1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/os/ossrv/ssl/libssl/src/d1_pkt.c Fri Jun 15 03:10:57 2012 +0200
1.3 @@ -0,0 +1,1778 @@
1.4 +/* ssl/d1_pkt.c */
1.5 +/*
1.6 + * DTLS implementation written by Nagendra Modadugu
1.7 + * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
1.8 + */
1.9 +/* ====================================================================
1.10 + * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
1.11 + *
1.12 + * Redistribution and use in source and binary forms, with or without
1.13 + * modification, are permitted provided that the following conditions
1.14 + * are met:
1.15 + *
1.16 + * 1. Redistributions of source code must retain the above copyright
1.17 + * notice, this list of conditions and the following disclaimer.
1.18 + *
1.19 + * 2. Redistributions in binary form must reproduce the above copyright
1.20 + * notice, this list of conditions and the following disclaimer in
1.21 + * the documentation and/or other materials provided with the
1.22 + * distribution.
1.23 + *
1.24 + * 3. All advertising materials mentioning features or use of this
1.25 + * software must display the following acknowledgment:
1.26 + * "This product includes software developed by the OpenSSL Project
1.27 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
1.28 + *
1.29 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
1.30 + * endorse or promote products derived from this software without
1.31 + * prior written permission. For written permission, please contact
1.32 + * openssl-core@openssl.org.
1.33 + *
1.34 + * 5. Products derived from this software may not be called "OpenSSL"
1.35 + * nor may "OpenSSL" appear in their names without prior written
1.36 + * permission of the OpenSSL Project.
1.37 + *
1.38 + * 6. Redistributions of any form whatsoever must retain the following
1.39 + * acknowledgment:
1.40 + * "This product includes software developed by the OpenSSL Project
1.41 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
1.42 + *
1.43 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
1.44 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1.45 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
1.46 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
1.47 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
1.48 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1.49 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
1.50 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1.51 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
1.52 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
1.53 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
1.54 + * OF THE POSSIBILITY OF SUCH DAMAGE.
1.55 + * ====================================================================
1.56 + *
1.57 + * This product includes cryptographic software written by Eric Young
1.58 + * (eay@cryptsoft.com). This product includes software written by Tim
1.59 + * Hudson (tjh@cryptsoft.com).
1.60 + *
1.61 + */
1.62 +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
1.63 + * All rights reserved.
1.64 + *
1.65 + * This package is an SSL implementation written
1.66 + * by Eric Young (eay@cryptsoft.com).
1.67 + * The implementation was written so as to conform with Netscapes SSL.
1.68 + *
1.69 + * This library is free for commercial and non-commercial use as long as
1.70 + * the following conditions are aheared to. The following conditions
1.71 + * apply to all code found in this distribution, be it the RC4, RSA,
1.72 + * lhash, DES, etc., code; not just the SSL code. The SSL documentation
1.73 + * included with this distribution is covered by the same copyright terms
1.74 + * except that the holder is Tim Hudson (tjh@cryptsoft.com).
1.75 + *
1.76 + * Copyright remains Eric Young's, and as such any Copyright notices in
1.77 + * the code are not to be removed.
1.78 + * If this package is used in a product, Eric Young should be given attribution
1.79 + * as the author of the parts of the library used.
1.80 + * This can be in the form of a textual message at program startup or
1.81 + * in documentation (online or textual) provided with the package.
1.82 + *
1.83 + * Redistribution and use in source and binary forms, with or without
1.84 + * modification, are permitted provided that the following conditions
1.85 + * are met:
1.86 + * 1. Redistributions of source code must retain the copyright
1.87 + * notice, this list of conditions and the following disclaimer.
1.88 + * 2. Redistributions in binary form must reproduce the above copyright
1.89 + * notice, this list of conditions and the following disclaimer in the
1.90 + * documentation and/or other materials provided with the distribution.
1.91 + * 3. All advertising materials mentioning features or use of this software
1.92 + * must display the following acknowledgement:
1.93 + * "This product includes cryptographic software written by
1.94 + * Eric Young (eay@cryptsoft.com)"
1.95 + * The word 'cryptographic' can be left out if the rouines from the library
1.96 + * being used are not cryptographic related :-).
1.97 + * 4. If you include any Windows specific code (or a derivative thereof) from
1.98 + * the apps directory (application code) you must include an acknowledgement:
1.99 + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
1.100 + *
1.101 + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
1.102 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1.103 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1.104 + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
1.105 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1.106 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1.107 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1.108 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1.109 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1.110 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1.111 + * SUCH DAMAGE.
1.112 + *
1.113 + * The licence and distribution terms for any publically available version or
1.114 + * derivative of this code cannot be changed. i.e. this code cannot simply be
1.115 + * copied and put under another distribution licence
1.116 + * [including the GNU Public Licence.]
1.117 + */
1.118 +
1.119 +#include <stdio.h>
1.120 +#include <errno.h>
1.121 +#define USE_SOCKETS
1.122 +#include "ssl_locl.h"
1.123 +#include <openssl/evp.h>
1.124 +#include <openssl/buffer.h>
1.125 +#include <openssl/pqueue.h>
1.126 +#include <openssl/rand.h>
1.127 +
1.128 +static int have_handshake_fragment(SSL *s, int type, unsigned char *buf,
1.129 + int len, int peek);
1.130 +static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap,
1.131 + PQ_64BIT *seq_num);
1.132 +static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);
1.133 +static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
1.134 + unsigned int *is_next_epoch);
1.135 +#if 0
1.136 +static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
1.137 + unsigned short *priority, unsigned long *offset);
1.138 +#endif
1.139 +static int dtls1_buffer_record(SSL *s, record_pqueue *q,
1.140 + PQ_64BIT priority);
1.141 +static int dtls1_process_record(SSL *s);
1.142 +#if PQ_64BIT_IS_INTEGER
1.143 +static PQ_64BIT bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num);
1.144 +#endif
1.145 +static void dtls1_clear_timeouts(SSL *s);
1.146 +
1.147 +/* copy buffered record into SSL structure */
1.148 +static int
1.149 +dtls1_copy_record(SSL *s, pitem *item)
1.150 + {
1.151 + DTLS1_RECORD_DATA *rdata;
1.152 +
1.153 + rdata = (DTLS1_RECORD_DATA *)item->data;
1.154 +
1.155 + if (s->s3->rbuf.buf != NULL)
1.156 + OPENSSL_free(s->s3->rbuf.buf);
1.157 +
1.158 + s->packet = rdata->packet;
1.159 + s->packet_length = rdata->packet_length;
1.160 + memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
1.161 + memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
1.162 +
1.163 + return(1);
1.164 + }
1.165 +
1.166 +
1.167 +static int
1.168 +dtls1_buffer_record(SSL *s, record_pqueue *queue, PQ_64BIT priority)
1.169 +{
1.170 + DTLS1_RECORD_DATA *rdata;
1.171 + pitem *item;
1.172 +
1.173 + rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
1.174 + item = pitem_new(priority, rdata);
1.175 + if (rdata == NULL || item == NULL)
1.176 + {
1.177 + if (rdata != NULL) OPENSSL_free(rdata);
1.178 + if (item != NULL) pitem_free(item);
1.179 +
1.180 + SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
1.181 + return(0);
1.182 + }
1.183 +
1.184 + rdata->packet = s->packet;
1.185 + rdata->packet_length = s->packet_length;
1.186 + memcpy(&(rdata->rbuf), &(s->s3->rbuf), sizeof(SSL3_BUFFER));
1.187 + memcpy(&(rdata->rrec), &(s->s3->rrec), sizeof(SSL3_RECORD));
1.188 +
1.189 + item->data = rdata;
1.190 +
