xref: /openssl/ssl/record/rec_layer_d1.c (revision ef39dd05)
1 /*
2  * Copyright 2005-2024 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 #include <stdio.h>
11 #include <errno.h>
12 #include "../ssl_local.h"
13 #include <openssl/evp.h>
14 #include <openssl/buffer.h>
15 #include "record_local.h"
16 #include "internal/packet.h"
17 #include "internal/cryptlib.h"
18 
DTLS_RECORD_LAYER_new(RECORD_LAYER * rl)19 int DTLS_RECORD_LAYER_new(RECORD_LAYER *rl)
20 {
21     DTLS_RECORD_LAYER *d;
22 
23     if ((d = OPENSSL_malloc(sizeof(*d))) == NULL)
24         return 0;
25 
26     rl->d = d;
27 
28     d->buffered_app_data = pqueue_new();
29 
30     if (d->buffered_app_data == NULL) {
31         OPENSSL_free(d);
32         rl->d = NULL;
33         return 0;
34     }
35 
36     return 1;
37 }
38 
DTLS_RECORD_LAYER_free(RECORD_LAYER * rl)39 void DTLS_RECORD_LAYER_free(RECORD_LAYER *rl)
40 {
41     if (rl->d == NULL)
42         return;
43 
44     DTLS_RECORD_LAYER_clear(rl);
45     pqueue_free(rl->d->buffered_app_data);
46     OPENSSL_free(rl->d);
47     rl->d = NULL;
48 }
49 
DTLS_RECORD_LAYER_clear(RECORD_LAYER * rl)50 void DTLS_RECORD_LAYER_clear(RECORD_LAYER *rl)
51 {
52     DTLS_RECORD_LAYER *d;
53     pitem *item = NULL;
54     TLS_RECORD *rec;
55     pqueue *buffered_app_data;
56 
57     d = rl->d;
58 
59     while ((item = pqueue_pop(d->buffered_app_data)) != NULL) {
60         rec = (TLS_RECORD *)item->data;
61 
62         if (rl->s->options & SSL_OP_CLEANSE_PLAINTEXT)
63             OPENSSL_cleanse(rec->allocdata, rec->length);
64         OPENSSL_free(rec->allocdata);
65         OPENSSL_free(item->data);
66         pitem_free(item);
67     }
68 
69     buffered_app_data = d->buffered_app_data;
70     memset(d, 0, sizeof(*d));
71     d->buffered_app_data = buffered_app_data;
72 }
73 
dtls_buffer_record(SSL_CONNECTION * s,TLS_RECORD * rec)74 static int dtls_buffer_record(SSL_CONNECTION *s, TLS_RECORD *rec)
75 {
76     TLS_RECORD *rdata;
77     pitem *item;
78     struct pqueue_st *queue = s->rlayer.d->buffered_app_data;
79 
80     /* Limit the size of the queue to prevent DOS attacks */
81     if (pqueue_size(queue) >= 100)
82         return 0;
83 
84     /* We don't buffer partially read records */
85     if (!ossl_assert(rec->off == 0))
86         return -1;
87 
88     rdata = OPENSSL_malloc(sizeof(*rdata));
89     item = pitem_new(rec->seq_num, rdata);
90     if (rdata == NULL || item == NULL) {
91         OPENSSL_free(rdata);
92         pitem_free(item);
93         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
94         return -1;
95     }
96 
97     *rdata = *rec;
98     /*
99      * We will release the record from the record layer soon, so we take a copy
100      * now. Copying data isn't good - but this should be infrequent so we
101      * accept it here.
102      */
103     rdata->data = rdata->allocdata = OPENSSL_memdup(rec->data, rec->length);
104     if (rdata->data == NULL) {
105         OPENSSL_free(rdata);
106         pitem_free(item);
107         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB);
108         return -1;
109     }
110     /*
111      * We use a NULL rechandle to indicate that the data field has been
112      * allocated by us.
