13b4e3dcbSSimon L. B. Nielsen /*
288e852c0SJung-uk Kim * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved.
33b4e3dcbSSimon L. B. Nielsen *
4b077aed3SPierre Pronchery * Licensed under the Apache License 2.0 (the "License"). You may not use
5e71b7053SJung-uk Kim * this file except in compliance with the License. You can obtain a copy
6e71b7053SJung-uk Kim * in the file LICENSE in the source distribution or at
7e71b7053SJung-uk Kim * https://www.openssl.org/source/license.html
83b4e3dcbSSimon L. B. Nielsen */
93b4e3dcbSSimon L. B. Nielsen
10e71b7053SJung-uk Kim #include "e_os.h"
113b4e3dcbSSimon L. B. Nielsen #include <stdio.h>
123b4e3dcbSSimon L. B. Nielsen #include <openssl/objects.h>
13e71b7053SJung-uk Kim #include <openssl/rand.h>
1417f01e99SJung-uk Kim #include "ssl_local.h"
153b4e3dcbSSimon L. B. Nielsen
166a599222SSimon L. B. Nielsen static void get_current_time(struct timeval *t);
177bded2dbSJung-uk Kim static int dtls1_handshake_write(SSL *s);
18e71b7053SJung-uk Kim static size_t dtls1_link_min_mtu(void);
193b4e3dcbSSimon L. B. Nielsen
20e71b7053SJung-uk Kim /* XDTLS: figure out the right values */
21e71b7053SJung-uk Kim static const size_t g_probable_mtu[] = { 1500, 512, 256 };
22e71b7053SJung-uk Kim
23e71b7053SJung-uk Kim const SSL3_ENC_METHOD DTLSv1_enc_data = {
247bded2dbSJung-uk Kim tls1_enc,
253b4e3dcbSSimon L. B. Nielsen tls1_mac,
263b4e3dcbSSimon L. B. Nielsen tls1_setup_key_block,
273b4e3dcbSSimon L. B. Nielsen tls1_generate_master_secret,
283b4e3dcbSSimon L. B. Nielsen tls1_change_cipher_state,
293b4e3dcbSSimon L. B. Nielsen tls1_final_finish_mac,
303b4e3dcbSSimon L. B. Nielsen TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
313b4e3dcbSSimon L. B. Nielsen TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
323b4e3dcbSSimon L. B. Nielsen tls1_alert_code,
331f13597dSJung-uk Kim tls1_export_keying_material,
347bded2dbSJung-uk Kim SSL_ENC_FLAG_DTLS | SSL_ENC_FLAG_EXPLICIT_IV,
357bded2dbSJung-uk Kim dtls1_set_handshake_header,
36e71b7053SJung-uk Kim dtls1_close_construct_packet,
377bded2dbSJung-uk Kim dtls1_handshake_write
387bded2dbSJung-uk Kim };
397bded2dbSJung-uk Kim
40e71b7053SJung-uk Kim const SSL3_ENC_METHOD DTLSv1_2_enc_data = {
417bded2dbSJung-uk Kim tls1_enc,
427bded2dbSJung-uk Kim tls1_mac,
437bded2dbSJung-uk Kim tls1_setup_key_block,
447bded2dbSJung-uk Kim tls1_generate_master_secret,
457bded2dbSJung-uk Kim tls1_change_cipher_state,
467bded2dbSJung-uk Kim tls1_final_finish_mac,
477bded2dbSJung-uk Kim TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
487bded2dbSJung-uk Kim TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
497bded2dbSJung-uk Kim tls1_alert_code,
507bded2dbSJung-uk Kim tls1_export_keying_material,
517bded2dbSJung-uk Kim SSL_ENC_FLAG_DTLS | SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS
527bded2dbSJung-uk Kim | SSL_ENC_FLAG_SHA256_PRF | SSL_ENC_FLAG_TLS1_2_CIPHERS,
537bded2dbSJung-uk Kim dtls1_set_handshake_header,
54e71b7053SJung-uk Kim dtls1_close_construct_packet,
557bded2dbSJung-uk Kim dtls1_handshake_write
563b4e3dcbSSimon L. B. Nielsen };
573b4e3dcbSSimon L. B. Nielsen
dtls1_default_timeout(void)583b4e3dcbSSimon L. B. Nielsen long dtls1_default_timeout(void)
593b4e3dcbSSimon L. B. Nielsen {
606f9291ceSJung-uk Kim /*
616f9291ceSJung-uk Kim * 2 hours, the 24 hours mentioned in the DTLSv1 spec is way too long for
626f9291ceSJung-uk Kim * http, the cache would over fill
636f9291ceSJung-uk Kim */
643b4e3dcbSSimon L. B. Nielsen return (60 * 60 * 2);
653b4e3dcbSSimon L. B. Nielsen }
663b4e3dcbSSimon L. B. Nielsen
dtls1_new(SSL * s)673b4e3dcbSSimon L. B. Nielsen int dtls1_new(SSL *s)
683b4e3dcbSSimon L. B. Nielsen {
693b4e3dcbSSimon L. B. Nielsen DTLS1_STATE *d1;
703b4e3dcbSSimon L. B. Nielsen
71e71b7053SJung-uk Kim if (!DTLS_RECORD_LAYER_new(&s->rlayer)) {
72e71b7053SJung-uk Kim return 0;
73e71b7053SJung-uk Kim }
74e71b7053SJung-uk Kim
756f9291ceSJung-uk Kim if (!ssl3_new(s))
76e71b7053SJung-uk Kim return 0;
77e71b7053SJung-uk Kim if ((d1 = OPENSSL_zalloc(sizeof(*d1))) == NULL) {
78e71b7053SJung-uk Kim ssl3_free(s);
79e71b7053SJung-uk Kim return 0;
80e71b7053SJung-uk Kim }
813b4e3dcbSSimon L. B. Nielsen
823b4e3dcbSSimon L. B. Nielsen d1->buffered_messages = pqueue_new();
833b4e3dcbSSimon L. B. Nielsen d1->sent_messages = pqueue_new();
843b4e3dcbSSimon L. B. Nielsen
856f9291ceSJung-uk Kim if (s->server) {
863b4e3dcbSSimon L. B. Nielsen d1->cookie_len = sizeof(s->d1->cookie);
873b4e3dcbSSimon L. B. Nielsen }
883b4e3dcbSSimon L. B. Nielsen
89751d2991SJung-uk Kim d1->link_mtu = 0;
90751d2991SJung-uk Kim d1->mtu = 0;
91751d2991SJung-uk Kim
92e71b7053SJung-uk Kim if (d1->buffered_messages == NULL || d1->sent_messages == NULL) {
936f9291ceSJung-uk Kim pqueue_free(d1->buffered_messages);
946f9291ceSJung-uk Kim pqueue_free(d1->sent_messages);
953b4e3dcbSSimon L. B. Nielsen OPENSSL_free(d1);
96e71b7053SJung-uk Kim ssl3_free(s);
97e71b7053SJung-uk Kim return 0;
983b4e3dcbSSimon L. B. Nielsen }
993b4e3dcbSSimon L. B. Nielsen
1003b4e3dcbSSimon L. B. Nielsen s->d1 = d1;
101e71b7053SJung-uk Kim
102e71b7053SJung-uk Kim if (!s->method->ssl_clear(s))
103e71b7053SJung-uk Kim return 0;
104e71b7053SJung-uk Kim
105e71b7053SJung-uk Kim return 1;
1063b4e3dcbSSimon L. B. Nielsen }
1073b4e3dcbSSimon L. B. Nielsen
dtls1_clear_queues(SSL * s)10812de4ed2SJung-uk Kim static void dtls1_clear_queues(SSL *s)
1093b4e3dcbSSimon L. B. Nielsen {
110aeb5019cSJung-uk Kim dtls1_clear_received_buffer(s);
111aeb5019cSJung-uk Kim dtls1_clear_sent_buffer(s);
11212de4ed2SJung-uk Kim }
11312de4ed2SJung-uk Kim
dtls1_clear_received_buffer(SSL * s)114aeb5019cSJung-uk Kim void dtls1_clear_received_buffer(SSL *s)
115aeb5019cSJung-uk Kim {
116aeb5019cSJung-uk Kim pitem *item = NULL;
117aeb5019cSJung-uk Kim hm_fragment *frag = NULL;
118aeb5019cSJung-uk Kim
119aeb5019cSJung-uk Kim while ((item = pqueue_pop(s->d1->buffered_messages)) != NULL) {
120aeb5019cSJung-uk Kim frag = (hm_fragment *)item->data;
121aeb5019cSJung-uk Kim dtls1_hm_fragment_free(frag);
122aeb5019cSJung-uk Kim pitem_free(item);
123aeb5019cSJung-uk Kim }
124aeb5019cSJung-uk Kim }
125aeb5019cSJung-uk Kim
dtls1_clear_sent_buffer(SSL * s)126aeb5019cSJung-uk Kim void dtls1_clear_sent_buffer(SSL *s)
127aeb5019cSJung-uk Kim {
128aeb5019cSJung-uk Kim pitem *item = NULL;
129aeb5019cSJung-uk Kim hm_fragment *frag = NULL;
130aeb5019cSJung-uk Kim
131aeb5019cSJung-uk Kim while ((item = pqueue_pop(s->d1->sent_messages)) != NULL) {
132aeb5019cSJung-uk Kim frag = (hm_fragment *)item->data;
133*e0c4386eSCy Schubert
134*e0c4386eSCy Schubert if (frag->msg_header.is_ccs) {
