/* This Source Code Form is subject to the terms of the Mozilla Public

 * License, v. 2.0. If a copy of the MPL was not distributed with this

 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/*

 * DTLS Protocol

 */

#include "ssl.h"

#include "sslimpl.h"

#include "sslproto.h"

#ifndef PR_ARRAY_SIZE

#define PR_ARRAY_SIZE(a) (sizeof(a)/sizeof((a)[0]))

#endif

static SECStatus dtls_TransmitMessageFlight(sslSocket *ss);

static void dtls_RetransmitTimerExpiredCb(sslSocket *ss);

static SECStatus dtls_SendSavedWriteData(sslSocket *ss);

/* -28 adjusts for the IP/UDP header */

static const PRUint16 COMMON_MTU_VALUES[] = {

    1500 - 28,  /* Ethernet MTU */

    1280 - 28,  /* IPv6 minimum MTU */

    576 - 28,   /* Common assumption */

    256 - 28    /* We're in serious trouble now */

};

#define DTLS_COOKIE_BYTES 32

/* List copied from ssl3con.c:cipherSuites */

static const ssl3CipherSuite nonDTLSSuites[] = {

#ifndef NSS_DISABLE_ECC

    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,

    TLS_ECDHE_RSA_WITH_RC4_128_SHA,

#endif /* NSS_DISABLE_ECC */

    TLS_DHE_DSS_WITH_RC4_128_SHA,

#ifndef NSS_DISABLE_ECC

    TLS_ECDH_RSA_WITH_RC4_128_SHA,

    TLS_ECDH_ECDSA_WITH_RC4_128_SHA,

#endif /* NSS_DISABLE_ECC */

    TLS_RSA_WITH_RC4_128_MD5,

    TLS_RSA_WITH_RC4_128_SHA,

    TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,

    TLS_RSA_EXPORT_WITH_RC4_40_MD5,

    0 /* End of list marker */

};

/* Map back and forth between TLS and DTLS versions in wire format.

 * Mapping table is:

 *

 * TLS             DTLS

 * 1.1 (0302)      1.0 (feff)

 * 1.2 (0303)      1.2 (fefd)

 * 1.3 (0304)      1.3 (fefc)

 */

SSL3ProtocolVersion

dtls_TLSVersionToDTLSVersion(SSL3ProtocolVersion tlsv)

{

    if (tlsv == SSL_LIBRARY_VERSION_TLS_1_1) {

        return SSL_LIBRARY_VERSION_DTLS_1_0_WIRE;

    }

    if (tlsv == SSL_LIBRARY_VERSION_TLS_1_2) {

        return SSL_LIBRARY_VERSION_DTLS_1_2_WIRE;

    }

    if (tlsv == SSL_LIBRARY_VERSION_TLS_1_3) {

        return SSL_LIBRARY_VERSION_DTLS_1_3_WIRE;

    }

    /* Anything other than TLS 1.1 or 1.2 is an error, so return

     * the invalid version 0xffff. */

    return 0xffff;

}

/* Map known DTLS versions to known TLS versions.

 * - Invalid versions (< 1.0) return a version of 0

 * - Versions > known return a version one higher than we know of

 * to accomodate a theoretically newer version */

SSL3ProtocolVersion

dtls_DTLSVersionToTLSVersion(SSL3ProtocolVersion dtlsv)

{

    if (MSB(dtlsv) == 0xff) {

        return 0;

    }

    if (dtlsv == SSL_LIBRARY_VERSION_DTLS_1_0_WIRE) {

        return SSL_LIBRARY_VERSION_TLS_1_1;

    }

    if (dtlsv == SSL_LIBRARY_VERSION_DTLS_1_2_WIRE) {

        return SSL_LIBRARY_VERSION_TLS_1_2;

    }

    if (dtlsv == SSL_LIBRARY_VERSION_DTLS_1_3_WIRE) {

        return SSL_LIBRARY_VERSION_TLS_1_3;

    }

    /* Return a fictional higher version than we know of */

    return SSL_LIBRARY_VERSION_TLS_1_2 + 1;

}

/* On this socket, Disable non-DTLS cipher suites in the argument's list */

SECStatus

ssl3_DisableNonDTLSSuites(sslSocket * ss)

{

    const ssl3CipherSuite * suite;

    for (suite = nonDTLSSuites; *suite; ++suite) {

        SECStatus rv = ssl3_CipherPrefSet(ss, *suite, PR_FALSE);

        PORT_Assert(rv == SECSuccess); /* else is coding error */

    }

    return SECSuccess;

}

/* Allocate a DTLSQueuedMessage.

