3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
6 /* ====================================================================
7 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * openssl-core@openssl.org.
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
35 * 6. Redistributions of any form whatsoever must retain the following
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
59 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
60 * All rights reserved.
62 * This package is an SSL implementation written
63 * by Eric Young (eay@cryptsoft.com).
64 * The implementation was written so as to conform with Netscapes SSL.
66 * This library is free for commercial and non-commercial use as long as
67 * the following conditions are aheared to. The following conditions
68 * apply to all code found in this distribution, be it the RC4, RSA,
69 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
70 * included with this distribution is covered by the same copyright terms
71 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
73 * Copyright remains Eric Young's, and as such any Copyright notices in
74 * the code are not to be removed.
75 * If this package is used in a product, Eric Young should be given attribution
76 * as the author of the parts of the library used.
77 * This can be in the form of a textual message at program startup or
78 * in documentation (online or textual) provided with the package.
80 * Redistribution and use in source and binary forms, with or without
81 * modification, are permitted provided that the following conditions
83 * 1. Redistributions of source code must retain the copyright
84 * notice, this list of conditions and the following disclaimer.
85 * 2. Redistributions in binary form must reproduce the above copyright
86 * notice, this list of conditions and the following disclaimer in the
87 * documentation and/or other materials provided with the distribution.
88 * 3. All advertising materials mentioning features or use of this software
89 * must display the following acknowledgement:
90 * "This product includes cryptographic software written by
91 * Eric Young (eay@cryptsoft.com)"
92 * The word 'cryptographic' can be left out if the rouines from the library
93 * being used are not cryptographic related :-).
94 * 4. If you include any Windows specific code (or a derivative thereof) from
95 * the apps directory (application code) you must include an acknowledgement:
96 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
98 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
99 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
100 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
101 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
102 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
103 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
104 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
105 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
106 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
107 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
110 * The licence and distribution terms for any publically available version or
111 * derivative of this code cannot be changed. i.e. this code cannot simply be
112 * copied and put under another distribution licence
113 * [including the GNU Public Licence.]
119 #include "ssl_locl.h"
120 #include <openssl/evp.h>
121 #include <openssl/buffer.h>
122 #include <openssl/pqueue.h>
123 #include <openssl/rand.h>
125 /* mod 128 saturating subtract of two 64-bit values in big-endian order */
126 static int satsub64be(const unsigned char *v1
, const unsigned char *v2
)
128 int ret
, sat
, brw
, i
;
130 if (sizeof(long) == 8)
140 if (is_endian
.little
)
142 /* not reached on little-endians */
144 * following test is redundant, because input is always aligned,
145 * but I take no chances...
147 if (((size_t)v1
| (size_t)v2
) & 0x7)
160 ret
= (int)v1
[7] - (int)v2
[7];
162 brw
= ret
>> 8; /* brw is either 0 or -1 */
164 for (i
= 6; i
>= 0; i
--) {
165 brw
+= (int)v1
[i
] - (int)v2
[i
];
170 for (i
= 6; i
>= 0; i
--) {
171 brw
+= (int)v1
[i
] - (int)v2
[i
];
176 brw
<<= 8; /* brw is either 0 or -256 */
181 return brw
+ (ret
& 0xFF);
184 static int have_handshake_fragment(SSL
*s
, int type
, unsigned char *buf
,
186 static int dtls1_record_replay_check(SSL
*s
, DTLS1_BITMAP
*bitmap
);
187 static void dtls1_record_bitmap_update(SSL
*s
, DTLS1_BITMAP
*bitmap
);
188 static DTLS1_BITMAP
*dtls1_get_bitmap(SSL
*s
, SSL3_RECORD
*rr
,
189 unsigned int *is_next_epoch
);
190 static int dtls1_buffer_record(SSL
*s
, record_pqueue
*q
,
191 unsigned char *priority
);
192 static int dtls1_process_record(SSL
*s
);
194 /* copy buffered record into SSL structure */
195 static int dtls1_copy_record(SSL
*s
, pitem
*item
)
197 DTLS1_RECORD_DATA
*rdata
;
199 rdata
= (DTLS1_RECORD_DATA
*)item
->data
;
201 if (s
->s3
->rbuf
.buf
!= NULL
)
202 OPENSSL_free(s
->s3
->rbuf
.buf
);
204 s
->packet
= rdata
->packet
;
205 s
->packet_length
= rdata
->packet_length
;
206 memcpy(&(s
->s3
->rbuf
), &(rdata
->rbuf
), sizeof(SSL3_BUFFER
));
207 memcpy(&(s
->s3
->rrec
), &(rdata
->rrec
), sizeof(SSL3_RECORD
));
209 /* Set proper sequence number for mac calculation */
210 memcpy(&(s
->s3
->read_sequence
[2]), &(rdata
->packet
[5]), 6);
216 dtls1_buffer_record(SSL
*s
, record_pqueue
*queue
, unsigned char *priority
)
218 DTLS1_RECORD_DATA
*rdata
;
221 /* Limit the size of the queue to prevent DOS attacks */
222 if (pqueue_size(queue
->q
) >= 100)
225 rdata
= OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA
));
226 item
= pitem_new(priority
, rdata
);
227 if (rdata
== NULL
|| item
== NULL
) {
233 SSLerr(SSL_F_DTLS1_BUFFER_RECORD
, ERR_R_INTERNAL_ERROR
);
237 rdata
->packet
= s
->packet
;
238 rdata
->packet_length
= s
->packet_length
;
239 memcpy(&(rdata
->rbuf
), &(s
->s3
->rbuf
), sizeof(SSL3_BUFFER
));
240 memcpy(&(rdata
->rrec
), &(s
->s3
->rrec
), sizeof(SSL3_RECORD
));
244 #ifndef OPENSSL_NO_SCTP
245 /* Store bio_dgram_sctp_rcvinfo struct */
246 if (BIO_dgram_is_sctp(SSL_get_rbio(s
)) &&
247 (s
->state
== SSL3_ST_SR_FINISHED_A
248 || s
->state
== SSL3_ST_CR_FINISHED_A
