Branch data Line data Source code
1 : : /* ssl/d1_pkt.c */
2 : : /*
3 : : * DTLS implementation written by Nagendra Modadugu
4 : : * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
5 : : */
6 : : /* ====================================================================
7 : : * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
8 : : *
9 : : * Redistribution and use in source and binary forms, with or without
10 : : * modification, are permitted provided that the following conditions
11 : : * are met:
12 : : *
13 : : * 1. Redistributions of source code must retain the above copyright
14 : : * notice, this list of conditions and the following disclaimer.
15 : : *
16 : : * 2. Redistributions in binary form must reproduce the above copyright
17 : : * notice, this list of conditions and the following disclaimer in
18 : : * the documentation and/or other materials provided with the
19 : : * distribution.
20 : : *
21 : : * 3. All advertising materials mentioning features or use of this
22 : : * software must display the following acknowledgment:
23 : : * "This product includes software developed by the OpenSSL Project
24 : : * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
25 : : *
26 : : * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 : : * endorse or promote products derived from this software without
28 : : * prior written permission. For written permission, please contact
29 : : * openssl-core@openssl.org.
30 : : *
31 : : * 5. Products derived from this software may not be called "OpenSSL"
32 : : * nor may "OpenSSL" appear in their names without prior written
33 : : * permission of the OpenSSL Project.
34 : : *
35 : : * 6. Redistributions of any form whatsoever must retain the following
36 : : * acknowledgment:
37 : : * "This product includes software developed by the OpenSSL Project
38 : : * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
39 : : *
40 : : * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 : : * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 : : * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 : : * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 : : * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 : : * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 : : * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 : : * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 : : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 : : * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 : : * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 : : * OF THE POSSIBILITY OF SUCH DAMAGE.
52 : : * ====================================================================
53 : : *
54 : : * This product includes cryptographic software written by Eric Young
55 : : * (eay@cryptsoft.com). This product includes software written by Tim
56 : : * Hudson (tjh@cryptsoft.com).
57 : : *
58 : : */
59 : : /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
60 : : * All rights reserved.
61 : : *
62 : : * This package is an SSL implementation written
63 : : * by Eric Young (eay@cryptsoft.com).
64 : : * The implementation was written so as to conform with Netscapes SSL.
65 : : *
66 : : * This library is free for commercial and non-commercial use as long as
67 : : * the following conditions are aheared to. The following conditions
68 : : * apply to all code found in this distribution, be it the RC4, RSA,
69 : : * lhash, DES, etc., code; not just the SSL code. The SSL documentation
70 : : * included with this distribution is covered by the same copyright terms
71 : : * except that the holder is Tim Hudson (tjh@cryptsoft.com).
72 : : *
73 : : * Copyright remains Eric Young's, and as such any Copyright notices in
74 : : * the code are not to be removed.
75 : : * If this package is used in a product, Eric Young should be given attribution
76 : : * as the author of the parts of the library used.
77 : : * This can be in the form of a textual message at program startup or
78 : : * in documentation (online or textual) provided with the package.
79 : : *
80 : : * Redistribution and use in source and binary forms, with or without
81 : : * modification, are permitted provided that the following conditions
82 : : * are met:
83 : : * 1. Redistributions of source code must retain the copyright
84 : : * notice, this list of conditions and the following disclaimer.
85 : : * 2. Redistributions in binary form must reproduce the above copyright
86 : : * notice, this list of conditions and the following disclaimer in the
87 : : * documentation and/or other materials provided with the distribution.
88 : : * 3. All advertising materials mentioning features or use of this software
89 : : * must display the following acknowledgement:
90 : : * "This product includes cryptographic software written by
91 : : * Eric Young (eay@cryptsoft.com)"
92 : : * The word 'cryptographic' can be left out if the rouines from the library
93 : : * being used are not cryptographic related :-).
94 : : * 4. If you include any Windows specific code (or a derivative thereof) from
95 : : * the apps directory (application code) you must include an acknowledgement:
96 : : * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
97 : : *
98 : : * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
99 : : * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
100 : : * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
101 : : * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
102 : : * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
103 : : * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
104 : : * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
105 : : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
106 : : * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
107 : : * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
108 : : * SUCH DAMAGE.
109 : : *
110 : : * The licence and distribution terms for any publically available version or
111 : : * derivative of this code cannot be changed. i.e. this code cannot simply be
112 : : * copied and put under another distribution licence
113 : : * [including the GNU Public Licence.]
114 : : */
115 : :
116 : : #include <stdio.h>
117 : : #include <errno.h>
118 : : #define USE_SOCKETS
119 : : #include "ssl_locl.h"
120 : : #include <openssl/evp.h>
121 : : #include <openssl/buffer.h>
122 : : #include <openssl/pqueue.h>
123 : : #include <openssl/rand.h>
124 : :
125 : : /* mod 128 saturating subtract of two 64-bit values in big-endian order */
126 : 0 : static int satsub64be(const unsigned char *v1,const unsigned char *v2)
127 : : { int ret,sat,brw,i;
128 : :
129 : : if (sizeof(long) == 8) do
130 : : { const union { long one; char little; } is_endian = {1};
131 : : long l;
132 : :
133 : : if (is_endian.little) break;
134 : : /* not reached on little-endians */
135 : : /* following test is redundant, because input is
136 : : * always aligned, but I take no chances... */
137 : : if (((size_t)v1|(size_t)v2)&0x7) break;
138 : :
139 : : l = *((long *)v1);
140 : : l -= *((long *)v2);
141 : : if (l>128) return 128;
142 : : else if (l<-128) return -128;
143 : : else return (int)l;
144 : : } while (0);
145 : :
146 : 0 : ret = (int)v1[7]-(int)v2[7];
147 : 0 : sat = 0;
148 : 0 : brw = ret>>8; /* brw is either 0 or -1 */
149 [ # # ]: 0 : if (ret & 0x80)
150 [ # # ]: 0 : { for (i=6;i>=0;i--)
151 : 0 : { brw += (int)v1[i]-(int)v2[i];
152 : 0 : sat |= ~brw;
153 : 0 : brw >>= 8;
154 : : }
155 : : }
156 : : else
157 [ # # ]: 0 : { for (i=6;i>=0;i--)
158 : 0 : { brw += (int)v1[i]-(int)v2[i];
159 : 0 : sat |= brw;
160 : 0 : brw >>= 8;
161 : : }
162 : : }
163 : 0 : brw <<= 8; /* brw is either 0 or -256 */
164 : :
165 [ # # ]: 0 : if (sat&0xff) return brw | 0x80;
166 : 0 : else return brw + (ret&0xFF);
167 : : }
168 : :
169 : : static int have_handshake_fragment(SSL *s, int type, unsigned char *buf,
170 : : int len, int peek);
171 : : static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap);
172 : : static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);
173 : : static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
174 : : unsigned int *is_next_epoch);
175 : : #if 0
176 : : static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
177 : : unsigned short *priority, unsigned long *offset);
178 : : #endif
179 : : static int dtls1_buffer_record(SSL *s, record_pqueue *q,
180 : : unsigned char *priority);
181 : : static int dtls1_process_record(SSL *s);
182 : :
183 : : /* copy buffered record into SSL structure */
184 : : static int
185 : 0 : dtls1_copy_record(SSL *s, pitem *item)
186 : : {
187 : : DTLS1_RECORD_DATA *rdata;
188 : :
189 : 0 : rdata = (DTLS1_RECORD_DATA *)item->data;
190 : :
191 [ # # ]: 0 : if (s->s3->rbuf.buf != NULL)
192 : 0 : OPENSSL_free(s->s3->rbuf.buf);
193 : :
194 : 0 : s->packet = rdata->packet;
195 : 0 : s->packet_length = rdata->packet_length;
196 : 0 : memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
197 : 0 : memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
198 : :
199 : : /* Set proper sequence number for mac calculation */
200 : 0 : memcpy(&(s->s3->read_sequence[2]), &(rdata->packet[5]), 6);
201 : :
202 : 0 : return(1);
203 : : }
204 : :
205 : :
206 : : static int
207 : 0 : dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
208 : : {
209 : : DTLS1_RECORD_DATA *rdata;
210 : : pitem *item;
211 : :
212 : : /* Limit the size of the queue to prevent DOS attacks */
213 [ # # ]: 0 : if (pqueue_size(queue->q) >= 100)
214 : : return 0;
215 : :
216 : 0 : rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
217 : 0 : item = pitem_new(priority, rdata);
218 [ # # ]: 0 : if (rdata == NULL || item == NULL)
219 : : {
220 [ # # ]: 0 : if (rdata != NULL) OPENSSL_free(rdata);
221 [ # # ]: 0 : if (item != NULL) pitem_free(item);
222 : :
223 : 0 : SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
224 : : return(0);
225 : : }
226 : :
227 : 0 : rdata->packet = s->packet;
228 : 0 : rdata->packet_length = s->packet_length;
