diff options
Diffstat (limited to 'src/lib/libssl/d1_pkt.c')
-rw-r--r-- | src/lib/libssl/d1_pkt.c | 543 |
1 files changed, 281 insertions, 262 deletions
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c index a5439d544f..eb56cf987b 100644 --- a/src/lib/libssl/d1_pkt.c +++ b/src/lib/libssl/d1_pkt.c | |||
@@ -122,53 +122,10 @@ | |||
122 | #include <openssl/pqueue.h> | 122 | #include <openssl/pqueue.h> |
123 | #include <openssl/rand.h> | 123 | #include <openssl/rand.h> |
124 | 124 | ||
125 | /* mod 128 saturating subtract of two 64-bit values in big-endian order */ | ||
126 | static int satsub64be(const unsigned char *v1,const unsigned char *v2) | ||
127 | { int ret,sat,brw,i; | ||
128 | |||
129 | if (sizeof(long) == 8) do | ||
130 | { const union { long one; char little; } is_endian = {1}; | ||
131 | long l; | ||
132 | |||
133 | if (is_endian.little) break; | ||
134 | /* not reached on little-endians */ | ||
135 | /* following test is redundant, because input is | ||
136 | * always aligned, but I take no chances... */ | ||
137 | if (((size_t)v1|(size_t)v2)&0x7) break; | ||
138 | |||
139 | l = *((long *)v1); | ||
140 | l -= *((long *)v2); | ||
141 | if (l>128) return 128; | ||
142 | else if (l<-128) return -128; | ||
143 | else return (int)l; | ||
144 | } while (0); | ||
145 | |||
146 | ret = (int)v1[7]-(int)v2[7]; | ||
147 | sat = 0; | ||
148 | brw = ret>>8; /* brw is either 0 or -1 */ | ||
149 | if (ret & 0x80) | ||
150 | { for (i=6;i>=0;i--) | ||
151 | { brw += (int)v1[i]-(int)v2[i]; | ||
152 | sat |= ~brw; | ||
153 | brw >>= 8; | ||
154 | } | ||
155 | } | ||
156 | else | ||
157 | { for (i=6;i>=0;i--) | ||
158 | { brw += (int)v1[i]-(int)v2[i]; | ||
159 | sat |= brw; | ||
160 | brw >>= 8; | ||
161 | } | ||
162 | } | ||
163 | brw <<= 8; /* brw is either 0 or -256 */ | ||
164 | |||
165 | if (sat&0xff) return brw | 0x80; | ||
166 | else return brw + (ret&0xFF); | ||
167 | } | ||
168 | |||
169 | static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, | 125 | static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, |
170 | int len, int peek); | 126 | int len, int peek); |
171 | static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap); | 127 | static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap, |
128 | PQ_64BIT *seq_num); | ||
172 | static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap); | 129 | static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap); |
173 | static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, | 130 | static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, |
174 | unsigned int *is_next_epoch); | 131 | unsigned int *is_next_epoch); |
@@ -177,8 +134,11 @@ static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr, | |||
177 | unsigned short *priority, unsigned long *offset); | 134 | unsigned short *priority, unsigned long *offset); |
178 | #endif | 135 | #endif |
179 | static int dtls1_buffer_record(SSL *s, record_pqueue *q, | 136 | static int dtls1_buffer_record(SSL *s, record_pqueue *q, |
180 | unsigned char *priority); | 137 | PQ_64BIT priority); |
181 | static int dtls1_process_record(SSL *s); | 138 | static int dtls1_process_record(SSL *s); |
139 | #if PQ_64BIT_IS_INTEGER | ||
140 | static PQ_64BIT bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num); | ||
141 | #endif | ||
182 | static void dtls1_clear_timeouts(SSL *s); | 142 | static void dtls1_clear_timeouts(SSL *s); |
183 | 143 | ||
184 | /* copy buffered record into SSL structure */ | 144 | /* copy buffered record into SSL structure */ |
@@ -196,24 +156,17 @@ dtls1_copy_record(SSL *s, pitem *item) | |||
196 | s->packet_length = rdata->packet_length; | 156 | s->packet_length = rdata->packet_length; |
197 | memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER)); | 157 | memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER)); |
198 | memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD)); | 158 | memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD)); |
199 | |||
200 | /* Set proper sequence number for mac calculation */ | ||
201 | memcpy(&(s->s3->read_sequence[2]), &(rdata->packet[5]), 6); | ||
202 | 159 | ||
203 | return(1); | 160 | return(1); |
204 | } | 161 | } |
205 | 162 | ||
206 | 163 | ||
207 | static int | 164 | static int |
208 | dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) | 165 | dtls1_buffer_record(SSL *s, record_pqueue *queue, PQ_64BIT priority) |
209 | { | 166 | { |
210 | DTLS1_RECORD_DATA *rdata; | 167 | DTLS1_RECORD_DATA *rdata; |
211 | pitem *item; | 168 | pitem *item; |
212 | 169 | ||
213 | /* Limit the size of the queue to prevent DOS attacks */ | ||
214 | if (pqueue_size(queue->q) >= 100) | ||
215 | return 0; | ||
216 | |||
217 | rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); | 170 | rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); |
218 | item = pitem_new(priority, rdata); | 171 | item = pitem_new(priority, rdata); |
