d1_both.cc source code [flutter_engine/third_party/boringssl/src/ssl/d1_both.cc]

1	/*
2	* DTLS implementation written by Nagendra Modadugu
3	* (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
4	*/
5	/ ====================================================================*
6	* Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
7	*
8	* Redistribution and use in source and binary forms, with or without
9	* modification, are permitted provided that the following conditions
10	* are met:
11	*
12	* 1. Redistributions of source code must retain the above copyright
13	* notice, this list of conditions and the following disclaimer.
14	*
15	* 2. Redistributions in binary form must reproduce the above copyright
16	* notice, this list of conditions and the following disclaimer in
17	* the documentation and/or other materials provided with the
18	* distribution.
19	*
20	* 3. All advertising materials mentioning features or use of this
21	* software must display the following acknowledgment:
22	* "This product includes software developed by the OpenSSL Project
23	* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
24	*
25	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26	* endorse or promote products derived from this software without
27	* prior written permission. For written permission, please contact
28	* openssl-core@openssl.org.
29	*
30	* 5. Products derived from this software may not be called "OpenSSL"
31	* nor may "OpenSSL" appear in their names without prior written
32	* permission of the OpenSSL Project.
33	*
34	* 6. Redistributions of any form whatsoever must retain the following
35	* acknowledgment:
36	* "This product includes software developed by the OpenSSL Project
37	* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
38	*
39	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50	* OF THE POSSIBILITY OF SUCH DAMAGE.
51	* ====================================================================
52	*
53	* This product includes cryptographic software written by Eric Young
54	* (eay@cryptsoft.com). This product includes software written by Tim
55	* Hudson (tjh@cryptsoft.com).
56	*
57	*/
58	/ Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)*
59	* All rights reserved.
60	*
61	* This package is an SSL implementation written
62	* by Eric Young (eay@cryptsoft.com).
63	* The implementation was written so as to conform with Netscapes SSL.
64	*
65	* This library is free for commercial and non-commercial use as long as
66	* the following conditions are aheared to. The following conditions
67	* apply to all code found in this distribution, be it the RC4, RSA,
68	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
69	* included with this distribution is covered by the same copyright terms
70	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
71	*
72	* Copyright remains Eric Young's, and as such any Copyright notices in
73	* the code are not to be removed.
74	* If this package is used in a product, Eric Young should be given attribution
75	* as the author of the parts of the library used.
76	* This can be in the form of a textual message at program startup or
77	* in documentation (online or textual) provided with the package.
78	*
79	* Redistribution and use in source and binary forms, with or without
80	* modification, are permitted provided that the following conditions
81	* are met:
82	* 1. Redistributions of source code must retain the copyright
83	* notice, this list of conditions and the following disclaimer.
84	* 2. Redistributions in binary form must reproduce the above copyright
85	* notice, this list of conditions and the following disclaimer in the
86	* documentation and/or other materials provided with the distribution.
87	* 3. All advertising materials mentioning features or use of this software
88	* must display the following acknowledgement:
89	* "This product includes cryptographic software written by
90	* Eric Young (eay@cryptsoft.com)"
91	* The word 'cryptographic' can be left out if the rouines from the library
92	* being used are not cryptographic related :-).
93	* 4. If you include any Windows specific code (or a derivative thereof) from
94	* the apps directory (application code) you must include an acknowledgement:
95	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
96	*
97	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
98	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
99	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
100	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
101	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
102	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
103	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
104	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
105	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
106	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
107	* SUCH DAMAGE.
108	*
109	* The licence and distribution terms for any publically available version or
110	* derivative of this code cannot be changed. i.e. this code cannot simply be
111	* copied and put under another distribution licence
112	* [including the GNU Public Licence.] */
113
114	#include <openssl/ssl.h>
115
116	#include <assert.h>
117	#include <limits.h>
118	#include <string.h>
119
120	#include <openssl/err.h>
121	#include <openssl/evp.h>
122	#include <openssl/mem.h>
123	#include <openssl/rand.h>
124
125	#include "../crypto/internal.h"
126	#include "internal.h"
127
128
129	BSSL_NAMESPACE_BEGIN
130
131	// TODO(davidben): 28 comes from the size of IP + UDP header. Is this reasonable
132	// for these values? Notably, why is kMinMTU a function of the transport
133	// protocol's overhead rather than, say, what's needed to hold a minimally-sized
134	// handshake fragment plus protocol overhead.
