1 |
|
|
/* $OpenBSD: d1_pkt.c,v 1.63 2017/05/07 04:22:24 beck Exp $ */ |
2 |
|
|
/* |
3 |
|
|
* DTLS implementation written by Nagendra Modadugu |
4 |
|
|
* (nagendra@cs.stanford.edu) for the OpenSSL project 2005. |
5 |
|
|
*/ |
6 |
|
|
/* ==================================================================== |
7 |
|
|
* Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. |
8 |
|
|
* |
9 |
|
|
* Redistribution and use in source and binary forms, with or without |
10 |
|
|
* modification, are permitted provided that the following conditions |
11 |
|
|
* are met: |
12 |
|
|
* |
13 |
|
|
* 1. Redistributions of source code must retain the above copyright |
14 |
|
|
* notice, this list of conditions and the following disclaimer. |
15 |
|
|
* |
16 |
|
|
* 2. Redistributions in binary form must reproduce the above copyright |
17 |
|
|
* notice, this list of conditions and the following disclaimer in |
18 |
|
|
* the documentation and/or other materials provided with the |
19 |
|
|
* distribution. |
20 |
|
|
* |
21 |
|
|
* 3. All advertising materials mentioning features or use of this |
22 |
|
|
* software must display the following acknowledgment: |
23 |
|
|
* "This product includes software developed by the OpenSSL Project |
24 |
|
|
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
25 |
|
|
* |
26 |
|
|
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
27 |
|
|
* endorse or promote products derived from this software without |
28 |
|
|
* prior written permission. For written permission, please contact |
29 |
|
|
* openssl-core@openssl.org. |
30 |
|
|
* |
31 |
|
|
* 5. Products derived from this software may not be called "OpenSSL" |
32 |
|
|
* nor may "OpenSSL" appear in their names without prior written |
33 |
|
|
* permission of the OpenSSL Project. |
34 |
|
|
* |
35 |
|
|
* 6. Redistributions of any form whatsoever must retain the following |
36 |
|
|
* acknowledgment: |
37 |
|
|
* "This product includes software developed by the OpenSSL Project |
38 |
|
|
* for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
39 |
|
|
* |
40 |
|
|
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
41 |
|
|
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
42 |
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
43 |
|
|
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
44 |
|
|
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
45 |
|
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
46 |
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
47 |
|
|
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
48 |
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
49 |
|
|
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
50 |
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
51 |
|
|
* OF THE POSSIBILITY OF SUCH DAMAGE. |
52 |
|
|
* ==================================================================== |
53 |
|
|
* |
54 |
|
|
* This product includes cryptographic software written by Eric Young |
55 |
|
|
* (eay@cryptsoft.com). This product includes software written by Tim |
56 |
|
|
* Hudson (tjh@cryptsoft.com). |
57 |
|
|
* |
58 |
|
|
*/ |
59 |
|
|
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
60 |
|
|
* All rights reserved. |
61 |
|
|
* |
62 |
|
|
* This package is an SSL implementation written |
63 |
|
|
* by Eric Young (eay@cryptsoft.com). |
64 |
|
|
* The implementation was written so as to conform with Netscapes SSL. |
65 |
|
|
* |
66 |
|
|
* This library is free for commercial and non-commercial use as long as |
67 |
|
|
* the following conditions are aheared to. The following conditions |
68 |
|
|
* apply to all code found in this distribution, be it the RC4, RSA, |
69 |
|
|
* lhash, DES, etc., code; not just the SSL code. The SSL documentation |
70 |
|
|
* included with this distribution is covered by the same copyright terms |
71 |
|
|
* except that the holder is Tim Hudson (tjh@cryptsoft.com). |
72 |
|
|
* |
73 |
|
|
* Copyright remains Eric Young's, and as such any Copyright notices in |
74 |
|
|
* the code are not to be removed. |
75 |
|
|
* If this package is used in a product, Eric Young should be given attribution |
76 |
|
|
* as the author of the parts of the library used. |
77 |
|
|
* This can be in the form of a textual message at program startup or |
78 |
|
|
* in documentation (online or textual) provided with the package. |
79 |
|
|
* |
80 |
|
|
* Redistribution and use in source and binary forms, with or without |
81 |
|
|
* modification, are permitted provided that the following conditions |
82 |
|
|
* are met: |
83 |
|
|
* 1. Redistributions of source code must retain the copyright |
84 |
|
|
* notice, this list of conditions and the following disclaimer. |
85 |
|
|
* 2. Redistributions in binary form must reproduce the above copyright |
86 |
|
|
* notice, this list of conditions and the following disclaimer in the |
87 |
|
|
* documentation and/or other materials provided with the distribution. |
88 |
|
|
* 3. All advertising materials mentioning features or use of this software |
89 |
|
|
* must display the following acknowledgement: |
90 |
|
|
* "This product includes cryptographic software written by |
91 |
|
|
* Eric Young (eay@cryptsoft.com)" |
92 |
|
|
* The word 'cryptographic' can be left out if the rouines from the library |
93 |
|
|
* being used are not cryptographic related :-). |
94 |
|
|
* 4. If you include any Windows specific code (or a derivative thereof) from |
95 |
|
|
* the apps directory (application code) you must include an acknowledgement: |
96 |
|
|
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
97 |
|
|
* |
98 |
|
|
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
99 |
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
100 |
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
101 |
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
102 |
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
103 |
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
104 |
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
105 |
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
106 |
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
107 |
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
108 |
|
|
* SUCH DAMAGE. |
109 |
|
|
* |
110 |
|
|
* The licence and distribution terms for any publically available version or |
111 |
|
|
* derivative of this code cannot be changed. i.e. this code cannot simply be |
112 |
|
|
* copied and put under another distribution licence |
113 |
|
|
* [including the GNU Public Licence.] |
114 |
|
|
*/ |
115 |
|
|
|
116 |
|
|
#include <machine/endian.h> |
117 |
|
|
|
118 |
|
|
#include <errno.h> |
119 |
|
|
#include <stdio.h> |
120 |
|
|
|
121 |
|
|
#include "ssl_locl.h" |
122 |
|
|
|
123 |
|
|
#include <openssl/buffer.h> |
124 |
|
|
#include <openssl/evp.h> |
125 |
|
|
|
126 |
|
|
#include "pqueue.h" |
127 |
|
|
#include "bytestring.h" |
128 |
|
|
|
129 |
|
|
static int do_dtls1_write(SSL *s, int type, const unsigned char *buf, |
130 |
|
|
unsigned int len); |
131 |
|
|
|
132 |
|
|
|
133 |
|
|
/* mod 128 saturating subtract of two 64-bit values in big-endian order */ |
134 |
|
|
static int |
135 |
|
|
satsub64be(const unsigned char *v1, const unsigned char *v2) |
136 |
|
|
{ |
137 |
|
|
int ret, sat, brw, i; |
138 |
|
|
|
139 |
|
|
if (sizeof(long) == 8) |
140 |
|
|
do { |
141 |
|
|
long l; |
