2 * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
12 #include "../ssl_local.h"
13 #include <openssl/evp.h>
14 #include <openssl/buffer.h>
15 #include "record_local.h"
16 #include "internal/packet.h"
17 #include "internal/cryptlib.h"
19 int DTLS_RECORD_LAYER_new(RECORD_LAYER
*rl
)
23 if ((d
= OPENSSL_malloc(sizeof(*d
))) == NULL
) {
24 ERR_raise(ERR_LIB_SSL
, ERR_R_MALLOC_FAILURE
);
30 d
->unprocessed_rcds
.q
= pqueue_new();
31 d
->processed_rcds
.q
= pqueue_new();
32 d
->buffered_app_data
.q
= pqueue_new();
34 if (d
->unprocessed_rcds
.q
== NULL
|| d
->processed_rcds
.q
== NULL
35 || d
->buffered_app_data
.q
== NULL
) {
36 pqueue_free(d
->unprocessed_rcds
.q
);
37 pqueue_free(d
->processed_rcds
.q
);
38 pqueue_free(d
->buffered_app_data
.q
);
47 void DTLS_RECORD_LAYER_free(RECORD_LAYER
*rl
)
52 DTLS_RECORD_LAYER_clear(rl
);
53 pqueue_free(rl
->d
->unprocessed_rcds
.q
);
54 pqueue_free(rl
->d
->processed_rcds
.q
);
55 pqueue_free(rl
->d
->buffered_app_data
.q
);
60 void DTLS_RECORD_LAYER_clear(RECORD_LAYER
*rl
)
64 DTLS1_RECORD_DATA
*rdata
;
65 pqueue
*unprocessed_rcds
;
66 pqueue
*processed_rcds
;
67 pqueue
*buffered_app_data
;
71 while ((item
= pqueue_pop(d
->unprocessed_rcds
.q
)) != NULL
) {
72 rdata
= (DTLS1_RECORD_DATA
*)item
->data
;
73 OPENSSL_free(rdata
->rbuf
.buf
);
74 OPENSSL_free(item
->data
);
78 while ((item
= pqueue_pop(d
->processed_rcds
.q
)) != NULL
) {
79 rdata
= (DTLS1_RECORD_DATA
*)item
->data
;
80 if (rl
->s
->options
& SSL_OP_CLEANSE_PLAINTEXT
)
81 OPENSSL_cleanse(rdata
->rbuf
.buf
, rdata
->rbuf
.len
);
82 OPENSSL_free(rdata
->rbuf
.buf
);
83 OPENSSL_free(item
->data
);
87 while ((item
= pqueue_pop(d
->buffered_app_data
.q
)) != NULL
) {
88 rdata
= (DTLS1_RECORD_DATA
*)item
->data
;
89 if (rl
->s
->options
& SSL_OP_CLEANSE_PLAINTEXT
)
90 OPENSSL_cleanse(rdata
->rbuf
.buf
, rdata
->rbuf
.len
);
91 OPENSSL_free(rdata
->rbuf
.buf
);
92 OPENSSL_free(item
->data
);
96 unprocessed_rcds
= d
->unprocessed_rcds
.q
;
97 processed_rcds
= d
->processed_rcds
.q
;
98 buffered_app_data
= d
->buffered_app_data
.q
;
99 memset(d
, 0, sizeof(*d
));
100 d
->unprocessed_rcds
.q
= unprocessed_rcds
;
101 d
->processed_rcds
.q
= processed_rcds
;
102 d
->buffered_app_data
.q
= buffered_app_data
;
105 void DTLS_RECORD_LAYER_set_saved_w_epoch(RECORD_LAYER
*rl
, unsigned short e
)
107 if (e
== rl
->d
->w_epoch
- 1) {
108 memcpy(rl
->d
->curr_write_sequence
,
109 rl
->write_sequence
, sizeof(rl
->write_sequence
));
110 memcpy(rl
->write_sequence
,
111 rl
->d
->last_write_sequence
, sizeof(rl
->write_sequence
));
112 } else if (e
== rl
->d
->w_epoch
+ 1) {
113 memcpy(rl
->d
->last_write_sequence
,
114 rl
->write_sequence
, sizeof(unsigned char[8]));
115 memcpy(rl
->write_sequence
,
116 rl
->d
->curr_write_sequence
, sizeof(rl
->write_sequence
));
121 void DTLS_RECORD_LAYER_set_write_sequence(RECORD_LAYER
*rl
, unsigned char *seq
)
123 memcpy(rl
->write_sequence
, seq
, SEQ_NUM_SIZE
);
126 /* copy buffered record into SSL structure */
127 static int dtls1_copy_record(SSL
