2 * Copyright 2005-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include "internal/e_os.h"
12 #include <openssl/objects.h>
13 #include <openssl/rand.h>
14 #include "ssl_local.h"
15 #include "internal/time.h"
17 static int dtls1_handshake_write(SSL_CONNECTION
*s
);
18 static size_t dtls1_link_min_mtu(void);
20 /* XDTLS: figure out the right values */
21 static const size_t g_probable_mtu
[] = { 1500, 512, 256 };
23 const SSL3_ENC_METHOD DTLSv1_enc_data
= {
27 tls1_generate_master_secret
,
28 tls1_change_cipher_state
,
29 tls1_final_finish_mac
,
30 TLS_MD_CLIENT_FINISH_CONST
, TLS_MD_CLIENT_FINISH_CONST_SIZE
,
31 TLS_MD_SERVER_FINISH_CONST
, TLS_MD_SERVER_FINISH_CONST_SIZE
,
33 tls1_export_keying_material
,
34 SSL_ENC_FLAG_DTLS
| SSL_ENC_FLAG_EXPLICIT_IV
,
35 dtls1_set_handshake_header
,
36 dtls1_close_construct_packet
,
40 const SSL3_ENC_METHOD DTLSv1_2_enc_data
= {
44 tls1_generate_master_secret
,
45 tls1_change_cipher_state
,
46 tls1_final_finish_mac
,
47 TLS_MD_CLIENT_FINISH_CONST
, TLS_MD_CLIENT_FINISH_CONST_SIZE
,
48 TLS_MD_SERVER_FINISH_CONST
, TLS_MD_SERVER_FINISH_CONST_SIZE
,
50 tls1_export_keying_material
,
51 SSL_ENC_FLAG_DTLS
| SSL_ENC_FLAG_EXPLICIT_IV
| SSL_ENC_FLAG_SIGALGS
52 | SSL_ENC_FLAG_SHA256_PRF
| SSL_ENC_FLAG_TLS1_2_CIPHERS
,
53 dtls1_set_handshake_header
,
54 dtls1_close_construct_packet
,
58 OSSL_TIME
dtls1_default_timeout(void)
61 * 2 hours, the 24 hours mentioned in the DTLSv1 spec is way too long for
62 * http, the cache would over fill
64 return ossl_seconds2time(60 * 60 * 2);
67 int dtls1_new(SSL
*ssl
)
70 SSL_CONNECTION
*s
= SSL_CONNECTION_FROM_SSL_ONLY(ssl
);
75 if (!DTLS_RECORD_LAYER_new(&s
->rlayer
)) {
81 if ((d1
= OPENSSL_zalloc(sizeof(*d1
))) == NULL
) {
86 d1
->buffered_messages
= pqueue_new();
87 d1
->sent_messages
= pqueue_new();
90 d1
->cookie_len
= sizeof(s
->d1
->cookie
);
96 if (d1
->buffered_messages
== NULL
|| d1
->sent_messages
== NULL
) {
97 pqueue_free(d1
->buffered_messages
);
98 pqueue_free(d1
->sent_messages
);
106 if (!ssl
->method
->ssl_clear(ssl
))
112 static void dtls1_clear_queues(SSL_CONNECTION
*s
)
114 dtls1_clear_received_buffer(s
);
115 dtls1_clear_sent_buffer(s
);
118 void dtls1_clear_received_buffer(SSL_CONNECTION
*s
)
121 hm_fragment
*frag
= NULL
;
123 while ((item
= pqueue_pop(s
->d1
->buffered_messages
)) != NULL
) {
124 frag
= (hm_fragment
*)item
->data
;
125 dtls1_hm_fragment_free(frag
);
130 void dtls1_clear_sent_buffer(SSL_CONNECTION
*s
)
133 hm_fragment
*frag
= NULL
;
135 while ((item
= pqueue_pop(s
->d1
->sent_messages
)) != NULL
) {
136 frag
= (hm_fragment
