]>
Commit | Line | Data |
---|---|---|
36d16f8e | 1 | /* ssl/d1_pkt.c */ |
0f113f3e | 2 | /* |
36d16f8e | 3 | * DTLS implementation written by Nagendra Modadugu |
0f113f3e | 4 | * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. |
36d16f8e BL |
5 | */ |
6 | /* ==================================================================== | |
7 | * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. | |
8 | * | |
9 | * Redistribution and use in source and binary forms, with or without | |
10 | * modification, are permitted provided that the following conditions | |
11 | * are met: | |
12 | * | |
13 | * 1. Redistributions of source code must retain the above copyright | |
0f113f3e | 14 | * notice, this list of conditions and the following disclaimer. |
36d16f8e BL |
15 | * |
16 | * 2. Redistributions in binary form must reproduce the above copyright | |
17 | * notice, this list of conditions and the following disclaimer in | |
18 | * the documentation and/or other materials provided with the | |
19 | * distribution. | |
20 | * | |
21 | * 3. All advertising materials mentioning features or use of this | |
22 | * software must display the following acknowledgment: | |
23 | * "This product includes software developed by the OpenSSL Project | |
24 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | |
25 | * | |
26 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
27 | * endorse or promote products derived from this software without | |
28 | * prior written permission. For written permission, please contact | |
29 | * openssl-core@openssl.org. | |
30 | * | |
31 | * 5. Products derived from this software may not be called "OpenSSL" | |
32 | * nor may "OpenSSL" appear in their names without prior written | |
33 | * permission of the OpenSSL Project. | |
34 | * | |
35 | * 6. Redistributions of any form whatsoever must retain the following | |
36 | * acknowledgment: | |
37 | * "This product includes software developed by the OpenSSL Project | |
38 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | |
39 | * | |
40 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
41 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
42 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
43 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
44 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
45 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
46 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
47 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
49 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
50 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
51 | * OF THE POSSIBILITY OF SUCH DAMAGE. | |
52 | * ==================================================================== | |
53 | * | |
54 | * This product includes cryptographic software written by Eric Young | |
55 | * (eay@cryptsoft.com). This product includes software written by Tim | |
56 | * Hudson (tjh@cryptsoft.com). | |
57 | * | |
58 | */ | |
59 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | |
60 | * All rights reserved. | |
61 | * | |
62 | * This package is an SSL implementation written | |
63 | * by Eric Young (eay@cryptsoft.com). | |
64 | * The implementation was written so as to conform with Netscapes SSL. | |
0f113f3e | 65 | * |
36d16f8e BL |
66 | * This library is free for commercial and non-commercial use as long as |
67 | * the following conditions are aheared to. The following conditions | |
68 | * apply to all code found in this distribution, be it the RC4, RSA, | |
69 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation | |
70 | * included with this distribution is covered by the same copyright terms | |
71 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). | |
0f113f3e | 72 | * |
36d16f8e BL |
73 | * Copyright remains Eric Young's, and as such any Copyright notices in |
74 | * the code are not to be removed. | |
75 | * If this package is used in a product, Eric Young should be given attribution | |
76 | * as the author of the parts of the library used. | |
77 | * This can be in the form of a textual message at program startup or | |
78 | * in documentation (online or textual) provided with the package. | |
0f113f3e | 79 | * |
36d16f8e BL |
80 | * Redistribution and use in source and binary forms, with or without |
81 | * modification, are permitted provided that the following conditions | |
82 | * are met: | |
83 | * 1. Redistributions of source code must retain the copyright | |
84 | * notice, this list of conditions and the following disclaimer. | |
85 | * 2. Redistributions in binary form must reproduce the above copyright | |
86 | * notice, this list of conditions and the following disclaimer in the | |
87 | * documentation and/or other materials provided with the distribution. | |
88 | * 3. All advertising materials mentioning features or use of this software | |
89 | * must display the following acknowledgement: | |
90 | * "This product includes cryptographic software written by | |
91 | * Eric Young (eay@cryptsoft.com)" | |
92 | * The word 'cryptographic' can be left out if the rouines from the library | |
93 | * being used are not cryptographic related :-). | |
0f113f3e | 94 | * 4. If you include any Windows specific code (or a derivative thereof) from |
36d16f8e BL |
95 | * the apps directory (application code) you must include an acknowledgement: |
96 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | |
0f113f3e | 97 | * |
36d16f8e BL |
98 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
99 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
100 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
101 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
102 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
103 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
104 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
105 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
106 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
107 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
108 | * SUCH DAMAGE. | |
0f113f3e | 109 | * |
36d16f8e BL |
110 | * The licence and distribution terms for any publically available version or |
111 | * derivative of this code cannot be changed. i.e. this code cannot simply be | |
112 | * copied and put under another distribution licence | |
113 | * [including the GNU Public Licence.] | |
114 | */ | |
115 | ||
116 | #include <stdio.h> | |
117 | #include <errno.h> | |
118 | #define USE_SOCKETS | |
119 | #include "ssl_locl.h" | |
120 | #include <openssl/evp.h> | |
121 | #include <openssl/buffer.h> | |
122 | #include <openssl/pqueue.h> | |
d527834a | 123 | #include <openssl/rand.h> |
36d16f8e | 124 | |
50ec3951 | 125 | /* mod 128 saturating subtract of two 64-bit values in big-endian order */ |
0f113f3e MC |
126 | static int satsub64be(const unsigned char *v1, const unsigned char *v2) |
127 | { | |
128 | int ret, sat, brw, i; | |
129 | ||
130 | if (sizeof(long) == 8) | |
131 | do { | |
132 | const union { | |
133 | long one; | |
134 | char little; | |
135 | } is_endian = { | |
136 | 1 | |
137 | }; | |
138 | long l; | |
139 | ||
140 | if (is_endian.little) | |
141 | break; | |
142 | /* not reached on little-endians */ | |
143 | /* | |
144 | * following test is redundant, because input is always aligned, | |
145 | * but I take no chances... | |
146 | */ | |
147 | if (((size_t)v1 | (size_t)v2) & 0x7) | |
148 | break; | |
149 | ||
150 | l = *((long *)v1); | |
151 | l -= *((long *)v2); | |
152 | if (l > 128) | |
153 | return 128; | |
154 | else if (l < -128) | |
155 | return -128; | |
156 | else | |
157 | return (int)l; | |
158 | } while (0); | |
159 | ||
160 | ret = (int)v1[7] - (int)v2[7]; | |
161 | sat = 0; | |
162 | brw = ret >> 8; /* brw is either 0 or -1 */ | |
163 | if (ret & 0x80) { | |
164 | for (i = 6; i >= 0; i--) { | |
165 | brw += (int)v1[i] - (int)v2[i]; | |
166 | sat |= ~brw; | |
167 | brw >>= 8; | |
168 | } | |
169 | } else { | |
170 | for (i = 6; i >= 0; i--) { | |
171 | brw += (int)v1[i] - (int)v2[i]; | |
172 | sat |= brw; | |
173 | brw >>= 8; | |
174 | } | |
175 | } | |
176 | brw <<= 8; /* brw is either 0 or -256 */ | |
177 | ||
178 | if (sat & 0xff) | |
179 | return brw | 0x80; | |
180 | else | |
