d1_pkt.c revision 1fada29eaaa2a758ba3f68ee9ede8b6715673146
1/* ssl/d1_pkt.c */ 2/* 3 * DTLS implementation written by Nagendra Modadugu 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 5 */ 6/* ==================================================================== 7 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * openssl-core@openssl.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 * 54 * This product includes cryptographic software written by Eric Young 55 * (eay@cryptsoft.com). This product includes software written by Tim 56 * Hudson (tjh@cryptsoft.com). 57 * 58 */ 59/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 60 * All rights reserved. 61 * 62 * This package is an SSL implementation written 63 * by Eric Young (eay@cryptsoft.com). 64 * The implementation was written so as to conform with Netscapes SSL. 65 * 66 * This library is free for commercial and non-commercial use as long as 67 * the following conditions are aheared to. The following conditions 68 * apply to all code found in this distribution, be it the RC4, RSA, 69 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 70 * included with this distribution is covered by the same copyright terms 71 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 72 * 73 * Copyright remains Eric Young's, and as such any Copyright notices in 74 * the code are not to be removed. 75 * If this package is used in a product, Eric Young should be given attribution 76 * as the author of the parts of the library used. 77 * This can be in the form of a textual message at program startup or 78 * in documentation (online or textual) provided with the package. 79 * 80 * Redistribution and use in source and binary forms, with or without 81 * modification, are permitted provided that the following conditions 82 * are met: 83 * 1. Redistributions of source code must retain the copyright 84 * notice, this list of conditions and the following disclaimer. 85 * 2. Redistributions in binary form must reproduce the above copyright 86 * notice, this list of conditions and the following disclaimer in the 87 * documentation and/or other materials provided with the distribution. 88 * 3. All advertising materials mentioning features or use of this software 89 * must display the following acknowledgement: 90 * "This product includes cryptographic software written by 91 * Eric Young (eay@cryptsoft.com)" 92 * The word 'cryptographic' can be left out if the rouines from the library 93 * being used are not cryptographic related :-). 94 * 4. If you include any Windows specific code (or a derivative thereof) from 95 * the apps directory (application code) you must include an acknowledgement: 96 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 97 * 98 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 99 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 100 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 101 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 102 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 103 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 104 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 105 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 106 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 107 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 108 * SUCH DAMAGE. 109 * 110 * The licence and distribution terms for any publically available version or 111 * derivative of this code cannot be changed. i.e. this code cannot simply be 112 * copied and put under another distribution licence 113 * [including the GNU Public Licence.] 114 */ 115 116#include <stdio.h> 117#include <errno.h> 118#define USE_SOCKETS 119#include "ssl_locl.h" 120#include <openssl/evp.h> 121#include <openssl/buffer.h> 122#include <openssl/pqueue.h> 123#include <openssl/rand.h> 124 125static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, 126 int len, int peek); 127static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap, 128 PQ_64BIT *seq_num); 129static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap); 130static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, 131 unsigned int *is_next_epoch); 132#if 0 133static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr, 134 unsigned short *priority, unsigned long *offset); 135#endif 136static int dtls1_buffer_record(SSL *s, record_pqueue *q, 137 PQ_64BIT priority); 138static int dtls1_process_record(SSL *s); 139#if PQ_64BIT_IS_INTEGER 140static PQ_64BIT bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num); 141#endif 142static void dtls1_clear_timeouts(SSL *s); 143 144/* copy buffered record into SSL structure */ 145static int 146dtls1_copy_record(SSL *s, pitem *item) 147 { 148 DTLS1_RECORD_DATA *rdata; 149 150 rdata = (DTLS1_RECORD_DATA *)item->data; 151 152 if (s->s3->rbuf.buf != NULL) 153 OPENSSL_free(s->s3->rbuf.buf); 154 155 s->packet = rdata->packet; 156 s->packet_length = rdata->packet_length; 157 memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER)); 158 memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD)); 159 160 return(1); 161 } 162 163 164static int 165dtls1_buffer_record(SSL *s, record_pqueue *queue, PQ_64BIT priority) 166{ 167 DTLS1_RECORD_DATA *rdata; 168 pitem *item; 169 170 rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); 171 item = pitem_new(priority, rdata); 172 if (rdata == NULL || item == NULL) 173 { 174 if (rdata != NULL) OPENSSL_free(rdata); 175 if (item != NULL) pitem_free(item); 176 177 SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); 178 return(0); 179 } 180 181 rdata->packet = s->packet; 182 rdata->packet_length = s->packet_length; 183 memcpy(&(rdata->rbuf), &(s->s3->rbuf), sizeof(SSL3_BUFFER)); 184 memcpy(&(rdata->rrec), &(s->s3->rrec), sizeof(SSL3_RECORD)); 185 186 item->data = rdata; 187 188 /* insert should not fail, since duplicates are dropped */ 189 if (pqueue_insert(queue->q, item) == NULL) 190 { 191 OPENSSL_free(rdata); 192 pitem_free(item); 193 return(0); 194 } 195 196 s->packet = NULL; 197 s->packet_length = 0; 198 memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER)); 199 memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD)); 200 201 if (!ssl3_setup_buffers(s)) 202 { 203 SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); 204 OPENSSL_free(rdata); 205 pitem_free(item); 206 return(0); 207 } 208 209 return(1); 210 } 211 212 213static