xref: /freebsd/crypto/openssl/ssl/d1_lib.c (revision 39ee7a7a6bdd1557b1c3532abf60d139798ac88b)
1 /* ssl/d1_lib.c */
2 /*
3  * DTLS implementation written by Nagendra Modadugu
4  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
5  */
6 /* ====================================================================
7  * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  *
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  *
16  * 2. Redistributions in binary form must reproduce the above copyright
17  *    notice, this list of conditions and the following disclaimer in
18  *    the documentation and/or other materials provided with the
19  *    distribution.
20  *
21  * 3. All advertising materials mentioning features or use of this
22  *    software must display the following acknowledgment:
23  *    "This product includes software developed by the OpenSSL Project
24  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25  *
26  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27  *    endorse or promote products derived from this software without
28  *    prior written permission. For written permission, please contact
29  *    openssl-core@OpenSSL.org.
30  *
31  * 5. Products derived from this software may not be called "OpenSSL"
32  *    nor may "OpenSSL" appear in their names without prior written
33  *    permission of the OpenSSL Project.
34  *
35  * 6. Redistributions of any form whatsoever must retain the following
36  *    acknowledgment:
37  *    "This product includes software developed by the OpenSSL Project
38  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
44  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51  * OF THE POSSIBILITY OF SUCH DAMAGE.
52  * ====================================================================
53  *
54  * This product includes cryptographic software written by Eric Young
55  * (eay@cryptsoft.com).  This product includes software written by Tim
56  * Hudson (tjh@cryptsoft.com).
57  *
58  */
59 
60 #include <stdio.h>
61 #define USE_SOCKETS
62 #include <openssl/objects.h>
63 #include "ssl_locl.h"
64 
65 #if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS)
66 # include <sys/timeb.h>
67 #endif
68 
69 static void get_current_time(struct timeval *t);
70 const char dtls1_version_str[] = "DTLSv1" OPENSSL_VERSION_PTEXT;
71 int dtls1_listen(SSL *s, struct sockaddr *client);
72 
73 SSL3_ENC_METHOD DTLSv1_enc_data = {
74     dtls1_enc,
75     tls1_mac,
76     tls1_setup_key_block,
77     tls1_generate_master_secret,
78     tls1_change_cipher_state,
79     tls1_final_finish_mac,
80     TLS1_FINISH_MAC_LENGTH,
81     tls1_cert_verify_mac,
82     TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
83     TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
84     tls1_alert_code,
85     tls1_export_keying_material,
86 };
87 
88 long dtls1_default_timeout(void)
89 {
90     /*
91      * 2 hours, the 24 hours mentioned in the DTLSv1 spec is way too long for
92      * http, the cache would over fill
93      */
94     return (60 * 60 * 2);
95 }
96 
97 int dtls1_new(SSL *s)
98 {
99     DTLS1_STATE *d1;
100 
101     if (!ssl3_new(s))
102         return (0);
103     if ((d1 = OPENSSL_malloc(sizeof *d1)) == NULL)
104         return (0);
105     memset(d1, 0, sizeof *d1);
106 
107     /* d1->handshake_epoch=0; */
108 
109     d1->unprocessed_rcds.q = pqueue_new();
110     d1->processed_rcds.q = pqueue_new();
111     d1->buffered_messages = pqueue_new();
112     d1->sent_messages = pqueue_new();
113     d1->buffered_app_data.q = pqueue_new();
114 
115     if (s->server) {
116         d1->cookie_len = sizeof(s->d1->cookie);
117     }
118 
119     d1->link_mtu = 0;
120     d1->mtu = 0;
121 
122     if (!d1->unprocessed_rcds.q || !d1->processed_rcds.q
123         || !d1->buffered_messages || !d1->sent_messages
124         || !d1->buffered_app_data.q) {
125         if (d1->unprocessed_rcds.q)
126             pqueue_free(d1->unprocessed_rcds.q);
127         if (d1->processed_rcds.q)
128             pqueue_free(d1->processed_rcds.q);
129         if (d1->buffered_messages)
130             pqueue_free(d1->buffered_messages);
131         if (d1->sent_messages)
132             pqueue_free(d1->sent_messages);
133         if (d1->buffered_app_data.q)
