2 * Copyright 2005-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include "internal/e_os.h"
12 #include <openssl/objects.h>
13 #include <openssl/rand.h>
14 #include "ssl_local.h"
16 static void get_current_time(struct timeval
*t
);
17 static int dtls1_handshake_write(SSL
*s
);
18 static size_t dtls1_link_min_mtu(void);
20 /* XDTLS: figure out the right values */
21 static const size_t g_probable_mtu
[] = { 1500, 512, 256 };
23 const SSL3_ENC_METHOD DTLSv1_enc_data
= {
27 tls1_generate_master_secret
,
28 tls1_change_cipher_state
,
29 tls1_final_finish_mac
,
30 TLS_MD_CLIENT_FINISH_CONST
, TLS_MD_CLIENT_FINISH_CONST_SIZE
,
31 TLS_MD_SERVER_FINISH_CONST
, TLS_MD_SERVER_FINISH_CONST_SIZE
,
33 tls1_export_keying_material
,
34 SSL_ENC_FLAG_DTLS
| SSL_ENC_FLAG_EXPLICIT_IV
,
35 dtls1_set_handshake_header
,
36 dtls1_close_construct_packet
,
40 const SSL3_ENC_METHOD DTLSv1_2_enc_data
= {
44 tls1_generate_master_secret
,
45 tls1_change_cipher_state
,
46 tls1_final_finish_mac
,
47 TLS_MD_CLIENT_FINISH_CONST
, TLS_MD_CLIENT_FINISH_CONST_SIZE
,
48 TLS_MD_SERVER_FINISH_CONST
, TLS_MD_SERVER_FINISH_CONST_SIZE
,
50 tls1_export_keying_material
,
51 SSL_ENC_FLAG_DTLS
| SSL_ENC_FLAG_EXPLICIT_IV
| SSL_ENC_FLAG_SIGALGS
52 | SSL_ENC_FLAG_SHA256_PRF
| SSL_ENC_FLAG_TLS1_2_CIPHERS
,
53 dtls1_set_handshake_header
,
54 dtls1_close_construct_packet
,
58 long dtls1_default_timeout(void)
61 * 2 hours, the 24 hours mentioned in the DTLSv1 spec is way too long for
62 * http, the cache would over fill
71 if (!DTLS_RECORD_LAYER_new(&s
->rlayer
)) {
77 if ((d1
= OPENSSL_zalloc(sizeof(*d1
))) == NULL
) {
82 d1
->buffered_messages
= pqueue_new();
83 d1
->sent_messages
= pqueue_new();
86 d1
->cookie_len
= sizeof(s
->d1
->cookie
);
92 if (d1
->buffered_messages
== NULL
|| d1
->sent_messages
== NULL
) {
93 pqueue_free(d1
->buffered_messages
);
94 pqueue_free(d1
->sent_messages
);
102 if (!s
->method
->ssl_clear(s
))
108 static void dtls1_clear_queues(SSL
*s
)
110 dtls1_clear_received_buffer(s
);
111 dtls1_clear_sent_buffer(s
);
114 void dtls1_clear_received_buffer(SSL
*s
)
117 hm_fragment
*frag
= NULL
;
119 while ((item
= pqueue_pop(s
->d1
->buffered_messages
)) != NULL
) {
120 frag
= (hm_fragment
*)item
->data
;
121 dtls1_hm_fragment_free(frag
);
126 void dtls1_clear_sent_buffer(SSL
*s
)
129 hm_fragment
*frag
= NULL
;
131 while ((item
= pqueue_pop(s
->d1
