1 /* 2 * DTLS implementation written by Nagendra Modadugu 3 * (nagendra (at) cs.stanford.edu) for the OpenSSL project 2005. 4 */ 5 /* ==================================================================== 6 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * openssl-core (at) openssl.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay (at) cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh (at) cryptsoft.com). 56 * 57 */ 58 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 59 * All rights reserved. 60 * 61 * This package is an SSL implementation written 62 * by Eric Young (eay (at) cryptsoft.com). 63 * The implementation was written so as to conform with Netscapes SSL. 64 * 65 * This library is free for commercial and non-commercial use as long as 66 * the following conditions are aheared to. The following conditions 67 * apply to all code found in this distribution, be it the RC4, RSA, 68 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 69 * included with this distribution is covered by the same copyright terms 70 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 71 * 72 * Copyright remains Eric Young's, and as such any Copyright notices in 73 * the code are not to be removed. 74 * If this package is used in a product, Eric Young should be given attribution 75 * as the author of the parts of the library used. 76 * This can be in the form of a textual message at program startup or 77 * in documentation (online or textual) provided with the package. 78 * 79 * Redistribution and use in source and binary forms, with or without 80 * modification, are permitted provided that the following conditions 81 * are met: 82 * 1. Redistributions of source code must retain the copyright 83 * notice, this list of conditions and the following disclaimer. 84 * 2. Redistributions in binary form must reproduce the above copyright 85 * notice, this list of conditions and the following disclaimer in the 86 * documentation and/or other materials provided with the distribution. 87 * 3. All advertising materials mentioning features or use of this software 88 * must display the following acknowledgement: 89 * "This product includes cryptographic software written by 90 * Eric Young (eay (at) cryptsoft.com)" 91 * The word 'cryptographic' can be left out if the rouines from the library 92 * being used are not cryptographic related :-). 93 * 4. If you include any Windows specific code (or a derivative thereof) from 94 * the apps directory (application code) you must include an acknowledgement: 95 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 96 * 97 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 98 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 99 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 100 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 101 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 102 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 103 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 104 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 105 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 106 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 107 * SUCH DAMAGE. 