kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2448 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 6f7374b0ed
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6f7374b0ed'
${ noResults }
boringssl/ssl/d1_both.c

882 lines
30 KiB
Raw Blame History 

  1. /*

  2.  * DTLS implementation written by Nagendra Modadugu

  3.  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 

  4.  */

  5. /* ====================================================================

  6.  * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.

  7.  *

  8.  * Redistribution and use in source and binary forms, with or without

  9.  * modification, are permitted provided that the following conditions

  10.  * are met:

  11.  *

  12.  * 1. Redistributions of source code must retain the above copyright

  13.  *    notice, this list of conditions and the following disclaimer.

  14.  *

  15.  * 2. Redistributions in binary form must reproduce the above copyright

  16.  *    notice, this list of conditions and the following disclaimer in

  17.  *    the documentation and/or other materials provided with the

  18.  *    distribution.

  19.  *

  20.  * 3. All advertising materials mentioning features or use of this

  21.  *    software must display the following acknowledgment:

  22.  *    "This product includes software developed by the OpenSSL Project

  23.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  24.  *

  25.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  26.  *    endorse or promote products derived from this software without

  27.  *    prior written permission. For written permission, please contact

  28.  *    openssl-core@openssl.org.

  29.  *

  30.  * 5. Products derived from this software may not be called "OpenSSL"

  31.  *    nor may "OpenSSL" appear in their names without prior written

  32.  *    permission of the OpenSSL Project.

  33.  *

  34.  * 6. Redistributions of any form whatsoever must retain the following

  35.  *    acknowledgment:

  36.  *    "This product includes software developed by the OpenSSL Project

  37.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  38.  *

  39.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  40.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  41.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  42.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  43.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  44.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  45.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  46.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  48.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  49.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  50.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  51.  * ====================================================================

  52.  *

  53.  * This product includes cryptographic software written by Eric Young

  54.  * (eay@cryptsoft.com).  This product includes software written by Tim

  55.  * Hudson (tjh@cryptsoft.com).

  56.  *

  57.  */

  58. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  59.  * All rights reserved.

  60.  *

  61.  * This package is an SSL implementation written

  62.  * by Eric Young (eay@cryptsoft.com).

  63.  * The implementation was written so as to conform with Netscapes SSL.

  64.  *

  65.  * This library is free for commercial and non-commercial use as long as

  66.  * the following conditions are aheared to.  The following conditions

  67.  * apply to all code found in this distribution, be it the RC4, RSA,

  68.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  69.  * included with this distribution is covered by the same copyright terms

  70.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  71.  *

  72.  * Copyright remains Eric Young's, and as such any Copyright notices in

  73.  * the code are not to be removed.

  74.  * If this package is used in a product, Eric Young should be given attribution

  75.  * as the author of the parts of the library used.

  76.  * This can be in the form of a textual message at program startup or

  77.  * in documentation (online or textual) provided with the package.

  78.  *

  79.  * Redistribution and use in source and binary forms, with or without

  80.  * modification, are permitted provided that the following conditions

  81.  * are met:

  82.  * 1. Redistributions of source code must retain the copyright

  83.  *    notice, this list of conditions and the following disclaimer.

  84.  * 2. Redistributions in binary form must reproduce the above copyright

  85.  *    notice, this list of conditions and the following disclaimer in the

  86.  *    documentation and/or other materials provided with the distribution.

  87.  * 3. All advertising materials mentioning features or use of this software

  88.  *    must display the following acknowledgement:

  89.  *    "This product includes cryptographic software written by

  90.  *     Eric Young (eay@cryptsoft.com)"

  91.  *    The word 'cryptographic' can be left out if the rouines from the library

  92.  *    being used are not cryptographic related :-).

  93.  * 4. If you include any Windows specific code (or a derivative thereof) from

  94.  *    the apps directory (application code) you must include an acknowledgement:

  95.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  96.  *

  97.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  98.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  99.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  100.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  101.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  102.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  103.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  104.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  105.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  106.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  107.  * SUCH DAMAGE.

  108.  *

  109.  * The licence and distribution terms for any publically available version or

  110.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  111.  * copied and put under another distribution licence

  112.  * [including the GNU Public Licence.] */

  113. 

  114. #include <openssl/ssl.h>

  115. 

  116. #include <assert.h>

  117. #include <limits.h>

  118. #include <stdio.h>

  119. #include <string.h>

  120. 

  121. #include <openssl/buf.h>

  122. #include <openssl/err.h>

  123. #include <openssl/evp.h>

  124. #include <openssl/mem.h>

  125. #include <openssl/obj.h>

  126. #include <openssl/rand.h>

  127. #include <openssl/x509.h>

  128. 

  129. #include "internal.h"

  130. 

  131. 

  132. /* TODO(davidben): 28 comes from the size of IP + UDP header. Is this reasonable

  133.  * for these values? Notably, why is kMinMTU a function of the transport

  134.  * protocol's overhead rather than, say, what's needed to hold a minimally-sized

  135.  * handshake fragment plus protocol overhead. */

  136. 