113      */
114     rdata->rechandle = NULL;
115 
116     item->data = rdata;
117 
118 #ifndef OPENSSL_NO_SCTP
119     /* Store bio_dgram_sctp_rcvinfo struct */
120     if (BIO_dgram_is_sctp(s->rbio) &&
121         (ossl_statem_get_state(s) == TLS_ST_SR_FINISHED
122          || ossl_statem_get_state(s) == TLS_ST_CR_FINISHED)) {
123         BIO_ctrl(s->rbio, BIO_CTRL_DGRAM_SCTP_GET_RCVINFO,
124                  sizeof(rdata->recordinfo), &rdata->recordinfo);
125     }
126 #endif
127 
128     if (pqueue_insert(queue, item) == NULL) {
129         /* Must be a duplicate so ignore it */
130         OPENSSL_free(rdata->allocdata);
131         OPENSSL_free(rdata);
132         pitem_free(item);
133     }
134 
135     return 1;
136 }
137 
138 /* Unbuffer a previously buffered TLS_RECORD structure if any */
dtls_unbuffer_record(SSL_CONNECTION * s)139 static void dtls_unbuffer_record(SSL_CONNECTION *s)
140 {
141     TLS_RECORD *rdata;
142     pitem *item;
143 
144     /* If we already have records to handle then do nothing */
145     if (s->rlayer.curr_rec < s->rlayer.num_recs)
146         return;
147 
148     item = pqueue_pop(s->rlayer.d->buffered_app_data);
149     if (item != NULL) {
150         rdata = (TLS_RECORD *)item->data;
151 
152         s->rlayer.tlsrecs[0] = *rdata;
153         s->rlayer.num_recs = 1;
154         s->rlayer.curr_rec = 0;
155 
156 #ifndef OPENSSL_NO_SCTP
157         /* Restore bio_dgram_sctp_rcvinfo struct */
158         if (BIO_dgram_is_sctp(s->rbio)) {
159             BIO_ctrl(s->rbio, BIO_CTRL_DGRAM_SCTP_SET_RCVINFO,
160                      sizeof(rdata->recordinfo), &rdata->recordinfo);
161         }
162 #endif
163 
164         OPENSSL_free(item->data);
165         pitem_free(item);
166     }
167 }
168 
169 /*-
170  * Return up to 'len' payload bytes received in 'type' records.
171  * 'type' is one of the following:
172  *
173  *   -  SSL3_RT_HANDSHAKE
174  *   -  SSL3_RT_APPLICATION_DATA (when ssl3_read calls us)
175  *   -  0 (during a shutdown, no data has to be returned)
176  *
177  * If we don't have stored data to work from, read an SSL/TLS record first
178  * (possibly multiple records if we still don't have anything to return).
179  *
180  * This function must handle any surprises the peer may have for us, such as
181  * Alert records (e.g. close_notify) or renegotiation requests. ChangeCipherSpec
182  * messages are treated as if they were handshake messages *if* the |recd_type|
183  * argument is non NULL.
184  * Also if record payloads contain fragments too small to process, we store
185  * them until there is enough for the respective protocol (the record protocol
186  * may use arbitrary fragmentation and even interleaving):
187  *     Change cipher spec protocol
188  *             just 1 byte needed, no need for keeping anything stored
189  *     Alert protocol
190  *             2 bytes needed (AlertLevel, AlertDescription)
191  *     Handshake protocol
192  *             4 bytes needed (HandshakeType, uint24 length) -- we just have
193  *             to detect unexpected Client Hello and Hello Request messages
194  *             here, anything else is handled by higher layers
195  *     Application data protocol
196  *             none of our business
197  */
dtls1_read_bytes(SSL * s,uint8_t type,uint8_t * recvd_type,unsigned char * buf,size_t len,int peek,size_t * readbytes)198 int dtls1_read_bytes(SSL *s, uint8_t type, uint8_t *recvd_type,
199                      unsigned char *buf, size_t len,
200                      int peek, size_t *readbytes)
201 {
202     int i, j, ret;
203     size_t n;
204     TLS_RECORD *rr;
205     void (*cb) (const SSL *ssl, int type2, int val) = NULL;
206     SSL_CONNECTION *sc = SSL_CONNECTION_FROM_SSL(s);
207 
208     if (sc == NULL)
209         return -1;
210 
211     if ((type && (type != SSL3_RT_APPLICATION_DATA) &&
212          (type != SSL3_RT_HANDSHAKE)) ||
213         (peek && (type != SSL3_RT_APPLICATION_DATA))) {
214         SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
215         return -1;
216     }
217 
218     if (!ossl_statem_get_in_handshake(sc) && SSL_in_init(s)) {
219         /* type == SSL3_RT_APPLICATION_DATA */
220         i = sc->handshake_func(s);
221         /* SSLfatal() already called if appropriate */
222         if (i < 0)
223             return i;
224         if (i == 0)
225             return -1;
226     }
227 
228  start:
229     sc->rwstate = SSL_NOTHING;
230 
231     /*
232      * We are not handshaking and have no data yet, so process data buffered
233      * during the last handshake in advance, if any.