181 | return brw + (ret & 0xFF); | |
50ec3951 | 182 | } |
dffdb56b | 183 | |
0f113f3e MC |
184 | static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, |
185 | int len, int peek); | |
50ec3951 | 186 | static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap); |
36d16f8e | 187 | static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap); |
0f113f3e MC |
188 | static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, |
189 | unsigned int *is_next_epoch); | |
36d16f8e | 190 | static int dtls1_buffer_record(SSL *s, record_pqueue *q, |
0f113f3e | 191 | unsigned char *priority); |
36d16f8e | 192 | static int dtls1_process_record(SSL *s); |
36d16f8e | 193 | |
36d16f8e | 194 | /* copy buffered record into SSL structure */ |
0f113f3e MC |
195 | static int dtls1_copy_record(SSL *s, pitem *item) |
196 | { | |
36d16f8e BL |
197 | DTLS1_RECORD_DATA *rdata; |
198 | ||
199 | rdata = (DTLS1_RECORD_DATA *)item->data; | |
0f113f3e | 200 | |
28d59af8 | 201 | SSL3_BUFFER_release(RECORD_LAYER_get_rbuf(&s->rlayer)); |
0f113f3e | 202 | |
36d16f8e BL |
203 | s->packet = rdata->packet; |
204 | s->packet_length = rdata->packet_length; | |
28d59af8 MC |
205 | memcpy(RECORD_LAYER_get_rbuf(&s->rlayer), &(rdata->rbuf), |
206 | sizeof(SSL3_BUFFER)); | |
36d16f8e | 207 | memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD)); |
36d16f8e | 208 | |
0f113f3e MC |
209 | /* Set proper sequence number for mac calculation */ |
210 | memcpy(&(s->s3->read_sequence[2]), &(rdata->packet[5]), 6); | |
211 | ||
212 | return (1); | |
213 | } | |
36d16f8e BL |
214 | |
215 | static int | |
dffdb56b | 216 | dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) |
0f113f3e MC |
217 | { |
218 | DTLS1_RECORD_DATA *rdata; | |
219 | pitem *item; | |
220 | ||
221 | /* Limit the size of the queue to prevent DOS attacks */ | |
222 | if (pqueue_size(queue->q) >= 100) | |
223 | return 0; | |
224 | ||
225 | rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); | |
226 | item = pitem_new(priority, rdata); | |
227 | if (rdata == NULL || item == NULL) { | |
228 | if (rdata != NULL) | |
229 | OPENSSL_free(rdata); | |
230 | if (item != NULL) | |
231 | pitem_free(item); | |
232 | ||
233 | SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); | |
06c6a2b4 | 234 | return -1; |
0f113f3e MC |
235 | } |
236 | ||
237 | rdata->packet = s->packet; | |
238 | rdata->packet_length = s->packet_length; | |
28d59af8 MC |
239 | memcpy(&(rdata->rbuf), RECORD_LAYER_get_rbuf(&s->rlayer), |
240 | sizeof(SSL3_BUFFER)); | |
0f113f3e MC |
241 | memcpy(&(rdata->rrec), &(s->s3->rrec), sizeof(SSL3_RECORD)); |
242 | ||
243 | item->data = rdata; | |
36d16f8e | 244 | |
7e159e01 | 245 | #ifndef OPENSSL_NO_SCTP |
0f113f3e MC |
246 | /* Store bio_dgram_sctp_rcvinfo struct */ |
247 | if (BIO_dgram_is_sctp(SSL_get_rbio(s)) && | |
248 | (s->state == SSL3_ST_SR_FINISHED_A | |
249 | || s->state == SSL3_ST_CR_FINISHED_A)) { | |
250 | BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SCTP_GET_RCVINFO, | |
251 | sizeof(rdata->recordinfo), &rdata->recordinfo); | |
252 | } | |
7e159e01 DSH |
253 | #endif |
254 | ||
0f113f3e MC |
255 | s->packet = NULL; |
256 | s->packet_length = 0; | |
28d59af8 | 257 | memset(RECORD_LAYER_get_rbuf(&s->rlayer), 0, sizeof(SSL3_BUFFER)); |
0f113f3e MC |
258 | memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD)); |
259 | ||
260 | if (!ssl3_setup_buffers(s)) { | |
261 | SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); | |
262 | if (rdata->rbuf.buf != NULL) | |
263 | OPENSSL_free(rdata->rbuf.buf); | |
264 | OPENSSL_free(rdata); | |
265 | pitem_free(item); | |
266 | return (-1); | |
267 | } | |
36d16f8e | 268 | |
0f113f3e MC |
269 | /* insert should not fail, since duplicates are dropped */ |
270 | if (pqueue_insert(queue->q, item) == NULL) { | |
271 | SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); | |
272 | if (rdata->rbuf.buf != NULL) | |
273 | OPENSSL_free(rdata->rbuf.buf); | |
274 | OPENSSL_free(rdata); | |
275 | pitem_free(item); | |
276 | return (-1); | |
277 | } | |
36d16f8e | 278 | |
0f113f3e MC |
279 | return (1); |
280 | } | |
281 | ||
282 | static int dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) | |
283 | { | |
36d16f8e BL |
284 | pitem *item; |
285 | ||
286 | item = pqueue_pop(queue->q); | |
0f113f3e | 287 | if (item) { |
36d16f8e BL |
288 | dtls1_copy_record(s, item); |
289 | ||
290 | OPENSSL_free(item->data); | |
0f113f3e | 291 | pitem_free(item); |
36d16f8e | 292 | |
0f113f3e | 293 | return (1); |
36d16f8e BL |
294 | } |
295 | ||
0f113f3e MC |
296 | return (0); |
297 | } | |
36d16f8e | 298 | |
0f113f3e MC |
299 | /* |
300 | * retrieve a buffered record that belongs to the new epoch, i.e., not | |
301 | * processed yet | |
302 | */ | |
36d16f8e BL |
303 | #define dtls1_get_unprocessed_record(s) \ |
304 | dtls1_retrieve_buffered_record((s), \ | |
305 | &((s)->d1->unprocessed_rcds)) | |
306 | ||
0f113f3e MC |
307 | /* |
308 | * retrieve a buffered record that belongs to the current epoch, ie, | |
309 | * processed | |
310 | */ | |
36d16f8e BL |
311 | #define dtls1_get_processed_record(s) \ |
312 | dtls1_retrieve_buffered_record((s), \ | |
313 | &((s)->d1->processed_rcds)) | |
314 | ||
0f113f3e MC |
315 | static int dtls1_process_buffered_records(SSL *s) |
316 | { | |
36d16f8e | 317 | pitem *item; |
0f113f3e | 318 | |
36d16f8e | 319 | item = pqueue_peek(s->d1->unprocessed_rcds.q); |
0f113f3e | 320 | if (item) { |
36d16f8e BL |
321 | /* Check if epoch is current. */ |
322 | if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch) | |
0f113f3e MC |
323 | return (1); /* Nothing to do. */ |
324 | ||
36d16f8e | 325 | /* Process all the records. */ |
0f113f3e | 326 | while (pqueue_peek(s->d1->unprocessed_rcds.q)) { |
36d16f8e | 327 | dtls1_get_unprocessed_record(s); |
0f113f3e MC |
328 | if (!dtls1_process_record(s)) |
329 | return (0); | |
330 | if (dtls1_buffer_record(s, &(s->d1->processed_rcds), | |
331 | s->s3->rrec.seq_num) < 0) | |
103b171d | 332 | return -1; |
36d16f8e | 333 | } |
0f113f3e | 334 | } |
36d16f8e | 335 | |
0f113f3e MC |
336 | /* |
337 | * sync epoch numbers once all the unprocessed records have been | |
338 | * processed | |
339 | */ | |
36d16f8e BL |
340 | s->d1->processed_rcds.epoch = s->d1->r_epoch; |
341 | s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1; | |
342 | ||
0f113f3e MC |
343 | return (1); |
344 | } | |
36d16f8e | 345 | |
0f113f3e | 346 | static int dtls1_process_record(SSL *s) |
36d16f8e | 347 | { |
0f113f3e MC |
348 | int i, al; |
349 | int enc_err; | |
350 | SSL_SESSION *sess; | |
351 | SSL3_RECORD *rr; | |
352 | unsigned int mac_size; | |
353 | unsigned char md[EVP_MAX_MD_SIZE]; | |
354 | ||
355 | rr = &(s->s3->rrec); | |
356 | sess = s->session; | |
357 | ||
358 | /* | |
359 | * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, | |
360 | * and we have that many bytes in s->packet | |
361 | */ | |
362 | rr->input = &(s->packet[DTLS1_RT_HEADER_LENGTH]); | |
363 | ||
364 | /* | |
365 | * ok, we can now read from 's->packet' data into 'rr' rr->input points | |
366 | * at rr->length bytes, which need to be copied into rr->data by either | |
367 | * the decryption or by the decompression When the data is 'copied' into | |
368 | * the rr->data buffer, rr->input will be pointed at the new buffer | |
369 | */ | |
370 | ||
371 | /* | |
372 | * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length | |
373 | * bytes of encrypted compressed stuff. | |
374 | */ | |
375 | ||
376 | /* check is not needed I believe */ | |
377 | if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { | |
378 | al = SSL_AD_RECORD_OVERFLOW; | |
379 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); | |
380 | goto f_err; | |
381 | } | |
36d16f8e | 382 | |
0f113f3e MC |
383 | /* decrypt in place in 'rr->input' */ |
384 | rr->data = rr->input; | |
385 | rr->orig_len = rr->length; | |
386 | ||
387 | enc_err = s->method->ssl3_enc->enc(s, 0); | |
35a1cc90 MC |
388 | /*- |
389 | * enc_err is: | |
390 | * 0: (in non-constant time) if the record is publically invalid. | |
391 | * 1: if the padding is valid | |
392 | * -1: if the padding is invalid | |
393 | */ | |
0f113f3e MC |
394 | if (enc_err == 0) { |
395 | /* For DTLS we simply ignore bad packets. */ | |
