Provisional DTLS 1.2 support.

Add correct flags for DTLS 1.2, update s_server and s_client to handle
DTLS 1.2 methods.

Currently no support for version negotiation: i.e. if client/server selects
DTLS 1.2 it is that or nothing.

apps/s_apps.h

@@ -148,7 +148,7 @@ typedef fd_mask fd_set;
 #define PORT_STR        "4433"
 #define PROTOCOL        "tcp"
 
-int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context, int naccept);
+int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, int stype, unsigned char *context), unsigned char *context, int naccept);
 #ifdef HEADER_X509_H
 int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
 #endif

apps/s_client.c

@@ -886,6 +886,11 @@ static char *jpake_secret = NULL;
 			meth=DTLSv1_client_method();
 			socket_type=SOCK_DGRAM;
 			}
+		else if	(strcmp(*argv,"-dtls1_2") == 0)
+			{
+			meth=DTLSv1_2_client_method();
+			socket_type=SOCK_DGRAM;
+			}
 		else if (strcmp(*argv,"-timeout") == 0)
 			enable_timeouts=1;
 		else if (strcmp(*argv,"-mtu") == 0)
@@ -1376,7 +1381,7 @@ re_start:
 #endif                                              
 	if (c_Pause & 0x01) SSL_set_debug(con, 1);
 
-	if ( SSL_version(con) == DTLS1_VERSION)
+	if (socket_type == SOCK_DGRAM)
 		{
 
 		sbio=BIO_new_dgram(s,BIO_NOCLOSE);

apps/s_server.c

@@ -205,9 +205,9 @@ typedef unsigned int u_int;
 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
 #endif
 static int not_resumable_sess_cb(SSL *s, int is_forward_secure);
-static int sv_body(char *hostname, int s, unsigned char *context);
-static int www_body(char *hostname, int s, unsigned char *context);
-static int rev_body(char *hostname, int s, unsigned char *context);
+static int sv_body(char *hostname, int s, int stype, unsigned char *context);
+static int www_body(char *hostname, int s, int stype, unsigned char *context);
+static int rev_body(char *hostname, int s, int stype, unsigned char *context);
 static void close_accept_socket(void );
 static void sv_usage(void);
 static int init_ssl_connection(SSL *s);
@@ -533,6 +533,7 @@ static void sv_usage(void)
 	BIO_printf(bio_err," -tls1_1       - Just talk TLSv1.1\n");
 	BIO_printf(bio_err," -tls1         - Just talk TLSv1\n");
 	BIO_printf(bio_err," -dtls1        - Just talk DTLSv1\n");
+	BIO_printf(bio_err," -dtls1_2      - Just talk DTLSv1.2\n");
 	BIO_printf(bio_err," -timeout      - Enable timeouts\n");
 	BIO_printf(bio_err," -mtu          - Set link layer MTU\n");
 	BIO_printf(bio_err," -chain        - Read a certificate chain\n");
@@ -1366,6 +1367,11 @@ int MAIN(int argc, char *argv[])
 			meth=DTLSv1_server_method();
 			socket_type = SOCK_DGRAM;
 			}
+		else if	(strcmp(*argv,"-dtls1_2") == 0)
+			{ 
+			meth=DTLSv1_2_server_method();
+			socket_type = SOCK_DGRAM;
+			}
 		else if (strcmp(*argv,"-timeout") == 0)
 			enable_timeouts = 1;
 		else if (strcmp(*argv,"-mtu") == 0)
@@ -2070,7 +2076,7 @@ static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
 		SSL_CTX_sess_get_cache_size(ssl_ctx));
 	}
 
-static int sv_body(char *hostname, int s, unsigned char *context)
+static int sv_body(char *hostname, int s, int stype, unsigned char *context)
 	{
 	char *buf=NULL;
 	fd_set readfds;
@@ -2140,7 +2146,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 #endif
 #endif
 
-	if (SSL_version(con) == DTLS1_VERSION)
+	if (stype == SOCK_DGRAM)
 		{
 
 		sbio=BIO_new_dgram(s,BIO_NOCLOSE);
@@ -2681,7 +2687,7 @@ static int load_CA(SSL_CTX *ctx, char *file)
 	}
 #endif
 
