Add DTLS support to NSS, contributed by Eric Rescorla.

net/third_party/nss/ssl/ssl3con.c

 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * SSL3 Protocol
  *
  * ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
  * The contents of this file are subject to the Mozilla Public License Version
  * 1.1 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
@@ skipping 24 matching lines @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 /* $Id: ssl3con.c,v 1.173 2012/03/18 00:31:19 wtc%google.com Exp $ */
 
+/* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */

[Ryan Sleevi, 2012/03/22 22:26:37]

XXX instead (if upstreaming is intended)

+
 #include "cert.h"
 #include "ssl.h"
 #include "cryptohi.h"   /* for DSAU_ stuff */
 #include "keyhi.h"
 #include "secder.h"
 #include "secitem.h"
 
 #include "sslimpl.h"
 #include "sslproto.h"
 #include "sslerr.h"
@@ skipping 30 matching lines @@
 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
 static SECStatus ssl3_SendNextProto(         sslSocket *ss);
 static SECStatus ssl3_SendFinished(          sslSocket *ss, PRInt32 flags);
 static SECStatus ssl3_SendServerHello(       sslSocket *ss);
 static SECStatus ssl3_SendServerHelloDone(   sslSocket *ss);
 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss);
 static SECStatus ssl3_NewHandshakeHashes(    sslSocket *ss);
 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss,
                                              const unsigned char *b,
                                              unsigned int l);
+static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags);
 
 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
                              int maxOutputLen, const unsigned char *input,
                              int inputLen);
 
 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */
 #define MIN_SEND_BUF_LENGTH  4000
 
 #define MAX_CIPHER_SUITES 20
 
@@ skipping 109 matching lines @@
 }
 
 static const /*SSL3ClientCertificateType */ uint8 certificate_types [] = {
     ct_RSA_sign,
     ct_DSS_sign,
 #ifdef NSS_ENABLE_ECC
     ct_ECDSA_sign,
 #endif /* NSS_ENABLE_ECC */
 };
 
-#ifdef NSS_ENABLE_ZLIB
-/*
- * The DEFLATE algorithm can result in an expansion of 0.1% + 12 bytes. For a
- * maximum TLS record payload of 2**14 bytes, that's 29 bytes.
- */
-#define SSL3_COMPRESSION_MAX_EXPANSION 29
-#else  /* !NSS_ENABLE_ZLIB */
-#define SSL3_COMPRESSION_MAX_EXPANSION 0
-#endif
-
-/*
- * make sure there is room in the write buffer for padding and
- * other compression and cryptographic expansions.
- */
-#define SSL3_BUFFER_FUDGE     100 + SSL3_COMPRESSION_MAX_EXPANSION
-
 #define EXPORT_RSA_KEY_LENGTH 64        /* bytes */
 
 
 /* This global item is used only in servers.  It is is initialized by
 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest().
 */
 CERTDistNames *ssl3_server_ca_list = NULL;
 static SSL3Statistics ssl3stats;
 
 /* indexed by SSL3BulkCipher */
@@ skipping 260 matching lines @@
 static char *
 ssl3_DecodeHandshakeType(int msgType)
 {
     char * rv;
     static char line[40];
 
     switch(msgType) {
     case hello_request:         rv = "hello_request (0)";               break;
     case client_hello:          rv = "client_hello  (1)";               break;
     case server_hello:          rv = "server_hello  (2)";               break;
+    case hello_verify_request:  rv = "hello_verify_request (3)";        break;
     case certificate:           rv = "certificate  (11)";               break;
     case server_key_exchange:   rv = "server_key_exchange (12)";        break;
     case certificate_request:   rv = "certificate_request (13)";        break;
     case server_hello_done:     rv = "server_hello_done   (14)";        break;
     case certificate_verify:    rv = "certificate_verify  (15)";        break;
     case client_key_exchange:   rv = "client_key_exchange (16)";        break;
     case finished:              rv = "finished     (20)";               break;
     default:
         sprintf(line, "*UNKNOWN* handshake type! (%d)", msgType);
         rv = line;
@@ skipping 119 matching lines @@
         if (suite->enabled) {
             ++numEnabled;
             /* We need the cipher defs to see if we have a token that can handle
              * this cipher.  It isn't part of the static definition.
              */
             cipher_def = ssl_LookupCipherSuiteDef(suite->cipher_suite);
             if (!cipher_def) {
                 suite->isPresent = PR_FALSE;
                 continue;
             }
-            cipher_alg=bulk_cipher_defs[cipher_def->bulk_cipher_alg ].calg;
+            cipher_alg = bulk_cipher_defs[cipher_def->bulk_cipher_alg].calg;
             PORT_Assert(  alg2Mech[cipher_alg].calg == cipher_alg);
             cipher_mech = alg2Mech[cipher_alg].cmech;
             exchKeyType =
                     kea_defs[cipher_def->key_exchange_alg].exchKeyType;
 #ifndef NSS_ENABLE_ECC
             svrAuth = ss->serverCerts + exchKeyType;
 #else
             /* XXX SSLKEAType isn't really a good choice for 
              * indexing certificates. It doesn't work for
              * (EC)DHE-* ciphers. Here we use a hack to ensure
@@ skipping 471 matching lines @@
         PK11_DestroyContext(mat->write_mac_context, PR_TRUE);
         mat->write_mac_context = NULL;
     }
 }
 
 /* Called from ssl3_SendChangeCipherSpecs() and 
 **             ssl3_HandleChangeCipherSpecs()
 **             ssl3_DestroySSL3Info
 ** Caller must hold SpecWriteLock.
 */
-static void
+void
 ssl3_DestroyCipherSpec(ssl3CipherSpec *spec, PRBool freeSrvName)
 {
     PRBool freeit = (PRBool)(!spec->bypassCiphers);
 /*  PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); Don't have ss! */
     if (spec->destroy) {
         spec->destroy(spec->encodeContext, freeit);
         spec->destroy(spec->decodeContext, freeit);
         spec->encodeContext = NULL; /* paranoia */
         spec->decodeContext = NULL;
     }
@@ skipping 59 matching lines @@
 
     SSL_TRC(3, ("%d: SSL3[%d]: Set XXX Pending Cipher Suite to 0x%04x",
                 SSL_GETPID(), ss->fd, suite));
 
     suite_def = ssl_LookupCipherSuiteDef(suite);
     if (suite_def == NULL) {
         ssl_ReleaseSpecWriteLock(ss);
         return SECFailure;      /* error code set by ssl_LookupCipherSuiteDef */
     }
 
+    if (IS_DTLS(ss)) {
+        /* Double-check that we did not pick an RC4 suite */
+        PORT_Assert((suite_def->bulk_cipher_alg != cipher_rc4) &&
+                    (suite_def->bulk_cipher_alg != cipher_rc4_40) &&
+                    (suite_def->bulk_cipher_alg != cipher_rc4_56));

[Ryan Sleevi, 2012/03/22 22:26:37]

My understanding is that PORT_Assert is intended to catch implementation bugs /
developer bugs, not possible (but unlikely) runtime conditions.

It seems that this should either be a static check, causing a SECFailure return
(making sure to release the lock as on 1215 / 1259). Since RC4 is MUST NOT,
seems to me it should be an always-on check.

The other thing to consider is whether or not the "Is bulk cipher allowed in
DTLS" logic should be moved elsewhere. Yes, I realize RC4 is the only one with
issues ( http://www.iana.org/assignments/tls-parameters/tls-parameters.xml ), so
it may be YAGNI, but since there are security considerations, it seems like such
logic should be centralized - either in a function or as a flag on the bulk
cipher alg. Minor FWIW.

[ekr, 2012/03/23 12:46:41]

There is a separate place where this is allegedly enforced: 

ssl3_DisableNonDTLSSuites(sslSocket * ss). 

However, when we put this in I got nervous that a coding error could result in
us missing an invalid cipher. E.g., we added one but forgot to update
nonDTLSCipherSuites. The purpose of this check was to catch such errors. Does
that seem bad? 

[wtc, 2012/03/23 13:48:49]

I think the use of PORT_Assert is appropriate here because
we are not detecting a possible but unlikely runtime
condition.  We are detecting an NSS bug.

[Ryan Sleevi, 2012/03/26 19:11:55]

Good point. SGTM.

+    }
 
     cipher = suite_def->bulk_cipher_alg;
     kea    = suite_def->key_exchange_alg;
     mac    = suite_def->mac_alg;
     if (isTLS)
         mac += 2;
 
     ss->ssl3.hs.suite_def = suite_def;
     ss->ssl3.hs.kea_def   = &kea_defs[kea];
     PORT_Assert(ss->ssl3.hs.kea_def->kea == kea);
 
     pwSpec->cipher_def   = &bulk_cipher_defs[cipher];
     PORT_Assert(pwSpec->cipher_def->cipher == cipher);
 
     pwSpec->mac_def = &mac_defs[mac];
     PORT_Assert(pwSpec->mac_def->mac == mac);
 
     ss->sec.keyBits       = pwSpec->cipher_def->key_size        * BPB;
     ss->sec.secretKeyBits = pwSpec->cipher_def->secret_key_size * BPB;
     ss->sec.cipherType    = cipher;
 
     pwSpec->encodeContext = NULL;
     pwSpec->decodeContext = NULL;
 
     pwSpec->mac_size = pwSpec->mac_def->mac_size;
 
     pwSpec->compression_method = ss->ssl3.hs.compression;
     pwSpec->compressContext = NULL;
     pwSpec->decompressContext = NULL;
+    
+    /* Note: pwSpec == prSpec here so we're really doing the read side.
+     * The epoch is set up in InitPendingCipherSpec */
+    dtls_InitRecvdRecords(&pwSpec->recvdRecords);
 
     ssl_ReleaseSpecWriteLock(ss);  /*******************************/
     return SECSuccess;
 }
 
 #ifdef NSS_ENABLE_ZLIB
 #define SSL3_DEFLATE_CONTEXT_SIZE sizeof(z_stream)
 
 static SECStatus
 ssl3_MapZlibError(int zlib_error)
@@ skipping 477 matching lines @@
  * Sets error code, but caller probably should override to disambiguate.
  * NULL pms means re-use old master_secret.
  *
  * This code is common to the bypass and PKCS11 execution paths.
  * For the bypass case,  pms is NULL.
  */
 SECStatus
 ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms)
 {
     ssl3CipherSpec  *  pwSpec;
+    ssl3CipherSpec  *  cwSpec;
     SECStatus          rv;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     ssl_GetSpecWriteLock(ss);   /**************************************/
 
     PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
 
     pwSpec        = ss->ssl3.pwSpec;
+    cwSpec        = ss->ssl3.cwSpec;
 
     if (pms || (!pwSpec->msItem.len && !pwSpec->master_secret)) {
         rv = ssl3_DeriveMasterSecret(ss, pms);
         if (rv != SECSuccess) {
             goto done;  /* err code set by ssl3_DeriveMasterSecret */
         }
     }
     if (ss->opt.bypassPKCS11 && pwSpec->msItem.len && pwSpec->msItem.data) {
         /* Double Bypass succeeded in extracting the master_secret */
         const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
@@ skipping 12 matching lines @@
         rv = ssl3_DeriveConnectionKeysPKCS11(ss);
         if (rv == SECSuccess) {
             rv = ssl3_InitPendingContextsPKCS11(ss);
         }
     } else {
         PORT_Assert(pwSpec->master_secret);
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         rv = SECFailure;
     }
 
+    /* Generic behaviors -- common to all crypto methods */
+    if (!IS_DTLS(ss)) {
+        pwSpec->read_seq_num.high = pwSpec->write_seq_num.high = 0;
+    } else {
+        if (cwSpec->epoch == 65535) {

[Ryan Sleevi, 2012/03/22 22:26:37]

nit: PR_UINT16_MAX ?

+            /* The problem here is that we have rehandshaked too many
+             * times (you are not allowed to wrap the epoch). The
+             * spec says you should be discarding the connection
+             * and start over, so not much we can do here. */
+            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+            rv = SECFailure;
+        }
+        /* We only need to modify pwSpec since there is only one
+         * "pending" spec object being pointed to by pwSpec and
+         * cwSpec at different times.
+         *
+         * The sequence number has the high 16 bits as the epoch.
+         */
+        pwSpec->epoch = cwSpec->epoch + 1;
+        pwSpec->read_seq_num.high = pwSpec->write_seq_num.high =
+            pwSpec->epoch << 16;
+    }
+    pwSpec->read_seq_num.low = pwSpec->write_seq_num.low = 0;

[wtc, 2012/03/22 01:11:42]

rsleevi: this block of code is originally in
- ssl3_SendChangeCipherSpecs: lines 2818-2819 on the left
- ssl3_HandleChangeCipherSpecs: line 2881 on the left

I am not sure about moving the code here.  I've asked EKR
for clarification.

+
 done:
     ssl_ReleaseSpecWriteLock(ss);       /******************************/
     if (rv != SECSuccess)
         ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
     return rv;
 }
 
 /*
  * 60 bytes is 3 times the maximum length MAC size that is supported.
  */
@@ skipping 19 matching lines @@
 };
 
 /* Called from: ssl3_SendRecord()
 **              ssl3_HandleRecord()
 ** Caller must already hold the SpecReadLock. (wish we could assert that!)
 */
 static SECStatus
 ssl3_ComputeRecordMAC(
     ssl3CipherSpec *   spec,
     PRBool             useServerMacKey,
+    PRBool             isDTLS,
     SSL3ContentType    type,
     SSL3ProtocolVersion version,
     SSL3SequenceNumber seq_num,
     const SSL3Opaque * input,
     int                inputLength,
     unsigned char *    outbuf,
     unsigned int *     outLength)
 {
     const ssl3MACDef * mac_def;
     SECStatus          rv;
@@ skipping 17 matching lines @@
     ** NOT based on the version value in the record itself.
     ** But, we use the record'v version value in the computation.
     */
     if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
         temp[9]  = MSB(inputLength);
         temp[10] = LSB(inputLength);
         tempLen  = 11;
         isTLS    = PR_FALSE;
     } else {
         /* New TLS hash includes version. */
-        temp[9]  = MSB(version);
-        temp[10] = LSB(version);
+        if (isDTLS) {
+            SSL3ProtocolVersion dtls_version;
+
+            dtls_version = dtls_TLSVersionToDTLSVersion(version);
+            temp[9]  = MSB(dtls_version);
+            temp[10] = LSB(dtls_version);
+        } else {
+            temp[9]  = MSB(version);
+            temp[10] = LSB(version);
+        }
         temp[11] = MSB(inputLength);
         temp[12] = LSB(inputLength);
         tempLen  = 13;
         isTLS    = PR_TRUE;
     }
 
     PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen));
     PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength));
 
     mac_def = spec->mac_def;
@@ skipping 129 matching lines @@
         (PK11_NeedLogin(slot) && !PK11_IsLoggedIn(slot, NULL))) {
         isPresent = PR_FALSE;
     } 
     if (slot) {
         PK11_FreeSlot(slot);
     }
     return isPresent;
 }
 
 /* Caller must hold the spec read lock. */
-static SECStatus
+SECStatus
 ssl3_CompressMACEncryptRecord(ssl3CipherSpec *   cwSpec,
                               PRBool             isServer,
+                              PRBool             isDTLS,
                               SSL3ContentType    type,
                               const SSL3Opaque * pIn,
                               PRUint32           contentLen,
                               sslBuffer *        wrBuf)
 {
     const ssl3BulkCipherDef * cipher_def;
     SECStatus                 rv;
     PRUint32                  macLen = 0;
     PRUint32                  fragLen;
     PRUint32  p1Len, p2Len, oddLen = 0;
+    PRUint16                  headerLen;
     int                       ivLen = 0;
     int                       cipherBytes = 0;
 
     cipher_def = cwSpec->cipher_def;
+    headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH;
 
     if (cipher_def->type == type_block &&
         cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
         /* Prepend the per-record explicit IV using technique 2b from
          * RFC 4346 section 6.2.3.2: The IV is a cryptographically
          * strong random number XORed with the CBC residue from the previous
          * record.
          */
         ivLen = cipher_def->iv_size;
-        if (ivLen > wrBuf->space - SSL3_RECORD_HEADER_LENGTH) {
+        if (ivLen > wrBuf->space - headerLen) {
             PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
             return SECFailure;
         }
-        rv = PK11_GenerateRandom(wrBuf->buf + SSL3_RECORD_HEADER_LENGTH, ivLen);
+        rv = PK11_GenerateRandom(wrBuf->buf + headerLen, ivLen);
         if (rv != SECSuccess) {
             ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
             return rv;
         }
         rv = cwSpec->encode( cwSpec->encodeContext, 
-            wrBuf->buf + SSL3_RECORD_HEADER_LENGTH,
+            wrBuf->buf + headerLen,
             &cipherBytes,                       /* output and actual outLen */
             ivLen,                              /* max outlen */
-            wrBuf->buf + SSL3_RECORD_HEADER_LENGTH,
+            wrBuf->buf + headerLen,
             ivLen);                             /* input and inputLen*/
         if (rv != SECSuccess || cipherBytes != ivLen) {
             PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
             return SECFailure;
         }
     }
 
     if (cwSpec->compressor) {
         int outlen;
         rv = cwSpec->compressor(
             cwSpec->compressContext,
-            wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen, &outlen,
-            wrBuf->space - SSL3_RECORD_HEADER_LENGTH - ivLen, pIn, contentLen);
+            wrBuf->buf + headerLen + ivLen, &outlen,
+            wrBuf->space - headerLen - ivLen, pIn, contentLen);
         if (rv != SECSuccess)
             return rv;
-        pIn = wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen;
+        pIn = wrBuf->buf + headerLen + ivLen;
         contentLen = outlen;
     }
 
     /*
      * Add the MAC
      */
-    rv = ssl3_ComputeRecordMAC( cwSpec, isServer,
+    rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS,
         type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen,
-        wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen + contentLen, &macLen);
+        wrBuf->buf + headerLen + ivLen + contentLen, &macLen);
     if (rv != SECSuccess) {
         ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
         return SECFailure;
     }
     p1Len   = contentLen;
     p2Len   = macLen;
     fragLen = contentLen + macLen;      /* needs to be encrypted */
     PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024);
 
     /*
      * Pad the text (if we're doing a block cipher)
      * then Encrypt it
      */
     if (cipher_def->type == type_block) {
         unsigned char * pBuf;
         int             padding_length;
         int             i;
 
         oddLen = contentLen % cipher_def->block_size;
         /* Assume blockSize is a power of two */
         padding_length = cipher_def->block_size - 1 -
                         ((fragLen) & (cipher_def->block_size - 1));
         fragLen += padding_length + 1;
         PORT_Assert((fragLen % cipher_def->block_size) == 0);
 
         /* Pad according to TLS rules (also acceptable to SSL3). */
-        pBuf = &wrBuf->buf[SSL3_RECORD_HEADER_LENGTH + ivLen + fragLen - 1];
+        pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1];
         for (i = padding_length + 1; i > 0; --i) {
             *pBuf-- = padding_length;
         }
         /* now, if contentLen is not a multiple of block size, fix it */
         p2Len = fragLen - p1Len;
     }
     if (p1Len < 256) {
         oddLen = p1Len;
         p1Len = 0;
     } else {
         p1Len -= oddLen;
     }
     if (oddLen) {
         p2Len += oddLen;
         PORT_Assert( (cipher_def->block_size < 2) || \
                      (p2Len % cipher_def->block_size) == 0);
-        memmove(wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen + p1Len,
-                pIn + p1Len, oddLen);
+        memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len, oddLen);
     }
     if (p1Len > 0) {
         int cipherBytesPart1 = -1;
         rv = cwSpec->encode( cwSpec->encodeContext, 
-            wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen, /* output */
+            wrBuf->buf + headerLen + ivLen,         /* output */
             &cipherBytesPart1,                      /* actual outlen */
             p1Len,                                  /* max outlen */
             pIn, p1Len);                      /* input, and inputlen */
         PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len);
         if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) {
             PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
             return SECFailure;
         }
         cipherBytes += cipherBytesPart1;
     }
     if (p2Len > 0) {
         int cipherBytesPart2 = -1;
         rv = cwSpec->encode( cwSpec->encodeContext, 
-            wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen + p1Len,
+            wrBuf->buf + headerLen + ivLen + p1Len,
             &cipherBytesPart2,          /* output and actual outLen */
             p2Len,                             /* max outlen */
-            wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen + p1Len,
+            wrBuf->buf + headerLen + ivLen + p1Len,
             p2Len);                            /* input and inputLen*/
         PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len);
         if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) {
             PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
             return SECFailure;
         }
         cipherBytes += cipherBytesPart2;
     }   
     PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024);
 
