Context Navigation

← Previous Revision
Latest Revision
Next Revision →
Blame
Revision Log

statem_dtls.c@ 331

Last change on this file since 331 was 331, checked in by coas-nagasima, 6 years ago
prototoolに関連するプロジェクトをnewlibからmuslを使うよう変更・更新 ntshellをnewlibの下位の実装から、muslのsyscallの実装に変更・更新以下のOSSをアップデート・mruby-1.3.0 ・musl-1.1.18 ・onigmo-6.1.3 ・tcc-0.9.27 以下のOSSを追加・openssl-1.1.0e ・curl-7.57.0 ・zlib-1.2.11 以下のmrbgemsを追加・iij/mruby-digest ・iij/mruby-env ・iij/mruby-errno ・iij/mruby-iijson ・iij/mruby-ipaddr ・iij/mruby-mock ・iij/mruby-require ・iij/mruby-tls-openssl
Property svn:eol-style set to `native` Property svn:mime-type set to `text/x-csrc`
File size: 37.7 KB

Line
1	/*
2	* Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the OpenSSL license (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9
10	#include <limits.h>
11	#include <string.h>
12	#include <stdio.h>
13	#include "../ssl_locl.h"
14	#include "statem_locl.h"
15	#include <openssl/buffer.h>
16	#include <openssl/objects.h>
17	#include <openssl/evp.h>
18	#include <openssl/x509.h>
19
20	#define RSMBLY_BITMASK_SIZE(msg_len) (((msg_len) + 7) / 8)
21
22	#define RSMBLY_BITMASK_MARK(bitmask, start, end) { \
23	if ((end) - (start) <= 8) { \
24	long ii; \
25	for (ii = (start); ii < (end); ii++) bitmask[((ii) >> 3)] \|= (1 << ((ii) & 7)); \
26	} else { \
27	long ii; \
28	bitmask[((start) >> 3)] \|= bitmask_start_values[((start) & 7)]; \
29	for (ii = (((start) >> 3) + 1); ii < ((((end) - 1)) >> 3); ii++) bitmask[ii] = 0xff; \
30	bitmask[(((end) - 1) >> 3)] \|= bitmask_end_values[((end) & 7)]; \
31	} }
32
33	#define RSMBLY_BITMASK_IS_COMPLETE(bitmask, msg_len, is_complete) { \
34	long ii; \
35	OPENSSL_assert((msg_len) > 0); \
36	is_complete = 1; \
37	if (bitmask[(((msg_len) - 1) >> 3)] != bitmask_end_values[((msg_len) & 7)]) is_complete = 0; \
38	if (is_complete) for (ii = (((msg_len) - 1) >> 3) - 1; ii >= 0 ; ii--) \
39	if (bitmask[ii] != 0xff) { is_complete = 0; break; } }
40
41	static unsigned char bitmask_start_values[] =
42	{ 0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80 };
43	static unsigned char bitmask_end_values[] =
44	{ 0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f };
45
46	static void dtls1_fix_message_header(SSL *s, unsigned long frag_off,
47	unsigned long frag_len);
48	static unsigned char dtls1_write_message_header(SSL s, unsigned char *p);
49	static void dtls1_set_message_header_int(SSL *s, unsigned char mt,
50	unsigned long len,
51	unsigned short seq_num,
52	unsigned long frag_off,
53	unsigned long frag_len);
54	static int dtls_get_reassembled_message(SSL s, long len);
55
56	static hm_fragment *dtls1_hm_fragment_new(unsigned long frag_len,
57	int reassembly)
58	{
59	hm_fragment *frag = NULL;
60	unsigned char *buf = NULL;
61	unsigned char *bitmask = NULL;
62
63	frag = OPENSSL_malloc(sizeof(*frag));
64	if (frag == NULL)
65	return NULL;
66
67	if (frag_len) {
68	buf = OPENSSL_malloc(frag_len);
69	if (buf == NULL) {
70	OPENSSL_free(frag);
71	return NULL;
72	}
73	}
74
75	/* zero length fragment gets zero frag->fragment */
76	frag->fragment = buf;
77
78	/* Initialize reassembly bitmask if necessary */
79	if (reassembly) {
80	bitmask = OPENSSL_zalloc(RSMBLY_BITMASK_SIZE(frag_len));
81	if (bitmask == NULL) {
82	OPENSSL_free(buf);
83	OPENSSL_free(frag);
84	return NULL;
85	}
86	}
87
88	frag->reassembly = bitmask;
89
90	return frag;
91	}
92
93	void dtls1_hm_fragment_free(hm_fragment *frag)
94	{
95	if (!frag)
96	return;
