kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3834 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: f6d64efd19
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f6d64efd19'
${ noResults }
boringssl/ssl/d1_both.c

816 lines
28 KiB
Raw Blame History 

  1. /*

  2.  * DTLS implementation written by Nagendra Modadugu

  3.  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 

  4.  */

  5. /* ====================================================================

  6.  * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.

  7.  *

  8.  * Redistribution and use in source and binary forms, with or without

  9.  * modification, are permitted provided that the following conditions

  10.  * are met:

  11.  *

  12.  * 1. Redistributions of source code must retain the above copyright

  13.  *    notice, this list of conditions and the following disclaimer.

  14.  *

  15.  * 2. Redistributions in binary form must reproduce the above copyright

  16.  *    notice, this list of conditions and the following disclaimer in

  17.  *    the documentation and/or other materials provided with the

  18.  *    distribution.

  19.  *

  20.  * 3. All advertising materials mentioning features or use of this

  21.  *    software must display the following acknowledgment:

  22.  *    "This product includes software developed by the OpenSSL Project

  23.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  24.  *

  25.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  26.  *    endorse or promote products derived from this software without

  27.  *    prior written permission. For written permission, please contact

  28.  *    openssl-core@openssl.org.

  29.  *

  30.  * 5. Products derived from this software may not be called "OpenSSL"

  31.  *    nor may "OpenSSL" appear in their names without prior written

  32.  *    permission of the OpenSSL Project.

  33.  *

  34.  * 6. Redistributions of any form whatsoever must retain the following

  35.  *    acknowledgment:

  36.  *    "This product includes software developed by the OpenSSL Project

  37.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  38.  *

  39.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  40.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  41.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  42.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  43.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  44.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  45.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  46.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  48.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  49.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  50.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  51.  * ====================================================================

  52.  *

  53.  * This product includes cryptographic software written by Eric Young

  54.  * (eay@cryptsoft.com).  This product includes software written by Tim

  55.  * Hudson (tjh@cryptsoft.com).

  56.  *

  57.  */

  58. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  59.  * All rights reserved.

  60.  *

  61.  * This package is an SSL implementation written

  62.  * by Eric Young (eay@cryptsoft.com).

  63.  * The implementation was written so as to conform with Netscapes SSL.

  64.  *

  65.  * This library is free for commercial and non-commercial use as long as

  66.  * the following conditions are aheared to.  The following conditions

  67.  * apply to all code found in this distribution, be it the RC4, RSA,

  68.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  69.  * included with this distribution is covered by the same copyright terms

  70.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  71.  *

  72.  * Copyright remains Eric Young's, and as such any Copyright notices in

  73.  * the code are not to be removed.

  74.  * If this package is used in a product, Eric Young should be given attribution

  75.  * as the author of the parts of the library used.

  76.  * This can be in the form of a textual message at program startup or

  77.  * in documentation (online or textual) provided with the package.

  78.  *

  79.  * Redistribution and use in source and binary forms, with or without

  80.  * modification, are permitted provided that the following conditions

  81.  * are met:

  82.  * 1. Redistributions of source code must retain the copyright

  83.  *    notice, this list of conditions and the following disclaimer.

  84.  * 2. Redistributions in binary form must reproduce the above copyright

  85.  *    notice, this list of conditions and the following disclaimer in the

  86.  *    documentation and/or other materials provided with the distribution.

  87.  * 3. All advertising materials mentioning features or use of this software

  88.  *    must display the following acknowledgement:

  89.  *    "This product includes cryptographic software written by

  90.  *     Eric Young (eay@cryptsoft.com)"

  91.  *    The word 'cryptographic' can be left out if the rouines from the library

  92.  *    being used are not cryptographic related :-).

  93.  * 4. If you include any Windows specific code (or a derivative thereof) from

  94.  *    the apps directory (application code) you must include an acknowledgement:

  95.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  96.  *

  97.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  98.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  99.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  100.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  101.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  102.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  103.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  104.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  105.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  106.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  107.  * SUCH DAMAGE.

  108.  *

  109.  * The licence and distribution terms for any publically available version or

  110.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  111.  * copied and put under another distribution licence

  112.  * [including the GNU Public Licence.] */

  113. 

  114. #include <openssl/ssl.h>

  115. 

  116. #include <assert.h>

  117. #include <limits.h>

  118. #include <string.h>

  119. 

  120. #include <openssl/buf.h>

  121. #include <openssl/err.h>

  122. #include <openssl/evp.h>

  123. #include <openssl/mem.h>

  124. #include <openssl/rand.h>

  125. #include <openssl/type_check.h>

  126. #include <openssl/x509.h>

  127. 