 *

 * Called from dtls_QueueMessage()

 */

static DTLSQueuedMessage *

dtls_AllocQueuedMessage(PRUint16 epoch, SSL3ContentType type,

                        const unsigned char *data, PRUint32 len)

{

    DTLSQueuedMessage *msg = NULL;

    msg = PORT_ZAlloc(sizeof(DTLSQueuedMessage));

    if (!msg)

        return NULL;

    msg->data = PORT_Alloc(len);

    if (!msg->data) {

        PORT_Free(msg);

        return NULL;

    }

    PORT_Memcpy(msg->data, data, len);

    msg->len = len;

    msg->epoch = epoch;

    msg->type = type;

    return msg;

}

/*

 * Free a handshake message

 *

 * Called from dtls_FreeHandshakeMessages()

 */

static void

dtls_FreeHandshakeMessage(DTLSQueuedMessage *msg)

{

    if (!msg)

        return;

    PORT_ZFree(msg->data, msg->len);

    PORT_Free(msg);

}

/*

 * Free a list of handshake messages

 *

 * Called from:

 *              dtls_HandleHandshake()

 *              ssl3_DestroySSL3Info()

 */

void

dtls_FreeHandshakeMessages(PRCList *list)

{

    PRCList *cur_p;

    while (!PR_CLIST_IS_EMPTY(list)) {

        cur_p = PR_LIST_TAIL(list);

        PR_REMOVE_LINK(cur_p);

        dtls_FreeHandshakeMessage((DTLSQueuedMessage *)cur_p);

    }

}

/* Called only from ssl3_HandleRecord, for each (deciphered) DTLS record.

 * origBuf is the decrypted ssl record content and is expected to contain

 * complete handshake records

 * Caller must hold the handshake and RecvBuf locks.

 *

 * Note that this code uses msg_len for two purposes:

 *

 * (1) To pass the length to ssl3_HandleHandshakeMessage()

 * (2) To carry the length of a message currently being reassembled

 *

 * However, unlike ssl3_HandleHandshake(), it is not used to carry

 * the state of reassembly (i.e., whether one is in progress). That

 * is carried in recvdHighWater and recvdFragments.

 */

#define OFFSET_BYTE(o) (o/8)

#define OFFSET_MASK(o) (1 << (o%8))

SECStatus

dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)

{

    /* XXX OK for now.

     * This doesn't work properly with asynchronous certificate validation.

     * because that returns a WOULDBLOCK error. The current DTLS

     * applications do not need asynchronous validation, but in the

     * future we will need to add this.

     */

    sslBuffer buf = *origBuf;

    SECStatus rv = SECSuccess;

    PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));

    PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));

    while (buf.len > 0) {

        PRUint8 type;

        PRUint32 message_length;

        PRUint16 message_seq;

        PRUint32 fragment_offset;

        PRUint32 fragment_length;

        PRUint32 offset;

        if (buf.len < 12) {

            PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE);

            rv = SECFailure;

            break;

        }

        /* Parse the header */

        type = buf.buf[0];

        message_length = (buf.buf[1] << 16) | (buf.buf[2] << 8) | buf.buf[3];

        message_seq = (buf.buf[4] << 8) | buf.buf[5];

        fragment_offset = (buf.buf[6] << 16) | (buf.buf[7] << 8) | buf.buf[8];

        fragment_length = (buf.buf[9] << 16) | (buf.buf[10] << 8) | buf.buf[11];

#define MAX_HANDSHAKE_MSG_LEN 0x1ffff   /* 128k - 1 */

        if (message_length > MAX_HANDSHAKE_MSG_LEN) {

            (void)ssl3_DecodeError(ss);

            PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE);

            return SECFailure;

        }

#undef MAX_HANDSHAKE_MSG_LEN

        buf.buf += 12;

        buf.len -= 12;

        /* This fragment must be complete */

        if (buf.len < fragment_length) {

            PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE);

            rv = SECFailure;

            break;

        }

        /* Sanity check the packet contents */

        if ((fragment_length + fragment_offset) > message_length) {

            PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE);

            rv = SECFailure;

            break;

        }

        /* There are three ways we could not be ready for this packet.

         *

         * 1. It's a partial next message.

