1 /* 2 * DTLS implementation written by Nagendra Modadugu 3 * (nagendra (at) cs.stanford.edu) for the OpenSSL project 2005. 4 */ 5 /* ==================================================================== 6 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * openssl-core (at) openssl.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 * 53 * This product includes cryptographic software written by Eric Young 54 * (eay (at) cryptsoft.com). This product includes software written by Tim 55 * Hudson (tjh (at) cryptsoft.com). 56 * 57 */ 58 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com) 59 * All rights reserved. 60 * 61 * This package is an SSL implementation written 62 * by Eric Young (eay (at) cryptsoft.com). 63 * The implementation was written so as to conform with Netscapes SSL. 64 * 65 * This library is free for commercial and non-commercial use as long as 66 * the following conditions are aheared to. The following conditions 67 * apply to all code found in this distribution, be it the RC4, RSA, 68 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 69 * included with this distribution is covered by the same copyright terms 70 * except that the holder is Tim Hudson (tjh (at) cryptsoft.com). 71 * 72 * Copyright remains Eric Young's, and as such any Copyright notices in 73 * the code are not to be removed. 74 * If this package is used in a product, Eric Young should be given attribution 75 * as the author of the parts of the library used. 76 * This can be in the form of a textual message at program startup or 77 * in documentation (online or textual) provided with the package. 78 * 79 * Redistribution and use in source and binary forms, with or without 80 * modification, are permitted provided that the following conditions 81 * are met: 82 * 1. Redistributions of source code must retain the copyright 83 * notice, this list of conditions and the following disclaimer. 84 * 2. Redistributions in binary form must reproduce the above copyright 85 * notice, this list of conditions and the following disclaimer in the 86 * documentation and/or other materials provided with the distribution. 87 * 3. All advertising materials mentioning features or use of this software 88 * must display the following acknowledgement: 89 * "This product includes cryptographic software written by 90 * Eric Young (eay (at) cryptsoft.com)" 91 * The word 'cryptographic' can be left out if the rouines from the library 92 * being used are not cryptographic related :-). 93 * 4. If you include any Windows specific code (or a derivative thereof) from 94 * the apps directory (application code) you must include an acknowledgement: 95 * "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)" 96 * 97 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 98 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 99 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 100 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 101 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 102 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 103 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 104 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 105 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 106 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 107 * SUCH DAMAGE. 