PR: 1833
[openssl.git] / ssl / d1_pkt.c
index 77e1031..ee67561 100644 (file)
 #include <openssl/evp.h>
 #include <openssl/buffer.h>
 #include <openssl/pqueue.h>
+#include <openssl/rand.h>
+
+/* mod 128 saturating subtract of two 64-bit values in big-endian order */
+static int satsub64be(const unsigned char *v1,const unsigned char *v2)
+{      int ret,sat,brw,i;
+
+       if (sizeof(long) == 8) do
+       {       const union { long one; char little; } is_endian = {1};
+               long l;
+
+               if (is_endian.little)                   break;
+               /* not reached on little-endians */
+               /* following test is redundant, because input is
+                * always aligned, but I take no chances... */
+               if (((size_t)v1|(size_t)v2)&0x7)        break;
+
+               l  = *((long *)v1);
+               l -= *((long *)v2);
+               if (l>128)              return 128;
+               else if (l<-128)        return -128;
+               else                    return (int)l;
+       } while (0);
+
+       ret = (int)v1[7]-(int)v2[7];
+       sat = 0;
+       brw = ret>>8;   /* brw is either 0 or -1 */
+       if (ret & 0x80)
+       {       for (i=6;i>=0;i--)
+               {       brw += (int)v1[i]-(int)v2[i];
+                       sat |= ~brw;
+                       brw >>= 8;
+               }
+       }
+       else
+       {       for (i=6;i>=0;i--)
+               {       brw += (int)v1[i]-(int)v2[i];
+                       sat |= brw;
+                       brw >>= 8;
+               }
+       }
+       brw <<= 8;      /* brw is either 0 or -256 */
+
+       if (sat&0xff)   return brw | 0x80;
+       else            return brw + (ret&0xFF);
+}
 
 static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, 
        int len, int peek);
-static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap,
-       PQ_64BIT *seq_num);
+static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap);
 static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);
 static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, 
     unsigned int *is_next_epoch);
@@ -133,11 +177,8 @@ static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
        unsigned short *priority, unsigned long *offset);
 #endif
 static int dtls1_buffer_record(SSL *s, record_pqueue *q,
-       PQ_64BIT priority);
+       unsigned char *priority);
 static int dtls1_process_record(SSL *s);
-#if !(defined(OPENSSL_SYS_VMS) || defined(VMS_TEST))
-static PQ_64BIT bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num);
-#endif
 static void dtls1_clear_timeouts(SSL *s);
 
 /* copy buffered record into SSL structure */
@@ -155,17 +196,24 @@ dtls1_copy_record(SSL *s, pitem *item)
     s->packet_length = rdata->packet_length;
     memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
     memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
+       
+       /* Set proper sequence number for mac calculation */
+       memcpy(&(s->s3->read_sequence[2]), &(rdata->packet[5]), 6);
     
     return(1);
     }
 
 
 static int
-dtls1_buffer_record(SSL *s, record_pqueue *queue, PQ_64BIT priority)
-{
-    DTLS1_RECORD_DATA *rdata;
+dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
+       {
+       DTLS1_RECORD_DATA *rdata;
        pitem *item;
 
+       /* Limit the size of the queue to prevent DOS attacks */
+       if (pqueue_size(queue->q) >= 100)
+               return 0;
+               
        rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
        item = pitem_new(priority, rdata);
        if (rdata == NULL || item == NULL)
@@ -197,10 +245,16 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, PQ_64BIT priority)
        memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));
        memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD));
        
-       ssl3_setup_buffers(s);
+       if (!ssl3_setup_buffers(s))
+               {
+               SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
+               OPENSSL_free(rdata);
+               pitem_free(item);
+               return(0);
+               }
        
        return(1);
-    }
+       }
 
 
 static int
@@ -242,9 +296,6 @@ dtls1_process_buffered_records(SSL *s)
     item = pqueue_peek(s->d1->unprocessed_rcds.q);
     if (item)
         {
-        DTLS1_RECORD_DATA *rdata;
-        rdata = (DTLS1_RECORD_DATA *)item->data;
-        
         /* Check if epoch is current. */
         if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch)
             return(1);  /* Nothing to do. */
@@ -317,17 +368,17 @@ dtls1_get_buffered_record(SSL *s)
 static int
 dtls1_process_record(SSL *s)
 {
-    int i,al;
+       int i,al;
        int clear=0;
-    int enc_err;
+       int enc_err;
        SSL_SESSION *sess;
-    SSL3_RECORD *rr;
+       SSL3_RECORD *rr;
        unsigned int mac_size;
        unsigned char md[EVP_MAX_MD_SIZE];
 
 
        rr= &(s->s3->rrec);
-    sess = s->session;
+       sess = s->session;
 
