statem_dtls.c 43 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311
  1. /* ssl/statem/statem_dtls.c */
  2. /*
  3. * DTLS implementation written by Nagendra Modadugu
  4. * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
  5. */
  6. /* ====================================================================
  7. * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
  8. *
  9. * Redistribution and use in source and binary forms, with or without
  10. * modification, are permitted provided that the following conditions
  11. * are met:
  12. *
  13. * 1. Redistributions of source code must retain the above copyright
  14. * notice, this list of conditions and the following disclaimer.
  15. *
  16. * 2. Redistributions in binary form must reproduce the above copyright
  17. * notice, this list of conditions and the following disclaimer in
  18. * the documentation and/or other materials provided with the
  19. * distribution.
  20. *
  21. * 3. All advertising materials mentioning features or use of this
  22. * software must display the following acknowledgment:
  23. * "This product includes software developed by the OpenSSL Project
  24. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  25. *
  26. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  27. * endorse or promote products derived from this software without
  28. * prior written permission. For written permission, please contact
  29. * openssl-core@openssl.org.
  30. *
  31. * 5. Products derived from this software may not be called "OpenSSL"
  32. * nor may "OpenSSL" appear in their names without prior written
  33. * permission of the OpenSSL Project.
  34. *
  35. * 6. Redistributions of any form whatsoever must retain the following
  36. * acknowledgment:
  37. * "This product includes software developed by the OpenSSL Project
  38. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  39. *
  40. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  41. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  42. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  43. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  44. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  45. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  46. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  47. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  49. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  50. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  51. * OF THE POSSIBILITY OF SUCH DAMAGE.
  52. * ====================================================================
  53. *
  54. * This product includes cryptographic software written by Eric Young
  55. * (eay@cryptsoft.com). This product includes software written by Tim
  56. * Hudson (tjh@cryptsoft.com).
  57. *
  58. */
  59. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  60. * All rights reserved.
  61. *
  62. * This package is an SSL implementation written
  63. * by Eric Young (eay@cryptsoft.com).
  64. * The implementation was written so as to conform with Netscapes SSL.
  65. *
  66. * This library is free for commercial and non-commercial use as long as
  67. * the following conditions are aheared to. The following conditions
  68. * apply to all code found in this distribution, be it the RC4, RSA,
  69. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  70. * included with this distribution is covered by the same copyright terms
  71. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  72. *
  73. * Copyright remains Eric Young's, and as such any Copyright notices in
  74. * the code are not to be removed.
  75. * If this package is used in a product, Eric Young should be given attribution
  76. * as the author of the parts of the library used.
  77. * This can be in the form of a textual message at program startup or
  78. * in documentation (online or textual) provided with the package.
  79. *
  80. * Redistribution and use in source and binary forms, with or without
  81. * modification, are permitted provided that the following conditions
  82. * are met:
  83. * 1. Redistributions of source code must retain the copyright
  84. * notice, this list of conditions and the following disclaimer.
  85. * 2. Redistributions in binary form must reproduce the above copyright
  86. * notice, this list of conditions and the following disclaimer in the
  87. * documentation and/or other materials provided with the distribution.
  88. * 3. All advertising materials mentioning features or use of this software
  89. * must display the following acknowledgement:
  90. * "This product includes cryptographic software written by
  91. * Eric Young (eay@cryptsoft.com)"
  92. * The word 'cryptographic' can be left out if the rouines from the library
  93. * being used are not cryptographic related :-).
  94. * 4. If you include any Windows specific code (or a derivative thereof) from
  95. * the apps directory (application code) you must include an acknowledgement:
  96. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  97. *
  98. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  99. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  100. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  101. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  102. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  103. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  104. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  105. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  106. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  107. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  108. * SUCH DAMAGE.
  109. *
  110. * The licence and distribution terms for any publically available version or
