kris
/
boringssl
1
0
Vork 0
Code Kwesties 0 Pull-aanvragen 0 Publicaties 0 Wiki Activiteit
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4556 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 1ab133a9da
Branches Labels
${ item.name }
Maak branch ${ searchTerm }
van '1ab133a9da'
${ noResults }
boringssl/ssl/d1_both.cc

845 regels
28 KiB
Ruw Blame Geschiedenis 

  1. /*

  2.  * DTLS implementation written by Nagendra Modadugu

  3.  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 

  4.  */

  5. /* ====================================================================

  6.  * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.

  7.  *

  8.  * Redistribution and use in source and binary forms, with or without

  9.  * modification, are permitted provided that the following conditions

  10.  * are met:

  11.  *

  12.  * 1. Redistributions of source code must retain the above copyright

  13.  *    notice, this list of conditions and the following disclaimer.

  14.  *

  15.  * 2. Redistributions in binary form must reproduce the above copyright

  16.  *    notice, this list of conditions and the following disclaimer in

  17.  *    the documentation and/or other materials provided with the

  18.  *    distribution.

  19.  *

  20.  * 3. All advertising materials mentioning features or use of this

  21.  *    software must display the following acknowledgment:

  22.  *    "This product includes software developed by the OpenSSL Project

  23.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  24.  *

  25.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  26.  *    endorse or promote products derived from this software without

  27.  *    prior written permission. For written permission, please contact

  28.  *    openssl-core@openssl.org.

  29.  *

  30.  * 5. Products derived from this software may not be called "OpenSSL"

  31.  *    nor may "OpenSSL" appear in their names without prior written

  32.  *    permission of the OpenSSL Project.

  33.  *

  34.  * 6. Redistributions of any form whatsoever must retain the following

  35.  *    acknowledgment:

  36.  *    "This product includes software developed by the OpenSSL Project

  37.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  38.  *

  39.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  40.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  41.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  42.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  43.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  44.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  45.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  46.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  48.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  49.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  50.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  51.  * ====================================================================

  52.  *

  53.  * This product includes cryptographic software written by Eric Young

  54.  * (eay@cryptsoft.com).  This product includes software written by Tim

  55.  * Hudson (tjh@cryptsoft.com).

  56.  *

  57.  */

  58. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  59.  * All rights reserved.

  60.  *

  61.  * This package is an SSL implementation written

  62.  * by Eric Young (eay@cryptsoft.com).

  63.  * The implementation was written so as to conform with Netscapes SSL.

  64.  *

  65.  * This library is free for commercial and non-commercial use as long as

  66.  * the following conditions are aheared to.  The following conditions

  67.  * apply to all code found in this distribution, be it the RC4, RSA,

  68.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  69.  * included with this distribution is covered by the same copyright terms

  70.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  71.  *

  72.  * Copyright remains Eric Young's, and as such any Copyright notices in

  73.  * the code are not to be removed.

  74.  * If this package is used in a product, Eric Young should be given attribution

  75.  * as the author of the parts of the library used.

  76.  * This can be in the form of a textual message at program startup or

  77.  * in documentation (online or textual) provided with the package.

  78.  *

  79.  * Redistribution and use in source and binary forms, with or without

  80.  * modification, are permitted provided that the following conditions

  81.  * are met:

  82.  * 1. Redistributions of source code must retain the copyright

  83.  *    notice, this list of conditions and the following disclaimer.

  84.  * 2. Redistributions in binary form must reproduce the above copyright

  85.  *    notice, this list of conditions and the following disclaimer in the

  86.  *    documentation and/or other materials provided with the distribution.

  87.  * 3. All advertising materials mentioning features or use of this software

  88.  *    must display the following acknowledgement:

  89.  *    "This product includes cryptographic software written by

  90.  *     Eric Young (eay@cryptsoft.com)"

  91.  *    The word 'cryptographic' can be left out if the rouines from the library

  92.  *    being used are not cryptographic related :-).

  93.  * 4. If you include any Windows specific code (or a derivative thereof) from

  94.  *    the apps directory (application code) you must include an acknowledgement:

  95.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  96.  *

  97.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  98.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  99.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  100.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  101.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  102.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  103.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  104.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  105.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  106.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  107.  * SUCH DAMAGE.

  108.  *

  109.  * The licence and distribution terms for any publically available version or

  110.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  111.  * copied and put under another distribution licence

  112.  * [including the GNU Public Licence.] */

  113. 

  114. #include <openssl/ssl.h>

  115. 

  116. #include <assert.h>

  117. #include <limits.h>

  118. #include <string.h>

  119. 

