Change mention of Makefile.ssl to Makefile.
[openssl.git] / ssl / d1_pkt.c
1 /* ssl/d1_pkt.c */
2 /* 
3  * DTLS implementation written by Nagendra Modadugu
4  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
5  */
6 /* ====================================================================
7  * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  *
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer. 
15  *
16  * 2. Redistributions in binary form must reproduce the above copyright
17  *    notice, this list of conditions and the following disclaimer in
18  *    the documentation and/or other materials provided with the
19  *    distribution.
20  *
21  * 3. All advertising materials mentioning features or use of this
22  *    software must display the following acknowledgment:
23  *    "This product includes software developed by the OpenSSL Project
24  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
25  *
26  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27  *    endorse or promote products derived from this software without
28  *    prior written permission. For written permission, please contact
29  *    openssl-core@openssl.org.
30  *
31  * 5. Products derived from this software may not be called "OpenSSL"
32  *    nor may "OpenSSL" appear in their names without prior written
33  *    permission of the OpenSSL Project.
34  *
35  * 6. Redistributions of any form whatsoever must retain the following
36  *    acknowledgment:
37  *    "This product includes software developed by the OpenSSL Project
38  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
44  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51  * OF THE POSSIBILITY OF SUCH DAMAGE.
52  * ====================================================================
53  *
54  * This product includes cryptographic software written by Eric Young
55  * (eay@cryptsoft.com).  This product includes software written by Tim
56  * Hudson (tjh@cryptsoft.com).
57  *
58  */
59 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
60  * All rights reserved.
61  *
62  * This package is an SSL implementation written
63  * by Eric Young (eay@cryptsoft.com).
64  * The implementation was written so as to conform with Netscapes SSL.
65  * 
66  * This library is free for commercial and non-commercial use as long as
67  * the following conditions are aheared to.  The following conditions
68  * apply to all code found in this distribution, be it the RC4, RSA,
69  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
70  * included with this distribution is covered by the same copyright terms
71  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
72  * 
73  * Copyright remains Eric Young's, and as such any Copyright notices in
74  * the code are not to be removed.
75  * If this package is used in a product, Eric Young should be given attribution
76  * as the author of the parts of the library used.
77  * This can be in the form of a textual message at program startup or
78  * in documentation (online or textual) provided with the package.
79  * 
80  * Redistribution and use in source and binary forms, with or without
81  * modification, are permitted provided that the following conditions
82  * are met:
83  * 1. Redistributions of source code must retain the copyright
84  *    notice, this list of conditions and the following disclaimer.
85  * 2. Redistributions in binary form must reproduce the above copyright
86  *    notice, this list of conditions and the following disclaimer in the
87  *    documentation and/or other materials provided with the distribution.
88  * 3. All advertising materials mentioning features or use of this software
89  *    must display the following acknowledgement:
90  *    "This product includes cryptographic software written by
91  *     Eric Young (eay@cryptsoft.com)"
92  *    The word 'cryptographic' can be left out if the rouines from the library
93  *    being used are not cryptographic related :-).
94  * 4. If you include any Windows specific code (or a derivative thereof) from 
95  *    the apps directory (application code) you must include an acknowledgement:
96  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
97  * 
98  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
99  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
100  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
101  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
102  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
103  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
104  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
105  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
106  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
107  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
108  * SUCH DAMAGE.
109  * 
110  * The licence and distribution terms for any publically available version or
111  * derivative of this code cannot be changed.  i.e. this code cannot simply be
112  * copied and put under another distribution licence
113  * [including the GNU Public Licence.]
114  */
115
116 #include <stdio.h>
117 #include <errno.h>
118 #define USE_SOCKETS
119 #include "ssl_locl.h"
120 #include <openssl/evp.h>
121 #include <openssl/buffer.h>
122 #include <openssl/pqueue.h>
123
124 static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, 
125         int len, int peek);
126 static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap,
127         PQ_64BIT *seq_num);
128 static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);
129 static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, 
130     unsigned int *is_next_epoch);
131 #if 0
132 static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
133         unsigned short *priority, unsigned long *offset);
134 #endif
135 static int dtls1_buffer_record(SSL *s, record_pqueue *q,
136         PQ_64BIT priority);
137 static int dtls1_process_record(SSL *s);
138 #if PQ_64BIT_IS_INTEGER
139 static PQ_64BIT bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num);
140 #endif
141 static void dtls1_clear_timeouts(SSL *s);
142
143 /* copy buffered record into SSL structure */
144 static int
145 dtls1_copy_record(SSL *s, pitem *item)
146     {
147     DTLS1_RECORD_DATA *rdata;
148
149     rdata = (DTLS1_RECORD_DATA *)item->data;
150     
151     if (s->s3->rbuf.buf != NULL)
152         OPENSSL_free(s->s3->rbuf.buf);
153     
154     s->packet = rdata->packet;
155     s->packet_length = rdata->packet_length;
156     memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
157     memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
158     
159     return(1);
160     }
161
162
163 static int
164 dtls1_buffer_record(SSL *s, record_pqueue *queue, PQ_64BIT priority)
165 {
166     DTLS1_RECORD_DATA *rdata;
167         pitem *item;
168
169         rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
170         item = pitem_new(priority, rdata);
171         if (rdata == NULL || item == NULL)
172                 {
173                 if (rdata != NULL) OPENSSL_free(rdata);
174                 if (item != NULL) pitem_free(item);
175                 
176                 SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
177                 return(0);
178                 }
179         
180         rdata->packet = s->packet;
181         rdata->packet_length = s->packet_length;
182         memcpy(&(rdata->rbuf), &(s->s3->rbuf), sizeof(SSL3_BUFFER));
183         memcpy(&(rdata->rrec), &(s->s3->rrec), sizeof(SSL3_RECORD));
184
185         item->data = rdata;
186
187         /* insert should not fail, since duplicates are dropped */
188         if (pqueue_insert(queue->q, item) == NULL)
189                 {
190                 OPENSSL_free(rdata);
191                 pitem_free(item);
192                 return(0);
193                 }
194
195         s->packet = NULL;
196         s->packet_length = 0;
197         memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));
198         memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD));
199         
200         ssl3_setup_buffers(s);
201         
202         return(1);
203     }
204
205
206 static int
207 dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue)
208     {
209     pitem *item;
210
211     item = pqueue_pop(queue->q);
212     if (item)
213         {
214         dtls1_copy_record(s, item);
215
216         OPENSSL_free(item->data);
217                 pitem_free(item);
218
219         return(1);
220         }
221
222     return(0);
223     }
224
225
226 /* retrieve a buffered record that belongs to the new epoch, i.e., not processed 
227  * yet */
228 #define dtls1_get_unprocessed_record(s) \
229                    dtls1_retrieve_buffered_record((s), \
230                    &((s)->d1->unprocessed_rcds))
231
232 /* retrieve a buffered record that belongs to the current epoch, ie, processed */
233 #define dtls1_get_processed_record(s) \