  137. /* kMinMTU is the minimum acceptable MTU value. */

  138. static const unsigned int kMinMTU = 256 - 28;

  139. 

  140. /* kDefaultMTU is the default MTU value to use if neither the user nor

  141.  * the underlying BIO supplies one. */

  142. static const unsigned int kDefaultMTU = 1500 - 28;

  143. 

  144. /* kMaxHandshakeBuffer is the maximum number of handshake messages ahead of the

  145.  * current one to buffer. */

  146. static const unsigned int kHandshakeBufferSize = 10;

  147. 

  148. static hm_fragment *dtls1_hm_fragment_new(size_t frag_len, int reassembly) {

  149.   hm_fragment *frag = OPENSSL_malloc(sizeof(hm_fragment));

  150.   if (frag == NULL) {

  151.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  152.     return NULL;

  153.   }

  154.   memset(frag, 0, sizeof(hm_fragment));

  155. 

  156.   /* If the handshake message is empty, |frag->fragment| and |frag->reassembly|

  157.    * are NULL. */

  158.   if (frag_len > 0) {

  159.     frag->fragment = OPENSSL_malloc(frag_len);

  160.     if (frag->fragment == NULL) {

  161.       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  162.       goto err;

  163.     }

  164. 

  165.     if (reassembly) {

  166.       /* Initialize reassembly bitmask. */

  167.       if (frag_len + 7 < frag_len) {

  168.         OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);

  169.         goto err;

  170.       }

  171.       size_t bitmask_len = (frag_len + 7) / 8;

  172.       frag->reassembly = OPENSSL_malloc(bitmask_len);

  173.       if (frag->reassembly == NULL) {

  174.         OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  175.         goto err;

  176.       }

  177.       memset(frag->reassembly, 0, bitmask_len);

  178.     }

  179.   }

  180. 

  181.   return frag;

  182. 

  183. err:

  184.   dtls1_hm_fragment_free(frag);

  185.   return NULL;

  186. }

  187. 

  188. void dtls1_hm_fragment_free(hm_fragment *frag) {

  189.   if (frag == NULL) {

  190.     return;

  191.   }

  192.   OPENSSL_free(frag->fragment);

  193.   OPENSSL_free(frag->reassembly);

  194.   OPENSSL_free(frag);

  195. }

  196. 

  197. #if !defined(inline)

  198. #define inline __inline

  199. #endif

  200. 

  201. /* bit_range returns a |uint8_t| with bits |start|, inclusive, to |end|,

  202.  * exclusive, set. */

  203. static inline uint8_t bit_range(size_t start, size_t end) {

  204.   return (uint8_t)(~((1u << start) - 1) & ((1u << end) - 1));

  205. }

  206. 

  207. /* dtls1_hm_fragment_mark marks bytes |start|, inclusive, to |end|, exclusive,

  208.  * as received in |frag|. If |frag| becomes complete, it clears

  209.  * |frag->reassembly|. The range must be within the bounds of |frag|'s message

  210.  * and |frag->reassembly| must not be NULL. */

  211. static void dtls1_hm_fragment_mark(hm_fragment *frag, size_t start,

  212.                                    size_t end) {

  213.   size_t i;

  214.   size_t msg_len = frag->msg_header.msg_len;

  215. 

  216.   if (frag->reassembly == NULL || start > end || end > msg_len) {

  217.     assert(0);

  218.     return;

  219.   }

  220.   /* A zero-length message will never have a pending reassembly. */

  221.   assert(msg_len > 0);

  222. 

  223.   if ((start >> 3) == (end >> 3)) {

  224.     frag->reassembly[start >> 3] |= bit_range(start & 7, end & 7);

  225.   } else {

  226.     frag->reassembly[start >> 3] |= bit_range(start & 7, 8);

  227.     for (i = (start >> 3) + 1; i < (end >> 3); i++) {

  228.       frag->reassembly[i] = 0xff;

  229.     }

  230.     if ((end & 7) != 0) {

  231.       frag->reassembly[end >> 3] |= bit_range(0, end & 7);

  232.     }

  233.   }

  234. 

  235.   /* Check if the fragment is complete. */

  236.   for (i = 0; i < (msg_len >> 3); i++) {

  237.     if (frag->reassembly[i] != 0xff) {

  238.       return;

  239.     }

  240.   }

  241.   if ((msg_len & 7) != 0 &&

  242.       frag->reassembly[msg_len >> 3] != bit_range(0, msg_len & 7)) {

  243.     return;

  244.   }

  245. 

  246.   OPENSSL_free(frag->reassembly);

  247.   frag->reassembly = NULL;

  248. }

  249. 

