| 1 | /* |
|---|---|
| 2 | * Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved. |
| 3 | * |
| 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
| 5 | * this file except in compliance with the License. You can obtain a copy |
| 6 | * in the file LICENSE in the source distribution or at |
| 7 | * https://www.openssl.org/source/license.html |
| 8 | */ |
| 9 | |
| 10 | #include <limits.h> |
| 11 | #include <string.h> |
| 12 | #include <stdio.h> |
| 13 | #include "../ssl_local.h" |
| 14 | #include "statem_local.h" |
| 15 | #include "internal/cryptlib.h" |
| 16 | #include <openssl/buffer.h> |
| 17 | #include <openssl/objects.h> |
| 18 | #include <openssl/evp.h> |
| 19 | #include <openssl/x509.h> |
| 20 | |
| 21 | #define RSMBLY_BITMASK_SIZE(msg_len) (((msg_len) + 7) / 8) |
| 22 | |
| 23 | #define RSMBLY_BITMASK_MARK(bitmask, start, end) { \ |
| 24 | if ((end) - (start) <= 8) { \ |
| 25 | long ii; \ |
| 26 | for (ii = (start); ii < (end); ii++) bitmask[((ii) >> 3)] |= (1 << ((ii) & 7)); \ |
| 27 | } else { \ |
| 28 | long ii; \ |
| 29 | bitmask[((start) >> 3)] |= bitmask_start_values[((start) & 7)]; \ |
| 30 | for (ii = (((start) >> 3) + 1); ii < ((((end) - 1)) >> 3); ii++) bitmask[ii] = 0xff; \ |
| 31 | bitmask[(((end) - 1) >> 3)] |= bitmask_end_values[((end) & 7)]; \ |
| 32 | } } |
| 33 | |
| 34 | #define RSMBLY_BITMASK_IS_COMPLETE(bitmask, msg_len, is_complete) { \ |
| 35 | long ii; \ |
| 36 | is_complete = 1; \ |
| 37 | if (bitmask[(((msg_len) - 1) >> 3)] != bitmask_end_values[((msg_len) & 7)]) is_complete = 0; \ |
| 38 | if (is_complete) for (ii = (((msg_len) - 1) >> 3) - 1; ii >= 0 ; ii--) \ |
| 39 | if (bitmask[ii] != 0xff) { is_complete = 0; break; } } |
| 40 | |
| 41 | static unsigned char bitmask_start_values[] = |
| 42 | { 0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80 }; |
| 43 | static unsigned char bitmask_end_values[] = |
| 44 | { 0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f }; |
| 45 | |
| 46 | static void dtls1_fix_message_header(SSL *s, size_t frag_off, |
| 47 | size_t frag_len); |
| 48 | static unsigned char *dtls1_write_message_header(SSL *s, unsigned char *p); |
| 49 | static void dtls1_set_message_header_int(SSL *s, unsigned char mt, |
| 50 | size_t len, |
| 51 | unsigned short seq_num, |
| 52 | size_t frag_off, |
| 53 | size_t frag_len); |
| 54 | static int dtls_get_reassembled_message(SSL *s, int *errtype, size_t *len); |
| 55 | |
| 56 | static hm_fragment *dtls1_hm_fragment_new(size_t frag_len, int reassembly) |
| 57 | { |
| 58 | hm_fragment *frag = NULL; |
| 59 | unsigned char *buf = NULL; |
| 60 | unsigned char *bitmask = NULL; |
| 61 | |
| 62 | if ((frag = OPENSSL_malloc(sizeof(*frag))) == NULL) { |
| 63 | SSLerr(SSL_F_DTLS1_HM_FRAGMENT_NEW, ERR_R_MALLOC_FAILURE); |
| 64 | return NULL; |
| 65 | } |
| 66 | |
| 67 | if (frag_len) { |
| 68 | if ((buf = OPENSSL_malloc(frag_len)) == NULL) { |
| 69 | SSLerr(SSL_F_DTLS1_HM_FRAGMENT_NEW, ERR_R_MALLOC_FAILURE); |
| 70 | OPENSSL_free(frag); |
| 71 | return NULL; |
| 72 | } |
| 73 | } |
| 74 | |
| 75 | /* zero length fragment gets zero frag->fragment */ |
| 76 | frag->fragment = buf; |
| 77 | |
| 78 | /* Initialize reassembly bitmask if necessary */ |
| 79 | if (reassembly) { |
| 80 | bitmask = OPENSSL_zalloc(RSMBLY_BITMASK_SIZE(frag_len)); |
| 81 | if (bitmask == NULL) { |
| 82 | SSLerr(SSL_F_DTLS1_HM_FRAGMENT_NEW, ERR_R_MALLOC_FAILURE); |
| 83 | OPENSSL_free(buf); |
| 84 | OPENSSL_free(frag); |
| 85 | return NULL; |
| 86 | } |
| 87 | } |
| 88 | |
| 89 | frag->reassembly = bitmask; |
| 90 | |
| 91 | return frag; |
| 92 | } |
| 93 | |
| 94 | void dtls1_hm_fragment_free(hm_fragment *frag) |
| 95 | { |
| 96 | if (!frag) |
| 97 | return; |
| 98 | if (frag->msg_header.is_ccs) { |
| 99 | EVP_CIPHER_CTX_free(frag->msg_header. |
| 100 | saved_retransmit_state.enc_write_ctx); |
| 101 | EVP_MD_CTX_free(frag->msg_header.saved_retransmit_state.write_hash); |
| 102 | } |
| 103 | OPENSSL_free(frag->fragment); |
| 104 | OPENSSL_free(frag->reassembly); |
| 105 | OPENSSL_free(frag); |
| 106 | } |
| 107 | |
| 108 | /* |
| 109 | * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or |
| 110 | * SSL3_RT_CHANGE_CIPHER_SPEC) |
| 111 | */ |
| 112 | int dtls1_do_write(SSL *s, int type) |
| 113 | { |
| 114 | int ret; |
| 115 | size_t written; |
| 116 | size_t curr_mtu; |
| 117 | int retry = 1; |
| 118 | size_t len, frag_off, mac_size, blocksize, used_len; |
| 119 | |
| 120 | if (!dtls1_query_mtu(s)) |
| 121 | return -1; |
| 122 | |
| 123 | if (s->d1->mtu < dtls1_min_mtu(s)) |
| 124 | /* should have something reasonable now */ |
| 125 | return -1; |
| 126 | |
| 127 | if (s->init_off == 0 && type == SSL3_RT_HANDSHAKE) { |
| 128 | if (!ossl_assert(s->init_num == |
| 129 | s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH)) |
| 130 | return -1; |
| 131 | } |
| 132 | |
| 133 | if (s->write_hash) { |
| 134 | if (s->enc_write_ctx |
| 135 | && (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_write_ctx)) & |
| 136 | EVP_CIPH_FLAG_AEAD_CIPHER) != 0) |
| 137 | mac_size = 0; |
| 138 | else |
| 139 | mac_size = EVP_MD_CTX_size(s->write_hash); |
| 140 | } else |
| 141 | mac_size = 0; |
| 142 | |
| 143 | if (s->enc_write_ctx && |
| 144 | (EVP_CIPHER_CTX_mode(s->enc_write_ctx) == EVP_CIPH_CBC_MODE)) |
| 145 | blocksize = 2 * EVP_CIPHER_CTX_block_size(s->enc_write_ctx); |
| 146 | else |
| 147 | blocksize = 0; |
| 148 | |
| 149 | frag_off = 0; |
| 150 | s->rwstate = SSL_NOTHING; |
| 151 | |
| 152 | /* s->init_num shouldn't ever be < 0...but just in case */ |
| 153 | while (s->init_num > 0) { |
| 154 | if (type == SSL3_RT_HANDSHAKE && s->init_off != 0) { |