  120. #include <openssl/buf.h>

  121. #include <openssl/err.h>

  122. #include <openssl/evp.h>

  123. #include <openssl/mem.h>

  124. #include <openssl/rand.h>

  125. 

  126. #include "../crypto/internal.h"

  127. #include "internal.h"

  128. 

  129. 

  130. namespace bssl {

  131. 

  132. // TODO(davidben): 28 comes from the size of IP + UDP header. Is this reasonable

  133. // for these values? Notably, why is kMinMTU a function of the transport

  134. // protocol's overhead rather than, say, what's needed to hold a minimally-sized

  135. // handshake fragment plus protocol overhead.

  136. 

  137. // kMinMTU is the minimum acceptable MTU value.

  138. static const unsigned int kMinMTU = 256 - 28;

  139. 

  140. // kDefaultMTU is the default MTU value to use if neither the user nor

  141. // the underlying BIO supplies one.

  142. static const unsigned int kDefaultMTU = 1500 - 28;

  143. 

  144. 

  145. // Receiving handshake messages.

  146. 

  147. static void dtls1_hm_fragment_free(hm_fragment *frag) {

  148.   if (frag == NULL) {

  149.     return;

  150.   }

  151.   OPENSSL_free(frag->data);

  152.   OPENSSL_free(frag->reassembly);

  153.   OPENSSL_free(frag);

  154. }

  155. 

  156. static hm_fragment *dtls1_hm_fragment_new(const struct hm_header_st *msg_hdr) {

  157.   ScopedCBB cbb;

  158.   hm_fragment *frag = (hm_fragment *)OPENSSL_malloc(sizeof(hm_fragment));

  159.   if (frag == NULL) {

  160.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  161.     return NULL;

  162.   }

  163.   OPENSSL_memset(frag, 0, sizeof(hm_fragment));

  164.   frag->type = msg_hdr->type;

  165.   frag->seq = msg_hdr->seq;

  166.   frag->msg_len = msg_hdr->msg_len;

  167. 

  168.   // Allocate space for the reassembled message and fill in the header.

  169.   frag->data =

  170.       (uint8_t *)OPENSSL_malloc(DTLS1_HM_HEADER_LENGTH + msg_hdr->msg_len);

  171.   if (frag->data == NULL) {

  172.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  173.     goto err;

  174.   }

  175. 

  176.   if (!CBB_init_fixed(cbb.get(), frag->data, DTLS1_HM_HEADER_LENGTH) ||

  177.       !CBB_add_u8(cbb.get(), msg_hdr->type) ||

  178.       !CBB_add_u24(cbb.get(), msg_hdr->msg_len) ||

  179.       !CBB_add_u16(cbb.get(), msg_hdr->seq) ||

  180.       !CBB_add_u24(cbb.get(), 0 /* frag_off */) ||

  181.       !CBB_add_u24(cbb.get(), msg_hdr->msg_len) ||

  182.       !CBB_finish(cbb.get(), NULL, NULL)) {

  183.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  184.     goto err;

  185.   }

  186. 

  187.   // If the handshake message is empty, |frag->reassembly| is NULL.

  188.   if (msg_hdr->msg_len > 0) {

  189.     // Initialize reassembly bitmask.

  190.     if (msg_hdr->msg_len + 7 < msg_hdr->msg_len) {

  191.       OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);

  192.       goto err;

  193.     }

  194.     size_t bitmask_len = (msg_hdr->msg_len + 7) / 8;

  195.     frag->reassembly = (uint8_t *)OPENSSL_malloc(bitmask_len);

  196.     if (frag->reassembly == NULL) {

  197.       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  198.       goto err;

  199.     }

  200.     OPENSSL_memset(frag->reassembly, 0, bitmask_len);

  201.   }

  202. 

  203.   return frag;

  204. 

  205. err:

  206.   dtls1_hm_fragment_free(frag);

  207.   return NULL;

  208. }

  209. 

  210. // bit_range returns a |uint8_t| with bits |start|, inclusive, to |end|,

  211. // exclusive, set.

  212. static uint8_t bit_range(size_t start, size_t end) {

  213.   return (uint8_t)(~((1u << start) - 1) & ((1u << end) - 1));

  214. }

  215. 

  216. // dtls1_hm_fragment_mark marks bytes |start|, inclusive, to |end|, exclusive,

  217. // as received in |frag|. If |frag| becomes complete, it clears

  218. // |frag->reassembly|. The range must be within the bounds of |frag|'s message

  219. // and |frag->reassembly| must not be NULL.

  220. static void dtls1_hm_fragment_mark(hm_fragment *frag, size_t start,

  221.                                    size_t end) {

  222.   size_t msg_len = frag->msg_len;

  223. 