108 * 109 * The licence and distribution terms for any publically available version or 110 * derivative of this code cannot be changed. i.e. this code cannot simply be 111 * copied and put under another distribution licence 112 * [including the GNU Public Licence.] */ 113 114 #include <assert.h> 115 #include <limits.h> 116 #include <stdio.h> 117 #include <string.h> 118 119 #include <openssl/buf.h> 120 #include <openssl/err.h> 121 #include <openssl/evp.h> 122 #include <openssl/mem.h> 123 #include <openssl/obj.h> 124 #include <openssl/rand.h> 125 #include <openssl/x509.h> 126 127 #include "internal.h" 128 129 130 /* TODO(davidben): 28 comes from the size of IP + UDP header. Is this reasonable 131 * for these values? Notably, why is kMinMTU a function of the transport 132 * protocol's overhead rather than, say, what's needed to hold a minimally-sized 133 * handshake fragment plus protocol overhead. */ 134 135 /* kMinMTU is the minimum acceptable MTU value. */ 136 static const unsigned int kMinMTU = 256 - 28; 137 138 /* kDefaultMTU is the default MTU value to use if neither the user nor 139 * the underlying BIO supplies one. */ 140 static const unsigned int kDefaultMTU = 1500 - 28; 141 142 /* kMaxHandshakeBuffer is the maximum number of handshake messages ahead of the 143 * current one to buffer. */ 144 static const unsigned int kHandshakeBufferSize = 10; 145 146 static void dtls1_fix_message_header(SSL *s, unsigned long frag_off, 147 unsigned long frag_len); 148 static unsigned char *dtls1_write_message_header(SSL *s, unsigned char *p); 149 150 static hm_fragment *dtls1_hm_fragment_new(unsigned long frag_len, 151 int reassembly) { 152 hm_fragment *frag = NULL; 153 uint8_t *buf = NULL; 154 uint8_t *bitmask = NULL; 155 156 frag = (hm_fragment *)OPENSSL_malloc(sizeof(hm_fragment)); 157 if (frag == NULL) { 158 OPENSSL_PUT_ERROR(SSL, dtls1_hm_fragment_new, ERR_R_MALLOC_FAILURE); 159 return NULL; 160 } 161 162 if (frag_len) { 163 buf = (uint8_t *)OPENSSL_malloc(frag_len); 164 if (buf == NULL) { 165 OPENSSL_PUT_ERROR(SSL, dtls1_hm_fragment_new, ERR_R_MALLOC_FAILURE); 166 OPENSSL_free(frag); 167 return NULL; 168 } 169 } 170 171 /* zero length fragment gets zero frag->fragment */ 172 frag->fragment = buf; 173 174 /* Initialize reassembly bitmask if necessary */ 175 if (reassembly && frag_len > 0) { 176 if (frag_len + 7 < frag_len) { 177 OPENSSL_PUT_ERROR(SSL, dtls1_hm_fragment_new, ERR_R_OVERFLOW); 178 return NULL; 179 } 180 size_t bitmask_len = (frag_len + 7) / 8; 181 bitmask = (uint8_t *)OPENSSL_malloc(bitmask_len); 182 if (bitmask == NULL) { 183 OPENSSL_PUT_ERROR(SSL, dtls1_hm_fragment_new, ERR_R_MALLOC_FAILURE); 184 if (buf != NULL) { 185 OPENSSL_free(buf); 186 } 187 OPENSSL_free(frag); 188 return NULL; 189 } 190 memset(bitmask, 0, bitmask_len); 191 } 192 193 frag->reassembly = bitmask; 194 195 return frag; 196 } 197 198 void dtls1_hm_fragment_free(hm_fragment *frag) { 199 if (frag == NULL) { 200 return; 201 } 202 OPENSSL_free(frag->fragment); 203 OPENSSL_free(frag->reassembly); 204 OPENSSL_free(frag); 205 } 206 207 #if !defined(inline) 208 #define inline __inline 209 #endif 210 211 /* bit_range returns a |uint8_t| with bits |start|, inclusive, to |end|, 212 * exclusive, set. */ 213 static inline uint8_t bit_range(size_t start, size_t end) { 214 return (uint8_t)(~((1u << start) - 1) & ((1u << end) - 1)); 215 } 216 217 /* dtls1_hm_fragment_mark marks bytes |start|, inclusive, to |end|, exclusive, 218 * as received in |frag|. If |frag| becomes complete, it clears 219 * |frag->reassembly|. The range must be within the bounds of |frag|'s message 220 * and |frag->reassembly| must not be NULL. */ 221 static void dtls1_hm_fragment_mark(hm_fragment *frag, size_t start, 222 size_t end) { 223 size_t i; 224 size_t msg_len = frag->msg_header.msg_len; 225 226 if (frag->reassembly == NULL || start > end || end > msg_len) { 227 assert(0); 228 return; 229 } 230 /* A zero-length message will never have a pending reassembly. */ 231 assert(msg_len > 0); 