xref: /freebsd/crypto/openssl/ssl/d1_lib.c (revision d8a0fe102c0cfdfcd5b818f850eff09d8536c9bc)
1 /* ssl/d1_lib.c */
2 /*
3  * DTLS implementation written by Nagendra Modadugu
4  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
5  */
6 /* ====================================================================
7  * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  *
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  *
16  * 2. Redistributions in binary form must reproduce the above copyright
17  *    notice, this list of conditions and the following disclaimer in
18  *    the documentation and/or other materials provided with the
19  *    distribution.
20  *
21  * 3. All advertising materials mentioning features or use of this
22  *    software must display the following acknowledgment:
23  *    "This product includes software developed by the OpenSSL Project
24  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25  *
26  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27  *    endorse or promote products derived from this software without
28  *    prior written permission. For written permission, please contact
29  *    openssl-core@OpenSSL.org.
30  *
31  * 5. Products derived from this software may not be called "OpenSSL"
32  *    nor may "OpenSSL" appear in their names without prior written
33  *    permission of the OpenSSL Project.
34  *
35  * 6. Redistributions of any form whatsoever must retain the following
36  *    acknowledgment:
37  *    "This product includes software developed by the OpenSSL Project
38  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
44  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51  * OF THE POSSIBILITY OF SUCH DAMAGE.
52  * ====================================================================
53  *
54  * This product includes cryptographic software written by Eric Young
55  * (eay@cryptsoft.com).  This product includes software written by Tim
56  * Hudson (tjh@cryptsoft.com).
57  *
58  */
59 
60 #include <stdio.h>
61 #define USE_SOCKETS
62 #include <openssl/objects.h>
63 #include "ssl_locl.h"
64 
65 #if defined(OPENSSL_SYS_VMS)
66 # include <sys/timeb.h>
67 #endif
68 
69 static void get_current_time(struct timeval *t);
70 static void dtls1_set_handshake_header(SSL *s, int type, unsigned long len);
71 static int dtls1_handshake_write(SSL *s);
72 const char dtls1_version_str[] = "DTLSv1" OPENSSL_VERSION_PTEXT;
73 int dtls1_listen(SSL *s, struct sockaddr *client);
74 
75 SSL3_ENC_METHOD DTLSv1_enc_data = {
76     tls1_enc,
77     tls1_mac,
78     tls1_setup_key_block,
79     tls1_generate_master_secret,
80     tls1_change_cipher_state,
81     tls1_final_finish_mac,
82     TLS1_FINISH_MAC_LENGTH,
83     tls1_cert_verify_mac,
84     TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
85     TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
86     tls1_alert_code,
87     tls1_export_keying_material,
88     SSL_ENC_FLAG_DTLS | SSL_ENC_FLAG_EXPLICIT_IV,
89     DTLS1_HM_HEADER_LENGTH,
90     dtls1_set_handshake_header,
91     dtls1_handshake_write
92 };
93 
94 SSL3_ENC_METHOD DTLSv1_2_enc_data = {
95     tls1_enc,
96     tls1_mac,
97     tls1_setup_key_block,
98     tls1_generate_master_secret,
99     tls1_change_cipher_state,
100     tls1_final_finish_mac,
101     TLS1_FINISH_MAC_LENGTH,
102     tls1_cert_verify_mac,
103     TLS_MD_CLIENT_FINISH_CONST, TLS_MD_CLIENT_FINISH_CONST_SIZE,
104     TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
105     tls1_alert_code,
106     tls1_export_keying_material,
107     SSL_ENC_FLAG_DTLS | SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS
108         | SSL_ENC_FLAG_SHA256_PRF | SSL_ENC_FLAG_TLS1_2_CIPHERS,
109     DTLS1_HM_HEADER_LENGTH,
110     dtls1_set_handshake_header,
111     dtls1_handshake_write
112 };
113 
114 long dtls1_default_timeout(void)
115 {
116     /*
117      * 2 hours, the 24 hours mentioned in the DTLSv1 spec is way too long for