97	if (frag->msg_header.is_ccs) {
98	EVP_CIPHER_CTX_free(frag->msg_header.
99	saved_retransmit_state.enc_write_ctx);
100	EVP_MD_CTX_free(frag->msg_header.saved_retransmit_state.write_hash);
101	}
102	OPENSSL_free(frag->fragment);
103	OPENSSL_free(frag->reassembly);
104	OPENSSL_free(frag);
105	}
106
107	/*
108	* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
109	* SSL3_RT_CHANGE_CIPHER_SPEC)
110	*/
111	int dtls1_do_write(SSL *s, int type)
112	{
113	int ret;
114	unsigned int curr_mtu;
115	int retry = 1;
116	unsigned int len, frag_off, mac_size, blocksize, used_len;
117
118	if (!dtls1_query_mtu(s))
119	return -1;
120
121	if (s->d1->mtu < dtls1_min_mtu(s))
122	/* should have something reasonable now */
123	return -1;
124
125	if (s->init_off == 0 && type == SSL3_RT_HANDSHAKE)
126	OPENSSL_assert(s->init_num ==
127	(int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH);
128
129	if (s->write_hash) {
130	if (s->enc_write_ctx
131	&& (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_write_ctx)) &
132	EVP_CIPH_FLAG_AEAD_CIPHER) != 0)
133	mac_size = 0;
134	else
135	mac_size = EVP_MD_CTX_size(s->write_hash);
136	} else
137	mac_size = 0;
138
139	if (s->enc_write_ctx &&
140	(EVP_CIPHER_CTX_mode(s->enc_write_ctx) == EVP_CIPH_CBC_MODE))
141	blocksize = 2 * EVP_CIPHER_CTX_block_size(s->enc_write_ctx);
142	else
143	blocksize = 0;
144
145	frag_off = 0;
146	s->rwstate = SSL_NOTHING;
147
148	/* s->init_num shouldn't ever be < 0...but just in case */
149	while (s->init_num > 0) {
150	if (type == SSL3_RT_HANDSHAKE && s->init_off != 0) {
151	/* We must be writing a fragment other than the first one */
152
153	if (frag_off > 0) {
154	/* This is the first attempt at writing out this fragment */
155
156	if (s->init_off <= DTLS1_HM_HEADER_LENGTH) {
157	/*
158	* Each fragment that was already sent must at least have
159	* contained the message header plus one other byte.
160	* Therefore \|init_off\| must have progressed by at least
161	* \|DTLS1_HM_HEADER_LENGTH + 1\| bytes. If not something went
162	* wrong.
163	*/
164	return -1;
165	}
166
167	/*
168	* Adjust \|init_off\| and \|init_num\| to allow room for a new
169	* message header for this fragment.
170	*/
171	s->init_off -= DTLS1_HM_HEADER_LENGTH;
172	s->init_num += DTLS1_HM_HEADER_LENGTH;
173	} else {
174	/*
175	* We must have been called again after a retry so use the
176	* fragment offset from our last attempt. We do not need
177	* to adjust \|init_off\| and \|init_num\| as above, because
178	* that should already have been done before the retry.
179	*/
180	frag_off = s->d1->w_msg_hdr.frag_off;
181	}
182	}
183
184	used_len = BIO_wpending(s->wbio) + DTLS1_RT_HEADER_LENGTH
185	+ mac_size + blocksize;
186	if (s->d1->mtu > used_len)
187	curr_mtu = s->d1->mtu - used_len;
188	else
189	curr_mtu = 0;
190
191	if (curr_mtu <= DTLS1_HM_HEADER_LENGTH) {
192	/*
193	* grr.. we could get an error if MTU picked was wrong
194	*/
195	ret = BIO_flush(s->wbio);
196	if (ret <= 0) {
197	s->rwstate = SSL_WRITING;
198	return ret;
199	}
200	used_len = DTLS1_RT_HEADER_LENGTH + mac_size + blocksize;
201	if (s->d1->mtu > used_len + DTLS1_HM_HEADER_LENGTH) {
202	curr_mtu = s->d1->mtu - used_len;
203	} else {
204	/* Shouldn't happen */
205	return -1;
206	}
207	}
208
209	/*
210	* We just checked that s->init_num > 0 so this cast should be safe
211	*/
212	if (((unsigned int)s->init_num) > curr_mtu)
213	len = curr_mtu;
214	else
215	len = s->init_num;
216
217	/* Shouldn't ever happen */
218	if (len > INT_MAX)
219	len = INT_MAX;
220
221	/*
222	* XDTLS: this function is too long. split out the CCS part
223	*/
224	if (type == SSL3_RT_HANDSHAKE) {
225	if (len < DTLS1_HM_HEADER_LENGTH) {
226	/*
227	* len is so small that we really can't do anything sensible
228	* so fail
229	*/
230	return -1;
231	}
232	dtls1_fix_message_header(s, frag_off, len - DTLS1_HM_HEADER_LENGTH);
233
234	dtls1_write_message_header(s,
235	(unsigned char *)&s->init_buf->
236	data[s->init_off]);
237	}
238
239	ret = dtls1_write_bytes(s, type, &s->init_buf->data[s->init_off], len);
240	if (ret < 0) {
241	/*
242	* might need to update MTU here, but we don't know which
243	* previous packet caused the failure -- so can't really
244	* retransmit anything. continue as if everything is fine and
245	* wait for an alert to handle the retransmit
246	*/
247	if (retry && BIO_ctrl(SSL_get_wbio(s),
248	BIO_CTRL_DGRAM_MTU_EXCEEDED, 0, NULL) > 0) {
249	if (!(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) {
250	if (!dtls1_query_mtu(s))
251	return -1;
252	/* Have one more go */
253	retry = 0;
254	} else
255	return -1;
256	} else {
257	return (-1);
258	}
259	} else {
260
261	/*
262	* bad if this assert fails, only part of the handshake message
263	* got sent. but why would this happen?
