Coverage Report

Created: 2023-06-08 06:41

/src/openssl/ssl/d1_lib.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright 2005-2022 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9
10
#include "internal/e_os.h"
11
#include <stdio.h>
12
#include <openssl/objects.h>
13
#include <openssl/rand.h>
14
#include "ssl_local.h"
15
#include "internal/time.h"
16
17
static int dtls1_handshake_write(SSL_CONNECTION *s);
18
static size_t dtls1_link_min_mtu(void);
19
20
/* XDTLS:  figure out the right values */
21
static const size_t g_probable_mtu[] = { 1500, 512, 256 };
22
23
const SSL3_ENC_METHOD DTLSv1_enc_data = {
24
    tls1_setup_key_block,
25
    tls1_generate_master_secret,
26
    tls1_change_cipher_state,
27
    tls1_final_finish_mac,
28
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
29
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
30
    tls1_alert_code,
31
    tls1_export_keying_material,
32
    SSL_ENC_FLAG_DTLS | SSL_ENC_FLAG_EXPLICIT_IV,
33
    dtls1_set_handshake_header,
34
    dtls1_close_construct_packet,
35
    dtls1_handshake_write
36
};
37
38
const SSL3_ENC_METHOD DTLSv1_2_enc_data = {
39
    tls1_setup_key_block,
40
    tls1_generate_master_secret,
41
    tls1_change_cipher_state,
42
    tls1_final_finish_mac,
43
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
44
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
45
    tls1_alert_code,
46
    tls1_export_keying_material,
47
    SSL_ENC_FLAG_DTLS | SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS
48
        | SSL_ENC_FLAG_SHA256_PRF | SSL_ENC_FLAG_TLS1_2_CIPHERS,
49
    dtls1_set_handshake_header,
50
    dtls1_close_construct_packet,
51
    dtls1_handshake_write
52
};
53
54
OSSL_TIME dtls1_default_timeout(void)
55
0
{
56
    /*
57
     * 2 hours, the 24 hours mentioned in the DTLSv1 spec is way too long for
58
     * http, the cache would over fill
59
     */
60
0
    return ossl_seconds2time(60 * 60 * 2);
61
0
}
62
63
int dtls1_new(SSL *ssl)
64
0
{
65
0
    DTLS1_STATE *d1;
66
0
    SSL_CONNECTION *s = SSL_CONNECTION_FROM_SSL_ONLY(ssl);
67
68
0
    if (s == NULL)
69
0
        return 0;
70
71
0
    if (!DTLS_RECORD_LAYER_new(&s->rlayer)) {
72
0
        return 0;
73
0
    }
74
75
0
    if (!ssl3_new(ssl))
76
0
        return 0;
77
0
    if ((d1 = OPENSSL_zalloc(sizeof(*d1))) == NULL) {
78
0
        ssl3_free(ssl);
79
0
        return 0;
80
0
    }
81
82
0
    d1->buffered_messages = pqueue_new();
83
0
    d1->sent_messages = pqueue_new();
84
85
0
    if (s->server) {
86
0
        d1->cookie_len = sizeof(s->d1->cookie);
87
0
    }
88
89
0
    d1->link_mtu = 0;
90
0
    d1->mtu = 0;
91
92
0
    if (d1->buffered_messages == NULL || d1->sent_messages == NULL) {
93
0
        pqueue_free(d1->buffered_messages);
94
0
        pqueue_free(d1->sent_messages);
95
0
        OPENSSL_free(d1);
96
0
        ssl3_free(ssl);
97
0
        return 0;
98
0
    }
99
100
0
    s->d1 = d1;
101
102
0
    if (!ssl->method->ssl_clear(ssl))
103
0
        return 0;
104
105
0
    return 1;
106
0
}
107
108
static void dtls1_clear_queues(SSL_CONNECTION *s)
109
0
{
110
0
    dtls1_clear_received_buffer(s);
111
0
    dtls1_clear_sent_buffer(s);
112
0
}
113
114
void dtls1_clear_received_buffer(SSL_CONNECTION *s)
115
0
{
116
0
    pitem *item = NULL;
117
0
    hm_fragment *frag = NULL;
118
119
0
    while ((item = pqueue_pop(s->d1->buffered_messages)) != NULL) {
120
0
        frag = (hm_fragment *)item->data;
121
0
        dtls1_hm_fragment_free(frag);
122
0
        pitem_free(item);
123
0
    }
124
0
}
125
126
void dtls1_clear_sent_buffer(SSL_CONNECTION *s)
127
0
{
128
0
    pitem *item = NULL;
129
0
    hm_fragment *frag = NULL;
130
131
0
    while ((item = pqueue_pop(s->d1->sent_messages)) != NULL) {
132
0
        frag = (hm_fragment *)item->data;
133
0
        dtls1_hm_fragment_free(frag);
134
0
        pitem_free(item);
135
0
    }
136
0
}
137
138
139
void dtls1_free(SSL *ssl)
140
0
{
141
0
    SSL_CONNECTION *s = SSL_CONNECTION_FROM_SSL_ONLY(ssl);
142
143
0
    if (s == NULL)
144
0
        return;
145
146
0
    DTLS_RECORD_LAYER_free(&s->rlayer);
147
148
0