135*e0c4386eSCy Schubert /*
136*e0c4386eSCy Schubert * If we're freeing the CCS then we're done with the old
137*e0c4386eSCy Schubert * enc_write_ctx/write_hash and they can be freed
138*e0c4386eSCy Schubert */
139*e0c4386eSCy Schubert if (s->enc_write_ctx
140*e0c4386eSCy Schubert != frag->msg_header.saved_retransmit_state.enc_write_ctx)
141*e0c4386eSCy Schubert EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state
142*e0c4386eSCy Schubert .enc_write_ctx);
143*e0c4386eSCy Schubert
144*e0c4386eSCy Schubert if (s->write_hash
145*e0c4386eSCy Schubert != frag->msg_header.saved_retransmit_state.write_hash)
146*e0c4386eSCy Schubert EVP_MD_CTX_free(frag->msg_header.saved_retransmit_state
147*e0c4386eSCy Schubert .write_hash);
148*e0c4386eSCy Schubert }
149*e0c4386eSCy Schubert
150aeb5019cSJung-uk Kim dtls1_hm_fragment_free(frag);
151aeb5019cSJung-uk Kim pitem_free(item);
152aeb5019cSJung-uk Kim }
153aeb5019cSJung-uk Kim }
154aeb5019cSJung-uk Kim
155aeb5019cSJung-uk Kim
dtls1_free(SSL * s)15612de4ed2SJung-uk Kim void dtls1_free(SSL *s)
15712de4ed2SJung-uk Kim {
158e71b7053SJung-uk Kim DTLS_RECORD_LAYER_free(&s->rlayer);
159e71b7053SJung-uk Kim
16012de4ed2SJung-uk Kim ssl3_free(s);
16112de4ed2SJung-uk Kim
16288e852c0SJung-uk Kim if (s->d1 != NULL) {
16312de4ed2SJung-uk Kim dtls1_clear_queues(s);
16412de4ed2SJung-uk Kim pqueue_free(s->d1->buffered_messages);
16512de4ed2SJung-uk Kim pqueue_free(s->d1->sent_messages);
16688e852c0SJung-uk Kim }
1676a599222SSimon L. B. Nielsen
1683b4e3dcbSSimon L. B. Nielsen OPENSSL_free(s->d1);
169de78d5d8SJung-uk Kim s->d1 = NULL;
1703b4e3dcbSSimon L. B. Nielsen }
1713b4e3dcbSSimon L. B. Nielsen
dtls1_clear(SSL * s)172e71b7053SJung-uk Kim int dtls1_clear(SSL *s)
1733b4e3dcbSSimon L. B. Nielsen {
174e71b7053SJung-uk Kim pqueue *buffered_messages;
175e71b7053SJung-uk Kim pqueue *sent_messages;
176e71b7053SJung-uk Kim size_t mtu;
177e71b7053SJung-uk Kim size_t link_mtu;
178e71b7053SJung-uk Kim
179e71b7053SJung-uk Kim DTLS_RECORD_LAYER_clear(&s->rlayer);
18012de4ed2SJung-uk Kim
1816f9291ceSJung-uk Kim if (s->d1) {
182e71b7053SJung-uk Kim DTLS_timer_cb timer_cb = s->d1->timer_cb;
183e71b7053SJung-uk Kim
18412de4ed2SJung-uk Kim buffered_messages = s->d1->buffered_messages;
18512de4ed2SJung-uk Kim sent_messages = s->d1->sent_messages;
18612de4ed2SJung-uk Kim mtu = s->d1->mtu;
187751d2991SJung-uk Kim link_mtu = s->d1->link_mtu;
18812de4ed2SJung-uk Kim
18912de4ed2SJung-uk Kim dtls1_clear_queues(s);
19012de4ed2SJung-uk Kim
191e71b7053SJung-uk Kim memset(s->d1, 0, sizeof(*s->d1));
192e71b7053SJung-uk Kim
193e71b7053SJung-uk Kim /* Restore the timer callback from previous state */
194e71b7053SJung-uk Kim s->d1->timer_cb = timer_cb;
19512de4ed2SJung-uk Kim
1966f9291ceSJung-uk Kim if (s->server) {
19712de4ed2SJung-uk Kim s->d1->cookie_len = sizeof(s->d1->cookie);
19812de4ed2SJung-uk Kim }
19912de4ed2SJung-uk Kim
2006f9291ceSJung-uk Kim if (SSL_get_options(s) & SSL_OP_NO_QUERY_MTU) {
20112de4ed2SJung-uk Kim s->d1->mtu = mtu;
202751d2991SJung-uk Kim s->d1->link_mtu = link_mtu;
20312de4ed2SJung-uk Kim }
20412de4ed2SJung-uk Kim
20512de4ed2SJung-uk Kim s->d1->buffered_messages = buffered_messages;
20612de4ed2SJung-uk Kim s->d1->sent_messages = sent_messages;
20712de4ed2SJung-uk Kim }
20812de4ed2SJung-uk Kim
209e71b7053SJung-uk Kim if (!ssl3_clear(s))
210e71b7053SJung-uk Kim return 0;
211e71b7053SJung-uk Kim
212e71b7053SJung-uk Kim if (s->method->version == DTLS_ANY_VERSION)
213b077aed3SPierre Pronchery s->version = DTLS_MAX_VERSION_INTERNAL;
214e71b7053SJung-uk Kim #ifndef OPENSSL_NO_DTLS1_METHOD
215e71b7053SJung-uk Kim else if (s->options & SSL_OP_CISCO_ANYCONNECT)
2167bded2dbSJung-uk Kim s->client_version = s->version = DTLS1_BAD_VER;
217e71b7053SJung-uk Kim #endif
2186a599222SSimon L. B. Nielsen else
2197bded2dbSJung-uk Kim s->version = s->method->version;
220e71b7053SJung-uk Kim
221e71b7053SJung-uk Kim return 1;
2223b4e3dcbSSimon L. B. Nielsen }
223db522d3aSSimon L. B. Nielsen
dtls1_ctrl(SSL * s,int cmd,long larg,void * parg)2246a599222SSimon L. B. Nielsen long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
2256a599222SSimon L. B. Nielsen {
2266a599222SSimon L. B. Nielsen int ret = 0;
2276a599222SSimon L. B. Nielsen
2286f9291ceSJung-uk Kim switch (cmd) {
2296a599222SSimon L. B. Nielsen case DTLS_CTRL_GET_TIMEOUT:
2306f9291ceSJung-uk Kim if (dtls1_get_timeout(s, (struct timeval *)parg) != NULL) {
2316a599222SSimon L. B. Nielsen ret = 1;
2326a599222SSimon L. B. Nielsen }
2336a599222SSimon L. B. Nielsen break;
2346a599222SSimon L. B. Nielsen case DTLS_CTRL_HANDLE_TIMEOUT:
2356a599222SSimon L. B. Nielsen ret = dtls1_handle_timeout(s);
2366a599222SSimon L. B. Nielsen break;
237751d2991SJung-uk Kim case DTLS_CTRL_SET_LINK_MTU:
238751d2991SJung-uk Kim if (larg < (long)dtls1_link_min_mtu())
239751d2991SJung-uk Kim return 0;
240751d2991SJung-uk Kim s->d1->link_mtu = larg;
241751d2991SJung-uk Kim return 1;
242751d2991SJung-uk Kim case DTLS_CTRL_GET_LINK_MIN_MTU:
243751d2991SJung-uk Kim return (long)dtls1_link_min_mtu();
244751d2991SJung-uk Kim case SSL_CTRL_SET_MTU:
245751d2991SJung-uk Kim /*
246751d2991SJung-uk Kim * We may not have a BIO set yet so can't call dtls1_min_mtu()
247751d2991SJung-uk Kim * We'll have to make do with dtls1_link_min_mtu() and max overhead
248751d2991SJung-uk Kim */
249751d2991SJung-uk Kim if (larg < (long)dtls1_link_min_mtu() - DTLS1_MAX_MTU_OVERHEAD)
250751d2991SJung-uk Kim return 0;
251751d2991SJung-uk Kim s->d1->mtu = larg;
252751d2991SJung-uk Kim return larg;
2536a599222SSimon L. B. Nielsen default:
2546a599222SSimon L. B. Nielsen ret = ssl3_ctrl(s, cmd, larg, parg);
2556a599222SSimon L. B. Nielsen break;
2566a599222SSimon L. B. Nielsen }
257e71b7053SJung-uk Kim return ret;
258db522d3aSSimon L. B. Nielsen }
2596a599222SSimon L. B. Nielsen
dtls1_start_timer(SSL * s)2606a599222SSimon L. B. Nielsen void dtls1_start_timer(SSL *s)
2616a599222SSimon L. B. Nielsen {
262e71b7053SJung-uk Kim unsigned int sec, usec;
263e71b7053SJung-uk Kim
2641f13597dSJung-uk Kim #ifndef OPENSSL_NO_SCTP
2651f13597dSJung-uk Kim /* Disable timer for SCTP */
2666f9291ceSJung-uk Kim if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
267e71b7053SJung-uk Kim memset(&s->d1->next_timeout, 0, sizeof(s->d1->next_timeout));
2681f13597dSJung-uk Kim return;
2691f13597dSJung-uk Kim }
2701f13597dSJung-uk Kim #endif
2711f13597dSJung-uk Kim
272e71b7053SJung-uk Kim /*
273e71b7053SJung-uk Kim * If timer is not set, initialize duration with 1 second or
274e71b7053SJung-uk Kim * a user-specified value if the timer callback is installed.
