1c9496f6bSchristos /*
2*4724848cSchristos * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved.
3c9496f6bSchristos *
4*4724848cSchristos * Licensed under the OpenSSL license (the "License"). You may not use
5*4724848cSchristos * this file except in compliance with the License. You can obtain a copy
6*4724848cSchristos * in the file LICENSE in the source distribution or at
7*4724848cSchristos * https://www.openssl.org/source/license.html
8c9496f6bSchristos */
9c9496f6bSchristos
10*4724848cSchristos #include "e_os.h"
11c9496f6bSchristos #include <stdio.h>
12c9496f6bSchristos #include <openssl/objects.h>
13*4724848cSchristos #include <openssl/rand.h>
14*4724848cSchristos #include "ssl_local.h"
15c9496f6bSchristos
16c9496f6bSchristos static void get_current_time(struct timeval *t);
17c9496f6bSchristos static int dtls1_handshake_write(SSL *s);
18*4724848cSchristos static size_t dtls1_link_min_mtu(void);
19c9496f6bSchristos
20*4724848cSchristos /* XDTLS: figure out the right values */
21*4724848cSchristos static const size_t g_probable_mtu[] = { 1500, 512, 256 };
22*4724848cSchristos
23*4724848cSchristos const SSL3_ENC_METHOD DTLSv1_enc_data = {
24c9496f6bSchristos tls1_enc,
25c9496f6bSchristos tls1_mac,
26c9496f6bSchristos tls1_setup_key_block,
27c9496f6bSchristos tls1_generate_master_secret,
28c9496f6bSchristos tls1_change_cipher_state,
29c9496f6bSchristos tls1_final_finish_mac,
30c9496f6bSchristos TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
31c9496f6bSchristos TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
32c9496f6bSchristos tls1_alert_code,
33c9496f6bSchristos tls1_export_keying_material,
34c9496f6bSchristos SSL_ENC_FLAG_DTLS | SSL_ENC_FLAG_EXPLICIT_IV,
35c9496f6bSchristos dtls1_set_handshake_header,
36*4724848cSchristos dtls1_close_construct_packet,
37c9496f6bSchristos dtls1_handshake_write
38c9496f6bSchristos };
39c9496f6bSchristos
40*4724848cSchristos const SSL3_ENC_METHOD DTLSv1_2_enc_data = {
41c9496f6bSchristos tls1_enc,
42c9496f6bSchristos tls1_mac,
43c9496f6bSchristos tls1_setup_key_block,
44c9496f6bSchristos tls1_generate_master_secret,
45c9496f6bSchristos tls1_change_cipher_state,
46c9496f6bSchristos tls1_final_finish_mac,
47c9496f6bSchristos TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
48c9496f6bSchristos TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
49c9496f6bSchristos tls1_alert_code,
50c9496f6bSchristos tls1_export_keying_material,
51c9496f6bSchristos SSL_ENC_FLAG_DTLS | SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS
52c9496f6bSchristos | SSL_ENC_FLAG_SHA256_PRF | SSL_ENC_FLAG_TLS1_2_CIPHERS,
53c9496f6bSchristos dtls1_set_handshake_header,
54*4724848cSchristos dtls1_close_construct_packet,
55c9496f6bSchristos dtls1_handshake_write
56c9496f6bSchristos };
57c9496f6bSchristos
dtls1_default_timeout(void)58c9496f6bSchristos long dtls1_default_timeout(void)
59c9496f6bSchristos {
60c9496f6bSchristos /*
61c9496f6bSchristos * 2 hours, the 24 hours mentioned in the DTLSv1 spec is way too long for
62c9496f6bSchristos * http, the cache would over fill
63c9496f6bSchristos */
64c9496f6bSchristos return (60 * 60 * 2);
65c9496f6bSchristos }
66c9496f6bSchristos
dtls1_new(SSL * s)67c9496f6bSchristos int dtls1_new(SSL *s)
68c9496f6bSchristos {
69c9496f6bSchristos DTLS1_STATE *d1;
70c9496f6bSchristos
71*4724848cSchristos if (!DTLS_RECORD_LAYER_new(&s->rlayer)) {
72*4724848cSchristos return 0;
73*4724848cSchristos }
74*4724848cSchristos
75c9496f6bSchristos if (!ssl3_new(s))
76*4724848cSchristos return 0;
77*4724848cSchristos if ((d1 = OPENSSL_zalloc(sizeof(*d1))) == NULL) {
78*4724848cSchristos ssl3_free(s);
79*4724848cSchristos return 0;
80*4724848cSchristos }
81c9496f6bSchristos
82c9496f6bSchristos d1->buffered_messages = pqueue_new();
83c9496f6bSchristos d1->sent_messages = pqueue_new();
84c9496f6bSchristos
85c9496f6bSchristos if (s->server) {
86c9496f6bSchristos d1->cookie_len = sizeof(s->d1->cookie);
87c9496f6bSchristos }
88c9496f6bSchristos
89c9496f6bSchristos d1->link_mtu = 0;
90c9496f6bSchristos d1->mtu = 0;
91c9496f6bSchristos
92*4724848cSchristos if (d1->buffered_messages == NULL || d1->sent_messages == NULL) {
93c9496f6bSchristos pqueue_free(d1->buffered_messages);
94c9496f6bSchristos pqueue_free(d1->sent_messages);
95c9496f6bSchristos OPENSSL_free(d1);
96*4724848cSchristos ssl3_free(s);
97*4724848cSchristos return 0;
98c9496f6bSchristos }
99c9496f6bSchristos
100c9496f6bSchristos s->d1 = d1;
101*4724848cSchristos
102*4724848cSchristos if (!s->method->ssl_clear(s))
103*4724848cSchristos return 0;
104*4724848cSchristos
105*4724848cSchristos return 1;
106c9496f6bSchristos }
107c9496f6bSchristos
dtls1_clear_queues(SSL * s)108c9496f6bSchristos static void dtls1_clear_queues(SSL *s)
109c9496f6bSchristos {
110c9496f6bSchristos dtls1_clear_received_buffer(s);
111c9496f6bSchristos dtls1_clear_sent_buffer(s);
112c9496f6bSchristos }
113c9496f6bSchristos
dtls1_clear_received_buffer(SSL * s)114c9496f6bSchristos void dtls1_clear_received_buffer(SSL *s)
115c9496f6bSchristos {
116c9496f6bSchristos pitem *item = NULL;
117c9496f6bSchristos hm_fragment *frag = NULL;
118c9496f6bSchristos
119c9496f6bSchristos while ((item = pqueue_pop(s->d1->buffered_messages)) != NULL) {
120c9496f6bSchristos frag = (hm_fragment *)item->data;
121c9496f6bSchristos dtls1_hm_fragment_free(frag);
122c9496f6bSchristos pitem_free(item);
123c9496f6bSchristos }
124c9496f6bSchristos }
125c9496f6bSchristos
dtls1_clear_sent_buffer(SSL * s)126c9496f6bSchristos void dtls1_clear_sent_buffer(SSL *s)