108 * 109 * The licence and distribution terms for any publically available version or 110 * derivative of this code cannot be changed. i.e. this code cannot simply be 111 * copied and put under another distribution licence 112 * [including the GNU Public Licence.] */ 113 114 #include <openssl/ssl.h> 115 116 #include <assert.h> 117 #include <limits.h> 118 #include <stdio.h> 119 #include <string.h> 120 121 #include <openssl/buf.h> 122 #include <openssl/err.h> 123 #include <openssl/evp.h> 124 #include <openssl/mem.h> 125 #include <openssl/obj.h> 126 #include <openssl/rand.h> 127 #include <openssl/x509.h> 128 129 #include "internal.h" 130 131 132 /* TODO(davidben): 28 comes from the size of IP + UDP header. Is this reasonable 133 * for these values? Notably, why is kMinMTU a function of the transport 134 * protocol's overhead rather than, say, what's needed to hold a minimally-sized 135 * handshake fragment plus protocol overhead. */ 136 137 /* kMinMTU is the minimum acceptable MTU value. */ 138 static const unsigned int kMinMTU = 256 - 28; 139 140 /* kDefaultMTU is the default MTU value to use if neither the user nor 141 * the underlying BIO supplies one. */ 142 static const unsigned int kDefaultMTU = 1500 - 28; 143 144 /* kMaxHandshakeBuffer is the maximum number of handshake messages ahead of the 145 * current one to buffer. */ 146 static const unsigned int kHandshakeBufferSize = 10; 147 148 static hm_fragment *dtls1_hm_fragment_new(size_t frag_len, int reassembly) { 149 hm_fragment *frag = OPENSSL_malloc(sizeof(hm_fragment)); 150 if (frag == NULL) { 151 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 152 return NULL; 153 } 154 memset(frag, 0, sizeof(hm_fragment)); 155 156 /* If the handshake message is empty, |frag->fragment| and |frag->reassembly| 157 * are NULL. */ 158 if (frag_len > 0) { 159 frag->fragment = OPENSSL_malloc(frag_len); 160 if (frag->fragment == NULL) { 161 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 162 goto err; 163 } 164 165 if (reassembly) { 166 /* Initialize reassembly bitmask. */ 167 if (frag_len + 7 < frag_len) { 168 OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW); 169 goto err; 170 } 171 size_t bitmask_len = (frag_len + 7) / 8; 172 frag->reassembly = OPENSSL_malloc(bitmask_len); 173 if (frag->reassembly == NULL) { 174 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 175 goto err; 176 } 177 memset(frag->reassembly, 0, bitmask_len); 178 } 179 } 180 181 return frag; 182 183 err: 184 dtls1_hm_fragment_free(frag); 185 return NULL; 186 } 187 188 void dtls1_hm_fragment_free(hm_fragment *frag) { 189 if (frag == NULL) { 190 return; 191 } 192 OPENSSL_free(frag->fragment); 193 OPENSSL_free(frag->reassembly); 194 OPENSSL_free(frag); 195 } 196 197 #if !defined(inline) 198 #define inline __inline 199 #endif 200 201 /* bit_range returns a |uint8_t| with bits |start|, inclusive, to |end|, 202 * exclusive, set. */ 203 static inline uint8_t bit_range(size_t start, size_t end) { 204 return (uint8_t)(~((1u << start) - 1) & ((1u << end) - 1)); 205 } 206 207 /* dtls1_hm_fragment_mark marks bytes |start|, inclusive, to |end|, exclusive, 208 * as received in |frag|. If |frag| becomes complete, it clears 209 * |frag->reassembly|. The range must be within the bounds of |frag|'s message 210 * and |frag->reassembly| must not be NULL. */ 211 static void dtls1_hm_fragment_mark(hm_fragment *frag, size_t start, 212 size_t end) { 213 size_t i; 214 size_t msg_len = frag->msg_header.msg_len; 215 216 if (frag->reassembly == NULL || start > end || end > msg_len) { 217 assert(0); 218 return; 219 } 220 /* A zero-length message will never have a pending reassembly. */ 221 assert(msg_len > 0); 222 223 if ((start >> 3) == (end >> 3)) { 224 frag->reassembly[start >> 3] |= bit_range(start & 7, end & 7); 225 } else { 226 frag->reassembly[start >> 3] |= bit_range(start & 7, 8); 227 for (i = (start >> 3) + 