  250. static void dtls1_update_mtu(SSL *ssl) {

  251.   /* TODO(davidben): What is this code doing and do we need it? */

  252.   if (ssl->d1->mtu < dtls1_min_mtu() &&

  253.       !(SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) {

  254.     long mtu = BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);

  255.     if (mtu >= 0 && mtu <= (1 << 30) && (unsigned)mtu >= dtls1_min_mtu()) {

  256.       ssl->d1->mtu = (unsigned)mtu;

  257.     } else {

  258.       ssl->d1->mtu = kDefaultMTU;

  259.       BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SET_MTU, ssl->d1->mtu, NULL);

  260.     }

  261.   }

  262. 

  263.   /* The MTU should be above the minimum now. */

  264.   assert(ssl->d1->mtu >= dtls1_min_mtu());

  265. }

  266. 

  267. /* dtls1_max_record_size returns the maximum record body length that may be

  268.  * written without exceeding the MTU. It accounts for any buffering installed on

  269.  * the write BIO. If no record may be written, it returns zero. */

  270. static size_t dtls1_max_record_size(SSL *ssl) {

  271.   size_t ret = ssl->d1->mtu;

  272. 

  273.   size_t overhead = ssl_max_seal_overhead(ssl);

  274.   if (ret <= overhead) {

  275.     return 0;

  276.   }

  277.   ret -= overhead;

  278. 

  279.   size_t pending = BIO_wpending(SSL_get_wbio(ssl));

  280.   if (ret <= pending) {

  281.     return 0;

  282.   }

  283.   ret -= pending;

  284. 

  285.   return ret;

  286. }

  287. 

  288. static int dtls1_write_change_cipher_spec(SSL *ssl,

  289.                                           enum dtls1_use_epoch_t use_epoch) {

  290.   dtls1_update_mtu(ssl);

  291. 

  292.   /* During the handshake, wbio is buffered to pack messages together. Flush the

  293.    * buffer if the ChangeCipherSpec would not fit in a packet. */

  294.   if (dtls1_max_record_size(ssl) == 0) {

  295.     ssl->rwstate = SSL_WRITING;

  296.     int ret = BIO_flush(SSL_get_wbio(ssl));

  297.     if (ret <= 0) {

  298.       return ret;

  299.     }

  300.     ssl->rwstate = SSL_NOTHING;

  301.   }

  302. 

  303.   static const uint8_t kChangeCipherSpec[1] = {SSL3_MT_CCS};

  304.   int ret =

  305.       dtls1_write_bytes(ssl, SSL3_RT_CHANGE_CIPHER_SPEC, kChangeCipherSpec,

  306.                         sizeof(kChangeCipherSpec), use_epoch);

  307.   if (ret <= 0) {

  308.     return ret;

  309.   }

  310. 

  311.   if (ssl->msg_callback != NULL) {

  312.     ssl->msg_callback(1 /* write */, ssl->version, SSL3_RT_CHANGE_CIPHER_SPEC,

  313.                       kChangeCipherSpec, sizeof(kChangeCipherSpec), ssl,

  314.                       ssl->msg_callback_arg);

  315.   }

  316. 

  317.   return 1;

  318. }

  319. 

  320. int dtls1_do_handshake_write(SSL *ssl, enum dtls1_use_epoch_t use_epoch) {

  321.   dtls1_update_mtu(ssl);

  322. 

  323.   int ret = -1;

  324.   CBB cbb;

  325.   CBB_zero(&cbb);

  326.   /* Allocate a temporary buffer to hold the message fragments to avoid

  327.    * clobbering the message. */

  328.   uint8_t *buf = OPENSSL_malloc(ssl->d1->mtu);

  329.   if (buf == NULL) {

  330.     goto err;

  331.   }

  332. 

  333.   /* Consume the message header. Fragments will have different headers

  334.    * prepended. */

  335.   if (ssl->init_off == 0) {

  336.     ssl->init_off += DTLS1_HM_HEADER_LENGTH;

  337.     ssl->init_num -= DTLS1_HM_HEADER_LENGTH;

  338.   }

  339.   assert(ssl->init_off >= DTLS1_HM_HEADER_LENGTH);

  340. 

  341.   do {

  342.     /* During the handshake, wbio is buffered to pack messages together. Flush

  343.      * the buffer if there isn't enough room to make progress. */

  344.     if (dtls1_max_record_size(ssl) < DTLS1_HM_HEADER_LENGTH + 1) {

  345.       ssl->rwstate = SSL_WRITING;

  346.       int flush_ret = BIO_flush(SSL_get_wbio(ssl));

  347.       if (flush_ret <= 0) {

  348.         ret = flush_ret;

  349.         goto err;

  350.       }

  351.       ssl->rwstate = SSL_NOTHING;

  352.       assert(BIO_wpending(SSL_get_wbio(ssl)) == 0);

  353.     }

  354. 

  355.     size_t todo = dtls1_max_record_size(ssl);

  356.     if (todo < DTLS1_HM_HEADER_LENGTH + 1) {

  357.       /* To make forward progress, the MTU must, at minimum, fit the handshake

  358.        * header and one byte of handshake body. */

  359.       OPENSSL_PUT_ERROR(SSL, SSL_R_MTU_TOO_SMALL);

  360.       goto err;

  361.     }

  362.     todo -= DTLS1_HM_HEADER_LENGTH;

  363. 