->sent_messages
)) != NULL
) {
132 frag
= (hm_fragment
*)item
->data
;
133 dtls1_hm_fragment_free(frag
);
139 void dtls1_free(SSL
*s
)
141 DTLS_RECORD_LAYER_free(&s
->rlayer
);
146 dtls1_clear_queues(s
);
147 pqueue_free(s
->d1
->buffered_messages
);
148 pqueue_free(s
->d1
->sent_messages
);
155 int dtls1_clear(SSL
*s
)
157 pqueue
*buffered_messages
;
158 pqueue
*sent_messages
;
162 DTLS_RECORD_LAYER_clear(&s
->rlayer
);
165 DTLS_timer_cb timer_cb
= s
->d1
->timer_cb
;
167 buffered_messages
= s
->d1
->buffered_messages
;
168 sent_messages
= s
->d1
->sent_messages
;
170 link_mtu
= s
->d1
->link_mtu
;
172 dtls1_clear_queues(s
);
174 memset(s
->d1
, 0, sizeof(*s
->d1
));
176 /* Restore the timer callback from previous state */
177 s
->d1
->timer_cb
= timer_cb
;
180 s
->d1
->cookie_len
= sizeof(s
->d1
->cookie
);
183 if (SSL_get_options(s
) & SSL_OP_NO_QUERY_MTU
) {
185 s
->d1
->link_mtu
= link_mtu
;
188 s
->d1
->buffered_messages
= buffered_messages
;
189 s
->d1
->sent_messages
= sent_messages
;
195 if (s
->method
->version
== DTLS_ANY_VERSION
)
196 s
->version
= DTLS_MAX_VERSION_INTERNAL
;
197 #ifndef OPENSSL_NO_DTLS1_METHOD
198 else if (s
->options
& SSL_OP_CISCO_ANYCONNECT
)
199 s
->client_version
= s
->version
= DTLS1_BAD_VER
;
202 s
->version
= s
->method
->version
;
207 long dtls1_ctrl(SSL
*s
, int cmd
, long larg
, void *parg
)
212 case DTLS_CTRL_GET_TIMEOUT
:
213 if (dtls1_get_timeout(s
, (struct timeval
*)parg
) != NULL
) {
217 case DTLS_CTRL_HANDLE_TIMEOUT
:
218 ret
= dtls1_handle_timeout(s
);
220 case DTLS_CTRL_SET_LINK_MTU
:
221 if (larg
< (long)dtls1_link_min_mtu())
223 s
->d1
->link_mtu
= larg
;
225 case DTLS_CTRL_GET_LINK_MIN_MTU
:
226 return (long)dtls1_link_min_mtu();
227 case SSL_CTRL_SET_MTU
:
229 * We may not have a BIO set yet so can't call dtls1_min_mtu()
230 * We'll have to make do with dtls1_link_min_mtu() and max overhead
232 if (larg
< (long)dtls1_link_min_mtu() - DTLS1_MAX_MTU_OVERHEAD
)
237 ret
= ssl3_ctrl(s
, cmd
, larg
, parg
);
243 void dtls1_start_timer(SSL
*s
)
245 unsigned int sec
, usec
;
247 #ifndef OPENSSL_NO_SCTP
248 /* Disable timer for SCTP */
249 if (BIO_dgram_is_sctp(SSL_get_wbio(s
))) {
250 memset(&s
->d1
->next_timeout
, 0, sizeof(s
->d1
->next_timeout
));
256 * If timer is not set, initialize duration with 1 second or
257 * a user-specified value if the timer callback is installed.