142 |
|
|
|
143 |
|
|
if (BYTE_ORDER == LITTLE_ENDIAN) |
144 |
|
|
break; |
145 |
|
|
/* not reached on little-endians */ |
146 |
|
|
/* following test is redundant, because input is |
147 |
|
|
* always aligned, but I take no chances... */ |
148 |
|
|
if (((size_t)v1 | (size_t)v2) & 0x7) |
149 |
|
|
break; |
150 |
|
|
|
151 |
|
|
l = *((long *)v1); |
152 |
|
|
l -= *((long *)v2); |
153 |
|
|
if (l > 128) |
154 |
|
|
return 128; |
155 |
|
|
else if (l<-128) |
156 |
|
|
return -128; |
157 |
|
|
else |
158 |
|
|
return (int)l; |
159 |
|
|
} while (0); |
160 |
|
|
|
161 |
|
1980 |
ret = (int)v1[7] - (int)v2[7]; |
162 |
|
|
sat = 0; |
163 |
|
990 |
brw = ret >> 8; /* brw is either 0 or -1 */ |
164 |
✗✓ |
990 |
if (ret & 0x80) { |
165 |
|
|
for (i = 6; i >= 0; i--) { |
166 |
|
|
brw += (int)v1[i]-(int)v2[i]; |
167 |
|
|
sat |= ~brw; |
168 |
|
|
brw >>= 8; |
169 |
|
|
} |
170 |
|
|
} else { |
171 |
✓✓ |
15840 |
for (i = 6; i >= 0; i--) { |
172 |
|
6930 |
brw += (int)v1[i]-(int)v2[i]; |
173 |
|
6930 |
sat |= brw; |
174 |
|
6930 |
brw >>= 8; |
175 |
|
|
} |
176 |
|
|
} |
177 |
|
990 |
brw <<= 8; /* brw is either 0 or -256 */ |
178 |
|
|
|
179 |
✗✓ |
990 |
if (sat & 0xff) |
180 |
|
|
return brw | 0x80; |
181 |
|
|
else |
182 |
|
990 |
return brw + (ret & 0xFF); |
183 |
|
990 |
} |
184 |
|
|
|
185 |
|
|
static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, |
186 |
|
|
int len, int peek); |
187 |
|
|
static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap); |
188 |
|
|
static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap); |
189 |
|
|
static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, |
190 |
|
|
unsigned int *is_next_epoch); |
191 |
|
|
static int dtls1_buffer_record(SSL *s, record_pqueue *q, |
192 |
|
|
unsigned char *priority); |
193 |
|
|
static int dtls1_process_record(SSL *s); |
194 |
|
|
|
195 |
|
|
/* copy buffered record into SSL structure */ |
196 |
|
|
static int |
197 |
|
|
dtls1_copy_record(SSL *s, pitem *item) |
198 |
|
|
{ |
199 |
|
|
DTLS1_RECORD_DATA *rdata; |
200 |
|
|
|
201 |
|
|
rdata = (DTLS1_RECORD_DATA *)item->data; |
202 |
|
|
|
203 |
|
|
free(s->s3->rbuf.buf); |
204 |
|
|
|
205 |
|
|
s->internal->packet = rdata->packet; |
206 |
|
|
s->internal->packet_length = rdata->packet_length; |
207 |
|
|
memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER)); |
208 |
|
|
memcpy(&(S3I(s)->rrec), &(rdata->rrec), sizeof(SSL3_RECORD)); |
209 |
|
|
|
210 |
|
|
/* Set proper sequence number for mac calculation */ |
211 |
|
|
memcpy(&(S3I(s)->read_sequence[2]), &(rdata->packet[5]), 6); |
212 |
|
|
|
213 |
|
|
return (1); |
214 |
|
|
} |
215 |
|
|
|
216 |
|
|
|
217 |
|
|
static int |
218 |
|
|
dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) |
219 |
|
|
{ |
220 |
|
|
DTLS1_RECORD_DATA *rdata; |
221 |
|
|
pitem *item; |
222 |
|
|
|
223 |
|
|
/* Limit the size of the queue to prevent DOS attacks */ |
224 |
|
|
if (pqueue_size(queue->q) >= 100) |
225 |
|
|
return 0; |
226 |
|
|
|
227 |
|
|
rdata = malloc(sizeof(DTLS1_RECORD_DATA)); |
228 |
|
|
item = pitem_new(priority, rdata); |
229 |
|
|
if (rdata == NULL || item == NULL) |
230 |
|
|
goto init_err; |
231 |
|
|
|
232 |
|
|
rdata->packet = s->internal->packet; |
233 |
|
|
rdata->packet_length = s->internal->packet_length; |
234 |
|
|
memcpy(&(rdata->rbuf), &(s->s3->rbuf), sizeof(SSL3_BUFFER)); |
235 |
|
|
memcpy(&(rdata->rrec), &(S3I(s)->rrec), sizeof(SSL3_RECORD)); |
236 |
|
|
|
237 |
|
|
item->data = rdata; |
238 |
|
|
|
239 |
|
|
|
240 |
|
|
s->internal->packet = NULL; |
241 |
|
|
s->internal->packet_length = 0; |
242 |
|
|
memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER)); |
243 |
|
|
memset(&(S3I(s)->rrec), 0, sizeof(SSL3_RECORD)); |
244 |
|
|
|
245 |
|
|
if (!ssl3_setup_buffers(s)) |
246 |
|
|
goto err; |
247 |
|
|
|
248 |
|
|
/* insert should not fail, since duplicates are dropped */ |
249 |
|
|
if (pqueue_insert(queue->q, item) == NULL) |
250 |
|
|
goto err; |
251 |
|
|
|
252 |
|
|
return (1); |
253 |
|
|
|
254 |
|
|
err: |
255 |
|
|
free(rdata->rbuf.buf); |
256 |
|
|
|
257 |
|
|
init_err: |
258 |
|
|
SSLerror(s, ERR_R_INTERNAL_ERROR); |
259 |
|
|
free(rdata); |
260 |
|
|
pitem_free(item); |
261 |
|
|
return (-1); |
262 |
|
|
} |
263 |
|
|
|
264 |
|
|
|
265 |
|
|
static int |
266 |
|
|
dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) |
267 |
|
|
{ |
268 |
|
|
pitem *item; |
269 |
|
|
|
270 |
|
1284 |
item = pqueue_pop(queue->q); |
271 |
✗✓ |
642 |
if (item) { |
272 |
|
|
dtls1_copy_record(s, item); |
273 |
|
|
|
274 |
|
|
free(item->data); |
275 |
|
|
pitem_free(item); |
276 |
|
|
|
277 |
|
|
return (1); |
278 |
|
|
} |
279 |
|
|
|
280 |
|
642 |
return (0); |
281 |
|
642 |
} |
282 |
|
|
|
283 |
|
|
|
284 |
|
|
/* retrieve a buffered record that belongs to the new epoch, i.e., not processed |
285 |
|
|
* yet */ |
286 |
|
|
#define dtls1_get_unprocessed_record(s) \ |
287 |
|
|
dtls1_retrieve_buffered_record((s), \ |
288 |
|
|
&((D1I(s))->unprocessed_rcds)) |
289 |
|
|
|
290 |
|
|
/* retrieve a buffered record that belongs to the current epoch, ie, processed */ |
291 |
|
|
#define dtls1_get_processed_record(s) \ |
292 |
|
|
dtls1_retrieve_buffered_record((s), \ |
293 |
|
|
&((D1I(s))->processed_rcds)) |
294 |
|
|
|
295 |
|
|
static int |
296 |
|
|
dtls1_process_buffered_records(SSL *s) |
297 |
|
|
{ |
298 |
|
|
pitem *item; |
299 |
|
|
|
300 |
|
1284 |
item = pqueue_peek(D1I(s)->unprocessed_rcds.q); |
301 |
✗✓ |
642 |
if (item) { |
302 |
|
|
/* Check if epoch is current. */ |
303 |
|
|
if (D1I(s)->unprocessed_rcds.epoch != D1I(s)->r_epoch) |
304 |
|
|
return (1); |
305 |
|
|
/* Nothing to do. */ |
306 |
|
|
|
307 |
|
|
/* Process all the records. */ |
308 |
|
|
while (pqueue_peek(D1I(s)->unprocessed_rcds.q)) { |
309 |
|
|
dtls1_get_unprocessed_record(s); |
310 |
|
|
if (! dtls1_process_record(s)) |
311 |
|
|
return (0); |
312 |
|
|
if (dtls1_buffer_record(s, &(D1I(s)->processed_rcds), |
313 |
|
|
S3I(s)->rrec.seq_num) < 0) |
314 |
|
|
return (-1); |
315 |
|
|
} |
316 |
|
|
} |
317 |
|
|
|
318 |
|
|
/* sync epoch numbers once all the unprocessed records |
319 |
|
|
* have been processed */ |
320 |
|
642 |
D1I(s)->processed_rcds.epoch = D1I(s)->r_epoch; |
321 |
|
642 |
D1I(s)->unprocessed_rcds.epoch = D1I(s)->r_epoch + 1; |
322 |
|
|
|
323 |
|
642 |
return (1); |
324 |
|
642 |
} |
325 |
|
|
|
326 |
|
|
static int |
327 |
|
|
dtls1_process_record(SSL *s) |
328 |
|
|
{ |
329 |
|
|
int i, al; |
330 |
|
|
int enc_err; |
331 |
|
|
SSL_SESSION *sess; |
332 |
|
|
SSL3_RECORD *rr; |
333 |
|
|
unsigned int mac_size, orig_len; |
334 |
|
990 |
unsigned char md[EVP_MAX_MD_SIZE]; |
335 |
|
|
|
336 |
|
495 |
rr = &(S3I(s)->rrec); |
337 |
|
495 |
sess = s->session; |
338 |
|
|
|
339 |
|
|
/* At this point, s->internal->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, |
340 |
|
|
* and we have that many bytes in s->internal->packet |
341 |
|
|
*/ |
342 |
|
495 |
rr->input = &(s->internal->packet[DTLS1_RT_HEADER_LENGTH]); |
343 |
|
|
|
344 |
|
|
/* ok, we can now read from 's->internal->packet' data into 'rr' |
345 |
|
|
* rr->input points at rr->length bytes, which |
346 |
|
|
* need to be copied into rr->data by either |
347 |
|
|
* the decryption or by the decompression |
348 |
|
|
* When the data is 'copied' into the rr->data buffer, |
349 |
|
|
* rr->input will be pointed at the new buffer */ |
350 |
|
|
|
351 |
|
|