  128. #include "../crypto/internal.h"

  129. #include "internal.h"

  130. 

  131. 

  132. /* TODO(davidben): 28 comes from the size of IP + UDP header. Is this reasonable

  133.  * for these values? Notably, why is kMinMTU a function of the transport

  134.  * protocol's overhead rather than, say, what's needed to hold a minimally-sized

  135.  * handshake fragment plus protocol overhead. */

  136. 

  137. /* kMinMTU is the minimum acceptable MTU value. */

  138. static const unsigned int kMinMTU = 256 - 28;

  139. 

  140. /* kDefaultMTU is the default MTU value to use if neither the user nor

  141.  * the underlying BIO supplies one. */

  142. static const unsigned int kDefaultMTU = 1500 - 28;

  143. 

  144. 

  145. /* Receiving handshake messages. */

  146. 

  147. static void dtls1_hm_fragment_free(hm_fragment *frag) {

  148.   if (frag == NULL) {

  149.     return;

  150.   }

  151.   OPENSSL_free(frag->data);

  152.   OPENSSL_free(frag->reassembly);

  153.   OPENSSL_free(frag);

  154. }

  155. 

  156. static hm_fragment *dtls1_hm_fragment_new(const struct hm_header_st *msg_hdr) {

  157.   hm_fragment *frag = OPENSSL_malloc(sizeof(hm_fragment));

  158.   if (frag == NULL) {

  159.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  160.     return NULL;

  161.   }

  162.   OPENSSL_memset(frag, 0, sizeof(hm_fragment));

  163.   frag->type = msg_hdr->type;

  164.   frag->seq = msg_hdr->seq;

  165.   frag->msg_len = msg_hdr->msg_len;

  166. 

  167.   /* Allocate space for the reassembled message and fill in the header. */

  168.   frag->data = OPENSSL_malloc(DTLS1_HM_HEADER_LENGTH + msg_hdr->msg_len);

  169.   if (frag->data == NULL) {

  170.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  171.     goto err;

  172.   }

  173. 

  174.   CBB cbb;

  175.   if (!CBB_init_fixed(&cbb, frag->data, DTLS1_HM_HEADER_LENGTH) ||

  176.       !CBB_add_u8(&cbb, msg_hdr->type) ||

  177.       !CBB_add_u24(&cbb, msg_hdr->msg_len) ||

  178.       !CBB_add_u16(&cbb, msg_hdr->seq) ||

  179.       !CBB_add_u24(&cbb, 0 /* frag_off */) ||

  180.       !CBB_add_u24(&cbb, msg_hdr->msg_len) ||

  181.       !CBB_finish(&cbb, NULL, NULL)) {

  182.     CBB_cleanup(&cbb);

  183.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  184.     goto err;

  185.   }

  186. 

  187.   /* If the handshake message is empty, |frag->reassembly| is NULL. */

  188.   if (msg_hdr->msg_len > 0) {

  189.     /* Initialize reassembly bitmask. */

  190.     if (msg_hdr->msg_len + 7 < msg_hdr->msg_len) {

  191.       OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);

  192.       goto err;

  193.     }

  194.     size_t bitmask_len = (msg_hdr->msg_len + 7) / 8;

  195.     frag->reassembly = OPENSSL_malloc(bitmask_len);

  196.     if (frag->reassembly == NULL) {

  197.       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  198.       goto err;

  199.     }

  200.     OPENSSL_memset(frag->reassembly, 0, bitmask_len);

  201.   }

  202. 

  203.   return frag;

  204. 

  205. err:

  206.   dtls1_hm_fragment_free(frag);

  207.   return NULL;

  208. }

  209. 

  210. /* bit_range returns a |uint8_t| with bits |start|, inclusive, to |end|,

  211.  * exclusive, set. */

  212. static uint8_t bit_range(size_t start, size_t end) {

  213.   return (uint8_t)(~((1u << start) - 1) & ((1u << end) - 1));

  214. }

  215. 

  216. /* dtls1_hm_fragment_mark marks bytes |start|, inclusive, to |end|, exclusive,

  217.  * as received in |frag|. If |frag| becomes complete, it clears

  218.  * |frag->reassembly|. The range must be within the bounds of |frag|'s message

  219.  * and |frag->reassembly| must not be NULL. */

  220. static void dtls1_hm_fragment_mark(hm_fragment *frag, size_t start,

  221.                                    size_t end) {

  222.   size_t msg_len = frag->msg_len;

  223. 

