1/* ssl/d1_pkt.c */ 2/* 3 * DTLS implementation written by Nagendra Modadugu 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 5 */ 6/* ==================================================================== 7 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * openssl-core@openssl.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 * 54 * This product includes cryptographic software written by Eric Young 55 * (eay@cryptsoft.com). This product includes software written by Tim 56 * Hudson (tjh@cryptsoft.com). 57 * 58 */ 59/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 60 * All rights reserved. 61 * 62 * This package is an SSL implementation written 63 * by Eric Young (eay@cryptsoft.com). 64 * The implementation was written so as to conform with Netscapes SSL. 65 * 66 * This library is free for commercial and non-commercial use as long as 67 * the following conditions are aheared to. The following conditions 68 * apply to all code found in this distribution, be it the RC4, RSA, 69 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 70 * included with this distribution is covered by the same copyright terms 71 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 72 * 73 * Copyright remains Eric Young's, and as such any Copyright notices in 74 * the code are not to be removed. 75 * If this package is used in a product, Eric Young should be given attribution 76 * as the author of the parts of the library used. 77 * This can be in the form of a textual message at program startup or 78 * in documentation (online or textual) provided with the package. 79 * 80 * Redistribution and use in source and binary forms, with or without 81 * modification, are permitted provided that the following conditions 82 * are met: 83 * 1. Redistributions of source code must retain the copyright 84 * notice, this list of conditions and the following disclaimer. 85 * 2. Redistributions in binary form must reproduce the above copyright 86 * notice, this list of conditions and the following disclaimer in the 87 * documentation and/or other materials provided with the distribution. 88 * 3. All advertising materials mentioning features or use of this software 89 * must display the following acknowledgement: 90 * "This product includes cryptographic software written by 91 * Eric Young (eay@cryptsoft.com)" 92 * The word 'cryptographic' can be left out if the rouines from the library 93 * being used are not cryptographic related :-). 94 * 4. If you include any Windows specific code (or a derivative thereof) from 95 * the apps directory (application code) you must include an acknowledgement: 96 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 97 * 98 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 99 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 100 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 101 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 102 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 103 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 104 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 105 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 106 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 107 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 108 * SUCH DAMAGE. 109 * 110 * The licence and distribution terms for any publically available version or 111 * derivative of this code cannot be changed. i.e. this code cannot simply be 112 * copied and put under another distribution licence 113 * [including the GNU Public Licence.] 114 */ 115 116#include <stdio.h> 117#include <errno.h> 118#define USE_SOCKETS 119#include "ssl_locl.h" 120#include <openssl/evp.h> 121#include <openssl/buffer.h> 122#include <openssl/pqueue.h> 123 124static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, 125 int len, int peek); 126static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap, 127 PQ_64BIT *seq_num); 128static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap); 129static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, 130 unsigned int *is_next_epoch); 131#if 0 132static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr, 133 unsigned short *priority, unsigned long *offset); 134#endif 135static int dtls1_buffer_record(SSL *s, record_pqueue *q, 136 PQ_64BIT priority); 137static int dtls1_process_record(SSL *s); 138#if PQ_64BIT_IS_INTEGER 139static PQ_64BIT bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num); 140#endif 141static void dtls1_clear_timeouts(SSL *s); 142 143/* copy buffered record into SSL structure */ 144static int 145dtls1_copy_record(SSL *s, pitem *item) 146 { 147 DTLS1_RECORD_DATA *rdata; 148 149 rdata = (DTLS1_RECORD_DATA *)item->data; 150 151 if (s->s3->rbuf.buf != NULL) 152 OPENSSL_free(s->s3->rbuf.buf); 153 154 s->packet = rdata->packet; 155 s->packet_length = rdata->packet_length; 156 memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER)); 157 memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD)); 158 159 return(1); 160 } 161 162 163static int 164dtls1_buffer_record(SSL *s, record_pqueue *queue, PQ_64BIT priority) 165{ 166 DTLS1_RECORD_DATA *rdata; 167 pitem *item; 168 169 rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); 170 item = pitem_new(priority, rdata); 171 if (rdata == NULL || item == NULL) 172 { 173 if (rdata != NULL) OPENSSL_free(rdata); 174 if (item != NULL) pitem_free(item); 175 176 SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); 177 return(0); 178 } 179 180 rdata->packet = s->packet; 181 rdata->packet_length = s->packet_length; 182 memcpy(&(rdata->rbuf), &(s->s3->rbuf), sizeof(SSL3_BUFFER)); 183 memcpy(&(rdata->rrec), &(s->s3->rrec), sizeof(SSL3_RECORD)); 184 185 item->data = rdata; 186 187 /* insert should not fail, since duplicates are dropped */ 188 if (pqueue_insert(queue->q, item) == NULL) 189 { 190 OPENSSL_free(rdata); 191 pitem_free(item); 192 return(0); 193 } 194 195 s->packet = NULL; 196 s->packet_length = 0; 197 memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER)); 198 memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD)); 199 200 if (!ssl3_setup_buffers(s)) 201 { 202 SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); 203 