int 214dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) 215 { 216 pitem *item; 217 218 item = pqueue_pop(queue->q); 219 if (item) 220 { 221 dtls1_copy_record(s, item); 222 223 OPENSSL_free(item->data); 224 pitem_free(item); 225 226 return(1); 227 } 228 229 return(0); 230 } 231 232 233/* retrieve a buffered record that belongs to the new epoch, i.e., not processed 234 * yet */ 235#define dtls1_get_unprocessed_record(s) \ 236 dtls1_retrieve_buffered_record((s), \ 237 &((s)->d1->unprocessed_rcds)) 238 239/* retrieve a buffered record that belongs to the current epoch, ie, processed */ 240#define dtls1_get_processed_record(s) \ 241 dtls1_retrieve_buffered_record((s), \ 242 &((s)->d1->processed_rcds)) 243 244static int 245dtls1_process_buffered_records(SSL *s) 246 { 247 pitem *item; 248 249 item = pqueue_peek(s->d1->unprocessed_rcds.q); 250 if (item) 251 { 252 DTLS1_RECORD_DATA *rdata; 253 rdata = (DTLS1_RECORD_DATA *)item->data; 254 255 /* Check if epoch is current. */ 256 if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch) 257 return(1); /* Nothing to do. */ 258 259 /* Process all the records. */ 260 while (pqueue_peek(s->d1->unprocessed_rcds.q)) 261 { 262 dtls1_get_unprocessed_record(s); 263 if ( ! dtls1_process_record(s)) 264 return(0); 265 dtls1_buffer_record(s, &(s->d1->processed_rcds), 266 s->s3->rrec.seq_num); 267 } 268 } 269 270 /* sync epoch numbers once all the unprocessed records 271 * have been processed */ 272 s->d1->processed_rcds.epoch = s->d1->r_epoch; 273 s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1; 274 275 return(1); 276 } 277 278 279#if 0 280 281static int 282dtls1_get_buffered_record(SSL *s) 283 { 284 pitem *item; 285 PQ_64BIT priority = 286 (((PQ_64BIT)s->d1->handshake_read_seq) << 32) | 287 ((PQ_64BIT)s->d1->r_msg_hdr.frag_off); 288 289 if ( ! SSL_in_init(s)) /* if we're not (re)negotiating, 290 nothing buffered */ 291 return 0; 292 293 294 item = pqueue_peek(s->d1->rcvd_records); 295 if (item && item->priority == priority) 296 { 297 /* Check if we've received the record of interest. It must be 298 * a handshake record, since data records as passed up without 299 * buffering */ 300 DTLS1_RECORD_DATA *rdata; 301 item = pqueue_pop(s->d1->rcvd_records); 302 rdata = (DTLS1_RECORD_DATA *)item->data; 303 304 if (s->s3->rbuf.buf != NULL) 305 OPENSSL_free(s->s3->rbuf.buf); 306 307 s->packet = rdata->packet; 308 s->packet_length = rdata->packet_length; 309 memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER)); 310 memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD)); 311 312 OPENSSL_free(item->data); 313 pitem_free(item); 314 315 /* s->d1->next_expected_seq_num++; */ 316 return(1); 317 } 318 319 return 0; 320 } 321 322#endif 323 324static int 325dtls1_process_record(SSL *s) 326{ 327 int i,al; 328 int clear=0; 329 int enc_err; 330 SSL_SESSION *sess; 331 SSL3_RECORD *rr; 332 unsigned int mac_size; 333 unsigned char md[EVP_MAX_MD_SIZE]; 334 335 336 rr= &(s->s3->rrec); 337 sess = s->session; 338 339 /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, 340 * and we have that many bytes in s->packet 341 */ 342 rr->input= &(s->packet[DTLS1_RT_HEADER_LENGTH]); 343 344 /* ok, we can now read from 's->packet' data into 'rr' 345 * rr->input points at rr->length bytes, which 346 * need to be copied into rr->data by either 347 * the decryption or by the decompression 348 * When the data is 'copied' into the rr->data buffer, 349 * rr->input will be pointed at the new buffer */ 350 351 /* We now have - encrypted [ MAC [ compressed [ plain ] ] ] 352 * rr->length bytes of encrypted compressed stuff. */ 353 354 /* check is not needed I believe */ 355 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) 356 { 357 al=SSL_AD_RECORD_OVERFLOW; 358 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG); 359 goto f_err; 360 } 361 362 /* decrypt in place in 'rr->input' */ 363 rr->data=rr->input; 364 365 enc_err = s->method->ssl3_enc->enc(s,0); 366 if (enc_err <= 0) 367 { 368 if (enc_err == 0) 369 /* SSLerr() and ssl3_send_alert() have been called */ 370 goto err; 371 372 /* otherwise enc_err == -1 */ 373 goto decryption_failed_or_bad_record_mac; 374 } 375 376#ifdef TLS_DEBUG 377printf("dec %d\n",rr->length); 378{ unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); } 379printf("\n"); 380#endif 381 382 /* r->length is now the compressed data plus mac */ 383if ( (sess == NULL) || 384 (s->enc_read_ctx == NULL) || 385 (s->read_hash == NULL)) 386 clear=1; 387 388 if (!clear) 389 { 390 mac_size=EVP_MD_size(s->read_hash); 391 392 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size) 393 { 394#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */ 395 al=SSL_AD_RECORD_OVERFLOW; 396 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); 397 goto f_err; 398#else 399 goto decryption_failed_or_bad_record_mac; 400#endif 401 } 402 /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ 403 if (rr->length < mac_size) 404 { 405#if 0 /* OK only for stream ciphers */ 406 al=SSL_AD_DECODE_ERROR; 407 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); 408 goto f_err; 409#else 410 goto decryption_failed_or_bad_record_mac; 411#endif 412 } 413 rr->length-=mac_size; 414 i=s->method->ssl3_enc->mac(s,md,0); 415 if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0) 416 { 417 goto decryption_failed_or_bad_record_mac; 418 } 419 } 420 421 /* r->length is now just compressed */ 422 if (s->expand != NULL) 423 { 424 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) 425 { 426 al=SSL_AD_RECORD_OVERFLOW; 427 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG); 428 goto f_err; 429 } 430 if (!ssl3_do_uncompress(s)) 431 { 432 al=SSL_AD_DECOMPRESSION_FAILURE; 433 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_BAD_DECOMPRESSION); 434 goto f_err; 435 } 436 } 437 438 if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) 439 { 440 al=SSL_AD_RECORD_OVERFLOW; 441 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DATA_LENGTH_TOO_LONG); 442 goto f_err; 443 } 444 445 rr->off=0; 446 /* So at this point the following is true 447 * ssl->s3->rrec.type is the type of record 448 * ssl->s3->rrec.length == number of bytes in record 449 * ssl->s3->rrec.off == offset to first valid byte 450 * ssl->s3->rrec.data == where to take bytes from, increment 451 * after use :-). 