  224.   if (frag->reassembly == NULL || start > end || end > msg_len) {

  225.     assert(0);

  226.     return;

  227.   }

  228.   /* A zero-length message will never have a pending reassembly. */

  229.   assert(msg_len > 0);

  230. 

  231.   if ((start >> 3) == (end >> 3)) {

  232.     frag->reassembly[start >> 3] |= bit_range(start & 7, end & 7);

  233.   } else {

  234.     frag->reassembly[start >> 3] |= bit_range(start & 7, 8);

  235.     for (size_t i = (start >> 3) + 1; i < (end >> 3); i++) {

  236.       frag->reassembly[i] = 0xff;

  237.     }

  238.     if ((end & 7) != 0) {

  239.       frag->reassembly[end >> 3] |= bit_range(0, end & 7);

  240.     }

  241.   }

  242. 

  243.   /* Check if the fragment is complete. */

  244.   for (size_t i = 0; i < (msg_len >> 3); i++) {

  245.     if (frag->reassembly[i] != 0xff) {

  246.       return;

  247.     }

  248.   }

  249.   if ((msg_len & 7) != 0 &&

  250.       frag->reassembly[msg_len >> 3] != bit_range(0, msg_len & 7)) {

  251.     return;

  252.   }

  253. 

  254.   OPENSSL_free(frag->reassembly);

  255.   frag->reassembly = NULL;

  256. }

  257. 

  258. /* dtls1_is_current_message_complete returns one if the current handshake

  259.  * message is complete and zero otherwise. */

  260. static int dtls1_is_current_message_complete(const SSL *ssl) {

  261.   hm_fragment *frag = ssl->d1->incoming_messages[ssl->d1->handshake_read_seq %

  262.                                                  SSL_MAX_HANDSHAKE_FLIGHT];

  263.   return frag != NULL && frag->reassembly == NULL;

  264. }

  265. 

  266. /* dtls1_get_incoming_message returns the incoming message corresponding to

  267.  * |msg_hdr|. If none exists, it creates a new one and inserts it in the

  268.  * queue. Otherwise, it checks |msg_hdr| is consistent with the existing one. It

  269.  * returns NULL on failure. The caller does not take ownership of the result. */

  270. static hm_fragment *dtls1_get_incoming_message(

  271.     SSL *ssl, const struct hm_header_st *msg_hdr) {

  272.   if (msg_hdr->seq < ssl->d1->handshake_read_seq ||

  273.       msg_hdr->seq - ssl->d1->handshake_read_seq >= SSL_MAX_HANDSHAKE_FLIGHT) {

  274.     return NULL;

  275.   }

  276. 

  277.   size_t idx = msg_hdr->seq % SSL_MAX_HANDSHAKE_FLIGHT;

  278.   hm_fragment *frag = ssl->d1->incoming_messages[idx];

  279.   if (frag != NULL) {

  280.     assert(frag->seq == msg_hdr->seq);

  281.     /* The new fragment must be compatible with the previous fragments from this

  282.      * message. */

  283.     if (frag->type != msg_hdr->type ||

  284.         frag->msg_len != msg_hdr->msg_len) {

  285.       OPENSSL_PUT_ERROR(SSL, SSL_R_FRAGMENT_MISMATCH);

  286.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  287.       return NULL;

  288.     }

  289.     return frag;

  290.   }

  291. 

  292.   /* This is the first fragment from this message. */

  293.   frag = dtls1_hm_fragment_new(msg_hdr);

  294.   if (frag == NULL) {

  295.     return NULL;

  296.   }

  297.   ssl->d1->incoming_messages[idx] = frag;

  298.   return frag;

  299. }

  300. 

  301. /* dtls1_process_handshake_record reads a handshake record and processes it. It

  302.  * returns one if the record was successfully processed and 0 or -1 on error. */

  303. static int dtls1_process_handshake_record(SSL *ssl) {

  304.   SSL3_RECORD *rr = &ssl->s3->rrec;

  305. 

  306. start:

  307.   if (rr->length == 0) {

  308.     int ret = dtls1_get_record(ssl);

  309.     if (ret <= 0) {

  310.       return ret;

  311.     }

  312.   }

  313. 

  314.   /* Cross-epoch records are discarded, but we may receive out-of-order

  315.    * application data between ChangeCipherSpec and Finished or a

  316.    * ChangeCipherSpec before the appropriate point in the handshake. Those must

  317.    * be silently discarded.

  318.    *

  319.    * However, only allow the out-of-order records in the correct epoch.

