1 1.1 christos /* 2 1.1 christos * Copyright 2005-2025 The OpenSSL Project Authors. All Rights Reserved. 3 1.1 christos * 4 1.1 christos * Licensed under the Apache License 2.0 (the "License"). You may not use 5 1.1 christos * this file except in compliance with the License. You can obtain a copy 6 1.1 christos * in the file LICENSE in the source distribution or at 7 1.1 christos * https://www.openssl.org/source/license.html 8 1.1 christos */ 9 1.1 christos 10 1.1 christos #include <assert.h> 11 1.1 christos #include <limits.h> 12 1.1 christos #include <string.h> 13 1.1 christos #include <stdio.h> 14 1.1 christos #include "../ssl_local.h" 15 1.1 christos #include "statem_local.h" 16 1.1 christos #include "internal/cryptlib.h" 17 1.1 christos #include "internal/ssl_unwrap.h" 18 1.1 christos #include <openssl/buffer.h> 19 1.1 christos 20 1.1 christos #define RSMBLY_BITMASK_SIZE(msg_len) (((msg_len) + 7) / 8) 21 1.1 christos 22 1.1.1.2 christos #define RSMBLY_BITMASK_MARK(bitmask, start, end) \ 23 1.1.1.2 christos { \ 24 1.1.1.2 christos if ((end) - (start) <= 8) { \ 25 1.1.1.2 christos long ii; \ 26 1.1.1.2 christos for (ii = (start); ii < (end); ii++) \ 27 1.1.1.2 christos bitmask[((ii) >> 3)] |= (1 << ((ii) & 7)); \ 28 1.1.1.2 christos } else { \ 29 1.1.1.2 christos long ii; \ 30 1.1.1.2 christos bitmask[((start) >> 3)] |= bitmask_start_values[((start) & 7)]; \ 31 1.1.1.2 christos for (ii = (((start) >> 3) + 1); ii < ((((end) - 1)) >> 3); ii++) \ 32 1.1.1.2 christos bitmask[ii] = 0xff; \ 33 1.1.1.2 christos bitmask[(((end) - 1) >> 3)] |= bitmask_end_values[((end) & 7)]; \ 34 1.1.1.2 christos } \ 35 1.1.1.2 christos } 36 1.1.1.2 christos 37 1.1.1.2 christos #define RSMBLY_BITMASK_IS_COMPLETE(bitmask, msg_len, is_complete) \ 38 1.1.1.2 christos { \ 39 1.1.1.2 christos long ii; \ 40 1.1.1.2 christos is_complete = 1; \ 41 1.1.1.2 christos if (bitmask[(((msg_len) - 1) >> 3)] != bitmask_end_values[((msg_len) & 7)]) \ 42 1.1.1.2 christos is_complete = 0; \ 43 1.1.1.2 christos if (is_complete) \ 44 1.1.1.2 christos for (ii = (((msg_len) - 1) >> 3) - 1; ii >= 0; ii--) \ 45 1.1.1.2 christos if (bitmask[ii] != 0xff) { \ 46 1.1.1.2 christos is_complete = 0; \ 47 1.1.1.2 christos break; \ 48 1.1.1.2 christos } \ 49 1.1.1.2 christos } 50 1.1 christos 51 1.1 christos static const unsigned char bitmask_start_values[] = { 52 1.1 christos 0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80 53 1.1 christos }; 54 1.1 christos static const unsigned char bitmask_end_values[] = { 55 1.1 christos 0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f 56 1.1 christos }; 57 1.1 christos 58 1.1 christos static void dtls1_fix_message_header(SSL_CONNECTION *s, size_t frag_off, 59 1.1.1.2 christos size_t frag_len); 60 1.1 christos static unsigned char *dtls1_write_message_header(SSL_CONNECTION *s, 61 1.1.1.2 christos unsigned char *p); 62 1.1 christos static void dtls1_set_message_header_int(SSL_CONNECTION *s, unsigned char mt, 63 1.1.1.2 christos size_t len, 64 1.1.1.2 christos unsigned short seq_num, 65 1.1.1.2 christos size_t frag_off, 66 1.1.1.2 christos size_t frag_len); 67 1.1 christos static int dtls_get_reassembled_message(SSL_CONNECTION *s, int *errtype, 68 1.1.1.2 christos size_t *len); 69 1.1 christos 70 1.1 christos static hm_fragment *dtls1_hm_fragment_new(size_t frag_len, int reassembly) 71 1.1 christos { 72 1.1 christos hm_fragment *frag = NULL; 73 1.1 christos unsigned char *buf = NULL; 74 1.1 christos unsigned char *bitmask = NULL; 75 1.1 christos 76 1.1 christos if ((frag = OPENSSL_zalloc(sizeof(*frag))) == NULL) 77 1.1 christos return NULL; 78 1.1 christos 79 1.1 christos if (frag_len) { 80 1.1 christos if ((buf = OPENSSL_malloc(frag_len)) == NULL) { 81 1.1 christos OPENSSL_free(frag); 82 1.1 christos return NULL; 83 1.1 christos } 84 1.1 christos } 85 1.1 christos 86 1.1 christos /* zero length fragment gets zero frag->fragment */ 87 1.1 christos frag->fragment = buf; 88 1.1 christos 89 1.1 christos /* Initialize reassembly bitmask if necessary */ 90 1.1 christos if (reassembly) { 91 1.1 christos bitmask = OPENSSL_zalloc(RSMBLY_BITMASK_SIZE(frag_len)); 92 1.1 christos if (bitmask == NULL) { 93 1.1 christos OPENSSL_free(buf); 94 1.1 christos OPENSSL_free(frag); 95 1.1 christos return NULL; 96 1.1 christos } 97 1.1 christos } 98 1.1 christos 99 1.1 christos frag->reassembly = bitmask; 100 1.1 christos 101 1.1 christos return frag; 102 1.1 christos } 103 1.1 christos 104 1.1 christos void dtls1_hm_fragment_free(hm_fragment *frag) 105 1.1 christos { 106 1.1 christos if (!frag) 107 1.1 christos return; 108 1.1 christos 109 1.1 christos OPENSSL_free(frag->fragment); 110 1.1 christos OPENSSL_free(frag->reassembly); 111 1.1 christos OPENSSL_free(frag); 112 1.1 christos } 113 1.1 christos 114 1.1 christos /* 115 1.1 christos * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or 116 1.1 christos * SSL3_RT_CHANGE_CIPHER_SPEC) 117 1.1 christos */ 118 1.1 christos int dtls1_do_write(SSL_CONNECTION *s, uint8_t type) 119 1.1 christos { 120 1.1 christos int ret; 121 1.1 christos size_t written; 122 1.1 christos size_t curr_mtu; 123 1.1 christos int retry = 1; 124 1.1 christos size_t len, frag_off, overhead, used_len; 125 1.1 christos SSL *ssl = SSL_CONNECTION_GET_SSL(s); 126 1.1 christos SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s); 127 1.1 christos uint8_t saved_payload[DTLS1_HM_HEADER_LENGTH]; 128 1.1 christos 129 1.1 christos if (!dtls1_query_mtu(s)) 130 1.1 christos return -1; 131 1.1 christos 132 1.1 christos if (s->d1->mtu < dtls1_min_mtu(s)) 133 1.1 christos /* should have something reasonable now */ 134 1.1 christos return -1; 135 1.1 christos 136 1.1 christos if (s->init_off == 0 && type == SSL3_RT_HANDSHAKE) { 137 1.1.1.2 christos if (!ossl_assert(s->init_num == s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH)) 138 1.1 christos return -1; 139 1.1 christos } 140 1.1 christos 141 1.1 christos overhead = s->rlayer.wrlmethod->get_max_record_overhead(s->rlayer.wrl); 142 1.1 christos 143 1.1 christos frag_off = 0; 144 1.1 christos s->rwstate = SSL_NOTHING; 145 1.1 christos 146 1.1 christos /* s->init_num shouldn't ever be < 0...but just in case */ 147 1.1 christos while (s->init_num > 0) { 148 1.1 christos if (type == SSL3_RT_HANDSHAKE && s->init_off != 0) { 149 1.1 christos /* We must be writing a fragment other than the first one */ 150 1.1 christos 151 1.1 christos if (frag_off > 0) { 152 1.1 christos /* This is the first attempt at writing out this fragment */ 153 1.1 christos 154 1.1 christos if (s->init_off <= DTLS1_HM_HEADER_LENGTH) { 155 1.1 christos /* 156 1.1 christos * Each fragment that was already sent must at least have 157 1.1 christos * contained the message header plus one other byte. 158 1.1 christos * Therefore |init_off| must have progressed by at least 159 1.1 christos * |DTLS1_HM_HEADER_LENGTH + 1| bytes. If not something went 160 1.1 christos * wrong. 161 1.1 christos */ 162 1.1 christos return -1; 163 1.1 christos } 164 1.1 christos 165 1.1 christos /* 166 1.1 christos * Adjust |init_off| and |init_num| to allow room for a new 167 1.1 christos * message header for this fragment. 