        /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
         * and we have that many bytes in s->packet
@@ -363,7 +414,7 @@ dtls1_process_record(SSL *s)
                        goto err;
 
                /* otherwise enc_err == -1 */
-               goto decryption_failed_or_bad_record_mac;
+               goto err;
                }
 
 #ifdef TLS_DEBUG
@@ -373,14 +424,18 @@ printf("\n");
 #endif
 
        /* r->length is now the compressed data plus mac */
-if (   (sess == NULL) ||
+       if (    (sess == NULL) ||
                (s->enc_read_ctx == NULL) ||
                (s->read_hash == NULL))
-    clear=1;
+               clear=1;
 
        if (!clear)
                {
-               mac_size=EVP_MD_size(s->read_hash);
+               /* !clear => s->read_hash != NULL => mac_size != -1 */
+               int t;
+               t=EVP_MD_CTX_size(s->read_hash);
+               OPENSSL_assert(t >= 0);
+               mac_size=t;
 
                if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
                        {
@@ -389,7 +444,7 @@ if (        (sess == NULL) ||
                        SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
                        goto f_err;
 #else
-                       goto decryption_failed_or_bad_record_mac;
+                       goto err;
 #endif                 
                        }
                /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
@@ -400,14 +455,14 @@ if (      (sess == NULL) ||
                        SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
                        goto f_err;
 #else
-                       goto decryption_failed_or_bad_record_mac;
+                       goto err;
 #endif
                        }
                rr->length-=mac_size;
                i=s->method->ssl3_enc->mac(s,md,0);
-               if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
+               if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
                        {
-                       goto decryption_failed_or_bad_record_mac;
+                       goto err;
                        }
                }
 
@@ -446,17 +501,9 @@ if (       (sess == NULL) ||
 
        /* we have pulled in a full packet so zero things */
        s->packet_length=0;
-    dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */
-    return(1);
+       dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */
+       return(1);
 
-decryption_failed_or_bad_record_mac:
-       /* Separate 'decryption_failed' alert was introduced with TLS 1.0,
-        * SSL 3.0 only has 'bad_record_mac'.  But unless a decryption
-        * failure is directly visible from the ciphertext anyway,
-        * we should not reveal which kind of error occured -- this
-        * might become visible to an attacker (e.g. via logfile) */
-       al=SSL_AD_BAD_RECORD_MAC;
-       SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
 f_err:
        ssl3_send_alert(s,SSL3_AL_FATAL,al);
 err:
@@ -475,22 +522,19 @@ err:
 /* used only by dtls1_read_bytes */
 int dtls1_get_record(SSL *s)
        {
-       int ssl_major,ssl_minor,al;
+       int ssl_major,ssl_minor;
        int i,n;
        SSL3_RECORD *rr;
-       SSL_SESSION *sess;
-       unsigned char *p;
-       short version;
+       unsigned char *p = NULL;
+       unsigned short version;
        DTLS1_BITMAP *bitmap;
-    unsigned int is_next_epoch;
+       unsigned int is_next_epoch;
 
        rr= &(s->s3->rrec);
-       sess=s->session;
 
-    /* The epoch may have changed.  If so, process all the
-     * pending records.  This is a non-blocking operation. */
-    if ( ! dtls1_process_buffered_records(s))
-        return 0;
+       /* The epoch may have changed.  If so, process all the
+        * pending records.  This is a non-blocking operation. */
+       dtls1_process_buffered_records(s);
 
        /* if we're renegotiating, then there may be buffered records */
        if (dtls1_get_processed_record(s))
@@ -506,7 +550,12 @@ again:
                /* read timeout is handled by dtls1_read_bytes */
                if (n <= 0) return(n); /* error or non-blocking */
 
