]>
Commit | Line | Data |
---|---|---|
36d16f8e | 1 | /* ssl/d1_pkt.c */ |
0f113f3e | 2 | /* |
36d16f8e | 3 | * DTLS implementation written by Nagendra Modadugu |
0f113f3e | 4 | * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. |
36d16f8e BL |
5 | */ |
6 | /* ==================================================================== | |
7 | * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. | |
8 | * | |
9 | * Redistribution and use in source and binary forms, with or without | |
10 | * modification, are permitted provided that the following conditions | |
11 | * are met: | |
12 | * | |
13 | * 1. Redistributions of source code must retain the above copyright | |
0f113f3e | 14 | * notice, this list of conditions and the following disclaimer. |
36d16f8e BL |
15 | * |
16 | * 2. Redistributions in binary form must reproduce the above copyright | |
17 | * notice, this list of conditions and the following disclaimer in | |
18 | * the documentation and/or other materials provided with the | |
19 | * distribution. | |
20 | * | |
21 | * 3. All advertising materials mentioning features or use of this | |
22 | * software must display the following acknowledgment: | |
23 | * "This product includes software developed by the OpenSSL Project | |
24 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | |
25 | * | |
26 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
27 | * endorse or promote products derived from this software without | |
28 | * prior written permission. For written permission, please contact | |
29 | * openssl-core@openssl.org. | |
30 | * | |
31 | * 5. Products derived from this software may not be called "OpenSSL" | |
32 | * nor may "OpenSSL" appear in their names without prior written | |
33 | * permission of the OpenSSL Project. | |
34 | * | |
35 | * 6. Redistributions of any form whatsoever must retain the following | |
36 | * acknowledgment: | |
37 | * "This product includes software developed by the OpenSSL Project | |
38 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | |
39 | * | |
40 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
41 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
42 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
43 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
44 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
45 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
46 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
47 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
49 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
50 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
51 | * OF THE POSSIBILITY OF SUCH DAMAGE. | |
52 | * ==================================================================== | |
53 | * | |
54 | * This product includes cryptographic software written by Eric Young | |
55 | * (eay@cryptsoft.com). This product includes software written by Tim | |
56 | * Hudson (tjh@cryptsoft.com). | |
57 | * | |
58 | */ | |
59 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | |
60 | * All rights reserved. | |
61 | * | |
62 | * This package is an SSL implementation written | |
63 | * by Eric Young (eay@cryptsoft.com). | |
64 | * The implementation was written so as to conform with Netscapes SSL. | |
0f113f3e | 65 | * |
36d16f8e BL |
66 | * This library is free for commercial and non-commercial use as long as |
67 | * the following conditions are aheared to. The following conditions | |
68 | * apply to all code found in this distribution, be it the RC4, RSA, | |
69 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation | |
70 | * included with this distribution is covered by the same copyright terms | |
71 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). | |
0f113f3e | 72 | * |
36d16f8e BL |
73 | * Copyright remains Eric Young's, and as such any Copyright notices in |
74 | * the code are not to be removed. | |
75 | * If this package is used in a product, Eric Young should be given attribution | |
76 | * as the author of the parts of the library used. | |
77 | * This can be in the form of a textual message at program startup or | |
78 | * in documentation (online or textual) provided with the package. | |
0f113f3e | 79 | * |
36d16f8e BL |
80 | * Redistribution and use in source and binary forms, with or without |
81 | * modification, are permitted provided that the following conditions | |
82 | * are met: | |
83 | * 1. Redistributions of source code must retain the copyright | |
84 | * notice, this list of conditions and the following disclaimer. | |
85 | * 2. Redistributions in binary form must reproduce the above copyright | |
86 | * notice, this list of conditions and the following disclaimer in the | |
87 | * documentation and/or other materials provided with the distribution. | |
88 | * 3. All advertising materials mentioning features or use of this software | |
89 | * must display the following acknowledgement: | |
90 | * "This product includes cryptographic software written by | |
91 | * Eric Young (eay@cryptsoft.com)" | |
92 | * The word 'cryptographic' can be left out if the rouines from the library | |
93 | * being used are not cryptographic related :-). | |
0f113f3e | 94 | * 4. If you include any Windows specific code (or a derivative thereof) from |
36d16f8e BL |
95 | * the apps directory (application code) you must include an acknowledgement: |
96 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | |
0f113f3e | 97 | * |
36d16f8e BL |
98 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
99 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
100 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
101 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
102 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
103 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
104 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
105 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
106 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
107 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
108 | * SUCH DAMAGE. | |
0f113f3e | 109 | * |
36d16f8e BL |
110 | * The licence and distribution terms for any publically available version or |
111 | * derivative of this code cannot be changed. i.e. this code cannot simply be | |
112 | * copied and put under another distribution licence | |
113 | * [including the GNU Public Licence.] | |
114 | */ | |
115 | ||
116 | #include <stdio.h> | |
117 | #include <errno.h> | |
118 | #define USE_SOCKETS | |
119 | #include "ssl_locl.h" | |
120 | #include <openssl/evp.h> | |
121 | #include <openssl/buffer.h> | |
122 | #include <openssl/pqueue.h> | |
d527834a | 123 | #include <openssl/rand.h> |
36d16f8e | 124 | |
50ec3951 | 125 | /* mod 128 saturating subtract of two 64-bit values in big-endian order */ |
0f113f3e MC |
126 | static int satsub64be(const unsigned char *v1, const unsigned char *v2) |
127 | { | |
128 | int ret, sat, brw, i; | |
129 | ||
130 | if (sizeof(long) == 8) | |
131 | do { | |
132 | const union { | |
133 | long one; | |
134 | char little; | |
135 | } is_endian = { | |
136 | 1 | |
137 | }; | |
138 | long l; | |
139 | ||
140 | if (is_endian.little) | |
141 | break; | |
142 | /* not reached on little-endians */ | |
143 | /* | |
144 | * following test is redundant, because input is always aligned, | |
145 | * but I take no chances... | |
146 | */ | |
147 | if (((size_t)v1 | (size_t)v2) & 0x7) | |
148 | break; | |
149 | ||
150 | l = *((long *)v1); | |
151 | l -= *((long *)v2); | |
152 | if (l > 128) | |
153 | return 128; | |
154 | else if (l < -128) | |
155 | return -128; | |
156 | else | |
157 | return (int)l; | |
158 | } while (0); | |
159 | ||
160 | ret = (int)v1[7] - (int)v2[7]; | |
161 | sat = 0; | |
162 | brw = ret >> 8; /* brw is either 0 or -1 */ | |
163 | if (ret & 0x80) { | |
164 | for (i = 6; i >= 0; i--) { | |
165 | brw += (int)v1[i] - (int)v2[i]; | |
166 | sat |= ~brw; | |
167 | brw >>= 8; | |
168 | } | |
169 | } else { | |
170 | for (i = 6; i >= 0; i--) { | |
171 | brw += (int)v1[i] - (int)v2[i]; | |
172 | sat |= brw; | |
173 | brw >>= 8; | |
174 | } | |
175 | } | |
176 | brw <<= 8; /* brw is either 0 or -256 */ | |
