kris
/
boringssl
1
0
Bifurcation 0
Code Tickets 0 Demandes d'ajout 0 Versions 0 Wiki Activité
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.
1913 Révisions
12 Branches
38 MiB
 
 
 
 
 
 
Aborescence: 1269ddd377
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de '1269ddd377'
${ noResults }
boringssl/ssl/d1_both.c

874 lignes
30 KiB
Brut Annotations Historique 

  1. /*

  2.  * DTLS implementation written by Nagendra Modadugu

  3.  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 

  4.  */

  5. /* ====================================================================

  6.  * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.

  7.  *

  8.  * Redistribution and use in source and binary forms, with or without

  9.  * modification, are permitted provided that the following conditions

  10.  * are met:

  11.  *

  12.  * 1. Redistributions of source code must retain the above copyright

  13.  *    notice, this list of conditions and the following disclaimer.

  14.  *

  15.  * 2. Redistributions in binary form must reproduce the above copyright

  16.  *    notice, this list of conditions and the following disclaimer in

  17.  *    the documentation and/or other materials provided with the

  18.  *    distribution.

  19.  *

  20.  * 3. All advertising materials mentioning features or use of this

  21.  *    software must display the following acknowledgment:

  22.  *    "This product includes software developed by the OpenSSL Project

  23.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  24.  *

  25.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  26.  *    endorse or promote products derived from this software without

  27.  *    prior written permission. For written permission, please contact

  28.  *    openssl-core@openssl.org.

  29.  *

  30.  * 5. Products derived from this software may not be called "OpenSSL"

  31.  *    nor may "OpenSSL" appear in their names without prior written

  32.  *    permission of the OpenSSL Project.

  33.  *

  34.  * 6. Redistributions of any form whatsoever must retain the following

  35.  *    acknowledgment:

  36.  *    "This product includes software developed by the OpenSSL Project

  37.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  38.  *

  39.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  40.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  41.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  42.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  43.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  44.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  45.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  46.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  48.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  49.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  50.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  51.  * ====================================================================

  52.  *

  53.  * This product includes cryptographic software written by Eric Young

  54.  * (eay@cryptsoft.com).  This product includes software written by Tim

  55.  * Hudson (tjh@cryptsoft.com).

  56.  *

  57.  */

  58. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  59.  * All rights reserved.

  60.  *

  61.  * This package is an SSL implementation written

  62.  * by Eric Young (eay@cryptsoft.com).

  63.  * The implementation was written so as to conform with Netscapes SSL.

  64.  *

  65.  * This library is free for commercial and non-commercial use as long as

  66.  * the following conditions are aheared to.  The following conditions

  67.  * apply to all code found in this distribution, be it the RC4, RSA,

  68.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  69.  * included with this distribution is covered by the same copyright terms

  70.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  71.  *

  72.  * Copyright remains Eric Young's, and as such any Copyright notices in

  73.  * the code are not to be removed.

  74.  * If this package is used in a product, Eric Young should be given attribution

  75.  * as the author of the parts of the library used.

  76.  * This can be in the form of a textual message at program startup or

  77.  * in documentation (online or textual) provided with the package.

  78.  *

  79.  * Redistribution and use in source and binary forms, with or without

  80.  * modification, are permitted provided that the following conditions

  81.  * are met:

  82.  * 1. Redistributions of source code must retain the copyright

  83.  *    notice, this list of conditions and the following disclaimer.

  84.  * 2. Redistributions in binary form must reproduce the above copyright

  85.  *    notice, this list of conditions and the following disclaimer in the

  86.  *    documentation and/or other materials provided with the distribution.

  87.  * 3. All advertising materials mentioning features or use of this software

  88.  *    must display the following acknowledgement:

  89.  *    "This product includes cryptographic software written by

  90.  *     Eric Young (eay@cryptsoft.com)"

  91.  *    The word 'cryptographic' can be left out if the rouines from the library

  92.  *    being used are not cryptographic related :-).

  93.  * 4. If you include any Windows specific code (or a derivative thereof) from

  94.  *    the apps directory (application code) you must include an acknowledgement:

  95.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  96.  *

  97.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  98.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  99.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  100.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  101.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  102.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  103.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  104.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  105.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  106.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  107.  * SUCH DAMAGE.

  108.  *

  109.  * The licence and distribution terms for any publically available version or

  110.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  111.  * copied and put under another distribution licence

  112.  * [including the GNU Public Licence.] */

  113. 

  114. #include <openssl/ssl.h>

  115. 

  116. #include <assert.h>

  117. #include <limits.h>

  118. #include <stdio.h>

  119. #include <string.h>

  120. 

  121. #include <openssl/buf.h>

  122. #include <openssl/err.h>

  123. #include <openssl/evp.h>

  124. #include <openssl/mem.h>

  125. #include <openssl/obj.h>

  126. #include <openssl/rand.h>

  127. #include <openssl/x509.h>

  128. 