| 155 | /* We must be writing a fragment other than the first one */ |
| 156 | |
| 157 | if (frag_off > 0) { |
| 158 | /* This is the first attempt at writing out this fragment */ |
| 159 | |
| 160 | if (s->init_off <= DTLS1_HM_HEADER_LENGTH) { |
| 161 | /* |
| 162 | * Each fragment that was already sent must at least have |
| 163 | * contained the message header plus one other byte. |
| 164 | * Therefore |init_off| must have progressed by at least |
| 165 | * |DTLS1_HM_HEADER_LENGTH + 1| bytes. If not something went |
| 166 | * wrong. |
| 167 | */ |
| 168 | return -1; |
| 169 | } |
| 170 | |
| 171 | /* |
| 172 | * Adjust |init_off| and |init_num| to allow room for a new |
| 173 | * message header for this fragment. |
| 174 | */ |
| 175 | s->init_off -= DTLS1_HM_HEADER_LENGTH; |
| 176 | s->init_num += DTLS1_HM_HEADER_LENGTH; |
| 177 | } else { |
| 178 | /* |
| 179 | * We must have been called again after a retry so use the |
| 180 | * fragment offset from our last attempt. We do not need |
| 181 | * to adjust |init_off| and |init_num| as above, because |
| 182 | * that should already have been done before the retry. |
| 183 | */ |
| 184 | frag_off = s->d1->w_msg_hdr.frag_off; |
| 185 | } |
| 186 | } |
| 187 | |
| 188 | used_len = BIO_wpending(s->wbio) + DTLS1_RT_HEADER_LENGTH |
| 189 | + mac_size + blocksize; |
| 190 | if (s->d1->mtu > used_len) |
| 191 | curr_mtu = s->d1->mtu - used_len; |
| 192 | else |
| 193 | curr_mtu = 0; |
| 194 | |
| 195 | if (curr_mtu <= DTLS1_HM_HEADER_LENGTH) { |
| 196 | /* |
| 197 | * grr.. we could get an error if MTU picked was wrong |
| 198 | */ |
| 199 | ret = BIO_flush(s->wbio); |
| 200 | if (ret <= 0) { |
| 201 | s->rwstate = SSL_WRITING; |
| 202 | return ret; |
| 203 | } |
| 204 | used_len = DTLS1_RT_HEADER_LENGTH + mac_size + blocksize; |
| 205 | if (s->d1->mtu > used_len + DTLS1_HM_HEADER_LENGTH) { |
| 206 | curr_mtu = s->d1->mtu - used_len; |
| 207 | } else { |
| 208 | /* Shouldn't happen */ |
| 209 | return -1; |
| 210 | } |
| 211 | } |
| 212 | |
| 213 | /* |
| 214 | * We just checked that s->init_num > 0 so this cast should be safe |
| 215 | */ |
| 216 | if (((unsigned int)s->init_num) > curr_mtu) |
| 217 | len = curr_mtu; |
| 218 | else |
| 219 | len = s->init_num; |
| 220 | |
| 221 | if (len > s->max_send_fragment) |
| 222 | len = s->max_send_fragment; |
| 223 | |
| 224 | /* |
| 225 | * XDTLS: this function is too long. split out the CCS part |
| 226 | */ |
| 227 | if (type == SSL3_RT_HANDSHAKE) { |
| 228 | if (len < DTLS1_HM_HEADER_LENGTH) { |
| 229 | /* |
| 230 | * len is so small that we really can't do anything sensible |
| 231 | * so fail |
| 232 | */ |
| 233 | return -1; |
| 234 | } |
| 235 | dtls1_fix_message_header(s, frag_off, len - DTLS1_HM_HEADER_LENGTH); |
| 236 | |
| 237 | dtls1_write_message_header(s, |
| 238 | (unsigned char *)&s->init_buf-> |
| 239 | data[s->init_off]); |
| 240 | } |
| 241 | |
| 242 | ret = dtls1_write_bytes(s, type, &s->init_buf->data[s->init_off], len, |
| 243 | &written); |
| 244 | if (ret < 0) { |
| 245 | /* |
| 246 | * might need to update MTU here, but we don't know which |
| 247 | * previous packet caused the failure -- so can't really |
| 248 | * retransmit anything. continue as if everything is fine and |
| 249 | * wait for an alert to handle the retransmit |
| 250 | */ |
| 251 | if (retry && BIO_ctrl(SSL_get_wbio(s), |
| 252 | BIO_CTRL_DGRAM_MTU_EXCEEDED, 0, NULL) > 0) { |
| 253 | if (!(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) { |
| 254 | if (!dtls1_query_mtu(s)) |
| 255 | return -1; |
| 256 | /* Have one more go */ |
| 257 | retry = 0; |
| 258 | } else |
| 259 | return -1; |
| 260 | } else { |
| 261 | return -1; |
| 262 | } |
| 263 | } else { |
| 264 | |
| 265 | /* |
| 266 | * bad if this assert fails, only part of the handshake message |
| 267 | * got sent. but why would this happen? |
| 268 | */ |
| 269 | if (!ossl_assert(len == written)) |
| 270 | return -1; |
| 271 | |
| 272 | if (type == SSL3_RT_HANDSHAKE && !s->d1->retransmitting) { |
| 273 | /* |
| 274 | * should not be done for 'Hello Request's, but in that case |
| 275 | * we'll ignore the result anyway |
| 276 | */ |
| 277 | unsigned char *p = |
| 278 | (unsigned char *)&s->init_buf->data[s->init_off]; |
| 279 | const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; |
| 280 | size_t xlen; |
| 281 | |
| 282 | if (frag_off == 0 && s->version != DTLS1_BAD_VER) { |
| 283 | /* |
| 284 | * reconstruct message header is if it is being sent in |
| 285 | * single fragment |
| 286 | */ |
| 287 | *p++ = msg_hdr->type; |
| 288 | l2n3(msg_hdr->msg_len, p); |
| 289 | s2n(msg_hdr->seq, p); |
| 290 | l2n3(0, p); |
| 291 | l2n3(msg_hdr->msg_len, p); |
| 292 | p -= DTLS1_HM_HEADER_LENGTH; |
| 293 | xlen = written; |
| 294 | } else { |
| 295 | p += DTLS1_HM_HEADER_LENGTH; |
| 296 | xlen = written - DTLS1_HM_HEADER_LENGTH; |
| 297 | } |
| 298 | |
| 299 | if (!ssl3_finish_mac(s, p, xlen)) |
| 300 | return -1; |
| 301 | } |
| 302 | |
| 303 | if (written == s->init_num) { |
| 304 | if (s->msg_callback) |
| 305 | s->msg_callback(1, s->version, type, s->init_buf->data, |
| 306 | (size_t)(s->init_off + s->init_num), s, |
| 307 | s->msg_callback_arg); |
| 308 | |
| 309 | s->init_off = 0; /* done writing this message */ |
| 310 | s->init_num = 0; |
| 311 | |
| 312 | return 1; |
| 313 | } |
| 314 | s->init_off += written; |
| 315 | s->init_num -= written; |
| 316 | written -= DTLS1_HM_HEADER_LENGTH; |
| 317 | frag_off += written; |
| 318 | |
| 319 | /* |
| 320 | * We save the fragment offset for the next fragment so we have it |
| 321 | * available in case of an IO retry. We don't know the length of the |
