summaryrefslogtreecommitdiff
path: root/src/lib/libssl/d1_pkt.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/d1_pkt.c')
-rw-r--r--src/lib/libssl/d1_pkt.c543
1 files changed, 281 insertions, 262 deletions
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index a5439d544f..eb56cf987b 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -122,53 +122,10 @@
122#include <openssl/pqueue.h> 122#include <openssl/pqueue.h>
123#include <openssl/rand.h> 123#include <openssl/rand.h>
124 124
125/* mod 128 saturating subtract of two 64-bit values in big-endian order */
126static int satsub64be(const unsigned char *v1,const unsigned char *v2)
127{ int ret,sat,brw,i;
128
129 if (sizeof(long) == 8) do
130 { const union { long one; char little; } is_endian = {1};
131 long l;
132
133 if (is_endian.little) break;
134 /* not reached on little-endians */
135 /* following test is redundant, because input is
136 * always aligned, but I take no chances... */
137 if (((size_t)v1|(size_t)v2)&0x7) break;
138
139 l = *((long *)v1);
140 l -= *((long *)v2);
141 if (l>128) return 128;
142 else if (l<-128) return -128;
143 else return (int)l;
144 } while (0);
145
146 ret = (int)v1[7]-(int)v2[7];
147 sat = 0;
148 brw = ret>>8; /* brw is either 0 or -1 */
149 if (ret & 0x80)
150 { for (i=6;i>=0;i--)
151 { brw += (int)v1[i]-(int)v2[i];
152 sat |= ~brw;
153 brw >>= 8;
154 }
155 }
156 else
157 { for (i=6;i>=0;i--)
158 { brw += (int)v1[i]-(int)v2[i];
159 sat |= brw;
160 brw >>= 8;
161 }
162 }
163 brw <<= 8; /* brw is either 0 or -256 */
164
165 if (sat&0xff) return brw | 0x80;
166 else return brw + (ret&0xFF);
167}
168
169static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, 125static int have_handshake_fragment(SSL *s, int type, unsigned char *buf,
170 int len, int peek); 126 int len, int peek);
171static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap); 127static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap,
128 PQ_64BIT *seq_num);
172static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap); 129static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);
173static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, 130static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
174 unsigned int *is_next_epoch); 131 unsigned int *is_next_epoch);
@@ -177,8 +134,11 @@ static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
177 unsigned short *priority, unsigned long *offset); 134 unsigned short *priority, unsigned long *offset);
178#endif 135#endif
179static int dtls1_buffer_record(SSL *s, record_pqueue *q, 136static int dtls1_buffer_record(SSL *s, record_pqueue *q,
180 unsigned char *priority); 137 PQ_64BIT priority);
181static int dtls1_process_record(SSL *s); 138static int dtls1_process_record(SSL *s);
139#if PQ_64BIT_IS_INTEGER
140static PQ_64BIT bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num);
141#endif
182static void dtls1_clear_timeouts(SSL *s); 142static void dtls1_clear_timeouts(SSL *s);
183 143
184/* copy buffered record into SSL structure */ 144/* copy buffered record into SSL structure */
@@ -196,24 +156,17 @@ dtls1_copy_record(SSL *s, pitem *item)
196 s->packet_length = rdata->packet_length; 156 s->packet_length = rdata->packet_length;
197 memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER)); 157 memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
198 memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD)); 158 memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
199
200 /* Set proper sequence number for mac calculation */
201 memcpy(&(s->s3->read_sequence[2]), &(rdata->packet[5]), 6);
202 159
203 return(1); 160 return(1);
204 } 161 }
205 162
206 163
207static int 164static int
208dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) 165dtls1_buffer_record(SSL *s, record_pqueue *queue, PQ_64BIT priority)
209 { 166{
210 DTLS1_RECORD_DATA *rdata; 167 DTLS1_RECORD_DATA *rdata;
211 pitem *item; 168 pitem *item;
212 169
213 /* Limit the size of the queue to prevent DOS attacks */
214 if (pqueue_size(queue->q) >= 100)
215 return 0;
216
217 rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); 170 rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
218 item = pitem_new(priority, rdata); 171 item = pitem_new(priority, rdata);
219 if (rdata == NULL || item == NULL) 172 if (rdata == NULL || item == NULL)
@@ -254,7 +207,7 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
254 } 207 }
255 208
256 return(1); 209 return(1);
257 } 210 }
258 211
259 212
260static int 213static int
@@ -371,17 +324,17 @@ dtls1_get_buffered_record(SSL *s)