-               OPENSSL_assert(s->packet_length == DTLS1_RT_HEADER_LENGTH);
+               /* this packet contained a partial record, dump it */
+               if (s->packet_length != DTLS1_RT_HEADER_LENGTH)
+                       {
+                       s->packet_length = 0;
+                       goto again;
+                       }
 
                s->rstate=SSL_ST_READ_BODY;
 
@@ -518,7 +567,7 @@ again:
                ssl_minor= *(p++);
                version=(ssl_major<<8)|ssl_minor;
 
-        /* sequence number is 64 bits, with top 2 bytes = epoch */ 
+               /* sequence number is 64 bits, with top 2 bytes = epoch */ 
                n2s(p,rr->epoch);
 
                memcpy(&(s->s3->read_sequence[2]), p, 6);
@@ -527,34 +576,31 @@ again:
                n2s(p,rr->length);
 
                /* Lets check version */
-               if (s->first_packet)
-                       {
-                       s->first_packet=0;
-                       }
-               else
+               if (!s->first_packet)
                        {
                        if (version != s->version)
                                {
-                               SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
-                               /* Send back error using their
-                                * version number :-) */
-                               s->version=version;
-                               al=SSL_AD_PROTOCOL_VERSION;
-                               goto f_err;
+                               /* unexpected version, silently discard */
+                               rr->length = 0;
+                               s->packet_length = 0;
+                               goto again;
                                }
                        }
 
-               if ((version & 0xff00) != (DTLS1_VERSION & 0xff00))
+               if ((version & 0xff00) != (s->version & 0xff00))
                        {
-                       SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
-                       goto err;
+                       /* wrong version, silently discard record */
+                       rr->length = 0;
+                       s->packet_length = 0;
+                       goto again;
                        }
 
                if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH)
                        {
-                       al=SSL_AD_RECORD_OVERFLOW;
-                       SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
-                       goto f_err;
+                       /* record too long, silently discard it */
+                       rr->length = 0;
+                       s->packet_length = 0;
+                       goto again;
                        }
 
                /* now s->rstate == SSL_ST_READ_BODY */
@@ -572,6 +618,7 @@ again:
                /* this packet contained a partial record, dump it */
                if ( n != i)
                        {
+                       rr->length = 0;
                        s->packet_length = 0;
                        goto again;
                        }
@@ -584,14 +631,23 @@ again:
        /* match epochs.  NULL means the packet is dropped on the floor */
        bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
        if ( bitmap == NULL)
-        {
-        s->packet_length = 0;  /* dump this record */
-        goto again;   /* get another record */
+               {
+               rr->length = 0;
+               s->packet_length = 0;  /* dump this record */
+               goto again;   /* get another record */
                }
 
-       /* check whether this is a repeat, or aged record */
-       if ( ! dtls1_record_replay_check(s, bitmap, &(rr->seq_num)))
+       /* Check whether this is a repeat, or aged record.
+        * Don't check if we're listening and this message is
+        * a ClientHello. They can look as if they're replayed,
+        * since they arrive from different connections and
+        * would be dropped unnecessarily.
+        */
+       if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE &&
+               *p == SSL3_MT_CLIENT_HELLO) &&
+               !dtls1_record_replay_check(s, bitmap))
                {
+               rr->length = 0;
                s->packet_length=0; /* dump this record */
                goto again;     /* get another record */
                }
@@ -599,28 +655,30 @@ again:
        /* just read a 0 length packet */
        if (rr->length == 0) goto again;
 
-    /* If this record is from the next epoch (either HM or ALERT), buffer it
-     * since it cannot be processed at this time.
-     * Records from the next epoch are marked as received even though they are 
-     * not processed, so as to prevent any potential resource DoS attack */
-    if (is_next_epoch)
-        {
-        dtls1_record_bitmap_update(s, bitmap);
-        dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
-        s->packet_length = 0;
-        goto again;
-        }
+       /* If this record is from the next epoch (either HM or ALERT),
+        * and a handshake is currently in progress, buffer it since it
+        * cannot be processed at this time. */
+       if (is_next_epoch)
+               {
+               if (SSL_in_init(s) || s->in_handshake)
+                       {
+                       dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
+                       }
+               rr->length = 0;
+               s->packet_length = 0;
+               goto again;
+               }
 