219 | if (rdata == NULL || item == NULL) | 172 | if (rdata == NULL || item == NULL) |
@@ -254,7 +207,7 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) | |||
254 | } | 207 | } |
255 | 208 | ||
256 | return(1); | 209 | return(1); |
257 | } | 210 | } |
258 | 211 | ||
259 | 212 | ||
260 | static int | 213 | static int |
@@ -371,17 +324,17 @@ dtls1_get_buffered_record(SSL *s) | |||
371 | static int | 324 | static int |
372 | dtls1_process_record(SSL *s) | 325 | dtls1_process_record(SSL *s) |
373 | { | 326 | { |
374 | int i,al; | 327 | int i,al; |
375 | int clear=0; | 328 | int clear=0; |
376 | int enc_err; | 329 | int enc_err; |
377 | SSL_SESSION *sess; | 330 | SSL_SESSION *sess; |
378 | SSL3_RECORD *rr; | 331 | SSL3_RECORD *rr; |
379 | unsigned int mac_size; | 332 | unsigned int mac_size; |
380 | unsigned char md[EVP_MAX_MD_SIZE]; | 333 | unsigned char md[EVP_MAX_MD_SIZE]; |
381 | 334 | ||
382 | 335 | ||
383 | rr= &(s->s3->rrec); | 336 | rr= &(s->s3->rrec); |
384 | sess = s->session; | 337 | sess = s->session; |
385 | 338 | ||
386 | /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, | 339 | /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, |
387 | * and we have that many bytes in s->packet | 340 | * and we have that many bytes in s->packet |
@@ -417,7 +370,7 @@ dtls1_process_record(SSL *s) | |||
417 | goto err; | 370 | goto err; |
418 | 371 | ||
419 | /* otherwise enc_err == -1 */ | 372 | /* otherwise enc_err == -1 */ |
420 | goto err; | 373 | goto decryption_failed_or_bad_record_mac; |
421 | } | 374 | } |
422 | 375 | ||
423 | #ifdef TLS_DEBUG | 376 | #ifdef TLS_DEBUG |
@@ -427,18 +380,14 @@ printf("\n"); | |||
427 | #endif | 380 | #endif |
428 | 381 | ||
429 | /* r->length is now the compressed data plus mac */ | 382 | /* r->length is now the compressed data plus mac */ |
430 | if ( (sess == NULL) || | 383 | if ( (sess == NULL) || |
431 | (s->enc_read_ctx == NULL) || | 384 | (s->enc_read_ctx == NULL) || |
432 | (s->read_hash == NULL)) | 385 | (s->read_hash == NULL)) |
433 | clear=1; | 386 | clear=1; |
434 | 387 | ||
435 | if (!clear) | 388 | if (!clear) |
436 | { | 389 | { |
437 | /* !clear => s->read_hash != NULL => mac_size != -1 */ | 390 | mac_size=EVP_MD_size(s->read_hash); |
438 | int t; | ||
439 | t=EVP_MD_CTX_size(s->read_hash); | ||
440 | OPENSSL_assert(t >= 0); | ||
441 | mac_size=t; | ||
442 | 391 | ||
443 | if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size) | 392 | if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size) |
444 | { | 393 | { |
@@ -447,7 +396,7 @@ printf("\n"); | |||
447 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); | 396 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); |
448 | goto f_err; | 397 | goto f_err; |
449 | #else | 398 | #else |
450 | goto err; | 399 | goto decryption_failed_or_bad_record_mac; |
451 | #endif | 400 | #endif |
452 | } | 401 | } |
453 | /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ | 402 | /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ |
@@ -458,14 +407,14 @@ printf("\n"); | |||
458 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); | 407 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); |
459 | goto f_err; | 408 | goto f_err; |
460 | #else | 409 | #else |
461 | goto err; | 410 | goto decryption_failed_or_bad_record_mac; |
462 | #endif | 411 | #endif |
463 | } | 412 | } |
464 | rr->length-=mac_size; | 413 | rr->length-=mac_size; |
465 | i=s->method->ssl3_enc->mac(s,md,0); | 414 | i=s->method->ssl3_enc->mac(s,md,0); |
466 | if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0) | 415 | if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0) |
467 | { | 416 | { |
468 | goto err; | 417 | goto decryption_failed_or_bad_record_mac; |
469 | } | 418 | } |
470 | } | 419 | } |
471 | 420 | ||
@@ -504,9 +453,17 @@ printf("\n"); | |||
504 | 453 | ||
505 | /* we have pulled in a full packet so zero things */ | 454 | /* we have pulled in a full packet so zero things */ |
506 | s->packet_length=0; | 455 | s->packet_length=0; |
507 | dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */ | 456 | dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */ |
508 | return(1); | 457 | return(1); |
509 | 458 | ||
459 | decryption_failed_or_bad_record_mac: | ||
460 | /* Separate 'decryption_failed' alert was introduced with TLS 1.0, | ||
461 | * SSL 3.0 only has 'bad_record_mac'. But unless a decryption | ||
462 | * failure is directly visible from the ciphertext anyway, | ||
463 | * we should not reveal which kind of error occured -- this | ||
464 | * might become visible to an attacker (e.g. via logfile) */ | ||
465 | al=SSL_AD_BAD_RECORD_MAC; | ||
466 | SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); | ||
510 | f_err: | 467 | f_err: |
511 | ssl3_send_alert(s,SSL3_AL_FATAL,al); | 468 | ssl3_send_alert(s,SSL3_AL_FATAL,al); |
512 | err: | 469 | err: |
