1 /* 2 * Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <limits.h> 11 #include <string.h> 12 #include <stdio.h> 13 #include "../ssl_locl.h" 14 #include "statem_locl.h" 15 #include <openssl/buffer.h> 16 #include <openssl/objects.h> 17 #include <openssl/evp.h> 18 #include <openssl/x509.h> 19 20 #define RSMBLY_BITMASK_SIZE(msg_len) (((msg_len) + 7) / 8) 21 22 #define RSMBLY_BITMASK_MARK(bitmask, start, end) { \ 23 if ((end) - (start) <= 8) { \ 24 long ii; \ 25 for (ii = (start); ii < (end); ii++) bitmask[((ii) >> 3)] |= (1 << ((ii) & 7)); \ 26 } else { \ 27 long ii; \ 28 bitmask[((start) >> 3)] |= bitmask_start_values[((start) & 7)]; \ 29 for (ii = (((start) >> 3) + 1); ii < ((((end) - 1)) >> 3); ii++) bitmask[ii] = 0xff; \ 30 bitmask[(((end) - 1) >> 3)] |= bitmask_end_values[((end) & 7)]; \ 31 } } 32 33 #define RSMBLY_BITMASK_IS_COMPLETE(bitmask, msg_len, is_complete) { \ 34 long ii; \ 35 OPENSSL_assert((msg_len) > 0); \ 36 is_complete = 1; \ 37 if (bitmask[(((msg_len) - 1) >> 3)] != bitmask_end_values[((msg_len) & 7)]) is_complete = 0; \ 38 if (is_complete) for (ii = (((msg_len) - 1) >> 3) - 1; ii >= 0 ; ii--) \ 39 if (bitmask[ii] != 0xff) { is_complete = 0; break; } } 40 41 static unsigned char bitmask_start_values[] = 42 { 0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80 }; 43 static unsigned char bitmask_end_values[] = 44 { 0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f }; 45 46 static void dtls1_fix_message_header(SSL *s, unsigned long frag_off, 47 unsigned long frag_len); 48 static unsigned char *dtls1_write_message_header(SSL *s, unsigned char *p); 49 static void dtls1_set_message_header_int(SSL *s, unsigned char mt, 50 unsigned long len, 51 unsigned short seq_num, 52 unsigned long frag_off, 53 unsigned long frag_len); 54 static int dtls_get_reassembled_message(SSL *s, long *len); 55 56 static hm_fragment *dtls1_hm_fragment_new(unsigned long frag_len, 57 int reassembly) 58 { 59 hm_fragment *frag = NULL; 60 unsigned char *buf = NULL; 61 unsigned char *bitmask = NULL; 62 63 frag = OPENSSL_malloc(sizeof(*frag)); 64 if (frag == NULL) 65 return NULL; 66 67 if (frag_len) { 68 buf = OPENSSL_malloc(frag_len); 69 if (buf == NULL) { 70 OPENSSL_free(frag); 71 return NULL; 72 } 73 } 74 75 /* zero length fragment gets zero frag->fragment */ 76 frag->fragment = buf; 77 78 /* Initialize reassembly bitmask if necessary */ 79 if (reassembly) { 80 bitmask = OPENSSL_zalloc(RSMBLY_BITMASK_SIZE(frag_len)); 81 if (bitmask == NULL) { 82 OPENSSL_free(buf); 83 OPENSSL_free(frag); 84 return NULL; 85 } 86 } 87 88 frag->reassembly = bitmask; 89 90 return frag; 91 } 92 93 void dtls1_hm_fragment_free(hm_fragment *frag) 94 { 95 if (!frag) 96 return; 97 if (frag->msg_header.is_ccs) { 98 EVP_CIPHER_CTX_free(frag->msg_header. 99 saved_retransmit_state.enc_write_ctx); 100 EVP_MD_CTX_free(frag->msg_header.saved_retransmit_state.write_hash); 101 } 102 OPENSSL_free(frag->fragment); 103 OPENSSL_free(frag->reassembly); 104 OPENSSL_free(frag); 105 } 106 107 /* 108 * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or 109 * SSL3_RT_CHANGE_CIPHER_SPEC) 110 */ 111 int dtls1_do_write(SSL *s, int type) 112 { 113 int ret; 114 unsigned int curr_mtu; 115 int retry = 1; 116 unsigned int len, frag_off, mac_size, blocksize, used_len; 117 118 if (!dtls1_query_mtu(s)) 119 return -1; 120 121 if (s->d1->mtu < dtls1_min_mtu(s)) 122 /* should have something reasonable now */ 123 return -1; 124 125 if (s->init_off == 0 && type == SSL3_RT_HANDSHAKE) 126 OPENSSL_assert(s->init_num == 127 (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH); 128 129 if (s->write_hash) { 130 if (s->enc_write_ctx 131 && (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_write_ctx)) & 132 EVP_CIPH_FLAG_AEAD_CIPHER) != 0) 133 mac_size = 0; 134 else 135 mac_size = EVP_MD_CTX_size(s->write_hash); 136 } else 137 mac_size = 0; 138 139 if (s->enc_write_ctx && 140 (EVP_CIPHER_CTX_mode(s->enc_write_ctx) == EVP_CIPH_CBC_MODE)) 141 blocksize = 2 * EVP_CIPHER_CTX_block_size(s->enc_write_ctx); 142 else 143 blocksize = 0; 144 145 frag_off = 0; 146 s->rwstate = SSL_NOTHING; 147 148 /* s->init_num shouldn't ever be < 0...but just in case */ 149 while (s->init_num > 0) { 150 if (type == SSL3_RT_HANDSHAKE && s->init_off != 0) { 151 /* We must be writing a fragment other than the first one */ 152 153 if (frag_off > 0) { 154 /* This is the first attempt at writing out this fragment */ 155 156 if (s->init_off <= DTLS1_HM_HEADER_LENGTH) { 157 /* 158 * Each fragment that was already sent must at least have 159 * contained the message header plus one other byte. 160 * Therefore |init_off| must have progressed by at least 161 * |DTLS1_HM_HEADER_LENGTH + 1| bytes. If not something went 162 * wrong. 