File: | src/lib/libssl/d1_both.c |
Warning: | line 957, column 2 Null pointer passed as 1st argument to memory copy function |
Press '?' to see keyboard shortcuts
Keyboard shortcuts:
1 | /* $OpenBSD: d1_both.c,v 1.80 2021/10/23 13:36:03 jsing Exp $ */ | |||
2 | /* | |||
3 | * DTLS implementation written by Nagendra Modadugu | |||
4 | * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. | |||
5 | */ | |||
6 | /* ==================================================================== | |||
7 | * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. | |||
8 | * | |||
9 | * Redistribution and use in source and binary forms, with or without | |||
10 | * modification, are permitted provided that the following conditions | |||
11 | * are met: | |||
12 | * | |||
13 | * 1. Redistributions of source code must retain the above copyright | |||
14 | * notice, this list of conditions and the following disclaimer. | |||
15 | * | |||
16 | * 2. Redistributions in binary form must reproduce the above copyright | |||
17 | * notice, this list of conditions and the following disclaimer in | |||
18 | * the documentation and/or other materials provided with the | |||
19 | * distribution. | |||
20 | * | |||
21 | * 3. All advertising materials mentioning features or use of this | |||
22 | * software must display the following acknowledgment: | |||
23 | * "This product includes software developed by the OpenSSL Project | |||
24 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | |||
25 | * | |||
26 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |||
27 | * endorse or promote products derived from this software without | |||
28 | * prior written permission. For written permission, please contact | |||
29 | * openssl-core@openssl.org. | |||
30 | * | |||
31 | * 5. Products derived from this software may not be called "OpenSSL" | |||
32 | * nor may "OpenSSL" appear in their names without prior written | |||
33 | * permission of the OpenSSL Project. | |||
34 | * | |||
35 | * 6. Redistributions of any form whatsoever must retain the following | |||
36 | * acknowledgment: | |||
37 | * "This product includes software developed by the OpenSSL Project | |||
38 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | |||
39 | * | |||
40 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |||
41 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |||
42 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |||
43 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |||
44 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |||
45 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |||
46 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |||
47 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |||
48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |||
49 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |||
50 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |||
51 | * OF THE POSSIBILITY OF SUCH DAMAGE. | |||
52 | * ==================================================================== | |||
53 | * | |||
54 | * This product includes cryptographic software written by Eric Young | |||
55 | * (eay@cryptsoft.com). This product includes software written by Tim | |||
56 | * Hudson (tjh@cryptsoft.com). | |||
57 | * | |||
58 | */ | |||
59 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | |||
60 | * All rights reserved. | |||
61 | * | |||
62 | * This package is an SSL implementation written | |||
63 | * by Eric Young (eay@cryptsoft.com). | |||
64 | * The implementation was written so as to conform with Netscapes SSL. | |||
65 | * | |||
66 | * This library is free for commercial and non-commercial use as long as | |||
67 | * the following conditions are aheared to. The following conditions | |||
68 | * apply to all code found in this distribution, be it the RC4, RSA, | |||
69 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation | |||
70 | * included with this distribution is covered by the same copyright terms | |||
71 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). | |||
72 | * | |||
73 | * Copyright remains Eric Young's, and as such any Copyright notices in | |||
74 | * the code are not to be removed. | |||
75 | * If this package is used in a product, Eric Young should be given attribution | |||
76 | * as the author of the parts of the library used. | |||
77 | * This can be in the form of a textual message at program startup or | |||
78 | * in documentation (online or textual) provided with the package. | |||
79 | * | |||
80 | * Redistribution and use in source and binary forms, with or without | |||
81 | * modification, are permitted provided that the following conditions | |||
82 | * are met: | |||
83 | * 1. Redistributions of source code must retain the copyright | |||
84 | * notice, this list of conditions and the following disclaimer. | |||
85 | * 2. Redistributions in binary form must reproduce the above copyright | |||
86 | * notice, this list of conditions and the following disclaimer in the | |||
87 | * documentation and/or other materials provided with the distribution. | |||
88 | * 3. All advertising materials mentioning features or use of this software | |||
89 | * must display the following acknowledgement: | |||
90 | * "This product includes cryptographic software written by | |||
91 | * Eric Young (eay@cryptsoft.com)" | |||
92 | * The word 'cryptographic' can be left out if the rouines from the library | |||
93 | * being used are not cryptographic related :-). | |||
94 | * 4. If you include any Windows specific code (or a derivative thereof) from | |||
95 | * the apps directory (application code) you must include an acknowledgement: | |||
96 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | |||
97 | * | |||
98 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND | |||
99 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |||
100 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |||
101 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |||
102 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |||
103 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |||
104 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |||
105 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |||
106 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |||
107 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |||
108 | * SUCH DAMAGE. | |||
109 | * | |||
110 | * The licence and distribution terms for any publically available version or | |||
111 | * derivative of this code cannot be changed. i.e. this code cannot simply be | |||
112 | * copied and put under another distribution licence | |||