@@ -525,11 +482,11 @@ err: | |||
525 | /* used only by dtls1_read_bytes */ | 482 | /* used only by dtls1_read_bytes */ |
526 | int dtls1_get_record(SSL *s) | 483 | int dtls1_get_record(SSL *s) |
527 | { | 484 | { |
528 | int ssl_major,ssl_minor; | 485 | int ssl_major,ssl_minor,al; |
529 | int i,n; | 486 | int i,n; |
530 | SSL3_RECORD *rr; | 487 | SSL3_RECORD *rr; |
531 | SSL_SESSION *sess; | 488 | SSL_SESSION *sess; |
532 | unsigned char *p = NULL; | 489 | unsigned char *p; |
533 | unsigned short version; | 490 | unsigned short version; |
534 | DTLS1_BITMAP *bitmap; | 491 | DTLS1_BITMAP *bitmap; |
535 | unsigned int is_next_epoch; | 492 | unsigned int is_next_epoch; |
@@ -537,9 +494,10 @@ int dtls1_get_record(SSL *s) | |||
537 | rr= &(s->s3->rrec); | 494 | rr= &(s->s3->rrec); |
538 | sess=s->session; | 495 | sess=s->session; |
539 | 496 | ||
540 | /* The epoch may have changed. If so, process all the | 497 | /* The epoch may have changed. If so, process all the |
541 | * pending records. This is a non-blocking operation. */ | 498 | * pending records. This is a non-blocking operation. */ |
542 | dtls1_process_buffered_records(s); | 499 | if ( ! dtls1_process_buffered_records(s)) |
500 | return 0; | ||
543 | 501 | ||
544 | /* if we're renegotiating, then there may be buffered records */ | 502 | /* if we're renegotiating, then there may be buffered records */ |
545 | if (dtls1_get_processed_record(s)) | 503 | if (dtls1_get_processed_record(s)) |
@@ -555,12 +513,7 @@ again: | |||
555 | /* read timeout is handled by dtls1_read_bytes */ | 513 | /* read timeout is handled by dtls1_read_bytes */ |
556 | if (n <= 0) return(n); /* error or non-blocking */ | 514 | if (n <= 0) return(n); /* error or non-blocking */ |
557 | 515 | ||
558 | /* this packet contained a partial record, dump it */ | 516 | OPENSSL_assert(s->packet_length == DTLS1_RT_HEADER_LENGTH); |
559 | if (s->packet_length != DTLS1_RT_HEADER_LENGTH) | ||
560 | { | ||
561 | s->packet_length = 0; | ||
562 | goto again; | ||
563 | } | ||
564 | 517 | ||
565 | s->rstate=SSL_ST_READ_BODY; | 518 | s->rstate=SSL_ST_READ_BODY; |
566 | 519 | ||
@@ -583,31 +536,32 @@ again: | |||
583 | /* Lets check version */ | 536 | /* Lets check version */ |
584 | if (!s->first_packet) | 537 | if (!s->first_packet) |
585 | { | 538 | { |
586 | if (version != s->version) | 539 | if (version != s->version && version != DTLS1_BAD_VER) |
587 | { | 540 | { |
588 | /* unexpected version, silently discard */ | 541 | SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); |
589 | rr->length = 0; | 542 | /* Send back error using their |
590 | s->packet_length = 0; | 543 | * version number :-) */ |
591 | goto again; | 544 | s->version=version; |
545 | al=SSL_AD_PROTOCOL_VERSION; | ||
546 | goto f_err; | ||
592 | } | 547 | } |
593 | } | 548 | } |
594 | 549 | ||
595 | if ((version & 0xff00) != (s->version & 0xff00)) | 550 | if ((version & 0xff00) != (DTLS1_VERSION & 0xff00) && |
551 | (version & 0xff00) != (DTLS1_BAD_VER & 0xff00)) | ||
596 | { | 552 | { |
597 | /* wrong version, silently discard record */ | 553 | SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); |
598 | rr->length = 0; | 554 | goto err; |
599 | s->packet_length = 0; | ||
600 | goto again; | ||
601 | } | 555 | } |
602 | 556 | ||
603 | if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) | 557 | if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) |
604 | { | 558 | { |
605 | /* record too long, silently discard it */ | 559 | al=SSL_AD_RECORD_OVERFLOW; |
606 | rr->length = 0; | 560 | SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG); |
607 | s->packet_length = 0; | 561 | goto f_err; |
608 | goto again; | ||
609 | } | 562 | } |
610 | 563 | ||
564 | s->client_version = version; | ||
611 | /* now s->rstate == SSL_ST_READ_BODY */ | 565 | /* now s->rstate == SSL_ST_READ_BODY */ |
612 | } | 566 | } |
613 | 567 | ||
@@ -623,7 +577,6 @@ again: | |||
623 | /* this packet contained a partial record, dump it */ | 577 | /* this packet contained a partial record, dump it */ |
624 | if ( n != i) | 578 | if ( n != i) |
625 | { | 579 | { |
626 | rr->length = 0; | ||
627 | s->packet_length = 0; | 580 | s->packet_length = 0; |
628 | goto again; | 581 | goto again; |
629 | } | 582 | } |
@@ -636,21 +589,13 @@ again: | |||
636 | /* match epochs. NULL means the packet is dropped on the floor */ | 589 | /* match epochs. NULL means the packet is dropped on the floor */ |
637 | bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); | 590 | bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); |
638 | if ( bitmap == NULL) | 591 | if ( bitmap == NULL) |
639 | { | 592 | { |
640 | rr->length = 0; | 593 | s->packet_length = 0; /* dump this record */ |
641 | s->packet_length = 0; /* dump this record */ | 594 | goto again; /* get another record */ |
642 | goto again; /* get another record */ | ||
643 | } | 595 | } |