-static int www_body(char *hostname, int s, unsigned char *context)
+static int www_body(char *hostname, int s, int stype, unsigned char *context)
 	{
 	char *buf=NULL;
 	int ret=1;
@@ -3115,7 +3121,7 @@ err:
 	return(ret);
 	}
 
-static int rev_body(char *hostname, int s, unsigned char *context)
+static int rev_body(char *hostname, int s, int stype, unsigned char *context)
 	{
 	char *buf=NULL;
 	int i;

apps/s_socket.c

@@ -280,7 +280,7 @@ static int init_client_ip(int *sock, const unsigned char ip[4], int port,
 	return(1);
 	}
 
-int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context, int naccept)
+int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, int stype, unsigned char *context), unsigned char *context, int naccept)
 	{
 	int sock;
 	char *name = NULL;
@@ -310,7 +310,7 @@ int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, uns
 			}
 		else
 			sock = accept_socket;
-		i=(*cb)(name,sock, context);
+		i=(*cb)(name,sock, type, context);
 		if (name != NULL) OPENSSL_free(name);
 		if (type==SOCK_STREAM)
 			SHUTDOWN2(sock);

ssl/d1_clnt.c

@@ -135,6 +135,8 @@ static const SSL_METHOD *dtls1_get_client_method(int ver)
 	{
 	if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
 		return(DTLSv1_client_method());
+	else if (ver == DTLS1_2_VERSION)
+		return(DTLSv1_2_client_method());
 	else
 		return(NULL);
 	}
@@ -146,6 +148,13 @@ IMPLEMENT_dtls1_meth_func(DTLS1_VERSION,
 			dtls1_get_client_method,
 			DTLSv1_enc_data)
 
+IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION,
+			DTLSv1_2_client_method,
+			ssl_undefined_function,
+			dtls1_connect,
+			dtls1_get_client_method,
+			DTLSv1_2_enc_data)
+
 int dtls1_connect(SSL *s)
 	{
 	BUF_MEM *buf=NULL;

ssl/d1_lib.c

@@ -91,6 +91,25 @@ SSL3_ENC_METHOD DTLSv1_enc_data={
 	dtls1_handshake_write	
 	};
 
+SSL3_ENC_METHOD DTLSv1_2_enc_data={
+    dtls1_enc,
+	tls1_mac,
+	tls1_setup_key_block,
+	tls1_generate_master_secret,
+	tls1_change_cipher_state,
+	tls1_final_finish_mac,
+	TLS1_FINISH_MAC_LENGTH,
+	tls1_cert_verify_mac,
+	TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
+	TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
+	tls1_alert_code,
+	tls1_export_keying_material,
+	SSL_ENC_FLAG_DTLS|SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF,
+	DTLS1_HM_HEADER_LENGTH,
+	dtls1_set_handshake_header,
+	dtls1_handshake_write	
+	};
+
 long dtls1_default_timeout(void)
 	{
 	/* 2 hours, the 24 hours mentioned in the DTLSv1 spec
@@ -247,7 +266,7 @@ void dtls1_clear(SSL *s)
 	if (s->options & SSL_OP_CISCO_ANYCONNECT)
 		s->version=DTLS1_BAD_VER;
 	else
-		s->version=DTLS1_VERSION;
+		s->version=s->method->version;
 	}
 
 long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)

ssl/d1_meth.c

@@ -66,6 +66,8 @@ static const SSL_METHOD *dtls1_get_method(int ver)
 	{
 	if (ver == DTLS1_VERSION)
 		return(DTLSv1_method());
+	else if (ver == DTLS1_2_VERSION)
+		return(DTLSv1_2_method());
 	else
 		return(NULL);
 	}
@@ -77,3 +79,10 @@ IMPLEMENT_dtls1_meth_func(DTLS1_VERSION,
 			dtls1_get_method,
 			DTLSv1_enc_data)
 
+IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION,
+			DTLSv1_2_method,
+			dtls1_accept,
+			dtls1_connect,
+			dtls1_get_method,
+			DTLSv1_2_enc_data)
+

ssl/d1_srvr.c

@@ -133,6 +133,8 @@ static const SSL_METHOD *dtls1_get_server_method(int ver)
 	{
 	if (ver == DTLS1_VERSION)
 		return(DTLSv1_server_method());
+	else if (ver == DTLS1_2_VERSION)
+		return(DTLSv1_2_server_method());
 	else
 		return(NULL);
 	}
@@ -144,6 +146,13 @@ IMPLEMENT_dtls1_meth_func(DTLS1_VERSION,
 			dtls1_get_server_method,
 			DTLSv1_enc_data)
 
+IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION,
+			DTLSv1_2_server_method,
+			dtls1_accept,
+			ssl_undefined_function,
+			dtls1_get_server_method,
+			DTLSv1_2_enc_data)
+
 int dtls1_accept(SSL *s)
 	{
 	BUF_MEM *buf;

ssl/dtls1.h

@@ -85,6 +85,7 @@ extern "C" {
 
 #define DTLS1_VERSION			0xFEFF
 #define DTLS1_BAD_VER			0x0100
+#define DTLS1_2_VERSION			0xFEFD
 
 #if 0
 /* this alert description is not specified anywhere... */

ssl/s3_clnt.c

@@ -883,7 +883,7 @@ int ssl3_get_server_hello(SSL *s)
 
 	if (!ok) return((int)n);
 
-	if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
+	if (SSL_IS_DTLS(s))
 		{
 		if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
 			{

ssl/ssl.h

@@ -2111,6 +2111,10 @@ const SSL_METHOD *DTLSv1_method(void);		/* DTLSv1.0 */
 const SSL_METHOD *DTLSv1_server_method(void);	/* DTLSv1.0 */
 const SSL_METHOD *DTLSv1_client_method(void);	/* DTLSv1.0 */
 
+const SSL_METHOD *DTLSv1_2_method(void);	/* DTLSv1.2 */
+const SSL_METHOD *DTLSv1_2_server_method(void);	/* DTLSv1.2 */
+const SSL_METHOD *DTLSv1_2_client_method(void);	/* DTLSv1.2 */
+
 STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
 
 int SSL_do_handshake(SSL *s);

ssl/ssl_locl.h

@@ -750,6 +750,7 @@ extern SSL3_ENC_METHOD TLSv1_1_enc_data;
 extern SSL3_ENC_METHOD TLSv1_2_enc_data;
 extern SSL3_ENC_METHOD SSLv3_enc_data;
 extern SSL3_ENC_METHOD DTLSv1_enc_data;
+extern SSL3_ENC_METHOD DTLSv1_2_enc_data;
 
 #define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \
 				s_get_meth, enc_data) \

ssl/ssl_sess.c

@@ -328,6 +328,11 @@ int ssl_get_new_session(SSL *s, int session)
 			ss->ssl_version=DTLS1_VERSION;
 			ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
 			}
+		else if (s->version == DTLS1_2_VERSION)
+			{
+			ss->ssl_version=DTLS1_2_VERSION;
+			ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
+			}
 		else
 			{
 			SSLerr(SSL_F_SSL_GET_NEW_SESSION,SSL_R_UNSUPPORTED_SSL_VERSION);

ssl/ssl_txt.c

@@ -123,6 +123,8 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
 		s="TLSv1";
 	else if (x->ssl_version == DTLS1_VERSION)
 		s="DTLSv1";
+	else if (x->ssl_version == DTLS1_2_VERSION)
+		s="DTLSv1.2";
 	else if (x->ssl_version == DTLS1_BAD_VER)
 		s="DTLSv1-bad";
 	else

ssl/t1_trce.c

@@ -112,6 +112,7 @@ static ssl_trace_tbl ssl_version_tbl[] = {
 	{TLS1_1_VERSION,	"TLS 1.1"},
 	{TLS1_2_VERSION,	"TLS 1.2"},
 	{DTLS1_VERSION,		"DTLS 1.0"},
+	{DTLS1_2_VERSION,	"DTLS 1.2"},
 	{DTLS1_BAD_VER,		"DTLS 1.0 (bad)"}
 };