Add DTLS support to NSS, contributed by Eric Rescorla.

net/third_party/nss/ssl/ssl3con.c

 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * SSL3 Protocol
  *
  * ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
  * The contents of this file are subject to the Mozilla Public License Version
  * 1.1 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
@@ skipping 24 matching lines @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 /* $Id: ssl3con.c,v 1.173 2012/03/18 00:31:19 wtc%google.com Exp $ */
 
+/* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
+
 #include "cert.h"
 #include "ssl.h"
 #include "cryptohi.h"   /* for DSAU_ stuff */
 #include "keyhi.h"
 #include "secder.h"
 #include "secitem.h"
 
 #include "sslimpl.h"
 #include "sslproto.h"
 #include "sslerr.h"
@@ skipping 30 matching lines @@
 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
 static SECStatus ssl3_SendNextProto(         sslSocket *ss);
 static SECStatus ssl3_SendFinished(          sslSocket *ss, PRInt32 flags);
 static SECStatus ssl3_SendServerHello(       sslSocket *ss);
 static SECStatus ssl3_SendServerHelloDone(   sslSocket *ss);
 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss);
 static SECStatus ssl3_NewHandshakeHashes(    sslSocket *ss);
 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss,
                                              const unsigned char *b,
                                              unsigned int l);
+static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags);
 
 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
                              int maxOutputLen, const unsigned char *input,
                              int inputLen);
 
 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */
 #define MIN_SEND_BUF_LENGTH  4000
 
 #define MAX_CIPHER_SUITES 20
 
@@ skipping 109 matching lines @@
 }
 
 static const /*SSL3ClientCertificateType */ uint8 certificate_types [] = {
     ct_RSA_sign,
     ct_DSS_sign,
 #ifdef NSS_ENABLE_ECC
     ct_ECDSA_sign,
 #endif /* NSS_ENABLE_ECC */
 };
 
-#ifdef NSS_ENABLE_ZLIB
-/*
- * The DEFLATE algorithm can result in an expansion of 0.1% + 12 bytes. For a
- * maximum TLS record payload of 2**14 bytes, that's 29 bytes.
- */
-#define SSL3_COMPRESSION_MAX_EXPANSION 29
-#else  /* !NSS_ENABLE_ZLIB */
-#define SSL3_COMPRESSION_MAX_EXPANSION 0
-#endif
-
-/*
- * make sure there is room in the write buffer for padding and
- * other compression and cryptographic expansions.
- */
-#define SSL3_BUFFER_FUDGE     100 + SSL3_COMPRESSION_MAX_EXPANSION
-
 #define EXPORT_RSA_KEY_LENGTH 64        /* bytes */
 
 
 /* This global item is used only in servers.  It is is initialized by
 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest().
 */
 CERTDistNames *ssl3_server_ca_list = NULL;
 static SSL3Statistics ssl3stats;
 
 /* indexed by SSL3BulkCipher */
@@ skipping 260 matching lines @@
 static char *
 ssl3_DecodeHandshakeType(int msgType)
 {
     char * rv;
     static char line[40];
 
     switch(msgType) {
     case hello_request:         rv = "hello_request (0)";               break;
     case client_hello:          rv = "client_hello  (1)";               break;
     case server_hello:          rv = "server_hello  (2)";               break;
+    case hello_verify_request:  rv = "hello_verify_request (3)";        break;
     case certificate:           rv = "certificate  (11)";               break;
     case server_key_exchange:   rv = "server_key_exchange (12)";        break;
     case certificate_request:   rv = "certificate_request (13)";        break;
     case server_hello_done:     rv = "server_hello_done   (14)";        break;
     case certificate_verify:    rv = "certificate_verify  (15)";        break;
     case client_key_exchange:   rv = "client_key_exchange (16)";        break;
     case finished:              rv = "finished     (20)";               break;
     default:
         sprintf(line, "*UNKNOWN* handshake type! (%d)", msgType);
         rv = line;
@@ skipping 119 matching lines @@
         if (suite->enabled) {
             ++numEnabled;
             /* We need the cipher defs to see if we have a token that can handle
              * this cipher.  It isn't part of the static definition.
              */
             cipher_def = ssl_LookupCipherSuiteDef(suite->cipher_suite);
             if (!cipher_def) {
                 suite->isPresent = PR_FALSE;
                 continue;
             }
-            cipher_alg=bulk_cipher_defs[cipher_def->bulk_cipher_alg ].calg;
+            cipher_alg = bulk_cipher_defs[cipher_def->bulk_cipher_alg].calg;
             PORT_Assert(  alg2Mech[cipher_alg].calg == cipher_alg);
             cipher_mech = alg2Mech[cipher_alg].cmech;
             exchKeyType =
                     kea_defs[cipher_def->key_exchange_alg].exchKeyType;
 #ifndef NSS_ENABLE_ECC
             svrAuth = ss->serverCerts + exchKeyType;
 #else
             /* XXX SSLKEAType isn't really a good choice for 
              * indexing certificates. It doesn't work for
              * (EC)DHE-* ciphers. Here we use a hack to ensure
@@ skipping 471 matching lines @@
         PK11_DestroyContext(mat->write_mac_context, PR_TRUE);
         mat->write_mac_context = NULL;
     }
 }
 
 /* Called from ssl3_SendChangeCipherSpecs() and 
 **             ssl3_HandleChangeCipherSpecs()
 **             ssl3_DestroySSL3Info
 ** Caller must hold SpecWriteLock.
 */
-static void
+void
 ssl3_DestroyCipherSpec(ssl3CipherSpec *spec, PRBool freeSrvName)
 {
     PRBool freeit = (PRBool)(!spec->bypassCiphers);
 /*  PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); Don't have ss! */
     if (spec->destroy) {
         spec->destroy(spec->encodeContext, freeit);
         spec->destroy(spec->decodeContext, freeit);
         spec->encodeContext = NULL; /* paranoia */
         spec->decodeContext = NULL;
     }
@@ skipping 59 matching lines @@
 
     SSL_TRC(3, ("%d: SSL3[%d]: Set XXX Pending Cipher Suite to 0x%04x",
                 SSL_GETPID(), ss->fd, suite));
 
     suite_def = ssl_LookupCipherSuiteDef(suite);
     if (suite_def == NULL) {
         ssl_ReleaseSpecWriteLock(ss);
         return SECFailure;      /* error code set by ssl_LookupCipherSuiteDef */
     }
 
+    if (IS_DTLS(ss)) {
+        /* Double-check that we did not pick an RC4 suite */
+        PORT_Assert((suite_def->bulk_cipher_alg != cipher_rc4) &&
+                    (suite_def->bulk_cipher_alg != cipher_rc4_40) &&
+                    (suite_def->bulk_cipher_alg != cipher_rc4_56));
+    }
 
     cipher = suite_def->bulk_cipher_alg;
     kea    = suite_def->key_exchange_alg;
     mac    = suite_def->mac_alg;
     if (isTLS)
         mac += 2;
 
     ss->ssl3.hs.suite_def = suite_def;
     ss->ssl3.hs.kea_def   = &kea_defs[kea];
     PORT_Assert(ss->ssl3.hs.kea_def->kea == kea);
 
     pwSpec->cipher_def   = &bulk_cipher_defs[cipher];
     PORT_Assert(pwSpec->cipher_def->cipher == cipher);
 
     pwSpec->mac_def = &mac_defs[mac];
     PORT_Assert(pwSpec->mac_def->mac == mac);
 
     ss->sec.keyBits       = pwSpec->cipher_def->key_size        * BPB;
     ss->sec.secretKeyBits = pwSpec->cipher_def->secret_key_size * BPB;
     ss->sec.cipherType    = cipher;
 
     pwSpec->encodeContext = NULL;
     pwSpec->decodeContext = NULL;
 
     pwSpec->mac_size = pwSpec->mac_def->mac_size;
 
     pwSpec->compression_method = ss->ssl3.hs.compression;
     pwSpec->compressContext = NULL;
     pwSpec->decompressContext = NULL;
+    
+    /* Note: pwSpec == prSpec here so we're really doing the read side.
+     * The epoch is set up in InitPendingCipherSpec */
+    dtls_InitRecvdRecords(&pwSpec->recvdRecords);

[wtc, 2012/03/22 21:59:54]

ekr: can we also move this
    dtls_InitRecvdRecords(&pwSpec->recvdRecords);
call to ssl3_InitPendingCipherSpec, next to where it sets
pwSpec->epoch?

[ekr, 2012/03/23 12:46:41]

I have have the nagging feeling that I tried this and it didn't work for some
reason (which would be worrisome), though it could equally well be that I got
lost in the maze of different cipher spec setup functions and just opted to add
a comment rather than fix. Do you think we should analyze/try it?