644 | 596 | ||
645 | /* Check whether this is a repeat, or aged record. | 597 | /* check whether this is a repeat, or aged record */ |
646 | * Don't check if we're listening and this message is | 598 | if ( ! dtls1_record_replay_check(s, bitmap, &(rr->seq_num))) |
647 | * a ClientHello. They can look as if they're replayed, | ||
648 | * since they arrive from different connections and | ||
649 | * would be dropped unnecessarily. | ||
650 | */ | ||
651 | if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE && | ||
652 | *p == SSL3_MT_CLIENT_HELLO) && | ||
653 | !dtls1_record_replay_check(s, bitmap)) | ||
654 | { | 599 | { |
655 | rr->length = 0; | 600 | rr->length = 0; |
656 | s->packet_length=0; /* dump this record */ | 601 | s->packet_length=0; /* dump this record */ |
@@ -660,30 +605,28 @@ again: | |||
660 | /* just read a 0 length packet */ | 605 | /* just read a 0 length packet */ |
661 | if (rr->length == 0) goto again; | 606 | if (rr->length == 0) goto again; |
662 | 607 | ||
663 | /* If this record is from the next epoch (either HM or ALERT), | 608 | /* If this record is from the next epoch (either HM or ALERT), buffer it |
664 | * and a handshake is currently in progress, buffer it since it | 609 | * since it cannot be processed at this time. |
665 | * cannot be processed at this time. */ | 610 | * Records from the next epoch are marked as received even though they are |
666 | if (is_next_epoch) | 611 | * not processed, so as to prevent any potential resource DoS attack */ |
667 | { | 612 | if (is_next_epoch) |
668 | if (SSL_in_init(s) || s->in_handshake) | 613 | { |
669 | { | 614 | dtls1_record_bitmap_update(s, bitmap); |
670 | dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num); | 615 | dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num); |
671 | } | 616 | s->packet_length = 0; |
672 | rr->length = 0; | 617 | goto again; |
673 | s->packet_length = 0; | 618 | } |
674 | goto again; | ||
675 | } | ||
676 | 619 | ||
677 | if (!dtls1_process_record(s)) | 620 | if ( ! dtls1_process_record(s)) |
678 | { | 621 | return(0); |
679 | rr->length = 0; | ||
680 | s->packet_length = 0; /* dump this record */ | ||
681 | goto again; /* get another record */ | ||
682 | } | ||
683 | 622 | ||
684 | dtls1_clear_timeouts(s); /* done waiting */ | 623 | dtls1_clear_timeouts(s); /* done waiting */ |
685 | return(1); | 624 | return(1); |
686 | 625 | ||
626 | f_err: | ||
627 | ssl3_send_alert(s,SSL3_AL_FATAL,al); | ||
628 | err: | ||
629 | return(0); | ||
687 | } | 630 | } |
688 | 631 | ||
689 | /* Return up to 'len' payload bytes received in 'type' records. | 632 | /* Return up to 'len' payload bytes received in 'type' records. |
@@ -760,27 +703,6 @@ start: | |||
760 | * s->s3->rrec.length, - number of bytes. */ | 703 | * s->s3->rrec.length, - number of bytes. */ |
761 | rr = &(s->s3->rrec); | 704 | rr = &(s->s3->rrec); |
762 | 705 | ||
763 | /* We are not handshaking and have no data yet, | ||
764 | * so process data buffered during the last handshake | ||
765 | * in advance, if any. | ||
766 | */ | ||
767 | if (s->state == SSL_ST_OK && rr->length == 0) | ||
768 | { | ||
769 | pitem *item; | ||
770 | item = pqueue_pop(s->d1->buffered_app_data.q); | ||
771 | if (item) | ||
772 | { | ||
773 | dtls1_copy_record(s, item); | ||
774 | |||
775 | OPENSSL_free(item->data); | ||
776 | pitem_free(item); | ||
777 | } | ||
778 | } | ||
779 | |||
780 | /* Check for timeout */ | ||
781 | if (dtls1_handle_timeout(s) > 0) | ||
782 | goto start; | ||
783 | |||
784 | /* get new packet if necessary */ | 706 | /* get new packet if necessary */ |
785 | if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY)) | 707 | if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY)) |
786 | { | 708 | { |
@@ -802,14 +724,9 @@ start: | |||
802 | * reset by ssl3_get_finished */ | 724 | * reset by ssl3_get_finished */ |
803 | && (rr->type != SSL3_RT_HANDSHAKE)) | 725 | && (rr->type != SSL3_RT_HANDSHAKE)) |
804 | { | 726 | { |
805 | /* We now have application data between CCS and Finished. | 727 | al=SSL_AD_UNEXPECTED_MESSAGE; |
806 | * Most likely the packets were reordered on their way, so | 728 | SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED); |
807 | * buffer the application data for later processing rather | 729 | goto err; |
808 | * than dropping the connection. | ||
809 | */ | ||
810 | dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num); | ||
811 | rr->length = 0; | ||
812 | goto start; | ||
813 | } | 730 | } |
814 | 731 | ||
815 | /* If the other end has shut down, throw anything we read away | 732 | /* If the other end has shut down, throw anything we read away |
@@ -879,28 +796,15 @@ start: | |||
879 | dest = s->d1->alert_fragment; | 796 | dest = s->d1->alert_fragment; |
880 | dest_len = &s->d1->alert_fragment_len; | 797 | dest_len = &s->d1->alert_fragment_len; |
881 | } | 798 | } |