1.191 + /* insert should not fail, since duplicates are dropped */
1.192 + if (pqueue_insert(queue->q, item) == NULL)
1.193 + {
1.194 + OPENSSL_free(rdata);
1.195 + pitem_free(item);
1.196 + return(0);
1.197 + }
1.198 +
1.199 + s->packet = NULL;
1.200 + s->packet_length = 0;
1.201 + memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));
1.202 + memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD));
1.203 +
1.204 + if (!ssl3_setup_buffers(s))
1.205 + {
1.206 + SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
1.207 + OPENSSL_free(rdata);
1.208 + pitem_free(item);
1.209 + return(0);
1.210 + }
1.211 +
1.212 + return(1);
1.213 + }
1.214 +
1.215 +
1.216 +static int
1.217 +dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue)
1.218 + {
1.219 + pitem *item;
1.220 +
1.221 + item = pqueue_pop(queue->q);
1.222 + if (item)
1.223 + {
1.224 + dtls1_copy_record(s, item);
1.225 +
1.226 + OPENSSL_free(item->data);
1.227 + pitem_free(item);
1.228 +
1.229 + return(1);
1.230 + }
1.231 +
1.232 + return(0);
1.233 + }
1.234 +
1.235 +
1.236 +/* retrieve a buffered record that belongs to the new epoch, i.e., not processed
1.237 + * yet */
1.238 +#define dtls1_get_unprocessed_record(s) \
1.239 + dtls1_retrieve_buffered_record((s), \
1.240 + &((s)->d1->unprocessed_rcds))
1.241 +
1.242 +/* retrieve a buffered record that belongs to the current epoch, ie, processed */
1.243 +#define dtls1_get_processed_record(s) \
1.244 + dtls1_retrieve_buffered_record((s), \
1.245 + &((s)->d1->processed_rcds))
1.246 +
1.247 +static int
1.248 +dtls1_process_buffered_records(SSL *s)
1.249 + {
1.250 + pitem *item;
1.251 +
1.252 + item = pqueue_peek(s->d1->unprocessed_rcds.q);
1.253 + if (item)
1.254 + {
1.255 + DTLS1_RECORD_DATA *rdata;
1.256 + rdata = (DTLS1_RECORD_DATA *)item->data;
1.257 +
1.258 + /* Check if epoch is current. */
1.259 + if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch)
1.260 + return(1); /* Nothing to do. */
1.261 +
1.262 + /* Process all the records. */
1.263 + while (pqueue_peek(s->d1->unprocessed_rcds.q))
1.264 + {
1.265 + dtls1_get_unprocessed_record(s);
1.266 + if ( ! dtls1_process_record(s))
1.267 + return(0);
1.268 + dtls1_buffer_record(s, &(s->d1->processed_rcds),
1.269 + s->s3->rrec.seq_num);
1.270 + }
1.271 + }
1.272 +
1.273 + /* sync epoch numbers once all the unprocessed records
1.274 + * have been processed */
1.275 + s->d1->processed_rcds.epoch = s->d1->r_epoch;
1.276 + s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1;
1.277 +
1.278 + return(1);
1.279 + }
1.280 +
1.281 +
1.282 +#if 0
1.283 +
1.284 +static int
1.285 +dtls1_get_buffered_record(SSL *s)
1.286 + {
1.287 + pitem *item;
1.288 + PQ_64BIT priority =
1.289 + (((PQ_64BIT)s->d1->handshake_read_seq) << 32) |
1.290 + ((PQ_64BIT)s->d1->r_msg_hdr.frag_off);
1.291 +
1.292 + if ( ! SSL_in_init(s)) /* if we're not (re)negotiating,
1.293 + nothing buffered */
1.294 + return 0;
1.295 +
1.296 +
1.297 + item = pqueue_peek(s->d1->rcvd_records);
1.298 + if (item && item->priority == priority)
1.299 + {
1.300 + /* Check if we've received the record of interest. It must be
1.301 + * a handshake record, since data records as passed up without
1.302 + * buffering */
1.303 + DTLS1_RECORD_DATA *rdata;
1.304 + item = pqueue_pop(s->d1->rcvd_records);
1.305 + rdata = (DTLS1_RECORD_DATA *)item->data;
1.306 +
1.307 + if (s->s3->rbuf.buf != NULL)
1.308 + OPENSSL_free(s->s3->rbuf.buf);
1.309 +
1.310 + s->packet = rdata->packet;
1.311 + s->packet_length = rdata->packet_length;
1.312 + memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
1.313 + memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
1.314 +
1.315 + OPENSSL_free(item->data);
1.316 + pitem_free(item);
1.317 +
1.318 + /* s->d1->next_expected_seq_num++; */
1.319 + return(1);
1.320 + }
1.321 +
1.322 + return 0;
1.323 + }
1.324 +
1.325 +#endif
1.326 +
1.327 +static int
1.328 +dtls1_process_record(SSL *s)
1.329 +{
1.330 + int i,al;
1.331 + int clear=0;
1.332 + int enc_err;
1.333 + SSL_SESSION *sess;
1.334 + SSL3_RECORD *rr;
1.335 + unsigned int mac_size;
1.336 + unsigned char md[EVP_MAX_MD_SIZE];
1.337 +
1.338 +
1.339 + rr= &(s->s3->rrec);
1.340 + sess = s->session;
1.341 +
1.342 + /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
1.343 + * and we have that many bytes in s->packet
1.344 + */
1.345 + rr->input= &(s->packet[DTLS1_RT_HEADER_LENGTH]);
1.346 +
1.347 + /* ok, we can now read from 's->packet' data into 'rr'
1.348 + * rr->input points at rr->length bytes, which
1.349 + * need to be copied into rr->data by either
1.350 + * the decryption or by the decompression
1.351 + * When the data is 'copied' into the rr->data buffer,
1.352 + * rr->input will be pointed at the new buffer */
1.353 +
1.354 + /* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
1.355 + * rr->length bytes of encrypted compressed stuff. */
1.356 +
1.357 + /* check is not needed I believe */
1.358 + if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH)
1.359 + {
1.360 + al=SSL_AD_RECORD_OVERFLOW;
1.361 + SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
1.362 + goto f_err;
1.363 + }
1.364 +
1.365 + /* decrypt in place in 'rr->input' */
1.366 + rr->data=rr->input;
1.367 +
1.368 + enc_err = s->method->ssl3_enc->enc(s,0);
1.369 + if (enc_err <= 0)
1.370 + {
1.371 + if (enc_err == 0)
1.372 + /* SSLerr() and ssl3_send_alert() have been called */
1.373 + goto err;
1.374 +
1.375 + /* otherwise enc_err == -1 */
1.376 + goto decryption_failed_or_bad_record_mac;
1.377 + }
1.378 +
1.379 +#ifdef TLS_DEBUG
1.380 +printf("dec %d\n",rr->length);
1.381 +{ unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
1.382 +printf("\n");
1.383 +#endif
1.384 +
1.385 + /* r->length is now the compressed data plus mac */
1.386 +if ( (sess == NULL) ||
1.387 + (s->enc_read_ctx == NULL) ||
1.388 + (s->read_hash == NULL))
1.389 + clear=1;
1.390 +
1.391 + if (!clear)
1.392 + {
1.393 + mac_size=EVP_MD_size(s->read_hash);
1.394 +
1.395 + if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
1.396 + {
1.397 +#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
1.398 + al=SSL_AD_RECORD_OVERFLOW;
1.399 + SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
1.400 + goto f_err;
1.401 +#else
1.402 + goto decryption_failed_or_bad_record_mac;
1.403 +#endif
1.404 + }
1.405 + /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
1.406 + if (rr->length < mac_size)
1.407 + {
1.408 +#if 0 /* OK only for stream ciphers */
1.409 + al=SSL_AD_DECODE_ERROR;
1.410 + SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
1.411 + goto f_err;
1.412 +#else
1.413 + goto decryption_failed_or_bad_record_mac;
1.414 +#endif
1.415 + }
1.416 + rr->length-=mac_size;
1.417 + i=s->method->ssl3_enc->mac(s,md,0);
1.418 + if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
1.419 + {
1.420 + goto decryption_failed_or_bad_record_mac;
1.421 + }
1.422 + }
1.423 +
1.424 + /* r->length is now just compressed */
1.425 + if (s->expand != NULL)
1.426 + {
1.427 + if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH)
1.428 + {
1.429 + al=SSL_AD_RECORD_OVERFLOW;
1.430 + SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
1.431 + goto f_err;
1.432 + }
1.433 + if (!ssl3_do_uncompress(s))
1.434 + {
1.435 + al=SSL_AD_DECOMPRESSION_FAILURE;
1.436 + SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_BAD_DECOMPRESSION);
1.437 + goto f_err;
1.438 + }
1.439 + }
1.440 +
1.441 + if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH)
1.442 + {
1.443 + al=SSL_AD_RECORD_OVERFLOW;
1.444 + SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
1.445 + goto f_err;
1.446 + }
1.447 +
1.448 + rr->off=0;
1.449 + /* So at this point the following is true
1.450 + * ssl->s3->rrec.type is the type of record
1.451 + * ssl->s3->rrec.length == number of bytes in record
1.452 + * ssl->s3->rrec.off == offset to first valid byte
1.453 + * ssl->s3->rrec.data == where to take bytes from, increment
1.454 + * after use :-).
1.455 + */
1.456 +
1.457 + /* we have pulled in a full packet so zero things */
1.458 + s->packet_length=0;
1.459 + dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */
1.460 + return(1);
1.461 +
1.462 +decryption_failed_or_bad_record_mac:
1.463 + /* Separate 'decryption_failed' alert was introduced with TLS 1.0,
1.464 + * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
1.465 + * failure is directly visible from the ciphertext anyway,
1.466 + * we should not reveal which kind of error occured -- this
1.467 + * might become visible to an attacker (e.g. via logfile) */
1.468 + al=SSL_AD_BAD_RECORD_MAC;
1.469 + SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
1.470 +f_err:
1.471 + ssl3_send_alert(s,SSL3_AL_FATAL,al);
1.472 +err:
1.473 + return(0);
1.474 +}
1.475 +
1.476 +
1.477 +/* Call this to get a new input record.
