Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / boringssl / d9e397b599b13d642138480a28c14db7a136bf05 / . / src / ssl / d1_lib.c
blob: 8244cb94572ddf795560f8e56698d7305df4466c [file] [log] [blame]
Adam Langleyd9e397b2015-01-22 14:27:53 -0800[diff] [blame^]1/*
2 * DTLS implementation written by Nagendra Modadugu
3 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
4 */
5/* ====================================================================
6 * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * openssl-core@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com). */
56
57#include <openssl/base.h>
58
59#include <limits.h>
60#include <stdio.h>
61
62#if defined(OPENSSL_WINDOWS)
63#include <sys/timeb.h>
64#else
65#include <sys/socket.h>
66#include <sys/time.h>
67#endif
68
69#include <openssl/err.h>
70#include <openssl/mem.h>
71#include <openssl/obj.h>
72
73#include "ssl_locl.h"
74
75static void get_current_time(OPENSSL_timeval *t);
76static OPENSSL_timeval *dtls1_get_timeout(SSL *s, OPENSSL_timeval *timeleft);
77static void dtls1_set_handshake_header(SSL *s, int type, unsigned long len);
78static int dtls1_handshake_write(SSL *s);
79
80const SSL3_ENC_METHOD DTLSv1_enc_data = {
81 tls1_enc,
82 tls1_prf,
83 tls1_setup_key_block,
84 tls1_generate_master_secret,
85 tls1_change_cipher_state,
86 tls1_final_finish_mac,
87 TLS1_FINISH_MAC_LENGTH,
88 tls1_cert_verify_mac,
89 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
90 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
91 tls1_alert_code,
92 tls1_export_keying_material,
93 SSL_ENC_FLAG_DTLS|SSL_ENC_FLAG_EXPLICIT_IV,
94 DTLS1_HM_HEADER_LENGTH,
95 dtls1_set_handshake_header,
96 dtls1_handshake_write,
97};
98
99const SSL3_ENC_METHOD DTLSv1_2_enc_data = {
100 tls1_enc,
101 tls1_prf,
102 tls1_setup_key_block,
103 tls1_generate_master_secret,
104 tls1_change_cipher_state,
105 tls1_final_finish_mac,
106 TLS1_FINISH_MAC_LENGTH,
107 tls1_cert_verify_mac,
108 TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
109 TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
110 tls1_alert_code,
111 tls1_export_keying_material,
112 SSL_ENC_FLAG_DTLS | SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS |
113 SSL_ENC_FLAG_SHA256_PRF | SSL_ENC_FLAG_TLS1_2_CIPHERS,
114 DTLS1_HM_HEADER_LENGTH,
115 dtls1_set_handshake_header,
116 dtls1_handshake_write,
117};
118
119int dtls1_new(SSL *s) {
120 DTLS1_STATE *d1;
121
122 if (!ssl3_new(s)) {
123 return 0;
124 }
125 d1 = OPENSSL_malloc(sizeof *d1);
126 if (d1 == NULL) {
127 ssl3_free(s);
128 return 0;
129 }
130 memset(d1, 0, sizeof *d1);
131
132 d1->unprocessed_rcds.q = pqueue_new();
133 d1->processed_rcds.q = pqueue_new();
134 d1->buffered_messages = pqueue_new();
135 d1->sent_messages = pqueue_new();
136 d1->buffered_app_data.q = pqueue_new();
137
138 if (!d1->unprocessed_rcds.q || !d1->processed_rcds.q ||
139 !d1->buffered_messages || !d1->sent_messages ||
140 !d1->buffered_app_data.q) {
141 if (d1->unprocessed_rcds.q) {
142 pqueue_free(d1->unprocessed_rcds.q);
143 }
144 if (d1->processed_rcds.q) {
145 pqueue_free(d1->processed_rcds.q);
146 }
147 if (d1->buffered_messages) {
148 pqueue_free(d1->buffered_messages);
149 }
150 if (d1->sent_messages) {
151 pqueue_free(d1->sent_messages);
152 }
153 if (d1->buffered_app_data.q) {
154 pqueue_free(d1->buffered_app_data.q);
155 }
156 OPENSSL_free(d1);
157 ssl3_free(s);
158 return 0;
159 }
160
161 s->d1 = d1;
162
163 /* Set the version to the highest version for DTLS. This controls the initial
164 * state of |s->enc_method| and what the API reports as the version prior to
165 * negotiation.
