OpenSSL  1.0.1c
 All Classes Files Functions Variables Typedefs Enumerations Enumerator Macros
d1_pkt.c
Go to the documentation of this file.
1 /* ssl/d1_pkt.c */
2 /*
3  * DTLS implementation written by Nagendra Modadugu
4  * ([email protected]) for the OpenSSL project 2005.
5  */
6 /* ====================================================================
7  * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  *
13  * 1. Redistributions of source code must retain the above copyright
14  * notice, this list of conditions and the following disclaimer.
15  *
16  * 2. Redistributions in binary form must reproduce the above copyright
17  * notice, this list of conditions and the following disclaimer in
18  * the documentation and/or other materials provided with the
19  * distribution.
20  *
21  * 3. All advertising materials mentioning features or use of this
22  * software must display the following acknowledgment:
23  * "This product includes software developed by the OpenSSL Project
24  * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
25  *
26  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27  * endorse or promote products derived from this software without
28  * prior written permission. For written permission, please contact
29  * [email protected].
30  *
31  * 5. Products derived from this software may not be called "OpenSSL"
32  * nor may "OpenSSL" appear in their names without prior written
33  * permission of the OpenSSL Project.
34  *
35  * 6. Redistributions of any form whatsoever must retain the following
36  * acknowledgment:
37  * "This product includes software developed by the OpenSSL Project
38  * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43  * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51  * OF THE POSSIBILITY OF SUCH DAMAGE.
52  * ====================================================================
53  *
54  * This product includes cryptographic software written by Eric Young
55  * ([email protected]). This product includes software written by Tim
56  * Hudson ([email protected]).
57  *
58  */
59 /* Copyright (C) 1995-1998 Eric Young ([email protected])
60  * All rights reserved.
61  *
62  * This package is an SSL implementation written
63  * by Eric Young ([email protected]).
64  * The implementation was written so as to conform with Netscapes SSL.
65  *
66  * This library is free for commercial and non-commercial use as long as
67  * the following conditions are aheared to. The following conditions
68  * apply to all code found in this distribution, be it the RC4, RSA,
69  * lhash, DES, etc., code; not just the SSL code. The SSL documentation
70  * included with this distribution is covered by the same copyright terms
71  * except that the holder is Tim Hudson ([email protected]).
72  *
73  * Copyright remains Eric Young's, and as such any Copyright notices in
74  * the code are not to be removed.
75  * If this package is used in a product, Eric Young should be given attribution
76  * as the author of the parts of the library used.
77  * This can be in the form of a textual message at program startup or
78  * in documentation (online or textual) provided with the package.
79  *
80  * Redistribution and use in source and binary forms, with or without
81  * modification, are permitted provided that the following conditions
82  * are met:
83  * 1. Redistributions of source code must retain the copyright
84  * notice, this list of conditions and the following disclaimer.
85  * 2. Redistributions in binary form must reproduce the above copyright
86  * notice, this list of conditions and the following disclaimer in the
87  * documentation and/or other materials provided with the distribution.
88  * 3. All advertising materials mentioning features or use of this software
89  * must display the following acknowledgement:
90  * "This product includes cryptographic software written by
91  * Eric Young ([email protected])"
92  * The word 'cryptographic' can be left out if the rouines from the library
93  * being used are not cryptographic related :-).
94  * 4. If you include any Windows specific code (or a derivative thereof) from
95  * the apps directory (application code) you must include an acknowledgement:
96  * "This product includes software written by Tim Hudson ([email protected])"
97  *
98  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
99  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
100  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
101  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
102  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
103  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
104  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
105  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
106  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
107  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
108  * SUCH DAMAGE.
109  *
110  * The licence and distribution terms for any publically available version or
111  * derivative of this code cannot be changed. i.e. this code cannot simply be
112  * copied and put under another distribution licence
113  * [including the GNU Public Licence.]
114  */
115 
116 #include <stdio.h>
117 #include <errno.h>
118 #define USE_SOCKETS
119 #include "ssl_locl.h"
120 #include <openssl/evp.h>
121 #include <openssl/buffer.h>
122 #include <openssl/pqueue.h>
123 #include <openssl/rand.h>
124 
125 /* mod 128 saturating subtract of two 64-bit values in big-endian order */
126 static int satsub64be(const unsigned char *v1,const unsigned char *v2)
127 { int ret,sat,brw,i;
128 
129  if (sizeof(long) == 8) do
130  { const union { long one; char little; } is_endian = {1};
131  long l;
132 
133  if (is_endian.little) break;
134  /* not reached on little-endians */
135  /* following test is redundant, because input is
136  * always aligned, but I take no chances... */
137  if (((size_t)v1|(size_t)v2)&0x7) break;
138 
139  l = *((long *)v1);
140  l -= *((long *)v2);
141  if (l>128) return 128;
142  else if (l<-128) return -128;
143  else return (int)l;
144  } while (0);
145 
146  ret = (int)v1[7]-(int)v2[7];
147  sat = 0;
148  brw = ret>>8; /* brw is either 0 or -1 */
149  if (ret & 0x80)
150  { for (i=6;i>=0;i--)
151  { brw += (int)v1[i]-(int)v2[i];
152  sat |= ~brw;
153  brw >>= 8;
154  }
155  }
156  else
157  { for (i=6;i>=0;i--)
158  { brw += (int)v1[i]-(int)v2[i];
159  sat |= brw;
160  brw >>= 8;
161  }
162  }
163  brw <<= 8; /* brw is either 0 or -256 */
164 
165  if (sat&0xff) return brw | 0x80;
166  else return brw + (ret&0xFF);
167 }
168 
169 static int have_handshake_fragment(SSL *s, int type, unsigned char *buf,
170  int len, int peek);
171 static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap);
172 static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);
173 static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
174  unsigned int *is_next_epoch);
175 #if 0
176 static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
177  unsigned short *priority, unsigned long *offset);
178 #endif
179 static int dtls1_buffer_record(SSL *s, record_pqueue *q,
180  unsigned char *priority);
181 static int dtls1_process_record(SSL *s);
182 
183 /* copy buffered record into SSL structure */
184 static int
185 dtls1_copy_record(SSL *s, pitem *item)
186  {
187  DTLS1_RECORD_DATA *rdata;
188 
189  rdata = (DTLS1_RECORD_DATA *)item->data;
190 
191  if (s->s3->rbuf.buf != NULL)
192  OPENSSL_free(s->s3->rbuf.buf);
193 
194  s->packet = rdata->packet;
195  s->packet_length = rdata->packet_length;
196  memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
197  memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
198 
199  /* Set proper sequence number for mac calculation */
200  memcpy(&(s->s3->read_sequence[2]), &(rdata->packet[5]), 6);
201 
202  return(1);
203  }
204 
205 
206 static int
207 dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
208  {
209  DTLS1_RECORD_DATA *rdata;
210  pitem *item;
211 
212  /* Limit the size of the queue to prevent DOS attacks */
213  if (pqueue_size(queue->q) >= 100)
214  return 0;
215 
216  rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