/* We now have - encrypted [ MAC [ compressed [ plain ] ] ] |
352 |
|
|
* rr->length bytes of encrypted compressed stuff. */ |
353 |
|
|
|
354 |
|
|
/* check is not needed I believe */ |
355 |
✗✓ |
495 |
if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { |
356 |
|
|
al = SSL_AD_RECORD_OVERFLOW; |
357 |
|
|
SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); |
358 |
|
|
goto f_err; |
359 |
|
|
} |
360 |
|
|
|
361 |
|
|
/* decrypt in place in 'rr->input' */ |
362 |
|
495 |
rr->data = rr->input; |
363 |
|
|
|
364 |
|
495 |
enc_err = s->method->internal->ssl3_enc->enc(s, 0); |
365 |
|
|
/* enc_err is: |
366 |
|
|
* 0: (in non-constant time) if the record is publically invalid. |
367 |
|
|
* 1: if the padding is valid |
368 |
|
|
* -1: if the padding is invalid */ |
369 |
✗✓ |
495 |
if (enc_err == 0) { |
370 |
|
|
/* For DTLS we simply ignore bad packets. */ |
371 |
|
|
rr->length = 0; |
372 |
|
|
s->internal->packet_length = 0; |
373 |
|
|
goto err; |
374 |
|
|
} |
375 |
|
|
|
376 |
|
|
|
377 |
|
|
/* r->length is now the compressed data plus mac */ |
378 |
✓✓✓✓ ✓✗ |
1098 |
if ((sess != NULL) && (s->enc_read_ctx != NULL) && |
379 |
|
144 |
(EVP_MD_CTX_md(s->read_hash) != NULL)) { |
380 |
|
|
/* s->read_hash != NULL => mac_size != -1 */ |
381 |
|
|
unsigned char *mac = NULL; |
382 |
|
144 |
unsigned char mac_tmp[EVP_MAX_MD_SIZE]; |
383 |
|
144 |
mac_size = EVP_MD_CTX_size(s->read_hash); |
384 |
✗✓ |
144 |
OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); |
385 |
|
|
|
386 |
|
|
/* kludge: *_cbc_remove_padding passes padding length in rr->type */ |
387 |
|
144 |
orig_len = rr->length + ((unsigned int)rr->type >> 8); |
388 |
|
|
|
389 |
|
|
/* orig_len is the length of the record before any padding was |
390 |
|
|
* removed. This is public information, as is the MAC in use, |
391 |
|
|
* therefore we can safely process the record in a different |
392 |
|
|
* amount of time if it's too short to possibly contain a MAC. |
393 |
|
|
*/ |
394 |
✓✗✗✓
|
264 |
if (orig_len < mac_size || |
395 |
|
|
/* CBC records must have a padding length byte too. */ |
396 |
✓✓ |
144 |
(EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && |
397 |
|
120 |
orig_len < mac_size + 1)) { |
398 |
|
|
al = SSL_AD_DECODE_ERROR; |
399 |
|
|
SSLerror(s, SSL_R_LENGTH_TOO_SHORT); |
400 |
|
|
goto f_err; |
401 |
|
|
} |
402 |
|
|
|
403 |
✓✓ |
144 |
if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) { |
404 |
|
|
/* We update the length so that the TLS header bytes |
405 |
|
|
* can be constructed correctly but we need to extract |
406 |
|
|
* the MAC in constant time from within the record, |
407 |
|
|
* without leaking the contents of the padding bytes. |
408 |
|
|
* */ |
409 |
|
120 |
mac = mac_tmp; |
410 |
|
120 |
ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len); |
411 |
|
120 |
rr->length -= mac_size; |
412 |
|
120 |
} else { |
413 |
|
|
/* In this case there's no padding, so |orig_len| |
414 |
|
|
* equals |rec->length| and we checked that there's |
415 |
|
|
* enough bytes for |mac_size| above. */ |
416 |
|
24 |
rr->length -= mac_size; |
417 |
|
24 |
mac = &rr->data[rr->length]; |
418 |
|
|
} |
419 |
|
|
|
420 |
|
144 |
i = tls1_mac(s, md, 0 /* not send */); |
421 |
✓✗✗✓
|
288 |
if (i < 0 || mac == NULL || timingsafe_memcmp(md, mac, (size_t)mac_size) != 0) |
422 |
|
|
enc_err = -1; |
423 |
✗✓ |
144 |
if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH + mac_size) |
424 |
|
|
enc_err = -1; |
425 |
✓✗✓ |
576 |
} |
426 |
|
|
|
427 |
✗✓ |
495 |
if (enc_err < 0) { |
428 |
|
|
/* decryption failed, silently discard message */ |
429 |
|
|
rr->length = 0; |
430 |
|
|
s->internal->packet_length = 0; |
431 |
|
|
goto err; |
432 |
|
|
} |
433 |
|
|
|
434 |
✗✓ |
495 |
if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) { |
435 |
|
|
al = SSL_AD_RECORD_OVERFLOW; |
436 |
|
|
SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); |
437 |
|
|
goto f_err; |
438 |
|
|
} |
439 |
|
|
|
440 |
|
495 |
rr->off = 0; |
441 |
|
|
/* So at this point the following is true |
442 |
|
|
* ssl->s3->internal->rrec.type is the type of record |
443 |
|
|
* ssl->s3->internal->rrec.length == number of bytes in record |
444 |
|
|
* ssl->s3->internal->rrec.off == offset to first valid byte |
445 |
|
|
* ssl->s3->internal->rrec.data == where to take bytes from, increment |
446 |
|
|
* after use :-). |
447 |
|
|
*/ |
448 |
|
|
|
449 |
|
|
/* we have pulled in a full packet so zero things */ |
450 |
|
495 |
s->internal->packet_length = 0; |
451 |
|
495 |
return (1); |
452 |
|
|
|
453 |
|
|
f_err: |
454 |
|
|
ssl3_send_alert(s, SSL3_AL_FATAL, al); |
455 |
|
|
err: |
456 |
|
|
return (0); |
457 |
|
495 |
} |
458 |
|
|
|
459 |
|
|
|
460 |
|
|
/* Call this to get a new input record. |
461 |
|
|
* It will return <= 0 if more data is needed, normally due to an error |
462 |
|
|
* or non-blocking IO. |
463 |
|
|
* When it finishes, one packet has been decoded and can be found in |
464 |
|
|
* ssl->s3->internal->rrec.type - is the type of record |
465 |
|
|
* ssl->s3->internal->rrec.data, - data |
466 |
|
|
* ssl->s3->internal->rrec.length, - number of bytes |
467 |
|
|
*/ |
468 |
|
|
/* used only by dtls1_read_bytes */ |
469 |
|
|
int |
470 |
|
|
dtls1_get_record(SSL *s) |
471 |
|
|
{ |
472 |
|
|
SSL3_RECORD *rr; |
473 |
|
|
unsigned char *p = NULL; |
474 |
|
|
DTLS1_BITMAP *bitmap; |
475 |
|
1284 |
unsigned int is_next_epoch; |
476 |
|
|
int n; |
477 |
|
|
|
478 |
|
642 |
rr = &(S3I(s)->rrec); |
479 |
|
|
|
480 |
|
|
/* The epoch may have changed. If so, process all the |
481 |
|
|
* pending records. This is a non-blocking operation. */ |
482 |
✗✓ |
642 |
if (dtls1_process_buffered_records(s) < 0) |
483 |
|
|
return (-1); |
484 |
|
|
|
485 |
|
|
/* if we're renegotiating, then there may be buffered records */ |
486 |
✗✓ |
642 |
if (dtls1_get_processed_record(s)) |
487 |
|
|
return 1; |
488 |
|
|
|
489 |
|
|
/* get something from the wire */ |
490 |
|
642 |
if (0) { |
491 |
|
|
again: |
492 |
|
|
/* dump this record on all retries */ |
493 |
|
3 |
rr->length = 0; |
494 |
|
3 |
s->internal->packet_length = 0; |
495 |
|
3 |
} |
496 |
|
|
|
497 |
|
|
/* check if we have the header */ |
498 |
✗✓✗✗
|
645 |
if ((s->internal->rstate != SSL_ST_READ_BODY) || |
499 |
|
|
(s->internal->packet_length < DTLS1_RT_HEADER_LENGTH)) { |
500 |
|
645 |
CBS header, seq_no; |
501 |
|
645 |
uint16_t epoch, len, ssl_version; |
502 |
|
645 |
uint8_t type; |
503 |
|
|
|
504 |
|
645 |
n = ssl3_packet_read(s, DTLS1_RT_HEADER_LENGTH); |
505 |
✓✓ |
645 |
if (n <= 0) |
506 |
|
147 |
return (n); |
507 |
|
|
|
508 |
|
|
/* If this packet contained a partial record, dump it. */ |
509 |
✓✓ |
498 |
if (n != DTLS1_RT_HEADER_LENGTH) |
510 |
|
3 |
goto again; |
511 |
|
|
|
512 |
|
495 |
s->internal->rstate = SSL_ST_READ_BODY; |
513 |
|
|
|
514 |
|
495 |
CBS_init(&header, s->internal->packet, s->internal->packet_length); |
515 |
|
|
|
516 |
|
|
/* Pull apart the header into the DTLS1_RECORD */ |
517 |
✗✓ |
495 |
if (!CBS_get_u8(&header, &type)) |
518 |
|
|
goto again; |
519 |
✗✓ |
495 |
if (!CBS_get_u16(&header, &ssl_version)) |
520 |
|
|
goto again; |
521 |
|
|
|
522 |
|
|
/* sequence number is 64 bits, with top 2 bytes = epoch */ |
523 |
✓✗✗✓
|
990 |
if (!CBS_get_u16(&header, &epoch) || |
524 |
|
495 |
!CBS_get_bytes(&header, &seq_no, 6)) |
525 |
|
|
goto again; |
526 |
|
|
|
527 |
✗✓ |
