kris
/
boringssl
1
0
Fork 0
Koodi Ongelmat 0 Pull-pyynnöt 0 Julkaisut 0 Wiki Toiminta
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1256 Commitit
12 Branchit
38 MiB
 
 
 
 
 
 
Puu: 160f4ef14c
Branchit Tagit
${ item.name }
Create branch ${ searchTerm }
from '160f4ef14c'
${ noResults }
boringssl/ssl/d1_both.c

931 rivejä
32 KiB
Raaka Blame Historia 

  1. /*

  2.  * DTLS implementation written by Nagendra Modadugu

  3.  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 

  4.  */

  5. /* ====================================================================

  6.  * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.

  7.  *

  8.  * Redistribution and use in source and binary forms, with or without

  9.  * modification, are permitted provided that the following conditions

  10.  * are met:

  11.  *

  12.  * 1. Redistributions of source code must retain the above copyright

  13.  *    notice, this list of conditions and the following disclaimer.

  14.  *

  15.  * 2. Redistributions in binary form must reproduce the above copyright

  16.  *    notice, this list of conditions and the following disclaimer in

  17.  *    the documentation and/or other materials provided with the

  18.  *    distribution.

  19.  *

  20.  * 3. All advertising materials mentioning features or use of this

  21.  *    software must display the following acknowledgment:

  22.  *    "This product includes software developed by the OpenSSL Project

  23.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  24.  *

  25.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  26.  *    endorse or promote products derived from this software without

  27.  *    prior written permission. For written permission, please contact

  28.  *    openssl-core@openssl.org.

  29.  *

  30.  * 5. Products derived from this software may not be called "OpenSSL"

  31.  *    nor may "OpenSSL" appear in their names without prior written

  32.  *    permission of the OpenSSL Project.

  33.  *

  34.  * 6. Redistributions of any form whatsoever must retain the following

  35.  *    acknowledgment:

  36.  *    "This product includes software developed by the OpenSSL Project

  37.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  38.  *

  39.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  40.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  41.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  42.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  43.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  44.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  45.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  46.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  48.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  49.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  50.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  51.  * ====================================================================

  52.  *

  53.  * This product includes cryptographic software written by Eric Young

  54.  * (eay@cryptsoft.com).  This product includes software written by Tim

  55.  * Hudson (tjh@cryptsoft.com).

  56.  *

  57.  */

  58. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  59.  * All rights reserved.

  60.  *

  61.  * This package is an SSL implementation written

  62.  * by Eric Young (eay@cryptsoft.com).

  63.  * The implementation was written so as to conform with Netscapes SSL.

  64.  *

  65.  * This library is free for commercial and non-commercial use as long as

  66.  * the following conditions are aheared to.  The following conditions

  67.  * apply to all code found in this distribution, be it the RC4, RSA,

  68.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  69.  * included with this distribution is covered by the same copyright terms

  70.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  71.  *

  72.  * Copyright remains Eric Young's, and as such any Copyright notices in

  73.  * the code are not to be removed.

  74.  * If this package is used in a product, Eric Young should be given attribution

  75.  * as the author of the parts of the library used.

  76.  * This can be in the form of a textual message at program startup or

  77.  * in documentation (online or textual) provided with the package.

  78.  *

  79.  * Redistribution and use in source and binary forms, with or without

  80.  * modification, are permitted provided that the following conditions

  81.  * are met:

  82.  * 1. Redistributions of source code must retain the copyright

  83.  *    notice, this list of conditions and the following disclaimer.

  84.  * 2. Redistributions in binary form must reproduce the above copyright

  85.  *    notice, this list of conditions and the following disclaimer in the

  86.  *    documentation and/or other materials provided with the distribution.

  87.  * 3. All advertising materials mentioning features or use of this software

  88.  *    must display the following acknowledgement:

  89.  *    "This product includes cryptographic software written by

  90.  *     Eric Young (eay@cryptsoft.com)"

  91.  *    The word 'cryptographic' can be left out if the rouines from the library

  92.  *    being used are not cryptographic related :-).

  93.  * 4. If you include any Windows specific code (or a derivative thereof) from

  94.  *    the apps directory (application code) you must include an acknowledgement:

  95.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  96.  *

  97.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  98.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  99.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  100.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  101.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  102.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  103.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  104.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  105.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  106.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  107.  * SUCH DAMAGE.

  108.  *

  109.  * The licence and distribution terms for any publically available version or

  110.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  111.  * copied and put under another distribution licence

  112.  * [including the GNU Public Licence.] */

  113. 

  114. #include <assert.h>

  115. #include <limits.h>

  116. #include <stdio.h>

  117. #include <string.h>

  118. 

  119. #include <openssl/buf.h>

  120. #include <openssl/err.h>

  121. #include <openssl/evp.h>

  122. #include <openssl/mem.h>

  123. #include <openssl/obj.h>

  124. #include <openssl/rand.h>

  125. #include <openssl/x509.h>

  126. 

  127. #include "internal.h"

  128. 

  129. 

  130. /* TODO(davidben): 28 comes from the size of IP + UDP header. Is this reasonable

  131.  * for these values? Notably, why is kMinMTU a function of the transport

  132.  * protocol's overhead rather than, say, what's needed to hold a minimally-sized

  133.  * handshake fragment plus protocol overhead. */

  134. 

