fix SSLerr stuff for DTLS1 code;

move some functions from exported header <openssl/dtl1.h> into "ssl_locl.h"; fix silly indentation (a TAB is *not* always 4 spaces)
2005-04-26 18:08:00 +00:00 · 2005-04-26 18:08:00 +00:00 · beb056b303
commit beb056b303
parent 4e321ffaff
11 changed files with 223 additions and 161 deletions
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@ -324,8 +324,7 @@ int dtls1_do_write(SSL *s, int type)
 * Read an entire handshake message.  Handshake messages arrive in
 * fragments.
 */
-long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, 
+long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
 	int	*ok)
 	{
 	int i, al;
@ -337,7 +336,7 @@ long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max,
 		if ((mt >= 0) && (s->s3->tmp.message_type != mt))
 			{
 			al=SSL_AD_UNEXPECTED_MESSAGE;
-			SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_UNEXPECTED_MESSAGE);
+			SSLerr(SSL_F_DTLS1_GET_MESSAGE,SSL_R_UNEXPECTED_MESSAGE);
 			goto f_err;
 			}
 		*ok=1;
@ -488,7 +487,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st *msg_hdr, int *ok)
    if ( (int)msg_hdr->frag_len && !BUF_MEM_grow_clean(s->init_buf, 
             (int)msg_hdr->frag_len + DTLS1_HM_HEADER_LENGTH + s->init_num))
        {
-        SSLerr(SSL_F_SSL3_GET_MESSAGE,ERR_R_BUF_LIB);
+        SSLerr(SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE,ERR_R_BUF_LIB);
        goto err;
        }
@ -519,7 +518,7 @@ err:
    }
-static long 
+static long
 dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
 	{
 	unsigned char *p;
@ -573,7 +572,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
    if ( frag_off + frag_len > l)
        {
        al=SSL_AD_ILLEGAL_PARAMETER;
-        SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_EXCESSIVE_MESSAGE_SIZE);
+        SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_EXCESSIVE_MESSAGE_SIZE);
        goto f_err;
        }
@ -598,7 +597,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
        else /* Incorrectly formated Hello request */
            {
            al=SSL_AD_UNEXPECTED_MESSAGE;
-            SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_UNEXPECTED_MESSAGE);
+            SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_UNEXPECTED_MESSAGE);
            goto f_err;
            }
        }
@ -613,13 +612,13 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
 		if (l > (INT_MAX-DTLS1_HM_HEADER_LENGTH)) 
 			{
 			al=SSL_AD_ILLEGAL_PARAMETER;
-			SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_EXCESSIVE_MESSAGE_SIZE);
+			SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_EXCESSIVE_MESSAGE_SIZE);
 			goto f_err;
 			}
 		if (l && !BUF_MEM_grow_clean(s->init_buf,(int)l
 			+ DTLS1_HM_HEADER_LENGTH))
 			{
-			SSLerr(SSL_F_SSL3_GET_MESSAGE,ERR_R_BUF_LIB);
+			SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,ERR_R_BUF_LIB);
 			goto err;
 			}
        /* Only do this test when we're reading the expected message.
@ -627,7 +626,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
        if ( l > (unsigned long)max)
 			{
 			al=SSL_AD_ILLEGAL_PARAMETER;
-			SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_EXCESSIVE_MESSAGE_SIZE);
+			SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_EXCESSIVE_MESSAGE_SIZE);
 			goto f_err;
 			}
@ -637,20 +636,20 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
    if ( frag_len > (unsigned long)max)
        {
        al=SSL_AD_ILLEGAL_PARAMETER;
-        SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_EXCESSIVE_MESSAGE_SIZE);
+        SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_EXCESSIVE_MESSAGE_SIZE);
        goto f_err;
        }
    if ( frag_len + s->init_num > (INT_MAX - DTLS1_HM_HEADER_LENGTH))
        {
        al=SSL_AD_ILLEGAL_PARAMETER;
-        SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_EXCESSIVE_MESSAGE_SIZE);
+        SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_EXCESSIVE_MESSAGE_SIZE);
        goto f_err;
        }
    if ( frag_len & !BUF_MEM_grow_clean(s->init_buf, (int)frag_len 
             + DTLS1_HM_HEADER_LENGTH + s->init_num))
        {
-        SSLerr(SSL_F_SSL3_GET_MESSAGE,ERR_R_BUF_LIB);
+        SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,ERR_R_BUF_LIB);
        goto err;
        }
@ -842,14 +841,14 @@ unsigned long dtls1_output_cert_chain(SSL *s, X509 *x)
 	buf=s->init_buf;
 	if (!BUF_MEM_grow_clean(buf,10))
 		{
-		SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
+		SSLerr(SSL_F_DTLS1_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
 		return(0);
 		}
 	if (x != NULL)
 		{
 		if(!X509_STORE_CTX_init(&xs_ctx,s->ctx->cert_store,NULL,NULL))
 			{
-			SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB);
+			SSLerr(SSL_F_DTLS1_OUTPUT_CERT_CHAIN,ERR_R_X509_LIB);
 			return(0);
 			}
@ -858,7 +857,7 @@ unsigned long dtls1_output_cert_chain(SSL *s, X509 *x)
 			n=i2d_X509(x,NULL);
 			if (!BUF_MEM_grow_clean(buf,(int)(n+l+3)))
 				{
-				SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
+				SSLerr(SSL_F_DTLS1_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
 				return(0);
 				}
 			p=(unsigned char *)&(buf->data[l]);
@ -888,7 +887,7 @@ unsigned long dtls1_output_cert_chain(SSL *s, X509 *x)
 		n=i2d_X509(x,NULL);
 		if (!BUF_MEM_grow_clean(buf,(int)(n+l+3)))
 			{
-			SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
+			SSLerr(SSL_F_DTLS1_OUTPUT_CERT_CHAIN,ERR_R_BUF_LIB);
 			return(0);