177 | ||
178 | if (sat & 0xff) | |
179 | return brw | 0x80; | |
180 | else | |
181 | return brw + (ret & 0xFF); | |
50ec3951 | 182 | } |
dffdb56b | 183 | |
0f113f3e MC |
184 | static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, |
185 | int len, int peek); | |
50ec3951 | 186 | static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap); |
36d16f8e | 187 | static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap); |
0f113f3e MC |
188 | static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, |
189 | unsigned int *is_next_epoch); | |
36d16f8e | 190 | static int dtls1_buffer_record(SSL *s, record_pqueue *q, |
0f113f3e | 191 | unsigned char *priority); |
36d16f8e | 192 | static int dtls1_process_record(SSL *s); |
36d16f8e | 193 | |
36d16f8e | 194 | /* copy buffered record into SSL structure */ |
0f113f3e MC |
195 | static int dtls1_copy_record(SSL *s, pitem *item) |
196 | { | |
36d16f8e BL |
197 | DTLS1_RECORD_DATA *rdata; |
198 | ||
199 | rdata = (DTLS1_RECORD_DATA *)item->data; | |
0f113f3e | 200 | |
36d16f8e BL |
201 | if (s->s3->rbuf.buf != NULL) |
202 | OPENSSL_free(s->s3->rbuf.buf); | |
0f113f3e | 203 | |
36d16f8e BL |
204 | s->packet = rdata->packet; |
205 | s->packet_length = rdata->packet_length; | |
206 | memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER)); | |
207 | memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD)); | |
36d16f8e | 208 | |
0f113f3e MC |
209 | /* Set proper sequence number for mac calculation */ |
210 | memcpy(&(s->s3->read_sequence[2]), &(rdata->packet[5]), 6); | |
211 | ||
212 | return (1); | |
213 | } | |
36d16f8e BL |
214 | |
215 | static int | |
dffdb56b | 216 | dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) |
0f113f3e MC |
217 | { |
218 | DTLS1_RECORD_DATA *rdata; | |
219 | pitem *item; | |
220 | ||
221 | /* Limit the size of the queue to prevent DOS attacks */ | |
222 | if (pqueue_size(queue->q) >= 100) | |
223 | return 0; | |
224 | ||
225 | rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); | |
226 | item = pitem_new(priority, rdata); | |
227 | if (rdata == NULL || item == NULL) { | |
228 | if (rdata != NULL) | |
229 | OPENSSL_free(rdata); | |
230 | if (item != NULL) | |
231 | pitem_free(item); | |
232 | ||
233 | SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); | |
234 | return (0); | |
235 | } | |
236 | ||
237 | rdata->packet = s->packet; | |
238 | rdata->packet_length = s->packet_length; | |
239 | memcpy(&(rdata->rbuf), &(s->s3->rbuf), sizeof(SSL3_BUFFER)); | |
240 | memcpy(&(rdata->rrec), &(s->s3->rrec), sizeof(SSL3_RECORD)); | |
241 | ||
242 | item->data = rdata; | |
36d16f8e | 243 | |
7e159e01 | 244 | #ifndef OPENSSL_NO_SCTP |
0f113f3e MC |
245 | /* Store bio_dgram_sctp_rcvinfo struct */ |
246 | if (BIO_dgram_is_sctp(SSL_get_rbio(s)) && | |
247 | (s->state == SSL3_ST_SR_FINISHED_A | |
248 | || s->state == SSL3_ST_CR_FINISHED_A)) { | |
249 | BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SCTP_GET_RCVINFO, | |
250 | sizeof(rdata->recordinfo), &rdata->recordinfo); | |
251 | } | |
7e159e01 DSH |
252 | #endif |
253 | ||
0f113f3e MC |
254 | s->packet = NULL; |
255 | s->packet_length = 0; | |
256 | memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER)); | |
257 | memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD)); | |
258 | ||
259 | if (!ssl3_setup_buffers(s)) { | |
260 | SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); | |
261 | if (rdata->rbuf.buf != NULL) | |
262 | OPENSSL_free(rdata->rbuf.buf); | |
263 | OPENSSL_free(rdata); | |
264 | pitem_free(item); | |
265 | return (-1); | |
266 | } | |
36d16f8e | 267 | |
0f113f3e MC |
268 | /* insert should not fail, since duplicates are dropped */ |
269 | if (pqueue_insert(queue->q, item) == NULL) { | |
270 | SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); | |
271 | if (rdata->rbuf.buf != NULL) | |
272 | OPENSSL_free(rdata->rbuf.buf); | |
273 | OPENSSL_free(rdata); | |
274 | pitem_free(item); | |
275 | return (-1); | |
276 | } | |
36d16f8e | 277 | |
0f113f3e MC |
278 | return (1); |
279 | } | |
280 | ||
281 | static int dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) | |
282 | { | |
36d16f8e BL |
283 | pitem *item; |
284 | ||
285 | item = pqueue_pop(queue->q); | |
0f113f3e | 286 | if (item) { |
36d16f8e BL |
287 | dtls1_copy_record(s, item); |
288 | ||
289 | OPENSSL_free(item->data); | |
0f113f3e | 290 | pitem_free(item); |
36d16f8e | 291 | |
0f113f3e | 292 | return (1); |
36d16f8e BL |
293 | } |
294 | ||
0f113f3e MC |
295 | return (0); |
296 | } | |
36d16f8e | 297 | |
0f113f3e MC |
298 | /* |
299 | * retrieve a buffered record that belongs to the new epoch, i.e., not | |
300 | * processed yet | |
301 | */ | |
36d16f8e BL |
302 | #define dtls1_get_unprocessed_record(s) \ |
303 | dtls1_retrieve_buffered_record((s), \ | |
304 | &((s)->d1->unprocessed_rcds)) | |
305 | ||
0f113f3e MC |
306 | /* |
307 | * retrieve a buffered record that belongs to the current epoch, ie, | |
308 | * processed | |
309 | */ | |
36d16f8e BL |
310 | #define dtls1_get_processed_record(s) \ |
311 | dtls1_retrieve_buffered_record((s), \ | |
312 | &((s)->d1->processed_rcds)) | |
313 | ||
0f113f3e MC |
314 | static int dtls1_process_buffered_records(SSL *s) |
315 | { | |
36d16f8e | 316 | pitem *item; |
0f113f3e | 317 | |
36d16f8e | 318 | item = pqueue_peek(s->d1->unprocessed_rcds.q); |
0f113f3e | 319 | if (item) { |
36d16f8e BL |
320 | /* Check if epoch is current. */ |
321 | if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch) | |
0f113f3e MC |
322 | return (1); /* Nothing to do. */ |
323 | ||
36d16f8e | 324 | /* Process all the records. */ |
0f113f3e | 325 | while (pqueue_peek(s->d1->unprocessed_rcds.q)) { |
36d16f8e | 326 | dtls1_get_unprocessed_record(s); |
0f113f3e MC |
327 | if (!dtls1_process_record(s)) |
328 | return (0); | |
329 | if (dtls1_buffer_record(s, &(s->d1->processed_rcds), | |
330 | s->s3->rrec.seq_num) < 0) | |
103b171d | 331 | return -1; |
36d16f8e | 332 | } |
0f113f3e | 333 | } |
36d16f8e | 334 | |
0f113f3e MC |
335 | /* |
336 | * sync epoch numbers once all the unprocessed records have been | |
337 | * processed | |
338 | */ | |
36d16f8e BL |
339 | s->d1->processed_rcds.epoch = s->d1->r_epoch; |
340 | s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1; | |
341 | ||
0f113f3e MC |
342 | return (1); |
343 | } | |
36d16f8e | 344 | |
0f113f3e | 345 | static int dtls1_process_record(SSL *s) |
36d16f8e | 346 | { |
0f113f3e MC |
347 | int i, al; |
348 | int enc_err; | |
349 | SSL_SESSION *sess; | |
350 | SSL3_RECORD *rr; | |
351 | unsigned int mac_size; | |
352 | unsigned char md[EVP_MAX_MD_SIZE]; | |
353 | ||
354 | rr = &(s->s3->rrec); | |
355 | sess = s->session; | |
356 | ||
357 | /* | |
358 | * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, | |
359 | * and we have that many bytes in s->packet | |
360 | */ | |
361 | rr->input = &(s->packet[DTLS1_RT_HEADER_LENGTH]); | |
362 | ||
363 | /* | |
364 | * ok, we can now read from 's->packet' data into 'rr' rr->input points | |
365 | * at rr->length bytes, which need to be copied into rr->data by either | |
366 | * the decryption or by the decompression When the data is 'copied' into | |
367 | * the rr->data buffer, rr->input will be pointed at the new buffer | |
368 | */ | |
369 | ||
370 | /* | |
371 | * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length | |
372 | * bytes of encrypted compressed stuff. | |
373 | */ | |
374 | ||
375 | /* check is not needed I believe */ | |
376 | if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { | |
377 | al = SSL_AD_RECORD_OVERFLOW; | |
378 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); | |
379 | goto f_err; | |
380 | } | |
36d16f8e | 381 | |
0f113f3e MC |
382 | /* decrypt in place in 'rr->input' */ |
383 | rr->data = rr->input; | |
384 | rr->orig_len = rr->length; | |
385 | ||
386 | enc_err = s->method->ssl3_enc->enc(s, 0); | |
35a1cc90 MC |
387 | /*- |
388 | * enc_err is: | |
389 | * 0: (in non-constant time) if the record is publically invalid. | |
390 | * 1: if the padding is valid | |
391 | * -1: if the padding is invalid | |
392 | */ | |
0f113f3e MC |
393 | if (enc_err == 0) { |