135
136	// kMinMTU is the minimum acceptable MTU value.
137	static const unsigned int kMinMTU = `256` - `28`;
138
139	// kDefaultMTU is the default MTU value to use if neither the user nor
140	// the underlying BIO supplies one.
141	static const unsigned int kDefaultMTU = `1500` - `28`;
142
143
144	// Receiving handshake messages.
145
146	hm_fragment::~hm_fragment() {
147	OPENSSL_free(ptr: data);
148	OPENSSL_free(ptr: reassembly);
149	}
150
151	static UniquePtr<hm_fragment> dtls1_hm_fragment_new(
152	const struct hm_header_st *msg_hdr) {
153	ScopedCBB cbb;
154	UniquePtr<hm_fragment> frag = MakeUnique<hm_fragment>();
155	if (!frag) {
156	return nullptr;
157	}
158	frag ->type = msg_hdr->type;
159	frag ->seq = msg_hdr->seq;
160	frag ->msg_len = msg_hdr->msg_len;
161
162	// Allocate space for the reassembled message and fill in the header.
163	frag ->data =
164	(uint8_t *)OPENSSL_malloc(DTLS1_HM_HEADER_LENGTH + msg_hdr->msg_len);
165	if (frag ->data == NULL) {
166	return nullptr;
167	}
168
169	if (!CBB_init_fixed(cbb: cbb.get(), buf: frag ->data, DTLS1_HM_HEADER_LENGTH) \|\|
170	!CBB_add_u8(cbb: cbb.get(), value: msg_hdr->type) \|\|
171	!CBB_add_u24(cbb: cbb.get(), value: msg_hdr->msg_len) \|\|
172	!CBB_add_u16(cbb: cbb.get(), value: msg_hdr->seq) \|\|
173	!CBB_add_u24(cbb: cbb.get(), value: `0` / frag_off /) \|\|
174	!CBB_add_u24(cbb: cbb.get(), value: msg_hdr->msg_len) \|\|
175	!CBB_finish(cbb: cbb.get(), NULL, NULL)) {
176	return nullptr;
177	}
178
179	// If the handshake message is empty, \|frag->reassembly\| is NULL.
180	if (msg_hdr->msg_len > `0`) {
181	// Initialize reassembly bitmask.
182	if (msg_hdr->msg_len + `7` < msg_hdr->msg_len) {
183	OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
184	return nullptr;
185	}
186	size_t bitmask_len = (msg_hdr->msg_len + `7`) / `8`;
187	frag ->reassembly = (uint8_t *)OPENSSL_malloc(size: bitmask_len);
188	if (frag ->reassembly == NULL) {
189	return nullptr;
190	}
191	OPENSSL_memset(dst: frag ->reassembly, c: `0`, n: bitmask_len);
192	}
193
194	return frag;
195	}
196
197	// bit_range returns a \|uint8_t\| with bits \|start\|, inclusive, to \|end\|,
198	// exclusive, set.
199	static uint8_t bit_range(size_t start, size_t end) {
200	return (uint8_t)(~((`1u` << start) - `1`) & ((`1u` << end) - `1`));
201	}
202
203	// dtls1_hm_fragment_mark marks bytes \|start\|, inclusive, to \|end\|, exclusive,
204	// as received in \|frag\|. If \|frag\| becomes complete, it clears
205	// \|frag->reassembly\|. The range must be within the bounds of \|frag\|'s message
206	// and \|frag->reassembly\| must not be NULL.
207	static void dtls1_hm_fragment_mark(hm_fragment *frag, size_t start,
208	size_t end) {
209	size_t msg_len = frag->msg_len;
210
211	if (frag->reassembly == NULL \|\| start > end \|\| end > msg_len) {
212	assert(`0`);
213	return;
214	}
215	// A zero-length message will never have a pending reassembly.
216	assert(msg_len > `0`);
217
218	if (start == end) {
219	return;
220	}
221
222	if ((start >> `3`) == (end >> `3`)) {
223	frag->reassembly[start >> `3`] \|= bit_range(start: start & `7`, end: end & `7`);
224	} else {
225	frag->reassembly[start >> `3`] \|= bit_range(start: start & `7`, end: `8`);
226	for (size_t i = (start >> `3`) + `1`; i < (end >> `3`); i++) {
227	frag->reassembly[i] = `0xff`;
228	}
229	if ((end & `7`) != `0`) {
230	frag->reassembly[end >> `3`] \|= bit_range(start: `0`, end: end & `7`);
231	}
232	}
233
234	// Check if the fragment is complete.