163 */ 164 return -1; 165 } 166 167 /* 168 * Adjust |init_off| and |init_num| to allow room for a new 169 * message header for this fragment. 170 */ 171 s->init_off -= DTLS1_HM_HEADER_LENGTH; 172 s->init_num += DTLS1_HM_HEADER_LENGTH; 173 } else { 174 /* 175 * We must have been called again after a retry so use the 176 * fragment offset from our last attempt. We do not need 177 * to adjust |init_off| and |init_num| as above, because 178 * that should already have been done before the retry. 179 */ 180 frag_off = s->d1->w_msg_hdr.frag_off; 181 } 182 } 183 184 used_len = BIO_wpending(s->wbio) + DTLS1_RT_HEADER_LENGTH 185 + mac_size + blocksize; 186 if (s->d1->mtu > used_len) 187 curr_mtu = s->d1->mtu - used_len; 188 else 189 curr_mtu = 0; 190 191 if (curr_mtu <= DTLS1_HM_HEADER_LENGTH) { 192 /* 193 * grr.. we could get an error if MTU picked was wrong 194 */ 195 ret = BIO_flush(s->wbio); 196 if (ret <= 0) { 197 s->rwstate = SSL_WRITING; 198 return ret; 199 } 200 used_len = DTLS1_RT_HEADER_LENGTH + mac_size + blocksize; 201 if (s->d1->mtu > used_len + DTLS1_HM_HEADER_LENGTH) { 202 curr_mtu = s->d1->mtu - used_len; 203 } else { 204 /* Shouldn't happen */ 205 return -1; 206 } 207 } 208 209 /* 210 * We just checked that s->init_num > 0 so this cast should be safe 211 */ 212 if (((unsigned int)s->init_num) > curr_mtu) 213 len = curr_mtu; 214 else 215 len = s->init_num; 216 217 if (len > s->max_send_fragment) 218 len = s->max_send_fragment; 219 220 /* 221 * XDTLS: this function is too long. split out the CCS part 222 */ 223 if (type == SSL3_RT_HANDSHAKE) { 224 if (len < DTLS1_HM_HEADER_LENGTH) { 225 /* 226 * len is so small that we really can't do anything sensible 227 * so fail 228 */ 229 return -1; 230 } 231 dtls1_fix_message_header(s, frag_off, len - DTLS1_HM_HEADER_LENGTH); 232 233 dtls1_write_message_header(s, 234 (unsigned char *)&s->init_buf-> 235 data[s->init_off]); 236 } 237 238 ret = dtls1_write_bytes(s, type, &s->init_buf->data[s->init_off], len); 239 if (ret < 0) { 240 /* 241 * might need to update MTU here, but we don't know which 242 * previous packet caused the failure -- so can't really 243 * retransmit anything. continue as if everything is fine and 244 * wait for an alert to handle the retransmit 245 */ 246 if (retry && BIO_ctrl(SSL_get_wbio(s), 247 BIO_CTRL_DGRAM_MTU_EXCEEDED, 0, NULL) > 0) { 248 if (!(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) { 249 if (!dtls1_query_mtu(s)) 250 return -1; 251 /* Have one more go */ 252 retry = 0; 253 } else 254 return -1; 255 } else { 256 return (-1); 257 } 258 } else { 259 260 /* 261 * bad if this assert fails, only part of the handshake message 262 * got sent. but why would this happen? 263 */ 264 OPENSSL_assert(len == (unsigned int)ret); 265 266 if (type == SSL3_RT_HANDSHAKE && !s->d1->retransmitting) { 267 /* 268 * should not be done for 'Hello Request's, but in that case 269 * we'll ignore the result anyway 270 */ 271 unsigned char *p = 272 (unsigned char *)&s->init_buf->data[s->init_off]; 273 const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; 274 int xlen; 275 276 if (frag_off == 0 && s->version != DTLS1_BAD_VER) { 277 /* 278 * reconstruct message header is if it is being sent in 279 * single fragment 280 */ 281 *p++ = msg_hdr->type; 282 l2n3(msg_hdr->msg_len, p); 283 s2n(msg_hdr->seq, p); 284 l2n3(0, p); 285 l2n3(msg_hdr->msg_len, p); 286 p -= DTLS1_HM_HEADER_LENGTH; 287 xlen = ret; 288 } else { 289 p += DTLS1_HM_HEADER_LENGTH; 290 xlen = ret - DTLS1_HM_HEADER_LENGTH; 291 } 292 293 if (!ssl3_finish_mac(s, p, xlen)) 294 return -1; 295 } 296 297 if (ret == s->init_num) { 298 if (s->msg_callback) 299 s->msg_callback(1, s->version, type, s->init_buf->data, 300 (size_t)(s->init_off + s->init_num), s, 301 s->msg_callback_arg); 302 303 s->init_off = 0; /* done writing this message */ 304 s->init_num = 0; 305 306 return (1); 307 } 308 s->init_off += ret; 309 s->init_num -= ret; 310 ret -= DTLS1_HM_HEADER_LENGTH; 311 frag_off += ret; 312 313 /* 314 * We save the fragment offset for the next fragment so we have it 315 * available in case of an IO retry. We don't know the length of the 316 * next fragment yet so just set that to 0 for now. It will be 317 * updated again later. 