = NULL; 544 goto err; 545 } 546 } 547 548 /* 549 * If message is already reassembled, this must be a retransmit and can 550 * be dropped. In this case item != NULL and so frag does not need to be 551 * freed. 552 */ 553 if (frag->reassembly == NULL) { 554 unsigned char devnull[256]; 555 556 while (frag_len) { 557 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL, 558 devnull, 559 frag_len > 560 sizeof(devnull) ? sizeof(devnull) : 561 frag_len, 0); 562 if (i <= 0) 563 goto err; 564 frag_len -= i; 565 } 566 return DTLS1_HM_FRAGMENT_RETRY; 567 } 568 569 /* read the body of the fragment (header has already been read */ 570 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL, 571 frag->fragment + msg_hdr->frag_off, 572 frag_len, 0); 573 if ((unsigned long)i != frag_len) 574 i = -1; 575 if (i <= 0) 576 goto err; 577 578 RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off, 579 (long)(msg_hdr->frag_off + frag_len)); 580 581 RSMBLY_BITMASK_IS_COMPLETE(frag->reassembly, (long)msg_hdr->msg_len, 582 is_complete); 583 584 if (is_complete) { 585 OPENSSL_free(frag->reassembly); 586 frag->reassembly = NULL; 587 } 588 589 if (item == NULL) { 590 item = pitem_new(seq64be, frag); 591 if (item == NULL) { 592 i = -1; 593 goto err; 594 } 595 596 item = pqueue_insert(s->d1->buffered_messages, item); 597 /* 598 * pqueue_insert fails iff a duplicate item is inserted. However, 599 * |item| cannot be a duplicate. If it were, |pqueue_find|, above, 600 * would have returned it and control would never have reached this 601 * branch. 602 */ 603 OPENSSL_assert(item != NULL); 604 } 605 606 return DTLS1_HM_FRAGMENT_RETRY; 607 608 err: 609 if (item == NULL) 610 dtls1_hm_fragment_free(frag); 611 *ok = 0; 612 return i; 613} 614 615static int 616dtls1_process_out_of_seq_message(SSL *s, const struct hm_header_st *msg_hdr, 617 int *ok) 618{ 619 int i = -1; 620 hm_fragment *frag = NULL; 621 pitem *item = NULL; 622 unsigned char seq64be[8]; 623 unsigned long frag_len = msg_hdr->frag_len; 624 625 if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len) 626 goto err; 627 628 /* Try to find item in queue, to prevent duplicate entries */ 629 memset(seq64be, 0, sizeof(seq64be)); 630 seq64be[6] = (unsigned char)(msg_hdr->seq >> 8); 631 seq64be[7] = (unsigned char)msg_hdr->seq; 632 item = pqueue_find(s->d1->buffered_messages, seq64be); 633 634 /* 635 * If we already have an entry and this one is a fragment, don't discard 636 * it and rather try to reassemble it. 637 */ 638 if (item != NULL && frag_len != msg_hdr->msg_len) 639 item = NULL; 640 641 /* 642 * Discard the message if sequence number was already there, is too far 643 * in the future, already in the queue or if we received a FINISHED 644 * before the SERVER_HELLO, which then must be a stale retransmit. 645 */ 646 if (msg_hdr->seq <= s->d1->handshake_read_seq || 647 msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL || 648 (s->d1->handshake_read_seq == 0 && msg_hdr->type == SSL3_MT_FINISHED)) { 649 unsigned char devnull[256]; 650 651 while (frag_len) { 652 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL, 653 devnull, 654 frag_len > 655 sizeof(devnull) ? sizeof(devnull) : 656 frag_len, 0); 657 if (i <= 0) 658 goto err; 659 frag_len -= i; 660 } 661 } else { 662 if (frag_len != msg_hdr->msg_len) 663 return dtls1_reassemble_fragment(s, msg_hdr, ok); 664 665 if (frag_len > dtls1_max_handshake_message_len(s)) 666 goto err; 667 668 frag = dtls1_hm_fragment_new(frag_len, 0); 669 if (frag == NULL) 670 goto err; 671 672 memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); 673 674 if (frag_len) { 675 /* 676 * read the body of the fragment (header has already been read 677 */ 678 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL, 679 frag->fragment, frag_len, 0); 680 if ((unsigned long)i != frag_len) 681 i = -1; 682 if (i <= 0) 683 goto err; 684 } 685 686 item = pitem_new(seq64be, frag); 687 if (item == NULL) 688 goto err; 689 690 item = pqueue_insert(s->d1->buffered_messages, item); 691 /* 692 * pqueue_insert fails iff a duplicate item is inserted. However, 693 * |item| cannot be a duplicate. If it were, |pqueue_find|, above, 694 * would have returned it. Then, either |frag_len| != 695 * |msg_hdr->msg_len| in which case |item| is set to NULL and it will 696 * have been processed with |dtls1_reassemble_fragment|, above, or 697 * the record will have been discarded. 698 */ 699 OPENSSL_assert(item != NULL); 700 } 701 702 return DTLS1_HM_FRAGMENT_RETRY; 703 704 err: 705 if (item == NULL) 706 dtls1_hm_fragment_free(frag); 707 *ok = 0; 708 return i; 709} 710 711static int dtls_get_reassembled_message(SSL *s, long *len) 712{ 713 unsigned char wire[DTLS1_HM_HEADER_LENGTH]; 714 unsigned long mlen, frag_off, frag_len; 715 int i, al, recvd_type; 716 struct hm_header_st msg_hdr; 717 int ok; 718 719 redo: 720 /* see if we have the required fragment already */ 721 if ((frag_len = dtls1_retrieve_buffered_fragment(s, &ok)) || ok) { 722 if (ok) 723 s->init_num = frag_len; 724 *len = frag_len; 725 return ok; 726 } 727 728 /* read handshake message header */ 729 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type, wire, 730 DTLS1_HM_HEADER_LENGTH, 0); 731 if (i <= 0) { /* nbio, or an error */ 732 s->rwstate = SSL_READING; 733 *len = i; 734 return 0; 735 } 736 if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) { 737 if (wire[0] != SSL3_MT_CCS) { 738 al = SSL_AD_UNEXPECTED_MESSAGE; 739 SSLerr(SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, 740 SSL_R_BAD_CHANGE_CIPHER_SPEC); 741 goto f_err; 742 } 743 744 memcpy(s->init_buf->data, wire, i); 745 s->init_num = i - 1; 746 s->init_msg = s->init_buf->data + 1; 747 s->s3->tmp.message_type = SSL3_MT_CHANGE_CIPHER_SPEC; 748 s->s3->tmp.message_size = i - 1; 749 *len = i - 1; 750 return 1; 751 } 752 753 /* Handshake fails if message header is incomplete */ 754 if (i != DTLS1_HM_HEADER_LENGTH) { 755 al = SSL_AD_UNEXPECTED_MESSAGE; 756 SSLerr(SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); 757 goto f_err; 758 } 759 760 /* parse the message fragment header */ 761 dtls1_get_message_header(wire, &msg_hdr); 762 763 mlen = msg_hdr.msg_len; 764 frag_off = msg_hdr.frag_off; 765 frag_len = msg_hdr.frag_len; 766 767 /* 768 * We must have at least frag_len bytes left in the record to be read. 769 * Fragments must not span records. 770 */ 771 if (frag_len > RECORD_LAYER_get_rrec_length(&s->rlayer)) { 772 al = SSL3_AD_ILLEGAL_PARAMETER; 773 SSLerr(SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, SSL_R_BAD_LENGTH); 774 goto f_err; 775 } 776 777 /* 778 * if this is a future (or stale) message it gets buffered 779 * (or dropped)--no further processing at this time 780 * While listening, we accept seq 1 (ClientHello with cookie) 781 * although we're still expecting seq 0 (ClientHello) 782 */ 783 if (msg_hdr.seq != s->d1->handshake_read_seq) { 784 *len = dtls1_process_out_of_seq_message(s, &msg_hdr, &ok); 785 return ok; 786 } 787 788 if (frag_len && frag_len < mlen) { 789 *len = dtls1_reassemble_fragment(s, &msg_hdr, &ok); 790 return ok; 791 } 792 793 if (!s->server && s->d1->r_msg_hdr.frag_off == 0 && 794 wire[0] == SSL3_MT_HELLO_REQUEST) { 795 /* 796 * The server may always send 'Hello Request' messages -- we are 797 * doing a handshake anyway now, so ignore them if their format is 798 * correct. Does not count for 'Finished' MAC. 799 */ 800 if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0) { 801 if (s->msg_callback) 802 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 803 wire, DTLS1_HM_HEADER_LENGTH, s, 804 s->msg_callback_arg); 805 806 s->init_num = 0; 807 