259 if (s
->d1
->next_timeout
.tv_sec
== 0 && s
->d1
->next_timeout
.tv_usec
== 0) {
261 if (s
->d1
->timer_cb
!= NULL
)
262 s
->d1
->timeout_duration_us
= s
->d1
->timer_cb(s
, 0);
264 s
->d1
->timeout_duration_us
= 1000000;
267 /* Set timeout to current time */
268 get_current_time(&(s
->d1
->next_timeout
));
270 /* Add duration to current time */
272 sec
= s
->d1
->timeout_duration_us
/ 1000000;
273 usec
= s
->d1
->timeout_duration_us
- (sec
* 1000000);
275 s
->d1
->next_timeout
.tv_sec
+= sec
;
276 s
->d1
->next_timeout
.tv_usec
+= usec
;
278 if (s
->d1
->next_timeout
.tv_usec
>= 1000000) {
279 s
->d1
->next_timeout
.tv_sec
++;
280 s
->d1
->next_timeout
.tv_usec
-= 1000000;
283 BIO_ctrl(SSL_get_rbio(s
), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT
, 0,
284 &(s
->d1
->next_timeout
));
287 struct timeval
*dtls1_get_timeout(SSL
*s
, struct timeval
*timeleft
)
289 struct timeval timenow
;
291 /* If no timeout is set, just return NULL */
292 if (s
->d1
->next_timeout
.tv_sec
== 0 && s
->d1
->next_timeout
.tv_usec
== 0) {
296 /* Get current time */
297 get_current_time(&timenow
);
299 /* If timer already expired, set remaining time to 0 */
300 if (s
->d1
->next_timeout
.tv_sec
< timenow
.tv_sec
||
301 (s
->d1
->next_timeout
.tv_sec
== timenow
.tv_sec
&&
302 s
->d1
->next_timeout
.tv_usec
<= timenow
.tv_usec
)) {
303 memset(timeleft
, 0, sizeof(*timeleft
));
307 /* Calculate time left until timer expires */
308 memcpy(timeleft
, &(s
->d1
->next_timeout
), sizeof(struct timeval
));
309 timeleft
->tv_sec
-= timenow
.tv_sec
;
310 timeleft
->tv_usec
-= timenow
.tv_usec
;
311 if (timeleft
->tv_usec
< 0) {
313 timeleft
->tv_usec
+= 1000000;
317 * If remaining time is less than 15 ms, set it to 0 to prevent issues
318 * because of small divergences with socket timeouts.
320 if (timeleft
->tv_sec
== 0 && timeleft
->tv_usec
< 15000) {
321 memset(timeleft
, 0, sizeof(*timeleft
));
327 int dtls1_is_timer_expired(SSL
*s
)
329 struct timeval timeleft
;
331 /* Get time left until timeout, return false if no timer running */
332 if (dtls1_get_timeout(s
, &timeleft
) == NULL
) {
336 /* Return false if timer is not expired yet */
337 if (timeleft
.tv_sec
> 0 || timeleft
.tv_usec
> 0) {
341 /* Timer expired, so return true */
345 static void dtls1_double_timeout(SSL
*s
)
347 s
->d1
->timeout_duration_us
*= 2;
348 if (s
->d1
->timeout_duration_us
> 60000000)
349 s
->d1
->timeout_duration_us
= 60000000;
352 void dtls1_stop_timer(SSL
*s
)
354 /* Reset everything */
355 s
->d1
->timeout_num_alerts
= 0;
356 memset(&s
->d1
->next_timeout
, 0, sizeof(s
->d1
->next_timeout
));
357 s
->d1
->timeout_duration_us
= 1000000;
358 BIO_ctrl(SSL_get_rbio(s
), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT
, 0,
359 &(s
->d1
->next_timeout
));
360 /* Clear retransmission buffer */
361 dtls1_clear_sent_buffer(s
);
364 int dtls1_check_timeout_num(SSL
*s
)
368 s
->d1
->timeout_num_alerts
++;
370 /* Reduce MTU after 2 unsuccessful retransmissions */
371 if (s
->d1
->timeout_num_alerts
> 2
372 && !(SSL_get_options(s
) & SSL_OP_NO_QUERY_MTU
)) {
374 BIO_ctrl(SSL_get_wbio(s
), BIO_CTRL_DGRAM_GET_FALLBACK_MTU
, 0, NULL
);
375 if (mtu
< s
->d1
->mtu
)
379 if (s
->d1
->timeout_num_alerts
> DTLS1_TMO_ALERT_COUNT
) {
380 /* fail the connection, enough alerts have been sent */
381 SSLfatal(s
, SSL_AD_NO_ALERT
, SSL_R_READ_TIMEOUT_EXPIRED
);
388 int dtls1_handle_timeout(SSL
*s
)
