X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=ssl%2Fd1_pkt.c;h=eb56cf987ba3a12a4da4be7af6f0a46abbe200a4;hb=7f065cfdbd6f18a81a3f54ba6b8d5045fb533c89;hp=4b3aabcfa7b6aa3be70659a07524ef9af37bd7ea;hpb=36d16f8ee0845d932e250286e8e236580470e35b;p=oweals%2Fopenssl.git diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index 4b3aabcfa7..eb56cf987b 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -120,11 +120,12 @@ #include #include #include +#include static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, int len, int peek); static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap, - unsigned long long *seq_num); + PQ_64BIT *seq_num); static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap); static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch); @@ -133,13 +134,13 @@ static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr, unsigned short *priority, unsigned long *offset); #endif static int dtls1_buffer_record(SSL *s, record_pqueue *q, - unsigned long long priority); + PQ_64BIT priority); static int dtls1_process_record(SSL *s); -static unsigned long long bytes_to_long_long(unsigned char *bytes); -static void long_long_to_bytes(unsigned long long num, unsigned char *bytes); +#if PQ_64BIT_IS_INTEGER +static PQ_64BIT bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num); +#endif static void dtls1_clear_timeouts(SSL *s); - /* copy buffered record into SSL structure */ static int dtls1_copy_record(SSL *s, pitem *item) @@ -161,7 +162,7 @@ dtls1_copy_record(SSL *s, pitem *item) static int -dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned long long priority) +dtls1_buffer_record(SSL *s, record_pqueue *queue, PQ_64BIT priority) { DTLS1_RECORD_DATA *rdata; pitem *item; @@ -173,7 +174,7 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned long long priority) if (rdata != NULL) OPENSSL_free(rdata); if (item != NULL) pitem_free(item); - SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR); + SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); return(0); } @@ -197,7 +198,13 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned long long priority) memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER)); memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD)); - ssl3_setup_buffers(s); + if (!ssl3_setup_buffers(s)) + { + SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); + OPENSSL_free(rdata); + pitem_free(item); + return(0); + } return(1); } @@ -275,9 +282,9 @@ static int dtls1_get_buffered_record(SSL *s) { pitem *item; - unsigned long long priority = - (((unsigned long long)s->d1->handshake_read_seq) << 32) | - ((unsigned long long)s->d1->r_msg_hdr.frag_off); + PQ_64BIT priority = + (((PQ_64BIT)s->d1->handshake_read_seq) << 32) | + ((PQ_64BIT)s->d1->r_msg_hdr.frag_off); if ( ! SSL_in_init(s)) /* if we're not (re)negotiating, nothing buffered */ @@ -348,7 +355,7 @@ dtls1_process_record(SSL *s) if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { al=SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG); + SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG); goto f_err; } @@ -386,7 +393,7 @@ if ( (sess == NULL) || { #if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */ al=SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); + SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); goto f_err; #else goto decryption_failed_or_bad_record_mac; @@ -397,7 +404,7 @@ if ( (sess == NULL) || { #if 0 /* OK only for stream ciphers */ al=SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT); + SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); goto f_err; #else goto decryption_failed_or_bad_record_mac; @@ -417,13 +424,13 @@ if ( (sess == NULL) || if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH) { al=SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG); + SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG); goto f_err; } if (!ssl3_do_uncompress(s)) { al=SSL_AD_DECOMPRESSION_FAILURE; - SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION); + SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_BAD_DECOMPRESSION); goto f_err; } } @@ -431,7 +438,7 @@ if ( (sess == NULL) || if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) { al=SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG); + SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DATA_LENGTH_TOO_LONG); goto f_err; } @@ -456,7 +463,7 @@ decryption_failed_or_bad_record_mac: * we should not reveal which kind of error occured -- this * might become visible to an attacker (e.g. via logfile) */ al=SSL_AD_BAD_RECORD_MAC; - SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); + SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); f_err: ssl3_send_alert(s,SSL3_AL_FATAL,al); err: @@ -480,10 +487,9 @@ int dtls1_get_record(SSL *s) SSL3_RECORD *rr; SSL_SESSION *sess; unsigned char *p; - short version; + unsigned short version; DTLS1_BITMAP *bitmap; - unsigned long long read_sequence; - unsigned int is_next_epoch; + unsigned int is_next_epoch; rr= &(s->s3->rrec); sess=s->session; @@ -519,24 +525,20 @@ again: ssl_minor= *(p++); version=(ssl_major<<8)|ssl_minor; - /* sequence number is 64 bits, with top 2 bytes = epoch */ + /* sequence number is 64 bits, with top 2 bytes = epoch */ n2s(p,rr->epoch); - read_sequence = 0; - n2l6(p, read_sequence); - long_long_to_bytes(read_sequence, s->s3->read_sequence); + memcpy(&(s->s3->read_sequence[2]), p, 6); + p+=6; + n2s(p,rr->length); /* Lets check version */ - if (s->first_packet) + if (!s->first_packet) { - s->first_packet=0; - } - else - { - if (version != s->version) + if (version != s->version && version != DTLS1_BAD_VER) { - SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); + SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); /* Send back error using their * version number :-) */ s->version=version; @@ -545,19 +547,21 @@ again: } } - if ((version & 0xff00) != (DTLS1_VERSION & 0xff00)) + if ((version & 0xff00) != (DTLS1_VERSION & 0xff00) && + (version & 0xff00) != (DTLS1_BAD_VER & 0xff00)) { - SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); + SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); goto err; } if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) { al=SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG); + SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG); goto f_err; } + s->client_version = version; /* now s->rstate == SSL_ST_READ_BODY */ } @@ -593,6 +597,7 @@ again: /* check whether this is a repeat, or aged record */ if ( ! dtls1_record_replay_check(s, bitmap, &(rr->seq_num))) { + rr->length = 0; s->packet_length=0; /* dump this record */ goto again; /* get another record */ } @@ -667,7 +672,7 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) (type != SSL3_RT_HANDSHAKE) && type) || (peek && (type != SSL3_RT_APPLICATION_DATA))) { - SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR); + SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); return -1; } @@ -684,7 +689,7 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) if (i < 0) return(i); if (i == 0) { - SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); + SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); return(-1); } } @@ -720,7 +725,7 @@ start: && (rr->type != SSL3_RT_HANDSHAKE)) { al=SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED); + SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED); goto err; } @@ -742,7 +747,7 @@ start: (s->enc_read_ctx == NULL)) { al=SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE); + SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE); goto