275e71b7053SJung-uk Kim */
2766f9291ceSJung-uk Kim if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) {
277e71b7053SJung-uk Kim
278e71b7053SJung-uk Kim if (s->d1->timer_cb != NULL)
279e71b7053SJung-uk Kim s->d1->timeout_duration_us = s->d1->timer_cb(s, 0);
280e71b7053SJung-uk Kim else
281e71b7053SJung-uk Kim s->d1->timeout_duration_us = 1000000;
2826a599222SSimon L. B. Nielsen }
2836a599222SSimon L. B. Nielsen
2846a599222SSimon L. B. Nielsen /* Set timeout to current time */
2856a599222SSimon L. B. Nielsen get_current_time(&(s->d1->next_timeout));
2866a599222SSimon L. B. Nielsen
2876a599222SSimon L. B. Nielsen /* Add duration to current time */
288e71b7053SJung-uk Kim
289e71b7053SJung-uk Kim sec = s->d1->timeout_duration_us / 1000000;
290e71b7053SJung-uk Kim usec = s->d1->timeout_duration_us - (sec * 1000000);
291e71b7053SJung-uk Kim
292e71b7053SJung-uk Kim s->d1->next_timeout.tv_sec += sec;
293e71b7053SJung-uk Kim s->d1->next_timeout.tv_usec += usec;
294e71b7053SJung-uk Kim
295e71b7053SJung-uk Kim if (s->d1->next_timeout.tv_usec >= 1000000) {
296e71b7053SJung-uk Kim s->d1->next_timeout.tv_sec++;
297e71b7053SJung-uk Kim s->d1->next_timeout.tv_usec -= 1000000;
298e71b7053SJung-uk Kim }
299e71b7053SJung-uk Kim
3006f9291ceSJung-uk Kim BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
3016f9291ceSJung-uk Kim &(s->d1->next_timeout));
3026a599222SSimon L. B. Nielsen }
3036a599222SSimon L. B. Nielsen
dtls1_get_timeout(SSL * s,struct timeval * timeleft)3046a599222SSimon L. B. Nielsen struct timeval *dtls1_get_timeout(SSL *s, struct timeval *timeleft)
3056a599222SSimon L. B. Nielsen {
3066a599222SSimon L. B. Nielsen struct timeval timenow;
3076a599222SSimon L. B. Nielsen
3086a599222SSimon L. B. Nielsen /* If no timeout is set, just return NULL */
3096f9291ceSJung-uk Kim if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) {
3106a599222SSimon L. B. Nielsen return NULL;
3116a599222SSimon L. B. Nielsen }
3126a599222SSimon L. B. Nielsen
3136a599222SSimon L. B. Nielsen /* Get current time */
3146a599222SSimon L. B. Nielsen get_current_time(&timenow);
3156a599222SSimon L. B. Nielsen
3166a599222SSimon L. B. Nielsen /* If timer already expired, set remaining time to 0 */
3176a599222SSimon L. B. Nielsen if (s->d1->next_timeout.tv_sec < timenow.tv_sec ||
3186a599222SSimon L. B. Nielsen (s->d1->next_timeout.tv_sec == timenow.tv_sec &&
3196f9291ceSJung-uk Kim s->d1->next_timeout.tv_usec <= timenow.tv_usec)) {
320e71b7053SJung-uk Kim memset(timeleft, 0, sizeof(*timeleft));
3216a599222SSimon L. B. Nielsen return timeleft;
3226a599222SSimon L. B. Nielsen }
3236a599222SSimon L. B. Nielsen
3246a599222SSimon L. B. Nielsen /* Calculate time left until timer expires */
3256a599222SSimon L. B. Nielsen memcpy(timeleft, &(s->d1->next_timeout), sizeof(struct timeval));
3266a599222SSimon L. B. Nielsen timeleft->tv_sec -= timenow.tv_sec;
3276a599222SSimon L. B. Nielsen timeleft->tv_usec -= timenow.tv_usec;
3286f9291ceSJung-uk Kim if (timeleft->tv_usec < 0) {
3296a599222SSimon L. B. Nielsen timeleft->tv_sec--;
3306a599222SSimon L. B. Nielsen timeleft->tv_usec += 1000000;
3316a599222SSimon L. B. Nielsen }
3326a599222SSimon L. B. Nielsen
3336f9291ceSJung-uk Kim /*
3346f9291ceSJung-uk Kim * If remaining time is less than 15 ms, set it to 0 to prevent issues
335e71b7053SJung-uk Kim * because of small divergences with socket timeouts.
