• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * DTLS implementation written by Nagendra Modadugu
3  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
4  */
5 /* ====================================================================
6  * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in
17  *    the documentation and/or other materials provided with the
18  *    distribution.
19  *
20  * 3. All advertising materials mentioning features or use of this
21  *    software must display the following acknowledgment:
22  *    "This product includes software developed by the OpenSSL Project
23  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
24  *
25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26  *    endorse or promote products derived from this software without
27  *    prior written permission. For written permission, please contact
28  *    openssl-core@openssl.org.
29  *
30  * 5. Products derived from this software may not be called "OpenSSL"
31  *    nor may "OpenSSL" appear in their names without prior written
32  *    permission of the OpenSSL Project.
33  *
34  * 6. Redistributions of any form whatsoever must retain the following
35  *    acknowledgment:
36  *    "This product includes software developed by the OpenSSL Project
37  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
38  *
39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50  * OF THE POSSIBILITY OF SUCH DAMAGE.
51  * ====================================================================
52  *
53  * This product includes cryptographic software written by Eric Young
54  * (eay@cryptsoft.com).  This product includes software written by Tim
55  * Hudson (tjh@cryptsoft.com).
56  *
57  */
58 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
59  * All rights reserved.
60  *
61  * This package is an SSL implementation written
62  * by Eric Young (eay@cryptsoft.com).
63  * The implementation was written so as to conform with Netscapes SSL.
64  *
65  * This library is free for commercial and non-commercial use as long as
66  * the following conditions are aheared to.  The following conditions
67  * apply to all code found in this distribution, be it the RC4, RSA,
68  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
69  * included with this distribution is covered by the same copyright terms
70  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
71  *
72  * Copyright remains Eric Young's, and as such any Copyright notices in
73  * the code are not to be removed.
74  * If this package is used in a product, Eric Young should be given attribution
75  * as the author of the parts of the library used.
76  * This can be in the form of a textual message at program startup or
77  * in documentation (online or textual) provided with the package.
78  *
79  * Redistribution and use in source and binary forms, with or without
80  * modification, are permitted provided that the following conditions
81  * are met:
82  * 1. Redistributions of source code must retain the copyright
83  *    notice, this list of conditions and the following disclaimer.
84  * 2. Redistributions in binary form must reproduce the above copyright
85  *    notice, this list of conditions and the following disclaimer in the
86  *    documentation and/or other materials provided with the distribution.
87  * 3. All advertising materials mentioning features or use of this software
88  *    must display the following acknowledgement:
89  *    "This product includes cryptographic software written by
90  *     Eric Young (eay@cryptsoft.com)"
91  *    The word 'cryptographic' can be left out if the rouines from the library
92  *    being used are not cryptographic related :-).
93  * 4. If you include any Windows specific code (or a derivative thereof) from
94  *    the apps directory (application code) you must include an acknowledgement:
95  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
96  *
97  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
98  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
99  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
100  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
101  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
102  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
103  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
104  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
105  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
106  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
107  * SUCH DAMAGE.
108  *
109  * The licence and distribution terms for any publically available version or
110  * derivative of this code cannot be changed.  i.e. this code cannot simply be
111  * copied and put under another distribution licence
112  * [including the GNU Public Licence.] */
113 
114 #include <openssl/ssl.h>
115 
116 #include <assert.h>
117 #include <limits.h>
118 #include <string.h>
119 
120 #include <openssl/buf.h>
121 #include <openssl/err.h>
122 #include <openssl/evp.h>
123 #include <openssl/mem.h>
124 #include <openssl/rand.h>
125 
126 #include "../crypto/internal.h"
127 #include "internal.h"
128 
129 
130 namespace bssl {
131 
132 // TODO(davidben): 28 comes from the size of IP + UDP header. Is this reasonable
133 // for these values? Notably, why is kMinMTU a function of the transport
134 // protocol's overhead rather than, say, what's needed to hold a minimally-sized
135 // handshake fragment plus protocol overhead.
136 
137 // kMinMTU is the minimum acceptable MTU value.
138 static const unsigned int kMinMTU = 256 - 28;
139 
140 // kDefaultMTU is the default MTU value to use if neither the user nor
141 // the underlying BIO supplies one.
142 static const unsigned int kDefaultMTU = 1500 - 28;
143 
144 
145 // Receiving handshake messages.
