mkerr.pl update from HEAD.

[openssl.git] / ssl / d1_pkt.c

diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index c84e6865a0576621fcfea40654ff9c3b38024eb1..892b8897088c0091eb73445f2dcb11619428b3ca 100644 (file)
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -124,7 +124,7 @@
 static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, 
        int len, int peek);
 static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap,
-       unsigned long long *seq_num);
+       PQ_64BIT *seq_num);
 static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);
 static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, 
     unsigned int *is_next_epoch);
@@ -133,13 +133,13 @@ static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
        unsigned short *priority, unsigned long *offset);
 #endif
 static int dtls1_buffer_record(SSL *s, record_pqueue *q,
-       unsigned long long priority);
+       PQ_64BIT priority);
 static int dtls1_process_record(SSL *s);
-static unsigned long long bytes_to_long_long(unsigned char *bytes);
-static void long_long_to_bytes(unsigned long long num, unsigned char *bytes);
+#if PQ_64BIT_IS_INTEGER
+static PQ_64BIT bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num);
+#endif
 static void dtls1_clear_timeouts(SSL *s);
 
-
 /* copy buffered record into SSL structure */
 static int
 dtls1_copy_record(SSL *s, pitem *item)
@@ -161,7 +161,7 @@ dtls1_copy_record(SSL *s, pitem *item)
 
 
 static int
-dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned long long priority)
+dtls1_buffer_record(SSL *s, record_pqueue *queue, PQ_64BIT priority)
 {
     DTLS1_RECORD_DATA *rdata;
        pitem *item;
@@ -173,7 +173,7 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned long long priority)
                if (rdata != NULL) OPENSSL_free(rdata);
                if (item != NULL) pitem_free(item);
                
-               SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR);
+               SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
                return(0);
                }
        
@@ -275,9 +275,9 @@ static int
 dtls1_get_buffered_record(SSL *s)
        {
        pitem *item;
-       unsigned long long priority = 
-               (((unsigned long long)s->d1->handshake_read_seq) << 32) | 
-               ((unsigned long long)s->d1->r_msg_hdr.frag_off);
+       PQ_64BIT priority = 
+               (((PQ_64BIT)s->d1->handshake_read_seq) << 32) | 
+               ((PQ_64BIT)s->d1->r_msg_hdr.frag_off);
        
        if ( ! SSL_in_init(s))  /* if we're not (re)negotiating, 
                                                           nothing buffered */
@@ -348,7 +348,7 @@ dtls1_process_record(SSL *s)
        if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH)
                {
                al=SSL_AD_RECORD_OVERFLOW;
-               SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
+               SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
                goto f_err;
                }
 
@@ -386,7 +386,7 @@ if (        (sess == NULL) ||
                        {
 #if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
                        al=SSL_AD_RECORD_OVERFLOW;
-                       SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
+                       SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
                        goto f_err;
 #else
                        goto decryption_failed_or_bad_record_mac;
@@ -397,7 +397,7 @@ if (        (sess == NULL) ||
                        {
 #if 0 /* OK only for stream ciphers */
                        al=SSL_AD_DECODE_ERROR;
-                       SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
+                       SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
                        goto f_err;
 #else
                        goto decryption_failed_or_bad_record_mac;
@@ -417,13 +417,13 @@ if (      (sess == NULL) ||
                if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH)
                        {
                        al=SSL_AD_RECORD_OVERFLOW;
-                       SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
+                       SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
                        goto f_err;
                        }
                if (!ssl3_do_uncompress(s))
                        {
                        al=SSL_AD_DECOMPRESSION_FAILURE;
-                       SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION);
+                       SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_BAD_DECOMPRESSION);
                        goto f_err;
                        }
                }
@@ -431,7 +431,7 @@ if (        (sess == NULL) ||
        if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH)
                {
                al=SSL_AD_RECORD_OVERFLOW;
-               SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
+               SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
                goto f_err;
                }
 
