1/* 2 * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10#include "e_os.h" 11#include <stdio.h> 12#include <openssl/objects.h> 13#include <openssl/rand.h> 14#include "ssl_local.h" 15 16static void get_current_time(struct timeval *t); 17static int dtls1_handshake_write(SSL *s); 18static size_t dtls1_link_min_mtu(void); 19 20/* XDTLS: figure out the right values */ 21static const size_t g_probable_mtu[] = { 1500, 512, 256 }; 22 23const SSL3_ENC_METHOD DTLSv1_enc_data = { 24 tls1_enc, 25 tls1_mac, 26 tls1_setup_key_block, 27 tls1_generate_master_secret, 28 tls1_change_cipher_state, 29 tls1_final_finish_mac, 30 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 31 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 32 tls1_alert_code, 33 tls1_export_keying_material, 34 SSL_ENC_FLAG_DTLS | SSL_ENC_FLAG_EXPLICIT_IV, 35 dtls1_set_handshake_header, 36 dtls1_close_construct_packet, 37 dtls1_handshake_write 38}; 39 40const SSL3_ENC_METHOD DTLSv1_2_enc_data = { 41 tls1_enc, 42 tls1_mac, 43 tls1_setup_key_block, 44 tls1_generate_master_secret, 45 tls1_change_cipher_state, 46 tls1_final_finish_mac, 47 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 48 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 49 tls1_alert_code, 50 tls1_export_keying_material, 51 SSL_ENC_FLAG_DTLS | SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS 52 | SSL_ENC_FLAG_SHA256_PRF | SSL_ENC_FLAG_TLS1_2_CIPHERS, 53 dtls1_set_handshake_header, 54 dtls1_close_construct_packet, 55 dtls1_handshake_write 56}; 57 58long dtls1_default_timeout(void) 59{ 60 /* 61 * 2 hours, the 24 hours mentioned in the DTLSv1 spec is way too long for 62 * http, the cache would over fill 63 */ 64 return (60 * 60 * 2); 65} 66 67int dtls1_new(SSL *s) 68{ 69 DTLS1_STATE *d1; 70 71 if (!DTLS_RECORD_LAYER_new(&s->rlayer)) { 72 return 0; 73 } 74 75 if (!ssl3_new(s)) 76 return 0; 77 if ((d1 = OPENSSL_zalloc(sizeof(*d1))) == NULL) { 78 ssl3_free(s); 79 return 0; 80 } 81 82 d1->buffered_messages = pqueue_new(); 83 d1->sent_messages = pqueue_new(); 84 85 if (s->server) { 86 d1->cookie_len = sizeof(s->d1->cookie); 87 } 88 89 d1->link_mtu = 0; 90 d1->mtu = 0; 91 92 if (d1->buffered_messages == NULL || d1->sent_messages == NULL) { 93 pqueue_free(d1->buffered_messages); 94 pqueue_free(d1->sent_messages); 95 OPENSSL_free(d1); 96 ssl3_free(s); 97 return 0; 98 } 99 100 s->d1 = d1; 101 102 if (!s->method->ssl_clear(s)) 103 return 0; 104 105 return 1; 106} 107 108static void dtls1_clear_queues(SSL *s) 109{ 110 dtls1_clear_received_buffer(s); 111 dtls1_clear_sent_buffer(s); 112} 113 114void dtls1_clear_received_buffer(SSL *s) 115{ 116 pitem *item = NULL; 117 hm_fragment *frag = NULL; 118 119 while ((item = pqueue_pop(s->d1->buffered_messages)) != NULL) { 120 frag = (hm_fragment *)item->data; 121 dtls1_hm_fragment_free(frag); 122 pitem_free(item); 123 } 124} 125 126void dtls1_clear_sent_buffer(SSL *s) 127{ 128 pitem *item = NULL; 129 hm_fragment *frag = NULL; 130 131 while ((item = pqueue_pop(s->d1->sent_messages)) != NULL) { 132 frag = (hm_fragment *)item->data; 133 dtls1_hm_fragment_free(frag); 134 pitem_free(item); 135 } 136} 137 138 139void dtls1_free(SSL *s) 140{ 141 DTLS_RECORD_LAYER_free(&s->rlayer); 142 143 ssl3_free(s); 144 145 if (s->d1 != NULL) { 146 dtls1_clear_queues(s); 147 pqueue_free(s->d1->buffered_messages); 