  224.   if (frag->reassembly == NULL || start > end || end > msg_len) {

  225.     assert(0);

  226.     return;

  227.   }

  228.   // A zero-length message will never have a pending reassembly.

  229.   assert(msg_len > 0);

  230. 

  231.   if ((start >> 3) == (end >> 3)) {

  232.     frag->reassembly[start >> 3] |= bit_range(start & 7, end & 7);

  233.   } else {

  234.     frag->reassembly[start >> 3] |= bit_range(start & 7, 8);

  235.     for (size_t i = (start >> 3) + 1; i < (end >> 3); i++) {

  236.       frag->reassembly[i] = 0xff;

  237.     }

  238.     if ((end & 7) != 0) {

  239.       frag->reassembly[end >> 3] |= bit_range(0, end & 7);

  240.     }

  241.   }

  242. 

  243.   // Check if the fragment is complete.

  244.   for (size_t i = 0; i < (msg_len >> 3); i++) {

  245.     if (frag->reassembly[i] != 0xff) {

  246.       return;

  247.     }

  248.   }

  249.   if ((msg_len & 7) != 0 &&

  250.       frag->reassembly[msg_len >> 3] != bit_range(0, msg_len & 7)) {

  251.     return;

  252.   }

  253. 

  254.   OPENSSL_free(frag->reassembly);

  255.   frag->reassembly = NULL;

  256. }

  257. 

  258. // dtls1_is_current_message_complete returns one if the current handshake

  259. // message is complete and zero otherwise.

  260. static int dtls1_is_current_message_complete(const SSL *ssl) {

  261.   hm_fragment *frag = ssl->d1->incoming_messages[ssl->d1->handshake_read_seq %

  262.                                                  SSL_MAX_HANDSHAKE_FLIGHT];

  263.   return frag != NULL && frag->reassembly == NULL;

  264. }

  265. 

  266. // dtls1_get_incoming_message returns the incoming message corresponding to

  267. // |msg_hdr|. If none exists, it creates a new one and inserts it in the

  268. // queue. Otherwise, it checks |msg_hdr| is consistent with the existing one. It

  269. // returns NULL on failure. The caller does not take ownership of the result.

  270. static hm_fragment *dtls1_get_incoming_message(

  271.     SSL *ssl, const struct hm_header_st *msg_hdr) {

  272.   if (msg_hdr->seq < ssl->d1->handshake_read_seq ||

  273.       msg_hdr->seq - ssl->d1->handshake_read_seq >= SSL_MAX_HANDSHAKE_FLIGHT) {

  274.     return NULL;

  275.   }

  276. 

  277.   size_t idx = msg_hdr->seq % SSL_MAX_HANDSHAKE_FLIGHT;

  278.   hm_fragment *frag = ssl->d1->incoming_messages[idx];

  279.   if (frag != NULL) {

  280.     assert(frag->seq == msg_hdr->seq);

  281.     // The new fragment must be compatible with the previous fragments from this

  282.     // message.

  283.     if (frag->type != msg_hdr->type ||

  284.         frag->msg_len != msg_hdr->msg_len) {

  285.       OPENSSL_PUT_ERROR(SSL, SSL_R_FRAGMENT_MISMATCH);

  286.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  287.       return NULL;

  288.     }

  289.     return frag;

  290.   }

  291. 

  292.   // This is the first fragment from this message.

  293.   frag = dtls1_hm_fragment_new(msg_hdr);

  294.   if (frag == NULL) {

  295.     return NULL;

  296.   }

  297.   ssl->d1->incoming_messages[idx] = frag;

  298.   return frag;

  299. }

  300. 

  301. int dtls1_read_message(SSL *ssl) {

  302.   SSL3_RECORD *rr = &ssl->s3->rrec;

  303.   if (rr->length == 0) {

  304.     int ret = dtls1_get_record(ssl);

  305.     if (ret <= 0) {

  306.       return ret;

  307.     }

  308.   }

  309. 

  310.   switch (rr->type) {

  311.     case SSL3_RT_APPLICATION_DATA:

  312.       // Unencrypted application data records are always illegal.

  313.       if (ssl->s3->aead_read_ctx->is_null_cipher()) {

  314.         ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);

  315.         OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);

  316.         return -1;

  317.       }

  318. 

  319.       // Out-of-order application data may be received between ChangeCipherSpec

  320.       // and finished. Discard it.

  321.       rr->length = 0;

  322.       ssl_read_buffer_discard(ssl);

  323.       return 1;

  324. 

