• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * DTLS implementation written by Nagendra Modadugu
3  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
4  */
5 /* ====================================================================
6  * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in
17  *    the documentation and/or other materials provided with the
18  *    distribution.
19  *
20  * 3. All advertising materials mentioning features or use of this
21  *    software must display the following acknowledgment:
22  *    "This product includes software developed by the OpenSSL Project
23  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
24  *
25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26  *    endorse or promote products derived from this software without
27  *    prior written permission. For written permission, please contact
28  *    openssl-core@openssl.org.
29  *
30  * 5. Products derived from this software may not be called "OpenSSL"
31  *    nor may "OpenSSL" appear in their names without prior written
32  *    permission of the OpenSSL Project.
33  *
34  * 6. Redistributions of any form whatsoever must retain the following
35  *    acknowledgment:
36  *    "This product includes software developed by the OpenSSL Project
37  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
38  *
39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50  * OF THE POSSIBILITY OF SUCH DAMAGE.
51  * ====================================================================
52  *
53  * This product includes cryptographic software written by Eric Young
54  * (eay@cryptsoft.com).  This product includes software written by Tim
55  * Hudson (tjh@cryptsoft.com).
56  *
57  */
58 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
59  * All rights reserved.
60  *
61  * This package is an SSL implementation written
62  * by Eric Young (eay@cryptsoft.com).
63  * The implementation was written so as to conform with Netscapes SSL.
64  *
65  * This library is free for commercial and non-commercial use as long as
66  * the following conditions are aheared to.  The following conditions
67  * apply to all code found in this distribution, be it the RC4, RSA,
68  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
69  * included with this distribution is covered by the same copyright terms
70  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
71  *
72  * Copyright remains Eric Young's, and as such any Copyright notices in
73  * the code are not to be removed.
74  * If this package is used in a product, Eric Young should be given attribution
75  * as the author of the parts of the library used.
76  * This can be in the form of a textual message at program startup or
77  * in documentation (online or textual) provided with the package.
78  *
79  * Redistribution and use in source and binary forms, with or without
80  * modification, are permitted provided that the following conditions
81  * are met:
82  * 1. Redistributions of source code must retain the copyright
83  *    notice, this list of conditions and the following disclaimer.
84  * 2. Redistributions in binary form must reproduce the above copyright
85  *    notice, this list of conditions and the following disclaimer in the
86  *    documentation and/or other materials provided with the distribution.
87  * 3. All advertising materials mentioning features or use of this software
88  *    must display the following acknowledgement:
89  *    "This product includes cryptographic software written by
90  *     Eric Young (eay@cryptsoft.com)"
91  *    The word 'cryptographic' can be left out if the rouines from the library
92  *    being used are not cryptographic related :-).
93  * 4. If you include any Windows specific code (or a derivative thereof) from
94  *    the apps directory (application code) you must include an acknowledgement:
95  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
96  *
97  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
98  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
99  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
100  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
101  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
102  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
103  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
104  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
105  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
106  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