113 | * [including the GNU Public Licence.] | |||
114 | */ | |||
115 | ||||
116 | #include <limits.h> | |||
117 | #include <stdio.h> | |||
118 | #include <string.h> | |||
119 | ||||
120 | #include <openssl/buffer.h> | |||
121 | #include <openssl/evp.h> | |||
122 | #include <openssl/objects.h> | |||
123 | #include <openssl/x509.h> | |||
124 | ||||
125 | #include "bytestring.h" | |||
126 | #include "dtls_locl.h" | |||
127 | #include "pqueue.h" | |||
128 | #include "ssl_locl.h" | |||
129 | ||||
130 | #define RSMBLY_BITMASK_SIZE(msg_len)(((msg_len) + 7) / 8) (((msg_len) + 7) / 8) | |||
131 | ||||
132 | #define RSMBLY_BITMASK_MARK(bitmask, start, end){ if ((end) - (start) <= 8) { long ii; for (ii = (start); ii < (end); ii++) bitmask[((ii) >> 3)] |= (1 << ( (ii) & 7)); } else { long ii; bitmask[((start) >> 3 )] |= bitmask_start_values[((start) & 7)]; for (ii = (((start ) >> 3) + 1); ii < ((((end) - 1)) >> 3); ii++) bitmask[ii] = 0xff; bitmask[(((end) - 1) >> 3)] |= bitmask_end_values [((end) & 7)]; } } { \ | |||
133 | if ((end) - (start) <= 8) { \ | |||
134 | long ii; \ | |||
135 | for (ii = (start); ii < (end); ii++) bitmask[((ii) >> 3)] |= (1 << ((ii) & 7)); \ | |||
136 | } else { \ | |||
137 | long ii; \ | |||
138 | bitmask[((start) >> 3)] |= bitmask_start_values[((start) & 7)]; \ | |||
139 | for (ii = (((start) >> 3) + 1); ii < ((((end) - 1)) >> 3); ii++) bitmask[ii] = 0xff; \ | |||
140 | bitmask[(((end) - 1) >> 3)] |= bitmask_end_values[((end) & 7)]; \ | |||
141 | } } | |||
142 | ||||
143 | #define RSMBLY_BITMASK_IS_COMPLETE(bitmask, msg_len, is_complete){ long ii; (void)(((msg_len) > 0) ? 0 : (OpenSSLDie("/usr/src/lib/libssl/d1_both.c" , 143, "(msg_len) > 0"),1)); is_complete = 1; if (bitmask[ (((msg_len) - 1) >> 3)] != bitmask_end_values[((msg_len ) & 7)]) is_complete = 0; if (is_complete) for (ii = (((msg_len ) - 1) >> 3) - 1; ii >= 0 ; ii--) if (bitmask[ii] != 0xff) { is_complete = 0; break; } } { \ | |||
144 | long ii; \ | |||
145 | OPENSSL_assert((msg_len) > 0)(void)(((msg_len) > 0) ? 0 : (OpenSSLDie("/usr/src/lib/libssl/d1_both.c" , 145, "(msg_len) > 0"),1)); \ | |||
146 | is_complete = 1; \ | |||
147 | if (bitmask[(((msg_len) - 1) >> 3)] != bitmask_end_values[((msg_len) & 7)]) is_complete = 0; \ | |||
148 | if (is_complete) for (ii = (((msg_len) - 1) >> 3) - 1; ii >= 0 ; ii--) \ | |||
149 | if (bitmask[ii] != 0xff) { is_complete = 0; break; } } | |||
150 | ||||
151 | static const unsigned char bitmask_start_values[] = { | |||
152 | 0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80 | |||
153 | }; | |||
154 | static const unsigned char bitmask_end_values[] = { | |||
155 | 0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f | |||
156 | }; | |||
157 | ||||
158 | /* XDTLS: figure out the right values */ | |||
159 | static const unsigned int g_probable_mtu[] = {1500 - 28, 512 - 28, 256 - 28}; | |||
160 | ||||
161 | static unsigned int dtls1_guess_mtu(unsigned int curr_mtu); | |||
162 | static void dtls1_fix_message_header(SSL *s, unsigned long frag_off, | |||
163 | unsigned long frag_len); | |||
164 | static int dtls1_write_message_header(const struct hm_header_st *msg_hdr, | |||
165 | unsigned long frag_off, unsigned long frag_len, unsigned char *p); | |||
166 | static long dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, | |||
167 | int *ok); | |||
168 | ||||
169 | void dtls1_hm_fragment_free(hm_fragment *frag); | |||
170 | ||||
171 | static hm_fragment * | |||
172 | dtls1_hm_fragment_new(unsigned long frag_len, int reassembly) | |||
173 | { | |||
174 | hm_fragment *frag; | |||
175 | ||||
176 | if ((frag = calloc(1, sizeof(*frag))) == NULL((void*)0)) | |||
177 | goto err; | |||
178 | ||||
179 | if (frag_len > 0) { | |||
180 | if ((frag->fragment = calloc(1, frag_len)) == NULL((void*)0)) | |||
181 | goto err; | |||
182 | } | |||
183 | ||||
184 | /* Initialize reassembly bitmask if necessary. */ | |||
185 | if (reassembly
| |||
186 | if ((frag->reassembly = calloc(1, | |||
187 | RSMBLY_BITMASK_SIZE(frag_len)(((frag_len) + 7) / 8))) == NULL((void*)0)) | |||
188 | goto err; | |||
189 | } | |||
190 | ||||
191 | return frag; | |||
192 | ||||
193 | err: | |||
194 | dtls1_hm_fragment_free(frag); | |||
195 | return NULL((void*)0); | |||
196 | } | |||
197 | ||||
198 | void | |||
199 | dtls1_hm_fragment_free(hm_fragment *frag) | |||
200 | { | |||
201 | if (frag == NULL((void*)0)) | |||
202 | return; | |||
203 | ||||
204 | free(frag->fragment); | |||
205 | free(frag->reassembly); | |||
206 | free(frag); | |||
207 | } | |||
208 | ||||
209 | /* send s->internal->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */ | |||
210 | int | |||
211 | dtls1_do_write(SSL *s, int type) | |||
212 | { | |||
213 | int ret; | |||
214 | int curr_mtu; | |||
215 | unsigned int len, frag_off; | |||
216 | size_t overhead; | |||
217 | ||||
218 | /* AHA! Figure out the MTU, and stick to the right size */ | |||
219 | if (s->d1->mtu < dtls1_min_mtu() && | |||
220 | !(SSL_get_options(s)SSL_ctrl((s),32,0,((void*)0)) & SSL_OP_NO_QUERY_MTU0x00001000L)) { | |||
221 | s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), | |||
222 | BIO_CTRL_DGRAM_QUERY_MTU40, 0, NULL((void*)0)); | |||
223 | ||||
224 | /* | |||
225 | * I've seen the kernel return bogus numbers when it | |||
226 | * doesn't know the MTU (ie., the initial write), so just | |||
227 | * make sure we have a reasonable number | |||
228 | */ | |||
229 | if (s->d1->mtu < dtls1_min_mtu()) { | |||
230 | s->d1->mtu = 0; | |||
231 | s->d1->mtu = dtls1_guess_mtu(s->d1->mtu); | |||
232 | BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SET_MTU42, | |||
233 | s->d1->mtu, NULL((void*)0)); | |||
234 | } | |||
235 | } | |||
236 | ||||
237 | OPENSSL_assert(s->d1->mtu >= dtls1_min_mtu())(void)((s->d1->mtu >= dtls1_min_mtu()) ? 0 : (OpenSSLDie ("/usr/src/lib/libssl/d1_both.c", 237, "s->d1->mtu >= dtls1_min_mtu()" ),1)); | |||
238 | /* should have something reasonable now */ | |||
239 | ||||
240 | if (s->internal->init_off == 0 && type == SSL3_RT_HANDSHAKE22) | |||
241 | OPENSSL_assert(s->internal->init_num ==(void)((s->internal->init_num == (int)s->d1->w_msg_hdr .msg_len + 12) ? 0 : (OpenSSLDie("/usr/src/lib/libssl/d1_both.c" , 242, "s->internal->init_num == (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH" ),1)) | |||
242 | (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH)(void)((s->internal->init_num == (int)s->d1->w_msg_hdr .msg_len + 12) ? 0 : (OpenSSLDie("/usr/src/lib/libssl/d1_both.c" , 242, "s->internal->init_num == (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH" ),1)); | |||
243 | ||||