148 pqueue_free(s->d1->sent_messages); 149 } 150 151 OPENSSL_free(s->d1); 152 s->d1 = NULL; 153} 154 155int dtls1_clear(SSL *s) 156{ 157 pqueue *buffered_messages; 158 pqueue *sent_messages; 159 size_t mtu; 160 size_t link_mtu; 161 162 DTLS_RECORD_LAYER_clear(&s->rlayer); 163 164 if (s->d1) { 165 DTLS_timer_cb timer_cb = s->d1->timer_cb; 166 167 buffered_messages = s->d1->buffered_messages; 168 sent_messages = s->d1->sent_messages; 169 mtu = s->d1->mtu; 170 link_mtu = s->d1->link_mtu; 171 172 dtls1_clear_queues(s); 173 174 memset(s->d1, 0, sizeof(*s->d1)); 175 176 /* Restore the timer callback from previous state */ 177 s->d1->timer_cb = timer_cb; 178 179 if (s->server) { 180 s->d1->cookie_len = sizeof(s->d1->cookie); 181 } 182 183 if (SSL_get_options(s) & SSL_OP_NO_QUERY_MTU) { 184 s->d1->mtu = mtu; 185 s->d1->link_mtu = link_mtu; 186 } 187 188 s->d1->buffered_messages = buffered_messages; 189 s->d1->sent_messages = sent_messages; 190 } 191 192 if (!ssl3_clear(s)) 193 return 0; 194 195 if (s->method->version == DTLS_ANY_VERSION) 196 s->version = DTLS_MAX_VERSION_INTERNAL; 197#ifndef OPENSSL_NO_DTLS1_METHOD 198 else if (s->options & SSL_OP_CISCO_ANYCONNECT) 199 s->client_version = s->version = DTLS1_BAD_VER; 200#endif 201 else 202 s->version = s->method->version; 203 204 return 1; 205} 206 207long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg) 208{ 209 int ret = 0; 210 211 switch (cmd) { 212 case DTLS_CTRL_GET_TIMEOUT: 213 if (dtls1_get_timeout(s, (struct timeval *)parg) != NULL) { 214 ret = 1; 215 } 216 break; 217 case DTLS_CTRL_HANDLE_TIMEOUT: 218 ret = dtls1_handle_timeout(s); 219 break; 220 case DTLS_CTRL_SET_LINK_MTU: 221 if (larg < (long)dtls1_link_min_mtu()) 222 return 0; 223 s->d1->link_mtu = larg; 224 return 1; 225 case DTLS_CTRL_GET_LINK_MIN_MTU: 226 return (long)dtls1_link_min_mtu(); 227 case SSL_CTRL_SET_MTU: 228 /* 229 * We may not have a BIO set yet so can't call dtls1_min_mtu() 230 * We'll have to make do with dtls1_link_min_mtu() and max overhead 231 */ 232 if (larg < (long)dtls1_link_min_mtu() - DTLS1_MAX_MTU_OVERHEAD) 233 return 0; 234 s->d1->mtu = larg; 235 return larg; 236 default: 237 ret = ssl3_ctrl(s, cmd, larg, parg); 238 break; 239 } 240 return ret; 241} 242 243void dtls1_start_timer(SSL *s) 244{ 245 unsigned int sec, usec; 246 247#ifndef OPENSSL_NO_SCTP 248 /* Disable timer for SCTP */ 249 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) { 250 memset(&s->d1->next_timeout, 0, sizeof(s->d1->next_timeout)); 251 return; 252 } 253#endif 254 255 /* 256 * If timer is not set, initialize duration with 1 second or 257 * a user-specified value if the timer callback is installed. 258 */ 259 if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) { 260 261 if (s->d1->timer_cb != NULL) 262 s->d1->timeout_duration_us = s->d1->timer_cb(s, 0); 263 else 264 s->d1->timeout_duration_us = 1000000; 265 } 266 267 /* Set timeout to current time */ 268 get_current_time(&(s->d1->next_timeout)); 269 270 /* Add duration to current time */ 271 272 sec = s->d1->timeout_duration_us / 1000000; 273 usec = s->d1->timeout_duration_us - (sec * 1000000); 274 275 s->d1->next_timeout.tv_sec += sec; 276 s->d1->next_timeout.tv_usec += usec; 277 278 if (s->d1->next_timeout.tv_usec >= 1000000) { 279 s->d1->next_timeout.tv_sec++; 