    ssl3_free(ssl);
149
150
0
    if (s->d1 != NULL) {
151
0
        dtls1_clear_queues(s);
152
0
        pqueue_free(s->d1->buffered_messages);
153
0
        pqueue_free(s->d1->sent_messages);
154
0
    }
155
156
0
    OPENSSL_free(s->d1);
157
0
    s->d1 = NULL;
158
0
}
159
160
int dtls1_clear(SSL *ssl)
161
0
{
162
0
    pqueue *buffered_messages;
163
0
    pqueue *sent_messages;
164
0
    size_t mtu;
165
0
    size_t link_mtu;
166
167
0
    SSL_CONNECTION *s = SSL_CONNECTION_FROM_SSL_ONLY(ssl);
168
169
0
    if (s == NULL)
170
0
        return 0;
171
172
0
    DTLS_RECORD_LAYER_clear(&s->rlayer);
173
174
0
    if (s->d1) {
175
0
        DTLS_timer_cb timer_cb = s->d1->timer_cb;
176
177
0
        buffered_messages = s->d1->buffered_messages;
178
0
        sent_messages = s->d1->sent_messages;
179
0
        mtu = s->d1->mtu;
180
0
        link_mtu = s->d1->link_mtu;
181
182
0
        dtls1_clear_queues(s);
183
184
0
        memset(s->d1, 0, sizeof(*s->d1));
185
186
        /* Restore the timer callback from previous state */
187
0
        s->d1->timer_cb = timer_cb;
188
189
0
        if (s->server) {
190
0
            s->d1->cookie_len = sizeof(s->d1->cookie);
191
0
        }
192
193
0
        if (SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU) {
194
0
            s->d1->mtu = mtu;
195
0
            s->d1->link_mtu = link_mtu;
196
0
        }
197
198
0
        s->d1->buffered_messages = buffered_messages;
199
0
        s->d1->sent_messages = sent_messages;
200
0
    }
201
202
0
    if (!ssl3_clear(ssl))
203
0
        return 0;
204
205
0
    if (ssl->method->version == DTLS_ANY_VERSION)
206
0
        s->version = DTLS_MAX_VERSION_INTERNAL;
207
0
#ifndef OPENSSL_NO_DTLS1_METHOD
208
0
    else if (s->options & SSL_OP_CISCO_ANYCONNECT)
209
0
        s->client_version = s->version = DTLS1_BAD_VER;
210
0
#endif
211
0
    else
212
0
        s->version = ssl->method->version;
213
214
0
    return 1;
215
0
}
216
217
long dtls1_ctrl(SSL *ssl, int cmd, long larg, void *parg)
218
0
{
219
0
    int ret = 0;
220
0
    OSSL_TIME t;
221
0
    SSL_CONNECTION *s = SSL_CONNECTION_FROM_SSL_ONLY(ssl);
222
223
0
    if (s == NULL)
224
0
        return 0;
225
226
0
    switch (cmd) {
227
0
    case DTLS_CTRL_GET_TIMEOUT:
228
0
        if (dtls1_get_timeout(s, &t)) {
229
0
            *(struct timeval *)parg = ossl_time_to_timeval(t);
230
0
            ret = 1;
231
0
        }
232
0
        break;
233
0
    case DTLS_CTRL_HANDLE_TIMEOUT:
234
0
        ret = dtls1_handle_timeout(s);
235
0
        break;
236
0
    case DTLS_CTRL_SET_LINK_MTU:
237
0
        if (larg < (long)dtls1_link_min_mtu())
238
0
            return 0;
239
0
        s->d1->link_mtu = larg;
240
0
        return 1;
241
0
    case DTLS_CTRL_GET_LINK_MIN_MTU:
242
0
        return (long)dtls1_link_min_mtu();
243
0
    case SSL_CTRL_SET_MTU:
244
        /*
245
         *  We may not have a BIO set yet so can't call dtls1_min_mtu()
246
         *  We'll have to make do with dtls1_link_min_mtu() and max overhead
247
         */
248
0
        if (larg < (long)dtls1_link_min_mtu() - DTLS1_MAX_MTU_OVERHEAD)
249
0
            return 0;
250
0
        s->d1->mtu = larg;
251
0
        return larg;
252
0
    default:
253
0
        ret = ssl3_ctrl(ssl, cmd, larg, parg);
254
0
        break;
255
0
    }
256
0
    return ret;
257
0
}
258
259
static void dtls1_bio_set_next_timeout(BIO * bio, const DTLS1_STATE *d1)
260
0
{
261
0
    struct timeval tv = ossl_time_to_timeval(d1->next_timeout);
262
263
0
    BIO_ctrl(bio, BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, &tv);
264
0
}
265
266
void dtls1_start_timer(SSL_CONNECTION *s)
267
0
{
268
0
    OSSL_TIME duration;
269
0
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);
270
271
#ifndef OPENSSL_NO_SCTP
272
    /* Disable timer for SCTP */
273
    if (BIO_dgram_is_sctp(SSL_get_wbio(ssl))) {
274
        s->d1->next_timeout = ossl_time_zero();
275
        return;
276
    }
277
#endif
278
279
    /*
280
     * If timer is not set, initialize duration with 1 second or
281
     * a user-specified value if the timer callback is installed.