217  item = pitem_new(priority, rdata);
218  if (rdata == NULL || item == NULL)
219  {
220  if (rdata != NULL) OPENSSL_free(rdata);
221  if (item != NULL) pitem_free(item);
222 
223  SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
224  return(0);
225  }
226 
227  rdata->packet = s->packet;
228  rdata->packet_length = s->packet_length;
229  memcpy(&(rdata->rbuf), &(s->s3->rbuf), sizeof(SSL3_BUFFER));
230  memcpy(&(rdata->rrec), &(s->s3->rrec), sizeof(SSL3_RECORD));
231 
232  item->data = rdata;
233 
234 #ifndef OPENSSL_NO_SCTP
235  /* Store bio_dgram_sctp_rcvinfo struct */
236  if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
237  (s->state == SSL3_ST_SR_FINISHED_A || s->state == SSL3_ST_CR_FINISHED_A)) {
238  BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SCTP_GET_RCVINFO, sizeof(rdata->recordinfo), &rdata->recordinfo);
239  }
240 #endif
241 
242  /* insert should not fail, since duplicates are dropped */
243  if (pqueue_insert(queue->q, item) == NULL)
244  {
245  OPENSSL_free(rdata);
246  pitem_free(item);
247  return(0);
248  }
249 
250  s->packet = NULL;
251  s->packet_length = 0;
252  memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));
253  memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD));
254 
255  if (!ssl3_setup_buffers(s))
256  {
257  SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
258  OPENSSL_free(rdata);
259  pitem_free(item);
260  return(0);
261  }
262 
263  return(1);
264  }
265 
266 
267 static int
268 dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue)
269  {
270  pitem *item;
271 
272  item = pqueue_pop(queue->q);
273  if (item)
274  {
275  dtls1_copy_record(s, item);
276 
277  OPENSSL_free(item->data);
278  pitem_free(item);
279 
280  return(1);
281  }
282 
283  return(0);
284  }
285 
286 
287 /* retrieve a buffered record that belongs to the new epoch, i.e., not processed
288  * yet */
289 #define dtls1_get_unprocessed_record(s) \
290  dtls1_retrieve_buffered_record((s), \
291  &((s)->d1->unprocessed_rcds))
292 
293 /* retrieve a buffered record that belongs to the current epoch, ie, processed */
294 #define dtls1_get_processed_record(s) \
295  dtls1_retrieve_buffered_record((s), \
296  &((s)->d1->processed_rcds))
297 
298 static int
299 dtls1_process_buffered_records(SSL *s)
300  {
301  pitem *item;
302 
303  item = pqueue_peek(s->d1->unprocessed_rcds.q);
304  if (item)
305  {
306  /* Check if epoch is current. */
307  if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch)
308  return(1); /* Nothing to do. */
309 
310  /* Process all the records. */
311  while (pqueue_peek(s->d1->unprocessed_rcds.q))
312  {
313  dtls1_get_unprocessed_record(s);
314  if ( ! dtls1_process_record(s))
315  return(0);
316  dtls1_buffer_record(s, &(s->d1->processed_rcds),
317  s->s3->rrec.seq_num);
318  }
319  }
320 
321  /* sync epoch numbers once all the unprocessed records
322  * have been processed */
323  s->d1->processed_rcds.epoch = s->d1->r_epoch;
324  s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1;
325 
326  return(1);
327  }
328 
329 
330 #if 0
331 
332 static int
333 dtls1_get_buffered_record(SSL *s)
334  {
335  pitem *item;
336  PQ_64BIT priority =
337  (((PQ_64BIT)s->d1->handshake_read_seq) << 32) |
338  ((PQ_64BIT)s->d1->r_msg_hdr.frag_off);
339 
340  if ( ! SSL_in_init(s)) /* if we're not (re)negotiating,
341  nothing buffered */
342  return 0;
343 
344 
345  item = pqueue_peek(s->d1->rcvd_records);
346  if (item && item->priority == priority)
347  {
348  /* Check if we've received the record of interest. It must be
349  * a handshake record, since data records as passed up without
350  * buffering */
351  DTLS1_RECORD_DATA *rdata;
352  item = pqueue_pop(s->d1->rcvd_records);
353  rdata = (DTLS1_RECORD_DATA *)item->data;
354 
355  if (s->s3->rbuf.buf != NULL)
356  OPENSSL_free(s->s3->rbuf.buf);
357 
358  s->packet = rdata->packet;
359  s->packet_length = rdata->packet_length;
360  memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
361  memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
362 
363  OPENSSL_free(item->data);
364  pitem_free(item);
365 
366  /* s->d1->next_expected_seq_num++; */
367  return(1);
368  }
369 
370  return 0;
371  }
372 
373 #endif
374 
375 static int
376 dtls1_process_record(SSL *s)
377 {
378  int i,al;
379  int clear=0;
380  int enc_err;
381  SSL_SESSION *sess;
382  SSL3_RECORD *rr;
383  unsigned int mac_size;
384  unsigned char md[EVP_MAX_MD_SIZE];
385  int decryption_failed_or_bad_record_mac = 0;
386  unsigned char *mac = NULL;
387 
388 
389  rr= &(s->s3->rrec);
390  sess = s->session;
391 
392  /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
393  * and we have that many bytes in s->packet
394  */
395  rr->input= &(s->packet[DTLS1_RT_HEADER_LENGTH]);
396 
397  /* ok, we can now read from 's->packet' data into 'rr'
398  * rr->input points at rr->length bytes, which
399  * need to be copied into rr->data by either
400  * the decryption or by the decompression
401  * When the data is 'copied' into the rr->data buffer,
402  * rr->input will be pointed at the new buffer */
403 
404  /* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
405  * rr->length bytes of encrypted compressed stuff. */
406 
407  /* check is not needed I believe */
408  if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH)
409  {
410  al=SSL_AD_RECORD_OVERFLOW;
411  SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
412  goto f_err;
413  }
414 
415  /* decrypt in place in 'rr->input' */
416  rr->data=rr->input;
417 
418  enc_err = s->method->ssl3_enc->enc(s,0);
419  if (enc_err <= 0)
420  {
421  /* To minimize information leaked via timing, we will always
422  * perform all computations before discarding the message.
423  */
424  decryption_failed_or_bad_record_mac = 1;
425  }
426 
427 #ifdef TLS_DEBUG
428 printf("dec %d\n",rr->length);
429 { unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
430 printf("\n");
431 #endif
432 
433  /* r->length is now the compressed data plus mac */
434  if ( (sess == NULL) ||
435  (s->enc_read_ctx == NULL) ||
436  (s->read_hash == NULL))
437  clear=1;
438 
439  if (!clear)
440  {
441  /* !clear => s->read_hash != NULL => mac_size != -1 */
442  int t;
443  t=EVP_MD_CTX_size(s->read_hash);
444  OPENSSL_assert(t >= 0);
445  mac_size=t;
446 
447  if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
448  {
449 #if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
450  al=SSL_AD_RECORD_OVERFLOW;
451  SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
452  goto f_err;
453 #else
454  decryption_failed_or_bad_record_mac = 1;
455 #endif
456  }
457  /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
458  if (rr->length >= mac_size)
459  {
460  rr->length -= mac_size;
461  mac = &rr->data[rr->length];
462  }
463  else
464  rr->length = 0;
465  i=s->method->ssl3_enc->mac(s,md,0);
466  if (i < 0 || mac == NULL || memcmp(md, mac, mac_size) != 0)
467  {
468  decryption_failed_or_bad_record_mac = 1;
469  }
470  }
471 
472  if (decryption_failed_or_bad_record_mac)
473  {
474  /* decryption failed, silently discard message */
475  rr->length = 0;
476  s->packet_length = 0;
477  goto err;
478  }
479 
480  /* r->length is now just compressed */
481  if (s->expand != NULL)
482  {
483  if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH)
484  {
485  al=SSL_AD_RECORD_OVERFLOW;
486  SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
487  goto f_err;
488  }
489  if (!ssl3_do_uncompress(s))
490  {
491  al=SSL_AD_DECOMPRESSION_FAILURE;
492  SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_BAD_DECOMPRESSION);
493  goto f_err;
494  }
495  }
496 
497  if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH)
498  {
499  al=SSL_AD_RECORD_OVERFLOW;
500  SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
501  goto f_err;
502  }
503 
504  rr->off=0;
505  /* So at this point the following is true
506  * ssl->s3->rrec.type is the type of record
507  * ssl->s3->rrec.length == number of bytes in record
508  * ssl->s3->rrec.off == offset to first valid byte
509  * ssl->s3->rrec.data == where to take bytes from, increment
510  * after use :-).