234      */
235     if (SSL_is_init_finished(s))
236         dtls_unbuffer_record(sc);
237 
238     /* Check for timeout */
239     if (dtls1_handle_timeout(sc) > 0) {
240         goto start;
241     } else if (ossl_statem_in_error(sc)) {
242         /* dtls1_handle_timeout() has failed with a fatal error */
243         return -1;
244     }
245 
246     /* get new packet if necessary */
247     if (sc->rlayer.curr_rec >= sc->rlayer.num_recs) {
248         sc->rlayer.curr_rec = sc->rlayer.num_recs = 0;
249         do {
250             rr = &sc->rlayer.tlsrecs[sc->rlayer.num_recs];
251 
252             ret = HANDLE_RLAYER_READ_RETURN(sc,
253                     sc->rlayer.rrlmethod->read_record(sc->rlayer.rrl,
254                                                       &rr->rechandle,
255                                                       &rr->version, &rr->type,
256                                                       &rr->data, &rr->length,
257                                                       &rr->epoch, rr->seq_num));
258             if (ret <= 0) {
259                 ret = dtls1_read_failed(sc, ret);
260                 /*
261                 * Anything other than a timeout is an error. SSLfatal() already
262                 * called if appropriate.
263                 */
264                 if (ret <= 0)
265                     return ret;
266                 else
267                     goto start;
268             }
269             rr->off = 0;
270             sc->rlayer.num_recs++;
271         } while (sc->rlayer.rrlmethod->processed_read_pending(sc->rlayer.rrl)
272                  && sc->rlayer.num_recs < SSL_MAX_PIPELINES);
273     }
274     rr = &sc->rlayer.tlsrecs[sc->rlayer.curr_rec];
275 
276     /*
277      * Reset the count of consecutive warning alerts if we've got a non-empty
278      * record that isn't an alert.
279      */
280     if (rr->type != SSL3_RT_ALERT && rr->length != 0)
281         sc->rlayer.alert_count = 0;
282 
283     /* we now have a packet which can be read and processed */
284 
285     if (sc->s3.change_cipher_spec /* set when we receive ChangeCipherSpec,
286                                   * reset by ssl3_get_finished */
287         && (rr->type != SSL3_RT_HANDSHAKE)) {
288         /*
289          * We now have application data between CCS and Finished. Most likely
290          * the packets were reordered on their way, so buffer the application
291          * data for later processing rather than dropping the connection.
292          */
293         if (dtls_buffer_record(sc, rr) < 0) {
294             /* SSLfatal() already called */
295             return -1;
296         }
297         if (!ssl_release_record(sc, rr, 0))
298             return -1;
299         goto start;
300     }
301 
302     /*
303      * If the other end has shut down, throw anything we read away (even in
304      * 'peek' mode)
305      */
306     if (sc->shutdown & SSL_RECEIVED_SHUTDOWN) {
307         if (!ssl_release_record(sc, rr, 0))
308             return -1;
309         sc->rwstate = SSL_NOTHING;
310         return 0;
311     }
312 
313     if (type == rr->type
314         || (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC
315             && type == SSL3_RT_HANDSHAKE && recvd_type != NULL)) {
316         /*
317          * SSL3_RT_APPLICATION_DATA or
318          * SSL3_RT_HANDSHAKE or
319          * SSL3_RT_CHANGE_CIPHER_SPEC
320          */
321         /*
322          * make sure that we are not getting application data when we are
323          * doing a handshake for the first time
324          */
325         if (SSL_in_init(s) && (type == SSL3_RT_APPLICATION_DATA)
326                 && (SSL_IS_FIRST_HANDSHAKE(sc))) {
327             SSLfatal(sc, SSL_AD_UNEXPECTED_MESSAGE,
328                      SSL_R_APP_DATA_IN_HANDSHAKE);
329             return -1;
330         }
331 
332         if (recvd_type != NULL)
333             *recvd_type = rr->type;
334 
335         if (len == 0) {
336             /*
337              * Release a zero length record. This ensures multiple calls to
338              * SSL_read() with a zero length buffer will eventually cause
339              * SSL_pending() to report data as being available.
