summaryrefslogtreecommitdiff
path: root/src/lib/libssl/d1_both.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/d1_both.c129
1 files changed, 84 insertions, 45 deletions
diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c
index bd4267238f..f27588fcff 100644
--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: d1_both.c,v 1.22 2014/07/02 20:45:26 miod Exp $ */ 1/* $OpenBSD: d1_both.c,v 1.23 2014/07/10 08:25:00 guenther Exp $ */
2/* 2/*
3 * DTLS implementation written by Nagendra Modadugu 3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -233,8 +233,11 @@ dtls1_do_write(SSL *s, int type)
233 s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), 233 s->d1->mtu = BIO_ctrl(SSL_get_wbio(s),
234 BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL); 234 BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
235 235
236 /* I've seen the kernel return bogus numbers when it doesn't know 236 /*
237 * (initial write), so just make sure we have a reasonable number */ 237 * I've seen the kernel return bogus numbers when it
238 * doesn't know the MTU (ie., the initial write), so just
239 * make sure we have a reasonable number
240 */
238 if (s->d1->mtu < dtls1_min_mtu()) { 241 if (s->d1->mtu < dtls1_min_mtu()) {
239 s->d1->mtu = 0; 242 s->d1->mtu = 0;
240 s->d1->mtu = dtls1_guess_mtu(s->d1->mtu); 243 s->d1->mtu = dtls1_guess_mtu(s->d1->mtu);
@@ -306,11 +309,12 @@ dtls1_do_write(SSL *s, int type)
306 ret = dtls1_write_bytes(s, type, 309 ret = dtls1_write_bytes(s, type,
307 &s->init_buf->data[s->init_off], len); 310 &s->init_buf->data[s->init_off], len);
308 if (ret < 0) { 311 if (ret < 0) {
309 /* might need to update MTU here, but we don't know 312 /*
310 * which previous packet caused the failure -- so can't 313 * Might need to update MTU here, but we don't know
311 * really retransmit anything. continue as if everything 314 * which previous packet caused the failure -- so
312 * is fine and wait for an alert to handle the 315 * can't really retransmit anything. continue as
313 * retransmit 316 * if everything is fine and wait for an alert to
317 * handle the retransmit
314 */ 318 */
315 if (BIO_ctrl(SSL_get_wbio(s), 319 if (BIO_ctrl(SSL_get_wbio(s),
316 BIO_CTRL_DGRAM_MTU_EXCEEDED, 0, NULL) > 0) 320 BIO_CTRL_DGRAM_MTU_EXCEEDED, 0, NULL) > 0)
@@ -320,22 +324,30 @@ dtls1_do_write(SSL *s, int type)
320 return (-1); 324 return (-1);
321 } else { 325 } else {
322 326
323 /* bad if this assert fails, only part of the handshake 327 /*
324 * message got sent. but why would this happen? */ 328 * Bad if this assert fails, only part of the
329 * handshake message got sent. but why would
330 * this happen?
331 */
325 OPENSSL_assert(len == (unsigned int)ret); 332 OPENSSL_assert(len == (unsigned int)ret);
326 333
327 if (type == SSL3_RT_HANDSHAKE && 334 if (type == SSL3_RT_HANDSHAKE &&
328 !s->d1->retransmitting) { 335 !s->d1->retransmitting) {
329 /* should not be done for 'Hello Request's, but in that case 336 /*
330 * we'll ignore the result anyway */ 337 * Should not be done for 'Hello Request's,
338 * but in that case we'll ignore the result
339 * anyway
340 */
331 unsigned char *p = (unsigned char *)&s->init_buf->data[s->init_off]; 341 unsigned char *p = (unsigned char *)&s->init_buf->data[s->init_off];
332 const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; 342 const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
333 int xlen; 343 int xlen;
334 344
335 if (frag_off == 0 && 345 if (frag_off == 0 &&
336 s->version != DTLS1_BAD_VER) { 346 s->version != DTLS1_BAD_VER) {
337 /* reconstruct message header is if it 347 /*
338 * is being sent in single fragment */ 348 * Reconstruct message header is if it
349 * is being sent in single fragment
350 */
339 *p++ = msg_hdr->type; 351 *p++ = msg_hdr->type;
340 l2n3(msg_hdr->msg_len, p); 352 l2n3(msg_hdr->msg_len, p);
341 s2n (msg_hdr->seq, p); 353 s2n (msg_hdr->seq, p);
@@ -373,7 +385,8 @@ dtls1_do_write(SSL *s, int type)
373} 385}
374 386
375 387
376/* Obtain handshake message of message type 'mt' (any if mt == -1), 388/*
389 * Obtain handshake message of message type 'mt' (any if mt == -1),
377 * maximum acceptable body length 'max'. 390 * maximum acceptable body length 'max'.
