OLD | NEW |
1 /* ssl/d1_pkt.c */ | 1 /* ssl/d1_pkt.c */ |
2 /* | 2 /* |
3 * DTLS implementation written by Nagendra Modadugu | 3 * DTLS implementation written by Nagendra Modadugu |
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. | 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. |
5 */ | 5 */ |
6 /* ==================================================================== | 6 /* ==================================================================== |
7 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. | 7 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. |
8 * | 8 * |
9 * Redistribution and use in source and binary forms, with or without | 9 * Redistribution and use in source and binary forms, with or without |
10 * modification, are permitted provided that the following conditions | 10 * modification, are permitted provided that the following conditions |
(...skipping 104 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
115 | 115 |
116 #include <stdio.h> | 116 #include <stdio.h> |
117 #include <errno.h> | 117 #include <errno.h> |
118 #define USE_SOCKETS | 118 #define USE_SOCKETS |
119 #include "ssl_locl.h" | 119 #include "ssl_locl.h" |
120 #include <openssl/evp.h> | 120 #include <openssl/evp.h> |
121 #include <openssl/buffer.h> | 121 #include <openssl/buffer.h> |
122 #include <openssl/pqueue.h> | 122 #include <openssl/pqueue.h> |
123 #include <openssl/rand.h> | 123 #include <openssl/rand.h> |
124 | 124 |
| 125 /* mod 128 saturating subtract of two 64-bit values in big-endian order */ |
| 126 static int satsub64be(const unsigned char *v1,const unsigned char *v2) |
| 127 { int ret,sat,brw,i; |
| 128 |
| 129 if (sizeof(long) == 8) do |
| 130 { const union { long one; char little; } is_endian = {1}; |
| 131 long l; |
| 132 |
| 133 if (is_endian.little) break; |
| 134 /* not reached on little-endians */ |
| 135 /* following test is redundant, because input is |
| 136 * always aligned, but I take no chances... */ |
| 137 if (((size_t)v1|(size_t)v2)&0x7) break; |
| 138 |
| 139 l = *((long *)v1); |
| 140 l -= *((long *)v2); |
| 141 if (l>128) return 128; |
| 142 else if (l<-128) return -128; |
| 143 else return (int)l; |
| 144 } while (0); |
| 145 |
| 146 ret = (int)v1[7]-(int)v2[7]; |
| 147 sat = 0; |
| 148 brw = ret>>8; /* brw is either 0 or -1 */ |
| 149 if (ret & 0x80) |
| 150 { for (i=6;i>=0;i--) |
| 151 { brw += (int)v1[i]-(int)v2[i]; |
| 152 sat |= ~brw; |
| 153 brw >>= 8; |
| 154 } |
| 155 } |
| 156 else |
| 157 { for (i=6;i>=0;i--) |
| 158 { brw += (int)v1[i]-(int)v2[i]; |
| 159 sat |= brw; |
| 160 brw >>= 8; |
| 161 } |
| 162 } |
| 163 brw <<= 8; /* brw is either 0 or -256 */ |
| 164 |
| 165 if (sat&0xff) return brw | 0x80; |
| 166 else return brw + (ret&0xFF); |
| 167 } |
| 168 |
125 static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, | 169 static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, |
126 int len, int peek); | 170 int len, int peek); |
127 static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap, | 171 static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap); |
128 » PQ_64BIT *seq_num); | |
129 static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap); | 172 static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap); |
130 static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, | 173 static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, |
131 unsigned int *is_next_epoch); | 174 unsigned int *is_next_epoch); |
132 #if 0 | 175 #if 0 |
133 static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr, | 176 static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr, |
134 unsigned short *priority, unsigned long *offset); | 177 unsigned short *priority, unsigned long *offset); |
135 #endif | 178 #endif |
136 static int dtls1_buffer_record(SSL *s, record_pqueue *q, | 179 static int dtls1_buffer_record(SSL *s, record_pqueue *q, |
137 » PQ_64BIT *priority); | 180 » unsigned char *priority); |
138 static int dtls1_process_record(SSL *s); | 181 static int dtls1_process_record(SSL *s); |
139 #if PQ_64BIT_IS_INTEGER | |
140 static PQ_64BIT bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num); | |
141 #endif | |
142 static void dtls1_clear_timeouts(SSL *s); | 182 static void dtls1_clear_timeouts(SSL *s); |
143 | 183 |
144 /* copy buffered record into SSL structure */ | 184 /* copy buffered record into SSL structure */ |
145 static int | 185 static int |
146 dtls1_copy_record(SSL *s, pitem *item) | 186 dtls1_copy_record(SSL *s, pitem *item) |
147 { | 187 { |
148 DTLS1_RECORD_DATA *rdata; | 188 DTLS1_RECORD_DATA *rdata; |
149 | 189 |
150 rdata = (DTLS1_RECORD_DATA *)item->data; | 190 rdata = (DTLS1_RECORD_DATA *)item->data; |
151 | 191 |
152 if (s->s3->rbuf.buf != NULL) | 192 if (s->s3->rbuf.buf != NULL) |
153 OPENSSL_free(s->s3->rbuf.buf); | 193 OPENSSL_free(s->s3->rbuf.buf); |
154 | 194 |
155 s->packet = rdata->packet; | 195 s->packet = rdata->packet; |
156 s->packet_length = rdata->packet_length; | 196 s->packet_length = rdata->packet_length; |
157 memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER)); | 197 memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER)); |
158 memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD)); | 198 memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD)); |
159 | 199 |
160 /* Set proper sequence number for mac calculation */ | 200 /* Set proper sequence number for mac calculation */ |
161 memcpy(&(s->s3->read_sequence[2]), &(rdata->packet[5]), 6); | 201 memcpy(&(s->s3->read_sequence[2]), &(rdata->packet[5]), 6); |
162 | 202 |
163 return(1); | 203 return(1); |
164 } | 204 } |
165 | 205 |
166 | 206 |
167 static int | 207 static int |
168 dtls1_buffer_record(SSL *s, record_pqueue *queue, PQ_64BIT *priority) | 208 dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) |
169 { | 209 » { |
170 DTLS1_RECORD_DATA *rdata; | 210 » DTLS1_RECORD_DATA *rdata; |
171 pitem *item; | 211 pitem *item; |
172 | 212 |
173 /* Limit the size of the queue to prevent DOS attacks */ | 213 /* Limit the size of the queue to prevent DOS attacks */ |
174 if (pqueue_size(queue->q) >= 100) | 214 if (pqueue_size(queue->q) >= 100) |
175 return 0; | 215 return 0; |
