提交 c3b344e3 编写于 作者: D Dr. Stephen Henson

Provisional DTLS 1.2 support.

Add correct flags for DTLS 1.2, update s_server and s_client to handle
DTLS 1.2 methods.

Currently no support for version negotiation: i.e. if client/server selects
DTLS 1.2 it is that or nothing.
上级 9cf0f187
......@@ -148,7 +148,7 @@ typedef fd_mask fd_set;
#define PORT_STR "4433"
#define PROTOCOL "tcp"
int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context, int naccept);
int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, int stype, unsigned char *context), unsigned char *context, int naccept);
#ifdef HEADER_X509_H
int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
#endif
......
......@@ -886,6 +886,11 @@ static char *jpake_secret = NULL;
meth=DTLSv1_client_method();
socket_type=SOCK_DGRAM;
}
else if (strcmp(*argv,"-dtls1_2") == 0)
{
meth=DTLSv1_2_client_method();
socket_type=SOCK_DGRAM;
}
else if (strcmp(*argv,"-timeout") == 0)
enable_timeouts=1;
else if (strcmp(*argv,"-mtu") == 0)
......@@ -1376,7 +1381,7 @@ re_start:
#endif
if (c_Pause & 0x01) SSL_set_debug(con, 1);
if ( SSL_version(con) == DTLS1_VERSION)
if (socket_type == SOCK_DGRAM)
{
sbio=BIO_new_dgram(s,BIO_NOCLOSE);
......
......@@ -205,9 +205,9 @@ typedef unsigned int u_int;
static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
#endif
static int not_resumable_sess_cb(SSL *s, int is_forward_secure);
static int sv_body(char *hostname, int s, unsigned char *context);
static int www_body(char *hostname, int s, unsigned char *context);
static int rev_body(char *hostname, int s, unsigned char *context);
static int sv_body(char *hostname, int s, int stype, unsigned char *context);
static int www_body(char *hostname, int s, int stype, unsigned char *context);
static int rev_body(char *hostname, int s, int stype, unsigned char *context);
static void close_accept_socket(void );
static void sv_usage(void);
static int init_ssl_connection(SSL *s);
......@@ -533,6 +533,7 @@ static void sv_usage(void)
BIO_printf(bio_err," -tls1_1 - Just talk TLSv1.1\n");
BIO_printf(bio_err," -tls1 - Just talk TLSv1\n");
BIO_printf(bio_err," -dtls1 - Just talk DTLSv1\n");
BIO_printf(bio_err," -dtls1_2 - Just talk DTLSv1.2\n");
BIO_printf(bio_err," -timeout - Enable timeouts\n");
BIO_printf(bio_err," -mtu - Set link layer MTU\n");
BIO_printf(bio_err," -chain - Read a certificate chain\n");
......@@ -1366,6 +1367,11 @@ int MAIN(int argc, char *argv[])
meth=DTLSv1_server_method();
socket_type = SOCK_DGRAM;
}
else if (strcmp(*argv,"-dtls1_2") == 0)
{
meth=DTLSv1_2_server_method();
socket_type = SOCK_DGRAM;
}
else if (strcmp(*argv,"-timeout") == 0)
enable_timeouts = 1;
else if (strcmp(*argv,"-mtu") == 0)
......@@ -2070,7 +2076,7 @@ static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
SSL_CTX_sess_get_cache_size(ssl_ctx));
}
static int sv_body(char *hostname, int s, unsigned char *context)
static int sv_body(char *hostname, int s, int stype, unsigned char *context)
{
char *buf=NULL;
fd_set readfds;
......@@ -2140,7 +2146,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
#endif
#endif
if (SSL_version(con) == DTLS1_VERSION)
if (stype == SOCK_DGRAM)
{
sbio=BIO_new_dgram(s,BIO_NOCLOSE);
......@@ -2681,7 +2687,7 @@ static int load_CA(SSL_CTX *ctx, char *file)
}
#endif
static int www_body(char *hostname, int s, unsigned char *context)
static int www_body(char *hostname, int s, int stype, unsigned char *context)
{
char *buf=NULL;
int ret=1;
......@@ -3115,7 +3121,7 @@ err:
return(ret);
}
static int rev_body(char *hostname, int s, unsigned char *context)
static int rev_body(char *hostname, int s, int stype, unsigned char *context)
{
char *buf=NULL;
int i;
......
......@@ -280,7 +280,7 @@ static int init_client_ip(int *sock, const unsigned char ip[4], int port,
return(1);
}
int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context, int naccept)
int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, int stype, unsigned char *context), unsigned char *context, int naccept)
{
int sock;
char *name = NULL;
......@@ -310,7 +310,7 @@ int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, uns
}
else
sock = accept_socket;
i=(*cb)(name,sock, context);
i=(*cb)(name,sock, type, context);
if (name != NULL) OPENSSL_free(name);
if (type==SOCK_STREAM)
SHUTDOWN2(sock);
......
......@@ -135,6 +135,8 @@ static const SSL_METHOD *dtls1_get_client_method(int ver)
{
if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
return(DTLSv1_client_method());
