typo
[openssl.git] / ssl / d1_pkt.c
index bf189f1..aefd85d 100644 (file)
 #include <openssl/evp.h>
 #include <openssl/buffer.h>
 #include <openssl/pqueue.h>
+#include <openssl/rand.h>
 
 /* mod 128 saturating subtract of two 64-bit values in big-endian order */
 static int satsub64be(const unsigned char *v1,const unsigned char *v2)
@@ -178,7 +179,6 @@ static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
 static int dtls1_buffer_record(SSL *s, record_pqueue *q,
        unsigned char *priority);
 static int dtls1_process_record(SSL *s);
-static void dtls1_clear_timeouts(SSL *s);
 
 /* copy buffered record into SSL structure */
 static int
@@ -195,6 +195,9 @@ dtls1_copy_record(SSL *s, pitem *item)
     s->packet_length = rdata->packet_length;
     memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
     memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
+       
+       /* Set proper sequence number for mac calculation */
+       memcpy(&(s->s3->read_sequence[2]), &(rdata->packet[5]), 6);
     
     return(1);
     }
@@ -206,6 +209,10 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
        DTLS1_RECORD_DATA *rdata;
        pitem *item;
 
+       /* Limit the size of the queue to prevent DOS attacks */
+       if (pqueue_size(queue->q) >= 100)
+               return 0;
+               
        rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
        item = pitem_new(priority, rdata);
        if (rdata == NULL || item == NULL)
@@ -224,6 +231,14 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
 
        item->data = rdata;
 
+#ifndef OPENSSL_NO_SCTP
+       /* Store bio_dgram_sctp_rcvinfo struct */
+       if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
+           (s->state == SSL3_ST_SR_FINISHED_A || s->state == SSL3_ST_CR_FINISHED_A)) {
+               BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SCTP_GET_RCVINFO, sizeof(rdata->recordinfo), &rdata->recordinfo);
+       }
+#endif
+
        /* insert should not fail, since duplicates are dropped */
        if (pqueue_insert(queue->q, item) == NULL)
                {
@@ -288,9 +303,6 @@ dtls1_process_buffered_records(SSL *s)
     item = pqueue_peek(s->d1->unprocessed_rcds.q);
     if (item)
         {
-        DTLS1_RECORD_DATA *rdata;
-        rdata = (DTLS1_RECORD_DATA *)item->data;
-        
         /* Check if epoch is current. */
         if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch)
             return(1);  /* Nothing to do. */
@@ -364,14 +376,12 @@ static int
 dtls1_process_record(SSL *s)
 {
        int i,al;
-       int clear=0;
        int enc_err;
        SSL_SESSION *sess;
        SSL3_RECORD *rr;
        unsigned int mac_size;
        unsigned char md[EVP_MAX_MD_SIZE];
 
-
        rr= &(s->s3->rrec);
        sess = s->session;
 
@@ -400,16 +410,19 @@ dtls1_process_record(SSL *s)
 
        /* decrypt in place in 'rr->input' */
        rr->data=rr->input;
+       rr->orig_len=rr->length;
 
        enc_err = s->method->ssl3_enc->enc(s,0);
-       if (enc_err <= 0)
+       /* enc_err is:
+        *    0: (in non-constant time) if the record is publically invalid.
+        *    1: if the padding is valid
+        *    -1: if the padding is invalid */
+       if (enc_err == 0)
                {
-               if (enc_err == 0)
-                       /* SSLerr() and ssl3_send_alert() have been called */
-                       goto err;
-
-               /* otherwise enc_err == -1 */
-               goto decryption_failed_or_bad_record_mac;
+               /* For DTLS we simply ignore bad packets. */
+               rr->length = 0;
+               s->packet_length = 0;
+               goto err;
                }
 
 #ifdef TLS_DEBUG
@@ -419,42 +432,64 @@ printf("\n");
 #endif
 
        /* r->length is now the compressed data plus mac */
-       if (    (sess == NULL) ||
-               (s->enc_read_ctx == NULL) ||
-               (s->read_hash == NULL))
-       clear=1;
-
-       if (!clear)
+       if ((sess != NULL) &&
+           (s->enc_read_ctx != NULL) &&
+           (EVP_MD_CTX_md(s->read_hash) != NULL))
                {
+               /* s->read_hash != NULL => mac_size != -1 */
+               unsigned char *mac = NULL;
+               unsigned char mac_tmp[EVP_MAX_MD_SIZE];
                mac_size=EVP_MD_CTX_size(s->read_hash);
+               OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
 