  129. #include "internal.h"

  130. 

  131. 

  132. /* TODO(davidben): 28 comes from the size of IP + UDP header. Is this reasonable

  133.  * for these values? Notably, why is kMinMTU a function of the transport

  134.  * protocol's overhead rather than, say, what's needed to hold a minimally-sized

  135.  * handshake fragment plus protocol overhead. */

  136. 

  137. /* kMinMTU is the minimum acceptable MTU value. */

  138. static const unsigned int kMinMTU = 256 - 28;

  139. 

  140. /* kDefaultMTU is the default MTU value to use if neither the user nor

  141.  * the underlying BIO supplies one. */

  142. static const unsigned int kDefaultMTU = 1500 - 28;

  143. 

  144. /* kMaxHandshakeBuffer is the maximum number of handshake messages ahead of the

  145.  * current one to buffer. */

  146. static const unsigned int kHandshakeBufferSize = 10;

  147. 

  148. static void dtls1_fix_message_header(SSL *s, unsigned long frag_off,

  149.                                      unsigned long frag_len);

  150. static unsigned char *dtls1_write_message_header(SSL *s, unsigned char *p);

  151. 

  152. static hm_fragment *dtls1_hm_fragment_new(size_t frag_len, int reassembly) {

  153.   hm_fragment *frag = OPENSSL_malloc(sizeof(hm_fragment));

  154.   if (frag == NULL) {

  155.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  156.     return NULL;

  157.   }

  158.   memset(frag, 0, sizeof(hm_fragment));

  159. 

  160.   /* If the handshake message is empty, |frag->fragment| and |frag->reassembly|

  161.    * are NULL. */

  162.   if (frag_len > 0) {

  163.     frag->fragment = OPENSSL_malloc(frag_len);

  164.     if (frag->fragment == NULL) {

  165.       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  166.       goto err;

  167.     }

  168. 

  169.     if (reassembly) {

  170.       /* Initialize reassembly bitmask. */

  171.       if (frag_len + 7 < frag_len) {

  172.         OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);

  173.         goto err;

  174.       }

  175.       size_t bitmask_len = (frag_len + 7) / 8;

  176.       frag->reassembly = OPENSSL_malloc(bitmask_len);

  177.       if (frag->reassembly == NULL) {

  178.         OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  179.         goto err;

  180.       }

  181.       memset(frag->reassembly, 0, bitmask_len);

  182.     }

  183.   }

  184. 

  185.   return frag;

  186. 

  187. err:

  188.   dtls1_hm_fragment_free(frag);

  189.   return NULL;

  190. }

  191. 

  192. void dtls1_hm_fragment_free(hm_fragment *frag) {

  193.   if (frag == NULL) {

  194.     return;

  195.   }

  196.   OPENSSL_free(frag->fragment);

  197.   OPENSSL_free(frag->reassembly);

  198.   OPENSSL_free(frag);

  199. }

  200. 

  201. #if !defined(inline)

  202. #define inline __inline

  203. #endif

  204. 

  205. /* bit_range returns a |uint8_t| with bits |start|, inclusive, to |end|,

  206.  * exclusive, set. */

  207. static inline uint8_t bit_range(size_t start, size_t end) {

  208.   return (uint8_t)(~((1u << start) - 1) & ((1u << end) - 1));

  209. }

  210. 

  211. /* dtls1_hm_fragment_mark marks bytes |start|, inclusive, to |end|, exclusive,

  212.  * as received in |frag|. If |frag| becomes complete, it clears

  213.  * |frag->reassembly|. The range must be within the bounds of |frag|'s message

  214.  * and |frag->reassembly| must not be NULL. */

  215. static void dtls1_hm_fragment_mark(hm_fragment *frag, size_t start,

  216.                                    size_t end) {

  217.   size_t i;

  218.   size_t msg_len = frag->msg_header.msg_len;

  219. 

  220.   if (frag->reassembly == NULL || start > end || end > msg_len) {

  221.     assert(0);

  222.     return;

  223.   }

  224.   /* A zero-length message will never have a pending reassembly. */

  225.   assert(msg_len > 0);

  226. 

  227.   if ((start >> 3) == (end >> 3)) {

  228.     frag->reassembly[start >> 3] |= bit_range(start & 7, end & 7);

  229.   } else {

  230.     frag->reassembly[start >> 3] |= bit_range(start & 7, 8);

  231.     for (i = (start >> 3) + 1; i < (end >> 3); i++) {

  232.       frag->reassembly[i] = 0xff;

  233.     }

  234.     if ((end & 7) != 0) {

  235.       frag->reassembly[end >> 3] |= bit_range(0, end & 7);

  236.     }

  237.   }

  238. 