134             pqueue_free(d1->buffered_app_data.q);
135         OPENSSL_free(d1);
136         return (0);
137     }
138 
139     s->d1 = d1;
140     s->method->ssl_clear(s);
141     return (1);
142 }
143 
144 static void dtls1_clear_queues(SSL *s)
145 {
146     pitem *item = NULL;
147     hm_fragment *frag = NULL;
148     DTLS1_RECORD_DATA *rdata;
149 
150     while ((item = pqueue_pop(s->d1->unprocessed_rcds.q)) != NULL) {
151         rdata = (DTLS1_RECORD_DATA *)item->data;
152         if (rdata->rbuf.buf) {
153             OPENSSL_free(rdata->rbuf.buf);
154         }
155         OPENSSL_free(item->data);
156         pitem_free(item);
157     }
158 
159     while ((item = pqueue_pop(s->d1->processed_rcds.q)) != NULL) {
160         rdata = (DTLS1_RECORD_DATA *)item->data;
161         if (rdata->rbuf.buf) {
162             OPENSSL_free(rdata->rbuf.buf);
163         }
164         OPENSSL_free(item->data);
165         pitem_free(item);
166     }
167 
168     while ((item = pqueue_pop(s->d1->buffered_messages)) != NULL) {
169         frag = (hm_fragment *)item->data;
170         dtls1_hm_fragment_free(frag);
171         pitem_free(item);
172     }
173 
174     while ((item = pqueue_pop(s->d1->sent_messages)) != NULL) {
175         frag = (hm_fragment *)item->data;
176         dtls1_hm_fragment_free(frag);
177         pitem_free(item);
178     }
179 
180     while ((item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL) {
181         rdata = (DTLS1_RECORD_DATA *)item->data;
182         if (rdata->rbuf.buf) {
183             OPENSSL_free(rdata->rbuf.buf);
184         }
185         OPENSSL_free(item->data);
186         pitem_free(item);
187     }
188 }
189 
190 void dtls1_free(SSL *s)
191 {
192     ssl3_free(s);
193 
194     dtls1_clear_queues(s);
195 
196     pqueue_free(s->d1->unprocessed_rcds.q);
197     pqueue_free(s->d1->processed_rcds.q);
198     pqueue_free(s->d1->buffered_messages);
199     pqueue_free(s->d1->sent_messages);
200     pqueue_free(s->d1->buffered_app_data.q);
201 
202     OPENSSL_free(s->d1);
203     s->d1 = NULL;
204 }
205 
206 void dtls1_clear(SSL *s)
207 {
208     pqueue unprocessed_rcds;
209     pqueue processed_rcds;
210     pqueue buffered_messages;
211     pqueue sent_messages;
212     pqueue buffered_app_data;
213     unsigned int mtu;
214     unsigned int link_mtu;
215 
216     if (s->d1) {
217         unprocessed_rcds = s->d1->unprocessed_rcds.q;
218         processed_rcds = s->d1->processed_rcds.q;
219         buffered_messages = s->d1->buffered_messages;
220         sent_messages = s->d1->sent_messages;
221         buffered_app_data = s->d1->buffered_app_data.q;
222         mtu = s->d1->mtu;
223         link_mtu = s->d1->link_mtu;
224 
225         dtls1_clear_queues(s);
226 
227         memset(s->d1, 0, sizeof(*(s->d1)));
228 
229         if (s->server) {
230             s->d1->cookie_len = sizeof(s->d1->cookie);
231         }
232 
233         if (SSL_get_options(s) & SSL_OP_NO_QUERY_MTU) {
234             s->d1->mtu = mtu;
235             s->d1->link_mtu = link_mtu;
236         }
237 
238         s->d1->unprocessed_rcds.q = unprocessed_rcds;
239         s->d1->processed_rcds.q = processed_rcds;
240         s->d1->buffered_messages = buffered_messages;
241         s->d1->sent_messages = sent_messages;
242         s->d1->buffered_app_data.q = buffered_app_data;
243     }
244 
245     ssl3_clear(s);
246     if (s->options & SSL_OP_CISCO_ANYCONNECT)
247         s->version = DTLS1_BAD_VER;
248     else
249         s->version = DTLS1_VERSION;
250 }
251 
252 long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
253 {
254     int ret = 0;
255 
256     switch (cmd) {
257     case DTLS_CTRL_GET_TIMEOUT:
258         if (dtls1_get_timeout(s, (struct timeval *)parg) != NULL) {
259             ret = 1;
260         }
261         break;
262     case DTLS_CTRL_HANDLE_TIMEOUT:
263         ret = dtls1_handle_timeout(s);
264         break;
265     case DTLS_CTRL_LISTEN:
266         ret = dtls1_listen(s, parg);
267         break;
268     case SSL_CTRL_CHECK_PROTO_VERSION:
269         /*
270          * For library-internal use; checks that the current protocol is the
271          * highest enabled version (according to s->ctx->method, as version
272          * negotiation may have changed s->method).