  111. * derivative of this code cannot be changed. i.e. this code cannot simply be
  112. * copied and put under another distribution licence
  113. * [including the GNU Public Licence.]
  114. */
  115. #include <limits.h>
  116. #include <string.h>
  117. #include <stdio.h>
  118. #include "../ssl_locl.h"
  119. #include "statem_locl.h"
  120. #include <openssl/buffer.h>
  121. #include <openssl/rand.h>
  122. #include <openssl/objects.h>
  123. #include <openssl/evp.h>
  124. #include <openssl/x509.h>
  125. #define RSMBLY_BITMASK_SIZE(msg_len) (((msg_len) + 7) / 8)
  126. #define RSMBLY_BITMASK_MARK(bitmask, start, end) { \
  127. if ((end) - (start) <= 8) { \
  128. long ii; \
  129. for (ii = (start); ii < (end); ii++) bitmask[((ii) >> 3)] |= (1 << ((ii) & 7)); \
  130. } else { \
  131. long ii; \
  132. bitmask[((start) >> 3)] |= bitmask_start_values[((start) & 7)]; \
  133. for (ii = (((start) >> 3) + 1); ii < ((((end) - 1)) >> 3); ii++) bitmask[ii] = 0xff; \
  134. bitmask[(((end) - 1) >> 3)] |= bitmask_end_values[((end) & 7)]; \
  135. } }
  136. #define RSMBLY_BITMASK_IS_COMPLETE(bitmask, msg_len, is_complete) { \
  137. long ii; \
  138. OPENSSL_assert((msg_len) > 0); \
  139. is_complete = 1; \
  140. if (bitmask[(((msg_len) - 1) >> 3)] != bitmask_end_values[((msg_len) & 7)]) is_complete = 0; \
  141. if (is_complete) for (ii = (((msg_len) - 1) >> 3) - 1; ii >= 0 ; ii--) \
  142. if (bitmask[ii] != 0xff) { is_complete = 0; break; } }
  143. static unsigned char bitmask_start_values[] =
  144. { 0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80 };
  145. static unsigned char bitmask_end_values[] =
  146. { 0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f };
  147. static void dtls1_fix_message_header(SSL *s, unsigned long frag_off,
  148. unsigned long frag_len);
  149. static unsigned char *dtls1_write_message_header(SSL *s, unsigned char *p);
  150. static void dtls1_set_message_header_int(SSL *s, unsigned char mt,
  151. unsigned long len,
  152. unsigned short seq_num,
  153. unsigned long frag_off,
  154. unsigned long frag_len);
  155. static int dtls_get_reassembled_message(SSL *s, long *len);
  156. static hm_fragment *dtls1_hm_fragment_new(unsigned long frag_len,
  157. int reassembly)
  158. {
  159. hm_fragment *frag = NULL;
  160. unsigned char *buf = NULL;
  161. unsigned char *bitmask = NULL;
  162. frag = OPENSSL_malloc(sizeof(*frag));
  163. if (frag == NULL)
  164. return NULL;
  165. if (frag_len) {
  166. buf = OPENSSL_malloc(frag_len);
  167. if (buf == NULL) {
  168. OPENSSL_free(frag);
  169. return NULL;
  170. }
  171. }
  172. /* zero length fragment gets zero frag->fragment */
  173. frag->fragment = buf;
  174. /* Initialize reassembly bitmask if necessary */
  175. if (reassembly) {
  176. bitmask = OPENSSL_zalloc(RSMBLY_BITMASK_SIZE(frag_len));
  177. if (bitmask == NULL) {
  178. OPENSSL_free(buf);
  179. OPENSSL_free(frag);
  180. return NULL;
  181. }
  182. }
  183. frag->reassembly = bitmask;
  184. return frag;
  185. }
  186. void dtls1_hm_fragment_free(hm_fragment *frag)
  187. {
  188. if (!frag)
  189. return;
  190. if (frag->msg_header.is_ccs) {
  191. EVP_CIPHER_CTX_free(frag->msg_header.
  192. saved_retransmit_state.enc_write_ctx);
  193. EVP_MD_CTX_free(frag->msg_header.saved_retransmit_state.write_hash);
  194. }
  195. OPENSSL_free(frag->fragment);
  196. OPENSSL_free(frag->reassembly);
  197. OPENSSL_free(frag);
  198. }
  199. /*
  200. * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
  201. * SSL3_RT_CHANGE_CIPHER_SPEC)
  202. */
  203. int dtls1_do_write(SSL *s, int type)
  204. {
  205. int ret;
  206. unsigned int curr_mtu;
  207. int retry = 1;
  208. unsigned int len, frag_off, mac_size, blocksize, used_len;
  209. if (!dtls1_query_mtu(s))
  210. return -1;
  211. OPENSSL_assert(s->d1->mtu >= dtls1_min_mtu(s)); /* should have something
  212. * reasonable now */
  213. if (s->init_off == 0 && type == SSL3_RT_HANDSHAKE)
  214. OPENSSL_assert(s->init_num ==
  215. (int)s->d1->w_msg_hdr.msg_len +
  216. DTLS1_HM_HEADER_LENGTH);
  217. if (s->write_hash) {
  218. if (s->enc_write_ctx
  219. && (EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_write_ctx)) &
  220. EVP_CIPH_FLAG_AEAD_CIPHER) != 0)
  221. mac_size = 0;
  222. else
  223. mac_size = EVP_MD_CTX_size(s->write_hash);
  224. } else
  225. mac_size = 0;
  226. if (s->enc_write_ctx &&
  227. (EVP_CIPHER_CTX_mode(s->enc_write_ctx) == EVP_CIPH_CBC_MODE))
  228. blocksize = 2 * EVP_CIPHER_CTX_block_size(s->enc_write_ctx);
  229. else
  230. blocksize = 0;
  231. frag_off = 0;
  232. s->rwstate = SSL_NOTHING;
  233. /* s->init_num shouldn't ever be < 0...but just in case */
  234. while (s->init_num > 0) {
  235. if (type == SSL3_RT_HANDSHAKE && s->init_off != 0) {
  236. /* We must be writing a fragment other than the first one */
  237. if (frag_off > 0) {
  238. /* This is the first attempt at writing out this fragment */
  239. if (s->init_off <= DTLS1_HM_HEADER_LENGTH) {
  240. /*
  241. * Each fragment that was already sent must at least have
  242. * contained the message header plus one other byte.
  243. * Therefore |init_off| must have progressed by at least
  244. * |DTLS1_HM_HEADER_LENGTH + 1| bytes. If not something went
  245. * wrong.
  246. */
  247. return -1;
  248. }
  249. /*
  250. * Adjust |init_off| and |init_num| to allow room for a new
  251. * message header for this fragment.
  252. */
  253. s->init_off -= DTLS1_HM_HEADER_LENGTH;
  254. s->init_num += DTLS1_HM_HEADER_LENGTH;
  255. } else {
  256. /*
  257. * We must have been called again after a retry so use the
  258. * fragment offset from our last attempt. We do not need
  259. * to adjust |init_off| and |init_num| as above, because
  260. * that should already have been done before the retry.
