summaryrefslogtreecommitdiff
path: root/src/lib/libssl/d1_pkt.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/d1_pkt.c')
-rw-r--r--src/lib/libssl/d1_pkt.c543
1 files changed, 262 insertions, 281 deletions
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index eb56cf987b..a5439d544f 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -122,10 +122,53 @@
122#include <openssl/pqueue.h> 122#include <openssl/pqueue.h>
123#include <openssl/rand.h> 123#include <openssl/rand.h>
124 124
125/* mod 128 saturating subtract of two 64-bit values in big-endian order */
126static int satsub64be(const unsigned char *v1,const unsigned char *v2)
127{ int ret,sat,brw,i;
128
129 if (sizeof(long) == 8) do
130 { const union { long one; char little; } is_endian = {1};
131 long l;
132
133 if (is_endian.little) break;
134 /* not reached on little-endians */
135 /* following test is redundant, because input is
136 * always aligned, but I take no chances... */
137 if (((size_t)v1|(size_t)v2)&0x7) break;
138
139 l = *((long *)v1);
140 l -= *((long *)v2);
141 if (l>128) return 128;
142 else if (l<-128) return -128;
143 else return (int)l;
144 } while (0);
145
146 ret = (int)v1[7]-(int)v2[7];
147 sat = 0;
148 brw = ret>>8; /* brw is either 0 or -1 */
149 if (ret & 0x80)
150 { for (i=6;i>=0;i--)
151 { brw += (int)v1[i]-(int)v2[i];
152 sat |= ~brw;
153 brw >>= 8;
154 }
155 }
156 else
157 { for (i=6;i>=0;i--)
158 { brw += (int)v1[i]-(int)v2[i];
159 sat |= brw;
160 brw >>= 8;
161 }
162 }
163 brw <<= 8; /* brw is either 0 or -256 */
164
165 if (sat&0xff) return brw | 0x80;
166 else return brw + (ret&0xFF);
167}
168
125static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, 169static int have_handshake_fragment(SSL *s, int type, unsigned char *buf,
126 int len, int peek); 170 int len, int peek);
127static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap, 171static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap);
128 PQ_64BIT *seq_num);
129static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap); 172static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);
130static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, 173static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
131 unsigned int *is_next_epoch); 174 unsigned int *is_next_epoch);
@@ -134,11 +177,8 @@ static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
134 unsigned short *priority, unsigned long *offset); 177 unsigned short *priority, unsigned long *offset);
135#endif 178#endif
136static int dtls1_buffer_record(SSL *s, record_pqueue *q, 179static int dtls1_buffer_record(SSL *s, record_pqueue *q,
137 PQ_64BIT priority); 180 unsigned char *priority);
138static int dtls1_process_record(SSL *s); 181static int dtls1_process_record(SSL *s);
139#if PQ_64BIT_IS_INTEGER
140static PQ_64BIT bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num);
141#endif
142static void dtls1_clear_timeouts(SSL *s); 182static void dtls1_clear_timeouts(SSL *s);
143 183
144/* copy buffered record into SSL structure */ 184/* copy buffered record into SSL structure */
@@ -156,17 +196,24 @@ dtls1_copy_record(SSL *s, pitem *item)
156 s->packet_length = rdata->packet_length; 196 s->packet_length = rdata->packet_length;
157 memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER)); 197 memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
158 memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD)); 198 memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
199
200 /* Set proper sequence number for mac calculation */
201 memcpy(&(s->s3->read_sequence[2]), &(rdata->packet[5]), 6);
159 202
160 return(1); 203 return(1);
161 } 204 }
162 205
163 206
164static int 207static int
165dtls1_buffer_record(SSL *s, record_pqueue *queue, PQ_64BIT priority) 208dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
166{ 209 {
167 DTLS1_RECORD_DATA *rdata; 210 DTLS1_RECORD_DATA *rdata;
168 pitem *item; 211 pitem *item;
169 212
213 /* Limit the size of the queue to prevent DOS attacks */
214 if (pqueue_size(queue->q) >= 100)
215 return 0;
216
170 rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); 217 rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
171 item = pitem_new(priority, rdata); 218 item = pitem_new(priority, rdata);
172 if (rdata == NULL || item == NULL) 219 if (rdata == NULL || item == NULL)