452 */ 453 454 /* we have pulled in a full packet so zero things */ 455 s->packet_length=0; 456 dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */ 457 return(1); 458 459decryption_failed_or_bad_record_mac: 460 /* Separate 'decryption_failed' alert was introduced with TLS 1.0, 461 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption 462 * failure is directly visible from the ciphertext anyway, 463 * we should not reveal which kind of error occured -- this 464 * might become visible to an attacker (e.g. via logfile) */ 465 al=SSL_AD_BAD_RECORD_MAC; 466 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); 467f_err: 468 ssl3_send_alert(s,SSL3_AL_FATAL,al); 469err: 470 return(0); 471} 472 473 474/* Call this to get a new input record. 475 * It will return <= 0 if more data is needed, normally due to an error 476 * or non-blocking IO. 477 * When it finishes, one packet has been decoded and can be found in 478 * ssl->s3->rrec.type - is the type of record 479 * ssl->s3->rrec.data, - data 480 * ssl->s3->rrec.length, - number of bytes 481 */ 482/* used only by dtls1_read_bytes */ 483int dtls1_get_record(SSL *s) 484 { 485 int ssl_major,ssl_minor,al; 486 int i,n; 487 SSL3_RECORD *rr; 488 SSL_SESSION *sess; 489 unsigned char *p; 490 unsigned short version; 491 DTLS1_BITMAP *bitmap; 492 unsigned int is_next_epoch; 493 494 rr= &(s->s3->rrec); 495 sess=s->session; 496 497 /* The epoch may have changed. If so, process all the 498 * pending records. This is a non-blocking operation. */ 499 if ( ! dtls1_process_buffered_records(s)) 500 return 0; 501 502 /* if we're renegotiating, then there may be buffered records */ 503 if (dtls1_get_processed_record(s)) 504 return 1; 505 506 /* get something from the wire */ 507again: 508 /* check if we have the header */ 509 if ( (s->rstate != SSL_ST_READ_BODY) || 510 (s->packet_length < DTLS1_RT_HEADER_LENGTH)) 511 { 512 n=ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, s->s3->rbuf.len, 0); 513 /* read timeout is handled by dtls1_read_bytes */ 514 if (n <= 0) return(n); /* error or non-blocking */ 515 516 OPENSSL_assert(s->packet_length == DTLS1_RT_HEADER_LENGTH); 517 518 s->rstate=SSL_ST_READ_BODY; 519 520 p=s->packet; 521 522 /* Pull apart the header into the DTLS1_RECORD */ 523 rr->type= *(p++); 524 ssl_major= *(p++); 525 ssl_minor= *(p++); 526 version=(ssl_major<<8)|ssl_minor; 527 528 /* sequence number is 64 bits, with top 2 bytes = epoch */ 529 n2s(p,rr->epoch); 530 531 memcpy(&(s->s3->read_sequence[2]), p, 6); 532 p+=6; 533 534 n2s(p,rr->length); 535 536 /* Lets check version */ 537 if (!s->first_packet) 538 { 539 if (version != s->version && version != DTLS1_BAD_VER) 540 { 541 SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); 542 /* Send back error using their 543 * version number :-) */ 544 s->version=version; 545 al=SSL_AD_PROTOCOL_VERSION; 546 goto f_err; 547 } 548 } 549 550 if ((version & 0xff00) != (DTLS1_VERSION & 0xff00) && 551 (version & 0xff00) != (DTLS1_BAD_VER & 0xff00)) 552 { 553 SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); 554 goto err; 555 } 556 557 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) 558 { 559 al=SSL_AD_RECORD_OVERFLOW; 560 SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG); 561 goto f_err; 562 } 563 564 /* If we receive a valid record larger than the current buffer size, 565 * allocate some memory for it. 566 */ 567 if (rr->length > s->s3->rbuf.len - DTLS1_RT_HEADER_LENGTH) 568 { 569 if ((p=OPENSSL_realloc(s->s3->rbuf.buf, rr->length + DTLS1_RT_HEADER_LENGTH))==NULL) 570 { 571 SSLerr(SSL_F_DTLS1_GET_RECORD,ERR_R_MALLOC_FAILURE); 572 goto err; 573 } 574 s->s3->rbuf.buf=p; 575 s->s3->rbuf.len=rr->length + DTLS1_RT_HEADER_LENGTH; 576 s->packet= &(s->s3->rbuf.buf[0]); 577 } 578 579 s->client_version = version; 580 /* now s->rstate == SSL_ST_READ_BODY */ 581 } 582 583 /* s->rstate == SSL_ST_READ_BODY, get and decode the data */ 584 585 if (rr->length > s->packet_length-DTLS1_RT_HEADER_LENGTH) 586 { 587 /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */ 588 i=rr->length; 589 n=ssl3_read_n(s,i,i,1); 590 if (n <= 0) return(n); /* error or non-blocking io */ 591 592 /* this packet contained a partial record, dump it */ 593 if ( n != i) 594 { 595 s->packet_length = 0; 596 goto again; 597 } 598 599 /* now n == rr->length, 600 * and s->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length */ 601 } 602 s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */ 603 604 /* match epochs. NULL means the packet is dropped on the floor */ 605 bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); 606 if ( bitmap == NULL) 607 { 608 s->packet_length = 0; /* dump this record */ 609 goto again; /* get another record */ 610 } 611 612 /* check whether this is a repeat, or aged record */ 613 if ( ! dtls1_record_replay_check(s, bitmap, &(rr->seq_num))) 614 { 615 rr->length = 0; 616 s->packet_length=0; /* dump this record */ 617 goto again; /* get another record */ 618 } 619 620 /* just read a 0 length packet */ 621 if (rr->length == 0) goto again; 622 623 /* If this record is from the next epoch (either HM or ALERT), buffer it 624 * since it cannot be processed at this time. 625 * Records from the next epoch are marked as received even though they are 626 * not processed, so as to prevent any potential resource DoS attack */ 627 if (is_next_epoch) 628 { 629 dtls1_record_bitmap_update(s, bitmap); 630 dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num); 631 s->packet_length = 0; 632 goto again; 633 } 634 635 if ( ! dtls1_process_record(s)) 636 return(0); 637 638 dtls1_clear_timeouts(s); /* done waiting */ 639 return(1); 640 641f_err: 642 ssl3_send_alert(s,SSL3_AL_FATAL,al); 643err: 644 return(0); 645 } 646 647/* Return up to 'len' payload bytes received in 'type' records. 648 * 'type' is one of the following: 649 * 650 * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us) 651 * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us) 652 * - 0 (during a shutdown, no data has to be returned) 653 * 654 * If we don't have stored data to work from, read a SSL/TLS record first 655 * (possibly multiple records if we still don't have anything to return). 656 * 657 * This function must handle any surprises the peer may have for us, such as 658 * Alert records (e.g. close_notify), ChangeCipherSpec records (not really 659 * a surprise, but handled as if it were), or renegotiation requests. 