[wtc, 2012/03/23 13:48:49]

Yes, please.

 
     ssl_ReleaseSpecWriteLock(ss);  /*******************************/
     return SECSuccess;
 }
 
 #ifdef NSS_ENABLE_ZLIB
 #define SSL3_DEFLATE_CONTEXT_SIZE sizeof(z_stream)
 
 static SECStatus
 ssl3_MapZlibError(int zlib_error)
@@ skipping 477 matching lines @@
  * Sets error code, but caller probably should override to disambiguate.
  * NULL pms means re-use old master_secret.
  *
  * This code is common to the bypass and PKCS11 execution paths.
  * For the bypass case,  pms is NULL.
  */
 SECStatus
 ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms)
 {
     ssl3CipherSpec  *  pwSpec;
+    ssl3CipherSpec  *  cwSpec;
     SECStatus          rv;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     ssl_GetSpecWriteLock(ss);   /**************************************/
 
     PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
 
     pwSpec        = ss->ssl3.pwSpec;
+    cwSpec        = ss->ssl3.cwSpec;
 
     if (pms || (!pwSpec->msItem.len && !pwSpec->master_secret)) {
         rv = ssl3_DeriveMasterSecret(ss, pms);
         if (rv != SECSuccess) {
             goto done;  /* err code set by ssl3_DeriveMasterSecret */
         }
     }
     if (ss->opt.bypassPKCS11 && pwSpec->msItem.len && pwSpec->msItem.data) {
         /* Double Bypass succeeded in extracting the master_secret */
         const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
@@ skipping 11 matching lines @@
     } else if (pwSpec->master_secret) {
         rv = ssl3_DeriveConnectionKeysPKCS11(ss);
         if (rv == SECSuccess) {
             rv = ssl3_InitPendingContextsPKCS11(ss);
         }
     } else {
         PORT_Assert(pwSpec->master_secret);
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         rv = SECFailure;
     }
+    if (rv != SECSuccess) {
+        goto done;
+    }
+
+    /* Generic behaviors -- common to all crypto methods */
+    if (!IS_DTLS(ss)) {
+        pwSpec->read_seq_num.high = pwSpec->write_seq_num.high = 0;
+    } else {
+        if (cwSpec->epoch == 65535) {
+            /* The problem here is that we have rehandshaked too many
+             * times (you are not allowed to wrap the epoch). The
+             * spec says you should be discarding the connection
+             * and start over, so not much we can do here. */
+            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+            rv = SECFailure;
+            goto done;
+        }
+        /* The sequence number has the high 16 bits as the epoch. */
+        pwSpec->epoch = cwSpec->epoch + 1;
+        pwSpec->read_seq_num.high = pwSpec->write_seq_num.high =
+            pwSpec->epoch << 16;
+    }
+    pwSpec->read_seq_num.low = pwSpec->write_seq_num.low = 0;
 
 done:
     ssl_ReleaseSpecWriteLock(ss);       /******************************/
     if (rv != SECSuccess)
         ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
     return rv;
 }
 
 /*
  * 60 bytes is 3 times the maximum length MAC size that is supported.
@@ skipping 20 matching lines @@
 };
 
 /* Called from: ssl3_SendRecord()
 **              ssl3_HandleRecord()
 ** Caller must already hold the SpecReadLock. (wish we could assert that!)
 */
 static SECStatus
 ssl3_ComputeRecordMAC(
     ssl3CipherSpec *   spec,
     PRBool             useServerMacKey,
+    PRBool             isDTLS,
     SSL3ContentType    type,
     SSL3ProtocolVersion version,
     SSL3SequenceNumber seq_num,
     const SSL3Opaque * input,
     int                inputLength,
     unsigned char *    outbuf,
     unsigned int *     outLength)
 {
     const ssl3MACDef * mac_def;
     SECStatus          rv;
@@ skipping 17 matching lines @@
     ** NOT based on the version value in the record itself.
     ** But, we use the record'v version value in the computation.
     */
     if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
         temp[9]  = MSB(inputLength);
         temp[10] = LSB(inputLength);
         tempLen  = 11;
         isTLS    = PR_FALSE;
     } else {
         /* New TLS hash includes version. */
-        temp[9]  = MSB(version);
-        temp[10] = LSB(version);
+        if (isDTLS) {
+            SSL3ProtocolVersion dtls_version;
+
+            dtls_version = dtls_TLSVersionToDTLSVersion(version);
+            temp[9]  = MSB(dtls_version);
+            temp[10] = LSB(dtls_version);
+        } else {
+            temp[9]  = MSB(version);
+            temp[10] = LSB(version);
+        }
         temp[11] = MSB(inputLength);
         temp[12] = LSB(inputLength);
         tempLen  = 13;
         isTLS    = PR_TRUE;
     }
 
     PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen));
     PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength));
 
     mac_def = spec->mac_def;
@@ skipping 129 matching lines @@
         (PK11_NeedLogin(slot) && !PK11_IsLoggedIn(slot, NULL))) {
         isPresent = PR_FALSE;
     } 
     if (slot) {
         PK11_FreeSlot(slot);
     }
     return isPresent;
 }
 
 /* Caller must hold the spec read lock. */
-static SECStatus
+SECStatus
 ssl3_CompressMACEncryptRecord(ssl3CipherSpec *   cwSpec,
                               PRBool             isServer,
+                              PRBool             isDTLS,
                               SSL3ContentType    type,
                               const SSL3Opaque * pIn,
                               PRUint32           contentLen,
                               sslBuffer *        wrBuf)
 {
     const ssl3BulkCipherDef * cipher_def;
     SECStatus                 rv;
     PRUint32                  macLen = 0;
     PRUint32                  fragLen;
     PRUint32  p1Len, p2Len, oddLen = 0;
+    PRUint16                  headerLen;
     int                       ivLen = 0;
     int                       cipherBytes = 0;
 
     cipher_def = cwSpec->cipher_def;
+    headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH;
 
     if (cipher_def->type == type_block &&
         cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
         /* Prepend the per-record explicit IV using technique 2b from
          * RFC 4346 section 6.2.3.2: The IV is a cryptographically
          * strong random number XORed with the CBC residue from the previous
          * record.
          */
         ivLen = cipher_def->iv_size;
-        if (ivLen > wrBuf->space - SSL3_RECORD_HEADER_LENGTH) {
+        if (ivLen > wrBuf->space - headerLen) {
             PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
             return SECFailure;
         }
-        rv = PK11_GenerateRandom(wrBuf->buf + SSL3_RECORD_HEADER_LENGTH, ivLen);
+        rv = PK11_GenerateRandom(wrBuf->buf + headerLen, ivLen);
         if (rv != SECSuccess) {
             ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
             return rv;
         }
         rv = cwSpec->encode( cwSpec->encodeContext, 
-            wrBuf->buf + SSL3_RECORD_HEADER_LENGTH,
+            wrBuf->buf + headerLen,
             &cipherBytes,                       /* output and actual outLen */
             ivLen,                              /* max outlen */
-            wrBuf->buf + SSL3_RECORD_HEADER_LENGTH,
+            wrBuf->buf + headerLen,
             ivLen);                             /* input and inputLen*/
         if (rv != SECSuccess || cipherBytes != ivLen) {
             PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
             return SECFailure;
         }
     }
 
     if (cwSpec->compressor) {
         int outlen;
         rv = cwSpec->compressor(
             cwSpec->compressContext,
-            wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen, &outlen,
-            wrBuf->space - SSL3_RECORD_HEADER_LENGTH - ivLen, pIn, contentLen);
+            wrBuf->buf + headerLen + ivLen, &outlen,
+            wrBuf->space - headerLen - ivLen, pIn, contentLen);
         if (rv != SECSuccess)
             return rv;
-        pIn = wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen;
+        pIn = wrBuf->buf + headerLen + ivLen;
         contentLen = outlen;
     }
 
     /*
      * Add the MAC
      */
-    rv = ssl3_ComputeRecordMAC( cwSpec, isServer,
+    rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS,
         type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen,
-        wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen + contentLen, &macLen);
+        wrBuf->buf + headerLen + ivLen + contentLen, &macLen);
     if (rv != SECSuccess) {
         ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
         return SECFailure;
     }
     p1Len   = contentLen;
     p2Len   = macLen;
     fragLen = contentLen + macLen;      /* needs to be encrypted */
     PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024);
 
     /*
      * Pad the text (if we're doing a block cipher)
      * then Encrypt it
      */
     if (cipher_def->type == type_block) {
         unsigned char * pBuf;
         int             padding_length;
         int             i;
 
         oddLen = contentLen % cipher_def->block_size;
         /* Assume blockSize is a power of two */
         padding_length = cipher_def->block_size - 1 -
                         ((fragLen) & (cipher_def->block_size - 1));
         fragLen += padding_length + 1;
         PORT_Assert((fragLen % cipher_def->block_size) == 0);
 
         /* Pad according to TLS rules (also acceptable to SSL3). */
-        pBuf = &wrBuf->buf[SSL3_RECORD_HEADER_LENGTH + ivLen + fragLen - 1];
+        pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1];
         for (i = padding_length + 1; i > 0; --i) {
             *pBuf-- = padding_length;
         }
         /* now, if contentLen is not a multiple of block size, fix it */
         p2Len = fragLen - p1Len;
     }
     if (p1Len < 256) {
         oddLen = p1Len;
         p1Len = 0;
     } else {
         p1Len -= oddLen;
     }
     if (oddLen) {
         p2Len += oddLen;
         PORT_Assert( (cipher_def->block_size < 2) || \
                      (p2Len % cipher_def->block_size) == 0);
-        memmove(wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen + p1Len,
-                pIn + p1Len, oddLen);
+        memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len, oddLen);
     }
     if (p1Len > 0) {
         int cipherBytesPart1 = -1;
         rv = cwSpec->encode( cwSpec->encodeContext, 
-            wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen, /* output */
+            wrBuf->buf + headerLen + ivLen,         /* output */
             &cipherBytesPart1,                      /* actual outlen */
             p1Len,                                  /* max outlen */
             pIn, p1Len);                      /* input, and inputlen */
         PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len);
         if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) {
             PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
             return SECFailure;
         }
         cipherBytes += cipherBytesPart1;
     }
     if (p2Len > 0) {
         int cipherBytesPart2 = -1;
         rv = cwSpec->encode( cwSpec->encodeContext, 
-            wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen + p1Len,
+            wrBuf->buf + headerLen + ivLen + p1Len,
             &cipherBytesPart2,          /* output and actual outLen */
             p2Len,                             /* max outlen */
-            wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen + p1Len,
+            wrBuf->buf + headerLen + ivLen + p1Len,
             p2Len);                            /* input and inputLen*/
         PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len);
         if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) {
             PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
             return SECFailure;
         }
         cipherBytes += cipherBytesPart2;
     }   
     PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024);
 