@@ -456,7 +456,7 @@ decryption_failed_or_bad_record_mac:
         * we should not reveal which kind of error occured -- this
         * might become visible to an attacker (e.g. via logfile) */
        al=SSL_AD_BAD_RECORD_MAC;
-       SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
+       SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
 f_err:
        ssl3_send_alert(s,SSL3_AL_FATAL,al);
 err:
@@ -482,7 +482,6 @@ int dtls1_get_record(SSL *s)
        unsigned char *p;
        short version;
        DTLS1_BITMAP *bitmap;
-       unsigned long long read_sequence;
     unsigned int is_next_epoch;
 
        rr= &(s->s3->rrec);
@@ -522,9 +521,9 @@ again:
         /* sequence number is 64 bits, with top 2 bytes = epoch */ 
                n2s(p,rr->epoch);
 
-               read_sequence = 0;
-               n2l6(p, read_sequence);
-               long_long_to_bytes(read_sequence, s->s3->read_sequence);
+               memcpy(&(s->s3->read_sequence[2]), p, 6);
+               p+=6;
+
                n2s(p,rr->length);
 
                /* Lets check version */
@@ -536,7 +535,7 @@ again:
                        {
                        if (version != s->version)
                                {
-                               SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
+                               SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
                                /* Send back error using their
                                 * version number :-) */
                                s->version=version;
@@ -547,14 +546,14 @@ again:
 
                if ((version & 0xff00) != (DTLS1_VERSION & 0xff00))
                        {
-                       SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
+                       SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
                        goto err;
                        }
 
                if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH)
                        {
                        al=SSL_AD_RECORD_OVERFLOW;
-                       SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
+                       SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
                        goto f_err;
                        }
 
@@ -667,7 +666,7 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
                (type != SSL3_RT_HANDSHAKE) && type) ||
            (peek && (type != SSL3_RT_APPLICATION_DATA)))
                {
-               SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
+               SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR);
                return -1;
                }
 
@@ -684,7 +683,7 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
                if (i < 0) return(i);
                if (i == 0)
                        {
-                       SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
+                       SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
                        return(-1);
                        }
                }
@@ -720,7 +719,7 @@ start:
                && (rr->type != SSL3_RT_HANDSHAKE))
                {
                al=SSL_AD_UNEXPECTED_MESSAGE;
-               SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
+               SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
                goto err;
                }
 
@@ -742,7 +741,7 @@ start:
                        (s->enc_read_ctx == NULL))
                        {
                        al=SSL_AD_UNEXPECTED_MESSAGE;
-                       SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE);
+                       SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE);
                        goto f_err;
                        }
 
@@ -833,7 +832,7 @@ start:
                        (s->d1->handshake_fragment[3] != 0))
                        {
                        al=SSL_AD_DECODE_ERROR;
-                       SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
+                       SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
                        goto err;
                        }
 
@@ -854,7 +853,7 @@ start:
                                if (i < 0) return(i);
                                if (i == 0)
                                        {
-                                       SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
+                                       SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
                                        return(-1);
                                        }
 
@@ -941,7 +940,7 @@ start:
 
                        s->rwstate=SSL_NOTHING;
                        s->s3->fatal_alert = alert_descr;
-                       SSLerr(SSL_F_SSL3_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
+                       SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
                        BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr);
                        ERR_add_error_data(2,"SSL alert number ",tmp);
                        s->shutdown|=SSL_RECEIVED_SHUTDOWN;
@@ -951,7 +950,7 @@ start:
                else
                        {
                        al=SSL_AD_ILLEGAL_PARAMETER;
-                       SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE);
+                       SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE);
                        goto f_err;
                        }
 
@@ -980,7 +979,7 @@ start:
                                (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
                                {
                                i=SSL_AD_ILLEGAL_PARAMETER;
-                               SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
+                               SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
                                goto err;
                                }
                        
@@ -1041,7 +1040,7 @@ start:
                if (i < 0) return(i);
                if (i == 0)
                        {
-                       SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
+                       SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
                        return(-1);
                        }
 