244 | if (!tls12_record_layer_write_overhead(s->internal->rl, &overhead)) | |||
245 | return -1; | |||
246 | ||||
247 | frag_off = 0; | |||
248 | while (s->internal->init_num) { | |||
249 | curr_mtu = s->d1->mtu - BIO_wpending(SSL_get_wbio(s))(int)BIO_ctrl(SSL_get_wbio(s),13,0,((void*)0)) - | |||
250 | DTLS1_RT_HEADER_LENGTH13 - overhead; | |||
251 | ||||
252 | if (curr_mtu <= DTLS1_HM_HEADER_LENGTH12) { | |||
253 | /* grr.. we could get an error if MTU picked was wrong */ | |||
254 | ret = BIO_flush(SSL_get_wbio(s))(int)BIO_ctrl(SSL_get_wbio(s),11,0,((void*)0)); | |||
255 | if (ret <= 0) | |||
256 | return ret; | |||
257 | curr_mtu = s->d1->mtu - DTLS1_RT_HEADER_LENGTH13 - | |||
258 | overhead; | |||
259 | } | |||
260 | ||||
261 | if (s->internal->init_num > curr_mtu) | |||
262 | len = curr_mtu; | |||
263 | else | |||
264 | len = s->internal->init_num; | |||
265 | ||||
266 | /* XDTLS: this function is too long. split out the CCS part */ | |||
267 | if (type == SSL3_RT_HANDSHAKE22) { | |||
268 | if (s->internal->init_off != 0) { | |||
269 | OPENSSL_assert(s->internal->init_off > DTLS1_HM_HEADER_LENGTH)(void)((s->internal->init_off > 12) ? 0 : (OpenSSLDie ("/usr/src/lib/libssl/d1_both.c", 269, "s->internal->init_off > DTLS1_HM_HEADER_LENGTH" ),1)); | |||
270 | s->internal->init_off -= DTLS1_HM_HEADER_LENGTH12; | |||
271 | s->internal->init_num += DTLS1_HM_HEADER_LENGTH12; | |||
272 | ||||
273 | if (s->internal->init_num > curr_mtu) | |||
274 | len = curr_mtu; | |||
275 | else | |||
276 | len = s->internal->init_num; | |||
277 | } | |||
278 | ||||
279 | dtls1_fix_message_header(s, frag_off, | |||
280 | len - DTLS1_HM_HEADER_LENGTH12); | |||
281 | ||||
282 | if (!dtls1_write_message_header(&s->d1->w_msg_hdr, | |||
283 | s->d1->w_msg_hdr.frag_off, s->d1->w_msg_hdr.frag_len, | |||
284 | (unsigned char *)&s->internal->init_buf->data[s->internal->init_off])) | |||
285 | return -1; | |||
286 | ||||
287 | OPENSSL_assert(len >= DTLS1_HM_HEADER_LENGTH)(void)((len >= 12) ? 0 : (OpenSSLDie("/usr/src/lib/libssl/d1_both.c" , 287, "len >= DTLS1_HM_HEADER_LENGTH"),1)); | |||
288 | } | |||
289 | ||||
290 | ret = dtls1_write_bytes(s, type, | |||
291 | &s->internal->init_buf->data[s->internal->init_off], len); | |||
292 | if (ret < 0) { | |||
293 | /* | |||
294 | * Might need to update MTU here, but we don't know | |||
295 | * which previous packet caused the failure -- so | |||
296 | * can't really retransmit anything. continue as | |||
297 | * if everything is fine and wait for an alert to | |||
298 | * handle the retransmit | |||
299 | */ | |||
300 | if (BIO_ctrl(SSL_get_wbio(s), | |||
301 | BIO_CTRL_DGRAM_MTU_EXCEEDED43, 0, NULL((void*)0)) > 0) | |||
302 | s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), | |||
303 | BIO_CTRL_DGRAM_QUERY_MTU40, 0, NULL((void*)0)); | |||
304 | else | |||
305 | return (-1); | |||
306 | } else { | |||
307 | ||||
308 | /* | |||
309 | * Bad if this assert fails, only part of the | |||
310 | * handshake message got sent. but why would | |||
311 | * this happen? | |||
312 | */ | |||
313 | OPENSSL_assert(len == (unsigned int)ret)(void)((len == (unsigned int)ret) ? 0 : (OpenSSLDie("/usr/src/lib/libssl/d1_both.c" , 313, "len == (unsigned int)ret"),1)); | |||
314 | ||||
315 | if (type == SSL3_RT_HANDSHAKE22 && | |||
316 | !s->d1->retransmitting) { | |||
317 | /* | |||
318 | * Should not be done for 'Hello Request's, | |||
319 | * but in that case we'll ignore the result | |||
320 | * anyway | |||
321 | */ | |||
322 | unsigned char *p = (unsigned char *)&s->internal->init_buf->data[s->internal->init_off]; | |||
323 | const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; | |||
324 | int xlen; | |||
325 | ||||
326 | if (frag_off == 0) { | |||
327 | /* | |||
328 | * Reconstruct message header is if it | |||
329 | * is being sent in single fragment | |||
330 | */ | |||
331 | if (!dtls1_write_message_header(msg_hdr, | |||
332 | 0, msg_hdr->msg_len, p)) | |||
333 | return (-1); | |||
334 | xlen = ret; | |||
335 | } else { | |||
336 | p += DTLS1_HM_HEADER_LENGTH12; | |||
337 | xlen = ret - DTLS1_HM_HEADER_LENGTH12; | |||
338 | } | |||
339 | ||||
340 | tls1_transcript_record(s, p, xlen); | |||
341 | } | |||
342 | ||||
343 | if (ret == s->internal->init_num) { | |||
344 | if (s->internal->msg_callback) | |||
345 | s->internal->msg_callback(1, s->version, type, | |||
346 | s->internal->init_buf->data, | |||
347 | (size_t)(s->internal->init_off + s->internal->init_num), | |||
348 | s, s->internal->msg_callback_arg); | |||
349 | ||||
350 | s->internal->init_off = 0; | |||
351 | /* done writing this message */ | |||
352 | s->internal->init_num = 0; | |||
353 | ||||
354 | return (1); | |||
355 | } | |||
356 | s->internal->init_off += ret; | |||
357 | s->internal->init_num -= ret; | |||
358 | frag_off += (ret -= DTLS1_HM_HEADER_LENGTH12); | |||
359 | } | |||
360 | } | |||
361 | return (0); | |||
362 | } | |||
363 | ||||
364 | ||||
365 | /* | |||
366 | * Obtain handshake message of message type 'mt' (any if mt == -1), | |||
367 | * maximum acceptable body length 'max'. | |||
368 | * Read an entire handshake message. Handshake messages arrive in | |||
369 | * fragments. | |||
370 | */ | |||
371 | int | |||
372 | dtls1_get_message(SSL *s, int st1, int stn, int mt, long max) | |||
373 | { | |||
374 | struct hm_header_st *msg_hdr; | |||
375 | unsigned char *p; | |||
376 | unsigned long msg_len; | |||
377 | int i, al, ok; | |||
378 | ||||
379 | /* | |||
380 | * s3->internal->tmp is used to store messages that are unexpected, caused | |||
381 | * by the absence of an optional handshake message | |||
382 | */ | |||
383 | if (S3I(s)(s->s3->internal)->hs.tls12.reuse_message) { | |||
384 | S3I(s)(s->s3->internal)->hs.tls12.reuse_message = 0; | |||
385 | if ((mt >= 0) && (S3I(s)(s->s3->internal)->hs.tls12.message_type != mt)) { | |||
386 | al = SSL_AD_UNEXPECTED_MESSAGE10; | |||
387 | SSLerror(s, SSL_R_UNEXPECTED_MESSAGE)SSL_error_internal(s, 244, "/usr/src/lib/libssl/d1_both.c", 387 ); | |||
388 | goto fatal_err; | |||
389 | } | |||
390 | s->internal->init_msg = s->internal->init_buf->data + DTLS1_HM_HEADER_LENGTH12; | |||
391 | s->internal->init_num = (int)S3I(s)(s->s3->internal)->hs.tls12.message_size; | |||
392 | return 1; | |||
393 | } | |||
394 | ||||
395 | msg_hdr = &s->d1->r_msg_hdr; | |||
396 | memset(msg_hdr, 0, sizeof(struct hm_header_st)); | |||
397 | ||||
398 | again: | |||
399 | i = dtls1_get_message_fragment(s, st1, stn, max, &ok); | |||
400 | if (i == DTLS1_HM_BAD_FRAGMENT-2 || | |||
401 | i == DTLS1_HM_FRAGMENT_RETRY-3) /* bad fragment received */ | |||
402 | goto again; | |||
