Add DTLS support.

1 files changed, 1707 insertions, 0 deletions

diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
new file mode 100644
index 0000000000..4b3aabcfa7
--- /dev/null
+++ b/ssl/d1_pkt.c
@@ -0,0 +1,1707 @@
+/* ssl/d1_pkt.c */
+/* 
+ * DTLS implementation written by Nagendra Modadugu
+ * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.  
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdio.h>
+#include <errno.h>
+#define USE_SOCKETS
+#include "ssl_locl.h"
+#include <openssl/evp.h>
+#include <openssl/buffer.h>
+#include <openssl/pqueue.h>
+
+static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, 
+	int len, int peek);
+static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap,
+	unsigned long long *seq_num);
+static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);
+static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, 
+    unsigned int *is_next_epoch);
+#if 0
+static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
+	unsigned short *priority, unsigned long *offset);
+#endif
+static int dtls1_buffer_record(SSL *s, record_pqueue *q,
+	unsigned long long priority);
+static int dtls1_process_record(SSL *s);
+static unsigned long long bytes_to_long_long(unsigned char *bytes);
+static void long_long_to_bytes(unsigned long long num, unsigned char *bytes);
+static void dtls1_clear_timeouts(SSL *s);
+
+
+/* copy buffered record into SSL structure */
+static int
+dtls1_copy_record(SSL *s, pitem *item)
+    {
+    DTLS1_RECORD_DATA *rdata;
+
+    rdata = (DTLS1_RECORD_DATA *)item->data;
+    
+    if (s->s3->rbuf.buf != NULL)
+        OPENSSL_free(s->s3->rbuf.buf);
+    
+    s->packet = rdata->packet;
+    s->packet_length = rdata->packet_length;
+    memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
+    memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
+    
+    return(1);
+    }
+
+
+static int
+dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned long long priority)
+{
+    DTLS1_RECORD_DATA *rdata;
+	pitem *item;
+
+	rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
+	item = pitem_new(priority, rdata);
+	if (rdata == NULL || item == NULL)
+		{
+		if (rdata != NULL) OPENSSL_free(rdata);
+		if (item != NULL) pitem_free(item);
+		
+		SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR);
+		return(0);
+		}
+	
+	rdata->packet = s->packet;
+	rdata->packet_length = s->packet_length;
+	memcpy(&(rdata->rbuf), &(s->s3->rbuf), sizeof(SSL3_BUFFER));
+	memcpy(&(rdata->rrec), &(s->s3->rrec), sizeof(SSL3_RECORD));
+
+	item->data = rdata;
+
+	/* insert should not fail, since duplicates are dropped */
+	if (pqueue_insert(queue->q, item) == NULL)
+		{
+		OPENSSL_free(rdata);
+		pitem_free(item);
+		return(0);
+		}
+
+	s->packet = NULL;
+	s->packet_length = 0;
+	memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));
+	memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD));
+	
+	ssl3_setup_buffers(s);
+	
+	return(1);
+    }
+
+
+static int
+dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue)
+    {
+    pitem *item;
+
+    item = pqueue_pop(queue->q);
+    if (item)
+        {
+        dtls1_copy_record(s, item);
+
+        OPENSSL_free(item->data);
+		pitem_free(item);
+
+        return(1);
+        }
+
+    return(0);
+    }
+
+
+/* retrieve a buffered record that belongs to the new epoch, i.e., not processed 
+ * yet */
+#define dtls1_get_unprocessed_record(s) \
+                   dtls1_retrieve_buffered_record((s), \
+                   &((s)->d1->unprocessed_rcds))
+
+/* retrieve a buffered record that belongs to the current epoch, ie, processed */
+#define dtls1_get_processed_record(s) \
+                   dtls1_retrieve_buffered_record((s), \
+                   &((s)->d1->processed_rcds))
+
+static int