  239.   /* Check if the fragment is complete. */

  240.   for (i = 0; i < (msg_len >> 3); i++) {

  241.     if (frag->reassembly[i] != 0xff) {

  242.       return;

  243.     }

  244.   }

  245.   if ((msg_len & 7) != 0 &&

  246.       frag->reassembly[msg_len >> 3] != bit_range(0, msg_len & 7)) {

  247.     return;

  248.   }

  249. 

  250.   OPENSSL_free(frag->reassembly);

  251.   frag->reassembly = NULL;

  252. }

  253. 

  254. /* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or

  255.  * SSL3_RT_CHANGE_CIPHER_SPEC) */

  256. int dtls1_do_write(SSL *s, int type, enum dtls1_use_epoch_t use_epoch) {

  257.   int ret;

  258.   int curr_mtu;

  259.   unsigned int len, frag_off;

  260. 

  261.   /* AHA!  Figure out the MTU, and stick to the right size */

  262.   if (s->d1->mtu < dtls1_min_mtu() &&

  263.       !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) {

  264.     long mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);

  265.     if (mtu >= 0 && mtu <= (1 << 30) && (unsigned)mtu >= dtls1_min_mtu()) {

  266.       s->d1->mtu = (unsigned)mtu;

  267.     } else {

  268.       s->d1->mtu = kDefaultMTU;

  269.       BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SET_MTU, s->d1->mtu, NULL);

  270.     }

  271.   }

  272. 

  273.   /* should have something reasonable now */

  274.   assert(s->d1->mtu >= dtls1_min_mtu());

  275. 

  276.   if (s->init_off == 0 && type == SSL3_RT_HANDSHAKE) {

  277.     assert(s->init_num ==

  278.            (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH);

  279.   }

  280. 

  281.   /* Determine the maximum overhead of the current cipher. */

  282.   size_t max_overhead = SSL_AEAD_CTX_max_overhead(s->aead_write_ctx);

  283. 

  284.   frag_off = 0;

  285.   while (s->init_num) {

  286.     /* Account for data in the buffering BIO; multiple records may be packed

  287.      * into a single packet during the handshake.

  288.      *

  289.      * TODO(davidben): This is buggy; if the MTU is larger than the buffer size,

  290.      * the large record will be split across two packets. Moreover, in that

  291.      * case, the |dtls1_write_bytes| call may not return synchronously. This

  292.      * will break on retry as the |s->init_off| and |s->init_num| adjustment

  293.      * will run a second time. */

  294.     curr_mtu = s->d1->mtu - BIO_wpending(SSL_get_wbio(s)) -

  295.         DTLS1_RT_HEADER_LENGTH - max_overhead;

  296. 

  297.     if (curr_mtu <= DTLS1_HM_HEADER_LENGTH) {

  298.       /* Flush the buffer and continue with a fresh packet.

  299.        *

  300.        * TODO(davidben): If |BIO_flush| is not synchronous and requires multiple

  301.        * calls to |dtls1_do_write|, |frag_off| will be wrong. */

  302.       ret = BIO_flush(SSL_get_wbio(s));

  303.       if (ret <= 0) {

  304.         return ret;

  305.       }

  306.       assert(BIO_wpending(SSL_get_wbio(s)) == 0);

  307.       curr_mtu = s->d1->mtu - DTLS1_RT_HEADER_LENGTH - max_overhead;

  308.     }

  309. 

  310.     /* XDTLS: this function is too long.  split out the CCS part */

  311.     if (type == SSL3_RT_HANDSHAKE) {

  312.       /* If this isn't the first fragment, reserve space to prepend a new

  313.        * fragment header. This will override the body of a previous fragment. */

  314.       if (s->init_off != 0) {

  315.         assert(s->init_off > DTLS1_HM_HEADER_LENGTH);

  316.         s->init_off -= DTLS1_HM_HEADER_LENGTH;

  317.         s->init_num += DTLS1_HM_HEADER_LENGTH;

  318.       }

  319. 

  320.       if (curr_mtu <= DTLS1_HM_HEADER_LENGTH) {

  321.         /* To make forward progress, the MTU must, at minimum, fit the handshake

  322.          * header and one byte of handshake body. */

  323.         OPENSSL_PUT_ERROR(SSL, SSL_R_MTU_TOO_SMALL);

  324.         return -1;

  325.       }

  326. 

  327.       if (s->init_num > curr_mtu) {

  328.         len = curr_mtu;

  329.       } else {

  330.         len = s->init_num;

  331.       }

  332.       assert(len >= DTLS1_HM_HEADER_LENGTH);

  333. 