107  * SUCH DAMAGE.
108  *
109  * The licence and distribution terms for any publically available version or
110  * derivative of this code cannot be changed.  i.e. this code cannot simply be
111  * copied and put under another distribution licence
112  * [including the GNU Public Licence.] */
113 
114 #include <openssl/ssl.h>
115 
116 #include <assert.h>
117 #include <limits.h>
118 #include <stdio.h>
119 #include <string.h>
120 
121 #include <openssl/buf.h>
122 #include <openssl/err.h>
123 #include <openssl/evp.h>
124 #include <openssl/mem.h>
125 #include <openssl/obj.h>
126 #include <openssl/rand.h>
127 #include <openssl/x509.h>
128 
129 #include "internal.h"
130 
131 
132 /* TODO(davidben): 28 comes from the size of IP + UDP header. Is this reasonable
133  * for these values? Notably, why is kMinMTU a function of the transport
134  * protocol's overhead rather than, say, what's needed to hold a minimally-sized
135  * handshake fragment plus protocol overhead. */
136 
137 /* kMinMTU is the minimum acceptable MTU value. */
138 static const unsigned int kMinMTU = 256 - 28;
139 
140 /* kDefaultMTU is the default MTU value to use if neither the user nor
141  * the underlying BIO supplies one. */
142 static const unsigned int kDefaultMTU = 1500 - 28;
143 
144 /* kMaxHandshakeBuffer is the maximum number of handshake messages ahead of the
145  * current one to buffer. */
146 static const unsigned int kHandshakeBufferSize = 10;
147 
dtls1_hm_fragment_new(size_t frag_len,int reassembly)148 static hm_fragment *dtls1_hm_fragment_new(size_t frag_len, int reassembly) {
149   hm_fragment *frag = OPENSSL_malloc(sizeof(hm_fragment));
150   if (frag == NULL) {
151     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
152     return NULL;
153   }
154   memset(frag, 0, sizeof(hm_fragment));
155 
156   /* If the handshake message is empty, |frag->fragment| and |frag->reassembly|
157    * are NULL. */
158   if (frag_len > 0) {
159     frag->fragment = OPENSSL_malloc(frag_len);
160     if (frag->fragment == NULL) {
161       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
162       goto err;
163     }
164 
165     if (reassembly) {
166       /* Initialize reassembly bitmask. */
167       if (frag_len + 7 < frag_len) {
168         OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
169         goto err;
170       }
171       size_t bitmask_len = (frag_len + 7) / 8;
172       frag->reassembly = OPENSSL_malloc(bitmask_len);
173       if (frag->reassembly == NULL) {
174         OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
175         goto err;
176       }
177       memset(frag->reassembly, 0, bitmask_len);
178     }
179   }
180 
181   return frag;
182 
183 err:
184   dtls1_hm_fragment_free(frag);
185   return NULL;
186 }
187 
dtls1_hm_fragment_free(hm_fragment * frag)188 void dtls1_hm_fragment_free(hm_fragment *frag) {
189   if (frag == NULL) {
190     return;
191   }
192   OPENSSL_free(frag->fragment);
193   OPENSSL_free(frag->reassembly);
194   OPENSSL_free(frag);
195 }
196 
197 #if !defined(inline)
198 #define inline __inline
199 #endif
200 
201 /* bit_range returns a |uint8_t| with bits |start|, inclusive, to |end|,
202  * exclusive, set. */
bit_range(size_t start,size_t end)203 static inline uint8_t bit_range(size_t start, size_t end) {
204   return (uint8_t)(~((1u << start) - 1) & ((1u << end) - 1));
205 }
206 
207 /* dtls1_hm_fragment_mark marks bytes |start|, inclusive, to |end|, exclusive,
208  * as received in |frag|. If |frag| becomes complete, it clears
209  * |frag->reassembly|. The range must be within the bounds of |frag|'s message
210  * and |frag->reassembly| must not be NULL. */
dtls1_hm_fragment_mark(hm_fragment * frag,size_t start,size_t end)211 static void dtls1_hm_fragment_mark(hm_fragment *frag, size_t start,
212                                    size_t end) {
213   size_t i;
214   size_t msg_len = frag->msg_header.msg_len;
215 
216   if (frag->reassembly == NULL || start > end || end > msg_len) {
217     assert(0);
218     return;
219   }
220   /* A zero-length message will never have a pending reassembly. */
221   assert(msg_len > 0);
222 
223   if ((start >> 3) == (end >> 3)) {
224     frag->reassembly[start >> 3] |= bit_range(start & 7, end & 7);
225   } else {
226     frag->reassembly[start >> 3] |= bit_range(start & 7, 8);
227     for (i = (start >> 3) + 1; i < (end >> 3); i++) {
228       frag->reassembly[i] = 0xff;
229     }
230     if ((end & 7) != 0) {
