kris
/
boringssl
1
0
포크 0
코드 이슈 0 풀 리퀘스트 0 릴리즈 0 위키 활동
25개 이상의 토픽을 선택하실 수 없습니다. Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1026 커밋
12 브랜치
38 MiB
 
 
 
 
 
 
트리: b18f024816
브랜치 태그
${ item.name }
${ searchTerm } 브랜치 생성
from 'b18f024816'
${ noResults }
boringssl/ssl/d1_pkt.c

1134 lines
34 KiB
Raw Blame 히스토리 

  1. /* DTLS implementation written by Nagendra Modadugu

  2.  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. */

  3. /* ====================================================================

  4.  * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.

  5.  *

  6.  * Redistribution and use in source and binary forms, with or without

  7.  * modification, are permitted provided that the following conditions

  8.  * are met:

  9.  *

  10.  * 1. Redistributions of source code must retain the above copyright

  11.  *    notice, this list of conditions and the following disclaimer.

  12.  *

  13.  * 2. Redistributions in binary form must reproduce the above copyright

  14.  *    notice, this list of conditions and the following disclaimer in

  15.  *    the documentation and/or other materials provided with the

  16.  *    distribution.

  17.  *

  18.  * 3. All advertising materials mentioning features or use of this

  19.  *    software must display the following acknowledgment:

  20.  *    "This product includes software developed by the OpenSSL Project

  21.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  22.  *

  23.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  24.  *    endorse or promote products derived from this software without

  25.  *    prior written permission. For written permission, please contact

  26.  *    openssl-core@openssl.org.

  27.  *

  28.  * 5. Products derived from this software may not be called "OpenSSL"

  29.  *    nor may "OpenSSL" appear in their names without prior written

  30.  *    permission of the OpenSSL Project.

  31.  *

  32.  * 6. Redistributions of any form whatsoever must retain the following

  33.  *    acknowledgment:

  34.  *    "This product includes software developed by the OpenSSL Project

  35.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  36.  *

  37.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  38.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  39.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  40.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  41.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  42.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  43.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  44.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  45.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  46.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  47.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  48.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  49.  * ====================================================================

  50.  *

  51.  * This product includes cryptographic software written by Eric Young

  52.  * (eay@cryptsoft.com).  This product includes software written by Tim

  53.  * Hudson (tjh@cryptsoft.com).

  54.  *

  55.  */

  56. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  57.  * All rights reserved.

  58.  *

  59.  * This package is an SSL implementation written

  60.  * by Eric Young (eay@cryptsoft.com).

  61.  * The implementation was written so as to conform with Netscapes SSL.

  62.  *

  63.  * This library is free for commercial and non-commercial use as long as

  64.  * the following conditions are aheared to.  The following conditions

  65.  * apply to all code found in this distribution, be it the RC4, RSA,

  66.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  67.  * included with this distribution is covered by the same copyright terms

  68.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  69.  *

  70.  * Copyright remains Eric Young's, and as such any Copyright notices in

  71.  * the code are not to be removed.

  72.  * If this package is used in a product, Eric Young should be given attribution

  73.  * as the author of the parts of the library used.

  74.  * This can be in the form of a textual message at program startup or

  75.  * in documentation (online or textual) provided with the package.

  76.  *

  77.  * Redistribution and use in source and binary forms, with or without

  78.  * modification, are permitted provided that the following conditions

  79.  * are met:

  80.  * 1. Redistributions of source code must retain the copyright

  81.  *    notice, this list of conditions and the following disclaimer.

  82.  * 2. Redistributions in binary form must reproduce the above copyright

  83.  *    notice, this list of conditions and the following disclaimer in the

  84.  *    documentation and/or other materials provided with the distribution.

  85.  * 3. All advertising materials mentioning features or use of this software

  86.  *    must display the following acknowledgement:

  87.  *    "This product includes cryptographic software written by

  88.  *     Eric Young (eay@cryptsoft.com)"

  89.  *    The word 'cryptographic' can be left out if the rouines from the library

  90.  *    being used are not cryptographic related :-).

  91.  * 4. If you include any Windows specific code (or a derivative thereof) from

  92.  *    the apps directory (application code) you must include an acknowledgement:

  93.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  94.  *

  95.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  96.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  97.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  98.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  99.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  100.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  101.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  102.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  103.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  104.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  105.  * SUCH DAMAGE.

  106.  *

  107.  * The licence and distribution terms for any publically available version or

  108.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  109.  * copied and put under another distribution licence

  110.  * [including the GNU Public Licence.] */

  111. 

  112. #include <stdio.h>

  113. #include <errno.h>

  114. #include <assert.h>

  115. 

  116. #include <openssl/buf.h>

  117. #include <openssl/mem.h>

  118. #include <openssl/evp.h>

  119. #include <openssl/err.h>

  120. #include <openssl/rand.h>

  121. 

  122. #include "ssl_locl.h"

  123. 

  124. 

  125. /* mod 128 saturating subtract of two 64-bit values in big-endian order */

  126. static int satsub64be(const uint8_t *v1, const uint8_t *v2) {

  127.   int ret, sat, brw, i;

  128. 

  129.   if (sizeof(long) == 8) {

  130.     do {

  131.       const union {

  132.         long one;

  133.         char little;

  134.       } is_endian = {1};

  135.       long l;

  136. 

  137.       if (is_endian.little) {

  138.         break;

  139.       }

  140.       /* not reached on little-endians */

  141.       /* following test is redundant, because input is

  142.        * always aligned, but I take no chances... */

  143.       if (((size_t)v1 | (size_t)v2) & 0x7) {

  144.         break;

  145.       }

  146. 