282
     */
283
0
    if (ossl_time_is_zero(s->d1->next_timeout)) {
284
0
        if (s->d1->timer_cb != NULL)
285
0
            s->d1->timeout_duration_us = s->d1->timer_cb(ssl, 0);
286
0
        else
287
0
            s->d1->timeout_duration_us = 1000000;
288
0
    }
289
290
    /* Set timeout to current time plus duration */
291
0
    duration = ossl_us2time(s->d1->timeout_duration_us);
292
0
    s->d1->next_timeout = ossl_time_add(ossl_time_now(), duration);
293
294
    /* set s->d1->next_timeout into ssl->rbio interface */
295
0
    dtls1_bio_set_next_timeout(SSL_get_rbio(ssl), s->d1);
296
0
}
297
298
int dtls1_get_timeout(const SSL_CONNECTION *s, OSSL_TIME *timeleft)
299
0
{
300
0
    OSSL_TIME timenow;
301
302
    /* If no timeout is set, just return NULL */
303
0
    if (ossl_time_is_zero(s->d1->next_timeout))
304
0
        return 0;
305
306
    /* Get current time */
307
0
    timenow = ossl_time_now();
308
309
    /*
310
     * If timer already expired or if remaining time is less than 15 ms,
311
     * set it to 0 to prevent issues because of small divergences with
312
     * socket timeouts.
313
     */
314
0
    *timeleft = ossl_time_subtract(s->d1->next_timeout, timenow);
315
0
    if (ossl_time_compare(*timeleft, ossl_ms2time(15)) <= 0)
316
0
        *timeleft = ossl_time_zero();
317
0
    return 1;
318
0
}
319
320
int dtls1_is_timer_expired(SSL_CONNECTION *s)
321
0
{
322
0
    OSSL_TIME timeleft;
323
324
    /* Get time left until timeout, return false if no timer running */
325
0
    if (!dtls1_get_timeout(s, &timeleft))
326
0
        return 0;
327
328
    /* Return false if timer is not expired yet */
329
0
    if (!ossl_time_is_zero(timeleft))
330
0
        return 0;
331
332
    /* Timer expired, so return true */
333
0
    return 1;
334
0
}
335
336
static void dtls1_double_timeout(SSL_CONNECTION *s)
337
0
{
338
0
    s->d1->timeout_duration_us *= 2;
339
0
    if (s->d1->timeout_duration_us > 60000000)
340
0
        s->d1->timeout_duration_us = 60000000;
341
0
}
342
343
void dtls1_stop_timer(SSL_CONNECTION *s)
344
0
{
345
    /* Reset everything */
346
0
    s->d1->timeout_num_alerts = 0;
347
0
    s->d1->next_timeout = ossl_time_zero();
348
0
    s->d1->timeout_duration_us = 1000000;
349
0
    dtls1_bio_set_next_timeout(s->rbio, s->d1);
350
    /* Clear retransmission buffer */
351
0
    dtls1_clear_sent_buffer(s);
352
0
}
353
354
int dtls1_check_timeout_num(SSL_CONNECTION *s)
355
0
{
356
0
    size_t mtu;
357
0
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);
358
359
0
    s->d1->timeout_num_alerts++;
360
361
    /* Reduce MTU after 2 unsuccessful retransmissions */
362
0
    if (s->d1->timeout_num_alerts > 2
363
0
        && !(SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) {
364
0
        mtu =
365
0
            BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL);
366
0
        if (mtu < s->d1->mtu)
367
0
            s->d1->mtu = mtu;
368
0
    }
369
370
0
    if (s->d1->timeout_num_alerts > DTLS1_TMO_ALERT_COUNT) {
371
        /* fail the connection, enough alerts have been sent */
372
0
        SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_READ_TIMEOUT_EXPIRED);
373
0
        return -1;
374
0
    }
375
376
0
    return 0;
377
0
}
378
379
int dtls1_handle_timeout(SSL_CONNECTION *s)
380
0
{
381
    /* if no timer is expired, don't do anything */
382
0
    if (!dtls1_is_timer_expired(s)) {
383
0
        return 0;
384
0
    }
385
386
0
    if (s->d1->timer_cb != NULL)
387
0
        s->d1->timeout_duration_us = s->d1->timer_cb(SSL_CONNECTION_GET_SSL(s),
388
0
                                                     s->d1->timeout_duration_us);
