]>
Commit | Line | Data |
---|---|---|
36d16f8e BL |
1 | /* ssl/d1_pkt.c */ |
2 | /* | |
3 | * DTLS implementation written by Nagendra Modadugu | |
4 | * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. | |
5 | */ | |
6 | /* ==================================================================== | |
7 | * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. | |
8 | * | |
9 | * Redistribution and use in source and binary forms, with or without | |
10 | * modification, are permitted provided that the following conditions | |
11 | * are met: | |
12 | * | |
13 | * 1. Redistributions of source code must retain the above copyright | |
14 | * notice, this list of conditions and the following disclaimer. | |
15 | * | |
16 | * 2. Redistributions in binary form must reproduce the above copyright | |
17 | * notice, this list of conditions and the following disclaimer in | |
18 | * the documentation and/or other materials provided with the | |
19 | * distribution. | |
20 | * | |
21 | * 3. All advertising materials mentioning features or use of this | |
22 | * software must display the following acknowledgment: | |
23 | * "This product includes software developed by the OpenSSL Project | |
24 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | |
25 | * | |
26 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
27 | * endorse or promote products derived from this software without | |
28 | * prior written permission. For written permission, please contact | |
29 | * openssl-core@openssl.org. | |
30 | * | |
31 | * 5. Products derived from this software may not be called "OpenSSL" | |
32 | * nor may "OpenSSL" appear in their names without prior written | |
33 | * permission of the OpenSSL Project. | |
34 | * | |
35 | * 6. Redistributions of any form whatsoever must retain the following | |
36 | * acknowledgment: | |
37 | * "This product includes software developed by the OpenSSL Project | |
38 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | |
39 | * | |
40 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
41 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
42 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
43 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
44 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
45 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
46 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
47 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
49 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
50 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
51 | * OF THE POSSIBILITY OF SUCH DAMAGE. | |
52 | * ==================================================================== | |
53 | * | |
54 | * This product includes cryptographic software written by Eric Young | |
55 | * (eay@cryptsoft.com). This product includes software written by Tim | |
56 | * Hudson (tjh@cryptsoft.com). | |
57 | * | |
58 | */ | |
59 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | |
60 | * All rights reserved. | |
61 | * | |
62 | * This package is an SSL implementation written | |
63 | * by Eric Young (eay@cryptsoft.com). | |
64 | * The implementation was written so as to conform with Netscapes SSL. | |
65 | * | |
66 | * This library is free for commercial and non-commercial use as long as | |
67 | * the following conditions are aheared to. The following conditions | |
68 | * apply to all code found in this distribution, be it the RC4, RSA, | |
69 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation | |
70 | * included with this distribution is covered by the same copyright terms | |
71 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). | |
72 | * | |
73 | * Copyright remains Eric Young's, and as such any Copyright notices in | |
74 | * the code are not to be removed. | |
75 | * If this package is used in a product, Eric Young should be given attribution | |
76 | * as the author of the parts of the library used. | |
77 | * This can be in the form of a textual message at program startup or | |
78 | * in documentation (online or textual) provided with the package. | |
79 | * | |
80 | * Redistribution and use in source and binary forms, with or without | |
81 | * modification, are permitted provided that the following conditions | |
82 | * are met: | |
83 | * 1. Redistributions of source code must retain the copyright | |
84 | * notice, this list of conditions and the following disclaimer. | |
85 | * 2. Redistributions in binary form must reproduce the above copyright | |
86 | * notice, this list of conditions and the following disclaimer in the | |
87 | * documentation and/or other materials provided with the distribution. | |
88 | * 3. All advertising materials mentioning features or use of this software | |
89 | * must display the following acknowledgement: | |
90 | * "This product includes cryptographic software written by | |
91 | * Eric Young (eay@cryptsoft.com)" | |
92 | * The word 'cryptographic' can be left out if the rouines from the library | |
93 | * being used are not cryptographic related :-). | |
94 | * 4. If you include any Windows specific code (or a derivative thereof) from | |
95 | * the apps directory (application code) you must include an acknowledgement: | |
96 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | |
97 | * | |
98 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND | |
99 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
100 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
101 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
102 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
103 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
104 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
105 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
106 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
107 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
108 | * SUCH DAMAGE. | |
109 | * | |
110 | * The licence and distribution terms for any publically available version or | |
111 | * derivative of this code cannot be changed. i.e. this code cannot simply be | |
112 | * copied and put under another distribution licence | |
113 | * [including the GNU Public Licence.] | |
114 | */ | |
115 | ||
116 | #include <stdio.h> | |
117 | #include <errno.h> | |
118 | #define USE_SOCKETS | |
119 | #include "ssl_locl.h" | |
120 | #include <openssl/evp.h> | |
121 | #include <openssl/buffer.h> | |
122 | #include <openssl/pqueue.h> | |
d527834a | 123 | #include <openssl/rand.h> |
36d16f8e | 124 | |
50ec3951 | 125 | /* mod 128 saturating subtract of two 64-bit values in big-endian order */ |
dffdb56b | 126 | static int satsub64be(const unsigned char *v1,const unsigned char *v2) |
50ec3951 AP |
127 | { int ret,sat,brw,i; |
128 | ||
129 | if (sizeof(long) == 8) do | |
130 | { const union { long one; char little; } is_endian = {1}; | |
131 | long l; | |
132 | ||
133 | if (is_endian.little) break; | |
134 | /* not reached on little-endians */ | |
135 | /* following test is redundant, because input is | |
136 | * always aligned, but I take no chances... */ | |
137 | if (((size_t)v1|(size_t)v2)&0x7) break; | |
138 | ||
44eff497 AP |
139 | l = *((long *)v1); |
140 | l -= *((long *)v2); | |
50ec3951 AP |
141 | if (l>128) return 128; |
142 | else if (l<-128) return -128; | |
143 | else return (int)l; | |
144 | } while (0); | |
145 | ||
146 | ret = (int)v1[7]-(int)v2[7]; | |
147 | sat = 0; | |
148 | brw = ret>>8; /* brw is either 0 or -1 */ | |
149 | if (ret & 0x80) | |
150 | { for (i=6;i>=0;i--) | |
151 | { brw += (int)v1[i]-(int)v2[i]; | |
152 | sat |= ~brw; | |
153 | brw >>= 8; | |
dffdb56b | 154 | } |
dffdb56b | 155 | } |
50ec3951 AP |
156 | else |
157 | { for (i=6;i>=0;i--) | |
158 | { brw += (int)v1[i]-(int)v2[i]; | |
159 | sat |= brw; | |
160 | brw >>= 8; | |
161 | } | |
162 | } | |