1; i < (end >> 3); i++) { 228 frag->reassembly[i] = 0xff; 229 } 230 if ((end & 7) != 0) { 231 frag->reassembly[end >> 3] |= bit_range(0, end & 7); 232 } 233 } 234 235 /* Check if the fragment is complete. */ 236 for (i = 0; i < (msg_len >> 3); i++) { 237 if (frag->reassembly[i] != 0xff) { 238 return; 239 } 240 } 241 if ((msg_len & 7) != 0 && 242 frag->reassembly[msg_len >> 3] != bit_range(0, msg_len & 7)) { 243 return; 244 } 245 246 OPENSSL_free(frag->reassembly); 247 frag->reassembly = NULL; 248 } 249 250 static void dtls1_update_mtu(SSL *ssl) { 251 /* TODO(davidben): What is this code doing and do we need it? */ 252 if (ssl->d1->mtu < dtls1_min_mtu() && 253 !(SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) { 254 long mtu = BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL); 255 if (mtu >= 0 && mtu <= (1 << 30) && (unsigned)mtu >= dtls1_min_mtu()) { 256 ssl->d1->mtu = (unsigned)mtu; 257 } else { 258 ssl->d1->mtu = kDefaultMTU; 259 BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SET_MTU, ssl->d1->mtu, NULL); 260 } 261 } 262 263 /* The MTU should be above the minimum now. */ 264 assert(ssl->d1->mtu >= dtls1_min_mtu()); 265 } 266 267 /* dtls1_max_record_size returns the maximum record body length that may be 268 * written without exceeding the MTU. It accounts for any buffering installed on 269 * the write BIO. If no record may be written, it returns zero. */ 270 static size_t dtls1_max_record_size(SSL *ssl) { 271 size_t ret = ssl->d1->mtu; 272 273 size_t overhead = ssl_max_seal_overhead(ssl); 274 if (ret <= overhead) { 275 return 0; 276 } 277 ret -= overhead; 278 279 size_t pending = BIO_wpending(SSL_get_wbio(ssl)); 280 if (ret <= pending) { 281 return 0; 282 } 283 ret -= pending; 284 285 return ret; 286 } 287 288 static int dtls1_write_change_cipher_spec(SSL *ssl, 289 enum dtls1_use_epoch_t use_epoch) { 290 dtls1_update_mtu(ssl); 291 292 /* During the handshake, wbio is buffered to pack messages together. Flush the 293 * buffer if the ChangeCipherSpec would not fit in a packet. */ 294 if (dtls1_max_record_size(ssl) == 0) { 295 ssl->rwstate = SSL_WRITING; 296 int ret = BIO_flush(SSL_get_wbio(ssl)); 297 if (ret <= 0) { 298 return ret; 299 } 300 ssl->rwstate = SSL_NOTHING; 301 } 302 303 static const uint8_t kChangeCipherSpec[1] = {SSL3_MT_CCS}; 304 int ret = 305 dtls1_write_bytes(ssl, SSL3_RT_CHANGE_CIPHER_SPEC, kChangeCipherSpec, 306 sizeof(kChangeCipherSpec), use_epoch); 307 if (ret <= 0) { 308 return ret; 309 } 310 311 if (ssl->msg_callback != NULL) { 312 ssl->msg_callback(1 /* write */, ssl->version, SSL3_RT_CHANGE_CIPHER_SPEC, 313 kChangeCipherSpec, sizeof(kChangeCipherSpec), ssl, 314 ssl->msg_callback_arg); 315 } 316 317 return 1; 318 } 319 320 int dtls1_do_handshake_write(SSL *ssl, enum dtls1_use_epoch_t use_epoch) { 321 dtls1_update_mtu(ssl); 322 323 int ret = -1; 324 CBB cbb; 325 CBB_zero(&cbb); 326 /* Allocate a temporary buffer to hold the message fragments to avoid 327 * clobbering the message. */ 328 uint8_t *buf = OPENSSL_malloc(ssl->d1->mtu); 329 if (buf == NULL) { 330 goto err; 331 } 332 333 /* Consume the message header. Fragments will have different headers 334 * prepended. */ 335 if (ssl->init_off == 0) { 336 ssl->init_off += DTLS1_HM_HEADER_LENGTH; 337 ssl->init_num -= DTLS1_HM_HEADER_LENGTH; 338 } 339 assert(ssl->init_off >= DTLS1_HM_HEADER_LENGTH); 340 341 do { 342 /* During the handshake, wbio is buffered to pack messages together. Flush 343 * the buffer if there isn't enough room to make progress. */ 344 if (dtls1_max_record_size(ssl) < DTLS1_HM_HEADER_LENGTH + 1) { 345 ssl->rwstate = SSL_WRITING; 