-               if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
-                       {
-#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
-                       al=SSL_AD_RECORD_OVERFLOW;
-                       SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
-                       goto f_err;
-#else
-                       goto decryption_failed_or_bad_record_mac;
-#endif                 
-                       }
-               /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
-               if (rr->length < mac_size)
+               /* orig_len is the length of the record before any padding was
+                * removed. This is public information, as is the MAC in use,
+                * therefore we can safely process the record in a different
+                * amount of time if it's too short to possibly contain a MAC.
+                */
+               if (rr->orig_len < mac_size ||
+                   /* CBC records must have a padding length byte too. */
+                   (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
+                    rr->orig_len < mac_size+1))
                        {
-#if 0 /* OK only for stream ciphers */
                        al=SSL_AD_DECODE_ERROR;
                        SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
                        goto f_err;
-#else
-                       goto decryption_failed_or_bad_record_mac;
-#endif
                        }
-               rr->length-=mac_size;
-               i=s->method->ssl3_enc->mac(s,md,0);
-               if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
+
+               if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE)
+                       {
+                       /* We update the length so that the TLS header bytes
+                        * can be constructed correctly but we need to extract
+                        * the MAC in constant time from within the record,
+                        * without leaking the contents of the padding bytes.
+                        * */
+                       mac = mac_tmp;
+                       ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
+                       rr->length -= mac_size;
+                       }
+               else
                        {
-                       goto decryption_failed_or_bad_record_mac;
+                       /* In this case there's no padding, so |rec->orig_len|
+                        * equals |rec->length| and we checked that there's
+                        * enough bytes for |mac_size| above. */
+                       rr->length -= mac_size;
+                       mac = &rr->data[rr->length];
                        }
+
+               i=s->method->ssl3_enc->mac(s,md,0 /* not send */);
+               if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
+                       enc_err = -1;
+               if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
+                       enc_err = -1;
+               }
+
+       if (enc_err < 0)
+               {
+               /* decryption failed, silently discard message */
+               rr->length = 0;
+               s->packet_length = 0;
+               goto err;
                }
 
        /* r->length is now just compressed */
@@ -495,14 +530,6 @@ printf("\n");
        dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */
        return(1);
 
-decryption_failed_or_bad_record_mac:
-       /* Separate 'decryption_failed' alert was introduced with TLS 1.0,
-        * SSL 3.0 only has 'bad_record_mac'.  But unless a decryption
-        * failure is directly visible from the ciphertext anyway,
-        * we should not reveal which kind of error occured -- this
-        * might become visible to an attacker (e.g. via logfile) */
-       al=SSL_AD_BAD_RECORD_MAC;
-       SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
 f_err:
        ssl3_send_alert(s,SSL3_AL_FATAL,al);
 err:
@@ -521,22 +548,19 @@ err:
 /* used only by dtls1_read_bytes */
 int dtls1_get_record(SSL *s)
        {
-       int ssl_major,ssl_minor,al;
+       int ssl_major,ssl_minor;
        int i,n;
        SSL3_RECORD *rr;
-       SSL_SESSION *sess;
-       unsigned char *p;
-       short version;
+       unsigned char *p = NULL;
+       unsigned short version;
        DTLS1_BITMAP *bitmap;
        unsigned int is_next_epoch;
 
        rr= &(s->s3->rrec);
-       sess=s->session;
 
        /* The epoch may have changed.  If so, process all the
         * pending records.  This is a non-blocking operation. */
-       if ( ! dtls1_process_buffered_records(s))
-            return 0;
+       dtls1_process_buffered_records(s);
 
        /* if we're renegotiating, then there may be buffered records */
        if (dtls1_get_processed_record(s))
@@ -552,12 +576,20 @@ again:
                /* read timeout is handled by dtls1_read_bytes */
                if (n <= 0) return(n); /* error or non-blocking */
 