660 * Also if record payloads contain fragments too small to process, we store 661 * them until there is enough for the respective protocol (the record protocol 662 * may use arbitrary fragmentation and even interleaving): 663 * Change cipher spec protocol 664 * just 1 byte needed, no need for keeping anything stored 665 * Alert protocol 666 * 2 bytes needed (AlertLevel, AlertDescription) 667 * Handshake protocol 668 * 4 bytes needed (HandshakeType, uint24 length) -- we just have 669 * to detect unexpected Client Hello and Hello Request messages 670 * here, anything else is handled by higher layers 671 * Application data protocol 672 * none of our business 673 */ 674int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) 675 { 676 int al,i,j,ret; 677 unsigned int n; 678 SSL3_RECORD *rr; 679 void (*cb)(const SSL *ssl,int type2,int val)=NULL; 680 681 if (s->s3->rbuf.buf == NULL) /* Not initialized yet */ 682 if (!ssl3_setup_buffers(s)) 683 return(-1); 684 685 /* XXX: check what the second '&& type' is about */ 686 if ((type && (type != SSL3_RT_APPLICATION_DATA) && 687 (type != SSL3_RT_HANDSHAKE) && type) || 688 (peek && (type != SSL3_RT_APPLICATION_DATA))) 689 { 690 SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); 691 return -1; 692 } 693 694 /* check whether there's a handshake message (client hello?) waiting */ 695 if ( (ret = have_handshake_fragment(s, type, buf, len, peek))) 696 return ret; 697 698 /* Now s->d1->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */ 699 700 if (!s->in_handshake && SSL_in_init(s)) 701 { 702 /* type == SSL3_RT_APPLICATION_DATA */ 703 i=s->handshake_func(s); 704 if (i < 0) return(i); 705 if (i == 0) 706 { 707 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); 708 return(-1); 709 } 710 } 711 712start: 713 s->rwstate=SSL_NOTHING; 714 715 /* s->s3->rrec.type - is the type of record 716 * s->s3->rrec.data, - data 717 * s->s3->rrec.off, - offset into 'data' for next read 718 * s->s3->rrec.length, - number of bytes. */ 719 rr = &(s->s3->rrec); 720 721 /* get new packet if necessary */ 722 if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY)) 723 { 724 ret=dtls1_get_record(s); 725 if (ret <= 0) 726 { 727 ret = dtls1_read_failed(s, ret); 728 /* anything other than a timeout is an error */ 729 if (ret <= 0) 730 return(ret); 731 else 732 goto start; 733 } 734 } 735 736 /* we now have a packet which can be read and processed */ 737 738 if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, 739 * reset by ssl3_get_finished */ 740 && (rr->type != SSL3_RT_HANDSHAKE)) 741 { 742 al=SSL_AD_UNEXPECTED_MESSAGE; 743 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED); 744 goto err; 745 } 746 747 /* If the other end has shut down, throw anything we read away 748 * (even in 'peek' mode) */ 749 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) 750 { 751 rr->length=0; 752 s->rwstate=SSL_NOTHING; 753 return(0); 754 } 755 756 757 if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */ 758 { 759 /* make sure that we are not getting application data when we 760 * are doing a handshake for the first time */ 761 if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) && 762 (s->enc_read_ctx == NULL)) 763 { 764 al=SSL_AD_UNEXPECTED_MESSAGE; 765 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE); 766 goto f_err; 767 } 768 769 if (len <= 0) return(len); 770 771 if ((unsigned int)len > rr->length) 772 n = rr->length; 773 else 774 n = (unsigned int)len; 775 776 memcpy(buf,&(rr->data[rr->off]),n); 777 if (!peek) 778 { 779 rr->length-=n; 780 rr->off+=n; 781 if (rr->length == 0) 782 { 783 s->rstate=SSL_ST_READ_HEADER; 784 rr->off=0; 785 } 786 } 787 return(n); 788 } 789 790 791 /* If we get here, then type != rr->type; if we have a handshake 792 * message, then it was unexpected (Hello Request or Client Hello). */ 793 794 /* In case of record types for which we have 'fragment' storage, 795 * fill that so that we can process the data at a fixed place. 796 */ 797 { 798 unsigned int k, dest_maxlen = 0; 799 unsigned char *dest = NULL; 800 unsigned int *dest_len = NULL; 801 802 if (rr->type == SSL3_RT_HANDSHAKE) 803 { 804 dest_maxlen = sizeof s->d1->handshake_fragment; 805 dest = s->d1->handshake_fragment; 806 dest_len = &s->d1->handshake_fragment_len; 807 } 808 else if (rr->type == SSL3_RT_ALERT) 809 { 810 dest_maxlen = sizeof(s->d1->alert_fragment); 811 dest = s->d1->alert_fragment; 812 dest_len = &s->d1->alert_fragment_len; 813 } 814 /* else it's a CCS message, or it's wrong */ 815 else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC) 816 { 817 /* Not certain if this is the right error handling */ 818 al=SSL_AD_UNEXPECTED_MESSAGE; 819 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD); 820 goto f_err; 821 } 822 823 824 if (dest_maxlen > 0) 825 { 826 /* XDTLS: In a pathalogical case, the Client Hello 827 * may be fragmented--don't always expect dest_maxlen bytes */ 828 if ( rr->length < dest_maxlen) 829 { 830#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE 831 /* 832 * for normal alerts rr->length is 2, while 833 * dest_maxlen is 7 if we were to handle this 834 * non-existing alert... 835 */ 836 FIX ME 837#endif 838 s->rstate=SSL_ST_READ_HEADER; 839 rr->length = 0; 840 goto start; 841 } 842 843 /* now move 'n' bytes: */ 844 for ( k = 0; k < dest_maxlen; k++) 845 { 846 dest[k] = rr->data[rr->off++]; 847 rr->length--; 848 } 849 *dest_len = dest_maxlen; 850 } 851 } 852 853 /* s->d1->handshake_fragment_len == 12 iff rr->type == SSL3_RT_HANDSHAKE; 854 * s->d1->alert_fragment_len == 7 iff rr->type == SSL3_RT_ALERT. 855 * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */ 856 857 /* If we are a client, check for an incoming 'Hello Request': */ 858 if ((!s->server) && 859 (s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && 860 (s->d1->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) && 861 (s->session != NULL) && (s->session->cipher != NULL)) 862 { 863 s->d1->handshake_fragment_len = 0; 864 865 if ((s->d1->handshake_fragment[1] != 0) || 866 (s->d1->handshake_fragment[2] != 0) || 867 (s->d1->handshake_fragment[3] != 0)) 868 { 869 al=SSL_AD_DECODE_ERROR; 870 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_HELLO_REQUEST); 871 goto err; 872 } 873 874 /* no need to check sequence number on HELLO REQUEST messages */ 875 876 if (s->msg_callback) 877 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 878 s->d1->handshake_fragment, 4, s, s->msg_callback_arg); 879 880 if (SSL_is_init_finished(s) && 881 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && 882 !s->s3->renegotiate) 883 { 884 ssl3_renegotiate(s); 885 if (ssl3_renegotiate_check(s)) 886 { 887 i=s->handshake_func(s); 888 if (i < 0) return(i); 889 if (i == 0) 890 { 891 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); 892 return(-1); 893 } 894 895 if (!