378 * Read an entire handshake message. Handshake messages arrive in 391 * Read an entire handshake message. Handshake messages arrive in
379 * fragments. 392 * fragments.
@@ -386,8 +399,10 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
386 unsigned char *p; 399 unsigned char *p;
387 unsigned long msg_len; 400 unsigned long msg_len;
388 401
389 /* s3->tmp is used to store messages that are unexpected, caused 402 /*
390 * by the absence of an optional handshake message */ 403 * s3->tmp is used to store messages that are unexpected, caused
404 * by the absence of an optional handshake message
405 */
391 if (s->s3->tmp.reuse_message) { 406 if (s->s3->tmp.reuse_message) {
392 s->s3->tmp.reuse_message = 0; 407 s->s3->tmp.reuse_message = 0;
393 if ((mt >= 0) && (s->s3->tmp.message_type != mt)) { 408 if ((mt >= 0) && (s->s3->tmp.message_type != mt)) {
@@ -472,8 +487,10 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max)
472 487
473 if ( s->d1->r_msg_hdr.frag_off == 0) /* first fragment */ 488 if ( s->d1->r_msg_hdr.frag_off == 0) /* first fragment */
474 { 489 {
475 /* msg_len is limited to 2^24, but is effectively checked 490 /*
476 * against max above */ 491 * msg_len is limited to 2^24, but is effectively checked
492 * against max above
493 */
477 if (!BUF_MEM_grow_clean(s->init_buf, 494 if (!BUF_MEM_grow_clean(s->init_buf,
478 msg_len + DTLS1_HM_HEADER_LENGTH)) { 495 msg_len + DTLS1_HM_HEADER_LENGTH)) {
479 SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB); 496 SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB);
@@ -486,8 +503,10 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max)
486 s->d1->r_msg_hdr.type = msg_hdr->type; 503 s->d1->r_msg_hdr.type = msg_hdr->type;
487 s->d1->r_msg_hdr.seq = msg_hdr->seq; 504 s->d1->r_msg_hdr.seq = msg_hdr->seq;
488 } else if (msg_len != s->d1->r_msg_hdr.msg_len) { 505 } else if (msg_len != s->d1->r_msg_hdr.msg_len) {
489 /* They must be playing with us! BTW, failure to enforce 506 /*
490 * upper limit would open possibility for buffer overrun. */ 507 * They must be playing with us! BTW, failure to enforce
508 * upper limit would open possibility for buffer overrun.
509 */
491 SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, 510 SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT,
492 SSL_R_EXCESSIVE_MESSAGE_SIZE); 511 SSL_R_EXCESSIVE_MESSAGE_SIZE);
493 return SSL_AD_ILLEGAL_PARAMETER; 512 return SSL_AD_ILLEGAL_PARAMETER;
@@ -499,7 +518,8 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max)
499static int 518static int
500dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) 519dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
501{ 520{
502 /* (0) check whether the desired fragment is available 521 /*
522 * (0) check whether the desired fragment is available
503 * if so: 523 * if so:
504 * (1) copy over the fragment to s->init_buf->data[] 524 * (1) copy over the fragment to s->init_buf->data[]
505 * (2) update s->init_num 525 * (2) update s->init_num
@@ -561,7 +581,8 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
561 if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len) 581 if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len)
562 goto err; 582 goto err;
563 583
564 /* Determine maximum allowed message size. Depends on (user set) 584 /*
585 * Determine maximum allowed message size. Depends on (user set)
565 * maximum certificate length, but 16k is minimum. 586 * maximum certificate length, but 16k is minimum.