280 s->d1->next_timeout.tv_usec -= 1000000; 281 } 282 283 BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, 284 &(s->d1->next_timeout)); 285} 286 287struct timeval *dtls1_get_timeout(SSL *s, struct timeval *timeleft) 288{ 289 struct timeval timenow; 290 291 /* If no timeout is set, just return NULL */ 292 if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) { 293 return NULL; 294 } 295 296 /* Get current time */ 297 get_current_time(&timenow); 298 299 /* If timer already expired, set remaining time to 0 */ 300 if (s->d1->next_timeout.tv_sec < timenow.tv_sec || 301 (s->d1->next_timeout.tv_sec == timenow.tv_sec && 302 s->d1->next_timeout.tv_usec <= timenow.tv_usec)) { 303 memset(timeleft, 0, sizeof(*timeleft)); 304 return timeleft; 305 } 306 307 /* Calculate time left until timer expires */ 308 memcpy(timeleft, &(s->d1->next_timeout), sizeof(struct timeval)); 309 timeleft->tv_sec -= timenow.tv_sec; 310 timeleft->tv_usec -= timenow.tv_usec; 311 if (timeleft->tv_usec < 0) { 312 timeleft->tv_sec--; 313 timeleft->tv_usec += 1000000; 314 } 315 316 /* 317 * If remaining time is less than 15 ms, set it to 0 to prevent issues 318 * because of small divergences with socket timeouts. 319 */ 320 if (timeleft->tv_sec == 0 && timeleft->tv_usec < 15000) { 321 memset(timeleft, 0, sizeof(*timeleft)); 322 } 323 324 return timeleft; 325} 326 327int dtls1_is_timer_expired(SSL *s) 328{ 329 struct timeval timeleft; 330 331 /* Get time left until timeout, return false if no timer running */ 332 if (dtls1_get_timeout(s, &timeleft) == NULL) { 333 return 0; 334 } 335 336 /* Return false if timer is not expired yet */ 337 if (timeleft.tv_sec > 0 || timeleft.tv_usec > 0) { 338 return 0; 339 } 340 341 /* Timer expired, so return true */ 342 return 1; 343} 344 345static void dtls1_double_timeout(SSL *s) 346{ 347 s->d1->timeout_duration_us *= 2; 348 if (s->d1->timeout_duration_us > 60000000) 349 s->d1->timeout_duration_us = 60000000; 350} 351 352void dtls1_stop_timer(SSL *s) 353{ 354 /* Reset everything */ 355 s->d1->timeout_num_alerts = 0; 356 memset(&s->d1->next_timeout, 0, sizeof(s->d1->next_timeout)); 357 s->d1->timeout_duration_us = 1000000; 358 BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, 359 &(s->d1->next_timeout)); 360 /* Clear retransmission buffer */ 361 dtls1_clear_sent_buffer(s); 362} 363 364int dtls1_check_timeout_num(SSL *s) 365{ 366 size_t mtu; 367 368 s->d1->timeout_num_alerts++; 369 370 /* Reduce MTU after 2 unsuccessful retransmissions */ 371 if (s->d1->timeout_num_alerts > 2 372 && !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) { 373 mtu = 374 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL); 375 if (mtu < s->d1->mtu) 376 s->d1->mtu = mtu; 377 } 378 379 if (s->d1->timeout_num_alerts > DTLS1_TMO_ALERT_COUNT) { 380 /* fail the connection, enough alerts have been sent */ 381 SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_READ_TIMEOUT_EXPIRED); 382 return -1; 383 } 384 385 return 0; 386} 387 388int dtls1_handle_timeout(SSL *s) 389{ 390 /* if no timer is expired, don't do anything */ 391 if (!dtls1_is_timer_expired(s)) { 392 return 0; 393 } 394 395 if (s->d1->timer_cb != NULL) 396 s->d1->timeout_duration_us = s->d1->timer_cb(s, s->d1->timeout_duration_us); 397 else 398 dtls1_double_timeout(s); 399 400 if (dtls1_check_timeout_num(s) < 0) { 401 /* SSLfatal() already called */ 402 return -1; 403 } 404 405 dtls1_start_timer(s); 406 /* Calls SSLfatal() if required */ 407 return dtls1_retransmit_buffered_messages(s); 408} 409 410static void get_current_time(struct timeval *t) 411{ 412#if defined(_WIN32) 413 SYSTEMTIME st; 414 union { 415 unsigned __int64 ul; 416 FILETIME ft; 417 } now; 418 419 GetSystemTime(&st); 420 SystemTimeToFileTime(&st, &now.ft); 421 /* re-bias to 1/1/1970 */ 422# ifdef __MINGW32__ 423 now.ul -= 116444736000000000ULL; 424# else 425 /* *INDENT-OFF* */ 426 now.ul -= 116444736000000000UI64; 427 /* *INDENT-ON* */ 428# endif 429 t->tv_sec = (long)(now.ul / 10000000); 430 t->tv_usec = ((int)(now.ul % 10000000)) / 10; 431#else 432 gettimeofday(t, NULL); 433#endif 434} 435 436#define LISTEN_SUCCESS 2 437#define LISTEN_SEND_VERIFY_REQUEST 1 438 439#ifndef OPENSSL_NO_SOCK 440int DTLSv1_listen(SSL *s, BIO_ADDR *client) 441{ 442 int next, n, ret = 0; 443 unsigned char cookie[DTLS1_COOKIE_LENGTH]; 444 unsigned char seq[SEQ_NUM_SIZE]; 445 const unsigned char *data; 446 unsigned char *buf, *wbuf; 447 size_t fragoff, fraglen, msglen, reclen, align = 0; 448 unsigned int rectype, versmajor, msgseq, msgtype, clientvers, cookielen; 449 BIO *rbio, *wbio; 450 BIO_ADDR *tmpclient = NULL; 451 PACKET pkt, msgpkt, msgpayload, session, cookiepkt; 452 453 if (s->handshake_func == NULL) { 454 /* Not properly initialized yet */ 455 SSL_set_accept_state(s); 456 } 457 458 /* Ensure there is no state left over from a previous invocation */ 459 if (!SSL_clear(s)) 460 return -1; 461 462 ERR_clear_error(); 463 464 rbio = SSL_get_rbio(s); 465 wbio = SSL_get_wbio(s); 466 467 if (!rbio || !wbio) { 468 ERR_raise(ERR_LIB_SSL, SSL_R_BIO_NOT_SET); 469 return -1; 470 } 471 472 /* 473 * Note: This check deliberately excludes DTLS1_BAD_VER because that version 474 * requires the MAC to be calculated *including* the first ClientHello 475 * (without the cookie). Since DTLSv1_listen is stateless that cannot be 476 * supported. DTLS1_BAD_VER must use cookies in a stateful manner (e.g. via 477 * SSL_accept) 478 */ 479 if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) { 480 ERR_raise(ERR_LIB_SSL, SSL_R_UNSUPPORTED_SSL_VERSION); 481 return -1; 482 } 483 484 if (!ssl3_setup_buffers(s)) { 485 /* ERR_raise() already called */ 486 return -1; 487 } 488 buf = RECORD_LAYER_get_rbuf(&s->rlayer)->buf; 489 wbuf = RECORD_LAYER_get_wbuf(&s->rlayer)[0].buf; 490#if defined(SSL3_ALIGN_PAYLOAD) 491# if SSL3_ALIGN_PAYLOAD != 0 492 /* 493 * Using SSL3_RT_HEADER_LENGTH here instead of DTLS1_RT_HEADER_LENGTH for 494 * consistency with ssl3_read_n. In practice it should make no difference 495 * for sensible values of SSL3_ALIGN_PAYLOAD because the difference between 496 * SSL3_RT_HEADER_LENGTH and DTLS1_RT_HEADER_LENGTH is exactly 8 497 */ 498 align = (size_t)buf + SSL3_RT_HEADER_LENGTH; 499 align = SSL3_ALIGN_PAYLOAD - 1 - ((align - 1) % SSL3_ALIGN_PAYLOAD); 500# endif 501#endif 502 buf += align; 503 504 do { 505 /* Get a packet */ 506 507 clear_sys_error(); 508 n = BIO_read(rbio, buf, SSL3_RT_MAX_PLAIN_LENGTH 509 + DTLS1_RT_HEADER_LENGTH); 510 if (n <= 0) { 511 if (BIO_should_retry(rbio)) { 512 /* Non-blocking IO */ 513 goto end; 514 } 515 return -1; 516 } 517 518 if (!PACKET_buf_init(&pkt, buf, n)) { 