163 | brw <<= 8; /* brw is either 0 or -256 */ | |
164 | ||
165 | if (sat&0xff) return brw | 0x80; | |
166 | else return brw + (ret&0xFF); | |
167 | } | |
dffdb56b | 168 | |
36d16f8e BL |
169 | static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, |
170 | int len, int peek); | |
50ec3951 | 171 | static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap); |
36d16f8e BL |
172 | static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap); |
173 | static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, | |
174 | unsigned int *is_next_epoch); | |
175 | #if 0 | |
176 | static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr, | |
177 | unsigned short *priority, unsigned long *offset); | |
178 | #endif | |
179 | static int dtls1_buffer_record(SSL *s, record_pqueue *q, | |
dffdb56b | 180 | unsigned char *priority); |
36d16f8e | 181 | static int dtls1_process_record(SSL *s); |
36d16f8e BL |
182 | static void dtls1_clear_timeouts(SSL *s); |
183 | ||
36d16f8e BL |
184 | /* copy buffered record into SSL structure */ |
185 | static int | |
186 | dtls1_copy_record(SSL *s, pitem *item) | |
187 | { | |
188 | DTLS1_RECORD_DATA *rdata; | |
189 | ||
190 | rdata = (DTLS1_RECORD_DATA *)item->data; | |
191 | ||
192 | if (s->s3->rbuf.buf != NULL) | |
193 | OPENSSL_free(s->s3->rbuf.buf); | |
194 | ||
195 | s->packet = rdata->packet; | |
196 | s->packet_length = rdata->packet_length; | |
197 | memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER)); | |
198 | memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD)); | |
199 | ||
200 | return(1); | |
201 | } | |
202 | ||
203 | ||
204 | static int | |
dffdb56b AP |
205 | dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) |
206 | { | |
207 | DTLS1_RECORD_DATA *rdata; | |
36d16f8e BL |
208 | pitem *item; |
209 | ||
210 | rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); | |
211 | item = pitem_new(priority, rdata); | |
212 | if (rdata == NULL || item == NULL) | |
213 | { | |
214 | if (rdata != NULL) OPENSSL_free(rdata); | |
215 | if (item != NULL) pitem_free(item); | |
216 | ||
beb056b3 | 217 | SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); |
36d16f8e BL |
218 | return(0); |
219 | } | |
220 | ||
221 | rdata->packet = s->packet; | |
222 | rdata->packet_length = s->packet_length; | |
223 | memcpy(&(rdata->rbuf), &(s->s3->rbuf), sizeof(SSL3_BUFFER)); | |
224 | memcpy(&(rdata->rrec), &(s->s3->rrec), sizeof(SSL3_RECORD)); | |
225 | ||
226 | item->data = rdata; | |
227 | ||
228 | /* insert should not fail, since duplicates are dropped */ | |
229 | if (pqueue_insert(queue->q, item) == NULL) | |
230 | { | |
231 | OPENSSL_free(rdata); | |
232 | pitem_free(item); | |
233 | return(0); | |
234 | } | |
235 | ||
236 | s->packet = NULL; | |
237 | s->packet_length = 0; | |
238 | memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER)); | |
239 | memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD)); | |
240 | ||
8c5a2bd6 NL |
241 | if (!ssl3_setup_buffers(s)) |
242 | { | |
243 | SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); | |
244 | OPENSSL_free(rdata); | |
245 | pitem_free(item); | |
246 | return(0); | |
247 | } | |
36d16f8e BL |
248 | |
249 | return(1); | |
dffdb56b | 250 | } |
36d16f8e BL |
251 | |
252 | ||
253 | static int | |
254 | dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) | |
255 | { | |
256 | pitem *item; | |
257 | ||
258 | item = pqueue_pop(queue->q); | |
259 | if (item) | |
260 | { | |
261 | dtls1_copy_record(s, item); | |
262 | ||
263 | OPENSSL_free(item->data); | |
264 | pitem_free(item); | |
265 | ||
266 | return(1); | |
267 | } | |
268 | ||
269 | return(0); | |
270 | } | |
271 | ||
272 | ||
273 | /* retrieve a buffered record that belongs to the new epoch, i.e., not processed | |
274 | * yet */ | |
275 | #define dtls1_get_unprocessed_record(s) \ | |
276 | dtls1_retrieve_buffered_record((s), \ | |
277 | &((s)->d1->unprocessed_rcds)) | |
278 | ||
279 | /* retrieve a buffered record that belongs to the current epoch, ie, processed */ | |
280 | #define dtls1_get_processed_record(s) \ | |
281 | dtls1_retrieve_buffered_record((s), \ | |
282 | &((s)->d1->processed_rcds)) | |
283 | ||
284 | static int | |
285 | dtls1_process_buffered_records(SSL *s) | |
286 | { | |
287 | pitem *item; | |
288 | ||
289 | item = pqueue_peek(s->d1->unprocessed_rcds.q); | |
290 | if (item) | |
291 | { | |
292 | DTLS1_RECORD_DATA *rdata; | |
293 | rdata = (DTLS1_RECORD_DATA *)item->data; | |
294 | ||
295 | /* Check if epoch is current. */ | |
296 | if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch) | |
297 | return(1); /* Nothing to do. */ | |
298 | ||
299 | /* Process all the records. */ | |
300 | while (pqueue_peek(s->d1->unprocessed_rcds.q)) | |
301 | { | |
302 | dtls1_get_unprocessed_record(s); | |
303 | if ( ! dtls1_process_record(s)) | |
304 | return(0); | |
305 | dtls1_buffer_record(s, &(s->d1->processed_rcds), | |
306 | s->s3->rrec.seq_num); | |
307 | } | |
308 | } | |
309 | ||
310 | /* sync epoch numbers once all the unprocessed records | |
311 | * have been processed */ | |
312 | s->d1->processed_rcds.epoch = s->d1->r_epoch; | |
313 | s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1; | |
314 | ||
315 | return(1); | |
316 | } | |
317 | ||
318 | ||
319 | #if 0 | |
320 | ||
321 | static int | |
322 | dtls1_get_buffered_record(SSL *s) | |
323 | { | |
324 | pitem *item; | |
188b0579 RL |
325 | PQ_64BIT priority = |
326 | (((PQ_64BIT)s->d1->handshake_read_seq) << 32) | | |
327 | ((PQ_64BIT)s->d1->r_msg_hdr.frag_off); | |
36d16f8e BL |
328 | |
329 | if ( ! SSL_in_init(s)) /* if we're not (re)negotiating, | |
330 | nothing buffered */ | |
331 | return 0; | |
332 | ||
333 | ||
334 | item = pqueue_peek(s->d1->rcvd_records); | |
335 | if (item && item->priority == priority) | |
336 | { | |
337 | /* Check if we've received the record of interest. It must be | |
338 | * a handshake record, since data records as passed up without | |
339 | * buffering */ | |
340 | DTLS1_RECORD_DATA *rdata; | |
341 | item = pqueue_pop(s->d1->rcvd_records); | |
342 | rdata = (DTLS1_RECORD_DATA *)item->data; | |
343 | ||
344 | if (s->s3->rbuf.buf != NULL) | |
345 | OPENSSL_free(s->s3->rbuf.buf); | |
346 | ||
347 | s->packet = rdata->packet; | |
348 | s->packet_length = rdata->packet_length; | |
349 | memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER)); | |
350 | memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD)); | |
351 | ||
352 | OPENSSL_free(item->data); | |
353 | pitem_free(item); | |
354 | ||
355 | /* s->d1->next_expected_seq_num++; */ | |
356 | return(1); | |
357 | } | |
358 | ||
359 | return 0; | |
360 | } | |
361 | ||
362 | #endif | |
363 | ||
364 | static int | |
365 | dtls1_process_record(SSL *s) | |
366 | { | |
50ec3951 | 367 | int i,al; |
36d16f8e | 368 | int clear=0; |
50ec3951 | 369 | int enc_err; |
36d16f8e | 370 | SSL_SESSION *sess; |
50ec3951 | 371 | SSL3_RECORD *rr; |
36d16f8e BL |
372 | unsigned int mac_size; |
373 | unsigned char md[EVP_MAX_MD_SIZE]; | |
374 | ||
375 | ||
376 | rr= &(s->s3->rrec); | |
50ec3951 | 377 | sess = s->session; |
36d16f8e BL |
378 | |
379 | /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, | |
380 | * and we have that many bytes in s->packet | |
381 | */ | |
382 | rr->input= &(s->packet[DTLS1_RT_HEADER_LENGTH]); | |
383 | ||
384 | /* ok, we can now read from 's->packet' data into 'rr' | |
385 | * rr->input points at rr->length bytes, which | |
386 | * need to be copied into rr->data by either | |
387 | * the decryption or by the decompression | |
388 | * When the data is 'copied' into the rr->data buffer, | |
389 | * rr->input will be pointed at the new buffer */ | |
390 | ||
391 | /* We now have - encrypted [ MAC [ compressed [ plain ] ] ] | |
392 | * rr->length bytes of encrypted compressed stuff. */ | |
393 | ||
394 | /* check is not needed I believe */ | |