176 | 216 |
177 rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); | 217 rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); |
178 » item = pitem_new(*priority, rdata); | 218 » item = pitem_new(priority, rdata); |
179 if (rdata == NULL || item == NULL) | 219 if (rdata == NULL || item == NULL) |
180 { | 220 { |
181 if (rdata != NULL) OPENSSL_free(rdata); | 221 if (rdata != NULL) OPENSSL_free(rdata); |
182 if (item != NULL) pitem_free(item); | 222 if (item != NULL) pitem_free(item); |
183 | 223 |
184 SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); | 224 SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); |
185 return(0); | 225 return(0); |
186 } | 226 } |
187 | 227 |
188 rdata->packet = s->packet; | 228 rdata->packet = s->packet; |
(...skipping 18 matching lines...) Expand all Loading... |
207 | 247 |
208 if (!ssl3_setup_buffers(s)) | 248 if (!ssl3_setup_buffers(s)) |
209 { | 249 { |
210 SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); | 250 SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); |
211 OPENSSL_free(rdata); | 251 OPENSSL_free(rdata); |
212 pitem_free(item); | 252 pitem_free(item); |
213 return(0); | 253 return(0); |
214 } | 254 } |
215 | 255 |
216 return(1); | 256 return(1); |
217 } | 257 » } |
218 | 258 |
219 | 259 |
220 static int | 260 static int |
221 dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) | 261 dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) |
222 { | 262 { |
223 pitem *item; | 263 pitem *item; |
224 | 264 |
225 item = pqueue_pop(queue->q); | 265 item = pqueue_pop(queue->q); |
226 if (item) | 266 if (item) |
227 { | 267 { |
(...skipping 21 matching lines...) Expand all Loading... |
249 &((s)->d1->processed_rcds)) | 289 &((s)->d1->processed_rcds)) |
250 | 290 |
251 static int | 291 static int |
252 dtls1_process_buffered_records(SSL *s) | 292 dtls1_process_buffered_records(SSL *s) |
253 { | 293 { |
254 pitem *item; | 294 pitem *item; |
255 | 295 |
256 item = pqueue_peek(s->d1->unprocessed_rcds.q); | 296 item = pqueue_peek(s->d1->unprocessed_rcds.q); |
257 if (item) | 297 if (item) |
258 { | 298 { |
259 DTLS1_RECORD_DATA *rdata; | |
260 rdata = (DTLS1_RECORD_DATA *)item->data; | |
261 | |
262 /* Check if epoch is current. */ | 299 /* Check if epoch is current. */ |
263 if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch) | 300 if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch) |
264 return(1); /* Nothing to do. */ | 301 return(1); /* Nothing to do. */ |
265 | 302 |
266 /* Process all the records. */ | 303 /* Process all the records. */ |
267 while (pqueue_peek(s->d1->unprocessed_rcds.q)) | 304 while (pqueue_peek(s->d1->unprocessed_rcds.q)) |
268 { | 305 { |
269 dtls1_get_unprocessed_record(s); | 306 dtls1_get_unprocessed_record(s); |
270 if ( ! dtls1_process_record(s)) | 307 if ( ! dtls1_process_record(s)) |
271 return(0); | 308 return(0); |
272 dtls1_buffer_record(s, &(s->d1->processed_rcds), | 309 dtls1_buffer_record(s, &(s->d1->processed_rcds), |
273 &s->s3->rrec.seq_num); | 310 s->s3->rrec.seq_num); |
274 } | 311 } |
275 } | 312 } |
276 | 313 |
277 /* sync epoch numbers once all the unprocessed records | 314 /* sync epoch numbers once all the unprocessed records |
278 * have been processed */ | 315 * have been processed */ |
279 s->d1->processed_rcds.epoch = s->d1->r_epoch; | 316 s->d1->processed_rcds.epoch = s->d1->r_epoch; |
280 s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1; | 317 s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1; |
281 | 318 |
282 return(1); | 319 return(1); |
283 } | 320 } |
(...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
324 } | 361 } |
325 | 362 |
326 return 0; | 363 return 0; |
327 } | 364 } |
328 | 365 |
329 #endif | 366 #endif |
330 | 367 |
331 static int | 368 static int |
332 dtls1_process_record(SSL *s) | 369 dtls1_process_record(SSL *s) |
333 { | 370 { |
334 int i,al; | 371 » int i,al; |
335 int clear=0; | 372 int clear=0; |
336 int enc_err; | 373 » int enc_err; |
337 SSL_SESSION *sess; | 374 SSL_SESSION *sess; |
338 SSL3_RECORD *rr; | 375 » SSL3_RECORD *rr; |
339 unsigned int mac_size; | 376 unsigned int mac_size; |
340 unsigned char md[EVP_MAX_MD_SIZE]; | 377 unsigned char md[EVP_MAX_MD_SIZE]; |
| 378 int decryption_failed_or_bad_record_mac = 0; |
341 | 379 |
342 | 380 |
343 rr= &(s->s3->rrec); | 381 rr= &(s->s3->rrec); |
344 sess = s->session; | 382 » sess = s->session; |
345 | 383 |
346 /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, | 384 /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, |
347 * and we have that many bytes in s->packet | 385 * and we have that many bytes in s->packet |
348 */ | 386 */ |
349 rr->input= &(s->packet[DTLS1_RT_HEADER_LENGTH]); | 387 rr->input= &(s->packet[DTLS1_RT_HEADER_LENGTH]); |
350 | 388 |
351 /* ok, we can now read from 's->packet' data into 'rr' | 389 /* ok, we can now read from 's->packet' data into 'rr' |
352 * rr->input points at rr->length bytes, which | 390 * rr->input points at rr->length bytes, which |
353 * need to be copied into rr->data by either | 391 * need to be copied into rr->data by either |
354 * the decryption or by the decompression | 392 * the decryption or by the decompression |
(...skipping 10 matching lines...) Expand all Loading... |
365 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LON
G); | 403 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LON
G); |
366 goto f_err; | 404 goto f_err; |
367 } | 405 } |
368 | 406 |
369 /* decrypt in place in 'rr->input' */ | 407 /* decrypt in place in 'rr->input' */ |
370 rr->data=rr->input; | 408 rr->data=rr->input; |
371 | 409 |
372 enc_err = s->method->ssl3_enc->enc(s,0); | 410 enc_err = s->method->ssl3_enc->enc(s,0); |
373 if (enc_err <= 0) | 411 if (enc_err <= 0) |
374 { | 412 { |
375 » » if (enc_err == 0) | 413 » » /* To minimize information leaked via timing, we will always |
376 » » » /* SSLerr() and ssl3_send_alert() have been called */ | 414 » » * perform all computations before discarding the message. |
377 » » » goto err; | 415 » » */ |
378 | 416 » » decryption_failed_or_bad_record_mac = 1; |
379 » » /* otherwise enc_err == -1 */ | |
380 » » goto err; | |
381 } | 417 } |
382 | 418 |