231       frag->reassembly[end >> 3] |= bit_range(0, end & 7);
232     }
233   }
234 
235   /* Check if the fragment is complete. */
236   for (i = 0; i < (msg_len >> 3); i++) {
237     if (frag->reassembly[i] != 0xff) {
238       return;
239     }
240   }
241   if ((msg_len & 7) != 0 &&
242       frag->reassembly[msg_len >> 3] != bit_range(0, msg_len & 7)) {
243     return;
244   }
245 
246   OPENSSL_free(frag->reassembly);
247   frag->reassembly = NULL;
248 }
249 
dtls1_update_mtu(SSL * ssl)250 static void dtls1_update_mtu(SSL *ssl) {
251   /* TODO(davidben): What is this code doing and do we need it? */
252   if (ssl->d1->mtu < dtls1_min_mtu() &&
253       !(SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) {
254     long mtu = BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
255     if (mtu >= 0 && mtu <= (1 << 30) && (unsigned)mtu >= dtls1_min_mtu()) {
256       ssl->d1->mtu = (unsigned)mtu;
257     } else {
258       ssl->d1->mtu = kDefaultMTU;
259       BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SET_MTU, ssl->d1->mtu, NULL);
260     }
261   }
262 
263   /* The MTU should be above the minimum now. */
264   assert(ssl->d1->mtu >= dtls1_min_mtu());
265 }
266 
267 /* dtls1_max_record_size returns the maximum record body length that may be
268  * written without exceeding the MTU. It accounts for any buffering installed on
269  * the write BIO. If no record may be written, it returns zero. */
dtls1_max_record_size(SSL * ssl)270 static size_t dtls1_max_record_size(SSL *ssl) {
271   size_t ret = ssl->d1->mtu;
272 
273   size_t overhead = ssl_max_seal_overhead(ssl);
274   if (ret <= overhead) {
275     return 0;
276   }
277   ret -= overhead;
278 
279   size_t pending = BIO_wpending(SSL_get_wbio(ssl));
280   if (ret <= pending) {
281     return 0;
282   }
283   ret -= pending;
284 
285   return ret;
286 }
287 
dtls1_write_change_cipher_spec(SSL * ssl,enum dtls1_use_epoch_t use_epoch)288 static int dtls1_write_change_cipher_spec(SSL *ssl,
289                                           enum dtls1_use_epoch_t use_epoch) {
290   dtls1_update_mtu(ssl);
291 
292   /* During the handshake, wbio is buffered to pack messages together. Flush the
293    * buffer if the ChangeCipherSpec would not fit in a packet. */
294   if (dtls1_max_record_size(ssl) == 0) {
295     ssl->rwstate = SSL_WRITING;
296     int ret = BIO_flush(SSL_get_wbio(ssl));
297     if (ret <= 0) {
298       return ret;
299     }
300     ssl->rwstate = SSL_NOTHING;
301   }
302 
303   static const uint8_t kChangeCipherSpec[1] = {SSL3_MT_CCS};
304   int ret =
305       dtls1_write_bytes(ssl, SSL3_RT_CHANGE_CIPHER_SPEC, kChangeCipherSpec,
306                         sizeof(kChangeCipherSpec), use_epoch);
307   if (ret <= 0) {
308     return ret;
309   }
310 
311   if (ssl->msg_callback != NULL) {
312     ssl->msg_callback(1 /* write */, ssl->version, SSL3_RT_CHANGE_CIPHER_SPEC,
313                       kChangeCipherSpec, sizeof(kChangeCipherSpec), ssl,
314                       ssl->msg_callback_arg);
315   }
316 
317   return 1;
318 }
319 
dtls1_do_handshake_write(SSL * ssl,enum dtls1_use_epoch_t use_epoch)320 int dtls1_do_handshake_write(SSL *ssl, enum dtls1_use_epoch_t use_epoch) {
321   dtls1_update_mtu(ssl);
322 
323   int ret = -1;
324   CBB cbb;
325   CBB_zero(&cbb);
326   /* Allocate a temporary buffer to hold the message fragments to avoid
327    * clobbering the message. */
328   uint8_t *buf = OPENSSL_malloc(ssl->d1->mtu);
329   if (buf == NULL) {
330     goto err;
331   }
332 
333   /* Consume the message header. Fragments will have different headers
334    * prepended. */
335   if (ssl->init_off == 0) {
336     ssl->init_off += DTLS1_HM_HEADER_LENGTH;
337     ssl->init_num -= DTLS1_HM_HEADER_LENGTH;
338   }
339   assert(ssl->init_off >= DTLS1_HM_HEADER_LENGTH);
340 
341   do {
342     /* During the handshake, wbio is buffered to pack messages together. Flush
343      * the buffer if there isn't enough room to make progress. */
344     if (dtls1_max_record_size(ssl) < DTLS1_HM_HEADER_LENGTH + 1) {
345       ssl->rwstate = SSL_WRITING;
346       int flush_ret = BIO_flush(SSL_get_wbio(ssl));
347       if (flush_ret <= 0) {
348         ret = flush_ret;
349         goto err;
350       }
351       ssl->rwstate = SSL_NOTHING;
352       assert(BIO_wpending(SSL_get_wbio(ssl)) == 0);
353     }
354 
355     size_t todo = dtls1_max_record_size(ssl);
356     if (todo < DTLS1_HM_HEADER_LENGTH + 1) {
357       /* To make forward progress, the MTU must, at minimum, fit the handshake