396 | rr->length = 0; | |
397 | s->packet_length = 0; | |
398 | goto err; | |
399 | } | |
36d16f8e | 400 | #ifdef TLS_DEBUG |
0f113f3e MC |
401 | printf("dec %d\n", rr->length); |
402 | { | |
403 | unsigned int z; | |
404 | for (z = 0; z < rr->length; z++) | |
405 | printf("%02X%c", rr->data[z], ((z + 1) % 16) ? ' ' : '\n'); | |
406 | } | |
407 | printf("\n"); | |
36d16f8e BL |
408 | #endif |
409 | ||
0f113f3e MC |
410 | /* r->length is now the compressed data plus mac */ |
411 | if ((sess != NULL) && | |
412 | (s->enc_read_ctx != NULL) && (EVP_MD_CTX_md(s->read_hash) != NULL)) { | |
413 | /* s->read_hash != NULL => mac_size != -1 */ | |
414 | unsigned char *mac = NULL; | |
415 | unsigned char mac_tmp[EVP_MAX_MD_SIZE]; | |
416 | mac_size = EVP_MD_CTX_size(s->read_hash); | |
417 | OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); | |
418 | ||
419 | /* | |
420 | * orig_len is the length of the record before any padding was | |
421 | * removed. This is public information, as is the MAC in use, | |
422 | * therefore we can safely process the record in a different amount | |
423 | * of time if it's too short to possibly contain a MAC. | |
424 | */ | |
425 | if (rr->orig_len < mac_size || | |
426 | /* CBC records must have a padding length byte too. */ | |
427 | (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && | |
428 | rr->orig_len < mac_size + 1)) { | |
429 | al = SSL_AD_DECODE_ERROR; | |
430 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_LENGTH_TOO_SHORT); | |
431 | goto f_err; | |
432 | } | |
36d16f8e | 433 | |
0f113f3e MC |
434 | if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) { |
435 | /* | |
436 | * We update the length so that the TLS header bytes can be | |
437 | * constructed correctly but we need to extract the MAC in | |
438 | * constant time from within the record, without leaking the | |
439 | * contents of the padding bytes. | |
440 | */ | |
441 | mac = mac_tmp; | |
442 | ssl3_cbc_copy_mac(mac_tmp, rr, mac_size); | |
443 | rr->length -= mac_size; | |
444 | } else { | |
445 | /* | |
446 | * In this case there's no padding, so |rec->orig_len| equals | |
447 | * |rec->length| and we checked that there's enough bytes for | |
448 | * |mac_size| above. | |
449 | */ | |
450 | rr->length -= mac_size; | |
451 | mac = &rr->data[rr->length]; | |
452 | } | |
453 | ||
454 | i = s->method->ssl3_enc->mac(s, md, 0 /* not send */ ); | |
455 | if (i < 0 || mac == NULL | |
456 | || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) | |
457 | enc_err = -1; | |
458 | if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size) | |
459 | enc_err = -1; | |
460 | } | |
461 | ||
462 | if (enc_err < 0) { | |
463 | /* decryption failed, silently discard message */ | |
464 | rr->length = 0; | |
465 | s->packet_length = 0; | |
466 | goto err; | |
467 | } | |
468 | ||
469 | /* r->length is now just compressed */ | |
470 | if (s->expand != NULL) { | |
471 | if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) { | |
472 | al = SSL_AD_RECORD_OVERFLOW; | |
473 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD, | |
474 | SSL_R_COMPRESSED_LENGTH_TOO_LONG); | |
475 | goto f_err; | |
476 | } | |
477 | if (!ssl3_do_uncompress(s)) { | |
478 | al = SSL_AD_DECOMPRESSION_FAILURE; | |
479 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_BAD_DECOMPRESSION); | |
480 | goto f_err; | |
481 | } | |
482 | } | |
483 | ||
484 | if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) { | |
485 | al = SSL_AD_RECORD_OVERFLOW; | |
486 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD, SSL_R_DATA_LENGTH_TOO_LONG); | |
487 | goto f_err; | |
488 | } | |
489 | ||
490 | rr->off = 0; | |
50e735f9 MC |
491 | /*- |
492 | * So at this point the following is true | |
493 | * ssl->s3->rrec.type is the type of record | |
494 | * ssl->s3->rrec.length == number of bytes in record | |
495 | * ssl->s3->rrec.off == offset to first valid byte | |
496 | * ssl->s3->rrec.data == where to take bytes from, increment | |
497 | * after use :-). | |
498 | */ | |
0f113f3e MC |
499 | |
500 | /* we have pulled in a full packet so zero things */ | |
501 | s->packet_length = 0; | |
502 | return (1); | |
503 | ||
504 | f_err: | |
505 | ssl3_send_alert(s, SSL3_AL_FATAL, al); | |
506 | err: | |
507 | return (0); | |
508 | } | |
36d16f8e | 509 | |
1d97c843 TH |
510 | /*- |
511 | * Call this to get a new input record. | |
36d16f8e BL |
512 | * It will return <= 0 if more data is needed, normally due to an error |
513 | * or non-blocking IO. | |
514 | * When it finishes, one packet has been decoded and can be found in | |
515 | * ssl->s3->rrec.type - is the type of record | |
0f113f3e | 516 | * ssl->s3->rrec.data, - data |
36d16f8e BL |
517 | * ssl->s3->rrec.length, - number of bytes |
518 | */ | |
519 | /* used only by dtls1_read_bytes */ | |
520 | int dtls1_get_record(SSL *s) | |
0f113f3e MC |
521 | { |
522 | int ssl_major, ssl_minor; | |
523 | int i, n; | |
524 | SSL3_RECORD *rr; | |
525 | unsigned char *p = NULL; | |
526 | unsigned short version; | |
527 | DTLS1_BITMAP *bitmap; | |
528 | unsigned int is_next_epoch; | |
529 | ||
530 | rr = &(s->s3->rrec); | |
531 | ||
532 | /* | |
533 | * The epoch may have changed. If so, process all the pending records. | |
534 | * This is a non-blocking operation. | |
535 | */ | |
536 | if (dtls1_process_buffered_records(s) < 0) | |
537 | return -1; | |
538 | ||
539 | /* if we're renegotiating, then there may be buffered records */ | |
540 | if (dtls1_get_processed_record(s)) | |
541 | return 1; | |
542 | ||
543 | /* get something from the wire */ | |
544 | again: | |
545 | /* check if we have the header */ | |
546 | if ((s->rstate != SSL_ST_READ_BODY) || | |
547 | (s->packet_length < DTLS1_RT_HEADER_LENGTH)) { | |
28d59af8 MC |
548 | n = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, |
549 | SSL3_BUFFER_get_len(RECORD_LAYER_get_rbuf(&s->rlayer)), 0); | |
0f113f3e MC |
550 | /* read timeout is handled by dtls1_read_bytes */ |
551 | if (n <= 0) | |
552 | return (n); /* error or non-blocking */ | |
553 | ||
554 | /* this packet contained a partial record, dump it */ | |
555 | if (s->packet_length != DTLS1_RT_HEADER_LENGTH) { | |
556 | s->packet_length = 0; | |
557 | goto again; | |
558 | } | |
559 | ||
560 | s->rstate = SSL_ST_READ_BODY; | |
561 | ||
562 | p = s->packet; | |
563 | ||
564 | if (s->msg_callback) | |
565 | s->msg_callback(0, 0, SSL3_RT_HEADER, p, DTLS1_RT_HEADER_LENGTH, | |
566 | s, s->msg_callback_arg); | |
567 | ||
568 | /* Pull apart the header into the DTLS1_RECORD */ | |
569 | rr->type = *(p++); | |
570 | ssl_major = *(p++); | |
571 | ssl_minor = *(p++); | |
572 | version = (ssl_major << 8) | ssl_minor; | |
573 | ||
574 | /* sequence number is 64 bits, with top 2 bytes = epoch */ | |
575 | n2s(p, rr->epoch); | |
576 | ||
577 | memcpy(&(s->s3->read_sequence[2]), p, 6); | |
578 | p += 6; | |
579 | ||
580 | n2s(p, rr->length); | |
581 | ||
582 | /* Lets check version */ | |
583 | if (!s->first_packet) { | |
584 | if (version != s->version) { | |
585 | /* unexpected version, silently discard */ | |
586 | rr->length = 0; | |
587 | s->packet_length = 0; | |
588 | goto again; | |
589 | } | |
590 | } | |
591 | ||
592 | if ((version & 0xff00) != (s->version & 0xff00)) { | |
593 | /* wrong version, silently discard record */ | |
594 | rr->length = 0; | |
595 | s->packet_length = 0; | |
596 | goto again; | |
597 | } | |
598 | ||
599 | if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { | |
600 | /* record too long, silently discard it */ | |
601 | rr->length = 0; | |
602 | s->packet_length = 0; | |
603 | goto again; | |
604 | } | |
605 | ||
606 | /* now s->rstate == SSL_ST_READ_BODY */ | |
607 | } | |
608 | ||
609 | /* s->rstate == SSL_ST_READ_BODY, get and decode the data */ | |
610 | ||
611 | if (rr->length > s->packet_length - DTLS1_RT_HEADER_LENGTH) { | |
612 | /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */ | |
613 | i = rr->length; | |
614 | n = ssl3_read_n(s, i, i, 1); | |
615 | /* this packet contained a partial record, dump it */ | |
616 | if (n != i) { | |
617 | rr->length = 0; | |
618 | s->packet_length = 0; | |
619 | goto again; | |
620 | } | |
36d16f8e | 621 | |
0f113f3e MC |
622 | /* |
623 | * now n == rr->length, and s->packet_length == | |