146 
~hm_fragment()147 hm_fragment::~hm_fragment() {
148   OPENSSL_free(data);
149   OPENSSL_free(reassembly);
150 }
151 
dtls1_hm_fragment_new(const struct hm_header_st * msg_hdr)152 static UniquePtr<hm_fragment> dtls1_hm_fragment_new(
153     const struct hm_header_st *msg_hdr) {
154   ScopedCBB cbb;
155   UniquePtr<hm_fragment> frag = MakeUnique<hm_fragment>();
156   if (!frag) {
157     return nullptr;
158   }
159   frag->type = msg_hdr->type;
160   frag->seq = msg_hdr->seq;
161   frag->msg_len = msg_hdr->msg_len;
162 
163   // Allocate space for the reassembled message and fill in the header.
164   frag->data =
165       (uint8_t *)OPENSSL_malloc(DTLS1_HM_HEADER_LENGTH + msg_hdr->msg_len);
166   if (frag->data == NULL) {
167     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
168     return nullptr;
169   }
170 
171   if (!CBB_init_fixed(cbb.get(), frag->data, DTLS1_HM_HEADER_LENGTH) ||
172       !CBB_add_u8(cbb.get(), msg_hdr->type) ||
173       !CBB_add_u24(cbb.get(), msg_hdr->msg_len) ||
174       !CBB_add_u16(cbb.get(), msg_hdr->seq) ||
175       !CBB_add_u24(cbb.get(), 0 /* frag_off */) ||
176       !CBB_add_u24(cbb.get(), msg_hdr->msg_len) ||
177       !CBB_finish(cbb.get(), NULL, NULL)) {
178     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
179     return nullptr;
180   }
181 
182   // If the handshake message is empty, |frag->reassembly| is NULL.
183   if (msg_hdr->msg_len > 0) {
184     // Initialize reassembly bitmask.
185     if (msg_hdr->msg_len + 7 < msg_hdr->msg_len) {
186       OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
187       return nullptr;
188     }
189     size_t bitmask_len = (msg_hdr->msg_len + 7) / 8;
190     frag->reassembly = (uint8_t *)OPENSSL_malloc(bitmask_len);
191     if (frag->reassembly == NULL) {
192       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
193       return nullptr;
194     }
195     OPENSSL_memset(frag->reassembly, 0, bitmask_len);
196   }
197 
198   return frag;
199 }
200 
201 // bit_range returns a |uint8_t| with bits |start|, inclusive, to |end|,
202 // exclusive, set.
bit_range(size_t start,size_t end)203 static uint8_t bit_range(size_t start, size_t end) {
204   return (uint8_t)(~((1u << start) - 1) & ((1u << end) - 1));
205 }
206 
207 // dtls1_hm_fragment_mark marks bytes |start|, inclusive, to |end|, exclusive,
208 // as received in |frag|. If |frag| becomes complete, it clears
209 // |frag->reassembly|. The range must be within the bounds of |frag|'s message
210 // and |frag->reassembly| must not be NULL.
dtls1_hm_fragment_mark(hm_fragment * frag,size_t start,size_t end)211 static void dtls1_hm_fragment_mark(hm_fragment *frag, size_t start,
212                                    size_t end) {
213   size_t msg_len = frag->msg_len;
214 
215   if (frag->reassembly == NULL || start > end || end > msg_len) {
216     assert(0);
217     return;
218   }
219   // A zero-length message will never have a pending reassembly.
220   assert(msg_len > 0);
221 
222   if (start == end) {
223     return;
224   }
225 
226   if ((start >> 3) == (end >> 3)) {
227     frag->reassembly[start >> 3] |= bit_range(start & 7, end & 7);
228   } else {
229     frag->reassembly[start >> 3] |= bit_range(start & 7, 8);
230     for (size_t i = (start >> 3) + 1; i < (end >> 3); i++) {
231       frag->reassembly[i] = 0xff;
232     }
233     if ((end & 7) != 0) {
234       frag->reassembly[end >> 3] |= bit_range(0, end & 7);
235     }
236   }
237 
238   // Check if the fragment is complete.