         * 2. It's a partial or complete message beyond the next

         * 3. It's a message we've already seen

         *

         * If it's the complete next message we accept it right away.

         * This is the common case for short messages

         */

        if ((message_seq == ss->ssl3.hs.recvMessageSeq)

            && (fragment_offset == 0)

            && (fragment_length == message_length)) {

            /* Complete next message. Process immediately */

            ss->ssl3.hs.msg_type = (SSL3HandshakeType)type;

            ss->ssl3.hs.msg_len = message_length;

            /* At this point we are advancing our state machine, so

             * we can free our last flight of messages */

            dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight);

            ss->ssl3.hs.recvdHighWater = -1;

            dtls_CancelTimer(ss);

            /* Reset the timer to the initial value if the retry counter

             * is 0, per Sec. 4.2.4.1 */

            if (ss->ssl3.hs.rtRetries == 0) {

                ss->ssl3.hs.rtTimeoutMs = INITIAL_DTLS_TIMEOUT_MS;

            }

            rv = ssl3_HandleHandshakeMessage(ss, buf.buf, ss->ssl3.hs.msg_len);

            if (rv == SECFailure) {

                /* Do not attempt to process rest of messages in this record */

                break;

            }

        } else {

            if (message_seq < ss->ssl3.hs.recvMessageSeq) {

                /* Case 3: we do an immediate retransmit if we're

                 * in a waiting state*/

                if (ss->ssl3.hs.rtTimerCb == NULL) {

                    /* Ignore */

                } else if (ss->ssl3.hs.rtTimerCb ==

                         dtls_RetransmitTimerExpiredCb) {

                    SSL_TRC(30, ("%d: SSL3[%d]: Retransmit detected",

                                 SSL_GETPID(), ss->fd));

                    /* Check to see if we retransmitted recently. If so,

                     * suppress the triggered retransmit. This avoids

                     * retransmit wars after packet loss.

                     * This is not in RFC 5346 but should be

                     */

                    if ((PR_IntervalNow() - ss->ssl3.hs.rtTimerStarted) >

                        (ss->ssl3.hs.rtTimeoutMs / 4)) {

                            SSL_TRC(30,

                            ("%d: SSL3[%d]: Shortcutting retransmit timer",

                            SSL_GETPID(), ss->fd));

                            /* Cancel the timer and call the CB,

                             * which re-arms the timer */

                            dtls_CancelTimer(ss);

                            dtls_RetransmitTimerExpiredCb(ss);

                            rv = SECSuccess;

                            break;

                        } else {

                            SSL_TRC(30,

                            ("%d: SSL3[%d]: We just retransmitted. Ignoring.",

                            SSL_GETPID(), ss->fd));

                            rv = SECSuccess;

                            break;

                        }

                } else if (ss->ssl3.hs.rtTimerCb == dtls_FinishedTimerCb) {

                    /* Retransmit the messages and re-arm the timer

                     * Note that we are not backing off the timer here.

                     * The spec isn't clear and my reasoning is that this

                     * may be a re-ordered packet rather than slowness,

                     * so let's be aggressive. */

                    dtls_CancelTimer(ss);

                    rv = dtls_TransmitMessageFlight(ss);

                    if (rv == SECSuccess) {

                        rv = dtls_StartTimer(ss, dtls_FinishedTimerCb);

                    }

                    if (rv != SECSuccess)

                        return rv;

                    break;

                }

            } else if (message_seq > ss->ssl3.hs.recvMessageSeq) {

                /* Case 2

                 *

                 * Ignore this message. This means we don't handle out of

                 * order complete messages that well, but we're still

                 * compliant and this probably does not happen often

                 *

                 * XXX OK for now. Maybe do something smarter at some point?

                 */

            } else {

                /* Case 1

                 *

                 * Buffer the fragment for reassembly

                 */

                /* Make room for the message */

                if (ss->ssl3.hs.recvdHighWater == -1) {

                    PRUint32 map_length = OFFSET_BYTE(message_length) + 1;

                    rv = sslBuffer_Grow(&ss->ssl3.hs.msg_body, message_length);

                    if (rv != SECSuccess)

                        break;

                    /* Make room for the fragment map */

                    rv = sslBuffer_Grow(&ss->ssl3.hs.recvdFragments,

                                        map_length);

                    if (rv != SECSuccess)

                        break;

                    /* Reset the reassembly map */

                    ss->ssl3.hs.recvdHighWater = 0;

