GCC Code Coverage Report
Directory: ./ Exec Total Coverage
File: lib/libssl/d1_lib.c Lines: 115 188 61.2 %
Date: 2017-11-13 Branches: 43 86 50.0 %

Line Branch Exec Source
1
/* $OpenBSD: d1_lib.c,v 1.42 2017/04/10 17:27:33 jsing Exp $ */
2
/*
3
 * DTLS implementation written by Nagendra Modadugu
4
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
5
 */
6
/* ====================================================================
7
 * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
8
 *
9
 * Redistribution and use in source and binary forms, with or without
10
 * modification, are permitted provided that the following conditions
11
 * are met:
12
 *
13
 * 1. Redistributions of source code must retain the above copyright
14
 *    notice, this list of conditions and the following disclaimer.
15
 *
16
 * 2. Redistributions in binary form must reproduce the above copyright
17
 *    notice, this list of conditions and the following disclaimer in
18
 *    the documentation and/or other materials provided with the
19
 *    distribution.
20
 *
21
 * 3. All advertising materials mentioning features or use of this
22
 *    software must display the following acknowledgment:
23
 *    "This product includes software developed by the OpenSSL Project
24
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25
 *
26
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27
 *    endorse or promote products derived from this software without
28
 *    prior written permission. For written permission, please contact
29
 *    openssl-core@OpenSSL.org.
30
 *
31
 * 5. Products derived from this software may not be called "OpenSSL"
32
 *    nor may "OpenSSL" appear in their names without prior written
33
 *    permission of the OpenSSL Project.
34
 *
35
 * 6. Redistributions of any form whatsoever must retain the following
36
 *    acknowledgment:
37
 *    "This product includes software developed by the OpenSSL Project
38
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39
 *
40
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
44
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51
 * OF THE POSSIBILITY OF SUCH DAMAGE.
52
 * ====================================================================
53
 *
54
 * This product includes cryptographic software written by Eric Young
55
 * (eay@cryptsoft.com).  This product includes software written by Tim
56
 * Hudson (tjh@cryptsoft.com).
57
 *
58
 */
59
60
#include <sys/types.h>
61
#include <sys/socket.h>
62
#include <sys/time.h>
63
64
#include <netinet/in.h>
65
66
#include <stdio.h>
67
68
#include <openssl/objects.h>
69
70
#include "pqueue.h"
71
#include "ssl_locl.h"
72
73
static int dtls1_listen(SSL *s, struct sockaddr *client);
74
75
SSL3_ENC_METHOD DTLSv1_enc_data = {
76
	.enc = dtls1_enc,
77
	.enc_flags = SSL_ENC_FLAG_EXPLICIT_IV,
78
};
79
80
long
81
dtls1_default_timeout(void)
82
{
83
	/* 2 hours, the 24 hours mentioned in the DTLSv1 spec
84
	 * is way too long for http, the cache would over fill */
85
210
	return (60*60*2);
86
}
87
88
int
89
dtls1_new(SSL *s)
90
{
91
	DTLS1_STATE *d1;
92
93
210
	if (!ssl3_new(s))
94
		return (0);
95
105
	if ((d1 = calloc(1, sizeof(*d1))) == NULL) {
96
		ssl3_free(s);
97
		return (0);
98
	}
99
105
	if ((d1->internal = calloc(1, sizeof(*d1->internal))) == NULL) {
100
		free(d1);
101
		ssl3_free(s);
102
		return (0);
103
	}
104
105
	/* d1->handshake_epoch=0; */
106
107
105
	d1->internal->unprocessed_rcds.q = pqueue_new();
108
105
	d1->internal->processed_rcds.q = pqueue_new();
109
105
	d1->internal->buffered_messages = pqueue_new();
110
105
	d1->sent_messages = pqueue_new();
111
105
	d1->internal->buffered_app_data.q = pqueue_new();
112
113
105
	if (s->server) {
114
		d1->internal->cookie_len = sizeof(D1I(s)->cookie);
115
	}
116
117

315
	if (!d1->internal->unprocessed_rcds.q || !d1->internal->processed_rcds.q ||
118