390 /* if no timer is expired, don't do anything */
391 if (!dtls1_is_timer_expired(s
)) {
395 if (s
->d1
->timer_cb
!= NULL
)
396 s
->d1
->timeout_duration_us
= s
->d1
->timer_cb(s
, s
->d1
->timeout_duration_us
);
398 dtls1_double_timeout(s
);
400 if (dtls1_check_timeout_num(s
) < 0) {
401 /* SSLfatal() already called */
405 dtls1_start_timer(s
);
406 /* Calls SSLfatal() if required */
407 return dtls1_retransmit_buffered_messages(s
);
410 static void get_current_time(struct timeval
*t
)
420 SystemTimeToFileTime(&st
, &now
.ft
);
421 /* re-bias to 1/1/1970 */
423 now
.ul
-= 116444736000000000ULL;
426 now
.ul
-= 116444736000000000UI
64;
429 t
->tv_sec
= (long)(now
.ul
/ 10000000);
430 t
->tv_usec
= ((int)(now
.ul
% 10000000)) / 10;
432 gettimeofday(t
, NULL
);
436 #define LISTEN_SUCCESS 2
437 #define LISTEN_SEND_VERIFY_REQUEST 1
439 #ifndef OPENSSL_NO_SOCK
440 int DTLSv1_listen(SSL
*s
, BIO_ADDR
*client
)
442 int next
, n
, ret
= 0;
443 unsigned char cookie
[DTLS1_COOKIE_LENGTH
];
444 unsigned char seq
[SEQ_NUM_SIZE
];
445 const unsigned char *data
;
446 unsigned char *buf
, *wbuf
;
447 size_t fragoff
, fraglen
, msglen
, reclen
, align
= 0;
448 unsigned int rectype
, versmajor
, msgseq
, msgtype
, clientvers
, cookielen
;
450 BIO_ADDR
*tmpclient
= NULL
;
451 PACKET pkt
, msgpkt
, msgpayload
, session
, cookiepkt
;
453 if (s
->handshake_func
== NULL
) {
454 /* Not properly initialized yet */
455 SSL_set_accept_state(s
);
458 /* Ensure there is no state left over from a previous invocation */
464 rbio
= SSL_get_rbio(s
);
465 wbio
= SSL_get_wbio(s
);
467 if (!rbio
|| !wbio
) {
468 ERR_raise(ERR_LIB_SSL
, SSL_R_BIO_NOT_SET
);
473 * Note: This check deliberately excludes DTLS1_BAD_VER because that version
474 * requires the MAC to be calculated *including* the first ClientHello
475 * (without the cookie). Since DTLSv1_listen is stateless that cannot be
476 * supported. DTLS1_BAD_VER must use cookies in a stateful manner (e.g. via
479 if ((s
->version
& 0xff00) != (DTLS1_VERSION
& 0xff00)) {
480 ERR_raise(ERR_LIB_SSL
, SSL_R_UNSUPPORTED_SSL_VERSION
);
484 if (!ssl3_setup_buffers(s
)) {
485 /* ERR_raise() already called */
488 buf
= RECORD_LAYER_get_rbuf(&s
->rlayer
)->buf
;
489 wbuf
= RECORD_LAYER_get_wbuf(&s
->rlayer
)[0].buf
;
490 #if defined(SSL3_ALIGN_PAYLOAD)
491 # if SSL3_ALIGN_PAYLOAD != 0
493 * Using SSL3_RT_HEADER_LENGTH here instead of DTLS1_RT_HEADER_LENGTH for
494 * consistency with ssl3_read_n. In practice it should make no difference
495 * for sensible values of SSL3_ALIGN_PAYLOAD because the difference between
496 * SSL3_RT_HEADER_LENGTH and DTLS1_RT_HEADER_LENGTH is exactly 8
498 align
= (size_t)buf
+ SSL3_RT_HEADER_LENGTH
;
499 align
= SSL3_ALIGN_PAYLOAD
- 1 - ((align
- 1) % SSL3_ALIGN_PAYLOAD
);
508 n
= BIO_read(rbio
, buf
, SSL3_RT_MAX_PLAIN_LENGTH
509 + DTLS1_RT_HEADER_LENGTH
);
511 if (BIO_should_retry(rbio
)) {
512 /* Non-blocking IO */
518 if (!PACKET_buf_init(&pkt
, buf
, n
)) {
519 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
524 * Parse the received record. If there are any problems with it we just
525 * dump it - with no alert. RFC6347 says this "Unlike TLS, DTLS is
526 * resilient in the face of invalid records (e.g., invalid formatting,
527 * length, MAC, etc.). In general, invalid records SHOULD be silently
528 * discarded, thus preserving the association; however, an error MAY be
529 * logged for diagnostic purposes."
