d1_lib.c 15.2 KB
Newer Older
B
Ben Laurie 已提交
1
/* ssl/d1_lib.c */
2
/*
B
Ben Laurie 已提交
3
 * DTLS implementation written by Nagendra Modadugu
4
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
B
Ben Laurie 已提交
5 6 7 8 9 10 11 12 13
 */
/* ====================================================================
 * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
14
 *    notice, this list of conditions and the following disclaimer.
B
Ben Laurie 已提交
15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

#include <stdio.h>
61
#define USE_SOCKETS
B
Ben Laurie 已提交
62 63 64
#include <openssl/objects.h>
#include "ssl_locl.h"

A
Andy Polyakov 已提交
65
#if defined(OPENSSL_SYS_VMS)
66
# include <sys/timeb.h>
D
Dr. Stephen Henson 已提交
67 68 69
#endif

static void get_current_time(struct timeval *t);
M
Matt Caswell 已提交
70
static int dtls1_set_handshake_header(SSL *s, int type, unsigned long len);
D
Dr. Stephen Henson 已提交
71
static int dtls1_handshake_write(SSL *s);
72
const char dtls1_version_str[] = "DTLSv1" OPENSSL_VERSION_PTEXT;
D
Dr. Stephen Henson 已提交
73
int dtls1_listen(SSL *s, struct sockaddr *client);
B
Ben Laurie 已提交
74

75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112
const SSL3_ENC_METHOD DTLSv1_enc_data = {
    tls1_enc,
    tls1_mac,
    tls1_setup_key_block,
    tls1_generate_master_secret,
    tls1_change_cipher_state,
    tls1_final_finish_mac,
    TLS1_FINISH_MAC_LENGTH,
    tls1_cert_verify_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls1_alert_code,
    tls1_export_keying_material,
    SSL_ENC_FLAG_DTLS | SSL_ENC_FLAG_EXPLICIT_IV,
    DTLS1_HM_HEADER_LENGTH,
    dtls1_set_handshake_header,
    dtls1_handshake_write
};

const SSL3_ENC_METHOD DTLSv1_2_enc_data = {
    tls1_enc,
    tls1_mac,
    tls1_setup_key_block,
    tls1_generate_master_secret,
    tls1_change_cipher_state,
    tls1_final_finish_mac,
    TLS1_FINISH_MAC_LENGTH,
    tls1_cert_verify_mac,
    TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
    TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
    tls1_alert_code,
    tls1_export_keying_material,
    SSL_ENC_FLAG_DTLS | SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS
        | SSL_ENC_FLAG_SHA256_PRF | SSL_ENC_FLAG_TLS1_2_CIPHERS,
    DTLS1_HM_HEADER_LENGTH,
    dtls1_set_handshake_header,
    dtls1_handshake_write
};
113

114
long dtls1_default_timeout(void)
115 116 117 118 119 120 121
{
    /*
     * 2 hours, the 24 hours mentioned in the DTLSv1 spec is way too long for
     * http, the cache would over fill
     */
    return (60 * 60 * 2);
}
B
Ben Laurie 已提交
122 123

int dtls1_new(SSL *s)
124 125 126
{
    DTLS1_STATE *d1;

M
Matt Caswell 已提交
127 128 129 130
    if(!DTLS_RECORD_LAYER_new(&s->rlayer)) {
        return 0;
    }
    
131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148
    if (!ssl3_new(s))
        return (0);
    if ((d1 = OPENSSL_malloc(sizeof *d1)) == NULL) {
        ssl3_free(s);
        return (0);
    }
    memset(d1, 0, sizeof *d1);

    d1->buffered_messages = pqueue_new();
    d1->sent_messages = pqueue_new();

    if (s->server) {
        d1->cookie_len = sizeof(s->d1->cookie);
    }

    d1->link_mtu = 0;
    d1->mtu = 0;

149
    if (!d1->buffered_messages || !d1->sent_messages) {
150 151 152 153 154 155 156 157 158 159 160 161 162
        if (d1->buffered_messages)
            pqueue_free(d1->buffered_messages);
        if (d1->sent_messages)
            pqueue_free(d1->sent_messages);
        OPENSSL_free(d1);
        ssl3_free(s);
        return (0);
    }

    s->d1 = d1;
    s->method->ssl_clear(s);
    return (1);
}
B
Ben Laurie 已提交
163

D
Dr. Stephen Henson 已提交
164
static void dtls1_clear_queues(SSL *s)
165
{
B
Ben Laurie 已提交
166 167
    pitem *item = NULL;
    hm_fragment *frag = NULL;
168 169

    while ((item = pqueue_pop(s->d1->buffered_messages)) != NULL) {
B
Ben Laurie 已提交
170
        frag = (hm_fragment *)item->data;
171
        dtls1_hm_fragment_free(frag);
B
Ben Laurie 已提交
172
        pitem_free(item);
173
    }
B
Ben Laurie 已提交
174

