d1_lib.c 15.2 KB
Newer Older
B
Ben Laurie 已提交
1
/* ssl/d1_lib.c */
2
/*
B
Ben Laurie 已提交
3
 * DTLS implementation written by Nagendra Modadugu
4
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
B
Ben Laurie 已提交
5 6 7 8 9 10 11 12 13
 */
/* ====================================================================
 * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
14
 *    notice, this list of conditions and the following disclaimer.
B
Ben Laurie 已提交
15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

#include <stdio.h>
61
#define USE_SOCKETS
B
Ben Laurie 已提交
62 63 64
#include <openssl/objects.h>
#include "ssl_locl.h"

A
Andy Polyakov 已提交
65
#if defined(OPENSSL_SYS_VMS)
66
# include <sys/timeb.h>
67 68 69 70 71 72
#elif defined(OPENSSL_SYS_NETWARE) && !defined(_WINSOCK2API_)
# include <sys/timeval.h>
#elif defined(OPENSSL_SYS_VXWORKS)
# include <sys/times.h>
#elif !defined(OPENSSL_SYS_WIN32)
# include <sys/time.h>
D
Dr. Stephen Henson 已提交
73 74 75
#endif

static void get_current_time(struct timeval *t);
M
Matt Caswell 已提交
76
static int dtls1_set_handshake_header(SSL *s, int type, unsigned long len);
D
Dr. Stephen Henson 已提交
77
static int dtls1_handshake_write(SSL *s);
D
Dr. Stephen Henson 已提交
78
int dtls1_listen(SSL *s, struct sockaddr *client);
B
Ben Laurie 已提交
79

80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117
const SSL3_ENC_METHOD DTLSv1_enc_data = {
    tls1_enc,
    tls1_mac,
    tls1_setup_key_block,
    tls1_generate_master_secret,
    tls1_change_cipher_state,
    tls1_final_finish_mac,
    TLS1_FINISH_MAC_LENGTH,
    tls1_cert_verify_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls1_alert_code,
    tls1_export_keying_material,
    SSL_ENC_FLAG_DTLS | SSL_ENC_FLAG_EXPLICIT_IV,
    DTLS1_HM_HEADER_LENGTH,
    dtls1_set_handshake_header,
    dtls1_handshake_write
};

const SSL3_ENC_METHOD DTLSv1_2_enc_data = {
    tls1_enc,
    tls1_mac,
    tls1_setup_key_block,
    tls1_generate_master_secret,
    tls1_change_cipher_state,
    tls1_final_finish_mac,
    TLS1_FINISH_MAC_LENGTH,
    tls1_cert_verify_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls1_alert_code,
    tls1_export_keying_material,
    SSL_ENC_FLAG_DTLS | SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS
        | SSL_ENC_FLAG_SHA256_PRF | SSL_ENC_FLAG_TLS1_2_CIPHERS,
    DTLS1_HM_HEADER_LENGTH,
    dtls1_set_handshake_header,
    dtls1_handshake_write
};
118

119
long dtls1_default_timeout(void)
120 121 122 123 124 125 126
{
    /*
     * 2 hours, the 24 hours mentioned in the DTLSv1 spec is way too long for
     * http, the cache would over fill
     */
    return (60 * 60 * 2);
}
B
Ben Laurie 已提交
127 128

int dtls1_new(SSL *s)
129 130 131
{
    DTLS1_STATE *d1;

V
Viktor Dukhovni 已提交
132
    if (!DTLS_RECORD_LAYER_new(&s->rlayer)) {
M
Matt Caswell 已提交
133 134 135
        return 0;
    }
    
136 137
    if (!ssl3_new(s))
        return (0);
R
Rich Salz 已提交
138
    if ((d1 = OPENSSL_zalloc(sizeof(*d1))) == NULL) {
139 140 141 142 143 144 145 146 147 148 149 150 151 152
        ssl3_free(s);
        return (0);
    }

    d1->buffered_messages = pqueue_new();
    d1->sent_messages = pqueue_new();

    if (s->server) {
        d1->cookie_len = sizeof(s->d1->cookie);
    }

    d1->link_mtu = 0;
    d1->mtu = 0;