346 int flush_ret = BIO_flush(SSL_get_wbio(ssl)); 347 if (flush_ret <= 0) { 348 ret = flush_ret; 349 goto err; 350 } 351 ssl->rwstate = SSL_NOTHING; 352 assert(BIO_wpending(SSL_get_wbio(ssl)) == 0); 353 } 354 355 size_t todo = dtls1_max_record_size(ssl); 356 if (todo < DTLS1_HM_HEADER_LENGTH + 1) { 357 /* To make forward progress, the MTU must, at minimum, fit the handshake 358 * header and one byte of handshake body. */ 359 OPENSSL_PUT_ERROR(SSL, SSL_R_MTU_TOO_SMALL); 360 goto err; 361 } 362 todo -= DTLS1_HM_HEADER_LENGTH; 363 364 if (todo > (size_t)ssl->init_num) { 365 todo = ssl->init_num; 366 } 367 if (todo >= (1u << 24)) { 368 todo = (1u << 24) - 1; 369 } 370 371 size_t len; 372 if (!CBB_init_fixed(&cbb, buf, ssl->d1->mtu) || 373 !CBB_add_u8(&cbb, ssl->d1->w_msg_hdr.type) || 374 !CBB_add_u24(&cbb, ssl->d1->w_msg_hdr.msg_len) || 375 !CBB_add_u16(&cbb, ssl->d1->w_msg_hdr.seq) || 376 !CBB_add_u24(&cbb, ssl->init_off - DTLS1_HM_HEADER_LENGTH) || 377 !CBB_add_u24(&cbb, todo) || 378 !CBB_add_bytes( 379 &cbb, (const uint8_t *)ssl->init_buf->data + ssl->init_off, todo) || 380 !CBB_finish(&cbb, NULL, &len)) { 381 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 382 goto err; 383 } 384 385 int write_ret = dtls1_write_bytes(ssl, SSL3_RT_HANDSHAKE, buf, len, 386 use_epoch); 387 if (write_ret <= 0) { 388 ret = write_ret; 389 goto err; 390 } 391 ssl->init_off += todo; 392 ssl->init_num -= todo; 393 } while (ssl->init_num > 0); 394 395 if (ssl->msg_callback != NULL) { 396 ssl->msg_callback( 397 1 /* write */, ssl->version, SSL3_RT_HANDSHAKE, ssl->init_buf->data, 398 (size_t)(ssl->init_off + ssl->init_num), ssl, ssl->msg_callback_arg); 399 } 400 401 ssl->init_off = 0; 402 ssl->init_num = 0; 403 404 ret = 1; 405 406 err: 407 CBB_cleanup(&cbb); 408 OPENSSL_free(buf); 409 return ret; 410 } 411 412 /* dtls1_is_next_message_complete returns one if the next handshake message is 413 * complete and zero otherwise. */ 414 static int dtls1_is_next_message_complete(SSL *ssl) { 415 pitem *item = pqueue_peek(ssl->d1->buffered_messages); 416 if (item == NULL) { 417 return 0; 418 } 419 420 hm_fragment *frag = (hm_fragment *)item->data; 421 assert(ssl->d1->handshake_read_seq <= frag->msg_header.seq); 422 423 return ssl->d1->handshake_read_seq == frag->msg_header.seq && 424 frag->reassembly == NULL; 425 } 426 427 /* dtls1_discard_fragment_body discards a handshake fragment body of length 428 * |frag_len|. It returns one on success and zero on error. 429 * 430 * TODO(davidben): This function will go away when ssl_read_bytes is gone from 431 * the DTLS side. */ 432 static int dtls1_discard_fragment_body(SSL *ssl, size_t frag_len) { 433 uint8_t discard[256]; 434 while (frag_len > 0) { 435 size_t chunk = frag_len < sizeof(discard) ? frag_len : sizeof(discard); 436 int ret = dtls1_read_bytes(ssl, SSL3_RT_HANDSHAKE, discard, chunk, 0); 437 if (ret != (int) chunk) { 438 return 0; 439 } 440 frag_len -= chunk; 441 } 442 return 1; 443 } 444 445 /* dtls1_get_buffered_message returns the buffered message corresponding to 446 * |msg_hdr|. If none exists, it creates a new one and inserts it in the 447 * queue. Otherwise, it checks |msg_hdr| is consistent with the existing one. It 448 * returns NULL on failure. The caller does not take ownership of the result. */ 449 static hm_fragment *dtls1_get_buffered_message( 450 SSL *ssl, const struct hm_header_st *msg_hdr) { 451 uint8_t seq64be[8]; 452 memset(seq64be, 0, sizeof(seq64be)); 453 seq64be[6] = (uint8_t)(msg_hdr->seq >> 8); 454 seq64be[7] = (uint8_t)msg_hdr->seq; 455 pitem *item = pqueue_find(ssl->d1->buffered_messages, seq64be); 