| 322 | * next fragment yet so just set that to 0 for now. It will be |
| 323 | * updated again later. |
| 324 | */ |
| 325 | dtls1_fix_message_header(s, frag_off, 0); |
| 326 | } |
| 327 | } |
| 328 | return 0; |
| 329 | } |
| 330 | |
| 331 | int dtls_get_message(SSL *s, int *mt, size_t *len) |
| 332 | { |
| 333 | struct hm_header_st *msg_hdr; |
| 334 | unsigned char *p; |
| 335 | size_t msg_len; |
| 336 | size_t tmplen; |
| 337 | int errtype; |
| 338 | |
| 339 | msg_hdr = &s->d1->r_msg_hdr; |
| 340 | memset(msg_hdr, 0, sizeof(*msg_hdr)); |
| 341 | |
| 342 | again: |
| 343 | if (!dtls_get_reassembled_message(s, &errtype, &tmplen)) { |
| 344 | if (errtype == DTLS1_HM_BAD_FRAGMENT |
| 345 | || errtype == DTLS1_HM_FRAGMENT_RETRY) { |
| 346 | /* bad fragment received */ |
| 347 | goto again; |
| 348 | } |
| 349 | return 0; |
| 350 | } |
| 351 | |
| 352 | *mt = s->s3.tmp.message_type; |
| 353 | |
| 354 | p = (unsigned char *)s->init_buf->data; |
| 355 | *len = s->init_num; |
| 356 | |
| 357 | if (*mt == SSL3_MT_CHANGE_CIPHER_SPEC) { |
| 358 | if (s->msg_callback) { |
| 359 | s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, |
| 360 | p, 1, s, s->msg_callback_arg); |
| 361 | } |
| 362 | /* |
| 363 | * This isn't a real handshake message so skip the processing below. |
| 364 | */ |
| 365 | return 1; |
| 366 | } |
| 367 | |
| 368 | msg_len = msg_hdr->msg_len; |
| 369 | |
| 370 | /* reconstruct message header */ |
| 371 | *(p++) = msg_hdr->type; |
| 372 | l2n3(msg_len, p); |
| 373 | s2n(msg_hdr->seq, p); |
| 374 | l2n3(0, p); |
| 375 | l2n3(msg_len, p); |
| 376 | if (s->version != DTLS1_BAD_VER) { |
| 377 | p -= DTLS1_HM_HEADER_LENGTH; |
| 378 | msg_len += DTLS1_HM_HEADER_LENGTH; |
| 379 | } |
| 380 | |
| 381 | /* |
| 382 | * If receiving Finished, record MAC of prior handshake messages for |
| 383 | * Finished verification. |
| 384 | */ |
| 385 | if (*mt == SSL3_MT_FINISHED && !ssl3_take_mac(s)) { |
| 386 | /* SSLfatal() already called */ |
| 387 | return 0; |
| 388 | } |
| 389 | |
| 390 | if (!ssl3_finish_mac(s, p, msg_len)) |
| 391 | return 0; |
| 392 | if (s->msg_callback) |
| 393 | s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, |
| 394 | p, msg_len, s, s->msg_callback_arg); |
| 395 | |
| 396 | memset(msg_hdr, 0, sizeof(*msg_hdr)); |
| 397 | |
| 398 | s->d1->handshake_read_seq++; |
| 399 | |
| 400 | s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH; |
| 401 | |
| 402 | return 1; |
| 403 | } |
| 404 | |
| 405 | /* |
| 406 | * dtls1_max_handshake_message_len returns the maximum number of bytes |
| 407 | * permitted in a DTLS handshake message for |s|. The minimum is 16KB, but |
| 408 | * may be greater if the maximum certificate list size requires it. |
| 409 | */ |
| 410 | static size_t dtls1_max_handshake_message_len(const SSL *s) |
| 411 | { |
| 412 | size_t max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; |
| 413 | if (max_len < s->max_cert_list) |
| 414 | return s->max_cert_list; |
| 415 | return max_len; |
| 416 | } |
| 417 | |
| 418 | static int dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr) |
| 419 | { |
| 420 | size_t frag_off, frag_len, msg_len; |
| 421 | |
| 422 | msg_len = msg_hdr->msg_len; |
| 423 | frag_off = msg_hdr->frag_off; |
| 424 | frag_len = msg_hdr->frag_len; |
| 425 | |
| 426 | /* sanity checking */ |
| 427 | if ((frag_off + frag_len) > msg_len |
| 428 | || msg_len > dtls1_max_handshake_message_len(s)) { |
| 429 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_DTLS1_PREPROCESS_FRAGMENT, |
| 430 | SSL_R_EXCESSIVE_MESSAGE_SIZE); |
| 431 | return 0; |
| 432 | } |
| 433 | |
| 434 | if (s->d1->r_msg_hdr.frag_off == 0) { /* first fragment */ |
| 435 | /* |
| 436 | * msg_len is limited to 2^24, but is effectively checked against |
| 437 | * dtls_max_handshake_message_len(s) above |
| 438 | */ |
| 439 | if (!BUF_MEM_grow_clean(s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH)) { |
| 440 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_PREPROCESS_FRAGMENT, |
| 441 | ERR_R_BUF_LIB); |
| 442 | return 0; |
| 443 | } |
| 444 | |
| 445 | s->s3.tmp.message_size = msg_len; |
| 446 | s->d1->r_msg_hdr.msg_len = msg_len; |
| 447 | s->s3.tmp.message_type = msg_hdr->type; |
| 448 | s->d1->r_msg_hdr.type = msg_hdr->type; |
| 449 | s->d1->r_msg_hdr.seq = msg_hdr->seq; |
| 450 | } else if (msg_len != s->d1->r_msg_hdr.msg_len) { |
| 451 | /* |
| 452 | * They must be playing with us! BTW, failure to enforce upper limit |
| 453 | * would open possibility for buffer overrun. |
| 454 | */ |
| 455 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_DTLS1_PREPROCESS_FRAGMENT, |
| 456 | SSL_R_EXCESSIVE_MESSAGE_SIZE); |
| 457 | return 0; |
| 458 | } |
| 459 | |
| 460 | return 1; |
| 461 | } |
| 462 | |
| 463 | /* |
| 464 | * Returns 1 if there is a buffered fragment available, 0 if not, or -1 on a |
| 465 | * fatal error. |
| 466 | */ |
| 467 | static int dtls1_retrieve_buffered_fragment(SSL *s, size_t *len) |
| 468 | { |
| 469 | /*- |
| 470 | * (0) check whether the desired fragment is available |
| 471 | * if so: |
| 472 | * (1) copy over the fragment to s->init_buf->data[] |
| 473 | * (2) update s->init_num |
| 474 | */ |
| 475 | pitem *item; |
| 476 | hm_fragment *frag; |
| 477 | int ret; |
| 478 | |
| 479 | do { |
| 480 | item = pqueue_peek(s->d1->buffered_messages); |
| 481 | if (item == NULL) |
| 482 | return 0; |
| 483 | |
| 484 | frag = (hm_fragment *)item->data; |
| 485 | |
| 486 | if (frag->msg_header.seq < s->d1->handshake_read_seq) { |
| 487 | /* This is a stale message that has been buffered so clear it */ |
| 488 | pqueue_pop(s->d1->buffered_messages); |
| 489 | dtls1_hm_fragment_free(frag); |
| 490 | pitem_free(item); |