153
    if (!d1->buffered_messages || !d1->sent_messages) {
R
Rich Salz 已提交
154 155
        pqueue_free(d1->buffered_messages);
        pqueue_free(d1->sent_messages);
156 157 158 159 160 161 162 163 164
        OPENSSL_free(d1);
        ssl3_free(s);
        return (0);
    }

    s->d1 = d1;
    s->method->ssl_clear(s);
    return (1);
}
B
Ben Laurie 已提交
165

D
Dr. Stephen Henson 已提交
166
static void dtls1_clear_queues(SSL *s)
167
{
B
Ben Laurie 已提交
168 169
    pitem *item = NULL;
    hm_fragment *frag = NULL;
170 171

    while ((item = pqueue_pop(s->d1->buffered_messages)) != NULL) {
B
Ben Laurie 已提交
172
        frag = (hm_fragment *)item->data;
173
        dtls1_hm_fragment_free(frag);
B
Ben Laurie 已提交
174
        pitem_free(item);
175
    }
B
Ben Laurie 已提交
176

177
    while ((item = pqueue_pop(s->d1->sent_messages)) != NULL) {
B
Ben Laurie 已提交
178
        frag = (hm_fragment *)item->data;
179
        dtls1_hm_fragment_free(frag);
B
Ben Laurie 已提交
180
        pitem_free(item);
181 182
    }
}
D
Dr. Stephen Henson 已提交
183 184

void dtls1_free(SSL *s)
185
{
186 187
    DTLS_RECORD_LAYER_free(&s->rlayer);

188
    ssl3_free(s);
D
Dr. Stephen Henson 已提交
189

190
    dtls1_clear_queues(s);
D
Dr. Stephen Henson 已提交
191 192

    pqueue_free(s->d1->buffered_messages);
193
    pqueue_free(s->d1->sent_messages);
D
Dr. Stephen Henson 已提交
194

195 196 197
    OPENSSL_free(s->d1);
    s->d1 = NULL;
}
B
Ben Laurie 已提交
198 199

void dtls1_clear(SSL *s)
200
{
D
Dr. Stephen Henson 已提交
201
    pqueue buffered_messages;
202 203 204 205
    pqueue sent_messages;
    unsigned int mtu;
    unsigned int link_mtu;

206 207
    DTLS_RECORD_LAYER_clear(&s->rlayer);

208 209 210 211 212 213 214 215
    if (s->d1) {
        buffered_messages = s->d1->buffered_messages;
        sent_messages = s->d1->sent_messages;
        mtu = s->d1->mtu;
        link_mtu = s->d1->link_mtu;

        dtls1_clear_queues(s);

216
        memset(s->d1, 0, sizeof(*s->d1));
217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232

        if (s->server) {
            s->d1->cookie_len = sizeof(s->d1->cookie);
        }

        if (SSL_get_options(s) & SSL_OP_NO_QUERY_MTU) {
            s->d1->mtu = mtu;
            s->d1->link_mtu = link_mtu;
        }

        s->d1->buffered_messages = buffered_messages;
        s->d1->sent_messages = sent_messages;
    }

    ssl3_clear(s);
    if (s->options & SSL_OP_CISCO_ANYCONNECT)
233
        s->client_version = s->version = DTLS1_BAD_VER;
234 235 236 237 238
    else if (s->method->version == DTLS_ANY_VERSION)
        s->version = DTLS1_2_VERSION;
    else
        s->version = s->method->version;
}
A
Andy Polyakov 已提交
239