624 | * DTLS1_RT_HEADER_LENGTH + rr->length | |
625 | */ | |
626 | } | |
627 | s->rstate = SSL_ST_READ_HEADER; /* set state for later operations */ | |
628 | ||
629 | /* match epochs. NULL means the packet is dropped on the floor */ | |
630 | bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); | |
631 | if (bitmap == NULL) { | |
632 | rr->length = 0; | |
633 | s->packet_length = 0; /* dump this record */ | |
634 | goto again; /* get another record */ | |
635 | } | |
7e159e01 | 636 | #ifndef OPENSSL_NO_SCTP |
0f113f3e MC |
637 | /* Only do replay check if no SCTP bio */ |
638 | if (!BIO_dgram_is_sctp(SSL_get_rbio(s))) { | |
7e159e01 | 639 | #endif |
0f113f3e MC |
640 | /* |
641 | * Check whether this is a repeat, or aged record. Don't check if | |
642 | * we're listening and this message is a ClientHello. They can look | |
643 | * as if they're replayed, since they arrive from different | |
644 | * connections and would be dropped unnecessarily. | |
645 | */ | |
646 | if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE && | |
647 | s->packet_length > DTLS1_RT_HEADER_LENGTH && | |
648 | s->packet[DTLS1_RT_HEADER_LENGTH] == SSL3_MT_CLIENT_HELLO) && | |
649 | !dtls1_record_replay_check(s, bitmap)) { | |
650 | rr->length = 0; | |
651 | s->packet_length = 0; /* dump this record */ | |
652 | goto again; /* get another record */ | |
653 | } | |
7e159e01 | 654 | #ifndef OPENSSL_NO_SCTP |
0f113f3e | 655 | } |
7e159e01 | 656 | #endif |
36d16f8e | 657 | |
0f113f3e MC |
658 | /* just read a 0 length packet */ |
659 | if (rr->length == 0) | |
660 | goto again; | |
661 | ||
662 | /* | |
663 | * If this record is from the next epoch (either HM or ALERT), and a | |
664 | * handshake is currently in progress, buffer it since it cannot be | |
665 | * processed at this time. However, do not buffer anything while | |
666 | * listening. | |
667 | */ | |
668 | if (is_next_epoch) { | |
669 | if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen) { | |
670 | if (dtls1_buffer_record | |
671 | (s, &(s->d1->unprocessed_rcds), rr->seq_num) < 0) | |
672 | return -1; | |
673 | /* Mark receipt of record. */ | |
674 | dtls1_record_bitmap_update(s, bitmap); | |
675 | } | |
676 | rr->length = 0; | |
677 | s->packet_length = 0; | |
678 | goto again; | |
679 | } | |
680 | ||
681 | if (!dtls1_process_record(s)) { | |
682 | rr->length = 0; | |
683 | s->packet_length = 0; /* dump this record */ | |
684 | goto again; /* get another record */ | |
685 | } | |
686 | dtls1_record_bitmap_update(s, bitmap); /* Mark receipt of record. */ | |
687 | ||
688 | return (1); | |
689 | ||
690 | } | |
36d16f8e | 691 | |
1d97c843 TH |
692 | /*- |
693 | * Return up to 'len' payload bytes received in 'type' records. | |
36d16f8e BL |
694 | * 'type' is one of the following: |
695 | * | |
696 | * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us) | |
697 | * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us) | |
698 | * - 0 (during a shutdown, no data has to be returned) | |
699 | * | |
700 | * If we don't have stored data to work from, read a SSL/TLS record first | |
701 | * (possibly multiple records if we still don't have anything to return). | |
702 | * | |
703 | * This function must handle any surprises the peer may have for us, such as | |
704 | * Alert records (e.g. close_notify), ChangeCipherSpec records (not really | |
705 | * a surprise, but handled as if it were), or renegotiation requests. | |
706 | * Also if record payloads contain fragments too small to process, we store | |
707 | * them until there is enough for the respective protocol (the record protocol | |
708 | * may use arbitrary fragmentation and even interleaving): | |
709 | * Change cipher spec protocol | |
710 | * just 1 byte needed, no need for keeping anything stored | |
711 | * Alert protocol | |
712 | * 2 bytes needed (AlertLevel, AlertDescription) | |
713 | * Handshake protocol | |
714 | * 4 bytes needed (HandshakeType, uint24 length) -- we just have | |
715 | * to detect unexpected Client Hello and Hello Request messages | |
716 | * here, anything else is handled by higher layers | |
717 | * Application data protocol | |
718 | * none of our business | |
719 | */ | |
720 | int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) | |
0f113f3e MC |
721 | { |
722 | int al, i, j, ret; | |
723 | unsigned int n; | |
724 | SSL3_RECORD *rr; | |
725 | void (*cb) (const SSL *ssl, int type2, int val) = NULL; | |
726 | ||
28d59af8 MC |
727 | if (!SSL3_BUFFER_is_initialised(RECORD_LAYER_get_rbuf(&s->rlayer))) { |
728 | /* Not initialized yet */ | |
0f113f3e MC |
729 | if (!ssl3_setup_buffers(s)) |
730 | return (-1); | |
28d59af8 | 731 | } |
0f113f3e MC |
732 | |
733 | if ((type && (type != SSL3_RT_APPLICATION_DATA) && | |
734 | (type != SSL3_RT_HANDSHAKE)) || | |
735 | (peek && (type != SSL3_RT_APPLICATION_DATA))) { | |
736 | SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); | |
737 | return -1; | |
738 | } | |
739 | ||
740 | /* | |
741 | * check whether there's a handshake message (client hello?) waiting | |
742 | */ | |
743 | if ((ret = have_handshake_fragment(s, type, buf, len, peek))) | |
744 | return ret; | |
745 | ||
746 | /* | |
747 | * Now s->d1->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. | |
748 | */ | |
36d16f8e | 749 | |
7e159e01 | 750 | #ifndef OPENSSL_NO_SCTP |
0f113f3e MC |
751 | /* |
752 | * Continue handshake if it had to be interrupted to read app data with | |
753 | * SCTP. | |
754 | */ | |
755 | if ((!s->in_handshake && SSL_in_init(s)) || | |
756 | (BIO_dgram_is_sctp(SSL_get_rbio(s)) && | |
757 | (s->state == DTLS1_SCTP_ST_SR_READ_SOCK | |
758 | || s->state == DTLS1_SCTP_ST_CR_READ_SOCK) | |
759 | && s->s3->in_read_app_data != 2)) | |
7e159e01 | 760 | #else |
0f113f3e | 761 | if (!s->in_handshake && SSL_in_init(s)) |
7e159e01 | 762 | #endif |
0f113f3e MC |
763 | { |
764 | /* type == SSL3_RT_APPLICATION_DATA */ | |
765 | i = s->handshake_func(s); | |
766 | if (i < 0) | |
767 | return (i); | |
768 | if (i == 0) { | |
769 | SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE); | |
770 | return (-1); | |
771 | } | |
772 | } | |
773 | ||
774 | start: | |
775 | s->rwstate = SSL_NOTHING; | |
776 | ||
50e735f9 MC |
777 | /*- |
778 | * s->s3->rrec.type - is the type of record | |
779 | * s->s3->rrec.data, - data | |
780 | * s->s3->rrec.off, - offset into 'data' for next read | |
781 | * s->s3->rrec.length, - number of bytes. | |
782 | */ | |
0f113f3e MC |
783 | rr = &(s->s3->rrec); |
784 | ||
785 | /* | |
786 | * We are not handshaking and have no data yet, so process data buffered | |
787 | * during the last handshake in advance, if any. | |
788 | */ | |
789 | if (s->state == SSL_ST_OK && rr->length == 0) { | |
790 | pitem *item; | |
791 | item = pqueue_pop(s->d1->buffered_app_data.q); | |
792 | if (item) { | |
7e159e01 | 793 | #ifndef OPENSSL_NO_SCTP |
0f113f3e MC |
794 | /* Restore bio_dgram_sctp_rcvinfo struct */ |
795 | if (BIO_dgram_is_sctp(SSL_get_rbio(s))) { | |
796 | DTLS1_RECORD_DATA *rdata = (DTLS1_RECORD_DATA *)item->data; | |
797 | BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SCTP_SET_RCVINFO, | |
798 | sizeof(rdata->recordinfo), &rdata->recordinfo); | |
799 | } | |
7e159e01 DSH |
800 | #endif |
801 | ||
0f113f3e MC |
802 | dtls1_copy_record(s, item); |
803 | ||
804 | OPENSSL_free(item->data); | |
805 | pitem_free(item); | |
806 | } | |
807 | } | |
808 | ||
809 | /* Check for timeout */ | |
810 | if (dtls1_handle_timeout(s) > 0) | |
811 | goto start; | |
812 | ||
813 | /* get new packet if necessary */ | |
814 | if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY)) { | |
815 | ret = dtls1_get_record(s); | |
816 | if (ret <= 0) { | |
817 | ret = dtls1_read_failed(s, ret); | |
818 | /* anything other than a timeout is an error */ | |
819 | if (ret <= 0) | |
820 | return (ret); | |
821 | else | |
822 | goto start; | |
823 | } | |
824 | } | |
825 | ||
826 | if (s->d1->listen && rr->type != SSL3_RT_HANDSHAKE) { | |
827 | rr->length = 0; | |
828 | goto start; | |
829 | } | |
830 | ||
831 | /* we now have a packet which can be read and processed */ | |
832 | ||
833 | if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, | |
834 | * reset by ssl3_get_finished */ | |