127c9496f6bSchristos {
128c9496f6bSchristos pitem *item = NULL;
129c9496f6bSchristos hm_fragment *frag = NULL;
130c9496f6bSchristos
131c9496f6bSchristos while ((item = pqueue_pop(s->d1->sent_messages)) != NULL) {
132c9496f6bSchristos frag = (hm_fragment *)item->data;
133c9496f6bSchristos dtls1_hm_fragment_free(frag);
134c9496f6bSchristos pitem_free(item);
135c9496f6bSchristos }
136c9496f6bSchristos }
137c9496f6bSchristos
138c9496f6bSchristos
dtls1_free(SSL * s)139c9496f6bSchristos void dtls1_free(SSL *s)
140c9496f6bSchristos {
141*4724848cSchristos DTLS_RECORD_LAYER_free(&s->rlayer);
142*4724848cSchristos
143c9496f6bSchristos ssl3_free(s);
144c9496f6bSchristos
145*4724848cSchristos if (s->d1 != NULL) {
146c9496f6bSchristos dtls1_clear_queues(s);
147c9496f6bSchristos pqueue_free(s->d1->buffered_messages);
148c9496f6bSchristos pqueue_free(s->d1->sent_messages);
149*4724848cSchristos }
150c9496f6bSchristos
151c9496f6bSchristos OPENSSL_free(s->d1);
152c9496f6bSchristos s->d1 = NULL;
153c9496f6bSchristos }
154c9496f6bSchristos
dtls1_clear(SSL * s)155*4724848cSchristos int dtls1_clear(SSL *s)
156c9496f6bSchristos {
157*4724848cSchristos pqueue *buffered_messages;
158*4724848cSchristos pqueue *sent_messages;
159*4724848cSchristos size_t mtu;
160*4724848cSchristos size_t link_mtu;
161*4724848cSchristos
162*4724848cSchristos DTLS_RECORD_LAYER_clear(&s->rlayer);
163c9496f6bSchristos
164c9496f6bSchristos if (s->d1) {
165*4724848cSchristos DTLS_timer_cb timer_cb = s->d1->timer_cb;
166*4724848cSchristos
167c9496f6bSchristos buffered_messages = s->d1->buffered_messages;
168c9496f6bSchristos sent_messages = s->d1->sent_messages;
169c9496f6bSchristos mtu = s->d1->mtu;
170c9496f6bSchristos link_mtu = s->d1->link_mtu;
171c9496f6bSchristos
172c9496f6bSchristos dtls1_clear_queues(s);
173c9496f6bSchristos
174*4724848cSchristos memset(s->d1, 0, sizeof(*s->d1));
175*4724848cSchristos
176*4724848cSchristos /* Restore the timer callback from previous state */
177*4724848cSchristos s->d1->timer_cb = timer_cb;
178c9496f6bSchristos
179c9496f6bSchristos if (s->server) {
180c9496f6bSchristos s->d1->cookie_len = sizeof(s->d1->cookie);
181c9496f6bSchristos }
182c9496f6bSchristos
183c9496f6bSchristos if (SSL_get_options(s) & SSL_OP_NO_QUERY_MTU) {
184c9496f6bSchristos s->d1->mtu = mtu;
185c9496f6bSchristos s->d1->link_mtu = link_mtu;
186c9496f6bSchristos }
187c9496f6bSchristos
188c9496f6bSchristos s->d1->buffered_messages = buffered_messages;
189c9496f6bSchristos s->d1->sent_messages = sent_messages;
190c9496f6bSchristos }
191c9496f6bSchristos
192*4724848cSchristos if (!ssl3_clear(s))
193*4724848cSchristos return 0;
194*4724848cSchristos
195*4724848cSchristos if (s->method->version == DTLS_ANY_VERSION)
196*4724848cSchristos s->version = DTLS_MAX_VERSION;
197*4724848cSchristos #ifndef OPENSSL_NO_DTLS1_METHOD
198*4724848cSchristos else if (s->options & SSL_OP_CISCO_ANYCONNECT)
199c9496f6bSchristos s->client_version = s->version = DTLS1_BAD_VER;
200*4724848cSchristos #endif
201c9496f6bSchristos else
202c9496f6bSchristos s->version = s->method->version;
203*4724848cSchristos
204*4724848cSchristos return 1;
205c9496f6bSchristos }
206c9496f6bSchristos
dtls1_ctrl(SSL * s,int cmd,long larg,void * parg)207c9496f6bSchristos long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
208c9496f6bSchristos {
209c9496f6bSchristos int ret = 0;
210c9496f6bSchristos
211c9496f6bSchristos switch (cmd) {
212c9496f6bSchristos case DTLS_CTRL_GET_TIMEOUT:
213c9496f6bSchristos if (dtls1_get_timeout(s, (struct timeval *)parg) != NULL) {
214c9496f6bSchristos ret = 1;
215c9496f6bSchristos }
216c9496f6bSchristos break;
217c9496f6bSchristos case DTLS_CTRL_HANDLE_TIMEOUT:
218c9496f6bSchristos ret = dtls1_handle_timeout(s);
219c9496f6bSchristos break;
220c9496f6bSchristos case DTLS_CTRL_SET_LINK_MTU:
221c9496f6bSchristos if (larg < (long)dtls1_link_min_mtu())
222c9496f6bSchristos return 0;
223c9496f6bSchristos s->d1->link_mtu = larg;
224c9496f6bSchristos return 1;
225c9496f6bSchristos case DTLS_CTRL_GET_LINK_MIN_MTU:
226c9496f6bSchristos return (long)dtls1_link_min_mtu();
227c9496f6bSchristos case SSL_CTRL_SET_MTU:
228c9496f6bSchristos /*
229c9496f6bSchristos * We may not have a BIO set yet so can't call dtls1_min_mtu()
230c9496f6bSchristos * We'll have to make do with dtls1_link_min_mtu() and max overhead
231c9496f6bSchristos */
232c9496f6bSchristos if (larg < (long)dtls1_link_min_mtu() - DTLS1_MAX_MTU_OVERHEAD)
233c9496f6bSchristos return 0;
234c9496f6bSchristos s->d1->mtu = larg;
235c9496f6bSchristos return larg;
236c9496f6bSchristos default:
237c9496f6bSchristos ret = ssl3_ctrl(s, cmd, larg, parg);
238c9496f6bSchristos break;
239c9496f6bSchristos }
240*4724848cSchristos return ret;
241c9496f6bSchristos }
242c9496f6bSchristos
dtls1_start_timer(SSL * s)243c9496f6bSchristos void dtls1_start_timer(SSL *s)
244c9496f6bSchristos {
245*4724848cSchristos unsigned int sec, usec;
246*4724848cSchristos
247c9496f6bSchristos #ifndef OPENSSL_NO_SCTP
248c9496f6bSchristos /* Disable timer for SCTP */
249c9496f6bSchristos if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
250*4724848cSchristos memset(&s->d1->next_timeout, 0, sizeof(s->d1->next_timeout));
251c9496f6bSchristos return;
252c9496f6bSchristos }
253c9496f6bSchristos #endif
254c9496f6bSchristos
255*4724848cSchristos /*
256*4724848cSchristos * If timer is not set, initialize duration with 1 second or
257*4724848cSchristos * a user-specified value if the timer callback is installed.
