| blob | 940ca692790271976366e9a34fad0687d588a475 |
1 /* ssl/d1_pkt.c */
2 /*
3 * DTLS implementation written by Nagendra Modadugu
4 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
5 */
6 /* ====================================================================
7 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
19 * distribution.
20 *
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
25 *
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * openssl-core@openssl.org.
30 *
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
34 *
35 * 6. Redistributions of any form whatsoever must retain the following
36 * acknowledgment:
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
53 *
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
57 *
58 */
59 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
60 * All rights reserved.
61 *
62 * This package is an SSL implementation written
63 * by Eric Young (eay@cryptsoft.com).
64 * The implementation was written so as to conform with Netscapes SSL.
65 *
66 * This library is free for commercial and non-commercial use as long as
67 * the following conditions are aheared to. The following conditions
68 * apply to all code found in this distribution, be it the RC4, RSA,
69 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
70 * included with this distribution is covered by the same copyright terms
71 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
72 *
73 * Copyright remains Eric Young's, and as such any Copyright notices in
74 * the code are not to be removed.
75 * If this package is used in a product, Eric Young should be given attribution
76 * as the author of the parts of the library used.
77 * This can be in the form of a textual message at program startup or
78 * in documentation (online or textual) provided with the package.
79 *
80 * Redistribution and use in source and binary forms, with or without
81 * modification, are permitted provided that the following conditions
82 * are met:
83 * 1. Redistributions of source code must retain the copyright
84 * notice, this list of conditions and the following disclaimer.
85 * 2. Redistributions in binary form must reproduce the above copyright
86 * notice, this list of conditions and the following disclaimer in the
87 * documentation and/or other materials provided with the distribution.
88 * 3. All advertising materials mentioning features or use of this software
89 * must display the following acknowledgement:
90 * "This product includes cryptographic software written by
91 * Eric Young (eay@cryptsoft.com)"
92 * The word 'cryptographic' can be left out if the rouines from the library
93 * being used are not cryptographic related :-).
94 * 4. If you include any Windows specific code (or a derivative thereof) from
95 * the apps directory (application code) you must include an acknowledgement:
96 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
97 *
98 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
99 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
100 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
101 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
102 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
103 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
104 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
105 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
106 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
107 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
108 * SUCH DAMAGE.
109 *
110 * The licence and distribution terms for any publically available version or
111 * derivative of this code cannot be changed. i.e. this code cannot simply be
112 * copied and put under another distribution licence
113 * [including the GNU Public Licence.]
114 */
116 #include <stdio.h>
117 #include <errno.h>
118 #define USE_SOCKETS
120 #include <openssl/evp.h>
121 #include <openssl/buffer.h>
122 #include <openssl/pqueue.h>
123 #include <openssl/rand.h>
125 /* mod 128 saturating subtract of two 64-bit values in big-endian order */
127 {
136 1
137 };
142 /* not reached on little-endians */
143 /*
144 * following test is redundant, because input is always aligned,
145 * but I take no chances...
146 */
156 else
168 }
174 }
175 }
180 else
182 }
190 #if 0
194 #endif
199 /* copy buffered record into SSL structure */
201 {
214 /* Set proper sequence number for mac calculation */
218 }
220 static int
222 {
226 /* Limit the size of the queue to prevent DOS attacks */
240 }
249 #ifndef OPENSSL_NO_SCTP
250 /* Store bio_dgram_sctp_rcvinfo struct */
256 }
257 #endif
271 }
273 /* insert should not fail, since duplicates are dropped */
281 }
284 }
287 {
298 }
301 }
303 /*
304 * retrieve a buffered record that belongs to the new epoch, i.e., not
305 * processed yet
306 */
307 #define dtls1_get_unprocessed_record(s) \
308 dtls1_retrieve_buffered_record((s), \
309 &((s)->d1->unprocessed_rcds))
311 /*
312 * retrieve a buffered record that belongs to the current epoch, ie,
313 * processed
314 */
315 #define dtls1_get_processed_record(s) \
316 dtls1_retrieve_buffered_record((s), \
317 &((s)->d1->processed_rcds))
320 {
325 /* Check if epoch is current. */
329 /* Process all the records. */
337 }
338 }
340 /*
341 * sync epoch numbers once all the unprocessed records have been
342 * processed
343 */
348 }
350 #if 0
353 {
355 PQ_64BIT priority =
359 /* if we're not (re)negotiating, nothing buffered */
365 /*
366 * Check if we've received the record of interest. It must be a
367 * handshake record, since data records as passed up without
368 * buffering
369 */
385 /* s->d1->next_expected_seq_num++; */
387 }
390 }
392 #endif
395 {
406 /*
407 * At this point, s->packet_length == SSL3_RT_HEADER_LNGTH + rr->length,
408 * and we have that many bytes in s->packet
409 */
412 /*
413 * ok, we can now read from 's->packet' data into 'rr' rr->input points
414 * at rr->length bytes, which need to be copied into rr->data by either
415 * the decryption or by the decompression When the data is 'copied' into
416 * the rr->data buffer, rr->input will be pointed at the new buffer
417 */
419 /*
420 * We now have - encrypted [ MAC [ compressed [ plain ] ] ] rr->length
421 * bytes of encrypted compressed stuff.