  325.     case SSL3_RT_CHANGE_CIPHER_SPEC:

  326.       // We do not support renegotiation, so encrypted ChangeCipherSpec records

  327.       // are illegal.

  328.       if (!ssl->s3->aead_read_ctx->is_null_cipher()) {

  329.         ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);

  330.         OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);

  331.         return -1;

  332.       }

  333. 

  334.       if (rr->length != 1 || rr->data[0] != SSL3_MT_CCS) {

  335.         OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_CHANGE_CIPHER_SPEC);

  336.         ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  337.         return -1;

  338.       }

  339. 

  340.       // Flag the ChangeCipherSpec for later.

  341.       ssl->d1->has_change_cipher_spec = true;

  342.       ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_CHANGE_CIPHER_SPEC,

  343.                           rr->data, rr->length);

  344. 

  345.       rr->length = 0;

  346.       ssl_read_buffer_discard(ssl);

  347.       return 1;

  348. 

  349.     case SSL3_RT_HANDSHAKE:

  350.       // Break out to main processing.

  351.       break;

  352. 

  353.     default:

  354.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);

  355.       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);

  356.       return -1;

  357.   }

  358. 

  359.   CBS cbs;

  360.   CBS_init(&cbs, rr->data, rr->length);

  361. 

  362.   while (CBS_len(&cbs) > 0) {

  363.     // Read a handshake fragment.

  364.     struct hm_header_st msg_hdr;

  365.     CBS body;

  366.     if (!dtls1_parse_fragment(&cbs, &msg_hdr, &body)) {

  367.       OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_HANDSHAKE_RECORD);

  368.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  369.       return -1;

  370.     }

  371. 

  372.     const size_t frag_off = msg_hdr.frag_off;

  373.     const size_t frag_len = msg_hdr.frag_len;

  374.     const size_t msg_len = msg_hdr.msg_len;

  375.     if (frag_off > msg_len || frag_off + frag_len < frag_off ||

  376.         frag_off + frag_len > msg_len ||

  377.         msg_len > ssl_max_handshake_message_len(ssl)) {

  378.       OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);

  379.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  380.       return -1;

  381.     }

  382. 

  383.     // The encrypted epoch in DTLS has only one handshake message.

  384.     if (ssl->d1->r_epoch == 1 && msg_hdr.seq != ssl->d1->handshake_read_seq) {

  385.       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);

  386.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);

  387.       return -1;

  388.     }

  389. 

  390.     if (msg_hdr.seq < ssl->d1->handshake_read_seq ||

  391.         msg_hdr.seq >

  392.             (unsigned)ssl->d1->handshake_read_seq + SSL_MAX_HANDSHAKE_FLIGHT) {

  393.       // Ignore fragments from the past, or ones too far in the future.

  394.       continue;

  395.     }

  396. 

  397.     hm_fragment *frag = dtls1_get_incoming_message(ssl, &msg_hdr);

  398.     if (frag == NULL) {

  399.       return -1;

  400.     }

  401.     assert(frag->msg_len == msg_len);

  402. 

  403.     if (frag->reassembly == NULL) {

  404.       // The message is already assembled.

  405.       continue;

  406.     }

  407.     assert(msg_len > 0);

  408. 

  409.     // Copy the body into the fragment.

  410.     OPENSSL_memcpy(frag->data + DTLS1_HM_HEADER_LENGTH + frag_off,

  411.                    CBS_data(&body), CBS_len(&body));

  412.     dtls1_hm_fragment_mark(frag, frag_off, frag_off + frag_len);

  413.   }

  414. 

  415.   rr->length = 0;

  416.   ssl_read_buffer_discard(ssl);

  417.   return 1;

  418. }

  419. 

  420. bool dtls1_get_message(SSL *ssl, SSLMessage *out) {

  421.   if (!dtls1_is_current_message_complete(ssl)) {

  422.     return false;

  423.   }

  424. 

  425.   hm_fragment *frag = ssl->d1->incoming_messages[ssl->d1->handshake_read_seq %

  426.                                                  SSL_MAX_HANDSHAKE_FLIGHT];

  427.   out->type = frag->type;

  428.   CBS_init(&out->body, frag->data + DTLS1_HM_HEADER_LENGTH, frag->msg_len);

  429.   CBS_init(&out->raw, frag->data, DTLS1_HM_HEADER_LENGTH + frag->msg_len);

  430.   out->is_v2_hello = false;

  431.   if (!ssl->s3->has_message) {

  432.     ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HANDSHAKE, frag->data,

  433.                         frag->msg_len + DTLS1_HM_HEADER_LENGTH);

  434.     ssl->s3->has_message = 1;

  435.   }

  436.   return true;

  437. }

  438. 

