Add DTLS support to NSS, contributed by Eric Rescorla.

net/third_party/nss/ssl/ssl3con.c

 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * SSL3 Protocol
  *
  * ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
  * The contents of this file are subject to the Mozilla Public License Version
  * 1.1 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
@@ skipping 24 matching lines @@
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 /* $Id: ssl3con.c,v 1.173 2012/03/18 00:31:19 wtc%google.com Exp $ */
 
+/* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
+
 #include "cert.h"
 #include "ssl.h"
 #include "cryptohi.h"   /* for DSAU_ stuff */
 #include "keyhi.h"
 #include "secder.h"
 #include "secitem.h"
 
 #include "sslimpl.h"
 #include "sslproto.h"
 #include "sslerr.h"
@@ skipping 30 matching lines @@
 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
 static SECStatus ssl3_SendNextProto(         sslSocket *ss);
 static SECStatus ssl3_SendFinished(          sslSocket *ss, PRInt32 flags);
 static SECStatus ssl3_SendServerHello(       sslSocket *ss);
 static SECStatus ssl3_SendServerHelloDone(   sslSocket *ss);
 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss);
 static SECStatus ssl3_NewHandshakeHashes(    sslSocket *ss);
 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss,
                                              const unsigned char *b,
                                              unsigned int l);
+static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags);
 
 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
                              int maxOutputLen, const unsigned char *input,
                              int inputLen);
 
 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */
 #define MIN_SEND_BUF_LENGTH  4000
 
 #define MAX_CIPHER_SUITES 20
 
@@ skipping 109 matching lines @@
 }
 
 static const /*SSL3ClientCertificateType */ uint8 certificate_types [] = {
     ct_RSA_sign,
     ct_DSS_sign,
 #ifdef NSS_ENABLE_ECC
     ct_ECDSA_sign,
 #endif /* NSS_ENABLE_ECC */
 };
 
-#ifdef NSS_ENABLE_ZLIB
-/*
- * The DEFLATE algorithm can result in an expansion of 0.1% + 12 bytes. For a
- * maximum TLS record payload of 2**14 bytes, that's 29 bytes.
- */
-#define SSL3_COMPRESSION_MAX_EXPANSION 29
-#else  /* !NSS_ENABLE_ZLIB */
-#define SSL3_COMPRESSION_MAX_EXPANSION 0
-#endif
-
-/*
- * make sure there is room in the write buffer for padding and
- * other compression and cryptographic expansions.
- */
-#define SSL3_BUFFER_FUDGE     100 + SSL3_COMPRESSION_MAX_EXPANSION
-
 #define EXPORT_RSA_KEY_LENGTH 64        /* bytes */
 
 
 /* This global item is used only in servers.  It is is initialized by
 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest().
 */
 CERTDistNames *ssl3_server_ca_list = NULL;
 static SSL3Statistics ssl3stats;
 
 /* indexed by SSL3BulkCipher */
@@ skipping 260 matching lines @@
 static char *
 ssl3_DecodeHandshakeType(int msgType)
 {
     char * rv;
     static char line[40];
 
     switch(msgType) {
     case hello_request:         rv = "hello_request (0)";               break;
     case client_hello:          rv = "client_hello  (1)";               break;
     case server_hello:          rv = "server_hello  (2)";               break;
+    case hello_verify_request:  rv = "hello_verify_request  (3)";       break;
     case certificate:           rv = "certificate  (11)";               break;
     case server_key_exchange:   rv = "server_key_exchange (12)";        break;
     case certificate_request:   rv = "certificate_request (13)";        break;
     case server_hello_done:     rv = "server_hello_done   (14)";        break;
     case certificate_verify:    rv = "certificate_verify  (15)";        break;
     case client_key_exchange:   rv = "client_key_exchange (16)";        break;
     case finished:              rv = "finished     (20)";               break;
     default:
         sprintf(line, "*UNKNOWN* handshake type! (%d)", msgType);
         rv = line;
@@ skipping 45 matching lines @@
         PR_ATOMIC_INCREMENT((PRInt32 *)x);
     } else {
         tooLong * tl = (tooLong *)x;
         if (PR_ATOMIC_INCREMENT(&tl->low) == 0)
             PR_ATOMIC_INCREMENT(&tl->high);
     }
 }
 
 /* return pointer to ssl3CipherSuiteDef for suite, or NULL */
 /* XXX This does a linear search.  A binary search would be better. */
-static const ssl3CipherSuiteDef *
+const ssl3CipherSuiteDef *
 ssl_LookupCipherSuiteDef(ssl3CipherSuite suite)
 {
     int cipher_suite_def_len =
         sizeof(cipher_suite_defs) / sizeof(cipher_suite_defs[0]);
     int i;
 
     for (i = 0; i < cipher_suite_def_len; i++) {
         if (cipher_suite_defs[i].cipher_suite == suite)
             return &cipher_suite_defs[i];
     }
@@ skipping 545 matching lines @@
         PK11_DestroyContext(mat->write_mac_context, PR_TRUE);
         mat->write_mac_context = NULL;
     }
 }
 
 /* Called from ssl3_SendChangeCipherSpecs() and 
 **             ssl3_HandleChangeCipherSpecs()
 **             ssl3_DestroySSL3Info
 ** Caller must hold SpecWriteLock.
 */
-static void
+void
 ssl3_DestroyCipherSpec(ssl3CipherSpec *spec, PRBool freeSrvName)
 {
     PRBool freeit = (PRBool)(!spec->bypassCiphers);
 /*  PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss)); Don't have ss! */
     if (spec->destroy) {
         spec->destroy(spec->encodeContext, freeit);
         spec->destroy(spec->decodeContext, freeit);
         spec->encodeContext = NULL; /* paranoia */
         spec->decodeContext = NULL;
     }
@@ skipping 59 matching lines @@
 
     SSL_TRC(3, ("%d: SSL3[%d]: Set XXX Pending Cipher Suite to 0x%04x",
                 SSL_GETPID(), ss->fd, suite));
 
     suite_def = ssl_LookupCipherSuiteDef(suite);
     if (suite_def == NULL) {
         ssl_ReleaseSpecWriteLock(ss);
         return SECFailure;      /* error code set by ssl_LookupCipherSuiteDef */
     }
 
+    if (IS_DTLS(ss)) {
+        /* Double-check that we did not pick an RC4 suite */
+        PORT_Assert( (suite_def->bulk_cipher_alg != cipher_rc4) &&
+                     (suite_def->bulk_cipher_alg != cipher_rc4_40) &&
+                     (suite_def->bulk_cipher_alg != cipher_rc4_56));
+    }
 
     cipher = suite_def->bulk_cipher_alg;
     kea    = suite_def->key_exchange_alg;
     mac    = suite_def->mac_alg;
     if (isTLS)
         mac += 2;
 
     ss->ssl3.hs.suite_def = suite_def;
     ss->ssl3.hs.kea_def   = &kea_defs[kea];
     PORT_Assert(ss->ssl3.hs.kea_def->kea == kea);
 
     pwSpec->cipher_def   = &bulk_cipher_defs[cipher];
     PORT_Assert(pwSpec->cipher_def->cipher == cipher);
 
     pwSpec->mac_def = &mac_defs[mac];
     PORT_Assert(pwSpec->mac_def->mac == mac);
 
     ss->sec.keyBits       = pwSpec->cipher_def->key_size        * BPB;
     ss->sec.secretKeyBits = pwSpec->cipher_def->secret_key_size * BPB;
     ss->sec.cipherType    = cipher;
 
     pwSpec->encodeContext = NULL;
     pwSpec->decodeContext = NULL;
 
     pwSpec->mac_size = pwSpec->mac_def->mac_size;
 
     pwSpec->compression_method = ss->ssl3.hs.compression;
     pwSpec->compressContext = NULL;
     pwSpec->decompressContext = NULL;
+    
+    /* Note: pwSpec == prSpec here so we're really doing the read side.
+     * The epoch is set up in InitPendingCipherSpec */
+    dtls_InitRecvdRecords(&pwSpec->recvdRecords);
 
     ssl_ReleaseSpecWriteLock(ss);  /*******************************/
     return SECSuccess;
 }
 
 #ifdef NSS_ENABLE_ZLIB
 #define SSL3_DEFLATE_CONTEXT_SIZE sizeof(z_stream)
 
 static SECStatus
 ssl3_MapZlibError(int zlib_error)
@@ skipping 477 matching lines @@
  * Sets error code, but caller probably should override to disambiguate.
  * NULL pms means re-use old master_secret.
  *
  * This code is common to the bypass and PKCS11 execution paths.
  * For the bypass case,  pms is NULL.
  */
 SECStatus
 ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms)
 {
     ssl3CipherSpec  *  pwSpec;
+    ssl3CipherSpec  *  cwSpec;
     SECStatus          rv;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     ssl_GetSpecWriteLock(ss);   /**************************************/
 
     PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
 
     pwSpec        = ss->ssl3.pwSpec;
+    cwSpec        = ss->ssl3.cwSpec;
 
     if (pms || (!pwSpec->msItem.len && !pwSpec->master_secret)) {
         rv = ssl3_DeriveMasterSecret(ss, pms);
         if (rv != SECSuccess) {
             goto done;  /* err code set by ssl3_DeriveMasterSecret */
         }
     }
     if (ss->opt.bypassPKCS11 && pwSpec->msItem.len && pwSpec->msItem.data) {
         /* Double Bypass succeeded in extracting the master_secret */
         const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
@@ skipping 11 matching lines @@
     } else if (pwSpec->master_secret) {
         rv = ssl3_DeriveConnectionKeysPKCS11(ss);
         if (rv == SECSuccess) {
             rv = ssl3_InitPendingContextsPKCS11(ss);
         }
     } else {
         PORT_Assert(pwSpec->master_secret);
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         rv = SECFailure;
     }
 

[wtc, 2012/03/21 23:12:16]

IMPORTANT: I think we need to add
    if (rv != SECSuccess) {
        goto done;
    }
here to skip the new code that sets the sequence numbers
if something already failed.

[ekr, 2012/03/22 15:07:17]

I concur.