+    wrBuf->len    = cipherBytes + headerLen;
+    wrBuf->buf[0] = type;
+    if (isDTLS) {
+        SSL3ProtocolVersion version;
+
+        version = dtls_TLSVersionToDTLSVersion(cwSpec->version);
+        wrBuf->buf[1] = MSB(version);
+        wrBuf->buf[2] = LSB(version);
+        wrBuf->buf[3] = (unsigned char)(cwSpec->write_seq_num.high >> 24);
+        wrBuf->buf[4] = (unsigned char)(cwSpec->write_seq_num.high >> 16);
+        wrBuf->buf[5] = (unsigned char)(cwSpec->write_seq_num.high >>  8);
+        wrBuf->buf[6] = (unsigned char)(cwSpec->write_seq_num.high >>  0);
+        wrBuf->buf[7] = (unsigned char)(cwSpec->write_seq_num.low  >> 24);
+        wrBuf->buf[8] = (unsigned char)(cwSpec->write_seq_num.low  >> 16);
+        wrBuf->buf[9] = (unsigned char)(cwSpec->write_seq_num.low  >>  8);
+        wrBuf->buf[10] = (unsigned char)(cwSpec->write_seq_num.low >>  0);
+        wrBuf->buf[11] = MSB(cipherBytes);
+        wrBuf->buf[12] = LSB(cipherBytes);
+    } else {
+        wrBuf->buf[1] = MSB(cwSpec->version);
+        wrBuf->buf[2] = LSB(cwSpec->version);
+        wrBuf->buf[3] = MSB(cipherBytes);
+        wrBuf->buf[4] = LSB(cipherBytes);
+    }
+
     ssl3_BumpSequenceNumber(&cwSpec->write_seq_num);
 
-    wrBuf->len    = cipherBytes + SSL3_RECORD_HEADER_LENGTH;
-    wrBuf->buf[0] = type;
-    wrBuf->buf[1] = MSB(cwSpec->version);
-    wrBuf->buf[2] = LSB(cwSpec->version);
-    wrBuf->buf[3] = MSB(cipherBytes);
-    wrBuf->buf[4] = LSB(cipherBytes);
-
     return SECSuccess;
 }
 
 /* Process the plain text before sending it.
  * Returns the number of bytes of plaintext that were successfully sent
  *      plus the number of bytes of plaintext that were copied into the
  *      output (write) buffer.
  * Returns SECFailure on a hard IO error, memory error, or crypto error.
  * Does NOT return SECWouldBlock.
  *
  * Notes on the use of the private ssl flags:
  * (no private SSL flags)
  *    Attempt to make and send SSL records for all plaintext
  *    If non-blocking and a send gets WOULD_BLOCK,
  *    or if the pending (ciphertext) buffer is not empty,
  *    then buffer remaining bytes of ciphertext into pending buf,
  *    and continue to do that for all succssive records until all
  *    bytes are used.
  * ssl_SEND_FLAG_FORCE_INTO_BUFFER
  *    As above, except this suppresses all write attempts, and forces
  *    all ciphertext into the pending ciphertext buffer.
+ * ssl_SEND_FLAG_USE_EPOCH (for DTLS)
+ *    Forces the use of the provided epoch
  *
  */
-static PRInt32
+PRInt32
 ssl3_SendRecord(   sslSocket *        ss,
+                   DTLSEpoch          epoch, /* DTLS only */
                    SSL3ContentType    type,
                    const SSL3Opaque * pIn,   /* input buffer */
                    PRInt32            nIn,   /* bytes of input */
                    PRInt32            flags)
 {
     sslBuffer      *          wrBuf       = &ss->sec.writeBuf;
     SECStatus                 rv;
     PRInt32                   totalSent   = 0;
 
     SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d",
@@ skipping 51 matching lines @@
                 SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes",
                          SSL_GETPID(), ss->fd, spaceNeeded));
                 goto spec_locked_loser; /* sslBuffer_Grow set error code. */
             }
         }
 
         if (numRecords == 2) {
             sslBuffer secondRecord;
 
             rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
-                                               ss->sec.isServer, type, pIn, 1,
-                                               wrBuf);
+                                               ss->sec.isServer, IS_DTLS(ss),
+                                               type, pIn, 1, wrBuf);
             if (rv != SECSuccess)
                 goto spec_locked_loser;
 
             PRINT_BUF(50, (ss, "send (encrypted) record data [1/2]:",
                            wrBuf->buf, wrBuf->len));
 
             secondRecord.buf = wrBuf->buf + wrBuf->len;
             secondRecord.len = 0;
             secondRecord.space = wrBuf->space - wrBuf->len;
 
             rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
-                                               ss->sec.isServer, type, pIn + 1,
-                                               contentLen - 1, &secondRecord);
+                                               ss->sec.isServer, IS_DTLS(ss),
+                                               type, pIn + 1, contentLen - 1,
+                                               &secondRecord);
             if (rv == SECSuccess) {
                 PRINT_BUF(50, (ss, "send (encrypted) record data [2/2]:",
                                secondRecord.buf, secondRecord.len));
                 wrBuf->len += secondRecord.len;
             }
         } else {
-            rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
-                                               ss->sec.isServer, type, pIn,
-                                               contentLen, wrBuf);
+            if (!IS_DTLS(ss)) {
+                rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
+                                                   ss->sec.isServer,
+                                                   IS_DTLS(ss),
+                                                   type, pIn,
+                                                   contentLen, wrBuf);
+            } else {
+                rv = dtls_CompressMACEncryptRecord(ss, epoch,
+                                                   !!(flags & ssl_SEND_FLAG_USE_EPOCH),
+                                                   type, pIn,
+                                                   contentLen, wrBuf);
+            }
+
             if (rv == SECSuccess) {
                 PRINT_BUF(50, (ss, "send (encrypted) record data:",
                                wrBuf->buf, wrBuf->len));
             }
         }
 
 spec_locked_loser:
         ssl_ReleaseSpecReadLock(ss); /************************************/
 
         if (rv != SECSuccess)
@@ skipping 37 matching lines @@
             if (sent < 0) {
                 if (PR_GetError() != PR_WOULD_BLOCK_ERROR) {
                     ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE);
                     return SECFailure;
                 }
                 /* we got PR_WOULD_BLOCK_ERROR, which means none was sent. */
                 sent = 0;
             }
             wrBuf->len -= sent;
             if (wrBuf->len) {
+                if (IS_DTLS(ss)) {
+                    /* DTLS just says no in this case. No buffering */
+                    PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
+                    return SECFailure;
+                }
                 /* now take all the remaining unsent new ciphertext and 
                  * append it to the buffer of previously unsent ciphertext.
                  */
                 rv = ssl_SaveWriteData(ss, wrBuf->buf + sent, wrBuf->len);
                 if (rv != SECSuccess) {
                     /* presumably a memory error, SEC_ERROR_NO_MEMORY */
                     return SECFailure;
                 }
             }
         }
         totalSent += contentLen;
     }
     return totalSent;
 }
 
 #define SSL3_PENDING_HIGH_WATER 1024
 
 /* Attempt to send the content of "in" in an SSL application_data record.
  * Returns "len" or SECFailure,   never SECWouldBlock, nor SECSuccess.
  */
 int
 ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in,
                          PRInt32 len, PRInt32 flags)
 {
     PRInt32   totalSent = 0;
     PRInt32   discarded = 0;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
+    /* These flags for internal use only */
+    PORT_Assert(!(flags & (ssl_SEND_FLAG_USE_EPOCH |
+                           ssl_SEND_FLAG_NO_RETRANSMIT)));
     if (len < 0 || !in) {
         PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
         return SECFailure;
     }
 
     if (ss->pendingBuf.len > SSL3_PENDING_HIGH_WATER &&
         !ssl_SocketIsBlocking(ss)) {
         PORT_Assert(!ssl_SocketIsBlocking(ss));
         PORT_SetError(PR_WOULD_BLOCK_ERROR);
         return SECFailure;
@@ skipping 17 matching lines @@
              * The thread yield is intended to give the reader thread a
              * chance to get some cycles while the writer thread is in
              * the middle of a large application data write.  (See
              * Bugzilla bug 127740, comment #1.)
              */
             ssl_ReleaseXmitBufLock(ss);
             PR_Sleep(PR_INTERVAL_NO_WAIT);      /* PR_Yield(); */
             ssl_GetXmitBufLock(ss);
         }
         toSend = PR_MIN(len - totalSent, MAX_FRAGMENT_LENGTH);
-        sent = ssl3_SendRecord(ss, content_application_data, 
+        /*
+         * Note that the 0 epoch is OK because flags will never require 
+         * its use, as guaranteed by the PORT_Assert above.
+         */
+        sent = ssl3_SendRecord(ss, 0, content_application_data,
                                in + totalSent, toSend, flags);
         if (sent < 0) {
             if (totalSent > 0 && PR_GetError() == PR_WOULD_BLOCK_ERROR) {
                 PORT_Assert(ss->lastWriteBlocked);
                 break;
             }
             return SECFailure; /* error code set by ssl3_SendRecord */
         }
         totalSent += sent;
         if (ss->pendingBuf.len) {
@@ skipping 14 matching lines @@
         if (totalSent <= 0) {
             PORT_SetError(PR_WOULD_BLOCK_ERROR);
             totalSent = SECFailure;
         }
         return totalSent;
     } 
     ss->appDataBuffered = 0;
     return totalSent + discarded;
 }
 