OPENSSL_free(rdata); 204 pitem_free(item); 205 return(0); 206 } 207 208 return(1); 209 } 210 211 212static int 213dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) 214 { 215 pitem *item; 216 217 item = pqueue_pop(queue->q); 218 if (item) 219 { 220 dtls1_copy_record(s, item); 221 222 OPENSSL_free(item->data); 223 pitem_free(item); 224 225 return(1); 226 } 227 228 return(0); 229 } 230 231 232/* retrieve a buffered record that belongs to the new epoch, i.e., not processed 233 * yet */ 234#define dtls1_get_unprocessed_record(s) \ 235 dtls1_retrieve_buffered_record((s), \ 236 &((s)->d1->unprocessed_rcds)) 237 238/* retrieve a buffered record that belongs to the current epoch, ie, processed */ 239#define dtls1_get_processed_record(s) \ 240 dtls1_retrieve_buffered_record((s), \ 241 &((s)->d1->processed_rcds)) 242 243static int 244dtls1_process_buffered_records(SSL *s) 245 { 246 pitem *item; 247 248 item = pqueue_peek(s->d1->unprocessed_rcds.q); 249 if (item) 250 { 251 DTLS1_RECORD_DATA *rdata; 252 rdata = (DTLS1_RECORD_DATA *)item->data; 253 254 /* Check if epoch is current. */ 255 if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch) 256 return(1); /* Nothing to do. */ 257 258 /* Process all the records. */ 259 while (pqueue_peek(s->d1->unprocessed_rcds.q)) 260 { 261 dtls1_get_unprocessed_record(s); 262 if ( ! dtls1_process_record(s)) 263 return(0); 264 dtls1_buffer_record(s, &(s->d1->processed_rcds), 265 s->s3->rrec.seq_num); 266 } 267 } 268 269 /* sync epoch numbers once all the unprocessed records 270 * have been processed */ 271 s->d1->processed_rcds.epoch = s->d1->r_epoch; 272 s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1; 273 274 return(1); 275 } 276 277 278#if 0 279 280static int 281dtls1_get_buffered_record(SSL *s) 282 { 283 pitem *item; 284 PQ_64BIT priority = 285 (((PQ_64BIT)s->d1->handshake_read_seq) << 32) | 286 ((PQ_64BIT)s->d1->r_msg_hdr.frag_off); 287 288 if ( ! SSL_in_init(s)) /* if we're not (re)negotiating, 289 nothing buffered */ 290 return 0; 291 292 293 item = pqueue_peek(s->d1->rcvd_records); 294 if (item && item->priority == priority) 295 { 296 /* Check if we've received the record of interest. It must be 297 * a handshake record, since data records as passed up without 298 * buffering */ 299 DTLS1_RECORD_DATA *rdata; 300 item = pqueue_pop(s->d1->rcvd_records); 301 rdata = (DTLS1_RECORD_DATA *)item->data; 302 303 if (s->s3->rbuf.buf != NULL) 304 OPENSSL_free(s->s3->rbuf.buf); 305 306 s->packet = rdata->packet; 307 s->packet_length = rdata->packet_length; 308 memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER)); 309 memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD)); 310 311 OPENSSL_free(item->data); 312 pitem_free(item); 313 314 /* s->d1->next_expected_seq_num++; */ 315 return(1); 316 } 317 318 return 0; 319 } 320 321#endif 322 323static int 324dtls1_process_record(SSL *s) 325{ 326 int i,al; 327 int clear=0; 328 int enc_err; 329 SSL_SESSION *sess; 330 SSL3_RECORD *rr; 331 unsigned int mac_size; 332 unsigned char md[EVP_MAX_MD_SIZE]; 333 334 335 rr= &(s->s3->rrec); 336 sess = s->session; 337 338 /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, 339 * and we have that many bytes in s->packet 340 */ 341 rr->input= &(s->packet[DTLS1_RT_HEADER_LENGTH]); 342 343 /* ok, we can now read from 's->packet' data into 'rr' 344 * rr->input points at rr->length bytes, which 345 * need to be copied into rr->data by either 346 * the decryption or by the decompression 347 * When the data is 'copied' into the rr->data buffer, 348 * rr->input will be pointed at the new buffer */ 349 350 /* We now have - encrypted [ MAC [ compressed [ plain ] ] ] 351 * rr->length bytes of encrypted compressed stuff. */ 352 353 /* check is not needed I believe */ 354 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) 355 { 356 al=SSL_AD_RECORD_OVERFLOW; 357 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG); 358 goto f_err; 359 } 360 361 /* decrypt in place in 'rr->input' */ 362 rr->data=rr->input; 363 364 enc_err = s->method->ssl3_enc->enc(s,0); 365 if (enc_err <= 0) 366 { 367 if (enc_err == 0) 368 /* SSLerr() and ssl3_send_alert() have been called */ 369 goto err; 370 371 /* otherwise enc_err == -1 */ 372 goto decryption_failed_or_bad_record_mac; 373 } 374 375#ifdef TLS_DEBUG 376printf("dec %d\n",rr->length); 377{ unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); } 378printf("\n"); 379#endif 380 381 /* r->length is now the compressed data plus mac */ 382if ( (sess == NULL) || 383 (s->enc_read_ctx == NULL) || 384 (s->read_hash == NULL)) 385 clear=1; 386 387 if (!clear) 388 { 389 mac_size=EVP_MD_size(s->read_hash); 390 391 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size) 392 { 393#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */ 394 al=SSL_AD_RECORD_OVERFLOW; 395 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); 396 goto f_err; 397#else 398 goto decryption_failed_or_bad_record_mac; 399#endif 400 } 401 /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ 402 if (rr->length < mac_size) 403 { 404#if 0 /* OK only for stream ciphers */ 405 al=SSL_AD_DECODE_ERROR; 406 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); 407 goto f_err; 408#else 409 goto decryption_failed_or_bad_record_mac; 410#endif 411 } 412 rr->length-=mac_size; 413 i=s->method->ssl3_enc->mac(s,md,0); 414 if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0) 415 { 416 goto decryption_failed_or_bad_record_mac; 417 } 418 } 419 420 /* r->length is now just compressed */ 421 if (s->expand != NULL) 422 { 423 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) 424 { 425 al=SSL_AD_RECORD_OVERFLOW; 426 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG); 427 goto f_err; 428 } 429 if (!ssl3_do_uncompress(s)) 430 { 431 al=SSL_AD_DECOMPRESSION_FAILURE; 432 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_BAD_DECOMPRESSION); 433 goto f_err; 434 } 435 } 436 437 if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) 438 { 439 al=SSL_AD_RECORD_OVERFLOW; 440 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DATA_LENGTH_TOO_LONG); 441 goto f_err; 442 } 443 444 rr->off=0; 445 /* So at this point the following is true 446 * ssl->s3->rrec.type is the type of record 447 * ssl->s3->rrec.length == number of bytes in record 448 * ssl->s3->rrec.off == offset to first valid byte 449 * ssl->s3->rrec.data == where to take bytes from, increment 450 * after use :-). 