258*4724848cSchristos */
259c9496f6bSchristos if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) {
260*4724848cSchristos
261*4724848cSchristos if (s->d1->timer_cb != NULL)
262*4724848cSchristos s->d1->timeout_duration_us = s->d1->timer_cb(s, 0);
263*4724848cSchristos else
264*4724848cSchristos s->d1->timeout_duration_us = 1000000;
265c9496f6bSchristos }
266c9496f6bSchristos
267c9496f6bSchristos /* Set timeout to current time */
268c9496f6bSchristos get_current_time(&(s->d1->next_timeout));
269c9496f6bSchristos
270c9496f6bSchristos /* Add duration to current time */
271*4724848cSchristos
272*4724848cSchristos sec = s->d1->timeout_duration_us / 1000000;
273*4724848cSchristos usec = s->d1->timeout_duration_us - (sec * 1000000);
274*4724848cSchristos
275*4724848cSchristos s->d1->next_timeout.tv_sec += sec;
276*4724848cSchristos s->d1->next_timeout.tv_usec += usec;
277*4724848cSchristos
278*4724848cSchristos if (s->d1->next_timeout.tv_usec >= 1000000) {
279*4724848cSchristos s->d1->next_timeout.tv_sec++;
280*4724848cSchristos s->d1->next_timeout.tv_usec -= 1000000;
281*4724848cSchristos }
282*4724848cSchristos
283c9496f6bSchristos BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
284c9496f6bSchristos &(s->d1->next_timeout));
285c9496f6bSchristos }
286c9496f6bSchristos
dtls1_get_timeout(SSL * s,struct timeval * timeleft)287c9496f6bSchristos struct timeval *dtls1_get_timeout(SSL *s, struct timeval *timeleft)
288c9496f6bSchristos {
289c9496f6bSchristos struct timeval timenow;
290c9496f6bSchristos
291c9496f6bSchristos /* If no timeout is set, just return NULL */
292c9496f6bSchristos if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) {
293c9496f6bSchristos return NULL;
294c9496f6bSchristos }
295c9496f6bSchristos
296c9496f6bSchristos /* Get current time */
297c9496f6bSchristos get_current_time(&timenow);
298c9496f6bSchristos
299c9496f6bSchristos /* If timer already expired, set remaining time to 0 */
300c9496f6bSchristos if (s->d1->next_timeout.tv_sec < timenow.tv_sec ||
301c9496f6bSchristos (s->d1->next_timeout.tv_sec == timenow.tv_sec &&
302c9496f6bSchristos s->d1->next_timeout.tv_usec <= timenow.tv_usec)) {
303*4724848cSchristos memset(timeleft, 0, sizeof(*timeleft));
304c9496f6bSchristos return timeleft;
305c9496f6bSchristos }
306c9496f6bSchristos
307c9496f6bSchristos /* Calculate time left until timer expires */
308c9496f6bSchristos memcpy(timeleft, &(s->d1->next_timeout), sizeof(struct timeval));
309c9496f6bSchristos timeleft->tv_sec -= timenow.tv_sec;
310c9496f6bSchristos timeleft->tv_usec -= timenow.tv_usec;
311c9496f6bSchristos if (timeleft->tv_usec < 0) {
312c9496f6bSchristos timeleft->tv_sec--;
313c9496f6bSchristos timeleft->tv_usec += 1000000;
314c9496f6bSchristos }
315c9496f6bSchristos
316c9496f6bSchristos /*
317c9496f6bSchristos * If remaining time is less than 15 ms, set it to 0 to prevent issues
318*4724848cSchristos * because of small divergences with socket timeouts.
319c9496f6bSchristos */
320c9496f6bSchristos if (timeleft->tv_sec == 0 && timeleft->tv_usec < 15000) {
321*4724848cSchristos memset(timeleft, 0, sizeof(*timeleft));
322c9496f6bSchristos }
323c9496f6bSchristos
324c9496f6bSchristos return timeleft;
325c9496f6bSchristos }
326c9496f6bSchristos
dtls1_is_timer_expired(SSL * s)327c9496f6bSchristos int dtls1_is_timer_expired(SSL *s)
328c9496f6bSchristos {
329c9496f6bSchristos struct timeval timeleft;
330c9496f6bSchristos
331c9496f6bSchristos /* Get time left until timeout, return false if no timer running */
332c9496f6bSchristos if (dtls1_get_timeout(s, &timeleft) == NULL) {
333c9496f6bSchristos return 0;
334c9496f6bSchristos }
335c9496f6bSchristos
336c9496f6bSchristos /* Return false if timer is not expired yet */
337c9496f6bSchristos if (timeleft.tv_sec > 0 || timeleft.tv_usec > 0) {
338c9496f6bSchristos return 0;
339c9496f6bSchristos }
340c9496f6bSchristos
341c9496f6bSchristos /* Timer expired, so return true */
342c9496f6bSchristos return 1;
343c9496f6bSchristos }
344c9496f6bSchristos
dtls1_double_timeout(SSL * s)345*4724848cSchristos static void dtls1_double_timeout(SSL *s)
346c9496f6bSchristos {
347*4724848cSchristos s->d1->timeout_duration_us *= 2;
348*4724848cSchristos if (s->d1->timeout_duration_us > 60000000)
349*4724848cSchristos s->d1->timeout_duration_us = 60000000;
350c9496f6bSchristos }
351c9496f6bSchristos
dtls1_stop_timer(SSL * s)352c9496f6bSchristos void dtls1_stop_timer(SSL *s)
353c9496f6bSchristos {
354c9496f6bSchristos /* Reset everything */
355*4724848cSchristos memset(&s->d1->timeout, 0, sizeof(s->d1->timeout));
356*4724848cSchristos memset(&s->d1->next_timeout, 0, sizeof(s->d1->next_timeout));
357*4724848cSchristos s->d1->timeout_duration_us = 1000000;
358c9496f6bSchristos BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
359c9496f6bSchristos &(s->d1->next_timeout));
360c9496f6bSchristos /* Clear retransmission buffer */
361c9496f6bSchristos dtls1_clear_sent_buffer(s);
362c9496f6bSchristos }
363c9496f6bSchristos
dtls1_check_timeout_num(SSL * s)364c9496f6bSchristos int dtls1_check_timeout_num(SSL *s)
365c9496f6bSchristos {
366*4724848cSchristos size_t mtu;
367c9496f6bSchristos
368c9496f6bSchristos s->d1->timeout.num_alerts++;
369c9496f6bSchristos
370c9496f6bSchristos /* Reduce MTU after 2 unsuccessful retransmissions */
371c9496f6bSchristos if (s->d1->timeout.num_alerts > 2
372c9496f6bSchristos && !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) {
373c9496f6bSchristos mtu =
374*4724848cSchristos BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL);
375c9496f6bSchristos if (mtu < s->d1->mtu)
376c9496f6bSchristos s->d1->mtu = mtu;
377c9496f6bSchristos }
378c9496f6bSchristos
379c9496f6bSchristos if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) {
380c9496f6bSchristos /* fail the connection, enough alerts have been sent */
381*4724848cSchristos SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS1_CHECK_TIMEOUT_NUM,