+    /* Generic behaviors -- common to all crypto methods */
+    if (!IS_DTLS(ss)) {
+        pwSpec->read_seq_num.high = pwSpec->write_seq_num.high = 0;
+    } else {
+        if (cwSpec->epoch == 65535) {
+            /* The problem here is that we have rehandshaked too many
+             * times (you are not allowed to wrap the epoch). The
+             * spec says you should be discarding the connection
+             * and start over, so not much we can do here. */
+            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+            rv = SECFailure;

[wtc, 2012/03/21 23:12:16]

IMPORTANT: Should we add 'goto done' here?

[ekr, 2012/03/22 15:07:17]

Yes, I agree.

+        }
+        /* We only need to modify pwSpec since there is only one
+         * "pending" spec object being pointed to by pwSpec and
+         * cwSpec at different times.

[wtc, 2012/03/21 23:12:16]

Did you mean prSpec or cwSpec here?  cwSpec is not pointing to
a "pending" spec object.

[ekr, 2012/03/22 15:07:17]

I assume we're just talking about the comment here? If so, I agree that it's
misleading and it should say prSpec.

[wtc, 2012/03/22 20:09:20]

Yes, I was just asking about the comment here.  I decided to
remove the comment because this function already asserts that
property at line 1762 above.

    PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);

+         *
+         * The sequence number has the high 16 bits as the epoch.
+         */
+        pwSpec->epoch = cwSpec->epoch + 1;
+        pwSpec->read_seq_num.high = pwSpec->write_seq_num.high = 
+            pwSpec->epoch << 16;
+    }
+    pwSpec->read_seq_num.low = pwSpec->write_seq_num.low = 0;
+
 done:
     ssl_ReleaseSpecWriteLock(ss);       /******************************/
     if (rv != SECSuccess)
         ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
     return rv;
 }
 
 /*
  * 60 bytes is 3 times the maximum length MAC size that is supported.
  */
@@ skipping 19 matching lines @@
 };
 
 /* Called from: ssl3_SendRecord()
 **              ssl3_HandleRecord()
 ** Caller must already hold the SpecReadLock. (wish we could assert that!)
 */
 static SECStatus
 ssl3_ComputeRecordMAC(
     ssl3CipherSpec *   spec,
     PRBool             useServerMacKey,
+    PRBool             isDTLS,
     SSL3ContentType    type,
     SSL3ProtocolVersion version,
     SSL3SequenceNumber seq_num,
     const SSL3Opaque * input,
     int                inputLength,
     unsigned char *    outbuf,
     unsigned int *     outLength)
 {
     const ssl3MACDef * mac_def;
     SECStatus          rv;
@@ skipping 17 matching lines @@
     ** NOT based on the version value in the record itself.
     ** But, we use the record'v version value in the computation.
     */
     if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
         temp[9]  = MSB(inputLength);
         temp[10] = LSB(inputLength);
         tempLen  = 11;
         isTLS    = PR_FALSE;
     } else {
         /* New TLS hash includes version. */
-        temp[9]  = MSB(version);
-        temp[10] = LSB(version);
+        if (isDTLS) {
+            SSL3ProtocolVersion dtls_version;
+
+            dtls_version = dtls_TLSVersionToDTLSVersion(version);
+            temp[9]  = MSB(dtls_version);
+            temp[10] = LSB(dtls_version);
+        } else {
+            temp[9]  = MSB(version);
+            temp[10] = LSB(version);
+        }
         temp[11] = MSB(inputLength);
         temp[12] = LSB(inputLength);
         tempLen  = 13;
         isTLS    = PR_TRUE;
     }
 
     PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen));
     PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength));
 
     mac_def = spec->mac_def;
@@ skipping 129 matching lines @@
         (PK11_NeedLogin(slot) && !PK11_IsLoggedIn(slot, NULL))) {
         isPresent = PR_FALSE;
     } 
     if (slot) {
         PK11_FreeSlot(slot);
     }
     return isPresent;
 }
 
 /* Caller must hold the spec read lock. */
-static SECStatus
+SECStatus
 ssl3_CompressMACEncryptRecord(ssl3CipherSpec *   cwSpec,
                               PRBool             isServer,
+                              PRBool             isDTLS,
                               SSL3ContentType    type,
                               const SSL3Opaque * pIn,
                               PRUint32           contentLen,
                               sslBuffer *        wrBuf)
 {
     const ssl3BulkCipherDef * cipher_def;
     SECStatus                 rv;
     PRUint32                  macLen = 0;
     PRUint32                  fragLen;
     PRUint32  p1Len, p2Len, oddLen = 0;
+    PRUint16                  headerLen;
     int                       ivLen = 0;
     int                       cipherBytes = 0;
 
     cipher_def = cwSpec->cipher_def;
+    headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH;
 
     if (cipher_def->type == type_block &&
         cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
         /* Prepend the per-record explicit IV using technique 2b from
          * RFC 4346 section 6.2.3.2: The IV is a cryptographically
          * strong random number XORed with the CBC residue from the previous
          * record.
          */
         ivLen = cipher_def->iv_size;
-        if (ivLen > wrBuf->space - SSL3_RECORD_HEADER_LENGTH) {
+        if (ivLen > wrBuf->space - headerLen) {
             PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
             return SECFailure;
         }
-        rv = PK11_GenerateRandom(wrBuf->buf + SSL3_RECORD_HEADER_LENGTH, ivLen);
+        rv = PK11_GenerateRandom(wrBuf->buf + headerLen, ivLen);
         if (rv != SECSuccess) {
             ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
             return rv;
         }
         rv = cwSpec->encode( cwSpec->encodeContext, 
-            wrBuf->buf + SSL3_RECORD_HEADER_LENGTH,
+            wrBuf->buf + headerLen,
             &cipherBytes,                       /* output and actual outLen */
             ivLen,                              /* max outlen */
-            wrBuf->buf + SSL3_RECORD_HEADER_LENGTH,
+            wrBuf->buf + headerLen,
             ivLen);                             /* input and inputLen*/
         if (rv != SECSuccess || cipherBytes != ivLen) {
             PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
             return SECFailure;
         }
     }
 
     if (cwSpec->compressor) {
         int outlen;
         rv = cwSpec->compressor(
             cwSpec->compressContext,
-            wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen, &outlen,
-            wrBuf->space - SSL3_RECORD_HEADER_LENGTH - ivLen, pIn, contentLen);
+            wrBuf->buf + headerLen + ivLen, &outlen,
+            wrBuf->space - headerLen - ivLen, pIn, contentLen);
         if (rv != SECSuccess)
             return rv;
-        pIn = wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen;
+        pIn = wrBuf->buf + headerLen + ivLen;
         contentLen = outlen;
     }
 
     /*
      * Add the MAC
      */
-    rv = ssl3_ComputeRecordMAC( cwSpec, isServer,
+    rv = ssl3_ComputeRecordMAC( cwSpec, isServer, isDTLS,
         type, cwSpec->version, cwSpec->write_seq_num, pIn, contentLen,
-        wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen + contentLen, &macLen);
+        wrBuf->buf + headerLen + ivLen + contentLen, &macLen);
     if (rv != SECSuccess) {
         ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
         return SECFailure;
     }
     p1Len   = contentLen;
     p2Len   = macLen;
     fragLen = contentLen + macLen;      /* needs to be encrypted */
     PORT_Assert(fragLen <= MAX_FRAGMENT_LENGTH + 1024);
 
     /*
      * Pad the text (if we're doing a block cipher)
      * then Encrypt it
      */
     if (cipher_def->type == type_block) {
         unsigned char * pBuf;
         int             padding_length;
         int             i;
 
         oddLen = contentLen % cipher_def->block_size;
         /* Assume blockSize is a power of two */
         padding_length = cipher_def->block_size - 1 -
                         ((fragLen) & (cipher_def->block_size - 1));
         fragLen += padding_length + 1;
         PORT_Assert((fragLen % cipher_def->block_size) == 0);
 
         /* Pad according to TLS rules (also acceptable to SSL3). */
-        pBuf = &wrBuf->buf[SSL3_RECORD_HEADER_LENGTH + ivLen + fragLen - 1];
+        pBuf = &wrBuf->buf[headerLen + ivLen + fragLen - 1];
         for (i = padding_length + 1; i > 0; --i) {
             *pBuf-- = padding_length;
         }
         /* now, if contentLen is not a multiple of block size, fix it */
         p2Len = fragLen - p1Len;
     }
     if (p1Len < 256) {
         oddLen = p1Len;
         p1Len = 0;
     } else {
         p1Len -= oddLen;
     }
     if (oddLen) {
         p2Len += oddLen;
         PORT_Assert( (cipher_def->block_size < 2) || \
                      (p2Len % cipher_def->block_size) == 0);
-        memmove(wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen + p1Len,
-                pIn + p1Len, oddLen);
+        memmove(wrBuf->buf + headerLen + ivLen + p1Len, pIn + p1Len, oddLen);
     }
     if (p1Len > 0) {
         int cipherBytesPart1 = -1;
         rv = cwSpec->encode( cwSpec->encodeContext, 
-            wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen, /* output */
+            wrBuf->buf + headerLen + ivLen,         /* output */
             &cipherBytesPart1,                      /* actual outlen */
             p1Len,                                  /* max outlen */
             pIn, p1Len);                      /* input, and inputlen */
         PORT_Assert(rv == SECSuccess && cipherBytesPart1 == (int) p1Len);
         if (rv != SECSuccess || cipherBytesPart1 != (int) p1Len) {
             PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
             return SECFailure;
         }
         cipherBytes += cipherBytesPart1;
     }
     if (p2Len > 0) {
         int cipherBytesPart2 = -1;
         rv = cwSpec->encode( cwSpec->encodeContext, 
-            wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen + p1Len,
+            wrBuf->buf + headerLen + ivLen + p1Len,
             &cipherBytesPart2,          /* output and actual outLen */
             p2Len,                             /* max outlen */
-            wrBuf->buf + SSL3_RECORD_HEADER_LENGTH + ivLen + p1Len,
+            wrBuf->buf + headerLen + ivLen + p1Len,
             p2Len);                            /* input and inputLen*/
         PORT_Assert(rv == SECSuccess && cipherBytesPart2 == (int) p2Len);
         if (rv != SECSuccess || cipherBytesPart2 != (int) p2Len) {
             PORT_SetError(SSL_ERROR_ENCRYPTION_FAILURE);
             return SECFailure;
         }
         cipherBytes += cipherBytesPart2;
     }   
+
     PORT_Assert(cipherBytes <= MAX_FRAGMENT_LENGTH + 1024);
 