451 */ 452 453 /* we have pulled in a full packet so zero things */ 454 s->packet_length=0; 455 dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */ 456 return(1); 457 458decryption_failed_or_bad_record_mac: 459 /* Separate 'decryption_failed' alert was introduced with TLS 1.0, 460 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption 461 * failure is directly visible from the ciphertext anyway, 462 * we should not reveal which kind of error occured -- this 463 * might become visible to an attacker (e.g. via logfile) */ 464 al=SSL_AD_BAD_RECORD_MAC; 465 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); 466f_err: 467 ssl3_send_alert(s,SSL3_AL_FATAL,al); 468err: 469 return(0); 470} 471 472 473/* Call this to get a new input record. 474 * It will return <= 0 if more data is needed, normally due to an error 475 * or non-blocking IO. 476 * When it finishes, one packet has been decoded and can be found in 477 * ssl->s3->rrec.type - is the type of record 478 * ssl->s3->rrec.data, - data 479 * ssl->s3->rrec.length, - number of bytes 480 */ 481/* used only by dtls1_read_bytes */ 482int dtls1_get_record(SSL *s) 483 { 484 int ssl_major,ssl_minor,al; 485 int i,n; 486 SSL3_RECORD *rr; 487 SSL_SESSION *sess; 488 unsigned char *p; 489 short version; 490 DTLS1_BITMAP *bitmap; 491 unsigned int is_next_epoch; 492 493 rr= &(s->s3->rrec); 494 sess=s->session; 495 496 /* The epoch may have changed. If so, process all the 497 * pending records. This is a non-blocking operation. */ 498 if ( ! dtls1_process_buffered_records(s)) 499 return 0; 500 501 /* if we're renegotiating, then there may be buffered records */ 502 if (dtls1_get_processed_record(s)) 503 return 1; 504 505 /* get something from the wire */ 506again: 507 /* check if we have the header */ 508 if ( (s->rstate != SSL_ST_READ_BODY) || 509 (s->packet_length < DTLS1_RT_HEADER_LENGTH)) 510 { 511 n=ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, s->s3->rbuf.len, 0); 512 /* read timeout is handled by dtls1_read_bytes */ 513 if (n <= 0) return(n); /* error or non-blocking */ 514 515 OPENSSL_assert(s->packet_length == DTLS1_RT_HEADER_LENGTH); 516 517 s->rstate=SSL_ST_READ_BODY; 518 519 p=s->packet; 520 521 /* Pull apart the header into the DTLS1_RECORD */ 522 rr->type= *(p++); 523 ssl_major= *(p++); 524 ssl_minor= *(p++); 525 version=(ssl_major<<8)|ssl_minor; 526 527 /* sequence number is 64 bits, with top 2 bytes = epoch */ 528 n2s(p,rr->epoch); 529 530 memcpy(&(s->s3->read_sequence[2]), p, 6); 531 p+=6; 532 533 n2s(p,rr->length); 534 535 /* Lets check version */ 536 if (!s->first_packet) 537 { 538 if (version != s->version) 539 { 540 SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); 541 /* Send back error using their 542 * version number :-) */ 543 s->version=version; 544 al=SSL_AD_PROTOCOL_VERSION; 545 goto f_err; 546 } 547 } 548 549 if ((version & 0xff00) != (DTLS1_VERSION & 0xff00)) 550 { 551 SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); 552 goto err; 553 } 554 555 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) 556 { 557 al=SSL_AD_RECORD_OVERFLOW; 558 SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG); 559 goto f_err; 560 } 561 562 /* now s->rstate == SSL_ST_READ_BODY */ 563 } 564 565 /* s->rstate == SSL_ST_READ_BODY, get and decode the data */ 566 567 if (rr->length > s->packet_length-DTLS1_RT_HEADER_LENGTH) 568 { 569 /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */ 570 i=rr->length; 571 n=ssl3_read_n(s,i,i,1); 572 if (n <= 0) return(n); /* error or non-blocking io */ 573 574 /* this packet contained a partial record, dump it */ 575 if ( n != i) 576 { 577 s->packet_length = 0; 578 goto again; 579 } 580 581 /* now n == rr->length, 582 * and s->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length */ 583 } 584 s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */ 585 586 /* match epochs. NULL means the packet is dropped on the floor */ 587 bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); 588 if ( bitmap == NULL) 589 { 590 s->packet_length = 0; /* dump this record */ 591 goto again; /* get another record */ 592 } 593 594 /* check whether this is a repeat, or aged record */ 595 if ( ! dtls1_record_replay_check(s, bitmap, &(rr->seq_num))) 596 { 597 s->packet_length=0; /* dump this record */ 598 goto again; /* get another record */ 599 } 600 601 /* just read a 0 length packet */ 602 if (rr->length == 0) goto again; 603 604 /* If this record is from the next epoch (either HM or ALERT), buffer it 605 * since it cannot be processed at this time. 606 * Records from the next epoch are marked as received even though they are 607 * not processed, so as to prevent any potential resource DoS attack */ 608 if (is_next_epoch) 609 { 610 dtls1_record_bitmap_update(s, bitmap); 611 dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num); 612 s->packet_length = 0; 613 goto again; 614 } 615 616 if ( ! dtls1_process_record(s)) 617 return(0); 618 619 dtls1_clear_timeouts(s); /* done waiting */ 620 return(1); 621 622f_err: 623 ssl3_send_alert(s,SSL3_AL_FATAL,al); 624err: 625 return(0); 626 } 627 628/* Return up to 'len' payload bytes received in 'type' records. 629 * 'type' is one of the following: 630 * 631 * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us) 632 * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us) 633 * - 0 (during a shutdown, no data has to be returned) 634 * 635 * If we don't have stored data to work from, read a SSL/TLS record first 636 * (possibly multiple records if we still don't have anything to return). 637 * 638 * This function must handle any surprises the peer may have for us, such as 639 * Alert records (e.g. close_notify), ChangeCipherSpec records (not really 640 * a surprise, but handled as if it were), or renegotiation requests. 