  147.       l = *((long *)v1);

  148.       l -= *((long *)v2);

  149.       if (l > 128) {

  150.         return 128;

  151.       } else if (l < -128) {

  152.         return -128;

  153.       } else {

  154.         return (int)l;

  155.       }

  156.     } while (0);

  157.   }

  158. 

  159.   ret = (int)v1[7] - (int)v2[7];

  160.   sat = 0;

  161.   brw = ret >> 8; /* brw is either 0 or -1 */

  162.   if (ret & 0x80) {

  163.     for (i = 6; i >= 0; i--) {

  164.       brw += (int)v1[i] - (int)v2[i];

  165.       sat |= ~brw;

  166.       brw >>= 8;

  167.     }

  168.   } else {

  169.     for (i = 6; i >= 0; i--) {

  170.       brw += (int)v1[i] - (int)v2[i];

  171.       sat |= brw;

  172.       brw >>= 8;

  173.     }

  174.   }

  175.   brw <<= 8; /* brw is either 0 or -256 */

  176. 

  177.   if (sat & 0xff) {

  178.     return brw | 0x80;

  179.   } else {

  180.     return brw + (ret & 0xFF);

  181.   }

  182. }

  183. 

  184. static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap);

  185. static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);

  186. static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,

  187.                                       unsigned int *is_next_epoch);

  188. static int dtls1_buffer_record(SSL *s, record_pqueue *q,

  189.                                uint8_t *priority);

  190. static int dtls1_process_record(SSL *s);

  191. static int do_dtls1_write(SSL *s, int type, const uint8_t *buf,

  192.                           unsigned int len);

  193. 

  194. /* copy buffered record into SSL structure */

  195. static int dtls1_copy_record(SSL *s, pitem *item) {

  196.   DTLS1_RECORD_DATA *rdata;

  197. 

  198.   rdata = (DTLS1_RECORD_DATA *)item->data;

  199. 

  200.   if (s->s3->rbuf.buf != NULL) {

  201.     OPENSSL_free(s->s3->rbuf.buf);

  202.   }

  203. 

  204.   s->packet = rdata->packet;

  205.   s->packet_length = rdata->packet_length;

  206.   memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));

  207.   memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));

  208. 

  209.   /* Set proper sequence number for mac calculation */

  210.   memcpy(&(s->s3->read_sequence[2]), &(rdata->packet[5]), 6);

  211. 

  212.   return 1;

  213. }

  214. 

  215. static int dtls1_buffer_record(SSL *s, record_pqueue *queue,

  216.                                uint8_t *priority) {

  217.   DTLS1_RECORD_DATA *rdata;

  218.   pitem *item;

  219. 

  220.   /* Limit the size of the queue to prevent DOS attacks */

  221.   if (pqueue_size(queue->q) >= 100) {

  222.     return 0;

  223.   }

  224. 

  225.   rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));

  226.   item = pitem_new(priority, rdata);

  227.   if (rdata == NULL || item == NULL) {

  228.     if (rdata != NULL) {

  229.       OPENSSL_free(rdata);

  230.     }

  231.     if (item != NULL) {

  232.       pitem_free(item);

  233.     }

  234. 

  235.     OPENSSL_PUT_ERROR(SSL, dtls1_buffer_record, ERR_R_INTERNAL_ERROR);

  236.     return -1;

  237.   }

  238. 

  239.   rdata->packet = s->packet;

  240.   rdata->packet_length = s->packet_length;

  241.   memcpy(&(rdata->rbuf), &(s->s3->rbuf), sizeof(SSL3_BUFFER));

  242.   memcpy(&(rdata->rrec), &(s->s3->rrec), sizeof(SSL3_RECORD));

  243. 

  244.   item->data = rdata;

  245. 

  246.   s->packet = NULL;

  247.   s->packet_length = 0;

  248.   memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));

  249.   memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD));

  250. 

  251.   if (!ssl3_setup_buffers(s)) {

  252.     goto internal_error;

  253.   }

  254. 

  255.   /* insert should not fail, since duplicates are dropped */

  256.   if (pqueue_insert(queue->q, item) == NULL) {

  257.     goto internal_error;

  258.   }

  259. 

  260.   return 1;

  261. 

  262. internal_error:

  263.   OPENSSL_PUT_ERROR(SSL, dtls1_buffer_record, ERR_R_INTERNAL_ERROR);

  264.   if (rdata->rbuf.buf != NULL) {

  265.     OPENSSL_free(rdata->rbuf.buf);

  266.   }

  267.   OPENSSL_free(rdata);

  268.   pitem_free(item);

  269.   return -1;

  270. }

  271. 

  272. static int dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) {

  273.   pitem *item;

  274. 

  275.   item = pqueue_pop(queue->q);

  276.   if (item) {

  277.     dtls1_copy_record(s, item);

  278. 

  279.     OPENSSL_free(item->data);

  280.     pitem_free(item);

  281. 

  282.     return 1;

  283.   }

  284. 

  285.   return 0;

  286. }

  287. 

  288. /* retrieve a buffered record that belongs to the new epoch, i.e., not

  289.  * processed yet */

  290. #define dtls1_get_unprocessed_record(s) \

  291.   dtls1_retrieve_buffered_record((s), &((s)->d1->unprocessed_rcds))

  292. 

  293. /* retrieve a buffered record that belongs to the current epoch, i.e.,

  294.  * processed */

  295. #define dtls1_get_processed_record(s) \

  296.   dtls1_retrieve_buffered_record((s), &((s)->d1->processed_rcds))

  297. 