+dtls1_process_buffered_records(SSL *s)
+    {
+    pitem *item;
+    
+    item = pqueue_peek(s->d1->unprocessed_rcds.q);
+    if (item)
+        {
+        DTLS1_RECORD_DATA *rdata;
+        rdata = (DTLS1_RECORD_DATA *)item->data;
+        
+        /* Check if epoch is current. */
+        if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch)
+            return(1);  /* Nothing to do. */
+        
+        /* Process all the records. */
+        while (pqueue_peek(s->d1->unprocessed_rcds.q))
+            {
+            dtls1_get_unprocessed_record(s);
+            if ( ! dtls1_process_record(s))
+                return(0);
+            dtls1_buffer_record(s, &(s->d1->processed_rcds), 
+                s->s3->rrec.seq_num);
+            }
+        }
+
+    /* sync epoch numbers once all the unprocessed records 
+     * have been processed */
+    s->d1->processed_rcds.epoch = s->d1->r_epoch;
+    s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1;
+
+    return(1);
+    }
+
+
+#if 0
+
+static int
+dtls1_get_buffered_record(SSL *s)
+	{
+	pitem *item;
+	unsigned long long priority = 
+		(((unsigned long long)s->d1->handshake_read_seq) << 32) | 
+		((unsigned long long)s->d1->r_msg_hdr.frag_off);
+	
+	if ( ! SSL_in_init(s))  /* if we're not (re)negotiating, 
+							   nothing buffered */
+		return 0;
+
+
+	item = pqueue_peek(s->d1->rcvd_records);
+	if (item && item->priority == priority)
+		{
+		/* Check if we've received the record of interest.  It must be
+		 * a handshake record, since data records as passed up without
+		 * buffering */
+		DTLS1_RECORD_DATA *rdata;
+		item = pqueue_pop(s->d1->rcvd_records);
+		rdata = (DTLS1_RECORD_DATA *)item->data;
+		
+		if (s->s3->rbuf.buf != NULL)
+			OPENSSL_free(s->s3->rbuf.buf);
+		
+		s->packet = rdata->packet;
+		s->packet_length = rdata->packet_length;
+		memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
+		memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
+		
+		OPENSSL_free(item->data);
+		pitem_free(item);
+		
+		/* s->d1->next_expected_seq_num++; */
+		return(1);
+		}
+	
+	return 0;
+	}
+
+#endif
+
+static int
+dtls1_process_record(SSL *s)
+{
+    int i,al;
+	int clear=0;
+    int enc_err;
+	SSL_SESSION *sess;
+    SSL3_RECORD *rr;
+	unsigned int mac_size;
+	unsigned char md[EVP_MAX_MD_SIZE];
+
+
+	rr= &(s->s3->rrec);
+    sess = s->session;
+
+	/* At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
+	 * and we have that many bytes in s->packet
+	 */
+	rr->input= &(s->packet[DTLS1_RT_HEADER_LENGTH]);
+
+	/* ok, we can now read from 's->packet' data into 'rr'
+	 * rr->input points at rr->length bytes, which
+	 * need to be copied into rr->data by either
+	 * the decryption or by the decompression
+	 * When the data is 'copied' into the rr->data buffer,
+	 * rr->input will be pointed at the new buffer */ 
+
+	/* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
+	 * rr->length bytes of encrypted compressed stuff. */
+
+	/* check is not needed I believe */
+	if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH)
+		{
+		al=SSL_AD_RECORD_OVERFLOW;
+		SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
+		goto f_err;
+		}
+
+	/* decrypt in place in 'rr->input' */
+	rr->data=rr->input;
+
+	enc_err = s->method->ssl3_enc->enc(s,0);
+	if (enc_err <= 0)
+		{
+		if (enc_err == 0)
+			/* SSLerr() and ssl3_send_alert() have been called */
+			goto err;
+
+		/* otherwise enc_err == -1 */
+		goto decryption_failed_or_bad_record_mac;
+		}
+
+#ifdef TLS_DEBUG
+printf("dec %d\n",rr->length);
+{ unsigned int z; for (z=0; z<rr->length; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); }
+printf("\n");
+#endif
+
+	/* r->length is now the compressed data plus mac */
+if (	(sess == NULL) ||
+		(s->enc_read_ctx == NULL) ||