394 | /* For DTLS we simply ignore bad packets. */ | |
395 | rr->length = 0; | |
396 | s->packet_length = 0; | |
397 | goto err; | |
398 | } | |
36d16f8e | 399 | #ifdef TLS_DEBUG |
0f113f3e MC |
400 | printf("dec %d\n", rr->length); |
401 | { | |
402 | unsigned int z; | |
403 | for (z = 0; z < rr->length; z++) | |
404 | printf("%02X%c", rr->data[z], ((z + 1) % 16) ? ' ' : '\n'); | |
405 | } | |
406 | printf("\n"); | |
36d16f8e BL |
407 | #endif |
408 | ||
0f113f3e MC |
409 | /* r->length is now the compressed data plus mac */ |
410 | if ((sess != NULL) && | |
411 | (s->enc_read_ctx != NULL) && (EVP_MD_CTX_md(s->read_hash) != NULL)) { | |
412 | /* s->read_hash != NULL => mac_size != -1 */ | |
413 | unsigned char *mac = NULL; | |
414 | unsigned char mac_tmp[EVP_MAX_MD_SIZE]; | |
415 | mac_size = EVP_MD_CTX_size(s->read_hash); | |
416 | OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); | |
417 | ||
418 | /* | |
419 | * orig_len is the length of the record before any padding was | |
420 | * removed. This is public information, as is the MAC in use, | |
421 | * therefore we can safely process the record in a different amount | |
422 | * of time if it's too short to possibly contain a MAC. | |
423 | */ | |
424 | if (rr->orig_len < mac_size || | |
425 | /* CBC records must have a padding length byte too. */ | |
426 | (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && | |
427 | rr->orig_len < mac_size + 1)) { | |
428 | al = SSL_AD_DECODE_ERROR; | |
429 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT); | |
430 | goto f_err; | |
431 | } | |
36d16f8e | 432 | |
0f113f3e MC |
433 | if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) { |
434 | /* | |
435 | * We update the length so that the TLS header bytes can be | |
436 | * constructed correctly but we need to extract the MAC in | |
437 | * constant time from within the record, without leaking the | |
438 | * contents of the padding bytes. | |
439 | */ | |
440 | mac = mac_tmp; | |
441 | ssl3_cbc_copy_mac(mac_tmp, rr, mac_size); | |
442 | rr->length -= mac_size; | |
443 | } else { | |
444 | /* | |
445 | * In this case there's no padding, so |rec->orig_len| equals | |
446 | * |rec->length| and we checked that there's enough bytes for | |
447 | * |mac_size| above. | |
448 | */ | |
449 | rr->length -= mac_size; | |
450 | mac = &rr->data[rr->length]; | |
451 | } | |
452 | ||
453 | i = s->method->ssl3_enc->mac(s, md, 0 /* not send */ ); | |
454 | if (i < 0 || mac == NULL | |
455 | || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) | |
456 | enc_err = -1; | |
457 | if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size) | |
458 | enc_err = -1; | |
459 | } | |
460 | ||
461 | if (enc_err < 0) { | |
462 | /* decryption failed, silently discard message */ | |
463 | rr->length = 0; | |
464 | s->packet_length = 0; | |
465 | goto err; | |
466 | } | |
467 | ||
468 | /* r->length is now just compressed */ | |
469 | if (s->expand != NULL) { | |
470 | if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) { | |
471 | al = SSL_AD_RECORD_OVERFLOW; | |
472 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD, | |
473 | SSL_R_COMPRESSED_LENGTH_TOO_LONG); | |
474 | goto f_err; | |
475 | } | |
476 | if (!ssl3_do_uncompress(s)) { | |
477 | al = SSL_AD_DECOMPRESSION_FAILURE; | |
478 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION); | |
479 | goto f_err; | |
480 | } | |
481 | } | |
482 | ||
483 | if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) { | |
484 | al = SSL_AD_RECORD_OVERFLOW; | |
485 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_DATA_LENGTH_TOO_LONG); | |
486 | goto f_err; | |
487 | } | |
488 | ||
489 | rr->off = 0; | |
50e735f9 MC |
490 | /*- |
491 | * So at this point the following is true | |
492 | * ssl->s3->rrec.type is the type of record | |
493 | * ssl->s3->rrec.length == number of bytes in record | |
494 | * ssl->s3->rrec.off == offset to first valid byte | |
495 | * ssl->s3->rrec.data == where to take bytes from, increment | |
496 | * after use :-). | |
497 | */ | |
0f113f3e MC |
498 | |
499 | /* we have pulled in a full packet so zero things */ | |
500 | s->packet_length = 0; | |
501 | return (1); | |
502 | ||
503 | f_err: | |
504 | ssl3_send_alert(s, SSL3_AL_FATAL, al); | |
505 | err: | |
506 | return (0); | |
507 | } | |
36d16f8e | 508 | |
1d97c843 TH |
509 | /*- |
510 | * Call this to get a new input record. | |
36d16f8e BL |
511 | * It will return <= 0 if more data is needed, normally due to an error |
512 | * or non-blocking IO. | |
513 | * When it finishes, one packet has been decoded and can be found in | |
514 | * ssl->s3->rrec.type - is the type of record | |
0f113f3e | 515 | * ssl->s3->rrec.data, - data |
36d16f8e BL |
516 | * ssl->s3->rrec.length, - number of bytes |
517 | */ | |
518 | /* used only by dtls1_read_bytes */ | |
519 | int dtls1_get_record(SSL *s) | |
0f113f3e MC |
520 | { |
521 | int ssl_major, ssl_minor; | |
522 | int i, n; | |
523 | SSL3_RECORD *rr; | |
524 | unsigned char *p = NULL; | |
525 | unsigned short version; | |
526 | DTLS1_BITMAP *bitmap; | |
527 | unsigned int is_next_epoch; | |
528 | ||
529 | rr = &(s->s3->rrec); | |
530 | ||
531 | /* | |
532 | * The epoch may have changed. If so, process all the pending records. | |
533 | * This is a non-blocking operation. | |
534 | */ | |
535 | if (dtls1_process_buffered_records(s) < 0) | |
536 | return -1; | |
537 | ||
538 | /* if we're renegotiating, then there may be buffered records */ | |
539 | if (dtls1_get_processed_record(s)) | |
540 | return 1; | |
541 | ||
542 | /* get something from the wire */ | |
543 | again: | |
544 | /* check if we have the header */ | |
545 | if ((s->rstate != SSL_ST_READ_BODY) || | |
546 | (s->packet_length < DTLS1_RT_HEADER_LENGTH)) { | |
547 | n = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, s->s3->rbuf.len, 0); | |
548 | /* read timeout is handled by dtls1_read_bytes */ | |
549 | if (n <= 0) | |
550 | return (n); /* error or non-blocking */ | |
551 | ||
552 | /* this packet contained a partial record, dump it */ | |
553 | if (s->packet_length != DTLS1_RT_HEADER_LENGTH) { | |
554 | s->packet_length = 0; | |
555 | goto again; | |
556 | } | |
557 | ||
558 | s->rstate = SSL_ST_READ_BODY; | |
559 | ||
560 | p = s->packet; | |
561 | ||
562 | if (s->msg_callback) | |
563 | s->msg_callback(0, 0, SSL3_RT_HEADER, p, DTLS1_RT_HEADER_LENGTH, | |
564 | s, s->msg_callback_arg); | |
565 | ||
566 | /* Pull apart the header into the DTLS1_RECORD */ | |
567 | rr->type = *(p++); | |
568 | ssl_major = *(p++); | |
569 | ssl_minor = *(p++); | |
570 | version = (ssl_major << 8) | ssl_minor; | |
571 | ||
572 | /* sequence number is 64 bits, with top 2 bytes = epoch */ | |
573 | n2s(p, rr->epoch); | |
574 | ||
575 | memcpy(&(s->s3->read_sequence[2]), p, 6); | |
576 | p += 6; | |
577 | ||
578 | n2s(p, rr->length); | |
579 | ||
580 | /* Lets check version */ | |
581 | if (!s->first_packet) { | |
582 | if (version != s->version) { | |
583 | /* unexpected version, silently discard */ | |
584 | rr->length = 0; | |
585 | s->packet_length = 0; | |
586 | goto again; | |
587 | } | |
588 | } | |
589 | ||
590 | if ((version & 0xff00) != (s->version & 0xff00)) { | |
591 | /* wrong version, silently discard record */ | |
592 | rr->length = 0; | |
593 | s->packet_length = 0; | |
594 | goto again; | |
595 | } | |
596 | ||
597 | if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { | |
598 | /* record too long, silently discard it */ | |
599 | rr->length = 0; | |
600 | s->packet_length = 0; | |
601 | goto again; | |
602 | } | |
603 | ||
604 | /* now s->rstate == SSL_ST_READ_BODY */ | |
605 | } | |
606 | ||
607 | /* s->rstate == SSL_ST_READ_BODY, get and decode the data */ | |
608 | ||
609 | if (rr->length > s->packet_length - DTLS1_RT_HEADER_LENGTH) { | |
610 | /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */ | |
611 | i = rr->length; | |
612 | n = ssl3_read_n(s, i, i, 1); | |
613 | /* this packet contained a partial record, dump it */ | |
614 | if (n != i) { | |
615 | rr->length = 0; | |
616 | s->packet_length = 0; | |
617 | goto again; | |
618 | } | |
36d16f8e | 619 | |
0f113f3e MC |