264	*/
265	OPENSSL_assert(len == (unsigned int)ret);
266
267	if (type == SSL3_RT_HANDSHAKE && !s->d1->retransmitting) {
268	/*
269	* should not be done for 'Hello Request's, but in that case
270	* we'll ignore the result anyway
271	*/
272	unsigned char *p =
273	(unsigned char *)&s->init_buf->data[s->init_off];
274	const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
275	int xlen;
276
277	if (frag_off == 0 && s->version != DTLS1_BAD_VER) {
278	/*
279	* reconstruct message header is if it is being sent in
280	* single fragment
281	*/
282	*p++ = msg_hdr->type;
283	l2n3(msg_hdr->msg_len, p);
284	s2n(msg_hdr->seq, p);
285	l2n3(0, p);
286	l2n3(msg_hdr->msg_len, p);
287	p -= DTLS1_HM_HEADER_LENGTH;
288	xlen = ret;
289	} else {
290	p += DTLS1_HM_HEADER_LENGTH;
291	xlen = ret - DTLS1_HM_HEADER_LENGTH;
292	}
293
294	if (!ssl3_finish_mac(s, p, xlen))
295	return -1;
296	}
297
298	if (ret == s->init_num) {
299	if (s->msg_callback)
300	s->msg_callback(1, s->version, type, s->init_buf->data,
301	(size_t)(s->init_off + s->init_num), s,
302	s->msg_callback_arg);
303
304	s->init_off = 0; /* done writing this message */
305	s->init_num = 0;
306
307	return (1);
308	}
309	s->init_off += ret;
310	s->init_num -= ret;
311	ret -= DTLS1_HM_HEADER_LENGTH;
312	frag_off += ret;
313
314	/*
315	* We save the fragment offset for the next fragment so we have it
316	* available in case of an IO retry. We don't know the length of the
317	* next fragment yet so just set that to 0 for now. It will be
318	* updated again later.
319	*/
320	dtls1_fix_message_header(s, frag_off, 0);
321	}
322	}
323	return (0);
324	}
325
326	int dtls_get_message(SSL s, int mt, unsigned long *len)
327	{
328	struct hm_header_st *msg_hdr;
329	unsigned char *p;
330	unsigned long msg_len;
331	int ok;
332	long tmplen;
333
334	msg_hdr = &s->d1->r_msg_hdr;
335	memset(msg_hdr, 0, sizeof(*msg_hdr));
336
337	again:
338	ok = dtls_get_reassembled_message(s, &tmplen);
339	if (tmplen == DTLS1_HM_BAD_FRAGMENT \|\| tmplen == DTLS1_HM_FRAGMENT_RETRY) {
340	/* bad fragment received */
341	goto again;
342	} else if (tmplen <= 0 && !ok) {
343	return 0;
344	}
345
346	*mt = s->s3->tmp.message_type;
347
348	p = (unsigned char *)s->init_buf->data;
349
350	if (*mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
351	if (s->msg_callback) {
352	s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC,
353	p, 1, s, s->msg_callback_arg);
354	}
355	/*
356	* This isn't a real handshake message so skip the processing below.
357	*/
358	*len = (unsigned long)tmplen;
359	return 1;
360	}
361
362	msg_len = msg_hdr->msg_len;
363
364	/* reconstruct message header */
365	*(p++) = msg_hdr->type;
366	l2n3(msg_len, p);
367	s2n(msg_hdr->seq, p);
368	l2n3(0, p);
369	l2n3(msg_len, p);
370	if (s->version != DTLS1_BAD_VER) {
371	p -= DTLS1_HM_HEADER_LENGTH;
372	msg_len += DTLS1_HM_HEADER_LENGTH;
373	}
374
375	if (!ssl3_finish_mac(s, p, msg_len))
376	return 0;
377	if (s->msg_callback)
378	s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
379	p, msg_len, s, s->msg_callback_arg);
380
381	memset(msg_hdr, 0, sizeof(*msg_hdr));
382
383	s->d1->handshake_read_seq++;
384
385	s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
386	*len = s->init_num;
387
388	return 1;
389	}
390
391	/*
392	* dtls1_max_handshake_message_len returns the maximum number of bytes
393	* permitted in a DTLS handshake message for \|s\|. The minimum is 16KB, but
394	* may be greater if the maximum certificate list size requires it.
395	*/
396	static unsigned long dtls1_max_handshake_message_len(const SSL *s)
397	{
398	unsigned long max_len =
399	DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
400	if (max_len < (unsigned long)s->max_cert_list)
401	return s->max_cert_list;
402	return max_len;
403	}
404
405	static int dtls1_preprocess_fragment(SSL s, struct hm_header_st msg_hdr)
406	{
407	size_t frag_off, frag_len, msg_len;
408
409	msg_len = msg_hdr->msg_len;
410	frag_off = msg_hdr->frag_off;
411	frag_len = msg_hdr->frag_len;
412
413	/* sanity checking */
414	if ((frag_off + frag_len) > msg_len
415	\|\| msg_len > dtls1_max_handshake_message_len(s)) {
416	SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, SSL_R_EXCESSIVE_MESSAGE_SIZE);
417	return SSL_AD_ILLEGAL_PARAMETER;
418	}
419
420	if (s->d1->r_msg_hdr.frag_off == 0) { /* first fragment */
421	/*
422	* msg_len is limited to 2^24, but is effectively checked against
423	* dtls_max_handshake_message_len(s) above
424	*/
425	if (!BUF_MEM_grow_clean(s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH)) {
426	SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB);
427	return SSL_AD_INTERNAL_ERROR;
428	}
429
430	s->s3->tmp.message_size = msg_len;
431	s->d1->r_msg_hdr.msg_len = msg_len;
432	s->s3->tmp.message_type = msg_hdr->type;
433	s->d1->r_msg_hdr.type = msg_hdr->type;
434	s->d1->r_msg_hdr.seq = msg_hdr->seq;
435	} else if (msg_len != s->d1->r_msg_hdr.msg_len) {
436	/*
437	* They must be playing with us! BTW, failure to enforce upper limit
438	* would open possibility for buffer overrun.
