Don't send zero length session ID if stateless session resupmtion is
[openssl.git] / ssl / d1_pkt.c
index e4c194b..2e35db8 100644 (file)
 #include <openssl/evp.h>
 #include <openssl/buffer.h>
 #include <openssl/pqueue.h>
+#include <openssl/rand.h>
 
-/* mod 256 saturating subtract of two 64-bit values in big-endian order */
+/* mod 128 saturating subtract of two 64-bit values in big-endian order */
 static int satsub64be(const unsigned char *v1,const unsigned char *v2)
-       {
-       int i;
-       unsigned char c1,c2;
-
-       for (i=0;i<8;i++,v1++,v2++)
-               {
-               c1=*v1; c2=*v2;
-               if (c1!=c2) break;
+{      int ret,sat,brw,i;
+
+       if (sizeof(long) == 8) do
+       {       const union { long one; char little; } is_endian = {1};
+               long l;
+
+               if (is_endian.little)                   break;
+               /* not reached on little-endians */
+               /* following test is redundant, because input is
+                * always aligned, but I take no chances... */
+               if (((size_t)v1|(size_t)v2)&0x7)        break;
+
+               l  = *((long *)v1);
+               l -= *((long *)v2);
+               if (l>128)              return 128;
+               else if (l<-128)        return -128;
+               else                    return (int)l;
+       } while (0);
+
+       ret = (int)v1[7]-(int)v2[7];
+       sat = 0;
+       brw = ret>>8;   /* brw is either 0 or -1 */
+       if (ret & 0x80)
+       {       for (i=6;i>=0;i--)
+               {       brw += (int)v1[i]-(int)v2[i];
+                       sat |= ~brw;
+                       brw >>= 8;
+               }
+       }
+       else
+       {       for (i=6;i>=0;i--)
+               {       brw += (int)v1[i]-(int)v2[i];
+                       sat |= brw;
+                       brw >>= 8;
                }
-       if (i==8)       return 0;
-       else if (i==7)  return (int)c1-(int)c2;
-       else if (c1>c2) return 256;
-       else            return -256;
        }
+       brw <<= 8;      /* brw is either 0 or -256 */
+
+       if (sat&0xff)   return brw | 0x80;
+       else            return brw + (ret&0xFF);
+}
 
 static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, 
        int len, int peek);
-static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap,
-       unsigned char *seq_num);
+static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap);
 static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);
 static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, 
     unsigned int *is_next_epoch);
@@ -152,9 +179,6 @@ static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
 static int dtls1_buffer_record(SSL *s, record_pqueue *q,
        unsigned char *priority);
 static int dtls1_process_record(SSL *s);
-#if PQ_64BIT_IS_INTEGER
-static PQ_64BIT bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num);
-#endif
 static void dtls1_clear_timeouts(SSL *s);
 
 /* copy buffered record into SSL structure */
@@ -214,7 +238,13 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
        memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));
        memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD));
        
-       ssl3_setup_buffers(s);
+       if (!ssl3_setup_buffers(s))
+               {
+               SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
+               OPENSSL_free(rdata);
+               pitem_free(item);
+               return(0);
+               }
        
        return(1);
        }
@@ -334,17 +364,17 @@ dtls1_get_buffered_record(SSL *s)
 static int
 dtls1_process_record(SSL *s)
 {
-    int i,al;
+       int i,al;
        int clear=0;
-    int enc_err;
+       int enc_err;
        SSL_SESSION *sess;
-    SSL3_RECORD *rr;
+       SSL3_RECORD *rr;
        unsigned int mac_size;
        unsigned char md[EVP_MAX_MD_SIZE];
 
 
        rr= &(s->s3->rrec);
-    sess = s->session;
+       sess = s->session;
 
        /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
         * and we have that many bytes in s->packet
@@ -390,14 +420,14 @@ printf("\n");
 #endif
 
        /* r->length is now the compressed data plus mac */
-if (   (sess == NULL) ||
+       if (    (sess == NULL) ||
                (s->enc_read_ctx == NULL) ||
                (s->read_hash == NULL))
-    clear=1;
+       clear=1;
 
        if (!clear)
                {
-               mac_size=EVP_MD_size(s->read_hash);
+               mac_size=EVP_MD_CTX_size(s->read_hash);
 
                if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
                        {
@@ -463,8 +493,8 @@ if (        (sess == NULL) ||
 