| 491 | item = NULL; |
| 492 | frag = NULL; |
| 493 | } |
| 494 | } while (item == NULL); |
| 495 | |
| 496 | /* Don't return if reassembly still in progress */ |
| 497 | if (frag->reassembly != NULL) |
| 498 | return 0; |
| 499 | |
| 500 | if (s->d1->handshake_read_seq == frag->msg_header.seq) { |
| 501 | size_t frag_len = frag->msg_header.frag_len; |
| 502 | pqueue_pop(s->d1->buffered_messages); |
| 503 | |
| 504 | /* Calls SSLfatal() as required */ |
| 505 | ret = dtls1_preprocess_fragment(s, &frag->msg_header); |
| 506 | |
| 507 | if (ret && frag->msg_header.frag_len > 0) { |
| 508 | unsigned char *p = |
| 509 | (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH; |
| 510 | memcpy(&p[frag->msg_header.frag_off], frag->fragment, |
| 511 | frag->msg_header.frag_len); |
| 512 | } |
| 513 | |
| 514 | dtls1_hm_fragment_free(frag); |
| 515 | pitem_free(item); |
| 516 | |
| 517 | if (ret) { |
| 518 | *len = frag_len; |
| 519 | return 1; |
| 520 | } |
| 521 | |
| 522 | /* Fatal error */ |
| 523 | s->init_num = 0; |
| 524 | return -1; |
| 525 | } else { |
| 526 | return 0; |
| 527 | } |
| 528 | } |
| 529 | |
| 530 | static int |
| 531 | dtls1_reassemble_fragment(SSL *s, const struct hm_header_st *msg_hdr) |
| 532 | { |
| 533 | hm_fragment *frag = NULL; |
| 534 | pitem *item = NULL; |
| 535 | int i = -1, is_complete; |
| 536 | unsigned char seq64be[8]; |
| 537 | size_t frag_len = msg_hdr->frag_len; |
| 538 | size_t readbytes; |
| 539 | |
| 540 | if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len || |
| 541 | msg_hdr->msg_len > dtls1_max_handshake_message_len(s)) |
| 542 | goto err; |
| 543 | |
| 544 | if (frag_len == 0) { |
| 545 | return DTLS1_HM_FRAGMENT_RETRY; |
| 546 | } |
| 547 | |
| 548 | /* Try to find item in queue */ |
| 549 | memset(seq64be, 0, sizeof(seq64be)); |
| 550 | seq64be[6] = (unsigned char)(msg_hdr->seq >> 8); |
| 551 | seq64be[7] = (unsigned char)msg_hdr->seq; |
| 552 | item = pqueue_find(s->d1->buffered_messages, seq64be); |
| 553 | |
| 554 | if (item == NULL) { |
| 555 | frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 1); |
| 556 | if (frag == NULL) |
| 557 | goto err; |
| 558 | memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); |
| 559 | frag->msg_header.frag_len = frag->msg_header.msg_len; |
| 560 | frag->msg_header.frag_off = 0; |
| 561 | } else { |
| 562 | frag = (hm_fragment *)item->data; |
| 563 | if (frag->msg_header.msg_len != msg_hdr->msg_len) { |
| 564 | item = NULL; |
| 565 | frag = NULL; |
| 566 | goto err; |
| 567 | } |
| 568 | } |
| 569 | |
| 570 | /* |
| 571 | * If message is already reassembled, this must be a retransmit and can |
| 572 | * be dropped. In this case item != NULL and so frag does not need to be |
| 573 | * freed. |
| 574 | */ |
| 575 | if (frag->reassembly == NULL) { |
| 576 | unsigned char devnull[256]; |
| 577 | |
| 578 | while (frag_len) { |
| 579 | i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL, |
| 580 | devnull, |
| 581 | frag_len > |
| 582 | sizeof(devnull) ? sizeof(devnull) : |
| 583 | frag_len, 0, &readbytes); |
| 584 | if (i <= 0) |
| 585 | goto err; |
| 586 | frag_len -= readbytes; |
| 587 | } |
| 588 | return DTLS1_HM_FRAGMENT_RETRY; |
| 589 | } |
| 590 | |
| 591 | /* read the body of the fragment (header has already been read */ |
| 592 | i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL, |
| 593 | frag->fragment + msg_hdr->frag_off, |
| 594 | frag_len, 0, &readbytes); |
| 595 | if (i <= 0 || readbytes != frag_len) |
| 596 | i = -1; |
| 597 | if (i <= 0) |
| 598 | goto err; |
| 599 | |
| 600 | RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off, |
| 601 | (long)(msg_hdr->frag_off + frag_len)); |
| 602 | |
| 603 | if (!ossl_assert(msg_hdr->msg_len > 0)) |
| 604 | goto err; |
| 605 | RSMBLY_BITMASK_IS_COMPLETE(frag->reassembly, (long)msg_hdr->msg_len, |
| 606 | is_complete); |
| 607 | |
| 608 | if (is_complete) { |
| 609 | OPENSSL_free(frag->reassembly); |
| 610 | frag->reassembly = NULL; |
| 611 | } |
| 612 | |
| 613 | if (item == NULL) { |
| 614 | item = pitem_new(seq64be, frag); |
| 615 | if (item == NULL) { |
| 616 | i = -1; |
| 617 | goto err; |
| 618 | } |
| 619 | |
| 620 | item = pqueue_insert(s->d1->buffered_messages, item); |
| 621 | /* |
| 622 | * pqueue_insert fails iff a duplicate item is inserted. However, |
| 623 | * |item| cannot be a duplicate. If it were, |pqueue_find|, above, |
| 624 | * would have returned it and control would never have reached this |
| 625 | * branch. |
| 626 | */ |
| 627 | if (!ossl_assert(item != NULL)) |
| 628 | goto err; |
| 629 | } |
| 630 | |
| 631 | return DTLS1_HM_FRAGMENT_RETRY; |
| 632 | |
| 633 | err: |
| 634 | if (item == NULL) |
| 635 | dtls1_hm_fragment_free(frag); |
| 636 | return -1; |
| 637 | } |
| 638 | |
| 639 | static int |
| 640 | dtls1_process_out_of_seq_message(SSL *s, const struct hm_header_st *msg_hdr) |
| 641 | { |
| 642 | int i = -1; |
| 643 | hm_fragment *frag = NULL; |
| 644 | pitem *item = NULL; |
| 645 | unsigned char seq64be[8]; |
| 646 | size_t frag_len = msg_hdr->frag_len; |
| 647 | size_t readbytes; |
| 648 | |
| 649 | if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len) |
| 650 | goto err; |
| 651 | |
| 652 | /* Try to find item in queue, to prevent duplicate entries */ |
| 653 | memset(seq64be, 0, sizeof(seq64be)); |
| 654 | seq64be[6] = (unsigned char)(msg_hdr->seq >> 8); |
| 655 | seq64be[7] = (unsigned char)msg_hdr->seq; |
| 656 | item = pqueue_find(s->d1->buffered_messages, seq64be); |
| 657 | |
| 658 | /* |
| 659 | * If we already have an entry and this one is a fragment, don't discard |
| 660 | * it and rather try to reassemble it. |
| 661 | */ |