  334.       dtls1_fix_message_header(s, frag_off, len - DTLS1_HM_HEADER_LENGTH);

  335.       dtls1_write_message_header(

  336.           s, (uint8_t *)&s->init_buf->data[s->init_off]);

  337.     } else {

  338.       assert(type == SSL3_RT_CHANGE_CIPHER_SPEC);

  339.       /* ChangeCipherSpec cannot be fragmented. */

  340.       if (s->init_num > curr_mtu) {

  341.         OPENSSL_PUT_ERROR(SSL, SSL_R_MTU_TOO_SMALL);

  342.         return -1;

  343.       }

  344.       len = s->init_num;

  345.     }

  346. 

  347.     ret = dtls1_write_bytes(s, type, &s->init_buf->data[s->init_off], len,

  348.                             use_epoch);

  349.     if (ret < 0) {

  350.       return -1;

  351.     }

  352. 

  353.     /* bad if this assert fails, only part of the handshake message got sent.

  354.      * But why would this happen? */

  355.     assert(len == (unsigned int)ret);

  356. 

  357.     if (ret == s->init_num) {

  358.       if (s->msg_callback) {

  359.         s->msg_callback(1, s->version, type, s->init_buf->data,

  360.                         (size_t)(s->init_off + s->init_num), s,

  361.                         s->msg_callback_arg);

  362.       }

  363. 

  364.       s->init_off = 0; /* done writing this message */

  365.       s->init_num = 0;

  366. 

  367.       return 1;

  368.     }

  369.     s->init_off += ret;

  370.     s->init_num -= ret;

  371.     frag_off += (ret -= DTLS1_HM_HEADER_LENGTH);

  372.   }

  373. 

  374.   return 0;

  375. }

  376. 

  377. /* dtls1_is_next_message_complete returns one if the next handshake message is

  378.  * complete and zero otherwise. */

  379. static int dtls1_is_next_message_complete(SSL *s) {

  380.   pitem *item = pqueue_peek(s->d1->buffered_messages);

  381.   if (item == NULL) {

  382.     return 0;

  383.   }

  384. 

  385.   hm_fragment *frag = (hm_fragment *)item->data;

  386.   assert(s->d1->handshake_read_seq <= frag->msg_header.seq);

  387. 

  388.   return s->d1->handshake_read_seq == frag->msg_header.seq &&

  389.       frag->reassembly == NULL;

  390. }

  391. 

  392. /* dtls1_discard_fragment_body discards a handshake fragment body of length

  393.  * |frag_len|. It returns one on success and zero on error.

  394.  *

  395.  * TODO(davidben): This function will go away when ssl_read_bytes is gone from

  396.  * the DTLS side. */

  397. static int dtls1_discard_fragment_body(SSL *s, size_t frag_len) {

  398.   uint8_t discard[256];

  399.   while (frag_len > 0) {

  400.     size_t chunk = frag_len < sizeof(discard) ? frag_len : sizeof(discard);

  401.     int ret = dtls1_read_bytes(s, SSL3_RT_HANDSHAKE, discard, chunk, 0);

  402.     if (ret != chunk) {

  403.       return 0;

  404.     }

  405.     frag_len -= chunk;

  406.   }

  407.   return 1;

  408. }

  409. 

  410. /* dtls1_get_buffered_message returns the buffered message corresponding to

  411.  * |msg_hdr|. If none exists, it creates a new one and inserts it in the

  412.  * queue. Otherwise, it checks |msg_hdr| is consistent with the existing one. It

  413.  * returns NULL on failure. The caller does not take ownership of the result. */

  414. static hm_fragment *dtls1_get_buffered_message(

  415.     SSL *s, const struct hm_header_st *msg_hdr) {

  416.   uint8_t seq64be[8];

  417.   memset(seq64be, 0, sizeof(seq64be));

  418.   seq64be[6] = (uint8_t)(msg_hdr->seq >> 8);

  419.   seq64be[7] = (uint8_t)msg_hdr->seq;

  420.   pitem *item = pqueue_find(s->d1->buffered_messages, seq64be);

  421. 

  422.   hm_fragment *frag;

  423.   if (item == NULL) {

  424.     /* This is the first fragment from this message. */

  425.     frag = dtls1_hm_fragment_new(msg_hdr->msg_len,

  426.                                  1 /* reassembly buffer needed */);

  427.     if (frag == NULL) {

  428.       return NULL;

  429.     }

  430.     memcpy(&frag->msg_header, msg_hdr, sizeof(*msg_hdr));

  431.     item = pitem_new(seq64be, frag);

  432.     if (item == NULL) {

  433.       dtls1_hm_fragment_free(frag);

  434.       return NULL;

  435.     }

  436.     item = pqueue_insert(s->d1->buffered_messages, item);

  437.     /* |pqueue_insert| fails iff a duplicate item is inserted, but |item| cannot

  438.      * be a duplicate. */

  439.     assert(item != NULL);

  440.   } else {

  441.     frag = item->data;

  442.     assert(frag->msg_header.seq == msg_hdr->seq);

  443.     if (frag->msg_header.type != msg_hdr->type ||

  444.         frag->msg_header.msg_len != msg_hdr->msg_len) {

  445.       /* The new fragment must be compatible with the previous fragments from

  446.        * this message. */

  447.       OPENSSL_PUT_ERROR(SSL, SSL_R_FRAGMENT_MISMATCH);

  448.       ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  449.       return NULL;

  450.     }

  451.   }

  452.   return frag;

  453. }

  454. 