@@ -1076,7 +1075,7 @@ start:
                        }
 #endif
                al=SSL_AD_UNEXPECTED_MESSAGE;
-               SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
+               SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
                goto f_err;
        case SSL3_RT_CHANGE_CIPHER_SPEC:
        case SSL3_RT_ALERT:
@@ -1085,7 +1084,7 @@ start:
                 * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that
                 * should not happen when type != rr->type */
                al=SSL_AD_UNEXPECTED_MESSAGE;
-               SSLerr(SSL_F_SSL3_READ_BYTES,ERR_R_INTERNAL_ERROR);
+               SSLerr(SSL_F_DTLS1_READ_BYTES,ERR_R_INTERNAL_ERROR);
                goto f_err;
        case SSL3_RT_APPLICATION_DATA:
                /* At this point, we were expecting handshake data,
@@ -1114,7 +1113,7 @@ start:
                else
                        {
                        al=SSL_AD_UNEXPECTED_MESSAGE;
-                       SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
+                       SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
                        goto f_err;
                        }
                }
@@ -1138,7 +1137,7 @@ dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len)
                if (i < 0) return(i);
                if (i == 0)
                        {
-                       SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
+                       SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
                        return -1;
                        }
                }
@@ -1243,7 +1242,7 @@ int dtls1_write_bytes(SSL *s, int type, const void *buf_, int len)
                return i;
                }
 
-       if ( s->s3->wnum + i == len)
+       if ( (int)s->s3->wnum + i == len)
                s->s3->wnum = 0;
        else 
                s->s3->wnum += i;
@@ -1251,8 +1250,7 @@ int dtls1_write_bytes(SSL *s, int type, const void *buf_, int len)
        return tot + i;
        }
 
-int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
-       unsigned int len, int create_empty_fragment)
+int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, int create_empty_fragment)
        {
        unsigned char *p,*pseq;
        int i,mac_size,clear=0;
@@ -1319,7 +1317,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
                        if (s->s3->wbuf.len < (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE)
                                {
                                /* insufficient space */
-                               SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);
+                               SSLerr(SSL_F_DO_DTLS1_WRITE, ERR_R_INTERNAL_ERROR);
                                goto err;
                                }
                        }
@@ -1365,7 +1363,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
                {
                if (!ssl3_do_compress(s))
                        {
-                       SSLerr(SSL_F_DO_SSL3_WRITE,SSL_R_COMPRESSION_FAILURE);
+                       SSLerr(SSL_F_DO_DTLS1_WRITE,SSL_R_COMPRESSION_FAILURE);
                        goto err;
                        }
                }
@@ -1407,7 +1405,8 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
 /*     else
        s2n(s->d1->handshake_epoch, pseq); */
 
-       l2n6(bytes_to_long_long(s->s3->write_sequence), pseq);
+       memcpy(pseq, &(s->s3->write_sequence[2]), 6);
+       pseq+=6;
        s2n(wr->length,pseq);
 
        /* we should now have
@@ -1420,7 +1419,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
        /* buffer the record, making it easy to handle retransmits */
        if ( type == SSL3_RT_HANDSHAKE || type == SSL3_RT_CHANGE_CIPHER_SPEC)
                dtls1_buffer_record(s, wr->data, wr->length, 
-                       *((unsigned long long *)&(s->s3->write_sequence[0])));
+                       *((PQ_64BIT *)&(s->s3->write_sequence[0])));
 #endif
 
        ssl3_record_sequence_update(&(s->s3->write_sequence[0]));
@@ -1452,27 +1451,60 @@ err:
 
 
 static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap,
-       unsigned long long *seq_num)
+       PQ_64BIT *seq_num)
        {
-       unsigned long long mask = 0x0000000000000001LL;
-       unsigned long long rcd_num;
+#if PQ_64BIT_IS_INTEGER
+       PQ_64BIT mask = 0x0000000000000001L;
+#endif
+       PQ_64BIT rcd_num, tmp;
+
+       pq_64bit_init(&rcd_num);
+       pq_64bit_init(&tmp);
+
+       /* this is the sequence number for the record just read */
+       pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8);
 