+    wrBuf->len    = cipherBytes + headerLen;
+    wrBuf->buf[0] = type;
+    if (isDTLS) {
+        SSL3ProtocolVersion version;
+
+        version = dtls_TLSVersionToDTLSVersion(cwSpec->version);
+        wrBuf->buf[1] = MSB(version);
+        wrBuf->buf[2] = LSB(version);
+        wrBuf->buf[3] = (unsigned char)(cwSpec->write_seq_num.high >> 24);
+        wrBuf->buf[4] = (unsigned char)(cwSpec->write_seq_num.high >> 16);
+        wrBuf->buf[5] = (unsigned char)(cwSpec->write_seq_num.high >>  8);
+        wrBuf->buf[6] = (unsigned char)(cwSpec->write_seq_num.high >>  0);
+        wrBuf->buf[7] = (unsigned char)(cwSpec->write_seq_num.low  >> 24);
+        wrBuf->buf[8] = (unsigned char)(cwSpec->write_seq_num.low  >> 16);
+        wrBuf->buf[9] = (unsigned char)(cwSpec->write_seq_num.low  >>  8);
+        wrBuf->buf[10] = (unsigned char)(cwSpec->write_seq_num.low >>  0);
+        wrBuf->buf[11] = MSB(cipherBytes);
+        wrBuf->buf[12] = LSB(cipherBytes);
+    } else {
+        wrBuf->buf[1] = MSB(cwSpec->version);
+        wrBuf->buf[2] = LSB(cwSpec->version);
+        wrBuf->buf[3] = MSB(cipherBytes);
+        wrBuf->buf[4] = LSB(cipherBytes);
+    }
+
     ssl3_BumpSequenceNumber(&cwSpec->write_seq_num);
 
-    wrBuf->len    = cipherBytes + SSL3_RECORD_HEADER_LENGTH;
-    wrBuf->buf[0] = type;
-    wrBuf->buf[1] = MSB(cwSpec->version);
-    wrBuf->buf[2] = LSB(cwSpec->version);
-    wrBuf->buf[3] = MSB(cipherBytes);
-    wrBuf->buf[4] = LSB(cipherBytes);
-
     return SECSuccess;
 }
 
 /* Process the plain text before sending it.
  * Returns the number of bytes of plaintext that were successfully sent
  *      plus the number of bytes of plaintext that were copied into the
  *      output (write) buffer.
  * Returns SECFailure on a hard IO error, memory error, or crypto error.
  * Does NOT return SECWouldBlock.
  *
  * Notes on the use of the private ssl flags:
  * (no private SSL flags)
  *    Attempt to make and send SSL records for all plaintext
  *    If non-blocking and a send gets WOULD_BLOCK,
  *    or if the pending (ciphertext) buffer is not empty,
  *    then buffer remaining bytes of ciphertext into pending buf,
  *    and continue to do that for all succssive records until all
  *    bytes are used.
  * ssl_SEND_FLAG_FORCE_INTO_BUFFER
  *    As above, except this suppresses all write attempts, and forces
  *    all ciphertext into the pending ciphertext buffer.
+ * ssl_SEND_FLAG_USE_EPOCH (for DTLS)
+ *    Forces the use of the provided epoch
  *
  */
-static PRInt32
+PRInt32
 ssl3_SendRecord(   sslSocket *        ss,
+                   DTLSEpoch          epoch, /* DTLS only */
                    SSL3ContentType    type,
                    const SSL3Opaque * pIn,   /* input buffer */
                    PRInt32            nIn,   /* bytes of input */
                    PRInt32            flags)
 {
     sslBuffer      *          wrBuf       = &ss->sec.writeBuf;
     SECStatus                 rv;
     PRInt32                   totalSent   = 0;
 
     SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d",
@@ skipping 51 matching lines @@
                 SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes",
                          SSL_GETPID(), ss->fd, spaceNeeded));
                 goto spec_locked_loser; /* sslBuffer_Grow set error code. */
             }
         }
 
         if (numRecords == 2) {
             sslBuffer secondRecord;
 
             rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
-                                               ss->sec.isServer, type, pIn, 1,
-                                               wrBuf);
+                                               ss->sec.isServer, IS_DTLS(ss),
+                                               type, pIn, 1, wrBuf);

[Ryan Sleevi, 2012/03/22 22:26:37]

nit: tabs & spaces inconsistently mixed.

             if (rv != SECSuccess)
                 goto spec_locked_loser;
 
             PRINT_BUF(50, (ss, "send (encrypted) record data [1/2]:",
                            wrBuf->buf, wrBuf->len));
 
             secondRecord.buf = wrBuf->buf + wrBuf->len;
             secondRecord.len = 0;
             secondRecord.space = wrBuf->space - wrBuf->len;
 
             rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
-                                               ss->sec.isServer, type, pIn + 1,
-                                               contentLen - 1, &secondRecord);
+                                               ss->sec.isServer, IS_DTLS(ss),
+                                               type, pIn + 1, contentLen - 1,
+                                               &secondRecord);
             if (rv == SECSuccess) {
                 PRINT_BUF(50, (ss, "send (encrypted) record data [2/2]:",
                                secondRecord.buf, secondRecord.len));
                 wrBuf->len += secondRecord.len;
             }
         } else {
-            rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
-                                               ss->sec.isServer, type, pIn,
-                                               contentLen, wrBuf);
+            if (!IS_DTLS(ss)) {
+                rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
+                                                   ss->sec.isServer,
+                                                   IS_DTLS(ss),
+                                                   type, pIn,
+                                                   contentLen, wrBuf);
+            } else {
+                rv = dtls_CompressMACEncryptRecord(ss, epoch,
+                                                   !!(flags & ssl_SEND_FLAG_USE_EPOCH),
+                                                   type, pIn,
+                                                   contentLen, wrBuf);
+            }
+
             if (rv == SECSuccess) {
                 PRINT_BUF(50, (ss, "send (encrypted) record data:",
                                wrBuf->buf, wrBuf->len));
             }
         }
 
 spec_locked_loser:
         ssl_ReleaseSpecReadLock(ss); /************************************/
 
         if (rv != SECSuccess)
@@ skipping 37 matching lines @@
             if (sent < 0) {
                 if (PR_GetError() != PR_WOULD_BLOCK_ERROR) {
                     ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE);
                     return SECFailure;
                 }
                 /* we got PR_WOULD_BLOCK_ERROR, which means none was sent. */
                 sent = 0;
             }
             wrBuf->len -= sent;
             if (wrBuf->len) {
+                if (IS_DTLS(ss)) {
+                    /* DTLS just says no in this case. No buffering */
+                    PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
+                    return SECFailure;
+                }
                 /* now take all the remaining unsent new ciphertext and 
                  * append it to the buffer of previously unsent ciphertext.
                  */
                 rv = ssl_SaveWriteData(ss, wrBuf->buf + sent, wrBuf->len);
                 if (rv != SECSuccess) {
                     /* presumably a memory error, SEC_ERROR_NO_MEMORY */
                     return SECFailure;
                 }
             }
         }
         totalSent += contentLen;
     }
     return totalSent;
 }
 
 #define SSL3_PENDING_HIGH_WATER 1024
 
 /* Attempt to send the content of "in" in an SSL application_data record.
  * Returns "len" or SECFailure,   never SECWouldBlock, nor SECSuccess.
  */
 int
 ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in,
                          PRInt32 len, PRInt32 flags)
 {
     PRInt32   totalSent = 0;
     PRInt32   discarded = 0;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
+    /* These flags for internal use only */
+    PORT_Assert(!(flags & (ssl_SEND_FLAG_USE_EPOCH |
+                           ssl_SEND_FLAG_NO_RETRANSMIT)));
     if (len < 0 || !in) {
         PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
         return SECFailure;
     }
 
     if (ss->pendingBuf.len > SSL3_PENDING_HIGH_WATER &&
         !ssl_SocketIsBlocking(ss)) {
         PORT_Assert(!ssl_SocketIsBlocking(ss));
         PORT_SetError(PR_WOULD_BLOCK_ERROR);
         return SECFailure;
@@ skipping 17 matching lines @@
              * The thread yield is intended to give the reader thread a
              * chance to get some cycles while the writer thread is in
              * the middle of a large application data write.  (See
              * Bugzilla bug 127740, comment #1.)
              */
             ssl_ReleaseXmitBufLock(ss);
             PR_Sleep(PR_INTERVAL_NO_WAIT);      /* PR_Yield(); */
             ssl_GetXmitBufLock(ss);
         }
         toSend = PR_MIN(len - totalSent, MAX_FRAGMENT_LENGTH);
-        sent = ssl3_SendRecord(ss, content_application_data, 
+        /*
+         * Note that the 0 epoch is OK because flags will never require 
+         * its use, as guaranteed by the PORT_Assert above.
+         */
+        sent = ssl3_SendRecord(ss, 0, content_application_data,
                                in + totalSent, toSend, flags);
         if (sent < 0) {
             if (totalSent > 0 && PR_GetError() == PR_WOULD_BLOCK_ERROR) {
                 PORT_Assert(ss->lastWriteBlocked);
                 break;
             }
             return SECFailure; /* error code set by ssl3_SendRecord */
         }
         totalSent += sent;
         if (ss->pendingBuf.len) {
@@ skipping 14 matching lines @@
         if (totalSent <= 0) {
             PORT_SetError(PR_WOULD_BLOCK_ERROR);
             totalSent = SECFailure;
         }
         return totalSent;
     } 
     ss->appDataBuffered = 0;
     return totalSent + discarded;
 }
 