439	*/
440	SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, SSL_R_EXCESSIVE_MESSAGE_SIZE);
441	return SSL_AD_ILLEGAL_PARAMETER;
442	}
443
444	return 0; /* no error */
445	}
446
447	static int dtls1_retrieve_buffered_fragment(SSL s, int ok)
448	{
449	/*-
450	* (0) check whether the desired fragment is available
451	* if so:
452	* (1) copy over the fragment to s->init_buf->data[]
453	* (2) update s->init_num
454	*/
455	pitem *item;
456	hm_fragment *frag;
457	int al;
458
459	*ok = 0;
460
461	do {
462	item = pqueue_peek(s->d1->buffered_messages);
463	if (item == NULL)
464	return 0;
465
466	frag = (hm_fragment *)item->data;
467
468	if (frag->msg_header.seq < s->d1->handshake_read_seq) {
469	/* This is a stale message that has been buffered so clear it */
470	pqueue_pop(s->d1->buffered_messages);
471	dtls1_hm_fragment_free(frag);
472	pitem_free(item);
473	item = NULL;
474	frag = NULL;
475	}
476	} while (item == NULL);
477
478	/* Don't return if reassembly still in progress */
479	if (frag->reassembly != NULL)
480	return 0;
481
482	if (s->d1->handshake_read_seq == frag->msg_header.seq) {
483	unsigned long frag_len = frag->msg_header.frag_len;
484	pqueue_pop(s->d1->buffered_messages);
485
486	al = dtls1_preprocess_fragment(s, &frag->msg_header);
487
488	if (al == 0) { /* no alert */
489	unsigned char *p =
490	(unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
491	memcpy(&p[frag->msg_header.frag_off], frag->fragment,
492	frag->msg_header.frag_len);
493	}
494
495	dtls1_hm_fragment_free(frag);
496	pitem_free(item);
497
498	if (al == 0) {
499	*ok = 1;
500	return frag_len;
501	}
502
503	ssl3_send_alert(s, SSL3_AL_FATAL, al);
504	s->init_num = 0;
505	*ok = 0;
506	return -1;
507	} else
508	return 0;
509	}
510
511	static int
512	dtls1_reassemble_fragment(SSL s, const struct hm_header_st msg_hdr, int *ok)
513	{
514	hm_fragment *frag = NULL;
515	pitem *item = NULL;
516	int i = -1, is_complete;
517	unsigned char seq64be[8];
518	unsigned long frag_len = msg_hdr->frag_len;
519
520	if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len \|\|
521	msg_hdr->msg_len > dtls1_max_handshake_message_len(s))
522	goto err;
523
524	if (frag_len == 0)
525	return DTLS1_HM_FRAGMENT_RETRY;
526
527	/* Try to find item in queue */
528	memset(seq64be, 0, sizeof(seq64be));
529	seq64be[6] = (unsigned char)(msg_hdr->seq >> 8);
530	seq64be[7] = (unsigned char)msg_hdr->seq;
531	item = pqueue_find(s->d1->buffered_messages, seq64be);
532
533	if (item == NULL) {
534	frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 1);
535	if (frag == NULL)
536	goto err;
537	memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
538	frag->msg_header.frag_len = frag->msg_header.msg_len;
539	frag->msg_header.frag_off = 0;
540	} else {
541	frag = (hm_fragment *)item->data;
542	if (frag->msg_header.msg_len != msg_hdr->msg_len) {
543	item = NULL;
544	frag = NULL;
545	goto err;
546	}
547	}
548
549	/*
550	* If message is already reassembled, this must be a retransmit and can
551	* be dropped. In this case item != NULL and so frag does not need to be
552	* freed.
553	*/
554	if (frag->reassembly == NULL) {
555	unsigned char devnull[256];
556
557	while (frag_len) {
558	i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
559	devnull,
560	frag_len >
561	sizeof(devnull) ? sizeof(devnull) :
562	frag_len, 0);
563	if (i <= 0)
564	goto err;
565	frag_len -= i;
566	}
567	return DTLS1_HM_FRAGMENT_RETRY;
568	}
569
570	/* read the body of the fragment (header has already been read */
571	i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
572	frag->fragment + msg_hdr->frag_off,
573	frag_len, 0);
574	if ((unsigned long)i != frag_len)
575	i = -1;
576	if (i <= 0)
577	goto err;
578
579	RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off,
580	(long)(msg_hdr->frag_off + frag_len));
581
582	RSMBLY_BITMASK_IS_COMPLETE(frag->reassembly, (long)msg_hdr->msg_len,
583	is_complete);
584
585	if (is_complete) {
586	OPENSSL_free(frag->reassembly);
587	frag->reassembly = NULL;
588	}
589
590	if (item == NULL) {
591	item = pitem_new(seq64be, frag);
592	if (item == NULL) {
593	i = -1;
594	goto err;
595	}
596
597	item = pqueue_insert(s->d1->buffered_messages, item);
598	/*
599	* pqueue_insert fails iff a duplicate item is inserted. However,
600	* \|item\| cannot be a duplicate. If it were, \|pqueue_find\|, above,
601	* would have returned it and control would never have reached this
602	* branch.