f_err; } @@ -775,7 +780,7 @@ start: * fill that so that we can process the data at a fixed place. */ { - unsigned int i, dest_maxlen = 0; + unsigned int k, dest_maxlen = 0; unsigned char *dest = NULL; unsigned int *dest_len = NULL; @@ -791,8 +796,14 @@ start: dest = s->d1->alert_fragment; dest_len = &s->d1->alert_fragment_len; } - else /* else it's a CCS message */ - OPENSSL_assert(rr->type == SSL3_RT_CHANGE_CIPHER_SPEC); + /* else it's a CCS message, or it's wrong */ + else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC) + { + /* Not certain if this is the right error handling */ + al=SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD); + goto f_err; + } if (dest_maxlen > 0) @@ -801,15 +812,23 @@ start: * may be fragmented--don't always expect dest_maxlen bytes */ if ( rr->length < dest_maxlen) { +#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE + /* + * for normal alerts rr->length is 2, while + * dest_maxlen is 7 if we were to handle this + * non-existing alert... + */ + FIX ME +#endif s->rstate=SSL_ST_READ_HEADER; rr->length = 0; goto start; } /* now move 'n' bytes: */ - for ( i = 0; i < dest_maxlen; i++) + for ( k = 0; k < dest_maxlen; k++) { - dest[i] = rr->data[rr->off++]; + dest[k] = rr->data[rr->off++]; rr->length--; } *dest_len = dest_maxlen; @@ -833,7 +852,7 @@ start: (s->d1->handshake_fragment[3] != 0)) { al=SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_HELLO_REQUEST); + SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_HELLO_REQUEST); goto err; } @@ -854,7 +873,7 @@ start: if (i < 0) return(i); if (i == 0) { - SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); + SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); return(-1); } @@ -941,7 +960,7 @@ start: s->rwstate=SSL_NOTHING; s->s3->fatal_alert = alert_descr; - SSLerr(SSL_F_SSL3_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr); + SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr); BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr); ERR_add_error_data(2,"SSL alert number ",tmp); s->shutdown|=SSL_RECEIVED_SHUTDOWN; @@ -951,7 +970,7 @@ start: else { al=SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE); + SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE); goto f_err; } @@ -966,47 +985,40 @@ start: } if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) - { - struct ccs_header_st ccs_hdr; + { + struct ccs_header_st ccs_hdr; dtls1_get_ccs_header(rr->data, &ccs_hdr); - if ( ccs_hdr.seq == s->d1->handshake_read_seq) + /* 'Change Cipher Spec' is just a single byte, so we know + * exactly what the record payload has to look like */ + /* XDTLS: check that epoch is consistent */ + if ( (s->client_version == DTLS1_BAD_VER && rr->length != 3) || + (s->client_version != DTLS1_BAD_VER && rr->length != DTLS1_CCS_HEADER_LENGTH) || + (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) { - /* 'Change Cipher Spec' is just a single byte, so we know - * exactly what the record payload has to look like */ - /* XDTLS: check that epoch is consistent */ - if ( (rr->length != DTLS1_CCS_HEADER_LENGTH) || - (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) - { - i=SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC); - goto err; - } - - rr->length=0; - - if (s->msg_callback) - s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, - rr->data, 1, s, s->msg_callback_arg); - - s->s3->change_cipher_spec=1; - if (!ssl3_do_change_cipher_spec(s)) - goto err; - - /* do this whenever CCS is processed */ - dtls1_reset_seq_numbers(s, SSL3_CC_READ); - - /* handshake read seq is reset upon handshake completion */ - s->d1->handshake_read_seq++; - - goto start; - } - else - { - rr->length = 0; - goto start; + i=SSL_AD_ILLEGAL_PARAMETER; + SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC); + goto