620 | /* |
621 | * now n == rr->length, and s->packet_length == | |
622 | * DTLS1_RT_HEADER_LENGTH + rr->length | |
623 | */ | |
624 | } | |
625 | s->rstate = SSL_ST_READ_HEADER; /* set state for later operations */ | |
626 | ||
627 | /* match epochs. NULL means the packet is dropped on the floor */ | |
628 | bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); | |
629 | if (bitmap == NULL) { | |
630 | rr->length = 0; | |
631 | s->packet_length = 0; /* dump this record */ | |
632 | goto again; /* get another record */ | |
633 | } | |
7e159e01 | 634 | #ifndef OPENSSL_NO_SCTP |
0f113f3e MC |
635 | /* Only do replay check if no SCTP bio */ |
636 | if (!BIO_dgram_is_sctp(SSL_get_rbio(s))) { | |
7e159e01 | 637 | #endif |
0f113f3e MC |
638 | /* |
639 | * Check whether this is a repeat, or aged record. Don't check if | |
640 | * we're listening and this message is a ClientHello. They can look | |
641 | * as if they're replayed, since they arrive from different | |
642 | * connections and would be dropped unnecessarily. | |
643 | */ | |
644 | if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE && | |
645 | s->packet_length > DTLS1_RT_HEADER_LENGTH && | |
646 | s->packet[DTLS1_RT_HEADER_LENGTH] == SSL3_MT_CLIENT_HELLO) && | |
647 | !dtls1_record_replay_check(s, bitmap)) { | |
648 | rr->length = 0; | |
649 | s->packet_length = 0; /* dump this record */ | |
650 | goto again; /* get another record */ | |
651 | } | |
7e159e01 | 652 | #ifndef OPENSSL_NO_SCTP |
0f113f3e | 653 | } |
7e159e01 | 654 | #endif |
36d16f8e | 655 | |
0f113f3e MC |
656 | /* just read a 0 length packet */ |
657 | if (rr->length == 0) | |
658 | goto again; | |
659 | ||
660 | /* | |
661 | * If this record is from the next epoch (either HM or ALERT), and a | |
662 | * handshake is currently in progress, buffer it since it cannot be | |
663 | * processed at this time. However, do not buffer anything while | |
664 | * listening. | |
665 | */ | |
666 | if (is_next_epoch) { | |
667 | if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen) { | |
668 | if (dtls1_buffer_record | |
669 | (s, &(s->d1->unprocessed_rcds), rr->seq_num) < 0) | |
670 | return -1; | |
671 | /* Mark receipt of record. */ | |
672 | dtls1_record_bitmap_update(s, bitmap); | |
673 | } | |
674 | rr->length = 0; | |
675 | s->packet_length = 0; | |
676 | goto again; | |
677 | } | |
678 | ||
679 | if (!dtls1_process_record(s)) { | |
680 | rr->length = 0; | |
681 | s->packet_length = 0; /* dump this record */ | |
682 | goto again; /* get another record */ | |
683 | } | |
684 | dtls1_record_bitmap_update(s, bitmap); /* Mark receipt of record. */ | |
685 | ||
686 | return (1); | |
687 | ||
688 | } | |
36d16f8e | 689 | |
1d97c843 TH |
690 | /*- |
691 | * Return up to 'len' payload bytes received in 'type' records. | |
36d16f8e BL |
692 | * 'type' is one of the following: |
693 | * | |
694 | * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us) | |
695 | * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us) | |
696 | * - 0 (during a shutdown, no data has to be returned) | |
697 | * | |
698 | * If we don't have stored data to work from, read a SSL/TLS record first | |
699 | * (possibly multiple records if we still don't have anything to return). | |
700 | * | |
701 | * This function must handle any surprises the peer may have for us, such as | |
702 | * Alert records (e.g. close_notify), ChangeCipherSpec records (not really | |
703 | * a surprise, but handled as if it were), or renegotiation requests. | |
704 | * Also if record payloads contain fragments too small to process, we store | |
705 | * them until there is enough for the respective protocol (the record protocol | |
706 | * may use arbitrary fragmentation and even interleaving): | |
707 | * Change cipher spec protocol | |
708 | * just 1 byte needed, no need for keeping anything stored | |
709 | * Alert protocol | |
710 | * 2 bytes needed (AlertLevel, AlertDescription) | |
711 | * Handshake protocol | |
712 | * 4 bytes needed (HandshakeType, uint24 length) -- we just have | |
713 | * to detect unexpected Client Hello and Hello Request messages | |
714 | * here, anything else is handled by higher layers | |
715 | * Application data protocol | |
716 | * none of our business | |
717 | */ | |
718 | int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) | |
0f113f3e MC |
719 | { |
720 | int al, i, j, ret; | |
721 | unsigned int n; | |
722 | SSL3_RECORD *rr; | |
723 | void (*cb) (const SSL *ssl, int type2, int val) = NULL; | |
724 | ||
725 | if (s->s3->rbuf.buf == NULL) /* Not initialized yet */ | |
726 | if (!ssl3_setup_buffers(s)) | |
727 | return (-1); | |
728 | ||
729 | if ((type && (type != SSL3_RT_APPLICATION_DATA) && | |
730 | (type != SSL3_RT_HANDSHAKE)) || | |
731 | (peek && (type != SSL3_RT_APPLICATION_DATA))) { | |
732 | SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); | |
733 | return -1; | |
734 | } | |
735 | ||
736 | /* | |
737 | * check whether there's a handshake message (client hello?) waiting | |
738 | */ | |
739 | if ((ret = have_handshake_fragment(s, type, buf, len, peek))) | |
740 | return ret; | |
741 | ||
742 | /* | |
743 | * Now s->d1->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. | |
744 | */ | |
36d16f8e | 745 | |
7e159e01 | 746 | #ifndef OPENSSL_NO_SCTP |
0f113f3e MC |
747 | /* |
748 | * Continue handshake if it had to be interrupted to read app data with | |
749 | * SCTP. | |
750 | */ | |
751 | if ((!s->in_handshake && SSL_in_init(s)) || | |
752 | (BIO_dgram_is_sctp(SSL_get_rbio(s)) && | |
753 | (s->state == DTLS1_SCTP_ST_SR_READ_SOCK | |
754 | || s->state == DTLS1_SCTP_ST_CR_READ_SOCK) | |
755 | && s->s3->in_read_app_data != 2)) | |
7e159e01 | 756 | #else |
0f113f3e | 757 | if (!s->in_handshake && SSL_in_init(s)) |
7e159e01 | 758 | #endif |
0f113f3e MC |
759 | { |
760 | /* type == SSL3_RT_APPLICATION_DATA */ | |
761 | i = s->handshake_func(s); | |
762 | if (i < 0) | |
763 | return (i); | |
764 | if (i == 0) { | |
765 | SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE); | |
766 | return (-1); | |
767 | } | |
768 | } | |
769 | ||
770 | start: | |
771 | s->rwstate = SSL_NOTHING; | |
772 | ||
50e735f9 MC |
773 | /*- |
774 | * s->s3->rrec.type - is the type of record | |
775 | * s->s3->rrec.data, - data | |
776 | * s->s3->rrec.off, - offset into 'data' for next read | |
777 | * s->s3->rrec.length, - number of bytes. | |
778 | */ | |
0f113f3e MC |
779 | rr = &(s->s3->rrec); |
780 | ||
781 | /* | |
782 | * We are not handshaking and have no data yet, so process data buffered | |
783 | * during the last handshake in advance, if any. | |
784 | */ | |
785 | if (s->state == SSL_ST_OK && rr->length == 0) { | |
786 | pitem *item; | |
787 | item = pqueue_pop(s->d1->buffered_app_data.q); | |
788 | if (item) { | |
7e159e01 | 789 | #ifndef OPENSSL_NO_SCTP |
0f113f3e MC |
790 | /* Restore bio_dgram_sctp_rcvinfo struct */ |
791 | if (BIO_dgram_is_sctp(SSL_get_rbio(s))) { | |
792 | DTLS1_RECORD_DATA *rdata = (DTLS1_RECORD_DATA *)item->data; | |
793 | BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SCTP_SET_RCVINFO, | |
794 | sizeof(rdata->recordinfo), &rdata->recordinfo); | |
795 | } | |
7e159e01 DSH |
796 | #endif |
797 | ||
0f113f3e MC |
798 | dtls1_copy_record(s, item); |
799 | ||
800 | OPENSSL_free(item->data); | |
801 | pitem_free(item); | |
802 | } | |
803 | } | |
804 | ||
805 | /* Check for timeout */ | |
806 | if (dtls1_handle_timeout(s) > 0) | |
807 | goto start; | |
808 | ||
809 | /* get new packet if necessary */ | |
810 | if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY)) { | |
811 | ret = dtls1_get_record(s); | |
812 | if (ret <= 0) { | |
813 | ret = dtls1_read_failed(s, ret); | |
814 | /* anything other than a timeout is an error */ | |
815 | if (ret <= 0) | |
816 | return (ret); | |
817 | else | |
818 | goto start; | |
819 | } | |
820 | } | |
821 | ||
822 | if (s->d1->listen && rr->type != SSL3_RT_HANDSHAKE) { | |
823 | rr->length = 0; | |
824 | goto start; | |
825 | } | |
826 | ||
827 | /* we now have a packet which can be read and processed */ | |
828 | ||
829 | if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, | |