882 | /* else it's a CCS message, or application data or wrong */ | 799 | /* else it's a CCS message, or it's wrong */ |
883 | else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC) | 800 | else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC) |
884 | { | 801 | { |
885 | /* Application data while renegotiating | 802 | /* Not certain if this is the right error handling */ |
886 | * is allowed. Try again reading. | 803 | al=SSL_AD_UNEXPECTED_MESSAGE; |
887 | */ | 804 | SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD); |
888 | if (rr->type == SSL3_RT_APPLICATION_DATA) | 805 | goto f_err; |
889 | { | 806 | } |
890 | BIO *bio; | ||
891 | s->s3->in_read_app_data=2; | ||
892 | bio=SSL_get_rbio(s); | ||
893 | s->rwstate=SSL_READING; | ||
894 | BIO_clear_retry_flags(bio); | ||
895 | BIO_set_retry_read(bio); | ||
896 | return(-1); | ||
897 | } | ||
898 | 807 | ||
899 | /* Not certain if this is the right error handling */ | ||
900 | al=SSL_AD_UNEXPECTED_MESSAGE; | ||
901 | SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD); | ||
902 | goto f_err; | ||
903 | } | ||
904 | 808 | ||
905 | if (dest_maxlen > 0) | 809 | if (dest_maxlen > 0) |
906 | { | 810 | { |
@@ -1038,9 +942,7 @@ start: | |||
1038 | n2s(p, seq); | 942 | n2s(p, seq); |
1039 | n2l3(p, frag_off); | 943 | n2l3(p, frag_off); |
1040 | 944 | ||
1041 | dtls1_retransmit_message(s, | 945 | dtls1_retransmit_message(s, seq, frag_off, &found); |
1042 | dtls1_get_queue_priority(frag->msg_header.seq, 0), | ||
1043 | frag_off, &found); | ||
1044 | if ( ! found && SSL_in_init(s)) | 946 | if ( ! found && SSL_in_init(s)) |
1045 | { | 947 | { |
1046 | /* fprintf( stderr,"in init = %d\n", SSL_in_init(s)); */ | 948 | /* fprintf( stderr,"in init = %d\n", SSL_in_init(s)); */ |
@@ -1085,17 +987,14 @@ start: | |||
1085 | if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) | 987 | if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) |
1086 | { | 988 | { |
1087 | struct ccs_header_st ccs_hdr; | 989 | struct ccs_header_st ccs_hdr; |
1088 | unsigned int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH; | ||
1089 | 990 | ||
1090 | dtls1_get_ccs_header(rr->data, &ccs_hdr); | 991 | dtls1_get_ccs_header(rr->data, &ccs_hdr); |
1091 | 992 | ||
1092 | if (s->version == DTLS1_BAD_VER) | ||
1093 | ccs_hdr_len = 3; | ||
1094 | |||
1095 | /* 'Change Cipher Spec' is just a single byte, so we know | 993 | /* 'Change Cipher Spec' is just a single byte, so we know |
1096 | * exactly what the record payload has to look like */ | 994 | * exactly what the record payload has to look like */ |
1097 | /* XDTLS: check that epoch is consistent */ | 995 | /* XDTLS: check that epoch is consistent */ |
1098 | if ( (rr->length != ccs_hdr_len) || | 996 | if ( (s->client_version == DTLS1_BAD_VER && rr->length != 3) || |
997 | (s->client_version != DTLS1_BAD_VER && rr->length != DTLS1_CCS_HEADER_LENGTH) || | ||
1099 | (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) | 998 | (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) |
1100 | { | 999 | { |
1101 | i=SSL_AD_ILLEGAL_PARAMETER; | 1000 | i=SSL_AD_ILLEGAL_PARAMETER; |
@@ -1109,16 +1008,6 @@ start: | |||
1109 | s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, | 1008 | s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, |
1110 | rr->data, 1, s, s->msg_callback_arg); | 1009 | rr->data, 1, s, s->msg_callback_arg); |
1111 | 1010 | ||
1112 | /* We can't process a CCS now, because previous handshake | ||
1113 | * messages are still missing, so just drop it. | ||
1114 | */ | ||
1115 | if (!s->d1->change_cipher_spec_ok) | ||
1116 | { | ||
1117 | goto start; | ||
1118 | } | ||
1119 | |||
1120 | s->d1->change_cipher_spec_ok = 0; | ||
1121 | |||
1122 | s->s3->change_cipher_spec=1; | 1011 | s->s3->change_cipher_spec=1; |
1123 | if (!ssl3_do_change_cipher_spec(s)) | 1012 | if (!ssl3_do_change_cipher_spec(s)) |
1124 | goto err; | 1013 | goto err; |
@@ -1126,7 +1015,7 @@ start: | |||
1126 | /* do this whenever CCS is processed */ | 1015 | /* do this whenever CCS is processed */ |
1127 | dtls1_reset_seq_numbers(s, SSL3_CC_READ); | 1016 | dtls1_reset_seq_numbers(s, SSL3_CC_READ); |
1128 | 1017 | ||
1129 | if (s->version == DTLS1_BAD_VER) | 1018 | if (s->client_version == DTLS1_BAD_VER) |
1130 | s->d1->handshake_read_seq++; | 1019 | s->d1->handshake_read_seq++; |
1131 | 1020 | ||
1132 | goto start; | 1021 | goto start; |
@@ -1146,16 +1035,6 @@ start: | |||
1146 | goto start; | 1035 | goto start; |
1147 | } | 1036 | } |
1148 | 1037 | ||
1149 | /* If we are server, we may have a repeated FINISHED of the | ||
1150 | * client here, then retransmit our CCS and FINISHED. | ||
1151 | */ | ||
1152 | if (msg_hdr.type == SSL3_MT_FINISHED) | ||
1153 | { | ||
1154 | dtls1_retransmit_buffered_messages(s); | ||
1155 | rr->length = 0; | ||
1156 | goto start; | ||
1157 | } | ||
1158 | |||