532 /* this packet contained a partial record, dump it */
533 if (n
< DTLS1_RT_HEADER_LENGTH
) {
534 ERR_raise(ERR_LIB_SSL
, SSL_R_RECORD_TOO_SMALL
);
539 s
->msg_callback(0, 0, SSL3_RT_HEADER
, buf
,
540 DTLS1_RT_HEADER_LENGTH
, s
, s
->msg_callback_arg
);
542 /* Get the record header */
543 if (!PACKET_get_1(&pkt
, &rectype
)
544 || !PACKET_get_1(&pkt
, &versmajor
)) {
545 ERR_raise(ERR_LIB_SSL
, SSL_R_LENGTH_MISMATCH
);
549 if (rectype
!= SSL3_RT_HANDSHAKE
) {
550 ERR_raise(ERR_LIB_SSL
, SSL_R_UNEXPECTED_MESSAGE
);
555 * Check record version number. We only check that the major version is
558 if (versmajor
!= DTLS1_VERSION_MAJOR
) {
559 ERR_raise(ERR_LIB_SSL
, SSL_R_BAD_PROTOCOL_VERSION_NUMBER
);
563 if (!PACKET_forward(&pkt
, 1)
564 /* Save the sequence number: 64 bits, with top 2 bytes = epoch */
565 || !PACKET_copy_bytes(&pkt
, seq
, SEQ_NUM_SIZE
)
566 || !PACKET_get_length_prefixed_2(&pkt
, &msgpkt
)) {
567 ERR_raise(ERR_LIB_SSL
, SSL_R_LENGTH_MISMATCH
);
570 reclen
= PACKET_remaining(&msgpkt
);
572 * We allow data remaining at the end of the packet because there could
573 * be a second record (but we ignore it)
576 /* This is an initial ClientHello so the epoch has to be 0 */
577 if (seq
[0] != 0 || seq
[1] != 0) {
578 ERR_raise(ERR_LIB_SSL
, SSL_R_UNEXPECTED_MESSAGE
);
582 /* Get a pointer to the raw message for the later callback */
583 data
= PACKET_data(&msgpkt
);
585 /* Finished processing the record header, now process the message */
586 if (!PACKET_get_1(&msgpkt
, &msgtype
)
587 || !PACKET_get_net_3_len(&msgpkt
, &msglen
)
588 || !PACKET_get_net_2(&msgpkt
, &msgseq
)
589 || !PACKET_get_net_3_len(&msgpkt
, &fragoff
)
590 || !PACKET_get_net_3_len(&msgpkt
, &fraglen
)
591 || !PACKET_get_sub_packet(&msgpkt
, &msgpayload
, fraglen
)
592 || PACKET_remaining(&msgpkt
) != 0) {
593 ERR_raise(ERR_LIB_SSL
, SSL_R_LENGTH_MISMATCH
);
597 if (msgtype
!= SSL3_MT_CLIENT_HELLO
) {
598 ERR_raise(ERR_LIB_SSL
, SSL_R_UNEXPECTED_MESSAGE
);
602 /* Message sequence number can only be 0 or 1 */
604 ERR_raise(ERR_LIB_SSL
, SSL_R_INVALID_SEQUENCE_NUMBER
);
609 * We don't support fragment reassembly for ClientHellos whilst
610 * listening because that would require server side state (which is
611 * against the whole point of the ClientHello/HelloVerifyRequest
612 * mechanism). Instead we only look at the first ClientHello fragment
613 * and require that the cookie must be contained within it.