 			}
 		p=(unsigned char *)&(buf->data[l]);
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@ -197,7 +197,7 @@ int dtls1_connect(SSL *s)
 			if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00))
 				{
-				SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR);
+				SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR);
 				ret = -1;
 				goto end;
 				}
@ -499,7 +499,7 @@ int dtls1_connect(SSL *s)
 			/* break; */
 		default:
-			SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE);
+			SSLerr(SSL_F_DTLS1_CONNECT,SSL_R_UNKNOWN_STATE);
 			ret= -1;
 			goto end;
 			/* break; */
@ -579,7 +579,7 @@ int dtls1_client_hello(SSL *s)
 			{
 			if (i > sizeof s->session->session_id)
 				{
-				SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+				SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
 				goto err;
 				}
 			memcpy(p,s->session->session_id,i);
@ -589,7 +589,7 @@ int dtls1_client_hello(SSL *s)
 		/* cookie stuff */
 		if ( s->d1->cookie_len > sizeof(s->d1->cookie))
 			{
-			SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+			SSLerr(SSL_F_DTLS1_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
 			goto err;
 			}
 		*(p++) = s->d1->cookie_len;
@ -600,7 +600,7 @@ int dtls1_client_hello(SSL *s)
 		i=ssl_cipher_list_to_bytes(s,SSL_get_ciphers(s),&(p[2]));
 		if (i == 0)
 			{
-			SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
+			SSLerr(SSL_F_DTLS1_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
 			goto err;
 			}
 		s2n(i,p);
@ -665,7 +665,7 @@ static int dtls1_get_hello_verify(SSL *s)
 	if ((data[0] != (s->version>>8)) || (data[1] != (s->version&0xff)))
 		{
-		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_SSL_VERSION);
+		SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY,SSL_R_WRONG_SSL_VERSION);
 		s->version=(s->version&0xff00)|data[1];
 		al = SSL_AD_PROTOCOL_VERSION;
 		goto f_err;
@ -727,7 +727,7 @@ int dtls1_send_client_key_exchange(SSL *s)
 					(pkey->type != EVP_PKEY_RSA) ||
 					(pkey->pkey.rsa == NULL))
 					{
-					SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
+					SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
 					goto err;
 					}
 				rsa=pkey->pkey.rsa;
@ -753,7 +753,7 @@ int dtls1_send_client_key_exchange(SSL *s)
 #endif
 			if (n <= 0)
 				{
-				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
+				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_ENCRYPT);
 				goto err;
 				}
@ -816,7 +816,7 @@ int dtls1_send_client_key_exchange(SSL *s)
                                {
                                ssl3_send_alert(s,SSL3_AL_FATAL,
 						SSL_AD_HANDSHAKE_FAILURE);
-                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+                                SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
 						kssl_err.reason);
                                goto err;
                                }
@ -883,7 +883,7 @@ int dtls1_send_client_key_exchange(SSL *s)
 			outl += padl;
 			if (outl > sizeof epms)
 				{
-				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
 				goto err;
 				}
 			EVP_CIPHER_CTX_cleanup(&ciph_ctx);
@ -914,19 +914,19 @@ int dtls1_send_client_key_exchange(SSL *s)
 				{
 				/* we get them from the cert */
 				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
-				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
+				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
 				goto err;
 				}
 			/* generate a new random key */
 			if ((dh_clnt=DHparams_dup(dh_srvr)) == NULL)
 				{
-				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
+				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
 				goto err;
 				}
 			if (!DH_generate_key(dh_clnt))
 				{
-				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
+				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
 				goto err;
 				}
@ -937,7 +937,7 @@ int dtls1_send_client_key_exchange(SSL *s)
 			if (n <= 0)
 				{
-				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
+				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
 				goto err;
 				}
@ -962,7 +962,7 @@ int dtls1_send_client_key_exchange(SSL *s)
 		else
 			{
 			ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
-			SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
+			SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
 			goto err;
 			}
@ -1021,7 +1021,7 @@ int dtls1_send_client_verify(SSL *s)
 					 MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
 					&(p[2]), &u, pkey->pkey.rsa) <= 0 )
 				{
-				SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
+				SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_RSA_LIB);
 				goto err;
 				}
 			s2n(u,p);
@ -1037,7 +1037,7 @@ int dtls1_send_client_verify(SSL *s)
 				SHA_DIGEST_LENGTH,&(p[2]),
 				(unsigned int *)&j,pkey->pkey.dsa))
 				{
-				SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
+				SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_DSA_LIB);
 				goto err;
 				}
 			s2n(j,p);
@ -1046,7 +1046,7 @@ int dtls1_send_client_verify(SSL *s)
 		else
 #endif
 			{
-			SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR);
+			SSLerr(SSL_F_DTLS1_SEND_CLIENT_VERIFY,ERR_R_INTERNAL_ERROR);
 			goto err;
 			}
@ -1110,7 +1110,7 @@ int dtls1_send_client_certificate(SSL *s)
 		else if (i == 1)
 			{
 			i=0;
-			SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
+			SSLerr(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE,SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