1.478 + * It will return <= 0 if more data is needed, normally due to an error
1.479 + * or non-blocking IO.
1.480 + * When it finishes, one packet has been decoded and can be found in
1.481 + * ssl->s3->rrec.type - is the type of record
1.482 + * ssl->s3->rrec.data, - data
1.483 + * ssl->s3->rrec.length, - number of bytes
1.484 + */
1.485 +/* used only by dtls1_read_bytes */
1.486 +int dtls1_get_record(SSL *s)
1.487 + {
1.488 + int ssl_major,ssl_minor,al;
1.489 + int i,n;
1.490 + SSL3_RECORD *rr;
1.491 + SSL_SESSION *sess;
1.492 + unsigned char *p;
1.493 + unsigned short version;
1.494 + DTLS1_BITMAP *bitmap;
1.495 + unsigned int is_next_epoch;
1.496 +
1.497 + rr= &(s->s3->rrec);
1.498 + sess=s->session;
1.499 +
1.500 + /* The epoch may have changed. If so, process all the
1.501 + * pending records. This is a non-blocking operation. */
1.502 + if ( ! dtls1_process_buffered_records(s))
1.503 + return 0;
1.504 +
1.505 + /* if we're renegotiating, then there may be buffered records */
1.506 + if (dtls1_get_processed_record(s))
1.507 + return 1;
1.508 +
1.509 + /* get something from the wire */
1.510 +again:
1.511 + /* check if we have the header */
1.512 + if ( (s->rstate != SSL_ST_READ_BODY) ||
1.513 + (s->packet_length < DTLS1_RT_HEADER_LENGTH))
1.514 + {
1.515 + n=ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
1.516 + /* read timeout is handled by dtls1_read_bytes */
1.517 + if (n <= 0) return(n); /* error or non-blocking */
1.518 +
1.519 + OPENSSL_assert(s->packet_length == DTLS1_RT_HEADER_LENGTH);
1.520 +
1.521 + s->rstate=SSL_ST_READ_BODY;
1.522 +
1.523 + p=s->packet;
1.524 +
1.525 + /* Pull apart the header into the DTLS1_RECORD */
1.526 + rr->type= *(p++);
1.527 + ssl_major= *(p++);
1.528 + ssl_minor= *(p++);
1.529 + version=(ssl_major<<8)|ssl_minor;
1.530 +
1.531 + /* sequence number is 64 bits, with top 2 bytes = epoch */
1.532 + n2s(p,rr->epoch);
1.533 +
1.534 + memcpy(&(s->s3->read_sequence[2]), p, 6);
1.535 + p+=6;
1.536 +
1.537 + n2s(p,rr->length);
1.538 +
1.539 + /* Lets check version */
1.540 + if (!s->first_packet)
1.541 + {
1.542 + if (version != s->version && version != DTLS1_BAD_VER)
1.543 + {
1.544 + SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
1.545 + /* Send back error using their
1.546 + * version number :-) */
1.547 + s->version=version;
1.548 + al=SSL_AD_PROTOCOL_VERSION;
1.549 + goto f_err;
1.550 + }
1.551 + }
1.552 +
1.553 + if ((version & 0xff00) != (DTLS1_VERSION & 0xff00) &&
1.554 + (version & 0xff00) != (DTLS1_BAD_VER & 0xff00))
1.555 + {
1.556 + SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
1.557 + goto err;
1.558 + }
1.559 +
1.560 + if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH)
1.561 + {
1.562 + al=SSL_AD_RECORD_OVERFLOW;
1.563 + SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
1.564 + goto f_err;
1.565 + }
1.566 +
1.567 + s->client_version = version;
1.568 + /* now s->rstate == SSL_ST_READ_BODY */
1.569 + }
1.570 +
1.571 + /* s->rstate == SSL_ST_READ_BODY, get and decode the data */
1.572 +
1.573 + if (rr->length > s->packet_length-DTLS1_RT_HEADER_LENGTH)
1.574 + {
1.575 + /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
1.576 + i=rr->length;
1.577 + n=ssl3_read_n(s,i,i,1);
1.578 + if (n <= 0) return(n); /* error or non-blocking io */
1.579 +
1.580 + /* this packet contained a partial record, dump it */
1.581 + if ( n != i)
1.582 + {
1.583 + s->packet_length = 0;
1.584 + goto again;
1.585 + }
1.586 +
1.587 + /* now n == rr->length,
1.588 + * and s->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length */
1.589 + }
1.590 + s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */
1.591 +
1.592 + /* match epochs. NULL means the packet is dropped on the floor */
1.593 + bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
1.594 + if ( bitmap == NULL)
1.595 + {
1.596 + s->packet_length = 0; /* dump this record */
1.597 + goto again; /* get another record */
1.598 + }
1.599 +
1.600 + /* check whether this is a repeat, or aged record */
1.601 + if ( ! dtls1_record_replay_check(s, bitmap, &(rr->seq_num)))
1.602 + {
1.603 + s->packet_length=0; /* dump this record */
1.604 + goto again; /* get another record */
1.605 + }
1.606 +
1.607 + /* just read a 0 length packet */
1.608 + if (rr->length == 0) goto again;
1.609 +
1.610 + /* If this record is from the next epoch (either HM or ALERT), buffer it
1.611 + * since it cannot be processed at this time.
1.612 + * Records from the next epoch are marked as received even though they are
1.613 + * not processed, so as to prevent any potential resource DoS attack */
1.614 + if (is_next_epoch)
1.615 + {
1.616 + dtls1_record_bitmap_update(s, bitmap);
1.617 + dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
1.618 + s->packet_length = 0;
1.619 + goto again;
1.620 + }
1.621 +
1.622 + if ( ! dtls1_process_record(s))
1.623 + return(0);
1.624 +
1.625 + dtls1_clear_timeouts(s); /* done waiting */
1.626 + return(1);
1.627 +
1.628 +f_err:
1.629 + ssl3_send_alert(s,SSL3_AL_FATAL,al);
1.630 +err:
1.631 + return(0);
1.632 + }
1.633 +
1.634 +/* Return up to 'len' payload bytes received in 'type' records.
1.635 + * 'type' is one of the following:
1.636 + *
1.637 + * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
1.638 + * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
1.639 + * - 0 (during a shutdown, no data has to be returned)
1.640 + *
1.641 + * If we don't have stored data to work from, read a SSL/TLS record first
1.642 + * (possibly multiple records if we still don't have anything to return).
1.643 + *
1.644 + * This function must handle any surprises the peer may have for us, such as
1.645 + * Alert records (e.g. close_notify), ChangeCipherSpec records (not really
1.646 + * a surprise, but handled as if it were), or renegotiation requests.