395 | if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) | |
396 | { | |
397 | al=SSL_AD_RECORD_OVERFLOW; | |
beb056b3 | 398 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG); |
36d16f8e BL |
399 | goto f_err; |
400 | } | |
401 | ||
402 | /* decrypt in place in 'rr->input' */ | |
403 | rr->data=rr->input; | |
404 | ||
405 | enc_err = s->method->ssl3_enc->enc(s,0); | |
406 | if (enc_err <= 0) | |
407 | { | |
408 | if (enc_err == 0) | |
409 | /* SSLerr() and ssl3_send_alert() have been called */ | |
410 | goto err; | |
411 | ||
412 | /* otherwise enc_err == -1 */ | |
413 | goto decryption_failed_or_bad_record_mac; | |
414 | } | |
415 | ||
416 | #ifdef TLS_DEBUG | |
417 | printf("dec %d\n",rr->length); | |
418 | { unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); } | |
419 | printf("\n"); | |
420 | #endif | |
421 | ||
422 | /* r->length is now the compressed data plus mac */ | |
50ec3951 | 423 | if ( (sess == NULL) || |
36d16f8e BL |
424 | (s->enc_read_ctx == NULL) || |
425 | (s->read_hash == NULL)) | |
fe1c7fec | 426 | clear=1; |
36d16f8e BL |
427 | |
428 | if (!clear) | |
429 | { | |
fe1c7fec | 430 | /* !clear => s->read_hash != NULL => mac_size != -1 */ |
0eab41fb BL |
431 | int t; |
432 | t=EVP_MD_CTX_size(s->read_hash); | |
433 | OPENSSL_assert(t >= 0); | |
434 | mac_size=t; | |
36d16f8e BL |
435 | |
436 | if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size) | |
437 | { | |
438 | #if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */ | |
439 | al=SSL_AD_RECORD_OVERFLOW; | |
beb056b3 | 440 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); |
36d16f8e BL |
441 | goto f_err; |
442 | #else | |
443 | goto decryption_failed_or_bad_record_mac; | |
444 | #endif | |
445 | } | |
446 | /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ | |
447 | if (rr->length < mac_size) | |
448 | { | |
449 | #if 0 /* OK only for stream ciphers */ | |
450 | al=SSL_AD_DECODE_ERROR; | |
beb056b3 | 451 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); |
36d16f8e BL |
452 | goto f_err; |
453 | #else | |
454 | goto decryption_failed_or_bad_record_mac; | |
455 | #endif | |
456 | } | |
457 | rr->length-=mac_size; | |
458 | i=s->method->ssl3_enc->mac(s,md,0); | |
0eab41fb | 459 | if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0) |
36d16f8e BL |
460 | { |
461 | goto decryption_failed_or_bad_record_mac; | |
462 | } | |
463 | } | |
464 | ||
465 | /* r->length is now just compressed */ | |
466 | if (s->expand != NULL) | |
467 | { | |
468 | if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) | |
469 | { | |
470 | al=SSL_AD_RECORD_OVERFLOW; | |
beb056b3 | 471 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG); |
36d16f8e BL |
472 | goto f_err; |
473 | } | |
474 | if (!ssl3_do_uncompress(s)) | |
475 | { | |
476 | al=SSL_AD_DECOMPRESSION_FAILURE; | |
beb056b3 | 477 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_BAD_DECOMPRESSION); |
36d16f8e BL |
478 | goto f_err; |
479 | } | |
480 | } | |
481 | ||
482 | if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) | |
483 | { | |
484 | al=SSL_AD_RECORD_OVERFLOW; | |
beb056b3 | 485 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DATA_LENGTH_TOO_LONG); |
36d16f8e BL |
486 | goto f_err; |
487 | } | |
488 | ||
489 | rr->off=0; | |
490 | /* So at this point the following is true | |
491 | * ssl->s3->rrec.type is the type of record | |
492 | * ssl->s3->rrec.length == number of bytes in record | |
493 | * ssl->s3->rrec.off == offset to first valid byte | |
494 | * ssl->s3->rrec.data == where to take bytes from, increment | |
495 | * after use :-). | |
496 | */ | |
497 | ||
498 | /* we have pulled in a full packet so zero things */ | |
499 | s->packet_length=0; | |
50ec3951 AP |
500 | dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */ |
501 | return(1); | |
36d16f8e BL |
502 | |
503 | decryption_failed_or_bad_record_mac: | |
504 | /* Separate 'decryption_failed' alert was introduced with TLS 1.0, | |
505 | * SSL 3.0 only has 'bad_record_mac'. But unless a decryption | |
506 | * failure is directly visible from the ciphertext anyway, | |
507 | * we should not reveal which kind of error occured -- this | |
508 | * might become visible to an attacker (e.g. via logfile) */ | |
509 | al=SSL_AD_BAD_RECORD_MAC; | |
beb056b3 | 510 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); |
36d16f8e BL |
511 | f_err: |
512 | ssl3_send_alert(s,SSL3_AL_FATAL,al); | |
513 | err: | |
514 | return(0); | |
515 | } | |
516 | ||
517 | ||
518 | /* Call this to get a new input record. | |
519 | * It will return <= 0 if more data is needed, normally due to an error | |
520 | * or non-blocking IO. | |
521 | * When it finishes, one packet has been decoded and can be found in | |
522 | * ssl->s3->rrec.type - is the type of record | |
523 | * ssl->s3->rrec.data, - data | |
524 | * ssl->s3->rrec.length, - number of bytes | |
525 | */ | |
526 | /* used only by dtls1_read_bytes */ | |
527 | int dtls1_get_record(SSL *s) | |
528 | { | |
529 | int ssl_major,ssl_minor,al; | |
530 | int i,n; | |
531 | SSL3_RECORD *rr; | |
532 | SSL_SESSION *sess; | |
533 | unsigned char *p; | |
7432d073 | 534 | unsigned short version; |
36d16f8e | 535 | DTLS1_BITMAP *bitmap; |
dffdb56b | 536 | unsigned int is_next_epoch; |
36d16f8e BL |
537 | |
538 | rr= &(s->s3->rrec); | |
539 | sess=s->session; | |
540 | ||
dffdb56b AP |
541 | /* The epoch may have changed. If so, process all the |
542 | * pending records. This is a non-blocking operation. */ | |
543 | if ( ! dtls1_process_buffered_records(s)) | |
544 | return 0; | |
36d16f8e BL |
545 | |
546 | /* if we're renegotiating, then there may be buffered records */ | |
547 | if (dtls1_get_processed_record(s)) | |
548 | return 1; | |
549 | ||
550 | /* get something from the wire */ | |
551 | again: | |
552 | /* check if we have the header */ | |
553 | if ( (s->rstate != SSL_ST_READ_BODY) || | |
554 | (s->packet_length < DTLS1_RT_HEADER_LENGTH)) | |
555 | { | |
556 | n=ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, s->s3->rbuf.len, 0); | |
557 | /* read timeout is handled by dtls1_read_bytes */ | |
558 | if (n <= 0) return(n); /* error or non-blocking */ | |
559 | ||
560 | OPENSSL_assert(s->packet_length == DTLS1_RT_HEADER_LENGTH); | |
561 | ||
562 | s->rstate=SSL_ST_READ_BODY; | |
563 | ||
564 | p=s->packet; | |
565 | ||
566 | /* Pull apart the header into the DTLS1_RECORD */ | |
567 | rr->type= *(p++); | |
568 | ssl_major= *(p++); | |
569 | ssl_minor= *(p++); | |
570 | version=(ssl_major<<8)|ssl_minor; | |
571 | ||
dffdb56b | 572 | /* sequence number is 64 bits, with top 2 bytes = epoch */ |
36d16f8e BL |
573 | n2s(p,rr->epoch); |
574 | ||
188b0579 RL |
575 | memcpy(&(s->s3->read_sequence[2]), p, 6); |
576 | p+=6; | |
577 | ||
36d16f8e BL |
578 | n2s(p,rr->length); |
579 | ||
580 | /* Lets check version */ | |
1e24b3a0 | 581 | if (!s->first_packet) |
36d16f8e BL |
582 | { |
583 | if (version != s->version) | |
584 | { | |
beb056b3 | 585 | SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); |
36d16f8e BL |
586 | /* Send back error using their |
587 | * version number :-) */ | |
588 | s->version=version; | |
589 | al=SSL_AD_PROTOCOL_VERSION; | |
590 | goto f_err; | |
591 | } | |
592 | } | |
593 | ||
594 | if ((version & 0xff00) != (DTLS1_VERSION & 0xff00)) | |
595 | { | |
beb056b3 | 596 | SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); |
36d16f8e BL |
597 | goto err; |
598 | } | |
599 | ||
600 | if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) | |
601 | { | |
602 | al=SSL_AD_RECORD_OVERFLOW; | |
beb056b3 | 603 | SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG); |
36d16f8e BL |
604 | goto f_err; |
605 | } | |
606 | ||
607 | /* now s->rstate == SSL_ST_READ_BODY */ | |
608 | } | |
609 | ||
610 | /* s->rstate == SSL_ST_READ_BODY, get and decode the data */ | |
611 | ||
612 | if (rr->length > s->packet_length-DTLS1_RT_HEADER_LENGTH) | |