@@ -207,7 +254,7 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, PQ_64BIT priority)
207 } 254 }
208 255
209 return(1); 256 return(1);
210 } 257 }
211 258
212 259
213static int 260static int
@@ -324,17 +371,17 @@ dtls1_get_buffered_record(SSL *s)
324static int 371static int
325dtls1_process_record(SSL *s) 372dtls1_process_record(SSL *s)
326{ 373{
327 int i,al; 374 int i,al;
328 int clear=0; 375 int clear=0;
329 int enc_err; 376 int enc_err;
330 SSL_SESSION *sess; 377 SSL_SESSION *sess;
331 SSL3_RECORD *rr; 378 SSL3_RECORD *rr;
332 unsigned int mac_size; 379 unsigned int mac_size;
333 unsigned char md[EVP_MAX_MD_SIZE]; 380 unsigned char md[EVP_MAX_MD_SIZE];
334 381
335 382
336 rr= &(s->s3->rrec); 383 rr= &(s->s3->rrec);
337 sess = s->session; 384 sess = s->session;
338 385
339 /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, 386 /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
340 * and we have that many bytes in s->packet 387 * and we have that many bytes in s->packet
@@ -370,7 +417,7 @@ dtls1_process_record(SSL *s)
370 goto err; 417 goto err;
371 418
372 /* otherwise enc_err == -1 */ 419 /* otherwise enc_err == -1 */
373 goto decryption_failed_or_bad_record_mac; 420 goto err;
374 } 421 }
375 422
376#ifdef TLS_DEBUG 423#ifdef TLS_DEBUG
@@ -380,14 +427,18 @@ printf("\n");
380#endif 427#endif
381 428
382 /* r->length is now the compressed data plus mac */ 429 /* r->length is now the compressed data plus mac */
383if ( (sess == NULL) || 430 if ( (sess == NULL) ||
384 (s->enc_read_ctx == NULL) || 431 (s->enc_read_ctx == NULL) ||
385 (s->read_hash == NULL)) 432 (s->read_hash == NULL))
386 clear=1; 433 clear=1;
387 434
388 if (!clear) 435 if (!clear)
389 { 436 {
390 mac_size=EVP_MD_size(s->read_hash); 437 /* !clear => s->read_hash != NULL => mac_size != -1 */
438 int t;
439 t=EVP_MD_CTX_size(s->read_hash);
440 OPENSSL_assert(t >= 0);
441 mac_size=t;
391 442
392 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size) 443 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
393 { 444 {
@@ -396,7 +447,7 @@ if ( (sess == NULL) ||
396 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); 447 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
397 goto f_err; 448 goto f_err;
398#else 449#else
399 goto decryption_failed_or_bad_record_mac; 450 goto err;
400#endif 451#endif
401 } 452 }
402 /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ 453 /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
@@ -407,14 +458,14 @@ if ( (sess == NULL) ||
407 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); 458 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
408 goto f_err; 459 goto f_err;
409#else 460#else
410 goto decryption_failed_or_bad_record_mac; 461 goto err;
411#endif 462#endif
412 } 463 }
413 rr->length-=mac_size; 464 rr->length-=mac_size;
414 i=s->method->ssl3_enc->mac(s,md,0); 465 i=s->method->ssl3_enc->mac(s,md,0);
415 if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0) 466 if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
416 { 467 {
417 goto decryption_failed_or_bad_record_mac; 468 goto err;
418 } 469 }
419 } 470 }
420 471
@@ -453,17 +504,9 @@ if ( (sess == NULL) ||
453 504
454 /* we have pulled in a full packet so zero things */ 505 /* we have pulled in a full packet so zero things */
455 s->packet_length=0; 506 s->packet_length=0;
456 dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */ 507 dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */
457 return(1); 508 return(1);
458 509
459decryption_failed_or_bad_record_mac:
460 /* Separate 'decryption_failed' alert was introduced with TLS 1.0,
461 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
462 * failure is directly visible from the ciphertext anyway,
463 * we should not reveal which kind of error occured -- this
464 * might become visible to an attacker (e.g. via logfile) */
465 al=SSL_AD_BAD_RECORD_MAC;
466 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
467f_err: 510f_err:
468 ssl3_send_alert(s,SSL3_AL_FATAL,al); 511 ssl3_send_alert(s,SSL3_AL_FATAL,al);
469err: 512err:
@@ -482,11 +525,11 @@ err:
482/* used only by dtls1_read_bytes */ 525/* used only by dtls1_read_bytes */
483int dtls1_get_record(SSL *s) 526int dtls1_get_record(SSL *s)
484 { 527 {
485 int ssl_major,ssl_minor,al; 528 int ssl_major,ssl_minor;
486 int i,n; 529 int i,n;
