1 /* ssl/d1_lib.c */ 2 /* 3 * DTLS implementation written by Nagendra Modadugu 4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 5 */ 6 /* ==================================================================== 7 * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in 18 * the documentation and/or other materials provided with the 19 * distribution. 20 * 21 * 3. All advertising materials mentioning features or use of this 22 * software must display the following acknowledgment: 23 * "This product includes software developed by the OpenSSL Project 24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 25 * 26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 27 * endorse or promote products derived from this software without 28 * prior written permission. For written permission, please contact 29 * openssl-core@OpenSSL.org. 30 * 31 * 5. Products derived from this software may not be called "OpenSSL" 32 * nor may "OpenSSL" appear in their names without prior written 33 * permission of the OpenSSL Project. 34 * 35 * 6. Redistributions of any form whatsoever must retain the following 36 * acknowledgment: 37 * "This product includes software developed by the OpenSSL Project 38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 39 * 40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 51 * OF THE POSSIBILITY OF SUCH DAMAGE. 52 * ==================================================================== 53 * 54 * This product includes cryptographic software written by Eric Young 55 * (eay@cryptsoft.com). This product includes software written by Tim 56 * Hudson (tjh@cryptsoft.com). 57 * 58 */ 59 60 #include <stdio.h> 61 #define USE_SOCKETS 62 #include <openssl/objects.h> 63 #include "ssl_locl.h" 64 65 #if defined(OPENSSL_SYS_VMS) 66 # include <sys/timeb.h> 67 #endif 68 69 static void get_current_time(struct timeval *t); 70 static void dtls1_set_handshake_header(SSL *s, int type, unsigned long len); 71 static int dtls1_handshake_write(SSL *s); 72 const char dtls1_version_str[] = "DTLSv1" OPENSSL_VERSION_PTEXT; 73 int dtls1_listen(SSL *s, struct sockaddr *client); 74 75 SSL3_ENC_METHOD DTLSv1_enc_data = { 76 tls1_enc, 77 tls1_mac, 78 tls1_setup_key_block, 79 tls1_generate_master_secret, 80 tls1_change_cipher_state, 81 tls1_final_finish_mac, 82 TLS1_FINISH_MAC_LENGTH, 83 tls1_cert_verify_mac, 84 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 85 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 86 tls1_alert_code, 87 tls1_export_keying_material, 88 SSL_ENC_FLAG_DTLS | SSL_ENC_FLAG_EXPLICIT_IV, 89 DTLS1_HM_HEADER_LENGTH, 90 dtls1_set_handshake_header, 91 dtls1_handshake_write 92 }; 93 94 SSL3_ENC_METHOD DTLSv1_2_enc_data = { 95 tls1_enc, 96 tls1_mac, 97 tls1_setup_key_block, 98 tls1_generate_master_secret, 99 tls1_change_cipher_state, 100 tls1_final_finish_mac, 101 TLS1_FINISH_MAC_LENGTH, 102 tls1_cert_verify_mac, 103 TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE, 104 TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 105 tls1_alert_code, 106 tls1_export_keying_material, 107 SSL_ENC_FLAG_DTLS | SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS 108 | SSL_ENC_FLAG_SHA256_PRF | SSL_ENC_FLAG_TLS1_2_CIPHERS, 109 DTLS1_HM_HEADER_LENGTH, 