389
0
    else
390
0
        dtls1_double_timeout(s);
391
392
0
    if (dtls1_check_timeout_num(s) < 0) {
393
        /* SSLfatal() already called */
394
0
        return -1;
395
0
    }
396
397
0
    dtls1_start_timer(s);
398
    /* Calls SSLfatal() if required */
399
0
    return dtls1_retransmit_buffered_messages(s);
400
0
}
401
402
0
#define LISTEN_SUCCESS              2
403
0
#define LISTEN_SEND_VERIFY_REQUEST  1
404
405
#ifndef OPENSSL_NO_SOCK
406
int DTLSv1_listen(SSL *ssl, BIO_ADDR *client)
407
0
{
408
0
    int next, n, ret = 0;
409
0
    unsigned char cookie[DTLS1_COOKIE_LENGTH];
410
0
    unsigned char seq[SEQ_NUM_SIZE];
411
0
    const unsigned char *data;
412
0
    unsigned char *buf = NULL, *wbuf;
413
0
    size_t fragoff, fraglen, msglen;
414
0
    unsigned int rectype, versmajor, msgseq, msgtype, clientvers, cookielen;
415
0
    BIO *rbio, *wbio;
416
0
    BIO_ADDR *tmpclient = NULL;
417
0
    PACKET pkt, msgpkt, msgpayload, session, cookiepkt;
418
0
    SSL_CONNECTION *s = SSL_CONNECTION_FROM_SSL_ONLY(ssl);
419
420
0
    if (s == NULL)
421
0
        return -1;
422
423
0
    if (s->handshake_func == NULL) {
424
        /* Not properly initialized yet */
425
0
        SSL_set_accept_state(ssl);
426
0
    }
427
428
    /* Ensure there is no state left over from a previous invocation */
429
0
    if (!SSL_clear(ssl))
430
0
        return -1;
431
432
0
    ERR_clear_error();
433
434
0
    rbio = SSL_get_rbio(ssl);
435
0
    wbio = SSL_get_wbio(ssl);
436
437
0
    if (!rbio || !wbio) {
438
0
        ERR_raise(ERR_LIB_SSL, SSL_R_BIO_NOT_SET);
439
0
        return -1;
440
0
    }
441
442
    /*
443
     * Note: This check deliberately excludes DTLS1_BAD_VER because that version
444
     * requires the MAC to be calculated *including* the first ClientHello
445
     * (without the cookie). Since DTLSv1_listen is stateless that cannot be
446
     * supported. DTLS1_BAD_VER must use cookies in a stateful manner (e.g. via
447
     * SSL_accept)
448
     */
449
0
    if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) {
450
0
        ERR_raise(ERR_LIB_SSL, SSL_R_UNSUPPORTED_SSL_VERSION);
451
0
        return -1;
452
0
    }
453
454
0
    buf = OPENSSL_malloc(DTLS1_RT_HEADER_LENGTH + SSL3_RT_MAX_PLAIN_LENGTH);
455
0
    if (buf == NULL)
456
0
        return -1;
457
0
    wbuf = OPENSSL_malloc(DTLS1_RT_HEADER_LENGTH + SSL3_RT_MAX_PLAIN_LENGTH);
458
0
    if (wbuf == NULL) {
459
0
        OPENSSL_free(buf);
460
0
        return -1;
461
0
    }
462
463
0
    do {
464
        /* Get a packet */
465
466
0
        clear_sys_error();
467
0
        n = BIO_read(rbio, buf, SSL3_RT_MAX_PLAIN_LENGTH
468
0
                                + DTLS1_RT_HEADER_LENGTH);
469
0
        if (n <= 0) {
470
0
            if (BIO_should_retry(rbio)) {
471
                /* Non-blocking IO */
472
0
                goto end;
473
0
            }
474
0
            ret = -1;
475
0
            goto end;
476
0
        }
477
478
0
        if (!PACKET_buf_init(&pkt, buf, n)) {
479
0
            ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
480
0
            ret = -1;
481
0
            goto end;
482
0
        }
483
484
        /*
485
         * Parse the received record. If there are any problems with it we just
486
         * dump it - with no alert. RFC6347 says this "Unlike TLS, DTLS is
487
         * resilient in the face of invalid records (e.g., invalid formatting,
488
         * length, MAC, etc.).  In general, invalid records SHOULD be silently
489
         * discarded, thus preserving the association; however, an error MAY be
490
         * logged for diagnostic purposes."