519 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); 520 return -1; 521 } 522 523 /* 524 * Parse the received record. If there are any problems with it we just 525 * dump it - with no alert. RFC6347 says this "Unlike TLS, DTLS is 526 * resilient in the face of invalid records (e.g., invalid formatting, 527 * length, MAC, etc.). In general, invalid records SHOULD be silently 528 * discarded, thus preserving the association; however, an error MAY be 529 * logged for diagnostic purposes." 530 */ 531 532 /* this packet contained a partial record, dump it */ 533 if (n < DTLS1_RT_HEADER_LENGTH) { 534 ERR_raise(ERR_LIB_SSL, SSL_R_RECORD_TOO_SMALL); 535 goto end; 536 } 537 538 if (s->msg_callback) 539 s->msg_callback(0, 0, SSL3_RT_HEADER, buf, 540 DTLS1_RT_HEADER_LENGTH, s, s->msg_callback_arg); 541 542 /* Get the record header */ 543 if (!PACKET_get_1(&pkt, &rectype) 544 || !PACKET_get_1(&pkt, &versmajor)) { 545 ERR_raise(ERR_LIB_SSL, SSL_R_LENGTH_MISMATCH); 546 goto end; 547 } 548 549 if (rectype != SSL3_RT_HANDSHAKE) { 550 ERR_raise(ERR_LIB_SSL, SSL_R_UNEXPECTED_MESSAGE); 551 goto end; 552 } 553 554 /* 555 * Check record version number. We only check that the major version is 556 * the same. 557 */ 558 if (versmajor != DTLS1_VERSION_MAJOR) { 559 ERR_raise(ERR_LIB_SSL, SSL_R_BAD_PROTOCOL_VERSION_NUMBER); 560 goto end; 561 } 562 563 if (!PACKET_forward(&pkt, 1) 564 /* Save the sequence number: 64 bits, with top 2 bytes = epoch */ 565 || !PACKET_copy_bytes(&pkt, seq, SEQ_NUM_SIZE) 566 || !PACKET_get_length_prefixed_2(&pkt, &msgpkt)) { 567 ERR_raise(ERR_LIB_SSL, SSL_R_LENGTH_MISMATCH); 568 goto end; 569 } 570 reclen = PACKET_remaining(&msgpkt); 571 /* 572 * We allow data remaining at the end of the packet because there could 573 * be a second record (but we ignore it) 574 */ 575 576 /* This is an initial ClientHello so the epoch has to be 0 */ 577 if (seq[0] != 0 || seq[1] != 0) { 578 ERR_raise(ERR_LIB_SSL, SSL_R_UNEXPECTED_MESSAGE); 579 goto end; 580 } 581 582 /* Get a pointer to the raw message for the later callback */ 583 data = PACKET_data(&msgpkt); 584 585 /* Finished processing the record header, now process the message */ 586 if (!PACKET_get_1(&msgpkt, &msgtype) 587 || !PACKET_get_net_3_len(&msgpkt, &msglen) 588 || !PACKET_get_net_2(&msgpkt, &msgseq) 589 || !PACKET_get_net_3_len(&msgpkt, &fragoff) 590 || !PACKET_get_net_3_len(&msgpkt, &fraglen) 591 || !PACKET_get_sub_packet(&msgpkt, &msgpayload, fraglen) 592 || PACKET_remaining(&msgpkt) != 0) { 593 ERR_raise(ERR_LIB_SSL, SSL_R_LENGTH_MISMATCH); 594 goto end; 595 } 596 597 if (msgtype != SSL3_MT_CLIENT_HELLO) { 598 ERR_raise(ERR_LIB_SSL, SSL_R_UNEXPECTED_MESSAGE); 599 goto end; 600 } 601 602 /* Message sequence number can only be 0 or 1 */ 603 if (msgseq > 2) { 604 ERR_raise(ERR_LIB_SSL, SSL_R_INVALID_SEQUENCE_NUMBER); 605 goto end; 606 } 607 608 /* 609 * We don't support fragment reassembly for ClientHellos whilst 610 * listening because that would require server side state (which is 611 * against the whole point of the ClientHello/HelloVerifyRequest 612 * mechanism). Instead we only look at the first ClientHello fragment 613 * and require that the cookie must be contained within it. 614 */ 615 if (fragoff != 0 || fraglen > msglen) { 616 /* Non initial ClientHello fragment (or bad fragment) */ 