641 * Also if record payloads contain fragments too small to process, we store 642 * them until there is enough for the respective protocol (the record protocol 643 * may use arbitrary fragmentation and even interleaving): 644 * Change cipher spec protocol 645 * just 1 byte needed, no need for keeping anything stored 646 * Alert protocol 647 * 2 bytes needed (AlertLevel, AlertDescription) 648 * Handshake protocol 649 * 4 bytes needed (HandshakeType, uint24 length) -- we just have 650 * to detect unexpected Client Hello and Hello Request messages 651 * here, anything else is handled by higher layers 652 * Application data protocol 653 * none of our business 654 */ 655int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) 656 { 657 int al,i,j,ret; 658 unsigned int n; 659 SSL3_RECORD *rr; 660 void (*cb)(const SSL *ssl,int type2,int val)=NULL; 661 662 if (s->s3->rbuf.buf == NULL) /* Not initialized yet */ 663 if (!ssl3_setup_buffers(s)) 664 return(-1); 665 666 /* XXX: check what the second '&& type' is about */ 667 if ((type && (type != SSL3_RT_APPLICATION_DATA) && 668 (type != SSL3_RT_HANDSHAKE) && type) || 669 (peek && (type != SSL3_RT_APPLICATION_DATA))) 670 { 671 SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); 672 return -1; 673 } 674 675 /* check whether there's a handshake message (client hello?) waiting */ 676 if ( (ret = have_handshake_fragment(s, type, buf, len, peek))) 677 return ret; 678 679 /* Now s->d1->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */ 680 681 if (!s->in_handshake && SSL_in_init(s)) 682 { 683 /* type == SSL3_RT_APPLICATION_DATA */ 684 i=s->handshake_func(s); 685 if (i < 0) return(i); 686 if (i == 0) 687 { 688 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); 689 return(-1); 690 } 691 } 692 693start: 694 s->rwstate=SSL_NOTHING; 695 696 /* s->s3->rrec.type - is the type of record 697 * s->s3->rrec.data, - data 698 * s->s3->rrec.off, - offset into 'data' for next read 699 * s->s3->rrec.length, - number of bytes. */ 700 rr = &(s->s3->rrec); 701 702 /* get new packet if necessary */ 703 if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY)) 704 { 705 ret=dtls1_get_record(s); 706 if (ret <= 0) 707 { 708 ret = dtls1_read_failed(s, ret); 709 /* anything other than a timeout is an error */ 710 if (ret <= 0) 711 return(ret); 712 else 713 goto start; 714 } 715 } 716 717 /* we now have a packet which can be read and processed */ 718 719 if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, 720 * reset by ssl3_get_finished */ 721 && (rr->type != SSL3_RT_HANDSHAKE)) 722 { 723 al=SSL_AD_UNEXPECTED_MESSAGE; 724 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED); 725 goto err; 726 } 727 728 /* If the other end has shut down, throw anything we read away 729 * (even in 'peek' mode) */ 730 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) 731 { 732 rr->length=0; 733 s->rwstate=SSL_NOTHING; 734 return(0); 735 } 736 737 738 if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */ 739 { 740 /* make sure that we are not getting application data when we 741 * are doing a handshake for the first time */ 742 if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) && 743 (s->enc_read_ctx == NULL)) 744 { 745 al=SSL_AD_UNEXPECTED_MESSAGE; 746 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE); 747 goto f_err; 748 } 749 750 if (len <= 0) return(len); 751 752 if ((unsigned int)len > rr->length) 753 n = rr->length; 754 else 755 n = (unsigned int)len; 756 757 memcpy(buf,&(rr->data[rr->off]),n); 758 if (!peek) 759 { 760 rr->length-=n; 761 rr->off+=n; 762 if (rr->length == 0) 763 { 764 s->rstate=SSL_ST_READ_HEADER; 765 rr->off=0; 766 } 767 } 768 return(n); 769 } 770 771 772 /* If we get here, then type != rr->type; if we have a handshake 773 * message, then it was unexpected (Hello Request or Client Hello). */ 774 775 /* In case of record types for which we have 'fragment' storage, 776 * fill that so that we can process the data at a fixed place. 777 */ 778 { 779 unsigned int k, dest_maxlen = 0; 780 unsigned char *dest = NULL; 781 unsigned int *dest_len = NULL; 782 783 if (rr->type == SSL3_RT_HANDSHAKE) 784 { 785 dest_maxlen = sizeof s->d1->handshake_fragment; 786 dest = s->d1->handshake_fragment; 787 dest_len = &s->d1->handshake_fragment_len; 788 } 789 else if (rr->type == SSL3_RT_ALERT) 790 { 791 dest_maxlen = sizeof(s->d1->alert_fragment); 792 dest = s->d1->alert_fragment; 793 dest_len = &s->d1->alert_fragment_len; 794 } 795 /* else it's a CCS message, or it's wrong */ 796 else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC) 797 { 798 /* Not certain if this is the right error handling */ 799 al=SSL_AD_UNEXPECTED_MESSAGE; 800 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD); 801 goto f_err; 802 } 803 804 805 if (dest_maxlen > 0) 806 { 807 /* XDTLS: In a pathalogical case, the Client Hello 808 * may be fragmented--don't always expect dest_maxlen bytes */ 809 if ( rr->length < dest_maxlen) 810 { 811 s->rstate=SSL_ST_READ_HEADER; 812 rr->length = 0; 813 goto start; 814 } 815 816 /* now move 'n' bytes: */ 817 for ( k = 0; k < dest_maxlen; k++) 818 { 819 dest[k] = rr->data[rr->off++]; 820 rr->length--; 821 } 822 *dest_len = dest_maxlen; 823 } 824 } 825 826 /* s->d1->handshake_fragment_len == 12 iff rr->type == SSL3_RT_HANDSHAKE; 827 * s->d1->alert_fragment_len == 7 iff rr->type == SSL3_RT_ALERT. 828 * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */ 829 830 /* If we are a client, check for an incoming 'Hello Request': */ 831 if ((!s->server) && 832 (s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && 833 (s->d1->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) && 834 (s->session != NULL) && (s->session->cipher != NULL)) 835 { 836 s->d1->handshake_fragment_len = 0; 837 838 if ((s->d1->handshake_fragment[1] != 0) || 839 (s->d1->handshake_fragment[2] != 0) || 840 (s->d1->handshake_fragment[3] != 0)) 841 { 842 al=SSL_AD_DECODE_ERROR; 843 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_HELLO_REQUEST); 844 goto err; 845 } 846 847 /* no need to check sequence number on HELLO REQUEST messages */ 848 849 if (s->msg_callback) 850 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 851 s->d1->handshake_fragment, 4, s, s->msg_callback_arg); 852 853 if (SSL_is_init_finished(s) && 854 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && 855 !s->s3->renegotiate) 856 { 857 ssl3_renegotiate(s); 858 if (ssl3_renegotiate_check(s)) 859 { 860 i=s->handshake_func(s); 861 if (i < 0) return(i); 862 if (i == 0) 863 { 864 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); 865 return(-1); 866 } 867 868 if (!