371static int 324static int
372dtls1_process_record(SSL *s) 325dtls1_process_record(SSL *s)
373{ 326{
374 int i,al; 327 int i,al;
375 int clear=0; 328 int clear=0;
376 int enc_err; 329 int enc_err;
377 SSL_SESSION *sess; 330 SSL_SESSION *sess;
378 SSL3_RECORD *rr; 331 SSL3_RECORD *rr;
379 unsigned int mac_size; 332 unsigned int mac_size;
380 unsigned char md[EVP_MAX_MD_SIZE]; 333 unsigned char md[EVP_MAX_MD_SIZE];
381 334
382 335
383 rr= &(s->s3->rrec); 336 rr= &(s->s3->rrec);
384 sess = s->session; 337 sess = s->session;
385 338
386 /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, 339 /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
387 * and we have that many bytes in s->packet 340 * and we have that many bytes in s->packet
@@ -417,7 +370,7 @@ dtls1_process_record(SSL *s)
417 goto err; 370 goto err;
418 371
419 /* otherwise enc_err == -1 */ 372 /* otherwise enc_err == -1 */
420 goto err; 373 goto decryption_failed_or_bad_record_mac;
421 } 374 }
422 375
423#ifdef TLS_DEBUG 376#ifdef TLS_DEBUG
@@ -427,18 +380,14 @@ printf("\n");
427#endif 380#endif
428 381
429 /* r->length is now the compressed data plus mac */ 382 /* r->length is now the compressed data plus mac */
430 if ( (sess == NULL) || 383if ( (sess == NULL) ||
431 (s->enc_read_ctx == NULL) || 384 (s->enc_read_ctx == NULL) ||
432 (s->read_hash == NULL)) 385 (s->read_hash == NULL))
433 clear=1; 386 clear=1;
434 387
435 if (!clear) 388 if (!clear)
436 { 389 {
437 /* !clear => s->read_hash != NULL => mac_size != -1 */ 390 mac_size=EVP_MD_size(s->read_hash);
438 int t;
439 t=EVP_MD_CTX_size(s->read_hash);
440 OPENSSL_assert(t >= 0);
441 mac_size=t;
442 391
443 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size) 392 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
444 { 393 {
@@ -447,7 +396,7 @@ printf("\n");
447 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); 396 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
448 goto f_err; 397 goto f_err;
449#else 398#else
450 goto err; 399 goto decryption_failed_or_bad_record_mac;
451#endif 400#endif
452 } 401 }
453 /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ 402 /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
@@ -458,14 +407,14 @@ printf("\n");
458 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); 407 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
459 goto f_err; 408 goto f_err;
460#else 409#else
461 goto err; 410 goto decryption_failed_or_bad_record_mac;
462#endif 411#endif
463 } 412 }
464 rr->length-=mac_size; 413 rr->length-=mac_size;
465 i=s->method->ssl3_enc->mac(s,md,0); 414 i=s->method->ssl3_enc->mac(s,md,0);
466 if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0) 415 if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
467 { 416 {
468 goto err; 417 goto decryption_failed_or_bad_record_mac;
469 } 418 }
470 } 419 }
471 420
@@ -504,9 +453,17 @@ printf("\n");
504 453
505 /* we have pulled in a full packet so zero things */ 454 /* we have pulled in a full packet so zero things */
506 s->packet_length=0; 455 s->packet_length=0;
507 dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */ 456 dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */
508 return(1); 457 return(1);
509 458
459decryption_failed_or_bad_record_mac:
460 /* Separate 'decryption_failed' alert was introduced with TLS 1.0,
461 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
462 * failure is directly visible from the ciphertext anyway,
463 * we should not reveal which kind of error occured -- this
464 * might become visible to an attacker (e.g. via logfile) */
465 al=SSL_AD_BAD_RECORD_MAC;
466 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
510f_err: 467f_err:
511 ssl3_send_alert(s,SSL3_AL_FATAL,al); 468 ssl3_send_alert(s,SSL3_AL_FATAL,al);
512err: 469err:
@@ -525,11 +482,11 @@ err:
525/* used only by dtls1_read_bytes */ 482/* used only by dtls1_read_bytes */
526int dtls1_get_record(SSL *s) 483int dtls1_get_record(SSL *s)
527 { 484 {
528 int ssl_major,ssl_minor; 485 int ssl_major,ssl_minor,al;
529 int i,n; 486 int i,n;
530 SSL3_RECORD *rr; 487 SSL3_RECORD *rr;
531 SSL_SESSION *sess; 488 SSL_SESSION *sess;
532 unsigned char *p = NULL; 489 unsigned char *p;
533 unsigned short version; 490 unsigned short version;
534 DTLS1_BITMAP *bitmap; 491 DTLS1_BITMAP *bitmap;
535 unsigned int is_next_epoch; 492 unsigned int is_next_epoch;
@@ -537,9 +494,10 @@ int dtls1_get_record(SSL *s)
537 rr= &(s->s3->rrec); 494 rr= &(s->s3->rrec);
538 sess=s->session; 495 sess=s->session;
539 496