336a3ddd25aSSimon L. B. Nielsen */
3376f9291ceSJung-uk Kim if (timeleft->tv_sec == 0 && timeleft->tv_usec < 15000) {
338e71b7053SJung-uk Kim memset(timeleft, 0, sizeof(*timeleft));
339a3ddd25aSSimon L. B. Nielsen }
340a3ddd25aSSimon L. B. Nielsen
3416a599222SSimon L. B. Nielsen return timeleft;
3426a599222SSimon L. B. Nielsen }
3436a599222SSimon L. B. Nielsen
dtls1_is_timer_expired(SSL * s)3446a599222SSimon L. B. Nielsen int dtls1_is_timer_expired(SSL *s)
3456a599222SSimon L. B. Nielsen {
3466a599222SSimon L. B. Nielsen struct timeval timeleft;
3476a599222SSimon L. B. Nielsen
3486a599222SSimon L. B. Nielsen /* Get time left until timeout, return false if no timer running */
3496f9291ceSJung-uk Kim if (dtls1_get_timeout(s, &timeleft) == NULL) {
3506a599222SSimon L. B. Nielsen return 0;
3516a599222SSimon L. B. Nielsen }
3526a599222SSimon L. B. Nielsen
3536a599222SSimon L. B. Nielsen /* Return false if timer is not expired yet */
3546f9291ceSJung-uk Kim if (timeleft.tv_sec > 0 || timeleft.tv_usec > 0) {
3556a599222SSimon L. B. Nielsen return 0;
3566a599222SSimon L. B. Nielsen }
3576a599222SSimon L. B. Nielsen
3586a599222SSimon L. B. Nielsen /* Timer expired, so return true */
3596a599222SSimon L. B. Nielsen return 1;
3606a599222SSimon L. B. Nielsen }
3616a599222SSimon L. B. Nielsen
dtls1_double_timeout(SSL * s)3629a3ae0cdSJung-uk Kim static void dtls1_double_timeout(SSL *s)
3636a599222SSimon L. B. Nielsen {
364e71b7053SJung-uk Kim s->d1->timeout_duration_us *= 2;
365e71b7053SJung-uk Kim if (s->d1->timeout_duration_us > 60000000)
366e71b7053SJung-uk Kim s->d1->timeout_duration_us = 60000000;
3676a599222SSimon L. B. Nielsen }
3686a599222SSimon L. B. Nielsen
dtls1_stop_timer(SSL * s)3696a599222SSimon L. B. Nielsen void dtls1_stop_timer(SSL *s)
3706a599222SSimon L. B. Nielsen {
3716a599222SSimon L. B. Nielsen /* Reset everything */
372b077aed3SPierre Pronchery s->d1->timeout_num_alerts = 0;
373e71b7053SJung-uk Kim memset(&s->d1->next_timeout, 0, sizeof(s->d1->next_timeout));
374e71b7053SJung-uk Kim s->d1->timeout_duration_us = 1000000;
3756f9291ceSJung-uk Kim BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
3766f9291ceSJung-uk Kim &(s->d1->next_timeout));
37712de4ed2SJung-uk Kim /* Clear retransmission buffer */
378aeb5019cSJung-uk Kim dtls1_clear_sent_buffer(s);
37912de4ed2SJung-uk Kim }
38012de4ed2SJung-uk Kim
dtls1_check_timeout_num(SSL * s)38112de4ed2SJung-uk Kim int dtls1_check_timeout_num(SSL *s)
38212de4ed2SJung-uk Kim {
383e71b7053SJung-uk Kim size_t mtu;
384751d2991SJung-uk Kim
385b077aed3SPierre Pronchery s->d1->timeout_num_alerts++;
38612de4ed2SJung-uk Kim
38712de4ed2SJung-uk Kim /* Reduce MTU after 2 unsuccessful retransmissions */
388b077aed3SPierre Pronchery if (s->d1->timeout_num_alerts > 2
3896f9291ceSJung-uk Kim && !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) {
3906f9291ceSJung-uk Kim mtu =
391e71b7053SJung-uk Kim BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL);
392751d2991SJung-uk Kim if (mtu < s->d1->mtu)
393751d2991SJung-uk Kim s->d1->mtu = mtu;
39412de4ed2SJung-uk Kim }
39512de4ed2SJung-uk Kim
396b077aed3SPierre Pronchery if (s->d1->timeout_num_alerts > DTLS1_TMO_ALERT_COUNT) {
39712de4ed2SJung-uk Kim /* fail the connection, enough alerts have been sent */
398b077aed3SPierre Pronchery SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_READ_TIMEOUT_EXPIRED);
39912de4ed2SJung-uk Kim return -1;
40012de4ed2SJung-uk Kim }
40112de4ed2SJung-uk Kim
40212de4ed2SJung-uk Kim return 0;
4036a599222SSimon L. B. Nielsen }
4046a599222SSimon L. B. Nielsen
dtls1_handle_timeout(SSL * s)4056a599222SSimon L. B. Nielsen int dtls1_handle_timeout(SSL *s)
4066a599222SSimon L. B. Nielsen {
4076a599222SSimon L. B. Nielsen /* if no timer is expired, don't do anything */
4086f9291ceSJung-uk Kim if (!dtls1_is_timer_expired(s)) {
4096a599222SSimon L. B. Nielsen return 0;
4106a599222SSimon L. B. Nielsen }
4116a599222SSimon L. B. Nielsen
412e71b7053SJung-uk Kim if (s->d1->timer_cb != NULL)
413e71b7053SJung-uk Kim s->d1->timeout_duration_us = s->d1->timer_cb(s, s->d1->timeout_duration_us);
414e71b7053SJung-uk Kim else
4156a599222SSimon L. B. Nielsen dtls1_double_timeout(s);
4166a599222SSimon L. B. Nielsen
417e71b7053SJung-uk Kim if (dtls1_check_timeout_num(s) < 0) {
418e71b7053SJung-uk Kim /* SSLfatal() already called */
41912de4ed2SJung-uk Kim return -1;
420e71b7053SJung-uk Kim }
42112de4ed2SJung-uk Kim
4226a599222SSimon L. B. Nielsen dtls1_start_timer(s);
423e71b7053SJung-uk Kim /* Calls SSLfatal() if required */
4246a599222SSimon L. B. Nielsen return dtls1_retransmit_buffered_messages(s);
4256a599222SSimon L. B. Nielsen }
4266a599222SSimon L. B. Nielsen
get_current_time(struct timeval * t)4276a599222SSimon L. B. Nielsen static void get_current_time(struct timeval *t)
4286a599222SSimon L. B. Nielsen {
4297bded2dbSJung-uk Kim #if defined(_WIN32)
4307bded2dbSJung-uk Kim SYSTEMTIME st;
4317bded2dbSJung-uk Kim union {
4327bded2dbSJung-uk Kim unsigned __int64 ul;
4337bded2dbSJung-uk Kim FILETIME ft;
4347bded2dbSJung-uk Kim } now;
4357bded2dbSJung-uk Kim
4367bded2dbSJung-uk Kim GetSystemTime(&st);
4377bded2dbSJung-uk Kim SystemTimeToFileTime(&st, &now.ft);
438e71b7053SJung-uk Kim /* re-bias to 1/1/1970 */
4397bded2dbSJung-uk Kim # ifdef __MINGW32__
4407bded2dbSJung-uk Kim now.ul -= 116444736000000000ULL;
4417bded2dbSJung-uk Kim # else
442e71b7053SJung-uk Kim /* *INDENT-OFF* */
443e71b7053SJung-uk Kim now.ul -= 116444736000000000UI64;
444e71b7053SJung-uk Kim /* *INDENT-ON* */
4457bded2dbSJung-uk Kim # endif
4467bded2dbSJung-uk Kim t->tv_sec = (long)(now.ul / 10000000);
4477bded2dbSJung-uk Kim t->tv_usec = ((int)(now.ul % 10000000)) / 10;
4486a599222SSimon L. B. Nielsen #else
4496a599222SSimon L. B. Nielsen gettimeofday(t, NULL);
4506a599222SSimon L. B. Nielsen #endif
4516a599222SSimon L. B. Nielsen }
4526a599222SSimon L. B. Nielsen
453e71b7053SJung-uk Kim #define LISTEN_SUCCESS 2
454e71b7053SJung-uk Kim #define LISTEN_SEND_VERIFY_REQUEST 1
455e71b7053SJung-uk Kim
456e71b7053SJung-uk Kim #ifndef OPENSSL_NO_SOCK
DTLSv1_listen(SSL * s,BIO_ADDR * client)457e71b7053SJung-uk Kim int DTLSv1_listen(SSL *s, BIO_ADDR *client)
4586a599222SSimon L. B. Nielsen {
459c9cf7b5cSJung-uk Kim int next, n, ret = 0;
460e71b7053SJung-uk Kim unsigned char cookie[DTLS1_COOKIE_LENGTH];
461e71b7053SJung-uk Kim unsigned char seq[SEQ_NUM_SIZE];
462e71b7053SJung-uk Kim const unsigned char *data;
463c9cf7b5cSJung-uk Kim unsigned char *buf, *wbuf;
464c9cf7b5cSJung-uk Kim size_t fragoff, fraglen, msglen, reclen, align = 0;
465e71b7053SJung-uk Kim unsigned int rectype, versmajor, msgseq, msgtype, clientvers, cookielen;
466e71b7053SJung-uk Kim BIO *rbio, *wbio;
467e71b7053SJung-uk Kim BIO_ADDR *tmpclient = NULL;
468e71b7053SJung-uk Kim PACKET pkt, msgpkt, msgpayload, session, cookiepkt;
469e71b7053SJung-uk Kim
470e71b7053SJung-uk Kim if (s->handshake_func == NULL) {
471e71b7053SJung-uk Kim /* Not properly initialized yet */
472e71b7053SJung-uk Kim SSL_set_accept_state(s);
473e71b7053SJung-uk Kim }
4746a599222SSimon L. B. Nielsen
475ed6b93beSJung-uk Kim /* Ensure there is no state left over from a previous invocation */
476e71b7053SJung-uk Kim if (!SSL_clear(s))
477e71b7053SJung-uk Kim return -1;
478ed6b93beSJung-uk Kim
479e71b7053SJung-uk Kim ERR_clear_error();
480e71b7053SJung-uk Kim
481e71b7053SJung-uk Kim rbio = SSL_get_rbio(s);
482e71b7053SJung-uk Kim wbio = SSL_get_wbio(s);
483e71b7053SJung-uk Kim
484e71b7053SJung-uk Kim if (!rbio || !wbio) {
485b077aed3SPierre Pronchery ERR_raise(ERR_LIB_SSL, SSL_R_BIO_NOT_SET);
486e71b7053SJung-uk Kim return -1;
487e71b7053SJung-uk Kim }
488e71b7053SJung-uk Kim
489e71b7053SJung-uk Kim /*
