| blob | 7b49a7dd7a6db9221761f60a2547d2e80b4f12e7 |
1 /* ssl/d1_pkt.c */
2 /*
3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
5 */
6 /* ====================================================================
7 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
19 * distribution.
20 *
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
25 *
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * openssl-core@openssl.org.
30 *
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
34 *
35 * 6. Redistributions of any form whatsoever must retain the following
36 * acknowledgment:
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
53 *
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
57 *
58 */
59 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
60 * All rights reserved.
61 *
62 * This package is an SSL implementation written
63 * by Eric Young (eay@cryptsoft.com).
64 * The implementation was written so as to conform with Netscapes SSL.
65 *
66 * This library is free for commercial and non-commercial use as long as
67 * the following conditions are aheared to. The following conditions
68 * apply to all code found in this distribution, be it the RC4, RSA,
69 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
70 * included with this distribution is covered by the same copyright terms
71 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
72 *
73 * Copyright remains Eric Young's, and as such any Copyright notices in
74 * the code are not to be removed.
75 * If this package is used in a product, Eric Young should be given attribution
76 * as the author of the parts of the library used.
77 * This can be in the form of a textual message at program startup or
78 * in documentation (online or textual) provided with the package.
79 *
80 * Redistribution and use in source and binary forms, with or without
81 * modification, are permitted provided that the following conditions
82 * are met:
83 * 1. Redistributions of source code must retain the copyright
84 * notice, this list of conditions and the following disclaimer.
85 * 2. Redistributions in binary form must reproduce the above copyright
86 * notice, this list of conditions and the following disclaimer in the
87 * documentation and/or other materials provided with the distribution.
88 * 3. All advertising materials mentioning features or use of this software
89 * must display the following acknowledgement:
90 * "This product includes cryptographic software written by
91 * Eric Young (eay@cryptsoft.com)"
92 * The word 'cryptographic' can be left out if the rouines from the library
93 * being used are not cryptographic related :-).
94 * 4. If you include any Windows specific code (or a derivative thereof) from
95 * the apps directory (application code) you must include an acknowledgement:
96 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
97 *
98 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
99 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
100 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
101 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
102 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
103 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
104 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
105 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
106 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
107 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
108 * SUCH DAMAGE.
109 *
110 * The licence and distribution terms for any publically available version or
111 * derivative of this code cannot be changed. i.e. this code cannot simply be
112 * copied and put under another distribution licence
113 * [including the GNU Public Licence.]
114 */
116 #include <stdio.h>
117 #include <errno.h>
118 #define USE_SOCKETS
120 #include <openssl/evp.h>
121 #include <openssl/buffer.h>
122 #include <openssl/pqueue.h>
123 #include <openssl/rand.h>
125 /* mod 128 saturating subtract of two 64-bit values in big-endian order */
127 {
136 1
137 };
142 /* not reached on little-endians */
143 /*
144 * following test is redundant, because input is always aligned,
145 * but I take no chances...
146 */
156 else
168 }
174 }
175 }
180 else
182 }
190 #if 0
194 #endif
199 /* copy buffered record into SSL structure */
201 {
214 /* Set proper sequence number for mac calculation */
218 }
220 static int
222 {
226 /* Limit the size of the queue to prevent DOS attacks */
240 }
249 #ifndef OPENSSL_NO_SCTP
250 /* Store bio_dgram_sctp_rcvinfo struct */
256 }
257 #endif
271 }
273 /* insert should not fail, since duplicates are dropped */
281 }
284 }
287 {
298 }
301 }
303 /*
304 * retrieve a buffered record that belongs to the new epoch, i.e., not
305 * processed yet
306 */
307 #define dtls1_get_unprocessed_record(s) \
308 dtls1_retrieve_buffered_record((s), \
309 &((s)->d1->unprocessed_rcds))
311 /*
312 * retrieve a buffered record that belongs to the current epoch, ie,
313 * processed
314 */
315 #define dtls1_get_processed_record(s) \
316 dtls1_retrieve_buffered_record((s), \
317 &((s)->d1->processed_rcds))
320 {
325 /* Check if epoch is current. */
329 /* Process all the records. */
337 }
338 }
340 /*
341 * sync epoch numbers once all the unprocessed records have been
342 * processed
343 */
348 }
350 #if 0
353 {
355 PQ_64BIT priority =
359 /* if we're not (re)negotiating, nothing buffered */
365 /*
366 * Check if we've received the record of interest. It must be a
367 * handshake record, since data records as passed up without
368 * buffering
369 */
385 /* s->d1->next_expected_seq_num++; */
387 }
390 }
392 #endif
395 {
406 /*
407 * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
408 * and we have that many bytes in s->packet
409 */
412 /*
413 * ok, we can now read from 's->packet' data into 'rr' rr->input points
414 * at rr->length bytes, which need to be copied into rr->data by either
415 * the decryption or by the decompression When the data is 'copied' into
416 * the rr->data buffer, rr->input will be pointed at the new buffer
417 */
419 /*
420 * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
421 * bytes of encrypted compressed stuff.