)) {
249 BIO_ctrl(SSL_get_rbio(s
), BIO_CTRL_DGRAM_SCTP_GET_RCVINFO
,
250 sizeof(rdata
->recordinfo
), &rdata
->recordinfo
);
255 s
->packet_length
= 0;
256 memset(&(s
->s3
->rbuf
), 0, sizeof(SSL3_BUFFER
));
257 memset(&(s
->s3
->rrec
), 0, sizeof(SSL3_RECORD
));
259 if (!ssl3_setup_buffers(s
)) {
260 SSLerr(SSL_F_DTLS1_BUFFER_RECORD
, ERR_R_INTERNAL_ERROR
);
261 if (rdata
->rbuf
.buf
!= NULL
)
262 OPENSSL_free(rdata
->rbuf
.buf
);
268 /* insert should not fail, since duplicates are dropped */
269 if (pqueue_insert(queue
->q
, item
) == NULL
) {
270 SSLerr(SSL_F_DTLS1_BUFFER_RECORD
, ERR_R_INTERNAL_ERROR
);
271 if (rdata
->rbuf
.buf
!= NULL
)
272 OPENSSL_free(rdata
->rbuf
.buf
);
281 static int dtls1_retrieve_buffered_record(SSL
*s
, record_pqueue
*queue
)
285 item
= pqueue_pop(queue
->q
);
287 dtls1_copy_record(s
, item
);
289 OPENSSL_free(item
->data
);
299 * retrieve a buffered record that belongs to the new epoch, i.e., not
302 #define dtls1_get_unprocessed_record(s) \
303 dtls1_retrieve_buffered_record((s), \
304 &((s)->d1->unprocessed_rcds))
307 * retrieve a buffered record that belongs to the current epoch, ie,
310 #define dtls1_get_processed_record(s) \
311 dtls1_retrieve_buffered_record((s), \
312 &((s)->d1->processed_rcds))
314 static int dtls1_process_buffered_records(SSL
*s
)
318 item
= pqueue_peek(s
->d1
->unprocessed_rcds
.q
);
320 /* Check if epoch is current. */
321 if (s
->d1
->unprocessed_rcds
.epoch
!= s
->d1
->r_epoch
)
322 return (1); /* Nothing to do. */
324 /* Process all the records. */
325 while (pqueue_peek(s
->d1
->unprocessed_rcds
.q
)) {
326 dtls1_get_unprocessed_record(s
);
327 if (!dtls1_process_record(s
))
329 if (dtls1_buffer_record(s
, &(s
->d1
->processed_rcds
),
330 s
->s3
->rrec
.seq_num
) < 0)
336 * sync epoch numbers once all the unprocessed records have been
339 s
->d1
->processed_rcds
.epoch
= s
->d1
->r_epoch
;
340 s
->d1
->unprocessed_rcds
.epoch
= s
->d1
->r_epoch
+ 1;
345 static int dtls1_process_record(SSL
*s
)
351 unsigned int mac_size
;
352 unsigned char md
[EVP_MAX_MD_SIZE
];
358 * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
359 * and we have that many bytes in s->packet
361 rr
->input
= &(s
->packet
[DTLS1_RT_HEADER_LENGTH
]);
364 * ok, we can now read from 's->packet' data into 'rr' rr->input points
365 * at rr->length bytes, which need to be copied into rr->data by either
366 * the decryption or by the decompression When the data is 'copied' into
367 * the rr->data buffer, rr->input will be pointed at the new buffer
371 * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
372 * bytes of encrypted compressed stuff.
375 /* check is not needed I believe */
376 if (rr
->length
> SSL3_RT_MAX_ENCRYPTED_LENGTH
) {
377 al
= SSL_AD_RECORD_OVERFLOW
;
378 SSLerr(SSL_F_DTLS1_PROCESS_RECORD
, SSL_R_ENCRYPTED_LENGTH_TOO_LONG
);
382 /* decrypt in place in 'rr->input' */
383 rr
->data
= rr
->input
;
384 rr
->orig_len
= rr
->length
;
386 enc_err
= s
->method
->ssl3_enc
->enc(s
, 0);
389 * 0: (in non-constant time) if the record is publically invalid.
390 * 1: if the padding is valid
391 * -1: if the padding is invalid
394 /* For DTLS we simply ignore bad packets. */
396 s
->packet_length
= 0;
400 printf("dec %d\n", rr
->length
);
403 for (z
= 0; z
< rr
->length
; z
++)
404 printf("%02X%c", rr
->data
[z
], ((z
+ 1) % 16) ? ' ' : '\n');
409 /* r->length is now the compressed data plus mac */
410 if ((sess
!= NULL
) &&
411 (s
->enc_read_ctx
!= NULL
) && (EVP_MD_CTX_md(s
->read_hash
) != NULL
)) {
412 /* s->read_hash != NULL => mac_size != -1 */
413 unsigned char *mac
= NULL
;
414 unsigned char mac_tmp
[EVP_MAX_MD_SIZE
];
415 mac_size
= EVP_MD_CTX_size(s
->read_hash
);
416 OPENSSL_assert(mac_size
<= EVP_MAX_MD_SIZE
);
419 * orig_len is the length of the record before any padding was
420 * removed. This is public information, as is the MAC in use,
421 * therefore we can safely process the record in a different amount
422 * of time if it's too short to possibly contain a MAC.
424 if (rr
->orig_len
< mac_size
||
425 /* CBC records must have a padding length byte too. */
426 (EVP_CIPHER_CTX_mode(s
->enc_read_ctx
) == EVP_CIPH_CBC_MODE
&&
427 rr
->orig_len
< mac_size
+ 1)) {
428 al
= SSL_AD_DECODE_ERROR
;
429 SSLerr(SSL_F_DTLS1_PROCESS_RECORD
, SSL_R_LENGTH_TOO_SHORT
);
433 if (EVP_CIPHER_CTX_mode(s
->enc_read_ctx
) == EVP_CIPH_CBC_MODE
) {
435 * We update the length so that the TLS header bytes can be
436 * constructed correctly but we need to extract the MAC in
437 * constant time from within the record, without leaking the
438 * contents of the padding bytes.
441 ssl3_cbc_copy_mac(mac_tmp
, rr
, mac_size
);
442 rr
->length
-= mac_size
;
445 * In this case there's no padding, so |rec->orig_len| equals
446 * |rec->length| and we checked that there's enough bytes for
449 rr
->length
-= mac_size
;
450 mac
= &rr
->data
[rr
->length
];
453 i
= s
->method
->ssl3_enc
->mac(s
, md
, 0 /* not send */ );
454 if (i
< 0 || mac
== NULL
455 || CRYPTO_memcmp(md
, mac
, (size_t)mac_size
) != 0)
457 if (rr
->length
> SSL3_RT_MAX_COMPRESSED_LENGTH
+ mac_size
)
462 /* decryption failed, silently discard message */
464 s
->packet_length
= 0;
468 /* r->length is now just compressed */
469 if (s
->expand
!= NULL
) {
470 if (rr
->length
> SSL3_RT_MAX_COMPRESSED_LENGTH
) {
471 al
= SSL_AD_RECORD_OVERFLOW
;
472 SSLerr(SSL_F_DTLS1_PROCESS_RECORD
,
473 SSL_R_COMPRESSED_LENGTH_TOO_LONG
);
476 if (!ssl3_do_uncompress(s
)) {
477 al
= SSL_AD_DECOMPRESSION_FAILURE
;
478 SSLerr(SSL_F_DTLS1_PROCESS_RECORD
, SSL_R_BAD_DECOMPRESSION
);
483 if (rr
->length
> SSL3_RT_MAX_PLAIN_LENGTH
) {
484 al
= SSL_AD_RECORD_OVERFLOW
;
485 SSLerr(SSL_F_DTLS1_PROCESS_RECORD
, SSL_R_DATA_LENGTH_TOO_LONG
);
491 * So at this point the following is true
492 * ssl->s3->rrec.type is the type of record
493 * ssl->s3->rrec.length == number of bytes in record
494 * ssl->s3->rrec.off == offset to first valid byte
495 * ssl->s3->rrec.data == where to take bytes from, increment
499 /* we have pulled in a full packet so zero things */
500 s
->packet_length
= 0;
504 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
510 * Call this to get a new input record.