-/* Attempt to send the content of sendBuf buffer in an SSL handshake record.
+/* Attempt to send buffered handshake messages.
  * This function returns SECSuccess or SECFailure, never SECWouldBlock.
  * Always set sendBuf.len to 0, even when returning SECFailure.
  *
+ * Depending on whether we are doing DTLS or not, this either calls
+ *
+ * - ssl3_FlushHandshakeMessages if non-DTLS
+ * - dtls_FlushHandshakeMessages if DTLS
+ *
  * Called from SSL3_SendAlert(), ssl3_SendChangeCipherSpecs(),
  *             ssl3_AppendHandshake(), ssl3_SendClientHello(),
  *             ssl3_SendHelloRequest(), ssl3_SendServerHelloDone(),
  *             ssl3_SendFinished(),
  */
 static SECStatus
 ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags)
 {
+    if (IS_DTLS(ss)) {
+        return dtls_FlushHandshakeMessages(ss, flags);
+    } else {
+        return ssl3_FlushHandshakeMessages(ss, flags);
+    }
+}
+
+/* Attempt to send the content of sendBuf buffer in an SSL handshake record.
+ * This function returns SECSuccess or SECFailure, never SECWouldBlock.
+ * Always set sendBuf.len to 0, even when returning SECFailure.
+ *
+ * Called from ssl3_FlushHandshake
+ */
+static SECStatus
+ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags)
+{
     PRInt32 rv = SECSuccess;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
 
     if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len)
         return rv;
 
     /* only this flag is allowed */
     PORT_Assert(!(flags & ~ssl_SEND_FLAG_FORCE_INTO_BUFFER));
     if ((flags & ~ssl_SEND_FLAG_FORCE_INTO_BUFFER) != 0) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         rv = SECFailure;
     } else {
-        rv = ssl3_SendRecord(ss, content_handshake, ss->sec.ci.sendBuf.buf,
+        rv = ssl3_SendRecord(ss, 0, content_handshake, ss->sec.ci.sendBuf.buf,
                              ss->sec.ci.sendBuf.len, flags);
     }
     if (rv < 0) { 
         int err = PORT_GetError();
         PORT_Assert(err != PR_WOULD_BLOCK_ERROR);
         if (err == PR_WOULD_BLOCK_ERROR) {
             PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         }
     } else if (rv < ss->sec.ci.sendBuf.len) {
         /* short write should never happen */
@@ skipping 96 matching lines @@
     ssl_GetSSL3HandshakeLock(ss);
     if (level == alert_fatal) {
         if (ss->sec.ci.sid) {
             ss->sec.uncache(ss->sec.ci.sid);
         }
     }
     ssl_GetXmitBufLock(ss);
     rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
     if (rv == SECSuccess) {
         PRInt32 sent;
-        sent = ssl3_SendRecord(ss, content_alert, bytes, 2, 
+        sent = ssl3_SendRecord(ss, 0, content_alert, bytes, 2, 
                                desc == no_certificate 
                                ? ssl_SEND_FLAG_FORCE_INTO_BUFFER : 0);
         rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
     }
     ssl_ReleaseXmitBufLock(ss);
     ssl_ReleaseSSL3HandshakeLock(ss);
     return rv;  /* error set by ssl3_FlushHandshake or ssl3_SendRecord */
 }
 
 /*
@@ skipping 53 matching lines @@
     SSL_DBG(("%d: SSL3[%d]: peer certificate is no good: error=%d",
              SSL_GETPID(), ss->fd, errCode));
 
     (void) SSL3_SendAlert(ss, alert_fatal, desc);
 }
 
 
 /*
  * Send handshake_Failure alert.  Set generic error number.
  */
-static SECStatus
+SECStatus
 ssl3_DecodeError(sslSocket *ss)
 {
     (void)SSL3_SendAlert(ss, alert_fatal, 
                   ss->version > SSL_LIBRARY_VERSION_3_0 ? decode_error 
                                                         : illegal_parameter);
     PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
                                     : SSL_ERROR_BAD_SERVER );
     return SECFailure;
 }
 
@@ skipping 67 matching lines @@
                         error = SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT; break;
     case unrecognized_name: 
                         error = SSL_ERROR_UNRECOGNIZED_NAME_ALERT;        break;
     case bad_certificate_status_response: 
                         error = SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT; break;
     case bad_certificate_hash_value: 
                         error = SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT;      break;
     default:            error = SSL_ERROR_RX_UNKNOWN_ALERT;               break;
     }
     if (level == alert_fatal) {
-        ss->sec.uncache(ss->sec.ci.sid);
+        if (!ss->opt.noCache)
+            ss->sec.uncache(ss->sec.ci.sid);

[wtc, 2012/03/22 01:11:42]

rsleevi: this is a fix for the crash described in NSS bug 
https://bugzilla.mozilla.org/show_bug.cgi?id=540535#c2

         if ((ss->ssl3.hs.ws == wait_server_hello) &&
             (desc == handshake_failure)) {
             /* XXX This is a hack.  We're assuming that any handshake failure
              * XXX on the client hello is a failure to match ciphers.
              */
             error = SSL_ERROR_NO_CYPHER_OVERLAP;
         }
         PORT_SetError(error);
         return SECFailure;
     }
@@ skipping 30 matching lines @@
     SSL_TRC(3, ("%d: SSL3[%d]: send change_cipher_spec record",
                 SSL_GETPID(), ss->fd));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
     if (rv != SECSuccess) {
         return rv;      /* error code set by ssl3_FlushHandshake */
     }
-    sent = ssl3_SendRecord(ss, content_change_cipher_spec, &change, 1,
-                              ssl_SEND_FLAG_FORCE_INTO_BUFFER);
-    if (sent < 0) {
-        return (SECStatus)sent; /* error code set by ssl3_SendRecord */
+    if (!IS_DTLS(ss)) {
+        sent = ssl3_SendRecord(ss, 0, content_change_cipher_spec, &change, 1,
+                               ssl_SEND_FLAG_FORCE_INTO_BUFFER);
+        if (sent < 0) {
+            return (SECStatus)sent;     /* error code set by ssl3_SendRecord */
+        }
+    } else {
+        rv = dtls_QueueMessage(ss, content_change_cipher_spec, &change, 1);
+        if (rv != SECSuccess) {
+            return rv;
+        }
     }
 
     /* swap the pending and current write specs. */
     ssl_GetSpecWriteLock(ss);   /**************************************/
     pwSpec                     = ss->ssl3.pwSpec;
-    pwSpec->write_seq_num.high = 0;
-    pwSpec->write_seq_num.low  = 0;
 
     ss->ssl3.pwSpec = ss->ssl3.cwSpec;
     ss->ssl3.cwSpec = pwSpec;
 
     SSL_TRC(3, ("%d: SSL3[%d] Set Current Write Cipher Suite to Pending",
                 SSL_GETPID(), ss->fd ));
 
     /* We need to free up the contexts, keys and certs ! */
     /* If we are really through with the old cipher spec
      * (Both the read and write sides have changed) destroy it.
      */
     if (ss->ssl3.prSpec == ss->ssl3.pwSpec) {
-        ssl3_DestroyCipherSpec(ss->ssl3.pwSpec, PR_FALSE/*freeSrvName*/);
+        if (!IS_DTLS(ss)) {
+            ssl3_DestroyCipherSpec(ss->ssl3.pwSpec, PR_FALSE/*freeSrvName*/);
+        } else {
+            /* With DTLS, we need to set a holddown timer in case the final
+             * message got lost */
+            ss->ssl3.hs.rtTimeoutMs = DTLS_FINISHED_TIMER_MS;
+            dtls_StartTimer(ss, dtls_FinishedTimerCb);
+        }
     }
     ssl_ReleaseSpecWriteLock(ss); /**************************************/
 
     return SECSuccess;
 }
 
 /* Called from ssl3_HandleRecord.
 ** Caller must hold both RecvBuf and Handshake locks.
  *
  * Acquires and releases spec write lock, to protect switching the current
@@ skipping 28 matching lines @@
         /* illegal_parameter is correct here for both SSL3 and TLS. */
         (void)ssl3_IllegalParameter(ss);
         PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
         return SECFailure;
     }
     buf->len = 0;
 
     /* Swap the pending and current read specs. */
     ssl_GetSpecWriteLock(ss);   /*************************************/
     prSpec                    = ss->ssl3.prSpec;
-    prSpec->read_seq_num.high = prSpec->read_seq_num.low = 0;
 
     ss->ssl3.prSpec  = ss->ssl3.crSpec;
     ss->ssl3.crSpec  = prSpec;
 
     if (ss->sec.isServer &&
         ss->opt.requestCertificate &&
         ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
         ss->ssl3.hs.ws = wait_client_cert;
     } else {
         ss->ssl3.hs.ws = wait_finished;
@@ skipping 82 matching lines @@
                                  keyData->data, keyData->len);
                 }
             }
         }
 #endif
         pwSpec->master_secret = PK11_DeriveWithFlags(pms, master_derive, 
                                 &params, key_derive, CKA_DERIVE, 0, keyFlags);
         if (!isDH && pwSpec->master_secret && ss->opt.detectRollBack) {
             SSL3ProtocolVersion client_version;
             client_version = pms_version.major << 8 | pms_version.minor;
+
+            if (IS_DTLS(ss)) {
+                client_version = dtls_DTLSVersionToTLSVersion(client_version);
+            }
+
             if (client_version != ss->clientHelloVersion) {
                 /* Destroy it.  Version roll-back detected. */
                 PK11_FreeSymKey(pwSpec->master_secret);
                 pwSpec->master_secret = NULL;
             }
         }
         if (pwSpec->master_secret == NULL) {
             /* Generate a faux master secret in the same slot as the old one. */
             PK11SlotInfo * slot = PK11_GetSlotFromKey((PK11SymKey *)pms);
             PK11SymKey *   fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot);
@@ skipping 404 matching lines @@
     SSL_TRC(60, ("data:"));
     rv = ssl3_AppendHandshake(ss, src, bytes);
     return rv;  /* error code set by AppendHandshake, if applicable. */
 }
 
 SECStatus
 ssl3_AppendHandshakeHeader(sslSocket *ss, SSL3HandshakeType t, PRUint32 length)
 {
     SECStatus rv;
 
+    /* If we already have a message in place, we need to enqueue it.
+     * This empties the buffer
+     */
+    if (IS_DTLS(ss)) {
+        rv = dtls_StageHandshakeMessage(ss);
+        if (rv != SECSuccess) {
+            return rv;
+        }
+    }
+
     SSL_TRC(30,("%d: SSL3[%d]: append handshake header: type %s",
         SSL_GETPID(), ss->fd, ssl3_DecodeHandshakeType(t)));
     PRINT_BUF(60, (ss, "MD5 handshake hash:",
                   (unsigned char*)ss->ssl3.hs.md5_cx, MD5_LENGTH));
     PRINT_BUF(95, (ss, "SHA handshake hash:",
                   (unsigned char*)ss->ssl3.hs.sha_cx, SHA1_LENGTH));
 
     rv = ssl3_AppendHandshakeNumber(ss, t, 1);
     if (rv != SECSuccess) {
         return rv;      /* error code set by AppendHandshake, if applicable. */
     }
     rv = ssl3_AppendHandshakeNumber(ss, length, 3);
+    if (rv != SECSuccess) {
+        return rv;      /* error code set by AppendHandshake, if applicable. */
+    }
+
+    if (IS_DTLS(ss)) {
+        /* Note that we make an unfragmented message here. We fragment in the
+         * transmission code, if necessary */
+        rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.sendMessageSeq, 2);
+        if (rv != SECSuccess) {
+            return rv;  /* error code set by AppendHandshake, if applicable. */
+        }
+        ss->ssl3.hs.sendMessageSeq++;

[Ryan Sleevi, 2012/03/22 22:26:37]

I admit, I haven't fully analyzed this code, but when I see a naked increment
like this, I wonder - where is the code that checks for over/underflow, if
necessary?