490e71b7053SJung-uk Kim * Note: This check deliberately excludes DTLS1_BAD_VER because that version
491e71b7053SJung-uk Kim * requires the MAC to be calculated *including* the first ClientHello
492e71b7053SJung-uk Kim * (without the cookie). Since DTLSv1_listen is stateless that cannot be
493e71b7053SJung-uk Kim * supported. DTLS1_BAD_VER must use cookies in a stateful manner (e.g. via
494e71b7053SJung-uk Kim * SSL_accept)
495e71b7053SJung-uk Kim */
496e71b7053SJung-uk Kim if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) {
497b077aed3SPierre Pronchery ERR_raise(ERR_LIB_SSL, SSL_R_UNSUPPORTED_SSL_VERSION);
498e71b7053SJung-uk Kim return -1;
499e71b7053SJung-uk Kim }
500e71b7053SJung-uk Kim
501c9cf7b5cSJung-uk Kim if (!ssl3_setup_buffers(s)) {
502b077aed3SPierre Pronchery /* ERR_raise() already called */
503e71b7053SJung-uk Kim return -1;
504e71b7053SJung-uk Kim }
505c9cf7b5cSJung-uk Kim buf = RECORD_LAYER_get_rbuf(&s->rlayer)->buf;
506c9cf7b5cSJung-uk Kim wbuf = RECORD_LAYER_get_wbuf(&s->rlayer)[0].buf;
507c9cf7b5cSJung-uk Kim #if defined(SSL3_ALIGN_PAYLOAD)
508c9cf7b5cSJung-uk Kim # if SSL3_ALIGN_PAYLOAD != 0
509c9cf7b5cSJung-uk Kim /*
510c9cf7b5cSJung-uk Kim * Using SSL3_RT_HEADER_LENGTH here instead of DTLS1_RT_HEADER_LENGTH for
511c9cf7b5cSJung-uk Kim * consistency with ssl3_read_n. In practice it should make no difference
512c9cf7b5cSJung-uk Kim * for sensible values of SSL3_ALIGN_PAYLOAD because the difference between
513c9cf7b5cSJung-uk Kim * SSL3_RT_HEADER_LENGTH and DTLS1_RT_HEADER_LENGTH is exactly 8
514c9cf7b5cSJung-uk Kim */
515c9cf7b5cSJung-uk Kim align = (size_t)buf + SSL3_RT_HEADER_LENGTH;
516c9cf7b5cSJung-uk Kim align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD);
517c9cf7b5cSJung-uk Kim # endif
518c9cf7b5cSJung-uk Kim #endif
519c9cf7b5cSJung-uk Kim buf += align;
520e71b7053SJung-uk Kim
521e71b7053SJung-uk Kim do {
522e71b7053SJung-uk Kim /* Get a packet */
523e71b7053SJung-uk Kim
524e71b7053SJung-uk Kim clear_sys_error();
525c9cf7b5cSJung-uk Kim n = BIO_read(rbio, buf, SSL3_RT_MAX_PLAIN_LENGTH
526c9cf7b5cSJung-uk Kim + DTLS1_RT_HEADER_LENGTH);
527e71b7053SJung-uk Kim if (n <= 0) {
528e71b7053SJung-uk Kim if (BIO_should_retry(rbio)) {
529e71b7053SJung-uk Kim /* Non-blocking IO */
530e71b7053SJung-uk Kim goto end;
531e71b7053SJung-uk Kim }
532e71b7053SJung-uk Kim return -1;
533e71b7053SJung-uk Kim }
534e71b7053SJung-uk Kim
535e71b7053SJung-uk Kim if (!PACKET_buf_init(&pkt, buf, n)) {
536b077aed3SPierre Pronchery ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
537e71b7053SJung-uk Kim return -1;
538e71b7053SJung-uk Kim }
539e71b7053SJung-uk Kim
540e71b7053SJung-uk Kim /*
541e71b7053SJung-uk Kim * Parse the received record. If there are any problems with it we just
542e71b7053SJung-uk Kim * dump it - with no alert. RFC6347 says this "Unlike TLS, DTLS is
543e71b7053SJung-uk Kim * resilient in the face of invalid records (e.g., invalid formatting,
544e71b7053SJung-uk Kim * length, MAC, etc.). In general, invalid records SHOULD be silently
545e71b7053SJung-uk Kim * discarded, thus preserving the association; however, an error MAY be
546e71b7053SJung-uk Kim * logged for diagnostic purposes."
547e71b7053SJung-uk Kim */
548e71b7053SJung-uk Kim
549e71b7053SJung-uk Kim /* this packet contained a partial record, dump it */
550e71b7053SJung-uk Kim if (n < DTLS1_RT_HEADER_LENGTH) {
551b077aed3SPierre Pronchery ERR_raise(ERR_LIB_SSL, SSL_R_RECORD_TOO_SMALL);
552e71b7053SJung-uk Kim goto end;
553e71b7053SJung-uk Kim }
554e71b7053SJung-uk Kim
555e71b7053SJung-uk Kim if (s->msg_callback)
556e71b7053SJung-uk Kim s->msg_callback(0, 0, SSL3_RT_HEADER, buf,
557e71b7053SJung-uk Kim DTLS1_RT_HEADER_LENGTH, s, s->msg_callback_arg);
558e71b7053SJung-uk Kim
559e71b7053SJung-uk Kim /* Get the record header */
560e71b7053SJung-uk Kim if (!PACKET_get_1(&pkt, &rectype)
561e71b7053SJung-uk Kim || !PACKET_get_1(&pkt, &versmajor)) {
562b077aed3SPierre Pronchery ERR_raise(ERR_LIB_SSL, SSL_R_LENGTH_MISMATCH);
563e71b7053SJung-uk Kim goto end;
564e71b7053SJung-uk Kim }
565e71b7053SJung-uk Kim
566e71b7053SJung-uk Kim if (rectype != SSL3_RT_HANDSHAKE) {
567b077aed3SPierre Pronchery ERR_raise(ERR_LIB_SSL, SSL_R_UNEXPECTED_MESSAGE);
568e71b7053SJung-uk Kim goto end;
569e71b7053SJung-uk Kim }
570e71b7053SJung-uk Kim
571e71b7053SJung-uk Kim /*
572e71b7053SJung-uk Kim * Check record version number. We only check that the major version is
573e71b7053SJung-uk Kim * the same.
574e71b7053SJung-uk Kim */
575e71b7053SJung-uk Kim if (versmajor != DTLS1_VERSION_MAJOR) {
576b077aed3SPierre Pronchery ERR_raise(ERR_LIB_SSL, SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
577e71b7053SJung-uk Kim goto end;
578e71b7053SJung-uk Kim }
579e71b7053SJung-uk Kim
580e71b7053SJung-uk Kim if (!PACKET_forward(&pkt, 1)
581e71b7053SJung-uk Kim /* Save the sequence number: 64 bits, with top 2 bytes = epoch */
582e71b7053SJung-uk Kim || !PACKET_copy_bytes(&pkt, seq, SEQ_NUM_SIZE)
583e71b7053SJung-uk Kim || !PACKET_get_length_prefixed_2(&pkt, &msgpkt)) {
584b077aed3SPierre Pronchery ERR_raise(ERR_LIB_SSL, SSL_R_LENGTH_MISMATCH);
585e71b7053SJung-uk Kim goto end;
586e71b7053SJung-uk Kim }
587c9cf7b5cSJung-uk Kim reclen = PACKET_remaining(&msgpkt);
588e71b7053SJung-uk Kim /*
589e71b7053SJung-uk Kim * We allow data remaining at the end of the packet because there could
590e71b7053SJung-uk Kim * be a second record (but we ignore it)
591e71b7053SJung-uk Kim */
592e71b7053SJung-uk Kim
593e71b7053SJung-uk Kim /* This is an initial ClientHello so the epoch has to be 0 */
594e71b7053SJung-uk Kim if (seq[0] != 0 || seq[1] != 0) {
595b077aed3SPierre Pronchery ERR_raise(ERR_LIB_SSL, SSL_R_UNEXPECTED_MESSAGE);
596e71b7053SJung-uk Kim goto end;
597e71b7053SJung-uk Kim }
598e71b7053SJung-uk Kim
599e71b7053SJung-uk Kim /* Get a pointer to the raw message for the later callback */
600e71b7053SJung-uk Kim data = PACKET_data(&msgpkt);
601e71b7053SJung-uk Kim
602e71b7053SJung-uk Kim /* Finished processing the record header, now process the message */
603e71b7053SJung-uk Kim if (!PACKET_get_1(&msgpkt, &msgtype)
604e71b7053SJung-uk Kim || !PACKET_get_net_3_len(&msgpkt, &msglen)
605e71b7053SJung-uk Kim || !PACKET_get_net_2(&msgpkt, &msgseq)
606e71b7053SJung-uk Kim || !PACKET_get_net_3_len(&msgpkt, &fragoff)
607e71b7053SJung-uk Kim || !PACKET_get_net_3_len(&msgpkt, &fraglen)
608e71b7053SJung-uk Kim || !PACKET_get_sub_packet(&msgpkt, &msgpayload, fraglen)
609e71b7053SJung-uk Kim || PACKET_remaining(&msgpkt) != 0) {
610b077aed3SPierre Pronchery ERR_raise(ERR_LIB_SSL, SSL_R_LENGTH_MISMATCH);
611e71b7053SJung-uk Kim goto end;
612e71b7053SJung-uk Kim }
613e71b7053SJung-uk Kim
614e71b7053SJung-uk Kim if (msgtype != SSL3_MT_CLIENT_HELLO) {
615b077aed3SPierre Pronchery ERR_raise(ERR_LIB_SSL, SSL_R_UNEXPECTED_MESSAGE);
616e71b7053SJung-uk Kim goto end;
617e71b7053SJung-uk Kim }
618e71b7053SJung-uk Kim
619e71b7053SJung-uk Kim /* Message sequence number can only be 0 or 1 */
620e71b7053SJung-uk Kim if (msgseq > 2) {
621b077aed3SPierre Pronchery ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_SEQUENCE_NUMBER);
622e71b7053SJung-uk Kim goto end;
623e71b7053SJung-uk Kim }
624e71b7053SJung-uk Kim
625e71b7053SJung-uk Kim /*
626e71b7053SJung-uk Kim * We don't support fragment reassembly for ClientHellos whilst
627e71b7053SJung-uk Kim * listening because that would require server side state (which is
628e71b7053SJung-uk Kim * against the whole point of the ClientHello/HelloVerifyRequest
629e71b7053SJung-uk Kim * mechanism). Instead we only look at the first ClientHello fragment
630e71b7053SJung-uk Kim * and require that the cookie must be contained within it.