118      * http, the cache would over fill
119      */
120     return (60 * 60 * 2);
121 }
122 
123 int dtls1_new(SSL *s)
124 {
125     DTLS1_STATE *d1;
126 
127     if (!ssl3_new(s))
128         return (0);
129     if ((d1 = OPENSSL_malloc(sizeof *d1)) == NULL)
130         return (0);
131     memset(d1, 0, sizeof *d1);
132 
133     /* d1->handshake_epoch=0; */
134 
135     d1->unprocessed_rcds.q = pqueue_new();
136     d1->processed_rcds.q = pqueue_new();
137     d1->buffered_messages = pqueue_new();
138     d1->sent_messages = pqueue_new();
139     d1->buffered_app_data.q = pqueue_new();
140 
141     if (s->server) {
142         d1->cookie_len = sizeof(s->d1->cookie);
143     }
144 
145     d1->link_mtu = 0;
146     d1->mtu = 0;
147 
148     if (!d1->unprocessed_rcds.q || !d1->processed_rcds.q
149         || !d1->buffered_messages || !d1->sent_messages
150         || !d1->buffered_app_data.q) {
151         if (d1->unprocessed_rcds.q)
152             pqueue_free(d1->unprocessed_rcds.q);
153         if (d1->processed_rcds.q)
154             pqueue_free(d1->processed_rcds.q);
155         if (d1->buffered_messages)
156             pqueue_free(d1->buffered_messages);
157         if (d1->sent_messages)
158             pqueue_free(d1->sent_messages);
159         if (d1->buffered_app_data.q)
160             pqueue_free(d1->buffered_app_data.q);
161         OPENSSL_free(d1);
162         return (0);
163     }
164 
165     s->d1 = d1;
166     s->method->ssl_clear(s);
167     return (1);
168 }
169 
170 static void dtls1_clear_queues(SSL *s)
171 {
172     pitem *item = NULL;
173     DTLS1_RECORD_DATA *rdata;
174 
175     while ((item = pqueue_pop(s->d1->unprocessed_rcds.q)) != NULL) {
176         rdata = (DTLS1_RECORD_DATA *)item->data;
177         if (rdata->rbuf.buf) {
178             OPENSSL_free(rdata->rbuf.buf);
179         }
180         OPENSSL_free(item->data);
181         pitem_free(item);
182     }
183 
184     while ((item = pqueue_pop(s->d1->processed_rcds.q)) != NULL) {
185         rdata = (DTLS1_RECORD_DATA *)item->data;
186         if (rdata->rbuf.buf) {
187             OPENSSL_free(rdata->rbuf.buf);
188         }
189         OPENSSL_free(item->data);
190         pitem_free(item);
191     }
192 
193     while ((item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL) {
194         rdata = (DTLS1_RECORD_DATA *)item->data;
195         if (rdata->rbuf.buf) {
196             OPENSSL_free(rdata->rbuf.buf);
197         }
198         OPENSSL_free(item->data);
199         pitem_free(item);
200     }
201 
202     dtls1_clear_received_buffer(s);
203     dtls1_clear_sent_buffer(s);
204 }
205 
206 void dtls1_clear_received_buffer(SSL *s)
207 {
208     pitem *item = NULL;
209     hm_fragment *frag = NULL;
210 
211     while ((item = pqueue_pop(s->d1->buffered_messages)) != NULL) {
212         frag = (hm_fragment *)item->data;
213         dtls1_hm_fragment_free(frag);
214         pitem_free(item);
215     }
216 }
217 
218 void dtls1_clear_sent_buffer(SSL *s)
219 {
220     pitem *item = NULL;
221     hm_fragment *frag = NULL;
222 
223     while ((item = pqueue_pop(s->d1->sent_messages)) != NULL) {
224         frag = (hm_fragment *)item->data;
225         dtls1_hm_fragment_free(frag);
226         pitem_free(item);
227     }
228 }
229 
230 
231 void dtls1_free(SSL *s)
232 {
233     ssl3_free(s);
234 
235     dtls1_clear_queues(s);
236 
237     pqueue_free(s->d1->unprocessed_rcds.q);
238     pqueue_free(s->d1->processed_rcds.q);
239     pqueue_free(s->d1->buffered_messages);
240     pqueue_free(s->d1->sent_messages);
241     pqueue_free(s->d1->buffered_app_data.q);
242 
243     OPENSSL_free(s->d1);
244     s->d1 = NULL;
245 }
246 
247 void dtls1_clear(SSL *s)
248 {
249     pqueue unprocessed_rcds;
250     pqueue processed_rcds;
251     pqueue buffered_messages;
252     pqueue sent_messages;
253     pqueue buffered_app_data;
254     unsigned int mtu;
255     unsigned int link_mtu;
256 
257     if (s->d1) {