613 | { | |
614 | /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */ | |
615 | i=rr->length; | |
616 | n=ssl3_read_n(s,i,i,1); | |
617 | if (n <= 0) return(n); /* error or non-blocking io */ | |
618 | ||
619 | /* this packet contained a partial record, dump it */ | |
620 | if ( n != i) | |
621 | { | |
622 | s->packet_length = 0; | |
623 | goto again; | |
624 | } | |
625 | ||
626 | /* now n == rr->length, | |
627 | * and s->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length */ | |
628 | } | |
629 | s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */ | |
630 | ||
631 | /* match epochs. NULL means the packet is dropped on the floor */ | |
632 | bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); | |
633 | if ( bitmap == NULL) | |
50ec3951 AP |
634 | { |
635 | s->packet_length = 0; /* dump this record */ | |
636 | goto again; /* get another record */ | |
36d16f8e BL |
637 | } |
638 | ||
639 | /* check whether this is a repeat, or aged record */ | |
50ec3951 | 640 | if ( ! dtls1_record_replay_check(s, bitmap)) |
36d16f8e | 641 | { |
570006f3 | 642 | rr->length = 0; |
36d16f8e BL |
643 | s->packet_length=0; /* dump this record */ |
644 | goto again; /* get another record */ | |
645 | } | |
646 | ||
647 | /* just read a 0 length packet */ | |
648 | if (rr->length == 0) goto again; | |
649 | ||
dffdb56b AP |
650 | /* If this record is from the next epoch (either HM or ALERT), |
651 | * buffer it since it cannot be processed at this time. Records | |
652 | * from the next epoch are marked as received even though they | |
653 | * are not processed, so as to prevent any potential resource | |
654 | * DoS attack */ | |
655 | if (is_next_epoch) | |
656 | { | |
657 | dtls1_record_bitmap_update(s, bitmap); | |
658 | dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num); | |
659 | s->packet_length = 0; | |
660 | goto again; | |
661 | } | |
36d16f8e | 662 | |
dffdb56b AP |
663 | if ( ! dtls1_process_record(s)) |
664 | return(0); | |
36d16f8e BL |
665 | |
666 | dtls1_clear_timeouts(s); /* done waiting */ | |
667 | return(1); | |
668 | ||
669 | f_err: | |
670 | ssl3_send_alert(s,SSL3_AL_FATAL,al); | |
671 | err: | |
672 | return(0); | |
673 | } | |
674 | ||
675 | /* Return up to 'len' payload bytes received in 'type' records. | |
676 | * 'type' is one of the following: | |
677 | * | |
678 | * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us) | |
679 | * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us) | |
680 | * - 0 (during a shutdown, no data has to be returned) | |
681 | * | |
682 | * If we don't have stored data to work from, read a SSL/TLS record first | |
683 | * (possibly multiple records if we still don't have anything to return). | |
684 | * | |
685 | * This function must handle any surprises the peer may have for us, such as | |
686 | * Alert records (e.g. close_notify), ChangeCipherSpec records (not really | |
687 | * a surprise, but handled as if it were), or renegotiation requests. | |
688 | * Also if record payloads contain fragments too small to process, we store | |
689 | * them until there is enough for the respective protocol (the record protocol | |
690 | * may use arbitrary fragmentation and even interleaving): | |
691 | * Change cipher spec protocol | |
692 | * just 1 byte needed, no need for keeping anything stored | |
693 | * Alert protocol | |
694 | * 2 bytes needed (AlertLevel, AlertDescription) | |
695 | * Handshake protocol | |
696 | * 4 bytes needed (HandshakeType, uint24 length) -- we just have | |
697 | * to detect unexpected Client Hello and Hello Request messages | |
698 | * here, anything else is handled by higher layers | |
699 | * Application data protocol | |
700 | * none of our business | |
701 | */ | |
702 | int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) | |
703 | { | |
704 | int al,i,j,ret; | |
705 | unsigned int n; | |
706 | SSL3_RECORD *rr; | |
707 | void (*cb)(const SSL *ssl,int type2,int val)=NULL; | |
708 | ||
709 | if (s->s3->rbuf.buf == NULL) /* Not initialized yet */ | |
710 | if (!ssl3_setup_buffers(s)) | |
711 | return(-1); | |
712 | ||
713 | /* XXX: check what the second '&& type' is about */ | |
714 | if ((type && (type != SSL3_RT_APPLICATION_DATA) && | |
715 | (type != SSL3_RT_HANDSHAKE) && type) || | |
716 | (peek && (type != SSL3_RT_APPLICATION_DATA))) | |
717 | { | |
beb056b3 | 718 | SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); |
36d16f8e BL |
719 | return -1; |
720 | } | |
721 | ||
722 | /* check whether there's a handshake message (client hello?) waiting */ | |
723 | if ( (ret = have_handshake_fragment(s, type, buf, len, peek))) | |
724 | return ret; | |
725 | ||
726 | /* Now s->d1->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */ | |
727 | ||
728 | if (!s->in_handshake && SSL_in_init(s)) | |
729 | { | |
730 | /* type == SSL3_RT_APPLICATION_DATA */ | |
731 | i=s->handshake_func(s); | |
732 | if (i < 0) return(i); | |
733 | if (i == 0) | |
734 | { | |
beb056b3 | 735 | SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); |
36d16f8e BL |
736 | return(-1); |
737 | } | |
738 | } | |
739 | ||
740 | start: | |
741 | s->rwstate=SSL_NOTHING; | |
742 | ||
743 | /* s->s3->rrec.type - is the type of record | |
744 | * s->s3->rrec.data, - data | |
745 | * s->s3->rrec.off, - offset into 'data' for next read | |
746 | * s->s3->rrec.length, - number of bytes. */ | |
747 | rr = &(s->s3->rrec); | |
748 | ||
749 | /* get new packet if necessary */ | |
750 | if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY)) | |
751 | { | |
752 | ret=dtls1_get_record(s); | |
753 | if (ret <= 0) | |
754 | { | |
755 | ret = dtls1_read_failed(s, ret); | |
756 | /* anything other than a timeout is an error */ | |
757 | if (ret <= 0) | |
758 | return(ret); | |
759 | else | |
760 | goto start; | |
761 | } | |
762 | } | |
763 | ||
764 | /* we now have a packet which can be read and processed */ | |
765 | ||
766 | if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, | |
767 | * reset by ssl3_get_finished */ | |
768 | && (rr->type != SSL3_RT_HANDSHAKE)) | |
769 | { | |
770 | al=SSL_AD_UNEXPECTED_MESSAGE; | |
beb056b3 | 771 | SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED); |
36d16f8e BL |
772 | goto err; |
773 | } | |
774 | ||
775 | /* If the other end has shut down, throw anything we read away | |
776 | * (even in 'peek' mode) */ | |
777 | if (s->shutdown & SSL_RECEIVED_SHUTDOWN) | |
778 | { | |
779 | rr->length=0; | |
780 | s->rwstate=SSL_NOTHING; | |
781 | return(0); | |
782 | } | |
783 | ||
784 | ||
785 | if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */ | |
786 | { | |
787 | /* make sure that we are not getting application data when we | |
788 | * are doing a handshake for the first time */ | |
789 | if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) && | |
790 | (s->enc_read_ctx == NULL)) | |
791 | { | |
792 | al=SSL_AD_UNEXPECTED_MESSAGE; | |
beb056b3 | 793 | SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE); |
36d16f8e BL |
794 | goto f_err; |
795 | } | |
796 | ||
797 | if (len <= 0) return(len); | |
798 | ||
799 | if ((unsigned int)len > rr->length) | |
800 | n = rr->length; | |
801 | else | |
802 | n = (unsigned int)len; | |
803 | ||
804 | memcpy(buf,&(rr->data[rr->off]),n); | |
805 | if (!peek) | |
806 | { | |
807 | rr->length-=n; | |
808 | rr->off+=n; | |
809 | if (rr->length == 0) | |
810 | { | |
811 | s->rstate=SSL_ST_READ_HEADER; | |
812 | rr->off=0; | |
813 | } | |
814 | } | |
815 | return(n); | |
816 | } | |
817 | ||
818 | ||
819 | /* If we get here, then type != rr->type; if we have a handshake | |
820 | * message, then it was unexpected (Hello Request or Client Hello). */ | |
821 | ||
822 | /* In case of record types for which we have 'fragment' storage, | |
823 | * fill that so that we can process the data at a fixed place. | |