D
Dr. Stephen Henson 已提交
240
long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268
{
    int ret = 0;

    switch (cmd) {
    case DTLS_CTRL_GET_TIMEOUT:
        if (dtls1_get_timeout(s, (struct timeval *)parg) != NULL) {
            ret = 1;
        }
        break;
    case DTLS_CTRL_HANDLE_TIMEOUT:
        ret = dtls1_handle_timeout(s);
        break;
    case DTLS_CTRL_LISTEN:
        ret = dtls1_listen(s, parg);
        break;
    case SSL_CTRL_CHECK_PROTO_VERSION:
        /*
         * For library-internal use; checks that the current protocol is the
         * highest enabled version (according to s->ctx->method, as version
         * negotiation may have changed s->method).
         */
        if (s->version == s->ctx->method->version)
            return 1;
        /*
         * Apparently we're using a version-flexible SSL_METHOD (not at its
         * highest protocol version).
         */
        if (s->ctx->method->version == DTLS_method()->version) {
B
Bodo Moeller 已提交
269
#if DTLS_MAX_VERSION != DTLS1_2_VERSION
270
# error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
B
Bodo Moeller 已提交
271
#endif
272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299
            if (!(s->options & SSL_OP_NO_DTLSv1_2))
                return s->version == DTLS1_2_VERSION;
            if (!(s->options & SSL_OP_NO_DTLSv1))
                return s->version == DTLS1_VERSION;
        }
        return 0;               /* Unexpected state; fail closed. */
    case DTLS_CTRL_SET_LINK_MTU:
        if (larg < (long)dtls1_link_min_mtu())
            return 0;
        s->d1->link_mtu = larg;
        return 1;
    case DTLS_CTRL_GET_LINK_MIN_MTU:
        return (long)dtls1_link_min_mtu();
    case SSL_CTRL_SET_MTU:
        /*
         *  We may not have a BIO set yet so can't call dtls1_min_mtu()
         *  We'll have to make do with dtls1_link_min_mtu() and max overhead
         */
        if (larg < (long)dtls1_link_min_mtu() - DTLS1_MAX_MTU_OVERHEAD)
            return 0;
        s->d1->mtu = larg;
        return larg;
    default:
        ret = ssl3_ctrl(s, cmd, larg, parg);
        break;
    }
    return (ret);
}
D
Dr. Stephen Henson 已提交
300

A
Andy Polyakov 已提交
301 302 303 304 305 306 307
/*
 * As it's impossible to use stream ciphers in "datagram" mode, this
 * simple filter is designed to disengage them in DTLS. Unfortunately
 * there is no universal way to identify stream SSL_CIPHER, so we have
 * to explicitly list their SSL_* codes. Currently RC4 is the only one
 * available, but if new ones emerge, they will have to be added...
 */
308
const SSL_CIPHER *dtls1_get_cipher(unsigned int u)
309 310
{
    const SSL_CIPHER *ciph = ssl3_get_cipher(u);
A
Andy Polyakov 已提交
311

312 313 314 315
    if (ciph != NULL) {
        if (ciph->algorithm_enc == SSL_RC4)
            return NULL;
    }
A
Andy Polyakov 已提交
316

317 318
    return ciph;
}
D
Dr. Stephen Henson 已提交
319 320

void dtls1_start_timer(SSL *s)
321
{
D
Dr. Stephen Henson 已提交
322
#ifndef OPENSSL_NO_SCTP
323 324
    /* Disable timer for SCTP */
    if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
325
        memset(&s->d1->next_timeout, 0, sizeof(s->d1->next_timeout));
326 327
        return;
    }
D
Dr. Stephen Henson 已提交
328 329
#endif

330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359
    /* If timer is not set, initialize duration with 1 second */
    if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) {
        s->d1->timeout_duration = 1;
    }

    /* Set timeout to current time */
    get_current_time(&(s->d1->next_timeout));

    /* Add duration to current time */
    s->d1->next_timeout.tv_sec += s->d1->timeout_duration;
    BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
             &(s->d1->next_timeout));
}

struct timeval *dtls1_get_timeout(SSL *s, struct timeval *timeleft)
{
    struct timeval timenow;