487 SSL3_RECORD *rr; 530 SSL3_RECORD *rr;
488 SSL_SESSION *sess; 531 SSL_SESSION *sess;
489 unsigned char *p; 532 unsigned char *p = NULL;
490 unsigned short version; 533 unsigned short version;
491 DTLS1_BITMAP *bitmap; 534 DTLS1_BITMAP *bitmap;
492 unsigned int is_next_epoch; 535 unsigned int is_next_epoch;
@@ -494,10 +537,9 @@ int dtls1_get_record(SSL *s)
494 rr= &(s->s3->rrec); 537 rr= &(s->s3->rrec);
495 sess=s->session; 538 sess=s->session;
496 539
497 /* The epoch may have changed. If so, process all the 540 /* The epoch may have changed. If so, process all the
498 * pending records. This is a non-blocking operation. */ 541 * pending records. This is a non-blocking operation. */
499 if ( ! dtls1_process_buffered_records(s)) 542 dtls1_process_buffered_records(s);
500 return 0;
501 543
502 /* if we're renegotiating, then there may be buffered records */ 544 /* if we're renegotiating, then there may be buffered records */
503 if (dtls1_get_processed_record(s)) 545 if (dtls1_get_processed_record(s))
@@ -513,7 +555,12 @@ again:
513 /* read timeout is handled by dtls1_read_bytes */ 555 /* read timeout is handled by dtls1_read_bytes */
514 if (n <= 0) return(n); /* error or non-blocking */ 556 if (n <= 0) return(n); /* error or non-blocking */
515 557
516 OPENSSL_assert(s->packet_length == DTLS1_RT_HEADER_LENGTH); 558 /* this packet contained a partial record, dump it */
559 if (s->packet_length != DTLS1_RT_HEADER_LENGTH)
560 {
561 s->packet_length = 0;
562 goto again;
563 }
517 564
518 s->rstate=SSL_ST_READ_BODY; 565 s->rstate=SSL_ST_READ_BODY;
519 566
@@ -536,32 +583,31 @@ again:
536 /* Lets check version */ 583 /* Lets check version */
537 if (!s->first_packet) 584 if (!s->first_packet)
538 { 585 {
539 if (version != s->version && version != DTLS1_BAD_VER) 586 if (version != s->version)
540 { 587 {
541 SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); 588 /* unexpected version, silently discard */
542 /* Send back error using their 589 rr->length = 0;
543 * version number :-) */ 590 s->packet_length = 0;
544 s->version=version; 591 goto again;
545 al=SSL_AD_PROTOCOL_VERSION;
546 goto f_err;
547 } 592 }
548 } 593 }
549 594
550 if ((version & 0xff00) != (DTLS1_VERSION & 0xff00) && 595 if ((version & 0xff00) != (s->version & 0xff00))
551 (version & 0xff00) != (DTLS1_BAD_VER & 0xff00))
552 { 596 {
553 SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); 597 /* wrong version, silently discard record */
554 goto err; 598 rr->length = 0;
599 s->packet_length = 0;
600 goto again;
555 } 601 }
556 602
557 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) 603 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH)
558 { 604 {
559 al=SSL_AD_RECORD_OVERFLOW; 605 /* record too long, silently discard it */
560 SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG); 606 rr->length = 0;
561 goto f_err; 607 s->packet_length = 0;
608 goto again;
562 } 609 }
563 610
564 s->client_version = version;
565 /* now s->rstate == SSL_ST_READ_BODY */ 611 /* now s->rstate == SSL_ST_READ_BODY */
566 } 612 }
567 613
@@ -577,6 +623,7 @@ again:
577 /* this packet contained a partial record, dump it */ 623 /* this packet contained a partial record, dump it */
578 if ( n != i) 624 if ( n != i)
579 { 625 {
626 rr->length = 0;
580 s->packet_length = 0; 627 s->packet_length = 0;
581 goto again; 628 goto again;
582 } 629 }
@@ -589,13 +636,21 @@ again:
589 /* match epochs. NULL means the packet is dropped on the floor */ 636 /* match epochs. NULL means the packet is dropped on the floor */
590 bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); 637 bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
591 if ( bitmap == NULL) 638 if ( bitmap == NULL)
592 { 639 {
593 s->packet_length = 0; /* dump this record */ 640 rr->length = 0;
594 goto again; /* get another record */ 641 s->packet_length = 0; /* dump this record */
642 goto again; /* get another record */
595 } 643 }
596 644
597 /* check whether this is a repeat, or aged record */ 645 /* Check whether this is a repeat, or aged record.
598 if ( ! dtls1_record_replay_check(s, bitmap, &(rr->seq_num))) 646 * Don't check if we're listening and this message is
647 * a ClientHello. They can look as if they're replayed,
648 * since they arrive from different connections and
649 * would be dropped unnecessarily.