1.647 + * Also if record payloads contain fragments too small to process, we store
1.648 + * them until there is enough for the respective protocol (the record protocol
1.649 + * may use arbitrary fragmentation and even interleaving):
1.650 + * Change cipher spec protocol
1.651 + * just 1 byte needed, no need for keeping anything stored
1.652 + * Alert protocol
1.653 + * 2 bytes needed (AlertLevel, AlertDescription)
1.654 + * Handshake protocol
1.655 + * 4 bytes needed (HandshakeType, uint24 length) -- we just have
1.656 + * to detect unexpected Client Hello and Hello Request messages
1.657 + * here, anything else is handled by higher layers
1.658 + * Application data protocol
1.659 + * none of our business
1.660 + */
1.661 +int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
1.662 + {
1.663 + int al,i,j,ret;
1.664 + unsigned int n;
1.665 + SSL3_RECORD *rr;
1.666 + void (*cb)(const SSL *ssl,int type2,int val)=NULL;
1.667 +
1.668 + if (s->s3->rbuf.buf == NULL) /* Not initialized yet */
1.669 + if (!ssl3_setup_buffers(s))
1.670 + return(-1);
1.671 +
1.672 + /* XXX: check what the second '&& type' is about */
1.673 + if ((type && (type != SSL3_RT_APPLICATION_DATA) &&
1.674 + (type != SSL3_RT_HANDSHAKE) && type) ||
1.675 + (peek && (type != SSL3_RT_APPLICATION_DATA)))
1.676 + {
1.677 + SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR);
1.678 + return -1;
1.679 + }
1.680 +
1.681 + /* check whether there's a handshake message (client hello?) waiting */
1.682 + if ( (ret = have_handshake_fragment(s, type, buf, len, peek)))
1.683 + return ret;
1.684 +
1.685 + /* Now s->d1->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
1.686 +
1.687 + if (!s->in_handshake && SSL_in_init(s))
1.688 + {
1.689 + /* type == SSL3_RT_APPLICATION_DATA */
1.690 + i=s->handshake_func(s);
1.691 + if (i < 0) return(i);
1.692 + if (i == 0)
1.693 + {
1.694 + SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
1.695 + return(-1);
1.696 + }
1.697 + }
1.698 +
1.699 +start:
1.700 + s->rwstate=SSL_NOTHING;
1.701 +
1.702 + /* s->s3->rrec.type - is the type of record
1.703 + * s->s3->rrec.data, - data
1.704 + * s->s3->rrec.off, - offset into 'data' for next read
1.705 + * s->s3->rrec.length, - number of bytes. */
1.706 + rr = &(s->s3->rrec);
1.707 +
1.708 + /* get new packet if necessary */
1.709 + if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
1.710 + {
1.711 + ret=dtls1_get_record(s);
1.712 + if (ret <= 0)
1.713 + {
1.714 + ret = dtls1_read_failed(s, ret);
1.715 + /* anything other than a timeout is an error */
1.716 + if (ret <= 0)
1.717 + return(ret);
1.718 + else
1.719 + goto start;
1.720 + }
1.721 + }
1.722 +
1.723 + /* we now have a packet which can be read and processed */
1.724 +
1.725 + if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
1.726 + * reset by ssl3_get_finished */
1.727 + && (rr->type != SSL3_RT_HANDSHAKE))
1.728 + {
1.729 + al=SSL_AD_UNEXPECTED_MESSAGE;
1.730 + SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
1.731 + goto err;
1.732 + }
1.733 +
1.734 + /* If the other end has shut down, throw anything we read away
1.735 + * (even in 'peek' mode) */
1.736 + if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
1.737 + {
1.738 + rr->length=0;
1.739 + s->rwstate=SSL_NOTHING;
1.740 + return(0);
1.741 + }
1.742 +
1.743 +
1.744 + if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */
1.745 + {
1.746 + /* make sure that we are not getting application data when we
1.747 + * are doing a handshake for the first time */
1.748 + if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
1.749 + (s->enc_read_ctx == NULL))
1.750 + {
1.751 + al=SSL_AD_UNEXPECTED_MESSAGE;
1.752 + SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE);
1.753 + goto f_err;
1.754 + }
1.755 +
1.756 + if (len <= 0) return(len);
1.757 +
1.758 + if ((unsigned int)len > rr->length)
1.759 + n = rr->length;
1.760 + else
1.761 + n = (unsigned int)len;
1.762 +
1.763 + memcpy(buf,&(rr->data[rr->off]),n);
1.764 + if (!peek)
1.765 + {
1.766 + rr->length-=n;
1.767 + rr->off+=n;
1.768 + if (rr->length == 0)
1.769 + {
1.770 + s->rstate=SSL_ST_READ_HEADER;
1.771 + rr->off=0;
1.772 + }
1.773 + }
1.774 + return(n);
1.775 + }
1.776 +
1.777 +
1.778 + /* If we get here, then type != rr->type; if we have a handshake
1.779 + * message, then it was unexpected (Hello Request or Client Hello). */
1.780 +
1.781 + /* In case of record types for which we have 'fragment' storage,
1.782 + * fill that so that we can process the data at a fixed place.
1.783 + */
1.784 + {
1.785 + unsigned int k, dest_maxlen = 0;
1.786 + unsigned char *dest = NULL;
1.787 + unsigned int *dest_len = NULL;
1.788 +
1.789 + if (rr->type == SSL3_RT_HANDSHAKE)
1.790 + {
1.791 + dest_maxlen = sizeof s->d1->handshake_fragment;
1.792 + dest = s->d1->handshake_fragment;
1.793 + dest_len = &s->d1->handshake_fragment_len;
1.794 + }
1.795 + else if (rr->type == SSL3_RT_ALERT)
1.796 + {
1.797 + dest_maxlen = sizeof(s->d1->alert_fragment);
1.798 + dest = s->d1->alert_fragment;
1.799 + dest_len = &s->d1->alert_fragment_len;
1.800 + }
1.801 + /* else it's a CCS message, or it's wrong */
1.802 + else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC)
1.803 + {
1.804 + /* Not certain if this is the right error handling */
1.805 + al=SSL_AD_UNEXPECTED_MESSAGE;
1.806 + SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
1.807 + goto f_err;
1.808 + }
1.809 +
1.810 +
1.811 + if (dest_maxlen > 0)
1.812 + {
1.813 + /* XDTLS: In a pathalogical case, the Client Hello
1.814 + * may be fragmented--don't always expect dest_maxlen bytes */
1.815 + if ( rr->length < dest_maxlen)
1.816 + {
1.817 + s->rstate=SSL_ST_READ_HEADER;
1.818 + rr->length = 0;
1.819 + goto start;
1.820 + }
1.821 +
1.822 + /* now move 'n' bytes: */
1.823 + for ( k = 0; k < dest_maxlen; k++)
1.824 + {
1.825 + dest[k] = rr->data[rr->off++];
1.826 + rr->length--;
1.827 + }
1.828 + *dest_len = dest_maxlen;
1.829 + }
1.830 + }
1.831 +
1.832 + /* s->d1->handshake_fragment_len == 12 iff rr->type == SSL3_RT_HANDSHAKE;
1.833 + * s->d1->alert_fragment_len == 7 iff rr->type == SSL3_RT_ALERT.
1.834 + * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */
1.835 +
1.836 + /* If we are a client, check for an incoming 'Hello Request': */
1.837 + if ((!s->server) &&
1.838 + (s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) &&
1.839 + (s->d1->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) &&
1.840 + (s->session != NULL) && (s->session->cipher != NULL))
1.841 + {
1.842 + s->d1->handshake_fragment_len = 0;
1.843 +
1.844 + if ((s->d1->handshake_fragment[1] != 0) ||
1.845 + (s->d1->handshake_fragment[2] != 0) ||
1.846 + (s->d1->handshake_fragment[3] != 0))
1.847 + {
1.848 + al=SSL_AD_DECODE_ERROR;
1.849 + SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
1.850 + goto err;
1.851 + }
1.852 +
1.853 + /* no need to check sequence number on HELLO REQUEST messages */
1.854 +
1.855 + if (s->msg_callback)
1.856 + s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
1.857 + s->d1->handshake_fragment, 4, s, s->msg_callback_arg);
1.858 +
1.859 + if (SSL_is_init_finished(s) &&
1.860 + !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
1.861 + !s->s3->renegotiate)
1.862 + {
1.863 + ssl3_renegotiate(s);
1.864 + if (ssl3_renegotiate_check(s))
1.865 + {
1.866 + i=s->handshake_func(s);
1.867 + if (i < 0) return(i);
1.868 + if (i == 0)
1.869 + {
1.870 + SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
1.871 + return(-1);
1.872 + }
1.873 +
1.874 + if (!(s->mode & SSL_MODE_AUTO_RETRY))
1.875 + {