  320.    * Application data must come in the encrypted epoch, and ChangeCipherSpec in

  321.    * the unencrypted epoch (we never renegotiate). Other cases fall through and

  322.    * fail with a fatal error. */

  323.   if ((rr->type == SSL3_RT_APPLICATION_DATA &&

  324.        ssl->s3->aead_read_ctx != NULL) ||

  325.       (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC &&

  326.        ssl->s3->aead_read_ctx == NULL)) {

  327.     rr->length = 0;

  328.     goto start;

  329.   }

  330. 

  331.   if (rr->type != SSL3_RT_HANDSHAKE) {

  332.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);

  333.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);

  334.     return -1;

  335.   }

  336. 

  337.   CBS cbs;

  338.   CBS_init(&cbs, rr->data, rr->length);

  339. 

  340.   while (CBS_len(&cbs) > 0) {

  341.     /* Read a handshake fragment. */

  342.     struct hm_header_st msg_hdr;

  343.     CBS body;

  344.     if (!dtls1_parse_fragment(&cbs, &msg_hdr, &body)) {

  345.       OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_HANDSHAKE_RECORD);

  346.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  347.       return -1;

  348.     }

  349. 

  350.     const size_t frag_off = msg_hdr.frag_off;

  351.     const size_t frag_len = msg_hdr.frag_len;

  352.     const size_t msg_len = msg_hdr.msg_len;

  353.     if (frag_off > msg_len || frag_off + frag_len < frag_off ||

  354.         frag_off + frag_len > msg_len ||

  355.         msg_len > ssl_max_handshake_message_len(ssl)) {

  356.       OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);

  357.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  358.       return -1;

  359.     }

  360. 

  361.     /* The encrypted epoch in DTLS has only one handshake message. */

  362.     if (ssl->d1->r_epoch == 1 && msg_hdr.seq != ssl->d1->handshake_read_seq) {

  363.       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);

  364.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);

  365.       return -1;

  366.     }

  367. 

  368.     if (msg_hdr.seq < ssl->d1->handshake_read_seq ||

  369.         msg_hdr.seq >

  370.             (unsigned)ssl->d1->handshake_read_seq + SSL_MAX_HANDSHAKE_FLIGHT) {

  371.       /* Ignore fragments from the past, or ones too far in the future. */

  372.       continue;

  373.     }

  374. 

  375.     hm_fragment *frag = dtls1_get_incoming_message(ssl, &msg_hdr);

  376.     if (frag == NULL) {

  377.       return -1;

  378.     }

  379.     assert(frag->msg_len == msg_len);

  380. 

  381.     if (frag->reassembly == NULL) {

  382.       /* The message is already assembled. */

  383.       continue;

  384.     }

  385.     assert(msg_len > 0);

  386. 

  387.     /* Copy the body into the fragment. */

  388.     OPENSSL_memcpy(frag->data + DTLS1_HM_HEADER_LENGTH + frag_off,

  389.                    CBS_data(&body), CBS_len(&body));

  390.     dtls1_hm_fragment_mark(frag, frag_off, frag_off + frag_len);

  391.   }

  392. 

  393.   rr->length = 0;

  394.   ssl_read_buffer_discard(ssl);

  395.   return 1;

  396. }

  397. 

  398. int dtls1_get_message(SSL *ssl) {

  399.   if (ssl->s3->tmp.reuse_message) {

  400.     /* There must be a current message. */

  401.     assert(ssl->init_msg != NULL);

  402.     ssl->s3->tmp.reuse_message = 0;

  403.   } else {

  404.     dtls1_release_current_message(ssl, 0 /* don't free buffer */);

  405.   }

  406. 

  407.   /* Process handshake records until the current message is ready. */

  408.   while (!dtls1_is_current_message_complete(ssl)) {

  409.     int ret = dtls1_process_handshake_record(ssl);

  410.     if (ret <= 0) {

  411.       return ret;

  412.     }

  413.   }

  414. 

  415.   hm_fragment *frag = ssl->d1->incoming_messages[ssl->d1->handshake_read_seq %

  416.                                                  SSL_MAX_HANDSHAKE_FLIGHT];

  417.   assert(frag != NULL);

  418.   assert(frag->reassembly == NULL);

  419.   assert(ssl->d1->handshake_read_seq == frag->seq);

  420. 

  421.   /* TODO(davidben): This function has a lot of implicit outputs. Simplify the

  422.    * |ssl_get_message| API. */

  423.   ssl->s3->tmp.message_type = frag->type;

  424.   ssl->init_msg = frag->data + DTLS1_HM_HEADER_LENGTH;

  425.   ssl->init_num = frag->msg_len;

  426. 