603	*/
604	OPENSSL_assert(item != NULL);
605	}
606
607	return DTLS1_HM_FRAGMENT_RETRY;
608
609	err:
610	if (item == NULL)
611	dtls1_hm_fragment_free(frag);
612	*ok = 0;
613	return i;
614	}
615
616	static int
617	dtls1_process_out_of_seq_message(SSL s, const struct hm_header_st msg_hdr,
618	int *ok)
619	{
620	int i = -1;
621	hm_fragment *frag = NULL;
622	pitem *item = NULL;
623	unsigned char seq64be[8];
624	unsigned long frag_len = msg_hdr->frag_len;
625
626	if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len)
627	goto err;
628
629	/* Try to find item in queue, to prevent duplicate entries */
630	memset(seq64be, 0, sizeof(seq64be));
631	seq64be[6] = (unsigned char)(msg_hdr->seq >> 8);
632	seq64be[7] = (unsigned char)msg_hdr->seq;
633	item = pqueue_find(s->d1->buffered_messages, seq64be);
634
635	/*
636	* If we already have an entry and this one is a fragment, don't discard
637	* it and rather try to reassemble it.
638	*/
639	if (item != NULL && frag_len != msg_hdr->msg_len)
640	item = NULL;
641
642	/*
643	* Discard the message if sequence number was already there, is too far
644	* in the future, already in the queue or if we received a FINISHED
645	* before the SERVER_HELLO, which then must be a stale retransmit.
646	*/
647	if (msg_hdr->seq <= s->d1->handshake_read_seq \|\|
648	msg_hdr->seq > s->d1->handshake_read_seq + 10 \|\| item != NULL \|\|
649	(s->d1->handshake_read_seq == 0 && msg_hdr->type == SSL3_MT_FINISHED)) {
650	unsigned char devnull[256];
651
652	while (frag_len) {
653	i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
654	devnull,
655	frag_len >
656	sizeof(devnull) ? sizeof(devnull) :
657	frag_len, 0);
658	if (i <= 0)
659	goto err;
660	frag_len -= i;
661	}
662	} else {
663	if (frag_len != msg_hdr->msg_len)
664	return dtls1_reassemble_fragment(s, msg_hdr, ok);
665
666	if (frag_len > dtls1_max_handshake_message_len(s))
667	goto err;
668
669	frag = dtls1_hm_fragment_new(frag_len, 0);
670	if (frag == NULL)
671	goto err;
672
673	memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
674
675	if (frag_len) {
676	/*
677	* read the body of the fragment (header has already been read
678	*/
679	i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
680	frag->fragment, frag_len, 0);
681	if ((unsigned long)i != frag_len)
682	i = -1;
683	if (i <= 0)
684	goto err;
685	}
686
687	item = pitem_new(seq64be, frag);
688	if (item == NULL)
689	goto err;
690
691	item = pqueue_insert(s->d1->buffered_messages, item);
692	/*
693	* pqueue_insert fails iff a duplicate item is inserted. However,
694	* \|item\| cannot be a duplicate. If it were, \|pqueue_find\|, above,
695	* would have returned it. Then, either \|frag_len\| !=
696	* \|msg_hdr->msg_len\| in which case \|item\| is set to NULL and it will
697	* have been processed with \|dtls1_reassemble_fragment\|, above, or
698	* the record will have been discarded.
699	*/
700	OPENSSL_assert(item != NULL);
701	}
702
703	return DTLS1_HM_FRAGMENT_RETRY;
704
705	err:
706	if (item == NULL)
707	dtls1_hm_fragment_free(frag);
708	*ok = 0;
709	return i;
710	}
711
712	static int dtls_get_reassembled_message(SSL s, long len)
713	{
714	unsigned char wire[DTLS1_HM_HEADER_LENGTH];
715	unsigned long mlen, frag_off, frag_len;
716	int i, al, recvd_type;
717	struct hm_header_st msg_hdr;
718	int ok;
719
720	redo:
721	/* see if we have the required fragment already */
722	if ((frag_len = dtls1_retrieve_buffered_fragment(s, &ok)) \|\| ok) {
723	if (ok)
724	s->init_num = frag_len;
725	*len = frag_len;
726	return ok;
727	}
728
729	/* read handshake message header */
730	i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type, wire,
731	DTLS1_HM_HEADER_LENGTH, 0);
732	if (i <= 0) { /* nbio, or an error */
733	s->rwstate = SSL_READING;
734	*len = i;
735	return 0;
736	}
737	if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
738	if (wire[0] != SSL3_MT_CCS) {
739	al = SSL_AD_UNEXPECTED_MESSAGE;
740	SSLerr(SSL_F_DTLS_GET_REASSEMBLED_MESSAGE,
741	SSL_R_BAD_CHANGE_CIPHER_SPEC);
742	goto f_err;
743	}
744
745	memcpy(s->init_buf->data, wire, i);
746	s->init_num = i - 1;
747	s->init_msg = s->init_buf->data + 1;
748	s->s3->tmp.message_type = SSL3_MT_CHANGE_CIPHER_SPEC;
749	s->s3->tmp.message_size = i - 1;
750	*len = i - 1;
751	return 1;
752	}
753
754	/* Handshake fails if message header is incomplete */
755	if (i != DTLS1_HM_HEADER_LENGTH) {
756	al = SSL_AD_UNEXPECTED_MESSAGE;
757	SSLerr(SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
758	goto f_err;
759	}
760
761	/* parse the message fragment header */
762	dtls1_get_message_header(wire, &msg_hdr);
763
764	mlen = msg_hdr.msg_len;
765	frag_off = msg_hdr.frag_off;
766	frag_len = msg_hdr.frag_len;
767
768	/*
769	* We must have at least frag_len bytes left in the record to be read.
