1 /* $OpenBSD: d1_lib.c,v 1.64 2022/11/26 16:08:55 tb Exp $ */
2 /*
3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
5 */
6 /* ====================================================================
7 * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
19 * distribution.
20 *
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 *
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * openssl-core@OpenSSL.org.
30 *
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
34 *
35 * 6. Redistributions of any form whatsoever must retain the following
36 * acknowledgment:
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
53 *
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
57 *
58 */
59
60 #include <sys/types.h>
61 #include <sys/socket.h>
62 #include <sys/time.h>
63
64 #include <netinet/in.h>
65
66 #include <stdio.h>
67
68 #include <openssl/objects.h>
69
70 #include "dtls_local.h"
71 #include "pqueue.h"
72 #include "ssl_local.h"
73
74 void dtls1_hm_fragment_free(hm_fragment *frag);
75
76 static int dtls1_listen(SSL *s, struct sockaddr *client);
77
78 int
dtls1_new(SSL * s)79 dtls1_new(SSL *s)
80 {
81 if (!ssl3_new(s))
82 goto err;
83
84 if ((s->d1 = calloc(1, sizeof(*s->d1))) == NULL)
85 goto err;
86
87 if ((s->d1->unprocessed_rcds.q = pqueue_new()) == NULL)
88 goto err;
89 if ((s->d1->buffered_messages = pqueue_new()) == NULL)
90 goto err;
91 if ((s->d1->sent_messages = pqueue_new()) == NULL)
92 goto err;
93 if ((s->d1->buffered_app_data.q = pqueue_new()) == NULL)
94 goto err;
95
96 if (s->server)
97 s->d1->cookie_len = sizeof(s->d1->cookie);
98
99 s->method->ssl_clear(s);
100 return (1);
101
102 err:
103 dtls1_free(s);
104 return (0);
105 }
106
107 static void
dtls1_drain_rcontents(pqueue queue)108 dtls1_drain_rcontents(pqueue queue)
109 {
110 DTLS1_RCONTENT_DATA_INTERNAL *rdata;
111 pitem *item;
112
113 if (queue == NULL)
114 return;
115
116 while ((item = pqueue_pop(queue)) != NULL) {
117 rdata = (DTLS1_RCONTENT_DATA_INTERNAL *)item->data;
118 tls_content_free(rdata->rcontent);
119 free(item->data);
120 pitem_free(item);
121 }
122 }
123
124 static void
dtls1_drain_records(pqueue queue)125 dtls1_drain_records(pqueue queue)
126 {
127 pitem *item;
128 DTLS1_RECORD_DATA_INTERNAL *rdata;
129
130 if (queue == NULL)
131 return;
132
133 while ((item = pqueue_pop(queue)) != NULL) {
134 rdata = (DTLS1_RECORD_DATA_INTERNAL *)item->data;
135 ssl3_release_buffer(&rdata->rbuf);
136 free(item->data);
137 pitem_free(item);
138 }
139 }
140
141 static void
dtls1_drain_fragments(pqueue queue)142 dtls1_drain_fragments(pqueue queue)
143 {
144 pitem *item;
145
146 if (queue == NULL)
147 return;
148
149 while ((item = pqueue_pop(queue)) != NULL) {
150 dtls1_hm_fragment_free(item->data);
151 pitem_free(item);
152 }
153 }
154
155 static void
dtls1_clear_queues(SSL * s)156 dtls1_clear_queues(SSL *s)
157 {
158 dtls1_drain_records(s->d1->unprocessed_rcds.q);
159 dtls1_drain_fragments(s->d1->buffered_messages);
160 dtls1_drain_fragments(s->d1->sent_messages);
161 dtls1_drain_rcontents(s->d1->buffered_app_data.q);
162 }
163
164 void
dtls1_free(SSL * s)165 dtls1_free(SSL *s)
166 {
167 if (s == NULL)
168 return;
169
170 ssl3_free(s);
171
172 if (s->d1 == NULL)
173 return;
174
175 dtls1_clear_queues(s);
176
177 pqueue_free(s->d1->unprocessed_rcds.q);
178 pqueue_free(s->d1->buffered_messages);
179 pqueue_free(s->d1->sent_messages);
180 pqueue_free(s->d1->buffered_app_data.q);
181
182 freezero(s->d1, sizeof(*s->d1));
183 s->d1 = NULL;
184 }
185
186 void
dtls1_clear(SSL * s)187 dtls1_clear(SSL *s)
188 {
189 pqueue unprocessed_rcds;
190 pqueue buffered_messages;
191 pqueue sent_messages;
192 pqueue buffered_app_data;
193 unsigned int mtu;
194