  364.     if (todo > (size_t)ssl->init_num) {

  365.       todo = ssl->init_num;

  366.     }

  367.     if (todo >= (1u << 24)) {

  368.       todo = (1u << 24) - 1;

  369.     }

  370. 

  371.     size_t len;

  372.     if (!CBB_init_fixed(&cbb, buf, ssl->d1->mtu) ||

  373.         !CBB_add_u8(&cbb, ssl->d1->w_msg_hdr.type) ||

  374.         !CBB_add_u24(&cbb, ssl->d1->w_msg_hdr.msg_len) ||

  375.         !CBB_add_u16(&cbb, ssl->d1->w_msg_hdr.seq) ||

  376.         !CBB_add_u24(&cbb, ssl->init_off - DTLS1_HM_HEADER_LENGTH) ||

  377.         !CBB_add_u24(&cbb, todo) ||

  378.         !CBB_add_bytes(

  379.             &cbb, (const uint8_t *)ssl->init_buf->data + ssl->init_off, todo) ||

  380.         !CBB_finish(&cbb, NULL, &len)) {

  381.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  382.       goto err;

  383.     }

  384. 

  385.     int write_ret = dtls1_write_bytes(ssl, SSL3_RT_HANDSHAKE, buf, len,

  386.                                       use_epoch);

  387.     if (write_ret <= 0) {

  388.       ret = write_ret;

  389.       goto err;

  390.     }

  391.     ssl->init_off += todo;

  392.     ssl->init_num -= todo;

  393.   } while (ssl->init_num > 0);

  394. 

  395.   if (ssl->msg_callback != NULL) {

  396.     ssl->msg_callback(

  397.         1 /* write */, ssl->version, SSL3_RT_HANDSHAKE, ssl->init_buf->data,

  398.         (size_t)(ssl->init_off + ssl->init_num), ssl, ssl->msg_callback_arg);

  399.   }

  400. 

  401.   ssl->init_off = 0;

  402.   ssl->init_num = 0;

  403. 

  404.   ret = 1;

  405. 

  406. err:

  407.   CBB_cleanup(&cbb);

  408.   OPENSSL_free(buf);

  409.   return ret;

  410. }

  411. 

  412. /* dtls1_is_next_message_complete returns one if the next handshake message is

  413.  * complete and zero otherwise. */

  414. static int dtls1_is_next_message_complete(SSL *ssl) {

  415.   pitem *item = pqueue_peek(ssl->d1->buffered_messages);

  416.   if (item == NULL) {

  417.     return 0;

  418.   }

  419. 

  420.   hm_fragment *frag = (hm_fragment *)item->data;

  421.   assert(ssl->d1->handshake_read_seq <= frag->msg_header.seq);

  422. 

  423.   return ssl->d1->handshake_read_seq == frag->msg_header.seq &&

  424.          frag->reassembly == NULL;

  425. }

  426. 

  427. /* dtls1_discard_fragment_body discards a handshake fragment body of length

  428.  * |frag_len|. It returns one on success and zero on error.

  429.  *

  430.  * TODO(davidben): This function will go away when ssl_read_bytes is gone from

  431.  * the DTLS side. */

  432. static int dtls1_discard_fragment_body(SSL *ssl, size_t frag_len) {

  433.   uint8_t discard[256];

  434.   while (frag_len > 0) {

  435.     size_t chunk = frag_len < sizeof(discard) ? frag_len : sizeof(discard);

  436.     int ret = dtls1_read_bytes(ssl, SSL3_RT_HANDSHAKE, discard, chunk, 0);

  437.     if (ret != (int) chunk) {

  438.       return 0;

  439.     }

  440.     frag_len -= chunk;

  441.   }

  442.   return 1;

  443. }

  444. 

  445. /* dtls1_get_buffered_message returns the buffered message corresponding to

  446.  * |msg_hdr|. If none exists, it creates a new one and inserts it in the

  447.  * queue. Otherwise, it checks |msg_hdr| is consistent with the existing one. It

  448.  * returns NULL on failure. The caller does not take ownership of the result. */

  449. static hm_fragment *dtls1_get_buffered_message(

  450.     SSL *ssl, const struct hm_header_st *msg_hdr) {

  451.   uint8_t seq64be[8];

  452.   memset(seq64be, 0, sizeof(seq64be));

  453.   seq64be[6] = (uint8_t)(msg_hdr->seq >> 8);

  454.   seq64be[7] = (uint8_t)msg_hdr->seq;

  455.   pitem *item = pqueue_find(ssl->d1->buffered_messages, seq64be);

  456. 