  261. */
  262. frag_off = s->d1->w_msg_hdr.frag_off;
  263. }
  264. }
  265. used_len = BIO_wpending(SSL_get_wbio(s)) + DTLS1_RT_HEADER_LENGTH
  266. + mac_size + blocksize;
  267. if (s->d1->mtu > used_len)
  268. curr_mtu = s->d1->mtu - used_len;
  269. else
  270. curr_mtu = 0;
  271. if (curr_mtu <= DTLS1_HM_HEADER_LENGTH) {
  272. /*
  273. * grr.. we could get an error if MTU picked was wrong
  274. */
  275. ret = BIO_flush(SSL_get_wbio(s));
  276. if (ret <= 0) {
  277. s->rwstate = SSL_WRITING;
  278. return ret;
  279. }
  280. used_len = DTLS1_RT_HEADER_LENGTH + mac_size + blocksize;
  281. if (s->d1->mtu > used_len + DTLS1_HM_HEADER_LENGTH) {
  282. curr_mtu = s->d1->mtu - used_len;
  283. } else {
  284. /* Shouldn't happen */
  285. return -1;
  286. }
  287. }
  288. /*
  289. * We just checked that s->init_num > 0 so this cast should be safe
  290. */
  291. if (((unsigned int)s->init_num) > curr_mtu)
  292. len = curr_mtu;
  293. else
  294. len = s->init_num;
  295. /* Shouldn't ever happen */
  296. if (len > INT_MAX)
  297. len = INT_MAX;
  298. /*
  299. * XDTLS: this function is too long. split out the CCS part
  300. */
  301. if (type == SSL3_RT_HANDSHAKE) {
  302. if (len < DTLS1_HM_HEADER_LENGTH) {
  303. /*
  304. * len is so small that we really can't do anything sensible
  305. * so fail
  306. */
  307. return -1;
  308. }
  309. dtls1_fix_message_header(s, frag_off,
  310. len - DTLS1_HM_HEADER_LENGTH);
  311. dtls1_write_message_header(s,
  312. (unsigned char *)&s->init_buf->
  313. data[s->init_off]);
  314. }
  315. ret = dtls1_write_bytes(s, type, &s->init_buf->data[s->init_off],
  316. len);
  317. if (ret < 0) {
  318. /*
  319. * might need to update MTU here, but we don't know which
  320. * previous packet caused the failure -- so can't really
  321. * retransmit anything. continue as if everything is fine and
  322. * wait for an alert to handle the retransmit
  323. */
  324. if (retry && BIO_ctrl(SSL_get_wbio(s),
  325. BIO_CTRL_DGRAM_MTU_EXCEEDED, 0, NULL) > 0) {
  326. if (!(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) {
  327. if (!dtls1_query_mtu(s))
  328. return -1;
  329. /* Have one more go */
  330. retry = 0;
  331. } else
  332. return -1;
  333. } else {
  334. return (-1);
  335. }
  336. } else {
  337. /*
  338. * bad if this assert fails, only part of the handshake message
  339. * got sent. but why would this happen?
  340. */
  341. OPENSSL_assert(len == (unsigned int)ret);
  342. if (type == SSL3_RT_HANDSHAKE && !s->d1->retransmitting) {
  343. /*
  344. * should not be done for 'Hello Request's, but in that case
  345. * we'll ignore the result anyway
  346. */
  347. unsigned char *p =
  348. (unsigned char *)&s->init_buf->data[s->init_off];
  349. const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
  350. int xlen;
  351. if (frag_off == 0 && s->version != DTLS1_BAD_VER) {
  352. /*
  353. * reconstruct message header is if it is being sent in
  354. * single fragment
  355. */
  356. *p++ = msg_hdr->type;
  357. l2n3(msg_hdr->msg_len, p);
  358. s2n(msg_hdr->seq, p);
  359. l2n3(0, p);
  360. l2n3(msg_hdr->msg_len, p);
  361. p -= DTLS1_HM_HEADER_LENGTH;
  362. xlen = ret;
  363. } else {
  364. p += DTLS1_HM_HEADER_LENGTH;
  365. xlen = ret - DTLS1_HM_HEADER_LENGTH;
  366. }
  367. ssl3_finish_mac(s, p, xlen);
  368. }
  369. if (ret == s->init_num) {
  370. if (s->msg_callback)
  371. s->msg_callback(1, s->version, type, s->init_buf->data,
  372. (size_t)(s->init_off + s->init_num), s,
  373. s->msg_callback_arg);
  374. s->init_off = 0; /* done writing this message */
  375. s->init_num = 0;
  376. return (1);
  377. }
  378. s->init_off += ret;
  379. s->init_num -= ret;
  380. ret -= DTLS1_HM_HEADER_LENGTH;
  381. frag_off += ret;
  382. /*
  383. * We save the fragment offset for the next fragment so we have it
  384. * available in case of an IO retry. We don't know the length of the
  385. * next fragment yet so just set that to 0 for now. It will be
  386. * updated again later.
  387. */
  388. dtls1_fix_message_header(s, frag_off, 0);
  389. }
  390. }
  391. return (0);
  392. }
  393. int dtls_get_message(SSL *s, int *mt, unsigned long *len)
  394. {
  395. struct hm_header_st *msg_hdr;
  396. unsigned char *p;
  397. unsigned long msg_len;
  398. int ok;
  399. long tmplen;
  400. msg_hdr = &s->d1->r_msg_hdr;
  401. memset(msg_hdr, 0, sizeof(*msg_hdr));
  402. again:
  403. ok = dtls_get_reassembled_message(s, &tmplen);
  404. if (tmplen == DTLS1_HM_BAD_FRAGMENT
  405. || tmplen == DTLS1_HM_FRAGMENT_RETRY) {
  406. /* bad fragment received */
  407. goto again;
  408. } else if (tmplen <= 0 && !ok) {
  409. return 0;
  410. }
  411. *mt = s->s3->tmp.message_type;
  412. p = (unsigned char *)s->init_buf->data;
  413. if (*mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
  414. if (s->msg_callback) {
  415. s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC,
  416. p, 1, s, s->msg_callback_arg);
  417. }
  418. /*
  419. * This isn't a real handshake message so skip the processing below.