229 : 0 : memcpy(&(rdata->rbuf), &(s->s3->rbuf), sizeof(SSL3_BUFFER));
230 : 0 : memcpy(&(rdata->rrec), &(s->s3->rrec), sizeof(SSL3_RECORD));
231 : :
232 : 0 : item->data = rdata;
233 : :
234 : : #ifndef OPENSSL_NO_SCTP
235 : : /* Store bio_dgram_sctp_rcvinfo struct */
236 : : if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
237 : : (s->state == SSL3_ST_SR_FINISHED_A || s->state == SSL3_ST_CR_FINISHED_A)) {
238 : : BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SCTP_GET_RCVINFO, sizeof(rdata->recordinfo), &rdata->recordinfo);
239 : : }
240 : : #endif
241 : :
242 : 0 : s->packet = NULL;
243 : 0 : s->packet_length = 0;
244 : 0 : memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));
245 : 0 : memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD));
246 : :
247 [ # # ]: 0 : if (!ssl3_setup_buffers(s))
248 : : {
249 : 0 : SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
250 : 0 : OPENSSL_free(rdata);
251 : 0 : pitem_free(item);
252 : : return(0);
253 : : }
254 : :
255 : : /* insert should not fail, since duplicates are dropped */
256 [ # # ]: 0 : if (pqueue_insert(queue->q, item) == NULL)
257 : : {
258 : 0 : SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
259 : 0 : OPENSSL_free(rdata);
260 : 0 : pitem_free(item);
261 : : return(0);
262 : : }
263 : :
264 : : return(1);
265 : : }
266 : :
267 : :
268 : : static int
269 : 0 : dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue)
270 : : {
271 : 0 : pitem *item;
272 : :
273 : 0 : item = pqueue_pop(queue->q);
274 [ # # ]: 0 : if (item)
275 : : {
276 : 0 : dtls1_copy_record(s, item);
277 : :
278 : 0 : OPENSSL_free(item->data);
279 : 0 : pitem_free(item);
280 : :
281 : : return(1);
282 : : }
283 : :
284 : : return(0);
285 : : }
286 : :
287 : :
288 : : /* retrieve a buffered record that belongs to the new epoch, i.e., not processed
289 : : * yet */
290 : : #define dtls1_get_unprocessed_record(s) \
291 : : dtls1_retrieve_buffered_record((s), \
292 : : &((s)->d1->unprocessed_rcds))
293 : :
294 : : /* retrieve a buffered record that belongs to the current epoch, ie, processed */
295 : : #define dtls1_get_processed_record(s) \
296 : : dtls1_retrieve_buffered_record((s), \
297 : : &((s)->d1->processed_rcds))
298 : :
299 : : static int
300 : 0 : dtls1_process_buffered_records(SSL *s)
301 : : {
302 : : pitem *item;
303 : :
304 : 0 : item = pqueue_peek(s->d1->unprocessed_rcds.q);
305 [ # # ]: 0 : if (item)
306 : : {
307 : : /* Check if epoch is current. */
308 [ # # ]: 0 : if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch)
309 : : return(1); /* Nothing to do. */
310 : :
311 : : /* Process all the records. */
312 [ # # ]: 0 : while (pqueue_peek(s->d1->unprocessed_rcds.q))
313 : : {
314 : 0 : dtls1_get_unprocessed_record(s);
315 [ # # ]: 0 : if ( ! dtls1_process_record(s))
316 : : return(0);
317 : 0 : dtls1_buffer_record(s, &(s->d1->processed_rcds),
318 : 0 : s->s3->rrec.seq_num);
319 : : }
320 : : }
321 : :
322 : : /* sync epoch numbers once all the unprocessed records
323 : : * have been processed */
324 : 0 : s->d1->processed_rcds.epoch = s->d1->r_epoch;
325 : 0 : s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1;
326 : :
327 : 0 : return(1);
328 : : }
329 : :
330 : :
331 : : #if 0
332 : :
333 : : static int
334 : : dtls1_get_buffered_record(SSL *s)
335 : : {
336 : : pitem *item;
337 : : PQ_64BIT priority =
338 : : (((PQ_64BIT)s->d1->handshake_read_seq) << 32) |
339 : : ((PQ_64BIT)s->d1->r_msg_hdr.frag_off);
340 : :
341 : : if ( ! SSL_in_init(s)) /* if we're not (re)negotiating,
342 : : nothing buffered */
343 : : return 0;
344 : :
345 : :
346 : : item = pqueue_peek(s->d1->rcvd_records);
347 : : if (item && item->priority == priority)
348 : : {
349 : : /* Check if we've received the record of interest. It must be
350 : : * a handshake record, since data records as passed up without
351 : : * buffering */
352 : : DTLS1_RECORD_DATA *rdata;
353 : : item = pqueue_pop(s->d1->rcvd_records);
354 : : rdata = (DTLS1_RECORD_DATA *)item->data;
355 : :
356 : : if (s->s3->rbuf.buf != NULL)
357 : : OPENSSL_free(s->s3->rbuf.buf);
358 : :
359 : : s->packet = rdata->packet;
360 : : s->packet_length = rdata->packet_length;
361 : : memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
362 : : memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
363 : :
364 : : OPENSSL_free(item->data);
365 : : pitem_free(item);
366 : :
367 : : /* s->d1->next_expected_seq_num++; */
368 : : return(1);
369 : : }
370 : :
371 : : return 0;
372 : : }
373 : :
374 : : #endif
375 : :
376 : : static int
377 : 0 : dtls1_process_record(SSL *s)
378 : : {
379 : : int i,al;
380 : : int enc_err;
381 : : SSL_SESSION *sess;
382 : : SSL3_RECORD *rr;
383 : : unsigned int mac_size;
384 : : unsigned char md[EVP_MAX_MD_SIZE];
385 : :
386 : 0 : rr= &(s->s3->rrec);
387 : 0 : sess = s->session;
388 : :
389 : : /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
390 : : * and we have that many bytes in s->packet
391 : : */
392 : 0 : rr->input= &(s->packet[DTLS1_RT_HEADER_LENGTH]);
393 : :
394 : : /* ok, we can now read from 's->packet' data into 'rr'
395 : : * rr->input points at rr->length bytes, which
396 : : * need to be copied into rr->data by either
397 : : * the decryption or by the decompression
398 : : * When the data is 'copied' into the rr->data buffer,
399 : : * rr->input will be pointed at the new buffer */
400 : :
401 : : /* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
402 : : * rr->length bytes of encrypted compressed stuff. */
403 : :
404 : : /* check is not needed I believe */
405 [ # # ]: 0 : if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH)
406 : : {
407 : 0 : al=SSL_AD_RECORD_OVERFLOW;
408 : 0 : SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
409 : 0 : goto f_err;
410 : : }
411 : :
412 : : /* decrypt in place in 'rr->input' */
413 : 0 : rr->data=rr->input;
414 : 0 : rr->orig_len=rr->length;
415 : :
416 : 0 : enc_err = s->method->ssl3_enc->enc(s,0);
417 : : /* enc_err is:
418 : : * 0: (in non-constant time) if the record is publically invalid.
419 : : * 1: if the padding is valid
420 : : * -1: if the padding is invalid */
421 [ # # ]: 0 : if (enc_err == 0)
422 : : {
423 : : /* For DTLS we simply ignore bad packets. */
424 : 0 : rr->length = 0;
425 : 0 : s->packet_length = 0;
426 : 0 : goto err;
427 : : }
428 : :
429 : : #ifdef TLS_DEBUG
430 : : printf("dec %d\n",rr->length);
431 : : { unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
432 : : printf("\n");
433 : : #endif
434 : :
435 : : /* r->length is now the compressed data plus mac */
436 [ # # ][ # # ]: 0 : if ((sess != NULL) &&
437 [ # # ]: 0 : (s->enc_read_ctx != NULL) &&
438 : 0 : (EVP_MD_CTX_md(s->read_hash) != NULL))
439 : : {
440 : : /* s->read_hash != NULL => mac_size != -1 */
441 : 0 : unsigned char *mac = NULL;
442 : : unsigned char mac_tmp[EVP_MAX_MD_SIZE];
443 : 0 : mac_size=EVP_MD_CTX_size(s->read_hash);
444 [ # # ]: 0 : OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
445 : :
446 : : /* orig_len is the length of the record before any padding was
447 : : * removed. This is public information, as is the MAC in use,
448 : : * therefore we can safely process the record in a different
449 : : * amount of time if it's too short to possibly contain a MAC.
450 : : */
451 [ # # # # ]: 0 : if (rr->orig_len < mac_size ||
452 : : /* CBC records must have a padding length byte too. */
453 [ # # ]: 0 : (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
454 : 0 : rr->orig_len < mac_size+1))
455 : : {
456 : 0 : al=SSL_AD_DECODE_ERROR;
457 : 0 : SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
458 : 0 : goto f_err;
459 : : }
460 : :
461 [ # # ]: 0 : if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE)
462 : : {
463 : : /* We update the length so that the TLS header bytes
464 : : * can be constructed correctly but we need to extract
465 : : * the MAC in constant time from within the record,
466 : : * without leaking the contents of the padding bytes.
467 : : * */
468 : 0 : mac = mac_tmp;
469 : 0 : ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
470 : 0 : rr->length -= mac_size;
471 : : }
472 : : else
473 : : {
474 : : /* In this case there's no padding, so |rec->orig_len|
475 : : * equals |rec->length| and we checked that there's
476 : : * enough bytes for |mac_size| above. */
477 : 0 : rr->length -= mac_size;
478 : 0 : mac = &rr->data[rr->length];
479 : : }
480 : :
481 : 0 : i=s->method->ssl3_enc->mac(s,md,0 /* not send */);
482 [ # # ][ # # ]: 0 : if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
483 : : enc_err = -1;
484 [ # # ]: 0 : if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
485 : 0 : enc_err = -1;
486 : : }
487 : :
488 [ # # ]: 0 : if (enc_err < 0)
489 : : {
490 : : /* decryption failed, silently discard message */
491 : 0 : rr->length = 0;
492 : 0 : s->packet_length = 0;
493 : 0 : goto err;
494 : : }
495 : :
496 : : /* r->length is now just compressed */
497 [ # # ]: 0 : if (s->expand != NULL)
498 : : {
499 [ # # ]: 0 : if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH)
500 : : {
501 : 0 : al=SSL_AD_RECORD_OVERFLOW;
502 : 0 : SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
503 : 0 : goto f_err;
504 : : }
505 [ # # ]: 0 : if (!ssl3_do_uncompress(s))
506 : : {
507 : 0 : al=SSL_AD_DECOMPRESSION_FAILURE;
508 : 0 : SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_BAD_DECOMPRESSION);
509 : 0 : goto f_err;
510 : : }
511 : : }
512 : :
513 [ # # ]: 0 : if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH)
514 : : {
515 : 0 : al=SSL_AD_RECORD_OVERFLOW;
516 : 0 : SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
517 : 0 : goto f_err;
518 : : }
519 : :
520 : 0 : rr->off=0;
521 : : /* So at this point the following is true
522 : : * ssl->s3->rrec.type is the type of record
523 : : * ssl->s3->rrec.length == number of bytes in record
524 : : * ssl->s3->rrec.off == offset to first valid byte
525 : : * ssl->s3->rrec.data == where to take bytes from, increment
526 : : * after use :-).