-    if ( ! dtls1_process_record(s))
-        return(0);
+       if (!dtls1_process_record(s))
+               {
+               rr->length = 0;
+               s->packet_length = 0;  /* dump this record */
+               goto again;   /* get another record */
+               }
 
        dtls1_clear_timeouts(s);  /* done waiting */
        return(1);
 
-f_err:
-       ssl3_send_alert(s,SSL3_AL_FATAL,al);
-err:
-       return(0);
        }
 
 /* Return up to 'len' payload bytes received in 'type' records.
@@ -697,6 +755,27 @@ start:
         * s->s3->rrec.length,  - number of bytes. */
        rr = &(s->s3->rrec);
 
+       /* We are not handshaking and have no data yet,
+        * so process data buffered during the last handshake
+        * in advance, if any.
+        */
+       if (s->state == SSL_ST_OK && rr->length == 0)
+               {
+               pitem *item;
+               item = pqueue_pop(s->d1->buffered_app_data.q);
+               if (item)
+                       {
+                       dtls1_copy_record(s, item);
+
+                       OPENSSL_free(item->data);
+                       pitem_free(item);
+                       }
+               }
+
+       /* Check for timeout */
+       if (dtls1_handle_timeout(s) > 0)
+               goto start;
+
        /* get new packet if necessary */
        if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
                {
@@ -718,9 +797,14 @@ start:
                                       * reset by ssl3_get_finished */
                && (rr->type != SSL3_RT_HANDSHAKE))
                {
-               al=SSL_AD_UNEXPECTED_MESSAGE;
-               SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
-               goto err;
+               /* We now have application data between CCS and Finished.
+                * Most likely the packets were reordered on their way, so
+                * buffer the application data for later processing rather
+                * than dropping the connection.
+                */
+               dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num);
+               rr->length = 0;
+               goto start;
                }
 
        /* If the other end has shut down, throw anything we read away
@@ -790,9 +874,28 @@ start:
                        dest = s->d1->alert_fragment;
                        dest_len = &s->d1->alert_fragment_len;
                        }
-               else    /* else it's a CCS message */
-                       OPENSSL_assert(rr->type == SSL3_RT_CHANGE_CIPHER_SPEC);
+               /* else it's a CCS message, or application data or wrong */
+               else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC)
+                       {
+                       /* Application data while renegotiating
+                        * is allowed. Try again reading.
+                        */
+                       if (rr->type == SSL3_RT_APPLICATION_DATA)
+                               {
+                               BIO *bio;
+                               s->s3->in_read_app_data=2;
+                               bio=SSL_get_rbio(s);
+                               s->rwstate=SSL_READING;
+                               BIO_clear_retry_flags(bio);
+                               BIO_set_retry_read(bio);
+                               return(-1);
+                               }
 
+                       /* Not certain if this is the right error handling */
+                       al=SSL_AD_UNEXPECTED_MESSAGE;
+                       SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
+                       goto f_err;
+                       }
 
                if (dest_maxlen > 0)
                        {
@@ -800,6 +903,14 @@ start:
              *  may be fragmented--don't always expect dest_maxlen bytes */
                        if ( rr->length < dest_maxlen)
                                {
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
+                               /*
+                                * for normal alerts rr->length is 2, while
+                                * dest_maxlen is 7 if we were to handle this
+                                * non-existing alert...
+                                */
+                               FIX ME
+#endif
                                s->rstate=SSL_ST_READ_HEADER;
                                rr->length = 0;
                                goto start;
@@ -846,6 +957,7 @@ start:
                        !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
                        !s->s3->renegotiate)
                        {
+                       s->new_session = 1;
                        ssl3_renegotiate(s);
                        if (ssl3_renegotiate_check(s))
                                {
@@ -922,7 +1034,9 @@ start:
                                n2s(p, seq);
                                n2l3(p, frag_off);
 
-                               dtls1_retransmit_message(s, seq, frag_off, &found);
+                               dtls1_retransmit_message(s,
+                                                                                dtls1_get_queue_priority(frag->msg_header.seq, 0),
+                                                                                frag_off, &found);
                                if ( ! found  && SSL_in_init(s))
                                        {
                                        /* fprintf( stderr,"in init = %d\n", SSL_in_init(s)); */
@@ -965,47 +1079,53 @@ start:
                }
 
        if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
-        {
-        struct ccs_header_st ccs_hdr;
+               {
+               struct ccs_header_st ccs_hdr;
+               unsigned int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH;
 
                dtls1_get_ccs_header(rr->data, &ccs_hdr);
 