*)item
->data
;
137 dtls1_hm_fragment_free(frag
);
143 void dtls1_free(SSL
*ssl
)
145 SSL_CONNECTION
*s
= SSL_CONNECTION_FROM_SSL_ONLY(ssl
);
150 DTLS_RECORD_LAYER_free(&s
->rlayer
);
155 dtls1_clear_queues(s
);
156 pqueue_free(s
->d1
->buffered_messages
);
157 pqueue_free(s
->d1
->sent_messages
);
164 int dtls1_clear(SSL
*ssl
)
166 pqueue
*buffered_messages
;
167 pqueue
*sent_messages
;
171 SSL_CONNECTION
*s
= SSL_CONNECTION_FROM_SSL_ONLY(ssl
);
176 DTLS_RECORD_LAYER_clear(&s
->rlayer
);
179 DTLS_timer_cb timer_cb
= s
->d1
->timer_cb
;
181 buffered_messages
= s
->d1
->buffered_messages
;
182 sent_messages
= s
->d1
->sent_messages
;
184 link_mtu
= s
->d1
->link_mtu
;
186 dtls1_clear_queues(s
);
188 memset(s
->d1
, 0, sizeof(*s
->d1
));
190 /* Restore the timer callback from previous state */
191 s
->d1
->timer_cb
= timer_cb
;
194 s
->d1
->cookie_len
= sizeof(s
->d1
->cookie
);
197 if (SSL_get_options(ssl
) & SSL_OP_NO_QUERY_MTU
) {
199 s
->d1
->link_mtu
= link_mtu
;
202 s
->d1
->buffered_messages
= buffered_messages
;
203 s
->d1
->sent_messages
= sent_messages
;
206 if (!ssl3_clear(ssl
))
209 if (ssl
->method
->version
== DTLS_ANY_VERSION
)
210 s
->version
= DTLS_MAX_VERSION_INTERNAL
;
211 #ifndef OPENSSL_NO_DTLS1_METHOD
212 else if (s
->options
& SSL_OP_CISCO_ANYCONNECT
)
213 s
->client_version
= s
->version
= DTLS1_BAD_VER
;
216 s
->version
= ssl
->method
->version
;
221 long dtls1_ctrl(SSL
*ssl
, int cmd
, long larg
, void *parg
)
225 SSL_CONNECTION
*s
= SSL_CONNECTION_FROM_SSL_ONLY(ssl
);
231 case DTLS_CTRL_GET_TIMEOUT
:
232 if (dtls1_get_timeout(s
, &t
) != NULL
) {
233 *(struct timeval
*)parg
= ossl_time_to_timeval(t
);
237 case DTLS_CTRL_HANDLE_TIMEOUT
:
238 ret
= dtls1_handle_timeout(s
);
240 case DTLS_CTRL_SET_LINK_MTU
:
241 if (larg
< (long)dtls1_link_min_mtu())
243 s
->d1
->link_mtu
= larg
;
245 case DTLS_CTRL_GET_LINK_MIN_MTU
:
246 return (long)dtls1_link_min_mtu();
247 case SSL_CTRL_SET_MTU
:
249 * We may not have a BIO set yet so can't call dtls1_min_mtu()
250 * We'll have to make do with dtls1_link_min_mtu() and max overhead
252 if (larg
< (long)dtls1_link_min_mtu() - DTLS1_MAX_MTU_OVERHEAD
)
257 ret
= ssl3_ctrl(ssl
, cmd
, larg
, parg
);
263 void dtls1_start_timer(SSL_CONNECTION
*s
)
267 SSL
*ssl
= SSL_CONNECTION_GET_SSL(s
);
269 #ifndef OPENSSL_NO_SCTP
270 /* Disable timer for SCTP */
271 if (BIO_dgram_is_sctp(SSL_get_wbio(ssl
))) {
272 s
->d1
->next_timeout
= ossl_time_zero();
278 * If timer is not set, initialize duration with 1 second or
279 * a user-specified value if the timer callback is installed.