-               OPENSSL_assert(s->packet_length == DTLS1_RT_HEADER_LENGTH);
+               /* this packet contained a partial record, dump it */
+               if (s->packet_length != DTLS1_RT_HEADER_LENGTH)
+                       {
+                       s->packet_length = 0;
+                       goto again;
+                       }
 
                s->rstate=SSL_ST_READ_BODY;
 
                p=s->packet;
 
+               if (s->msg_callback)
+                       s->msg_callback(0, 0, SSL3_RT_HEADER, p, DTLS1_RT_HEADER_LENGTH, s, s->msg_callback_arg);
+
                /* Pull apart the header into the DTLS1_RECORD */
                rr->type= *(p++);
                ssl_major= *(p++);
@@ -577,26 +609,27 @@ again:
                        {
                        if (version != s->version)
                                {
-                               SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
-                               /* Send back error using their
-                                * version number :-) */
-                               s->version=version;
-                               al=SSL_AD_PROTOCOL_VERSION;
-                               goto f_err;
+                               /* unexpected version, silently discard */
+                               rr->length = 0;
+                               s->packet_length = 0;
+                               goto again;
                                }
                        }
 
-               if ((version & 0xff00) != (DTLS1_VERSION & 0xff00))
+               if ((version & 0xff00) != (s->version & 0xff00))
                        {
-                       SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
-                       goto err;
+                       /* wrong version, silently discard record */
+                       rr->length = 0;
+                       s->packet_length = 0;
+                       goto again;
                        }
 
                if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH)
                        {
-                       al=SSL_AD_RECORD_OVERFLOW;
-                       SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
-                       goto f_err;
+                       /* record too long, silently discard it */
+                       rr->length = 0;
+                       s->packet_length = 0;
+                       goto again;
                        }
 
                /* now s->rstate == SSL_ST_READ_BODY */
@@ -614,6 +647,7 @@ again:
                /* this packet contained a partial record, dump it */
                if ( n != i)
                        {
+                       rr->length = 0;
                        s->packet_length = 0;
                        goto again;
                        }
@@ -627,43 +661,62 @@ again:
        bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
        if ( bitmap == NULL)
                {
+               rr->length = 0;
                s->packet_length = 0;  /* dump this record */
                goto again;   /* get another record */
                }
 
-       /* check whether this is a repeat, or aged record */
-       if ( ! dtls1_record_replay_check(s, bitmap))
-               {
-               s->packet_length=0; /* dump this record */
-               goto again;     /* get another record */
-               }
+#ifndef OPENSSL_NO_SCTP
+       /* Only do replay check if no SCTP bio */
+       if (!BIO_dgram_is_sctp(SSL_get_rbio(s)))
+               {
+#endif
+               /* Check whether this is a repeat, or aged record.
+                * Don't check if we're listening and this message is
+                * a ClientHello. They can look as if they're replayed,
+                * since they arrive from different connections and
+                * would be dropped unnecessarily.
+                */
+               if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE &&
+                   *p == SSL3_MT_CLIENT_HELLO) &&
+                   !dtls1_record_replay_check(s, bitmap))
+                       {
+                       rr->length = 0;
+                       s->packet_length=0; /* dump this record */
+                       goto again;     /* get another record */
+                       }
+#ifndef OPENSSL_NO_SCTP
+               }
+#endif
 
        /* just read a 0 length packet */
        if (rr->length == 0) goto again;
 
        /* If this record is from the next epoch (either HM or ALERT),
-        * buffer it since it cannot be processed at this time. Records
-        * from the next epoch are marked as received even though they
-        * are not processed, so as to prevent any potential resource
-        * DoS attack */
+        * and a handshake is currently in progress, buffer it since it
+        * cannot be processed at this time. However, do not buffer
+        * anything while listening.
+        */
        if (is_next_epoch)
                {
-               dtls1_record_bitmap_update(s, bitmap);
-               dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
+               if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen)
+                       {
+                       dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
+                       }
+               rr->length = 0;
                s->packet_length = 0;
                goto again;
                }
 
-       if ( ! dtls1_process_record(s))
-               return(0);
+       if (!dtls1_process_record(s))
+               {
+               rr->length = 0;
+               s->packet_length = 0;  /* dump this record */
+               goto again;   /* get another record */
+               }
 