540 /* The epoch may have changed. If so, process all the 497 /* The epoch may have changed. If so, process all the
541 * pending records. This is a non-blocking operation. */ 498 * pending records. This is a non-blocking operation. */
542 dtls1_process_buffered_records(s); 499 if ( ! dtls1_process_buffered_records(s))
500 return 0;
543 501
544 /* if we're renegotiating, then there may be buffered records */ 502 /* if we're renegotiating, then there may be buffered records */
545 if (dtls1_get_processed_record(s)) 503 if (dtls1_get_processed_record(s))
@@ -555,12 +513,7 @@ again:
555 /* read timeout is handled by dtls1_read_bytes */ 513 /* read timeout is handled by dtls1_read_bytes */
556 if (n <= 0) return(n); /* error or non-blocking */ 514 if (n <= 0) return(n); /* error or non-blocking */
557 515
558 /* this packet contained a partial record, dump it */ 516 OPENSSL_assert(s->packet_length == DTLS1_RT_HEADER_LENGTH);
559 if (s->packet_length != DTLS1_RT_HEADER_LENGTH)
560 {
561 s->packet_length = 0;
562 goto again;
563 }
564 517
565 s->rstate=SSL_ST_READ_BODY; 518 s->rstate=SSL_ST_READ_BODY;
566 519
@@ -583,31 +536,32 @@ again:
583 /* Lets check version */ 536 /* Lets check version */
584 if (!s->first_packet) 537 if (!s->first_packet)
585 { 538 {
586 if (version != s->version) 539 if (version != s->version && version != DTLS1_BAD_VER)
587 { 540 {
588 /* unexpected version, silently discard */ 541 SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
589 rr->length = 0; 542 /* Send back error using their
590 s->packet_length = 0; 543 * version number :-) */
591 goto again; 544 s->version=version;
545 al=SSL_AD_PROTOCOL_VERSION;
546 goto f_err;
592 } 547 }
593 } 548 }
594 549
595 if ((version & 0xff00) != (s->version & 0xff00)) 550 if ((version & 0xff00) != (DTLS1_VERSION & 0xff00) &&
551 (version & 0xff00) != (DTLS1_BAD_VER & 0xff00))
596 { 552 {
597 /* wrong version, silently discard record */ 553 SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
598 rr->length = 0; 554 goto err;
599 s->packet_length = 0;
600 goto again;
601 } 555 }
602 556
603 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) 557 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH)
604 { 558 {
605 /* record too long, silently discard it */ 559 al=SSL_AD_RECORD_OVERFLOW;
606 rr->length = 0; 560 SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
607 s->packet_length = 0; 561 goto f_err;
608 goto again;
609 } 562 }
610 563
564 s->client_version = version;
611 /* now s->rstate == SSL_ST_READ_BODY */ 565 /* now s->rstate == SSL_ST_READ_BODY */
612 } 566 }
613 567
@@ -623,7 +577,6 @@ again:
623 /* this packet contained a partial record, dump it */ 577 /* this packet contained a partial record, dump it */
624 if ( n != i) 578 if ( n != i)
625 { 579 {
626 rr->length = 0;
627 s->packet_length = 0; 580 s->packet_length = 0;
628 goto again; 581 goto again;
629 } 582 }
@@ -636,21 +589,13 @@ again:
636 /* match epochs. NULL means the packet is dropped on the floor */ 589 /* match epochs. NULL means the packet is dropped on the floor */
637 bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); 590 bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
638 if ( bitmap == NULL) 591 if ( bitmap == NULL)
639 { 592 {
640 rr->length = 0; 593 s->packet_length = 0; /* dump this record */
641 s->packet_length = 0; /* dump this record */ 594 goto again; /* get another record */
642 goto again; /* get another record */
643 } 595 }
644 596
645 /* Check whether this is a repeat, or aged record. 597 /* check whether this is a repeat, or aged record */
646 * Don't check if we're listening and this message is 598 if ( ! dtls1_record_replay_check(s, bitmap, &(rr->seq_num)))
647 * a ClientHello. They can look as if they're replayed,
648 * since they arrive from different connections and
649 * would be dropped unnecessarily.
650 */
651 if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE &&
652 *p == SSL3_MT_CLIENT_HELLO) &&
653 !dtls1_record_replay_check(s, bitmap))
654 { 599 {
655 rr->length = 0; 600 rr->length = 0;
656 s->packet_length=0; /* dump this record */ 601 s->packet_length=0; /* dump this record */
@@ -660,30 +605,28 @@ again:
660 /* just read a 0 length packet */ 605 /* just read a 0 length packet */
661 if (rr->length == 0) goto again; 606 if (rr->length == 0) goto again;
662 607
663 /* If this record is from the next epoch (either HM or ALERT), 608 /* If this record is from the next epoch (either HM or ALERT), buffer it
664 * and a handshake is currently in progress, buffer it since it 609 * since it cannot be processed at this time.
