| blob | 78371e62a6c02228002b06a3ec5e19317297b7ef |
1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
5 /*
6 * DTLS Protocol
7 */
13 #ifndef PR_ARRAY_SIZE
14 #define PR_ARRAY_SIZE(a) (sizeof(a)/sizeof((a)[0]))
15 #endif
21 /* -28 adjusts for the IP/UDP header */
27 };
29 #define DTLS_COOKIE_BYTES 32
31 /* List copied from ssl3con.c:cipherSuites */
33 #ifdef NSS_ENABLE_ECC
34 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
35 TLS_ECDHE_RSA_WITH_RC4_128_SHA,
37 TLS_DHE_DSS_WITH_RC4_128_SHA,
38 #ifdef NSS_ENABLE_ECC
39 TLS_ECDH_RSA_WITH_RC4_128_SHA,
40 TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
42 SSL_RSA_WITH_RC4_128_MD5,
43 SSL_RSA_WITH_RC4_128_SHA,
44 TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
45 SSL_RSA_EXPORT_WITH_RC4_40_MD5,
47 };
49 /* Map back and forth between TLS and DTLS versions in wire format.
50 * Mapping table is:
51 *
52 * TLS DTLS
53 * 1.1 (0302) 1.0 (feff)
54 */
55 SSL3ProtocolVersion
57 {
58 /* Anything other than TLS 1.1 is an error, so return
59 * the invalid version ffff. */
64 }
66 /* Map known DTLS versions to known TLS versions.
67 * - Invalid versions (< 1.0) return a version of 0
68 * - Versions > known return a version one higher than we know of
69 * to accomodate a theoretically newer version */
70 SSL3ProtocolVersion
72 {
75 }
80 /* Return a fictional higher version than we know of */
82 }
84 /* On this socket, Disable non-DTLS cipher suites in the argument's list */
85 SECStatus
87 {
94 }
96 }
98 /* Allocate a DTLSQueuedMessage.
99 *
100 * Called from dtls_QueueMessage()
101 */
105 {
116 }
124 }
126 /*
127 * Free a handshake message
128 *
129 * Called from dtls_FreeHandshakeMessages()
130 */
131 static void
133 {
139 }
141 /*
142 * Free a list of handshake messages
143 *
144 * Called from:
145 * dtls_HandleHandshake()
146 * ssl3_DestroySSL3Info()
147 */
148 void
150 {
157 }
158 }
160 /* Called only from ssl3_HandleRecord, for each (deciphered) DTLS record.
161 * origBuf is the decrypted ssl record content and is expected to contain
162 * complete handshake records
163 * Caller must hold the handshake and RecvBuf locks.
164 *
165 * Note that this code uses msg_len for two purposes:
166 *
167 * (1) To pass the length to ssl3_HandleHandshakeMessage()
168 * (2) To carry the length of a message currently being reassembled
169 *
170 * However, unlike ssl3_HandleHandshake(), it is not used to carry
171 * the state of reassembly (i.e., whether one is in progress). That
172 * is carried in recvdHighWater and recvdFragments.
173 */
174 #define OFFSET_BYTE(o) (o/8)
175 #define OFFSET_MASK(o) (1 << (o%8))
177 SECStatus
179 {
180 /* XXX OK for now.
181 * This doesn't work properly with asynchronous certificate validation.
182 * because that returns a WOULDBLOCK error. The current DTLS
183 * applications do not need asynchronous validation, but in the
184 * future we will need to add this.
185 */
193 PRUint8 type;
194 PRUint32 message_length;
195 PRUint16 message_seq;
196 PRUint32 fragment_offset;
197 PRUint32 fragment_length;
198 PRUint32 offset;
204 }
206 /* Parse the header */
218 }
219 #undef MAX_HANDSHAKE_MSG_LEN
224 /* This fragment must be complete */
229 }
231 /* Sanity check the packet contents */
236 }
238 /* There are three ways we could not be ready for this packet.
239 *
240 * 1. It's a partial next message.
241 * 2. It's a partial or complete message beyond the next
242 * 3. It's a message we've already seen
243 *
244 * If it's the complete next message we accept it right away.