err; } + + rr->length=0; + + if (s->msg_callback) + s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, + rr->data, 1, s, s->msg_callback_arg); + + s->s3->change_cipher_spec=1; + if (!ssl3_do_change_cipher_spec(s)) + goto err; + + /* do this whenever CCS is processed */ + dtls1_reset_seq_numbers(s, SSL3_CC_READ); + + if (s->client_version == DTLS1_BAD_VER) + s->d1->handshake_read_seq++; + + goto start; } /* Unexpected handshake message (Client Hello, or protocol violation) */ @@ -1041,7 +1053,7 @@ start: if (i < 0) return(i); if (i == 0) { - SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); + SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); return(-1); } @@ -1076,7 +1088,7 @@ start: } #endif al=SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD); + SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD); goto f_err; case SSL3_RT_CHANGE_CIPHER_SPEC: case SSL3_RT_ALERT: @@ -1085,7 +1097,7 @@ start: * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that * should not happen when type != rr->type */ al=SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES,ERR_R_INTERNAL_ERROR); + SSLerr(SSL_F_DTLS1_READ_BYTES,ERR_R_INTERNAL_ERROR); goto f_err; case SSL3_RT_APPLICATION_DATA: /* At this point, we were expecting handshake data, @@ -1114,7 +1126,7 @@ start: else { al=SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD); + SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD); goto f_err; } } @@ -1138,7 +1150,7 @@ dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len) if (i < 0) return(i); if (i == 0) { - SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); + SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE); return -1; } } @@ -1243,16 +1255,15 @@ int dtls1_write_bytes(SSL *s, int type, const void *buf_, int len) return i; } - if ( s->s3->wnum + i == len) + if ( (int)s->s3->wnum + i == len) s->s3->wnum = 0; else s->s3->wnum += i; - return tot + i; + return i; } -int do_dtls1_write(SSL *s, int type, const unsigned char *buf, - unsigned int len, int create_empty_fragment) +int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, int create_empty_fragment) { unsigned char *p,*pseq; int i,mac_size,clear=0; @@ -1319,7 +1330,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, if (s->s3->wbuf.len < (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE) { /* insufficient space */ - SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); + SSLerr(SSL_F_DO_DTLS1_WRITE, ERR_R_INTERNAL_ERROR); goto err; } } @@ -1335,8 +1346,12 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, *(p++)=type&0xff; wr->type=type; - *(p++)=(s->version>>8); - *(p++)=s->version&0xff; + if (s->client_version == DTLS1_BAD_VER) + *(p++) = DTLS1_BAD_VER>>8, + *(p++) = DTLS1_BAD_VER&0xff; + else + *(p++)=(s->version>>8), + *(p++)=s->version&0xff; /* field where we are to write out packet epoch, seq num and len */ pseq=p; @@ -1365,7 +1380,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, { if (!ssl3_do_compress(s)) { - SSLerr(SSL_F_DO_SSL3_WRITE,SSL_R_COMPRESSION_FAILURE); + SSLerr(SSL_F_DO_DTLS1_WRITE,SSL_R_COMPRESSION_FAILURE); goto err; } } @@ -1391,8 +1406,14 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, /* ssl3_enc can only have an error on read */ - wr->length += bs; /* bs != 0 in case of CBC. The enc fn provides - * the randomness */ + if (bs) /* bs != 0 in case of CBC */ + { + RAND_pseudo_bytes(p,bs); + /* master IV and last CBC residue stand for + * the rest of randomness */ + wr->length += bs; + } + s->method->ssl3_enc->enc(s,1); /* record length after mac and block padding */ @@ -1407,7 +1428,8 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, /* else s2n(s->d1->handshake_epoch, pseq); */ - l2n6(bytes_to_long_long(s->s3->write_sequence), pseq); + memcpy(pseq, &(s->s3->write_sequence[2]), 