  298. static int dtls1_process_buffered_records(SSL *s) {

  299.   pitem *item;

  300. 

  301.   item = pqueue_peek(s->d1->unprocessed_rcds.q);

  302.   if (item) {

  303.     /* Check if epoch is current. */

  304.     if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch) {

  305.       return 1; /* Nothing to do. */

  306.     }

  307. 

  308.     /* Process all the records. */

  309.     while (pqueue_peek(s->d1->unprocessed_rcds.q)) {

  310.       dtls1_get_unprocessed_record(s);

  311.       if (!dtls1_process_record(s)) {

  312.         return 0;

  313.       }

  314.       if (dtls1_buffer_record(s, &(s->d1->processed_rcds),

  315.                               s->s3->rrec.seq_num) < 0) {

  316.         return -1;

  317.       }

  318.     }

  319.   }

  320. 

  321.   /* sync epoch numbers once all the unprocessed records have been processed */

  322.   s->d1->processed_rcds.epoch = s->d1->r_epoch;

  323.   s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1;

  324. 

  325.   return 1;

  326. }

  327. 

  328. static int dtls1_process_record(SSL *s) {

  329.   int al;

  330.   SSL3_RECORD *rr;

  331. 

  332.   rr = &(s->s3->rrec);

  333. 

  334.   /* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length, and

  335.    * we have that many bytes in s->packet. */

  336.   rr->input = &(s->packet[DTLS1_RT_HEADER_LENGTH]);

  337. 

  338.   /* ok, we can now read from 's->packet' data into 'rr' rr->input points at

  339.    * rr->length bytes, which need to be copied into rr->data by either the

  340.    * decryption or by the decompression When the data is 'copied' into the

  341.    * rr->data buffer, rr->input will be pointed at the new buffer */

  342. 

  343.   /* We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length bytes

  344.    * of encrypted compressed stuff. */

  345. 

  346.   /* check is not needed I believe */

  347.   if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {

  348.     al = SSL_AD_RECORD_OVERFLOW;

  349.     OPENSSL_PUT_ERROR(SSL, dtls1_process_record,

  350.                       SSL_R_ENCRYPTED_LENGTH_TOO_LONG);

  351.     goto f_err;

  352.   }

  353. 

  354.   /* decrypt in place in 'rr->input' */

  355.   rr->data = rr->input;

  356. 

  357.   if (!s->enc_method->enc(s, 0)) {

  358.     /* Bad packets are silently dropped in DTLS. Clear the error queue of any

  359.      * errors decryption may have added. */

  360.     ERR_clear_error();

  361.     rr->length = 0;

  362.     s->packet_length = 0;

  363.     goto err;

  364.   }

  365. 

  366.   if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH) {

  367.     al = SSL_AD_RECORD_OVERFLOW;

  368.     OPENSSL_PUT_ERROR(SSL, dtls1_process_record, SSL_R_DATA_LENGTH_TOO_LONG);

  369.     goto f_err;

  370.   }

  371. 

  372.   rr->off = 0;

  373.   /* So at this point the following is true

  374.    * ssl->s3->rrec.type 	is the type of record

  375.    * ssl->s3->rrec.length	== number of bytes in record

  376.    * ssl->s3->rrec.off	== offset to first valid byte

  377.    * ssl->s3->rrec.data	== where to take bytes from, increment

  378.    *			   after use :-). */

  379. 

  380.   /* we have pulled in a full packet so zero things */

  381.   s->packet_length = 0;

  382.   return 1;

  383. 

  384. f_err:

  385.   ssl3_send_alert(s, SSL3_AL_FATAL, al);

  386. 

  387. err:

  388.   return 0;

  389. }

  390. 

  391. /* Call this to get a new input record.

  392.  * It will return <= 0 if more data is needed, normally due to an error

  393.  * or non-blocking IO.

  394.  * When it finishes, one packet has been decoded and can be found in

  395.  * ssl->s3->rrec.type    - is the type of record

  396.  * ssl->s3->rrec.data,   - data

  397.  * ssl->s3->rrec.length, - number of bytes

  398.  *

  399.  * used only by dtls1_read_bytes */

  400. int dtls1_get_record(SSL *s) {

  401.   int ssl_major, ssl_minor;

  402.   int i, n;

  403.   SSL3_RECORD *rr;

  404.   unsigned char *p = NULL;

  405.   unsigned short version;

  406.   DTLS1_BITMAP *bitmap;

  407.   unsigned int is_next_epoch;

  408. 

  409.   rr = &(s->s3->rrec);

  410. 

  411.   /* The epoch may have changed. If so, process all the pending records. This

  412.    * is a non-blocking operation. */

  413.   if (dtls1_process_buffered_records(s) < 0) {

  414.     return -1;

  415.   }

  416. 

  417.   /* If we're renegotiating, then there may be buffered records. */

  418.   if (dtls1_get_processed_record(s)) {

  419.     return 1;

  420.   }

  421. 

  422.   /* get something from the wire */

  423. again:

  424.   /* check if we have the header */

  425.   if ((s->rstate != SSL_ST_READ_BODY) ||

  426.       (s->packet_length < DTLS1_RT_HEADER_LENGTH)) {

  427.     n = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);

  428.     /* read timeout is handled by dtls1_read_bytes */

  429.     if (n <= 0) {

  430.       return n; /* error or non-blocking */

  431.     }

  432. 

  433.     /* this packet contained a partial record, dump it */

  434.     if (s->packet_length != DTLS1_RT_HEADER_LENGTH) {

  435.       s->packet_length = 0;

  436.       goto again;

  437.     }

  438. 