281 if (ossl_time_is_zero(s
->d1
->next_timeout
)) {
282 if (s
->d1
->timer_cb
!= NULL
)
283 s
->d1
->timeout_duration_us
= s
->d1
->timer_cb(ssl
, 0);
285 s
->d1
->timeout_duration_us
= 1000000;
288 /* Set timeout to current time plus duration */
289 duration
= ossl_us2time(s
->d1
->timeout_duration_us
);
290 s
->d1
->next_timeout
= ossl_time_add(ossl_time_now(), duration
);
292 tv
= ossl_time_to_timeval(s
->d1
->next_timeout
);
293 BIO_ctrl(SSL_get_rbio(ssl
), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT
, 0, &tv
);
296 OSSL_TIME
*dtls1_get_timeout(SSL_CONNECTION
*s
, OSSL_TIME
*timeleft
)
300 /* If no timeout is set, just return NULL */
301 if (ossl_time_is_zero(s
->d1
->next_timeout
))
304 /* Get current time */
305 timenow
= ossl_time_now();
308 * If timer already expired or if remaining time is less than 15 ms,
309 * set it to 0 to prevent issues because of small divergences with
312 *timeleft
= ossl_time_subtract(s
->d1
->next_timeout
, timenow
);
313 if (ossl_time_compare(*timeleft
, ossl_ms2time(15)) <= 0)
314 *timeleft
= ossl_time_zero();
318 int dtls1_is_timer_expired(SSL_CONNECTION
*s
)
322 /* Get time left until timeout, return false if no timer running */
323 if (dtls1_get_timeout(s
, &timeleft
) == NULL
) {
327 /* Return false if timer is not expired yet */
328 if (!ossl_time_is_zero(timeleft
)) {
332 /* Timer expired, so return true */
336 static void dtls1_double_timeout(SSL_CONNECTION
*s
)
338 s
->d1
->timeout_duration_us
*= 2;
339 if (s
->d1
->timeout_duration_us
> 60000000)
340 s
->d1
->timeout_duration_us
= 60000000;
343 void dtls1_stop_timer(SSL_CONNECTION
*s
)
347 /* Reset everything */
348 s
->d1
->timeout_num_alerts
= 0;
349 s
->d1
->next_timeout
= ossl_time_zero();
350 s
->d1
->timeout_duration_us
= 1000000;
351 tv
= ossl_time_to_timeval(s
->d1
->next_timeout
);
352 BIO_ctrl(s
->rbio
, BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT
, 0, &tv
);
353 /* Clear retransmission buffer */
354 dtls1_clear_sent_buffer(s
);
357 int dtls1_check_timeout_num(SSL_CONNECTION
*s
)
360 SSL
*ssl
= SSL_CONNECTION_GET_SSL(s
);
362 s
->d1
->timeout_num_alerts
++;
364 /* Reduce MTU after 2 unsuccessful retransmissions */
365 if (s
->d1
->timeout_num_alerts
> 2
366 && !(SSL_get_options(ssl
) & SSL_OP_NO_QUERY_MTU
)) {
368 BIO_ctrl(SSL_get_wbio(ssl
), BIO_CTRL_DGRAM_GET_FALLBACK_MTU
, 0, NULL
);
369 if (mtu
< s
->d1
->mtu
)
373 if (s
->d1
->timeout_num_alerts
> DTLS1_TMO_ALERT_COUNT
) {
374 /* fail the connection, enough alerts have been sent */
375 SSLfatal(s
, SSL_AD_NO_ALERT
, SSL_R_READ_TIMEOUT_EXPIRED
);
382 int dtls1_handle_timeout(SSL_CONNECTION
*s
)
384 /* if no timer is expired, don't do anything */