527 : : */
528 : :
529 : : /* we have pulled in a full packet so zero things */
530 : 0 : s->packet_length=0;
531 : 0 : dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */
532 : 0 : return(1);
533 : :
534 : : f_err:
535 : 0 : ssl3_send_alert(s,SSL3_AL_FATAL,al);
536 : : err:
537 : : return(0);
538 : : }
539 : :
540 : :
541 : : /* Call this to get a new input record.
542 : : * It will return <= 0 if more data is needed, normally due to an error
543 : : * or non-blocking IO.
544 : : * When it finishes, one packet has been decoded and can be found in
545 : : * ssl->s3->rrec.type - is the type of record
546 : : * ssl->s3->rrec.data, - data
547 : : * ssl->s3->rrec.length, - number of bytes
548 : : */
549 : : /* used only by dtls1_read_bytes */
550 : 0 : int dtls1_get_record(SSL *s)
551 : : {
552 : : int ssl_major,ssl_minor;
553 : : int i,n;
554 : 0 : SSL3_RECORD *rr;
555 : 0 : unsigned char *p = NULL;
556 : : unsigned short version;
557 : : DTLS1_BITMAP *bitmap;
558 : : unsigned int is_next_epoch;
559 : :
560 : 0 : rr= &(s->s3->rrec);
561 : :
562 : : /* The epoch may have changed. If so, process all the
563 : : * pending records. This is a non-blocking operation. */
564 : 0 : dtls1_process_buffered_records(s);
565 : :
566 : : /* if we're renegotiating, then there may be buffered records */
567 [ # # ]: 0 : if (dtls1_get_processed_record(s))
568 : : return 1;
569 : :
570 : : /* get something from the wire */
571 : : again:
572 : : /* check if we have the header */
573 [ # # ][ # # ]: 0 : if ( (s->rstate != SSL_ST_READ_BODY) ||
574 : 0 : (s->packet_length < DTLS1_RT_HEADER_LENGTH))
575 : : {
576 : 0 : n=ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
577 : : /* read timeout is handled by dtls1_read_bytes */
578 [ # # ]: 0 : if (n <= 0) return(n); /* error or non-blocking */
579 : :
580 : : /* this packet contained a partial record, dump it */
581 [ # # ]: 0 : if (s->packet_length != DTLS1_RT_HEADER_LENGTH)
582 : : {
583 : 0 : s->packet_length = 0;
584 : 0 : goto again;
585 : : }
586 : :
587 : 0 : s->rstate=SSL_ST_READ_BODY;
588 : :
589 : 0 : p=s->packet;
590 : :
591 [ # # ]: 0 : if (s->msg_callback)
592 : 0 : s->msg_callback(0, 0, SSL3_RT_HEADER, p, DTLS1_RT_HEADER_LENGTH, s, s->msg_callback_arg);
593 : :
594 : : /* Pull apart the header into the DTLS1_RECORD */
595 : 0 : rr->type= *(p++);
596 : 0 : ssl_major= *(p++);
597 : 0 : ssl_minor= *(p++);
598 : 0 : version=(ssl_major<<8)|ssl_minor;
599 : :
600 : : /* sequence number is 64 bits, with top 2 bytes = epoch */
601 : 0 : n2s(p,rr->epoch);
602 : :
603 : 0 : memcpy(&(s->s3->read_sequence[2]), p, 6);
604 : 0 : p+=6;
605 : :
606 : 0 : n2s(p,rr->length);
607 : :
608 : : /* Lets check version */
609 [ # # ]: 0 : if (!s->first_packet)
610 : : {
611 [ # # ]: 0 : if (version != s->version)
612 : : {
613 : : /* unexpected version, silently discard */
614 : 0 : rr->length = 0;
615 : 0 : s->packet_length = 0;
616 : 0 : goto again;
617 : : }
618 : : }
619 : :
620 [ # # ]: 0 : if ((version & 0xff00) != (s->version & 0xff00))
621 : : {
622 : : /* wrong version, silently discard record */
623 : 0 : rr->length = 0;
624 : 0 : s->packet_length = 0;
625 : 0 : goto again;
626 : : }
627 : :
628 [ # # ]: 0 : if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH)
629 : : {
630 : : /* record too long, silently discard it */
631 : 0 : rr->length = 0;
632 : 0 : s->packet_length = 0;
633 : 0 : goto again;
634 : : }
635 : :
636 : : /* now s->rstate == SSL_ST_READ_BODY */
637 : : }
638 : :
639 : : /* s->rstate == SSL_ST_READ_BODY, get and decode the data */
640 : :
641 [ # # ]: 0 : if (rr->length > s->packet_length-DTLS1_RT_HEADER_LENGTH)
642 : : {
643 : : /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
644 : 0 : i=rr->length;
645 : 0 : n=ssl3_read_n(s,i,i,1);
646 [ # # ]: 0 : if (n <= 0) return(n); /* error or non-blocking io */
647 : :
648 : : /* this packet contained a partial record, dump it */
649 [ # # ]: 0 : if ( n != i)
650 : : {
651 : 0 : rr->length = 0;
652 : 0 : s->packet_length = 0;
653 : 0 : goto again;
654 : : }
655 : :
656 : : /* now n == rr->length,
657 : : * and s->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length */
658 : : }
659 : 0 : s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */
660 : :
661 : : /* match epochs. NULL means the packet is dropped on the floor */
662 : 0 : bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
663 [ # # ]: 0 : if ( bitmap == NULL)
664 : : {
665 : 0 : rr->length = 0;
666 : 0 : s->packet_length = 0; /* dump this record */
667 : 0 : goto again; /* get another record */
668 : : }
669 : :
670 : : #ifndef OPENSSL_NO_SCTP
671 : : /* Only do replay check if no SCTP bio */
672 : : if (!BIO_dgram_is_sctp(SSL_get_rbio(s)))
673 : : {
674 : : #endif
675 : : /* Check whether this is a repeat, or aged record.
676 : : * Don't check if we're listening and this message is
677 : : * a ClientHello. They can look as if they're replayed,
678 : : * since they arrive from different connections and
679 : : * would be dropped unnecessarily.
680 : : */
681 [ # # ][ # # ]: 0 : if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE &&
[ # # ]
682 [ # # ]: 0 : *p == SSL3_MT_CLIENT_HELLO) &&
683 : 0 : !dtls1_record_replay_check(s, bitmap))
684 : : {
685 : 0 : rr->length = 0;
686 : 0 : s->packet_length=0; /* dump this record */
687 : 0 : goto again; /* get another record */
688 : : }
689 : : #ifndef OPENSSL_NO_SCTP
690 : : }
691 : : #endif
692 : :
693 : : /* just read a 0 length packet */
694 [ # # ]: 0 : if (rr->length == 0) goto again;
695 : :
696 : : /* If this record is from the next epoch (either HM or ALERT),
697 : : * and a handshake is currently in progress, buffer it since it
698 : : * cannot be processed at this time. However, do not buffer
699 : : * anything while listening.
700 : : */
701 [ # # ]: 0 : if (is_next_epoch)
702 : : {
703 [ # # ][ # # ]: 0 : if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen)
[ # # ]
704 : : {
705 : 0 : dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
706 : : }
707 : 0 : rr->length = 0;
708 : 0 : s->packet_length = 0;
709 : 0 : goto again;
710 : : }
711 : :
712 [ # # ]: 0 : if (!dtls1_process_record(s))
713 : : {
714 : 0 : rr->length = 0;
715 : 0 : s->packet_length = 0; /* dump this record */
716 : 0 : goto again; /* get another record */
717 : : }
718 : :
719 : : return(1);
720 : :
721 : : }
722 : :
723 : : /* Return up to 'len' payload bytes received in 'type' records.
724 : : * 'type' is one of the following:
725 : : *
726 : : * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
727 : : * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
728 : : * - 0 (during a shutdown, no data has to be returned)
729 : : *
730 : : * If we don't have stored data to work from, read a SSL/TLS record first
731 : : * (possibly multiple records if we still don't have anything to return).
732 : : *
733 : : * This function must handle any surprises the peer may have for us, such as
734 : : * Alert records (e.g. close_notify), ChangeCipherSpec records (not really
735 : : * a surprise, but handled as if it were), or renegotiation requests.
736 : : * Also if record payloads contain fragments too small to process, we store
737 : : * them until there is enough for the respective protocol (the record protocol
738 : : * may use arbitrary fragmentation and even interleaving):
739 : : * Change cipher spec protocol
740 : : * just 1 byte needed, no need for keeping anything stored
741 : : * Alert protocol
742 : : * 2 bytes needed (AlertLevel, AlertDescription)
743 : : * Handshake protocol
744 : : * 4 bytes needed (HandshakeType, uint24 length) -- we just have
745 : : * to detect unexpected Client Hello and Hello Request messages
746 : : * here, anything else is handled by higher layers
747 : : * Application data protocol
748 : : * none of our business
749 : : */
750 : 0 : int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
751 : : {
752 : : int al,i,j,ret;
753 : : unsigned int n;
754 : : SSL3_RECORD *rr;
755 : 0 : void (*cb)(const SSL *ssl,int type2,int val)=NULL;
756 : :
757 [ # # ]: 0 : if (s->s3->rbuf.buf == NULL) /* Not initialized yet */
758 [ # # ]: 0 : if (!ssl3_setup_buffers(s))
759 : : return(-1);
760 : :
761 : : /* XXX: check what the second '&& type' is about */
762 [ # # ]: 0 : if ((type && (type != SSL3_RT_APPLICATION_DATA) &&
763 [ # # ][ # # ]: 0 : (type != SSL3_RT_HANDSHAKE) && type) ||
764 : 0 : (peek && (type != SSL3_RT_APPLICATION_DATA)))
765 : : {
766 : 0 : SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR);
767 : 0 : return -1;
768 : : }
769 : :
770 : : /* check whether there's a handshake message (client hello?) waiting */
771 [ # # ]: 0 : if ( (ret = have_handshake_fragment(s, type, buf, len, peek)))
772 : : return ret;
773 : :
774 : : /* Now s->d1->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
775 : :
776 : : #ifndef OPENSSL_NO_SCTP
777 : : /* Continue handshake if it had to be interrupted to read
778 : : * app data with SCTP.