  420. */
  421. *len = (unsigned long)tmplen;
  422. return 1;
  423. }
  424. msg_len = msg_hdr->msg_len;
  425. /* reconstruct message header */
  426. *(p++) = msg_hdr->type;
  427. l2n3(msg_len, p);
  428. s2n(msg_hdr->seq, p);
  429. l2n3(0, p);
  430. l2n3(msg_len, p);
  431. if (s->version != DTLS1_BAD_VER) {
  432. p -= DTLS1_HM_HEADER_LENGTH;
  433. msg_len += DTLS1_HM_HEADER_LENGTH;
  434. }
  435. ssl3_finish_mac(s, p, msg_len);
  436. if (s->msg_callback)
  437. s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
  438. p, msg_len, s, s->msg_callback_arg);
  439. memset(msg_hdr, 0, sizeof(*msg_hdr));
  440. s->d1->handshake_read_seq++;
  441. s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
  442. *len = s->init_num;
  443. return 1;
  444. }
  445. static int dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr)
  446. {
  447. size_t frag_off, frag_len, msg_len;
  448. msg_len = msg_hdr->msg_len;
  449. frag_off = msg_hdr->frag_off;
  450. frag_len = msg_hdr->frag_len;
  451. /* sanity checking */
  452. if ((frag_off + frag_len) > msg_len) {
  453. SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, SSL_R_EXCESSIVE_MESSAGE_SIZE);
  454. return SSL_AD_ILLEGAL_PARAMETER;
  455. }
  456. if (s->d1->r_msg_hdr.frag_off == 0) { /* first fragment */
  457. /*
  458. * msg_len is limited to 2^24, but is effectively checked against max
  459. * above
  460. */
  461. if (!BUF_MEM_grow_clean
  462. (s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH)) {
  463. SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB);
  464. return SSL_AD_INTERNAL_ERROR;
  465. }
  466. s->s3->tmp.message_size = msg_len;
  467. s->d1->r_msg_hdr.msg_len = msg_len;
  468. s->s3->tmp.message_type = msg_hdr->type;
  469. s->d1->r_msg_hdr.type = msg_hdr->type;
  470. s->d1->r_msg_hdr.seq = msg_hdr->seq;
  471. } else if (msg_len != s->d1->r_msg_hdr.msg_len) {
  472. /*
  473. * They must be playing with us! BTW, failure to enforce upper limit
  474. * would open possibility for buffer overrun.
  475. */
  476. SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, SSL_R_EXCESSIVE_MESSAGE_SIZE);
  477. return SSL_AD_ILLEGAL_PARAMETER;
  478. }
  479. return 0; /* no error */
  480. }
  481. static int dtls1_retrieve_buffered_fragment(SSL *s, int *ok)
  482. {
  483. /*-
  484. * (0) check whether the desired fragment is available
  485. * if so:
  486. * (1) copy over the fragment to s->init_buf->data[]
  487. * (2) update s->init_num
  488. */
  489. pitem *item;
  490. hm_fragment *frag;
  491. int al;
  492. *ok = 0;
  493. item = pqueue_peek(s->d1->buffered_messages);
  494. if (item == NULL)
  495. return 0;
  496. frag = (hm_fragment *)item->data;
  497. /* Don't return if reassembly still in progress */
  498. if (frag->reassembly != NULL)
  499. return 0;
  500. if (s->d1->handshake_read_seq == frag->msg_header.seq) {
  501. unsigned long frag_len = frag->msg_header.frag_len;
  502. pqueue_pop(s->d1->buffered_messages);
  503. al = dtls1_preprocess_fragment(s, &frag->msg_header);
  504. if (al == 0) { /* no alert */
  505. unsigned char *p =
  506. (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
  507. memcpy(&p[frag->msg_header.frag_off], frag->fragment,
  508. frag->msg_header.frag_len);
  509. }
  510. dtls1_hm_fragment_free(frag);
  511. pitem_free(item);
  512. if (al == 0) {
  513. *ok = 1;
  514. return frag_len;
  515. }
  516. ssl3_send_alert(s, SSL3_AL_FATAL, al);
  517. s->init_num = 0;
  518. *ok = 0;
  519. return -1;
  520. } else
  521. return 0;
  522. }
  523. /*
  524. * dtls1_max_handshake_message_len returns the maximum number of bytes
  525. * permitted in a DTLS handshake message for |s|. The minimum is 16KB, but
  526. * may be greater if the maximum certificate list size requires it.
  527. */
  528. static unsigned long dtls1_max_handshake_message_len(const SSL *s)
  529. {
  530. unsigned long max_len =
  531. DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
  532. if (max_len < (unsigned long)s->max_cert_list)
  533. return s->max_cert_list;
  534. return max_len;
  535. }
  536. static int
  537. dtls1_reassemble_fragment(SSL *s, const struct hm_header_st *msg_hdr, int *ok)
  538. {
  539. hm_fragment *frag = NULL;
  540. pitem *item = NULL;
  541. int i = -1, is_complete;
  542. unsigned char seq64be[8];
  543. unsigned long frag_len = msg_hdr->frag_len;
  544. if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len ||
  545. msg_hdr->msg_len > dtls1_max_handshake_message_len(s))
  546. goto err;
  547. if (frag_len == 0)
  548. return DTLS1_HM_FRAGMENT_RETRY;
  549. /* Try to find item in queue */
  550. memset(seq64be, 0, sizeof(seq64be));
  551. seq64be[6] = (unsigned char)(msg_hdr->seq >> 8);
  552. seq64be[7] = (unsigned char)msg_hdr->seq;
  553. item = pqueue_find(s->d1->buffered_messages, seq64be);
  554. if (item == NULL) {
  555. frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 1);
  556. if (frag == NULL)
  557. goto err;
  558. memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
  559. frag->msg_header.frag_len = frag->msg_header.msg_len;
  560. frag->msg_header.frag_off = 0;
  561. } else {
  562. frag = (hm_fragment *)item->data;
  563. if (frag->msg_header.msg_len != msg_hdr->msg_len) {
  564. item = NULL;
  565. frag = NULL;
  566. goto err;
  567. }
  568. }
  569. /*
  570. * If message is already reassembled, this must be a retransmit and can
  571. * be dropped. In this case item != NULL and so frag does not need to be
  572. * freed.