511  */
512 
513  /* we have pulled in a full packet so zero things */
514  s->packet_length=0;
515  dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */
516  return(1);
517 
518 f_err:
519  ssl3_send_alert(s,SSL3_AL_FATAL,al);
520 err:
521  return(0);
522 }
523 
524 
525 /* Call this to get a new input record.
526  * It will return <= 0 if more data is needed, normally due to an error
527  * or non-blocking IO.
528  * When it finishes, one packet has been decoded and can be found in
529  * ssl->s3->rrec.type - is the type of record
530  * ssl->s3->rrec.data, - data
531  * ssl->s3->rrec.length, - number of bytes
532  */
533 /* used only by dtls1_read_bytes */
534 int dtls1_get_record(SSL *s)
535  {
536  int ssl_major,ssl_minor;
537  int i,n;
538  SSL3_RECORD *rr;
539  unsigned char *p = NULL;
540  unsigned short version;
541  DTLS1_BITMAP *bitmap;
542  unsigned int is_next_epoch;
543 
544  rr= &(s->s3->rrec);
545 
546  /* The epoch may have changed. If so, process all the
547  * pending records. This is a non-blocking operation. */
548  dtls1_process_buffered_records(s);
549 
550  /* if we're renegotiating, then there may be buffered records */
551  if (dtls1_get_processed_record(s))
552  return 1;
553 
554  /* get something from the wire */
555 again:
556  /* check if we have the header */
557  if ( (s->rstate != SSL_ST_READ_BODY) ||
558  (s->packet_length < DTLS1_RT_HEADER_LENGTH))
559  {
560  n=ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
561  /* read timeout is handled by dtls1_read_bytes */
562  if (n <= 0) return(n); /* error or non-blocking */
563 
564  /* this packet contained a partial record, dump it */
565  if (s->packet_length != DTLS1_RT_HEADER_LENGTH)
566  {
567  s->packet_length = 0;
568  goto again;
569  }
570 
571  s->rstate=SSL_ST_READ_BODY;
572 
573  p=s->packet;
574 
575  /* Pull apart the header into the DTLS1_RECORD */
576  rr->type= *(p++);
577  ssl_major= *(p++);
578  ssl_minor= *(p++);
579  version=(ssl_major<<8)|ssl_minor;
580 
581  /* sequence number is 64 bits, with top 2 bytes = epoch */
582  n2s(p,rr->epoch);
583 
584  memcpy(&(s->s3->read_sequence[2]), p, 6);
585  p+=6;
586 
587  n2s(p,rr->length);
588 
589  /* Lets check version */
590  if (!s->first_packet)
591  {
592  if (version != s->version)
593  {
594  /* unexpected version, silently discard */
595  rr->length = 0;
596  s->packet_length = 0;
597  goto again;
598  }
599  }
600 
601  if ((version & 0xff00) != (s->version & 0xff00))
602  {
603  /* wrong version, silently discard record */
604  rr->length = 0;
605  s->packet_length = 0;
606  goto again;
607  }
608 
609  if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH)
610  {
611  /* record too long, silently discard it */
612  rr->length = 0;
613  s->packet_length = 0;
614  goto again;
615  }
616 
617  /* now s->rstate == SSL_ST_READ_BODY */
618  }
619 
620  /* s->rstate == SSL_ST_READ_BODY, get and decode the data */
621 
622  if (rr->length > s->packet_length-DTLS1_RT_HEADER_LENGTH)
623  {
624  /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
625  i=rr->length;
626  n=ssl3_read_n(s,i,i,1);
627  if (n <= 0) return(n); /* error or non-blocking io */
628 
629  /* this packet contained a partial record, dump it */
630  if ( n != i)
631  {
632  rr->length = 0;
633  s->packet_length = 0;
634  goto again;
635  }
636 
637  /* now n == rr->length,
638  * and s->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length */
639  }
640  s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */
641 
642  /* match epochs. NULL means the packet is dropped on the floor */
643  bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
644  if ( bitmap == NULL)
645  {
646  rr->length = 0;
647  s->packet_length = 0; /* dump this record */
648  goto again; /* get another record */
649  }
650 
651 #ifndef OPENSSL_NO_SCTP
652  /* Only do replay check if no SCTP bio */
653  if (!BIO_dgram_is_sctp(SSL_get_rbio(s)))
654  {
655 #endif
656  /* Check whether this is a repeat, or aged record.
657  * Don't check if we're listening and this message is
658  * a ClientHello. They can look as if they're replayed,
659  * since they arrive from different connections and
660  * would be dropped unnecessarily.
661  */
662  if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE &&
663  *p == SSL3_MT_CLIENT_HELLO) &&
664  !dtls1_record_replay_check(s, bitmap))
665  {
666  rr->length = 0;
667  s->packet_length=0; /* dump this record */
668  goto again; /* get another record */
669  }
670 #ifndef OPENSSL_NO_SCTP
671  }
672 #endif
673 
674  /* just read a 0 length packet */
675  if (rr->length == 0) goto again;
676 
677  /* If this record is from the next epoch (either HM or ALERT),
678  * and a handshake is currently in progress, buffer it since it
679  * cannot be processed at this time. However, do not buffer
680  * anything while listening.
681  */
682  if (is_next_epoch)
683  {
684  if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen)
685  {
686  dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
687  }
688  rr->length = 0;
689  s->packet_length = 0;
690  goto again;
691  }
692 
693  if (!dtls1_process_record(s))
694  {
695  rr->length = 0;
696  s->packet_length = 0; /* dump this record */
697  goto again; /* get another record */
698  }
699 
700  return(1);
701 
702  }
703 
704 /* Return up to 'len' payload bytes received in 'type' records.
705  * 'type' is one of the following:
706  *
707  * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
708  * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
709  * - 0 (during a shutdown, no data has to be returned)
710  *
711  * If we don't have stored data to work from, read a SSL/TLS record first
712  * (possibly multiple records if we still don't have anything to return).
713  *
714  * This function must handle any surprises the peer may have for us, such as
715  * Alert records (e.g. close_notify), ChangeCipherSpec records (not really
716  * a surprise, but handled as if it were), or renegotiation requests.
717  * Also if record payloads contain fragments too small to process, we store
718  * them until there is enough for the respective protocol (the record protocol
719  * may use arbitrary fragmentation and even interleaving):
720  * Change cipher spec protocol
721  * just 1 byte needed, no need for keeping anything stored
722  * Alert protocol
723  * 2 bytes needed (AlertLevel, AlertDescription)
724  * Handshake protocol
725  * 4 bytes needed (HandshakeType, uint24 length) -- we just have
726  * to detect unexpected Client Hello and Hello Request messages
727  * here, anything else is handled by higher layers
728  * Application data protocol
729  * none of our business
730  */
731 int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
732  {
733  int al,i,j,ret;
734  unsigned int n;
735  SSL3_RECORD *rr;
736  void (*cb)(const SSL *ssl,int type2,int val)=NULL;
737 
738  if (s->s3->rbuf.buf == NULL) /* Not initialized yet */
739  if (!ssl3_setup_buffers(s))
740  return(-1);
741 
742  /* XXX: check what the second '&& type' is about */
743  if ((type && (type != SSL3_RT_APPLICATION_DATA) &&
744  (type != SSL3_RT_HANDSHAKE) && type) ||
745  (peek && (type != SSL3_RT_APPLICATION_DATA)))
746  {
747  SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR);
748  return -1;
749  }
750 
751  /* check whether there's a handshake message (client hello?) waiting */
752  if ( (ret = have_handshake_fragment(s, type, buf, len, peek)))
753  return ret;
754 
755  /* Now s->d1->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
756 
757 #ifndef OPENSSL_NO_SCTP
758  /* Continue handshake if it had to be interrupted to read
759  * app data with SCTP.