else if (ver == DTLS1_2_VERSION)
return(DTLSv1_2_client_method());
else
return(NULL);
}
......@@ -146,6 +148,13 @@ IMPLEMENT_dtls1_meth_func(DTLS1_VERSION,
dtls1_get_client_method,
DTLSv1_enc_data)
IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION,
DTLSv1_2_client_method,
ssl_undefined_function,
dtls1_connect,
dtls1_get_client_method,
DTLSv1_2_enc_data)
int dtls1_connect(SSL *s)
{
BUF_MEM *buf=NULL;
......
......@@ -91,6 +91,25 @@ SSL3_ENC_METHOD DTLSv1_enc_data={
dtls1_handshake_write
};
SSL3_ENC_METHOD DTLSv1_2_enc_data={
dtls1_enc,
tls1_mac,
tls1_setup_key_block,
tls1_generate_master_secret,
tls1_change_cipher_state,
tls1_final_finish_mac,
TLS1_FINISH_MAC_LENGTH,
tls1_cert_verify_mac,
TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
tls1_alert_code,
tls1_export_keying_material,
SSL_ENC_FLAG_DTLS|SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF,
DTLS1_HM_HEADER_LENGTH,
dtls1_set_handshake_header,
dtls1_handshake_write
};
long dtls1_default_timeout(void)
{
/* 2 hours, the 24 hours mentioned in the DTLSv1 spec
......@@ -247,7 +266,7 @@ void dtls1_clear(SSL *s)
if (s->options & SSL_OP_CISCO_ANYCONNECT)
s->version=DTLS1_BAD_VER;
else
s->version=DTLS1_VERSION;
s->version=s->method->version;
}
long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
......
......@@ -66,6 +66,8 @@ static const SSL_METHOD *dtls1_get_method(int ver)
{
if (ver == DTLS1_VERSION)
return(DTLSv1_method());
else if (ver == DTLS1_2_VERSION)
return(DTLSv1_2_method());
else
return(NULL);
}
......@@ -77,3 +79,10 @@ IMPLEMENT_dtls1_meth_func(DTLS1_VERSION,
dtls1_get_method,
DTLSv1_enc_data)
IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION,
DTLSv1_2_method,
dtls1_accept,
dtls1_connect,
dtls1_get_method,
DTLSv1_2_enc_data)
......@@ -133,6 +133,8 @@ static const SSL_METHOD *dtls1_get_server_method(int ver)
{
if (ver == DTLS1_VERSION)
return(DTLSv1_server_method());
else if (ver == DTLS1_2_VERSION)
return(DTLSv1_2_server_method());
else
return(NULL);
}
......@@ -144,6 +146,13 @@ IMPLEMENT_dtls1_meth_func(DTLS1_VERSION,
dtls1_get_server_method,
DTLSv1_enc_data)
IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION,
DTLSv1_2_server_method,
dtls1_accept,
ssl_undefined_function,
dtls1_get_server_method,
DTLSv1_2_enc_data)
int dtls1_accept(SSL *s)
{
BUF_MEM *buf;
......
......@@ -85,6 +85,7 @@ extern "C" {
#define DTLS1_VERSION 0xFEFF
#define DTLS1_BAD_VER 0x0100
#define DTLS1_2_VERSION 0xFEFD
#if 0
/* this alert description is not specified anywhere... */
......
......@@ -883,7 +883,7 @@ int ssl3_get_server_hello(SSL *s)
if (!ok) return((int)n);
if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
if (SSL_IS_DTLS(s))
{
if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
{
......
......@@ -2111,6 +2111,10 @@ const SSL_METHOD *DTLSv1_method(void); /* DTLSv1.0 */
const SSL_METHOD *DTLSv1_server_method(void); /* DTLSv1.0 */
const SSL_METHOD *DTLSv1_client_method(void); /* DTLSv1.0 */
const SSL_METHOD *DTLSv1_2_method(void); /* DTLSv1.2 */
const SSL_METHOD *DTLSv1_2_server_method(void); /* DTLSv1.2 */
const SSL_METHOD *DTLSv1_2_client_method(void); /* DTLSv1.2 */
STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
int SSL_do_handshake(SSL *s);
......
......@@ -750,6 +750,7 @@ extern SSL3_ENC_METHOD TLSv1_1_enc_data;
extern SSL3_ENC_METHOD TLSv1_2_enc_data;
extern SSL3_ENC_METHOD SSLv3_enc_data;
extern SSL3_ENC_METHOD DTLSv1_enc_data;
extern SSL3_ENC_METHOD DTLSv1_2_enc_data;
#define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \
s_get_meth, enc_data) \
......
......@@ -328,6 +328,11 @@ int ssl_get_new_session(SSL *s, int session)
ss->ssl_version=DTLS1_VERSION;
ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
}
else if (s->version == DTLS1_2_VERSION)
{
ss->ssl_version=DTLS1_2_VERSION;
ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
}
else
{
SSLerr(SSL_F_SSL_GET_NEW_SESSION,SSL_R_UNSUPPORTED_SSL_VERSION);
......
......@@ -123,6 +123,8 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
s="TLSv1";
else if (x->ssl_version == DTLS1_VERSION)
s="DTLSv1";
else if (x->ssl_version == DTLS1_2_VERSION)
s="DTLSv1.2";
else if (x->ssl_version == DTLS1_BAD_VER)
s="DTLSv1-bad";
else
......
......@@ -112,6 +112,7 @@ static ssl_trace_tbl ssl_version_tbl[] = {
{TLS1_1_VERSION, "TLS 1.1"},
{TLS1_2_VERSION, "TLS 1.2"},
{DTLS1_VERSION, "DTLS 1.0"},
{DTLS1_2_VERSION, "DTLS 1.2"},
{DTLS1_BAD_VER, "DTLS 1.0 (bad)"}
};
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册