566 */ 587 */
567 if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH < 588 if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH <
@@ -595,7 +616,8 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
595 } 616 }
596 } 617 }
597 618
598 /* If message is already reassembled, this must be a 619 /*
620 * If message is already reassembled, this must be a
599 * retransmit and can be dropped. 621 * retransmit and can be dropped.
600 */ 622 */
601 if (frag->reassembly == NULL) { 623 if (frag->reassembly == NULL) {
@@ -672,13 +694,15 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
672 seq64be[7] = (unsigned char) msg_hdr->seq; 694 seq64be[7] = (unsigned char) msg_hdr->seq;
673 item = pqueue_find(s->d1->buffered_messages, seq64be); 695 item = pqueue_find(s->d1->buffered_messages, seq64be);
674 696
675 /* If we already have an entry and this one is a fragment, 697 /*
698 * If we already have an entry and this one is a fragment,
676 * don't discard it and rather try to reassemble it. 699 * don't discard it and rather try to reassemble it.
677 */ 700 */
678 if (item != NULL && frag_len < msg_hdr->msg_len) 701 if (item != NULL && frag_len < msg_hdr->msg_len)
679 item = NULL; 702 item = NULL;
680 703
681 /* Discard the message if sequence number was already there, is 704 /*
705 * Discard the message if sequence number was already there, is
682 * too far in the future, already in the queue or if we received 706 * too far in the future, already in the queue or if we received
683 * a FINISHED before the SERVER_HELLO, which then must be a stale 707 * a FINISHED before the SERVER_HELLO, which then must be a stale
684 * retransmit. 708 * retransmit.
@@ -791,10 +815,12 @@ again:
791 815
792 if (!s->server && s->d1->r_msg_hdr.frag_off == 0 && 816 if (!s->server && s->d1->r_msg_hdr.frag_off == 0 &&
793 wire[0] == SSL3_MT_HELLO_REQUEST) { 817 wire[0] == SSL3_MT_HELLO_REQUEST) {
794 /* The server may always send 'Hello Request' messages -- 818 /*
819 * The server may always send 'Hello Request' messages --
795 * we are doing a handshake anyway now, so ignore them 820 * we are doing a handshake anyway now, so ignore them
796 * if their format is correct. Does not count for 821 * if their format is correct. Does not count for
797 * 'Finished' MAC. */ 822 * 'Finished' MAC.
823 */
798 if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0) { 824 if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0) {
799 if (s->msg_callback) 825 if (s->msg_callback)
800 s->msg_callback(0, s->version, 826 s->msg_callback(0, s->version,
@@ -834,8 +860,10 @@ again:
834 } else 860 } else
835 i = 0; 861 i = 0;
836 862
837 /* XDTLS: an incorrectly formatted fragment should cause the 863 /*
838 * handshake to fail */ 864 * XDTLS: an incorrectly formatted fragment should cause the
865 * handshake to fail
866 */
839 if (i != (int)frag_len) { 867 if (i != (int)frag_len) {
840 al = SSL3_AD_ILLEGAL_PARAMETER; 868 al = SSL3_AD_ILLEGAL_PARAMETER;
841 SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT, 869 SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,
@@ -845,10 +873,12 @@ again:
845 873
846 *ok = 1; 874 *ok = 1;
847 875
848 /* Note that s->init_num is *not* used as current offset in 876 /*
877 * Note that s->init_num is *not* used as current offset in
849 * s->init_buf->data, but as a counter summing up fragments' 878 * s->init_buf->data, but as a counter summing up fragments'
850 * lengths: as soon as they sum up to handshake packet 879 * lengths: as soon as they sum up to handshake packet
851 * length, we assume we have got all the fragments. */ 880 * length, we assume we have got all the fragments.