-       dtls1_clear_timeouts(s);  /* done waiting */
        return(1);
 
-f_err:
-       ssl3_send_alert(s,SSL3_AL_FATAL,al);
-err:
-       return(0);
        }
 
 /* Return up to 'len' payload bytes received in 'type' records.
@@ -719,7 +772,17 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
 
        /* Now s->d1->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
 
+#ifndef OPENSSL_NO_SCTP
+       /* Continue handshake if it had to be interrupted to read
+        * app data with SCTP.
+        */
+       if ((!s->in_handshake && SSL_in_init(s)) ||
+           (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
+            (s->state == DTLS1_SCTP_ST_SR_READ_SOCK || s->state == DTLS1_SCTP_ST_CR_READ_SOCK) &&
+            s->s3->in_read_app_data != 2))
+#else
        if (!s->in_handshake && SSL_in_init(s))
+#endif
                {
                /* type == SSL3_RT_APPLICATION_DATA */
                i=s->handshake_func(s);
@@ -740,6 +803,36 @@ start:
         * s->s3->rrec.length,  - number of bytes. */
        rr = &(s->s3->rrec);
 
+       /* We are not handshaking and have no data yet,
+        * so process data buffered during the last handshake
+        * in advance, if any.
+        */
+       if (s->state == SSL_ST_OK && rr->length == 0)
+               {
+               pitem *item;
+               item = pqueue_pop(s->d1->buffered_app_data.q);
+               if (item)
+                       {
+#ifndef OPENSSL_NO_SCTP
+                       /* Restore bio_dgram_sctp_rcvinfo struct */
+                       if (BIO_dgram_is_sctp(SSL_get_rbio(s)))
+                               {
+                               DTLS1_RECORD_DATA *rdata = (DTLS1_RECORD_DATA *) item->data;
+                               BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SCTP_SET_RCVINFO, sizeof(rdata->recordinfo), &rdata->recordinfo);
+                               }
+#endif
+
+                       dtls1_copy_record(s, item);
+
+                       OPENSSL_free(item->data);
+                       pitem_free(item);
+                       }
+               }
+
+       /* Check for timeout */
+       if (dtls1_handle_timeout(s) > 0)
+               goto start;
+
        /* get new packet if necessary */
        if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
                {
@@ -755,15 +848,26 @@ start:
                        }
                }
 
+       if (s->d1->listen && rr->type != SSL3_RT_HANDSHAKE)
+               {
+               rr->length = 0;
+               goto start;
+               }
+
        /* we now have a packet which can be read and processed */
 
        if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
                                       * reset by ssl3_get_finished */
                && (rr->type != SSL3_RT_HANDSHAKE))
                {
-               al=SSL_AD_UNEXPECTED_MESSAGE;
-               SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
-               goto err;
+               /* We now have application data between CCS and Finished.
+                * Most likely the packets were reordered on their way, so
+                * buffer the application data for later processing rather
+                * than dropping the connection.
+                */
+               dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num);
+               rr->length = 0;
+               goto start;
                }
 
        /* If the other end has shut down, throw anything we read away
@@ -806,6 +910,31 @@ start:
                                rr->off=0;
                                }
                        }
+
+#ifndef OPENSSL_NO_SCTP
+                       /* We were about to renegotiate but had to read
+                        * belated application data first, so retry.
+                        */
+                       if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
+                           rr->type == SSL3_RT_APPLICATION_DATA &&
+                           (s->state == DTLS1_SCTP_ST_SR_READ_SOCK || s->state == DTLS1_SCTP_ST_CR_READ_SOCK))
+                               {
+                               s->rwstate=SSL_READING;
+                               BIO_clear_retry_flags(SSL_get_rbio(s));
+                               BIO_set_retry_read(SSL_get_rbio(s));
+                               }
+
+                       /* We might had to delay a close_notify alert because
+                        * of reordered app data. If there was an alert and there
+                        * is no message to read anymore, finally set shutdown.
+                        */
+                       if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
+                           s->d1->shutdown_received && !BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s)))
+                               {
+                               s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+                               return(0);
+                               }
+#endif                 
                return(n);
                }
 