835 | && (rr->type != SSL3_RT_HANDSHAKE)) { | |
836 | /* | |
837 | * We now have application data between CCS and Finished. Most likely | |
838 | * the packets were reordered on their way, so buffer the application | |
839 | * data for later processing rather than dropping the connection. | |
840 | */ | |
841 | if (dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num) < | |
842 | 0) { | |
843 | SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); | |
844 | return -1; | |
845 | } | |
846 | rr->length = 0; | |
847 | goto start; | |
848 | } | |
849 | ||
850 | /* | |
851 | * If the other end has shut down, throw anything we read away (even in | |
852 | * 'peek' mode) | |
853 | */ | |
854 | if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { | |
855 | rr->length = 0; | |
856 | s->rwstate = SSL_NOTHING; | |
857 | return (0); | |
858 | } | |
859 | ||
860 | if (type == rr->type) { /* SSL3_RT_APPLICATION_DATA or | |
861 | * SSL3_RT_HANDSHAKE */ | |
862 | /* | |
863 | * make sure that we are not getting application data when we are | |
864 | * doing a handshake for the first time | |
865 | */ | |
866 | if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) && | |
867 | (s->enc_read_ctx == NULL)) { | |
868 | al = SSL_AD_UNEXPECTED_MESSAGE; | |
869 | SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_APP_DATA_IN_HANDSHAKE); | |
870 | goto f_err; | |
871 | } | |
7e159e01 | 872 | |
0f113f3e MC |
873 | if (len <= 0) |
874 | return (len); | |
875 | ||
876 | if ((unsigned int)len > rr->length) | |
877 | n = rr->length; | |
878 | else | |
879 | n = (unsigned int)len; | |
880 | ||
881 | memcpy(buf, &(rr->data[rr->off]), n); | |
882 | if (!peek) { | |
883 | rr->length -= n; | |
884 | rr->off += n; | |
885 | if (rr->length == 0) { | |
886 | s->rstate = SSL_ST_READ_HEADER; | |
887 | rr->off = 0; | |
888 | } | |
889 | } | |
7e159e01 | 890 | #ifndef OPENSSL_NO_SCTP |
0f113f3e MC |
891 | /* |
892 | * We were about to renegotiate but had to read belated application | |
893 | * data first, so retry. | |
894 | */ | |
895 | if (BIO_dgram_is_sctp(SSL_get_rbio(s)) && | |
896 | rr->type == SSL3_RT_APPLICATION_DATA && | |
897 | (s->state == DTLS1_SCTP_ST_SR_READ_SOCK | |
898 | || s->state == DTLS1_SCTP_ST_CR_READ_SOCK)) { | |
899 | s->rwstate = SSL_READING; | |
900 | BIO_clear_retry_flags(SSL_get_rbio(s)); | |
901 | BIO_set_retry_read(SSL_get_rbio(s)); | |
902 | } | |
903 | ||
904 | /* | |
905 | * We might had to delay a close_notify alert because of reordered | |
906 | * app data. If there was an alert and there is no message to read | |
907 | * anymore, finally set shutdown. | |
908 | */ | |
909 | if (BIO_dgram_is_sctp(SSL_get_rbio(s)) && | |
910 | s->d1->shutdown_received | |
911 | && !BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) { | |
912 | s->shutdown |= SSL_RECEIVED_SHUTDOWN; | |
913 | return (0); | |
914 | } | |
915 | #endif | |
916 | return (n); | |
917 | } | |
918 | ||
919 | /* | |
920 | * If we get here, then type != rr->type; if we have a handshake message, | |
921 | * then it was unexpected (Hello Request or Client Hello). | |
922 | */ | |
923 | ||
924 | /* | |
925 | * In case of record types for which we have 'fragment' storage, fill | |
926 | * that so that we can process the data at a fixed place. | |
927 | */ | |
928 | { | |
929 | unsigned int k, dest_maxlen = 0; | |
930 | unsigned char *dest = NULL; | |
931 | unsigned int *dest_len = NULL; | |
932 | ||
933 | if (rr->type == SSL3_RT_HANDSHAKE) { | |
934 | dest_maxlen = sizeof s->d1->handshake_fragment; | |
935 | dest = s->d1->handshake_fragment; | |
936 | dest_len = &s->d1->handshake_fragment_len; | |
937 | } else if (rr->type == SSL3_RT_ALERT) { | |
938 | dest_maxlen = sizeof(s->d1->alert_fragment); | |
939 | dest = s->d1->alert_fragment; | |
940 | dest_len = &s->d1->alert_fragment_len; | |
941 | } | |
4817504d | 942 | #ifndef OPENSSL_NO_HEARTBEATS |
0f113f3e | 943 | else if (rr->type == TLS1_RT_HEARTBEAT) { |
69f68237 MC |
944 | /* We allow a 0 return */ |
945 | if(dtls1_process_heartbeat(s) < 0) { | |
946 | return -1; | |
947 | } | |
0f113f3e MC |
948 | |
949 | /* Exit and notify application to read again */ | |
950 | rr->length = 0; | |
951 | s->rwstate = SSL_READING; | |
952 | BIO_clear_retry_flags(SSL_get_rbio(s)); | |
953 | BIO_set_retry_read(SSL_get_rbio(s)); | |
954 | return (-1); | |
955 | } | |
4817504d | 956 | #endif |
0f113f3e MC |
957 | /* else it's a CCS message, or application data or wrong */ |
958 | else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC) { | |
959 | /* | |
960 | * Application data while renegotiating is allowed. Try again | |
961 | * reading. | |
962 | */ | |
963 | if (rr->type == SSL3_RT_APPLICATION_DATA) { | |
964 | BIO *bio; | |
965 | s->s3->in_read_app_data = 2; | |
966 | bio = SSL_get_rbio(s); | |
967 | s->rwstate = SSL_READING; | |
968 | BIO_clear_retry_flags(bio); | |
969 | BIO_set_retry_read(bio); | |
970 | return (-1); | |
971 | } | |
972 | ||
973 | /* Not certain if this is the right error handling */ | |
974 | al = SSL_AD_UNEXPECTED_MESSAGE; | |
975 | SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD); | |
976 | goto f_err; | |
977 | } | |
978 | ||
979 | if (dest_maxlen > 0) { | |
980 | /* | |
981 | * XDTLS: In a pathalogical case, the Client Hello may be | |
982 | * fragmented--don't always expect dest_maxlen bytes | |
983 | */ | |
984 | if (rr->length < dest_maxlen) { | |
d4938995 | 985 | #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE |
0f113f3e MC |
986 | /* |
987 | * for normal alerts rr->length is 2, while | |
988 | * dest_maxlen is 7 if we were to handle this | |
989 | * non-existing alert... | |
990 | */ | |
991 | FIX ME | |
d4938995 | 992 | #endif |
0f113f3e MC |
993 | s->rstate = SSL_ST_READ_HEADER; |
994 | rr->length = 0; | |
995 | goto start; | |
996 | } | |
997 | ||
998 | /* now move 'n' bytes: */ | |
999 | for (k = 0; k < dest_maxlen; k++) { | |
1000 | dest[k] = rr->data[rr->off++]; | |
1001 | rr->length--; | |
1002 | } | |
1003 | *dest_len = dest_maxlen; | |
1004 | } | |
1005 | } | |
1006 | ||
35a1cc90 MC |
1007 | /*- |
1008 | * s->d1->handshake_fragment_len == 12 iff rr->type == SSL3_RT_HANDSHAKE; | |
1009 | * s->d1->alert_fragment_len == 7 iff rr->type == SSL3_RT_ALERT. | |
1010 | * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) | |
1011 | */ | |
0f113f3e MC |
1012 | |
1013 | /* If we are a client, check for an incoming 'Hello Request': */ | |
1014 | if ((!s->server) && | |
1015 | (s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && | |
1016 | (s->d1->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) && | |
1017 | (s->session != NULL) && (s->session->cipher != NULL)) { | |
1018 | s->d1->handshake_fragment_len = 0; | |
1019 | ||
1020 | if ((s->d1->handshake_fragment[1] != 0) || | |
1021 | (s->d1->handshake_fragment[2] != 0) || | |
1022 | (s->d1->handshake_fragment[3] != 0)) { | |
1023 | al = SSL_AD_DECODE_ERROR; | |
1024 | SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_BAD_HELLO_REQUEST); | |
1025 | goto err; | |
1026 | } | |
1027 | ||
1028 | /* | |
1029 | * no need to check sequence number on HELLO REQUEST messages | |
1030 | */ | |
1031 | ||
1032 | if (s->msg_callback) | |
1033 | s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, | |
1034 | s->d1->handshake_fragment, 4, s, | |
1035 | s->msg_callback_arg); | |
1036 | ||
1037 | if (SSL_is_init_finished(s) && | |
1038 | !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && | |
1039 | !s->s3->renegotiate) { | |
1040 | s->d1->handshake_read_seq++; | |
1041 | s->new_session = 1; | |
1042 | ssl3_renegotiate(s); | |
1043 | if (ssl3_renegotiate_check(s)) { | |
1044 | i = s->handshake_func(s); | |
1045 | if (i < 0) | |
1046 | return (i); | |
1047 | if (i == 0) { | |
1048 | SSLerr(SSL_F_DTLS1_READ_BYTES, | |
1049 | SSL_R_SSL_HANDSHAKE_FAILURE); | |
1050 | return (-1); | |
1051 | } | |
1052 | ||
1053 | if (!(s->mode & SSL_MODE_AUTO_RETRY)) { | |
28d59af8 MC |
1054 | if (SSL3_BUFFER_get_left( |
1055 | RECORD_LAYER_get_rbuf(&s->rlayer)) == 0) { | |
1056 | /* no read-ahead left? */ | |
0f113f3e MC |
1057 | BIO *bio; |
1058 | /* | |
1059 | * In the case where we try to read application data, | |
1060 | * but we trigger an SSL handshake, we return -1 with | |