                    PORT_Memset(ss->ssl3.hs.recvdFragments.buf, 0,

                                ss->ssl3.hs.recvdFragments.space);

                    ss->ssl3.hs.msg_type = (SSL3HandshakeType)type;

                    ss->ssl3.hs.msg_len = message_length;

                }

                /* If we have a message length mismatch, abandon the reassembly

                 * in progress and hope that the next retransmit will give us

                 * something sane

                 */

                if (message_length != ss->ssl3.hs.msg_len) {

                    ss->ssl3.hs.recvdHighWater = -1;

                    PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE);

                    rv = SECFailure;

                    break;

                }

                /* Now copy this fragment into the buffer */

                PORT_Assert((fragment_offset + fragment_length) <=

                            ss->ssl3.hs.msg_body.space);

                PORT_Memcpy(ss->ssl3.hs.msg_body.buf + fragment_offset,

                            buf.buf, fragment_length);

                /* This logic is a bit tricky. We have two values for

                 * reassembly state:

                 *

                 * - recvdHighWater contains the highest contiguous number of

                 *   bytes received

                 * - recvdFragments contains a bitmask of packets received

                 *   above recvdHighWater

                 *

                 * This avoids having to fill in the bitmask in the common

                 * case of adjacent fragments received in sequence

                 */

                if (fragment_offset <= ss->ssl3.hs.recvdHighWater) {

                    /* Either this is the adjacent fragment or an overlapping

                     * fragment */

                    ss->ssl3.hs.recvdHighWater = fragment_offset +

                                                 fragment_length;

                } else {

                    for (offset = fragment_offset;

                         offset < fragment_offset + fragment_length;

                         offset++) {

                        ss->ssl3.hs.recvdFragments.buf[OFFSET_BYTE(offset)] |=

                            OFFSET_MASK(offset);

                    }

                }

                /* Now figure out the new high water mark if appropriate */

                for (offset = ss->ssl3.hs.recvdHighWater;

                     offset < ss->ssl3.hs.msg_len; offset++) {

                    /* Note that this loop is not efficient, since it counts

                     * bit by bit. If we have a lot of out-of-order packets,

                     * we should optimize this */

                    if (ss->ssl3.hs.recvdFragments.buf[OFFSET_BYTE(offset)] &

                        OFFSET_MASK(offset)) {

                        ss->ssl3.hs.recvdHighWater++;

                    } else {

                        break;

                    }

                }

                /* If we have all the bytes, then we are good to go */

                if (ss->ssl3.hs.recvdHighWater == ss->ssl3.hs.msg_len) {

                    ss->ssl3.hs.recvdHighWater = -1;

                    rv = ssl3_HandleHandshakeMessage(ss,

                                                     ss->ssl3.hs.msg_body.buf,

                                                     ss->ssl3.hs.msg_len);

                    if (rv == SECFailure)

                        break; /* Skip rest of record */

                    /* At this point we are advancing our state machine, so

                     * we can free our last flight of messages */

                    dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight);

                    dtls_CancelTimer(ss);

                    /* If there have been no retries this time, reset the

                     * timer value to the default per Section 4.2.4.1 */

                    if (ss->ssl3.hs.rtRetries == 0) {

                        ss->ssl3.hs.rtTimeoutMs = INITIAL_DTLS_TIMEOUT_MS;

                    }

                }

            }

        }

        buf.buf += fragment_length;

        buf.len -= fragment_length;

    }

    origBuf->len = 0;   /* So ssl3_GatherAppDataRecord will keep looping. */

    /* XXX OK for now. In future handle rv == SECWouldBlock safely in order

     * to deal with asynchronous certificate verification */

    return rv;

}

/* Enqueue a message (either handshake or CCS)

 *

 * Called from:

 *              dtls_StageHandshakeMessage()

 *              ssl3_SendChangeCipherSpecs()

 */

SECStatus dtls_QueueMessage(sslSocket *ss, SSL3ContentType type,

    const SSL3Opaque *pIn, PRInt32 nIn)

{

    SECStatus rv = SECSuccess;

    DTLSQueuedMessage *msg = NULL;

    PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));

    PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));

    msg = dtls_AllocQueuedMessage(ss->ssl3.cwSpec->epoch, type, pIn, nIn);

    if (!msg) {

        PORT_SetError(SEC_ERROR_NO_MEMORY);

        rv = SECFailure;

    } else {

        PR_APPEND_LINK(&msg->link, &ss->ssl3.hs.lastMessageFlight);

    }

    return rv;

}

/* Add DTLS handshake message to the pending queue

 * Empty the sendBuf buffer.