340              */
341             if (rr->length == 0 && !ssl_release_record(sc, rr, 0))
342                 return -1;
343             return 0;
344         }
345 
346         if (len > rr->length)
347             n = rr->length;
348         else
349             n = len;
350 
351         memcpy(buf, &(rr->data[rr->off]), n);
352         if (peek) {
353             if (rr->length == 0 && !ssl_release_record(sc, rr, 0))
354                 return -1;
355         } else {
356             if (!ssl_release_record(sc, rr, n))
357                 return -1;
358         }
359 #ifndef OPENSSL_NO_SCTP
360         /*
361          * We might had to delay a close_notify alert because of reordered
362          * app data. If there was an alert and there is no message to read
363          * anymore, finally set shutdown.
364          */
365         if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
366             sc->d1->shutdown_received
367             && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s)) <= 0) {
368             sc->shutdown |= SSL_RECEIVED_SHUTDOWN;
369             return 0;
370         }
371 #endif
372         *readbytes = n;
373         return 1;
374     }
375 
376     /*
377      * If we get here, then type != rr->type; if we have a handshake message,
378      * then it was unexpected (Hello Request or Client Hello).
379      */
380 
381     if (rr->type == SSL3_RT_ALERT) {
382         unsigned int alert_level, alert_descr;
383         const unsigned char *alert_bytes = rr->data + rr->off;
384         PACKET alert;
385 
386         if (!PACKET_buf_init(&alert, alert_bytes, rr->length)
387                 || !PACKET_get_1(&alert, &alert_level)
388                 || !PACKET_get_1(&alert, &alert_descr)
389                 || PACKET_remaining(&alert) != 0) {
390             SSLfatal(sc, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_INVALID_ALERT);
391             return -1;
392         }
393 
394         if (sc->msg_callback)
395             sc->msg_callback(0, sc->version, SSL3_RT_ALERT, alert_bytes, 2, s,
396                              sc->msg_callback_arg);
397 
398         if (sc->info_callback != NULL)
399             cb = sc->info_callback;
400         else if (s->ctx->info_callback != NULL)
401             cb = s->ctx->info_callback;
402 
403         if (cb != NULL) {
404             j = (alert_level << 8) | alert_descr;
405             cb(s, SSL_CB_READ_ALERT, j);
406         }
407 
408         if (alert_level == SSL3_AL_WARNING) {
409             sc->s3.warn_alert = alert_descr;
410             if (!ssl_release_record(sc, rr, 0))
411                 return -1;
412 
413             sc->rlayer.alert_count++;
414             if (sc->rlayer.alert_count == MAX_WARN_ALERT_COUNT) {
415                 SSLfatal(sc, SSL_AD_UNEXPECTED_MESSAGE,
416                          SSL_R_TOO_MANY_WARN_ALERTS);
417                 return -1;
418             }
419 
420             if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
421 #ifndef OPENSSL_NO_SCTP
422                 /*
423                  * With SCTP and streams the socket may deliver app data
424                  * after a close_notify alert. We have to check this first so
425                  * that nothing gets discarded.
426                  */
427                 if (BIO_dgram_is_sctp(SSL_get_rbio(s)) &&
428                     BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s)) > 0) {
429                     sc->d1->shutdown_received = 1;
430                     sc->rwstate = SSL_READING;
431                     BIO_clear_retry_flags(SSL_get_rbio(s));
432                     BIO_set_retry_read(SSL_get_rbio(s));
433                     return -1;
434                 }
435 #endif
436                 sc->shutdown |= SSL_RECEIVED_SHUTDOWN;
437                 return 0;
438             }
439         } else if (alert_level == SSL3_AL_FATAL) {
440             sc->rwstate = SSL_NOTHING;
441             sc->s3.fatal_alert = alert_descr;
442             SSLfatal_data(sc, SSL_AD_NO_ALERT,
443                           SSL_AD_REASON_OFFSET + alert_descr,
444                           "SSL alert number %d", alert_descr);
445             sc->shutdown |= SSL_RECEIVED_SHUTDOWN;
446             if (!ssl_release_record(sc, rr, 0))
447                 return -1;
448             SSL_CTX_remove_session(sc->session_ctx, sc->session);
449             return 0;
450         } else {
451             SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_ALERT_TYPE);
452             return -1;
453         }
454 
455         goto start;
456     }
457 
458     if (sc->shutdown & SSL_SENT_SHUTDOWN) { /* but we have not received a
459                                             * shutdown */
460         sc->rwstate = SSL_NOTHING;
461         if (!ssl_release_record(sc, rr, 0))
462             return -1;
463         return 0;
464     }
465 
466     if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) {
467         /*
468          * We can't process a CCS now, because previous handshake messages
469          * are still missing, so just drop it.