-               if ( ccs_hdr.seq == s->d1->handshake_read_seq)
+               if (s->version == DTLS1_BAD_VER)
+                       ccs_hdr_len = 3;
+
+               /* 'Change Cipher Spec' is just a single byte, so we know
+                * exactly what the record payload has to look like */
+               /* XDTLS: check that epoch is consistent */
+               if (    (rr->length != ccs_hdr_len) || 
+                       (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
                        {
-                       /* 'Change Cipher Spec' is just a single byte, so we know
-                        * exactly what the record payload has to look like */
-                       /* XDTLS: check that epoch is consistent */
-                       if (    (rr->length != DTLS1_CCS_HEADER_LENGTH) || 
-                               (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
-                               {
-                               i=SSL_AD_ILLEGAL_PARAMETER;
-                               SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
-                               goto err;
-                               }
-                       
-                       rr->length=0;
-                       
-                       if (s->msg_callback)
-                               s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, 
-                                       rr->data, 1, s, s->msg_callback_arg);
-                       
-                       s->s3->change_cipher_spec=1;
-                       if (!ssl3_do_change_cipher_spec(s))
-                               goto err;
-                       
-                       /* do this whenever CCS is processed */
-                       dtls1_reset_seq_numbers(s, SSL3_CC_READ);
-                       
-                       /* handshake read seq is reset upon handshake completion */
-                       s->d1->handshake_read_seq++;
-                       
-                       goto start;
+                       i=SSL_AD_ILLEGAL_PARAMETER;
+                       SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
+                       goto err;
                        }
-               else
+
+               rr->length=0;
+
+               if (s->msg_callback)
+                       s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, 
+                               rr->data, 1, s, s->msg_callback_arg);
+
+               /* We can't process a CCS now, because previous handshake
+                * messages are still missing, so just drop it.
+                */
+               if (!s->d1->change_cipher_spec_ok)
                        {
-                       rr->length = 0;
                        goto start;
                        }
+
+               s->d1->change_cipher_spec_ok = 0;
+
+               s->s3->change_cipher_spec=1;
+               if (!ssl3_do_change_cipher_spec(s))
+                       goto err;
+
+               /* do this whenever CCS is processed */
+               dtls1_reset_seq_numbers(s, SSL3_CC_READ);
+
+               if (s->version == DTLS1_BAD_VER)
+                       s->d1->handshake_read_seq++;
+
+               goto start;
                }
 
        /* Unexpected handshake message (Client Hello, or protocol violation) */
@@ -1022,6 +1142,16 @@ start:
                        goto start;
                        }
 
+               /* If we are server, we may have a repeated FINISHED of the
+                * client here, then retransmit our CCS and FINISHED.
+                */
+               if (msg_hdr.type == SSL3_MT_FINISHED)
+                       {
+                       dtls1_retransmit_buffered_messages(s);
+                       rr->length = 0;
+                       goto start;
+                       }
+
                if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
                        !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
                        {
@@ -1034,6 +1164,7 @@ start:
 #else
                        s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
 #endif
+                       s->renegotiate=1;
                        s->new_session=1;
                        }
                i=s->handshake_func(s);
@@ -1128,7 +1259,6 @@ err:
 int
 dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len)
        {
-       unsigned int n,tot;
        int i;
 
        if (SSL_in_init(s) && !s->in_handshake)
@@ -1142,31 +1272,14 @@ dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len)
                        }
                }
 
-       tot = s->s3->wnum;
-       n = len - tot;
-
-       while( n)
+       if (len > SSL3_RT_MAX_PLAIN_LENGTH)
                {
-               /* dtls1_write_bytes sends one record at a time, sized according to 
-                * the currently known MTU */
-               i = dtls1_write_bytes(s, type, buf_, len);
-               if (i <= 0) return i;
-               
-               if ((i == (int)n) ||
-                       (type == SSL3_RT_APPLICATION_DATA &&
-                               (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
-                       {
-                       /* next chunk of data should get another prepended empty fragment
-                        * in ciphersuites with known-IV weakness: */
-                       s->s3->empty_fragment_done = 0;
-                       return tot+i;
-                       }
-
-               tot += i;
-               n-=i;
+                       SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES,SSL_R_DTLS_MESSAGE_TOO_BIG);
+                       return -1;
                }
 