383 #ifdef TLS_DEBUG | 419 #ifdef TLS_DEBUG |
384 printf("dec %d\n",rr->length); | 420 printf("dec %d\n",rr->length); |
385 { unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1
)%16)?' ':'\n'); } | 421 { unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1
)%16)?' ':'\n'); } |
386 printf("\n"); | 422 printf("\n"); |
387 #endif | 423 #endif |
388 | 424 |
389 /* r->length is now the compressed data plus mac */ | 425 /* r->length is now the compressed data plus mac */ |
390 if (» (sess == NULL) || | 426 » if (» (sess == NULL) || |
391 (s->enc_read_ctx == NULL) || | 427 (s->enc_read_ctx == NULL) || |
392 (s->read_hash == NULL)) | 428 (s->read_hash == NULL)) |
393 clear=1; | 429 » » clear=1; |
394 | 430 |
395 if (!clear) | 431 if (!clear) |
396 { | 432 { |
397 » » mac_size=EVP_MD_size(s->read_hash); | 433 » » /* !clear => s->read_hash != NULL => mac_size != -1 */ |
| 434 » » int t; |
| 435 » » t=EVP_MD_CTX_size(s->read_hash); |
| 436 » » OPENSSL_assert(t >= 0); |
| 437 » » mac_size=t; |
398 | 438 |
399 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size) | 439 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size) |
400 { | 440 { |
401 #if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext
anyway) */ | 441 #if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext
anyway) */ |
402 al=SSL_AD_RECORD_OVERFLOW; | 442 al=SSL_AD_RECORD_OVERFLOW; |
403 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_T
OO_LONG); | 443 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_T
OO_LONG); |
404 goto f_err; | 444 goto f_err; |
405 #else | 445 #else |
406 » » » goto err; | 446 » » » decryption_failed_or_bad_record_mac = 1; |
407 #endif | 447 #endif |
408 } | 448 } |
409 /* check the MAC for rr->input (it's in mac_size bytes at the ta
il) */ | 449 /* check the MAC for rr->input (it's in mac_size bytes at the ta
il) */ |
410 if (rr->length < mac_size) | 450 if (rr->length < mac_size) |
411 { | 451 { |
412 #if 0 /* OK only for stream ciphers */ | 452 #if 0 /* OK only for stream ciphers */ |
413 al=SSL_AD_DECODE_ERROR; | 453 al=SSL_AD_DECODE_ERROR; |
414 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT
); | 454 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT
); |
415 goto f_err; | 455 goto f_err; |
416 #else | 456 #else |
417 » » » goto err; | 457 » » » decryption_failed_or_bad_record_mac = 1; |
418 #endif | 458 #endif |
419 } | 459 } |
420 rr->length-=mac_size; | 460 rr->length-=mac_size; |
421 i=s->method->ssl3_enc->mac(s,md,0); | 461 i=s->method->ssl3_enc->mac(s,md,0); |
422 » » if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0) | 462 » » if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0) |
423 { | 463 { |
424 » » » goto err; | 464 » » » decryption_failed_or_bad_record_mac = 1; |
425 } | 465 } |
426 } | 466 } |
427 | 467 |
| 468 if (decryption_failed_or_bad_record_mac) |
| 469 { |
| 470 /* decryption failed, silently discard message */ |
| 471 rr->length = 0; |
| 472 s->packet_length = 0; |
| 473 goto err; |
| 474 } |
| 475 |
428 /* r->length is now just compressed */ | 476 /* r->length is now just compressed */ |
429 if (s->expand != NULL) | 477 if (s->expand != NULL) |
430 { | 478 { |
431 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) | 479 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) |
432 { | 480 { |
433 al=SSL_AD_RECORD_OVERFLOW; | 481 al=SSL_AD_RECORD_OVERFLOW; |
434 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_COMPRESSED_LENGT
H_TOO_LONG); | 482 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_COMPRESSED_LENGT
H_TOO_LONG); |
435 goto f_err; | 483 goto f_err; |
436 } | 484 } |
437 if (!ssl3_do_uncompress(s)) | 485 if (!ssl3_do_uncompress(s)) |
(...skipping 15 matching lines...) Expand all Loading... |
453 /* So at this point the following is true | 501 /* So at this point the following is true |
454 * ssl->s3->rrec.type is the type of record | 502 * ssl->s3->rrec.type is the type of record |
455 * ssl->s3->rrec.length == number of bytes in record | 503 * ssl->s3->rrec.length == number of bytes in record |
456 * ssl->s3->rrec.off == offset to first valid byte | 504 * ssl->s3->rrec.off == offset to first valid byte |
457 * ssl->s3->rrec.data == where to take bytes from, increment | 505 * ssl->s3->rrec.data == where to take bytes from, increment |
458 * after use :-). | 506 * after use :-). |
459 */ | 507 */ |
460 | 508 |
461 /* we have pulled in a full packet so zero things */ | 509 /* we have pulled in a full packet so zero things */ |
462 s->packet_length=0; | 510 s->packet_length=0; |
463 dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. *
/ | 511 » dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of recor
d. */ |
464 return(1); | 512 » return(1); |
465 | 513 |
466 f_err: | 514 f_err: |
467 ssl3_send_alert(s,SSL3_AL_FATAL,al); | 515 ssl3_send_alert(s,SSL3_AL_FATAL,al); |
468 err: | 516 err: |
469 return(0); | 517 return(0); |
470 } | 518 } |
471 | 519 |
472 | 520 |
473 /* Call this to get a new input record. | 521 /* Call this to get a new input record. |
474 * It will return <= 0 if more data is needed, normally due to an error | 522 * It will return <= 0 if more data is needed, normally due to an error |
475 * or non-blocking IO. | 523 * or non-blocking IO. |
476 * When it finishes, one packet has been decoded and can be found in | 524 * When it finishes, one packet has been decoded and can be found in |
477 * ssl->s3->rrec.type - is the type of record | 525 * ssl->s3->rrec.type - is the type of record |
478 * ssl->s3->rrec.data, - data | 526 * ssl->s3->rrec.data, - data |
479 * ssl->s3->rrec.length, - number of bytes | 527 * ssl->s3->rrec.length, - number of bytes |
480 */ | 528 */ |
481 /* used only by dtls1_read_bytes */ | 529 /* used only by dtls1_read_bytes */ |
482 int dtls1_get_record(SSL *s) | 530 int dtls1_get_record(SSL *s) |
483 { | 531 { |
484 int ssl_major,ssl_minor; | 532 int ssl_major,ssl_minor; |
485 int i,n; | 533 int i,n; |
486 SSL3_RECORD *rr; | 534 SSL3_RECORD *rr; |
487 SSL_SESSION *sess; | |
488 unsigned char *p = NULL; | 535 unsigned char *p = NULL; |
489 unsigned short version; | 536 unsigned short version; |
490 DTLS1_BITMAP *bitmap; | 537 DTLS1_BITMAP *bitmap; |