824 | */ | |
825 | { | |
4e321ffa | 826 | unsigned int k, dest_maxlen = 0; |
36d16f8e BL |
827 | unsigned char *dest = NULL; |
828 | unsigned int *dest_len = NULL; | |
829 | ||
830 | if (rr->type == SSL3_RT_HANDSHAKE) | |
831 | { | |
832 | dest_maxlen = sizeof s->d1->handshake_fragment; | |
833 | dest = s->d1->handshake_fragment; | |
834 | dest_len = &s->d1->handshake_fragment_len; | |
835 | } | |
836 | else if (rr->type == SSL3_RT_ALERT) | |
837 | { | |
838 | dest_maxlen = sizeof(s->d1->alert_fragment); | |
839 | dest = s->d1->alert_fragment; | |
840 | dest_len = &s->d1->alert_fragment_len; | |
841 | } | |
89c9c667 DSH |
842 | /* else it's a CCS message, or it's wrong */ |
843 | else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC) | |
844 | { | |
845 | /* Not certain if this is the right error handling */ | |
846 | al=SSL_AD_UNEXPECTED_MESSAGE; | |
847 | SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD); | |
848 | goto f_err; | |
849 | } | |
36d16f8e BL |
850 | |
851 | ||
852 | if (dest_maxlen > 0) | |
853 | { | |
854 | /* XDTLS: In a pathalogical case, the Client Hello | |
855 | * may be fragmented--don't always expect dest_maxlen bytes */ | |
856 | if ( rr->length < dest_maxlen) | |
857 | { | |
d4938995 AP |
858 | #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE |
859 | /* | |
860 | * for normal alerts rr->length is 2, while | |
861 | * dest_maxlen is 7 if we were to handle this | |
862 | * non-existing alert... | |
863 | */ | |
864 | FIX ME | |
865 | #endif | |
36d16f8e BL |
866 | s->rstate=SSL_ST_READ_HEADER; |
867 | rr->length = 0; | |
868 | goto start; | |
869 | } | |
870 | ||
871 | /* now move 'n' bytes: */ | |
4e321ffa | 872 | for ( k = 0; k < dest_maxlen; k++) |
36d16f8e | 873 | { |
4e321ffa | 874 | dest[k] = rr->data[rr->off++]; |
36d16f8e BL |
875 | rr->length--; |
876 | } | |
877 | *dest_len = dest_maxlen; | |
878 | } | |
879 | } | |
880 | ||
881 | /* s->d1->handshake_fragment_len == 12 iff rr->type == SSL3_RT_HANDSHAKE; | |
882 | * s->d1->alert_fragment_len == 7 iff rr->type == SSL3_RT_ALERT. | |
883 | * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */ | |
884 | ||
885 | /* If we are a client, check for an incoming 'Hello Request': */ | |
886 | if ((!s->server) && | |
887 | (s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && | |
888 | (s->d1->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) && | |
889 | (s->session != NULL) && (s->session->cipher != NULL)) | |
890 | { | |
891 | s->d1->handshake_fragment_len = 0; | |
892 | ||
893 | if ((s->d1->handshake_fragment[1] != 0) || | |
894 | (s->d1->handshake_fragment[2] != 0) || | |
895 | (s->d1->handshake_fragment[3] != 0)) | |
896 | { | |
897 | al=SSL_AD_DECODE_ERROR; | |
beb056b3 | 898 | SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_HELLO_REQUEST); |
36d16f8e BL |
899 | goto err; |
900 | } | |
901 | ||
902 | /* no need to check sequence number on HELLO REQUEST messages */ | |
903 | ||
904 | if (s->msg_callback) | |
905 | s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, | |
906 | s->d1->handshake_fragment, 4, s, s->msg_callback_arg); | |
907 | ||
908 | if (SSL_is_init_finished(s) && | |
909 | !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && | |
910 | !s->s3->renegotiate) | |
911 | { | |
912 | ssl3_renegotiate(s); | |
913 | if (ssl3_renegotiate_check(s)) | |
914 | { | |
915 | i=s->handshake_func(s); | |
916 | if (i < 0) return(i); | |
917 | if (i == 0) | |
918 | { | |
beb056b3 | 919 | SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); |
36d16f8e BL |
920 | return(-1); |
921 | } | |
922 | ||
923 | if (!(s->mode & SSL_MODE_AUTO_RETRY)) | |
924 | { | |
925 | if (s->s3->rbuf.left == 0) /* no read-ahead left? */ | |
926 | { | |
927 | BIO *bio; | |
928 | /* In the case where we try to read application data, | |
929 | * but we trigger an SSL handshake, we return -1 with | |
930 | * the retry option set. Otherwise renegotiation may | |
931 | * cause nasty problems in the blocking world */ | |
932 | s->rwstate=SSL_READING; | |
933 | bio=SSL_get_rbio(s); | |
934 | BIO_clear_retry_flags(bio); | |
935 | BIO_set_retry_read(bio); | |
936 | return(-1); | |
937 | } | |
938 | } | |
939 | } | |
940 | } | |
941 | /* we either finished a handshake or ignored the request, | |
942 | * now try again to obtain the (application) data we were asked for */ | |
943 | goto start; | |
944 | } | |
945 | ||
946 | if (s->d1->alert_fragment_len >= DTLS1_AL_HEADER_LENGTH) | |
947 | { | |
948 | int alert_level = s->d1->alert_fragment[0]; | |
949 | int alert_descr = s->d1->alert_fragment[1]; | |
950 | ||
951 | s->d1->alert_fragment_len = 0; | |
952 | ||
953 | if (s->msg_callback) | |
954 | s->msg_callback(0, s->version, SSL3_RT_ALERT, | |
955 | s->d1->alert_fragment, 2, s, s->msg_callback_arg); | |
956 | ||
957 | if (s->info_callback != NULL) | |
958 | cb=s->info_callback; | |
959 | else if (s->ctx->info_callback != NULL) | |
960 | cb=s->ctx->info_callback; | |
961 | ||
962 | if (cb != NULL) | |
963 | { | |
964 | j = (alert_level << 8) | alert_descr; | |
965 | cb(s, SSL_CB_READ_ALERT, j); | |
966 | } | |
967 | ||
968 | if (alert_level == 1) /* warning */ | |
969 | { | |
970 | s->s3->warn_alert = alert_descr; | |
971 | if (alert_descr == SSL_AD_CLOSE_NOTIFY) | |
972 | { | |
973 | s->shutdown |= SSL_RECEIVED_SHUTDOWN; | |
974 | return(0); | |
975 | } | |
976 | #if 0 | |
977 | /* XXX: this is a possible improvement in the future */ | |
978 | /* now check if it's a missing record */ | |
979 | if (alert_descr == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) | |
980 | { | |
981 | unsigned short seq; | |
982 | unsigned int frag_off; | |
983 | unsigned char *p = &(s->d1->alert_fragment[2]); | |
984 | ||
985 | n2s(p, seq); | |
986 | n2l3(p, frag_off); | |
987 | ||
988 | dtls1_retransmit_message(s, seq, frag_off, &found); | |
989 | if ( ! found && SSL_in_init(s)) | |
990 | { | |
991 | /* fprintf( stderr,"in init = %d\n", SSL_in_init(s)); */ | |
992 | /* requested a message not yet sent, | |
993 | send an alert ourselves */ | |
994 | ssl3_send_alert(s,SSL3_AL_WARNING, | |
995 | DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); | |
996 | } | |
997 | } | |
998 | #endif | |
999 | } | |
1000 | else if (alert_level == 2) /* fatal */ | |
1001 | { | |
1002 | char tmp[16]; | |
1003 | ||
1004 | s->rwstate=SSL_NOTHING; | |
1005 | s->s3->fatal_alert = alert_descr; | |
beb056b3 | 1006 | SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr); |
36d16f8e BL |
1007 | BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr); |
1008 | ERR_add_error_data(2,"SSL alert number ",tmp); | |
1009 | s->shutdown|=SSL_RECEIVED_SHUTDOWN; | |
1010 | SSL_CTX_remove_session(s->ctx,s->session); | |
1011 | return(0); | |
1012 | } | |
1013 | else | |
1014 | { | |
1015 | al=SSL_AD_ILLEGAL_PARAMETER; | |
beb056b3 | 1016 | SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE); |
36d16f8e BL |
1017 | goto f_err; |
1018 | } | |
1019 | ||
1020 | goto start; | |
1021 | } | |
1022 | ||
1023 | if (s->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutdown */ | |
1024 | { | |
1025 | s->rwstate=SSL_NOTHING; | |
1026 | rr->length=0; | |
1027 | return(0); | |
1028 | } | |
1029 | ||
1030 | if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) | |
89c333e3 AP |
1031 | { |
1032 | struct ccs_header_st ccs_hdr; | |
36d16f8e BL |
1033 | |
1034 | dtls1_get_ccs_header(rr->data, &ccs_hdr); | |
1035 | ||
89c333e3 AP |
1036 | /* 'Change Cipher Spec' is just a single byte, so we know |
1037 | * exactly what the record payload has to look like */ | |
1038 | /* XDTLS: check that epoch is consistent */ | |
1039 | if ( (rr->length != DTLS1_CCS_HEADER_LENGTH) || | |
1040 | (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) | |
36d16f8e | 1041 | { |
89c333e3 AP |
1042 | i=SSL_AD_ILLEGAL_PARAMETER; |
1043 | SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC); | |