318 */ 319 dtls1_fix_message_header(s, frag_off, 0); 320 } 321 } 322 return (0); 323 } 324 325 int dtls_get_message(SSL *s, int *mt, unsigned long *len) 326 { 327 struct hm_header_st *msg_hdr; 328 unsigned char *p; 329 unsigned long msg_len; 330 int ok; 331 long tmplen; 332 333 msg_hdr = &s->d1->r_msg_hdr; 334 memset(msg_hdr, 0, sizeof(*msg_hdr)); 335 336 again: 337 ok = dtls_get_reassembled_message(s, &tmplen); 338 if (tmplen == DTLS1_HM_BAD_FRAGMENT || tmplen == DTLS1_HM_FRAGMENT_RETRY) { 339 /* bad fragment received */ 340 goto again; 341 } else if (tmplen <= 0 && !ok) { 342 return 0; 343 } 344 345 *mt = s->s3->tmp.message_type; 346 347 p = (unsigned char *)s->init_buf->data; 348 349 if (*mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 350 if (s->msg_callback) { 351 s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, 352 p, 1, s, s->msg_callback_arg); 353 } 354 /* 355 * This isn't a real handshake message so skip the processing below. 356 */ 357 *len = (unsigned long)tmplen; 358 return 1; 359 } 360 361 msg_len = msg_hdr->msg_len; 362 363 /* reconstruct message header */ 364 *(p++) = msg_hdr->type; 365 l2n3(msg_len, p); 366 s2n(msg_hdr->seq, p); 367 l2n3(0, p); 368 l2n3(msg_len, p); 369 if (s->version != DTLS1_BAD_VER) { 370 p -= DTLS1_HM_HEADER_LENGTH; 371 msg_len += DTLS1_HM_HEADER_LENGTH; 372 } 373 374 /* 375 * If receiving Finished, record MAC of prior handshake messages for 376 * Finished verification. 377 */ 378 if (*mt == SSL3_MT_FINISHED && !ssl3_take_mac(s)) { 379 /* SSLfatal() already called */ 380 return 0; 381 } 382 383 if (!ssl3_finish_mac(s, p, msg_len)) 384 return 0; 385 if (s->msg_callback) 386 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 387 p, msg_len, s, s->msg_callback_arg); 388 389 memset(msg_hdr, 0, sizeof(*msg_hdr)); 390 391 s->d1->handshake_read_seq++; 392 393 s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH; 394 *len = s->init_num; 395 396 return 1; 397 } 398 399 /* 400 * dtls1_max_handshake_message_len returns the maximum number of bytes 401 * permitted in a DTLS handshake message for |s|. The minimum is 16KB, but 402 * may be greater if the maximum certificate list size requires it. 403 */ 404 static unsigned long dtls1_max_handshake_message_len(const SSL *s) 405 { 406 unsigned long max_len = 407 DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; 408 if (max_len < (unsigned long)s->max_cert_list) 409 return s->max_cert_list; 410 return max_len; 411 } 412 413 static int dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr) 414 { 415 size_t frag_off, frag_len, msg_len; 416 417 msg_len = msg_hdr->msg_len; 418 frag_off = msg_hdr->frag_off; 419 frag_len = msg_hdr->frag_len; 420 421 /* sanity checking */ 422 if ((frag_off + frag_len) > msg_len 423 || msg_len > dtls1_max_handshake_message_len(s)) { 424 SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, SSL_R_EXCESSIVE_MESSAGE_SIZE); 425 return SSL_AD_ILLEGAL_PARAMETER; 426 } 427 428 if (s->d1->r_msg_hdr.frag_off == 0) { /* first fragment */ 429 /* 430 * msg_len is limited to 2^24, but is effectively checked against 431 * dtls_max_handshake_message_len(s) above 432 */ 433 if (!BUF_MEM_grow_clean(s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH)) { 434 SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB); 435 return SSL_AD_INTERNAL_ERROR; 436 } 437 438 s->s3->tmp.message_size = msg_len; 439 s->d1->r_msg_hdr.msg_len = msg_len; 440 s->s3->tmp.message_type = msg_hdr->type; 441 s->d1->r_msg_hdr.type = msg_hdr->type; 442 s->d1->r_msg_hdr.seq = msg_hdr->seq; 443 } else if (msg_len != s->d1->r_msg_hdr.msg_len) { 444 /* 445 * They must be playing with us! BTW, failure to enforce upper limit 446 * would open possibility for buffer overrun. 