760  */
761  if ((!s->in_handshake && SSL_in_init(s)) ||
762  (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
763  (s->state == DTLS1_SCTP_ST_SR_READ_SOCK || s->state == DTLS1_SCTP_ST_CR_READ_SOCK) &&
764  s->s3->in_read_app_data != 2))
765 #else
766  if (!s->in_handshake && SSL_in_init(s))
767 #endif
768  {
769  /* type == SSL3_RT_APPLICATION_DATA */
770  i=s->handshake_func(s);
771  if (i < 0) return(i);
772  if (i == 0)
773  {
774  SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
775  return(-1);
776  }
777  }
778 
779 start:
780  s->rwstate=SSL_NOTHING;
781 
782  /* s->s3->rrec.type - is the type of record
783  * s->s3->rrec.data, - data
784  * s->s3->rrec.off, - offset into 'data' for next read
785  * s->s3->rrec.length, - number of bytes. */
786  rr = &(s->s3->rrec);
787 
788  /* We are not handshaking and have no data yet,
789  * so process data buffered during the last handshake
790  * in advance, if any.
791  */
792  if (s->state == SSL_ST_OK && rr->length == 0)
793  {
794  pitem *item;
795  item = pqueue_pop(s->d1->buffered_app_data.q);
796  if (item)
797  {
798 #ifndef OPENSSL_NO_SCTP
799  /* Restore bio_dgram_sctp_rcvinfo struct */
800  if (BIO_dgram_is_sctp(SSL_get_rbio(s)))
801  {
802  DTLS1_RECORD_DATA *rdata = (DTLS1_RECORD_DATA *) item->data;
803  BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SCTP_SET_RCVINFO, sizeof(rdata->recordinfo), &rdata->recordinfo);
804  }
805 #endif
806 
807  dtls1_copy_record(s, item);
808 
809  OPENSSL_free(item->data);
810  pitem_free(item);
811  }
812  }
813 
814  /* Check for timeout */
815  if (dtls1_handle_timeout(s) > 0)
816  goto start;
817 
818  /* get new packet if necessary */
819  if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
820  {
821  ret=dtls1_get_record(s);
822  if (ret <= 0)
823  {
824  ret = dtls1_read_failed(s, ret);
825  /* anything other than a timeout is an error */
826  if (ret <= 0)
827  return(ret);
828  else
829  goto start;
830  }
831  }
832 
833  /* we now have a packet which can be read and processed */
834 
835  if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
836  * reset by ssl3_get_finished */
837  && (rr->type != SSL3_RT_HANDSHAKE))
838  {
839  /* We now have application data between CCS and Finished.
840  * Most likely the packets were reordered on their way, so
841  * buffer the application data for later processing rather
842  * than dropping the connection.
843  */
844  dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num);
845  rr->length = 0;
846  goto start;
847  }
848 
849  /* If the other end has shut down, throw anything we read away
850  * (even in 'peek' mode) */
851  if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
852  {
853  rr->length=0;
854  s->rwstate=SSL_NOTHING;
855  return(0);
856  }
857 
858 
859  if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */
860  {
861  /* make sure that we are not getting application data when we
862  * are doing a handshake for the first time */
863  if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
864  (s->enc_read_ctx == NULL))
865  {
866  al=SSL_AD_UNEXPECTED_MESSAGE;
867  SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE);
868  goto f_err;
869  }
870 
871  if (len <= 0) return(len);
872 
873  if ((unsigned int)len > rr->length)
874  n = rr->length;
875  else
876  n = (unsigned int)len;
877 
878  memcpy(buf,&(rr->data[rr->off]),n);
879  if (!peek)
880  {
881  rr->length-=n;
882  rr->off+=n;
883  if (rr->length == 0)
884  {
885  s->rstate=SSL_ST_READ_HEADER;
886  rr->off=0;
887  }
888  }
889 
890 #ifndef OPENSSL_NO_SCTP
891  /* We were about to renegotiate but had to read
892  * belated application data first, so retry.
893  */
894  if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
895  rr->type == SSL3_RT_APPLICATION_DATA &&
896  (s->state == DTLS1_SCTP_ST_SR_READ_SOCK || s->state == DTLS1_SCTP_ST_CR_READ_SOCK))
897  {
898  s->rwstate=SSL_READING;
899  BIO_clear_retry_flags(SSL_get_rbio(s));
900  BIO_set_retry_read(SSL_get_rbio(s));
901  }
902 
903  /* We might had to delay a close_notify alert because
904  * of reordered app data. If there was an alert and there
905  * is no message to read anymore, finally set shutdown.
906  */
907  if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
908  s->d1->shutdown_received && !BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s)))
909  {
910  s->shutdown |= SSL_RECEIVED_SHUTDOWN;
911  return(0);
912  }
913 #endif
914  return(n);
915  }
916 
917 
918  /* If we get here, then type != rr->type; if we have a handshake
919  * message, then it was unexpected (Hello Request or Client Hello). */
920 
921  /* In case of record types for which we have 'fragment' storage,
922  * fill that so that we can process the data at a fixed place.
923  */
924  {
925  unsigned int k, dest_maxlen = 0;
926  unsigned char *dest = NULL;
927  unsigned int *dest_len = NULL;
928 
929  if (rr->type == SSL3_RT_HANDSHAKE)
930  {
931  dest_maxlen = sizeof s->d1->handshake_fragment;
932  dest = s->d1->handshake_fragment;
933  dest_len = &s->d1->handshake_fragment_len;
934  }
935  else if (rr->type == SSL3_RT_ALERT)
936  {
937  dest_maxlen = sizeof(s->d1->alert_fragment);
938  dest = s->d1->alert_fragment;
939  dest_len = &s->d1->alert_fragment_len;
940  }
941 #ifndef OPENSSL_NO_HEARTBEATS
942  else if (rr->type == TLS1_RT_HEARTBEAT)
943  {
944  dtls1_process_heartbeat(s);
945 
946  /* Exit and notify application to read again */
947  rr->length = 0;
948  s->rwstate=SSL_READING;
949  BIO_clear_retry_flags(SSL_get_rbio(s));
950  BIO_set_retry_read(SSL_get_rbio(s));
951  return(-1);
952  }
953 #endif
954  /* else it's a CCS message, or application data or wrong */
955  else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC)
956  {
957  /* Application data while renegotiating
958  * is allowed. Try again reading.
959  */
960  if (rr->type == SSL3_RT_APPLICATION_DATA)
961  {
962  BIO *bio;
963  s->s3->in_read_app_data=2;
964  bio=SSL_get_rbio(s);
965  s->rwstate=SSL_READING;
966  BIO_clear_retry_flags(bio);
967  BIO_set_retry_read(bio);
968  return(-1);
969  }
970 
971  /* Not certain if this is the right error handling */
972  al=SSL_AD_UNEXPECTED_MESSAGE;
973  SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
974  goto f_err;
975  }
976 
977  if (dest_maxlen > 0)
978  {
979  /* XDTLS: In a pathalogical case, the Client Hello
980  * may be fragmented--don't always expect dest_maxlen bytes */
981  if ( rr->length < dest_maxlen)
982  {
983 #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
984  /*
985  * for normal alerts rr->length is 2, while
986  * dest_maxlen is 7 if we were to handle this
987  * non-existing alert...