422 */
424 /* check is not needed I believe */
429 }
431 /* decrypt in place in 'rr->input' */
435 /*-
436 * enc_err is:
437 * 0: (in non-constant time) if the record is publically invalid.
438 * 1: if the padding is valid
439 * -1: if the padding is invalid
440 */
442 /* For DTLS we simply ignore bad packets. */
446 }
447 #ifdef TLS_DEBUG
449 {
453 }
455 #endif
457 /* r->length is now the compressed data plus mac */
460 /* s->read_hash != NULL => mac_size != -1 */
466 /*
467 * kludge: *_cbc_remove_padding passes padding length in rr->type
468 */
471 /*
472 * orig_len is the length of the record before any padding was
473 * removed. This is public information, as is the MAC in use,
474 * therefore we can safely process the record in a different amount
475 * of time if it's too short to possibly contain a MAC.
476 */
478 /* CBC records must have a padding length byte too. */
484 }
487 /*
488 * We update the length so that the TLS header bytes can be
489 * constructed correctly but we need to extract the MAC in
490 * constant time from within the record, without leaking the
491 * contents of the padding bytes.
492 */
497 /*
498 * In this case there's no padding, so |orig_len| equals
499 * |rec->length| and we checked that there's enough bytes for
500 * |mac_size| above.
501 */
504 }
512 }
515 /* decryption failed, silently discard message */
519 }
521 /* r->length is now just compressed */
526 SSL_R_COMPRESSED_LENGTH_TOO_LONG);
528 }
533 }
534 }
540 }
543 /*-
544 * So at this point the following is true
545 * ssl->s3->rrec.type is the type of record
546 * ssl->s3->rrec.length == number of bytes in record
547 * ssl->s3->rrec.off == offset to first valid byte
548 * ssl->s3->rrec.data == where to take bytes from, increment
549 * after use :-).
550 */
552 /* we have pulled in a full packet so zero things */
556 f_err:
558 err:
560 }
562 /*-
563 * Call this to get a new input record.
564 * It will return <= 0 if more data is needed, normally due to an error
565 * or non-blocking IO.
566 * When it finishes, one packet has been decoded and can be found in
567 * ssl->s3->rrec.type - is the type of record
568 * ssl->s3->rrec.data, - data
569 * ssl->s3->rrec.length, - number of bytes
570 */
571 /* used only by dtls1_read_bytes */
573 {
584 /*
585 * The epoch may have changed. If so, process all the pending records.
586 * This is a non-blocking operation.
587 */
591 /* if we're renegotiating, then there may be buffered records */
595 /* get something from the wire */
596 again:
597 /* check if we have the header */
601 /* read timeout is handled by dtls1_read_bytes */
605 /* this packet contained a partial record, dump it */
609 }
619 /* Pull apart the header into the DTLS1_RECORD */
625 /* sequence number is 64 bits, with top 2 bytes = epoch */
633 /* Lets check version */
636 /* unexpected version, silently discard */
640 }
641 }
644 /* wrong version, silently discard record */
648 }
651 /* record too long, silently discard it */
655 }
657 /* now s->rstate == SSL_ST_READ_BODY */
658 }
660 /* s->rstate == SSL_ST_READ_BODY, get and decode the data */
663 /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
666 /* this packet contained a partial record, dump it */
671 }
673 /*
674 * now n == rr->length, and s->packet_length ==
675 * DTLS1_RT_HEADER_LENGTH + rr->length
676 */
677 }
680 /* match epochs. NULL means the packet is dropped on the floor */
686 }
687 #ifndef OPENSSL_NO_SCTP
688 /* Only do replay check if no SCTP bio */
690 #endif
691 /*
692 * Check whether this is a repeat, or aged record. Don't check if
693 * we're listening and this message is a ClientHello. They can look
694 * as if they're replayed, since they arrive from different
695 * connections and would be dropped unnecessarily.