195 if (s->d1) {
196 unprocessed_rcds = s->d1->unprocessed_rcds.q;
197 buffered_messages = s->d1->buffered_messages;
198 sent_messages = s->d1->sent_messages;
199 buffered_app_data = s->d1->buffered_app_data.q;
200 mtu = s->d1->mtu;
201
202 dtls1_clear_queues(s);
203
204 memset(s->d1, 0, sizeof(*s->d1));
205
206 s->d1->unprocessed_rcds.epoch =
207 tls12_record_layer_read_epoch(s->rl) + 1;
208
209 if (s->server) {
210 s->d1->cookie_len = sizeof(s->d1->cookie);
211 }
212
213 if (SSL_get_options(s) & SSL_OP_NO_QUERY_MTU) {
214 s->d1->mtu = mtu;
215 }
216
217 s->d1->unprocessed_rcds.q = unprocessed_rcds;
218 s->d1->buffered_messages = buffered_messages;
219 s->d1->sent_messages = sent_messages;
220 s->d1->buffered_app_data.q = buffered_app_data;
221 }
222
223 ssl3_clear(s);
224
225 s->version = DTLS1_VERSION;
226 }
227
228 long
dtls1_ctrl(SSL * s,int cmd,long larg,void * parg)229 dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
230 {
231 int ret = 0;
232
233 switch (cmd) {
234 case DTLS_CTRL_GET_TIMEOUT:
235 if (dtls1_get_timeout(s, (struct timeval*) parg) != NULL) {
236 ret = 1;
237 }
238 break;
239 case DTLS_CTRL_HANDLE_TIMEOUT:
240 ret = dtls1_handle_timeout(s);
241 break;
242 case DTLS_CTRL_LISTEN:
243 ret = dtls1_listen(s, parg);
244 break;
245
246 default:
247 ret = ssl3_ctrl(s, cmd, larg, parg);
248 break;
249 }
250 return (ret);
251 }
252
253 /*
254 * As it's impossible to use stream ciphers in "datagram" mode, this
255 * simple filter is designed to disengage them in DTLS. Unfortunately
256 * there is no universal way to identify stream SSL_CIPHER, so we have
257 * to explicitly list their SSL_* codes. Currently RC4 is the only one
258 * available, but if new ones emerge, they will have to be added...
259 */
260 const SSL_CIPHER *
dtls1_get_cipher(unsigned int u)261 dtls1_get_cipher(unsigned int u)
262 {
263 const SSL_CIPHER *cipher;
264
265 if ((cipher = ssl3_get_cipher(u)) == NULL)
266 return NULL;
267
268 if (cipher->algorithm_enc == SSL_RC4)
269 return NULL;
270
271 return cipher;
272 }
273
274 void
dtls1_start_timer(SSL * s)275 dtls1_start_timer(SSL *s)
276 {
277
278 /* If timer is not set, initialize duration with 1 second */
279 if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) {
280 s->d1->timeout_duration = 1;
281 }
282
283 /* Set timeout to current time */
284 gettimeofday(&(s->d1->next_timeout), NULL);
285
286 /* Add duration to current time */
287 s->d1->next_timeout.tv_sec += s->d1->timeout_duration;
288 BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
289 &s->d1->next_timeout);
290 }
291
292 struct timeval*
dtls1_get_timeout(SSL * s,struct timeval * timeleft)293 dtls1_get_timeout(SSL *s, struct timeval* timeleft)
294 {
295 struct timeval timenow;
296
297 /* If no timeout is set, just return NULL */
298 if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) {
299 return NULL;
300 }
301
302 /* Get current time */
303 gettimeofday(&timenow, NULL);
304
305 /* If timer already expired, set remaining time to 0 */
306 if (s->d1->next_timeout.tv_sec < timenow.tv_sec ||
307 (s->d1->next_timeout.tv_sec == timenow.tv_sec &&
308 s->d1->next_timeout.tv_usec <= timenow.tv_usec)) {
309 memset(timeleft, 0, sizeof(struct timeval));
310 return timeleft;
311 }
312
313 /* Calculate time left until timer expires */
314 memcpy(timeleft, &(s->d1->next_timeout), sizeof(struct timeval));
315 timeleft->tv_sec -= timenow.tv_sec;
316 timeleft->tv_usec -= timenow.tv_usec;
317 if (timeleft->tv_usec < 0) {
318 timeleft->tv_sec--;
319 timeleft->tv_usec += 1000000;
320 }
321
322 /* If remaining time is less than 15 ms, set it to 0
323 * to prevent issues because of small devergences with
324 * socket timeouts.