239   for (size_t i = 0; i < (msg_len >> 3); i++) {
240     if (frag->reassembly[i] != 0xff) {
241       return;
242     }
243   }
244   if ((msg_len & 7) != 0 &&
245       frag->reassembly[msg_len >> 3] != bit_range(0, msg_len & 7)) {
246     return;
247   }
248 
249   OPENSSL_free(frag->reassembly);
250   frag->reassembly = NULL;
251 }
252 
253 // dtls1_is_current_message_complete returns whether the current handshake
254 // message is complete.
dtls1_is_current_message_complete(const SSL * ssl)255 static bool dtls1_is_current_message_complete(const SSL *ssl) {
256   size_t idx = ssl->d1->handshake_read_seq % SSL_MAX_HANDSHAKE_FLIGHT;
257   hm_fragment *frag = ssl->d1->incoming_messages[idx].get();
258   return frag != NULL && frag->reassembly == NULL;
259 }
260 
261 // dtls1_get_incoming_message returns the incoming message corresponding to
262 // |msg_hdr|. If none exists, it creates a new one and inserts it in the
263 // queue. Otherwise, it checks |msg_hdr| is consistent with the existing one. It
264 // returns NULL on failure. The caller does not take ownership of the result.
dtls1_get_incoming_message(SSL * ssl,uint8_t * out_alert,const struct hm_header_st * msg_hdr)265 static hm_fragment *dtls1_get_incoming_message(
266     SSL *ssl, uint8_t *out_alert, const struct hm_header_st *msg_hdr) {
267   if (msg_hdr->seq < ssl->d1->handshake_read_seq ||
268       msg_hdr->seq - ssl->d1->handshake_read_seq >= SSL_MAX_HANDSHAKE_FLIGHT) {
269     *out_alert = SSL_AD_INTERNAL_ERROR;
270     return NULL;
271   }
272 
273   size_t idx = msg_hdr->seq % SSL_MAX_HANDSHAKE_FLIGHT;
274   hm_fragment *frag = ssl->d1->incoming_messages[idx].get();
275   if (frag != NULL) {
276     assert(frag->seq == msg_hdr->seq);
277     // The new fragment must be compatible with the previous fragments from this
278     // message.
279     if (frag->type != msg_hdr->type ||
280         frag->msg_len != msg_hdr->msg_len) {
281       OPENSSL_PUT_ERROR(SSL, SSL_R_FRAGMENT_MISMATCH);
282       *out_alert = SSL_AD_ILLEGAL_PARAMETER;
283       return NULL;
284     }
285     return frag;
286   }
287 
288   // This is the first fragment from this message.
289   ssl->d1->incoming_messages[idx] = dtls1_hm_fragment_new(msg_hdr);
290   if (!ssl->d1->incoming_messages[idx]) {
291     *out_alert = SSL_AD_INTERNAL_ERROR;
292     return NULL;
293   }
294   return ssl->d1->incoming_messages[idx].get();
295 }
296 
dtls1_open_handshake(SSL * ssl,size_t * out_consumed,uint8_t * out_alert,Span<uint8_t> in)297 ssl_open_record_t dtls1_open_handshake(SSL *ssl, size_t *out_consumed,
298                                        uint8_t *out_alert, Span<uint8_t> in) {
299   uint8_t type;
300   Span<uint8_t> record;
301   auto ret = dtls_open_record(ssl, &type, &record, out_consumed, out_alert, in);
302   if (ret != ssl_open_record_success) {
303     return ret;
304   }
305 
306   switch (type) {
307     case SSL3_RT_APPLICATION_DATA:
308       // Unencrypted application data records are always illegal.
309       if (ssl->s3->aead_read_ctx->is_null_cipher()) {
310         OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
311         *out_alert = SSL_AD_UNEXPECTED_MESSAGE;
312         return ssl_open_record_error;
313       }
314 
315       // Out-of-order application data may be received between ChangeCipherSpec
316       // and finished. Discard it.
317       return ssl_open_record_discard;
318 
319     case SSL3_RT_CHANGE_CIPHER_SPEC:
320       // We do not support renegotiation, so encrypted ChangeCipherSpec records
321       // are illegal.
322       if (!ssl->s3->aead_read_ctx->is_null_cipher()) {
323         OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
324         *out_alert = SSL_AD_UNEXPECTED_MESSAGE;
325         return ssl_open_record_error;
326       }
327 
328       if (record.size() != 1u || record[0] != SSL3_MT_CCS) {
329         OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_CHANGE_CIPHER_SPEC);
330         *out_alert = SSL_AD_ILLEGAL_PARAMETER;
331         return ssl_open_record_error;
332       }
333 
334       // Flag the ChangeCipherSpec for later.