*s
, pitem
*item
)
129 DTLS1_RECORD_DATA
*rdata
;
131 rdata
= (DTLS1_RECORD_DATA
*)item
->data
;
133 SSL3_BUFFER_release(&s
->rlayer
.rbuf
);
135 s
->rlayer
.packet
= rdata
->packet
;
136 s
->rlayer
.packet_length
= rdata
->packet_length
;
137 memcpy(&s
->rlayer
.rbuf
, &(rdata
->rbuf
), sizeof(SSL3_BUFFER
));
138 memcpy(&s
->rlayer
.rrec
, &(rdata
->rrec
), sizeof(SSL3_RECORD
));
140 /* Set proper sequence number for mac calculation */
141 memcpy(&(s
->rlayer
.read_sequence
[2]), &(rdata
->packet
[5]), 6);
146 int dtls1_buffer_record(SSL
*s
, record_pqueue
*queue
, unsigned char *priority
)
148 DTLS1_RECORD_DATA
*rdata
;
151 /* Limit the size of the queue to prevent DOS attacks */
152 if (pqueue_size(queue
->q
) >= 100)
155 rdata
= OPENSSL_malloc(sizeof(*rdata
));
156 item
= pitem_new(priority
, rdata
);
157 if (rdata
== NULL
|| item
== NULL
) {
160 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
164 rdata
->packet
= s
->rlayer
.packet
;
165 rdata
->packet_length
= s
->rlayer
.packet_length
;
166 memcpy(&(rdata
->rbuf
), &s
->rlayer
.rbuf
, sizeof(SSL3_BUFFER
));
167 memcpy(&(rdata
->rrec
), &s
->rlayer
.rrec
, sizeof(SSL3_RECORD
));
171 #ifndef OPENSSL_NO_SCTP
172 /* Store bio_dgram_sctp_rcvinfo struct */
173 if (BIO_dgram_is_sctp(SSL_get_rbio(s
)) &&
174 (SSL_get_state(s
) == TLS_ST_SR_FINISHED
175 || SSL_get_state(s
) == TLS_ST_CR_FINISHED
)) {
176 BIO_ctrl(SSL_get_rbio(s
), BIO_CTRL_DGRAM_SCTP_GET_RCVINFO
,
177 sizeof(rdata
->recordinfo
), &rdata
->recordinfo
);
181 s
->rlayer
.packet
= NULL
;
182 s
->rlayer
.packet_length
= 0;
183 memset(&s
->rlayer
.rbuf
, 0, sizeof(s
->rlayer
.rbuf
));
184 memset(&s
->rlayer
.rrec
, 0, sizeof(s
->rlayer
.rrec
));
186 if (!ssl3_setup_buffers(s
)) {
187 /* SSLfatal() already called */
188 OPENSSL_free(rdata
->rbuf
.buf
);
194 if (pqueue_insert(queue
->q
, item
) == NULL
) {
195 /* Must be a duplicate so ignore it */
196 OPENSSL_free(rdata
->rbuf
.buf
);
204 int dtls1_retrieve_buffered_record(SSL
*s
, record_pqueue
*queue
)
208 item
= pqueue_pop(queue
->q
);
210 dtls1_copy_record(s
, item
);
212 OPENSSL_free(item
->data
);
222 * retrieve a buffered record that belongs to the new epoch, i.e., not
225 #define dtls1_get_unprocessed_record(s) \
226 dtls1_retrieve_buffered_record((s), \
227 &((s)->rlayer.d->unprocessed_rcds))
229 int dtls1_process_buffered_records(SSL
*s
)
234 DTLS1_BITMAP
*bitmap
;
235 unsigned int is_next_epoch
;
238 item
= pqueue_peek(s
->rlayer
.d
->unprocessed_rcds
.q
);
240 /* Check if epoch is current. */
241 if (s
->rlayer
.d
->unprocessed_rcds
.epoch
!= s
->rlayer
.d
->r_epoch
)
242 return 1; /* Nothing to do. */
244 rr
= RECORD_LAYER_get_rrec(&s
->rlayer
);
246 rb
= RECORD_LAYER_get_rbuf(&s
->rlayer
);
248 if (SSL3_BUFFER_get_left(rb
) > 0) {
250 * We've still got data from the current packet to read. There could
251 * be a record from the new epoch in it - so don't overwrite it
252 * with the unprocessed records yet (we'll do it when we've
253 * finished reading the current packet).
