Don't send zero length session ID if stateless session resupmtion is
[openssl.git] / ssl / d1_pkt.c
index 09f1626..2e35db8 100644 (file)
 #include <openssl/evp.h>
 #include <openssl/buffer.h>
 #include <openssl/pqueue.h>
+#include <openssl/rand.h>
+
+/* mod 128 saturating subtract of two 64-bit values in big-endian order */
+static int satsub64be(const unsigned char *v1,const unsigned char *v2)
+{      int ret,sat,brw,i;
+
+       if (sizeof(long) == 8) do
+       {       const union { long one; char little; } is_endian = {1};
+               long l;
+
+               if (is_endian.little)                   break;
+               /* not reached on little-endians */
+               /* following test is redundant, because input is
+                * always aligned, but I take no chances... */
+               if (((size_t)v1|(size_t)v2)&0x7)        break;
+
+               l  = *((long *)v1);
+               l -= *((long *)v2);
+               if (l>128)              return 128;
+               else if (l<-128)        return -128;
+               else                    return (int)l;
+       } while (0);
+
+       ret = (int)v1[7]-(int)v2[7];
+       sat = 0;
+       brw = ret>>8;   /* brw is either 0 or -1 */
+       if (ret & 0x80)
+       {       for (i=6;i>=0;i--)
+               {       brw += (int)v1[i]-(int)v2[i];
+                       sat |= ~brw;
+                       brw >>= 8;
+               }
+       }
+       else
+       {       for (i=6;i>=0;i--)
+               {       brw += (int)v1[i]-(int)v2[i];
+                       sat |= brw;
+                       brw >>= 8;
+               }
+       }
+       brw <<= 8;      /* brw is either 0 or -256 */
+
+       if (sat&0xff)   return brw | 0x80;
+       else            return brw + (ret&0xFF);
+}
 
 static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, 
        int len, int peek);
-static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap,
-       BN_ULLONG *seq_num);
+static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap);
 static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);
 static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, 
     unsigned int *is_next_epoch);
@@ -133,13 +177,10 @@ static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
        unsigned short *priority, unsigned long *offset);
 #endif
 static int dtls1_buffer_record(SSL *s, record_pqueue *q,
-       BN_ULLONG priority);
+       unsigned char *priority);
 static int dtls1_process_record(SSL *s);
-static BN_ULLONG bytes_to_long_long(unsigned char *bytes);
-static void long_long_to_bytes(BN_ULLONG num, unsigned char *bytes);
 static void dtls1_clear_timeouts(SSL *s);
 
-
 /* copy buffered record into SSL structure */
 static int
 dtls1_copy_record(SSL *s, pitem *item)
@@ -161,9 +202,9 @@ dtls1_copy_record(SSL *s, pitem *item)
 
 
 static int
-dtls1_buffer_record(SSL *s, record_pqueue *queue, BN_ULLONG priority)
-{
-    DTLS1_RECORD_DATA *rdata;
+dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
+       {
+       DTLS1_RECORD_DATA *rdata;
        pitem *item;
 
        rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
@@ -197,10 +238,16 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, BN_ULLONG priority)
        memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));
        memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD));
        
-       ssl3_setup_buffers(s);
+       if (!ssl3_setup_buffers(s))
+               {
+               SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
+               OPENSSL_free(rdata);
+               pitem_free(item);
+               return(0);
+               }
        
        return(1);
-    }
+       }
 
 
 static int
@@ -275,9 +322,9 @@ static int
 dtls1_get_buffered_record(SSL *s)
        {
        pitem *item;
-       BN_ULLONG priority = 
-               (((BN_ULLONG)s->d1->handshake_read_seq) << 32) | 
-               ((BN_ULLONG)s->d1->r_msg_hdr.frag_off);
+       PQ_64BIT priority = 
+               (((PQ_64BIT)s->d1->handshake_read_seq) << 32) | 
+               ((PQ_64BIT)s->d1->r_msg_hdr.frag_off);
        