422 */
424 /* check is not needed I believe */
429 }
431 /* decrypt in place in 'rr->input' */
435 /*-
436 * enc_err is:
437 * 0: (in non-constant time) if the record is publically invalid.
438 * 1: if the padding is valid
439 * -1: if the padding is invalid
440 */
442 /* For DTLS we simply ignore bad packets. */
446 }
447 #ifdef TLS_DEBUG
449 {
453 }
455 #endif
457 /* r->length is now the compressed data plus mac */
460 /* s->read_hash != NULL => mac_size != -1 */
466 /*
467 * kludge: *_cbc_remove_padding passes padding length in rr->type
468 */
471 /*
472 * orig_len is the length of the record before any padding was
473 * removed. This is public information, as is the MAC in use,
474 * therefore we can safely process the record in a different amount
475 * of time if it's too short to possibly contain a MAC.
476 */
478 /* CBC records must have a padding length byte too. */
484 }
487 /*
488 * We update the length so that the TLS header bytes can be
489 * constructed correctly but we need to extract the MAC in
490 * constant time from within the record, without leaking the
491 * contents of the padding bytes.
492 */
497 /*
498 * In this case there's no padding, so |orig_len| equals
499 * |rec->length| and we checked that there's enough bytes for
500 * |mac_size| above.
501 */
504 }
512 }
515 /* decryption failed, silently discard message */
519 }
521 /* r->length is now just compressed */
526 SSL_R_COMPRESSED_LENGTH_TOO_LONG);
528 }
533 }
534 }
540 }
543 /*-
544 * So at this point the following is true
545 * ssl->s3->rrec.type is the type of record
546 * ssl->s3->rrec.length == number of bytes in record
547 * ssl->s3->rrec.off == offset to first valid byte
548 * ssl->s3->rrec.data == where to take bytes from, increment
549 * after use :-).
550 */
552 /* we have pulled in a full packet so zero things */
556 f_err:
558 err:
560 }
562 /*-
563 * Call this to get a new input record.
564 * It will return <= 0 if more data is needed, normally due to an error
565 * or non-blocking IO.
566 * When it finishes, one packet has been decoded and can be found in
567 * ssl->s3->rrec.type - is the type of record
568 * ssl->s3->rrec.data, - data
569 * ssl->s3->rrec.length, - number of bytes
570 */
571 /* used only by dtls1_read_bytes */
573 {
584 /*
585 * The epoch may have changed. If so, process all the pending records.
586 * This is a non-blocking operation.
587 */
591 /* if we're renegotiating, then there may be buffered records */
595 /* get something from the wire */
596 again:
597 /* check if we have the header */
601 /* read timeout is handled by dtls1_read_bytes */
605 /* this packet contained a partial record, dump it */
609 }
615 /* Pull apart the header into the DTLS1_RECORD */
621 /* sequence number is 64 bits, with top 2 bytes = epoch */
629 /* Lets check version */
632 /* unexpected version, silently discard */
636 }
637 }
640 /* wrong version, silently discard record */
644 }
647 /* record too long, silently discard it */
651 }
653 /* now s->rstate == SSL_ST_READ_BODY */
654 }
656 /* s->rstate == SSL_ST_READ_BODY, get and decode the data */
659 /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
662 /* this packet contained a partial record, dump it */
667 }
669 /*
670 * now n == rr->length, and s->packet_length ==
671 * DTLS1_RT_HEADER_LENGTH + rr->length
672 */
673 }
676 /* match epochs. NULL means the packet is dropped on the floor */
682 }
683 #ifndef OPENSSL_NO_SCTP
684 /* Only do replay check if no SCTP bio */
686 #endif
687 /*
688 * Check whether this is a repeat, or aged record. Don't check if
689 * we're listening and this message is a ClientHello. They can look
690 * as if they're replayed, since they arrive from different
691 * connections and would be dropped unnecessarily.