175
    while ((item = pqueue_pop(s->d1->sent_messages)) != NULL) {
B
Ben Laurie 已提交
176
        frag = (hm_fragment *)item->data;
177
        dtls1_hm_fragment_free(frag);
B
Ben Laurie 已提交
178
        pitem_free(item);
179 180
    }
}
D
Dr. Stephen Henson 已提交
181 182

void dtls1_free(SSL *s)
183
{
184 185
    DTLS_RECORD_LAYER_free(&s->rlayer);

186
    ssl3_free(s);
D
Dr. Stephen Henson 已提交
187

188
    dtls1_clear_queues(s);
D
Dr. Stephen Henson 已提交
189 190

    pqueue_free(s->d1->buffered_messages);
191
    pqueue_free(s->d1->sent_messages);
D
Dr. Stephen Henson 已提交
192

193 194 195
    OPENSSL_free(s->d1);
    s->d1 = NULL;
}
B
Ben Laurie 已提交
196 197

void dtls1_clear(SSL *s)
198
{
D
Dr. Stephen Henson 已提交
199
    pqueue buffered_messages;
200 201 202 203
    pqueue sent_messages;
    unsigned int mtu;
    unsigned int link_mtu;

204 205
    DTLS_RECORD_LAYER_clear(&s->rlayer);

206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230
    if (s->d1) {
        buffered_messages = s->d1->buffered_messages;
        sent_messages = s->d1->sent_messages;
        mtu = s->d1->mtu;
        link_mtu = s->d1->link_mtu;

        dtls1_clear_queues(s);

        memset(s->d1, 0, sizeof(*(s->d1)));

        if (s->server) {
            s->d1->cookie_len = sizeof(s->d1->cookie);
        }

        if (SSL_get_options(s) & SSL_OP_NO_QUERY_MTU) {
            s->d1->mtu = mtu;
            s->d1->link_mtu = link_mtu;
        }

        s->d1->buffered_messages = buffered_messages;
        s->d1->sent_messages = sent_messages;
    }

    ssl3_clear(s);
    if (s->options & SSL_OP_CISCO_ANYCONNECT)
231
        s->client_version = s->version = DTLS1_BAD_VER;
232 233 234 235 236
    else if (s->method->version == DTLS_ANY_VERSION)
        s->version = DTLS1_2_VERSION;
    else
        s->version = s->method->version;
}
A
Andy Polyakov 已提交
237

D
Dr. Stephen Henson 已提交
238
long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266
{
    int ret = 0;

    switch (cmd) {
    case DTLS_CTRL_GET_TIMEOUT:
        if (dtls1_get_timeout(s, (struct timeval *)parg) != NULL) {
            ret = 1;
        }
        break;
    case DTLS_CTRL_HANDLE_TIMEOUT:
        ret = dtls1_handle_timeout(s);
        break;
    case DTLS_CTRL_LISTEN:
        ret = dtls1_listen(s, parg);
        break;
    case SSL_CTRL_CHECK_PROTO_VERSION:
        /*
         * For library-internal use; checks that the current protocol is the
         * highest enabled version (according to s->ctx->method, as version
         * negotiation may have changed s->method).
         */
        if (s->version == s->ctx->method->version)
            return 1;
        /*
         * Apparently we're using a version-flexible SSL_METHOD (not at its
         * highest protocol version).
         */
        if (s->ctx->method->version == DTLS_method()->version) {
B
Bodo Moeller 已提交
267
#if DTLS_MAX_VERSION != DTLS1_2_VERSION
268
# error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
B
Bodo Moeller 已提交
269
#endif
270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297
            if (!(s->options & SSL_OP_NO_DTLSv1_2))
                return s->version == DTLS1_2_VERSION;
            if (!(s->options & SSL_OP_NO_DTLSv1))
                return s->version == DTLS1_VERSION;
        }
        return 0;               /* Unexpected state; fail closed. */
    case DTLS_CTRL_SET_LINK_MTU:
        if (larg < (long)dtls1_link_min_mtu())
            return 0;
        s->d1->link_mtu = larg;
        return 1;
    case DTLS_CTRL_GET_LINK_MIN_MTU:
        return (long)dtls1_link_min_mtu();
    case SSL_CTRL_SET_MTU:
        /*
         *  We may not have a BIO set yet so can't call dtls1_min_mtu()
         *  We'll have to make do with dtls1_link_min_mtu() and max overhead
         */
        if (larg < (long)dtls1_link_min_mtu() - DTLS1_MAX_MTU_OVERHEAD)
            return 0;
        s->d1->mtu = larg;
        return larg;
    default:
        ret = ssl3_ctrl(s, cmd, larg, parg);
        break;
    }
    return (ret);
}
D
Dr. Stephen Henson 已提交
298