770	* Fragments must not span records.
771	*/
772	if (frag_len > RECORD_LAYER_get_rrec_length(&s->rlayer)) {
773	al = SSL3_AD_ILLEGAL_PARAMETER;
774	SSLerr(SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, SSL_R_BAD_LENGTH);
775	goto f_err;
776	}
777
778	/*
779	* if this is a future (or stale) message it gets buffered
780	* (or dropped)--no further processing at this time
781	* While listening, we accept seq 1 (ClientHello with cookie)
782	* although we're still expecting seq 0 (ClientHello)
783	*/
784	if (msg_hdr.seq != s->d1->handshake_read_seq) {
785	*len = dtls1_process_out_of_seq_message(s, &msg_hdr, &ok);
786	return ok;
787	}
788
789	if (frag_len && frag_len < mlen) {
790	*len = dtls1_reassemble_fragment(s, &msg_hdr, &ok);
791	return ok;
792	}
793
794	if (!s->server && s->d1->r_msg_hdr.frag_off == 0 &&
795	wire[0] == SSL3_MT_HELLO_REQUEST) {
796	/*
797	* The server may always send 'Hello Request' messages -- we are
798	* doing a handshake anyway now, so ignore them if their format is
799	* correct. Does not count for 'Finished' MAC.
800	*/
801	if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0) {
802	if (s->msg_callback)
803	s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
804	wire, DTLS1_HM_HEADER_LENGTH, s,
805	s->msg_callback_arg);
806
807	s->init_num = 0;
808	goto redo;
809	} else { /* Incorrectly formatted Hello request */
810
811	al = SSL_AD_UNEXPECTED_MESSAGE;
812	SSLerr(SSL_F_DTLS_GET_REASSEMBLED_MESSAGE,
813	SSL_R_UNEXPECTED_MESSAGE);
814	goto f_err;
815	}
816	}
817
818	if ((al = dtls1_preprocess_fragment(s, &msg_hdr)))
819	goto f_err;
820
821	if (frag_len > 0) {
822	unsigned char *p =
823	(unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
824
825	i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
826	&p[frag_off], frag_len, 0);
827
828	/*
829	* This shouldn't ever fail due to NBIO because we already checked
830	* that we have enough data in the record
831	*/
832	if (i <= 0) {
833	s->rwstate = SSL_READING;
834	*len = i;
835	return 0;
836	}
837	} else
838	i = 0;
839
840	/*
841	* XDTLS: an incorrectly formatted fragment should cause the handshake
842	* to fail
843	*/
844	if (i != (int)frag_len) {
845	al = SSL3_AD_ILLEGAL_PARAMETER;
846	SSLerr(SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, SSL3_AD_ILLEGAL_PARAMETER);
847	goto f_err;
848	}
849
850	/*
851	* Note that s->init_num is not used as current offset in
852	* s->init_buf->data, but as a counter summing up fragments' lengths: as
853	* soon as they sum up to handshake packet length, we assume we have got
854	* all the fragments.
855	*/
856	*len = s->init_num = frag_len;
857	return 1;
858
859	f_err:
860	ssl3_send_alert(s, SSL3_AL_FATAL, al);
861	s->init_num = 0;
862	*len = -1;
863	return 0;
864	}
865
866	/*-
867	* for these 2 messages, we need to
868	* ssl->enc_read_ctx re-init
869	* ssl->rlayer.read_sequence zero
870	* ssl->s3->read_mac_secret re-init
871	* ssl->session->read_sym_enc assign
872	* ssl->session->read_compression assign
873	* ssl->session->read_hash assign
874	*/
875	int dtls_construct_change_cipher_spec(SSL *s)
876	{
877	unsigned char *p;
878
879	p = (unsigned char *)s->init_buf->data;
880	*p++ = SSL3_MT_CCS;
881	s->d1->handshake_write_seq = s->d1->next_handshake_write_seq;
882	s->init_num = DTLS1_CCS_HEADER_LENGTH;
883
884	if (s->version == DTLS1_BAD_VER) {
885	s->d1->next_handshake_write_seq++;
886	s2n(s->d1->handshake_write_seq, p);
887	s->init_num += 2;
888	}
889
890	s->init_off = 0;
891
892	dtls1_set_message_header_int(s, SSL3_MT_CCS, 0,
893	s->d1->handshake_write_seq, 0, 0);
894
895	/* buffer the message to handle re-xmits */
896	if (!dtls1_buffer_message(s, 1)) {
897	SSLerr(SSL_F_DTLS_CONSTRUCT_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
898	return 0;
899	}
900
901	return 1;
902	}
903
904	#ifndef OPENSSL_NO_SCTP
905	WORK_STATE dtls_wait_for_dry(SSL *s)
906	{
907	int ret;
908
909	/* read app data until dry event */
910	ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
911	if (ret < 0)
912	return WORK_ERROR;
913
914	if (ret == 0) {
915	s->s3->in_read_app_data = 2;
916	s->rwstate = SSL_READING;
917	BIO_clear_retry_flags(SSL_get_rbio(s));
918	BIO_set_retry_read(SSL_get_rbio(s));
919	return WORK_MORE_A;
920	}
921	return WORK_FINISHED_CONTINUE;
922	}
923	#endif
924
925	int dtls1_read_failed(SSL *s, int code)
926	{
927	if (code > 0) {
928	SSLerr(SSL_F_DTLS1_READ_FAILED, ERR_R_INTERNAL_ERROR);
929	return 1;
930	}
931
932	if (!dtls1_is_timer_expired(s)) {
933	/*
934	* not a timeout, none of our business, let higher layers handle
935	* this. in fact it's probably an error
936	*/
937	return code;
938	}
939	#ifndef OPENSSL_NO_HEARTBEATS
940	/* done, no need to send a retransmit */
941	if (!SSL_in_init(s) && !s->tlsext_hb_pending)
942	#else
943	/* done, no need to send a retransmit */
944	if (!SSL_in_init(s))
945	#endif
946	{
947	BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ);
948	return code;
949	}
950
951	return dtls1_handle_timeout(s);
952	}
953
954	int dtls1_get_queue_priority(unsigned short seq, int is_ccs)
955	{
956	/*
957	* The index of the retransmission queue actually is the message sequence
958	* number, since the queue only contains messages of a single handshake.