258 /* Process all the records. */
259 while (pqueue_peek(s
->rlayer
.d
->unprocessed_rcds
.q
)) {
260 dtls1_get_unprocessed_record(s
);
261 bitmap
= dtls1_get_bitmap(s
, rr
, &is_next_epoch
);
262 if (bitmap
== NULL
) {
264 * Should not happen. This will only ever be NULL when the
265 * current record is from a different epoch. But that cannot
266 * be the case because we already checked the epoch above
268 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
271 #ifndef OPENSSL_NO_SCTP
272 /* Only do replay check if no SCTP bio */
273 if (!BIO_dgram_is_sctp(SSL_get_rbio(s
)))
277 * Check whether this is a repeat, or aged record. We did this
278 * check once already when we first received the record - but
279 * we might have updated the window since then due to
280 * records we subsequently processed.
282 replayok
= dtls1_record_replay_check(s
, bitmap
);
285 if (!replayok
|| !dtls1_process_record(s
, bitmap
)) {
286 if (ossl_statem_in_error(s
)) {
287 /* dtls1_process_record called SSLfatal() */
290 /* dump this record */
292 RECORD_LAYER_reset_packet_length(&s
->rlayer
);
296 if (dtls1_buffer_record(s
, &(s
->rlayer
.d
->processed_rcds
),
297 SSL3_RECORD_get_seq_num(s
->rlayer
.rrec
)) < 0) {
298 /* SSLfatal() already called */
305 * sync epoch numbers once all the unprocessed records have been
308 s
->rlayer
.d
->processed_rcds
.epoch
= s
->rlayer
.d
->r_epoch
;
309 s
->rlayer
.d
->unprocessed_rcds
.epoch
= s
->rlayer
.d
->r_epoch
+ 1;
315 * Return up to 'len' payload bytes received in 'type' records.
316 * 'type' is one of the following:
318 * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
319 * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
320 * - 0 (during a shutdown, no data has to be returned)
322 * If we don't have stored data to work from, read a SSL/TLS record first
323 * (possibly multiple records if we still don't have anything to return).
325 * This function must handle any surprises the peer may have for us, such as
326 * Alert records (e.g. close_notify) or renegotiation requests. ChangeCipherSpec
327 * messages are treated as if they were handshake messages *if* the |recd_type|
328 * argument is non NULL.
329 * Also if record payloads contain fragments too small to process, we store
330 * them until there is enough for the respective protocol (the record protocol
331 * may use arbitrary fragmentation and even interleaving):
332 * Change cipher spec protocol
333 * just 1 byte needed, no need for keeping anything stored
335 * 2 bytes needed (AlertLevel, AlertDescription)
337 * 4 bytes needed (HandshakeType, uint24 length) -- we just have
338 * to detect unexpected Client Hello and Hello Request messages
339 * here, anything else is handled by higher layers
340 * Application data protocol
341 * none of our business
343 int dtls1_read_bytes(SSL
*s
, int type
, int *recvd_type
, unsigned char *buf
,
344 size_t len
, int peek
, size_t *readbytes
)
349 void (*cb
) (const SSL
*ssl
, int type2
, int val
) = NULL
;
351 if (!SSL3_BUFFER_is_initialised(&s
->rlayer
.rbuf
)) {
352 /* Not initialized yet */
353 if (!ssl3_setup_buffers(s
)) {
354 /* SSLfatal() already called */
359 if ((type
&& (type
!= SSL3_RT_APPLICATION_DATA
) &&
360 (type
!= SSL3_RT_HANDSHAKE
)) ||
361 (peek
&& (type
!= SSL3_RT_APPLICATION_DATA
))) {
362 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
366 if (!ossl_statem_get_in_handshake(s
) && SSL_in_init(s
)) {
367 /* type == SSL3_RT_APPLICATION_DATA */
368 i
= s
->handshake_func(s
);
369 /* SSLfatal() already called if appropriate */
377 s
->rwstate
= SSL_NOTHING
;
380 * s->s3.rrec.type - is the type of record
381 * s->s3.rrec.data, - data
382 * s->s3.rrec.off, - offset into 'data' for next read
383 * s->s3.rrec.length, - number of bytes.
388 * We are not handshaking and have no data yet, so process data buffered
389 * during the last handshake in advance, if any.
