| blob | 89315eee041b9a85eb5d9d18927e617d339789a4 |
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
5 /*
6 * DTLS Protocol
7 */
13 #ifndef PR_ARRAY_SIZE
14 #define PR_ARRAY_SIZE(a) (sizeof(a)/sizeof((a)[0]))
15 #endif
21 /* -28 adjusts for the IP/UDP header */
27 };
29 #define DTLS_COOKIE_BYTES 32
31 /* List copied from ssl3con.c:cipherSuites */
33 #ifndef NSS_DISABLE_ECC
34 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
35 TLS_ECDHE_RSA_WITH_RC4_128_SHA,
37 TLS_DHE_DSS_WITH_RC4_128_SHA,
38 #ifndef NSS_DISABLE_ECC
39 TLS_ECDH_RSA_WITH_RC4_128_SHA,
40 TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
42 TLS_RSA_WITH_RC4_128_MD5,
43 TLS_RSA_WITH_RC4_128_SHA,
44 TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
45 TLS_RSA_EXPORT_WITH_RC4_40_MD5,
47 };
49 /* Map back and forth between TLS and DTLS versions in wire format.
50 * Mapping table is:
51 *
52 * TLS DTLS
53 * 1.1 (0302) 1.0 (feff)
54 * 1.2 (0303) 1.2 (fefd)
55 * 1.3 (0304) 1.3 (fefc)
56 */
57 SSL3ProtocolVersion
59 {
62 }
65 }
68 }
70 /* Anything other than TLS 1.1 or 1.2 is an error, so return
71 * the invalid version 0xffff. */
73 }
75 /* Map known DTLS versions to known TLS versions.
76 * - Invalid versions (< 1.0) return a version of 0
77 * - Versions > known return a version one higher than we know of
78 * to accomodate a theoretically newer version */
79 SSL3ProtocolVersion
81 {
84 }
88 }
91 }
94 }
96 /* Return a fictional higher version than we know of */
98 }
100 /* On this socket, Disable non-DTLS cipher suites in the argument's list */
101 SECStatus
103 {
110 }
112 }
114 /* Allocate a DTLSQueuedMessage.
115 *
116 * Called from dtls_QueueMessage()
117 */
121 {
132 }
140 }
142 /*
143 * Free a handshake message
144 *
145 * Called from dtls_FreeHandshakeMessages()
146 */
147 static void
149 {
155 }
157 /*
158 * Free a list of handshake messages
159 *
160 * Called from:
161 * dtls_HandleHandshake()
162 * ssl3_DestroySSL3Info()
163 */
164 void
166 {
173 }
174 }
176 /* Called only from ssl3_HandleRecord, for each (deciphered) DTLS record.
177 * origBuf is the decrypted ssl record content and is expected to contain
178 * complete handshake records
179 * Caller must hold the handshake and RecvBuf locks.
180 *
181 * Note that this code uses msg_len for two purposes:
182 *
183 * (1) To pass the length to ssl3_HandleHandshakeMessage()
184 * (2) To carry the length of a message currently being reassembled
185 *
186 * However, unlike ssl3_HandleHandshake(), it is not used to carry
187 * the state of reassembly (i.e., whether one is in progress). That
188 * is carried in recvdHighWater and recvdFragments.
189 */
190 #define OFFSET_BYTE(o) (o/8)
191 #define OFFSET_MASK(o) (1 << (o%8))
193 SECStatus
195 {
196 /* XXX OK for now.
197 * This doesn't work properly with asynchronous certificate validation.
198 * because that returns a WOULDBLOCK error. The current DTLS
199 * applications do not need asynchronous validation, but in the
200 * future we will need to add this.
201 */
209 PRUint8 type;
210 PRUint32 message_length;
211 PRUint16 message_seq;
212 PRUint32 fragment_offset;
213 PRUint32 fragment_length;
214 PRUint32 offset;
220 }
222 /* Parse the header */
234 }
235 #undef MAX_HANDSHAKE_MSG_LEN
240 /* This fragment must be complete */
245 }
247 /* Sanity check the packet contents */
252 }
254 /* There are three ways we could not be ready for this packet.
255 *
256 * 1. It's a partial next message.
257 * 2. It's a partial or complete message beyond the next
258 * 3. It's a message we've already seen
259 *
260 * If it's the complete next message we accept it right away.