-/* Attempt to send the content of sendBuf buffer in an SSL handshake record.
+/* Attempt to send buffered handshake messages.
  * This function returns SECSuccess or SECFailure, never SECWouldBlock.
  * Always set sendBuf.len to 0, even when returning SECFailure.
  *
+ * Depending on whether we are doing DTLS or not, this either calls
+ *
+ * - ssl3_FlushHandshakeMessages if non-DTLS
+ * - dtls_FlushHandshakeMessages if DTLS
+ *
  * Called from SSL3_SendAlert(), ssl3_SendChangeCipherSpecs(),
  *             ssl3_AppendHandshake(), ssl3_SendClientHello(),
  *             ssl3_SendHelloRequest(), ssl3_SendServerHelloDone(),
  *             ssl3_SendFinished(),
  */
 static SECStatus
 ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags)
 {
+    if (IS_DTLS(ss)) {
+        return dtls_FlushHandshakeMessages(ss, flags);
+    } else {
+        return ssl3_FlushHandshakeMessages(ss, flags);
+    }
+}
+
+/* Attempt to send the content of sendBuf buffer in an SSL handshake record.
+ * This function returns SECSuccess or SECFailure, never SECWouldBlock.
+ * Always set sendBuf.len to 0, even when returning SECFailure.
+ *
+ * Called from ssl3_FlushHandshake
+ */
+static SECStatus
+ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags)
+{
     PRInt32 rv = SECSuccess;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
 
     if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len)
         return rv;
 
     /* only this flag is allowed */
     PORT_Assert(!(flags & ~ssl_SEND_FLAG_FORCE_INTO_BUFFER));
     if ((flags & ~ssl_SEND_FLAG_FORCE_INTO_BUFFER) != 0) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         rv = SECFailure;
     } else {
-        rv = ssl3_SendRecord(ss, content_handshake, ss->sec.ci.sendBuf.buf,
+        rv = ssl3_SendRecord(ss, 0, content_handshake, ss->sec.ci.sendBuf.buf,
                              ss->sec.ci.sendBuf.len, flags);
     }
     if (rv < 0) { 
         int err = PORT_GetError();
         PORT_Assert(err != PR_WOULD_BLOCK_ERROR);
         if (err == PR_WOULD_BLOCK_ERROR) {
             PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         }
     } else if (rv < ss->sec.ci.sendBuf.len) {
         /* short write should never happen */
@@ skipping 96 matching lines @@
     ssl_GetSSL3HandshakeLock(ss);
     if (level == alert_fatal) {
         if (ss->sec.ci.sid) {
             ss->sec.uncache(ss->sec.ci.sid);
         }
     }
     ssl_GetXmitBufLock(ss);
     rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
     if (rv == SECSuccess) {
         PRInt32 sent;
-        sent = ssl3_SendRecord(ss, content_alert, bytes, 2, 
+        sent = ssl3_SendRecord(ss, 0, content_alert, bytes, 2, 
                                desc == no_certificate 
                                ? ssl_SEND_FLAG_FORCE_INTO_BUFFER : 0);
         rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
     }
     ssl_ReleaseXmitBufLock(ss);
     ssl_ReleaseSSL3HandshakeLock(ss);
     return rv;  /* error set by ssl3_FlushHandshake or ssl3_SendRecord */
 }
 
 /*
@@ skipping 53 matching lines @@
     SSL_DBG(("%d: SSL3[%d]: peer certificate is no good: error=%d",
              SSL_GETPID(), ss->fd, errCode));
 
     (void) SSL3_SendAlert(ss, alert_fatal, desc);
 }
 
 
 /*
  * Send handshake_Failure alert.  Set generic error number.
  */
-static SECStatus
+SECStatus
 ssl3_DecodeError(sslSocket *ss)
 {
     (void)SSL3_SendAlert(ss, alert_fatal, 
                   ss->version > SSL_LIBRARY_VERSION_3_0 ? decode_error 
                                                         : illegal_parameter);
     PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
                                     : SSL_ERROR_BAD_SERVER );
     return SECFailure;
 }
 
@@ skipping 67 matching lines @@
                         error = SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT; break;
     case unrecognized_name: 
                         error = SSL_ERROR_UNRECOGNIZED_NAME_ALERT;        break;
     case bad_certificate_status_response: 
                         error = SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT; break;
     case bad_certificate_hash_value: 
                         error = SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT;      break;
     default:            error = SSL_ERROR_RX_UNKNOWN_ALERT;               break;
     }
     if (level == alert_fatal) {
-        ss->sec.uncache(ss->sec.ci.sid);
+        if (!ss->opt.noCache)
+            ss->sec.uncache(ss->sec.ci.sid);
         if ((ss->ssl3.hs.ws == wait_server_hello) &&
             (desc == handshake_failure)) {
             /* XXX This is a hack.  We're assuming that any handshake failure
              * XXX on the client hello is a failure to match ciphers.
              */
             error = SSL_ERROR_NO_CYPHER_OVERLAP;
         }
         PORT_SetError(error);
         return SECFailure;
     }
@@ skipping 30 matching lines @@
     SSL_TRC(3, ("%d: SSL3[%d]: send change_cipher_spec record",
                 SSL_GETPID(), ss->fd));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
     if (rv != SECSuccess) {
         return rv;      /* error code set by ssl3_FlushHandshake */
     }
-    sent = ssl3_SendRecord(ss, content_change_cipher_spec, &change, 1,
-                              ssl_SEND_FLAG_FORCE_INTO_BUFFER);
-    if (sent < 0) {
-        return (SECStatus)sent; /* error code set by ssl3_SendRecord */
+    if (!IS_DTLS(ss)) {
+        sent = ssl3_SendRecord(ss, 0, content_change_cipher_spec, &change, 1,
+                               ssl_SEND_FLAG_FORCE_INTO_BUFFER);
+        if (sent < 0) {
+            return (SECStatus)sent;     /* error code set by ssl3_SendRecord */
+        }
+    } else {
+        rv = dtls_QueueMessage(ss, content_change_cipher_spec, &change, 1);
+        if (rv != SECSuccess) {
+            return rv;
+        }
     }
 
     /* swap the pending and current write specs. */
     ssl_GetSpecWriteLock(ss);   /**************************************/
     pwSpec                     = ss->ssl3.pwSpec;
-    pwSpec->write_seq_num.high = 0;
-    pwSpec->write_seq_num.low  = 0;
 
     ss->ssl3.pwSpec = ss->ssl3.cwSpec;
     ss->ssl3.cwSpec = pwSpec;
 
     SSL_TRC(3, ("%d: SSL3[%d] Set Current Write Cipher Suite to Pending",
                 SSL_GETPID(), ss->fd ));
 
     /* We need to free up the contexts, keys and certs ! */
     /* If we are really through with the old cipher spec
      * (Both the read and write sides have changed) destroy it.
      */
     if (ss->ssl3.prSpec == ss->ssl3.pwSpec) {
-        ssl3_DestroyCipherSpec(ss->ssl3.pwSpec, PR_FALSE/*freeSrvName*/);
+        if (!IS_DTLS(ss)) {
+            ssl3_DestroyCipherSpec(ss->ssl3.pwSpec, PR_FALSE/*freeSrvName*/);
+        } else {
+            /* With DTLS, we need to set a holddown timer in case the final
+             * message got lost */
+            ss->ssl3.hs.rtTimeoutMs = DTLS_FINISHED_TIMER_MS;
+            dtls_StartTimer(ss, dtls_FinishedTimerCb);
+        }
     }
     ssl_ReleaseSpecWriteLock(ss); /**************************************/
 
     return SECSuccess;
 }
 
 /* Called from ssl3_HandleRecord.
 ** Caller must hold both RecvBuf and Handshake locks.
  *
  * Acquires and releases spec write lock, to protect switching the current
@@ skipping 28 matching lines @@
         /* illegal_parameter is correct here for both SSL3 and TLS. */
         (void)ssl3_IllegalParameter(ss);
         PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
         return SECFailure;
     }
     buf->len = 0;
 