  573. */
  574. if (frag->reassembly == NULL) {
  575. unsigned char devnull[256];
  576. while (frag_len) {
  577. i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
  578. devnull,
  579. frag_len >
  580. sizeof(devnull) ? sizeof(devnull) :
  581. frag_len, 0);
  582. if (i <= 0)
  583. goto err;
  584. frag_len -= i;
  585. }
  586. return DTLS1_HM_FRAGMENT_RETRY;
  587. }
  588. /* read the body of the fragment (header has already been read */
  589. i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
  590. frag->fragment + msg_hdr->frag_off,
  591. frag_len, 0);
  592. if ((unsigned long)i != frag_len)
  593. i = -1;
  594. if (i <= 0)
  595. goto err;
  596. RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off,
  597. (long)(msg_hdr->frag_off + frag_len));
  598. RSMBLY_BITMASK_IS_COMPLETE(frag->reassembly, (long)msg_hdr->msg_len,
  599. is_complete);
  600. if (is_complete) {
  601. OPENSSL_free(frag->reassembly);
  602. frag->reassembly = NULL;
  603. }
  604. if (item == NULL) {
  605. item = pitem_new(seq64be, frag);
  606. if (item == NULL) {
  607. i = -1;
  608. goto err;
  609. }
  610. item = pqueue_insert(s->d1->buffered_messages, item);
  611. /*
  612. * pqueue_insert fails iff a duplicate item is inserted. However,
  613. * |item| cannot be a duplicate. If it were, |pqueue_find|, above,
  614. * would have returned it and control would never have reached this
  615. * branch.
  616. */
  617. OPENSSL_assert(item != NULL);
  618. }
  619. return DTLS1_HM_FRAGMENT_RETRY;
  620. err:
  621. if (item == NULL)
  622. dtls1_hm_fragment_free(frag);
  623. *ok = 0;
  624. return i;
  625. }
  626. static int
  627. dtls1_process_out_of_seq_message(SSL *s, const struct hm_header_st *msg_hdr,
  628. int *ok)
  629. {
  630. int i = -1;
  631. hm_fragment *frag = NULL;
  632. pitem *item = NULL;
  633. unsigned char seq64be[8];
  634. unsigned long frag_len = msg_hdr->frag_len;
  635. if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len)
  636. goto err;
  637. /* Try to find item in queue, to prevent duplicate entries */
  638. memset(seq64be, 0, sizeof(seq64be));
  639. seq64be[6] = (unsigned char)(msg_hdr->seq >> 8);
  640. seq64be[7] = (unsigned char)msg_hdr->seq;
  641. item = pqueue_find(s->d1->buffered_messages, seq64be);
  642. /*
  643. * If we already have an entry and this one is a fragment, don't discard
  644. * it and rather try to reassemble it.
  645. */
  646. if (item != NULL && frag_len != msg_hdr->msg_len)
  647. item = NULL;
  648. /*
  649. * Discard the message if sequence number was already there, is too far
  650. * in the future, already in the queue or if we received a FINISHED
  651. * before the SERVER_HELLO, which then must be a stale retransmit.
  652. */
  653. if (msg_hdr->seq <= s->d1->handshake_read_seq ||
  654. msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL ||
  655. (s->d1->handshake_read_seq == 0 && msg_hdr->type == SSL3_MT_FINISHED))
  656. {
  657. unsigned char devnull[256];
  658. while (frag_len) {
  659. i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
  660. devnull,
  661. frag_len >
  662. sizeof(devnull) ? sizeof(devnull) :
  663. frag_len, 0);
  664. if (i <= 0)
  665. goto err;
  666. frag_len -= i;
  667. }
  668. } else {
  669. if (frag_len != msg_hdr->msg_len)
  670. return dtls1_reassemble_fragment(s, msg_hdr, ok);
  671. if (frag_len > dtls1_max_handshake_message_len(s))
  672. goto err;
  673. frag = dtls1_hm_fragment_new(frag_len, 0);
  674. if (frag == NULL)
  675. goto err;
  676. memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
  677. if (frag_len) {
  678. /*
  679. * read the body of the fragment (header has already been read
  680. */
  681. i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
  682. frag->fragment, frag_len, 0);
  683. if ((unsigned long)i != frag_len)
  684. i = -1;
  685. if (i <= 0)
  686. goto err;
  687. }
  688. item = pitem_new(seq64be, frag);
  689. if (item == NULL)
  690. goto err;
  691. item = pqueue_insert(s->d1->buffered_messages, item);
  692. /*
  693. * pqueue_insert fails iff a duplicate item is inserted. However,
  694. * |item| cannot be a duplicate. If it were, |pqueue_find|, above,
  695. * would have returned it. Then, either |frag_len| !=
  696. * |msg_hdr->msg_len| in which case |item| is set to NULL and it will
  697. * have been processed with |dtls1_reassemble_fragment|, above, or
  698. * the record will have been discarded.
  699. */
  700. OPENSSL_assert(item != NULL);
  701. }
  702. return DTLS1_HM_FRAGMENT_RETRY;
  703. err:
  704. if (item == NULL)
  705. dtls1_hm_fragment_free(frag);
  706. *ok = 0;
  707. return i;
  708. }
  709. static int dtls_get_reassembled_message(SSL *s, long *len)
  710. {
  711. unsigned char wire[DTLS1_HM_HEADER_LENGTH];
  712. unsigned long mlen, frag_off, frag_len;
  713. int i, al, recvd_type;
  714. struct hm_header_st msg_hdr;
  715. int ok;
  716. redo:
  717. /* see if we have the required fragment already */
  718. if ((frag_len = dtls1_retrieve_buffered_fragment(s, &ok)) || ok) {
  719. if (ok)
  720. s->init_num = frag_len;
  721. *len = frag_len;
  722. return ok;
  723. }
  724. /* read handshake message header */
  725. i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type, wire,
  726. DTLS1_HM_HEADER_LENGTH, 0);
  727. if (i <= 0) { /* nbio, or an error */
  728. s->rwstate = SSL_READING;
  729. *len = i;
  730. return 0;
  731. }
  732. if(recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
  733. if (wire[0] != SSL3_MT_CCS) {
  734. al = SSL_AD_UNEXPECTED_MESSAGE;
  735. SSLerr(SSL_F_DTLS_GET_REASSEMBLED_MESSAGE,
  736. SSL_R_BAD_CHANGE_CIPHER_SPEC);
  737. goto f_err;
  738. }
  739. memcpy(s->init_buf->data, wire, i);
  740. s->init_num = i - 1;
  741. s->init_msg = s->init_buf->data + 1;
  742. s->s3->tmp.message_type = SSL3_MT_CHANGE_CIPHER_SPEC;
  743. s->s3->tmp.message_size = i - 1;
  744. *len = i - 1;
  745. return 1;
  746. }
  747. /* Handshake fails if message header is incomplete */
  748. if (i != DTLS1_HM_HEADER_LENGTH) {
  749. al = SSL_AD_UNEXPECTED_MESSAGE;
  750. SSLerr(SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
  751. goto f_err;
  752. }
  753. /* parse the message fragment header */
  754. dtls1_get_message_header(wire, &msg_hdr);
  755. mlen = msg_hdr.msg_len;
  756. frag_off = msg_hdr.frag_off;
  757. frag_len = msg_hdr.frag_len;
  758. /*
  759. * We must have at least frag_len bytes left in the record to be read.