6); + pseq+=6; s2n(wr->length,pseq); /* we should now have @@ -1420,7 +1442,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, /* buffer the record, making it easy to handle retransmits */ if ( type == SSL3_RT_HANDSHAKE || type == SSL3_RT_CHANGE_CIPHER_SPEC) dtls1_buffer_record(s, wr->data, wr->length, - *((unsigned long long *)&(s->s3->write_sequence[0]))); + *((PQ_64BIT *)&(s->s3->write_sequence[0]))); #endif ssl3_record_sequence_update(&(s->s3->write_sequence[0])); @@ -1452,27 +1474,60 @@ err: static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap, - unsigned long long *seq_num) + PQ_64BIT *seq_num) { - unsigned long long mask = 0x0000000000000001LL; - unsigned long long rcd_num; +#if PQ_64BIT_IS_INTEGER + PQ_64BIT mask = 0x0000000000000001L; +#endif + PQ_64BIT rcd_num, tmp; + + pq_64bit_init(&rcd_num); + pq_64bit_init(&tmp); + + /* this is the sequence number for the record just read */ + pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8); - rcd_num = bytes_to_long_long(s->s3->read_sequence); - if (rcd_num >= bitmap->max_seq_num) + if (pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) || + pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num))) { - *seq_num = rcd_num; + pq_64bit_assign(seq_num, &rcd_num); + pq_64bit_free(&rcd_num); + pq_64bit_free(&tmp); return 1; /* this record is new */ } - - if (bitmap->max_seq_num - rcd_num > bitmap->length) + + pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num); + + if ( pq_64bit_get_word(&tmp) > bitmap->length) + { + pq_64bit_free(&rcd_num); + pq_64bit_free(&tmp); return 0; /* stale, outside the window */ + } +#if PQ_64BIT_IS_BIGNUM + { + int offset; + pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num); + pq_64bit_sub_word(&tmp, 1); + offset = pq_64bit_get_word(&tmp); + if ( pq_64bit_is_bit_set(&(bitmap->map), offset)) + { + pq_64bit_free(&rcd_num); + pq_64bit_free(&tmp); + return 0; + } + } +#else mask <<= (bitmap->max_seq_num - rcd_num - 1); if (bitmap->map & mask) return 0; /* record previously received */ +#endif - *seq_num = rcd_num; + pq_64bit_assign(seq_num, &rcd_num); + pq_64bit_free(&rcd_num); + pq_64bit_free(&tmp); return 1; } @@ -1480,23 +1535,49 @@ static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap, static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap) { unsigned int shift; - unsigned long long mask = 0x0000000000000001L; - unsigned long long rcd_num; + PQ_64BIT rcd_num; + PQ_64BIT tmp; + PQ_64BIT_CTX *ctx; - rcd_num = bytes_to_long_long(s->s3->read_sequence); + pq_64bit_init(&rcd_num); + pq_64bit_init(&tmp); - if (rcd_num >= bitmap->max_seq_num) + pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8); + + /* unfortunate code complexity due to 64-bit manipulation support + * on 32-bit machines */ + if ( pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) || + pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num))) { - shift = rcd_num - bitmap->max_seq_num + 1; - bitmap->max_seq_num = rcd_num + 1; - bitmap->map <<= shift; - bitmap->map |= 0x0000000000000001LL; + pq_64bit_sub(&tmp, &rcd_num, &(bitmap->max_seq_num)); + pq_64bit_add_word(&tmp, 1); + + shift = (unsigned int)pq_64bit_get_word(&tmp); + + pq_64bit_lshift(&(tmp), &(bitmap->map), shift); + pq_64bit_assign(&(bitmap->map), &tmp); + + pq_64bit_set_bit(&(bitmap->map), 0); + pq_64bit_add_word(&rcd_num, 1); + pq_64bit_assign(&(bitmap->max_seq_num), &rcd_num); + + pq_64bit_assign_word(&tmp, 1); + pq_64bit_lshift(&tmp, &tmp, bitmap->length); + ctx = pq_64bit_ctx_new(&ctx); + pq_64bit_mod(&(bitmap->map), &(bitmap->map), &tmp, ctx); + pq_64bit_ctx_free(ctx); } else { - mask <<= (bitmap->max_seq_num - rcd_num - 1); - bitmap->map |= mask; + pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num); + pq_64bit_sub_word(&tmp, 