258         unprocessed_rcds = s->d1->unprocessed_rcds.q;
259         processed_rcds = s->d1->processed_rcds.q;
260         buffered_messages = s->d1->buffered_messages;
261         sent_messages = s->d1->sent_messages;
262         buffered_app_data = s->d1->buffered_app_data.q;
263         mtu = s->d1->mtu;
264         link_mtu = s->d1->link_mtu;
265 
266         dtls1_clear_queues(s);
267 
268         memset(s->d1, 0, sizeof(*(s->d1)));
269 
270         if (s->server) {
271             s->d1->cookie_len = sizeof(s->d1->cookie);
272         }
273 
274         if (SSL_get_options(s) & SSL_OP_NO_QUERY_MTU) {
275             s->d1->mtu = mtu;
276             s->d1->link_mtu = link_mtu;
277         }
278 
279         s->d1->unprocessed_rcds.q = unprocessed_rcds;
280         s->d1->processed_rcds.q = processed_rcds;
281         s->d1->buffered_messages = buffered_messages;
282         s->d1->sent_messages = sent_messages;
283         s->d1->buffered_app_data.q = buffered_app_data;
284     }
285 
286     ssl3_clear(s);
287     if (s->options & SSL_OP_CISCO_ANYCONNECT)
288         s->client_version = s->version = DTLS1_BAD_VER;
289     else if (s->method->version == DTLS_ANY_VERSION)
290         s->version = DTLS1_2_VERSION;
291     else
292         s->version = s->method->version;
293 }
294 
295 long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
296 {
297     int ret = 0;
298 
299     switch (cmd) {
300     case DTLS_CTRL_GET_TIMEOUT:
301         if (dtls1_get_timeout(s, (struct timeval *)parg) != NULL) {
302             ret = 1;
303         }
304         break;
305     case DTLS_CTRL_HANDLE_TIMEOUT:
306         ret = dtls1_handle_timeout(s);
307         break;
308     case DTLS_CTRL_LISTEN:
309         ret = dtls1_listen(s, parg);
310         break;
311     case SSL_CTRL_CHECK_PROTO_VERSION:
312         /*
313          * For library-internal use; checks that the current protocol is the
314          * highest enabled version (according to s->ctx->method, as version
315          * negotiation may have changed s->method).
316          */
317         if (s->version == s->ctx->method->version)
318             return 1;
319         /*
320          * Apparently we're using a version-flexible SSL_METHOD (not at its
321          * highest protocol version).
322          */
323         if (s->ctx->method->version == DTLS_method()->version) {
324 #if DTLS_MAX_VERSION != DTLS1_2_VERSION
325 # error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
326 #endif
327             if (!(s->options & SSL_OP_NO_DTLSv1_2))
328                 return s->version == DTLS1_2_VERSION;
329             if (!(s->options & SSL_OP_NO_DTLSv1))
330                 return s->version == DTLS1_VERSION;
331         }
332         return 0;               /* Unexpected state; fail closed. */
333     case DTLS_CTRL_SET_LINK_MTU:
334         if (larg < (long)dtls1_link_min_mtu())
335             return 0;
336         s->d1->link_mtu = larg;
337         return 1;
338     case DTLS_CTRL_GET_LINK_MIN_MTU:
339         return (long)dtls1_link_min_mtu();
340     case SSL_CTRL_SET_MTU:
341         /*
342          *  We may not have a BIO set yet so can't call dtls1_min_mtu()
343          *  We'll have to make do with dtls1_link_min_mtu() and max overhead
344          */
345         if (larg < (long)dtls1_link_min_mtu() - DTLS1_MAX_MTU_OVERHEAD)
346             return 0;
347         s->d1->mtu = larg;
348         return larg;
349     default:
350         ret = ssl3_ctrl(s, cmd, larg, parg);
351         break;
352     }
353     return (ret);
354 }
355 
356 /*
357  * As it's impossible to use stream ciphers in "datagram" mode, this
358  * simple filter is designed to disengage them in DTLS. Unfortunately
359  * there is no universal way to identify stream SSL_CIPHER, so we have
360  * to explicitly list their SSL_* codes. Currently RC4 is the only one
361  * available, but if new ones emerge, they will have to be added...