261 * This is the common case for short messages
262 */
266 /* Complete next message. Process immediately */
270 /* At this point we are advancing our state machine, so
271 * we can free our last flight of messages */
276 /* Reset the timer to the initial value if the retry counter
277 * is 0, per Sec. 4.2.4.1 */
280 }
284 /* Do not attempt to process rest of messages in this record */
286 }
289 /* Case 3: we do an immediate retransmit if we're
290 * in a waiting state*/
292 /* Ignore */
294 dtls_RetransmitTimerExpiredCb) {
297 /* Check to see if we retransmitted recently. If so,
298 * suppress the triggered retransmit. This avoids
299 * retransmit wars after packet loss.
300 * This is not in RFC 5346 but should be
301 */
308 /* Cancel the timer and call the CB,
309 * which re-arms the timer */
320 }
322 /* Retransmit the messages and re-arm the timer
323 * Note that we are not backing off the timer here.
324 * The spec isn't clear and my reasoning is that this
325 * may be a re-ordered packet rather than slowness,
326 * so let's be aggressive. */
331 }
335 }
337 /* Case 2
338 *
339 * Ignore this message. This means we don't handle out of
340 * order complete messages that well, but we're still
341 * compliant and this probably does not happen often
342 *
343 * XXX OK for now. Maybe do something smarter at some point?
344 */
346 /* Case 1
347 *
348 * Buffer the fragment for reassembly
349 */
350 /* Make room for the message */
357 /* Make room for the fragment map */
359 map_length);
363 /* Reset the reassembly map */
369 }
371 /* If we have a message length mismatch, abandon the reassembly
372 * in progress and hope that the next retransmit will give us
373 * something sane
374 */
380 }
382 /* Now copy this fragment into the buffer */
388 /* This logic is a bit tricky. We have two values for
389 * reassembly state:
390 *
391 * - recvdHighWater contains the highest contiguous number of
392 * bytes received
393 * - recvdFragments contains a bitmask of packets received
394 * above recvdHighWater
395 *
396 * This avoids having to fill in the bitmask in the common
397 * case of adjacent fragments received in sequence
398 */
400 /* Either this is the adjacent fragment or an overlapping
401 * fragment */
403 fragment_length;
407 offset++) {
410 }
411 }
413 /* Now figure out the new high water mark if appropriate */
416 /* Note that this loop is not efficient, since it counts
417 * bit by bit. If we have a lot of out-of-order packets,
418 * we should optimize this */
424 }
425 }
427 /* If we have all the bytes, then we are good to go */
437 /* At this point we are advancing our state machine, so
438 * we can free our last flight of messages */
442 /* If there have been no retries this time, reset the
443 * timer value to the default per Section 4.2.4.1 */
446 }
447 }
448 }
449 }
453 }
457 /* XXX OK for now. In future handle rv == SECWouldBlock safely in order
458 * to deal with asynchronous certificate verification */
460 }
462 /* Enqueue a message (either handshake or CCS)
463 *
464 * Called from:
465 * dtls_StageHandshakeMessage()
466 * ssl3_SendChangeCipherSpecs()
467 */
470 {
484 }
487 }
489 /* Add DTLS handshake message to the pending queue
490 * Empty the sendBuf buffer.
491 * This function returns SECSuccess or SECFailure, never SECWouldBlock.
492 * Always set sendBuf.len to 0, even when returning SECFailure.
493 *
494 * Called from:
495 * ssl3_AppendHandshakeHeader()
496 * dtls_FlushHandshake()
497 */
498 SECStatus
500 {
506 /* This function is sometimes called when no data is actually to
507 * be staged, so just return SECSuccess. */
514 /* Whether we succeeded or failed, toss the old handshake data. */
517 }
519 /* Enqueue the handshake message in sendBuf (if any) and then
520 * transmit the resulting flight of handshake messages.