110 dtls1_set_handshake_header, 111 dtls1_handshake_write 112 }; 113 114 long dtls1_default_timeout(void) 115 { 116 /* 117 * 2 hours, the 24 hours mentioned in the DTLSv1 spec is way too long for 118 * http, the cache would over fill 119 */ 120 return (60 * 60 * 2); 121 } 122 123 int dtls1_new(SSL *s) 124 { 125 DTLS1_STATE *d1; 126 127 if (!ssl3_new(s)) 128 return (0); 129 if ((d1 = OPENSSL_malloc(sizeof *d1)) == NULL) 130 return (0); 131 memset(d1, 0, sizeof *d1); 132 133 /* d1->handshake_epoch=0; */ 134 135 d1->unprocessed_rcds.q = pqueue_new(); 136 d1->processed_rcds.q = pqueue_new(); 137 d1->buffered_messages = pqueue_new(); 138 d1->sent_messages = pqueue_new(); 139 d1->buffered_app_data.q = pqueue_new(); 140 141 if (s->server) { 142 d1->cookie_len = sizeof(s->d1->cookie); 143 } 144 145 d1->link_mtu = 0; 146 d1->mtu = 0; 147 148 if (!d1->unprocessed_rcds.q || !d1->processed_rcds.q 149 || !d1->buffered_messages || !d1->sent_messages 150 || !d1->buffered_app_data.q) { 151 if (d1->unprocessed_rcds.q) 152 pqueue_free(d1->unprocessed_rcds.q); 153 if (d1->processed_rcds.q) 154 pqueue_free(d1->processed_rcds.q); 155 if (d1->buffered_messages) 156 pqueue_free(d1->buffered_messages); 157 if (d1->sent_messages) 158 pqueue_free(d1->sent_messages); 159 if (d1->buffered_app_data.q) 160 pqueue_free(d1->buffered_app_data.q); 161 OPENSSL_free(d1); 162 return (0); 163 } 164 165 s->d1 = d1; 166 s->method->ssl_clear(s); 167 return (1); 168 } 169 170 static void dtls1_clear_queues(SSL *s) 171 { 172 pitem *item = NULL; 173 DTLS1_RECORD_DATA *rdata; 174 175 while ((item = pqueue_pop(s->d1->unprocessed_rcds.q)) != NULL) { 176 rdata = (DTLS1_RECORD_DATA *)item->data; 177 if (rdata->rbuf.buf) { 178 OPENSSL_free(rdata->rbuf.buf); 179 } 180 OPENSSL_free(item->data); 181 pitem_free(item); 182 } 183 184 while ((item = pqueue_pop(s->d1->processed_rcds.q)) != NULL) { 185 rdata = (DTLS1_RECORD_DATA *)item->data; 186 if (rdata->rbuf.buf) { 187 OPENSSL_free(rdata->rbuf.buf); 188 } 189 OPENSSL_free(item->data); 190 pitem_free(item); 191 } 192 193 while ((item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL) { 194 rdata = (DTLS1_RECORD_DATA *)item->data; 195 if (rdata->rbuf.buf) { 196 OPENSSL_free(rdata->rbuf.buf); 197 } 198 OPENSSL_free(item->data); 199 pitem_free(item); 200 } 201 202 dtls1_clear_received_buffer(s); 203 dtls1_clear_sent_buffer(s); 204 } 205 206 void dtls1_clear_received_buffer(SSL *s) 207 { 208 pitem *item = NULL; 209 hm_fragment *frag = NULL; 210 211 while ((item = pqueue_pop(s->d1->buffered_messages)) != NULL) { 212 frag = (hm_fragment *)item->data; 213 dtls1_hm_fragment_free(frag); 214 pitem_free(item); 215 } 216 } 217 218 void dtls1_clear_sent_buffer(SSL *s) 219 { 220 pitem *item = NULL; 221 hm_fragment *frag = NULL; 222 223 while ((item = pqueue_pop(s->d1->sent_messages)) != NULL) { 224 frag = (hm_fragment *)item->data; 225 dtls1_hm_fragment_free(frag); 226 pitem_free(item); 227 } 228 } 229 230 231 void dtls1_free(SSL *s) 232 { 233 ssl3_free(s); 234 235 dtls1_clear_queues(s); 236 237 pqueue_free(s->d1->unprocessed_rcds.q); 238 pqueue_free(s->d1->processed_rcds.q); 239 pqueue_free(s->d1->buffered_messages); 240 pqueue_free(s->d1->sent_messages); 