335       ssl->d1->has_change_cipher_spec = true;
336       ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_CHANGE_CIPHER_SPEC,
337                           record);
338       return ssl_open_record_success;
339 
340     case SSL3_RT_HANDSHAKE:
341       // Break out to main processing.
342       break;
343 
344     default:
345       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
346       *out_alert = SSL_AD_UNEXPECTED_MESSAGE;
347       return ssl_open_record_error;
348   }
349 
350   CBS cbs;
351   CBS_init(&cbs, record.data(), record.size());
352   while (CBS_len(&cbs) > 0) {
353     // Read a handshake fragment.
354     struct hm_header_st msg_hdr;
355     CBS body;
356     if (!dtls1_parse_fragment(&cbs, &msg_hdr, &body)) {
357       OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_HANDSHAKE_RECORD);
358       *out_alert = SSL_AD_DECODE_ERROR;
359       return ssl_open_record_error;
360     }
361 
362     const size_t frag_off = msg_hdr.frag_off;
363     const size_t frag_len = msg_hdr.frag_len;
364     const size_t msg_len = msg_hdr.msg_len;
365     if (frag_off > msg_len || frag_off + frag_len < frag_off ||
366         frag_off + frag_len > msg_len ||
367         msg_len > ssl_max_handshake_message_len(ssl)) {
368       OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);
369       *out_alert = SSL_AD_ILLEGAL_PARAMETER;
370       return ssl_open_record_error;
371     }
372 
373     // The encrypted epoch in DTLS has only one handshake message.
374     if (ssl->d1->r_epoch == 1 && msg_hdr.seq != ssl->d1->handshake_read_seq) {
375       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
376       *out_alert = SSL_AD_UNEXPECTED_MESSAGE;
377       return ssl_open_record_error;
378     }
379 
380     if (msg_hdr.seq < ssl->d1->handshake_read_seq ||
381         msg_hdr.seq >
382             (unsigned)ssl->d1->handshake_read_seq + SSL_MAX_HANDSHAKE_FLIGHT) {
383       // Ignore fragments from the past, or ones too far in the future.
384       continue;
385     }
386 
387     hm_fragment *frag = dtls1_get_incoming_message(ssl, out_alert, &msg_hdr);
388     if (frag == NULL) {
389       return ssl_open_record_error;
390     }
391     assert(frag->msg_len == msg_len);
392 
393     if (frag->reassembly == NULL) {
394       // The message is already assembled.
395       continue;
396     }
397     assert(msg_len > 0);
398 
399     // Copy the body into the fragment.
400     OPENSSL_memcpy(frag->data + DTLS1_HM_HEADER_LENGTH + frag_off,
401                    CBS_data(&body), CBS_len(&body));
402     dtls1_hm_fragment_mark(frag, frag_off, frag_off + frag_len);
403   }
404 
405   return ssl_open_record_success;
406 }
407 
dtls1_get_message(SSL * ssl,SSLMessage * out)408 bool dtls1_get_message(SSL *ssl, SSLMessage *out) {
409   if (!dtls1_is_current_message_complete(ssl)) {
410     return false;
411   }
412 
413   size_t idx = ssl->d1->handshake_read_seq % SSL_MAX_HANDSHAKE_FLIGHT;
414   hm_fragment *frag = ssl->d1->incoming_messages[idx].get();
415   out->type = frag->type;
416   CBS_init(&out->body, frag->data + DTLS1_HM_HEADER_LENGTH, frag->msg_len);
417   CBS_init(&out->raw, frag->data, DTLS1_HM_HEADER_LENGTH + frag->msg_len);
418   out->is_v2_hello = false;
419   if (!ssl->s3->has_message) {
420     ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HANDSHAKE, out->raw);
421     ssl->s3->has_message = true;
422   }
423   return true;
424 }
425 
dtls1_next_message(SSL * ssl)426 void dtls1_next_message(SSL *ssl) {
427   assert(ssl->s3->has_message);
428   assert(dtls1_is_current_message_complete(ssl));
429   size_t index = ssl->d1->handshake_read_seq % SSL_MAX_HANDSHAKE_FLIGHT;
430   ssl->d1->incoming_messages[index].reset();
431   ssl->d1->handshake_read_seq++;
432   ssl->s3->has_message = false;
433   // If we previously sent a flight, mark it as having a reply, so
434   // |on_handshake_complete| can manage post-handshake retransmission.