665 * cannot be processed at this time. */ 610 * Records from the next epoch are marked as received even though they are
666 if (is_next_epoch) 611 * not processed, so as to prevent any potential resource DoS attack */
667 { 612 if (is_next_epoch)
668 if (SSL_in_init(s) || s->in_handshake) 613 {
669 { 614 dtls1_record_bitmap_update(s, bitmap);
670 dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num); 615 dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
671 } 616 s->packet_length = 0;
672 rr->length = 0; 617 goto again;
673 s->packet_length = 0; 618 }
674 goto again;
675 }
676 619
677 if (!dtls1_process_record(s)) 620 if ( ! dtls1_process_record(s))
678 { 621 return(0);
679 rr->length = 0;
680 s->packet_length = 0; /* dump this record */
681 goto again; /* get another record */
682 }
683 622
684 dtls1_clear_timeouts(s); /* done waiting */ 623 dtls1_clear_timeouts(s); /* done waiting */
685 return(1); 624 return(1);
686 625
626f_err:
627 ssl3_send_alert(s,SSL3_AL_FATAL,al);
628err:
629 return(0);
687 } 630 }
688 631
689/* Return up to 'len' payload bytes received in 'type' records. 632/* Return up to 'len' payload bytes received in 'type' records.
@@ -760,27 +703,6 @@ start:
760 * s->s3->rrec.length, - number of bytes. */ 703 * s->s3->rrec.length, - number of bytes. */
761 rr = &(s->s3->rrec); 704 rr = &(s->s3->rrec);
762 705
763 /* We are not handshaking and have no data yet,
764 * so process data buffered during the last handshake
765 * in advance, if any.
766 */
767 if (s->state == SSL_ST_OK && rr->length == 0)
768 {
769 pitem *item;
770 item = pqueue_pop(s->d1->buffered_app_data.q);
771 if (item)
772 {
773 dtls1_copy_record(s, item);
774
775 OPENSSL_free(item->data);
776 pitem_free(item);
777 }
778 }
779
780 /* Check for timeout */
781 if (dtls1_handle_timeout(s) > 0)
782 goto start;
783
784 /* get new packet if necessary */ 706 /* get new packet if necessary */
785 if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY)) 707 if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
786 { 708 {
@@ -802,14 +724,9 @@ start:
802 * reset by ssl3_get_finished */ 724 * reset by ssl3_get_finished */
803 && (rr->type != SSL3_RT_HANDSHAKE)) 725 && (rr->type != SSL3_RT_HANDSHAKE))
804 { 726 {
805 /* We now have application data between CCS and Finished. 727 al=SSL_AD_UNEXPECTED_MESSAGE;
806 * Most likely the packets were reordered on their way, so 728 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
807 * buffer the application data for later processing rather 729 goto err;
808 * than dropping the connection.
809 */
810 dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num);
811 rr->length = 0;
812 goto start;
813 } 730 }
814 731
815 /* If the other end has shut down, throw anything we read away 732 /* If the other end has shut down, throw anything we read away
@@ -879,28 +796,15 @@ start:
879 dest = s->d1->alert_fragment; 796 dest = s->d1->alert_fragment;
880 dest_len = &s->d1->alert_fragment_len; 797 dest_len = &s->d1->alert_fragment_len;
881 } 798 }
882 /* else it's a CCS message, or application data or wrong */ 799 /* else it's a CCS message, or it's wrong */
883 else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC) 800 else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC)
884 { 801 {
885 /* Application data while renegotiating 802 /* Not certain if this is the right error handling */
886 * is allowed. Try again reading. 803 al=SSL_AD_UNEXPECTED_MESSAGE;
887 */ 804 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
888 if (rr->type == SSL3_RT_APPLICATION_DATA) 805 goto f_err;
889 { 806 }
890 BIO *bio;
891 s->s3->in_read_app_data=2;
892 bio=SSL_get_rbio(s);
893 s->rwstate=SSL_READING;
894 BIO_clear_retry_flags(bio);
895 BIO_set_retry_read(bio);
896 return(-1);
897 }
898 807
899 /* Not certain if this is the right error handling */
900 al=SSL_AD_UNEXPECTED_MESSAGE;
901 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
902 goto f_err;
903 }
904 808
905 if (dest_maxlen > 0) 809 if (dest_maxlen > 0)
906 { 810 {
@@ -1038,9 +942,7 @@ start:
1038 n2s(p, seq); 942 n2s(p, seq);
1039 n2l3(p, frag_off); 943 n2l3(p, frag_off);
1040 944
1041 dtls1_retransmit_message(s, 945 dtls1_retransmit_message(s, seq, frag_off, &found);
1042 dtls1_get_queue_priority(frag->msg_header.seq, 0),
1043 frag_off, &found);
1044 if ( ! found && SSL_in_init(s)) 946 if ( ! found && SSL_in_init(s))
1045 { 947 {
1046 /* fprintf( stderr,"in init = %d\n", SSL_in_init(s)); */ 948 /* fprintf( stderr,"in init = %d\n", SSL_in_init(s)); */
@@ -1085,17 +987,14 @@ start:
