kris
/
boringssl
1
0
Atdalīts 0
Kods Problēmas 0 Izmaiņu pieprasījumi 0 Laidieni 0 Vikivietne Aktivitāte
Nevar pievienot vairāk kā 25 tēmas Tēmai ir jāsākas ar burtu vai ciparu, tā var saturēt domu zīmes ('-') un var būt līdz 35 simboliem gara.
841 Revīzija
12 Atzari
38 MiB
 
 
 
 
 
 
Koks: 78e6978ab9
Atzari Tagi
${ item.name }
Izveidot atzaru ${ searchTerm }
no '78e6978ab9'
${ noResults }
boringssl/ssl/d1_both.c

1174 rindas
38 KiB
Neapstrādāts Vainot Vēsture 

  1. /*

  2.  * DTLS implementation written by Nagendra Modadugu

  3.  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 

  4.  */

  5. /* ====================================================================

  6.  * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.

  7.  *

  8.  * Redistribution and use in source and binary forms, with or without

  9.  * modification, are permitted provided that the following conditions

  10.  * are met:

  11.  *

  12.  * 1. Redistributions of source code must retain the above copyright

  13.  *    notice, this list of conditions and the following disclaimer.

  14.  *

  15.  * 2. Redistributions in binary form must reproduce the above copyright

  16.  *    notice, this list of conditions and the following disclaimer in

  17.  *    the documentation and/or other materials provided with the

  18.  *    distribution.

  19.  *

  20.  * 3. All advertising materials mentioning features or use of this

  21.  *    software must display the following acknowledgment:

  22.  *    "This product includes software developed by the OpenSSL Project

  23.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  24.  *

  25.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  26.  *    endorse or promote products derived from this software without

  27.  *    prior written permission. For written permission, please contact

  28.  *    openssl-core@openssl.org.

  29.  *

  30.  * 5. Products derived from this software may not be called "OpenSSL"

  31.  *    nor may "OpenSSL" appear in their names without prior written

  32.  *    permission of the OpenSSL Project.

  33.  *

  34.  * 6. Redistributions of any form whatsoever must retain the following

  35.  *    acknowledgment:

  36.  *    "This product includes software developed by the OpenSSL Project

  37.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  38.  *

  39.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  40.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  41.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  42.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  43.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  44.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  45.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  46.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  48.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  49.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  50.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  51.  * ====================================================================

  52.  *

  53.  * This product includes cryptographic software written by Eric Young

  54.  * (eay@cryptsoft.com).  This product includes software written by Tim

  55.  * Hudson (tjh@cryptsoft.com).

  56.  *

  57.  */

  58. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  59.  * All rights reserved.

  60.  *

  61.  * This package is an SSL implementation written

  62.  * by Eric Young (eay@cryptsoft.com).

  63.  * The implementation was written so as to conform with Netscapes SSL.

  64.  *

  65.  * This library is free for commercial and non-commercial use as long as

  66.  * the following conditions are aheared to.  The following conditions

  67.  * apply to all code found in this distribution, be it the RC4, RSA,

  68.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  69.  * included with this distribution is covered by the same copyright terms

  70.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  71.  *

  72.  * Copyright remains Eric Young's, and as such any Copyright notices in

  73.  * the code are not to be removed.

  74.  * If this package is used in a product, Eric Young should be given attribution

  75.  * as the author of the parts of the library used.

  76.  * This can be in the form of a textual message at program startup or

  77.  * in documentation (online or textual) provided with the package.

  78.  *

  79.  * Redistribution and use in source and binary forms, with or without

  80.  * modification, are permitted provided that the following conditions

  81.  * are met:

  82.  * 1. Redistributions of source code must retain the copyright

  83.  *    notice, this list of conditions and the following disclaimer.

  84.  * 2. Redistributions in binary form must reproduce the above copyright

  85.  *    notice, this list of conditions and the following disclaimer in the

  86.  *    documentation and/or other materials provided with the distribution.

  87.  * 3. All advertising materials mentioning features or use of this software

  88.  *    must display the following acknowledgement:

  89.  *    "This product includes cryptographic software written by

  90.  *     Eric Young (eay@cryptsoft.com)"

  91.  *    The word 'cryptographic' can be left out if the rouines from the library

  92.  *    being used are not cryptographic related :-).

  93.  * 4. If you include any Windows specific code (or a derivative thereof) from

  94.  *    the apps directory (application code) you must include an acknowledgement:

  95.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  96.  *

  97.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  98.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  99.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  100.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  101.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  102.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  103.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  104.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  105.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  106.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  107.  * SUCH DAMAGE.

  108.  *

  109.  * The licence and distribution terms for any publically available version or

  110.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  111.  * copied and put under another distribution licence

  112.  * [including the GNU Public Licence.] */

  113. 

  114. #include <assert.h>

  115. #include <limits.h>

  116. #include <stdio.h>

  117. #include <string.h>

  118. 

  119. #include <openssl/buf.h>

  120. #include <openssl/err.h>

  121. #include <openssl/evp.h>

  122. #include <openssl/mem.h>

  123. #include <openssl/obj.h>

  124. #include <openssl/rand.h>

  125. #include <openssl/x509.h>

  126. 

  127. #include "ssl_locl.h"

  128. 

  129. #define RSMBLY_BITMASK_SIZE(msg_len) (((msg_len) + 7) / 8)

  130. 

  131. #define RSMBLY_BITMASK_MARK(bitmask, start, end)                     \

  132.   {                                                                  \

  133.     if ((end) - (start) <= 8) {                                      \

  134.       long ii;                                                       \

  135.       for (ii = (start); ii < (end); ii++)                           \

  136.         bitmask[((ii) >> 3)] |= (1 << ((ii)&7));                     \

  137.     } else {                                                         \

  138.       long ii;                                                       \

  139.       bitmask[((start) >> 3)] |= bitmask_start_values[((start)&7)];  \

  140.       for (ii = (((start) >> 3) + 1); ii < ((((end)-1)) >> 3); ii++) \

  141.         bitmask[ii] = 0xff;                                          \

  142.       bitmask[(((end)-1) >> 3)] |= bitmask_end_values[((end)&7)];    \

  143.     }                                                                \

  144.   }

  145. 