391 if (SSL_is_init_finished(s
) && SSL3_RECORD_get_length(rr
) == 0) {
393 item
= pqueue_pop(s
->rlayer
.d
->buffered_app_data
.q
);
395 #ifndef OPENSSL_NO_SCTP
396 /* Restore bio_dgram_sctp_rcvinfo struct */
397 if (BIO_dgram_is_sctp(SSL_get_rbio(s
))) {
398 DTLS1_RECORD_DATA
*rdata
= (DTLS1_RECORD_DATA
*)item
->data
;
399 BIO_ctrl(SSL_get_rbio(s
), BIO_CTRL_DGRAM_SCTP_SET_RCVINFO
,
400 sizeof(rdata
->recordinfo
), &rdata
->recordinfo
);
404 dtls1_copy_record(s
, item
);
406 OPENSSL_free(item
->data
);
411 /* Check for timeout */
412 if (dtls1_handle_timeout(s
) > 0) {
414 } else if (ossl_statem_in_error(s
)) {
415 /* dtls1_handle_timeout() has failed with a fatal error */
419 /* get new packet if necessary */
420 if ((SSL3_RECORD_get_length(rr
) == 0)
421 || (s
->rlayer
.rstate
== SSL_ST_READ_BODY
)) {
422 RECORD_LAYER_set_numrpipes(&s
->rlayer
, 0);
423 iret
= dtls1_get_record(s
);
425 iret
= dtls1_read_failed(s
, iret
);
427 * Anything other than a timeout is an error. SSLfatal() already
428 * called if appropriate.
435 RECORD_LAYER_set_numrpipes(&s
->rlayer
, 1);
439 * Reset the count of consecutive warning alerts if we've got a non-empty
440 * record that isn't an alert.
442 if (SSL3_RECORD_get_type(rr
) != SSL3_RT_ALERT
443 && SSL3_RECORD_get_length(rr
) != 0)
444 s
->rlayer
.alert_count
= 0;
446 /* we now have a packet which can be read and processed */
448 if (s
->s3
.change_cipher_spec
/* set when we receive ChangeCipherSpec,
449 * reset by ssl3_get_finished */
450 && (SSL3_RECORD_get_type(rr
) != SSL3_RT_HANDSHAKE
)) {
452 * We now have application data between CCS and Finished. Most likely
453 * the packets were reordered on their way, so buffer the application
454 * data for later processing rather than dropping the connection.
456 if (dtls1_buffer_record(s
, &(s
->rlayer
.d
->buffered_app_data
),
457 SSL3_RECORD_get_seq_num(rr
)) < 0) {
458 /* SSLfatal() already called */
461 SSL3_RECORD_set_length(rr
, 0);
462 SSL3_RECORD_set_read(rr
);
467 * If the other end has shut down, throw anything we read away (even in
470 if (s
->shutdown
& SSL_RECEIVED_SHUTDOWN
) {
471 SSL3_RECORD_set_length(rr
, 0);
472 SSL3_RECORD_set_read(rr
);
473 s
->rwstate
= SSL_NOTHING
;
477 if (type
== SSL3_RECORD_get_type(rr
)
478 || (SSL3_RECORD_get_type(rr
) == SSL3_RT_CHANGE_CIPHER_SPEC
479 && type
== SSL3_RT_HANDSHAKE
&& recvd_type
!= NULL
)) {
481 * SSL3_RT_APPLICATION_DATA or
482 * SSL3_RT_HANDSHAKE or
483 * SSL3_RT_CHANGE_CIPHER_SPEC
486 * make sure that we are not getting application data when we are
487 * doing a handshake for the first time
489 if (SSL_in_init(s
) && (type
== SSL3_RT_APPLICATION_DATA
) &&
490 (s
->enc_read_ctx
== NULL
)) {
491 SSLfatal(s
, SSL_AD_UNEXPECTED_MESSAGE
,
492 SSL_R_APP_DATA_IN_HANDSHAKE
);
496 if (recvd_type
!= NULL
)
497 *recvd_type
= SSL3_RECORD_get_type(rr
);
501 * Mark a zero length record as read. This ensures multiple calls to
502 * SSL_read() with a zero length buffer will eventually cause
503 * SSL_pending() to report data as being available.
505 if (SSL3_RECORD_get_length(rr
) == 0)
506 SSL3_RECORD_set_read(rr
);
510 if (len
> SSL3_RECORD_get_length(rr
))
511 n
= SSL3_RECORD_get_length(rr
);
515 memcpy(buf
, &(SSL3_RECORD_get_data(rr
)[SSL3_RECORD_get_off(rr
)]), n
);
517 if (SSL3_RECORD_get_length(rr
) == 0)
518 SSL3_RECORD_set_read(rr
);
520 if (s
->options
& SSL_OP_CLEANSE_PLAINTEXT
)
521 OPENSSL_cleanse(&(SSL3_RECORD_get_data(rr
)[SSL3_RECORD_get_off(rr
)]), n
);
522 SSL3_RECORD_sub_length(rr
, n
);
523 SSL3_RECORD_add_off(rr
, n
);
524 if (SSL3_RECORD_get_length(rr
) == 0) {
525 s
->rlayer
.rstate
= SSL_ST_READ_HEADER
;
526 SSL3_RECORD_set_off(rr
, 0);
527 SSL3_RECORD_set_read(rr
);
530 #ifndef OPENSSL_NO_SCTP
532 * We might had to delay a close_notify alert because of reordered
533 * app data. If there was an alert and there is no message to read
534 * anymore, finally set shutdown.