382*4724848cSchristos SSL_R_READ_TIMEOUT_EXPIRED);
383c9496f6bSchristos return -1;
384c9496f6bSchristos }
385c9496f6bSchristos
386c9496f6bSchristos return 0;
387c9496f6bSchristos }
388c9496f6bSchristos
dtls1_handle_timeout(SSL * s)389c9496f6bSchristos int dtls1_handle_timeout(SSL *s)
390c9496f6bSchristos {
391c9496f6bSchristos /* if no timer is expired, don't do anything */
392c9496f6bSchristos if (!dtls1_is_timer_expired(s)) {
393c9496f6bSchristos return 0;
394c9496f6bSchristos }
395c9496f6bSchristos
396*4724848cSchristos if (s->d1->timer_cb != NULL)
397*4724848cSchristos s->d1->timeout_duration_us = s->d1->timer_cb(s, s->d1->timeout_duration_us);
398*4724848cSchristos else
399c9496f6bSchristos dtls1_double_timeout(s);
400c9496f6bSchristos
401*4724848cSchristos if (dtls1_check_timeout_num(s) < 0) {
402*4724848cSchristos /* SSLfatal() already called */
403c9496f6bSchristos return -1;
404*4724848cSchristos }
405c9496f6bSchristos
406c9496f6bSchristos s->d1->timeout.read_timeouts++;
407c9496f6bSchristos if (s->d1->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) {
408c9496f6bSchristos s->d1->timeout.read_timeouts = 1;
409c9496f6bSchristos }
410c9496f6bSchristos
411c9496f6bSchristos dtls1_start_timer(s);
412*4724848cSchristos /* Calls SSLfatal() if required */
413c9496f6bSchristos return dtls1_retransmit_buffered_messages(s);
414c9496f6bSchristos }
415c9496f6bSchristos
get_current_time(struct timeval * t)416c9496f6bSchristos static void get_current_time(struct timeval *t)
417c9496f6bSchristos {
418c9496f6bSchristos #if defined(_WIN32)
419c9496f6bSchristos SYSTEMTIME st;
420c9496f6bSchristos union {
421c9496f6bSchristos unsigned __int64 ul;
422c9496f6bSchristos FILETIME ft;
423c9496f6bSchristos } now;
424c9496f6bSchristos
425c9496f6bSchristos GetSystemTime(&st);
426c9496f6bSchristos SystemTimeToFileTime(&st, &now.ft);
427*4724848cSchristos /* re-bias to 1/1/1970 */
428c9496f6bSchristos # ifdef __MINGW32__
429c9496f6bSchristos now.ul -= 116444736000000000ULL;
430c9496f6bSchristos # else
431*4724848cSchristos /* *INDENT-OFF* */
432*4724848cSchristos now.ul -= 116444736000000000UI64;
433*4724848cSchristos /* *INDENT-ON* */
434c9496f6bSchristos # endif
435c9496f6bSchristos t->tv_sec = (long)(now.ul / 10000000);
436c9496f6bSchristos t->tv_usec = ((int)(now.ul % 10000000)) / 10;
437c9496f6bSchristos #else
438c9496f6bSchristos gettimeofday(t, NULL);
439c9496f6bSchristos #endif
440c9496f6bSchristos }
441c9496f6bSchristos
442*4724848cSchristos #define LISTEN_SUCCESS 2
443*4724848cSchristos #define LISTEN_SEND_VERIFY_REQUEST 1
444*4724848cSchristos
445*4724848cSchristos #ifndef OPENSSL_NO_SOCK
DTLSv1_listen(SSL * s,BIO_ADDR * client)446*4724848cSchristos int DTLSv1_listen(SSL *s, BIO_ADDR *client)
447c9496f6bSchristos {
448*4724848cSchristos int next, n, ret = 0;
449*4724848cSchristos unsigned char cookie[DTLS1_COOKIE_LENGTH];
450*4724848cSchristos unsigned char seq[SEQ_NUM_SIZE];
451*4724848cSchristos const unsigned char *data;
452*4724848cSchristos unsigned char *buf, *wbuf;
453*4724848cSchristos size_t fragoff, fraglen, msglen, reclen, align = 0;
454*4724848cSchristos unsigned int rectype, versmajor, msgseq, msgtype, clientvers, cookielen;
455*4724848cSchristos BIO *rbio, *wbio;
456*4724848cSchristos BIO_ADDR *tmpclient = NULL;
457*4724848cSchristos PACKET pkt, msgpkt, msgpayload, session, cookiepkt;
458*4724848cSchristos
459*4724848cSchristos if (s->handshake_func == NULL) {
460*4724848cSchristos /* Not properly initialized yet */
461*4724848cSchristos SSL_set_accept_state(s);
462*4724848cSchristos }
463c9496f6bSchristos
464c9496f6bSchristos /* Ensure there is no state left over from a previous invocation */
465*4724848cSchristos if (!SSL_clear(s))
466*4724848cSchristos return -1;
467c9496f6bSchristos
468*4724848cSchristos ERR_clear_error();
469*4724848cSchristos
470*4724848cSchristos rbio = SSL_get_rbio(s);
471*4724848cSchristos wbio = SSL_get_wbio(s);
472*4724848cSchristos
473*4724848cSchristos if (!rbio || !wbio) {
474*4724848cSchristos SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_BIO_NOT_SET);
475*4724848cSchristos return -1;
476*4724848cSchristos }
477*4724848cSchristos
478*4724848cSchristos /*
479*4724848cSchristos * Note: This check deliberately excludes DTLS1_BAD_VER because that version
480*4724848cSchristos * requires the MAC to be calculated *including* the first ClientHello
481*4724848cSchristos * (without the cookie). Since DTLSv1_listen is stateless that cannot be
482*4724848cSchristos * supported. DTLS1_BAD_VER must use cookies in a stateful manner (e.g. via
483*4724848cSchristos * SSL_accept)
484*4724848cSchristos */
485*4724848cSchristos if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) {
486*4724848cSchristos SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_UNSUPPORTED_SSL_VERSION);
487*4724848cSchristos return -1;
488*4724848cSchristos }
489*4724848cSchristos
490*4724848cSchristos if (!ssl3_setup_buffers(s)) {
491*4724848cSchristos /* SSLerr already called */
492*4724848cSchristos return -1;
493*4724848cSchristos }
494*4724848cSchristos buf = RECORD_LAYER_get_rbuf(&s->rlayer)->buf;
495*4724848cSchristos wbuf = RECORD_LAYER_get_wbuf(&s->rlayer)[0].buf;
496*4724848cSchristos #if defined(SSL3_ALIGN_PAYLOAD)
497*4724848cSchristos # if SSL3_ALIGN_PAYLOAD != 0
498*4724848cSchristos /*
499*4724848cSchristos * Using SSL3_RT_HEADER_LENGTH here instead of DTLS1_RT_HEADER_LENGTH for
500*4724848cSchristos * consistency with ssl3_read_n. In practice it should make no difference
501*4724848cSchristos * for sensible values of SSL3_ALIGN_PAYLOAD because the difference between
502*4724848cSchristos * SSL3_RT_HEADER_LENGTH and DTLS1_RT_HEADER_LENGTH is exactly 8
503*4724848cSchristos */
504*4724848cSchristos align = (size_t)buf + SSL3_RT_HEADER_LENGTH;