273          */
274 #if DTLS_MAX_VERSION != DTLS1_VERSION
275 # error Code needs update for DTLS_method() support beyond DTLS1_VERSION.
276 #endif
277         /*
278          * Just one protocol version is supported so far; fail closed if the
279          * version is not as expected.
280          */
281         return s->version == DTLS_MAX_VERSION;
282     case DTLS_CTRL_SET_LINK_MTU:
283         if (larg < (long)dtls1_link_min_mtu())
284             return 0;
285         s->d1->link_mtu = larg;
286         return 1;
287     case DTLS_CTRL_GET_LINK_MIN_MTU:
288         return (long)dtls1_link_min_mtu();
289     case SSL_CTRL_SET_MTU:
290         /*
291          *  We may not have a BIO set yet so can't call dtls1_min_mtu()
292          *  We'll have to make do with dtls1_link_min_mtu() and max overhead
293          */
294         if (larg < (long)dtls1_link_min_mtu() - DTLS1_MAX_MTU_OVERHEAD)
295             return 0;
296         s->d1->mtu = larg;
297         return larg;
298     default:
299         ret = ssl3_ctrl(s, cmd, larg, parg);
300         break;
301     }
302     return (ret);
303 }
304 
305 /*
306  * As it's impossible to use stream ciphers in "datagram" mode, this
307  * simple filter is designed to disengage them in DTLS. Unfortunately
308  * there is no universal way to identify stream SSL_CIPHER, so we have
309  * to explicitly list their SSL_* codes. Currently RC4 is the only one
310  * available, but if new ones emerge, they will have to be added...
311  */
312 const SSL_CIPHER *dtls1_get_cipher(unsigned int u)
313 {
314     const SSL_CIPHER *ciph = ssl3_get_cipher(u);
315 
316     if (ciph != NULL) {
317         if (ciph->algorithm_enc == SSL_RC4)
318             return NULL;
319     }
320 
321     return ciph;
322 }
323 
324 void dtls1_start_timer(SSL *s)
325 {
326 #ifndef OPENSSL_NO_SCTP
327     /* Disable timer for SCTP */
328     if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
329         memset(&(s->d1->next_timeout), 0, sizeof(struct timeval));
330         return;
331     }
332 #endif
333 
334     /* If timer is not set, initialize duration with 1 second */
335     if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) {
336         s->d1->timeout_duration = 1;
337     }
338 
339     /* Set timeout to current time */
340     get_current_time(&(s->d1->next_timeout));
341 
342     /* Add duration to current time */
343     s->d1->next_timeout.tv_sec += s->d1->timeout_duration;
344     BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
345              &(s->d1->next_timeout));
346 }
347 
348 struct timeval *dtls1_get_timeout(SSL *s, struct timeval *timeleft)
349 {
350     struct timeval timenow;
351 
352     /* If no timeout is set, just return NULL */
353     if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) {
354         return NULL;
355     }
356 
357     /* Get current time */
358     get_current_time(&timenow);
359 
360     /* If timer already expired, set remaining time to 0 */
361     if (s->d1->next_timeout.tv_sec < timenow.tv_sec ||
362         (s->d1->next_timeout.tv_sec == timenow.tv_sec &&
363          s->d1->next_timeout.tv_usec <= timenow.tv_usec)) {
364         memset(timeleft, 0, sizeof(struct timeval));
365         return timeleft;
366     }
367 
368     /* Calculate time left until timer expires */
369     memcpy(timeleft, &(s->d1->next_timeout), sizeof(struct timeval));
370     timeleft->tv_sec -= timenow.tv_sec;
371     timeleft->tv_usec -= timenow.tv_usec;
372     if (timeleft->tv_usec < 0) {
373         timeleft->tv_sec--;
374         timeleft->tv_usec += 1000000;
375     }
376 
377     /*
378      * If remaining time is less than 15 ms, set it to 0 to prevent issues
379      * because of small devergences with socket timeouts.