234                    dtls1_retrieve_buffered_record((s), \
235                    &((s)->d1->processed_rcds))
236
237 static int
238 dtls1_process_buffered_records(SSL *s)
239     {
240     pitem *item;
241     
242     item = pqueue_peek(s->d1->unprocessed_rcds.q);
243     if (item)
244         {
245         DTLS1_RECORD_DATA *rdata;
246         rdata = (DTLS1_RECORD_DATA *)item->data;
247         
248         /* Check if epoch is current. */
249         if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch)
250             return(1);  /* Nothing to do. */
251         
252         /* Process all the records. */
253         while (pqueue_peek(s->d1->unprocessed_rcds.q))
254             {
255             dtls1_get_unprocessed_record(s);
256             if ( ! dtls1_process_record(s))
257                 return(0);
258             dtls1_buffer_record(s, &(s->d1->processed_rcds), 
259                 s->s3->rrec.seq_num);
260             }
261         }
262
263     /* sync epoch numbers once all the unprocessed records 
264      * have been processed */
265     s->d1->processed_rcds.epoch = s->d1->r_epoch;
266     s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1;
267
268     return(1);
269     }
270
271
272 #if 0
273
274 static int
275 dtls1_get_buffered_record(SSL *s)
276         {
277         pitem *item;
278         PQ_64BIT priority = 
279                 (((PQ_64BIT)s->d1->handshake_read_seq) << 32) | 
280                 ((PQ_64BIT)s->d1->r_msg_hdr.frag_off);
281         
282         if ( ! SSL_in_init(s))  /* if we're not (re)negotiating, 
283                                                            nothing buffered */
284                 return 0;
285
286
287         item = pqueue_peek(s->d1->rcvd_records);
288         if (item && item->priority == priority)
289                 {
290                 /* Check if we've received the record of interest.  It must be
291                  * a handshake record, since data records as passed up without
292                  * buffering */
293                 DTLS1_RECORD_DATA *rdata;
294                 item = pqueue_pop(s->d1->rcvd_records);
295                 rdata = (DTLS1_RECORD_DATA *)item->data;
296                 
297                 if (s->s3->rbuf.buf != NULL)
298                         OPENSSL_free(s->s3->rbuf.buf);
299                 
300                 s->packet = rdata->packet;
301                 s->packet_length = rdata->packet_length;
302                 memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
303                 memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
304                 
305                 OPENSSL_free(item->data);
306                 pitem_free(item);
307                 
308                 /* s->d1->next_expected_seq_num++; */
309                 return(1);
310                 }
311         
312         return 0;
313         }
314
315 #endif
316
317 static int
318 dtls1_process_record(SSL *s)
319 {
320     int i,al;
321         int clear=0;
322     int enc_err;
323         SSL_SESSION *sess;
324     SSL3_RECORD *rr;
325         unsigned int mac_size;
326         unsigned char md[EVP_MAX_MD_SIZE];
327
328
329         rr= &(s->s3->rrec);
330     sess = s->session;
331
332         /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
333          * and we have that many bytes in s->packet
334          */
335         rr->input= &(s->packet[DTLS1_RT_HEADER_LENGTH]);
336
337         /* ok, we can now read from 's->packet' data into 'rr'
338          * rr->input points at rr->length bytes, which
339          * need to be copied into rr->data by either
340          * the decryption or by the decompression
341          * When the data is 'copied' into the rr->data buffer,
342          * rr->input will be pointed at the new buffer */ 
343
344         /* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
345          * rr->length bytes of encrypted compressed stuff. */
346
347         /* check is not needed I believe */
348         if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH)
349                 {
350                 al=SSL_AD_RECORD_OVERFLOW;
351                 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
352                 goto f_err;
353                 }
354
355         /* decrypt in place in 'rr->input' */
356         rr->data=rr->input;
357
358         enc_err = s->method->ssl3_enc->enc(s,0);
359         if (enc_err <= 0)
360                 {
361                 if (enc_err == 0)
362                         /* SSLerr() and ssl3_send_alert() have been called */
363                         goto err;
364
365                 /* otherwise enc_err == -1 */
366                 goto decryption_failed_or_bad_record_mac;
367                 }
368
369 #ifdef TLS_DEBUG
370 printf("dec %d\n",rr->length);
371 { unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
372 printf("\n");
373 #endif
374
375         /* r->length is now the compressed data plus mac */
376 if (    (sess == NULL) ||
377                 (s->enc_read_ctx == NULL) ||
378                 (s->read_hash == NULL))
379     clear=1;
380
381         if (!clear)
382                 {
383                 mac_size=EVP_MD_size(s->read_hash);
384
385                 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
386                         {
387 #if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
388                         al=SSL_AD_RECORD_OVERFLOW;
389                         SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
390                         goto f_err;
391 #else
392                         goto decryption_failed_or_bad_record_mac;
393 #endif                  
394                         }
395                 /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
396                 if (rr->length < mac_size)
397                         {
398 #if 0 /* OK only for stream ciphers */
399                         al=SSL_AD_DECODE_ERROR;
400                         SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
401                         goto f_err;
402 #else
403                         goto decryption_failed_or_bad_record_mac;
404 #endif
405                         }
406                 rr->length-=mac_size;
407                 i=s->method->ssl3_enc->mac(s,md,0);
408                 if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
409                         {
410                         goto decryption_failed_or_bad_record_mac;
411                         }
412                 }
413
414         /* r->length is now just compressed */
415         if (s->expand != NULL)
416                 {
417                 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH)
418                         {
419                         al=SSL_AD_RECORD_OVERFLOW;
420                         SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
421                         goto f_err;
422                         }
423                 if (!ssl3_do_uncompress(s))
424                         {
425                         al=SSL_AD_DECOMPRESSION_FAILURE;
426                         SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_BAD_DECOMPRESSION);
427                         goto f_err;
428                         }
429                 }
430
431         if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH)
432                 {
433                 al=SSL_AD_RECORD_OVERFLOW;
434                 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
435                 goto f_err;
436                 }
437
438         rr->off=0;
439         /* So at this point the following is true
440          * ssl->s3->rrec.type   is the type of record
441          * ssl->s3->rrec.length == number of bytes in record
442          * ssl->s3->rrec.off    == offset to first valid byte
443          * ssl->s3->rrec.data   == where to take bytes from, increment
444          *                         after use :-).
445          */
446
447         /* we have pulled in a full packet so zero things */
448         s->packet_length=0;
449     dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */
450     return(1);
451
452 decryption_failed_or_bad_record_mac:
453         /* Separate 'decryption_failed' alert was introduced with TLS 1.0,
454          * SSL 3.0 only has 'bad_record_mac'.  But unless a decryption
455          * failure is directly visible from the ciphertext anyway,
456          * we should not reveal which kind of error occured -- this
457          * might become visible to an attacker (e.g. via logfile) */
458         al=SSL_AD_BAD_RECORD_MAC;
459         SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
460 f_err:
461         ssl3_send_alert(s,SSL3_AL_FATAL,al);
462 err:
463         return(0);
464 }
465
466
467 /* Call this to get a new input record.
468  * It will return <= 0 if more data is needed, normally due to an error
469  * or non-blocking IO.