491
         */
492
493
        /* this packet contained a partial record, dump it */
494
0
        if (n < DTLS1_RT_HEADER_LENGTH) {
495
0
            ERR_raise(ERR_LIB_SSL, SSL_R_RECORD_TOO_SMALL);
496
0
            goto end;
497
0
        }
498
499
0
        if (s->msg_callback)
500
0
            s->msg_callback(0, 0, SSL3_RT_HEADER, buf,
501
0
                            DTLS1_RT_HEADER_LENGTH, ssl, s->msg_callback_arg);
502
503
        /* Get the record header */
504
0
        if (!PACKET_get_1(&pkt, &rectype)
505
0
            || !PACKET_get_1(&pkt, &versmajor)) {
506
0
            ERR_raise(ERR_LIB_SSL, SSL_R_LENGTH_MISMATCH);
507
0
            goto end;
508
0
        }
509
510
0
        if (rectype != SSL3_RT_HANDSHAKE) {
511
0
            ERR_raise(ERR_LIB_SSL, SSL_R_UNEXPECTED_MESSAGE);
512
0
            goto end;
513
0
        }
514
515
        /*
516
         * Check record version number. We only check that the major version is
517
         * the same.
518
         */
519
0
        if (versmajor != DTLS1_VERSION_MAJOR) {
520
0
            ERR_raise(ERR_LIB_SSL, SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
521
0
            goto end;
522
0
        }
523
524
0
        if (!PACKET_forward(&pkt, 1)
525
            /* Save the sequence number: 64 bits, with top 2 bytes = epoch */
526
0
            || !PACKET_copy_bytes(&pkt, seq, SEQ_NUM_SIZE)
527
0
            || !PACKET_get_length_prefixed_2(&pkt, &msgpkt)) {
528
0
            ERR_raise(ERR_LIB_SSL, SSL_R_LENGTH_MISMATCH);
529
0
            goto end;
530
0
        }
531
        /*
532
         * We allow data remaining at the end of the packet because there could
533
         * be a second record (but we ignore it)
534
         */
535
536
        /* This is an initial ClientHello so the epoch has to be 0 */
537
0
        if (seq[0] != 0 || seq[1] != 0) {
538
0
            ERR_raise(ERR_LIB_SSL, SSL_R_UNEXPECTED_MESSAGE);
539
0
            goto end;
540
0
        }
541
542
        /* Get a pointer to the raw message for the later callback */
543
0
        data = PACKET_data(&msgpkt);
544
545
        /* Finished processing the record header, now process the message */
546
0
        if (!PACKET_get_1(&msgpkt, &msgtype)
547
0
            || !PACKET_get_net_3_len(&msgpkt, &msglen)
548
0
            || !PACKET_get_net_2(&msgpkt, &msgseq)
549
0
            || !PACKET_get_net_3_len(&msgpkt, &fragoff)
550
0
            || !PACKET_get_net_3_len(&msgpkt, &fraglen)
551
0
            || !PACKET_get_sub_packet(&msgpkt, &msgpayload, fraglen)
552
0
            || PACKET_remaining(&msgpkt) != 0) {
553
0
            ERR_raise(ERR_LIB_SSL, SSL_R_LENGTH_MISMATCH);
554
0
            goto end;
555
0
        }
556
557
0
        if (msgtype != SSL3_MT_CLIENT_HELLO) {
558
0
            ERR_raise(ERR_LIB_SSL, SSL_R_UNEXPECTED_MESSAGE);
559
0
            goto end;
560
0
        }
561
562
        /* Message sequence number can only be 0 or 1 */
563
0
        if (msgseq > 2) {
564
0
            ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_SEQUENCE_NUMBER);
565
0
            goto end;
566
0
        }
567
568
        /*
569
         * We don't support fragment reassembly for ClientHellos whilst
570
         * listening because that would require server side state (which is
571
         * against the whole point of the ClientHello/HelloVerifyRequest
572
         * mechanism). Instead we only look at the first ClientHello fragment
573
         * and require that the cookie must be contained within it.
574
         */
575
0
        if (fragoff != 0 || fraglen > msglen) {
576
            /* Non initial ClientHello fragment (or bad fragment) */
577
0
            ERR_raise(ERR_LIB_SSL, SSL_R_FRAGMENTED_CLIENT_HELLO);
578
0
            goto end;
579
0
        }
580
581
0
        if (s->msg_callback)
582
0
            s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, data,
583
0
                            fraglen + DTLS1_HM_HEADER_LENGTH, ssl,
584
0
                            s->msg_callback_arg);
585
586
0
        if (!PACKET_get_net_2(&msgpayload, &clientvers)) {
587
0
            ERR_raise(ERR_LIB_SSL, SSL_R_LENGTH_MISMATCH);
588
0
            goto end;
589
0
        }
590
591
        /*
592
         * Verify client version is supported
593
         */
594
0
        if (DTLS_VERSION_LT(clientvers, (unsigned int)ssl->method->version) &&
595
0
            ssl->method->version != DTLS_ANY_VERSION) {
596
0
            ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_VERSION_NUMBER);
597
0
            goto end;
598
0
        }
599
600
0
        if (!PACKET_forward(&msgpayload, SSL3_RANDOM_SIZE)
601
0
            || !PACKET_get_length_prefixed_1(&msgpayload, &session)
602
0
            || !PACKET_get_length_prefixed_1(&msgpayload, &cookiepkt)) {
603
            /*
604
             * Could be malformed or the cookie does not fit within the initial
605
             * ClientHello fragment. Either way we can't handle it.