 * This function returns SECSuccess or SECFailure, never SECWouldBlock.

 * Always set sendBuf.len to 0, even when returning SECFailure.

 *

 * Called from:

 *              ssl3_AppendHandshakeHeader()

 *              dtls_FlushHandshake()

 */

SECStatus

dtls_StageHandshakeMessage(sslSocket *ss)

{

    SECStatus rv = SECSuccess;

    PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));

    PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));

    /* This function is sometimes called when no data is actually to

     * be staged, so just return SECSuccess. */

    if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len)

        return rv;

    rv = dtls_QueueMessage(ss, content_handshake,

                           ss->sec.ci.sendBuf.buf, ss->sec.ci.sendBuf.len);

    /* Whether we succeeded or failed, toss the old handshake data. */

    ss->sec.ci.sendBuf.len = 0;

    return rv;

}

/* Enqueue the handshake message in sendBuf (if any) and then

 * transmit the resulting flight of handshake messages.

 *

 * Called from:

 *              ssl3_FlushHandshake()

 */

SECStatus

dtls_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags)

{

    SECStatus rv = SECSuccess;

    PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));

    PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));

    rv = dtls_StageHandshakeMessage(ss);

    if (rv != SECSuccess)

        return rv;

    if (!(flags & ssl_SEND_FLAG_FORCE_INTO_BUFFER)) {

        rv = dtls_TransmitMessageFlight(ss);

        if (rv != SECSuccess)

            return rv;

        if (!(flags & ssl_SEND_FLAG_NO_RETRANSMIT)) {

            ss->ssl3.hs.rtRetries = 0;

            rv = dtls_StartTimer(ss, dtls_RetransmitTimerExpiredCb);

        }

    }

    return rv;

}

/* The callback for when the retransmit timer expires

 *

 * Called from:

 *              dtls_CheckTimer()

 *              dtls_HandleHandshake()

 */

static void

dtls_RetransmitTimerExpiredCb(sslSocket *ss)

{

    SECStatus rv = SECFailure;

    ss->ssl3.hs.rtRetries++;

    if (!(ss->ssl3.hs.rtRetries % 3)) {

        /* If one of the messages was potentially greater than > MTU,

         * then downgrade. Do this every time we have retransmitted a

         * message twice, per RFC 6347 Sec. 4.1.1 */

        dtls_SetMTU(ss, ss->ssl3.hs.maxMessageSent - 1);

    }

    rv = dtls_TransmitMessageFlight(ss);

    if (rv == SECSuccess) {

        /* Re-arm the timer */

        rv = dtls_RestartTimer(ss, PR_TRUE, dtls_RetransmitTimerExpiredCb);

    }

    if (rv == SECFailure) {

        /* XXX OK for now. In future maybe signal the stack that we couldn't

         * transmit. For now, let the read handle any real network errors */

    }

}

/* Transmit a flight of handshake messages, stuffing them

 * into as few records as seems reasonable

 *

 * Called from:

 *             dtls_FlushHandshake()

 *             dtls_RetransmitTimerExpiredCb()

 */

static SECStatus

dtls_TransmitMessageFlight(sslSocket *ss)

{

    SECStatus rv = SECSuccess;

    PRCList *msg_p;

    PRUint16 room_left = ss->ssl3.mtu;

    PRInt32 sent;

    ssl_GetXmitBufLock(ss);

    ssl_GetSpecReadLock(ss);

    /* DTLS does not buffer its handshake messages in

     * ss->pendingBuf, but rather in the lastMessageFlight

     * structure. This is just a sanity check that

     * some programming error hasn't inadvertantly

     * stuffed something in ss->pendingBuf

     */

    PORT_Assert(!ss->pendingBuf.len);

    for (msg_p = PR_LIST_HEAD(&ss->ssl3.hs.lastMessageFlight);

         msg_p != &ss->ssl3.hs.lastMessageFlight;

         msg_p = PR_NEXT_LINK(msg_p)) {

        DTLSQueuedMessage *msg = (DTLSQueuedMessage *)msg_p;

        /* The logic here is:

         *

         * 1. If this is a message that will not fit into the remaining

         *    space, then flush.