631e71b7053SJung-uk Kim */
632e71b7053SJung-uk Kim if (fragoff != 0 || fraglen > msglen) {
633e71b7053SJung-uk Kim /* Non initial ClientHello fragment (or bad fragment) */
634b077aed3SPierre Pronchery ERR_raise(ERR_LIB_SSL, SSL_R_FRAGMENTED_CLIENT_HELLO);
635e71b7053SJung-uk Kim goto end;
636e71b7053SJung-uk Kim }
637e71b7053SJung-uk Kim
638e71b7053SJung-uk Kim if (s->msg_callback)
639e71b7053SJung-uk Kim s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, data,
640e71b7053SJung-uk Kim fraglen + DTLS1_HM_HEADER_LENGTH, s,
641e71b7053SJung-uk Kim s->msg_callback_arg);
642e71b7053SJung-uk Kim
643e71b7053SJung-uk Kim if (!PACKET_get_net_2(&msgpayload, &clientvers)) {
644b077aed3SPierre Pronchery ERR_raise(ERR_LIB_SSL, SSL_R_LENGTH_MISMATCH);
645e71b7053SJung-uk Kim goto end;
646e71b7053SJung-uk Kim }
647e71b7053SJung-uk Kim
648e71b7053SJung-uk Kim /*
649e71b7053SJung-uk Kim * Verify client version is supported
650e71b7053SJung-uk Kim */
651e71b7053SJung-uk Kim if (DTLS_VERSION_LT(clientvers, (unsigned int)s->method->version) &&
652e71b7053SJung-uk Kim s->method->version != DTLS_ANY_VERSION) {
653b077aed3SPierre Pronchery ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_VERSION_NUMBER);
654e71b7053SJung-uk Kim goto end;
655e71b7053SJung-uk Kim }
656e71b7053SJung-uk Kim
657e71b7053SJung-uk Kim if (!PACKET_forward(&msgpayload, SSL3_RANDOM_SIZE)
658e71b7053SJung-uk Kim || !PACKET_get_length_prefixed_1(&msgpayload, &session)
659e71b7053SJung-uk Kim || !PACKET_get_length_prefixed_1(&msgpayload, &cookiepkt)) {
660e71b7053SJung-uk Kim /*
661e71b7053SJung-uk Kim * Could be malformed or the cookie does not fit within the initial
662e71b7053SJung-uk Kim * ClientHello fragment. Either way we can't handle it.
663e71b7053SJung-uk Kim */
664b077aed3SPierre Pronchery ERR_raise(ERR_LIB_SSL, SSL_R_LENGTH_MISMATCH);
665e71b7053SJung-uk Kim goto end;
666e71b7053SJung-uk Kim }
667e71b7053SJung-uk Kim
668e71b7053SJung-uk Kim /*
669e71b7053SJung-uk Kim * Check if we have a cookie or not. If not we need to send a
670e71b7053SJung-uk Kim * HelloVerifyRequest.
671e71b7053SJung-uk Kim */
672e71b7053SJung-uk Kim if (PACKET_remaining(&cookiepkt) == 0) {
673e71b7053SJung-uk Kim next = LISTEN_SEND_VERIFY_REQUEST;
674e71b7053SJung-uk Kim } else {
675e71b7053SJung-uk Kim /*
676e71b7053SJung-uk Kim * We have a cookie, so lets check it.
677e71b7053SJung-uk Kim */
678e71b7053SJung-uk Kim if (s->ctx->app_verify_cookie_cb == NULL) {
679b077aed3SPierre Pronchery ERR_raise(ERR_LIB_SSL, SSL_R_NO_VERIFY_COOKIE_CALLBACK);
680e71b7053SJung-uk Kim /* This is fatal */
681e71b7053SJung-uk Kim return -1;
682e71b7053SJung-uk Kim }
683e71b7053SJung-uk Kim if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&cookiepkt),
684e71b7053SJung-uk Kim (unsigned int)PACKET_remaining(&cookiepkt)) == 0) {
685e71b7053SJung-uk Kim /*
686e71b7053SJung-uk Kim * We treat invalid cookies in the same was as no cookie as
687e71b7053SJung-uk Kim * per RFC6347
688e71b7053SJung-uk Kim */
689e71b7053SJung-uk Kim next = LISTEN_SEND_VERIFY_REQUEST;
690e71b7053SJung-uk Kim } else {
691e71b7053SJung-uk Kim /* Cookie verification succeeded */
692e71b7053SJung-uk Kim next = LISTEN_SUCCESS;
693e71b7053SJung-uk Kim }
694e71b7053SJung-uk Kim }
695e71b7053SJung-uk Kim
696e71b7053SJung-uk Kim if (next == LISTEN_SEND_VERIFY_REQUEST) {
697e71b7053SJung-uk Kim WPACKET wpkt;
698e71b7053SJung-uk Kim unsigned int version;
699e71b7053SJung-uk Kim size_t wreclen;
700e71b7053SJung-uk Kim
701e71b7053SJung-uk Kim /*
702e71b7053SJung-uk Kim * There was no cookie in the ClientHello so we need to send a
703e71b7053SJung-uk Kim * HelloVerifyRequest. If this fails we do not worry about trying
704e71b7053SJung-uk Kim * to resend, we just drop it.
705e71b7053SJung-uk Kim */
706e71b7053SJung-uk Kim
707e71b7053SJung-uk Kim /* Generate the cookie */
708e71b7053SJung-uk Kim if (s->ctx->app_gen_cookie_cb == NULL ||
709e71b7053SJung-uk Kim s->ctx->app_gen_cookie_cb(s, cookie, &cookielen) == 0 ||
710e71b7053SJung-uk Kim cookielen > 255) {
711b077aed3SPierre Pronchery ERR_raise(ERR_LIB_SSL, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
712e71b7053SJung-uk Kim /* This is fatal */
713e71b7053SJung-uk Kim return -1;
714e71b7053SJung-uk Kim }
715e71b7053SJung-uk Kim
716e71b7053SJung-uk Kim /*
717e71b7053SJung-uk Kim * Special case: for hello verify request, client version 1.0 and we
718e71b7053SJung-uk Kim * haven't decided which version to use yet send back using version
719e71b7053SJung-uk Kim * 1.0 header: otherwise some clients will ignore it.