  146. #define RSMBLY_BITMASK_IS_COMPLETE(bitmask, msg_len, is_complete)           \

  147.   {                                                                         \

  148.     long ii;                                                                \

  149.     assert((msg_len) > 0);                                                  \

  150.     is_complete = 1;                                                        \

  151.     if (bitmask[(((msg_len)-1) >> 3)] != bitmask_end_values[((msg_len)&7)]) \

  152.       is_complete = 0;                                                      \

  153.     if (is_complete)                                                        \

  154.       for (ii = (((msg_len)-1) >> 3) - 1; ii >= 0; ii--)                    \

  155.         if (bitmask[ii] != 0xff) {                                          \

  156.           is_complete = 0;                                                  \

  157.           break;                                                            \

  158.         }                                                                   \

  159.   }

  160. 

  161. static const uint8_t bitmask_start_values[] = {0xff, 0xfe, 0xfc, 0xf8,

  162.                                                0xf0, 0xe0, 0xc0, 0x80};

  163. static const uint8_t bitmask_end_values[] = {0xff, 0x01, 0x03, 0x07,

  164.                                              0x0f, 0x1f, 0x3f, 0x7f};

  165. 

  166. /* TODO(davidben): 28 comes from the size of IP + UDP header. Is this reasonable

  167.  * for these values? Notably, why is kMinMTU a function of the transport

  168.  * protocol's overhead rather than, say, what's needed to hold a minimally-sized

  169.  * handshake fragment plus protocol overhead. */

  170. 

  171. /* kMinMTU is the minimum acceptable MTU value. */

  172. static const unsigned int kMinMTU = 256 - 28;

  173. 

  174. /* kDefaultMTU is the default MTU value to use if neither the user nor

  175.  * the underlying BIO supplies one. */

  176. static const unsigned int kDefaultMTU = 1500 - 28;

  177. 

  178. static void dtls1_fix_message_header(SSL *s, unsigned long frag_off,

  179.                                      unsigned long frag_len);

  180. static unsigned char *dtls1_write_message_header(SSL *s, unsigned char *p);

  181. static long dtls1_get_message_fragment(SSL *s, int stn, long max, int *ok);

  182. 

  183. static hm_fragment *dtls1_hm_fragment_new(unsigned long frag_len,

  184.                                           int reassembly) {

  185.   hm_fragment *frag = NULL;

  186.   unsigned char *buf = NULL;

  187.   unsigned char *bitmask = NULL;

  188. 

  189.   frag = (hm_fragment *)OPENSSL_malloc(sizeof(hm_fragment));

  190.   if (frag == NULL) {

  191.     return NULL;

  192.   }

  193. 

  194.   if (frag_len) {

  195.     buf = (unsigned char *)OPENSSL_malloc(frag_len);

  196.     if (buf == NULL) {

  197.       OPENSSL_free(frag);

  198.       return NULL;

  199.     }

  200.   }

  201. 

  202.   /* zero length fragment gets zero frag->fragment */

  203.   frag->fragment = buf;

  204. 

  205.   /* Initialize reassembly bitmask if necessary */

  206.   if (reassembly) {

  207.     bitmask = (unsigned char *)OPENSSL_malloc(RSMBLY_BITMASK_SIZE(frag_len));

  208.     if (bitmask == NULL) {

  209.       if (buf != NULL) {

  210.         OPENSSL_free(buf);

  211.       }

  212.       OPENSSL_free(frag);

  213.       return NULL;

  214.     }

  215.     memset(bitmask, 0, RSMBLY_BITMASK_SIZE(frag_len));

  216.   }

  217. 

  218.   frag->reassembly = bitmask;

  219. 

  220.   return frag;

  221. }

  222. 

  223. void dtls1_hm_fragment_free(hm_fragment *frag) {

  224.   if (frag->msg_header.is_ccs) {

  225.     /* TODO(davidben): Simplify aead_write_ctx ownership, probably by just

  226.      * forbidding DTLS renego. */

  227.     SSL_AEAD_CTX *aead_write_ctx =

  228.         frag->msg_header.saved_retransmit_state.aead_write_ctx;

  229.     if (aead_write_ctx) {

  230.       EVP_AEAD_CTX_cleanup(&aead_write_ctx->ctx);

  231.       OPENSSL_free(aead_write_ctx);

  232.     }

  233.   }

  234.   if (frag->fragment) {

  235.     OPENSSL_free(frag->fragment);

  236.   }

  237.   if (frag->reassembly) {

  238.     OPENSSL_free(frag->reassembly);

  239.   }

  240.   OPENSSL_free(frag);

  241. }

  242. 

  243. /* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or

  244.  * SSL3_RT_CHANGE_CIPHER_SPEC) */

  245. int dtls1_do_write(SSL *s, int type) {

  246.   int ret;

  247.   int curr_mtu;

  248.   unsigned int len, frag_off;

  249.   size_t max_overhead = 0;

  250. 

  251.   /* AHA!  Figure out the MTU, and stick to the right size */

  252.   if (s->d1->mtu < dtls1_min_mtu() &&

  253.       !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) {

  254.     long mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);

  255.     if (mtu >= 0 && mtu <= (1 << 30) && (unsigned)mtu >= dtls1_min_mtu()) {

  256.       s->d1->mtu = (unsigned)mtu;

  257.     } else {

  258.       s->d1->mtu = kDefaultMTU;

  259.       BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SET_MTU, s->d1->mtu, NULL);

  260.     }

  261.   }

  262. 

  263.   /* should have something reasonable now */

  264.   assert(s->d1->mtu >= dtls1_min_mtu());

  265. 

  266.   if (s->init_off == 0 && type == SSL3_RT_HANDSHAKE) {

  267.     assert(s->init_num ==

  268.            (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH);

  269.   }

  270. 

  271.   /* Determine the maximum overhead of the current cipher. */

  272.   if (s->aead_write_ctx != NULL) {

  273.     max_overhead = EVP_AEAD_max_overhead(s->aead_write_ctx->ctx.aead);

  274.     if (s->aead_write_ctx->variable_nonce_included_in_record) {

  275.       max_overhead += s->aead_write_ctx->variable_nonce_len;

  276.     }

  277.   }

  278. 

  279.   frag_off = 0;

  280.   while (s->init_num) {

  281.     /* Account for data in the buffering BIO; multiple records may be packed

  282.      * into a single packet during the handshake.