@@ -833,15 +962,41 @@ start:
                        dest = s->d1->alert_fragment;
                        dest_len = &s->d1->alert_fragment_len;
                        }
-                /* else it's a CCS message, or it's wrong */
-                else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC)
-                        {
-                          /* Not certain if this is the right error handling */
-                          al=SSL_AD_UNEXPECTED_MESSAGE;
-                          SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
-                          goto f_err;
-                        }
+#ifndef OPENSSL_NO_HEARTBEATS
+               else if (rr->type == TLS1_RT_HEARTBEAT)
+                       {
+                       dtls1_process_heartbeat(s);
 
+                       /* Exit and notify application to read again */
+                       rr->length = 0;
+                       s->rwstate=SSL_READING;
+                       BIO_clear_retry_flags(SSL_get_rbio(s));
+                       BIO_set_retry_read(SSL_get_rbio(s));
+                       return(-1);
+                       }
+#endif
+               /* else it's a CCS message, or application data or wrong */
+               else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC)
+                       {
+                       /* Application data while renegotiating
+                        * is allowed. Try again reading.
+                        */
+                       if (rr->type == SSL3_RT_APPLICATION_DATA)
+                               {
+                               BIO *bio;
+                               s->s3->in_read_app_data=2;
+                               bio=SSL_get_rbio(s);
+                               s->rwstate=SSL_READING;
+                               BIO_clear_retry_flags(bio);
+                               BIO_set_retry_read(bio);
+                               return(-1);
+                               }
+
+                       /* Not certain if this is the right error handling */
+                       al=SSL_AD_UNEXPECTED_MESSAGE;
+                       SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
+                       goto f_err;
+                       }
 
                if (dest_maxlen > 0)
                        {
@@ -849,6 +1004,14 @@ start:
              *  may be fragmented--don't always expect dest_maxlen bytes */
                        if ( rr->length < dest_maxlen)
                                {
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
+                               /*
+                                * for normal alerts rr->length is 2, while
+                                * dest_maxlen is 7 if we were to handle this
+                                * non-existing alert...
+                                */
+                               FIX ME
+#endif
                                s->rstate=SSL_ST_READ_HEADER;
                                rr->length = 0;
                                goto start;
@@ -895,6 +1058,8 @@ start:
                        !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
                        !s->s3->renegotiate)
                        {
+                       s->d1->handshake_read_seq++;
+                       s->new_session = 1;
                        ssl3_renegotiate(s);
                        if (ssl3_renegotiate_check(s))
                                {
@@ -956,6 +1121,21 @@ start:
                        s->s3->warn_alert = alert_descr;
                        if (alert_descr == SSL_AD_CLOSE_NOTIFY)
                                {
+#ifndef OPENSSL_NO_SCTP
+                               /* With SCTP and streams the socket may deliver app data
+                                * after a close_notify alert. We have to check this
+                                * first so that nothing gets discarded.
+                                */
+                               if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
+                                       BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s)))
+                                       {
+                                       s->d1->shutdown_received = 1;
+                                       s->rwstate=SSL_READING;
+                                       BIO_clear_retry_flags(SSL_get_rbio(s));
+                                       BIO_set_retry_read(SSL_get_rbio(s));
+                                       return -1;
+                                       }
+#endif
                                s->shutdown |= SSL_RECEIVED_SHUTDOWN;
                                return(0);
                                }
@@ -971,7 +1151,9 @@ start:
                                n2s(p, seq);
                                n2l3(p, frag_off);
 
-                               dtls1_retransmit_message(s, seq, frag_off, &found);
+                               dtls1_retransmit_message(s,
+                                                                                dtls1_get_queue_priority(frag->msg_header.seq, 0),
+                                                                                frag_off, &found);
                                if ( ! found  && SSL_in_init(s))
                                        {
                                        /* fprintf( stderr,"in init = %d\n", SSL_in_init(s)); */
@@ -1014,47 +1196,62 @@ start:
                }
 
        if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
-        {
-        struct ccs_header_st ccs_hdr;
+               {
+               struct ccs_header_st ccs_hdr;
+               unsigned int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH;
 
                dtls1_get_ccs_header(rr->data, &ccs_hdr);
 