245 * This is the common case for short messages
246 */
250 /* Complete next message. Process immediately */
254 /* At this point we are advancing our state machine, so
255 * we can free our last flight of messages */
260 /* Reset the timer to the initial value if the retry counter
261 * is 0, per Sec. 4.2.4.1 */
264 }
268 /* Do not attempt to process rest of messages in this record */
270 }
273 /* Case 3: we do an immediate retransmit if we're
274 * in a waiting state*/
276 /* Ignore */
278 dtls_RetransmitTimerExpiredCb) {
281 /* Check to see if we retransmitted recently. If so,
282 * suppress the triggered retransmit. This avoids
283 * retransmit wars after packet loss.
284 * This is not in RFC 5346 but should be
285 */
292 /* Cancel the timer and call the CB,
293 * which re-arms the timer */
304 }
306 /* Retransmit the messages and re-arm the timer
307 * Note that we are not backing off the timer here.
308 * The spec isn't clear and my reasoning is that this
309 * may be a re-ordered packet rather than slowness,
310 * so let's be aggressive. */
315 }
319 }
321 /* Case 2
322 *
323 * Ignore this message. This means we don't handle out of
324 * order complete messages that well, but we're still
325 * compliant and this probably does not happen often
326 *
327 * XXX OK for now. Maybe do something smarter at some point?
328 */
330 /* Case 1
331 *
332 * Buffer the fragment for reassembly
333 */
334 /* Make room for the message */
341 /* Make room for the fragment map */
343 map_length);
347 /* Reset the reassembly map */
353 }
355 /* If we have a message length mismatch, abandon the reassembly
356 * in progress and hope that the next retransmit will give us
357 * something sane
358 */
364 }
366 /* Now copy this fragment into the buffer */
372 /* This logic is a bit tricky. We have two values for
373 * reassembly state:
374 *
375 * - recvdHighWater contains the highest contiguous number of
376 * bytes received
377 * - recvdFragments contains a bitmask of packets received
378 * above recvdHighWater
379 *
380 * This avoids having to fill in the bitmask in the common
381 * case of adjacent fragments received in sequence
382 */
384 /* Either this is the adjacent fragment or an overlapping
385 * fragment */
387 fragment_length;
391 offset++) {
394 }
395 }
397 /* Now figure out the new high water mark if appropriate */
400 /* Note that this loop is not efficient, since it counts
401 * bit by bit. If we have a lot of out-of-order packets,
402 * we should optimize this */
408 }
409 }
411 /* If we have all the bytes, then we are good to go */
421 /* At this point we are advancing our state machine, so
422 * we can free our last flight of messages */
426 /* If there have been no retries this time, reset the
427 * timer value to the default per Section 4.2.4.1 */
430 }
431 }
432 }
433 }
437 }
441 /* XXX OK for now. In future handle rv == SECWouldBlock safely in order
442 * to deal with asynchronous certificate verification */
444 }
446 /* Enqueue a message (either handshake or CCS)
447 *
448 * Called from:
449 * dtls_StageHandshakeMessage()
450 * ssl3_SendChangeCipherSpecs()
451 */
454 {
468 }
471 }
473 /* Add DTLS handshake message to the pending queue
474 * Empty the sendBuf buffer.
475 * This function returns SECSuccess or SECFailure, never SECWouldBlock.
476 * Always set sendBuf.len to 0, even when returning SECFailure.
477 *
478 * Called from:
479 * ssl3_AppendHandshakeHeader()
480 * dtls_FlushHandshake()
481 */
482 SECStatus
484 {
490 /* This function is sometimes called when no data is actually to
491 * be staged, so just return SECSuccess. */
498 /* Whether we succeeded or failed, toss the old handshake data. */
501 }
503 /* Enqueue the handshake message in sendBuf (if any) and then
504 * transmit the resulting flight of handshake messages.