536 if (BIO_dgram_is_sctp(SSL_get_rbio(s
)) &&
537 s
->d1
->shutdown_received
538 && !BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s
))) {
539 s
->shutdown
|= SSL_RECEIVED_SHUTDOWN
;
548 * If we get here, then type != rr->type; if we have a handshake message,
549 * then it was unexpected (Hello Request or Client Hello).
552 if (SSL3_RECORD_get_type(rr
) == SSL3_RT_ALERT
) {
553 unsigned int alert_level
, alert_descr
;
554 unsigned char *alert_bytes
= SSL3_RECORD_get_data(rr
)
555 + SSL3_RECORD_get_off(rr
);
558 if (!PACKET_buf_init(&alert
, alert_bytes
, SSL3_RECORD_get_length(rr
))
559 || !PACKET_get_1(&alert
, &alert_level
)
560 || !PACKET_get_1(&alert
, &alert_descr
)
561 || PACKET_remaining(&alert
) != 0) {
562 SSLfatal(s
, SSL_AD_UNEXPECTED_MESSAGE
, SSL_R_INVALID_ALERT
);
567 s
->msg_callback(0, s
->version
, SSL3_RT_ALERT
, alert_bytes
, 2, s
,
568 s
->msg_callback_arg
);
570 if (s
->info_callback
!= NULL
)
571 cb
= s
->info_callback
;
572 else if (s
->ctx
->info_callback
!= NULL
)
573 cb
= s
->ctx
->info_callback
;
576 j
= (alert_level
<< 8) | alert_descr
;
577 cb(s
, SSL_CB_READ_ALERT
, j
);
580 if (alert_level
== SSL3_AL_WARNING
) {
581 s
->s3
.warn_alert
= alert_descr
;
582 SSL3_RECORD_set_read(rr
);
584 s
->rlayer
.alert_count
++;
585 if (s
->rlayer
.alert_count
== MAX_WARN_ALERT_COUNT
) {
586 SSLfatal(s
, SSL_AD_UNEXPECTED_MESSAGE
,
587 SSL_R_TOO_MANY_WARN_ALERTS
);
591 if (alert_descr
== SSL_AD_CLOSE_NOTIFY
) {
592 #ifndef OPENSSL_NO_SCTP
594 * With SCTP and streams the socket may deliver app data
595 * after a close_notify alert. We have to check this first so
596 * that nothing gets discarded.
598 if (BIO_dgram_is_sctp(SSL_get_rbio(s
)) &&
599 BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s
))) {
600 s
->d1
->shutdown_received
= 1;
601 s
->rwstate
= SSL_READING
;
602 BIO_clear_retry_flags(SSL_get_rbio(s
));
603 BIO_set_retry_read(SSL_get_rbio(s
));
607 s
->shutdown
|= SSL_RECEIVED_SHUTDOWN
;
610 } else if (alert_level
== SSL3_AL_FATAL
) {
611 s
->rwstate
= SSL_NOTHING
;
612 s
->s3
.fatal_alert
= alert_descr
;
613 SSLfatal_data(s
, SSL_AD_NO_ALERT
,
614 SSL_AD_REASON_OFFSET
+ alert_descr
,
615 "SSL alert number %d", alert_descr
);
616 s
->shutdown
|= SSL_RECEIVED_SHUTDOWN
;
617 SSL3_RECORD_set_read(rr
);
618 SSL_CTX_remove_session(s
->session_ctx
, s
->session
);
621 SSLfatal(s
, SSL_AD_ILLEGAL_PARAMETER
, SSL_R_UNKNOWN_ALERT_TYPE
);
628 if (s
->shutdown
& SSL_SENT_SHUTDOWN
) { /* but we have not received a
630 s
->rwstate
= SSL_NOTHING
;
631 SSL3_RECORD_set_length(rr
, 0);
632 SSL3_RECORD_set_read(rr
);
636 if (SSL3_RECORD_get_type(rr
) == SSL3_RT_CHANGE_CIPHER_SPEC
) {
638 * We can't process a CCS now, because previous handshake messages
639 * are still missing, so just drop it.