IIRC, this resets every CCS message, but it was just a thought.

[wtc, 2012/03/23 00:21:18]

This should be reset at the beginning of each handshake,
and is incremented for each handshake message.  A retransmitted
handshake message uses the same message sequence number.
So with the current DTLS handshake protocol
ss->ssl3.hs.sendMessageSeq won't be larger than 20.

+
+        /* 0 is the fragment offset, because it's not fragmented yet */
+        rv = ssl3_AppendHandshakeNumber(ss, 0, 3);
+        if (rv != SECSuccess) {
+            return rv;  /* error code set by AppendHandshake, if applicable. */
+        }
+
+        /* Fragment length -- set to the packet length because not fragmented */
+        rv = ssl3_AppendHandshakeNumber(ss, length, 3);
+        if (rv != SECSuccess) {
+            return rv;  /* error code set by AppendHandshake, if applicable. */
+        }
+    }
+
     return rv;          /* error code set by AppendHandshake, if applicable. */
 }
 
 /**************************************************************************
  * Consume Handshake functions.
  *
  * All data used in these functions is protected by two locks,
  * the RecvBufLock and the SSL3HandshakeLock
  **************************************************************************/
 
@@ skipping 386 matching lines @@
 }
 
 /**************************************************************************
  * end of Handshake Hash functions.
  * Begin Send and Handle functions for handshakes.
  **************************************************************************/
 
 /* Called from ssl3_HandleHelloRequest(),
  *             ssl3_RedoHandshake()
  *             ssl2_BeginClientHandshake (when resuming ssl3 session)
+ *             dtls_HandleHelloVerifyRequest(with resending=PR_TRUE)
  */
 SECStatus
-ssl3_SendClientHello(sslSocket *ss)
+ssl3_SendClientHello(sslSocket *ss, PRBool resending)
 {
     sslSessionID *   sid;
     ssl3CipherSpec * cwSpec;
     SECStatus        rv;
     int              i;
     int              length;
     int              num_suites;
     int              actual_count = 0;
     PRBool           isTLS = PR_FALSE;
     PRInt32          total_exten_len = 0;
     unsigned         numCompressionMethods;
 
     SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(),
                 ss->fd));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
 
     rv = ssl3_InitState(ss);
     if (rv != SECSuccess) {
         return rv;              /* ssl3_InitState has set the error code. */
     }
     ss->ssl3.hs.sendingSCSV = PR_FALSE; /* Must be reset every handshake */
+    PORT_Assert(IS_DTLS(ss) || !resending);
 
     /* We might be starting a session renegotiation in which case we should
      * clear previous state.
      */
     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
 
     SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
             SSL_GETPID(), ss->fd ));
     rv = ssl3_RestartHandshakeHashes(ss);
     if (rv != SECSuccess) {
@@ skipping 139 matching lines @@
             total_exten_len += 2;
     }
 
 #if defined(NSS_ENABLE_ECC) && !defined(NSS_ECC_MORE_THAN_SUITE_B)
     if (!total_exten_len || !isTLS) {
         /* not sending the elliptic_curves and ec_point_formats extensions */
         ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */
     }
 #endif
 
+    if (IS_DTLS(ss)) {
+        ssl3_DisableNonDTLSSuites(ss);
+    }
+
     /* how many suites are permitted by policy and user preference? */
     num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE);
     if (!num_suites)
         return SECFailure;      /* count_cipher_suites has set error code. */
     if (ss->ssl3.hs.sendingSCSV) {
         ++num_suites;   /* make room for SCSV */
     }
 
     /* count compression methods */
     numCompressionMethods = 0;
     for (i = 0; i < compressionMethodsCount; i++) {
         if (compressionEnabled(ss, compressions[i]))
             numCompressionMethods++;
     }
 
     length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH +
         1 + ((sid == NULL) ? 0 : sid->u.ssl3.sessionIDLength) +
         2 + num_suites*sizeof(ssl3CipherSuite) +
         1 + numCompressionMethods + total_exten_len;
+    if (IS_DTLS(ss)) {
+        length += 1 + ss->ssl3.hs.cookieLen;
+    }
 
     rv = ssl3_AppendHandshakeHeader(ss, client_hello, length);
     if (rv != SECSuccess) {
         return rv;      /* err set by ssl3_AppendHandshake* */
     }
 
     ss->clientHelloVersion = ss->version;
-    rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2);
+    if (IS_DTLS(ss)) {
+        PRUint16 version;
+
+        version = dtls_TLSVersionToDTLSVersion(ss->clientHelloVersion);
+        rv = ssl3_AppendHandshakeNumber(ss, version, 2);
+    } else {
+        rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2);
+    }
     if (rv != SECSuccess) {
         return rv;      /* err set by ssl3_AppendHandshake* */
     }
-    rv = ssl3_GetNewRandom(&ss->ssl3.hs.client_random);
-    if (rv != SECSuccess) {
-        return rv;      /* err set by GetNewRandom. */
+
+    if (!resending) { /* Don't re-generate if we are in DTLS re-sending mode */
+        rv = ssl3_GetNewRandom(&ss->ssl3.hs.client_random);
+        if (rv != SECSuccess) {
+            return rv;  /* err set by GetNewRandom. */
+        }
     }
     rv = ssl3_AppendHandshake(ss, &ss->ssl3.hs.client_random,
                               SSL3_RANDOM_LENGTH);
     if (rv != SECSuccess) {
         return rv;      /* err set by ssl3_AppendHandshake* */
     }
 
     if (sid)
         rv = ssl3_AppendHandshakeVariable(
             ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
     else
         rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
     if (rv != SECSuccess) {
         return rv;      /* err set by ssl3_AppendHandshake* */
     }
 
+    if (IS_DTLS(ss)) {
+        rv = ssl3_AppendHandshakeVariable(
+            ss, ss->ssl3.hs.cookie, ss->ssl3.hs.cookieLen, 1);
+        if (rv != SECSuccess) {
+            return rv;  /* err set by ssl3_AppendHandshake* */
+        }
+    }
+
     rv = ssl3_AppendHandshakeNumber(ss, num_suites*sizeof(ssl3CipherSuite), 2);
     if (rv != SECSuccess) {
         return rv;      /* err set by ssl3_AppendHandshake* */
     }
 
     if (ss->ssl3.hs.sendingSCSV) {
         /* Add the actual SCSV */
         rv = ssl3_AppendHandshakeNumber(ss, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
                                         sizeof(ssl3CipherSuite));
         if (rv != SECSuccess) {
@@ skipping 103 matching lines @@
         PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
         return SECFailure;
     }
 
     if (sid) {
         ss->sec.uncache(sid);
         ssl_FreeSID(sid);
         ss->sec.ci.sid = NULL;
     }
 
+    if (IS_DTLS(ss)) {
+        dtls_RehandshakeCleanup(ss);
+    }
+
     ssl_GetXmitBufLock(ss);
-    rv = ssl3_SendClientHello(ss);
+    rv = ssl3_SendClientHello(ss, PR_FALSE);
     ssl_ReleaseXmitBufLock(ss);
 
     return rv;
 }
 
 #define UNKNOWN_WRAP_MECHANISM 0x7fffffff
 
 static const CK_MECHANISM_TYPE wrapMechanismList[SSL_NUM_WRAP_MECHS] = {
     CKM_DES3_ECB,
     CKM_CAST5_ECB,
@@ skipping 834 matching lines @@
        ss->ssl3.platformClientKey = (PlatformKey)NULL;
     }
 #endif  /* NSS_PLATFORM_CLIENT_AUTH */
 
     temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
     if (temp < 0) {
         goto loser;     /* alert has been sent */
     }
     version = (SSL3ProtocolVersion)temp;
 
+    if (IS_DTLS(ss)) {
+        /* RFC 4347 required that you verify that the server versions
+         * match (S 4.2.1) in the HelloVerifyRequest and the ServerHello
+         *
+         * RFC 6347 suggests (SHOULD) that servers always use 1.0
+         * in HelloVerifyRequest and allows the versions not to match,
+         * esp. when 1.2 is being negotiated.
+         *
+         * Therefore we do not check for matching here.
+         */
+        version = dtls_DTLSVersionToTLSVersion(version);
+        if (version == 0) {  /* Insane version number */
+            goto alert_loser;
+        }
+    }
+
     rv = ssl3_NegotiateVersion(ss, version, PR_FALSE);
     if (rv != SECSuccess) {
         desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version 
                                                    : handshake_failure;
         errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
         goto alert_loser;
     }
     isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
 
     rv = ssl3_ConsumeHandshake(
@@ skipping 1208 matching lines @@
     sslSessionID *      sid      = NULL;
     PRInt32             tmp;
     unsigned int        i;
     int                 j;
     SECStatus           rv;
     int                 errCode  = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO;
     SSL3AlertDescription desc    = illegal_parameter;
     SSL3AlertLevel      level    = alert_fatal;
     SSL3ProtocolVersion version;
     SECItem             sidBytes = {siBuffer, NULL, 0};
+    SECItem             cookieBytes = {siBuffer, NULL, 0};
     SECItem             suites   = {siBuffer, NULL, 0};
     SECItem             comps    = {siBuffer, NULL, 0};
     PRBool              haveSpecWriteLock = PR_FALSE;
     PRBool              haveXmitBufLock   = PR_FALSE;
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake",
         SSL_GETPID(), ss->fd));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     /* Get peer name of client */
     rv = ssl_GetPeerInfo(ss);
     if (rv != SECSuccess) {
         return rv;              /* error code is set. */
     }
 
+    /* Clearing the handshake pointers so that ssl_Do1stHandshake won't
+     * call ssl2_HandleMessage.
+     *
+     * The issue here is that TLS ordinarily starts out in
+     * ssl2_HandleV3HandshakeRecord() because of the backward-compatibility
+     * code paths. That function zeroes these next pointers. But with DTLS,
+     * we don't even try to do the v2 ClientHello so we skip that function
+     * and need to reset these values here.
+     */
+    ss->nextHandshake     = NULL;
+    ss->securityHandshake = NULL;

[wtc, 2012/03/22 01:11:42]

rsleevi: I don't fully understand this change.  I believe
this change is related to the || IS_DTLS(ss) change in
ssl_GatherRecord1stHandshake at sslcon.c:1257.

