"Liberate" dtls from BN dependency. Fix bug in replay/update.

2025-02-17 14:32:04 +08:00 · 2005-06-07 22:21:14 +00:00 · 2005-06-07 22:21:14 +00:00 · dffdb56b7f
commit dffdb56b7f
parent a78c0632ed
9 changed files with 115 additions and 184 deletions
--- a/crypto/pqueue/pq_compat.h
+++ b/crypto/pqueue/pq_compat.h
@ -1,3 +1,4 @@
 #error "to be deleted"
 /* crypto/pqueue/pqueue_compat.h */
 /* 
 * DTLS implementation written by Nagendra Modadugu
--- a/crypto/pqueue/pqueue.c
+++ b/crypto/pqueue/pqueue.c
@ -68,13 +68,12 @@ typedef struct _pqueue
 	} pqueue_s;
 pitem *
-pitem_new(PQ_64BIT priority, void *data)
+pitem_new(unsigned char *prio64be, void *data)
 	{
 	pitem *item = (pitem *) OPENSSL_malloc(sizeof(pitem));
 	if (item == NULL) return NULL;
-	pq_64bit_init(&(item->priority));
+	memcpy(item->priority,prio64be,sizeof(item->priority));
 	pq_64bit_assign(&item->priority, &priority);
 	item->data = data;
 	item->next = NULL;
@ -87,7 +86,6 @@ pitem_free(pitem *item)
 	{
 	if (item == NULL) return;
 	pq_64bit_free(&(item->priority));
 	OPENSSL_free(item);
 	}
@ -124,7 +122,10 @@ pqueue_insert(pqueue_s *pq, pitem *item)
 		next != NULL;
 		curr = next, next = next->next)
 		{
-		if (pq_64bit_gt(&(next->priority), &(item->priority)))
+		/* we can compare 64-bit value in big-endian encoding
 		 * with memcmp:-) */
 		int cmp = memcmp(next->priority, item->priority,8);
 		if (cmp > 0)		/* next > item */
 			{
 			item->next = next;
@ -135,8 +136,8 @@ pqueue_insert(pqueue_s *pq, pitem *item)
 			return item;
 			}
-		/* duplicates not allowed */
+		
-		if (pq_64bit_eq(&(item->priority), &(next->priority)))
+		else if (cmp == 0)	/* duplicates not allowed */
 			return NULL;
 		}
@ -164,7 +165,7 @@ pqueue_pop(pqueue_s *pq)
 	}
 pitem *
-pqueue_find(pqueue_s *pq, PQ_64BIT priority)
+pqueue_find(pqueue_s *pq, unsigned char *prio64be)
 	{
 	pitem *next, *prev = NULL;
 	pitem *found = NULL;
@ -175,7 +176,7 @@ pqueue_find(pqueue_s *pq, PQ_64BIT priority)
 	for ( next = pq->items; next->next != NULL; 
 		  prev = next, next = next->next)
 		{
-		if ( pq_64bit_eq(&(next->priority), &priority))
+		if ( memcmp(next->priority, prio64be,8) == 0)
 			{
 			found = next;
 			break;
@ -183,7 +184,7 @@ pqueue_find(pqueue_s *pq, PQ_64BIT priority)
 		}
 	/* check the one last node */
-	if ( pq_64bit_eq(&(next->priority), &priority))
+	if ( memcpy(next->priority, prio64be,8) ==0)
 		found = next;
 	if ( ! found)
@ -199,7 +200,6 @@ pqueue_find(pqueue_s *pq, PQ_64BIT priority)
 	return found;
 	}
 #if PQ_64BIT_IS_INTEGER
 void
 pqueue_print(pqueue_s *pq)
 	{
@ -207,11 +207,14 @@ pqueue_print(pqueue_s *pq)
 	while(item != NULL)
 		{
-		printf("item\t%lld\n", item->priority);
+		printf("item\t%02x%02x%02x%02x%02x%02x%02x%02x\n",
 			item->priority[0],item->priority[1],
 			item->priority[2],item->priority[3],
 			item->priority[4],item->priority[5],
 			item->priority[6],item->priority[7]);
 		item = item->next;
 		}
 	}
 #endif
 pitem *
 pqueue_iterator(pqueue_s *pq)
--- a/crypto/pqueue/pqueue.h
+++ b/crypto/pqueue/pqueue.h
@ -64,20 +64,18 @@
 #include <stdlib.h>
 #include <string.h>
 #include <openssl/pq_compat.h>
 typedef struct _pqueue *pqueue;
 typedef struct _pitem
 	{
-	PQ_64BIT priority;
+	unsigned char priority[8]; /* 64-bit value in big-endian encoding */
 	void *data;
 	struct _pitem *next;
 	} pitem;
 typedef struct _pitem *piterator;
-pitem *pitem_new(PQ_64BIT priority, void *data);
+pitem *pitem_new(unsigned char *prio64be, void *data);
 void   pitem_free(pitem *item);
 pqueue pqueue_new(void);