491 unsigned int is_next_epoch; | 538 unsigned int is_next_epoch; |
492 | 539 |
493 rr= &(s->s3->rrec); | 540 rr= &(s->s3->rrec); |
494 sess=s->session; | |
495 | 541 |
496 /* The epoch may have changed. If so, process all the | 542 » /* The epoch may have changed. If so, process all the |
497 * pending records. This is a non-blocking operation. */ | 543 » * pending records. This is a non-blocking operation. */ |
498 dtls1_process_buffered_records(s); | 544 » dtls1_process_buffered_records(s); |
499 | 545 |
500 /* if we're renegotiating, then there may be buffered records */ | 546 /* if we're renegotiating, then there may be buffered records */ |
501 if (dtls1_get_processed_record(s)) | 547 if (dtls1_get_processed_record(s)) |
502 return 1; | 548 return 1; |
503 | 549 |
504 /* get something from the wire */ | 550 /* get something from the wire */ |
505 again: | 551 again: |
506 /* check if we have the header */ | 552 /* check if we have the header */ |
507 if ( (s->rstate != SSL_ST_READ_BODY) || | 553 if ( (s->rstate != SSL_ST_READ_BODY) || |
508 (s->packet_length < DTLS1_RT_HEADER_LENGTH)) | 554 (s->packet_length < DTLS1_RT_HEADER_LENGTH)) |
(...skipping 23 matching lines...) Expand all Loading... |
532 n2s(p,rr->epoch); | 578 n2s(p,rr->epoch); |
533 | 579 |
534 memcpy(&(s->s3->read_sequence[2]), p, 6); | 580 memcpy(&(s->s3->read_sequence[2]), p, 6); |
535 p+=6; | 581 p+=6; |
536 | 582 |
537 n2s(p,rr->length); | 583 n2s(p,rr->length); |
538 | 584 |
539 /* Lets check version */ | 585 /* Lets check version */ |
540 if (!s->first_packet) | 586 if (!s->first_packet) |
541 { | 587 { |
542 » » » if (version != s->version && version != DTLS1_BAD_VER) | 588 » » » if (version != s->version) |
543 { | 589 { |
544 /* unexpected version, silently discard */ | 590 /* unexpected version, silently discard */ |
545 rr->length = 0; | 591 rr->length = 0; |
546 s->packet_length = 0; | 592 s->packet_length = 0; |
547 goto again; | 593 goto again; |
548 } | 594 } |
549 } | 595 } |
550 | 596 |
551 » » if ((version & 0xff00) != (DTLS1_VERSION & 0xff00) && | 597 » » if ((version & 0xff00) != (s->version & 0xff00)) |
552 » » (version & 0xff00) != (DTLS1_BAD_VER & 0xff00)) | |
553 { | 598 { |
554 /* wrong version, silently discard record */ | 599 /* wrong version, silently discard record */ |
555 rr->length = 0; | 600 rr->length = 0; |
556 s->packet_length = 0; | 601 s->packet_length = 0; |
557 goto again; | 602 goto again; |
558 } | 603 } |
559 | 604 |
560 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) | 605 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) |
561 { | 606 { |
562 /* record too long, silently discard it */ | 607 /* record too long, silently discard it */ |
563 rr->length = 0; | 608 rr->length = 0; |
564 s->packet_length = 0; | 609 s->packet_length = 0; |
565 goto again; | 610 goto again; |
566 } | 611 } |
567 | 612 |
568 » » s->client_version = version; | 613 » » /* If we receive a valid record larger than the current buffer s
ize, |
| 614 » » * allocate some memory for it. |
| 615 » » */ |
| 616 » » if (rr->length > s->s3->rbuf.len - DTLS1_RT_HEADER_LENGTH) |
| 617 » » » { |
| 618 » » » unsigned char *pp; |
| 619 » » » unsigned int newlen = rr->length + DTLS1_RT_HEADER_LENGT
H; |
| 620 » » » if ((pp=OPENSSL_realloc(s->s3->rbuf.buf, newlen))==NULL) |
| 621 » » » » { |
| 622 » » » » SSLerr(SSL_F_DTLS1_GET_RECORD,ERR_R_MALLOC_FAILU
RE); |
| 623 » » » » return(-1); |
| 624 » » » » } |
| 625 » » » p = pp + (p - s->s3->rbuf.buf); |
| 626 » » » s->s3->rbuf.buf=pp; |
| 627 » » » s->s3->rbuf.len=newlen; |
| 628 » » » s->packet= &(s->s3->rbuf.buf[0]); |
| 629 » » » } |
| 630 |
569 /* now s->rstate == SSL_ST_READ_BODY */ | 631 /* now s->rstate == SSL_ST_READ_BODY */ |
570 } | 632 } |
571 | 633 |
572 /* s->rstate == SSL_ST_READ_BODY, get and decode the data */ | 634 /* s->rstate == SSL_ST_READ_BODY, get and decode the data */ |
573 | 635 |
574 if (rr->length > s->packet_length-DTLS1_RT_HEADER_LENGTH) | 636 if (rr->length > s->packet_length-DTLS1_RT_HEADER_LENGTH) |
575 { | 637 { |
576 /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */ | 638 /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */ |
577 i=rr->length; | 639 i=rr->length; |
578 n=ssl3_read_n(s,i,i,1); | 640 n=ssl3_read_n(s,i,i,1); |
579 if (n <= 0) return(n); /* error or non-blocking io */ | 641 if (n <= 0) return(n); /* error or non-blocking io */ |
580 | 642 |
581 /* this packet contained a partial record, dump it */ | 643 /* this packet contained a partial record, dump it */ |
582 if ( n != i) | 644 if ( n != i) |
583 { | 645 { |
584 rr->length = 0; | 646 rr->length = 0; |
585 s->packet_length = 0; | 647 s->packet_length = 0; |
586 goto again; | 648 goto again; |
587 } | 649 } |
588 | 650 |
589 /* now n == rr->length, | 651 /* now n == rr->length, |
590 * and s->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length *
/ | 652 * and s->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length *
/ |
591 } | 653 } |
592 s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */ | 654 s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */ |
593 | 655 |
594 /* match epochs. NULL means the packet is dropped on the floor */ | 656 /* match epochs. NULL means the packet is dropped on the floor */ |
595 bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); | 657 bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); |
596 if ( bitmap == NULL) | 658 if ( bitmap == NULL) |
597 { | 659 » » { |
598 » rr->length = 0; | 660 » » rr->length = 0; |
599 s->packet_length = 0; /* dump this record */ | 661 » » s->packet_length = 0; /* dump this record */ |
600 goto again; /* get another record */ | 662 » » goto again; /* get another record */ |
601 } | 663 } |
602 | 664 |
603 » /* Check whether this is a repeat, or aged record. | 665 » /* Check whether this is a repeat, or aged record. |
604 * Don't check if we're listening and this message is | 666 * Don't check if we're listening and this message is |
605 * a ClientHello. They can look as if they're replayed, | 667 * a ClientHello. They can look as if they're replayed, |
606 * since they arrive from different connections and | 668 * since they arrive from different connections and |