| 662 | if (item != NULL && frag_len != msg_hdr->msg_len) |
| 663 | item = NULL; |
| 664 | |
| 665 | /* |
| 666 | * Discard the message if sequence number was already there, is too far |
| 667 | * in the future, already in the queue or if we received a FINISHED |
| 668 | * before the SERVER_HELLO, which then must be a stale retransmit. |
| 669 | */ |
| 670 | if (msg_hdr->seq <= s->d1->handshake_read_seq || |
| 671 | msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL || |
| 672 | (s->d1->handshake_read_seq == 0 && msg_hdr->type == SSL3_MT_FINISHED)) { |
| 673 | unsigned char devnull[256]; |
| 674 | |
| 675 | while (frag_len) { |
| 676 | i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL, |
| 677 | devnull, |
| 678 | frag_len > |
| 679 | sizeof(devnull) ? sizeof(devnull) : |
| 680 | frag_len, 0, &readbytes); |
| 681 | if (i <= 0) |
| 682 | goto err; |
| 683 | frag_len -= readbytes; |
| 684 | } |
| 685 | } else { |
| 686 | if (frag_len != msg_hdr->msg_len) { |
| 687 | return dtls1_reassemble_fragment(s, msg_hdr); |
| 688 | } |
| 689 | |
| 690 | if (frag_len > dtls1_max_handshake_message_len(s)) |
| 691 | goto err; |
| 692 | |
| 693 | frag = dtls1_hm_fragment_new(frag_len, 0); |
| 694 | if (frag == NULL) |
| 695 | goto err; |
| 696 | |
| 697 | memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); |
| 698 | |
| 699 | if (frag_len) { |
| 700 | /* |
| 701 | * read the body of the fragment (header has already been read |
| 702 | */ |
| 703 | i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL, |
| 704 | frag->fragment, frag_len, 0, |
| 705 | &readbytes); |
| 706 | if (i<=0 || readbytes != frag_len) |
| 707 | i = -1; |
| 708 | if (i <= 0) |
| 709 | goto err; |
| 710 | } |
| 711 | |
| 712 | item = pitem_new(seq64be, frag); |
| 713 | if (item == NULL) |
| 714 | goto err; |
| 715 | |
| 716 | item = pqueue_insert(s->d1->buffered_messages, item); |
| 717 | /* |
| 718 | * pqueue_insert fails iff a duplicate item is inserted. However, |
| 719 | * |item| cannot be a duplicate. If it were, |pqueue_find|, above, |
| 720 | * would have returned it. Then, either |frag_len| != |
| 721 | * |msg_hdr->msg_len| in which case |item| is set to NULL and it will |
| 722 | * have been processed with |dtls1_reassemble_fragment|, above, or |
| 723 | * the record will have been discarded. |
| 724 | */ |
| 725 | if (!ossl_assert(item != NULL)) |
| 726 | goto err; |
| 727 | } |
| 728 | |
| 729 | return DTLS1_HM_FRAGMENT_RETRY; |
| 730 | |
| 731 | err: |
| 732 | if (item == NULL) |
| 733 | dtls1_hm_fragment_free(frag); |
| 734 | return 0; |
| 735 | } |
| 736 | |
| 737 | static int dtls_get_reassembled_message(SSL *s, int *errtype, size_t *len) |
| 738 | { |
| 739 | unsigned char wire[DTLS1_HM_HEADER_LENGTH]; |
| 740 | size_t mlen, frag_off, frag_len; |
| 741 | int i, ret, recvd_type; |
| 742 | struct hm_header_st msg_hdr; |
| 743 | size_t readbytes; |
| 744 | |
| 745 | *errtype = 0; |
| 746 | |
| 747 | redo: |
| 748 | /* see if we have the required fragment already */ |
| 749 | ret = dtls1_retrieve_buffered_fragment(s, &frag_len); |
| 750 | if (ret < 0) { |
| 751 | /* SSLfatal() already called */ |
| 752 | return 0; |
| 753 | } |
| 754 | if (ret > 0) { |
| 755 | s->init_num = frag_len; |
| 756 | *len = frag_len; |
| 757 | return 1; |
| 758 | } |
| 759 | |
| 760 | /* read handshake message header */ |
| 761 | i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type, wire, |
| 762 | DTLS1_HM_HEADER_LENGTH, 0, &readbytes); |
| 763 | if (i <= 0) { /* nbio, or an error */ |
| 764 | s->rwstate = SSL_READING; |
| 765 | *len = 0; |
| 766 | return 0; |
| 767 | } |
| 768 | if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) { |
| 769 | if (wire[0] != SSL3_MT_CCS) { |
| 770 | SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, |
| 771 | SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, |
| 772 | SSL_R_BAD_CHANGE_CIPHER_SPEC); |
| 773 | goto f_err; |
| 774 | } |
| 775 | |
| 776 | memcpy(s->init_buf->data, wire, readbytes); |
| 777 | s->init_num = readbytes - 1; |
| 778 | s->init_msg = s->init_buf->data + 1; |
| 779 | s->s3.tmp.message_type = SSL3_MT_CHANGE_CIPHER_SPEC; |
| 780 | s->s3.tmp.message_size = readbytes - 1; |
| 781 | *len = readbytes - 1; |
| 782 | return 1; |
| 783 | } |
| 784 | |
| 785 | /* Handshake fails if message header is incomplete */ |
| 786 | if (readbytes != DTLS1_HM_HEADER_LENGTH) { |
| 787 | SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, |
| 788 | SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); |
| 789 | goto f_err; |
| 790 | } |
| 791 | |
| 792 | /* parse the message fragment header */ |
| 793 | dtls1_get_message_header(wire, &msg_hdr); |
| 794 | |
| 795 | mlen = msg_hdr.msg_len; |
| 796 | frag_off = msg_hdr.frag_off; |
| 797 | frag_len = msg_hdr.frag_len; |
| 798 | |
| 799 | /* |
| 800 | * We must have at least frag_len bytes left in the record to be read. |
| 801 | * Fragments must not span records. |
| 802 | */ |
| 803 | if (frag_len > RECORD_LAYER_get_rrec_length(&s->rlayer)) { |
| 804 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, |
| 805 | SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, SSL_R_BAD_LENGTH); |
| 806 | goto f_err; |
| 807 | } |
| 808 | |
| 809 | /* |
| 810 | * if this is a future (or stale) message it gets buffered |
| 811 | * (or dropped)--no further processing at this time |
| 812 | * While listening, we accept seq 1 (ClientHello with cookie) |
| 813 | * although we're still expecting seq 0 (ClientHello) |
| 814 | */ |
| 815 | if (msg_hdr.seq != s->d1->handshake_read_seq) { |
| 816 | *errtype = dtls1_process_out_of_seq_message(s, &msg_hdr); |
| 817 | return 0; |
| 818 | } |
| 819 | |