  135. /* kMinMTU is the minimum acceptable MTU value. */

  136. static const unsigned int kMinMTU = 256 - 28;

  137. 

  138. /* kDefaultMTU is the default MTU value to use if neither the user nor

  139.  * the underlying BIO supplies one. */

  140. static const unsigned int kDefaultMTU = 1500 - 28;

  141. 

  142. /* kMaxHandshakeBuffer is the maximum number of handshake messages ahead of the

  143.  * current one to buffer. */

  144. static const unsigned int kHandshakeBufferSize = 10;

  145. 

  146. static void dtls1_fix_message_header(SSL *s, unsigned long frag_off,

  147.                                      unsigned long frag_len);

  148. static unsigned char *dtls1_write_message_header(SSL *s, unsigned char *p);

  149. 

  150. static hm_fragment *dtls1_hm_fragment_new(unsigned long frag_len,

  151.                                           int reassembly) {

  152.   hm_fragment *frag = NULL;

  153.   uint8_t *buf = NULL;

  154.   uint8_t *bitmask = NULL;

  155. 

  156.   frag = (hm_fragment *)OPENSSL_malloc(sizeof(hm_fragment));

  157.   if (frag == NULL) {

  158.     OPENSSL_PUT_ERROR(SSL, dtls1_hm_fragment_new, ERR_R_MALLOC_FAILURE);

  159.     return NULL;

  160.   }

  161. 

  162.   if (frag_len) {

  163.     buf = (uint8_t *)OPENSSL_malloc(frag_len);

  164.     if (buf == NULL) {

  165.       OPENSSL_PUT_ERROR(SSL, dtls1_hm_fragment_new, ERR_R_MALLOC_FAILURE);

  166.       OPENSSL_free(frag);

  167.       return NULL;

  168.     }

  169.   }

  170. 

  171.   /* zero length fragment gets zero frag->fragment */

  172.   frag->fragment = buf;

  173. 

  174.   /* Initialize reassembly bitmask if necessary */

  175.   if (reassembly && frag_len > 0) {

  176.     if (frag_len + 7 < frag_len) {

  177.       OPENSSL_PUT_ERROR(SSL, dtls1_hm_fragment_new, ERR_R_OVERFLOW);

  178.       return NULL;

  179.     }

  180.     size_t bitmask_len = (frag_len + 7) / 8;

  181.     bitmask = (uint8_t *)OPENSSL_malloc(bitmask_len);

  182.     if (bitmask == NULL) {

  183.       OPENSSL_PUT_ERROR(SSL, dtls1_hm_fragment_new, ERR_R_MALLOC_FAILURE);

  184.       if (buf != NULL) {

  185.         OPENSSL_free(buf);

  186.       }

  187.       OPENSSL_free(frag);

  188.       return NULL;

  189.     }

  190.     memset(bitmask, 0, bitmask_len);

  191.   }

  192. 

  193.   frag->reassembly = bitmask;

  194. 

  195.   return frag;

  196. }

  197. 

  198. void dtls1_hm_fragment_free(hm_fragment *frag) {

  199.   if (frag->fragment) {

  200.     OPENSSL_free(frag->fragment);

  201.   }

  202.   if (frag->reassembly) {

  203.     OPENSSL_free(frag->reassembly);

  204.   }

  205.   OPENSSL_free(frag);

  206. }

  207. 

  208. #if !defined(inline)

  209. #define inline __inline

  210. #endif

  211. 

  212. /* bit_range returns a |uint8_t| with bits |start|, inclusive, to |end|,

  213.  * exclusive, set. */

  214. static inline uint8_t bit_range(size_t start, size_t end) {

  215.   return (uint8_t)(~((1u << start) - 1) & ((1u << end) - 1));

  216. }

  217. 

  218. /* dtls1_hm_fragment_mark marks bytes |start|, inclusive, to |end|, exclusive,

  219.  * as received in |frag|. If |frag| becomes complete, it clears

  220.  * |frag->reassembly|. The range must be within the bounds of |frag|'s message

  221.  * and |frag->reassembly| must not be NULL. */

  222. static void dtls1_hm_fragment_mark(hm_fragment *frag, size_t start,

  223.                                    size_t end) {

  224.   size_t i;

  225.   size_t msg_len = frag->msg_header.msg_len;

  226. 

  227.   if (frag->reassembly == NULL || start > end || end > msg_len) {

  228.     assert(0);

  229.     return;

  230.   }

  231.   /* A zero-length message will never have a pending reassembly. */

  232.   assert(msg_len > 0);

  233. 

  234.   if ((start >> 3) == (end >> 3)) {

  235.     frag->reassembly[start >> 3] |= bit_range(start & 7, end & 7);

  236.   } else {

  237.     frag->reassembly[start >> 3] |= bit_range(start & 7, 8);

  238.     for (i = (start >> 3) + 1; i < (end >> 3); i++) {

  239.       frag->reassembly[i] = 0xff;

  240.     }

  241.     if ((end & 7) != 0) {

  242.       frag->reassembly[end >> 3] |= bit_range(0, end & 7);

  243.     }

  244.   }

  245. 