1061 | * the retry option set. Otherwise renegotiation may | |
1062 | * cause nasty problems in the blocking world | |
1063 | */ | |
1064 | s->rwstate = SSL_READING; | |
1065 | bio = SSL_get_rbio(s); | |
1066 | BIO_clear_retry_flags(bio); | |
1067 | BIO_set_retry_read(bio); | |
1068 | return (-1); | |
1069 | } | |
1070 | } | |
1071 | } | |
1072 | } | |
1073 | /* | |
1074 | * we either finished a handshake or ignored the request, now try | |
1075 | * again to obtain the (application) data we were asked for | |
1076 | */ | |
1077 | goto start; | |
1078 | } | |
1079 | ||
1080 | if (s->d1->alert_fragment_len >= DTLS1_AL_HEADER_LENGTH) { | |
1081 | int alert_level = s->d1->alert_fragment[0]; | |
1082 | int alert_descr = s->d1->alert_fragment[1]; | |
1083 | ||
1084 | s->d1->alert_fragment_len = 0; | |
1085 | ||
1086 | if (s->msg_callback) | |
1087 | s->msg_callback(0, s->version, SSL3_RT_ALERT, | |
1088 | s->d1->alert_fragment, 2, s, s->msg_callback_arg); | |
1089 | ||
1090 | if (s->info_callback != NULL) | |
1091 | cb = s->info_callback; | |
1092 | else if (s->ctx->info_callback != NULL) | |
1093 | cb = s->ctx->info_callback; | |
1094 | ||
1095 | if (cb != NULL) { | |
1096 | j = (alert_level << 8) | alert_descr; | |
1097 | cb(s, SSL_CB_READ_ALERT, j); | |
1098 | } | |
1099 | ||
fd865cad | 1100 | if (alert_level == SSL3_AL_WARNING) { |
0f113f3e MC |
1101 | s->s3->warn_alert = alert_descr; |
1102 | if (alert_descr == SSL_AD_CLOSE_NOTIFY) { | |
7e159e01 | 1103 | #ifndef OPENSSL_NO_SCTP |
0f113f3e MC |
1104 | /* |
1105 | * With SCTP and streams the socket may deliver app data | |
1106 | * after a close_notify alert. We have to check this first so | |
1107 | * that nothing gets discarded. | |
1108 | */ | |
1109 | if (BIO_dgram_is_sctp(SSL_get_rbio(s)) && | |
1110 | BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) { | |
1111 | s->d1->shutdown_received = 1; | |
1112 | s->rwstate = SSL_READING; | |
1113 | BIO_clear_retry_flags(SSL_get_rbio(s)); | |
1114 | BIO_set_retry_read(SSL_get_rbio(s)); | |
1115 | return -1; | |
1116 | } | |
7e159e01 | 1117 | #endif |
0f113f3e MC |
1118 | s->shutdown |= SSL_RECEIVED_SHUTDOWN; |
1119 | return (0); | |
1120 | } | |
36d16f8e BL |
1121 | #if 0 |
1122 | /* XXX: this is a possible improvement in the future */ | |
0f113f3e MC |
1123 | /* now check if it's a missing record */ |
1124 | if (alert_descr == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) { | |
1125 | unsigned short seq; | |
1126 | unsigned int frag_off; | |
1127 | unsigned char *p = &(s->d1->alert_fragment[2]); | |
1128 | ||
1129 | n2s(p, seq); | |
1130 | n2l3(p, frag_off); | |
1131 | ||
1132 | dtls1_retransmit_message(s, | |
1133 | dtls1_get_queue_priority | |
1134 | (frag->msg_header.seq, 0), frag_off, | |
1135 | &found); | |
1136 | if (!found && SSL_in_init(s)) { | |
1137 | /* | |
1138 | * fprintf( stderr,"in init = %d\n", SSL_in_init(s)); | |
1139 | */ | |
1140 | /* | |
1141 | * requested a message not yet sent, send an alert | |
1142 | * ourselves | |
1143 | */ | |
1144 | ssl3_send_alert(s, SSL3_AL_WARNING, | |
1145 | DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); | |
1146 | } | |
1147 | } | |
36d16f8e | 1148 | #endif |
fd865cad | 1149 | } else if (alert_level == SSL3_AL_FATAL) { |
0f113f3e MC |
1150 | char tmp[16]; |
1151 | ||
1152 | s->rwstate = SSL_NOTHING; | |
1153 | s->s3->fatal_alert = alert_descr; | |
1154 | SSLerr(SSL_F_DTLS1_READ_BYTES, | |
1155 | SSL_AD_REASON_OFFSET + alert_descr); | |
1156 | BIO_snprintf(tmp, sizeof tmp, "%d", alert_descr); | |
1157 | ERR_add_error_data(2, "SSL alert number ", tmp); | |
1158 | s->shutdown |= SSL_RECEIVED_SHUTDOWN; | |
1159 | SSL_CTX_remove_session(s->ctx, s->session); | |
1160 | return (0); | |
1161 | } else { | |
1162 | al = SSL_AD_ILLEGAL_PARAMETER; | |
1163 | SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNKNOWN_ALERT_TYPE); | |
1164 | goto f_err; | |
1165 | } | |
1166 | ||
1167 | goto start; | |
1168 | } | |
1169 | ||
1170 | if (s->shutdown & SSL_SENT_SHUTDOWN) { /* but we have not received a | |
1171 | * shutdown */ | |
1172 | s->rwstate = SSL_NOTHING; | |
1173 | rr->length = 0; | |
1174 | return (0); | |
1175 | } | |
1176 | ||
1177 | if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) { | |
1178 | struct ccs_header_st ccs_hdr; | |
1179 | unsigned int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH; | |
1180 | ||
1181 | dtls1_get_ccs_header(rr->data, &ccs_hdr); | |
1182 | ||
1183 | if (s->version == DTLS1_BAD_VER) | |
1184 | ccs_hdr_len = 3; | |
1185 | ||
1186 | /* | |
1187 | * 'Change Cipher Spec' is just a single byte, so we know exactly | |
1188 | * what the record payload has to look like | |
1189 | */ | |
1190 | /* XDTLS: check that epoch is consistent */ | |
1191 | if ((rr->length != ccs_hdr_len) || | |
1192 | (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) { | |
1193 | i = SSL_AD_ILLEGAL_PARAMETER; | |
1194 | SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_BAD_CHANGE_CIPHER_SPEC); | |
1195 | goto err; | |
1196 | } | |
1197 | ||
1198 | rr->length = 0; | |
1199 | ||
1200 | if (s->msg_callback) | |
1201 | s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, | |
1202 | rr->data, 1, s, s->msg_callback_arg); | |
1203 | ||
1204 | /* | |
1205 | * We can't process a CCS now, because previous handshake messages | |
1206 | * are still missing, so just drop it. | |
1207 | */ | |
1208 | if (!s->d1->change_cipher_spec_ok) { | |
1209 | goto start; | |
1210 | } | |
1211 | ||
1212 | s->d1->change_cipher_spec_ok = 0; | |
1213 | ||
1214 | s->s3->change_cipher_spec = 1; | |
1215 | if (!ssl3_do_change_cipher_spec(s)) | |
1216 | goto err; | |
1217 | ||
1218 | /* do this whenever CCS is processed */ | |
1219 | dtls1_reset_seq_numbers(s, SSL3_CC_READ); | |
1220 | ||
1221 | if (s->version == DTLS1_BAD_VER) | |
1222 | s->d1->handshake_read_seq++; | |
8711efb4 | 1223 | |
7e159e01 | 1224 | #ifndef OPENSSL_NO_SCTP |
0f113f3e MC |
1225 | /* |
1226 | * Remember that a CCS has been received, so that an old key of | |
1227 | * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no | |
1228 | * SCTP is used | |
1229 | */ | |
1230 | BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL); | |
7e159e01 DSH |
1231 | #endif |
1232 | ||
0f113f3e MC |
1233 | goto start; |
1234 | } | |
1235 | ||
1236 | /* | |
1237 | * Unexpected handshake message (Client Hello, or protocol violation) | |
1238 | */ | |
1239 | if ((s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && | |
1240 | !s->in_handshake) { | |
1241 | struct hm_header_st msg_hdr; | |
1242 | ||
1243 | /* this may just be a stale retransmit */ | |
1244 | dtls1_get_message_header(rr->data, &msg_hdr); | |
1245 | if (rr->epoch != s->d1->r_epoch) { | |
1246 | rr->length = 0; | |
1247 | goto start; | |
1248 | } | |
1249 | ||
1250 | /* | |
1251 | * If we are server, we may have a repeated FINISHED of the client | |
1252 | * here, then retransmit our CCS and FINISHED. | |
1253 | */ | |
1254 | if (msg_hdr.type == SSL3_MT_FINISHED) { | |
1255 | if (dtls1_check_timeout_num(s) < 0) | |
1256 | return -1; | |
1257 | ||
17dd65e6 | 1258 | dtls1_retransmit_buffered_messages(s); |
0f113f3e MC |
1259 | rr->length = 0; |
1260 | goto start; | |
1261 | } | |
1262 | ||
1263 | if (((s->state & SSL_ST_MASK) == SSL_ST_OK) && | |
1264 | !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) { | |
0f113f3e | 1265 | s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; |
0f113f3e MC |
1266 | s->renegotiate = 1; |
1267 | s->new_session = 1; | |
1268 | } | |
1269 | i = s->handshake_func(s); | |
1270 | if (i < 0) | |
1271 | return (i); | |
1272 | if (i == 0) { | |
1273 | SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE); | |
1274 | return (-1); | |
1275 | } | |
1276 | ||
1277 | if (!(s->mode & SSL_MODE_AUTO_RETRY)) { | |
28d59af8 MC |
1278 | if (SSL3_BUFFER_get_left( |
1279 | RECORD_LAYER_get_rbuf(&s->rlayer)) == 0) { | |
1280 | /* no read-ahead left? */ | |
0f113f3e MC |
1281 | BIO *bio; |
1282 | /* | |
1283 | * In the case where we try to read application data, but we | |
1284 | * trigger an SSL handshake, we return -1 with the retry | |
1285 | * option set. Otherwise renegotiation may cause nasty | |
1286 | * problems in the blocking world | |
1287 | */ | |