692 */
700 }
701 #ifndef OPENSSL_NO_SCTP
702 }
703 #endif
705 /* just read a 0 length packet */
709 /*
710 * If this record is from the next epoch (either HM or ALERT), and a
711 * handshake is currently in progress, buffer it since it cannot be
712 * processed at this time. However, do not buffer anything while
713 * listening.
714 */
720 /* Mark receipt of record. */
722 }
726 }
732 }
737 }
739 /*-
740 * Return up to 'len' payload bytes received in 'type' records.
741 * 'type' is one of the following:
742 *
743 * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
744 * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
745 * - 0 (during a shutdown, no data has to be returned)
746 *
747 * If we don't have stored data to work from, read a SSL/TLS record first
748 * (possibly multiple records if we still don't have anything to return).
749 *
750 * This function must handle any surprises the peer may have for us, such as
751 * Alert records (e.g. close_notify), ChangeCipherSpec records (not really
752 * a surprise, but handled as if it were), or renegotiation requests.
753 * Also if record payloads contain fragments too small to process, we store
754 * them until there is enough for the respective protocol (the record protocol
755 * may use arbitrary fragmentation and even interleaving):
756 * Change cipher spec protocol
757 * just 1 byte needed, no need for keeping anything stored
758 * Alert protocol
759 * 2 bytes needed (AlertLevel, AlertDescription)
760 * Handshake protocol
761 * 4 bytes needed (HandshakeType, uint24 length) -- we just have
762 * to detect unexpected Client Hello and Hello Request messages
763 * here, anything else is handled by higher layers
764 * Application data protocol
765 * none of our business
766 */
768 {
778 /* XXX: check what the second '&& type' is about */
784 }
786 /*
787 * check whether there's a handshake message (client hello?) waiting
788 */
792 /*
793 * Now s->d1->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE.
794 */
796 #ifndef OPENSSL_NO_SCTP
797 /*
798 * Continue handshake if it had to be interrupted to read app data with
799 * SCTP.
800 */
806 #else
808 #endif
809 {
810 /* type == SSL3_RT_APPLICATION_DATA */
817 }
818 }
820 start:
823 /*-
824 * s->s3->rrec.type - is the type of record
825 * s->s3->rrec.data, - data
826 * s->s3->rrec.off, - offset into 'data' for next read
827 * s->s3->rrec.length, - number of bytes.
828 */
831 /*
832 * We are not handshaking and have no data yet, so process data buffered
833 * during the last handshake in advance, if any.
834 */
839 #ifndef OPENSSL_NO_SCTP
840 /* Restore bio_dgram_sctp_rcvinfo struct */
845 }
846 #endif
852 }
853 }
855 /* Check for timeout */
859 /* get new packet if necessary */
864 /* anything other than a timeout is an error */
867 else
869 }
870 }
875 }
877 /* we now have a packet which can be read and processed */
880 * reset by ssl3_get_finished */
882 /*
883 * We now have application data between CCS and Finished. Most likely
884 * the packets were reordered on their way, so buffer the application
885 * data for later processing rather than dropping the connection.
886 */
891 }
894 }
896 /*
897 * If the other end has shut down, throw anything we read away (even in
898 * 'peek' mode)
899 */
904 }
907 * SSL3_RT_HANDSHAKE */
908 /*
909 * make sure that we are not getting application data when we are
910 * doing a handshake for the first time
911 */
917 }
924 else
934 }
935 }
936 #ifndef OPENSSL_NO_SCTP
937 /*
938 * We were about to renegotiate but had to read belated application
939 * data first, so retry.
940 */
948 }
950 /*
951 * We might had to delay a close_notify alert because of reordered
952 * app data. If there was an alert and there is no message to read
953 * anymore, finally set shutdown.
954 */
960 }
961 #endif
963 }
965 /*
966 * If we get here, then type != rr->type; if we have a handshake message,
967 * then it was unexpected (Hello Request or Client Hello).
968 */
970 /*
971 * In case of record types for which we have 'fragment' storage, fill
972 * that so that we can process the data at a fixed place.
973 */
974 {
987 }
988 #ifndef OPENSSL_NO_HEARTBEATS
992 /* Exit and notify application to read again */
998 }
999 #endif
1000 /* else it's a CCS message, or application data or wrong */
1002 /*
1003 * Application data while renegotiating is allowed. Try again
1004 * reading.
1005 */
1014 }
1016 /* Not certain if this is the right error handling */
1020 }
1023 /*
1024 * XDTLS: In a pathalogical case, the Client Hello may be
1025 * fragmented--don't always expect dest_maxlen bytes
1026 */
1028 #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
1029 /*
1030 * for normal alerts rr->length is 2, while
1031 * dest_maxlen is 7 if we were to handle this
1032 * non-existing alert...