     /* Swap the pending and current read specs. */
     ssl_GetSpecWriteLock(ss);   /*************************************/
     prSpec                    = ss->ssl3.prSpec;
-    prSpec->read_seq_num.high = prSpec->read_seq_num.low = 0;
 
     ss->ssl3.prSpec  = ss->ssl3.crSpec;
     ss->ssl3.crSpec  = prSpec;
 
     if (ss->sec.isServer &&
         ss->opt.requestCertificate &&
         ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
         ss->ssl3.hs.ws = wait_client_cert;
     } else {
         ss->ssl3.hs.ws = wait_finished;
@@ skipping 82 matching lines @@
                                  keyData->data, keyData->len);
                 }
             }
         }
 #endif
         pwSpec->master_secret = PK11_DeriveWithFlags(pms, master_derive, 
                                 &params, key_derive, CKA_DERIVE, 0, keyFlags);
         if (!isDH && pwSpec->master_secret && ss->opt.detectRollBack) {
             SSL3ProtocolVersion client_version;
             client_version = pms_version.major << 8 | pms_version.minor;
+
+            if (IS_DTLS(ss)) {
+                client_version = dtls_DTLSVersionToTLSVersion(client_version);
+            }
+
             if (client_version != ss->clientHelloVersion) {
                 /* Destroy it.  Version roll-back detected. */
                 PK11_FreeSymKey(pwSpec->master_secret);
                 pwSpec->master_secret = NULL;
             }
         }
         if (pwSpec->master_secret == NULL) {
             /* Generate a faux master secret in the same slot as the old one. */
             PK11SlotInfo * slot = PK11_GetSlotFromKey((PK11SymKey *)pms);
             PK11SymKey *   fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot);
@@ skipping 404 matching lines @@
     SSL_TRC(60, ("data:"));
     rv = ssl3_AppendHandshake(ss, src, bytes);
     return rv;  /* error code set by AppendHandshake, if applicable. */
 }
 
 SECStatus
 ssl3_AppendHandshakeHeader(sslSocket *ss, SSL3HandshakeType t, PRUint32 length)
 {
     SECStatus rv;
 
+    /* If we already have a message in place, we need to enqueue it.
+     * This empties the buffer. This is a convenient place to call
+     * dtls_StageHandshakeMessage to mark the message boundary.
+     */
+    if (IS_DTLS(ss)) {
+        rv = dtls_StageHandshakeMessage(ss);
+        if (rv != SECSuccess) {
+            return rv;
+        }
+    }
+
     SSL_TRC(30,("%d: SSL3[%d]: append handshake header: type %s",
         SSL_GETPID(), ss->fd, ssl3_DecodeHandshakeType(t)));
     PRINT_BUF(60, (ss, "MD5 handshake hash:",
                   (unsigned char*)ss->ssl3.hs.md5_cx, MD5_LENGTH));
     PRINT_BUF(95, (ss, "SHA handshake hash:",
                   (unsigned char*)ss->ssl3.hs.sha_cx, SHA1_LENGTH));
 
     rv = ssl3_AppendHandshakeNumber(ss, t, 1);
     if (rv != SECSuccess) {
         return rv;      /* error code set by AppendHandshake, if applicable. */
     }
     rv = ssl3_AppendHandshakeNumber(ss, length, 3);
+    if (rv != SECSuccess) {
+        return rv;      /* error code set by AppendHandshake, if applicable. */
+    }
+
+    if (IS_DTLS(ss)) {
+        /* Note that we make an unfragmented message here. We fragment in the
+         * transmission code, if necessary */
+        rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.sendMessageSeq, 2);
+        if (rv != SECSuccess) {
+            return rv;  /* error code set by AppendHandshake, if applicable. */
+        }
+        ss->ssl3.hs.sendMessageSeq++;
+
+        /* 0 is the fragment offset, because it's not fragmented yet */
+        rv = ssl3_AppendHandshakeNumber(ss, 0, 3);
+        if (rv != SECSuccess) {
+            return rv;  /* error code set by AppendHandshake, if applicable. */
+        }
+
+        /* Fragment length -- set to the packet length because not fragmented */
+        rv = ssl3_AppendHandshakeNumber(ss, length, 3);
+        if (rv != SECSuccess) {
+            return rv;  /* error code set by AppendHandshake, if applicable. */
+        }
+    }
+
     return rv;          /* error code set by AppendHandshake, if applicable. */
 }
 
 /**************************************************************************
  * Consume Handshake functions.
  *
  * All data used in these functions is protected by two locks,
  * the RecvBufLock and the SSL3HandshakeLock
  **************************************************************************/
 
@@ skipping 386 matching lines @@
 }
 
 /**************************************************************************
  * end of Handshake Hash functions.
  * Begin Send and Handle functions for handshakes.
  **************************************************************************/
 
 /* Called from ssl3_HandleHelloRequest(),
  *             ssl3_RedoHandshake()
  *             ssl2_BeginClientHandshake (when resuming ssl3 session)
+ *             dtls_HandleHelloVerifyRequest(with resending=PR_TRUE)
  */
 SECStatus
-ssl3_SendClientHello(sslSocket *ss)
+ssl3_SendClientHello(sslSocket *ss, PRBool resending)
 {
     sslSessionID *   sid;
     ssl3CipherSpec * cwSpec;
     SECStatus        rv;
     int              i;
     int              length;
     int              num_suites;
     int              actual_count = 0;
     PRBool           isTLS = PR_FALSE;
     PRInt32          total_exten_len = 0;
     unsigned         numCompressionMethods;
 
     SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(),
                 ss->fd));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
 
     rv = ssl3_InitState(ss);
     if (rv != SECSuccess) {
         return rv;              /* ssl3_InitState has set the error code. */
     }
     ss->ssl3.hs.sendingSCSV = PR_FALSE; /* Must be reset every handshake */
+    PORT_Assert(IS_DTLS(ss) || !resending);
 
     /* We might be starting a session renegotiation in which case we should
      * clear previous state.
      */
     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
 
     SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
             SSL_GETPID(), ss->fd ));
     rv = ssl3_RestartHandshakeHashes(ss);
     if (rv != SECSuccess) {
@@ skipping 139 matching lines @@
             total_exten_len += 2;
     }
 
 #if defined(NSS_ENABLE_ECC) && !defined(NSS_ECC_MORE_THAN_SUITE_B)
     if (!total_exten_len || !isTLS) {
         /* not sending the elliptic_curves and ec_point_formats extensions */
         ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */
     }
 #endif
 
+    if (IS_DTLS(ss)) {
+        ssl3_DisableNonDTLSSuites(ss);
+    }
+
     /* how many suites are permitted by policy and user preference? */
     num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE);
     if (!num_suites)
         return SECFailure;      /* count_cipher_suites has set error code. */
     if (ss->ssl3.hs.sendingSCSV) {
         ++num_suites;   /* make room for SCSV */
     }
 
     /* count compression methods */
     numCompressionMethods = 0;
     for (i = 0; i < compressionMethodsCount; i++) {
         if (compressionEnabled(ss, compressions[i]))
             numCompressionMethods++;
     }
 
     length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH +
         1 + ((sid == NULL) ? 0 : sid->u.ssl3.sessionIDLength) +
         2 + num_suites*sizeof(ssl3CipherSuite) +
         1 + numCompressionMethods + total_exten_len;
+    if (IS_DTLS(ss)) {
+        length += 1 + ss->ssl3.hs.cookieLen;
+    }
 
     rv = ssl3_AppendHandshakeHeader(ss, client_hello, length);
     if (rv != SECSuccess) {
         return rv;      /* err set by ssl3_AppendHandshake* */
     }
 
     ss->clientHelloVersion = ss->version;
-    rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2);
+    if (IS_DTLS(ss)) {
+        PRUint16 version;
+
+        version = dtls_TLSVersionToDTLSVersion(ss->clientHelloVersion);
+        rv = ssl3_AppendHandshakeNumber(ss, version, 2);
+    } else {
+        rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2);
+    }
     if (rv != SECSuccess) {
         return rv;      /* err set by ssl3_AppendHandshake* */
     }
-    rv = ssl3_GetNewRandom(&ss->ssl3.hs.client_random);
-    if (rv != SECSuccess) {
-        return rv;      /* err set by GetNewRandom. */
+
+    if (!resending) { /* Don't re-generate if we are in DTLS re-sending mode */
+        rv = ssl3_GetNewRandom(&ss->ssl3.hs.client_random);
+        if (rv != SECSuccess) {
+            return rv;  /* err set by GetNewRandom. */
+        }
     }
     rv = ssl3_AppendHandshake(ss, &ss->ssl3.hs.client_random,
                               SSL3_RANDOM_LENGTH);
     if (rv != SECSuccess) {
         return rv;      /* err set by ssl3_AppendHandshake* */
     }
 
     if (sid)
         rv = ssl3_AppendHandshakeVariable(
             ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
     else
         rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
     if (rv != SECSuccess) {
         return rv;      /* err set by ssl3_AppendHandshake* */
     }
 
+    if (IS_DTLS(ss)) {
+        rv = ssl3_AppendHandshakeVariable(
+            ss, ss->ssl3.hs.cookie, ss->ssl3.hs.cookieLen, 1);
+        if (rv != SECSuccess) {
+            return rv;  /* err set by ssl3_AppendHandshake* */
+        }
+    }
+
     rv = ssl3_AppendHandshakeNumber(ss, num_suites*sizeof(ssl3CipherSuite), 2);
     if (rv != SECSuccess) {
         return rv;      /* err set by ssl3_AppendHandshake* */
     }
 
     if (ss->ssl3.hs.sendingSCSV) {
         /* Add the actual SCSV */
         rv = ssl3_AppendHandshakeNumber(ss, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
                                         sizeof(ssl3CipherSuite));
         if (rv != SECSuccess) {
@@ skipping 103 matching lines @@
         PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
         return SECFailure;
     }
 
     if (sid) {
         ss->sec.uncache(sid);
         ssl_FreeSID(sid);
         ss->sec.ci.sid = NULL;
     }
 