779 : : */
780 : : if ((!s->in_handshake && SSL_in_init(s)) ||
781 : : (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
782 : : (s->state == DTLS1_SCTP_ST_SR_READ_SOCK || s->state == DTLS1_SCTP_ST_CR_READ_SOCK) &&
783 : : s->s3->in_read_app_data != 2))
784 : : #else
785 [ # # ][ # # ]: 0 : if (!s->in_handshake && SSL_in_init(s))
786 : : #endif
787 : : {
788 : : /* type == SSL3_RT_APPLICATION_DATA */
789 : 0 : i=s->handshake_func(s);
790 [ # # ]: 0 : if (i < 0) return(i);
791 [ # # ]: 0 : if (i == 0)
792 : : {
793 : 0 : SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
794 : 0 : return(-1);
795 : : }
796 : : }
797 : :
798 : : start:
799 : 0 : s->rwstate=SSL_NOTHING;
800 : :
801 : : /* s->s3->rrec.type - is the type of record
802 : : * s->s3->rrec.data, - data
803 : : * s->s3->rrec.off, - offset into 'data' for next read
804 : : * s->s3->rrec.length, - number of bytes. */
805 : 0 : rr = &(s->s3->rrec);
806 : :
807 : : /* We are not handshaking and have no data yet,
808 : : * so process data buffered during the last handshake
809 : : * in advance, if any.
810 : : */
811 [ # # ][ # # ]: 0 : if (s->state == SSL_ST_OK && rr->length == 0)
812 : : {
813 : 0 : pitem *item;
814 : 0 : item = pqueue_pop(s->d1->buffered_app_data.q);
815 [ # # ]: 0 : if (item)
816 : : {
817 : : #ifndef OPENSSL_NO_SCTP
818 : : /* Restore bio_dgram_sctp_rcvinfo struct */
819 : : if (BIO_dgram_is_sctp(SSL_get_rbio(s)))
820 : : {
821 : : DTLS1_RECORD_DATA *rdata = (DTLS1_RECORD_DATA *) item->data;
822 : : BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SCTP_SET_RCVINFO, sizeof(rdata->recordinfo), &rdata->recordinfo);
823 : : }
824 : : #endif
825 : :
826 : 0 : dtls1_copy_record(s, item);
827 : :
828 : 0 : OPENSSL_free(item->data);
829 : 0 : pitem_free(item);
830 : : }
831 : : }
832 : :
833 : : /* Check for timeout */
834 [ # # ]: 0 : if (dtls1_handle_timeout(s) > 0)
835 : : goto start;
836 : :
837 : : /* get new packet if necessary */
838 [ # # ][ # # ]: 0 : if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
839 : : {
840 : 0 : ret=dtls1_get_record(s);
841 [ # # ]: 0 : if (ret <= 0)
842 : : {
843 : 0 : ret = dtls1_read_failed(s, ret);
844 : : /* anything other than a timeout is an error */
845 [ # # ]: 0 : if (ret <= 0)
846 : : return(ret);
847 : : else
848 : : goto start;
849 : : }
850 : : }
851 : :
852 [ # # ][ # # ]: 0 : if (s->d1->listen && rr->type != SSL3_RT_HANDSHAKE)
853 : : {
854 : 0 : rr->length = 0;
855 : 0 : goto start;
856 : : }
857 : :
858 : : /* we now have a packet which can be read and processed */
859 : :
860 [ # # ]: 0 : if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
861 : : * reset by ssl3_get_finished */
862 [ # # ]: 0 : && (rr->type != SSL3_RT_HANDSHAKE))
863 : : {
864 : : /* We now have application data between CCS and Finished.
865 : : * Most likely the packets were reordered on their way, so
866 : : * buffer the application data for later processing rather
867 : : * than dropping the connection.
868 : : */
869 : 0 : dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num);
870 : 0 : rr->length = 0;
871 : 0 : goto start;
872 : : }
873 : :
874 : : /* If the other end has shut down, throw anything we read away
875 : : * (even in 'peek' mode) */
876 [ # # ]: 0 : if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
877 : : {
878 : 0 : rr->length=0;
879 : 0 : s->rwstate=SSL_NOTHING;
880 : 0 : return(0);
881 : : }
882 : :
883 : :
884 [ # # ]: 0 : if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */
885 : : {
886 : : /* make sure that we are not getting application data when we
887 : : * are doing a handshake for the first time */
888 [ # # ][ # # ]: 0 : if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
[ # # ]
889 : 0 : (s->enc_read_ctx == NULL))
890 : : {
891 : 0 : al=SSL_AD_UNEXPECTED_MESSAGE;
892 : 0 : SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE);
893 : 0 : goto f_err;
894 : : }
895 : :
896 [ # # ]: 0 : if (len <= 0) return(len);
897 : :
898 [ # # ]: 0 : if ((unsigned int)len > rr->length)
899 : : n = rr->length;
900 : : else
901 : 0 : n = (unsigned int)len;
902 : :
903 : 0 : memcpy(buf,&(rr->data[rr->off]),n);
904 [ # # ]: 0 : if (!peek)
905 : : {
906 : 0 : rr->length-=n;
907 : 0 : rr->off+=n;
908 [ # # ]: 0 : if (rr->length == 0)
909 : : {
910 : 0 : s->rstate=SSL_ST_READ_HEADER;
911 : 0 : rr->off=0;
912 : : }
913 : : }
914 : :
915 : : #ifndef OPENSSL_NO_SCTP
916 : : /* We were about to renegotiate but had to read
917 : : * belated application data first, so retry.
918 : : */
919 : : if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
920 : : rr->type == SSL3_RT_APPLICATION_DATA &&
921 : : (s->state == DTLS1_SCTP_ST_SR_READ_SOCK || s->state == DTLS1_SCTP_ST_CR_READ_SOCK))
922 : : {
923 : : s->rwstate=SSL_READING;
924 : : BIO_clear_retry_flags(SSL_get_rbio(s));
925 : : BIO_set_retry_read(SSL_get_rbio(s));
926 : : }
927 : :
928 : : /* We might had to delay a close_notify alert because
929 : : * of reordered app data. If there was an alert and there
930 : : * is no message to read anymore, finally set shutdown.
931 : : */
932 : : if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
933 : : s->d1->shutdown_received && !BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s)))
934 : : {
935 : : s->shutdown |= SSL_RECEIVED_SHUTDOWN;
936 : : return(0);
937 : : }
938 : : #endif
939 : 0 : return(n);
940 : : }
941 : :
942 : :
943 : : /* If we get here, then type != rr->type; if we have a handshake
944 : : * message, then it was unexpected (Hello Request or Client Hello). */
945 : :
946 : : /* In case of record types for which we have 'fragment' storage,
947 : : * fill that so that we can process the data at a fixed place.
948 : : */
949 : : {
950 : 0 : unsigned int k, dest_maxlen = 0;
951 : 0 : unsigned char *dest = NULL;
952 : 0 : unsigned int *dest_len = NULL;
953 : :
954 [ # # ]: 0 : if (rr->type == SSL3_RT_HANDSHAKE)
955 : : {
956 : 0 : dest_maxlen = sizeof s->d1->handshake_fragment;
957 : 0 : dest = s->d1->handshake_fragment;
958 : 0 : dest_len = &s->d1->handshake_fragment_len;
959 : : }
960 [ # # ]: 0 : else if (rr->type == SSL3_RT_ALERT)
961 : : {
962 : 0 : dest_maxlen = sizeof(s->d1->alert_fragment);
963 : 0 : dest = s->d1->alert_fragment;
964 : 0 : dest_len = &s->d1->alert_fragment_len;
965 : : }
966 : : #ifndef OPENSSL_NO_HEARTBEATS
967 [ # # ]: 0 : else if (rr->type == TLS1_RT_HEARTBEAT)
968 : : {
969 : 0 : dtls1_process_heartbeat(s);
970 : :
971 : : /* Exit and notify application to read again */
972 : 0 : rr->length = 0;
973 : 0 : s->rwstate=SSL_READING;
974 : 0 : BIO_clear_retry_flags(SSL_get_rbio(s));
975 : 0 : BIO_set_retry_read(SSL_get_rbio(s));
976 : 0 : return(-1);
977 : : }
978 : : #endif
979 : : /* else it's a CCS message, or application data or wrong */
980 [ # # ]: 0 : else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC)
981 : : {
982 : : /* Application data while renegotiating
983 : : * is allowed. Try again reading.
984 : : */
985 [ # # ]: 0 : if (rr->type == SSL3_RT_APPLICATION_DATA)
986 : : {
987 : : BIO *bio;
988 : 0 : s->s3->in_read_app_data=2;
989 : 0 : bio=SSL_get_rbio(s);
990 : 0 : s->rwstate=SSL_READING;
991 : 0 : BIO_clear_retry_flags(bio);
992 : 0 : BIO_set_retry_read(bio);
993 : 0 : return(-1);
994 : : }
995 : :
996 : : /* Not certain if this is the right error handling */
997 : 0 : al=SSL_AD_UNEXPECTED_MESSAGE;
998 : 0 : SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
999 : 0 : goto f_err;
1000 : : }
1001 : :
1002 [ # # ]: 0 : if (dest_maxlen > 0)
1003 : : {
1004 : : /* XDTLS: In a pathalogical case, the Client Hello
1005 : : * may be fragmented--don't always expect dest_maxlen bytes */
1006 [ # # ]: 0 : if ( rr->length < dest_maxlen)
1007 : : {
1008 : : #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
1009 : : /*
1010 : : * for normal alerts rr->length is 2, while
1011 : : * dest_maxlen is 7 if we were to handle this
1012 : : * non-existing alert...