1288 | s->rwstate = SSL_READING; | |
1289 | bio = SSL_get_rbio(s); | |
1290 | BIO_clear_retry_flags(bio); | |
1291 | BIO_set_retry_read(bio); | |
1292 | return (-1); | |
1293 | } | |
1294 | } | |
1295 | goto start; | |
1296 | } | |
1297 | ||
1298 | switch (rr->type) { | |
1299 | default: | |
0f113f3e MC |
1300 | /* TLS just ignores unknown message types */ |
1301 | if (s->version == TLS1_VERSION) { | |
1302 | rr->length = 0; | |
1303 | goto start; | |
1304 | } | |
0f113f3e MC |
1305 | al = SSL_AD_UNEXPECTED_MESSAGE; |
1306 | SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD); | |
1307 | goto f_err; | |
1308 | case SSL3_RT_CHANGE_CIPHER_SPEC: | |
1309 | case SSL3_RT_ALERT: | |
1310 | case SSL3_RT_HANDSHAKE: | |
1311 | /* | |
1312 | * we already handled all of these, with the possible exception of | |
1313 | * SSL3_RT_HANDSHAKE when s->in_handshake is set, but that should not | |
1314 | * happen when type != rr->type | |
1315 | */ | |
1316 | al = SSL_AD_UNEXPECTED_MESSAGE; | |
1317 | SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); | |
1318 | goto f_err; | |
1319 | case SSL3_RT_APPLICATION_DATA: | |
1320 | /* | |
1321 | * At this point, we were expecting handshake data, but have | |
1322 | * application data. If the library was running inside ssl3_read() | |
1323 | * (i.e. in_read_app_data is set) and it makes sense to read | |
1324 | * application data at this point (session renegotiation not yet | |
1325 | * started), we will indulge it. | |
1326 | */ | |
1327 | if (s->s3->in_read_app_data && | |
1328 | (s->s3->total_renegotiations != 0) && | |
1329 | (((s->state & SSL_ST_CONNECT) && | |
1330 | (s->state >= SSL3_ST_CW_CLNT_HELLO_A) && | |
1331 | (s->state <= SSL3_ST_CR_SRVR_HELLO_A) | |
1332 | ) || ((s->state & SSL_ST_ACCEPT) && | |
1333 | (s->state <= SSL3_ST_SW_HELLO_REQ_A) && | |
1334 | (s->state >= SSL3_ST_SR_CLNT_HELLO_A) | |
1335 | ) | |
1336 | )) { | |
1337 | s->s3->in_read_app_data = 2; | |
1338 | return (-1); | |
1339 | } else { | |
1340 | al = SSL_AD_UNEXPECTED_MESSAGE; | |
1341 | SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_UNEXPECTED_RECORD); | |
1342 | goto f_err; | |
1343 | } | |
1344 | } | |
1345 | /* not reached */ | |
1346 | ||
1347 | f_err: | |
1348 | ssl3_send_alert(s, SSL3_AL_FATAL, al); | |
1349 | err: | |
1350 | return (-1); | |
1351 | } | |
1352 | ||
1353 | int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len) | |
1354 | { | |
1355 | int i; | |
36d16f8e | 1356 | |
7e159e01 | 1357 | #ifndef OPENSSL_NO_SCTP |
0f113f3e MC |
1358 | /* |
1359 | * Check if we have to continue an interrupted handshake for reading | |
1360 | * belated app data with SCTP. | |
1361 | */ | |
1362 | if ((SSL_in_init(s) && !s->in_handshake) || | |
1363 | (BIO_dgram_is_sctp(SSL_get_wbio(s)) && | |
1364 | (s->state == DTLS1_SCTP_ST_SR_READ_SOCK | |
1365 | || s->state == DTLS1_SCTP_ST_CR_READ_SOCK))) | |
7e159e01 | 1366 | #else |
0f113f3e | 1367 | if (SSL_in_init(s) && !s->in_handshake) |
7e159e01 | 1368 | #endif |
0f113f3e MC |
1369 | { |
1370 | i = s->handshake_func(s); | |
1371 | if (i < 0) | |
1372 | return (i); | |
1373 | if (i == 0) { | |
1374 | SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES, | |
1375 | SSL_R_SSL_HANDSHAKE_FAILURE); | |
1376 | return -1; | |
1377 | } | |
1378 | } | |
1379 | ||
1380 | if (len > SSL3_RT_MAX_PLAIN_LENGTH) { | |
1381 | SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES, SSL_R_DTLS_MESSAGE_TOO_BIG); | |
1382 | return -1; | |
1383 | } | |
1384 | ||
1385 | i = dtls1_write_bytes(s, type, buf_, len); | |
1386 | return i; | |
1387 | } | |
1388 | ||
1389 | /* | |
1390 | * this only happens when a client hello is received and a handshake | |
1391 | * is started. | |
1392 | */ | |
36d16f8e | 1393 | static int |
0f113f3e MC |
1394 | have_handshake_fragment(SSL *s, int type, unsigned char *buf, |
1395 | int len, int peek) | |
1396 | { | |
1397 | ||
1398 | if ((type == SSL3_RT_HANDSHAKE) && (s->d1->handshake_fragment_len > 0)) | |
1399 | /* (partially) satisfy request from storage */ | |
1400 | { | |
1401 | unsigned char *src = s->d1->handshake_fragment; | |
1402 | unsigned char *dst = buf; | |
1403 | unsigned int k, n; | |
1404 | ||
1405 | /* peek == 0 */ | |
1406 | n = 0; | |
1407 | while ((len > 0) && (s->d1->handshake_fragment_len > 0)) { | |
1408 | *dst++ = *src++; | |
1409 | len--; | |
1410 | s->d1->handshake_fragment_len--; | |
1411 | n++; | |
1412 | } | |
1413 | /* move any remaining fragment bytes: */ | |
1414 | for (k = 0; k < s->d1->handshake_fragment_len; k++) | |
1415 | s->d1->handshake_fragment[k] = *src++; | |
1416 | return n; | |
1417 | } | |
1418 | ||
1419 | return 0; | |
1420 | } | |
1421 | ||
1422 | /* | |
1423 | * Call this to write data in records of type 'type' It will return <= 0 if | |
1424 | * not all data has been sent or non-blocking IO. | |
36d16f8e | 1425 | */ |
480b9e5d | 1426 | int dtls1_write_bytes(SSL *s, int type, const void *buf, int len) |
0f113f3e MC |
1427 | { |
1428 | int i; | |
1429 | ||
1430 | OPENSSL_assert(len <= SSL3_RT_MAX_PLAIN_LENGTH); | |
1431 | s->rwstate = SSL_NOTHING; | |
1432 | i = do_dtls1_write(s, type, buf, len, 0); | |
1433 | return i; | |
1434 | } | |
1435 | ||
1436 | int do_dtls1_write(SSL *s, int type, const unsigned char *buf, | |
1437 | unsigned int len, int create_empty_fragment) | |
1438 | { | |
1439 | unsigned char *p, *pseq; | |
1440 | int i, mac_size, clear = 0; | |
1441 | int prefix_len = 0; | |
1442 | int eivlen; | |
1443 | SSL3_RECORD *wr; | |
1444 | SSL3_BUFFER *wb; | |
1445 | SSL_SESSION *sess; | |
1446 | ||
db9a32e7 MC |
1447 | wb = RECORD_LAYER_get_wbuf(&s->rlayer); |
1448 | ||
0f113f3e MC |
1449 | /* |
1450 | * first check if there is a SSL3_BUFFER still being written out. This | |
1451 | * will happen with non blocking IO | |
1452 | */ | |
db9a32e7 | 1453 | if (SSL3_BUFFER_get_left(wb) != 0) { |
0f113f3e MC |
1454 | OPENSSL_assert(0); /* XDTLS: want to see if we ever get here */ |
1455 | return (ssl3_write_pending(s, type, buf, len)); | |
1456 | } | |
1457 | ||
1458 | /* If we have an alert to send, lets send it */ | |
1459 | if (s->s3->alert_dispatch) { | |
1460 | i = s->method->ssl_dispatch_alert(s); | |
1461 | if (i <= 0) | |
1462 | return (i); | |
1463 | /* if it went, fall through and send more stuff */ | |
1464 | } | |
1465 | ||
1466 | if (len == 0 && !create_empty_fragment) | |
1467 | return 0; | |
1468 | ||
1469 | wr = &(s->s3->wrec); | |
0f113f3e MC |
1470 | sess = s->session; |
1471 | ||
1472 | if ((sess == NULL) || | |
1473 | (s->enc_write_ctx == NULL) || (EVP_MD_CTX_md(s->write_hash) == NULL)) | |
1474 | clear = 1; | |
1475 | ||
1476 | if (clear) | |
1477 | mac_size = 0; | |
1478 | else { | |
1479 | mac_size = EVP_MD_CTX_size(s->write_hash); | |
1480 | if (mac_size < 0) | |
1481 | goto err; | |
1482 | } | |
1483 | ||
0f113f3e MC |
1484 | p = wb->buf + prefix_len; |
1485 | ||
1486 | /* write the header */ | |
1487 | ||
1488 | *(p++) = type & 0xff; | |
1489 | wr->type = type; | |
1490 | /* | |
1491 | * Special case: for hello verify request, client version 1.0 and we | |
1492 | * haven't decided which version to use yet send back using version 1.0 | |
1493 | * header: otherwise some clients will ignore it. | |
1494 | */ | |
1495 | if (s->method->version == DTLS_ANY_VERSION) { | |
1496 | *(p++) = DTLS1_VERSION >> 8; | |
1497 | *(p++) = DTLS1_VERSION & 0xff; | |
1498 | } else { | |
1499 | *(p++) = s->version >> 8; | |
1500 | *(p++) = s->version & 0xff; | |
1501 | } | |
1502 | ||
1503 | /* field where we are to write out packet epoch, seq num and len */ | |
1504 | pseq = p; | |
1505 | p += 10; | |
1506 | ||
1507 | /* Explicit IV length, block ciphers appropriate version flag */ | |
1508 | if (s->enc_write_ctx) { | |
1509 | int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx); | |
1510 | if (mode == EVP_CIPH_CBC_MODE) { | |
1511 | eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx); | |
1512 | if (eivlen <= 1) | |
1513 | eivlen = 0; | |
1514 | } | |
1515 | /* Need explicit part of IV for GCM mode */ | |
1516 | else if (mode == EVP_CIPH_GCM_MODE) | |
1517 | eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN; | |
1518 | else | |
1519 | eivlen = 0; | |
1520 | } else | |
1521 | eivlen = 0; | |
1522 | ||
1523 | /* lets setup the record stuff. */ | |
