]>
Commit | Line | Data |
---|---|---|
36d16f8e BL |
1 | /* ssl/d1_pkt.c */ |
2 | /* | |
3 | * DTLS implementation written by Nagendra Modadugu | |
4 | * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. | |
5 | */ | |
6 | /* ==================================================================== | |
7 | * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. | |
8 | * | |
9 | * Redistribution and use in source and binary forms, with or without | |
10 | * modification, are permitted provided that the following conditions | |
11 | * are met: | |
12 | * | |
13 | * 1. Redistributions of source code must retain the above copyright | |
14 | * notice, this list of conditions and the following disclaimer. | |
15 | * | |
16 | * 2. Redistributions in binary form must reproduce the above copyright | |
17 | * notice, this list of conditions and the following disclaimer in | |
18 | * the documentation and/or other materials provided with the | |
19 | * distribution. | |
20 | * | |
21 | * 3. All advertising materials mentioning features or use of this | |
22 | * software must display the following acknowledgment: | |
23 | * "This product includes software developed by the OpenSSL Project | |
24 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | |
25 | * | |
26 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
27 | * endorse or promote products derived from this software without | |
28 | * prior written permission. For written permission, please contact | |
29 | * openssl-core@openssl.org. | |
30 | * | |
31 | * 5. Products derived from this software may not be called "OpenSSL" | |
32 | * nor may "OpenSSL" appear in their names without prior written | |
33 | * permission of the OpenSSL Project. | |
34 | * | |
35 | * 6. Redistributions of any form whatsoever must retain the following | |
36 | * acknowledgment: | |
37 | * "This product includes software developed by the OpenSSL Project | |
38 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | |
39 | * | |
40 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
41 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
42 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
43 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
44 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
45 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
46 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
47 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
49 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
50 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
51 | * OF THE POSSIBILITY OF SUCH DAMAGE. | |
52 | * ==================================================================== | |
53 | * | |
54 | * This product includes cryptographic software written by Eric Young | |
55 | * (eay@cryptsoft.com). This product includes software written by Tim | |
56 | * Hudson (tjh@cryptsoft.com). | |
57 | * | |
58 | */ | |
59 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | |
60 | * All rights reserved. | |
61 | * | |
62 | * This package is an SSL implementation written | |
63 | * by Eric Young (eay@cryptsoft.com). | |
64 | * The implementation was written so as to conform with Netscapes SSL. | |
65 | * | |
66 | * This library is free for commercial and non-commercial use as long as | |
67 | * the following conditions are aheared to. The following conditions | |
68 | * apply to all code found in this distribution, be it the RC4, RSA, | |
69 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation | |
70 | * included with this distribution is covered by the same copyright terms | |
71 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). | |
72 | * | |
73 | * Copyright remains Eric Young's, and as such any Copyright notices in | |
74 | * the code are not to be removed. | |
75 | * If this package is used in a product, Eric Young should be given attribution | |
76 | * as the author of the parts of the library used. | |
77 | * This can be in the form of a textual message at program startup or | |
78 | * in documentation (online or textual) provided with the package. | |
79 | * | |
80 | * Redistribution and use in source and binary forms, with or without | |
81 | * modification, are permitted provided that the following conditions | |
82 | * are met: | |
83 | * 1. Redistributions of source code must retain the copyright | |
84 | * notice, this list of conditions and the following disclaimer. | |
85 | * 2. Redistributions in binary form must reproduce the above copyright | |
86 | * notice, this list of conditions and the following disclaimer in the | |
87 | * documentation and/or other materials provided with the distribution. | |
88 | * 3. All advertising materials mentioning features or use of this software | |
89 | * must display the following acknowledgement: | |
90 | * "This product includes cryptographic software written by | |
91 | * Eric Young (eay@cryptsoft.com)" | |
92 | * The word 'cryptographic' can be left out if the rouines from the library | |
93 | * being used are not cryptographic related :-). | |
94 | * 4. If you include any Windows specific code (or a derivative thereof) from | |
95 | * the apps directory (application code) you must include an acknowledgement: | |
96 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | |
97 | * | |
98 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND | |
99 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
100 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
101 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
102 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
103 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
104 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
105 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
106 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
107 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
108 | * SUCH DAMAGE. | |
109 | * | |
110 | * The licence and distribution terms for any publically available version or | |
111 | * derivative of this code cannot be changed. i.e. this code cannot simply be | |
112 | * copied and put under another distribution licence | |
113 | * [including the GNU Public Licence.] | |
114 | */ | |
115 | ||
116 | #include <stdio.h> | |
117 | #include <errno.h> | |
118 | #define USE_SOCKETS | |
119 | #include "ssl_locl.h" | |
120 | #include <openssl/evp.h> | |
121 | #include <openssl/buffer.h> | |
122 | #include <openssl/pqueue.h> | |
123 | ||
50ec3951 | 124 | /* mod 128 saturating subtract of two 64-bit values in big-endian order */ |
dffdb56b | 125 | static int satsub64be(const unsigned char *v1,const unsigned char *v2) |
50ec3951 AP |
126 | { int ret,sat,brw,i; |
127 | ||
128 | if (sizeof(long) == 8) do | |
129 | { const union { long one; char little; } is_endian = {1}; | |
130 | long l; | |
131 | ||
132 | if (is_endian.little) break; | |
133 | /* not reached on little-endians */ | |
134 | /* following test is redundant, because input is | |
135 | * always aligned, but I take no chances... */ | |
136 | if (((size_t)v1|(size_t)v2)&0x7) break; | |
137 | ||
44eff497 AP |
138 | l = *((long *)v1); |
139 | l -= *((long *)v2); | |
50ec3951 AP |
140 | if (l>128) return 128; |
141 | else if (l<-128) return -128; | |
142 | else return (int)l; | |
143 | } while (0); | |
144 | ||
145 | ret = (int)v1[7]-(int)v2[7]; | |
146 | sat = 0; | |
147 | brw = ret>>8; /* brw is either 0 or -1 */ | |
148 | if (ret & 0x80) | |
149 | { for (i=6;i>=0;i--) | |
150 | { brw += (int)v1[i]-(int)v2[i]; | |
151 | sat |= ~brw; | |
152 | brw >>= 8; | |
dffdb56b | 153 | } |
dffdb56b | 154 | } |
50ec3951 AP |
155 | else |
156 | { for (i=6;i>=0;i--) | |