+    wrBuf->len    = cipherBytes + headerLen;
+    wrBuf->buf[0] = type;
+    if (isDTLS) {
+        SSL3ProtocolVersion version;
+
+        version = dtls_TLSVersionToDTLSVersion(cwSpec->version);
+        wrBuf->buf[1] = MSB(version);
+        wrBuf->buf[2] = LSB(version);
+        wrBuf->buf[3] = (unsigned char)(cwSpec->write_seq_num.high >>  24);
+        wrBuf->buf[4] = (unsigned char)(cwSpec->write_seq_num.high >>  16);
+        wrBuf->buf[5] = (unsigned char)(cwSpec->write_seq_num.high >>  8);
+        wrBuf->buf[6] = (unsigned char)(cwSpec->write_seq_num.high >>  0);
+        wrBuf->buf[7] = (unsigned char)(cwSpec->write_seq_num.low  >> 24);
+        wrBuf->buf[8] = (unsigned char)(cwSpec->write_seq_num.low  >> 16);
+        wrBuf->buf[9] = (unsigned char)(cwSpec->write_seq_num.low  >>  8);
+        wrBuf->buf[10] = (unsigned char)(cwSpec->write_seq_num.low  >>  0);
+        wrBuf->buf[11] = MSB(cipherBytes);
+        wrBuf->buf[12] = LSB(cipherBytes);
+    } else {
+        wrBuf->buf[1] = MSB(cwSpec->version);
+        wrBuf->buf[2] = LSB(cwSpec->version);
+        wrBuf->buf[3] = MSB(cipherBytes);
+        wrBuf->buf[4] = LSB(cipherBytes);
+    }
+
     ssl3_BumpSequenceNumber(&cwSpec->write_seq_num);
 
-    wrBuf->len    = cipherBytes + SSL3_RECORD_HEADER_LENGTH;
-    wrBuf->buf[0] = type;
-    wrBuf->buf[1] = MSB(cwSpec->version);
-    wrBuf->buf[2] = LSB(cwSpec->version);
-    wrBuf->buf[3] = MSB(cipherBytes);
-    wrBuf->buf[4] = LSB(cipherBytes);
-
     return SECSuccess;
 }
 
 /* Process the plain text before sending it.
  * Returns the number of bytes of plaintext that were successfully sent
  *      plus the number of bytes of plaintext that were copied into the
  *      output (write) buffer.
  * Returns SECFailure on a hard IO error, memory error, or crypto error.
  * Does NOT return SECWouldBlock.
  *
  * Notes on the use of the private ssl flags:
  * (no private SSL flags)
  *    Attempt to make and send SSL records for all plaintext
  *    If non-blocking and a send gets WOULD_BLOCK,
  *    or if the pending (ciphertext) buffer is not empty,
  *    then buffer remaining bytes of ciphertext into pending buf,
  *    and continue to do that for all succssive records until all
  *    bytes are used.
  * ssl_SEND_FLAG_FORCE_INTO_BUFFER
  *    As above, except this suppresses all write attempts, and forces
  *    all ciphertext into the pending ciphertext buffer.
+ * ssl_SEND_FLAG_USE_EPOCH (for DTLS)
+ *    Forces the use of the provided epoch
  *
  */
-static PRInt32
+PRInt32
 ssl3_SendRecord(   sslSocket *        ss,
+                   DTLSEpoch          epoch, /* DTLS only */
                    SSL3ContentType    type,
                    const SSL3Opaque * pIn,   /* input buffer */
                    PRInt32            nIn,   /* bytes of input */
                    PRInt32            flags)
 {
     sslBuffer      *          wrBuf       = &ss->sec.writeBuf;
     SECStatus                 rv;
     PRInt32                   totalSent   = 0;
 
     SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d",
@@ skipping 51 matching lines @@
                 SSL_DBG(("%d: SSL3[%d]: SendRecord, tried to get %d bytes",
                          SSL_GETPID(), ss->fd, spaceNeeded));
                 goto spec_locked_loser; /* sslBuffer_Grow set error code. */
             }
         }
 
         if (numRecords == 2) {
             sslBuffer secondRecord;
 
             rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
-                                               ss->sec.isServer, type, pIn, 1,
+                                               ss->sec.isServer,
+                                               IS_DTLS(ss),
+                                               type, pIn, 1,
                                                wrBuf);
             if (rv != SECSuccess)
                 goto spec_locked_loser;
 
             PRINT_BUF(50, (ss, "send (encrypted) record data [1/2]:",
                            wrBuf->buf, wrBuf->len));
 
             secondRecord.buf = wrBuf->buf + wrBuf->len;
             secondRecord.len = 0;
             secondRecord.space = wrBuf->space - wrBuf->len;
 
             rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
-                                               ss->sec.isServer, type, pIn + 1,
+                                               ss->sec.isServer,
+                                               IS_DTLS(ss),
+                                               type, pIn + 1,
                                                contentLen - 1, &secondRecord);
             if (rv == SECSuccess) {
                 PRINT_BUF(50, (ss, "send (encrypted) record data [2/2]:",
                                secondRecord.buf, secondRecord.len));
                 wrBuf->len += secondRecord.len;
             }
         } else {
-            rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
-                                               ss->sec.isServer, type, pIn,
-                                               contentLen, wrBuf);
+            if (!IS_DTLS(ss)) {
+                rv = ssl3_CompressMACEncryptRecord(ss->ssl3.cwSpec,
+                                                   ss->sec.isServer,
+                                                   IS_DTLS(ss),
+                                                   type, pIn,
+                                                   contentLen, wrBuf);
+            }
+            else {
+                rv = dtls_CompressMACEncryptRecord(ss, epoch, 
+                                                   !!(flags & ssl_SEND_FLAG_USE_EPOCH),
+                                                   type, pIn,
+                                                   contentLen, wrBuf);
+            }
+            
             if (rv == SECSuccess) {
                 PRINT_BUF(50, (ss, "send (encrypted) record data:",
                                wrBuf->buf, wrBuf->len));
             }
         }
 
 spec_locked_loser:
         ssl_ReleaseSpecReadLock(ss); /************************************/
 
         if (rv != SECSuccess)
@@ skipping 37 matching lines @@
             if (sent < 0) {
                 if (PR_GetError() != PR_WOULD_BLOCK_ERROR) {
                     ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE);
                     return SECFailure;
                 }
                 /* we got PR_WOULD_BLOCK_ERROR, which means none was sent. */
                 sent = 0;
             }
             wrBuf->len -= sent;
             if (wrBuf->len) {
+                if (IS_DTLS(ss)) {
+                    /* DTLS just says no in this case. No buffering */
+                    PR_SetError(PR_WOULD_BLOCK_ERROR, 0);
+                    return SECFailure;
+                }
                 /* now take all the remaining unsent new ciphertext and 
                  * append it to the buffer of previously unsent ciphertext.
                  */
                 rv = ssl_SaveWriteData(ss, wrBuf->buf + sent, wrBuf->len);
                 if (rv != SECSuccess) {
                     /* presumably a memory error, SEC_ERROR_NO_MEMORY */
                     return SECFailure;
                 }
             }
         }
         totalSent += contentLen;
     }
     return totalSent;
 }
 
 #define SSL3_PENDING_HIGH_WATER 1024
 
 /* Attempt to send the content of "in" in an SSL application_data record.
  * Returns "len" or SECFailure,   never SECWouldBlock, nor SECSuccess.
  */
 int
 ssl3_SendApplicationData(sslSocket *ss, const unsigned char *in,
                          PRInt32 len, PRInt32 flags)
 {
     PRInt32   totalSent = 0;
     PRInt32   discarded = 0;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
+    /* These flags for internal use only */
+    PORT_Assert( !(flags & (ssl_SEND_FLAG_USE_EPOCH |
+                            ssl_SEND_FLAG_NO_RETRANSMIT)));
     if (len < 0 || !in) {
         PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
         return SECFailure;
     }
 
     if (ss->pendingBuf.len > SSL3_PENDING_HIGH_WATER &&
         !ssl_SocketIsBlocking(ss)) {
         PORT_Assert(!ssl_SocketIsBlocking(ss));
         PORT_SetError(PR_WOULD_BLOCK_ERROR);
         return SECFailure;
@@ skipping 17 matching lines @@
              * The thread yield is intended to give the reader thread a
              * chance to get some cycles while the writer thread is in
              * the middle of a large application data write.  (See
              * Bugzilla bug 127740, comment #1.)
              */
             ssl_ReleaseXmitBufLock(ss);
             PR_Sleep(PR_INTERVAL_NO_WAIT);      /* PR_Yield(); */
             ssl_GetXmitBufLock(ss);
         }
         toSend = PR_MIN(len - totalSent, MAX_FRAGMENT_LENGTH);
-        sent = ssl3_SendRecord(ss, content_application_data, 
+        /*
+         * Note that the 0 epoch is OK because flags will never
+         * require its use, as guaranteed by the PORT_Assert
+         * above
+         */
+        sent = ssl3_SendRecord(ss, 0, content_application_data,
                                in + totalSent, toSend, flags);
         if (sent < 0) {
             if (totalSent > 0 && PR_GetError() == PR_WOULD_BLOCK_ERROR) {
                 PORT_Assert(ss->lastWriteBlocked);
                 break;
             }
             return SECFailure; /* error code set by ssl3_SendRecord */
         }
         totalSent += sent;
         if (ss->pendingBuf.len) {
@@ skipping 14 matching lines @@
         if (totalSent <= 0) {
             PORT_SetError(PR_WOULD_BLOCK_ERROR);
             totalSent = SECFailure;
         }
         return totalSent;
     } 
     ss->appDataBuffered = 0;
     return totalSent + discarded;
 }
 