830 | * reset by ssl3_get_finished */ | |
831 | && (rr->type != SSL3_RT_HANDSHAKE)) { | |
832 | /* | |
833 | * We now have application data between CCS and Finished. Most likely | |
834 | * the packets were reordered on their way, so buffer the application | |
835 | * data for later processing rather than dropping the connection. | |
836 | */ | |
837 | if (dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num) < | |
838 | 0) { | |
839 | SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); | |
840 | return -1; | |
841 | } | |
842 | rr->length = 0; | |
843 | goto start; | |
844 | } | |
845 | ||
846 | /* | |
847 | * If the other end has shut down, throw anything we read away (even in | |
848 | * 'peek' mode) | |
849 | */ | |
850 | if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { | |
851 | rr->length = 0; | |
852 | s->rwstate = SSL_NOTHING; | |
853 | return (0); | |
854 | } | |
855 | ||
856 | if (type == rr->type) { /* SSL3_RT_APPLICATION_DATA or | |
857 | * SSL3_RT_HANDSHAKE */ | |
858 | /* | |
859 | * make sure that we are not getting application data when we are | |
860 | * doing a handshake for the first time | |
861 | */ | |
862 | if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) && | |
863 | (s->enc_read_ctx == NULL)) { | |
864 | al = SSL_AD_UNEXPECTED_MESSAGE; | |
865 | SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_APP_DATA_IN_HANDSHAKE); | |
866 | goto f_err; | |
867 | } | |
7e159e01 | 868 | |
0f113f3e MC |
869 | if (len <= 0) |
870 | return (len); | |
871 | ||
872 | if ((unsigned int)len > rr->length) | |
873 | n = rr->length; | |
874 | else | |
875 | n = (unsigned int)len; | |
876 | ||
877 | memcpy(buf, &(rr->data[rr->off]), n); | |
878 | if (!peek) { | |
879 | rr->length -= n; | |
880 | rr->off += n; | |
881 | if (rr->length == 0) { | |
882 | s->rstate = SSL_ST_READ_HEADER; | |
883 | rr->off = 0; | |
884 | } | |
885 | } | |
7e159e01 | 886 | #ifndef OPENSSL_NO_SCTP |
0f113f3e MC |
887 | /* |
888 | * We were about to renegotiate but had to read belated application | |
889 | * data first, so retry. | |
890 | */ | |
891 | if (BIO_dgram_is_sctp(SSL_get_rbio(s)) && | |
892 | rr->type == SSL3_RT_APPLICATION_DATA && | |
893 | (s->state == DTLS1_SCTP_ST_SR_READ_SOCK | |
894 | || s->state == DTLS1_SCTP_ST_CR_READ_SOCK)) { | |
895 | s->rwstate = SSL_READING; | |
896 | BIO_clear_retry_flags(SSL_get_rbio(s)); | |
897 | BIO_set_retry_read(SSL_get_rbio(s)); | |
898 | } | |
899 | ||
900 | /* | |
901 | * We might had to delay a close_notify alert because of reordered | |
902 | * app data. If there was an alert and there is no message to read | |
903 | * anymore, finally set shutdown. | |
904 | */ | |
905 | if (BIO_dgram_is_sctp(SSL_get_rbio(s)) && | |
906 | s->d1->shutdown_received | |
907 | && !BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) { | |
908 | s->shutdown |= SSL_RECEIVED_SHUTDOWN; | |
909 | return (0); | |
910 | } | |
911 | #endif | |
912 | return (n); | |
913 | } | |
914 | ||
915 | /* | |
916 | * If we get here, then type != rr->type; if we have a handshake message, | |
917 | * then it was unexpected (Hello Request or Client Hello). | |
918 | */ | |
919 | ||
920 | /* | |
921 | * In case of record types for which we have 'fragment' storage, fill | |
922 | * that so that we can process the data at a fixed place. | |
923 | */ | |
924 | { | |
925 | unsigned int k, dest_maxlen = 0; | |
926 | unsigned char *dest = NULL; | |
927 | unsigned int *dest_len = NULL; | |
928 | ||
929 | if (rr->type == SSL3_RT_HANDSHAKE) { | |
930 | dest_maxlen = sizeof s->d1->handshake_fragment; | |
931 | dest = s->d1->handshake_fragment; | |
932 | dest_len = &s->d1->handshake_fragment_len; | |
933 | } else if (rr->type == SSL3_RT_ALERT) { | |
934 | dest_maxlen = sizeof(s->d1->alert_fragment); | |
935 | dest = s->d1->alert_fragment; | |
936 | dest_len = &s->d1->alert_fragment_len; | |
937 | } | |
4817504d | 938 | #ifndef OPENSSL_NO_HEARTBEATS |
0f113f3e MC |
939 | else if (rr->type == TLS1_RT_HEARTBEAT) { |
940 | dtls1_process_heartbeat(s); | |
941 | ||
942 | /* Exit and notify application to read again */ | |
943 | rr->length = 0; | |
944 | s->rwstate = SSL_READING; | |
945 | BIO_clear_retry_flags(SSL_get_rbio(s)); | |
946 | BIO_set_retry_read(SSL_get_rbio(s)); | |
947 | return (-1); | |
948 | } | |
4817504d | 949 | #endif |
0f113f3e MC |
950 | /* else it's a CCS message, or application data or wrong */ |
951 | else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC) { | |
952 | /* | |
953 | * Application data while renegotiating is allowed. Try again | |
954 | * reading. | |
955 | */ | |
956 | if (rr->type == SSL3_RT_APPLICATION_DATA) { | |
957 | BIO *bio; | |
958 | s->s3->in_read_app_data = 2; | |
959 | bio = SSL_get_rbio(s); | |
960 | s->rwstate = SSL_READING; | |
961 | BIO_clear_retry_flags(bio); | |
962 | BIO_set_retry_read(bio); | |
963 | return (-1); | |
964 | } | |
965 | ||
966 | /* Not certain if this is the right error handling */ | |
967 | al = SSL_AD_UNEXPECTED_MESSAGE; | |
968 | SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD); | |
969 | goto f_err; | |
970 | } | |
971 | ||
972 | if (dest_maxlen > 0) { | |
973 | /* | |
974 | * XDTLS: In a pathalogical case, the Client Hello may be | |
975 | * fragmented--don't always expect dest_maxlen bytes | |
976 | */ | |
977 | if (rr->length < dest_maxlen) { | |
d4938995 | 978 | #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE |
0f113f3e MC |
979 | /* |
980 | * for normal alerts rr->length is 2, while | |
981 | * dest_maxlen is 7 if we were to handle this | |
982 | * non-existing alert... | |
983 | */ | |
984 | FIX ME | |
d4938995 | 985 | #endif |
0f113f3e MC |
986 | s->rstate = SSL_ST_READ_HEADER; |
987 | rr->length = 0; | |
988 | goto start; | |
989 | } | |
990 | ||
991 | /* now move 'n' bytes: */ | |
992 | for (k = 0; k < dest_maxlen; k++) { | |
993 | dest[k] = rr->data[rr->off++]; | |
994 | rr->length--; | |
995 | } | |
996 | *dest_len = dest_maxlen; | |
997 | } | |
998 | } | |
999 | ||
35a1cc90 MC |
1000 | /*- |
1001 | * s->d1->handshake_fragment_len == 12 iff rr->type == SSL3_RT_HANDSHAKE; | |
1002 | * s->d1->alert_fragment_len == 7 iff rr->type == SSL3_RT_ALERT. | |
1003 | * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) | |
1004 | */ | |
0f113f3e MC |
1005 | |
1006 | /* If we are a client, check for an incoming 'Hello Request': */ | |
1007 | if ((!s->server) && | |
1008 | (s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && | |
1009 | (s->d1->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) && | |
1010 | (s->session != NULL) && (s->session->cipher != NULL)) { | |
1011 | s->d1->handshake_fragment_len = 0; | |
1012 | ||
1013 | if ((s->d1->handshake_fragment[1] != 0) || | |
1014 | (s->d1->handshake_fragment[2] != 0) || | |
1015 | (s->d1->handshake_fragment[3] != 0)) { | |
1016 | al = SSL_AD_DECODE_ERROR; | |
1017 | SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_BAD_HELLO_REQUEST); | |
1018 | goto err; | |
1019 | } | |
1020 | ||
1021 | /* | |
1022 | * no need to check sequence number on HELLO REQUEST messages | |
1023 | */ | |
1024 | ||
1025 | if (s->msg_callback) | |
1026 | s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, | |
1027 | s->d1->handshake_fragment, 4, s, | |
1028 | s->msg_callback_arg); | |
1029 | ||
1030 | if (SSL_is_init_finished(s) && | |
1031 | !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && | |
1032 | !s->s3->renegotiate) { | |
1033 | s->d1->handshake_read_seq++; | |
1034 | s->new_session = 1; | |
1035 | ssl3_renegotiate(s); | |
1036 | if (ssl3_renegotiate_check(s)) { | |
1037 | i = s->handshake_func(s); | |
1038 | if (i < 0) | |
1039 | return (i); | |
1040 | if (i == 0) { | |
1041 | SSLerr(SSL_F_DTLS1_READ_BYTES, | |
1042 | SSL_R_SSL_HANDSHAKE_FAILURE); | |
1043 | return (-1); | |
1044 | } | |
1045 | ||
1046 | if (!(s->mode & SSL_MODE_AUTO_RETRY)) { | |
1047 | if (s->s3->rbuf.left == 0) { /* no read-ahead left? */ | |
1048 | BIO *bio; | |
1049 | /* | |
1050 | * In the case where we try to read application data, | |
1051 | * but we trigger an SSL handshake, we return -1 with | |
1052 | * the retry option set. Otherwise renegotiation may | |