 			}
 		if (x509 != NULL) X509_free(x509);
--- a/ssl/d1_enc.c
+++ b/ssl/d1_enc.c
@ -217,7 +217,7 @@ int dtls1_enc(SSL *s, int send)
 			{
 			if (l == 0 || l%bs != 0)
 				{
-				SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
+				SSLerr(SSL_F_DTLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
 				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
 				return 0;
 				}
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@ -173,7 +173,7 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned long long priority)
 		if (rdata != NULL) OPENSSL_free(rdata);
 		if (item != NULL) pitem_free(item);
-		SSLerr(SSL_F_SSL3_GET_RECORD, ERR_R_INTERNAL_ERROR);
+		SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
 		return(0);
 		}
@ -348,7 +348,7 @@ dtls1_process_record(SSL *s)
 	if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH)
 		{
 		al=SSL_AD_RECORD_OVERFLOW;
-		SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
+		SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
 		goto f_err;
 		}
@ -386,7 +386,7 @@ if (	(sess == NULL) ||
 			{
 #if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
 			al=SSL_AD_RECORD_OVERFLOW;
-			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
+			SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
 			goto f_err;
 #else
 			goto decryption_failed_or_bad_record_mac;
@ -397,7 +397,7 @@ if (	(sess == NULL) ||
 			{
 #if 0 /* OK only for stream ciphers */
 			al=SSL_AD_DECODE_ERROR;
-			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
+			SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
 			goto f_err;
 #else
 			goto decryption_failed_or_bad_record_mac;
@ -417,13 +417,13 @@ if (	(sess == NULL) ||
 		if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH)
 			{
 			al=SSL_AD_RECORD_OVERFLOW;
-			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
+			SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_COMPRESSED_LENGTH_TOO_LONG);
 			goto f_err;
 			}
 		if (!ssl3_do_uncompress(s))
 			{
 			al=SSL_AD_DECOMPRESSION_FAILURE;
-			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_DECOMPRESSION);
+			SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_BAD_DECOMPRESSION);
 			goto f_err;
 			}
 		}
@ -431,7 +431,7 @@ if (	(sess == NULL) ||
 	if (rr->length > SSL3_RT_MAX_PLAIN_LENGTH)
 		{
 		al=SSL_AD_RECORD_OVERFLOW;
-		SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
+		SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DATA_LENGTH_TOO_LONG);
 		goto f_err;
 		}
@ -456,7 +456,7 @@ decryption_failed_or_bad_record_mac:
 	 * we should not reveal which kind of error occured -- this
 	 * might become visible to an attacker (e.g. via logfile) */
 	al=SSL_AD_BAD_RECORD_MAC;
-	SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
+	SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
 f_err:
 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
 err:
@ -536,7 +536,7 @@ again:
 			{
 			if (version != s->version)
 				{
-				SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
+				SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
 				/* Send back error using their
 				 * version number :-) */
 				s->version=version;
@ -547,14 +547,14 @@ again:
 		if ((version & 0xff00) != (DTLS1_VERSION & 0xff00))
 			{
-			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
+			SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
 			goto err;
 			}
 		if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH)
 			{
 			al=SSL_AD_RECORD_OVERFLOW;
-			SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
+			SSLerr(SSL_F_DTLS1_GET_RECORD,SSL_R_PACKET_LENGTH_TOO_LONG);
 			goto f_err;
 			}
@ -667,7 +667,7 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
 		(type != SSL3_RT_HANDSHAKE) && type) ||
 	    (peek && (type != SSL3_RT_APPLICATION_DATA)))
 		{
-		SSLerr(SSL_F_SSL3_READ_BYTES, ERR_R_INTERNAL_ERROR);
+		SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR);
 		return -1;
 		}
@ -684,7 +684,7 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
 		if (i < 0) return(i);
 		if (i == 0)
 			{
-			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
+			SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
 			return(-1);
 			}
 		}
@ -720,7 +720,7 @@ start:
 		&& (rr->type != SSL3_RT_HANDSHAKE))
 		{
 		al=SSL_AD_UNEXPECTED_MESSAGE;
-		SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
+		SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
 		goto err;
 		}
@ -742,7 +742,7 @@ start:
 			(s->enc_read_ctx == NULL))
 			{
 			al=SSL_AD_UNEXPECTED_MESSAGE;
-			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE);
+			SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_APP_DATA_IN_HANDSHAKE);
 			goto f_err;
 			}
@ -833,7 +833,7 @@ start:
 			(s->d1->handshake_fragment[3] != 0))
 			{
 			al=SSL_AD_DECODE_ERROR;
-			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
+			SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_HELLO_REQUEST);
 			goto err;
 			}
@ -854,7 +854,7 @@ start:
 				if (i < 0) return(i);
 				if (i == 0)
 					{
-					SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
+					SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
 					return(-1);
 					}
@ -941,7 +941,7 @@ start:
 			s->rwstate=SSL_NOTHING;
 			s->s3->fatal_alert = alert_descr;
-			SSLerr(SSL_F_SSL3_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
+			SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_AD_REASON_OFFSET + alert_descr);