325 */
326 if (timeleft->tv_sec == 0 && timeleft->tv_usec < 15000) {
327 memset(timeleft, 0, sizeof(struct timeval));
328 }
329
330
331 return timeleft;
332 }
333
334 int
dtls1_is_timer_expired(SSL * s)335 dtls1_is_timer_expired(SSL *s)
336 {
337 struct timeval timeleft;
338
339 /* Get time left until timeout, return false if no timer running */
340 if (dtls1_get_timeout(s, &timeleft) == NULL) {
341 return 0;
342 }
343
344 /* Return false if timer is not expired yet */
345 if (timeleft.tv_sec > 0 || timeleft.tv_usec > 0) {
346 return 0;
347 }
348
349 /* Timer expired, so return true */
350 return 1;
351 }
352
353 void
dtls1_double_timeout(SSL * s)354 dtls1_double_timeout(SSL *s)
355 {
356 s->d1->timeout_duration *= 2;
357 if (s->d1->timeout_duration > 60)
358 s->d1->timeout_duration = 60;
359 dtls1_start_timer(s);
360 }
361
362 void
dtls1_stop_timer(SSL * s)363 dtls1_stop_timer(SSL *s)
364 {
365 /* Reset everything */
366 memset(&(s->d1->timeout), 0, sizeof(struct dtls1_timeout_st));
367 memset(&(s->d1->next_timeout), 0, sizeof(struct timeval));
368 s->d1->timeout_duration = 1;
369 BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
370 &(s->d1->next_timeout));
371 /* Clear retransmission buffer */
372 dtls1_clear_record_buffer(s);
373 }
374
375 int
dtls1_check_timeout_num(SSL * s)376 dtls1_check_timeout_num(SSL *s)
377 {
378 s->d1->timeout.num_alerts++;
379
380 /* Reduce MTU after 2 unsuccessful retransmissions */
381 if (s->d1->timeout.num_alerts > 2) {
382 s->d1->mtu = BIO_ctrl(SSL_get_wbio(s),
383 BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL);
384
385 }
386
387 if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) {
388 /* fail the connection, enough alerts have been sent */
389 SSLerror(s, SSL_R_READ_TIMEOUT_EXPIRED);
390 return -1;
391 }
392
393 return 0;
394 }
395
396 int
dtls1_handle_timeout(SSL * s)397 dtls1_handle_timeout(SSL *s)
398 {
399 /* if no timer is expired, don't do anything */
400 if (!dtls1_is_timer_expired(s)) {
401 return 0;
402 }
403
404 dtls1_double_timeout(s);
405
406 if (dtls1_check_timeout_num(s) < 0)
407 return -1;
408
409 s->d1->timeout.read_timeouts++;
410 if (s->d1->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) {
411 s->d1->timeout.read_timeouts = 1;
412 }
413
414 dtls1_start_timer(s);
415 return dtls1_retransmit_buffered_messages(s);
416 }
417
418 int
dtls1_listen(SSL * s,struct sockaddr * client)419 dtls1_listen(SSL *s, struct sockaddr *client)
420 {
421 int ret;
422
423 /* Ensure there is no state left over from a previous invocation */
424 SSL_clear(s);
425
426 SSL_set_options(s, SSL_OP_COOKIE_EXCHANGE);
427 s->d1->listen = 1;
428
429 ret = SSL_accept(s);
430 if (ret <= 0)
431 return ret;
432
433 (void)BIO_dgram_get_peer(SSL_get_rbio(s), client);
434 return 1;
435 }
436