241 pqueue_free(s->d1->buffered_app_data.q); 242 243 OPENSSL_free(s->d1); 244 s->d1 = NULL; 245 } 246 247 void dtls1_clear(SSL *s) 248 { 249 pqueue unprocessed_rcds; 250 pqueue processed_rcds; 251 pqueue buffered_messages; 252 pqueue sent_messages; 253 pqueue buffered_app_data; 254 unsigned int mtu; 255 unsigned int link_mtu; 256 257 if (s->d1) { 258 unprocessed_rcds = s->d1->unprocessed_rcds.q; 259 processed_rcds = s->d1->processed_rcds.q; 260 buffered_messages = s->d1->buffered_messages; 261 sent_messages = s->d1->sent_messages; 262 buffered_app_data = s->d1->buffered_app_data.q; 263 mtu = s->d1->mtu; 264 link_mtu = s->d1->link_mtu; 265 266 dtls1_clear_queues(s); 267 268 memset(s->d1, 0, sizeof(*(s->d1))); 269 270 if (s->server) { 271 s->d1->cookie_len = sizeof(s->d1->cookie); 272 } 273 274 if (SSL_get_options(s) & SSL_OP_NO_QUERY_MTU) { 275 s->d1->mtu = mtu; 276 s->d1->link_mtu = link_mtu; 277 } 278 279 s->d1->unprocessed_rcds.q = unprocessed_rcds; 280 s->d1->processed_rcds.q = processed_rcds; 281 s->d1->buffered_messages = buffered_messages; 282 s->d1->sent_messages = sent_messages; 283 s->d1->buffered_app_data.q = buffered_app_data; 284 } 285 286 ssl3_clear(s); 287 if (s->options & SSL_OP_CISCO_ANYCONNECT) 288 s->client_version = s->version = DTLS1_BAD_VER; 289 else if (s->method->version == DTLS_ANY_VERSION) 290 s->version = DTLS1_2_VERSION; 291 else 292 s->version = s->method->version; 293 } 294 295 long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg) 296 { 297 int ret = 0; 298 299 switch (cmd) { 300 case DTLS_CTRL_GET_TIMEOUT: 301 if (dtls1_get_timeout(s, (struct timeval *)parg) != NULL) { 302 ret = 1; 303 } 304 break; 305 case DTLS_CTRL_HANDLE_TIMEOUT: 306 ret = dtls1_handle_timeout(s); 307 break; 308 case DTLS_CTRL_LISTEN: 309 ret = dtls1_listen(s, parg); 310 break; 311 case SSL_CTRL_CHECK_PROTO_VERSION: 312 /* 313 * For library-internal use; checks that the current protocol is the 314 * highest enabled version (according to s->ctx->method, as version 315 * negotiation may have changed s->method). 316 */ 317 if (s->version == s->ctx->method->version) 318 return 1; 319 /* 320 * Apparently we're using a version-flexible SSL_METHOD (not at its 321 * highest protocol version). 322 */ 323 if (s->ctx->method->version == DTLS_method()->version) { 324 #if DTLS_MAX_VERSION != DTLS1_2_VERSION 325 # error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION. 326 #endif 327 if (!(s->options & SSL_OP_NO_DTLSv1_2)) 328 return s->version == DTLS1_2_VERSION; 329 if (!(s->options & SSL_OP_NO_DTLSv1)) 330 return s->version == DTLS1_VERSION; 331 } 332 return 0; /* Unexpected state; fail closed. */ 333 case DTLS_CTRL_SET_LINK_MTU: 334 if (larg < (long)dtls1_link_min_mtu()) 335 return 0; 336 s->d1->link_mtu = larg; 337 return 1; 338 case DTLS_CTRL_GET_LINK_MIN_MTU: 339 return (long)dtls1_link_min_mtu(); 340 case SSL_CTRL_SET_MTU: 341 /* 342 * We may not have a BIO set yet so can't call dtls1_min_mtu() 343 * We'll have to make do with dtls1_link_min_mtu() and max overhead 344 */ 345 if (larg < (long)dtls1_link_min_mtu() - DTLS1_MAX_MTU_OVERHEAD) 346 return 0; 347 s->d1->mtu = larg; 348 return larg; 349 default: 350 ret = ssl3_ctrl(s, cmd, larg, parg); 351 break; 352 } 353 return (ret); 354 } 355 356 /* 357 * As it's impossible to use stream ciphers in "datagram" mode, this 358 * simple filter is designed to disengage them in DTLS. Unfortunately 359 * there is no universal way to identify stream SSL_CIPHER, so we have 360 * to explicitly list their SSL_* codes. Currently RC4 is the only one 361 * available, but if new ones emerge, they will have to be added... 