403 | else if (i <= 0 && !ok) | |||
404 | return i; | |||
405 | ||||
406 | p = (unsigned char *)s->internal->init_buf->data; | |||
407 | msg_len = msg_hdr->msg_len; | |||
408 | ||||
409 | /* reconstruct message header */ | |||
410 | if (!dtls1_write_message_header(msg_hdr, 0, msg_len, p)) | |||
411 | return -1; | |||
412 | ||||
413 | msg_len += DTLS1_HM_HEADER_LENGTH12; | |||
414 | ||||
415 | tls1_transcript_record(s, p, msg_len); | |||
416 | if (s->internal->msg_callback) | |||
417 | s->internal->msg_callback(0, s->version, SSL3_RT_HANDSHAKE22, p, msg_len, | |||
418 | s, s->internal->msg_callback_arg); | |||
419 | ||||
420 | memset(msg_hdr, 0, sizeof(struct hm_header_st)); | |||
421 | ||||
422 | /* Don't change sequence numbers while listening */ | |||
423 | if (!s->d1->listen) | |||
424 | s->d1->handshake_read_seq++; | |||
425 | ||||
426 | s->internal->init_msg = s->internal->init_buf->data + DTLS1_HM_HEADER_LENGTH12; | |||
427 | return 1; | |||
428 | ||||
429 | fatal_err: | |||
430 | ssl3_send_alert(s, SSL3_AL_FATAL2, al); | |||
431 | return -1; | |||
432 | } | |||
433 | ||||
434 | static int | |||
435 | dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max) | |||
436 | { | |||
437 | size_t frag_off, frag_len, msg_len; | |||
438 | ||||
439 | msg_len = msg_hdr->msg_len; | |||
440 | frag_off = msg_hdr->frag_off; | |||
441 | frag_len = msg_hdr->frag_len; | |||
442 | ||||
443 | /* sanity checking */ | |||
444 | if ((frag_off + frag_len) > msg_len) { | |||
445 | SSLerror(s, SSL_R_EXCESSIVE_MESSAGE_SIZE)SSL_error_internal(s, 152, "/usr/src/lib/libssl/d1_both.c", 445 ); | |||
446 | return SSL_AD_ILLEGAL_PARAMETER47; | |||
447 | } | |||
448 | ||||
449 | if ((frag_off + frag_len) > (unsigned long)max) { | |||
450 | SSLerror(s, SSL_R_EXCESSIVE_MESSAGE_SIZE)SSL_error_internal(s, 152, "/usr/src/lib/libssl/d1_both.c", 450 ); | |||
451 | return SSL_AD_ILLEGAL_PARAMETER47; | |||
452 | } | |||
453 | ||||
454 | if ( s->d1->r_msg_hdr.frag_off == 0) /* first fragment */ | |||
455 | { | |||
456 | /* | |||
457 | * msg_len is limited to 2^24, but is effectively checked | |||
458 | * against max above | |||
459 | */ | |||
460 | if (!BUF_MEM_grow_clean(s->internal->init_buf, | |||
461 | msg_len + DTLS1_HM_HEADER_LENGTH12)) { | |||
462 | SSLerror(s, ERR_R_BUF_LIB)SSL_error_internal(s, 7, "/usr/src/lib/libssl/d1_both.c", 462 ); | |||
463 | return SSL_AD_INTERNAL_ERROR80; | |||
464 | } | |||
465 | ||||
466 | S3I(s)(s->s3->internal)->hs.tls12.message_size = msg_len; | |||
467 | s->d1->r_msg_hdr.msg_len = msg_len; | |||
468 | S3I(s)(s->s3->internal)->hs.tls12.message_type = msg_hdr->type; | |||
469 | s->d1->r_msg_hdr.type = msg_hdr->type; | |||
470 | s->d1->r_msg_hdr.seq = msg_hdr->seq; | |||
471 | } else if (msg_len != s->d1->r_msg_hdr.msg_len) { | |||
472 | /* | |||
473 | * They must be playing with us! BTW, failure to enforce | |||
474 | * upper limit would open possibility for buffer overrun. | |||
475 | */ | |||
476 | SSLerror(s, SSL_R_EXCESSIVE_MESSAGE_SIZE)SSL_error_internal(s, 152, "/usr/src/lib/libssl/d1_both.c", 476 ); | |||
477 | return SSL_AD_ILLEGAL_PARAMETER47; | |||
478 | } | |||
479 | ||||
480 | return 0; /* no error */ | |||
481 | } | |||
482 | ||||
483 | static int | |||
484 | dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) | |||
485 | { | |||
486 | /* | |||
487 | * (0) check whether the desired fragment is available | |||
488 | * if so: | |||
489 | * (1) copy over the fragment to s->internal->init_buf->data[] | |||
490 | * (2) update s->internal->init_num | |||
491 | */ | |||
492 | pitem *item; | |||
493 | hm_fragment *frag; | |||
494 | int al; | |||
495 | ||||
496 | *ok = 0; | |||
497 | item = pqueue_peek(s->d1->buffered_messages); | |||
498 | if (item == NULL((void*)0)) | |||
499 | return 0; | |||
500 | ||||
501 | frag = (hm_fragment *)item->data; | |||
502 | ||||
503 | /* Don't return if reassembly still in progress */ | |||
504 | if (frag->reassembly != NULL((void*)0)) | |||
505 | return 0; | |||
506 | ||||
507 | if (s->d1->handshake_read_seq == frag->msg_header.seq) { | |||
508 | unsigned long frag_len = frag->msg_header.frag_len; | |||
509 | pqueue_pop(s->d1->buffered_messages); | |||
510 | ||||
511 | al = dtls1_preprocess_fragment(s, &frag->msg_header, max); | |||
512 | ||||
513 | if (al == 0) /* no alert */ | |||
514 | { | |||
515 | unsigned char *p = (unsigned char *)s->internal->init_buf->data + DTLS1_HM_HEADER_LENGTH12; | |||
516 | memcpy(&p[frag->msg_header.frag_off], | |||
517 | frag->fragment, frag->msg_header.frag_len); | |||
518 | } | |||
519 | ||||
520 | dtls1_hm_fragment_free(frag); | |||
521 | pitem_free(item); | |||
522 | ||||
523 | if (al == 0) { | |||
524 | *ok = 1; | |||
525 | return frag_len; | |||
526 | } | |||
527 | ||||
528 | ssl3_send_alert(s, SSL3_AL_FATAL2, al); | |||
529 | s->internal->init_num = 0; | |||
530 | *ok = 0; | |||
531 | return -1; | |||
532 | } else | |||
533 | return 0; | |||
534 | } | |||
535 | ||||
536 | /* | |||
537 | * dtls1_max_handshake_message_len returns the maximum number of bytes | |||
538 | * permitted in a DTLS handshake message for |s|. The minimum is 16KB, | |||
539 | * but may be greater if the maximum certificate list size requires it. | |||
540 | */ | |||
541 | static unsigned long | |||
542 | dtls1_max_handshake_message_len(const SSL *s) | |||
543 | { | |||
544 | unsigned long max_len; | |||
545 | ||||
546 | max_len = DTLS1_HM_HEADER_LENGTH12 + SSL3_RT_MAX_ENCRYPTED_LENGTH((256 + 64)+16384); | |||
547 | if (max_len < (unsigned long)s->internal->max_cert_list) | |||
548 | return s->internal->max_cert_list; | |||
549 | return max_len; | |||
550 | } | |||
551 | ||||
552 | static int | |||
553 | dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) | |||
554 | { | |||
555 | hm_fragment *frag = NULL((void*)0); | |||
556 | pitem *item = NULL((void*)0); | |||
557 | int i = -1, is_complete; | |||
558 | unsigned char seq64be[8]; | |||
559 | unsigned long frag_len = msg_hdr->frag_len; | |||
560 | ||||
561 | if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len || | |||
562 | msg_hdr->msg_len > dtls1_max_handshake_message_len(s)) | |||
563 | goto err; | |||
564 | ||||
565 | if (frag_len == 0) { | |||
566 | i = DTLS1_HM_FRAGMENT_RETRY-3; | |||
567 | goto err; | |||
568 | } | |||
569 | ||||
570 | /* Try to find item in queue */ | |||
571 | memset(seq64be, 0, sizeof(seq64be)); | |||
572 | seq64be[6] = (unsigned char)(msg_hdr->seq >> 8); | |||
573 | seq64be[7] = (unsigned char)msg_hdr->seq; | |||
574 | item = pqueue_find(s->d1->buffered_messages, seq64be); | |||
575 | ||||
576 | if (item == NULL((void*)0)) { | |||