435   if (ssl->d1->outgoing_messages_complete) {
436     ssl->d1->flight_has_reply = true;
437   }
438 }
439 
dtls_has_unprocessed_handshake_data(const SSL * ssl)440 bool dtls_has_unprocessed_handshake_data(const SSL *ssl) {
441   if (ssl->d1->has_change_cipher_spec) {
442     return true;
443   }
444 
445   size_t current = ssl->d1->handshake_read_seq % SSL_MAX_HANDSHAKE_FLIGHT;
446   for (size_t i = 0; i < SSL_MAX_HANDSHAKE_FLIGHT; i++) {
447     // Skip the current message.
448     if (ssl->s3->has_message && i == current) {
449       assert(dtls1_is_current_message_complete(ssl));
450       continue;
451     }
452     if (ssl->d1->incoming_messages[i] != nullptr) {
453       return true;
454     }
455   }
456   return false;
457 }
458 
dtls1_parse_fragment(CBS * cbs,struct hm_header_st * out_hdr,CBS * out_body)459 bool dtls1_parse_fragment(CBS *cbs, struct hm_header_st *out_hdr,
460                           CBS *out_body) {
461   OPENSSL_memset(out_hdr, 0x00, sizeof(struct hm_header_st));
462 
463   if (!CBS_get_u8(cbs, &out_hdr->type) ||
464       !CBS_get_u24(cbs, &out_hdr->msg_len) ||
465       !CBS_get_u16(cbs, &out_hdr->seq) ||
466       !CBS_get_u24(cbs, &out_hdr->frag_off) ||
467       !CBS_get_u24(cbs, &out_hdr->frag_len) ||
468       !CBS_get_bytes(cbs, out_body, out_hdr->frag_len)) {
469     return false;
470   }
471 
472   return true;
473 }
474 
dtls1_open_change_cipher_spec(SSL * ssl,size_t * out_consumed,uint8_t * out_alert,Span<uint8_t> in)475 ssl_open_record_t dtls1_open_change_cipher_spec(SSL *ssl, size_t *out_consumed,
476                                                 uint8_t *out_alert,
477                                                 Span<uint8_t> in) {
478   if (!ssl->d1->has_change_cipher_spec) {
479     // dtls1_open_handshake processes both handshake and ChangeCipherSpec.
480     auto ret = dtls1_open_handshake(ssl, out_consumed, out_alert, in);
481     if (ret != ssl_open_record_success) {
482       return ret;
483     }
484   }
485   if (ssl->d1->has_change_cipher_spec) {
486     ssl->d1->has_change_cipher_spec = false;
487     return ssl_open_record_success;
488   }
489   return ssl_open_record_discard;
490 }
491 
492 
493 // Sending handshake messages.
494 
Clear()495 void DTLS_OUTGOING_MESSAGE::Clear() {
496   OPENSSL_free(data);
497   data = nullptr;
498 }
499 
dtls_clear_outgoing_messages(SSL * ssl)500 void dtls_clear_outgoing_messages(SSL *ssl) {
501   for (size_t i = 0; i < ssl->d1->outgoing_messages_len; i++) {
502     ssl->d1->outgoing_messages[i].Clear();
503   }
504   ssl->d1->outgoing_messages_len = 0;
505   ssl->d1->outgoing_written = 0;
506   ssl->d1->outgoing_offset = 0;
507   ssl->d1->outgoing_messages_complete = false;
508   ssl->d1->flight_has_reply = false;
509 }
510 
dtls1_init_message(SSL * ssl,CBB * cbb,CBB * body,uint8_t type)511 bool dtls1_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type) {
512   // Pick a modest size hint to save most of the |realloc| calls.
513   if (!CBB_init(cbb, 64) ||
514       !CBB_add_u8(cbb, type) ||
515       !CBB_add_u24(cbb, 0 /* length (filled in later) */) ||
516       !CBB_add_u16(cbb, ssl->d1->handshake_write_seq) ||
517       !CBB_add_u24(cbb, 0 /* offset */) ||
518       !CBB_add_u24_length_prefixed(cbb, body)) {
519     return false;
520   }
521 
522   return true;
523 }
524 
dtls1_finish_message(SSL * ssl,CBB * cbb,Array<uint8_t> * out_msg)525 bool dtls1_finish_message(SSL *ssl, CBB *cbb, Array<uint8_t> *out_msg) {
526   if (!CBBFinishArray(cbb, out_msg) ||
527       out_msg->size() < DTLS1_HM_HEADER_LENGTH) {
528     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
529     return false;
530   }
531 
532   // Fix up the header. Copy the fragment length into the total message
533   // length.