1033 */
1034 FIX ME
1035 #endif
1039 }
1041 /* now move 'n' bytes: */
1045 }
1047 }
1048 }
1050 /*-
1051 * s->d1->handshake_fragment_len == 12 iff rr->type == SSL3_RT_HANDSHAKE;
1052 * s->d1->alert_fragment_len == 7 iff rr->type == SSL3_RT_ALERT.
1053 * (Possibly rr is 'empty' now, i.e. rr->length may be 0.)
1054 */
1056 /* If we are a client, check for an incoming 'Hello Request': */
1069 }
1071 /*
1072 * no need to check sequence number on HELLO REQUEST messages
1073 */
1092 SSL_R_SSL_HANDSHAKE_FAILURE);
1094 }
1099 /*
1100 * In the case where we try to read application data,
1101 * but we trigger an SSL handshake, we return -1 with
1102 * the retry option set. Otherwise renegotiation may
1103 * cause nasty problems in the blocking world
1104 */
1110 }
1111 }
1112 }
1113 }
1114 /*
1115 * we either finished a handshake or ignored the request, now try
1116 * again to obtain the (application) data we were asked for
1117 */
1119 }
1139 }
1144 #ifndef OPENSSL_NO_SCTP
1145 /*
1146 * With SCTP and streams the socket may deliver app data
1147 * after a close_notify alert. We have to check this first so
1148 * that nothing gets discarded.
1149 */
1157 }
1158 #endif
1161 }
1162 #if 0
1163 /* XXX: this is a possible improvement in the future */
1164 /* now check if it's a missing record */
1174 dtls1_get_queue_priority
1178 /*
1179 * fprintf( stderr,"in init = %d\n", SSL_in_init(s));
1180 */
1181 /*
1182 * requested a message not yet sent, send an alert
1183 * ourselves
1184 */
1186 DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
1187 }
1188 }
1189 #endif
1206 }
1209 }
1212 * shutdown */
1216 }
1227 /*
1228 * 'Change Cipher Spec' is just a single byte, so we know exactly
1229 * what the record payload has to look like
1230 */
1231 /* XDTLS: check that epoch is consistent */
1237 }
1245 /*
1246 * We can't process a CCS now, because previous handshake messages
1247 * are still missing, so just drop it.
1248 */
1251 }
1259 /* do this whenever CCS is processed */
1265 #ifndef OPENSSL_NO_SCTP
1266 /*
1267 * Remember that a CCS has been received, so that an old key of
1268 * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
1269 * SCTP is used
1270 */
1272 #endif
1275 }
1277 /*
1278 * Unexpected handshake message (Client Hello, or protocol violation)
1279 */
1284 /* this may just be a stale retransmit */
1289 }
1291 /*
1292 * If we are server, we may have a repeated FINISHED of the client
1293 * here, then retransmit our CCS and FINISHED.
1294 */
1302 }
1307 * are not as expected (and because this is
1308 * not really needed for clients except for
1309 * detecting protocol violations): */
1312 #else
1314 #endif
1317 }
1324 }
1329 /*
1330 * In the case where we try to read application data, but we
1331 * trigger an SSL handshake, we return -1 with the retry
1332 * option set. Otherwise renegotiation may cause nasty
1333 * problems in the blocking world
1334 */
1340 }
1341 }
1343 }
1347 #ifndef OPENSSL_NO_TLS
1348 /* TLS just ignores unknown message types */
1352 }
1353 #endif
1360 /*
1361 * we already handled all of these, with the possible exception of
1362 * SSL3_RT_HANDSHAKE when s->in_handshake is set, but that should not
1363 * happen when type != rr->type
1364 */
1369 /*
1370 * At this point, we were expecting handshake data, but have
1371 * application data. If the library was running inside ssl3_read()
1372 * (i.e. in_read_app_data is set) and it makes sense to read
1373 * application data at this point (session renegotiation not yet
1374 * started), we will indulge it.
1375 */
1384 )
1385 )) {
1392 }
1393 }
1394 /* not reached */
1396 f_err:
1398 err:
1400 }
1403 {
1406 #ifndef OPENSSL_NO_SCTP
1407 /*
1408 * Check if we have to continue an interrupted handshake for reading
1409 * belated app data with SCTP.