  246.   /* Check if the fragment is complete. */

  247.   for (i = 0; i < (msg_len >> 3); i++) {

  248.     if (frag->reassembly[i] != 0xff) {

  249.       return;

  250.     }

  251.   }

  252.   if ((msg_len & 7) != 0 &&

  253.       frag->reassembly[msg_len >> 3] != bit_range(0, msg_len & 7)) {

  254.     return;

  255.   }

  256. 

  257.   OPENSSL_free(frag->reassembly);

  258.   frag->reassembly = NULL;

  259. }

  260. 

  261. /* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or

  262.  * SSL3_RT_CHANGE_CIPHER_SPEC) */

  263. int dtls1_do_write(SSL *s, int type) {

  264.   int ret;

  265.   int curr_mtu;

  266.   unsigned int len, frag_off;

  267.   size_t max_overhead = 0;

  268. 

  269.   /* AHA!  Figure out the MTU, and stick to the right size */

  270.   if (s->d1->mtu < dtls1_min_mtu() &&

  271.       !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) {

  272.     long mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);

  273.     if (mtu >= 0 && mtu <= (1 << 30) && (unsigned)mtu >= dtls1_min_mtu()) {

  274.       s->d1->mtu = (unsigned)mtu;

  275.     } else {

  276.       s->d1->mtu = kDefaultMTU;

  277.       BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SET_MTU, s->d1->mtu, NULL);

  278.     }

  279.   }

  280. 

  281.   /* should have something reasonable now */

  282.   assert(s->d1->mtu >= dtls1_min_mtu());

  283. 

  284.   if (s->init_off == 0 && type == SSL3_RT_HANDSHAKE) {

  285.     assert(s->init_num ==

  286.            (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH);

  287.   }

  288. 

  289.   /* Determine the maximum overhead of the current cipher. */

  290.   if (s->aead_write_ctx != NULL) {

  291.     max_overhead = EVP_AEAD_max_overhead(s->aead_write_ctx->ctx.aead);

  292.     if (s->aead_write_ctx->variable_nonce_included_in_record) {

  293.       max_overhead += s->aead_write_ctx->variable_nonce_len;

  294.     }

  295.   }

  296. 

  297.   frag_off = 0;

  298.   while (s->init_num) {

  299.     /* Account for data in the buffering BIO; multiple records may be packed

  300.      * into a single packet during the handshake.

  301.      *

  302.      * TODO(davidben): This is buggy; if the MTU is larger than the buffer size,

  303.      * the large record will be split across two packets. Moreover, in that

  304.      * case, the |dtls1_write_bytes| call may not return synchronously. This

  305.      * will break on retry as the |s->init_off| and |s->init_num| adjustment

  306.      * will run a second time. */

  307.     curr_mtu = s->d1->mtu - BIO_wpending(SSL_get_wbio(s)) -

  308.         DTLS1_RT_HEADER_LENGTH - max_overhead;

  309. 

  310.     if (curr_mtu <= DTLS1_HM_HEADER_LENGTH) {

  311.       /* Flush the buffer and continue with a fresh packet.

  312.        *

  313.        * TODO(davidben): If |BIO_flush| is not synchronous and requires multiple

  314.        * calls to |dtls1_do_write|, |frag_off| will be wrong. */

  315.       ret = BIO_flush(SSL_get_wbio(s));

  316.       if (ret <= 0) {

  317.         return ret;

  318.       }

  319.       assert(BIO_wpending(SSL_get_wbio(s)) == 0);

  320.       curr_mtu = s->d1->mtu - DTLS1_RT_HEADER_LENGTH - max_overhead;

  321.     }

  322. 

  323.     /* XDTLS: this function is too long.  split out the CCS part */

  324.     if (type == SSL3_RT_HANDSHAKE) {

  325.       /* If this isn't the first fragment, reserve space to prepend a new

  326.        * fragment header. This will override the body of a previous fragment. */

  327.       if (s->init_off != 0) {

  328.         assert(s->init_off > DTLS1_HM_HEADER_LENGTH);

  329.         s->init_off -= DTLS1_HM_HEADER_LENGTH;

  330.         s->init_num += DTLS1_HM_HEADER_LENGTH;

  331.       }

  332. 

  333.       if (curr_mtu <= DTLS1_HM_HEADER_LENGTH) {

  334.         /* To make forward progress, the MTU must, at minimum, fit the handshake

  335.          * header and one byte of handshake body. */

  336.         OPENSSL_PUT_ERROR(SSL, dtls1_do_write, SSL_R_MTU_TOO_SMALL);

  337.         return -1;

  338.       }

  339. 

  340.       if (s->init_num > curr_mtu) {

  341.         len = curr_mtu;

  342.       } else {

  343.         len = s->init_num;

  344.       }

  345.       assert(len >= DTLS1_HM_HEADER_LENGTH);

  346. 

  347.       dtls1_fix_message_header(s, frag_off, len - DTLS1_HM_HEADER_LENGTH);

  348.       dtls1_write_message_header(

  349.           s, (uint8_t *)&s->init_buf->data[s->init_off]);

  350.     } else {

  351.       assert(type == SSL3_RT_CHANGE_CIPHER_SPEC);

  352.       /* ChangeCipherSpec cannot be fragmented. */

  353.       if (s->init_num > curr_mtu) {

  354.         OPENSSL_PUT_ERROR(SSL, dtls1_do_write, SSL_R_MTU_TOO_SMALL);

  355.         return -1;

  356.       }

  357.       len = s->init_num;

  358.     }

  359. 