385 if (!dtls1_is_timer_expired(s
)) {
389 if (s
->d1
->timer_cb
!= NULL
)
390 s
->d1
->timeout_duration_us
= s
->d1
->timer_cb(SSL_CONNECTION_GET_SSL(s
),
391 s
->d1
->timeout_duration_us
);
393 dtls1_double_timeout(s
);
395 if (dtls1_check_timeout_num(s
) < 0) {
396 /* SSLfatal() already called */
400 dtls1_start_timer(s
);
401 /* Calls SSLfatal() if required */
402 return dtls1_retransmit_buffered_messages(s
);
405 #define LISTEN_SUCCESS 2
406 #define LISTEN_SEND_VERIFY_REQUEST 1
408 #ifndef OPENSSL_NO_SOCK
409 int DTLSv1_listen(SSL
*ssl
, BIO_ADDR
*client
)
411 int next
, n
, ret
= 0;
412 unsigned char cookie
[DTLS1_COOKIE_LENGTH
];
413 unsigned char seq
[SEQ_NUM_SIZE
];
414 const unsigned char *data
;
415 unsigned char *buf
= NULL
, *wbuf
;
416 size_t fragoff
, fraglen
, msglen
;
417 unsigned int rectype
, versmajor
, msgseq
, msgtype
, clientvers
, cookielen
;
419 BIO_ADDR
*tmpclient
= NULL
;
420 PACKET pkt
, msgpkt
, msgpayload
, session
, cookiepkt
;
421 SSL_CONNECTION
*s
= SSL_CONNECTION_FROM_SSL_ONLY(ssl
);
426 if (s
->handshake_func
== NULL
) {
427 /* Not properly initialized yet */
428 SSL_set_accept_state(ssl
);
431 /* Ensure there is no state left over from a previous invocation */
437 rbio
= SSL_get_rbio(ssl
);
438 wbio
= SSL_get_wbio(ssl
);
440 if (!rbio
|| !wbio
) {
441 ERR_raise(ERR_LIB_SSL
, SSL_R_BIO_NOT_SET
);
446 * Note: This check deliberately excludes DTLS1_BAD_VER because that version
447 * requires the MAC to be calculated *including* the first ClientHello
448 * (without the cookie). Since DTLSv1_listen is stateless that cannot be
449 * supported. DTLS1_BAD_VER must use cookies in a stateful manner (e.g. via
452 if ((s
->version
& 0xff00) != (DTLS1_VERSION
& 0xff00)) {
453 ERR_raise(ERR_LIB_SSL
, SSL_R_UNSUPPORTED_SSL_VERSION
);
457 if (!ssl3_setup_buffers(s
)) {
458 /* ERR_raise() already called */
461 buf
= OPENSSL_malloc(DTLS1_RT_HEADER_LENGTH
+ SSL3_RT_MAX_PLAIN_LENGTH
);
463 ERR_raise(ERR_LIB_SSL
, ERR_R_MALLOC_FAILURE
);
466 wbuf
= RECORD_LAYER_get_wbuf(&s
->rlayer
)[0].buf
;
472 n
= BIO_read(rbio
, buf
, SSL3_RT_MAX_PLAIN_LENGTH
473 + DTLS1_RT_HEADER_LENGTH
);
475 if (BIO_should_retry(rbio
)) {
476 /* Non-blocking IO */
483 if (!PACKET_buf_init(&pkt
, buf
, n
)) {
484 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
490 * Parse the received record. If there are any problems with it we just
491 * dump it - with no alert. RFC6347 says this "Unlike TLS, DTLS is
492 * resilient in the face of invalid records (e.g., invalid formatting,
493 * length, MAC, etc.). In general, invalid records SHOULD be silently
494 * discarded, thus preserving the association; however, an error MAY be
495 * logged for diagnostic purposes."