521 *
522 * Called from:
523 * ssl3_FlushHandshake()
524 */
525 SECStatus
527 {
545 }
546 }
549 }
551 /* The callback for when the retransmit timer expires
552 *
553 * Called from:
554 * dtls_CheckTimer()
555 * dtls_HandleHandshake()
556 */
557 static void
559 {
565 /* If one of the messages was potentially greater than > MTU,
566 * then downgrade. Do this every time we have retransmitted a
567 * message twice, per RFC 6347 Sec. 4.1.1 */
569 }
574 /* Re-arm the timer */
576 }
579 /* XXX OK for now. In future maybe signal the stack that we couldn't
580 * transmit. For now, let the read handle any real network errors */
581 }
582 }
584 /* Transmit a flight of handshake messages, stuffing them
585 * into as few records as seems reasonable
586 *
587 * Called from:
588 * dtls_FlushHandshake()
589 * dtls_RetransmitTimerExpiredCb()
590 */
591 static SECStatus
593 {
597 PRInt32 sent;
602 /* DTLS does not buffer its handshake messages in
603 * ss->pendingBuf, but rather in the lastMessageFlight
604 * structure. This is just a sanity check that
605 * some programming error hasn't inadvertantly
606 * stuffed something in ss->pendingBuf
607 */
614 /* The logic here is:
615 *
616 * 1. If this is a message that will not fit into the remaining
617 * space, then flush.
618 * 2. If the message will now fit into the remaining space,
619 * encrypt, buffer, and loop.
620 * 3. If the message will not fit, then fragment.
621 *
622 * At the end of the function, flush.
623 */
625 /* The message will not fit into the remaining space, so flush */
631 }
634 /* The message will fit, so encrypt and then continue with the
635 * next packet */
638 ssl_SEND_FLAG_FORCE_INTO_BUFFER |
639 ssl_SEND_FLAG_USE_EPOCH);
644 }
646 }
650 /* The message will not fit, so fragment.
651 *
652 * XXX OK for now. Arrange to coalesce the last fragment
653 * of this message with the next message if possible.
654 * That would be more efficient.
655 */
658 * plausible MTU */
660 /* Assert that we have already flushed */
663 /* Case 3: We now need to fragment this message
664 * DTLS only supports fragmenting handshaking messages */
667 /* The headers consume 12 bytes so the smalles possible
668 * message (i.e., an empty one) is 12 bytes
669 */
673 PRUint32 fragment_len;
677 /* The reason we use 8 here is that that's the length of
678 * the new DTLS data that we add to the header */
682 /* Make totally sure that we are within the buffer.
683 * Note that the only way that fragment len could get
684 * adjusted here is if
685 *
686 * (a) we are in release mode so the PORT_Assert is compiled out
687 * (b) either the MTU table is inconsistent with DTLS_MAX_MTU
688 * or ss->ssl3.mtu has become corrupt.
689 */
692 /* Construct an appropriate-sized fragment */
693 /* Type, length, sequence */
696 /* Offset */
701 /* Fragment length */
707 fragment_len);
709 /*
710 * Send the record. We do this in two stages
711 * 1. Encrypt
712 */
715 ssl_SEND_FLAG_FORCE_INTO_BUFFER |
716 ssl_SEND_FLAG_USE_EPOCH);
721 }
723 }
725 /* 2. Flush */
731 }
732 }
733 }
735 /* Finally, we need to flush */
739 /* Give up the locks */
744 }
746 /* Flush the data in the pendingBuf and update the max message sent
747 * so we can adjust the MTU estimate if we need to.
748 * Wrapper for ssl_SendSavedWriteData.
749 *
750 * Called from dtls_TransmitMessageFlight()
751 */
752 static
754 {
755 PRInt32 sent;
761 /* We should always have complete writes b/c datagram sockets
762 * don't really block */
766 }
768 /* Update the largest message sent so we can adjust the MTU
769 * estimate if necessary */
774 }
776 /* Compress, MAC, encrypt a DTLS record. Allows specification of
777 * the epoch using epoch value. If use_epoch is PR_TRUE then
778 * we use the provided epoch. If use_epoch is PR_FALSE then
779 * whatever the current value is in effect is used.
780 *
781 * Called from ssl3_SendRecord()
782 */
783 SECStatus
785 DTLSEpoch epoch,
786 PRBool use_epoch,
787 SSL3ContentType type,
789 PRUint32 contentLen,
791 {
797 /* The reason for this switch-hitting code is that we might have
798 * a flight of records spanning an epoch boundary, e.g.,
799 *
800 * ClientKeyExchange (epoch = 0)
801 * ChangeCipherSpec (epoch = 0)
802 * Finished (epoch = 1)
803 *
804 * Thus, each record needs a different cipher spec. The information
805 * about which epoch to use is carried with the record.