447 */ 448 SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, SSL_R_EXCESSIVE_MESSAGE_SIZE); 449 return SSL_AD_ILLEGAL_PARAMETER; 450 } 451 452 return 0; /* no error */ 453 } 454 455 static int dtls1_retrieve_buffered_fragment(SSL *s, int *ok) 456 { 457 /*- 458 * (0) check whether the desired fragment is available 459 * if so: 460 * (1) copy over the fragment to s->init_buf->data[] 461 * (2) update s->init_num 462 */ 463 pitem *item; 464 hm_fragment *frag; 465 int al; 466 467 *ok = 0; 468 469 do { 470 item = pqueue_peek(s->d1->buffered_messages); 471 if (item == NULL) 472 return 0; 473 474 frag = (hm_fragment *)item->data; 475 476 if (frag->msg_header.seq < s->d1->handshake_read_seq) { 477 /* This is a stale message that has been buffered so clear it */ 478 pqueue_pop(s->d1->buffered_messages); 479 dtls1_hm_fragment_free(frag); 480 pitem_free(item); 481 item = NULL; 482 frag = NULL; 483 } 484 } while (item == NULL); 485 486 /* Don't return if reassembly still in progress */ 487 if (frag->reassembly != NULL) 488 return 0; 489 490 if (s->d1->handshake_read_seq == frag->msg_header.seq) { 491 unsigned long frag_len = frag->msg_header.frag_len; 492 pqueue_pop(s->d1->buffered_messages); 493 494 al = dtls1_preprocess_fragment(s, &frag->msg_header); 495 496 if (al == 0) { /* no alert */ 497 unsigned char *p = 498 (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH; 499 memcpy(&p[frag->msg_header.frag_off], frag->fragment, 500 frag->msg_header.frag_len); 501 } 502 503 dtls1_hm_fragment_free(frag); 504 pitem_free(item); 505 506 if (al == 0) { 507 *ok = 1; 508 return frag_len; 509 } 510 511 ssl3_send_alert(s, SSL3_AL_FATAL, al); 512 s->init_num = 0; 513 *ok = 0; 514 return -1; 515 } else 516 return 0; 517 } 518 519 static int 520 dtls1_reassemble_fragment(SSL *s, const struct hm_header_st *msg_hdr, int *ok) 521 { 522 hm_fragment *frag = NULL; 523 pitem *item = NULL; 524 int i = -1, is_complete; 525 unsigned char seq64be[8]; 526 unsigned long frag_len = msg_hdr->frag_len; 527 528 if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len || 529 msg_hdr->msg_len > dtls1_max_handshake_message_len(s)) 530 goto err; 531 532 if (frag_len == 0) 533 return DTLS1_HM_FRAGMENT_RETRY; 534 535 /* Try to find item in queue */ 536 memset(seq64be, 0, sizeof(seq64be)); 537 seq64be[6] = (unsigned char)(msg_hdr->seq >> 8); 538 seq64be[7] = (unsigned char)msg_hdr->seq; 539 item = pqueue_find(s->d1->buffered_messages, seq64be); 540 541 if (item == NULL) { 542 frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 1); 543 if (frag == NULL) 544 goto err; 545 memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); 546 frag->msg_header.frag_len = frag->msg_header.msg_len; 547 frag->msg_header.frag_off = 0; 548 } else { 549 frag = (hm_fragment *)item->data; 550 if (frag->msg_header.msg_len != msg_hdr->msg_len) { 551 item = NULL; 552 frag = NULL; 553 goto err; 554 } 555 } 556 557 /* 558 * If message is already reassembled, this must be a retransmit and can 559 * be dropped. In this case item != NULL and so frag does not need to be 560 * freed. 561 */ 562 if (frag->reassembly == NULL) { 563 unsigned char devnull[256]; 564 565 while (frag_len) { 566 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL, 567 devnull, 568 frag_len > 569 sizeof(devnull) ? sizeof(devnull) : 570 frag_len, 0); 571 if (i <= 0) 572 goto err; 573 frag_len -= i; 574 } 575 return DTLS1_HM_FRAGMENT_RETRY; 576 } 577 578 /* read the body of the fragment (header has already been read */ 579 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL, 580 frag->fragment + msg_hdr->frag_off, 581 frag_len, 0); 582 if ((unsigned long)i != frag_len) 583 i = -1; 584 if (i <= 0) 585 goto err; 586 587 RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off, 588 (long)(msg_hdr->frag_off + frag_len)); 589 590 RSMBLY_BITMASK_IS_COMPLETE(frag->reassembly, (long)msg_hdr->msg_len, 591 is_complete); 592 593 if (is_complete) { 594 OPENSSL_free(frag->reassembly); 595 frag->reassembly = NULL; 596 } 597 598 if (item == NULL) { 599 item = pitem_new(seq64be, frag); 600 if (item == NULL) { 601 i = -1; 602 goto err; 603 } 604 605 item = pqueue_insert(s->d1->buffered_messages, item); 606 /* 607 * pqueue_insert fails iff a duplicate item is inserted. However, 608 * |item| cannot be a duplicate. If it were, |pqueue_find|, above, 609 * would have returned it and control would never have reached this 610 * branch. 