577 | frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 1); | |||
578 | if (frag == NULL((void*)0)) | |||
579 | goto err; | |||
580 | memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); | |||
581 | frag->msg_header.frag_len = frag->msg_header.msg_len; | |||
582 | frag->msg_header.frag_off = 0; | |||
583 | } else { | |||
584 | frag = (hm_fragment*)item->data; | |||
585 | if (frag->msg_header.msg_len != msg_hdr->msg_len) { | |||
586 | item = NULL((void*)0); | |||
587 | frag = NULL((void*)0); | |||
588 | goto err; | |||
589 | } | |||
590 | } | |||
591 | ||||
592 | /* | |||
593 | * If message is already reassembled, this must be a | |||
594 | * retransmit and can be dropped. | |||
595 | */ | |||
596 | if (frag->reassembly == NULL((void*)0)) { | |||
597 | unsigned char devnull [256]; | |||
598 | ||||
599 | while (frag_len) { | |||
600 | i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE22, | |||
601 | devnull, frag_len > sizeof(devnull) ? | |||
602 | sizeof(devnull) : frag_len, 0); | |||
603 | if (i <= 0) | |||
604 | goto err; | |||
605 | frag_len -= i; | |||
606 | } | |||
607 | i = DTLS1_HM_FRAGMENT_RETRY-3; | |||
608 | goto err; | |||
609 | } | |||
610 | ||||
611 | /* read the body of the fragment (header has already been read */ | |||
612 | i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE22, | |||
613 | frag->fragment + msg_hdr->frag_off, frag_len, 0); | |||
614 | if (i <= 0 || (unsigned long)i != frag_len) | |||
615 | goto err; | |||
616 | ||||
617 | RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off,{ if (((long)(msg_hdr->frag_off + frag_len)) - ((long)msg_hdr ->frag_off) <= 8) { long ii; for (ii = ((long)msg_hdr-> frag_off); ii < ((long)(msg_hdr->frag_off + frag_len)); ii++) frag->reassembly[((ii) >> 3)] |= (1 << ( (ii) & 7)); } else { long ii; frag->reassembly[(((long )msg_hdr->frag_off) >> 3)] |= bitmask_start_values[( ((long)msg_hdr->frag_off) & 7)]; for (ii = ((((long)msg_hdr ->frag_off) >> 3) + 1); ii < (((((long)(msg_hdr-> frag_off + frag_len)) - 1)) >> 3); ii++) frag->reassembly [ii] = 0xff; frag->reassembly[((((long)(msg_hdr->frag_off + frag_len)) - 1) >> 3)] |= bitmask_end_values[(((long )(msg_hdr->frag_off + frag_len)) & 7)]; } } | |||
618 | (long)(msg_hdr->frag_off + frag_len)){ if (((long)(msg_hdr->frag_off + frag_len)) - ((long)msg_hdr ->frag_off) <= 8) { long ii; for (ii = ((long)msg_hdr-> frag_off); ii < ((long)(msg_hdr->frag_off + frag_len)); ii++) frag->reassembly[((ii) >> 3)] |= (1 << ( (ii) & 7)); } else { long ii; frag->reassembly[(((long )msg_hdr->frag_off) >> 3)] |= bitmask_start_values[( ((long)msg_hdr->frag_off) & 7)]; for (ii = ((((long)msg_hdr ->frag_off) >> 3) + 1); ii < (((((long)(msg_hdr-> frag_off + frag_len)) - 1)) >> 3); ii++) frag->reassembly [ii] = 0xff; frag->reassembly[((((long)(msg_hdr->frag_off + frag_len)) - 1) >> 3)] |= bitmask_end_values[(((long )(msg_hdr->frag_off + frag_len)) & 7)]; } }; | |||
619 | ||||
620 | RSMBLY_BITMASK_IS_COMPLETE(frag->reassembly, (long)msg_hdr->msg_len,{ long ii; (void)((((long)msg_hdr->msg_len) > 0) ? 0 : ( OpenSSLDie("/usr/src/lib/libssl/d1_both.c", 621, "((long)msg_hdr->msg_len) > 0" ),1)); is_complete = 1; if (frag->reassembly[((((long)msg_hdr ->msg_len) - 1) >> 3)] != bitmask_end_values[(((long )msg_hdr->msg_len) & 7)]) is_complete = 0; if (is_complete ) for (ii = ((((long)msg_hdr->msg_len) - 1) >> 3) - 1 ; ii >= 0 ; ii--) if (frag->reassembly[ii] != 0xff) { is_complete = 0; break; } } | |||
621 | is_complete){ long ii; (void)((((long)msg_hdr->msg_len) > 0) ? 0 : ( OpenSSLDie("/usr/src/lib/libssl/d1_both.c", 621, "((long)msg_hdr->msg_len) > 0" ),1)); is_complete = 1; if (frag->reassembly[((((long)msg_hdr ->msg_len) - 1) >> 3)] != bitmask_end_values[(((long )msg_hdr->msg_len) & 7)]) is_complete = 0; if (is_complete ) for (ii = ((((long)msg_hdr->msg_len) - 1) >> 3) - 1 ; ii >= 0 ; ii--) if (frag->reassembly[ii] != 0xff) { is_complete = 0; break; } }; | |||
622 | ||||
623 | if (is_complete) { | |||
624 | free(frag->reassembly); | |||
625 | frag->reassembly = NULL((void*)0); | |||
626 | } | |||
627 | ||||
628 | if (item == NULL((void*)0)) { | |||
629 | memset(seq64be, 0, sizeof(seq64be)); | |||
630 | seq64be[6] = (unsigned char)(msg_hdr->seq >> 8); | |||
631 | seq64be[7] = (unsigned char)(msg_hdr->seq); | |||
632 | ||||
633 | item = pitem_new(seq64be, frag); | |||
634 | if (item == NULL((void*)0)) { | |||
635 | i = -1; | |||
636 | goto err; | |||
637 | } | |||
638 | ||||
639 | pqueue_insert(s->d1->buffered_messages, item); | |||
640 | } | |||
641 | ||||
642 | return DTLS1_HM_FRAGMENT_RETRY-3; | |||
643 | ||||
644 | err: | |||
645 | if (item == NULL((void*)0) && frag != NULL((void*)0)) | |||
646 | dtls1_hm_fragment_free(frag); | |||
647 | *ok = 0; | |||
648 | return i; | |||
649 | } | |||
650 | ||||
651 | ||||
652 | static int | |||
653 | dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) | |||
654 | { | |||
655 | int i = -1; | |||
656 | hm_fragment *frag = NULL((void*)0); | |||
657 | pitem *item = NULL((void*)0); | |||
658 | unsigned char seq64be[8]; | |||
659 | unsigned long frag_len = msg_hdr->frag_len; | |||
660 | ||||
661 | if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len) | |||
662 | goto err; | |||
663 | ||||
664 | /* Try to find item in queue, to prevent duplicate entries */ | |||
665 | memset(seq64be, 0, sizeof(seq64be)); | |||
666 | seq64be[6] = (unsigned char) (msg_hdr->seq >> 8); | |||
667 | seq64be[7] = (unsigned char) msg_hdr->seq; | |||
668 | item = pqueue_find(s->d1->buffered_messages, seq64be); | |||
669 | ||||
670 | /* | |||
671 | * If we already have an entry and this one is a fragment, | |||
672 | * don't discard it and rather try to reassemble it. | |||
673 | */ | |||
674 | if (item != NULL((void*)0) && frag_len < msg_hdr->msg_len) | |||
675 | item = NULL((void*)0); | |||
676 | ||||
677 | /* | |||
678 | * Discard the message if sequence number was already there, is | |||
679 | * too far in the future, already in the queue or if we received | |||
680 | * a FINISHED before the SERVER_HELLO, which then must be a stale | |||
681 | * retransmit. | |||
682 | */ | |||
683 | if (msg_hdr->seq <= s->d1->handshake_read_seq || | |||
684 | msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL((void*)0) || | |||
685 | (s->d1->handshake_read_seq == 0 && | |||
686 | msg_hdr->type == SSL3_MT_FINISHED20)) { | |||
687 | unsigned char devnull [256]; | |||
688 | ||||
689 | while (frag_len) { | |||
690 | i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE22, | |||
691 | devnull, frag_len > sizeof(devnull) ? | |||
692 | sizeof(devnull) : frag_len, 0); | |||