  439.     s->rstate = SSL_ST_READ_BODY;

  440. 

  441.     p = s->packet;

  442. 

  443.     if (s->msg_callback) {

  444.       s->msg_callback(0, 0, SSL3_RT_HEADER, p, DTLS1_RT_HEADER_LENGTH, s,

  445.                       s->msg_callback_arg);

  446.     }

  447. 

  448.     /* Pull apart the header into the DTLS1_RECORD */

  449.     rr->type = *(p++);

  450.     ssl_major = *(p++);

  451.     ssl_minor = *(p++);

  452.     version = (ssl_major << 8) | ssl_minor;

  453. 

  454.     /* sequence number is 64 bits, with top 2 bytes = epoch */

  455.     n2s(p, rr->epoch);

  456. 

  457.     memcpy(&(s->s3->read_sequence[2]), p, 6);

  458.     p += 6;

  459. 

  460.     n2s(p, rr->length);

  461. 

  462.     /* Lets check version */

  463.     if (s->s3->have_version) {

  464.       if (version != s->version) {

  465.         /* The record's version doesn't match, so silently drop it.

  466.          *

  467.          * TODO(davidben): This doesn't work. The DTLS record layer is not

  468.          * packet-based, so the remainder of the packet isn't dropped and we

  469.          * get a framing error. It's also unclear what it means to silently

  470.          * drop a record in a packet containing two records. */

  471.         rr->length = 0;

  472.         s->packet_length = 0;

  473.         goto again;

  474.       }

  475.     }

  476. 

  477.     if ((version & 0xff00) != (s->version & 0xff00)) {

  478.       /* wrong version, silently discard record */

  479.       rr->length = 0;

  480.       s->packet_length = 0;

  481.       goto again;

  482.     }

  483. 

  484.     if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) {

  485.       /* record too long, silently discard it */

  486.       rr->length = 0;

  487.       s->packet_length = 0;

  488.       goto again;

  489.     }

  490. 

  491.     /* now s->rstate == SSL_ST_READ_BODY */

  492.   }

  493. 

  494.   /* s->rstate == SSL_ST_READ_BODY, get and decode the data */

  495. 

  496.   if (rr->length > s->packet_length - DTLS1_RT_HEADER_LENGTH) {

  497.     /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */

  498.     i = rr->length;

  499.     n = ssl3_read_n(s, i, i, 1);

  500.     if (n <= 0) {

  501.       return n; /* error or non-blocking io */

  502.     }

  503. 

  504.     /* this packet contained a partial record, dump it */

  505.     if (n != i) {

  506.       rr->length = 0;

  507.       s->packet_length = 0;

  508.       goto again;

  509.     }

  510. 

  511.     /* now n == rr->length,

  512.      * and s->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length */

  513.   }

  514.   s->rstate = SSL_ST_READ_HEADER; /* set state for later operations */

  515. 

  516.   /* match epochs.  NULL means the packet is dropped on the floor */

  517.   bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);

  518.   if (bitmap == NULL) {

  519.     rr->length = 0;

  520.     s->packet_length = 0; /* dump this record */

  521.     goto again;           /* get another record */

  522.   }

  523. 

  524.   /* Check whether this is a repeat, or aged record. */

  525.   if (!dtls1_record_replay_check(s, bitmap)) {

  526.     rr->length = 0;

  527.     s->packet_length = 0; /* dump this record */

  528.     goto again;           /* get another record */

  529.   }

  530. 

  531.   /* just read a 0 length packet */

  532.   if (rr->length == 0) {

  533.     goto again;

  534.   }

  535. 

  536.   /* If this record is from the next epoch (either HM or ALERT),

  537.    * and a handshake is currently in progress, buffer it since it

  538.    * cannot be processed at this time.

  539.    */

  540.   if (is_next_epoch) {

  541.     if (SSL_in_init(s) || s->in_handshake) {

  542.       if (dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num) < 0) {

  543.         return -1;

  544.       }

  545.       dtls1_record_bitmap_update(s, bitmap); /* Mark receipt of record. */

  546.     }

  547.     rr->length = 0;

  548.     s->packet_length = 0;

  549.     goto again;

  550.   }

  551. 

  552.   if (!dtls1_process_record(s)) {

  553.     rr->length = 0;

  554.     s->packet_length = 0; /* dump this record */

  555.     goto again;           /* get another record */

  556.   }

  557.   dtls1_record_bitmap_update(s, bitmap); /* Mark receipt of record. */

  558. 

  559.   return 1;

  560. }

  561. 

  562. /* Return up to 'len' payload bytes received in 'type' records.

  563.  * 'type' is one of the following:

  564.  *

  565.  *   -  SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)

  566.  *   -  SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)

  567.  *   -  0 (during a shutdown, no data has to be returned)

  568.  *

  569.  * If we don't have stored data to work from, read a SSL/TLS record first

  570.  * (possibly multiple records if we still don't have anything to return).

  571.  *

  572.  * This function must handle any surprises the peer may have for us, such as

  573.  * Alert records (e.g. close_notify), ChangeCipherSpec records (not really

  574.  * a surprise, but handled as if it were), or renegotiation requests.

  575.  * Also if record payloads contain fragments too small to process, we store

  576.  * them until there is enough for the respective protocol (the record protocol

  577.  * may use arbitrary fragmentation and even interleaving):

  578.  *     Change cipher spec protocol

  579.  *             just 1 byte needed, no need for keeping anything stored

  580.  *     Alert protocol

  581.  *             2 bytes needed (AlertLevel, AlertDescription)

  582.  *     Handshake protocol

  583.  *             4 bytes needed (HandshakeType, uint24 length) -- we just have

  584.  *             to detect unexpected Client Hello and Hello Request messages

  585.  *             here, anything else is handled by higher layers

  586.  *     Application data protocol

  587.  *             none of our business

  588.  */

  589. int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) {

  590.   int al, i, ret;

  591.   unsigned int n;

  592.   SSL3_RECORD *rr;

  593.   void (*cb)(const SSL *ssl, int type2, int val) = NULL;

  594. 