498 /* this packet contained a partial record, dump it */
499 if (n
< DTLS1_RT_HEADER_LENGTH
) {
500 ERR_raise(ERR_LIB_SSL
, SSL_R_RECORD_TOO_SMALL
);
505 s
->msg_callback(0, 0, SSL3_RT_HEADER
, buf
,
506 DTLS1_RT_HEADER_LENGTH
, ssl
, s
->msg_callback_arg
);
508 /* Get the record header */
509 if (!PACKET_get_1(&pkt
, &rectype
)
510 || !PACKET_get_1(&pkt
, &versmajor
)) {
511 ERR_raise(ERR_LIB_SSL
, SSL_R_LENGTH_MISMATCH
);
515 if (rectype
!= SSL3_RT_HANDSHAKE
) {
516 ERR_raise(ERR_LIB_SSL
, SSL_R_UNEXPECTED_MESSAGE
);
521 * Check record version number. We only check that the major version is
524 if (versmajor
!= DTLS1_VERSION_MAJOR
) {
525 ERR_raise(ERR_LIB_SSL
, SSL_R_BAD_PROTOCOL_VERSION_NUMBER
);
529 if (!PACKET_forward(&pkt
, 1)
530 /* Save the sequence number: 64 bits, with top 2 bytes = epoch */
531 || !PACKET_copy_bytes(&pkt
, seq
, SEQ_NUM_SIZE
)
532 || !PACKET_get_length_prefixed_2(&pkt
, &msgpkt
)) {
533 ERR_raise(ERR_LIB_SSL
, SSL_R_LENGTH_MISMATCH
);
537 * We allow data remaining at the end of the packet because there could
538 * be a second record (but we ignore it)
541 /* This is an initial ClientHello so the epoch has to be 0 */
542 if (seq
[0] != 0 || seq
[1] != 0) {
543 ERR_raise(ERR_LIB_SSL
, SSL_R_UNEXPECTED_MESSAGE
);
547 /* Get a pointer to the raw message for the later callback */
548 data
= PACKET_data(&msgpkt
);
550 /* Finished processing the record header, now process the message */
551 if (!PACKET_get_1(&msgpkt
, &msgtype
)
552 || !PACKET_get_net_3_len(&msgpkt
, &msglen
)
553 || !PACKET_get_net_2(&msgpkt
, &msgseq
)
554 || !PACKET_get_net_3_len(&msgpkt
, &fragoff
)
555 || !PACKET_get_net_3_len(&msgpkt
, &fraglen
)
556 || !PACKET_get_sub_packet(&msgpkt
, &msgpayload
, fraglen
)
557 || PACKET_remaining(&msgpkt
) != 0) {
558 ERR_raise(ERR_LIB_SSL
, SSL_R_LENGTH_MISMATCH
);
562 if (msgtype
!= SSL3_MT_CLIENT_HELLO
) {
563 ERR_raise(ERR_LIB_SSL
, SSL_R_UNEXPECTED_MESSAGE
);
567 /* Message sequence number can only be 0 or 1 */
569 ERR_raise(ERR_LIB_SSL
, SSL_R_INVALID_SEQUENCE_NUMBER
);
574 * We don't support fragment reassembly for ClientHellos whilst
575 * listening because that would require server side state (which is
576 * against the whole point of the ClientHello/HelloVerifyRequest
577 * mechanism). Instead we only look at the first ClientHello fragment
578 * and require that the cookie must be contained within it.
580 if (fragoff
!= 0 || fraglen
> msglen
) {
581 /* Non initial ClientHello fragment (or bad fragment) */
582 ERR_raise(ERR_LIB_SSL
, SSL_R_FRAGMENTED_CLIENT_HELLO
);
587 s
->msg_callback(0, s
->version
, SSL3_RT_HANDSHAKE
, data
,
588 fraglen
+ DTLS1_HM_HEADER_LENGTH
, ssl
,
589 s
->msg_callback_arg
);
591 if (!PACKET_get_net_2(&msgpayload
, &clientvers
)) {
592 ERR_raise(ERR_LIB_SSL
, SSL_R_LENGTH_MISMATCH
);
597 * Verify client version is supported
599 if (DTLS_VERSION_LT(clientvers
, (unsigned int)ssl
->method
->version
) &&
600 ssl
->method
->version
!= DTLS_ANY_VERSION
) {
601 ERR_raise(ERR_LIB_SSL
, SSL_R_WRONG_VERSION_NUMBER
);
605 if (!PACKET_forward(&msgpayload
, SSL3_RANDOM_SIZE
)
606 || !PACKET_get_length_prefixed_1(&msgpayload
, &session
)
607 || !PACKET_get_length_prefixed_1(&msgpayload
, &cookiepkt
)) {
609 * Could be malformed or the cookie does not fit within the initial
610 * ClientHello fragment. Either way we can't handle it.