 			BIO_snprintf(tmp,sizeof tmp,"%d",alert_descr);
 			ERR_add_error_data(2,"SSL alert number ",tmp);
 			s->shutdown|=SSL_RECEIVED_SHUTDOWN;
@ -951,7 +951,7 @@ start:
 		else
 			{
 			al=SSL_AD_ILLEGAL_PARAMETER;
-			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE);
+			SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNKNOWN_ALERT_TYPE);
 			goto f_err;
 			}
@ -980,7 +980,7 @@ start:
 				(rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
 				{
 				i=SSL_AD_ILLEGAL_PARAMETER;
-				SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
+				SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
 				goto err;
 				}
@ -1041,7 +1041,7 @@ start:
 		if (i < 0) return(i);
 		if (i == 0)
 			{
-			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
+			SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
 			return(-1);
 			}
@ -1076,7 +1076,7 @@ start:
 			}
 #endif
 		al=SSL_AD_UNEXPECTED_MESSAGE;
-		SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
+		SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
 		goto f_err;
 	case SSL3_RT_CHANGE_CIPHER_SPEC:
 	case SSL3_RT_ALERT:
@ -1085,7 +1085,7 @@ start:
 		 * of SSL3_RT_HANDSHAKE when s->in_handshake is set, but that
 		 * should not happen when type != rr->type */
 		al=SSL_AD_UNEXPECTED_MESSAGE;
-		SSLerr(SSL_F_SSL3_READ_BYTES,ERR_R_INTERNAL_ERROR);
+		SSLerr(SSL_F_DTLS1_READ_BYTES,ERR_R_INTERNAL_ERROR);
 		goto f_err;
 	case SSL3_RT_APPLICATION_DATA:
 		/* At this point, we were expecting handshake data,
@ -1114,7 +1114,7 @@ start:
 		else
 			{
 			al=SSL_AD_UNEXPECTED_MESSAGE;
-			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
+			SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
 			goto f_err;
 			}
 		}
@ -1138,7 +1138,7 @@ dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len)
 		if (i < 0) return(i);
 		if (i == 0)
 			{
-			SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
+			SSLerr(SSL_F_DTLS1_WRITE_APP_DATA_BYTES,SSL_R_SSL_HANDSHAKE_FAILURE);
 			return -1;
 			}
 		}
@ -1251,8 +1251,7 @@ int dtls1_write_bytes(SSL *s, int type, const void *buf_, int len)
 	return tot + i;
 	}
-int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
+int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, int create_empty_fragment)
 	unsigned int len, int create_empty_fragment)
 	{
 	unsigned char *p,*pseq;
 	int i,mac_size,clear=0;
@ -1319,7 +1318,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
 			if (s->s3->wbuf.len < (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE)
 				{
 				/* insufficient space */
-				SSLerr(SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR);
+				SSLerr(SSL_F_DO_DTLS1_WRITE, ERR_R_INTERNAL_ERROR);
 				goto err;
 				}
 			}
@ -1365,7 +1364,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
 		{
 		if (!ssl3_do_compress(s))
 			{
-			SSLerr(SSL_F_DO_SSL3_WRITE,SSL_R_COMPRESSION_FAILURE);
+			SSLerr(SSL_F_DO_DTLS1_WRITE,SSL_R_COMPRESSION_FAILURE);
 			goto err;
 			}
 		}
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@ -180,7 +180,7 @@ int dtls1_accept(SSL *s)
 	if (s->cert == NULL)
 		{
-		SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
+		SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
 		return(-1);
 		}
@ -204,7 +204,7 @@ int dtls1_accept(SSL *s)
 			if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00))
 				{
-				SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
+				SSLerr(SSL_F_DTLS1_ACCEPT, ERR_R_INTERNAL_ERROR);
 				return -1;
 				}
 			s->type=SSL_ST_ACCEPT;
@ -569,7 +569,7 @@ int dtls1_accept(SSL *s)
 			/* break; */
 		default:
-			SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_UNKNOWN_STATE);
+			SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_UNKNOWN_STATE);
 			ret= -1;
 			goto end;
 			/* break; */
@ -707,7 +707,7 @@ int dtls1_send_server_hello(SSL *s)
 		sl=s->session->session_id_length;
 		if (sl > sizeof s->session->session_id)
 			{
-			SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
+			SSLerr(SSL_F_DTLS1_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
 			return -1;
 			}
 		*(p++)=sl;
@ -812,7 +812,7 @@ int dtls1_send_server_key_exchange(SSL *s)
 				if(rsa == NULL)
 				{
 					al=SSL_AD_HANDSHAKE_FAILURE;
-					SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
+					SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_ERROR_GENERATING_TMP_RSA_KEY);
 					goto f_err;
 				}
 				RSA_up_ref(rsa);
@ -821,7 +821,7 @@ int dtls1_send_server_key_exchange(SSL *s)
 			if (rsa == NULL)
 				{
 				al=SSL_AD_HANDSHAKE_FAILURE;
-				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY);
+				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_RSA_KEY);
 				goto f_err;
 				}
 			r[0]=rsa->n;
@ -841,20 +841,20 @@ int dtls1_send_server_key_exchange(SSL *s)
 			if (dhp == NULL)
 				{
 				al=SSL_AD_HANDSHAKE_FAILURE;
-				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
+				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_MISSING_TMP_DH_KEY);
 				goto f_err;
 				}
 			if (s->s3->tmp.dh != NULL)
 				{
 				DH_free(dh);
-				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
 				goto err;
 				}
 			if ((dh=DHparams_dup(dhp)) == NULL)
 				{
-				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
+				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
 				goto err;
 				}
@ -865,7 +865,7 @@ int dtls1_send_server_key_exchange(SSL *s)
 				{
 				if(!DH_generate_key(dh))