  283.      *

  284.      * TODO(davidben): This is buggy; if the MTU is larger than the buffer size,

  285.      * the large record will be split across two packets. Moreover, in that

  286.      * case, the |dtls1_write_bytes| call may not return synchronously. This

  287.      * will break on retry as the |s->init_off| and |s->init_num| adjustment

  288.      * will run a second time. */

  289.     curr_mtu = s->d1->mtu - BIO_wpending(SSL_get_wbio(s)) -

  290.         DTLS1_RT_HEADER_LENGTH - max_overhead;

  291. 

  292.     if (curr_mtu <= DTLS1_HM_HEADER_LENGTH) {

  293.       /* Flush the buffer and continue with a fresh packet.

  294.        *

  295.        * TODO(davidben): If |BIO_flush| is not synchronous and requires multiple

  296.        * calls to |dtls1_do_write|, |frag_off| will be wrong. */

  297.       ret = BIO_flush(SSL_get_wbio(s));

  298.       if (ret <= 0) {

  299.         return ret;

  300.       }

  301.       assert(BIO_wpending(SSL_get_wbio(s)) == 0);

  302.       curr_mtu = s->d1->mtu - DTLS1_RT_HEADER_LENGTH - max_overhead;

  303.     }

  304. 

  305.     /* XDTLS: this function is too long.  split out the CCS part */

  306.     if (type == SSL3_RT_HANDSHAKE) {

  307.       /* If this isn't the first fragment, reserve space to prepend a new

  308.        * fragment header. This will override the body of a previous fragment. */

  309.       if (s->init_off != 0) {

  310.         assert(s->init_off > DTLS1_HM_HEADER_LENGTH);

  311.         s->init_off -= DTLS1_HM_HEADER_LENGTH;

  312.         s->init_num += DTLS1_HM_HEADER_LENGTH;

  313.       }

  314. 

  315.       if (curr_mtu <= DTLS1_HM_HEADER_LENGTH) {

  316.         /* To make forward progress, the MTU must, at minimum, fit the handshake

  317.          * header and one byte of handshake body. */

  318.         OPENSSL_PUT_ERROR(SSL, dtls1_do_write, SSL_R_MTU_TOO_SMALL);

  319.         return -1;

  320.       }

  321. 

  322.       if (s->init_num > curr_mtu) {

  323.         len = curr_mtu;

  324.       } else {

  325.         len = s->init_num;

  326.       }

  327.       assert(len >= DTLS1_HM_HEADER_LENGTH);

  328. 

  329.       dtls1_fix_message_header(s, frag_off, len - DTLS1_HM_HEADER_LENGTH);

  330.       dtls1_write_message_header(

  331.           s, (uint8_t *)&s->init_buf->data[s->init_off]);

  332.     } else {

  333.       assert(type == SSL3_RT_CHANGE_CIPHER_SPEC);

  334.       /* ChangeCipherSpec cannot be fragmented. */

  335.       if (s->init_num > curr_mtu) {

  336.         OPENSSL_PUT_ERROR(SSL, dtls1_do_write, SSL_R_MTU_TOO_SMALL);

  337.         return -1;

  338.       }

  339.       len = s->init_num;

  340.     }

  341. 

  342.     ret = dtls1_write_bytes(s, type, &s->init_buf->data[s->init_off], len);

  343.     if (ret < 0) {

  344.       return -1;

  345.     }

  346. 

  347.     /* bad if this assert fails, only part of the handshake message got sent.

  348.      * But why would this happen? */

  349.     assert(len == (unsigned int)ret);

  350. 

  351.     if (ret == s->init_num) {

  352.       if (s->msg_callback) {

  353.         s->msg_callback(1, s->version, type, s->init_buf->data,

  354.                         (size_t)(s->init_off + s->init_num), s,

  355.                         s->msg_callback_arg);

  356.       }

  357. 

  358.       s->init_off = 0; /* done writing this message */

  359.       s->init_num = 0;

  360. 

  361.       return 1;

  362.     }

  363.     s->init_off += ret;

  364.     s->init_num -= ret;

  365.     frag_off += (ret -= DTLS1_HM_HEADER_LENGTH);

  366.   }

  367. 

  368.   return 0;

  369. }

  370. 

  371. 

  372. /* Obtain handshake message of message type 'mt' (any if mt == -1), maximum

  373.  * acceptable body length 'max'. Read an entire handshake message. Handshake

  374.  * messages arrive in fragments. */

  375. long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max,

  376.                        int hash_message, int *ok) {

  377.   int i, al;

  378.   struct hm_header_st *msg_hdr;

  379.   uint8_t *p;

  380.   unsigned long msg_len;

  381. 

  382.   /* s3->tmp is used to store messages that are unexpected, caused

  383.    * by the absence of an optional handshake message */

  384.   if (s->s3->tmp.reuse_message) {

  385.     /* A SSL_GET_MESSAGE_DONT_HASH_MESSAGE call cannot be combined

  386.      * with reuse_message; the SSL_GET_MESSAGE_DONT_HASH_MESSAGE

  387.      * would have to have been applied to the previous call. */

  388.     assert(hash_message != SSL_GET_MESSAGE_DONT_HASH_MESSAGE);

  389.     s->s3->tmp.reuse_message = 0;

  390.     if (mt >= 0 && s->s3->tmp.message_type != mt) {

  391.       al = SSL_AD_UNEXPECTED_MESSAGE;

  392.       OPENSSL_PUT_ERROR(SSL, dtls1_get_message, SSL_R_UNEXPECTED_MESSAGE);

  393.       goto f_err;

  394.     }

  395.     *ok = 1;

  396.     s->init_msg = (uint8_t *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;

  397.     s->init_num = (int)s->s3->tmp.message_size;

  398.     return s->init_num;

  399.   }

  400. 

  401.   msg_hdr = &s->d1->r_msg_hdr;

  402.   memset(msg_hdr, 0x00, sizeof(struct hm_header_st));

  403. 

  404. again:

  405.   i = dtls1_get_message_fragment(s, stn, max, ok);

  406.   if (i == DTLS1_HM_BAD_FRAGMENT ||

  407.       i == DTLS1_HM_FRAGMENT_RETRY) {

  408.     /* bad fragment received */

  409.     goto again;

  410.   } else if (i <= 0 && !*ok) {

  411.     return i;

  412.   }

  413. 

  414.   p = (uint8_t *)s->init_buf->data;

  415.   msg_len = msg_hdr->msg_len;

  416. 