Here I think EKR's comment  is referring to the following
code in sslgathr.c:ssl2_HandleV3HandshakeRecord:

    /* Clearing these handshake pointers ensures that 
     * ssl_Do1stHandshake won't call ssl2_HandleMessage when we return.
     */
    ss->nextHandshake     = 0;
    ss->securityHandshake = 0;

If necessary, we can put this code inside
    if (IS_DTLS(ss)) {
    }

[Ryan Sleevi, 2012/03/22 22:26:37]

style nit: use 0 rather than NULL, for consistency with other NSS code that
clears these values

LOCK BUG/SAFETY? I notice that, under the other times nextHandshake /
securityHandshake are modified, ssl_Get1stHandshakeLock is held (and prior to
the SSL3HandshakeLock, if that is also held).

See SSL_ResetHandshake for the most reduced case, or see sslimpl.h which notes
it as firstHandshakeLock guarded.

Considering that the SSL3HandshakeLock is acquired much higher in the code
(ssl3_HandleHandshakeMessge only requires SSL3HandshakeLock and is called by
ssl3_HandleHandshake. ssl3_HandleHandshake only requires SSL3HandshakeLock be
held, and is ultimately called by ssl3_HandleRecord), I don't see any place
where you can reasonably guarantee/acquire firstHandshakeLock when this code
executes.

Have I missed some path? Is this lock important (I think it is, if only for
general safety).

I loved over line 9964, so I realize that ssl3_HandleHandshake is bypassed here,
but I'm still concerned about the lock ordering.

[wtc, 2012/03/23 00:21:18]

The complete lock rank is documented in ssl/notes.txt.  I
reproduce it here:

recvLock ->\ firstHandshake -> recvbuf -> ssl3Handshake -> xmitbuf -> "spec"
sendLock ->/

Since this function asserts recvbuf and ssl3Handshake locks
are held, this function cannot acquire firstHandshake lock.
I believe firstHandshake lock is already held when we get
here.  See SSL_ForceHandshake (called by Chrome) and
ssl_SecureRecv and ssl_SecureSend in sslsecur.c.

+
     /* We might be starting session renegotiation in which case we should
      * clear previous state.
      */
     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
     ss->statelessResume = PR_FALSE;
 
     rv = ssl3_InitState(ss);
     if (rv != SECSuccess) {
         return rv;              /* ssl3_InitState has set the error code. */
     }
 
     if ((ss->ssl3.hs.ws != wait_client_hello) &&
         (ss->ssl3.hs.ws != idle_handshake)) {
         desc    = unexpected_message;
         errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO;
         goto alert_loser;
     }
     if (ss->ssl3.hs.ws == idle_handshake  &&
         ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) {
         desc    = no_renegotiation;
         level   = alert_warning;
         errCode = SSL_ERROR_RENEGOTIATION_NOT_ALLOWED;
         goto alert_loser;
     }
 
+    if (IS_DTLS(ss)) {
+        dtls_RehandshakeCleanup(ss);
+    }
+
     tmp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
     if (tmp < 0)
         goto loser;             /* malformed, alert already sent */
-    ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp;
+
+    /* Translate the version */
+    if (IS_DTLS(ss)) {
+        ss->clientHelloVersion = version =
+            dtls_DTLSVersionToTLSVersion((SSL3ProtocolVersion)tmp);
+    } else {
+        ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp;
+    }
+
     rv = ssl3_NegotiateVersion(ss, version, PR_TRUE);
     if (rv != SECSuccess) {
         desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version 
                                                    : handshake_failure;
         errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
         goto alert_loser;
     }
 
     /* grab the client random data. */
     rv = ssl3_ConsumeHandshake(
         ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length);
     if (rv != SECSuccess) {
         goto loser;             /* malformed */
     }
 
     /* grab the client's SID, if present. */
     rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length);
     if (rv != SECSuccess) {
         goto loser;             /* malformed */
     }
 
+    /* grab the client's cookie, if present. */
+    if (IS_DTLS(ss)) {
+        rv = ssl3_ConsumeHandshakeVariable(ss, &cookieBytes, 1, &b, &length);
+        if (rv != SECSuccess) {
+            goto loser;         /* malformed */
+        }
+    }
+
     /* grab the list of cipher suites. */
     rv = ssl3_ConsumeHandshakeVariable(ss, &suites, 2, &b, &length);
     if (rv != SECSuccess) {
         goto loser;             /* malformed */
     }
 
     /* grab the list of compression methods. */
     rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length);
     if (rv != SECSuccess) {
         goto loser;             /* malformed */
@@ skipping 128 matching lines @@
             ssl_FreeSID(sid);
             sid = NULL;
         }
     }
 
 #ifdef NSS_ENABLE_ECC
     /* Disable any ECC cipher suites for which we have no cert. */
     ssl3_FilterECCipherSuitesByServerCerts(ss);
 #endif
 
+    if (IS_DTLS(ss)) {
+        ssl3_DisableNonDTLSSuites(ss);
+    }
+
 #ifdef PARANOID
     /* Look for a matching cipher suite. */
     j = ssl3_config_match_init(ss);
     if (j <= 0) {               /* no ciphers are working/supported by PK11 */
         errCode = PORT_GetError();      /* error code is already set. */
         goto alert_loser;
     }
 #endif
 
     /* If we already have a session for this client, be sure to pick the
@@ skipping 667 matching lines @@
 **      ssl3_SendServerHelloSequence <- ssl3_HandleV2ClientHello (new session)
 */
 static SECStatus
 ssl3_SendServerHello(sslSocket *ss)
 {
     sslSessionID *sid;
     SECStatus     rv;
     PRUint32      maxBytes = 65535;
     PRUint32      length;
     PRInt32       extensions_len = 0;
+    SSL3ProtocolVersion version;
 
     SSL_TRC(3, ("%d: SSL3[%d]: send server_hello handshake", SSL_GETPID(),
                 ss->fd));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-    PORT_Assert( MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0));
 
-    if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
-        PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
-        return SECFailure;
+    if (!IS_DTLS(ss)) {
+        PORT_Assert(MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0));
+
+        if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
+            PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
+            return SECFailure;
+        }
+    } else {
+        PORT_Assert(MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_DTLS_1_0));
+
+        if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_DTLS_1_0)) {
+            PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
+            return SECFailure;
+        }
     }
 
     sid = ss->sec.ci.sid;
 
     extensions_len = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes,
                                                &ss->xtnData.serverSenders[0]);
     if (extensions_len > 0)
         extensions_len += 2; /* Add sizeof total extension length */
 
     length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + 1 +
              ((sid == NULL) ? 0: sid->u.ssl3.sessionIDLength) +
              sizeof(ssl3CipherSuite) + 1 + extensions_len;
     rv = ssl3_AppendHandshakeHeader(ss, server_hello, length);
     if (rv != SECSuccess) {
         return rv;      /* err set by AppendHandshake. */
     }
 
-    rv = ssl3_AppendHandshakeNumber(ss, ss->version, 2);
+    if (IS_DTLS(ss)) {
+        version = dtls_TLSVersionToDTLSVersion(ss->version);
+    } else {
+        version = ss->version;
+    }
+
+    rv = ssl3_AppendHandshakeNumber(ss, version, 2);
     if (rv != SECSuccess) {
         return rv;      /* err set by AppendHandshake. */
     }
     rv = ssl3_GetNewRandom(&ss->ssl3.hs.server_random);
     if (rv != SECSuccess) {
         ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
         return rv;
     }
     rv = ssl3_AppendHandshake(
         ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH);
@@ skipping 164 matching lines @@
     ca_list = ss->ssl3.ca_list;
     if (!ca_list) {
         ca_list = ssl3_server_ca_list;
     }
 
     if (ca_list != NULL) {
         names = ca_list->names;
         nnames = ca_list->nnames;
     }
 
-    if (!nnames) {
-        PORT_SetError(SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA);
-        return SECFailure;
-    }

[wtc, 2012/03/22 01:11:42]

Removing this check allows an SSL server to request a
self-signed client certificate.

[Ryan Sleevi, 2012/03/22 22:26:37]

I'm not sure I agree with this explanation, but I'm fine with its removal.

Just curious why it was done in the DTLS patch, since the DTLS code doesn't
support server mode (yet?)

[wtc, 2012/03/23 00:21:18]

DTLS server mode works.  Only HelloVerifyRequest isn't
implemented.

[ekr, 2012/03/23 12:46:41]

Correct, and this is optional.

Let me give you a more concrete explanation for why I removed it. A primary
reason I am doing this work is to enable DTLS-SRTP (RFC 5764) which uses
self-signed certs and therefore has no sensible thing to configure here. I would
be more than happy to have an extra option required to disable this check if it
makes people nervous.