  455. /* dtls1_max_handshake_message_len returns the maximum number of bytes

  456.  * permitted in a DTLS handshake message for |s|. The minimum is 16KB, but may

  457.  * be greater if the maximum certificate list size requires it. */

  458. static size_t dtls1_max_handshake_message_len(const SSL *s) {

  459.   size_t max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;

  460.   if (max_len < s->max_cert_list) {

  461.     return s->max_cert_list;

  462.   }

  463.   return max_len;

  464. }

  465. 

  466. /* dtls1_process_fragment reads a handshake fragment and processes it. It

  467.  * returns one if a fragment was successfully processed and 0 or -1 on error. */

  468. static int dtls1_process_fragment(SSL *s) {

  469.   /* Read handshake message header. */

  470.   uint8_t header[DTLS1_HM_HEADER_LENGTH];

  471.   int ret = dtls1_read_bytes(s, SSL3_RT_HANDSHAKE, header,

  472.                              DTLS1_HM_HEADER_LENGTH, 0);

  473.   if (ret <= 0) {

  474.     return ret;

  475.   }

  476.   if (ret != DTLS1_HM_HEADER_LENGTH) {

  477.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);

  478.     ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);

  479.     return -1;

  480.   }

  481. 

  482.   /* Parse the message fragment header. */

  483.   struct hm_header_st msg_hdr;

  484.   dtls1_get_message_header(header, &msg_hdr);

  485. 

  486.   /* TODO(davidben): dtls1_read_bytes is the wrong abstraction for DTLS. There

  487.    * should be no need to reach into |s->s3->rrec.length|. */

  488.   const size_t frag_off = msg_hdr.frag_off;

  489.   const size_t frag_len = msg_hdr.frag_len;

  490.   const size_t msg_len = msg_hdr.msg_len;

  491.   if (frag_off > msg_len || frag_off + frag_len < frag_off ||

  492.       frag_off + frag_len > msg_len ||

  493.       msg_len > dtls1_max_handshake_message_len(s) ||

  494.       frag_len > s->s3->rrec.length) {

  495.     OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);

  496.     ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  497.     return -1;

  498.   }

  499. 

  500.   if (msg_hdr.seq < s->d1->handshake_read_seq ||

  501.       msg_hdr.seq > (unsigned)s->d1->handshake_read_seq +

  502.                     kHandshakeBufferSize) {

  503.     /* Ignore fragments from the past, or ones too far in the future. */

  504.     if (!dtls1_discard_fragment_body(s, frag_len)) {

  505.       return -1;

  506.     }

  507.     return 1;

  508.   }

  509. 

  510.   hm_fragment *frag = dtls1_get_buffered_message(s, &msg_hdr);

  511.   if (frag == NULL) {

  512.     return -1;

  513.   }

  514.   assert(frag->msg_header.msg_len == msg_len);

  515. 

  516.   if (frag->reassembly == NULL) {

  517.     /* The message is already assembled. */

  518.     if (!dtls1_discard_fragment_body(s, frag_len)) {

  519.       return -1;

  520.     }

  521.     return 1;

  522.   }

  523.   assert(msg_len > 0);

  524. 

  525.   /* Read the body of the fragment. */

  526.   ret = dtls1_read_bytes(s, SSL3_RT_HANDSHAKE, frag->fragment + frag_off,

  527.                          frag_len, 0);

  528.   if (ret != frag_len) {

  529.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  530.     ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  531.     return -1;

  532.   }

  533.   dtls1_hm_fragment_mark(frag, frag_off, frag_off + frag_len);

  534. 

  535.   return 1;

  536. }

  537. 

  538. /* dtls1_get_message reads a handshake message of message type |msg_type| (any

  539.  * if |msg_type| == -1), maximum acceptable body length |max|. Read an entire

  540.  * handshake message. Handshake messages arrive in fragments. */

  541. long dtls1_get_message(SSL *s, int st1, int stn, int msg_type, long max,

  542.                        enum ssl_hash_message_t hash_message, int *ok) {

  543.   pitem *item = NULL;

  544.   hm_fragment *frag = NULL;

  545.   int al;

  546. 

