Diffstat (limited to 'lib/ssl/src/dtls_connection.erl')
-rw-r--r-- | lib/ssl/src/dtls_connection.erl | 85 |
1 files changed, 65 insertions, 20 deletions
diff --git a/lib/ssl/src/dtls_connection.erl b/lib/ssl/src/dtls_connection.erl index 440607e99d..2de947d8b4 100644 --- a/lib/ssl/src/dtls_connection.erl +++ b/lib/ssl/src/dtls_connection.erl @@ -1,7 +1,7 @@ %% %% %CopyrightBegin% %% -%% Copyright Ericsson AB 2013-2016. All Rights Reserved. +%% Copyright Ericsson AB 2013-2017. All Rights Reserved. %% %% Licensed under the Apache License, Version 2.0 (the "License"); %% you may not use this file except in compliance with the License. @@ -53,7 +53,7 @@ %% Data handling -export([encode_data/3, passive_receive/2, next_record_if_active/1, handle_common_event/4, - send/3, socket/5]). + send/3, socket/5, setopts/3, getopts/3]). %% gen_statem state functions -export([init/3, error/3, downgrade/3, %% Initiation and take down states @@ -203,6 +203,11 @@ select_sni_extension(_) -> socket(Pid, Transport, Socket, Connection, _) -> dtls_socket:socket(Pid, Transport, Socket, Connection). +setopts(Transport, Socket, Other) -> + dtls_socket:setopts(Transport, Socket, Other). +getopts(Transport, Socket, Tag) -> + dtls_socket:getopts(Transport, Socket, Tag). + %%==================================================================== %% tls_connection_sup API %%==================================================================== @@ -250,7 +255,7 @@ init({call, From}, {start, Timeout}, Cache, CacheCb, Renegotiation, Cert), Version = Hello#client_hello.client_version, - HelloVersion = dtls_record:lowest_protocol_version(SslOpts#ssl_options.versions), + HelloVersion = dtls_record:hello_version(Version, SslOpts#ssl_options.versions), State1 = prepare_flight(State0#state{negotiated_version = Version}), {State2, Actions} = send_handshake(Hello, State1#state{negotiated_version = HelloVersion}), State3 = State2#state{negotiated_version = Version, %% Requested version 
@@ -688,16 +693,18 @@ next_record(#state{unprocessed_handshake_events = N} = State) when N > 0 -> {no_record, State#state{unprocessed_handshake_events = N-1}}; next_record(#state{protocol_buffers = - #protocol_buffers{dtls_cipher_texts = [CT | Rest]} + #protocol_buffers{dtls_cipher_texts = [#ssl_tls{epoch = Epoch} = CT | Rest]} = Buffers, - connection_states = ConnStates0} = State) -> - case dtls_record:decode_cipher_text(CT, ConnStates0) of - {Plain, ConnStates} -> - {Plain, State#state{protocol_buffers = - Buffers#protocol_buffers{dtls_cipher_texts = Rest}, - connection_states = ConnStates}}; - #alert{} = Alert -> - {Alert, State} + connection_states = ConnectionStates} = State) -> + CurrentRead = dtls_record:get_connection_state_by_epoch(Epoch, ConnectionStates, read), + case dtls_record:replay_detect(CT, CurrentRead) of + false -> + decode_cipher_text(State#state{connection_states = ConnectionStates}) ; + true -> + %% Ignore replayed record + next_record(State#state{protocol_buffers = + Buffers#protocol_buffers{dtls_cipher_texts = Rest}, + connection_states = ConnectionStates}) end; next_record(#state{role = server, socket = {Listener, {Client, _}}, 
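Review bot: The new `next_record` clause passes `Epoch` from the record header, before any authentication, straight to `dtls_record:get_connection_state_by_epoch/3`. Neither helper is visible here, so please confirm that an epoch with no stored read state (stale, future, or from an injected datagram, since DTLS runs over UDP) leads to a clean drop rather than a crash inside `replay_detect/2`. Matching only known epochs in the clause head, or adding an explicit not-found branch, would make that guarantee visible at this call site. Because the replay check runs before decryption, also confirm in `dtls_record` that the replay window is advanced only after `decode_cipher_text` has verified the record. As a style point, `State#state{connection_states = ConnectionStates}` rebinds the field to the value it was just matched from, so the `false` branch can be `decode_cipher_text(State)` and the `true` branch only needs the `protocol_buffers` update.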
@@ -743,31 +750,69 @@ next_event(connection = StateName, no_record, {#ssl_tls{epoch = Epoch, type = ?HANDSHAKE, version = _Version}, State1} = _Record when Epoch == CurrentEpoch-1 -> - {State, MoreActions} = send_handshake_flight(State1, Epoch), + {State, MoreActions} = send_handshake_flight(State1, CurrentEpoch), + {next_state, StateName, State, Actions ++ MoreActions}; + %% From FLIGHT perspective CHANGE_CIPHER_SPEC is treated as a handshake + {#ssl_tls{epoch = Epoch, + type = ?CHANGE_CIPHER_SPEC, + version = _Version}, State1} = _Record when Epoch == CurrentEpoch-1 -> + {State, MoreActions} = send_handshake_flight(State1, CurrentEpoch), {next_state, StateName, State, Actions ++ MoreActions}; {#ssl_tls{epoch = _Epoch, - version = _Version}, State} -> + version = _Version}, State1} -> %% TODO maybe buffer later epoch - {next_state, StateName, State, Actions}; + {Record, State} = next_record(State1), + next_event(StateName, Record, State, Actions); {#alert{} = Alert, State} -> {next_state, StateName, State, [{next_event, internal, Alert} | Actions]} end; +next_event(connection = StateName, Record, + #state{connection_states = #{current_read := #{epoch := CurrentEpoch}}} = State0, Actions) -> + case Record of + #ssl_tls{epoch = CurrentEpoch} -> + {next_state, StateName, State0, [{next_event, internal, {protocol_record, Record}} | Actions]}; + #ssl_tls{epoch = Epoch, + type = ?HANDSHAKE, + version = _Version} when Epoch == CurrentEpoch-1 -> + {State, MoreActions} = send_handshake_flight(State0, CurrentEpoch), + {next_state, StateName, State, Actions ++ MoreActions}; + %% From FLIGHT perspective CHANGE_CIPHER_SPEC is treated as a handshake + #ssl_tls{epoch = Epoch, + type = ?CHANGE_CIPHER_SPEC, + version = _Version} when Epoch == CurrentEpoch-1 -> + {State, MoreActions} = send_handshake_flight(State0, CurrentEpoch), + {next_state, StateName, State, Actions ++ MoreActions}; + _ -> + next_event(StateName, no_record, State0, Actions) + end; next_event(StateName, Record, 
- #state{connection_states = #{current_read := #{epoch := CurrentEpoch}}} = State, Actions) -> + #state{connection_states = #{current_read := #{epoch := CurrentEpoch}}} = State0, Actions) -> case Record of no_record -> - {next_state, StateName, State, Actions}; + {next_state, StateName, State0, Actions}; #ssl_tls{epoch = CurrentEpoch, version = Version} = Record -> {next_state, StateName, - dtls_version(StateName, Version, State), + dtls_version(StateName, Version, State0), [{next_event, internal, {protocol_record, Record}} | Actions]}; #ssl_tls{epoch = _Epoch, version = _Version} = _Record -> %% TODO maybe buffer later epoch - {next_state, StateName, State, Actions}; + {Record, State} = next_record(State0), + next_event(StateName, Record, State, Actions); #alert{} = Alert -> - {next_state, StateName, State, [{next_event, internal, Alert} | Actions]} + {next_state, StateName, State0, [{next_event, internal, Alert} | Actions]} + end. + +decode_cipher_text(#state{protocol_buffers = #protocol_buffers{dtls_cipher_texts = [ CT | Rest]} = Buffers, + connection_states = ConnStates0} = State) -> + case dtls_record:decode_cipher_text(CT, ConnStates0) of + {Plain, ConnStates} -> + {Plain, State#state{protocol_buffers = + Buffers#protocol_buffers{dtls_cipher_texts = Rest}, + connection_states = ConnStates}}; + #alert{} = Alert -> + {Alert, State} end. dtls_version(hello, Version, #state{role = server} = State) -> |
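Review bot: In the generic `next_event(StateName, Record, ...)` clause, the new line `{Record, State} = next_record(State0)` matches against `Record`, which is already bound in the function head. It therefore succeeds only when the next buffered record is identical to the one being discarded; any other result, including `no_record`, raises `badmatch` and terminates the connection process. Before this change an out-of-epoch record in this clause was ignored, so a single reordered or injected datagram with a non-current epoch during the handshake may now be enough to abort it. Bind a fresh name instead: `{NextRecord, State} = next_record(State0),` followed by `next_event(StateName, NextRecord, State, Actions);`. The same line in the `connection`/`no_record` clause appears safe because `Record` is not bound there, though that clause begins outside the hunk.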