-/* Attempt to send the content of sendBuf buffer in an SSL handshake record.
+/* Attempt to send buffered handshake messages.
  * This function returns SECSuccess or SECFailure, never SECWouldBlock.
  * Always set sendBuf.len to 0, even when returning SECFailure.
  *
+ * Depending on whether we are doing DTLS or not, this either calls
+ *
+ * - ssl3_FlushHandshake if non-DTLS
+ * - dtls_FlushHandshake if DTLS
+ *
  * Called from SSL3_SendAlert(), ssl3_SendChangeCipherSpecs(),
  *             ssl3_AppendHandshake(), ssl3_SendClientHello(),
  *             ssl3_SendHelloRequest(), ssl3_SendServerHelloDone(),
  *             ssl3_SendFinished(),
  */
 static SECStatus
 ssl3_FlushHandshake(sslSocket *ss, PRInt32 flags)
 {
+    if (IS_DTLS(ss)) {
+        return dtls_FlushHandshakeMessages(ss, flags);
+    } else {
+        return ssl3_FlushHandshakeMessages(ss, flags);
+    }
+}
+
+/* Attempt to send the content of sendBuf buffer in an SSL handshake record.
+ * This function returns SECSuccess or SECFailure, never SECWouldBlock.
+ * Always set sendBuf.len to 0, even when returning SECFailure.
+ *
+ * Called from ssl3_FlushHandshake
+ */
+static SECStatus
+ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags)
+{
     PRInt32 rv = SECSuccess;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
 
     if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len)
         return rv;
 
     /* only this flag is allowed */
     PORT_Assert(!(flags & ~ssl_SEND_FLAG_FORCE_INTO_BUFFER));
     if ((flags & ~ssl_SEND_FLAG_FORCE_INTO_BUFFER) != 0) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         rv = SECFailure;
     } else {
-        rv = ssl3_SendRecord(ss, content_handshake, ss->sec.ci.sendBuf.buf,
+        rv = ssl3_SendRecord(ss, 0, content_handshake, ss->sec.ci.sendBuf.buf,
                              ss->sec.ci.sendBuf.len, flags);
     }
     if (rv < 0) { 
         int err = PORT_GetError();
         PORT_Assert(err != PR_WOULD_BLOCK_ERROR);
         if (err == PR_WOULD_BLOCK_ERROR) {
             PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         }
     } else if (rv < ss->sec.ci.sendBuf.len) {
         /* short write should never happen */
@@ skipping 96 matching lines @@
     ssl_GetSSL3HandshakeLock(ss);
     if (level == alert_fatal) {
         if (ss->sec.ci.sid) {
             ss->sec.uncache(ss->sec.ci.sid);
         }
     }
     ssl_GetXmitBufLock(ss);
     rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
     if (rv == SECSuccess) {
         PRInt32 sent;
-        sent = ssl3_SendRecord(ss, content_alert, bytes, 2, 
+        sent = ssl3_SendRecord(ss, 0, content_alert, bytes, 2, 
                                desc == no_certificate 
                                ? ssl_SEND_FLAG_FORCE_INTO_BUFFER : 0);
         rv = (sent >= 0) ? SECSuccess : (SECStatus)sent;
     }
     ssl_ReleaseXmitBufLock(ss);
     ssl_ReleaseSSL3HandshakeLock(ss);
     return rv;  /* error set by ssl3_FlushHandshake or ssl3_SendRecord */
 }
 
 /*
@@ skipping 53 matching lines @@
     SSL_DBG(("%d: SSL3[%d]: peer certificate is no good: error=%d",
              SSL_GETPID(), ss->fd, errCode));
 
     (void) SSL3_SendAlert(ss, alert_fatal, desc);
 }
 
 
 /*
  * Send handshake_Failure alert.  Set generic error number.
  */
-static SECStatus
+SECStatus
 ssl3_DecodeError(sslSocket *ss)
 {
     (void)SSL3_SendAlert(ss, alert_fatal, 
                   ss->version > SSL_LIBRARY_VERSION_3_0 ? decode_error 
                                                         : illegal_parameter);
     PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
                                     : SSL_ERROR_BAD_SERVER );
     return SECFailure;
 }
 
@@ skipping 67 matching lines @@
                         error = SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT; break;
     case unrecognized_name: 
                         error = SSL_ERROR_UNRECOGNIZED_NAME_ALERT;        break;
     case bad_certificate_status_response: 
                         error = SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT; break;
     case bad_certificate_hash_value: 
                         error = SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT;      break;
     default:            error = SSL_ERROR_RX_UNKNOWN_ALERT;               break;
     }
     if (level == alert_fatal) {
-        ss->sec.uncache(ss->sec.ci.sid);
+        if (!ss->opt.noCache)
+            ss->sec.uncache(ss->sec.ci.sid);
         if ((ss->ssl3.hs.ws == wait_server_hello) &&
             (desc == handshake_failure)) {
             /* XXX This is a hack.  We're assuming that any handshake failure
              * XXX on the client hello is a failure to match ciphers.
              */
             error = SSL_ERROR_NO_CYPHER_OVERLAP;
         }
         PORT_SetError(error);
         return SECFailure;
     }
@@ skipping 30 matching lines @@
     SSL_TRC(3, ("%d: SSL3[%d]: send change_cipher_spec record",
                 SSL_GETPID(), ss->fd));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     rv = ssl3_FlushHandshake(ss, ssl_SEND_FLAG_FORCE_INTO_BUFFER);
     if (rv != SECSuccess) {
         return rv;      /* error code set by ssl3_FlushHandshake */
     }
-    sent = ssl3_SendRecord(ss, content_change_cipher_spec, &change, 1,
-                              ssl_SEND_FLAG_FORCE_INTO_BUFFER);
-    if (sent < 0) {
-        return (SECStatus)sent; /* error code set by ssl3_SendRecord */
+    if (!IS_DTLS(ss)) {
+        sent = ssl3_SendRecord(ss, 0, content_change_cipher_spec, &change, 1,
+                               ssl_SEND_FLAG_FORCE_INTO_BUFFER);
+        if (sent < 0) {
+            return (SECStatus)sent;     /* error code set by ssl3_SendRecord */
+        }
+    } else {
+        rv = dtls_QueueMessage(ss, content_change_cipher_spec, &change, 1);
+        if (rv != SECSuccess)
+            return rv;
     }
 
     /* swap the pending and current write specs. */
     ssl_GetSpecWriteLock(ss);   /**************************************/
     pwSpec                     = ss->ssl3.pwSpec;
-    pwSpec->write_seq_num.high = 0;
-    pwSpec->write_seq_num.low  = 0;

[wtc, 2012/03/21 23:12:16]

IMPORTANT: Where did this go?  Same question for line 2881 below.

[ekr, 2012/03/22 15:07:17]

I claim that I moved these to ssl_InitPendingSpec:1803-1826.

You asked why this is safe. My argument here is that a cipher suite cannot be
initialized without calling ssl_InitPendingCipherSpec() [the evidence of this is
that that is the only call site for ssl3_DeriveConnectionKeysPKCS11(). And thus
it doesn't matter whether we zero the values at the time when we create the
cipher spec or when we set it to current. But I could have misunderstood this,
so I would be happy to be double-checked.

[wtc, 2012/03/22 20:09:20]

Thank you for confirming this.
I studied the code to understand how read_seq_num and
write_seq_num are set and used.  I came to the same
conclusion that it is fine to zero them in
ssl3_InitPendingCipherSpec().  Your proof using the
ssl3_DeriveConnectionKeysPKCS11() call is also very
convincing.  Thanks.

 
     ss->ssl3.pwSpec = ss->ssl3.cwSpec;
     ss->ssl3.cwSpec = pwSpec;
 
     SSL_TRC(3, ("%d: SSL3[%d] Set Current Write Cipher Suite to Pending",
                 SSL_GETPID(), ss->fd ));
 
     /* We need to free up the contexts, keys and certs ! */
     /* If we are really through with the old cipher spec
      * (Both the read and write sides have changed) destroy it.
      */
-    if (ss->ssl3.prSpec == ss->ssl3.pwSpec) {
-        ssl3_DestroyCipherSpec(ss->ssl3.pwSpec, PR_FALSE/*freeSrvName*/);
+    if ( ss->ssl3.prSpec == ss->ssl3.pwSpec ) {
+        if (!IS_DTLS(ss)) {
+            ssl3_DestroyCipherSpec(ss->ssl3.pwSpec, PR_FALSE/*freeSrvName*/);
+        } else {
+            /* With DTLS, we need to set a holddown timer in case the final
+             * message got lost */
+            ss->ssl3.hs.rtTimeoutMs = DTLS_FINISHED_TIMER_MS;
+            dtls_StartTimer(ss, dtls_FinishedTimerCb); 
+        }
     }
     ssl_ReleaseSpecWriteLock(ss); /**************************************/
 
     return SECSuccess;
 }
 
 /* Called from ssl3_HandleRecord.
 ** Caller must hold both RecvBuf and Handshake locks.
  *
  * Acquires and releases spec write lock, to protect switching the current
@@ skipping 28 matching lines @@
         /* illegal_parameter is correct here for both SSL3 and TLS. */
         (void)ssl3_IllegalParameter(ss);
         PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
         return SECFailure;
     }
     buf->len = 0;
 
     /* Swap the pending and current read specs. */
     ssl_GetSpecWriteLock(ss);   /*************************************/
     prSpec                    = ss->ssl3.prSpec;
-    prSpec->read_seq_num.high = prSpec->read_seq_num.low = 0;
 
     ss->ssl3.prSpec  = ss->ssl3.crSpec;
     ss->ssl3.crSpec  = prSpec;
 
     if (ss->sec.isServer &&
         ss->opt.requestCertificate &&
         ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
         ss->ssl3.hs.ws = wait_client_cert;
     } else {
         ss->ssl3.hs.ws = wait_finished;
@@ skipping 82 matching lines @@
                                  keyData->data, keyData->len);
                 }
             }
         }
 #endif
         pwSpec->master_secret = PK11_DeriveWithFlags(pms, master_derive, 
                                 &params, key_derive, CKA_DERIVE, 0, keyFlags);
         if (!isDH && pwSpec->master_secret && ss->opt.detectRollBack) {
             SSL3ProtocolVersion client_version;
             client_version = pms_version.major << 8 | pms_version.minor;
+
+            if (IS_DTLS(ss)) {
+                client_version = dtls_DTLSVersionToTLSVersion(client_version);
+            }
+
             if (client_version != ss->clientHelloVersion) {
                 /* Destroy it.  Version roll-back detected. */
                 PK11_FreeSymKey(pwSpec->master_secret);
                 pwSpec->master_secret = NULL;
             }
         }
         if (pwSpec->master_secret == NULL) {
             /* Generate a faux master secret in the same slot as the old one. */
             PK11SlotInfo * slot = PK11_GetSlotFromKey((PK11SymKey *)pms);
             PK11SymKey *   fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot);
@@ skipping 404 matching lines @@
     SSL_TRC(60, ("data:"));
     rv = ssl3_AppendHandshake(ss, src, bytes);
     return rv;  /* error code set by AppendHandshake, if applicable. */
 }
 