  760. * Fragments must not span records.
  761. */
  762. if (frag_len > RECORD_LAYER_get_rrec_length(&s->rlayer)) {
  763. al = SSL3_AD_ILLEGAL_PARAMETER;
  764. SSLerr(SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, SSL_R_BAD_LENGTH);
  765. goto f_err;
  766. }
  767. /*
  768. * if this is a future (or stale) message it gets buffered
  769. * (or dropped)--no further processing at this time
  770. * While listening, we accept seq 1 (ClientHello with cookie)
  771. * although we're still expecting seq 0 (ClientHello)
  772. */
  773. if (msg_hdr.seq != s->d1->handshake_read_seq) {
  774. *len = dtls1_process_out_of_seq_message(s, &msg_hdr, &ok);
  775. return ok;
  776. }
  777. if (frag_len && frag_len < mlen) {
  778. *len = dtls1_reassemble_fragment(s, &msg_hdr, &ok);
  779. return ok;
  780. }
  781. if (!s->server && s->d1->r_msg_hdr.frag_off == 0 &&
  782. wire[0] == SSL3_MT_HELLO_REQUEST) {
  783. /*
  784. * The server may always send 'Hello Request' messages -- we are
  785. * doing a handshake anyway now, so ignore them if their format is
  786. * correct. Does not count for 'Finished' MAC.
  787. */
  788. if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0) {
  789. if (s->msg_callback)
  790. s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
  791. wire, DTLS1_HM_HEADER_LENGTH, s,
  792. s->msg_callback_arg);
  793. s->init_num = 0;
  794. goto redo;
  795. } else { /* Incorrectly formated Hello request */
  796. al = SSL_AD_UNEXPECTED_MESSAGE;
  797. SSLerr(SSL_F_DTLS_GET_REASSEMBLED_MESSAGE,
  798. SSL_R_UNEXPECTED_MESSAGE);
  799. goto f_err;
  800. }
  801. }
  802. if ((al = dtls1_preprocess_fragment(s, &msg_hdr)))
  803. goto f_err;
  804. if (frag_len > 0) {
  805. unsigned char *p =
  806. (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
  807. i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
  808. &p[frag_off], frag_len, 0);
  809. /*
  810. * This shouldn't ever fail due to NBIO because we already checked
  811. * that we have enough data in the record
  812. */
  813. if (i <= 0) {
  814. s->rwstate = SSL_READING;
  815. *len = i;
  816. return 0;
  817. }
  818. } else
  819. i = 0;
  820. /*
  821. * XDTLS: an incorrectly formatted fragment should cause the handshake
  822. * to fail
  823. */
  824. if (i != (int)frag_len) {
  825. al = SSL3_AD_ILLEGAL_PARAMETER;
  826. SSLerr(SSL_F_DTLS_GET_REASSEMBLED_MESSAGE, SSL3_AD_ILLEGAL_PARAMETER);
  827. goto f_err;
  828. }
  829. /*
  830. * Note that s->init_num is *not* used as current offset in
  831. * s->init_buf->data, but as a counter summing up fragments' lengths: as
  832. * soon as they sum up to handshake packet length, we assume we have got
  833. * all the fragments.