1); + shift = (unsigned int)pq_64bit_get_word(&tmp); + + pq_64bit_set_bit(&(bitmap->map), shift); } + + pq_64bit_free(&rcd_num); + pq_64bit_free(&tmp); } @@ -1504,8 +1585,8 @@ int dtls1_dispatch_alert(SSL *s) { int i,j; void (*cb)(const SSL *ssl,int type,int val)=NULL; - char buf[2 + 2 + 3]; /* alert level + alert desc + message seq +frag_off */ - char *ptr = &buf[0]; + unsigned char buf[DTLS1_AL_HEADER_LENGTH]; + unsigned char *ptr = &buf[0]; s->s3->alert_dispatch=0; @@ -1513,6 +1594,7 @@ int dtls1_dispatch_alert(SSL *s) *ptr++ = s->s3->send_alert[0]; *ptr++ = s->s3->send_alert[1]; +#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) { s2n(s->d1->handshake_read_seq, ptr); @@ -1528,6 +1610,7 @@ int dtls1_dispatch_alert(SSL *s) #endif l2n3(s->d1->r_msg_hdr.frag_off, ptr); } +#endif i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0); if (i <= 0) @@ -1537,8 +1620,11 @@ int dtls1_dispatch_alert(SSL *s) } else { - if ( s->s3->send_alert[0] == SSL3_AL_FATAL || - s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) + if (s->s3->send_alert[0] == SSL3_AL_FATAL +#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE + || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE +#endif + ) (void)BIO_flush(s->wbio); if (s->msg_callback) @@ -1571,7 +1657,7 @@ dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch) return &s->d1->bitmap; /* Only HM and ALERT messages can be from the next epoch */ - else if (rr->epoch == s->d1->r_epoch + 1 && + else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) && (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) { @@ -1657,8 +1743,17 @@ dtls1_reset_seq_numbers(SSL *s, int rw) { seq = s->s3->read_sequence; s->d1->r_epoch++; - memcpy(&(s->d1->bitmap), &(s->d1->next_bitmap), sizeof(DTLS1_BITMAP)); + + pq_64bit_assign(&(s->d1->bitmap.map), &(s->d1->next_bitmap.map)); + s->d1->bitmap.length = s->d1->next_bitmap.length; + pq_64bit_assign(&(s->d1->bitmap.max_seq_num), + &(s->d1->next_bitmap.max_seq_num)); + + pq_64bit_free(&(s->d1->next_bitmap.map)); + pq_64bit_free(&(s->d1->next_bitmap.max_seq_num)); memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP)); + pq_64bit_init(&(s->d1->next_bitmap.map)); + pq_64bit_init(&(s->d1->next_bitmap.max_seq_num)); } else { @@ -1669,36 +1764,26 @@ dtls1_reset_seq_numbers(SSL *s, int rw) memset(seq, 0x00, seq_bytes); } +#if PQ_64BIT_IS_INTEGER +static PQ_64BIT +bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num) + { + PQ_64BIT _num; + + _num = (((PQ_64BIT)bytes[0]) << 56) | + (((PQ_64BIT)bytes[1]) << 48) | + (((PQ_64BIT)bytes[2]) << 40) | + (((PQ_64BIT)bytes[3]) << 32) | + (((PQ_64BIT)bytes[4]) << 24) | + (((PQ_64BIT)bytes[5]) << 16) | + (((PQ_64BIT)bytes[6]) << 8) | + (((PQ_64BIT)bytes[7]) ); + + *num = _num ; + return _num; + } +#endif -static unsigned long long -bytes_to_long_long(unsigned char *bytes) - { - unsigned long long num; - - num = (((unsigned long long)bytes[0]) << 56) | - (((unsigned long long)bytes[1]) << 48) | - (((unsigned long long)bytes[2]) << 40) | - (((unsigned long long)bytes[3]) << 32) | - (((unsigned long long)bytes[4]) << 24) | - (((unsigned long long)bytes[5]) << 16) | - (((unsigned long long)bytes[6]) << 8) | - (((unsigned long long)bytes[7]) ); - - return num; - } - -static void -long_long_to_bytes(unsigned long long num, unsigned char *bytes) - { - bytes[0] = (unsigned char)((num >> 56)&0xff); - bytes[1] = (unsigned char)((num >> 48)&0xff); - bytes[2] = (unsigned char)((num >> 40)&0xff); - bytes[3] = (unsigned char)((num >> 32)&0xff); - bytes[4] = (unsigned char)((num >> 24)&0xff); - bytes[5] = (unsigned char)((num >> 16)&0xff); - bytes[6] = (unsigned char)((num >> 8)&0xff); - bytes[7] = (unsigned char)((num )&0xff); - } static void dtls1_clear_timeouts(SSL *s)