650 */
651 if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE &&
652 *p == SSL3_MT_CLIENT_HELLO) &&
653 !dtls1_record_replay_check(s, bitmap))
599 { 654 {
600 rr->length = 0; 655 rr->length = 0;
601 s->packet_length=0; /* dump this record */ 656 s->packet_length=0; /* dump this record */
@@ -605,28 +660,30 @@ again:
605 /* just read a 0 length packet */ 660 /* just read a 0 length packet */
606 if (rr->length == 0) goto again; 661 if (rr->length == 0) goto again;
607 662
608 /* If this record is from the next epoch (either HM or ALERT), buffer it 663 /* If this record is from the next epoch (either HM or ALERT),
609 * since it cannot be processed at this time. 664 * and a handshake is currently in progress, buffer it since it
610 * Records from the next epoch are marked as received even though they are 665 * cannot be processed at this time. */
611 * not processed, so as to prevent any potential resource DoS attack */ 666 if (is_next_epoch)
612 if (is_next_epoch) 667 {
613 { 668 if (SSL_in_init(s) || s->in_handshake)
614 dtls1_record_bitmap_update(s, bitmap); 669 {
615 dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num); 670 dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
616 s->packet_length = 0; 671 }
617 goto again; 672 rr->length = 0;
618 } 673 s->packet_length = 0;
674 goto again;
675 }
619 676
620 if ( ! dtls1_process_record(s)) 677 if (!dtls1_process_record(s))
621 return(0); 678 {
679 rr->length = 0;
680 s->packet_length = 0; /* dump this record */
681 goto again; /* get another record */
682 }
622 683
623 dtls1_clear_timeouts(s); /* done waiting */ 684 dtls1_clear_timeouts(s); /* done waiting */
624 return(1); 685 return(1);
625 686
626f_err:
627 ssl3_send_alert(s,SSL3_AL_FATAL,al);
628err:
629 return(0);
630 } 687 }
631 688
632/* Return up to 'len' payload bytes received in 'type' records. 689/* Return up to 'len' payload bytes received in 'type' records.
@@ -703,6 +760,27 @@ start:
703 * s->s3->rrec.length, - number of bytes. */ 760 * s->s3->rrec.length, - number of bytes. */
704 rr = &(s->s3->rrec); 761 rr = &(s->s3->rrec);
705 762
763 /* We are not handshaking and have no data yet,
764 * so process data buffered during the last handshake
765 * in advance, if any.
766 */
767 if (s->state == SSL_ST_OK && rr->length == 0)
768 {
769 pitem *item;
770 item = pqueue_pop(s->d1->buffered_app_data.q);
771 if (item)
772 {
773 dtls1_copy_record(s, item);
774
775 OPENSSL_free(item->data);
776 pitem_free(item);
777 }
778 }
779
780 /* Check for timeout */
781 if (dtls1_handle_timeout(s) > 0)
782 goto start;
783
706 /* get new packet if necessary */ 784 /* get new packet if necessary */
707 if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY)) 785 if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
708 { 786 {
@@ -724,9 +802,14 @@ start:
724 * reset by ssl3_get_finished */ 802 * reset by ssl3_get_finished */
725 && (rr->type != SSL3_RT_HANDSHAKE)) 803 && (rr->type != SSL3_RT_HANDSHAKE))
726 { 804 {
727 al=SSL_AD_UNEXPECTED_MESSAGE; 805 /* We now have application data between CCS and Finished.
728 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED); 806 * Most likely the packets were reordered on their way, so
729 goto err; 807 * buffer the application data for later processing rather
808 * than dropping the connection.
809 */
810 dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num);
811 rr->length = 0;
812 goto start;
730 } 813 }
731 814
732 /* If the other end has shut down, throw anything we read away 815 /* If the other end has shut down, throw anything we read away
@@ -796,15 +879,28 @@ start:
796 dest = s->d1->alert_fragment; 879 dest = s->d1->alert_fragment;
797 dest_len = &s->d1->alert_fragment_len; 880 dest_len = &s->d1->alert_fragment_len;
798 } 881 }
799 /* else it's a CCS message, or it's wrong */ 882 /* else it's a CCS message, or application data or wrong */
800 else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC) 883 else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC)
801 { 884 {
802 /* Not certain if this is the right error handling */ 885 /* Application data while renegotiating
803 al=SSL_AD_UNEXPECTED_MESSAGE; 886 * is allowed. Try again reading.