  417.   /* reconstruct message header */

  418.   *(p++) = msg_hdr->type;

  419.   l2n3(msg_len, p);

  420.   s2n(msg_hdr->seq, p);

  421.   l2n3(0, p);

  422.   l2n3(msg_len, p);

  423.   p -= DTLS1_HM_HEADER_LENGTH;

  424.   msg_len += DTLS1_HM_HEADER_LENGTH;

  425. 

  426.   s->init_msg = (uint8_t *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;

  427. 

  428.   if (hash_message != SSL_GET_MESSAGE_DONT_HASH_MESSAGE) {

  429.     ssl3_hash_current_message(s);

  430.   }

  431.   if (s->msg_callback) {

  432.     s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, p, msg_len, s,

  433.                     s->msg_callback_arg);

  434.   }

  435. 

  436.   memset(msg_hdr, 0x00, sizeof(struct hm_header_st));

  437. 

  438.   s->d1->handshake_read_seq++;

  439. 

  440.   return s->init_num;

  441. 

  442. f_err:

  443.   ssl3_send_alert(s, SSL3_AL_FATAL, al);

  444.   *ok = 0;

  445.   return -1;

  446. }

  447. 

  448. static int dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr,

  449.                                      int max) {

  450.   size_t frag_off, frag_len, msg_len;

  451. 

  452.   msg_len = msg_hdr->msg_len;

  453.   frag_off = msg_hdr->frag_off;

  454.   frag_len = msg_hdr->frag_len;

  455. 

  456.   /* sanity checking */

  457.   if ((frag_off + frag_len) > msg_len) {

  458.     OPENSSL_PUT_ERROR(SSL, dtls1_preprocess_fragment,

  459.                       SSL_R_EXCESSIVE_MESSAGE_SIZE);

  460.     return SSL_AD_ILLEGAL_PARAMETER;

  461.   }

  462. 

  463.   if ((frag_off + frag_len) > (unsigned long)max) {

  464.     OPENSSL_PUT_ERROR(SSL, dtls1_preprocess_fragment,

  465.                       SSL_R_EXCESSIVE_MESSAGE_SIZE);

  466.     return SSL_AD_ILLEGAL_PARAMETER;

  467.   }

  468. 

  469.   if (s->d1->r_msg_hdr.frag_off == 0) {

  470.     /* first fragment */

  471.     /* msg_len is limited to 2^24, but is effectively checked

  472.      * against max above */

  473.     if (!BUF_MEM_grow_clean(s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH)) {

  474.       OPENSSL_PUT_ERROR(SSL, dtls1_preprocess_fragment, ERR_R_BUF_LIB);

  475.       return SSL_AD_INTERNAL_ERROR;

  476.     }

  477. 

  478.     s->s3->tmp.message_size = msg_len;

  479.     s->d1->r_msg_hdr.msg_len = msg_len;

  480.     s->s3->tmp.message_type = msg_hdr->type;

  481.     s->d1->r_msg_hdr.type = msg_hdr->type;

  482.     s->d1->r_msg_hdr.seq = msg_hdr->seq;

  483.   } else if (msg_len != s->d1->r_msg_hdr.msg_len) {

  484.     /* They must be playing with us! BTW, failure to enforce

  485.      * upper limit would open possibility for buffer overrun. */

  486.     OPENSSL_PUT_ERROR(SSL, dtls1_preprocess_fragment,

  487.                       SSL_R_EXCESSIVE_MESSAGE_SIZE);

  488.     return SSL_AD_ILLEGAL_PARAMETER;

  489.   }

  490. 

  491.   return 0; /* no error */

  492. }

  493. 

  494. 

  495. static int dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) {

  496.   /* (0) check whether the desired fragment is available

  497.    * if so:

  498.    * (1) copy over the fragment to s->init_buf->data[]

  499.    * (2) update s->init_num */

  500.   pitem *item;

  501.   hm_fragment *frag;

  502.   int al;

  503.   unsigned long frag_len;

  504. 

  505.   *ok = 0;

  506.   item = pqueue_peek(s->d1->buffered_messages);

  507.   if (item == NULL) {

  508.     return 0;

  509.   }

  510. 

  511.   frag = (hm_fragment *)item->data;

  512. 

  513.   /* Don't return if reassembly still in progress */

  514.   if (frag->reassembly != NULL) {

  515.     return 0;

  516.   }

  517. 

  518.   if (s->d1->handshake_read_seq != frag->msg_header.seq) {

  519.     return 0;

  520.   }

  521. 

  522.   frag_len = frag->msg_header.frag_len;

  523.   pqueue_pop(s->d1->buffered_messages);

  524. 

  525.   al = dtls1_preprocess_fragment(s, &frag->msg_header, max);

  526. 

  527.   if (al == 0) {

  528.     /* no alert */

  529.     uint8_t *p = (uint8_t *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;

  530.     memcpy(&p[frag->msg_header.frag_off], frag->fragment,

  531.            frag->msg_header.frag_len);

  532.   }

  533. 

  534.   dtls1_hm_fragment_free(frag);

  535.   pitem_free(item);

  536. 

  537.   if (al == 0) {

  538.     *ok = 1;

  539.     return frag_len;

  540.   }

  541. 

  542.   ssl3_send_alert(s, SSL3_AL_FATAL, al);

  543.   s->init_num = 0;

  544.   *ok = 0;

  545.   return -1;

  546. }

  547. 

  548. /* dtls1_max_handshake_message_len returns the maximum number of bytes

  549.  * permitted in a DTLS handshake message for |s|. The minimum is 16KB, but may

  550.  * be greater if the maximum certificate list size requires it. */

  551. static unsigned long dtls1_max_handshake_message_len(const SSL *s) {

  552.   unsigned long max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;

  553.   if (max_len < (unsigned long)s->max_cert_list) {

  554.     return s->max_cert_list;

  555.   }

  556.   return max_len;

  557. }

  558. 

  559. static int dtls1_reassemble_fragment(SSL *s, const struct hm_header_st *msg_hdr,

  560.                                      int *ok) {

  561.   hm_fragment *frag = NULL;

  562.   pitem *item = NULL;

  563.   int i = -1, is_complete;

  564.   uint8_t seq64be[8];

  565.   unsigned long frag_len = msg_hdr->frag_len;

  566. 

  567.   if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len ||

  568.       msg_hdr->msg_len > dtls1_max_handshake_message_len(s)) {

  569.     goto err;

  570.   }

  571. 