1085 if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) 987 if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
1086 { 988 {
1087 struct ccs_header_st ccs_hdr; 989 struct ccs_header_st ccs_hdr;
1088 unsigned int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH;
1089 990
1090 dtls1_get_ccs_header(rr->data, &ccs_hdr); 991 dtls1_get_ccs_header(rr->data, &ccs_hdr);
1091 992
1092 if (s->version == DTLS1_BAD_VER)
1093 ccs_hdr_len = 3;
1094
1095 /* 'Change Cipher Spec' is just a single byte, so we know 993 /* 'Change Cipher Spec' is just a single byte, so we know
1096 * exactly what the record payload has to look like */ 994 * exactly what the record payload has to look like */
1097 /* XDTLS: check that epoch is consistent */ 995 /* XDTLS: check that epoch is consistent */
1098 if ( (rr->length != ccs_hdr_len) || 996 if ( (s->client_version == DTLS1_BAD_VER && rr->length != 3) ||
997 (s->client_version != DTLS1_BAD_VER && rr->length != DTLS1_CCS_HEADER_LENGTH) ||
1099 (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) 998 (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
1100 { 999 {
1101 i=SSL_AD_ILLEGAL_PARAMETER; 1000 i=SSL_AD_ILLEGAL_PARAMETER;
@@ -1109,16 +1008,6 @@ start:
1109 s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, 1008 s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC,
1110 rr->data, 1, s, s->msg_callback_arg); 1009 rr->data, 1, s, s->msg_callback_arg);
1111 1010
1112 /* We can't process a CCS now, because previous handshake
1113 * messages are still missing, so just drop it.
1114 */
1115 if (!s->d1->change_cipher_spec_ok)
1116 {
1117 goto start;
1118 }
1119
1120 s->d1->change_cipher_spec_ok = 0;
1121
1122 s->s3->change_cipher_spec=1; 1011 s->s3->change_cipher_spec=1;
1123 if (!ssl3_do_change_cipher_spec(s)) 1012 if (!ssl3_do_change_cipher_spec(s))
1124 goto err; 1013 goto err;
@@ -1126,7 +1015,7 @@ start:
1126 /* do this whenever CCS is processed */ 1015 /* do this whenever CCS is processed */
1127 dtls1_reset_seq_numbers(s, SSL3_CC_READ); 1016 dtls1_reset_seq_numbers(s, SSL3_CC_READ);
1128 1017
1129 if (s->version == DTLS1_BAD_VER) 1018 if (s->client_version == DTLS1_BAD_VER)
1130 s->d1->handshake_read_seq++; 1019 s->d1->handshake_read_seq++;
1131 1020
1132 goto start; 1021 goto start;
@@ -1146,16 +1035,6 @@ start:
1146 goto start; 1035 goto start;
1147 } 1036 }
1148 1037
1149 /* If we are server, we may have a repeated FINISHED of the
1150 * client here, then retransmit our CCS and FINISHED.
1151 */
1152 if (msg_hdr.type == SSL3_MT_FINISHED)
1153 {
1154 dtls1_retransmit_buffered_messages(s);
1155 rr->length = 0;
1156 goto start;
1157 }
1158
1159 if (((s->state&SSL_ST_MASK) == SSL_ST_OK) && 1038 if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
1160 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) 1039 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
1161 { 1040 {
@@ -1262,6 +1141,7 @@ err:
1262int 1141int
1263dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len) 1142dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len)
1264 { 1143 {
1144 unsigned int n,tot;
1265 int i; 1145 int i;
1266 1146
1267 if (SSL_in_init(s) && !s->in_handshake) 1147 if (SSL_in_init(s) && !s->in_handshake)
@@ -1275,14 +1155,31 @@ dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len)
1275 } 1155 }
1276 } 1156 }
1277 1157
1278 if (len > SSL3_RT_MAX_PLAIN_LENGTH) 1158 tot = s->s3->wnum;
1159 n = len - tot;
1160
1161 while( n)
1279 { 1162 {
1280 SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES,SSL_R_DTLS_MESSAGE_TOO_BIG); 1163 /* dtls1_write_bytes sends one record at a time, sized according to
1281 return -1; 1164 * the currently known MTU */
1165 i = dtls1_write_bytes(s, type, buf_, len);
1166 if (i <= 0) return i;
1167
1168 if ((i == (int)n) ||
1169 (type == SSL3_RT_APPLICATION_DATA &&
1170 (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
1171 {
1172 /* next chunk of data should get another prepended empty fragment
1173 * in ciphersuites with known-IV weakness: */
1174 s->s3->empty_fragment_done = 0;
1175 return tot+i;
1176 }
1177
1178 tot += i;
1179 n-=i;
1282 } 1180 }
1283 1181
1284 i = dtls1_write_bytes(s, type, buf_, len); 1182 return tot;
1285 return i;
1286 } 1183 }
1287 1184
1288 1185
@@ -1323,13 +1220,46 @@ have_handshake_fragment(SSL *s, int type, unsigned char *buf,
1323/* Call this to write data in records of type 'type' 1220/* Call this to write data in records of type 'type'
1324 * It will return <= 0 if not all data has been sent or non-blocking IO. 1221 * It will return <= 0 if not all data has been sent or non-blocking IO.