641 SSL3_RECORD_set_length(rr
, 0);
642 SSL3_RECORD_set_read(rr
);
647 * Unexpected handshake message (Client Hello, or protocol violation)
649 if ((SSL3_RECORD_get_type(rr
) == SSL3_RT_HANDSHAKE
) &&
650 !ossl_statem_get_in_handshake(s
)) {
651 struct hm_header_st msg_hdr
;
654 * This may just be a stale retransmit. Also sanity check that we have
655 * at least enough record bytes for a message header
657 if (SSL3_RECORD_get_epoch(rr
) != s
->rlayer
.d
->r_epoch
658 || SSL3_RECORD_get_length(rr
) < DTLS1_HM_HEADER_LENGTH
) {
659 SSL3_RECORD_set_length(rr
, 0);
660 SSL3_RECORD_set_read(rr
);
664 dtls1_get_message_header(rr
->data
, &msg_hdr
);
667 * If we are server, we may have a repeated FINISHED of the client
668 * here, then retransmit our CCS and FINISHED.
670 if (msg_hdr
.type
== SSL3_MT_FINISHED
) {
671 if (dtls1_check_timeout_num(s
) < 0) {
672 /* SSLfatal) already called */
676 if (dtls1_retransmit_buffered_messages(s
) <= 0) {
677 /* Fail if we encountered a fatal error */
678 if (ossl_statem_in_error(s
))
681 SSL3_RECORD_set_length(rr
, 0);
682 SSL3_RECORD_set_read(rr
);
683 if (!(s
->mode
& SSL_MODE_AUTO_RETRY
)) {
684 if (SSL3_BUFFER_get_left(&s
->rlayer
.rbuf
) == 0) {
685 /* no read-ahead left? */
688 s
->rwstate
= SSL_READING
;
689 bio
= SSL_get_rbio(s
);
690 BIO_clear_retry_flags(bio
);
691 BIO_set_retry_read(bio
);
699 * To get here we must be trying to read app data but found handshake
700 * data. But if we're trying to read app data, and we're not in init
701 * (which is tested for at the top of this function) then init must be
704 if (!ossl_assert(SSL_is_init_finished(s
))) {
705 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
709 /* We found handshake data, so we're going back into init */
710 ossl_statem_set_in_init(s
, 1);
712 i
= s
->handshake_func(s
);
713 /* SSLfatal() called if appropriate */
719 if (!(s
->mode
& SSL_MODE_AUTO_RETRY
)) {
720 if (SSL3_BUFFER_get_left(&s
->rlayer
.rbuf
) == 0) {
721 /* no read-ahead left? */
724 * In the case where we try to read application data, but we
725 * trigger an SSL handshake, we return -1 with the retry
726 * option set. Otherwise renegotiation may cause nasty
727 * problems in the blocking world
729 s
->rwstate
= SSL_READING
;
730 bio
= SSL_get_rbio(s
);
731 BIO_clear_retry_flags(bio
);
732 BIO_set_retry_read(bio
);
739 switch (SSL3_RECORD_get_type(rr
)) {
741 SSLfatal(s
, SSL_AD_UNEXPECTED_MESSAGE
, SSL_R_UNEXPECTED_RECORD
);
743 case SSL3_RT_CHANGE_CIPHER_SPEC
:
745 case SSL3_RT_HANDSHAKE
:
747 * we already handled all of these, with the possible exception of
748 * SSL3_RT_HANDSHAKE when ossl_statem_get_in_handshake(s) is true, but
749 * that should not happen when type != rr->type
751 SSLfatal(s
, SSL_AD_UNEXPECTED_MESSAGE
, ERR_R_INTERNAL_ERROR
);
753 case SSL3_RT_APPLICATION_DATA
:
755 * At this point, we were expecting handshake data, but have
756 * application data. If the library was running inside ssl3_read()
757 * (i.e. in_read_app_data is set) and it makes sense to read
758 * application data at this point (session renegotiation not yet
759 * started), we will indulge it.
761 if (s
->s3
.in_read_app_data
&&
762 (s
->s3
.total_renegotiations
!= 0) &&
763 ossl_statem_app_data_allowed(s
)) {
764 s
->s3
.in_read_app_data
= 2;
767 SSLfatal(s
, SSL_AD_UNEXPECTED_MESSAGE
, SSL_R_UNEXPECTED_RECORD
);
775 * Call this to write data in records of type 'type' It will return <= 0 if
776 * not all data has been sent or non-blocking IO.