 SECStatus
 ssl3_AppendHandshakeHeader(sslSocket *ss, SSL3HandshakeType t, PRUint32 length)
 {
     SECStatus rv;
 
+    /* If we already have a message in place, we need to enqueue it.
+     * This empties the buffer
+     */
+    if (IS_DTLS(ss)) {
+        rv = dtls_StageHandshakeMessage(ss);
+        if (rv != SECSuccess)
+            return rv;
+    }
+
     SSL_TRC(30,("%d: SSL3[%d]: append handshake header: type %s",
         SSL_GETPID(), ss->fd, ssl3_DecodeHandshakeType(t)));
     PRINT_BUF(60, (ss, "MD5 handshake hash:",
                   (unsigned char*)ss->ssl3.hs.md5_cx, MD5_LENGTH));
     PRINT_BUF(95, (ss, "SHA handshake hash:",
                   (unsigned char*)ss->ssl3.hs.sha_cx, SHA1_LENGTH));
 
     rv = ssl3_AppendHandshakeNumber(ss, t, 1);
     if (rv != SECSuccess) {
         return rv;      /* error code set by AppendHandshake, if applicable. */
     }
     rv = ssl3_AppendHandshakeNumber(ss, length, 3);
+    if (rv != SECSuccess) {
+        return rv;      /* error code set by AppendHandshake, if applicable. */
+    }
+
+    if (IS_DTLS(ss)) {
+        /* Note that we make an unfragmented message here. We fragment in the
+         * transmission code, if necessary */
+        rv = ssl3_AppendHandshakeNumber(ss, ss->ssl3.hs.sendMessageSeq, 2);
+        if (rv != SECSuccess) {
+            return rv;  /* error code set by AppendHandshake, if applicable. */
+        }
+        ss->ssl3.hs.sendMessageSeq++; 
+
+        /* 0 is the fragment offset, because it's not fragmented yet */
+        rv = ssl3_AppendHandshakeNumber(ss, 0, 3);
+        if (rv != SECSuccess) {
+            return rv;  /* error code set by AppendHandshake, if applicable. */
+        }
+      
+        /* Fragment length -- set to the packet length because not fragmented */
+        rv = ssl3_AppendHandshakeNumber(ss, length, 3);
+        if (rv != SECSuccess) {
+            return rv;  /* error code set by AppendHandshake, if applicable. */
+        }
+    }
+    
     return rv;          /* error code set by AppendHandshake, if applicable. */
 }
 
 /**************************************************************************
  * Consume Handshake functions.
  *
  * All data used in these functions is protected by two locks,
  * the RecvBufLock and the SSL3HandshakeLock
  **************************************************************************/
 
@@ skipping 386 matching lines @@
 }
 
 /**************************************************************************
  * end of Handshake Hash functions.
  * Begin Send and Handle functions for handshakes.
  **************************************************************************/
 
 /* Called from ssl3_HandleHelloRequest(),
  *             ssl3_RedoHandshake()
  *             ssl2_BeginClientHandshake (when resuming ssl3 session)
+ *             dtls_HandleHelloVerifyRequest(with resending=PR_TRUE)
  */
 SECStatus
-ssl3_SendClientHello(sslSocket *ss)
+ssl3_SendClientHello(sslSocket *ss, PRBool resending)
 {
     sslSessionID *   sid;
     ssl3CipherSpec * cwSpec;
     SECStatus        rv;
     int              i;
     int              length;
     int              num_suites;
     int              actual_count = 0;
     PRBool           isTLS = PR_FALSE;
     PRInt32          total_exten_len = 0;
     unsigned         numCompressionMethods;
 
     SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(),
                 ss->fd));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
 
     rv = ssl3_InitState(ss);
     if (rv != SECSuccess) {
         return rv;              /* ssl3_InitState has set the error code. */
     }
     ss->ssl3.hs.sendingSCSV = PR_FALSE; /* Must be reset every handshake */
+    PORT_Assert(IS_DTLS(ss) || !resending);
 
     /* We might be starting a session renegotiation in which case we should
      * clear previous state.
      */
     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
 
     SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
             SSL_GETPID(), ss->fd ));
     rv = ssl3_RestartHandshakeHashes(ss);
     if (rv != SECSuccess) {
@@ skipping 139 matching lines @@
             total_exten_len += 2;
     }
 
 #if defined(NSS_ENABLE_ECC) && !defined(NSS_ECC_MORE_THAN_SUITE_B)
     if (!total_exten_len || !isTLS) {
         /* not sending the elliptic_curves and ec_point_formats extensions */
         ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */
     }
 #endif
 
+    if (IS_DTLS(ss)) {
+        ssl3_DisableNonDTLSSuites(ss);
+    }
+
     /* how many suites are permitted by policy and user preference? */
     num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE);
     if (!num_suites)
         return SECFailure;      /* count_cipher_suites has set error code. */
     if (ss->ssl3.hs.sendingSCSV) {
         ++num_suites;   /* make room for SCSV */
     }
 
     /* count compression methods */
     numCompressionMethods = 0;
     for (i = 0; i < compressionMethodsCount; i++) {
         if (compressionEnabled(ss, compressions[i]))
             numCompressionMethods++;
     }
 
     length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH +
         1 + ((sid == NULL) ? 0 : sid->u.ssl3.sessionIDLength) +
         2 + num_suites*sizeof(ssl3CipherSuite) +
         1 + numCompressionMethods + total_exten_len;
+    if (IS_DTLS(ss)) {
+        length += 1 + ss->ssl3.hs.cookieLen;
+    }
 
     rv = ssl3_AppendHandshakeHeader(ss, client_hello, length);
     if (rv != SECSuccess) {
         return rv;      /* err set by ssl3_AppendHandshake* */
     }
 
     ss->clientHelloVersion = ss->version;
-    rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2);
+    if (IS_DTLS(ss)) {
+        /* One's complement */
+        PRUint16 version;
+
+        version = dtls_TLSVersionToDTLSVersion(ss->clientHelloVersion);
+        rv = ssl3_AppendHandshakeNumber(ss, version, 2);
+    } else {
+        rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2);
+    }
     if (rv != SECSuccess) {
         return rv;      /* err set by ssl3_AppendHandshake* */
     }
-    rv = ssl3_GetNewRandom(&ss->ssl3.hs.client_random);
-    if (rv != SECSuccess) {
-        return rv;      /* err set by GetNewRandom. */
+    
+    if (!resending) { /* Don't re-generate if we are in DTLS re-sending mode */
+        rv = ssl3_GetNewRandom(&ss->ssl3.hs.client_random);
+        if (rv != SECSuccess) {
+            return rv;  /* err set by GetNewRandom. */
+        }
     }
     rv = ssl3_AppendHandshake(ss, &ss->ssl3.hs.client_random,
                               SSL3_RANDOM_LENGTH);
     if (rv != SECSuccess) {
         return rv;      /* err set by ssl3_AppendHandshake* */
     }
 
     if (sid)
         rv = ssl3_AppendHandshakeVariable(
             ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
     else
         rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
     if (rv != SECSuccess) {
         return rv;      /* err set by ssl3_AppendHandshake* */
     }
 
+    if (IS_DTLS(ss)) {
+        rv = ssl3_AppendHandshakeVariable(
+            ss, ss->ssl3.hs.cookie, ss->ssl3.hs.cookieLen, 1);
+    }
+    if (rv != SECSuccess) {
+        return rv;      /* err set by ssl3_AppendHandshake* */
+    }
+
     rv = ssl3_AppendHandshakeNumber(ss, num_suites*sizeof(ssl3CipherSuite), 2);
     if (rv != SECSuccess) {
         return rv;      /* err set by ssl3_AppendHandshake* */
     }
 
     if (ss->ssl3.hs.sendingSCSV) {
         /* Add the actual SCSV */
         rv = ssl3_AppendHandshakeNumber(ss, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
                                         sizeof(ssl3CipherSuite));
         if (rv != SECSuccess) {
@@ skipping 103 matching lines @@
         PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
         return SECFailure;
     }
 
     if (sid) {
         ss->sec.uncache(sid);
         ssl_FreeSID(sid);
         ss->sec.ci.sid = NULL;
     }
 
+    if (IS_DTLS(ss)) {
+        dtls_RehandshakeCleanup(ss);
+    }
+
     ssl_GetXmitBufLock(ss);
-    rv = ssl3_SendClientHello(ss);
+    rv = ssl3_SendClientHello(ss, PR_FALSE);
     ssl_ReleaseXmitBufLock(ss);
 
     return rv;
 }
 
 #define UNKNOWN_WRAP_MECHANISM 0x7fffffff
 
 static const CK_MECHANISM_TYPE wrapMechanismList[SSL_NUM_WRAP_MECHS] = {
     CKM_DES3_ECB,
     CKM_CAST5_ECB,
@@ skipping 832 matching lines @@
     if (ss->ssl3.platformClientKey) {
        ssl_FreePlatformKey(ss->ssl3.platformClientKey);
        ss->ssl3.platformClientKey = (PlatformKey)NULL;
     }
 #endif  /* NSS_PLATFORM_CLIENT_AUTH */
 
     temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
     if (temp < 0) {
         goto loser;     /* alert has been sent */
     }
-    version = (SSL3ProtocolVersion)temp;
+
+    if (!IS_DTLS(ss)) {
+        /* this is appropriate since the negotiation is complete, and we only
+         * know SSL 3.x.
+         */
+        version = (SSL3ProtocolVersion)temp;
+        if (MSB(version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
+            desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version 
+              : handshake_failure;
+            goto alert_loser;
+        }

[wtc, 2012/03/21 23:12:16]

Lines 5228-5230 and 5232-5236 have been removed by the SSL
version range API patch.