804 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD); 887 */
805 goto f_err; 888 if (rr->type == SSL3_RT_APPLICATION_DATA)
806 } 889 {
890 BIO *bio;
891 s->s3->in_read_app_data=2;
892 bio=SSL_get_rbio(s);
893 s->rwstate=SSL_READING;
894 BIO_clear_retry_flags(bio);
895 BIO_set_retry_read(bio);
896 return(-1);
897 }
807 898
899 /* Not certain if this is the right error handling */
900 al=SSL_AD_UNEXPECTED_MESSAGE;
901 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
902 goto f_err;
903 }
808 904
809 if (dest_maxlen > 0) 905 if (dest_maxlen > 0)
810 { 906 {
@@ -942,7 +1038,9 @@ start:
942 n2s(p, seq); 1038 n2s(p, seq);
943 n2l3(p, frag_off); 1039 n2l3(p, frag_off);
944 1040
945 dtls1_retransmit_message(s, seq, frag_off, &found); 1041 dtls1_retransmit_message(s,
1042 dtls1_get_queue_priority(frag->msg_header.seq, 0),
1043 frag_off, &found);
946 if ( ! found && SSL_in_init(s)) 1044 if ( ! found && SSL_in_init(s))
947 { 1045 {
948 /* fprintf( stderr,"in init = %d\n", SSL_in_init(s)); */ 1046 /* fprintf( stderr,"in init = %d\n", SSL_in_init(s)); */
@@ -987,14 +1085,17 @@ start:
987 if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) 1085 if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
988 { 1086 {
989 struct ccs_header_st ccs_hdr; 1087 struct ccs_header_st ccs_hdr;
1088 unsigned int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH;
990 1089
991 dtls1_get_ccs_header(rr->data, &ccs_hdr); 1090 dtls1_get_ccs_header(rr->data, &ccs_hdr);
992 1091
1092 if (s->version == DTLS1_BAD_VER)
1093 ccs_hdr_len = 3;
1094
993 /* 'Change Cipher Spec' is just a single byte, so we know 1095 /* 'Change Cipher Spec' is just a single byte, so we know
994 * exactly what the record payload has to look like */ 1096 * exactly what the record payload has to look like */
995 /* XDTLS: check that epoch is consistent */ 1097 /* XDTLS: check that epoch is consistent */
996 if ( (s->client_version == DTLS1_BAD_VER && rr->length != 3) || 1098 if ( (rr->length != ccs_hdr_len) ||
997 (s->client_version != DTLS1_BAD_VER && rr->length != DTLS1_CCS_HEADER_LENGTH) ||
998 (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) 1099 (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
999 { 1100 {
1000 i=SSL_AD_ILLEGAL_PARAMETER; 1101 i=SSL_AD_ILLEGAL_PARAMETER;
@@ -1008,6 +1109,16 @@ start:
1008 s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, 1109 s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC,
1009 rr->data, 1, s, s->msg_callback_arg); 1110 rr->data, 1, s, s->msg_callback_arg);
1010 1111
1112 /* We can't process a CCS now, because previous handshake
1113 * messages are still missing, so just drop it.
1114 */
1115 if (!s->d1->change_cipher_spec_ok)
1116 {
1117 goto start;
1118 }
1119
1120 s->d1->change_cipher_spec_ok = 0;
1121
1011 s->s3->change_cipher_spec=1; 1122 s->s3->change_cipher_spec=1;
1012 if (!ssl3_do_change_cipher_spec(s)) 1123 if (!ssl3_do_change_cipher_spec(s))
1013 goto err; 1124 goto err;
@@ -1015,7 +1126,7 @@ start:
1015 /* do this whenever CCS is processed */ 1126 /* do this whenever CCS is processed */
1016 dtls1_reset_seq_numbers(s, SSL3_CC_READ); 1127 dtls1_reset_seq_numbers(s, SSL3_CC_READ);
1017 1128
1018 if (s->client_version == DTLS1_BAD_VER) 1129 if (s->version == DTLS1_BAD_VER)
1019 s->d1->handshake_read_seq++; 1130 s->d1->handshake_read_seq++;
1020 1131
1021 goto start; 1132 goto start;
@@ -1035,6 +1146,16 @@ start:
1035 goto start; 1146 goto start;
1036 } 1147 }
1037 1148
1149 /* If we are server, we may have a repeated FINISHED of the
1150 * client here, then retransmit our CCS and FINISHED.
1151 */
1152 if (msg_hdr.type == SSL3_MT_FINISHED)
1153 {
1154 dtls1_retransmit_buffered_messages(s);
1155 rr->length = 0;
1156 goto start;
1157 }
1158
1038 if (((s->state&SSL_ST_MASK) == SSL_ST_OK) && 1159 if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
1039 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) 1160 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
1040 { 1161 {
@@ -1141,7 +1262,6 @@ err:
1141int 1262int
1142dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len) 1263dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len)
1143 { 1264 {
1144 unsigned int n,tot;
1145 int i; 1265 int i;
1146 1266
1147 if (SSL_in_init(s) && !s->in_handshake) 1267 if (SSL_in_init(s) && !s->in_handshake)
@@ -1155,31 +1275,14 @@ dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len)
1155 } 1275 }
1156 } 1276 }
1157 1277
1158 tot = s->s3->wnum; 1278 if (len > SSL3_RT_MAX_PLAIN_LENGTH)
1159 n = len - tot;
1160
1161 while( n)
1162 { 1279 {
1163 /* dtls1_write_bytes sends one record at a time, sized according to 1280 SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES,SSL_R_DTLS_MESSAGE_TOO_BIG);
1164 * the currently known MTU */ 1281 return -1;
1165 i = dtls1_write_bytes(s, type, buf_, len);
1166 if (i <= 0) return i;
1167
1168 if ((i == (int)n) ||
1169 (type == SSL3_RT_APPLICATION_DATA &&
1170 (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
1171 {
1172 /* next chunk of data should get another prepended empty fragment
1173 * in ciphersuites with known-IV weakness: */
1174 s->s3->empty_fragment_done = 0;
1175 return tot+i;
1176 }
1177
1178 tot += i;
1179 n-=i;
1180 } 1282 }
1181 1283
1182 return tot; 1284 i = dtls1_write_bytes(s, type, buf_, len);
1285 return i;
1183 } 1286 }
1184 1287
1185 1288
@@ -1220,46 +1323,13 @@ have_handshake_fragment(SSL *s, int type, unsigned char *buf,
1220/* Call this to write data in records of type 'type' 1323/* Call this to write data in records of type 'type'
1221 * It will return <= 0 if not all data has been sent or non-blocking IO. 1324 * It will return <= 0 if not all data has been sent or non-blocking IO.