  595.   /* XXX: check what the second '&& type' is about */

  596.   if ((type && (type != SSL3_RT_APPLICATION_DATA) &&

  597.        (type != SSL3_RT_HANDSHAKE) && type) ||

  598.       (peek && (type != SSL3_RT_APPLICATION_DATA))) {

  599.     OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, ERR_R_INTERNAL_ERROR);

  600.     return -1;

  601.   }

  602. 

  603.   if (!s->in_handshake && SSL_in_init(s)) {

  604.     /* type == SSL3_RT_APPLICATION_DATA */

  605.     i = s->handshake_func(s);

  606.     if (i < 0) {

  607.       return i;

  608.     }

  609.     if (i == 0) {

  610.       OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, SSL_R_SSL_HANDSHAKE_FAILURE);

  611.       return -1;

  612.     }

  613.   }

  614. 

  615.   if (s->s3->rbuf.buf == NULL && !ssl3_setup_buffers(s)) {

  616.     /* TODO(davidben): Is this redundant with the calls in the handshake? */

  617.     return -1;

  618.   }

  619. 

  620. start:

  621.   s->rwstate = SSL_NOTHING;

  622. 

  623.   /* s->s3->rrec.type     - is the type of record

  624.    * s->s3->rrec.data     - data

  625.    * s->s3->rrec.off      - offset into 'data' for next read

  626.    * s->s3->rrec.length   - number of bytes. */

  627.   rr = &s->s3->rrec;

  628. 

  629.   /* We are not handshaking and have no data yet,

  630.    * so process data buffered during the last handshake

  631.    * in advance, if any.

  632.    */

  633.   if (s->state == SSL_ST_OK && rr->length == 0) {

  634.     pitem *item;

  635.     item = pqueue_pop(s->d1->buffered_app_data.q);

  636.     if (item) {

  637.       dtls1_copy_record(s, item);

  638. 

  639.       OPENSSL_free(item->data);

  640.       pitem_free(item);

  641.     }

  642.   }

  643. 

  644.   /* Check for timeout */

  645.   if (dtls1_handle_timeout(s) > 0) {

  646.     goto start;

  647.   }

  648. 

  649.   /* get new packet if necessary */

  650.   if (rr->length == 0 || s->rstate == SSL_ST_READ_BODY) {

  651.     ret = dtls1_get_record(s);

  652.     if (ret <= 0) {

  653.       ret = dtls1_read_failed(s, ret);

  654.       /* anything other than a timeout is an error */

  655.       if (ret <= 0) {

  656.         return ret;

  657.       } else {

  658.         goto start;

  659.       }

  660.     }

  661.   }

  662. 

  663.   /* we now have a packet which can be read and processed */

  664. 

  665.   /* |change_cipher_spec is set when we receive a ChangeCipherSpec and reset by

  666.    * ssl3_get_finished. */

  667.   if (s->s3->change_cipher_spec && rr->type != SSL3_RT_HANDSHAKE) {

  668.     /* We now have application data between CCS and Finished. Most likely the

  669.      * packets were reordered on their way, so buffer the application data for

  670.      * later processing rather than dropping the connection. */

  671.     if (dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num) < 0) {

  672.       OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, ERR_R_INTERNAL_ERROR);

  673.       return -1;

  674.     }

  675.     rr->length = 0;

  676.     goto start;

  677.   }

  678. 

  679.   /* If the other end has shut down, throw anything we read away (even in

  680.    * 'peek' mode) */

  681.   if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {

  682.     rr->length = 0;

  683.     s->rwstate = SSL_NOTHING;

  684.     return 0;

  685.   }

  686. 

  687. 

  688.   if (type == rr->type) { /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */

  689.     /* make sure that we are not getting application data when we

  690.      * are doing a handshake for the first time */

  691.     if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&

  692.         (s->aead_read_ctx == NULL)) {

  693.       /* TODO(davidben): Is this check redundant with the handshake_func

  694.        * check? */

  695.       al = SSL_AD_UNEXPECTED_MESSAGE;

  696.       OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, SSL_R_APP_DATA_IN_HANDSHAKE);

  697.       goto f_err;

  698.     }

  699. 

  700.     if (len <= 0) {

  701.       return len;

  702.     }

  703. 

  704.     if ((unsigned int)len > rr->length) {

  705.       n = rr->length;

  706.     } else {

  707.       n = (unsigned int)len;

  708.     }

  709. 

  710.     memcpy(buf, &(rr->data[rr->off]), n);

  711.     if (!peek) {

  712.       rr->length -= n;

  713.       rr->off += n;

  714.       if (rr->length == 0) {

  715.         s->rstate = SSL_ST_READ_HEADER;

  716.         rr->off = 0;

  717.       }

  718.     }

  719. 

  720.     return n;

  721.   }

  722. 

  723.   /* If we get here, then type != rr->type. */

  724. 

  725.   /* If an alert record, process one alert out of the record. Note that we allow

  726.    * a single record to contain multiple alerts. */

  727.   if (rr->type == SSL3_RT_ALERT) {

  728.     /* Alerts may not be fragmented. */

  729.     if (rr->length < 2) {

  730.       al = SSL_AD_DECODE_ERROR;

  731.       OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_BAD_ALERT);

  732.       goto f_err;

  733.     }

  734. 