505 *
506 * Called from:
507 * ssl3_FlushHandshake()
508 */
509 SECStatus
511 {
529 }
530 }
533 }
535 /* The callback for when the retransmit timer expires
536 *
537 * Called from:
538 * dtls_CheckTimer()
539 * dtls_HandleHandshake()
540 */
541 static void
543 {
549 /* If one of the messages was potentially greater than > MTU,
550 * then downgrade. Do this every time we have retransmitted a
551 * message twice, per RFC 6347 Sec. 4.1.1 */
553 }
558 /* Re-arm the timer */
560 }
563 /* XXX OK for now. In future maybe signal the stack that we couldn't
564 * transmit. For now, let the read handle any real network errors */
565 }
566 }
568 /* Transmit a flight of handshake messages, stuffing them
569 * into as few records as seems reasonable
570 *
571 * Called from:
572 * dtls_FlushHandshake()
573 * dtls_RetransmitTimerExpiredCb()
574 */
575 static SECStatus
577 {
581 PRInt32 sent;
586 /* DTLS does not buffer its handshake messages in
587 * ss->pendingBuf, but rather in the lastMessageFlight
588 * structure. This is just a sanity check that
589 * some programming error hasn't inadvertantly
590 * stuffed something in ss->pendingBuf
591 */
598 /* The logic here is:
599 *
600 * 1. If this is a message that will not fit into the remaining
601 * space, then flush.
602 * 2. If the message will now fit into the remaining space,
603 * encrypt, buffer, and loop.
604 * 3. If the message will not fit, then fragment.
605 *
606 * At the end of the function, flush.
607 */
609 /* The message will not fit into the remaining space, so flush */
615 }
618 /* The message will fit, so encrypt and then continue with the
619 * next packet */
622 ssl_SEND_FLAG_FORCE_INTO_BUFFER |
623 ssl_SEND_FLAG_USE_EPOCH);
628 }
630 }
634 /* The message will not fit, so fragment.
635 *
636 * XXX OK for now. Arrange to coalesce the last fragment
637 * of this message with the next message if possible.
638 * That would be more efficient.
639 */
642 * plausible MTU */
644 /* Assert that we have already flushed */
647 /* Case 3: We now need to fragment this message
648 * DTLS only supports fragmenting handshaking messages */
651 /* The headers consume 12 bytes so the smalles possible
652 * message (i.e., an empty one) is 12 bytes
653 */
657 PRUint32 fragment_len;
661 /* The reason we use 8 here is that that's the length of
662 * the new DTLS data that we add to the header */
666 /* Make totally sure that we are within the buffer.
667 * Note that the only way that fragment len could get
668 * adjusted here is if
669 *
670 * (a) we are in release mode so the PORT_Assert is compiled out
671 * (b) either the MTU table is inconsistent with DTLS_MAX_MTU
672 * or ss->ssl3.mtu has become corrupt.
673 */
676 /* Construct an appropriate-sized fragment */
677 /* Type, length, sequence */
680 /* Offset */
685 /* Fragment length */
691 fragment_len);
693 /*
694 * Send the record. We do this in two stages
695 * 1. Encrypt
696 */
699 ssl_SEND_FLAG_FORCE_INTO_BUFFER |
700 ssl_SEND_FLAG_USE_EPOCH);
705 }
707 }
709 /* 2. Flush */
715 }
716 }
717 }
719 /* Finally, we need to flush */
723 /* Give up the locks */
728 }
730 /* Flush the data in the pendingBuf and update the max message sent
731 * so we can adjust the MTU estimate if we need to.
732 * Wrapper for ssl_SendSavedWriteData.
733 *
734 * Called from dtls_TransmitMessageFlight()
735 */
736 static
738 {
739 PRInt32 sent;
745 /* We should always have complete writes b/c datagram sockets
746 * don't really block */
750 }
752 /* Update the largest message sent so we can adjust the MTU
753 * estimate if necessary */
758 }
760 /* Compress, MAC, encrypt a DTLS record. Allows specification of
761 * the epoch using epoch value. If use_epoch is PR_TRUE then
762 * we use the provided epoch. If use_epoch is PR_FALSE then
763 * whatever the current value is in effect is used.
764 *
765 * Called from ssl3_SendRecord()
766 */
767 SECStatus
769 DTLSEpoch epoch,
770 PRBool use_epoch,
771 SSL3ContentType type,
773 PRUint32 contentLen,
775 {
781 /* The reason for this switch-hitting code is that we might have
782 * a flight of records spanning an epoch boundary, e.g.,
783 *
784 * ClientKeyExchange (epoch = 0)
785 * ChangeCipherSpec (epoch = 0)
786 * Finished (epoch = 1)
787 *
788 * Thus, each record needs a different cipher spec. The information
789 * about which epoch to use is carried with the record.