358        * header and one byte of handshake body. */
359       OPENSSL_PUT_ERROR(SSL, SSL_R_MTU_TOO_SMALL);
360       goto err;
361     }
362     todo -= DTLS1_HM_HEADER_LENGTH;
363 
364     if (todo > (size_t)ssl->init_num) {
365       todo = ssl->init_num;
366     }
367     if (todo >= (1u << 24)) {
368       todo = (1u << 24) - 1;
369     }
370 
371     size_t len;
372     if (!CBB_init_fixed(&cbb, buf, ssl->d1->mtu) ||
373         !CBB_add_u8(&cbb, ssl->d1->w_msg_hdr.type) ||
374         !CBB_add_u24(&cbb, ssl->d1->w_msg_hdr.msg_len) ||
375         !CBB_add_u16(&cbb, ssl->d1->w_msg_hdr.seq) ||
376         !CBB_add_u24(&cbb, ssl->init_off - DTLS1_HM_HEADER_LENGTH) ||
377         !CBB_add_u24(&cbb, todo) ||
378         !CBB_add_bytes(
379             &cbb, (const uint8_t *)ssl->init_buf->data + ssl->init_off, todo) ||
380         !CBB_finish(&cbb, NULL, &len)) {
381       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
382       goto err;
383     }
384 
385     int write_ret = dtls1_write_bytes(ssl, SSL3_RT_HANDSHAKE, buf, len,
386                                       use_epoch);
387     if (write_ret <= 0) {
388       ret = write_ret;
389       goto err;
390     }
391     ssl->init_off += todo;
392     ssl->init_num -= todo;
393   } while (ssl->init_num > 0);
394 
395   if (ssl->msg_callback != NULL) {
396     ssl->msg_callback(
397         1 /* write */, ssl->version, SSL3_RT_HANDSHAKE, ssl->init_buf->data,
398         (size_t)(ssl->init_off + ssl->init_num), ssl, ssl->msg_callback_arg);
399   }
400 
401   ssl->init_off = 0;
402   ssl->init_num = 0;
403 
404   ret = 1;
405 
406 err:
407   CBB_cleanup(&cbb);
408   OPENSSL_free(buf);
409   return ret;
410 }
411 
412 /* dtls1_is_next_message_complete returns one if the next handshake message is
413  * complete and zero otherwise. */
dtls1_is_next_message_complete(SSL * ssl)414 static int dtls1_is_next_message_complete(SSL *ssl) {
415   pitem *item = pqueue_peek(ssl->d1->buffered_messages);
416   if (item == NULL) {
417     return 0;
418   }
419 
420   hm_fragment *frag = (hm_fragment *)item->data;
421   assert(ssl->d1->handshake_read_seq <= frag->msg_header.seq);
422 
423   return ssl->d1->handshake_read_seq == frag->msg_header.seq &&
424          frag->reassembly == NULL;
425 }
426 
427 /* dtls1_discard_fragment_body discards a handshake fragment body of length
428  * |frag_len|. It returns one on success and zero on error.
429  *
430  * TODO(davidben): This function will go away when ssl_read_bytes is gone from
431  * the DTLS side. */
dtls1_discard_fragment_body(SSL * ssl,size_t frag_len)432 static int dtls1_discard_fragment_body(SSL *ssl, size_t frag_len) {
433   uint8_t discard[256];
434   while (frag_len > 0) {
435     size_t chunk = frag_len < sizeof(discard) ? frag_len : sizeof(discard);
436     int ret = dtls1_read_bytes(ssl, SSL3_RT_HANDSHAKE, discard, chunk, 0);
437     if (ret != (int) chunk) {
438       return 0;
439     }
440     frag_len -= chunk;
441   }
442   return 1;
443 }
444 
445 /* dtls1_get_buffered_message returns the buffered message corresponding to
446  * |msg_hdr|. If none exists, it creates a new one and inserts it in the
447  * queue. Otherwise, it checks |msg_hdr| is consistent with the existing one. It
448  * returns NULL on failure. The caller does not take ownership of the result. */
dtls1_get_buffered_message(SSL * ssl,const struct hm_header_st * msg_hdr)449 static hm_fragment *dtls1_get_buffered_message(
450     SSL *ssl, const struct hm_header_st *msg_hdr) {
451   uint8_t seq64be[8];
452   memset(seq64be, 0, sizeof(seq64be));
453   seq64be[6] = (uint8_t)(msg_hdr->seq >> 8);
454   seq64be[7] = (uint8_t)msg_hdr->seq;
455   pitem *item = pqueue_find(ssl->d1->buffered_messages, seq64be);
456 
457   hm_fragment *frag;
458   if (item == NULL) {
459     /* This is the first fragment from this message. */
460     frag = dtls1_hm_fragment_new(msg_hdr->msg_len,
461                                  1 /* reassembly buffer needed */);
462     if (frag == NULL) {
463       return NULL;
464     }
465     memcpy(&frag->msg_header, msg_hdr, sizeof(*msg_hdr));
466     item = pitem_new(seq64be, frag);
467     if (item == NULL) {
468       dtls1_hm_fragment_free(frag);
469       return NULL;
470     }
471     item = pqueue_insert(ssl->d1->buffered_messages, item);
472     /* |pqueue_insert| fails iff a duplicate item is inserted, but |item| cannot
473      * be a duplicate. */
474     assert(item != NULL);
475   } else {