157 | { brw += (int)v1[i]-(int)v2[i]; | |
158 | sat |= brw; | |
159 | brw >>= 8; | |
160 | } | |
161 | } | |
162 | brw <<= 8; /* brw is either 0 or -256 */ | |
163 | ||
164 | if (sat&0xff) return brw | 0x80; | |
165 | else return brw + (ret&0xFF); | |
166 | } | |
dffdb56b | 167 | |
36d16f8e BL |
168 | static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, |
169 | int len, int peek); | |
50ec3951 | 170 | static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap); |
36d16f8e BL |
171 | static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap); |
172 | static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, | |
173 | unsigned int *is_next_epoch); | |
174 | #if 0 | |
175 | static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr, | |
176 | unsigned short *priority, unsigned long *offset); | |
177 | #endif | |
178 | static int dtls1_buffer_record(SSL *s, record_pqueue *q, | |
dffdb56b | 179 | unsigned char *priority); |
36d16f8e | 180 | static int dtls1_process_record(SSL *s); |
36d16f8e BL |
181 | static void dtls1_clear_timeouts(SSL *s); |
182 | ||
36d16f8e BL |
183 | /* copy buffered record into SSL structure */ |
184 | static int | |
185 | dtls1_copy_record(SSL *s, pitem *item) | |
186 | { | |
187 | DTLS1_RECORD_DATA *rdata; | |
188 | ||
189 | rdata = (DTLS1_RECORD_DATA *)item->data; | |
190 | ||
191 | if (s->s3->rbuf.buf != NULL) | |
192 | OPENSSL_free(s->s3->rbuf.buf); | |
193 | ||
194 | s->packet = rdata->packet; | |
195 | s->packet_length = rdata->packet_length; | |
196 | memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER)); | |
197 | memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD)); | |
198 | ||
199 | return(1); | |
200 | } | |
201 | ||
202 | ||
203 | static int | |
dffdb56b AP |
204 | dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) |
205 | { | |
206 | DTLS1_RECORD_DATA *rdata; | |
36d16f8e BL |
207 | pitem *item; |
208 | ||
209 | rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); | |
210 | item = pitem_new(priority, rdata); | |
211 | if (rdata == NULL || item == NULL) | |
212 | { | |
213 | if (rdata != NULL) OPENSSL_free(rdata); | |
214 | if (item != NULL) pitem_free(item); | |
215 | ||
beb056b3 | 216 | SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); |
36d16f8e BL |
217 | return(0); |
218 | } | |
219 | ||
220 | rdata->packet = s->packet; | |
221 | rdata->packet_length = s->packet_length; | |
222 | memcpy(&(rdata->rbuf), &(s->s3->rbuf), sizeof(SSL3_BUFFER)); | |
223 | memcpy(&(rdata->rrec), &(s->s3->rrec), sizeof(SSL3_RECORD)); | |
224 | ||
225 | item->data = rdata; | |
226 | ||
227 | /* insert should not fail, since duplicates are dropped */ | |
228 | if (pqueue_insert(queue->q, item) == NULL) | |
229 | { | |
230 | OPENSSL_free(rdata); | |
231 | pitem_free(item); | |
232 | return(0); | |
233 | } | |
234 | ||
235 | s->packet = NULL; | |
236 | s->packet_length = 0; | |
237 | memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER)); | |
238 | memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD)); | |
239 | ||
240 | ssl3_setup_buffers(s); | |
241 | ||
242 | return(1); | |
dffdb56b | 243 | } |
36d16f8e BL |
244 | |
245 | ||
246 | static int | |
247 | dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) | |
248 | { | |
249 | pitem *item; | |
250 | ||
251 | item = pqueue_pop(queue->q); | |
252 | if (item) | |
253 | { | |
254 | dtls1_copy_record(s, item); | |
255 | ||
256 | OPENSSL_free(item->data); | |
257 | pitem_free(item); | |
258 | ||
259 | return(1); | |
260 | } | |
261 | ||
262 | return(0); | |
263 | } | |
264 | ||
265 | ||
266 | /* retrieve a buffered record that belongs to the new epoch, i.e., not processed | |
267 | * yet */ | |
268 | #define dtls1_get_unprocessed_record(s) \ | |
269 | dtls1_retrieve_buffered_record((s), \ | |
270 | &((s)->d1->unprocessed_rcds)) | |
271 | ||
272 | /* retrieve a buffered record that belongs to the current epoch, ie, processed */ | |
273 | #define dtls1_get_processed_record(s) \ | |
274 | dtls1_retrieve_buffered_record((s), \ | |
275 | &((s)->d1->processed_rcds)) | |
276 | ||
277 | static int | |
278 | dtls1_process_buffered_records(SSL *s) | |
279 | { | |
280 | pitem *item; | |
281 | ||
282 | item = pqueue_peek(s->d1->unprocessed_rcds.q); | |
283 | if (item) | |
284 | { | |
285 | DTLS1_RECORD_DATA *rdata; | |
286 | rdata = (DTLS1_RECORD_DATA *)item->data; | |
287 | ||
288 | /* Check if epoch is current. */ | |
289 | if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch) | |
290 | return(1); /* Nothing to do. */ | |
291 | ||
292 | /* Process all the records. */ | |
293 | while (pqueue_peek(s->d1->unprocessed_rcds.q)) | |
294 | { | |
295 | dtls1_get_unprocessed_record(s); | |
296 | if ( ! dtls1_process_record(s)) | |
297 | return(0); | |
298 | dtls1_buffer_record(s, &(s->d1->processed_rcds), | |
299 | s->s3->rrec.seq_num); | |
300 | } | |
301 | } | |
302 | ||
303 | /* sync epoch numbers once all the unprocessed records | |
304 | * have been processed */ | |
305 | s->d1->processed_rcds.epoch = s->d1->r_epoch; | |
306 | s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1; | |
307 | ||
308 | return(1); | |
309 | } | |
310 | ||
311 | ||
312 | #if 0 | |
313 | ||
314 | static int | |
315 | dtls1_get_buffered_record(SSL *s) | |
316 | { | |
317 | pitem *item; | |
188b0579 RL |
318 | PQ_64BIT priority = |
319 | (((PQ_64BIT)s->d1->handshake_read_seq) << 32) | | |
320 | ((PQ_64BIT)s->d1->r_msg_hdr.frag_off); | |
36d16f8e BL |
321 | |
322 | if ( ! SSL_in_init(s)) /* if we're not (re)negotiating, | |
323 | nothing buffered */ | |
324 | return 0; | |
325 | ||
326 | ||
327 | item = pqueue_peek(s->d1->rcvd_records); | |
328 | if (item && item->priority == priority) | |
329 | { | |
330 | /* Check if we've received the record of interest. It must be | |
331 | * a handshake record, since data records as passed up without | |
332 | * buffering */ | |
333 | DTLS1_RECORD_DATA *rdata; | |
334 | item = pqueue_pop(s->d1->rcvd_records); | |
335 | rdata = (DTLS1_RECORD_DATA *)item->data; | |
336 | ||
337 | if (s->s3->rbuf.buf != NULL) | |
338 | OPENSSL_free(s->s3->rbuf.buf); | |
339 | ||
340 | s->packet = rdata->packet; | |
341 | s->packet_length = rdata->packet_length; | |
342 | memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER)); | |
343 | memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD)); | |
344 | ||
345 | OPENSSL_free(item->data); | |
346 | pitem_free(item); | |
347 | ||
348 | /* s->d1->next_expected_seq_num++; */ | |
349 | return(1); | |
350 | } | |
351 | ||
352 | return 0; | |
353 | } | |
354 | ||
355 | #endif | |
356 | ||
357 | static int | |
358 | dtls1_process_record(SSL *s) | |
359 | { | |
50ec3951 | 360 | int i,al; |
36d16f8e | 361 | int clear=0; |
50ec3951 | 362 | int enc_err; |
36d16f8e | 363 | SSL_SESSION *sess; |
50ec3951 | 364 | SSL3_RECORD *rr; |
36d16f8e BL |
365 | unsigned int mac_size; |
366 | unsigned char md[EVP_MAX_MD_SIZE]; | |
367 | ||
368 | ||
369 | rr= &(s->s3->rrec); | |
50ec3951 | 370 | sess = s->session; |
36d16f8e BL |
371 | |
372 | /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, | |
373 | * and we have that many bytes in s->packet | |
374 | */ | |
375 | rr->input= &(s->packet[DTLS1_RT_HEADER_LENGTH]); | |
376 | ||
377 | /* ok, we can now read from 's->packet' data into 'rr' | |
378 | * rr->input points at rr->length bytes, which | |
379 | * need to be copied into rr->data by either | |
380 | * the decryption or by the decompression | |
381 | * When the data is 'copied' into the rr->data buffer, | |
382 | * rr->input will be pointed at the new buffer */ | |
383 | ||
384 | /* We now have - encrypted [ MAC [ compressed [ plain ] ] ] | |
385 | * rr->length bytes of encrypted compressed stuff. */ | |