495 |
if (!CBS_write_bytes(&seq_no, &(S3I(s)->read_sequence[2]), |
528 |
|
|
sizeof(S3I(s)->read_sequence) - 2, NULL)) |
529 |
|
|
goto again; |
530 |
✗✓ |
495 |
if (!CBS_get_u16(&header, &len)) |
531 |
|
|
goto again; |
532 |
|
|
|
533 |
|
495 |
rr->type = type; |
534 |
|
495 |
rr->epoch = epoch; |
535 |
|
495 |
rr->length = len; |
536 |
|
|
|
537 |
|
|
/* unexpected version, silently discard */ |
538 |
✓✓✗✓
|
918 |
if (!s->internal->first_packet && ssl_version != s->version) |
539 |
|
|
goto again; |
540 |
|
|
|
541 |
|
|
/* wrong version, silently discard record */ |
542 |
✗✓ |
495 |
if ((ssl_version & 0xff00) != (s->version & 0xff00)) |
543 |
|
|
goto again; |
544 |
|
|
|
545 |
|
|
/* record too long, silently discard it */ |
546 |
✗✓ |
495 |
if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) |
547 |
|
|
goto again; |
548 |
|
|
|
549 |
|
|
/* now s->internal->rstate == SSL_ST_READ_BODY */ |
550 |
|
495 |
p = (unsigned char *)CBS_data(&header); |
551 |
✓✓✓ |
1635 |
} |
552 |
|
|
|
553 |
|
|
/* s->internal->rstate == SSL_ST_READ_BODY, get and decode the data */ |
554 |
|
|
|
555 |
|
495 |
n = ssl3_packet_extend(s, DTLS1_RT_HEADER_LENGTH + rr->length); |
556 |
✗✓ |
495 |
if (n <= 0) |
557 |
|
|
return (n); |
558 |
|
|
|
559 |
|
|
/* If this packet contained a partial record, dump it. */ |
560 |
✗✓ |
495 |
if (n != DTLS1_RT_HEADER_LENGTH + rr->length) |
561 |
|
|
goto again; |
562 |
|
|
|
563 |
|
495 |
s->internal->rstate = SSL_ST_READ_HEADER; /* set state for later operations */ |
564 |
|
|
|
565 |
|
|
/* match epochs. NULL means the packet is dropped on the floor */ |
566 |
|
495 |
bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); |
567 |
✗✓ |
495 |
if (bitmap == NULL) |
568 |
|
|
goto again; |
569 |
|
|
|
570 |
|
|
/* |
571 |
|
|
* Check whether this is a repeat, or aged record. |
572 |
|
|
* Don't check if we're listening and this message is |
573 |
|
|
* a ClientHello. They can look as if they're replayed, |
574 |
|
|
* since they arrive from different connections and |
575 |
|
|
* would be dropped unnecessarily. |
576 |
|
|
*/ |
577 |
✗✓✗✗ ✗✓ |
990 |
if (!(D1I(s)->listen && rr->type == SSL3_RT_HANDSHAKE && |
578 |
|
|
p != NULL && *p == SSL3_MT_CLIENT_HELLO) && |
579 |
|
495 |
!dtls1_record_replay_check(s, bitmap)) |
580 |
|
|
goto again; |
581 |
|
|
|
582 |
|
|
/* just read a 0 length packet */ |
583 |
✗✓ |
495 |
if (rr->length == 0) |
584 |
|
|
goto again; |
585 |
|
|
|
586 |
|
|
/* If this record is from the next epoch (either HM or ALERT), |
587 |
|
|
* and a handshake is currently in progress, buffer it since it |
588 |
|
|
* cannot be processed at this time. However, do not buffer |
589 |
|
|
* anything while listening. |
590 |
|
|
*/ |
591 |
✗✓ |
495 |
if (is_next_epoch) { |
592 |
|
|
if ((SSL_in_init(s) || s->internal->in_handshake) && !D1I(s)->listen) { |
593 |
|
|
if (dtls1_buffer_record(s, &(D1I(s)->unprocessed_rcds), |
594 |
|
|
rr->seq_num) < 0) |
595 |
|
|
return (-1); |
596 |
|
|
/* Mark receipt of record. */ |
597 |
|
|
dtls1_record_bitmap_update(s, bitmap); |
598 |
|
|
} |
599 |
|
|
goto again; |
600 |
|
|
} |
601 |
|
|
|
602 |
✗✓ |
495 |
if (!dtls1_process_record(s)) |
603 |
|
|
goto again; |
604 |
|
|
|
605 |
|
|
/* Mark receipt of record. */ |
606 |
|
495 |
dtls1_record_bitmap_update(s, bitmap); |
607 |
|
|
|
608 |
|
495 |
return (1); |
609 |
|
642 |
} |
610 |
|
|
|
611 |
|
|
/* Return up to 'len' payload bytes received in 'type' records. |
612 |
|
|
* 'type' is one of the following: |
613 |
|
|
* |
614 |
|
|
* - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us) |
615 |
|
|
* - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us) |
616 |
|
|
* - 0 (during a shutdown, no data has to be returned) |
617 |
|
|
* |
618 |
|
|
* If we don't have stored data to work from, read a SSL/TLS record first |
619 |
|
|
* (possibly multiple records if we still don't have anything to return). |
620 |
|
|
* |
621 |
|
|
* This function must handle any surprises the peer may have for us, such as |
622 |
|
|
* Alert records (e.g. close_notify), ChangeCipherSpec records (not really |
623 |
|
|
* a surprise, but handled as if it were), or renegotiation requests. |
624 |
|
|
* Also if record payloads contain fragments too small to process, we store |
625 |
|
|
* them until there is enough for the respective protocol (the record protocol |
626 |
|
|
* may use arbitrary fragmentation and even interleaving): |
627 |
|
|
* Change cipher spec protocol |
628 |
|
|
* just 1 byte needed, no need for keeping anything stored |
629 |
|
|
* Alert protocol |
630 |
|
|
* 2 bytes needed (AlertLevel, AlertDescription) |
631 |
|
|
* Handshake protocol |
632 |
|
|
* 4 bytes needed (HandshakeType, uint24 length) -- we just have |
633 |
|
|
* to detect unexpected Client Hello and Hello Request messages |
634 |
|
|
* here, anything else is handled by higher layers |
635 |
|
|
* Application data protocol |
636 |
|
|
* none of our business |
637 |
|
|
*/ |
638 |
|
|
int |
639 |
|
|
dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) |
640 |
|
|
{ |
641 |
|
|
int al, i, j, ret; |
642 |
|
|
unsigned int n; |
643 |
|
|
SSL3_RECORD *rr; |
644 |
|
|
void (*cb)(const SSL *ssl, int type2, int val) = NULL; |
645 |
|
|
|
646 |
✓✓ |
1842 |
if (s->s3->rbuf.buf == NULL) /* Not initialized yet */ |
647 |
✗✓ |
36 |
if (!ssl3_setup_buffers(s)) |
648 |
|
|
return (-1); |
649 |
|
|
|
650 |
✓✗ |
2763 |
if ((type && |
651 |
|
1842 |
type != SSL3_RT_APPLICATION_DATA && type != SSL3_RT_HANDSHAKE) || |
652 |
✗✓ |
921 |
(peek && (type != SSL3_RT_APPLICATION_DATA))) { |
653 |
|
|
SSLerror(s, ERR_R_INTERNAL_ERROR); |
654 |
|
|
return -1; |
655 |
|
|
} |
656 |
|
|
|
657 |
|
|
/* check whether there's a handshake message (client hello?) waiting */ |
658 |
✗✓ |
921 |
if ((ret = have_handshake_fragment(s, type, buf, len, peek))) |
659 |
|
|
return ret; |
660 |
|
|
|
661 |
|
|
/* Now D1I(s)->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */ |
662 |
|
|
|
663 |
✓✓✓✓
|
1950 |
if (!s->internal->in_handshake && SSL_in_init(s)) |
664 |
|
|
{ |
665 |
|
|
/* type == SSL3_RT_APPLICATION_DATA */ |
666 |
|
72 |
i = s->internal->handshake_func(s); |
667 |
✓✓ |
72 |
if (i < 0) |
668 |
|
36 |
return (i); |
669 |
✗✓ |
36 |
if (i == 0) { |
670 |
|
|
SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE); |
671 |
|
|
return (-1); |
672 |
|
|
} |
673 |
|
|
} |
674 |
|
|
|
675 |
|
|
start: |
676 |
|
957 |
s->internal->rwstate = SSL_NOTHING; |
677 |
|
|
|
678 |
|
|
/* S3I(s)->rrec.type - is the type of record |
679 |
|
|
* S3I(s)->rrec.data, - data |
680 |
|
|
* S3I(s)->rrec.off, - offset into 'data' for next read |
681 |
|
|
* S3I(s)->rrec.length, - number of bytes. */ |
682 |
|
957 |
rr = &(S3I(s)->rrec); |
683 |
|
|
|
684 |
|
|
/* We are not handshaking and have no data yet, |
685 |
|
|
* so process data buffered during the last handshake |
686 |
|
|
* in advance, if any. |
687 |
|
|
*/ |
688 |
✓✓✓✗
|
1065 |
if (S3I(s)->hs.state == SSL_ST_OK && rr->length == 0) { |
689 |
|
|
pitem *item; |
690 |
|
108 |
item = pqueue_pop(D1I(s)->buffered_app_data.q); |
691 |
✗✓ |
108 |
if (item) { |
692 |
|
|
|
693 |
|
|
dtls1_copy_record(s, item); |
694 |
|
|
|
695 |
|
|
free(item->data); |
696 |
|
|
pitem_free(item); |
697 |
|
|
} |
698 |
|
108 |
} |
699 |
|
|
|
700 |
|
|
/* Check for timeout */ |
701 |
✗✓ |
957 |
if (dtls1_handle_timeout(s) > 0) |
702 |
|
|