1044 | goto err; | |
36d16f8e | 1045 | } |
89c333e3 AP |
1046 | |
1047 | rr->length=0; | |
1048 | ||
1049 | if (s->msg_callback) | |
1050 | s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, | |
1051 | rr->data, 1, s, s->msg_callback_arg); | |
1052 | ||
1053 | s->s3->change_cipher_spec=1; | |
1054 | if (!ssl3_do_change_cipher_spec(s)) | |
1055 | goto err; | |
1056 | ||
1057 | /* do this whenever CCS is processed */ | |
1058 | dtls1_reset_seq_numbers(s, SSL3_CC_READ); | |
1059 | ||
89c333e3 | 1060 | goto start; |
36d16f8e BL |
1061 | } |
1062 | ||
1063 | /* Unexpected handshake message (Client Hello, or protocol violation) */ | |
1064 | if ((s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && | |
1065 | !s->in_handshake) | |
1066 | { | |
1067 | struct hm_header_st msg_hdr; | |
1068 | ||
1069 | /* this may just be a stale retransmit */ | |
1070 | dtls1_get_message_header(rr->data, &msg_hdr); | |
1071 | if( rr->epoch != s->d1->r_epoch) | |
1072 | { | |
1073 | rr->length = 0; | |
1074 | goto start; | |
1075 | } | |
1076 | ||
1077 | if (((s->state&SSL_ST_MASK) == SSL_ST_OK) && | |
1078 | !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) | |
1079 | { | |
1080 | #if 0 /* worked only because C operator preferences are not as expected (and | |
1081 | * because this is not really needed for clients except for detecting | |
1082 | * protocol violations): */ | |
1083 | s->state=SSL_ST_BEFORE|(s->server) | |
1084 | ?SSL_ST_ACCEPT | |
1085 | :SSL_ST_CONNECT; | |
1086 | #else | |
1087 | s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; | |
1088 | #endif | |
1089 | s->new_session=1; | |
1090 | } | |
1091 | i=s->handshake_func(s); | |
1092 | if (i < 0) return(i); | |
1093 | if (i == 0) | |
1094 | { | |
beb056b3 | 1095 | SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); |
36d16f8e BL |
1096 | return(-1); |
1097 | } | |
1098 | ||
1099 | if (!(s->mode & SSL_MODE_AUTO_RETRY)) | |
1100 | { | |
1101 | if (s->s3->rbuf.left == 0) /* no read-ahead left? */ | |
1102 | { | |
1103 | BIO *bio; | |
1104 | /* In the case where we try to read application data, | |
1105 | * but we trigger an SSL handshake, we return -1 with | |
1106 | * the retry option set. Otherwise renegotiation may | |
1107 | * cause nasty problems in the blocking world */ | |
1108 | s->rwstate=SSL_READING; | |
1109 | bio=SSL_get_rbio(s); | |
1110 | BIO_clear_retry_flags(bio); | |
1111 | BIO_set_retry_read(bio); | |
1112 | return(-1); | |
1113 | } | |
1114 | } | |
1115 | goto start; | |
1116 | } | |
1117 | ||
1118 | switch (rr->type) | |
1119 | { | |
1120 | default: | |
1121 | #ifndef OPENSSL_NO_TLS | |
1122 | /* TLS just ignores unknown message types */ | |
1123 | if (s->version == TLS1_VERSION) | |
1124 | { | |
1125 | rr->length = 0; | |
1126 | goto start; | |
1127 | } | |
1128 | #endif | |
1129 | al=SSL_AD_UNEXPECTED_MESSAGE; | |
beb056b3 | 1130 | SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD); |
36d16f8e BL |
1131 | goto f_err; |
1132 | case SSL3_RT_CHANGE_CIPHER_SPEC: | |
1133 | case SSL3_RT_ALERT: | |
1134 | case SSL3_RT_HANDSHAKE: | |
1135 | /* we already handled all of these, with the possible exception | |
1136 | * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that | |
1137 | * should not happen when type != rr->type */ | |
1138 | al=SSL_AD_UNEXPECTED_MESSAGE; | |
beb056b3 | 1139 | SSLerr(SSL_F_DTLS1_READ_BYTES,ERR_R_INTERNAL_ERROR); |
36d16f8e BL |
1140 | goto f_err; |
1141 | case SSL3_RT_APPLICATION_DATA: | |
1142 | /* At this point, we were expecting handshake data, | |
1143 | * but have application data. If the library was | |
1144 | * running inside ssl3_read() (i.e. in_read_app_data | |
1145 | * is set) and it makes sense to read application data | |
1146 | * at this point (session renegotiation not yet started), | |
1147 | * we will indulge it. | |
1148 | */ | |
1149 | if (s->s3->in_read_app_data && | |
1150 | (s->s3->total_renegotiations != 0) && | |
1151 | (( | |
1152 | (s->state & SSL_ST_CONNECT) && | |
1153 | (s->state >= SSL3_ST_CW_CLNT_HELLO_A) && | |
1154 | (s->state <= SSL3_ST_CR_SRVR_HELLO_A) | |
1155 | ) || ( | |
1156 | (s->state & SSL_ST_ACCEPT) && | |
1157 | (s->state <= SSL3_ST_SW_HELLO_REQ_A) && | |
1158 | (s->state >= SSL3_ST_SR_CLNT_HELLO_A) | |
1159 | ) | |
1160 | )) | |
1161 | { | |
1162 | s->s3->in_read_app_data=2; | |
1163 | return(-1); | |
1164 | } | |
1165 | else | |
1166 | { | |
1167 | al=SSL_AD_UNEXPECTED_MESSAGE; | |
beb056b3 | 1168 | SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD); |
36d16f8e BL |
1169 | goto f_err; |
1170 | } | |
1171 | } | |
1172 | /* not reached */ | |
1173 | ||
1174 | f_err: | |
1175 | ssl3_send_alert(s,SSL3_AL_FATAL,al); | |
1176 | err: | |
1177 | return(-1); | |
1178 | } | |
1179 | ||
1180 | int | |
1181 | dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len) | |
1182 | { | |
1183 | unsigned int n,tot; | |
1184 | int i; | |
1185 | ||
1186 | if (SSL_in_init(s) && !s->in_handshake) | |
1187 | { | |
1188 | i=s->handshake_func(s); | |
1189 | if (i < 0) return(i); | |
1190 | if (i == 0) | |
1191 | { | |
beb056b3 | 1192 | SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); |
36d16f8e BL |
1193 | return -1; |
1194 | } | |
1195 | } | |
1196 | ||
1197 | tot = s->s3->wnum; | |
1198 | n = len - tot; | |
1199 | ||
1200 | while( n) | |
1201 | { | |
1202 | /* dtls1_write_bytes sends one record at a time, sized according to | |
1203 | * the currently known MTU */ | |
1204 | i = dtls1_write_bytes(s, type, buf_, len); | |
1205 | if (i <= 0) return i; | |
1206 | ||
1207 | if ((i == (int)n) || | |
1208 | (type == SSL3_RT_APPLICATION_DATA && | |
1209 | (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) | |
1210 | { | |
1211 | /* next chunk of data should get another prepended empty fragment | |
1212 | * in ciphersuites with known-IV weakness: */ | |
1213 | s->s3->empty_fragment_done = 0; | |
1214 | return tot+i; | |
1215 | } | |
1216 | ||
1217 | tot += i; | |
1218 | n-=i; | |
1219 | } | |
1220 | ||
1221 | return tot; | |
1222 | } | |
1223 | ||
1224 | ||
1225 | /* this only happens when a client hello is received and a handshake | |
1226 | * is started. */ | |
1227 | static int | |
1228 | have_handshake_fragment(SSL *s, int type, unsigned char *buf, | |
1229 | int len, int peek) | |
1230 | { | |
1231 | ||
1232 | if ((type == SSL3_RT_HANDSHAKE) && (s->d1->handshake_fragment_len > 0)) | |
1233 | /* (partially) satisfy request from storage */ | |
1234 | { | |
1235 | unsigned char *src = s->d1->handshake_fragment; | |
1236 | unsigned char *dst = buf; | |
1237 | unsigned int k,n; | |
1238 | ||
1239 | /* peek == 0 */ | |
1240 | n = 0; | |
1241 | while ((len > 0) && (s->d1->handshake_fragment_len > 0)) | |
1242 | { | |
1243 | *dst++ = *src++; | |
1244 | len--; s->d1->handshake_fragment_len--; | |
1245 | n++; | |
1246 | } | |
1247 | /* move any remaining fragment bytes: */ | |
1248 | for (k = 0; k < s->d1->handshake_fragment_len; k++) | |
1249 | s->d1->handshake_fragment[k] = *src++; | |
1250 | return n; | |
1251 | } | |
1252 | ||
1253 | return 0; | |
1254 | } | |
1255 | ||
1256 | ||
1257 | ||
1258 | ||
1259 | /* Call this to write data in records of type 'type' | |
1260 | * It will return <= 0 if not all data has been sent or non-blocking IO. | |
1261 | */ | |
1262 | int dtls1_write_bytes(SSL *s, int type, const void *buf_, int len) | |
1263 | { | |
1264 | const unsigned char *buf=buf_; | |
1265 | unsigned int tot,n,nw; | |
1266 | int i; | |
1267 | unsigned int mtu; | |
1268 | ||
1269 | s->rwstate=SSL_NOTHING; | |
1270 | tot=s->s3->wnum; | |
1271 | ||
1272 | n=(len-tot); | |
1273 | ||
1274 | /* handshake layer figures out MTU for itself, but data records | |
1275 | * are also sent through this interface, so need to figure out MTU */ | |
1276 | #if 0 | |
1277 | mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_MTU, 0, NULL); | |
