authorDr. Stephen Henson <steve@openssl.org>2013-03-20 15:49:14 +0000
committerDr. Stephen Henson <steve@openssl.org>2013-09-18 13:46:02 +0100
commitacec5a6244b6e54b805a5f7512efc72e18cc693a (patch)
tree458d6b2bb9b943545fd35762f063da7ce62eac45 /ssl
parent68039af3e7fbbdef1f8a801c9fe5399015c0e58d (diff)
Provisional DTLS 1.2 support.
Add correct flags for DTLS 1.2, update s_server and s_client to handle DTLS 1.2 methods. Currently there is no support for version negotiation, i.e. if the client/server selects DTLS 1.2 it is that or nothing. (cherry picked from commit c3b344e36a088283731b4f65a70e85b100f55686) Conflicts: apps/s_server.c
Diffstat (limited to 'ssl')
-rw-r--r--ssl/d1_clnt.c9
-rw-r--r--ssl/d1_lib.c21
-rw-r--r--ssl/d1_meth.c9
-rw-r--r--ssl/d1_srvr.c9
-rw-r--r--ssl/dtls1.h1
-rw-r--r--ssl/s3_clnt.c2
-rw-r--r--ssl/ssl.h4
-rw-r--r--ssl/ssl_locl.h1
-rw-r--r--ssl/ssl_sess.c5
-rw-r--r--ssl/ssl_txt.c2
-rw-r--r--ssl/t1_trce.c1
11 files changed, 62 insertions, 2 deletions
diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
index b1f8c5e8f4..ec7ef0d817 100644
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -135,6 +135,8 @@ static const SSL_METHOD *dtls1_get_client_method(int ver)
{
if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
return(DTLSv1_client_method());
+ else if (ver == DTLS1_2_VERSION)
+ return(DTLSv1_2_client_method());
else
return(NULL);
}
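Review bot: dtls1_get_client_method now has two exact-match arms and no fallback, so a peer that answers a DTLSv1_2 method with DTLS 1.0 (or a DTLSv1 method with DTLS 1.2) gets NULL from the lookup; the commit message says this is intentional, but nothing in the code does. A short comment above the chain, `/* No DTLS version negotiation yet: exact match only; DTLS1_BAD_VER maps to DTLSv1 */`, would spare the next reader a trip to the log. The same applies to dtls1_get_method in d1_meth.c and dtls1_get_server_method in d1_srvr.c, which gain the identical arm.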
@@ -146,6 +148,13 @@ IMPLEMENT_dtls1_meth_func(DTLS1_VERSION,
dtls1_get_client_method,
DTLSv1_enc_data)
+IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION,
+ DTLSv1_2_client_method,
+ ssl_undefined_function,
+ dtls1_connect,
+ dtls1_get_client_method,
+ DTLSv1_2_enc_data)
+
int dtls1_connect(SSL *s)
{
BUF_MEM *buf=NULL;
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index f03a7ee1d8..2b82d527df 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -91,6 +91,25 @@ SSL3_ENC_METHOD DTLSv1_enc_data={
dtls1_handshake_write
};
+SSL3_ENC_METHOD DTLSv1_2_enc_data={
+ dtls1_enc,
+ tls1_mac,
+ tls1_setup_key_block,
+ tls1_generate_master_secret,
+ tls1_change_cipher_state,
+ tls1_final_finish_mac,
+ TLS1_FINISH_MAC_LENGTH,
+ tls1_cert_verify_mac,
+ TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
+ TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
+ tls1_alert_code,
+ tls1_export_keying_material,
+ SSL_ENC_FLAG_DTLS|SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF,
+ DTLS1_HM_HEADER_LENGTH,
+ dtls1_set_handshake_header,
+ dtls1_handshake_write
+ };
+
long dtls1_default_timeout(void)
{
/* 2 hours, the 24 hours mentioned in the DTLSv1 spec
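Review bot: DTLSv1_2_enc_data carries no comment on how it relates to DTLSv1_enc_data and TLSv1_2_enc_data. From the hunk, the DTLS-specific hooks (dtls1_enc, DTLS1_HM_HEADER_LENGTH, dtls1_set_handshake_header, dtls1_handshake_write) are retained and the 1.2 behaviour is expressed only through the SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF bits in enc_flags; the remaining entries of DTLSv1_enc_data are outside the hunk, so I cannot confirm the two tables otherwise agree. A header comment such as `/* DTLS 1.2: same record/handshake hooks as DTLSv1_enc_data; signature algorithms and the SHA-256 PRF are selected via enc_flags */` would make that intent explicit and give future reviewers a single place to check when one table is changed without the other.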
@@ -248,7 +267,7 @@ void dtls1_clear(SSL *s)
if (s->options & SSL_OP_CISCO_ANYCONNECT)
s->version=DTLS1_BAD_VER;
else
- s->version=DTLS1_VERSION;
+ s->version=s->method->version;
}
long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
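Review bot: With `s->version=s->method->version`, the SSL_OP_CISCO_ANYCONNECT branch just above still forces DTLS1_BAD_VER regardless of which method is in use, so a DTLSv1_2 method combined with that option ends up with a DTLS1_BAD_VER version while its enc data keeps the 1.2 SIGALGS/SHA256_PRF flags. Whether that combination is reachable through the public API I cannot tell from the hunk, but the override reads as meant for the DTLSv1 method only; consider `if ((s->options & SSL_OP_CISCO_ANYCONNECT) && s->method->version == DTLS1_VERSION)` so the new method-derived default cannot be silently downgraded. dtls1_clear's body starts outside the hunk.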
diff --git a/ssl/d1_meth.c b/ssl/d1_meth.c
index 0470624b3f..64a22d6b09 100644
--- a/ssl/d1_meth.c
+++ b/ssl/d1_meth.c
@@ -66,6 +66,8 @@ static const SSL_METHOD *dtls1_get_method(int ver)
{
if (ver == DTLS1_VERSION)
return(DTLSv1_method());
+ else if (ver == DTLS1_2_VERSION)
+ return(DTLSv1_2_method());
else
return(NULL);
}
@@ -77,3 +79,10 @@ IMPLEMENT_dtls1_meth_func(DTLS1_VERSION,
dtls1_get_method,
DTLSv1_enc_data)
+IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION,
+ DTLSv1_2_method,
+ dtls1_accept,
+ dtls1_connect,
+ dtls1_get_method,
+ DTLSv1_2_enc_data)
+
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index e96ef64e28..b0f516880e 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -133,6 +133,8 @@ static const SSL_METHOD *dtls1_get_server_method(int ver)
{
if (ver == DTLS1_VERSION)
return(DTLSv1_server_method());
+ else if (ver == DTLS1_2_VERSION)
+ return(DTLSv1_2_server_method());
else
return(NULL);
}
@@ -144,6 +146,13 @@ IMPLEMENT_dtls1_meth_func(DTLS1_VERSION,
dtls1_get_server_method,
DTLSv1_enc_data)
+IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION,
+ DTLSv1_2_server_method,
+ dtls1_accept,
+ ssl_undefined_function,
+ dtls1_get_server_method,
+ DTLSv1_2_enc_data)
+
int dtls1_accept(SSL *s)
{
BUF_MEM *buf;
diff --git a/ssl/dtls1.h b/ssl/dtls1.h
index e65d501191..715749ae27 100644
--- a/ssl/dtls1.h
+++ b/ssl/dtls1.h
@@ -85,6 +85,7 @@ extern "C" {
#define DTLS1_VERSION 0xFEFF
#define DTLS1_BAD_VER 0x0100
+#define DTLS1_2_VERSION 0xFEFD
#if 0
/* this alert description is not specified anywhere... */
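Review bot: The new DTLS1_2_VERSION define has no comment on its value or ordering. DTLS version numbers are the one's complement of the protocol version ({254,253} for DTLS 1.2 per RFC 6347), so they sort backwards: DTLS1_2_VERSION (0xFEFD) is numerically less than DTLS1_VERSION (0xFEFF), and any minimum-version check written as `s->version >= DTLS1_VERSION` in the TLS style is inverted for DTLS. A comment beside the define, `/* DTLS 1.2 = {254,253} (RFC 6347); DTLS constants decrease as the protocol version increases */`, would flag that trap for maintainers.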
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 76f21b4b1b..e9c716ff95 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -883,7 +883,7 @@ int ssl3_get_server_hello(SSL *s)
if (!ok) return((int)n);
- if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
+ if (SSL_IS_DTLS(s))
{
if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
{
diff --git a/ssl/ssl.h b/ssl/ssl.h
index e8f250ed37..67a008700e 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2205,6 +2205,10 @@ const SSL_METHOD *DTLSv1_method(void); /* DTLSv1.0 */
const SSL_METHOD *DTLSv1_server_method(void); /* DTLSv1.0 */
const SSL_METHOD *DTLSv1_client_method(void); /* DTLSv1.0 */
+const SSL_METHOD *DTLSv1_2_method(void); /* DTLSv1.2 */
+const SSL_METHOD *DTLSv1_2_server_method(void); /* DTLSv1.2 */
+const SSL_METHOD *DTLSv1_2_client_method(void); /* DTLSv1.2 */
+
STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
int SSL_do_handshake(SSL *s);
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 292d6e32e8..f5597ee64b 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -760,6 +760,7 @@ extern SSL3_ENC_METHOD TLSv1_1_enc_data;
extern SSL3_ENC_METHOD TLSv1_2_enc_data;
extern SSL3_ENC_METHOD SSLv3_enc_data;
extern SSL3_ENC_METHOD DTLSv1_enc_data;
+extern SSL3_ENC_METHOD DTLSv1_2_enc_data;
#define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \
s_get_meth, enc_data) \
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 6cd17679bb..90f92b2d11 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -328,6 +328,11 @@ int ssl_get_new_session(SSL *s, int session)
ss->ssl_version=DTLS1_VERSION;
ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
}
+ else if (s->version == DTLS1_2_VERSION)
+ {
+ ss->ssl_version=DTLS1_2_VERSION;
+ ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
+ }
else
{
SSLerr(SSL_F_SSL_GET_NEW_SESSION,SSL_R_UNSUPPORTED_SSL_VERSION);
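Review bot: The added branch is a copy of the DTLS1_VERSION branch with only the constant changed, and both assign ss->ssl_version to exactly the value that was just tested. If the preceding condition tests DTLS1_VERSION alone (its line is above the hunk), the pair could collapse into `else if (s->version == DTLS1_VERSION || s->version == DTLS1_2_VERSION)` followed by `ss->ssl_version=s->version;` and the shared session_id_length assignment, so a future DTLS version needs one edit rather than a new duplicated block. ssl_get_new_session's body starts and ends outside the hunk.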
diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c
index 6479d52c0c..093d84076f 100644
--- a/ssl/ssl_txt.c
+++ b/ssl/ssl_txt.c
@@ -123,6 +123,8 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
s="TLSv1";
else if (x->ssl_version == DTLS1_VERSION)
s="DTLSv1";
+ else if (x->ssl_version == DTLS1_2_VERSION)
+ s="DTLSv1.2";
else if (x->ssl_version == DTLS1_BAD_VER)
s="DTLSv1-bad";
else
diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
index f1efde2640..80d7f49c9b 100644
--- a/ssl/t1_trce.c
+++ b/ssl/t1_trce.c
@@ -113,6 +113,7 @@ static ssl_trace_tbl ssl_version_tbl[] = {
{TLS1_1_VERSION, "TLS 1.1"},
{TLS1_2_VERSION, "TLS 1.2"},
{DTLS1_VERSION, "DTLS 1.0"},
+ {DTLS1_2_VERSION, "DTLS 1.2"},
{DTLS1_BAD_VER, "DTLS 1.0 (bad)"}
};