+		(s->read_hash == NULL))
+    clear=1;
+
+	if (!clear)
+		{
+		mac_size=EVP_MD_size(s->read_hash);
+
+		if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
+			{
+#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
+			al=SSL_AD_RECORD_OVERFLOW;
+			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
+			goto f_err;
+#else
+			goto decryption_failed_or_bad_record_mac;
+#endif			
+			}
+		/* check the MAC for rr->input (it's in mac_size bytes at the tail) */
+		if (rr->length < mac_size)
+			{
+#if 0 /* OK only for stream ciphers */
+			al=SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
+			goto f_err;
+#else
+			goto decryption_failed_or_bad_record_mac;
+#endif
+			}
+		rr->length-=mac_size;
+		i=s->method->ssl3_enc->mac(s,md,0);
+		if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
+			{
+			goto decryption_failed_or_bad_record_mac;
+			}
+		}
+
+	/* r->length is now just compressed */
+	if (s->expand != NULL)
+		{
+		if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH)
+			{
+			al=SSL_AD_RECORD_OVERFLOW;
+			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
+			goto f_err;
+			}
+		if (!ssl3_do_uncompress(s))
+			{
+			al=SSL_AD_DECOMPRESSION_FAILURE;
+			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION);
+			goto f_err;
+			}
+		}
+
+	if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH)
+		{
+		al=SSL_AD_RECORD_OVERFLOW;
+		SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
+		goto f_err;
+		}
+
+	rr->off=0;
+	/* So at this point the following is true
+	 * ssl->s3->rrec.type 	is the type of record
+	 * ssl->s3->rrec.length	== number of bytes in record
+	 * ssl->s3->rrec.off	== offset to first valid byte
+	 * ssl->s3->rrec.data	== where to take bytes from, increment
+	 *			   after use :-).
+	 */
+
+	/* we have pulled in a full packet so zero things */
+	s->packet_length=0;
+    dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */
+    return(1);
+
+decryption_failed_or_bad_record_mac:
+	/* Separate 'decryption_failed' alert was introduced with TLS 1.0,
+	 * SSL 3.0 only has 'bad_record_mac'.  But unless a decryption
+	 * failure is directly visible from the ciphertext anyway,
+	 * we should not reveal which kind of error occured -- this
+	 * might become visible to an attacker (e.g. via logfile) */
+	al=SSL_AD_BAD_RECORD_MAC;
+	SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
+f_err:
+	ssl3_send_alert(s,SSL3_AL_FATAL,al);
+err:
+	return(0);
+}
+
+
+/* Call this to get a new input record.
+ * It will return <= 0 if more data is needed, normally due to an error
+ * or non-blocking IO.
+ * When it finishes, one packet has been decoded and can be found in
+ * ssl->s3->rrec.type    - is the type of record
+ * ssl->s3->rrec.data, 	 - data
+ * ssl->s3->rrec.length, - number of bytes
+ */
+/* used only by dtls1_read_bytes */
+int dtls1_get_record(SSL *s)
+	{
+	int ssl_major,ssl_minor,al;
+	int i,n;
+	SSL3_RECORD *rr;
+	SSL_SESSION *sess;
+	unsigned char *p;
+	short version;
+	DTLS1_BITMAP *bitmap;
+	unsigned long long read_sequence;
+    unsigned int is_next_epoch;
+
+	rr= &(s->s3->rrec);
+	sess=s->session;
+
+    /* The epoch may have changed.  If so, process all the
+     * pending records.  This is a non-blocking operation. */
+    if ( ! dtls1_process_buffered_records(s))
+        return 0;
+
+	/* if we're renegotiating, then there may be buffered records */
+	if (dtls1_get_processed_record(s))
+		return 1;
+
+	/* get something from the wire */
+again:
+	/* check if we have the header */
+	if (	(s->rstate != SSL_ST_READ_BODY) ||
+		(s->packet_length < DTLS1_RT_HEADER_LENGTH)) 
+		{
+		n=ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
+		/* read timeout is handled by dtls1_read_bytes */
+		if (n <= 0) return(n); /* error or non-blocking */