720e71b7053SJung-uk Kim */
721e71b7053SJung-uk Kim version = (s->method->version == DTLS_ANY_VERSION) ? DTLS1_VERSION
722e71b7053SJung-uk Kim : s->version;
723e71b7053SJung-uk Kim
724e71b7053SJung-uk Kim /* Construct the record and message headers */
725c9cf7b5cSJung-uk Kim if (!WPACKET_init_static_len(&wpkt,
726c9cf7b5cSJung-uk Kim wbuf,
727c9cf7b5cSJung-uk Kim ssl_get_max_send_fragment(s)
728c9cf7b5cSJung-uk Kim + DTLS1_RT_HEADER_LENGTH,
729c9cf7b5cSJung-uk Kim 0)
730e71b7053SJung-uk Kim || !WPACKET_put_bytes_u8(&wpkt, SSL3_RT_HANDSHAKE)
731e71b7053SJung-uk Kim || !WPACKET_put_bytes_u16(&wpkt, version)
732e71b7053SJung-uk Kim /*
733e71b7053SJung-uk Kim * Record sequence number is always the same as in the
734e71b7053SJung-uk Kim * received ClientHello
735e71b7053SJung-uk Kim */
736e71b7053SJung-uk Kim || !WPACKET_memcpy(&wpkt, seq, SEQ_NUM_SIZE)
737e71b7053SJung-uk Kim /* End of record, start sub packet for message */
738e71b7053SJung-uk Kim || !WPACKET_start_sub_packet_u16(&wpkt)
739e71b7053SJung-uk Kim /* Message type */
740e71b7053SJung-uk Kim || !WPACKET_put_bytes_u8(&wpkt,
741e71b7053SJung-uk Kim DTLS1_MT_HELLO_VERIFY_REQUEST)
742e71b7053SJung-uk Kim /*
743e71b7053SJung-uk Kim * Message length - doesn't follow normal TLS convention:
744e71b7053SJung-uk Kim * the length isn't the last thing in the message header.
745e71b7053SJung-uk Kim * We'll need to fill this in later when we know the
746e71b7053SJung-uk Kim * length. Set it to zero for now
747e71b7053SJung-uk Kim */
748e71b7053SJung-uk Kim || !WPACKET_put_bytes_u24(&wpkt, 0)
749e71b7053SJung-uk Kim /*
750e71b7053SJung-uk Kim * Message sequence number is always 0 for a
751e71b7053SJung-uk Kim * HelloVerifyRequest
752e71b7053SJung-uk Kim */
753e71b7053SJung-uk Kim || !WPACKET_put_bytes_u16(&wpkt, 0)
754e71b7053SJung-uk Kim /*
755e71b7053SJung-uk Kim * We never fragment a HelloVerifyRequest, so fragment
756e71b7053SJung-uk Kim * offset is 0
757e71b7053SJung-uk Kim */
758e71b7053SJung-uk Kim || !WPACKET_put_bytes_u24(&wpkt, 0)
759e71b7053SJung-uk Kim /*
760e71b7053SJung-uk Kim * Fragment length is the same as message length, but
761e71b7053SJung-uk Kim * this *is* the last thing in the message header so we
762e71b7053SJung-uk Kim * can just start a sub-packet. No need to come back
763e71b7053SJung-uk Kim * later for this one.
764e71b7053SJung-uk Kim */
765e71b7053SJung-uk Kim || !WPACKET_start_sub_packet_u24(&wpkt)
766e71b7053SJung-uk Kim /* Create the actual HelloVerifyRequest body */
767e71b7053SJung-uk Kim || !dtls_raw_hello_verify_request(&wpkt, cookie, cookielen)
768e71b7053SJung-uk Kim /* Close message body */
769e71b7053SJung-uk Kim || !WPACKET_close(&wpkt)
770e71b7053SJung-uk Kim /* Close record body */
771e71b7053SJung-uk Kim || !WPACKET_close(&wpkt)
772e71b7053SJung-uk Kim || !WPACKET_get_total_written(&wpkt, &wreclen)
773e71b7053SJung-uk Kim || !WPACKET_finish(&wpkt)) {
774b077aed3SPierre Pronchery ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
775e71b7053SJung-uk Kim WPACKET_cleanup(&wpkt);
776e71b7053SJung-uk Kim /* This is fatal */
777e71b7053SJung-uk Kim return -1;
778e71b7053SJung-uk Kim }
779e71b7053SJung-uk Kim
780e71b7053SJung-uk Kim /*
781e71b7053SJung-uk Kim * Fix up the message len in the message header. Its the same as the
782e71b7053SJung-uk Kim * fragment len which has been filled in by WPACKET, so just copy
783e71b7053SJung-uk Kim * that. Destination for the message len is after the record header
784e71b7053SJung-uk Kim * plus one byte for the message content type. The source is the
785e71b7053SJung-uk Kim * last 3 bytes of the message header
786e71b7053SJung-uk Kim */
787c9cf7b5cSJung-uk Kim memcpy(&wbuf[DTLS1_RT_HEADER_LENGTH + 1],
788c9cf7b5cSJung-uk Kim &wbuf[DTLS1_RT_HEADER_LENGTH + DTLS1_HM_HEADER_LENGTH - 3],
789e71b7053SJung-uk Kim 3);
790e71b7053SJung-uk Kim
791e71b7053SJung-uk Kim if (s->msg_callback)
792e71b7053SJung-uk Kim s->msg_callback(1, 0, SSL3_RT_HEADER, buf,
793e71b7053SJung-uk Kim DTLS1_RT_HEADER_LENGTH, s, s->msg_callback_arg);
794e71b7053SJung-uk Kim
795e71b7053SJung-uk Kim if ((tmpclient = BIO_ADDR_new()) == NULL) {
796b077aed3SPierre Pronchery ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
797e71b7053SJung-uk Kim goto end;
798e71b7053SJung-uk Kim }
799e71b7053SJung-uk Kim
800e71b7053SJung-uk Kim /*
801e71b7053SJung-uk Kim * This is unnecessary if rbio and wbio are one and the same - but
802e71b7053SJung-uk Kim * maybe they're not. We ignore errors here - some BIOs do not
803e71b7053SJung-uk Kim * support this.
804e71b7053SJung-uk Kim */
805e71b7053SJung-uk Kim if (BIO_dgram_get_peer(rbio, tmpclient) > 0) {
806e71b7053SJung-uk Kim (void)BIO_dgram_set_peer(wbio, tmpclient);
807e71b7053SJung-uk Kim }
808e71b7053SJung-uk Kim BIO_ADDR_free(tmpclient);
809e71b7053SJung-uk Kim tmpclient = NULL;
810e71b7053SJung-uk Kim
811c9cf7b5cSJung-uk Kim if (BIO_write(wbio, wbuf, wreclen) < (int)wreclen) {
812e71b7053SJung-uk Kim if (BIO_should_retry(wbio)) {
813e71b7053SJung-uk Kim /*
814e71b7053SJung-uk Kim * Non-blocking IO...but we're stateless, so we're just
815e71b7053SJung-uk Kim * going to drop this packet.
816e71b7053SJung-uk Kim */
817e71b7053SJung-uk Kim goto end;
818e71b7053SJung-uk Kim }
819e71b7053SJung-uk Kim return -1;
820e71b7053SJung-uk Kim }
821e71b7053SJung-uk Kim
822e71b7053SJung-uk Kim if (BIO_flush(wbio) <= 0) {
823e71b7053SJung-uk Kim if (BIO_should_retry(wbio)) {
824e71b7053SJung-uk Kim /*
825e71b7053SJung-uk Kim * Non-blocking IO...but we're stateless, so we're just
826e71b7053SJung-uk Kim * going to drop this packet.
827e71b7053SJung-uk Kim */
828e71b7053SJung-uk Kim goto end;
829e71b7053SJung-uk Kim }
830e71b7053SJung-uk Kim return -1;
831e71b7053SJung-uk Kim }
832e71b7053SJung-uk Kim }
833e71b7053SJung-uk Kim } while (next != LISTEN_SUCCESS);
834e71b7053SJung-uk Kim
835e71b7053SJung-uk Kim /*
836e71b7053SJung-uk Kim * Set expected sequence numbers to continue the handshake.