  735.     if (s->msg_callback) {

  736.       s->msg_callback(0, s->version, SSL3_RT_ALERT, &rr->data[rr->off], 2, s,

  737.                       s->msg_callback_arg);

  738.     }

  739.     const uint8_t alert_level = rr->data[rr->off++];

  740.     const uint8_t alert_descr = rr->data[rr->off++];

  741.     rr->length -= 2;

  742. 

  743.     if (s->info_callback != NULL) {

  744.       cb = s->info_callback;

  745.     } else if (s->ctx->info_callback != NULL) {

  746.       cb = s->ctx->info_callback;

  747.     }

  748. 

  749.     if (cb != NULL) {

  750.       uint16_t alert = (alert_level << 8) | alert_descr;

  751.       cb(s, SSL_CB_READ_ALERT, alert);

  752.     }

  753. 

  754.     if (alert_level == SSL3_AL_WARNING) {

  755.       s->s3->warn_alert = alert_descr;

  756.       if (alert_descr == SSL_AD_CLOSE_NOTIFY) {

  757.         s->shutdown |= SSL_RECEIVED_SHUTDOWN;

  758.         return 0;

  759.       }

  760.     } else if (alert_level == SSL3_AL_FATAL) {

  761.       char tmp[16];

  762. 

  763.       s->rwstate = SSL_NOTHING;

  764.       s->s3->fatal_alert = alert_descr;

  765.       OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes,

  766.                         SSL_AD_REASON_OFFSET + alert_descr);

  767.       BIO_snprintf(tmp, sizeof tmp, "%d", alert_descr);

  768.       ERR_add_error_data(2, "SSL alert number ", tmp);

  769.       s->shutdown |= SSL_RECEIVED_SHUTDOWN;

  770.       SSL_CTX_remove_session(s->ctx, s->session);

  771.       return 0;

  772.     } else {

  773.       al = SSL_AD_ILLEGAL_PARAMETER;

  774.       OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, SSL_R_UNKNOWN_ALERT_TYPE);

  775.       goto f_err;

  776.     }

  777. 

  778.     goto start;

  779.   }

  780. 

  781.   if (s->shutdown & SSL_SENT_SHUTDOWN) {

  782.     /* but we have not received a shutdown */

  783.     s->rwstate = SSL_NOTHING;

  784.     rr->length = 0;

  785.     return 0;

  786.   }

  787. 

  788.   if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) {

  789.     /* 'Change Cipher Spec' is just a single byte, so we know exactly what the

  790.      * record payload has to look like */

  791.     if (rr->length != 1 || rr->off != 0 || rr->data[0] != SSL3_MT_CCS) {

  792.       al = SSL_AD_ILLEGAL_PARAMETER;

  793.       OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, SSL_R_BAD_CHANGE_CIPHER_SPEC);

  794.       goto f_err;

  795.     }

  796. 

  797.     rr->length = 0;

  798. 

  799.     if (s->msg_callback) {

  800.       s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1, s,

  801.                       s->msg_callback_arg);

  802.     }

  803. 

  804.     /* We can't process a CCS now, because previous handshake

  805.      * messages are still missing, so just drop it.

  806.      */

  807.     if (!s->d1->change_cipher_spec_ok) {

  808.       goto start;

  809.     }

  810. 

  811.     s->d1->change_cipher_spec_ok = 0;

  812. 

  813.     s->s3->change_cipher_spec = 1;

  814.     if (!ssl3_do_change_cipher_spec(s)) {

  815.       goto err;

  816.     }

  817. 

  818.     /* do this whenever CCS is processed */

  819.     dtls1_reset_seq_numbers(s, SSL3_CC_READ);

  820. 

  821.     goto start;

  822.   }

  823. 

  824.   /* Unexpected handshake message. It may be a retransmitted Finished (the only

  825.    * post-CCS message). Otherwise, it's a pre-CCS handshake message from an

  826.    * unsupported renegotiation attempt. */

  827.   if (rr->type == SSL3_RT_HANDSHAKE && !s->in_handshake) {

  828.     if (rr->length < DTLS1_HM_HEADER_LENGTH) {

  829.       al = SSL_AD_DECODE_ERROR;

  830.       OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_BAD_HANDSHAKE_RECORD);

  831.       goto f_err;

  832.     }

  833.     struct hm_header_st msg_hdr;

  834.     dtls1_get_message_header(&rr->data[rr->off], &msg_hdr);

  835. 

  836.     /* Ignore a stray Finished from the previous handshake. */

  837.     if (msg_hdr.type == SSL3_MT_FINISHED) {

  838.       if (msg_hdr.frag_off == 0) {

  839.         /* Retransmit our last flight of messages. If the peer sends the second

  840.          * Finished, they may not have received ours. Only do this for the

  841.          * first fragment, in case the Finished was fragmented. */

  842.         if (dtls1_check_timeout_num(s) < 0) {

  843.           return -1;

  844.         }

  845. 

  846.         dtls1_retransmit_buffered_messages(s);

  847.       }

  848. 

  849.       rr->length = 0;

  850.       goto start;

  851.     }

  852.   }

  853. 

  854.   /* We already handled these. */

  855.   assert(rr->type != SSL3_RT_CHANGE_CIPHER_SPEC && rr->type != SSL3_RT_ALERT);

  856. 

  857.   al = SSL_AD_UNEXPECTED_MESSAGE;

  858.   OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, SSL_R_UNEXPECTED_RECORD);

  859. 