  427.   ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HANDSHAKE, frag->data,

  428.                       ssl->init_num + DTLS1_HM_HEADER_LENGTH);

  429.   return 1;

  430. }

  431. 

  432. void dtls1_get_current_message(const SSL *ssl, CBS *out) {

  433.   assert(dtls1_is_current_message_complete(ssl));

  434. 

  435.   hm_fragment *frag = ssl->d1->incoming_messages[ssl->d1->handshake_read_seq %

  436.                                                  SSL_MAX_HANDSHAKE_FLIGHT];

  437.   CBS_init(out, frag->data, DTLS1_HM_HEADER_LENGTH + frag->msg_len);

  438. }

  439. 

  440. void dtls1_release_current_message(SSL *ssl, int free_buffer) {

  441.   if (ssl->init_msg == NULL) {

  442.     return;

  443.   }

  444. 

  445.   assert(dtls1_is_current_message_complete(ssl));

  446.   size_t index = ssl->d1->handshake_read_seq % SSL_MAX_HANDSHAKE_FLIGHT;

  447.   dtls1_hm_fragment_free(ssl->d1->incoming_messages[index]);

  448.   ssl->d1->incoming_messages[index] = NULL;

  449.   ssl->d1->handshake_read_seq++;

  450. 

  451.   ssl->init_msg = NULL;

  452.   ssl->init_num = 0;

  453. }

  454. 

  455. void dtls_clear_incoming_messages(SSL *ssl) {

  456.   for (size_t i = 0; i < SSL_MAX_HANDSHAKE_FLIGHT; i++) {

  457.     dtls1_hm_fragment_free(ssl->d1->incoming_messages[i]);

  458.     ssl->d1->incoming_messages[i] = NULL;

  459.   }

  460. }

  461. 

  462. int dtls_has_incoming_messages(const SSL *ssl) {

  463.   size_t current = ssl->d1->handshake_read_seq % SSL_MAX_HANDSHAKE_FLIGHT;

  464.   for (size_t i = 0; i < SSL_MAX_HANDSHAKE_FLIGHT; i++) {

  465.     /* Skip the current message. */

  466.     if (ssl->init_msg != NULL && i == current) {

  467.       assert(dtls1_is_current_message_complete(ssl));

  468.       continue;

  469.     }

  470.     if (ssl->d1->incoming_messages[i] != NULL) {

  471.       return 1;

  472.     }

  473.   }

  474.   return 0;

  475. }

  476. 

  477. int dtls1_parse_fragment(CBS *cbs, struct hm_header_st *out_hdr,

  478.                          CBS *out_body) {

  479.   OPENSSL_memset(out_hdr, 0x00, sizeof(struct hm_header_st));

  480. 

  481.   if (!CBS_get_u8(cbs, &out_hdr->type) ||

  482.       !CBS_get_u24(cbs, &out_hdr->msg_len) ||

  483.       !CBS_get_u16(cbs, &out_hdr->seq) ||

  484.       !CBS_get_u24(cbs, &out_hdr->frag_off) ||

  485.       !CBS_get_u24(cbs, &out_hdr->frag_len) ||

  486.       !CBS_get_bytes(cbs, out_body, out_hdr->frag_len)) {

  487.     return 0;

  488.   }

  489. 

  490.   return 1;

  491. }

  492. 

  493. 

  494. /* Sending handshake messages. */

  495. 

  496. void dtls_clear_outgoing_messages(SSL *ssl) {

  497.   for (size_t i = 0; i < ssl->d1->outgoing_messages_len; i++) {

  498.     OPENSSL_free(ssl->d1->outgoing_messages[i].data);

  499.     ssl->d1->outgoing_messages[i].data = NULL;

  500.   }

  501.   ssl->d1->outgoing_messages_len = 0;

  502.   ssl->d1->outgoing_written = 0;

  503.   ssl->d1->outgoing_offset = 0;

  504. }

  505. 

  506. int dtls1_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type) {

  507.   /* Pick a modest size hint to save most of the |realloc| calls. */

  508.   if (!CBB_init(cbb, 64) ||

  509.       !CBB_add_u8(cbb, type) ||

  510.       !CBB_add_u24(cbb, 0 /* length (filled in later) */) ||

  511.       !CBB_add_u16(cbb, ssl->d1->handshake_write_seq) ||

  512.       !CBB_add_u24(cbb, 0 /* offset */) ||

  513.       !CBB_add_u24_length_prefixed(cbb, body)) {

  514.     return 0;

  515.   }

  516. 

  517.   return 1;

  518. }

  519. 