goto start; |
703 |
|
|
|
704 |
|
|
/* get new packet if necessary */ |
705 |
✓✓✗✓
|
1272 |
if ((rr->length == 0) || (s->internal->rstate == SSL_ST_READ_BODY)) { |
706 |
|
642 |
ret = dtls1_get_record(s); |
707 |
✓✓ |
642 |
if (ret <= 0) { |
708 |
|
147 |
ret = dtls1_read_failed(s, ret); |
709 |
|
|
/* anything other than a timeout is an error */ |
710 |
✓✗ |
147 |
if (ret <= 0) |
711 |
|
147 |
return (ret); |
712 |
|
|
else |
713 |
|
|
goto start; |
714 |
|
|
} |
715 |
|
|
} |
716 |
|
|
|
717 |
✗✓✗✗
|
810 |
if (D1I(s)->listen && rr->type != SSL3_RT_HANDSHAKE) { |
718 |
|
|
rr->length = 0; |
719 |
|
|
goto start; |
720 |
|
|
} |
721 |
|
|
|
722 |
|
|
/* we now have a packet which can be read and processed */ |
723 |
|
|
|
724 |
✗✓ |
954 |
if (S3I(s)->change_cipher_spec /* set when we receive ChangeCipherSpec, |
725 |
|
|
* reset by ssl3_get_finished */ |
726 |
✓✓ |
954 |
&& (rr->type != SSL3_RT_HANDSHAKE)) { |
727 |
|
|
/* We now have application data between CCS and Finished. |
728 |
|
|
* Most likely the packets were reordered on their way, so |
729 |
|
|
* buffer the application data for later processing rather |
730 |
|
|
* than dropping the connection. |
731 |
|
|
*/ |
732 |
|
|
if (dtls1_buffer_record(s, &(D1I(s)->buffered_app_data), |
733 |
|
|
rr->seq_num) < 0) { |
734 |
|
|
SSLerror(s, ERR_R_INTERNAL_ERROR); |
735 |
|
|
return (-1); |
736 |
|
|
} |
737 |
|
|
rr->length = 0; |
738 |
|
|
goto start; |
739 |
|
|
} |
740 |
|
|
|
741 |
|
|
/* If the other end has shut down, throw anything we read away |
742 |
|
|
* (even in 'peek' mode) */ |
743 |
✗✓ |
810 |
if (s->internal->shutdown & SSL_RECEIVED_SHUTDOWN) { |
744 |
|
|
rr->length = 0; |
745 |
|
|
s->internal->rwstate = SSL_NOTHING; |
746 |
|
|
return (0); |
747 |
|
|
} |
748 |
|
|
|
749 |
|
|
|
750 |
✓✓ |
810 |
if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */ |
751 |
|
|
{ |
752 |
|
|
/* make sure that we are not getting application data when we |
753 |
|
|
* are doing a handshake for the first time */ |
754 |
✗✓✗✗
|
738 |
if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) && |
755 |
|
|
(s->enc_read_ctx == NULL)) { |
756 |
|
|
al = SSL_AD_UNEXPECTED_MESSAGE; |
757 |
|
|
SSLerror(s, SSL_R_APP_DATA_IN_HANDSHAKE); |
758 |
|
|
goto f_err; |
759 |
|
|
} |
760 |
|
|
|
761 |
✗✓ |
738 |
if (len <= 0) |
762 |
|
|
return (len); |
763 |
|
|
|
764 |
✓✓ |
738 |
if ((unsigned int)len > rr->length) |
765 |
|
72 |
n = rr->length; |
766 |
|
|
else |
767 |
|
|
n = (unsigned int)len; |
768 |
|
|
|
769 |
|
738 |
memcpy(buf, &(rr->data[rr->off]), n); |
770 |
✓✗ |
738 |
if (!peek) { |
771 |
|
738 |
rr->length -= n; |
772 |
|
738 |
rr->off += n; |
773 |
✓✓ |
738 |
if (rr->length == 0) { |
774 |
|
423 |
s->internal->rstate = SSL_ST_READ_HEADER; |
775 |
|
423 |
rr->off = 0; |
776 |
|
423 |
} |
777 |
|
|
} |
778 |
|
|
|
779 |
|
738 |
return (n); |
780 |
|
|
} |
781 |
|
|
|
782 |
|
|
|
783 |
|
|
/* If we get here, then type != rr->type; if we have a handshake |
784 |
|
|
* message, then it was unexpected (Hello Request or Client Hello). */ |
785 |
|
|
|
786 |
|
|
/* In case of record types for which we have 'fragment' storage, |
787 |
|
|
* fill that so that we can process the data at a fixed place. |
788 |
|
|
*/ |
789 |
|
|
{ |
790 |
|
|
unsigned int k, dest_maxlen = 0; |
791 |
|
|
unsigned char *dest = NULL; |
792 |
|
|
unsigned int *dest_len = NULL; |
793 |
|
|
|
794 |
✗✓ |
72 |
if (rr->type == SSL3_RT_HANDSHAKE) { |
795 |
|
|
dest_maxlen = sizeof D1I(s)->handshake_fragment; |
796 |
|
|
dest = D1I(s)->handshake_fragment; |
797 |
|
|
dest_len = &D1I(s)->handshake_fragment_len; |
798 |
✗✓ |
72 |
} else if (rr->type == SSL3_RT_ALERT) { |
799 |
|
|
dest_maxlen = sizeof(D1I(s)->alert_fragment); |
800 |
|
|
dest = D1I(s)->alert_fragment; |
801 |
|
|
dest_len = &D1I(s)->alert_fragment_len; |
802 |
|
|
} |
803 |
|
|
/* else it's a CCS message, or application data or wrong */ |
804 |
✗✓ |
72 |
else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC) { |
805 |
|
|
/* Application data while renegotiating |
806 |
|
|
* is allowed. Try again reading. |
807 |
|
|
*/ |
808 |
|
|
if (rr->type == SSL3_RT_APPLICATION_DATA) { |
809 |
|
|
BIO *bio; |
810 |
|
|
S3I(s)->in_read_app_data = 2; |
811 |
|
|
bio = SSL_get_rbio(s); |
812 |
|
|
s->internal->rwstate = SSL_READING; |
813 |
|
|
BIO_clear_retry_flags(bio); |
814 |
|
|
BIO_set_retry_read(bio); |
815 |
|
|
return (-1); |
816 |
|
|
} |
817 |
|
|
|
818 |
|
|
/* Not certain if this is the right error handling */ |
819 |
|
|
al = SSL_AD_UNEXPECTED_MESSAGE; |
820 |
|
|
SSLerror(s, SSL_R_UNEXPECTED_RECORD); |
821 |
|
|
goto f_err; |
822 |
|
|
} |
823 |
|
|
|
824 |
✗✓ |
72 |
if (dest_maxlen > 0) { |
825 |
|
|
/* XDTLS: In a pathalogical case, the Client Hello |
826 |
|
|
* may be fragmented--don't always expect dest_maxlen bytes */ |
827 |
|
|
if (rr->length < dest_maxlen) { |
828 |
|
|
#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE |
829 |
|
|
/* |
830 |
|
|
* for normal alerts rr->length is 2, while |
831 |
|
|
* dest_maxlen is 7 if we were to handle this |
832 |
|
|
* non-existing alert... |
833 |
|
|
*/ |
834 |
|
|
FIX ME |
835 |
|
|
#endif |
836 |
|
|
s->internal->rstate = SSL_ST_READ_HEADER; |
837 |
|
|
rr->length = 0; |
838 |
|
|
goto start; |
839 |
|
|
} |
840 |
|
|
|
841 |
|
|
/* now move 'n' bytes: */ |
842 |
|
|
for ( k = 0; k < dest_maxlen; k++) { |
843 |
|
|
dest[k] = rr->data[rr->off++]; |
844 |
|
|
rr->length--; |
845 |
|
|
} |
846 |
|
|
*dest_len = dest_maxlen; |
847 |
|
|
} |
848 |
✗✓✗✗
|
72 |
} |
849 |
|
|
|
850 |
|
|
/* D1I(s)->handshake_fragment_len == 12 iff rr->type == SSL3_RT_HANDSHAKE; |
851 |
|
|
* D1I(s)->alert_fragment_len == 7 iff rr->type == SSL3_RT_ALERT. |
852 |
|
|
* (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */ |
853 |
|
|
|
854 |
|
|
/* If we are a client, check for an incoming 'Hello Request': */ |
855 |
✓✓✗✗
|
72 |
if ((!s->server) && |
856 |
✗✓ |
36 |
(D1I(s)->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && |
857 |
|
|
(D1I(s)->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) && |
858 |
|
|
(s->session != NULL) && (s->session->cipher != NULL)) { |
859 |
|
|
D1I(s)->handshake_fragment_len = 0; |
860 |
|
|
|
861 |
|
|
if ((D1I(s)->handshake_fragment[1] != 0) || |
862 |
|
|
(D1I(s)->handshake_fragment[2] != 0) || |
863 |
|
|
(D1I(s)->handshake_fragment[3] != 0)) { |
864 |
|
|
al = SSL_AD_DECODE_ERROR; |
865 |
|
|
SSLerror(s, SSL_R_BAD_HELLO_REQUEST); |
866 |
|
|
goto err; |
867 |
|
|
} |
868 |
|
|
|
869 |
|
|
/* no need to check sequence number on HELLO REQUEST messages */ |
870 |
|
|
|
871 |
|
|
if (s->internal->msg_callback) |
872 |
|
|
s->internal->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, |
873 |
|
|
D1I(s)->handshake_fragment, 4, s, s->internal->msg_callback_arg); |
874 |
|
|
|
875 |
|
|
if (SSL_is_init_finished(s) && |
876 |
|
|
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && |
877 |
|
|
!S3I(s)->renegotiate) { |
878 |
|
|
D1I(s)->handshake_read_seq++; |
879 |
|
|
s->internal->new_session = 1; |
880 |
|
|
ssl3_renegotiate(s); |
881 |
|
|
if (ssl3_renegotiate_check(s)) { |
882 |
|
|
i = s->internal->handshake_func(s); |
883 |
|
|
if (i < 0) |
884 |
|
|
return (i); |
885 |
|
|
if (i == 0) { |
886 |
|
|
SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE); |
887 |
|
|
return (-1); |
888 |
|
|
} |
889 |
|
|
|
890 |
|
|
if (!(s->internal->mode & SSL_MODE_AUTO_RETRY)) { |