(s->mode & SSL_MODE_AUTO_RETRY)) 896 { 897 if (s->s3->rbuf.left == 0) /* no read-ahead left? */ 898 { 899 BIO *bio; 900 /* In the case where we try to read application data, 901 * but we trigger an SSL handshake, we return -1 with 902 * the retry option set. Otherwise renegotiation may 903 * cause nasty problems in the blocking world */ 904 s->rwstate=SSL_READING; 905 bio=SSL_get_rbio(s); 906 BIO_clear_retry_flags(bio); 907 BIO_set_retry_read(bio); 908 return(-1); 909 } 910 } 911 } 912 } 913 /* we either finished a handshake or ignored the request, 914 * now try again to obtain the (application) data we were asked for */ 915 goto start; 916 } 917 918 if (s->d1->alert_fragment_len >= DTLS1_AL_HEADER_LENGTH) 919 { 920 int alert_level = s->d1->alert_fragment[0]; 921 int alert_descr = s->d1->alert_fragment[1]; 922 923 s->d1->alert_fragment_len = 0; 924 925 if (s->msg_callback) 926 s->msg_callback(0, s->version, SSL3_RT_ALERT, 927 s->d1->alert_fragment, 2, s, s->msg_callback_arg); 928 929 if (s->info_callback != NULL) 930 cb=s->info_callback; 931 else if (s->ctx->info_callback != NULL) 932 cb=s->ctx->info_callback; 933 934 if (cb != NULL) 935 { 936 j = (alert_level << 8) | alert_descr; 937 cb(s, SSL_CB_READ_ALERT, j); 938 } 939 940 if (alert_level == 1) /* warning */ 941 { 942 s->s3->warn_alert = alert_descr; 943 if (alert_descr == SSL_AD_CLOSE_NOTIFY) 944 { 945 s->shutdown |= SSL_RECEIVED_SHUTDOWN; 946 return(0); 947 } 948#if 0 949 /* XXX: this is a possible improvement in the future */ 950 /* now check if it's a missing record */ 951 if (alert_descr == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) 952 { 953 unsigned short seq; 954 unsigned int frag_off; 955 unsigned char *p = &(s->d1->alert_fragment[2]); 956 957 n2s(p, seq); 958 n2l3(p, frag_off); 959 960 dtls1_retransmit_message(s, seq, frag_off, &found); 961 if ( ! found && SSL_in_init(s)) 962 { 963 /* fprintf( stderr,"in init = %d\n", SSL_in_init(s)); */ 964 /* requested a message not yet sent, 965 send an alert ourselves */ 966 ssl3_send_alert(s,SSL3_AL_WARNING, 967 DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); 968 } 969 } 970#endif 971 } 972 else if (alert_level == 2) /* fatal */ 973 { 974 char tmp[16]; 975 976 s->rwstate=SSL_NOTHING; 977 s->s3->fatal_alert = alert_descr; 978 SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr); 979 BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr); 980 ERR_add_error_data(2,"SSL alert number ",tmp); 981 s->shutdown|=SSL_RECEIVED_SHUTDOWN; 982 SSL_CTX_remove_session(s->ctx,s->session); 983 return(0); 984 } 985 else 986 { 987 al=SSL_AD_ILLEGAL_PARAMETER; 988 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE); 989 goto f_err; 990 } 991 992 goto start; 993 } 994 995 if (s->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutdown */ 996 { 997 s->rwstate=SSL_NOTHING; 998 rr->length=0; 999 return(0); 1000 } 1001 1002 if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) 1003 { 1004 struct ccs_header_st ccs_hdr; 1005 1006 dtls1_get_ccs_header(rr->data, &ccs_hdr); 1007 1008 /* 'Change Cipher Spec' is just a single byte, so we know 1009 * exactly what the record payload has to look like */ 1010 /* XDTLS: check that epoch is consistent */ 1011 if ( (s->client_version == DTLS1_BAD_VER && rr->length != 3) || 1012 (s->client_version != DTLS1_BAD_VER && rr->length != DTLS1_CCS_HEADER_LENGTH) || 1013 (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) 1014 { 1015 i=SSL_AD_ILLEGAL_PARAMETER; 1016 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC); 1017 goto err; 1018 } 1019 1020 rr->length=0; 1021 1022 if (s->msg_callback) 1023 s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, 1024 rr->data, 1, s, s->msg_callback_arg); 1025 1026 s->s3->change_cipher_spec=1; 1027 if (!ssl3_do_change_cipher_spec(s)) 1028 goto err; 1029 1030 /* do this whenever CCS is processed */ 1031 dtls1_reset_seq_numbers(s, SSL3_CC_READ); 1032 1033 if (s->client_version == DTLS1_BAD_VER) 1034 s->d1->handshake_read_seq++; 1035 1036 goto start; 1037 } 1038 1039 /* Unexpected handshake message (Client Hello, or protocol violation) */ 1040 if ((s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && 1041 !s->in_handshake) 1042 { 1043 struct hm_header_st msg_hdr; 1044 1045 /* this may just be a stale retransmit */ 1046 dtls1_get_message_header(rr->data, &msg_hdr); 1047 if( rr->epoch != s->d1->r_epoch) 1048 { 1049 rr->length = 0; 1050 goto start; 1051 } 1052 1053 if (((s->state&SSL_ST_MASK) == SSL_ST_OK) && 1054 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) 1055 { 1056#if 0 /* worked only because C operator preferences are not as expected (and 1057 * because this is not really needed for clients except for detecting 1058 * protocol violations): */ 1059 s->state=SSL_ST_BEFORE|(s->server) 1060 ?SSL_ST_ACCEPT 1061 :SSL_ST_CONNECT; 1062#else 1063 s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; 1064#endif 1065 s->new_session=1; 1066 } 1067 i=s->handshake_func(s); 1068 if (i < 0) return(i); 1069 if (i == 0) 1070 { 1071 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); 1072 return(-1); 1073 } 1074 1075 if (!