| blob | b3104d21e7dcc5770325372eb342a17e60e4afee |
1 /* $OpenBSD: d1_pkt.c,v 1.64 2018/08/24 19:35:05 jsing Exp $ */
2 /*
3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
5 */
6 /* ====================================================================
7 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
19 * distribution.
20 *
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
25 *
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * openssl-core@openssl.org.
30 *
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
34 *
35 * 6. Redistributions of any form whatsoever must retain the following
36 * acknowledgment:
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
53 *
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
57 *
58 */
59 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
60 * All rights reserved.
61 *
62 * This package is an SSL implementation written
63 * by Eric Young (eay@cryptsoft.com).
64 * The implementation was written so as to conform with Netscapes SSL.
65 *
66 * This library is free for commercial and non-commercial use as long as
67 * the following conditions are aheared to. The following conditions
68 * apply to all code found in this distribution, be it the RC4, RSA,
69 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
70 * included with this distribution is covered by the same copyright terms
71 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
72 *
73 * Copyright remains Eric Young's, and as such any Copyright notices in
74 * the code are not to be removed.
75 * If this package is used in a product, Eric Young should be given attribution
76 * as the author of the parts of the library used.
77 * This can be in the form of a textual message at program startup or
78 * in documentation (online or textual) provided with the package.
79 *
80 * Redistribution and use in source and binary forms, with or without
81 * modification, are permitted provided that the following conditions
82 * are met:
83 * 1. Redistributions of source code must retain the copyright
84 * notice, this list of conditions and the following disclaimer.
85 * 2. Redistributions in binary form must reproduce the above copyright
86 * notice, this list of conditions and the following disclaimer in the
87 * documentation and/or other materials provided with the distribution.
88 * 3. All advertising materials mentioning features or use of this software
89 * must display the following acknowledgement:
90 * "This product includes cryptographic software written by
91 * Eric Young (eay@cryptsoft.com)"
92 * The word 'cryptographic' can be left out if the rouines from the library
93 * being used are not cryptographic related :-).
94 * 4. If you include any Windows specific code (or a derivative thereof) from
95 * the apps directory (application code) you must include an acknowledgement:
96 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
97 *
98 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
99 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
100 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
101 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
102 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
103 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
104 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
105 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
106 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
107 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
108 * SUCH DAMAGE.
109 *
110 * The licence and distribution terms for any publically available version or
111 * derivative of this code cannot be changed. i.e. this code cannot simply be
112 * copied and put under another distribution licence
113 * [including the GNU Public Licence.]
114 */
116 #include <machine/endian.h>
118 #include <errno.h>
119 #include <stdio.h>
123 #include <openssl/buffer.h>
124 #include <openssl/evp.h>
133 /* mod 128 saturating subtract of two 64-bit values in big-endian order */
134 static int
136 {
145 /* not reached on little-endians */
146 /* following test is redundant, because input is
147 * always aligned, but I take no chances... */
157 else
169 }
175 }
176 }
181 else
183 }
195 /* copy buffered record into SSL structure */
196 static int
198 {
210 /* Set proper sequence number for mac calculation */
214 }
217 static int
219 {
223 /* Limit the size of the queue to prevent DOS attacks */
248 /* insert should not fail, since duplicates are dropped */
254 err:
257 init_err:
262 }
265 static int
267 {
278 }
281 }
284 /* retrieve a buffered record that belongs to the new epoch, i.e., not processed
285 * yet */
286 #define dtls1_get_unprocessed_record(s) \
287 dtls1_retrieve_buffered_record((s), \
288 &((D1I(s))->unprocessed_rcds))
290 /* retrieve a buffered record that belongs to the current epoch, ie, processed */
291 #define dtls1_get_processed_record(s) \
292 dtls1_retrieve_buffered_record((s), \
293 &((D1I(s))->processed_rcds))
295 static int
297 {
302 /* Check if epoch is current. */
305 /* Nothing to do. */
307 /* Process all the records. */
315 }
316 }
318 /* sync epoch numbers once all the unprocessed records
319 * have been processed */
324 }
326 static int
328 {
339 /* At this point, s->internal->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
340 * and we have that many bytes in s->internal->packet
341 */
344 /* ok, we can now read from 's->internal->packet' data into 'rr'
345 * rr->input points at rr->length bytes, which
346 * need to be copied into rr->data by either
347 * the decryption or by the decompression
348 * When the data is 'copied' into the rr->data buffer,
349 * rr->input will be pointed at the new buffer */
351 /* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
352 * rr->length bytes of encrypted compressed stuff. */
354 /* check is not needed I believe */
359 }
361 /* decrypt in place in 'rr->input' */
365 /* enc_err is:
366 * 0: (in non-constant time) if the record is publically invalid.