-       rcd_num = bytes_to_long_long(s->s3->read_sequence);
        
-       if (rcd_num >= bitmap->max_seq_num)
+       if (pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) ||
+               pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num)))
                {
-               *seq_num = rcd_num;
+               pq_64bit_assign(seq_num, &rcd_num);
+               pq_64bit_free(&rcd_num);
+               pq_64bit_free(&tmp);
                return 1;  /* this record is new */
                }
-       
-       if (bitmap->max_seq_num - rcd_num > bitmap->length)
+
+       pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num);
+
+       if ( pq_64bit_get_word(&tmp) > bitmap->length)
+               {
+               pq_64bit_free(&rcd_num);
+               pq_64bit_free(&tmp);
                return 0;  /* stale, outside the window */
+               }
 
+#if PQ_64BIT_IS_BIGNUM
+       {
+       int offset;
+       pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num);
+       pq_64bit_sub_word(&tmp, 1);
+       offset = pq_64bit_get_word(&tmp);
+       if ( pq_64bit_is_bit_set(&(bitmap->map), offset))
+               {
+               pq_64bit_free(&rcd_num);
+               pq_64bit_free(&tmp);
+               return 0;
+               }
+       }
+#else
        mask <<= (bitmap->max_seq_num - rcd_num - 1);
        if (bitmap->map & mask)
                return 0; /* record previously received */
+#endif
        
-       *seq_num = rcd_num;
+       pq_64bit_assign(seq_num, &rcd_num);
+       pq_64bit_free(&rcd_num);
+       pq_64bit_free(&tmp);
        return 1;
        }
 
@@ -1480,23 +1512,49 @@ static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap,
 static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap)
        {
        unsigned int shift;
-       unsigned long long mask = 0x0000000000000001L;
-       unsigned long long rcd_num;
+       PQ_64BIT rcd_num;
+       PQ_64BIT tmp;
+       PQ_64BIT_CTX *ctx;
+
+       pq_64bit_init(&rcd_num);
+       pq_64bit_init(&tmp);
 
-       rcd_num = bytes_to_long_long(s->s3->read_sequence);
+       pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8);
 
-       if (rcd_num >= bitmap->max_seq_num)
+       /* unfortunate code complexity due to 64-bit manipulation support
+        * on 32-bit machines */
+       if ( pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) ||
+               pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num)))
                {
-               shift = rcd_num - bitmap->max_seq_num + 1;
-               bitmap->max_seq_num = rcd_num + 1;
-               bitmap->map <<= shift;
-               bitmap->map |= 0x0000000000000001LL;
+               pq_64bit_sub(&tmp, &rcd_num, &(bitmap->max_seq_num));
+               pq_64bit_add_word(&tmp, 1);
+
+               shift = (unsigned int)pq_64bit_get_word(&tmp);
+
+               pq_64bit_lshift(&(tmp), &(bitmap->map), shift);
+               pq_64bit_assign(&(bitmap->map), &tmp);
+
+               pq_64bit_set_bit(&(bitmap->map), 0);
+               pq_64bit_add_word(&rcd_num, 1);
+               pq_64bit_assign(&(bitmap->max_seq_num), &rcd_num);
+
+               pq_64bit_assign_word(&tmp, 1);
+               pq_64bit_lshift(&tmp, &tmp, bitmap->length);
+               ctx = pq_64bit_ctx_new(&ctx);
+               pq_64bit_mod(&(bitmap->map), &(bitmap->map), &tmp, ctx);
+               pq_64bit_ctx_free(ctx);
                }
        else
                {
-               mask <<= (bitmap->max_seq_num - rcd_num - 1);
-               bitmap->map |= mask;
+               pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num);
+               pq_64bit_sub_word(&tmp, 1);
+               shift = (unsigned int)pq_64bit_get_word(&tmp);
+
+               pq_64bit_set_bit(&(bitmap->map), shift);
                }
+
+       pq_64bit_free(&rcd_num);
+       pq_64bit_free(&tmp);
        }
 