386 | ||
387 | /* check is not needed I believe */ | |
388 | if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) | |
389 | { | |
390 | al=SSL_AD_RECORD_OVERFLOW; | |
beb056b3 | 391 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG); |
36d16f8e BL |
392 | goto f_err; |
393 | } | |
394 | ||
395 | /* decrypt in place in 'rr->input' */ | |
396 | rr->data=rr->input; | |
397 | ||
398 | enc_err = s->method->ssl3_enc->enc(s,0); | |
399 | if (enc_err <= 0) | |
400 | { | |
401 | if (enc_err == 0) | |
402 | /* SSLerr() and ssl3_send_alert() have been called */ | |
403 | goto err; | |
404 | ||
405 | /* otherwise enc_err == -1 */ | |
406 | goto decryption_failed_or_bad_record_mac; | |
407 | } | |
408 | ||
409 | #ifdef TLS_DEBUG | |
410 | printf("dec %d\n",rr->length); | |
411 | { unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); } | |
412 | printf("\n"); | |
413 | #endif | |
414 | ||
415 | /* r->length is now the compressed data plus mac */ | |
50ec3951 | 416 | if ( (sess == NULL) || |
36d16f8e BL |
417 | (s->enc_read_ctx == NULL) || |
418 | (s->read_hash == NULL)) | |
50ec3951 | 419 | clear=1; |
36d16f8e BL |
420 | |
421 | if (!clear) | |
422 | { | |
423 | mac_size=EVP_MD_size(s->read_hash); | |
424 | ||
425 | if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size) | |
426 | { | |
427 | #if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */ | |
428 | al=SSL_AD_RECORD_OVERFLOW; | |
beb056b3 | 429 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); |
36d16f8e BL |
430 | goto f_err; |
431 | #else | |
432 | goto decryption_failed_or_bad_record_mac; | |
433 | #endif | |
434 | } | |
435 | /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ | |
436 | if (rr->length < mac_size) | |
437 | { | |
438 | #if 0 /* OK only for stream ciphers */ | |
439 | al=SSL_AD_DECODE_ERROR; | |
beb056b3 | 440 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); |
36d16f8e BL |
441 | goto f_err; |
442 | #else | |
443 | goto decryption_failed_or_bad_record_mac; | |
444 | #endif | |
445 | } | |
446 | rr->length-=mac_size; | |
447 | i=s->method->ssl3_enc->mac(s,md,0); | |
448 | if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0) | |
449 | { | |
450 | goto decryption_failed_or_bad_record_mac; | |
451 | } | |
452 | } | |
453 | ||
454 | /* r->length is now just compressed */ | |
455 | if (s->expand != NULL) | |
456 | { | |
457 | if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) | |
458 | { | |
459 | al=SSL_AD_RECORD_OVERFLOW; | |
beb056b3 | 460 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG); |
36d16f8e BL |
461 | goto f_err; |
462 | } | |
463 | if (!ssl3_do_uncompress(s)) | |
464 | { | |
465 | al=SSL_AD_DECOMPRESSION_FAILURE; | |
beb056b3 | 466 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_BAD_DECOMPRESSION); |
36d16f8e BL |
467 | goto f_err; |
468 | } | |
469 | } | |
470 | ||
471 | if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) | |
472 | { | |
473 | al=SSL_AD_RECORD_OVERFLOW; | |
beb056b3 | 474 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DATA_LENGTH_TOO_LONG); |
36d16f8e BL |
475 | goto f_err; |
476 | } | |
477 | ||
478 | rr->off=0; | |
479 | /* So at this point the following is true | |
480 | * ssl->s3->rrec.type is the type of record | |
481 | * ssl->s3->rrec.length == number of bytes in record | |
482 | * ssl->s3->rrec.off == offset to first valid byte | |
483 | * ssl->s3->rrec.data == where to take bytes from, increment | |
484 | * after use :-). | |
485 | */ | |
486 | ||
487 | /* we have pulled in a full packet so zero things */ | |
488 | s->packet_length=0; | |
50ec3951 AP |
489 | dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */ |
490 | return(1); | |
36d16f8e BL |
491 | |
492 | decryption_failed_or_bad_record_mac: | |
493 | /* Separate 'decryption_failed' alert was introduced with TLS 1.0, | |
494 | * SSL 3.0 only has 'bad_record_mac'. But unless a decryption | |
495 | * failure is directly visible from the ciphertext anyway, | |
496 | * we should not reveal which kind of error occured -- this | |
497 | * might become visible to an attacker (e.g. via logfile) */ | |
498 | al=SSL_AD_BAD_RECORD_MAC; | |
beb056b3 | 499 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); |
36d16f8e BL |
500 | f_err: |
501 | ssl3_send_alert(s,SSL3_AL_FATAL,al); | |
502 | err: | |
503 | return(0); | |
504 | } | |
505 | ||
506 | ||
507 | /* Call this to get a new input record. | |
508 | * It will return <= 0 if more data is needed, normally due to an error | |
509 | * or non-blocking IO. | |
510 | * When it finishes, one packet has been decoded and can be found in | |
511 | * ssl->s3->rrec.type - is the type of record | |
512 | * ssl->s3->rrec.data, - data | |
513 | * ssl->s3->rrec.length, - number of bytes | |
514 | */ | |
515 | /* used only by dtls1_read_bytes */ | |
516 | int dtls1_get_record(SSL *s) | |
517 | { | |
518 | int ssl_major,ssl_minor,al; | |
519 | int i,n; | |
520 | SSL3_RECORD *rr; | |
521 | SSL_SESSION *sess; | |
522 | unsigned char *p; | |
523 | short version; | |
524 | DTLS1_BITMAP *bitmap; | |
dffdb56b | 525 | unsigned int is_next_epoch; |
36d16f8e BL |
526 | |
527 | rr= &(s->s3->rrec); | |
528 | sess=s->session; | |
529 | ||
dffdb56b AP |
530 | /* The epoch may have changed. If so, process all the |
531 | * pending records. This is a non-blocking operation. */ | |
532 | if ( ! dtls1_process_buffered_records(s)) | |
533 | return 0; | |
36d16f8e BL |
534 | |
535 | /* if we're renegotiating, then there may be buffered records */ | |
536 | if (dtls1_get_processed_record(s)) | |
537 | return 1; | |
538 | ||
539 | /* get something from the wire */ | |
540 | again: | |
541 | /* check if we have the header */ | |
542 | if ( (s->rstate != SSL_ST_READ_BODY) || | |
543 | (s->packet_length < DTLS1_RT_HEADER_LENGTH)) | |
544 | { | |
545 | n=ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, s->s3->rbuf.len, 0); | |
546 | /* read timeout is handled by dtls1_read_bytes */ | |
547 | if (n <= 0) return(n); /* error or non-blocking */ | |
548 | ||
549 | OPENSSL_assert(s->packet_length == DTLS1_RT_HEADER_LENGTH); | |
550 | ||
551 | s->rstate=SSL_ST_READ_BODY; | |
552 | ||
553 | p=s->packet; | |
554 | ||
555 | /* Pull apart the header into the DTLS1_RECORD */ | |
556 | rr->type= *(p++); | |
557 | ssl_major= *(p++); | |
558 | ssl_minor= *(p++); | |
559 | version=(ssl_major<<8)|ssl_minor; | |
560 | ||
dffdb56b | 561 | /* sequence number is 64 bits, with top 2 bytes = epoch */ |
36d16f8e BL |
562 | n2s(p,rr->epoch); |
563 | ||
188b0579 RL |
564 | memcpy(&(s->s3->read_sequence[2]), p, 6); |
565 | p+=6; | |
566 | ||
36d16f8e BL |
567 | n2s(p,rr->length); |
568 | ||
569 | /* Lets check version */ | |
570 | if (s->first_packet) | |
571 | { | |
572 | s->first_packet=0; | |
573 | } | |
574 | else | |
575 | { | |
576 | if (version != s->version) | |
577 | { | |
beb056b3 | 578 | SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); |
36d16f8e BL |
579 | /* Send back error using their |
580 | * version number :-) */ | |
581 | s->version=version; | |
582 | al=SSL_AD_PROTOCOL_VERSION; | |
583 | goto f_err; | |
584 | } | |
585 | } | |
586 | ||
587 | if ((version & 0xff00) != (DTLS1_VERSION & 0xff00)) | |
588 | { | |
beb056b3 | 589 | SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); |
36d16f8e BL |
590 | goto err; |
591 | } | |
592 | ||
593 | if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) | |
594 | { | |
595 | al=SSL_AD_RECORD_OVERFLOW; | |
beb056b3 | 596 | SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG); |
36d16f8e BL |
597 | goto f_err; |
598 | } | |
599 | ||
600 | /* now s->rstate == SSL_ST_READ_BODY */ | |
601 | } | |
602 | ||