476     frag = item->data;
477     assert(frag->msg_header.seq == msg_hdr->seq);
478     if (frag->msg_header.type != msg_hdr->type ||
479         frag->msg_header.msg_len != msg_hdr->msg_len) {
480       /* The new fragment must be compatible with the previous fragments from
481        * this message. */
482       OPENSSL_PUT_ERROR(SSL, SSL_R_FRAGMENT_MISMATCH);
483       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
484       return NULL;
485     }
486   }
487   return frag;
488 }
489 
490 /* dtls1_max_handshake_message_len returns the maximum number of bytes
491  * permitted in a DTLS handshake message for |ssl|. The minimum is 16KB, but may
492  * be greater if the maximum certificate list size requires it. */
dtls1_max_handshake_message_len(const SSL * ssl)493 static size_t dtls1_max_handshake_message_len(const SSL *ssl) {
494   size_t max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
495   if (max_len < ssl->max_cert_list) {
496     return ssl->max_cert_list;
497   }
498   return max_len;
499 }
500 
501 /* dtls1_process_fragment reads a handshake fragment and processes it. It
502  * returns one if a fragment was successfully processed and 0 or -1 on error. */
dtls1_process_fragment(SSL * ssl)503 static int dtls1_process_fragment(SSL *ssl) {
504   /* Read handshake message header. */
505   uint8_t header[DTLS1_HM_HEADER_LENGTH];
506   int ret = dtls1_read_bytes(ssl, SSL3_RT_HANDSHAKE, header,
507                              DTLS1_HM_HEADER_LENGTH, 0);
508   if (ret <= 0) {
509     return ret;
510   }
511   if (ret != DTLS1_HM_HEADER_LENGTH) {
512     OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
513     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
514     return -1;
515   }
516 
517   /* Parse the message fragment header. */
518   struct hm_header_st msg_hdr;
519   dtls1_get_message_header(header, &msg_hdr);
520 
521   /* TODO(davidben): dtls1_read_bytes is the wrong abstraction for DTLS. There
522    * should be no need to reach into |ssl->s3->rrec.length|. */
523   const size_t frag_off = msg_hdr.frag_off;
524   const size_t frag_len = msg_hdr.frag_len;
525   const size_t msg_len = msg_hdr.msg_len;
526   if (frag_off > msg_len || frag_off + frag_len < frag_off ||
527       frag_off + frag_len > msg_len ||
528       msg_len > dtls1_max_handshake_message_len(ssl) ||
529       frag_len > ssl->s3->rrec.length) {
530     OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);
531     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
532     return -1;
533   }
534 
535   if (msg_hdr.seq < ssl->d1->handshake_read_seq ||
536       msg_hdr.seq > (unsigned)ssl->d1->handshake_read_seq +
537                     kHandshakeBufferSize) {
538     /* Ignore fragments from the past, or ones too far in the future. */
539     if (!dtls1_discard_fragment_body(ssl, frag_len)) {
540       return -1;
541     }
542     return 1;
543   }
544 
545   hm_fragment *frag = dtls1_get_buffered_message(ssl, &msg_hdr);
546   if (frag == NULL) {
547     return -1;
548   }
549   assert(frag->msg_header.msg_len == msg_len);
550 
551   if (frag->reassembly == NULL) {
552     /* The message is already assembled. */
553     if (!dtls1_discard_fragment_body(ssl, frag_len)) {
554       return -1;
555     }
556     return 1;
557   }
558   assert(msg_len > 0);
559 
560   /* Read the body of the fragment. */
561   ret = dtls1_read_bytes(ssl, SSL3_RT_HANDSHAKE, frag->fragment + frag_off,
562                          frag_len, 0);
563   if (ret != (int) frag_len) {
564     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
565     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
566     return -1;
567   }
568   dtls1_hm_fragment_mark(frag, frag_off, frag_off + frag_len);
569 
570   return 1;
571 }
572 
573 /* dtls1_get_message reads a handshake message of message type |msg_type| (any
574  * if |msg_type| == -1), maximum acceptable body length |max|. Read an entire
575  * handshake message. Handshake messages arrive in fragments. */
dtls1_get_message(SSL * ssl,int st1,int stn,int msg_type,long max,enum ssl_hash_message_t hash_message,int * ok)576 long dtls1_get_message(SSL *ssl, int st1, int stn, int msg_type, long max,
577                        enum ssl_hash_message_t hash_message, int *ok) {
578   pitem *item = NULL;
579   hm_fragment *frag = NULL;
580   int al;
581 
582   /* s3->tmp is used to store messages that are unexpected, caused
583    * by the absence of an optional handshake message */