988  */
989  FIX ME
990 #endif
991  s->rstate=SSL_ST_READ_HEADER;
992  rr->length = 0;
993  goto start;
994  }
995 
996  /* now move 'n' bytes: */
997  for ( k = 0; k < dest_maxlen; k++)
998  {
999  dest[k] = rr->data[rr->off++];
1000  rr->length--;
1001  }
1002  *dest_len = dest_maxlen;
1003  }
1004  }
1005 
1006  /* s->d1->handshake_fragment_len == 12 iff rr->type == SSL3_RT_HANDSHAKE;
1007  * s->d1->alert_fragment_len == 7 iff rr->type == SSL3_RT_ALERT.
1008  * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */
1009 
1010  /* If we are a client, check for an incoming 'Hello Request': */
1011  if ((!s->server) &&
1012  (s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) &&
1013  (s->d1->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) &&
1014  (s->session != NULL) && (s->session->cipher != NULL))
1015  {
1016  s->d1->handshake_fragment_len = 0;
1017 
1018  if ((s->d1->handshake_fragment[1] != 0) ||
1019  (s->d1->handshake_fragment[2] != 0) ||
1020  (s->d1->handshake_fragment[3] != 0))
1021  {
1022  al=SSL_AD_DECODE_ERROR;
1023  SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
1024  goto err;
1025  }
1026 
1027  /* no need to check sequence number on HELLO REQUEST messages */
1028 
1029  if (s->msg_callback)
1030  s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
1031  s->d1->handshake_fragment, 4, s, s->msg_callback_arg);
1032 
1033  if (SSL_is_init_finished(s) &&
1034  !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
1035  !s->s3->renegotiate)
1036  {
1037  s->new_session = 1;
1038  ssl3_renegotiate(s);
1039  if (ssl3_renegotiate_check(s))
1040  {
1041  i=s->handshake_func(s);
1042  if (i < 0) return(i);
1043  if (i == 0)
1044  {
1045  SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
1046  return(-1);
1047  }
1048 
1049  if (!(s->mode & SSL_MODE_AUTO_RETRY))
1050  {
1051  if (s->s3->rbuf.left == 0) /* no read-ahead left? */
1052  {
1053  BIO *bio;
1054  /* In the case where we try to read application data,
1055  * but we trigger an SSL handshake, we return -1 with
1056  * the retry option set. Otherwise renegotiation may
1057  * cause nasty problems in the blocking world */
1058  s->rwstate=SSL_READING;
1059  bio=SSL_get_rbio(s);
1060  BIO_clear_retry_flags(bio);
1061  BIO_set_retry_read(bio);
1062  return(-1);
1063  }
1064  }
1065  }
1066  }
1067  /* we either finished a handshake or ignored the request,
1068  * now try again to obtain the (application) data we were asked for */
1069  goto start;
1070  }
1071 
1072  if (s->d1->alert_fragment_len >= DTLS1_AL_HEADER_LENGTH)
1073  {
1074  int alert_level = s->d1->alert_fragment[0];
1075  int alert_descr = s->d1->alert_fragment[1];
1076 
1077  s->d1->alert_fragment_len = 0;
1078 
1079  if (s->msg_callback)
1080  s->msg_callback(0, s->version, SSL3_RT_ALERT,
1081  s->d1->alert_fragment, 2, s, s->msg_callback_arg);
1082 
1083  if (s->info_callback != NULL)
1084  cb=s->info_callback;
1085  else if (s->ctx->info_callback != NULL)
1086  cb=s->ctx->info_callback;
1087 
1088  if (cb != NULL)
1089  {
1090  j = (alert_level << 8) | alert_descr;
1091  cb(s, SSL_CB_READ_ALERT, j);
1092  }
1093 
1094  if (alert_level == 1) /* warning */
1095  {
1096  s->s3->warn_alert = alert_descr;
1097  if (alert_descr == SSL_AD_CLOSE_NOTIFY)
1098  {
1099 #ifndef OPENSSL_NO_SCTP
1100  /* With SCTP and streams the socket may deliver app data
1101  * after a close_notify alert. We have to check this
1102  * first so that nothing gets discarded.
1103  */
1104  if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
1105  BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s)))
1106  {
1107  s->d1->shutdown_received = 1;
1108  s->rwstate=SSL_READING;
1109  BIO_clear_retry_flags(SSL_get_rbio(s));
1110  BIO_set_retry_read(SSL_get_rbio(s));
1111  return -1;
1112  }
1113 #endif
1114  s->shutdown |= SSL_RECEIVED_SHUTDOWN;
1115  return(0);
1116  }
1117 #if 0
1118  /* XXX: this is a possible improvement in the future */
1119  /* now check if it's a missing record */
1120  if (alert_descr == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
1121  {
1122  unsigned short seq;
1123  unsigned int frag_off;
1124  unsigned char *p = &(s->d1->alert_fragment[2]);
1125 
1126  n2s(p, seq);
1127  n2l3(p, frag_off);
1128 
1129  dtls1_retransmit_message(s,
1130  dtls1_get_queue_priority(frag->msg_header.seq, 0),
1131  frag_off, &found);
1132  if ( ! found && SSL_in_init(s))
1133  {
1134  /* fprintf( stderr,"in init = %d\n", SSL_in_init(s)); */
1135  /* requested a message not yet sent,
1136  send an alert ourselves */
1137  ssl3_send_alert(s,SSL3_AL_WARNING,
1138  DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
1139  }
1140  }
1141 #endif
1142  }
1143  else if (alert_level == 2) /* fatal */
1144  {
1145  char tmp[16];
1146 
1147  s->rwstate=SSL_NOTHING;
1148  s->s3->fatal_alert = alert_descr;
1149  SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
1150  BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr);
1151  ERR_add_error_data(2,"SSL alert number ",tmp);
1152  s->shutdown|=SSL_RECEIVED_SHUTDOWN;
1153  SSL_CTX_remove_session(s->ctx,s->session);
1154  return(0);
1155  }
1156  else
1157  {
1158  al=SSL_AD_ILLEGAL_PARAMETER;
1159  SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE);
1160  goto f_err;
1161  }
1162 
1163  goto start;
1164  }
1165 
1166  if (s->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutdown */
1167  {
1168  s->rwstate=SSL_NOTHING;
1169  rr->length=0;
1170  return(0);
1171  }
1172 
1173  if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
1174  {
1175  struct ccs_header_st ccs_hdr;
1176  unsigned int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH;
1177 
1178  dtls1_get_ccs_header(rr->data, &ccs_hdr);
1179 
1180  if (s->version == DTLS1_BAD_VER)
1181  ccs_hdr_len = 3;
1182 
1183  /* 'Change Cipher Spec' is just a single byte, so we know
1184  * exactly what the record payload has to look like */
1185  /* XDTLS: check that epoch is consistent */
1186  if ( (rr->length != ccs_hdr_len) ||
1187  (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
1188  {
1189  i=SSL_AD_ILLEGAL_PARAMETER;
1190  SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
1191  goto err;
1192  }
1193 
1194  rr->length=0;
1195 
1196  if (s->msg_callback)
1197  s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC,
1198  rr->data, 1, s, s->msg_callback_arg);
1199 
1200  /* We can't process a CCS now, because previous handshake
1201  * messages are still missing, so just drop it.