611 */ 612 OPENSSL_assert(item != NULL); 613 } 614 615 return DTLS1_HM_FRAGMENT_RETRY; 616 617 err: 618 if (item == NULL) 619 dtls1_hm_fragment_free(frag); 620 *ok = 0; 621 return i; 622 } 623 624 static int 625 dtls1_process_out_of_seq_message(SSL *s, const struct hm_header_st *msg_hdr, 626 int *ok) 627 { 628 int i = -1; 629 hm_fragment *frag = NULL; 630 pitem *item = NULL; 631 unsigned char seq64be[8]; 632 unsigned long frag_len = msg_hdr->frag_len; 633 634 if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len) 635 goto err; 636 637 /* Try to find item in queue, to prevent duplicate entries */ 638 memset(seq64be, 0, sizeof(seq64be)); 639 seq64be[6] = (unsigned char)(msg_hdr->seq >> 8); 640 seq64be[7] = (unsigned char)msg_hdr->seq; 641 item = pqueue_find(s->d1->buffered_messages, seq64be); 642 643 /* 644 * If we already have an entry and this one is a fragment, don't discard 645 * it and rather try to reassemble it. 646 */ 647 if (item != NULL && frag_len != msg_hdr->msg_len) 648 item = NULL; 649 650 /* 651 * Discard the message if sequence number was already there, is too far 652 * in the future, already in the queue or if we received a FINISHED 653 * before the SERVER_HELLO, which then must be a stale retransmit. 654 */ 655 if (msg_hdr->seq <= s->d1->handshake_read_seq || 656 msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL || 657 (s->d1->handshake_read_seq == 0 && msg_hdr->type == SSL3_MT_FINISHED)) { 658 unsigned char devnull[256]; 659 660 while (frag_len) { 661 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL, 662 devnull, 663 frag_len > 664 sizeof(devnull) ? sizeof(devnull) : 665 frag_len, 0); 666 if (i <= 0) 667 goto err; 668 frag_len -= i; 669 } 670 } else { 671 if (frag_len != msg_hdr->msg_len) 672 return dtls1_reassemble_fragment(s, msg_hdr, ok); 673 674 if (frag_len > dtls1_max_handshake_message_len(s)) 675 goto err; 676 677 frag = dtls1_hm_fragment_new(frag_len, 0); 678 if (frag == NULL) 679 goto err; 680 681 memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); 682 683 if (frag_len) { 684 /* 685 * read the body of the fragment (header has already been read 686 */ 687 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL, 688 frag->fragment, frag_len, 0); 689 if ((unsigned long)i != frag_len) 690 i = -1; 691 if (i <= 0) 692 goto err; 693 } 694 695 item = pitem_new(seq64be, frag); 696 if (item == NULL) 697 goto err; 698 699 item = pqueue_insert(s->d1->buffered_messages, item); 700 /* 701 * pqueue_insert fails iff a duplicate item is inserted. However, 702 * |item| cannot be a duplicate. If it were, |pqueue_find|, above, 703 * would have returned it. Then, either |frag_len| != 704 * |msg_hdr->msg_len| in which case |item| is set to NULL and it will 705 * have been processed with |dtls1_reassemble_fragment|, above, or 706 * the record will have been discarded. 707 */ 708 OPENSSL_assert(item != NULL); 709 } 710 711 return DTLS1_HM_FRAGMENT_RETRY; 712 713 err: 714 if (item == NULL) 715 dtls1_hm_fragment_free(frag); 716 *ok = 0; 717 return i; 718 } 719 720 static int dtls_get_reassembled_message(SSL *s, long *len) 721 { 722 unsigned char wire[DTLS1_HM_HEADER_LENGTH]; 723 unsigned long mlen, frag_off, frag_len; 724 int i, al, recvd_type; 725 struct hm_header_st msg_hdr; 726 int ok; 727 728 redo: 729 /* see if we have the required fragment already */ 730 if ((frag_len = dtls1_retrieve_buffered_fragment(s, &ok)) || ok) { 731 if (ok) 732 s->init_num = frag_len; 733 *len = frag_len; 734 return ok; 735 } 736 737 /* read handshake message header */ 738 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type, wire, 739 DTLS1_HM_HEADER_LENGTH, 0); 740 if (i <= 0) { /* nbio, or an error */ 741 s->rwstate = SSL_READING; 742 *len = i; 743 return 0; 744 } 745 if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) { 746 if (wire[0] != SSL3_MT_CCS) { 747 al = SSL_AD_UNEXPECTED_MESSAGE; 748 SSLerr(SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, 749 SSL_R_BAD_CHANGE_CIPHER_SPEC); 750 goto f_err; 751 } 752 753 memcpy(s->init_buf->data, wire, i); 754 s->init_num = i - 1; 755 s->init_msg = s->init_buf->data + 1; 756 s->s3->tmp.message_type = SSL3_MT_CHANGE_CIPHER_SPEC; 757 s->s3->tmp.message_size = i - 1; 758 *len = i - 1; 759 return 1; 760 } 761 762 /* Handshake fails if message header is incomplete */ 763 if (i != DTLS1_HM_HEADER_LENGTH) { 764 al = SSL_AD_UNEXPECTED_MESSAGE; 765 SSLerr(SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); 766 goto f_err; 767 } 768 769 /* parse the message fragment header */ 770 dtls1_get_message_header(wire, &msg_hdr); 771 772 mlen = msg_hdr.msg_len; 773 frag_off = msg_hdr.frag_off; 774 frag_len = msg_hdr.frag_len; 775 776 /* 777 * We must have at least frag_len bytes left in the record to be read. 778 * Fragments must not span records. 