        /* we have pulled in a full packet so zero things */
        s->packet_length=0;
-    dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */
-    return(1);
+       dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */
+       return(1);
 
 decryption_failed_or_bad_record_mac:
        /* Separate 'decryption_failed' alert was introduced with TLS 1.0,
@@ -497,7 +527,7 @@ int dtls1_get_record(SSL *s)
        SSL3_RECORD *rr;
        SSL_SESSION *sess;
        unsigned char *p;
-       short version;
+       unsigned short version;
        DTLS1_BITMAP *bitmap;
        unsigned int is_next_epoch;
 
@@ -544,11 +574,7 @@ again:
                n2s(p,rr->length);
 
                /* Lets check version */
-               if (s->first_packet)
-                       {
-                       s->first_packet=0;
-                       }
-               else
+               if (!s->first_packet)
                        {
                        if (version != s->version)
                                {
@@ -601,13 +627,13 @@ again:
        /* match epochs.  NULL means the packet is dropped on the floor */
        bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
        if ( bitmap == NULL)
-        {
-        s->packet_length = 0;  /* dump this record */
-        goto again;   /* get another record */
+               {
+               s->packet_length = 0;  /* dump this record */
+               goto again;   /* get another record */
                }
 
        /* check whether this is a repeat, or aged record */
-       if ( ! dtls1_record_replay_check(s, bitmap, rr->seq_num))
+       if ( ! dtls1_record_replay_check(s, bitmap))
                {
                s->packet_length=0; /* dump this record */
                goto again;     /* get another record */
@@ -808,8 +834,14 @@ start:
                        dest = s->d1->alert_fragment;
                        dest_len = &s->d1->alert_fragment_len;
                        }
-               else    /* else it's a CCS message */
-                       OPENSSL_assert(rr->type == SSL3_RT_CHANGE_CIPHER_SPEC);
+                /* else it's a CCS message, or it's wrong */
+                else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC)
+                        {
+                          /* Not certain if this is the right error handling */
+                          al=SSL_AD_UNEXPECTED_MESSAGE;
+                          SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
+                          goto f_err;
+                        }
 
 
                if (dest_maxlen > 0)
@@ -983,47 +1015,36 @@ start:
                }
 
        if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
-        {
-        struct ccs_header_st ccs_hdr;
+               {
+               struct ccs_header_st ccs_hdr;
 
                dtls1_get_ccs_header(rr->data, &ccs_hdr);
 
-               if ( ccs_hdr.seq == s->d1->handshake_read_seq)
+               /* 'Change Cipher Spec' is just a single byte, so we know
+                * exactly what the record payload has to look like */
+               /* XDTLS: check that epoch is consistent */
+               if (    (rr->length != DTLS1_CCS_HEADER_LENGTH) || 
+                       (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
                        {
-                       /* 'Change Cipher Spec' is just a single byte, so we know
-                        * exactly what the record payload has to look like */
-                       /* XDTLS: check that epoch is consistent */
-                       if (    (rr->length != DTLS1_CCS_HEADER_LENGTH) || 
-                               (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
-                               {
-                               i=SSL_AD_ILLEGAL_PARAMETER;
-                               SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
-                               goto err;
-                               }
-                       
-                       rr->length=0;
-                       
-                       if (s->msg_callback)
-                               s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, 
-                                       rr->data, 1, s, s->msg_callback_arg);
-                       
-                       s->s3->change_cipher_spec=1;
-                       if (!ssl3_do_change_cipher_spec(s))
-                               goto err;
-                       
-                       /* do this whenever CCS is processed */
-                       dtls1_reset_seq_numbers(s, SSL3_CC_READ);
-                       
-                       /* handshake read seq is reset upon handshake completion */
-                       s->d1->handshake_read_seq++;
-                       
-                       goto start;
-                       }
-               else
-                       {
-                       rr->length = 0;
-                       goto start;
+                       i=SSL_AD_ILLEGAL_PARAMETER;
+                       SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
+                       goto err;
                        }
+
+               rr->length=0;
+
+               if (s->msg_callback)
+                       s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, 
+                               rr->data, 1, s, s->msg_callback_arg);
+
+               s->s3->change_cipher_spec=1;
+               if (!ssl3_do_change_cipher_spec(s))
+                       goto err;
+
+               /* do this whenever CCS is processed */
+               dtls1_reset_seq_numbers(s, SSL3_CC_READ);
+
+               goto start;
                }
 
