Provisional DTLS 1.2 support.
Add correct flags for DTLS 1.2, update s_server and s_client to handle
DTLS 1.2 methods.
Currently no support for version negotiation: i.e. if client/server selects
DTLS 1.2 it is that or nothing.
diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
index b1f8c5e..ec7ef0d 100644
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -135,6 +135,8 @@
{
if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
return(DTLSv1_client_method());
+ else if (ver == DTLS1_2_VERSION)
+ return(DTLSv1_2_client_method());
else
return(NULL);
}
@@ -146,6 +148,13 @@
dtls1_get_client_method,
DTLSv1_enc_data)
+IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION,
+ DTLSv1_2_client_method,
+ ssl_undefined_function,
+ dtls1_connect,
+ dtls1_get_client_method,
+ DTLSv1_2_enc_data)
+
int dtls1_connect(SSL *s)
{
BUF_MEM *buf=NULL;
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index b739153..16bafa3 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -91,6 +91,25 @@
dtls1_handshake_write
};
+SSL3_ENC_METHOD DTLSv1_2_enc_data={
+ dtls1_enc,
+ tls1_mac,
+ tls1_setup_key_block,
+ tls1_generate_master_secret,
+ tls1_change_cipher_state,
+ tls1_final_finish_mac,
+ TLS1_FINISH_MAC_LENGTH,
+ tls1_cert_verify_mac,
+ TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
+ TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
+ tls1_alert_code,
+ tls1_export_keying_material,
+ SSL_ENC_FLAG_DTLS|SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF,
+ DTLS1_HM_HEADER_LENGTH,
+ dtls1_set_handshake_header,
+ dtls1_handshake_write
+ };
+
long dtls1_default_timeout(void)
{
/* 2 hours, the 24 hours mentioned in the DTLSv1 spec
@@ -247,7 +266,7 @@
if (s->options & SSL_OP_CISCO_ANYCONNECT)
s->version=DTLS1_BAD_VER;
else
- s->version=DTLS1_VERSION;
+ s->version=s->method->version;
}
long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
diff --git a/ssl/d1_meth.c b/ssl/d1_meth.c
index 0470624..64a22d6 100644
--- a/ssl/d1_meth.c
+++ b/ssl/d1_meth.c
@@ -66,6 +66,8 @@
{
if (ver == DTLS1_VERSION)
return(DTLSv1_method());
+ else if (ver == DTLS1_2_VERSION)
+ return(DTLSv1_2_method());
else
return(NULL);
}
@@ -77,3 +79,10 @@
dtls1_get_method,
DTLSv1_enc_data)
+IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION,
+ DTLSv1_2_method,
+ dtls1_accept,
+ dtls1_connect,
+ dtls1_get_method,
+ DTLSv1_2_enc_data)
+
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 6967d8e..e7df252 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -133,6 +133,8 @@
{
if (ver == DTLS1_VERSION)
return(DTLSv1_server_method());
+ else if (ver == DTLS1_2_VERSION)
+ return(DTLSv1_2_server_method());
else
return(NULL);
}
@@ -144,6 +146,13 @@
dtls1_get_server_method,
DTLSv1_enc_data)
+IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION,
+ DTLSv1_2_server_method,
+ dtls1_accept,
+ ssl_undefined_function,
+ dtls1_get_server_method,
+ DTLSv1_2_enc_data)
+
int dtls1_accept(SSL *s)
{
BUF_MEM *buf;
diff --git a/ssl/dtls1.h b/ssl/dtls1.h
index e65d501..715749a 100644
--- a/ssl/dtls1.h
+++ b/ssl/dtls1.h
@@ -85,6 +85,7 @@
#define DTLS1_VERSION 0xFEFF
#define DTLS1_BAD_VER 0x0100
+#define DTLS1_2_VERSION 0xFEFD
#if 0
/* this alert description is not specified anywhere... */
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index dbf790c..d8b9079 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -883,7 +883,7 @@
if (!ok) return((int)n);
- if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
+ if (SSL_IS_DTLS(s))
{
if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
{
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 37c5494..7072c2f 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2111,6 +2111,10 @@
const SSL_METHOD *DTLSv1_server_method(void); /* DTLSv1.0 */
const SSL_METHOD *DTLSv1_client_method(void); /* DTLSv1.0 */
+const SSL_METHOD *DTLSv1_2_method(void); /* DTLSv1.2 */
+const SSL_METHOD *DTLSv1_2_server_method(void); /* DTLSv1.2 */
+const SSL_METHOD *DTLSv1_2_client_method(void); /* DTLSv1.2 */
+
STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
int SSL_do_handshake(SSL *s);
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 2e03e63..13680cb 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -750,6 +750,7 @@
extern SSL3_ENC_METHOD TLSv1_2_enc_data;
extern SSL3_ENC_METHOD SSLv3_enc_data;
extern SSL3_ENC_METHOD DTLSv1_enc_data;
+extern SSL3_ENC_METHOD DTLSv1_2_enc_data;
#define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \
s_get_meth, enc_data) \
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
index 6cd1767..90f92b2 100644
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -328,6 +328,11 @@
ss->ssl_version=DTLS1_VERSION;
ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
}
+ else if (s->version == DTLS1_2_VERSION)
+ {
+ ss->ssl_version=DTLS1_2_VERSION;
+ ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
+ }
else
{
SSLerr(SSL_F_SSL_GET_NEW_SESSION,SSL_R_UNSUPPORTED_SSL_VERSION);
diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c
index 6479d52..093d840 100644
--- a/ssl/ssl_txt.c
+++ b/ssl/ssl_txt.c
@@ -123,6 +123,8 @@
s="TLSv1";
else if (x->ssl_version == DTLS1_VERSION)
s="DTLSv1";
+ else if (x->ssl_version == DTLS1_2_VERSION)
+ s="DTLSv1.2";
else if (x->ssl_version == DTLS1_BAD_VER)
s="DTLSv1-bad";
else
diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
index e471272..4e03acd 100644
--- a/ssl/t1_trce.c
+++ b/ssl/t1_trce.c
@@ -112,6 +112,7 @@
{TLS1_1_VERSION, "TLS 1.1"},
{TLS1_2_VERSION, "TLS 1.2"},
{DTLS1_VERSION, "DTLS 1.0"},
+ {DTLS1_2_VERSION, "DTLS 1.2"},
{DTLS1_BAD_VER, "DTLS 1.0 (bad)"}
};