362 */ 363 const SSL_CIPHER *dtls1_get_cipher(unsigned int u) 364 { 365 const SSL_CIPHER *ciph = ssl3_get_cipher(u); 366 367 if (ciph != NULL) { 368 if (ciph->algorithm_enc == SSL_RC4) 369 return NULL; 370 } 371 372 return ciph; 373 } 374 375 void dtls1_start_timer(SSL *s) 376 { 377 #ifndef OPENSSL_NO_SCTP 378 /* Disable timer for SCTP */ 379 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) { 380 memset(&(s->d1->next_timeout), 0, sizeof(struct timeval)); 381 return; 382 } 383 #endif 384 385 /* If timer is not set, initialize duration with 1 second */ 386 if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) { 387 s->d1->timeout_duration = 1; 388 } 389 390 /* Set timeout to current time */ 391 get_current_time(&(s->d1->next_timeout)); 392 393 /* Add duration to current time */ 394 s->d1->next_timeout.tv_sec += s->d1->timeout_duration; 395 BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, 396 &(s->d1->next_timeout)); 397 } 398 399 struct timeval *dtls1_get_timeout(SSL *s, struct timeval *timeleft) 400 { 401 struct timeval timenow; 402 403 /* If no timeout is set, just return NULL */ 404 if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) { 405 return NULL; 406 } 407 408 /* Get current time */ 409 get_current_time(&timenow); 410 411 /* If timer already expired, set remaining time to 0 */ 412 if (s->d1->next_timeout.tv_sec < timenow.tv_sec || 413 (s->d1->next_timeout.tv_sec == timenow.tv_sec && 414 s->d1->next_timeout.tv_usec <= timenow.tv_usec)) { 415 memset(timeleft, 0, sizeof(struct timeval)); 416 return timeleft; 417 } 418 419 /* Calculate time left until timer expires */ 420 memcpy(timeleft, &(s->d1->next_timeout), sizeof(struct timeval)); 421 timeleft->tv_sec -= timenow.tv_sec; 422 timeleft->tv_usec -= timenow.tv_usec; 423 if (timeleft->tv_usec < 0) { 424 timeleft->tv_sec--; 425 timeleft->tv_usec += 1000000; 426 } 427 428 /* 429 * If remaining time is less than 15 ms, set it to 0 to prevent issues 430 * because of small devergences with socket timeouts. 431 */ 432 if (timeleft->tv_sec == 0 && timeleft->tv_usec < 15000) { 433 memset(timeleft, 0, sizeof(struct timeval)); 434 } 435 436 return timeleft; 437 } 438 439 int dtls1_is_timer_expired(SSL *s) 440 { 441 struct timeval timeleft; 442 443 /* Get time left until timeout, return false if no timer running */ 444 if (dtls1_get_timeout(s, &timeleft) == NULL) { 445 return 0; 446 } 447 448 /* Return false if timer is not expired yet */ 449 if (timeleft.tv_sec > 0 || timeleft.tv_usec > 0) { 450 return 0; 451 } 452 453 /* Timer expired, so return true */ 454 return 1; 455 } 456 457 void dtls1_double_timeout(SSL *s) 458 { 459 s->d1->timeout_duration *= 2; 460 if (s->d1->timeout_duration > 60) 461 s->d1->timeout_duration = 60; 462 dtls1_start_timer(s); 463 } 464 465 void