+    if (IS_DTLS(ss)) {
+        dtls_RehandshakeCleanup(ss);
+    }
+
     ssl_GetXmitBufLock(ss);
-    rv = ssl3_SendClientHello(ss);
+    rv = ssl3_SendClientHello(ss, PR_FALSE);
     ssl_ReleaseXmitBufLock(ss);
 
     return rv;
 }
 
 #define UNKNOWN_WRAP_MECHANISM 0x7fffffff
 
 static const CK_MECHANISM_TYPE wrapMechanismList[SSL_NUM_WRAP_MECHS] = {
     CKM_DES3_ECB,
     CKM_CAST5_ECB,
@@ skipping 834 matching lines @@
        ss->ssl3.platformClientKey = (PlatformKey)NULL;
     }
 #endif  /* NSS_PLATFORM_CLIENT_AUTH */
 
     temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
     if (temp < 0) {
         goto loser;     /* alert has been sent */
     }
     version = (SSL3ProtocolVersion)temp;
 
+    if (IS_DTLS(ss)) {
+        /* RFC 4347 required that you verify that the server versions
+         * match (S 4.2.1) in the HelloVerifyRequest and the ServerHello
+         *
+         * RFC 6347 suggests (SHOULD) that servers always use 1.0
+         * in HelloVerifyRequest and allows the versions not to match,
+         * esp. when 1.2 is being negotiated.
+         *
+         * Therefore we do not check for matching here.
+         */
+        version = dtls_DTLSVersionToTLSVersion(version);
+        if (version == 0) {  /* Insane version number */
+            goto alert_loser;
+        }
+    }
+
     rv = ssl3_NegotiateVersion(ss, version, PR_FALSE);
     if (rv != SECSuccess) {
         desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version 
                                                    : handshake_failure;
         errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
         goto alert_loser;
     }
     isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
 
     rv = ssl3_ConsumeHandshake(
@@ skipping 1208 matching lines @@
     sslSessionID *      sid      = NULL;
     PRInt32             tmp;
     unsigned int        i;
     int                 j;
     SECStatus           rv;
     int                 errCode  = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO;
     SSL3AlertDescription desc    = illegal_parameter;
     SSL3AlertLevel      level    = alert_fatal;
     SSL3ProtocolVersion version;
     SECItem             sidBytes = {siBuffer, NULL, 0};
+    SECItem             cookieBytes = {siBuffer, NULL, 0};
     SECItem             suites   = {siBuffer, NULL, 0};
     SECItem             comps    = {siBuffer, NULL, 0};
     PRBool              haveSpecWriteLock = PR_FALSE;
     PRBool              haveXmitBufLock   = PR_FALSE;
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake",
         SSL_GETPID(), ss->fd));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     /* Get peer name of client */
     rv = ssl_GetPeerInfo(ss);
     if (rv != SECSuccess) {
         return rv;              /* error code is set. */
     }
 
+    /* Clearing the handshake pointers so that ssl_Do1stHandshake won't
+     * call ssl2_HandleMessage.
+     *
+     * The issue here is that TLS ordinarily starts out in
+     * ssl2_HandleV3HandshakeRecord() because of the backward-compatibility
+     * code paths. That function zeroes these next pointers. But with DTLS,
+     * we don't even try to do the v2 ClientHello so we skip that function
+     * and need to reset these values here.
+     */
+    if (IS_DTLS(ss)) {
+        ss->nextHandshake     = NULL;
+        ss->securityHandshake = NULL;
+    }

[wtc, 2012/03/22 21:59:54]

ekr: I put this code inside IS_DTLS(ss) to reduce risk.

[Ryan Sleevi, 2012/03/22 22:26:37]

See my note about the whole firstHandshakeLock needing to be held here.

+
     /* We might be starting session renegotiation in which case we should
      * clear previous state.
      */
     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
     ss->statelessResume = PR_FALSE;
 
     rv = ssl3_InitState(ss);
     if (rv != SECSuccess) {
         return rv;              /* ssl3_InitState has set the error code. */
     }
 
     if ((ss->ssl3.hs.ws != wait_client_hello) &&
         (ss->ssl3.hs.ws != idle_handshake)) {
         desc    = unexpected_message;
         errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO;
         goto alert_loser;
     }
     if (ss->ssl3.hs.ws == idle_handshake  &&
         ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) {
         desc    = no_renegotiation;
         level   = alert_warning;
         errCode = SSL_ERROR_RENEGOTIATION_NOT_ALLOWED;
         goto alert_loser;
     }
 
+    if (IS_DTLS(ss)) {
+        dtls_RehandshakeCleanup(ss);
+    }
+
     tmp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
     if (tmp < 0)
         goto loser;             /* malformed, alert already sent */
-    ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp;
+
+    /* Translate the version */
+    if (IS_DTLS(ss)) {
+        ss->clientHelloVersion = version =
+            dtls_DTLSVersionToTLSVersion((SSL3ProtocolVersion)tmp);
+    } else {
+        ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp;
+    }
+
     rv = ssl3_NegotiateVersion(ss, version, PR_TRUE);
     if (rv != SECSuccess) {
         desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version 
                                                    : handshake_failure;
         errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
         goto alert_loser;
     }
 
     /* grab the client random data. */
     rv = ssl3_ConsumeHandshake(
         ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length);
     if (rv != SECSuccess) {
         goto loser;             /* malformed */
     }
 
     /* grab the client's SID, if present. */
     rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length);
     if (rv != SECSuccess) {
         goto loser;             /* malformed */
     }
 
+    /* grab the client's cookie, if present. */
+    if (IS_DTLS(ss)) {
+        rv = ssl3_ConsumeHandshakeVariable(ss, &cookieBytes, 1, &b, &length);
+        if (rv != SECSuccess) {
+            goto loser;         /* malformed */
+        }
+    }
+
     /* grab the list of cipher suites. */
     rv = ssl3_ConsumeHandshakeVariable(ss, &suites, 2, &b, &length);
     if (rv != SECSuccess) {
         goto loser;             /* malformed */
     }
 
     /* grab the list of compression methods. */
     rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length);
     if (rv != SECSuccess) {
         goto loser;             /* malformed */
@@ skipping 128 matching lines @@
             ssl_FreeSID(sid);
             sid = NULL;
         }
     }
 
 #ifdef NSS_ENABLE_ECC
     /* Disable any ECC cipher suites for which we have no cert. */
     ssl3_FilterECCipherSuitesByServerCerts(ss);
 #endif
 
+    if (IS_DTLS(ss)) {
+        ssl3_DisableNonDTLSSuites(ss);
+    }
+
 #ifdef PARANOID
     /* Look for a matching cipher suite. */
     j = ssl3_config_match_init(ss);
     if (j <= 0) {               /* no ciphers are working/supported by PK11 */
         errCode = PORT_GetError();      /* error code is already set. */
         goto alert_loser;
     }
 #endif
 
     /* If we already have a session for this client, be sure to pick the
@@ skipping 667 matching lines @@
 **      ssl3_SendServerHelloSequence <- ssl3_HandleV2ClientHello (new session)
 */
 static SECStatus
 ssl3_SendServerHello(sslSocket *ss)
 {
     sslSessionID *sid;
     SECStatus     rv;
     PRUint32      maxBytes = 65535;
     PRUint32      length;
     PRInt32       extensions_len = 0;
+    SSL3ProtocolVersion version;
 
     SSL_TRC(3, ("%d: SSL3[%d]: send server_hello handshake", SSL_GETPID(),
                 ss->fd));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-    PORT_Assert( MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0));
 
-    if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
-        PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
-        return SECFailure;
+    if (!IS_DTLS(ss)) {
+        PORT_Assert(MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0));
+
+        if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
+            PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
+            return SECFailure;
+        }
+    } else {
+        PORT_Assert(MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_DTLS_1_0));
+
+        if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_DTLS_1_0)) {
+            PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
+            return SECFailure;
+        }
     }
 
     sid = ss->sec.ci.sid;
 
     extensions_len = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes,
                                                &ss->xtnData.serverSenders[0]);
     if (extensions_len > 0)
         extensions_len += 2; /* Add sizeof total extension length */
 
     length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + 1 +
              ((sid == NULL) ? 0: sid->u.ssl3.sessionIDLength) +
              sizeof(ssl3CipherSuite) + 1 + extensions_len;
     rv = ssl3_AppendHandshakeHeader(ss, server_hello, length);
     if (rv != SECSuccess) {
         return rv;      /* err set by AppendHandshake. */
     }
 
-    rv = ssl3_AppendHandshakeNumber(ss, ss->version, 2);
+    if (IS_DTLS(ss)) {
+        version = dtls_TLSVersionToDTLSVersion(ss->version);
+    } else {
+        version = ss->version;
+    }
+
+    rv = ssl3_AppendHandshakeNumber(ss, version, 2);
     if (rv != SECSuccess) {
         return rv;      /* err set by AppendHandshake. */
     }
     rv = ssl3_GetNewRandom(&ss->ssl3.hs.server_random);
     if (rv != SECSuccess) {
         ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
         return rv;
     }
     rv = ssl3_AppendHandshake(
         ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH);
@@ skipping 164 matching lines @@
     ca_list = ss->ssl3.ca_list;
     if (!ca_list) {
         ca_list = ssl3_server_ca_list;
     }
 
     if (ca_list != NULL) {
         names = ca_list->names;
         nnames = ca_list->nnames;
     }
 