1325 */ 1222 */
1326int dtls1_write_bytes(SSL *s, int type, const void *buf, int len) 1223int dtls1_write_bytes(SSL *s, int type, const void *buf_, int len)
1327 { 1224 {
1225 const unsigned char *buf=buf_;
1226 unsigned int tot,n,nw;
1328 int i; 1227 int i;
1228 unsigned int mtu;
1329 1229
1330 OPENSSL_assert(len <= SSL3_RT_MAX_PLAIN_LENGTH);
1331 s->rwstate=SSL_NOTHING; 1230 s->rwstate=SSL_NOTHING;
1332 i=do_dtls1_write(s, type, buf, len, 0); 1231 tot=s->s3->wnum;
1232
1233 n=(len-tot);
1234
1235 /* handshake layer figures out MTU for itself, but data records
1236 * are also sent through this interface, so need to figure out MTU */
1237#if 0
1238 mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_MTU, 0, NULL);
1239 mtu += DTLS1_HM_HEADER_LENGTH; /* HM already inserted */
1240#endif
1241 mtu = s->d1->mtu;
1242
1243 if (mtu > SSL3_RT_MAX_PLAIN_LENGTH)
1244 mtu = SSL3_RT_MAX_PLAIN_LENGTH;
1245
1246 if (n > mtu)
1247 nw=mtu;
1248 else
1249 nw=n;
1250
1251 i=do_dtls1_write(s, type, &(buf[tot]), nw, 0);
1252 if (i <= 0)
1253 {
1254 s->s3->wnum=tot;
1255 return i;
1256 }
1257
1258 if ( (int)s->s3->wnum + i == len)
1259 s->s3->wnum = 0;
1260 else
1261 s->s3->wnum += i;
1262
1333 return i; 1263 return i;
1334 } 1264 }
1335 1265
@@ -1369,23 +1299,19 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
1369 1299
1370 if ( (sess == NULL) || 1300 if ( (sess == NULL) ||
1371 (s->enc_write_ctx == NULL) || 1301 (s->enc_write_ctx == NULL) ||
1372 (EVP_MD_CTX_md(s->write_hash) == NULL)) 1302 (s->write_hash == NULL))
1373 clear=1; 1303 clear=1;
1374 1304
1375 if (clear) 1305 if (clear)
1376 mac_size=0; 1306 mac_size=0;
1377 else 1307 else
1378 { 1308 mac_size=EVP_MD_size(s->write_hash);
1379 mac_size=EVP_MD_CTX_size(s->write_hash);
1380 if (mac_size < 0)
1381 goto err;
1382 }
1383 1309
1384 /* DTLS implements explicit IV, so no need for empty fragments */ 1310 /* DTLS implements explicit IV, so no need for empty fragments */
1385#if 0 1311#if 0
1386 /* 'create_empty_fragment' is true only when this function calls itself */ 1312 /* 'create_empty_fragment' is true only when this function calls itself */
1387 if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done 1313 if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done
1388 && SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER) 1314 && SSL_version(s) != DTLS1_VERSION)
1389 { 1315 {
1390 /* countermeasure against known-IV weakness in CBC ciphersuites 1316 /* countermeasure against known-IV weakness in CBC ciphersuites
1391 * (see http://www.openssl.org/~bodo/tls-cbc.txt) 1317 * (see http://www.openssl.org/~bodo/tls-cbc.txt)
@@ -1412,6 +1338,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
1412 s->s3->empty_fragment_done = 1; 1338 s->s3->empty_fragment_done = 1;
1413 } 1339 }
1414#endif 1340#endif
1341
1415 p = wb->buf + prefix_len; 1342 p = wb->buf + prefix_len;
1416 1343
1417 /* write the header */ 1344 /* write the header */
@@ -1419,8 +1346,12 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
1419 *(p++)=type&0xff; 1346 *(p++)=type&0xff;
1420 wr->type=type; 1347 wr->type=type;
1421 1348
1422 *(p++)=(s->version>>8); 1349 if (s->client_version == DTLS1_BAD_VER)
1423 *(p++)=s->version&0xff; 1350 *(p++) = DTLS1_BAD_VER>>8,
1351 *(p++) = DTLS1_BAD_VER&0xff;
1352 else
1353 *(p++)=(s->version>>8),
1354 *(p++)=s->version&0xff;
1424 1355
1425 /* field where we are to write out packet epoch, seq num and len */ 1356 /* field where we are to write out packet epoch, seq num and len */