470          */
471         if (!ssl_release_record(sc, rr, 0))
472             return -1;
473         goto start;
474     }
475 
476     /*
477      * Unexpected handshake message (Client Hello, or protocol violation)
478      */
479     if (rr->type == SSL3_RT_HANDSHAKE && !ossl_statem_get_in_handshake(sc)) {
480         struct hm_header_st msg_hdr;
481 
482         /*
483          * This may just be a stale retransmit. Also sanity check that we have
484          * at least enough record bytes for a message header
485          */
486         if (rr->epoch != sc->rlayer.d->r_epoch
487                 || rr->length < DTLS1_HM_HEADER_LENGTH) {
488             if (!ssl_release_record(sc, rr, 0))
489                 return -1;
490             goto start;
491         }
492 
493         dtls1_get_message_header(rr->data, &msg_hdr);
494 
495         /*
496          * If we are server, we may have a repeated FINISHED of the client
497          * here, then retransmit our CCS and FINISHED.
498          */
499         if (msg_hdr.type == SSL3_MT_FINISHED) {
500             if (dtls1_check_timeout_num(sc) < 0) {
501                 /* SSLfatal) already called */
502                 return -1;
503             }
504 
505             if (dtls1_retransmit_buffered_messages(sc) <= 0) {
506                 /* Fail if we encountered a fatal error */
507                 if (ossl_statem_in_error(sc))
508                     return -1;
509             }
510             if (!ssl_release_record(sc, rr, 0))
511                 return -1;
512             if (!(sc->mode & SSL_MODE_AUTO_RETRY)) {
513                 if (!sc->rlayer.rrlmethod->unprocessed_read_pending(sc->rlayer.rrl)) {
514                     /* no read-ahead left? */
515                     BIO *bio;
516 
517                     sc->rwstate = SSL_READING;
518                     bio = SSL_get_rbio(s);
519                     BIO_clear_retry_flags(bio);
520                     BIO_set_retry_read(bio);
521                     return -1;
522                 }
523             }
524             goto start;
525         }
526 
527         /*
528          * To get here we must be trying to read app data but found handshake
529          * data. But if we're trying to read app data, and we're not in init
530          * (which is tested for at the top of this function) then init must be
531          * finished
532          */
533         if (!ossl_assert(SSL_is_init_finished(s))) {
534             SSLfatal(sc, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
535             return -1;
536         }
537 
538         /* We found handshake data, so we're going back into init */
539         ossl_statem_set_in_init(sc, 1);
540 
541         i = sc->handshake_func(s);
542         /* SSLfatal() called if appropriate */
543         if (i < 0)
544             return i;
545         if (i == 0)
546             return -1;
547 
548         if (!(sc->mode & SSL_MODE_AUTO_RETRY)) {
549             if (!sc->rlayer.rrlmethod->unprocessed_read_pending(sc->rlayer.rrl)) {
550                 /* no read-ahead left? */
551                 BIO *bio;
552                 /*
553                  * In the case where we try to read application data, but we
554                  * trigger an SSL handshake, we return -1 with the retry
555                  * option set.  Otherwise renegotiation may cause nasty
556                  * problems in the blocking world
557                  */
558                 sc->rwstate = SSL_READING;
559                 bio = SSL_get_rbio(s);
560                 BIO_clear_retry_flags(bio);
561                 BIO_set_retry_read(bio);
562                 return -1;
563             }
564         }
565         goto start;
566     }
567 
568     switch (rr->type) {
569     default:
570         SSLfatal(sc, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_RECORD);
571         return -1;
572     case SSL3_RT_CHANGE_CIPHER_SPEC:
573     case SSL3_RT_ALERT:
574     case SSL3_RT_HANDSHAKE:
575         /*
576          * we already handled all of these, with the possible exception of
577          * SSL3_RT_HANDSHAKE when ossl_statem_get_in_handshake(s) is true, but
578          * that should not happen when type != rr->type
579          */
580         SSLfatal(sc, SSL_AD_UNEXPECTED_MESSAGE, ERR_R_INTERNAL_ERROR);
581         return -1;
582     case SSL3_RT_APPLICATION_DATA:
583         /*
584          * At this point, we were expecting handshake data, but have
585          * application data.  If the library was running inside ssl3_read()
586          * (i.e. in_read_app_data is set) and it makes sense to read
587          * application data at this point (session renegotiation not yet
588          * started), we will indulge it.