(s->mode & SSL_MODE_AUTO_RETRY)) 869 { 870 if (s->s3->rbuf.left == 0) /* no read-ahead left? */ 871 { 872 BIO *bio; 873 /* In the case where we try to read application data, 874 * but we trigger an SSL handshake, we return -1 with 875 * the retry option set. Otherwise renegotiation may 876 * cause nasty problems in the blocking world */ 877 s->rwstate=SSL_READING; 878 bio=SSL_get_rbio(s); 879 BIO_clear_retry_flags(bio); 880 BIO_set_retry_read(bio); 881 return(-1); 882 } 883 } 884 } 885 } 886 /* we either finished a handshake or ignored the request, 887 * now try again to obtain the (application) data we were asked for */ 888 goto start; 889 } 890 891 if (s->d1->alert_fragment_len >= DTLS1_AL_HEADER_LENGTH) 892 { 893 int alert_level = s->d1->alert_fragment[0]; 894 int alert_descr = s->d1->alert_fragment[1]; 895 896 s->d1->alert_fragment_len = 0; 897 898 if (s->msg_callback) 899 s->msg_callback(0, s->version, SSL3_RT_ALERT, 900 s->d1->alert_fragment, 2, s, s->msg_callback_arg); 901 902 if (s->info_callback != NULL) 903 cb=s->info_callback; 904 else if (s->ctx->info_callback != NULL) 905 cb=s->ctx->info_callback; 906 907 if (cb != NULL) 908 { 909 j = (alert_level << 8) | alert_descr; 910 cb(s, SSL_CB_READ_ALERT, j); 911 } 912 913 if (alert_level == 1) /* warning */ 914 { 915 s->s3->warn_alert = alert_descr; 916 if (alert_descr == SSL_AD_CLOSE_NOTIFY) 917 { 918 s->shutdown |= SSL_RECEIVED_SHUTDOWN; 919 return(0); 920 } 921#if 0 922 /* XXX: this is a possible improvement in the future */ 923 /* now check if it's a missing record */ 924 if (alert_descr == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) 925 { 926 unsigned short seq; 927 unsigned int frag_off; 928 unsigned char *p = &(s->d1->alert_fragment[2]); 929 930 n2s(p, seq); 931 n2l3(p, frag_off); 932 933 dtls1_retransmit_message(s, seq, frag_off, &found); 934 if ( ! found && SSL_in_init(s)) 935 { 936 /* fprintf( stderr,"in init = %d\n", SSL_in_init(s)); */ 937 /* requested a message not yet sent, 938 send an alert ourselves */ 939 ssl3_send_alert(s,SSL3_AL_WARNING, 940 DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); 941 } 942 } 943#endif 944 } 945 else if (alert_level == 2) /* fatal */ 946 { 947 char tmp[16]; 948 949 s->rwstate=SSL_NOTHING; 950 s->s3->fatal_alert = alert_descr; 951 SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr); 952 BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr); 953 ERR_add_error_data(2,"SSL alert number ",tmp); 954 s->shutdown|=SSL_RECEIVED_SHUTDOWN; 955 SSL_CTX_remove_session(s->ctx,s->session); 956 return(0); 957 } 958 else 959 { 960 al=SSL_AD_ILLEGAL_PARAMETER; 961 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE); 962 goto f_err; 963 } 964 965 goto start; 966 } 967 968 if (s->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutdown */ 969 { 970 s->rwstate=SSL_NOTHING; 971 rr->length=0; 972 return(0); 973 } 974 975 if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) 976 { 977 struct ccs_header_st ccs_hdr; 978 979 dtls1_get_ccs_header(rr->data, &ccs_hdr); 980 981 if ( ccs_hdr.seq == s->d1->handshake_read_seq) 982 { 983 /* 'Change Cipher Spec' is just a single byte, so we know 984 * exactly what the record payload has to look like */ 985 /* XDTLS: check that epoch is consistent */ 986 if ( (rr->length != DTLS1_CCS_HEADER_LENGTH) || 987 (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) 988 { 989 i=SSL_AD_ILLEGAL_PARAMETER; 990 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC); 991 goto err; 992 } 993 994 rr->length=0; 995 996 if (s->msg_callback) 997 s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, 998 rr->data, 1, s, s->msg_callback_arg); 999 1000 s->s3->change_cipher_spec=1; 1001 if (!ssl3_do_change_cipher_spec(s)) 1002 goto err; 1003 1004 /* do this whenever CCS is processed */ 1005 dtls1_reset_seq_numbers(s, SSL3_CC_READ); 1006 1007 /* handshake read seq is reset upon handshake completion */ 1008 s->d1->handshake_read_seq++; 1009 1010 goto start; 1011 } 1012 else 1013 { 1014 rr->length = 0; 1015 goto start; 1016 } 1017 } 1018 1019 /* Unexpected handshake message (Client Hello, or protocol violation) */ 1020 if ((s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && 1021 !s->in_handshake) 1022 { 1023 struct hm_header_st msg_hdr; 1024 1025 /* this may just be a stale retransmit */ 1026 dtls1_get_message_header(rr->data, &msg_hdr); 1027 if( rr->epoch != s->d1->r_epoch) 1028 { 1029 rr->length = 0; 1030 goto start; 1031 } 1032 1033 if (((s->state&SSL_ST_MASK) == SSL_ST_OK) && 1034 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) 1035 { 1036#if 0 /* worked only because C operator preferences are not as expected (and 1037 * because this is not really needed for clients except for detecting 1038 * protocol violations): */ 1039 s->state=SSL_ST_BEFORE|(s->server) 1040 ?SSL_ST_ACCEPT 1041 :SSL_ST_CONNECT; 1042#else 1043 s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; 1044#endif 1045 s->new_session=1; 1046 } 1047 i=s->handshake_func(s); 1048 if (i < 0) return(i); 1049 if (i == 0) 1050 { 1051 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); 1052 return(-1); 1053 } 1054 1055 if (!