+    } else {
+        /* RFC 4347 required that you verify that the server versions
+         * match (S 4.2.1) in the HelloVerifyRequest and the ServerHello
+         *
+         * RFC 6347 suggests (SHOULD) that servers always use 1.0
+         * in HelloVerifyRequest and allows the versions not to match,
+         * esp. when 1.2 is being negotiated.
+         *
+         * Therefore we do not check for matching here.
+         */
+        version = dtls_DTLSVersionToTLSVersion(temp);
+        if (version == 0)  /* Insane version number */
+            goto alert_loser;
+    }
 
     rv = ssl3_NegotiateVersion(ss, version, PR_FALSE);
     if (rv != SECSuccess) {
         desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version 
                                                    : handshake_failure;
         errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
         goto alert_loser;
     }
     isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
 
@@ skipping 1209 matching lines @@
     sslSessionID *      sid      = NULL;
     PRInt32             tmp;
     unsigned int        i;
     int                 j;
     SECStatus           rv;
     int                 errCode  = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO;
     SSL3AlertDescription desc    = illegal_parameter;
     SSL3AlertLevel      level    = alert_fatal;
     SSL3ProtocolVersion version;
     SECItem             sidBytes = {siBuffer, NULL, 0};
+    SECItem             cookieBytes = {siBuffer, NULL, 0};
     SECItem             suites   = {siBuffer, NULL, 0};
     SECItem             comps    = {siBuffer, NULL, 0};
     PRBool              haveSpecWriteLock = PR_FALSE;
     PRBool              haveXmitBufLock   = PR_FALSE;
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake",
         SSL_GETPID(), ss->fd));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     /* Get peer name of client */
     rv = ssl_GetPeerInfo(ss);
     if (rv != SECSuccess) {
         return rv;              /* error code is set. */
     }
 
+    /* Clearing the handshake pointers so that
+     * ssl_Do1stHandshake won't call ssl2_HandleMessage.
+     *
+     * The issue here is that TLS ordinarily starts out
+     * in ssl2_HandleV3HandshakeRecord() because of the
+     * backward-compatibility code paths. That function
+     * zeroes these next pointers. But with DTLS, we
+     * don't even try to do the v2 ClientHello so we
+     * skip that function and need to reset these 
+     * values here.
+     */
+    ss->nextHandshake     = NULL;
+    ss->securityHandshake = NULL;
+
     /* We might be starting session renegotiation in which case we should
      * clear previous state.
      */
     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
     ss->statelessResume = PR_FALSE;
 
     rv = ssl3_InitState(ss);
     if (rv != SECSuccess) {
         return rv;              /* ssl3_InitState has set the error code. */
     }
 
     if ((ss->ssl3.hs.ws != wait_client_hello) &&
         (ss->ssl3.hs.ws != idle_handshake)) {
         desc    = unexpected_message;
         errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO;
         goto alert_loser;
     }
     if (ss->ssl3.hs.ws == idle_handshake  &&
         ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) {
         desc    = no_renegotiation;
         level   = alert_warning;
         errCode = SSL_ERROR_RENEGOTIATION_NOT_ALLOWED;
         goto alert_loser;
     }
 
+    if (IS_DTLS(ss)) {
+        dtls_RehandshakeCleanup(ss);
+    }
+
     tmp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
     if (tmp < 0)
         goto loser;             /* malformed, alert already sent */
-    ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp;
+    
+    /* Translate the version */
+    if (IS_DTLS(ss)) {
+        ss->clientHelloVersion = version =
+            dtls_DTLSVersionToTLSVersion((SSL3ProtocolVersion)tmp);
+    } else {
+        ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp;
+    }
+
     rv = ssl3_NegotiateVersion(ss, version, PR_TRUE);
     if (rv != SECSuccess) {
         desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version 
                                                    : handshake_failure;
         errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
         goto alert_loser;
     }
 
     /* grab the client random data. */
     rv = ssl3_ConsumeHandshake(
         ss, &ss->ssl3.hs.client_random, SSL3_RANDOM_LENGTH, &b, &length);
     if (rv != SECSuccess) {
         goto loser;             /* malformed */
     }
 
     /* grab the client's SID, if present. */
     rv = ssl3_ConsumeHandshakeVariable(ss, &sidBytes, 1, &b, &length);
     if (rv != SECSuccess) {
         goto loser;             /* malformed */
     }
 
+    /* grab the client's cookie, if present. */
+    if (IS_DTLS(ss)) {
+        rv = ssl3_ConsumeHandshakeVariable(ss, &cookieBytes, 1, &b, &length);
+        if (rv != SECSuccess) {
+            goto loser;         /* malformed */
+        }
+    }
+
     /* grab the list of cipher suites. */
     rv = ssl3_ConsumeHandshakeVariable(ss, &suites, 2, &b, &length);
     if (rv != SECSuccess) {
         goto loser;             /* malformed */
     }
 
     /* grab the list of compression methods. */
     rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length);
     if (rv != SECSuccess) {
         goto loser;             /* malformed */
@@ skipping 128 matching lines @@
             ssl_FreeSID(sid);
             sid = NULL;
         }
     }
 
 #ifdef NSS_ENABLE_ECC
     /* Disable any ECC cipher suites for which we have no cert. */
     ssl3_FilterECCipherSuitesByServerCerts(ss);
 #endif
 
+    if (IS_DTLS(ss)) {
+        ssl3_DisableNonDTLSSuites(ss);
+    }
+
 #ifdef PARANOID
     /* Look for a matching cipher suite. */
     j = ssl3_config_match_init(ss);
     if (j <= 0) {               /* no ciphers are working/supported by PK11 */
         errCode = PORT_GetError();      /* error code is already set. */
         goto alert_loser;
     }
 #endif
 
     /* If we already have a session for this client, be sure to pick the
@@ skipping 667 matching lines @@
 **      ssl3_SendServerHelloSequence <- ssl3_HandleV2ClientHello (new session)
 */
 static SECStatus
 ssl3_SendServerHello(sslSocket *ss)
 {
     sslSessionID *sid;
     SECStatus     rv;
     PRUint32      maxBytes = 65535;
     PRUint32      length;
     PRInt32       extensions_len = 0;
+    SSL3ProtocolVersion version;
 
     SSL_TRC(3, ("%d: SSL3[%d]: send server_hello handshake", SSL_GETPID(),
                 ss->fd));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-    PORT_Assert( MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0));
 
-    if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
-        PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
-        return SECFailure;
+    if (!IS_DTLS(ss)) {
+        PORT_Assert( MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_3_0));
+
+        if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) {
+            PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
+            return SECFailure;
+        }
+    } else {
+        PORT_Assert(MSB(ss->version) == MSB(SSL_LIBRARY_VERSION_DTLS_1_0));
+
+        if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_DTLS_1_0)) {
+            PORT_SetError(SSL_ERROR_NO_CYPHER_OVERLAP);
+            return SECFailure;
+        }
     }
 
     sid = ss->sec.ci.sid;
 
     extensions_len = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes,
                                                &ss->xtnData.serverSenders[0]);
     if (extensions_len > 0)
         extensions_len += 2; /* Add sizeof total extension length */
 
     length = sizeof(SSL3ProtocolVersion) + SSL3_RANDOM_LENGTH + 1 +
              ((sid == NULL) ? 0: sid->u.ssl3.sessionIDLength) +
              sizeof(ssl3CipherSuite) + 1 + extensions_len;
     rv = ssl3_AppendHandshakeHeader(ss, server_hello, length);
     if (rv != SECSuccess) {
         return rv;      /* err set by AppendHandshake. */
     }
 
-    rv = ssl3_AppendHandshakeNumber(ss, ss->version, 2);
+    if (IS_DTLS(ss)) {
+        version = dtls_TLSVersionToDTLSVersion(ss->version);
+    } else {
+        version = ss->version;
+    }
+
+    rv = ssl3_AppendHandshakeNumber(ss, version, 2);
     if (rv != SECSuccess) {
         return rv;      /* err set by AppendHandshake. */
     }
     rv = ssl3_GetNewRandom(&ss->ssl3.hs.server_random);
     if (rv != SECSuccess) {
         ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
         return rv;
     }
     rv = ssl3_AppendHandshake(
         ss, &ss->ssl3.hs.server_random, SSL3_RANDOM_LENGTH);
@@ skipping 164 matching lines @@
     ca_list = ss->ssl3.ca_list;
     if (!ca_list) {
         ca_list = ssl3_server_ca_list;
     }
 
     if (ca_list != NULL) {
         names = ca_list->names;
         nnames = ca_list->nnames;
     }
 
-    if (!nnames) {
-        PORT_SetError(SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA);
-        return SECFailure;
-    }
-
+    /* There used to be a test here to require a CA, but there
+     * are cases where you want to have no CAs offered. */
     for (i = 0, name = names; i < nnames; i++, name++) {
         calen += 2 + name->len;
     }
 
     certTypes       = certificate_types;
     certTypesLength = sizeof certificate_types;
 
     length = 1 + certTypesLength + 2 + calen;
 
     rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length);
@@ skipping 147 matching lines @@
            /* can't find a slot with all three, find a slot with the minimum */
             slot = PK11_GetBestSlotMultiple(mechanism_array, 2, pwArg);
             if (slot == NULL) {
                 PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND);
                 return pms;     /* which is NULL */
             }
         }
     }
 
     /* Generate the pre-master secret ...  */
-    version.major = MSB(ss->clientHelloVersion);
-    version.minor = LSB(ss->clientHelloVersion);
+    if (IS_DTLS(ss)) {
+        SSL3ProtocolVersion temp;
+
+        temp = dtls_TLSVersionToDTLSVersion(ss->clientHelloVersion);
+        version.major = MSB(temp);
+        version.minor = LSB(temp);
+    } else {
+        version.major = MSB(ss->clientHelloVersion);
+        version.minor = LSB(ss->clientHelloVersion);
+    }
 
     param.data = (unsigned char *)&version;
     param.len  = sizeof version;
 
     pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, &param, 0, pwArg);
     if (!serverKeySlot)
         PK11_FreeSlot(slot);
     if (pms == NULL) {
         ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
     }
@@ skipping 62 matching lines @@
          */
 
         rv = PK11_PrivDecryptPKCS1(serverKey, rsaPmsBuf, &outLen, 
                                    sizeof rsaPmsBuf, enc_pms.data, enc_pms.len);
         if (rv != SECSuccess) {
             /* triple bypass failed.  Let's try for a double bypass. */
             goto double_bypass;
         } else if (ss->opt.detectRollBack) {
             SSL3ProtocolVersion client_version = 
                                          (rsaPmsBuf[0] << 8) | rsaPmsBuf[1];
+            
+            if (IS_DTLS(ss)) {
+                client_version = dtls_DTLSVersionToTLSVersion(client_version);
+            }
+
             if (client_version != ss->clientHelloVersion) {
                 /* Version roll-back detected. ensure failure.  */
                 rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf);
             }
         }
         /* have PMS, build MS without PKCS11 */
         rv = ssl3_MasterKeyDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS, 
                                         PR_TRUE);
         if (rv != SECSuccess) {
             pwSpec->msItem.data = pwSpec->raw_master_secret;
@@ skipping 1196 matching lines @@
             flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER;
         }
 
         if (!isServer && !ss->firstHsDone) {
             rv = ssl3_SendNextProto(ss);
             if (rv != SECSuccess) {
                 goto xmit_loser; /* err code was set. */
             }
         }
 