  457.   hm_fragment *frag;

  458.   if (item == NULL) {

  459.     /* This is the first fragment from this message. */

  460.     frag = dtls1_hm_fragment_new(msg_hdr->msg_len,

  461.                                  1 /* reassembly buffer needed */);

  462.     if (frag == NULL) {

  463.       return NULL;

  464.     }

  465.     memcpy(&frag->msg_header, msg_hdr, sizeof(*msg_hdr));

  466.     item = pitem_new(seq64be, frag);

  467.     if (item == NULL) {

  468.       dtls1_hm_fragment_free(frag);

  469.       return NULL;

  470.     }

  471.     item = pqueue_insert(ssl->d1->buffered_messages, item);

  472.     /* |pqueue_insert| fails iff a duplicate item is inserted, but |item| cannot

  473.      * be a duplicate. */

  474.     assert(item != NULL);

  475.   } else {

  476.     frag = item->data;

  477.     assert(frag->msg_header.seq == msg_hdr->seq);

  478.     if (frag->msg_header.type != msg_hdr->type ||

  479.         frag->msg_header.msg_len != msg_hdr->msg_len) {

  480.       /* The new fragment must be compatible with the previous fragments from

  481.        * this message. */

  482.       OPENSSL_PUT_ERROR(SSL, SSL_R_FRAGMENT_MISMATCH);

  483.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  484.       return NULL;

  485.     }

  486.   }

  487.   return frag;

  488. }

  489. 

  490. /* dtls1_max_handshake_message_len returns the maximum number of bytes

  491.  * permitted in a DTLS handshake message for |ssl|. The minimum is 16KB, but may

  492.  * be greater if the maximum certificate list size requires it. */

  493. static size_t dtls1_max_handshake_message_len(const SSL *ssl) {

  494.   size_t max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;

  495.   if (max_len < ssl->max_cert_list) {

  496.     return ssl->max_cert_list;

  497.   }

  498.   return max_len;

  499. }

  500. 

  501. /* dtls1_process_fragment reads a handshake fragment and processes it. It

  502.  * returns one if a fragment was successfully processed and 0 or -1 on error. */

  503. static int dtls1_process_fragment(SSL *ssl) {

  504.   /* Read handshake message header. */

  505.   uint8_t header[DTLS1_HM_HEADER_LENGTH];

  506.   int ret = dtls1_read_bytes(ssl, SSL3_RT_HANDSHAKE, header,

  507.                              DTLS1_HM_HEADER_LENGTH, 0);

  508.   if (ret <= 0) {

  509.     return ret;

  510.   }

  511.   if (ret != DTLS1_HM_HEADER_LENGTH) {

  512.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);

  513.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);

  514.     return -1;

  515.   }

  516. 

  517.   /* Parse the message fragment header. */

  518.   struct hm_header_st msg_hdr;

  519.   dtls1_get_message_header(header, &msg_hdr);

  520. 

  521.   /* TODO(davidben): dtls1_read_bytes is the wrong abstraction for DTLS. There

  522.    * should be no need to reach into |ssl->s3->rrec.length|. */

  523.   const size_t frag_off = msg_hdr.frag_off;

  524.   const size_t frag_len = msg_hdr.frag_len;

  525.   const size_t msg_len = msg_hdr.msg_len;

  526.   if (frag_off > msg_len || frag_off + frag_len < frag_off ||

  527.       frag_off + frag_len > msg_len ||

  528.       msg_len > dtls1_max_handshake_message_len(ssl) ||

  529.       frag_len > ssl->s3->rrec.length) {

  530.     OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);

  531.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  532.     return -1;

  533.   }

  534. 

  535.   if (msg_hdr.seq < ssl->d1->handshake_read_seq ||

  536.       msg_hdr.seq > (unsigned)ssl->d1->handshake_read_seq +

  537.                     kHandshakeBufferSize) {

  538.     /* Ignore fragments from the past, or ones too far in the future. */

  539.     if (!dtls1_discard_fragment_body(ssl, frag_len)) {

  540.       return -1;

  541.     }

  542.     return 1;

  543.   }

  544. 

  545.   hm_fragment *frag = dtls1_get_buffered_message(ssl, &msg_hdr);

  546.   if (frag == NULL) {

  547.     return -1;

  548.   }

  549.   assert(frag->msg_header.msg_len == msg_len);

  550. 

  551.   if (frag->reassembly == NULL) {

  552.     /* The message is already assembled. */

  553.     if (!dtls1_discard_fragment_body(ssl, frag_len)) {

  554.       return -1;

  555.     }

  556.     return 1;

  557.   }

  558.   assert(msg_len > 0);

  559. 

  560.   /* Read the body of the fragment. */

  561.   ret = dtls1_read_bytes(ssl, SSL3_RT_HANDSHAKE, frag->fragment + frag_off,

  562.                          frag_len, 0);

  563.   if (ret != (int) frag_len) {

  564.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  565.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  566.     return -1;

  567.   }

  568.   dtls1_hm_fragment_mark(frag, frag_off, frag_off + frag_len);

  569. 

  570.   return 1;

  571. }

  572. 