235	for (size_t i = `0`; i < (msg_len >> `3`); i++) {
236	if (frag->reassembly[i] != `0xff`) {
237	return;
238	}
239	}
240	if ((msg_len & `7`) != `0` &&
241	frag->reassembly[msg_len >> `3`] != bit_range(start: `0`, end: msg_len & `7`)) {
242	return;
243	}
244
245	OPENSSL_free(ptr: frag->reassembly);
246	frag->reassembly = NULL;
247	}
248
249	// dtls1_is_current_message_complete returns whether the current handshake
250	// message is complete.
251	static bool dtls1_is_current_message_complete(const SSL *ssl) {
252	size_t idx = ssl->d1->handshake_read_seq % SSL_MAX_HANDSHAKE_FLIGHT;
253	hm_fragment *frag = ssl->d1->incoming_messages[idx].get();
254	return frag != NULL && frag->reassembly == NULL;
255	}
256
257	// dtls1_get_incoming_message returns the incoming message corresponding to
258	// \|msg_hdr\|. If none exists, it creates a new one and inserts it in the
259	// queue. Otherwise, it checks \|msg_hdr\| is consistent with the existing one. It
260	// returns NULL on failure. The caller does not take ownership of the result.
261	static hm_fragment *dtls1_get_incoming_message(
262	SSL ssl, uint8_t out_alert, const struct hm_header_st *msg_hdr) {
263	if (msg_hdr->seq < ssl->d1->handshake_read_seq \|\|
264	msg_hdr->seq - ssl->d1->handshake_read_seq >= SSL_MAX_HANDSHAKE_FLIGHT) {
265	*out_alert = SSL_AD_INTERNAL_ERROR;
266	return NULL;
267	}
268
269	size_t idx = msg_hdr->seq % SSL_MAX_HANDSHAKE_FLIGHT;
270	hm_fragment *frag = ssl->d1->incoming_messages[idx].get();
271	if (frag != NULL) {
272	assert(frag->seq == msg_hdr->seq);
273	// The new fragment must be compatible with the previous fragments from this
274	// message.
275	if (frag->type != msg_hdr->type \|\|
276	frag->msg_len != msg_hdr->msg_len) {
277	OPENSSL_PUT_ERROR(SSL, SSL_R_FRAGMENT_MISMATCH);
278	*out_alert = SSL_AD_ILLEGAL_PARAMETER;
279	return NULL;
280	}
281	return frag;
282	}
283
284	// This is the first fragment from this message.
285	ssl->d1->incoming_messages[idx] = dtls1_hm_fragment_new(msg_hdr);
286	if (!ssl->d1->incoming_messages[idx]) {
287	*out_alert = SSL_AD_INTERNAL_ERROR;
288	return NULL;
289	}
290	return ssl->d1->incoming_messages[idx].get();
291	}
292
293	ssl_open_record_t dtls1_open_handshake(SSL ssl, size_t out_consumed,
294	uint8_t *out_alert, Span<uint8_t> in) {
295	uint8_t type;
296	Span<uint8_t> record;
297	auto ret = dtls_open_record(ssl, out_type: &type, out: &record, out_consumed, out_alert, in);
298	if (ret != ssl_open_record_success) {
299	return ret;
300	}
301
302	switch (type) {
303	case SSL3_RT_APPLICATION_DATA:
304	// Unencrypted application data records are always illegal.
305	if (ssl->s3->aead_read_ctx ->is_null_cipher()) {
306	OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
307	*out_alert = SSL_AD_UNEXPECTED_MESSAGE;
308	return ssl_open_record_error;
309	}
310
311	// Out-of-order application data may be received between ChangeCipherSpec
312	// and finished. Discard it.
313	return ssl_open_record_discard;
314
315	case SSL3_RT_CHANGE_CIPHER_SPEC:
316	// We do not support renegotiation, so encrypted ChangeCipherSpec records
317	// are illegal.
318	if (!ssl->s3->aead_read_ctx ->is_null_cipher()) {
319	OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
320	*out_alert = SSL_AD_UNEXPECTED_MESSAGE;
321	return ssl_open_record_error;
322	}
323
324	if (record.size() != `1u` \|\| record [`0`] != SSL3_MT_CCS) {
325	OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_CHANGE_CIPHER_SPEC);
326	*out_alert = SSL_AD_ILLEGAL_PARAMETER;
327	return ssl_open_record_error;
328	}
329
330	// Flag the ChangeCipherSpec for later.