603 | /* s->rstate == SSL_ST_READ_BODY, get and decode the data */ | |
604 | ||
605 | if (rr->length > s->packet_length-DTLS1_RT_HEADER_LENGTH) | |
606 | { | |
607 | /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */ | |
608 | i=rr->length; | |
609 | n=ssl3_read_n(s,i,i,1); | |
610 | if (n <= 0) return(n); /* error or non-blocking io */ | |
611 | ||
612 | /* this packet contained a partial record, dump it */ | |
613 | if ( n != i) | |
614 | { | |
615 | s->packet_length = 0; | |
616 | goto again; | |
617 | } | |
618 | ||
619 | /* now n == rr->length, | |
620 | * and s->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length */ | |
621 | } | |
622 | s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */ | |
623 | ||
624 | /* match epochs. NULL means the packet is dropped on the floor */ | |
625 | bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); | |
626 | if ( bitmap == NULL) | |
50ec3951 AP |
627 | { |
628 | s->packet_length = 0; /* dump this record */ | |
629 | goto again; /* get another record */ | |
36d16f8e BL |
630 | } |
631 | ||
632 | /* check whether this is a repeat, or aged record */ | |
50ec3951 | 633 | if ( ! dtls1_record_replay_check(s, bitmap)) |
36d16f8e BL |
634 | { |
635 | s->packet_length=0; /* dump this record */ | |
636 | goto again; /* get another record */ | |
637 | } | |
638 | ||
639 | /* just read a 0 length packet */ | |
640 | if (rr->length == 0) goto again; | |
641 | ||
dffdb56b AP |
642 | /* If this record is from the next epoch (either HM or ALERT), |
643 | * buffer it since it cannot be processed at this time. Records | |
644 | * from the next epoch are marked as received even though they | |
645 | * are not processed, so as to prevent any potential resource | |
646 | * DoS attack */ | |
647 | if (is_next_epoch) | |
648 | { | |
649 | dtls1_record_bitmap_update(s, bitmap); | |
650 | dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num); | |
651 | s->packet_length = 0; | |
652 | goto again; | |
653 | } | |
36d16f8e | 654 | |
dffdb56b AP |
655 | if ( ! dtls1_process_record(s)) |
656 | return(0); | |
36d16f8e BL |
657 | |
658 | dtls1_clear_timeouts(s); /* done waiting */ | |
659 | return(1); | |
660 | ||
661 | f_err: | |
662 | ssl3_send_alert(s,SSL3_AL_FATAL,al); | |
663 | err: | |
664 | return(0); | |
665 | } | |
666 | ||
667 | /* Return up to 'len' payload bytes received in 'type' records. | |
668 | * 'type' is one of the following: | |
669 | * | |
670 | * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us) | |
671 | * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us) | |
672 | * - 0 (during a shutdown, no data has to be returned) | |
673 | * | |
674 | * If we don't have stored data to work from, read a SSL/TLS record first | |
675 | * (possibly multiple records if we still don't have anything to return). | |
676 | * | |
677 | * This function must handle any surprises the peer may have for us, such as | |
678 | * Alert records (e.g. close_notify), ChangeCipherSpec records (not really | |
679 | * a surprise, but handled as if it were), or renegotiation requests. | |
680 | * Also if record payloads contain fragments too small to process, we store | |
681 | * them until there is enough for the respective protocol (the record protocol | |
682 | * may use arbitrary fragmentation and even interleaving): | |
683 | * Change cipher spec protocol | |
684 | * just 1 byte needed, no need for keeping anything stored | |
685 | * Alert protocol | |
686 | * 2 bytes needed (AlertLevel, AlertDescription) | |
687 | * Handshake protocol | |
688 | * 4 bytes needed (HandshakeType, uint24 length) -- we just have | |
689 | * to detect unexpected Client Hello and Hello Request messages | |
690 | * here, anything else is handled by higher layers | |
691 | * Application data protocol | |
692 | * none of our business | |
693 | */ | |
694 | int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) | |
695 | { | |
696 | int al,i,j,ret; | |
697 | unsigned int n; | |
698 | SSL3_RECORD *rr; | |
699 | void (*cb)(const SSL *ssl,int type2,int val)=NULL; | |
700 | ||
701 | if (s->s3->rbuf.buf == NULL) /* Not initialized yet */ | |
702 | if (!ssl3_setup_buffers(s)) | |
703 | return(-1); | |
704 | ||
705 | /* XXX: check what the second '&& type' is about */ | |
706 | if ((type && (type != SSL3_RT_APPLICATION_DATA) && | |
707 | (type != SSL3_RT_HANDSHAKE) && type) || | |
708 | (peek && (type != SSL3_RT_APPLICATION_DATA))) | |
709 | { | |
beb056b3 | 710 | SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); |
36d16f8e BL |
711 | return -1; |
712 | } | |
713 | ||
714 | /* check whether there's a handshake message (client hello?) waiting */ | |
715 | if ( (ret = have_handshake_fragment(s, type, buf, len, peek))) | |
716 | return ret; | |
717 | ||
718 | /* Now s->d1->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */ | |
719 | ||
720 | if (!s->in_handshake && SSL_in_init(s)) | |
721 | { | |
722 | /* type == SSL3_RT_APPLICATION_DATA */ | |
723 | i=s->handshake_func(s); | |
724 | if (i < 0) return(i); | |
725 | if (i == 0) | |
726 | { | |
beb056b3 | 727 | SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); |
36d16f8e BL |
728 | return(-1); |
729 | } | |
730 | } | |
731 | ||
732 | start: | |
733 | s->rwstate=SSL_NOTHING; | |
734 | ||
735 | /* s->s3->rrec.type - is the type of record | |
736 | * s->s3->rrec.data, - data | |
737 | * s->s3->rrec.off, - offset into 'data' for next read | |
738 | * s->s3->rrec.length, - number of bytes. */ | |
739 | rr = &(s->s3->rrec); | |
740 | ||
741 | /* get new packet if necessary */ | |
742 | if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY)) | |
743 | { | |
744 | ret=dtls1_get_record(s); | |
745 | if (ret <= 0) | |
746 | { | |
747 | ret = dtls1_read_failed(s, ret); | |
748 | /* anything other than a timeout is an error */ | |
749 | if (ret <= 0) | |
750 | return(ret); | |
751 | else | |
752 | goto start; | |
753 | } | |
754 | } | |
755 | ||
756 | /* we now have a packet which can be read and processed */ | |
757 | ||
758 | if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, | |
759 | * reset by ssl3_get_finished */ | |
760 | && (rr->type != SSL3_RT_HANDSHAKE)) | |
761 | { | |
762 | al=SSL_AD_UNEXPECTED_MESSAGE; | |
beb056b3 | 763 | SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED); |
36d16f8e BL |
764 | goto err; |
765 | } | |
766 | ||
767 | /* If the other end has shut down, throw anything we read away | |
768 | * (even in 'peek' mode) */ | |
769 | if (s->shutdown & SSL_RECEIVED_SHUTDOWN) | |
770 | { | |
771 | rr->length=0; | |
772 | s->rwstate=SSL_NOTHING; | |
773 | return(0); | |
774 | } | |
775 | ||
776 | ||
777 | if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */ | |
778 | { | |
779 | /* make sure that we are not getting application data when we | |
780 | * are doing a handshake for the first time */ | |
781 | if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) && | |
782 | (s->enc_read_ctx == NULL)) | |
783 | { | |
784 | al=SSL_AD_UNEXPECTED_MESSAGE; | |
beb056b3 | 785 | SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE); |
36d16f8e BL |
786 | goto f_err; |
787 | } | |
788 | ||
789 | if (len <= 0) return(len); | |
790 | ||
791 | if ((unsigned int)len > rr->length) | |
792 | n = rr->length; | |
793 | else | |
794 | n = (unsigned int)len; | |
795 | ||
796 | memcpy(buf,&(rr->data[rr->off]),n); | |
797 | if (!peek) | |
798 | { | |
799 | rr->length-=n; | |
800 | rr->off+=n; | |
801 | if (rr->length == 0) | |
802 | { | |
803 | s->rstate=SSL_ST_READ_HEADER; | |
804 | rr->off=0; | |
805 | } | |
806 | } | |
807 | return(n); | |
808 | } | |
809 | ||
810 | ||
811 | /* If we get here, then type != rr->type; if we have a handshake | |