  439. void dtls1_next_message(SSL *ssl) {

  440.   assert(ssl->s3->has_message);

  441.   assert(dtls1_is_current_message_complete(ssl));

  442.   size_t index = ssl->d1->handshake_read_seq % SSL_MAX_HANDSHAKE_FLIGHT;

  443.   dtls1_hm_fragment_free(ssl->d1->incoming_messages[index]);

  444.   ssl->d1->incoming_messages[index] = NULL;

  445.   ssl->d1->handshake_read_seq++;

  446.   ssl->s3->has_message = 0;

  447.   // If we previously sent a flight, mark it as having a reply, so

  448.   // |on_handshake_complete| can manage post-handshake retransmission.

  449.   if (ssl->d1->outgoing_messages_complete) {

  450.     ssl->d1->flight_has_reply = true;

  451.   }

  452. }

  453. 

  454. void dtls_clear_incoming_messages(SSL *ssl) {

  455.   for (size_t i = 0; i < SSL_MAX_HANDSHAKE_FLIGHT; i++) {

  456.     dtls1_hm_fragment_free(ssl->d1->incoming_messages[i]);

  457.     ssl->d1->incoming_messages[i] = NULL;

  458.   }

  459. }

  460. 

  461. int dtls_has_incoming_messages(const SSL *ssl) {

  462.   size_t current = ssl->d1->handshake_read_seq % SSL_MAX_HANDSHAKE_FLIGHT;

  463.   for (size_t i = 0; i < SSL_MAX_HANDSHAKE_FLIGHT; i++) {

  464.     // Skip the current message.

  465.     if (ssl->s3->has_message && i == current) {

  466.       assert(dtls1_is_current_message_complete(ssl));

  467.       continue;

  468.     }

  469.     if (ssl->d1->incoming_messages[i] != NULL) {

  470.       return 1;

  471.     }

  472.   }

  473.   return 0;

  474. }

  475. 

  476. int dtls1_parse_fragment(CBS *cbs, struct hm_header_st *out_hdr,

  477.                          CBS *out_body) {

  478.   OPENSSL_memset(out_hdr, 0x00, sizeof(struct hm_header_st));

  479. 

  480.   if (!CBS_get_u8(cbs, &out_hdr->type) ||

  481.       !CBS_get_u24(cbs, &out_hdr->msg_len) ||

  482.       !CBS_get_u16(cbs, &out_hdr->seq) ||

  483.       !CBS_get_u24(cbs, &out_hdr->frag_off) ||

  484.       !CBS_get_u24(cbs, &out_hdr->frag_len) ||

  485.       !CBS_get_bytes(cbs, out_body, out_hdr->frag_len)) {

  486.     return 0;

  487.   }

  488. 

  489.   return 1;

  490. }

  491. 

  492. int dtls1_read_change_cipher_spec(SSL *ssl) {

  493.   // Process handshake records until there is a ChangeCipherSpec.

  494.   while (!ssl->d1->has_change_cipher_spec) {

  495.     int ret = dtls1_read_message(ssl);

  496.     if (ret <= 0) {

  497.       return ret;

  498.     }

  499.   }

  500. 

  501.   ssl->d1->has_change_cipher_spec = false;

  502.   return 1;

  503. }

  504. 

  505. 

  506. // Sending handshake messages.

  507. 

  508. void dtls_clear_outgoing_messages(SSL *ssl) {

  509.   for (size_t i = 0; i < ssl->d1->outgoing_messages_len; i++) {

  510.     OPENSSL_free(ssl->d1->outgoing_messages[i].data);

  511.     ssl->d1->outgoing_messages[i].data = NULL;

  512.   }

  513.   ssl->d1->outgoing_messages_len = 0;

  514.   ssl->d1->outgoing_written = 0;

  515.   ssl->d1->outgoing_offset = 0;

  516.   ssl->d1->outgoing_messages_complete = false;

  517.   ssl->d1->flight_has_reply = false;

  518. }

  519. 

  520. int dtls1_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type) {

  521.   // Pick a modest size hint to save most of the |realloc| calls.

  522.   if (!CBB_init(cbb, 64) ||

  523.       !CBB_add_u8(cbb, type) ||

  524.       !CBB_add_u24(cbb, 0 /* length (filled in later) */) ||

  525.       !CBB_add_u16(cbb, ssl->d1->handshake_write_seq) ||

  526.       !CBB_add_u24(cbb, 0 /* offset */) ||

  527.       !CBB_add_u24_length_prefixed(cbb, body)) {

  528.     return 0;

  529.   }

  530. 

  531.   return 1;

  532. }

  533. 