1202  */
1203  if (!s->d1->change_cipher_spec_ok)
1204  {
1205  goto start;
1206  }
1207 
1208  s->d1->change_cipher_spec_ok = 0;
1209 
1210  s->s3->change_cipher_spec=1;
1211  if (!ssl3_do_change_cipher_spec(s))
1212  goto err;
1213 
1214  /* do this whenever CCS is processed */
1215  dtls1_reset_seq_numbers(s, SSL3_CC_READ);
1216 
1217  if (s->version == DTLS1_BAD_VER)
1218  s->d1->handshake_read_seq++;
1219 
1220 #ifndef OPENSSL_NO_SCTP
1221  /* Remember that a CCS has been received,
1222  * so that an old key of SCTP-Auth can be
1223  * deleted when a CCS is sent. Will be ignored
1224  * if no SCTP is used
1225  */
1226  BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
1227 #endif
1228 
1229  goto start;
1230  }
1231 
1232  /* Unexpected handshake message (Client Hello, or protocol violation) */
1233  if ((s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) &&
1234  !s->in_handshake)
1235  {
1236  struct hm_header_st msg_hdr;
1237 
1238  /* this may just be a stale retransmit */
1239  dtls1_get_message_header(rr->data, &msg_hdr);
1240  if( rr->epoch != s->d1->r_epoch)
1241  {
1242  rr->length = 0;
1243  goto start;
1244  }
1245 
1246  /* If we are server, we may have a repeated FINISHED of the
1247  * client here, then retransmit our CCS and FINISHED.
1248  */
1249  if (msg_hdr.type == SSL3_MT_FINISHED)
1250  {
1251  if (dtls1_check_timeout_num(s) < 0)
1252  return -1;
1253 
1254  dtls1_retransmit_buffered_messages(s);
1255  rr->length = 0;
1256  goto start;
1257  }
1258 
1259  if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
1260  !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
1261  {
1262 #if 0 /* worked only because C operator preferences are not as expected (and
1263  * because this is not really needed for clients except for detecting
1264  * protocol violations): */
1265  s->state=SSL_ST_BEFORE|(s->server)
1266  ?SSL_ST_ACCEPT
1267  :SSL_ST_CONNECT;
1268 #else
1269  s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
1270 #endif
1271  s->renegotiate=1;
1272  s->new_session=1;
1273  }
1274  i=s->handshake_func(s);
1275  if (i < 0) return(i);
1276  if (i == 0)
1277  {
1278  SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
1279  return(-1);
1280  }
1281 
1282  if (!(s->mode & SSL_MODE_AUTO_RETRY))
1283  {
1284  if (s->s3->rbuf.left == 0) /* no read-ahead left? */
1285  {
1286  BIO *bio;
1287  /* In the case where we try to read application data,
1288  * but we trigger an SSL handshake, we return -1 with
1289  * the retry option set. Otherwise renegotiation may
1290  * cause nasty problems in the blocking world */
1291  s->rwstate=SSL_READING;
1292  bio=SSL_get_rbio(s);
1293  BIO_clear_retry_flags(bio);
1294  BIO_set_retry_read(bio);
1295  return(-1);
1296  }
1297  }
1298  goto start;
1299  }
1300 
1301  switch (rr->type)
1302  {
1303  default:
1304 #ifndef OPENSSL_NO_TLS
1305  /* TLS just ignores unknown message types */
1306  if (s->version == TLS1_VERSION)
1307  {
1308  rr->length = 0;
1309  goto start;
1310  }
1311 #endif
1312  al=SSL_AD_UNEXPECTED_MESSAGE;
1313  SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
1314  goto f_err;
1315  case SSL3_RT_CHANGE_CIPHER_SPEC:
1316  case SSL3_RT_ALERT:
1317  case SSL3_RT_HANDSHAKE:
1318  /* we already handled all of these, with the possible exception
1319  * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that
1320  * should not happen when type != rr->type */
1321  al=SSL_AD_UNEXPECTED_MESSAGE;
1322  SSLerr(SSL_F_DTLS1_READ_BYTES,ERR_R_INTERNAL_ERROR);
1323  goto f_err;
1324  case SSL3_RT_APPLICATION_DATA:
1325  /* At this point, we were expecting handshake data,
1326  * but have application data. If the library was
1327  * running inside ssl3_read() (i.e. in_read_app_data
1328  * is set) and it makes sense to read application data
1329  * at this point (session renegotiation not yet started),
1330  * we will indulge it.
1331  */
1332  if (s->s3->in_read_app_data &&
1333  (s->s3->total_renegotiations != 0) &&
1334  ((
1335  (s->state & SSL_ST_CONNECT) &&
1336  (s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
1337  (s->state <= SSL3_ST_CR_SRVR_HELLO_A)
1338  ) || (
1339  (s->state & SSL_ST_ACCEPT) &&
1340  (s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
1341  (s->state >= SSL3_ST_SR_CLNT_HELLO_A)
1342  )
1343  ))
1344  {
1345  s->s3->in_read_app_data=2;
1346  return(-1);
1347  }
1348  else
1349  {
1350  al=SSL_AD_UNEXPECTED_MESSAGE;
1351  SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
1352  goto f_err;
1353  }
1354  }
1355  /* not reached */
1356 
1357 f_err:
1358  ssl3_send_alert(s,SSL3_AL_FATAL,al);
1359 err:
1360  return(-1);
1361  }
1362 
1363 int
1364 dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len)
1365  {
1366  int i;
1367 
1368 #ifndef OPENSSL_NO_SCTP
1369  /* Check if we have to continue an interrupted handshake
1370  * for reading belated app data with SCTP.
1371  */
1372  if ((SSL_in_init(s) && !s->in_handshake) ||
1373  (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
1374  (s->state == DTLS1_SCTP_ST_SR_READ_SOCK || s->state == DTLS1_SCTP_ST_CR_READ_SOCK)))
1375 #else
1376  if (SSL_in_init(s) && !s->in_handshake)
1377 #endif
1378  {
1379  i=s->handshake_func(s);
1380  if (i < 0) return(i);
1381  if (i == 0)
1382  {
1383  SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
1384  return -1;
1385  }
1386  }
1387 
1388  if (len > SSL3_RT_MAX_PLAIN_LENGTH)
1389  {
1390  SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES,SSL_R_DTLS_MESSAGE_TOO_BIG);
1391  return -1;
1392  }
1393 
1394  i = dtls1_write_bytes(s, type, buf_, len);
1395  return i;
1396  }
1397 
1398 
1399  /* this only happens when a client hello is received and a handshake
1400  * is started. */
1401 static int
1402 have_handshake_fragment(SSL *s, int type, unsigned char *buf,
1403  int len, int peek)
1404  {
1405 
1406  if ((type == SSL3_RT_HANDSHAKE) && (s->d1->handshake_fragment_len > 0))
1407  /* (partially) satisfy request from storage */
1408  {
1409  unsigned char *src = s->d1->handshake_fragment;
1410  unsigned char *dst = buf;
1411  unsigned int k,n;
1412 
1413  /* peek == 0 */
1414  n = 0;
1415  while ((len > 0) && (s->d1->handshake_fragment_len > 0))
1416  {
1417  *dst++ = *src++;
1418  len--; s->d1->handshake_fragment_len--;
1419  n++;
1420  }
1421  /* move any remaining fragment bytes: */
1422  for (k = 0; k < s->d1->handshake_fragment_len; k++)
1423  s->d1->handshake_fragment[k] = *src++;
1424  return n;
1425  }
1426 
1427  return 0;
1428  }
1429 
1430 
1431 
1432 
1433 /* Call this to write data in records of type 'type'
1434  * It will return <= 0 if not all data has been sent or non-blocking IO.