615 if (fragoff
!= 0 || fraglen
> msglen
) {
616 /* Non initial ClientHello fragment (or bad fragment) */
617 ERR_raise(ERR_LIB_SSL
, SSL_R_FRAGMENTED_CLIENT_HELLO
);
622 s
->msg_callback(0, s
->version
, SSL3_RT_HANDSHAKE
, data
,
623 fraglen
+ DTLS1_HM_HEADER_LENGTH
, s
,
624 s
->msg_callback_arg
);
626 if (!PACKET_get_net_2(&msgpayload
, &clientvers
)) {
627 ERR_raise(ERR_LIB_SSL
, SSL_R_LENGTH_MISMATCH
);
632 * Verify client version is supported
634 if (DTLS_VERSION_LT(clientvers
, (unsigned int)s
->method
->version
) &&
635 s
->method
->version
!= DTLS_ANY_VERSION
) {
636 ERR_raise(ERR_LIB_SSL
, SSL_R_WRONG_VERSION_NUMBER
);
640 if (!PACKET_forward(&msgpayload
, SSL3_RANDOM_SIZE
)
641 || !PACKET_get_length_prefixed_1(&msgpayload
, &session
)
642 || !PACKET_get_length_prefixed_1(&msgpayload
, &cookiepkt
)) {
644 * Could be malformed or the cookie does not fit within the initial
645 * ClientHello fragment. Either way we can't handle it.
647 ERR_raise(ERR_LIB_SSL
, SSL_R_LENGTH_MISMATCH
);
652 * Check if we have a cookie or not. If not we need to send a
653 * HelloVerifyRequest.
655 if (PACKET_remaining(&cookiepkt
) == 0) {
656 next
= LISTEN_SEND_VERIFY_REQUEST
;
659 * We have a cookie, so lets check it.
661 if (s
->ctx
->app_verify_cookie_cb
== NULL
) {
662 ERR_raise(ERR_LIB_SSL
, SSL_R_NO_VERIFY_COOKIE_CALLBACK
);
666 if (s
->ctx
->app_verify_cookie_cb(s
, PACKET_data(&cookiepkt
),
667 (unsigned int)PACKET_remaining(&cookiepkt
)) == 0) {
669 * We treat invalid cookies in the same was as no cookie as
672 next
= LISTEN_SEND_VERIFY_REQUEST
;
674 /* Cookie verification succeeded */
675 next
= LISTEN_SUCCESS
;
679 if (next
== LISTEN_SEND_VERIFY_REQUEST
) {
681 unsigned int version
;
685 * There was no cookie in the ClientHello so we need to send a
686 * HelloVerifyRequest. If this fails we do not worry about trying
687 * to resend, we just drop it.
690 /* Generate the cookie */
691 if (s
->ctx
->app_gen_cookie_cb
== NULL
||
692 s
->ctx
->app_gen_cookie_cb(s
, cookie
, &cookielen
) == 0 ||
694 ERR_raise(ERR_LIB_SSL
, SSL_R_COOKIE_GEN_CALLBACK_FAILURE
);
700 * Special case: for hello verify request, client version 1.0 and we
701 * haven't decided which version to use yet send back using version
702 * 1.0 header: otherwise some clients will ignore it.
704 version
= (s
->method
->version
== DTLS_ANY_VERSION
) ? DTLS1_VERSION
707 /* Construct the record and message headers */
708 if (!WPACKET_init_static_len(&wpkt
,
710 ssl_get_max_send_fragment(s
)
711 + DTLS1_RT_HEADER_LENGTH
,
713 || !WPACKET_put_bytes_u8(&wpkt
, SSL3_RT_HANDSHAKE
)
714 || !WPACKET_put_bytes_u16(&wpkt
, version
)
716 * Record sequence number is always the same as in the
717 * received ClientHello
719 || !WPACKET_memcpy(&wpkt
, seq
, SEQ_NUM_SIZE
)
720 /* End of record, start sub packet for message */
721 || !WPACKET_start_sub_packet_u16(&wpkt
)
723 || !WPACKET_put_bytes_u8(&wpkt
,
724 DTLS1_MT_HELLO_VERIFY_REQUEST
)
726 * Message length - doesn't follow normal TLS convention:
727 * the length isn't the last thing in the message header.