331	ssl->d1->has_change_cipher_spec = true;
332	ssl_do_msg_callback(ssl, is_write: `0` / read /, SSL3_RT_CHANGE_CIPHER_SPEC,
333	in: record);
334	return ssl_open_record_success;
335
336	case SSL3_RT_HANDSHAKE:
337	// Break out to main processing.
338	break;
339
340	default:
341	OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
342	*out_alert = SSL_AD_UNEXPECTED_MESSAGE;
343	return ssl_open_record_error;
344	}
345
346	CBS cbs;
347	CBS_init(cbs: &cbs, data: record.data(), len: record.size());
348	while (CBS_len(cbs: &cbs) > `0`) {
349	// Read a handshake fragment.
350	struct hm_header_st msg_hdr;
351	CBS body;
352	if (!dtls1_parse_fragment(cbs: &cbs, out_hdr: &msg_hdr, out_body: &body)) {
353	OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_HANDSHAKE_RECORD);
354	*out_alert = SSL_AD_DECODE_ERROR;
355	return ssl_open_record_error;
356	}
357
358	const size_t frag_off = msg_hdr.frag_off;
359	const size_t frag_len = msg_hdr.frag_len;
360	const size_t msg_len = msg_hdr.msg_len;
361	if (frag_off > msg_len \|\| frag_off + frag_len < frag_off \|\|
362	frag_off + frag_len > msg_len \|\|
363	msg_len > ssl_max_handshake_message_len(ssl)) {
364	OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);
365	*out_alert = SSL_AD_ILLEGAL_PARAMETER;
366	return ssl_open_record_error;
367	}
368
369	// The encrypted epoch in DTLS has only one handshake message.
370	if (ssl->d1->r_epoch == `1` && msg_hdr.seq != ssl->d1->handshake_read_seq) {
371	OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
372	*out_alert = SSL_AD_UNEXPECTED_MESSAGE;
373	return ssl_open_record_error;
374	}
375
376	if (msg_hdr.seq < ssl->d1->handshake_read_seq \|\|
377	msg_hdr.seq >
378	(unsigned)ssl->d1->handshake_read_seq + SSL_MAX_HANDSHAKE_FLIGHT) {
379	// Ignore fragments from the past, or ones too far in the future.
380	continue;
381	}
382
383	hm_fragment *frag = dtls1_get_incoming_message(ssl, out_alert, msg_hdr: &msg_hdr);
384	if (frag == NULL) {
385	return ssl_open_record_error;
386	}
387	assert(frag->msg_len == msg_len);
388
389	if (frag->reassembly == NULL) {
390	// The message is already assembled.
391	continue;
392	}
393	assert(msg_len > `0`);
394
395	// Copy the body into the fragment.
396	OPENSSL_memcpy(dst: frag->data + DTLS1_HM_HEADER_LENGTH + frag_off,
397	src: CBS_data(cbs: &body), n: CBS_len(cbs: &body));
398	dtls1_hm_fragment_mark(frag, start: frag_off, end: frag_off + frag_len);
399	}
400
401	return ssl_open_record_success;
402	}
403
404	bool dtls1_get_message(const SSL ssl, SSLMessage out) {
405	if (!dtls1_is_current_message_complete(ssl)) {
406	return false;
407	}
408
409	size_t idx = ssl->d1->handshake_read_seq % SSL_MAX_HANDSHAKE_FLIGHT;
410	hm_fragment *frag = ssl->d1->incoming_messages[idx].get();
411	out->type = frag->type;
412	CBS_init(cbs: &out->body, data: frag->data + DTLS1_HM_HEADER_LENGTH, len: frag->msg_len);
413	CBS_init(cbs: &out->raw, data: frag->data, DTLS1_HM_HEADER_LENGTH + frag->msg_len);
414	out->is_v2_hello = false;
415	if (!ssl->s3->has_message) {
416	ssl_do_msg_callback(ssl, is_write: `0` / read /, SSL3_RT_HANDSHAKE, in: out->raw);
417	ssl->s3->has_message = true;
418	}
419	return true;
420	}
421
422	void dtls1_next_message(SSL *ssl) {
423	assert(ssl->s3->has_message);
424	assert(dtls1_is_current_message_complete(ssl));
425	size_t index = ssl->d1->handshake_read_seq % SSL_MAX_HANDSHAKE_FLIGHT;
426	ssl->d1->incoming_messages[index].reset();
427	ssl->d1->handshake_read_seq++;
428	ssl->s3->has_message = false;
429	// If we previously sent a flight, mark it as having a reply, so
430	// \|on_handshake_complete\| can manage post-handshake retransmission.