  520. int dtls1_finish_message(SSL *ssl, CBB *cbb, uint8_t **out_msg,

  521.                          size_t *out_len) {

  522.   *out_msg = NULL;

  523.   if (!CBB_finish(cbb, out_msg, out_len) ||

  524.       *out_len < DTLS1_HM_HEADER_LENGTH) {

  525.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  526.     OPENSSL_free(*out_msg);

  527.     return 0;

  528.   }

  529. 

  530.   /* Fix up the header. Copy the fragment length into the total message

  531.    * length. */

  532.   OPENSSL_memcpy(*out_msg + 1, *out_msg + DTLS1_HM_HEADER_LENGTH - 3, 3);

  533.   return 1;

  534. }

  535. 

  536. /* add_outgoing adds a new handshake message or ChangeCipherSpec to the current

  537.  * outgoing flight. It returns one on success and zero on error. In both cases,

  538.  * it takes ownership of |data| and releases it with |OPENSSL_free| when

  539.  * done. */

  540. static int add_outgoing(SSL *ssl, int is_ccs, uint8_t *data, size_t len) {

  541.   OPENSSL_COMPILE_ASSERT(SSL_MAX_HANDSHAKE_FLIGHT <

  542.                              (1 << 8 * sizeof(ssl->d1->outgoing_messages_len)),

  543.                          outgoing_messages_len_is_too_small);

  544.   if (ssl->d1->outgoing_messages_len >= SSL_MAX_HANDSHAKE_FLIGHT) {

  545.     assert(0);

  546.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  547.     OPENSSL_free(data);

  548.     return 0;

  549.   }

  550. 

  551.   if (!is_ccs) {

  552.     /* TODO(svaldez): Move this up a layer to fix abstraction for SSL_TRANSCRIPT

  553.      * on hs. */

  554.     if (ssl->s3->hs != NULL &&

  555.         !SSL_TRANSCRIPT_update(&ssl->s3->hs->transcript, data, len)) {

  556.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  557.       OPENSSL_free(data);

  558.       return 0;

  559.     }

  560.     ssl->d1->handshake_write_seq++;

  561.   }

  562. 

  563.   DTLS_OUTGOING_MESSAGE *msg =

  564.       &ssl->d1->outgoing_messages[ssl->d1->outgoing_messages_len];

  565.   msg->data = data;

  566.   msg->len = len;

  567.   msg->epoch = ssl->d1->w_epoch;

  568.   msg->is_ccs = is_ccs;

  569. 

  570.   ssl->d1->outgoing_messages_len++;

  571.   return 1;

  572. }

  573. 

  574. int dtls1_add_message(SSL *ssl, uint8_t *data, size_t len) {

  575.   return add_outgoing(ssl, 0 /* handshake */, data, len);

  576. }

  577. 

  578. int dtls1_add_change_cipher_spec(SSL *ssl) {

  579.   return add_outgoing(ssl, 1 /* ChangeCipherSpec */, NULL, 0);

  580. }

  581. 

  582. int dtls1_add_alert(SSL *ssl, uint8_t level, uint8_t desc) {

  583.   /* The |add_alert| path is only used for warning alerts for now, which DTLS

  584.    * never sends. This will be implemented later once closure alerts are

  585.    * converted. */

  586.   assert(0);

  587.   OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  588.   return 0;

  589. }

  590. 

  591. /* dtls1_update_mtu updates the current MTU from the BIO, ensuring it is above

  592.  * the minimum. */

  593. static void dtls1_update_mtu(SSL *ssl) {

  594.   /* TODO(davidben): No consumer implements |BIO_CTRL_DGRAM_SET_MTU| and the

  595.    * only |BIO_CTRL_DGRAM_QUERY_MTU| implementation could use

  596.    * |SSL_set_mtu|. Does this need to be so complex?  */

  597.   if (ssl->d1->mtu < dtls1_min_mtu() &&

  598.       !(SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) {

  599.     long mtu = BIO_ctrl(ssl->wbio, BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);

  600.     if (mtu >= 0 && mtu <= (1 << 30) && (unsigned)mtu >= dtls1_min_mtu()) {

  601.       ssl->d1->mtu = (unsigned)mtu;

  602.     } else {

  603.       ssl->d1->mtu = kDefaultMTU;

  604.       BIO_ctrl(ssl->wbio, BIO_CTRL_DGRAM_SET_MTU, ssl->d1->mtu, NULL);

  605.     }

  606.   }

  607. 

  608.   /* The MTU should be above the minimum now. */

  609.   assert(ssl->d1->mtu >= dtls1_min_mtu());

  610. }

  611. 

