ssl/libssl/src/d1_pkt.c
changeset 0 e4d67989cc36
equal deleted inserted replaced
-1:000000000000 0:e4d67989cc36
       
     1 /* ssl/d1_pkt.c */
       
     2 /* 
       
     3  * DTLS implementation written by Nagendra Modadugu
       
     4  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
       
     5  */
       
     6 /* ====================================================================
       
     7  * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
       
     8  *
       
     9  * Redistribution and use in source and binary forms, with or without
       
    10  * modification, are permitted provided that the following conditions
       
    11  * are met:
       
    12  *
       
    13  * 1. Redistributions of source code must retain the above copyright
       
    14  *    notice, this list of conditions and the following disclaimer. 
       
    15  *
       
    16  * 2. Redistributions in binary form must reproduce the above copyright
       
    17  *    notice, this list of conditions and the following disclaimer in
       
    18  *    the documentation and/or other materials provided with the
       
    19  *    distribution.
       
    20  *
       
    21  * 3. All advertising materials mentioning features or use of this
       
    22  *    software must display the following acknowledgment:
       
    23  *    "This product includes software developed by the OpenSSL Project
       
    24  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
       
    25  *
       
    26  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
       
    27  *    endorse or promote products derived from this software without
       
    28  *    prior written permission. For written permission, please contact
       
    29  *    openssl-core@openssl.org.
       
    30  *
       
    31  * 5. Products derived from this software may not be called "OpenSSL"
       
    32  *    nor may "OpenSSL" appear in their names without prior written
       
    33  *    permission of the OpenSSL Project.
       
    34  *
       
    35  * 6. Redistributions of any form whatsoever must retain the following
       
    36  *    acknowledgment:
       
    37  *    "This product includes software developed by the OpenSSL Project
       
    38  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
       
    39  *
       
    40  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
       
    41  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
       
    42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
       
    43  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
       
    44  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
       
    45  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
       
    46  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
       
    47  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
       
    48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
       
    49  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
       
    50  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
       
    51  * OF THE POSSIBILITY OF SUCH DAMAGE.
       
    52  * ====================================================================
       
    53  *
       
    54  * This product includes cryptographic software written by Eric Young
       
    55  * (eay@cryptsoft.com).  This product includes software written by Tim
       
    56  * Hudson (tjh@cryptsoft.com).
       
    57  *
       
    58  */
       
    59 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
       
    60  * All rights reserved.
       
    61  *
       
    62  * This package is an SSL implementation written
       
    63  * by Eric Young (eay@cryptsoft.com).
       
    64  * The implementation was written so as to conform with Netscapes SSL.
       
    65  * 
       
    66  * This library is free for commercial and non-commercial use as long as
       
    67  * the following conditions are aheared to.  The following conditions
       
    68  * apply to all code found in this distribution, be it the RC4, RSA,
       
    69  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
       
    70  * included with this distribution is covered by the same copyright terms
       
    71  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
       
    72  * 
       
    73  * Copyright remains Eric Young's, and as such any Copyright notices in
       
    74  * the code are not to be removed.
       
    75  * If this package is used in a product, Eric Young should be given attribution
       
    76  * as the author of the parts of the library used.
       
    77  * This can be in the form of a textual message at program startup or
       
    78  * in documentation (online or textual) provided with the package.
       
    79  * 
       
    80  * Redistribution and use in source and binary forms, with or without
       
    81  * modification, are permitted provided that the following conditions
       
    82  * are met:
       
    83  * 1. Redistributions of source code must retain the copyright
       
    84  *    notice, this list of conditions and the following disclaimer.
       
    85  * 2. Redistributions in binary form must reproduce the above copyright
       
    86  *    notice, this list of conditions and the following disclaimer in the
       
    87  *    documentation and/or other materials provided with the distribution.
       
    88  * 3. All advertising materials mentioning features or use of this software
       
    89  *    must display the following acknowledgement:
       
    90  *    "This product includes cryptographic software written by
       
    91  *     Eric Young (eay@cryptsoft.com)"
       
    92  *    The word 'cryptographic' can be left out if the rouines from the library
       
    93  *    being used are not cryptographic related :-).
       
    94  * 4. If you include any Windows specific code (or a derivative thereof) from 
       
    95  *    the apps directory (application code) you must include an acknowledgement:
       
    96  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
       
    97  * 
       
    98  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
       
    99  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
       
   100  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
       
   101  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
       
   102  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
       
   103  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
       
   104  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
       
   105  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
       
   106  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
       
   107  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
       
   108  * SUCH DAMAGE.
       
   109  * 
       
   110  * The licence and distribution terms for any publically available version or
       
   111  * derivative of this code cannot be changed.  i.e. this code cannot simply be
       
   112  * copied and put under another distribution licence
       
   113  * [including the GNU Public Licence.]
       
   114  */
       
   115 
       
   116 #include <stdio.h>
       
   117 #include <errno.h>
       
   118 #define USE_SOCKETS
       
   119 #include "ssl_locl.h"
       
   120 #include <openssl/evp.h>
       
   121 #include <openssl/buffer.h>
       
   122 #include <openssl/pqueue.h>
       
   123 #include <openssl/rand.h>
       
   124 
       
   125 static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, 
       
   126 	int len, int peek);
       
   127 static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap,
       
   128 	PQ_64BIT *seq_num);
       
   129 static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);
       
   130 static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, 
       
   131     unsigned int *is_next_epoch);
       
   132 #if 0
       
   133 static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
       
   134 	unsigned short *priority, unsigned long *offset);
       
   135 #endif
       
   136 static int dtls1_buffer_record(SSL *s, record_pqueue *q,
       
   137 	PQ_64BIT priority);
       
   138 static int dtls1_process_record(SSL *s);
       
   139 #if PQ_64BIT_IS_INTEGER
       
   140 static PQ_64BIT bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num);
       
   141 #endif
       
   142 static void dtls1_clear_timeouts(SSL *s);
       
   143 
       
   144 /* copy buffered record into SSL structure */
       
   145 static int
       
   146 dtls1_copy_record(SSL *s, pitem *item)
       
   147     {
       
   148     DTLS1_RECORD_DATA *rdata;
       
   149 
       
   150     rdata = (DTLS1_RECORD_DATA *)item->data;
       
   151     
       
   152     if (s->s3->rbuf.buf != NULL)
       
   153         OPENSSL_free(s->s3->rbuf.buf);
       
   154     
       
   155     s->packet = rdata->packet;
       
   156     s->packet_length = rdata->packet_length;
       
   157     memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
       
   158     memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
       
   159     
       
   160     return(1);
       
   161     }
       
   162 
       
   163 
       
   164 static int
       
   165 dtls1_buffer_record(SSL *s, record_pqueue *queue, PQ_64BIT priority)
       
   166 {
       
   167     DTLS1_RECORD_DATA *rdata;
       
   168 	pitem *item;
       
   169 
       
   170 	rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
       
   171 	item = pitem_new(priority, rdata);
       
   172 	if (rdata == NULL || item == NULL)
       
   173 		{
       
   174 		if (rdata != NULL) OPENSSL_free(rdata);
       
   175 		if (item != NULL) pitem_free(item);
       
   176 		
       
   177 		SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
       
   178 		return(0);
       
   179 		}
       
   180 	
       
   181 	rdata->packet = s->packet;
       
   182 	rdata->packet_length = s->packet_length;
       
   183 	memcpy(&(rdata->rbuf), &(s->s3->rbuf), sizeof(SSL3_BUFFER));
       
   184 	memcpy(&(rdata->rrec), &(s->s3->rrec), sizeof(SSL3_RECORD));
       
   185 
       
   186 	item->data = rdata;
       
   187 
       
   188 	/* insert should not fail, since duplicates are dropped */
       
   189 	if (pqueue_insert(queue->q, item) == NULL)
       
   190 		{
       
   191 		OPENSSL_free(rdata);
       
   192 		pitem_free(item);
       
   193 		return(0);
       
   194 		}
       
   195 
       
   196 	s->packet = NULL;
       
   197 	s->packet_length = 0;
       
   198 	memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));
       
   199 	memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD));
       
   200 	
       
   201 	if (!ssl3_setup_buffers(s))
       
   202 		{
       
   203 		SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
       
   204 		OPENSSL_free(rdata);
       
   205 		pitem_free(item);
       
   206 		return(0);
       
   207 		}
       
   208 	
       
   209 	return(1);
       
   210     }
       
   211 
       
   212 
       
   213 static int
       
   214 dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue)
       
   215     {
       
   216     pitem *item;
       
   217 
       
   218     item = pqueue_pop(queue->q);
       
   219     if (item)
       
   220         {
       
   221         dtls1_copy_record(s, item);
       
   222 
       
   223         OPENSSL_free(item->data);
       
   224 		pitem_free(item);
       
   225 
       
   226         return(1);
       
   227         }
       
   228 
       
   229     return(0);
       
   230     }
       
   231 
       
   232 
       
   233 /* retrieve a buffered record that belongs to the new epoch, i.e., not processed 
       
   234  * yet */
       
   235 #define dtls1_get_unprocessed_record(s) \
       
   236                    dtls1_retrieve_buffered_record((s), \
       
   237                    &((s)->d1->unprocessed_rcds))
       
   238 
       
   239 /* retrieve a buffered record that belongs to the current epoch, ie, processed */
       
   240 #define dtls1_get_processed_record(s) \
       
   241                    dtls1_retrieve_buffered_record((s), \
       
   242                    &((s)->d1->processed_rcds))
       
   243 
       
   244 static int
       
   245 dtls1_process_buffered_records(SSL *s)
       
   246     {
       
   247     pitem *item;
       
   248     
       
   249     item = pqueue_peek(s->d1->unprocessed_rcds.q);
       
   250     if (item)
       
   251         {
       
   252         DTLS1_RECORD_DATA *rdata;
       
   253         rdata = (DTLS1_RECORD_DATA *)item->data;
       
   254         
       
   255         /* Check if epoch is current. */
       
   256         if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch)
       
   257             return(1);  /* Nothing to do. */
       
   258         
       
   259         /* Process all the records. */
       
   260         while (pqueue_peek(s->d1->unprocessed_rcds.q))
       
   261             {
       
   262             dtls1_get_unprocessed_record(s);
       
   263             if ( ! dtls1_process_record(s))
       
   264                 return(0);
       
   265             dtls1_buffer_record(s, &(s->d1->processed_rcds), 
       
   266                 s->s3->rrec.seq_num);
       
   267             }
       
   268         }
       
   269 
       
   270     /* sync epoch numbers once all the unprocessed records 
       
   271      * have been processed */
       
   272     s->d1->processed_rcds.epoch = s->d1->r_epoch;
       
   273     s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1;
       
   274 
       
   275     return(1);
       
   276     }
       
   277 
       
   278 
       
   279 #if 0
       
   280 
       
   281 static int
       
   282 dtls1_get_buffered_record(SSL *s)
       
   283 	{
       
   284 	pitem *item;
       
   285 	PQ_64BIT priority = 
       
   286 		(((PQ_64BIT)s->d1->handshake_read_seq) << 32) | 
       
   287 		((PQ_64BIT)s->d1->r_msg_hdr.frag_off);
       
   288 	
       
   289 	if ( ! SSL_in_init(s))  /* if we're not (re)negotiating, 
       
   290 							   nothing buffered */
       
   291 		return 0;
       
   292 
       
   293 
       
   294 	item = pqueue_peek(s->d1->rcvd_records);
       
   295 	if (item && item->priority == priority)
       
   296 		{
       
   297 		/* Check if we've received the record of interest.  It must be
       
   298 		 * a handshake record, since data records as passed up without
       
   299 		 * buffering */
       
   300 		DTLS1_RECORD_DATA *rdata;
       
   301 		item = pqueue_pop(s->d1->rcvd_records);
       
   302 		rdata = (DTLS1_RECORD_DATA *)item->data;
       
   303 		
       
   304 		if (s->s3->rbuf.buf != NULL)
       
   305 			OPENSSL_free(s->s3->rbuf.buf);
       
   306 		
       
   307 		s->packet = rdata->packet;
       
   308 		s->packet_length = rdata->packet_length;
       
   309 		memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
       
   310 		memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
       
   311 		
       
   312 		OPENSSL_free(item->data);
       
   313 		pitem_free(item);
       
   314 		
       
   315 		/* s->d1->next_expected_seq_num++; */
       
   316 		return(1);
       
   317 		}
       
   318 	
       
   319 	return 0;
       
   320 	}
       
   321 
       
   322 #endif
       
   323 
       
   324 static int
       
   325 dtls1_process_record(SSL *s)
       
   326 {
       
   327     int i,al;
       
   328 	int clear=0;
       
   329     int enc_err;
       
   330 	SSL_SESSION *sess;
       
   331     SSL3_RECORD *rr;
       
   332 	unsigned int mac_size;
       
   333 	unsigned char md[EVP_MAX_MD_SIZE];
       
   334 
       
   335 
       
   336 	rr= &(s->s3->rrec);
       
   337     sess = s->session;
       
   338 
       
   339 	/* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
       
   340 	 * and we have that many bytes in s->packet
       
   341 	 */
       
   342 	rr->input= &(s->packet[DTLS1_RT_HEADER_LENGTH]);
       
   343 
       
   344 	/* ok, we can now read from 's->packet' data into 'rr'
       
   345 	 * rr->input points at rr->length bytes, which
       
   346 	 * need to be copied into rr->data by either
       
   347 	 * the decryption or by the decompression
       
   348 	 * When the data is 'copied' into the rr->data buffer,
       
   349 	 * rr->input will be pointed at the new buffer */ 
       
   350 
       
   351 	/* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
       
   352 	 * rr->length bytes of encrypted compressed stuff. */
       
   353 
       
   354 	/* check is not needed I believe */
       
   355 	if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH)
       
   356 		{
       
   357 		al=SSL_AD_RECORD_OVERFLOW;
       
   358 		SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
       
   359 		goto f_err;
       
   360 		}
       
   361 
       
   362 	/* decrypt in place in 'rr->input' */
       
   363 	rr->data=rr->input;
       
   364 
       
   365 	enc_err = s->method->ssl3_enc->enc(s,0);
       
   366 	if (enc_err <= 0)
       
   367 		{
       
   368 		if (enc_err == 0)
       
   369 			/* SSLerr() and ssl3_send_alert() have been called */
       
   370 			goto err;
       
   371 
       
   372 		/* otherwise enc_err == -1 */
       
   373 		goto decryption_failed_or_bad_record_mac;
       
   374 		}
       
   375 
       
   376 #ifdef TLS_DEBUG
       
   377 printf("dec %d\n",rr->length);
       
   378 { unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
       
   379 printf("\n");
       
   380 #endif
       
   381 
       
   382 	/* r->length is now the compressed data plus mac */
       
   383 if (	(sess == NULL) ||
       
   384 		(s->enc_read_ctx == NULL) ||
       
   385 		(s->read_hash == NULL))
       
   386     clear=1;
       
   387 
       
   388 	if (!clear)
       
   389 		{
       
   390 		mac_size=EVP_MD_size(s->read_hash);
       
   391 
       
   392 		if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
       
   393 			{
       
   394 #if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
       
   395 			al=SSL_AD_RECORD_OVERFLOW;
       
   396 			SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
       
   397 			goto f_err;
       
   398 #else
       
   399 			goto decryption_failed_or_bad_record_mac;
       
   400 #endif			
       
   401 			}
       
   402 		/* check the MAC for rr->input (it's in mac_size bytes at the tail) */
       
   403 		if (rr->length < mac_size)
       
   404 			{
       
   405 #if 0 /* OK only for stream ciphers */
       
   406 			al=SSL_AD_DECODE_ERROR;
       
   407 			SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
       
   408 			goto f_err;
       
   409 #else
       
   410 			goto decryption_failed_or_bad_record_mac;
       
   411 #endif
       
   412 			}
       
   413 		rr->length-=mac_size;
       
   414 		i=s->method->ssl3_enc->mac(s,md,0);
       
   415 		if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
       
   416 			{
       
   417 			goto decryption_failed_or_bad_record_mac;
       
   418 			}
       
   419 		}
       
   420 
       
   421 	/* r->length is now just compressed */
       
   422 	if (s->expand != NULL)
       
   423 		{
       
   424 		if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH)
       
   425 			{
       
   426 			al=SSL_AD_RECORD_OVERFLOW;
       
   427 			SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
       
   428 			goto f_err;
       
   429 			}
       
   430 		if (!ssl3_do_uncompress(s))
       
   431 			{
       
   432 			al=SSL_AD_DECOMPRESSION_FAILURE;
       
   433 			SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_BAD_DECOMPRESSION);
       
   434 			goto f_err;
       
   435 			}
       
   436 		}
       
   437 
       
   438 	if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH)
       
   439 		{
       
   440 		al=SSL_AD_RECORD_OVERFLOW;
       
   441 		SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
       
   442 		goto f_err;
       
   443 		}
       
   444 
       
   445 	rr->off=0;
       
   446 	/* So at this point the following is true
       
   447 	 * ssl->s3->rrec.type 	is the type of record
       
   448 	 * ssl->s3->rrec.length	== number of bytes in record
       
   449 	 * ssl->s3->rrec.off	== offset to first valid byte
       
   450 	 * ssl->s3->rrec.data	== where to take bytes from, increment
       
   451 	 *			   after use :-).
       
   452 	 */
       
   453 
       
   454 	/* we have pulled in a full packet so zero things */
       
   455 	s->packet_length=0;
       
   456     dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */
       
   457     return(1);
       
   458 
       
   459 decryption_failed_or_bad_record_mac:
       
   460 	/* Separate 'decryption_failed' alert was introduced with TLS 1.0,
       
   461 	 * SSL 3.0 only has 'bad_record_mac'.  But unless a decryption
       
   462 	 * failure is directly visible from the ciphertext anyway,
       
   463 	 * we should not reveal which kind of error occured -- this
       
   464 	 * might become visible to an attacker (e.g. via logfile) */
       
   465 	al=SSL_AD_BAD_RECORD_MAC;
       
   466 	SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
       
   467 f_err:
       
   468 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
       
   469 err:
       
   470 	return(0);
       
   471 }
       
   472 
       
   473 
       
   474 /* Call this to get a new input record.
       
   475  * It will return <= 0 if more data is needed, normally due to an error
       
   476  * or non-blocking IO.
       
   477  * When it finishes, one packet has been decoded and can be found in
       
   478  * ssl->s3->rrec.type    - is the type of record
       
   479  * ssl->s3->rrec.data, 	 - data
       
   480  * ssl->s3->rrec.length, - number of bytes
       
   481  */
       
   482 /* used only by dtls1_read_bytes */
       
   483 int dtls1_get_record(SSL *s)
       
   484 	{
       
   485 	int ssl_major,ssl_minor,al;
       
   486 	int i,n;
       
   487 	SSL3_RECORD *rr;
       
   488 	SSL_SESSION *sess;
       
   489 	unsigned char *p;
       
   490 	unsigned short version;
       
   491 	DTLS1_BITMAP *bitmap;
       
   492 	unsigned int is_next_epoch;
       
   493 
       
   494 	rr= &(s->s3->rrec);
       
   495 	sess=s->session;
       
   496 
       
   497     /* The epoch may have changed.  If so, process all the
       
   498      * pending records.  This is a non-blocking operation. */
       
   499     if ( ! dtls1_process_buffered_records(s))
       
   500         return 0;
       
   501 
       
   502 	/* if we're renegotiating, then there may be buffered records */
       
   503 	if (dtls1_get_processed_record(s))
       
   504 		return 1;
       
   505 
       
   506 	/* get something from the wire */
       
   507 again:
       
   508 	/* check if we have the header */
       
   509 	if (	(s->rstate != SSL_ST_READ_BODY) ||
       
   510 		(s->packet_length < DTLS1_RT_HEADER_LENGTH)) 
       
   511 		{
       
   512 		n=ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
       
   513 		/* read timeout is handled by dtls1_read_bytes */
       
   514 		if (n <= 0) return(n); /* error or non-blocking */
       
   515 
       
   516 		OPENSSL_assert(s->packet_length == DTLS1_RT_HEADER_LENGTH);
       
   517 
       
   518 		s->rstate=SSL_ST_READ_BODY;
       
   519 
       
   520 		p=s->packet;
       
   521 
       
   522 		/* Pull apart the header into the DTLS1_RECORD */
       
   523 		rr->type= *(p++);
       
   524 		ssl_major= *(p++);
       
   525 		ssl_minor= *(p++);
       
   526 		version=(ssl_major<<8)|ssl_minor;
       
   527 
       
   528 		/* sequence number is 64 bits, with top 2 bytes = epoch */ 
       
   529 		n2s(p,rr->epoch);
       
   530 
       
   531 		memcpy(&(s->s3->read_sequence[2]), p, 6);
       
   532 		p+=6;
       
   533 
       
   534 		n2s(p,rr->length);
       
   535 
       
   536 		/* Lets check version */
       
   537 		if (!s->first_packet)
       
   538 			{
       
   539 			if (version != s->version && version != DTLS1_BAD_VER)
       
   540 				{
       
   541 				SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
       
   542 				/* Send back error using their
       
   543 				 * version number :-) */
       
   544 				s->version=version;
       
   545 				al=SSL_AD_PROTOCOL_VERSION;
       
   546 				goto f_err;
       
   547 				}
       
   548 			}
       
   549 
       
   550 		if ((version & 0xff00) != (DTLS1_VERSION & 0xff00) &&
       
   551 		    (version & 0xff00) != (DTLS1_BAD_VER & 0xff00))
       
   552 			{
       
   553 			SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
       
   554 			goto err;
       
   555 			}
       
   556 
       
   557 		if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH)
       
   558 			{
       
   559 			al=SSL_AD_RECORD_OVERFLOW;
       
   560 			SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
       
   561 			goto f_err;
       
   562 			}
       
   563 
       
   564 		s->client_version = version;
       
   565 		/* now s->rstate == SSL_ST_READ_BODY */
       
   566 		}
       
   567 
       
   568 	/* s->rstate == SSL_ST_READ_BODY, get and decode the data */
       
   569 
       
   570 	if (rr->length > s->packet_length-DTLS1_RT_HEADER_LENGTH)
       
   571 		{
       
   572 		/* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
       
   573 		i=rr->length;
       
   574 		n=ssl3_read_n(s,i,i,1);
       
   575 		if (n <= 0) return(n); /* error or non-blocking io */
       
   576 
       
   577 		/* this packet contained a partial record, dump it */
       
   578 		if ( n != i)
       
   579 			{
       
   580 			s->packet_length = 0;
       
   581 			goto again;
       
   582 			}
       
   583 
       
   584 		/* now n == rr->length,
       
   585 		 * and s->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length */
       
   586 		}
       
   587 	s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */
       
   588 
       
   589 	/* match epochs.  NULL means the packet is dropped on the floor */
       
   590 	bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
       
   591 	if ( bitmap == NULL)
       
   592         {
       
   593         s->packet_length = 0;  /* dump this record */
       
   594         goto again;   /* get another record */
       
   595 		}
       
   596 
       
   597 	/* check whether this is a repeat, or aged record */
       
   598 	if ( ! dtls1_record_replay_check(s, bitmap, &(rr->seq_num)))
       
   599 		{
       
   600 		s->packet_length=0; /* dump this record */
       
   601 		goto again;     /* get another record */
       
   602 		}
       
   603 
       
   604 	/* just read a 0 length packet */
       
   605 	if (rr->length == 0) goto again;
       
   606 
       
   607     /* If this record is from the next epoch (either HM or ALERT), buffer it
       
   608      * since it cannot be processed at this time.
       
   609      * Records from the next epoch are marked as received even though they are 
       
   610      * not processed, so as to prevent any potential resource DoS attack */
       
   611     if (is_next_epoch)
       
   612         {
       
   613         dtls1_record_bitmap_update(s, bitmap);
       
   614         dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
       
   615         s->packet_length = 0;
       
   616         goto again;
       
   617         }
       
   618 
       
   619     if ( ! dtls1_process_record(s))
       
   620         return(0);
       
   621 
       
   622 	dtls1_clear_timeouts(s);  /* done waiting */
       
   623 	return(1);
       
   624 
       
   625 f_err:
       
   626 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
       
   627 err:
       
   628 	return(0);
       
   629 	}
       
   630 
       
   631 /* Return up to 'len' payload bytes received in 'type' records.
       
   632  * 'type' is one of the following:
       
   633  *
       
   634  *   -  SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
       
   635  *   -  SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
       
   636  *   -  0 (during a shutdown, no data has to be returned)
       
   637  *
       
   638  * If we don't have stored data to work from, read a SSL/TLS record first
       
   639  * (possibly multiple records if we still don't have anything to return).
       
   640  *
       
   641  * This function must handle any surprises the peer may have for us, such as
       
   642  * Alert records (e.g. close_notify), ChangeCipherSpec records (not really
       
   643  * a surprise, but handled as if it were), or renegotiation requests.
       
   644  * Also if record payloads contain fragments too small to process, we store
       
   645  * them until there is enough for the respective protocol (the record protocol
       
   646  * may use arbitrary fragmentation and even interleaving):
       
   647  *     Change cipher spec protocol
       
   648  *             just 1 byte needed, no need for keeping anything stored
       
   649  *     Alert protocol
       
   650  *             2 bytes needed (AlertLevel, AlertDescription)
       
   651  *     Handshake protocol
       
   652  *             4 bytes needed (HandshakeType, uint24 length) -- we just have
       
   653  *             to detect unexpected Client Hello and Hello Request messages
       
   654  *             here, anything else is handled by higher layers
       
   655  *     Application data protocol
       
   656  *             none of our business
       
   657  */
       
   658 int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
       
   659 	{
       
   660 	int al,i,j,ret;
       
   661 	unsigned int n;
       
   662 	SSL3_RECORD *rr;
       
   663 	void (*cb)(const SSL *ssl,int type2,int val)=NULL;
       
   664 
       
   665 	if (s->s3->rbuf.buf == NULL) /* Not initialized yet */
       
   666 		if (!ssl3_setup_buffers(s))
       
   667 			return(-1);
       
   668 
       
   669     /* XXX: check what the second '&& type' is about */
       
   670 	if ((type && (type != SSL3_RT_APPLICATION_DATA) && 
       
   671 		(type != SSL3_RT_HANDSHAKE) && type) ||
       
   672 	    (peek && (type != SSL3_RT_APPLICATION_DATA)))
       
   673 		{
       
   674 		SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR);
       
   675 		return -1;
       
   676 		}
       
   677 
       
   678 	/* check whether there's a handshake message (client hello?) waiting */
       
   679 	if ( (ret = have_handshake_fragment(s, type, buf, len, peek)))
       
   680 		return ret;
       
   681 
       
   682 	/* Now s->d1->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
       
   683 
       
   684 	if (!s->in_handshake && SSL_in_init(s))
       
   685 		{
       
   686 		/* type == SSL3_RT_APPLICATION_DATA */
       
   687 		i=s->handshake_func(s);
       
   688 		if (i < 0) return(i);
       
   689 		if (i == 0)
       
   690 			{
       
   691 			SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
       
   692 			return(-1);
       
   693 			}
       
   694 		}
       
   695 
       
   696 start:
       
   697 	s->rwstate=SSL_NOTHING;
       
   698 
       
   699 	/* s->s3->rrec.type	    - is the type of record
       
   700 	 * s->s3->rrec.data,    - data
       
   701 	 * s->s3->rrec.off,     - offset into 'data' for next read
       
   702 	 * s->s3->rrec.length,  - number of bytes. */
       
   703 	rr = &(s->s3->rrec);
       
   704 
       
   705 	/* get new packet if necessary */
       
   706 	if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
       
   707 		{
       
   708 		ret=dtls1_get_record(s);
       
   709 		if (ret <= 0) 
       
   710 			{
       
   711 			ret = dtls1_read_failed(s, ret);
       
   712 			/* anything other than a timeout is an error */
       
   713 			if (ret <= 0)  
       
   714 				return(ret);
       
   715 			else
       
   716 				goto start;
       
   717 			}
       
   718 		}
       
   719 
       
   720 	/* we now have a packet which can be read and processed */
       
   721 
       
   722 	if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
       
   723 	                               * reset by ssl3_get_finished */
       
   724 		&& (rr->type != SSL3_RT_HANDSHAKE))
       
   725 		{
       
   726 		al=SSL_AD_UNEXPECTED_MESSAGE;
       
   727 		SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
       
   728 		goto err;
       
   729 		}
       
   730 
       
   731 	/* If the other end has shut down, throw anything we read away
       
   732 	 * (even in 'peek' mode) */
       
   733 	if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
       
   734 		{
       
   735 		rr->length=0;
       
   736 		s->rwstate=SSL_NOTHING;
       
   737 		return(0);
       
   738 		}
       
   739 
       
   740 
       
   741 	if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */
       
   742 		{
       
   743 		/* make sure that we are not getting application data when we
       
   744 		 * are doing a handshake for the first time */
       
   745 		if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
       
   746 			(s->enc_read_ctx == NULL))
       
   747 			{
       
   748 			al=SSL_AD_UNEXPECTED_MESSAGE;
       
   749 			SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE);
       
   750 			goto f_err;
       
   751 			}
       
   752 
       
   753 		if (len <= 0) return(len);
       
   754 
       
   755 		if ((unsigned int)len > rr->length)
       
   756 			n = rr->length;
       
   757 		else
       
   758 			n = (unsigned int)len;
       
   759 
       
   760 		memcpy(buf,&(rr->data[rr->off]),n);
       
   761 		if (!peek)
       
   762 			{
       
   763 			rr->length-=n;
       
   764 			rr->off+=n;
       
   765 			if (rr->length == 0)
       
   766 				{
       
   767 				s->rstate=SSL_ST_READ_HEADER;
       
   768 				rr->off=0;
       
   769 				}
       
   770 			}
       
   771 		return(n);
       
   772 		}
       
   773 
       
   774 
       
   775 	/* If we get here, then type != rr->type; if we have a handshake
       
   776 	 * message, then it was unexpected (Hello Request or Client Hello). */
       
   777 
       
   778 	/* In case of record types for which we have 'fragment' storage,
       
   779 	 * fill that so that we can process the data at a fixed place.
       
   780 	 */
       
   781 		{
       
   782 		unsigned int k, dest_maxlen = 0;
       
   783 		unsigned char *dest = NULL;
       
   784 		unsigned int *dest_len = NULL;
       
   785 
       
   786 		if (rr->type == SSL3_RT_HANDSHAKE)
       
   787 			{
       
   788 			dest_maxlen = sizeof s->d1->handshake_fragment;
       
   789 			dest = s->d1->handshake_fragment;
       
   790 			dest_len = &s->d1->handshake_fragment_len;
       
   791 			}
       
   792 		else if (rr->type == SSL3_RT_ALERT)
       
   793 			{
       
   794 			dest_maxlen = sizeof(s->d1->alert_fragment);
       
   795 			dest = s->d1->alert_fragment;
       
   796 			dest_len = &s->d1->alert_fragment_len;
       
   797 			}
       
   798                 /* else it's a CCS message, or it's wrong */
       
   799                 else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC)
       
   800                         {
       
   801                           /* Not certain if this is the right error handling */
       
   802                           al=SSL_AD_UNEXPECTED_MESSAGE;
       
   803                           SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
       
   804                           goto f_err;
       
   805                         }
       
   806 
       
   807 
       
   808 		if (dest_maxlen > 0)
       
   809 			{
       
   810             /* XDTLS:  In a pathalogical case, the Client Hello
       
   811              *  may be fragmented--don't always expect dest_maxlen bytes */
       
   812 			if ( rr->length < dest_maxlen)
       
   813 				{
       
   814 				s->rstate=SSL_ST_READ_HEADER;
       
   815 				rr->length = 0;
       
   816 				goto start;
       
   817 				}
       
   818 
       
   819 			/* now move 'n' bytes: */
       
   820 			for ( k = 0; k < dest_maxlen; k++)
       
   821 				{
       
   822 				dest[k] = rr->data[rr->off++];
       
   823 				rr->length--;
       
   824 				}
       
   825 			*dest_len = dest_maxlen;
       
   826 			}
       
   827 		}
       
   828 
       
   829 	/* s->d1->handshake_fragment_len == 12  iff  rr->type == SSL3_RT_HANDSHAKE;
       
   830 	 * s->d1->alert_fragment_len == 7      iff  rr->type == SSL3_RT_ALERT.
       
   831 	 * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */
       
   832 
       
   833 	/* If we are a client, check for an incoming 'Hello Request': */
       
   834 	if ((!s->server) &&
       
   835 		(s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) &&
       
   836 		(s->d1->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) &&
       
   837 		(s->session != NULL) && (s->session->cipher != NULL))
       
   838 		{
       
   839 		s->d1->handshake_fragment_len = 0;
       
   840 
       
   841 		if ((s->d1->handshake_fragment[1] != 0) ||
       
   842 			(s->d1->handshake_fragment[2] != 0) ||
       
   843 			(s->d1->handshake_fragment[3] != 0))
       
   844 			{
       
   845 			al=SSL_AD_DECODE_ERROR;
       
   846 			SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
       
   847 			goto err;
       
   848 			}
       
   849 
       
   850 		/* no need to check sequence number on HELLO REQUEST messages */
       
   851 
       
   852 		if (s->msg_callback)
       
   853 			s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 
       
   854 				s->d1->handshake_fragment, 4, s, s->msg_callback_arg);
       
   855 
       
   856 		if (SSL_is_init_finished(s) &&
       
   857 			!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
       
   858 			!s->s3->renegotiate)
       
   859 			{
       
   860 			ssl3_renegotiate(s);
       
   861 			if (ssl3_renegotiate_check(s))
       
   862 				{
       
   863 				i=s->handshake_func(s);
       
   864 				if (i < 0) return(i);
       
   865 				if (i == 0)
       
   866 					{
       
   867 					SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
       
   868 					return(-1);
       
   869 					}
       
   870 
       
   871 				if (!(s->mode & SSL_MODE_AUTO_RETRY))
       
   872 					{
       
   873 					if (s->s3->rbuf.left == 0) /* no read-ahead left? */
       
   874 						{
       
   875 						BIO *bio;
       
   876 						/* In the case where we try to read application data,
       
   877 						 * but we trigger an SSL handshake, we return -1 with
       
   878 						 * the retry option set.  Otherwise renegotiation may
       
   879 						 * cause nasty problems in the blocking world */
       
   880 						s->rwstate=SSL_READING;
       
   881 						bio=SSL_get_rbio(s);
       
   882 						BIO_clear_retry_flags(bio);
       
   883 						BIO_set_retry_read(bio);
       
   884 						return(-1);
       
   885 						}
       
   886 					}
       
   887 				}
       
   888 			}
       
   889 		/* we either finished a handshake or ignored the request,
       
   890 		 * now try again to obtain the (application) data we were asked for */
       
   891 		goto start;
       
   892 		}
       
   893 
       
   894 	if (s->d1->alert_fragment_len >= DTLS1_AL_HEADER_LENGTH)
       
   895 		{
       
   896 		int alert_level = s->d1->alert_fragment[0];
       
   897 		int alert_descr = s->d1->alert_fragment[1];
       
   898 
       
   899 		s->d1->alert_fragment_len = 0;
       
   900 
       
   901 		if (s->msg_callback)
       
   902 			s->msg_callback(0, s->version, SSL3_RT_ALERT, 
       
   903 				s->d1->alert_fragment, 2, s, s->msg_callback_arg);
       
   904 
       
   905 		if (s->info_callback != NULL)
       
   906 			cb=s->info_callback;
       
   907 		else if (s->ctx->info_callback != NULL)
       
   908 			cb=s->ctx->info_callback;
       
   909 
       
   910 		if (cb != NULL)
       
   911 			{
       
   912 			j = (alert_level << 8) | alert_descr;
       
   913 			cb(s, SSL_CB_READ_ALERT, j);
       
   914 			}
       
   915 
       
   916 		if (alert_level == 1) /* warning */
       
   917 			{
       
   918 			s->s3->warn_alert = alert_descr;
       
   919 			if (alert_descr == SSL_AD_CLOSE_NOTIFY)
       
   920 				{
       
   921 				s->shutdown |= SSL_RECEIVED_SHUTDOWN;
       
   922 				return(0);
       
   923 				}
       
   924 #if 0
       
   925             /* XXX: this is a possible improvement in the future */
       
   926 			/* now check if it's a missing record */
       
   927 			if (alert_descr == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
       
   928 				{
       
   929 				unsigned short seq;
       
   930 				unsigned int frag_off;
       
   931 				unsigned char *p = &(s->d1->alert_fragment[2]);
       
   932 
       
   933 				n2s(p, seq);
       
   934 				n2l3(p, frag_off);
       
   935 
       
   936 				dtls1_retransmit_message(s, seq, frag_off, &found);
       
   937 				if ( ! found  && SSL_in_init(s))
       
   938 					{
       
   939 					/* fprintf( stderr,"in init = %d\n", SSL_in_init(s)); */
       
   940 					/* requested a message not yet sent, 
       
   941 					   send an alert ourselves */
       
   942 					ssl3_send_alert(s,SSL3_AL_WARNING,
       
   943 						DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
       
   944 					}
       
   945 				}
       
   946 #endif
       
   947 			}
       
   948 		else if (alert_level == 2) /* fatal */
       
   949 			{
       
   950 			char tmp[16];
       
   951 
       
   952 			s->rwstate=SSL_NOTHING;
       
   953 			s->s3->fatal_alert = alert_descr;
       
   954 			SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
       
   955 			BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr);
       
   956 			ERR_add_error_data(2,"SSL alert number ",tmp);
       
   957 			s->shutdown|=SSL_RECEIVED_SHUTDOWN;
       
   958 			SSL_CTX_remove_session(s->ctx,s->session);
       
   959 			return(0);
       
   960 			}
       
   961 		else
       
   962 			{
       
   963 			al=SSL_AD_ILLEGAL_PARAMETER;
       
   964 			SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE);
       
   965 			goto f_err;
       
   966 			}
       
   967 
       
   968 		goto start;
       
   969 		}
       
   970 
       
   971 	if (s->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutdown */
       
   972 		{
       
   973 		s->rwstate=SSL_NOTHING;
       
   974 		rr->length=0;
       
   975 		return(0);
       
   976 		}
       
   977 
       
   978 	if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
       
   979 		{
       
   980 		struct ccs_header_st ccs_hdr;
       
   981 
       
   982 		dtls1_get_ccs_header(rr->data, &ccs_hdr);
       
   983 
       
   984 		/* 'Change Cipher Spec' is just a single byte, so we know
       
   985 		 * exactly what the record payload has to look like */
       
   986 		/* XDTLS: check that epoch is consistent */
       
   987 		if (	(s->client_version == DTLS1_BAD_VER && rr->length != 3) ||
       
   988 			(s->client_version != DTLS1_BAD_VER && rr->length != DTLS1_CCS_HEADER_LENGTH) || 
       
   989 			(rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
       
   990 			{
       
   991 			i=SSL_AD_ILLEGAL_PARAMETER;
       
   992 			SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
       
   993 			goto err;
       
   994 			}
       
   995 
       
   996 		rr->length=0;
       
   997 
       
   998 		if (s->msg_callback)
       
   999 			s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, 
       
  1000 				rr->data, 1, s, s->msg_callback_arg);
       
  1001 
       
  1002 		s->s3->change_cipher_spec=1;
       
  1003 		if (!ssl3_do_change_cipher_spec(s))
       
  1004 			goto err;
       
  1005 
       
  1006 		/* do this whenever CCS is processed */
       
  1007 		dtls1_reset_seq_numbers(s, SSL3_CC_READ);
       
  1008 
       
  1009 		if (s->client_version == DTLS1_BAD_VER)
       
  1010 			s->d1->handshake_read_seq++;
       
  1011 
       
  1012 		goto start;
       
  1013 		}
       
  1014 
       
  1015 	/* Unexpected handshake message (Client Hello, or protocol violation) */
       
  1016 	if ((s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && 
       
  1017 		!s->in_handshake)
       
  1018 		{
       
  1019 		struct hm_header_st msg_hdr;
       
  1020 		
       
  1021 		/* this may just be a stale retransmit */
       
  1022 		dtls1_get_message_header(rr->data, &msg_hdr);
       
  1023 		if( rr->epoch != s->d1->r_epoch)
       
  1024 			{
       
  1025 			rr->length = 0;
       
  1026 			goto start;
       
  1027 			}
       
  1028 
       
  1029 		if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
       
  1030 			!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
       
  1031 			{
       
  1032 #if 0 /* worked only because C operator preferences are not as expected (and
       
  1033        * because this is not really needed for clients except for detecting
       
  1034        * protocol violations): */
       
  1035 			s->state=SSL_ST_BEFORE|(s->server)
       
  1036 				?SSL_ST_ACCEPT
       
  1037 				:SSL_ST_CONNECT;
       
  1038 #else
       
  1039 			s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
       
  1040 #endif
       
  1041 			s->new_session=1;
       
  1042 			}
       
  1043 		i=s->handshake_func(s);
       
  1044 		if (i < 0) return(i);
       
  1045 		if (i == 0)
       
  1046 			{
       
  1047 			SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
       
  1048 			return(-1);
       
  1049 			}
       
  1050 
       
  1051 		if (!(s->mode & SSL_MODE_AUTO_RETRY))
       
  1052 			{
       
  1053 			if (s->s3->rbuf.left == 0) /* no read-ahead left? */
       
  1054 				{
       
  1055 				BIO *bio;
       
  1056 				/* In the case where we try to read application data,
       
  1057 				 * but we trigger an SSL handshake, we return -1 with
       
  1058 				 * the retry option set.  Otherwise renegotiation may
       
  1059 				 * cause nasty problems in the blocking world */
       
  1060 				s->rwstate=SSL_READING;
       
  1061 				bio=SSL_get_rbio(s);
       
  1062 				BIO_clear_retry_flags(bio);
       
  1063 				BIO_set_retry_read(bio);
       
  1064 				return(-1);
       
  1065 				}
       
  1066 			}
       
  1067 		goto start;
       
  1068 		}
       
  1069 
       
  1070 	switch (rr->type)
       
  1071 		{
       
  1072 	default:
       
  1073 #ifndef OPENSSL_NO_TLS
       
  1074 		/* TLS just ignores unknown message types */
       
  1075 		if (s->version == TLS1_VERSION)
       
  1076 			{
       
  1077 			rr->length = 0;
       
  1078 			goto start;
       
  1079 			}
       
  1080 #endif
       
  1081 		al=SSL_AD_UNEXPECTED_MESSAGE;
       
  1082 		SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
       
  1083 		goto f_err;
       
  1084 	case SSL3_RT_CHANGE_CIPHER_SPEC:
       
  1085 	case SSL3_RT_ALERT:
       
  1086 	case SSL3_RT_HANDSHAKE:
       
  1087 		/* we already handled all of these, with the possible exception
       
  1088 		 * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that
       
  1089 		 * should not happen when type != rr->type */
       
  1090 		al=SSL_AD_UNEXPECTED_MESSAGE;
       
  1091 		SSLerr(SSL_F_DTLS1_READ_BYTES,ERR_R_INTERNAL_ERROR);
       
  1092 		goto f_err;
       
  1093 	case SSL3_RT_APPLICATION_DATA:
       
  1094 		/* At this point, we were expecting handshake data,
       
  1095 		 * but have application data.  If the library was
       
  1096 		 * running inside ssl3_read() (i.e. in_read_app_data
       
  1097 		 * is set) and it makes sense to read application data
       
  1098 		 * at this point (session renegotiation not yet started),
       
  1099 		 * we will indulge it.
       
  1100 		 */
       
  1101 		if (s->s3->in_read_app_data &&
       
  1102 			(s->s3->total_renegotiations != 0) &&
       
  1103 			((
       
  1104 				(s->state & SSL_ST_CONNECT) &&
       
  1105 				(s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
       
  1106 				(s->state <= SSL3_ST_CR_SRVR_HELLO_A)
       
  1107 				) || (
       
  1108 					(s->state & SSL_ST_ACCEPT) &&
       
  1109 					(s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
       
  1110 					(s->state >= SSL3_ST_SR_CLNT_HELLO_A)
       
  1111 					)
       
  1112 				))
       
  1113 			{
       
  1114 			s->s3->in_read_app_data=2;
       
  1115 			return(-1);
       
  1116 			}
       
  1117 		else
       
  1118 			{
       
  1119 			al=SSL_AD_UNEXPECTED_MESSAGE;
       
  1120 			SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
       
  1121 			goto f_err;
       
  1122 			}
       
  1123 		}
       
  1124 	/* not reached */
       
  1125 
       
  1126 f_err:
       
  1127 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
       
  1128 err:
       
  1129 	return(-1);
       
  1130 	}
       
  1131 
       
  1132 int
       
  1133 dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len)
       
  1134 	{
       
  1135 	unsigned int n,tot;
       
  1136 	int i;
       
  1137 
       
  1138 	if (SSL_in_init(s) && !s->in_handshake)
       
  1139 		{
       
  1140 		i=s->handshake_func(s);
       
  1141 		if (i < 0) return(i);
       
  1142 		if (i == 0)
       
  1143 			{
       
  1144 			SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
       
  1145 			return -1;
       
  1146 			}
       
  1147 		}
       
  1148 
       
  1149 	tot = s->s3->wnum;
       
  1150 	n = len - tot;
       
  1151 
       
  1152 	while( n)
       
  1153 		{
       
  1154 		/* dtls1_write_bytes sends one record at a time, sized according to 
       
  1155 		 * the currently known MTU */
       
  1156 		i = dtls1_write_bytes(s, type, buf_, len);
       
  1157 		if (i <= 0) return i;
       
  1158 		
       
  1159 		if ((i == (int)n) ||
       
  1160 			(type == SSL3_RT_APPLICATION_DATA &&
       
  1161 				(s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
       
  1162 			{
       
  1163 			/* next chunk of data should get another prepended empty fragment
       
  1164 			 * in ciphersuites with known-IV weakness: */
       
  1165 			s->s3->empty_fragment_done = 0;
       
  1166 			return tot+i;
       
  1167 			}
       
  1168 
       
  1169 		tot += i;
       
  1170 		n-=i;
       
  1171 		}
       
  1172 
       
  1173 	return tot;
       
  1174 	}
       
  1175 
       
  1176 
       
  1177 	/* this only happens when a client hello is received and a handshake 
       
  1178 	 * is started. */
       
  1179 static int
       
  1180 have_handshake_fragment(SSL *s, int type, unsigned char *buf, 
       
  1181 	int len, int peek)
       
  1182 	{
       
  1183 	
       
  1184 	if ((type == SSL3_RT_HANDSHAKE) && (s->d1->handshake_fragment_len > 0))
       
  1185 		/* (partially) satisfy request from storage */
       
  1186 		{
       
  1187 		unsigned char *src = s->d1->handshake_fragment;
       
  1188 		unsigned char *dst = buf;
       
  1189 		unsigned int k,n;
       
  1190 		
       
  1191 		/* peek == 0 */
       
  1192 		n = 0;
       
  1193 		while ((len > 0) && (s->d1->handshake_fragment_len > 0))
       
  1194 			{
       
  1195 			*dst++ = *src++;
       
  1196 			len--; s->d1->handshake_fragment_len--;
       
  1197 			n++;
       
  1198 			}
       
  1199 		/* move any remaining fragment bytes: */
       
  1200 		for (k = 0; k < s->d1->handshake_fragment_len; k++)
       
  1201 			s->d1->handshake_fragment[k] = *src++;
       
  1202 		return n;
       
  1203 		}
       
  1204 	
       
  1205 	return 0;
       
  1206 	}
       
  1207 
       
  1208 
       
  1209 
       
  1210 
       
  1211 /* Call this to write data in records of type 'type'
       
  1212  * It will return <= 0 if not all data has been sent or non-blocking IO.
       
  1213  */
       
  1214 int dtls1_write_bytes(SSL *s, int type, const void *buf_, int len)
       
  1215 	{
       
  1216 	const unsigned char *buf=buf_;
       
  1217 	unsigned int tot,n,nw;
       
  1218 	int i;
       
  1219 	unsigned int mtu;
       
  1220 
       
  1221 	s->rwstate=SSL_NOTHING;
       
  1222 	tot=s->s3->wnum;
       
  1223 
       
  1224 	n=(len-tot);
       
  1225 
       
  1226 	/* handshake layer figures out MTU for itself, but data records
       
  1227 	 * are also sent through this interface, so need to figure out MTU */
       
  1228 #if 0
       
  1229 	mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_MTU, 0, NULL);
       
  1230 	mtu += DTLS1_HM_HEADER_LENGTH;  /* HM already inserted */
       
  1231 #endif
       
  1232 	mtu = s->d1->mtu;
       
  1233 
       
  1234 	if (mtu > SSL3_RT_MAX_PLAIN_LENGTH)
       
  1235 		mtu = SSL3_RT_MAX_PLAIN_LENGTH;
       
  1236 
       
  1237 	if (n > mtu)
       
  1238 		nw=mtu;
       
  1239 	else
       
  1240 		nw=n;
       
  1241 	
       
  1242 	i=do_dtls1_write(s, type, &(buf[tot]), nw, 0);
       
  1243 	if (i <= 0)
       
  1244 		{
       
  1245 		s->s3->wnum=tot;
       
  1246 		return i;
       
  1247 		}
       
  1248 
       
  1249 	if ( (int)s->s3->wnum + i == len)
       
  1250 		s->s3->wnum = 0;
       
  1251 	else 
       
  1252 		s->s3->wnum += i;
       
  1253 
       
  1254 	return tot + i;
       
  1255 	}
       
  1256 
       
  1257 int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, int create_empty_fragment)
       
  1258 	{
       
  1259 	unsigned char *p,*pseq;
       
  1260 	int i,mac_size,clear=0;
       
  1261 	int prefix_len = 0;
       
  1262 	SSL3_RECORD *wr;
       
  1263 	SSL3_BUFFER *wb;
       
  1264 	SSL_SESSION *sess;
       
  1265 	int bs;
       
  1266 
       
  1267 	/* first check if there is a SSL3_BUFFER still being written
       
  1268 	 * out.  This will happen with non blocking IO */
       
  1269 	if (s->s3->wbuf.left != 0)
       
  1270 		{
       
  1271 		OPENSSL_assert(0); /* XDTLS:  want to see if we ever get here */
       
  1272 		return(ssl3_write_pending(s,type,buf,len));
       
  1273 		}
       
  1274 
       
  1275 	/* If we have an alert to send, lets send it */
       
  1276 	if (s->s3->alert_dispatch)
       
  1277 		{
       
  1278 		i=s->method->ssl_dispatch_alert(s);
       
  1279 		if (i <= 0)
       
  1280 			return(i);
       
  1281 		/* if it went, fall through and send more stuff */
       
  1282 		}
       
  1283 
       
  1284 	if (len == 0 && !create_empty_fragment)
       
  1285 		return 0;
       
  1286 
       
  1287 	wr= &(s->s3->wrec);
       
  1288 	wb= &(s->s3->wbuf);
       
  1289 	sess=s->session;
       
  1290 
       
  1291 	if (	(sess == NULL) ||
       
  1292 		(s->enc_write_ctx == NULL) ||
       
  1293 		(s->write_hash == NULL))
       
  1294 		clear=1;
       
  1295 
       
  1296 	if (clear)
       
  1297 		mac_size=0;
       
  1298 	else
       
  1299 		mac_size=EVP_MD_size(s->write_hash);
       
  1300 
       
  1301 	/* DTLS implements explicit IV, so no need for empty fragments */
       
  1302 #if 0
       
  1303 	/* 'create_empty_fragment' is true only when this function calls itself */
       
  1304 	if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done
       
  1305 		&& SSL_version(s) != DTLS1_VERSION)
       
  1306 		{
       
  1307 		/* countermeasure against known-IV weakness in CBC ciphersuites
       
  1308 		 * (see http://www.openssl.org/~bodo/tls-cbc.txt) 
       
  1309 		 */
       
  1310 
       
  1311 		if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA)
       
  1312 			{
       
  1313 			/* recursive function call with 'create_empty_fragment' set;
       
  1314 			 * this prepares and buffers the data for an empty fragment
       
  1315 			 * (these 'prefix_len' bytes are sent out later
       
  1316 			 * together with the actual payload) */
       
  1317 			prefix_len = s->method->do_ssl_write(s, type, buf, 0, 1);
       
  1318 			if (prefix_len <= 0)
       
  1319 				goto err;
       
  1320 
       
  1321 			if (s->s3->wbuf.len < (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE)
       
  1322 				{
       
  1323 				/* insufficient space */
       
  1324 				SSLerr(SSL_F_DO_DTLS1_WRITE, ERR_R_INTERNAL_ERROR);
       
  1325 				goto err;
       
  1326 				}
       
  1327 			}
       
  1328 		
       
  1329 		s->s3->empty_fragment_done = 1;
       
  1330 		}
       
  1331 #endif
       
  1332 
       
  1333 	p = wb->buf + prefix_len;
       
  1334 
       
  1335 	/* write the header */
       
  1336 
       
  1337 	*(p++)=type&0xff;
       
  1338 	wr->type=type;
       
  1339 
       
  1340 	if (s->client_version == DTLS1_BAD_VER)
       
  1341 		*(p++) = DTLS1_BAD_VER>>8,
       
  1342 		*(p++) = DTLS1_BAD_VER&0xff;
       
  1343 	else
       
  1344 		*(p++)=(s->version>>8),
       
  1345 		*(p++)=s->version&0xff;
       
  1346 
       
  1347 	/* field where we are to write out packet epoch, seq num and len */
       
  1348 	pseq=p; 
       
  1349 	p+=10;
       
  1350 
       
  1351 	/* lets setup the record stuff. */
       
  1352 
       
  1353 	/* Make space for the explicit IV in case of CBC.
       
  1354 	 * (this is a bit of a boundary violation, but what the heck).
       
  1355 	 */
       
  1356 	if ( s->enc_write_ctx && 
       
  1357 		(EVP_CIPHER_mode( s->enc_write_ctx->cipher ) & EVP_CIPH_CBC_MODE))
       
  1358 		bs = EVP_CIPHER_block_size(s->enc_write_ctx->cipher);
       
  1359 	else
       
  1360 		bs = 0;
       
  1361 
       
  1362 	wr->data=p + bs;  /* make room for IV in case of CBC */
       
  1363 	wr->length=(int)len;
       
  1364 	wr->input=(unsigned char *)buf;
       
  1365 
       
  1366 	/* we now 'read' from wr->input, wr->length bytes into
       
  1367 	 * wr->data */
       
  1368 
       
  1369 	/* first we compress */
       
  1370 	if (s->compress != NULL)
       
  1371 		{
       
  1372 		if (!ssl3_do_compress(s))
       
  1373 			{
       
  1374 			SSLerr(SSL_F_DO_DTLS1_WRITE,SSL_R_COMPRESSION_FAILURE);
       
  1375 			goto err;
       
  1376 			}
       
  1377 		}
       
  1378 	else
       
  1379 		{
       
  1380 		memcpy(wr->data,wr->input,wr->length);
       
  1381 		wr->input=wr->data;
       
  1382 		}
       
  1383 
       
  1384 	/* we should still have the output to wr->data and the input
       
  1385 	 * from wr->input.  Length should be wr->length.
       
  1386 	 * wr->data still points in the wb->buf */
       
  1387 
       
  1388 	if (mac_size != 0)
       
  1389 		{
       
  1390 		s->method->ssl3_enc->mac(s,&(p[wr->length + bs]),1);
       
  1391 		wr->length+=mac_size;
       
  1392 		}
       
  1393 
       
  1394 	/* this is true regardless of mac size */
       
  1395 	wr->input=p;
       
  1396 	wr->data=p;
       
  1397 
       
  1398 
       
  1399 	/* ssl3_enc can only have an error on read */
       
  1400 	if (bs)	/* bs != 0 in case of CBC */
       
  1401 		{
       
  1402 		RAND_pseudo_bytes(p,bs);
       
  1403 		/* master IV and last CBC residue stand for
       
  1404 		 * the rest of randomness */
       
  1405 		wr->length += bs;
       
  1406 		}
       
  1407 
       
  1408 	s->method->ssl3_enc->enc(s,1);
       
  1409 
       
  1410 	/* record length after mac and block padding */
       
  1411 /*	if (type == SSL3_RT_APPLICATION_DATA ||
       
  1412 	(type == SSL3_RT_ALERT && ! SSL_in_init(s))) */
       
  1413 	
       
  1414 	/* there's only one epoch between handshake and app data */
       
  1415 	
       
  1416 	s2n(s->d1->w_epoch, pseq);
       
  1417 
       
  1418 	/* XDTLS: ?? */
       
  1419 /*	else
       
  1420 	s2n(s->d1->handshake_epoch, pseq); */
       
  1421 
       
  1422 	memcpy(pseq, &(s->s3->write_sequence[2]), 6);
       
  1423 	pseq+=6;
       
  1424 	s2n(wr->length,pseq);
       
  1425 
       
  1426 	/* we should now have
       
  1427 	 * wr->data pointing to the encrypted data, which is
       
  1428 	 * wr->length long */
       
  1429 	wr->type=type; /* not needed but helps for debugging */
       
  1430 	wr->length+=DTLS1_RT_HEADER_LENGTH;
       
  1431 
       
  1432 #if 0  /* this is now done at the message layer */
       
  1433 	/* buffer the record, making it easy to handle retransmits */
       
  1434 	if ( type == SSL3_RT_HANDSHAKE || type == SSL3_RT_CHANGE_CIPHER_SPEC)
       
  1435 		dtls1_buffer_record(s, wr->data, wr->length, 
       
  1436 			*((PQ_64BIT *)&(s->s3->write_sequence[0])));
       
  1437 #endif
       
  1438 
       
  1439 	ssl3_record_sequence_update(&(s->s3->write_sequence[0]));
       
  1440 
       
  1441 	if (create_empty_fragment)
       
  1442 		{
       
  1443 		/* we are in a recursive call;
       
  1444 		 * just return the length, don't write out anything here
       
  1445 		 */
       
  1446 		return wr->length;
       
  1447 		}
       
  1448 
       
  1449 	/* now let's set up wb */
       
  1450 	wb->left = prefix_len + wr->length;
       
  1451 	wb->offset = 0;
       
  1452 
       
  1453 	/* memorize arguments so that ssl3_write_pending can detect bad write retries later */
       
  1454 	s->s3->wpend_tot=len;
       
  1455 	s->s3->wpend_buf=buf;
       
  1456 	s->s3->wpend_type=type;
       
  1457 	s->s3->wpend_ret=len;
       
  1458 
       
  1459 	/* we now just need to write the buffer */
       
  1460 	return ssl3_write_pending(s,type,buf,len);
       
  1461 err:
       
  1462 	return -1;
       
  1463 	}
       
  1464 
       
  1465 
       
  1466 
       
  1467 static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap,
       
  1468 	PQ_64BIT *seq_num)
       
  1469 	{
       
  1470 #if PQ_64BIT_IS_INTEGER
       
  1471 	PQ_64BIT mask = 0x0000000000000001L;
       
  1472 #endif
       
  1473 	PQ_64BIT rcd_num, tmp;
       
  1474 
       
  1475 	pq_64bit_init(&rcd_num);
       
  1476 	pq_64bit_init(&tmp);
       
  1477 
       
  1478 	/* this is the sequence number for the record just read */
       
  1479 	pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8);
       
  1480 
       
  1481 	
       
  1482 	if (pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) ||
       
  1483 		pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num)))
       
  1484 		{
       
  1485 		pq_64bit_assign(seq_num, &rcd_num);
       
  1486 		pq_64bit_free(&rcd_num);
       
  1487 		pq_64bit_free(&tmp);
       
  1488 		return 1;  /* this record is new */
       
  1489 		}
       
  1490 
       
  1491 	pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num);
       
  1492 
       
  1493 	if ( pq_64bit_get_word(&tmp) > bitmap->length)
       
  1494 		{
       
  1495 		pq_64bit_free(&rcd_num);
       
  1496 		pq_64bit_free(&tmp);
       
  1497 		return 0;  /* stale, outside the window */
       
  1498 		}
       
  1499 
       
  1500 #if PQ_64BIT_IS_BIGNUM
       
  1501 	{
       
  1502 	int offset;
       
  1503 	pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num);
       
  1504 	pq_64bit_sub_word(&tmp, 1);
       
  1505 	offset = pq_64bit_get_word(&tmp);
       
  1506 	if ( pq_64bit_is_bit_set(&(bitmap->map), offset))
       
  1507 		{
       
  1508 		pq_64bit_free(&rcd_num);
       
  1509 		pq_64bit_free(&tmp);
       
  1510 		return 0;
       
  1511 		}
       
  1512 	}
       
  1513 #else
       
  1514 	mask <<= (bitmap->max_seq_num - rcd_num - 1);
       
  1515 	if (bitmap->map & mask)
       
  1516 		return 0; /* record previously received */
       
  1517 #endif
       
  1518 	
       
  1519 	pq_64bit_assign(seq_num, &rcd_num);
       
  1520 	pq_64bit_free(&rcd_num);
       
  1521 	pq_64bit_free(&tmp);
       
  1522 	return 1;
       
  1523 	}
       
  1524 
       
  1525 
       
  1526 static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap)
       
  1527 	{
       
  1528 	unsigned int shift;
       
  1529 	PQ_64BIT rcd_num;
       
  1530 	PQ_64BIT tmp;
       
  1531 	PQ_64BIT_CTX *ctx;
       
  1532 
       
  1533 	pq_64bit_init(&rcd_num);
       
  1534 	pq_64bit_init(&tmp);
       
  1535 
       
  1536 	pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8);
       
  1537 
       
  1538 	/* unfortunate code complexity due to 64-bit manipulation support
       
  1539 	 * on 32-bit machines */
       
  1540 	if ( pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) ||
       
  1541 		pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num)))
       
  1542 		{
       
  1543 		pq_64bit_sub(&tmp, &rcd_num, &(bitmap->max_seq_num));
       
  1544 		pq_64bit_add_word(&tmp, 1);
       
  1545 
       
  1546 		shift = (unsigned int)pq_64bit_get_word(&tmp);
       
  1547 
       
  1548 		pq_64bit_lshift(&(tmp), &(bitmap->map), shift);
       
  1549 		pq_64bit_assign(&(bitmap->map), &tmp);
       
  1550 
       
  1551 		pq_64bit_set_bit(&(bitmap->map), 0);
       
  1552 		pq_64bit_add_word(&rcd_num, 1);
       
  1553 		pq_64bit_assign(&(bitmap->max_seq_num), &rcd_num);
       
  1554 
       
  1555 		pq_64bit_assign_word(&tmp, 1);
       
  1556 		pq_64bit_lshift(&tmp, &tmp, bitmap->length);
       
  1557 		ctx = pq_64bit_ctx_new(&ctx);
       
  1558 		pq_64bit_mod(&(bitmap->map), &(bitmap->map), &tmp, ctx);
       
  1559 		pq_64bit_ctx_free(ctx);
       
  1560 		}
       
  1561 	else
       
  1562 		{
       
  1563 		pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num);
       
  1564 		pq_64bit_sub_word(&tmp, 1);
       
  1565 		shift = (unsigned int)pq_64bit_get_word(&tmp);
       
  1566 
       
  1567 		pq_64bit_set_bit(&(bitmap->map), shift);
       
  1568 		}
       
  1569 
       
  1570 	pq_64bit_free(&rcd_num);
       
  1571 	pq_64bit_free(&tmp);
       
  1572 	}
       
  1573 
       
  1574 
       
  1575 int dtls1_dispatch_alert(SSL *s)
       
  1576 	{
       
  1577 	int i,j;
       
  1578 	void (*cb)(const SSL *ssl,int type,int val)=NULL;
       
  1579 	unsigned char buf[2 + 2 + 3]; /* alert level + alert desc + message seq +frag_off */
       
  1580 	unsigned char *ptr = &buf[0];
       
  1581 
       
  1582 	s->s3->alert_dispatch=0;
       
  1583 
       
  1584 	memset(buf, 0x00, sizeof(buf));
       
  1585 	*ptr++ = s->s3->send_alert[0];
       
  1586 	*ptr++ = s->s3->send_alert[1];
       
  1587 
       
  1588 	if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
       
  1589 		{	
       
  1590 		s2n(s->d1->handshake_read_seq, ptr);
       
  1591 #if 0
       
  1592 		if ( s->d1->r_msg_hdr.frag_off == 0)  /* waiting for a new msg */
       
  1593 
       
  1594 		else
       
  1595 			s2n(s->d1->r_msg_hdr.seq, ptr); /* partial msg read */
       
  1596 #endif
       
  1597 
       
  1598 #if 0
       
  1599 		fprintf(stderr, "s->d1->handshake_read_seq = %d, s->d1->r_msg_hdr.seq = %d\n",s->d1->handshake_read_seq,s->d1->r_msg_hdr.seq);
       
  1600 #endif
       
  1601 		l2n3(s->d1->r_msg_hdr.frag_off, ptr);
       
  1602 		}
       
  1603 
       
  1604 	i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0);
       
  1605 	if (i <= 0)
       
  1606 		{
       
  1607 		s->s3->alert_dispatch=1;
       
  1608 		/* fprintf( stderr, "not done with alert\n" ); */
       
  1609 		}
       
  1610 	else
       
  1611 		{
       
  1612 		if ( s->s3->send_alert[0] == SSL3_AL_FATAL ||
       
  1613 			s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
       
  1614 			(void)BIO_flush(s->wbio);
       
  1615 
       
  1616 		if (s->msg_callback)
       
  1617 			s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, 
       
  1618 				2, s, s->msg_callback_arg);
       
  1619 
       
  1620 		if (s->info_callback != NULL)
       
  1621 			cb=s->info_callback;
       
  1622 		else if (s->ctx->info_callback != NULL)
       
  1623 			cb=s->ctx->info_callback;
       
  1624 
       
  1625 		if (cb != NULL)
       
  1626 			{
       
  1627 			j=(s->s3->send_alert[0]<<8)|s->s3->send_alert[1];
       
  1628 			cb(s,SSL_CB_WRITE_ALERT,j);
       
  1629 			}
       
  1630 		}
       
  1631 	return(i);
       
  1632 	}
       
  1633 
       
  1634 
       
  1635 static DTLS1_BITMAP *
       
  1636 dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch)
       
  1637     {
       
  1638     
       
  1639     *is_next_epoch = 0;
       
  1640 
       
  1641     /* In current epoch, accept HM, CCS, DATA, & ALERT */
       
  1642     if (rr->epoch == s->d1->r_epoch)
       
  1643         return &s->d1->bitmap;
       
  1644 
       
  1645     /* Only HM and ALERT messages can be from the next epoch */
       
  1646     else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) &&
       
  1647         (rr->type == SSL3_RT_HANDSHAKE ||
       
  1648             rr->type == SSL3_RT_ALERT))
       
  1649         {
       
  1650         *is_next_epoch = 1;
       
  1651         return &s->d1->next_bitmap;
       
  1652         }
       
  1653 
       
  1654     return NULL;
       
  1655     }
       
  1656 
       
  1657 #if 0
       
  1658 static int
       
  1659 dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr, unsigned short *priority,
       
  1660 	unsigned long *offset)
       
  1661 	{
       
  1662 
       
  1663 	/* alerts are passed up immediately */
       
  1664 	if ( rr->type == SSL3_RT_APPLICATION_DATA ||
       
  1665 		rr->type == SSL3_RT_ALERT)
       
  1666 		return 0;
       
  1667 
       
  1668 	/* Only need to buffer if a handshake is underway.
       
  1669 	 * (this implies that Hello Request and Client Hello are passed up
       
  1670 	 * immediately) */
       
  1671 	if ( SSL_in_init(s))
       
  1672 		{
       
  1673 		unsigned char *data = rr->data;
       
  1674 		/* need to extract the HM/CCS sequence number here */
       
  1675 		if ( rr->type == SSL3_RT_HANDSHAKE ||
       
  1676 			rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
       
  1677 			{
       
  1678 			unsigned short seq_num;
       
  1679 			struct hm_header_st msg_hdr;
       
  1680 			struct ccs_header_st ccs_hdr;
       
  1681 
       
  1682 			if ( rr->type == SSL3_RT_HANDSHAKE)
       
  1683 				{
       
  1684 				dtls1_get_message_header(data, &msg_hdr);
       
  1685 				seq_num = msg_hdr.seq;
       
  1686 				*offset = msg_hdr.frag_off;
       
  1687 				}
       
  1688 			else
       
  1689 				{
       
  1690 				dtls1_get_ccs_header(data, &ccs_hdr);
       
  1691 				seq_num = ccs_hdr.seq;
       
  1692 				*offset = 0;
       
  1693 				}
       
  1694 				
       
  1695 			/* this is either a record we're waiting for, or a
       
  1696 			 * retransmit of something we happened to previously 
       
  1697 			 * receive (higher layers will drop the repeat silently */
       
  1698 			if ( seq_num < s->d1->handshake_read_seq)
       
  1699 				return 0;
       
  1700 			if (rr->type == SSL3_RT_HANDSHAKE && 
       
  1701 				seq_num == s->d1->handshake_read_seq &&
       
  1702 				msg_hdr.frag_off < s->d1->r_msg_hdr.frag_off)
       
  1703 				return 0;
       
  1704 			else if ( seq_num == s->d1->handshake_read_seq &&
       
  1705 				(rr->type == SSL3_RT_CHANGE_CIPHER_SPEC ||
       
  1706 					msg_hdr.frag_off == s->d1->r_msg_hdr.frag_off))
       
  1707 				return 0;
       
  1708 			else
       
  1709 				{
       
  1710 				*priority = seq_num;
       
  1711 				return 1;
       
  1712 				}
       
  1713 			}
       
  1714 		else /* unknown record type */
       
  1715 			return 0;
       
  1716 		}
       
  1717 
       
  1718 	return 0;
       
  1719 	}
       
  1720 #endif
       
  1721 
       
  1722 void
       
  1723 dtls1_reset_seq_numbers(SSL *s, int rw)
       
  1724 	{
       
  1725 	unsigned char *seq;
       
  1726 	unsigned int seq_bytes = sizeof(s->s3->read_sequence);
       
  1727 
       
  1728 	if ( rw & SSL3_CC_READ)
       
  1729 		{
       
  1730 		seq = s->s3->read_sequence;
       
  1731 		s->d1->r_epoch++;
       
  1732 
       
  1733 		pq_64bit_assign(&(s->d1->bitmap.map), &(s->d1->next_bitmap.map));
       
  1734 		s->d1->bitmap.length = s->d1->next_bitmap.length;
       
  1735 		pq_64bit_assign(&(s->d1->bitmap.max_seq_num), 
       
  1736 			&(s->d1->next_bitmap.max_seq_num));
       
  1737 
       
  1738 		pq_64bit_free(&(s->d1->next_bitmap.map));
       
  1739 		pq_64bit_free(&(s->d1->next_bitmap.max_seq_num));
       
  1740 		memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP));
       
  1741 		pq_64bit_init(&(s->d1->next_bitmap.map));
       
  1742 		pq_64bit_init(&(s->d1->next_bitmap.max_seq_num));
       
  1743 		}
       
  1744 	else
       
  1745 		{
       
  1746 		seq = s->s3->write_sequence;
       
  1747 		s->d1->w_epoch++;
       
  1748 		}
       
  1749 
       
  1750 	memset(seq, 0x00, seq_bytes);
       
  1751 	}
       
  1752 
       
  1753 #if PQ_64BIT_IS_INTEGER
       
  1754 static PQ_64BIT
       
  1755 bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num)
       
  1756        {
       
  1757        PQ_64BIT _num;
       
  1758 
       
  1759        _num = (((PQ_64BIT)bytes[0]) << 56) |
       
  1760                (((PQ_64BIT)bytes[1]) << 48) |
       
  1761                (((PQ_64BIT)bytes[2]) << 40) |
       
  1762                (((PQ_64BIT)bytes[3]) << 32) |
       
  1763                (((PQ_64BIT)bytes[4]) << 24) |
       
  1764                (((PQ_64BIT)bytes[5]) << 16) |
       
  1765                (((PQ_64BIT)bytes[6]) <<  8) |
       
  1766                (((PQ_64BIT)bytes[7])      );
       
  1767 
       
  1768 	   *num = _num ;
       
  1769        return _num;
       
  1770        }
       
  1771 #endif
       
  1772 
       
  1773 
       
  1774 static void
       
  1775 dtls1_clear_timeouts(SSL *s)
       
  1776 	{
       
  1777 	memset(&(s->d1->timeout), 0x00, sizeof(struct dtls1_timeout_st));
       
  1778 	}