693 | if (i <= 0) | |||
694 | goto err; | |||
695 | frag_len -= i; | |||
696 | } | |||
697 | } else { | |||
698 | if (frag_len < msg_hdr->msg_len) | |||
699 | return dtls1_reassemble_fragment(s, msg_hdr, ok); | |||
700 | ||||
701 | if (frag_len > dtls1_max_handshake_message_len(s)) | |||
702 | goto err; | |||
703 | ||||
704 | frag = dtls1_hm_fragment_new(frag_len, 0); | |||
705 | if (frag == NULL((void*)0)) | |||
706 | goto err; | |||
707 | ||||
708 | memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); | |||
709 | ||||
710 | if (frag_len) { | |||
711 | /* read the body of the fragment (header has already been read */ | |||
712 | i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE22, | |||
713 | frag->fragment, frag_len, 0); | |||
714 | if (i <= 0 || (unsigned long)i != frag_len) | |||
715 | goto err; | |||
716 | } | |||
717 | ||||
718 | memset(seq64be, 0, sizeof(seq64be)); | |||
719 | seq64be[6] = (unsigned char)(msg_hdr->seq >> 8); | |||
720 | seq64be[7] = (unsigned char)(msg_hdr->seq); | |||
721 | ||||
722 | item = pitem_new(seq64be, frag); | |||
723 | if (item == NULL((void*)0)) | |||
724 | goto err; | |||
725 | ||||
726 | pqueue_insert(s->d1->buffered_messages, item); | |||
727 | } | |||
728 | ||||
729 | return DTLS1_HM_FRAGMENT_RETRY-3; | |||
730 | ||||
731 | err: | |||
732 | if (item == NULL((void*)0) && frag != NULL((void*)0)) | |||
733 | dtls1_hm_fragment_free(frag); | |||
734 | *ok = 0; | |||
735 | return i; | |||
736 | } | |||
737 | ||||
738 | ||||
739 | static long | |||
740 | dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) | |||
741 | { | |||
742 | unsigned char wire[DTLS1_HM_HEADER_LENGTH12]; | |||
743 | unsigned long len, frag_off, frag_len; | |||
744 | struct hm_header_st msg_hdr; | |||
745 | int i, al; | |||
746 | CBS cbs; | |||
747 | ||||
748 | again: | |||
749 | /* see if we have the required fragment already */ | |||
750 | if ((frag_len = dtls1_retrieve_buffered_fragment(s, max, ok)) || *ok) { | |||
751 | if (*ok) | |||
752 | s->internal->init_num = frag_len; | |||
753 | return frag_len; | |||
754 | } | |||
755 | ||||
756 | /* read handshake message header */ | |||
757 | i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE22, wire, | |||
758 | DTLS1_HM_HEADER_LENGTH12, 0); | |||
759 | if (i <= 0) { | |||
760 | /* nbio, or an error */ | |||
761 | s->internal->rwstate = SSL_READING3; | |||
762 | *ok = 0; | |||
763 | return i; | |||
764 | } | |||
765 | ||||
766 | CBS_init(&cbs, wire, i); | |||
767 | if (!dtls1_get_message_header(&cbs, &msg_hdr)) { | |||
768 | /* Handshake fails if message header is incomplete. */ | |||
769 | al = SSL_AD_UNEXPECTED_MESSAGE10; | |||
770 | SSLerror(s, SSL_R_UNEXPECTED_MESSAGE)SSL_error_internal(s, 244, "/usr/src/lib/libssl/d1_both.c", 770 ); | |||
771 | goto fatal_err; | |||
772 | } | |||
773 | ||||
774 | /* | |||
775 | * if this is a future (or stale) message it gets buffered | |||
776 | * (or dropped)--no further processing at this time | |||
777 | * While listening, we accept seq 1 (ClientHello with cookie) | |||
778 | * although we're still expecting seq 0 (ClientHello) | |||
779 | */ | |||
780 | if (msg_hdr.seq != s->d1->handshake_read_seq && | |||
781 | !(s->d1->listen && msg_hdr.seq == 1)) | |||
782 | return dtls1_process_out_of_seq_message(s, &msg_hdr, ok); | |||
783 | ||||
784 | len = msg_hdr.msg_len; | |||
785 | frag_off = msg_hdr.frag_off; | |||
786 | frag_len = msg_hdr.frag_len; | |||
787 | ||||
788 | if (frag_len && frag_len < len) | |||
789 | return dtls1_reassemble_fragment(s, &msg_hdr, ok); | |||
790 | ||||
791 | if (!s->server && s->d1->r_msg_hdr.frag_off == 0 && | |||
792 | wire[0] == SSL3_MT_HELLO_REQUEST0) { | |||
793 | /* | |||
794 | * The server may always send 'Hello Request' messages -- | |||
795 | * we are doing a handshake anyway now, so ignore them | |||
796 | * if their format is correct. Does not count for | |||
797 | * 'Finished' MAC. | |||
798 | */ | |||
799 | if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0) { | |||
800 | if (s->internal->msg_callback) | |||
801 | s->internal->msg_callback(0, s->version, | |||
802 | SSL3_RT_HANDSHAKE22, wire, | |||
803 | DTLS1_HM_HEADER_LENGTH12, s, | |||
804 | s->internal->msg_callback_arg); | |||
805 | ||||
806 | s->internal->init_num = 0; | |||
807 | goto again; | |||
808 | } | |||
809 | else /* Incorrectly formated Hello request */ | |||
810 | { | |||
811 | al = SSL_AD_UNEXPECTED_MESSAGE10; | |||
812 | SSLerror(s, SSL_R_UNEXPECTED_MESSAGE)SSL_error_internal(s, 244, "/usr/src/lib/libssl/d1_both.c", 812 ); | |||
813 | goto fatal_err; | |||
814 | } | |||
815 | } | |||
816 | ||||
817 | if ((al = dtls1_preprocess_fragment(s, &msg_hdr, max))) | |||
818 | goto fatal_err; | |||
819 | ||||
820 | /* XDTLS: ressurect this when restart is in place */ | |||
821 | S3I(s)(s->s3->internal)->hs.state = stn; | |||
822 | ||||
823 | if (frag_len > 0) { | |||
824 | unsigned char *p = (unsigned char *)s->internal->init_buf->data + DTLS1_HM_HEADER_LENGTH12; | |||
825 | ||||
826 | i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE22, | |||
827 | &p[frag_off], frag_len, 0); | |||
828 | /* XDTLS: fix this--message fragments cannot span multiple packets */ | |||
829 | if (i <= 0) { | |||
830 | s->internal->rwstate = SSL_READING3; | |||
831 | *ok = 0; | |||
832 | return i; | |||
833 | } | |||
834 | } else | |||
835 | i = 0; | |||
836 | ||||
837 | /* | |||
838 | * XDTLS: an incorrectly formatted fragment should cause the | |||
839 | * handshake to fail | |||
840 | */ | |||
841 | if (i != (int)frag_len) { | |||
842 | al = SSL_AD_ILLEGAL_PARAMETER47; | |||
843 | SSLerror(s, SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER)SSL_error_internal(s, 1047, "/usr/src/lib/libssl/d1_both.c", 843 ); | |||
844 | goto fatal_err; | |||
845 | } | |||
846 | ||||
847 | /* | |||
848 | * Note that s->internal->init_num is *not* used as current offset in | |||
849 | * s->internal->init_buf->data, but as a counter summing up fragments' | |||
850 | * lengths: as soon as they sum up to handshake packet | |||
851 | * length, we assume we have got all the fragments. | |||
852 | */ | |||
853 | s->internal->init_num = frag_len; | |||
854 | *ok = 1; | |||
855 | return frag_len; | |||
856 | ||||
857 | fatal_err: | |||
858 | ssl3_send_alert(s, SSL3_AL_FATAL2, al); | |||
859 | s->internal->init_num = 0; | |||
860 | ||||
861 | *ok = 0; | |||
862 | return (-1); | |||
863 | } | |||
864 | ||||
865 | int | |||
866 | dtls1_read_failed(SSL *s, int code) | |||
867 | { | |||
868 | if (code > 0) { | |||
869 | #ifdef DEBUG | |||
870 | fprintf(stderr(&__sF[2]), "invalid state reached %s:%d", | |||