456 457 hm_fragment *frag; 458 if (item == NULL) { 459 /* This is the first fragment from this message. */ 460 frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 461 1 /* reassembly buffer needed */); 462 if (frag == NULL) { 463 return NULL; 464 } 465 memcpy(&frag->msg_header, msg_hdr, sizeof(*msg_hdr)); 466 item = pitem_new(seq64be, frag); 467 if (item == NULL) { 468 dtls1_hm_fragment_free(frag); 469 return NULL; 470 } 471 item = pqueue_insert(ssl->d1->buffered_messages, item); 472 /* |pqueue_insert| fails iff a duplicate item is inserted, but |item| cannot 473 * be a duplicate. */ 474 assert(item != NULL); 475 } else { 476 frag = item->data; 477 assert(frag->msg_header.seq == msg_hdr->seq); 478 if (frag->msg_header.type != msg_hdr->type || 479 frag->msg_header.msg_len != msg_hdr->msg_len) { 480 /* The new fragment must be compatible with the previous fragments from 481 * this message. */ 482 OPENSSL_PUT_ERROR(SSL, SSL_R_FRAGMENT_MISMATCH); 483 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 484 return NULL; 485 } 486 } 487 return frag; 488 } 489 490 /* dtls1_max_handshake_message_len returns the maximum number of bytes 491 * permitted in a DTLS handshake message for |ssl|. The minimum is 16KB, but may 492 * be greater if the maximum certificate list size requires it. */ 493 static size_t dtls1_max_handshake_message_len(const SSL *ssl) { 494 size_t max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; 495 if (max_len < ssl->max_cert_list) { 496 return ssl->max_cert_list; 497 } 498 return max_len; 499 } 500 501 /* dtls1_process_fragment reads a handshake fragment and processes it. It 502 * returns one if a fragment was successfully processed and 0 or -1 on error. */ 503 static int dtls1_process_fragment(SSL *ssl) { 504 /* Read handshake message header. */ 505 uint8_t header[DTLS1_HM_HEADER_LENGTH]; 506 int ret = dtls1_read_bytes(ssl, SSL3_RT_HANDSHAKE, header, 507 DTLS1_HM_HEADER_LENGTH, 0); 508 if (ret <= 0) { 509 return ret; 510 } 511 if (ret != DTLS1_HM_HEADER_LENGTH) { 512 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE); 513 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); 514 return -1; 515 } 516 517 /* Parse the message fragment header. */ 518 struct hm_header_st msg_hdr; 519 dtls1_get_message_header(header, &msg_hdr); 520 521 /* TODO(davidben): dtls1_read_bytes is the wrong abstraction for DTLS. There 522 * should be no need to reach into |ssl->s3->rrec.length|. */ 523 const size_t frag_off = msg_hdr.frag_off; 524 const size_t frag_len = msg_hdr.frag_len; 525 const size_t msg_len = msg_hdr.msg_len; 526 if (frag_off > msg_len || frag_off + frag_len < frag_off || 527 frag_off + frag_len > msg_len || 528 msg_len > dtls1_max_handshake_message_len(ssl) || 529 frag_len > ssl->s3->rrec.length) { 530 OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE); 531 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 532 return -1; 533 } 534 535 if (msg_hdr.seq < ssl->d1->handshake_read_seq || 536 msg_hdr.seq > (unsigned)ssl->d1->handshake_read_seq + 537 kHandshakeBufferSize) { 538 /* Ignore fragments from the past, or ones too far in the future. */ 539 if (!dtls1_discard_fragment_body(ssl, frag_len)) { 540 return -1; 541 } 542 return 1; 543 } 544 545 hm_fragment *frag = dtls1_get_buffered_message(ssl, &msg_hdr); 546 if (frag == NULL) { 547 return -1; 548 } 549 assert(frag->msg_header.msg_len == msg_len); 550 551 if (frag->reassembly == NULL) { 552 /* The message is already assembled. */ 553 if (!dtls1_discard_fragment_body(ssl, frag_len)) { 554 return -1; 555 } 556 return 1; 557 } 558 assert(msg_len > 0); 559 560 /* Read the body of the fragment. */ 561 ret = dtls1_read_bytes(ssl, SSL3_RT_HANDSHAKE, frag->fragment + frag_off, 562 frag_len, 0); 563 if (ret != (int) frag_len) { 564 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 565 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 566 return -1; 567 } 568 dtls1_hm_fragment_mark(frag, frag_off, frag_off + frag_len); 569 570 return 1; 571 } 572 573 /* dtls1_get_message reads a handshake message of message type |msg_type| (any 574 * if |msg_type| == -1), maximum acceptable body length |max|. Read an entire 575 * handshake message. Handshake messages arrive in fragments. */ 576 long dtls1_get_message(SSL *ssl, int st1, int stn, int msg_type, long max, 577 enum ssl_hash_message_t hash_message, int *ok) { 578 pitem *item = NULL; 579 hm_fragment *frag = NULL; 580 int al; 581 582 /* s3->tmp is used to store messages that are unexpected, caused 583 * by the absence of an optional handshake message */ 584 if (ssl->s3->tmp.reuse_message) { 585 /* A ssl_dont_hash_message call cannot be combined with reuse_message; the 586 * ssl_dont_hash_message would have to have been applied to the previous 587 * call. */ 588 assert(hash_message == ssl_hash_message); 589 ssl->s3->tmp.reuse_message = 0; 590 if (msg_type >= 0 && ssl->s3->tmp.message_type != msg_type) { 591 al = SSL_AD_UNEXPECTED_MESSAGE; 592 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE); 593 goto f_err; 594 } 595 *ok = 1; 596 ssl->init_msg = (uint8_t *)ssl->init_buf->data + DTLS1_HM_HEADER_LENGTH; 597 ssl->init_num = (int)ssl->s3->tmp.message_size; 598 return ssl->init_num; 599 } 600 601 /* Process fragments until one is found. */ 602 while (!dtls1_is_next_message_complete(ssl)) { 603 int ret = dtls1_process_fragment(ssl); 604 if (ret <= 0) { 605 *ok = 0; 606 return ret; 607 } 608 } 609 610 /* Read out the next complete handshake message. */ 611 item = pqueue_pop(ssl->d1->buffered_messages); 612 assert(item != NULL); 613 frag = (hm_fragment *)item->data; 614 assert(ssl->d1->handshake_read_seq == frag->msg_header.seq); 615 assert(frag->reassembly == NULL); 616 617 if (frag->msg_header.msg_len > (size_t)max) { 618 OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE); 619 goto err; 620 } 621 622 /* Reconstruct the assembled message. */ 623 size_t len; 624 CBB cbb; 625 CBB_zero(&cbb); 626 if (!BUF_MEM_grow(ssl->init_buf, (size_t)frag->msg_header.msg_len + 627 DTLS1_HM_HEADER_LENGTH) || 628 !CBB_init_fixed(&cbb, (uint8_t *)ssl->init_buf->data, 629 ssl->init_buf->max) || 630 !CBB_add_u8(&cbb, frag->msg_header.type) || 631 !CBB_add_u24(&cbb, frag->msg_header.msg_len) || 632 !CBB_add_u16(&cbb, frag->msg_header.seq) || 633 !CBB_add_u24(&cbb, 0 /* frag_off */) || 634 !CBB_add_u24(&cbb, frag->msg_header.msg_len) || 635 !CBB_add_bytes(&cbb, frag->fragment, frag->msg_header.msg_len) || 636 !CBB_finish(&cbb, NULL, &len)) { 637 CBB_cleanup(&cbb); 638 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 639 goto err; 640 } 641 assert(len == (size_t)frag->msg_header.msg_len + DTLS1_HM_HEADER_LENGTH); 642 643 ssl->d1->handshake_read_seq++; 644 645 /* TODO(davidben): This function has a lot of implicit outputs. Simplify the 646 * |ssl_get_message| API. */ 647 ssl->s3->tmp.message_type = frag->msg_header.type; 648 ssl->s3->tmp.message_size = frag->msg_header.msg_len; 649 ssl->init_msg = (uint8_t *)ssl->init_buf->data + DTLS1_HM_HEADER_LENGTH; 650 ssl->init_num = frag->msg_header.msg_len; 651 652 if (msg_type >= 0 && ssl->s3->tmp.message_type != msg_type) { 653 al = SSL_AD_UNEXPECTED_MESSAGE; 654 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE); 