1222 */ 1325 */
1223int dtls1_write_bytes(SSL *s, int type, const void *buf_, int len) 1326int dtls1_write_bytes(SSL *s, int type, const void *buf, int len)
1224 { 1327 {
1225 const unsigned char *buf=buf_;
1226 unsigned int tot,n,nw;
1227 int i; 1328 int i;
1228 unsigned int mtu;
1229 1329
1330 OPENSSL_assert(len <= SSL3_RT_MAX_PLAIN_LENGTH);
1230 s->rwstate=SSL_NOTHING; 1331 s->rwstate=SSL_NOTHING;
1231 tot=s->s3->wnum; 1332 i=do_dtls1_write(s, type, buf, len, 0);
1232
1233 n=(len-tot);
1234
1235 /* handshake layer figures out MTU for itself, but data records
1236 * are also sent through this interface, so need to figure out MTU */
1237#if 0
1238 mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_MTU, 0, NULL);
1239 mtu += DTLS1_HM_HEADER_LENGTH; /* HM already inserted */
1240#endif
1241 mtu = s->d1->mtu;
1242
1243 if (mtu > SSL3_RT_MAX_PLAIN_LENGTH)
1244 mtu = SSL3_RT_MAX_PLAIN_LENGTH;
1245
1246 if (n > mtu)
1247 nw=mtu;
1248 else
1249 nw=n;
1250
1251 i=do_dtls1_write(s, type, &(buf[tot]), nw, 0);
1252 if (i <= 0)
1253 {
1254 s->s3->wnum=tot;
1255 return i;
1256 }
1257
1258 if ( (int)s->s3->wnum + i == len)
1259 s->s3->wnum = 0;
1260 else
1261 s->s3->wnum += i;
1262
1263 return i; 1333 return i;
1264 } 1334 }
1265 1335
@@ -1299,19 +1369,23 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
1299 1369
1300 if ( (sess == NULL) || 1370 if ( (sess == NULL) ||
1301 (s->enc_write_ctx == NULL) || 1371 (s->enc_write_ctx == NULL) ||
1302 (s->write_hash == NULL)) 1372 (EVP_MD_CTX_md(s->write_hash) == NULL))
1303 clear=1; 1373 clear=1;
1304 1374
1305 if (clear) 1375 if (clear)
1306 mac_size=0; 1376 mac_size=0;
1307 else 1377 else
1308 mac_size=EVP_MD_size(s->write_hash); 1378 {
1379 mac_size=EVP_MD_CTX_size(s->write_hash);
1380 if (mac_size < 0)
1381 goto err;
1382 }
1309 1383
1310 /* DTLS implements explicit IV, so no need for empty fragments */ 1384 /* DTLS implements explicit IV, so no need for empty fragments */
1311#if 0 1385#if 0
1312 /* 'create_empty_fragment' is true only when this function calls itself */ 1386 /* 'create_empty_fragment' is true only when this function calls itself */
1313 if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done 1387 if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done
1314 && SSL_version(s) != DTLS1_VERSION) 1388 && SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
1315 { 1389 {
1316 /* countermeasure against known-IV weakness in CBC ciphersuites 1390 /* countermeasure against known-IV weakness in CBC ciphersuites
1317 * (see http://www.openssl.org/~bodo/tls-cbc.txt) 1391 * (see http://www.openssl.org/~bodo/tls-cbc.txt)
@@ -1338,7 +1412,6 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
1338 s->s3->empty_fragment_done = 1; 1412 s->s3->empty_fragment_done = 1;
1339 } 1413 }
1340#endif 1414#endif
1341
1342 p = wb->buf + prefix_len; 1415 p = wb->buf + prefix_len;
1343 1416
1344 /* write the header */ 1417 /* write the header */
@@ -1346,12 +1419,8 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
1346 *(p++)=type&0xff; 1419 *(p++)=type&0xff;
1347 wr->type=type; 1420 wr->type=type;
1348 1421
1349 if (s->client_version == DTLS1_BAD_VER) 1422 *(p++)=(s->version>>8);
1350 *(p++) = DTLS1_BAD_VER>>8, 1423 *(p++)=s->version&0xff;
1351 *(p++) = DTLS1_BAD_VER&0xff;
1352 else
1353 *(p++)=(s->version>>8),
1354 *(p++)=s->version&0xff;
1355 1424
1356 /* field where we are to write out packet epoch, seq num and len */ 1425 /* field where we are to write out packet epoch, seq num and len */