1.876 + if (s->s3->rbuf.left == 0) /* no read-ahead left? */
1.877 + {
1.878 + BIO *bio;
1.879 + /* In the case where we try to read application data,
1.880 + * but we trigger an SSL handshake, we return -1 with
1.881 + * the retry option set. Otherwise renegotiation may
1.882 + * cause nasty problems in the blocking world */
1.883 + s->rwstate=SSL_READING;
1.884 + bio=SSL_get_rbio(s);
1.885 + BIO_clear_retry_flags(bio);
1.886 + BIO_set_retry_read(bio);
1.887 + return(-1);
1.888 + }
1.889 + }
1.890 + }
1.891 + }
1.892 + /* we either finished a handshake or ignored the request,
1.893 + * now try again to obtain the (application) data we were asked for */
1.894 + goto start;
1.895 + }
1.896 +
1.897 + if (s->d1->alert_fragment_len >= DTLS1_AL_HEADER_LENGTH)
1.898 + {
1.899 + int alert_level = s->d1->alert_fragment[0];
1.900 + int alert_descr = s->d1->alert_fragment[1];
1.901 +
1.902 + s->d1->alert_fragment_len = 0;
1.903 +
1.904 + if (s->msg_callback)
1.905 + s->msg_callback(0, s->version, SSL3_RT_ALERT,
1.906 + s->d1->alert_fragment, 2, s, s->msg_callback_arg);
1.907 +
1.908 + if (s->info_callback != NULL)
1.909 + cb=s->info_callback;
1.910 + else if (s->ctx->info_callback != NULL)
1.911 + cb=s->ctx->info_callback;
1.912 +
1.913 + if (cb != NULL)
1.914 + {
1.915 + j = (alert_level << 8) | alert_descr;
1.916 + cb(s, SSL_CB_READ_ALERT, j);
1.917 + }
1.918 +
1.919 + if (alert_level == 1) /* warning */
1.920 + {
1.921 + s->s3->warn_alert = alert_descr;
1.922 + if (alert_descr == SSL_AD_CLOSE_NOTIFY)
1.923 + {
1.924 + s->shutdown |= SSL_RECEIVED_SHUTDOWN;
1.925 + return(0);
1.926 + }
1.927 +#if 0
1.928 + /* XXX: this is a possible improvement in the future */
1.929 + /* now check if it's a missing record */
1.930 + if (alert_descr == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
1.931 + {
1.932 + unsigned short seq;
1.933 + unsigned int frag_off;
1.934 + unsigned char *p = &(s->d1->alert_fragment[2]);
1.935 +
1.936 + n2s(p, seq);
1.937 + n2l3(p, frag_off);
1.938 +
1.939 + dtls1_retransmit_message(s, seq, frag_off, &found);
1.940 + if ( ! found && SSL_in_init(s))
1.941 + {
1.942 + /* fprintf( stderr,"in init = %d\n", SSL_in_init(s)); */
1.943 + /* requested a message not yet sent,
1.944 + send an alert ourselves */
1.945 + ssl3_send_alert(s,SSL3_AL_WARNING,
1.946 + DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
1.947 + }
1.948 + }
1.949 +#endif
1.950 + }
1.951 + else if (alert_level == 2) /* fatal */
1.952 + {
1.953 + char tmp[16];
1.954 +
1.955 + s->rwstate=SSL_NOTHING;
1.956 + s->s3->fatal_alert = alert_descr;
1.957 + SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
1.958 + BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr);
1.959 + ERR_add_error_data(2,"SSL alert number ",tmp);
1.960 + s->shutdown|=SSL_RECEIVED_SHUTDOWN;
1.961 + SSL_CTX_remove_session(s->ctx,s->session);
1.962 + return(0);
1.963 + }
1.964 + else
1.965 + {
1.966 + al=SSL_AD_ILLEGAL_PARAMETER;
1.967 + SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE);
1.968 + goto f_err;
1.969 + }
1.970 +
1.971 + goto start;
1.972 + }
1.973 +
1.974 + if (s->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutdown */
1.975 + {
1.976 + s->rwstate=SSL_NOTHING;
1.977 + rr->length=0;
1.978 + return(0);
1.979 + }
1.980 +
1.981 + if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
1.982 + {
1.983 + struct ccs_header_st ccs_hdr;
1.984 +
1.985 + dtls1_get_ccs_header(rr->data, &ccs_hdr);
1.986 +
1.987 + /* 'Change Cipher Spec' is just a single byte, so we know
1.988 + * exactly what the record payload has to look like */
1.989 + /* XDTLS: check that epoch is consistent */
1.990 + if ( (s->client_version == DTLS1_BAD_VER && rr->length != 3) ||
1.991 + (s->client_version != DTLS1_BAD_VER && rr->length != DTLS1_CCS_HEADER_LENGTH) ||
1.992 + (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
1.993 + {
1.994 + i=SSL_AD_ILLEGAL_PARAMETER;
1.995 + SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
1.996 + goto err;
1.997 + }
1.998 +
1.999 + rr->length=0;
1.1000 +
1.1001 + if (s->msg_callback)
1.1002 + s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC,
1.1003 + rr->data, 1, s, s->msg_callback_arg);
1.1004 +
1.1005 + s->s3->change_cipher_spec=1;
1.1006 + if (!ssl3_do_change_cipher_spec(s))
1.1007 + goto err;
1.1008 +
1.1009 + /* do this whenever CCS is processed */
1.1010 + dtls1_reset_seq_numbers(s, SSL3_CC_READ);
1.1011 +
1.1012 + if (s->client_version == DTLS1_BAD_VER)
1.1013 + s->d1->handshake_read_seq++;
1.1014 +
1.1015 + goto start;
1.1016 + }
1.1017 +
1.1018 + /* Unexpected handshake message (Client Hello, or protocol violation) */
1.1019 + if ((s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) &&
1.1020 + !s->in_handshake)
1.1021 + {
1.1022 + struct hm_header_st msg_hdr;
1.1023 +
1.1024 + /* this may just be a stale retransmit */
1.1025 + dtls1_get_message_header(rr->data, &msg_hdr);
1.1026 + if( rr->epoch != s->d1->r_epoch)
1.1027 + {
1.1028 + rr->length = 0;
1.1029 + goto start;
1.1030 + }
1.1031 +
1.1032 + if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
1.1033 + !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
1.1034 + {
1.1035 +#if 0 /* worked only because C operator preferences are not as expected (and
1.1036 + * because this is not really needed for clients except for detecting
1.1037 + * protocol violations): */
1.1038 + s->state=SSL_ST_BEFORE|(s->server)
1.1039 + ?SSL_ST_ACCEPT
1.1040 + :SSL_ST_CONNECT;
1.1041 +#else
1.1042 + s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
1.1043 +#endif
1.1044 + s->new_session=1;
1.1045 + }
1.1046 + i=s->handshake_func(s);
1.1047 + if (i < 0) return(i);
1.1048 + if (i == 0)
1.1049 + {
1.1050 + SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
1.1051 + return(-1);
1.1052 + }
1.1053 +
1.1054 + if (!(s->mode & SSL_MODE_AUTO_RETRY))
1.1055 + {
1.1056 + if (s->s3->rbuf.left == 0) /* no read-ahead left? */
1.1057 + {
1.1058 + BIO *bio;
1.1059 + /* In the case where we try to read application data,
1.1060 + * but we trigger an SSL handshake, we return -1 with
1.1061 + * the retry option set. Otherwise renegotiation may
1.1062 + * cause nasty problems in the blocking world */
1.1063 + s->rwstate=SSL_READING;
1.1064 + bio=SSL_get_rbio(s);
1.1065 + BIO_clear_retry_flags(bio);
1.1066 + BIO_set_retry_read(bio);
1.1067 + return(-1);
1.1068 + }
1.1069 + }
1.1070 + goto start;
1.1071 + }
1.1072 +
1.1073 + switch (rr->type)
1.1074 + {
1.1075 + default:
1.1076 +#ifndef OPENSSL_NO_TLS
1.1077 + /* TLS just ignores unknown message types */
1.1078 + if (s->version == TLS1_VERSION)
1.1079 + {
1.1080 + rr->length = 0;
1.1081 + goto start;
1.1082 + }
1.1083 +#endif
1.1084 + al=SSL_AD_UNEXPECTED_MESSAGE;
1.1085 + SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
1.1086 + goto f_err;
1.1087 + case SSL3_RT_CHANGE_CIPHER_SPEC:
1.1088 + case SSL3_RT_ALERT:
1.1089 + case SSL3_RT_HANDSHAKE:
1.1090 + /* we already handled all of these, with the possible exception
1.1091 + * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that
1.1092 + * should not happen when type != rr->type */
1.1093 + al=SSL_AD_UNEXPECTED_MESSAGE;
1.1094 + SSLerr(SSL_F_DTLS1_READ_BYTES,ERR_R_INTERNAL_ERROR);
1.1095 + goto f_err;
1.1096 + case SSL3_RT_APPLICATION_DATA:
1.1097 + /* At this point, we were expecting handshake data,
1.1098 + * but have application data. If the library was
1.1099 + * running inside ssl3_read() (i.e. in_read_app_data
1.1100 + * is set) and it makes sense to read application data
1.1101 + * at this point (session renegotiation not yet started),
1.1102 + * we will indulge it.