367 * 1: if the padding is valid
368 * -1: if the padding is invalid */
370 /* For DTLS we simply ignore bad packets. */
374 }
377 /* r->length is now the compressed data plus mac */
380 /* s->read_hash != NULL => mac_size != -1 */
386 /* kludge: *_cbc_remove_padding passes padding length in rr->type */
389 /* orig_len is the length of the record before any padding was
390 * removed. This is public information, as is the MAC in use,
391 * therefore we can safely process the record in a different
392 * amount of time if it's too short to possibly contain a MAC.
393 */
395 /* CBC records must have a padding length byte too. */
401 }
404 /* We update the length so that the TLS header bytes
405 * can be constructed correctly but we need to extract
406 * the MAC in constant time from within the record,
407 * without leaking the contents of the padding bytes.
408 * */
413 /* In this case there's no padding, so |orig_len|
414 * equals |rec->length| and we checked that there's
415 * enough bytes for |mac_size| above. */
418 }
425 }
428 /* decryption failed, silently discard message */
432 }
438 }
441 /* So at this point the following is true
442 * ssl->s3->internal->rrec.type is the type of record
443 * ssl->s3->internal->rrec.length == number of bytes in record
444 * ssl->s3->internal->rrec.off == offset to first valid byte
445 * ssl->s3->internal->rrec.data == where to take bytes from, increment
446 * after use :-).
447 */
449 /* we have pulled in a full packet so zero things */
453 f_err:
455 err:
457 }
460 /* Call this to get a new input record.
461 * It will return <= 0 if more data is needed, normally due to an error
462 * or non-blocking IO.
463 * When it finishes, one packet has been decoded and can be found in
464 * ssl->s3->internal->rrec.type - is the type of record
465 * ssl->s3->internal->rrec.data, - data
466 * ssl->s3->internal->rrec.length, - number of bytes
467 */
468 /* used only by dtls1_read_bytes */
469 int
471 {
480 /* The epoch may have changed. If so, process all the
481 * pending records. This is a non-blocking operation. */
485 /* if we're renegotiating, then there may be buffered records */
489 /* get something from the wire */
491 again:
492 /* dump this record on all retries */
495 }
497 /* check if we have the header */
508 /* If this packet contained a partial record, dump it. */
516 /* Pull apart the header into the DTLS1_RECORD */
522 /* sequence number is 64 bits, with top 2 bytes = epoch */
537 /* unexpected version, silently discard */
541 /* wrong version, silently discard record */
545 /* record too long, silently discard it */
549 /* now s->internal->rstate == SSL_ST_READ_BODY */
551 }
553 /* s->internal->rstate == SSL_ST_READ_BODY, get and decode the data */
559 /* If this packet contained a partial record, dump it. */
565 /* match epochs. NULL means the packet is dropped on the floor */
570 /*
571 * Check whether this is a repeat, or aged record.
572 * Don't check if we're listening and this message is
573 * a ClientHello. They can look as if they're replayed,
574 * since they arrive from different connections and
575 * would be dropped unnecessarily.
576 */
582 /* just read a 0 length packet */
586 /* If this record is from the next epoch (either HM or ALERT),
587 * and a handshake is currently in progress, buffer it since it
588 * cannot be processed at this time. However, do not buffer
589 * anything while listening.
590 */
596 /* Mark receipt of record. */
598 }
600 }
605 /* Mark receipt of record. */
609 }
611 /* Return up to 'len' payload bytes received in 'type' records.