  572.   if (frag_len == 0) {

  573.     return DTLS1_HM_FRAGMENT_RETRY;

  574.   }

  575. 

  576.   /* Try to find item in queue */

  577.   memset(seq64be, 0, sizeof(seq64be));

  578.   seq64be[6] = (uint8_t)(msg_hdr->seq >> 8);

  579.   seq64be[7] = (uint8_t)msg_hdr->seq;

  580.   item = pqueue_find(s->d1->buffered_messages, seq64be);

  581. 

  582.   if (item == NULL) {

  583.     frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 1);

  584.     if (frag == NULL) {

  585.       goto err;

  586.     }

  587.     memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));

  588.     frag->msg_header.frag_len = frag->msg_header.msg_len;

  589.     frag->msg_header.frag_off = 0;

  590.   } else {

  591.     frag = (hm_fragment *)item->data;

  592.     if (frag->msg_header.msg_len != msg_hdr->msg_len) {

  593.       item = NULL;

  594.       frag = NULL;

  595.       goto err;

  596.     }

  597.   }

  598. 

  599.   /* If message is already reassembled, this must be a

  600.    * retransmit and can be dropped. In this case item != NULL and so frag

  601.    * does not need to be freed. */

  602.   if (frag->reassembly == NULL) {

  603.     uint8_t devnull[256];

  604. 

  605.     assert(item != NULL);

  606.     while (frag_len) {

  607.       i = s->method->ssl_read_bytes(

  608.           s, SSL3_RT_HANDSHAKE, devnull,

  609.           frag_len > sizeof(devnull) ? sizeof(devnull) : frag_len, 0);

  610.       if (i <= 0) {

  611.         goto err;

  612.       }

  613.       frag_len -= i;

  614.     }

  615.     return DTLS1_HM_FRAGMENT_RETRY;

  616.   }

  617. 

  618.   /* read the body of the fragment (header has already been read */

  619.   i = s->method->ssl_read_bytes(

  620.       s, SSL3_RT_HANDSHAKE, frag->fragment + msg_hdr->frag_off, frag_len, 0);

  621.   if ((unsigned long)i != frag_len) {

  622.     i = -1;

  623.   }

  624.   if (i <= 0) {

  625.     goto err;

  626.   }

  627. 

  628.   RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off,

  629.                       (long)(msg_hdr->frag_off + frag_len));

  630. 

  631.   RSMBLY_BITMASK_IS_COMPLETE(frag->reassembly, (long)msg_hdr->msg_len,

  632.                              is_complete);

  633. 

  634.   if (is_complete) {

  635.     OPENSSL_free(frag->reassembly);

  636.     frag->reassembly = NULL;

  637.   }

  638. 

  639.   if (item == NULL) {

  640.     item = pitem_new(seq64be, frag);

  641.     if (item == NULL) {

  642.       i = -1;

  643.       goto err;

  644.     }

  645. 

  646.     item = pqueue_insert(s->d1->buffered_messages, item);

  647.     /* pqueue_insert fails iff a duplicate item is inserted.

  648.      * However, |item| cannot be a duplicate. If it were,

  649.      * |pqueue_find|, above, would have returned it and control

  650.      * would never have reached this branch. */

  651.     assert(item != NULL);

  652.   }

  653. 

  654.   return DTLS1_HM_FRAGMENT_RETRY;

  655. 

  656. err:

  657.   if (frag != NULL && item == NULL) {

  658.     dtls1_hm_fragment_free(frag);

  659.   }

  660.   *ok = 0;

  661.   return i;

  662. }

  663. 

  664. static int dtls1_process_out_of_seq_message(SSL *s,

  665.                                             const struct hm_header_st *msg_hdr,

  666.                                             int *ok) {

  667.   int i = -1;

  668.   hm_fragment *frag = NULL;

  669.   pitem *item = NULL;

  670.   uint8_t seq64be[8];

  671.   unsigned long frag_len = msg_hdr->frag_len;

  672. 

  673.   if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len) {

  674.     goto err;

  675.   }

  676. 

  677.   /* Try to find item in queue, to prevent duplicate entries */

  678.   memset(seq64be, 0, sizeof(seq64be));

  679.   seq64be[6] = (uint8_t)(msg_hdr->seq >> 8);

  680.   seq64be[7] = (uint8_t)msg_hdr->seq;

  681.   item = pqueue_find(s->d1->buffered_messages, seq64be);

  682. 

  683.   /* If we already have an entry and this one is a fragment,

  684.    * don't discard it and rather try to reassemble it. */

  685.   if (item != NULL && frag_len != msg_hdr->msg_len) {

  686.     item = NULL;

  687.   }

  688. 

  689.   /* Discard the message if sequence number was already there, is

  690.    * too far in the future, already in the queue or if we received

  691.    * a FINISHED before the SERVER_HELLO, which then must be a stale

  692.    * retransmit. */

  693.   if (msg_hdr->seq <= s->d1->handshake_read_seq ||

  694.       msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL ||

  695.       (s->d1->handshake_read_seq == 0 && msg_hdr->type == SSL3_MT_FINISHED)) {

  696.     uint8_t devnull[256];

  697. 

  698.     while (frag_len) {

  699.       i = s->method->ssl_read_bytes(

  700.           s, SSL3_RT_HANDSHAKE, devnull,

  701.           frag_len > sizeof(devnull) ? sizeof(devnull) : frag_len, 0);

  702.       if (i <= 0) {

  703.         goto err;

  704.       }

  705.       frag_len -= i;

  706.     }

  707.   } else {

  708.     if (frag_len != msg_hdr->msg_len) {

  709.       return dtls1_reassemble_fragment(s, msg_hdr, ok);

  710.     }

  711. 

  712.     if (frag_len > dtls1_max_handshake_message_len(s)) {

  713.       goto err;

  714.     }

  715. 

  716.     frag = dtls1_hm_fragment_new(frag_len, 0);

  717.     if (frag == NULL) {

  718.       goto err;

  719.     }

  720. 

  721.     memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));

  722. 

  723.     if (frag_len) {

  724.       /* read the body of the fragment (header has already been read */

  725.       i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, frag->fragment,

  726.                                     frag_len, 0);

  727.       if ((unsigned long)i != frag_len) {

  728.         i = -1;

  729.       }

  730.       if (i <= 0) {

  731.         goto err;

  732.       }

  733.     }

  734. 