617 ERR_raise(ERR_LIB_SSL, SSL_R_FRAGMENTED_CLIENT_HELLO); 618 goto end; 619 } 620 621 if (s->msg_callback) 622 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, data, 623 fraglen + DTLS1_HM_HEADER_LENGTH, s, 624 s->msg_callback_arg); 625 626 if (!PACKET_get_net_2(&msgpayload, &clientvers)) { 627 ERR_raise(ERR_LIB_SSL, SSL_R_LENGTH_MISMATCH); 628 goto end; 629 } 630 631 /* 632 * Verify client version is supported 633 */ 634 if (DTLS_VERSION_LT(clientvers, (unsigned int)s->method->version) && 635 s->method->version != DTLS_ANY_VERSION) { 636 ERR_raise(ERR_LIB_SSL, SSL_R_WRONG_VERSION_NUMBER); 637 goto end; 638 } 639 640 if (!PACKET_forward(&msgpayload, SSL3_RANDOM_SIZE) 641 || !PACKET_get_length_prefixed_1(&msgpayload, &session) 642 || !PACKET_get_length_prefixed_1(&msgpayload, &cookiepkt)) { 643 /* 644 * Could be malformed or the cookie does not fit within the initial 645 * ClientHello fragment. Either way we can't handle it. 646 */ 647 ERR_raise(ERR_LIB_SSL, SSL_R_LENGTH_MISMATCH); 648 goto end; 649 } 650 651 /* 652 * Check if we have a cookie or not. If not we need to send a 653 * HelloVerifyRequest. 654 */ 655 if (PACKET_remaining(&cookiepkt) == 0) { 656 next = LISTEN_SEND_VERIFY_REQUEST; 657 } else { 658 /* 659 * We have a cookie, so lets check it. 660 */ 661 if (s->ctx->app_verify_cookie_cb == NULL) { 662 ERR_raise(ERR_LIB_SSL, SSL_R_NO_VERIFY_COOKIE_CALLBACK); 663 /* This is fatal */ 664 return -1; 665 } 666 if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&cookiepkt), 667 (unsigned int)PACKET_remaining(&cookiepkt)) == 0) { 668 /* 669 * We treat invalid cookies in the same was as no cookie as 670 * per RFC6347 671 */ 672 next = LISTEN_SEND_VERIFY_REQUEST; 673 } else { 674 /* Cookie verification succeeded */ 675 next = LISTEN_SUCCESS; 676 } 677 } 678 679 if (next == LISTEN_SEND_VERIFY_REQUEST) { 680 WPACKET wpkt; 681 unsigned int version; 682 size_t wreclen; 683 684 /* 685 * There was no cookie in the ClientHello so we need to send a 686 * HelloVerifyRequest. If this fails we do not worry about trying 687 * to resend, we just drop it. 688 */ 689 690 /* Generate the cookie */ 691 if (s->ctx->app_gen_cookie_cb == NULL || 692 s->ctx->app_gen_cookie_cb(s, cookie, &cookielen) == 0 || 693 cookielen > 255) { 694 ERR_raise(ERR_LIB_SSL, SSL_R_COOKIE_GEN_CALLBACK_FAILURE); 695 /* This is fatal */ 696 return -1; 697 } 698 699 /* 700 * Special case: for hello verify request, client version 1.0 and we 701 * haven't decided which version to use yet send back using version 702 * 1.0 header: otherwise some clients will ignore it. 703 */ 704 version = (s->method->version == DTLS_ANY_VERSION) ? DTLS1_VERSION 705 : s->version; 706 707 /* Construct the record and message headers */ 708 if (!WPACKET_init_static_len(&wpkt, 709 wbuf, 710 ssl_get_max_send_fragment(s) 711 + DTLS1_RT_HEADER_LENGTH, 712 0) 713 || !WPACKET_put_bytes_u8(&wpkt, SSL3_RT_HANDSHAKE) 714 || !WPACKET_put_bytes_u16(&wpkt, version) 715 /* 716 * Record sequence number is always the same as in the 717 * received ClientHello 718 */ 719 || !WPACKET_memcpy(&wpkt, seq, SEQ_NUM_SIZE) 720 /* End of record, start sub packet for message */ 721 || !WPACKET_start_sub_packet_u16(&wpkt) 722 /* Message type */ 723 || !WPACKET_put_bytes_u8(&wpkt, 724 DTLS1_MT_HELLO_VERIFY_REQUEST) 725 /* 726 * Message length - doesn't follow normal TLS convention: 727 * the length isn't the last thing in the message header. 