806 */
812 else
816 }
821 wrBuf);
825 }
829 }
831 /* Start a timer
832 *
833 * Called from:
834 * dtls_HandleHandshake()
835 * dtls_FlushHAndshake()
836 * dtls_RestartTimer()
837 */
838 SECStatus
840 {
847 }
849 /* Restart a timer with optional backoff
850 *
851 * Called from dtls_RetransmitTimerExpiredCb()
852 */
853 SECStatus
855 {
860 }
863 }
865 /* Cancel a pending timer
866 *
867 * Called from:
868 * dtls_HandleHandshake()
869 * dtls_CheckTimer()
870 */
871 void
873 {
877 }
879 /* Check the pending timer and fire the callback if it expired
880 *
881 * Called from ssl3_GatherCompleteHandshake()
882 */
883 void
885 {
891 /* Timer has expired */
894 /* Cancel the timer so that we can call the CB safely */
897 /* Now call the CB */
899 }
900 }
902 /* The callback to fire when the holddown timer for the Finished
903 * message expires and we can delete it
904 *
905 * Called from dtls_CheckTimer()
906 */
907 void
909 {
911 }
913 /* Cancel the Finished hold-down timer and destroy the
914 * pending cipher spec. Note that this means that
915 * successive rehandshakes will fail if the Finished is
916 * lost.
917 *
918 * XXX OK for now. Figure out how to handle the combination
919 * of Finished lost and rehandshake
920 */
921 void
923 {
928 }
930 /* Set the MTU to the next step less than or equal to the
931 * advertised value. Also used to downgrade the MTU by
932 * doing dtls_SetMTU(ss, biggest packet set).
933 *
934 * Passing 0 means set this to the largest MTU known
935 * (effectively resetting the PMTU backoff value).
936 *
937 * Called by:
938 * ssl3_InitState()
939 * dtls_RetransmitTimerExpiredCb()
940 */
941 void
943 {
950 }
957 }
958 }
960 /* Fallback */
963 }
965 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a
966 * DTLS hello_verify_request
967 * Caller must hold Handshake and RecvBuf locks.
968 */
969 SECStatus
971 {
973 SECStatus rv;
974 PRInt32 temp;
987 }
989 /* The version */
993 }
998 }
1000 /* The cookie */
1004 }
1008 }
1016 /* Now re-send the client hello */
1024 alert_loser:
1027 loser:
1030 }
1032 /* Initialize the DTLS anti-replay window
1033 *
1034 * Called from:
1035 * ssl3_SetupPendingCipherSpec()
1036 * ssl3_InitCipherSpec()
1037 */
1038 void
1040 {
1044 }
1046 /*
1047 * Has this DTLS record been received? Return values are:
1048 * -1 -- out of range to the left
1049 * 0 -- not received yet
1050 * 1 -- replay
1051 *
1052 * Called from: dtls_HandleRecord()
1053 */
1054 int
1056 {
1057 PRUint64 offset;
1059 /* Out of range to the left */
1062 }
1064 /* Out of range to the right; since we advance the window on
1065 * receipt, that means that this packet has not been received
1066 * yet */
1073 }
1075 /* Update the DTLS anti-replay window
1076 *
1077 * Called from ssl3_HandleRecord()
1078 */
1079 void
1081 {
1082 PRUint64 offset;
1088 PRUint64 new_left;
1089 PRUint64 new_right;
1090 PRUint64 right;
1092 /* Slide to the right; this is the tricky part
1093 *
1094 * 1. new_top is set to have room for seq, on the
1095 * next byte boundary by setting the right 8
1096 * bits of seq
1097 * 2. new_left is set to compensate.
1098 * 3. Zero all bits between top and new_top. Since
1099 * this is a ring, this zeroes everything as-yet
1100 * unseen. Because we always operate on byte
1101 * boundaries, we can zero one byte at a time
1102 */
1109 }
1113 }
1118 }
1120 SECStatus
1122 {
1124 PRIntervalTime elapsed;
1125 PRIntervalTime desired;
1141 /* Timer expired */
1145 }
1148 }