(s->mode & SSL_MODE_AUTO_RETRY)) 1076 { 1077 if (s->s3->rbuf.left == 0) /* no read-ahead left? */ 1078 { 1079 BIO *bio; 1080 /* In the case where we try to read application data, 1081 * but we trigger an SSL handshake, we return -1 with 1082 * the retry option set. Otherwise renegotiation may 1083 * cause nasty problems in the blocking world */ 1084 s->rwstate=SSL_READING; 1085 bio=SSL_get_rbio(s); 1086 BIO_clear_retry_flags(bio); 1087 BIO_set_retry_read(bio); 1088 return(-1); 1089 } 1090 } 1091 goto start; 1092 } 1093 1094 switch (rr->type) 1095 { 1096 default: 1097#ifndef OPENSSL_NO_TLS 1098 /* TLS just ignores unknown message types */ 1099 if (s->version == TLS1_VERSION) 1100 { 1101 rr->length = 0; 1102 goto start; 1103 } 1104#endif 1105 al=SSL_AD_UNEXPECTED_MESSAGE; 1106 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD); 1107 goto f_err; 1108 case SSL3_RT_CHANGE_CIPHER_SPEC: 1109 case SSL3_RT_ALERT: 1110 case SSL3_RT_HANDSHAKE: 1111 /* we already handled all of these, with the possible exception 1112 * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that 1113 * should not happen when type != rr->type */ 1114 al=SSL_AD_UNEXPECTED_MESSAGE; 1115 SSLerr(SSL_F_DTLS1_READ_BYTES,ERR_R_INTERNAL_ERROR); 1116 goto f_err; 1117 case SSL3_RT_APPLICATION_DATA: 1118 /* At this point, we were expecting handshake data, 1119 * but have application data. If the library was 1120 * running inside ssl3_read() (i.e. in_read_app_data 1121 * is set) and it makes sense to read application data 1122 * at this point (session renegotiation not yet started), 1123 * we will indulge it. 1124 */ 1125 if (s->s3->in_read_app_data && 1126 (s->s3->total_renegotiations != 0) && 1127 (( 1128 (s->state & SSL_ST_CONNECT) && 1129 (s->state >= SSL3_ST_CW_CLNT_HELLO_A) && 1130 (s->state <= SSL3_ST_CR_SRVR_HELLO_A) 1131 ) || ( 1132 (s->state & SSL_ST_ACCEPT) && 1133 (s->state <= SSL3_ST_SW_HELLO_REQ_A) && 1134 (s->state >= SSL3_ST_SR_CLNT_HELLO_A) 1135 ) 1136 )) 1137 { 1138 s->s3->in_read_app_data=2; 1139 return(-1); 1140 } 1141 else 1142 { 1143 al=SSL_AD_UNEXPECTED_MESSAGE; 1144 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD); 1145 goto f_err; 1146 } 1147 } 1148 /* not reached */ 1149 1150f_err: 1151 ssl3_send_alert(s,SSL3_AL_FATAL,al); 1152err: 1153 return(-1); 1154 } 1155 1156int 1157dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len) 1158 { 1159 unsigned int n,tot; 1160 int i; 1161 1162 if (SSL_in_init(s) && !s->in_handshake) 1163 { 1164 i=s->handshake_func(s); 1165 if (i < 0) return(i); 1166 if (i == 0) 1167 { 1168 SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); 1169 return -1; 1170 } 1171 } 1172 1173 tot = s->s3->wnum; 1174 n = len - tot; 1175 1176 while( n) 1177 { 1178 /* dtls1_write_bytes sends one record at a time, sized according to 1179 * the currently known MTU */ 1180 i = dtls1_write_bytes(s, type, buf_, len); 1181 if (i <= 0) return i; 1182 1183 if ((i == (int)n) || 1184 (type == SSL3_RT_APPLICATION_DATA && 1185 (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) 1186 { 1187 /* next chunk of data should get another prepended empty fragment 1188 * in ciphersuites with known-IV weakness: */ 1189 s->s3->empty_fragment_done = 0; 1190 return tot+i; 1191 } 1192 1193 tot += i; 1194 n-=i; 1195 } 1196 1197 return tot; 1198 } 1199 1200 1201 /* this only happens when a client hello is received and a handshake 1202 * is started. */ 1203static int 1204have_handshake_fragment(SSL *s, int type, unsigned char *buf, 1205 int len, int peek) 1206 { 1207 1208 if ((type == SSL3_RT_HANDSHAKE) && (s->d1->handshake_fragment_len > 0)) 1209 /* (partially) satisfy request from storage */ 1210 { 1211 unsigned char *src = s->d1->handshake_fragment; 1212 unsigned char *dst = buf; 1213 unsigned int k,n; 1214 1215 /* peek == 0 */ 1216 n = 0; 1217 while ((len > 0) && (s->d1->handshake_fragment_len > 0)) 1218 { 1219 *dst++ = *src++; 1220 len--; s->d1->handshake_fragment_len--; 1221 n++; 1222 } 1223 /* move any remaining fragment bytes: */ 1224 for (k = 0; k < s->d1->handshake_fragment_len; k++) 1225 s->d1->handshake_fragment[k] = *src++; 1226 return n; 1227 } 1228 1229 return 0; 1230 } 1231 1232 1233 1234 1235/* Call this to write data in records of type 'type' 1236 * It will return <= 0 if not all data has been sent or non-blocking IO. 1237 */ 1238int dtls1_write_bytes(SSL *s, int type, const void *buf_, int len) 1239 { 1240 const unsigned char *buf=buf_; 1241 unsigned int tot,n,nw; 1242 int i; 1243 unsigned int mtu; 1244 unsigned int max_mtu; 1245 1246 s->rwstate=SSL_NOTHING; 1247 tot=s->s3->wnum; 1248 1249 n=(len-tot); 1250 1251 /* handshake layer figures out MTU for itself, but data records 1252 * are also sent through this interface, so need to figure out MTU */ 1253#if 0 1254 mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_MTU, 0, NULL); 1255 mtu += DTLS1_HM_HEADER_LENGTH; /* HM already inserted */ 1256#endif 1257 mtu = s->d1->mtu; 1258 1259 if (!(SSL_get_mode(s) & SSL_MODE_SMALL_BUFFERS)) 1260 { 1261 max_mtu = SSL3_RT_MAX_PLAIN_LENGTH; 1262 } 1263 else 1264 { 1265 max_mtu = SSL3_RT_DEFAULT_PLAIN_LENGTH; 1266 } 1267 1268 if (mtu > max_mtu) 1269 mtu = max_mtu; 1270 1271 if (n > mtu) 1272 nw=mtu; 1273 else 1274 nw=n; 1275 1276 i=do_dtls1_write(s, type, &(buf[tot]), nw, 0); 1277 if (i <= 0) 1278 { 1279 s->s3->wnum=tot; 1280 return i; 1281 } 1282 1283 if ( (int)s->s3->wnum + i == len) 1284 s->s3->wnum = 0; 1285 else 1286 s->s3->wnum += i; 1287 1288 return i; 1289 } 1290 1291int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, int create_empty_fragment) 1292 { 1293 unsigned char *p,*pseq; 1294 int i,mac_size,clear=0; 1295 int prefix_len = 0; 1296 SSL3_RECORD *wr; 1297 SSL3_BUFFER *wb; 1298 SSL_SESSION *sess; 1299 int bs; 1300 1301 /* first check if there is a SSL3_BUFFER still being written 1302 * out. This will happen with non blocking IO */ 1303 if (s->s3->wbuf.left != 0) 1304 { 1305 OPENSSL_assert(0); /* XDTLS: want to see if we ever get here */ 1306 return(ssl3_write_pending(s,type,buf,len)); 1307 } 1308 1309 /* If we have an alert to send, lets send it */ 1310 if (s->s3->alert_dispatch) 1311 { 1312 i=s->method->ssl_dispatch_alert(s); 1313 if (i <= 0) 1314 return(i); 1315 /* if it went, fall through and send more stuff */ 1316 } 1317 1318 if (len == 0 && !create_empty_fragment) 1319 return 0; 1320 1321 wr= &(s->s3->wrec); 1322 wb= &(s->s3->wbuf); 1323 sess=s->session; 1324 1325 if ( (sess == NULL) || 1326 (s->enc_write_ctx == NULL) || 1327 (s->write_hash == NULL)) 1328 clear=1; 1329 1330 if (clear) 1331 mac_size=0; 1332 else 1333 mac_size=EVP_MD_size(s->write_hash); 1334 1335 /* DTLS implements explicit IV, so no need for empty fragments */ 1336#if 0 1337 /* 'create_empty_fragment' is true only when this function calls itself */ 1338 if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done 1339 && SSL_version(s) != DTLS1_VERSION) 1340 { 1341 /* countermeasure against known-IV weakness in CBC ciphersuites 1342 * (see http://www.openssl.org/~bodo/tls-cbc.txt) 1343 */ 1344 1345 if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA) 1346 { 1347 /* recursive function call with 'create_empty_fragment' set; 1348 * this prepares and buffers the data for an empty fragment 1349 * (these 'prefix_len' bytes are sent out later 1350 * together with the actual payload) */ 1351 