  547.   /* s3->tmp is used to store messages that are unexpected, caused

  548.    * by the absence of an optional handshake message */

  549.   if (s->s3->tmp.reuse_message) {

  550.     /* A ssl_dont_hash_message call cannot be combined with reuse_message; the

  551.      * ssl_dont_hash_message would have to have been applied to the previous

  552.      * call. */

  553.     assert(hash_message == ssl_hash_message);

  554.     s->s3->tmp.reuse_message = 0;

  555.     if (msg_type >= 0 && s->s3->tmp.message_type != msg_type) {

  556.       al = SSL_AD_UNEXPECTED_MESSAGE;

  557.       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);

  558.       goto f_err;

  559.     }

  560.     *ok = 1;

  561.     s->init_msg = (uint8_t *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;

  562.     s->init_num = (int)s->s3->tmp.message_size;

  563.     return s->init_num;

  564.   }

  565. 

  566.   /* Process fragments until one is found. */

  567.   while (!dtls1_is_next_message_complete(s)) {

  568.     int ret = dtls1_process_fragment(s);

  569.     if (ret <= 0) {

  570.       *ok = 0;

  571.       return ret;

  572.     }

  573.   }

  574. 

  575.   /* Read out the next complete handshake message. */

  576.   item = pqueue_pop(s->d1->buffered_messages);

  577.   assert(item != NULL);

  578.   frag = (hm_fragment *)item->data;

  579.   assert(s->d1->handshake_read_seq == frag->msg_header.seq);

  580.   assert(frag->reassembly == NULL);

  581. 

  582.   if (frag->msg_header.msg_len > (size_t)max) {

  583.     OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);

  584.     goto err;

  585.   }

  586. 

  587.   /* Reconstruct the assembled message. */

  588.   size_t len;

  589.   CBB cbb;

  590.   CBB_zero(&cbb);

  591.   if (!BUF_MEM_grow(s->init_buf,

  592.                     (size_t)frag->msg_header.msg_len +

  593.                     DTLS1_HM_HEADER_LENGTH) ||

  594.       !CBB_init_fixed(&cbb, (uint8_t *)s->init_buf->data, s->init_buf->max) ||

  595.       !CBB_add_u8(&cbb, frag->msg_header.type) ||

  596.       !CBB_add_u24(&cbb, frag->msg_header.msg_len) ||

  597.       !CBB_add_u16(&cbb, frag->msg_header.seq) ||

  598.       !CBB_add_u24(&cbb, 0 /* frag_off */) ||

  599.       !CBB_add_u24(&cbb, frag->msg_header.msg_len) ||

  600.       !CBB_add_bytes(&cbb, frag->fragment, frag->msg_header.msg_len) ||

  601.       !CBB_finish(&cbb, NULL, &len)) {

  602.     CBB_cleanup(&cbb);

  603.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  604.     goto err;

  605.   }

  606.   assert(len == (size_t)frag->msg_header.msg_len + DTLS1_HM_HEADER_LENGTH);

  607. 

  608.   s->d1->handshake_read_seq++;

  609. 

  610.   /* TODO(davidben): This function has a lot of implicit outputs. Simplify the

  611.    * |ssl_get_message| API. */

  612.   s->s3->tmp.message_type = frag->msg_header.type;

  613.   s->s3->tmp.message_size = frag->msg_header.msg_len;

  614.   s->init_msg = (uint8_t *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;

  615.   s->init_num = frag->msg_header.msg_len;

  616. 

  617.   if (msg_type >= 0 && s->s3->tmp.message_type != msg_type) {

  618.     al = SSL_AD_UNEXPECTED_MESSAGE;

  619.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);

  620.     goto f_err;

  621.   }

  622.   if (hash_message == ssl_hash_message && !ssl3_hash_current_message(s)) {

  623.     goto err;

  624.   }

  625.   if (s->msg_callback) {

  626.     s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,

  627.                     s->init_num + DTLS1_HM_HEADER_LENGTH, s,

  628.                     s->msg_callback_arg);

  629.   }

  630. 

  631.   pitem_free(item);

  632.   dtls1_hm_fragment_free(frag);

  633. 

  634.   s->state = stn;

  635.   *ok = 1;

  636.   return s->init_num;

  637. 

  638. f_err:

  639.   ssl3_send_alert(s, SSL3_AL_FATAL, al);

  640. err:

  641.   pitem_free(item);

  642.   dtls1_hm_fragment_free(frag);

  643.   *ok = 0;

  644.   return -1;

  645. }

  646. 

  647. /* for these 2 messages, we need to

  648.  * ssl->enc_read_ctx			re-init

  649.  * ssl->s3->read_sequence		zero

  650.  * ssl->s3->read_mac_secret		re-init

  651.  * ssl->session->read_sym_enc		assign

  652.  * ssl->session->read_compression	assign

  653.  * ssl->session->read_hash		assign */

  654. int dtls1_send_change_cipher_spec(SSL *s, int a, int b) {

  655.   uint8_t *p;

  656. 