+
+		OPENSSL_assert(s->packet_length == DTLS1_RT_HEADER_LENGTH);
+
+		s->rstate=SSL_ST_READ_BODY;
+
+		p=s->packet;
+
+		/* Pull apart the header into the DTLS1_RECORD */
+		rr->type= *(p++);
+		ssl_major= *(p++);
+		ssl_minor= *(p++);
+		version=(ssl_major<<8)|ssl_minor;
+
+        /* sequence number is 64 bits, with top 2 bytes = epoch */ 
+		n2s(p,rr->epoch);
+
+		read_sequence = 0;
+		n2l6(p, read_sequence);
+		long_long_to_bytes(read_sequence, s->s3->read_sequence);
+		n2s(p,rr->length);
+
+		/* Lets check version */
+		if (s->first_packet)
+			{
+			s->first_packet=0;
+			}
+		else
+			{
+			if (version != s->version)
+				{
+				SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
+				/* Send back error using their
+				 * version number :-) */
+				s->version=version;
+				al=SSL_AD_PROTOCOL_VERSION;
+				goto f_err;
+				}
+			}
+
+		if ((version & 0xff00) != (DTLS1_VERSION & 0xff00))
+			{
+			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
+			goto err;
+			}
+
+		if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH)
+			{
+			al=SSL_AD_RECORD_OVERFLOW;
+			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
+			goto f_err;
+			}
+
+		/* now s->rstate == SSL_ST_READ_BODY */
+		}
+
+	/* s->rstate == SSL_ST_READ_BODY, get and decode the data */
+
+	if (rr->length > s->packet_length-DTLS1_RT_HEADER_LENGTH)
+		{
+		/* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
+		i=rr->length;
+		n=ssl3_read_n(s,i,i,1);
+		if (n <= 0) return(n); /* error or non-blocking io */
+
+		/* this packet contained a partial record, dump it */
+		if ( n != i)
+			{
+			s->packet_length = 0;
+			goto again;
+			}
+
+		/* now n == rr->length,
+		 * and s->packet_length == DTLS1_RT_HEADER_LENGTH + rr->length */
+		}
+	s->rstate=SSL_ST_READ_HEADER; /* set state for later operations */
+
+	/* match epochs.  NULL means the packet is dropped on the floor */
+	bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
+	if ( bitmap == NULL)
+        {
+        s->packet_length = 0;  /* dump this record */
+        goto again;   /* get another record */
+		}
+
+	/* check whether this is a repeat, or aged record */
+	if ( ! dtls1_record_replay_check(s, bitmap, &(rr->seq_num)))
+		{
+		s->packet_length=0; /* dump this record */
+		goto again;     /* get another record */
+		}
+
+	/* just read a 0 length packet */
+	if (rr->length == 0) goto again;
+
+    /* If this record is from the next epoch (either HM or ALERT), buffer it
+     * since it cannot be processed at this time.
+     * Records from the next epoch are marked as received even though they are 
+     * not processed, so as to prevent any potential resource DoS attack */
+    if (is_next_epoch)
+        {
+        dtls1_record_bitmap_update(s, bitmap);
+        dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
+        s->packet_length = 0;
+        goto again;
+        }
+
+    if ( ! dtls1_process_record(s))
+        return(0);
+
+	dtls1_clear_timeouts(s);  /* done waiting */
+	return(1);
+
+f_err:
+	ssl3_send_alert(s,SSL3_AL_FATAL,al);
+err:
+	return(0);
+	}
+
+/* Return up to 'len' payload bytes received in 'type' records.
+ * 'type' is one of the following:
+ *
+ *   -  SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
+ *   -  SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
+ *   -  0 (during a shutdown, no data has to be returned)
+ *
+ * If we don't have stored data to work from, read a SSL/TLS record first
+ * (possibly multiple records if we still don't have anything to return).
+ *
+ * This function must handle any surprises the peer may have for us, such as
+ * Alert records (e.g. close_notify), ChangeCipherSpec records (not really
+ * a surprise, but handled as if it were), or renegotiation requests.