511 * It will return <= 0 if more data is needed, normally due to an error
512 * or non-blocking IO.
513 * When it finishes, one packet has been decoded and can be found in
514 * ssl->s3->rrec.type - is the type of record
515 * ssl->s3->rrec.data, - data
516 * ssl->s3->rrec.length, - number of bytes
518 /* used only by dtls1_read_bytes */
519 int dtls1_get_record(SSL
*s
)
521 int ssl_major
, ssl_minor
;
524 unsigned char *p
= NULL
;
525 unsigned short version
;
526 DTLS1_BITMAP
*bitmap
;
527 unsigned int is_next_epoch
;
532 * The epoch may have changed. If so, process all the pending records.
533 * This is a non-blocking operation.
535 if (dtls1_process_buffered_records(s
) < 0)
538 /* if we're renegotiating, then there may be buffered records */
539 if (dtls1_get_processed_record(s
))
542 /* get something from the wire */
544 /* check if we have the header */
545 if ((s
->rstate
!= SSL_ST_READ_BODY
) ||
546 (s
->packet_length
< DTLS1_RT_HEADER_LENGTH
)) {
547 n
= ssl3_read_n(s
, DTLS1_RT_HEADER_LENGTH
, s
->s3
->rbuf
.len
, 0);
548 /* read timeout is handled by dtls1_read_bytes */
550 return (n
); /* error or non-blocking */
552 /* this packet contained a partial record, dump it */
553 if (s
->packet_length
!= DTLS1_RT_HEADER_LENGTH
) {
554 s
->packet_length
= 0;
558 s
->rstate
= SSL_ST_READ_BODY
;
563 s
->msg_callback(0, 0, SSL3_RT_HEADER
, p
, DTLS1_RT_HEADER_LENGTH
,
564 s
, s
->msg_callback_arg
);
566 /* Pull apart the header into the DTLS1_RECORD */
570 version
= (ssl_major
<< 8) | ssl_minor
;
572 /* sequence number is 64 bits, with top 2 bytes = epoch */
575 memcpy(&(s
->s3
->read_sequence
[2]), p
, 6);
580 /* Lets check version */
581 if (!s
->first_packet
) {
582 if (version
!= s
->version
) {
583 /* unexpected version, silently discard */
585 s
->packet_length
= 0;
590 if ((version
& 0xff00) != (s
->version
& 0xff00)) {
591 /* wrong version, silently discard record */
593 s
->packet_length
= 0;
597 if (rr
->length
> SSL3_RT_MAX_ENCRYPTED_LENGTH
) {
598 /* record too long, silently discard it */
600 s
->packet_length
= 0;
604 /* now s->rstate == SSL_ST_READ_BODY */
607 /* s->rstate == SSL_ST_READ_BODY, get and decode the data */
609 if (rr
->length
> s
->packet_length
- DTLS1_RT_HEADER_LENGTH
) {
610 /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
612 n
= ssl3_read_n(s
, i
, i
, 1);
613 /* this packet contained a partial record, dump it */
616 s
->packet_length
= 0;
621 * now n == rr->length, and s->packet_length ==
622 * DTLS1_RT_HEADER_LENGTH + rr->length
625 s
->rstate
= SSL_ST_READ_HEADER
; /* set state for later operations */
627 /* match epochs. NULL means the packet is dropped on the floor */
628 bitmap
= dtls1_get_bitmap(s
, rr
, &is_next_epoch
);
629 if (bitmap
== NULL
) {
631 s
->packet_length
= 0; /* dump this record */
632 goto again
; /* get another record */
634 #ifndef OPENSSL_NO_SCTP
635 /* Only do replay check if no SCTP bio */
636 if (!BIO_dgram_is_sctp(SSL_get_rbio(s
))) {
639 * Check whether this is a repeat, or aged record. Don't check if
640 * we're listening and this message is a ClientHello. They can look
641 * as if they're replayed, since they arrive from different
642 * connections and would be dropped unnecessarily.
644 if (!(s
->d1
->listen
&& rr
->type
== SSL3_RT_HANDSHAKE
&&
645 s
->packet_length
> DTLS1_RT_HEADER_LENGTH
&&
646 s
->packet
[DTLS1_RT_HEADER_LENGTH
] == SSL3_MT_CLIENT_HELLO
) &&
647 !dtls1_record_replay_check(s
, bitmap
)) {
649 s
->packet_length
= 0; /* dump this record */
650 goto again
; /* get another record */
652 #ifndef OPENSSL_NO_SCTP
656 /* just read a 0 length packet */
661 * If this record is from the next epoch (either HM or ALERT), and a
662 * handshake is currently in progress, buffer it since it cannot be
663 * processed at this time. However, do not buffer anything while
667 if ((SSL_in_init(s
) || s
->in_handshake
) && !s
->d1
->listen
) {
668 if (dtls1_buffer_record
669 (s
, &(s
->d1
->unprocessed_rcds
), rr
->seq_num
) < 0)
671 /* Mark receipt of record. */
672 dtls1_record_bitmap_update(s
, bitmap
);
675 s
->packet_length
= 0;
679 if (!dtls1_process_record(s
)) {
681 s
->packet_length
= 0; /* dump this record */
682 goto again
; /* get another record */
684 dtls1_record_bitmap_update(s
, bitmap
); /* Mark receipt of record. */
691 * Return up to 'len' payload bytes received in 'type' records.
692 * 'type' is one of the following:
694 * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
695 * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
696 * - 0 (during a shutdown, no data has to be returned)
698 * If we don't have stored data to work from, read a SSL/TLS record first
699 * (possibly multiple records if we still don't have anything to return).
701 * This function must handle any surprises the peer may have for us, such as
702 * Alert records (e.g. close_notify), ChangeCipherSpec records (not really
703 * a surprise, but handled as if it were), or renegotiation requests.