210
	    !d1->internal->buffered_messages || !d1->sent_messages ||
119
105
	    !d1->internal->buffered_app_data.q) {
120
		pqueue_free(d1->internal->unprocessed_rcds.q);
121
		pqueue_free(d1->internal->processed_rcds.q);
122
		pqueue_free(d1->internal->buffered_messages);
123
		pqueue_free(d1->sent_messages);
124
		pqueue_free(d1->internal->buffered_app_data.q);
125
		free(d1);
126
		ssl3_free(s);
127
		return (0);
128
	}
129
130
105
	s->d1 = d1;
131
105
	s->method->internal->ssl_clear(s);
132
105
	return (1);
133
105
}
134
135
static void
136
dtls1_clear_queues(SSL *s)
137
{
138
	pitem *item = NULL;
139
	hm_fragment *frag = NULL;
140
	DTLS1_RECORD_DATA *rdata;
141
142
1161
	while ((item = pqueue_pop(D1I(s)->unprocessed_rcds.q)) != NULL) {
143
		rdata = (DTLS1_RECORD_DATA *) item->data;
144
		free(rdata->rbuf.buf);
145
		free(item->data);
146
		pitem_free(item);
147
	}
148
149
774
	while ((item = pqueue_pop(D1I(s)->processed_rcds.q)) != NULL) {
150
		rdata = (DTLS1_RECORD_DATA *) item->data;
151
		free(rdata->rbuf.buf);
152
		free(item->data);
153
		pitem_free(item);
154
	}
155
156
774
	while ((item = pqueue_pop(D1I(s)->buffered_messages)) != NULL) {
157
		frag = (hm_fragment *)item->data;
158
		free(frag->fragment);
159
		free(frag);
160
		pitem_free(item);
161
	}
162
163
996
	while ((item = pqueue_pop(s->d1->sent_messages)) != NULL) {
164
111
		frag = (hm_fragment *)item->data;
165
111
		free(frag->fragment);
166
111
		free(frag);
167
111
		pitem_free(item);
168
	}
169
170
774
	while ((item = pqueue_pop(D1I(s)->buffered_app_data.q)) != NULL) {
171
		rdata = (DTLS1_RECORD_DATA *) item->data;
172
		free(rdata->rbuf.buf);
173
		free(item->data);
174
		pitem_free(item);
175
	}
176
387
}
177
178
void
179
dtls1_free(SSL *s)
180
{
181
204
	if (s == NULL)
182
		return;
183
184
102
	ssl3_free(s);
185
186
102
	dtls1_clear_queues(s);
187
188
102
	pqueue_free(D1I(s)->unprocessed_rcds.q);
189
102
	pqueue_free(D1I(s)->processed_rcds.q);
190
102
	pqueue_free(D1I(s)->buffered_messages);
191
102
	pqueue_free(s->d1->sent_messages);
192
102
	pqueue_free(D1I(s)->buffered_app_data.q);
193
194
102
	freezero(s->d1->internal, sizeof(*s->d1->internal));
195
102
	freezero(s->d1, sizeof(*s->d1));
196
197
102
	s->d1 = NULL;
198
204
}
199
200
void
201
dtls1_clear(SSL *s)
202
{
203
	struct dtls1_state_internal_st *internal;
204
	pqueue unprocessed_rcds;
205
	pqueue processed_rcds;
206
	pqueue buffered_messages;
207
	pqueue sent_messages;
208
	pqueue buffered_app_data;
209
	unsigned int mtu;
210
211
780
	if (s->d1) {
212
285
		unprocessed_rcds = D1I(s)->unprocessed_rcds.q;
213
285
		processed_rcds = D1I(s)->processed_rcds.q;
214
285
		buffered_messages = D1I(s)->buffered_messages;
215
285
		sent_messages = s->d1->sent_messages;
216
285
		buffered_app_data = D1I(s)->buffered_app_data.q;
217
285
		mtu = D1I(s)->mtu;
218
219
285
		dtls1_clear_queues(s);
220
221
285
		memset(s->d1->internal, 0, sizeof(*s->d1->internal));
222
285
		internal = s->d1->internal;
223
285
		memset(s->d1, 0, sizeof(*s->d1));
224
285
		s->d1->internal = internal;
225
226
285
		if (s->server) {
227
129
			D1I(s)->cookie_len = sizeof(D1I(s)->cookie);
228
129
		}
229
230
285
		if (SSL_get_options(s) & SSL_OP_NO_QUERY_MTU) {
231
			D1I(s)->mtu = mtu;
232
		}
233
234
285
		D1I(s)->unprocessed_rcds.q = unprocessed_rcds;
235
285
		D1I(s)->processed_rcds.q = processed_rcds;
236
285
		D1I(s)->buffered_messages = buffered_messages;
237
285
		s->d1->sent_messages = sent_messages;
238
285
		D1I(s)->buffered_app_data.q = buffered_app_data;
239
285
	}
240
241
390
	ssl3_clear(s);
242
243
390
	s->version = DTLS1_VERSION;
244
390
}
245
246
long
247
dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
248
{
249
	int ret = 0;
250
251
	switch (cmd) {
252
	case DTLS_CTRL_GET_TIMEOUT:
253
		if (dtls1_get_timeout(s, (struct timeval*) parg) != NULL) {
254
			ret = 1;
255
		}
256
		break;
257
	case DTLS_CTRL_HANDLE_TIMEOUT:
258
		ret = dtls1_handle_timeout(s);
259
		break;
260
	case DTLS_CTRL_LISTEN:
261
		ret = dtls1_listen(s, parg);
262
		break;
263
264
	default:
265
		ret = ssl3_ctrl(s, cmd, larg, parg);
266
		break;
267
	}
268
	return (ret);
269
}
270
271
/*
272
 * As it's impossible to use stream ciphers in "datagram" mode, this
273
 * simple filter is designed to disengage them in DTLS. Unfortunately
274
 * there is no universal way to identify stream SSL_CIPHER, so we have
275
 * to explicitly list their SSL_* codes. Currently RC4 is the only one
276
 * available, but if new ones emerge, they will have to be added...
277
 */
278
const SSL_CIPHER *
279
dtls1_get_cipher(unsigned int u)
280
{
281
22032
	const SSL_CIPHER *ciph = ssl3_get_cipher(u);
282
283
11016
	if (ciph != NULL) {
284
11016
		if (ciph->algorithm_enc == SSL_RC4)
285
918
			return NULL;
286
	}
287
288
10098
	return ciph;
289
11016
}
290
291
void
292
dtls1_start_timer(SSL *s)
293
{
294
295
	/* If timer is not set, initialize duration with 1 second */
296