+ * Also if record payloads contain fragments too small to process, we store
+ * them until there is enough for the respective protocol (the record protocol
+ * may use arbitrary fragmentation and even interleaving):
+ *     Change cipher spec protocol
+ *             just 1 byte needed, no need for keeping anything stored
+ *     Alert protocol
+ *             2 bytes needed (AlertLevel, AlertDescription)
+ *     Handshake protocol
+ *             4 bytes needed (HandshakeType, uint24 length) -- we just have
+ *             to detect unexpected Client Hello and Hello Request messages
+ *             here, anything else is handled by higher layers
+ *     Application data protocol
+ *             none of our business
+ */
+int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
+	{
+	int al,i,j,ret;
+	unsigned int n;
+	SSL3_RECORD *rr;
+	void (*cb)(const SSL *ssl,int type2,int val)=NULL;
+
+	if (s->s3->rbuf.buf == NULL) /* Not initialized yet */
+		if (!ssl3_setup_buffers(s))
+			return(-1);
+
+    /* XXX: check what the second '&& type' is about */
+	if ((type && (type != SSL3_RT_APPLICATION_DATA) && 
+		(type != SSL3_RT_HANDSHAKE) && type) ||
+	    (peek && (type != SSL3_RT_APPLICATION_DATA)))
+		{
+		SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
+		return -1;
+		}
+
+	/* check whether there's a handshake message (client hello?) waiting */
+	if ( (ret = have_handshake_fragment(s, type, buf, len, peek)))
+		return ret;
+
+	/* Now s->d1->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
+
+	if (!s->in_handshake && SSL_in_init(s))
+		{
+		/* type == SSL3_RT_APPLICATION_DATA */
+		i=s->handshake_func(s);
+		if (i < 0) return(i);
+		if (i == 0)
+			{
+			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
+			return(-1);
+			}
+		}
+
+start:
+	s->rwstate=SSL_NOTHING;
+
+	/* s->s3->rrec.type	    - is the type of record
+	 * s->s3->rrec.data,    - data
+	 * s->s3->rrec.off,     - offset into 'data' for next read
+	 * s->s3->rrec.length,  - number of bytes. */
+	rr = &(s->s3->rrec);
+
+	/* get new packet if necessary */
+	if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
+		{
+		ret=dtls1_get_record(s);
+		if (ret <= 0) 
+			{
+			ret = dtls1_read_failed(s, ret);
+			/* anything other than a timeout is an error */
+			if (ret <= 0)  
+				return(ret);
+			else
+				goto start;
+			}
+		}
+
+	/* we now have a packet which can be read and processed */
+
+	if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+	                               * reset by ssl3_get_finished */
+		&& (rr->type != SSL3_RT_HANDSHAKE))
+		{
+		al=SSL_AD_UNEXPECTED_MESSAGE;
+		SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
+		goto err;
+		}
+
+	/* If the other end has shut down, throw anything we read away
+	 * (even in 'peek' mode) */
+	if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
+		{
+		rr->length=0;
+		s->rwstate=SSL_NOTHING;
+		return(0);
+		}
+
+
+	if (type == rr->type) /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */
+		{
+		/* make sure that we are not getting application data when we
+		 * are doing a handshake for the first time */
+		if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA) &&
+			(s->enc_read_ctx == NULL))
+			{
+			al=SSL_AD_UNEXPECTED_MESSAGE;
+			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE);
+			goto f_err;
+			}
+
+		if (len <= 0) return(len);
+
+		if ((unsigned int)len > rr->length)
+			n = rr->length;
+		else
+			n = (unsigned int)len;
+
+		memcpy(buf,&(rr->data[rr->off]),n);
+		if (!peek)
+			{
+			rr->length-=n;
+			rr->off+=n;
+			if (rr->length == 0)
+				{
+				s->rstate=SSL_ST_READ_HEADER;
+				rr->off=0;
+				}
+			}
+		return(n);
+		}
+
+
+	/* If we get here, then type != rr->type; if we have a handshake
+	 * message, then it was unexpected (Hello Request or Client Hello). */
+
+	/* In case of record types for which we have 'fragment' storage,
+	 * fill that so that we can process the data at a fixed place.