1159 | if (((s->state&SSL_ST_MASK) == SSL_ST_OK) && | 1038 | if (((s->state&SSL_ST_MASK) == SSL_ST_OK) && |
1160 | !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) | 1039 | !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) |
1161 | { | 1040 | { |
@@ -1262,6 +1141,7 @@ err: | |||
1262 | int | 1141 | int |
1263 | dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len) | 1142 | dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len) |
1264 | { | 1143 | { |
1144 | unsigned int n,tot; | ||
1265 | int i; | 1145 | int i; |
1266 | 1146 | ||
1267 | if (SSL_in_init(s) && !s->in_handshake) | 1147 | if (SSL_in_init(s) && !s->in_handshake) |
@@ -1275,14 +1155,31 @@ dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len) | |||
1275 | } | 1155 | } |
1276 | } | 1156 | } |
1277 | 1157 | ||
1278 | if (len > SSL3_RT_MAX_PLAIN_LENGTH) | 1158 | tot = s->s3->wnum; |
1159 | n = len - tot; | ||
1160 | |||
1161 | while( n) | ||
1279 | { | 1162 | { |
1280 | SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES,SSL_R_DTLS_MESSAGE_TOO_BIG); | 1163 | /* dtls1_write_bytes sends one record at a time, sized according to |
1281 | return -1; | 1164 | * the currently known MTU */ |
1165 | i = dtls1_write_bytes(s, type, buf_, len); | ||
1166 | if (i <= 0) return i; | ||
1167 | |||
1168 | if ((i == (int)n) || | ||
1169 | (type == SSL3_RT_APPLICATION_DATA && | ||
1170 | (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) | ||
1171 | { | ||
1172 | /* next chunk of data should get another prepended empty fragment | ||
1173 | * in ciphersuites with known-IV weakness: */ | ||
1174 | s->s3->empty_fragment_done = 0; | ||
1175 | return tot+i; | ||
1176 | } | ||
1177 | |||
1178 | tot += i; | ||
1179 | n-=i; | ||
1282 | } | 1180 | } |
1283 | 1181 | ||
1284 | i = dtls1_write_bytes(s, type, buf_, len); | 1182 | return tot; |
1285 | return i; | ||
1286 | } | 1183 | } |
1287 | 1184 | ||
1288 | 1185 | ||
@@ -1323,13 +1220,46 @@ have_handshake_fragment(SSL *s, int type, unsigned char *buf, | |||
1323 | /* Call this to write data in records of type 'type' | 1220 | /* Call this to write data in records of type 'type' |
1324 | * It will return <= 0 if not all data has been sent or non-blocking IO. | 1221 | * It will return <= 0 if not all data has been sent or non-blocking IO. |
1325 | */ | 1222 | */ |
1326 | int dtls1_write_bytes(SSL *s, int type, const void *buf, int len) | 1223 | int dtls1_write_bytes(SSL *s, int type, const void *buf_, int len) |
1327 | { | 1224 | { |
1225 | const unsigned char *buf=buf_; | ||
1226 | unsigned int tot,n,nw; | ||
1328 | int i; | 1227 | int i; |
1228 | unsigned int mtu; | ||
1329 | 1229 | ||
1330 | OPENSSL_assert(len <= SSL3_RT_MAX_PLAIN_LENGTH); | ||
1331 | s->rwstate=SSL_NOTHING; | 1230 | s->rwstate=SSL_NOTHING; |
1332 | i=do_dtls1_write(s, type, buf, len, 0); | 1231 | tot=s->s3->wnum; |
1232 | |||
1233 | n=(len-tot); | ||
1234 | |||
1235 | /* handshake layer figures out MTU for itself, but data records | ||
1236 | * are also sent through this interface, so need to figure out MTU */ | ||
1237 | #if 0 | ||
1238 | mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_MTU, 0, NULL); | ||
1239 | mtu += DTLS1_HM_HEADER_LENGTH; /* HM already inserted */ | ||
1240 | #endif | ||
1241 | mtu = s->d1->mtu; | ||
1242 | |||
1243 | if (mtu > SSL3_RT_MAX_PLAIN_LENGTH) | ||
1244 | mtu = SSL3_RT_MAX_PLAIN_LENGTH; | ||
1245 | |||
1246 | if (n > mtu) | ||
1247 | nw=mtu; | ||
1248 | else | ||
1249 | nw=n; | ||
1250 | |||
1251 | i=do_dtls1_write(s, type, &(buf[tot]), nw, 0); | ||
1252 | if (i <= 0) | ||
1253 | { | ||
1254 | s->s3->wnum=tot; | ||
1255 | return i; | ||
1256 | } | ||
1257 | |||
1258 | if ( (int)s->s3->wnum + i == len) | ||
1259 | s->s3->wnum = 0; | ||
1260 | else | ||
1261 | s->s3->wnum += i; | ||
1262 | |||
1333 | return i; | 1263 | return i; |
1334 | } | 1264 | } |
1335 | 1265 | ||
@@ -1369,23 +1299,19 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, | |||
1369 | 1299 | ||
1370 | if ( (sess == NULL) || | 1300 | if ( (sess == NULL) || |
1371 | (s->enc_write_ctx == NULL) || | 1301 | (s->enc_write_ctx == NULL) || |
1372 | (EVP_MD_CTX_md(s->write_hash) == NULL)) | 1302 | (s->write_hash == NULL)) |
1373 | clear=1; | 1303 | clear=1; |
1374 | 1304 | ||
1375 | if (clear) | 1305 | if (clear) |
1376 | mac_size=0; | 1306 | mac_size=0; |
1377 | else | 1307 | else |
1378 | { | 1308 | mac_size=EVP_MD_size(s->write_hash); |
1379 | mac_size=EVP_MD_CTX_size(s->write_hash); | ||
1380 | if (mac_size < 0) | ||
1381 | goto err; | ||
1382 | } | ||
1383 | 1309 | ||
1384 | /* DTLS implements explicit IV, so no need for empty fragments */ | 1310 | /* DTLS implements explicit IV, so no need for empty fragments */ |
1385 | #if 0 | 1311 | #if 0 |
1386 | /* 'create_empty_fragment' is true only when this function calls itself */ | 1312 | /* 'create_empty_fragment' is true only when this function calls itself */ |
