/* $OpenBSD: d1_both.c,v 1.51 2017/05/07 04:22:24 beck Exp $ */

/*

 * DTLS implementation written by Nagendra Modadugu

 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.

 */

/* ====================================================================

 * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.

 *

 * Redistribution and use in source and binary forms, with or without

 * modification, are permitted provided that the following conditions

 * are met:

 *

 * 1. Redistributions of source code must retain the above copyright

 *    notice, this list of conditions and the following disclaimer.

 *

 * 2. Redistributions in binary form must reproduce the above copyright

 *    notice, this list of conditions and the following disclaimer in

 *    the documentation and/or other materials provided with the

 *    distribution.

 *

 * 3. All advertising materials mentioning features or use of this

 *    software must display the following acknowledgment:

 *    "This product includes software developed by the OpenSSL Project

 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

 *

 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

 *    endorse or promote products derived from this software without

 *    prior written permission. For written permission, please contact

 *    openssl-core@openssl.org.

 *

 * 5. Products derived from this software may not be called "OpenSSL"

 *    nor may "OpenSSL" appear in their names without prior written

 *    permission of the OpenSSL Project.

 *

 * 6. Redistributions of any form whatsoever must retain the following

 *    acknowledgment:

 *    "This product includes software developed by the OpenSSL Project

 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

 *

 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

 * OF THE POSSIBILITY OF SUCH DAMAGE.

 * ====================================================================

 *

 * This product includes cryptographic software written by Eric Young

 * (eay@cryptsoft.com).  This product includes software written by Tim

 * Hudson (tjh@cryptsoft.com).

 *

 */

/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

 * All rights reserved.

 *

 * This package is an SSL implementation written

 * by Eric Young (eay@cryptsoft.com).

 * The implementation was written so as to conform with Netscapes SSL.

 *

 * This library is free for commercial and non-commercial use as long as

 * the following conditions are aheared to.  The following conditions

 * apply to all code found in this distribution, be it the RC4, RSA,

 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

 * included with this distribution is covered by the same copyright terms

 * except that the holder is Tim Hudson (tjh@cryptsoft.com).

 *

 * Copyright remains Eric Young's, and as such any Copyright notices in

 * the code are not to be removed.

 * If this package is used in a product, Eric Young should be given attribution

 * as the author of the parts of the library used.

 * This can be in the form of a textual message at program startup or

 * in documentation (online or textual) provided with the package.

 *

 * Redistribution and use in source and binary forms, with or without

 * modification, are permitted provided that the following conditions

 * are met:

 * 1. Redistributions of source code must retain the copyright

 *    notice, this list of conditions and the following disclaimer.

 * 2. Redistributions in binary form must reproduce the above copyright

 *    notice, this list of conditions and the following disclaimer in the

 *    documentation and/or other materials provided with the distribution.

 * 3. All advertising materials mentioning features or use of this software

 *    must display the following acknowledgement:

 *    "This product includes cryptographic software written by

 *     Eric Young (eay@cryptsoft.com)"

 *    The word 'cryptographic' can be left out if the rouines from the library

 *    being used are not cryptographic related :-).

 * 4. If you include any Windows specific code (or a derivative thereof) from

 *    the apps directory (application code) you must include an acknowledgement:

 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

 *

 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

 * SUCH DAMAGE.

 *

 * The licence and distribution terms for any publically available version or

 * derivative of this code cannot be changed.  i.e. this code cannot simply be

 * copied and put under another distribution licence

 * [including the GNU Public Licence.]

 */

#include <limits.h>

#include <stdio.h>

#include <string.h>

#include "ssl_locl.h"

#include <openssl/buffer.h>

#include <openssl/evp.h>

#include <openssl/objects.h>

#include <openssl/x509.h>

#include "pqueue.h"

#include "bytestring.h"

#define RSMBLY_BITMASK_SIZE(msg_len) (((msg_len) + 7) / 8)

#define RSMBLY_BITMASK_MARK(bitmask, start, end) { \

			if ((end) - (start) <= 8) { \

				long ii; \

				for (ii = (start); ii < (end); ii++) bitmask[((ii) >> 3)] |= (1 << ((ii) & 7)); \

			} else { \

				long ii; \

				bitmask[((start) >> 3)] |= bitmask_start_values[((start) & 7)]; \

				for (ii = (((start) >> 3) + 1); ii < ((((end) - 1)) >> 3); ii++) bitmask[ii] = 0xff; \

				bitmask[(((end) - 1) >> 3)] |= bitmask_end_values[((end) & 7)]; \

			} }

#define RSMBLY_BITMASK_IS_COMPLETE(bitmask, msg_len, is_complete) { \

			long ii; \

			OPENSSL_assert((msg_len) > 0); \

			is_complete = 1; \

			if (bitmask[(((msg_len) - 1) >> 3)] != bitmask_end_values[((msg_len) & 7)]) is_complete = 0; \

			if (is_complete) for (ii = (((msg_len) - 1) >> 3) - 1; ii >= 0 ; ii--) \

				if (bitmask[ii] != 0xff) { is_complete = 0; break; } }

static unsigned char bitmask_start_values[] = {

	0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80

};

static unsigned char bitmask_end_values[] = {

	0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f

};