@ -86,7 +84,7 @@ void   pqueue_free(pqueue pq);
 pitem *pqueue_insert(pqueue pq, pitem *item);
 pitem *pqueue_peek(pqueue pq);
 pitem *pqueue_pop(pqueue pq);
-pitem *pqueue_find(pqueue pq, PQ_64BIT priority);
+pitem *pqueue_find(pqueue pq, unsigned char *prio64be);
 pitem *pqueue_iterator(pqueue pq);
 pitem *pqueue_next(piterator *iter);
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@ -442,7 +442,7 @@ dtls1_buffer_handshake_fragment(SSL *s, struct hm_header_st* msg_hdr)
 {
    hm_fragment *frag = NULL;
    pitem *item = NULL;
-	PQ_64BIT seq64;
+    unsigned char seq64be[8];
    frag = dtls1_hm_fragment_new(msg_hdr->frag_len);
    if ( frag == NULL)
@ -453,15 +453,14 @@ dtls1_buffer_handshake_fragment(SSL *s, struct hm_header_st* msg_hdr)
    memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
-    pq_64bit_init(&seq64);
+    memset(seq64be,0,sizeof(seq64be));
-    pq_64bit_assign_word(&seq64, msg_hdr->seq);
+    seq64be[6] = (unsigned char)(msg_hdr->seq>>8);
    seq64be[7] = (unsigned char)(msg_hdr->seq);
-    item = pitem_new(seq64, frag);
+    item = pitem_new(seq64be, frag);
    if ( item == NULL)
        goto err;
    pq_64bit_free(&seq64);
    pqueue_insert(s->d1->buffered_messages, item);
    return 1;
@ -1043,7 +1042,7 @@ dtls1_buffer_message(SSL *s, int is_ccs)
    {
    pitem *item;
    hm_fragment *frag;
-	PQ_64BIT seq64;
+    unsigned char seq64be[8];
    /* this function is called immediately after a message has 
     * been serialized */
@ -1071,11 +1070,11 @@ dtls1_buffer_message(SSL *s, int is_ccs)
    frag->msg_header.frag_len = s->d1->w_msg_hdr.msg_len;
    frag->msg_header.is_ccs = is_ccs;
-    pq_64bit_init(&seq64);
+    memset(seq64be,0,sizeof(seq64be));
-    pq_64bit_assign_word(&seq64, frag->msg_header.seq);
+    seq64be[6] = (unsigned char)(frag->msg_header.seq>>8);
    seq64be[7] = (unsigned char)(frag->msg_header.seq);
-    item = pitem_new(seq64, frag);
+    item = pitem_new(seq64be, frag);
    pq_64bit_free(&seq64);
    if ( item == NULL)
        {
        dtls1_hm_fragment_free(frag);
@ -1101,7 +1100,7 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
    pitem *item;
    hm_fragment *frag ;
    unsigned long header_length;
-	PQ_64BIT seq64;
+    unsigned char seq64be[8];
    /*
      OPENSSL_assert(s->init_num == 0);
@ -1109,11 +1108,11 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
     */
    /* XDTLS:  the requested message ought to be found, otherwise error */
-    pq_64bit_init(&seq64);
+    memset(seq64be,0,sizeof(seq64be));
-    pq_64bit_assign_word(&seq64, seq);
+    seq64be[6] = (unsigned char)(seq>>8);
    seq64be[7] = (unsigned char)seq;
-    item = pqueue_find(s->d1->sent_messages, seq64);
+    item = pqueue_find(s->d1->sent_messages, seq64be);
    pq_64bit_free(&seq64);
    if ( item == NULL)
        {
        fprintf(stderr, "retransmit:  message %d non-existant\n", seq);
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@ -132,16 +132,6 @@ int dtls1_new(SSL *s)
 	memset(d1,0, sizeof *d1);
 	/* d1->handshake_epoch=0; */
 #if defined(OPENSSL_SYS_VMS) || defined(VMS_TEST)
 	d1->bitmap.length=64;
 #else
 	d1->bitmap.length=sizeof(d1->bitmap.map) * 8;
 #endif
 	pq_64bit_init(&(d1->bitmap.map));
 	pq_64bit_init(&(d1->bitmap.max_seq_num));
 	pq_64bit_init(&(d1->next_bitmap.map));
 	pq_64bit_init(&(d1->next_bitmap.max_seq_num));
 	d1->unprocessed_rcds.q=pqueue_new();
 	d1->processed_rcds.q=pqueue_new();
@ -208,12 +198,6 @@ void dtls1_free(SSL *s)
        }
 	pqueue_free(s->d1->sent_messages);