1013 : : */
1014 : : FIX ME
1015 : : #endif
1016 : 0 : s->rstate=SSL_ST_READ_HEADER;
1017 : 0 : rr->length = 0;
1018 : 0 : goto start;
1019 : : }
1020 : :
1021 : : /* now move 'n' bytes: */
1022 [ # # ]: 0 : for ( k = 0; k < dest_maxlen; k++)
1023 : : {
1024 : 0 : dest[k] = rr->data[rr->off++];
1025 : 0 : rr->length--;
1026 : : }
1027 : 0 : *dest_len = dest_maxlen;
1028 : : }
1029 : : }
1030 : :
1031 : : /* s->d1->handshake_fragment_len == 12 iff rr->type == SSL3_RT_HANDSHAKE;
1032 : : * s->d1->alert_fragment_len == 7 iff rr->type == SSL3_RT_ALERT.
1033 : : * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */
1034 : :
1035 : : /* If we are a client, check for an incoming 'Hello Request': */
1036 [ # # ][ # # ]: 0 : if ((!s->server) &&
1037 [ # # ]: 0 : (s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) &&
1038 [ # # ]: 0 : (s->d1->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) &&
1039 [ # # ]: 0 : (s->session != NULL) && (s->session->cipher != NULL))
1040 : : {
1041 : 0 : s->d1->handshake_fragment_len = 0;
1042 : :
1043 [ # # ]: 0 : if ((s->d1->handshake_fragment[1] != 0) ||
1044 : 0 : (s->d1->handshake_fragment[2] != 0) ||
1045 : : (s->d1->handshake_fragment[3] != 0))
1046 : : {
1047 : 0 : al=SSL_AD_DECODE_ERROR;
1048 : 0 : SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
1049 : 0 : goto err;
1050 : : }
1051 : :
1052 : : /* no need to check sequence number on HELLO REQUEST messages */
1053 : :
1054 [ # # ]: 0 : if (s->msg_callback)
1055 : 0 : s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
1056 : 0 : s->d1->handshake_fragment, 4, s, s->msg_callback_arg);
1057 : :
1058 [ # # ][ # # ]: 0 : if (SSL_is_init_finished(s) &&
1059 [ # # ]: 0 : !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
1060 : 0 : !s->s3->renegotiate)
1061 : : {
1062 : 0 : s->d1->handshake_read_seq++;
1063 : 0 : s->new_session = 1;
1064 : 0 : ssl3_renegotiate(s);
1065 [ # # ]: 0 : if (ssl3_renegotiate_check(s))
1066 : : {
1067 : 0 : i=s->handshake_func(s);
1068 [ # # ]: 0 : if (i < 0) return(i);
1069 [ # # ]: 0 : if (i == 0)
1070 : : {
1071 : 0 : SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
1072 : 0 : return(-1);
1073 : : }
1074 : :
1075 [ # # ]: 0 : if (!(s->mode & SSL_MODE_AUTO_RETRY))
1076 : : {
1077 [ # # ]: 0 : if (s->s3->rbuf.left == 0) /* no read-ahead left? */
1078 : : {
1079 : : BIO *bio;
1080 : : /* In the case where we try to read application data,
1081 : : * but we trigger an SSL handshake, we return -1 with
1082 : : * the retry option set. Otherwise renegotiation may
1083 : : * cause nasty problems in the blocking world */
1084 : 0 : s->rwstate=SSL_READING;
1085 : 0 : bio=SSL_get_rbio(s);
1086 : 0 : BIO_clear_retry_flags(bio);
1087 : 0 : BIO_set_retry_read(bio);
1088 : 0 : return(-1);
1089 : : }
1090 : : }
1091 : : }
1092 : : }
1093 : : /* we either finished a handshake or ignored the request,
1094 : : * now try again to obtain the (application) data we were asked for */
1095 : : goto start;
1096 : : }
1097 : :
1098 [ # # ]: 0 : if (s->d1->alert_fragment_len >= DTLS1_AL_HEADER_LENGTH)
1099 : : {
1100 : 0 : int alert_level = s->d1->alert_fragment[0];
1101 : 0 : int alert_descr = s->d1->alert_fragment[1];
1102 : :
1103 : 0 : s->d1->alert_fragment_len = 0;
1104 : :
1105 [ # # ]: 0 : if (s->msg_callback)
1106 : 0 : s->msg_callback(0, s->version, SSL3_RT_ALERT,
1107 : 0 : s->d1->alert_fragment, 2, s, s->msg_callback_arg);
1108 : :
1109 [ # # ]: 0 : if (s->info_callback != NULL)
1110 : : cb=s->info_callback;
1111 [ # # ]: 0 : else if (s->ctx->info_callback != NULL)
1112 : 0 : cb=s->ctx->info_callback;
1113 : :
1114 [ # # ]: 0 : if (cb != NULL)
1115 : : {
1116 : 0 : j = (alert_level << 8) | alert_descr;
1117 : 0 : cb(s, SSL_CB_READ_ALERT, j);
1118 : : }
1119 : :
1120 [ # # ]: 0 : if (alert_level == 1) /* warning */
1121 : : {
1122 : 0 : s->s3->warn_alert = alert_descr;
1123 [ # # ]: 0 : if (alert_descr == SSL_AD_CLOSE_NOTIFY)
1124 : : {
1125 : : #ifndef OPENSSL_NO_SCTP
1126 : : /* With SCTP and streams the socket may deliver app data
1127 : : * after a close_notify alert. We have to check this
1128 : : * first so that nothing gets discarded.
1129 : : */
1130 : : if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
1131 : : BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s)))
1132 : : {
1133 : : s->d1->shutdown_received = 1;
1134 : : s->rwstate=SSL_READING;
1135 : : BIO_clear_retry_flags(SSL_get_rbio(s));
1136 : : BIO_set_retry_read(SSL_get_rbio(s));
1137 : : return -1;
1138 : : }
1139 : : #endif
1140 : 0 : s->shutdown |= SSL_RECEIVED_SHUTDOWN;
1141 : 0 : return(0);
1142 : : }
1143 : : #if 0
1144 : : /* XXX: this is a possible improvement in the future */
1145 : : /* now check if it's a missing record */
1146 : : if (alert_descr == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
1147 : : {
1148 : : unsigned short seq;
1149 : : unsigned int frag_off;
1150 : : unsigned char *p = &(s->d1->alert_fragment[2]);
1151 : :
1152 : : n2s(p, seq);
1153 : : n2l3(p, frag_off);
1154 : :
1155 : : dtls1_retransmit_message(s,
1156 : : dtls1_get_queue_priority(frag->msg_header.seq, 0),
1157 : : frag_off, &found);
1158 : : if ( ! found && SSL_in_init(s))
1159 : : {
1160 : : /* fprintf( stderr,"in init = %d\n", SSL_in_init(s)); */
1161 : : /* requested a message not yet sent,
1162 : : send an alert ourselves */
1163 : : ssl3_send_alert(s,SSL3_AL_WARNING,
1164 : : DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
1165 : : }
1166 : : }
1167 : : #endif
1168 : : }
1169 [ # # ]: 0 : else if (alert_level == 2) /* fatal */
1170 : : {
1171 : : char tmp[16];
1172 : :
1173 : 0 : s->rwstate=SSL_NOTHING;
1174 : 0 : s->s3->fatal_alert = alert_descr;
1175 : 0 : SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
1176 : 0 : BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr);
1177 : 0 : ERR_add_error_data(2,"SSL alert number ",tmp);
1178 : 0 : s->shutdown|=SSL_RECEIVED_SHUTDOWN;
1179 : 0 : SSL_CTX_remove_session(s->ctx,s->session);
1180 : : return(0);
1181 : : }
1182 : : else
1183 : : {
1184 : 0 : al=SSL_AD_ILLEGAL_PARAMETER;
1185 : 0 : SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE);
1186 : 0 : goto f_err;
1187 : : }
1188 : :
1189 : : goto start;
1190 : : }
1191 : :
1192 [ # # ]: 0 : if (s->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutdown */
1193 : : {
1194 : 0 : s->rwstate=SSL_NOTHING;
1195 : 0 : rr->length=0;
1196 : 0 : return(0);
1197 : : }
1198 : :
1199 [ # # ]: 0 : if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
1200 : : {
1201 : : struct ccs_header_st ccs_hdr;
1202 : 0 : unsigned int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH;
1203 : :
1204 : 0 : dtls1_get_ccs_header(rr->data, &ccs_hdr);
1205 : :
1206 [ # # ]: 0 : if (s->version == DTLS1_BAD_VER)
1207 : 0 : ccs_hdr_len = 3;
1208 : :
1209 : : /* 'Change Cipher Spec' is just a single byte, so we know
1210 : : * exactly what the record payload has to look like */
1211 : : /* XDTLS: check that epoch is consistent */
1212 [ # # ][ # # ]: 0 : if ( (rr->length != ccs_hdr_len) ||
1213 [ # # ]: 0 : (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
1214 : : {
1215 : 0 : i=SSL_AD_ILLEGAL_PARAMETER;
1216 : 0 : SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
1217 : 0 : goto err;
1218 : : }
1219 : :
1220 : 0 : rr->length=0;
1221 : :
1222 [ # # ]: 0 : if (s->msg_callback)
1223 : 0 : s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC,
1224 : : rr->data, 1, s, s->msg_callback_arg);
1225 : :
1226 : : /* We can't process a CCS now, because previous handshake
1227 : : * messages are still missing, so just drop it.