1426 pseq=p; 1357 pseq=p;
@@ -1465,8 +1396,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
1465 1396
1466 if (mac_size != 0) 1397 if (mac_size != 0)
1467 { 1398 {
1468 if(s->method->ssl3_enc->mac(s,&(p[wr->length + bs]),1) < 0) 1399 s->method->ssl3_enc->mac(s,&(p[wr->length + bs]),1);
1469 goto err;
1470 wr->length+=mac_size; 1400 wr->length+=mac_size;
1471 } 1401 }
1472 1402
@@ -1543,50 +1473,111 @@ err:
1543 1473
1544 1474
1545 1475
1546static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap) 1476static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap,
1477 PQ_64BIT *seq_num)
1547 { 1478 {
1548 int cmp; 1479#if PQ_64BIT_IS_INTEGER
1549 unsigned int shift; 1480 PQ_64BIT mask = 0x0000000000000001L;
1550 const unsigned char *seq = s->s3->read_sequence; 1481#endif
1482 PQ_64BIT rcd_num, tmp;
1483
1484 pq_64bit_init(&rcd_num);
1485 pq_64bit_init(&tmp);
1486
1487 /* this is the sequence number for the record just read */
1488 pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8);
1551 1489
1552 cmp = satsub64be(seq,bitmap->max_seq_num); 1490
1553 if (cmp > 0) 1491 if (pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) ||
1492 pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num)))
1554 { 1493 {
1555 memcpy (s->s3->rrec.seq_num,seq,8); 1494 pq_64bit_assign(seq_num, &rcd_num);
1556 return 1; /* this record in new */ 1495 pq_64bit_free(&rcd_num);
1496 pq_64bit_free(&tmp);
1497 return 1; /* this record is new */
1498 }
1499
1500 pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num);
1501
1502 if ( pq_64bit_get_word(&tmp) > bitmap->length)
1503 {
1504 pq_64bit_free(&rcd_num);
1505 pq_64bit_free(&tmp);
1506 return 0; /* stale, outside the window */
1557 } 1507 }
1558 shift = -cmp;
1559 if (shift >= sizeof(bitmap->map)*8)
1560 return 0; /* stale, outside the window */
1561 else if (bitmap->map & (1UL<<shift))
1562 return 0; /* record previously received */
1563 1508
1564 memcpy (s->s3->rrec.seq_num,seq,8); 1509#if PQ_64BIT_IS_BIGNUM
1510 {
1511 int offset;
1512 pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num);
1513 pq_64bit_sub_word(&tmp, 1);
1514 offset = pq_64bit_get_word(&tmp);
1515 if ( pq_64bit_is_bit_set(&(bitmap->map), offset))
1516 {
1517 pq_64bit_free(&rcd_num);
1518 pq_64bit_free(&tmp);
1519 return 0;
1520 }
1521 }
1522#else
1523 mask <<= (bitmap->max_seq_num - rcd_num - 1);
1524 if (bitmap->map & mask)
1525 return 0; /* record previously received */
1526#endif
1527
1528 pq_64bit_assign(seq_num, &rcd_num);
1529 pq_64bit_free(&rcd_num);
1530 pq_64bit_free(&tmp);
1565 return 1; 1531 return 1;
1566 } 1532 }
1567 1533
1568 1534
1569static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap) 1535static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap)
1570 { 1536 {
1571 int cmp;
1572 unsigned int shift; 1537 unsigned int shift;
1573 const unsigned char *seq = s->s3->read_sequence; 1538 PQ_64BIT rcd_num;
1539 PQ_64BIT tmp;
1540 PQ_64BIT_CTX *ctx;
1574 1541
1575 cmp = satsub64be(seq,bitmap->max_seq_num); 1542 pq_64bit_init(&rcd_num);
1576 if (cmp > 0) 1543 pq_64bit_init(&tmp);
1544
1545 pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8);
1546
1547 /* unfortunate code complexity due to 64-bit manipulation support
1548 * on 32-bit machines */
1549 if ( pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) ||
1550 pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num)))
1577 { 1551 {