589          */
590         if (sc->s3.in_read_app_data &&
591             (sc->s3.total_renegotiations != 0) &&
592             ossl_statem_app_data_allowed(sc)) {
593             sc->s3.in_read_app_data = 2;
594             return -1;
595         } else {
596             SSLfatal(sc, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_RECORD);
597             return -1;
598         }
599     }
600     /* not reached */
601 }
602 
603 /*
604  * Call this to write data in records of type 'type' It will return <= 0 if
605  * not all data has been sent or non-blocking IO.
606  */
dtls1_write_bytes(SSL_CONNECTION * s,uint8_t type,const void * buf,size_t len,size_t * written)607 int dtls1_write_bytes(SSL_CONNECTION *s, uint8_t type, const void *buf,
608                       size_t len, size_t *written)
609 {
610     int i;
611 
612     if (!ossl_assert(len <= SSL3_RT_MAX_PLAIN_LENGTH)) {
613         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
614         return -1;
615     }
616     s->rwstate = SSL_NOTHING;
617     i = do_dtls1_write(s, type, buf, len, written);
618     return i;
619 }
620 
do_dtls1_write(SSL_CONNECTION * sc,uint8_t type,const unsigned char * buf,size_t len,size_t * written)621 int do_dtls1_write(SSL_CONNECTION *sc, uint8_t type, const unsigned char *buf,
622                    size_t len, size_t *written)
623 {
624     int i;
625     OSSL_RECORD_TEMPLATE tmpl;
626     SSL *s = SSL_CONNECTION_GET_SSL(sc);
627     int ret;
628 
629     /* If we have an alert to send, lets send it */
630     if (sc->s3.alert_dispatch > 0) {
631         i = s->method->ssl_dispatch_alert(s);
632         if (i <= 0)
633             return i;
634         /* if it went, fall through and send more stuff */
635     }
636 
637     if (len == 0)
638         return 0;
639 
640     if (len > ssl_get_max_send_fragment(sc)) {
641         SSLfatal(sc, SSL_AD_INTERNAL_ERROR, SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE);
642         return 0;
643     }
644 
645     tmpl.type = type;
646     /*
647      * Special case: for hello verify request, client version 1.0 and we
648      * haven't decided which version to use yet send back using version 1.0
649      * header: otherwise some clients will ignore it.
650      */
651     if (s->method->version == DTLS_ANY_VERSION
652             && sc->max_proto_version != DTLS1_BAD_VER)
653         tmpl.version = DTLS1_VERSION;
654     else
655         tmpl.version = sc->version;
656     tmpl.buf = buf;
657     tmpl.buflen = len;
658 
659     ret = HANDLE_RLAYER_WRITE_RETURN(sc,
660               sc->rlayer.wrlmethod->write_records(sc->rlayer.wrl, &tmpl, 1));
661 
662     if (ret > 0)
663         *written = (int)len;
664 
665     return ret;
666 }
667 
dtls1_increment_epoch(SSL_CONNECTION * s,int rw)668 void dtls1_increment_epoch(SSL_CONNECTION *s, int rw)
669 {
670     if (rw & SSL3_CC_READ) {
671         s->rlayer.d->r_epoch++;
672 
673         /*
674          * We must not use any buffered messages received from the previous
675          * epoch
676          */
677         dtls1_clear_received_buffer(s);
678     } else {
679         s->rlayer.d->w_epoch++;
680     }
681 }
682 
dtls1_get_epoch(SSL_CONNECTION * s,int rw)683 uint16_t dtls1_get_epoch(SSL_CONNECTION *s, int rw) {
684     uint16_t epoch;
685 
686     if (rw & SSL3_CC_READ)
687         epoch = s->rlayer.d->r_epoch;
688     else
689         epoch = s->rlayer.d->w_epoch;
690 
691     return epoch;
692 }
693