607 * would be dropped unnecessarily. | 669 * would be dropped unnecessarily. |
608 */ | 670 */ |
609 if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE && | 671 if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE && |
610 *p == SSL3_MT_CLIENT_HELLO) && | 672 *p == SSL3_MT_CLIENT_HELLO) && |
611 » » ! dtls1_record_replay_check(s, bitmap, &(rr->seq_num))) | 673 » » !dtls1_record_replay_check(s, bitmap)) |
612 { | 674 { |
613 rr->length = 0; | 675 rr->length = 0; |
614 s->packet_length=0; /* dump this record */ | 676 s->packet_length=0; /* dump this record */ |
615 goto again; /* get another record */ | 677 goto again; /* get another record */ |
616 } | 678 } |
617 | 679 |
618 /* just read a 0 length packet */ | 680 /* just read a 0 length packet */ |
619 if (rr->length == 0) goto again; | 681 if (rr->length == 0) goto again; |
620 | 682 |
621 /* If this record is from the next epoch (either HM or ALERT), | 683 /* If this record is from the next epoch (either HM or ALERT), |
622 * and a handshake is currently in progress, buffer it since it | 684 * and a handshake is currently in progress, buffer it since it |
623 » * cannot be processed at this time. */ | 685 » * cannot be processed at this time. However, do not buffer |
| 686 » * anything while listening. |
| 687 » */ |
624 if (is_next_epoch) | 688 if (is_next_epoch) |
625 { | 689 { |
626 » » if (SSL_in_init(s) || s->in_handshake) | 690 » » if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen) |
627 { | 691 { |
628 » » » dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), &rr->
seq_num); | 692 » » » dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->s
eq_num); |
629 } | 693 } |
630 rr->length = 0; | 694 rr->length = 0; |
631 s->packet_length = 0; | 695 » » s->packet_length = 0; |
632 goto again; | 696 » » goto again; |
633 } | 697 » » } |
634 | 698 |
635 if (!dtls1_process_record(s)) | 699 » if (!dtls1_process_record(s)) |
636 { | 700 { |
637 rr->length = 0; | 701 rr->length = 0; |
638 » » s->packet_length=0; /* dump this record */ | 702 » » s->packet_length = 0; /* dump this record */ |
639 » » goto again; /* get another record */ | 703 » » goto again; /* get another record */ |
640 } | 704 } |
641 | 705 |
642 dtls1_clear_timeouts(s); /* done waiting */ | 706 dtls1_clear_timeouts(s); /* done waiting */ |
643 return(1); | 707 return(1); |
644 | 708 |
645 } | 709 } |
646 | 710 |
647 /* Return up to 'len' payload bytes received in 'type' records. | 711 /* Return up to 'len' payload bytes received in 'type' records. |
648 * 'type' is one of the following: | 712 * 'type' is one of the following: |
649 * | 713 * |
(...skipping 108 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
758 | 822 |
759 if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, | 823 if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, |
760 * reset by ssl3_get_finished */ | 824 * reset by ssl3_get_finished */ |
761 && (rr->type != SSL3_RT_HANDSHAKE)) | 825 && (rr->type != SSL3_RT_HANDSHAKE)) |
762 { | 826 { |
763 /* We now have application data between CCS and Finished. | 827 /* We now have application data between CCS and Finished. |
764 * Most likely the packets were reordered on their way, so | 828 * Most likely the packets were reordered on their way, so |
765 * buffer the application data for later processing rather | 829 * buffer the application data for later processing rather |
766 * than dropping the connection. | 830 * than dropping the connection. |
767 */ | 831 */ |
768 » » dtls1_buffer_record(s, &(s->d1->buffered_app_data), &rr->seq_num
); | 832 » » dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num)
; |
769 rr->length = 0; | 833 rr->length = 0; |
770 goto start; | 834 goto start; |
771 } | 835 } |
772 | 836 |
773 /* If the other end has shut down, throw anything we read away | 837 /* If the other end has shut down, throw anything we read away |
774 * (even in 'peek' mode) */ | 838 * (even in 'peek' mode) */ |
775 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) | 839 if (s->shutdown & SSL_RECEIVED_SHUTDOWN) |
776 { | 840 { |
777 rr->length=0; | 841 rr->length=0; |
778 s->rwstate=SSL_NOTHING; | 842 s->rwstate=SSL_NOTHING; |
(...skipping 261 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1040 return(0); | 1104 return(0); |
1041 } | 1105 } |
1042 | 1106 |
1043 if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) | 1107 if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) |
1044 { | 1108 { |
1045 struct ccs_header_st ccs_hdr; | 1109 struct ccs_header_st ccs_hdr; |
1046 unsigned int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH; | 1110 unsigned int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH; |
1047 | 1111 |
1048 dtls1_get_ccs_header(rr->data, &ccs_hdr); | 1112 dtls1_get_ccs_header(rr->data, &ccs_hdr); |
1049 | 1113 |
| 1114 if (s->version == DTLS1_BAD_VER) |
| 1115 ccs_hdr_len = 3; |
| 1116 |
1050 /* 'Change Cipher Spec' is just a single byte, so we know | 1117 /* 'Change Cipher Spec' is just a single byte, so we know |
1051 * exactly what the record payload has to look like */ | 1118 * exactly what the record payload has to look like */ |
1052 /* XDTLS: check that epoch is consistent */ | 1119 /* XDTLS: check that epoch is consistent */ |
1053 » » if (s->client_version == DTLS1_BAD_VER || s->version == DTLS1_BA
D_VER) | 1120 » » if (» (rr->length != ccs_hdr_len) || |
1054 » » » ccs_hdr_len = 3; | 1121 » » » (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) |
1055 | |
1056 » » if ((rr->length != ccs_hdr_len) || (rr->off != 0) || (rr->data[0
] != SSL3_MT_CCS)) | |
1057 { | 1122 { |
1058 i=SSL_AD_ILLEGAL_PARAMETER; | 1123 i=SSL_AD_ILLEGAL_PARAMETER; |
1059 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SP
EC); | 1124 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SP
EC); |
1060 goto err; | 1125 goto err; |
1061 } | 1126 } |
1062 | 1127 |
1063 rr->length=0; | 1128 rr->length=0; |
1064 | 1129 |
1065 if (s->msg_callback) | 1130 if (s->msg_callback) |
1066 s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPE
C, | 1131 s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPE
C, |