612 ERR_raise(ERR_LIB_SSL
, SSL_R_LENGTH_MISMATCH
);
617 * Check if we have a cookie or not. If not we need to send a
618 * HelloVerifyRequest.
620 if (PACKET_remaining(&cookiepkt
) == 0) {
621 next
= LISTEN_SEND_VERIFY_REQUEST
;
624 * We have a cookie, so lets check it.
626 if (ssl
->ctx
->app_verify_cookie_cb
== NULL
) {
627 ERR_raise(ERR_LIB_SSL
, SSL_R_NO_VERIFY_COOKIE_CALLBACK
);
632 if (ssl
->ctx
->app_verify_cookie_cb(ssl
, PACKET_data(&cookiepkt
),
633 (unsigned int)PACKET_remaining(&cookiepkt
)) == 0) {
635 * We treat invalid cookies in the same was as no cookie as
638 next
= LISTEN_SEND_VERIFY_REQUEST
;
640 /* Cookie verification succeeded */
641 next
= LISTEN_SUCCESS
;
645 if (next
== LISTEN_SEND_VERIFY_REQUEST
) {
647 unsigned int version
;
651 * There was no cookie in the ClientHello so we need to send a
652 * HelloVerifyRequest. If this fails we do not worry about trying
653 * to resend, we just drop it.
656 /* Generate the cookie */
657 if (ssl
->ctx
->app_gen_cookie_cb
== NULL
||
658 ssl
->ctx
->app_gen_cookie_cb(ssl
, cookie
, &cookielen
) == 0 ||
660 ERR_raise(ERR_LIB_SSL
, SSL_R_COOKIE_GEN_CALLBACK_FAILURE
);
667 * Special case: for hello verify request, client version 1.0 and we
668 * haven't decided which version to use yet send back using version
669 * 1.0 header: otherwise some clients will ignore it.
671 version
= (ssl
->method
->version
== DTLS_ANY_VERSION
) ? DTLS1_VERSION
674 /* Construct the record and message headers */
675 if (!WPACKET_init_static_len(&wpkt
,
677 ssl_get_max_send_fragment(s
)
678 + DTLS1_RT_HEADER_LENGTH
,
680 || !WPACKET_put_bytes_u8(&wpkt
, SSL3_RT_HANDSHAKE
)
681 || !WPACKET_put_bytes_u16(&wpkt
, version
)
683 * Record sequence number is always the same as in the
684 * received ClientHello
686 || !WPACKET_memcpy(&wpkt
, seq
, SEQ_NUM_SIZE
)
687 /* End of record, start sub packet for message */
688 || !WPACKET_start_sub_packet_u16(&wpkt
)
690 || !WPACKET_put_bytes_u8(&wpkt
,
691 DTLS1_MT_HELLO_VERIFY_REQUEST
)
693 * Message length - doesn't follow normal TLS convention:
694 * the length isn't the last thing in the message header.
695 * We'll need to fill this in later when we know the
696 * length. Set it to zero for now
698 || !WPACKET_put_bytes_u24(&wpkt
, 0)
700 * Message sequence number is always 0 for a
703 || !WPACKET_put_bytes_u16(&wpkt
, 0)
705 * We never fragment a HelloVerifyRequest, so fragment
708 || !WPACKET_put_bytes_u24(&wpkt
, 0)
710 * Fragment length is the same as message length, but
711 * this *is* the last thing in the message header so we
712 * can just start a sub-packet. No need to come back
713 * later for this one.