168 1.1 christos */ 169 1.1 christos s->init_off -= DTLS1_HM_HEADER_LENGTH; 170 1.1 christos s->init_num += DTLS1_HM_HEADER_LENGTH; 171 1.1 christos } else { 172 1.1 christos /* 173 1.1 christos * We must have been called again after a retry so use the 174 1.1 christos * fragment offset from our last attempt. We do not need 175 1.1 christos * to adjust |init_off| and |init_num| as above, because 176 1.1 christos * that should already have been done before the retry. 177 1.1 christos */ 178 1.1 christos frag_off = s->d1->w_msg_hdr.frag_off; 179 1.1 christos } 180 1.1 christos } 181 1.1 christos 182 1.1 christos used_len = BIO_wpending(s->wbio) + overhead; 183 1.1 christos if (s->d1->mtu > used_len) 184 1.1 christos curr_mtu = s->d1->mtu - used_len; 185 1.1 christos else 186 1.1 christos curr_mtu = 0; 187 1.1 christos 188 1.1 christos if (curr_mtu <= DTLS1_HM_HEADER_LENGTH) { 189 1.1 christos /* 190 1.1 christos * grr.. we could get an error if MTU picked was wrong 191 1.1 christos */ 192 1.1 christos ret = BIO_flush(s->wbio); 193 1.1 christos if (ret <= 0) { 194 1.1 christos s->rwstate = SSL_WRITING; 195 1.1 christos return ret; 196 1.1 christos } 197 1.1 christos if (s->d1->mtu > overhead + DTLS1_HM_HEADER_LENGTH) { 198 1.1 christos curr_mtu = s->d1->mtu - overhead; 199 1.1 christos } else { 200 1.1 christos /* Shouldn't happen */ 201 1.1 christos return -1; 202 1.1 christos } 203 1.1 christos } 204 1.1 christos 205 1.1 christos /* 206 1.1 christos * We just checked that s->init_num > 0 so this cast should be safe 207 1.1 christos */ 208 1.1 christos if (((unsigned int)s->init_num) > curr_mtu) 209 1.1 christos len = curr_mtu; 210 1.1 christos else 211 1.1 christos len = s->init_num; 212 1.1 christos 213 1.1 christos if (len > ssl_get_max_send_fragment(s)) 214 1.1 christos len = ssl_get_max_send_fragment(s); 215 1.1 christos 216 1.1 christos /* 217 1.1 christos * XDTLS: this function is too long. split out the CCS part 218 1.1 christos */ 219 1.1 christos if (type == SSL3_RT_HANDSHAKE) { 220 1.1 christos if (len < DTLS1_HM_HEADER_LENGTH) { 221 1.1 christos /* 222 1.1 christos * len is so small that we really can't do anything sensible 223 1.1 christos * so fail 224 1.1 christos */ 225 1.1 christos return -1; 226 1.1 christos } 227 1.1 christos dtls1_fix_message_header(s, frag_off, len - DTLS1_HM_HEADER_LENGTH); 228 1.1 christos 229 1.1 christos /* 230 1.1 christos * Save the data that will be overwritten by 231 1.1 christos * dtls1_write_messsage_header so no corruption occurs when using 232 1.1 christos * a msg callback. 233 1.1 christos */ 234 1.1 christos if (s->msg_callback && s->init_off != 0) 235 1.1 christos memcpy(saved_payload, &s->init_buf->data[s->init_off], 236 1.1.1.2 christos sizeof(saved_payload)); 237 1.1 christos 238 1.1 christos dtls1_write_message_header(s, 239 1.1.1.2 christos (unsigned char *)&s->init_buf->data[s->init_off]); 240 1.1 christos } 241 1.1 christos 242 1.1 christos ret = dtls1_write_bytes(s, type, &s->init_buf->data[s->init_off], len, 243 1.1.1.2 christos &written); 244 1.1 christos 245 1.1 christos if (type == SSL3_RT_HANDSHAKE && s->msg_callback && s->init_off != 0) 246 1.1 christos memcpy(&s->init_buf->data[s->init_off], saved_payload, 247 1.1.1.2 christos sizeof(saved_payload)); 248 1.1 christos 249 1.1 christos if (ret <= 0) { 250 1.1 christos /* 251 1.1 christos * might need to update MTU here, but we don't know which 252 1.1 christos * previous packet caused the failure -- so can't really 253 1.1 christos * retransmit anything. continue as if everything is fine and 254 1.1 christos * wait for an alert to handle the retransmit 255 1.1 christos */ 256 1.1.1.2 christos if (retry && BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_MTU_EXCEEDED, 0, NULL) > 0) { 257 1.1 christos if (!(SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) { 258 1.1 christos if (!dtls1_query_mtu(s)) 259 1.1 christos return -1; 260 1.1 christos /* Have one more go */ 261 1.1 christos retry = 0; 262 1.1 christos } else 263 1.1 christos return -1; 264 1.1 christos } else { 265 1.1 christos return -1; 266 1.1 christos } 267 1.1 christos } else { 268 1.1 christos 269 1.1 christos /* 270 1.1 christos * bad if this assert fails, only part of the handshake message 271 1.1 christos * got sent. but why would this happen? 272 1.1 christos */ 273 1.1 christos if (!ossl_assert(len == written)) 274 1.1 christos return -1; 275 1.1 christos 276 1.1 christos /* 277 1.1 christos * We should not exceed the MTU size. If compression is in use 278 1.1 christos * then the max record overhead calculation is unreliable so we do 279 1.1 christos * not check in that case. We use assert rather than ossl_assert 280 1.1 christos * because in a production build, if this assert were ever to fail, 281 1.1 christos * then the best thing to do is probably carry on regardless. 282 1.1 christos */ 283 1.1 christos assert(s->s3.tmp.new_compression != NULL 284 1.1.1.2 christos || BIO_wpending(s->wbio) <= (int)s->d1->mtu); 285 1.1 christos 286 1.1 christos if (type == SSL3_RT_HANDSHAKE && !s->d1->retransmitting) { 287 1.1 christos /* 288 1.1 christos * should not be done for 'Hello Request's, but in that case 289 1.1 christos * we'll ignore the result anyway 290 1.1 christos */ 291 1.1.1.2 christos unsigned char *p = (unsigned char *)&s->init_buf->data[s->init_off]; 292 1.1 christos const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; 293 1.1 christos size_t xlen; 294 1.1 christos 295 1.1 christos if (frag_off == 0 && s->version != DTLS1_BAD_VER) { 296 1.1 christos /* 297 1.1 christos * reconstruct message header is if it is being sent in 298 1.1 christos * single fragment 299 1.1 christos */ 300 1.1 christos *p++ = msg_hdr->type; 301 1.1 christos l2n3(msg_hdr->msg_len, p); 302 1.1 christos s2n(msg_hdr->seq, p); 303 1.1 christos l2n3(0, p); 304 1.1 christos l2n3(msg_hdr->msg_len, p); 305 1.1 christos p -= DTLS1_HM_HEADER_LENGTH; 306 1.1 christos xlen = written; 307 1.1 christos } else { 308 1.1 christos p += DTLS1_HM_HEADER_LENGTH; 309 1.1 christos xlen = written - DTLS1_HM_HEADER_LENGTH; 310 1.1 christos } 311 1.1 christos 312 1.1 christos if (!ssl3_finish_mac(s, p, xlen)) 313 1.1 christos return -1; 314 1.1 christos } 315 1.1 christos 316 1.1 christos if (written == s->init_num) { 317 1.1 christos if (s->msg_callback) 318 1.1 christos s->msg_callback(1, s->version, type, s->init_buf->data, 319 1.1.1.2 christos s->init_off + s->init_num, ussl, 320 1.1.1.2 christos s->msg_callback_arg); 321 1.1 christos 322 1.1 christos s->init_off = 0; /* done writing this message */ 323 1.1 christos s->init_num = 0; 324 1.1 christos 325 1.1 christos return 1; 326 1.1 christos } 327 1.1 christos s->init_off += written; 328 1.1 christos s->init_num -= written; 329 1.1 christos written -= DTLS1_HM_HEADER_LENGTH; 330 1.1 christos frag_off += written; 331 1.1 christos 332 1.1 christos /* 333 1.1 christos * We save the fragment offset for the next fragment so we have it 334 1.1 christos * available in case of an IO retry. We don't know the length of the 335 1.1 christos * next fragment yet so just set that to 0 for now. It will be 336 1.1 christos * updated again later. 