1387 | if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done | 1313 | if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done |
1388 | && SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER) | 1314 | && SSL_version(s) != DTLS1_VERSION) |
1389 | { | 1315 | { |
1390 | /* countermeasure against known-IV weakness in CBC ciphersuites | 1316 | /* countermeasure against known-IV weakness in CBC ciphersuites |
1391 | * (see http://www.openssl.org/~bodo/tls-cbc.txt) | 1317 | * (see http://www.openssl.org/~bodo/tls-cbc.txt) |
@@ -1412,6 +1338,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, | |||
1412 | s->s3->empty_fragment_done = 1; | 1338 | s->s3->empty_fragment_done = 1; |
1413 | } | 1339 | } |
1414 | #endif | 1340 | #endif |
1341 | |||
1415 | p = wb->buf + prefix_len; | 1342 | p = wb->buf + prefix_len; |
1416 | 1343 | ||
1417 | /* write the header */ | 1344 | /* write the header */ |
@@ -1419,8 +1346,12 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, | |||
1419 | *(p++)=type&0xff; | 1346 | *(p++)=type&0xff; |
1420 | wr->type=type; | 1347 | wr->type=type; |
1421 | 1348 | ||
1422 | *(p++)=(s->version>>8); | 1349 | if (s->client_version == DTLS1_BAD_VER) |
1423 | *(p++)=s->version&0xff; | 1350 | *(p++) = DTLS1_BAD_VER>>8, |
1351 | *(p++) = DTLS1_BAD_VER&0xff; | ||
1352 | else | ||
1353 | *(p++)=(s->version>>8), | ||
1354 | *(p++)=s->version&0xff; | ||
1424 | 1355 | ||
1425 | /* field where we are to write out packet epoch, seq num and len */ | 1356 | /* field where we are to write out packet epoch, seq num and len */ |
1426 | pseq=p; | 1357 | pseq=p; |
@@ -1465,8 +1396,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, | |||
1465 | 1396 | ||
1466 | if (mac_size != 0) | 1397 | if (mac_size != 0) |
1467 | { | 1398 | { |
1468 | if(s->method->ssl3_enc->mac(s,&(p[wr->length + bs]),1) < 0) | 1399 | s->method->ssl3_enc->mac(s,&(p[wr->length + bs]),1); |
1469 | goto err; | ||
1470 | wr->length+=mac_size; | 1400 | wr->length+=mac_size; |
1471 | } | 1401 | } |
1472 | 1402 | ||
@@ -1543,50 +1473,111 @@ err: | |||
1543 | 1473 | ||
1544 | 1474 | ||
1545 | 1475 | ||
1546 | static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap) | 1476 | static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap, |
1477 | PQ_64BIT *seq_num) | ||
1547 | { | 1478 | { |
1548 | int cmp; | 1479 | #if PQ_64BIT_IS_INTEGER |
1549 | unsigned int shift; | 1480 | PQ_64BIT mask = 0x0000000000000001L; |
1550 | const unsigned char *seq = s->s3->read_sequence; | 1481 | #endif |
1482 | PQ_64BIT rcd_num, tmp; | ||
1483 | |||
1484 | pq_64bit_init(&rcd_num); | ||
1485 | pq_64bit_init(&tmp); | ||
1486 | |||
1487 | /* this is the sequence number for the record just read */ | ||
1488 | pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8); | ||
1551 | 1489 | ||
1552 | cmp = satsub64be(seq,bitmap->max_seq_num); | 1490 | |
1553 | if (cmp > 0) | 1491 | if (pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) || |
1492 | pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num))) | ||
1554 | { | 1493 | { |
1555 | memcpy (s->s3->rrec.seq_num,seq,8); | 1494 | pq_64bit_assign(seq_num, &rcd_num); |
1556 | return 1; /* this record in new */ | 1495 | pq_64bit_free(&rcd_num); |
1496 | pq_64bit_free(&tmp); | ||
1497 | return 1; /* this record is new */ | ||
1498 | } | ||
1499 | |||
1500 | pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num); | ||
1501 | |||
1502 | if ( pq_64bit_get_word(&tmp) > bitmap->length) | ||
1503 | { | ||
1504 | pq_64bit_free(&rcd_num); | ||
1505 | pq_64bit_free(&tmp); | ||
1506 | return 0; /* stale, outside the window */ | ||
1557 | } | 1507 | } |
1558 | shift = -cmp; | ||
1559 | if (shift >= sizeof(bitmap->map)*8) | ||
1560 | return 0; /* stale, outside the window */ | ||
1561 | else if (bitmap->map & (1UL<<shift)) | ||
1562 | return 0; /* record previously received */ | ||
1563 | 1508 | ||
1564 | memcpy (s->s3->rrec.seq_num,seq,8); | 1509 | #if PQ_64BIT_IS_BIGNUM |
1510 | { | ||
1511 | int offset; | ||
1512 | pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num); | ||
1513 | pq_64bit_sub_word(&tmp, 1); | ||
1514 | offset = pq_64bit_get_word(&tmp); | ||
1515 | if ( pq_64bit_is_bit_set(&(bitmap->map), offset)) | ||
1516 | { | ||
1517 | pq_64bit_free(&rcd_num); | ||
1518 | pq_64bit_free(&tmp); | ||
1519 | return 0; | ||
1520 | } | ||
1521 | } | ||
1522 | #else | ||
1523 | mask <<= (bitmap->max_seq_num - rcd_num - 1); | ||
1524 | if (bitmap->map & mask) | ||
1525 | return 0; /* record previously received */ | ||
1526 | #endif | ||
1527 | |||
1528 | pq_64bit_assign(seq_num, &rcd_num); | ||
1529 | pq_64bit_free(&rcd_num); | ||
1530 | pq_64bit_free(&tmp); | ||
1565 | return 1; | 1531 | return 1; |
1566 | } | 1532 | } |
1567 | 1533 | ||
1568 | 1534 | ||
1569 | static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap) | 1535 | static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap) |
1570 | { | 1536 | { |