584   if (ssl->s3->tmp.reuse_message) {
585     /* A ssl_dont_hash_message call cannot be combined with reuse_message; the
586      * ssl_dont_hash_message would have to have been applied to the previous
587      * call. */
588     assert(hash_message == ssl_hash_message);
589     ssl->s3->tmp.reuse_message = 0;
590     if (msg_type >= 0 && ssl->s3->tmp.message_type != msg_type) {
591       al = SSL_AD_UNEXPECTED_MESSAGE;
592       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
593       goto f_err;
594     }
595     *ok = 1;
596     ssl->init_msg = (uint8_t *)ssl->init_buf->data + DTLS1_HM_HEADER_LENGTH;
597     ssl->init_num = (int)ssl->s3->tmp.message_size;
598     return ssl->init_num;
599   }
600 
601   /* Process fragments until one is found. */
602   while (!dtls1_is_next_message_complete(ssl)) {
603     int ret = dtls1_process_fragment(ssl);
604     if (ret <= 0) {
605       *ok = 0;
606       return ret;
607     }
608   }
609 
610   /* Read out the next complete handshake message. */
611   item = pqueue_pop(ssl->d1->buffered_messages);
612   assert(item != NULL);
613   frag = (hm_fragment *)item->data;
614   assert(ssl->d1->handshake_read_seq == frag->msg_header.seq);
615   assert(frag->reassembly == NULL);
616 
617   if (frag->msg_header.msg_len > (size_t)max) {
618     OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);
619     goto err;
620   }
621 
622   /* Reconstruct the assembled message. */
623   size_t len;
624   CBB cbb;
625   CBB_zero(&cbb);
626   if (!BUF_MEM_grow(ssl->init_buf, (size_t)frag->msg_header.msg_len +
627                                        DTLS1_HM_HEADER_LENGTH) ||
628       !CBB_init_fixed(&cbb, (uint8_t *)ssl->init_buf->data,
629                       ssl->init_buf->max) ||
630       !CBB_add_u8(&cbb, frag->msg_header.type) ||
631       !CBB_add_u24(&cbb, frag->msg_header.msg_len) ||
632       !CBB_add_u16(&cbb, frag->msg_header.seq) ||
633       !CBB_add_u24(&cbb, 0 /* frag_off */) ||
634       !CBB_add_u24(&cbb, frag->msg_header.msg_len) ||
635       !CBB_add_bytes(&cbb, frag->fragment, frag->msg_header.msg_len) ||
636       !CBB_finish(&cbb, NULL, &len)) {
637     CBB_cleanup(&cbb);
638     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
639     goto err;
640   }
641   assert(len == (size_t)frag->msg_header.msg_len + DTLS1_HM_HEADER_LENGTH);
642 
643   ssl->d1->handshake_read_seq++;
644 
645   /* TODO(davidben): This function has a lot of implicit outputs. Simplify the
646    * |ssl_get_message| API. */
647   ssl->s3->tmp.message_type = frag->msg_header.type;
648   ssl->s3->tmp.message_size = frag->msg_header.msg_len;
649   ssl->init_msg = (uint8_t *)ssl->init_buf->data + DTLS1_HM_HEADER_LENGTH;
650   ssl->init_num = frag->msg_header.msg_len;
651 
652   if (msg_type >= 0 && ssl->s3->tmp.message_type != msg_type) {
653     al = SSL_AD_UNEXPECTED_MESSAGE;
654     OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
655     goto f_err;
656   }
657   if (hash_message == ssl_hash_message && !ssl3_hash_current_message(ssl)) {
658     goto err;
659   }
660   if (ssl->msg_callback) {
661     ssl->msg_callback(0, ssl->version, SSL3_RT_HANDSHAKE, ssl->init_buf->data,
662                     ssl->init_num + DTLS1_HM_HEADER_LENGTH, ssl,
663                     ssl->msg_callback_arg);
664   }
665 
666   pitem_free(item);
667   dtls1_hm_fragment_free(frag);
668 
669   ssl->state = stn;
670   *ok = 1;
671   return ssl->init_num;
672 
673 f_err:
674   ssl3_send_alert(ssl, SSL3_AL_FATAL, al);
675 err:
676   pitem_free(item);
677   dtls1_hm_fragment_free(frag);
678   *ok = 0;
679   return -1;
680 }
681 
dtls1_read_failed(SSL * ssl,int code)682 int dtls1_read_failed(SSL *ssl, int code) {
683   if (code > 0) {
684     assert(0);
685     return 1;
686   }
687 
688   if (!dtls1_is_timer_expired(ssl)) {
689     /* not a timeout, none of our business, let higher layers handle this. In
690      * fact, it's probably an error */
691     return code;
692   }
693 
694   if (!SSL_in_init(ssl)) {
695     /* done, no need to send a retransmit */
696     BIO_set_flags(SSL_get_rbio(ssl), BIO_FLAGS_READ);
697     return code;
698   }
699 
700   return DTLSv1_handle_timeout(ssl);
701 }
702 
dtls1_get_queue_priority(uint16_t seq,int is_ccs)703 static uint16_t dtls1_get_queue_priority(uint16_t seq, int is_ccs) {
704   assert(seq * 2 >= seq);
705 
706   /* The index of the retransmission queue actually is the message sequence
707    * number, since the queue only contains messages of a single handshake.