  534. int dtls1_finish_message(SSL *ssl, CBB *cbb, uint8_t **out_msg,

  535.                          size_t *out_len) {

  536.   *out_msg = NULL;

  537.   if (!CBB_finish(cbb, out_msg, out_len) ||

  538.       *out_len < DTLS1_HM_HEADER_LENGTH) {

  539.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  540.     OPENSSL_free(*out_msg);

  541.     return 0;

  542.   }

  543. 

  544.   // Fix up the header. Copy the fragment length into the total message

  545.   // length.

  546.   OPENSSL_memcpy(*out_msg + 1, *out_msg + DTLS1_HM_HEADER_LENGTH - 3, 3);

  547.   return 1;

  548. }

  549. 

  550. // add_outgoing adds a new handshake message or ChangeCipherSpec to the current

  551. // outgoing flight. It returns one on success and zero on error. In both cases,

  552. // it takes ownership of |data| and releases it with |OPENSSL_free| when

  553. // done.

  554. static int add_outgoing(SSL *ssl, int is_ccs, uint8_t *data, size_t len) {

  555.   if (ssl->d1->outgoing_messages_complete) {

  556.     // If we've begun writing a new flight, we received the peer flight. Discard

  557.     // the timer and the our flight.

  558.     dtls1_stop_timer(ssl);

  559.     dtls_clear_outgoing_messages(ssl);

  560.   }

  561. 

  562.   static_assert(SSL_MAX_HANDSHAKE_FLIGHT <

  563.                     (1 << 8 * sizeof(ssl->d1->outgoing_messages_len)),

  564.                 "outgoing_messages_len is too small");

  565.   if (ssl->d1->outgoing_messages_len >= SSL_MAX_HANDSHAKE_FLIGHT) {

  566.     assert(0);

  567.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  568.     OPENSSL_free(data);

  569.     return 0;

  570.   }

  571. 

  572.   if (!is_ccs) {

  573.     // TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript

  574.     // on hs.

  575.     if (ssl->s3->hs != NULL &&

  576.         !ssl->s3->hs->transcript.Update(data, len)) {

  577.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  578.       OPENSSL_free(data);

  579.       return 0;

  580.     }

  581.     ssl->d1->handshake_write_seq++;

  582.   }

  583. 

  584.   DTLS_OUTGOING_MESSAGE *msg =

  585.       &ssl->d1->outgoing_messages[ssl->d1->outgoing_messages_len];

  586.   msg->data = data;

  587.   msg->len = len;

  588.   msg->epoch = ssl->d1->w_epoch;

  589.   msg->is_ccs = is_ccs;

  590. 

  591.   ssl->d1->outgoing_messages_len++;

  592.   return 1;

  593. }

  594. 

  595. int dtls1_add_message(SSL *ssl, uint8_t *data, size_t len) {

  596.   return add_outgoing(ssl, 0 /* handshake */, data, len);

  597. }

  598. 

  599. int dtls1_add_change_cipher_spec(SSL *ssl) {

  600.   return add_outgoing(ssl, 1 /* ChangeCipherSpec */, NULL, 0);

  601. }

  602. 

  603. int dtls1_add_alert(SSL *ssl, uint8_t level, uint8_t desc) {

  604.   // The |add_alert| path is only used for warning alerts for now, which DTLS

  605.   // never sends. This will be implemented later once closure alerts are

  606.   // converted.

  607.   assert(0);

  608.   OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  609.   return 0;

  610. }

  611. 

  612. // dtls1_update_mtu updates the current MTU from the BIO, ensuring it is above

  613. // the minimum.

  614. static void dtls1_update_mtu(SSL *ssl) {

  615.   // TODO(davidben): No consumer implements |BIO_CTRL_DGRAM_SET_MTU| and the

  616.   // only |BIO_CTRL_DGRAM_QUERY_MTU| implementation could use

  617.   // |SSL_set_mtu|. Does this need to be so complex?

  618.   if (ssl->d1->mtu < dtls1_min_mtu() &&

  619.       !(SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) {

  620.     long mtu = BIO_ctrl(ssl->wbio, BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);

  621.     if (mtu >= 0 && mtu <= (1 << 30) && (unsigned)mtu >= dtls1_min_mtu()) {

  622.       ssl->d1->mtu = (unsigned)mtu;

  623.     } else {

  624.       ssl->d1->mtu = kDefaultMTU;

  625.       BIO_ctrl(ssl->wbio, BIO_CTRL_DGRAM_SET_MTU, ssl->d1->mtu, NULL);

  626.     }

  627.   }

  628. 

  629.   // The MTU should be above the minimum now.