    /* If no timeout is set, just return NULL */
    if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) {
        return NULL;
    }

    /* Get current time */
    get_current_time(&timenow);

    /* If timer already expired, set remaining time to 0 */
    if (s->d1->next_timeout.tv_sec < timenow.tv_sec ||
        (s->d1->next_timeout.tv_sec == timenow.tv_sec &&
         s->d1->next_timeout.tv_usec <= timenow.tv_usec)) {
360
        memset(timeleft, 0, sizeof(*timeleft));
361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377
        return timeleft;
    }

    /* Calculate time left until timer expires */
    memcpy(timeleft, &(s->d1->next_timeout), sizeof(struct timeval));
    timeleft->tv_sec -= timenow.tv_sec;
    timeleft->tv_usec -= timenow.tv_usec;
    if (timeleft->tv_usec < 0) {
        timeleft->tv_sec--;
        timeleft->tv_usec += 1000000;
    }

    /*
     * If remaining time is less than 15 ms, set it to 0 to prevent issues
     * because of small devergences with socket timeouts.
     */
    if (timeleft->tv_sec == 0 && timeleft->tv_usec < 15000) {
378
        memset(timeleft, 0, sizeof(*timeleft));
379 380 381 382
    }

    return timeleft;
}
D
Dr. Stephen Henson 已提交
383 384

int dtls1_is_timer_expired(SSL *s)
385 386
{
    struct timeval timeleft;
D
Dr. Stephen Henson 已提交
387

388 389 390 391
    /* Get time left until timeout, return false if no timer running */
    if (dtls1_get_timeout(s, &timeleft) == NULL) {
        return 0;
    }
D
Dr. Stephen Henson 已提交
392

393 394 395 396
    /* Return false if timer is not expired yet */
    if (timeleft.tv_sec > 0 || timeleft.tv_usec > 0) {
        return 0;
    }
D
Dr. Stephen Henson 已提交
397

398 399 400
    /* Timer expired, so return true */
    return 1;
}
D
Dr. Stephen Henson 已提交
401 402

void dtls1_double_timeout(SSL *s)
403 404 405 406 407 408
{
    s->d1->timeout_duration *= 2;
    if (s->d1->timeout_duration > 60)
        s->d1->timeout_duration = 60;
    dtls1_start_timer(s);
}
D
Dr. Stephen Henson 已提交
409 410

void dtls1_stop_timer(SSL *s)
411 412
{
    /* Reset everything */
413 414
    memset(&s->d1->timeout, 0, sizeof(s->d1->timeout));
    memset(&s->d1->next_timeout, 0, sizeof(s->d1->next_timeout));
415 416 417 418 419 420
    s->d1->timeout_duration = 1;
    BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
             &(s->d1->next_timeout));
    /* Clear retransmission buffer */
    dtls1_clear_record_buffer(s);
}
D
Dr. Stephen Henson 已提交
421

D
Dr. Stephen Henson 已提交
422
int dtls1_check_timeout_num(SSL *s)
423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445
{
    unsigned int mtu;

    s->d1->timeout.num_alerts++;

    /* Reduce MTU after 2 unsuccessful retransmissions */
    if (s->d1->timeout.num_alerts > 2
        && !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) {
        mtu =
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0,
                     NULL);
        if (mtu < s->d1->mtu)
            s->d1->mtu = mtu;
    }

    if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) {
        /* fail the connection, enough alerts have been sent */
        SSLerr(SSL_F_DTLS1_CHECK_TIMEOUT_NUM, SSL_R_READ_TIMEOUT_EXPIRED);
        return -1;
    }

    return 0;
}
D
Dr. Stephen Henson 已提交
446 447

int dtls1_handle_timeout(SSL *s)
448 449 450 451 452
{
    /* if no timer is expired, don't do anything */
    if (!dtls1_is_timer_expired(s)) {
        return 0;
    }
D
Dr. Stephen Henson 已提交
453