470  * When it finishes, one packet has been decoded and can be found in
471  * ssl->s3->rrec.type    - is the type of record
472  * ssl->s3->rrec.data,   - data
473  * ssl->s3->rrec.length, - number of bytes
474  */
475 /* used only by dtls1_read_bytes */
476 int dtls1_get_record(SSL *s)
477         {
478         int ssl_major,ssl_minor,al;
479         int i,n;
480         SSL3_RECORD *rr;
481         SSL_SESSION *sess;
482         unsigned char *p;
483         short version;
484         DTLS1_BITMAP *bitmap;
485     unsigned int is_next_epoch;
486
487         rr= &(s->s3->rrec);
488         sess=s->session;
489
490     /* The epoch may have changed.  If so, process all the
491      * pending records.  This is a non-blocking operation. */
492     if ( ! dtls1_process_buffered_records(s))
493         return 0;
494
495         /* if we're renegotiating, then there may be buffered records */
496         if (dtls1_get_processed_record(s))
497                 return 1;
498
499         /* get something from the wire */
500 again:
501         /* check if we have the header */
502         if (    (s->rstate != SSL_ST_READ_BODY) ||
503                 (s->packet_length < DTLS1_RT_HEADER_LENGTH)) 
504                 {
505                 n=ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
506                 /* read timeout is handled by dtls1_read_bytes */
507                 if (n <= 0) return(n); /* error or non-blocking */
508
509                 OPENSSL_assert(s->packet_length == DTLS1_RT_HEADER_LENGTH);
510
511                 s->rstate=SSL_ST_READ_BODY;
512
513                 p=s->packet;
514
515                 /* Pull apart the header into the DTLS1_RECORD */
516                 rr->type= *(p++);
517                 ssl_major= *(p++);
518                 ssl_minor= *(p++);
519                 version=(ssl_major<<8)|ssl_minor;
520
521         /* sequence number is 64 bits, with top 2 bytes = epoch */ 
522                 n2s(p,rr->epoch);
523
524                 memcpy(&(s->s3->read_sequence[2]), p, 6);
525                 p+=6;
526
527                 n2s(p,rr->length);
528
529                 /* Lets check version */
530                 if (s->first_packet)
531                         {
532                         s->first_packet=0;
533                         }
534                 else
535                         {
536                         if (version != s->version)
537                                 {
538                                 SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
539                                 /* Send back error using their
540                                  * version number :-) */
541                                 s->version=version;
542                                 al=SSL_AD_PROTOCOL_VERSION;
543                                 goto f_err;
544                                 }
545                         }
546
547                 if ((version & 0xff00) != (DTLS1_VERSION & 0xff00))
548                         {
549                         SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
550                         goto err;
551                         }
552
553                 if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH)
554                         {
555                         al=SSL_AD_RECORD_OVERFLOW;
556                         SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
557                         goto f_err;
558                         }
559
560                 /* now s->rstate == SSL_ST_READ_BODY */
561                 }
562
563         /* s->rstate == SSL_ST_READ_BODY, get and decode the data */
564
565         if (rr->length > s->packet_length-DTLS1_RT_HEADER_LENGTH)
566                 {
567                 /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
568                 i=rr->length;
569                 n=ssl3_read_n(s,i,i,1);
570                 if (n <= 0) return(n); /* error or non-blocking io */
571
572                 /* this packet contained a partial record, dump it */
573                 if ( n != i)
574                         {
575                         s->packet_length = 0;
576                         goto again;
577                         }
578
579                 /* now n == rr->length,
580                  * and s->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length */
581                 }
582         s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */
583
584         /* match epochs.  NULL means the packet is dropped on the floor */
585         bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
586         if ( bitmap == NULL)
587         {
588         s->packet_length = 0;  /* dump this record */
589         goto again;   /* get another record */
590                 }
591
592         /* check whether this is a repeat, or aged record */
593         if ( ! dtls1_record_replay_check(s, bitmap, &(rr->seq_num)))
594                 {
595                 s->packet_length=0; /* dump this record */
596                 goto again;     /* get another record */
597                 }
598
599         /* just read a 0 length packet */
600         if (rr->length == 0) goto again;
601
602     /* If this record is from the next epoch (either HM or ALERT), buffer it
603      * since it cannot be processed at this time.
604      * Records from the next epoch are marked as received even though they are 
605      * not processed, so as to prevent any potential resource DoS attack */
606     if (is_next_epoch)
607         {
608         dtls1_record_bitmap_update(s, bitmap);
609         dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
610         s->packet_length = 0;
611         goto again;
612         }
613
614     if ( ! dtls1_process_record(s))
615         return(0);
616
617         dtls1_clear_timeouts(s);  /* done waiting */
618         return(1);
619
620 f_err:
621         ssl3_send_alert(s,SSL3_AL_FATAL,al);
622 err:
623         return(0);
624         }
625
626 /* Return up to 'len' payload bytes received in 'type' records.
627  * 'type' is one of the following:
628  *
629  *   -  SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
630  *   -  SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
631  *   -  0 (during a shutdown, no data has to be returned)
632  *
633  * If we don't have stored data to work from, read a SSL/TLS record first
634  * (possibly multiple records if we still don't have anything to return).
635  *
636  * This function must handle any surprises the peer may have for us, such as
637  * Alert records (e.g. close_notify), ChangeCipherSpec records (not really
638  * a surprise, but handled as if it were), or renegotiation requests.
639  * Also if record payloads contain fragments too small to process, we store
640  * them until there is enough for the respective protocol (the record protocol
641  * may use arbitrary fragmentation and even interleaving):
642  *     Change cipher spec protocol
643  *             just 1 byte needed, no need for keeping anything stored
644  *     Alert protocol
645  *             2 bytes needed (AlertLevel, AlertDescription)
646  *     Handshake protocol
647  *             4 bytes needed (HandshakeType, uint24 length) -- we just have
648  *             to detect unexpected Client Hello and Hello Request messages
649  *             here, anything else is handled by higher layers
650  *     Application data protocol
651  *             none of our business
652  */
653 int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
654         {
655         int al,i,j,ret;
656         unsigned int n;
657         SSL3_RECORD *rr;
658         void (*cb)(const SSL *ssl,int type2,int val)=NULL;
659
660         if (s->s3->rbuf.buf == NULL) /* Not initialized yet */
661                 if (!ssl3_setup_buffers(s))
662                         return(-1);
663
664     /* XXX: check what the second '&& type' is about */
665         if ((type && (type != SSL3_RT_APPLICATION_DATA) && 
666                 (type != SSL3_RT_HANDSHAKE) && type) ||
667             (peek && (type != SSL3_RT_APPLICATION_DATA)))
668                 {
669                 SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR);
670                 return -1;
671                 }
672
673         /* check whether there's a handshake message (client hello?) waiting */
674         if ( (ret = have_handshake_fragment(s, type, buf, len, peek)))
675                 return ret;
676
677         /* Now s->d1->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
678
679         if (!s->in_handshake && SSL_in_init(s))
680                 {
681                 /* type == SSL3_RT_APPLICATION_DATA */
682                 i=s->handshake_func(s);
683                 if (i < 0) return(i);
684                 if (i == 0)
685                         {
686                         SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
687                         return(-1);
688                         }
689                 }
690
691 start:
692         s->rwstate=SSL_NOTHING;
693
694         /* s->s3->rrec.type         - is the type of record
695          * s->s3->rrec.data,    - data
696          * s->s3->rrec.off,     - offset into 'data' for next read
697          * s->s3->rrec.length,  - number of bytes. */
698         rr = &(s->s3->rrec);
699
700         /* get new packet if necessary */
701         if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
702                 {
703                 ret=dtls1_get_record(s);
704                 if (ret <= 0) 
705                         {
706                         ret = dtls1_read_failed(s, ret);
707                         /* anything other than a timeout is an error */
708                         if (ret <= 0)  
709                                 return(ret);
710                         else
711                                 goto start;
712                         }
713                 }
714
715         /* we now have a packet which can be read and processed */
716
717         if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
718                                        * reset by ssl3_get_finished */
719                 && (rr->type != SSL3_RT_HANDSHAKE))
720                 {
721                 al=SSL_AD_UNEXPECTED_MESSAGE;
722                 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
723                 goto err;
724                 }
725
726         /* If the other end has shut down, throw anything we read away
727          * (even in 'peek' mode) */
728         if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
729                 {
730                 rr->length=0;
731                 s->rwstate=SSL_NOTHING;
732                 return(0);
733                 }
734
735
736         if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */
737                 {
738                 /* make sure that we are not getting application data when we
739                  * are doing a handshake for the first time */
740                 if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
741                         (s->enc_read_ctx == NULL))
742                         {
743                         al=SSL_AD_UNEXPECTED_MESSAGE;
744                         SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE);
745                         goto f_err;
746                         }
747
748                 if (len <= 0) return(len);
749
750                 if ((unsigned int)len > rr->length)
751                         n = rr->length;
752                 else
753                         n = (unsigned int)len;
754
755                 memcpy(buf,&(rr->data[rr->off]),n);
756                 if (!peek)
757                         {
758                         rr->length-=n;
759                         rr->off+=n;
760                         if (rr->length == 0)
761                                 {
762                                 s->rstate=SSL_ST_READ_HEADER;
763                                 rr->off=0;
764                                 }
765                         }
766                 return(n);
767                 }
768
769
770         /* If we get here, then type != rr->type; if we have a handshake
771          * message, then it was unexpected (Hello Request or Client Hello). */
772
773         /* In case of record types for which we have 'fragment' storage,
774          * fill that so that we can process the data at a fixed place.