  630.   assert(ssl->d1->mtu >= dtls1_min_mtu());

  631. }

  632. 

  633. enum seal_result_t {

  634.   seal_error,

  635.   seal_no_progress,

  636.   seal_partial,

  637.   seal_success,

  638. };

  639. 

  640. // seal_next_message seals |msg|, which must be the next message, to |out|. If

  641. // progress was made, it returns |seal_partial| or |seal_success| and sets

  642. // |*out_len| to the number of bytes written.

  643. static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out,

  644.                                             size_t *out_len, size_t max_out,

  645.                                             const DTLS_OUTGOING_MESSAGE *msg) {

  646.   assert(ssl->d1->outgoing_written < ssl->d1->outgoing_messages_len);

  647.   assert(msg == &ssl->d1->outgoing_messages[ssl->d1->outgoing_written]);

  648. 

  649.   enum dtls1_use_epoch_t use_epoch = dtls1_use_current_epoch;

  650.   if (ssl->d1->w_epoch >= 1 && msg->epoch == ssl->d1->w_epoch - 1) {

  651.     use_epoch = dtls1_use_previous_epoch;

  652.   } else if (msg->epoch != ssl->d1->w_epoch) {

  653.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  654.     return seal_error;

  655.   }

  656. 

  657.   size_t overhead = dtls_max_seal_overhead(ssl, use_epoch);

  658.   size_t prefix = dtls_seal_prefix_len(ssl, use_epoch);

  659. 

  660.   if (msg->is_ccs) {

  661.     // Check there is room for the ChangeCipherSpec.

  662.     static const uint8_t kChangeCipherSpec[1] = {SSL3_MT_CCS};

  663.     if (max_out < sizeof(kChangeCipherSpec) + overhead) {

  664.       return seal_no_progress;

  665.     }

  666. 

  667.     if (!dtls_seal_record(ssl, out, out_len, max_out,

  668.                           SSL3_RT_CHANGE_CIPHER_SPEC, kChangeCipherSpec,

  669.                           sizeof(kChangeCipherSpec), use_epoch)) {

  670.       return seal_error;

  671.     }

  672. 

  673.     ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_CHANGE_CIPHER_SPEC,

  674.                         kChangeCipherSpec, sizeof(kChangeCipherSpec));

  675.     return seal_success;

  676.   }

  677. 

  678.   // DTLS messages are serialized as a single fragment in |msg|.

  679.   CBS cbs, body;

  680.   struct hm_header_st hdr;

  681.   CBS_init(&cbs, msg->data, msg->len);

  682.   if (!dtls1_parse_fragment(&cbs, &hdr, &body) ||

  683.       hdr.frag_off != 0 ||

  684.       hdr.frag_len != CBS_len(&body) ||

  685.       hdr.msg_len != CBS_len(&body) ||

  686.       !CBS_skip(&body, ssl->d1->outgoing_offset) ||

  687.       CBS_len(&cbs) != 0) {

  688.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  689.     return seal_error;

  690.   }

  691. 

  692.   // Determine how much progress can be made.

  693.   if (max_out < DTLS1_HM_HEADER_LENGTH + 1 + overhead || max_out < prefix) {

  694.     return seal_no_progress;

  695.   }

  696.   size_t todo = CBS_len(&body);

  697.   if (todo > max_out - DTLS1_HM_HEADER_LENGTH - overhead) {

  698.     todo = max_out - DTLS1_HM_HEADER_LENGTH - overhead;

  699.   }

  700. 

  701.   // Assemble a fragment, to be sealed in-place.

  702.   ScopedCBB cbb;

  703.   uint8_t *frag = out + prefix;

  704.   size_t max_frag = max_out - prefix, frag_len;

  705.   if (!CBB_init_fixed(cbb.get(), frag, max_frag) ||

  706.       !CBB_add_u8(cbb.get(), hdr.type) ||

  707.       !CBB_add_u24(cbb.get(), hdr.msg_len) ||

  708.       !CBB_add_u16(cbb.get(), hdr.seq) ||

  709.       !CBB_add_u24(cbb.get(), ssl->d1->outgoing_offset) ||

  710.       !CBB_add_u24(cbb.get(), todo) ||

  711.       !CBB_add_bytes(cbb.get(), CBS_data(&body), todo) ||

  712.       !CBB_finish(cbb.get(), NULL, &frag_len)) {

  713.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  714.     return seal_error;

  715.   }

  716. 

  717.   ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HANDSHAKE, frag, frag_len);

  718. 

  719.   if (!dtls_seal_record(ssl, out, out_len, max_out, SSL3_RT_HANDSHAKE,

  720.                         out + prefix, frag_len, use_epoch)) {

  721.     return seal_error;

  722.   }

  723. 