  360.     ret = dtls1_write_bytes(s, type, &s->init_buf->data[s->init_off], len);

  361.     if (ret < 0) {

  362.       return -1;

  363.     }

  364. 

  365.     /* bad if this assert fails, only part of the handshake message got sent.

  366.      * But why would this happen? */

  367.     assert(len == (unsigned int)ret);

  368. 

  369.     if (ret == s->init_num) {

  370.       if (s->msg_callback) {

  371.         s->msg_callback(1, s->version, type, s->init_buf->data,

  372.                         (size_t)(s->init_off + s->init_num), s,

  373.                         s->msg_callback_arg);

  374.       }

  375. 

  376.       s->init_off = 0; /* done writing this message */

  377.       s->init_num = 0;

  378. 

  379.       return 1;

  380.     }

  381.     s->init_off += ret;

  382.     s->init_num -= ret;

  383.     frag_off += (ret -= DTLS1_HM_HEADER_LENGTH);

  384.   }

  385. 

  386.   return 0;

  387. }

  388. 

  389. /* dtls1_is_next_message_complete returns one if the next handshake message is

  390.  * complete and zero otherwise. */

  391. static int dtls1_is_next_message_complete(SSL *s) {

  392.   pitem *item = pqueue_peek(s->d1->buffered_messages);

  393.   if (item == NULL) {

  394.     return 0;

  395.   }

  396. 

  397.   hm_fragment *frag = (hm_fragment *)item->data;

  398.   assert(s->d1->handshake_read_seq <= frag->msg_header.seq);

  399. 

  400.   return s->d1->handshake_read_seq == frag->msg_header.seq &&

  401.       frag->reassembly == NULL;

  402. }

  403. 

  404. /* dtls1_discard_fragment_body discards a handshake fragment body of length

  405.  * |frag_len|. It returns one on success and zero on error.

  406.  *

  407.  * TODO(davidben): This function will go away when ssl_read_bytes is gone from

  408.  * the DTLS side. */

  409. static int dtls1_discard_fragment_body(SSL *s, size_t frag_len) {

  410.   uint8_t discard[256];

  411.   while (frag_len > 0) {

  412.     size_t chunk = frag_len < sizeof(discard) ? frag_len : sizeof(discard);

  413.     int ret = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, discard, chunk,

  414.                                         0);

  415.     if (ret != chunk) {

  416.       return 0;

  417.     }

  418.     frag_len -= chunk;

  419.   }

  420.   return 1;

  421. }

  422. 

  423. /* dtls1_get_buffered_message returns the buffered message corresponding to

  424.  * |msg_hdr|. If none exists, it creates a new one and inserts it in the

  425.  * queue. Otherwise, it checks |msg_hdr| is consistent with the existing one. It

  426.  * returns NULL on failure. The caller does not take ownership of the result. */

  427. static hm_fragment *dtls1_get_buffered_message(

  428.     SSL *s, const struct hm_header_st *msg_hdr) {

  429.   uint8_t seq64be[8];

  430.   memset(seq64be, 0, sizeof(seq64be));

  431.   seq64be[6] = (uint8_t)(msg_hdr->seq >> 8);

  432.   seq64be[7] = (uint8_t)msg_hdr->seq;

  433.   pitem *item = pqueue_find(s->d1->buffered_messages, seq64be);

  434. 

  435.   hm_fragment *frag;

  436.   if (item == NULL) {

  437.     /* This is the first fragment from this message. */

  438.     frag = dtls1_hm_fragment_new(msg_hdr->msg_len,

  439.                                  1 /* reassembly buffer needed */);

  440.     if (frag == NULL) {

  441.       return NULL;

  442.     }

  443.     memcpy(&frag->msg_header, msg_hdr, sizeof(*msg_hdr));

  444.     item = pitem_new(seq64be, frag);

  445.     if (item == NULL) {

  446.       dtls1_hm_fragment_free(frag);

  447.       return NULL;

  448.     }

  449.     item = pqueue_insert(s->d1->buffered_messages, item);

  450.     /* |pqueue_insert| fails iff a duplicate item is inserted, but |item| cannot

  451.      * be a duplicate. */

  452.     assert(item != NULL);

  453.   } else {

  454.     frag = item->data;

  455.     assert(frag->msg_header.seq == msg_hdr->seq);

  456.     if (frag->msg_header.type != msg_hdr->type ||

  457.         frag->msg_header.msg_len != msg_hdr->msg_len) {

  458.       /* The new fragment must be compatible with the previous fragments from

  459.        * this message. */

  460.       OPENSSL_PUT_ERROR(SSL, dtls1_get_buffered_message,

  461.                         SSL_R_FRAGMENT_MISMATCH);

  462.       ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  463.       return NULL;

  464.     }

  465.   }

  466.   return frag;

  467. }

  468. 