  612. enum seal_result_t {

  613.   seal_error,

  614.   seal_no_progress,

  615.   seal_partial,

  616.   seal_success,

  617. };

  618. 

  619. /* seal_next_message seals |msg|, which must be the next message, to |out|. If

  620.  * progress was made, it returns |seal_partial| or |seal_success| and sets

  621.  * |*out_len| to the number of bytes written. */

  622. static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out,

  623.                                             size_t *out_len, size_t max_out,

  624.                                             const DTLS_OUTGOING_MESSAGE *msg) {

  625.   assert(ssl->d1->outgoing_written < ssl->d1->outgoing_messages_len);

  626.   assert(msg == &ssl->d1->outgoing_messages[ssl->d1->outgoing_written]);

  627. 

  628.   /* DTLS renegotiation is unsupported, so only epochs 0 (NULL cipher) and 1

  629.    * (negotiated cipher) exist. */

  630.   assert(ssl->d1->w_epoch == 0 || ssl->d1->w_epoch == 1);

  631.   assert(msg->epoch <= ssl->d1->w_epoch);

  632.   enum dtls1_use_epoch_t use_epoch = dtls1_use_current_epoch;

  633.   if (ssl->d1->w_epoch == 1 && msg->epoch == 0) {

  634.     use_epoch = dtls1_use_previous_epoch;

  635.   }

  636.   size_t overhead = dtls_max_seal_overhead(ssl, use_epoch);

  637.   size_t prefix = dtls_seal_prefix_len(ssl, use_epoch);

  638. 

  639.   if (msg->is_ccs) {

  640.     /* Check there is room for the ChangeCipherSpec. */

  641.     static const uint8_t kChangeCipherSpec[1] = {SSL3_MT_CCS};

  642.     if (max_out < sizeof(kChangeCipherSpec) + overhead) {

  643.       return seal_no_progress;

  644.     }

  645. 

  646.     if (!dtls_seal_record(ssl, out, out_len, max_out,

  647.                           SSL3_RT_CHANGE_CIPHER_SPEC, kChangeCipherSpec,

  648.                           sizeof(kChangeCipherSpec), use_epoch)) {

  649.       return seal_error;

  650.     }

  651. 

  652.     ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_CHANGE_CIPHER_SPEC,

  653.                         kChangeCipherSpec, sizeof(kChangeCipherSpec));

  654.     return seal_success;

  655.   }

  656. 

  657.   /* DTLS messages are serialized as a single fragment in |msg|. */

  658.   CBS cbs, body;

  659.   struct hm_header_st hdr;

  660.   CBS_init(&cbs, msg->data, msg->len);

  661.   if (!dtls1_parse_fragment(&cbs, &hdr, &body) ||

  662.       hdr.frag_off != 0 ||

  663.       hdr.frag_len != CBS_len(&body) ||

  664.       hdr.msg_len != CBS_len(&body) ||

  665.       !CBS_skip(&body, ssl->d1->outgoing_offset) ||

  666.       CBS_len(&cbs) != 0) {

  667.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  668.     return seal_error;

  669.   }

  670. 

  671.   /* Determine how much progress can be made. */

  672.   if (max_out < DTLS1_HM_HEADER_LENGTH + 1 + overhead || max_out < prefix) {

  673.     return seal_no_progress;

  674.   }

  675.   size_t todo = CBS_len(&body);

  676.   if (todo > max_out - DTLS1_HM_HEADER_LENGTH - overhead) {

  677.     todo = max_out - DTLS1_HM_HEADER_LENGTH - overhead;

  678.   }

  679. 

  680.   /* Assemble a fragment, to be sealed in-place. */

  681.   CBB cbb;

  682.   uint8_t *frag = out + prefix;

  683.   size_t max_frag = max_out - prefix, frag_len;

  684.   if (!CBB_init_fixed(&cbb, frag, max_frag) ||

  685.       !CBB_add_u8(&cbb, hdr.type) ||

  686.       !CBB_add_u24(&cbb, hdr.msg_len) ||

  687.       !CBB_add_u16(&cbb, hdr.seq) ||

  688.       !CBB_add_u24(&cbb, ssl->d1->outgoing_offset) ||

  689.       !CBB_add_u24(&cbb, todo) ||

  690.       !CBB_add_bytes(&cbb, CBS_data(&body), todo) ||

  691.       !CBB_finish(&cbb, NULL, &frag_len)) {

  692.     CBB_cleanup(&cbb);

  693.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  694.     return seal_error;

  695.   }

  696. 