881 */
852 s->init_num = frag_len; 882 s->init_num = frag_len;
853 return frag_len; 883 return frag_len;
854 884
@@ -878,7 +908,8 @@ dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen)
878 p += i; 908 p += i;
879 l = i; 909 l = i;
880 910
881 /* Copy the finished so we can use it for 911 /*
912 * Copy the finished so we can use it for
882 * renegotiation checks 913 * renegotiation checks
883 */ 914 */
884 if (s->type == SSL_ST_CONNECT) { 915 if (s->type == SSL_ST_CONNECT) {
@@ -907,7 +938,8 @@ dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen)
907 return (dtls1_do_write(s, SSL3_RT_HANDSHAKE)); 938 return (dtls1_do_write(s, SSL3_RT_HANDSHAKE));
908} 939}
909 940
910/* for these 2 messages, we need to 941/*
942 * for these 2 messages, we need to
911 * ssl->enc_read_ctx re-init 943 * ssl->enc_read_ctx re-init
912 * ssl->s3->read_sequence zero 944 * ssl->s3->read_sequence zero
913 * ssl->s3->read_mac_secret re-init 945 * ssl->s3->read_mac_secret re-init
@@ -1031,8 +1063,10 @@ dtls1_read_failed(SSL *s, int code)
1031 } 1063 }
1032 1064
1033 if (!dtls1_is_timer_expired(s)) { 1065 if (!dtls1_is_timer_expired(s)) {
1034 /* not a timeout, none of our business, 1066 /*
1035 let higher layers handle this. in fact it's probably an error */ 1067 * not a timeout, none of our business, let higher layers
1068 * handle this. in fact it's probably an error
1069 */
1036 return code; 1070 return code;
1037 } 1071 }
1038 1072
@@ -1048,13 +1082,16 @@ dtls1_read_failed(SSL *s, int code)
1048int 1082int
1049dtls1_get_queue_priority(unsigned short seq, int is_ccs) 1083dtls1_get_queue_priority(unsigned short seq, int is_ccs)
1050{ 1084{
1051 /* The index of the retransmission queue actually is the message sequence number, 1085 /*
1052 * since the queue only contains messages of a single handshake. However, the 1086 * The index of the retransmission queue actually is the message
1053 * ChangeCipherSpec has no message sequence number and so using only the sequence 1087 * sequence number, since the queue only contains messages of a
1054 * will result in the CCS and Finished having the same index. To prevent this, 1088 * single handshake. However, the ChangeCipherSpec has no message
1055 * the sequence number is multiplied by 2. In case of a CCS 1 is subtracted. 1089 * sequence number and so using only the sequence will result in
1056 * This does not only differ CSS and Finished, it also maintains the order of the 1090 * the CCS and Finished having the same index. To prevent this, the
1057 * index (important for priority queues) and fits in the unsigned short variable. 1091 * sequence number is multiplied by 2. In case of a CCS 1 is
1092 * subtracted. This does not only differ CSS and Finished, it also
1093 * maintains the order of the index (important for priority queues)
1094 * and fits in the unsigned short variable.
1058 */ 1095 */
1059 return seq * 2 - is_ccs; 1096 return seq * 2 - is_ccs;
1060} 1097}
@@ -1092,8 +1129,10 @@ dtls1_buffer_message(SSL *s, int is_ccs)
1092 hm_fragment *frag; 1129 hm_fragment *frag;
1093 unsigned char seq64be[8]; 1130 unsigned char seq64be[8];
1094 1131
1095 /* this function is called immediately after a message has 1132 /*
1096 * been serialized */ 1133 * This function is called immediately after a message has
1134 * been serialized
1135 */
1097 OPENSSL_assert(s->init_off == 0); 1136 OPENSSL_assert(s->init_off == 0);
1098 1137
1099 frag = dtls1_hm_fragment_new(s->init_num, 0); 1138 frag = dtls1_hm_fragment_new(s->init_num, 0);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-28 23:25:51 +0000