(s->mode & SSL_MODE_AUTO_RETRY)) 1056 { 1057 if (s->s3->rbuf.left == 0) /* no read-ahead left? */ 1058 { 1059 BIO *bio; 1060 /* In the case where we try to read application data, 1061 * but we trigger an SSL handshake, we return -1 with 1062 * the retry option set. Otherwise renegotiation may 1063 * cause nasty problems in the blocking world */ 1064 s->rwstate=SSL_READING; 1065 bio=SSL_get_rbio(s); 1066 BIO_clear_retry_flags(bio); 1067 BIO_set_retry_read(bio); 1068 return(-1); 1069 } 1070 } 1071 goto start; 1072 } 1073 1074 switch (rr->type) 1075 { 1076 default: 1077#ifndef OPENSSL_NO_TLS 1078 /* TLS just ignores unknown message types */ 1079 if (s->version == TLS1_VERSION) 1080 { 1081 rr->length = 0; 1082 goto start; 1083 } 1084#endif 1085 al=SSL_AD_UNEXPECTED_MESSAGE; 1086 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD); 1087 goto f_err; 1088 case SSL3_RT_CHANGE_CIPHER_SPEC: 1089 case SSL3_RT_ALERT: 1090 case SSL3_RT_HANDSHAKE: 1091 /* we already handled all of these, with the possible exception 1092 * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that 1093 * should not happen when type != rr->type */ 1094 al=SSL_AD_UNEXPECTED_MESSAGE; 1095 SSLerr(SSL_F_DTLS1_READ_BYTES,ERR_R_INTERNAL_ERROR); 1096 goto f_err; 1097 case SSL3_RT_APPLICATION_DATA: 1098 /* At this point, we were expecting handshake data, 1099 * but have application data. If the library was 1100 * running inside ssl3_read() (i.e. in_read_app_data 1101 * is set) and it makes sense to read application data 1102 * at this point (session renegotiation not yet started), 1103 * we will indulge it. 1104 */ 1105 if (s->s3->in_read_app_data && 1106 (s->s3->total_renegotiations != 0) && 1107 (( 1108 (s->state & SSL_ST_CONNECT) && 1109 (s->state >= SSL3_ST_CW_CLNT_HELLO_A) && 1110 (s->state <= SSL3_ST_CR_SRVR_HELLO_A) 1111 ) || ( 1112 (s->state & SSL_ST_ACCEPT) && 1113 (s->state <= SSL3_ST_SW_HELLO_REQ_A) && 1114 (s->state >= SSL3_ST_SR_CLNT_HELLO_A) 1115 ) 1116 )) 1117 { 1118 s->s3->in_read_app_data=2; 1119 return(-1); 1120 } 1121 else 1122 { 1123 al=SSL_AD_UNEXPECTED_MESSAGE; 1124 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD); 1125 goto f_err; 1126 } 1127 } 1128 /* not reached */ 1129 1130f_err: 1131 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1132err: 1133 return(-1); 1134 } 1135 1136int 1137dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len) 1138 { 1139 unsigned int n,tot; 1140 int i; 1141 1142 if (SSL_in_init(s) && !s->in_handshake) 1143 { 1144 i=s->handshake_func(s); 1145 if (i < 0) return(i); 1146 if (i == 0) 1147 { 1148 SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); 1149 return -1; 1150 } 1151 } 1152 1153 tot = s->s3->wnum; 1154 n = len - tot; 1155 1156 while( n) 1157 { 1158 /* dtls1_write_bytes sends one record at a time, sized according to 1159 * the currently known MTU */ 1160 i = dtls1_write_bytes(s, type, buf_, len); 1161 if (i <= 0) return i; 1162 1163 if ((i == (int)n) || 1164 (type == SSL3_RT_APPLICATION_DATA && 1165 (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) 1166 { 1167 /* next chunk of data should get another prepended empty fragment 1168 * in ciphersuites with known-IV weakness: */ 1169 s->s3->empty_fragment_done = 0; 1170 return tot+i; 1171 } 1172 1173 tot += i; 1174 n-=i; 1175 } 1176 1177 return tot; 1178 } 1179 1180 1181 /* this only happens when a client hello is received and a handshake 1182 * is started. */ 1183static int 1184have_handshake_fragment(SSL *s, int type, unsigned char *buf, 1185 int len, int peek) 1186 { 1187 1188 if ((type == SSL3_RT_HANDSHAKE) && (s->d1->handshake_fragment_len > 0)) 1189 /* (partially) satisfy request from storage */ 1190 { 1191 unsigned char *src = s->d1->handshake_fragment; 1192 unsigned char *dst = buf; 1193 unsigned int k,n; 1194 1195 /* peek == 0 */ 1196 n = 0; 1197 while ((len > 0) && (s->d1->handshake_fragment_len > 0)) 1198 { 1199 *dst++ = *src++; 1200 len--; s->d1->handshake_fragment_len--; 1201 n++; 1202 } 1203 /* move any remaining fragment bytes: */ 1204 for (k = 0; k < s->d1->handshake_fragment_len; k++) 1205 s->d1->handshake_fragment[k] = *src++; 1206 return n; 1207 } 1208 1209 return 0; 1210 } 1211 1212 1213 1214 1215/* Call this to write data in records of type 'type' 1216 * It will return <= 0 if not all data has been sent or non-blocking IO. 1217 */ 1218int dtls1_write_bytes(SSL *s, int type, const void *buf_, int len) 1219 { 1220 const unsigned char *buf=buf_; 1221 unsigned int tot,n,nw; 1222 int i; 1223 unsigned int mtu; 1224 1225 s->rwstate=SSL_NOTHING; 1226 tot=s->s3->wnum; 1227 1228 n=(len-tot); 1229 1230 /* handshake layer figures out MTU for itself, but data records 1231 * are also sent through this interface, so need to figure out MTU */ 1232#if 0 1233 mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_MTU, 0, NULL); 1234 mtu += DTLS1_HM_HEADER_LENGTH; /* HM already inserted */ 1235#endif 1236 mtu = s->d1->mtu; 1237 1238 if (mtu > SSL3_RT_MAX_PLAIN_LENGTH) 1239 mtu = SSL3_RT_MAX_PLAIN_LENGTH; 1240 1241 if (n > mtu) 1242 nw=mtu; 1243 else 1244 nw=n; 1245 1246 i=do_dtls1_write(s, type, &(buf[tot]), nw, 0); 1247 if (i <= 0) 1248 { 1249 s->s3->wnum=tot; 1250 return i; 1251 } 1252 1253 if ( (int)s->s3->wnum + i == len) 1254 s->s3->wnum = 0; 1255 else 1256 s->s3->wnum += i; 1257 1258 return tot + i; 1259 } 1260 1261int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, int create_empty_fragment) 1262 { 1263 unsigned char *p,*pseq; 1264 int i,mac_size,clear=0; 1265 int prefix_len = 0; 1266 SSL3_RECORD *wr; 1267 SSL3_BUFFER *wb; 1268 SSL_SESSION *sess; 1269 int bs; 1270 1271 /* first check if there is a SSL3_BUFFER still being written 1272 * out. This will happen with non blocking IO */ 1273 if (s->s3->wbuf.left != 0) 1274 { 1275 OPENSSL_assert(0); /* XDTLS: want to see if we ever get here */ 1276 return(ssl3_write_pending(s,type,buf,len)); 1277 } 1278 1279 /* If we have an alert to send, lets send it */ 1280 if (s->s3->alert_dispatch) 1281 { 1282 i=s->method->ssl_dispatch_alert(s); 1283 if (i <= 0) 1284 return(i); 1285 /* if it went, fall through and send more stuff */ 1286 } 1287 1288 if (len == 0 && !create_empty_fragment) 1289 return 0; 1290 1291 wr= &(s->s3->wrec); 1292 wb= &(s->s3->wbuf); 1293 sess=s->session; 1294 1295 if ( (sess == NULL) || 1296 (s->enc_write_ctx == NULL) || 1297 (s->write_hash == NULL)) 1298 clear=1; 1299 1300 if (clear) 1301 mac_size=0; 1302 else 1303 mac_size=EVP_MD_size(s->write_hash); 1304 1305 /* DTLS implements explicit IV, so no need for empty fragments */ 1306#if 0 1307 /* 'create_empty_fragment' is true only when this function calls itself */ 1308 if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done 1309 && SSL_version(s) != DTLS1_VERSION) 1310 { 1311 /* countermeasure against known-IV weakness in CBC ciphersuites 1312 * (see http://www.openssl.org/~bodo/tls-cbc.txt) 1313 */ 1314 1315 if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA) 1316 { 1317 /* recursive function call with 'create_empty_fragment' set; 1318 * this prepares and buffers the data for an empty fragment 1319 * (these 'prefix_len' bytes are sent out later 1320 * together with the actual payload) */ 1321 prefix_len = s->method->do_ssl_write(s, type, buf, 0, 1); 1322 if (prefix_len <= 0) 1323 goto err; 1324 1325 if (s->s3->wbuf.len < (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE) 1326 { 1327 /* insufficient space */ 1328 SSLerr(SSL_F_DO_DTLS1_WRITE, ERR_R_INTERNAL_ERROR); 1329 goto err; 1330 } 1331 } 1332 1333 s->s3->empty_fragment_done = 1; 1334 } 1335#endif 1336 1337 p = wb->buf + prefix_len; 1338 1339 /* write the header */ 1340 1341 *(p++)=type&0xff; 1342 wr->type=type; 1343 1344 *(p++)=(s->version>>8); 1345 *(p++)=s->version&0xff; 1346 1347 /* field where we are to write out packet epoch, seq num and len */ 1348 pseq=p; 1349 p+=10; 1350 1351 /* lets setup the record stuff. */ 1352 1353 /* Make space for the explicit IV in case of CBC. 1354 * (this is a bit of a boundary violation, but what the heck). 