232 233 if ((start >> 3) == (end >> 3)) { 234 frag->reassembly[start >> 3] |= bit_range(start & 7, end & 7); 235 } else { 236 frag->reassembly[start >> 3] |= bit_range(start & 7, 8); 237 for (i = (start >> 3) + 1; i < (end >> 3); i++) { 238 frag->reassembly[i] = 0xff; 239 } 240 if ((end & 7) != 0) { 241 frag->reassembly[end >> 3] |= bit_range(0, end & 7); 242 } 243 } 244 245 /* Check if the fragment is complete. */ 246 for (i = 0; i < (msg_len >> 3); i++) { 247 if (frag->reassembly[i] != 0xff) { 248 return; 249 } 250 } 251 if ((msg_len & 7) != 0 && 252 frag->reassembly[msg_len >> 3] != bit_range(0, msg_len & 7)) { 253 return; 254 } 255 256 OPENSSL_free(frag->reassembly); 257 frag->reassembly = NULL; 258 } 259 260 /* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or 261 * SSL3_RT_CHANGE_CIPHER_SPEC) */ 262 int dtls1_do_write(SSL *s, int type, enum dtls1_use_epoch_t use_epoch) { 263 int ret; 264 int curr_mtu; 265 unsigned int len, frag_off; 266 267 /* AHA! Figure out the MTU, and stick to the right size */ 268 if (s->d1->mtu < dtls1_min_mtu() && 269 !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) { 270 long mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL); 271 if (mtu >= 0 && mtu <= (1 << 30) && (unsigned)mtu >= dtls1_min_mtu()) { 272 s->d1->mtu = (unsigned)mtu; 273 } else { 274 s->d1->mtu = kDefaultMTU; 275 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SET_MTU, s->d1->mtu, NULL); 276 } 277 } 278 279 /* should have something reasonable now */ 280 assert(s->d1->mtu >= dtls1_min_mtu()); 281 282 if (s->init_off == 0 && type == SSL3_RT_HANDSHAKE) { 283 assert(s->init_num == 284 (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH); 285 } 286 287 /* Determine the maximum overhead of the current cipher. */ 288 size_t max_overhead = SSL_AEAD_CTX_max_overhead(s->aead_write_ctx); 289 290 frag_off = 0; 291 while (s->init_num) { 292 /* Account for data in the buffering BIO; multiple records may be packed 293 * into a single packet during the handshake. 294 * 295 * TODO(davidben): This is buggy; if the MTU is larger than the buffer size, 296 * the large record will be split across two packets. Moreover, in that 297 * case, the |dtls1_write_bytes| call may not return synchronously. This 298 * will break on retry as the |s->init_off| and |s->init_num| adjustment 299 * will run a second time. */ 300 curr_mtu = s->d1->mtu - BIO_wpending(SSL_get_wbio(s)) - 301 DTLS1_RT_HEADER_LENGTH - max_overhead; 302 303 if (curr_mtu <= DTLS1_HM_HEADER_LENGTH) { 304 /* Flush the buffer and continue with a fresh packet. 305 * 306 * TODO(davidben): If |BIO_flush| is not synchronous and requires multiple 307 * calls to |dtls1_do_write|, |frag_off| will be wrong. */ 308 ret = BIO_flush(SSL_get_wbio(s)); 309 if (ret <= 0) { 310 return ret; 311 } 312 assert(BIO_wpending(SSL_get_wbio(s)) == 0); 313 curr_mtu = s->d1->mtu - DTLS1_RT_HEADER_LENGTH - max_overhead; 314 } 315 316 /* XDTLS: this function is too long. split out the CCS part */ 317 if (type == SSL3_RT_HANDSHAKE) { 318 /* If this isn't the first fragment, reserve space to prepend a new 319 * fragment header. This will override the body of a previous fragment. */ 320 if (s->init_off != 0) { 321 assert(s->init_off > DTLS1_HM_HEADER_LENGTH); 322 s->init_off -= DTLS1_HM_HEADER_LENGTH; 323 s->init_num += DTLS1_HM_HEADER_LENGTH; 324 } 325 326 if (curr_mtu <= DTLS1_HM_HEADER_LENGTH) { 327 /* To make forward progress, the MTU must, at minimum, fit the handshake 328 * header and one byte of handshake body. */ 329 OPENSSL_PUT_ERROR(SSL, dtls1_do_write, SSL_R_MTU_TOO_SMALL); 330 return -1; 331 } 332 333 if (s->init_num > curr_mtu) { 334 len = curr_mtu; 335 } else { 336 len = s->init_num; 337 } 338 assert(len >= DTLS1_HM_HEADER_LENGTH); 339 340 dtls1_fix_message_header(s, frag_off, len - DTLS1_HM_HEADER_LENGTH); 341 dtls1_write_message_header( 342 s, (uint8_t *)&s->init_buf->data[s->init_off]); 343 } else { 344 assert(type == SSL3_RT_CHANGE_CIPHER_SPEC); 345 /* ChangeCipherSpec cannot be fragmented. */ 346 if (s->init_num > curr_mtu) { 347 OPENSSL_PUT_ERROR(SSL, dtls1_do_write, SSL_R_MTU_TOO_SMALL); 348 return -1; 349 } 350 len = s->init_num; 351 } 352 353 ret = dtls1_write_bytes(s, type, &s->init_buf->data[s->init_off], len, 354 use_epoch); 355 if (ret < 0) { 356 return -1; 357 } 358 359 /* bad if this assert fails, only part of the handshake message got sent. 360 * But why would this happen? */ 361 assert(len == (unsigned int)ret); 362 363 if (ret == s->init_num) { 364 if (s->msg_callback) { 365 s->msg_callback(1, s->version, type, s->init_buf->data, 366 (size_t)(s->init_off + s->init_num), s, 367 s->msg_callback_arg); 368 } 369 370 s->init_off = 0; /* done writing this message */ 371 s->init_num = 0; 372 373 return 1; 374 } 375 s->init_off += ret; 376 s->init_num -= ret; 377 frag_off += (ret -= DTLS1_HM_HEADER_LENGTH); 378 } 379 380 return 0; 381 } 382 383 /* dtls1_is_next_message_complete returns one if the next handshake message is 384 * complete and zero otherwise. */ 385 static int dtls1_is_next_message_complete(SSL *s) { 386 pitem *item = pqueue_peek(s->d1->buffered_messages); 387 if (item == NULL) { 388 return 0; 389 } 390 391 hm_fragment *frag = (hm_fragment *)item->data; 392 assert(s->d1->handshake_read_seq <= frag->msg_header.seq); 393 394 return s->d1->handshake_read_seq == frag->msg_header.seq && 395 frag->reassembly == NULL; 396 } 397 398 /* dtls1_discard_fragment_body discards a handshake fragment body of length 399 * |frag_len|. It returns one on success and zero on error. 400 * 401 * TODO(davidben): This function will go away when ssl_read_bytes is gone from 402 * the DTLS side. */ 403 static int dtls1_discard_fragment_body(SSL *s, size_t frag_len) { 404 uint8_t discard[256]; 405 while (frag_len > 0) { 406 size_t chunk = frag_len < sizeof(discard) ? frag_len : sizeof(discard); 407 int ret = dtls1_read_bytes(s, SSL3_RT_HANDSHAKE, discard, chunk, 0); 408 if (ret != chunk) { 409 return 0; 410 } 411 frag_len -= chunk; 412 } 413 return 1; 414 } 415 416 /* dtls1_get_buffered_message returns the buffered message corresponding to 417 * |msg_hdr|. If none exists, it creates a new one and inserts it in the 418 * queue. Otherwise, it checks |msg_hdr| is consistent with the existing one. It 419 * returns NULL on failure. The caller does not take ownership of the result. */ 420 static hm_fragment *dtls1_get_buffered_message( 421 SSL *s, const struct hm_header_st *msg_hdr) { 422 uint8_t seq64be[8]; 423 memset(seq64be, 0, sizeof(seq64be)); 424 seq64be[6] = (uint8_t)(msg_hdr->seq >> 8); 425 seq64be[7] = (uint8_t)msg_hdr->seq; 426 pitem *item = pqueue_find(s->d1->buffered_messages, seq64be); 427 428 hm_fragment *frag; 429 if (item == NULL) { 430 /* This is the first fragment from this message. */ 431 frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 432 1 /* reassembly buffer needed */); 433 if (frag == NULL) { 434 return NULL; 435 } 436 memcpy(&frag->msg_header, msg_hdr, sizeof(*msg_hdr)); 437 item = pitem_new(seq64be, frag); 438 if (item == NULL) { 439 dtls1_hm_fragment_free(frag); 440 return NULL; 441 } 442 item = pqueue_insert(s->d1->buffered_messages, item); 443 /* |pqueue_insert| fails iff a duplicate item