166 *
167 * TODO(davidben): This is fragile and confusing. */
168 s->version = DTLS1_2_VERSION;
169 return 1;
170}
171
172static void dtls1_clear_queues(SSL *s) {
173 pitem *item = NULL;
174 hm_fragment *frag = NULL;
175 DTLS1_RECORD_DATA *rdata;
176
177 while ((item = pqueue_pop(s->d1->unprocessed_rcds.q)) != NULL) {
178 rdata = (DTLS1_RECORD_DATA *)item->data;
179 if (rdata->rbuf.buf) {
180 OPENSSL_free(rdata->rbuf.buf);
181 }
182 OPENSSL_free(item->data);
183 pitem_free(item);
184 }
185
186 while ((item = pqueue_pop(s->d1->processed_rcds.q)) != NULL) {
187 rdata = (DTLS1_RECORD_DATA *)item->data;
188 if (rdata->rbuf.buf) {
189 OPENSSL_free(rdata->rbuf.buf);
190 }
191 OPENSSL_free(item->data);
192 pitem_free(item);
193 }
194
195 while ((item = pqueue_pop(s->d1->buffered_messages)) != NULL) {
196 frag = (hm_fragment *)item->data;
197 dtls1_hm_fragment_free(frag);
198 pitem_free(item);
199 }
200
201 while ((item = pqueue_pop(s->d1->sent_messages)) != NULL) {
202 frag = (hm_fragment *)item->data;
203 dtls1_hm_fragment_free(frag);
204 pitem_free(item);
205 }
206
207 while ((item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL) {
208 rdata = (DTLS1_RECORD_DATA *)item->data;
209 if (rdata->rbuf.buf) {
210 OPENSSL_free(rdata->rbuf.buf);
211 }
212 OPENSSL_free(item->data);
213 pitem_free(item);
214 }
215}
216
217void dtls1_free(SSL *s) {
218 ssl3_free(s);
219
220 if (s == NULL || s->d1 == NULL) {
221 return;
222 }
223
224 dtls1_clear_queues(s);
225
226 pqueue_free(s->d1->unprocessed_rcds.q);
227 pqueue_free(s->d1->processed_rcds.q);
228 pqueue_free(s->d1->buffered_messages);
229 pqueue_free(s->d1->sent_messages);
230 pqueue_free(s->d1->buffered_app_data.q);
231
232 OPENSSL_free(s->d1);
233 s->d1 = NULL;
234}
235
236long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg) {
237 int ret = 0;
238
239 switch (cmd) {
240 case DTLS_CTRL_GET_TIMEOUT:
241 if (dtls1_get_timeout(s, (OPENSSL_timeval *)parg) != NULL) {
242 ret = 1;
243 }
244 break;
245
246 case DTLS_CTRL_HANDLE_TIMEOUT:
247 ret = dtls1_handle_timeout(s);
248 break;
249
250 default:
251 ret = ssl3_ctrl(s, cmd, larg, parg);
252 break;
253 }
254
255 return ret;
256}
257
258const SSL_CIPHER *dtls1_get_cipher(unsigned int u) {
259 const SSL_CIPHER *ciph = ssl3_get_cipher(u);
260 /* DTLS does not support stream ciphers. */
261 if (ciph == NULL || ciph->algorithm_enc == SSL_RC4) {
262 return NULL;
263 }
264
265 return ciph;
266}
267
268void dtls1_start_timer(SSL *s) {
269 /* If timer is not set, initialize duration with 1 second */
270 if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) {
271 s->d1->timeout_duration = 1;
272 }
273
274 /* Set timeout to current time */
275 get_current_time(&s->d1->next_timeout);
276
277 /* Add duration to current time */
278 s->d1->next_timeout.tv_sec += s->d1->timeout_duration;
279 BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
280 &s->d1->next_timeout);
281}
282
283static OPENSSL_timeval *dtls1_get_timeout(SSL *s, OPENSSL_timeval *timeleft) {
284 OPENSSL_timeval timenow;
285
286 /* If no timeout is set, just return NULL */
287 if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) {
288 return NULL;
289 }
290
291 /* Get current time */
292 get_current_time(&timenow);
293
294 /* If timer already expired, set remaining time to 0 */
295 if (s->d1->next_timeout.tv_sec < timenow.tv_sec ||
296 (s->d1->next_timeout.tv_sec == timenow.tv_sec &&
297 s->d1->next_timeout.tv_usec <= timenow.tv_usec)) {
298 memset(timeleft, 0, sizeof(OPENSSL_timeval));
299 return timeleft;
300 }
301
302 /* Calculate time left until timer expires */
303 memcpy(timeleft, &s->d1->next_timeout, sizeof(OPENSSL_timeval));
304 timeleft->tv_sec -= timenow.tv_sec;
305 timeleft->tv_usec -= timenow.tv_usec;
306 if (timeleft->tv_usec < 0) {
307 timeleft->tv_sec--;
308 timeleft->tv_usec += 1000000;
309 }
310