1067 rr->data, 1, s, s->msg_callback_arg); | 1132 rr->data, 1, s, s->msg_callback_arg); |
1068 | 1133 |
1069 /* We can't process a CCS now, because previous handshake | 1134 /* We can't process a CCS now, because previous handshake |
1070 * messages are still missing, so just drop it. | 1135 * messages are still missing, so just drop it. |
1071 */ | 1136 */ |
1072 if (!s->d1->change_cipher_spec_ok) | 1137 if (!s->d1->change_cipher_spec_ok) |
1073 { | 1138 { |
1074 goto start; | 1139 goto start; |
1075 } | 1140 } |
1076 | 1141 |
1077 s->d1->change_cipher_spec_ok = 0; | 1142 s->d1->change_cipher_spec_ok = 0; |
1078 | 1143 |
1079 s->s3->change_cipher_spec=1; | 1144 s->s3->change_cipher_spec=1; |
1080 if (!ssl3_do_change_cipher_spec(s)) | 1145 if (!ssl3_do_change_cipher_spec(s)) |
1081 goto err; | 1146 goto err; |
1082 | 1147 |
1083 /* do this whenever CCS is processed */ | 1148 /* do this whenever CCS is processed */ |
1084 dtls1_reset_seq_numbers(s, SSL3_CC_READ); | 1149 dtls1_reset_seq_numbers(s, SSL3_CC_READ); |
1085 | 1150 |
1086 » » if (s->client_version == DTLS1_BAD_VER) | 1151 » » if (s->version == DTLS1_BAD_VER) |
1087 s->d1->handshake_read_seq++; | 1152 s->d1->handshake_read_seq++; |
1088 | 1153 |
1089 goto start; | 1154 goto start; |
1090 } | 1155 } |
1091 | 1156 |
1092 /* Unexpected handshake message (Client Hello, or protocol violation) */ | 1157 /* Unexpected handshake message (Client Hello, or protocol violation) */ |
1093 if ((s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && | 1158 if ((s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && |
1094 !s->in_handshake) | 1159 !s->in_handshake) |
1095 { | 1160 { |
1096 struct hm_header_st msg_hdr; | 1161 struct hm_header_st msg_hdr; |
(...skipping 195 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1292 | 1357 |
1293 int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
int create_empty_fragment) | 1358 int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
int create_empty_fragment) |
1294 { | 1359 { |
1295 unsigned char *p,*pseq; | 1360 unsigned char *p,*pseq; |
1296 int i,mac_size,clear=0; | 1361 int i,mac_size,clear=0; |
1297 int prefix_len = 0; | 1362 int prefix_len = 0; |
1298 SSL3_RECORD *wr; | 1363 SSL3_RECORD *wr; |
1299 SSL3_BUFFER *wb; | 1364 SSL3_BUFFER *wb; |
1300 SSL_SESSION *sess; | 1365 SSL_SESSION *sess; |
1301 int bs; | 1366 int bs; |
| 1367 unsigned int len_with_overhead = len + SSL3_RT_DEFAULT_WRITE_OVERHEAD; |
1302 | 1368 |
1303 /* first check if there is a SSL3_BUFFER still being written | 1369 /* first check if there is a SSL3_BUFFER still being written |
1304 * out. This will happen with non blocking IO */ | 1370 * out. This will happen with non blocking IO */ |
1305 if (s->s3->wbuf.left != 0) | 1371 if (s->s3->wbuf.left != 0) |
1306 { | 1372 { |
1307 OPENSSL_assert(0); /* XDTLS: want to see if we ever get here */ | 1373 OPENSSL_assert(0); /* XDTLS: want to see if we ever get here */ |
1308 return(ssl3_write_pending(s,type,buf,len)); | 1374 return(ssl3_write_pending(s,type,buf,len)); |
1309 } | 1375 } |
1310 | 1376 |
| 1377 if (s->s3->wbuf.len < len_with_overhead) |
| 1378 { |
| 1379 if ((p=OPENSSL_realloc(s->s3->wbuf.buf, len_with_overhead)) == N
ULL) { |
| 1380 SSLerr(SSL_F_DO_DTLS1_WRITE,ERR_R_MALLOC_FAILURE); |
| 1381 goto err; |
| 1382 } |
| 1383 s->s3->wbuf.buf = p; |
| 1384 s->s3->wbuf.len = len_with_overhead; |
| 1385 } |
| 1386 |
1311 /* If we have an alert to send, lets send it */ | 1387 /* If we have an alert to send, lets send it */ |
1312 if (s->s3->alert_dispatch) | 1388 if (s->s3->alert_dispatch) |
1313 { | 1389 { |
1314 i=s->method->ssl_dispatch_alert(s); | 1390 i=s->method->ssl_dispatch_alert(s); |
1315 if (i <= 0) | 1391 if (i <= 0) |
1316 return(i); | 1392 return(i); |
1317 /* if it went, fall through and send more stuff */ | 1393 /* if it went, fall through and send more stuff */ |
1318 } | 1394 } |
1319 | 1395 |
1320 if (len == 0 && !create_empty_fragment) | 1396 if (len == 0 && !create_empty_fragment) |
1321 return 0; | 1397 return 0; |
1322 | 1398 |
1323 wr= &(s->s3->wrec); | 1399 wr= &(s->s3->wrec); |
1324 wb= &(s->s3->wbuf); | 1400 wb= &(s->s3->wbuf); |
1325 sess=s->session; | 1401 sess=s->session; |
1326 | 1402 |
1327 if ( (sess == NULL) || | 1403 if ( (sess == NULL) || |
1328 (s->enc_write_ctx == NULL) || | 1404 (s->enc_write_ctx == NULL) || |
1329 » » (s->write_hash == NULL)) | 1405 » » (EVP_MD_CTX_md(s->write_hash) == NULL)) |
1330 clear=1; | 1406 clear=1; |
1331 | 1407 |
1332 if (clear) | 1408 if (clear) |
1333 mac_size=0; | 1409 mac_size=0; |
1334 else | 1410 else |
1335 » » mac_size=EVP_MD_size(s->write_hash); | 1411 » » { |
| 1412 » » mac_size=EVP_MD_CTX_size(s->write_hash); |
| 1413 » » if (mac_size < 0) |
| 1414 » » » goto err; |
| 1415 » » } |
1336 | 1416 |
1337 /* DTLS implements explicit IV, so no need for empty fragments */ | 1417 /* DTLS implements explicit IV, so no need for empty fragments */ |
1338 #if 0 | 1418 #if 0 |
1339 /* 'create_empty_fragment' is true only when this function calls itself
*/ | 1419 /* 'create_empty_fragment' is true only when this function calls itself
*/ |
1340 if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done | 1420 if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done |
1341 && SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VE
R) | 1421 && SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VE
R) |
1342 { | 1422 { |
1343 /* countermeasure against known-IV weakness in CBC ciphersuites | 1423 /* countermeasure against known-IV weakness in CBC ciphersuites |
1344 * (see http://www.openssl.org/~bodo/tls-cbc.txt) | 1424 * (see http://www.openssl.org/~bodo/tls-cbc.txt) |
1345 */ | 1425 */ |
(...skipping 12 matching lines...) Expand all Loading... |
1358 { | 1438 { |
1359 /* insufficient space */ | 1439 /* insufficient space */ |
1360 SSLerr(SSL_F_DO_DTLS1_WRITE, ERR_R_INTERNAL_ERRO
R); | 1440 SSLerr(SSL_F_DO_DTLS1_WRITE, ERR_R_INTERNAL_ERRO
R); |
1361 goto err; | 1441 goto err; |
1362 } | 1442 } |
1363 } | 1443 } |
1364 | 1444 |
1365 s->s3->empty_fragment_done = 1; | 1445 s->s3->empty_fragment_done = 1; |
1366 } | 1446 } |
1367 #endif | 1447 #endif |
1368 | |
1369 p = wb->buf + prefix_len; | 1448 p = wb->buf + prefix_len; |