 	pq_64bit_free(&(s->d1->bitmap.map));
 	pq_64bit_free(&(s->d1->bitmap.max_seq_num));
 	pq_64bit_free(&(s->d1->next_bitmap.map));
 	pq_64bit_free(&(s->d1->next_bitmap.max_seq_num));
 	OPENSSL_free(s->d1);
 	}
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@ -121,10 +121,27 @@
 #include <openssl/buffer.h>
 #include <openssl/pqueue.h>
 /* mod 256 saturating subtract of two 64-bit values in big-endian order */
 static int satsub64be(const unsigned char *v1,const unsigned char *v2)
 	{
 	int i;
 	unsigned char c1,c2;
 	for (i=0;i<8;i++,v1++,v2++)
 		{
 		c1=*v1; c2=*v2;
 		if (c1!=c2) break;
 		}
 	if (i==8)	return 0;
 	else if (i==7)	return (int)c1-(int)c2;
 	else if (c1>c2)	return 256;
 	else		return -256;
 	}
 static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, 
 	int len, int peek);
 static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap,
-	PQ_64BIT *seq_num);
+	unsigned char *seq_num);
 static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);
 static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, 
    unsigned int *is_next_epoch);
@ -133,7 +150,7 @@ static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
 	unsigned short *priority, unsigned long *offset);
 #endif
 static int dtls1_buffer_record(SSL *s, record_pqueue *q,
-	PQ_64BIT priority);
+	unsigned char *priority);
 static int dtls1_process_record(SSL *s);
 #if PQ_64BIT_IS_INTEGER
 static PQ_64BIT bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num);
@ -161,9 +178,9 @@ dtls1_copy_record(SSL *s, pitem *item)
 static int
-dtls1_buffer_record(SSL *s, record_pqueue *queue, PQ_64BIT priority)
+dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
-{
+	{
-    DTLS1_RECORD_DATA *rdata;
+	DTLS1_RECORD_DATA *rdata;
 	pitem *item;
 	rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
@ -200,7 +217,7 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, PQ_64BIT priority)
 	ssl3_setup_buffers(s);
 	return(1);
-    }
+	}
 static int
@ -482,15 +499,15 @@ int dtls1_get_record(SSL *s)
 	unsigned char *p;
 	short version;
 	DTLS1_BITMAP *bitmap;
-    unsigned int is_next_epoch;
+	unsigned int is_next_epoch;
 	rr= &(s->s3->rrec);
 	sess=s->session;
-    /* The epoch may have changed.  If so, process all the
+	/* The epoch may have changed.  If so, process all the
-     * pending records.  This is a non-blocking operation. */
+	 * pending records.  This is a non-blocking operation. */
-    if ( ! dtls1_process_buffered_records(s))
+	if ( ! dtls1_process_buffered_records(s))
-        return 0;
+            return 0;
 	/* if we're renegotiating, then there may be buffered records */
 	if (dtls1_get_processed_record(s))
@ -518,7 +535,7 @@ again:
 		ssl_minor= *(p++);
 		version=(ssl_major<<8)|ssl_minor;
-        /* sequence number is 64 bits, with top 2 bytes = epoch */ 
+		/* sequence number is 64 bits, with top 2 bytes = epoch */ 
 		n2s(p,rr->epoch);
 		memcpy(&(s->s3->read_sequence[2]), p, 6);
@ -590,7 +607,7 @@ again:
 		}
 	/* check whether this is a repeat, or aged record */
-	if ( ! dtls1_record_replay_check(s, bitmap, &(rr->seq_num)))
+	if ( ! dtls1_record_replay_check(s, bitmap, rr->seq_num))
 		{
 		s->packet_length=0; /* dump this record */
 		goto again;     /* get another record */
@ -599,20 +616,21 @@ again:
 	/* just read a 0 length packet */
 	if (rr->length == 0) goto again;
-    /* If this record is from the next epoch (either HM or ALERT), buffer it
+	/* If this record is from the next epoch (either HM or ALERT),
-     * since it cannot be processed at this time.