  573. /* dtls1_get_message reads a handshake message of message type |msg_type| (any

  574.  * if |msg_type| == -1), maximum acceptable body length |max|. Read an entire

  575.  * handshake message. Handshake messages arrive in fragments. */

  576. long dtls1_get_message(SSL *ssl, int st1, int stn, int msg_type, long max,

  577.                        enum ssl_hash_message_t hash_message, int *ok) {

  578.   pitem *item = NULL;

  579.   hm_fragment *frag = NULL;

  580.   int al;

  581. 

  582.   /* s3->tmp is used to store messages that are unexpected, caused

  583.    * by the absence of an optional handshake message */

  584.   if (ssl->s3->tmp.reuse_message) {

  585.     /* A ssl_dont_hash_message call cannot be combined with reuse_message; the

  586.      * ssl_dont_hash_message would have to have been applied to the previous

  587.      * call. */

  588.     assert(hash_message == ssl_hash_message);

  589.     ssl->s3->tmp.reuse_message = 0;

  590.     if (msg_type >= 0 && ssl->s3->tmp.message_type != msg_type) {

  591.       al = SSL_AD_UNEXPECTED_MESSAGE;

  592.       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);

  593.       goto f_err;

  594.     }

  595.     *ok = 1;

  596.     ssl->init_msg = (uint8_t *)ssl->init_buf->data + DTLS1_HM_HEADER_LENGTH;

  597.     ssl->init_num = (int)ssl->s3->tmp.message_size;

  598.     return ssl->init_num;

  599.   }

  600. 

  601.   /* Process fragments until one is found. */

  602.   while (!dtls1_is_next_message_complete(ssl)) {

  603.     int ret = dtls1_process_fragment(ssl);

  604.     if (ret <= 0) {

  605.       *ok = 0;

  606.       return ret;

  607.     }

  608.   }

  609. 

  610.   /* Read out the next complete handshake message. */

  611.   item = pqueue_pop(ssl->d1->buffered_messages);

  612.   assert(item != NULL);

  613.   frag = (hm_fragment *)item->data;

  614.   assert(ssl->d1->handshake_read_seq == frag->msg_header.seq);

  615.   assert(frag->reassembly == NULL);

  616. 

  617.   if (frag->msg_header.msg_len > (size_t)max) {

  618.     OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);

  619.     goto err;

  620.   }

  621. 

  622.   /* Reconstruct the assembled message. */

  623.   size_t len;

  624.   CBB cbb;

  625.   CBB_zero(&cbb);

  626.   if (!BUF_MEM_grow(ssl->init_buf, (size_t)frag->msg_header.msg_len +

  627.                                        DTLS1_HM_HEADER_LENGTH) ||

  628.       !CBB_init_fixed(&cbb, (uint8_t *)ssl->init_buf->data,

  629.                       ssl->init_buf->max) ||

  630.       !CBB_add_u8(&cbb, frag->msg_header.type) ||

  631.       !CBB_add_u24(&cbb, frag->msg_header.msg_len) ||

  632.       !CBB_add_u16(&cbb, frag->msg_header.seq) ||

  633.       !CBB_add_u24(&cbb, 0 /* frag_off */) ||

  634.       !CBB_add_u24(&cbb, frag->msg_header.msg_len) ||

  635.       !CBB_add_bytes(&cbb, frag->fragment, frag->msg_header.msg_len) ||

  636.       !CBB_finish(&cbb, NULL, &len)) {

  637.     CBB_cleanup(&cbb);

  638.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  639.     goto err;

  640.   }

  641.   assert(len == (size_t)frag->msg_header.msg_len + DTLS1_HM_HEADER_LENGTH);

  642. 

  643.   ssl->d1->handshake_read_seq++;

  644. 

  645.   /* TODO(davidben): This function has a lot of implicit outputs. Simplify the

  646.    * |ssl_get_message| API. */

  647.   ssl->s3->tmp.message_type = frag->msg_header.type;

  648.   ssl->s3->tmp.message_size = frag->msg_header.msg_len;

  649.   ssl->init_msg = (uint8_t *)ssl->init_buf->data + DTLS1_HM_HEADER_LENGTH;

  650.   ssl->init_num = frag->msg_header.msg_len;

  651. 

  652.   if (msg_type >= 0 && ssl->s3->tmp.message_type != msg_type) {

  653.     al = SSL_AD_UNEXPECTED_MESSAGE;

  654.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);

  655.     goto f_err;

  656.   }

  657.   if (hash_message == ssl_hash_message && !ssl3_hash_current_message(ssl)) {

  658.     goto err;

  659.   }

  660.   if (ssl->msg_callback) {

  661.     ssl->msg_callback(0, ssl->version, SSL3_RT_HANDSHAKE, ssl->init_buf->data,

  662.                     ssl->init_num + DTLS1_HM_HEADER_LENGTH, ssl,

  663.                     ssl->msg_callback_arg);

  664.   }

  665. 

  666.   pitem_free(item);

  667.   dtls1_hm_fragment_free(frag);

  668. 