431	if (ssl->d1->outgoing_messages_complete) {
432	ssl->d1->flight_has_reply = true;
433	}
434	}
435
436	bool dtls_has_unprocessed_handshake_data(const SSL *ssl) {
437	size_t current = ssl->d1->handshake_read_seq % SSL_MAX_HANDSHAKE_FLIGHT;
438	for (size_t i = `0`; i < SSL_MAX_HANDSHAKE_FLIGHT; i++) {
439	// Skip the current message.
440	if (ssl->s3->has_message && i == current) {
441	assert(dtls1_is_current_message_complete(ssl));
442	continue;
443	}
444	if (ssl->d1->incoming_messages[i] != nullptr) {
445	return true;
446	}
447	}
448	return false;
449	}
450
451	bool dtls1_parse_fragment(CBS cbs, struct* hm_header_st *out_hdr,
452	CBS *out_body) {
453	OPENSSL_memset(dst: out_hdr, c: `0x00`, n: sizeof(struct hm_header_st));
454
455	if (!CBS_get_u8(cbs, out: &out_hdr->type) \|\|
456	!CBS_get_u24(cbs, out: &out_hdr->msg_len) \|\|
457	!CBS_get_u16(cbs, out: &out_hdr->seq) \|\|
458	!CBS_get_u24(cbs, out: &out_hdr->frag_off) \|\|
459	!CBS_get_u24(cbs, out: &out_hdr->frag_len) \|\|
460	!CBS_get_bytes(cbs, out: out_body, len: out_hdr->frag_len)) {
461	return false;
462	}
463
464	return true;
465	}
466
467	ssl_open_record_t dtls1_open_change_cipher_spec(SSL ssl, size_t out_consumed,
468	uint8_t *out_alert,
469	Span<uint8_t> in) {
470	if (!ssl->d1->has_change_cipher_spec) {
471	// dtls1_open_handshake processes both handshake and ChangeCipherSpec.
472	auto ret = dtls1_open_handshake(ssl, out_consumed, out_alert, in);
473	if (ret != ssl_open_record_success) {
474	return ret;
475	}
476	}
477	if (ssl->d1->has_change_cipher_spec) {
478	ssl->d1->has_change_cipher_spec = false;
479	return ssl_open_record_success;
480	}
481	return ssl_open_record_discard;
482	}
483
484
485	// Sending handshake messages.
486
487	void DTLS_OUTGOING_MESSAGE::Clear() { data.Reset(); }
488
489	void dtls_clear_outgoing_messages(SSL *ssl) {
490	for (size_t i = `0`; i < ssl->d1->outgoing_messages_len; i++) {
491	ssl->d1->outgoing_messages[i].Clear();
492	}
493	ssl->d1->outgoing_messages_len = `0`;
494	ssl->d1->outgoing_written = `0`;
495	ssl->d1->outgoing_offset = `0`;
496	ssl->d1->outgoing_messages_complete = false;
497	ssl->d1->flight_has_reply = false;
498	}
499
500	bool dtls1_init_message(const SSL ssl, CBB cbb, CBB *body, uint8_t type) {
501	// Pick a modest size hint to save most of the \|realloc\| calls.
502	if (!CBB_init(cbb, initial_capacity: `64`) \|\|
503	!CBB_add_u8(cbb, value: type) \|\|
504	!CBB_add_u24(cbb, value: `0` / length (filled in later) /) \|\|
505	!CBB_add_u16(cbb, value: ssl->d1->handshake_write_seq) \|\|
506	!CBB_add_u24(cbb, value: `0` / offset /) \|\|
507	!CBB_add_u24_length_prefixed(cbb, out_contents: body)) {
508	return false;
509	}
510
511	return true;
512	}
513
514	bool dtls1_finish_message(const SSL ssl, CBB cbb, Array<uint8_t> *out_msg) {
515	if (!CBBFinishArray(cbb, out: out_msg) \|\|
516	out_msg->size() < DTLS1_HM_HEADER_LENGTH) {
517	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
518	return false;
519	}
520
521	// Fix up the header. Copy the fragment length into the total message
522	// length.