  834. */
  835. *len = s->init_num = frag_len;
  836. return 1;
  837. f_err:
  838. ssl3_send_alert(s, SSL3_AL_FATAL, al);
  839. s->init_num = 0;
  840. *len = -1;
  841. return 0;
  842. }
  843. /*-
  844. * for these 2 messages, we need to
  845. * ssl->enc_read_ctx re-init
  846. * ssl->rlayer.read_sequence zero
  847. * ssl->s3->read_mac_secret re-init
  848. * ssl->session->read_sym_enc assign
  849. * ssl->session->read_compression assign
  850. * ssl->session->read_hash assign
  851. */
  852. int dtls_construct_change_cipher_spec(SSL *s)
  853. {
  854. unsigned char *p;
  855. p = (unsigned char *)s->init_buf->data;
  856. *p++ = SSL3_MT_CCS;
  857. s->d1->handshake_write_seq = s->d1->next_handshake_write_seq;
  858. s->init_num = DTLS1_CCS_HEADER_LENGTH;
  859. if (s->version == DTLS1_BAD_VER) {
  860. s->d1->next_handshake_write_seq++;
  861. s2n(s->d1->handshake_write_seq, p);
  862. s->init_num += 2;
  863. }
  864. s->init_off = 0;
  865. dtls1_set_message_header_int(s, SSL3_MT_CCS, 0,
  866. s->d1->handshake_write_seq, 0, 0);
  867. /* buffer the message to handle re-xmits */
  868. if (!dtls1_buffer_message(s, 1)) {
  869. SSLerr(SSL_F_DTLS_CONSTRUCT_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
  870. return 0;
  871. }
  872. return 1;
  873. }
  874. #ifndef OPENSSL_NO_SCTP
  875. WORK_STATE dtls_wait_for_dry(SSL *s)
  876. {
  877. int ret;
  878. /* read app data until dry event */
  879. ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
  880. if (ret < 0)
  881. return WORK_ERROR;
  882. if (ret == 0) {
  883. s->s3->in_read_app_data = 2;
  884. s->rwstate = SSL_READING;
  885. BIO_clear_retry_flags(SSL_get_rbio(s));
  886. BIO_set_retry_read(SSL_get_rbio(s));
  887. return WORK_MORE_A;
  888. }
  889. return WORK_FINISHED_CONTINUE;
  890. }
  891. #endif
  892. int dtls1_read_failed(SSL *s, int code)
  893. {
  894. if (code > 0) {
  895. fprintf(stderr, "invalid state reached %s:%d", __FILE__, __LINE__);
  896. return 1;
  897. }
  898. if (!dtls1_is_timer_expired(s)) {
  899. /*
  900. * not a timeout, none of our business, let higher layers handle
  901. * this. in fact it's probably an error
  902. */
  903. return code;
  904. }
  905. #ifndef OPENSSL_NO_HEARTBEATS
  906. /* done, no need to send a retransmit */
  907. if (!SSL_in_init(s) && !s->tlsext_hb_pending)
  908. #else
  909. /* done, no need to send a retransmit */
  910. if (!SSL_in_init(s))
  911. #endif
  912. {
  913. BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ);
  914. return code;
  915. }
  916. return dtls1_handle_timeout(s);
  917. }
  918. int dtls1_get_queue_priority(unsigned short seq, int is_ccs)
  919. {
  920. /*
  921. * The index of the retransmission queue actually is the message sequence
  922. * number, since the queue only contains messages of a single handshake.
  923. * However, the ChangeCipherSpec has no message sequence number and so
  924. * using only the sequence will result in the CCS and Finished having the
  925. * same index. To prevent this, the sequence number is multiplied by 2.
  926. * In case of a CCS 1 is subtracted. This does not only differ CSS and
  927. * Finished, it also maintains the order of the index (important for
  928. * priority queues) and fits in the unsigned short variable.
  929. */
  930. return seq * 2 - is_ccs;
  931. }
  932. int dtls1_retransmit_buffered_messages(SSL *s)
  933. {
  934. pqueue sent = s->d1->sent_messages;
  935. piterator iter;
  936. pitem *item;
  937. hm_fragment *frag;
  938. int found = 0;
  939. iter = pqueue_iterator(sent);
  940. for (item = pqueue_next(&iter); item != NULL; item = pqueue_next(&iter)) {
  941. frag = (hm_fragment *)item->data;
  942. if (dtls1_retransmit_message(s, (unsigned short)
  943. dtls1_get_queue_priority
  944. (frag->msg_header.seq,
  945. frag->msg_header.is_ccs), 0,
  946. &found) <= 0 && found) {
  947. fprintf(stderr, "dtls1_retransmit_message() failed\n");
  948. return -1;
  949. }
  950. }
  951. return 1;
  952. }
  953. int dtls1_buffer_message(SSL *s, int is_ccs)
  954. {
  955. pitem *item;
  956. hm_fragment *frag;
  957. unsigned char seq64be[8];
  958. /*
  959. * this function is called immediately after a message has been
  960. * serialized
  961. */
  962. OPENSSL_assert(s->init_off == 0);
  963. frag = dtls1_hm_fragment_new(s->init_num, 0);
  964. if (frag == NULL)
  965. return 0;
  966. memcpy(frag->fragment, s->init_buf->data, s->init_num);
  967. if (is_ccs) {
  968. /* For DTLS1_BAD_VER the header length is non-standard */
  969. OPENSSL_assert(s->d1->w_msg_hdr.msg_len +
  970. ((s->version==DTLS1_BAD_VER)?3:DTLS1_CCS_HEADER_LENGTH)
  971. == (unsigned int)s->init_num);
  972. } else {
  973. OPENSSL_assert(s->d1->w_msg_hdr.msg_len +
  974. DTLS1_HM_HEADER_LENGTH == (unsigned int)s->init_num);
  975. }
  976. frag->msg_header.msg_len = s->d1->w_msg_hdr.msg_len;
  977. frag->msg_header.seq = s->d1->w_msg_hdr.seq;
  978. frag->msg_header.type = s->d1->w_msg_hdr.type;
  979. frag->msg_header.frag_off = 0;
  980. frag->msg_header.frag_len = s->d1->w_msg_hdr.msg_len;
  981. frag->msg_header.is_ccs = is_ccs;
  982. /* save current state */
  983. frag->msg_header.saved_retransmit_state.enc_write_ctx = s->enc_write_ctx;
  984. frag->msg_header.saved_retransmit_state.write_hash = s->write_hash;
  985. frag->msg_header.saved_retransmit_state.compress = s->compress;
  986. frag->msg_header.saved_retransmit_state.session = s->session;
  987. frag->msg_header.saved_retransmit_state.epoch =
  988. DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer);