1278 | mtu += DTLS1_HM_HEADER_LENGTH; /* HM already inserted */ | |
1279 | #endif | |
1280 | mtu = s->d1->mtu; | |
1281 | ||
1282 | if (mtu > SSL3_RT_MAX_PLAIN_LENGTH) | |
1283 | mtu = SSL3_RT_MAX_PLAIN_LENGTH; | |
1284 | ||
1285 | if (n > mtu) | |
1286 | nw=mtu; | |
1287 | else | |
1288 | nw=n; | |
1289 | ||
1290 | i=do_dtls1_write(s, type, &(buf[tot]), nw, 0); | |
1291 | if (i <= 0) | |
1292 | { | |
1293 | s->s3->wnum=tot; | |
1294 | return i; | |
1295 | } | |
1296 | ||
6c61726b | 1297 | if ( (int)s->s3->wnum + i == len) |
36d16f8e BL |
1298 | s->s3->wnum = 0; |
1299 | else | |
1300 | s->s3->wnum += i; | |
1301 | ||
51ec776b | 1302 | return i; |
36d16f8e BL |
1303 | } |
1304 | ||
beb056b3 | 1305 | int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, int create_empty_fragment) |
36d16f8e BL |
1306 | { |
1307 | unsigned char *p,*pseq; | |
1308 | int i,mac_size,clear=0; | |
1309 | int prefix_len = 0; | |
1310 | SSL3_RECORD *wr; | |
1311 | SSL3_BUFFER *wb; | |
1312 | SSL_SESSION *sess; | |
1313 | int bs; | |
1314 | ||
1315 | /* first check if there is a SSL3_BUFFER still being written | |
1316 | * out. This will happen with non blocking IO */ | |
1317 | if (s->s3->wbuf.left != 0) | |
1318 | { | |
1319 | OPENSSL_assert(0); /* XDTLS: want to see if we ever get here */ | |
1320 | return(ssl3_write_pending(s,type,buf,len)); | |
1321 | } | |
1322 | ||
1323 | /* If we have an alert to send, lets send it */ | |
1324 | if (s->s3->alert_dispatch) | |
1325 | { | |
1326 | i=s->method->ssl_dispatch_alert(s); | |
1327 | if (i <= 0) | |
1328 | return(i); | |
1329 | /* if it went, fall through and send more stuff */ | |
1330 | } | |
1331 | ||
1332 | if (len == 0 && !create_empty_fragment) | |
1333 | return 0; | |
1334 | ||
1335 | wr= &(s->s3->wrec); | |
1336 | wb= &(s->s3->wbuf); | |
1337 | sess=s->session; | |
1338 | ||
1339 | if ( (sess == NULL) || | |
1340 | (s->enc_write_ctx == NULL) || | |
b948e2c5 | 1341 | (EVP_MD_CTX_md(s->write_hash) == NULL)) |
36d16f8e BL |
1342 | clear=1; |
1343 | ||
1344 | if (clear) | |
1345 | mac_size=0; | |
1346 | else | |
0eab41fb | 1347 | { |
b948e2c5 | 1348 | mac_size=EVP_MD_CTX_size(s->write_hash); |
0eab41fb BL |
1349 | if (mac_size < 0) |
1350 | goto err; | |
1351 | } | |
36d16f8e BL |
1352 | |
1353 | /* DTLS implements explicit IV, so no need for empty fragments */ | |
1354 | #if 0 | |
1355 | /* 'create_empty_fragment' is true only when this function calls itself */ | |
1356 | if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done | |
1357 | && SSL_version(s) != DTLS1_VERSION) | |
1358 | { | |
1359 | /* countermeasure against known-IV weakness in CBC ciphersuites | |
1360 | * (see http://www.openssl.org/~bodo/tls-cbc.txt) | |
1361 | */ | |
1362 | ||
1363 | if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA) | |
1364 | { | |
1365 | /* recursive function call with 'create_empty_fragment' set; | |
1366 | * this prepares and buffers the data for an empty fragment | |
1367 | * (these 'prefix_len' bytes are sent out later | |
1368 | * together with the actual payload) */ | |
1369 | prefix_len = s->method->do_ssl_write(s, type, buf, 0, 1); | |
1370 | if (prefix_len <= 0) | |
1371 | goto err; | |
1372 | ||
1373 | if (s->s3->wbuf.len < (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE) | |
1374 | { | |
1375 | /* insufficient space */ | |
beb056b3 | 1376 | SSLerr(SSL_F_DO_DTLS1_WRITE, ERR_R_INTERNAL_ERROR); |
36d16f8e BL |
1377 | goto err; |
1378 | } | |
1379 | } | |
1380 | ||
1381 | s->s3->empty_fragment_done = 1; | |
1382 | } | |
1383 | #endif | |
1384 | ||
1385 | p = wb->buf + prefix_len; | |
1386 | ||
1387 | /* write the header */ | |
1388 | ||
1389 | *(p++)=type&0xff; | |
1390 | wr->type=type; | |
1391 | ||
1392 | *(p++)=(s->version>>8); | |
1393 | *(p++)=s->version&0xff; | |
1394 | ||
1395 | /* field where we are to write out packet epoch, seq num and len */ | |
1396 | pseq=p; | |
1397 | p+=10; | |
1398 | ||
1399 | /* lets setup the record stuff. */ | |
1400 | ||
1401 | /* Make space for the explicit IV in case of CBC. | |
1402 | * (this is a bit of a boundary violation, but what the heck). | |
1403 | */ | |
1404 | if ( s->enc_write_ctx && | |
1405 | (EVP_CIPHER_mode( s->enc_write_ctx->cipher ) & EVP_CIPH_CBC_MODE)) | |
1406 | bs = EVP_CIPHER_block_size(s->enc_write_ctx->cipher); | |
1407 | else | |
1408 | bs = 0; | |
1409 | ||
1410 | wr->data=p + bs; /* make room for IV in case of CBC */ | |
1411 | wr->length=(int)len; | |
1412 | wr->input=(unsigned char *)buf; | |
1413 | ||
1414 | /* we now 'read' from wr->input, wr->length bytes into | |
1415 | * wr->data */ | |
1416 | ||
1417 | /* first we compress */ | |
1418 | if (s->compress != NULL) | |
1419 | { | |
1420 | if (!ssl3_do_compress(s)) | |
1421 | { | |
beb056b3 | 1422 | SSLerr(SSL_F_DO_DTLS1_WRITE,SSL_R_COMPRESSION_FAILURE); |
36d16f8e BL |
1423 | goto err; |
1424 | } | |
1425 | } | |
1426 | else | |
1427 | { | |
1428 | memcpy(wr->data,wr->input,wr->length); | |
1429 | wr->input=wr->data; | |
1430 | } | |
1431 | ||
1432 | /* we should still have the output to wr->data and the input | |
1433 | * from wr->input. Length should be wr->length. | |
1434 | * wr->data still points in the wb->buf */ | |
1435 | ||
1436 | if (mac_size != 0) | |
1437 | { | |
0eab41fb BL |
1438 | if(s->method->ssl3_enc->mac(s,&(p[wr->length + bs]),1) < 0) |
1439 | goto err; | |
36d16f8e BL |
1440 | wr->length+=mac_size; |
1441 | } | |
1442 | ||
1443 | /* this is true regardless of mac size */ | |
1444 | wr->input=p; | |
1445 | wr->data=p; | |
1446 | ||
1447 | ||
1448 | /* ssl3_enc can only have an error on read */ | |
d527834a AP |
1449 | if (bs) /* bs != 0 in case of CBC */ |
1450 | { | |
1451 | RAND_pseudo_bytes(p,bs); | |
1452 | /* master IV and last CBC residue stand for | |
1453 | * the rest of randomness */ | |
1454 | wr->length += bs; | |
1455 | } | |
1456 | ||
36d16f8e BL |
1457 | s->method->ssl3_enc->enc(s,1); |
1458 | ||
1459 | /* record length after mac and block padding */ | |
1460 | /* if (type == SSL3_RT_APPLICATION_DATA || | |
1461 | (type == SSL3_RT_ALERT && ! SSL_in_init(s))) */ | |
1462 | ||
1463 | /* there's only one epoch between handshake and app data */ | |
1464 | ||
1465 | s2n(s->d1->w_epoch, pseq); | |
1466 | ||
1467 | /* XDTLS: ?? */ | |
1468 | /* else | |
1469 | s2n(s->d1->handshake_epoch, pseq); */ | |
1470 | ||
188b0579 RL |
1471 | memcpy(pseq, &(s->s3->write_sequence[2]), 6); |
1472 | pseq+=6; | |
36d16f8e BL |
1473 | s2n(wr->length,pseq); |
1474 | ||
1475 | /* we should now have | |
1476 | * wr->data pointing to the encrypted data, which is | |
1477 | * wr->length long */ | |
1478 | wr->type=type; /* not needed but helps for debugging */ | |
1479 | wr->length+=DTLS1_RT_HEADER_LENGTH; | |
1480 | ||
1481 | #if 0 /* this is now done at the message layer */ | |
1482 | /* buffer the record, making it easy to handle retransmits */ | |
1483 | if ( type == SSL3_RT_HANDSHAKE || type == SSL3_RT_CHANGE_CIPHER_SPEC) | |
1484 | dtls1_buffer_record(s, wr->data, wr->length, | |
188b0579 | 1485 | *((PQ_64BIT *)&(s->s3->write_sequence[0]))); |
36d16f8e BL |
1486 | #endif |
1487 | ||
1488 | ssl3_record_sequence_update(&(s->s3->write_sequence[0])); | |
1489 | ||
1490 | if (create_empty_fragment) | |
1491 | { | |
1492 | /* we are in a recursive call; | |
1493 | * just return the length, don't write out anything here | |
1494 | */ | |
1495 | return wr->length; | |
1496 | } | |
1497 | ||
1498 | /* now let's set up wb */ | |
1499 | wb->left = prefix_len + wr->length; | |
1500 | wb->offset = 0; | |
1501 | ||
1502 | /* memorize arguments so that ssl3_write_pending can detect bad write retries later */ | |
1503 | s->s3->wpend_tot=len; | |
1504 | s->s3->wpend_buf=buf; | |
1505 | s->s3->wpend_type=type; | |
1506 | s->s3->wpend_ret=len; | |
1507 | ||
1508 | /* we now just need to write the buffer */ | |