1355 */ 1356 if ( s->enc_write_ctx && 1357 (EVP_CIPHER_mode( s->enc_write_ctx->cipher ) & EVP_CIPH_CBC_MODE)) 1358 bs = EVP_CIPHER_block_size(s->enc_write_ctx->cipher); 1359 else 1360 bs = 0; 1361 1362 wr->data=p + bs; /* make room for IV in case of CBC */ 1363 wr->length=(int)len; 1364 wr->input=(unsigned char *)buf; 1365 1366 /* we now 'read' from wr->input, wr->length bytes into 1367 * wr->data */ 1368 1369 /* first we compress */ 1370 if (s->compress != NULL) 1371 { 1372 if (!ssl3_do_compress(s)) 1373 { 1374 SSLerr(SSL_F_DO_DTLS1_WRITE,SSL_R_COMPRESSION_FAILURE); 1375 goto err; 1376 } 1377 } 1378 else 1379 { 1380 memcpy(wr->data,wr->input,wr->length); 1381 wr->input=wr->data; 1382 } 1383 1384 /* we should still have the output to wr->data and the input 1385 * from wr->input. Length should be wr->length. 1386 * wr->data still points in the wb->buf */ 1387 1388 if (mac_size != 0) 1389 { 1390 s->method->ssl3_enc->mac(s,&(p[wr->length + bs]),1); 1391 wr->length+=mac_size; 1392 } 1393 1394 /* this is true regardless of mac size */ 1395 wr->input=p; 1396 wr->data=p; 1397 1398 1399 /* ssl3_enc can only have an error on read */ 1400 wr->length += bs; /* bs != 0 in case of CBC. The enc fn provides 1401 * the randomness */ 1402 s->method->ssl3_enc->enc(s,1); 1403 1404 /* record length after mac and block padding */ 1405/* if (type == SSL3_RT_APPLICATION_DATA || 1406 (type == SSL3_RT_ALERT && ! SSL_in_init(s))) */ 1407 1408 /* there's only one epoch between handshake and app data */ 1409 1410 s2n(s->d1->w_epoch, pseq); 1411 1412 /* XDTLS: ?? */ 1413/* else 1414 s2n(s->d1->handshake_epoch, pseq); */ 1415 1416 memcpy(pseq, &(s->s3->write_sequence[2]), 6); 1417 pseq+=6; 1418 s2n(wr->length,pseq); 1419 1420 /* we should now have 1421 * wr->data pointing to the encrypted data, which is 1422 * wr->length long */ 1423 wr->type=type; /* not needed but helps for debugging */ 1424 wr->length+=DTLS1_RT_HEADER_LENGTH; 1425 1426#if 0 /* this is now done at the message layer */ 1427 /* buffer the record, making it easy to handle retransmits */ 1428 if ( type == SSL3_RT_HANDSHAKE || type == SSL3_RT_CHANGE_CIPHER_SPEC) 1429 dtls1_buffer_record(s, wr->data, wr->length, 1430 *((PQ_64BIT *)&(s->s3->write_sequence[0]))); 1431#endif 1432 1433 ssl3_record_sequence_update(&(s->s3->write_sequence[0])); 1434 1435 if (create_empty_fragment) 1436 { 1437 /* we are in a recursive call; 1438 * just return the length, don't write out anything here 1439 */ 1440 return wr->length; 1441 } 1442 1443 /* now let's set up wb */ 1444 wb->left = prefix_len + wr->length; 1445 wb->offset = 0; 1446 1447 /* memorize arguments so that ssl3_write_pending can detect bad write retries later */ 1448 s->s3->wpend_tot=len; 1449 s->s3->wpend_buf=buf; 1450 s->s3->wpend_type=type; 1451 s->s3->wpend_ret=len; 1452 1453 /* we now just need to write the buffer */ 1454 return ssl3_write_pending(s,type,buf,len); 1455err: 1456 return -1; 1457 } 1458 1459 1460 1461static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap, 1462 PQ_64BIT *seq_num) 1463 { 1464#if PQ_64BIT_IS_INTEGER 1465 PQ_64BIT mask = 0x0000000000000001L; 1466#endif 1467 PQ_64BIT rcd_num, tmp; 1468 1469 pq_64bit_init(&rcd_num); 1470 pq_64bit_init(&tmp); 1471 1472 /* this is the sequence number for the record just read */ 1473 pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8); 1474 1475 1476 if (pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) || 1477 pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num))) 1478 { 1479 pq_64bit_assign(seq_num, &rcd_num); 1480 pq_64bit_free(&rcd_num); 1481 pq_64bit_free(&tmp); 1482 return 1; /* this record is new */ 1483 } 1484 1485 pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num); 1486 1487 if ( pq_64bit_get_word(&tmp) > bitmap->length) 1488 { 1489 pq_64bit_free(&rcd_num); 1490 pq_64bit_free(&tmp); 1491 return 0; /* stale, outside the window */ 1492 } 1493 1494#if PQ_64BIT_IS_BIGNUM 1495 { 1496 int offset; 1497 pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num); 1498 pq_64bit_sub_word(&tmp, 1); 1499 offset = pq_64bit_get_word(&tmp); 1500 if ( pq_64bit_is_bit_set(&(bitmap->map), offset)) 1501 { 1502 pq_64bit_free(&rcd_num); 1503 pq_64bit_free(&tmp); 1504 return 0; 1505 } 1506 } 1507#else 1508 mask <<= (bitmap->max_seq_num - rcd_num - 1); 1509 if (bitmap->map & mask) 1510 return 0; /* record previously received */ 1511#endif 1512 1513 pq_64bit_assign(seq_num, &rcd_num); 1514 pq_64bit_free(&rcd_num); 1515 pq_64bit_free(&tmp); 1516 return 1; 1517 } 1518 1519 1520static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap) 1521 { 1522 unsigned int shift; 1523 PQ_64BIT rcd_num; 1524 PQ_64BIT tmp; 1525 PQ_64BIT_CTX *ctx; 1526 1527 pq_64bit_init(&rcd_num); 1528 pq_64bit_init(&tmp); 1529 1530 pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8); 1531 1532 /* unfortunate code complexity due to 64-bit manipulation support 1533 * on 32-bit machines */ 1534 if ( pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) || 1535 pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num))) 1536 { 1537 pq_64bit_sub(&tmp, &rcd_num, &(bitmap->max_seq_num)); 1538 pq_64bit_add_word(&tmp, 1); 1539 1540 shift = (unsigned int)pq_64bit_get_word(&tmp); 1541 1542 pq_64bit_lshift(&(tmp), &(bitmap->map), shift); 1543 pq_64bit_assign(&(bitmap->map), &tmp); 1544 1545 pq_64bit_set_bit(&(bitmap->map), 