goto redo; 808 } else { /* Incorrectly formatted Hello request */ 809 810 al = SSL_AD_UNEXPECTED_MESSAGE; 811 SSLerr(SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, 812 SSL_R_UNEXPECTED_MESSAGE); 813 goto f_err; 814 } 815 } 816 817 if ((al = dtls1_preprocess_fragment(s, &msg_hdr))) 818 goto f_err; 819 820 if (frag_len > 0) { 821 unsigned char *p = 822 (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH; 823 824 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL, 825 &p[frag_off], frag_len, 0); 826 827 /* 828 * This shouldn't ever fail due to NBIO because we already checked 829 * that we have enough data in the record 830 */ 831 if (i <= 0) { 832 s->rwstate = SSL_READING; 833 *len = i; 834 return 0; 835 } 836 } else 837 i = 0; 838 839 /* 840 * XDTLS: an incorrectly formatted fragment should cause the handshake 841 * to fail 842 */ 843 if (i != (int)frag_len) { 844 al = SSL3_AD_ILLEGAL_PARAMETER; 845 SSLerr(SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, SSL3_AD_ILLEGAL_PARAMETER); 846 goto f_err; 847 } 848 849 /* 850 * Note that s->init_num is *not* used as current offset in 851 * s->init_buf->data, but as a counter summing up fragments' lengths: as 852 * soon as they sum up to handshake packet length, we assume we have got 853 * all the fragments. 854 */ 855 *len = s->init_num = frag_len; 856 return 1; 857 858 f_err: 859 ssl3_send_alert(s, SSL3_AL_FATAL, al); 860 s->init_num = 0; 861 *len = -1; 862 return 0; 863} 864 865/*- 866 * for these 2 messages, we need to 867 * ssl->enc_read_ctx re-init 868 * ssl->rlayer.read_sequence zero 869 * ssl->s3->read_mac_secret re-init 870 * ssl->session->read_sym_enc assign 871 * ssl->session->read_compression assign 872 * ssl->session->read_hash assign 873 */ 874int dtls_construct_change_cipher_spec(SSL *s) 875{ 876 unsigned char *p; 877 878 p = (unsigned char *)s->init_buf->data; 879 *p++ = SSL3_MT_CCS; 880 s->d1->handshake_write_seq = s->d1->next_handshake_write_seq; 881 s->init_num = DTLS1_CCS_HEADER_LENGTH; 882 883 if (s->version == DTLS1_BAD_VER) { 884 s->d1->next_handshake_write_seq++; 885 s2n(s->d1->handshake_write_seq, p); 886 s->init_num += 2; 887 } 888 889 s->init_off = 0; 890 891 dtls1_set_message_header_int(s, SSL3_MT_CCS, 0, 892 s->d1->handshake_write_seq, 0, 0); 893 894 /* buffer the message to handle re-xmits */ 895 if (!dtls1_buffer_message(s, 1)) { 896 SSLerr(SSL_F_DTLS_CONSTRUCT_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR); 897 return 0; 898 } 899 900 return 1; 901} 902 903#ifndef OPENSSL_NO_SCTP 904WORK_STATE dtls_wait_for_dry(SSL *s) 905{ 906 int ret; 907 908 /* read app data until dry event */ 909 ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s)); 910 if (ret < 0) 911 return WORK_ERROR; 912 913 if (ret == 0) { 914 s->s3->in_read_app_data = 2; 915 s->rwstate = SSL_READING; 916 BIO_clear_retry_flags(SSL_get_rbio(s)); 917 BIO_set_retry_read(SSL_get_rbio(s)); 918 return WORK_MORE_A; 919 } 920 return WORK_FINISHED_CONTINUE; 921} 922#endif 923 924int dtls1_read_failed(SSL *s, int code) 925{ 926 if (code > 0) { 927 SSLerr(SSL_F_DTLS1_READ_FAILED, ERR_R_INTERNAL_ERROR); 928 return 1; 929 } 930 931 if (!dtls1_is_timer_expired(s)) { 932 /* 933 * not a timeout, none of our business, let higher layers handle 934 * this. in fact it's probably an error 935 */ 936 return code; 937 } 938#ifndef OPENSSL_NO_HEARTBEATS 939 /* done, no need to send a retransmit */ 940 if (!SSL_in_init(s) && !s->tlsext_hb_pending) 941#else 942 /* done, no need to send a retransmit */ 943 if (!SSL_in_init(s)) 944#endif 945 { 946 BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ); 947 return code; 948 } 949 950 return dtls1_handle_timeout(s); 951} 952 953int dtls1_get_queue_priority(unsigned short seq, int is_ccs) 954{ 955 /* 956 * The index of the retransmission queue actually is the message sequence 957 * number, since the queue only contains messages of a single handshake. 