534   OPENSSL_memcpy(out_msg->data() + 1,
535                  out_msg->data() + DTLS1_HM_HEADER_LENGTH - 3, 3);
536   return true;
537 }
538 
539 // add_outgoing adds a new handshake message or ChangeCipherSpec to the current
540 // outgoing flight. It returns true on success and false on error.
add_outgoing(SSL * ssl,bool is_ccs,Array<uint8_t> data)541 static bool add_outgoing(SSL *ssl, bool is_ccs, Array<uint8_t> data) {
542   if (ssl->d1->outgoing_messages_complete) {
543     // If we've begun writing a new flight, we received the peer flight. Discard
544     // the timer and the our flight.
545     dtls1_stop_timer(ssl);
546     dtls_clear_outgoing_messages(ssl);
547   }
548 
549   static_assert(SSL_MAX_HANDSHAKE_FLIGHT <
550                     (1 << 8 * sizeof(ssl->d1->outgoing_messages_len)),
551                 "outgoing_messages_len is too small");
552   if (ssl->d1->outgoing_messages_len >= SSL_MAX_HANDSHAKE_FLIGHT ||
553       data.size() > 0xffffffff) {
554     assert(false);
555     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
556     return false;
557   }
558 
559   if (!is_ccs) {
560     // TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript
561     // on hs.
562     if (ssl->s3->hs != NULL &&
563         !ssl->s3->hs->transcript.Update(data)) {
564       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
565       return false;
566     }
567     ssl->d1->handshake_write_seq++;
568   }
569 
570   DTLS_OUTGOING_MESSAGE *msg =
571       &ssl->d1->outgoing_messages[ssl->d1->outgoing_messages_len];
572   size_t len;
573   data.Release(&msg->data, &len);
574   msg->len = len;
575   msg->epoch = ssl->d1->w_epoch;
576   msg->is_ccs = is_ccs;
577 
578   ssl->d1->outgoing_messages_len++;
579   return true;
580 }
581 
dtls1_add_message(SSL * ssl,Array<uint8_t> data)582 bool dtls1_add_message(SSL *ssl, Array<uint8_t> data) {
583   return add_outgoing(ssl, false /* handshake */, std::move(data));
584 }
585 
dtls1_add_change_cipher_spec(SSL * ssl)586 bool dtls1_add_change_cipher_spec(SSL *ssl) {
587   return add_outgoing(ssl, true /* ChangeCipherSpec */, Array<uint8_t>());
588 }
589 
dtls1_add_alert(SSL * ssl,uint8_t level,uint8_t desc)590 bool dtls1_add_alert(SSL *ssl, uint8_t level, uint8_t desc) {
591   // The |add_alert| path is only used for warning alerts for now, which DTLS
592   // never sends. This will be implemented later once closure alerts are
593   // converted.
594   assert(false);
595   OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
596   return false;
597 }
598 
599 // dtls1_update_mtu updates the current MTU from the BIO, ensuring it is above
600 // the minimum.
dtls1_update_mtu(SSL * ssl)601 static void dtls1_update_mtu(SSL *ssl) {
602   // TODO(davidben): No consumer implements |BIO_CTRL_DGRAM_SET_MTU| and the
603   // only |BIO_CTRL_DGRAM_QUERY_MTU| implementation could use
604   // |SSL_set_mtu|. Does this need to be so complex?
605   if (ssl->d1->mtu < dtls1_min_mtu() &&
606       !(SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) {
607     long mtu = BIO_ctrl(ssl->wbio, BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
608     if (mtu >= 0 && mtu <= (1 << 30) && (unsigned)mtu >= dtls1_min_mtu()) {
609       ssl->d1->mtu = (unsigned)mtu;
610     } else {
611       ssl->d1->mtu = kDefaultMTU;
612       BIO_ctrl(ssl->wbio, BIO_CTRL_DGRAM_SET_MTU, ssl->d1->mtu, NULL);
613     }
614   }
615 
616   // The MTU should be above the minimum now.