 
@@ -1571,7 +1629,7 @@ dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch)
         return &s->d1->bitmap;
 
     /* Only HM and ALERT messages can be from the next epoch */
-    else if (rr->epoch == s->d1->r_epoch + 1 &&
+    else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) &&
         (rr->type == SSL3_RT_HANDSHAKE ||
             rr->type == SSL3_RT_ALERT))
         {
@@ -1657,8 +1715,17 @@ dtls1_reset_seq_numbers(SSL *s, int rw)
                {
                seq = s->s3->read_sequence;
                s->d1->r_epoch++;
-               memcpy(&(s->d1->bitmap), &(s->d1->next_bitmap), sizeof(DTLS1_BITMAP));
+
+               pq_64bit_assign(&(s->d1->bitmap.map), &(s->d1->next_bitmap.map));
+               s->d1->bitmap.length = s->d1->next_bitmap.length;
+               pq_64bit_assign(&(s->d1->bitmap.max_seq_num), 
+                       &(s->d1->next_bitmap.max_seq_num));
+
+               pq_64bit_free(&(s->d1->next_bitmap.map));
+               pq_64bit_free(&(s->d1->next_bitmap.max_seq_num));
                memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP));
+               pq_64bit_init(&(s->d1->next_bitmap.map));
+               pq_64bit_init(&(s->d1->next_bitmap.max_seq_num));
                }
        else
                {
@@ -1669,36 +1736,26 @@ dtls1_reset_seq_numbers(SSL *s, int rw)
        memset(seq, 0x00, seq_bytes);
        }
 
+#if PQ_64BIT_IS_INTEGER
+static PQ_64BIT
+bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num)
+       {
+       PQ_64BIT _num;
+
+       _num = (((PQ_64BIT)bytes[0]) << 56) |
+               (((PQ_64BIT)bytes[1]) << 48) |
+               (((PQ_64BIT)bytes[2]) << 40) |
+               (((PQ_64BIT)bytes[3]) << 32) |
+               (((PQ_64BIT)bytes[4]) << 24) |
+               (((PQ_64BIT)bytes[5]) << 16) |
+               (((PQ_64BIT)bytes[6]) <<  8) |
+               (((PQ_64BIT)bytes[7])      );
+
+          *num = _num ;
+       return _num;
+       }
+#endif
 
-static unsigned long long
-bytes_to_long_long(unsigned char *bytes)
-       {
-       unsigned long long num;
-
-       num = (((unsigned long long)bytes[0]) << 56) |
-               (((unsigned long long)bytes[1]) << 48) |
-               (((unsigned long long)bytes[2]) << 40) |
-               (((unsigned long long)bytes[3]) << 32) |
-               (((unsigned long long)bytes[4]) << 24) |
-               (((unsigned long long)bytes[5]) << 16) |
-               (((unsigned long long)bytes[6]) <<  8) |
-               (((unsigned long long)bytes[7])      );
-
-       return num;
-       }
-
-static void
-long_long_to_bytes(unsigned long long num, unsigned char *bytes)
-       {
-       bytes[0] = (unsigned char)((num >> 56)&0xff);
-       bytes[1] = (unsigned char)((num >> 48)&0xff);
-       bytes[2] = (unsigned char)((num >> 40)&0xff);
-       bytes[3] = (unsigned char)((num >> 32)&0xff);
-       bytes[4] = (unsigned char)((num >> 24)&0xff);
-       bytes[5] = (unsigned char)((num >> 16)&0xff);
-       bytes[6] = (unsigned char)((num >>  8)&0xff);
-       bytes[7] = (unsigned char)((num      )&0xff);
-       }
 
 static void
 dtls1_clear_timeouts(SSL *s)