  657.   if (s->state == a) {

  658.     p = (uint8_t *)s->init_buf->data;

  659.     *p++ = SSL3_MT_CCS;

  660.     s->d1->handshake_write_seq = s->d1->next_handshake_write_seq;

  661.     s->init_num = DTLS1_CCS_HEADER_LENGTH;

  662. 

  663.     s->init_off = 0;

  664. 

  665.     dtls1_set_message_header(s, SSL3_MT_CCS, 0, s->d1->handshake_write_seq, 0,

  666.                              0);

  667. 

  668.     /* buffer the message to handle re-xmits */

  669.     dtls1_buffer_message(s, 1);

  670. 

  671.     s->state = b;

  672.   }

  673. 

  674.   /* SSL3_ST_CW_CHANGE_B */

  675.   return dtls1_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC, dtls1_use_current_epoch);

  676. }

  677. 

  678. int dtls1_read_failed(SSL *s, int code) {

  679.   if (code > 0) {

  680.     assert(0);

  681.     return 1;

  682.   }

  683. 

  684.   if (!dtls1_is_timer_expired(s)) {

  685.     /* not a timeout, none of our business, let higher layers handle this. In

  686.      * fact, it's probably an error */

  687.     return code;

  688.   }

  689. 

  690.   if (!SSL_in_init(s)) {

  691.     /* done, no need to send a retransmit */

  692.     BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ);

  693.     return code;

  694.   }

  695. 

  696.   return DTLSv1_handle_timeout(s);

  697. }

  698. 

  699. int dtls1_get_queue_priority(unsigned short seq, int is_ccs) {

  700.   /* The index of the retransmission queue actually is the message sequence

  701.    * number, since the queue only contains messages of a single handshake.

  702.    * However, the ChangeCipherSpec has no message sequence number and so using

  703.    * only the sequence will result in the CCS and Finished having the same

  704.    * index. To prevent this, the sequence number is multiplied by 2. In case of

  705.    * a CCS 1 is subtracted. This does not only differ CSS and Finished, it also

  706.    * maintains the order of the index (important for priority queues) and fits

  707.    * in the unsigned short variable. */

  708.   return seq * 2 - is_ccs;

  709. }

  710. 

  711. static int dtls1_retransmit_message(SSL *s, hm_fragment *frag) {

  712.   int ret;

  713.   /* XDTLS: for now assuming that read/writes are blocking */

  714.   unsigned long header_length;

  715. 

  716.   /* assert(s->init_num == 0);

  717.      assert(s->init_off == 0); */

  718. 

  719.   if (frag->msg_header.is_ccs) {

  720.     header_length = DTLS1_CCS_HEADER_LENGTH;

  721.   } else {

  722.     header_length = DTLS1_HM_HEADER_LENGTH;

  723.   }

  724. 

  725.   memcpy(s->init_buf->data, frag->fragment,

  726.          frag->msg_header.msg_len + header_length);

  727.   s->init_num = frag->msg_header.msg_len + header_length;

  728. 

  729.   dtls1_set_message_header(s, frag->msg_header.type,

  730.                            frag->msg_header.msg_len, frag->msg_header.seq,

  731.                            0, frag->msg_header.frag_len);

  732. 

  733.   /* DTLS renegotiation is unsupported, so only epochs 0 (NULL cipher) and 1

  734.    * (negotiated cipher) exist. */

  735.   assert(s->d1->w_epoch == 0 || s->d1->w_epoch == 1);

  736.   assert(frag->msg_header.epoch <= s->d1->w_epoch);

  737.   enum dtls1_use_epoch_t use_epoch = dtls1_use_current_epoch;

  738.   if (s->d1->w_epoch == 1 && frag->msg_header.epoch == 0) {

  739.     use_epoch = dtls1_use_previous_epoch;

  740.   }

  741. 

  742.   ret = dtls1_do_write(s, frag->msg_header.is_ccs ? SSL3_RT_CHANGE_CIPHER_SPEC

  743.                                                   : SSL3_RT_HANDSHAKE,

  744.                        use_epoch);

  745. 

  746.   (void)BIO_flush(SSL_get_wbio(s));

  747.   return ret;

  748. }

  749. 

  750. 

  751. int dtls1_retransmit_buffered_messages(SSL *s) {

  752.   pqueue sent = s->d1->sent_messages;

  753.   piterator iter = pqueue_iterator(sent);

  754.   pitem *item;

  755. 

  756.   for (item = pqueue_next(&iter); item != NULL; item = pqueue_next(&iter)) {

  757.     hm_fragment *frag = (hm_fragment *)item->data;

  758.     if (dtls1_retransmit_message(s, frag) <= 0) {

  759.       return -1;

  760.     }

  761.   }

  762. 