+	 * buffer it since it cannot be processed at this time. Records
-     * Records from the next epoch are marked as received even though they are 
+	 * from the next epoch are marked as received even though they
-     * not processed, so as to prevent any potential resource DoS attack */
+	 * are not processed, so as to prevent any potential resource
-    if (is_next_epoch)
+	 * DoS attack */
-        {
+	if (is_next_epoch)
-        dtls1_record_bitmap_update(s, bitmap);
+		{
-        dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
+		dtls1_record_bitmap_update(s, bitmap);
-        s->packet_length = 0;
+		dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
-        goto again;
+		s->packet_length = 0;
-        }
+		goto again;
 		}
-    if ( ! dtls1_process_record(s))
+	if ( ! dtls1_process_record(s))
-        return(0);
+		return(0);
 	dtls1_clear_timeouts(s);  /* done waiting */
 	return(1);
@ -1451,110 +1469,49 @@ err:
 static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap,
-	PQ_64BIT *seq_num)
+	unsigned char *seq_num)
 	{
-#if PQ_64BIT_IS_INTEGER
+	int cmp;
-	PQ_64BIT mask = 0x0000000000000001L;
+	unsigned int shift;
-#endif
+	const unsigned char *seq = s->s3->read_sequence;
 	PQ_64BIT rcd_num, tmp;
-	pq_64bit_init(&rcd_num);
+	cmp = satsub64be(seq,bitmap->max_seq_num);
-	pq_64bit_init(&tmp);
+	if (cmp > 0)
 	/* this is the sequence number for the record just read */
 	pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8);
 	if (pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) ||
 		pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num)))
 		{
-		pq_64bit_assign(seq_num, &rcd_num);
+		memcpy (seq_num,seq,8);
-		pq_64bit_free(&rcd_num);
+		return 1; /* this record in new */
 		pq_64bit_free(&tmp);
 		return 1;  /* this record is new */
 		}
-
+	shift = -cmp;
-	pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num);
+	if (shift >= sizeof(bitmap->map)*8)
-
+		return 0; /* stale, outside the window */
-	if ( pq_64bit_get_word(&tmp) > bitmap->length)
+	else if (bitmap->map & (1UL<<shift))
 		{
 		pq_64bit_free(&rcd_num);
 		pq_64bit_free(&tmp);
 		return 0;  /* stale, outside the window */
 		}
 #if PQ_64BIT_IS_BIGNUM
 	{
 	int offset;
 	pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num);
 	pq_64bit_sub_word(&tmp, 1);
 	offset = pq_64bit_get_word(&tmp);
 	if ( pq_64bit_is_bit_set(&(bitmap->map), offset))
 		{
 		pq_64bit_free(&rcd_num);
 		pq_64bit_free(&tmp);
 		return 0;
 		}
 	}
 #else
 	mask <<= (bitmap->max_seq_num - rcd_num - 1);
 	if (bitmap->map & mask)
 		return 0; /* record previously received */
-#endif
+
 	pq_64bit_assign(seq_num, &rcd_num);
 	pq_64bit_free(&rcd_num);
 	pq_64bit_free(&tmp);
 	return 1;
 	}
 static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap)
 	{
 	int cmp;
 	unsigned int shift;
-	PQ_64BIT rcd_num;
+	const unsigned char *seq = s->s3->read_sequence;
 	PQ_64BIT tmp;
 	PQ_64BIT_CTX *ctx;
-	pq_64bit_init(&rcd_num);
+	cmp = satsub64be(seq,bitmap->max_seq_num);
-	pq_64bit_init(&tmp);
+	if (cmp > 0)
 	pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8);
 	/* unfortunate code complexity due to 64-bit manipulation support
 	 * on 32-bit machines */
 	if ( pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) ||
 		pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num)))
 		{
-		pq_64bit_sub(&tmp, &rcd_num, &(bitmap->max_seq_num));
+		shift = cmp;
-		pq_64bit_add_word(&tmp, 1);
+		if (shift < sizeof(bitmap->map)*8)
-
+			bitmap->map <<= shift, bitmap->map |= 1UL;
-		shift = (unsigned int)pq_64bit_get_word(&tmp);
+		else
-
+			bitmap->map = 1UL;