1357 pseq=p; 1426 pseq=p;
@@ -1396,7 +1465,8 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
1396 1465
1397 if (mac_size != 0) 1466 if (mac_size != 0)
1398 { 1467 {
1399 s->method->ssl3_enc->mac(s,&(p[wr->length + bs]),1); 1468 if(s->method->ssl3_enc->mac(s,&(p[wr->length + bs]),1) < 0)
1469 goto err;
1400 wr->length+=mac_size; 1470 wr->length+=mac_size;
1401 } 1471 }
1402 1472
@@ -1473,111 +1543,50 @@ err:
1473 1543
1474 1544
1475 1545
1476static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap, 1546static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap)
1477 PQ_64BIT *seq_num)
1478 { 1547 {
1479#if PQ_64BIT_IS_INTEGER 1548 int cmp;
1480 PQ_64BIT mask = 0x0000000000000001L; 1549 unsigned int shift;
1481#endif 1550 const unsigned char *seq = s->s3->read_sequence;
1482 PQ_64BIT rcd_num, tmp;
1483
1484 pq_64bit_init(&rcd_num);
1485 pq_64bit_init(&tmp);
1486
1487 /* this is the sequence number for the record just read */
1488 pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8);
1489
1490
1491 if (pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) ||
1492 pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num)))
1493 {
1494 pq_64bit_assign(seq_num, &rcd_num);
1495 pq_64bit_free(&rcd_num);
1496 pq_64bit_free(&tmp);
1497 return 1; /* this record is new */
1498 }
1499
1500 pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num);
1501
1502 if ( pq_64bit_get_word(&tmp) > bitmap->length)
1503 {
1504 pq_64bit_free(&rcd_num);
1505 pq_64bit_free(&tmp);
1506 return 0; /* stale, outside the window */
1507 }
1508 1551
1509#if PQ_64BIT_IS_BIGNUM 1552 cmp = satsub64be(seq,bitmap->max_seq_num);
1510 { 1553 if (cmp > 0)
1511 int offset;
1512 pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num);
1513 pq_64bit_sub_word(&tmp, 1);
1514 offset = pq_64bit_get_word(&tmp);
1515 if ( pq_64bit_is_bit_set(&(bitmap->map), offset))
1516 { 1554 {
1517 pq_64bit_free(&rcd_num); 1555 memcpy (s->s3->rrec.seq_num,seq,8);
1518 pq_64bit_free(&tmp); 1556 return 1; /* this record in new */
1519 return 0;
1520 } 1557 }
1521 } 1558 shift = -cmp;
1522#else 1559 if (shift >= sizeof(bitmap->map)*8)
1523 mask <<= (bitmap->max_seq_num - rcd_num - 1); 1560 return 0; /* stale, outside the window */
1524 if (bitmap->map & mask) 1561 else if (bitmap->map & (1UL<<shift))
1525 return 0; /* record previously received */ 1562 return 0; /* record previously received */
1526#endif 1563
1527 1564 memcpy (s->s3->rrec.seq_num,seq,8);
1528 pq_64bit_assign(seq_num, &rcd_num);
1529 pq_64bit_free(&rcd_num);
1530 pq_64bit_free(&tmp);
1531 return 1; 1565 return 1;
1532 } 1566 }
1533 1567
1534 1568
1535static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap) 1569static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap)
1536 { 1570 {
1571 int cmp;
1537 unsigned int shift; 1572 unsigned int shift;
1538 PQ_64BIT rcd_num; 1573 const unsigned char *seq = s->s3->read_sequence;
1539 PQ_64BIT tmp;
1540 PQ_64BIT_CTX *ctx;
1541 1574
1542 pq_64bit_init(&rcd_num); 1575 cmp = satsub64be(seq,bitmap->max_seq_num);
1543 pq_64bit_init(&tmp); 1576 if (cmp > 0)
1544
1545 pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8);
1546
1547 /* unfortunate code complexity due to 64-bit manipulation support
1548 * on 32-bit machines */
1549 if ( pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) ||
1550 pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num)))
1551 { 1577 {
1552 pq_64bit_sub(&tmp, &rcd_num, &(bitmap->max_seq_num)); 1578 shift = cmp;