-       return tot;
+       i = dtls1_write_bytes(s, type, buf_, len);
+       return i;
        }
 
 
@@ -1207,47 +1320,14 @@ have_handshake_fragment(SSL *s, int type, unsigned char *buf,
 /* Call this to write data in records of type 'type'
  * It will return <= 0 if not all data has been sent or non-blocking IO.
  */
-int dtls1_write_bytes(SSL *s, int type, const void *buf_, int len)
+int dtls1_write_bytes(SSL *s, int type, const void *buf, int len)
        {
-       const unsigned char *buf=buf_;
-       unsigned int tot,n,nw;
        int i;
-       unsigned int mtu;
 
+       OPENSSL_assert(len <= SSL3_RT_MAX_PLAIN_LENGTH);
        s->rwstate=SSL_NOTHING;
-       tot=s->s3->wnum;
-
-       n=(len-tot);
-
-       /* handshake layer figures out MTU for itself, but data records
-        * are also sent through this interface, so need to figure out MTU */
-#if 0
-       mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_MTU, 0, NULL);
-       mtu += DTLS1_HM_HEADER_LENGTH;  /* HM already inserted */
-#endif
-       mtu = s->d1->mtu;
-
-       if (mtu > SSL3_RT_MAX_PLAIN_LENGTH)
-               mtu = SSL3_RT_MAX_PLAIN_LENGTH;
-
-       if (n > mtu)
-               nw=mtu;
-       else
-               nw=n;
-       
-       i=do_dtls1_write(s, type, &(buf[tot]), nw, 0);
-       if (i <= 0)
-               {
-               s->s3->wnum=tot;
-               return i;
-               }
-
-       if ( (int)s->s3->wnum + i == len)
-               s->s3->wnum = 0;
-       else 
-               s->s3->wnum += i;
-
-       return tot + i;
+       i=do_dtls1_write(s, type, buf, len, 0);
+       return i;
        }
 
 int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, int create_empty_fragment)
@@ -1286,19 +1366,23 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
 
        if (    (sess == NULL) ||
                (s->enc_write_ctx == NULL) ||
-               (s->write_hash == NULL))
+               (EVP_MD_CTX_md(s->write_hash) == NULL))
                clear=1;
 
        if (clear)
                mac_size=0;
        else
-               mac_size=EVP_MD_size(s->write_hash);
+               {
+               mac_size=EVP_MD_CTX_size(s->write_hash);
+               if (mac_size < 0)
+                       goto err;
+               }
 
        /* DTLS implements explicit IV, so no need for empty fragments */
 #if 0
        /* 'create_empty_fragment' is true only when this function calls itself */
        if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done
-               && SSL_version(s) != DTLS1_VERSION)
+           && SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
                {
                /* countermeasure against known-IV weakness in CBC ciphersuites
                 * (see http://www.openssl.org/~bodo/tls-cbc.txt) 
@@ -1325,7 +1409,6 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
                s->s3->empty_fragment_done = 1;
                }
 #endif
-
        p = wb->buf + prefix_len;
 
        /* write the header */
@@ -1379,7 +1462,8 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
 
        if (mac_size != 0)
                {
-               s->method->ssl3_enc->mac(s,&(p[wr->length + bs]),1);
+               if(s->method->ssl3_enc->mac(s,&(p[wr->length + bs]),1) < 0)
+                       goto err;
                wr->length+=mac_size;
                }
 
@@ -1389,8 +1473,14 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len,
 
 
        /* ssl3_enc can only have an error on read */
-       wr->length += bs;  /* bs != 0 in case of CBC.  The enc fn provides
-                                               * the randomness */ 
+       if (bs) /* bs != 0 in case of CBC */
+               {
+               RAND_pseudo_bytes(p,bs);
+               /* master IV and last CBC residue stand for
+                * the rest of randomness */
+               wr->length += bs;
+               }
+
        s->method->ssl3_enc->enc(s,1);
 