1.1103 + */
1.1104 + if (s->s3->in_read_app_data &&
1.1105 + (s->s3->total_renegotiations != 0) &&
1.1106 + ((
1.1107 + (s->state & SSL_ST_CONNECT) &&
1.1108 + (s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
1.1109 + (s->state <= SSL3_ST_CR_SRVR_HELLO_A)
1.1110 + ) || (
1.1111 + (s->state & SSL_ST_ACCEPT) &&
1.1112 + (s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
1.1113 + (s->state >= SSL3_ST_SR_CLNT_HELLO_A)
1.1114 + )
1.1115 + ))
1.1116 + {
1.1117 + s->s3->in_read_app_data=2;
1.1118 + return(-1);
1.1119 + }
1.1120 + else
1.1121 + {
1.1122 + al=SSL_AD_UNEXPECTED_MESSAGE;
1.1123 + SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
1.1124 + goto f_err;
1.1125 + }
1.1126 + }
1.1127 + /* not reached */
1.1128 +
1.1129 +f_err:
1.1130 + ssl3_send_alert(s,SSL3_AL_FATAL,al);
1.1131 +err:
1.1132 + return(-1);
1.1133 + }
1.1134 +
1.1135 +int
1.1136 +dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len)
1.1137 + {
1.1138 + unsigned int n,tot;
1.1139 + int i;
1.1140 +
1.1141 + if (SSL_in_init(s) && !s->in_handshake)
1.1142 + {
1.1143 + i=s->handshake_func(s);
1.1144 + if (i < 0) return(i);
1.1145 + if (i == 0)
1.1146 + {
1.1147 + SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
1.1148 + return -1;
1.1149 + }
1.1150 + }
1.1151 +
1.1152 + tot = s->s3->wnum;
1.1153 + n = len - tot;
1.1154 +
1.1155 + while( n)
1.1156 + {
1.1157 + /* dtls1_write_bytes sends one record at a time, sized according to
1.1158 + * the currently known MTU */
1.1159 + i = dtls1_write_bytes(s, type, buf_, len);
1.1160 + if (i <= 0) return i;
1.1161 +
1.1162 + if ((i == (int)n) ||
1.1163 + (type == SSL3_RT_APPLICATION_DATA &&
1.1164 + (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)))
1.1165 + {
1.1166 + /* next chunk of data should get another prepended empty fragment
1.1167 + * in ciphersuites with known-IV weakness: */
1.1168 + s->s3->empty_fragment_done = 0;
1.1169 + return tot+i;
1.1170 + }
1.1171 +
1.1172 + tot += i;
1.1173 + n-=i;
1.1174 + }
1.1175 +
1.1176 + return tot;
1.1177 + }
1.1178 +
1.1179 +
1.1180 + /* this only happens when a client hello is received and a handshake
1.1181 + * is started. */
1.1182 +static int
1.1183 +have_handshake_fragment(SSL *s, int type, unsigned char *buf,
1.1184 + int len, int peek)
1.1185 + {
1.1186 +
1.1187 + if ((type == SSL3_RT_HANDSHAKE) && (s->d1->handshake_fragment_len > 0))
1.1188 + /* (partially) satisfy request from storage */
1.1189 + {
1.1190 + unsigned char *src = s->d1->handshake_fragment;
1.1191 + unsigned char *dst = buf;
1.1192 + unsigned int k,n;
1.1193 +
1.1194 + /* peek == 0 */
1.1195 + n = 0;
1.1196 + while ((len > 0) && (s->d1->handshake_fragment_len > 0))
1.1197 + {
1.1198 + *dst++ = *src++;
1.1199 + len--; s->d1->handshake_fragment_len--;
1.1200 + n++;
1.1201 + }
1.1202 + /* move any remaining fragment bytes: */
1.1203 + for (k = 0; k < s->d1->handshake_fragment_len; k++)
1.1204 + s->d1->handshake_fragment[k] = *src++;
1.1205 + return n;
1.1206 + }
1.1207 +
1.1208 + return 0;
1.1209 + }
1.1210 +
1.1211 +
1.1212 +
1.1213 +
1.1214 +/* Call this to write data in records of type 'type'
1.1215 + * It will return <= 0 if not all data has been sent or non-blocking IO.
1.1216 + */
1.1217 +int dtls1_write_bytes(SSL *s, int type, const void *buf_, int len)
1.1218 + {
1.1219 + const unsigned char *buf=buf_;
1.1220 + unsigned int tot,n,nw;
1.1221 + int i;
1.1222 + unsigned int mtu;
1.1223 +
1.1224 + s->rwstate=SSL_NOTHING;
1.1225 + tot=s->s3->wnum;
1.1226 +
1.1227 + n=(len-tot);
1.1228 +
1.1229 + /* handshake layer figures out MTU for itself, but data records
1.1230 + * are also sent through this interface, so need to figure out MTU */
1.1231 +#if 0
1.1232 + mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_MTU, 0, NULL);
1.1233 + mtu += DTLS1_HM_HEADER_LENGTH; /* HM already inserted */
1.1234 +#endif
1.1235 + mtu = s->d1->mtu;
1.1236 +
1.1237 + if (mtu > SSL3_RT_MAX_PLAIN_LENGTH)
1.1238 + mtu = SSL3_RT_MAX_PLAIN_LENGTH;
1.1239 +
1.1240 + if (n > mtu)
1.1241 + nw=mtu;
1.1242 + else
1.1243 + nw=n;
1.1244 +
1.1245 + i=do_dtls1_write(s, type, &(buf[tot]), nw, 0);
1.1246 + if (i <= 0)
1.1247 + {
1.1248 + s->s3->wnum=tot;
1.1249 + return i;
1.1250 + }
1.1251 +
1.1252 + if ( (int)s->s3->wnum + i == len)
1.1253 + s->s3->wnum = 0;
1.1254 + else
1.1255 + s->s3->wnum += i;
1.1256 +
1.1257 + return tot + i;
1.1258 + }
1.1259 +
1.1260 +int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, int create_empty_fragment)
1.1261 + {
1.1262 + unsigned char *p,*pseq;
1.1263 + int i,mac_size,clear=0;
1.1264 + int prefix_len = 0;
1.1265 + SSL3_RECORD *wr;
1.1266 + SSL3_BUFFER *wb;
1.1267 + SSL_SESSION *sess;
1.1268 + int bs;
1.1269 +
1.1270 + /* first check if there is a SSL3_BUFFER still being written
1.1271 + * out. This will happen with non blocking IO */
1.1272 + if (s->s3->wbuf.left != 0)
1.1273 + {
1.1274 + OPENSSL_assert(0); /* XDTLS: want to see if we ever get here */
1.1275 + return(ssl3_write_pending(s,type,buf,len));
1.1276 + }
1.1277 +
1.1278 + /* If we have an alert to send, lets send it */
1.1279 + if (s->s3->alert_dispatch)
1.1280 + {
1.1281 + i=s->method->ssl_dispatch_alert(s);
1.1282 + if (i <= 0)
1.1283 + return(i);
1.1284 + /* if it went, fall through and send more stuff */
1.1285 + }
1.1286 +
1.1287 + if (len == 0 && !create_empty_fragment)
1.1288 + return 0;
1.1289 +
1.1290 + wr= &(s->s3->wrec);
1.1291 + wb= &(s->s3->wbuf);
1.1292 + sess=s->session;
1.1293 +
1.1294 + if ( (sess == NULL) ||
1.1295 + (s->enc_write_ctx == NULL) ||
1.1296 + (s->write_hash == NULL))
1.1297 + clear=1;
1.1298 +
1.1299 + if (clear)
1.1300 + mac_size=0;
1.1301 + else
1.1302 + mac_size=EVP_MD_size(s->write_hash);
1.1303 +
1.1304 + /* DTLS implements explicit IV, so no need for empty fragments */
1.1305 +#if 0
1.1306 + /* 'create_empty_fragment' is true only when this function calls itself */
1.1307 + if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done
1.1308 + && SSL_version(s) != DTLS1_VERSION)
1.1309 + {
1.1310 + /* countermeasure against known-IV weakness in CBC ciphersuites
1.1311 + * (see http://www.openssl.org/~bodo/tls-cbc.txt)
1.1312 + */
1.1313 +
1.1314 + if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA)
1.1315 + {
1.1316 + /* recursive function call with 'create_empty_fragment' set;
1.1317 + * this prepares and buffers the data for an empty fragment
1.1318 + * (these 'prefix_len' bytes are sent out later
1.1319 + * together with the actual payload) */
1.1320 + prefix_len = s->method->do_ssl_write(s, type, buf, 0, 1);
1.1321 + if (prefix_len <= 0)
1.1322 + goto err;
1.1323 +
1.1324 + if (s->s3->wbuf.len < (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE)
1.1325 + {
1.1326 + /* insufficient space */
1.1327 + SSLerr(SSL_F_DO_DTLS1_WRITE, ERR_R_INTERNAL_ERROR);
1.1328 + goto err;
1.1329 + }
1.1330 + }
1.1331 +
1.1332 + s->s3->empty_fragment_done = 1;
1.1333 + }
1.1334 +#endif
1.1335 +
1.1336 + p = wb->buf + prefix_len;
1.1337 +
1.1338 + /* write the header */
1.1339 +
1.1340 + *(p++)=type&0xff;
1.1341 + wr->type=type;
1.1342 +
1.1343 + if (s->client_version == DTLS1_BAD_VER)
1.1344 + *(p++) = DTLS1_BAD_VER>>8,
1.1345 + *(p++) = DTLS1_BAD_VER&0xff;
1.1346 + else
1.1347 + *(p++)=(s->version>>8),
1.1348 + *(p++)=s->version&0xff;
1.1349 +
1.1350 + /* field where we are to write out packet epoch, seq num and len */
1.1351 + pseq=p;
1.1352 + p+=10;
1.1353 +
1.1354 + /* lets setup the record stuff. */
1.1355 +
1.1356 + /* Make space for the explicit IV in case of CBC.
1.1357 + * (this is a bit of a boundary violation, but what the heck).
1.1358 + */
1.1359 + if ( s->enc_write_ctx &&
1.1360 + (EVP_CIPHER_mode( s->enc_write_ctx->cipher ) & EVP_CIPH_CBC_MODE))
1.1361 + bs = EVP_CIPHER_block_size(s->enc_write_ctx->cipher);
1.1362 + else
1.1363 + bs = 0;
1.1364 +
1.1365 + wr->data=p + bs; /* make room for IV in case of CBC */
1.1366 + wr->length=(int)len;
1.1367 + wr->input=(unsigned char *)buf;
1.1368 +
1.1369 + /* we now 'read' from wr->input, wr->length bytes into
1.1370 + * wr->data */
1.1371 +
1.1372 + /* first we compress */
1.1373 + if (s->compress != NULL)
1.1374 + {
1.1375 + if (!ssl3_do_compress(s))
1.1376 + {
1.1377 + SSLerr(SSL_F_DO_DTLS1_WRITE,SSL_R_COMPRESSION_FAILURE);
1.1378 + goto err;
1.1379 + }
1.1380 + }
1.1381 + else
1.1382 + {
1.1383 + memcpy(wr->data,wr->input,wr->length);
1.1384 + wr->input=wr->data;
1.1385 + }
1.1386 +
1.1387 + /* we should still have the output to wr->data and the input
1.1388 + * from wr->input. Length should be wr->length.