775          */
776                 {
777                 unsigned int k, dest_maxlen = 0;
778                 unsigned char *dest = NULL;
779                 unsigned int *dest_len = NULL;
780
781                 if (rr->type == SSL3_RT_HANDSHAKE)
782                         {
783                         dest_maxlen = sizeof s->d1->handshake_fragment;
784                         dest = s->d1->handshake_fragment;
785                         dest_len = &s->d1->handshake_fragment_len;
786                         }
787                 else if (rr->type == SSL3_RT_ALERT)
788                         {
789                         dest_maxlen = sizeof(s->d1->alert_fragment);
790                         dest = s->d1->alert_fragment;
791                         dest_len = &s->d1->alert_fragment_len;
792                         }
793                 else    /* else it's a CCS message */
794                         OPENSSL_assert(rr->type == SSL3_RT_CHANGE_CIPHER_SPEC);
795
796
797                 if (dest_maxlen > 0)
798                         {
799             /* XDTLS:  In a pathalogical case, the Client Hello
800              *  may be fragmented--don't always expect dest_maxlen bytes */
801                         if ( rr->length < dest_maxlen)
802                                 {
803                                 s->rstate=SSL_ST_READ_HEADER;
804                                 rr->length = 0;
805                                 goto start;
806                                 }
807
808                         /* now move 'n' bytes: */
809                         for ( k = 0; k < dest_maxlen; k++)
810                                 {
811                                 dest[k] = rr->data[rr->off++];
812                                 rr->length--;
813                                 }
814                         *dest_len = dest_maxlen;
815                         }
816                 }
817
818         /* s->d1->handshake_fragment_len == 12  iff  rr->type == SSL3_RT_HANDSHAKE;
819          * s->d1->alert_fragment_len == 7      iff  rr->type == SSL3_RT_ALERT.
820          * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */
821
822         /* If we are a client, check for an incoming 'Hello Request': */
823         if ((!s->server) &&
824                 (s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) &&
825                 (s->d1->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) &&
826                 (s->session != NULL) && (s->session->cipher != NULL))
827                 {
828                 s->d1->handshake_fragment_len = 0;
829
830                 if ((s->d1->handshake_fragment[1] != 0) ||
831                         (s->d1->handshake_fragment[2] != 0) ||
832                         (s->d1->handshake_fragment[3] != 0))
833                         {
834                         al=SSL_AD_DECODE_ERROR;
835                         SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
836                         goto err;
837                         }
838
839                 /* no need to check sequence number on HELLO REQUEST messages */
840
841                 if (s->msg_callback)
842                         s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 
843                                 s->d1->handshake_fragment, 4, s, s->msg_callback_arg);
844
845                 if (SSL_is_init_finished(s) &&
846                         !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
847                         !s->s3->renegotiate)
848                         {
849                         ssl3_renegotiate(s);
850                         if (ssl3_renegotiate_check(s))
851                                 {
852                                 i=s->handshake_func(s);
853                                 if (i < 0) return(i);
854                                 if (i == 0)
855                                         {
856                                         SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
857                                         return(-1);
858                                         }
859
860                                 if (!(s->mode & SSL_MODE_AUTO_RETRY))
861                                         {
862                                         if (s->s3->rbuf.left == 0) /* no read-ahead left? */
863                                                 {
864                                                 BIO *bio;
865                                                 /* In the case where we try to read application data,
866                                                  * but we trigger an SSL handshake, we return -1 with
867                                                  * the retry option set.  Otherwise renegotiation may
868                                                  * cause nasty problems in the blocking world */
869                                                 s->rwstate=SSL_READING;
870                                                 bio=SSL_get_rbio(s);
871                                                 BIO_clear_retry_flags(bio);
872                                                 BIO_set_retry_read(bio);
873                                                 return(-1);
874                                                 }
875                                         }
876                                 }
877                         }
878                 /* we either finished a handshake or ignored the request,
879                  * now try again to obtain the (application) data we were asked for */
880                 goto start;
881                 }
882
883         if (s->d1->alert_fragment_len >= DTLS1_AL_HEADER_LENGTH)
884                 {
885                 int alert_level = s->d1->alert_fragment[0];
886                 int alert_descr = s->d1->alert_fragment[1];
887
888                 s->d1->alert_fragment_len = 0;
889
890                 if (s->msg_callback)
891                         s->msg_callback(0, s->version, SSL3_RT_ALERT, 
892                                 s->d1->alert_fragment, 2, s, s->msg_callback_arg);
893
894                 if (s->info_callback != NULL)
895                         cb=s->info_callback;
896                 else if (s->ctx->info_callback != NULL)
897                         cb=s->ctx->info_callback;
898
899                 if (cb != NULL)
900                         {
901                         j = (alert_level << 8) | alert_descr;
902                         cb(s, SSL_CB_READ_ALERT, j);
903                         }
904
905                 if (alert_level == 1) /* warning */
906                         {
907                         s->s3->warn_alert = alert_descr;
908                         if (alert_descr == SSL_AD_CLOSE_NOTIFY)
909                                 {
910                                 s->shutdown |= SSL_RECEIVED_SHUTDOWN;
911                                 return(0);
912                                 }
913 #if 0
914             /* XXX: this is a possible improvement in the future */
915                         /* now check if it's a missing record */
916                         if (alert_descr == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
917                                 {
918                                 unsigned short seq;
919                                 unsigned int frag_off;
920                                 unsigned char *p = &(s->d1->alert_fragment[2]);
921
922                                 n2s(p, seq);
923                                 n2l3(p, frag_off);
924
925                                 dtls1_retransmit_message(s, seq, frag_off, &found);
926                                 if ( ! found  && SSL_in_init(s))
927                                         {
928                                         /* fprintf( stderr,"in init = %d\n", SSL_in_init(s)); */
929                                         /* requested a message not yet sent, 
930                                            send an alert ourselves */