606
             */
607
0
            ERR_raise(ERR_LIB_SSL, SSL_R_LENGTH_MISMATCH);
608
0
            goto end;
609
0
        }
610
611
        /*
612
         * Check if we have a cookie or not. If not we need to send a
613
         * HelloVerifyRequest.
614
         */
615
0
        if (PACKET_remaining(&cookiepkt) == 0) {
616
0
            next = LISTEN_SEND_VERIFY_REQUEST;
617
0
        } else {
618
            /*
619
             * We have a cookie, so lets check it.
620
             */
621
0
            if (ssl->ctx->app_verify_cookie_cb == NULL) {
622
0
                ERR_raise(ERR_LIB_SSL, SSL_R_NO_VERIFY_COOKIE_CALLBACK);
623
                /* This is fatal */
624
0
                ret = -1;
625
0
                goto end;
626
0
            }
627
0
            if (ssl->ctx->app_verify_cookie_cb(ssl, PACKET_data(&cookiepkt),
628
0
                    (unsigned int)PACKET_remaining(&cookiepkt)) == 0) {
629
                /*
630
                 * We treat invalid cookies in the same was as no cookie as
631
                 * per RFC6347
632
                 */
633
0
                next = LISTEN_SEND_VERIFY_REQUEST;
634
0
            } else {
635
                /* Cookie verification succeeded */
636
0
                next = LISTEN_SUCCESS;
637
0
            }
638
0
        }
639
640
0
        if (next == LISTEN_SEND_VERIFY_REQUEST) {
641
0
            WPACKET wpkt;
642
0
            unsigned int version;
643
0
            size_t wreclen;
644
645
            /*
646
             * There was no cookie in the ClientHello so we need to send a
647
             * HelloVerifyRequest. If this fails we do not worry about trying
648
             * to resend, we just drop it.
649
             */
650
651
            /* Generate the cookie */
652
0
            if (ssl->ctx->app_gen_cookie_cb == NULL ||
653
0
                ssl->ctx->app_gen_cookie_cb(ssl, cookie, &cookielen) == 0 ||
654
0
                cookielen > 255) {
655
0
                ERR_raise(ERR_LIB_SSL, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
656
                /* This is fatal */
657
0
                ret = -1;
658
0
                goto end;
659
0
            }
660
661
            /*
662
             * Special case: for hello verify request, client version 1.0 and we
663
             * haven't decided which version to use yet send back using version
664
             * 1.0 header: otherwise some clients will ignore it.
665
             */
666
0
            version = (ssl->method->version == DTLS_ANY_VERSION) ? DTLS1_VERSION
667
0
                                                                 : s->version;
668
669
            /* Construct the record and message headers */
670
0
            if (!WPACKET_init_static_len(&wpkt,
671
0
                                         wbuf,
672
0
                                         ssl_get_max_send_fragment(s)
673
0
                                         + DTLS1_RT_HEADER_LENGTH,
674
0
                                         0)
675
0
                    || !WPACKET_put_bytes_u8(&wpkt, SSL3_RT_HANDSHAKE)
676
0
                    || !WPACKET_put_bytes_u16(&wpkt, version)
677
                       /*
678
                        * Record sequence number is always the same as in the
679
                        * received ClientHello
680
                        */
681
0
                    || !WPACKET_memcpy(&wpkt, seq, SEQ_NUM_SIZE)
682
                       /* End of record, start sub packet for message */
683
0
                    || !WPACKET_start_sub_packet_u16(&wpkt)
684
                       /* Message type */
685
0
                    || !WPACKET_put_bytes_u8(&wpkt,
686
0
                                             DTLS1_MT_HELLO_VERIFY_REQUEST)
687
                       /*
688
                        * Message length - doesn't follow normal TLS convention:
689
                        * the length isn't the last thing in the message header.
690
                        * We'll need to fill this in later when we know the
691
                        * length. Set it to zero for now
692
                        */
693
0
                    || !WPACKET_put_bytes_u24(&wpkt, 0)
694
                       /*
695
                        * Message sequence number is always 0 for a
696
                        * HelloVerifyRequest
697
                        */
698
0
                    || !WPACKET_put_bytes_u16(&wpkt, 0)
699
                       /*
700
                        * We never fragment a HelloVerifyRequest, so fragment
701
                        * offset is 0
702
                        */
703
0
                    || !WPACKET_put_bytes_u24(&wpkt, 0)
704
                       /*
705
                        * Fragment length is the same as message length, but
706
                        * this *is* the last thing in the message header so we
707
                        * can just start a sub-packet. No need to come back
708
                        * later for this one.