812 | * message, then it was unexpected (Hello Request or Client Hello). */ | |
813 | ||
814 | /* In case of record types for which we have 'fragment' storage, | |
815 | * fill that so that we can process the data at a fixed place. | |
816 | */ | |
817 | { | |
4e321ffa | 818 | unsigned int k, dest_maxlen = 0; |
36d16f8e BL |
819 | unsigned char *dest = NULL; |
820 | unsigned int *dest_len = NULL; | |
821 | ||
822 | if (rr->type == SSL3_RT_HANDSHAKE) | |
823 | { | |
824 | dest_maxlen = sizeof s->d1->handshake_fragment; | |
825 | dest = s->d1->handshake_fragment; | |
826 | dest_len = &s->d1->handshake_fragment_len; | |
827 | } | |
828 | else if (rr->type == SSL3_RT_ALERT) | |
829 | { | |
830 | dest_maxlen = sizeof(s->d1->alert_fragment); | |
831 | dest = s->d1->alert_fragment; | |
832 | dest_len = &s->d1->alert_fragment_len; | |
833 | } | |
834 | else /* else it's a CCS message */ | |
835 | OPENSSL_assert(rr->type == SSL3_RT_CHANGE_CIPHER_SPEC); | |
836 | ||
837 | ||
838 | if (dest_maxlen > 0) | |
839 | { | |
840 | /* XDTLS: In a pathalogical case, the Client Hello | |
841 | * may be fragmented--don't always expect dest_maxlen bytes */ | |
842 | if ( rr->length < dest_maxlen) | |
843 | { | |
844 | s->rstate=SSL_ST_READ_HEADER; | |
845 | rr->length = 0; | |
846 | goto start; | |
847 | } | |
848 | ||
849 | /* now move 'n' bytes: */ | |
4e321ffa | 850 | for ( k = 0; k < dest_maxlen; k++) |
36d16f8e | 851 | { |
4e321ffa | 852 | dest[k] = rr->data[rr->off++]; |
36d16f8e BL |
853 | rr->length--; |
854 | } | |
855 | *dest_len = dest_maxlen; | |
856 | } | |
857 | } | |
858 | ||
859 | /* s->d1->handshake_fragment_len == 12 iff rr->type == SSL3_RT_HANDSHAKE; | |
860 | * s->d1->alert_fragment_len == 7 iff rr->type == SSL3_RT_ALERT. | |
861 | * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */ | |
862 | ||
863 | /* If we are a client, check for an incoming 'Hello Request': */ | |
864 | if ((!s->server) && | |
865 | (s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && | |
866 | (s->d1->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) && | |
867 | (s->session != NULL) && (s->session->cipher != NULL)) | |
868 | { | |
869 | s->d1->handshake_fragment_len = 0; | |
870 | ||
871 | if ((s->d1->handshake_fragment[1] != 0) || | |
872 | (s->d1->handshake_fragment[2] != 0) || | |
873 | (s->d1->handshake_fragment[3] != 0)) | |
874 | { | |
875 | al=SSL_AD_DECODE_ERROR; | |
beb056b3 | 876 | SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_HELLO_REQUEST); |
36d16f8e BL |
877 | goto err; |
878 | } | |
879 | ||
880 | /* no need to check sequence number on HELLO REQUEST messages */ | |
881 | ||
882 | if (s->msg_callback) | |
883 | s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, | |
884 | s->d1->handshake_fragment, 4, s, s->msg_callback_arg); | |
885 | ||
886 | if (SSL_is_init_finished(s) && | |
887 | !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && | |
888 | !s->s3->renegotiate) | |
889 | { | |
890 | ssl3_renegotiate(s); | |
891 | if (ssl3_renegotiate_check(s)) | |
892 | { | |
893 | i=s->handshake_func(s); | |
894 | if (i < 0) return(i); | |
895 | if (i == 0) | |
896 | { | |
beb056b3 | 897 | SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); |
36d16f8e BL |
898 | return(-1); |
899 | } | |
900 | ||
901 | if (!(s->mode & SSL_MODE_AUTO_RETRY)) | |
902 | { | |
903 | if (s->s3->rbuf.left == 0) /* no read-ahead left? */ | |
904 | { | |
905 | BIO *bio; | |
906 | /* In the case where we try to read application data, | |
907 | * but we trigger an SSL handshake, we return -1 with | |
908 | * the retry option set. Otherwise renegotiation may | |
909 | * cause nasty problems in the blocking world */ | |
910 | s->rwstate=SSL_READING; | |
911 | bio=SSL_get_rbio(s); | |
912 | BIO_clear_retry_flags(bio); | |
913 | BIO_set_retry_read(bio); | |
914 | return(-1); | |
915 | } | |
916 | } | |
917 | } | |
918 | } | |
919 | /* we either finished a handshake or ignored the request, | |
920 | * now try again to obtain the (application) data we were asked for */ | |
921 | goto start; | |
922 | } | |
923 | ||
924 | if (s->d1->alert_fragment_len >= DTLS1_AL_HEADER_LENGTH) | |
925 | { | |
926 | int alert_level = s->d1->alert_fragment[0]; | |
927 | int alert_descr = s->d1->alert_fragment[1]; | |
928 | ||
929 | s->d1->alert_fragment_len = 0; | |
930 | ||
931 | if (s->msg_callback) | |
932 | s->msg_callback(0, s->version, SSL3_RT_ALERT, | |
933 | s->d1->alert_fragment, 2, s, s->msg_callback_arg); | |
934 | ||
935 | if (s->info_callback != NULL) | |
936 | cb=s->info_callback; | |
937 | else if (s->ctx->info_callback != NULL) | |
938 | cb=s->ctx->info_callback; | |
939 | ||
940 | if (cb != NULL) | |
941 | { | |
942 | j = (alert_level << 8) | alert_descr; | |
943 | cb(s, SSL_CB_READ_ALERT, j); | |
944 | } | |
945 | ||
946 | if (alert_level == 1) /* warning */ | |
947 | { | |
948 | s->s3->warn_alert = alert_descr; | |
949 | if (alert_descr == SSL_AD_CLOSE_NOTIFY) | |
950 | { | |
951 | s->shutdown |= SSL_RECEIVED_SHUTDOWN; | |
952 | return(0); | |
953 | } | |
954 | #if 0 | |
955 | /* XXX: this is a possible improvement in the future */ | |
956 | /* now check if it's a missing record */ | |
957 | if (alert_descr == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) | |
958 | { | |
959 | unsigned short seq; | |
960 | unsigned int frag_off; | |
961 | unsigned char *p = &(s->d1->alert_fragment[2]); | |
962 | ||
963 | n2s(p, seq); | |
964 | n2l3(p, frag_off); | |
965 | ||
966 | dtls1_retransmit_message(s, seq, frag_off, &found); | |
967 | if ( ! found && SSL_in_init(s)) | |
968 | { | |
969 | /* fprintf( stderr,"in init = %d\n", SSL_in_init(s)); */ | |
970 | /* requested a message not yet sent, | |
971 | send an alert ourselves */ | |
972 | ssl3_send_alert(s,SSL3_AL_WARNING, | |
973 | DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); | |
974 | } | |
975 | } | |
976 | #endif | |
977 | } | |
978 | else if (alert_level == 2) /* fatal */ | |
979 | { | |
980 | char tmp[16]; | |
981 | ||
982 | s->rwstate=SSL_NOTHING; | |
983 | s->s3->fatal_alert = alert_descr; | |
beb056b3 | 984 | SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr); |
36d16f8e BL |
985 | BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr); |
986 | ERR_add_error_data(2,"SSL alert number ",tmp); | |
987 | s->shutdown|=SSL_RECEIVED_SHUTDOWN; | |
988 | SSL_CTX_remove_session(s->ctx,s->session); | |
989 | return(0); | |
990 | } | |
991 | else | |
992 | { | |
993 | al=SSL_AD_ILLEGAL_PARAMETER; | |
beb056b3 | 994 | SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE); |
36d16f8e BL |
995 | goto f_err; |
996 | } | |
997 | ||
998 | goto start; | |
999 | } | |
1000 | ||
1001 | if (s->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutdown */ | |
1002 | { | |
1003 | s->rwstate=SSL_NOTHING; | |
1004 | rr->length=0; | |
1005 | return(0); | |
1006 | } | |
1007 | ||
1008 | if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) | |
1009 | { | |
1010 | struct ccs_header_st ccs_hdr; | |
1011 | ||
1012 | dtls1_get_ccs_header(rr->data, &ccs_hdr); | |
1013 | ||
1014 | if ( ccs_hdr.seq == s->d1->handshake_read_seq) | |
1015 | { | |
1016 | /* 'Change Cipher Spec' is just a single byte, so we know | |
1017 | * exactly what the record payload has to look like */ | |
1018 | /* XDTLS: check that epoch is consistent */ | |
1019 | if ( (rr->length != DTLS1_CCS_HEADER_LENGTH) || | |
1020 | (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) | |
1021 | { | |
1022 | i=SSL_AD_ILLEGAL_PARAMETER; | |
beb056b3 | 1023 | SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC); |
36d16f8e BL |
1024 | goto err; |
1025 | } | |
1026 | ||
1027 | rr->length=0; | |
1028 | ||
1029 | if (s->msg_callback) | |