+        if (IS_DTLS(ss)) {
+            flags |= ssl_SEND_FLAG_NO_RETRANSMIT;
+        }
+
         rv = ssl3_SendFinished(ss, flags);
         if (rv != SECSuccess) {
             goto xmit_loser;    /* err is set. */
         }
     }
 
 xmit_loser:
     ssl_ReleaseXmitBufLock(ss); /*************************************/
     if (rv != SECSuccess) {
         return rv;
@@ skipping 109 matching lines @@
                                     ss->ssl3.hs.pending_cert_msg.len);
         SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE);
     }
     return rv;
 }
 
 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3
  * hanshake message.
  * Caller must hold Handshake and RecvBuf locks.
  */
-static SECStatus
+SECStatus
 ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 {
     SECStatus         rv        = SECSuccess;
     SSL3HandshakeType type      = ss->ssl3.hs.msg_type;
     SSL3Hashes        hashes;   /* computed hashes are put here. */
     PRUint8           hdr[4];
+    PRUint8           dtlsData[8];
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
     /*
      * We have to compute the hashes before we update them with the
      * current message.
      */
     ssl_GetSpecReadLock(ss);    /************************************/
     if((type == finished) || (type == certificate_verify)) {
         SSL3Sender      sender = (SSL3Sender)0;
@@ skipping 26 matching lines @@
     /* Start new handshake hashes when we start a new handshake */
     if (ss->ssl3.hs.msg_type == client_hello) {
         SSL_TRC(30,("%d: SSL3[%d]: reset handshake hashes",
                 SSL_GETPID(), ss->fd ));
         rv = ssl3_RestartHandshakeHashes(ss);
         if (rv != SECSuccess) {
             return rv;
         }
     }
     /* We should not include hello_request messages in the handshake hashes */
-    if (ss->ssl3.hs.msg_type != hello_request) {
+    if ((ss->ssl3.hs.msg_type != hello_request) &&
+        (ss->ssl3.hs.msg_type != hello_verify_request)) {
         rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) hdr, 4);
         if (rv != SECSuccess) return rv;        /* err code already set. */
+
+        /* Extra data to simulate a complete DTLS handshake fragment */
+        if (IS_DTLS(ss)) {
+            /* Sequence number */
+            dtlsData[0] = MSB(ss->ssl3.hs.recvMessageSeq); 
+            dtlsData[1] = LSB(ss->ssl3.hs.recvMessageSeq);
+  
+            /* Fragment offset */
+            dtlsData[2] = 0;
+            dtlsData[3] = 0;
+            dtlsData[4] = 0;
+
+            /* Fragment length */
+            dtlsData[5] = (PRUint8)(length >> 16);
+            dtlsData[6] = (PRUint8)(length >>  8);
+            dtlsData[7] = (PRUint8)(length      );
+        
+            rv = ssl3_UpdateHandshakeHashes(ss, (unsigned char*) dtlsData,
+                                            sizeof(dtlsData));
+            if (rv != SECSuccess) return rv;    /* err code already set. */
+        
+        }
+        
+        /* The message body */
         rv = ssl3_UpdateHandshakeHashes(ss, b, length);
         if (rv != SECSuccess) return rv;        /* err code already set. */
     }
 
     PORT_SetError(0);   /* each message starts with no error. */
     switch (ss->ssl3.hs.msg_type) {
     case hello_request:
         if (length != 0) {
             (void)ssl3_DecodeError(ss);
             PORT_SetError(SSL_ERROR_RX_MALFORMED_HELLO_REQUEST);
@@ skipping 15 matching lines @@
         rv = ssl3_HandleClientHello(ss, b, length);
         break;
     case server_hello:
         if (ss->sec.isServer) {
             (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
             PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_HELLO);
             return SECFailure;
         }
         rv = ssl3_HandleServerHello(ss, b, length);
         break;
+    case hello_verify_request:
+        if (!IS_DTLS(ss) || ss->sec.isServer) {
+            (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
+            PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST);
+            return SECFailure;
+        }
+        rv = dtls_HandleHelloVerifyRequest(ss, b, length);
+        break;
     case certificate:
         if (ss->ssl3.hs.may_get_cert_status) {
             /* If we might get a CertificateStatus then we want to postpone the
              * processing of the Certificate message until after we have
              * processed the CertificateStatus */
             if (ss->ssl3.hs.pending_cert_msg.data ||
                 ss->ssl3.hs.ws != wait_server_cert) {
                 (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
                 (void)ssl_MapLowLevelError(SSL_ERROR_RX_UNEXPECTED_CERTIFICATE);
                 return SECFailure;
@@ skipping 78 matching lines @@
         rv = ssl3_HandleNewSessionTicket(ss, b, length);
         break;
     case finished:
         rv = ssl3_HandleFinished(ss, b, length, &hashes);
         break;
     default:
         (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
         PORT_SetError(SSL_ERROR_RX_UNKNOWN_HANDSHAKE);
         rv = SECFailure;
     }
+
+    if (IS_DTLS(ss) && (rv == SECSuccess)) {
+        /* Increment the expected sequence number */
+        ss->ssl3.hs.recvMessageSeq++;
+    }
+                        
     return rv;
 }
 
 /* Called only from ssl3_HandleRecord, for each (deciphered) ssl3 record.
  * origBuf is the decrypted ssl record content.
  * Caller must hold the handshake and RecvBuf locks.
  */
 static SECStatus
 ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
 {
@@ skipping 142 matching lines @@
     ssl3CipherSpec *     crSpec;
     SECStatus            rv;
     unsigned int         hashBytes = MAX_MAC_LENGTH + 1;
     unsigned int         padding_length;
     PRBool               isTLS;
     PRBool               padIsBad = PR_FALSE;
     SSL3ContentType      rType;
     SSL3Opaque           hash[MAX_MAC_LENGTH];
     sslBuffer           *plaintext;
     sslBuffer            temp_buf;
+    PRUint64             dtls_seq_num;
     unsigned int         ivLen = 0;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
 
     if (!ss->ssl3.initialized) {
         ssl_GetSSL3HandshakeLock(ss);
         rv = ssl3_InitState(ss);
         ssl_ReleaseSSL3HandshakeLock(ss);
         if (rv != SECSuccess) {
             return rv;          /* ssl3_InitState has set the error code. */
@@ skipping 15 matching lines @@
                  SSL_GETPID(), ss->fd));
         rType = content_handshake;
         goto process_it;
     }
 
     ssl_GetSpecReadLock(ss); /******************************************/
 
     crSpec = ss->ssl3.crSpec;
     cipher_def = crSpec->cipher_def;
 
+    /* If we will be decompressing the buffer we need to decrypt somewhere
+     * other than into databuf */
+    if (crSpec->decompressor) {
+        temp_buf.buf = NULL;
+        temp_buf.space = 0;
+        plaintext = &temp_buf;
+    } else {
+        plaintext = databuf;
+    }
+
+    plaintext->len = 0; /* filled in by decode call below. */

[wtc, 2012/03/21 23:12:16]

I moved this block of code (lines 9693-9703) back to its
original location.  This seems to be a merging error.

[ekr, 2012/03/22 15:07:17]

It may be an error but it was intentional. :)

The issue is that there are a number of conditions below in which packets get
rejected but we return SECSuccess. We want to make sure that there is no way for
the caller to end up with data in the plaintext buffers that hasn't been
integrity checked. One would hope that databuf is already empty at this point,
but moving this assignment up makes sure. Can you sugest a better approach?

[wtc, 2012/03/22 20:09:20]

I see.  I suggest that we set databuf->len to 0 before
returning SECSuccess, like you do on lines 9867-9869
below.  Note: there we should also set databuf->len instead
of plaintext->len to 0 because plaintext points to temp_buf
if we need to decompress.

+
+    /* 
+     * DTLS relevance checks:
+     * Note that this code currently ignores all out-of-epoch packets,
+     * which means we lose some in the case of rehandshake +
+     * loss/reordering. Since DTLS is explicitly unreliable, this
+     * seems like a good tradeoff for implementation effort and is
+     * consistent with the guidance of RFC 6347 S 4.1 and S 4.2.4.1
+     */
+    if (IS_DTLS(ss)) {
+        DTLSEpoch epoch = (cText->seq_num.high >> 16) & 0xffff;
+        
+        if (crSpec->epoch != epoch) {
+            ssl_ReleaseSpecReadLock(ss);
+            SSL_DBG(("%d: SSL3[%d]: HandleRecord, received packet "
+                     "from irrelevant epoch %d", SSL_GETPID(), ss->fd, epoch));
+            return SECSuccess;
+        }
+
+        dtls_seq_num = (((PRUint64)(cText->seq_num.high & 0xffff)) << 32) |
+            ((PRUint64)cText->seq_num.low);
+
+        if (dtls_RecordGetRecvd(&crSpec->recvdRecords, dtls_seq_num)) {
+            ssl_ReleaseSpecReadLock(ss);
+            SSL_DBG(("%d: SSL3[%d]: HandleRecord, rejecting "
+                     "potentially replayed packet", SSL_GETPID(), ss->fd));
+            return SECSuccess;
+        }
+    }
+
     if (cipher_def->type == type_block &&
         crSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
         /* Consume the per-record explicit IV. RFC 4346 Section 6.2.3.2 states
          * "The receiver decrypts the entire GenericBlockCipher structure and
          * then discards the first cipher block corresponding to the IV
          * component." Instead, we decrypt the first cipher block and then
          * discard it before decrypting the rest.
          */
         SSL3Opaque iv[MAX_IV_LENGTH];
         int decoded;
@@ skipping 25 matching lines @@
                             sizeof(iv), cText->buf->buf, ivLen);
 
         if (rv != SECSuccess) {
             /* All decryption failures must be treated like a bad record
              * MAC; see RFC 5246 (TLS 1.2). 
              */
             padIsBad = PR_TRUE;
         }
     }
 