-
+    /* There used to be a test here to require a CA, but there
+     * are cases where you want to have no CAs offered. */
     for (i = 0, name = names; i < nnames; i++, name++) {
         calen += 2 + name->len;
     }
 
     certTypes       = certificate_types;
     certTypesLength = sizeof certificate_types;
 
     length = 1 + certTypesLength + 2 + calen;
 
     rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length);
@@ skipping 147 matching lines @@
            /* can't find a slot with all three, find a slot with the minimum */
             slot = PK11_GetBestSlotMultiple(mechanism_array, 2, pwArg);
             if (slot == NULL) {
                 PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND);
                 return pms;     /* which is NULL */
             }
         }
     }
 
     /* Generate the pre-master secret ...  */
-    version.major = MSB(ss->clientHelloVersion);
-    version.minor = LSB(ss->clientHelloVersion);
+    if (IS_DTLS(ss)) {
+        SSL3ProtocolVersion temp;
+
+        temp = dtls_TLSVersionToDTLSVersion(ss->clientHelloVersion);
+        version.major = MSB(temp);
+        version.minor = LSB(temp);
+    } else {
+        version.major = MSB(ss->clientHelloVersion);
+        version.minor = LSB(ss->clientHelloVersion);
+    }
 
     param.data = (unsigned char *)&version;
     param.len  = sizeof version;
 
     pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, &param, 0, pwArg);
     if (!serverKeySlot)
         PK11_FreeSlot(slot);
     if (pms == NULL) {
         ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
     }
@@ skipping 62 matching lines @@
          */
 
         rv = PK11_PrivDecryptPKCS1(serverKey, rsaPmsBuf, &outLen, 
                                    sizeof rsaPmsBuf, enc_pms.data, enc_pms.len);
         if (rv != SECSuccess) {
             /* triple bypass failed.  Let's try for a double bypass. */
             goto double_bypass;
         } else if (ss->opt.detectRollBack) {
             SSL3ProtocolVersion client_version = 
                                          (rsaPmsBuf[0] << 8) | rsaPmsBuf[1];
+
+            if (IS_DTLS(ss)) {
+                client_version = dtls_DTLSVersionToTLSVersion(client_version);
+            }

[Ryan Sleevi, 2012/03/22 22:26:37]

nit: Inconsistent tabbing within this (compared to 7805-7814).

Then again, NSS tabbing is a mess to begin with.

[wtc, 2012/03/23 00:21:18]

The new code uses tabs.  I think Rietveld doesn't show the
tabs except to contrast with the original code.

+
             if (client_version != ss->clientHelloVersion) {
                 /* Version roll-back detected. ensure failure.  */
                 rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf);
             }
         }
         /* have PMS, build MS without PKCS11 */
         rv = ssl3_MasterKeyDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS, 
                                         PR_TRUE);
         if (rv != SECSuccess) {
             pwSpec->msItem.data = pwSpec->raw_master_secret;
@@ skipping 1196 matching lines @@
             flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER;
         }
 
         if (!isServer && !ss->firstHsDone) {
             rv = ssl3_SendNextProto(ss);
             if (rv != SECSuccess) {
                 goto xmit_loser; /* err code was set. */
             }
         }
 
+        if (IS_DTLS(ss)) {
+            flags |= ssl_SEND_FLAG_NO_RETRANSMIT;
+        }
+
         rv = ssl3_SendFinished(ss, flags);
         if (rv != SECSuccess) {
             goto xmit_loser;    /* err is set. */
         }
     }
 
 xmit_loser:
     ssl_ReleaseXmitBufLock(ss); /*************************************/
     if (rv != SECSuccess) {
         return rv;
@@ skipping 109 matching lines @@
                                     ss->ssl3.hs.pending_cert_msg.len);
         SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE);
     }
     return rv;
 }
 
 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3
  * hanshake message.
  * Caller must hold Handshake and RecvBuf locks.
  */
-static SECStatus
+SECStatus
 ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 {
     SECStatus         rv        = SECSuccess;
     SSL3HandshakeType type      = ss->ssl3.hs.msg_type;
     SSL3Hashes        hashes;   /* computed hashes are put here. */
     PRUint8           hdr[4];
+    PRUint8           dtlsData[8];
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
     /*
      * We have to compute the hashes before we update them with the
      * current message.
      */
     ssl_GetSpecReadLock(ss);    /************************************/
     if((type == finished) || (type == certificate_verify)) {
         SSL3Sender      sender = (SSL3Sender)0;
@@ skipping 26 matching lines @@
     /* Start new handshake hashes when we start a new handshake */
     if (ss->ssl3.hs.msg_type == client_hello) {
         SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
                 SSL_GETPID(), ss->fd ));
         rv = ssl3_RestartHandshakeHashes(ss);
         if (rv != SECSuccess) {
             return rv;
         }
     }
     /* We should not include hello_request messages in the handshake hashes */
-    if (ss->ssl3.hs.msg_type != hello_request) {
+    if ((ss->ssl3.hs.msg_type != hello_request) &&
+        (ss->ssl3.hs.msg_type != hello_verify_request)) {

[Ryan Sleevi, 2012/03/22 22:26:37]

Should there also be a check for 

&& (!IS_DTLS(ss) || ss->ssl3.hs.msg_type != client_hello))

Or is that something to omit until/if a server implementation is done (Just
looking at 4347 4.2.6 and the list of messages excluded)

[wtc, 2012/03/23 00:21:18]

I guess you're asking about excluding the initial ClientHello.
I had the same question, and EKR pointed out that it is
excluded because each call to ssl3_SendClientHello restarts
the handshake hashes, and on the server side that is done
on lines 9295-9299 above.

         rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) hdr, 4);
         if (rv != SECSuccess) return rv;        /* err code already set. */
+
+        /* Extra data to simulate a complete DTLS handshake fragment */
+        if (IS_DTLS(ss)) {
+            /* Sequence number */
+            dtlsData[0] = MSB(ss->ssl3.hs.recvMessageSeq);
+            dtlsData[1] = LSB(ss->ssl3.hs.recvMessageSeq);
+
+            /* Fragment offset */
+            dtlsData[2] = 0;
+            dtlsData[3] = 0;
+            dtlsData[4] = 0;
+
+            /* Fragment length */
+            dtlsData[5] = (PRUint8)(length >> 16);
+            dtlsData[6] = (PRUint8)(length >>  8);
+            dtlsData[7] = (PRUint8)(length      );
+
+            rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) dtlsData,

[Ryan Sleevi, 2012/03/22 22:26:37]

nit: delete the space in "(unsigned char*) dtlsData"

[wtc, 2012/03/23 00:21:18]

I suspect that space was copied from line 9307 above.
Actually the type cast is not necessary because PRUint8
is unsigned char.  (dtlsData is an array of PRUint8s.)

+                                            sizeof(dtlsData));
+            if (rv != SECSuccess) return rv;    /* err code already set. */
+        }
+
+        /* The message body */
         rv = ssl3_UpdateHandshakeHashes(ss, b, length);
         if (rv != SECSuccess) return rv;        /* err code already set. */
     }
 
     PORT_SetError(0);   /* each message starts with no error. */
     switch (ss->ssl3.hs.msg_type) {
     case hello_request:
         if (length != 0) {
             (void)ssl3_DecodeError(ss);
             PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST);
@@ skipping 15 matching lines @@
         rv = ssl3_HandleClientHello(ss, b, length);
         break;
     case server_hello:
         if (ss->sec.isServer) {
             (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
             PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO);
             return SECFailure;
         }
         rv = ssl3_HandleServerHello(ss, b, length);
         break;
+    case hello_verify_request:
+        if (!IS_DTLS(ss) || ss->sec.isServer) {
+            (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+            PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST);
+            return SECFailure;
+        }
+        rv = dtls_HandleHelloVerifyRequest(ss, b, length);
+        break;
     case certificate:
         if (ss->ssl3.hs.may_get_cert_status) {
             /* If we might get a CertificateStatus then we want to postpone the
              * processing of the Certificate message until after we have
              * processed the CertificateStatus */
             if (ss->ssl3.hs.pending_cert_msg.data ||
                 ss->ssl3.hs.ws != wait_server_cert) {
                 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
                 (void)ssl_MapLowLevelError(SSL_ERROR_RX_UNEXPECTED_CERTIFICATE);
                 return SECFailure;
@@ skipping 78 matching lines @@
         rv = ssl3_HandleNewSessionTicket(ss, b, length);
         break;
     case finished:
         rv = ssl3_HandleFinished(ss, b, length, &hashes);
         break;
     default:
         (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
         PORT_SetError(SSL_ERROR_RX_UNKNOWN_HANDSHAKE);
         rv = SECFailure;
     }
+
+    if (IS_DTLS(ss) && (rv == SECSuccess)) {
+        /* Increment the expected sequence number */
+        ss->ssl3.hs.recvMessageSeq++;
+    }
+
     return rv;
 }
 
 /* Called only from ssl3_HandleRecord, for each (deciphered) ssl3 record.
  * origBuf is the decrypted ssl record content.
  * Caller must hold the handshake and RecvBuf locks.
  */
 static SECStatus
 ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
 {
@@ skipping 142 matching lines @@
     ssl3CipherSpec *     crSpec;
     SECStatus            rv;
     unsigned int         hashBytes = MAX_MAC_LENGTH + 1;
     unsigned int         padding_length;
     PRBool               isTLS;
     PRBool               padIsBad = PR_FALSE;
     SSL3ContentType      rType;
     SSL3Opaque           hash[MAX_MAC_LENGTH];
     sslBuffer           *plaintext;
     sslBuffer            temp_buf;
+    PRUint64             dtls_seq_num;
     unsigned int         ivLen = 0;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
 
     if (!ss->ssl3.initialized) {
         ssl_GetSSL3HandshakeLock(ss);
         rv = ssl3_InitState(ss);
         ssl_ReleaseSSL3HandshakeLock(ss);
         if (rv != SECSuccess) {
             return rv;          /* ssl3_InitState has set the error code. */
@@ skipping 15 matching lines @@
                  SSL_GETPID(), ss->fd));
         rType = content_handshake;
         goto process_it;
     }
 
     ssl_GetSpecReadLock(ss); /******************************************/
 
     crSpec = ss->ssl3.crSpec;
     cipher_def = crSpec->cipher_def;
 
+    /* 
+     * DTLS relevance checks:
+     * Note that this code currently ignores all out-of-epoch packets,
+     * which means we lose some in the case of rehandshake +
+     * loss/reordering. Since DTLS is explicitly unreliable, this
+     * seems like a good tradeoff for implementation effort and is
+     * consistent with the guidance of RFC 6347 S 4.1 and S 4.2.4.1
+     */
+    if (IS_DTLS(ss)) {
+        DTLSEpoch epoch = (cText->seq_num.high >> 16) & 0xffff;
+        
+        if (crSpec->epoch != epoch) {
+            ssl_ReleaseSpecReadLock(ss);
+            SSL_DBG(("%d: SSL3[%d]: HandleRecord, received packet "
+                     "from irrelevant epoch %d", SSL_GETPID(), ss->fd, epoch));
+            return SECSuccess;
+        }
+
+        dtls_seq_num = (((PRUint64)(cText->seq_num.high & 0xffff)) << 32) |
+                        ((PRUint64)cText->seq_num.low);
+
+        if (dtls_RecordGetRecvd(&crSpec->recvdRecords, dtls_seq_num)) {

[Ryan Sleevi, 2012/03/22 22:26:37]

nit: While totally valid, I wonder if it makes more sense / self-documenting
code to explicitly check != 0. This makes it clear that both -1 and 1 are
handled cases. I had to look up what this methods return values were and why
this check was OK, where I think the != 0 may have been clearer that the only
'acceptable' result IS zero (not received yet).