958 * However, the ChangeCipherSpec has no message sequence number and so 959 * using only the sequence will result in the CCS and Finished having the 960 * same index. To prevent this, the sequence number is multiplied by 2. 961 * In case of a CCS 1 is subtracted. This does not only differ CSS and 962 * Finished, it also maintains the order of the index (important for 963 * priority queues) and fits in the unsigned short variable. 964 */ 965 return seq * 2 - is_ccs; 966} 967 968int dtls1_retransmit_buffered_messages(SSL *s) 969{ 970 pqueue *sent = s->d1->sent_messages; 971 piterator iter; 972 pitem *item; 973 hm_fragment *frag; 974 int found = 0; 975 976 iter = pqueue_iterator(sent); 977 978 for (item = pqueue_next(&iter); item != NULL; item = pqueue_next(&iter)) { 979 frag = (hm_fragment *)item->data; 980 if (dtls1_retransmit_message(s, (unsigned short) 981 dtls1_get_queue_priority 982 (frag->msg_header.seq, 983 frag->msg_header.is_ccs), &found) <= 0) 984 return -1; 985 } 986 987 return 1; 988} 989 990int dtls1_buffer_message(SSL *s, int is_ccs) 991{ 992 pitem *item; 993 hm_fragment *frag; 994 unsigned char seq64be[8]; 995 996 /* 997 * this function is called immediately after a message has been 998 * serialized 999 */ 1000 OPENSSL_assert(s->init_off == 0); 1001 1002 frag = dtls1_hm_fragment_new(s->init_num, 0); 1003 if (frag == NULL) 1004 return 0; 1005 1006 memcpy(frag->fragment, s->init_buf->data, s->init_num); 1007 1008 if (is_ccs) { 1009 /* For DTLS1_BAD_VER the header length is non-standard */ 1010 OPENSSL_assert(s->d1->w_msg_hdr.msg_len + 1011 ((s->version == 1012 DTLS1_BAD_VER) ? 3 : DTLS1_CCS_HEADER_LENGTH) 1013 == (unsigned int)s->init_num); 1014 } else { 1015 OPENSSL_assert(s->d1->w_msg_hdr.msg_len + 1016 DTLS1_HM_HEADER_LENGTH == (unsigned int)s->init_num); 1017 } 1018 1019 frag->msg_header.msg_len = s->d1->w_msg_hdr.msg_len; 1020 frag->msg_header.seq = s->d1->w_msg_hdr.seq; 1021 frag->msg_header.type = s->d1->w_msg_hdr.type; 1022 frag->msg_header.frag_off = 0; 1023 frag->msg_header.frag_len = s->d1->w_msg_hdr.msg_len; 1024 frag->msg_header.is_ccs = is_ccs; 1025 1026 /* save current state */ 1027 frag->msg_header.saved_retransmit_state.enc_write_ctx = s->enc_write_ctx; 1028 frag->msg_header.saved_retransmit_state.write_hash = s->write_hash; 1029 frag->msg_header.saved_retransmit_state.compress = s->compress; 1030 frag->msg_header.saved_retransmit_state.session = s->session; 1031 frag->msg_header.saved_retransmit_state.epoch = 1032 DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer); 1033 1034 memset(seq64be, 0, sizeof(seq64be)); 1035 seq64be[6] = 1036 (unsigned 1037 char)(dtls1_get_queue_priority(frag->msg_header.seq, 1038 frag->msg_header.is_ccs) >> 8); 1039 seq64be[7] = 1040 (unsigned 1041 char)(dtls1_get_queue_priority(frag->msg_header.seq, 1042 frag->msg_header.is_ccs)); 1043 1044 item = pitem_new(seq64be, frag); 1045 if (item == NULL) { 1046 dtls1_hm_fragment_free(frag); 1047 return 0; 1048 } 1049 1050 pqueue_insert(s->d1->sent_messages, item); 1051 return 1; 1052} 1053 1054int dtls1_retransmit_message(SSL *s, unsigned short seq, int *found) 1055{ 1056 int ret; 1057 /* XDTLS: for now assuming that read/writes are blocking */ 1058 pitem *item; 1059 hm_fragment *frag; 1060 unsigned long header_length; 1061 unsigned char seq64be[8]; 1062 struct dtls1_retransmit_state saved_state; 1063 1064 /*- 1065 OPENSSL_assert(s->init_num == 0); 1066 OPENSSL_assert(s->init_off == 0); 1067 */ 1068 1069 /* XDTLS: the requested message ought to be found, otherwise error */ 1070 memset(seq64be, 0, sizeof(seq64be)); 1071 seq64be[6] = (unsigned char)(seq >> 8); 1072 seq64be[7] = (unsigned char)seq; 1073 1074 