715 || !WPACKET_start_sub_packet_u24(&wpkt
)
716 /* Create the actual HelloVerifyRequest body */
717 || !dtls_raw_hello_verify_request(&wpkt
, cookie
, cookielen
)
718 /* Close message body */
719 || !WPACKET_close(&wpkt
)
720 /* Close record body */
721 || !WPACKET_close(&wpkt
)
722 || !WPACKET_get_total_written(&wpkt
, &wreclen
)
723 || !WPACKET_finish(&wpkt
)) {
724 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
725 WPACKET_cleanup(&wpkt
);
732 * Fix up the message len in the message header. Its the same as the
733 * fragment len which has been filled in by WPACKET, so just copy
734 * that. Destination for the message len is after the record header
735 * plus one byte for the message content type. The source is the
736 * last 3 bytes of the message header
738 memcpy(&wbuf
[DTLS1_RT_HEADER_LENGTH
+ 1],
739 &wbuf
[DTLS1_RT_HEADER_LENGTH
+ DTLS1_HM_HEADER_LENGTH
- 3],
743 s
->msg_callback(1, 0, SSL3_RT_HEADER
, buf
,
744 DTLS1_RT_HEADER_LENGTH
, ssl
,
745 s
->msg_callback_arg
);
747 if ((tmpclient
= BIO_ADDR_new()) == NULL
) {
748 ERR_raise(ERR_LIB_SSL
, ERR_R_MALLOC_FAILURE
);
753 * This is unnecessary if rbio and wbio are one and the same - but
754 * maybe they're not. We ignore errors here - some BIOs do not
757 if (BIO_dgram_get_peer(rbio
, tmpclient
) > 0) {
758 (void)BIO_dgram_set_peer(wbio
, tmpclient
);
760 BIO_ADDR_free(tmpclient
);
763 if (BIO_write(wbio
, wbuf
, wreclen
) < (int)wreclen
) {
764 if (BIO_should_retry(wbio
)) {
766 * Non-blocking IO...but we're stateless, so we're just
767 * going to drop this packet.
775 if (BIO_flush(wbio
) <= 0) {
776 if (BIO_should_retry(wbio
)) {
778 * Non-blocking IO...but we're stateless, so we're just
779 * going to drop this packet.
787 } while (next
!= LISTEN_SUCCESS
);
790 * Set expected sequence numbers to continue the handshake.
792 s
->d1
->handshake_read_seq
= 1;
793 s
->d1
->handshake_write_seq
= 1;
794 s
->d1
->next_handshake_write_seq
= 1;
795 DTLS_RECORD_LAYER_set_write_sequence(&s
->rlayer
, seq
);
798 * We are doing cookie exchange, so make sure we set that option in the
801 SSL_set_options(ssl
, SSL_OP_COOKIE_EXCHANGE
);
804 * Tell the state machine that we've done the initial hello verify
807 ossl_statem_set_hello_verify_done(s
);
810 * Some BIOs may not support this. If we fail we clear the client address
812 if (BIO_dgram_get_peer(rbio
, client
) <= 0)
813 BIO_ADDR_clear(client
);
815 /* Buffer the record for use by the record layer */
816 if (BIO_write(s
->rlayer
.rrlnext
, buf
, n
) != n
) {
817 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
823 * Reset the record layer - but this time we can use the record we just
824 * buffered in s->rlayer.rrlnext
826 if (!ssl_set_new_record_layer(s
,
828 OSSL_RECORD_DIRECTION_READ
,
829 OSSL_RECORD_PROTECTION_LEVEL_NONE
,
830 NULL
, 0, NULL
, 0, NULL