704 * Also if record payloads contain fragments too small to process, we store
705 * them until there is enough for the respective protocol (the record protocol
706 * may use arbitrary fragmentation and even interleaving):
707 * Change cipher spec protocol
708 * just 1 byte needed, no need for keeping anything stored
710 * 2 bytes needed (AlertLevel, AlertDescription)
712 * 4 bytes needed (HandshakeType, uint24 length) -- we just have
713 * to detect unexpected Client Hello and Hello Request messages
714 * here, anything else is handled by higher layers
715 * Application data protocol
716 * none of our business
718 int dtls1_read_bytes(SSL
*s
, int type
, unsigned char *buf
, int len
, int peek
)
723 void (*cb
) (const SSL
*ssl
, int type2
, int val
) = NULL
;
725 if (s
->s3
->rbuf
.buf
== NULL
) /* Not initialized yet */
726 if (!ssl3_setup_buffers(s
))
729 if ((type
&& (type
!= SSL3_RT_APPLICATION_DATA
) &&
730 (type
!= SSL3_RT_HANDSHAKE
)) ||
731 (peek
&& (type
!= SSL3_RT_APPLICATION_DATA
))) {
732 SSLerr(SSL_F_DTLS1_READ_BYTES
, ERR_R_INTERNAL_ERROR
);
737 * check whether there's a handshake message (client hello?) waiting
739 if ((ret
= have_handshake_fragment(s
, type
, buf
, len
, peek
)))
743 * Now s->d1->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE.
746 #ifndef OPENSSL_NO_SCTP
748 * Continue handshake if it had to be interrupted to read app data with
751 if ((!s
->in_handshake
&& SSL_in_init(s
)) ||
752 (BIO_dgram_is_sctp(SSL_get_rbio(s
)) &&
753 (s
->state
== DTLS1_SCTP_ST_SR_READ_SOCK
754 || s
->state
== DTLS1_SCTP_ST_CR_READ_SOCK
)
755 && s
->s3
->in_read_app_data
!= 2))
757 if (!s
->in_handshake
&& SSL_in_init(s
))
760 /* type == SSL3_RT_APPLICATION_DATA */
761 i
= s
->handshake_func(s
);
765 SSLerr(SSL_F_DTLS1_READ_BYTES
, SSL_R_SSL_HANDSHAKE_FAILURE
);
771 s
->rwstate
= SSL_NOTHING
;
774 * s->s3->rrec.type - is the type of record
775 * s->s3->rrec.data, - data
776 * s->s3->rrec.off, - offset into 'data' for next read
777 * s->s3->rrec.length, - number of bytes.
782 * We are not handshaking and have no data yet, so process data buffered
783 * during the last handshake in advance, if any.
785 if (s
->state
== SSL_ST_OK
&& rr
->length
== 0) {
787 item
= pqueue_pop(s
->d1
->buffered_app_data
.q
);
789 #ifndef OPENSSL_NO_SCTP
790 /* Restore bio_dgram_sctp_rcvinfo struct */
791 if (BIO_dgram_is_sctp(SSL_get_rbio(s
))) {
792 DTLS1_RECORD_DATA
*rdata
= (DTLS1_RECORD_DATA
*)item
->data
;
793 BIO_ctrl(SSL_get_rbio(s
), BIO_CTRL_DGRAM_SCTP_SET_RCVINFO
,
794 sizeof(rdata
->recordinfo
), &rdata
->recordinfo
);
798 dtls1_copy_record(s
, item
);
800 OPENSSL_free(item
->data
);
805 /* Check for timeout */
806 if (dtls1_handle_timeout(s
) > 0)
809 /* get new packet if necessary */
810 if ((rr
->length
== 0) || (s
->rstate
== SSL_ST_READ_BODY
)) {
811 ret
= dtls1_get_record(s
);
813 ret
= dtls1_read_failed(s
, ret
);
814 /* anything other than a timeout is an error */
822 if (s
->d1
->listen
&& rr
->type
!= SSL3_RT_HANDSHAKE
) {
827 /* we now have a packet which can be read and processed */
829 if (s
->s3
->change_cipher_spec
/* set when we receive ChangeCipherSpec,
830 * reset by ssl3_get_finished */
831 && (rr
->type
!= SSL3_RT_HANDSHAKE
)) {
833 * We now have application data between CCS and Finished. Most likely
834 * the packets were reordered on their way, so buffer the application
835 * data for later processing rather than dropping the connection.
837 if (dtls1_buffer_record(s
, &(s
->d1
->buffered_app_data
), rr
->seq_num
) <
839 SSLerr(SSL_F_DTLS1_READ_BYTES
, ERR_R_INTERNAL_ERROR
);
847 * If the other end has shut down, throw anything we read away (even in
850 if (s
->shutdown
& SSL_RECEIVED_SHUTDOWN
) {
852 s
->rwstate
= SSL_NOTHING
;
856 if (type
== rr
->type
) { /* SSL3_RT_APPLICATION_DATA or
857 * SSL3_RT_HANDSHAKE */
859 * make sure that we are not getting application data when we are
860 * doing a handshake for the first time
862 if (SSL_in_init(s
) && (type
== SSL3_RT_APPLICATION_DATA
) &&
863 (s
->enc_read_ctx
== NULL
)) {
864 al
= SSL_AD_UNEXPECTED_MESSAGE
;
865 SSLerr(SSL_F_DTLS1_READ_BYTES
, SSL_R_APP_DATA_IN_HANDSHAKE
);
872 if ((unsigned int)len
> rr
->length
)
875 n
= (unsigned int)len
;
877 memcpy(buf
, &(rr
->data
[rr
->off
]), n
);
881 if (rr
->length
== 0) {
882 s
->rstate
= SSL_ST_READ_HEADER
;
886 #ifndef OPENSSL_NO_SCTP
888 * We were about to renegotiate but had to read belated application
889 * data first, so retry.
891 if (BIO_dgram_is_sctp(SSL_get_rbio(s
)) &&
892 rr
->type
== SSL3_RT_APPLICATION_DATA
&&
893 (s
->state
== DTLS1_SCTP_ST_SR_READ_SOCK
894 || s
->state
== DTLS1_SCTP_ST_CR_READ_SOCK
)) {
895 s
->rwstate
= SSL_READING
;
896 BIO_clear_retry_flags(SSL_get_rbio(s
));
897 BIO_set_retry_read(SSL_get_rbio(s
));
901 * We might had to delay a close_notify alert because of reordered
902 * app data. If there was an alert and there is no message to read
903 * anymore, finally set shutdown.
905 if (BIO_dgram_is_sctp(SSL_get_rbio(s
)) &&
906 s
->d1
->shutdown_received
907 && !BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s
))) {
908 s
->shutdown
|= SSL_RECEIVED_SHUTDOWN
;
916 * If we get here, then type != rr->type; if we have a handshake message,
917 * then it was unexpected (Hello Request or Client Hello).
921 * In case of record types for which we have 'fragment' storage, fill
922 * that so that we can process the data at a fixed place.