  989. memset(seq64be, 0, sizeof(seq64be));
  990. seq64be[6] =
  991. (unsigned
  992. char)(dtls1_get_queue_priority(frag->msg_header.seq,
  993. frag->msg_header.is_ccs) >> 8);
  994. seq64be[7] =
  995. (unsigned
  996. char)(dtls1_get_queue_priority(frag->msg_header.seq,
  997. frag->msg_header.is_ccs));
  998. item = pitem_new(seq64be, frag);
  999. if (item == NULL) {
  1000. dtls1_hm_fragment_free(frag);
  1001. return 0;
  1002. }
  1003. pqueue_insert(s->d1->sent_messages, item);
  1004. return 1;
  1005. }
  1006. int
  1007. dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
  1008. int *found)
  1009. {
  1010. int ret;
  1011. /* XDTLS: for now assuming that read/writes are blocking */
  1012. pitem *item;
  1013. hm_fragment *frag;
  1014. unsigned long header_length;
  1015. unsigned char seq64be[8];
  1016. struct dtls1_retransmit_state saved_state;
  1017. /*-
  1018. OPENSSL_assert(s->init_num == 0);
  1019. OPENSSL_assert(s->init_off == 0);
  1020. */
  1021. /* XDTLS: the requested message ought to be found, otherwise error */
  1022. memset(seq64be, 0, sizeof(seq64be));
  1023. seq64be[6] = (unsigned char)(seq >> 8);
  1024. seq64be[7] = (unsigned char)seq;
  1025. item = pqueue_find(s->d1->sent_messages, seq64be);
  1026. if (item == NULL) {
  1027. fprintf(stderr, "retransmit: message %d non-existant\n", seq);
  1028. *found = 0;
  1029. return 0;
  1030. }
  1031. *found = 1;
  1032. frag = (hm_fragment *)item->data;
  1033. if (frag->msg_header.is_ccs)
  1034. header_length = DTLS1_CCS_HEADER_LENGTH;
  1035. else
  1036. header_length = DTLS1_HM_HEADER_LENGTH;
  1037. memcpy(s->init_buf->data, frag->fragment,
  1038. frag->msg_header.msg_len + header_length);
  1039. s->init_num = frag->msg_header.msg_len + header_length;
  1040. dtls1_set_message_header_int(s, frag->msg_header.type,
  1041. frag->msg_header.msg_len,
  1042. frag->msg_header.seq, 0,
  1043. frag->msg_header.frag_len);
  1044. /* save current state */
  1045. saved_state.enc_write_ctx = s->enc_write_ctx;
  1046. saved_state.write_hash = s->write_hash;
  1047. saved_state.compress = s->compress;
  1048. saved_state.session = s->session;
  1049. saved_state.epoch = DTLS_RECORD_LAYER_get_w_epoch(&s->rlayer);
  1050. s->d1->retransmitting = 1;
  1051. /* restore state in which the message was originally sent */
  1052. s->enc_write_ctx = frag->msg_header.saved_retransmit_state.enc_write_ctx;
  1053. s->write_hash = frag->msg_header.saved_retransmit_state.write_hash;
  1054. s->compress = frag->msg_header.saved_retransmit_state.compress;
  1055. s->session = frag->msg_header.saved_retransmit_state.session;
  1056. DTLS_RECORD_LAYER_set_saved_w_epoch(&s->rlayer,
  1057. frag->msg_header.saved_retransmit_state.epoch);
  1058. ret = dtls1_do_write(s, frag->msg_header.is_ccs ?
  1059. SSL3_RT_CHANGE_CIPHER_SPEC : SSL3_RT_HANDSHAKE);
  1060. /* restore current state */
  1061. s->enc_write_ctx = saved_state.enc_write_ctx;
  1062. s->write_hash = saved_state.write_hash;
  1063. s->compress = saved_state.compress;
  1064. s->session = saved_state.session;
  1065. DTLS_RECORD_LAYER_set_saved_w_epoch(&s->rlayer, saved_state.epoch);
  1066. s->d1->retransmitting = 0;
  1067. (void)BIO_flush(SSL_get_wbio(s));
  1068. return ret;
  1069. }
  1070. /* call this function when the buffered messages are no longer needed */
  1071. void dtls1_clear_record_buffer(SSL *s)
  1072. {
  1073. pitem *item;
  1074. for (item = pqueue_pop(s->d1->sent_messages);
  1075. item != NULL; item = pqueue_pop(s->d1->sent_messages)) {
  1076. dtls1_hm_fragment_free((hm_fragment *)item->data);
  1077. pitem_free(item);
  1078. }
  1079. }
  1080. void dtls1_set_message_header(SSL *s, unsigned char *p,
  1081. unsigned char mt, unsigned long len,
  1082. unsigned long frag_off,
  1083. unsigned long frag_len)
  1084. {
  1085. if (frag_off == 0) {
  1086. s->d1->handshake_write_seq = s->d1->next_handshake_write_seq;
  1087. s->d1->next_handshake_write_seq++;
  1088. }
  1089. dtls1_set_message_header_int(s, mt, len, s->d1->handshake_write_seq,
  1090. frag_off, frag_len);
  1091. }
  1092. /* don't actually do the writing, wait till the MTU has been retrieved */
  1093. static void
  1094. dtls1_set_message_header_int(SSL *s, unsigned char mt,
  1095. unsigned long len, unsigned short seq_num,
  1096. unsigned long frag_off, unsigned long frag_len)
  1097. {
  1098. struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
  1099. msg_hdr->type = mt;
  1100. msg_hdr->msg_len = len;
  1101. msg_hdr->seq = seq_num;
  1102. msg_hdr->frag_off = frag_off;
  1103. msg_hdr->frag_len = frag_len;
  1104. }
  1105. static void
  1106. dtls1_fix_message_header(SSL *s, unsigned long frag_off,
  1107. unsigned long frag_len)
  1108. {
  1109. struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
  1110. msg_hdr->frag_off = frag_off;
  1111. msg_hdr->frag_len = frag_len;
  1112. }
  1113. static unsigned char *dtls1_write_message_header(SSL *s, unsigned char *p)
  1114. {
  1115. struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
  1116. *p++ = msg_hdr->type;
  1117. l2n3(msg_hdr->msg_len, p);
  1118. s2n(msg_hdr->seq, p);
  1119. l2n3(msg_hdr->frag_off, p);
  1120. l2n3(msg_hdr->frag_len, p);
  1121. return p;
  1122. }
  1123. void
  1124. dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr)
  1125. {
  1126. memset(msg_hdr, 0, sizeof(*msg_hdr));
  1127. msg_hdr->type = *(data++);
  1128. n2l3(data, msg_hdr->msg_len);
  1129. n2s(data, msg_hdr->seq);
  1130. n2l3(data, msg_hdr->frag_off);
  1131. n2l3(data, msg_hdr->frag_len);
  1132. }