837e71b7053SJung-uk Kim */
838e71b7053SJung-uk Kim s->d1->handshake_read_seq = 1;
839e71b7053SJung-uk Kim s->d1->handshake_write_seq = 1;
840e71b7053SJung-uk Kim s->d1->next_handshake_write_seq = 1;
841e71b7053SJung-uk Kim DTLS_RECORD_LAYER_set_write_sequence(&s->rlayer, seq);
842e71b7053SJung-uk Kim
843e71b7053SJung-uk Kim /*
844e71b7053SJung-uk Kim * We are doing cookie exchange, so make sure we set that option in the
845e71b7053SJung-uk Kim * SSL object
846e71b7053SJung-uk Kim */
8476a599222SSimon L. B. Nielsen SSL_set_options(s, SSL_OP_COOKIE_EXCHANGE);
8486a599222SSimon L. B. Nielsen
849e71b7053SJung-uk Kim /*
850e71b7053SJung-uk Kim * Tell the state machine that we've done the initial hello verify
851e71b7053SJung-uk Kim * exchange
852e71b7053SJung-uk Kim */
853e71b7053SJung-uk Kim ossl_statem_set_hello_verify_done(s);
854e71b7053SJung-uk Kim
855e71b7053SJung-uk Kim /*
856e71b7053SJung-uk Kim * Some BIOs may not support this. If we fail we clear the client address
857e71b7053SJung-uk Kim */
858e71b7053SJung-uk Kim if (BIO_dgram_get_peer(rbio, client) <= 0)
859e71b7053SJung-uk Kim BIO_ADDR_clear(client);
860e71b7053SJung-uk Kim
861c9cf7b5cSJung-uk Kim /* Buffer the record in the processed_rcds queue */
862c9cf7b5cSJung-uk Kim if (!dtls_buffer_listen_record(s, reclen, seq, align))
863c9cf7b5cSJung-uk Kim return -1;
864c9cf7b5cSJung-uk Kim
865e71b7053SJung-uk Kim ret = 1;
866e71b7053SJung-uk Kim end:
867e71b7053SJung-uk Kim BIO_ADDR_free(tmpclient);
8686f9291ceSJung-uk Kim return ret;
8696a599222SSimon L. B. Nielsen }
870e71b7053SJung-uk Kim #endif
8717bded2dbSJung-uk Kim
dtls1_handshake_write(SSL * s)8727bded2dbSJung-uk Kim static int dtls1_handshake_write(SSL *s)
8737bded2dbSJung-uk Kim {
8747bded2dbSJung-uk Kim return dtls1_do_write(s, SSL3_RT_HANDSHAKE);
8757bded2dbSJung-uk Kim }
876e71b7053SJung-uk Kim
dtls1_shutdown(SSL * s)877e71b7053SJung-uk Kim int dtls1_shutdown(SSL *s)
878e71b7053SJung-uk Kim {
879e71b7053SJung-uk Kim int ret;
880e71b7053SJung-uk Kim #ifndef OPENSSL_NO_SCTP
881e71b7053SJung-uk Kim BIO *wbio;
882e71b7053SJung-uk Kim
883e71b7053SJung-uk Kim wbio = SSL_get_wbio(s);
884e71b7053SJung-uk Kim if (wbio != NULL && BIO_dgram_is_sctp(wbio) &&
885e71b7053SJung-uk Kim !(s->shutdown & SSL_SENT_SHUTDOWN)) {
886e71b7053SJung-uk Kim ret = BIO_dgram_sctp_wait_for_dry(wbio);
887e71b7053SJung-uk Kim if (ret < 0)
888e71b7053SJung-uk Kim return -1;
889e71b7053SJung-uk Kim
890e71b7053SJung-uk Kim if (ret == 0)
891e71b7053SJung-uk Kim BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN, 1,
892e71b7053SJung-uk Kim NULL);
893e71b7053SJung-uk Kim }
894e71b7053SJung-uk Kim #endif
895e71b7053SJung-uk Kim ret = ssl3_shutdown(s);
896e71b7053SJung-uk Kim #ifndef OPENSSL_NO_SCTP
897e71b7053SJung-uk Kim BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN, 0, NULL);
898e71b7053SJung-uk Kim #endif
899e71b7053SJung-uk Kim return ret;
900e71b7053SJung-uk Kim }
901e71b7053SJung-uk Kim
dtls1_query_mtu(SSL * s)902e71b7053SJung-uk Kim int dtls1_query_mtu(SSL *s)
903e71b7053SJung-uk Kim {
904e71b7053SJung-uk Kim if (s->d1->link_mtu) {
905e71b7053SJung-uk Kim s->d1->mtu =
906e71b7053SJung-uk Kim s->d1->link_mtu - BIO_dgram_get_mtu_overhead(SSL_get_wbio(s));
907e71b7053SJung-uk Kim s->d1->link_mtu = 0;
908e71b7053SJung-uk Kim }
909e71b7053SJung-uk Kim
910e71b7053SJung-uk Kim /* AHA! Figure out the MTU, and stick to the right size */
911e71b7053SJung-uk Kim if (s->d1->mtu < dtls1_min_mtu(s)) {
912e71b7053SJung-uk Kim if (!(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) {
913e71b7053SJung-uk Kim s->d1->mtu =
914e71b7053SJung-uk Kim BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
915e71b7053SJung-uk Kim
916e71b7053SJung-uk Kim /*
917e71b7053SJung-uk Kim * I've seen the kernel return bogus numbers when it doesn't know
918e71b7053SJung-uk Kim * (initial write), so just make sure we have a reasonable number
919e71b7053SJung-uk Kim */
920e71b7053SJung-uk Kim if (s->d1->mtu < dtls1_min_mtu(s)) {
921e71b7053SJung-uk Kim /* Set to min mtu */
922e71b7053SJung-uk Kim s->d1->mtu = dtls1_min_mtu(s);
923e71b7053SJung-uk Kim BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SET_MTU,
924e71b7053SJung-uk Kim (long)s->d1->mtu, NULL);
925e71b7053SJung-uk Kim }
926e71b7053SJung-uk Kim } else
927e71b7053SJung-uk Kim return 0;
928e71b7053SJung-uk Kim }
929e71b7053SJung-uk Kim return 1;
930e71b7053SJung-uk Kim }
931e71b7053SJung-uk Kim
dtls1_link_min_mtu(void)932e71b7053SJung-uk Kim static size_t dtls1_link_min_mtu(void)
933e71b7053SJung-uk Kim {
934e71b7053SJung-uk Kim return (g_probable_mtu[(sizeof(g_probable_mtu) /
935e71b7053SJung-uk Kim sizeof(g_probable_mtu[0])) - 1]);
936e71b7053SJung-uk Kim }
937e71b7053SJung-uk Kim
dtls1_min_mtu(SSL * s)938e71b7053SJung-uk Kim size_t dtls1_min_mtu(SSL *s)
939e71b7053SJung-uk Kim {
940e71b7053SJung-uk Kim return dtls1_link_min_mtu() - BIO_dgram_get_mtu_overhead(SSL_get_wbio(s));
941e71b7053SJung-uk Kim }
942e71b7053SJung-uk Kim
DTLS_get_data_mtu(const SSL * s)943e71b7053SJung-uk Kim size_t DTLS_get_data_mtu(const SSL *s)
944e71b7053SJung-uk Kim {
945e71b7053SJung-uk Kim size_t mac_overhead, int_overhead, blocksize, ext_overhead;
946e71b7053SJung-uk Kim const SSL_CIPHER *ciph = SSL_get_current_cipher(s);
947e71b7053SJung-uk Kim size_t mtu = s->d1->mtu;
948e71b7053SJung-uk Kim
949e71b7053SJung-uk Kim if (ciph == NULL)
950e71b7053SJung-uk Kim return 0;
951e71b7053SJung-uk Kim
952e71b7053SJung-uk Kim if (!ssl_cipher_get_overhead(ciph, &mac_overhead, &int_overhead,
953e71b7053SJung-uk Kim &blocksize, &ext_overhead))
954e71b7053SJung-uk Kim return 0;
955e71b7053SJung-uk Kim
956e71b7053SJung-uk Kim if (SSL_READ_ETM(s))
957e71b7053SJung-uk Kim ext_overhead += mac_overhead;
958e71b7053SJung-uk Kim else
959e71b7053SJung-uk Kim int_overhead += mac_overhead;
960e71b7053SJung-uk Kim
961e71b7053SJung-uk Kim /* Subtract external overhead (e.g. IV/nonce, separate MAC) */
962e71b7053SJung-uk Kim if (ext_overhead + DTLS1_RT_HEADER_LENGTH >= mtu)
963e71b7053SJung-uk Kim return 0;
964e71b7053SJung-uk Kim mtu -= ext_overhead + DTLS1_RT_HEADER_LENGTH;
965e71b7053SJung-uk Kim
966e71b7053SJung-uk Kim /* Round encrypted payload down to cipher block size (for CBC etc.)
967e71b7053SJung-uk Kim * No check for overflow since 'mtu % blocksize' cannot exceed mtu. */
968e71b7053SJung-uk Kim if (blocksize)
969e71b7053SJung-uk Kim mtu -= (mtu % blocksize);
970e71b7053SJung-uk Kim
971e71b7053SJung-uk Kim /* Subtract internal overhead (e.g. CBC padding len byte) */
972e71b7053SJung-uk Kim if (int_overhead >= mtu)
973e71b7053SJung-uk Kim return 0;
974e71b7053SJung-uk Kim mtu -= int_overhead;
975e71b7053SJung-uk Kim
976e71b7053SJung-uk Kim return mtu;
977e71b7053SJung-uk Kim }
978e71b7053SJung-uk Kim
DTLS_set_timer_cb(SSL * s,DTLS_timer_cb cb)979e71b7053SJung-uk Kim void DTLS_set_timer_cb(SSL *s, DTLS_timer_cb cb)
980e71b7053SJung-uk Kim {
981e71b7053SJung-uk Kim s->d1->timer_cb = cb;
982e71b7053SJung-uk Kim }
983