-		pq_64bit_lshift(&(tmp), &(bitmap->map), shift);
+		memcpy(bitmap->max_seq_num,seq,8);
 		pq_64bit_assign(&(bitmap->map), &tmp);
 		pq_64bit_set_bit(&(bitmap->map), 0);
 		pq_64bit_add_word(&rcd_num, 1);
 		pq_64bit_assign(&(bitmap->max_seq_num), &rcd_num);
 		pq_64bit_assign_word(&tmp, 1);
 		pq_64bit_lshift(&tmp, &tmp, bitmap->length);
 		ctx = pq_64bit_ctx_new(&ctx);
 		pq_64bit_mod(&(bitmap->map), &(bitmap->map), &tmp, ctx);
 		pq_64bit_ctx_free(ctx);
 		}
-	else
+	else	{
-		{
+		shift = -cmp;
-		pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num);
+		if (shift < sizeof(bitmap->map)*8)
-		pq_64bit_sub_word(&tmp, 1);
+			bitmap->map |= 1UL<<shift;
 		shift = (unsigned int)pq_64bit_get_word(&tmp);
 		pq_64bit_set_bit(&(bitmap->map), shift);
 		}
 	pq_64bit_free(&rcd_num);
 	pq_64bit_free(&tmp);
 	}
@ -1715,17 +1672,8 @@ dtls1_reset_seq_numbers(SSL *s, int rw)
 		{
 		seq = s->s3->read_sequence;
 		s->d1->r_epoch++;
-
+		memcpy(&(s->d1->bitmap), &(s->d1->next_bitmap), sizeof(DTLS1_BITMAP));
 		pq_64bit_assign(&(s->d1->bitmap.map), &(s->d1->next_bitmap.map));
 		s->d1->bitmap.length = s->d1->next_bitmap.length;
 		pq_64bit_assign(&(s->d1->bitmap.max_seq_num), 
 			&(s->d1->next_bitmap.max_seq_num));
 		pq_64bit_free(&(s->d1->next_bitmap.map));
 		pq_64bit_free(&(s->d1->next_bitmap.max_seq_num));
 		memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP));
 		pq_64bit_init(&(s->d1->next_bitmap.map));
 		pq_64bit_init(&(s->d1->next_bitmap.max_seq_num));
 		}
 	else
 		{
--- a/ssl/dtls1.h
+++ b/ssl/dtls1.h
@ -90,9 +90,11 @@ extern "C" {
 typedef struct dtls1_bitmap_st
 	{
-	PQ_64BIT map;
+	unsigned long map;		/* track 32 packets on 32-bit systems
-	unsigned long length;     /* sizeof the bitmap in bits */
+					   and 64 - on 64-bit systems */
-	PQ_64BIT max_seq_num;  /* max record number seen so far */
+	unsigned char max_seq_num[8];	/* max record number seen so far,
 					   64-bit value in big-endian
 					   encoding */
 	} DTLS1_BITMAP;
 struct hm_header_st
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@ -128,7 +128,6 @@
 #include "kssl_lcl.h"
 #include <openssl/md5.h>
 #include <openssl/dh.h>
 #include <openssl/pq_compat.h>
 const char *ssl3_version_str="SSLv3" OPENSSL_VERSION_PTEXT;
@ -1442,8 +1441,8 @@ int ssl3_new(SSL *s)
 	memset(s3,0,sizeof *s3);
 	EVP_MD_CTX_init(&s3->finish_dgst1);
 	EVP_MD_CTX_init(&s3->finish_dgst2);
-	pq_64bit_init(&(s3->rrec.seq_num));
+	memset(s3->rrec.seq_num,0,sizeof(s3->rrec.seq_num));
-	pq_64bit_init(&(s3->wrec.seq_num));
+	memset(s3->wrec.seq_num,0,sizeof(s3->wrec.seq_num));
 	s->s3=s3;
@ -1478,8 +1477,6 @@ void ssl3_free(SSL *s)
 		sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free);
 	EVP_MD_CTX_cleanup(&s->s3->finish_dgst1);
 	EVP_MD_CTX_cleanup(&s->s3->finish_dgst2);
 	pq_64bit_free(&(s->s3->rrec.seq_num));
 	pq_64bit_free(&(s->s3->wrec.seq_num));
 	OPENSSL_cleanse(s->s3,sizeof *s->s3);
 	OPENSSL_free(s->s3);
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@ -123,7 +123,6 @@
 #include <openssl/buffer.h>
 #include <openssl/evp.h>
 #include <openssl/ssl.h>
 #include <openssl/pq_compat.h>
 #ifdef  __cplusplus
 extern "C" {
@ -296,7 +295,7 @@ typedef struct ssl3_record_st
 /*rw*/	unsigned char *input;   /* where the decode bytes are */
 /*r */	unsigned char *comp;    /* only used with decompression - malloc()ed */
 /*r */  unsigned long epoch;    /* epoch number, needed by DTLS1 */
-/*r */  PQ_64BIT seq_num;       /* sequence number, needed by DTLS1 */
+/*r */  unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */
 	} SSL3_RECORD;
 typedef struct ssl3_buffer_st