/* XDTLS:  figure out the right values */

static unsigned int g_probable_mtu[] = {1500 - 28, 512 - 28, 256 - 28};

static unsigned int dtls1_guess_mtu(unsigned int curr_mtu);

static void dtls1_fix_message_header(SSL *s, unsigned long frag_off,

    unsigned long frag_len);

static unsigned char *dtls1_write_message_header(SSL *s, unsigned char *p);

static void dtls1_set_message_header_int(SSL *s, unsigned char mt,

    unsigned long len, unsigned short seq_num, unsigned long frag_off,

    unsigned long frag_len);

static long dtls1_get_message_fragment(SSL *s, int st1, int stn, long max,

    int *ok);

static hm_fragment *

dtls1_hm_fragment_new(unsigned long frag_len, int reassembly)

{

	hm_fragment *frag = NULL;

	unsigned char *buf = NULL;

	unsigned char *bitmask = NULL;

		}

	}

	/* zero length fragment gets zero frag->fragment */

	/* Initialize reassembly bitmask if necessary */

		}

static void

dtls1_hm_fragment_free(hm_fragment *frag)

{

		return;

/* send s->internal->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */

int

dtls1_do_write(SSL *s, int type)

{

	int ret;

	int curr_mtu;

	unsigned int len, frag_off, mac_size, blocksize;

	/* AHA!  Figure out the MTU, and stick to the right size */

		    BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);

		/*

		 * I've seen the kernel return bogus numbers when it

		 * doesn't know the MTU (ie., the initial write), so just

		 * make sure we have a reasonable number

		 */

	}

	/* should have something reasonable now */

		    (int)D1I(s)->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH);

	else

		mac_size = 0;

	else

		blocksize = 0;

	frag_off = 0;

			/* grr.. we could get an error if MTU picked was wrong */

		else

			len = s->internal->init_num;

		/* XDTLS: this function is too long.  split out the CCS part */

				else

					len = s->internal->init_num;

			}

		}

			/*

			 * Might need to update MTU here, but we don't know

			 * which previous packet caused the failure -- so

			 * can't really retransmit anything.  continue as

			 * if everything is fine and wait for an alert to

			 * handle the retransmit

			 */

				    BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);

			else

			/*

			 * Bad if this assert fails, only part of the

			 * handshake message got sent.  but why would

			 * this happen?

			 */

				/*

				 * Should not be done for 'Hello Request's,

				 * but in that case we'll ignore the result

				 * anyway

				 */

				int xlen;

					/*

					 * Reconstruct message header is if it

					 * is being sent in single fragment

					 */

					xlen = ret;

				}

				/* done writing this message */

			}

		}

	}

/*

 * Obtain handshake message of message type 'mt' (any if mt == -1),

 * maximum acceptable body length 'max'.

 * Read an entire handshake message.  Handshake messages arrive in

 * fragments.

 */

long

dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)

{

	int i, al;

	struct hm_header_st *msg_hdr;

	unsigned char *p;

	unsigned long msg_len;

	/*

	 * s3->internal->tmp is used to store messages that are unexpected, caused

	 * by the absence of an optional handshake message

	 */

			al = SSL_AD_UNEXPECTED_MESSAGE;

			goto f_err;

		}

	}

again:

		goto again;

	/* reconstruct message header */

	/* Don't change sequence numbers while listening */

f_err:

static int

dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max)

{

	size_t frag_off, frag_len, msg_len;

	/* sanity checking */

	}

	}

	{

		/*

		 * msg_len is limited to 2^24, but is effectively checked

		 * against max above

		 */

		}

		/*

		 * They must be playing with us! BTW, failure to enforce

		 * upper limit would open possibility for buffer overrun.

		 */

	}

static int

dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)

{

	/*

	 * (0) check whether the desired fragment is available

	 * if so:

	 * (1) copy over the fragment to s->internal->init_buf->data[]

	 * (2) update s->internal->init_num

	 */

	pitem *item;

	hm_fragment *frag;

	int al;

	/* Don't return if reassembly still in progress */

		{

		}

	} else

/*

 * dtls1_max_handshake_message_len returns the maximum number of bytes

 * permitted in a DTLS handshake message for |s|. The minimum is 16KB,

 * but may be greater if the maximum certificate list size requires it.