| 820 | if (frag_len && frag_len < mlen) { |
| 821 | *errtype = dtls1_reassemble_fragment(s, &msg_hdr); |
| 822 | return 0; |
| 823 | } |
| 824 | |
| 825 | if (!s->server |
| 826 | && s->d1->r_msg_hdr.frag_off == 0 |
| 827 | && s->statem.hand_state != TLS_ST_OK |
| 828 | && wire[0] == SSL3_MT_HELLO_REQUEST) { |
| 829 | /* |
| 830 | * The server may always send 'Hello Request' messages -- we are |
| 831 | * doing a handshake anyway now, so ignore them if their format is |
| 832 | * correct. Does not count for 'Finished' MAC. |
| 833 | */ |
| 834 | if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0) { |
| 835 | if (s->msg_callback) |
| 836 | s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, |
| 837 | wire, DTLS1_HM_HEADER_LENGTH, s, |
| 838 | s->msg_callback_arg); |
| 839 | |
| 840 | s->init_num = 0; |
| 841 | goto redo; |
| 842 | } else { /* Incorrectly formatted Hello request */ |
| 843 | |
| 844 | SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, |
| 845 | SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, |
| 846 | SSL_R_UNEXPECTED_MESSAGE); |
| 847 | goto f_err; |
| 848 | } |
| 849 | } |
| 850 | |
| 851 | if (!dtls1_preprocess_fragment(s, &msg_hdr)) { |
| 852 | /* SSLfatal() already called */ |
| 853 | goto f_err; |
| 854 | } |
| 855 | |
| 856 | if (frag_len > 0) { |
| 857 | unsigned char *p = |
| 858 | (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH; |
| 859 | |
| 860 | i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL, |
| 861 | &p[frag_off], frag_len, 0, &readbytes); |
| 862 | |
| 863 | /* |
| 864 | * This shouldn't ever fail due to NBIO because we already checked |
| 865 | * that we have enough data in the record |
| 866 | */ |
| 867 | if (i <= 0) { |
| 868 | s->rwstate = SSL_READING; |
| 869 | *len = 0; |
| 870 | return 0; |
| 871 | } |
| 872 | } else { |
| 873 | readbytes = 0; |
| 874 | } |
| 875 | |
| 876 | /* |
| 877 | * XDTLS: an incorrectly formatted fragment should cause the handshake |
| 878 | * to fail |
| 879 | */ |
| 880 | if (readbytes != frag_len) { |
| 881 | SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, |
| 882 | SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, SSL_R_BAD_LENGTH); |
| 883 | goto f_err; |
| 884 | } |
| 885 | |
| 886 | /* |
| 887 | * Note that s->init_num is *not* used as current offset in |
| 888 | * s->init_buf->data, but as a counter summing up fragments' lengths: as |
| 889 | * soon as they sum up to handshake packet length, we assume we have got |
| 890 | * all the fragments. |
| 891 | */ |
| 892 | *len = s->init_num = frag_len; |
| 893 | return 1; |
| 894 | |
| 895 | f_err: |
| 896 | s->init_num = 0; |
| 897 | *len = 0; |
| 898 | return 0; |
| 899 | } |
| 900 | |
| 901 | /*- |
| 902 | * for these 2 messages, we need to |
| 903 | * ssl->enc_read_ctx re-init |
| 904 | * ssl->rlayer.read_sequence zero |
| 905 | * ssl->s3.read_mac_secret re-init |
| 906 | * ssl->session->read_sym_enc assign |
| 907 | * ssl->session->read_compression assign |
| 908 | * ssl->session->read_hash assign |
| 909 | */ |
| 910 | int dtls_construct_change_cipher_spec(SSL *s, WPACKET *pkt) |
| 911 | { |
| 912 | if (s->version == DTLS1_BAD_VER) { |
| 913 | s->d1->next_handshake_write_seq++; |
| 914 | |
| 915 | if (!WPACKET_put_bytes_u16(pkt, s->d1->handshake_write_seq)) { |
| 916 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 917 | SSL_F_DTLS_CONSTRUCT_CHANGE_CIPHER_SPEC, |
| 918 | ERR_R_INTERNAL_ERROR); |
| 919 | return 0; |
| 920 | } |
| 921 | } |
| 922 | |
| 923 | return 1; |
| 924 | } |
| 925 | |
| 926 | #ifndef OPENSSL_NO_SCTP |
| 927 | /* |
| 928 | * Wait for a dry event. Should only be called at a point in the handshake |
| 929 | * where we are not expecting any data from the peer except an alert. |
| 930 | */ |
| 931 | WORK_STATE dtls_wait_for_dry(SSL *s) |
| 932 | { |
| 933 | int ret, errtype; |
| 934 | size_t len; |
| 935 | |
| 936 | /* read app data until dry event */ |
| 937 | ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s)); |
| 938 | if (ret < 0) { |
| 939 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS_WAIT_FOR_DRY, |
| 940 | ERR_R_INTERNAL_ERROR); |
| 941 | return WORK_ERROR; |
| 942 | } |
| 943 | |
| 944 | if (ret == 0) { |
| 945 | /* |
| 946 | * We're not expecting any more messages from the peer at this point - |
| 947 | * but we could get an alert. If an alert is waiting then we will never |
| 948 | * return successfully. Therefore we attempt to read a message. This |
| 949 | * should never succeed but will process any waiting alerts. |
| 950 | */ |
| 951 | if (dtls_get_reassembled_message(s, &errtype, &len)) { |
| 952 | /* The call succeeded! This should never happen */ |
| 953 | SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS_WAIT_FOR_DRY, |
| 954 | SSL_R_UNEXPECTED_MESSAGE); |
| 955 | return WORK_ERROR; |
| 956 | } |
| 957 | |
| 958 | s->s3.in_read_app_data = 2; |
| 959 | s->rwstate = SSL_READING; |
| 960 | BIO_clear_retry_flags(SSL_get_rbio(s)); |
| 961 | BIO_set_retry_read(SSL_get_rbio(s)); |
| 962 | return WORK_MORE_A; |
| 963 | } |
| 964 | return WORK_FINISHED_CONTINUE; |
| 965 | } |
| 966 | #endif |
| 967 | |
| 968 | int dtls1_read_failed(SSL *s, int code) |
| 969 | { |
| 970 | if (code > 0) { |
| 971 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
| 972 | SSL_F_DTLS1_READ_FAILED, ERR_R_INTERNAL_ERROR); |
| 973 | return 0; |
| 974 | } |
| 975 | |
| 976 | if (!dtls1_is_timer_expired(s) || ossl_statem_in_error(s)) { |
| 977 | /* |
| 978 | * not a timeout, none of our business, let higher layers handle |
| 979 | * this. in fact it's probably an error |
| 980 | */ |
| 981 | return code; |
| 982 | } |
| 983 | /* done, no need to send a retransmit */ |