1030 | s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, | |
1031 | rr->data, 1, s, s->msg_callback_arg); | |
1032 | ||
1033 | s->s3->change_cipher_spec=1; | |
1034 | if (!ssl3_do_change_cipher_spec(s)) | |
1035 | goto err; | |
1036 | ||
1037 | /* do this whenever CCS is processed */ | |
1038 | dtls1_reset_seq_numbers(s, SSL3_CC_READ); | |
1039 | ||
1040 | /* handshake read seq is reset upon handshake completion */ | |
1041 | s->d1->handshake_read_seq++; | |
1042 | ||
1043 | goto start; | |
1044 | } | |
1045 | else | |
1046 | { | |
1047 | rr->length = 0; | |
1048 | goto start; | |
1049 | } | |
1050 | } | |
1051 | ||
1052 | /* Unexpected handshake message (Client Hello, or protocol violation) */ | |
1053 | if ((s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && | |
1054 | !s->in_handshake) | |
1055 | { | |
1056 | struct hm_header_st msg_hdr; | |
1057 | ||
1058 | /* this may just be a stale retransmit */ | |
1059 | dtls1_get_message_header(rr->data, &msg_hdr); | |
1060 | if( rr->epoch != s->d1->r_epoch) | |
1061 | { | |
1062 | rr->length = 0; | |
1063 | goto start; | |
1064 | } | |
1065 | ||
1066 | if (((s->state&SSL_ST_MASK) == SSL_ST_OK) && | |
1067 | !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) | |
1068 | { | |
1069 | #if 0 /* worked only because C operator preferences are not as expected (and | |
1070 | * because this is not really needed for clients except for detecting | |
1071 | * protocol violations): */ | |
1072 | s->state=SSL_ST_BEFORE|(s->server) | |
1073 | ?SSL_ST_ACCEPT | |
1074 | :SSL_ST_CONNECT; | |
1075 | #else | |
1076 | s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; | |
1077 | #endif | |
1078 | s->new_session=1; | |
1079 | } | |
1080 | i=s->handshake_func(s); | |
1081 | if (i < 0) return(i); | |
1082 | if (i == 0) | |
1083 | { | |
beb056b3 | 1084 | SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); |
36d16f8e BL |
1085 | return(-1); |
1086 | } | |
1087 | ||
1088 | if (!(s->mode & SSL_MODE_AUTO_RETRY)) | |
1089 | { | |
1090 | if (s->s3->rbuf.left == 0) /* no read-ahead left? */ | |
1091 | { | |
1092 | BIO *bio; | |
1093 | /* In the case where we try to read application data, | |
1094 | * but we trigger an SSL handshake, we return -1 with | |
1095 | * the retry option set. Otherwise renegotiation may | |
1096 | * cause nasty problems in the blocking world */ | |
1097 | s->rwstate=SSL_READING; | |
1098 | bio=SSL_get_rbio(s); | |
1099 | BIO_clear_retry_flags(bio); | |
1100 | BIO_set_retry_read(bio); | |
1101 | return(-1); | |
1102 | } | |
1103 | } | |
1104 | goto start; | |
1105 | } | |
1106 | ||
1107 | switch (rr->type) | |
1108 | { | |
1109 | default: | |
1110 | #ifndef OPENSSL_NO_TLS | |
1111 | /* TLS just ignores unknown message types */ | |
1112 | if (s->version == TLS1_VERSION) | |
1113 | { | |
1114 | rr->length = 0; | |
1115 | goto start; | |
1116 | } | |
1117 | #endif | |
1118 | al=SSL_AD_UNEXPECTED_MESSAGE; | |
beb056b3 | 1119 | SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD); |
36d16f8e BL |
1120 | goto f_err; |
1121 | case SSL3_RT_CHANGE_CIPHER_SPEC: | |
1122 | case SSL3_RT_ALERT: | |
1123 | case SSL3_RT_HANDSHAKE: | |
1124 | /* we already handled all of these, with the possible exception | |
1125 | * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that | |
1126 | * should not happen when type != rr->type */ | |
1127 | al=SSL_AD_UNEXPECTED_MESSAGE; | |
beb056b3 | 1128 | SSLerr(SSL_F_DTLS1_READ_BYTES,ERR_R_INTERNAL_ERROR); |
36d16f8e BL |
1129 | goto f_err; |
1130 | case SSL3_RT_APPLICATION_DATA: | |
1131 | /* At this point, we were expecting handshake data, | |
1132 | * but have application data. If the library was | |
1133 | * running inside ssl3_read() (i.e. in_read_app_data | |
1134 | * is set) and it makes sense to read application data | |
1135 | * at this point (session renegotiation not yet started), | |
1136 | * we will indulge it. | |
1137 | */ | |
1138 | if (s->s3->in_read_app_data && | |
1139 | (s->s3->total_renegotiations != 0) && | |
1140 | (( | |
1141 | (s->state & SSL_ST_CONNECT) && | |
1142 | (s->state >= SSL3_ST_CW_CLNT_HELLO_A) && | |
1143 | (s->state <= SSL3_ST_CR_SRVR_HELLO_A) | |
1144 | ) || ( | |
1145 | (s->state & SSL_ST_ACCEPT) && | |
1146 | (s->state <= SSL3_ST_SW_HELLO_REQ_A) && | |
1147 | (s->state >= SSL3_ST_SR_CLNT_HELLO_A) | |
1148 | ) | |
1149 | )) | |
1150 | { | |
1151 | s->s3->in_read_app_data=2; | |
1152 | return(-1); | |
1153 | } | |
1154 | else | |
1155 | { | |
1156 | al=SSL_AD_UNEXPECTED_MESSAGE; | |
beb056b3 | 1157 | SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD); |
36d16f8e BL |
1158 | goto f_err; |
1159 | } | |
1160 | } | |
1161 | /* not reached */ | |
1162 | ||
1163 | f_err: | |
1164 | ssl3_send_alert(s,SSL3_AL_FATAL,al); | |
1165 | err: | |
1166 | return(-1); | |
1167 | } | |
1168 | ||
1169 | int | |
1170 | dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len) | |
1171 | { | |
1172 | unsigned int n,tot; | |
1173 | int i; | |
1174 | ||
1175 | if (SSL_in_init(s) && !s->in_handshake) | |
1176 | { | |
1177 | i=s->handshake_func(s); | |
1178 | if (i < 0) return(i); | |
1179 | if (i == 0) | |
1180 | { | |
beb056b3 | 1181 | SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); |
36d16f8e BL |
1182 | return -1; |
1183 | } | |
1184 | } | |
1185 | ||
1186 | tot = s->s3->wnum; | |
1187 | n = len - tot; | |
1188 | ||
1189 | while( n) | |
1190 | { | |
1191 | /* dtls1_write_bytes sends one record at a time, sized according to | |
1192 | * the currently known MTU */ | |
1193 | i = dtls1_write_bytes(s, type, buf_, len); | |
1194 | if (i <= 0) return i; | |
1195 | ||
1196 | if ((i == (int)n) || | |
1197 | (type == SSL3_RT_APPLICATION_DATA && | |
1198 | (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) | |
1199 | { | |
1200 | /* next chunk of data should get another prepended empty fragment | |
1201 | * in ciphersuites with known-IV weakness: */ | |
1202 | s->s3->empty_fragment_done = 0; | |
1203 | return tot+i; | |
1204 | } | |
1205 | ||
1206 | tot += i; | |
1207 | n-=i; | |
1208 | } | |
1209 | ||
1210 | return tot; | |
1211 | } | |
1212 | ||
1213 | ||
1214 | /* this only happens when a client hello is received and a handshake | |
1215 | * is started. */ | |
1216 | static int | |
1217 | have_handshake_fragment(SSL *s, int type, unsigned char *buf, | |
1218 | int len, int peek) | |
1219 | { | |
1220 | ||
1221 | if ((type == SSL3_RT_HANDSHAKE) && (s->d1->handshake_fragment_len > 0)) | |
1222 | /* (partially) satisfy request from storage */ | |
1223 | { | |
1224 | unsigned char *src = s->d1->handshake_fragment; | |
1225 | unsigned char *dst = buf; | |
1226 | unsigned int k,n; | |
1227 | ||
1228 | /* peek == 0 */ | |
1229 | n = 0; | |
1230 | while ((len > 0) && (s->d1->handshake_fragment_len > 0)) | |
1231 | { | |
1232 | *dst++ = *src++; | |
1233 | len--; s->d1->handshake_fragment_len--; | |
1234 | n++; | |
1235 | } | |
1236 | /* move any remaining fragment bytes: */ | |
1237 | for (k = 0; k < s->d1->handshake_fragment_len; k++) | |
1238 | s->d1->handshake_fragment[k] = *src++; | |
1239 | return n; | |
1240 | } | |
1241 | ||
1242 | return 0; | |
1243 | } | |
1244 | ||
1245 | ||
1246 | ||
1247 | ||
1248 | /* Call this to write data in records of type 'type' | |
1249 | * It will return <= 0 if not all data has been sent or non-blocking IO. | |
1250 | */ | |
1251 | int dtls1_write_bytes(SSL *s, int type, const void *buf_, int len) | |
1252 | { | |
1253 | const unsigned char *buf=buf_; | |
1254 | unsigned int tot,n,nw; | |
1255 | int i; | |
1256 | unsigned int mtu; | |
1257 | ||
1258 | s->rwstate=SSL_NOTHING; | |
1259 | tot=s->s3->wnum; | |
1260 | ||
1261 | n=(len-tot); | |
1262 | ||