505*4724848cSchristos align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD);
506*4724848cSchristos # endif
507*4724848cSchristos #endif
508*4724848cSchristos buf += align;
509*4724848cSchristos
510*4724848cSchristos do {
511*4724848cSchristos /* Get a packet */
512*4724848cSchristos
513*4724848cSchristos clear_sys_error();
514*4724848cSchristos n = BIO_read(rbio, buf, SSL3_RT_MAX_PLAIN_LENGTH
515*4724848cSchristos + DTLS1_RT_HEADER_LENGTH);
516*4724848cSchristos if (n <= 0) {
517*4724848cSchristos if (BIO_should_retry(rbio)) {
518*4724848cSchristos /* Non-blocking IO */
519*4724848cSchristos goto end;
520*4724848cSchristos }
521*4724848cSchristos return -1;
522*4724848cSchristos }
523*4724848cSchristos
524*4724848cSchristos if (!PACKET_buf_init(&pkt, buf, n)) {
525*4724848cSchristos SSLerr(SSL_F_DTLSV1_LISTEN, ERR_R_INTERNAL_ERROR);
526*4724848cSchristos return -1;
527*4724848cSchristos }
528*4724848cSchristos
529*4724848cSchristos /*
530*4724848cSchristos * Parse the received record. If there are any problems with it we just
531*4724848cSchristos * dump it - with no alert. RFC6347 says this "Unlike TLS, DTLS is
532*4724848cSchristos * resilient in the face of invalid records (e.g., invalid formatting,
533*4724848cSchristos * length, MAC, etc.). In general, invalid records SHOULD be silently
534*4724848cSchristos * discarded, thus preserving the association; however, an error MAY be
535*4724848cSchristos * logged for diagnostic purposes."
536*4724848cSchristos */
537*4724848cSchristos
538*4724848cSchristos /* this packet contained a partial record, dump it */
539*4724848cSchristos if (n < DTLS1_RT_HEADER_LENGTH) {
540*4724848cSchristos SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_RECORD_TOO_SMALL);
541*4724848cSchristos goto end;
542*4724848cSchristos }
543*4724848cSchristos
544*4724848cSchristos if (s->msg_callback)
545*4724848cSchristos s->msg_callback(0, 0, SSL3_RT_HEADER, buf,
546*4724848cSchristos DTLS1_RT_HEADER_LENGTH, s, s->msg_callback_arg);
547*4724848cSchristos
548*4724848cSchristos /* Get the record header */
549*4724848cSchristos if (!PACKET_get_1(&pkt, &rectype)
550*4724848cSchristos || !PACKET_get_1(&pkt, &versmajor)) {
551*4724848cSchristos SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_LENGTH_MISMATCH);
552*4724848cSchristos goto end;
553*4724848cSchristos }
554*4724848cSchristos
555*4724848cSchristos if (rectype != SSL3_RT_HANDSHAKE) {
556*4724848cSchristos SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_UNEXPECTED_MESSAGE);
557*4724848cSchristos goto end;
558*4724848cSchristos }
559*4724848cSchristos
560*4724848cSchristos /*
561*4724848cSchristos * Check record version number. We only check that the major version is
562*4724848cSchristos * the same.
563*4724848cSchristos */
564*4724848cSchristos if (versmajor != DTLS1_VERSION_MAJOR) {
565*4724848cSchristos SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
566*4724848cSchristos goto end;
567*4724848cSchristos }
568*4724848cSchristos
569*4724848cSchristos if (!PACKET_forward(&pkt, 1)
570*4724848cSchristos /* Save the sequence number: 64 bits, with top 2 bytes = epoch */
571*4724848cSchristos || !PACKET_copy_bytes(&pkt, seq, SEQ_NUM_SIZE)
572*4724848cSchristos || !PACKET_get_length_prefixed_2(&pkt, &msgpkt)) {
573*4724848cSchristos SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_LENGTH_MISMATCH);
574*4724848cSchristos goto end;
575*4724848cSchristos }
576*4724848cSchristos reclen = PACKET_remaining(&msgpkt);
577*4724848cSchristos /*
578*4724848cSchristos * We allow data remaining at the end of the packet because there could
579*4724848cSchristos * be a second record (but we ignore it)
580*4724848cSchristos */
581*4724848cSchristos
582*4724848cSchristos /* This is an initial ClientHello so the epoch has to be 0 */
583*4724848cSchristos if (seq[0] != 0 || seq[1] != 0) {
584*4724848cSchristos SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_UNEXPECTED_MESSAGE);
585*4724848cSchristos goto end;
586*4724848cSchristos }
587*4724848cSchristos
588*4724848cSchristos /* Get a pointer to the raw message for the later callback */
589*4724848cSchristos data = PACKET_data(&msgpkt);
590*4724848cSchristos
591*4724848cSchristos /* Finished processing the record header, now process the message */
592*4724848cSchristos if (!PACKET_get_1(&msgpkt, &msgtype)
593*4724848cSchristos || !PACKET_get_net_3_len(&msgpkt, &msglen)
594*4724848cSchristos || !PACKET_get_net_2(&msgpkt, &msgseq)
595*4724848cSchristos || !PACKET_get_net_3_len(&msgpkt, &fragoff)
596*4724848cSchristos || !PACKET_get_net_3_len(&msgpkt, &fraglen)
597*4724848cSchristos || !PACKET_get_sub_packet(&msgpkt, &msgpayload, fraglen)
598*4724848cSchristos || PACKET_remaining(&msgpkt) != 0) {
599*4724848cSchristos SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_LENGTH_MISMATCH);
600*4724848cSchristos goto end;
601*4724848cSchristos }
602*4724848cSchristos
603*4724848cSchristos if (msgtype != SSL3_MT_CLIENT_HELLO) {
604*4724848cSchristos SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_UNEXPECTED_MESSAGE);
605*4724848cSchristos goto end;
606*4724848cSchristos }
607*4724848cSchristos
608*4724848cSchristos /* Message sequence number can only be 0 or 1 */
609*4724848cSchristos if (msgseq > 2) {
610*4724848cSchristos SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_INVALID_SEQUENCE_NUMBER);
611*4724848cSchristos goto end;
612*4724848cSchristos }
613*4724848cSchristos
614*4724848cSchristos /*
615*4724848cSchristos * We don't support fragment reassembly for ClientHellos whilst
616*4724848cSchristos * listening because that would require server side state (which is
617*4724848cSchristos * against the whole point of the ClientHello/HelloVerifyRequest
618*4724848cSchristos * mechanism). Instead we only look at the first ClientHello fragment
619*4724848cSchristos * and require that the cookie must be contained within it.