 */

static unsigned long

dtls1_max_handshake_message_len(const SSL *s)

{

	unsigned long max_len;

	max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;

static int

dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)

{

	hm_fragment *frag = NULL;

	pitem *item = NULL;

	int i = -1, is_complete;

		goto err;

		i = DTLS1_HM_FRAGMENT_RETRY;

	}

	/* Try to find item in queue */

			goto err;

			item = NULL;

			frag = NULL;

		}

	}

	/*

	 * If message is already reassembled, this must be a

	 * retransmit and can be dropped.

	 */

			    sizeof(devnull) : frag_len, 0);

		}

		i = DTLS1_HM_FRAGMENT_RETRY;

	}

	/* read the body of the fragment (header has already been read */

		goto err;

	    (long)(msg_hdr->frag_off + frag_len));

	    is_complete);

			i = -1;

		}

err:

static int

dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)

{

	int i = -1;

	hm_fragment *frag = NULL;

	pitem *item = NULL;

		goto err;

	/* Try to find item in queue, to prevent duplicate entries */

	/*

	 * If we already have an entry and this one is a fragment,

	 * don't discard it and rather try to reassemble it.

	 */

	/*

	 * Discard the message if sequence number was already there, is

	 * too far in the future, already in the queue or if we received

	 * a FINISHED before the SERVER_HELLO, which then must be a stale

	 * retransmit.

	 */

			    sizeof(devnull) : frag_len, 0);

		}

			goto err;

			goto err;

			/* read the body of the fragment (header has already been read */

				goto err;

		}

			goto err;

	}

err:

}

static long

dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)

{

	unsigned long len, frag_off, frag_len;

	int i, al;

again:

	/* see if we have the required fragment already */

	}

	/* read handshake message header */

	    DTLS1_HM_HEADER_LENGTH, 0);

	{

	}

	/* Handshake fails if message header is incomplete */

	    /* parse the message fragment header */

		al = SSL_AD_UNEXPECTED_MESSAGE;

	}

	/*

	 * if this is a future (or stale) message it gets buffered

	 * (or dropped)--no further processing at this time

	 * While listening, we accept seq 1 (ClientHello with cookie)

	 * although we're still expecting seq 0 (ClientHello)

	 */

		/*

		 * The server may always send 'Hello Request' messages --

		 * we are doing a handshake anyway now, so ignore them

		 * if their format is correct. Does not count for

		 * 'Finished' MAC.

		 */

				    SSL3_RT_HANDSHAKE, wire,

				    DTLS1_HM_HEADER_LENGTH, s,

		}

		else /* Incorrectly formated Hello request */

		{

			al = SSL_AD_UNEXPECTED_MESSAGE;

		}

	}

		goto f_err;

	/* XDTLS:  ressurect this when restart is in place */

		/* XDTLS:  fix this--message fragments cannot span multiple packets */

		}

		i = 0;

	/*

	 * XDTLS:  an incorrectly formatted fragment should cause the

	 * handshake to fail

	 */

		al = SSL3_AD_ILLEGAL_PARAMETER;

	}

	/*

	 * Note that s->internal->init_num is *not* used as current offset in

	 * s->internal->init_buf->data, but as a counter summing up fragments'

	 * lengths: as soon as they sum up to handshake packet

	 * length, we assume we have got all the fragments.

	 */

f_err:

/*

 * for these 2 messages, we need to

 * ssl->enc_read_ctx			re-init

 * ssl->s3->internal->read_sequence		zero

 * ssl->s3->internal->read_mac_secret		re-init

 * ssl->session->read_sym_enc		assign

 * ssl->session->read_hash		assign

 */

int

dtls1_send_change_cipher_spec(SSL *s, int a, int b)

{

	unsigned char *p;

		/* buffer the message to handle re-xmits */

	/* SSL3_ST_CW_CHANGE_B */

}

int

dtls1_read_failed(SSL *s, int code)

{

#ifdef DEBUG

		fprintf(stderr, "invalid state reached %s:%d",

		    __FILE__, __LINE__);

#endif

	}

		/*

		 * not a timeout, none of our business, let higher layers

		 * handle this.  in fact it's probably an error

		 */

	}

	{

	}

int

dtls1_get_queue_priority(unsigned short seq, int is_ccs)

{

	/*

	 * The index of the retransmission queue actually is the message

	 * sequence number, since the queue only contains messages of a

	 * single handshake. However, the ChangeCipherSpec has no message

	 * sequence number and so using only the sequence will result in

	 * the CCS and Finished having the same index. To prevent this, the

	 * sequence number is multiplied by 2. In case of a CCS 1 is