931                                         ssl3_send_alert(s,SSL3_AL_WARNING,
932                                                 DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
933                                         }
934                                 }
935 #endif
936                         }
937                 else if (alert_level == 2) /* fatal */
938                         {
939                         char tmp[16];
940
941                         s->rwstate=SSL_NOTHING;
942                         s->s3->fatal_alert = alert_descr;
943                         SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
944                         BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr);
945                         ERR_add_error_data(2,"SSL alert number ",tmp);
946                         s->shutdown|=SSL_RECEIVED_SHUTDOWN;
947                         SSL_CTX_remove_session(s->ctx,s->session);
948                         return(0);
949                         }
950                 else
951                         {
952                         al=SSL_AD_ILLEGAL_PARAMETER;
953                         SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE);
954                         goto f_err;
955                         }
956
957                 goto start;
958                 }
959
960         if (s->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutdown */
961                 {
962                 s->rwstate=SSL_NOTHING;
963                 rr->length=0;
964                 return(0);
965                 }
966
967         if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
968         {
969         struct ccs_header_st ccs_hdr;
970
971                 dtls1_get_ccs_header(rr->data, &ccs_hdr);
972
973                 if ( ccs_hdr.seq == s->d1->handshake_read_seq)
974                         {
975                         /* 'Change Cipher Spec' is just a single byte, so we know
976                          * exactly what the record payload has to look like */
977                         /* XDTLS: check that epoch is consistent */
978                         if (    (rr->length != DTLS1_CCS_HEADER_LENGTH) || 
979                                 (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
980                                 {
981                                 i=SSL_AD_ILLEGAL_PARAMETER;
982                                 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
983                                 goto err;
984                                 }
985                         
986                         rr->length=0;
987                         
988                         if (s->msg_callback)
989                                 s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, 
990                                         rr->data, 1, s, s->msg_callback_arg);
991                         
992                         s->s3->change_cipher_spec=1;
993                         if (!ssl3_do_change_cipher_spec(s))
994                                 goto err;
995                         
996                         /* do this whenever CCS is processed */
997                         dtls1_reset_seq_numbers(s, SSL3_CC_READ);
998                         
999                         /* handshake read seq is reset upon handshake completion */
1000                         s->d1->handshake_read_seq++;
1001                         
1002                         goto start;
1003                         }
1004                 else
1005                         {
1006                         rr->length = 0;
1007                         goto start;
1008                         }
1009                 }
1010
1011         /* Unexpected handshake message (Client Hello, or protocol violation) */
1012         if ((s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && 
1013                 !s->in_handshake)
1014                 {
1015                 struct hm_header_st msg_hdr;
1016                 
1017                 /* this may just be a stale retransmit */
1018                 dtls1_get_message_header(rr->data, &msg_hdr);
1019                 if( rr->epoch != s->d1->r_epoch)
1020                         {
1021                         rr->length = 0;
1022                         goto start;
1023                         }
1024
1025                 if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
1026                         !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
1027                         {
1028 #if 0 /* worked only because C operator preferences are not as expected (and
1029        * because this is not really needed for clients except for detecting
1030        * protocol violations): */
1031                         s->state=SSL_ST_BEFORE|(s->server)
1032                                 ?SSL_ST_ACCEPT
1033                                 :SSL_ST_CONNECT;
1034 #else
1035                         s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
1036 #endif
1037                         s->new_session=1;
1038                         }
1039                 i=s->handshake_func(s);
1040                 if (i < 0) return(i);
1041                 if (i == 0)
1042                         {
1043                         SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
1044                         return(-1);
1045                         }
1046
1047                 if (!(s->mode & SSL_MODE_AUTO_RETRY))
1048                         {
1049                         if (s->s3->rbuf.left == 0) /* no read-ahead left? */
1050                                 {
1051                                 BIO *bio;
1052                                 /* In the case where we try to read application data,
1053                                  * but we trigger an SSL handshake, we return -1 with
1054                                  * the retry option set.  Otherwise renegotiation may
1055                                  * cause nasty problems in the blocking world */
1056                                 s->rwstate=SSL_READING;
1057                                 bio=SSL_get_rbio(s);
1058                                 BIO_clear_retry_flags(bio);
1059                                 BIO_set_retry_read(bio);
1060                                 return(-1);
1061                                 }
1062                         }
1063                 goto start;
1064                 }
1065
1066         switch (rr->type)
1067                 {
1068         default:
1069 #ifndef OPENSSL_NO_TLS
1070                 /* TLS just ignores unknown message types */
1071                 if (s->version == TLS1_VERSION)
1072                         {
1073                         rr->length = 0;
1074                         goto start;
1075                         }
1076 #endif
1077                 al=SSL_AD_UNEXPECTED_MESSAGE;
1078                 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
1079                 goto f_err;
1080         case SSL3_RT_CHANGE_CIPHER_SPEC:
1081         case SSL3_RT_ALERT:
1082         case SSL3_RT_HANDSHAKE:
1083                 /* we already handled all of these, with the possible exception
1084                  * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that
1085                  * should not happen when type != rr->type */
1086                 al=SSL_AD_UNEXPECTED_MESSAGE;
1087                 SSLerr(SSL_F_DTLS1_READ_BYTES,ERR_R_INTERNAL_ERROR);
1088                 goto f_err;
1089         case SSL3_RT_APPLICATION_DATA:
1090                 /* At this point, we were expecting handshake data,
1091                  * but have application data.  If the library was
1092                  * running inside ssl3_read() (i.e. in_read_app_data
1093                  * is set) and it makes sense to read application data
1094                  * at this point (session renegotiation not yet started),
1095                  * we will indulge it.