         * 2. If the message will now fit into the remaining space,

         *    encrypt, buffer, and loop.

         * 3. If the message will not fit, then fragment.

         *

         * At the end of the function, flush.

         */

        if ((msg->len + SSL3_BUFFER_FUDGE) > room_left) {

            /* The message will not fit into the remaining space, so flush */

            rv = dtls_SendSavedWriteData(ss);

            if (rv != SECSuccess)

                break;

            room_left = ss->ssl3.mtu;

        }

        if ((msg->len + SSL3_BUFFER_FUDGE) <= room_left) {

            /* The message will fit, so encrypt and then continue with the

             * next packet */

            sent = ssl3_SendRecord(ss, msg->epoch, msg->type,

                                   msg->data, msg->len,

                                   ssl_SEND_FLAG_FORCE_INTO_BUFFER |

                                   ssl_SEND_FLAG_USE_EPOCH);

            if (sent != msg->len) {

                rv = SECFailure;

                if (sent != -1) {

                    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);

                }

                break;

            }

            room_left = ss->ssl3.mtu - ss->pendingBuf.len;

        } else {

            /* The message will not fit, so fragment.

             *

             * XXX OK for now. Arrange to coalesce the last fragment

             * of this message with the next message if possible.

             * That would be more efficient.

             */

            PRUint32 fragment_offset = 0;

            unsigned char fragment[DTLS_MAX_MTU]; /* >= than largest

                                                   * plausible MTU */

            /* Assert that we have already flushed */

            PORT_Assert(room_left == ss->ssl3.mtu);

            /* Case 3: We now need to fragment this message

             * DTLS only supports fragmenting handshaking messages */

            PORT_Assert(msg->type == content_handshake);

            /* The headers consume 12 bytes so the smalles possible

             *  message (i.e., an empty one) is 12 bytes

             */

            PORT_Assert(msg->len >= 12);

            while ((fragment_offset + 12) < msg->len) {

                PRUint32 fragment_len;

                const unsigned char *content = msg->data + 12;

                PRUint32 content_len = msg->len - 12;

                /* The reason we use 8 here is that that's the length of

                 * the new DTLS data that we add to the header */

                fragment_len = PR_MIN(room_left - (SSL3_BUFFER_FUDGE + 8),

                                      content_len - fragment_offset);

                PORT_Assert(fragment_len < DTLS_MAX_MTU - 12);

                /* Make totally sure that we are within the buffer.

                 * Note that the only way that fragment len could get

                 * adjusted here is if

                 *

                 * (a) we are in release mode so the PORT_Assert is compiled out

                 * (b) either the MTU table is inconsistent with DTLS_MAX_MTU

                 * or ss->ssl3.mtu has become corrupt.

                 */

                fragment_len = PR_MIN(fragment_len, DTLS_MAX_MTU - 12);

                /* Construct an appropriate-sized fragment */

                /* Type, length, sequence */

                PORT_Memcpy(fragment, msg->data, 6);

                /* Offset */

                fragment[6] = (fragment_offset >> 16) & 0xff;

                fragment[7] = (fragment_offset >> 8) & 0xff;

                fragment[8] = (fragment_offset) & 0xff;

                /* Fragment length */

                fragment[9] = (fragment_len >> 16) & 0xff;

                fragment[10] = (fragment_len >> 8) & 0xff;

                fragment[11] = (fragment_len) & 0xff;

                PORT_Memcpy(fragment + 12, content + fragment_offset,

                            fragment_len);

                /*

                 *  Send the record. We do this in two stages

                 * 1. Encrypt

                 */

                sent = ssl3_SendRecord(ss, msg->epoch, msg->type,

                                       fragment, fragment_len + 12,

                                       ssl_SEND_FLAG_FORCE_INTO_BUFFER |

                                       ssl_SEND_FLAG_USE_EPOCH);

                if (sent != (fragment_len + 12)) {

                    rv = SECFailure;

                    if (sent != -1) {

                        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);

                    }

                    break;

                }

                /* 2. Flush */

                rv = dtls_SendSavedWriteData(ss);

                if (rv != SECSuccess)

                    break;

                fragment_offset += fragment_len;

            }

        }

    }

    /* Finally, we need to flush */

    if (rv == SECSuccess)

        rv = dtls_SendSavedWriteData(ss);

    /* Give up the locks */

    ssl_ReleaseSpecReadLock(ss);

    ssl_ReleaseXmitBufLock(ss);

    return rv;

}

/* Flush the data in the pendingBuf and update the max message sent

 * so we can adjust the MTU estimate if we need to.