891 |
|
|
if (s->s3->rbuf.left == 0) /* no read-ahead left? */ |
892 |
|
|
{ |
893 |
|
|
BIO *bio; |
894 |
|
|
/* In the case where we try to read application data, |
895 |
|
|
* but we trigger an SSL handshake, we return -1 with |
896 |
|
|
* the retry option set. Otherwise renegotiation may |
897 |
|
|
* cause nasty problems in the blocking world */ |
898 |
|
|
s->internal->rwstate = SSL_READING; |
899 |
|
|
bio = SSL_get_rbio(s); |
900 |
|
|
BIO_clear_retry_flags(bio); |
901 |
|
|
BIO_set_retry_read(bio); |
902 |
|
|
return (-1); |
903 |
|
|
} |
904 |
|
|
} |
905 |
|
|
} |
906 |
|
|
} |
907 |
|
|
/* we either finished a handshake or ignored the request, |
908 |
|
|
* now try again to obtain the (application) data we were asked for */ |
909 |
|
|
goto start; |
910 |
|
|
} |
911 |
|
|
|
912 |
✗✓ |
72 |
if (D1I(s)->alert_fragment_len >= DTLS1_AL_HEADER_LENGTH) { |
913 |
|
|
int alert_level = D1I(s)->alert_fragment[0]; |
914 |
|
|
int alert_descr = D1I(s)->alert_fragment[1]; |
915 |
|
|
|
916 |
|
|
D1I(s)->alert_fragment_len = 0; |
917 |
|
|
|
918 |
|
|
if (s->internal->msg_callback) |
919 |
|
|
s->internal->msg_callback(0, s->version, SSL3_RT_ALERT, |
920 |
|
|
D1I(s)->alert_fragment, 2, s, s->internal->msg_callback_arg); |
921 |
|
|
|
922 |
|
|
if (s->internal->info_callback != NULL) |
923 |
|
|
cb = s->internal->info_callback; |
924 |
|
|
else if (s->ctx->internal->info_callback != NULL) |
925 |
|
|
cb = s->ctx->internal->info_callback; |
926 |
|
|
|
927 |
|
|
if (cb != NULL) { |
928 |
|
|
j = (alert_level << 8) | alert_descr; |
929 |
|
|
cb(s, SSL_CB_READ_ALERT, j); |
930 |
|
|
} |
931 |
|
|
|
932 |
|
|
if (alert_level == 1) /* warning */ |
933 |
|
|
{ |
934 |
|
|
S3I(s)->warn_alert = alert_descr; |
935 |
|
|
if (alert_descr == SSL_AD_CLOSE_NOTIFY) { |
936 |
|
|
s->internal->shutdown |= SSL_RECEIVED_SHUTDOWN; |
937 |
|
|
return (0); |
938 |
|
|
} |
939 |
|
|
} else if (alert_level == 2) /* fatal */ |
940 |
|
|
{ |
941 |
|
|
s->internal->rwstate = SSL_NOTHING; |
942 |
|
|
S3I(s)->fatal_alert = alert_descr; |
943 |
|
|
SSLerror(s, SSL_AD_REASON_OFFSET + alert_descr); |
944 |
|
|
ERR_asprintf_error_data("SSL alert number %d", |
945 |
|
|
alert_descr); |
946 |
|
|
s->internal->shutdown|=SSL_RECEIVED_SHUTDOWN; |
947 |
|
|
SSL_CTX_remove_session(s->ctx, s->session); |
948 |
|
|
return (0); |
949 |
|
|
} else { |
950 |
|
|
al = SSL_AD_ILLEGAL_PARAMETER; |
951 |
|
|
SSLerror(s, SSL_R_UNKNOWN_ALERT_TYPE); |
952 |
|
|
goto f_err; |
953 |
|
|
} |
954 |
|
|
|
955 |
|
|
goto start; |
956 |
|
|
} |
957 |
|
|
|
958 |
✗✓ |
72 |
if (s->internal->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutdown */ |
959 |
|
|
{ |
960 |
|
|
s->internal->rwstate = SSL_NOTHING; |
961 |
|
|
rr->length = 0; |
962 |
|
|
return (0); |
963 |
|
|
} |
964 |
|
|
|
965 |
✓✗ |
72 |
if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) { |
966 |
|
72 |
struct ccs_header_st ccs_hdr; |
967 |
|
|
unsigned int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH; |
968 |
|
|
|
969 |
|
72 |
dtls1_get_ccs_header(rr->data, &ccs_hdr); |
970 |
|
|
|
971 |
|
|
/* 'Change Cipher Spec' is just a single byte, so we know |
972 |
|
|
* exactly what the record payload has to look like */ |
973 |
|
|
/* XDTLS: check that epoch is consistent */ |
974 |
✓✗✗✓
|
144 |
if ((rr->length != ccs_hdr_len) || |
975 |
✓✗ |
144 |
(rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) { |
976 |
|
|
i = SSL_AD_ILLEGAL_PARAMETER; |
977 |
|
|
SSLerror(s, SSL_R_BAD_CHANGE_CIPHER_SPEC); |
978 |
|
|
goto err; |
979 |
|
|
} |
980 |
|
|
|
981 |
|
72 |
rr->length = 0; |
982 |
|
|
|
983 |
✗✓ |
72 |
if (s->internal->msg_callback) |
984 |
|
|
s->internal->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, |
985 |
|
|
rr->data, 1, s, s->internal->msg_callback_arg); |
986 |
|
|
|
987 |
|
|
/* We can't process a CCS now, because previous handshake |
988 |
|
|
* messages are still missing, so just drop it. |
989 |
|
|
*/ |
990 |
✗✓ |
72 |
if (!D1I(s)->change_cipher_spec_ok) { |
991 |
|
|
goto start; |
992 |
|
|
} |
993 |
|
|
|
994 |
|
72 |
D1I(s)->change_cipher_spec_ok = 0; |
995 |
|
|
|
996 |
|
72 |
S3I(s)->change_cipher_spec = 1; |
997 |
✗✓ |
72 |
if (!ssl3_do_change_cipher_spec(s)) |
998 |
|
|
goto err; |
999 |
|
|
|
1000 |
|
|
/* do this whenever CCS is processed */ |
1001 |
|
72 |
dtls1_reset_seq_numbers(s, SSL3_CC_READ); |
1002 |
|
|
|
1003 |
|
72 |
goto start; |
1004 |
✓✗✓ |
684 |
} |
1005 |
|
|
|
1006 |
|
|
/* Unexpected handshake message (Client Hello, or protocol violation) */ |
1007 |
|
|
if ((D1I(s)->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && |
1008 |
|
|
!s->internal->in_handshake) { |
1009 |
|
|
struct hm_header_st msg_hdr; |
1010 |
|
|
|
1011 |
|
|
/* this may just be a stale retransmit */ |
1012 |
|
|
if (!dtls1_get_message_header(rr->data, &msg_hdr)) |
1013 |
|
|
return -1; |
1014 |
|
|
if (rr->epoch != D1I(s)->r_epoch) { |
1015 |
|
|
rr->length = 0; |
1016 |
|
|
goto start; |
1017 |
|
|
} |
1018 |
|
|
|
1019 |
|
|
/* If we are server, we may have a repeated FINISHED of the |
1020 |
|
|
* client here, then retransmit our CCS and FINISHED. |
1021 |
|
|
*/ |
1022 |
|
|
if (msg_hdr.type == SSL3_MT_FINISHED) { |
1023 |
|
|
if (dtls1_check_timeout_num(s) < 0) |
1024 |
|
|
return -1; |
1025 |
|
|
|
1026 |
|
|
dtls1_retransmit_buffered_messages(s); |
1027 |
|
|
rr->length = 0; |
1028 |
|
|
goto start; |
1029 |
|
|
} |
1030 |
|
|
|
1031 |
|
|
if (((S3I(s)->hs.state&SSL_ST_MASK) == SSL_ST_OK) && |
1032 |
|
|
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) { |
1033 |
|
|
S3I(s)->hs.state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; |
1034 |
|
|
s->internal->renegotiate = 1; |
1035 |
|
|
s->internal->new_session = 1; |
1036 |
|
|
} |
1037 |
|
|
i = s->internal->handshake_func(s); |
1038 |
|
|
if (i < 0) |
1039 |
|
|
return (i); |
1040 |
|
|
if (i == 0) { |
1041 |
|
|
SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE); |
1042 |
|
|
return (-1); |
1043 |
|
|
} |
1044 |
|
|
|
1045 |
|
|
if (!(s->internal->mode & SSL_MODE_AUTO_RETRY)) { |
1046 |
|
|
if (s->s3->rbuf.left == 0) /* no read-ahead left? */ |
1047 |
|
|
{ |
1048 |
|
|
BIO *bio; |
1049 |
|
|
/* In the case where we try to read application data, |
1050 |
|
|
* but we trigger an SSL handshake, we return -1 with |
1051 |
|
|
* the retry option set. Otherwise renegotiation may |
1052 |
|
|
* cause nasty problems in the blocking world */ |
1053 |
|
|
s->internal->rwstate = SSL_READING; |
1054 |
|
|
bio = SSL_get_rbio(s); |
1055 |
|
|
BIO_clear_retry_flags(bio); |
1056 |
|
|
BIO_set_retry_read(bio); |
1057 |
|
|
return (-1); |
1058 |
|
|
} |
1059 |
|
|
} |
1060 |
|
|
goto start; |
1061 |
|
|
} |
1062 |
|
|
|
1063 |
|
|
switch (rr->type) { |
1064 |
|
|
default: |
1065 |
|
|
/* TLS just ignores unknown message types */ |
1066 |
|
|
if (s->version == TLS1_VERSION) { |
1067 |
|
|
rr->length = 0; |
1068 |
|
|
goto start; |
1069 |
|
|
} |
1070 |
|
|
al = SSL_AD_UNEXPECTED_MESSAGE; |
1071 |
|
|
SSLerror(s, SSL_R_UNEXPECTED_RECORD); |
1072 |
|
|
goto f_err; |
1073 |
|
|
case SSL3_RT_CHANGE_CIPHER_SPEC: |
1074 |
|
|
case SSL3_RT_ALERT: |
1075 |
|
|
case SSL3_RT_HANDSHAKE: |
1076 |
|
|
/* we already handled all of these, with the possible exception |
1077 |
|
|
* of SSL3_RT_HANDSHAKE when s->internal->in_handshake is set, but that |
1078 |
|
|
* should not happen when type != rr->type */ |