871 | __FILE__"/usr/src/lib/libssl/d1_both.c", __LINE__871); | |||
872 | #endif | |||
873 | return 1; | |||
874 | } | |||
875 | ||||
876 | if (!dtls1_is_timer_expired(s)) { | |||
877 | /* | |||
878 | * not a timeout, none of our business, let higher layers | |||
879 | * handle this. in fact it's probably an error | |||
880 | */ | |||
881 | return code; | |||
882 | } | |||
883 | ||||
884 | if (!SSL_in_init(s)(SSL_state((s))&(0x1000|0x2000))) /* done, no need to send a retransmit */ | |||
885 | { | |||
886 | BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ0x01); | |||
887 | return code; | |||
888 | } | |||
889 | ||||
890 | return dtls1_handle_timeout(s); | |||
891 | } | |||
892 | ||||
893 | int | |||
894 | dtls1_get_queue_priority(unsigned short seq, int is_ccs) | |||
895 | { | |||
896 | /* | |||
897 | * The index of the retransmission queue actually is the message | |||
898 | * sequence number, since the queue only contains messages of a | |||
899 | * single handshake. However, the ChangeCipherSpec has no message | |||
900 | * sequence number and so using only the sequence will result in | |||
901 | * the CCS and Finished having the same index. To prevent this, the | |||
902 | * sequence number is multiplied by 2. In case of a CCS 1 is | |||
903 | * subtracted. This does not only differ CSS and Finished, it also | |||
904 | * maintains the order of the index (important for priority queues) | |||
905 | * and fits in the unsigned short variable. | |||
906 | */ | |||
907 | return seq * 2 - is_ccs; | |||
908 | } | |||
909 | ||||
910 | int | |||
911 | dtls1_retransmit_buffered_messages(SSL *s) | |||
912 | { | |||
913 | pqueue sent = s->d1->sent_messages; | |||
914 | piterator iter; | |||
915 | pitem *item; | |||
916 | hm_fragment *frag; | |||
917 | int found = 0; | |||
918 | ||||
919 | iter = pqueue_iterator(sent); | |||
920 | ||||
921 | for (item = pqueue_next(&iter); item != NULL((void*)0); | |||
922 | item = pqueue_next(&iter)) { | |||
923 | frag = (hm_fragment *)item->data; | |||
924 | if (dtls1_retransmit_message(s, | |||
925 | (unsigned short)dtls1_get_queue_priority( | |||
926 | frag->msg_header.seq, frag->msg_header.is_ccs), 0, | |||
927 | &found) <= 0 && found) { | |||
928 | #ifdef DEBUG | |||
929 | fprintf(stderr(&__sF[2]), "dtls1_retransmit_message() failed\n"); | |||
930 | #endif | |||
931 | return -1; | |||
932 | } | |||
933 | } | |||
934 | ||||
935 | return 1; | |||
936 | } | |||
937 | ||||
938 | int | |||
939 | dtls1_buffer_message(SSL *s, int is_ccs) | |||
940 | { | |||
941 | pitem *item; | |||
942 | hm_fragment *frag; | |||
943 | unsigned char seq64be[8]; | |||
944 | ||||
945 | /* Buffer the messsage in order to handle DTLS retransmissions. */ | |||
946 | ||||
947 | /* | |||
948 | * This function is called immediately after a message has | |||
949 | * been serialized | |||
950 | */ | |||
951 | OPENSSL_assert(s->internal->init_off == 0)(void)((s->internal->init_off == 0) ? 0 : (OpenSSLDie("/usr/src/lib/libssl/d1_both.c" , 951, "s->internal->init_off == 0"),1)); | |||
| ||||
952 | ||||
953 | frag = dtls1_hm_fragment_new(s->internal->init_num, 0); | |||
954 | if (frag
| |||
955 | return 0; | |||
956 | ||||
957 | memcpy(frag->fragment, s->internal->init_buf->data, s->internal->init_num); | |||
| ||||
958 | ||||
959 | OPENSSL_assert(s->d1->w_msg_hdr.msg_len +(void)((s->d1->w_msg_hdr.msg_len + (is_ccs ? 1 : 12) == (unsigned int)s->internal->init_num) ? 0 : (OpenSSLDie ("/usr/src/lib/libssl/d1_both.c", 961, "s->d1->w_msg_hdr.msg_len + (is_ccs ? DTLS1_CCS_HEADER_LENGTH : DTLS1_HM_HEADER_LENGTH) == (unsigned int)s->internal->init_num" ),1)) | |||
960 | (is_ccs ? DTLS1_CCS_HEADER_LENGTH : DTLS1_HM_HEADER_LENGTH) ==(void)((s->d1->w_msg_hdr.msg_len + (is_ccs ? 1 : 12) == (unsigned int)s->internal->init_num) ? 0 : (OpenSSLDie ("/usr/src/lib/libssl/d1_both.c", 961, "s->d1->w_msg_hdr.msg_len + (is_ccs ? DTLS1_CCS_HEADER_LENGTH : DTLS1_HM_HEADER_LENGTH) == (unsigned int)s->internal->init_num" ),1)) | |||
961 | (unsigned int)s->internal->init_num)(void)((s->d1->w_msg_hdr.msg_len + (is_ccs ? 1 : 12) == (unsigned int)s->internal->init_num) ? 0 : (OpenSSLDie ("/usr/src/lib/libssl/d1_both.c", 961, "s->d1->w_msg_hdr.msg_len + (is_ccs ? DTLS1_CCS_HEADER_LENGTH : DTLS1_HM_HEADER_LENGTH) == (unsigned int)s->internal->init_num" ),1)); | |||
962 | ||||
963 | frag->msg_header.msg_len = s->d1->w_msg_hdr.msg_len; | |||
964 | frag->msg_header.seq = s->d1->w_msg_hdr.seq; | |||
965 | frag->msg_header.type = s->d1->w_msg_hdr.type; | |||
966 | frag->msg_header.frag_off = 0; | |||
967 | frag->msg_header.frag_len = s->d1->w_msg_hdr.msg_len; | |||
968 | frag->msg_header.is_ccs = is_ccs; | |||
969 | ||||
970 | /* save current state*/ | |||
971 | frag->msg_header.saved_retransmit_state.session = s->session; | |||
972 | frag->msg_header.saved_retransmit_state.epoch = | |||
973 | tls12_record_layer_write_epoch(s->internal->rl); | |||
974 | ||||
975 | memset(seq64be, 0, sizeof(seq64be)); | |||
976 | seq64be[6] = (unsigned char)(dtls1_get_queue_priority( | |||
977 | frag->msg_header.seq, frag->msg_header.is_ccs) >> 8); | |||
978 | seq64be[7] = (unsigned char)(dtls1_get_queue_priority( | |||
979 | frag->msg_header.seq, frag->msg_header.is_ccs)); | |||
980 | ||||
981 | item = pitem_new(seq64be, frag); | |||
982 | if (item == NULL((void*)0)) { | |||
983 | dtls1_hm_fragment_free(frag); | |||
984 | return 0; | |||
985 | } | |||
986 | ||||
987 | pqueue_insert(s->d1->sent_messages, item); | |||
988 | return 1; | |||
989 | } | |||
990 | ||||
991 | int | |||
992 | dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off, | |||
993 | int *found) | |||
994 | { | |||
995 | int ret; | |||
996 | /* XDTLS: for now assuming that read/writes are blocking */ | |||
997 | pitem *item; | |||
998 | hm_fragment *frag; | |||
999 | unsigned long header_length; | |||
1000 | unsigned char seq64be[8]; | |||
1001 | struct dtls1_retransmit_state saved_state; | |||
1002 | ||||
1003 | /* | |||
1004 | OPENSSL_assert(s->internal->init_num == 0); | |||
1005 | OPENSSL_assert(s->internal->init_off == 0); | |||
1006 | */ | |||
1007 | ||||
1008 | /* XDTLS: the requested message ought to be found, otherwise error */ | |||
1009 | memset(seq64be, 0, sizeof(seq64be)); | |||
1010 | seq64be[6] = (unsigned char)(seq >> 8); | |||
1011 | seq64be[7] = (unsigned char)seq; | |||
1012 | ||||
1013 | item = pqueue_find(s->d1->sent_messages, seq64be); | |||
1014 | if (item == NULL((void*)0)) { | |||
1015 | #ifdef DEBUG | |||
1016 | fprintf(stderr(&__sF[2]), "retransmit: message %d non-existent\n", seq); | |||
1017 | #endif | |||
1018 | *found = 0; | |||