523	OPENSSL_memcpy(dst: out_msg->data() + `1`,
524	src: out_msg->data() + DTLS1_HM_HEADER_LENGTH - `3`, n: `3`);
525	return true;
526	}
527
528	// ssl_size_t_greater_than_32_bits returns whether \|v\| exceeds the bounds of a
529	// 32-bit value. The obvious thing doesn't work because, in some 32-bit build
530	// configurations, the compiler warns that the test is always false and breaks
531	// the build.
532	static bool ssl_size_t_greater_than_32_bits(size_t v) {
533	#if defined(OPENSSL_64_BIT)
534	return v > `0xffffffff`;
535	#elif defined(OPENSSL_32_BIT)
536	return false;
537	#else
538	#error "Building for neither 32- nor 64-bits."
539	#endif
540	}
541
542	// add_outgoing adds a new handshake message or ChangeCipherSpec to the current
543	// outgoing flight. It returns true on success and false on error.
544	static bool add_outgoing(SSL ssl, bool* is_ccs, Array<uint8_t> data) {
545	if (ssl->d1->outgoing_messages_complete) {
546	// If we've begun writing a new flight, we received the peer flight. Discard
547	// the timer and the our flight.
548	dtls1_stop_timer(ssl);
549	dtls_clear_outgoing_messages(ssl);
550	}
551
552	static_assert(SSL_MAX_HANDSHAKE_FLIGHT <
553	(`1` << `8` * sizeof(ssl->d1->outgoing_messages_len)),
554	"outgoing_messages_len is too small");
555	if (ssl->d1->outgoing_messages_len >= SSL_MAX_HANDSHAKE_FLIGHT \|\|
556	ssl_size_t_greater_than_32_bits(v: data.size())) {
557	assert(false);
558	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
559	return false;
560	}
561
562	if (!is_ccs) {
563	// TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript
564	// on hs.
565	if (ssl->s3->hs != NULL &&
566	!ssl->s3->hs ->transcript.Update(in: data)) {
567	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
568	return false;
569	}
570	ssl->d1->handshake_write_seq++;
571	}
572
573	DTLS_OUTGOING_MESSAGE *msg =
574	&ssl->d1->outgoing_messages[ssl->d1->outgoing_messages_len];
575	msg->data = std::move(data);
576	msg->epoch = ssl->d1->w_epoch;
577	msg->is_ccs = is_ccs;
578
579	ssl->d1->outgoing_messages_len++;
580	return true;
581	}
582
583	bool dtls1_add_message(SSL *ssl, Array<uint8_t> data) {
584	return add_outgoing(ssl, is_ccs: false / handshake /, data: std::move(data));
585	}
586
587	bool dtls1_add_change_cipher_spec(SSL *ssl) {
588	return add_outgoing(ssl, is_ccs: true / ChangeCipherSpec /, data: Array<uint8_t>());
589	}
590
591	// dtls1_update_mtu updates the current MTU from the BIO, ensuring it is above
592	// the minimum.
593	static void dtls1_update_mtu(SSL *ssl) {
594	// TODO(davidben): No consumer implements \|BIO_CTRL_DGRAM_SET_MTU\| and the
595	// only \|BIO_CTRL_DGRAM_QUERY_MTU\| implementation could use
596	// \|SSL_set_mtu\|. Does this need to be so complex?
597	if (ssl->d1->mtu < dtls1_min_mtu() &&
598	!(SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) {
599	long mtu = BIO_ctrl(bio: ssl->wbio.get(), BIO_CTRL_DGRAM_QUERY_MTU, larg: `0`, NULL);
600	if (mtu >= `0` && mtu <= (`1` << `30`) && (unsigned)mtu >= dtls1_min_mtu()) {
601	ssl->d1->mtu = (unsigned)mtu;
602	} else {
603	ssl->d1->mtu = kDefaultMTU;
604	BIO_ctrl(bio: ssl->wbio.get(), BIO_CTRL_DGRAM_SET_MTU, larg: ssl->d1->mtu, NULL);
605	}
606	}
607
608	// The MTU should be above the minimum now.