1509 | return ssl3_write_pending(s,type,buf,len); | |
1510 | err: | |
1511 | return -1; | |
1512 | } | |
1513 | ||
1514 | ||
1515 | ||
50ec3951 | 1516 | static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap) |
36d16f8e | 1517 | { |
dffdb56b AP |
1518 | int cmp; |
1519 | unsigned int shift; | |
1520 | const unsigned char *seq = s->s3->read_sequence; | |
36d16f8e | 1521 | |
dffdb56b AP |
1522 | cmp = satsub64be(seq,bitmap->max_seq_num); |
1523 | if (cmp > 0) | |
188b0579 | 1524 | { |
50ec3951 | 1525 | memcpy (s->s3->rrec.seq_num,seq,8); |
dffdb56b | 1526 | return 1; /* this record in new */ |
188b0579 | 1527 | } |
dffdb56b AP |
1528 | shift = -cmp; |
1529 | if (shift >= sizeof(bitmap->map)*8) | |
1530 | return 0; /* stale, outside the window */ | |
1531 | else if (bitmap->map & (1UL<<shift)) | |
36d16f8e | 1532 | return 0; /* record previously received */ |
dffdb56b | 1533 | |
50ec3951 | 1534 | memcpy (s->s3->rrec.seq_num,seq,8); |
36d16f8e BL |
1535 | return 1; |
1536 | } | |
1537 | ||
1538 | ||
1539 | static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap) | |
1540 | { | |
dffdb56b | 1541 | int cmp; |
36d16f8e | 1542 | unsigned int shift; |
dffdb56b | 1543 | const unsigned char *seq = s->s3->read_sequence; |
36d16f8e | 1544 | |
dffdb56b AP |
1545 | cmp = satsub64be(seq,bitmap->max_seq_num); |
1546 | if (cmp > 0) | |
36d16f8e | 1547 | { |
dffdb56b AP |
1548 | shift = cmp; |
1549 | if (shift < sizeof(bitmap->map)*8) | |
1550 | bitmap->map <<= shift, bitmap->map |= 1UL; | |
1551 | else | |
1552 | bitmap->map = 1UL; | |
1553 | memcpy(bitmap->max_seq_num,seq,8); | |
36d16f8e | 1554 | } |
dffdb56b AP |
1555 | else { |
1556 | shift = -cmp; | |
1557 | if (shift < sizeof(bitmap->map)*8) | |
1558 | bitmap->map |= 1UL<<shift; | |
36d16f8e BL |
1559 | } |
1560 | } | |
1561 | ||
1562 | ||
1563 | int dtls1_dispatch_alert(SSL *s) | |
1564 | { | |
1565 | int i,j; | |
1566 | void (*cb)(const SSL *ssl,int type,int val)=NULL; | |
d4938995 | 1567 | unsigned char buf[DTLS1_AL_HEADER_LENGTH]; |
4e321ffa | 1568 | unsigned char *ptr = &buf[0]; |
36d16f8e BL |
1569 | |
1570 | s->s3->alert_dispatch=0; | |
1571 | ||
1572 | memset(buf, 0x00, sizeof(buf)); | |
1573 | *ptr++ = s->s3->send_alert[0]; | |
1574 | *ptr++ = s->s3->send_alert[1]; | |
1575 | ||
01c76c66 | 1576 | #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE |
36d16f8e BL |
1577 | if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) |
1578 | { | |
1579 | s2n(s->d1->handshake_read_seq, ptr); | |
1580 | #if 0 | |
1581 | if ( s->d1->r_msg_hdr.frag_off == 0) /* waiting for a new msg */ | |
1582 | ||
1583 | else | |
1584 | s2n(s->d1->r_msg_hdr.seq, ptr); /* partial msg read */ | |
1585 | #endif | |
1586 | ||
1587 | #if 0 | |
1588 | fprintf(stderr, "s->d1->handshake_read_seq = %d, s->d1->r_msg_hdr.seq = %d\n",s->d1->handshake_read_seq,s->d1->r_msg_hdr.seq); | |
1589 | #endif | |
1590 | l2n3(s->d1->r_msg_hdr.frag_off, ptr); | |
1591 | } | |
01c76c66 | 1592 | #endif |
36d16f8e BL |
1593 | |
1594 | i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0); | |
1595 | if (i <= 0) | |
1596 | { | |
1597 | s->s3->alert_dispatch=1; | |
1598 | /* fprintf( stderr, "not done with alert\n" ); */ | |
1599 | } | |
1600 | else | |
1601 | { | |
01c76c66 BM |
1602 | if (s->s3->send_alert[0] == SSL3_AL_FATAL |
1603 | #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE | |
1604 | || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE | |
1605 | #endif | |
1606 | ) | |
36d16f8e BL |
1607 | (void)BIO_flush(s->wbio); |
1608 | ||
1609 | if (s->msg_callback) | |
1610 | s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, | |
1611 | 2, s, s->msg_callback_arg); | |
1612 | ||
1613 | if (s->info_callback != NULL) | |
1614 | cb=s->info_callback; | |
1615 | else if (s->ctx->info_callback != NULL) | |
1616 | cb=s->ctx->info_callback; | |
1617 | ||
1618 | if (cb != NULL) | |
1619 | { | |
1620 | j=(s->s3->send_alert[0]<<8)|s->s3->send_alert[1]; | |
1621 | cb(s,SSL_CB_WRITE_ALERT,j); | |
1622 | } | |
1623 | } | |
1624 | return(i); | |
1625 | } | |
1626 | ||
1627 | ||
1628 | static DTLS1_BITMAP * | |
1629 | dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch) | |
1630 | { | |
1631 | ||
1632 | *is_next_epoch = 0; | |
1633 | ||
1634 | /* In current epoch, accept HM, CCS, DATA, & ALERT */ | |
1635 | if (rr->epoch == s->d1->r_epoch) | |
1636 | return &s->d1->bitmap; | |
1637 | ||
1638 | /* Only HM and ALERT messages can be from the next epoch */ | |
6c61726b | 1639 | else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) && |
36d16f8e BL |
1640 | (rr->type == SSL3_RT_HANDSHAKE || |
1641 | rr->type == SSL3_RT_ALERT)) | |
1642 | { | |
1643 | *is_next_epoch = 1; | |
1644 | return &s->d1->next_bitmap; | |
1645 | } | |
1646 | ||
1647 | return NULL; | |
1648 | } | |
1649 | ||
1650 | #if 0 | |
1651 | static int | |
1652 | dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr, unsigned short *priority, | |
1653 | unsigned long *offset) | |
1654 | { | |
1655 | ||
1656 | /* alerts are passed up immediately */ | |
1657 | if ( rr->type == SSL3_RT_APPLICATION_DATA || | |
1658 | rr->type == SSL3_RT_ALERT) | |
1659 | return 0; | |
1660 | ||
1661 | /* Only need to buffer if a handshake is underway. | |
1662 | * (this implies that Hello Request and Client Hello are passed up | |
1663 | * immediately) */ | |
1664 | if ( SSL_in_init(s)) | |
1665 | { | |
1666 | unsigned char *data = rr->data; | |
1667 | /* need to extract the HM/CCS sequence number here */ | |
1668 | if ( rr->type == SSL3_RT_HANDSHAKE || | |
1669 | rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) | |
1670 | { | |
1671 | unsigned short seq_num; | |
1672 | struct hm_header_st msg_hdr; | |
1673 | struct ccs_header_st ccs_hdr; | |
1674 | ||
1675 | if ( rr->type == SSL3_RT_HANDSHAKE) | |
1676 | { | |
1677 | dtls1_get_message_header(data, &msg_hdr); | |
1678 | seq_num = msg_hdr.seq; | |
1679 | *offset = msg_hdr.frag_off; | |
1680 | } | |
1681 | else | |
1682 | { | |
1683 | dtls1_get_ccs_header(data, &ccs_hdr); | |
1684 | seq_num = ccs_hdr.seq; | |
1685 | *offset = 0; | |
1686 | } | |
1687 | ||
1688 | /* this is either a record we're waiting for, or a | |
1689 | * retransmit of something we happened to previously | |
1690 | * receive (higher layers will drop the repeat silently */ | |
1691 | if ( seq_num < s->d1->handshake_read_seq) | |
1692 | return 0; | |
1693 | if (rr->type == SSL3_RT_HANDSHAKE && | |
1694 | seq_num == s->d1->handshake_read_seq && | |
1695 | msg_hdr.frag_off < s->d1->r_msg_hdr.frag_off) | |
1696 | return 0; | |
1697 | else if ( seq_num == s->d1->handshake_read_seq && | |
1698 | (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC || | |
1699 | msg_hdr.frag_off == s->d1->r_msg_hdr.frag_off)) | |
1700 | return 0; | |
1701 | else | |
1702 | { | |
1703 | *priority = seq_num; | |
1704 | return 1; | |
1705 | } | |
1706 | } | |
1707 | else /* unknown record type */ | |
1708 | return 0; | |
1709 | } | |
1710 | ||
1711 | return 0; | |
1712 | } | |
1713 | #endif | |
1714 | ||
1715 | void | |
1716 | dtls1_reset_seq_numbers(SSL *s, int rw) | |
1717 | { | |
1718 | unsigned char *seq; | |
1719 | unsigned int seq_bytes = sizeof(s->s3->read_sequence); | |
1720 | ||
1721 | if ( rw & SSL3_CC_READ) | |
1722 | { | |
1723 | seq = s->s3->read_sequence; | |
1724 | s->d1->r_epoch++; | |
dffdb56b | 1725 | memcpy(&(s->d1->bitmap), &(s->d1->next_bitmap), sizeof(DTLS1_BITMAP)); |
36d16f8e BL |
1726 | memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP)); |
1727 | } | |
1728 | else | |
1729 | { | |
1730 | seq = s->s3->write_sequence; | |
1731 | s->d1->w_epoch++; | |
1732 | } | |
1733 | ||
1734 | memset(seq, 0x00, seq_bytes); | |
1735 | } | |
1736 | ||
36d16f8e BL |
1737 | |
1738 | static void | |
1739 | dtls1_clear_timeouts(SSL *s) | |
1740 | { | |
1741 | memset(&(s->d1->timeout), 0x00, sizeof(struct dtls1_timeout_st)); | |
1742 | } |