655 goto f_err; 656 } 657 if (hash_message == ssl_hash_message && !ssl3_hash_current_message(ssl)) { 658 goto err; 659 } 660 if (ssl->msg_callback) { 661 ssl->msg_callback(0, ssl->version, SSL3_RT_HANDSHAKE, ssl->init_buf->data, 662 ssl->init_num + DTLS1_HM_HEADER_LENGTH, ssl, 663 ssl->msg_callback_arg); 664 } 665 666 pitem_free(item); 667 dtls1_hm_fragment_free(frag); 668 669 ssl->state = stn; 670 *ok = 1; 671 return ssl->init_num; 672 673 f_err: 674 ssl3_send_alert(ssl, SSL3_AL_FATAL, al); 675 err: 676 pitem_free(item); 677 dtls1_hm_fragment_free(frag); 678 *ok = 0; 679 return -1; 680 } 681 682 int dtls1_read_failed(SSL *ssl, int code) { 683 if (code > 0) { 684 assert(0); 685 return 1; 686 } 687 688 if (!dtls1_is_timer_expired(ssl)) { 689 /* not a timeout, none of our business, let higher layers handle this. In 690 * fact, it's probably an error */ 691 return code; 692 } 693 694 if (!SSL_in_init(ssl)) { 695 /* done, no need to send a retransmit */ 696 BIO_set_flags(SSL_get_rbio(ssl), BIO_FLAGS_READ); 697 return code; 698 } 699 700 return DTLSv1_handle_timeout(ssl); 701 } 702 703 static uint16_t dtls1_get_queue_priority(uint16_t seq, int is_ccs) { 704 assert(seq * 2 >= seq); 705 706 /* The index of the retransmission queue actually is the message sequence 707 * number, since the queue only contains messages of a single handshake. 708 * However, the ChangeCipherSpec has no message sequence number and so using 709 * only the sequence will result in the CCS and Finished having the same 710 * index. To prevent this, the sequence number is multiplied by 2. In case of 711 * a CCS 1 is subtracted. This does not only differ CSS and Finished, it also 712 * maintains the order of the index (important for priority queues) and fits 713 * in the unsigned short variable. */ 714 return seq * 2 - is_ccs; 715 } 716 717 static int dtls1_retransmit_message(SSL *ssl, hm_fragment *frag) { 718 /* DTLS renegotiation is unsupported, so only epochs 0 (NULL cipher) and 1 719 * (negotiated cipher) exist. */ 720 assert(ssl->d1->w_epoch == 0 || ssl->d1->w_epoch == 1); 721 assert(frag->msg_header.epoch <= ssl->d1->w_epoch); 722 enum dtls1_use_epoch_t use_epoch = dtls1_use_current_epoch; 723 if (ssl->d1->w_epoch == 1 && frag->msg_header.epoch == 0) { 724 use_epoch = dtls1_use_previous_epoch; 725 } 726 727 /* TODO(davidben): This cannot handle non-blocking writes. */ 728 int ret; 729 if (frag->msg_header.is_ccs) { 730 ret = dtls1_write_change_cipher_spec(ssl, use_epoch); 731 } else { 732 /* Restore the message body. 733 * TODO(davidben): Make this less stateful. */ 734 memcpy(ssl->init_buf->data, frag->fragment, 735 frag->msg_header.msg_len + DTLS1_HM_HEADER_LENGTH); 736 ssl->init_num = frag->msg_header.msg_len + DTLS1_HM_HEADER_LENGTH; 737 738 dtls1_set_message_header(ssl, frag->msg_header.type, 739 frag->msg_header.msg_len, frag->msg_header.seq, 740 0, frag->msg_header.frag_len); 741 ret = dtls1_do_handshake_write(ssl, use_epoch); 742 } 743 744 /* TODO(davidben): Check return value? */ 745 (void)BIO_flush(SSL_get_wbio(ssl)); 746 return ret; 747 } 748 749 750 int dtls1_retransmit_buffered_messages(SSL *ssl) { 751 pqueue sent = ssl->d1->sent_messages; 752 piterator iter = pqueue_iterator(sent); 753 pitem *item; 754 755 for (item = pqueue_next(&iter); item != NULL; item = pqueue_next(&iter)) { 756 hm_fragment *frag = (hm_fragment *)item->data; 757 if (dtls1_retransmit_message(ssl, frag) <= 0) { 758 return -1; 759 } 760 } 761 762 return 1; 763 } 764 765 /* dtls1_buffer_change_cipher_spec adds a ChangeCipherSpec to the current 766 * handshake flight, ordered