, 0, NULL
, 0,
831 NID_undef
, NULL
, NULL
)) {
832 /* SSLfatal already called */
839 BIO_ADDR_free(tmpclient
);
845 static int dtls1_handshake_write(SSL_CONNECTION
*s
)
847 return dtls1_do_write(s
, SSL3_RT_HANDSHAKE
);
850 int dtls1_shutdown(SSL
*s
)
853 #ifndef OPENSSL_NO_SCTP
855 SSL_CONNECTION
*sc
= SSL_CONNECTION_FROM_SSL_ONLY(s
);
860 wbio
= SSL_get_wbio(s
);
861 if (wbio
!= NULL
&& BIO_dgram_is_sctp(wbio
) &&
862 !(sc
->shutdown
& SSL_SENT_SHUTDOWN
)) {
863 ret
= BIO_dgram_sctp_wait_for_dry(wbio
);
868 BIO_ctrl(SSL_get_wbio(s
), BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN
, 1,
872 ret
= ssl3_shutdown(s
);
873 #ifndef OPENSSL_NO_SCTP
874 BIO_ctrl(SSL_get_wbio(s
), BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN
, 0, NULL
);
879 int dtls1_query_mtu(SSL_CONNECTION
*s
)
881 SSL
*ssl
= SSL_CONNECTION_GET_SSL(s
);
883 if (s
->d1
->link_mtu
) {
885 s
->d1
->link_mtu
- BIO_dgram_get_mtu_overhead(SSL_get_wbio(ssl
));
889 /* AHA! Figure out the MTU, and stick to the right size */
890 if (s
->d1
->mtu
< dtls1_min_mtu(s
)) {
891 if (!(SSL_get_options(ssl
) & SSL_OP_NO_QUERY_MTU
)) {
893 BIO_ctrl(SSL_get_wbio(ssl
), BIO_CTRL_DGRAM_QUERY_MTU
, 0, NULL
);
896 * I've seen the kernel return bogus numbers when it doesn't know
897 * (initial write), so just make sure we have a reasonable number
899 if (s
->d1
->mtu
< dtls1_min_mtu(s
)) {
901 s
->d1
->mtu
= dtls1_min_mtu(s
);
902 BIO_ctrl(SSL_get_wbio(ssl
), BIO_CTRL_DGRAM_SET_MTU
,
903 (long)s
->d1
->mtu
, NULL
);
911 static size_t dtls1_link_min_mtu(void)
913 return (g_probable_mtu
[(sizeof(g_probable_mtu
) /
914 sizeof(g_probable_mtu
[0])) - 1]);
917 size_t dtls1_min_mtu(SSL_CONNECTION
*s
)
919 SSL
*ssl
= SSL_CONNECTION_GET_SSL(s
);
921 return dtls1_link_min_mtu() - BIO_dgram_get_mtu_overhead(SSL_get_wbio(ssl
));
924 size_t DTLS_get_data_mtu(const SSL
*ssl
)
926 size_t mac_overhead
, int_overhead
, blocksize
, ext_overhead
;
927 const SSL_CIPHER
*ciph
= SSL_get_current_cipher(ssl
);
929 const SSL_CONNECTION
*s
= SSL_CONNECTION_FROM_CONST_SSL_ONLY(ssl
);
939 if (!ssl_cipher_get_overhead(ciph
, &mac_overhead
, &int_overhead
,
940 &blocksize
, &ext_overhead
))
944 ext_overhead
+= mac_overhead
;
946 int_overhead
+= mac_overhead
;
948 /* Subtract external overhead (e.g. IV/nonce, separate MAC) */
949 if (ext_overhead
+ DTLS1_RT_HEADER_LENGTH
>= mtu
)
951 mtu
-= ext_overhead
+ DTLS1_RT_HEADER_LENGTH
;
953 /* Round encrypted payload down to cipher block size (for CBC etc.)
954 * No check for overflow since 'mtu % blocksize' cannot exceed mtu. */
956 mtu
-= (mtu
% blocksize
);
958 /* Subtract internal overhead (e.g. CBC padding len byte) */
959 if (int_overhead
>= mtu
)
966 void DTLS_set_timer_cb(SSL
*ssl
, DTLS_timer_cb cb
)
968 SSL_CONNECTION
*s
= SSL_CONNECTION_FROM_SSL_ONLY(ssl
);
973 s
->d1
->timer_cb
= cb
;