1019 | return 0; | |||
1020 | } | |||
1021 | ||||
1022 | *found = 1; | |||
1023 | frag = (hm_fragment *)item->data; | |||
1024 | ||||
1025 | if (frag->msg_header.is_ccs) | |||
1026 | header_length = DTLS1_CCS_HEADER_LENGTH1; | |||
1027 | else | |||
1028 | header_length = DTLS1_HM_HEADER_LENGTH12; | |||
1029 | ||||
1030 | memcpy(s->internal->init_buf->data, frag->fragment, | |||
1031 | frag->msg_header.msg_len + header_length); | |||
1032 | s->internal->init_num = frag->msg_header.msg_len + header_length; | |||
1033 | ||||
1034 | dtls1_set_message_header_int(s, frag->msg_header.type, | |||
1035 | frag->msg_header.msg_len, frag->msg_header.seq, 0, | |||
1036 | frag->msg_header.frag_len); | |||
1037 | ||||
1038 | /* save current state */ | |||
1039 | saved_state.session = s->session; | |||
1040 | saved_state.epoch = tls12_record_layer_write_epoch(s->internal->rl); | |||
1041 | ||||
1042 | s->d1->retransmitting = 1; | |||
1043 | ||||
1044 | /* restore state in which the message was originally sent */ | |||
1045 | s->session = frag->msg_header.saved_retransmit_state.session; | |||
1046 | if (!tls12_record_layer_use_write_epoch(s->internal->rl, | |||
1047 | frag->msg_header.saved_retransmit_state.epoch)) | |||
1048 | return 0; | |||
1049 | ||||
1050 | ret = dtls1_do_write(s, frag->msg_header.is_ccs ? | |||
1051 | SSL3_RT_CHANGE_CIPHER_SPEC20 : SSL3_RT_HANDSHAKE22); | |||
1052 | ||||
1053 | /* restore current state */ | |||
1054 | s->session = saved_state.session; | |||
1055 | if (!tls12_record_layer_use_write_epoch(s->internal->rl, | |||
1056 | saved_state.epoch)) | |||
1057 | return 0; | |||
1058 | ||||
1059 | s->d1->retransmitting = 0; | |||
1060 | ||||
1061 | (void)BIO_flush(SSL_get_wbio(s))(int)BIO_ctrl(SSL_get_wbio(s),11,0,((void*)0)); | |||
1062 | return ret; | |||
1063 | } | |||
1064 | ||||
1065 | /* call this function when the buffered messages are no longer needed */ | |||
1066 | void | |||
1067 | dtls1_clear_record_buffer(SSL *s) | |||
1068 | { | |||
1069 | hm_fragment *frag; | |||
1070 | pitem *item; | |||
1071 | ||||
1072 | for(item = pqueue_pop(s->d1->sent_messages); item != NULL((void*)0); | |||
1073 | item = pqueue_pop(s->d1->sent_messages)) { | |||
1074 | frag = item->data; | |||
1075 | if (frag->msg_header.is_ccs) | |||
1076 | tls12_record_layer_write_epoch_done(s->internal->rl, | |||
1077 | frag->msg_header.saved_retransmit_state.epoch); | |||
1078 | dtls1_hm_fragment_free(frag); | |||
1079 | pitem_free(item); | |||
1080 | } | |||
1081 | } | |||
1082 | ||||
1083 | void | |||
1084 | dtls1_set_message_header(SSL *s, unsigned char mt, unsigned long len, | |||
1085 | unsigned long frag_off, unsigned long frag_len) | |||
1086 | { | |||
1087 | /* Don't change sequence numbers while listening */ | |||
1088 | if (frag_off == 0 && !s->d1->listen) { | |||
1089 | s->d1->handshake_write_seq = s->d1->next_handshake_write_seq; | |||
1090 | s->d1->next_handshake_write_seq++; | |||
1091 | } | |||
1092 | ||||
1093 | dtls1_set_message_header_int(s, mt, len, s->d1->handshake_write_seq, | |||
1094 | frag_off, frag_len); | |||
1095 | } | |||
1096 | ||||
1097 | /* don't actually do the writing, wait till the MTU has been retrieved */ | |||
1098 | void | |||
1099 | dtls1_set_message_header_int(SSL *s, unsigned char mt, unsigned long len, | |||
1100 | unsigned short seq_num, unsigned long frag_off, unsigned long frag_len) | |||
1101 | { | |||
1102 | struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; | |||
1103 | ||||
1104 | msg_hdr->type = mt; | |||
1105 | msg_hdr->msg_len = len; | |||
1106 | msg_hdr->seq = seq_num; | |||
1107 | msg_hdr->frag_off = frag_off; | |||
1108 | msg_hdr->frag_len = frag_len; | |||
1109 | } | |||
1110 | ||||
1111 | static void | |||
1112 | dtls1_fix_message_header(SSL *s, unsigned long frag_off, unsigned long frag_len) | |||
1113 | { | |||
1114 | struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; | |||
1115 | ||||
1116 | msg_hdr->frag_off = frag_off; | |||
1117 | msg_hdr->frag_len = frag_len; | |||
1118 | } | |||
1119 | ||||
1120 | static int | |||
1121 | dtls1_write_message_header(const struct hm_header_st *msg_hdr, | |||
1122 | unsigned long frag_off, unsigned long frag_len, unsigned char *p) | |||
1123 | { | |||
1124 | CBB cbb; | |||
1125 | ||||
1126 | /* We assume DTLS1_HM_HEADER_LENGTH bytes are available for now... */ | |||
1127 | if (!CBB_init_fixed(&cbb, p, DTLS1_HM_HEADER_LENGTH12)) | |||
1128 | return 0; | |||
1129 | if (!CBB_add_u8(&cbb, msg_hdr->type)) | |||
1130 | goto err; | |||
1131 | if (!CBB_add_u24(&cbb, msg_hdr->msg_len)) | |||
1132 | goto err; | |||
1133 | if (!CBB_add_u16(&cbb, msg_hdr->seq)) | |||
1134 | goto err; | |||
1135 | if (!CBB_add_u24(&cbb, frag_off)) | |||
1136 | goto err; | |||
1137 | if (!CBB_add_u24(&cbb, frag_len)) | |||
1138 | goto err; | |||
1139 | if (!CBB_finish(&cbb, NULL((void*)0), NULL((void*)0))) | |||
1140 | goto err; | |||
1141 | ||||
1142 | return 1; | |||
1143 | ||||
1144 | err: | |||
1145 | CBB_cleanup(&cbb); | |||
1146 | return 0; | |||
1147 | } | |||
1148 | ||||
1149 | unsigned int | |||
1150 | dtls1_min_mtu(void) | |||
1151 | { | |||
1152 | return (g_probable_mtu[(sizeof(g_probable_mtu) / | |||
1153 | sizeof(g_probable_mtu[0])) - 1]); | |||
1154 | } | |||
1155 | ||||
1156 | static unsigned int | |||
1157 | dtls1_guess_mtu(unsigned int curr_mtu) | |||
1158 | { | |||
1159 | unsigned int i; | |||
1160 | ||||
1161 | if (curr_mtu == 0) | |||
1162 | return g_probable_mtu[0]; | |||
1163 | ||||
1164 | for (i = 0; i < sizeof(g_probable_mtu) / sizeof(g_probable_mtu[0]); i++) | |||
1165 | if (curr_mtu > g_probable_mtu[i]) | |||
1166 | return g_probable_mtu[i]; | |||
1167 | ||||
1168 | return curr_mtu; | |||
1169 | } | |||
1170 | ||||
1171 | int | |||
1172 | dtls1_get_message_header(CBS *header, struct hm_header_st *msg_hdr) | |||
1173 | { | |||
1174 | uint32_t msg_len, frag_off, frag_len; | |||
1175 | uint16_t seq; | |||
1176 | uint8_t type; | |||
1177 | ||||
1178 | memset(msg_hdr, 0, sizeof(*msg_hdr)); | |||
1179 | ||||
1180 | if (!CBS_get_u8(header, &type)) | |||
1181 | return 0; | |||
1182 | if (!CBS_get_u24(header, &msg_len)) | |||
1183 | return 0; | |||
1184 | if (!CBS_get_u16(header, &seq)) | |||
1185 | return 0; | |||
1186 | if (!CBS_get_u24(header, &frag_off)) | |||
1187 | return 0; | |||
1188 | if (!CBS_get_u24(header, &frag_len)) | |||
1189 | return 0; | |||
1190 | ||||
1191 | msg_hdr->type = type; | |||
1192 | msg_hdr->msg_len = msg_len; | |||
1193 | msg_hdr->seq = seq; | |||
1194 | msg_hdr->frag_off = frag_off; | |||
1195 | msg_hdr->frag_len = frag_len; | |||
1196 | ||||
1197 | return 1; | |||
1198 | } |