1571 | int cmp; | ||
1572 | unsigned int shift; | 1537 | unsigned int shift; |
1573 | const unsigned char *seq = s->s3->read_sequence; | 1538 | PQ_64BIT rcd_num; |
1539 | PQ_64BIT tmp; | ||
1540 | PQ_64BIT_CTX *ctx; | ||
1574 | 1541 | ||
1575 | cmp = satsub64be(seq,bitmap->max_seq_num); | 1542 | pq_64bit_init(&rcd_num); |
1576 | if (cmp > 0) | 1543 | pq_64bit_init(&tmp); |
1544 | |||
1545 | pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8); | ||
1546 | |||
1547 | /* unfortunate code complexity due to 64-bit manipulation support | ||
1548 | * on 32-bit machines */ | ||
1549 | if ( pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) || | ||
1550 | pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num))) | ||
1577 | { | 1551 | { |
1578 | shift = cmp; | 1552 | pq_64bit_sub(&tmp, &rcd_num, &(bitmap->max_seq_num)); |
1579 | if (shift < sizeof(bitmap->map)*8) | 1553 | pq_64bit_add_word(&tmp, 1); |
1580 | bitmap->map <<= shift, bitmap->map |= 1UL; | 1554 | |
1581 | else | 1555 | shift = (unsigned int)pq_64bit_get_word(&tmp); |
1582 | bitmap->map = 1UL; | 1556 | |
1583 | memcpy(bitmap->max_seq_num,seq,8); | 1557 | pq_64bit_lshift(&(tmp), &(bitmap->map), shift); |
1558 | pq_64bit_assign(&(bitmap->map), &tmp); | ||
1559 | |||
1560 | pq_64bit_set_bit(&(bitmap->map), 0); | ||
1561 | pq_64bit_add_word(&rcd_num, 1); | ||
1562 | pq_64bit_assign(&(bitmap->max_seq_num), &rcd_num); | ||
1563 | |||
1564 | pq_64bit_assign_word(&tmp, 1); | ||
1565 | pq_64bit_lshift(&tmp, &tmp, bitmap->length); | ||
1566 | ctx = pq_64bit_ctx_new(&ctx); | ||
1567 | pq_64bit_mod(&(bitmap->map), &(bitmap->map), &tmp, ctx); | ||
1568 | pq_64bit_ctx_free(ctx); | ||
1584 | } | 1569 | } |
1585 | else { | 1570 | else |
1586 | shift = -cmp; | 1571 | { |
1587 | if (shift < sizeof(bitmap->map)*8) | 1572 | pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num); |
1588 | bitmap->map |= 1UL<<shift; | 1573 | pq_64bit_sub_word(&tmp, 1); |
1574 | shift = (unsigned int)pq_64bit_get_word(&tmp); | ||
1575 | |||
1576 | pq_64bit_set_bit(&(bitmap->map), shift); | ||
1589 | } | 1577 | } |
1578 | |||
1579 | pq_64bit_free(&rcd_num); | ||
1580 | pq_64bit_free(&tmp); | ||
1590 | } | 1581 | } |
1591 | 1582 | ||
1592 | 1583 | ||
@@ -1633,7 +1624,7 @@ int dtls1_dispatch_alert(SSL *s) | |||
1633 | #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE | 1624 | #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE |
1634 | || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE | 1625 | || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE |
1635 | #endif | 1626 | #endif |
1636 | ) | 1627 | ) |
1637 | (void)BIO_flush(s->wbio); | 1628 | (void)BIO_flush(s->wbio); |
1638 | 1629 | ||
1639 | if (s->msg_callback) | 1630 | if (s->msg_callback) |
@@ -1752,19 +1743,47 @@ dtls1_reset_seq_numbers(SSL *s, int rw) | |||
1752 | { | 1743 | { |
1753 | seq = s->s3->read_sequence; | 1744 | seq = s->s3->read_sequence; |
1754 | s->d1->r_epoch++; | 1745 | s->d1->r_epoch++; |
1755 | memcpy(&(s->d1->bitmap), &(s->d1->next_bitmap), sizeof(DTLS1_BITMAP)); | 1746 | |
1747 | pq_64bit_assign(&(s->d1->bitmap.map), &(s->d1->next_bitmap.map)); | ||
1748 | s->d1->bitmap.length = s->d1->next_bitmap.length; | ||
1749 | pq_64bit_assign(&(s->d1->bitmap.max_seq_num), | ||
1750 | &(s->d1->next_bitmap.max_seq_num)); | ||
1751 | |||
1752 | pq_64bit_free(&(s->d1->next_bitmap.map)); | ||
1753 | pq_64bit_free(&(s->d1->next_bitmap.max_seq_num)); | ||
1756 | memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP)); | 1754 | memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP)); |
1755 | pq_64bit_init(&(s->d1->next_bitmap.map)); | ||
1756 | pq_64bit_init(&(s->d1->next_bitmap.max_seq_num)); | ||
1757 | } | 1757 | } |
1758 | else | 1758 | else |
1759 | { | 1759 | { |
1760 | seq = s->s3->write_sequence; | 1760 | seq = s->s3->write_sequence; |
1761 | memcpy(s->d1->last_write_sequence, seq, sizeof(s->s3->write_sequence)); | ||
1762 | s->d1->w_epoch++; | 1761 | s->d1->w_epoch++; |
1763 | } | 1762 | } |
1764 | 1763 | ||
1765 | memset(seq, 0x00, seq_bytes); | 1764 | memset(seq, 0x00, seq_bytes); |
1766 | } | 1765 | } |
1767 | 1766 | ||
1767 | #if PQ_64BIT_IS_INTEGER | ||
1768 | static PQ_64BIT | ||
1769 | bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num) | ||
1770 | { | ||
1771 | PQ_64BIT _num; | ||
1772 | |||
1773 | _num = (((PQ_64BIT)bytes[0]) << 56) | | ||
1774 | (((PQ_64BIT)bytes[1]) << 48) | | ||
1775 | (((PQ_64BIT)bytes[2]) << 40) | | ||
1776 | (((PQ_64BIT)bytes[3]) << 32) | | ||
1777 | (((PQ_64BIT)bytes[4]) << 24) | | ||
1778 | (((PQ_64BIT)bytes[5]) << 16) | | ||
1779 | (((PQ_64BIT)bytes[6]) << 8) | | ||
1780 | (((PQ_64BIT)bytes[7]) ); | ||
1781 | |||
1782 | *num = _num ; | ||
1783 | return _num; | ||
1784 | } | ||
1785 | #endif | ||
1786 | |||
1768 | 1787 | ||
1769 | static void | 1788 | static void |
1770 | dtls1_clear_timeouts(SSL *s) | 1789 | dtls1_clear_timeouts(SSL *s) |