708    * However, the ChangeCipherSpec has no message sequence number and so using
709    * only the sequence will result in the CCS and Finished having the same
710    * index. To prevent this, the sequence number is multiplied by 2. In case of
711    * a CCS 1 is subtracted. This does not only differ CSS and Finished, it also
712    * maintains the order of the index (important for priority queues) and fits
713    * in the unsigned short variable. */
714   return seq * 2 - is_ccs;
715 }
716 
dtls1_retransmit_message(SSL * ssl,hm_fragment * frag)717 static int dtls1_retransmit_message(SSL *ssl, hm_fragment *frag) {
718   /* DTLS renegotiation is unsupported, so only epochs 0 (NULL cipher) and 1
719    * (negotiated cipher) exist. */
720   assert(ssl->d1->w_epoch == 0 || ssl->d1->w_epoch == 1);
721   assert(frag->msg_header.epoch <= ssl->d1->w_epoch);
722   enum dtls1_use_epoch_t use_epoch = dtls1_use_current_epoch;
723   if (ssl->d1->w_epoch == 1 && frag->msg_header.epoch == 0) {
724     use_epoch = dtls1_use_previous_epoch;
725   }
726 
727   /* TODO(davidben): This cannot handle non-blocking writes. */
728   int ret;
729   if (frag->msg_header.is_ccs) {
730     ret = dtls1_write_change_cipher_spec(ssl, use_epoch);
731   } else {
732     /* Restore the message body.
733      * TODO(davidben): Make this less stateful. */
734     memcpy(ssl->init_buf->data, frag->fragment,
735            frag->msg_header.msg_len + DTLS1_HM_HEADER_LENGTH);
736     ssl->init_num = frag->msg_header.msg_len + DTLS1_HM_HEADER_LENGTH;
737 
738     dtls1_set_message_header(ssl, frag->msg_header.type,
739                              frag->msg_header.msg_len, frag->msg_header.seq,
740                              0, frag->msg_header.frag_len);
741     ret = dtls1_do_handshake_write(ssl, use_epoch);
742   }
743 
744   /* TODO(davidben): Check return value? */
745   (void)BIO_flush(SSL_get_wbio(ssl));
746   return ret;
747 }
748 
749 
dtls1_retransmit_buffered_messages(SSL * ssl)750 int dtls1_retransmit_buffered_messages(SSL *ssl) {
751   pqueue sent = ssl->d1->sent_messages;
752   piterator iter = pqueue_iterator(sent);
753   pitem *item;
754 
755   for (item = pqueue_next(&iter); item != NULL; item = pqueue_next(&iter)) {
756     hm_fragment *frag = (hm_fragment *)item->data;
757     if (dtls1_retransmit_message(ssl, frag) <= 0) {
758       return -1;
759     }
760   }
761 
762   return 1;
763 }
764 
765 /* dtls1_buffer_change_cipher_spec adds a ChangeCipherSpec to the current
766  * handshake flight, ordered just before the handshake message numbered
767  * |seq|. */
dtls1_buffer_change_cipher_spec(SSL * ssl,uint16_t seq)768 static int dtls1_buffer_change_cipher_spec(SSL *ssl, uint16_t seq) {
769   hm_fragment *frag = dtls1_hm_fragment_new(0 /* frag_len */,
770                                             0 /* no reassembly */);
771   if (frag == NULL) {
772     return 0;
773   }
774   frag->msg_header.is_ccs = 1;
775   frag->msg_header.epoch = ssl->d1->w_epoch;
776 
777   uint16_t priority = dtls1_get_queue_priority(seq, 1 /* is_ccs */);
778   uint8_t seq64be[8];
779   memset(seq64be, 0, sizeof(seq64be));
780   seq64be[6] = (uint8_t)(priority >> 8);
781   seq64be[7] = (uint8_t)priority;
782 
783   pitem *item = pitem_new(seq64be, frag);
784   if (item == NULL) {
785     dtls1_hm_fragment_free(frag);
786     return 0;
787   }
788 
789   pqueue_insert(ssl->d1->sent_messages, item);
790   return 1;
791 }
792 