1410 */
1415 #else
1417 #endif
1418 {
1424 SSL_R_SSL_HANDSHAKE_FAILURE);
1426 }
1427 }
1432 }
1436 }
1438 /*
1439 * this only happens when a client hello is received and a handshake
1440 * is started.
1441 */
1442 static int
1445 {
1448 /* (partially) satisfy request from storage */
1449 {
1454 /* peek == 0 */
1458 len--;
1460 n++;
1461 }
1462 /* move any remaining fragment bytes: */
1466 }
1469 }
1471 /*
1472 * Call this to write data in records of type 'type' It will return <= 0 if
1473 * not all data has been sent or non-blocking IO.
1474 */
1476 {
1483 }
1487 {
1496 /*
1497 * first check if there is a SSL3_BUFFER still being written out. This
1498 * will happen with non blocking IO
1499 */
1503 }
1505 /* If we have an alert to send, lets send it */
1510 /* if it went, fall through and send more stuff */
1511 }
1530 }
1532 /* DTLS implements explicit IV, so no need for empty fragments */
1533 #if 0
1534 /*
1535 * 'create_empty_fragment' is true only when this function calls itself
1536 */
1539 {
1540 /*
1541 * countermeasure against known-IV weakness in CBC ciphersuites (see
1542 * http://www.openssl.org/~bodo/tls-cbc.txt)
1543 */
1546 /*
1547 * recursive function call with 'create_empty_fragment' set; this
1548 * prepares and buffers the data for an empty fragment (these
1549 * 'prefix_len' bytes are sent out later together with the actual
1550 * payload)
1551 */
1558 /* insufficient space */
1561 }
1562 }
1565 }
1566 #endif
1569 /* write the header */
1577 /* field where we are to write out packet epoch, seq num and len */
1581 /* lets setup the record stuff. */
1583 /*
1584 * Make space for the explicit IV in case of CBC. (this is a bit of a
1585 * boundary violation, but what the heck).
1586 */
1590 else
1597 /*
1598 * we now 'read' from wr->input, wr->length bytes into wr->data
1599 */
1601 /* first we compress */
1606 }
1610 }
1612 /*
1613 * we should still have the output to wr->data and the input from
1614 * wr->input. Length should be wr->length. wr->data still points in the
1615 * wb->buf
1616 */
1622 }
1624 /* this is true regardless of mac size */
1628 /* ssl3_enc can only have an error on read */
1631 /*
1632 * master IV and last CBC residue stand for the rest of randomness
1633 */
1635 }
1640 /* record length after mac and block padding */
1641 /*
1642 * if (type == SSL3_RT_APPLICATION_DATA || (type == SSL3_RT_ALERT && !
1643 * SSL_in_init(s)))
1644 */
1646 /* there's only one epoch between handshake and app data */
1650 /* XDTLS: ?? */
1651 /*
1652 * else s2n(s->d1->handshake_epoch, pseq);
1653 */
1659 /*
1660 * we should now have wr->data pointing to the encrypted data, which is
1661 * wr->length long
1662 */
1667 /* buffer the record, making it easy to handle retransmits */
1671 #endif
1676 /*
1677 * we are in a recursive call; just return the length, don't write
1678 * out anything here
1679 */
1681 }
1683 /* now let's set up wb */
1687 /*
1688 * memorize arguments so that ssl3_write_pending can detect bad write
1689 * retries later
1690 */
1696 /* we now just need to write the buffer */
1698 err:
1700 }
1703 {
1712 }
1721 }
1724 {
1734 else
1741 }
1742 }
1745 {
1757 #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
1760 # if 0
1762 /*
1763 * waiting for a new msg
1764 */
1765 else
1767 # endif
1769 # if 0
1773 # endif
1775 }
1776 #endif
1781 /* fprintf( stderr, "not done with alert\n" ); */
1784 #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
1786 #endif
1787 )
1802 }
1803 }
1805 }
1809 {
1813 /* In current epoch, accept HM, CCS, DATA, & ALERT */
1817 /* Only HM and ALERT messages can be from the next epoch */
1822 }
1825 }
1827 #if 0
1828 static int
1831 {
1833 /* alerts are passed up immediately */
1837 /*
1838 * Only need to buffer if a handshake is underway. (this implies that
1839 * Hello Request and Client Hello are passed up immediately)
1840 */
1843 /* need to extract the HM/CCS sequence number here */
1858 }
1860 /*
1861 * this is either a record we're waiting for, or a retransmit of
1862 * something we happened to previously receive (higher layers
1863 * will drop the repeat silently
1864 */
1878 }
1881 }
1884 }
1885 #endif
1888 {
1902 }
1905 }