0); 1546 pq_64bit_add_word(&rcd_num, 1); 1547 pq_64bit_assign(&(bitmap->max_seq_num), &rcd_num); 1548 1549 pq_64bit_assign_word(&tmp, 1); 1550 pq_64bit_lshift(&tmp, &tmp, bitmap->length); 1551 ctx = pq_64bit_ctx_new(&ctx); 1552 pq_64bit_mod(&(bitmap->map), &(bitmap->map), &tmp, ctx); 1553 pq_64bit_ctx_free(ctx); 1554 } 1555 else 1556 { 1557 pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num); 1558 pq_64bit_sub_word(&tmp, 1); 1559 shift = (unsigned int)pq_64bit_get_word(&tmp); 1560 1561 pq_64bit_set_bit(&(bitmap->map), shift); 1562 } 1563 1564 pq_64bit_free(&rcd_num); 1565 pq_64bit_free(&tmp); 1566 } 1567 1568 1569int dtls1_dispatch_alert(SSL *s) 1570 { 1571 int i,j; 1572 void (*cb)(const SSL *ssl,int type,int val)=NULL; 1573 unsigned char buf[2 + 2 + 3]; /* alert level + alert desc + message seq +frag_off */ 1574 unsigned char *ptr = &buf[0]; 1575 1576 s->s3->alert_dispatch=0; 1577 1578 memset(buf, 0x00, sizeof(buf)); 1579 *ptr++ = s->s3->send_alert[0]; 1580 *ptr++ = s->s3->send_alert[1]; 1581 1582 if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) 1583 { 1584 s2n(s->d1->handshake_read_seq, ptr); 1585#if 0 1586 if ( s->d1->r_msg_hdr.frag_off == 0) /* waiting for a new msg */ 1587 1588 else 1589 s2n(s->d1->r_msg_hdr.seq, ptr); /* partial msg read */ 1590#endif 1591 1592#if 0 1593 fprintf(stderr, "s->d1->handshake_read_seq = %d, s->d1->r_msg_hdr.seq = %d\n",s->d1->handshake_read_seq,s->d1->r_msg_hdr.seq); 1594#endif 1595 l2n3(s->d1->r_msg_hdr.frag_off, ptr); 1596 } 1597 1598 i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0); 1599 if (i <= 0) 1600 { 1601 s->s3->alert_dispatch=1; 1602 /* fprintf( stderr, "not done with alert\n" ); */ 1603 } 1604 else 1605 { 1606 if ( s->s3->send_alert[0] == SSL3_AL_FATAL || 1607 s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) 1608 (void)BIO_flush(s->wbio); 1609 1610 if (s->msg_callback) 1611 s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, 1612 2, s, s->msg_callback_arg); 1613 1614 if (s->info_callback != NULL) 1615 cb=s->info_callback; 1616 else if (s->ctx->info_callback != NULL) 1617 cb=s->ctx->info_callback; 1618 1619 if (cb != NULL) 1620 { 1621 j=(s->s3->send_alert[0]<<8)|s->s3->send_alert[1]; 1622 cb(s,SSL_CB_WRITE_ALERT,j); 1623 } 1624 } 1625 return(i); 1626 } 1627 1628 1629static DTLS1_BITMAP * 1630dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch) 1631 { 1632 1633 *is_next_epoch = 0; 1634 1635 /* In current epoch, accept HM, CCS, DATA, & ALERT */ 1636 if (rr->epoch == s->d1->r_epoch) 1637 return &s->d1->bitmap; 1638 1639 /* Only HM and ALERT messages can be from the next epoch */ 1640 else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) && 1641 (rr->type == SSL3_RT_HANDSHAKE || 1642 rr->type == SSL3_RT_ALERT)) 1643 { 1644 *is_next_epoch = 1; 1645 return &s->d1->next_bitmap; 1646 } 1647 1648 return NULL; 1649 } 1650 1651#if 0 1652static int 1653dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr, unsigned short *priority, 1654 unsigned long *offset) 1655 { 1656 1657 /* alerts are passed up immediately */ 1658 if ( rr->type == SSL3_RT_APPLICATION_DATA || 1659 rr->type == SSL3_RT_ALERT) 1660 return 0; 1661 1662 /* Only need to buffer if a handshake is underway. 1663 * (this implies that Hello Request and Client Hello are passed up 1664 * immediately) */ 1665 if ( SSL_in_init(s)) 1666 { 1667 unsigned char *data = rr->data; 1668 /* need to extract the HM/CCS sequence number here */ 1669 if ( rr->type == SSL3_RT_HANDSHAKE || 1670 rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) 1671 { 1672 unsigned short seq_num; 1673 struct hm_header_st msg_hdr; 1674 struct ccs_header_st ccs_hdr; 1675 1676 if ( rr->type == SSL3_RT_HANDSHAKE) 1677 { 1678 dtls1_get_message_header(data, &msg_hdr); 1679 seq_num = msg_hdr.seq; 1680 *offset = msg_hdr.frag_off; 1681 } 1682 else 1683 { 1684 dtls1_get_ccs_header(data, &ccs_hdr); 1685 seq_num = ccs_hdr.seq; 1686 *offset = 0; 1687 } 1688 1689 /* this is either a record we're waiting for, or a 1690 * retransmit of something we happened to previously 1691 * receive (higher layers will drop the repeat silently */ 1692 if ( seq_num < s->d1->handshake_read_seq) 1693 return 0; 1694 if (rr->type == SSL3_RT_HANDSHAKE && 1695 seq_num == s->d1->handshake_read_seq && 1696 msg_hdr.frag_off < s->d1->r_msg_hdr.frag_off) 1697 return 0; 1698 else if ( seq_num == s->d1->handshake_read_seq && 1699 (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC || 1700 msg_hdr.frag_off == s->d1->r_msg_hdr.frag_off)) 1701 return 0; 1702 else 1703 { 1704 *priority = seq_num; 1705 return 1; 1706 } 1707 } 1708 else /* unknown record type */ 1709 return 0; 1710 } 1711 1712 return 0; 1713 } 1714#endif 1715 1716void 1717dtls1_reset_seq_numbers(SSL *s, int rw) 1718 { 1719 unsigned char *seq; 1720 unsigned int seq_bytes = sizeof(s->s3->read_sequence); 1721 1722 if ( rw & SSL3_CC_READ) 1723 { 1724 seq = s->s3->read_sequence; 1725 s->d1->r_epoch++; 1726 1727 pq_64bit_assign(&(s->d1->bitmap.map), &(s->d1->next_bitmap.map)); 1728 s->d1->bitmap.length = s->d1->next_bitmap.length; 1729 pq_64bit_assign(&(s->d1->bitmap.max_seq_num), 1730 &(s->d1->next_bitmap.max_seq_num)); 1731 1732 pq_64bit_free(&(s->d1->next_bitmap.map)); 1733 pq_64bit_free(&(s->d1->next_bitmap.max_seq_num)); 1734 memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP)); 1735 pq_64bit_init(&(s->d1->next_bitmap.map)); 1736 pq_64bit_init(&(s->d1->next_bitmap.max_seq_num)); 1737 } 1738 else 1739 { 1740 seq = s->s3->write_sequence; 1741 s->d1->w_epoch++; 1742 } 1743 1744 memset(seq, 0x00, seq_bytes); 1745 } 1746 1747#if PQ_64BIT_IS_INTEGER 1748static PQ_64BIT 1749bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num) 1750 { 1751 PQ_64BIT _num; 1752 1753 _num = (((PQ_64BIT)bytes[0]) << 56) | 1754 (((PQ_64BIT)bytes[1]) << 48) | 1755 (((PQ_64BIT)bytes[2]) << 40) | 1756 (((PQ_64BIT)bytes[3]) << 32) | 1757 (((PQ_64BIT)bytes[4]) << 24) | 1758 (((PQ_64BIT)bytes[5]) << 16) | 1759 (((PQ_64BIT)bytes[6]) << 8) | 1760 (((PQ_64BIT)bytes[7]) ); 1761 1762 *num = _num ; 1763 return _num; 1764 } 1765#endif 1766 1767 1768static void 1769dtls1_clear_timeouts(SSL *s) 1770 { 1771 memset(&(s->d1->timeout), 0x00, sizeof(struct dtls1_timeout_st)); 1772 } 1773