612 * 'type' is one of the following:
613 *
614 * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
615 * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
616 * - 0 (during a shutdown, no data has to be returned)
617 *
618 * If we don't have stored data to work from, read a SSL/TLS record first
619 * (possibly multiple records if we still don't have anything to return).
620 *
621 * This function must handle any surprises the peer may have for us, such as
622 * Alert records (e.g. close_notify), ChangeCipherSpec records (not really
623 * a surprise, but handled as if it were), or renegotiation requests.
624 * Also if record payloads contain fragments too small to process, we store
625 * them until there is enough for the respective protocol (the record protocol
626 * may use arbitrary fragmentation and even interleaving):
627 * Change cipher spec protocol
628 * just 1 byte needed, no need for keeping anything stored
629 * Alert protocol
630 * 2 bytes needed (AlertLevel, AlertDescription)
631 * Handshake protocol
632 * 4 bytes needed (HandshakeType, uint24 length) -- we just have
633 * to detect unexpected Client Hello and Hello Request messages
634 * here, anything else is handled by higher layers
635 * Application data protocol
636 * none of our business
637 */
638 int
640 {
655 }
657 /* check whether there's a handshake message (client hello?) waiting */
661 /* Now D1I(s)->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
664 {
665 /* type == SSL3_RT_APPLICATION_DATA */
672 }
673 }
675 start:
678 /* S3I(s)->rrec.type - is the type of record
679 * S3I(s)->rrec.data, - data
680 * S3I(s)->rrec.off, - offset into 'data' for next read
681 * S3I(s)->rrec.length, - number of bytes. */
684 /* We are not handshaking and have no data yet,
685 * so process data buffered during the last handshake
686 * in advance, if any.
687 */
697 }
698 }
700 /* Check for timeout */
704 /* get new packet if necessary */
709 /* anything other than a timeout is an error */
712 else
714 }
715 }
720 }
722 /* we now have a packet which can be read and processed */
725 * reset by ssl3_get_finished */
727 /* We now have application data between CCS and Finished.
728 * Most likely the packets were reordered on their way, so
729 * buffer the application data for later processing rather
730 * than dropping the connection.
731 */
736 }
739 }
741 /* If the other end has shut down, throw anything we read away
742 * (even in 'peek' mode) */
747 }
751 {
752 /* make sure that we are not getting application data when we
753 * are doing a handshake for the first time */
759 }
766 else
776 }
777 }
780 }
783 /* If we get here, then type != rr->type; if we have a handshake
784 * message, then it was unexpected (Hello Request or Client Hello). */
786 /* In case of record types for which we have 'fragment' storage,
787 * fill that so that we can process the data at a fixed place.
788 */
789 {
802 }
803 /* else it's a CCS message, or application data or wrong */
805 /* Application data while renegotiating
806 * is allowed. Try again reading.
807 */
816 }
818 /* Not certain if this is the right error handling */
822 }
825 /* XDTLS: In a pathalogical case, the Client Hello
826 * may be fragmented--don't always expect dest_maxlen bytes */
831 }
833 /* now move 'n' bytes: */
837 }
839 }
840 }
842 /* D1I(s)->handshake_fragment_len == 12 iff rr->type == SSL3_RT_HANDSHAKE;
843 * D1I(s)->alert_fragment_len == 7 iff rr->type == SSL3_RT_ALERT.
844 * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */
846 /* If we are a client, check for an incoming 'Hello Request': */
859 }
861 /* no need to check sequence number on HELLO REQUEST messages */
880 }
884 {
886 /* In the case where we try to read application data,
887 * but we trigger an SSL handshake, we return -1 with
888 * the retry option set. Otherwise renegotiation may
889 * cause nasty problems in the blocking world */
895 }
896 }
897 }
898 }
899 /* we either finished a handshake or ignored the request,
900 * now try again to obtain the (application) data we were asked for */
902 }
922 }
925 {
930 }
932 {
937 alert_descr);
945 }
948 }
951 {
955 }
963 /* 'Change Cipher Spec' is just a single byte, so we know
964 * exactly what the record payload has to look like */
965 /* XDTLS: check that epoch is consistent */
971 }
979 /* We can't process a CCS now, because previous handshake
980 * messages are still missing, so just drop it.