337 1.1 christos */ 338 1.1 christos dtls1_fix_message_header(s, frag_off, 0); 339 1.1 christos } 340 1.1 christos } 341 1.1 christos return 0; 342 1.1 christos } 343 1.1 christos 344 1.1 christos int dtls_get_message(SSL_CONNECTION *s, int *mt) 345 1.1 christos { 346 1.1 christos struct hm_header_st *msg_hdr; 347 1.1 christos unsigned char *p; 348 1.1 christos size_t msg_len; 349 1.1 christos size_t tmplen; 350 1.1 christos int errtype; 351 1.1 christos 352 1.1 christos msg_hdr = &s->d1->r_msg_hdr; 353 1.1 christos memset(msg_hdr, 0, sizeof(*msg_hdr)); 354 1.1 christos 355 1.1.1.2 christos again: 356 1.1 christos if (!dtls_get_reassembled_message(s, &errtype, &tmplen)) { 357 1.1 christos if (errtype == DTLS1_HM_BAD_FRAGMENT 358 1.1.1.2 christos || errtype == DTLS1_HM_FRAGMENT_RETRY) { 359 1.1 christos /* bad fragment received */ 360 1.1 christos goto again; 361 1.1 christos } 362 1.1 christos return 0; 363 1.1 christos } 364 1.1 christos 365 1.1 christos *mt = s->s3.tmp.message_type; 366 1.1 christos 367 1.1 christos p = (unsigned char *)s->init_buf->data; 368 1.1 christos 369 1.1 christos if (*mt == SSL3_MT_CHANGE_CIPHER_SPEC) { 370 1.1 christos if (s->msg_callback) { 371 1.1 christos s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, 372 1.1.1.2 christos p, 1, SSL_CONNECTION_GET_USER_SSL(s), 373 1.1.1.2 christos s->msg_callback_arg); 374 1.1 christos } 375 1.1 christos /* 376 1.1 christos * This isn't a real handshake message so skip the processing below. 377 1.1 christos */ 378 1.1 christos return 1; 379 1.1 christos } 380 1.1 christos 381 1.1 christos msg_len = msg_hdr->msg_len; 382 1.1 christos 383 1.1 christos /* reconstruct message header */ 384 1.1 christos *(p++) = msg_hdr->type; 385 1.1 christos l2n3(msg_len, p); 386 1.1 christos s2n(msg_hdr->seq, p); 387 1.1 christos l2n3(0, p); 388 1.1 christos l2n3(msg_len, p); 389 1.1 christos 390 1.1 christos memset(msg_hdr, 0, sizeof(*msg_hdr)); 391 1.1 christos 392 1.1 christos s->d1->handshake_read_seq++; 393 1.1 christos 394 1.1 christos s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH; 395 1.1 christos 396 1.1 christos return 1; 397 1.1 christos } 398 1.1 christos 399 1.1 christos /* 400 1.1 christos * Actually we already have the message body - but this is an opportunity for 401 1.1 christos * DTLS to do any further processing it wants at the same point that TLS would 402 1.1 christos * be asked for the message body. 403 1.1 christos */ 404 1.1 christos int dtls_get_message_body(SSL_CONNECTION *s, size_t *len) 405 1.1 christos { 406 1.1 christos unsigned char *msg = (unsigned char *)s->init_buf->data; 407 1.1 christos size_t msg_len = s->init_num + DTLS1_HM_HEADER_LENGTH; 408 1.1 christos 409 1.1 christos if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) { 410 1.1 christos /* Nothing to be done */ 411 1.1 christos goto end; 412 1.1 christos } 413 1.1 christos /* 414 1.1 christos * If receiving Finished, record MAC of prior handshake messages for 415 1.1 christos * Finished verification. 416 1.1 christos */ 417 1.1 christos if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) { 418 1.1 christos /* SSLfatal() already called */ 419 1.1 christos return 0; 420 1.1 christos } 421 1.1 christos 422 1.1 christos if (s->version == DTLS1_BAD_VER) { 423 1.1 christos msg += DTLS1_HM_HEADER_LENGTH; 424 1.1 christos msg_len -= DTLS1_HM_HEADER_LENGTH; 425 1.1 christos } 426 1.1 christos 427 1.1 christos if (!ssl3_finish_mac(s, msg, msg_len)) 428 1.1 christos return 0; 429 1.1 christos 430 1.1 christos if (s->msg_callback) 431 1.1 christos s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 432 1.1.1.2 christos s->init_buf->data, s->init_num + DTLS1_HM_HEADER_LENGTH, 433 1.1.1.2 christos SSL_CONNECTION_GET_USER_SSL(s), s->msg_callback_arg); 434 1.1 christos 435 1.1.1.2 christos end: 436 1.1 christos *len = s->init_num; 437 1.1 christos return 1; 438 1.1 christos } 439 1.1 christos 440 1.1 christos /* 441 1.1 christos * dtls1_max_handshake_message_len returns the maximum number of bytes 442 1.1 christos * permitted in a DTLS handshake message for |s|. The minimum is 16KB, but 443 1.1 christos * may be greater if the maximum certificate list size requires it. 444 1.1 christos */ 445 1.1 christos static size_t dtls1_max_handshake_message_len(const SSL_CONNECTION *s) 446 1.1 christos { 447 1.1 christos size_t max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; 448 1.1 christos if (max_len < s->max_cert_list) 449 1.1 christos return s->max_cert_list; 450 1.1 christos return max_len; 451 1.1 christos } 452 1.1 christos 453 1.1 christos static int dtls1_preprocess_fragment(SSL_CONNECTION *s, 454 1.1.1.2 christos struct hm_header_st *msg_hdr) 455 1.1 christos { 456 1.1 christos size_t frag_off, frag_len, msg_len; 457 1.1 christos 458 1.1 christos msg_len = msg_hdr->msg_len; 459 1.1 christos frag_off = msg_hdr->frag_off; 460 1.1 christos frag_len = msg_hdr->frag_len; 461 1.1 christos 462 1.1 christos /* sanity checking */ 463 1.1 christos if ((frag_off + frag_len) > msg_len 464 1.1.1.2 christos || msg_len > dtls1_max_handshake_message_len(s)) { 465 1.1 christos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_EXCESSIVE_MESSAGE_SIZE); 466 1.1 christos return 0; 467 1.1 christos } 468 1.1 christos 469 1.1 christos if (s->d1->r_msg_hdr.frag_off == 0) { /* first fragment */ 470 1.1 christos /* 471 1.1 christos * msg_len is limited to 2^24, but is effectively checked against 472 1.1 christos * dtls_max_handshake_message_len(s) above 473 1.1 christos */ 474 1.1 christos if (!BUF_MEM_grow_clean(s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH)) { 475 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB); 476 1.1 christos return 0; 477 1.1 christos } 478 1.1 christos 479 1.1 christos s->s3.tmp.message_size = msg_len; 480 1.1 christos s->d1->r_msg_hdr.msg_len = msg_len; 481 1.1 christos s->s3.tmp.message_type = msg_hdr->type; 482 1.1 christos s->d1->r_msg_hdr.type = msg_hdr->type; 483 1.1 christos s->d1->r_msg_hdr.seq = msg_hdr->seq; 484 1.1 christos } else if (msg_len != s->d1->r_msg_hdr.msg_len) { 485 1.1 christos /* 486 1.1 christos * They must be playing with us! BTW, failure to enforce upper limit 487 1.1 christos * would open possibility for buffer overrun. 488 1.1 christos */ 489 1.1 christos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_EXCESSIVE_MESSAGE_SIZE); 490 1.1 christos return 0; 491 1.1 christos } 492 1.1 christos 493 1.1 christos return 1; 494 1.1 christos } 495 1.1 christos 496 1.1 christos /* 497 1.1 christos * Returns 1 if there is a buffered fragment available, 0 if not, or -1 on a 498 1.1 christos * fatal error. 