609	assert(ssl->d1->mtu >= dtls1_min_mtu());
610	}
611
612	enum seal_result_t {
613	seal_error,
614	seal_no_progress,
615	seal_partial,
616	seal_success,
617	};
618
619	// seal_next_message seals \|msg\|, which must be the next message, to \|out\|. If
620	// progress was made, it returns \|seal_partial\| or \|seal_success\| and sets
621	// \|out_len\| to the number of bytes written.*
622	static enum seal_result_t seal_next_message(SSL ssl, uint8_t out,
623	size_t *out_len, size_t max_out,
624	const DTLS_OUTGOING_MESSAGE *msg) {
625	assert(ssl->d1->outgoing_written < ssl->d1->outgoing_messages_len);
626	assert(msg == &ssl->d1->outgoing_messages[ssl->d1->outgoing_written]);
627
628	enum dtls1_use_epoch_t use_epoch = dtls1_use_current_epoch;
629	if (ssl->d1->w_epoch >= `1` && msg->epoch == ssl->d1->w_epoch - `1`) {
630	use_epoch = dtls1_use_previous_epoch;
631	} else if (msg->epoch != ssl->d1->w_epoch) {
632	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
633	return seal_error;
634	}
635
636	size_t overhead = dtls_max_seal_overhead(ssl, use_epoch);
637	size_t prefix = dtls_seal_prefix_len(ssl, use_epoch);
638
639	if (msg->is_ccs) {
640	// Check there is room for the ChangeCipherSpec.
641	static const uint8_t kChangeCipherSpec[`1`] = {SSL3_MT_CCS};
642	if (max_out < sizeof(kChangeCipherSpec) + overhead) {
643	return seal_no_progress;
644	}
645
646	if (!dtls_seal_record(ssl, out, out_len, max_out,
647	SSL3_RT_CHANGE_CIPHER_SPEC, in: kChangeCipherSpec,
648	in_len: sizeof(kChangeCipherSpec), use_epoch)) {
649	return seal_error;
650	}
651
652	ssl_do_msg_callback(ssl, is_write: `1` / write /, SSL3_RT_CHANGE_CIPHER_SPEC,
653	in: kChangeCipherSpec);
654	return seal_success;
655	}
656
657	// DTLS messages are serialized as a single fragment in \|msg\|.
658	CBS cbs, body;
659	struct hm_header_st hdr;
660	CBS_init(cbs: &cbs, data: msg->data.data(), len: msg->data.size());
661	if (!dtls1_parse_fragment(cbs: &cbs, out_hdr: &hdr, out_body: &body) \|\|
662	hdr.frag_off != `0` \|\|
663	hdr.frag_len != CBS_len(cbs: &body) \|\|
664	hdr.msg_len != CBS_len(cbs: &body) \|\|
665	!CBS_skip(cbs: &body, len: ssl->d1->outgoing_offset) \|\|
666	CBS_len(cbs: &cbs) != `0`) {
667	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
668	return seal_error;
669	}
670
671	// Determine how much progress can be made.
672	if (max_out < DTLS1_HM_HEADER_LENGTH + `1` + overhead \|\| max_out < prefix) {
673	return seal_no_progress;
674	}
675	size_t todo = CBS_len(cbs: &body);
676	if (todo > max_out - DTLS1_HM_HEADER_LENGTH - overhead) {
677	todo = max_out - DTLS1_HM_HEADER_LENGTH - overhead;
678	}
679
680	// Assemble a fragment, to be sealed in-place.
681	ScopedCBB cbb;
682	CBB child;
683	uint8_t *frag = out + prefix;
684	size_t max_frag = max_out - prefix, frag_len;
685	if (!CBB_init_fixed(cbb: cbb.get(), buf: frag, len: max_frag) \|\|
686	!CBB_add_u8(cbb: cbb.get(), value: hdr.type) \|\|
687	!CBB_add_u24(cbb: cbb.get(), value: hdr.msg_len) \|\|
688	!CBB_add_u16(cbb: cbb.get(), value: hdr.seq) \|\|
689	!CBB_add_u24(cbb: cbb.get(), value: ssl->d1->outgoing_offset) \|\|
690	!CBB_add_u24_length_prefixed(cbb: cbb.get(), out_contents: &child) \|\|
691	!CBB_add_bytes(cbb: &child, data: CBS_data(cbs: &body), len: todo) \|\|
692	!CBB_finish(cbb: cbb.get(), NULL, out_len: &frag_len)) {
693	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
694	return seal_error;
695	}
696
697	ssl_do_msg_callback(ssl, is_write: `1` / write /, SSL3_RT_HANDSHAKE,
698	in: MakeSpan(ptr: frag, size: frag_len));
699
700	if (!dtls_seal_record(ssl, out, out_len, max_out, SSL3_RT_HANDSHAKE,
701	in: out + prefix, in_len: frag_len, use_epoch)) {
702	return seal_error;
703	}
704
705	if (todo == CBS_len(cbs: &body)) {
706	// The next message is complete.