        if ( ! SSL_in_init(s))  /* if we're not (re)negotiating, 
                                                           nothing buffered */
@@ -317,17 +364,17 @@ dtls1_get_buffered_record(SSL *s)
 static int
 dtls1_process_record(SSL *s)
 {
-    int i,al;
+       int i,al;
        int clear=0;
-    int enc_err;
+       int enc_err;
        SSL_SESSION *sess;
-    SSL3_RECORD *rr;
+       SSL3_RECORD *rr;
        unsigned int mac_size;
        unsigned char md[EVP_MAX_MD_SIZE];
 
 
        rr= &(s->s3->rrec);
-    sess = s->session;
+       sess = s->session;
 
        /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
         * and we have that many bytes in s->packet
@@ -373,14 +420,14 @@ printf("\n");
 #endif
 
        /* r->length is now the compressed data plus mac */
-if (   (sess == NULL) ||
+       if (    (sess == NULL) ||
                (s->enc_read_ctx == NULL) ||
                (s->read_hash == NULL))
-    clear=1;
+       clear=1;
 
        if (!clear)
                {
-               mac_size=EVP_MD_size(s->read_hash);
+               mac_size=EVP_MD_CTX_size(s->read_hash);
 
                if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
                        {
@@ -446,8 +493,8 @@ if (        (sess == NULL) ||
 
        /* we have pulled in a full packet so zero things */
        s->packet_length=0;
-    dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */
-    return(1);
+       dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */
+       return(1);
 
 decryption_failed_or_bad_record_mac:
        /* Separate 'decryption_failed' alert was introduced with TLS 1.0,
@@ -480,18 +527,17 @@ int dtls1_get_record(SSL *s)
        SSL3_RECORD *rr;
        SSL_SESSION *sess;
        unsigned char *p;
-       short version;
+       unsigned short version;
        DTLS1_BITMAP *bitmap;
-       BN_ULLONG read_sequence;
-    unsigned int is_next_epoch;
+       unsigned int is_next_epoch;
 
        rr= &(s->s3->rrec);
        sess=s->session;
 
-    /* The epoch may have changed.  If so, process all the
-     * pending records.  This is a non-blocking operation. */
-    if ( ! dtls1_process_buffered_records(s))
-        return 0;
+       /* The epoch may have changed.  If so, process all the
+        * pending records.  This is a non-blocking operation. */
+       if ( ! dtls1_process_buffered_records(s))
+            return 0;
 
        /* if we're renegotiating, then there may be buffered records */
        if (dtls1_get_processed_record(s))
@@ -519,20 +565,16 @@ again:
                ssl_minor= *(p++);
                version=(ssl_major<<8)|ssl_minor;
 
-        /* sequence number is 64 bits, with top 2 bytes = epoch */ 
+               /* sequence number is 64 bits, with top 2 bytes = epoch */ 
                n2s(p,rr->epoch);
 
-               read_sequence = 0;
-               n2l6(p, read_sequence);
-               long_long_to_bytes(read_sequence, s->s3->read_sequence);
+               memcpy(&(s->s3->read_sequence[2]), p, 6);
+               p+=6;
+
                n2s(p,rr->length);
 
                /* Lets check version */
-               if (s->first_packet)
-                       {
-                       s->first_packet=0;
-                       }
-               else
+               if (!s->first_packet)
                        {
                        if (version != s->version)
                                {
@@ -585,13 +627,13 @@ again:
        /* match epochs.  NULL means the packet is dropped on the floor */
        bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
        if ( bitmap == NULL)
-        {
-        s->packet_length = 0;  /* dump this record */
-        goto again;   /* get another record */
+               {
+               s->packet_length = 0;  /* dump this record */
+               goto again;   /* get another record */
                }
 