-    if (!nnames) {
-        PORT_SetError(SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA);
-        return SECFailure;
-    }
-
+    /* There used to be a test here to require a CA, but there
+     * are cases where you want to have no CAs offered. */
     for (i = 0, name = names; i < nnames; i++, name++) {
         calen += 2 + name->len;
     }
 
     certTypes       = certificate_types;
     certTypesLength = sizeof certificate_types;
 
     length = 1 + certTypesLength + 2 + calen;
 
     rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length);
@@ skipping 147 matching lines @@
            /* can't find a slot with all three, find a slot with the minimum */
             slot = PK11_GetBestSlotMultiple(mechanism_array, 2, pwArg);
             if (slot == NULL) {
                 PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND);
                 return pms;     /* which is NULL */
             }
         }
     }
 
     /* Generate the pre-master secret ...  */
-    version.major = MSB(ss->clientHelloVersion);
-    version.minor = LSB(ss->clientHelloVersion);
+    if (IS_DTLS(ss)) {
+        SSL3ProtocolVersion temp;
+
+        temp = dtls_TLSVersionToDTLSVersion(ss->clientHelloVersion);
+        version.major = MSB(temp);
+        version.minor = LSB(temp);
+    } else {
+        version.major = MSB(ss->clientHelloVersion);
+        version.minor = LSB(ss->clientHelloVersion);
+    }
 
     param.data = (unsigned char *)&version;
     param.len  = sizeof version;
 
     pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, &param, 0, pwArg);
     if (!serverKeySlot)
         PK11_FreeSlot(slot);
     if (pms == NULL) {
         ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
     }
@@ skipping 62 matching lines @@
          */
 
         rv = PK11_PrivDecryptPKCS1(serverKey, rsaPmsBuf, &outLen, 
                                    sizeof rsaPmsBuf, enc_pms.data, enc_pms.len);
         if (rv != SECSuccess) {
             /* triple bypass failed.  Let's try for a double bypass. */
             goto double_bypass;
         } else if (ss->opt.detectRollBack) {
             SSL3ProtocolVersion client_version = 
                                          (rsaPmsBuf[0] << 8) | rsaPmsBuf[1];
+
+            if (IS_DTLS(ss)) {
+                client_version = dtls_DTLSVersionToTLSVersion(client_version);
+            }
+
             if (client_version != ss->clientHelloVersion) {
                 /* Version roll-back detected. ensure failure.  */
                 rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf);
             }
         }
         /* have PMS, build MS without PKCS11 */
         rv = ssl3_MasterKeyDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS, 
                                         PR_TRUE);
         if (rv != SECSuccess) {
             pwSpec->msItem.data = pwSpec->raw_master_secret;
@@ skipping 1196 matching lines @@
             flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER;
         }
 
         if (!isServer && !ss->firstHsDone) {
             rv = ssl3_SendNextProto(ss);
             if (rv != SECSuccess) {
                 goto xmit_loser; /* err code was set. */
             }
         }
 
+        if (IS_DTLS(ss)) {
+            flags |= ssl_SEND_FLAG_NO_RETRANSMIT;
+        }
+
         rv = ssl3_SendFinished(ss, flags);
         if (rv != SECSuccess) {
             goto xmit_loser;    /* err is set. */
         }
     }
 
 xmit_loser:
     ssl_ReleaseXmitBufLock(ss); /*************************************/
     if (rv != SECSuccess) {
         return rv;
@@ skipping 109 matching lines @@
                                     ss->ssl3.hs.pending_cert_msg.len);
         SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE);
     }
     return rv;
 }
 
 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3
  * hanshake message.
  * Caller must hold Handshake and RecvBuf locks.
  */
-static SECStatus
+SECStatus
 ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 {
     SECStatus         rv        = SECSuccess;
     SSL3HandshakeType type      = ss->ssl3.hs.msg_type;
     SSL3Hashes        hashes;   /* computed hashes are put here. */
     PRUint8           hdr[4];
+    PRUint8           dtlsData[8];
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
     /*
      * We have to compute the hashes before we update them with the
      * current message.
      */
     ssl_GetSpecReadLock(ss);    /************************************/
     if((type == finished) || (type == certificate_verify)) {
         SSL3Sender      sender = (SSL3Sender)0;
@@ skipping 25 matching lines @@
 
     /* Start new handshake hashes when we start a new handshake */
     if (ss->ssl3.hs.msg_type == client_hello) {
         SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
                 SSL_GETPID(), ss->fd ));
         rv = ssl3_RestartHandshakeHashes(ss);
         if (rv != SECSuccess) {
             return rv;
         }
     }
-    /* We should not include hello_request messages in the handshake hashes */
-    if (ss->ssl3.hs.msg_type != hello_request) {
+    /* We should not include hello_request and hello_verify_request messages
+     * in the handshake hashes */
+    if ((ss->ssl3.hs.msg_type != hello_request) &&
+        (ss->ssl3.hs.msg_type != hello_verify_request)) {
         rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) hdr, 4);
         if (rv != SECSuccess) return rv;        /* err code already set. */
+
+        /* Extra data to simulate a complete DTLS handshake fragment */
+        if (IS_DTLS(ss)) {
+            /* Sequence number */
+            dtlsData[0] = MSB(ss->ssl3.hs.recvMessageSeq);
+            dtlsData[1] = LSB(ss->ssl3.hs.recvMessageSeq);
+
+            /* Fragment offset */
+            dtlsData[2] = 0;
+            dtlsData[3] = 0;
+            dtlsData[4] = 0;
+
+            /* Fragment length */
+            dtlsData[5] = (PRUint8)(length >> 16);
+            dtlsData[6] = (PRUint8)(length >>  8);
+            dtlsData[7] = (PRUint8)(length      );
+
+            rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) dtlsData,
+                                            sizeof(dtlsData));
+            if (rv != SECSuccess) return rv;    /* err code already set. */
+        }
+
+        /* The message body */
         rv = ssl3_UpdateHandshakeHashes(ss, b, length);
         if (rv != SECSuccess) return rv;        /* err code already set. */
     }
 
     PORT_SetError(0);   /* each message starts with no error. */
     switch (ss->ssl3.hs.msg_type) {
     case hello_request:
         if (length != 0) {
             (void)ssl3_DecodeError(ss);
             PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST);
@@ skipping 15 matching lines @@
         rv = ssl3_HandleClientHello(ss, b, length);
         break;
     case server_hello:
         if (ss->sec.isServer) {
             (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
             PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO);
             return SECFailure;
         }
         rv = ssl3_HandleServerHello(ss, b, length);
         break;
+    case hello_verify_request:
+        if (!IS_DTLS(ss) || ss->sec.isServer) {
+            (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+            PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST);
+            return SECFailure;
+        }
+        rv = dtls_HandleHelloVerifyRequest(ss, b, length);
+        break;
     case certificate:
         if (ss->ssl3.hs.may_get_cert_status) {
             /* If we might get a CertificateStatus then we want to postpone the
              * processing of the Certificate message until after we have
              * processed the CertificateStatus */
             if (ss->ssl3.hs.pending_cert_msg.data ||
                 ss->ssl3.hs.ws != wait_server_cert) {
                 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
                 (void)ssl_MapLowLevelError(SSL_ERROR_RX_UNEXPECTED_CERTIFICATE);
                 return SECFailure;
@@ skipping 78 matching lines @@
         rv = ssl3_HandleNewSessionTicket(ss, b, length);
         break;
     case finished:
         rv = ssl3_HandleFinished(ss, b, length, &hashes);
         break;
     default:
         (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
         PORT_SetError(SSL_ERROR_RX_UNKNOWN_HANDSHAKE);
         rv = SECFailure;
     }
+
+    if (IS_DTLS(ss) && (rv == SECSuccess)) {
+        /* Increment the expected sequence number */
+        ss->ssl3.hs.recvMessageSeq++;
+    }
+
     return rv;
 }
 
 /* Called only from ssl3_HandleRecord, for each (deciphered) ssl3 record.
  * origBuf is the decrypted ssl record content.
  * Caller must hold the handshake and RecvBuf locks.
  */
 static SECStatus
 ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
 {
@@ skipping 142 matching lines @@
     ssl3CipherSpec *     crSpec;
     SECStatus            rv;
     unsigned int         hashBytes = MAX_MAC_LENGTH + 1;
     unsigned int         padding_length;
     PRBool               isTLS;
     PRBool               padIsBad = PR_FALSE;
     SSL3ContentType      rType;
     SSL3Opaque           hash[MAX_MAC_LENGTH];
     sslBuffer           *plaintext;
     sslBuffer            temp_buf;
+    PRUint64             dtls_seq_num;
     unsigned int         ivLen = 0;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
 
     if (!ss->ssl3.initialized) {
         ssl_GetSSL3HandshakeLock(ss);
         rv = ssl3_InitState(ss);
         ssl_ReleaseSSL3HandshakeLock(ss);
         if (rv != SECSuccess) {
             return rv;          /* ssl3_InitState has set the error code. */
@@ skipping 15 matching lines @@
                  SSL_GETPID(), ss->fd));
         rType = content_handshake;
         goto process_it;
     }
 
     ssl_GetSpecReadLock(ss); /******************************************/
 
     crSpec = ss->ssl3.crSpec;
     cipher_def = crSpec->cipher_def;
 