        /* Unexpected handshake message (Client Hello, or protocol violation) */
@@ -1304,13 +1325,13 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
 
        if (    (sess == NULL) ||
                (s->enc_write_ctx == NULL) ||
-               (s->write_hash == NULL))
+               (EVP_MD_CTX_md(s->write_hash) == NULL))
                clear=1;
 
        if (clear)
                mac_size=0;
        else
-               mac_size=EVP_MD_size(s->write_hash);
+               mac_size=EVP_MD_CTX_size(s->write_hash);
 
        /* DTLS implements explicit IV, so no need for empty fragments */
 #if 0
@@ -1407,8 +1428,14 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
 
 
        /* ssl3_enc can only have an error on read */
-       wr->length += bs;  /* bs != 0 in case of CBC.  The enc fn provides
-                                               * the randomness */ 
+       if (bs) /* bs != 0 in case of CBC */
+               {
+               RAND_pseudo_bytes(p,bs);
+               /* master IV and last CBC residue stand for
+                * the rest of randomness */
+               wr->length += bs;
+               }
+
        s->method->ssl3_enc->enc(s,1);
 
        /* record length after mac and block padding */
@@ -1468,8 +1495,7 @@ err:
 
 
 
-static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap,
-       unsigned char *seq_num)
+static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap)
        {
        int cmp;
        unsigned int shift;
@@ -1478,7 +1504,7 @@ static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap,
        cmp = satsub64be(seq,bitmap->max_seq_num);
        if (cmp > 0)
                {
-               memcpy (seq_num,seq,8);
+               memcpy (s->s3->rrec.seq_num,seq,8);
                return 1; /* this record in new */
                }
        shift = -cmp;
@@ -1487,6 +1513,7 @@ static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap,
        else if (bitmap->map & (1UL<<shift))
                return 0; /* record previously received */
 
+       memcpy (s->s3->rrec.seq_num,seq,8);
        return 1;
        }
 
@@ -1528,6 +1555,7 @@ int dtls1_dispatch_alert(SSL *s)
        *ptr++ = s->s3->send_alert[0];
        *ptr++ = s->s3->send_alert[1];
 
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
        if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
                {       
                s2n(s->d1->handshake_read_seq, ptr);
@@ -1543,6 +1571,7 @@ int dtls1_dispatch_alert(SSL *s)
 #endif
                l2n3(s->d1->r_msg_hdr.frag_off, ptr);
                }
+#endif
 
        i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0);
        if (i <= 0)
@@ -1552,8 +1581,11 @@ int dtls1_dispatch_alert(SSL *s)
                }
        else
                {
-               if ( s->s3->send_alert[0] == SSL3_AL_FATAL ||
-                       s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
+               if (s->s3->send_alert[0] == SSL3_AL_FATAL
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
+                   || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
+#endif
+                   )
                        (void)BIO_flush(s->wbio);
 
                if (s->msg_callback)
@@ -1684,26 +1716,6 @@ dtls1_reset_seq_numbers(SSL *s, int rw)
        memset(seq, 0x00, seq_bytes);
        }
 
-#if PQ_64BIT_IS_INTEGER
-static PQ_64BIT
-bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num)
-       {
-       PQ_64BIT _num;
-
-       _num = (((PQ_64BIT)bytes[0]) << 56) |
-               (((PQ_64BIT)bytes[1]) << 48) |
-               (((PQ_64BIT)bytes[2]) << 40) |
-               (((PQ_64BIT)bytes[3]) << 32) |
-               (((PQ_64BIT)bytes[4]) << 24) |
-               (((PQ_64BIT)bytes[5]) << 16) |
-               (((PQ_64BIT)bytes[6]) <<  8) |
-               (((PQ_64BIT)bytes[7])      );
-
-          *num = _num ;
-       return _num;
-       }
-#endif
-
 
 static void
 dtls1_clear_timeouts(SSL *s)