380      */
381     if (timeleft->tv_sec == 0 && timeleft->tv_usec < 15000) {
382         memset(timeleft, 0, sizeof(struct timeval));
383     }
384 
385     return timeleft;
386 }
387 
388 int dtls1_is_timer_expired(SSL *s)
389 {
390     struct timeval timeleft;
391 
392     /* Get time left until timeout, return false if no timer running */
393     if (dtls1_get_timeout(s, &timeleft) == NULL) {
394         return 0;
395     }
396 
397     /* Return false if timer is not expired yet */
398     if (timeleft.tv_sec > 0 || timeleft.tv_usec > 0) {
399         return 0;
400     }
401 
402     /* Timer expired, so return true */
403     return 1;
404 }
405 
406 void dtls1_double_timeout(SSL *s)
407 {
408     s->d1->timeout_duration *= 2;
409     if (s->d1->timeout_duration > 60)
410         s->d1->timeout_duration = 60;
411     dtls1_start_timer(s);
412 }
413 
414 void dtls1_stop_timer(SSL *s)
415 {
416     /* Reset everything */
417     memset(&(s->d1->timeout), 0, sizeof(struct dtls1_timeout_st));
418     memset(&(s->d1->next_timeout), 0, sizeof(struct timeval));
419     s->d1->timeout_duration = 1;
420     BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
421              &(s->d1->next_timeout));
422     /* Clear retransmission buffer */
423     dtls1_clear_record_buffer(s);
424 }
425 
426 int dtls1_check_timeout_num(SSL *s)
427 {
428     unsigned int mtu;
429 
430     s->d1->timeout.num_alerts++;
431 
432     /* Reduce MTU after 2 unsuccessful retransmissions */
433     if (s->d1->timeout.num_alerts > 2
434         && !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) {
435         mtu =
436             BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0,
437                      NULL);
438         if (mtu < s->d1->mtu)
439             s->d1->mtu = mtu;
440     }
441 
442     if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) {
443         /* fail the connection, enough alerts have been sent */
444         SSLerr(SSL_F_DTLS1_CHECK_TIMEOUT_NUM, SSL_R_READ_TIMEOUT_EXPIRED);
445         return -1;
446     }
447 
448     return 0;
449 }
450 
451 int dtls1_handle_timeout(SSL *s)
452 {
453     /* if no timer is expired, don't do anything */
454     if (!dtls1_is_timer_expired(s)) {
455         return 0;
456     }
457 
458     dtls1_double_timeout(s);
459 
460     if (dtls1_check_timeout_num(s) < 0)
461         return -1;
462 
463     s->d1->timeout.read_timeouts++;
464     if (s->d1->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) {
465         s->d1->timeout.read_timeouts = 1;
466     }
467 #ifndef OPENSSL_NO_HEARTBEATS
468     if (s->tlsext_hb_pending) {
469         s->tlsext_hb_pending = 0;
470         return dtls1_heartbeat(s);
471     }
472 #endif
473 
474     dtls1_start_timer(s);
475     return dtls1_retransmit_buffered_messages(s);
476 }
477 
478 static void get_current_time(struct timeval *t)
479 {
480 #ifdef OPENSSL_SYS_WIN32
481     struct _timeb tb;
482     _ftime(&tb);
483     t->tv_sec = (long)tb.time;
484     t->tv_usec = (long)tb.millitm * 1000;
485 #elif defined(OPENSSL_SYS_VMS)
486     struct timeb tb;
487     ftime(&tb);
488     t->tv_sec = (long)tb.time;
489     t->tv_usec = (long)tb.millitm * 1000;
490 #else
491     gettimeofday(t, NULL);
492 #endif
493 }
494 
495 int dtls1_listen(SSL *s, struct sockaddr *client)
496 {
497     int ret;
498 
499     /* Ensure there is no state left over from a previous invocation */
500     SSL_clear(s);
501 
502     SSL_set_options(s, SSL_OP_COOKIE_EXCHANGE);
503     s->d1->listen = 1;
504 
505     ret = SSL_accept(s);
506     if (ret <= 0)
507         return ret;
508 
509     (void)BIO_dgram_get_peer(SSL_get_rbio(s), client);
510     return 1;
511 }
512