  469. /* dtls1_max_handshake_message_len returns the maximum number of bytes

  470.  * permitted in a DTLS handshake message for |s|. The minimum is 16KB, but may

  471.  * be greater if the maximum certificate list size requires it. */

  472. static size_t dtls1_max_handshake_message_len(const SSL *s) {

  473.   size_t max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;

  474.   if (max_len < (size_t)s->max_cert_list) {

  475.     return (size_t)s->max_cert_list;

  476.   }

  477.   return max_len;

  478. }

  479. 

  480. /* dtls1_process_fragment reads a handshake fragment and processes it. It

  481.  * returns one if a fragment was successfully processed and 0 or -1 on error. */

  482. static int dtls1_process_fragment(SSL *s) {

  483.   /* Read handshake message header.

  484.    *

  485.    * TODO(davidben): ssl_read_bytes allows splitting the fragment header and

  486.    * body across two records. Change this interface to consume the fragment in

  487.    * one pass. */

  488.   uint8_t header[DTLS1_HM_HEADER_LENGTH];

  489.   int ret = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, header,

  490.                                       DTLS1_HM_HEADER_LENGTH, 0);

  491.   if (ret <= 0) {

  492.     return ret;

  493.   }

  494.   if (ret != DTLS1_HM_HEADER_LENGTH) {

  495.     OPENSSL_PUT_ERROR(SSL, dtls1_process_fragment, SSL_R_UNEXPECTED_MESSAGE);

  496.     ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);

  497.     return -1;

  498.   }

  499. 

  500.   /* Parse the message fragment header. */

  501.   struct hm_header_st msg_hdr;

  502.   dtls1_get_message_header(header, &msg_hdr);

  503. 

  504.   const size_t frag_off = msg_hdr.frag_off;

  505.   const size_t frag_len = msg_hdr.frag_len;

  506.   const size_t msg_len = msg_hdr.msg_len;

  507.   if (frag_off > msg_len || frag_off + frag_len < frag_off ||

  508.       frag_off + frag_len > msg_len ||

  509.       msg_len > dtls1_max_handshake_message_len(s)) {

  510.     OPENSSL_PUT_ERROR(SSL, dtls1_process_fragment,

  511.                       SSL_R_EXCESSIVE_MESSAGE_SIZE);

  512.     ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  513.     return -1;

  514.   }

  515. 

  516.   if (msg_hdr.seq < s->d1->handshake_read_seq ||

  517.       msg_hdr.seq > (unsigned)s->d1->handshake_read_seq +

  518.                     kHandshakeBufferSize) {

  519.     /* Ignore fragments from the past, or ones too far in the future. */

  520.     if (!dtls1_discard_fragment_body(s, frag_len)) {

  521.       return -1;

  522.     }

  523.     return 1;

  524.   }

  525. 

  526.   hm_fragment *frag = dtls1_get_buffered_message(s, &msg_hdr);

  527.   if (frag == NULL) {

  528.     return -1;

  529.   }

  530.   assert(frag->msg_header.msg_len == msg_len);

  531. 

  532.   if (frag->reassembly == NULL) {

  533.     /* The message is already assembled. */

  534.     if (!dtls1_discard_fragment_body(s, frag_len)) {

  535.       return -1;

  536.     }

  537.     return 1;

  538.   }

  539.   assert(msg_len > 0);

  540. 

  541.   /* Read the body of the fragment. */

  542.   ret = s->method->ssl_read_bytes(

  543.       s, SSL3_RT_HANDSHAKE, frag->fragment + frag_off, frag_len, 0);

  544.   if (ret != frag_len) {

  545.     OPENSSL_PUT_ERROR(SSL, dtls1_process_fragment, SSL_R_UNEXPECTED_MESSAGE);

  546.     ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);

  547.     return -1;

  548.   }

  549.   dtls1_hm_fragment_mark(frag, frag_off, frag_off + frag_len);

  550. 

  551.   return 1;

  552. }

  553. 

  554. /* dtls1_get_message reads a handshake message of message type |msg_type| (any

  555.  * if |msg_type| == -1), maximum acceptable body length |max|. Read an entire

  556.  * handshake message. Handshake messages arrive in fragments. */

  557. long dtls1_get_message(SSL *s, int st1, int stn, int msg_type, long max,

  558.                        enum ssl_hash_message_t hash_message, int *ok) {

  559.   pitem *item = NULL;

  560.   hm_fragment *frag = NULL;

  561.   int al;

  562. 

  563.   /* s3->tmp is used to store messages that are unexpected, caused

  564.    * by the absence of an optional handshake message */

  565.   if (s->s3->tmp.reuse_message) {

  566.     /* A ssl_dont_hash_message call cannot be combined with reuse_message; the

  567.      * ssl_dont_hash_message would have to have been applied to the previous

  568.      * call. */

  569.     assert(hash_message == ssl_hash_message);

  570.     s->s3->tmp.reuse_message = 0;

  571.     if (msg_type >= 0 && s->s3->tmp.message_type != msg_type) {

  572.       al = SSL_AD_UNEXPECTED_MESSAGE;

  573.       OPENSSL_PUT_ERROR(SSL, dtls1_get_message, SSL_R_UNEXPECTED_MESSAGE);

  574.       goto f_err;

  575.     }

  576.     *ok = 1;

  577.     s->init_msg = (uint8_t *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;

  578.     s->init_num = (int)s->s3->tmp.message_size;

  579.     return s->init_num;

  580.   }

  581. 