620*4724848cSchristos */
621*4724848cSchristos if (fragoff != 0 || fraglen > msglen) {
622*4724848cSchristos /* Non initial ClientHello fragment (or bad fragment) */
623*4724848cSchristos SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_FRAGMENTED_CLIENT_HELLO);
624*4724848cSchristos goto end;
625*4724848cSchristos }
626*4724848cSchristos
627*4724848cSchristos if (s->msg_callback)
628*4724848cSchristos s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, data,
629*4724848cSchristos fraglen + DTLS1_HM_HEADER_LENGTH, s,
630*4724848cSchristos s->msg_callback_arg);
631*4724848cSchristos
632*4724848cSchristos if (!PACKET_get_net_2(&msgpayload, &clientvers)) {
633*4724848cSchristos SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_LENGTH_MISMATCH);
634*4724848cSchristos goto end;
635*4724848cSchristos }
636*4724848cSchristos
637*4724848cSchristos /*
638*4724848cSchristos * Verify client version is supported
639*4724848cSchristos */
640*4724848cSchristos if (DTLS_VERSION_LT(clientvers, (unsigned int)s->method->version) &&
641*4724848cSchristos s->method->version != DTLS_ANY_VERSION) {
642*4724848cSchristos SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_WRONG_VERSION_NUMBER);
643*4724848cSchristos goto end;
644*4724848cSchristos }
645*4724848cSchristos
646*4724848cSchristos if (!PACKET_forward(&msgpayload, SSL3_RANDOM_SIZE)
647*4724848cSchristos || !PACKET_get_length_prefixed_1(&msgpayload, &session)
648*4724848cSchristos || !PACKET_get_length_prefixed_1(&msgpayload, &cookiepkt)) {
649*4724848cSchristos /*
650*4724848cSchristos * Could be malformed or the cookie does not fit within the initial
651*4724848cSchristos * ClientHello fragment. Either way we can't handle it.
652*4724848cSchristos */
653*4724848cSchristos SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_LENGTH_MISMATCH);
654*4724848cSchristos goto end;
655*4724848cSchristos }
656*4724848cSchristos
657*4724848cSchristos /*
658*4724848cSchristos * Check if we have a cookie or not. If not we need to send a
659*4724848cSchristos * HelloVerifyRequest.
660*4724848cSchristos */
661*4724848cSchristos if (PACKET_remaining(&cookiepkt) == 0) {
662*4724848cSchristos next = LISTEN_SEND_VERIFY_REQUEST;
663*4724848cSchristos } else {
664*4724848cSchristos /*
665*4724848cSchristos * We have a cookie, so lets check it.
666*4724848cSchristos */
667*4724848cSchristos if (s->ctx->app_verify_cookie_cb == NULL) {
668*4724848cSchristos SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_NO_VERIFY_COOKIE_CALLBACK);
669*4724848cSchristos /* This is fatal */
670*4724848cSchristos return -1;
671*4724848cSchristos }
672*4724848cSchristos if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&cookiepkt),
673*4724848cSchristos (unsigned int)PACKET_remaining(&cookiepkt)) == 0) {
674*4724848cSchristos /*
675*4724848cSchristos * We treat invalid cookies in the same was as no cookie as
676*4724848cSchristos * per RFC6347
677*4724848cSchristos */
678*4724848cSchristos next = LISTEN_SEND_VERIFY_REQUEST;
679*4724848cSchristos } else {
680*4724848cSchristos /* Cookie verification succeeded */
681*4724848cSchristos next = LISTEN_SUCCESS;
682*4724848cSchristos }
683*4724848cSchristos }
684*4724848cSchristos
685*4724848cSchristos if (next == LISTEN_SEND_VERIFY_REQUEST) {
686*4724848cSchristos WPACKET wpkt;
687*4724848cSchristos unsigned int version;
688*4724848cSchristos size_t wreclen;
689*4724848cSchristos
690*4724848cSchristos /*
691*4724848cSchristos * There was no cookie in the ClientHello so we need to send a
692*4724848cSchristos * HelloVerifyRequest. If this fails we do not worry about trying
693*4724848cSchristos * to resend, we just drop it.
694*4724848cSchristos */
695*4724848cSchristos
696*4724848cSchristos /* Generate the cookie */
697*4724848cSchristos if (s->ctx->app_gen_cookie_cb == NULL ||
698*4724848cSchristos s->ctx->app_gen_cookie_cb(s, cookie, &cookielen) == 0 ||
699*4724848cSchristos cookielen > 255) {
700*4724848cSchristos SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
701*4724848cSchristos /* This is fatal */
702*4724848cSchristos return -1;
703*4724848cSchristos }
704*4724848cSchristos
705*4724848cSchristos /*
706*4724848cSchristos * Special case: for hello verify request, client version 1.0 and we
707*4724848cSchristos * haven't decided which version to use yet send back using version
708*4724848cSchristos * 1.0 header: otherwise some clients will ignore it.
709*4724848cSchristos */
710*4724848cSchristos version = (s->method->version == DTLS_ANY_VERSION) ? DTLS1_VERSION
711*4724848cSchristos : s->version;
712*4724848cSchristos
713*4724848cSchristos /* Construct the record and message headers */
714*4724848cSchristos if (!WPACKET_init_static_len(&wpkt,
715*4724848cSchristos wbuf,
716*4724848cSchristos ssl_get_max_send_fragment(s)
717*4724848cSchristos + DTLS1_RT_HEADER_LENGTH,
718*4724848cSchristos 0)
719*4724848cSchristos || !WPACKET_put_bytes_u8(&wpkt, SSL3_RT_HANDSHAKE)
720*4724848cSchristos || !WPACKET_put_bytes_u16(&wpkt, version)
721*4724848cSchristos /*
722*4724848cSchristos * Record sequence number is always the same as in the
723*4724848cSchristos * received ClientHello
724*4724848cSchristos */
725*4724848cSchristos || !WPACKET_memcpy(&wpkt, seq, SEQ_NUM_SIZE)
726*4724848cSchristos /* End of record, start sub packet for message */
727*4724848cSchristos || !WPACKET_start_sub_packet_u16(&wpkt)
728*4724848cSchristos /* Message type */
729*4724848cSchristos || !WPACKET_put_bytes_u8(&wpkt,
730*4724848cSchristos DTLS1_MT_HELLO_VERIFY_REQUEST)
731*4724848cSchristos /*
732*4724848cSchristos * Message length - doesn't follow normal TLS convention:
733*4724848cSchristos * the length isn't the last thing in the message header.