  669.   ssl->state = stn;

  670.   *ok = 1;

  671.   return ssl->init_num;

  672. 

  673. f_err:

  674.   ssl3_send_alert(ssl, SSL3_AL_FATAL, al);

  675. err:

  676.   pitem_free(item);

  677.   dtls1_hm_fragment_free(frag);

  678.   *ok = 0;

  679.   return -1;

  680. }

  681. 

  682. int dtls1_read_failed(SSL *ssl, int code) {

  683.   if (code > 0) {

  684.     assert(0);

  685.     return 1;

  686.   }

  687. 

  688.   if (!dtls1_is_timer_expired(ssl)) {

  689.     /* not a timeout, none of our business, let higher layers handle this. In

  690.      * fact, it's probably an error */

  691.     return code;

  692.   }

  693. 

  694.   if (!SSL_in_init(ssl)) {

  695.     /* done, no need to send a retransmit */

  696.     BIO_set_flags(SSL_get_rbio(ssl), BIO_FLAGS_READ);

  697.     return code;

  698.   }

  699. 

  700.   return DTLSv1_handle_timeout(ssl);

  701. }

  702. 

  703. static uint16_t dtls1_get_queue_priority(uint16_t seq, int is_ccs) {

  704.   assert(seq * 2 >= seq);

  705. 

  706.   /* The index of the retransmission queue actually is the message sequence

  707.    * number, since the queue only contains messages of a single handshake.

  708.    * However, the ChangeCipherSpec has no message sequence number and so using

  709.    * only the sequence will result in the CCS and Finished having the same

  710.    * index. To prevent this, the sequence number is multiplied by 2. In case of

  711.    * a CCS 1 is subtracted. This does not only differ CSS and Finished, it also

  712.    * maintains the order of the index (important for priority queues) and fits

  713.    * in the unsigned short variable. */

  714.   return seq * 2 - is_ccs;

  715. }

  716. 

  717. static int dtls1_retransmit_message(SSL *ssl, hm_fragment *frag) {

  718.   /* DTLS renegotiation is unsupported, so only epochs 0 (NULL cipher) and 1

  719.    * (negotiated cipher) exist. */

  720.   assert(ssl->d1->w_epoch == 0 || ssl->d1->w_epoch == 1);

  721.   assert(frag->msg_header.epoch <= ssl->d1->w_epoch);

  722.   enum dtls1_use_epoch_t use_epoch = dtls1_use_current_epoch;

  723.   if (ssl->d1->w_epoch == 1 && frag->msg_header.epoch == 0) {

  724.     use_epoch = dtls1_use_previous_epoch;

  725.   }

  726. 

  727.   /* TODO(davidben): This cannot handle non-blocking writes. */

  728.   int ret;

  729.   if (frag->msg_header.is_ccs) {

  730.     ret = dtls1_write_change_cipher_spec(ssl, use_epoch);

  731.   } else {

  732.     /* Restore the message body.

  733.      * TODO(davidben): Make this less stateful. */

  734.     memcpy(ssl->init_buf->data, frag->fragment,

  735.            frag->msg_header.msg_len + DTLS1_HM_HEADER_LENGTH);

  736.     ssl->init_num = frag->msg_header.msg_len + DTLS1_HM_HEADER_LENGTH;

  737. 

  738.     dtls1_set_message_header(ssl, frag->msg_header.type,

  739.                              frag->msg_header.msg_len, frag->msg_header.seq,

  740.                              0, frag->msg_header.frag_len);

  741.     ret = dtls1_do_handshake_write(ssl, use_epoch);

  742.   }

  743. 

  744.   /* TODO(davidben): Check return value? */

  745.   (void)BIO_flush(SSL_get_wbio(ssl));

  746.   return ret;

  747. }

  748. 

  749. 

  750. int dtls1_retransmit_buffered_messages(SSL *ssl) {

  751.   pqueue sent = ssl->d1->sent_messages;

  752.   piterator iter = pqueue_iterator(sent);

  753.   pitem *item;

  754. 

  755.   for (item = pqueue_next(&iter); item != NULL; item = pqueue_next(&iter)) {

  756.     hm_fragment *frag = (hm_fragment *)item->data;

  757.     if (dtls1_retransmit_message(ssl, frag) <= 0) {

  758.       return -1;

  759.     }

  760.   }

  761. 

  762.   return 1;

  763. }

  764. 

  765. /* dtls1_buffer_change_cipher_spec adds a ChangeCipherSpec to the current

  766.  * handshake flight, ordered just before the handshake message numbered

  767.  * |seq|. */

  768. static int dtls1_buffer_change_cipher_spec(SSL *ssl, uint16_t seq) {

  769.   hm_fragment *frag = dtls1_hm_fragment_new(0 /* frag_len */,

  770.                                             0 /* no reassembly */);

  771.   if (frag == NULL) {

  772.     return 0;

  773.   }

  774.   frag->msg_header.is_ccs = 1;

  775.   frag->msg_header.epoch = ssl->d1->w_epoch;

  776. 