1263 | /* handshake layer figures out MTU for itself, but data records | |
1264 | * are also sent through this interface, so need to figure out MTU */ | |
1265 | #if 0 | |
1266 | mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_MTU, 0, NULL); | |
1267 | mtu += DTLS1_HM_HEADER_LENGTH; /* HM already inserted */ | |
1268 | #endif | |
1269 | mtu = s->d1->mtu; | |
1270 | ||
1271 | if (mtu > SSL3_RT_MAX_PLAIN_LENGTH) | |
1272 | mtu = SSL3_RT_MAX_PLAIN_LENGTH; | |
1273 | ||
1274 | if (n > mtu) | |
1275 | nw=mtu; | |
1276 | else | |
1277 | nw=n; | |
1278 | ||
1279 | i=do_dtls1_write(s, type, &(buf[tot]), nw, 0); | |
1280 | if (i <= 0) | |
1281 | { | |
1282 | s->s3->wnum=tot; | |
1283 | return i; | |
1284 | } | |
1285 | ||
6c61726b | 1286 | if ( (int)s->s3->wnum + i == len) |
36d16f8e BL |
1287 | s->s3->wnum = 0; |
1288 | else | |
1289 | s->s3->wnum += i; | |
1290 | ||
1291 | return tot + i; | |
1292 | } | |
1293 | ||
beb056b3 | 1294 | int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, int create_empty_fragment) |
36d16f8e BL |
1295 | { |
1296 | unsigned char *p,*pseq; | |
1297 | int i,mac_size,clear=0; | |
1298 | int prefix_len = 0; | |
1299 | SSL3_RECORD *wr; | |
1300 | SSL3_BUFFER *wb; | |
1301 | SSL_SESSION *sess; | |
1302 | int bs; | |
1303 | ||
1304 | /* first check if there is a SSL3_BUFFER still being written | |
1305 | * out. This will happen with non blocking IO */ | |
1306 | if (s->s3->wbuf.left != 0) | |
1307 | { | |
1308 | OPENSSL_assert(0); /* XDTLS: want to see if we ever get here */ | |
1309 | return(ssl3_write_pending(s,type,buf,len)); | |
1310 | } | |
1311 | ||
1312 | /* If we have an alert to send, lets send it */ | |
1313 | if (s->s3->alert_dispatch) | |
1314 | { | |
1315 | i=s->method->ssl_dispatch_alert(s); | |
1316 | if (i <= 0) | |
1317 | return(i); | |
1318 | /* if it went, fall through and send more stuff */ | |
1319 | } | |
1320 | ||
1321 | if (len == 0 && !create_empty_fragment) | |
1322 | return 0; | |
1323 | ||
1324 | wr= &(s->s3->wrec); | |
1325 | wb= &(s->s3->wbuf); | |
1326 | sess=s->session; | |
1327 | ||
1328 | if ( (sess == NULL) || | |
1329 | (s->enc_write_ctx == NULL) || | |
1330 | (s->write_hash == NULL)) | |
1331 | clear=1; | |
1332 | ||
1333 | if (clear) | |
1334 | mac_size=0; | |
1335 | else | |
1336 | mac_size=EVP_MD_size(s->write_hash); | |
1337 | ||
1338 | /* DTLS implements explicit IV, so no need for empty fragments */ | |
1339 | #if 0 | |
1340 | /* 'create_empty_fragment' is true only when this function calls itself */ | |
1341 | if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done | |
1342 | && SSL_version(s) != DTLS1_VERSION) | |
1343 | { | |
1344 | /* countermeasure against known-IV weakness in CBC ciphersuites | |
1345 | * (see http://www.openssl.org/~bodo/tls-cbc.txt) | |
1346 | */ | |
1347 | ||
1348 | if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA) | |
1349 | { | |
1350 | /* recursive function call with 'create_empty_fragment' set; | |
1351 | * this prepares and buffers the data for an empty fragment | |
1352 | * (these 'prefix_len' bytes are sent out later | |
1353 | * together with the actual payload) */ | |
1354 | prefix_len = s->method->do_ssl_write(s, type, buf, 0, 1); | |
1355 | if (prefix_len <= 0) | |
1356 | goto err; | |
1357 | ||
1358 | if (s->s3->wbuf.len < (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE) | |
1359 | { | |
1360 | /* insufficient space */ | |
beb056b3 | 1361 | SSLerr(SSL_F_DO_DTLS1_WRITE, ERR_R_INTERNAL_ERROR); |
36d16f8e BL |
1362 | goto err; |
1363 | } | |
1364 | } | |
1365 | ||
1366 | s->s3->empty_fragment_done = 1; | |
1367 | } | |
1368 | #endif | |
1369 | ||
1370 | p = wb->buf + prefix_len; | |
1371 | ||
1372 | /* write the header */ | |
1373 | ||
1374 | *(p++)=type&0xff; | |
1375 | wr->type=type; | |
1376 | ||
1377 | *(p++)=(s->version>>8); | |
1378 | *(p++)=s->version&0xff; | |
1379 | ||
1380 | /* field where we are to write out packet epoch, seq num and len */ | |
1381 | pseq=p; | |
1382 | p+=10; | |
1383 | ||
1384 | /* lets setup the record stuff. */ | |
1385 | ||
1386 | /* Make space for the explicit IV in case of CBC. | |
1387 | * (this is a bit of a boundary violation, but what the heck). | |
1388 | */ | |
1389 | if ( s->enc_write_ctx && | |
1390 | (EVP_CIPHER_mode( s->enc_write_ctx->cipher ) & EVP_CIPH_CBC_MODE)) | |
1391 | bs = EVP_CIPHER_block_size(s->enc_write_ctx->cipher); | |
1392 | else | |
1393 | bs = 0; | |
1394 | ||
1395 | wr->data=p + bs; /* make room for IV in case of CBC */ | |
1396 | wr->length=(int)len; | |
1397 | wr->input=(unsigned char *)buf; | |
1398 | ||
1399 | /* we now 'read' from wr->input, wr->length bytes into | |
1400 | * wr->data */ | |
1401 | ||
1402 | /* first we compress */ | |
1403 | if (s->compress != NULL) | |
1404 | { | |
1405 | if (!ssl3_do_compress(s)) | |
1406 | { | |
beb056b3 | 1407 | SSLerr(SSL_F_DO_DTLS1_WRITE,SSL_R_COMPRESSION_FAILURE); |
36d16f8e BL |
1408 | goto err; |
1409 | } | |
1410 | } | |
1411 | else | |
1412 | { | |
1413 | memcpy(wr->data,wr->input,wr->length); | |
1414 | wr->input=wr->data; | |
1415 | } | |
1416 | ||
1417 | /* we should still have the output to wr->data and the input | |
1418 | * from wr->input. Length should be wr->length. | |
1419 | * wr->data still points in the wb->buf */ | |
1420 | ||
1421 | if (mac_size != 0) | |
1422 | { | |
1423 | s->method->ssl3_enc->mac(s,&(p[wr->length + bs]),1); | |
1424 | wr->length+=mac_size; | |
1425 | } | |
1426 | ||
1427 | /* this is true regardless of mac size */ | |
1428 | wr->input=p; | |
1429 | wr->data=p; | |
1430 | ||
1431 | ||
1432 | /* ssl3_enc can only have an error on read */ | |
1433 | wr->length += bs; /* bs != 0 in case of CBC. The enc fn provides | |
1434 | * the randomness */ | |
1435 | s->method->ssl3_enc->enc(s,1); | |
1436 | ||
1437 | /* record length after mac and block padding */ | |
1438 | /* if (type == SSL3_RT_APPLICATION_DATA || | |
1439 | (type == SSL3_RT_ALERT && ! SSL_in_init(s))) */ | |
1440 | ||
1441 | /* there's only one epoch between handshake and app data */ | |
1442 | ||
1443 | s2n(s->d1->w_epoch, pseq); | |
1444 | ||
1445 | /* XDTLS: ?? */ | |
1446 | /* else | |
1447 | s2n(s->d1->handshake_epoch, pseq); */ | |
1448 | ||
188b0579 RL |
1449 | memcpy(pseq, &(s->s3->write_sequence[2]), 6); |
1450 | pseq+=6; | |
36d16f8e BL |
1451 | s2n(wr->length,pseq); |
1452 | ||
1453 | /* we should now have | |
1454 | * wr->data pointing to the encrypted data, which is | |
1455 | * wr->length long */ | |
1456 | wr->type=type; /* not needed but helps for debugging */ | |
1457 | wr->length+=DTLS1_RT_HEADER_LENGTH; | |
1458 | ||
1459 | #if 0 /* this is now done at the message layer */ | |
1460 | /* buffer the record, making it easy to handle retransmits */ | |
1461 | if ( type == SSL3_RT_HANDSHAKE || type == SSL3_RT_CHANGE_CIPHER_SPEC) | |
1462 | dtls1_buffer_record(s, wr->data, wr->length, | |
188b0579 | 1463 | *((PQ_64BIT *)&(s->s3->write_sequence[0]))); |
36d16f8e BL |
1464 | #endif |
1465 | ||
1466 | ssl3_record_sequence_update(&(s->s3->write_sequence[0])); | |
1467 | ||
1468 | if (create_empty_fragment) | |
1469 | { | |
1470 | /* we are in a recursive call; | |
1471 | * just return the length, don't write out anything here | |
1472 | */ | |
1473 | return wr->length; | |
1474 | } | |
1475 | ||
1476 | /* now let's set up wb */ | |
1477 | wb->left = prefix_len + wr->length; | |
1478 | wb->offset = 0; | |
1479 | ||
1480 | /* memorize arguments so that ssl3_write_pending can detect bad write retries later */ | |
1481 | s->s3->wpend_tot=len; | |
1482 | s->s3->wpend_buf=buf; | |
1483 | s->s3->wpend_type=type; | |
1484 | s->s3->wpend_ret=len; | |
1485 | ||
1486 | /* we now just need to write the buffer */ | |