prefix_len = s->method->do_ssl_write(s, type, buf, 0, 1); 1352 if (prefix_len <= 0) 1353 goto err; 1354 1355 if (s->s3->wbuf.len < (size_t)prefix_len + 1356 ((SSL_get_mode(s) & SSL_MODE_SMALL_BUFFERS) ? SSL3_RT_DEFAULT_PACKET_SIZE : 1357 SSL3_RT_MAX_PACKET_SIZE)) 1358 { 1359 /* insufficient space */ 1360 SSLerr(SSL_F_DO_DTLS1_WRITE, ERR_R_INTERNAL_ERROR); 1361 goto err; 1362 } 1363 } 1364 1365 s->s3->empty_fragment_done = 1; 1366 } 1367#endif 1368 1369 p = wb->buf + prefix_len; 1370 1371 /* write the header */ 1372 1373 *(p++)=type&0xff; 1374 wr->type=type; 1375 1376 if (s->client_version == DTLS1_BAD_VER) 1377 *(p++) = DTLS1_BAD_VER>>8, 1378 *(p++) = DTLS1_BAD_VER&0xff; 1379 else 1380 *(p++)=(s->version>>8), 1381 *(p++)=s->version&0xff; 1382 1383 /* field where we are to write out packet epoch, seq num and len */ 1384 pseq=p; 1385 p+=10; 1386 1387 /* lets setup the record stuff. */ 1388 1389 /* Make space for the explicit IV in case of CBC. 1390 * (this is a bit of a boundary violation, but what the heck). 1391 */ 1392 if ( s->enc_write_ctx && 1393 (EVP_CIPHER_mode( s->enc_write_ctx->cipher ) & EVP_CIPH_CBC_MODE)) 1394 bs = EVP_CIPHER_block_size(s->enc_write_ctx->cipher); 1395 else 1396 bs = 0; 1397 1398 wr->data=p + bs; /* make room for IV in case of CBC */ 1399 wr->length=(int)len; 1400 wr->input=(unsigned char *)buf; 1401 1402 /* we now 'read' from wr->input, wr->length bytes into 1403 * wr->data */ 1404 1405 /* first we compress */ 1406 if (s->compress != NULL) 1407 { 1408 if (!ssl3_do_compress(s)) 1409 { 1410 SSLerr(SSL_F_DO_DTLS1_WRITE,SSL_R_COMPRESSION_FAILURE); 1411 goto err; 1412 } 1413 } 1414 else 1415 { 1416 memcpy(wr->data,wr->input,wr->length); 1417 wr->input=wr->data; 1418 } 1419 1420 /* we should still have the output to wr->data and the input 1421 * from wr->input. Length should be wr->length. 1422 * wr->data still points in the wb->buf */ 1423 1424 if (mac_size != 0) 1425 { 1426 s->method->ssl3_enc->mac(s,&(p[wr->length + bs]),1); 1427 wr->length+=mac_size; 1428 } 1429 1430 /* this is true regardless of mac size */ 1431 wr->input=p; 1432 wr->data=p; 1433 1434 1435 /* ssl3_enc can only have an error on read */ 1436 if (bs) /* bs != 0 in case of CBC */ 1437 { 1438 RAND_pseudo_bytes(p,bs); 1439 /* master IV and last CBC residue stand for 1440 * the rest of randomness */ 1441 wr->length += bs; 1442 } 1443 1444 s->method->ssl3_enc->enc(s,1); 1445 1446 /* record length after mac and block padding */ 1447/* if (type == SSL3_RT_APPLICATION_DATA || 1448 (type == SSL3_RT_ALERT && ! SSL_in_init(s))) */ 1449 1450 /* there's only one epoch between handshake and app data */ 1451 1452 s2n(s->d1->w_epoch, pseq); 1453 1454 /* XDTLS: ?? */ 1455/* else 1456 s2n(s->d1->handshake_epoch, pseq); */ 1457 1458 memcpy(pseq, &(s->s3->write_sequence[2]), 6); 1459 pseq+=6; 1460 s2n(wr->length,pseq); 1461 1462 /* we should now have 1463 * wr->data pointing to the encrypted data, which is 1464 * wr->length long */ 1465 wr->type=type; /* not needed but helps for debugging */ 1466 wr->length+=DTLS1_RT_HEADER_LENGTH; 1467 1468#if 0 /* this is now done at the message layer */ 1469 /* buffer the record, making it easy to handle retransmits */ 1470 if ( type == SSL3_RT_HANDSHAKE || type == SSL3_RT_CHANGE_CIPHER_SPEC) 1471 dtls1_buffer_record(s, wr->data, wr->length, 1472 *((PQ_64BIT *)&(s->s3->write_sequence[0]))); 1473#endif 1474 1475 ssl3_record_sequence_update(&(s->s3->write_sequence[0])); 1476 1477 if (create_empty_fragment) 1478 { 1479 /* we are in a recursive call; 1480 * just return the length, don't write out anything here 1481 */ 1482 return wr->length; 1483 } 1484 1485 /* now let's set up wb */ 1486 wb->left = prefix_len + wr->length; 1487 wb->offset = 0; 1488 1489 /* memorize arguments so that ssl3_write_pending can detect bad write retries later */ 1490 s->s3->wpend_tot=len; 1491 s->s3->wpend_buf=buf; 1492 s->s3->wpend_type=type; 1493 s->s3->wpend_ret=len; 1494 1495 /* we now just need to write the buffer */ 1496 return ssl3_write_pending(s,type,buf,len); 1497err: 1498 return -1; 1499 } 1500 1501 1502 1503static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap, 1504 PQ_64BIT *seq_num) 1505 { 1506#if PQ_64BIT_IS_INTEGER 1507 PQ_64BIT mask = 0x0000000000000001L; 1508#endif 1509 PQ_64BIT rcd_num, tmp; 1510 1511 pq_64bit_init(&rcd_num); 1512 pq_64bit_init(&tmp); 1513 1514 /* this is the sequence number for the record just read */ 1515 pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8); 1516 1517 1518 if (pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) || 1519 pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num))) 1520 { 1521 pq_64bit_assign(seq_num, &rcd_num); 1522 pq_64bit_free(&rcd_num); 1523 pq_64bit_free(&tmp); 1524 return 1; /* this record is new */ 1525 } 1526 1527 pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num); 1528 1529 if ( pq_64bit_get_word(&tmp) > bitmap->length) 1530 { 1531 pq_64bit_free(&rcd_num); 1532 pq_64bit_free(&tmp); 1533 return 0; /* stale, outside the window */ 1534 } 1535 1536#if PQ_64BIT_IS_BIGNUM 1537 { 1538 int offset; 1539 pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num); 1540 pq_64bit_sub_word(&tmp, 1); 1541 offset = pq_64bit_get_word(&tmp); 1542 if ( pq_64bit_is_bit_set(&(bitmap->map), offset)) 1543 { 1544 pq_64bit_free(&rcd_num); 1545 pq_64bit_free(&tmp); 1546 return 0; 1547 } 1548 } 1549#else 1550 mask <<= (bitmap->max_seq_num - rcd_num - 1); 1551 if (bitmap->map & mask) 1552 return 0; /* record previously received */ 1553#endif 1554 1555 pq_64bit_assign(seq_num, &rcd_num); 1556 pq_64bit_free(&rcd_num); 1557 pq_64bit_free(&tmp); 1558 return 1; 1559 } 1560 1561 1562static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap) 1563 { 1564 unsigned int shift; 1565 PQ_64BIT rcd_num; 1566 PQ_64BIT tmp; 1567 PQ_64BIT_CTX *ctx; 1568 1569 pq_64bit_init(&rcd_num); 1570 pq_64bit_init(&tmp); 1571 1572 pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8); 1573 1574 /* unfortunate code complexity due to 64-bit manipulation support 1575 * on 32-bit machines */ 1576 if ( pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) || 1577 pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num))) 1578 { 1579 pq_64bit_sub(&tmp, &rcd_num, &(bitmap->max_seq_num)); 1580 pq_64bit_add_word(&tmp, 1); 1581 1582 shift = (unsigned int)pq_64bit_get_word(&tmp); 1583 1584 pq_64bit_lshift(&(tmp), &(bitmap->map), shift); 