is inserted, but |item| cannot 444 * be a duplicate. */ 445 assert(item != NULL); 446 } else { 447 frag = item->data; 448 assert(frag->msg_header.seq == msg_hdr->seq); 449 if (frag->msg_header.type != msg_hdr->type || 450 frag->msg_header.msg_len != msg_hdr->msg_len) { 451 /* The new fragment must be compatible with the previous fragments from 452 * this message. */ 453 OPENSSL_PUT_ERROR(SSL, dtls1_get_buffered_message, 454 SSL_R_FRAGMENT_MISMATCH); 455 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 456 return NULL; 457 } 458 } 459 return frag; 460 } 461 462 /* dtls1_max_handshake_message_len returns the maximum number of bytes 463 * permitted in a DTLS handshake message for |s|. The minimum is 16KB, but may 464 * be greater if the maximum certificate list size requires it. */ 465 static size_t dtls1_max_handshake_message_len(const SSL *s) { 466 size_t max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; 467 if (max_len < s->max_cert_list) { 468 return s->max_cert_list; 469 } 470 return max_len; 471 } 472 473 /* dtls1_process_fragment reads a handshake fragment and processes it. It 474 * returns one if a fragment was successfully processed and 0 or -1 on error. */ 475 static int dtls1_process_fragment(SSL *s) { 476 /* Read handshake message header. 477 * 478 * TODO(davidben): ssl_read_bytes allows splitting the fragment header and 479 * body across two records. Change this interface to consume the fragment in 480 * one pass. */ 481 uint8_t header[DTLS1_HM_HEADER_LENGTH]; 482 int ret = dtls1_read_bytes(s, SSL3_RT_HANDSHAKE, header, 483 DTLS1_HM_HEADER_LENGTH, 0); 484 if (ret <= 0) { 485 return ret; 486 } 487 if (ret != DTLS1_HM_HEADER_LENGTH) { 488 OPENSSL_PUT_ERROR(SSL, dtls1_process_fragment, SSL_R_UNEXPECTED_MESSAGE); 489 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); 490 return -1; 491 } 492 493 /* Parse the message fragment header. */ 494 struct hm_header_st msg_hdr; 495 dtls1_get_message_header(header, &msg_hdr); 496 497 const size_t frag_off = msg_hdr.frag_off; 498 const size_t frag_len = msg_hdr.frag_len; 499 const size_t msg_len = msg_hdr.msg_len; 500 if (frag_off > msg_len || frag_off + frag_len < frag_off || 501 frag_off + frag_len > msg_len || 502 msg_len > dtls1_max_handshake_message_len(s)) { 503 OPENSSL_PUT_ERROR(SSL, dtls1_process_fragment, 504 SSL_R_EXCESSIVE_MESSAGE_SIZE); 505 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 506 return -1; 507 } 508 509 if (msg_hdr.seq < s->d1->handshake_read_seq || 510 msg_hdr.seq > (unsigned)s->d1->handshake_read_seq + 511 kHandshakeBufferSize) { 512 /* Ignore fragments from the past, or ones too far in the future. */ 513 if (!dtls1_discard_fragment_body(s, frag_len)) { 514 return -1; 515 } 516 return 1; 517 } 518 519 hm_fragment *frag = dtls1_get_buffered_message(s, &msg_hdr); 520 if (frag == NULL) { 521 return -1; 522 } 523 assert(frag->msg_header.msg_len == msg_len); 524 525 if (frag->reassembly == NULL) { 526 /* The message is already assembled. */ 527 if (!dtls1_discard_fragment_body(s, frag_len)) { 528 return -1; 529 } 530 return 1; 531 } 532 assert(msg_len > 0); 533 534 /* Read the body of the fragment. */ 535 ret = dtls1_read_bytes(s, SSL3_RT_HANDSHAKE, frag->fragment + frag_off, 536 frag_len, 0); 537 if (ret != frag_len) { 538 OPENSSL_PUT_ERROR(SSL, dtls1_process_fragment, SSL_R_UNEXPECTED_MESSAGE); 539 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); 540 return -1; 541 } 542 dtls1_hm_fragment_mark(frag, frag_off, frag_off + frag_len); 543 544 return 1; 545 } 546 547 /* dtls1_get_message reads a handshake message of message type |msg_type| (any 548 * if |msg_type| == -1), maximum acceptable body length |max|. Read an entire 549 * handshake message. Handshake messages arrive in fragments. */ 550 long dtls1_get_message(SSL *s, int st1, int stn, int msg_type, long max, 551 enum ssl_hash_message_t hash_message, int *ok) { 552 pitem *item = NULL; 553 hm_fragment *frag = NULL; 554 int al; 555 556 /* s3->tmp is used to store messages that are unexpected, caused 557 * by the absence of an optional handshake message */ 558 if (s->s3->tmp.reuse_message) { 559 /* A ssl_dont_hash_message call cannot be combined with reuse_message; the 560 * ssl_dont_hash_message would have to have been applied to the previous 561 * call. */ 562 assert(hash_message == ssl_hash_message); 563 s->s3->tmp.reuse_message = 0; 564 if (msg_type >= 0 && s->s3->tmp.message_type != msg_type) { 565 al = SSL_AD_UNEXPECTED_MESSAGE; 566 OPENSSL_PUT_ERROR(SSL, dtls1_get_message, SSL_R_UNEXPECTED_MESSAGE); 567 goto f_err; 568 } 569 *ok = 1; 570 s->init_msg = (uint8_t *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH; 571 s->init_num = (int)s->s3->tmp.message_size; 572 return s->init_num; 573 } 574 575 /* Process fragments until one is found. */ 576 while (!dtls1_is_next_message_complete(s)) { 577 int ret = dtls1_process_fragment(s); 578 if (ret <= 0) { 579 *ok = 0; 580 return ret; 581 } 582 } 583 584 /* Read out the next complete handshake message. */ 585 item = pqueue_pop(s->d1->buffered_messages); 586 assert(item != NULL); 587 frag = (hm_fragment *)item->data; 588 assert(s->d1->handshake_read_seq == frag->msg_header.seq); 589 assert(frag->reassembly == NULL); 590 591 if (frag->msg_header.msg_len > (size_t)max) { 592 OPENSSL_PUT_ERROR(SSL, dtls1_get_message, SSL_R_EXCESSIVE_MESSAGE_SIZE); 593 goto err; 594 } 595 596 CBB cbb; 597 if (!BUF_MEM_grow(s->init_buf, 598 (size_t)frag->msg_header.msg_len + 599 DTLS1_HM_HEADER_LENGTH) || 600 !CBB_init_fixed(&cbb, (uint8_t *)s->init_buf->data, s->init_buf->max)) { 601 OPENSSL_PUT_ERROR(SSL, dtls1_get_message, ERR_R_MALLOC_FAILURE); 602 goto err; 603 } 604 605 /* Reconstruct the assembled message. */ 606 size_t len; 607 if (!CBB_add_u8(&cbb, frag->msg_header.type) || 608 !CBB_add_u24(&cbb, frag->msg_header.msg_len) || 609 !CBB_add_u16(&cbb, frag->msg_header.seq) || 610 !CBB_add_u24(&cbb, 0 /* frag_off */) || 611 !CBB_add_u24(&cbb, frag->msg_header.msg_len) || 612 !CBB_add_bytes(&cbb, frag->fragment, frag->msg_header.msg_len) || 613 !CBB_finish(&cbb, NULL, &len)) { 614 CBB_cleanup(&cbb); 615 OPENSSL_PUT_ERROR(SSL, dtls1_get_message, ERR_R_INTERNAL_ERROR); 616 goto err; 617 } 618 assert(len == (size_t)frag->msg_header.msg_len + DTLS1_HM_HEADER_LENGTH); 619 620 s->d1->handshake_read_seq++; 621 622 /* TODO(davidben): This function has a lot of implicit outputs. Simplify the 623 * |ssl_get_message| API. */ 624 s->s3->tmp.message_type = frag->msg_header.type; 625 s->s3->tmp.message_size = frag->msg_header.msg_len; 626 s->init_msg = (uint8_t *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH; 627 s->init_num = frag->msg_header.msg_len; 628 629 if (msg_type >= 0 && s->s3->tmp.message_type != msg_type) { 630 al = SSL_AD_UNEXPECTED_MESSAGE; 631 OPENSSL_PUT_ERROR(SSL, dtls1_get_message, SSL_R_UNEXPECTED_MESSAGE); 632 goto f_err; 633 } 634 if (hash_message == ssl_hash_message && !ssl3_hash_current_message(s)) { 635 goto err; 636 } 637 if (s->msg_callback) { 638 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, 639 s->init_num + DTLS1_HM_HEADER_LENGTH, s, 640 s->msg_callback_arg); 641 } 642 643 pitem_free(item); 644 dtls1_hm_fragment_free(frag); 645 646 s->state = stn; 647 *ok = 1; 648 return s->init_num; 649 650 f_err: 651 ssl3_send_alert(s, SSL3_AL_FATAL, al); 652 err: 653 pitem_free(item); 654 dtls1_hm_fragment_free(frag); 655 *ok = 0; 656 return -1; 657 } 658 659 /* for these 2 messages, we need to 660 * ssl->enc_read_ctx re-init 661 * ssl->s3->read_sequence zero 662 * ssl->s3->read_mac_secret re-init 663 * ssl->session->read_sym_enc assign 664 * ssl->session->read_compression assign 665 * ssl->session->read_hash assign */ 666 int dtls1_send_change_cipher_spec(SSL *s, int a, int b) { 667 uint8_t *p; 668 669 if (s->state == a) { 670 p = (uint8_t *)s->init_buf->data; 671 *p++ = SSL3_MT_CCS; 672 s->d1->handshake_write_seq = s->d1->next_handshake_write_seq; 673 s->init_num = DTLS1_CCS_HEADER_LENGTH; 674 675 s->init_off = 0; 676 677 dtls1_set_message_header(s, SSL3_MT_CCS, 0, s->d1->handshake_write_seq, 0, 678 0); 679 680 /* buffer the message to handle re-xmits */ 681 dtls1_buffer_message(s, 1); 682 683 s->state = b; 684 } 685 686 /* SSL3_ST_CW_CHANGE_B */ 687 return dtls1_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC, dtls1_use_current_epoch); 688 } 689 690 int dtls1_read_failed(SSL *s, int code) { 691 if (code > 0) { 692 assert(0); 693 return 1; 694 } 695 696 if (!dtls1_is_timer_expired(s)) { 697 /* not a timeout, none of our business, let higher layers handle this. In 698 * fact, it's probably an error */ 699 return code; 700 } 701 702 if (!SSL_in_init(s)) { 703 /* done, no need to send a retransmit */ 704 BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ); 705 return code; 706 } 707 708 return DTLSv1_handle_timeout(s); 709 } 710 711 int dtls1_get_queue_priority(unsigned short seq, int is_ccs) { 712 /* The index of the retransmission queue actually is the message sequence 713 * number, since the queue only contains messages of a single handshake. 714 * However, the ChangeCipherSpec has no message sequence number and so using 715 * only the sequence will result in the CCS and Finished having the same 716 * index. To prevent this, the sequence number is multiplied by 2. In case of 717 * a CCS 1 is subtracted. This does not only differ CSS and Finished, it also 718 * maintains the order of the index (important for priority queues) and fits 719 * in the unsigned short variable. */ 720 return seq * 2 - is_ccs; 721 } 722 723 static int dtls1_retransmit_message(SSL *s, hm_fragment *frag) { 724 int ret; 725 /* XDTLS: for now assuming that read/writes are blocking */ 726 unsigned long header_length; 727 728 /* assert(s->init_num == 0); 729 assert(s->init_off == 0); */ 730 731 if (frag->msg_header.is_ccs) { 732 header_length = DTLS1_CCS_HEADER_LENGTH; 733 } else { 734 header_length = DTLS1_HM_HEADER_LENGTH; 735 } 736 737 memcpy(s->init_buf->data, frag->fragment, 738 frag->msg_header.msg_len + header_length); 739 s->init_num = frag->msg_header.msg_len + header_length; 740 741 dtls1_set_message_header(s, frag->msg_header.type, 742 frag->msg_header.msg_len, frag->msg_header.seq, 743 0, frag->msg_header.frag_len); 744 745 /* DTLS renegotiation is unsupported, so only epochs 0 (NULL cipher) and 1 746 * (negotiated cipher) exist. */ 747 assert(s->d1->w_epoch == 0 || s->d1->w_epoch == 1); 748 assert(frag->msg_header.epoch <= s->d1->w_epoch); 749 enum dtls1_use_epoch_t use_epoch = dtls1_use_current_epoch; 750 if (s->d1->w_epoch == 1 && frag->msg_header.epoch == 0) { 751 use_epoch = dtls1_use_previous_epoch; 752 } 753 754 ret = dtls1_do_write(s, frag->msg_header.is_ccs ? SSL3_RT_CHANGE_CIPHER_SPEC 755 : SSL3_RT_HANDSHAKE, 756 use_epoch); 757 758 (void)BIO_flush(SSL_get_wbio(s)); 759 return