734*4724848cSchristos * We'll need to fill this in later when we know the
735*4724848cSchristos * length. Set it to zero for now
736*4724848cSchristos */
737*4724848cSchristos || !WPACKET_put_bytes_u24(&wpkt, 0)
738*4724848cSchristos /*
739*4724848cSchristos * Message sequence number is always 0 for a
740*4724848cSchristos * HelloVerifyRequest
741*4724848cSchristos */
742*4724848cSchristos || !WPACKET_put_bytes_u16(&wpkt, 0)
743*4724848cSchristos /*
744*4724848cSchristos * We never fragment a HelloVerifyRequest, so fragment
745*4724848cSchristos * offset is 0
746*4724848cSchristos */
747*4724848cSchristos || !WPACKET_put_bytes_u24(&wpkt, 0)
748*4724848cSchristos /*
749*4724848cSchristos * Fragment length is the same as message length, but
750*4724848cSchristos * this *is* the last thing in the message header so we
751*4724848cSchristos * can just start a sub-packet. No need to come back
752*4724848cSchristos * later for this one.
753*4724848cSchristos */
754*4724848cSchristos || !WPACKET_start_sub_packet_u24(&wpkt)
755*4724848cSchristos /* Create the actual HelloVerifyRequest body */
756*4724848cSchristos || !dtls_raw_hello_verify_request(&wpkt, cookie, cookielen)
757*4724848cSchristos /* Close message body */
758*4724848cSchristos || !WPACKET_close(&wpkt)
759*4724848cSchristos /* Close record body */
760*4724848cSchristos || !WPACKET_close(&wpkt)
761*4724848cSchristos || !WPACKET_get_total_written(&wpkt, &wreclen)
762*4724848cSchristos || !WPACKET_finish(&wpkt)) {
763*4724848cSchristos SSLerr(SSL_F_DTLSV1_LISTEN, ERR_R_INTERNAL_ERROR);
764*4724848cSchristos WPACKET_cleanup(&wpkt);
765*4724848cSchristos /* This is fatal */
766*4724848cSchristos return -1;
767*4724848cSchristos }
768*4724848cSchristos
769*4724848cSchristos /*
770*4724848cSchristos * Fix up the message len in the message header. Its the same as the
771*4724848cSchristos * fragment len which has been filled in by WPACKET, so just copy
772*4724848cSchristos * that. Destination for the message len is after the record header
773*4724848cSchristos * plus one byte for the message content type. The source is the
774*4724848cSchristos * last 3 bytes of the message header
775*4724848cSchristos */
776*4724848cSchristos memcpy(&wbuf[DTLS1_RT_HEADER_LENGTH + 1],
777*4724848cSchristos &wbuf[DTLS1_RT_HEADER_LENGTH + DTLS1_HM_HEADER_LENGTH - 3],
778*4724848cSchristos 3);
779*4724848cSchristos
780*4724848cSchristos if (s->msg_callback)
781*4724848cSchristos s->msg_callback(1, 0, SSL3_RT_HEADER, buf,
782*4724848cSchristos DTLS1_RT_HEADER_LENGTH, s, s->msg_callback_arg);
783*4724848cSchristos
784*4724848cSchristos if ((tmpclient = BIO_ADDR_new()) == NULL) {
785*4724848cSchristos SSLerr(SSL_F_DTLSV1_LISTEN, ERR_R_MALLOC_FAILURE);
786*4724848cSchristos goto end;
787*4724848cSchristos }
788*4724848cSchristos
789*4724848cSchristos /*
790*4724848cSchristos * This is unnecessary if rbio and wbio are one and the same - but
791*4724848cSchristos * maybe they're not. We ignore errors here - some BIOs do not
792*4724848cSchristos * support this.
793*4724848cSchristos */
794*4724848cSchristos if (BIO_dgram_get_peer(rbio, tmpclient) > 0) {
795*4724848cSchristos (void)BIO_dgram_set_peer(wbio, tmpclient);
796*4724848cSchristos }
797*4724848cSchristos BIO_ADDR_free(tmpclient);
798*4724848cSchristos tmpclient = NULL;
799*4724848cSchristos
800*4724848cSchristos /* TODO(size_t): convert this call */
801*4724848cSchristos if (BIO_write(wbio, wbuf, wreclen) < (int)wreclen) {
802*4724848cSchristos if (BIO_should_retry(wbio)) {
803*4724848cSchristos /*
804*4724848cSchristos * Non-blocking IO...but we're stateless, so we're just
805*4724848cSchristos * going to drop this packet.
806*4724848cSchristos */
807*4724848cSchristos goto end;
808*4724848cSchristos }
809*4724848cSchristos return -1;
810*4724848cSchristos }
811*4724848cSchristos
812*4724848cSchristos if (BIO_flush(wbio) <= 0) {
813*4724848cSchristos if (BIO_should_retry(wbio)) {
814*4724848cSchristos /*
815*4724848cSchristos * Non-blocking IO...but we're stateless, so we're just
816*4724848cSchristos * going to drop this packet.
817*4724848cSchristos */
818*4724848cSchristos goto end;
819*4724848cSchristos }
820*4724848cSchristos return -1;
821*4724848cSchristos }
822*4724848cSchristos }
823*4724848cSchristos } while (next != LISTEN_SUCCESS);
824*4724848cSchristos
825*4724848cSchristos /*
826*4724848cSchristos * Set expected sequence numbers to continue the handshake.