  582.   /* Process fragments until one is found. */

  583.   while (!dtls1_is_next_message_complete(s)) {

  584.     int ret = dtls1_process_fragment(s);

  585.     if (ret <= 0) {

  586.       *ok = 0;

  587.       return ret;

  588.     }

  589.   }

  590. 

  591.   /* Read out the next complete handshake message. */

  592.   item = pqueue_pop(s->d1->buffered_messages);

  593.   assert(item != NULL);

  594.   frag = (hm_fragment *)item->data;

  595.   assert(s->d1->handshake_read_seq == frag->msg_header.seq);

  596.   assert(frag->reassembly == NULL);

  597. 

  598.   if (frag->msg_header.msg_len > (size_t)max) {

  599.     OPENSSL_PUT_ERROR(SSL, dtls1_get_message, SSL_R_EXCESSIVE_MESSAGE_SIZE);

  600.     goto err;

  601.   }

  602. 

  603.   CBB cbb;

  604.   if (!BUF_MEM_grow(s->init_buf,

  605.                     (size_t)frag->msg_header.msg_len +

  606.                     DTLS1_HM_HEADER_LENGTH) ||

  607.       !CBB_init_fixed(&cbb, (uint8_t *)s->init_buf->data, s->init_buf->max)) {

  608.     OPENSSL_PUT_ERROR(SSL, dtls1_get_message, ERR_R_MALLOC_FAILURE);

  609.     goto err;

  610.   }

  611. 

  612.   /* Reconstruct the assembled message. */

  613.   size_t len;

  614.   if (!CBB_add_u8(&cbb, frag->msg_header.type) ||

  615.       !CBB_add_u24(&cbb, frag->msg_header.msg_len) ||

  616.       !CBB_add_u16(&cbb, frag->msg_header.seq) ||

  617.       !CBB_add_u24(&cbb, 0 /* frag_off */) ||

  618.       !CBB_add_u24(&cbb, frag->msg_header.msg_len) ||

  619.       !CBB_add_bytes(&cbb, frag->fragment, frag->msg_header.msg_len) ||

  620.       !CBB_finish(&cbb, NULL, &len)) {

  621.     CBB_cleanup(&cbb);

  622.     OPENSSL_PUT_ERROR(SSL, dtls1_get_message, ERR_R_INTERNAL_ERROR);

  623.     goto err;

  624.   }

  625.   assert(len == (size_t)frag->msg_header.msg_len + DTLS1_HM_HEADER_LENGTH);

  626. 

  627.   s->d1->handshake_read_seq++;

  628. 

  629.   /* TODO(davidben): This function has a lot of implicit outputs. Simplify the

  630.    * |ssl_get_message| API. */

  631.   s->s3->tmp.message_type = frag->msg_header.type;

  632.   s->s3->tmp.message_size = frag->msg_header.msg_len;

  633.   s->init_msg = (uint8_t *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;

  634.   s->init_num = frag->msg_header.msg_len;

  635. 

  636.   if (msg_type >= 0 && s->s3->tmp.message_type != msg_type) {

  637.     al = SSL_AD_UNEXPECTED_MESSAGE;

  638.     OPENSSL_PUT_ERROR(SSL, dtls1_get_message, SSL_R_UNEXPECTED_MESSAGE);

  639.     goto f_err;

  640.   }

  641.   if (hash_message == ssl_hash_message && !ssl3_hash_current_message(s)) {

  642.     goto err;

  643.   }

  644.   if (s->msg_callback) {

  645.     s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,

  646.                     s->init_num + DTLS1_HM_HEADER_LENGTH, s,

  647.                     s->msg_callback_arg);

  648.   }

  649. 

  650.   pitem_free(item);

  651.   dtls1_hm_fragment_free(frag);

  652. 

  653.   s->state = stn;

  654.   *ok = 1;

  655.   return s->init_num;

  656. 

  657. f_err:

  658.   ssl3_send_alert(s, SSL3_AL_FATAL, al);

  659. err:

  660.   if (item != NULL) {

  661.     pitem_free(item);

  662.   }

  663.   if (frag != NULL) {

  664.     dtls1_hm_fragment_free(frag);

  665.   }

  666.   *ok = 0;

  667.   return -1;

  668. }

  669. 

  670. /* for these 2 messages, we need to

  671.  * ssl->enc_read_ctx			re-init

  672.  * ssl->s3->read_sequence		zero

  673.  * ssl->s3->read_mac_secret		re-init

  674.  * ssl->session->read_sym_enc		assign

  675.  * ssl->session->read_compression	assign

  676.  * ssl->session->read_hash		assign */

  677. int dtls1_send_change_cipher_spec(SSL *s, int a, int b) {

  678.   uint8_t *p;

  679. 

  680.   if (s->state == a) {

  681.     p = (uint8_t *)s->init_buf->data;

  682.     *p++ = SSL3_MT_CCS;

  683.     s->d1->handshake_write_seq = s->d1->next_handshake_write_seq;

  684.     s->init_num = DTLS1_CCS_HEADER_LENGTH;

  685. 

  686.     s->init_off = 0;

  687. 