499 1.1 christos */ 500 1.1 christos static int dtls1_retrieve_buffered_fragment(SSL_CONNECTION *s, size_t *len) 501 1.1 christos { 502 1.1 christos /*- 503 1.1 christos * (0) check whether the desired fragment is available 504 1.1 christos * if so: 505 1.1 christos * (1) copy over the fragment to s->init_buf->data[] 506 1.1 christos * (2) update s->init_num 507 1.1 christos */ 508 1.1 christos pitem *item; 509 1.1 christos piterator iter; 510 1.1 christos hm_fragment *frag; 511 1.1 christos int ret; 512 1.1 christos int chretran = 0; 513 1.1 christos 514 1.1 christos iter = pqueue_iterator(s->d1->buffered_messages); 515 1.1 christos do { 516 1.1 christos item = pqueue_next(&iter); 517 1.1 christos if (item == NULL) 518 1.1 christos return 0; 519 1.1 christos 520 1.1 christos frag = (hm_fragment *)item->data; 521 1.1 christos 522 1.1 christos if (frag->msg_header.seq < s->d1->handshake_read_seq) { 523 1.1 christos pitem *next; 524 1.1 christos hm_fragment *nextfrag; 525 1.1 christos 526 1.1 christos if (!s->server 527 1.1.1.2 christos || frag->msg_header.seq != 0 528 1.1.1.2 christos || s->d1->handshake_read_seq != 1 529 1.1.1.2 christos || s->statem.hand_state != DTLS_ST_SW_HELLO_VERIFY_REQUEST) { 530 1.1 christos /* 531 1.1 christos * This is a stale message that has been buffered so clear it. 532 1.1 christos * It is safe to pop this message from the queue even though 533 1.1 christos * we have an active iterator 534 1.1 christos */ 535 1.1 christos pqueue_pop(s->d1->buffered_messages); 536 1.1 christos dtls1_hm_fragment_free(frag); 537 1.1 christos pitem_free(item); 538 1.1 christos item = NULL; 539 1.1 christos frag = NULL; 540 1.1 christos } else { 541 1.1 christos /* 542 1.1 christos * We have fragments for a ClientHello without a cookie, 543 1.1 christos * even though we have sent a HelloVerifyRequest. It is possible 544 1.1 christos * that the HelloVerifyRequest got lost and this is a 545 1.1 christos * retransmission of the original ClientHello 546 1.1 christos */ 547 1.1 christos next = pqueue_next(&iter); 548 1.1 christos if (next != NULL) { 549 1.1 christos nextfrag = (hm_fragment *)next->data; 550 1.1 christos if (nextfrag->msg_header.seq == s->d1->handshake_read_seq) { 551 1.1 christos /* 552 1.1.1.2 christos * We have fragments for both a ClientHello without 553 1.1.1.2 christos * cookie and one with. Ditch the one without. 554 1.1.1.2 christos */ 555 1.1 christos pqueue_pop(s->d1->buffered_messages); 556 1.1 christos dtls1_hm_fragment_free(frag); 557 1.1 christos pitem_free(item); 558 1.1 christos item = next; 559 1.1 christos frag = nextfrag; 560 1.1 christos } else { 561 1.1 christos chretran = 1; 562 1.1 christos } 563 1.1 christos } else { 564 1.1 christos chretran = 1; 565 1.1 christos } 566 1.1 christos } 567 1.1 christos } 568 1.1 christos } while (item == NULL); 569 1.1 christos 570 1.1 christos /* Don't return if reassembly still in progress */ 571 1.1 christos if (frag->reassembly != NULL) 572 1.1 christos return 0; 573 1.1 christos 574 1.1 christos if (s->d1->handshake_read_seq == frag->msg_header.seq || chretran) { 575 1.1 christos size_t frag_len = frag->msg_header.frag_len; 576 1.1 christos pqueue_pop(s->d1->buffered_messages); 577 1.1 christos 578 1.1 christos /* Calls SSLfatal() as required */ 579 1.1 christos ret = dtls1_preprocess_fragment(s, &frag->msg_header); 580 1.1 christos 581 1.1 christos if (ret && frag->msg_header.frag_len > 0) { 582 1.1.1.2 christos unsigned char *p = (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH; 583 1.1 christos memcpy(&p[frag->msg_header.frag_off], frag->fragment, 584 1.1.1.2 christos frag->msg_header.frag_len); 585 1.1 christos } 586 1.1 christos 587 1.1 christos dtls1_hm_fragment_free(frag); 588 1.1 christos pitem_free(item); 589 1.1 christos 590 1.1 christos if (ret) { 591 1.1 christos if (chretran) { 592 1.1 christos /* 593 1.1 christos * We got a new ClientHello with a message sequence of 0. 594 1.1 christos * Reset the read/write sequences back to the beginning. 595 1.1 christos * We process it like this is the first time we've seen a 596 1.1 christos * ClientHello from the client. 597 1.1 christos */ 598 1.1 christos s->d1->handshake_read_seq = 0; 599 1.1 christos s->d1->next_handshake_write_seq = 0; 600 1.1 christos } 601 1.1 christos *len = frag_len; 602 1.1 christos return 1; 603 1.1 christos } 604 1.1 christos 605 1.1 christos /* Fatal error */ 606 1.1 christos s->init_num = 0; 607 1.1 christos return -1; 608 1.1 christos } else { 609 1.1 christos return 0; 610 1.1 christos } 611 1.1 christos } 612 1.1 christos 613 1.1 christos static int dtls1_reassemble_fragment(SSL_CONNECTION *s, 614 1.1.1.2 christos const struct hm_header_st *msg_hdr) 615 1.1 christos { 616 1.1 christos hm_fragment *frag = NULL; 617 1.1 christos pitem *item = NULL; 618 1.1 christos int i = -1, is_complete; 619 1.1 christos unsigned char seq64be[8]; 620 1.1 christos size_t frag_len = msg_hdr->frag_len; 621 1.1 christos size_t readbytes; 622 1.1 christos SSL *ssl = SSL_CONNECTION_GET_SSL(s); 623 1.1 christos 624 1.1.1.2 christos if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len || msg_hdr->msg_len > dtls1_max_handshake_message_len(s)) 625 1.1 christos goto err; 626 1.1 christos 627 1.1 christos if (frag_len == 0) { 628 1.1 christos return DTLS1_HM_FRAGMENT_RETRY; 629 1.1 christos } 630 1.1 christos 631 1.1 christos /* Try to find item in queue */ 632 1.1 christos memset(seq64be, 0, sizeof(seq64be)); 633 1.1 christos seq64be[6] = (unsigned char)(msg_hdr->seq >> 8); 634 1.1 christos seq64be[7] = (unsigned char)msg_hdr->seq; 635 1.1 christos item = pqueue_find(s->d1->buffered_messages, seq64be); 636 1.1 christos 637 1.1 christos if (item == NULL) { 638 1.1 christos frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 1); 639 1.1 christos if (frag == NULL) 640 1.1 christos goto err; 641 1.1 christos memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); 642 1.1 christos frag->msg_header.frag_len = frag->msg_header.msg_len; 643 1.1 christos frag->msg_header.frag_off = 0; 644 1.1 christos } else { 645 1.1 christos frag = (hm_fragment *)item->data; 646 1.1 christos if (frag->msg_header.msg_len != msg_hdr->msg_len) { 647 1.1 christos item = NULL; 648 1.1 christos frag = NULL; 649 1.1 christos goto err; 650 1.1 christos } 651 1.1 christos } 652 1.1 christos 653 1.1 christos /* 654 1.1 christos * If message is already reassembled, this must be a retransmit and can 655 1.1 christos * be dropped. In this case item != NULL and so frag does not need to be 656 1.1 christos * freed. 657 1.1 christos */ 658 1.1 christos if (frag->reassembly == NULL) { 659 1.1 christos unsigned char devnull[256]; 660 1.1 christos 661 1.1 christos while (frag_len) { 662 1.1 christos i = ssl->method->ssl_read_bytes(ssl, SSL3_RT_HANDSHAKE, NULL, 663 1.1.1.2 christos devnull, 664 1.1.1.2 christos frag_len > sizeof(devnull) ? sizeof(devnull) : frag_len, 0, &readbytes); 665 1.1 christos if (i <= 0) 666 1.1 christos goto err; 667 1.1 christos frag_len -= readbytes; 668 1.1 christos } 669 1.1 christos return DTLS1_HM_FRAGMENT_RETRY; 670 1.1 christos } 671 1.1 christos 672 1.1 christos /* read the body of the fragment (header has already been read */ 673 1.1 christos i = ssl->method->ssl_read_bytes(ssl, SSL3_RT_HANDSHAKE, NULL, 674 1.1.1.2 christos frag->fragment + msg_hdr->frag_off, 675 1.1.1.2 christos frag_len, 0, &readbytes); 676 1.1 christos if (i <= 0 || readbytes != frag_len) 677 1.1 christos i = -1; 678 1.1 christos if (i <= 0) 679 1.1 christos goto err; 680 1.1 christos 681 1.1 christos RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off, 682 1.1.1.2 christos (long)(msg_hdr->frag_off + frag_len)); 683 1.1 christos 684 1.1 christos if (!ossl_assert(msg_hdr->msg_len > 0)) 685 1.1 christos goto err; 686 1.1 christos RSMBLY_BITMASK_IS_COMPLETE(frag->reassembly, (long)msg_hdr->msg_len, 687 1.1.1.2 christos is_complete); 688 1.1 christos 689 1.1 christos if (is_complete) { 690 1.1 christos OPENSSL_free(frag->reassembly); 691 1.1 christos frag->reassembly = NULL; 692 1.1 christos } 693 1.1 christos 694 1.1 christos if (item == NULL) { 695 1.1 christos item = pitem_new(seq64be, frag); 696 1.1 christos if (item == NULL) { 697 1.1 christos i = -1; 698 1.1 christos goto err; 699 1.1 christos } 700 1.1 christos 701 1.1 christos item = pqueue_insert(s->d1->buffered_messages, item); 702 1.1 christos /* 703 1.1 christos * pqueue_insert fails iff a duplicate item is inserted. However, 704 1.1 christos * |item| cannot be a duplicate. If it were, |pqueue_find|, above, 705 1.1 christos * would have returned it and control would never have reached this 706 1.1 christos * branch. 