  735.     item = pitem_new(seq64be, frag);

  736.     if (item == NULL) {

  737.       goto err;

  738.     }

  739. 

  740.     item = pqueue_insert(s->d1->buffered_messages, item);

  741.     /* pqueue_insert fails iff a duplicate item is inserted.

  742.      * However, |item| cannot be a duplicate. If it were,

  743.      * |pqueue_find|, above, would have returned it. Then, either

  744.      * |frag_len| != |msg_hdr->msg_len| in which case |item| is set

  745.      * to NULL and it will have been processed with

  746.      * |dtls1_reassemble_fragment|, above, or the record will have

  747.      * been discarded. */

  748.     assert(item != NULL);

  749.   }

  750. 

  751.   return DTLS1_HM_FRAGMENT_RETRY;

  752. 

  753. err:

  754.   if (frag != NULL && item == NULL) {

  755.     dtls1_hm_fragment_free(frag);

  756.   }

  757.   *ok = 0;

  758.   return i;

  759. }

  760. 

  761. 

  762. static long dtls1_get_message_fragment(SSL *s, int stn, long max, int *ok) {

  763.   uint8_t wire[DTLS1_HM_HEADER_LENGTH];

  764.   unsigned long len, frag_off, frag_len;

  765.   int i, al;

  766.   struct hm_header_st msg_hdr;

  767. 

  768. redo:

  769.   /* see if we have the required fragment already */

  770.   if ((frag_len = dtls1_retrieve_buffered_fragment(s, max, ok)) || *ok) {

  771.     if (*ok) {

  772.       s->init_num = frag_len;

  773.     }

  774.     return frag_len;

  775.   }

  776. 

  777.   /* read handshake message header */

  778.   i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, wire,

  779.                                 DTLS1_HM_HEADER_LENGTH, 0);

  780.   if (i <= 0) {

  781.     /* nbio, or an error */

  782.     s->rwstate = SSL_READING;

  783.     *ok = 0;

  784.     return i;

  785.   }

  786. 

  787.   /* Handshake fails if message header is incomplete */

  788.   if (i != DTLS1_HM_HEADER_LENGTH) {

  789.     al = SSL_AD_UNEXPECTED_MESSAGE;

  790.     OPENSSL_PUT_ERROR(SSL, dtls1_get_message_fragment,

  791.                       SSL_R_UNEXPECTED_MESSAGE);

  792.     goto f_err;

  793.   }

  794. 

  795.   /* parse the message fragment header */

  796.   dtls1_get_message_header(wire, &msg_hdr);

  797. 

  798.   /* if this is a future (or stale) message it gets buffered

  799.    * (or dropped)--no further processing at this time. */

  800.   if (msg_hdr.seq != s->d1->handshake_read_seq) {

  801.     return dtls1_process_out_of_seq_message(s, &msg_hdr, ok);

  802.   }

  803. 

  804.   len = msg_hdr.msg_len;

  805.   frag_off = msg_hdr.frag_off;

  806.   frag_len = msg_hdr.frag_len;

  807. 

  808.   if (frag_len && frag_len < len) {

  809.     return dtls1_reassemble_fragment(s, &msg_hdr, ok);

  810.   }

  811. 

  812.   if (!s->server && s->d1->r_msg_hdr.frag_off == 0 &&

  813.       wire[0] == SSL3_MT_HELLO_REQUEST) {

  814.     /* The server may always send 'Hello Request' messages --

  815.      * we are doing a handshake anyway now, so ignore them

  816.      * if their format is correct. Does not count for

  817.      * 'Finished' MAC. */

  818.     if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0) {

  819.       if (s->msg_callback) {

  820.         s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, wire,

  821.                         DTLS1_HM_HEADER_LENGTH, s, s->msg_callback_arg);

  822.       }

  823. 

  824.       s->init_num = 0;

  825.       goto redo;

  826.     } else {

  827.       /* Incorrectly formated Hello request */

  828.       al = SSL_AD_UNEXPECTED_MESSAGE;

  829.       OPENSSL_PUT_ERROR(SSL, dtls1_get_message_fragment,

  830.                         SSL_R_UNEXPECTED_MESSAGE);

  831.       goto f_err;

  832.     }

  833.   }

  834. 

  835.   if ((al = dtls1_preprocess_fragment(s, &msg_hdr, max))) {

  836.     goto f_err;

  837.   }

  838. 

  839.   /* XDTLS:  ressurect this when restart is in place */

  840.   s->state = stn;

  841. 

  842.   if (frag_len > 0) {

  843.     uint8_t *p = (uint8_t *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;

  844. 

  845.     i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &p[frag_off], frag_len,

  846.                                   0);

  847.     /* XDTLS:  fix this--message fragments cannot span multiple packets */

  848.     if (i <= 0) {

  849.       s->rwstate = SSL_READING;

  850.       *ok = 0;

  851.       return i;

  852.     }

  853.   } else {

  854.     i = 0;

  855.   }

  856. 

  857.   /* XDTLS:  an incorrectly formatted fragment should cause the

  858.    * handshake to fail */

  859.   if (i != (int)frag_len) {

  860.     al = SSL3_AD_ILLEGAL_PARAMETER;

  861.     OPENSSL_PUT_ERROR(SSL, dtls1_get_message_fragment,

  862.                       SSL3_AD_ILLEGAL_PARAMETER);

  863.     goto f_err;

  864.   }

  865. 

  866.   *ok = 1;

  867. 

  868.   /* Note that s->init_num is *not* used as current offset in

  869.    * s->init_buf->data, but as a counter summing up fragments'

  870.    * lengths: as soon as they sum up to handshake packet

  871.    * length, we assume we have got all the fragments. */

  872.   s->init_num = frag_len;

  873.   return frag_len;

  874. 

  875. f_err:

  876.   ssl3_send_alert(s, SSL3_AL_FATAL, al);

  877.   s->init_num = 0;

  878. 

  879.   *ok = 0;

  880.   return -1;

  881. }

  882. 

  883. /* for these 2 messages, we need to

  884.  * ssl->enc_read_ctx			re-init

  885.  * ssl->s3->read_sequence		zero

  886.  * ssl->s3->read_mac_secret		re-init

  887.  * ssl->session->read_sym_enc		assign

  888.  * ssl->session->read_compression	assign

  889.  * ssl->session->read_hash		assign */

  890. int dtls1_send_change_cipher_spec(SSL *s, int a, int b) {

  891.   uint8_t *p;

  892. 