  860. f_err:

  861.   ssl3_send_alert(s, SSL3_AL_FATAL, al);

  862. err:

  863.   return -1;

  864. }

  865. 

  866. int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len) {

  867.   int i;

  868. 

  869.   if (SSL_in_init(s) && !s->in_handshake) {

  870.     i = s->handshake_func(s);

  871.     if (i < 0) {

  872.       return i;

  873.     }

  874.     if (i == 0) {

  875.       OPENSSL_PUT_ERROR(SSL, dtls1_write_app_data_bytes,

  876.                         SSL_R_SSL_HANDSHAKE_FAILURE);

  877.       return -1;

  878.     }

  879.   }

  880. 

  881.   if (len > SSL3_RT_MAX_PLAIN_LENGTH) {

  882.     OPENSSL_PUT_ERROR(SSL, dtls1_write_app_data_bytes,

  883.                       SSL_R_DTLS_MESSAGE_TOO_BIG);

  884.     return -1;

  885.   }

  886. 

  887.   i = dtls1_write_bytes(s, type, buf_, len);

  888.   return i;

  889. }

  890. 

  891. /* Call this to write data in records of type 'type' It will return <= 0 if not

  892.  * all data has been sent or non-blocking IO. */

  893. int dtls1_write_bytes(SSL *s, int type, const void *buf, int len) {

  894.   int i;

  895. 

  896.   assert(len <= SSL3_RT_MAX_PLAIN_LENGTH);

  897.   s->rwstate = SSL_NOTHING;

  898.   i = do_dtls1_write(s, type, buf, len);

  899.   return i;

  900. }

  901. 

  902. static int do_dtls1_write(SSL *s, int type, const uint8_t *buf,

  903.                           unsigned int len) {

  904.   uint8_t *p, *pseq;

  905.   int i;

  906.   int prefix_len = 0;

  907.   int eivlen = 0;

  908.   SSL3_RECORD *wr;

  909.   SSL3_BUFFER *wb;

  910. 

  911.   /* first check if there is a SSL3_BUFFER still being written

  912.    * out.  This will happen with non blocking IO */

  913.   if (s->s3->wbuf.left != 0) {

  914.     assert(0); /* XDTLS:  want to see if we ever get here */

  915.     return ssl3_write_pending(s, type, buf, len);

  916.   }

  917. 

  918.   /* If we have an alert to send, lets send it */

  919.   if (s->s3->alert_dispatch) {

  920.     i = s->method->ssl_dispatch_alert(s);

  921.     if (i <= 0) {

  922.       return i;

  923.     }

  924.     /* if it went, fall through and send more stuff */

  925.   }

  926. 

  927.   if (len == 0) {

  928.     return 0;

  929.   }

  930. 

  931.   wr = &(s->s3->wrec);

  932.   wb = &(s->s3->wbuf);

  933. 

  934.   p = wb->buf + prefix_len;

  935. 

  936.   /* write the header */

  937. 

  938.   *(p++) = type & 0xff;

  939.   wr->type = type;

  940.   /* Special case: for hello verify request, client version 1.0 and

  941.    * we haven't decided which version to use yet send back using

  942.    * version 1.0 header: otherwise some clients will ignore it.

  943.    */

  944.   if (!s->s3->have_version) {

  945.     *(p++) = DTLS1_VERSION >> 8;

  946.     *(p++) = DTLS1_VERSION & 0xff;

  947.   } else {

  948.     *(p++) = s->version >> 8;

  949.     *(p++) = s->version & 0xff;

  950.   }

  951. 

  952.   /* field where we are to write out packet epoch, seq num and len */

  953.   pseq = p;

  954.   p += 10;

  955. 

  956.   /* Leave room for the variable nonce for AEADs which specify it explicitly. */

  957.   if (s->aead_write_ctx != NULL &&

  958.       s->aead_write_ctx->variable_nonce_included_in_record) {

  959.     eivlen = s->aead_write_ctx->variable_nonce_len;

  960.   }

  961. 

  962.   /* lets setup the record stuff. */

  963.   wr->data = p + eivlen; /* make room for IV in case of CBC */

  964.   wr->length = (int)len;

  965.   wr->input = (unsigned char *)buf;

  966. 

  967.   /* we now 'read' from wr->input, wr->length bytes into wr->data */

  968.   memcpy(wr->data, wr->input, wr->length);

  969.   wr->input = wr->data;

  970. 

  971.   /* this is true regardless of mac size */

  972.   wr->input = p;

  973.   wr->data = p;

  974.   wr->length += eivlen;

  975. 

  976.   if (!s->enc_method->enc(s, 1)) {

  977.     goto err;

  978.   }

  979. 

  980.   /* there's only one epoch between handshake and app data */

  981.   s2n(s->d1->w_epoch, pseq);

  982. 

  983.   memcpy(pseq, &(s->s3->write_sequence[2]), 6);

  984.   pseq += 6;

  985.   s2n(wr->length, pseq);

  986. 

  987.   if (s->msg_callback) {

  988.     s->msg_callback(1, 0, SSL3_RT_HEADER, pseq - DTLS1_RT_HEADER_LENGTH,

  989.                     DTLS1_RT_HEADER_LENGTH, s, s->msg_callback_arg);

  990.   }

  991. 

  992.   /* we should now have wr->data pointing to the encrypted data, which is

  993.    * wr->length long */

  994.   wr->type = type; /* not needed but helps for debugging */

  995.   wr->length += DTLS1_RT_HEADER_LENGTH;

  996. 

  997.   ssl3_record_sequence_update(&(s->s3->write_sequence[0]));

  998. 

