1 /* $OpenBSD: d1_lib.c,v 1.54 2021/05/16 13:56:30 jsing Exp $ */ 2 /* 3 * DTLS implementation written by Nagendra Modadugu 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 5 */ 6 /* ==================================================================== 7 * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * openssl-core@OpenSSL.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 * 54 * This product includes cryptographic software written by Eric Young 55 * (eay@cryptsoft.com). This product includes software written by Tim 56 * Hudson (tjh@cryptsoft.com). 57 * 58 */ 59 60 #include <sys/types.h> 61 #include <sys/socket.h> 62 #include <sys/time.h> 63 64 #include <netinet/in.h> 65 66 #include <stdio.h> 67 68 #include <openssl/objects.h> 69 70 #include "dtls_locl.h" 71 #include "pqueue.h" 72 #include "ssl_locl.h" 73 74 void dtls1_hm_fragment_free(hm_fragment *frag); 75 76 static int dtls1_listen(SSL *s, struct sockaddr *client); 77 78 int 79 dtls1_new(SSL *s) 80 { 81 if (!ssl3_new(s)) 82 goto err; 83 84 if ((s->d1 = calloc(1, sizeof(*s->d1))) == NULL) 85 goto err; 86 if ((s->d1->internal = calloc(1, sizeof(*s->d1->internal))) == NULL) 87 goto err; 88 89 if ((s->d1->internal->unprocessed_rcds.q = pqueue_new()) == NULL) 90 goto err; 91 if ((s->d1->internal->processed_rcds.q = pqueue_new()) == NULL) 92 goto err; 93 if ((s->d1->internal->buffered_messages = pqueue_new()) == NULL) 94 goto err; 95 if ((s->d1->sent_messages = pqueue_new()) == NULL) 96 goto err; 97 if ((s->d1->internal->buffered_app_data.q = pqueue_new()) == NULL) 98 goto err; 99 100 if (s->server) 101 s->d1->internal->cookie_len = sizeof(D1I(s)->cookie); 102 103 s->method->internal->ssl_clear(s); 104 return (1); 105 106 err: 107 dtls1_free(s); 108 return (0); 109 } 110 111 static void 112 dtls1_drain_records(pqueue queue) 113 { 114 pitem *item; 115 DTLS1_RECORD_DATA_INTERNAL *rdata; 116 117 if (queue == NULL) 118 return; 119 120 while ((item = pqueue_pop(queue)) != NULL) { 121 rdata = (DTLS1_RECORD_DATA_INTERNAL *)item->data; 122 ssl3_release_buffer(&rdata->rbuf); 123 free(item->data); 124 pitem_free(item); 125 } 126 } 127 128 static void 129 dtls1_drain_fragments(pqueue queue) 130 { 131 pitem *item; 132 133 if (queue == NULL) 134 return; 135 136 while ((item = pqueue_pop(queue)) != NULL) { 137 dtls1_hm_fragment_free(item->data); 138 pitem_free(item); 139 } 140 } 141 142 static void 143 dtls1_clear_queues(SSL *s) 144 { 145 dtls1_drain_records(D1I(s)->unprocessed_rcds.q); 146 dtls1_drain_records(D1I(s)->processed_rcds.q); 147 dtls1_drain_fragments(D1I(s)->buffered_messages); 148 dtls1_drain_fragments(s->d1->sent_messages); 149 dtls1_drain_records(D1I(s)->buffered_app_data.q); 150 } 151 152 void 153 dtls1_free(SSL *s) 154 { 155 if (s == NULL) 156 return; 157 158 ssl3_free(s); 159 160 dtls1_clear_queues(s); 161 162 pqueue_free(D1I(s)->unprocessed_rcds.q); 163 pqueue_free(D1I(s)->processed_rcds.q); 164 pqueue_free(D1I(s)->buffered_messages); 165 pqueue_free(s->d1->sent_messages); 166 pqueue_free(D1I(s)->buffered_app_data.q); 167 168 freezero(s->d1->internal, sizeof(*s->d1->internal)); 169 freezero(s->d1, sizeof(*s->d1)); 170 171 s->d1 = NULL; 172 } 173 174 void 175 dtls1_clear(SSL *s) 176 { 177 struct