827*4724848cSchristos */
828*4724848cSchristos s->d1->handshake_read_seq = 1;
829*4724848cSchristos s->d1->handshake_write_seq = 1;
830*4724848cSchristos s->d1->next_handshake_write_seq = 1;
831*4724848cSchristos DTLS_RECORD_LAYER_set_write_sequence(&s->rlayer, seq);
832*4724848cSchristos
833*4724848cSchristos /*
834*4724848cSchristos * We are doing cookie exchange, so make sure we set that option in the
835*4724848cSchristos * SSL object
836*4724848cSchristos */
837c9496f6bSchristos SSL_set_options(s, SSL_OP_COOKIE_EXCHANGE);
838c9496f6bSchristos
839*4724848cSchristos /*
840*4724848cSchristos * Tell the state machine that we've done the initial hello verify
841*4724848cSchristos * exchange
842*4724848cSchristos */
843*4724848cSchristos ossl_statem_set_hello_verify_done(s);
844*4724848cSchristos
845*4724848cSchristos /*
846*4724848cSchristos * Some BIOs may not support this. If we fail we clear the client address
847*4724848cSchristos */
848*4724848cSchristos if (BIO_dgram_get_peer(rbio, client) <= 0)
849*4724848cSchristos BIO_ADDR_clear(client);
850*4724848cSchristos
851*4724848cSchristos /* Buffer the record in the processed_rcds queue */
852*4724848cSchristos if (!dtls_buffer_listen_record(s, reclen, seq, align))
853*4724848cSchristos return -1;
854*4724848cSchristos
855*4724848cSchristos ret = 1;
856*4724848cSchristos end:
857*4724848cSchristos BIO_ADDR_free(tmpclient);
858c9496f6bSchristos return ret;
859c9496f6bSchristos }
860*4724848cSchristos #endif
861c9496f6bSchristos
dtls1_handshake_write(SSL * s)862c9496f6bSchristos static int dtls1_handshake_write(SSL *s)
863c9496f6bSchristos {
864c9496f6bSchristos return dtls1_do_write(s, SSL3_RT_HANDSHAKE);
865c9496f6bSchristos }
866*4724848cSchristos
dtls1_shutdown(SSL * s)867*4724848cSchristos int dtls1_shutdown(SSL *s)
868*4724848cSchristos {
869*4724848cSchristos int ret;
870*4724848cSchristos #ifndef OPENSSL_NO_SCTP
871*4724848cSchristos BIO *wbio;
872*4724848cSchristos
873*4724848cSchristos wbio = SSL_get_wbio(s);
874*4724848cSchristos if (wbio != NULL && BIO_dgram_is_sctp(wbio) &&
875*4724848cSchristos !(s->shutdown & SSL_SENT_SHUTDOWN)) {
876*4724848cSchristos ret = BIO_dgram_sctp_wait_for_dry(wbio);
877*4724848cSchristos if (ret < 0)
878*4724848cSchristos return -1;
879*4724848cSchristos
880*4724848cSchristos if (ret == 0)
881*4724848cSchristos BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN, 1,
882*4724848cSchristos NULL);
883*4724848cSchristos }
884*4724848cSchristos #endif
885*4724848cSchristos ret = ssl3_shutdown(s);
886*4724848cSchristos #ifndef OPENSSL_NO_SCTP
887*4724848cSchristos BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN, 0, NULL);
888*4724848cSchristos #endif
889*4724848cSchristos return ret;
890*4724848cSchristos }
891*4724848cSchristos
dtls1_query_mtu(SSL * s)892*4724848cSchristos int dtls1_query_mtu(SSL *s)
893*4724848cSchristos {
894*4724848cSchristos if (s->d1->link_mtu) {
895*4724848cSchristos s->d1->mtu =
896*4724848cSchristos s->d1->link_mtu - BIO_dgram_get_mtu_overhead(SSL_get_wbio(s));
897*4724848cSchristos s->d1->link_mtu = 0;
898*4724848cSchristos }
899*4724848cSchristos
900*4724848cSchristos /* AHA! Figure out the MTU, and stick to the right size */
901*4724848cSchristos if (s->d1->mtu < dtls1_min_mtu(s)) {
902*4724848cSchristos if (!(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) {
903*4724848cSchristos s->d1->mtu =
904*4724848cSchristos BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
905*4724848cSchristos
906*4724848cSchristos /*
907*4724848cSchristos * I've seen the kernel return bogus numbers when it doesn't know
908*4724848cSchristos * (initial write), so just make sure we have a reasonable number
909*4724848cSchristos */
910*4724848cSchristos if (s->d1->mtu < dtls1_min_mtu(s)) {
911*4724848cSchristos /* Set to min mtu */
912*4724848cSchristos s->d1->mtu = dtls1_min_mtu(s);
913*4724848cSchristos BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SET_MTU,
914*4724848cSchristos (long)s->d1->mtu, NULL);
915*4724848cSchristos }
916*4724848cSchristos } else
917*4724848cSchristos return 0;
918*4724848cSchristos }
919*4724848cSchristos return 1;
920*4724848cSchristos }
921*4724848cSchristos
dtls1_link_min_mtu(void)922*4724848cSchristos static size_t dtls1_link_min_mtu(void)
923*4724848cSchristos {
924*4724848cSchristos return (g_probable_mtu[(sizeof(g_probable_mtu) /
925*4724848cSchristos sizeof(g_probable_mtu[0])) - 1]);
926*4724848cSchristos }
927*4724848cSchristos
dtls1_min_mtu(SSL * s)928*4724848cSchristos size_t dtls1_min_mtu(SSL *s)
929*4724848cSchristos {
930*4724848cSchristos return dtls1_link_min_mtu() - BIO_dgram_get_mtu_overhead(SSL_get_wbio(s));
931*4724848cSchristos }
932*4724848cSchristos
DTLS_get_data_mtu(const SSL * s)933*4724848cSchristos size_t DTLS_get_data_mtu(const SSL *s)
934*4724848cSchristos {
935*4724848cSchristos size_t mac_overhead, int_overhead, blocksize, ext_overhead;
936*4724848cSchristos const SSL_CIPHER *ciph = SSL_get_current_cipher(s);
937*4724848cSchristos size_t mtu = s->d1->mtu;
938*4724848cSchristos
939*4724848cSchristos if (ciph == NULL)
940*4724848cSchristos return 0;
941*4724848cSchristos
942*4724848cSchristos if (!ssl_cipher_get_overhead(ciph, &mac_overhead, &int_overhead,
943*4724848cSchristos &blocksize, &ext_overhead))
944*4724848cSchristos return 0;
945*4724848cSchristos
946*4724848cSchristos if (SSL_READ_ETM(s))
947*4724848cSchristos ext_overhead += mac_overhead;
948*4724848cSchristos else
949*4724848cSchristos int_overhead += mac_overhead;
950*4724848cSchristos
951*4724848cSchristos /* Subtract external overhead (e.g. IV/nonce, separate MAC) */
952*4724848cSchristos if (ext_overhead + DTLS1_RT_HEADER_LENGTH >= mtu)
953*4724848cSchristos return 0;
954*4724848cSchristos mtu -= ext_overhead + DTLS1_RT_HEADER_LENGTH;
955*4724848cSchristos
956*4724848cSchristos /* Round encrypted payload down to cipher block size (for CBC etc.)
957*4724848cSchristos * No check for overflow since 'mtu % blocksize' cannot exceed mtu. */
958*4724848cSchristos if (blocksize)
959*4724848cSchristos mtu -= (mtu % blocksize);
960*4724848cSchristos
961*4724848cSchristos /* Subtract internal overhead (e.g. CBC padding len byte) */
962*4724848cSchristos if (int_overhead >= mtu)
963*4724848cSchristos return 0;
964*4724848cSchristos mtu -= int_overhead;
965*4724848cSchristos
966*4724848cSchristos return mtu;
967*4724848cSchristos }
968*4724848cSchristos
DTLS_set_timer_cb(SSL * s,DTLS_timer_cb cb)969*4724848cSchristos void DTLS_set_timer_cb(SSL *s, DTLS_timer_cb cb)
970*4724848cSchristos {
971*4724848cSchristos s->d1->timer_cb = cb;
972*4724848cSchristos }
973