1096                  */
1097                 if (s->s3->in_read_app_data &&
1098                         (s->s3->total_renegotiations != 0) &&
1099                         ((
1100                                 (s->state & SSL_ST_CONNECT) &&
1101                                 (s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
1102                                 (s->state <= SSL3_ST_CR_SRVR_HELLO_A)
1103                                 ) || (
1104                                         (s->state & SSL_ST_ACCEPT) &&
1105                                         (s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
1106                                         (s->state >= SSL3_ST_SR_CLNT_HELLO_A)
1107                                         )
1108                                 ))
1109                         {
1110                         s->s3->in_read_app_data=2;
1111                         return(-1);
1112                         }
1113                 else
1114                         {
1115                         al=SSL_AD_UNEXPECTED_MESSAGE;
1116                         SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
1117                         goto f_err;
1118                         }
1119                 }
1120         /* not reached */
1121
1122 f_err:
1123         ssl3_send_alert(s,SSL3_AL_FATAL,al);
1124 err:
1125         return(-1);
1126         }
1127
1128 int
1129 dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len)
1130         {
1131         unsigned int n,tot;
1132         int i;
1133
1134         if (SSL_in_init(s) && !s->in_handshake)
1135                 {
1136                 i=s->handshake_func(s);
1137                 if (i < 0) return(i);
1138                 if (i == 0)
1139                         {
1140                         SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
1141                         return -1;
1142                         }
1143                 }
1144
1145         tot = s->s3->wnum;
1146         n = len - tot;
1147
1148         while( n)
1149                 {
1150                 /* dtls1_write_bytes sends one record at a time, sized according to 
1151                  * the currently known MTU */
1152                 i = dtls1_write_bytes(s, type, buf_, len);
1153                 if (i <= 0) return i;
1154                 
1155                 if ((i == (int)n) ||
1156                         (type == SSL3_RT_APPLICATION_DATA &&
1157                                 (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
1158                         {
1159                         /* next chunk of data should get another prepended empty fragment
1160                          * in ciphersuites with known-IV weakness: */
1161                         s->s3->empty_fragment_done = 0;
1162                         return tot+i;
1163                         }
1164
1165                 tot += i;
1166                 n-=i;
1167                 }
1168
1169         return tot;
1170         }
1171
1172
1173         /* this only happens when a client hello is received and a handshake 
1174          * is started. */
1175 static int
1176 have_handshake_fragment(SSL *s, int type, unsigned char *buf, 
1177         int len, int peek)
1178         {
1179         
1180         if ((type == SSL3_RT_HANDSHAKE) && (s->d1->handshake_fragment_len > 0))
1181                 /* (partially) satisfy request from storage */
1182                 {
1183                 unsigned char *src = s->d1->handshake_fragment;
1184                 unsigned char *dst = buf;
1185                 unsigned int k,n;
1186                 
1187                 /* peek == 0 */
1188                 n = 0;
1189                 while ((len > 0) && (s->d1->handshake_fragment_len > 0))
1190                         {
1191                         *dst++ = *src++;
1192                         len--; s->d1->handshake_fragment_len--;
1193                         n++;
1194                         }
1195                 /* move any remaining fragment bytes: */
1196                 for (k = 0; k < s->d1->handshake_fragment_len; k++)
1197                         s->d1->handshake_fragment[k] = *src++;
1198                 return n;
1199                 }
1200         
1201         return 0;
1202         }
1203
1204
1205
1206
1207 /* Call this to write data in records of type 'type'
1208  * It will return <= 0 if not all data has been sent or non-blocking IO.
1209  */
1210 int dtls1_write_bytes(SSL *s, int type, const void *buf_, int len)
1211         {
1212         const unsigned char *buf=buf_;
1213         unsigned int tot,n,nw;
1214         int i;
1215         unsigned int mtu;
1216
1217         s->rwstate=SSL_NOTHING;
1218         tot=s->s3->wnum;
1219
1220         n=(len-tot);
1221
1222         /* handshake layer figures out MTU for itself, but data records
1223          * are also sent through this interface, so need to figure out MTU */
1224 #if 0
1225         mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_MTU, 0, NULL);
1226         mtu += DTLS1_HM_HEADER_LENGTH;  /* HM already inserted */
1227 #endif
1228         mtu = s->d1->mtu;
1229
1230         if (mtu > SSL3_RT_MAX_PLAIN_LENGTH)
1231                 mtu = SSL3_RT_MAX_PLAIN_LENGTH;
1232
1233         if (n > mtu)
1234                 nw=mtu;
1235         else
1236                 nw=n;
1237         
1238         i=do_dtls1_write(s, type, &(buf[tot]), nw, 0);
1239         if (i <= 0)
1240                 {
1241                 s->s3->wnum=tot;
1242                 return i;
1243                 }
1244
1245         if ( (int)s->s3->wnum + i == len)
1246                 s->s3->wnum = 0;
1247         else 
1248                 s->s3->wnum += i;
1249
1250         return tot + i;
1251         }
1252
1253 int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, int create_empty_fragment)
1254         {
1255         unsigned char *p,*pseq;
1256         int i,mac_size,clear=0;
1257         int prefix_len = 0;
1258         SSL3_RECORD *wr;
1259         SSL3_BUFFER *wb;
1260         SSL_SESSION *sess;
1261         int bs;
1262
1263         /* first check if there is a SSL3_BUFFER still being written
1264          * out.  This will happen with non blocking IO */
1265         if (s->s3->wbuf.left != 0)
1266                 {
1267                 OPENSSL_assert(0); /* XDTLS:  want to see if we ever get here */
1268                 return(ssl3_write_pending(s,type,buf,len));
1269                 }
1270
1271         /* If we have an alert to send, lets send it */
1272         if (s->s3->alert_dispatch)
1273                 {
1274                 i=s->method->ssl_dispatch_alert(s);
1275                 if (i <= 0)
1276                         return(i);
1277                 /* if it went, fall through and send more stuff */
1278                 }
1279
1280         if (len == 0 && !create_empty_fragment)
1281                 return 0;
1282
1283         wr= &(s->s3->wrec);
1284         wb= &(s->s3->wbuf);
1285         sess=s->session;
1286
1287         if (    (sess == NULL) ||
1288                 (s->enc_write_ctx == NULL) ||
1289                 (s->write_hash == NULL))
1290                 clear=1;
1291
1292         if (clear)
1293                 mac_size=0;
1294         else
1295                 mac_size=EVP_MD_size(s->write_hash);
1296
1297         /* DTLS implements explicit IV, so no need for empty fragments */
1298 #if 0
1299         /* 'create_empty_fragment' is true only when this function calls itself */
1300         if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done
1301                 && SSL_version(s) != DTLS1_VERSION)
1302                 {
1303                 /* countermeasure against known-IV weakness in CBC ciphersuites
1304                  * (see http://www.openssl.org/~bodo/tls-cbc.txt) 
1305                  */
1306
1307                 if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA)
1308                         {
1309                         /* recursive function call with 'create_empty_fragment' set;
1310                          * this prepares and buffers the data for an empty fragment
1311                          * (these 'prefix_len' bytes are sent out later
1312                          * together with the actual payload) */
1313                         prefix_len = s->method->do_ssl_write(s, type, buf, 0, 1);
1314                         if (prefix_len <= 0)
1315                                 goto err;
1316
1317                         if (s->s3->wbuf.len < (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE)
1318                                 {
1319                                 /* insufficient space */
1320                                 SSLerr(SSL_F_DO_DTLS1_WRITE, ERR_R_INTERNAL_ERROR);
1321                                 goto err;
1322                                 }
1323                         }
1324                 
1325                 s->s3->empty_fragment_done = 1;
1326                 }
1327 #endif
1328
1329         p = wb->buf + prefix_len;
1330
1331         /* write the header */
1332
1333         *(p++)=type&0xff;
1334         wr->type=type;
1335
1336         *(p++)=(s->version>>8);
1337         *(p++)=s->version&0xff;
1338
1339         /* field where we are to write out packet epoch, seq num and len */
1340         pseq=p; 
1341         p+=10;
1342
1343         /* lets setup the record stuff. */
1344
1345         /* Make space for the explicit IV in case of CBC.
1346          * (this is a bit of a boundary violation, but what the heck).
1347          */
1348         if ( s->enc_write_ctx && 
1349                 (EVP_CIPHER_mode( s->enc_write_ctx->cipher ) & EVP_CIPH_CBC_MODE))
1350                 bs = EVP_CIPHER_block_size(s->enc_write_ctx->cipher);
1351         else
1352                 bs = 0;
1353
1354         wr->data=p + bs;  /* make room for IV in case of CBC */
1355         wr->length=(int)len;
1356         wr->input=(unsigned char *)buf;
1357
1358         /* we now 'read' from wr->input, wr->length bytes into
1359          * wr->data */
1360
1361         /* first we compress */
1362         if (s->compress != NULL)
1363                 {
1364                 if (!ssl3_do_compress(s))
1365                         {
1366                         SSLerr(SSL_F_DO_DTLS1_WRITE,SSL_R_COMPRESSION_FAILURE);
1367                         goto err;
1368                         }
1369                 }
1370         else
1371                 {
1372                 memcpy(wr->data,wr->input,wr->length);
1373                 wr->input=wr->data;
1374                 }
1375
1376         /* we should still have the output to wr->data and the input
1377          * from wr->input.  Length should be wr->length.
1378          * wr->data still points in the wb->buf */
1379
1380         if (mac_size != 0)
1381                 {
1382                 s->method->ssl3_enc->mac(s,&(p[wr->length + bs]),1);
1383                 wr->length+=mac_size;
1384                 }
1385
1386         /* this is true regardless of mac size */
1387         wr->input=p;
1388         wr->data=p;
1389
1390
1391         /* ssl3_enc can only have an error on read */
1392         wr->length += bs;  /* bs != 0 in case of CBC.  The enc fn provides
1393                                                 * the randomness */ 
1394         s->method->ssl3_enc->enc(s,1);
1395
1396         /* record length after mac and block padding */
1397 /*      if (type == SSL3_RT_APPLICATION_DATA ||
1398         (type == SSL3_RT_ALERT && ! SSL_in_init(s))) */
1399         
1400         /* there's only one epoch between handshake and app data */
1401         
1402         s2n(s->d1->w_epoch, pseq);
1403
1404         /* XDTLS: ?? */
1405 /*      else
1406         s2n(s->d1->handshake_epoch, pseq); */
1407
1408         memcpy(pseq, &(s->s3->write_sequence[2]), 6);
1409         pseq+=6;
1410         s2n(wr->length,pseq);
1411
1412         /* we should now have
1413          * wr->data pointing to the encrypted data, which is
1414          * wr->length long */
1415         wr->type=type; /* not needed but helps for debugging */
1416         wr->length+=DTLS1_RT_HEADER_LENGTH;
1417
1418 #if 0  /* this is now done at the message layer */
1419         /* buffer the record, making it easy to handle retransmits */
1420         if ( type == SSL3_RT_HANDSHAKE || type == SSL3_RT_CHANGE_CIPHER_SPEC)
1421                 dtls1_buffer_record(s, wr->data, wr->length, 
1422                         *((PQ_64BIT *)&(s->s3->write_sequence[0])));
1423 #endif
1424
1425         ssl3_record_sequence_update(&(s->s3->write_sequence[0]));
1426
1427         if (create_empty_fragment)
1428                 {
1429                 /* we are in a recursive call;
1430                  * just return the length, don't write out anything here
1431                  */
1432                 return wr->length;
1433                 }
1434
1435         /* now let's set up wb */
1436         wb->left = prefix_len + wr->length;
1437         wb->offset = 0;
1438
1439         /* memorize arguments so that ssl3_write_pending can detect bad write retries later */
1440         s->s3->wpend_tot=len;
1441         s->s3->wpend_buf=buf;
1442         s->s3->wpend_type=type;
1443         s->s3->wpend_ret=len;
1444
1445         /* we now just need to write the buffer */
1446         return ssl3_write_pending(s,type,buf,len);
1447 err:
1448         return -1;
1449         }
1450
1451
1452
1453 static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap,
1454         PQ_64BIT *seq_num)
1455         {
1456 #if PQ_64BIT_IS_INTEGER
1457         PQ_64BIT mask = 0x0000000000000001L;
1458 #endif
1459         PQ_64BIT rcd_num, tmp;
1460
1461         pq_64bit_init(&rcd_num);
1462         pq_64bit_init(&tmp);
1463
1464         /* this is the sequence number for the record just read */
1465         pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8);
1466
1467         
1468         if (pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) ||
1469                 pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num)))
1470                 {
1471                 pq_64bit_assign(seq_num, &rcd_num);
1472                 pq_64bit_free(&rcd_num);
1473                 pq_64bit_free(&tmp);
1474                 return 1;  /* this record is new */
1475                 }
1476
1477         pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num);
1478
1479         if ( pq_64bit_get_word(&tmp) > bitmap->length)
1480                 {
1481                 pq_64bit_free(&rcd_num);
1482                 pq_64bit_free(&tmp);
1483                 return 0;  /* stale, outside the window */
1484                 }
1485
1486 #if PQ_64BIT_IS_BIGNUM
1487         {
1488         int offset;
1489         pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num);
1490         pq_64bit_sub_word(&tmp, 1);
1491         offset = pq_64bit_get_word(&tmp);
1492         if ( pq_64bit_is_bit_set(&(bitmap->map), offset))
1493                 {
1494                 pq_64bit_free(&rcd_num);
1495                 pq_64bit_free(&tmp);
1496                 return 0;
1497                 }
1498         }
1499 #else
1500         mask <<= (bitmap->max_seq_num - rcd_num - 1);
1501         if (bitmap->map & mask)
1502                 return 0; /* record previously received */
1503 #endif
1504         
1505         pq_64bit_assign(seq_num, &rcd_num);
1506         pq_64bit_free(&rcd_num);
1507         pq_64bit_free(&tmp);
1508         return 1;
1509         }
1510
1511
1512 static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap)
1513         {
1514         unsigned int shift;
1515         PQ_64BIT rcd_num;
1516         PQ_64BIT tmp;
1517         PQ_64BIT_CTX *ctx;
1518
1519         pq_64bit_init(&rcd_num);
1520         pq_64bit_init(&tmp);
1521
1522         pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8);
1523
1524         /* unfortunate code complexity due to 64-bit manipulation support
1525          * on 32-bit machines */
1526         if ( pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) ||
1527                 pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num)))
1528                 {
1529                 pq_64bit_sub(&tmp, &rcd_num, &(bitmap->max_seq_num));
1530                 pq_64bit_add_word(&tmp, 1);
1531
1532                 shift = (unsigned int)pq_64bit_get_word(&tmp);
1533
1534                 pq_64bit_lshift(&(tmp), &(bitmap->map), shift);
1535                 pq_64bit_assign(&(bitmap->map), &tmp);
1536
1537                 pq_64bit_set_bit(&(bitmap->map), 0);
1538                 pq_64bit_add_word(&rcd_num, 1);
1539                 pq_64bit_assign(&(bitmap->max_seq_num), &rcd_num);
1540
1541                 pq_64bit_assign_word(&tmp, 1);
1542                 pq_64bit_lshift(&tmp, &tmp, bitmap->length);
1543                 ctx = pq_64bit_ctx_new(&ctx);
1544                 pq_64bit_mod(&(bitmap->map), &(bitmap->map), &tmp, ctx);
1545                 pq_64bit_ctx_free(ctx);
1546                 }
1547         else
1548                 {
1549                 pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num);
1550                 pq_64bit_sub_word(&tmp, 1);
1551                 shift = (unsigned int)pq_64bit_get_word(&tmp);
1552
1553                 pq_64bit_set_bit(&(bitmap->map), shift);
1554                 }
1555
1556         pq_64bit_free(&rcd_num);
1557         pq_64bit_free(&tmp);
1558         }
1559
1560
1561 int dtls1_dispatch_alert(SSL *s)
1562         {
1563         int i,j;
1564         void (*cb)(const SSL *ssl,int type,int val)=NULL;
1565         unsigned char buf[2 + 2 + 3]; /* alert level + alert desc + message seq +frag_off */
1566         unsigned char *ptr = &buf[0];
1567
1568         s->s3->alert_dispatch=0;
1569
1570         memset(buf, 0x00, sizeof(buf));
1571         *ptr++ = s->s3->send_alert[0];
1572         *ptr++ = s->s3->send_alert[1];
1573
1574         if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
1575                 {       
1576                 s2n(s->d1->handshake_read_seq, ptr);
1577 #if 0
1578                 if ( s->d1->r_msg_hdr.frag_off == 0)  /* waiting for a new msg */
1579