  999.   /* now let's set up wb */

  1000.   wb->left = prefix_len + wr->length;

  1001.   wb->offset = 0;

  1002. 

  1003.   /* memorize arguments so that ssl3_write_pending can detect bad write retries

  1004.    * later */

  1005.   s->s3->wpend_tot = len;

  1006.   s->s3->wpend_buf = buf;

  1007.   s->s3->wpend_type = type;

  1008.   s->s3->wpend_ret = len;

  1009. 

  1010.   /* we now just need to write the buffer */

  1011.   return ssl3_write_pending(s, type, buf, len);

  1012. 

  1013. err:

  1014.   return -1;

  1015. }

  1016. 

  1017. static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap) {

  1018.   int cmp;

  1019.   unsigned int shift;

  1020.   const uint8_t *seq = s->s3->read_sequence;

  1021. 

  1022.   cmp = satsub64be(seq, bitmap->max_seq_num);

  1023.   if (cmp > 0) {

  1024.     memcpy(s->s3->rrec.seq_num, seq, 8);

  1025.     return 1; /* this record in new */

  1026.   }

  1027.   shift = -cmp;

  1028.   if (shift >= sizeof(bitmap->map) * 8) {

  1029.     return 0; /* stale, outside the window */

  1030.   } else if (bitmap->map & (((uint64_t)1) << shift)) {

  1031.     return 0; /* record previously received */

  1032.   }

  1033. 

  1034.   memcpy(s->s3->rrec.seq_num, seq, 8);

  1035.   return 1;

  1036. }

  1037. 

  1038. static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap) {

  1039.   int cmp;

  1040.   unsigned int shift;

  1041.   const uint8_t *seq = s->s3->read_sequence;

  1042. 

  1043.   cmp = satsub64be(seq, bitmap->max_seq_num);

  1044.   if (cmp > 0) {

  1045.     shift = cmp;

  1046.     if (shift < sizeof(bitmap->map) * 8) {

  1047.       bitmap->map <<= shift, bitmap->map |= 1UL;

  1048.     } else {

  1049.       bitmap->map = 1UL;

  1050.     }

  1051.     memcpy(bitmap->max_seq_num, seq, 8);

  1052.   } else {

  1053.     shift = -cmp;

  1054.     if (shift < sizeof(bitmap->map) * 8) {

  1055.       bitmap->map |= ((uint64_t)1) << shift;

  1056.     }

  1057.   }

  1058. }

  1059. 

  1060. int dtls1_dispatch_alert(SSL *s) {

  1061.   int i, j;

  1062.   void (*cb)(const SSL *ssl, int type, int val) = NULL;

  1063.   uint8_t buf[DTLS1_AL_HEADER_LENGTH];

  1064.   uint8_t *ptr = &buf[0];

  1065. 

  1066.   s->s3->alert_dispatch = 0;

  1067. 

  1068.   memset(buf, 0x00, sizeof(buf));

  1069.   *ptr++ = s->s3->send_alert[0];

  1070.   *ptr++ = s->s3->send_alert[1];

  1071. 

  1072.   i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf));

  1073.   if (i <= 0) {

  1074.     s->s3->alert_dispatch = 1;

  1075.   } else {

  1076.     if (s->s3->send_alert[0] == SSL3_AL_FATAL) {

  1077.       (void)BIO_flush(s->wbio);

  1078.     }

  1079. 

  1080.     if (s->msg_callback) {

  1081.       s->msg_callback(1, s->version, SSL3_RT_ALERT, s->s3->send_alert, 2, s,

  1082.                       s->msg_callback_arg);

  1083.     }

  1084. 

  1085.     if (s->info_callback != NULL) {

  1086.       cb = s->info_callback;

  1087.     } else if (s->ctx->info_callback != NULL) {

  1088.       cb = s->ctx->info_callback;

  1089.     }

  1090. 

  1091.     if (cb != NULL) {

  1092.       j = (s->s3->send_alert[0] << 8) | s->s3->send_alert[1];

  1093.       cb(s, SSL_CB_WRITE_ALERT, j);

  1094.     }

  1095.   }

  1096. 

  1097.   return i;

  1098. }

  1099. 

  1100. static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,

  1101.                                       unsigned int *is_next_epoch) {

  1102.   *is_next_epoch = 0;

  1103. 

  1104.   /* In current epoch, accept HM, CCS, DATA, & ALERT */

  1105.   if (rr->epoch == s->d1->r_epoch) {

  1106.     return &s->d1->bitmap;

  1107.   } else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) &&

  1108.              (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) {

  1109.     /* Only HM and ALERT messages can be from the next epoch */

  1110.     *is_next_epoch = 1;

  1111.     return &s->d1->next_bitmap;

  1112.   }

  1113. 

  1114.   return NULL;

  1115. }

  1116. 

  1117. void dtls1_reset_seq_numbers(SSL *s, int rw) {

  1118.   uint8_t *seq;

  1119.   unsigned int seq_bytes = sizeof(s->s3->read_sequence);

  1120. 

  1121.   if (rw & SSL3_CC_READ) {

  1122.     seq = s->s3->read_sequence;

  1123.     s->d1->r_epoch++;

  1124.     memcpy(&(s->d1->bitmap), &(s->d1->next_bitmap), sizeof(DTLS1_BITMAP));

  1125.     memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP));

  1126.   } else {

  1127.     seq = s->s3->write_sequence;

  1128.     memcpy(s->d1->last_write_sequence, seq, sizeof(s->s3->write_sequence));

  1129.     s->d1->w_epoch++;

  1130.   }

  1131. 

  1132.   memset(seq, 0x00, seq_bytes);

  1133. }