A
Andy Polyakov 已提交
299 300 301 302 303 304 305
/*
 * As it's impossible to use stream ciphers in "datagram" mode, this
 * simple filter is designed to disengage them in DTLS. Unfortunately
 * there is no universal way to identify stream SSL_CIPHER, so we have
 * to explicitly list their SSL_* codes. Currently RC4 is the only one
 * available, but if new ones emerge, they will have to be added...
 */
306
const SSL_CIPHER *dtls1_get_cipher(unsigned int u)
307 308
{
    const SSL_CIPHER *ciph = ssl3_get_cipher(u);
A
Andy Polyakov 已提交
309

310 311 312 313
    if (ciph != NULL) {
        if (ciph->algorithm_enc == SSL_RC4)
            return NULL;
    }
A
Andy Polyakov 已提交
314

315 316
    return ciph;
}
D
Dr. Stephen Henson 已提交
317 318

void dtls1_start_timer(SSL *s)
319
{
D
Dr. Stephen Henson 已提交
320
#ifndef OPENSSL_NO_SCTP
321 322 323 324 325
    /* Disable timer for SCTP */
    if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
        memset(&(s->d1->next_timeout), 0, sizeof(struct timeval));
        return;
    }
D
Dr. Stephen Henson 已提交
326 327
#endif

328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380
    /* If timer is not set, initialize duration with 1 second */
    if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) {
        s->d1->timeout_duration = 1;
    }

    /* Set timeout to current time */
    get_current_time(&(s->d1->next_timeout));

    /* Add duration to current time */
    s->d1->next_timeout.tv_sec += s->d1->timeout_duration;
    BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
             &(s->d1->next_timeout));
}

struct timeval *dtls1_get_timeout(SSL *s, struct timeval *timeleft)
{
    struct timeval timenow;

    /* If no timeout is set, just return NULL */
    if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) {
        return NULL;
    }

    /* Get current time */
    get_current_time(&timenow);

    /* If timer already expired, set remaining time to 0 */
    if (s->d1->next_timeout.tv_sec < timenow.tv_sec ||
        (s->d1->next_timeout.tv_sec == timenow.tv_sec &&
         s->d1->next_timeout.tv_usec <= timenow.tv_usec)) {
        memset(timeleft, 0, sizeof(struct timeval));
        return timeleft;
    }

    /* Calculate time left until timer expires */
    memcpy(timeleft, &(s->d1->next_timeout), sizeof(struct timeval));
    timeleft->tv_sec -= timenow.tv_sec;
    timeleft->tv_usec -= timenow.tv_usec;
    if (timeleft->tv_usec < 0) {
        timeleft->tv_sec--;
        timeleft->tv_usec += 1000000;
    }

    /*
     * If remaining time is less than 15 ms, set it to 0 to prevent issues
     * because of small devergences with socket timeouts.
     */
    if (timeleft->tv_sec == 0 && timeleft->tv_usec < 15000) {
        memset(timeleft, 0, sizeof(struct timeval));
    }

    return timeleft;
}
D
Dr. Stephen Henson 已提交
381 382

int dtls1_is_timer_expired(SSL *s)
383 384
{
    struct timeval timeleft;
D
Dr. Stephen Henson 已提交
385

386 387 388 389
    /* Get time left until timeout, return false if no timer running */
    if (dtls1_get_timeout(s, &timeleft) == NULL) {
        return 0;
    }
D
Dr. Stephen Henson 已提交
390

391 392 393 394
    /* Return false if timer is not expired yet */
    if (timeleft.tv_sec > 0 || timeleft.tv_usec > 0) {
        return 0;
    }
D
Dr. Stephen Henson 已提交
395

396 397 398
    /* Timer expired, so return true */
    return 1;
}
D
Dr. Stephen Henson 已提交
399 400

void dtls1_double_timeout(SSL *s)
401 402 403 404 405 406
{
    s->d1->timeout_duration *= 2;
    if (s->d1->timeout_duration > 60)
        s->d1->timeout_duration = 60;
    dtls1_start_timer(s);
}
D
Dr. Stephen Henson 已提交
407 408

void dtls1_stop_timer(SSL *s)
409 410 411 412 413 414 415 416 417 418
{
    /* Reset everything */
    memset(&(s->d1->timeout), 0, sizeof(struct dtls1_timeout_st));
    memset(&(s->d1->next_timeout), 0, sizeof(struct timeval));
    s->d1->timeout_duration = 1;
    BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
             &(s->d1->next_timeout));
    /* Clear retransmission buffer */
    dtls1_clear_record_buffer(s);
}
D
Dr. Stephen Henson 已提交
419