-               if ( ccs_hdr.seq == s->d1->handshake_read_seq)
+               if (s->version == DTLS1_BAD_VER)
+                       ccs_hdr_len = 3;
+
+               /* 'Change Cipher Spec' is just a single byte, so we know
+                * exactly what the record payload has to look like */
+               /* XDTLS: check that epoch is consistent */
+               if (    (rr->length != ccs_hdr_len) || 
+                       (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
                        {
-                       /* 'Change Cipher Spec' is just a single byte, so we know
-                        * exactly what the record payload has to look like */
-                       /* XDTLS: check that epoch is consistent */
-                       if (    (rr->length != DTLS1_CCS_HEADER_LENGTH) || 
-                               (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
-                               {
-                               i=SSL_AD_ILLEGAL_PARAMETER;
-                               SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
-                               goto err;
-                               }
-                       
-                       rr->length=0;
-                       
-                       if (s->msg_callback)
-                               s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, 
-                                       rr->data, 1, s, s->msg_callback_arg);
-                       
-                       s->s3->change_cipher_spec=1;
-                       if (!ssl3_do_change_cipher_spec(s))
-                               goto err;
-                       
-                       /* do this whenever CCS is processed */
-                       dtls1_reset_seq_numbers(s, SSL3_CC_READ);
-                       
-                       /* handshake read seq is reset upon handshake completion */
-                       s->d1->handshake_read_seq++;
-                       
-                       goto start;
+                       i=SSL_AD_ILLEGAL_PARAMETER;
+                       SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
+                       goto err;
                        }
-               else
+
+               rr->length=0;
+
+               if (s->msg_callback)
+                       s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, 
+                               rr->data, 1, s, s->msg_callback_arg);
+
+               /* We can't process a CCS now, because previous handshake
+                * messages are still missing, so just drop it.
+                */
+               if (!s->d1->change_cipher_spec_ok)
                        {
-                       rr->length = 0;
                        goto start;
                        }
+
+               s->d1->change_cipher_spec_ok = 0;
+
+               s->s3->change_cipher_spec=1;
+               if (!ssl3_do_change_cipher_spec(s))
+                       goto err;
+
+               /* do this whenever CCS is processed */
+               dtls1_reset_seq_numbers(s, SSL3_CC_READ);
+
+               if (s->version == DTLS1_BAD_VER)
+                       s->d1->handshake_read_seq++;
+
+#ifndef OPENSSL_NO_SCTP
+               /* Remember that a CCS has been received,
+                * so that an old key of SCTP-Auth can be
+                * deleted when a CCS is sent. Will be ignored
+                * if no SCTP is used
+                */
+               BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
+#endif
+
+               goto start;
                }
 
        /* Unexpected handshake message (Client Hello, or protocol violation) */
@@ -1071,6 +1268,19 @@ start:
                        goto start;
                        }
 
+               /* If we are server, we may have a repeated FINISHED of the
+                * client here, then retransmit our CCS and FINISHED.
+                */
+               if (msg_hdr.type == SSL3_MT_FINISHED)
+                       {
+                       if (dtls1_check_timeout_num(s) < 0)
+                               return -1;
+
+                       dtls1_retransmit_buffered_messages(s);
+                       rr->length = 0;
+                       goto start;
+                       }
+
                if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
                        !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
                        {
@@ -1083,6 +1293,7 @@ start:
 #else
                        s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
 #endif
+                       s->renegotiate=1;
                        s->new_session=1;
                        }
                i=s->handshake_func(s);
@@ -1177,10 +1388,18 @@ err:
 int
 dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len)
        {
-       unsigned int n,tot;
        int i;
 
-       if (SSL_in_init(s) && !s->in_handshake)
+#ifndef OPENSSL_NO_SCTP
+               /* Check if we have to continue an interrupted handshake
+                * for reading belated app data with SCTP.
+                */
+               if ((SSL_in_init(s) && !s->in_handshake) ||
+                   (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
+                    (s->state == DTLS1_SCTP_ST_SR_READ_SOCK || s->state == DTLS1_SCTP_ST_CR_READ_SOCK)))
+#else
+               if (SSL_in_init(s) && !s->in_handshake)
+#endif
                {
                i=s->handshake_func(s);
                if (i < 0) return(i);
@@ -1191,31 +1410,14 @@ dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len)
                        }
                }
 