dtls1_stop_timer(SSL *s) 466 { 467 /* Reset everything */ 468 memset(&(s->d1->timeout), 0, sizeof(struct dtls1_timeout_st)); 469 memset(&(s->d1->next_timeout), 0, sizeof(struct timeval)); 470 s->d1->timeout_duration = 1; 471 BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, 472 &(s->d1->next_timeout)); 473 /* Clear retransmission buffer */ 474 dtls1_clear_sent_buffer(s); 475 } 476 477 int dtls1_check_timeout_num(SSL *s) 478 { 479 unsigned int mtu; 480 481 s->d1->timeout.num_alerts++; 482 483 /* Reduce MTU after 2 unsuccessful retransmissions */ 484 if (s->d1->timeout.num_alerts > 2 485 && !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) { 486 mtu = 487 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, 488 NULL); 489 if (mtu < s->d1->mtu) 490 s->d1->mtu = mtu; 491 } 492 493 if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) { 494 /* fail the connection, enough alerts have been sent */ 495 SSLerr(SSL_F_DTLS1_CHECK_TIMEOUT_NUM, SSL_R_READ_TIMEOUT_EXPIRED); 496 return -1; 497 } 498 499 return 0; 500 } 501 502 int dtls1_handle_timeout(SSL *s) 503 { 504 /* if no timer is expired, don't do anything */ 505 if (!dtls1_is_timer_expired(s)) { 506 return 0; 507 } 508 509 dtls1_double_timeout(s); 510 511 if (dtls1_check_timeout_num(s) < 0) 512 return -1; 513 514 s->d1->timeout.read_timeouts++; 515 if (s->d1->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) { 516 s->d1->timeout.read_timeouts = 1; 517 } 518 #ifndef OPENSSL_NO_HEARTBEATS 519 if (s->tlsext_hb_pending) { 520 s->tlsext_hb_pending = 0; 521 return dtls1_heartbeat(s); 522 } 523 #endif 524 525 dtls1_start_timer(s); 526 return dtls1_retransmit_buffered_messages(s); 527 } 528 529 static void get_current_time(struct timeval *t) 530 { 531 #if defined(_WIN32) 532 SYSTEMTIME st; 533 union { 534 unsigned __int64 ul; 535 FILETIME ft; 536 } now; 537 538 GetSystemTime(&st); 539 SystemTimeToFileTime(&st, &now.ft); 540 # ifdef __MINGW32__ 541 now.ul -= 116444736000000000ULL; 542 # else 543 now.ul -= 116444736000000000UI64; /* re-bias to 1/1/1970 */ 544 # endif 545 t->tv_sec = (long)(now.ul / 10000000); 546 t->tv_usec = ((int)(now.ul % 10000000)) / 10; 547 #elif defined(OPENSSL_SYS_VMS) 548 struct timeb tb; 549 ftime(&tb); 550 t->tv_sec = (long)tb.time; 551 t->tv_usec = (long)tb.millitm * 1000; 552 #else 553 gettimeofday(t, NULL); 554 #endif 555 } 556 557 int dtls1_listen(SSL *s, struct sockaddr *client) 558 { 559 int ret; 560 561 /* Ensure there is no state left over from a previous invocation */ 562 SSL_clear(s); 563 564 SSL_set_options(s, SSL_OP_COOKIE_EXCHANGE); 565 s->d1->listen = 1; 566 567 ret = SSL_accept(s); 568 if (ret <= 0) 569 return ret; 570 571 (void)BIO_dgram_get_peer(SSL_get_rbio(s), client); 572 return 1; 573 } 574 575 static void dtls1_set_handshake_header(SSL *s, int htype, unsigned long len) 576 { 577 unsigned char *p = (unsigned char *)s->init_buf->data; 578 dtls1_set_message_header(s, p, htype, len, 0, len); 579 s->init_num = (int)len + DTLS1_HM_HEADER_LENGTH; 580 s->init_off = 0; 581 /* Buffer the message to handle re-xmits */ 582 dtls1_buffer_message(s, 0); 583 } 584 585 static int dtls1_handshake_write(SSL *s) 586 { 587 return dtls1_do_write(s, SSL3_RT_HANDSHAKE); 588 } 589