925 unsigned int k
, dest_maxlen
= 0;
926 unsigned char *dest
= NULL
;
927 unsigned int *dest_len
= NULL
;
929 if (rr
->type
== SSL3_RT_HANDSHAKE
) {
930 dest_maxlen
= sizeof s
->d1
->handshake_fragment
;
931 dest
= s
->d1
->handshake_fragment
;
932 dest_len
= &s
->d1
->handshake_fragment_len
;
933 } else if (rr
->type
== SSL3_RT_ALERT
) {
934 dest_maxlen
= sizeof(s
->d1
->alert_fragment
);
935 dest
= s
->d1
->alert_fragment
;
936 dest_len
= &s
->d1
->alert_fragment_len
;
938 #ifndef OPENSSL_NO_HEARTBEATS
939 else if (rr
->type
== TLS1_RT_HEARTBEAT
) {
940 /* We allow a 0 return */
941 if(dtls1_process_heartbeat(s
) < 0) {
945 /* Exit and notify application to read again */
947 s
->rwstate
= SSL_READING
;
948 BIO_clear_retry_flags(SSL_get_rbio(s
));
949 BIO_set_retry_read(SSL_get_rbio(s
));
953 /* else it's a CCS message, or application data or wrong */
954 else if (rr
->type
!= SSL3_RT_CHANGE_CIPHER_SPEC
) {
956 * Application data while renegotiating is allowed. Try again
959 if (rr
->type
== SSL3_RT_APPLICATION_DATA
) {
961 s
->s3
->in_read_app_data
= 2;
962 bio
= SSL_get_rbio(s
);
963 s
->rwstate
= SSL_READING
;
964 BIO_clear_retry_flags(bio
);
965 BIO_set_retry_read(bio
);
969 /* Not certain if this is the right error handling */
970 al
= SSL_AD_UNEXPECTED_MESSAGE
;
971 SSLerr(SSL_F_DTLS1_READ_BYTES
, SSL_R_UNEXPECTED_RECORD
);
975 if (dest_maxlen
> 0) {
977 * XDTLS: In a pathalogical case, the Client Hello may be
978 * fragmented--don't always expect dest_maxlen bytes
980 if (rr
->length
< dest_maxlen
) {
981 #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
983 * for normal alerts rr->length is 2, while
984 * dest_maxlen is 7 if we were to handle this
985 * non-existing alert...
989 s
->rstate
= SSL_ST_READ_HEADER
;
994 /* now move 'n' bytes: */
995 for (k
= 0; k
< dest_maxlen
; k
++) {
996 dest
[k
] = rr
->data
[rr
->off
++];
999 *dest_len
= dest_maxlen
;
1004 * s->d1->handshake_fragment_len == 12 iff rr->type == SSL3_RT_HANDSHAKE;
1005 * s->d1->alert_fragment_len == 7 iff rr->type == SSL3_RT_ALERT.
1006 * (Possibly rr is 'empty' now, i.e. rr->length may be 0.)
1009 /* If we are a client, check for an incoming 'Hello Request': */
1011 (s
->d1
->handshake_fragment_len
>= DTLS1_HM_HEADER_LENGTH
) &&
1012 (s
->d1
->handshake_fragment
[0] == SSL3_MT_HELLO_REQUEST
) &&
1013 (s
->session
!= NULL
) && (s
->session
->cipher
!= NULL
)) {
1014 s
->d1
->handshake_fragment_len
= 0;
1016 if ((s
->d1
->handshake_fragment
[1] != 0) ||
1017 (s
->d1
->handshake_fragment
[2] != 0) ||
1018 (s
->d1
->handshake_fragment
[3] != 0)) {
1019 al
= SSL_AD_DECODE_ERROR
;
1020 SSLerr(SSL_F_DTLS1_READ_BYTES
, SSL_R_BAD_HELLO_REQUEST
);
1025 * no need to check sequence number on HELLO REQUEST messages
1028 if (s
->msg_callback
)
1029 s
->msg_callback(0, s
->version
, SSL3_RT_HANDSHAKE
,
1030 s
->d1
->handshake_fragment
, 4, s
,
1031 s
->msg_callback_arg
);
1033 if (SSL_is_init_finished(s
) &&
1034 !(s
->s3
->flags
& SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
) &&
1035 !s
->s3
->renegotiate
) {
1036 s
->d1
->handshake_read_seq
++;
1038 ssl3_renegotiate(s
);
1039 if (ssl3_renegotiate_check(s
)) {
1040 i
= s
->handshake_func(s
);
1044 SSLerr(SSL_F_DTLS1_READ_BYTES
,
1045 SSL_R_SSL_HANDSHAKE_FAILURE
);
1049 if (!(s
->mode
& SSL_MODE_AUTO_RETRY
)) {
1050 if (s
->s3
->rbuf
.left
== 0) { /* no read-ahead left? */
1053 * In the case where we try to read application data,
1054 * but we trigger an SSL handshake, we return -1 with
1055 * the retry option set. Otherwise renegotiation may
1056 * cause nasty problems in the blocking world
1058 s
->rwstate
= SSL_READING
;
1059 bio
= SSL_get_rbio(s
);
1060 BIO_clear_retry_flags(bio
);
1061 BIO_set_retry_read(bio
);
1068 * we either finished a handshake or ignored the request, now try
1069 * again to obtain the (application) data we were asked for
1074 if (s
->d1
->alert_fragment_len
>= DTLS1_AL_HEADER_LENGTH
) {
1075 int alert_level
= s
->d1
->alert_fragment
[0];
1076 int alert_descr
= s
->d1
->alert_fragment
[1];
1078 s
->d1
->alert_fragment_len
= 0;
1080 if (s
->msg_callback
)
1081 s
->msg_callback(0, s
->version
, SSL3_RT_ALERT
,
1082 s
->d1
->alert_fragment
, 2, s
, s
->msg_callback_arg
);
1084 if (s
->info_callback
!= NULL
)
1085 cb
= s
->info_callback
;
1086 else if (s
->ctx
->info_callback
!= NULL
)
1087 cb
= s
->ctx
->info_callback
;
1090 j
= (alert_level
<< 8) | alert_descr
;
1091 cb(s
, SSL_CB_READ_ALERT
, j
);
1094 if (alert_level
== SSL3_AL_WARNING
) {
1095 s
->s3
->warn_alert
= alert_descr
;
1096 if (alert_descr
== SSL_AD_CLOSE_NOTIFY
) {
1097 #ifndef OPENSSL_NO_SCTP
1099 * With SCTP and streams the socket may deliver app data
1100 * after a close_notify alert. We have to check this first so
1101 * that nothing gets discarded.