1553 pq_64bit_add_word(&tmp, 1); 1579 if (shift < sizeof(bitmap->map)*8)
1554 1580 bitmap->map <<= shift, bitmap->map |= 1UL;
1555 shift = (unsigned int)pq_64bit_get_word(&tmp); 1581 else
1556 1582 bitmap->map = 1UL;
1557 pq_64bit_lshift(&(tmp), &(bitmap->map), shift); 1583 memcpy(bitmap->max_seq_num,seq,8);
1558 pq_64bit_assign(&(bitmap->map), &tmp);
1559
1560 pq_64bit_set_bit(&(bitmap->map), 0);
1561 pq_64bit_add_word(&rcd_num, 1);
1562 pq_64bit_assign(&(bitmap->max_seq_num), &rcd_num);
1563
1564 pq_64bit_assign_word(&tmp, 1);
1565 pq_64bit_lshift(&tmp, &tmp, bitmap->length);
1566 ctx = pq_64bit_ctx_new(&ctx);
1567 pq_64bit_mod(&(bitmap->map), &(bitmap->map), &tmp, ctx);
1568 pq_64bit_ctx_free(ctx);
1569 } 1584 }
1570 else 1585 else {
1571 { 1586 shift = -cmp;
1572 pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num); 1587 if (shift < sizeof(bitmap->map)*8)
1573 pq_64bit_sub_word(&tmp, 1); 1588 bitmap->map |= 1UL<<shift;
1574 shift = (unsigned int)pq_64bit_get_word(&tmp);
1575
1576 pq_64bit_set_bit(&(bitmap->map), shift);
1577 } 1589 }
1578
1579 pq_64bit_free(&rcd_num);
1580 pq_64bit_free(&tmp);
1581 } 1590 }
1582 1591
1583 1592
@@ -1624,7 +1633,7 @@ int dtls1_dispatch_alert(SSL *s)
1624#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE 1633#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
1625 || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE 1634 || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
1626#endif 1635#endif
1627 ) 1636 )
1628 (void)BIO_flush(s->wbio); 1637 (void)BIO_flush(s->wbio);
1629 1638
1630 if (s->msg_callback) 1639 if (s->msg_callback)
@@ -1743,47 +1752,19 @@ dtls1_reset_seq_numbers(SSL *s, int rw)
1743 { 1752 {
1744 seq = s->s3->read_sequence; 1753 seq = s->s3->read_sequence;
1745 s->d1->r_epoch++; 1754 s->d1->r_epoch++;
1746 1755 memcpy(&(s->d1->bitmap), &(s->d1->next_bitmap), sizeof(DTLS1_BITMAP));
1747 pq_64bit_assign(&(s->d1->bitmap.map), &(s->d1->next_bitmap.map));
1748 s->d1->bitmap.length = s->d1->next_bitmap.length;
1749 pq_64bit_assign(&(s->d1->bitmap.max_seq_num),
1750 &(s->d1->next_bitmap.max_seq_num));
1751
1752 pq_64bit_free(&(s->d1->next_bitmap.map));
1753 pq_64bit_free(&(s->d1->next_bitmap.max_seq_num));
1754 memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP)); 1756 memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP));
1755 pq_64bit_init(&(s->d1->next_bitmap.map));
1756 pq_64bit_init(&(s->d1->next_bitmap.max_seq_num));
1757 } 1757 }
1758 else 1758 else
1759 { 1759 {
1760 seq = s->s3->write_sequence; 1760 seq = s->s3->write_sequence;
1761 memcpy(s->d1->last_write_sequence, seq, sizeof(s->s3->write_sequence));
1761 s->d1->w_epoch++; 1762 s->d1->w_epoch++;
1762 } 1763 }
1763 1764
1764 memset(seq, 0x00, seq_bytes); 1765 memset(seq, 0x00, seq_bytes);
1765 } 1766 }
1766 1767
1767#if PQ_64BIT_IS_INTEGER
1768static PQ_64BIT
1769bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num)
1770 {
1771 PQ_64BIT _num;
1772
1773 _num = (((PQ_64BIT)bytes[0]) << 56) |
1774 (((PQ_64BIT)bytes[1]) << 48) |
1775 (((PQ_64BIT)bytes[2]) << 40) |
1776 (((PQ_64BIT)bytes[3]) << 32) |
1777 (((PQ_64BIT)bytes[4]) << 24) |
1778 (((PQ_64BIT)bytes[5]) << 16) |
1779 (((PQ_64BIT)bytes[6]) << 8) |
1780 (((PQ_64BIT)bytes[7]) );
1781
1782 *num = _num ;
1783 return _num;
1784 }
1785#endif
1786
1787 1768
1788static void 1769static void
1789dtls1_clear_timeouts(SSL *s) 1770dtls1_clear_timeouts(SSL *s)
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-26 14:28:44 +0000