 				    {
-				    SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
+				    SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,
 					   ERR_R_DH_LIB);
 				    goto err;
 				    }
@ -877,7 +877,7 @@ int dtls1_send_server_key_exchange(SSL *s)
 				if ((dh->pub_key == NULL) ||
 					(dh->priv_key == NULL))
 					{
-					SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
+					SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_R_DH_LIB);
 					goto err;
 					}
 				}
@ -889,7 +889,7 @@ int dtls1_send_server_key_exchange(SSL *s)
 #endif
 			{
 			al=SSL_AD_HANDSHAKE_FAILURE;
-			SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
+			SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
 			goto f_err;
 			}
 		for (i=0; r[i] != NULL; i++)
@ -916,7 +916,7 @@ int dtls1_send_server_key_exchange(SSL *s)
 		if (!BUF_MEM_grow_clean(buf,n+DTLS1_HM_HEADER_LENGTH+kn))
 			{
-			SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
+			SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
 			goto err;
 			}
 		d=(unsigned char *)s->init_buf->data;
@ -955,7 +955,7 @@ int dtls1_send_server_key_exchange(SSL *s)
 				if (RSA_sign(NID_md5_sha1, md_buf, j,
 					&(p[2]), &u, pkey->pkey.rsa) <= 0)
 					{
-					SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
+					SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_RSA);
 					goto err;
 					}
 				s2n(u,p);
@ -974,7 +974,7 @@ int dtls1_send_server_key_exchange(SSL *s)
 				if (!EVP_SignFinal(&md_ctx,&(p[2]),
 					(unsigned int *)&i,pkey))
 					{
-					SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA);
+					SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA);
 					goto err;
 					}
 				s2n(i,p);
@ -985,7 +985,7 @@ int dtls1_send_server_key_exchange(SSL *s)
 				{
 				/* Is this error check actually needed? */
 				al=SSL_AD_HANDSHAKE_FAILURE;
-				SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE);
+				SSLerr(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_PKEY_TYPE);
 				goto f_err;
 				}
 			}
@ -1047,7 +1047,7 @@ int dtls1_send_certificate_request(SSL *s)
 				j=i2d_X509_NAME(name,NULL);
 				if (!BUF_MEM_grow_clean(buf,DTLS1_HM_HEADER_LENGTH+n+j+2))
 					{
-					SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
+					SSLerr(SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
 					goto err;
 					}
 				p=(unsigned char *)&(buf->data[DTLS1_HM_HEADER_LENGTH+n]);
@ -1122,7 +1122,7 @@ int dtls1_send_server_certificate(SSL *s)
                                & (SSL_MKEY_MASK|SSL_AUTH_MASK))
                        != (SSL_aKRB5|SSL_kKRB5))
 			{
-			SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
+			SSLerr(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
 			return(0);
 			}
--- a/ssl/dtls1.h
+++ b/ssl/dtls1.h
@ -67,8 +67,6 @@
 extern "C" {
 #endif
 #define DTLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES	1
 #define DTLS1_VERSION			0x0100
 #define DTLS1_VERSION_MAJOR		0x01
 #define DTLS1_VERSION_MINOR		0x00
@ -104,7 +102,7 @@ struct hm_header_st
 	unsigned short seq;
 	unsigned long frag_off;
 	unsigned long frag_len;
-    unsigned int is_ccs;
+	unsigned int is_ccs;
 	};
 struct ccs_header_st
@ -126,16 +124,16 @@ struct dtls1_timeout_st
 	};
 typedef struct record_pqueue_st
-    {
+	{
-    unsigned short epoch;
+	unsigned short epoch;
-    pqueue q;
+	pqueue q;
-    } record_pqueue;
+	} record_pqueue;
 typedef struct hm_fragment_st
-    {
+	{
-    struct hm_header_st msg_header;
+	struct hm_header_st msg_header;
-    unsigned char *fragment;
+	unsigned char *fragment;
-    } hm_fragment;
+	} hm_fragment;
 typedef struct dtls1_state_st
 	{
@ -164,15 +162,15 @@ typedef struct dtls1_state_st
 	unsigned short handshake_read_seq;
-    /* only matters for handshake messages */  
+	/* only matters for handshake messages */  
 	unsigned long long next_expected_seq_num; 
 	/* Received handshake records (processed and unprocessed) */
 	record_pqueue unprocessed_rcds;
-    record_pqueue processed_rcds;
+	record_pqueue processed_rcds;
-    /* Buffered handshake messages */
+	/* Buffered handshake messages */
-    pqueue buffered_messages;
+	pqueue buffered_messages;
 	/* Buffered (sent) handshake records */
 	pqueue sent_messages;
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@ -767,60 +767,60 @@ int ssl3_get_client_hello(SSL *s)
 		/* cookie stuff */
 		cookie_len = *(p++);
-        if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
+		if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
-            s->d1->send_cookie == 0)
+			s->d1->send_cookie == 0)
-            {
+			{
-            /* HelloVerifyMessage has already been sent */
+			/* HelloVerifyMessage has already been sent */
-            if ( cookie_len != s->d1->cookie_len)
+			if ( cookie_len != s->d1->cookie_len)
-                {
+				{
-                al = SSL_AD_HANDSHAKE_FAILURE;
+				al = SSL_AD_HANDSHAKE_FAILURE;
-                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
+				SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
-                goto f_err;
+				goto f_err;
-                }
+				}
-            }
+			}
-        /* 
+		/* 
-         * The ClientHello may contain a cookie even if the
+		 * The ClientHello may contain a cookie even if the
-         * HelloVerify message has not been sent--make sure that it
+		 * HelloVerify message has not been sent--make sure that it
-         * does not cause an overflow.