681
	if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) {
297
111
		s->d1->timeout_duration = 1;
298
111
	}
299
300
	/* Set timeout to current time */
301
285
	gettimeofday(&(s->d1->next_timeout), NULL);
302
303
	/* Add duration to current time */
304
285
	s->d1->next_timeout.tv_sec += s->d1->timeout_duration;
305
570
	BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
306
285
	    &s->d1->next_timeout);
307
285
}
308
309
struct timeval*
310
dtls1_get_timeout(SSL *s, struct timeval* timeleft)
311
{
312
2208
	struct timeval timenow;
313
314
	/* If no timeout is set, just return NULL */
315

1398
	if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) {
316
294
		return NULL;
317
	}
318
319
	/* Get current time */
320
810
	gettimeofday(&timenow, NULL);
321
322
	/* If timer already expired, set remaining time to 0 */
323

810
	if (s->d1->next_timeout.tv_sec < timenow.tv_sec ||
324
810
	    (s->d1->next_timeout.tv_sec == timenow.tv_sec &&
325
	     s->d1->next_timeout.tv_usec <= timenow.tv_usec)) {
326
		memset(timeleft, 0, sizeof(struct timeval));
327
		return timeleft;
328
	}
329
330
	/* Calculate time left until timer expires */
331
810
	memcpy(timeleft, &(s->d1->next_timeout), sizeof(struct timeval));
332
810
	timeleft->tv_sec -= timenow.tv_sec;
333
810
	timeleft->tv_usec -= timenow.tv_usec;
334
810
	if (timeleft->tv_usec < 0) {
335
808
		timeleft->tv_sec--;
336
808
		timeleft->tv_usec += 1000000;
337
808
	}
338
339
	/* If remaining time is less than 15 ms, set it to 0
340
	 * to prevent issues because of small devergences with
341
	 * socket timeouts.
342
	 */
343