dtls1_buffer_message(SSL * ssl)793 int dtls1_buffer_message(SSL *ssl) {
794   /* this function is called immediately after a message has
795    * been serialized */
796   assert(ssl->init_off == 0);
797 
798   hm_fragment *frag = dtls1_hm_fragment_new(ssl->init_num, 0);
799   if (!frag) {
800     return 0;
801   }
802 
803   memcpy(frag->fragment, ssl->init_buf->data, ssl->init_num);
804 
805   assert(ssl->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH ==
806          (unsigned int)ssl->init_num);
807 
808   frag->msg_header.msg_len = ssl->d1->w_msg_hdr.msg_len;
809   frag->msg_header.seq = ssl->d1->w_msg_hdr.seq;
810   frag->msg_header.type = ssl->d1->w_msg_hdr.type;
811   frag->msg_header.frag_off = 0;
812   frag->msg_header.frag_len = ssl->d1->w_msg_hdr.msg_len;
813   frag->msg_header.is_ccs = 0;
814   frag->msg_header.epoch = ssl->d1->w_epoch;
815 
816   uint16_t priority = dtls1_get_queue_priority(frag->msg_header.seq,
817                                                0 /* handshake */);
818   uint8_t seq64be[8];
819   memset(seq64be, 0, sizeof(seq64be));
820   seq64be[6] = (uint8_t)(priority >> 8);
821   seq64be[7] = (uint8_t)priority;
822 
823   pitem *item = pitem_new(seq64be, frag);
824   if (item == NULL) {
825     dtls1_hm_fragment_free(frag);
826     return 0;
827   }
828 
829   pqueue_insert(ssl->d1->sent_messages, item);
830   return 1;
831 }
832 
dtls1_send_change_cipher_spec(SSL * ssl,int a,int b)833 int dtls1_send_change_cipher_spec(SSL *ssl, int a, int b) {
834   if (ssl->state == a) {
835     /* Buffer the message to handle retransmits. */
836     ssl->d1->handshake_write_seq = ssl->d1->next_handshake_write_seq;
837     dtls1_buffer_change_cipher_spec(ssl, ssl->d1->handshake_write_seq);
838     ssl->state = b;
839   }
840 
841   return dtls1_write_change_cipher_spec(ssl, dtls1_use_current_epoch);
842 }
843 
844 /* call this function when the buffered messages are no longer needed */
dtls1_clear_record_buffer(SSL * ssl)845 void dtls1_clear_record_buffer(SSL *ssl) {
846   pitem *item;
847 
848   for (item = pqueue_pop(ssl->d1->sent_messages); item != NULL;
849        item = pqueue_pop(ssl->d1->sent_messages)) {
850     dtls1_hm_fragment_free((hm_fragment *)item->data);
851     pitem_free(item);
852   }
853 }
854 
855 /* don't actually do the writing, wait till the MTU has been retrieved */
dtls1_set_message_header(SSL * ssl,uint8_t mt,unsigned long len,unsigned short seq_num,unsigned long frag_off,unsigned long frag_len)856 void dtls1_set_message_header(SSL *ssl, uint8_t mt, unsigned long len,
857                               unsigned short seq_num, unsigned long frag_off,
858                               unsigned long frag_len) {
859   struct hm_header_st *msg_hdr = &ssl->d1->w_msg_hdr;
860 
861   msg_hdr->type = mt;
862   msg_hdr->msg_len = len;
863   msg_hdr->seq = seq_num;
864   msg_hdr->frag_off = frag_off;
865   msg_hdr->frag_len = frag_len;
866 }
867 
dtls1_min_mtu(void)868 unsigned int dtls1_min_mtu(void) {
869   return kMinMTU;
870 }
871 
dtls1_get_message_header(uint8_t * data,struct hm_header_st * msg_hdr)872 void dtls1_get_message_header(uint8_t *data,
873                               struct hm_header_st *msg_hdr) {
874   memset(msg_hdr, 0x00, sizeof(struct hm_header_st));
875   msg_hdr->type = *(data++);
876   n2l3(data, msg_hdr->msg_len);
877 
878   n2s(data, msg_hdr->seq);
879   n2l3(data, msg_hdr->frag_off);
880   n2l3(data, msg_hdr->frag_len);
881 }
882