959	* However, the ChangeCipherSpec has no message sequence number and so
960	* using only the sequence will result in the CCS and Finished having the
961	* same index. To prevent this, the sequence number is multiplied by 2.
962	* In case of a CCS 1 is subtracted. This does not only differ CSS and
963	* Finished, it also maintains the order of the index (important for
964	* priority queues) and fits in the unsigned short variable.
965	*/
966	return seq * 2 - is_ccs;
967	}
968
969	int dtls1_retransmit_buffered_messages(SSL *s)
970	{
971	pqueue *sent = s->d1->sent_messages;
972	piterator iter;
973	pitem *item;
974	hm_fragment *frag;
975	int found = 0;
976
977	iter = pqueue_iterator(sent);
978
979	for (item = pqueue_next(&iter); item != NULL; item = pqueue_next(&iter)) {
980	frag = (hm_fragment *)item->data;
981	if (dtls1_retransmit_message(s, (unsigned short)
982	dtls1_get_queue_priority
983	(frag->msg_header.seq,
984	frag->msg_header.is_ccs), &found) <= 0)
985	return -1;
986	}
987
988	return 1;
989	}
990
991	int dtls1_buffer_message(SSL *s, int is_ccs)
992	{
993	pitem *item;
994	hm_fragment *frag;
995	unsigned char seq64be[8];
996
997	/*
998	* this function is called immediately after a message has been
999	* serialized
1000	*/
1001	OPENSSL_assert(s->init_off == 0);
1002
1003	frag = dtls1_hm_fragment_new(s->init_num, 0);
1004	if (frag == NULL)
1005	return 0;
1006
1007	memcpy(frag->fragment, s->init_buf->data, s->init_num);
1008
1009	if (is_ccs) {
1010	/* For DTLS1_BAD_VER the header length is non-standard */
1011	OPENSSL_assert(s->d1->w_msg_hdr.msg_len +
1012	((s->version ==
1013	DTLS1_BAD_VER) ? 3 : DTLS1_CCS_HEADER_LENGTH)
1014	== (unsigned int)s->init_num);
1015	} else {
1016	OPENSSL_assert(s->d1->w_msg_hdr.msg_len +
1017	DTLS1_HM_HEADER_LENGTH == (unsigned int)s->init_num);
1018	}
1019
1020	frag->msg_header.msg_len = s->d1->w_msg_hdr.msg_len;
1021	frag->msg_header.seq = s->d1->w_msg_hdr.seq;
1022	frag->msg_header.type = s->d1->w_msg_hdr.type;
1023	frag->msg_header.frag_off = 0;
1024	frag->msg_header.frag_len = s->d1->w_msg_hdr.msg_len;
1025	frag->msg_header.is_ccs = is_ccs;
1026
1027	/* save current state */
1028	frag->msg_header.saved_retransmit_state.enc_write_ctx = s->enc_write_ctx;
1029	frag->msg_header.saved_retransmit_state.write_hash = s->write_hash;
1030	frag->msg_header.saved_retransmit_state.compress = s->compress;
1031	frag->msg_header.saved_retransmit_state.session = s->session;
1032	frag->msg_header.saved_retransmit_state.epoch =
1033	DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer);
1034
1035	memset(seq64be, 0, sizeof(seq64be));
1036	seq64be[6] =
1037	(unsigned
1038	char)(dtls1_get_queue_priority(frag->msg_header.seq,
1039	frag->msg_header.is_ccs) >> 8);
1040	seq64be[7] =
1041	(unsigned
1042	char)(dtls1_get_queue_priority(frag->msg_header.seq,
1043	frag->msg_header.is_ccs));
1044
1045	item = pitem_new(seq64be, frag);
1046	if (item == NULL) {
1047	dtls1_hm_fragment_free(frag);
1048	return 0;
1049	}
1050
1051	pqueue_insert(s->d1->sent_messages, item);
1052	return 1;
1053	}
1054
1055	int dtls1_retransmit_message(SSL s, unsigned short seq, int found)
1056	{
1057	int ret;
1058	/* XDTLS: for now assuming that read/writes are blocking */
1059	pitem *item;
1060	hm_fragment *frag;
1061	unsigned long header_length;
1062	unsigned char seq64be[8];
1063	struct dtls1_retransmit_state saved_state;
1064
1065	/*-
1066	OPENSSL_assert(s->init_num == 0);
1067	OPENSSL_assert(s->init_off == 0);
1068	*/
1069
1070	/* XDTLS: the requested message ought to be found, otherwise error */
1071	memset(seq64be, 0, sizeof(seq64be));
1072	seq64be[6] = (unsigned char)(seq >> 8);
1073	seq64be[7] = (unsigned char)seq;
1074
1075	item = pqueue_find(s->d1->sent_messages, seq64be);
1076	if (item == NULL) {
1077	SSLerr(SSL_F_DTLS1_RETRANSMIT_MESSAGE, ERR_R_INTERNAL_ERROR);