1.1389 + * wr->data still points in the wb->buf */
1.1390 +
1.1391 + if (mac_size != 0)
1.1392 + {
1.1393 + s->method->ssl3_enc->mac(s,&(p[wr->length + bs]),1);
1.1394 + wr->length+=mac_size;
1.1395 + }
1.1396 +
1.1397 + /* this is true regardless of mac size */
1.1398 + wr->input=p;
1.1399 + wr->data=p;
1.1400 +
1.1401 +
1.1402 + /* ssl3_enc can only have an error on read */
1.1403 + if (bs) /* bs != 0 in case of CBC */
1.1404 + {
1.1405 + RAND_pseudo_bytes(p,bs);
1.1406 + /* master IV and last CBC residue stand for
1.1407 + * the rest of randomness */
1.1408 + wr->length += bs;
1.1409 + }
1.1410 +
1.1411 + s->method->ssl3_enc->enc(s,1);
1.1412 +
1.1413 + /* record length after mac and block padding */
1.1414 +/* if (type == SSL3_RT_APPLICATION_DATA ||
1.1415 + (type == SSL3_RT_ALERT && ! SSL_in_init(s))) */
1.1416 +
1.1417 + /* there's only one epoch between handshake and app data */
1.1418 +
1.1419 + s2n(s->d1->w_epoch, pseq);
1.1420 +
1.1421 + /* XDTLS: ?? */
1.1422 +/* else
1.1423 + s2n(s->d1->handshake_epoch, pseq); */
1.1424 +
1.1425 + memcpy(pseq, &(s->s3->write_sequence[2]), 6);
1.1426 + pseq+=6;
1.1427 + s2n(wr->length,pseq);
1.1428 +
1.1429 + /* we should now have
1.1430 + * wr->data pointing to the encrypted data, which is
1.1431 + * wr->length long */
1.1432 + wr->type=type; /* not needed but helps for debugging */
1.1433 + wr->length+=DTLS1_RT_HEADER_LENGTH;
1.1434 +
1.1435 +#if 0 /* this is now done at the message layer */
1.1436 + /* buffer the record, making it easy to handle retransmits */
1.1437 + if ( type == SSL3_RT_HANDSHAKE || type == SSL3_RT_CHANGE_CIPHER_SPEC)
1.1438 + dtls1_buffer_record(s, wr->data, wr->length,
1.1439 + *((PQ_64BIT *)&(s->s3->write_sequence[0])));
1.1440 +#endif
1.1441 +
1.1442 + ssl3_record_sequence_update(&(s->s3->write_sequence[0]));
1.1443 +
1.1444 + if (create_empty_fragment)
1.1445 + {
1.1446 + /* we are in a recursive call;
1.1447 + * just return the length, don't write out anything here
1.1448 + */
1.1449 + return wr->length;
1.1450 + }
1.1451 +
1.1452 + /* now let's set up wb */
1.1453 + wb->left = prefix_len + wr->length;
1.1454 + wb->offset = 0;
1.1455 +
1.1456 + /* memorize arguments so that ssl3_write_pending can detect bad write retries later */
1.1457 + s->s3->wpend_tot=len;
1.1458 + s->s3->wpend_buf=buf;
1.1459 + s->s3->wpend_type=type;
1.1460 + s->s3->wpend_ret=len;
1.1461 +
1.1462 + /* we now just need to write the buffer */
1.1463 + return ssl3_write_pending(s,type,buf,len);
1.1464 +err:
1.1465 + return -1;
1.1466 + }
1.1467 +
1.1468 +
1.1469 +
1.1470 +static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap,
1.1471 + PQ_64BIT *seq_num)
1.1472 + {
1.1473 +#if PQ_64BIT_IS_INTEGER
1.1474 + PQ_64BIT mask = 0x0000000000000001L;
1.1475 +#endif
1.1476 + PQ_64BIT rcd_num, tmp;
1.1477 +
1.1478 + pq_64bit_init(&rcd_num);
1.1479 + pq_64bit_init(&tmp);
1.1480 +
1.1481 + /* this is the sequence number for the record just read */
1.1482 + pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8);
1.1483 +
1.1484 +
1.1485 + if (pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) ||
1.1486 + pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num)))
1.1487 + {
1.1488 + pq_64bit_assign(seq_num, &rcd_num);
1.1489 + pq_64bit_free(&rcd_num);
1.1490 + pq_64bit_free(&tmp);
1.1491 + return 1; /* this record is new */
1.1492 + }
1.1493 +
1.1494 + pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num);
1.1495 +
1.1496 + if ( pq_64bit_get_word(&tmp) > bitmap->length)
1.1497 + {
1.1498 + pq_64bit_free(&rcd_num);
1.1499 + pq_64bit_free(&tmp);
1.1500 + return 0; /* stale, outside the window */
1.1501 + }
1.1502 +
1.1503 +#if PQ_64BIT_IS_BIGNUM
1.1504 + {
1.1505 + int offset;
1.1506 + pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num);
1.1507 + pq_64bit_sub_word(&tmp, 1);
1.1508 + offset = pq_64bit_get_word(&tmp);
1.1509 + if ( pq_64bit_is_bit_set(&(bitmap->map), offset))
1.1510 + {
1.1511 + pq_64bit_free(&rcd_num);
1.1512 + pq_64bit_free(&tmp);
1.1513 + return 0;
1.1514 + }
1.1515 + }
1.1516 +#else
1.1517 + mask <<= (bitmap->max_seq_num - rcd_num - 1);
1.1518 + if (bitmap->map & mask)
1.1519 + return 0; /* record previously received */
1.1520 +#endif
1.1521 +
1.1522 + pq_64bit_assign(seq_num, &rcd_num);
1.1523 + pq_64bit_free(&rcd_num);
1.1524 + pq_64bit_free(&tmp);
1.1525 + return 1;
1.1526 + }
1.1527 +
1.1528 +
1.1529 +static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap)
1.1530 + {
1.1531 + unsigned int shift;
1.1532 + PQ_64BIT rcd_num;
1.1533 + PQ_64BIT tmp;
1.1534 + PQ_64BIT_CTX *ctx;
1.1535 +
1.1536 + pq_64bit_init(&rcd_num);
1.1537 + pq_64bit_init(&tmp);
1.1538 +
1.1539 + pq_64bit_bin2num(&rcd_num, s->s3->read_sequence, 8);
1.1540 +
1.1541 + /* unfortunate code complexity due to 64-bit manipulation support
1.1542 + * on 32-bit machines */
1.1543 + if ( pq_64bit_gt(&rcd_num, &(bitmap->max_seq_num)) ||
1.1544 + pq_64bit_eq(&rcd_num, &(bitmap->max_seq_num)))
1.1545 + {
1.1546 + pq_64bit_sub(&tmp, &rcd_num, &(bitmap->max_seq_num));
1.1547 + pq_64bit_add_word(&tmp, 1);
1.1548 +
1.1549 + shift = (unsigned int)pq_64bit_get_word(&tmp);
1.1550 +
1.1551 + pq_64bit_lshift(&(tmp), &(bitmap->map), shift);
1.1552 + pq_64bit_assign(&(bitmap->map), &tmp);
1.1553 +
1.1554 + pq_64bit_set_bit(&(bitmap->map), 0);
1.1555 + pq_64bit_add_word(&rcd_num, 1);
1.1556 + pq_64bit_assign(&(bitmap->max_seq_num), &rcd_num);
1.1557 +
1.1558 + pq_64bit_assign_word(&tmp, 1);
1.1559 + pq_64bit_lshift(&tmp, &tmp, bitmap->length);
1.1560 + ctx = pq_64bit_ctx_new(&ctx);
1.1561 + pq_64bit_mod(&(bitmap->map), &(bitmap->map), &tmp, ctx);
1.1562 + pq_64bit_ctx_free(ctx);
1.1563 + }
1.1564 + else
1.1565 + {
1.1566 + pq_64bit_sub(&tmp, &(bitmap->max_seq_num), &rcd_num);
1.1567 + pq_64bit_sub_word(&tmp, 1);
1.1568 + shift = (unsigned int)pq_64bit_get_word(&tmp);
1.1569 +
1.1570 + pq_64bit_set_bit(&(bitmap->map), shift);
1.1571 + }
1.1572 +
1.1573 + pq_64bit_free(&rcd_num);
1.1574 + pq_64bit_free(&tmp);
1.1575 + }
1.1576 +
1.1577 +
1.1578 +int dtls1_dispatch_alert(SSL *s)
1.1579 + {
1.1580 + int i,j;
1.1581 + void (*cb)(const SSL *ssl,int type,int val)=NULL;
1.1582 + unsigned char buf[2 + 2 + 3]; /* alert level + alert desc + message seq +frag_off */