        /* check whether this is a repeat, or aged record */
-       if ( ! dtls1_record_replay_check(s, bitmap, &(rr->seq_num)))
+       if ( ! dtls1_record_replay_check(s, bitmap))
                {
                s->packet_length=0; /* dump this record */
                goto again;     /* get another record */
@@ -600,20 +642,21 @@ again:
        /* just read a 0 length packet */
        if (rr->length == 0) goto again;
 
-    /* If this record is from the next epoch (either HM or ALERT), buffer it
-     * since it cannot be processed at this time.
-     * Records from the next epoch are marked as received even though they are 
-     * not processed, so as to prevent any potential resource DoS attack */
-    if (is_next_epoch)
-        {
-        dtls1_record_bitmap_update(s, bitmap);
-        dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
-        s->packet_length = 0;
-        goto again;
-        }
+       /* If this record is from the next epoch (either HM or ALERT),
+        * buffer it since it cannot be processed at this time. Records
+        * from the next epoch are marked as received even though they
+        * are not processed, so as to prevent any potential resource
+        * DoS attack */
+       if (is_next_epoch)
+               {
+               dtls1_record_bitmap_update(s, bitmap);
+               dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
+               s->packet_length = 0;
+               goto again;
+               }
 
-    if ( ! dtls1_process_record(s))
-        return(0);
+       if ( ! dtls1_process_record(s))
+               return(0);
 
        dtls1_clear_timeouts(s);  /* done waiting */
        return(1);
@@ -791,8 +834,14 @@ start:
                        dest = s->d1->alert_fragment;
                        dest_len = &s->d1->alert_fragment_len;
                        }
-               else    /* else it's a CCS message */
-                       OPENSSL_assert(rr->type == SSL3_RT_CHANGE_CIPHER_SPEC);
+                /* else it's a CCS message, or it's wrong */
+                else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC)
+                        {
+                          /* Not certain if this is the right error handling */
+                          al=SSL_AD_UNEXPECTED_MESSAGE;
+                          SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
+                          goto f_err;
+                        }
 
 
                if (dest_maxlen > 0)
@@ -966,47 +1015,36 @@ start:
                }
 
        if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
-        {
-        struct ccs_header_st ccs_hdr;
+               {
+               struct ccs_header_st ccs_hdr;
 
                dtls1_get_ccs_header(rr->data, &ccs_hdr);
 
-               if ( ccs_hdr.seq == s->d1->handshake_read_seq)
-                       {
-                       /* 'Change Cipher Spec' is just a single byte, so we know
-                        * exactly what the record payload has to look like */
-                       /* XDTLS: check that epoch is consistent */
-                       if (    (rr->length != DTLS1_CCS_HEADER_LENGTH) || 
-                               (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
-                               {
-                               i=SSL_AD_ILLEGAL_PARAMETER;
-                               SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
-                               goto err;
-                               }
-                       
-                       rr->length=0;
-                       
-                       if (s->msg_callback)
-                               s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, 
-                                       rr->data, 1, s, s->msg_callback_arg);
-                       
-                       s->s3->change_cipher_spec=1;
-                       if (!ssl3_do_change_cipher_spec(s))
-                               goto err;
-                       
-                       /* do this whenever CCS is processed */
-                       dtls1_reset_seq_numbers(s, SSL3_CC_READ);
-                       
-                       /* handshake read seq is reset upon handshake completion */
-                       s->d1->handshake_read_seq++;
-                       
-                       goto start;
-                       }
-               else
+               /* 'Change Cipher Spec' is just a single byte, so we know
+                * exactly what the record payload has to look like */
+               /* XDTLS: check that epoch is consistent */
+               if (    (rr->length != DTLS1_CCS_HEADER_LENGTH) || 
+                       (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
                        {
-                       rr->length = 0;
-                       goto start;
+                       i=SSL_AD_ILLEGAL_PARAMETER;
+                       SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
+                       goto err;
                        }
+
+               rr->length=0;
+
+               if (s->msg_callback)
+                       s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, 
+                               rr->data, 1, s, s->msg_callback_arg);
+
+               s->s3->change_cipher_spec=1;
+               if (!ssl3_do_change_cipher_spec(s))
+                       goto err;
+
+               /* do this whenever CCS is processed */
+               dtls1_reset_seq_numbers(s, SSL3_CC_READ);
+
+               goto start;
                }
 