728 * We'll need to fill this in later when we know the
729 * length. Set it to zero for now
731 || !WPACKET_put_bytes_u24(&wpkt
, 0)
733 * Message sequence number is always 0 for a
736 || !WPACKET_put_bytes_u16(&wpkt
, 0)
738 * We never fragment a HelloVerifyRequest, so fragment
741 || !WPACKET_put_bytes_u24(&wpkt
, 0)
743 * Fragment length is the same as message length, but
744 * this *is* the last thing in the message header so we
745 * can just start a sub-packet. No need to come back
746 * later for this one.
748 || !WPACKET_start_sub_packet_u24(&wpkt
)
749 /* Create the actual HelloVerifyRequest body */
750 || !dtls_raw_hello_verify_request(&wpkt
, cookie
, cookielen
)
751 /* Close message body */
752 || !WPACKET_close(&wpkt
)
753 /* Close record body */
754 || !WPACKET_close(&wpkt
)
755 || !WPACKET_get_total_written(&wpkt
, &wreclen
)
756 || !WPACKET_finish(&wpkt
)) {
757 ERR_raise(ERR_LIB_SSL
, ERR_R_INTERNAL_ERROR
);
758 WPACKET_cleanup(&wpkt
);
764 * Fix up the message len in the message header. Its the same as the
765 * fragment len which has been filled in by WPACKET, so just copy
766 * that. Destination for the message len is after the record header
767 * plus one byte for the message content type. The source is the
768 * last 3 bytes of the message header
770 memcpy(&wbuf
[DTLS1_RT_HEADER_LENGTH
+ 1],
771 &wbuf
[DTLS1_RT_HEADER_LENGTH
+ DTLS1_HM_HEADER_LENGTH
- 3],
775 s
->msg_callback(1, 0, SSL3_RT_HEADER
, buf
,
776 DTLS1_RT_HEADER_LENGTH
, s
, s
->msg_callback_arg
);
778 if ((tmpclient
= BIO_ADDR_new()) == NULL
) {
779 ERR_raise(ERR_LIB_SSL
, ERR_R_MALLOC_FAILURE
);
784 * This is unnecessary if rbio and wbio are one and the same - but
785 * maybe they're not. We ignore errors here - some BIOs do not
788 if (BIO_dgram_get_peer(rbio
, tmpclient
) > 0) {
789 (void)BIO_dgram_set_peer(wbio
, tmpclient
);
791 BIO_ADDR_free(tmpclient
);
794 if (BIO_write(wbio
, wbuf
, wreclen
) < (int)wreclen
) {
795 if (BIO_should_retry(wbio
)) {
797 * Non-blocking IO...but we're stateless, so we're just
798 * going to drop this packet.
805 if (BIO_flush(wbio
) <= 0) {
806 if (BIO_should_retry(wbio
)) {
808 * Non-blocking IO...but we're stateless, so we're just
809 * going to drop this packet.
816 } while (next
!= LISTEN_SUCCESS
);
819 * Set expected sequence numbers to continue the handshake.