+		 * does not cause an overflow.
-         */
+		 */
 		if ( cookie_len > sizeof(s->d1->rcvd_cookie))
 			{
 			/* too much data */
-            al = SSL_AD_DECODE_ERROR;
+			al = SSL_AD_DECODE_ERROR;
 			SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
 			goto f_err;
 			}
-        /* verify the cookie if appropriate option is set. */
+		/* verify the cookie if appropriate option is set. */
-        if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
+		if ( (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) &&
-            cookie_len > 0)
+			cookie_len > 0)
-            {
+			{
-            memcpy(s->d1->rcvd_cookie, p, cookie_len);
+			memcpy(s->d1->rcvd_cookie, p, cookie_len);
-            if ( s->ctx->app_verify_cookie_cb != NULL)
+			if ( s->ctx->app_verify_cookie_cb != NULL)
-                {
+				{
-                if ( s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie,
+				if ( s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie,
-                    cookie_len) == 0)
+					cookie_len) == 0)
-                    {
+					{
-                    al=SSL_AD_HANDSHAKE_FAILURE;
+					al=SSL_AD_HANDSHAKE_FAILURE;
-                    SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 
+					SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 
-                        SSL_R_COOKIE_MISMATCH);
+						SSL_R_COOKIE_MISMATCH);
-                    goto f_err;
+					goto f_err;
-                    }
+					}
-                /* else cookie verification succeeded */
+				/* else cookie verification succeeded */
-                }
+				}
-            else if ( memcmp(s->d1->rcvd_cookie, s->d1->cookie, 
+			else if ( memcmp(s->d1->rcvd_cookie, s->d1->cookie, 
-                          s->d1->cookie_len) != 0) /* default verification */
+						  s->d1->cookie_len) != 0) /* default verification */
-                {
+				{
-                    al=SSL_AD_HANDSHAKE_FAILURE;
+					al=SSL_AD_HANDSHAKE_FAILURE;
-                    SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 
+					SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, 
-                        SSL_R_COOKIE_MISMATCH);
+						SSL_R_COOKIE_MISMATCH);
-                    goto f_err;
+					goto f_err;
-                }
+				}
-            }
+			}
-        p += cookie_len;
+		p += cookie_len;
 		}
 	n2s(p,i);
@ -872,8 +872,7 @@ int ssl3_get_client_hello(SSL *s)
 			if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
 				{
 				/* Very bad for multi-threading.... */
-				s->session->cipher=sk_SSL_CIPHER_value(ciphers,
+				s->session->cipher=sk_SSL_CIPHER_value(ciphers, 0);
 								       0);
 				}
 			else
 				{
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@ -376,14 +376,12 @@ typedef struct ssl_method_st
 	int (*ssl_shutdown)(SSL *s);
 	int (*ssl_renegotiate)(SSL *s);
 	int (*ssl_renegotiate_check)(SSL *s);
 	/* -- begin DTLS -- */
 	long (*ssl_get_message)(SSL *s, int st1, int stn, int mt, long
 		max, int *ok);
 	int (*ssl_read_bytes)(SSL *s, int type, unsigned char *buf, int len, 
 		int peek);
 	int (*ssl_write_bytes)(SSL *s, int type, const void *buf_, int len);
 	int (*ssl_dispatch_alert)(SSL *s);
 	/* -- end DTLS -- */
 	long (*ssl_ctrl)(SSL *s,int cmd,long larg,void *parg);
 	long (*ssl_ctx_ctrl)(SSL_CTX *ctx,int cmd,long larg,void *parg);
 	SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr);
@ -1549,7 +1547,31 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_CLIENT_HELLO				 101
 #define SSL_F_CLIENT_MASTER_KEY				 102
 #define SSL_F_D2I_SSL_SESSION				 103
 #define SSL_F_DO_DTLS1_WRITE				 1003
 #define SSL_F_DO_SSL3_WRITE				 104
 #define SSL_F_DTLS1_ACCEPT				 1004
 #define SSL_F_DTLS1_BUFFER_RECORD			 1005
 #define SSL_F_DTLS1_CLIENT_HELLO			 1006
 #define SSL_F_DTLS1_CONNECT				 1007
 #define SSL_F_DTLS1_ENC					 1008
 #define SSL_F_DTLS1_GET_HELLO_VERIFY			 1009
 #define SSL_F_DTLS1_GET_MESSAGE				 1010
 #define SSL_F_DTLS1_GET_MESSAGE_FRAGMENT		 1011
 #define SSL_F_DTLS1_GET_RECORD				 1012
 #define SSL_F_DTLS1_OUTPUT_CERT_CHAIN			 1013
 #define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE		 1014
 #define SSL_F_DTLS1_PROCESS_RECORD			 1015
 #define SSL_F_DTLS1_READ_BYTES				 1016
 #define SSL_F_DTLS1_READ_FAILED				 1001