696 */
704 }
705 #ifndef OPENSSL_NO_SCTP
706 }
707 #endif
709 /* just read a 0 length packet */
713 /*
714 * If this record is from the next epoch (either HM or ALERT), and a
715 * handshake is currently in progress, buffer it since it cannot be
716 * processed at this time. However, do not buffer anything while
717 * listening.
718 */
724 /* Mark receipt of record. */
726 }
730 }
736 }
741 }
743 /*-
744 * Return up to 'len' payload bytes received in 'type' records.
745 * 'type' is one of the following:
746 *
747 * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us)
748 * - SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
749 * - 0 (during a shutdown, no data has to be returned)
750 *
751 * If we don't have stored data to work from, read a SSL/TLS record first
752 * (possibly multiple records if we still don't have anything to return).
753 *
754 * This function must handle any surprises the peer may have for us, such as
755 * Alert records (e.g. close_notify), ChangeCipherSpec records (not really
756 * a surprise, but handled as if it were), or renegotiation requests.
757 * Also if record payloads contain fragments too small to process, we store
758 * them until there is enough for the respective protocol (the record protocol
759 * may use arbitrary fragmentation and even interleaving):
760 * Change cipher spec protocol
761 * just 1 byte needed, no need for keeping anything stored
762 * Alert protocol
763 * 2 bytes needed (AlertLevel, AlertDescription)
764 * Handshake protocol
765 * 4 bytes needed (HandshakeType, uint24 length) -- we just have
766 * to detect unexpected Client Hello and Hello Request messages
767 * here, anything else is handled by higher layers
768 * Application data protocol
769 * none of our business
770 */
772 {
782 /* XXX: check what the second '&& type' is about */
788 }
790 /*
791 * check whether there's a handshake message (client hello?) waiting
792 */
796 /*
797 * Now s->d1->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE.
798 */
800 #ifndef OPENSSL_NO_SCTP
801 /*
802 * Continue handshake if it had to be interrupted to read app data with
803 * SCTP.
804 */
810 #else
812 #endif
813 {
814 /* type == SSL3_RT_APPLICATION_DATA */
821 }
822 }
824 start:
827 /*-
828 * s->s3->rrec.type - is the type of record
829 * s->s3->rrec.data, - data
830 * s->s3->rrec.off, - offset into 'data' for next read
831 * s->s3->rrec.length, - number of bytes.
832 */
835 /*
836 * We are not handshaking and have no data yet, so process data buffered
837 * during the last handshake in advance, if any.
838 */
843 #ifndef OPENSSL_NO_SCTP
844 /* Restore bio_dgram_sctp_rcvinfo struct */
849 }
850 #endif
856 }
857 }
859 /* Check for timeout */
863 /* get new packet if necessary */
868 /* anything other than a timeout is an error */
871 else
873 }
874 }
879 }
881 /* we now have a packet which can be read and processed */
884 * reset by ssl3_get_finished */
886 /*
887 * We now have application data between CCS and Finished. Most likely
888 * the packets were reordered on their way, so buffer the application
889 * data for later processing rather than dropping the connection.
890 */
895 }
898 }
900 /*
901 * If the other end has shut down, throw anything we read away (even in
902 * 'peek' mode)
903 */
908 }
911 * SSL3_RT_HANDSHAKE */
912 /*
913 * make sure that we are not getting application data when we are
914 * doing a handshake for the first time
915 */
921 }
928 else
938 }
939 }
940 #ifndef OPENSSL_NO_SCTP
941 /*
942 * We were about to renegotiate but had to read belated application
943 * data first, so retry.
944 */
952 }
954 /*
955 * We might had to delay a close_notify alert because of reordered
956 * app data. If there was an alert and there is no message to read
957 * anymore, finally set shutdown.
958 */
964 }
965 #endif
967 }
969 /*
970 * If we get here, then type != rr->type; if we have a handshake message,
971 * then it was unexpected (Hello Request or Client Hello).
972 */
974 /*
975 * In case of record types for which we have 'fragment' storage, fill
976 * that so that we can process the data at a fixed place.
977 */
978 {
991 }
992 #ifndef OPENSSL_NO_HEARTBEATS
996 /* Exit and notify application to read again */
1002 }
1003 #endif
1004 /* else it's a CCS message, or application data or wrong */
1006 /*
1007 * Application data while renegotiating is allowed. Try again
1008 * reading.
1009 */
1018 }
1020 /* Not certain if this is the right error handling */
1024 }
1027 /*
1028 * XDTLS: In a pathalogical case, the Client Hello may be
1029 * fragmented--don't always expect dest_maxlen bytes
1030 */
1032 #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
1033 /*
1034 * for normal alerts rr->length is 2, while
1035 * dest_maxlen is 7 if we were to handle this
1036 * non-existing alert...