454
    dtls1_double_timeout(s);
D
Dr. Stephen Henson 已提交
455

456 457
    if (dtls1_check_timeout_num(s) < 0)
        return -1;
D
Dr. Stephen Henson 已提交
458

459 460 461 462
    s->d1->timeout.read_timeouts++;
    if (s->d1->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) {
        s->d1->timeout.read_timeouts = 1;
    }
D
Dr. Stephen Henson 已提交
463
#ifndef OPENSSL_NO_HEARTBEATS
464 465 466 467
    if (s->tlsext_hb_pending) {
        s->tlsext_hb_pending = 0;
        return dtls1_heartbeat(s);
    }
D
Dr. Stephen Henson 已提交
468 469
#endif

470 471 472
    dtls1_start_timer(s);
    return dtls1_retransmit_buffered_messages(s);
}
D
Dr. Stephen Henson 已提交
473

D
Dr. Stephen Henson 已提交
474 475
static void get_current_time(struct timeval *t)
{
A
Andy Polyakov 已提交
476
#if defined(_WIN32)
477 478 479 480 481 482 483 484 485 486 487
    SYSTEMTIME st;
    union {
        unsigned __int64 ul;
        FILETIME ft;
    } now;

    GetSystemTime(&st);
    SystemTimeToFileTime(&st, &now.ft);
# ifdef  __MINGW32__
    now.ul -= 116444736000000000ULL;
# else
488
    now.ul -= 116444736000000000UI64; /* re-bias to 1/1/1970 */
489 490 491
# endif
    t->tv_sec = (long)(now.ul / 10000000);
    t->tv_usec = ((int)(now.ul % 10000000)) / 10;
D
Dr. Stephen Henson 已提交
492
#elif defined(OPENSSL_SYS_VMS)
493 494 495 496
    struct timeb tb;
    ftime(&tb);
    t->tv_sec = (long)tb.time;
    t->tv_usec = (long)tb.millitm * 1000;
D
Dr. Stephen Henson 已提交
497
#else
498
    gettimeofday(t, NULL);
D
Dr. Stephen Henson 已提交
499 500
#endif
}
D
Dr. Stephen Henson 已提交
501 502

int dtls1_listen(SSL *s, struct sockaddr *client)
503 504 505
{
    int ret;

M
Matt Caswell 已提交
506
    /* Ensure there is no state left over from a previous invocation */
V
Viktor Dukhovni 已提交
507
    if (!SSL_clear(s))
M
Matt Caswell 已提交
508
        return -1;
M
Matt Caswell 已提交
509

510 511
    SSL_set_options(s, SSL_OP_COOKIE_EXCHANGE);
    s->d1->listen = 1;
D
Dr. Stephen Henson 已提交
512

513 514 515
    ret = SSL_accept(s);
    if (ret <= 0)
        return ret;
D
Dr. Stephen Henson 已提交
516

517 518 519
    (void)BIO_dgram_get_peer(SSL_get_rbio(s), client);
    return 1;
}
D
Dr. Stephen Henson 已提交
520

M
Matt Caswell 已提交
521
static int dtls1_set_handshake_header(SSL *s, int htype, unsigned long len)
522 523 524 525 526 527
{
    unsigned char *p = (unsigned char *)s->init_buf->data;
    dtls1_set_message_header(s, p, htype, len, 0, len);
    s->init_num = (int)len + DTLS1_HM_HEADER_LENGTH;
    s->init_off = 0;
    /* Buffer the message to handle re-xmits */
M
Matt Caswell 已提交
528

V
Viktor Dukhovni 已提交
529
    if (!dtls1_buffer_message(s, 0))
M
Matt Caswell 已提交
530 531 532
        return 0;

    return 1;
533
}
D
Dr. Stephen Henson 已提交
534 535

static int dtls1_handshake_write(SSL *s)
536 537 538
{
    return dtls1_do_write(s, SSL3_RT_HANDSHAKE);
}