  688.     dtls1_set_message_header(s, SSL3_MT_CCS, 0, s->d1->handshake_write_seq, 0,

  689.                              0);

  690. 

  691.     /* buffer the message to handle re-xmits */

  692.     dtls1_buffer_message(s, 1);

  693. 

  694.     s->state = b;

  695.   }

  696. 

  697.   /* SSL3_ST_CW_CHANGE_B */

  698.   return dtls1_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);

  699. }

  700. 

  701. int dtls1_read_failed(SSL *s, int code) {

  702.   if (code > 0) {

  703.     assert(0);

  704.     return 1;

  705.   }

  706. 

  707.   if (!dtls1_is_timer_expired(s)) {

  708.     /* not a timeout, none of our business, let higher layers handle this. In

  709.      * fact, it's probably an error */

  710.     return code;

  711.   }

  712. 

  713.   if (!SSL_in_init(s)) {

  714.     /* done, no need to send a retransmit */

  715.     BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ);

  716.     return code;

  717.   }

  718. 

  719.   return dtls1_handle_timeout(s);

  720. }

  721. 

  722. int dtls1_get_queue_priority(unsigned short seq, int is_ccs) {

  723.   /* The index of the retransmission queue actually is the message sequence

  724.    * number, since the queue only contains messages of a single handshake.

  725.    * However, the ChangeCipherSpec has no message sequence number and so using

  726.    * only the sequence will result in the CCS and Finished having the same

  727.    * index. To prevent this, the sequence number is multiplied by 2. In case of

  728.    * a CCS 1 is subtracted. This does not only differ CSS and Finished, it also

  729.    * maintains the order of the index (important for priority queues) and fits

  730.    * in the unsigned short variable. */

  731.   return seq * 2 - is_ccs;

  732. }

  733. 

  734. static int dtls1_retransmit_message(SSL *s, hm_fragment *frag) {

  735.   int ret;

  736.   /* XDTLS: for now assuming that read/writes are blocking */

  737.   unsigned long header_length;

  738.   uint8_t save_write_sequence[8];

  739. 

  740.   /* assert(s->init_num == 0);

  741.      assert(s->init_off == 0); */

  742. 

  743.   if (frag->msg_header.is_ccs) {

  744.     header_length = DTLS1_CCS_HEADER_LENGTH;

  745.   } else {

  746.     header_length = DTLS1_HM_HEADER_LENGTH;

  747.   }

  748. 

  749.   memcpy(s->init_buf->data, frag->fragment,

  750.          frag->msg_header.msg_len + header_length);

  751.   s->init_num = frag->msg_header.msg_len + header_length;

  752. 

  753.   dtls1_set_message_header(s, frag->msg_header.type,

  754.                            frag->msg_header.msg_len, frag->msg_header.seq,

  755.                            0, frag->msg_header.frag_len);

  756. 

  757.   /* Save current state. */

  758.   SSL_AEAD_CTX *aead_write_ctx = s->aead_write_ctx;

  759.   uint16_t epoch = s->d1->w_epoch;

  760. 

  761.   /* DTLS renegotiation is unsupported, so only epochs 0 (NULL cipher) and 1

  762.    * (negotiated cipher) exist. */

  763.   assert(epoch == 0 || epoch == 1);

  764.   assert(frag->msg_header.epoch <= epoch);

  765.   const int fragment_from_previous_epoch = (epoch == 1 &&

  766.                                             frag->msg_header.epoch == 0);

  767.   if (fragment_from_previous_epoch) {

  768.     /* Rewind to the previous epoch.

  769.      *

  770.      * TODO(davidben): Instead of swapping out connection-global state, this

  771.      * logic should pass a "use previous epoch" parameter down to lower-level

  772.      * functions. */

  773.     s->d1->w_epoch = frag->msg_header.epoch;

  774.     s->aead_write_ctx = NULL;

  775.     memcpy(save_write_sequence, s->s3->write_sequence,

  776.            sizeof(s->s3->write_sequence));

  777.     memcpy(s->s3->write_sequence, s->d1->last_write_sequence,

  778.            sizeof(s->s3->write_sequence));

  779.   } else {

  780.     /* Otherwise the messages must be from the same epoch. */

  781.     assert(frag->msg_header.epoch == epoch);

  782.   }

  783. 

  784.   ret = dtls1_do_write(s, frag->msg_header.is_ccs ? SSL3_RT_CHANGE_CIPHER_SPEC

  785.                                                   : SSL3_RT_HANDSHAKE);

  786. 

  787.   if (fragment_from_previous_epoch) {

  788.     /* Restore the current epoch. */

  789.     s->aead_write_ctx = aead_write_ctx;

  790.     s->d1->w_epoch = epoch;

  791.     memcpy(s->d1->last_write_sequence, s->s3->write_sequence,

  792.            sizeof(s->s3->write_sequence));

  793.     memcpy(s->s3->write_sequence, save_write_sequence,

  794.            sizeof(s->s3->write_sequence));

  795.   }

  796. 

  797.   (void)BIO_flush(SSL_get_wbio(s));

  798.   return ret;

  799. }

  800. 

  801. 

  802. int dtls1_retransmit_buffered_messages(SSL *s) {

  803.   pqueue sent = s->d1->sent_messages;

  804.   piterator iter = pqueue_iterator(sent);

  805.   pitem *item;

  806. 