+	 */
+		{
+		unsigned int i, dest_maxlen = 0;
+		unsigned char *dest = NULL;
+		unsigned int *dest_len = NULL;
+
+		if (rr->type == SSL3_RT_HANDSHAKE)
+			{
+			dest_maxlen = sizeof s->d1->handshake_fragment;
+			dest = s->d1->handshake_fragment;
+			dest_len = &s->d1->handshake_fragment_len;
+			}
+		else if (rr->type == SSL3_RT_ALERT)
+			{
+			dest_maxlen = sizeof(s->d1->alert_fragment);
+			dest = s->d1->alert_fragment;
+			dest_len = &s->d1->alert_fragment_len;
+			}
+		else	/* else it's a CCS message */
+			OPENSSL_assert(rr->type == SSL3_RT_CHANGE_CIPHER_SPEC);
+
+
+		if (dest_maxlen > 0)
+			{
+            /* XDTLS:  In a pathalogical case, the Client Hello
+             *  may be fragmented--don't always expect dest_maxlen bytes */
+			if ( rr->length < dest_maxlen)
+				{
+				s->rstate=SSL_ST_READ_HEADER;
+				rr->length = 0;
+				goto start;
+				}
+
+			/* now move 'n' bytes: */
+			for ( i = 0; i < dest_maxlen; i++)
+				{
+				dest[i] = rr->data[rr->off++];
+				rr->length--;
+				}
+			*dest_len = dest_maxlen;
+			}
+		}
+
+	/* s->d1->handshake_fragment_len == 12  iff  rr->type == SSL3_RT_HANDSHAKE;
+	 * s->d1->alert_fragment_len == 7      iff  rr->type == SSL3_RT_ALERT.
+	 * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */
+
+	/* If we are a client, check for an incoming 'Hello Request': */
+	if ((!s->server) &&
+		(s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) &&
+		(s->d1->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST) &&
+		(s->session != NULL) && (s->session->cipher != NULL))
+		{
+		s->d1->handshake_fragment_len = 0;
+
+		if ((s->d1->handshake_fragment[1] != 0) ||
+			(s->d1->handshake_fragment[2] != 0) ||
+			(s->d1->handshake_fragment[3] != 0))
+			{
+			al=SSL_AD_DECODE_ERROR;
+			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
+			goto err;
+			}
+
+		/* no need to check sequence number on HELLO REQUEST messages */
+
+		if (s->msg_callback)
+			s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, 
+				s->d1->handshake_fragment, 4, s, s->msg_callback_arg);
+
+		if (SSL_is_init_finished(s) &&
+			!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
+			!s->s3->renegotiate)
+			{
+			ssl3_renegotiate(s);
+			if (ssl3_renegotiate_check(s))
+				{
+				i=s->handshake_func(s);
+				if (i < 0) return(i);
+				if (i == 0)
+					{
+					SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
+					return(-1);
+					}
+
+				if (!(s->mode & SSL_MODE_AUTO_RETRY))
+					{
+					if (s->s3->rbuf.left == 0) /* no read-ahead left? */
+						{
+						BIO *bio;
+						/* In the case where we try to read application data,
+						 * but we trigger an SSL handshake, we return -1 with
+						 * the retry option set.  Otherwise renegotiation may
+						 * cause nasty problems in the blocking world */
+						s->rwstate=SSL_READING;
+						bio=SSL_get_rbio(s);
+						BIO_clear_retry_flags(bio);
+						BIO_set_retry_read(bio);
+						return(-1);
+						}
+					}
+				}
+			}
+		/* we either finished a handshake or ignored the request,
+		 * now try again to obtain the (application) data we were asked for */
+		goto start;
+		}
+
+	if (s->d1->alert_fragment_len >= DTLS1_AL_HEADER_LENGTH)
+		{
+		int alert_level = s->d1->alert_fragment[0];
+		int alert_descr = s->d1->alert_fragment[1];
+
+		s->d1->alert_fragment_len = 0;
+
+		if (s->msg_callback)
+			s->msg_callback(0, s->version, SSL3_RT_ALERT, 
+				s->d1->alert_fragment, 2, s, s->msg_callback_arg);
+
+		if (s->info_callback != NULL)
+			cb=s->info_callback;
+		else if (s->ctx->info_callback != NULL)
+			cb=s->ctx->info_callback;
+
+		if (cb != NULL)
+			{
+			j = (alert_level << 8) | alert_descr;
+			cb(s, SSL_CB_READ_ALERT, j);
+			}
+
+		if (alert_level == 1) /* warning */
+			{
+			s->s3->warn_alert = alert_descr;
+			if (alert_descr == SSL_AD_CLOSE_NOTIFY)
+				{
+				s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+				return(0);
+				}
+#if 0