1053 | * cause nasty problems in the blocking world | |
1054 | */ | |
1055 | s->rwstate = SSL_READING; | |
1056 | bio = SSL_get_rbio(s); | |
1057 | BIO_clear_retry_flags(bio); | |
1058 | BIO_set_retry_read(bio); | |
1059 | return (-1); | |
1060 | } | |
1061 | } | |
1062 | } | |
1063 | } | |
1064 | /* | |
1065 | * we either finished a handshake or ignored the request, now try | |
1066 | * again to obtain the (application) data we were asked for | |
1067 | */ | |
1068 | goto start; | |
1069 | } | |
1070 | ||
1071 | if (s->d1->alert_fragment_len >= DTLS1_AL_HEADER_LENGTH) { | |
1072 | int alert_level = s->d1->alert_fragment[0]; | |
1073 | int alert_descr = s->d1->alert_fragment[1]; | |
1074 | ||
1075 | s->d1->alert_fragment_len = 0; | |
1076 | ||
1077 | if (s->msg_callback) | |
1078 | s->msg_callback(0, s->version, SSL3_RT_ALERT, | |
1079 | s->d1->alert_fragment, 2, s, s->msg_callback_arg); | |
1080 | ||
1081 | if (s->info_callback != NULL) | |
1082 | cb = s->info_callback; | |
1083 | else if (s->ctx->info_callback != NULL) | |
1084 | cb = s->ctx->info_callback; | |
1085 | ||
1086 | if (cb != NULL) { | |
1087 | j = (alert_level << 8) | alert_descr; | |
1088 | cb(s, SSL_CB_READ_ALERT, j); | |
1089 | } | |
1090 | ||
fd865cad | 1091 | if (alert_level == SSL3_AL_WARNING) { |
0f113f3e MC |
1092 | s->s3->warn_alert = alert_descr; |
1093 | if (alert_descr == SSL_AD_CLOSE_NOTIFY) { | |
7e159e01 | 1094 | #ifndef OPENSSL_NO_SCTP |
0f113f3e MC |
1095 | /* |
1096 | * With SCTP and streams the socket may deliver app data | |
1097 | * after a close_notify alert. We have to check this first so | |
1098 | * that nothing gets discarded. | |
1099 | */ | |
1100 | if (BIO_dgram_is_sctp(SSL_get_rbio(s)) && | |
1101 | BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) { | |
1102 | s->d1->shutdown_received = 1; | |
1103 | s->rwstate = SSL_READING; | |
1104 | BIO_clear_retry_flags(SSL_get_rbio(s)); | |
1105 | BIO_set_retry_read(SSL_get_rbio(s)); | |
1106 | return -1; | |
1107 | } | |
7e159e01 | 1108 | #endif |
0f113f3e MC |
1109 | s->shutdown |= SSL_RECEIVED_SHUTDOWN; |
1110 | return (0); | |
1111 | } | |
36d16f8e BL |
1112 | #if 0 |
1113 | /* XXX: this is a possible improvement in the future */ | |
0f113f3e MC |
1114 | /* now check if it's a missing record */ |
1115 | if (alert_descr == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) { | |
1116 | unsigned short seq; | |
1117 | unsigned int frag_off; | |
1118 | unsigned char *p = &(s->d1->alert_fragment[2]); | |
1119 | ||
1120 | n2s(p, seq); | |
1121 | n2l3(p, frag_off); | |
1122 | ||
1123 | dtls1_retransmit_message(s, | |
1124 | dtls1_get_queue_priority | |
1125 | (frag->msg_header.seq, 0), frag_off, | |
1126 | &found); | |
1127 | if (!found && SSL_in_init(s)) { | |
1128 | /* | |
1129 | * fprintf( stderr,"in init = %d\n", SSL_in_init(s)); | |
1130 | */ | |
1131 | /* | |
1132 | * requested a message not yet sent, send an alert | |
1133 | * ourselves | |
1134 | */ | |
1135 | ssl3_send_alert(s, SSL3_AL_WARNING, | |
1136 | DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); | |
1137 | } | |
1138 | } | |
36d16f8e | 1139 | #endif |
fd865cad | 1140 | } else if (alert_level == SSL3_AL_FATAL) { |
0f113f3e MC |
1141 | char tmp[16]; |
1142 | ||
1143 | s->rwstate = SSL_NOTHING; | |
1144 | s->s3->fatal_alert = alert_descr; | |
1145 | SSLerr(SSL_F_DTLS1_READ_BYTES, | |
1146 | SSL_AD_REASON_OFFSET + alert_descr); | |
1147 | BIO_snprintf(tmp, sizeof tmp, "%d", alert_descr); | |
1148 | ERR_add_error_data(2, "SSL alert number ", tmp); | |
1149 | s->shutdown |= SSL_RECEIVED_SHUTDOWN; | |
1150 | SSL_CTX_remove_session(s->ctx, s->session); | |
1151 | return (0); | |
1152 | } else { | |
1153 | al = SSL_AD_ILLEGAL_PARAMETER; | |
1154 | SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNKNOWN_ALERT_TYPE); | |
1155 | goto f_err; | |
1156 | } | |
1157 | ||
1158 | goto start; | |
1159 | } | |
1160 | ||
1161 | if (s->shutdown & SSL_SENT_SHUTDOWN) { /* but we have not received a | |
1162 | * shutdown */ | |
1163 | s->rwstate = SSL_NOTHING; | |
1164 | rr->length = 0; | |
1165 | return (0); | |
1166 | } | |
1167 | ||
1168 | if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) { | |
1169 | struct ccs_header_st ccs_hdr; | |
1170 | unsigned int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH; | |
1171 | ||
1172 | dtls1_get_ccs_header(rr->data, &ccs_hdr); | |
1173 | ||
1174 | if (s->version == DTLS1_BAD_VER) | |
1175 | ccs_hdr_len = 3; | |
1176 | ||
1177 | /* | |
1178 | * 'Change Cipher Spec' is just a single byte, so we know exactly | |
1179 | * what the record payload has to look like | |
1180 | */ | |
1181 | /* XDTLS: check that epoch is consistent */ | |
1182 | if ((rr->length != ccs_hdr_len) || | |
1183 | (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) { | |
1184 | i = SSL_AD_ILLEGAL_PARAMETER; | |
1185 | SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_BAD_CHANGE_CIPHER_SPEC); | |
1186 | goto err; | |
1187 | } | |
1188 | ||
1189 | rr->length = 0; | |
1190 | ||
1191 | if (s->msg_callback) | |
1192 | s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, | |
1193 | rr->data, 1, s, s->msg_callback_arg); | |
1194 | ||
1195 | /* | |
1196 | * We can't process a CCS now, because previous handshake messages | |
1197 | * are still missing, so just drop it. | |
1198 | */ | |
1199 | if (!s->d1->change_cipher_spec_ok) { | |
1200 | goto start; | |
1201 | } | |
1202 | ||
1203 | s->d1->change_cipher_spec_ok = 0; | |
1204 | ||
1205 | s->s3->change_cipher_spec = 1; | |
1206 | if (!ssl3_do_change_cipher_spec(s)) | |
1207 | goto err; | |
1208 | ||
1209 | /* do this whenever CCS is processed */ | |
1210 | dtls1_reset_seq_numbers(s, SSL3_CC_READ); | |
1211 | ||
1212 | if (s->version == DTLS1_BAD_VER) | |
1213 | s->d1->handshake_read_seq++; | |
8711efb4 | 1214 | |
7e159e01 | 1215 | #ifndef OPENSSL_NO_SCTP |
0f113f3e MC |
1216 | /* |
1217 | * Remember that a CCS has been received, so that an old key of | |
1218 | * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no | |
1219 | * SCTP is used | |
1220 | */ | |
1221 | BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL); | |
7e159e01 DSH |
1222 | #endif |
1223 | ||
0f113f3e MC |
1224 | goto start; |
1225 | } | |
1226 | ||
1227 | /* | |
1228 | * Unexpected handshake message (Client Hello, or protocol violation) | |
1229 | */ | |
1230 | if ((s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && | |
1231 | !s->in_handshake) { | |
1232 | struct hm_header_st msg_hdr; | |
1233 | ||
1234 | /* this may just be a stale retransmit */ | |
1235 | dtls1_get_message_header(rr->data, &msg_hdr); | |
1236 | if (rr->epoch != s->d1->r_epoch) { | |
1237 | rr->length = 0; | |
1238 | goto start; | |
1239 | } | |
1240 | ||
1241 | /* | |
1242 | * If we are server, we may have a repeated FINISHED of the client | |
1243 | * here, then retransmit our CCS and FINISHED. | |
1244 | */ | |
1245 | if (msg_hdr.type == SSL3_MT_FINISHED) { | |
1246 | if (dtls1_check_timeout_num(s) < 0) | |
1247 | return -1; | |
1248 | ||
1249 | dtls1_retransmit_buffered_messages(s); | |
1250 | rr->length = 0; | |
1251 | goto start; | |
1252 | } | |
1253 | ||
1254 | if (((s->state & SSL_ST_MASK) == SSL_ST_OK) && | |
1255 | !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) { | |
0f113f3e | 1256 | s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; |
0f113f3e MC |
1257 | s->renegotiate = 1; |
1258 | s->new_session = 1; | |
1259 | } | |
1260 | i = s->handshake_func(s); | |
1261 | if (i < 0) | |
1262 | return (i); | |
1263 | if (i == 0) { | |
1264 | SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE); | |
1265 | return (-1); | |
1266 | } | |
1267 | ||
1268 | if (!(s->mode & SSL_MODE_AUTO_RETRY)) { | |
1269 | if (s->s3->rbuf.left == 0) { /* no read-ahead left? */ | |
1270 | BIO *bio; | |
1271 | /* | |
1272 | * In the case where we try to read application data, but we | |
1273 | * trigger an SSL handshake, we return -1 with the retry | |
1274 | * option set. Otherwise renegotiation may cause nasty | |
1275 | * problems in the blocking world | |
1276 | */ | |
1277 | s->rwstate = SSL_READING; | |
1278 | bio = SSL_get_rbio(s); | |
1279 | BIO_clear_retry_flags(bio); | |