D
Dr. Stephen Henson 已提交
420
int dtls1_check_timeout_num(SSL *s)
421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443
{
    unsigned int mtu;

    s->d1->timeout.num_alerts++;

    /* Reduce MTU after 2 unsuccessful retransmissions */
    if (s->d1->timeout.num_alerts > 2
        && !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) {
        mtu =
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0,
                     NULL);
        if (mtu < s->d1->mtu)
            s->d1->mtu = mtu;
    }

    if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) {
        /* fail the connection, enough alerts have been sent */
        SSLerr(SSL_F_DTLS1_CHECK_TIMEOUT_NUM, SSL_R_READ_TIMEOUT_EXPIRED);
        return -1;
    }

    return 0;
}
D
Dr. Stephen Henson 已提交
444 445

int dtls1_handle_timeout(SSL *s)
446 447 448 449 450
{
    /* if no timer is expired, don't do anything */
    if (!dtls1_is_timer_expired(s)) {
        return 0;
    }
D
Dr. Stephen Henson 已提交
451

452
    dtls1_double_timeout(s);
D
Dr. Stephen Henson 已提交
453

454 455
    if (dtls1_check_timeout_num(s) < 0)
        return -1;
D
Dr. Stephen Henson 已提交
456

457 458 459 460
    s->d1->timeout.read_timeouts++;
    if (s->d1->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) {
        s->d1->timeout.read_timeouts = 1;
    }
D
Dr. Stephen Henson 已提交
461
#ifndef OPENSSL_NO_HEARTBEATS
462 463 464 465
    if (s->tlsext_hb_pending) {
        s->tlsext_hb_pending = 0;
        return dtls1_heartbeat(s);
    }
D
Dr. Stephen Henson 已提交
466 467
#endif

468 469 470
    dtls1_start_timer(s);
    return dtls1_retransmit_buffered_messages(s);
}
D
Dr. Stephen Henson 已提交
471

D
Dr. Stephen Henson 已提交
472 473
static void get_current_time(struct timeval *t)
{
A
Andy Polyakov 已提交
474
#if defined(_WIN32)
475 476 477 478 479 480 481 482 483 484 485
    SYSTEMTIME st;
    union {
        unsigned __int64 ul;
        FILETIME ft;
    } now;

    GetSystemTime(&st);
    SystemTimeToFileTime(&st, &now.ft);
# ifdef  __MINGW32__
    now.ul -= 116444736000000000ULL;
# else
486
    now.ul -= 116444736000000000UI64; /* re-bias to 1/1/1970 */
487 488 489
# endif
    t->tv_sec = (long)(now.ul / 10000000);
    t->tv_usec = ((int)(now.ul % 10000000)) / 10;
D
Dr. Stephen Henson 已提交
490
#elif defined(OPENSSL_SYS_VMS)
491 492 493 494
    struct timeb tb;
    ftime(&tb);
    t->tv_sec = (long)tb.time;
    t->tv_usec = (long)tb.millitm * 1000;
D
Dr. Stephen Henson 已提交
495
#else
496
    gettimeofday(t, NULL);
D
Dr. Stephen Henson 已提交
497 498
#endif
}
D
Dr. Stephen Henson 已提交
499 500

int dtls1_listen(SSL *s, struct sockaddr *client)
501 502 503
{
    int ret;

M
Matt Caswell 已提交
504
    /* Ensure there is no state left over from a previous invocation */
M
Matt Caswell 已提交
505 506
    if(!SSL_clear(s))
        return -1;
M
Matt Caswell 已提交
507

508 509
    SSL_set_options(s, SSL_OP_COOKIE_EXCHANGE);
    s->d1->listen = 1;
D
Dr. Stephen Henson 已提交
510

511 512 513
    ret = SSL_accept(s);
    if (ret <= 0)
        return ret;
D
Dr. Stephen Henson 已提交
514

515 516 517
    (void)BIO_dgram_get_peer(SSL_get_rbio(s), client);
    return 1;
}
D
Dr. Stephen Henson 已提交
518

M
Matt Caswell 已提交
519
static int dtls1_set_handshake_header(SSL *s, int htype, unsigned long len)
520 521 522 523 524 525
{
    unsigned char *p = (unsigned char *)s->init_buf->data;
    dtls1_set_message_header(s, p, htype, len, 0, len);
    s->init_num = (int)len + DTLS1_HM_HEADER_LENGTH;
    s->init_off = 0;
    /* Buffer the message to handle re-xmits */
M
Matt Caswell 已提交
526 527 528 529 530

    if(!dtls1_buffer_message(s, 0))
        return 0;

    return 1;
531
}
D
Dr. Stephen Henson 已提交
532 533

static int dtls1_handshake_write(SSL *s)
534 535 536
{
    return dtls1_do_write(s, SSL3_RT_HANDSHAKE);
}