1435  */
1436 int dtls1_write_bytes(SSL *s, int type, const void *buf, int len)
1437  {
1438  int i;
1439 
1440  OPENSSL_assert(len <= SSL3_RT_MAX_PLAIN_LENGTH);
1441  s->rwstate=SSL_NOTHING;
1442  i=do_dtls1_write(s, type, buf, len, 0);
1443  return i;
1444  }
1445 
1446 int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, int create_empty_fragment)
1447  {
1448  unsigned char *p,*pseq;
1449  int i,mac_size,clear=0;
1450  int prefix_len = 0;
1451  SSL3_RECORD *wr;
1452  SSL3_BUFFER *wb;
1453  SSL_SESSION *sess;
1454  int bs;
1455 
1456  /* first check if there is a SSL3_BUFFER still being written
1457  * out. This will happen with non blocking IO */
1458  if (s->s3->wbuf.left != 0)
1459  {
1460  OPENSSL_assert(0); /* XDTLS: want to see if we ever get here */
1461  return(ssl3_write_pending(s,type,buf,len));
1462  }
1463 
1464  /* If we have an alert to send, lets send it */
1465  if (s->s3->alert_dispatch)
1466  {
1467  i=s->method->ssl_dispatch_alert(s);
1468  if (i <= 0)
1469  return(i);
1470  /* if it went, fall through and send more stuff */
1471  }
1472 
1473  if (len == 0 && !create_empty_fragment)
1474  return 0;
1475 
1476  wr= &(s->s3->wrec);
1477  wb= &(s->s3->wbuf);
1478  sess=s->session;
1479 
1480  if ( (sess == NULL) ||
1481  (s->enc_write_ctx == NULL) ||
1482  (EVP_MD_CTX_md(s->write_hash) == NULL))
1483  clear=1;
1484 
1485  if (clear)
1486  mac_size=0;
1487  else
1488  {
1489  mac_size=EVP_MD_CTX_size(s->write_hash);
1490  if (mac_size < 0)
1491  goto err;
1492  }
1493 
1494  /* DTLS implements explicit IV, so no need for empty fragments */
1495 #if 0
1496  /* 'create_empty_fragment' is true only when this function calls itself */
1497  if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done
1498  && SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
1499  {
1500  /* countermeasure against known-IV weakness in CBC ciphersuites
1501  * (see http://www.openssl.org/~bodo/tls-cbc.txt)
1502  */
1503 
1504  if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA)
1505  {
1506  /* recursive function call with 'create_empty_fragment' set;
1507  * this prepares and buffers the data for an empty fragment
1508  * (these 'prefix_len' bytes are sent out later
1509  * together with the actual payload) */
1510  prefix_len = s->method->do_ssl_write(s, type, buf, 0, 1);
1511  if (prefix_len <= 0)
1512  goto err;
1513 
1514  if (s->s3->wbuf.len < (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE)
1515  {
1516  /* insufficient space */
1517  SSLerr(SSL_F_DO_DTLS1_WRITE, ERR_R_INTERNAL_ERROR);
1518  goto err;
1519  }
1520  }
1521 
1522  s->s3->empty_fragment_done = 1;
1523  }
1524 #endif
1525  p = wb->buf + prefix_len;
1526 
1527  /* write the header */
1528 
1529  *(p++)=type&0xff;
1530  wr->type=type;
1531 
1532  *(p++)=(s->version>>8);
1533  *(p++)=s->version&0xff;
1534 
1535  /* field where we are to write out packet epoch, seq num and len */
1536  pseq=p;
1537  p+=10;
1538 
1539  /* lets setup the record stuff. */
1540 
1541  /* Make space for the explicit IV in case of CBC.
1542  * (this is a bit of a boundary violation, but what the heck).
1543  */
1544  if ( s->enc_write_ctx &&
1545  (EVP_CIPHER_mode( s->enc_write_ctx->cipher ) & EVP_CIPH_CBC_MODE))
1546  bs = EVP_CIPHER_block_size(s->enc_write_ctx->cipher);
1547  else
1548  bs = 0;
1549 
1550  wr->data=p + bs; /* make room for IV in case of CBC */
1551  wr->length=(int)len;
1552  wr->input=(unsigned char *)buf;
1553 
1554  /* we now 'read' from wr->input, wr->length bytes into
1555  * wr->data */
1556 
1557  /* first we compress */
1558  if (s->compress != NULL)
1559  {
1560  if (!ssl3_do_compress(s))
1561  {
1562  SSLerr(SSL_F_DO_DTLS1_WRITE,SSL_R_COMPRESSION_FAILURE);
1563  goto err;
1564  }
1565  }
1566  else
1567  {
1568  memcpy(wr->data,wr->input,wr->length);
1569  wr->input=wr->data;
1570  }
1571 
1572  /* we should still have the output to wr->data and the input
1573  * from wr->input. Length should be wr->length.
1574  * wr->data still points in the wb->buf */
1575 
1576  if (mac_size != 0)
1577  {
1578  if(s->method->ssl3_enc->mac(s,&(p[wr->length + bs]),1) < 0)
1579  goto err;
1580  wr->length+=mac_size;
1581  }
1582 
1583  /* this is true regardless of mac size */
1584  wr->input=p;
1585  wr->data=p;
1586 
1587 
1588  /* ssl3_enc can only have an error on read */
1589  if (bs) /* bs != 0 in case of CBC */
1590  {
1591  RAND_pseudo_bytes(p,bs);
1592  /* master IV and last CBC residue stand for
1593  * the rest of randomness */
1594  wr->length += bs;
1595  }
1596 
1597  s->method->ssl3_enc->enc(s,1);
1598 
1599  /* record length after mac and block padding */
1600 /* if (type == SSL3_RT_APPLICATION_DATA ||
1601  (type == SSL3_RT_ALERT && ! SSL_in_init(s))) */
1602 
1603  /* there's only one epoch between handshake and app data */
1604 
1605  s2n(s->d1->w_epoch, pseq);
1606 
1607  /* XDTLS: ?? */
1608 /* else
1609  s2n(s->d1->handshake_epoch, pseq); */
1610 
1611  memcpy(pseq, &(s->s3->write_sequence[2]), 6);
1612  pseq+=6;
1613  s2n(wr->length,pseq);
1614 
1615  /* we should now have
1616  * wr->data pointing to the encrypted data, which is
1617  * wr->length long */
1618  wr->type=type; /* not needed but helps for debugging */
1619  wr->length+=DTLS1_RT_HEADER_LENGTH;
1620 
1621 #if 0 /* this is now done at the message layer */
1622  /* buffer the record, making it easy to handle retransmits */
1623  if ( type == SSL3_RT_HANDSHAKE || type == SSL3_RT_CHANGE_CIPHER_SPEC)
1624  dtls1_buffer_record(s, wr->data, wr->length,
1625  *((PQ_64BIT *)&(s->s3->write_sequence[0])));
1626 #endif
1627 
1628  ssl3_record_sequence_update(&(s->s3->write_sequence[0]));
1629 
1630  if (create_empty_fragment)
1631  {
1632  /* we are in a recursive call;
1633  * just return the length, don't write out anything here
1634  */
1635  return wr->length;
1636  }
1637 
1638  /* now let's set up wb */
1639  wb->left = prefix_len + wr->length;
1640  wb->offset = 0;
1641 
1642  /* memorize arguments so that ssl3_write_pending can detect bad write retries later */
1643  s->s3->wpend_tot=len;
1644  s->s3->wpend_buf=buf;
1645  s->s3->wpend_type=type;
1646  s->s3->wpend_ret=len;
1647 
1648  /* we now just need to write the buffer */
1649  return ssl3_write_pending(s,type,buf,len);