779 */ 780 if (frag_len > RECORD_LAYER_get_rrec_length(&s->rlayer)) { 781 al = SSL3_AD_ILLEGAL_PARAMETER; 782 SSLerr(SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, SSL_R_BAD_LENGTH); 783 goto f_err; 784 } 785 786 /* 787 * if this is a future (or stale) message it gets buffered 788 * (or dropped)--no further processing at this time 789 * While listening, we accept seq 1 (ClientHello with cookie) 790 * although we're still expecting seq 0 (ClientHello) 791 */ 792 if (msg_hdr.seq != s->d1->handshake_read_seq) { 793 *len = dtls1_process_out_of_seq_message(s, &msg_hdr, &ok); 794 return ok; 795 } 796 797 if (frag_len && frag_len < mlen) { 798 *len = dtls1_reassemble_fragment(s, &msg_hdr, &ok); 799 return ok; 800 } 801 802 if (!s->server && s->d1->r_msg_hdr.frag_off == 0 && 803 wire[0] == SSL3_MT_HELLO_REQUEST) { 804 /* 805 * The server may always send 'Hello Request' messages -- we are 806 * doing a handshake anyway now, so ignore them if their format is 807 * correct. Does not count for 'Finished' MAC. 808 */ 809 if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0) { 810 if (s->msg_callback) 811 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 812 wire, DTLS1_HM_HEADER_LENGTH, s, 813 s->msg_callback_arg); 814 815 s->init_num = 0; 816 goto redo; 817 } else { /* Incorrectly formatted Hello request */ 818 819 al = SSL_AD_UNEXPECTED_MESSAGE; 820 SSLerr(SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, 821 SSL_R_UNEXPECTED_MESSAGE); 822 goto f_err; 823 } 824 } 825 826 if ((al = dtls1_preprocess_fragment(s, &msg_hdr))) 827 goto f_err; 828 829 if (frag_len > 0) { 830 unsigned char *p = 831 (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH; 832 833 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL, 834 &p[frag_off], frag_len, 0); 835 836 /* 837 * This shouldn't ever fail due to NBIO because we already checked 838 * that we have enough data in the record 839 */ 840 if (i <= 0) { 841 s->rwstate = SSL_READING; 842 *len = i; 843 return 0; 844 } 845 } else 846 i = 0; 847 848 /* 849 * XDTLS: an incorrectly formatted fragment should cause the handshake 850 * to fail 851 */ 852 if (i != (int)frag_len) { 853 al = SSL3_AD_ILLEGAL_PARAMETER; 854 SSLerr(SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, SSL3_AD_ILLEGAL_PARAMETER); 855 goto f_err; 856 } 857 858 /* 859 * Note that s->init_num is *not* used as current offset in 860 * s->init_buf->data, but as a counter summing up fragments' lengths: as 861 * soon as they sum up to handshake packet length, we assume we have got 862 * all the fragments. 863 */ 864 *len = s->init_num = frag_len; 865 return 1; 866 867 f_err: 868 ssl3_send_alert(s, SSL3_AL_FATAL, al); 869 s->init_num = 0; 870 *len = -1; 871 return 0; 872 } 873 874 /*- 875 * for these 2 messages, we need to 876 * ssl->enc_read_ctx re-init 877 * ssl->rlayer.read_sequence zero 878 * ssl->s3->read_mac_secret re-init 879 * ssl->session->read_sym_enc assign 880 * ssl->session->read_compression assign 881 * ssl->session->read_hash assign 882 */ 883 int dtls_construct_change_cipher_spec(SSL *s) 884 { 885 unsigned char *p; 886 887 p = (unsigned char *)s->init_buf->data; 888 *p++ = SSL3_MT_CCS; 889 s->d1->handshake_write_seq = s->d1->next_handshake_write_seq; 890 s->init_num = DTLS1_CCS_HEADER_LENGTH; 891 892 if (s->version == DTLS1_BAD_VER) { 893 s->d1->next_handshake_write_seq++; 894 s2n(s->d1->handshake_write_seq, p); 895 s->init_num += 2; 896 } 897 898 s->init_off = 0; 899 900 dtls1_set_message_header_int(s, SSL3_MT_CCS, 0, 901 s->d1->handshake_write_seq, 0, 0); 902 903 /* buffer the message to handle re-xmits */ 904 if (!dtls1_buffer_message(s, 1)) { 905 SSLerr(SSL_F_DTLS_CONSTRUCT_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR); 906 return 0; 907 } 908 909 return 1; 910 } 911 912 #ifndef OPENSSL_NO_SCTP 913 /* 914 * Wait for a dry event. Should only be called at a point in the handshake 915 * where we are not expecting any data from the peer (except possibly an alert). 916 */ 917 WORK_STATE dtls_wait_for_dry(SSL *s) 918 { 919 int ret; 920 long len; 921 922 /* read app data until dry event */ 923 ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s)); 924 if (ret < 0) 925 return WORK_ERROR; 926 927 if (ret == 0) { 928 /* 929 * We're not expecting any more messages from the peer at this point - 930 * but we could get an alert. If an alert is waiting then we will never 931 * return successfully. Therefore we attempt to read a message. This 932 * should never succeed but will process any waiting alerts. 