1.1583 + unsigned char *ptr = &buf[0];
1.1584 +
1.1585 + s->s3->alert_dispatch=0;
1.1586 +
1.1587 + memset(buf, 0x00, sizeof(buf));
1.1588 + *ptr++ = s->s3->send_alert[0];
1.1589 + *ptr++ = s->s3->send_alert[1];
1.1590 +
1.1591 + if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
1.1592 + {
1.1593 + s2n(s->d1->handshake_read_seq, ptr);
1.1594 +#if 0
1.1595 + if ( s->d1->r_msg_hdr.frag_off == 0) /* waiting for a new msg */
1.1596 +
1.1597 + else
1.1598 + s2n(s->d1->r_msg_hdr.seq, ptr); /* partial msg read */
1.1599 +#endif
1.1600 +
1.1601 +#if 0
1.1602 + fprintf(stderr, "s->d1->handshake_read_seq = %d, s->d1->r_msg_hdr.seq = %d\n",s->d1->handshake_read_seq,s->d1->r_msg_hdr.seq);
1.1603 +#endif
1.1604 + l2n3(s->d1->r_msg_hdr.frag_off, ptr);
1.1605 + }
1.1606 +
1.1607 + i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0);
1.1608 + if (i <= 0)
1.1609 + {
1.1610 + s->s3->alert_dispatch=1;
1.1611 + /* fprintf( stderr, "not done with alert\n" ); */
1.1612 + }
1.1613 + else
1.1614 + {
1.1615 + if ( s->s3->send_alert[0] == SSL3_AL_FATAL ||
1.1616 + s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
1.1617 + (void)BIO_flush(s->wbio);
1.1618 +
1.1619 + if (s->msg_callback)
1.1620 + s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert,
1.1621 + 2, s, s->msg_callback_arg);
1.1622 +
1.1623 + if (s->info_callback != NULL)
1.1624 + cb=s->info_callback;
1.1625 + else if (s->ctx->info_callback != NULL)
1.1626 + cb=s->ctx->info_callback;
1.1627 +
1.1628 + if (cb != NULL)
1.1629 + {
1.1630 + j=(s->s3->send_alert[0]<<8)|s->s3->send_alert[1];
1.1631 + cb(s,SSL_CB_WRITE_ALERT,j);
1.1632 + }
1.1633 + }
1.1634 + return(i);
1.1635 + }
1.1636 +
1.1637 +
1.1638 +static DTLS1_BITMAP *
1.1639 +dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch)
1.1640 + {
1.1641 +
1.1642 + *is_next_epoch = 0;
1.1643 +
1.1644 + /* In current epoch, accept HM, CCS, DATA, & ALERT */
1.1645 + if (rr->epoch == s->d1->r_epoch)
1.1646 + return &s->d1->bitmap;
1.1647 +
1.1648 + /* Only HM and ALERT messages can be from the next epoch */
1.1649 + else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) &&
1.1650 + (rr->type == SSL3_RT_HANDSHAKE ||
1.1651 + rr->type == SSL3_RT_ALERT))
1.1652 + {
1.1653 + *is_next_epoch = 1;
1.1654 + return &s->d1->next_bitmap;
1.1655 + }
1.1656 +
1.1657 + return NULL;
1.1658 + }
1.1659 +
1.1660 +#if 0
1.1661 +static int
1.1662 +dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr, unsigned short *priority,
1.1663 + unsigned long *offset)
1.1664 + {
1.1665 +
1.1666 + /* alerts are passed up immediately */
1.1667 + if ( rr->type == SSL3_RT_APPLICATION_DATA ||
1.1668 + rr->type == SSL3_RT_ALERT)
1.1669 + return 0;
1.1670 +
1.1671 + /* Only need to buffer if a handshake is underway.
1.1672 + * (this implies that Hello Request and Client Hello are passed up
1.1673 + * immediately) */
1.1674 + if ( SSL_in_init(s))
1.1675 + {
1.1676 + unsigned char *data = rr->data;
1.1677 + /* need to extract the HM/CCS sequence number here */
1.1678 + if ( rr->type == SSL3_RT_HANDSHAKE ||
1.1679 + rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
1.1680 + {
1.1681 + unsigned short seq_num;
1.1682 + struct hm_header_st msg_hdr;
1.1683 + struct ccs_header_st ccs_hdr;
1.1684 +
1.1685 + if ( rr->type == SSL3_RT_HANDSHAKE)
1.1686 + {
1.1687 + dtls1_get_message_header(data, &msg_hdr);
1.1688 + seq_num = msg_hdr.seq;
1.1689 + *offset = msg_hdr.frag_off;
1.1690 + }
1.1691 + else
1.1692 + {
1.1693 + dtls1_get_ccs_header(data, &ccs_hdr);
1.1694 + seq_num = ccs_hdr.seq;
1.1695 + *offset = 0;
1.1696 + }
1.1697 +
1.1698 + /* this is either a record we're waiting for, or a
1.1699 + * retransmit of something we happened to previously
1.1700 + * receive (higher layers will drop the repeat silently */
1.1701 + if ( seq_num < s->d1->handshake_read_seq)
1.1702 + return 0;
1.1703 + if (rr->type == SSL3_RT_HANDSHAKE &&
1.1704 + seq_num == s->d1->handshake_read_seq &&
1.1705 + msg_hdr.frag_off < s->d1->r_msg_hdr.frag_off)
1.1706 + return 0;
1.1707 + else if ( seq_num == s->d1->handshake_read_seq &&
1.1708 + (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC ||
1.1709 + msg_hdr.frag_off == s->d1->r_msg_hdr.frag_off))
1.1710 + return 0;
1.1711 + else
1.1712 + {
1.1713 + *priority = seq_num;
1.1714 + return 1;
1.1715 + }
1.1716 + }
1.1717 + else /* unknown record type */
1.1718 + return 0;
1.1719 + }
1.1720 +
1.1721 + return 0;
1.1722 + }
1.1723 +#endif
1.1724 +
1.1725 +void
1.1726 +dtls1_reset_seq_numbers(SSL *s, int rw)
1.1727 + {
1.1728 + unsigned char *seq;
1.1729 + unsigned int seq_bytes = sizeof(s->s3->read_sequence);
1.1730 +
1.1731 + if ( rw & SSL3_CC_READ)
1.1732 + {
1.1733 + seq = s->s3->read_sequence;
1.1734 + s->d1->r_epoch++;
1.1735 +
1.1736 + pq_64bit_assign(&(s->d1->bitmap.map), &(s->d1->next_bitmap.map));
1.1737 + s->d1->bitmap.length = s->d1->next_bitmap.length;
1.1738 + pq_64bit_assign(&(s->d1->bitmap.max_seq_num),
1.1739 + &(s->d1->next_bitmap.max_seq_num));
1.1740 +
1.1741 + pq_64bit_free(&(s->d1->next_bitmap.map));
1.1742 + pq_64bit_free(&(s->d1->next_bitmap.max_seq_num));
1.1743 + memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP));
1.1744 + pq_64bit_init(&(s->d1->next_bitmap.map));
1.1745 + pq_64bit_init(&(s->d1->next_bitmap.max_seq_num));
1.1746 + }
1.1747 + else
1.1748 + {
1.1749 + seq = s->s3->write_sequence;
1.1750 + s->d1->w_epoch++;
1.1751 + }
1.1752 +
1.1753 + memset(seq, 0x00, seq_bytes);
1.1754 + }
1.1755 +
1.1756 +#if PQ_64BIT_IS_INTEGER
1.1757 +static PQ_64BIT
1.1758 +bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num)
1.1759 + {
1.1760 + PQ_64BIT _num;
1.1761 +
1.1762 + _num = (((PQ_64BIT)bytes[0]) << 56) |
1.1763 + (((PQ_64BIT)bytes[1]) << 48) |
1.1764 + (((PQ_64BIT)bytes[2]) << 40) |
1.1765 + (((PQ_64BIT)bytes[3]) << 32) |
1.1766 + (((PQ_64BIT)bytes[4]) << 24) |
1.1767 + (((PQ_64BIT)bytes[5]) << 16) |
1.1768 + (((PQ_64BIT)bytes[6]) << 8) |
1.1769 + (((PQ_64BIT)bytes[7]) );
1.1770 +
1.1771 + *num = _num ;
1.1772 + return _num;
1.1773 + }
1.1774 +#endif
1.1775 +
1.1776 +
1.1777 +static void
1.1778 +dtls1_clear_timeouts(SSL *s)
1.1779 + {
1.1780 + memset(&(s->d1->timeout), 0x00, sizeof(struct dtls1_timeout_st));
1.1781 + }