item = pqueue_find(s->d1->sent_messages, seq64be); 1075 if (item == NULL) { 1076 SSLerr(SSL_F_DTLS1_RETRANSMIT_MESSAGE, ERR_R_INTERNAL_ERROR); 1077 *found = 0; 1078 return 0; 1079 } 1080 1081 *found = 1; 1082 frag = (hm_fragment *)item->data; 1083 1084 if (frag->msg_header.is_ccs) 1085 header_length = DTLS1_CCS_HEADER_LENGTH; 1086 else 1087 header_length = DTLS1_HM_HEADER_LENGTH; 1088 1089 memcpy(s->init_buf->data, frag->fragment, 1090 frag->msg_header.msg_len + header_length); 1091 s->init_num = frag->msg_header.msg_len + header_length; 1092 1093 dtls1_set_message_header_int(s, frag->msg_header.type, 1094 frag->msg_header.msg_len, 1095 frag->msg_header.seq, 0, 1096 frag->msg_header.frag_len); 1097 1098 /* save current state */ 1099 saved_state.enc_write_ctx = s->enc_write_ctx; 1100 saved_state.write_hash = s->write_hash; 1101 saved_state.compress = s->compress; 1102 saved_state.session = s->session; 1103 saved_state.epoch = DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer); 1104 1105 s->d1->retransmitting = 1; 1106 1107 /* restore state in which the message was originally sent */ 1108 s->enc_write_ctx = frag->msg_header.saved_retransmit_state.enc_write_ctx; 1109 s->write_hash = frag->msg_header.saved_retransmit_state.write_hash; 1110 s->compress = frag->msg_header.saved_retransmit_state.compress; 1111 s->session = frag->msg_header.saved_retransmit_state.session; 1112 DTLS_RECORD_LAYER_set_saved_w_epoch(&s->rlayer, 1113 frag->msg_header. 1114 saved_retransmit_state.epoch); 1115 1116 ret = dtls1_do_write(s, frag->msg_header.is_ccs ? 1117 SSL3_RT_CHANGE_CIPHER_SPEC : SSL3_RT_HANDSHAKE); 1118 1119 /* restore current state */ 1120 s->enc_write_ctx = saved_state.enc_write_ctx; 1121 s->write_hash = saved_state.write_hash; 1122 s->compress = saved_state.compress; 1123 s->session = saved_state.session; 1124 DTLS_RECORD_LAYER_set_saved_w_epoch(&s->rlayer, saved_state.epoch); 1125 1126 s->d1->retransmitting = 0; 1127 1128 (void)BIO_flush(s->wbio); 1129 return ret; 1130} 1131 1132void dtls1_set_message_header(SSL *s, 1133 unsigned char mt, unsigned long len, 1134 unsigned long frag_off, unsigned long frag_len) 1135{ 1136 if (frag_off == 0) { 1137 s->d1->handshake_write_seq = s->d1->next_handshake_write_seq; 1138 s->d1->next_handshake_write_seq++; 1139 } 1140 1141 dtls1_set_message_header_int(s, mt, len, s->d1->handshake_write_seq, 1142 frag_off, frag_len); 1143} 1144 1145/* don't actually do the writing, wait till the MTU has been retrieved */ 1146static void 1147dtls1_set_message_header_int(SSL *s, unsigned char mt, 1148 unsigned long len, unsigned short seq_num, 1149 unsigned long frag_off, unsigned long frag_len) 1150{ 1151 struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; 1152 1153 msg_hdr->type = mt; 1154 msg_hdr->msg_len = len; 1155 msg_hdr->seq = seq_num; 1156 msg_hdr->frag_off = frag_off; 1157 msg_hdr->frag_len = frag_len; 1158} 1159 1160static void 1161dtls1_fix_message_header(SSL *s, unsigned long frag_off, unsigned long frag_len) 1162{ 1163 struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; 1164 1165 msg_hdr->frag_off = frag_off; 1166 msg_hdr->frag_len = frag_len; 1167} 1168 1169static unsigned char *dtls1_write_message_header(SSL *s, unsigned char *p) 1170{ 1171 struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; 1172 1173 *p++ = msg_hdr->type; 1174 l2n3(msg_hdr->msg_len, p); 1175 1176 s2n(msg_hdr->seq, p); 1177 l2n3(msg_hdr->frag_off, p); 1178 l2n3(msg_hdr->frag_len, p); 1179 1180 return p; 1181} 1182 1183void dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr) 1184{ 1185 memset(msg_hdr, 0, sizeof(*msg_hdr)); 1186 msg_hdr->type = *(data++); 1187 n2l3(data, msg_hdr->msg_len); 1188 1189 n2s(data, msg_hdr->seq); 1190 n2l3(data, msg_hdr->frag_off); 1191 n2l3(data, msg_hdr->frag_len); 1192} 1193