1078	*found = 0;
1079	return 0;
1080	}
1081
1082	*found = 1;
1083	frag = (hm_fragment *)item->data;
1084
1085	if (frag->msg_header.is_ccs)
1086	header_length = DTLS1_CCS_HEADER_LENGTH;
1087	else
1088	header_length = DTLS1_HM_HEADER_LENGTH;
1089
1090	memcpy(s->init_buf->data, frag->fragment,
1091	frag->msg_header.msg_len + header_length);
1092	s->init_num = frag->msg_header.msg_len + header_length;
1093
1094	dtls1_set_message_header_int(s, frag->msg_header.type,
1095	frag->msg_header.msg_len,
1096	frag->msg_header.seq, 0,
1097	frag->msg_header.frag_len);
1098
1099	/* save current state */
1100	saved_state.enc_write_ctx = s->enc_write_ctx;
1101	saved_state.write_hash = s->write_hash;
1102	saved_state.compress = s->compress;
1103	saved_state.session = s->session;
1104	saved_state.epoch = DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer);
1105
1106	s->d1->retransmitting = 1;
1107
1108	/* restore state in which the message was originally sent */
1109	s->enc_write_ctx = frag->msg_header.saved_retransmit_state.enc_write_ctx;
1110	s->write_hash = frag->msg_header.saved_retransmit_state.write_hash;
1111	s->compress = frag->msg_header.saved_retransmit_state.compress;
1112	s->session = frag->msg_header.saved_retransmit_state.session;
1113	DTLS_RECORD_LAYER_set_saved_w_epoch(&s->rlayer,
1114	frag->msg_header.
1115	saved_retransmit_state.epoch);
1116
1117	ret = dtls1_do_write(s, frag->msg_header.is_ccs ?
1118	SSL3_RT_CHANGE_CIPHER_SPEC : SSL3_RT_HANDSHAKE);
1119
1120	/* restore current state */
1121	s->enc_write_ctx = saved_state.enc_write_ctx;
1122	s->write_hash = saved_state.write_hash;
1123	s->compress = saved_state.compress;
1124	s->session = saved_state.session;
1125	DTLS_RECORD_LAYER_set_saved_w_epoch(&s->rlayer, saved_state.epoch);
1126
1127	s->d1->retransmitting = 0;
1128
1129	(void)BIO_flush(s->wbio);
1130	return ret;
1131	}
1132
1133	void dtls1_set_message_header(SSL *s,
1134	unsigned char mt, unsigned long len,
1135	unsigned long frag_off, unsigned long frag_len)
1136	{
1137	if (frag_off == 0) {
1138	s->d1->handshake_write_seq = s->d1->next_handshake_write_seq;
1139	s->d1->next_handshake_write_seq++;
1140	}
1141
1142	dtls1_set_message_header_int(s, mt, len, s->d1->handshake_write_seq,
1143	frag_off, frag_len);
1144	}
1145
1146	/* don't actually do the writing, wait till the MTU has been retrieved */
1147	static void
1148	dtls1_set_message_header_int(SSL *s, unsigned char mt,
1149	unsigned long len, unsigned short seq_num,
1150	unsigned long frag_off, unsigned long frag_len)
1151	{
1152	struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
1153
1154	msg_hdr->type = mt;
1155	msg_hdr->msg_len = len;
1156	msg_hdr->seq = seq_num;
1157	msg_hdr->frag_off = frag_off;
1158	msg_hdr->frag_len = frag_len;
1159	}
1160
1161	static void
1162	dtls1_fix_message_header(SSL *s, unsigned long frag_off, unsigned long frag_len)
1163	{
1164	struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
1165
1166	msg_hdr->frag_off = frag_off;
1167	msg_hdr->frag_len = frag_len;
1168	}
1169
1170	static unsigned char dtls1_write_message_header(SSL s, unsigned char *p)
1171	{
1172	struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
1173
1174	*p++ = msg_hdr->type;
1175	l2n3(msg_hdr->msg_len, p);
1176
1177	s2n(msg_hdr->seq, p);
1178	l2n3(msg_hdr->frag_off, p);
1179	l2n3(msg_hdr->frag_len, p);
1180
1181	return p;
1182	}
1183
1184	void dtls1_get_message_header(unsigned char data, struct hm_header_st msg_hdr)
1185	{
1186	memset(msg_hdr, 0, sizeof(*msg_hdr));
1187	msg_hdr->type = *(data++);
1188	n2l3(data, msg_hdr->msg_len);
1189
1190	n2s(data, msg_hdr->seq);
1191	n2l3(data, msg_hdr->frag_off);
1192	n2l3(data, msg_hdr->frag_len);
1193	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: EcnlProtoTool/trunk/openssl-1.1.0e/ssl/statem/statem_dtls.c@ 331

Download in other formats: