Fix return code for truncated DTLS fragment.
[openssl.git] / ssl / d1_both.c
1 /* ssl/d1_both.c */
2 /* 
3  * DTLS implementation written by Nagendra Modadugu
4  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
5  */
6 /* ====================================================================
7  * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  *
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer. 
15  *
16  * 2. Redistributions in binary form must reproduce the above copyright
17  *    notice, this list of conditions and the following disclaimer in
18  *    the documentation and/or other materials provided with the
19  *    distribution.
20  *
21  * 3. All advertising materials mentioning features or use of this
22  *    software must display the following acknowledgment:
23  *    "This product includes software developed by the OpenSSL Project
24  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
25  *
26  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27  *    endorse or promote products derived from this software without
28  *    prior written permission. For written permission, please contact
29  *    openssl-core@openssl.org.
30  *
31  * 5. Products derived from this software may not be called "OpenSSL"
32  *    nor may "OpenSSL" appear in their names without prior written
33  *    permission of the OpenSSL Project.
34  *
35  * 6. Redistributions of any form whatsoever must retain the following
36  *    acknowledgment:
37  *    "This product includes software developed by the OpenSSL Project
38  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
44  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51  * OF THE POSSIBILITY OF SUCH DAMAGE.
52  * ====================================================================
53  *
54  * This product includes cryptographic software written by Eric Young
55  * (eay@cryptsoft.com).  This product includes software written by Tim
56  * Hudson (tjh@cryptsoft.com).
57  *
58  */
59 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
60  * All rights reserved.
61  *
62  * This package is an SSL implementation written
63  * by Eric Young (eay@cryptsoft.com).
64  * The implementation was written so as to conform with Netscapes SSL.
65  * 
66  * This library is free for commercial and non-commercial use as long as
67  * the following conditions are aheared to.  The following conditions
68  * apply to all code found in this distribution, be it the RC4, RSA,
69  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
70  * included with this distribution is covered by the same copyright terms
71  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
72  * 
73  * Copyright remains Eric Young's, and as such any Copyright notices in
74  * the code are not to be removed.
75  * If this package is used in a product, Eric Young should be given attribution
76  * as the author of the parts of the library used.
77  * This can be in the form of a textual message at program startup or
78  * in documentation (online or textual) provided with the package.
79  * 
80  * Redistribution and use in source and binary forms, with or without
81  * modification, are permitted provided that the following conditions
82  * are met:
83  * 1. Redistributions of source code must retain the copyright
84  *    notice, this list of conditions and the following disclaimer.
85  * 2. Redistributions in binary form must reproduce the above copyright
86  *    notice, this list of conditions and the following disclaimer in the
87  *    documentation and/or other materials provided with the distribution.
88  * 3. All advertising materials mentioning features or use of this software
89  *    must display the following acknowledgement:
90  *    "This product includes cryptographic software written by
91  *     Eric Young (eay@cryptsoft.com)"
92  *    The word 'cryptographic' can be left out if the rouines from the library
93  *    being used are not cryptographic related :-).
94  * 4. If you include any Windows specific code (or a derivative thereof) from 
95  *    the apps directory (application code) you must include an acknowledgement:
96  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
97  * 
98  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
99  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
100  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
101  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
102  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
103  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
104  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
105  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
106  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
107  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
108  * SUCH DAMAGE.
109  * 
110  * The licence and distribution terms for any publically available version or
111  * derivative of this code cannot be changed.  i.e. this code cannot simply be
112  * copied and put under another distribution licence
113  * [including the GNU Public Licence.]
114  */
115
116 #include <limits.h>
117 #include <string.h>
118 #include <stdio.h>
119 #include "ssl_locl.h"
120 #include <openssl/buffer.h>
121 #include <openssl/rand.h>
122 #include <openssl/objects.h>
123 #include <openssl/evp.h>
124 #include <openssl/x509.h>
125
126 #define RSMBLY_BITMASK_SIZE(msg_len) (((msg_len) + 7) / 8)
127
128 #define RSMBLY_BITMASK_MARK(bitmask, start, end) { \
129                         if ((end) - (start) <= 8) { \
130                                 long ii; \
131                                 for (ii = (start); ii < (end); ii++) bitmask[((ii) >> 3)] |= (1 << ((ii) & 7)); \
132                         } else { \
133                                 long ii; \
134                                 bitmask[((start) >> 3)] |= bitmask_start_values[((start) & 7)]; \
135                                 for (ii = (((start) >> 3) + 1); ii < ((((end) - 1)) >> 3); ii++) bitmask[ii] = 0xff; \
136                                 bitmask[(((end) - 1) >> 3)] |= bitmask_end_values[((end) & 7)]; \
137                         } }
138
139 #define RSMBLY_BITMASK_IS_COMPLETE(bitmask, msg_len, is_complete) { \
140                         long ii; \
141                         OPENSSL_assert((msg_len) > 0); \
142                         is_complete = 1; \
143                         if (bitmask[(((msg_len) - 1) >> 3)] != bitmask_end_values[((msg_len) & 7)]) is_complete = 0; \
144                         if (is_complete) for (ii = (((msg_len) - 1) >> 3) - 1; ii >= 0 ; ii--) \
145                                 if (bitmask[ii] != 0xff) { is_complete = 0; break; } }
146
147 #if 0
148 #define RSMBLY_BITMASK_PRINT(bitmask, msg_len) { \
149                         long ii; \
150                         printf("bitmask: "); for (ii = 0; ii < (msg_len); ii++) \
151                         printf("%d ", (bitmask[ii >> 3] & (1 << (ii & 7))) >> (ii & 7)); \
152                         printf("\n"); }
153 #endif
154
155 static unsigned char bitmask_start_values[] = {0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80};
156 static unsigned char bitmask_end_values[]   = {0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f};
157
158 /* XDTLS:  figure out the right values */
159 static unsigned int g_probable_mtu[] = {1500 - 28, 512 - 28, 256 - 28};
160
161 static unsigned int dtls1_guess_mtu(unsigned int curr_mtu);
162 static void dtls1_fix_message_header(SSL *s, unsigned long frag_off, 
163         unsigned long frag_len);
164 static unsigned char *dtls1_write_message_header(SSL *s,
165         unsigned char *p);
166 static void dtls1_set_message_header_int(SSL *s, unsigned char mt,
167         unsigned long len, unsigned short seq_num, unsigned long frag_off, 
168         unsigned long frag_len);
169 static long dtls1_get_message_fragment(SSL *s, int st1, int stn, 
170         long max, int *ok);
171
172 static hm_fragment *
173 dtls1_hm_fragment_new(unsigned long frag_len, int reassembly)
174         {
175         hm_fragment *frag = NULL;
176         unsigned char *buf = NULL;
177         unsigned char *bitmask = NULL;
178
179         frag = (hm_fragment *)OPENSSL_malloc(sizeof(hm_fragment));
180         if ( frag == NULL)
181                 return NULL;
182
183         if (frag_len)
184                 {
185                 buf = (unsigned char *)OPENSSL_malloc(frag_len);
186                 if ( buf == NULL)
187                         {
188                         OPENSSL_free(frag);
189                         return NULL;
190                         }
191                 }
192
193         /* zero length fragment gets zero frag->fragment */
194         frag->fragment = buf;
195
196         /* Initialize reassembly bitmask if necessary */
197         if (reassembly)
198                 {
199                 bitmask = (unsigned char *)OPENSSL_malloc(RSMBLY_BITMASK_SIZE(frag_len));
200                 if (bitmask == NULL)
201                         {
202                         if (buf != NULL) OPENSSL_free(buf);
203                         OPENSSL_free(frag);
204                         return NULL;
205                         }
206                 memset(bitmask, 0, RSMBLY_BITMASK_SIZE(frag_len));
207                 }
208
209         frag->reassembly = bitmask;
210
211         return frag;
212         }
213
214 static void
215 dtls1_hm_fragment_free(hm_fragment *frag)
216         {
217
218         if (frag->msg_header.is_ccs)
219                 {
220                 EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state.enc_write_ctx);
221                 EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash);
222                 }
223         if (frag->fragment) OPENSSL_free(frag->fragment);
224         if (frag->reassembly) OPENSSL_free(frag->reassembly);
225         OPENSSL_free(frag);
226         }
227
228 /* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */
229 int dtls1_do_write(SSL *s, int type)
230         {
231         int ret;
232         int curr_mtu;
233         unsigned int len, frag_off, mac_size, blocksize;
234
235         /* AHA!  Figure out the MTU, and stick to the right size */
236         if (s->d1->mtu < dtls1_min_mtu() && !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU))
237                 {
238                 s->d1->mtu = 
239                         BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
240
241                 /* I've seen the kernel return bogus numbers when it doesn't know
242                  * (initial write), so just make sure we have a reasonable number */
243                 if (s->d1->mtu < dtls1_min_mtu())
244                         {
245                         s->d1->mtu = 0;
246                         s->d1->mtu = dtls1_guess_mtu(s->d1->mtu);
247                         BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SET_MTU, 
248                                 s->d1->mtu, NULL);
249                         }
250                 }
251 #if 0 
252         mtu = s->d1->mtu;
253
254         fprintf(stderr, "using MTU = %d\n", mtu);
255
256         mtu -= (DTLS1_HM_HEADER_LENGTH + DTLS1_RT_HEADER_LENGTH);
257
258         curr_mtu = mtu - BIO_wpending(SSL_get_wbio(s));
259
260         if ( curr_mtu > 0)
261                 mtu = curr_mtu;
262         else if ( ( ret = BIO_flush(SSL_get_wbio(s))) <= 0)
263                 return ret;
264
265         if ( BIO_wpending(SSL_get_wbio(s)) + s->init_num >= mtu)
266                 {
267                 ret = BIO_flush(SSL_get_wbio(s));
268                 if ( ret <= 0)
269                         return ret;
270                 mtu = s->d1->mtu - (DTLS1_HM_HEADER_LENGTH + DTLS1_RT_HEADER_LENGTH);
271                 }
272 #endif
273
274         OPENSSL_assert(s->d1->mtu >= dtls1_min_mtu());  /* should have something reasonable now */
275
276         if ( s->init_off == 0  && type == SSL3_RT_HANDSHAKE)
277                 OPENSSL_assert(s->init_num == 
278                         (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH);
279
280         if (s->write_hash)
281                 mac_size = EVP_MD_CTX_size(s->write_hash);
282         else
283                 mac_size = 0;
284
285         if (s->enc_write_ctx && 
286                 (EVP_CIPHER_mode( s->enc_write_ctx->cipher) & EVP_CIPH_CBC_MODE))
287                 blocksize = 2 * EVP_CIPHER_block_size(s->enc_write_ctx->cipher);
288         else
289                 blocksize = 0;
290
291         frag_off = 0;
292         while( s->init_num)
293                 {
294                 curr_mtu = s->d1->mtu - BIO_wpending(SSL_get_wbio(s)) - 
295                         DTLS1_RT_HEADER_LENGTH - mac_size - blocksize;
296
297                 if ( curr_mtu <= DTLS1_HM_HEADER_LENGTH)
298                         {
299                         /* grr.. we could get an error if MTU picked was wrong */
300                         ret = BIO_flush(SSL_get_wbio(s));
301                         if ( ret <= 0)
302                                 return ret;
303                         curr_mtu = s->d1->mtu - DTLS1_RT_HEADER_LENGTH -
304                                 mac_size - blocksize;
305                         }
306
307                 if ( s->init_num > curr_mtu)
308                         len = curr_mtu;
309                 else
310                         len = s->init_num;
311
312
313                 /* XDTLS: this function is too long.  split out the CCS part */
314                 if ( type == SSL3_RT_HANDSHAKE)
315                         {
316                         if ( s->init_off != 0)
317                                 {
318                                 OPENSSL_assert(s->init_off > DTLS1_HM_HEADER_LENGTH);
319                                 s->init_off -= DTLS1_HM_HEADER_LENGTH;
320                                 s->init_num += DTLS1_HM_HEADER_LENGTH;
321
322                                 if ( s->init_num > curr_mtu)
323                                         len = curr_mtu;
324                                 else
325                                         len = s->init_num;
326                                 }
327
328                         dtls1_fix_message_header(s, frag_off, 
329                                 len - DTLS1_HM_HEADER_LENGTH);
330
331                         dtls1_write_message_header(s, (unsigned char *)&s->init_buf->data[s->init_off]);
332
333                         OPENSSL_assert(len >= DTLS1_HM_HEADER_LENGTH);
334                         }
335
336                 ret=dtls1_write_bytes(s,type,&s->init_buf->data[s->init_off],
337                         len);
338                 if (ret < 0)
339                         {
340                         /* might need to update MTU here, but we don't know
341                          * which previous packet caused the failure -- so can't
342                          * really retransmit anything.  continue as if everything
343                          * is fine and wait for an alert to handle the
344                          * retransmit 
345                          */
346                         if ( BIO_ctrl(SSL_get_wbio(s),
347                                 BIO_CTRL_DGRAM_MTU_EXCEEDED, 0, NULL) > 0 )
348                                 s->d1->mtu = BIO_ctrl(SSL_get_wbio(s),
349                                         BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
350                         else
351                                 return(-1);
352                         }
353                 else
354                         {
355
356                         /* bad if this assert fails, only part of the handshake
357                          * message got sent.  but why would this happen? */
358                         OPENSSL_assert(len == (unsigned int)ret);
359
360                         if (type == SSL3_RT_HANDSHAKE && ! s->d1->retransmitting)
361                                 {
362                                 /* should not be done for 'Hello Request's, but in that case
363                                  * we'll ignore the result anyway */
364                                 unsigned char *p = (unsigned char *)&s->init_buf->data[s->init_off];
365                                 const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
366                                 int xlen;
367
368                                 if (frag_off == 0 && s->version != DTLS1_BAD_VER)
369                                         {
370                                         /* reconstruct message header is if it
371                                          * is being sent in single fragment */
372                                         *p++ = msg_hdr->type;
373                                         l2n3(msg_hdr->msg_len,p);
374                                         s2n (msg_hdr->seq,p);
375                                         l2n3(0,p);
376                                         l2n3(msg_hdr->msg_len,p);
377                                         p  -= DTLS1_HM_HEADER_LENGTH;
378                                         xlen = ret;
379                                         }
380                                 else
381                                         {
382                                         p  += DTLS1_HM_HEADER_LENGTH;
383                                         xlen = ret - DTLS1_HM_HEADER_LENGTH;
384                                         }
385
386                                 ssl3_finish_mac(s, p, xlen);
387                                 }
388
389                         if (ret == s->init_num)
390                                 {
391                                 if (s->msg_callback)
392                                         s->msg_callback(1, s->version, type, s->init_buf->data, 
393                                                 (size_t)(s->init_off + s->init_num), s, 
394                                                 s->msg_callback_arg);
395
396                                 s->init_off = 0;  /* done writing this message */
397                                 s->init_num = 0;
398
399                                 return(1);
400                                 }
401                         s->init_off+=ret;
402                         s->init_num-=ret;
403                         frag_off += (ret -= DTLS1_HM_HEADER_LENGTH);
404                         }
405                 }
406         return(0);
407         }
408
409
410 /* Obtain handshake message of message type 'mt' (any if mt == -1),
411  * maximum acceptable body length 'max'.
412  * Read an entire handshake message.  Handshake messages arrive in
413  * fragments.
414  */
415 long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
416         {
417         int i, al;
418         struct hm_header_st *msg_hdr;
419         unsigned char *p;
420         unsigned long msg_len;
421
422         /* s3->tmp is used to store messages that are unexpected, caused
423          * by the absence of an optional handshake message */
424         if (s->s3->tmp.reuse_message)
425                 {
426                 s->s3->tmp.reuse_message=0;
427                 if ((mt >= 0) && (s->s3->tmp.message_type != mt))
428                         {
429                         al=SSL_AD_UNEXPECTED_MESSAGE;
430                         SSLerr(SSL_F_DTLS1_GET_MESSAGE,SSL_R_UNEXPECTED_MESSAGE);
431                         goto f_err;
432                         }
433                 *ok=1;
434                 s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
435                 s->init_num = (int)s->s3->tmp.message_size;
436                 return s->init_num;
437                 }
438
439         msg_hdr = &s->d1->r_msg_hdr;
440         memset(msg_hdr, 0x00, sizeof(struct hm_header_st));
441
442 again:
443         i = dtls1_get_message_fragment(s, st1, stn, max, ok);
444         if ( i == DTLS1_HM_BAD_FRAGMENT ||
445                 i == DTLS1_HM_FRAGMENT_RETRY)  /* bad fragment received */
446                 goto again;
447         else if ( i <= 0 && !*ok)
448                 return i;
449
450         p = (unsigned char *)s->init_buf->data;
451         msg_len = msg_hdr->msg_len;
452
453         /* reconstruct message header */
454         *(p++) = msg_hdr->type;
455         l2n3(msg_len,p);
456         s2n (msg_hdr->seq,p);
457         l2n3(0,p);
458         l2n3(msg_len,p);
459         if (s->version != DTLS1_BAD_VER) {
460                 p       -= DTLS1_HM_HEADER_LENGTH;
461                 msg_len += DTLS1_HM_HEADER_LENGTH;
462         }
463
464         ssl3_finish_mac(s, p, msg_len);
465         if (s->msg_callback)
466                 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
467                         p, msg_len,
468                         s, s->msg_callback_arg);
469
470         memset(msg_hdr, 0x00, sizeof(struct hm_header_st));
471
472         /* Don't change sequence numbers while listening */
473         if (!s->d1->listen)
474                 s->d1->handshake_read_seq++;
475
476         s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
477         return s->init_num;
478
479 f_err:
480         ssl3_send_alert(s,SSL3_AL_FATAL,al);
481         *ok = 0;
482         return -1;
483         }
484
485
486 static int dtls1_preprocess_fragment(SSL *s,struct hm_header_st *msg_hdr,int max)
487         {
488         size_t frag_off,frag_len,msg_len;
489
490         msg_len  = msg_hdr->msg_len;
491         frag_off = msg_hdr->frag_off;
492         frag_len = msg_hdr->frag_len;
493
494         /* sanity checking */
495         if ( (frag_off+frag_len) > msg_len)
496                 {
497                 SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT,SSL_R_EXCESSIVE_MESSAGE_SIZE);
498                 return SSL_AD_ILLEGAL_PARAMETER;
499                 }
500
501         if ( (frag_off+frag_len) > (unsigned long)max)
502                 {
503                 SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT,SSL_R_EXCESSIVE_MESSAGE_SIZE);
504                 return SSL_AD_ILLEGAL_PARAMETER;
505                 }
506
507         if ( s->d1->r_msg_hdr.frag_off == 0) /* first fragment */
508                 {
509                 /* msg_len is limited to 2^24, but is effectively checked
510                  * against max above */
511                 if (!BUF_MEM_grow_clean(s->init_buf,msg_len+DTLS1_HM_HEADER_LENGTH))
512                         {
513                         SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT,ERR_R_BUF_LIB);
514                         return SSL_AD_INTERNAL_ERROR;
515                         }
516
517                 s->s3->tmp.message_size  = msg_len;
518                 s->d1->r_msg_hdr.msg_len = msg_len;
519                 s->s3->tmp.message_type  = msg_hdr->type;
520                 s->d1->r_msg_hdr.type    = msg_hdr->type;
521                 s->d1->r_msg_hdr.seq     = msg_hdr->seq;
522                 }
523         else if (msg_len != s->d1->r_msg_hdr.msg_len)
524                 {
525                 /* They must be playing with us! BTW, failure to enforce
526                  * upper limit would open possibility for buffer overrun. */
527                 SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT,SSL_R_EXCESSIVE_MESSAGE_SIZE);
528                 return SSL_AD_ILLEGAL_PARAMETER;
529                 }
530
531         return 0; /* no error */
532         }
533
534
535 static int
536 dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
537         {
538         /* (0) check whether the desired fragment is available
539          * if so:
540          * (1) copy over the fragment to s->init_buf->data[]
541          * (2) update s->init_num
542          */
543         pitem *item;
544         hm_fragment *frag;
545         int al;
546
547         *ok = 0;
548         item = pqueue_peek(s->d1->buffered_messages);
549         if ( item == NULL)
550                 return 0;
551
552         frag = (hm_fragment *)item->data;
553         
554         /* Don't return if reassembly still in progress */
555         if (frag->reassembly != NULL)
556                 return 0;
557
558         if ( s->d1->handshake_read_seq == frag->msg_header.seq)
559                 {
560                 unsigned long frag_len = frag->msg_header.frag_len;
561                 pqueue_pop(s->d1->buffered_messages);
562
563                 al=dtls1_preprocess_fragment(s,&frag->msg_header,max);
564
565                 if (al==0) /* no alert */
566                         {
567                         unsigned char *p = (unsigned char *)s->init_buf->data+DTLS1_HM_HEADER_LENGTH;
568                         memcpy(&p[frag->msg_header.frag_off],
569                                 frag->fragment,frag->msg_header.frag_len);
570                         }
571
572                 dtls1_hm_fragment_free(frag);
573                 pitem_free(item);
574
575                 if (al==0)
576                         {
577                         *ok = 1;
578                         return frag_len;
579                         }
580
581                 ssl3_send_alert(s,SSL3_AL_FATAL,al);
582                 s->init_num = 0;
583                 *ok = 0;
584                 return -1;
585                 }
586         else
587                 return 0;
588         }
589
590 /* dtls1_max_handshake_message_len returns the maximum number of bytes
591  * permitted in a DTLS handshake message for |s|. The minimum is 16KB, but may
592  * be greater if the maximum certificate list size requires it. */
593 static unsigned long dtls1_max_handshake_message_len(const SSL *s)
594         {
595         unsigned long max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
596         if (max_len < (unsigned long)s->max_cert_list)
597                 return s->max_cert_list;
598         return max_len;
599         }
600
601 static int
602 dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
603         {
604         hm_fragment *frag = NULL;
605         pitem *item = NULL;
606         int i = -1, is_complete;
607         unsigned char seq64be[8];
608         unsigned long frag_len = msg_hdr->frag_len;
609
610         if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len ||
611             msg_hdr->msg_len > dtls1_max_handshake_message_len(s))
612                 goto err;
613
614         if (frag_len == 0)
615                 return DTLS1_HM_FRAGMENT_RETRY;
616
617         /* Try to find item in queue */
618         memset(seq64be,0,sizeof(seq64be));
619         seq64be[6] = (unsigned char) (msg_hdr->seq>>8);
620         seq64be[7] = (unsigned char) msg_hdr->seq;
621         item = pqueue_find(s->d1->buffered_messages, seq64be);
622
623         if (item == NULL)
624                 {
625                 frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 1);
626                 if ( frag == NULL)
627                         goto err;
628                 memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
629                 frag->msg_header.frag_len = frag->msg_header.msg_len;
630                 frag->msg_header.frag_off = 0;
631                 }
632         else
633                 {
634                 frag = (hm_fragment*) item->data;
635                 if (frag->msg_header.msg_len != msg_hdr->msg_len)
636                         {
637                         item = NULL;
638                         frag = NULL;
639                         goto err;
640                         }
641                 }
642
643
644         /* If message is already reassembled, this must be a
645          * retransmit and can be dropped. In this case item != NULL and so frag
646          * does not need to be freed.
647          */
648         if (frag->reassembly == NULL)
649                 {
650                 unsigned char devnull [256];
651
652                 while (frag_len)
653                         {
654                         i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
655                                 devnull,
656                                 frag_len>sizeof(devnull)?sizeof(devnull):frag_len,0);
657                         if (i<=0) goto err;
658                         frag_len -= i;
659                         }
660                 return DTLS1_HM_FRAGMENT_RETRY;
661                 }
662
663         /* read the body of the fragment (header has already been read */
664         i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
665                 frag->fragment + msg_hdr->frag_off,frag_len,0);
666         if (i<=0 || (unsigned long)i!=frag_len)
667                 goto err;
668
669         RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off,
670                             (long)(msg_hdr->frag_off + frag_len));
671
672         RSMBLY_BITMASK_IS_COMPLETE(frag->reassembly, (long)msg_hdr->msg_len,
673                                    is_complete);
674
675         if (is_complete)
676                 {
677                 OPENSSL_free(frag->reassembly);
678                 frag->reassembly = NULL;
679                 }
680
681         if (item == NULL)
682                 {
683                 memset(seq64be,0,sizeof(seq64be));
684                 seq64be[6] = (unsigned char)(msg_hdr->seq>>8);
685                 seq64be[7] = (unsigned char)(msg_hdr->seq);
686
687                 item = pitem_new(seq64be, frag);
688                 if (item == NULL)
689                         {
690                         i = -1;
691                         goto err;
692                         }
693
694                 item = pqueue_insert(s->d1->buffered_messages, item);
695                 /* pqueue_insert fails iff a duplicate item is inserted.
696                  * However, |item| cannot be a duplicate. If it were,
697                  * |pqueue_find|, above, would have returned it and control
698                  * would never have reached this branch. */
699                 OPENSSL_assert(item != NULL);
700                 }
701
702         return DTLS1_HM_FRAGMENT_RETRY;
703
704 err:
705         if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag);
706         *ok = 0;
707         return i;
708         }
709
710
711 static int
712 dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
713 {
714         int i=-1;
715         hm_fragment *frag = NULL;
716         pitem *item = NULL;
717         unsigned char seq64be[8];
718         unsigned long frag_len = msg_hdr->frag_len;
719
720         if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
721                 goto err;
722
723         /* Try to find item in queue, to prevent duplicate entries */
724         memset(seq64be,0,sizeof(seq64be));
725         seq64be[6] = (unsigned char) (msg_hdr->seq>>8);
726         seq64be[7] = (unsigned char) msg_hdr->seq;
727         item = pqueue_find(s->d1->buffered_messages, seq64be);
728
729         /* If we already have an entry and this one is a fragment,
730          * don't discard it and rather try to reassemble it.
731          */
732         if (item != NULL && frag_len < msg_hdr->msg_len)
733                 item = NULL;
734
735         /* Discard the message if sequence number was already there, is
736          * too far in the future, already in the queue or if we received
737          * a FINISHED before the SERVER_HELLO, which then must be a stale
738          * retransmit.
739          */
740         if (msg_hdr->seq <= s->d1->handshake_read_seq ||
741                 msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL ||
742                 (s->d1->handshake_read_seq == 0 && msg_hdr->type == SSL3_MT_FINISHED))
743                 {
744                 unsigned char devnull [256];
745
746                 while (frag_len)
747                         {
748                         i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
749                                 devnull,
750                                 frag_len>sizeof(devnull)?sizeof(devnull):frag_len,0);
751                         if (i<=0) goto err;
752                         frag_len -= i;
753                         }
754                 }
755         else
756                 {
757                 if (frag_len < msg_hdr->msg_len)
758                         return dtls1_reassemble_fragment(s, msg_hdr, ok);
759
760                 if (frag_len > dtls1_max_handshake_message_len(s))
761                         goto err;
762
763                 frag = dtls1_hm_fragment_new(frag_len, 0);
764                 if ( frag == NULL)
765                         goto err;
766
767                 memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
768
769                 if (frag_len)
770                         {
771                         /* read the body of the fragment (header has already been read */
772                         i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
773                                 frag->fragment,frag_len,0);
774                         if ((unsigned long)i!=frag_len)
775                                 i = -1;
776                         if (i<=0)
777                                 goto err;
778                         }
779
780                 memset(seq64be,0,sizeof(seq64be));
781                 seq64be[6] = (unsigned char)(msg_hdr->seq>>8);
782                 seq64be[7] = (unsigned char)(msg_hdr->seq);
783
784                 item = pitem_new(seq64be, frag);
785                 if ( item == NULL)
786                         goto err;
787
788                 item = pqueue_insert(s->d1->buffered_messages, item);
789                 /* pqueue_insert fails iff a duplicate item is inserted.
790                  * However, |item| cannot be a duplicate. If it were,
791                  * |pqueue_find|, above, would have returned it. Then, either
792                  * |frag_len| != |msg_hdr->msg_len| in which case |item| is set
793                  * to NULL and it will have been processed with
794                  * |dtls1_reassemble_fragment|, above, or the record will have
795                  * been discarded. */
796                 OPENSSL_assert(item != NULL);
797                 }
798
799         return DTLS1_HM_FRAGMENT_RETRY;
800
801 err:
802         if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag);
803         *ok = 0;
804         return i;
805         }
806
807
808 static long
809 dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
810         {
811         unsigned char wire[DTLS1_HM_HEADER_LENGTH];
812         unsigned long len, frag_off, frag_len;
813         int i,al;
814         struct hm_header_st msg_hdr;
815
816         redo:
817         /* see if we have the required fragment already */
818         if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok)
819                 {
820                 if (*ok)        s->init_num = frag_len;
821                 return frag_len;
822                 }
823
824         /* read handshake message header */
825         i=s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,wire,
826                 DTLS1_HM_HEADER_LENGTH, 0);
827         if (i <= 0)     /* nbio, or an error */
828                 {
829                 s->rwstate=SSL_READING;
830                 *ok = 0;
831                 return i;
832                 }
833         /* Handshake fails if message header is incomplete */
834         if (i != DTLS1_HM_HEADER_LENGTH)
835                 {
836                 al=SSL_AD_UNEXPECTED_MESSAGE;
837                 SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_UNEXPECTED_MESSAGE);
838                 goto f_err;
839                 }
840
841         /* parse the message fragment header */
842         dtls1_get_message_header(wire, &msg_hdr);
843
844         /* 
845          * if this is a future (or stale) message it gets buffered
846          * (or dropped)--no further processing at this time
847          * While listening, we accept seq 1 (ClientHello with cookie)
848          * although we're still expecting seq 0 (ClientHello)
849          */
850         if (msg_hdr.seq != s->d1->handshake_read_seq && !(s->d1->listen && msg_hdr.seq == 1))
851                 return dtls1_process_out_of_seq_message(s, &msg_hdr, ok);
852
853         len = msg_hdr.msg_len;
854         frag_off = msg_hdr.frag_off;
855         frag_len = msg_hdr.frag_len;
856
857         if (frag_len && frag_len < len)
858                 return dtls1_reassemble_fragment(s, &msg_hdr, ok);
859
860         if (!s->server && s->d1->r_msg_hdr.frag_off == 0 &&
861                 wire[0] == SSL3_MT_HELLO_REQUEST)
862                 {
863                 /* The server may always send 'Hello Request' messages --
864                  * we are doing a handshake anyway now, so ignore them
865                  * if their format is correct. Does not count for
866                  * 'Finished' MAC. */
867                 if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0)
868                         {
869                         if (s->msg_callback)
870                                 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 
871                                         wire, DTLS1_HM_HEADER_LENGTH, s, 
872                                         s->msg_callback_arg);
873                         
874                         s->init_num = 0;
875                         goto redo;
876                         }
877                 else /* Incorrectly formated Hello request */
878                         {
879                         al=SSL_AD_UNEXPECTED_MESSAGE;
880                         SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_UNEXPECTED_MESSAGE);
881                         goto f_err;
882                         }
883                 }
884
885         if ((al=dtls1_preprocess_fragment(s,&msg_hdr,max)))
886                 goto f_err;
887
888         /* XDTLS:  ressurect this when restart is in place */
889         s->state=stn;
890
891         if ( frag_len > 0)
892                 {
893                 unsigned char *p=(unsigned char *)s->init_buf->data+DTLS1_HM_HEADER_LENGTH;
894
895                 i=s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
896                         &p[frag_off],frag_len,0);
897                 /* XDTLS:  fix this--message fragments cannot span multiple packets */
898                 if (i <= 0)
899                         {
900                         s->rwstate=SSL_READING;
901                         *ok = 0;
902                         return i;
903                         }
904                 }
905         else
906                 i = 0;
907
908         /* XDTLS:  an incorrectly formatted fragment should cause the 
909          * handshake to fail */
910         if (i != (int)frag_len)
911                 {
912                 al=SSL3_AD_ILLEGAL_PARAMETER;
913                 SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL3_AD_ILLEGAL_PARAMETER);
914                 goto f_err;
915                 }
916
917         *ok = 1;
918
919         /* Note that s->init_num is *not* used as current offset in
920          * s->init_buf->data, but as a counter summing up fragments'
921          * lengths: as soon as they sum up to handshake packet
922          * length, we assume we have got all the fragments. */
923         s->init_num = frag_len;
924         return frag_len;
925
926 f_err:
927         ssl3_send_alert(s,SSL3_AL_FATAL,al);
928         s->init_num = 0;
929
930         *ok=0;
931         return(-1);
932         }
933
934 int dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen)
935         {
936         unsigned char *p,*d;
937         int i;
938         unsigned long l;
939
940         if (s->state == a)
941                 {
942                 d=(unsigned char *)s->init_buf->data;
943                 p= &(d[DTLS1_HM_HEADER_LENGTH]);
944
945                 i=s->method->ssl3_enc->final_finish_mac(s,
946                         sender,slen,s->s3->tmp.finish_md);
947                 s->s3->tmp.finish_md_len = i;
948                 memcpy(p, s->s3->tmp.finish_md, i);
949                 p+=i;
950                 l=i;
951
952         /* Copy the finished so we can use it for
953          * renegotiation checks
954          */
955         if(s->type == SSL_ST_CONNECT)
956                 {
957                 OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
958                 memcpy(s->s3->previous_client_finished, 
959                        s->s3->tmp.finish_md, i);
960                 s->s3->previous_client_finished_len=i;
961                 }
962         else
963                 {
964                 OPENSSL_assert(i <= EVP_MAX_MD_SIZE);
965                 memcpy(s->s3->previous_server_finished, 
966                        s->s3->tmp.finish_md, i);
967                 s->s3->previous_server_finished_len=i;
968                 }
969
970 #ifdef OPENSSL_SYS_WIN16
971                 /* MSVC 1.5 does not clear the top bytes of the word unless
972                  * I do this.
973                  */
974                 l&=0xffff;
975 #endif
976
977                 d = dtls1_set_message_header(s, d, SSL3_MT_FINISHED, l, 0, l);
978                 s->init_num=(int)l+DTLS1_HM_HEADER_LENGTH;
979                 s->init_off=0;
980
981                 /* buffer the message to handle re-xmits */
982                 dtls1_buffer_message(s, 0);
983
984                 s->state=b;
985                 }
986
987         /* SSL3_ST_SEND_xxxxxx_HELLO_B */
988         return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
989         }
990
991 /* for these 2 messages, we need to
992  * ssl->enc_read_ctx                    re-init
993  * ssl->s3->read_sequence               zero
994  * ssl->s3->read_mac_secret             re-init
995  * ssl->session->read_sym_enc           assign
996  * ssl->session->read_compression       assign
997  * ssl->session->read_hash              assign
998  */
999 int dtls1_send_change_cipher_spec(SSL *s, int a, int b)
1000         { 
1001         unsigned char *p;
1002
1003         if (s->state == a)
1004                 {
1005                 p=(unsigned char *)s->init_buf->data;
1006                 *p++=SSL3_MT_CCS;
1007                 s->d1->handshake_write_seq = s->d1->next_handshake_write_seq;
1008                 s->init_num=DTLS1_CCS_HEADER_LENGTH;
1009
1010                 if (s->version == DTLS1_BAD_VER) {
1011                         s->d1->next_handshake_write_seq++;
1012                         s2n(s->d1->handshake_write_seq,p);
1013                         s->init_num+=2;
1014                 }
1015
1016                 s->init_off=0;
1017
1018                 dtls1_set_message_header_int(s, SSL3_MT_CCS, 0, 
1019                         s->d1->handshake_write_seq, 0, 0);
1020
1021                 /* buffer the message to handle re-xmits */
1022                 dtls1_buffer_message(s, 1);
1023
1024                 s->state=b;
1025                 }
1026
1027         /* SSL3_ST_CW_CHANGE_B */
1028         return(dtls1_do_write(s,SSL3_RT_CHANGE_CIPHER_SPEC));
1029         }
1030
1031 static int dtls1_add_cert_to_buf(BUF_MEM *buf, unsigned long *l, X509 *x)
1032         {
1033         int n;
1034         unsigned char *p;
1035
1036         n=i2d_X509(x,NULL);
1037         if (!BUF_MEM_grow_clean(buf,(int)(n+(*l)+3)))
1038                 {
1039                 SSLerr(SSL_F_DTLS1_ADD_CERT_TO_BUF,ERR_R_BUF_LIB);
1040                 return 0;
1041                 }
1042         p=(unsigned char *)&(buf->data[*l]);
1043         l2n3(n,p);
1044         i2d_X509(x,&p);
1045         *l+=n+3;
1046
1047         return 1;
1048         }
1049 unsigned long dtls1_output_cert_chain(SSL *s, X509 *x)
1050         {
1051         unsigned char *p;
1052         int i;
1053         unsigned long l= 3 + DTLS1_HM_HEADER_LENGTH;
1054         BUF_MEM *buf;
1055
1056         /* TLSv1 sends a chain with nothing in it, instead of an alert */
1057         buf=s->init_buf;
1058         if (!BUF_MEM_grow_clean(buf,10))
1059                 {
1060                 SSLerr(SSL_F_DTLS1_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
1061                 return(0);
1062                 }
1063         if (x != NULL)
1064                 {
1065                 X509_STORE_CTX xs_ctx;
1066
1067                 if (!X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,x,NULL))
1068                         {
1069                         SSLerr(SSL_F_DTLS1_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB);
1070                         return(0);
1071                         }
1072   
1073                 X509_verify_cert(&xs_ctx);
1074                 /* Don't leave errors in the queue */
1075                 ERR_clear_error();
1076                 for (i=0; i < sk_X509_num(xs_ctx.chain); i++)
1077                         {
1078                         x = sk_X509_value(xs_ctx.chain, i);
1079
1080                         if (!dtls1_add_cert_to_buf(buf, &l, x))
1081                                 {
1082                                 X509_STORE_CTX_cleanup(&xs_ctx);
1083                                 return 0;
1084                                 }
1085                         }
1086                 X509_STORE_CTX_cleanup(&xs_ctx);
1087                 }
1088         /* Thawte special :-) */
1089         for (i=0; i<sk_X509_num(s->ctx->extra_certs); i++)
1090                 {
1091                 x=sk_X509_value(s->ctx->extra_certs,i);
1092                 if (!dtls1_add_cert_to_buf(buf, &l, x))
1093                         return 0;
1094                 }
1095
1096         l-= (3 + DTLS1_HM_HEADER_LENGTH);
1097
1098         p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH]);
1099         l2n3(l,p);
1100         l+=3;
1101         p=(unsigned char *)&(buf->data[0]);
1102         p = dtls1_set_message_header(s, p, SSL3_MT_CERTIFICATE, l, 0, l);
1103
1104         l+=DTLS1_HM_HEADER_LENGTH;
1105         return(l);
1106         }
1107
1108 int dtls1_read_failed(SSL *s, int code)
1109         {
1110         if ( code > 0)
1111                 {
1112                 fprintf( stderr, "invalid state reached %s:%d", __FILE__, __LINE__);
1113                 return 1;
1114                 }
1115
1116         if (!dtls1_is_timer_expired(s))
1117                 {
1118                 /* not a timeout, none of our business, 
1119                    let higher layers handle this.  in fact it's probably an error */
1120                 return code;
1121                 }
1122
1123 #ifndef OPENSSL_NO_HEARTBEATS
1124         if (!SSL_in_init(s) && !s->tlsext_hb_pending)  /* done, no need to send a retransmit */
1125 #else
1126         if (!SSL_in_init(s))  /* done, no need to send a retransmit */
1127 #endif
1128                 {
1129                 BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ);
1130                 return code;
1131                 }
1132
1133 #if 0 /* for now, each alert contains only one record number */
1134         item = pqueue_peek(state->rcvd_records);
1135         if ( item )
1136                 {
1137                 /* send an alert immediately for all the missing records */
1138                 }
1139         else
1140 #endif
1141
1142 #if 0  /* no more alert sending, just retransmit the last set of messages */
1143         if ( state->timeout.read_timeouts >= DTLS1_TMO_READ_COUNT)
1144                 ssl3_send_alert(s,SSL3_AL_WARNING,
1145                         DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
1146 #endif
1147
1148         return dtls1_handle_timeout(s);
1149         }
1150
1151 int
1152 dtls1_get_queue_priority(unsigned short seq, int is_ccs)
1153         {
1154         /* The index of the retransmission queue actually is the message sequence number,
1155          * since the queue only contains messages of a single handshake. However, the
1156          * ChangeCipherSpec has no message sequence number and so using only the sequence
1157          * will result in the CCS and Finished having the same index. To prevent this,
1158          * the sequence number is multiplied by 2. In case of a CCS 1 is subtracted.
1159          * This does not only differ CSS and Finished, it also maintains the order of the
1160          * index (important for priority queues) and fits in the unsigned short variable.
1161          */     
1162         return seq * 2 - is_ccs;
1163         }
1164
1165 int
1166 dtls1_retransmit_buffered_messages(SSL *s)
1167         {
1168         pqueue sent = s->d1->sent_messages;
1169         piterator iter;
1170         pitem *item;
1171         hm_fragment *frag;
1172         int found = 0;
1173
1174         iter = pqueue_iterator(sent);
1175
1176         for ( item = pqueue_next(&iter); item != NULL; item = pqueue_next(&iter))
1177                 {
1178                 frag = (hm_fragment *)item->data;
1179                         if ( dtls1_retransmit_message(s,
1180                                 (unsigned short)dtls1_get_queue_priority(frag->msg_header.seq, frag->msg_header.is_ccs),
1181                                 0, &found) <= 0 && found)
1182                         {
1183                         fprintf(stderr, "dtls1_retransmit_message() failed\n");
1184                         return -1;
1185                         }
1186                 }
1187
1188         return 1;
1189         }
1190
1191 int
1192 dtls1_buffer_message(SSL *s, int is_ccs)
1193         {
1194         pitem *item;
1195         hm_fragment *frag;
1196         unsigned char seq64be[8];
1197
1198         /* this function is called immediately after a message has 
1199          * been serialized */
1200         OPENSSL_assert(s->init_off == 0);
1201
1202         frag = dtls1_hm_fragment_new(s->init_num, 0);
1203         if (!frag)
1204                 return 0;
1205
1206         memcpy(frag->fragment, s->init_buf->data, s->init_num);
1207
1208         if ( is_ccs)
1209                 {
1210                 OPENSSL_assert(s->d1->w_msg_hdr.msg_len + 
1211                                ((s->version==DTLS1_VERSION)?DTLS1_CCS_HEADER_LENGTH:3) == (unsigned int)s->init_num);
1212                 }
1213         else
1214                 {
1215                 OPENSSL_assert(s->d1->w_msg_hdr.msg_len + 
1216                         DTLS1_HM_HEADER_LENGTH == (unsigned int)s->init_num);
1217                 }
1218
1219         frag->msg_header.msg_len = s->d1->w_msg_hdr.msg_len;
1220         frag->msg_header.seq = s->d1->w_msg_hdr.seq;
1221         frag->msg_header.type = s->d1->w_msg_hdr.type;
1222         frag->msg_header.frag_off = 0;
1223         frag->msg_header.frag_len = s->d1->w_msg_hdr.msg_len;
1224         frag->msg_header.is_ccs = is_ccs;
1225
1226         /* save current state*/
1227         frag->msg_header.saved_retransmit_state.enc_write_ctx = s->enc_write_ctx;
1228         frag->msg_header.saved_retransmit_state.write_hash = s->write_hash;
1229         frag->msg_header.saved_retransmit_state.compress = s->compress;
1230         frag->msg_header.saved_retransmit_state.session = s->session;
1231         frag->msg_header.saved_retransmit_state.epoch = s->d1->w_epoch;
1232         
1233         memset(seq64be,0,sizeof(seq64be));
1234         seq64be[6] = (unsigned char)(dtls1_get_queue_priority(frag->msg_header.seq,
1235                                                                                                                   frag->msg_header.is_ccs)>>8);
1236         seq64be[7] = (unsigned char)(dtls1_get_queue_priority(frag->msg_header.seq,
1237                                                                                                                   frag->msg_header.is_ccs));
1238
1239         item = pitem_new(seq64be, frag);
1240         if ( item == NULL)
1241                 {
1242                 dtls1_hm_fragment_free(frag);
1243                 return 0;
1244                 }
1245
1246 #if 0
1247         fprintf( stderr, "buffered messge: \ttype = %xx\n", msg_buf->type);
1248         fprintf( stderr, "\t\t\t\t\tlen = %d\n", msg_buf->len);
1249         fprintf( stderr, "\t\t\t\t\tseq_num = %d\n", msg_buf->seq_num);
1250 #endif
1251
1252         pqueue_insert(s->d1->sent_messages, item);
1253         return 1;
1254         }
1255
1256 int
1257 dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
1258         int *found)
1259         {
1260         int ret;
1261         /* XDTLS: for now assuming that read/writes are blocking */
1262         pitem *item;
1263         hm_fragment *frag ;
1264         unsigned long header_length;
1265         unsigned char seq64be[8];
1266         struct dtls1_retransmit_state saved_state;
1267         unsigned char save_write_sequence[8];
1268
1269         /*
1270           OPENSSL_assert(s->init_num == 0);
1271           OPENSSL_assert(s->init_off == 0);
1272          */
1273
1274         /* XDTLS:  the requested message ought to be found, otherwise error */
1275         memset(seq64be,0,sizeof(seq64be));
1276         seq64be[6] = (unsigned char)(seq>>8);
1277         seq64be[7] = (unsigned char)seq;
1278
1279         item = pqueue_find(s->d1->sent_messages, seq64be);
1280         if ( item == NULL)
1281                 {
1282                 fprintf(stderr, "retransmit:  message %d non-existant\n", seq);
1283                 *found = 0;
1284                 return 0;
1285                 }
1286
1287         *found = 1;
1288         frag = (hm_fragment *)item->data;
1289
1290         if ( frag->msg_header.is_ccs)
1291                 header_length = DTLS1_CCS_HEADER_LENGTH;
1292         else
1293                 header_length = DTLS1_HM_HEADER_LENGTH;
1294
1295         memcpy(s->init_buf->data, frag->fragment, 
1296                 frag->msg_header.msg_len + header_length);
1297                 s->init_num = frag->msg_header.msg_len + header_length;
1298
1299         dtls1_set_message_header_int(s, frag->msg_header.type, 
1300                 frag->msg_header.msg_len, frag->msg_header.seq, 0, 
1301                 frag->msg_header.frag_len);
1302
1303         /* save current state */
1304         saved_state.enc_write_ctx = s->enc_write_ctx;
1305         saved_state.write_hash = s->write_hash;
1306         saved_state.compress = s->compress;
1307         saved_state.session = s->session;
1308         saved_state.epoch = s->d1->w_epoch;
1309         saved_state.epoch = s->d1->w_epoch;
1310         
1311         s->d1->retransmitting = 1;
1312         
1313         /* restore state in which the message was originally sent */
1314         s->enc_write_ctx = frag->msg_header.saved_retransmit_state.enc_write_ctx;
1315         s->write_hash = frag->msg_header.saved_retransmit_state.write_hash;
1316         s->compress = frag->msg_header.saved_retransmit_state.compress;
1317         s->session = frag->msg_header.saved_retransmit_state.session;
1318         s->d1->w_epoch = frag->msg_header.saved_retransmit_state.epoch;
1319         
1320         if (frag->msg_header.saved_retransmit_state.epoch == saved_state.epoch - 1)
1321         {
1322                 memcpy(save_write_sequence, s->s3->write_sequence, sizeof(s->s3->write_sequence));
1323                 memcpy(s->s3->write_sequence, s->d1->last_write_sequence, sizeof(s->s3->write_sequence));
1324         }
1325         
1326         ret = dtls1_do_write(s, frag->msg_header.is_ccs ? 
1327                                                  SSL3_RT_CHANGE_CIPHER_SPEC : SSL3_RT_HANDSHAKE);
1328         
1329         /* restore current state */
1330         s->enc_write_ctx = saved_state.enc_write_ctx;
1331         s->write_hash = saved_state.write_hash;
1332         s->compress = saved_state.compress;
1333         s->session = saved_state.session;
1334         s->d1->w_epoch = saved_state.epoch;
1335         
1336         if (frag->msg_header.saved_retransmit_state.epoch == saved_state.epoch - 1)
1337         {
1338                 memcpy(s->d1->last_write_sequence, s->s3->write_sequence, sizeof(s->s3->write_sequence));
1339                 memcpy(s->s3->write_sequence, save_write_sequence, sizeof(s->s3->write_sequence));
1340         }
1341
1342         s->d1->retransmitting = 0;
1343
1344         (void)BIO_flush(SSL_get_wbio(s));
1345         return ret;
1346         }
1347
1348 /* call this function when the buffered messages are no longer needed */
1349 void
1350 dtls1_clear_record_buffer(SSL *s)
1351         {
1352         pitem *item;
1353
1354         for(item = pqueue_pop(s->d1->sent_messages);
1355                 item != NULL; item = pqueue_pop(s->d1->sent_messages))
1356                 {
1357                 dtls1_hm_fragment_free((hm_fragment *)item->data);
1358                 pitem_free(item);
1359                 }
1360         }
1361
1362
1363 unsigned char *
1364 dtls1_set_message_header(SSL *s, unsigned char *p, unsigned char mt,
1365                         unsigned long len, unsigned long frag_off, unsigned long frag_len)
1366         {
1367         /* Don't change sequence numbers while listening */
1368         if (frag_off == 0 && !s->d1->listen)
1369                 {
1370                 s->d1->handshake_write_seq = s->d1->next_handshake_write_seq;
1371                 s->d1->next_handshake_write_seq++;
1372                 }
1373
1374         dtls1_set_message_header_int(s, mt, len, s->d1->handshake_write_seq,
1375                 frag_off, frag_len);
1376
1377         return p += DTLS1_HM_HEADER_LENGTH;
1378         }
1379
1380
1381 /* don't actually do the writing, wait till the MTU has been retrieved */
1382 static void
1383 dtls1_set_message_header_int(SSL *s, unsigned char mt,
1384                             unsigned long len, unsigned short seq_num, unsigned long frag_off,
1385                             unsigned long frag_len)
1386         {
1387         struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
1388
1389         msg_hdr->type = mt;
1390         msg_hdr->msg_len = len;
1391         msg_hdr->seq = seq_num;
1392         msg_hdr->frag_off = frag_off;
1393         msg_hdr->frag_len = frag_len;
1394         }
1395
1396 static void
1397 dtls1_fix_message_header(SSL *s, unsigned long frag_off,
1398                         unsigned long frag_len)
1399         {
1400         struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
1401
1402         msg_hdr->frag_off = frag_off;
1403         msg_hdr->frag_len = frag_len;
1404         }
1405
1406 static unsigned char *
1407 dtls1_write_message_header(SSL *s, unsigned char *p)
1408         {
1409         struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
1410
1411         *p++ = msg_hdr->type;
1412         l2n3(msg_hdr->msg_len, p);
1413
1414         s2n(msg_hdr->seq, p);
1415         l2n3(msg_hdr->frag_off, p);
1416         l2n3(msg_hdr->frag_len, p);
1417
1418         return p;
1419         }
1420
1421 unsigned int 
1422 dtls1_min_mtu(void)
1423         {
1424         return (g_probable_mtu[(sizeof(g_probable_mtu) / 
1425                 sizeof(g_probable_mtu[0])) - 1]);
1426         }
1427
1428 static unsigned int 
1429 dtls1_guess_mtu(unsigned int curr_mtu)
1430         {
1431         unsigned int i;
1432
1433         if ( curr_mtu == 0 )
1434                 return g_probable_mtu[0] ;
1435
1436         for ( i = 0; i < sizeof(g_probable_mtu)/sizeof(g_probable_mtu[0]); i++)
1437                 if ( curr_mtu > g_probable_mtu[i])
1438                         return g_probable_mtu[i];
1439
1440         return curr_mtu;
1441         }
1442
1443 void
1444 dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr)
1445         {
1446         memset(msg_hdr, 0x00, sizeof(struct hm_header_st));
1447         msg_hdr->type = *(data++);
1448         n2l3(data, msg_hdr->msg_len);
1449
1450         n2s(data, msg_hdr->seq);
1451         n2l3(data, msg_hdr->frag_off);
1452         n2l3(data, msg_hdr->frag_len);
1453         }
1454
1455 void
1456 dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr)
1457         {
1458         memset(ccs_hdr, 0x00, sizeof(struct ccs_header_st));
1459
1460         ccs_hdr->type = *(data++);
1461         }
1462
1463 int dtls1_shutdown(SSL *s)
1464         {
1465         int ret;
1466 #ifndef OPENSSL_NO_SCTP
1467         if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
1468             !(s->shutdown & SSL_SENT_SHUTDOWN))
1469                 {
1470                 ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
1471                 if (ret < 0) return -1;
1472
1473                 if (ret == 0)
1474                         BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN, 1, NULL);
1475                 }
1476 #endif
1477         ret = ssl3_shutdown(s);
1478 #ifndef OPENSSL_NO_SCTP
1479         BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_SAVE_SHUTDOWN, 0, NULL);
1480 #endif
1481         return ret;
1482         }
1483
1484 #ifndef OPENSSL_NO_HEARTBEATS
1485 int
1486 dtls1_process_heartbeat(SSL *s)
1487         {
1488         unsigned char *p = &s->s3->rrec.data[0], *pl;
1489         unsigned short hbtype;
1490         unsigned int payload;
1491         unsigned int padding = 16; /* Use minimum padding */
1492
1493         if (s->msg_callback)
1494                 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
1495                         &s->s3->rrec.data[0], s->s3->rrec.length,
1496                         s, s->msg_callback_arg);
1497
1498         /* Read type and payload length first */
1499         if (1 + 2 + 16 > s->s3->rrec.length)
1500                 return 0; /* silently discard */
1501         hbtype = *p++;
1502         n2s(p, payload);
1503         if (1 + 2 + payload + 16 > s->s3->rrec.length)
1504                 return 0; /* silently discard per RFC 6520 sec. 4 */
1505         pl = p;
1506
1507         if (hbtype == TLS1_HB_REQUEST)
1508                 {
1509                 unsigned char *buffer, *bp;
1510                 unsigned int write_length = 1 /* heartbeat type */ +
1511                                             2 /* heartbeat length */ +
1512                                             payload + padding;
1513                 int r;
1514
1515                 if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
1516                         return 0;
1517
1518                 /* Allocate memory for the response, size is 1 byte
1519                  * message type, plus 2 bytes payload length, plus
1520                  * payload, plus padding
1521                  */
1522                 buffer = OPENSSL_malloc(write_length);
1523                 bp = buffer;
1524
1525                 /* Enter response type, length and copy payload */
1526                 *bp++ = TLS1_HB_RESPONSE;
1527                 s2n(payload, bp);
1528                 memcpy(bp, pl, payload);
1529                 bp += payload;
1530                 /* Random padding */
1531                 RAND_pseudo_bytes(bp, padding);
1532
1533                 r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length);
1534
1535                 if (r >= 0 && s->msg_callback)
1536                         s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
1537                                 buffer, write_length,
1538                                 s, s->msg_callback_arg);
1539
1540                 OPENSSL_free(buffer);
1541
1542                 if (r < 0)
1543                         return r;
1544                 }
1545         else if (hbtype == TLS1_HB_RESPONSE)
1546                 {
1547                 unsigned int seq;
1548
1549                 /* We only send sequence numbers (2 bytes unsigned int),
1550                  * and 16 random bytes, so we just try to read the
1551                  * sequence number */
1552                 n2s(pl, seq);
1553
1554                 if (payload == 18 && seq == s->tlsext_hb_seq)
1555                         {
1556                         dtls1_stop_timer(s);
1557                         s->tlsext_hb_seq++;
1558                         s->tlsext_hb_pending = 0;
1559                         }
1560                 }
1561
1562         return 0;
1563         }
1564
1565 int
1566 dtls1_heartbeat(SSL *s)
1567         {
1568         unsigned char *buf, *p;
1569         int ret;
1570         unsigned int payload = 18; /* Sequence number + random bytes */
1571         unsigned int padding = 16; /* Use minimum padding */
1572
1573         /* Only send if peer supports and accepts HB requests... */
1574         if (!(s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) ||
1575             s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS)
1576                 {
1577                 SSLerr(SSL_F_DTLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT);
1578                 return -1;
1579                 }
1580
1581         /* ...and there is none in flight yet... */
1582         if (s->tlsext_hb_pending)
1583                 {
1584                 SSLerr(SSL_F_DTLS1_HEARTBEAT,SSL_R_TLS_HEARTBEAT_PENDING);
1585                 return -1;
1586                 }
1587
1588         /* ...and no handshake in progress. */
1589         if (SSL_in_init(s) || s->in_handshake)
1590                 {
1591                 SSLerr(SSL_F_DTLS1_HEARTBEAT,SSL_R_UNEXPECTED_MESSAGE);
1592                 return -1;
1593                 }
1594
1595         /* Check if padding is too long, payload and padding
1596          * must not exceed 2^14 - 3 = 16381 bytes in total.
1597          */
1598         OPENSSL_assert(payload + padding <= 16381);
1599
1600         /* Create HeartBeat message, we just use a sequence number
1601          * as payload to distuingish different messages and add
1602          * some random stuff.
1603          *  - Message Type, 1 byte
1604          *  - Payload Length, 2 bytes (unsigned int)
1605          *  - Payload, the sequence number (2 bytes uint)
1606          *  - Payload, random bytes (16 bytes uint)
1607          *  - Padding
1608          */
1609         buf = OPENSSL_malloc(1 + 2 + payload + padding);
1610         p = buf;
1611         /* Message Type */
1612         *p++ = TLS1_HB_REQUEST;
1613         /* Payload length (18 bytes here) */
1614         s2n(payload, p);
1615         /* Sequence number */
1616         s2n(s->tlsext_hb_seq, p);
1617         /* 16 random bytes */
1618         RAND_pseudo_bytes(p, 16);
1619         p += 16;
1620         /* Random padding */
1621         RAND_pseudo_bytes(p, padding);
1622
1623         ret = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding);
1624         if (ret >= 0)
1625                 {
1626                 if (s->msg_callback)
1627                         s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
1628                                 buf, 3 + payload + padding,
1629                                 s, s->msg_callback_arg);
1630
1631                 dtls1_start_timer(s);
1632                 s->tlsext_hb_pending = 1;
1633                 }
1634
1635         OPENSSL_free(buf);
1636
1637         return ret;
1638         }
1639 #endif