| 984 | if (!SSL_in_init(s)) |
| 985 | { |
| 986 | BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ); |
| 987 | return code; |
| 988 | } |
| 989 | |
| 990 | return dtls1_handle_timeout(s); |
| 991 | } |
| 992 | |
| 993 | int dtls1_get_queue_priority(unsigned short seq, int is_ccs) |
| 994 | { |
| 995 | /* |
| 996 | * The index of the retransmission queue actually is the message sequence |
| 997 | * number, since the queue only contains messages of a single handshake. |
| 998 | * However, the ChangeCipherSpec has no message sequence number and so |
| 999 | * using only the sequence will result in the CCS and Finished having the |
| 1000 | * same index. To prevent this, the sequence number is multiplied by 2. |
| 1001 | * In case of a CCS 1 is subtracted. This does not only differ CSS and |
| 1002 | * Finished, it also maintains the order of the index (important for |
| 1003 | * priority queues) and fits in the unsigned short variable. |
| 1004 | */ |
| 1005 | return seq * 2 - is_ccs; |
| 1006 | } |
| 1007 | |
| 1008 | int dtls1_retransmit_buffered_messages(SSL *s) |
| 1009 | { |
| 1010 | pqueue *sent = s->d1->sent_messages; |
| 1011 | piterator iter; |
| 1012 | pitem *item; |
| 1013 | hm_fragment *frag; |
| 1014 | int found = 0; |
| 1015 | |
| 1016 | iter = pqueue_iterator(sent); |
| 1017 | |
| 1018 | for (item = pqueue_next(&iter); item != NULL; item = pqueue_next(&iter)) { |
| 1019 | frag = (hm_fragment *)item->data; |
| 1020 | if (dtls1_retransmit_message(s, (unsigned short) |
| 1021 | dtls1_get_queue_priority |
| 1022 | (frag->msg_header.seq, |
| 1023 | frag->msg_header.is_ccs), &found) <= 0) |
| 1024 | return -1; |
| 1025 | } |
| 1026 | |
| 1027 | return 1; |
| 1028 | } |
| 1029 | |
| 1030 | int dtls1_buffer_message(SSL *s, int is_ccs) |
| 1031 | { |
| 1032 | pitem *item; |
| 1033 | hm_fragment *frag; |
| 1034 | unsigned char seq64be[8]; |
| 1035 | |
| 1036 | /* |
| 1037 | * this function is called immediately after a message has been |
| 1038 | * serialized |
| 1039 | */ |
| 1040 | if (!ossl_assert(s->init_off == 0)) |
| 1041 | return 0; |
| 1042 | |
| 1043 | frag = dtls1_hm_fragment_new(s->init_num, 0); |
| 1044 | if (frag == NULL) |
| 1045 | return 0; |
| 1046 | |
| 1047 | memcpy(frag->fragment, s->init_buf->data, s->init_num); |
| 1048 | |
| 1049 | if (is_ccs) { |
| 1050 | /* For DTLS1_BAD_VER the header length is non-standard */ |
| 1051 | if (!ossl_assert(s->d1->w_msg_hdr.msg_len + |
| 1052 | ((s->version == |
| 1053 | DTLS1_BAD_VER) ? 3 : DTLS1_CCS_HEADER_LENGTH) |
| 1054 | == (unsigned int)s->init_num)) |
| 1055 | return 0; |
| 1056 | } else { |
| 1057 | if (!ossl_assert(s->d1->w_msg_hdr.msg_len + |
| 1058 | DTLS1_HM_HEADER_LENGTH == (unsigned int)s->init_num)) |
| 1059 | return 0; |
| 1060 | } |
| 1061 | |
| 1062 | frag->msg_header.msg_len = s->d1->w_msg_hdr.msg_len; |
| 1063 | frag->msg_header.seq = s->d1->w_msg_hdr.seq; |
| 1064 | frag->msg_header.type = s->d1->w_msg_hdr.type; |
| 1065 | frag->msg_header.frag_off = 0; |
| 1066 | frag->msg_header.frag_len = s->d1->w_msg_hdr.msg_len; |
| 1067 | frag->msg_header.is_ccs = is_ccs; |
| 1068 | |
| 1069 | /* save current state */ |
| 1070 | frag->msg_header.saved_retransmit_state.enc_write_ctx = s->enc_write_ctx; |
| 1071 | frag->msg_header.saved_retransmit_state.write_hash = s->write_hash; |
| 1072 | frag->msg_header.saved_retransmit_state.compress = s->compress; |
| 1073 | frag->msg_header.saved_retransmit_state.session = s->session; |
| 1074 | frag->msg_header.saved_retransmit_state.epoch = |
| 1075 | DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer); |
| 1076 | |
| 1077 | memset(seq64be, 0, sizeof(seq64be)); |
| 1078 | seq64be[6] = |
| 1079 | (unsigned |
| 1080 | char)(dtls1_get_queue_priority(frag->msg_header.seq, |
| 1081 | frag->msg_header.is_ccs) >> 8); |
| 1082 | seq64be[7] = |
| 1083 | (unsigned |
| 1084 | char)(dtls1_get_queue_priority(frag->msg_header.seq, |
| 1085 | frag->msg_header.is_ccs)); |
| 1086 | |
| 1087 | item = pitem_new(seq64be, frag); |
| 1088 | if (item == NULL) { |
| 1089 | dtls1_hm_fragment_free(frag); |
| 1090 | return 0; |
| 1091 | } |
| 1092 | |
| 1093 | pqueue_insert(s->d1->sent_messages, item); |
| 1094 | return 1; |
| 1095 | } |
| 1096 | |
| 1097 | int dtls1_retransmit_message(SSL *s, unsigned short seq, int *found) |
| 1098 | { |
| 1099 | int ret; |
| 1100 | /* XDTLS: for now assuming that read/writes are blocking */ |
| 1101 | pitem *item; |
| 1102 | hm_fragment *frag; |
| 1103 | unsigned long header_length; |
| 1104 | unsigned char seq64be[8]; |
| 1105 | struct dtls1_retransmit_state saved_state; |
| 1106 | |
| 1107 | /* XDTLS: the requested message ought to be found, otherwise error */ |
| 1108 | memset(seq64be, 0, sizeof(seq64be)); |
| 1109 | seq64be[6] = (unsigned char)(seq >> 8); |
| 1110 | seq64be[7] = (unsigned char)seq; |
| 1111 | |
| 1112 | item = pqueue_find(s->d1->sent_messages, seq64be); |
| 1113 | if (item == NULL) { |
| 1114 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DTLS1_RETRANSMIT_MESSAGE, |
| 1115 | ERR_R_INTERNAL_ERROR); |
| 1116 | *found = 0; |
| 1117 | return 0; |
| 1118 | } |
| 1119 | |
| 1120 | *found = 1; |
| 1121 | frag = (hm_fragment *)item->data; |
| 1122 | |
| 1123 | if (frag->msg_header.is_ccs) |
| 1124 | header_length = DTLS1_CCS_HEADER_LENGTH; |
| 1125 | else |
| 1126 | header_length = DTLS1_HM_HEADER_LENGTH; |
| 1127 | |
| 1128 | memcpy(s->init_buf->data, frag->fragment, |
| 1129 | frag->msg_header.msg_len + header_length); |
| 1130 | s->init_num = frag->msg_header.msg_len + header_length; |
| 1131 | |
| 1132 | dtls1_set_message_header_int(s, frag->msg_header.type, |