707 1.1 christos */ 708 1.1 christos if (!ossl_assert(item != NULL)) 709 1.1 christos goto err; 710 1.1 christos } 711 1.1 christos 712 1.1 christos return DTLS1_HM_FRAGMENT_RETRY; 713 1.1 christos 714 1.1.1.2 christos err: 715 1.1 christos if (item == NULL) 716 1.1 christos dtls1_hm_fragment_free(frag); 717 1.1 christos return -1; 718 1.1 christos } 719 1.1 christos 720 1.1 christos static int dtls1_process_out_of_seq_message(SSL_CONNECTION *s, 721 1.1.1.2 christos const struct hm_header_st *msg_hdr) 722 1.1 christos { 723 1.1 christos int i = -1; 724 1.1 christos hm_fragment *frag = NULL; 725 1.1 christos pitem *item = NULL; 726 1.1 christos unsigned char seq64be[8]; 727 1.1 christos size_t frag_len = msg_hdr->frag_len; 728 1.1 christos size_t readbytes; 729 1.1 christos SSL *ssl = SSL_CONNECTION_GET_SSL(s); 730 1.1 christos 731 1.1 christos if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len) 732 1.1 christos goto err; 733 1.1 christos 734 1.1 christos /* Try to find item in queue, to prevent duplicate entries */ 735 1.1 christos memset(seq64be, 0, sizeof(seq64be)); 736 1.1 christos seq64be[6] = (unsigned char)(msg_hdr->seq >> 8); 737 1.1 christos seq64be[7] = (unsigned char)msg_hdr->seq; 738 1.1 christos item = pqueue_find(s->d1->buffered_messages, seq64be); 739 1.1 christos 740 1.1 christos /* 741 1.1 christos * If we already have an entry and this one is a fragment, don't discard 742 1.1 christos * it and rather try to reassemble it. 743 1.1 christos */ 744 1.1 christos if (item != NULL && frag_len != msg_hdr->msg_len) 745 1.1 christos item = NULL; 746 1.1 christos 747 1.1 christos /* 748 1.1 christos * Discard the message if sequence number was already there, is too far 749 1.1 christos * in the future, already in the queue or if we received a FINISHED 750 1.1 christos * before the SERVER_HELLO, which then must be a stale retransmit. 751 1.1 christos */ 752 1.1.1.2 christos if (msg_hdr->seq <= s->d1->handshake_read_seq || msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL || (s->d1->handshake_read_seq == 0 && msg_hdr->type == SSL3_MT_FINISHED)) { 753 1.1 christos unsigned char devnull[256]; 754 1.1 christos 755 1.1 christos while (frag_len) { 756 1.1 christos i = ssl->method->ssl_read_bytes(ssl, SSL3_RT_HANDSHAKE, NULL, 757 1.1.1.2 christos devnull, 758 1.1.1.2 christos frag_len > sizeof(devnull) ? sizeof(devnull) : frag_len, 0, &readbytes); 759 1.1 christos if (i <= 0) 760 1.1 christos goto err; 761 1.1 christos frag_len -= readbytes; 762 1.1 christos } 763 1.1 christos } else { 764 1.1 christos if (frag_len != msg_hdr->msg_len) { 765 1.1 christos return dtls1_reassemble_fragment(s, msg_hdr); 766 1.1 christos } 767 1.1 christos 768 1.1 christos if (frag_len > dtls1_max_handshake_message_len(s)) 769 1.1 christos goto err; 770 1.1 christos 771 1.1 christos frag = dtls1_hm_fragment_new(frag_len, 0); 772 1.1 christos if (frag == NULL) 773 1.1 christos goto err; 774 1.1 christos 775 1.1 christos memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); 776 1.1 christos 777 1.1 christos if (frag_len) { 778 1.1 christos /* 779 1.1 christos * read the body of the fragment (header has already been read 780 1.1 christos */ 781 1.1 christos i = ssl->method->ssl_read_bytes(ssl, SSL3_RT_HANDSHAKE, NULL, 782 1.1.1.2 christos frag->fragment, frag_len, 0, 783 1.1.1.2 christos &readbytes); 784 1.1.1.2 christos if (i <= 0 || readbytes != frag_len) 785 1.1 christos i = -1; 786 1.1 christos if (i <= 0) 787 1.1 christos goto err; 788 1.1 christos } 789 1.1 christos 790 1.1 christos item = pitem_new(seq64be, frag); 791 1.1 christos if (item == NULL) 792 1.1 christos goto err; 793 1.1 christos 794 1.1 christos item = pqueue_insert(s->d1->buffered_messages, item); 795 1.1 christos /* 796 1.1 christos * pqueue_insert fails iff a duplicate item is inserted. However, 797 1.1 christos * |item| cannot be a duplicate. If it were, |pqueue_find|, above, 798 1.1 christos * would have returned it. Then, either |frag_len| != 799 1.1 christos * |msg_hdr->msg_len| in which case |item| is set to NULL and it will 800 1.1 christos * have been processed with |dtls1_reassemble_fragment|, above, or 801 1.1 christos * the record will have been discarded. 802 1.1 christos */ 803 1.1 christos if (!ossl_assert(item != NULL)) 804 1.1 christos goto err; 805 1.1 christos } 806 1.1 christos 807 1.1 christos return DTLS1_HM_FRAGMENT_RETRY; 808 1.1 christos 809 1.1.1.2 christos err: 810 1.1 christos if (item == NULL) 811 1.1 christos dtls1_hm_fragment_free(frag); 812 1.1 christos return 0; 813 1.1 christos } 814 1.1 christos 815 1.1 christos static int dtls_get_reassembled_message(SSL_CONNECTION *s, int *errtype, 816 1.1.1.2 christos size_t *len) 817 1.1 christos { 818 1.1 christos size_t mlen, frag_off, frag_len; 819 1.1 christos int i, ret; 820 1.1 christos uint8_t recvd_type; 821 1.1 christos struct hm_header_st msg_hdr; 822 1.1 christos size_t readbytes; 823 1.1 christos SSL *ssl = SSL_CONNECTION_GET_SSL(s); 824 1.1 christos SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s); 825 1.1 christos int chretran = 0; 826 1.1 christos unsigned char *p; 827 1.1 christos 828 1.1 christos *errtype = 0; 829 1.1 christos 830 1.1 christos p = (unsigned char *)s->init_buf->data; 831 1.1 christos 832 1.1.1.2 christos redo: 833 1.1 christos /* see if we have the required fragment already */ 834 1.1 christos ret = dtls1_retrieve_buffered_fragment(s, &frag_len); 835 1.1 christos if (ret < 0) { 836 1.1 christos /* SSLfatal() already called */ 837 1.1 christos return 0; 838 1.1 christos } 839 1.1 christos if (ret > 0) { 840 1.1 christos s->init_num = frag_len; 841 1.1 christos *len = frag_len; 842 1.1 christos return 1; 843 1.1 christos } 844 1.1 christos 845 1.1 christos /* read handshake message header */ 846 1.1 christos i = ssl->method->ssl_read_bytes(ssl, SSL3_RT_HANDSHAKE, &recvd_type, p, 847 1.1.1.2 christos DTLS1_HM_HEADER_LENGTH, 0, &readbytes); 848 1.1.1.2 christos if (i <= 0) { /* nbio, or an error */ 849 1.1 christos s->rwstate = SSL_READING; 850 1.1 christos *len = 0; 851 1.1 christos return 0; 852 1.1 christos } 853 1.1 christos if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) { 854 1.1 christos if (p[0] != SSL3_MT_CCS) { 855 1.1 christos SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, 856 1.1.1.2 christos SSL_R_BAD_CHANGE_CIPHER_SPEC); 857 1.1 christos goto f_err; 858 1.1 christos } 859 1.1 christos 860 1.1 christos s->init_num = readbytes - 1; 861 1.1 christos s->init_msg = s->init_buf->data + 1; 862 1.1 christos s->s3.tmp.message_type = SSL3_MT_CHANGE_CIPHER_SPEC; 863 1.1 christos s->s3.tmp.message_size = readbytes - 1; 864 1.1 christos *len = readbytes - 1; 865 1.1 christos return 1; 866 1.1 christos } 867 1.1 christos 868 1.1 christos /* Handshake fails if message header is incomplete */ 869 1.1 christos if (readbytes != DTLS1_HM_HEADER_LENGTH) { 870 1.1 christos SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); 871 1.1 christos goto f_err; 872 1.1 christos } 873 1.1 christos 874 1.1 christos /* parse the message fragment header */ 875 1.1 christos dtls1_get_message_header(p, &msg_hdr); 876 1.1 christos 877 1.1 christos mlen = msg_hdr.msg_len; 878 1.1 christos frag_off = msg_hdr.frag_off; 879 1.1 christos frag_len = msg_hdr.frag_len; 880 1.1 christos 881 1.1 christos /* 882 1.1 christos * We must have at least frag_len bytes left in the record to be read. 883 1.1 christos * Fragments must not span records. 