981 */
984 }
992 /* do this whenever CCS is processed */
996 }
998 /* Unexpected handshake message (Client Hello, or protocol violation) */
1003 /* this may just be a stale retransmit */
1009 }
1011 /* If we are server, we may have a repeated FINISHED of the
1012 * client here, then retransmit our CCS and FINISHED.
1013 */
1021 }
1028 }
1035 }
1039 {
1041 /* In the case where we try to read application data,
1042 * but we trigger an SSL handshake, we return -1 with
1043 * the retry option set. Otherwise renegotiation may
1044 * cause nasty problems in the blocking world */
1050 }
1051 }
1053 }
1057 /* TLS just ignores unknown message types */
1061 }
1068 /* we already handled all of these, with the possible exception
1069 * of SSL3_RT_HANDSHAKE when s->internal->in_handshake is set, but that
1070 * should not happen when type != rr->type */
1075 /* At this point, we were expecting handshake data,
1076 * but have application data. If the library was
1077 * running inside ssl3_read() (i.e. in_read_app_data
1078 * is set) and it makes sense to read application data
1079 * at this point (session renegotiation not yet started),
1080 * we will indulge it.
1081 */
1096 }
1097 }
1098 /* not reached */
1100 f_err:
1102 err:
1104 }
1106 int
1108 {
1112 {
1119 }
1120 }
1125 }
1129 }
1132 /* this only happens when a client hello is received and a handshake
1133 * is started. */
1134 static int
1137 {
1140 /* (partially) satisfy request from storage */
1141 {
1146 /* peek == 0 */
1150 len--;
1152 n++;
1153 }
1154 /* move any remaining fragment bytes: */
1158 }
1161 }
1164 /* Call this to write data in records of type 'type'
1165 * It will return <= 0 if not all data has been sent or non-blocking IO.
1166 */
1167 int
1169 {
1176 }
1178 int
1180 {
1189 /* first check if there is a SSL3_BUFFER still being written
1190 * out. This will happen with non blocking IO */
1194 }
1196 /* If we have an alert to send, lets send it */
1201 /* if it went, fall through and send more stuff */
1202 }
1221 }
1223 /* DTLS implements explicit IV, so no need for empty fragments. */
1227 /* write the header */
1235 /* field where we are to write out packet epoch, seq num and len */
1240 /* lets setup the record stuff. */
1242 /* Make space for the explicit IV in case of CBC.
1243 * (this is a bit of a boundary violation, but what the heck).
1244 */
1248 else
1252 /* make room for IV in case of CBC */
1256 /* we now 'read' from wr->input, wr->length bytes into
1257 * wr->data */
1262 /* we should still have the output to wr->data and the input
1263 * from wr->input. Length should be wr->length.
1264 * wr->data still points in the wb->buf */
1270 }
1272 /* this is true regardless of mac size */
1277 /* ssl3_enc can only have an error on read */
1279 {
1281 /* master IV and last CBC residue stand for
1282 * the rest of randomness */
1284 }
1288 /* record length after mac and block padding */
1289 /* if (type == SSL3_RT_APPLICATION_DATA ||
1290 (type == SSL3_RT_ALERT && ! SSL_in_init(s))) */
1292 /* there's only one epoch between handshake and app data */
1296 /* XDTLS: ?? */
1297 /* else
1298 s2n(D1I(s)->handshake_epoch, pseq);
1299 */
1305 /* we should now have
1306 * wr->data pointing to the encrypted data, which is
1307 * wr->length long */
1313 /* now let's set up wb */
1317 /* memorize arguments so that ssl3_write_pending can detect bad write retries later */
1323 /* we now just need to write the buffer */
1325 err:
1327 }
1331 static int
1333 {
1342 }
1351 }
1354 static void
1356 {
1366 else
1373 }
1374 }
1377 int
1379 {
1394 /* fprintf( stderr, "not done with alert\n" ); */
1411 }
1412 }
1414 }
1419 {
1423 /* In current epoch, accept HM, CCS, DATA, & ALERT */
1427 /* Only HM and ALERT messages can be from the next epoch */
1432 }
1435 }
1437 void
1439 {
1452 }
1455 }