1103 if (BIO_dgram_is_sctp(SSL_get_rbio(s
)) &&
1104 BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s
))) {
1105 s
->d1
->shutdown_received
= 1;
1106 s
->rwstate
= SSL_READING
;
1107 BIO_clear_retry_flags(SSL_get_rbio(s
));
1108 BIO_set_retry_read(SSL_get_rbio(s
));
1112 s
->shutdown
|= SSL_RECEIVED_SHUTDOWN
;
1116 /* XXX: this is a possible improvement in the future */
1117 /* now check if it's a missing record */
1118 if (alert_descr
== DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
) {
1120 unsigned int frag_off
;
1121 unsigned char *p
= &(s
->d1
->alert_fragment
[2]);
1126 dtls1_retransmit_message(s
,
1127 dtls1_get_queue_priority
1128 (frag
->msg_header
.seq
, 0), frag_off
,
1130 if (!found
&& SSL_in_init(s
)) {
1132 * fprintf( stderr,"in init = %d\n", SSL_in_init(s));
1135 * requested a message not yet sent, send an alert
1138 ssl3_send_alert(s
, SSL3_AL_WARNING
,
1139 DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
);
1143 } else if (alert_level
== SSL3_AL_FATAL
) {
1146 s
->rwstate
= SSL_NOTHING
;
1147 s
->s3
->fatal_alert
= alert_descr
;
1148 SSLerr(SSL_F_DTLS1_READ_BYTES
,
1149 SSL_AD_REASON_OFFSET
+ alert_descr
);
1150 BIO_snprintf(tmp
, sizeof tmp
, "%d", alert_descr
);
1151 ERR_add_error_data(2, "SSL alert number ", tmp
);
1152 s
->shutdown
|= SSL_RECEIVED_SHUTDOWN
;
1153 SSL_CTX_remove_session(s
->ctx
, s
->session
);
1156 al
= SSL_AD_ILLEGAL_PARAMETER
;
1157 SSLerr(SSL_F_DTLS1_READ_BYTES
, SSL_R_UNKNOWN_ALERT_TYPE
);
1164 if (s
->shutdown
& SSL_SENT_SHUTDOWN
) { /* but we have not received a
1166 s
->rwstate
= SSL_NOTHING
;
1171 if (rr
->type
== SSL3_RT_CHANGE_CIPHER_SPEC
) {
1172 struct ccs_header_st ccs_hdr
;
1173 unsigned int ccs_hdr_len
= DTLS1_CCS_HEADER_LENGTH
;
1175 dtls1_get_ccs_header(rr
->data
, &ccs_hdr
);
1177 if (s
->version
== DTLS1_BAD_VER
)
1181 * 'Change Cipher Spec' is just a single byte, so we know exactly
1182 * what the record payload has to look like
1184 /* XDTLS: check that epoch is consistent */
1185 if ((rr
->length
!= ccs_hdr_len
) ||
1186 (rr
->off
!= 0) || (rr
->data
[0] != SSL3_MT_CCS
)) {
1187 i
= SSL_AD_ILLEGAL_PARAMETER
;
1188 SSLerr(SSL_F_DTLS1_READ_BYTES
, SSL_R_BAD_CHANGE_CIPHER_SPEC
);
1194 if (s
->msg_callback
)
1195 s
->msg_callback(0, s
->version
, SSL3_RT_CHANGE_CIPHER_SPEC
,
1196 rr
->data
, 1, s
, s
->msg_callback_arg
);
1199 * We can't process a CCS now, because previous handshake messages
1200 * are still missing, so just drop it.
1202 if (!s
->d1
->change_cipher_spec_ok
) {
1206 s
->d1
->change_cipher_spec_ok
= 0;
1208 s
->s3
->change_cipher_spec
= 1;
1209 if (!ssl3_do_change_cipher_spec(s
))
1212 /* do this whenever CCS is processed */
1213 dtls1_reset_seq_numbers(s
, SSL3_CC_READ
);
1215 if (s
->version
== DTLS1_BAD_VER
)
1216 s
->d1
->handshake_read_seq
++;
1218 #ifndef OPENSSL_NO_SCTP
1220 * Remember that a CCS has been received, so that an old key of
1221 * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
1224 BIO_ctrl(SSL_get_wbio(s
), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD
, 1, NULL
);
1231 * Unexpected handshake message (Client Hello, or protocol violation)
1233 if ((s
->d1
->handshake_fragment_len
>= DTLS1_HM_HEADER_LENGTH
) &&
1235 struct hm_header_st msg_hdr
;
1237 /* this may just be a stale retransmit */
1238 dtls1_get_message_header(rr
->data
, &msg_hdr
);
1239 if (rr
->epoch
!= s
->d1
->r_epoch
) {
1245 * If we are server, we may have a repeated FINISHED of the client
1246 * here, then retransmit our CCS and FINISHED.
1248 if (msg_hdr
.type
== SSL3_MT_FINISHED
) {
1249 if (dtls1_check_timeout_num(s
) < 0)
1252 dtls1_retransmit_buffered_messages(s
);
1257 if (((s
->state
& SSL_ST_MASK
) == SSL_ST_OK
) &&
1258 !(s
->s3
->flags
& SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
)) {
1259 s
->state
= s
->server
? SSL_ST_ACCEPT
: SSL_ST_CONNECT
;
1263 i
= s
->handshake_func(s
);
1267 SSLerr(SSL_F_DTLS1_READ_BYTES
, SSL_R_SSL_HANDSHAKE_FAILURE
);
1271 if (!(s
->mode
& SSL_MODE_AUTO_RETRY
)) {
1272 if (s
->s3
->rbuf
.left
== 0) { /* no read-ahead left? */
1275 * In the case where we try to read application data, but we
1276 * trigger an SSL handshake, we return -1 with the retry
1277 * option set. Otherwise renegotiation may cause nasty
1278 * problems in the blocking world
1280 s
->rwstate
= SSL_READING
;
1281 bio
= SSL_get_rbio(s
);
1282 BIO_clear_retry_flags(bio
);
1283 BIO_set_retry_read(bio
);
1292 /* TLS just ignores unknown message types */
1293 if (s
->version
== TLS1_VERSION
) {
1297 al
= SSL_AD_UNEXPECTED_MESSAGE
;
1298 SSLerr(SSL_F_DTLS1_READ_BYTES
, SSL_R_UNEXPECTED_RECORD
);
1300 case SSL3_RT_CHANGE_CIPHER_SPEC
:
1302 case SSL3_RT_HANDSHAKE
:
1304 * we already handled all of these, with the possible exception of
1305 * SSL3_RT_HANDSHAKE when s->in_handshake is set, but that should not
1306 * happen when type != rr->type
1308 al
= SSL_AD_UNEXPECTED_MESSAGE
;
1309 SSLerr(SSL_F_DTLS1_READ_BYTES
, ERR_R_INTERNAL_ERROR
);
1311 case SSL3_RT_APPLICATION_DATA
:
1313 * At this point, we were expecting handshake data, but have
1314 * application data. If the library was running inside ssl3_read()
1315 * (i.e. in_read_app_data is set) and it makes sense to read
1316 * application data at this point (session renegotiation not yet
1317 * started), we will indulge it.