        /* record length after mac and block padding */
@@ -1450,111 +1540,50 @@ err:
 
 
 
-static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap,
-       PQ_64BIT *seq_num)
+static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap)
        {
-#if !(defined(OPENSSL_SYS_VMS) || defined(VMS_TEST))
-       PQ_64BIT mask = 0x0000000000000001L;
-#endif
-       PQ_64BIT rcd_num, tmp;
-
-       pq_64bit_init(&rcd_num);
-       pq_64bit_init(&tmp);
-
-       /* this is the sequence number for the record just read */
-       pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8);
-
-       
-       if (pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) ||
-               pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num)))
-               {
-               pq_64bit_assign(seq_num, &rcd_num);
-               pq_64bit_free(&rcd_num);
-               pq_64bit_free(&tmp);
-               return 1;  /* this record is new */
-               }
-
-       pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num);
+       int cmp;
+       unsigned int shift;
+       const unsigned char *seq = s->s3->read_sequence;
 
-       if ( pq_64bit_get_word(&tmp) > bitmap->length)
+       cmp = satsub64be(seq,bitmap->max_seq_num);
+       if (cmp > 0)
                {
-               pq_64bit_free(&rcd_num);
-               pq_64bit_free(&tmp);
-               return 0;  /* stale, outside the window */
+               memcpy (s->s3->rrec.seq_num,seq,8);
+               return 1; /* this record in new */
                }
-
-#if (defined(OPENSSL_SYS_VMS) || defined(VMS_TEST))
-       {
-       int offset;
-       pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num);
-       pq_64bit_sub_word(&tmp, 1);
-       offset = pq_64bit_get_word(&tmp);
-       if ( pq_64bit_is_bit_set(&(bitmap->map), offset))
-               {
-               pq_64bit_free(&rcd_num);
-               pq_64bit_free(&tmp);
-               return 0;
-               }
-       }
-#else
-       mask <<= (bitmap->max_seq_num - rcd_num - 1);
-       if (bitmap->map & mask)
+       shift = -cmp;
+       if (shift >= sizeof(bitmap->map)*8)
+               return 0; /* stale, outside the window */
+       else if (bitmap->map & (1UL<<shift))
                return 0; /* record previously received */
-#endif
-       
-       pq_64bit_assign(seq_num, &rcd_num);
-       pq_64bit_free(&rcd_num);
-       pq_64bit_free(&tmp);
+
+       memcpy (s->s3->rrec.seq_num,seq,8);
        return 1;
        }
 
 
 static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap)
        {
+       int cmp;
        unsigned int shift;
-       PQ_64BIT rcd_num;
-       PQ_64BIT tmp;
-       PQ_64BIT_CTX *ctx;
+       const unsigned char *seq = s->s3->read_sequence;
 
-       pq_64bit_init(&rcd_num);
-       pq_64bit_init(&tmp);
-
-       pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8);
-
-       /* unfortunate code complexity due to 64-bit manipulation support
-        * on 32-bit machines */
-       if ( pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) ||
-               pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num)))
+       cmp = satsub64be(seq,bitmap->max_seq_num);
+       if (cmp > 0)
                {
-               pq_64bit_sub(&tmp, &rcd_num, &(bitmap->max_seq_num));
-               pq_64bit_add_word(&tmp, 1);
-
-               shift = (unsigned int)pq_64bit_get_word(&tmp);
-
-               pq_64bit_lshift(&(tmp), &(bitmap->map), shift);
-               pq_64bit_assign(&(bitmap->map), &tmp);
-
-               pq_64bit_set_bit(&(bitmap->map), 0);
-               pq_64bit_add_word(&rcd_num, 1);
-               pq_64bit_assign(&(bitmap->max_seq_num), &rcd_num);
-
-               pq_64bit_assign_word(&tmp, 1);
-               pq_64bit_lshift(&tmp, &tmp, bitmap->length);
-               ctx = pq_64bit_ctx_new(&ctx);
-               pq_64bit_mod(&(bitmap->map), &(bitmap->map), &tmp, ctx);
-               pq_64bit_ctx_free(ctx);
+               shift = cmp;
+               if (shift < sizeof(bitmap->map)*8)
+                       bitmap->map <<= shift, bitmap->map |= 1UL;
+               else
+                       bitmap->map = 1UL;
+               memcpy(bitmap->max_seq_num,seq,8);
                }
-       else
-               {
-               pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num);
-               pq_64bit_sub_word(&tmp, 1);
-               shift = (unsigned int)pq_64bit_get_word(&tmp);
-
-               pq_64bit_set_bit(&(bitmap->map), shift);
+       else    {
+               shift = -cmp;
+               if (shift < sizeof(bitmap->map)*8)
+                       bitmap->map |= 1UL<<shift;
                }
-
-       pq_64bit_free(&rcd_num);
-       pq_64bit_free(&tmp);
        }
 