1037 */
1038 FIX ME
1039 #endif
1043 }
1045 /* now move 'n' bytes: */
1049 }
1051 }
1052 }
1054 /*-
1055 * s->d1->handshake_fragment_len == 12 iff rr->type == SSL3_RT_HANDSHAKE;
1056 * s->d1->alert_fragment_len == 7 iff rr->type == SSL3_RT_ALERT.
1057 * (Possibly rr is 'empty' now, i.e. rr->length may be 0.)
1058 */
1060 /* If we are a client, check for an incoming 'Hello Request': */
1073 }
1075 /*
1076 * no need to check sequence number on HELLO REQUEST messages
1077 */
1096 SSL_R_SSL_HANDSHAKE_FAILURE);
1098 }
1103 /*
1104 * In the case where we try to read application data,
1105 * but we trigger an SSL handshake, we return -1 with
1106 * the retry option set. Otherwise renegotiation may
1107 * cause nasty problems in the blocking world
1108 */
1114 }
1115 }
1116 }
1117 }
1118 /*
1119 * we either finished a handshake or ignored the request, now try
1120 * again to obtain the (application) data we were asked for
1121 */
1123 }
1143 }
1148 #ifndef OPENSSL_NO_SCTP
1149 /*
1150 * With SCTP and streams the socket may deliver app data
1151 * after a close_notify alert. We have to check this first so
1152 * that nothing gets discarded.
1153 */
1161 }
1162 #endif
1165 }
1166 #if 0
1167 /* XXX: this is a possible improvement in the future */
1168 /* now check if it's a missing record */
1178 dtls1_get_queue_priority
1182 /*
1183 * fprintf( stderr,"in init = %d\n", SSL_in_init(s));
1184 */
1185 /*
1186 * requested a message not yet sent, send an alert
1187 * ourselves
1188 */
1190 DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
1191 }
1192 }
1193 #endif
1210 }
1213 }
1216 * shutdown */
1220 }
1231 /*
1232 * 'Change Cipher Spec' is just a single byte, so we know exactly
1233 * what the record payload has to look like
1234 */
1235 /* XDTLS: check that epoch is consistent */
1241 }
1249 /*
1250 * We can't process a CCS now, because previous handshake messages
1251 * are still missing, so just drop it.
1252 */
1255 }
1263 /* do this whenever CCS is processed */
1269 #ifndef OPENSSL_NO_SCTP
1270 /*
1271 * Remember that a CCS has been received, so that an old key of
1272 * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
1273 * SCTP is used
1274 */
1276 #endif
1279 }
1281 /*
1282 * Unexpected handshake message (Client Hello, or protocol violation)
1283 */
1288 /* this may just be a stale retransmit */
1293 }
1295 /*
1296 * If we are server, we may have a repeated FINISHED of the client
1297 * here, then retransmit our CCS and FINISHED.
1298 */
1306 }
1311 * are not as expected (and because this is
1312 * not really needed for clients except for
1313 * detecting protocol violations): */
1316 #else
1318 #endif
1321 }
1328 }
1333 /*
1334 * In the case where we try to read application data, but we
1335 * trigger an SSL handshake, we return -1 with the retry
1336 * option set. Otherwise renegotiation may cause nasty
1337 * problems in the blocking world
1338 */
1344 }
1345 }
1347 }
1351 #ifndef OPENSSL_NO_TLS
1352 /* TLS just ignores unknown message types */
1356 }
1357 #endif
1364 /*
1365 * we already handled all of these, with the possible exception of
1366 * SSL3_RT_HANDSHAKE when s->in_handshake is set, but that should not
1367 * happen when type != rr->type
1368 */
1373 /*
1374 * At this point, we were expecting handshake data, but have
1375 * application data. If the library was running inside ssl3_read()
1376 * (i.e. in_read_app_data is set) and it makes sense to read
1377 * application data at this point (session renegotiation not yet
1378 * started), we will indulge it.
1379 */
1388 )
1389 )) {
1396 }
1397 }
1398 /* not reached */
1400 f_err:
1402 err:
1404 }
1407 {
1410 #ifndef OPENSSL_NO_SCTP
1411 /*
1412 * Check if we have to continue an interrupted handshake for reading
1413 * belated app data with SCTP.