-       tot = s->s3->wnum;
-       n = len - tot;
-
-       while( n)
+       if (len > SSL3_RT_MAX_PLAIN_LENGTH)
                {
-               /* dtls1_write_bytes sends one record at a time, sized according to 
-                * the currently known MTU */
-               i = dtls1_write_bytes(s, type, buf_, len);
-               if (i <= 0) return i;
-               
-               if ((i == (int)n) ||
-                       (type == SSL3_RT_APPLICATION_DATA &&
-                               (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
-                       {
-                       /* next chunk of data should get another prepended empty fragment
-                        * in ciphersuites with known-IV weakness: */
-                       s->s3->empty_fragment_done = 0;
-                       return tot+i;
-                       }
-
-               tot += i;
-               n-=i;
+                       SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES,SSL_R_DTLS_MESSAGE_TOO_BIG);
+                       return -1;
                }
 
-       return tot;
+       i = dtls1_write_bytes(s, type, buf_, len);
+       return i;
        }
 
 
@@ -1256,47 +1458,14 @@ have_handshake_fragment(SSL *s, int type, unsigned char *buf,
 /* Call this to write data in records of type 'type'
  * It will return <= 0 if not all data has been sent or non-blocking IO.
  */
-int dtls1_write_bytes(SSL *s, int type, const void *buf_, int len)
+int dtls1_write_bytes(SSL *s, int type, const void *buf, int len)
        {
-       const unsigned char *buf=buf_;
-       unsigned int tot,n,nw;
        int i;
-       unsigned int mtu;
 
+       OPENSSL_assert(len <= SSL3_RT_MAX_PLAIN_LENGTH);
        s->rwstate=SSL_NOTHING;
-       tot=s->s3->wnum;
-
-       n=(len-tot);
-
-       /* handshake layer figures out MTU for itself, but data records
-        * are also sent through this interface, so need to figure out MTU */
-#if 0
-       mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_MTU, 0, NULL);
-       mtu += DTLS1_HM_HEADER_LENGTH;  /* HM already inserted */
-#endif
-       mtu = s->d1->mtu;
-
-       if (mtu > SSL3_RT_MAX_PLAIN_LENGTH)
-               mtu = SSL3_RT_MAX_PLAIN_LENGTH;
-
-       if (n > mtu)
-               nw=mtu;
-       else
-               nw=n;
-       
-       i=do_dtls1_write(s, type, &(buf[tot]), nw, 0);
-       if (i <= 0)
-               {
-               s->s3->wnum=tot;
-               return i;
-               }
-
-       if ( (int)s->s3->wnum + i == len)
-               s->s3->wnum = 0;
-       else 
-               s->s3->wnum += i;
-
-       return tot + i;
+       i=do_dtls1_write(s, type, buf, len, 0);
+       return i;
        }
 
 int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, int create_empty_fragment)
@@ -1304,10 +1473,10 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
        unsigned char *p,*pseq;
        int i,mac_size,clear=0;
        int prefix_len = 0;
+       int eivlen;
        SSL3_RECORD *wr;
        SSL3_BUFFER *wb;
        SSL_SESSION *sess;
-       int bs;
 
        /* first check if there is a SSL3_BUFFER still being written
         * out.  This will happen with non blocking IO */
@@ -1341,13 +1510,17 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
        if (clear)
                mac_size=0;
        else
+               {
                mac_size=EVP_MD_CTX_size(s->write_hash);
+               if (mac_size < 0)
+                       goto err;
+               }
 
        /* DTLS implements explicit IV, so no need for empty fragments */
 #if 0
        /* 'create_empty_fragment' is true only when this function calls itself */
        if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done
-               && SSL_version(s) != DTLS1_VERSION)
+           && SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
                {
                /* countermeasure against known-IV weakness in CBC ciphersuites
                 * (see http://www.openssl.org/~bodo/tls-cbc.txt) 
@@ -1374,33 +1547,52 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
                s->s3->empty_fragment_done = 1;
                }
 #endif
-
        p = wb->buf + prefix_len;
 