1650 err:
1651  return -1;
1652  }
1653 
1654 
1655 
1656 static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap)
1657  {
1658  int cmp;
1659  unsigned int shift;
1660  const unsigned char *seq = s->s3->read_sequence;
1661 
1662  cmp = satsub64be(seq,bitmap->max_seq_num);
1663  if (cmp > 0)
1664  {
1665  memcpy (s->s3->rrec.seq_num,seq,8);
1666  return 1; /* this record in new */
1667  }
1668  shift = -cmp;
1669  if (shift >= sizeof(bitmap->map)*8)
1670  return 0; /* stale, outside the window */
1671  else if (bitmap->map & (1UL<<shift))
1672  return 0; /* record previously received */
1673 
1674  memcpy (s->s3->rrec.seq_num,seq,8);
1675  return 1;
1676  }
1677 
1678 
1679 static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap)
1680  {
1681  int cmp;
1682  unsigned int shift;
1683  const unsigned char *seq = s->s3->read_sequence;
1684 
1685  cmp = satsub64be(seq,bitmap->max_seq_num);
1686  if (cmp > 0)
1687  {
1688  shift = cmp;
1689  if (shift < sizeof(bitmap->map)*8)
1690  bitmap->map <<= shift, bitmap->map |= 1UL;
1691  else
1692  bitmap->map = 1UL;
1693  memcpy(bitmap->max_seq_num,seq,8);
1694  }
1695  else {
1696  shift = -cmp;
1697  if (shift < sizeof(bitmap->map)*8)
1698  bitmap->map |= 1UL<<shift;
1699  }
1700  }
1701 
1702 
1703 int dtls1_dispatch_alert(SSL *s)
1704  {
1705  int i,j;
1706  void (*cb)(const SSL *ssl,int type,int val)=NULL;
1707  unsigned char buf[DTLS1_AL_HEADER_LENGTH];
1708  unsigned char *ptr = &buf[0];
1709 
1710  s->s3->alert_dispatch=0;
1711 
1712  memset(buf, 0x00, sizeof(buf));
1713  *ptr++ = s->s3->send_alert[0];
1714  *ptr++ = s->s3->send_alert[1];
1715 
1716 #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
1717  if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
1718  {
1719  s2n(s->d1->handshake_read_seq, ptr);
1720 #if 0
1721  if ( s->d1->r_msg_hdr.frag_off == 0) /* waiting for a new msg */
1722 
1723  else
1724  s2n(s->d1->r_msg_hdr.seq, ptr); /* partial msg read */
1725 #endif
1726 
1727 #if 0
1728  fprintf(stderr, "s->d1->handshake_read_seq = %d, s->d1->r_msg_hdr.seq = %d\n",s->d1->handshake_read_seq,s->d1->r_msg_hdr.seq);
1729 #endif
1730  l2n3(s->d1->r_msg_hdr.frag_off, ptr);
1731  }
1732 #endif
1733 
1734  i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0);
1735  if (i <= 0)
1736  {
1737  s->s3->alert_dispatch=1;
1738  /* fprintf( stderr, "not done with alert\n" ); */
1739  }
1740  else
1741  {
1742  if (s->s3->send_alert[0] == SSL3_AL_FATAL
1743 #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
1744  || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
1745 #endif
1746  )
1747  (void)BIO_flush(s->wbio);
1748 
1749  if (s->msg_callback)
1750  s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert,
1751  2, s, s->msg_callback_arg);
1752 
1753  if (s->info_callback != NULL)
1754  cb=s->info_callback;
1755  else if (s->ctx->info_callback != NULL)
1756  cb=s->ctx->info_callback;
1757 
1758  if (cb != NULL)
1759  {
1760  j=(s->s3->send_alert[0]<<8)|s->s3->send_alert[1];
1761  cb(s,SSL_CB_WRITE_ALERT,j);
1762  }
1763  }
1764  return(i);
1765  }
1766 
1767 
1768 static DTLS1_BITMAP *
1769 dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch)
1770  {
1771 
1772  *is_next_epoch = 0;
1773 
1774  /* In current epoch, accept HM, CCS, DATA, & ALERT */
1775  if (rr->epoch == s->d1->r_epoch)
1776  return &s->d1->bitmap;
1777 
1778  /* Only HM and ALERT messages can be from the next epoch */
1779  else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) &&
1780  (rr->type == SSL3_RT_HANDSHAKE ||
1781  rr->type == SSL3_RT_ALERT))
1782  {
1783  *is_next_epoch = 1;
1784  return &s->d1->next_bitmap;
1785  }
1786 
1787  return NULL;
1788  }
1789 
1790 #if 0
1791 static int
1792 dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr, unsigned short *priority,
1793  unsigned long *offset)
1794  {
1795 
1796  /* alerts are passed up immediately */
1797  if ( rr->type == SSL3_RT_APPLICATION_DATA ||
1798  rr->type == SSL3_RT_ALERT)
1799  return 0;
1800 
1801  /* Only need to buffer if a handshake is underway.
1802  * (this implies that Hello Request and Client Hello are passed up
1803  * immediately) */
1804  if ( SSL_in_init(s))
1805  {
1806  unsigned char *data = rr->data;
1807  /* need to extract the HM/CCS sequence number here */
1808  if ( rr->type == SSL3_RT_HANDSHAKE ||
1809  rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
1810  {
1811  unsigned short seq_num;
1812  struct hm_header_st msg_hdr;
1813  struct ccs_header_st ccs_hdr;
1814 
1815  if ( rr->type == SSL3_RT_HANDSHAKE)
1816  {
1817  dtls1_get_message_header(data, &msg_hdr);
1818  seq_num = msg_hdr.seq;
1819  *offset = msg_hdr.frag_off;
1820  }
1821  else
1822  {
1823  dtls1_get_ccs_header(data, &ccs_hdr);
1824  seq_num = ccs_hdr.seq;
1825  *offset = 0;
1826  }
1827 
1828  /* this is either a record we're waiting for, or a
1829  * retransmit of something we happened to previously
1830  * receive (higher layers will drop the repeat silently */
1831  if ( seq_num < s->d1->handshake_read_seq)
1832  return 0;
1833  if (rr->type == SSL3_RT_HANDSHAKE &&
1834  seq_num == s->d1->handshake_read_seq &&
1835  msg_hdr.frag_off < s->d1->r_msg_hdr.frag_off)
1836  return 0;
1837  else if ( seq_num == s->d1->handshake_read_seq &&
1838  (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC ||
1839  msg_hdr.frag_off == s->d1->r_msg_hdr.frag_off))
1840  return 0;
1841  else
1842  {
1843  *priority = seq_num;
1844  return 1;
1845  }
1846  }
1847  else /* unknown record type */
1848  return 0;
1849  }
1850 
1851  return 0;
1852  }
1853 #endif
1854 
1855 void
1856 dtls1_reset_seq_numbers(SSL *s, int rw)
1857  {
1858  unsigned char *seq;
1859  unsigned int seq_bytes = sizeof(s->s3->read_sequence);
1860 
1861  if ( rw & SSL3_CC_READ)
1862  {
1863  seq = s->s3->read_sequence;
1864  s->d1->r_epoch++;
1865  memcpy(&(s->d1->bitmap), &(s->d1->next_bitmap), sizeof(DTLS1_BITMAP));
1866  memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP));
1867  }
1868  else
1869  {
1870  seq = s->s3->write_sequence;
1871  memcpy(s->d1->last_write_sequence, seq, sizeof(s->s3->write_sequence));
1872  s->d1->w_epoch++;
1873  }
1874 
1875  memset(seq, 0x00, seq_bytes);
1876  }
Generated on Thu Jan 10 2013 09:53:43 for OpenSSL by   doxygen 1.8.2