311 /* If remaining time is less than 15 ms, set it to 0 to prevent issues
312 * because of small devergences with socket timeouts. */
313 if (timeleft->tv_sec == 0 && timeleft->tv_usec < 15000) {
314 memset(timeleft, 0, sizeof(OPENSSL_timeval));
315 }
316
317 return timeleft;
318}
319
320int dtls1_is_timer_expired(SSL *s) {
321 OPENSSL_timeval timeleft;
322
323 /* Get time left until timeout, return false if no timer running */
324 if (dtls1_get_timeout(s, &timeleft) == NULL) {
325 return 0;
326 }
327
328 /* Return false if timer is not expired yet */
329 if (timeleft.tv_sec > 0 || timeleft.tv_usec > 0) {
330 return 0;
331 }
332
333 /* Timer expired, so return true */
334 return 1;
335}
336
337void dtls1_double_timeout(SSL *s) {
338 s->d1->timeout_duration *= 2;
339 if (s->d1->timeout_duration > 60) {
340 s->d1->timeout_duration = 60;
341 }
342 dtls1_start_timer(s);
343}
344
345void dtls1_stop_timer(SSL *s) {
346 /* Reset everything */
347 memset(&(s->d1->timeout), 0, sizeof(struct dtls1_timeout_st));
348 memset(&s->d1->next_timeout, 0, sizeof(OPENSSL_timeval));
349 s->d1->timeout_duration = 1;
350 BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
351 &s->d1->next_timeout);
352 /* Clear retransmission buffer */
353 dtls1_clear_record_buffer(s);
354}
355
356int dtls1_check_timeout_num(SSL *s) {
357 s->d1->timeout.num_alerts++;
358
359 /* Reduce MTU after 2 unsuccessful retransmissions */
360 if (s->d1->timeout.num_alerts > 2 &&
361 !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) {
362 long mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0,
363 NULL);
364 if (mtu >= 0 && mtu <= (1 << 30) && (unsigned)mtu >= dtls1_min_mtu()) {
365 s->d1->mtu = (unsigned)mtu;
366 }
367 }
368
369 if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) {
370 /* fail the connection, enough alerts have been sent */
371 OPENSSL_PUT_ERROR(SSL, dtls1_check_timeout_num, SSL_R_READ_TIMEOUT_EXPIRED);
372 return -1;
373 }
374
375 return 0;
376}
377
378int dtls1_handle_timeout(SSL *s) {
379 /* if no timer is expired, don't do anything */
380 if (!dtls1_is_timer_expired(s)) {
381 return 0;
382 }
383
384 dtls1_double_timeout(s);
385
386 if (dtls1_check_timeout_num(s) < 0) {
387 return -1;
388 }
389
390 s->d1->timeout.read_timeouts++;
391 if (s->d1->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) {
392 s->d1->timeout.read_timeouts = 1;
393 }
394
395 dtls1_start_timer(s);
396 return dtls1_retransmit_buffered_messages(s);
397}
398
399static void get_current_time(OPENSSL_timeval *t) {
400#if defined(OPENSSL_WINDOWS)
401 struct _timeb time;
402 _ftime(&time);
403 t->tv_sec = time.time;
404 t->tv_usec = time.millitm * 1000;
405#else
406 gettimeofday(t, NULL);
407#endif
408}
409
410static void dtls1_set_handshake_header(SSL *s, int htype, unsigned long len) {
411 uint8_t *message = (uint8_t *)s->init_buf->data;
412 const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
413 uint8_t serialised_header[DTLS1_HM_HEADER_LENGTH];
414 uint8_t *p = serialised_header;
415
416 s->d1->handshake_write_seq = s->d1->next_handshake_write_seq;
417 s->d1->next_handshake_write_seq++;
418
419 dtls1_set_message_header(s, htype, len, s->d1->handshake_write_seq, 0, len);
420 s->init_num = (int)len + DTLS1_HM_HEADER_LENGTH;
421 s->init_off = 0;
422
423 /* Buffer the message to handle re-xmits */
424 dtls1_buffer_message(s, 0);
425
426 /* Add the new message to the handshake hash. Serialize the message
427 * header as if it were a single fragment. */
428 *p++ = msg_hdr->type;
429 l2n3(msg_hdr->msg_len, p);
430 s2n(msg_hdr->seq, p);
431 l2n3(0, p);
432 l2n3(msg_hdr->msg_len, p);
433 ssl3_finish_mac(s, serialised_header, sizeof(serialised_header));
434 ssl3_finish_mac(s, message + DTLS1_HM_HEADER_LENGTH, len);
435}
436
437static int dtls1_handshake_write(SSL *s) {
438 return dtls1_do_write(s, SSL3_RT_HANDSHAKE);
439}