ret; 760 } 761 762 763 int dtls1_retransmit_buffered_messages(SSL *s) { 764 pqueue sent = s->d1->sent_messages; 765 piterator iter = pqueue_iterator(sent); 766 pitem *item; 767 768 for (item = pqueue_next(&iter); item != NULL; item = pqueue_next(&iter)) { 769 hm_fragment *frag = (hm_fragment *)item->data; 770 if (dtls1_retransmit_message(s, frag) <= 0) { 771 return -1; 772 } 773 } 774 775 return 1; 776 } 777 778 int dtls1_buffer_message(SSL *s, int is_ccs) { 779 pitem *item; 780 hm_fragment *frag; 781 uint8_t seq64be[8]; 782 783 /* this function is called immediately after a message has 784 * been serialized */ 785 assert(s->init_off == 0); 786 787 frag = dtls1_hm_fragment_new(s->init_num, 0); 788 if (!frag) { 789 return 0; 790 } 791 792 memcpy(frag->fragment, s->init_buf->data, s->init_num); 793 794 if (is_ccs) { 795 assert(s->d1->w_msg_hdr.msg_len + DTLS1_CCS_HEADER_LENGTH == 796 (unsigned int)s->init_num); 797 } else { 798 assert(s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH == 799 (unsigned int)s->init_num); 800 } 801 802 frag->msg_header.msg_len = s->d1->w_msg_hdr.msg_len; 803 frag->msg_header.seq = s->d1->w_msg_hdr.seq; 804 frag->msg_header.type = s->d1->w_msg_hdr.type; 805 frag->msg_header.frag_off = 0; 806 frag->msg_header.frag_len = s->d1->w_msg_hdr.msg_len; 807 frag->msg_header.is_ccs = is_ccs; 808 frag->msg_header.epoch = s->d1->w_epoch; 809 810 memset(seq64be, 0, sizeof(seq64be)); 811 seq64be[6] = (uint8_t)( 812 dtls1_get_queue_priority(frag->msg_header.seq, frag->msg_header.is_ccs) >> 813 8); 814 seq64be[7] = (uint8_t)( 815 dtls1_get_queue_priority(frag->msg_header.seq, frag->msg_header.is_ccs)); 816 817 item = pitem_new(seq64be, frag); 818 if (item == NULL) { 819 dtls1_hm_fragment_free(frag); 820 return 0; 821 } 822 823 pqueue_insert(s->d1->sent_messages, item); 824 return 1; 825 } 826 827 /* call this function when the buffered messages are no longer needed */ 828 void dtls1_clear_record_buffer(SSL *s) { 829 pitem *item; 830 831 for (item = pqueue_pop(s->d1->sent_messages); item != NULL; 832 item = pqueue_pop(s->d1->sent_messages)) { 833 dtls1_hm_fragment_free((hm_fragment *)item->data); 834 pitem_free(item); 835 } 836 } 837 838 /* don't actually do the writing, wait till the MTU has been retrieved */ 839 void dtls1_set_message_header(SSL *s, uint8_t mt, unsigned long len, 840 unsigned short seq_num, unsigned long frag_off, 841 unsigned long frag_len) { 842 struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; 843 844 msg_hdr->type = mt; 845 msg_hdr->msg_len = len; 846 msg_hdr->seq = seq_num; 847 msg_hdr->frag_off = frag_off; 848 msg_hdr->frag_len = frag_len; 849 } 850 851 static void dtls1_fix_message_header(SSL *s, unsigned long frag_off, 852 unsigned long frag_len) { 853 struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; 854 855 msg_hdr->frag_off = frag_off; 856 msg_hdr->frag_len = frag_len; 857 } 858 859 static uint8_t *dtls1_write_message_header(SSL *s, uint8_t *p) { 860 struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; 861 862 *p++ = msg_hdr->type; 863 l2n3(msg_hdr->msg_len, p); 864 865 s2n(msg_hdr->seq, p); 866 l2n3(msg_hdr->frag_off, p); 867 l2n3(msg_hdr->frag_len, p); 868 869 return p; 870 } 871 872 unsigned int dtls1_min_mtu(void) { 873 return kMinMTU; 874 } 875 876 void dtls1_get_message_header(uint8_t *data, 877 struct hm_header_st *msg_hdr) { 878 memset(msg_hdr, 0x00, sizeof(struct hm_header_st)); 879 msg_hdr->type = *(data++); 880 n2l3(data, msg_hdr->msg_len); 881 882 n2s(data, msg_hdr->seq); 883 n2l3(data, msg_hdr->frag_off); 884 n2l3(data, msg_hdr->frag_len); 885 } 886