617   assert(ssl->d1->mtu >= dtls1_min_mtu());
618 }
619 
620 enum seal_result_t {
621   seal_error,
622   seal_no_progress,
623   seal_partial,
624   seal_success,
625 };
626 
627 // seal_next_message seals |msg|, which must be the next message, to |out|. If
628 // progress was made, it returns |seal_partial| or |seal_success| and sets
629 // |*out_len| to the number of bytes written.
seal_next_message(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out,const DTLS_OUTGOING_MESSAGE * msg)630 static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out,
631                                             size_t *out_len, size_t max_out,
632                                             const DTLS_OUTGOING_MESSAGE *msg) {
633   assert(ssl->d1->outgoing_written < ssl->d1->outgoing_messages_len);
634   assert(msg == &ssl->d1->outgoing_messages[ssl->d1->outgoing_written]);
635 
636   enum dtls1_use_epoch_t use_epoch = dtls1_use_current_epoch;
637   if (ssl->d1->w_epoch >= 1 && msg->epoch == ssl->d1->w_epoch - 1) {
638     use_epoch = dtls1_use_previous_epoch;
639   } else if (msg->epoch != ssl->d1->w_epoch) {
640     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
641     return seal_error;
642   }
643 
644   size_t overhead = dtls_max_seal_overhead(ssl, use_epoch);
645   size_t prefix = dtls_seal_prefix_len(ssl, use_epoch);
646 
647   if (msg->is_ccs) {
648     // Check there is room for the ChangeCipherSpec.
649     static const uint8_t kChangeCipherSpec[1] = {SSL3_MT_CCS};
650     if (max_out < sizeof(kChangeCipherSpec) + overhead) {
651       return seal_no_progress;
652     }
653 
654     if (!dtls_seal_record(ssl, out, out_len, max_out,
655                           SSL3_RT_CHANGE_CIPHER_SPEC, kChangeCipherSpec,
656                           sizeof(kChangeCipherSpec), use_epoch)) {
657       return seal_error;
658     }
659 
660     ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_CHANGE_CIPHER_SPEC,
661                         kChangeCipherSpec);
662     return seal_success;
663   }
664 
665   // DTLS messages are serialized as a single fragment in |msg|.
666   CBS cbs, body;
667   struct hm_header_st hdr;
668   CBS_init(&cbs, msg->data, msg->len);
669   if (!dtls1_parse_fragment(&cbs, &hdr, &body) ||
670       hdr.frag_off != 0 ||
671       hdr.frag_len != CBS_len(&body) ||
672       hdr.msg_len != CBS_len(&body) ||
673       !CBS_skip(&body, ssl->d1->outgoing_offset) ||
674       CBS_len(&cbs) != 0) {
675     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
676     return seal_error;
677   }
678 
679   // Determine how much progress can be made.
680   if (max_out < DTLS1_HM_HEADER_LENGTH + 1 + overhead || max_out < prefix) {
681     return seal_no_progress;
682   }
683   size_t todo = CBS_len(&body);
684   if (todo > max_out - DTLS1_HM_HEADER_LENGTH - overhead) {
685     todo = max_out - DTLS1_HM_HEADER_LENGTH - overhead;
686   }
687 
688   // Assemble a fragment, to be sealed in-place.
689   ScopedCBB cbb;
690   uint8_t *frag = out + prefix;
691   size_t max_frag = max_out - prefix, frag_len;
692   if (!CBB_init_fixed(cbb.get(), frag, max_frag) ||
693       !CBB_add_u8(cbb.get(), hdr.type) ||
694       !CBB_add_u24(cbb.get(), hdr.msg_len) ||
695       !CBB_add_u16(cbb.get(), hdr.seq) ||
696       !CBB_add_u24(cbb.get(), ssl->d1->outgoing_offset) ||
697       !CBB_add_u24(cbb.get(), todo) ||
698       !CBB_add_bytes(cbb.get(), CBS_data(&body), todo) ||
699       !CBB_finish(cbb.get(), NULL, &frag_len)) {
700     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
701     return seal_error;
702   }
703 
704   ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HANDSHAKE,
705                       MakeSpan(frag, frag_len));
706 
707   if (!dtls_seal_record(ssl, out, out_len, max_out, SSL3_RT_HANDSHAKE,
708                         out + prefix, frag_len, use_epoch)) {
709     return seal_error;
710   }
711 
712   if (todo == CBS_len(&body)) {
713     // The next message is complete.