1578 shift = cmp; 1552 pq_64bit_sub(&tmp, &rcd_num, &(bitmap->max_seq_num));
1579 if (shift < sizeof(bitmap->map)*8) 1553 pq_64bit_add_word(&tmp, 1);
1580 bitmap->map <<= shift, bitmap->map |= 1UL; 1554
1581 else 1555 shift = (unsigned int)pq_64bit_get_word(&tmp);
1582 bitmap->map = 1UL; 1556
1583 memcpy(bitmap->max_seq_num,seq,8); 1557 pq_64bit_lshift(&(tmp), &(bitmap->map), shift);
1558 pq_64bit_assign(&(bitmap->map), &tmp);
1559
1560 pq_64bit_set_bit(&(bitmap->map), 0);
1561 pq_64bit_add_word(&rcd_num, 1);
1562 pq_64bit_assign(&(bitmap->max_seq_num), &rcd_num);
1563
1564 pq_64bit_assign_word(&tmp, 1);
1565 pq_64bit_lshift(&tmp, &tmp, bitmap->length);
1566 ctx = pq_64bit_ctx_new(&ctx);
1567 pq_64bit_mod(&(bitmap->map), &(bitmap->map), &tmp, ctx);
1568 pq_64bit_ctx_free(ctx);
1584 } 1569 }
1585 else { 1570 else
1586 shift = -cmp; 1571 {
1587 if (shift < sizeof(bitmap->map)*8) 1572 pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num);
1588 bitmap->map |= 1UL<<shift; 1573 pq_64bit_sub_word(&tmp, 1);
1574 shift = (unsigned int)pq_64bit_get_word(&tmp);
1575
1576 pq_64bit_set_bit(&(bitmap->map), shift);
1589 } 1577 }
1578
1579 pq_64bit_free(&rcd_num);
1580 pq_64bit_free(&tmp);
1590 } 1581 }
1591 1582
1592 1583
@@ -1633,7 +1624,7 @@ int dtls1_dispatch_alert(SSL *s)
1633#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE 1624#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
1634 || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE 1625 || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
1635#endif 1626#endif
1636 ) 1627 )
1637 (void)BIO_flush(s->wbio); 1628 (void)BIO_flush(s->wbio);
1638 1629
1639 if (s->msg_callback) 1630 if (s->msg_callback)
@@ -1752,19 +1743,47 @@ dtls1_reset_seq_numbers(SSL *s, int rw)
1752 { 1743 {
1753 seq = s->s3->read_sequence; 1744 seq = s->s3->read_sequence;
1754 s->d1->r_epoch++; 1745 s->d1->r_epoch++;
1755 memcpy(&(s->d1->bitmap), &(s->d1->next_bitmap), sizeof(DTLS1_BITMAP)); 1746
1747 pq_64bit_assign(&(s->d1->bitmap.map), &(s->d1->next_bitmap.map));
1748 s->d1->bitmap.length = s->d1->next_bitmap.length;
1749 pq_64bit_assign(&(s->d1->bitmap.max_seq_num),
1750 &(s->d1->next_bitmap.max_seq_num));
1751
1752 pq_64bit_free(&(s->d1->next_bitmap.map));
1753 pq_64bit_free(&(s->d1->next_bitmap.max_seq_num));
1756 memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP)); 1754 memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP));
1755 pq_64bit_init(&(s->d1->next_bitmap.map));
1756 pq_64bit_init(&(s->d1->next_bitmap.max_seq_num));
1757 } 1757 }
1758 else 1758 else
1759 { 1759 {
1760 seq = s->s3->write_sequence; 1760 seq = s->s3->write_sequence;
1761 memcpy(s->d1->last_write_sequence, seq, sizeof(s->s3->write_sequence));
1762 s->d1->w_epoch++; 1761 s->d1->w_epoch++;
1763 } 1762 }
1764 1763
1765 memset(seq, 0x00, seq_bytes); 1764 memset(seq, 0x00, seq_bytes);
1766 } 1765 }
1767 1766
1767#if PQ_64BIT_IS_INTEGER
1768static PQ_64BIT
1769bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num)
1770 {
1771 PQ_64BIT _num;
1772
1773 _num = (((PQ_64BIT)bytes[0]) << 56) |
1774 (((PQ_64BIT)bytes[1]) << 48) |
1775 (((PQ_64BIT)bytes[2]) << 40) |
1776 (((PQ_64BIT)bytes[3]) << 32) |
1777 (((PQ_64BIT)bytes[4]) << 24) |
1778 (((PQ_64BIT)bytes[5]) << 16) |
1779 (((PQ_64BIT)bytes[6]) << 8) |
1780 (((PQ_64BIT)bytes[7]) );
1781
1782 *num = _num ;
1783 return _num;
1784 }
1785#endif
1786
1768 1787
1769static void 1788static void
1770dtls1_clear_timeouts(SSL *s) 1789dtls1_clear_timeouts(SSL *s)