1079 |
|
|
al = SSL_AD_UNEXPECTED_MESSAGE; |
1080 |
|
|
SSLerror(s, ERR_R_INTERNAL_ERROR); |
1081 |
|
|
goto f_err; |
1082 |
|
|
case SSL3_RT_APPLICATION_DATA: |
1083 |
|
|
/* At this point, we were expecting handshake data, |
1084 |
|
|
* but have application data. If the library was |
1085 |
|
|
* running inside ssl3_read() (i.e. in_read_app_data |
1086 |
|
|
* is set) and it makes sense to read application data |
1087 |
|
|
* at this point (session renegotiation not yet started), |
1088 |
|
|
* we will indulge it. |
1089 |
|
|
*/ |
1090 |
|
|
if (S3I(s)->in_read_app_data && |
1091 |
|
|
(S3I(s)->total_renegotiations != 0) && |
1092 |
|
|
(((S3I(s)->hs.state & SSL_ST_CONNECT) && |
1093 |
|
|
(S3I(s)->hs.state >= SSL3_ST_CW_CLNT_HELLO_A) && |
1094 |
|
|
(S3I(s)->hs.state <= SSL3_ST_CR_SRVR_HELLO_A)) || ( |
1095 |
|
|
(S3I(s)->hs.state & SSL_ST_ACCEPT) && |
1096 |
|
|
(S3I(s)->hs.state <= SSL3_ST_SW_HELLO_REQ_A) && |
1097 |
|
|
(S3I(s)->hs.state >= SSL3_ST_SR_CLNT_HELLO_A)))) { |
1098 |
|
|
S3I(s)->in_read_app_data = 2; |
1099 |
|
|
return (-1); |
1100 |
|
|
} else { |
1101 |
|
|
al = SSL_AD_UNEXPECTED_MESSAGE; |
1102 |
|
|
SSLerror(s, SSL_R_UNEXPECTED_RECORD); |
1103 |
|
|
goto f_err; |
1104 |
|
|
} |
1105 |
|
|
} |
1106 |
|
|
/* not reached */ |
1107 |
|
|
|
1108 |
|
|
f_err: |
1109 |
|
|
ssl3_send_alert(s, SSL3_AL_FATAL, al); |
1110 |
|
|
err: |
1111 |
|
|
return (-1); |
1112 |
|
921 |
} |
1113 |
|
|
|
1114 |
|
|
int |
1115 |
|
|
dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len) |
1116 |
|
|
{ |
1117 |
|
|
int i; |
1118 |
|
|
|
1119 |
✓✓✓✗
|
396 |
if (SSL_in_init(s) && !s->internal->in_handshake) |
1120 |
|
|
{ |
1121 |
|
108 |
i = s->internal->handshake_func(s); |
1122 |
✓✓ |
108 |
if (i < 0) |
1123 |
|
72 |
return (i); |
1124 |
✗✓ |
36 |
if (i == 0) { |
1125 |
|
|
SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE); |
1126 |
|
|
return -1; |
1127 |
|
|
} |
1128 |
|
|
} |
1129 |
|
|
|
1130 |
✗✓ |
72 |
if (len > SSL3_RT_MAX_PLAIN_LENGTH) { |
1131 |
|
|
SSLerror(s, SSL_R_DTLS_MESSAGE_TOO_BIG); |
1132 |
|
|
return -1; |
1133 |
|
|
} |
1134 |
|
|
|
1135 |
|
72 |
i = dtls1_write_bytes(s, type, buf_, len); |
1136 |
|
72 |
return i; |
1137 |
|
144 |
} |
1138 |
|
|
|
1139 |
|
|
|
1140 |
|
|
/* this only happens when a client hello is received and a handshake |
1141 |
|
|
* is started. */ |
1142 |
|
|
static int |
1143 |
|
|
have_handshake_fragment(SSL *s, int type, unsigned char *buf, |
1144 |
|
|
int len, int peek) |
1145 |
|
|
{ |
1146 |
|
|
|
1147 |
✓✓✗✓
|
2619 |
if ((type == SSL3_RT_HANDSHAKE) && (D1I(s)->handshake_fragment_len > 0)) |
1148 |
|
|
/* (partially) satisfy request from storage */ |
1149 |
|
|
{ |
1150 |
|
|
unsigned char *src = D1I(s)->handshake_fragment; |
1151 |
|
|
unsigned char *dst = buf; |
1152 |
|
|
unsigned int k, n; |
1153 |
|
|
|
1154 |
|
|
/* peek == 0 */ |
1155 |
|
|
n = 0; |
1156 |
|
|
while ((len > 0) && (D1I(s)->handshake_fragment_len > 0)) { |
1157 |
|
|
*dst++ = *src++; |
1158 |
|
|
len--; |
1159 |
|
|
D1I(s)->handshake_fragment_len--; |
1160 |
|
|
n++; |
1161 |
|
|
} |
1162 |
|
|
/* move any remaining fragment bytes: */ |
1163 |
|
|
for (k = 0; k < D1I(s)->handshake_fragment_len; k++) |
1164 |
|
|
D1I(s)->handshake_fragment[k] = *src++; |
1165 |
|
|
return n; |
1166 |
|
|
} |
1167 |
|
|
|
1168 |
|
921 |
return 0; |
1169 |
|
921 |
} |
1170 |
|
|
|
1171 |
|
|
|
1172 |
|
|
/* Call this to write data in records of type 'type' |
1173 |
|
|
* It will return <= 0 if not all data has been sent or non-blocking IO. |
1174 |
|
|
*/ |
1175 |
|
|
int |
1176 |
|
|
dtls1_write_bytes(SSL *s, int type, const void *buf, int len) |
1177 |
|
|
{ |
1178 |
|
|
int i; |
1179 |
|
|
|
1180 |
✗✓ |
996 |
OPENSSL_assert(len <= SSL3_RT_MAX_PLAIN_LENGTH); |
1181 |
|
498 |
s->internal->rwstate = SSL_NOTHING; |
1182 |
|
498 |
i = do_dtls1_write(s, type, buf, len); |
1183 |
|
498 |
return i; |
1184 |
|
|
} |
1185 |
|
|
|
1186 |
|
|
int |
1187 |
|
|
do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len) |
1188 |
|
|
{ |
1189 |
|
|
unsigned char *p, *pseq; |
1190 |
|
|
int i, mac_size, clear = 0; |
1191 |
|
|
int prefix_len = 0; |
1192 |
|
|
SSL3_RECORD *wr; |
1193 |
|
|
SSL3_BUFFER *wb; |
1194 |
|
|
SSL_SESSION *sess; |
1195 |
|
|
int bs; |
1196 |
|
|
|
1197 |
|
|
/* first check if there is a SSL3_BUFFER still being written |
1198 |
|
|
* out. This will happen with non blocking IO */ |
1199 |
✗✓ |
1140 |
if (s->s3->wbuf.left != 0) { |
1200 |
|
|
OPENSSL_assert(0); /* XDTLS: want to see if we ever get here */ |
1201 |
|
|
return (ssl3_write_pending(s, type, buf, len)); |
1202 |
|
|
} |
1203 |
|
|
|
1204 |
|
|
/* If we have an alert to send, lets send it */ |
1205 |
✗✓ |
570 |
if (s->s3->alert_dispatch) { |
1206 |
|
|
i = s->method->ssl_dispatch_alert(s); |
1207 |
|
|
if (i <= 0) |
1208 |
|
|
return (i); |
1209 |
|
|
/* if it went, fall through and send more stuff */ |
1210 |
|
|
} |
1211 |
|
|
|
1212 |
✗✓ |
570 |
if (len == 0) |
1213 |
|
|
return 0; |
1214 |
|
|
|
1215 |
|
570 |
wr = &(S3I(s)->wrec); |
1216 |
|
570 |
wb = &(s->s3->wbuf); |
1217 |
|
570 |
sess = s->session; |
1218 |
|
|
|
1219 |
✓✗✓✓ ✗✓ |
1356 |
if ((sess == NULL) || (s->internal->enc_write_ctx == NULL) || |
1220 |
|
216 |
(EVP_MD_CTX_md(s->internal->write_hash) == NULL)) |
1221 |
|
354 |
clear = 1; |
1222 |
|
|
|
1223 |
✓✓ |
570 |
if (clear) |
1224 |
|
354 |
mac_size = 0; |
1225 |
|
|
else { |
1226 |
|
216 |
mac_size = EVP_MD_CTX_size(s->internal->write_hash); |
1227 |
✓✗ |
216 |
if (mac_size < 0) |
1228 |
|
|
goto err; |
1229 |
|
|
} |
1230 |
|
|
|
1231 |
|
|
/* DTLS implements explicit IV, so no need for empty fragments. */ |
1232 |
|
|
|
1233 |
|
570 |
p = wb->buf + prefix_len; |
1234 |
|
|
|
1235 |
|
|
/* write the header */ |
1236 |
|
|
|
1237 |
|
570 |
*(p++) = type&0xff; |
1238 |
|
570 |
wr->type = type; |
1239 |
|
|
|
1240 |
|
570 |
*(p++) = (s->version >> 8); |
1241 |
|
570 |
*(p++) = s->version&0xff; |
1242 |
|
|
|
1243 |
|
|
/* field where we are to write out packet epoch, seq num and len */ |
1244 |
|
|
pseq = p; |
1245 |
|
|
|
1246 |
|
570 |
p += 10; |
1247 |
|
|
|
1248 |
|
|
/* lets setup the record stuff. */ |
1249 |
|
|
|
1250 |
|
|
/* Make space for the explicit IV in case of CBC. |
1251 |
|
|
* (this is a bit of a boundary violation, but what the heck). |
1252 |
|
|
*/ |
1253 |
✓✓✓✓
|
786 |
if (s->internal->enc_write_ctx && |
1254 |
|
216 |
(EVP_CIPHER_mode(s->internal->enc_write_ctx->cipher) & EVP_CIPH_CBC_MODE)) |
1255 |
|
180 |
bs = EVP_CIPHER_block_size(s->internal->enc_write_ctx->cipher); |
1256 |
|
|
else |
1257 |
|
|
bs = 0; |
1258 |
|
|
|
1259 |
|
570 |
wr->data = p + bs; |
1260 |
|
|
/* make room for IV in case of CBC */ |
1261 |
|
570 |
wr->length = (int)len; |
1262 |
|
570 |
wr->input = (unsigned char *)buf; |
1263 |
|
|
|
1264 |
|
|
/* we now 'read' from wr->input, wr->length bytes into |
1265 |
|
|
* wr->data */ |
1266 |
|
|
|
1267 |
|
570 |
memcpy(wr->data, wr->input, wr->length); |
1268 |
|
570 |
wr->input = wr->data; |
1269 |
|
|
|
1270 |
|
|
/* we should still have the output to wr->data and the input |
1271 |
|
|
* from wr->input. Length should be wr->length. |
1272 |
|
|
* wr->data still points in the wb->buf */ |
1273 |
|
|
|
1274 |
✓✓ |
570 |
if (mac_size != 0) { |
1275 |
✓✗ |
216 |
if (tls1_mac(s, &(p[wr->length + bs]), 1) < 0) |
1276 |
|
|
goto err; |
1277 |
|
216 |
wr->length += mac_size; |