709
                        */
710
0
                    || !WPACKET_start_sub_packet_u24(&wpkt)
711
                       /* Create the actual HelloVerifyRequest body */
712
0
                    || !dtls_raw_hello_verify_request(&wpkt, cookie, cookielen)
713
                       /* Close message body */
714
0
                    || !WPACKET_close(&wpkt)
715
                       /* Close record body */
716
0
                    || !WPACKET_close(&wpkt)
717
0
                    || !WPACKET_get_total_written(&wpkt, &wreclen)
718
0
                    || !WPACKET_finish(&wpkt)) {
719
0
                ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
720
0
                WPACKET_cleanup(&wpkt);
721
                /* This is fatal */
722
0
                ret = -1;
723
0
                goto end;
724
0
            }
725
726
            /*
727
             * Fix up the message len in the message header. Its the same as the
728
             * fragment len which has been filled in by WPACKET, so just copy
729
             * that. Destination for the message len is after the record header
730
             * plus one byte for the message content type. The source is the
731
             * last 3 bytes of the message header
732
             */
733
0
            memcpy(&wbuf[DTLS1_RT_HEADER_LENGTH + 1],
734
0
                   &wbuf[DTLS1_RT_HEADER_LENGTH + DTLS1_HM_HEADER_LENGTH - 3],
735
0
                   3);
736
737
0
            if (s->msg_callback)
738
0
                s->msg_callback(1, 0, SSL3_RT_HEADER, buf,
739
0
                                DTLS1_RT_HEADER_LENGTH, ssl,
740
0
                                s->msg_callback_arg);
741
742
0
            if ((tmpclient = BIO_ADDR_new()) == NULL) {
743
0
                ERR_raise(ERR_LIB_SSL, ERR_R_BIO_LIB);
744
0
                goto end;
745
0
            }
746
747
            /*
748
             * This is unnecessary if rbio and wbio are one and the same - but
749
             * maybe they're not. We ignore errors here - some BIOs do not
750
             * support this.
751
             */
752
0
            if (BIO_dgram_get_peer(rbio, tmpclient) > 0) {
753
0
                (void)BIO_dgram_set_peer(wbio, tmpclient);
754
0
            }
755
0
            BIO_ADDR_free(tmpclient);
756
0
            tmpclient = NULL;
757
758
0
            if (BIO_write(wbio, wbuf, wreclen) < (int)wreclen) {
759
0
                if (BIO_should_retry(wbio)) {
760
                    /*
761
                     * Non-blocking IO...but we're stateless, so we're just
762
                     * going to drop this packet.
763
                     */
764
0
                    goto end;
765
0
                }
766
0
                ret = -1;
767
0
                goto end;
768
0
            }
769
770
0
            if (BIO_flush(wbio) <= 0) {
771
0
                if (BIO_should_retry(wbio)) {
772
                    /*
773
                     * Non-blocking IO...but we're stateless, so we're just
774
                     * going to drop this packet.
775
                     */
776
0
                    goto end;
777
0
                }
778
0
                ret = -1;
779
0
                goto end;
780
0
            }
781
0
        }
782
0
    } while (next != LISTEN_SUCCESS);
783
784
    /*
785
     * Set expected sequence numbers to continue the handshake.
786
     */
787
0
    s->d1->handshake_read_seq = 1;
788
0
    s->d1->handshake_write_seq = 1;
789
0
    s->d1->next_handshake_write_seq = 1;
790
0
    s->rlayer.wrlmethod->increment_sequence_ctr(s->rlayer.wrl);
791
792
    /*
793
     * We are doing cookie exchange, so make sure we set that option in the
794
     * SSL object
795
     */
796
0
    SSL_set_options(ssl, SSL_OP_COOKIE_EXCHANGE);
797
798
    /*
799
     * Tell the state machine that we've done the initial hello verify
800
     * exchange
801
     */
802
0
    ossl_statem_set_hello_verify_done(s);
803
804
    /*
805
     * Some BIOs may not support this. If we fail we clear the client address
806
     */
807
0
    if (BIO_dgram_get_peer(rbio, client) <= 0)
808
0
        BIO_ADDR_clear(client);
809
810
    /* Buffer the record for use by the record layer */
811
0
    if (BIO_write(s->rlayer.rrlnext, buf, n) != n) {
812
0
        ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
813
0
        ret = -1;
814
0
        goto end;
815
0
    }
816
817
    /*
818
     * Reset the record layer - but this time we can use the record we just
819
     * buffered in s->rlayer.rrlnext
820
     */
821
0
    if (!ssl_set_new_record_layer(s,
822
0
                                  DTLS_ANY_VERSION,
823
0
                                  OSSL_RECORD_DIRECTION_READ,