1228 : : */
1229 [ # # ]: 0 : if (!s->d1->change_cipher_spec_ok)
1230 : : {
1231 : : goto start;
1232 : : }
1233 : :
1234 : 0 : s->d1->change_cipher_spec_ok = 0;
1235 : :
1236 : 0 : s->s3->change_cipher_spec=1;
1237 [ # # ]: 0 : if (!ssl3_do_change_cipher_spec(s))
1238 : : goto err;
1239 : :
1240 : : /* do this whenever CCS is processed */
1241 : 0 : dtls1_reset_seq_numbers(s, SSL3_CC_READ);
1242 : :
1243 [ # # ]: 0 : if (s->version == DTLS1_BAD_VER)
1244 : 0 : s->d1->handshake_read_seq++;
1245 : :
1246 : : #ifndef OPENSSL_NO_SCTP
1247 : : /* Remember that a CCS has been received,
1248 : : * so that an old key of SCTP-Auth can be
1249 : : * deleted when a CCS is sent. Will be ignored
1250 : : * if no SCTP is used
1251 : : */
1252 : : BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
1253 : : #endif
1254 : :
1255 : : goto start;
1256 : : }
1257 : :
1258 : : /* Unexpected handshake message (Client Hello, or protocol violation) */
1259 [ # # ][ # # ]: 0 : if ((s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) &&
1260 : 0 : !s->in_handshake)
1261 : : {
1262 : : struct hm_header_st msg_hdr;
1263 : :
1264 : : /* this may just be a stale retransmit */
1265 : 0 : dtls1_get_message_header(rr->data, &msg_hdr);
1266 [ # # ]: 0 : if( rr->epoch != s->d1->r_epoch)
1267 : : {
1268 : 0 : rr->length = 0;
1269 : 0 : goto start;
1270 : : }
1271 : :
1272 : : /* If we are server, we may have a repeated FINISHED of the
1273 : : * client here, then retransmit our CCS and FINISHED.
1274 : : */
1275 [ # # ]: 0 : if (msg_hdr.type == SSL3_MT_FINISHED)
1276 : : {
1277 [ # # ]: 0 : if (dtls1_check_timeout_num(s) < 0)
1278 : 0 : return -1;
1279 : :
1280 : 0 : dtls1_retransmit_buffered_messages(s);
1281 : 0 : rr->length = 0;
1282 : 0 : goto start;
1283 : : }
1284 : :
1285 [ # # ][ # # ]: 0 : if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
1286 : 0 : !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
1287 : : {
1288 : : #if 0 /* worked only because C operator preferences are not as expected (and
1289 : : * because this is not really needed for clients except for detecting
1290 : : * protocol violations): */
1291 : : s->state=SSL_ST_BEFORE|(s->server)
1292 : : ?SSL_ST_ACCEPT
1293 : : :SSL_ST_CONNECT;
1294 : : #else
1295 [ # # ]: 0 : s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
1296 : : #endif
1297 : 0 : s->renegotiate=1;
1298 : 0 : s->new_session=1;
1299 : : }
1300 : 0 : i=s->handshake_func(s);
1301 [ # # ]: 0 : if (i < 0) return(i);
1302 [ # # ]: 0 : if (i == 0)
1303 : : {
1304 : 0 : SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
1305 : 0 : return(-1);
1306 : : }
1307 : :
1308 [ # # ]: 0 : if (!(s->mode & SSL_MODE_AUTO_RETRY))
1309 : : {
1310 [ # # ]: 0 : if (s->s3->rbuf.left == 0) /* no read-ahead left? */
1311 : : {
1312 : : BIO *bio;
1313 : : /* In the case where we try to read application data,
1314 : : * but we trigger an SSL handshake, we return -1 with
1315 : : * the retry option set. Otherwise renegotiation may
1316 : : * cause nasty problems in the blocking world */
1317 : 0 : s->rwstate=SSL_READING;
1318 : 0 : bio=SSL_get_rbio(s);
1319 : 0 : BIO_clear_retry_flags(bio);
1320 : 0 : BIO_set_retry_read(bio);
1321 : 0 : return(-1);
1322 : : }
1323 : : }
1324 : : goto start;
1325 : : }
1326 : :
1327 [ # # # ]: 0 : switch (rr->type)
1328 : : {
1329 : : default:
1330 : : #ifndef OPENSSL_NO_TLS
1331 : : /* TLS just ignores unknown message types */
1332 [ # # ]: 0 : if (s->version == TLS1_VERSION)
1333 : : {
1334 : 0 : rr->length = 0;
1335 : 0 : goto start;
1336 : : }
1337 : : #endif
1338 : 0 : al=SSL_AD_UNEXPECTED_MESSAGE;
1339 : 0 : SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
1340 : 0 : goto f_err;
1341 : : case SSL3_RT_CHANGE_CIPHER_SPEC:
1342 : : case SSL3_RT_ALERT:
1343 : : case SSL3_RT_HANDSHAKE:
1344 : : /* we already handled all of these, with the possible exception
1345 : : * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that
1346 : : * should not happen when type != rr->type */
1347 : 0 : al=SSL_AD_UNEXPECTED_MESSAGE;
1348 : 0 : SSLerr(SSL_F_DTLS1_READ_BYTES,ERR_R_INTERNAL_ERROR);
1349 : 0 : goto f_err;
1350 : : case SSL3_RT_APPLICATION_DATA:
1351 : : /* At this point, we were expecting handshake data,
1352 : : * but have application data. If the library was
1353 : : * running inside ssl3_read() (i.e. in_read_app_data
1354 : : * is set) and it makes sense to read application data
1355 : : * at this point (session renegotiation not yet started),
1356 : : * we will indulge it.
1357 : : */
1358 [ # # ][ # # ]: 0 : if (s->s3->in_read_app_data &&
1359 [ # # ]: 0 : (s->s3->total_renegotiations != 0) &&
1360 : : ((
1361 [ # # ]: 0 : (s->state & SSL_ST_CONNECT) &&
1362 [ # # ]: 0 : (s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
1363 : : (s->state <= SSL3_ST_CR_SRVR_HELLO_A)
1364 [ # # ]: 0 : ) || (
1365 [ # # ]: 0 : (s->state & SSL_ST_ACCEPT) &&
1366 [ # # ]: 0 : (s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
1367 : : (s->state >= SSL3_ST_SR_CLNT_HELLO_A)
1368 : : )
1369 : : ))
1370 : : {
1371 : 0 : s->s3->in_read_app_data=2;
1372 : 0 : return(-1);
1373 : : }
1374 : : else
1375 : : {
1376 : 0 : al=SSL_AD_UNEXPECTED_MESSAGE;
1377 : 0 : SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
1378 : 0 : goto f_err;
1379 : : }
1380 : : }
1381 : : /* not reached */
1382 : :
1383 : : f_err:
1384 : 0 : ssl3_send_alert(s,SSL3_AL_FATAL,al);
1385 : : err:
1386 : : return(-1);
1387 : : }
1388 : :
1389 : : int
1390 : 0 : dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len)
1391 : : {
1392 : : int i;
1393 : :
1394 : : #ifndef OPENSSL_NO_SCTP
1395 : : /* Check if we have to continue an interrupted handshake
1396 : : * for reading belated app data with SCTP.
1397 : : */
1398 : : if ((SSL_in_init(s) && !s->in_handshake) ||
1399 : : (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
1400 : : (s->state == DTLS1_SCTP_ST_SR_READ_SOCK || s->state == DTLS1_SCTP_ST_CR_READ_SOCK)))
1401 : : #else
1402 [ # # ][ # # ]: 0 : if (SSL_in_init(s) && !s->in_handshake)
1403 : : #endif
1404 : : {
1405 : 0 : i=s->handshake_func(s);
1406 [ # # ]: 0 : if (i < 0) return(i);
1407 [ # # ]: 0 : if (i == 0)
1408 : : {
1409 : 0 : SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
1410 : 0 : return -1;
1411 : : }
1412 : : }
1413 : :
1414 [ # # ]: 0 : if (len > SSL3_RT_MAX_PLAIN_LENGTH)
1415 : : {
1416 : 0 : SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES,SSL_R_DTLS_MESSAGE_TOO_BIG);
1417 : 0 : return -1;
1418 : : }
1419 : :
1420 : 0 : i = dtls1_write_bytes(s, type, buf_, len);
1421 : 0 : return i;
1422 : : }
1423 : :
1424 : :
1425 : : /* this only happens when a client hello is received and a handshake
1426 : : * is started. */
1427 : : static int
1428 : 0 : have_handshake_fragment(SSL *s, int type, unsigned char *buf,
1429 : : int len, int peek)
1430 : : {
1431 : :
1432 [ # # ][ # # ]: 0 : if ((type == SSL3_RT_HANDSHAKE) && (s->d1->handshake_fragment_len > 0))
1433 : : /* (partially) satisfy request from storage */
1434 : : {
1435 : 0 : unsigned char *src = s->d1->handshake_fragment;
1436 : 0 : unsigned char *dst = buf;
1437 : : unsigned int k,n;
1438 : :
1439 : : /* peek == 0 */
1440 : 0 : n = 0;
1441 [ # # ][ # # ]: 0 : while ((len > 0) && (s->d1->handshake_fragment_len > 0))
1442 : : {
1443 : 0 : *dst++ = *src++;
1444 : 0 : len--; s->d1->handshake_fragment_len--;
1445 : 0 : n++;
1446 : : }
1447 : : /* move any remaining fragment bytes: */
1448 [ # # ]: 0 : for (k = 0; k < s->d1->handshake_fragment_len; k++)
1449 : 0 : s->d1->handshake_fragment[k] = *src++;
1450 : 0 : return n;
1451 : : }
1452 : :
1453 : : return 0;
1454 : : }
1455 : :
1456 : :
1457 : :
1458 : :
1459 : : /* Call this to write data in records of type 'type'
1460 : : * It will return <= 0 if not all data has been sent or non-blocking IO.