707	ssl->d1->outgoing_offset = `0`;
708	return seal_success;
709	}
710
711	ssl->d1->outgoing_offset += todo;
712	return seal_partial;
713	}
714
715	// seal_next_packet writes as much of the next flight as possible to \|out\| and
716	// advances \|ssl->d1->outgoing_written\| and \|ssl->d1->outgoing_offset\| as
717	// appropriate.
718	static bool seal_next_packet(SSL ssl, uint8_t out, size_t *out_len,
719	size_t max_out) {
720	bool made_progress = false;
721	size_t total = `0`;
722	assert(ssl->d1->outgoing_written < ssl->d1->outgoing_messages_len);
723	for (; ssl->d1->outgoing_written < ssl->d1->outgoing_messages_len;
724	ssl->d1->outgoing_written++) {
725	const DTLS_OUTGOING_MESSAGE *msg =
726	&ssl->d1->outgoing_messages[ssl->d1->outgoing_written];
727	size_t len;
728	enum seal_result_t ret = seal_next_message(ssl, out, out_len: &len, max_out, msg);
729	switch (ret) {
730	case seal_error:
731	return false;
732
733	case seal_no_progress:
734	goto packet_full;
735
736	case seal_partial:
737	case seal_success:
738	out += len;
739	max_out -= len;
740	total += len;
741	made_progress = true;
742
743	if (ret == seal_partial) {
744	goto packet_full;
745	}
746	break;
747	}
748	}
749
750	packet_full:
751	// The MTU was too small to make any progress.
752	if (!made_progress) {
753	OPENSSL_PUT_ERROR(SSL, SSL_R_MTU_TOO_SMALL);
754	return false;
755	}
756
757	*out_len = total;
758	return true;
759	}
760
761	static int send_flight(SSL *ssl) {
762	if (ssl->s3->write_shutdown != ssl_shutdown_none) {
763	OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
764	return -`1`;
765	}
766
767	if (ssl->wbio == nullptr) {
768	OPENSSL_PUT_ERROR(SSL, SSL_R_BIO_NOT_SET);
769	return -`1`;
770	}
771
772	dtls1_update_mtu(ssl);
773
774	Array<uint8_t> packet;
775	if (!packet.Init(new_size: ssl->d1->mtu)) {
776	return -`1`;
777	}
778
779	while (ssl->d1->outgoing_written < ssl->d1->outgoing_messages_len) {
780	uint8_t old_written = ssl->d1->outgoing_written;
781	uint32_t old_offset = ssl->d1->outgoing_offset;
782
783	size_t packet_len;
784	if (!seal_next_packet(ssl, out: packet.data(), out_len: &packet_len, max_out: packet.size())) {
785	return -`1`;
786	}
787
788	int bio_ret = BIO_write(bio: ssl->wbio.get(), data: packet.data(), len: packet_len);
789	if (bio_ret <= `0`) {
790	// Retry this packet the next time around.
791	ssl->d1->outgoing_written = old_written;
792	ssl->d1->outgoing_offset = old_offset;
793	ssl->s3->rwstate = SSL_ERROR_WANT_WRITE;
794	return bio_ret;
795	}
796	}
797
798	if (BIO_flush(bio: ssl->wbio.get()) <= `0`) {
799	ssl->s3->rwstate = SSL_ERROR_WANT_WRITE;
800	return -`1`;
801	}
802
803	return `1`;
804	}
805
806	int dtls1_flush_flight(SSL *ssl) {
807	ssl->d1->outgoing_messages_complete = true;
808	// Start the retransmission timer for the next flight (if any).
809	dtls1_start_timer(ssl);
810	return send_flight(ssl);
811	}
812
813	int dtls1_retransmit_outgoing_messages(SSL *ssl) {
814	// Rewind to the start of the flight and write it again.
815	//
816	// TODO(davidben): This does not allow retransmits to be resumed on
817	// non-blocking write.
818	ssl->d1->outgoing_written = `0`;
819	ssl->d1->outgoing_offset = `0`;
820
821	return send_flight(ssl);
822	}
823
824	unsigned int dtls1_min_mtu(void) {
825	return kMinMTU;
826	}
827
828	BSSL_NAMESPACE_END
829

source code of flutter_engine/third_party/boringssl/src/ssl/d1_both.cc