  724.   if (todo == CBS_len(&body)) {

  725.     // The next message is complete.

  726.     ssl->d1->outgoing_offset = 0;

  727.     return seal_success;

  728.   }

  729. 

  730.   ssl->d1->outgoing_offset += todo;

  731.   return seal_partial;

  732. }

  733. 

  734. // seal_next_packet writes as much of the next flight as possible to |out| and

  735. // advances |ssl->d1->outgoing_written| and |ssl->d1->outgoing_offset| as

  736. // appropriate.

  737. static int seal_next_packet(SSL *ssl, uint8_t *out, size_t *out_len,

  738.                             size_t max_out) {

  739.   int made_progress = 0;

  740.   size_t total = 0;

  741.   assert(ssl->d1->outgoing_written < ssl->d1->outgoing_messages_len);

  742.   for (; ssl->d1->outgoing_written < ssl->d1->outgoing_messages_len;

  743.        ssl->d1->outgoing_written++) {

  744.     const DTLS_OUTGOING_MESSAGE *msg =

  745.         &ssl->d1->outgoing_messages[ssl->d1->outgoing_written];

  746.     size_t len;

  747.     enum seal_result_t ret = seal_next_message(ssl, out, &len, max_out, msg);

  748.     switch (ret) {

  749.       case seal_error:

  750.         return 0;

  751. 

  752.       case seal_no_progress:

  753.         goto packet_full;

  754. 

  755.       case seal_partial:

  756.       case seal_success:

  757.         out += len;

  758.         max_out -= len;

  759.         total += len;

  760.         made_progress = 1;

  761. 

  762.         if (ret == seal_partial) {

  763.           goto packet_full;

  764.         }

  765.         break;

  766.     }

  767.   }

  768. 

  769. packet_full:

  770.   // The MTU was too small to make any progress.

  771.   if (!made_progress) {

  772.     OPENSSL_PUT_ERROR(SSL, SSL_R_MTU_TOO_SMALL);

  773.     return 0;

  774.   }

  775. 

  776.   *out_len = total;

  777.   return 1;

  778. }

  779. 

  780. static int send_flight(SSL *ssl) {

  781.   dtls1_update_mtu(ssl);

  782. 

  783.   int ret = -1;

  784.   uint8_t *packet = (uint8_t *)OPENSSL_malloc(ssl->d1->mtu);

  785.   if (packet == NULL) {

  786.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  787.     goto err;

  788.   }

  789. 

  790.   while (ssl->d1->outgoing_written < ssl->d1->outgoing_messages_len) {

  791.     uint8_t old_written = ssl->d1->outgoing_written;

  792.     uint32_t old_offset = ssl->d1->outgoing_offset;

  793. 

  794.     size_t packet_len;

  795.     if (!seal_next_packet(ssl, packet, &packet_len, ssl->d1->mtu)) {

  796.       goto err;

  797.     }

  798. 

  799.     int bio_ret = BIO_write(ssl->wbio, packet, packet_len);

  800.     if (bio_ret <= 0) {

  801.       // Retry this packet the next time around.

  802.       ssl->d1->outgoing_written = old_written;

  803.       ssl->d1->outgoing_offset = old_offset;

  804.       ssl->rwstate = SSL_WRITING;

  805.       ret = bio_ret;

  806.       goto err;

  807.     }

  808.   }

  809. 

  810.   if (BIO_flush(ssl->wbio) <= 0) {

  811.     ssl->rwstate = SSL_WRITING;

  812.     goto err;

  813.   }

  814. 

  815.   ret = 1;

  816. 

  817. err:

  818.   OPENSSL_free(packet);

  819.   return ret;

  820. }

  821. 

  822. int dtls1_flush_flight(SSL *ssl) {

  823.   ssl->d1->outgoing_messages_complete = true;

  824.   // Start the retransmission timer for the next flight (if any).

  825.   dtls1_start_timer(ssl);

  826.   return send_flight(ssl);

  827. }

  828. 

  829. int dtls1_retransmit_outgoing_messages(SSL *ssl) {

  830.   // Rewind to the start of the flight and write it again.

  831.   //

  832.   // TODO(davidben): This does not allow retransmits to be resumed on

  833.   // non-blocking write.

  834.   ssl->d1->outgoing_written = 0;

  835.   ssl->d1->outgoing_offset = 0;

  836. 

  837.   return send_flight(ssl);

  838. }

  839. 

  840. unsigned int dtls1_min_mtu(void) {

  841.   return kMinMTU;

  842. }

  843. 

  844. }  // namespace bssl