  697.   ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HANDSHAKE, frag, frag_len);

  698. 

  699.   if (!dtls_seal_record(ssl, out, out_len, max_out, SSL3_RT_HANDSHAKE,

  700.                         out + prefix, frag_len, use_epoch)) {

  701.     return seal_error;

  702.   }

  703. 

  704.   if (todo == CBS_len(&body)) {

  705.     /* The next message is complete. */

  706.     ssl->d1->outgoing_offset = 0;

  707.     return seal_success;

  708.   }

  709. 

  710.   ssl->d1->outgoing_offset += todo;

  711.   return seal_partial;

  712. }

  713. 

  714. /* seal_next_packet writes as much of the next flight as possible to |out| and

  715.  * advances |ssl->d1->outgoing_written| and |ssl->d1->outgoing_offset| as

  716.  * appropriate. */

  717. static int seal_next_packet(SSL *ssl, uint8_t *out, size_t *out_len,

  718.                             size_t max_out) {

  719.   int made_progress = 0;

  720.   size_t total = 0;

  721.   assert(ssl->d1->outgoing_written < ssl->d1->outgoing_messages_len);

  722.   for (; ssl->d1->outgoing_written < ssl->d1->outgoing_messages_len;

  723.        ssl->d1->outgoing_written++) {

  724.     const DTLS_OUTGOING_MESSAGE *msg =

  725.         &ssl->d1->outgoing_messages[ssl->d1->outgoing_written];

  726.     size_t len;

  727.     enum seal_result_t ret = seal_next_message(ssl, out, &len, max_out, msg);

  728.     switch (ret) {

  729.       case seal_error:

  730.         return 0;

  731. 

  732.       case seal_no_progress:

  733.         goto packet_full;

  734. 

  735.       case seal_partial:

  736.       case seal_success:

  737.         out += len;

  738.         max_out -= len;

  739.         total += len;

  740.         made_progress = 1;

  741. 

  742.         if (ret == seal_partial) {

  743.           goto packet_full;

  744.         }

  745.         break;

  746.     }

  747.   }

  748. 

  749. packet_full:

  750.   /* The MTU was too small to make any progress. */

  751.   if (!made_progress) {

  752.     OPENSSL_PUT_ERROR(SSL, SSL_R_MTU_TOO_SMALL);

  753.     return 0;

  754.   }

  755. 

  756.   *out_len = total;

  757.   return 1;

  758. }

  759. 

  760. int dtls1_flush_flight(SSL *ssl) {

  761.   dtls1_update_mtu(ssl);

  762. 

  763.   int ret = -1;

  764.   uint8_t *packet = OPENSSL_malloc(ssl->d1->mtu);

  765.   if (packet == NULL) {

  766.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  767.     goto err;

  768.   }

  769. 

  770.   while (ssl->d1->outgoing_written < ssl->d1->outgoing_messages_len) {

  771.     uint8_t old_written = ssl->d1->outgoing_written;

  772.     uint32_t old_offset = ssl->d1->outgoing_offset;

  773. 

  774.     size_t packet_len;

  775.     if (!seal_next_packet(ssl, packet, &packet_len, ssl->d1->mtu)) {

  776.       goto err;

  777.     }

  778. 

  779.     int bio_ret = BIO_write(ssl->wbio, packet, packet_len);

  780.     if (bio_ret <= 0) {

  781.       /* Retry this packet the next time around. */

  782.       ssl->d1->outgoing_written = old_written;

  783.       ssl->d1->outgoing_offset = old_offset;

  784.       ssl->rwstate = SSL_WRITING;

  785.       ret = bio_ret;

  786.       goto err;

  787.     }

  788.   }

  789. 

  790.   if (BIO_flush(ssl->wbio) <= 0) {

  791.     ssl->rwstate = SSL_WRITING;

  792.     goto err;

  793.   }

  794. 

  795.   ret = 1;

  796. 

  797. err:

  798.   OPENSSL_free(packet);

  799.   return ret;

  800. }

  801. 

  802. int dtls1_retransmit_outgoing_messages(SSL *ssl) {

  803.   /* Rewind to the start of the flight and write it again.

  804.    *

  805.    * TODO(davidben): This does not allow retransmits to be resumed on

  806.    * non-blocking write. */

  807.   ssl->d1->outgoing_written = 0;

  808.   ssl->d1->outgoing_offset = 0;

  809. 

  810.   return dtls1_flush_flight(ssl);

  811. }

  812. 

  813. unsigned int dtls1_min_mtu(void) {

  814.   return kMinMTU;

  815. }