 * Wrapper for ssl_SendSavedWriteData.

 *

 * Called from dtls_TransmitMessageFlight()

 */

static

SECStatus dtls_SendSavedWriteData(sslSocket *ss)

{

    PRInt32 sent;

    sent = ssl_SendSavedWriteData(ss);

    if (sent < 0)

        return SECFailure;

    /* We should always have complete writes b/c datagram sockets

     * don't really block */

    if (ss->pendingBuf.len > 0) {

        ssl_MapLowLevelError(SSL_ERROR_SOCKET_WRITE_FAILURE);

        return SECFailure;

    }

    /* Update the largest message sent so we can adjust the MTU

     * estimate if necessary */

    if (sent > ss->ssl3.hs.maxMessageSent)

        ss->ssl3.hs.maxMessageSent = sent;

    return SECSuccess;

}

/* Compress, MAC, encrypt a DTLS record. Allows specification of

 * the epoch using epoch value. If use_epoch is PR_TRUE then

 * we use the provided epoch. If use_epoch is PR_FALSE then

 * whatever the current value is in effect is used.

 *

 * Called from ssl3_SendRecord()

 */

SECStatus

dtls_CompressMACEncryptRecord(sslSocket *        ss,

                              DTLSEpoch          epoch,

                              PRBool             use_epoch,

                              SSL3ContentType    type,

                              const SSL3Opaque * pIn,

                              PRUint32           contentLen,

                              sslBuffer        * wrBuf)

{

    SECStatus rv = SECFailure;

    ssl3CipherSpec *          cwSpec;

    ssl_GetSpecReadLock(ss);    /********************************/

    /* The reason for this switch-hitting code is that we might have

     * a flight of records spanning an epoch boundary, e.g.,

     *

     * ClientKeyExchange (epoch = 0)

     * ChangeCipherSpec (epoch = 0)

     * Finished (epoch = 1)

     *

     * Thus, each record needs a different cipher spec. The information

     * about which epoch to use is carried with the record.

     */

    if (use_epoch) {

        if (ss->ssl3.cwSpec->epoch == epoch)

            cwSpec = ss->ssl3.cwSpec;

        else if (ss->ssl3.pwSpec->epoch == epoch)

            cwSpec = ss->ssl3.pwSpec;

        else

            cwSpec = NULL;

    } else {

        cwSpec = ss->ssl3.cwSpec;

    }

    if (cwSpec) {

        rv = ssl3_CompressMACEncryptRecord(cwSpec, ss->sec.isServer, PR_TRUE,

                                           PR_FALSE, type, pIn, contentLen,

                                           wrBuf);

    } else {

        PR_NOT_REACHED("Couldn't find a cipher spec matching epoch");

        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);

    }

    ssl_ReleaseSpecReadLock(ss); /************************************/

    return rv;

}

/* Start a timer

 *

 * Called from:

 *             dtls_HandleHandshake()

 *             dtls_FlushHAndshake()

 *             dtls_RestartTimer()

 */

SECStatus

dtls_StartTimer(sslSocket *ss, DTLSTimerCb cb)

{

    PORT_Assert(ss->ssl3.hs.rtTimerCb == NULL);

    ss->ssl3.hs.rtTimerStarted = PR_IntervalNow();

    ss->ssl3.hs.rtTimerCb = cb;

    return SECSuccess;

}

/* Restart a timer with optional backoff

 *

 * Called from dtls_RetransmitTimerExpiredCb()

 */

SECStatus

dtls_RestartTimer(sslSocket *ss, PRBool backoff, DTLSTimerCb cb)

{

    if (backoff) {

        ss->ssl3.hs.rtTimeoutMs *= 2;

        if (ss->ssl3.hs.rtTimeoutMs > MAX_DTLS_TIMEOUT_MS)

            ss->ssl3.hs.rtTimeoutMs = MAX_DTLS_TIMEOUT_MS;

    }

    return dtls_StartTimer(ss, cb);

}

/* Cancel a pending timer

 *

 * Called from:

 *              dtls_HandleHandshake()

 *              dtls_CheckTimer()

 */

void

dtls_CancelTimer(sslSocket *ss)

{

    PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));

    ss->ssl3.hs.rtTimerCb = NULL;

}

/* Check the pending timer and fire the callback if it expired