1580                 else
1581                         s2n(s->d1->r_msg_hdr.seq, ptr); /* partial msg read */
1582 #endif
1583
1584 #if 0
1585                 fprintf(stderr, "s->d1->handshake_read_seq = %d, s->d1->r_msg_hdr.seq = %d\n",s->d1->handshake_read_seq,s->d1->r_msg_hdr.seq);
1586 #endif
1587                 l2n3(s->d1->r_msg_hdr.frag_off, ptr);
1588                 }
1589
1590         i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0);
1591         if (i <= 0)
1592                 {
1593                 s->s3->alert_dispatch=1;
1594                 /* fprintf( stderr, "not done with alert\n" ); */
1595                 }
1596         else
1597                 {
1598                 if ( s->s3->send_alert[0] == SSL3_AL_FATAL ||
1599                         s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
1600                         (void)BIO_flush(s->wbio);
1601
1602                 if (s->msg_callback)
1603                         s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, 
1604                                 2, s, s->msg_callback_arg);
1605
1606                 if (s->info_callback != NULL)
1607                         cb=s->info_callback;
1608                 else if (s->ctx->info_callback != NULL)
1609                         cb=s->ctx->info_callback;
1610
1611                 if (cb != NULL)
1612                         {
1613                         j=(s->s3->send_alert[0]<<8)|s->s3->send_alert[1];
1614                         cb(s,SSL_CB_WRITE_ALERT,j);
1615                         }
1616                 }
1617         return(i);
1618         }
1619
1620
1621 static DTLS1_BITMAP *
1622 dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch)
1623     {
1624     
1625     *is_next_epoch = 0;
1626
1627     /* In current epoch, accept HM, CCS, DATA, & ALERT */
1628     if (rr->epoch == s->d1->r_epoch)
1629         return &s->d1->bitmap;
1630
1631     /* Only HM and ALERT messages can be from the next epoch */
1632     else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) &&
1633         (rr->type == SSL3_RT_HANDSHAKE ||
1634             rr->type == SSL3_RT_ALERT))
1635         {
1636         *is_next_epoch = 1;
1637         return &s->d1->next_bitmap;
1638         }
1639
1640     return NULL;
1641     }
1642
1643 #if 0
1644 static int
1645 dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr, unsigned short *priority,
1646         unsigned long *offset)
1647         {
1648
1649         /* alerts are passed up immediately */
1650         if ( rr->type == SSL3_RT_APPLICATION_DATA ||
1651                 rr->type == SSL3_RT_ALERT)
1652                 return 0;
1653
1654         /* Only need to buffer if a handshake is underway.
1655          * (this implies that Hello Request and Client Hello are passed up
1656          * immediately) */
1657         if ( SSL_in_init(s))
1658                 {
1659                 unsigned char *data = rr->data;
1660                 /* need to extract the HM/CCS sequence number here */
1661                 if ( rr->type == SSL3_RT_HANDSHAKE ||
1662                         rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
1663                         {
1664                         unsigned short seq_num;
1665                         struct hm_header_st msg_hdr;
1666                         struct ccs_header_st ccs_hdr;
1667
1668                         if ( rr->type == SSL3_RT_HANDSHAKE)
1669                                 {
1670                                 dtls1_get_message_header(data, &msg_hdr);
1671                                 seq_num = msg_hdr.seq;
1672                                 *offset = msg_hdr.frag_off;
1673                                 }
1674                         else
1675                                 {
1676                                 dtls1_get_ccs_header(data, &ccs_hdr);
1677                                 seq_num = ccs_hdr.seq;
1678                                 *offset = 0;
1679                                 }
1680                                 
1681                         /* this is either a record we're waiting for, or a
1682                          * retransmit of something we happened to previously 
1683                          * receive (higher layers will drop the repeat silently */
1684                         if ( seq_num < s->d1->handshake_read_seq)
1685                                 return 0;
1686                         if (rr->type == SSL3_RT_HANDSHAKE && 
1687                                 seq_num == s->d1->handshake_read_seq &&
1688                                 msg_hdr.frag_off < s->d1->r_msg_hdr.frag_off)
1689                                 return 0;
1690                         else if ( seq_num == s->d1->handshake_read_seq &&
1691                                 (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC ||
1692                                         msg_hdr.frag_off == s->d1->r_msg_hdr.frag_off))
1693                                 return 0;
1694                         else
1695                                 {
1696                                 *priority = seq_num;
1697                                 return 1;
1698                                 }
1699                         }
1700                 else /* unknown record type */
1701                         return 0;
1702                 }
1703
1704         return 0;
1705         }
1706 #endif
1707
1708 void
1709 dtls1_reset_seq_numbers(SSL *s, int rw)
1710         {
1711         unsigned char *seq;
1712         unsigned int seq_bytes = sizeof(s->s3->read_sequence);
1713
1714         if ( rw & SSL3_CC_READ)
1715                 {
1716                 seq = s->s3->read_sequence;
1717                 s->d1->r_epoch++;
1718
1719                 pq_64bit_assign(&(s->d1->bitmap.map), &(s->d1->next_bitmap.map));
1720                 s->d1->bitmap.length = s->d1->next_bitmap.length;
1721                 pq_64bit_assign(&(s->d1->bitmap.max_seq_num), 
1722                         &(s->d1->next_bitmap.max_seq_num));
1723
1724                 pq_64bit_free(&(s->d1->next_bitmap.map));
1725                 pq_64bit_free(&(s->d1->next_bitmap.max_seq_num));
1726                 memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP));
1727                 pq_64bit_init(&(s->d1->next_bitmap.map));
1728                 pq_64bit_init(&(s->d1->next_bitmap.max_seq_num));
1729                 }
1730         else
1731                 {
1732                 seq = s->s3->write_sequence;
1733                 s->d1->w_epoch++;
1734                 }
1735
1736         memset(seq, 0x00, seq_bytes);
1737         }
1738
1739 #if PQ_64BIT_IS_INTEGER
1740 static PQ_64BIT
1741 bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num)
1742        {
1743        PQ_64BIT _num;
1744
1745        _num = (((PQ_64BIT)bytes[0]) << 56) |
1746                (((PQ_64BIT)bytes[1]) << 48) |
1747                (((PQ_64BIT)bytes[2]) << 40) |
1748                (((PQ_64BIT)bytes[3]) << 32) |
1749                (((PQ_64BIT)bytes[4]) << 24) |
1750                (((PQ_64BIT)bytes[5]) << 16) |
1751                (((PQ_64BIT)bytes[6]) <<  8) |
1752                (((PQ_64BIT)bytes[7])      );
1753
1754            *num = _num ;
1755        return _num;
1756        }
1757 #endif
1758
1759
1760 static void
1761 dtls1_clear_timeouts(SSL *s)
1762         {
1763         memset(&(s->d1->timeout), 0x00, sizeof(struct dtls1_timeout_st));
1764         }