        /* Unexpected handshake message (Client Hello, or protocol violation) */
@@ -1287,13 +1325,13 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
 
        if (    (sess == NULL) ||
                (s->enc_write_ctx == NULL) ||
-               (s->write_hash == NULL))
+               (EVP_MD_CTX_md(s->write_hash) == NULL))
                clear=1;
 
        if (clear)
                mac_size=0;
        else
-               mac_size=EVP_MD_size(s->write_hash);
+               mac_size=EVP_MD_CTX_size(s->write_hash);
 
        /* DTLS implements explicit IV, so no need for empty fragments */
 #if 0
@@ -1390,8 +1428,14 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
 
 
        /* ssl3_enc can only have an error on read */
-       wr->length += bs;  /* bs != 0 in case of CBC.  The enc fn provides
-                                               * the randomness */ 
+       if (bs) /* bs != 0 in case of CBC */
+               {
+               RAND_pseudo_bytes(p,bs);
+               /* master IV and last CBC residue stand for
+                * the rest of randomness */
+               wr->length += bs;
+               }
+
        s->method->ssl3_enc->enc(s,1);
 
        /* record length after mac and block padding */
@@ -1406,7 +1450,8 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
 /*     else
        s2n(s->d1->handshake_epoch, pseq); */
 
-       l2n6(bytes_to_long_long(s->s3->write_sequence), pseq);
+       memcpy(pseq, &(s->s3->write_sequence[2]), 6);
+       pseq+=6;
        s2n(wr->length,pseq);
 
        /* we should now have
@@ -1419,7 +1464,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
        /* buffer the record, making it easy to handle retransmits */
        if ( type == SSL3_RT_HANDSHAKE || type == SSL3_RT_CHANGE_CIPHER_SPEC)
                dtls1_buffer_record(s, wr->data, wr->length, 
-                       *((BN_ULLONG *)&(s->s3->write_sequence[0])));
+                       *((PQ_64BIT *)&(s->s3->write_sequence[0])));
 #endif
 
        ssl3_record_sequence_update(&(s->s3->write_sequence[0]));
@@ -1450,51 +1495,49 @@ err:
 
 
 
-static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap,
-       BN_ULLONG *seq_num)
+static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap)
        {
-       BN_ULLONG mask = 0x0000000000000001L;
-       BN_ULLONG rcd_num;
+       int cmp;
+       unsigned int shift;
+       const unsigned char *seq = s->s3->read_sequence;
 
-       rcd_num = bytes_to_long_long(s->s3->read_sequence);
-       
-       if (rcd_num >= bitmap->max_seq_num)
+       cmp = satsub64be(seq,bitmap->max_seq_num);
+       if (cmp > 0)
                {
-               *seq_num = rcd_num;
-               return 1;  /* this record is new */
+               memcpy (s->s3->rrec.seq_num,seq,8);
+               return 1; /* this record in new */
                }
-       
-       if (bitmap->max_seq_num - rcd_num > bitmap->length)
-               return 0;  /* stale, outside the window */
-
-       mask <<= (bitmap->max_seq_num - rcd_num - 1);
-       if (bitmap->map & mask)
+       shift = -cmp;
+       if (shift >= sizeof(bitmap->map)*8)
+               return 0; /* stale, outside the window */
+       else if (bitmap->map & (1UL<<shift))
                return 0; /* record previously received */
-       
-       *seq_num = rcd_num;
+
+       memcpy (s->s3->rrec.seq_num,seq,8);
        return 1;
        }
 
 
 static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap)
        {
+       int cmp;
        unsigned int shift;
-       BN_ULLONG mask = 0x0000000000000001L;
-       BN_ULLONG rcd_num;
-
-       rcd_num = bytes_to_long_long(s->s3->read_sequence);
+       const unsigned char *seq = s->s3->read_sequence;
 