just before the handshake message numbered 767 * |seq|. */ 768 static int dtls1_buffer_change_cipher_spec(SSL *ssl, uint16_t seq) { 769 hm_fragment *frag = dtls1_hm_fragment_new(0 /* frag_len */, 770 0 /* no reassembly */); 771 if (frag == NULL) { 772 return 0; 773 } 774 frag->msg_header.is_ccs = 1; 775 frag->msg_header.epoch = ssl->d1->w_epoch; 776 777 uint16_t priority = dtls1_get_queue_priority(seq, 1 /* is_ccs */); 778 uint8_t seq64be[8]; 779 memset(seq64be, 0, sizeof(seq64be)); 780 seq64be[6] = (uint8_t)(priority >> 8); 781 seq64be[7] = (uint8_t)priority; 782 783 pitem *item = pitem_new(seq64be, frag); 784 if (item == NULL) { 785 dtls1_hm_fragment_free(frag); 786 return 0; 787 } 788 789 pqueue_insert(ssl->d1->sent_messages, item); 790 return 1; 791 } 792 793 int dtls1_buffer_message(SSL *ssl) { 794 /* this function is called immediately after a message has 795 * been serialized */ 796 assert(ssl->init_off == 0); 797 798 hm_fragment *frag = dtls1_hm_fragment_new(ssl->init_num, 0); 799 if (!frag) { 800 return 0; 801 } 802 803 memcpy(frag->fragment, ssl->init_buf->data, ssl->init_num); 804 805 assert(ssl->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH == 806 (unsigned int)ssl->init_num); 807 808 frag->msg_header.msg_len = ssl->d1->w_msg_hdr.msg_len; 809 frag->msg_header.seq = ssl->d1->w_msg_hdr.seq; 810 frag->msg_header.type = ssl->d1->w_msg_hdr.type; 811 frag->msg_header.frag_off = 0; 812 frag->msg_header.frag_len = ssl->d1->w_msg_hdr.msg_len; 813 frag->msg_header.is_ccs = 0; 814 frag->msg_header.epoch = ssl->d1->w_epoch; 815 816 uint16_t priority = dtls1_get_queue_priority(frag->msg_header.seq, 817 0 /* handshake */); 818 uint8_t seq64be[8]; 819 memset(seq64be, 0, sizeof(seq64be)); 820 seq64be[6] = (uint8_t)(priority >> 8); 821 seq64be[7] = (uint8_t)priority; 822 823 pitem *item = pitem_new(seq64be, frag); 824 if (item == NULL) { 825 dtls1_hm_fragment_free(frag); 826 return 0; 827 } 828 829 pqueue_insert(ssl->d1->sent_messages, item); 830 return 1; 831 } 832 833 int dtls1_send_change_cipher_spec(SSL *ssl, int a, int b) { 834 if (ssl->state == a) { 835 /* Buffer the message to handle retransmits. */ 836 ssl->d1->handshake_write_seq = ssl->d1->next_handshake_write_seq; 837 dtls1_buffer_change_cipher_spec(ssl, ssl->d1->handshake_write_seq); 838 ssl->state = b; 839 } 840 841 return dtls1_write_change_cipher_spec(ssl, dtls1_use_current_epoch); 842 } 843 844 /* call this function when the buffered messages are no longer needed */ 845 void dtls1_clear_record_buffer(SSL *ssl) { 846 pitem *item; 847 848 for (item = pqueue_pop(ssl->d1->sent_messages); item != NULL; 849 item = pqueue_pop(ssl->d1->sent_messages)) { 850 dtls1_hm_fragment_free((hm_fragment *)item->data); 851 pitem_free(item); 852 } 853 } 854 855 /* don't actually do the writing, wait till the MTU has been retrieved */ 856 void dtls1_set_message_header(SSL *ssl, uint8_t mt, unsigned long len, 857 unsigned short seq_num, unsigned long frag_off, 858 unsigned long frag_len) { 859 struct hm_header_st *msg_hdr = &ssl->d1->w_msg_hdr; 860 861 msg_hdr->type = mt; 862 msg_hdr->msg_len = len; 863 msg_hdr->seq = seq_num; 864 msg_hdr->frag_off = frag_off; 865 msg_hdr->frag_len = frag_len; 866 } 867 868 unsigned int dtls1_min_mtu(void) { 869 return kMinMTU; 870 } 871 872 void dtls1_get_message_header(uint8_t *data, 873 struct hm_header_st *msg_hdr) { 874 memset(msg_hdr, 0x00, sizeof(struct hm_header_st)); 875 msg_hdr->type = *(data++); 876 n2l3(data, msg_hdr->msg_len); 877 878 n2s(data, msg_hdr->seq); 879 n2l3(data, msg_hdr->frag_off); 880 n2l3(data, msg_hdr->frag_len); 881 } 882