  893.   if (s->state == a) {

  894.     p = (uint8_t *)s->init_buf->data;

  895.     *p++ = SSL3_MT_CCS;

  896.     s->d1->handshake_write_seq = s->d1->next_handshake_write_seq;

  897.     s->init_num = DTLS1_CCS_HEADER_LENGTH;

  898. 

  899.     s->init_off = 0;

  900. 

  901.     dtls1_set_message_header(s, SSL3_MT_CCS, 0, s->d1->handshake_write_seq, 0,

  902.                              0);

  903. 

  904.     /* buffer the message to handle re-xmits */

  905.     dtls1_buffer_message(s, 1);

  906. 

  907.     s->state = b;

  908.   }

  909. 

  910.   /* SSL3_ST_CW_CHANGE_B */

  911.   return dtls1_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);

  912. }

  913. 

  914. int dtls1_read_failed(SSL *s, int code) {

  915.   if (code > 0) {

  916.     fprintf(stderr, "invalid state reached %s:%d", __FILE__, __LINE__);

  917.     return 1;

  918.   }

  919. 

  920.   if (!dtls1_is_timer_expired(s)) {

  921.     /* not a timeout, none of our business, let higher layers handle this. In

  922.      * fact, it's probably an error */

  923.     return code;

  924.   }

  925. 

  926.   if (!SSL_in_init(s)) {

  927.     /* done, no need to send a retransmit */

  928.     BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ);

  929.     return code;

  930.   }

  931. 

  932.   return dtls1_handle_timeout(s);

  933. }

  934. 

  935. int dtls1_get_queue_priority(unsigned short seq, int is_ccs) {

  936.   /* The index of the retransmission queue actually is the message sequence

  937.    * number, since the queue only contains messages of a single handshake.

  938.    * However, the ChangeCipherSpec has no message sequence number and so using

  939.    * only the sequence will result in the CCS and Finished having the same

  940.    * index. To prevent this, the sequence number is multiplied by 2. In case of

  941.    * a CCS 1 is subtracted. This does not only differ CSS and Finished, it also

  942.    * maintains the order of the index (important for priority queues) and fits

  943.    * in the unsigned short variable. */

  944.   return seq * 2 - is_ccs;

  945. }

  946. 

  947. int dtls1_retransmit_buffered_messages(SSL *s) {

  948.   pqueue sent = s->d1->sent_messages;

  949.   piterator iter;

  950.   pitem *item;

  951.   hm_fragment *frag;

  952.   int found = 0;

  953. 

  954.   iter = pqueue_iterator(sent);

  955. 

  956.   for (item = pqueue_next(&iter); item != NULL; item = pqueue_next(&iter)) {

  957.     frag = (hm_fragment *)item->data;

  958.     if (dtls1_retransmit_message(

  959.             s, (unsigned short)dtls1_get_queue_priority(

  960.                    frag->msg_header.seq, frag->msg_header.is_ccs),

  961.             0, &found) <= 0 &&

  962.         found) {

  963.       fprintf(stderr, "dtls1_retransmit_message() failed\n");

  964.       return -1;

  965.     }

  966.   }

  967. 

  968.   return 1;

  969. }

  970. 

  971. int dtls1_buffer_message(SSL *s, int is_ccs) {

  972.   pitem *item;

  973.   hm_fragment *frag;

  974.   uint8_t seq64be[8];

  975. 

  976.   /* this function is called immediately after a message has

  977.    * been serialized */

  978.   assert(s->init_off == 0);

  979. 

  980.   frag = dtls1_hm_fragment_new(s->init_num, 0);

  981.   if (!frag) {

  982.     return 0;

  983.   }

  984. 

  985.   memcpy(frag->fragment, s->init_buf->data, s->init_num);

  986. 

  987.   if (is_ccs) {

  988.     assert(s->d1->w_msg_hdr.msg_len + DTLS1_CCS_HEADER_LENGTH ==

  989.            (unsigned int)s->init_num);

  990.   } else {

  991.     assert(s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH ==

  992.            (unsigned int)s->init_num);

  993.   }

  994. 

  995.   frag->msg_header.msg_len = s->d1->w_msg_hdr.msg_len;

  996.   frag->msg_header.seq = s->d1->w_msg_hdr.seq;

  997.   frag->msg_header.type = s->d1->w_msg_hdr.type;

  998.   frag->msg_header.frag_off = 0;

  999.   frag->msg_header.frag_len = s->d1->w_msg_hdr.msg_len;

  1000.   frag->msg_header.is_ccs = is_ccs;

  1001. 

  1002.   /* save current state*/

  1003.   frag->msg_header.saved_retransmit_state.aead_write_ctx = s->aead_write_ctx;

  1004.   frag->msg_header.saved_retransmit_state.session = s->session;

  1005.   frag->msg_header.saved_retransmit_state.epoch = s->d1->w_epoch;

  1006. 

  1007.   memset(seq64be, 0, sizeof(seq64be));

  1008.   seq64be[6] = (uint8_t)(

  1009.       dtls1_get_queue_priority(frag->msg_header.seq, frag->msg_header.is_ccs) >>

  1010.       8);

  1011.   seq64be[7] = (uint8_t)(

  1012.       dtls1_get_queue_priority(frag->msg_header.seq, frag->msg_header.is_ccs));

  1013. 

  1014.   item = pitem_new(seq64be, frag);

  1015.   if (item == NULL) {

  1016.     dtls1_hm_fragment_free(frag);

  1017.     return 0;

  1018.   }

  1019. 

  1020.   pqueue_insert(s->d1->sent_messages, item);

  1021.   return 1;

  1022. }

  1023. 

  1024. int dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,

  1025.                              int *found) {

  1026.   int ret;

  1027.   /* XDTLS: for now assuming that read/writes are blocking */

  1028.   pitem *item;

  1029.   hm_fragment *frag;

  1030.   unsigned long header_length;

  1031.   uint8_t seq64be[8];

  1032.   struct dtls1_retransmit_state saved_state;

  1033.   uint8_t save_write_sequence[8];

  1034. 

  1035.   /* assert(s->init_num == 0);

  1036.      assert(s->init_off == 0); */

  1037. 