790 */
796 else
800 }
805 wrBuf);
809 }
813 }
815 /* Start a timer
816 *
817 * Called from:
818 * dtls_HandleHandshake()
819 * dtls_FlushHAndshake()
820 * dtls_RestartTimer()
821 */
822 SECStatus
824 {
831 }
833 /* Restart a timer with optional backoff
834 *
835 * Called from dtls_RetransmitTimerExpiredCb()
836 */
837 SECStatus
839 {
844 }
847 }
849 /* Cancel a pending timer
850 *
851 * Called from:
852 * dtls_HandleHandshake()
853 * dtls_CheckTimer()
854 */
855 void
857 {
861 }
863 /* Check the pending timer and fire the callback if it expired
864 *
865 * Called from ssl3_GatherCompleteHandshake()
866 */
867 void
869 {
875 /* Timer has expired */
878 /* Cancel the timer so that we can call the CB safely */
881 /* Now call the CB */
883 }
884 }
886 /* The callback to fire when the holddown timer for the Finished
887 * message expires and we can delete it
888 *
889 * Called from dtls_CheckTimer()
890 */
891 void
893 {
895 }
897 /* Cancel the Finished hold-down timer and destroy the
898 * pending cipher spec. Note that this means that
899 * successive rehandshakes will fail if the Finished is
900 * lost.
901 *
902 * XXX OK for now. Figure out how to handle the combination
903 * of Finished lost and rehandshake
904 */
905 void
907 {
912 }
914 /* Set the MTU to the next step less than or equal to the
915 * advertised value. Also used to downgrade the MTU by
916 * doing dtls_SetMTU(ss, biggest packet set).
917 *
918 * Passing 0 means set this to the largest MTU known
919 * (effectively resetting the PMTU backoff value).
920 *
921 * Called by:
922 * ssl3_InitState()
923 * dtls_RetransmitTimerExpiredCb()
924 */
925 void
927 {
934 }
941 }
942 }
944 /* Fallback */
947 }
949 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a
950 * DTLS hello_verify_request
951 * Caller must hold Handshake and RecvBuf locks.
952 */
953 SECStatus
955 {
957 SECStatus rv;
958 PRInt32 temp;
971 }
973 /* The version */
977 }
980 /* Note: this will need adjustment for DTLS 1.2 per Section 4.2.1 */
982 }
984 /* The cookie */
988 }
992 }
1000 /* Now re-send the client hello */
1008 alert_loser:
1011 loser:
1014 }
1016 /* Initialize the DTLS anti-replay window
1017 *
1018 * Called from:
1019 * ssl3_SetupPendingCipherSpec()
1020 * ssl3_InitCipherSpec()
1021 */
1022 void
1024 {
1028 }
1030 /*
1031 * Has this DTLS record been received? Return values are:
1032 * -1 -- out of range to the left
1033 * 0 -- not received yet
1034 * 1 -- replay
1035 *
1036 * Called from: dtls_HandleRecord()
1037 */
1038 int
1040 {
1041 PRUint64 offset;
1043 /* Out of range to the left */
1046 }
1048 /* Out of range to the right; since we advance the window on
1049 * receipt, that means that this packet has not been received
1050 * yet */
1057 }
1059 /* Update the DTLS anti-replay window
1060 *
1061 * Called from ssl3_HandleRecord()
1062 */
1063 void
1065 {
1066 PRUint64 offset;
1072 PRUint64 new_left;
1073 PRUint64 new_right;
1074 PRUint64 right;
1076 /* Slide to the right; this is the tricky part
1077 *
1078 * 1. new_top is set to have room for seq, on the
1079 * next byte boundary by setting the right 8
1080 * bits of seq
1081 * 2. new_left is set to compensate.
1082 * 3. Zero all bits between top and new_top. Since
1083 * this is a ring, this zeroes everything as-yet
1084 * unseen. Because we always operate on byte
1085 * boundaries, we can zero one byte at a time
1086 */
1093 }
1097 }
1102 }
1104 SECStatus
1106 {
1108 PRIntervalTime elapsed;
1109 PRIntervalTime desired;
1125 /* Timer expired */
1129 }
1132 }