714     ssl->d1->outgoing_offset = 0;
715     return seal_success;
716   }
717 
718   ssl->d1->outgoing_offset += todo;
719   return seal_partial;
720 }
721 
722 // seal_next_packet writes as much of the next flight as possible to |out| and
723 // advances |ssl->d1->outgoing_written| and |ssl->d1->outgoing_offset| as
724 // appropriate.
seal_next_packet(SSL * ssl,uint8_t * out,size_t * out_len,size_t max_out)725 static bool seal_next_packet(SSL *ssl, uint8_t *out, size_t *out_len,
726                              size_t max_out) {
727   bool made_progress = false;
728   size_t total = 0;
729   assert(ssl->d1->outgoing_written < ssl->d1->outgoing_messages_len);
730   for (; ssl->d1->outgoing_written < ssl->d1->outgoing_messages_len;
731        ssl->d1->outgoing_written++) {
732     const DTLS_OUTGOING_MESSAGE *msg =
733         &ssl->d1->outgoing_messages[ssl->d1->outgoing_written];
734     size_t len;
735     enum seal_result_t ret = seal_next_message(ssl, out, &len, max_out, msg);
736     switch (ret) {
737       case seal_error:
738         return false;
739 
740       case seal_no_progress:
741         goto packet_full;
742 
743       case seal_partial:
744       case seal_success:
745         out += len;
746         max_out -= len;
747         total += len;
748         made_progress = true;
749 
750         if (ret == seal_partial) {
751           goto packet_full;
752         }
753         break;
754     }
755   }
756 
757 packet_full:
758   // The MTU was too small to make any progress.
759   if (!made_progress) {
760     OPENSSL_PUT_ERROR(SSL, SSL_R_MTU_TOO_SMALL);
761     return false;
762   }
763 
764   *out_len = total;
765   return true;
766 }
767 
send_flight(SSL * ssl)768 static int send_flight(SSL *ssl) {
769   if (ssl->s3->write_shutdown != ssl_shutdown_none) {
770     OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
771     return -1;
772   }
773 
774   dtls1_update_mtu(ssl);
775 
776   int ret = -1;
777   uint8_t *packet = (uint8_t *)OPENSSL_malloc(ssl->d1->mtu);
778   if (packet == NULL) {
779     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
780     goto err;
781   }
782 
783   while (ssl->d1->outgoing_written < ssl->d1->outgoing_messages_len) {
784     uint8_t old_written = ssl->d1->outgoing_written;
785     uint32_t old_offset = ssl->d1->outgoing_offset;
786 
787     size_t packet_len;
788     if (!seal_next_packet(ssl, packet, &packet_len, ssl->d1->mtu)) {
789       goto err;
790     }
791 
792     int bio_ret = BIO_write(ssl->wbio, packet, packet_len);
793     if (bio_ret <= 0) {
794       // Retry this packet the next time around.
795       ssl->d1->outgoing_written = old_written;
796       ssl->d1->outgoing_offset = old_offset;
797       ssl->s3->rwstate = SSL_WRITING;
798       ret = bio_ret;
799       goto err;
800     }
801   }
802 
803   if (BIO_flush(ssl->wbio) <= 0) {
804     ssl->s3->rwstate = SSL_WRITING;
805     goto err;
806   }
807 
808   ret = 1;
809 
810 err:
811   OPENSSL_free(packet);
812   return ret;
813 }
814 
dtls1_flush_flight(SSL * ssl)815 int dtls1_flush_flight(SSL *ssl) {
816   ssl->d1->outgoing_messages_complete = true;
817   // Start the retransmission timer for the next flight (if any).
818   dtls1_start_timer(ssl);
819   return send_flight(ssl);
820 }
821 
dtls1_retransmit_outgoing_messages(SSL * ssl)822 int dtls1_retransmit_outgoing_messages(SSL *ssl) {
823   // Rewind to the start of the flight and write it again.
824   //
825   // TODO(davidben): This does not allow retransmits to be resumed on
826   // non-blocking write.
827   ssl->d1->outgoing_written = 0;
828   ssl->d1->outgoing_offset = 0;
829 
830   return send_flight(ssl);
831 }
832 
dtls1_min_mtu(void)833 unsigned int dtls1_min_mtu(void) {
834   return kMinMTU;
835 }
836 
837 }  // namespace bssl
838