  1038.   /* XDTLS:  the requested message ought to be found, otherwise error */

  1039.   memset(seq64be, 0, sizeof(seq64be));

  1040.   seq64be[6] = (uint8_t)(seq >> 8);

  1041.   seq64be[7] = (uint8_t)seq;

  1042. 

  1043.   item = pqueue_find(s->d1->sent_messages, seq64be);

  1044.   if (item == NULL) {

  1045.     fprintf(stderr, "retransmit:  message %d non-existant\n", seq);

  1046.     *found = 0;

  1047.     return 0;

  1048.   }

  1049. 

  1050.   *found = 1;

  1051.   frag = (hm_fragment *)item->data;

  1052. 

  1053.   if (frag->msg_header.is_ccs) {

  1054.     header_length = DTLS1_CCS_HEADER_LENGTH;

  1055.   } else {

  1056.     header_length = DTLS1_HM_HEADER_LENGTH;

  1057.   }

  1058. 

  1059.   memcpy(s->init_buf->data, frag->fragment,

  1060.          frag->msg_header.msg_len + header_length);

  1061.   s->init_num = frag->msg_header.msg_len + header_length;

  1062. 

  1063.   dtls1_set_message_header(s, frag->msg_header.type,

  1064.                            frag->msg_header.msg_len, frag->msg_header.seq,

  1065.                            0, frag->msg_header.frag_len);

  1066. 

  1067.   /* save current state */

  1068.   saved_state.aead_write_ctx = s->aead_write_ctx;

  1069.   saved_state.session = s->session;

  1070.   saved_state.epoch = s->d1->w_epoch;

  1071. 

  1072.   /* restore state in which the message was originally sent */

  1073.   s->aead_write_ctx = frag->msg_header.saved_retransmit_state.aead_write_ctx;

  1074.   s->session = frag->msg_header.saved_retransmit_state.session;

  1075.   s->d1->w_epoch = frag->msg_header.saved_retransmit_state.epoch;

  1076. 

  1077.   if (frag->msg_header.saved_retransmit_state.epoch == saved_state.epoch - 1) {

  1078.     memcpy(save_write_sequence, s->s3->write_sequence,

  1079.            sizeof(s->s3->write_sequence));

  1080.     memcpy(s->s3->write_sequence, s->d1->last_write_sequence,

  1081.            sizeof(s->s3->write_sequence));

  1082.   }

  1083. 

  1084.   ret = dtls1_do_write(s, frag->msg_header.is_ccs ? SSL3_RT_CHANGE_CIPHER_SPEC

  1085.                                                   : SSL3_RT_HANDSHAKE);

  1086. 

  1087.   /* restore current state */

  1088.   s->aead_write_ctx = saved_state.aead_write_ctx;

  1089.   s->session = saved_state.session;

  1090.   s->d1->w_epoch = saved_state.epoch;

  1091. 

  1092.   if (frag->msg_header.saved_retransmit_state.epoch == saved_state.epoch - 1) {

  1093.     memcpy(s->d1->last_write_sequence, s->s3->write_sequence,

  1094.            sizeof(s->s3->write_sequence));

  1095.     memcpy(s->s3->write_sequence, save_write_sequence,

  1096.            sizeof(s->s3->write_sequence));

  1097.   }

  1098. 

  1099.   (void)BIO_flush(SSL_get_wbio(s));

  1100.   return ret;

  1101. }

  1102. 

  1103. /* call this function when the buffered messages are no longer needed */

  1104. void dtls1_clear_record_buffer(SSL *s) {

  1105.   pitem *item;

  1106. 

  1107.   for (item = pqueue_pop(s->d1->sent_messages); item != NULL;

  1108.        item = pqueue_pop(s->d1->sent_messages)) {

  1109.     dtls1_hm_fragment_free((hm_fragment *)item->data);

  1110.     pitem_free(item);

  1111.   }

  1112. }

  1113. 

  1114. /* don't actually do the writing, wait till the MTU has been retrieved */

  1115. void dtls1_set_message_header(SSL *s, uint8_t mt, unsigned long len,

  1116.                               unsigned short seq_num, unsigned long frag_off,

  1117.                               unsigned long frag_len) {

  1118.   struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;

  1119. 

  1120.   msg_hdr->type = mt;

  1121.   msg_hdr->msg_len = len;

  1122.   msg_hdr->seq = seq_num;

  1123.   msg_hdr->frag_off = frag_off;

  1124.   msg_hdr->frag_len = frag_len;

  1125. }

  1126. 

  1127. static void dtls1_fix_message_header(SSL *s, unsigned long frag_off,

  1128.                                      unsigned long frag_len) {

  1129.   struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;

  1130. 

  1131.   msg_hdr->frag_off = frag_off;

  1132.   msg_hdr->frag_len = frag_len;

  1133. }

  1134. 

  1135. static uint8_t *dtls1_write_message_header(SSL *s, uint8_t *p) {

  1136.   struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;

  1137. 

  1138.   *p++ = msg_hdr->type;

  1139.   l2n3(msg_hdr->msg_len, p);

  1140. 

  1141.   s2n(msg_hdr->seq, p);

  1142.   l2n3(msg_hdr->frag_off, p);

  1143.   l2n3(msg_hdr->frag_len, p);

  1144. 

  1145.   return p;

  1146. }

  1147. 

  1148. unsigned int dtls1_min_mtu(void) {

  1149.   return kMinMTU;

  1150. }

  1151. 

  1152. void dtls1_get_message_header(uint8_t *data,

  1153.                               struct hm_header_st *msg_hdr) {

  1154.   memset(msg_hdr, 0x00, sizeof(struct hm_header_st));

  1155.   msg_hdr->type = *(data++);

  1156.   n2l3(data, msg_hdr->msg_len);

  1157. 

  1158.   n2s(data, msg_hdr->seq);

  1159.   n2l3(data, msg_hdr->frag_off);

  1160.   n2l3(data, msg_hdr->frag_len);

  1161. }

  1162. 

  1163. void dtls1_get_ccs_header(uint8_t *data, struct ccs_header_st *ccs_hdr) {

  1164.   memset(ccs_hdr, 0x00, sizeof(struct ccs_header_st));

  1165. 

  1166.   ccs_hdr->type = *(data++);

  1167. }

  1168. 

  1169. int dtls1_shutdown(SSL *s) {

  1170.   int ret;

  1171.   ret = ssl3_shutdown(s);

  1172.   return ret;

  1173. }