+    /* 
+     * DTLS relevance checks:
+     * Note that this code currently ignores all out-of-epoch packets,
+     * which means we lose some in the case of rehandshake +
+     * loss/reordering. Since DTLS is explicitly unreliable, this
+     * seems like a good tradeoff for implementation effort and is
+     * consistent with the guidance of RFC 6347 S 4.1 and S 4.2.4.1
+     */
+    if (IS_DTLS(ss)) {
+        DTLSEpoch epoch = (cText->seq_num.high >> 16) & 0xffff;
+        
+        if (crSpec->epoch != epoch) {
+            ssl_ReleaseSpecReadLock(ss);
+            SSL_DBG(("%d: SSL3[%d]: HandleRecord, received packet "
+                     "from irrelevant epoch %d", SSL_GETPID(), ss->fd, epoch));
+            /* Silently drop the packet */
+            databuf->len = 0; /* Needed to ensure data not left around */
+            return SECSuccess;
+        }
+
+        dtls_seq_num = (((PRUint64)(cText->seq_num.high & 0xffff)) << 32) |
+                        ((PRUint64)cText->seq_num.low);
+
+        if (dtls_RecordGetRecvd(&crSpec->recvdRecords, dtls_seq_num)) {
+            ssl_ReleaseSpecReadLock(ss);
+            SSL_DBG(("%d: SSL3[%d]: HandleRecord, rejecting "
+                     "potentially replayed packet", SSL_GETPID(), ss->fd));
+            /* Silently drop the packet */
+            databuf->len = 0; /* Needed to ensure data not left around */
+            return SECSuccess;
+        }
+    }
+
     if (cipher_def->type == type_block &&
         crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
         /* Consume the per-record explicit IV. RFC 4346 Section 6.2.3.2 states
          * "The receiver decrypts the entire GenericBlockCipher structure and
          * then discards the first cipher block corresponding to the IV
          * component." Instead, we decrypt the first cipher block and then
          * discard it before decrypting the rest.
          */
         SSL3Opaque iv[MAX_IV_LENGTH];
         int decoded;
@@ skipping 101 matching lines @@
 
     /* Remove the MAC. */
     if (plaintext->len >= crSpec->mac_size)
         plaintext->len -= crSpec->mac_size;
     else
         padIsBad = PR_TRUE;     /* really macIsBad */
 
     /* compute the MAC */
     rType = cText->type;
     rv = ssl3_ComputeRecordMAC( crSpec, (PRBool)(!ss->sec.isServer),
-        rType, cText->version, crSpec->read_seq_num, 
+        IS_DTLS(ss), rType, cText->version,
+        IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num,
         plaintext->buf, plaintext->len, hash, &hashBytes);
     if (rv != SECSuccess) {
         padIsBad = PR_TRUE;     /* really macIsBad */
     }
 
     /* Check the MAC */
     if (hashBytes != (unsigned)crSpec->mac_size || padIsBad || 
         NSS_SecureMemcmp(plaintext->buf + plaintext->len, hash,
                          crSpec->mac_size) != 0) {
         /* must not hold spec lock when calling SSL3_SendAlert. */
         ssl_ReleaseSpecReadLock(ss);
-        SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
-        /* always log mac error, in case attacker can read server logs. */
-        PORT_SetError(SSL_ERROR_BAD_MAC_READ);
 
         SSL_DBG(("%d: SSL3[%d]: mac check failed", SSL_GETPID(), ss->fd));
 
-        return SECFailure;
+        if (!IS_DTLS(ss)) {
+            SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
+            /* always log mac error, in case attacker can read server logs. */
+            PORT_SetError(SSL_ERROR_BAD_MAC_READ);
+            return SECFailure;
+        } else {
+            /* Silently drop the packet */
+            databuf->len = 0; /* Needed to ensure data not left around */
+            return SECSuccess;
+        }
     }
 
-
-
-    ssl3_BumpSequenceNumber(&crSpec->read_seq_num);
+    if (!IS_DTLS(ss)) {
+        ssl3_BumpSequenceNumber(&crSpec->read_seq_num);
+    } else {
+        dtls_RecordSetRecvd(&crSpec->recvdRecords, dtls_seq_num);
+    }
 
     ssl_ReleaseSpecReadLock(ss); /*****************************************/
 
     /*
      * The decrypted data is now in plaintext.
      */
 
     /* possibly decompress the record. If we aren't using compression then
      * plaintext == databuf and so the uncompressed data is already in
      * databuf. */
@@ skipping 84 matching lines @@
     ** they return SECFailure or SECWouldBlock.
     */
     switch (rType) {
     case content_change_cipher_spec:
         rv = ssl3_HandleChangeCipherSpecs(ss, databuf);
         break;
     case content_alert:
         rv = ssl3_HandleAlert(ss, databuf);
         break;
     case content_handshake:
-        rv = ssl3_HandleHandshake(ss, databuf);
+        if (!IS_DTLS(ss)) {
+            rv = ssl3_HandleHandshake(ss, databuf);
+        } else {
+            rv = dtls_HandleHandshake(ss, databuf);
+        }
         break;
     /*
     case content_application_data is handled before this switch
     */
     default:
         SSL_DBG(("%d: SSL3[%d]: bogus content type=%d",
                  SSL_GETPID(), ss->fd, cText->type));
         /* XXX Send an alert ???  */
         PORT_SetError(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE);
         rv = SECFailure;
@@ skipping 39 matching lines @@
     spec->server.write_key         = NULL;
     spec->server.write_mac_key     = NULL;
     spec->server.write_mac_context = NULL;
 
     spec->write_seq_num.high       = 0;
     spec->write_seq_num.low        = 0;
 
     spec->read_seq_num.high        = 0;
     spec->read_seq_num.low         = 0;
 
+    spec->epoch                    = 0;
+    dtls_InitRecvdRecords(&spec->recvdRecords);
+
     spec->version                  = ss->vrange.max;
 }
 
 /* Called from: ssl3_SendRecord
 **              ssl3_StartHandshakeHash() <- ssl2_BeginClientHandshake()
 **              ssl3_SendClientHello()
 **              ssl3_HandleServerHello()
 **              ssl3_HandleClientHello()
 **              ssl3_HandleV2ClientHello()
 **              ssl3_HandleRecord()
@@ skipping 21 matching lines @@
     ssl3_InitCipherSpec(ss, ss->ssl3.prSpec);
 
     ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello;
 #ifdef NSS_ENABLE_ECC
     ss->ssl3.hs.negotiatedECCurves = SSL3_SUPPORTED_CURVES_MASK;
 #endif
     ssl_ReleaseSpecWriteLock(ss);
 
     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
 
+    if (IS_DTLS(ss)) {
+        ss->ssl3.hs.sendMessageSeq = 0;
+        ss->ssl3.hs.recvMessageSeq = 0;
+        ss->ssl3.hs.rtTimeoutMs = INITIAL_DTLS_TIMEOUT_MS;
+        ss->ssl3.hs.rtRetries = 0;
+
+        /* Have to allocate this because ssl_FreeSocket relocates
+         * this structure in DEBUG mode */
+        if (!(ss->ssl3.hs.lastMessageFlight = PORT_New(PRCList)))
+            return SECFailure;
+        ss->ssl3.hs.recvdHighWater = -1;
+        PR_INIT_CLIST(ss->ssl3.hs.lastMessageFlight);
+        dtls_SetMTU(ss, 0); /* Set the MTU to the highest plateau */
+    }
+
     rv = ssl3_NewHandshakeHashes(ss);
     if (rv == SECSuccess) {
         ss->ssl3.initialized = PR_TRUE;
     }
 
     return rv;
 }
 
 /* Returns a reference counted object that contains a key pair.
  * Or NULL on failure.  Initial ref count is 1.
@@ skipping 232 matching lines @@
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     if (!ss->firstHsDone ||
         ((ss->version >= SSL_LIBRARY_VERSION_3_0) &&
          ss->ssl3.initialized && 
          (ss->ssl3.hs.ws != idle_handshake))) {
         PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
         return SECFailure;
     }
+
+    if (IS_DTLS(ss)) {
+        dtls_RehandshakeCleanup(ss);
+    }
+
     if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) {
         PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
         return SECFailure;
     }
     if (sid && flushCache) {
         ss->sec.uncache(sid);   /* remove it from whichever cache it's in. */
         ssl_FreeSID(sid);       /* dec ref count and free if zero. */
         ss->sec.ci.sid = NULL;
     }
 
     ssl_GetXmitBufLock(ss);     /**************************************/
 
     /* start off a new handshake. */
     rv = (ss->sec.isServer) ? ssl3_SendHelloRequest(ss)
-                            : ssl3_SendClientHello(ss);
+                            : ssl3_SendClientHello(ss, PR_FALSE);
 
     ssl_ReleaseXmitBufLock(ss); /**************************************/
     return rv;
 }
 
 /* Called from ssl_DestroySocketContents() in sslsock.c */
 void
 ssl3_DestroySSL3Info(sslSocket *ss)
 {
 
@@ skipping 39 matching lines @@
         SECITEM_FreeItem(&ss->ssl3.hs.cert_status, PR_FALSE);
     }
 
     /* free the SSL3Buffer (msg_body) */
     PORT_Free(ss->ssl3.hs.msg_body.buf);
 
     /* free up the CipherSpecs */
     ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/);
     ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/);
 
+    /* Destroy the DTLS data */
+    if (IS_DTLS(ss)) {
+        if (ss->ssl3.hs.lastMessageFlight) {
+            dtls_FreeHandshakeMessages(ss->ssl3.hs.lastMessageFlight);
+            PORT_Free(ss->ssl3.hs.lastMessageFlight);
+        }
+        if (ss->ssl3.hs.recvdFragments.buf) {
+            PORT_Free(ss->ssl3.hs.recvdFragments.buf);
+        }
+    }
+
     ss->ssl3.initialized = PR_FALSE;
 
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
 }
 
 /* End of ssl3con.c */