1278 |
|
216 |
} |
1279 |
|
|
|
1280 |
|
|
/* this is true regardless of mac size */ |
1281 |
|
570 |
wr->input = p; |
1282 |
|
570 |
wr->data = p; |
1283 |
|
|
|
1284 |
|
|
|
1285 |
|
|
/* ssl3_enc can only have an error on read */ |
1286 |
✓✓ |
570 |
if (bs) /* bs != 0 in case of CBC */ |
1287 |
|
|
{ |
1288 |
|
180 |
arc4random_buf(p, bs); |
1289 |
|
|
/* master IV and last CBC residue stand for |
1290 |
|
|
* the rest of randomness */ |
1291 |
|
180 |
wr->length += bs; |
1292 |
|
180 |
} |
1293 |
|
|
|
1294 |
|
570 |
s->method->internal->ssl3_enc->enc(s, 1); |
1295 |
|
|
|
1296 |
|
|
/* record length after mac and block padding */ |
1297 |
|
|
/* if (type == SSL3_RT_APPLICATION_DATA || |
1298 |
|
|
(type == SSL3_RT_ALERT && ! SSL_in_init(s))) */ |
1299 |
|
|
|
1300 |
|
|
/* there's only one epoch between handshake and app data */ |
1301 |
|
|
|
1302 |
|
570 |
s2n(D1I(s)->w_epoch, pseq); |
1303 |
|
|
|
1304 |
|
|
/* XDTLS: ?? */ |
1305 |
|
|
/* else |
1306 |
|
|
s2n(D1I(s)->handshake_epoch, pseq); |
1307 |
|
|
*/ |
1308 |
|
|
|
1309 |
|
570 |
memcpy(pseq, &(S3I(s)->write_sequence[2]), 6); |
1310 |
|
570 |
pseq += 6; |
1311 |
|
570 |
s2n(wr->length, pseq); |
1312 |
|
|
|
1313 |
|
|
/* we should now have |
1314 |
|
|
* wr->data pointing to the encrypted data, which is |
1315 |
|
|
* wr->length long */ |
1316 |
|
570 |
wr->type=type; /* not needed but helps for debugging */ |
1317 |
|
570 |
wr->length += DTLS1_RT_HEADER_LENGTH; |
1318 |
|
|
|
1319 |
|
570 |
tls1_record_sequence_increment(S3I(s)->write_sequence); |
1320 |
|
|
|
1321 |
|
|
/* now let's set up wb */ |
1322 |
|
570 |
wb->left = prefix_len + wr->length; |
1323 |
|
570 |
wb->offset = 0; |
1324 |
|
|
|
1325 |
|
|
/* memorize arguments so that ssl3_write_pending can detect bad write retries later */ |
1326 |
|
570 |
S3I(s)->wpend_tot = len; |
1327 |
|
570 |
S3I(s)->wpend_buf = buf; |
1328 |
|
570 |
S3I(s)->wpend_type = type; |
1329 |
|
570 |
S3I(s)->wpend_ret = len; |
1330 |
|
|
|
1331 |
|
|
/* we now just need to write the buffer */ |
1332 |
|
570 |
return ssl3_write_pending(s, type, buf, len); |
1333 |
|
|
err: |
1334 |
|
|
return -1; |
1335 |
|
570 |
} |
1336 |
|
|
|
1337 |
|
|
|
1338 |
|
|
|
1339 |
|
|
static int |
1340 |
|
|
dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap) |
1341 |
|
|
{ |
1342 |
|
|
int cmp; |
1343 |
|
|
unsigned int shift; |
1344 |
|
990 |
const unsigned char *seq = S3I(s)->read_sequence; |
1345 |
|
|
|
1346 |
|
495 |
cmp = satsub64be(seq, bitmap->max_seq_num); |
1347 |
✓✓ |
495 |
if (cmp > 0) { |
1348 |
|
351 |
memcpy (S3I(s)->rrec.seq_num, seq, 8); |
1349 |
|
351 |
return 1; /* this record in new */ |
1350 |
|
|
} |
1351 |
|
144 |
shift = -cmp; |
1352 |
✗✓ |
144 |
if (shift >= sizeof(bitmap->map)*8) |
1353 |
|
|
return 0; /* stale, outside the window */ |
1354 |
✗✓ |
144 |
else if (bitmap->map & (1UL << shift)) |
1355 |
|
|
return 0; /* record previously received */ |
1356 |
|
|
|
1357 |
|
144 |
memcpy(S3I(s)->rrec.seq_num, seq, 8); |
1358 |
|
144 |
return 1; |
1359 |
|
495 |
} |
1360 |
|
|
|
1361 |
|
|
|
1362 |
|
|
static void |
1363 |
|
|
dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap) |
1364 |
|
|
{ |
1365 |
|
|
int cmp; |
1366 |
|
|
unsigned int shift; |
1367 |
|
990 |
const unsigned char *seq = S3I(s)->read_sequence; |
1368 |
|
|
|
1369 |
|
495 |
cmp = satsub64be(seq, bitmap->max_seq_num); |
1370 |
✓✓ |
495 |
if (cmp > 0) { |
1371 |
|
|
shift = cmp; |
1372 |
✓✗ |
351 |
if (shift < sizeof(bitmap->map)*8) |
1373 |
|
351 |
bitmap->map <<= shift, bitmap->map |= 1UL; |
1374 |
|
|
else |
1375 |
|
|
bitmap->map = 1UL; |
1376 |
|
351 |
memcpy(bitmap->max_seq_num, seq, 8); |
1377 |
|
351 |
} else { |
1378 |
|
144 |
shift = -cmp; |
1379 |
✓✗ |
144 |
if (shift < sizeof(bitmap->map) * 8) |
1380 |
|
144 |
bitmap->map |= 1UL << shift; |
1381 |
|
|
} |
1382 |
|
495 |
} |
1383 |
|
|
|
1384 |
|
|
|
1385 |
|
|
int |
1386 |
|
|
dtls1_dispatch_alert(SSL *s) |
1387 |
|
|
{ |
1388 |
|
|
int i, j; |
1389 |
|
|
void (*cb)(const SSL *ssl, int type, int val) = NULL; |
1390 |
|
144 |
unsigned char buf[DTLS1_AL_HEADER_LENGTH]; |
1391 |
|
72 |
unsigned char *ptr = &buf[0]; |
1392 |
|
|
|
1393 |
|
72 |
s->s3->alert_dispatch = 0; |
1394 |
|
|
|
1395 |
|
72 |
memset(buf, 0x00, sizeof(buf)); |
1396 |
|
72 |
*ptr++ = s->s3->send_alert[0]; |
1397 |
|
72 |
*ptr++ = s->s3->send_alert[1]; |
1398 |
|
|
|
1399 |
|
|
#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE |
1400 |
|
|
if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) { |
1401 |
|
|
s2n(D1I(s)->handshake_read_seq, ptr); |
1402 |
|
|
l2n3(D1I(s)->r_msg_hdr.frag_off, ptr); |
1403 |
|
|
} |
1404 |
|
|
#endif |
1405 |
|
|
|
1406 |
|
72 |
i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf)); |
1407 |
✓✗ |
72 |
if (i <= 0) { |
1408 |
|
72 |
s->s3->alert_dispatch = 1; |
1409 |
|
|
/* fprintf( stderr, "not done with alert\n" ); */ |
1410 |
|
72 |
} else { |
1411 |
|
|
if (s->s3->send_alert[0] == SSL3_AL_FATAL |
1412 |
|
|
#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE |
1413 |
|
|
|| s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE |
1414 |
|
|
#endif |
1415 |
|
|
) |
1416 |
|
|
(void)BIO_flush(s->wbio); |
1417 |
|
|
|
1418 |
|
|
if (s->internal->msg_callback) |
1419 |
|
|
s->internal->msg_callback(1, s->version, SSL3_RT_ALERT, |
1420 |
|
|
s->s3->send_alert, 2, s, s->internal->msg_callback_arg); |
1421 |
|
|
|
1422 |
|
|
if (s->internal->info_callback != NULL) |
1423 |
|
|
cb = s->internal->info_callback; |
1424 |
|
|
else if (s->ctx->internal->info_callback != NULL) |
1425 |
|
|
cb = s->ctx->internal->info_callback; |
1426 |
|
|
|
1427 |
|
|
if (cb != NULL) { |
1428 |
|
|
j = (s->s3->send_alert[0]<<8)|s->s3->send_alert[1]; |
1429 |
|
|
cb(s, SSL_CB_WRITE_ALERT, j); |
1430 |
|
|
} |
1431 |
|
|
} |
1432 |
|
72 |
return (i); |
1433 |
|
72 |
} |
1434 |
|
|
|
1435 |
|
|
|
1436 |
|
|
static DTLS1_BITMAP * |
1437 |
|
|
dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch) |
1438 |
|
|
{ |
1439 |
|
|
|
1440 |
|
990 |
*is_next_epoch = 0; |
1441 |
|
|
|
1442 |
|
|
/* In current epoch, accept HM, CCS, DATA, & ALERT */ |
1443 |
✓✗ |
495 |
if (rr->epoch == D1I(s)->r_epoch) |
1444 |
|
495 |
return &D1I(s)->bitmap; |
1445 |
|
|
|
1446 |
|
|
/* Only HM and ALERT messages can be from the next epoch */ |
1447 |
|
|
else if (rr->epoch == (unsigned long)(D1I(s)->r_epoch + 1) && |
1448 |
|
|
(rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) { |
1449 |
|
|
*is_next_epoch = 1; |
1450 |
|
|
return &D1I(s)->next_bitmap; |
1451 |
|
|
} |
1452 |
|
|
|
1453 |
|
|
return NULL; |
1454 |
|
495 |
} |
1455 |
|
|
|
1456 |
|
|
void |
1457 |
|
|
dtls1_reset_seq_numbers(SSL *s, int rw) |
1458 |
|
|
{ |
1459 |
|
|
unsigned char *seq; |
1460 |
|
|
unsigned int seq_bytes = sizeof(S3I(s)->read_sequence); |
1461 |
|
|
|
1462 |
✓✓ |
288 |
if (rw & SSL3_CC_READ) { |
1463 |
|
72 |
seq = S3I(s)->read_sequence; |
1464 |
|
72 |
D1I(s)->r_epoch++; |
1465 |
|
72 |
memcpy(&(D1I(s)->bitmap), &(D1I(s)->next_bitmap), sizeof(DTLS1_BITMAP)); |
1466 |
|
72 |
memset(&(D1I(s)->next_bitmap), 0x00, sizeof(DTLS1_BITMAP)); |
1467 |
|
72 |
} else { |
1468 |
|
72 |
seq = S3I(s)->write_sequence; |
1469 |
|
72 |
memcpy(D1I(s)->last_write_sequence, seq, sizeof(S3I(s)->write_sequence)); |
1470 |
|
72 |
D1I(s)->w_epoch++; |
1471 |
|
|
} |
1472 |
|
|
|
1473 |
|
144 |
memset(seq, 0x00, seq_bytes); |
1474 |
|
144 |
} |