 
@@ -1562,7 +1591,7 @@ int dtls1_dispatch_alert(SSL *s)
        {
        int i,j;
        void (*cb)(const SSL *ssl,int type,int val)=NULL;
-       unsigned char buf[2 + 2 + 3]; /* alert level + alert desc + message seq +frag_off */
+       unsigned char buf[DTLS1_AL_HEADER_LENGTH];
        unsigned char *ptr = &buf[0];
 
        s->s3->alert_dispatch=0;
@@ -1571,6 +1600,7 @@ int dtls1_dispatch_alert(SSL *s)
        *ptr++ = s->s3->send_alert[0];
        *ptr++ = s->s3->send_alert[1];
 
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
        if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
                {       
                s2n(s->d1->handshake_read_seq, ptr);
@@ -1586,6 +1616,7 @@ int dtls1_dispatch_alert(SSL *s)
 #endif
                l2n3(s->d1->r_msg_hdr.frag_off, ptr);
                }
+#endif
 
        i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0);
        if (i <= 0)
@@ -1595,8 +1626,11 @@ int dtls1_dispatch_alert(SSL *s)
                }
        else
                {
-               if ( s->s3->send_alert[0] == SSL3_AL_FATAL ||
-                       s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
+               if (s->s3->send_alert[0] == SSL3_AL_FATAL
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
+                   || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
+#endif
+                   )
                        (void)BIO_flush(s->wbio);
 
                if (s->msg_callback)
@@ -1715,47 +1749,19 @@ dtls1_reset_seq_numbers(SSL *s, int rw)
                {
                seq = s->s3->read_sequence;
                s->d1->r_epoch++;
-
-               pq_64bit_assign(&(s->d1->bitmap.map), &(s->d1->next_bitmap.map));
-               s->d1->bitmap.length = s->d1->next_bitmap.length;
-               pq_64bit_assign(&(s->d1->bitmap.max_seq_num), 
-                       &(s->d1->next_bitmap.max_seq_num));
-
-               pq_64bit_free(&(s->d1->next_bitmap.map));
-               pq_64bit_free(&(s->d1->next_bitmap.max_seq_num));
+               memcpy(&(s->d1->bitmap), &(s->d1->next_bitmap), sizeof(DTLS1_BITMAP));
                memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP));
-               pq_64bit_init(&(s->d1->next_bitmap.map));
-               pq_64bit_init(&(s->d1->next_bitmap.max_seq_num));
                }
        else
                {
                seq = s->s3->write_sequence;
+               memcpy(s->d1->last_write_sequence, seq, sizeof(s->s3->write_sequence));
                s->d1->w_epoch++;
                }
 
        memset(seq, 0x00, seq_bytes);
        }
 
-#if !(defined(OPENSSL_SYS_VMS) || defined(VMS_TEST))
-static PQ_64BIT
-bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num)
-       {
-       PQ_64BIT _num;
-
-       _num = (((PQ_64BIT)bytes[0]) << 56) |
-               (((PQ_64BIT)bytes[1]) << 48) |
-               (((PQ_64BIT)bytes[2]) << 40) |
-               (((PQ_64BIT)bytes[3]) << 32) |
-               (((PQ_64BIT)bytes[4]) << 24) |
-               (((PQ_64BIT)bytes[5]) << 16) |
-               (((PQ_64BIT)bytes[6]) <<  8) |
-               (((PQ_64BIT)bytes[7])      );
-
-          *num = _num ;
-       return _num;
-       }
-#endif
-
 
 static void
 dtls1_clear_timeouts(SSL *s)