1524 | wr->data = p + eivlen; /* make room for IV in case of CBC */ | |
1525 | wr->length = (int)len; | |
1526 | wr->input = (unsigned char *)buf; | |
1527 | ||
1528 | /* | |
1529 | * we now 'read' from wr->input, wr->length bytes into wr->data | |
1530 | */ | |
1531 | ||
1532 | /* first we compress */ | |
1533 | if (s->compress != NULL) { | |
1534 | if (!ssl3_do_compress(s)) { | |
1535 | SSLerr(SSL_F_DO_DTLS1_WRITE, SSL_R_COMPRESSION_FAILURE); | |
1536 | goto err; | |
1537 | } | |
1538 | } else { | |
1539 | memcpy(wr->data, wr->input, wr->length); | |
1540 | wr->input = wr->data; | |
1541 | } | |
36d16f8e | 1542 | |
0f113f3e MC |
1543 | /* |
1544 | * we should still have the output to wr->data and the input from | |
1545 | * wr->input. Length should be wr->length. wr->data still points in the | |
1546 | * wb->buf | |
1547 | */ | |
36d16f8e | 1548 | |
0f113f3e MC |
1549 | if (mac_size != 0) { |
1550 | if (s->method->ssl3_enc->mac(s, &(p[wr->length + eivlen]), 1) < 0) | |
1551 | goto err; | |
1552 | wr->length += mac_size; | |
1553 | } | |
36d16f8e | 1554 | |
0f113f3e MC |
1555 | /* this is true regardless of mac size */ |
1556 | wr->input = p; | |
1557 | wr->data = p; | |
36d16f8e | 1558 | |
0f113f3e MC |
1559 | if (eivlen) |
1560 | wr->length += eivlen; | |
36d16f8e | 1561 | |
0f113f3e MC |
1562 | if (s->method->ssl3_enc->enc(s, 1) < 1) |
1563 | goto err; | |
36d16f8e | 1564 | |
0f113f3e MC |
1565 | /* record length after mac and block padding */ |
1566 | /* | |
1567 | * if (type == SSL3_RT_APPLICATION_DATA || (type == SSL3_RT_ALERT && ! | |
1568 | * SSL_in_init(s))) | |
1569 | */ | |
36d16f8e | 1570 | |
0f113f3e | 1571 | /* there's only one epoch between handshake and app data */ |
36d16f8e | 1572 | |
0f113f3e | 1573 | s2n(s->d1->w_epoch, pseq); |
36d16f8e | 1574 | |
0f113f3e MC |
1575 | /* XDTLS: ?? */ |
1576 | /* | |
1577 | * else s2n(s->d1->handshake_epoch, pseq); | |
1578 | */ | |
36d16f8e | 1579 | |
0f113f3e MC |
1580 | memcpy(pseq, &(s->s3->write_sequence[2]), 6); |
1581 | pseq += 6; | |
1582 | s2n(wr->length, pseq); | |
36d16f8e | 1583 | |
0f113f3e MC |
1584 | if (s->msg_callback) |
1585 | s->msg_callback(1, 0, SSL3_RT_HEADER, pseq - DTLS1_RT_HEADER_LENGTH, | |
1586 | DTLS1_RT_HEADER_LENGTH, s, s->msg_callback_arg); | |
36d16f8e | 1587 | |
0f113f3e MC |
1588 | /* |
1589 | * we should now have wr->data pointing to the encrypted data, which is | |
1590 | * wr->length long | |
1591 | */ | |
1592 | wr->type = type; /* not needed but helps for debugging */ | |
1593 | wr->length += DTLS1_RT_HEADER_LENGTH; | |
36d16f8e | 1594 | |
0f113f3e | 1595 | ssl3_record_sequence_update(&(s->s3->write_sequence[0])); |
36d16f8e | 1596 | |
0f113f3e MC |
1597 | if (create_empty_fragment) { |
1598 | /* | |
1599 | * we are in a recursive call; just return the length, don't write | |
1600 | * out anything here | |
1601 | */ | |
1602 | return wr->length; | |
1603 | } | |
36d16f8e | 1604 | |
0f113f3e MC |
1605 | /* now let's set up wb */ |
1606 | wb->left = prefix_len + wr->length; | |
1607 | wb->offset = 0; | |
1608 | ||
1609 | /* | |
1610 | * memorize arguments so that ssl3_write_pending can detect bad write | |
1611 | * retries later | |
1612 | */ | |
1613 | s->s3->wpend_tot = len; | |
1614 | s->s3->wpend_buf = buf; | |
1615 | s->s3->wpend_type = type; | |
1616 | s->s3->wpend_ret = len; | |
1617 | ||
1618 | /* we now just need to write the buffer */ | |
1619 | return ssl3_write_pending(s, type, buf, len); | |
1620 | err: | |
1621 | return -1; | |
1622 | } | |
36d16f8e | 1623 | |
0f113f3e MC |
1624 | static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap) |
1625 | { | |
1626 | int cmp; | |
1627 | unsigned int shift; | |
1628 | const unsigned char *seq = s->s3->read_sequence; | |
1629 | ||
1630 | cmp = satsub64be(seq, bitmap->max_seq_num); | |
1631 | if (cmp > 0) { | |
1632 | memcpy(s->s3->rrec.seq_num, seq, 8); | |
1633 | return 1; /* this record in new */ | |
1634 | } | |
1635 | shift = -cmp; | |
1636 | if (shift >= sizeof(bitmap->map) * 8) | |
1637 | return 0; /* stale, outside the window */ | |
1638 | else if (bitmap->map & (1UL << shift)) | |
1639 | return 0; /* record previously received */ | |
1640 | ||
1641 | memcpy(s->s3->rrec.seq_num, seq, 8); | |
1642 | return 1; | |
1643 | } | |
1644 | ||
1645 | static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap) | |
1646 | { | |
1647 | int cmp; | |
1648 | unsigned int shift; | |
1649 | const unsigned char *seq = s->s3->read_sequence; | |
1650 | ||
1651 | cmp = satsub64be(seq, bitmap->max_seq_num); | |
1652 | if (cmp > 0) { | |
1653 | shift = cmp; | |
1654 | if (shift < sizeof(bitmap->map) * 8) | |
1655 | bitmap->map <<= shift, bitmap->map |= 1UL; | |
1656 | else | |
1657 | bitmap->map = 1UL; | |
1658 | memcpy(bitmap->max_seq_num, seq, 8); | |
1659 | } else { | |
1660 | shift = -cmp; | |
1661 | if (shift < sizeof(bitmap->map) * 8) | |
1662 | bitmap->map |= 1UL << shift; | |
1663 | } | |
1664 | } | |
1665 | ||
1666 | int dtls1_dispatch_alert(SSL *s) | |
1667 | { | |
1668 | int i, j; | |
1669 | void (*cb) (const SSL *ssl, int type, int val) = NULL; | |
1670 | unsigned char buf[DTLS1_AL_HEADER_LENGTH]; | |
1671 | unsigned char *ptr = &buf[0]; | |
1672 | ||
1673 | s->s3->alert_dispatch = 0; | |
1674 | ||
1675 | memset(buf, 0x00, sizeof(buf)); | |
1676 | *ptr++ = s->s3->send_alert[0]; | |
1677 | *ptr++ = s->s3->send_alert[1]; | |
1678 | ||
1679 | #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE | |
1680 | if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) { | |
1681 | s2n(s->d1->handshake_read_seq, ptr); | |
0f113f3e MC |
1682 | l2n3(s->d1->r_msg_hdr.frag_off, ptr); |
1683 | } | |
01c76c66 | 1684 | #endif |
36d16f8e | 1685 | |
0f113f3e MC |
1686 | i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0); |
1687 | if (i <= 0) { | |
1688 | s->s3->alert_dispatch = 1; | |
1689 | /* fprintf( stderr, "not done with alert\n" ); */ | |
1690 | } else { | |
1691 | if (s->s3->send_alert[0] == SSL3_AL_FATAL | |
01c76c66 | 1692 | #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE |
0f113f3e | 1693 | || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE |
01c76c66 | 1694 | #endif |
0f113f3e MC |
1695 | ) |
1696 | (void)BIO_flush(s->wbio); | |
1697 | ||
1698 | if (s->msg_callback) | |
1699 | s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, | |
1700 | 2, s, s->msg_callback_arg); | |
1701 | ||
1702 | if (s->info_callback != NULL) | |
1703 | cb = s->info_callback; | |
1704 | else if (s->ctx->info_callback != NULL) | |
1705 | cb = s->ctx->info_callback; | |
1706 | ||
1707 | if (cb != NULL) { | |
1708 | j = (s->s3->send_alert[0] << 8) | s->s3->send_alert[1]; | |
1709 | cb(s, SSL_CB_WRITE_ALERT, j); | |
1710 | } | |
1711 | } | |
1712 | return (i); | |
1713 | } | |
1714 | ||
1715 | static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, | |
1716 | unsigned int *is_next_epoch) | |
1717 | { | |
1718 | ||
36d16f8e BL |
1719 | *is_next_epoch = 0; |
1720 | ||
1721 | /* In current epoch, accept HM, CCS, DATA, & ALERT */ | |
1722 | if (rr->epoch == s->d1->r_epoch) | |
1723 | return &s->d1->bitmap; | |
1724 | ||
1725 | /* Only HM and ALERT messages can be from the next epoch */ | |
6c61726b | 1726 | else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) && |
0f113f3e | 1727 | (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) { |
36d16f8e BL |
1728 | *is_next_epoch = 1; |
1729 | return &s->d1->next_bitmap; | |
0f113f3e | 1730 | } |
36d16f8e BL |
1731 | |
1732 | return NULL; | |
0f113f3e | 1733 | } |
36d16f8e | 1734 | |
0f113f3e MC |
1735 | void dtls1_reset_seq_numbers(SSL *s, int rw) |
1736 | { | |
1737 | unsigned char *seq; | |
1738 | unsigned int seq_bytes = sizeof(s->s3->read_sequence); | |
1739 | ||
1740 | if (rw & SSL3_CC_READ) { | |
1741 | seq = s->s3->read_sequence; | |
1742 | s->d1->r_epoch++; | |
1743 | memcpy(&(s->d1->bitmap), &(s->d1->next_bitmap), sizeof(DTLS1_BITMAP)); | |
1744 | memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP)); | |
1745 | } else { | |
1746 | seq = s->s3->write_sequence; | |
1747 | memcpy(s->d1->last_write_sequence, seq, | |
1748 | sizeof(s->s3->write_sequence)); | |
1749 | s->d1->w_epoch++; | |
1750 | } | |
1751 | ||
1752 | memset(seq, 0x00, seq_bytes); | |
1753 | } |