1487 | return ssl3_write_pending(s,type,buf,len); | |
1488 | err: | |
1489 | return -1; | |
1490 | } | |
1491 | ||
1492 | ||
1493 | ||
50ec3951 | 1494 | static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap) |
36d16f8e | 1495 | { |
dffdb56b AP |
1496 | int cmp; |
1497 | unsigned int shift; | |
1498 | const unsigned char *seq = s->s3->read_sequence; | |
36d16f8e | 1499 | |
dffdb56b AP |
1500 | cmp = satsub64be(seq,bitmap->max_seq_num); |
1501 | if (cmp > 0) | |
188b0579 | 1502 | { |
50ec3951 | 1503 | memcpy (s->s3->rrec.seq_num,seq,8); |
dffdb56b | 1504 | return 1; /* this record in new */ |
188b0579 | 1505 | } |
dffdb56b AP |
1506 | shift = -cmp; |
1507 | if (shift >= sizeof(bitmap->map)*8) | |
1508 | return 0; /* stale, outside the window */ | |
1509 | else if (bitmap->map & (1UL<<shift)) | |
36d16f8e | 1510 | return 0; /* record previously received */ |
dffdb56b | 1511 | |
50ec3951 | 1512 | memcpy (s->s3->rrec.seq_num,seq,8); |
36d16f8e BL |
1513 | return 1; |
1514 | } | |
1515 | ||
1516 | ||
1517 | static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap) | |
1518 | { | |
dffdb56b | 1519 | int cmp; |
36d16f8e | 1520 | unsigned int shift; |
dffdb56b | 1521 | const unsigned char *seq = s->s3->read_sequence; |
36d16f8e | 1522 | |
dffdb56b AP |
1523 | cmp = satsub64be(seq,bitmap->max_seq_num); |
1524 | if (cmp > 0) | |
36d16f8e | 1525 | { |
dffdb56b AP |
1526 | shift = cmp; |
1527 | if (shift < sizeof(bitmap->map)*8) | |
1528 | bitmap->map <<= shift, bitmap->map |= 1UL; | |
1529 | else | |
1530 | bitmap->map = 1UL; | |
1531 | memcpy(bitmap->max_seq_num,seq,8); | |
36d16f8e | 1532 | } |
dffdb56b AP |
1533 | else { |
1534 | shift = -cmp; | |
1535 | if (shift < sizeof(bitmap->map)*8) | |
1536 | bitmap->map |= 1UL<<shift; | |
36d16f8e BL |
1537 | } |
1538 | } | |
1539 | ||
1540 | ||
1541 | int dtls1_dispatch_alert(SSL *s) | |
1542 | { | |
1543 | int i,j; | |
1544 | void (*cb)(const SSL *ssl,int type,int val)=NULL; | |
4e321ffa DSH |
1545 | unsigned char buf[2 + 2 + 3]; /* alert level + alert desc + message seq +frag_off */ |
1546 | unsigned char *ptr = &buf[0]; | |
36d16f8e BL |
1547 | |
1548 | s->s3->alert_dispatch=0; | |
1549 | ||
1550 | memset(buf, 0x00, sizeof(buf)); | |
1551 | *ptr++ = s->s3->send_alert[0]; | |
1552 | *ptr++ = s->s3->send_alert[1]; | |
1553 | ||
1554 | if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) | |
1555 | { | |
1556 | s2n(s->d1->handshake_read_seq, ptr); | |
1557 | #if 0 | |
1558 | if ( s->d1->r_msg_hdr.frag_off == 0) /* waiting for a new msg */ | |
1559 | ||
1560 | else | |
1561 | s2n(s->d1->r_msg_hdr.seq, ptr); /* partial msg read */ | |
1562 | #endif | |
1563 | ||
1564 | #if 0 | |
1565 | fprintf(stderr, "s->d1->handshake_read_seq = %d, s->d1->r_msg_hdr.seq = %d\n",s->d1->handshake_read_seq,s->d1->r_msg_hdr.seq); | |
1566 | #endif | |
1567 | l2n3(s->d1->r_msg_hdr.frag_off, ptr); | |
1568 | } | |
1569 | ||
1570 | i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0); | |
1571 | if (i <= 0) | |
1572 | { | |
1573 | s->s3->alert_dispatch=1; | |
1574 | /* fprintf( stderr, "not done with alert\n" ); */ | |
1575 | } | |
1576 | else | |
1577 | { | |
1578 | if ( s->s3->send_alert[0] == SSL3_AL_FATAL || | |
1579 | s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) | |
1580 | (void)BIO_flush(s->wbio); | |
1581 | ||
1582 | if (s->msg_callback) | |
1583 | s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, | |
1584 | 2, s, s->msg_callback_arg); | |
1585 | ||
1586 | if (s->info_callback != NULL) | |
1587 | cb=s->info_callback; | |
1588 | else if (s->ctx->info_callback != NULL) | |
1589 | cb=s->ctx->info_callback; | |
1590 | ||
1591 | if (cb != NULL) | |
1592 | { | |
1593 | j=(s->s3->send_alert[0]<<8)|s->s3->send_alert[1]; | |
1594 | cb(s,SSL_CB_WRITE_ALERT,j); | |
1595 | } | |
1596 | } | |
1597 | return(i); | |
1598 | } | |
1599 | ||
1600 | ||
1601 | static DTLS1_BITMAP * | |
1602 | dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch) | |
1603 | { | |
1604 | ||
1605 | *is_next_epoch = 0; | |
1606 | ||
1607 | /* In current epoch, accept HM, CCS, DATA, & ALERT */ | |
1608 | if (rr->epoch == s->d1->r_epoch) | |
1609 | return &s->d1->bitmap; | |
1610 | ||
1611 | /* Only HM and ALERT messages can be from the next epoch */ | |
6c61726b | 1612 | else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) && |
36d16f8e BL |
1613 | (rr->type == SSL3_RT_HANDSHAKE || |
1614 | rr->type == SSL3_RT_ALERT)) | |
1615 | { | |
1616 | *is_next_epoch = 1; | |
1617 | return &s->d1->next_bitmap; | |
1618 | } | |
1619 | ||
1620 | return NULL; | |
1621 | } | |
1622 | ||
1623 | #if 0 | |
1624 | static int | |
1625 | dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr, unsigned short *priority, | |
1626 | unsigned long *offset) | |
1627 | { | |
1628 | ||
1629 | /* alerts are passed up immediately */ | |
1630 | if ( rr->type == SSL3_RT_APPLICATION_DATA || | |
1631 | rr->type == SSL3_RT_ALERT) | |
1632 | return 0; | |
1633 | ||
1634 | /* Only need to buffer if a handshake is underway. | |
1635 | * (this implies that Hello Request and Client Hello are passed up | |
1636 | * immediately) */ | |
1637 | if ( SSL_in_init(s)) | |
1638 | { | |
1639 | unsigned char *data = rr->data; | |
1640 | /* need to extract the HM/CCS sequence number here */ | |
1641 | if ( rr->type == SSL3_RT_HANDSHAKE || | |
1642 | rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) | |
1643 | { | |
1644 | unsigned short seq_num; | |
1645 | struct hm_header_st msg_hdr; | |
1646 | struct ccs_header_st ccs_hdr; | |
1647 | ||
1648 | if ( rr->type == SSL3_RT_HANDSHAKE) | |
1649 | { | |
1650 | dtls1_get_message_header(data, &msg_hdr); | |
1651 | seq_num = msg_hdr.seq; | |
1652 | *offset = msg_hdr.frag_off; | |
1653 | } | |
1654 | else | |
1655 | { | |
1656 | dtls1_get_ccs_header(data, &ccs_hdr); | |
1657 | seq_num = ccs_hdr.seq; | |
1658 | *offset = 0; | |
1659 | } | |
1660 | ||
1661 | /* this is either a record we're waiting for, or a | |
1662 | * retransmit of something we happened to previously | |
1663 | * receive (higher layers will drop the repeat silently */ | |
1664 | if ( seq_num < s->d1->handshake_read_seq) | |
1665 | return 0; | |
1666 | if (rr->type == SSL3_RT_HANDSHAKE && | |
1667 | seq_num == s->d1->handshake_read_seq && | |
1668 | msg_hdr.frag_off < s->d1->r_msg_hdr.frag_off) | |
1669 | return 0; | |
1670 | else if ( seq_num == s->d1->handshake_read_seq && | |
1671 | (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC || | |
1672 | msg_hdr.frag_off == s->d1->r_msg_hdr.frag_off)) | |
1673 | return 0; | |
1674 | else | |
1675 | { | |
1676 | *priority = seq_num; | |
1677 | return 1; | |
1678 | } | |
1679 | } | |
1680 | else /* unknown record type */ | |
1681 | return 0; | |
1682 | } | |
1683 | ||
1684 | return 0; | |
1685 | } | |
1686 | #endif | |
1687 | ||
1688 | void | |
1689 | dtls1_reset_seq_numbers(SSL *s, int rw) | |
1690 | { | |
1691 | unsigned char *seq; | |
1692 | unsigned int seq_bytes = sizeof(s->s3->read_sequence); | |
1693 | ||
1694 | if ( rw & SSL3_CC_READ) | |
1695 | { | |
1696 | seq = s->s3->read_sequence; | |
1697 | s->d1->r_epoch++; | |
dffdb56b | 1698 | memcpy(&(s->d1->bitmap), &(s->d1->next_bitmap), sizeof(DTLS1_BITMAP)); |
36d16f8e BL |
1699 | memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP)); |
1700 | } | |
1701 | else | |
1702 | { | |
1703 | seq = s->s3->write_sequence; | |
1704 | s->d1->w_epoch++; | |
1705 | } | |
1706 | ||
1707 | memset(seq, 0x00, seq_bytes); | |
1708 | } | |
1709 | ||
36d16f8e BL |
1710 | |
1711 | static void | |
1712 | dtls1_clear_timeouts(SSL *s) | |
1713 | { | |
1714 | memset(&(s->d1->timeout), 0x00, sizeof(struct dtls1_timeout_st)); | |
1715 | } |