1280 | BIO_set_retry_read(bio); | |
1281 | return (-1); | |
1282 | } | |
1283 | } | |
1284 | goto start; | |
1285 | } | |
1286 | ||
1287 | switch (rr->type) { | |
1288 | default: | |
0f113f3e MC |
1289 | /* TLS just ignores unknown message types */ |
1290 | if (s->version == TLS1_VERSION) { | |
1291 | rr->length = 0; | |
1292 | goto start; | |
1293 | } | |
0f113f3e MC |
1294 | al = SSL_AD_UNEXPECTED_MESSAGE; |
1295 | SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD); | |
1296 | goto f_err; | |
1297 | case SSL3_RT_CHANGE_CIPHER_SPEC: | |
1298 | case SSL3_RT_ALERT: | |
1299 | case SSL3_RT_HANDSHAKE: | |
1300 | /* | |
1301 | * we already handled all of these, with the possible exception of | |
1302 | * SSL3_RT_HANDSHAKE when s->in_handshake is set, but that should not | |
1303 | * happen when type != rr->type | |
1304 | */ | |
1305 | al = SSL_AD_UNEXPECTED_MESSAGE; | |
1306 | SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); | |
1307 | goto f_err; | |
1308 | case SSL3_RT_APPLICATION_DATA: | |
1309 | /* | |
1310 | * At this point, we were expecting handshake data, but have | |
1311 | * application data. If the library was running inside ssl3_read() | |
1312 | * (i.e. in_read_app_data is set) and it makes sense to read | |
1313 | * application data at this point (session renegotiation not yet | |
1314 | * started), we will indulge it. | |
1315 | */ | |
1316 | if (s->s3->in_read_app_data && | |
1317 | (s->s3->total_renegotiations != 0) && | |
1318 | (((s->state & SSL_ST_CONNECT) && | |
1319 | (s->state >= SSL3_ST_CW_CLNT_HELLO_A) && | |
1320 | (s->state <= SSL3_ST_CR_SRVR_HELLO_A) | |
1321 | ) || ((s->state & SSL_ST_ACCEPT) && | |
1322 | (s->state <= SSL3_ST_SW_HELLO_REQ_A) && | |
1323 | (s->state >= SSL3_ST_SR_CLNT_HELLO_A) | |
1324 | ) | |
1325 | )) { | |
1326 | s->s3->in_read_app_data = 2; | |
1327 | return (-1); | |
1328 | } else { | |
1329 | al = SSL_AD_UNEXPECTED_MESSAGE; | |
1330 | SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD); | |
1331 | goto f_err; | |
1332 | } | |
1333 | } | |
1334 | /* not reached */ | |
1335 | ||
1336 | f_err: | |
1337 | ssl3_send_alert(s, SSL3_AL_FATAL, al); | |
1338 | err: | |
1339 | return (-1); | |
1340 | } | |
1341 | ||
1342 | int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len) | |
1343 | { | |
1344 | int i; | |
36d16f8e | 1345 | |
7e159e01 | 1346 | #ifndef OPENSSL_NO_SCTP |
0f113f3e MC |
1347 | /* |
1348 | * Check if we have to continue an interrupted handshake for reading | |
1349 | * belated app data with SCTP. | |
1350 | */ | |
1351 | if ((SSL_in_init(s) && !s->in_handshake) || | |
1352 | (BIO_dgram_is_sctp(SSL_get_wbio(s)) && | |
1353 | (s->state == DTLS1_SCTP_ST_SR_READ_SOCK | |
1354 | || s->state == DTLS1_SCTP_ST_CR_READ_SOCK))) | |
7e159e01 | 1355 | #else |
0f113f3e | 1356 | if (SSL_in_init(s) && !s->in_handshake) |
7e159e01 | 1357 | #endif |
0f113f3e MC |
1358 | { |
1359 | i = s->handshake_func(s); | |
1360 | if (i < 0) | |
1361 | return (i); | |
1362 | if (i == 0) { | |
1363 | SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES, | |
1364 | SSL_R_SSL_HANDSHAKE_FAILURE); | |
1365 | return -1; | |
1366 | } | |
1367 | } | |
1368 | ||
1369 | if (len > SSL3_RT_MAX_PLAIN_LENGTH) { | |
1370 | SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES, SSL_R_DTLS_MESSAGE_TOO_BIG); | |
1371 | return -1; | |
1372 | } | |
1373 | ||
1374 | i = dtls1_write_bytes(s, type, buf_, len); | |
1375 | return i; | |
1376 | } | |
1377 | ||
1378 | /* | |
1379 | * this only happens when a client hello is received and a handshake | |
1380 | * is started. | |
1381 | */ | |
36d16f8e | 1382 | static int |
0f113f3e MC |
1383 | have_handshake_fragment(SSL *s, int type, unsigned char *buf, |
1384 | int len, int peek) | |
1385 | { | |
1386 | ||
1387 | if ((type == SSL3_RT_HANDSHAKE) && (s->d1->handshake_fragment_len > 0)) | |
1388 | /* (partially) satisfy request from storage */ | |
1389 | { | |
1390 | unsigned char *src = s->d1->handshake_fragment; | |
1391 | unsigned char *dst = buf; | |
1392 | unsigned int k, n; | |
1393 | ||
1394 | /* peek == 0 */ | |
1395 | n = 0; | |
1396 | while ((len > 0) && (s->d1->handshake_fragment_len > 0)) { | |
1397 | *dst++ = *src++; | |
1398 | len--; | |
1399 | s->d1->handshake_fragment_len--; | |
1400 | n++; | |
1401 | } | |
1402 | /* move any remaining fragment bytes: */ | |
1403 | for (k = 0; k < s->d1->handshake_fragment_len; k++) | |
1404 | s->d1->handshake_fragment[k] = *src++; | |
1405 | return n; | |
1406 | } | |
1407 | ||
1408 | return 0; | |
1409 | } | |
1410 | ||
1411 | /* | |
1412 | * Call this to write data in records of type 'type' It will return <= 0 if | |
1413 | * not all data has been sent or non-blocking IO. | |
36d16f8e | 1414 | */ |
480b9e5d | 1415 | int dtls1_write_bytes(SSL *s, int type, const void *buf, int len) |
0f113f3e MC |
1416 | { |
1417 | int i; | |
1418 | ||
1419 | OPENSSL_assert(len <= SSL3_RT_MAX_PLAIN_LENGTH); | |
1420 | s->rwstate = SSL_NOTHING; | |
1421 | i = do_dtls1_write(s, type, buf, len, 0); | |
1422 | return i; | |
1423 | } | |
1424 | ||
1425 | int do_dtls1_write(SSL *s, int type, const unsigned char *buf, | |
1426 | unsigned int len, int create_empty_fragment) | |
1427 | { | |
1428 | unsigned char *p, *pseq; | |
1429 | int i, mac_size, clear = 0; | |
1430 | int prefix_len = 0; | |
1431 | int eivlen; | |
1432 | SSL3_RECORD *wr; | |
1433 | SSL3_BUFFER *wb; | |
1434 | SSL_SESSION *sess; | |
1435 | ||
1436 | /* | |
1437 | * first check if there is a SSL3_BUFFER still being written out. This | |
1438 | * will happen with non blocking IO | |
1439 | */ | |
1440 | if (s->s3->wbuf.left != 0) { | |
1441 | OPENSSL_assert(0); /* XDTLS: want to see if we ever get here */ | |
1442 | return (ssl3_write_pending(s, type, buf, len)); | |
1443 | } | |
1444 | ||
1445 | /* If we have an alert to send, lets send it */ | |
1446 | if (s->s3->alert_dispatch) { | |
1447 | i = s->method->ssl_dispatch_alert(s); | |
1448 | if (i <= 0) | |
1449 | return (i); | |
1450 | /* if it went, fall through and send more stuff */ | |
1451 | } | |
1452 | ||
1453 | if (len == 0 && !create_empty_fragment) | |
1454 | return 0; | |
1455 | ||
1456 | wr = &(s->s3->wrec); | |
1457 | wb = &(s->s3->wbuf); | |
1458 | sess = s->session; | |
1459 | ||
1460 | if ((sess == NULL) || | |
1461 | (s->enc_write_ctx == NULL) || (EVP_MD_CTX_md(s->write_hash) == NULL)) | |
1462 | clear = 1; | |
1463 | ||
1464 | if (clear) | |
1465 | mac_size = 0; | |
1466 | else { | |
1467 | mac_size = EVP_MD_CTX_size(s->write_hash); | |
1468 | if (mac_size < 0) | |
1469 | goto err; | |
1470 | } | |
1471 | ||
0f113f3e MC |
1472 | p = wb->buf + prefix_len; |
1473 | ||
1474 | /* write the header */ | |
1475 | ||
1476 | *(p++) = type & 0xff; | |
1477 | wr->type = type; | |
1478 | /* | |
1479 | * Special case: for hello verify request, client version 1.0 and we | |
1480 | * haven't decided which version to use yet send back using version 1.0 | |
1481 | * header: otherwise some clients will ignore it. | |
1482 | */ | |
1483 | if (s->method->version == DTLS_ANY_VERSION) { | |
1484 | *(p++) = DTLS1_VERSION >> 8; | |
1485 | *(p++) = DTLS1_VERSION & 0xff; | |
1486 | } else { | |
1487 | *(p++) = s->version >> 8; | |
1488 | *(p++) = s->version & 0xff; | |
1489 | } | |
1490 | ||
1491 | /* field where we are to write out packet epoch, seq num and len */ | |
1492 | pseq = p; | |
1493 | p += 10; | |
1494 | ||
1495 | /* Explicit IV length, block ciphers appropriate version flag */ | |
1496 | if (s->enc_write_ctx) { | |
1497 | int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx); | |
1498 | if (mode == EVP_CIPH_CBC_MODE) { | |
1499 | eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx); | |
1500 | if (eivlen <= 1) | |
1501 | eivlen = 0; | |
1502 | } | |
1503 | /* Need explicit part of IV for GCM mode */ | |
1504 | else if (mode == EVP_CIPH_GCM_MODE) | |
1505 | eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN; | |
1506 | else | |
1507 | eivlen = 0; | |
1508 | } else | |
1509 | eivlen = 0; | |
1510 | ||
1511 | /* lets setup the record stuff. */ | |
1512 | wr->data = p + eivlen; /* make room for IV in case of CBC */ | |
