Commit 032924c4 authored by David Woodhouse's avatar David Woodhouse Committed by Matt Caswell
Browse files

Make DTLS1_BAD_VER work with DTLS_client_method() 



DTLSv1_client_method() is deprecated, but it was the only way to obtain
DTLS1_BAD_VER support. The SSL_OP_CISCO_ANYCONNECT hack doesn't work with
DTLS_client_method(), and it's relatively non-trivial to make it work without
expanding the hack into lots of places.

So deprecate SSL_OP_CISCO_ANYCONNECT with DTLSv1_client_method(), and make
it work with SSL_CTX_set_{min,max}_proto_version(DTLS1_BAD_VER) instead.

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
parent 387cf213

include/openssl/ssl.h

+5 −2
Original line number Diff line number Diff line
@@ -306,8 +306,11 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type, 
# define SSL_OP_COOKIE_EXCHANGE              0x00002000U

/* Don't use RFC4507 ticket extension */

# define SSL_OP_NO_TICKET                    0x00004000U

/* Use Cisco's "speshul" version of DTLS_BAD_VER (as client)  */

# ifndef OPENSSL_NO_DTLS1_METHOD

/* Use Cisco's "speshul" version of DTLS_BAD_VER

 * (only with deprecated DTLSv1_client_method())  */

#  define SSL_OP_CISCO_ANYCONNECT             0x00008000U

# endif



/* As server, disallow session resumption on renegotiation */

# define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION   0x00010000U

ssl/d1_lib.c

+6 −3
Original line number Diff line number Diff line
@@ -179,10 +179,13 @@ void dtls1_clear(SSL *s) 
    }



    ssl3_clear(s);

    if (s->options & SSL_OP_CISCO_ANYCONNECT)

        s->client_version = s->version = DTLS1_BAD_VER;

    else if (s->method->version == DTLS_ANY_VERSION)



    if (s->method->version == DTLS_ANY_VERSION)

        s->version = DTLS_MAX_VERSION;

#ifndef OPENSSL_NO_DTLS1_METHOD

    else if (s->options & SSL_OP_CISCO_ANYCONNECT)

        s->client_version = s->version = DTLS1_BAD_VER;

#endif

    else

        s->version = s->method->version;

}

ssl/methods.c

+5 −0
Original line number Diff line number Diff line
@@ -191,6 +191,11 @@ IMPLEMENT_dtls1_meth_func(DTLS1_VERSION, SSL_METHOD_NO_SUITEB, SSL_OP_NO_DTLSv1, 
                          ssl_undefined_function,

                          ossl_statem_connect,

                          DTLSv1_enc_data)

IMPLEMENT_dtls1_meth_func(DTLS1_BAD_VER, SSL_METHOD_NO_SUITEB, SSL_OP_NO_DTLSv1,

                          dtls_bad_ver_client_method,

                          ssl_undefined_function,

                          ossl_statem_connect,

                          DTLSv1_enc_data)

#endif



#ifndef OPENSSL_NO_DTLS1_2_METHOD

ssl/record/rec_layer_d1.c

+2 −1
Original line number Diff line number Diff line
@@ -980,7 +980,8 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, 
     * haven't decided which version to use yet send back using version 1.0

     * header: otherwise some clients will ignore it.

     */

    if (s->method->version == DTLS_ANY_VERSION) {

    if (s->method->version == DTLS_ANY_VERSION &&

	s->max_proto_version != DTLS1_BAD_VER) {

        *(p++) = DTLS1_VERSION >> 8;

        *(p++) = DTLS1_VERSION & 0xff;

    } else {

ssl/ssl_locl.h

+1 −0
Original line number Diff line number Diff line
@@ -1655,6 +1655,7 @@ __owur const SSL_METHOD *tlsv1_2_client_method(void); 
__owur const SSL_METHOD *dtlsv1_method(void);

__owur const SSL_METHOD *dtlsv1_server_method(void);

__owur const SSL_METHOD *dtlsv1_client_method(void);

__owur const SSL_METHOD *dtls_bad_ver_client_method(void);

__owur const SSL_METHOD *dtlsv1_2_method(void);

__owur const SSL_METHOD *dtlsv1_2_server_method(void);

__owur const SSL_METHOD *dtlsv1_2_client_method(void);