Commit c6913eeb authored by Dr. Stephen Henson

Dual DTLS version methods.

Add new methods DTLS_*_method() which support both DTLS 1.0 and DTLS 1.2 and
pick the highest version the peer supports during negotiation.

As with SSL/TLS, options can restrict this behaviour, specifically
SSL_OP_NO_DTLSv1 and SSL_OP_NO_DTLSv1_2.
parent 04638f2f
+5 −0
@@ -4,6 +4,11 @@

 Changes between 1.0.x and 1.1.0  [xx XXX xxxx]

  *) Support for DTLS 1.2. This adds two sets of DTLS methods: DTLS_*_method()
     supports both DTLS 1.2 and 1.0 and should use whatever version the peer
     supports and DTLSv1_2_*_method() which supports DTLS 1.2 only.
     [Steve Henson]

  *) Make openssl verify return errors.
     [Chris Palmer <palmer@google.com> and Ben Laurie]

+5 −0
@@ -881,6 +881,11 @@ static char *jpake_secret = NULL;
			meth=TLSv1_client_method();
#endif
#ifndef OPENSSL_NO_DTLS1
		else if	(strcmp(*argv,"-dtls") == 0)
			{
			meth=DTLS_client_method();
			socket_type=SOCK_DGRAM;
			}
		else if	(strcmp(*argv,"-dtls1") == 0)
			{
			meth=DTLSv1_client_method();
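Review bot: The new `-dtls` switch is recognised at `strcmp(*argv,"-dtls")` but nothing in this hunk documents it; unless sc_usage() is updated elsewhere in the commit, the option is invisible to users and should get an entry next to the existing `-dtls1` line, e.g. `BIO_printf(bio_err," -dtls         - use any version of DTLS\n");`. Because `-dtls` selects DTLS_client_method(), which per the commit message may negotiate either DTLS 1.0 or 1.2, the help text should make that difference from `-dtls1` explicit so a tester knows which flag pins the version. The enclosing option-parsing loop starts and ends outside the hunk.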
+5 −0
@@ -1362,6 +1362,11 @@ int MAIN(int argc, char *argv[])
			{ meth=TLSv1_2_server_method(); }
#endif
#ifndef OPENSSL_NO_DTLS1
		else if	(strcmp(*argv,"-dtls") == 0)
			{ 
			meth=DTLS_server_method();
			socket_type = SOCK_DGRAM;
			}
		else if	(strcmp(*argv,"-dtls1") == 0)
			{ 
			meth=DTLSv1_server_method();
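Review bot: The `-dtls` option added at `strcmp(*argv,"-dtls")` has no matching line in the server usage text within this hunk; if sv_usage() is not touched elsewhere in the commit, add one alongside the existing `-dtls1` entry, e.g. `BIO_printf(bio_err," -dtls         - use any version of DTLS\n");`. It is worth stating in that help text that a DTLS_server_method() server accepts both DTLS 1.0 and 1.2 clients unless SSL_OP_NO_DTLSv1 / SSL_OP_NO_DTLSv1_2 is set, since an operator who wants to refuse DTLS 1.0 must now use the option rather than the method. The enclosing option-parsing loop starts and ends outside the hunk.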
+13 −2
@@ -155,6 +155,13 @@ IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION,
			dtls1_get_client_method,
			DTLSv1_2_enc_data)

IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION,
			DTLS_client_method,
			ssl_undefined_function,
			dtls1_connect,
			dtls1_get_client_method,
			DTLSv1_2_enc_data)

int dtls1_connect(SSL *s)
	{
	BUF_MEM *buf=NULL;
@@ -785,12 +792,14 @@ static int dtls1_get_hello_verify(SSL *s)
	unsigned char *data;
	unsigned int cookie_len;

	s->first_packet = 1;
	n=s->method->ssl_get_message(s,
		DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A,
		DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B,
		-1,
		s->max_cert_list,
		&ok);
	s->first_packet = 0;

	if (!ok) return((int)n);

@@ -802,14 +811,16 @@ static int dtls1_get_hello_verify(SSL *s)
		}

	data = (unsigned char *)s->init_msg;

	if ((data[0] != (s->version>>8)) || (data[1] != (s->version&0xff)))
#if 0
	if (s->method->version != DTLS_ANY_VERSION &&
		((data[0] != (s->version>>8)) || (data[1] != (s->version&0xff))))
		{
		SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY,SSL_R_WRONG_SSL_VERSION);
		s->version=(s->version&0xff00)|data[1];
		al = SSL_AD_PROTOCOL_VERSION;
		goto f_err;
		}
#endif
	data+=2;

	cookie_len = *(data++);
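Review bot: The HelloVerifyRequest version check in dtls1_get_hello_verify is now disabled for every DTLS method, not just DTLS_ANY_VERSION, because the whole block sits inside `#if 0 … #endif` and the `s->method->version != DTLS_ANY_VERSION &&` guard inside it never compiles; `data+=2` then skips the two version bytes unread. Ignoring that field is defensible, since RFC 6347 §4.2.1 says clients MUST NOT use the HelloVerifyRequest server_version for negotiation, but it should be a stated decision rather than commented-out code: drop the `#if 0` block and put in its place `/* RFC 6347 4.2.1: server_version in HelloVerifyRequest is not used for version negotiation; the version is validated on the ServerHello instead */`, and confirm that the ServerHello path (outside this diff) actually performs that validation for the any-version method. The `s->first_packet = 1` / `= 0` bracket around ssl_get_message in the previous hunk also deserves a one-line comment saying why the record layer must tolerate a differing record-layer version here, presumably because a DTLS 1.2 ClientHello may be answered with a HelloVerifyRequest carrying the DTLS 1.0 record version. dtls1_get_hello_verify continues past the end of the hunk.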
+2 −2
@@ -267,6 +267,8 @@ void dtls1_clear(SSL *s)
	ssl3_clear(s);
	if (s->options & SSL_OP_CISCO_ANYCONNECT)
		s->version=DTLS1_BAD_VER;
	else if (s->method->version == DTLS_ANY_VERSION)
		s->version=DTLS1_2_VERSION;
	else
		s->version=s->method->version;
	}
@@ -526,5 +528,3 @@ static int dtls1_handshake_write(SSL *s)
	{
	return dtls1_do_write(s, SSL3_RT_HANDSHAKE);
	}
	
	
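Review bot: In dtls1_clear the new `else if (s->method->version == DTLS_ANY_VERSION) s->version=DTLS1_2_VERSION;` picks DTLS 1.2 without consulting `s->options`, even though the commit message says SSL_OP_NO_DTLSv1_2 is the way to disable that version; unless a later handshake step outside this diff re-derives the version from the options, an application that sets SSL_OP_NO_DTLSv1_2 on a DTLS_*_method() context would still start with a DTLS 1.2 version and DTLSv1_2_enc_data. If the option is meant to be honoured here, the branch should read `s->version = (s->options & SSL_OP_NO_DTLSv1_2) ? DTLS1_VERSION : DTLS1_2_VERSION;` with a comment noting where the downgrade to the DTLSv1 method happens; otherwise add a comment stating that the initial value is provisional and where the option is applied. Note also that the pre-existing SSL_OP_CISCO_ANYCONNECT branch takes precedence, so combining it with DTLS_ANY_VERSION yields DTLS1_BAD_VER on a method whose enc_data is DTLSv1_2_enc_data, which is probably not an intended combination. The body of dtls1_clear begins before the hunk.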