1513 | wr->length = (int)len; | |
1514 | wr->input = (unsigned char *)buf; | |
1515 | ||
1516 | /* | |
1517 | * we now 'read' from wr->input, wr->length bytes into wr->data | |
1518 | */ | |
1519 | ||
1520 | /* first we compress */ | |
1521 | if (s->compress != NULL) { | |
1522 | if (!ssl3_do_compress(s)) { | |
1523 | SSLerr(SSL_F_DO_DTLS1_WRITE, SSL_R_COMPRESSION_FAILURE); | |
1524 | goto err; | |
1525 | } | |
1526 | } else { | |
1527 | memcpy(wr->data, wr->input, wr->length); | |
1528 | wr->input = wr->data; | |
1529 | } | |
36d16f8e | 1530 | |
0f113f3e MC |
1531 | /* |
1532 | * we should still have the output to wr->data and the input from | |
1533 | * wr->input. Length should be wr->length. wr->data still points in the | |
1534 | * wb->buf | |
1535 | */ | |
36d16f8e | 1536 | |
0f113f3e MC |
1537 | if (mac_size != 0) { |
1538 | if (s->method->ssl3_enc->mac(s, &(p[wr->length + eivlen]), 1) < 0) | |
1539 | goto err; | |
1540 | wr->length += mac_size; | |
1541 | } | |
36d16f8e | 1542 | |
0f113f3e MC |
1543 | /* this is true regardless of mac size */ |
1544 | wr->input = p; | |
1545 | wr->data = p; | |
36d16f8e | 1546 | |
0f113f3e MC |
1547 | if (eivlen) |
1548 | wr->length += eivlen; | |
36d16f8e | 1549 | |
0f113f3e MC |
1550 | if (s->method->ssl3_enc->enc(s, 1) < 1) |
1551 | goto err; | |
36d16f8e | 1552 | |
0f113f3e MC |
1553 | /* record length after mac and block padding */ |
1554 | /* | |
1555 | * if (type == SSL3_RT_APPLICATION_DATA || (type == SSL3_RT_ALERT && ! | |
1556 | * SSL_in_init(s))) | |
1557 | */ | |
36d16f8e | 1558 | |
0f113f3e | 1559 | /* there's only one epoch between handshake and app data */ |
36d16f8e | 1560 | |
0f113f3e | 1561 | s2n(s->d1->w_epoch, pseq); |
36d16f8e | 1562 | |
0f113f3e MC |
1563 | /* XDTLS: ?? */ |
1564 | /* | |
1565 | * else s2n(s->d1->handshake_epoch, pseq); | |
1566 | */ | |
36d16f8e | 1567 | |
0f113f3e MC |
1568 | memcpy(pseq, &(s->s3->write_sequence[2]), 6); |
1569 | pseq += 6; | |
1570 | s2n(wr->length, pseq); | |
36d16f8e | 1571 | |
0f113f3e MC |
1572 | if (s->msg_callback) |
1573 | s->msg_callback(1, 0, SSL3_RT_HEADER, pseq - DTLS1_RT_HEADER_LENGTH, | |
1574 | DTLS1_RT_HEADER_LENGTH, s, s->msg_callback_arg); | |
36d16f8e | 1575 | |
0f113f3e MC |
1576 | /* |
1577 | * we should now have wr->data pointing to the encrypted data, which is | |
1578 | * wr->length long | |
1579 | */ | |
1580 | wr->type = type; /* not needed but helps for debugging */ | |
1581 | wr->length += DTLS1_RT_HEADER_LENGTH; | |
36d16f8e | 1582 | |
0f113f3e | 1583 | ssl3_record_sequence_update(&(s->s3->write_sequence[0])); |
36d16f8e | 1584 | |
0f113f3e MC |
1585 | if (create_empty_fragment) { |
1586 | /* | |
1587 | * we are in a recursive call; just return the length, don't write | |
1588 | * out anything here | |
1589 | */ | |
1590 | return wr->length; | |
1591 | } | |
36d16f8e | 1592 | |
0f113f3e MC |
1593 | /* now let's set up wb */ |
1594 | wb->left = prefix_len + wr->length; | |
1595 | wb->offset = 0; | |
1596 | ||
1597 | /* | |
1598 | * memorize arguments so that ssl3_write_pending can detect bad write | |
1599 | * retries later | |
1600 | */ | |
1601 | s->s3->wpend_tot = len; | |
1602 | s->s3->wpend_buf = buf; | |
1603 | s->s3->wpend_type = type; | |
1604 | s->s3->wpend_ret = len; | |
1605 | ||
1606 | /* we now just need to write the buffer */ | |
1607 | return ssl3_write_pending(s, type, buf, len); | |
1608 | err: | |
1609 | return -1; | |
1610 | } | |
36d16f8e | 1611 | |
0f113f3e MC |
1612 | static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap) |
1613 | { | |
1614 | int cmp; | |
1615 | unsigned int shift; | |
1616 | const unsigned char *seq = s->s3->read_sequence; | |
1617 | ||
1618 | cmp = satsub64be(seq, bitmap->max_seq_num); | |
1619 | if (cmp > 0) { | |
1620 | memcpy(s->s3->rrec.seq_num, seq, 8); | |
1621 | return 1; /* this record in new */ | |
1622 | } | |
1623 | shift = -cmp; | |
1624 | if (shift >= sizeof(bitmap->map) * 8) | |
1625 | return 0; /* stale, outside the window */ | |
1626 | else if (bitmap->map & (1UL << shift)) | |
1627 | return 0; /* record previously received */ | |
1628 | ||
1629 | memcpy(s->s3->rrec.seq_num, seq, 8); | |
1630 | return 1; | |
1631 | } | |
1632 | ||
1633 | static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap) | |
1634 | { | |
1635 | int cmp; | |
1636 | unsigned int shift; | |
1637 | const unsigned char *seq = s->s3->read_sequence; | |
1638 | ||
1639 | cmp = satsub64be(seq, bitmap->max_seq_num); | |
1640 | if (cmp > 0) { | |
1641 | shift = cmp; | |
1642 | if (shift < sizeof(bitmap->map) * 8) | |
1643 | bitmap->map <<= shift, bitmap->map |= 1UL; | |
1644 | else | |
1645 | bitmap->map = 1UL; | |
1646 | memcpy(bitmap->max_seq_num, seq, 8); | |
1647 | } else { | |
1648 | shift = -cmp; | |
1649 | if (shift < sizeof(bitmap->map) * 8) | |
1650 | bitmap->map |= 1UL << shift; | |
1651 | } | |
1652 | } | |
1653 | ||
1654 | int dtls1_dispatch_alert(SSL *s) | |
1655 | { | |
1656 | int i, j; | |
1657 | void (*cb) (const SSL *ssl, int type, int val) = NULL; | |
1658 | unsigned char buf[DTLS1_AL_HEADER_LENGTH]; | |
1659 | unsigned char *ptr = &buf[0]; | |
1660 | ||
1661 | s->s3->alert_dispatch = 0; | |
1662 | ||
1663 | memset(buf, 0x00, sizeof(buf)); | |
1664 | *ptr++ = s->s3->send_alert[0]; | |
1665 | *ptr++ = s->s3->send_alert[1]; | |
1666 | ||
1667 | #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE | |
1668 | if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) { | |
1669 | s2n(s->d1->handshake_read_seq, ptr); | |
0f113f3e MC |
1670 | l2n3(s->d1->r_msg_hdr.frag_off, ptr); |
1671 | } | |
01c76c66 | 1672 | #endif |
36d16f8e | 1673 | |
0f113f3e MC |
1674 | i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0); |
1675 | if (i <= 0) { | |
1676 | s->s3->alert_dispatch = 1; | |
1677 | /* fprintf( stderr, "not done with alert\n" ); */ | |
1678 | } else { | |
1679 | if (s->s3->send_alert[0] == SSL3_AL_FATAL | |
01c76c66 | 1680 | #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE |
0f113f3e | 1681 | || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE |
01c76c66 | 1682 | #endif |
0f113f3e MC |
1683 | ) |
1684 | (void)BIO_flush(s->wbio); | |
1685 | ||
1686 | if (s->msg_callback) | |
1687 | s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, | |
1688 | 2, s, s->msg_callback_arg); | |
1689 | ||
1690 | if (s->info_callback != NULL) | |
1691 | cb = s->info_callback; | |
1692 | else if (s->ctx->info_callback != NULL) | |
1693 | cb = s->ctx->info_callback; | |
1694 | ||
1695 | if (cb != NULL) { | |
1696 | j = (s->s3->send_alert[0] << 8) | s->s3->send_alert[1]; | |
1697 | cb(s, SSL_CB_WRITE_ALERT, j); | |
1698 | } | |
1699 | } | |
1700 | return (i); | |
1701 | } | |
1702 | ||
1703 | static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, | |
1704 | unsigned int *is_next_epoch) | |
1705 | { | |
1706 | ||
36d16f8e BL |
1707 | *is_next_epoch = 0; |
1708 | ||
1709 | /* In current epoch, accept HM, CCS, DATA, & ALERT */ | |
1710 | if (rr->epoch == s->d1->r_epoch) | |
1711 | return &s->d1->bitmap; | |
1712 | ||
1713 | /* Only HM and ALERT messages can be from the next epoch */ | |
6c61726b | 1714 | else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) && |
0f113f3e | 1715 | (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) { |
36d16f8e BL |
1716 | *is_next_epoch = 1; |
1717 | return &s->d1->next_bitmap; | |
0f113f3e | 1718 | } |
36d16f8e BL |
1719 | |
1720 | return NULL; | |
0f113f3e | 1721 | } |
36d16f8e | 1722 | |
0f113f3e MC |
1723 | void dtls1_reset_seq_numbers(SSL *s, int rw) |
1724 | { | |
1725 | unsigned char *seq; | |
1726 | unsigned int seq_bytes = sizeof(s->s3->read_sequence); | |
1727 | ||
1728 | if (rw & SSL3_CC_READ) { | |
1729 | seq = s->s3->read_sequence; | |
1730 | s->d1->r_epoch++; | |
1731 | memcpy(&(s->d1->bitmap), &(s->d1->next_bitmap), sizeof(DTLS1_BITMAP)); | |
1732 | memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP)); | |
1733 | } else { | |
1734 | seq = s->s3->write_sequence; | |
1735 | memcpy(s->d1->last_write_sequence, seq, | |
1736 | sizeof(s->s3->write_sequence)); | |
1737 | s->d1->w_epoch++; | |
1738 | } | |
1739 | ||
1740 | memset(seq, 0x00, seq_bytes); | |
1741 | } |