        /* write the header */
 
        *(p++)=type&0xff;
        wr->type=type;
-
-       *(p++)=(s->version>>8);
-       *(p++)=s->version&0xff;
+       /* Special case: for hello verify request, client version 1.0 and
+        * we haven't decided which version to use yet send back using 
+        * version 1.0 header: otherwise some clients will ignore it.
+        */
+       if (s->method->version == DTLS_ANY_VERSION)
+               {
+               *(p++)=DTLS1_VERSION>>8;
+               *(p++)=DTLS1_VERSION&0xff;
+               }
+       else
+               {
+               *(p++)=s->version>>8;
+               *(p++)=s->version&0xff;
+               }
 
        /* field where we are to write out packet epoch, seq num and len */
        pseq=p; 
        p+=10;
 
-       /* lets setup the record stuff. */
-
-       /* Make space for the explicit IV in case of CBC.
-        * (this is a bit of a boundary violation, but what the heck).
-        */
-       if ( s->enc_write_ctx && 
-               (EVP_CIPHER_mode( s->enc_write_ctx->cipher ) & EVP_CIPH_CBC_MODE))
-               bs = EVP_CIPHER_block_size(s->enc_write_ctx->cipher);
-       else
-               bs = 0;
+       /* Explicit IV length, block ciphers appropriate version flag */
+       if (s->enc_write_ctx)
+               {
+               int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx);
+               if (mode == EVP_CIPH_CBC_MODE)
+                       {
+                       eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx);
+                       if (eivlen <= 1)
+                               eivlen = 0;
+                       }
+               /* Need explicit part of IV for GCM mode */
+               else if (mode == EVP_CIPH_GCM_MODE)
+                       eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN;
+               else
+                       eivlen = 0;
+               }
+       else 
+               eivlen = 0;
 
-       wr->data=p + bs;  /* make room for IV in case of CBC */
+       /* lets setup the record stuff. */
+       wr->data=p + eivlen;  /* make room for IV in case of CBC */
        wr->length=(int)len;
        wr->input=(unsigned char *)buf;
 
@@ -1428,7 +1620,8 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
 
        if (mac_size != 0)
                {
-               s->method->ssl3_enc->mac(s,&(p[wr->length + bs]),1);
+               if(s->method->ssl3_enc->mac(s,&(p[wr->length + eivlen]),1) < 0)
+                       goto err;
                wr->length+=mac_size;
                }
 
@@ -1436,10 +1629,9 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
        wr->input=p;
        wr->data=p;
 
+       if (eivlen)
+               wr->length += eivlen;
 
-       /* ssl3_enc can only have an error on read */
-       wr->length += bs;  /* bs != 0 in case of CBC.  The enc fn provides
-                                               * the randomness */ 
        s->method->ssl3_enc->enc(s,1);
 
        /* record length after mac and block padding */
@@ -1458,6 +1650,9 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
        pseq+=6;
        s2n(wr->length,pseq);
 
+       if (s->msg_callback)
+               s->msg_callback(1, 0, SSL3_RT_HEADER, pseq - DTLS1_RT_HEADER_LENGTH, DTLS1_RT_HEADER_LENGTH, s, s->msg_callback_arg);
+
        /* we should now have
         * wr->data pointing to the encrypted data, which is
         * wr->length long */
@@ -1550,7 +1745,7 @@ int dtls1_dispatch_alert(SSL *s)
        {
        int i,j;
        void (*cb)(const SSL *ssl,int type,int val)=NULL;
-       unsigned char buf[2 + 2 + 3]; /* alert level + alert desc + message seq +frag_off */
+       unsigned char buf[DTLS1_AL_HEADER_LENGTH];
        unsigned char *ptr = &buf[0];
 
        s->s3->alert_dispatch=0;
@@ -1714,15 +1909,9 @@ dtls1_reset_seq_numbers(SSL *s, int rw)
        else
                {
                seq = s->s3->write_sequence;
+               memcpy(s->d1->last_write_sequence, seq, sizeof(s->s3->write_sequence));
                s->d1->w_epoch++;
                }
 
        memset(seq, 0x00, seq_bytes);
        }
-
-
-static void
-dtls1_clear_timeouts(SSL *s)
-       {
-       memset(&(s->d1->timeout), 0x00, sizeof(struct dtls1_timeout_st));
-       }