824
0
                                  OSSL_RECORD_PROTECTION_LEVEL_NONE, NULL, 0,
825
0
                                  NULL, 0, NULL, 0, NULL,  0, NULL, 0,
826
0
                                  NID_undef, NULL, NULL, NULL)) {
827
        /* SSLfatal already called */
828
0
        ret = -1;
829
0
        goto end;
830
0
    }
831
832
0
    ret = 1;
833
0
 end:
834
0
    BIO_ADDR_free(tmpclient);
835
0
    OPENSSL_free(buf);
836
0
    OPENSSL_free(wbuf);
837
0
    return ret;
838
0
}
839
#endif
840
841
static int dtls1_handshake_write(SSL_CONNECTION *s)
842
0
{
843
0
    return dtls1_do_write(s, SSL3_RT_HANDSHAKE);
844
0
}
845
846
int dtls1_shutdown(SSL *s)
847
0
{
848
0
    int ret;
849
#ifndef OPENSSL_NO_SCTP
850
    BIO *wbio;
851
    SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL_ONLY(s);
852
853
    if (s == NULL)
854
        return -1;
855
856
    wbio = SSL_get_wbio(s);
857
    if (wbio != NULL && BIO_dgram_is_sctp(wbio) &&
858
        !(sc->shutdown & SSL_SENT_SHUTDOWN)) {
859
        ret = BIO_dgram_sctp_wait_for_dry(wbio);
860
        if (ret < 0)
861
            return -1;
862
863
        if (ret == 0)
864
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN, 1,
865
                     NULL);
866
    }
867
#endif
868
0
    ret = ssl3_shutdown(s);
869
#ifndef OPENSSL_NO_SCTP
870
    BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN, 0, NULL);
871
#endif
872
0
    return ret;
873
0
}
874
875
int dtls1_query_mtu(SSL_CONNECTION *s)
876
0
{
877
0
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);
878
879
0
    if (s->d1->link_mtu) {
880
0
        s->d1->mtu =
881
0
            s->d1->link_mtu - BIO_dgram_get_mtu_overhead(SSL_get_wbio(ssl));
882
0
        s->d1->link_mtu = 0;
883
0
    }
884
885
    /* AHA!  Figure out the MTU, and stick to the right size */
886
0
    if (s->d1->mtu < dtls1_min_mtu(s)) {
887
0
        if (!(SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) {
888
0
            s->d1->mtu =
889
0
                BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
890
891
            /*
892
             * I've seen the kernel return bogus numbers when it doesn't know
893
             * (initial write), so just make sure we have a reasonable number
894
             */
895
0
            if (s->d1->mtu < dtls1_min_mtu(s)) {
896
                /* Set to min mtu */
897
0
                s->d1->mtu = dtls1_min_mtu(s);
898
0
                BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SET_MTU,
899
0
                         (long)s->d1->mtu, NULL);
900
0
            }
901
0
        } else
902
0
            return 0;
903
0
    }
904
0
    return 1;
905
0
}
906
907
static size_t dtls1_link_min_mtu(void)
908
0
{
909
0
    return (g_probable_mtu[(sizeof(g_probable_mtu) /
910
0
                            sizeof(g_probable_mtu[0])) - 1]);
911
0
}
912
913
size_t dtls1_min_mtu(SSL_CONNECTION *s)
914
0
{
915
0
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);
916
917
0
    return dtls1_link_min_mtu() - BIO_dgram_get_mtu_overhead(SSL_get_wbio(ssl));
918
0
}
919
920
size_t DTLS_get_data_mtu(const SSL *ssl)
921
0
{
922
0
    size_t mac_overhead, int_overhead, blocksize, ext_overhead;
923
0
    const SSL_CIPHER *ciph = SSL_get_current_cipher(ssl);
924
0
    size_t mtu;
925
0
    const SSL_CONNECTION *s = SSL_CONNECTION_FROM_CONST_SSL_ONLY(ssl);
926
927
0
    if (s == NULL)
928
0
        return 0;
929
930
0
    mtu = s->d1->mtu;
931
932
0
    if (ciph == NULL)
933
0
        return 0;
934
935
0
    if (!ssl_cipher_get_overhead(ciph, &mac_overhead, &int_overhead,
936
0
                                 &blocksize, &ext_overhead))
937
0
        return 0;
938
939
0
    if (SSL_READ_ETM(s))
940
0
        ext_overhead += mac_overhead;
941
0
    else
942
0
        int_overhead += mac_overhead;
943
944
    /* Subtract external overhead (e.g. IV/nonce, separate MAC) */
945
0
    if (ext_overhead + DTLS1_RT_HEADER_LENGTH >= mtu)
946
0
        return 0;
947
0
    mtu -= ext_overhead + DTLS1_RT_HEADER_LENGTH;
948
949
    /* Round encrypted payload down to cipher block size (for CBC etc.)
950
     * No check for overflow since 'mtu % blocksize' cannot exceed mtu. */
951
0
    if (blocksize)
952
0
        mtu -= (mtu % blocksize);
953
954
    /* Subtract internal overhead (e.g. CBC padding len byte) */
955
0
    if (int_overhead >= mtu)
956
0
        return 0;
957
0
    mtu -= int_overhead;
958
959
0
    return mtu;
960
0
}
961
962
void DTLS_set_timer_cb(SSL *ssl, DTLS_timer_cb cb)
963
0
{
964
0
    SSL_CONNECTION *s = SSL_CONNECTION_FROM_SSL_ONLY(ssl);
965
966
0
    if (s == NULL)
967
0
        return;
968
969
0
    s->d1->timer_cb = cb;
970
0
}