1461 : : */
1462 : 0 : int dtls1_write_bytes(SSL *s, int type, const void *buf, int len)
1463 : : {
1464 : : int i;
1465 : :
1466 [ # # ]: 0 : OPENSSL_assert(len <= SSL3_RT_MAX_PLAIN_LENGTH);
1467 : 0 : s->rwstate=SSL_NOTHING;
1468 : 0 : i=do_dtls1_write(s, type, buf, len, 0);
1469 : 0 : return i;
1470 : : }
1471 : :
1472 : 0 : int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, int create_empty_fragment)
1473 : : {
1474 : : unsigned char *p,*pseq;
1475 : 0 : int i,mac_size,clear=0;
1476 : 0 : int prefix_len = 0;
1477 : : int eivlen;
1478 : : SSL3_RECORD *wr;
1479 : : SSL3_BUFFER *wb;
1480 : : SSL_SESSION *sess;
1481 : :
1482 : : /* first check if there is a SSL3_BUFFER still being written
1483 : : * out. This will happen with non blocking IO */
1484 [ # # ]: 0 : if (s->s3->wbuf.left != 0)
1485 : : {
1486 : 0 : OPENSSL_assert(0); /* XDTLS: want to see if we ever get here */
1487 : 0 : return(ssl3_write_pending(s,type,buf,len));
1488 : : }
1489 : :
1490 : : /* If we have an alert to send, lets send it */
1491 [ # # ]: 0 : if (s->s3->alert_dispatch)
1492 : : {
1493 : 0 : i=s->method->ssl_dispatch_alert(s);
1494 [ # # ]: 0 : if (i <= 0)
1495 : : return(i);
1496 : : /* if it went, fall through and send more stuff */
1497 : : }
1498 : :
1499 [ # # ]: 0 : if (len == 0 && !create_empty_fragment)
1500 : : return 0;
1501 : :
1502 : 0 : wr= &(s->s3->wrec);
1503 : 0 : wb= &(s->s3->wbuf);
1504 : 0 : sess=s->session;
1505 : :
1506 [ # # ][ # # ]: 0 : if ( (sess == NULL) ||
1507 [ # # ]: 0 : (s->enc_write_ctx == NULL) ||
1508 : 0 : (EVP_MD_CTX_md(s->write_hash) == NULL))
1509 : : clear=1;
1510 : :
1511 [ # # ]: 0 : if (clear)
1512 : : mac_size=0;
1513 : : else
1514 : : {
1515 : 0 : mac_size=EVP_MD_CTX_size(s->write_hash);
1516 [ # # ]: 0 : if (mac_size < 0)
1517 : : goto err;
1518 : : }
1519 : :
1520 : : /* DTLS implements explicit IV, so no need for empty fragments */
1521 : : #if 0
1522 : : /* 'create_empty_fragment' is true only when this function calls itself */
1523 : : if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done
1524 : : && SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
1525 : : {
1526 : : /* countermeasure against known-IV weakness in CBC ciphersuites
1527 : : * (see http://www.openssl.org/~bodo/tls-cbc.txt)
1528 : : */
1529 : :
1530 : : if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA)
1531 : : {
1532 : : /* recursive function call with 'create_empty_fragment' set;
1533 : : * this prepares and buffers the data for an empty fragment
1534 : : * (these 'prefix_len' bytes are sent out later
1535 : : * together with the actual payload) */
1536 : : prefix_len = s->method->do_ssl_write(s, type, buf, 0, 1);
1537 : : if (prefix_len <= 0)
1538 : : goto err;
1539 : :
1540 : : if (s->s3->wbuf.len < (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE)
1541 : : {
1542 : : /* insufficient space */
1543 : : SSLerr(SSL_F_DO_DTLS1_WRITE, ERR_R_INTERNAL_ERROR);
1544 : : goto err;
1545 : : }
1546 : : }
1547 : :
1548 : : s->s3->empty_fragment_done = 1;
1549 : : }
1550 : : #endif
1551 : 0 : p = wb->buf + prefix_len;
1552 : :
1553 : : /* write the header */
1554 : :
1555 : 0 : *(p++)=type&0xff;
1556 : 0 : wr->type=type;
1557 : : /* Special case: for hello verify request, client version 1.0 and
1558 : : * we haven't decided which version to use yet send back using
1559 : : * version 1.0 header: otherwise some clients will ignore it.
1560 : : */
1561 [ # # ]: 0 : if (s->method->version == DTLS_ANY_VERSION)
1562 : : {
1563 : 0 : *(p++)=DTLS1_VERSION>>8;
1564 : 0 : *(p++)=DTLS1_VERSION&0xff;
1565 : : }
1566 : : else
1567 : : {
1568 : 0 : *(p++)=s->version>>8;
1569 : 0 : *(p++)=s->version&0xff;
1570 : : }
1571 : :
1572 : : /* field where we are to write out packet epoch, seq num and len */
1573 : 0 : pseq=p;
1574 : 0 : p+=10;
1575 : :
1576 : : /* Explicit IV length, block ciphers appropriate version flag */
1577 [ # # ]: 0 : if (s->enc_write_ctx)
1578 : : {
1579 : 0 : int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx);
1580 [ # # ]: 0 : if (mode == EVP_CIPH_CBC_MODE)
1581 : : {
1582 : 0 : eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx);
1583 [ # # ]: 0 : if (eivlen <= 1)
1584 : 0 : eivlen = 0;
1585 : : }
1586 : : /* Need explicit part of IV for GCM mode */
1587 [ # # ]: 0 : else if (mode == EVP_CIPH_GCM_MODE)
1588 : : eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN;
1589 : : else
1590 : 0 : eivlen = 0;
1591 : : }
1592 : : else
1593 : : eivlen = 0;
1594 : :
1595 : : /* lets setup the record stuff. */
1596 : 0 : wr->data=p + eivlen; /* make room for IV in case of CBC */
1597 : 0 : wr->length=(int)len;
1598 : 0 : wr->input=(unsigned char *)buf;
1599 : :
1600 : : /* we now 'read' from wr->input, wr->length bytes into
1601 : : * wr->data */
1602 : :
1603 : : /* first we compress */
1604 [ # # ]: 0 : if (s->compress != NULL)
1605 : : {
1606 [ # # ]: 0 : if (!ssl3_do_compress(s))
1607 : : {
1608 : 0 : SSLerr(SSL_F_DO_DTLS1_WRITE,SSL_R_COMPRESSION_FAILURE);
1609 : 0 : goto err;
1610 : : }
1611 : : }
1612 : : else
1613 : : {
1614 : 0 : memcpy(wr->data,wr->input,wr->length);
1615 : 0 : wr->input=wr->data;
1616 : : }
1617 : :
1618 : : /* we should still have the output to wr->data and the input
1619 : : * from wr->input. Length should be wr->length.
1620 : : * wr->data still points in the wb->buf */
1621 : :
1622 [ # # ]: 0 : if (mac_size != 0)
1623 : : {
1624 [ # # ]: 0 : if(s->method->ssl3_enc->mac(s,&(p[wr->length + eivlen]),1) < 0)
1625 : : goto err;
1626 : 0 : wr->length+=mac_size;
1627 : : }
1628 : :
1629 : : /* this is true regardless of mac size */
1630 : 0 : wr->input=p;
1631 : 0 : wr->data=p;
1632 : :
1633 [ # # ]: 0 : if (eivlen)
1634 : 0 : wr->length += eivlen;
1635 : :
1636 : 0 : s->method->ssl3_enc->enc(s,1);
1637 : :
1638 : : /* record length after mac and block padding */
1639 : : /* if (type == SSL3_RT_APPLICATION_DATA ||
1640 : : (type == SSL3_RT_ALERT && ! SSL_in_init(s))) */
1641 : :
1642 : : /* there's only one epoch between handshake and app data */
1643 : :
1644 : 0 : s2n(s->d1->w_epoch, pseq);
1645 : :
1646 : : /* XDTLS: ?? */
1647 : : /* else
1648 : : s2n(s->d1->handshake_epoch, pseq); */
1649 : :
1650 : 0 : memcpy(pseq, &(s->s3->write_sequence[2]), 6);
1651 : 0 : pseq+=6;
1652 : 0 : s2n(wr->length,pseq);
1653 : :
1654 [ # # ]: 0 : if (s->msg_callback)
1655 : 0 : s->msg_callback(1, 0, SSL3_RT_HEADER, pseq - DTLS1_RT_HEADER_LENGTH, DTLS1_RT_HEADER_LENGTH, s, s->msg_callback_arg);
1656 : :
1657 : : /* we should now have
1658 : : * wr->data pointing to the encrypted data, which is
1659 : : * wr->length long */
1660 : 0 : wr->type=type; /* not needed but helps for debugging */
1661 : 0 : wr->length+=DTLS1_RT_HEADER_LENGTH;
1662 : :
1663 : : #if 0 /* this is now done at the message layer */
1664 : : /* buffer the record, making it easy to handle retransmits */
1665 : : if ( type == SSL3_RT_HANDSHAKE || type == SSL3_RT_CHANGE_CIPHER_SPEC)
1666 : : dtls1_buffer_record(s, wr->data, wr->length,
1667 : : *((PQ_64BIT *)&(s->s3->write_sequence[0])));
1668 : : #endif
1669 : :
1670 : 0 : ssl3_record_sequence_update(&(s->s3->write_sequence[0]));
1671 : :
1672 [ # # ]: 0 : if (create_empty_fragment)
1673 : : {
1674 : : /* we are in a recursive call;
1675 : : * just return the length, don't write out anything here
1676 : : */
1677 : 0 : return wr->length;
1678 : : }
1679 : :
1680 : : /* now let's set up wb */
1681 : 0 : wb->left = prefix_len + wr->length;
1682 : 0 : wb->offset = 0;
1683 : :