728 * We'll need to fill this in later when we know the 729 * length. Set it to zero for now 730 */ 731 || !WPACKET_put_bytes_u24(&wpkt, 0) 732 /* 733 * Message sequence number is always 0 for a 734 * HelloVerifyRequest 735 */ 736 || !WPACKET_put_bytes_u16(&wpkt, 0) 737 /* 738 * We never fragment a HelloVerifyRequest, so fragment 739 * offset is 0 740 */ 741 || !WPACKET_put_bytes_u24(&wpkt, 0) 742 /* 743 * Fragment length is the same as message length, but 744 * this *is* the last thing in the message header so we 745 * can just start a sub-packet. No need to come back 746 * later for this one. 747 */ 748 || !WPACKET_start_sub_packet_u24(&wpkt) 749 /* Create the actual HelloVerifyRequest body */ 750 || !dtls_raw_hello_verify_request(&wpkt, cookie, cookielen) 751 /* Close message body */ 752 || !WPACKET_close(&wpkt) 753 /* Close record body */ 754 || !WPACKET_close(&wpkt) 755 || !WPACKET_get_total_written(&wpkt, &wreclen) 756 || !WPACKET_finish(&wpkt)) { 757 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); 758 WPACKET_cleanup(&wpkt); 759 /* This is fatal */ 760 return -1; 761 } 762 763 /* 764 * Fix up the message len in the message header. Its the same as the 765 * fragment len which has been filled in by WPACKET, so just copy 766 * that. Destination for the message len is after the record header 767 * plus one byte for the message content type. The source is the 768 * last 3 bytes of the message header 769 */ 770 memcpy(&wbuf[DTLS1_RT_HEADER_LENGTH + 1], 771 &wbuf[DTLS1_RT_HEADER_LENGTH + DTLS1_HM_HEADER_LENGTH - 3], 772 3); 773 774 if (s->msg_callback) 775 s->msg_callback(1, 0, SSL3_RT_HEADER, buf, 776 DTLS1_RT_HEADER_LENGTH, s, s->msg_callback_arg); 777 778 if ((tmpclient = BIO_ADDR_new()) == NULL) { 779 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 780 goto end; 781 } 782 783 /* 784 * This is unnecessary if rbio and wbio are one and the same - but 785 * maybe they're not. We ignore errors here - some BIOs do not 786 * support this. 787 */ 788 if (BIO_dgram_get_peer(rbio, tmpclient) > 0) { 789 (void)BIO_dgram_set_peer(wbio, tmpclient); 790 } 791 BIO_ADDR_free(tmpclient); 792 tmpclient = NULL; 793 794 if (BIO_write(wbio, wbuf, wreclen) < (int)wreclen) { 795 if (BIO_should_retry(wbio)) { 796 /* 797 * Non-blocking IO...but we're stateless, so we're just 798 * going to drop this packet. 799 */ 800 goto end; 801 } 802 return -1; 803 } 804 805 if (BIO_flush(wbio) <= 0) { 806 if (BIO_should_retry(wbio)) { 807 /* 808 * Non-blocking IO...but we're stateless, so we're just 809 * going to drop this packet. 810 */ 811 goto end; 812 } 813 return -1; 814 } 815 } 816 } while (next != LISTEN_SUCCESS); 817 818 /* 819 * Set expected sequence numbers to continue the handshake. 