933 */ 934 if (dtls_get_reassembled_message(s, &len)) { 935 /* The call succeeded! This should never happen */ 936 SSLerr(SSL_F_DTLS_WAIT_FOR_DRY, SSL_R_UNEXPECTED_MESSAGE); 937 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); 938 ossl_statem_set_error(s); 939 return WORK_ERROR; 940 } 941 942 s->s3->in_read_app_data = 2; 943 s->rwstate = SSL_READING; 944 BIO_clear_retry_flags(SSL_get_rbio(s)); 945 BIO_set_retry_read(SSL_get_rbio(s)); 946 return WORK_MORE_A; 947 } 948 return WORK_FINISHED_CONTINUE; 949 } 950 #endif 951 952 int dtls1_read_failed(SSL *s, int code) 953 { 954 if (code > 0) { 955 SSLerr(SSL_F_DTLS1_READ_FAILED, ERR_R_INTERNAL_ERROR); 956 return 1; 957 } 958 959 if (!dtls1_is_timer_expired(s)) { 960 /* 961 * not a timeout, none of our business, let higher layers handle 962 * this. in fact it's probably an error 963 */ 964 return code; 965 } 966 #ifndef OPENSSL_NO_HEARTBEATS 967 /* done, no need to send a retransmit */ 968 if (!SSL_in_init(s) && !s->tlsext_hb_pending) 969 #else 970 /* done, no need to send a retransmit */ 971 if (!SSL_in_init(s)) 972 #endif 973 { 974 BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ); 975 return code; 976 } 977 978 return dtls1_handle_timeout(s); 979 } 980 981 int dtls1_get_queue_priority(unsigned short seq, int is_ccs) 982 { 983 /* 984 * The index of the retransmission queue actually is the message sequence 985 * number, since the queue only contains messages of a single handshake. 986 * However, the ChangeCipherSpec has no message sequence number and so 987 * using only the sequence will result in the CCS and Finished having the 988 * same index. To prevent this, the sequence number is multiplied by 2. 989 * In case of a CCS 1 is subtracted. This does not only differ CSS and 990 * Finished, it also maintains the order of the index (important for 991 * priority queues) and fits in the unsigned short variable. 992 */ 993 return seq * 2 - is_ccs; 994 } 995 996 int dtls1_retransmit_buffered_messages(SSL *s) 997 { 998 pqueue *sent = s->d1->sent_messages; 999 piterator iter; 1000 pitem *item; 1001 hm_fragment *frag; 1002 int found = 0; 1003 1004 iter = pqueue_iterator(sent); 1005 1006 for (item = pqueue_next(&iter); item != NULL; item = pqueue_next(&iter)) { 1007 frag = (hm_fragment *)item->data; 1008 if (dtls1_retransmit_message(s, (unsigned short) 1009 dtls1_get_queue_priority 1010 (frag->msg_header.seq, 1011 frag->msg_header.is_ccs), &found) <= 0) 1012 return -1; 1013 } 1014 1015 return 1; 1016 } 1017 1018 int dtls1_buffer_message(SSL *s, int is_ccs) 1019 { 1020 pitem *item; 1021 hm_fragment *frag; 1022 unsigned char seq64be[8]; 1023 1024 /* 1025 * this function is called immediately after a message has been 1026 * serialized 1027 */ 1028 OPENSSL_assert(s->init_off == 0); 1029 1030 frag = dtls1_hm_fragment_new(s->init_num, 0); 1031 if (frag == NULL) 1032 return 0; 1033 1034 memcpy(frag->fragment, s->init_buf->data, s->init_num); 1035 1036 if (is_ccs) { 1037 /* For DTLS1_BAD_VER the header length is non-standard */ 1038 OPENSSL_assert(s->d1->w_msg_hdr.msg_len + 1039 ((s->version == 1040 DTLS1_BAD_VER) ? 3 : DTLS1_CCS_HEADER_LENGTH) 1041 == (unsigned int)s->init_num); 1042 } else { 1043 OPENSSL_assert(s->d1->w_msg_hdr.msg_len + 1044 DTLS1_HM_HEADER_LENGTH == (unsigned int)s->init_num); 1045 } 1046 1047 frag->msg_header.msg_len = s->d1->w_msg_hdr.msg_len; 1048 frag->msg_header.seq = s->d1->w_msg_hdr.seq; 1049 frag->msg_header.type = s->d1->w_msg_hdr.type; 1050 frag->msg_header.frag_off = 0; 1051 frag->msg_header.frag_len = s->d1->w_msg_hdr.msg_len; 1052 frag->msg_header.is_ccs = is_ccs; 1053 1054 /* save current state */ 1055 frag->msg_header.saved_retransmit_state.enc_write_ctx = s->enc_write_ctx; 1056 frag->msg_header.saved_retransmit_state.write_hash = s->write_hash; 1057 frag->msg_header.saved_retransmit_state.compress = s->compress; 1058 frag->msg_header.saved_retransmit_state.session = s->session; 1059 frag->msg_header.saved_retransmit_state.epoch = 1060 DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer); 1061 1062 memset(seq64be, 0, sizeof(seq64be)); 1063 seq64be[6] = 1064 (unsigned 1065 char)(dtls1_get_queue_priority(frag->msg_header.seq, 1066 frag->msg_header.is_ccs) >> 8); 1067 seq64be[7] = 1068 (unsigned 1069 char)(dtls1_get_queue_priority(frag->msg_header.seq, 1070 frag->msg_header.is_ccs)); 1071 1072 item = pitem_new(seq64be, frag); 1073 if (item == NULL) { 1074 dtls1_hm_fragment_free(frag); 1075 return 0; 1076 } 1077 1078 pqueue_insert(s->d1->sent_messages, item); 1079 return 1; 1080 } 1081 1082 int dtls1_retransmit_message(SSL *s, unsigned short seq, int *found) 1083 { 1084 int ret; 1085 /* XDTLS: for now assuming that read/writes are blocking */ 1086 pitem *item; 1087 hm_fragment *frag; 1088 unsigned long header_length; 1089 unsigned char seq64be[8]; 1090 struct dtls1_retransmit_state saved_state; 1091 1092 /*- 1093 OPENSSL_assert(s->init_num == 0); 1094 OPENSSL_assert(s->init_off == 0); 1095 */ 1096 1097 /* XDTLS: the requested message ought to be found, otherwise error */ 1098 memset(seq64be, 0, sizeof(seq64be)); 1099 seq64be[6] = (unsigned char)(seq >> 8); 1100 seq64be[7] = (unsigned char)seq; 1101 1102 item = pqueue_find(s->d1->sent_messages, seq64be); 1103 if (item == NULL) { 1104 SSLerr(SSL_F_DTLS1_RETRANSMIT_MESSAGE, ERR_R_INTERNAL_ERROR); 1105 *found = 0; 1106 return 0; 1107 } 1108 1109 *found = 1; 1110 frag = (hm_fragment *)item->data; 1111 1112 if (frag->msg_header.is_ccs) 1113 header_length = DTLS1_CCS_HEADER_LENGTH; 1114 else 1115 header_length = DTLS1_HM_HEADER_LENGTH; 1116 1117 memcpy(s->init_buf->data, frag->fragment, 1118 frag->msg_header.msg_len + header_length); 1119 s->init_num = frag->msg_header.msg_len + header_length; 1120 1121 dtls1_set_message_header_int(s, frag->msg_header.type, 1122 frag->msg_header.msg_len, 1123 frag->msg_header.seq, 0, 1124 frag->msg_header.frag_len); 1125 1126 /* save current state */ 1127 saved_state.enc_write_ctx = s->enc_write_ctx; 1128 saved_state.write_hash = s->write_hash; 1129 saved_state.compress = s->compress; 1130 saved_state.session = s->session; 1131 saved_state.epoch = DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer); 1132 1133 s->d1->retransmitting = 1; 1134 1135 /* restore state in which the message was originally sent */ 1136 s->enc_write_ctx = frag->msg_header.saved_retransmit_state.enc_write_ctx; 1137 s->write_hash = frag->msg_header.saved_retransmit_state.write_hash; 1138 s->compress = frag->msg_header.saved_retransmit_state.compress; 1139 s->session = frag->msg_header.saved_retransmit_state.session; 1140 DTLS_RECORD_LAYER_set_saved_w_epoch(&s->rlayer, 1141 frag->msg_header. 1142 saved_retransmit_state.epoch); 1143 1144 ret = dtls1_do_write(s, frag->msg_header.is_ccs ? 1145 SSL3_RT_CHANGE_CIPHER_SPEC : SSL3_RT_HANDSHAKE); 1146 1147 /* restore current state */ 1148 s->enc_write_ctx = saved_state.enc_write_ctx; 1149 s->write_hash = saved_state.write_hash; 1150 s->compress = saved_state.compress; 1151 s->session = saved_state.session; 1152 DTLS_RECORD_LAYER_set_saved_w_epoch(&s->rlayer, saved_state.epoch); 1153 1154 s->d1->retransmitting = 0; 1155 1156 (void)BIO_flush(s->wbio); 1157 return ret; 1158 } 1159 1160 void dtls1_set_message_header(SSL *s, 1161 unsigned char mt, unsigned long len, 1162 unsigned long frag_off, unsigned long frag_len) 1163 { 1164 if (frag_off == 0) { 1165 s->d1->handshake_write_seq = s->d1->next_handshake_write_seq; 1166 s->d1->next_handshake_write_seq++; 1167 } 1168 1169 dtls1_set_message_header_int(s, mt, len, s->d1->handshake_write_seq, 1170 frag_off, frag_len); 1171 } 1172 1173 /* don't actually do the writing, wait till the MTU has been retrieved */ 1174 static void 1175 dtls1_set_message_header_int(SSL *s, unsigned char mt, 1176 unsigned long len, unsigned short seq_num, 1177 unsigned long frag_off, unsigned long frag_len) 1178 { 1179 struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; 1180 1181 msg_hdr->type = mt; 1182 msg_hdr->msg_len = len; 1183 msg_hdr->seq = seq_num; 1184 msg_hdr->frag_off = frag_off; 1185 msg_hdr->frag_len = frag_len; 1186 } 1187 1188 static void 1189 dtls1_fix_message_header(SSL *s, unsigned long frag_off, unsigned long frag_len) 1190 { 1191 struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; 1192 1193 msg_hdr->frag_off = frag_off; 1194 msg_hdr->frag_len = frag_len; 1195 } 1196 1197 static unsigned char *dtls1_write_message_header(SSL *s, unsigned char *p) 1198 { 1199 struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; 1200 1201 *p++ = msg_hdr->type; 1202 l2n3(msg_hdr->msg_len, p); 1203 1204 s2n(msg_hdr->seq, p); 1205 l2n3(msg_hdr->frag_off, p); 1206 l2n3(msg_hdr->frag_len, p); 1207 1208 return p; 1209 } 1210 1211 void dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr) 1212 { 1213 memset(msg_hdr, 0, sizeof(*msg_hdr)); 1214 msg_hdr->type = *(data++); 1215 n2l3(data, msg_hdr->msg_len); 1216 1217 n2s(data, msg_hdr->seq); 1218 n2l3(data, msg_hdr->frag_off); 1219 n2l3(data, msg_hdr->frag_len); 1220 } 1221