  807.   for (item = pqueue_next(&iter); item != NULL; item = pqueue_next(&iter)) {

  808.     hm_fragment *frag = (hm_fragment *)item->data;

  809.     if (dtls1_retransmit_message(s, frag) <= 0) {

  810.       return -1;

  811.     }

  812.   }

  813. 

  814.   return 1;

  815. }

  816. 

  817. int dtls1_buffer_message(SSL *s, int is_ccs) {

  818.   pitem *item;

  819.   hm_fragment *frag;

  820.   uint8_t seq64be[8];

  821. 

  822.   /* this function is called immediately after a message has

  823.    * been serialized */

  824.   assert(s->init_off == 0);

  825. 

  826.   frag = dtls1_hm_fragment_new(s->init_num, 0);

  827.   if (!frag) {

  828.     return 0;

  829.   }

  830. 

  831.   memcpy(frag->fragment, s->init_buf->data, s->init_num);

  832. 

  833.   if (is_ccs) {

  834.     assert(s->d1->w_msg_hdr.msg_len + DTLS1_CCS_HEADER_LENGTH ==

  835.            (unsigned int)s->init_num);

  836.   } else {

  837.     assert(s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH ==

  838.            (unsigned int)s->init_num);

  839.   }

  840. 

  841.   frag->msg_header.msg_len = s->d1->w_msg_hdr.msg_len;

  842.   frag->msg_header.seq = s->d1->w_msg_hdr.seq;

  843.   frag->msg_header.type = s->d1->w_msg_hdr.type;

  844.   frag->msg_header.frag_off = 0;

  845.   frag->msg_header.frag_len = s->d1->w_msg_hdr.msg_len;

  846.   frag->msg_header.is_ccs = is_ccs;

  847.   frag->msg_header.epoch = s->d1->w_epoch;

  848. 

  849.   memset(seq64be, 0, sizeof(seq64be));

  850.   seq64be[6] = (uint8_t)(

  851.       dtls1_get_queue_priority(frag->msg_header.seq, frag->msg_header.is_ccs) >>

  852.       8);

  853.   seq64be[7] = (uint8_t)(

  854.       dtls1_get_queue_priority(frag->msg_header.seq, frag->msg_header.is_ccs));

  855. 

  856.   item = pitem_new(seq64be, frag);

  857.   if (item == NULL) {

  858.     dtls1_hm_fragment_free(frag);

  859.     return 0;

  860.   }

  861. 

  862.   pqueue_insert(s->d1->sent_messages, item);

  863.   return 1;

  864. }

  865. 

  866. /* call this function when the buffered messages are no longer needed */

  867. void dtls1_clear_record_buffer(SSL *s) {

  868.   pitem *item;

  869. 

  870.   for (item = pqueue_pop(s->d1->sent_messages); item != NULL;

  871.        item = pqueue_pop(s->d1->sent_messages)) {

  872.     dtls1_hm_fragment_free((hm_fragment *)item->data);

  873.     pitem_free(item);

  874.   }

  875. }

  876. 

  877. /* don't actually do the writing, wait till the MTU has been retrieved */

  878. void dtls1_set_message_header(SSL *s, uint8_t mt, unsigned long len,

  879.                               unsigned short seq_num, unsigned long frag_off,

  880.                               unsigned long frag_len) {

  881.   struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;

  882. 

  883.   msg_hdr->type = mt;

  884.   msg_hdr->msg_len = len;

  885.   msg_hdr->seq = seq_num;

  886.   msg_hdr->frag_off = frag_off;

  887.   msg_hdr->frag_len = frag_len;

  888. }

  889. 

  890. static void dtls1_fix_message_header(SSL *s, unsigned long frag_off,

  891.                                      unsigned long frag_len) {

  892.   struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;

  893. 

  894.   msg_hdr->frag_off = frag_off;

  895.   msg_hdr->frag_len = frag_len;

  896. }

  897. 

  898. static uint8_t *dtls1_write_message_header(SSL *s, uint8_t *p) {

  899.   struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;

  900. 

  901.   *p++ = msg_hdr->type;

  902.   l2n3(msg_hdr->msg_len, p);

  903. 

  904.   s2n(msg_hdr->seq, p);

  905.   l2n3(msg_hdr->frag_off, p);

  906.   l2n3(msg_hdr->frag_len, p);

  907. 

  908.   return p;

  909. }

  910. 

  911. unsigned int dtls1_min_mtu(void) {

  912.   return kMinMTU;

  913. }

  914. 

  915. void dtls1_get_message_header(uint8_t *data,

  916.                               struct hm_header_st *msg_hdr) {

  917.   memset(msg_hdr, 0x00, sizeof(struct hm_header_st));

  918.   msg_hdr->type = *(data++);

  919.   n2l3(data, msg_hdr->msg_len);

  920. 

  921.   n2s(data, msg_hdr->seq);

  922.   n2l3(data, msg_hdr->frag_off);

  923.   n2l3(data, msg_hdr->frag_len);

  924. }

  925. 

  926. int dtls1_shutdown(SSL *s) {

  927.   int ret;

  928.   ret = ssl3_shutdown(s);

  929.   return ret;

  930. }