884 1.1 christos */ 885 1.1 christos if (frag_len > s->rlayer.tlsrecs[s->rlayer.curr_rec].length) { 886 1.1 christos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_LENGTH); 887 1.1 christos goto f_err; 888 1.1 christos } 889 1.1 christos 890 1.1 christos /* 891 1.1 christos * if this is a future (or stale) message it gets buffered 892 1.1 christos * (or dropped)--no further processing at this time 893 1.1 christos * While listening, we accept seq 1 (ClientHello with cookie) 894 1.1 christos * although we're still expecting seq 0 (ClientHello) 895 1.1 christos */ 896 1.1 christos if (msg_hdr.seq != s->d1->handshake_read_seq) { 897 1.1 christos if (!s->server 898 1.1.1.2 christos || msg_hdr.seq != 0 899 1.1.1.2 christos || s->d1->handshake_read_seq != 1 900 1.1.1.2 christos || p[0] != SSL3_MT_CLIENT_HELLO 901 1.1.1.2 christos || s->statem.hand_state != DTLS_ST_SW_HELLO_VERIFY_REQUEST) { 902 1.1 christos *errtype = dtls1_process_out_of_seq_message(s, &msg_hdr); 903 1.1 christos return 0; 904 1.1 christos } 905 1.1 christos /* 906 1.1 christos * We received a ClientHello and sent back a HelloVerifyRequest. We 907 1.1 christos * now seem to have received a retransmitted initial ClientHello. That 908 1.1 christos * is allowed (possibly our HelloVerifyRequest got lost). 909 1.1 christos */ 910 1.1 christos chretran = 1; 911 1.1 christos } 912 1.1 christos 913 1.1 christos if (frag_len && frag_len < mlen) { 914 1.1 christos *errtype = dtls1_reassemble_fragment(s, &msg_hdr); 915 1.1 christos return 0; 916 1.1 christos } 917 1.1 christos 918 1.1 christos if (!s->server 919 1.1.1.2 christos && s->d1->r_msg_hdr.frag_off == 0 920 1.1.1.2 christos && s->statem.hand_state != TLS_ST_OK 921 1.1.1.2 christos && p[0] == SSL3_MT_HELLO_REQUEST) { 922 1.1 christos /* 923 1.1 christos * The server may always send 'Hello Request' messages -- we are 924 1.1 christos * doing a handshake anyway now, so ignore them if their format is 925 1.1 christos * correct. Does not count for 'Finished' MAC. 926 1.1 christos */ 927 1.1 christos if (p[1] == 0 && p[2] == 0 && p[3] == 0) { 928 1.1 christos if (s->msg_callback) 929 1.1 christos s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 930 1.1.1.2 christos p, DTLS1_HM_HEADER_LENGTH, ussl, 931 1.1.1.2 christos s->msg_callback_arg); 932 1.1 christos 933 1.1 christos s->init_num = 0; 934 1.1 christos goto redo; 935 1.1.1.2 christos } else { /* Incorrectly formatted Hello request */ 936 1.1 christos 937 1.1 christos SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); 938 1.1 christos goto f_err; 939 1.1 christos } 940 1.1 christos } 941 1.1 christos 942 1.1 christos if (!dtls1_preprocess_fragment(s, &msg_hdr)) { 943 1.1 christos /* SSLfatal() already called */ 944 1.1 christos goto f_err; 945 1.1 christos } 946 1.1 christos 947 1.1 christos if (frag_len > 0) { 948 1.1.1.2 christos /* dtls1_preprocess_fragment() above could reallocate init_buf */ 949 1.1.1.2 christos p = (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH; 950 1.1 christos 951 1.1 christos i = ssl->method->ssl_read_bytes(ssl, SSL3_RT_HANDSHAKE, NULL, 952 1.1.1.2 christos &p[frag_off], frag_len, 0, &readbytes); 953 1.1 christos 954 1.1 christos /* 955 1.1 christos * This shouldn't ever fail due to NBIO because we already checked 956 1.1 christos * that we have enough data in the record 957 1.1 christos */ 958 1.1 christos if (i <= 0) { 959 1.1 christos s->rwstate = SSL_READING; 960 1.1 christos *len = 0; 961 1.1 christos return 0; 962 1.1 christos } 963 1.1 christos } else { 964 1.1 christos readbytes = 0; 965 1.1 christos } 966 1.1 christos 967 1.1 christos /* 968 1.1 christos * XDTLS: an incorrectly formatted fragment should cause the handshake 969 1.1 christos * to fail 970 1.1 christos */ 971 1.1 christos if (readbytes != frag_len) { 972 1.1 christos SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_LENGTH); 973 1.1 christos goto f_err; 974 1.1 christos } 975 1.1 christos 976 1.1 christos if (chretran) { 977 1.1 christos /* 978 1.1 christos * We got a new ClientHello with a message sequence of 0. 979 1.1 christos * Reset the read/write sequences back to the beginning. 980 1.1 christos * We process it like this is the first time we've seen a ClientHello 981 1.1 christos * from the client. 982 1.1 christos */ 983 1.1 christos s->d1->handshake_read_seq = 0; 984 1.1 christos s->d1->next_handshake_write_seq = 0; 985 1.1 christos } 986 1.1 christos 987 1.1 christos /* 988 1.1 christos * Note that s->init_num is *not* used as current offset in 989 1.1 christos * s->init_buf->data, but as a counter summing up fragments' lengths: as 990 1.1 christos * soon as they sum up to handshake packet length, we assume we have got 991 1.1 christos * all the fragments. 992 1.1 christos */ 993 1.1 christos *len = s->init_num = frag_len; 994 1.1 christos return 1; 995 1.1 christos 996 1.1.1.2 christos f_err: 997 1.1 christos s->init_num = 0; 998 1.1 christos *len = 0; 999 1.1 christos return 0; 1000 1.1 christos } 1001 1.1 christos 1002 1.1 christos /*- 1003 1.1 christos * for these 2 messages, we need to 1004 1.1 christos * ssl->session->read_sym_enc assign 1005 1.1 christos * ssl->session->read_compression assign 1006 1.1 christos * ssl->session->read_hash assign 1007 1.1 christos */ 1008 1.1 christos CON_FUNC_RETURN dtls_construct_change_cipher_spec(SSL_CONNECTION *s, 1009 1.1.1.2 christos WPACKET *pkt) 1010 1.1 christos { 1011 1.1 christos if (s->version == DTLS1_BAD_VER) { 1012 1.1 christos s->d1->next_handshake_write_seq++; 1013 1.1 christos 1014 1.1 christos if (!WPACKET_put_bytes_u16(pkt, s->d1->handshake_write_seq)) { 1015 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1016 1.1 christos return CON_FUNC_ERROR; 1017 1.1 christos } 1018 1.1 christos } 1019 1.1 christos 1020 1.1 christos return CON_FUNC_SUCCESS; 1021 1.1 christos } 1022 1.1 christos 1023 1.1 christos #ifndef OPENSSL_NO_SCTP 1024 1.1 christos /* 1025 1.1 christos * Wait for a dry event. Should only be called at a point in the handshake 1026 1.1 christos * where we are not expecting any data from the peer except an alert. 