1319 if (s
->s3
->in_read_app_data
&&
1320 (s
->s3
->total_renegotiations
!= 0) &&
1321 (((s
->state
& SSL_ST_CONNECT
) &&
1322 (s
->state
>= SSL3_ST_CW_CLNT_HELLO_A
) &&
1323 (s
->state
<= SSL3_ST_CR_SRVR_HELLO_A
)
1324 ) || ((s
->state
& SSL_ST_ACCEPT
) &&
1325 (s
->state
<= SSL3_ST_SW_HELLO_REQ_A
) &&
1326 (s
->state
>= SSL3_ST_SR_CLNT_HELLO_A
)
1329 s
->s3
->in_read_app_data
= 2;
1332 al
= SSL_AD_UNEXPECTED_MESSAGE
;
1333 SSLerr(SSL_F_DTLS1_READ_BYTES
, SSL_R_UNEXPECTED_RECORD
);
1340 ssl3_send_alert(s
, SSL3_AL_FATAL
, al
);
1345 int dtls1_write_app_data_bytes(SSL
*s
, int type
, const void *buf_
, int len
)
1349 #ifndef OPENSSL_NO_SCTP
1351 * Check if we have to continue an interrupted handshake for reading
1352 * belated app data with SCTP.
1354 if ((SSL_in_init(s
) && !s
->in_handshake
) ||
1355 (BIO_dgram_is_sctp(SSL_get_wbio(s
)) &&
1356 (s
->state
== DTLS1_SCTP_ST_SR_READ_SOCK
1357 || s
->state
== DTLS1_SCTP_ST_CR_READ_SOCK
)))
1359 if (SSL_in_init(s
) && !s
->in_handshake
)
1362 i
= s
->handshake_func(s
);
1366 SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES
,
1367 SSL_R_SSL_HANDSHAKE_FAILURE
);
1372 if (len
> SSL3_RT_MAX_PLAIN_LENGTH
) {
1373 SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES
, SSL_R_DTLS_MESSAGE_TOO_BIG
);
1377 i
= dtls1_write_bytes(s
, type
, buf_
, len
);
1382 * this only happens when a client hello is received and a handshake
1386 have_handshake_fragment(SSL
*s
, int type
, unsigned char *buf
,
1390 if ((type
== SSL3_RT_HANDSHAKE
) && (s
->d1
->handshake_fragment_len
> 0))
1391 /* (partially) satisfy request from storage */
1393 unsigned char *src
= s
->d1
->handshake_fragment
;
1394 unsigned char *dst
= buf
;
1399 while ((len
> 0) && (s
->d1
->handshake_fragment_len
> 0)) {
1402 s
->d1
->handshake_fragment_len
--;
1405 /* move any remaining fragment bytes: */
1406 for (k
= 0; k
< s
->d1
->handshake_fragment_len
; k
++)
1407 s
->d1
->handshake_fragment
[k
] = *src
++;
1415 * Call this to write data in records of type 'type' It will return <= 0 if
1416 * not all data has been sent or non-blocking IO.
1418 int dtls1_write_bytes(SSL
*s
, int type
, const void *buf
, int len
)
1422 OPENSSL_assert(len
<= SSL3_RT_MAX_PLAIN_LENGTH
);
1423 s
->rwstate
= SSL_NOTHING
;
1424 i
= do_dtls1_write(s
, type
, buf
, len
, 0);
1428 int do_dtls1_write(SSL
*s
, int type
, const unsigned char *buf
,
1429 unsigned int len
, int create_empty_fragment
)
1431 unsigned char *p
, *pseq
;
1432 int i
, mac_size
, clear
= 0;
1440 * first check if there is a SSL3_BUFFER still being written out. This
1441 * will happen with non blocking IO
1443 if (s
->s3
->wbuf
.left
!= 0) {
1444 OPENSSL_assert(0); /* XDTLS: want to see if we ever get here */
1445 return (ssl3_write_pending(s
, type
, buf
, len
));
1448 /* If we have an alert to send, lets send it */
1449 if (s
->s3
->alert_dispatch
) {
1450 i
= s
->method
->ssl_dispatch_alert(s
);
1453 /* if it went, fall through and send more stuff */
1456 if (len
== 0 && !create_empty_fragment
)
1459 wr
= &(s
->s3
->wrec
);
1460 wb
= &(s
->s3
->wbuf
);
1463 if ((sess
== NULL
) ||
1464 (s
->enc_write_ctx
== NULL
) || (EVP_MD_CTX_md(s
->write_hash
) == NULL
))
1470 mac_size
= EVP_MD_CTX_size(s
->write_hash
);
1475 p
= wb
->buf
+ prefix_len
;
1477 /* write the header */
1479 *(p
++) = type
& 0xff;
1482 * Special case: for hello verify request, client version 1.0 and we
1483 * haven't decided which version to use yet send back using version 1.0
1484 * header: otherwise some clients will ignore it.
1486 if (s
->method
->version
== DTLS_ANY_VERSION
) {
1487 *(p
++) = DTLS1_VERSION
>> 8;
1488 *(p
++) = DTLS1_VERSION
& 0xff;
1490 *(p
++) = s
->version
>> 8;
1491 *(p
++) = s
->version
& 0xff;
1494 /* field where we are to write out packet epoch, seq num and len */
1498 /* Explicit IV length, block ciphers appropriate version flag */
1499 if (s
->enc_write_ctx
) {
1500 int mode
= EVP_CIPHER_CTX_mode(s
->enc_write_ctx
);
1501 if (mode
== EVP_CIPH_CBC_MODE
) {
1502 eivlen
= EVP_CIPHER_CTX_iv_length(s
->enc_write_ctx
);
1506 /* Need explicit part of IV for GCM mode */
1507 else if (mode
== EVP_CIPH_GCM_MODE
)
1508 eivlen
= EVP_GCM_TLS_EXPLICIT_IV_LEN
;
1514 /* lets setup the record stuff. */
1515 wr
->data
= p
+ eivlen
; /* make room for IV in case of CBC */
1516 wr
->length
= (int)len
;
1517 wr
->input
= (unsigned char *)buf
;
1520 * we now 'read' from wr->input, wr->length bytes into wr->data
1523 /* first we compress */
1524 if (s
->compress
!= NULL
) {
1525 if (!ssl3_do_compress(s
)) {
1526 SSLerr(SSL_F_DO_DTLS1_WRITE
, SSL_R_COMPRESSION_FAILURE
);
1530 memcpy(wr
->data
, wr
->input
, wr
->length
);
1531 wr
->input
= wr
->data
;
1535 * we should still have the output to wr->data and the input from
1536 * wr->input. Length should be wr->length. wr->data still points in the
1540 if (mac_size
!= 0) {
1541 if (s
->method
->ssl3_enc
->mac(s
, &(p
[wr
->length
+ eivlen
]), 1) < 0)
1543 wr
->length
+= mac_size
;
1546 /* this is true regardless of mac size */
1551 wr
->length
+= eivlen
;
1553 if (s
->method
->ssl3_enc
->enc(s
, 1) < 1)
1556 /* record length after mac and block padding */
1558 * if (type == SSL3_RT_APPLICATION_DATA || (type == SSL3_RT_ALERT && !