820 */ 821 s->d1->handshake_read_seq = 1; 822 s->d1->handshake_write_seq = 1; 823 s->d1->next_handshake_write_seq = 1; 824 DTLS_RECORD_LAYER_set_write_sequence(&s->rlayer, seq); 825 826 /* 827 * We are doing cookie exchange, so make sure we set that option in the 828 * SSL object 829 */ 830 SSL_set_options(s, SSL_OP_COOKIE_EXCHANGE); 831 832 /* 833 * Tell the state machine that we've done the initial hello verify 834 * exchange 835 */ 836 ossl_statem_set_hello_verify_done(s); 837 838 /* 839 * Some BIOs may not support this. If we fail we clear the client address 840 */ 841 if (BIO_dgram_get_peer(rbio, client) <= 0) 842 BIO_ADDR_clear(client); 843 844 /* Buffer the record in the processed_rcds queue */ 845 if (!dtls_buffer_listen_record(s, reclen, seq, align)) 846 return -1; 847 848 ret = 1; 849 end: 850 BIO_ADDR_free(tmpclient); 851 return ret; 852} 853#endif 854 855static int dtls1_handshake_write(SSL *s) 856{ 857 return dtls1_do_write(s, SSL3_RT_HANDSHAKE); 858} 859 860int dtls1_shutdown(SSL *s) 861{ 862 int ret; 863#ifndef OPENSSL_NO_SCTP 864 BIO *wbio; 865 866 wbio = SSL_get_wbio(s); 867 if (wbio != NULL && BIO_dgram_is_sctp(wbio) && 868 !(s->shutdown & SSL_SENT_SHUTDOWN)) { 869 ret = BIO_dgram_sctp_wait_for_dry(wbio); 870 if (ret < 0) 871 return -1; 872 873 if (ret == 0) 874 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN, 1, 875 NULL); 876 } 877#endif 878 ret = ssl3_shutdown(s); 879#ifndef OPENSSL_NO_SCTP 880 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN, 0, NULL); 881#endif 882 return ret; 883} 884 885int dtls1_query_mtu(SSL *s) 886{ 887 if (s->d1->link_mtu) { 888 s->d1->mtu = 889 s->d1->link_mtu - BIO_dgram_get_mtu_overhead(SSL_get_wbio(s)); 890 s->d1->link_mtu = 0; 891 } 892 893 /* AHA! Figure out the MTU, and stick to the right size */ 894 if (s->d1->mtu < dtls1_min_mtu(s)) { 895 if (!(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) { 896 s->d1->mtu = 897 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL); 898 899 /* 900 * I've seen the kernel return bogus numbers when it doesn't know 901 * (initial write), so just make sure we have a reasonable number 902 */ 903 if (s->d1->mtu < dtls1_min_mtu(s)) { 904 /* Set to min mtu */ 905 s->d1->mtu = dtls1_min_mtu(s); 906 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SET_MTU, 907 (long)s->d1->mtu, NULL); 908 } 909 } else 910 return 0; 911 } 912 return 1; 913} 914 915static size_t dtls1_link_min_mtu(void) 916{ 917 return (g_probable_mtu[(sizeof(g_probable_mtu) / 918 sizeof(g_probable_mtu[0])) - 1]); 919} 920 921size_t dtls1_min_mtu(SSL *s) 922{ 923 return dtls1_link_min_mtu() - BIO_dgram_get_mtu_overhead(SSL_get_wbio(s)); 924} 925 926size_t DTLS_get_data_mtu(const SSL *s) 927{ 928 size_t mac_overhead, int_overhead, blocksize, ext_overhead; 929 const SSL_CIPHER *ciph = SSL_get_current_cipher(s); 930 size_t mtu = s->d1->mtu; 931 932 if (ciph == NULL) 933 return 0; 934 935 if (!ssl_cipher_get_overhead(ciph, &mac_overhead, &int_overhead, 936 &blocksize, &ext_overhead)) 937 return 0; 938 939 if (SSL_READ_ETM(s)) 940 ext_overhead += mac_overhead; 941 else 942 int_overhead += mac_overhead; 943 944 /* Subtract external overhead (e.g. IV/nonce, separate MAC) */ 945 if (ext_overhead + DTLS1_RT_HEADER_LENGTH >= mtu) 946 return 0; 947 mtu -= ext_overhead + DTLS1_RT_HEADER_LENGTH; 948 949 /* Round encrypted payload down to cipher block size (for CBC etc.) 950 * No check for overflow since 'mtu % blocksize' cannot exceed mtu. */ 951 if (blocksize) 952 mtu -= (mtu % blocksize); 953 954 /* Subtract internal overhead (e.g. CBC padding len byte) */ 955 if (int_overhead >= mtu) 956 return 0; 957 mtu -= int_overhead; 958 959 return mtu; 960} 961 962void DTLS_set_timer_cb(SSL *s, DTLS_timer_cb cb) 963{ 964 s->d1->timer_cb = cb; 965} 966