  777.   uint16_t priority = dtls1_get_queue_priority(seq, 1 /* is_ccs */);

  778.   uint8_t seq64be[8];

  779.   memset(seq64be, 0, sizeof(seq64be));

  780.   seq64be[6] = (uint8_t)(priority >> 8);

  781.   seq64be[7] = (uint8_t)priority;

  782. 

  783.   pitem *item = pitem_new(seq64be, frag);

  784.   if (item == NULL) {

  785.     dtls1_hm_fragment_free(frag);

  786.     return 0;

  787.   }

  788. 

  789.   pqueue_insert(ssl->d1->sent_messages, item);

  790.   return 1;

  791. }

  792. 

  793. int dtls1_buffer_message(SSL *ssl) {

  794.   /* this function is called immediately after a message has

  795.    * been serialized */

  796.   assert(ssl->init_off == 0);

  797. 

  798.   hm_fragment *frag = dtls1_hm_fragment_new(ssl->init_num, 0);

  799.   if (!frag) {

  800.     return 0;

  801.   }

  802. 

  803.   memcpy(frag->fragment, ssl->init_buf->data, ssl->init_num);

  804. 

  805.   assert(ssl->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH ==

  806.          (unsigned int)ssl->init_num);

  807. 

  808.   frag->msg_header.msg_len = ssl->d1->w_msg_hdr.msg_len;

  809.   frag->msg_header.seq = ssl->d1->w_msg_hdr.seq;

  810.   frag->msg_header.type = ssl->d1->w_msg_hdr.type;

  811.   frag->msg_header.frag_off = 0;

  812.   frag->msg_header.frag_len = ssl->d1->w_msg_hdr.msg_len;

  813.   frag->msg_header.is_ccs = 0;

  814.   frag->msg_header.epoch = ssl->d1->w_epoch;

  815. 

  816.   uint16_t priority = dtls1_get_queue_priority(frag->msg_header.seq,

  817.                                                0 /* handshake */);

  818.   uint8_t seq64be[8];

  819.   memset(seq64be, 0, sizeof(seq64be));

  820.   seq64be[6] = (uint8_t)(priority >> 8);

  821.   seq64be[7] = (uint8_t)priority;

  822. 

  823.   pitem *item = pitem_new(seq64be, frag);

  824.   if (item == NULL) {

  825.     dtls1_hm_fragment_free(frag);

  826.     return 0;

  827.   }

  828. 

  829.   pqueue_insert(ssl->d1->sent_messages, item);

  830.   return 1;

  831. }

  832. 

  833. int dtls1_send_change_cipher_spec(SSL *ssl, int a, int b) {

  834.   if (ssl->state == a) {

  835.     /* Buffer the message to handle retransmits. */

  836.     ssl->d1->handshake_write_seq = ssl->d1->next_handshake_write_seq;

  837.     dtls1_buffer_change_cipher_spec(ssl, ssl->d1->handshake_write_seq);

  838.     ssl->state = b;

  839.   }

  840. 

  841.   return dtls1_write_change_cipher_spec(ssl, dtls1_use_current_epoch);

  842. }

  843. 

  844. /* call this function when the buffered messages are no longer needed */

  845. void dtls1_clear_record_buffer(SSL *ssl) {

  846.   pitem *item;

  847. 

  848.   for (item = pqueue_pop(ssl->d1->sent_messages); item != NULL;

  849.        item = pqueue_pop(ssl->d1->sent_messages)) {

  850.     dtls1_hm_fragment_free((hm_fragment *)item->data);

  851.     pitem_free(item);

  852.   }

  853. }

  854. 

  855. /* don't actually do the writing, wait till the MTU has been retrieved */

  856. void dtls1_set_message_header(SSL *ssl, uint8_t mt, unsigned long len,

  857.                               unsigned short seq_num, unsigned long frag_off,

  858.                               unsigned long frag_len) {

  859.   struct hm_header_st *msg_hdr = &ssl->d1->w_msg_hdr;

  860. 

  861.   msg_hdr->type = mt;

  862.   msg_hdr->msg_len = len;

  863.   msg_hdr->seq = seq_num;

  864.   msg_hdr->frag_off = frag_off;

  865.   msg_hdr->frag_len = frag_len;

  866. }

  867. 

  868. unsigned int dtls1_min_mtu(void) {

  869.   return kMinMTU;

  870. }

  871. 

  872. void dtls1_get_message_header(uint8_t *data,

  873.                               struct hm_header_st *msg_hdr) {

  874.   memset(msg_hdr, 0x00, sizeof(struct hm_header_st));

  875.   msg_hdr->type = *(data++);

  876.   n2l3(data, msg_hdr->msg_len);

  877. 

  878.   n2s(data, msg_hdr->seq);

  879.   n2l3(data, msg_hdr->frag_off);

  880.   n2l3(data, msg_hdr->frag_len);

  881. }