 #define SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST		 1017
 #define SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE		 1018
 #define SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE		 1019
 #define SSL_F_DTLS1_SEND_CLIENT_VERIFY			 1020
 #define SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST		 1002
 #define SSL_F_DTLS1_SEND_SERVER_CERTIFICATE		 1021
 #define SSL_F_DTLS1_SEND_SERVER_HELLO			 1022
 #define SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE		 1023
 #define SSL_F_DTLS1_WRITE_APP_DATA_BYTES		 1024
 #define SSL_F_GET_CLIENT_FINISHED			 105
 #define SSL_F_GET_CLIENT_HELLO				 106
 #define SSL_F_GET_CLIENT_MASTER_KEY			 107
@ -1690,9 +1712,6 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_TLS1_SETUP_KEY_BLOCK			 211
 #define SSL_F_WRITE_PENDING				 212
 #define SSL_F_DTLS1_READ_FAILED          1001
 #define SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST    1002
 /* Reason codes. */
 #define SSL_R_APP_DATA_IN_HANDSHAKE			 100
 #define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272
@ -1745,6 +1764,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_COMPRESSION_LIBRARY_ERROR			 142
 #define SSL_R_CONNECTION_ID_IS_DIFFERENT		 143
 #define SSL_R_CONNECTION_TYPE_NOT_SET			 144
 #define SSL_R_COOKIE_MISMATCH				 2002
 #define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED		 145
 #define SSL_R_DATA_LENGTH_TOO_LONG			 146
 #define SSL_R_DECRYPTION_FAILED				 147
@ -1836,6 +1856,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_PUBLIC_KEY_IS_NOT_RSA			 209
 #define SSL_R_PUBLIC_KEY_NOT_RSA			 210
 #define SSL_R_READ_BIO_NOT_SET				 211
 #define SSL_R_READ_TIMEOUT_EXPIRED			 2001
 #define SSL_R_READ_WRONG_PACKET_TYPE			 212
 #define SSL_R_RECORD_LENGTH_MISMATCH			 213
 #define SSL_R_RECORD_TOO_LARGE				 214
@ -1931,9 +1952,6 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_X509_LIB					 268
 #define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS		 269
 #define SSL_R_READ_TIMEOUT_EXPIRED              2001
 #define SSL_R_COOKIE_MISMATCH                   2002
 #ifdef  __cplusplus
 }
 #endif
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@ -75,7 +75,31 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_CLIENT_HELLO),	"CLIENT_HELLO"},
 {ERR_FUNC(SSL_F_CLIENT_MASTER_KEY),	"CLIENT_MASTER_KEY"},
 {ERR_FUNC(SSL_F_D2I_SSL_SESSION),	"d2i_SSL_SESSION"},
 {ERR_FUNC(SSL_F_DO_DTLS1_WRITE),	"DO_DTLS1_WRITE"},
 {ERR_FUNC(SSL_F_DO_SSL3_WRITE),	"DO_SSL3_WRITE"},
 {ERR_FUNC(SSL_F_DTLS1_ACCEPT),	"DTLS1_ACCEPT"},
 {ERR_FUNC(SSL_F_DTLS1_BUFFER_RECORD),	"DTLS1_BUFFER_RECORD"},
 {ERR_FUNC(SSL_F_DTLS1_CLIENT_HELLO),	"DTLS1_CLIENT_HELLO"},
 {ERR_FUNC(SSL_F_DTLS1_CONNECT),	"DTLS1_CONNECT"},
 {ERR_FUNC(SSL_F_DTLS1_ENC),	"DTLS1_ENC"},
 {ERR_FUNC(SSL_F_DTLS1_GET_HELLO_VERIFY),	"DTLS1_GET_HELLO_VERIFY"},
 {ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE),	"DTLS1_GET_MESSAGE"},
 {ERR_FUNC(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT),	"DTLS1_GET_MESSAGE_FRAGMENT"},
 {ERR_FUNC(SSL_F_DTLS1_GET_RECORD),	"DTLS1_GET_RECORD"},
 {ERR_FUNC(SSL_F_DTLS1_OUTPUT_CERT_CHAIN),	"DTLS1_OUTPUT_CERT_CHAIN"},
 {ERR_FUNC(SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE),	"DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE"},
 {ERR_FUNC(SSL_F_DTLS1_PROCESS_RECORD),	"DTLS1_PROCESS_RECORD"},
 {ERR_FUNC(SSL_F_DTLS1_READ_BYTES),	"DTLS1_READ_BYTES"},
 {ERR_FUNC(SSL_F_DTLS1_READ_FAILED),	"DTLS1_READ_FAILED"},
 {ERR_FUNC(SSL_F_DTLS1_SEND_CERTIFICATE_REQUEST),	"DTLS1_SEND_CERTIFICATE_REQUEST"},
 {ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_CERTIFICATE),	"DTLS1_SEND_CLIENT_CERTIFICATE"},
 {ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE),	"DTLS1_SEND_CLIENT_KEY_EXCHANGE"},
 {ERR_FUNC(SSL_F_DTLS1_SEND_CLIENT_VERIFY),	"DTLS1_SEND_CLIENT_VERIFY"},
 {ERR_FUNC(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST),	"DTLS1_SEND_HELLO_VERIFY_REQUEST"},
 {ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_CERTIFICATE),	"DTLS1_SEND_SERVER_CERTIFICATE"},
 {ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_HELLO),	"DTLS1_SEND_SERVER_HELLO"},
 {ERR_FUNC(SSL_F_DTLS1_SEND_SERVER_KEY_EXCHANGE),	"DTLS1_SEND_SERVER_KEY_EXCHANGE"},
 {ERR_FUNC(SSL_F_DTLS1_WRITE_APP_DATA_BYTES),	"DTLS1_WRITE_APP_DATA_BYTES"},
 {ERR_FUNC(SSL_F_GET_CLIENT_FINISHED),	"GET_CLIENT_FINISHED"},