821 s
->d1
->handshake_read_seq
= 1;
822 s
->d1
->handshake_write_seq
= 1;
823 s
->d1
->next_handshake_write_seq
= 1;
824 DTLS_RECORD_LAYER_set_write_sequence(&s
->rlayer
, seq
);
827 * We are doing cookie exchange, so make sure we set that option in the
830 SSL_set_options(s
, SSL_OP_COOKIE_EXCHANGE
);
833 * Tell the state machine that we've done the initial hello verify
836 ossl_statem_set_hello_verify_done(s
);
839 * Some BIOs may not support this. If we fail we clear the client address
841 if (BIO_dgram_get_peer(rbio
, client
) <= 0)
842 BIO_ADDR_clear(client
);
844 /* Buffer the record in the processed_rcds queue */
845 if (!dtls_buffer_listen_record(s
, reclen
, seq
, align
))
850 BIO_ADDR_free(tmpclient
);
855 static int dtls1_handshake_write(SSL
*s
)
857 return dtls1_do_write(s
, SSL3_RT_HANDSHAKE
);
860 int dtls1_shutdown(SSL
*s
)
863 #ifndef OPENSSL_NO_SCTP
866 wbio
= SSL_get_wbio(s
);
867 if (wbio
!= NULL
&& BIO_dgram_is_sctp(wbio
) &&
868 !(s
->shutdown
& SSL_SENT_SHUTDOWN
)) {
869 ret
= BIO_dgram_sctp_wait_for_dry(wbio
);
874 BIO_ctrl(SSL_get_wbio(s
), BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN
, 1,
878 ret
= ssl3_shutdown(s
);
879 #ifndef OPENSSL_NO_SCTP
880 BIO_ctrl(SSL_get_wbio(s
), BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN
, 0, NULL
);
885 int dtls1_query_mtu(SSL
*s
)
887 if (s
->d1
->link_mtu
) {
889 s
->d1
->link_mtu
- BIO_dgram_get_mtu_overhead(SSL_get_wbio(s
));
893 /* AHA! Figure out the MTU, and stick to the right size */
894 if (s
->d1
->mtu
< dtls1_min_mtu(s
)) {
895 if (!(SSL_get_options(s
) & SSL_OP_NO_QUERY_MTU
)) {
897 BIO_ctrl(SSL_get_wbio(s
), BIO_CTRL_DGRAM_QUERY_MTU
, 0, NULL
);
900 * I've seen the kernel return bogus numbers when it doesn't know
901 * (initial write), so just make sure we have a reasonable number
903 if (s
->d1
->mtu
< dtls1_min_mtu(s
)) {
905 s
->d1
->mtu
= dtls1_min_mtu(s
);
906 BIO_ctrl(SSL_get_wbio(s
), BIO_CTRL_DGRAM_SET_MTU
,
907 (long)s
->d1
->mtu
, NULL
);
915 static size_t dtls1_link_min_mtu(void)
917 return (g_probable_mtu
[(sizeof(g_probable_mtu
) /
918 sizeof(g_probable_mtu
[0])) - 1]);
921 size_t dtls1_min_mtu(SSL
*s
)
923 return dtls1_link_min_mtu() - BIO_dgram_get_mtu_overhead(SSL_get_wbio(s
));
926 size_t DTLS_get_data_mtu(const SSL
*s
)
928 size_t mac_overhead
, int_overhead
, blocksize
, ext_overhead
;
929 const SSL_CIPHER
*ciph
= SSL_get_current_cipher(s
);
930 size_t mtu
= s
->d1
->mtu
;
935 if (!ssl_cipher_get_overhead(ciph
, &mac_overhead
, &int_overhead
,
936 &blocksize
, &ext_overhead
))
940 ext_overhead
+= mac_overhead
;
942 int_overhead
+= mac_overhead
;
944 /* Subtract external overhead (e.g. IV/nonce, separate MAC) */
945 if (ext_overhead
+ DTLS1_RT_HEADER_LENGTH
>= mtu
)
947 mtu
-= ext_overhead
+ DTLS1_RT_HEADER_LENGTH
;
949 /* Round encrypted payload down to cipher block size (for CBC etc.)
950 * No check for overflow since 'mtu % blocksize' cannot exceed mtu. */
952 mtu
-= (mtu
% blocksize
);
954 /* Subtract internal overhead (e.g. CBC padding len byte) */
955 if (int_overhead
>= mtu
)
962 void DTLS_set_timer_cb(SSL
*s
, DTLS_timer_cb cb
)
964 s
->d1
->timer_cb
= cb
;