1370 | 1449 |
1371 /* write the header */ | 1450 /* write the header */ |
1372 | 1451 |
1373 *(p++)=type&0xff; | 1452 *(p++)=type&0xff; |
1374 wr->type=type; | 1453 wr->type=type; |
1375 | 1454 |
1376 » if (s->client_version == DTLS1_BAD_VER) | 1455 » *(p++)=(s->version>>8); |
1377 » » *(p++) = DTLS1_BAD_VER>>8, | 1456 » *(p++)=s->version&0xff; |
1378 » » *(p++) = DTLS1_BAD_VER&0xff; | |
1379 » else | |
1380 » » *(p++)=(s->version>>8), | |
1381 » » *(p++)=s->version&0xff; | |
1382 | 1457 |
1383 /* field where we are to write out packet epoch, seq num and len */ | 1458 /* field where we are to write out packet epoch, seq num and len */ |
1384 pseq=p; | 1459 pseq=p; |
1385 p+=10; | 1460 p+=10; |
1386 | 1461 |
1387 /* lets setup the record stuff. */ | 1462 /* lets setup the record stuff. */ |
1388 | 1463 |
1389 /* Make space for the explicit IV in case of CBC. | 1464 /* Make space for the explicit IV in case of CBC. |
1390 * (this is a bit of a boundary violation, but what the heck). | 1465 * (this is a bit of a boundary violation, but what the heck). |
1391 */ | 1466 */ |
(...skipping 24 matching lines...) Expand all Loading... |
1416 memcpy(wr->data,wr->input,wr->length); | 1491 memcpy(wr->data,wr->input,wr->length); |
1417 wr->input=wr->data; | 1492 wr->input=wr->data; |
1418 } | 1493 } |
1419 | 1494 |
1420 /* we should still have the output to wr->data and the input | 1495 /* we should still have the output to wr->data and the input |
1421 * from wr->input. Length should be wr->length. | 1496 * from wr->input. Length should be wr->length. |
1422 * wr->data still points in the wb->buf */ | 1497 * wr->data still points in the wb->buf */ |
1423 | 1498 |
1424 if (mac_size != 0) | 1499 if (mac_size != 0) |
1425 { | 1500 { |
1426 » » s->method->ssl3_enc->mac(s,&(p[wr->length + bs]),1); | 1501 » » if(s->method->ssl3_enc->mac(s,&(p[wr->length + bs]),1) < 0) |
| 1502 » » » goto err; |
1427 wr->length+=mac_size; | 1503 wr->length+=mac_size; |
1428 } | 1504 } |
1429 | 1505 |
1430 /* this is true regardless of mac size */ | 1506 /* this is true regardless of mac size */ |
1431 wr->input=p; | 1507 wr->input=p; |
1432 wr->data=p; | 1508 wr->data=p; |
1433 | 1509 |
1434 | 1510 |
1435 /* ssl3_enc can only have an error on read */ | 1511 /* ssl3_enc can only have an error on read */ |
1436 if (bs) /* bs != 0 in case of CBC */ | 1512 if (bs) /* bs != 0 in case of CBC */ |
(...skipping 56 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1493 s->s3->wpend_ret=len; | 1569 s->s3->wpend_ret=len; |
1494 | 1570 |
1495 /* we now just need to write the buffer */ | 1571 /* we now just need to write the buffer */ |
1496 return ssl3_write_pending(s,type,buf,len); | 1572 return ssl3_write_pending(s,type,buf,len); |
1497 err: | 1573 err: |
1498 return -1; | 1574 return -1; |
1499 } | 1575 } |
1500 | 1576 |
1501 | 1577 |
1502 | 1578 |
1503 static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap, | 1579 static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap) |
1504 » PQ_64BIT *seq_num) | |
1505 { | 1580 { |
1506 #if PQ_64BIT_IS_INTEGER | 1581 » int cmp; |
1507 » PQ_64BIT mask = 0x0000000000000001L; | 1582 » unsigned int shift; |
1508 #endif | 1583 » const unsigned char *seq = s->s3->read_sequence; |
1509 » PQ_64BIT rcd_num, tmp; | |
1510 | 1584 |
1511 » pq_64bit_init(&rcd_num); | 1585 » cmp = satsub64be(seq,bitmap->max_seq_num); |
1512 » pq_64bit_init(&tmp); | 1586 » if (cmp > 0) |
| 1587 » » { |
| 1588 » » memcpy (s->s3->rrec.seq_num,seq,8); |
| 1589 » » return 1; /* this record in new */ |
| 1590 » » } |
| 1591 » shift = -cmp; |
| 1592 » if (shift >= sizeof(bitmap->map)*8) |
| 1593 » » return 0; /* stale, outside the window */ |
| 1594 » else if (bitmap->map & (1UL<<shift)) |
| 1595 » » return 0; /* record previously received */ |
1513 | 1596 |
1514 » /* this is the sequence number for the record just read */ | 1597 » memcpy (s->s3->rrec.seq_num,seq,8); |
1515 » pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8); | |
1516 | |
1517 » | |
1518 » if (pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) || | |
1519 » » pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num))) | |
1520 » » { | |
1521 » » pq_64bit_assign(seq_num, &rcd_num); | |
1522 » » pq_64bit_free(&rcd_num); | |
1523 » » pq_64bit_free(&tmp); | |
1524 » » return 1; /* this record is new */ | |
1525 » » } | |
1526 | |
1527 » pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num); | |
1528 | |
1529 » if ( pq_64bit_get_word(&tmp) > bitmap->length) | |
1530 » » { | |
1531 » » pq_64bit_free(&rcd_num); | |
1532 » » pq_64bit_free(&tmp); | |
1533 » » return 0; /* stale, outside the window */ | |
1534 » » } | |
1535 | |
1536 #if PQ_64BIT_IS_BIGNUM | |
1537 » { | |
1538 » int offset; | |
1539 » pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num); | |
1540 » pq_64bit_sub_word(&tmp, 1); | |
1541 » offset = pq_64bit_get_word(&tmp); | |
1542 » if ( pq_64bit_is_bit_set(&(bitmap->map), offset)) | |
1543 » » { | |
1544 » » pq_64bit_free(&rcd_num); | |
1545 » » pq_64bit_free(&tmp); | |
1546 » » return 0; | |
1547 » » } | |
1548 » } | |
1549 #else | |
1550 » mask <<= (bitmap->max_seq_num - rcd_num - 1); | |
1551 » if (bitmap->map & mask) | |
1552 » » return 0; /* record previously received */ | |
1553 #endif | |
1554 » | |
1555 » pq_64bit_assign(seq_num, &rcd_num); | |
1556 » pq_64bit_free(&rcd_num); | |
1557 » pq_64bit_free(&tmp); | |
1558 return 1; | 1598 return 1; |
1559 } | 1599 } |
1560 | 1600 |
1561 | 1601 |
1562 static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap) | 1602 static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap) |
1563 { | 1603 { |
| 1604 int cmp; |
1564 unsigned int shift; | 1605 unsigned int shift; |
1565 » PQ_64BIT rcd_num; | 1606 » const unsigned char *seq = s->s3->read_sequence; |
1566 » PQ_64BIT tmp; | |
1567 » PQ_64BIT_CTX *ctx; | |
1568 | 1607 |
1569 » pq_64bit_init(&rcd_num); | 1608 » cmp = satsub64be(seq,bitmap->max_seq_num); |
1570 » pq_64bit_init(&tmp); | 1609 » if (cmp > 0) |
1571 | |
1572 » pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8); | |
1573 | |
1574 » /* unfortunate code complexity due to 64-bit manipulation support | |