 {ERR_FUNC(SSL_F_GET_CLIENT_HELLO),	"GET_CLIENT_HELLO"},
 {ERR_FUNC(SSL_F_GET_CLIENT_MASTER_KEY),	"GET_CLIENT_MASTER_KEY"},
@ -271,6 +295,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_COMPRESSION_LIBRARY_ERROR),"compression library error"},
 {ERR_REASON(SSL_R_CONNECTION_ID_IS_DIFFERENT),"connection id is different"},
 {ERR_REASON(SSL_R_CONNECTION_TYPE_NOT_SET),"connection type not set"},
 {ERR_REASON(SSL_R_COOKIE_MISMATCH)       ,"cookie mismatch"},
 {ERR_REASON(SSL_R_DATA_BETWEEN_CCS_AND_FINISHED),"data between ccs and finished"},
 {ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG)  ,"data length too long"},
 {ERR_REASON(SSL_R_DECRYPTION_FAILED)     ,"decryption failed"},
@ -362,6 +387,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_PUBLIC_KEY_IS_NOT_RSA) ,"public key is not rsa"},
 {ERR_REASON(SSL_R_PUBLIC_KEY_NOT_RSA)    ,"public key not rsa"},
 {ERR_REASON(SSL_R_READ_BIO_NOT_SET)      ,"read bio not set"},
 {ERR_REASON(SSL_R_READ_TIMEOUT_EXPIRED)  ,"read timeout expired"},
 {ERR_REASON(SSL_R_READ_WRONG_PACKET_TYPE),"read wrong packet type"},
 {ERR_REASON(SSL_R_RECORD_LENGTH_MISMATCH),"record length mismatch"},
 {ERR_REASON(SSL_R_RECORD_TOO_LARGE)      ,"record too large"},
@ -456,8 +482,6 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_WRONG_VERSION_NUMBER)  ,"wrong version number"},
 {ERR_REASON(SSL_R_X509_LIB)              ,"x509 lib"},
 {ERR_REASON(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS),"x509 verification setup problems"},
 {ERR_REASON(SSL_R_READ_TIMEOUT_EXPIRED)  ,"read timeout expired"},
 {ERR_REASON(SSL_R_COOKIE_MISMATCH)       ,"cookie mismatch"},
 {0,NULL}
 	};
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@ -622,7 +622,9 @@ long	ssl3_callback_ctrl(SSL *s,int cmd, void (*fp)(void));
 long	ssl3_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)(void));
 int	ssl3_pending(const SSL *s);
-/* -- begin DTLS -- */
+void ssl3_record_sequence_update(unsigned char *seq);
 int ssl3_do_change_cipher_spec(SSL *ssl);
 int dtls1_do_write(SSL *s,int type);
 int ssl3_read_n(SSL *s, int n, int max, int extend);
 int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek);
@ -635,7 +637,32 @@ unsigned char *dtls1_set_message_header(SSL *s,
 	unsigned long frag_off, unsigned long frag_len);
 int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf, int len);
 int dtls1_write_bytes(SSL *s, int type, const void *buf, int len);
-/* -- end DTLS -- */
+
 /* client functionality */
 int ssl3_client_hello(SSL *s);
 int ssl3_get_server_hello(SSL *s);
 int ssl3_get_certificate_request(SSL *s);
 int ssl3_get_server_done(SSL *s);
 int ssl3_send_client_verify(SSL *s);
 int ssl3_send_client_certificate(SSL *s);
 int ssl3_send_client_key_exchange(SSL *s);
 int ssl3_get_key_exchange(SSL *s);
 int ssl3_get_server_certificate(SSL *s);
 int ssl3_check_cert_and_algorithm(SSL *s);
 /* server functionality */
 int ssl3_get_client_hello(SSL *s);
 int ssl3_send_server_hello(SSL *s);
 int ssl3_send_hello_request(SSL *s);
 int ssl3_send_server_key_exchange(SSL *s);
 int ssl3_send_certificate_request(SSL *s);
 int ssl3_send_server_done(SSL *s);
 int ssl3_check_client_hello(SSL *s);
 int ssl3_get_client_certificate(SSL *s);
 int ssl3_get_client_key_exchange(SSL *s);
 int ssl3_get_cert_verify(SSL *s);
 int ssl23_accept(SSL *s);
 int ssl23_connect(SSL *s);
@ -649,7 +676,6 @@ long tls1_ctrl(SSL *s,int cmd, long larg, void *parg);
 long tls1_callback_ctrl(SSL *s,int cmd, void (*fp)(void));
 SSL_METHOD *tlsv1_base_method(void );
 /* -- start DTLS functions -- */
 int dtls1_new(SSL *s);
 int	dtls1_accept(SSL *s);
 int	dtls1_connect(SSL *s);
@ -664,7 +690,6 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
 	unsigned int len, int create_empty_fragement);
 int dtls1_dispatch_alert(SSL *s);
 int dtls1_enc(SSL *s, int snd);
 /* -- end DTLS functions -- */
 int ssl_init_wbio_buffer(SSL *s, int push);
 void ssl_free_wbio_buffer(SSL *s);
--- a/util/ck_errf.pl
+++ b/util/ck_errf.pl
@ -13,9 +13,9 @@ foreach $file (@ARGV)
 	$func="";
 	while (<IN>)
 		{
-		if (/^[a-zA-Z].+[\s*]([A-Za-z_0-9]+)\(.*\)/)
+		if (!/;$/ && /^([a-zA-Z].+[\s*])?([A-Za-z_0-9]+)\(.*\)/)
 			{
-			$func=$1;
+			$func=$2;
 			$func =~ tr/A-Z/a-z/;
 			}
 		if (/([A-Z0-9]+)err\(([^,]+)/)