| 1133 | frag->msg_header.msg_len, |
| 1134 | frag->msg_header.seq, 0, |
| 1135 | frag->msg_header.frag_len); |
| 1136 | |
| 1137 | /* save current state */ |
| 1138 | saved_state.enc_write_ctx = s->enc_write_ctx; |
| 1139 | saved_state.write_hash = s->write_hash; |
| 1140 | saved_state.compress = s->compress; |
| 1141 | saved_state.session = s->session; |
| 1142 | saved_state.epoch = DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer); |
| 1143 | |
| 1144 | s->d1->retransmitting = 1; |
| 1145 | |
| 1146 | /* restore state in which the message was originally sent */ |
| 1147 | s->enc_write_ctx = frag->msg_header.saved_retransmit_state.enc_write_ctx; |
| 1148 | s->write_hash = frag->msg_header.saved_retransmit_state.write_hash; |
| 1149 | s->compress = frag->msg_header.saved_retransmit_state.compress; |
| 1150 | s->session = frag->msg_header.saved_retransmit_state.session; |
| 1151 | DTLS_RECORD_LAYER_set_saved_w_epoch(&s->rlayer, |
| 1152 | frag->msg_header. |
| 1153 | saved_retransmit_state.epoch); |
| 1154 | |
| 1155 | ret = dtls1_do_write(s, frag->msg_header.is_ccs ? |
| 1156 | SSL3_RT_CHANGE_CIPHER_SPEC : SSL3_RT_HANDSHAKE); |
| 1157 | |
| 1158 | /* restore current state */ |
| 1159 | s->enc_write_ctx = saved_state.enc_write_ctx; |
| 1160 | s->write_hash = saved_state.write_hash; |
| 1161 | s->compress = saved_state.compress; |
| 1162 | s->session = saved_state.session; |
| 1163 | DTLS_RECORD_LAYER_set_saved_w_epoch(&s->rlayer, saved_state.epoch); |
| 1164 | |
| 1165 | s->d1->retransmitting = 0; |
| 1166 | |
| 1167 | (void)BIO_flush(s->wbio); |
| 1168 | return ret; |
| 1169 | } |
| 1170 | |
| 1171 | void dtls1_set_message_header(SSL *s, |
| 1172 | unsigned char mt, size_t len, |
| 1173 | size_t frag_off, size_t frag_len) |
| 1174 | { |
| 1175 | if (frag_off == 0) { |
| 1176 | s->d1->handshake_write_seq = s->d1->next_handshake_write_seq; |
| 1177 | s->d1->next_handshake_write_seq++; |
| 1178 | } |
| 1179 | |
| 1180 | dtls1_set_message_header_int(s, mt, len, s->d1->handshake_write_seq, |
| 1181 | frag_off, frag_len); |
| 1182 | } |
| 1183 | |
| 1184 | /* don't actually do the writing, wait till the MTU has been retrieved */ |
| 1185 | static void |
| 1186 | dtls1_set_message_header_int(SSL *s, unsigned char mt, |
| 1187 | size_t len, unsigned short seq_num, |
| 1188 | size_t frag_off, size_t frag_len) |
| 1189 | { |
| 1190 | struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; |
| 1191 | |
| 1192 | msg_hdr->type = mt; |
| 1193 | msg_hdr->msg_len = len; |
| 1194 | msg_hdr->seq = seq_num; |
| 1195 | msg_hdr->frag_off = frag_off; |
| 1196 | msg_hdr->frag_len = frag_len; |
| 1197 | } |
| 1198 | |
| 1199 | static void |
| 1200 | dtls1_fix_message_header(SSL *s, size_t frag_off, size_t frag_len) |
| 1201 | { |
| 1202 | struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; |
| 1203 | |
| 1204 | msg_hdr->frag_off = frag_off; |
| 1205 | msg_hdr->frag_len = frag_len; |
| 1206 | } |
| 1207 | |
| 1208 | static unsigned char *dtls1_write_message_header(SSL *s, unsigned char *p) |
| 1209 | { |
| 1210 | struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; |
| 1211 | |
| 1212 | *p++ = msg_hdr->type; |
| 1213 | l2n3(msg_hdr->msg_len, p); |
| 1214 | |
| 1215 | s2n(msg_hdr->seq, p); |
| 1216 | l2n3(msg_hdr->frag_off, p); |
| 1217 | l2n3(msg_hdr->frag_len, p); |
| 1218 | |
| 1219 | return p; |
| 1220 | } |
| 1221 | |
| 1222 | void dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr) |
| 1223 | { |
| 1224 | memset(msg_hdr, 0, sizeof(*msg_hdr)); |
| 1225 | msg_hdr->type = *(data++); |
| 1226 | n2l3(data, msg_hdr->msg_len); |
| 1227 | |
| 1228 | n2s(data, msg_hdr->seq); |
| 1229 | n2l3(data, msg_hdr->frag_off); |
| 1230 | n2l3(data, msg_hdr->frag_len); |
| 1231 | } |
| 1232 | |
| 1233 | int dtls1_set_handshake_header(SSL *s, WPACKET *pkt, int htype) |
| 1234 | { |
| 1235 | unsigned char *header; |
| 1236 | |
| 1237 | if (htype == SSL3_MT_CHANGE_CIPHER_SPEC) { |
| 1238 | s->d1->handshake_write_seq = s->d1->next_handshake_write_seq; |
| 1239 | dtls1_set_message_header_int(s, SSL3_MT_CCS, 0, |
| 1240 | s->d1->handshake_write_seq, 0, 0); |
| 1241 | if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) |
| 1242 | return 0; |
| 1243 | } else { |
| 1244 | dtls1_set_message_header(s, htype, 0, 0, 0); |
| 1245 | /* |
| 1246 | * We allocate space at the start for the message header. This gets |
| 1247 | * filled in later |
| 1248 | */ |
| 1249 | if (!WPACKET_allocate_bytes(pkt, DTLS1_HM_HEADER_LENGTH, &header) |
| 1250 | || !WPACKET_start_sub_packet(pkt)) |
| 1251 | return 0; |
| 1252 | } |
| 1253 | |
| 1254 | return 1; |
| 1255 | } |
| 1256 | |
| 1257 | int dtls1_close_construct_packet(SSL *s, WPACKET *pkt, int htype) |
| 1258 | { |
| 1259 | size_t msglen; |
| 1260 | |
| 1261 | if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt)) |
| 1262 | || !WPACKET_get_length(pkt, &msglen) |
| 1263 | || msglen > INT_MAX) |
| 1264 | return 0; |
| 1265 | |
| 1266 | if (htype != SSL3_MT_CHANGE_CIPHER_SPEC) { |
| 1267 | s->d1->w_msg_hdr.msg_len = msglen - DTLS1_HM_HEADER_LENGTH; |
| 1268 | s->d1->w_msg_hdr.frag_len = msglen - DTLS1_HM_HEADER_LENGTH; |
| 1269 | } |
| 1270 | s->init_num = (int)msglen; |
| 1271 | s->init_off = 0; |
| 1272 | |
| 1273 | if (htype != DTLS1_MT_HELLO_VERIFY_REQUEST) { |
| 1274 | /* Buffer the message to handle re-xmits */ |
| 1275 | if (!dtls1_buffer_message(s, htype == SSL3_MT_CHANGE_CIPHER_SPEC |
| 1276 | ? 1 : 0)) |
| 1277 | return 0; |
| 1278 | } |
| 1279 | |
| 1280 | return 1; |
| 1281 | } |
| 1282 |
Generated on 2020-Jan-04 from project ClickHouse revision 19.17.6
Powered by 
Code Browser 2.1
Generator usage only permitted with license.