1575 » * on 32-bit machines */ | |
1576 » if ( pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) || | |
1577 » » pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num))) | |
1578 { | 1610 { |
1579 » » pq_64bit_sub(&tmp, &rcd_num, &(bitmap->max_seq_num)); | 1611 » » shift = cmp; |
1580 » » pq_64bit_add_word(&tmp, 1); | 1612 » » if (shift < sizeof(bitmap->map)*8) |
1581 | 1613 » » » bitmap->map <<= shift, bitmap->map |= 1UL; |
1582 » » shift = (unsigned int)pq_64bit_get_word(&tmp); | 1614 » » else |
1583 | 1615 » » » bitmap->map = 1UL; |
1584 » » pq_64bit_lshift(&(tmp), &(bitmap->map), shift); | 1616 » » memcpy(bitmap->max_seq_num,seq,8); |
1585 » » pq_64bit_assign(&(bitmap->map), &tmp); | |
1586 | |
1587 » » pq_64bit_set_bit(&(bitmap->map), 0); | |
1588 » » pq_64bit_add_word(&rcd_num, 1); | |
1589 » » pq_64bit_assign(&(bitmap->max_seq_num), &rcd_num); | |
1590 | |
1591 » » pq_64bit_assign_word(&tmp, 1); | |
1592 » » pq_64bit_lshift(&tmp, &tmp, bitmap->length); | |
1593 » » ctx = pq_64bit_ctx_new(&ctx); | |
1594 » » pq_64bit_mod(&(bitmap->map), &(bitmap->map), &tmp, ctx); | |
1595 » » pq_64bit_ctx_free(ctx); | |
1596 } | 1617 } |
1597 » else | 1618 » else» { |
1598 » » { | 1619 » » shift = -cmp; |
1599 » » pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num); | 1620 » » if (shift < sizeof(bitmap->map)*8) |
1600 » » pq_64bit_sub_word(&tmp, 1); | 1621 » » » bitmap->map |= 1UL<<shift; |
1601 » » shift = (unsigned int)pq_64bit_get_word(&tmp); | |
1602 | |
1603 » » pq_64bit_set_bit(&(bitmap->map), shift); | |
1604 } | 1622 } |
1605 | |
1606 pq_64bit_free(&rcd_num); | |
1607 pq_64bit_free(&tmp); | |
1608 } | 1623 } |
1609 | 1624 |
1610 | 1625 |
1611 int dtls1_dispatch_alert(SSL *s) | 1626 int dtls1_dispatch_alert(SSL *s) |
1612 { | 1627 { |
1613 int i,j; | 1628 int i,j; |
1614 void (*cb)(const SSL *ssl,int type,int val)=NULL; | 1629 void (*cb)(const SSL *ssl,int type,int val)=NULL; |
1615 unsigned char buf[DTLS1_AL_HEADER_LENGTH]; | 1630 unsigned char buf[DTLS1_AL_HEADER_LENGTH]; |
1616 unsigned char *ptr = &buf[0]; | 1631 unsigned char *ptr = &buf[0]; |
1617 | 1632 |
(...skipping 26 matching lines...) Expand all Loading... |
1644 { | 1659 { |
1645 s->s3->alert_dispatch=1; | 1660 s->s3->alert_dispatch=1; |
1646 /* fprintf( stderr, "not done with alert\n" ); */ | 1661 /* fprintf( stderr, "not done with alert\n" ); */ |
1647 } | 1662 } |
1648 else | 1663 else |
1649 { | 1664 { |
1650 if (s->s3->send_alert[0] == SSL3_AL_FATAL | 1665 if (s->s3->send_alert[0] == SSL3_AL_FATAL |
1651 #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE | 1666 #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE |
1652 || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAG
E | 1667 || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAG
E |
1653 #endif | 1668 #endif |
1654 » » ) | 1669 » » ) |
1655 (void)BIO_flush(s->wbio); | 1670 (void)BIO_flush(s->wbio); |
1656 | 1671 |
1657 if (s->msg_callback) | 1672 if (s->msg_callback) |
1658 s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->sen
d_alert, | 1673 s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->sen
d_alert, |
1659 2, s, s->msg_callback_arg); | 1674 2, s, s->msg_callback_arg); |
1660 | 1675 |
1661 if (s->info_callback != NULL) | 1676 if (s->info_callback != NULL) |
1662 cb=s->info_callback; | 1677 cb=s->info_callback; |
1663 else if (s->ctx->info_callback != NULL) | 1678 else if (s->ctx->info_callback != NULL) |
1664 cb=s->ctx->info_callback; | 1679 cb=s->ctx->info_callback; |
(...skipping 98 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1763 void | 1778 void |
1764 dtls1_reset_seq_numbers(SSL *s, int rw) | 1779 dtls1_reset_seq_numbers(SSL *s, int rw) |
1765 { | 1780 { |
1766 unsigned char *seq; | 1781 unsigned char *seq; |
1767 unsigned int seq_bytes = sizeof(s->s3->read_sequence); | 1782 unsigned int seq_bytes = sizeof(s->s3->read_sequence); |
1768 | 1783 |
1769 if ( rw & SSL3_CC_READ) | 1784 if ( rw & SSL3_CC_READ) |
1770 { | 1785 { |
1771 seq = s->s3->read_sequence; | 1786 seq = s->s3->read_sequence; |
1772 s->d1->r_epoch++; | 1787 s->d1->r_epoch++; |
1773 | 1788 » » memcpy(&(s->d1->bitmap), &(s->d1->next_bitmap), sizeof(DTLS1_BIT
MAP)); |
1774 » » pq_64bit_assign(&(s->d1->bitmap.map), &(s->d1->next_bitmap.map))
; | |
1775 » » s->d1->bitmap.length = s->d1->next_bitmap.length; | |
1776 » » pq_64bit_assign(&(s->d1->bitmap.max_seq_num), | |
1777 » » » &(s->d1->next_bitmap.max_seq_num)); | |
1778 | |
1779 » » pq_64bit_free(&(s->d1->next_bitmap.map)); | |
1780 » » pq_64bit_free(&(s->d1->next_bitmap.max_seq_num)); | |
1781 memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP)); | 1789 memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP)); |
1782 pq_64bit_init(&(s->d1->next_bitmap.map)); | |
1783 pq_64bit_init(&(s->d1->next_bitmap.max_seq_num)); | |
1784 } | 1790 } |
1785 else | 1791 else |
1786 { | 1792 { |
1787 seq = s->s3->write_sequence; | 1793 seq = s->s3->write_sequence; |
1788 memcpy(s->d1->last_write_sequence, seq, sizeof(s->s3->write_sequ
ence)); | 1794 memcpy(s->d1->last_write_sequence, seq, sizeof(s->s3->write_sequ
ence)); |
1789 s->d1->w_epoch++; | 1795 s->d1->w_epoch++; |
1790 } | 1796 } |
1791 | 1797 |
1792 memset(seq, 0x00, seq_bytes); | 1798 memset(seq, 0x00, seq_bytes); |
1793 } | 1799 } |
1794 | 1800 |
1795 #if PQ_64BIT_IS_INTEGER | |
1796 static PQ_64BIT | |
1797 bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num) | |
1798 { | |
1799 PQ_64BIT _num; | |
1800 | |
1801 _num = (((PQ_64BIT)bytes[0]) << 56) | | |
1802 (((PQ_64BIT)bytes[1]) << 48) | | |
1803 (((PQ_64BIT)bytes[2]) << 40) | | |
1804 (((PQ_64BIT)bytes[3]) << 32) | | |
1805 (((PQ_64BIT)bytes[4]) << 24) | | |
1806 (((PQ_64BIT)bytes[5]) << 16) | | |
1807 (((PQ_64BIT)bytes[6]) << 8) | | |
1808 (((PQ_64BIT)bytes[7]) ); | |
1809 | |
1810 *num = _num ; | |
1811 return _num; | |
1812 } | |
1813 #endif | |
1814 | |
1815 | 1801 |
1816 static void | 1802 static void |
1817 dtls1_clear_timeouts(SSL *s) | 1803 dtls1_clear_timeouts(SSL *s) |
1818 { | 1804 { |
1819 memset(&(s->d1->timeout), 0x00, sizeof(struct dtls1_timeout_st)); | 1805 memset(&(s->d1->timeout), 0x00, sizeof(struct dtls1_timeout_st)); |
1820 } | 1806 } |
OLD | NEW |