778 int dtls1_write_bytes(SSL
*s
, int type
, const void *buf
, size_t len
,
783 if (!ossl_assert(len
<= SSL3_RT_MAX_PLAIN_LENGTH
)) {
784 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
787 s
->rwstate
= SSL_NOTHING
;
788 i
= do_dtls1_write(s
, type
, buf
, len
, 0, written
);
792 int do_dtls1_write(SSL
*s
, int type
, const unsigned char *buf
,
793 size_t len
, int create_empty_fragment
, size_t *written
)
795 unsigned char *p
, *pseq
;
796 int i
, mac_size
, clear
= 0;
797 size_t prefix_len
= 0;
803 wb
= &s
->rlayer
.wbuf
[0];
806 * DTLS writes whole datagrams, so there can't be anything left in
809 if (!ossl_assert(SSL3_BUFFER_get_left(wb
) == 0)) {
810 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
814 /* If we have an alert to send, lets send it */
815 if (s
->s3
.alert_dispatch
) {
816 i
= s
->method
->ssl_dispatch_alert(s
);
819 /* if it went, fall through and send more stuff */
822 if (len
== 0 && !create_empty_fragment
)
825 if (len
> ssl_get_max_send_fragment(s
)) {
826 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE
);
832 if ((sess
== NULL
) ||
833 (s
->enc_write_ctx
== NULL
) || (EVP_MD_CTX_md(s
->write_hash
) == NULL
))
839 mac_size
= EVP_MD_CTX_size(s
->write_hash
);
841 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
,
842 SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE
);
847 p
= SSL3_BUFFER_get_buf(wb
) + prefix_len
;
849 /* write the header */
851 *(p
++) = type
& 0xff;
852 SSL3_RECORD_set_type(&wr
, type
);
854 * Special case: for hello verify request, client version 1.0 and we
855 * haven't decided which version to use yet send back using version 1.0
856 * header: otherwise some clients will ignore it.
858 if (s
->method
->version
== DTLS_ANY_VERSION
&&
859 s
->max_proto_version
!= DTLS1_BAD_VER
) {
860 *(p
++) = DTLS1_VERSION
>> 8;
861 *(p
++) = DTLS1_VERSION
& 0xff;
863 *(p
++) = s
->version
>> 8;
864 *(p
++) = s
->version
& 0xff;
867 /* field where we are to write out packet epoch, seq num and len */
871 /* Explicit IV length, block ciphers appropriate version flag */
872 if (s
->enc_write_ctx
) {
873 int mode
= EVP_CIPHER_CTX_mode(s
->enc_write_ctx
);
874 if (mode
== EVP_CIPH_CBC_MODE
) {
875 eivlen
= EVP_CIPHER_CTX_iv_length(s
->enc_write_ctx
);
879 /* Need explicit part of IV for GCM mode */
880 else if (mode
== EVP_CIPH_GCM_MODE
)
881 eivlen
= EVP_GCM_TLS_EXPLICIT_IV_LEN
;
882 else if (mode
== EVP_CIPH_CCM_MODE
)
883 eivlen
= EVP_CCM_TLS_EXPLICIT_IV_LEN
;
889 /* lets setup the record stuff. */
890 SSL3_RECORD_set_data(&wr
, p
+ eivlen
); /* make room for IV in case of CBC */
891 SSL3_RECORD_set_length(&wr
, len
);
892 SSL3_RECORD_set_input(&wr
, (unsigned char *)buf
);
895 * we now 'read' from wr.input, wr.length bytes into wr.data
898 /* first we compress */
899 if (s
->compress
!= NULL
) {
900 if (!ssl3_do_compress(s
, &wr
)) {
901 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, SSL_R_COMPRESSION_FAILURE
);
905 memcpy(SSL3_RECORD_get_data(&wr
), SSL3_RECORD_get_input(&wr
),
906 SSL3_RECORD_get_length(&wr
));
907 SSL3_RECORD_reset_input(&wr
);
911 * we should still have the output to wr.data and the input from
912 * wr.input. Length should be wr.length. wr.data still points in the
916 if (!SSL_WRITE_ETM(s
) && mac_size
!= 0) {
917 if (!s
->method
->ssl3_enc
->mac(s
, &wr
,
918 &(p
[SSL3_RECORD_get_length(&wr
) + eivlen
]),