Minor though, I defer to wtc here.

[ekr, 2012/03/23 12:46:41]

That would be fine with me as well. I'm not sure my old "memcmp/strcmp" idioms
are serving well here.

+            ssl_ReleaseSpecReadLock(ss);
+            SSL_DBG(("%d: SSL3[%d]: HandleRecord, rejecting "
+                     "potentially replayed packet", SSL_GETPID(), ss->fd));
+            return SECSuccess;
+        }
+    }
+
     if (cipher_def->type == type_block &&
         crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
         /* Consume the per-record explicit IV. RFC 4346 Section 6.2.3.2 states
          * "The receiver decrypts the entire GenericBlockCipher structure and
          * then discards the first cipher block corresponding to the IV
          * component." Instead, we decrypt the first cipher block and then
          * discard it before decrypting the rest.
          */
         SSL3Opaque iv[MAX_IV_LENGTH];
         int decoded;
@@ skipping 101 matching lines @@
 
     /* Remove the MAC. */
     if (plaintext->len >= crSpec->mac_size)
         plaintext->len -= crSpec->mac_size;
     else
         padIsBad = PR_TRUE;     /* really macIsBad */
 
     /* compute the MAC */
     rType = cText->type;
     rv = ssl3_ComputeRecordMAC( crSpec, (PRBool)(!ss->sec.isServer),
-        rType, cText->version, crSpec->read_seq_num, 
+        IS_DTLS(ss), rType, cText->version,
+        IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
         plaintext->buf, plaintext->len, hash, &hashBytes);
     if (rv != SECSuccess) {
         padIsBad = PR_TRUE;     /* really macIsBad */
     }
 
     /* Check the MAC */
     if (hashBytes != (unsigned)crSpec->mac_size || padIsBad || 
         NSS_SecureMemcmp(plaintext->buf + plaintext->len, hash,
                          crSpec->mac_size) != 0) {
         /* must not hold spec lock when calling SSL3_SendAlert. */
         ssl_ReleaseSpecReadLock(ss);
-        SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
-        /* always log mac error, in case attacker can read server logs. */
-        PORT_SetError(SSL_ERROR_BAD_MAC_READ);
 
         SSL_DBG(("%d: SSL3[%d]: mac check failed", SSL_GETPID(), ss->fd));
 
-        return SECFailure;
+        if (!IS_DTLS(ss)) {
+            SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
+            /* always log mac error, in case attacker can read server logs. */
+            PORT_SetError(SSL_ERROR_BAD_MAC_READ);
+            return SECFailure;
+        } else {
+            /* Silently drop the packet */
+            plaintext->len = 0; /* Needed to ensure data not left around */
+            return SECSuccess;
+        }
     }
 
-
-
-    ssl3_BumpSequenceNumber(&crSpec->read_seq_num);
+    if (!IS_DTLS(ss)) {
+        ssl3_BumpSequenceNumber(&crSpec->read_seq_num);
+    } else {
+        dtls_RecordSetRecvd(&crSpec->recvdRecords, dtls_seq_num);
+    }
 
     ssl_ReleaseSpecReadLock(ss); /*****************************************/
 
     /*
      * The decrypted data is now in plaintext.
      */
 
     /* possibly decompress the record. If we aren't using compression then
      * plaintext == databuf and so the uncompressed data is already in
      * databuf. */
@@ skipping 84 matching lines @@
     ** they return SECFailure or SECWouldBlock.
     */
     switch (rType) {
     case content_change_cipher_spec:
         rv = ssl3_HandleChangeCipherSpecs(ss, databuf);
         break;
     case content_alert:
         rv = ssl3_HandleAlert(ss, databuf);
         break;
     case content_handshake:
-        rv = ssl3_HandleHandshake(ss, databuf);
+        if (!IS_DTLS(ss)) {
+            rv = ssl3_HandleHandshake(ss, databuf);
+        } else {
+            rv = dtls_HandleHandshake(ss, databuf);
+        }
         break;
     /*
     case content_application_data is handled before this switch
     */
     default:
         SSL_DBG(("%d: SSL3[%d]: bogus content type=%d",
                  SSL_GETPID(), ss->fd, cText->type));
         /* XXX Send an alert ???  */
         PORT_SetError(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE);
         rv = SECFailure;
@@ skipping 39 matching lines @@
     spec->server.write_key         = NULL;
     spec->server.write_mac_key     = NULL;
     spec->server.write_mac_context = NULL;
 
     spec->write_seq_num.high       = 0;
     spec->write_seq_num.low        = 0;
 
     spec->read_seq_num.high        = 0;
     spec->read_seq_num.low         = 0;
 
+    spec->epoch                    = 0;
+    dtls_InitRecvdRecords(&spec->recvdRecords);
+
     spec->version                  = ss->vrange.max;
 }
 
 /* Called from: ssl3_SendRecord
 **              ssl3_StartHandshakeHash() <- ssl2_BeginClientHandshake()
 **              ssl3_SendClientHello()
 **              ssl3_HandleServerHello()
 **              ssl3_HandleClientHello()
 **              ssl3_HandleV2ClientHello()
 **              ssl3_HandleRecord()
@@ skipping 21 matching lines @@
     ssl3_InitCipherSpec(ss, ss->ssl3.prSpec);
 
     ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello;
 #ifdef NSS_ENABLE_ECC
     ss->ssl3.hs.negotiatedECCurves = SSL3_SUPPORTED_CURVES_MASK;
 #endif
     ssl_ReleaseSpecWriteLock(ss);
 
     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
 
+    if (IS_DTLS(ss)) {
+        ss->ssl3.hs.sendMessageSeq = 0;
+        ss->ssl3.hs.recvMessageSeq = 0;
+        ss->ssl3.hs.rtTimeoutMs = INITIAL_DTLS_TIMEOUT_MS;
+        ss->ssl3.hs.rtRetries = 0;
+
+        /* Have to allocate this because ssl_FreeSocket relocates
+         * this structure in DEBUG mode */
+        if (!(ss->ssl3.hs.lastMessageFlight = PORT_New(PRCList)))
+            return SECFailure;
+        ss->ssl3.hs.recvdHighWater = -1;
+        PR_INIT_CLIST(ss->ssl3.hs.lastMessageFlight);
+        dtls_SetMTU(ss, 0); /* Set the MTU to the highest plateau */
+    }
+
     rv = ssl3_NewHandshakeHashes(ss);
     if (rv == SECSuccess) {
         ss->ssl3.initialized = PR_TRUE;
     }
 
     return rv;
 }
 
 /* Returns a reference counted object that contains a key pair.
  * Or NULL on failure.  Initial ref count is 1.
@@ skipping 232 matching lines @@
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     if (!ss->firstHsDone ||
         ((ss->version >= SSL_LIBRARY_VERSION_3_0) &&
          ss->ssl3.initialized && 
          (ss->ssl3.hs.ws != idle_handshake))) {
         PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
         return SECFailure;
     }
+
+    if (IS_DTLS(ss)) {
+        dtls_RehandshakeCleanup(ss);
+    }
+
     if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) {
         PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
         return SECFailure;
     }
     if (sid && flushCache) {
         ss->sec.uncache(sid);   /* remove it from whichever cache it's in. */
         ssl_FreeSID(sid);       /* dec ref count and free if zero. */
         ss->sec.ci.sid = NULL;
     }
 
     ssl_GetXmitBufLock(ss);     /**************************************/
 
     /* start off a new handshake. */
     rv = (ss->sec.isServer) ? ssl3_SendHelloRequest(ss)
-                            : ssl3_SendClientHello(ss);
+                            : ssl3_SendClientHello(ss, PR_FALSE);
 
     ssl_ReleaseXmitBufLock(ss); /**************************************/
     return rv;
 }
 
 /* Called from ssl_DestroySocketContents() in sslsock.c */
 void
 ssl3_DestroySSL3Info(sslSocket *ss)
 {
 
@@ skipping 39 matching lines @@
         SECITEM_FreeItem(&ss->ssl3.hs.cert_status, PR_FALSE);
     }
 
     /* free the SSL3Buffer (msg_body) */
     PORT_Free(ss->ssl3.hs.msg_body.buf);
 
     /* free up the CipherSpecs */
     ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/);
     ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/);
 
+    /* Destroy the DTLS data */
+    if (IS_DTLS(ss)) {
+        if (ss->ssl3.hs.lastMessageFlight) {
+            dtls_FreeHandshakeMessages(ss->ssl3.hs.lastMessageFlight);
+            PORT_Free(ss->ssl3.hs.lastMessageFlight);
+        }
+        if (ss->ssl3.hs.recvdFragments.buf) {
+            PORT_Free(ss->ssl3.hs.recvdFragments.buf);
+        }
+    }
+
     ss->ssl3.initialized = PR_FALSE;
 
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
 }
 
 /* End of ssl3con.c */