1027 1.1 christos */ 1028 1.1 christos WORK_STATE dtls_wait_for_dry(SSL_CONNECTION *s) 1029 1.1 christos { 1030 1.1 christos int ret, errtype; 1031 1.1 christos size_t len; 1032 1.1 christos SSL *ssl = SSL_CONNECTION_GET_SSL(s); 1033 1.1 christos 1034 1.1 christos /* read app data until dry event */ 1035 1.1 christos ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(ssl)); 1036 1.1 christos if (ret < 0) { 1037 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1038 1.1 christos return WORK_ERROR; 1039 1.1 christos } 1040 1.1 christos 1041 1.1 christos if (ret == 0) { 1042 1.1 christos /* 1043 1.1 christos * We're not expecting any more messages from the peer at this point - 1044 1.1 christos * but we could get an alert. If an alert is waiting then we will never 1045 1.1 christos * return successfully. Therefore we attempt to read a message. This 1046 1.1 christos * should never succeed but will process any waiting alerts. 1047 1.1 christos */ 1048 1.1 christos if (dtls_get_reassembled_message(s, &errtype, &len)) { 1049 1.1 christos /* The call succeeded! This should never happen */ 1050 1.1 christos SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); 1051 1.1 christos return WORK_ERROR; 1052 1.1 christos } 1053 1.1 christos 1054 1.1 christos s->s3.in_read_app_data = 2; 1055 1.1 christos s->rwstate = SSL_READING; 1056 1.1 christos BIO_clear_retry_flags(SSL_get_rbio(ssl)); 1057 1.1 christos BIO_set_retry_read(SSL_get_rbio(ssl)); 1058 1.1 christos return WORK_MORE_A; 1059 1.1 christos } 1060 1.1 christos return WORK_FINISHED_CONTINUE; 1061 1.1 christos } 1062 1.1 christos #endif 1063 1.1 christos 1064 1.1 christos int dtls1_read_failed(SSL_CONNECTION *s, int code) 1065 1.1 christos { 1066 1.1 christos SSL *ssl = SSL_CONNECTION_GET_SSL(s); 1067 1.1 christos 1068 1.1 christos if (code > 0) { 1069 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1070 1.1 christos return 0; 1071 1.1 christos } 1072 1.1 christos 1073 1.1 christos if (!dtls1_is_timer_expired(s) || ossl_statem_in_error(s)) { 1074 1.1 christos /* 1075 1.1 christos * not a timeout, none of our business, let higher layers handle 1076 1.1 christos * this. in fact it's probably an error 1077 1.1 christos */ 1078 1.1 christos return code; 1079 1.1 christos } 1080 1.1 christos /* done, no need to send a retransmit */ 1081 1.1 christos if (!SSL_in_init(ssl)) { 1082 1.1 christos BIO_set_flags(SSL_get_rbio(ssl), BIO_FLAGS_READ); 1083 1.1 christos return code; 1084 1.1 christos } 1085 1.1 christos 1086 1.1 christos return dtls1_handle_timeout(s); 1087 1.1 christos } 1088 1.1 christos 1089 1.1 christos int dtls1_get_queue_priority(unsigned short seq, int is_ccs) 1090 1.1 christos { 1091 1.1 christos /* 1092 1.1 christos * The index of the retransmission queue actually is the message sequence 1093 1.1 christos * number, since the queue only contains messages of a single handshake. 1094 1.1 christos * However, the ChangeCipherSpec has no message sequence number and so 1095 1.1 christos * using only the sequence will result in the CCS and Finished having the 1096 1.1 christos * same index. To prevent this, the sequence number is multiplied by 2. 1097 1.1 christos * In case of a CCS 1 is subtracted. This does not only differ CSS and 1098 1.1 christos * Finished, it also maintains the order of the index (important for 1099 1.1 christos * priority queues) and fits in the unsigned short variable. 1100 1.1 christos */ 1101 1.1 christos return seq * 2 - is_ccs; 1102 1.1 christos } 1103 1.1 christos 1104 1.1 christos int dtls1_retransmit_buffered_messages(SSL_CONNECTION *s) 1105 1.1 christos { 1106 1.1 christos pqueue *sent = s->d1->sent_messages; 1107 1.1 christos piterator iter; 1108 1.1 christos pitem *item; 1109 1.1 christos hm_fragment *frag; 1110 1.1 christos int found = 0; 1111 1.1 christos 1112 1.1 christos iter = pqueue_iterator(sent); 1113 1.1 christos 1114 1.1 christos for (item = pqueue_next(&iter); item != NULL; item = pqueue_next(&iter)) { 1115 1.1 christos frag = (hm_fragment *)item->data; 1116 1.1.1.2 christos if (dtls1_retransmit_message(s, (unsigned short)dtls1_get_queue_priority(frag->msg_header.seq, frag->msg_header.is_ccs), &found) <= 0) 1117 1.1 christos return -1; 1118 1.1 christos } 1119 1.1 christos 1120 1.1 christos return 1; 1121 1.1 christos } 1122 1.1 christos 1123 1.1 christos int dtls1_buffer_message(SSL_CONNECTION *s, int is_ccs) 1124 1.1 christos { 1125 1.1 christos pitem *item; 1126 1.1 christos hm_fragment *frag; 1127 1.1 christos unsigned char seq64be[8]; 1128 1.1 christos 1129 1.1 christos /* 1130 1.1 christos * this function is called immediately after a message has been 1131 1.1 christos * serialized 1132 1.1 christos */ 1133 1.1 christos if (!ossl_assert(s->init_off == 0)) 1134 1.1 christos return 0; 1135 1.1 christos 1136 1.1 christos frag = dtls1_hm_fragment_new(s->init_num, 0); 1137 1.1 christos if (frag == NULL) 1138 1.1 christos return 0; 1139 1.1 christos 1140 1.1 christos memcpy(frag->fragment, s->init_buf->data, s->init_num); 1141 1.1 christos 1142 1.1 christos if (is_ccs) { 1143 1.1 christos /* For DTLS1_BAD_VER the header length is non-standard */ 1144 1.1.1.2 christos if (!ossl_assert(s->d1->w_msg_hdr.msg_len + ((s->version == DTLS1_BAD_VER) ? 3 : DTLS1_CCS_HEADER_LENGTH) 1145 1.1.1.2 christos == (unsigned int)s->init_num)) { 1146 1.1 christos dtls1_hm_fragment_free(frag); 1147 1.1 christos return 0; 1148 1.1 christos } 1149 1.1 christos } else { 1150 1.1.1.2 christos if (!ossl_assert(s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH == (unsigned int)s->init_num)) { 1151 1.1 christos dtls1_hm_fragment_free(frag); 1152 1.1 christos return 0; 1153 1.1 christos } 1154 1.1 christos } 1155 1.1 christos 1156 1.1 christos frag->msg_header.msg_len = s->d1->w_msg_hdr.msg_len; 1157 1.1 christos frag->msg_header.seq = s->d1->w_msg_hdr.seq; 1158 1.1 christos frag->msg_header.type = s->d1->w_msg_hdr.type; 1159 1.1 christos frag->msg_header.frag_off = 0; 1160 1.1 christos frag->msg_header.frag_len = s->d1->w_msg_hdr.msg_len; 1161 1.1 christos frag->msg_header.is_ccs = is_ccs; 1162 1.1 christos 1163 1.1 christos /* save current state */ 1164 1.1 christos frag->msg_header.saved_retransmit_state.wrlmethod = s->rlayer.wrlmethod; 1165 1.1 christos frag->msg_header.saved_retransmit_state.wrl = s->rlayer.wrl; 1166 1.1 christos 1167 1.1 christos memset(seq64be, 0, sizeof(seq64be)); 1168 1.1.1.2 christos seq64be[6] = (unsigned char)(dtls1_get_queue_priority(frag->msg_header.seq, 1169 1.1.1.2 christos frag->msg_header.is_ccs) 1170 1.1.1.2 christos >> 8); 1171 1.1.1.2 christos seq64be[7] = (unsigned char)(dtls1_get_queue_priority(frag->msg_header.seq, 1172 1.1.1.2 christos frag->msg_header.is_ccs)); 1173 1.1 christos 1174 1.1 christos item = pitem_new(seq64be, frag); 1175 1.1 christos if (item == NULL) { 1176 1.1 christos dtls1_hm_fragment_free(frag); 1177 1.1 christos return 0; 1178 1.1 christos } 1179 1.1 christos 1180 1.1 christos pqueue_insert(s->d1->sent_messages, item); 1181 1.1 christos return 1; 1182 1.1 christos } 1183 1.1 christos 1184 1.1 christos int dtls1_retransmit_message(SSL_CONNECTION *s, unsigned short seq, int *found) 1185 1.1 christos { 1186 1.1 christos int ret; 1187 1.1 christos /* XDTLS: for now assuming that read/writes are blocking */ 1188 1.1 christos pitem *item; 1189 1.1 christos hm_fragment *frag; 1190 1.1 christos unsigned long header_length; 1191 1.1 christos unsigned char seq64be[8]; 1192 1.1 christos struct dtls1_retransmit_state saved_state; 1193 1.1 christos 1194 1.1 christos /* XDTLS: the requested message ought to be found, otherwise error */ 1195 1.1 christos memset(seq64be, 0, sizeof(seq64be)); 