dtls1_state_internal_st *internal; 178 pqueue unprocessed_rcds; 179 pqueue processed_rcds; 180 pqueue buffered_messages; 181 pqueue sent_messages; 182 pqueue buffered_app_data; 183 unsigned int mtu; 184 185 if (s->d1) { 186 unprocessed_rcds = D1I(s)->unprocessed_rcds.q; 187 processed_rcds = D1I(s)->processed_rcds.q; 188 buffered_messages = D1I(s)->buffered_messages; 189 sent_messages = s->d1->sent_messages; 190 buffered_app_data = D1I(s)->buffered_app_data.q; 191 mtu = D1I(s)->mtu; 192 193 dtls1_clear_queues(s); 194 195 memset(s->d1->internal, 0, sizeof(*s->d1->internal)); 196 internal = s->d1->internal; 197 memset(s->d1, 0, sizeof(*s->d1)); 198 s->d1->internal = internal; 199 200 if (s->server) { 201 D1I(s)->cookie_len = sizeof(D1I(s)->cookie); 202 } 203 204 if (SSL_get_options(s) & SSL_OP_NO_QUERY_MTU) { 205 D1I(s)->mtu = mtu; 206 } 207 208 D1I(s)->unprocessed_rcds.q = unprocessed_rcds; 209 D1I(s)->processed_rcds.q = processed_rcds; 210 D1I(s)->buffered_messages = buffered_messages; 211 s->d1->sent_messages = sent_messages; 212 D1I(s)->buffered_app_data.q = buffered_app_data; 213 } 214 215 ssl3_clear(s); 216 217 s->version = DTLS1_VERSION; 218 } 219 220 long 221 dtls1_ctrl(SSL *s, int cmd, long larg, void *parg) 222 { 223 int ret = 0; 224 225 switch (cmd) { 226 case DTLS_CTRL_GET_TIMEOUT: 227 if (dtls1_get_timeout(s, (struct timeval*) parg) != NULL) { 228 ret = 1; 229 } 230 break; 231 case DTLS_CTRL_HANDLE_TIMEOUT: 232 ret = dtls1_handle_timeout(s); 233 break; 234 case DTLS_CTRL_LISTEN: 235 ret = dtls1_listen(s, parg); 236 break; 237 238 default: 239 ret = ssl3_ctrl(s, cmd, larg, parg); 240 break; 241 } 242 return (ret); 243 } 244 245 /* 246 * As it's impossible to use stream ciphers in "datagram" mode, this 247 * simple filter is designed to disengage them in DTLS. Unfortunately 248 * there is no universal way to identify stream SSL_CIPHER, so we have 249 * to explicitly list their SSL_* codes. Currently RC4 is the only one 250 * available, but if new ones emerge, they will have to be added... 251 */ 252 const SSL_CIPHER * 253 dtls1_get_cipher(unsigned int u) 254 { 255 const SSL_CIPHER *cipher; 256 257 if ((cipher = ssl3_get_cipher(u)) == NULL) 258 return NULL; 259 260 if (cipher->algorithm_enc == SSL_RC4) 261 return NULL; 262 263 return cipher; 264 } 265 266 void 267 dtls1_start_timer(SSL *s) 268 { 269 270 /* If timer is not set, initialize duration with 1 second */ 271 if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) { 272 s->d1->timeout_duration = 1; 273 } 274 275 /* Set timeout to current time */ 276 gettimeofday(&(s->d1->next_timeout), NULL); 277 278 /* Add duration to current time */ 279 s->d1->next_timeout.tv_sec += s->d1->timeout_duration; 280 BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, 281 &s->d1->next_timeout); 282 } 283 284 struct timeval* 285 dtls1_get_timeout(SSL *s, struct timeval* timeleft) 286 { 287 struct timeval timenow; 288 289 /* If no timeout is set, just return NULL */ 290 if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) { 291 return NULL; 292 } 293 294 /* Get current time */ 295 gettimeofday(&timenow, NULL); 296 297 /* If timer already expired, set remaining time to 0 */ 298 if (s->d1->next_timeout.tv_sec < timenow.tv_sec || 299 (s->d1->next_timeout.tv_sec == timenow.tv_sec && 300 s->d1->next_timeout.tv_usec <= timenow.tv_usec)) { 301 memset(timeleft, 0, sizeof(struct timeval)); 302 return timeleft; 303 } 304 305 /* Calculate time left until timer expires */ 306 memcpy(timeleft, &(s->d1->next_timeout), sizeof(struct timeval)); 307 timeleft->tv_sec -= timenow.tv_sec; 308 timeleft->tv_usec -= timenow.tv_usec; 309 if (timeleft->tv_usec < 0) { 310 timeleft->tv_sec--; 311 timeleft->tv_usec += 1000000; 312 } 313 314 /* If remaining time is less than 15 ms, set it to 0 315 * to prevent issues because of small devergences with 316 * socket timeouts. 317 */ 318 if (timeleft->tv_sec == 0 && timeleft->tv_usec < 15000) { 319 memset(timeleft, 0, sizeof(struct timeval)); 320 } 321 322 323 return timeleft; 324 } 325 326 int 327 dtls1_is_timer_expired(SSL *s) 328 { 329 struct timeval timeleft; 330 331 /* Get time left until timeout, return false if no timer running */ 332 if (dtls1_get_timeout(s, &timeleft) == NULL) { 333 return 0; 334 } 335 336 /* Return false if timer is not expired yet */ 337 if (timeleft.tv_sec > 0 || timeleft.tv_usec > 0) { 338 return 0; 339 } 340 341 /* Timer expired, so return true */ 342 return 1; 343 } 344 345 void 346 dtls1_double_timeout(SSL *s) 347 { 348 s->d1->timeout_duration *= 2; 349 if (s->d1->timeout_duration > 60) 350 s->d1->timeout_duration = 60; 351 dtls1_start_timer(s); 352 } 353 354 void 355 dtls1_stop_timer(SSL *s) 356 { 357 /* Reset everything */ 358 memset(&(D1I(s)->timeout), 0, sizeof(struct dtls1_timeout_st)); 359 memset(&(s->d1->next_timeout), 0, sizeof(struct timeval)); 360 s->d1->timeout_duration = 1; 361 BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, 362 &(s->d1->next_timeout)); 363 /* Clear retransmission buffer */ 364 dtls1_clear_record_buffer(s); 365 } 366 367 int 368 dtls1_check_timeout_num(SSL *s) 369 { 370 D1I(s)->timeout.num_alerts++; 371 372 /* Reduce MTU after 2 unsuccessful retransmissions */ 373 if (D1I(s)->timeout.num_alerts > 2) { 374 D1I(s)->mtu = BIO_ctrl(SSL_get_wbio(s), 375 BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL); 376 377 } 378 379 if (D1I(s)->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) { 380 /* fail the connection, enough alerts have been sent */ 381 SSLerror(s, SSL_R_READ_TIMEOUT_EXPIRED); 382 return -1; 383 } 384 385 return 0; 386 } 387 388 int 389 dtls1_handle_timeout(SSL *s) 390 { 391 /* if no timer is expired, don't do anything */ 392 if (!dtls1_is_timer_expired(s)) { 393 return 0; 394 } 395 396 dtls1_double_timeout(s); 397 398 if (dtls1_check_timeout_num(s) < 0) 399 return -1; 400 401 D1I(s)->timeout.read_timeouts++; 402 if (D1I(s)->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) { 403 D1I(s)->timeout.read_timeouts = 1; 404 } 405 406 dtls1_start_timer(s); 407 return dtls1_retransmit_buffered_messages(s); 408 } 409 410 int 411 dtls1_listen(SSL *s, struct sockaddr *client) 412 { 413 int ret; 414 415 /* Ensure there is no state left over from a previous invocation */ 416 SSL_clear(s); 417 418 SSL_set_options(s, SSL_OP_COOKIE_EXCHANGE); 419 D1I(s)->listen = 1; 420 421 ret = SSL_accept(s); 422 if (ret <= 0) 423 return ret; 424 425 (void)BIO_dgram_get_peer(SSL_get_rbio(s), client); 426 return 1; 427 } 428