362  */
363 const SSL_CIPHER *dtls1_get_cipher(unsigned int u)
364 {
365     const SSL_CIPHER *ciph = ssl3_get_cipher(u);
366 
367     if (ciph != NULL) {
368         if (ciph->algorithm_enc == SSL_RC4)
369             return NULL;
370     }
371 
372     return ciph;
373 }
374 
375 void dtls1_start_timer(SSL *s)
376 {
377 #ifndef OPENSSL_NO_SCTP
378     /* Disable timer for SCTP */
379     if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
380         memset(&(s->d1->next_timeout), 0, sizeof(struct timeval));
381         return;
382     }
383 #endif
384 
385     /* If timer is not set, initialize duration with 1 second */
386     if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) {
387         s->d1->timeout_duration = 1;
388     }
389 
390     /* Set timeout to current time */
391     get_current_time(&(s->d1->next_timeout));
392 
393     /* Add duration to current time */
394     s->d1->next_timeout.tv_sec += s->d1->timeout_duration;
395     BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
396              &(s->d1->next_timeout));
397 }
398 
399 struct timeval *dtls1_get_timeout(SSL *s, struct timeval *timeleft)
400 {
401     struct timeval timenow;
402 
403     /* If no timeout is set, just return NULL */
404     if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) {
405         return NULL;
406     }
407 
408     /* Get current time */
409     get_current_time(&timenow);
410 
411     /* If timer already expired, set remaining time to 0 */
412     if (s->d1->next_timeout.tv_sec < timenow.tv_sec ||
413         (s->d1->next_timeout.tv_sec == timenow.tv_sec &&
414          s->d1->next_timeout.tv_usec <= timenow.tv_usec)) {
415         memset(timeleft, 0, sizeof(struct timeval));
416         return timeleft;
417     }
418 
419     /* Calculate time left until timer expires */
420     memcpy(timeleft, &(s->d1->next_timeout), sizeof(struct timeval));
421     timeleft->tv_sec -= timenow.tv_sec;
422     timeleft->tv_usec -= timenow.tv_usec;
423     if (timeleft->tv_usec < 0) {
424         timeleft->tv_sec--;
425         timeleft->tv_usec += 1000000;
426     }
427 
428     /*
429      * If remaining time is less than 15 ms, set it to 0 to prevent issues
430      * because of small devergences with socket timeouts.