1196 1.1 christos seq64be[6] = (unsigned char)(seq >> 8); 1197 1.1 christos seq64be[7] = (unsigned char)seq; 1198 1.1 christos 1199 1.1 christos item = pqueue_find(s->d1->sent_messages, seq64be); 1200 1.1 christos if (item == NULL) { 1201 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 1202 1.1 christos *found = 0; 1203 1.1 christos return 0; 1204 1.1 christos } 1205 1.1 christos 1206 1.1 christos *found = 1; 1207 1.1 christos frag = (hm_fragment *)item->data; 1208 1.1 christos 1209 1.1 christos if (frag->msg_header.is_ccs) 1210 1.1 christos header_length = DTLS1_CCS_HEADER_LENGTH; 1211 1.1 christos else 1212 1.1 christos header_length = DTLS1_HM_HEADER_LENGTH; 1213 1.1 christos 1214 1.1 christos memcpy(s->init_buf->data, frag->fragment, 1215 1.1.1.2 christos frag->msg_header.msg_len + header_length); 1216 1.1 christos s->init_num = frag->msg_header.msg_len + header_length; 1217 1.1 christos 1218 1.1 christos dtls1_set_message_header_int(s, frag->msg_header.type, 1219 1.1.1.2 christos frag->msg_header.msg_len, 1220 1.1.1.2 christos frag->msg_header.seq, 0, 1221 1.1.1.2 christos frag->msg_header.frag_len); 1222 1.1 christos 1223 1.1 christos /* save current state */ 1224 1.1 christos saved_state.wrlmethod = s->rlayer.wrlmethod; 1225 1.1 christos saved_state.wrl = s->rlayer.wrl; 1226 1.1 christos 1227 1.1 christos s->d1->retransmitting = 1; 1228 1.1 christos 1229 1.1 christos /* restore state in which the message was originally sent */ 1230 1.1 christos s->rlayer.wrlmethod = frag->msg_header.saved_retransmit_state.wrlmethod; 1231 1.1 christos s->rlayer.wrl = frag->msg_header.saved_retransmit_state.wrl; 1232 1.1 christos 1233 1.1 christos /* 1234 1.1 christos * The old wrl may be still pointing at an old BIO. Update it to what we're 1235 1.1 christos * using now. 1236 1.1 christos */ 1237 1.1 christos s->rlayer.wrlmethod->set1_bio(s->rlayer.wrl, s->wbio); 1238 1.1 christos 1239 1.1.1.2 christos ret = dtls1_do_write(s, frag->msg_header.is_ccs ? SSL3_RT_CHANGE_CIPHER_SPEC : SSL3_RT_HANDSHAKE); 1240 1.1 christos 1241 1.1 christos /* restore current state */ 1242 1.1 christos s->rlayer.wrlmethod = saved_state.wrlmethod; 1243 1.1 christos s->rlayer.wrl = saved_state.wrl; 1244 1.1 christos 1245 1.1 christos s->d1->retransmitting = 0; 1246 1.1 christos 1247 1.1 christos (void)BIO_flush(s->wbio); 1248 1.1 christos return ret; 1249 1.1 christos } 1250 1.1 christos 1251 1.1 christos void dtls1_set_message_header(SSL_CONNECTION *s, 1252 1.1.1.2 christos unsigned char mt, size_t len, 1253 1.1.1.2 christos size_t frag_off, size_t frag_len) 1254 1.1 christos { 1255 1.1 christos if (frag_off == 0) { 1256 1.1 christos s->d1->handshake_write_seq = s->d1->next_handshake_write_seq; 1257 1.1 christos s->d1->next_handshake_write_seq++; 1258 1.1 christos } 1259 1.1 christos 1260 1.1 christos dtls1_set_message_header_int(s, mt, len, s->d1->handshake_write_seq, 1261 1.1.1.2 christos frag_off, frag_len); 1262 1.1 christos } 1263 1.1 christos 1264 1.1 christos /* don't actually do the writing, wait till the MTU has been retrieved */ 1265 1.1 christos static void 1266 1.1 christos dtls1_set_message_header_int(SSL_CONNECTION *s, unsigned char mt, 1267 1.1.1.2 christos size_t len, unsigned short seq_num, 1268 1.1.1.2 christos size_t frag_off, size_t frag_len) 1269 1.1 christos { 1270 1.1 christos struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; 1271 1.1 christos 1272 1.1 christos msg_hdr->type = mt; 1273 1.1 christos msg_hdr->msg_len = len; 1274 1.1 christos msg_hdr->seq = seq_num; 1275 1.1 christos msg_hdr->frag_off = frag_off; 1276 1.1 christos msg_hdr->frag_len = frag_len; 1277 1.1 christos } 1278 1.1 christos 1279 1.1 christos static void 1280 1.1 christos dtls1_fix_message_header(SSL_CONNECTION *s, size_t frag_off, size_t frag_len) 1281 1.1 christos { 1282 1.1 christos struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; 1283 1.1 christos 1284 1.1 christos msg_hdr->frag_off = frag_off; 1285 1.1 christos msg_hdr->frag_len = frag_len; 1286 1.1 christos } 1287 1.1 christos 1288 1.1 christos static unsigned char *dtls1_write_message_header(SSL_CONNECTION *s, 1289 1.1.1.2 christos unsigned char *p) 1290 1.1 christos { 1291 1.1 christos struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; 1292 1.1 christos 1293 1.1 christos *p++ = msg_hdr->type; 1294 1.1 christos l2n3(msg_hdr->msg_len, p); 1295 1.1 christos 1296 1.1 christos s2n(msg_hdr->seq, p); 1297 1.1 christos l2n3(msg_hdr->frag_off, p); 1298 1.1 christos l2n3(msg_hdr->frag_len, p); 1299 1.1 christos 1300 1.1 christos return p; 1301 1.1 christos } 1302 1.1 christos 1303 1.1.1.2 christos void dtls1_get_message_header(const unsigned char *data, struct hm_header_st *msg_hdr) 1304 1.1 christos { 1305 1.1 christos memset(msg_hdr, 0, sizeof(*msg_hdr)); 1306 1.1 christos msg_hdr->type = *(data++); 1307 1.1 christos n2l3(data, msg_hdr->msg_len); 1308 1.1 christos 1309 1.1 christos n2s(data, msg_hdr->seq); 1310 1.1 christos n2l3(data, msg_hdr->frag_off); 1311 1.1 christos n2l3(data, msg_hdr->frag_len); 1312 1.1 christos } 1313 1.1 christos 1314 1.1 christos int dtls1_set_handshake_header(SSL_CONNECTION *s, WPACKET *pkt, int htype) 1315 1.1 christos { 1316 1.1 christos unsigned char *header; 1317 1.1 christos 1318 1.1 christos if (htype == SSL3_MT_CHANGE_CIPHER_SPEC) { 1319 1.1 christos s->d1->handshake_write_seq = s->d1->next_handshake_write_seq; 1320 1.1 christos dtls1_set_message_header_int(s, SSL3_MT_CCS, 0, 1321 1.1.1.2 christos s->d1->handshake_write_seq, 0, 0); 1322 1.1 christos if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) 1323 1.1 christos return 0; 1324 1.1 christos } else { 1325 1.1 christos dtls1_set_message_header(s, htype, 0, 0, 0); 1326 1.1 christos /* 1327 1.1 christos * We allocate space at the start for the message header. This gets 1328 1.1 christos * filled in later 1329 1.1 christos */ 1330 1.1 christos if (!WPACKET_allocate_bytes(pkt, DTLS1_HM_HEADER_LENGTH, &header) 1331 1.1.1.2 christos || !WPACKET_start_sub_packet(pkt)) 1332 1.1 christos return 0; 1333 1.1 christos } 1334 1.1 christos 1335 1.1 christos return 1; 1336 1.1 christos } 1337 1.1 christos 1338 1.1 christos int dtls1_close_construct_packet(SSL_CONNECTION *s, WPACKET *pkt, int htype) 1339 1.1 christos { 1340 1.1 christos size_t msglen; 1341 1.1 christos 1342 1.1 christos if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt)) 1343 1.1.1.2 christos || !WPACKET_get_length(pkt, &msglen) 1344 1.1.1.2 christos || msglen > INT_MAX) 1345 1.1 christos return 0; 1346 1.1 christos 1347 1.1 christos if (htype != SSL3_MT_CHANGE_CIPHER_SPEC) { 1348 1.1 christos s->d1->w_msg_hdr.msg_len = msglen - DTLS1_HM_HEADER_LENGTH; 1349 1.1 christos s->d1->w_msg_hdr.frag_len = msglen - DTLS1_HM_HEADER_LENGTH; 1350 1.1 christos } 1351 1.1 christos s->init_num = (int)msglen; 1352 1.1 christos s->init_off = 0; 1353 1.1 christos 1354 1.1 christos if (htype != DTLS1_MT_HELLO_VERIFY_REQUEST) { 1355 1.1 christos /* Buffer the message to handle re-xmits */ 1356 1.1.1.2 christos if (!dtls1_buffer_message(s, htype == SSL3_MT_CHANGE_CIPHER_SPEC ? 1 : 0)) 1357 1.1 christos return 0; 1358 1.1 christos } 1359 1.1 christos 1360 1.1 christos return 1; 1361 1.1 christos } 1362
Indexes created Mon Mar 02 05:31:46 UTC 2026