+            /* XXX: this is a possible improvement in the future */
+			/* now check if it's a missing record */
+			if (alert_descr == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
+				{
+				unsigned short seq;
+				unsigned int frag_off;
+				unsigned char *p = &(s->d1->alert_fragment[2]);
+
+				n2s(p, seq);
+				n2l3(p, frag_off);
+
+				dtls1_retransmit_message(s, seq, frag_off, &found);
+				if ( ! found  && SSL_in_init(s))
+					{
+					/* fprintf( stderr,"in init = %d\n", SSL_in_init(s)); */
+					/* requested a message not yet sent, 
+					   send an alert ourselves */
+					ssl3_send_alert(s,SSL3_AL_WARNING,
+						DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
+					}
+				}
+#endif
+			}
+		else if (alert_level == 2) /* fatal */
+			{
+			char tmp[16];
+
+			s->rwstate=SSL_NOTHING;
+			s->s3->fatal_alert = alert_descr;
+			SSLerr(SSL_F_SSL3_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
+			BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr);
+			ERR_add_error_data(2,"SSL alert number ",tmp);
+			s->shutdown|=SSL_RECEIVED_SHUTDOWN;
+			SSL_CTX_remove_session(s->ctx,s->session);
+			return(0);
+			}
+		else
+			{
+			al=SSL_AD_ILLEGAL_PARAMETER;
+			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE);
+			goto f_err;
+			}
+
+		goto start;
+		}
+
+	if (s->shutdown & SSL_SENT_SHUTDOWN) /* but we have not received a shutdown */
+		{
+		s->rwstate=SSL_NOTHING;
+		rr->length=0;
+		return(0);
+		}
+
+	if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
+        {
+        struct ccs_header_st ccs_hdr;
+
+		dtls1_get_ccs_header(rr->data, &ccs_hdr);
+
+		if ( ccs_hdr.seq == s->d1->handshake_read_seq)
+			{
+			/* 'Change Cipher Spec' is just a single byte, so we know
+			 * exactly what the record payload has to look like */
+			/* XDTLS: check that epoch is consistent */
+			if (	(rr->length != DTLS1_CCS_HEADER_LENGTH) || 
+				(rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
+				{
+				i=SSL_AD_ILLEGAL_PARAMETER;
+				SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
+				goto err;
+				}
+			
+			rr->length=0;
+			
+			if (s->msg_callback)
+				s->msg_callback(0, s->version, SSL3_RT_CHANGE_CIPHER_SPEC, 
+					rr->data, 1, s, s->msg_callback_arg);
+			
+			s->s3->change_cipher_spec=1;
+			if (!ssl3_do_change_cipher_spec(s))
+				goto err;
+			
+			/* do this whenever CCS is processed */
+			dtls1_reset_seq_numbers(s, SSL3_CC_READ);
+			
+			/* handshake read seq is reset upon handshake completion */
+			s->d1->handshake_read_seq++;
+			
+			goto start;
+			}
+		else
+			{
+			rr->length = 0;
+			goto start;
+			}
+		}
+
+	/* Unexpected handshake message (Client Hello, or protocol violation) */
+	if ((s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) && 
+		!s->in_handshake)
+		{
+		struct hm_header_st msg_hdr;
+		
+		/* this may just be a stale retransmit */
+		dtls1_get_message_header(rr->data, &msg_hdr);
+		if( rr->epoch != s->d1->r_epoch)
+			{
+			rr->length = 0;
+			goto start;
+			}
+
+		if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
+			!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
+			{
+#if 0 /* worked only because C operator preferences are not as expected (and
+       * because this is not really needed for clients except for detecting
+       * protocol violations): */
+			s->state=SSL_ST_BEFORE|(s->server)
+				?SSL_ST_ACCEPT
+				:SSL_ST_CONNECT;
+#else
+			s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
+#endif
+			s->new_session=1;
+			}
+		i=s->handshake_func(s);
+		if (i < 0) return(i);
+		if (i == 0)
+			{
+			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
+			return(-1);
+			}
+
+		if (!(s->mode & SSL_MODE_AUTO_RETRY))
+			{
+			if (s->s3->rbuf.left == 0) /* no read-ahead left? */
+				{
+				BIO *bio;
+				/* In the case where we try to read application data,
+				 * but we trigger an SSL handshake, we return -1 with
+				 * the retry option set.  Otherwise renegotiation may