1684 : : /* memorize arguments so that ssl3_write_pending can detect bad write retries later */
1685 : 0 : s->s3->wpend_tot=len;
1686 : 0 : s->s3->wpend_buf=buf;
1687 : 0 : s->s3->wpend_type=type;
1688 : 0 : s->s3->wpend_ret=len;
1689 : :
1690 : : /* we now just need to write the buffer */
1691 : 0 : return ssl3_write_pending(s,type,buf,len);
1692 : : err:
1693 : : return -1;
1694 : : }
1695 : :
1696 : :
1697 : :
1698 : 0 : static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap)
1699 : : {
1700 : : int cmp;
1701 : : unsigned int shift;
1702 : 0 : const unsigned char *seq = s->s3->read_sequence;
1703 : :
1704 : 0 : cmp = satsub64be(seq,bitmap->max_seq_num);
1705 [ # # ]: 0 : if (cmp > 0)
1706 : : {
1707 : 0 : memcpy (s->s3->rrec.seq_num,seq,8);
1708 : : return 1; /* this record in new */
1709 : : }
1710 : 0 : shift = -cmp;
1711 [ # # ]: 0 : if (shift >= sizeof(bitmap->map)*8)
1712 : : return 0; /* stale, outside the window */
1713 [ # # ]: 0 : else if (bitmap->map & (1UL<<shift))
1714 : : return 0; /* record previously received */
1715 : :
1716 : 0 : memcpy (s->s3->rrec.seq_num,seq,8);
1717 : : return 1;
1718 : : }
1719 : :
1720 : :
1721 : 0 : static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap)
1722 : : {
1723 : : int cmp;
1724 : : unsigned int shift;
1725 : 0 : const unsigned char *seq = s->s3->read_sequence;
1726 : :
1727 : 0 : cmp = satsub64be(seq,bitmap->max_seq_num);
1728 [ # # ]: 0 : if (cmp > 0)
1729 : : {
1730 : 0 : shift = cmp;
1731 [ # # ]: 0 : if (shift < sizeof(bitmap->map)*8)
1732 : 0 : bitmap->map <<= shift, bitmap->map |= 1UL;
1733 : : else
1734 : 0 : bitmap->map = 1UL;
1735 : 0 : memcpy(bitmap->max_seq_num,seq,8);
1736 : : }
1737 : : else {
1738 : 0 : shift = -cmp;
1739 [ # # ]: 0 : if (shift < sizeof(bitmap->map)*8)
1740 : 0 : bitmap->map |= 1UL<<shift;
1741 : : }
1742 : 0 : }
1743 : :
1744 : :
1745 : 0 : int dtls1_dispatch_alert(SSL *s)
1746 : : {
1747 : : int i,j;
1748 : 0 : void (*cb)(const SSL *ssl,int type,int val)=NULL;
1749 : : unsigned char buf[DTLS1_AL_HEADER_LENGTH];
1750 : 0 : unsigned char *ptr = &buf[0];
1751 : :
1752 : 0 : s->s3->alert_dispatch=0;
1753 : :
1754 : : memset(buf, 0x00, sizeof(buf));
1755 : 0 : *ptr++ = s->s3->send_alert[0];
1756 : 0 : *ptr++ = s->s3->send_alert[1];
1757 : :
1758 : : #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
1759 : : if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
1760 : : {
1761 : : s2n(s->d1->handshake_read_seq, ptr);
1762 : : #if 0
1763 : : if ( s->d1->r_msg_hdr.frag_off == 0) /* waiting for a new msg */
1764 : :
1765 : : else
1766 : : s2n(s->d1->r_msg_hdr.seq, ptr); /* partial msg read */
1767 : : #endif
1768 : :
1769 : : #if 0
1770 : : fprintf(stderr, "s->d1->handshake_read_seq = %d, s->d1->r_msg_hdr.seq = %d\n",s->d1->handshake_read_seq,s->d1->r_msg_hdr.seq);
1771 : : #endif
1772 : : l2n3(s->d1->r_msg_hdr.frag_off, ptr);
1773 : : }
1774 : : #endif
1775 : :
1776 : 0 : i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0);
1777 [ # # ]: 0 : if (i <= 0)
1778 : : {
1779 : 0 : s->s3->alert_dispatch=1;
1780 : : /* fprintf( stderr, "not done with alert\n" ); */
1781 : : }
1782 : : else
1783 : : {
1784 [ # # ]: 0 : if (s->s3->send_alert[0] == SSL3_AL_FATAL
1785 : : #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
1786 : : || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
1787 : : #endif
1788 : : )
1789 : 0 : (void)BIO_flush(s->wbio);
1790 : :
1791 [ # # ]: 0 : if (s->msg_callback)
1792 : 0 : s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert,
1793 : : 2, s, s->msg_callback_arg);
1794 : :
1795 [ # # ]: 0 : if (s->info_callback != NULL)
1796 : : cb=s->info_callback;
1797 [ # # ]: 0 : else if (s->ctx->info_callback != NULL)
1798 : 0 : cb=s->ctx->info_callback;
1799 : :
1800 [ # # ]: 0 : if (cb != NULL)
1801 : : {
1802 : 0 : j=(s->s3->send_alert[0]<<8)|s->s3->send_alert[1];
1803 : 0 : cb(s,SSL_CB_WRITE_ALERT,j);
1804 : : }
1805 : : }
1806 : 0 : return(i);
1807 : : }
1808 : :
1809 : :
1810 : : static DTLS1_BITMAP *
1811 : 0 : dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch)
1812 : : {
1813 : :
1814 : 0 : *is_next_epoch = 0;
1815 : :
1816 : : /* In current epoch, accept HM, CCS, DATA, & ALERT */
1817 [ # # ]: 0 : if (rr->epoch == s->d1->r_epoch)
1818 : 0 : return &s->d1->bitmap;
1819 : :
1820 : : /* Only HM and ALERT messages can be from the next epoch */
1821 [ # # ][ # # ]: 0 : else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) &&
1822 : 0 : (rr->type == SSL3_RT_HANDSHAKE ||
1823 : : rr->type == SSL3_RT_ALERT))
1824 : : {
1825 : 0 : *is_next_epoch = 1;
1826 : 0 : return &s->d1->next_bitmap;
1827 : : }
1828 : :
1829 : : return NULL;
1830 : : }
1831 : :
1832 : : #if 0
1833 : : static int
1834 : : dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr, unsigned short *priority,
1835 : : unsigned long *offset)
1836 : : {
1837 : :
1838 : : /* alerts are passed up immediately */
1839 : : if ( rr->type == SSL3_RT_APPLICATION_DATA ||
1840 : : rr->type == SSL3_RT_ALERT)
1841 : : return 0;
1842 : :
1843 : : /* Only need to buffer if a handshake is underway.
1844 : : * (this implies that Hello Request and Client Hello are passed up
1845 : : * immediately) */
1846 : : if ( SSL_in_init(s))
1847 : : {
1848 : : unsigned char *data = rr->data;
1849 : : /* need to extract the HM/CCS sequence number here */
1850 : : if ( rr->type == SSL3_RT_HANDSHAKE ||
1851 : : rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
1852 : : {
1853 : : unsigned short seq_num;
1854 : : struct hm_header_st msg_hdr;
1855 : : struct ccs_header_st ccs_hdr;
1856 : :
1857 : : if ( rr->type == SSL3_RT_HANDSHAKE)
1858 : : {
1859 : : dtls1_get_message_header(data, &msg_hdr);
1860 : : seq_num = msg_hdr.seq;
1861 : : *offset = msg_hdr.frag_off;
1862 : : }
1863 : : else
1864 : : {
1865 : : dtls1_get_ccs_header(data, &ccs_hdr);
1866 : : seq_num = ccs_hdr.seq;
1867 : : *offset = 0;
1868 : : }
1869 : :
1870 : : /* this is either a record we're waiting for, or a
1871 : : * retransmit of something we happened to previously
1872 : : * receive (higher layers will drop the repeat silently */
1873 : : if ( seq_num < s->d1->handshake_read_seq)
1874 : : return 0;
1875 : : if (rr->type == SSL3_RT_HANDSHAKE &&
1876 : : seq_num == s->d1->handshake_read_seq &&
1877 : : msg_hdr.frag_off < s->d1->r_msg_hdr.frag_off)
1878 : : return 0;
1879 : : else if ( seq_num == s->d1->handshake_read_seq &&
1880 : : (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC ||
1881 : : msg_hdr.frag_off == s->d1->r_msg_hdr.frag_off))
1882 : : return 0;
1883 : : else
1884 : : {
1885 : : *priority = seq_num;
1886 : : return 1;
1887 : : }
1888 : : }
1889 : : else /* unknown record type */
1890 : : return 0;
1891 : : }
1892 : :
1893 : : return 0;
1894 : : }
1895 : : #endif
1896 : :
1897 : : void
1898 : 0 : dtls1_reset_seq_numbers(SSL *s, int rw)
1899 : : {
1900 : : unsigned char *seq;
1901 : 0 : unsigned int seq_bytes = sizeof(s->s3->read_sequence);
1902 : :
1903 [ # # ]: 0 : if ( rw & SSL3_CC_READ)
1904 : : {
1905 : 0 : seq = s->s3->read_sequence;
1906 : 0 : s->d1->r_epoch++;
1907 : 0 : memcpy(&(s->d1->bitmap), &(s->d1->next_bitmap), sizeof(DTLS1_BITMAP));
1908 : 0 : memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP));
1909 : : }
1910 : : else
1911 : : {
1912 : 0 : seq = s->s3->write_sequence;
1913 : 0 : memcpy(s->d1->last_write_sequence, seq, sizeof(s->s3->write_sequence));
1914 : 0 : s->d1->w_epoch++;
1915 : : }
1916 : :
1917 : 0 : memset(seq, 0x00, seq_bytes);
1918 : 0 : }
|