1562 /* there's only one epoch between handshake and app data */
1564 s2n(s
->d1
->w_epoch
, pseq
);
1568 * else s2n(s->d1->handshake_epoch, pseq);
1571 memcpy(pseq
, &(s
->s3
->write_sequence
[2]), 6);
1573 s2n(wr
->length
, pseq
);
1575 if (s
->msg_callback
)
1576 s
->msg_callback(1, 0, SSL3_RT_HEADER
, pseq
- DTLS1_RT_HEADER_LENGTH
,
1577 DTLS1_RT_HEADER_LENGTH
, s
, s
->msg_callback_arg
);
1580 * we should now have wr->data pointing to the encrypted data, which is
1583 wr
->type
= type
; /* not needed but helps for debugging */
1584 wr
->length
+= DTLS1_RT_HEADER_LENGTH
;
1586 ssl3_record_sequence_update(&(s
->s3
->write_sequence
[0]));
1588 if (create_empty_fragment
) {
1590 * we are in a recursive call; just return the length, don't write
1596 /* now let's set up wb */
1597 wb
->left
= prefix_len
+ wr
->length
;
1601 * memorize arguments so that ssl3_write_pending can detect bad write
1604 s
->s3
->wpend_tot
= len
;
1605 s
->s3
->wpend_buf
= buf
;
1606 s
->s3
->wpend_type
= type
;
1607 s
->s3
->wpend_ret
= len
;
1609 /* we now just need to write the buffer */
1610 return ssl3_write_pending(s
, type
, buf
, len
);
1615 static int dtls1_record_replay_check(SSL
*s
, DTLS1_BITMAP
*bitmap
)
1619 const unsigned char *seq
= s
->s3
->read_sequence
;
1621 cmp
= satsub64be(seq
, bitmap
->max_seq_num
);
1623 memcpy(s
->s3
->rrec
.seq_num
, seq
, 8);
1624 return 1; /* this record in new */
1627 if (shift
>= sizeof(bitmap
->map
) * 8)
1628 return 0; /* stale, outside the window */
1629 else if (bitmap
->map
& (1UL << shift
))
1630 return 0; /* record previously received */
1632 memcpy(s
->s3
->rrec
.seq_num
, seq
, 8);
1636 static void dtls1_record_bitmap_update(SSL
*s
, DTLS1_BITMAP
*bitmap
)
1640 const unsigned char *seq
= s
->s3
->read_sequence
;
1642 cmp
= satsub64be(seq
, bitmap
->max_seq_num
);
1645 if (shift
< sizeof(bitmap
->map
) * 8)
1646 bitmap
->map
<<= shift
, bitmap
->map
|= 1UL;
1649 memcpy(bitmap
->max_seq_num
, seq
, 8);
1652 if (shift
< sizeof(bitmap
->map
) * 8)
1653 bitmap
->map
|= 1UL << shift
;
1657 int dtls1_dispatch_alert(SSL
*s
)
1660 void (*cb
) (const SSL
*ssl
, int type
, int val
) = NULL
;
1661 unsigned char buf
[DTLS1_AL_HEADER_LENGTH
];
1662 unsigned char *ptr
= &buf
[0];
1664 s
->s3
->alert_dispatch
= 0;
1666 memset(buf
, 0x00, sizeof(buf
));
1667 *ptr
++ = s
->s3
->send_alert
[0];
1668 *ptr
++ = s
->s3
->send_alert
[1];
1670 #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
1671 if (s
->s3
->send_alert
[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
) {
1672 s2n(s
->d1
->handshake_read_seq
, ptr
);
1673 l2n3(s
->d1
->r_msg_hdr
.frag_off
, ptr
);
1677 i
= do_dtls1_write(s
, SSL3_RT_ALERT
, &buf
[0], sizeof(buf
), 0);
1679 s
->s3
->alert_dispatch
= 1;
1680 /* fprintf( stderr, "not done with alert\n" ); */
1682 if (s
->s3
->send_alert
[0] == SSL3_AL_FATAL
1683 #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
1684 || s
->s3
->send_alert
[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
1687 (void)BIO_flush(s
->wbio
);
1689 if (s
->msg_callback
)
1690 s
->msg_callback(1, s
->version
, SSL3_RT_ALERT
, s
->s3
->send_alert
,
1691 2, s
, s
->msg_callback_arg
);
1693 if (s
->info_callback
!= NULL
)
1694 cb
= s
->info_callback
;
1695 else if (s
->ctx
->info_callback
!= NULL
)
1696 cb
= s
->ctx
->info_callback
;
1699 j
= (s
->s3
->send_alert
[0] << 8) | s
->s3
->send_alert
[1];
1700 cb(s
, SSL_CB_WRITE_ALERT
, j
);
1706 static DTLS1_BITMAP
*dtls1_get_bitmap(SSL
*s
, SSL3_RECORD
*rr
,
1707 unsigned int *is_next_epoch
)
1712 /* In current epoch, accept HM, CCS, DATA, & ALERT */
1713 if (rr
->epoch
== s
->d1
->r_epoch
)
1714 return &s
->d1
->bitmap
;
1716 /* Only HM and ALERT messages can be from the next epoch */
1717 else if (rr
->epoch
== (unsigned long)(s
->d1
->r_epoch
+ 1) &&
1718 (rr
->type
== SSL3_RT_HANDSHAKE
|| rr
->type
== SSL3_RT_ALERT
)) {
1720 return &s
->d1
->next_bitmap
;
1726 void dtls1_reset_seq_numbers(SSL
*s
, int rw
)
1729 unsigned int seq_bytes
= sizeof(s
->s3
->read_sequence
);
1731 if (rw
& SSL3_CC_READ
) {
1732 seq
= s
->s3
->read_sequence
;
1734 memcpy(&(s
->d1
->bitmap
), &(s
->d1
->next_bitmap
), sizeof(DTLS1_BITMAP
));
1735 memset(&(s
->d1
->next_bitmap
), 0x00, sizeof(DTLS1_BITMAP
));
1737 seq
= s
->s3
->write_sequence
;
1738 memcpy(s
->d1
->last_write_sequence
, seq
,
1739 sizeof(s
->s3
->write_sequence
));
1743 memset(seq
, 0x00, seq_bytes
);