1585 pq_64bit_assign(&(bitmap->map), &tmp); 1586 1587 pq_64bit_set_bit(&(bitmap->map), 0); 1588 pq_64bit_add_word(&rcd_num, 1); 1589 pq_64bit_assign(&(bitmap->max_seq_num), &rcd_num); 1590 1591 pq_64bit_assign_word(&tmp, 1); 1592 pq_64bit_lshift(&tmp, &tmp, bitmap->length); 1593 ctx = pq_64bit_ctx_new(&ctx); 1594 pq_64bit_mod(&(bitmap->map), &(bitmap->map), &tmp, ctx); 1595 pq_64bit_ctx_free(ctx); 1596 } 1597 else 1598 { 1599 pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num); 1600 pq_64bit_sub_word(&tmp, 1); 1601 shift = (unsigned int)pq_64bit_get_word(&tmp); 1602 1603 pq_64bit_set_bit(&(bitmap->map), shift); 1604 } 1605 1606 pq_64bit_free(&rcd_num); 1607 pq_64bit_free(&tmp); 1608 } 1609 1610 1611int dtls1_dispatch_alert(SSL *s) 1612 { 1613 int i,j; 1614 void (*cb)(const SSL *ssl,int type,int val)=NULL; 1615 unsigned char buf[DTLS1_AL_HEADER_LENGTH]; 1616 unsigned char *ptr = &buf[0]; 1617 1618 s->s3->alert_dispatch=0; 1619 1620 memset(buf, 0x00, sizeof(buf)); 1621 *ptr++ = s->s3->send_alert[0]; 1622 *ptr++ = s->s3->send_alert[1]; 1623 1624#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE 1625 if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) 1626 { 1627 s2n(s->d1->handshake_read_seq, ptr); 1628#if 0 1629 if ( s->d1->r_msg_hdr.frag_off == 0) /* waiting for a new msg */ 1630 1631 else 1632 s2n(s->d1->r_msg_hdr.seq, ptr); /* partial msg read */ 1633#endif 1634 1635#if 0 1636 fprintf(stderr, "s->d1->handshake_read_seq = %d, s->d1->r_msg_hdr.seq = %d\n",s->d1->handshake_read_seq,s->d1->r_msg_hdr.seq); 1637#endif 1638 l2n3(s->d1->r_msg_hdr.frag_off, ptr); 1639 } 1640#endif 1641 1642 i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0); 1643 if (i <= 0) 1644 { 1645 s->s3->alert_dispatch=1; 1646 /* fprintf( stderr, "not done with alert\n" ); */ 1647 } 1648 else 1649 { 1650 if (s->s3->send_alert[0] == SSL3_AL_FATAL 1651#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE 1652 || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE 1653#endif 1654 ) 1655 (void)BIO_flush(s->wbio); 1656 1657 if (s->msg_callback) 1658 s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, 1659 2, s, s->msg_callback_arg); 1660 1661 if (s->info_callback != NULL) 1662 cb=s->info_callback; 1663 else if (s->ctx->info_callback != NULL) 1664 cb=s->ctx->info_callback; 1665 1666 if (cb != NULL) 1667 { 1668 j=(s->s3->send_alert[0]<<8)|s->s3->send_alert[1]; 1669 cb(s,SSL_CB_WRITE_ALERT,j); 1670 } 1671 } 1672 return(i); 1673 } 1674 1675 1676static DTLS1_BITMAP * 1677dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch) 1678 { 1679 1680 *is_next_epoch = 0; 1681 1682 /* In current epoch, accept HM, CCS, DATA, & ALERT */ 1683 if (rr->epoch == s->d1->r_epoch) 1684 return &s->d1->bitmap; 1685 1686 /* Only HM and ALERT messages can be from the next epoch */ 1687 else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) && 1688 (rr->type == SSL3_RT_HANDSHAKE || 1689 rr->type == SSL3_RT_ALERT)) 1690 { 1691 *is_next_epoch = 1; 1692 return &s->d1->next_bitmap; 1693 } 1694 1695 return NULL; 1696 } 1697 1698#if 0 1699static int 1700dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr, unsigned short *priority, 1701 unsigned long *offset) 1702 { 1703 1704 /* alerts are passed up immediately */ 1705 if ( rr->type == SSL3_RT_APPLICATION_DATA || 1706 rr->type == SSL3_RT_ALERT) 1707 return 0; 1708 1709 /* Only need to buffer if a handshake is underway. 1710 * (this implies that Hello Request and Client Hello are passed up 1711 * immediately) */ 1712 if ( SSL_in_init(s)) 1713 { 1714 unsigned char *data = rr->data; 1715 /* need to extract the HM/CCS sequence number here */ 1716 if ( rr->type == SSL3_RT_HANDSHAKE || 1717 rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) 1718 { 1719 unsigned short seq_num; 1720 struct hm_header_st msg_hdr; 1721 struct ccs_header_st ccs_hdr; 1722 1723 if ( rr->type == SSL3_RT_HANDSHAKE) 1724 { 1725 dtls1_get_message_header(data, &msg_hdr); 1726 seq_num = msg_hdr.seq; 1727 *offset = msg_hdr.frag_off; 1728 } 1729 else 1730 { 1731 dtls1_get_ccs_header(data, &ccs_hdr); 1732 seq_num = ccs_hdr.seq; 1733 *offset = 0; 1734 } 1735 1736 /* this is either a record we're waiting for, or a 1737 * retransmit of something we happened to previously 1738 * receive (higher layers will drop the repeat silently */ 1739 if ( seq_num < s->d1->handshake_read_seq) 1740 return 0; 1741 if (rr->type == SSL3_RT_HANDSHAKE && 1742 seq_num == s->d1->handshake_read_seq && 1743 msg_hdr.frag_off < s->d1->r_msg_hdr.frag_off) 1744 return 0; 1745 else if ( seq_num == s->d1->handshake_read_seq && 1746 (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC || 1747 msg_hdr.frag_off == s->d1->r_msg_hdr.frag_off)) 1748 return 0; 1749 else 1750 { 1751 *priority = seq_num; 1752 return 1; 1753 } 1754 } 1755 else /* unknown record type */ 1756 return 0; 1757 } 1758 1759 return 0; 1760 } 1761#endif 1762 1763void 1764dtls1_reset_seq_numbers(SSL *s, int rw) 1765 { 1766 unsigned char *seq; 1767 unsigned int seq_bytes = sizeof(s->s3->read_sequence); 1768 1769 if ( rw & SSL3_CC_READ) 1770 { 1771 seq = s->s3->read_sequence; 1772 s->d1->r_epoch++; 1773 1774 pq_64bit_assign(&(s->d1->bitmap.map), &(s->d1->next_bitmap.map)); 1775 s->d1->bitmap.length = s->d1->next_bitmap.length; 1776 pq_64bit_assign(&(s->d1->bitmap.max_seq_num), 1777 &(s->d1->next_bitmap.max_seq_num)); 1778 1779 pq_64bit_free(&(s->d1->next_bitmap.map)); 1780 pq_64bit_free(&(s->d1->next_bitmap.max_seq_num)); 1781 memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP)); 1782 pq_64bit_init(&(s->d1->next_bitmap.map)); 1783 pq_64bit_init(&(s->d1->next_bitmap.max_seq_num)); 1784 } 1785 else 1786 { 1787 seq = s->s3->write_sequence; 1788 s->d1->w_epoch++; 1789 } 1790 1791 memset(seq, 0x00, seq_bytes); 1792 } 1793 1794#if PQ_64BIT_IS_INTEGER 1795static PQ_64BIT 1796bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num) 1797 { 1798 PQ_64BIT _num; 1799 1800 _num = (((PQ_64BIT)bytes[0]) << 56) | 1801 (((PQ_64BIT)bytes[1]) << 48) | 1802 (((PQ_64BIT)bytes[2]) << 40) | 1803 (((PQ_64BIT)bytes[3]) << 32) | 1804 (((PQ_64BIT)bytes[4]) << 24) | 1805 (((PQ_64BIT)bytes[5]) << 16) | 1806 (((PQ_64BIT)bytes[6]) << 8) | 1807 (((PQ_64BIT)bytes[7]) ); 1808 1809 *num = _num ; 1810 return _num; 1811 } 1812#endif 1813 1814 1815static void 1816dtls1_clear_timeouts(SSL *s) 1817 { 1818 memset(&(s->d1->timeout), 0x00, sizeof(struct dtls1_timeout_st)); 1819 } 1820