-    /* If we will be decompressing the buffer we need to decrypt somewhere
-     * other than into databuf */
-    if (crSpec->decompressor) {
-        temp_buf.buf = NULL;
-        temp_buf.space = 0;
-        plaintext = &temp_buf;
-    } else {
-        plaintext = databuf;
-    }
-
-    plaintext->len = 0; /* filled in by decode call below. */
     if (plaintext->space < MAX_FRAGMENT_LENGTH) {
         rv = sslBuffer_Grow(plaintext, MAX_FRAGMENT_LENGTH + 2048);
         if (rv != SECSuccess) {
             ssl_ReleaseSpecReadLock(ss);
             SSL_DBG(("%d: SSL3[%d]: HandleRecord, tried to get %d bytes",
                      SSL_GETPID(), ss->fd, MAX_FRAGMENT_LENGTH + 2048));
             /* sslBuffer_Grow has set a memory error code. */
             /* Perhaps we should send an alert. (but we have no memory!) */
             return SECFailure;
         }
     }
 
     PRINT_BUF(80, (ss, "ciphertext:", cText->buf->buf + ivLen,
                                       cText->buf->len - ivLen));
 
+    cipher_def = crSpec->cipher_def;
     isTLS = (PRBool)(crSpec->version > SSL_LIBRARY_VERSION_3_0);
 
     if (isTLS && cText->buf->len - ivLen > (MAX_FRAGMENT_LENGTH + 2048)) {
         ssl_ReleaseSpecReadLock(ss);
         SSL3_SendAlert(ss, alert_fatal, record_overflow);
         PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
         return SECFailure;
     }
 
     /* decrypt from cText buf to plaintext. */
@@ skipping 30 matching lines @@
 
     /* Remove the MAC. */
     if (plaintext->len >= crSpec->mac_size)
         plaintext->len -= crSpec->mac_size;
     else
         padIsBad = PR_TRUE;     /* really macIsBad */
 
     /* compute the MAC */
     rType = cText->type;
     rv = ssl3_ComputeRecordMAC( crSpec, (PRBool)(!ss->sec.isServer),
-        rType, cText->version, crSpec->read_seq_num, 
+        IS_DTLS(ss), rType, cText->version, 
+        IS_DTLS(ss) ? cText->seq_num : crSpec->read_seq_num, 
         plaintext->buf, plaintext->len, hash, &hashBytes);
     if (rv != SECSuccess) {
         padIsBad = PR_TRUE;     /* really macIsBad */
     }
 
     /* Check the MAC */
     if (hashBytes != (unsigned)crSpec->mac_size || padIsBad || 
         NSS_SecureMemcmp(plaintext->buf + plaintext->len, hash,
                          crSpec->mac_size) != 0) {
         /* must not hold spec lock when calling SSL3_SendAlert. */
         ssl_ReleaseSpecReadLock(ss);
-        SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
-        /* always log mac error, in case attacker can read server logs. */
-        PORT_SetError(SSL_ERROR_BAD_MAC_READ);
 
         SSL_DBG(("%d: SSL3[%d]: mac check failed", SSL_GETPID(), ss->fd));
 
-        return SECFailure;
+        if (!IS_DTLS(ss)) {
+            SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
+            /* always log mac error, in case attacker can read server logs. */
+            PORT_SetError(SSL_ERROR_BAD_MAC_READ);
+            return SECFailure;
+        } else {
+            /* Silently drop the packet */ 
+            plaintext->len = 0; /* Needed to ensure data not left around */
+            return SECSuccess;
+        }
     }
 
-
-
-    ssl3_BumpSequenceNumber(&crSpec->read_seq_num);
+    if (!IS_DTLS(ss)) {
+        ssl3_BumpSequenceNumber(&crSpec->read_seq_num);
+    } else {
+        dtls_RecordSetRecvd(&crSpec->recvdRecords, dtls_seq_num);
+    }
 
     ssl_ReleaseSpecReadLock(ss); /*****************************************/
 
     /*
      * The decrypted data is now in plaintext.
      */
 
     /* possibly decompress the record. If we aren't using compression then
      * plaintext == databuf and so the uncompressed data is already in
      * databuf. */
@@ skipping 84 matching lines @@
     ** they return SECFailure or SECWouldBlock.
     */
     switch (rType) {
     case content_change_cipher_spec:
         rv = ssl3_HandleChangeCipherSpecs(ss, databuf);
         break;
     case content_alert:
         rv = ssl3_HandleAlert(ss, databuf);
         break;
     case content_handshake:
-        rv = ssl3_HandleHandshake(ss, databuf);
+        if (!IS_DTLS(ss)) {
+            rv = ssl3_HandleHandshake(ss, databuf);
+        } else {
+            rv = dtls_HandleHandshake(ss, databuf);
+        }
         break;
     /*
     case content_application_data is handled before this switch
     */
     default:
         SSL_DBG(("%d: SSL3[%d]: bogus content type=%d",
                  SSL_GETPID(), ss->fd, cText->type));
         /* XXX Send an alert ???  */
         PORT_SetError(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE);
         rv = SECFailure;
@@ skipping 39 matching lines @@
     spec->server.write_key         = NULL;
     spec->server.write_mac_key     = NULL;
     spec->server.write_mac_context = NULL;
 
     spec->write_seq_num.high       = 0;
     spec->write_seq_num.low        = 0;
 
     spec->read_seq_num.high        = 0;
     spec->read_seq_num.low         = 0;
 
+    spec->epoch                    = 0;
+    dtls_InitRecvdRecords(&spec->recvdRecords);
+
     spec->version                  = ss->vrange.max;
 }
 
 /* Called from: ssl3_SendRecord
 **              ssl3_StartHandshakeHash() <- ssl2_BeginClientHandshake()
 **              ssl3_SendClientHello()
 **              ssl3_HandleServerHello()
 **              ssl3_HandleClientHello()
 **              ssl3_HandleV2ClientHello()
 **              ssl3_HandleRecord()
@@ skipping 21 matching lines @@
     ssl3_InitCipherSpec(ss, ss->ssl3.prSpec);
 
     ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello;
 #ifdef NSS_ENABLE_ECC
     ss->ssl3.hs.negotiatedECCurves = SSL3_SUPPORTED_CURVES_MASK;
 #endif
     ssl_ReleaseSpecWriteLock(ss);
 
     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
 
+    if (IS_DTLS(ss)) {
+        ss->ssl3.hs.sendMessageSeq = 0;
+        ss->ssl3.hs.recvMessageSeq = 0;
+        ss->ssl3.hs.rtTimeoutMs = INITIAL_DTLS_TIMEOUT_MS;
+        ss->ssl3.hs.rtRetries = 0;
+
+        /* Have to allocate this because ssl_FreeSocket relocates
+         * this structure in DEBUG mode */
+        if (!(ss->ssl3.hs.lastMessageFlight = PORT_Alloc(sizeof(PRCList)))) 
+            return SECFailure;
+        ss->ssl3.hs.recvdHighWater = -1;
+        PR_INIT_CLIST(ss->ssl3.hs.lastMessageFlight);
+        dtls_SetMTU(ss, 0); /* Set the MTU to the highest plateau */
+    }
+
     rv = ssl3_NewHandshakeHashes(ss);
     if (rv == SECSuccess) {
         ss->ssl3.initialized = PR_TRUE;
     }
 
     return rv;
 }
 
 /* Returns a reference counted object that contains a key pair.
  * Or NULL on failure.  Initial ref count is 1.
@@ skipping 232 matching lines @@
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     if (!ss->firstHsDone ||
         ((ss->version >= SSL_LIBRARY_VERSION_3_0) &&
          ss->ssl3.initialized && 
          (ss->ssl3.hs.ws != idle_handshake))) {
         PORT_SetError(SSL_ERROR_HANDSHAKE_NOT_COMPLETED);
         return SECFailure;
     }
+
+    if (IS_DTLS(ss)) {
+        dtls_RehandshakeCleanup(ss);
+    }
+
     if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) {
         PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
         return SECFailure;
     }
     if (sid && flushCache) {
         ss->sec.uncache(sid);   /* remove it from whichever cache it's in. */
         ssl_FreeSID(sid);       /* dec ref count and free if zero. */
         ss->sec.ci.sid = NULL;
     }
 
     ssl_GetXmitBufLock(ss);     /**************************************/
 
     /* start off a new handshake. */
     rv = (ss->sec.isServer) ? ssl3_SendHelloRequest(ss)
-                            : ssl3_SendClientHello(ss);
+                            : ssl3_SendClientHello(ss, PR_FALSE);
 
     ssl_ReleaseXmitBufLock(ss); /**************************************/
     return rv;
 }
 
 /* Called from ssl_DestroySocketContents() in sslsock.c */
 void
 ssl3_DestroySSL3Info(sslSocket *ss)
 {
 
@@ skipping 39 matching lines @@
         SECITEM_FreeItem(&ss->ssl3.hs.cert_status, PR_FALSE);
     }
 
     /* free the SSL3Buffer (msg_body) */
     PORT_Free(ss->ssl3.hs.msg_body.buf);
 
     /* free up the CipherSpecs */
     ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/);
     ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/);
 
+    /* Destroy the DTLS data */
+    if (IS_DTLS(ss)) {
+        if (ss->ssl3.hs.lastMessageFlight) {
+            dtls_FreeHandshakeMessages(ss->ssl3.hs.lastMessageFlight);
+            PORT_Free(ss->ssl3.hs.lastMessageFlight);
+        }
+        if (ss->ssl3.hs.recvdFragments.buf) {
+            PORT_Free(ss->ssl3.hs.recvdFragments.buf);
+        }
+    }
+
     ss->ssl3.initialized = PR_FALSE;
 
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
 }
 
 /* End of ssl3con.c */