1414 */
1419 #else
1421 #endif
1422 {
1428 SSL_R_SSL_HANDSHAKE_FAILURE);
1430 }
1431 }
1436 }
1440 }
1442 /*
1443 * this only happens when a client hello is received and a handshake
1444 * is started.
1445 */
1446 static int
1449 {
1452 /* (partially) satisfy request from storage */
1453 {
1458 /* peek == 0 */
1462 len--;
1464 n++;
1465 }
1466 /* move any remaining fragment bytes: */
1470 }
1473 }
1475 /*
1476 * Call this to write data in records of type 'type' It will return <= 0 if
1477 * not all data has been sent or non-blocking IO.
1478 */
1480 {
1487 }
1491 {
1500 /*
1501 * first check if there is a SSL3_BUFFER still being written out. This
1502 * will happen with non blocking IO
1503 */
1507 }
1509 /* If we have an alert to send, lets send it */
1514 /* if it went, fall through and send more stuff */
1515 }
1534 }
1536 /* DTLS implements explicit IV, so no need for empty fragments */
1537 #if 0
1538 /*
1539 * 'create_empty_fragment' is true only when this function calls itself
1540 */
1543 {
1544 /*
1545 * countermeasure against known-IV weakness in CBC ciphersuites (see
1546 * http://www.openssl.org/~bodo/tls-cbc.txt)
1547 */
1550 /*
1551 * recursive function call with 'create_empty_fragment' set; this
1552 * prepares and buffers the data for an empty fragment (these
1553 * 'prefix_len' bytes are sent out later together with the actual
1554 * payload)
1555 */
1562 /* insufficient space */
1565 }
1566 }
1569 }
1570 #endif
1573 /* write the header */
1577 /*
1578 * Special case: for hello verify request, client version 1.0 and we
1579 * haven't decided which version to use yet send back using version 1.0
1580 * header: otherwise some clients will ignore it.
1581 */
1588 }
1590 /* field where we are to write out packet epoch, seq num and len */
1594 /* Explicit IV length, block ciphers appropriate version flag */
1601 }
1602 /* Need explicit part of IV for GCM mode */
1605 else
1610 /* lets setup the record stuff. */
1615 /*
1616 * we now 'read' from wr->input, wr->length bytes into wr->data
1617 */
1619 /* first we compress */
1624 }
1628 }
1630 /*
1631 * we should still have the output to wr->data and the input from
1632 * wr->input. Length should be wr->length. wr->data still points in the
1633 * wb->buf
1634 */
1640 }
1642 /* this is true regardless of mac size */
1652 /* record length after mac and block padding */
1653 /*
1654 * if (type == SSL3_RT_APPLICATION_DATA || (type == SSL3_RT_ALERT && !
1655 * SSL_in_init(s)))
1656 */
1658 /* there's only one epoch between handshake and app data */
1662 /* XDTLS: ?? */
1663 /*
1664 * else s2n(s->d1->handshake_epoch, pseq);
1665 */
1675 /*
1676 * we should now have wr->data pointing to the encrypted data, which is
1677 * wr->length long
1678 */
1683 /* buffer the record, making it easy to handle retransmits */
1687 #endif
1692 /*
1693 * we are in a recursive call; just return the length, don't write
1694 * out anything here
1695 */
1697 }
1699 /* now let's set up wb */
1703 /*
1704 * memorize arguments so that ssl3_write_pending can detect bad write
1705 * retries later
1706 */
1712 /* we now just need to write the buffer */
1714 err:
1716 }
1719 {
1728 }
1737 }
1740 {
1750 else
1757 }
1758 }
1761 {
1773 #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
1776 # if 0
1778 /*
1779 * waiting for a new msg
1780 */
1781 else
1783 # endif
1785 # if 0
1789 # endif
1791 }
1792 #endif
1797 /* fprintf( stderr, "not done with alert\n" ); */
1800 #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
1802 #endif
1803 )
1818 }
1819 }
1821 }
1825 {
1829 /* In current epoch, accept HM, CCS, DATA, & ALERT */
1833 /* Only HM and ALERT messages can be from the next epoch */
1838 }
1841 }
1843 #if 0
1844 static int
1847 {
1849 /* alerts are passed up immediately */
1853 /*
1854 * Only need to buffer if a handshake is underway. (this implies that
1855 * Hello Request and Client Hello are passed up immediately)
1856 */
1859 /* need to extract the HM/CCS sequence number here */
1874 }
1876 /*
1877 * this is either a record we're waiting for, or a retransmit of
1878 * something we happened to previously receive (higher layers
1879 * will drop the repeat silently
1880 */
1894 }
1897 }
1900 }
1901 #endif
1904 {
1918 }
1921 }