  763.   return 1;

  764. }

  765. 

  766. int dtls1_buffer_message(SSL *s, int is_ccs) {

  767.   pitem *item;

  768.   hm_fragment *frag;

  769.   uint8_t seq64be[8];

  770. 

  771.   /* this function is called immediately after a message has

  772.    * been serialized */

  773.   assert(s->init_off == 0);

  774. 

  775.   frag = dtls1_hm_fragment_new(s->init_num, 0);

  776.   if (!frag) {

  777.     return 0;

  778.   }

  779. 

  780.   memcpy(frag->fragment, s->init_buf->data, s->init_num);

  781. 

  782.   if (is_ccs) {

  783.     assert(s->d1->w_msg_hdr.msg_len + DTLS1_CCS_HEADER_LENGTH ==

  784.            (unsigned int)s->init_num);

  785.   } else {

  786.     assert(s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH ==

  787.            (unsigned int)s->init_num);

  788.   }

  789. 

  790.   frag->msg_header.msg_len = s->d1->w_msg_hdr.msg_len;

  791.   frag->msg_header.seq = s->d1->w_msg_hdr.seq;

  792.   frag->msg_header.type = s->d1->w_msg_hdr.type;

  793.   frag->msg_header.frag_off = 0;

  794.   frag->msg_header.frag_len = s->d1->w_msg_hdr.msg_len;

  795.   frag->msg_header.is_ccs = is_ccs;

  796.   frag->msg_header.epoch = s->d1->w_epoch;

  797. 

  798.   memset(seq64be, 0, sizeof(seq64be));

  799.   seq64be[6] = (uint8_t)(

  800.       dtls1_get_queue_priority(frag->msg_header.seq, frag->msg_header.is_ccs) >>

  801.       8);

  802.   seq64be[7] = (uint8_t)(

  803.       dtls1_get_queue_priority(frag->msg_header.seq, frag->msg_header.is_ccs));

  804. 

  805.   item = pitem_new(seq64be, frag);

  806.   if (item == NULL) {

  807.     dtls1_hm_fragment_free(frag);

  808.     return 0;

  809.   }

  810. 

  811.   pqueue_insert(s->d1->sent_messages, item);

  812.   return 1;

  813. }

  814. 

  815. /* call this function when the buffered messages are no longer needed */

  816. void dtls1_clear_record_buffer(SSL *s) {

  817.   pitem *item;

  818. 

  819.   for (item = pqueue_pop(s->d1->sent_messages); item != NULL;

  820.        item = pqueue_pop(s->d1->sent_messages)) {

  821.     dtls1_hm_fragment_free((hm_fragment *)item->data);

  822.     pitem_free(item);

  823.   }

  824. }

  825. 

  826. /* don't actually do the writing, wait till the MTU has been retrieved */

  827. void dtls1_set_message_header(SSL *s, uint8_t mt, unsigned long len,

  828.                               unsigned short seq_num, unsigned long frag_off,

  829.                               unsigned long frag_len) {

  830.   struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;

  831. 

  832.   msg_hdr->type = mt;

  833.   msg_hdr->msg_len = len;

  834.   msg_hdr->seq = seq_num;

  835.   msg_hdr->frag_off = frag_off;

  836.   msg_hdr->frag_len = frag_len;

  837. }

  838. 

  839. static void dtls1_fix_message_header(SSL *s, unsigned long frag_off,

  840.                                      unsigned long frag_len) {

  841.   struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;

  842. 

  843.   msg_hdr->frag_off = frag_off;

  844.   msg_hdr->frag_len = frag_len;

  845. }

  846. 

  847. static uint8_t *dtls1_write_message_header(SSL *s, uint8_t *p) {

  848.   struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;

  849. 

  850.   *p++ = msg_hdr->type;

  851.   l2n3(msg_hdr->msg_len, p);

  852. 

  853.   s2n(msg_hdr->seq, p);

  854.   l2n3(msg_hdr->frag_off, p);

  855.   l2n3(msg_hdr->frag_len, p);

  856. 

  857.   return p;

  858. }

  859. 

  860. unsigned int dtls1_min_mtu(void) {

  861.   return kMinMTU;

  862. }

  863. 

  864. void dtls1_get_message_header(uint8_t *data,

  865.                               struct hm_header_st *msg_hdr) {

  866.   memset(msg_hdr, 0x00, sizeof(struct hm_header_st));

  867.   msg_hdr->type = *(data++);

  868.   n2l3(data, msg_hdr->msg_len);

  869. 

  870.   n2s(data, msg_hdr->seq);

  871.   n2l3(data, msg_hdr->frag_off);

  872.   n2l3(data, msg_hdr->frag_len);

  873. }