-       if (rcd_num >= bitmap->max_seq_num)
+       cmp = satsub64be(seq,bitmap->max_seq_num);
+       if (cmp > 0)
                {
-               shift = (unsigned int)(rcd_num - bitmap->max_seq_num) + 1;
-               bitmap->max_seq_num = rcd_num + 1;
-               bitmap->map <<= shift;
-               bitmap->map |= 0x0000000000000001L;
+               shift = cmp;
+               if (shift < sizeof(bitmap->map)*8)
+                       bitmap->map <<= shift, bitmap->map |= 1UL;
+               else
+                       bitmap->map = 1UL;
+               memcpy(bitmap->max_seq_num,seq,8);
                }
-       else
-               {
-               mask <<= (bitmap->max_seq_num - rcd_num - 1);
-               bitmap->map |= mask;
+       else    {
+               shift = -cmp;
+               if (shift < sizeof(bitmap->map)*8)
+                       bitmap->map |= 1UL<<shift;
                }
        }
 
@@ -1512,6 +1555,7 @@ int dtls1_dispatch_alert(SSL *s)
        *ptr++ = s->s3->send_alert[0];
        *ptr++ = s->s3->send_alert[1];
 
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
        if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
                {       
                s2n(s->d1->handshake_read_seq, ptr);
@@ -1527,6 +1571,7 @@ int dtls1_dispatch_alert(SSL *s)
 #endif
                l2n3(s->d1->r_msg_hdr.frag_off, ptr);
                }
+#endif
 
        i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0);
        if (i <= 0)
@@ -1536,8 +1581,11 @@ int dtls1_dispatch_alert(SSL *s)
                }
        else
                {
-               if ( s->s3->send_alert[0] == SSL3_AL_FATAL ||
-                       s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
+               if (s->s3->send_alert[0] == SSL3_AL_FATAL
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
+                   || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
+#endif
+                   )
                        (void)BIO_flush(s->wbio);
 
                if (s->msg_callback)
@@ -1669,36 +1717,6 @@ dtls1_reset_seq_numbers(SSL *s, int rw)
        }
 
 
-static BN_ULLONG
-bytes_to_long_long(unsigned char *bytes)
-       {
-       BN_ULLONG num;
-
-       num = (((BN_ULLONG)bytes[0]) << 56) |
-               (((BN_ULLONG)bytes[1]) << 48) |
-               (((BN_ULLONG)bytes[2]) << 40) |
-               (((BN_ULLONG)bytes[3]) << 32) |
-               (((BN_ULLONG)bytes[4]) << 24) |
-               (((BN_ULLONG)bytes[5]) << 16) |
-               (((BN_ULLONG)bytes[6]) <<  8) |
-               (((BN_ULLONG)bytes[7])      );
-
-       return num;
-       }
-
-static void
-long_long_to_bytes(BN_ULLONG num, unsigned char *bytes)
-       {
-       bytes[0] = (unsigned char)((num >> 56)&0xff);
-       bytes[1] = (unsigned char)((num >> 48)&0xff);
-       bytes[2] = (unsigned char)((num >> 40)&0xff);
-       bytes[3] = (unsigned char)((num >> 32)&0xff);
-       bytes[4] = (unsigned char)((num >> 24)&0xff);
-       bytes[5] = (unsigned char)((num >> 16)&0xff);
-       bytes[6] = (unsigned char)((num >>  8)&0xff);
-       bytes[7] = (unsigned char)((num      )&0xff);
-       }
-
 static void
 dtls1_clear_timeouts(SSL *s)
        {