1618
	if (timeleft->tv_sec == 0 && timeleft->tv_usec < 15000) {
344
		memset(timeleft, 0, sizeof(struct timeval));
345
	}
346
347
348
810
	return timeleft;
349
1104
}
350
351
int
352
dtls1_is_timer_expired(SSL *s)
353
{
354
2208
	struct timeval timeleft;
355
356
	/* Get time left until timeout, return false if no timer running */
357
1104
	if (dtls1_get_timeout(s, &timeleft) == NULL) {
358
294
		return 0;
359
	}
360
361
	/* Return false if timer is not expired yet */
362

1618
	if (timeleft.tv_sec > 0 || timeleft.tv_usec > 0) {
363
810
		return 0;
364
	}
365
366
	/* Timer expired, so return true */
367
	return 1;
368
1104
}
369
370
void
371
dtls1_double_timeout(SSL *s)
372
{
373
	s->d1->timeout_duration *= 2;
374
	if (s->d1->timeout_duration > 60)
375
		s->d1->timeout_duration = 60;
376
	dtls1_start_timer(s);
377
}
378
379
void
380
dtls1_stop_timer(SSL *s)
381
{
382
	/* Reset everything */
383
360
	memset(&(D1I(s)->timeout), 0, sizeof(struct dtls1_timeout_st));
384
180
	memset(&(s->d1->next_timeout), 0, sizeof(struct timeval));
385
180
	s->d1->timeout_duration = 1;
386
360
	BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
387
180
	    &(s->d1->next_timeout));
388
	/* Clear retransmission buffer */
389
180
	dtls1_clear_record_buffer(s);
390
180
}
391
392
int
393
dtls1_check_timeout_num(SSL *s)
394
{
395
	D1I(s)->timeout.num_alerts++;
396
397
	/* Reduce MTU after 2 unsuccessful retransmissions */
398
	if (D1I(s)->timeout.num_alerts > 2) {
399
		D1I(s)->mtu = BIO_ctrl(SSL_get_wbio(s),
400
		    BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL);
401
402
	}
403
404
	if (D1I(s)->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) {
405
		/* fail the connection, enough alerts have been sent */
406
		SSLerror(s, SSL_R_READ_TIMEOUT_EXPIRED);
407
		return -1;
408
	}
409
410
	return 0;
411
}
412
413
int
414
dtls1_handle_timeout(SSL *s)
415
{
416
	/* if no timer is expired, don't do anything */
417
1914
	if (!dtls1_is_timer_expired(s)) {
418
957
		return 0;
419
	}
420
421
	dtls1_double_timeout(s);
422
423
	if (dtls1_check_timeout_num(s) < 0)
424
		return -1;
425
426
	D1I(s)->timeout.read_timeouts++;
427
	if (D1I(s)->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) {
428
		D1I(s)->timeout.read_timeouts = 1;
429
	}
430
431
	dtls1_start_timer(s);
432
	return dtls1_retransmit_buffered_messages(s);
433
957
}
434
435
int
436
dtls1_listen(SSL *s, struct sockaddr *client)
437
{
438
	int ret;
439
440
	/* Ensure there is no state left over from a previous invocation */
441
	SSL_clear(s);
442
443
	SSL_set_options(s, SSL_OP_COOKIE_EXCHANGE);
444
	D1I(s)->listen = 1;
445
446
	ret = SSL_accept(s);
447
	if (ret <= 0)
448
		return ret;
449
450
	(void)BIO_dgram_get_peer(SSL_get_rbio(s), client);
451
	return 1;
452
}
453
454
void
455
dtls1_build_sequence_number(unsigned char *dst, unsigned char *seq,
456
    unsigned short epoch)
457
{
458
720
	unsigned char dtlsseq[SSL3_SEQUENCE_SIZE];
459
	unsigned char *p;
460
461
	p = dtlsseq;
462
360
	s2n(epoch, p);
463
360
	memcpy(p, &seq[2], SSL3_SEQUENCE_SIZE - 2);
464
360
	memcpy(dst, dtlsseq, SSL3_SEQUENCE_SIZE);
465
360
}