431      */
432     if (timeleft->tv_sec == 0 && timeleft->tv_usec < 15000) {
433         memset(timeleft, 0, sizeof(struct timeval));
434     }
435 
436     return timeleft;
437 }
438 
439 int dtls1_is_timer_expired(SSL *s)
440 {
441     struct timeval timeleft;
442 
443     /* Get time left until timeout, return false if no timer running */
444     if (dtls1_get_timeout(s, &timeleft) == NULL) {
445         return 0;
446     }
447 
448     /* Return false if timer is not expired yet */
449     if (timeleft.tv_sec > 0 || timeleft.tv_usec > 0) {
450         return 0;
451     }
452 
453     /* Timer expired, so return true */
454     return 1;
455 }
456 
457 void dtls1_double_timeout(SSL *s)
458 {
459     s->d1->timeout_duration *= 2;
460     if (s->d1->timeout_duration > 60)
461         s->d1->timeout_duration = 60;
462     dtls1_start_timer(s);
463 }
464 
465 void dtls1_stop_timer(SSL *s)
466 {
467     /* Reset everything */
468     memset(&(s->d1->timeout), 0, sizeof(struct dtls1_timeout_st));
469     memset(&(s->d1->next_timeout), 0, sizeof(struct timeval));
470     s->d1->timeout_duration = 1;
471     BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
472              &(s->d1->next_timeout));
473     /* Clear retransmission buffer */
474     dtls1_clear_sent_buffer(s);
475 }
476 
477 int dtls1_check_timeout_num(SSL *s)
478 {
479     unsigned int mtu;
480 
481     s->d1->timeout.num_alerts++;
482 
483     /* Reduce MTU after 2 unsuccessful retransmissions */
484     if (s->d1->timeout.num_alerts > 2
485         && !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) {
486         mtu =
487             BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0,
488                      NULL);
489         if (mtu < s->d1->mtu)
490             s->d1->mtu = mtu;
491     }
492 
493     if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) {
494         /* fail the connection, enough alerts have been sent */
495         SSLerr(SSL_F_DTLS1_CHECK_TIMEOUT_NUM, SSL_R_READ_TIMEOUT_EXPIRED);
496         return -1;
497     }
498 
499     return 0;
500 }
501 
502 int dtls1_handle_timeout(SSL *s)
503 {
504     /* if no timer is expired, don't do anything */
505     if (!dtls1_is_timer_expired(s)) {
506         return 0;
507     }
508 
509     dtls1_double_timeout(s);
510 
511     if (dtls1_check_timeout_num(s) < 0)
512         return -1;
513 
514     s->d1->timeout.read_timeouts++;
515     if (s->d1->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) {
516         s->d1->timeout.read_timeouts = 1;
517     }
518 #ifndef OPENSSL_NO_HEARTBEATS
519     if (s->tlsext_hb_pending) {
520         s->tlsext_hb_pending = 0;
521         return dtls1_heartbeat(s);
522     }
523 #endif
524 
525     dtls1_start_timer(s);
526     return dtls1_retransmit_buffered_messages(s);
527 }
528 
529 static void get_current_time(struct timeval *t)
530 {
531 #if defined(_WIN32)
532     SYSTEMTIME st;
533     union {
534         unsigned __int64 ul;
535         FILETIME ft;
536     } now;
537 
538     GetSystemTime(&st);
539     SystemTimeToFileTime(&st, &now.ft);
540 # ifdef  __MINGW32__
541     now.ul -= 116444736000000000ULL;
542 # else
543     now.ul -= 116444736000000000UI64; /* re-bias to 1/1/1970 */
544 # endif
545     t->tv_sec = (long)(now.ul / 10000000);
546     t->tv_usec = ((int)(now.ul % 10000000)) / 10;
547 #elif defined(OPENSSL_SYS_VMS)
548     struct timeb tb;
549     ftime(&tb);
550     t->tv_sec = (long)tb.time;
551     t->tv_usec = (long)tb.millitm * 1000;
552 #else
553     gettimeofday(t, NULL);
554 #endif
555 }
556 
557 int dtls1_listen(SSL *s, struct sockaddr *client)
558 {
559     int ret;
560 
561     /* Ensure there is no state left over from a previous invocation */
562     SSL_clear(s);
563 
564     SSL_set_options(s, SSL_OP_COOKIE_EXCHANGE);
565     s->d1->listen = 1;
566 
567     ret = SSL_accept(s);
568     if (ret <= 0)
569         return ret;
570 
571     (void)BIO_dgram_get_peer(SSL_get_rbio(s), client);
572     return 1;
573 }
574 
575 static void dtls1_set_handshake_header(SSL *s, int htype, unsigned long len)
576 {
577     unsigned char *p = (unsigned char *)s->init_buf->data;
578     dtls1_set_message_header(s, p, htype, len, 0, len);
579     s->init_num = (int)len + DTLS1_HM_HEADER_LENGTH;
580     s->init_off = 0;
581     /* Buffer the message to handle re-xmits */
582     dtls1_buffer_message(s, 0);
583 }
584 
585 static int dtls1_handshake_write(SSL *s)
586 {
587     return dtls1_do_write(s, SSL3_RT_HANDSHAKE);
588 }
589