920 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
923 SSL3_RECORD_add_length(&wr
, mac_size
);
926 /* this is true regardless of mac size */
927 SSL3_RECORD_set_data(&wr
, p
);
928 SSL3_RECORD_reset_input(&wr
);
931 SSL3_RECORD_add_length(&wr
, eivlen
);
933 if (s
->method
->ssl3_enc
->enc(s
, &wr
, 1, 1, NULL
, mac_size
) < 1) {
934 if (!ossl_statem_in_error(s
)) {
935 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
940 if (SSL_WRITE_ETM(s
) && mac_size
!= 0) {
941 if (!s
->method
->ssl3_enc
->mac(s
, &wr
,
942 &(p
[SSL3_RECORD_get_length(&wr
)]), 1)) {
943 SSLfatal(s
, SSL_AD_INTERNAL_ERROR
, ERR_R_INTERNAL_ERROR
);
946 SSL3_RECORD_add_length(&wr
, mac_size
);
949 /* record length after mac and block padding */
951 /* there's only one epoch between handshake and app data */
953 s2n(s
->rlayer
.d
->w_epoch
, pseq
);
955 memcpy(pseq
, &(s
->rlayer
.write_sequence
[2]), 6);
957 s2n(SSL3_RECORD_get_length(&wr
), pseq
);
960 s
->msg_callback(1, 0, SSL3_RT_HEADER
, pseq
- DTLS1_RT_HEADER_LENGTH
,
961 DTLS1_RT_HEADER_LENGTH
, s
, s
->msg_callback_arg
);
964 * we should now have wr.data pointing to the encrypted data, which is
967 SSL3_RECORD_set_type(&wr
, type
); /* not needed but helps for debugging */
968 SSL3_RECORD_add_length(&wr
, DTLS1_RT_HEADER_LENGTH
);
970 ssl3_record_sequence_update(&(s
->rlayer
.write_sequence
[0]));
972 if (create_empty_fragment
) {
974 * we are in a recursive call; just return the length, don't write
977 *written
= wr
.length
;
981 /* now let's set up wb */
982 SSL3_BUFFER_set_left(wb
, prefix_len
+ SSL3_RECORD_get_length(&wr
));
983 SSL3_BUFFER_set_offset(wb
, 0);
986 * memorize arguments so that ssl3_write_pending can detect bad write
989 s
->rlayer
.wpend_tot
= len
;
990 s
->rlayer
.wpend_buf
= buf
;
991 s
->rlayer
.wpend_type
= type
;
992 s
->rlayer
.wpend_ret
= len
;
994 /* we now just need to write the buffer. Calls SSLfatal() as required. */
995 return ssl3_write_pending(s
, type
, buf
, len
, written
);
998 DTLS1_BITMAP
*dtls1_get_bitmap(SSL
*s
, SSL3_RECORD
*rr
,
999 unsigned int *is_next_epoch
)
1004 /* In current epoch, accept HM, CCS, DATA, & ALERT */
1005 if (rr
->epoch
== s
->rlayer
.d
->r_epoch
)
1006 return &s
->rlayer
.d
->bitmap
;
1009 * Only HM and ALERT messages can be from the next epoch and only if we
1010 * have already processed all of the unprocessed records from the last
1013 else if (rr
->epoch
== (unsigned long)(s
->rlayer
.d
->r_epoch
+ 1) &&
1014 s
->rlayer
.d
->unprocessed_rcds
.epoch
!= s
->rlayer
.d
->r_epoch
&&
1015 (rr
->type
== SSL3_RT_HANDSHAKE
|| rr
->type
== SSL3_RT_ALERT
)) {
1017 return &s
->rlayer
.d
->next_bitmap
;
1023 void dtls1_reset_seq_numbers(SSL
*s
, int rw
)
1026 unsigned int seq_bytes
= sizeof(s
->rlayer
.read_sequence
);
1028 if (rw
& SSL3_CC_READ
) {
1029 seq
= s
->rlayer
.read_sequence
;
1030 s
->rlayer
.d
->r_epoch
++;
1031 memcpy(&s
->rlayer
.d
->bitmap
, &s
->rlayer
.d
->next_bitmap
,
1032 sizeof(s
->rlayer
.d
->bitmap
));
1033 memset(&s
->rlayer
.d
->next_bitmap
, 0, sizeof(s
->rlayer
.d
->next_bitmap
));
1036 * We must not use any buffered messages received from the previous
1039 dtls1_clear_received_buffer(s
);
1041 seq
= s
->rlayer
.write_sequence
;
1042 memcpy(s
->rlayer
.d
->last_write_sequence
, seq
,
1043 sizeof(s
->rlayer
.write_sequence
));
1044 s
->rlayer
.d
->w_epoch
++;
1047 memset(seq
, 0, seq_bytes
);