Suite B support for DTLS 1.2
[openssl.git] / ssl / d1_srvr.c
index e7df252bf061a3d9ef20db6eea5898c85e4d55d8..c628db56ef89102b4235b33520bc1a515dfd3edb 100644 (file)
@@ -153,6 +153,13 @@ IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION,
                        dtls1_get_server_method,
                        DTLSv1_2_enc_data)
 
+IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION,
+                       DTLS_server_method,
+                       dtls1_accept,
+                       ssl_undefined_function,
+                       dtls1_get_server_method,
+                       DTLSv1_2_enc_data)
+
 int dtls1_accept(SSL *s)
        {
        BUF_MEM *buf;
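Review bot: The new `DTLS_ANY_VERSION` method is bound to `DTLSv1_2_enc_data` and to `dtls1_get_server_method`, but nothing in this hunk shows that the lookup accepts `DTLS_ANY_VERSION` or that the method is replaced once a version is negotiated. If the 1.2 enc data stayed in place for a peer that negotiates DTLS 1.0, flag-driven checks such as `SSL_USE_SIGALGS(s)` would presumably follow the 1.2 rules for that connection. I would add a comment above the macro stating the intent, for example `/* Version-flexible server method: 1.2 enc data is provisional until the ClientHello fixes the version */`. It is also worth confirming that `dtls1_get_server_method` has a case for the new version value.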
@@ -649,6 +656,24 @@ int dtls1_accept(SSL *s)
                                s->state=SSL3_ST_SR_FINISHED_A;
                                s->init_num = 0;
                                }
+                       else if (SSL_USE_SIGALGS(s))
+                               {
+                               s->state=SSL3_ST_SR_CERT_VRFY_A;
+                               s->init_num=0;
+                               if (!s->session->peer)
+                                       break;
+                               /* For sigalgs freeze the handshake buffer
+                                * at this point and digest cached records.
+                                */
+                               if (!s->s3->handshake_buffer)
+                                       {
+                                       SSLerr(SSL_F_DTLS1_ACCEPT,ERR_R_INTERNAL_ERROR);
+                                       return -1;
+                                       }
+                               s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
+                               if (!ssl3_digest_cached_records(s))
+                                       return -1;
+                               }
                        else
                                {
                                s->state=SSL3_ST_SR_CERT_VRFY_A;
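Review bot: Both failure exits in the new `SSL_USE_SIGALGS(s)` branch use a bare `return -1`, after the missing `handshake_buffer` check and after `ssl3_digest_cached_records(s)` fails. The body of dtls1_accept starts and ends outside this hunk, so this is inferred, but if the function releases `buf` and unwinds its handshake bookkeeping at a shared exit, these returns skip it. In that case they should set the result and jump to that exit instead. Separately, `if (!s->session->peer) break;` would benefit from a comment such as `/* no client certificate: leave the handshake buffer unfrozen */`, so it is clear the digest is skipped on purpose.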
@@ -866,8 +891,9 @@ int dtls1_send_hello_verify_request(SSL *s)
                buf = (unsigned char *)s->init_buf->data;
 
                msg = p = &(buf[DTLS1_HM_HEADER_LENGTH]);
-               *(p++) = s->version >> 8;
-               *(p++) = s->version & 0xFF;
+               /* Always use DTLS 1.0 version: see RFC 6347 */
+               *(p++) = DTLS1_VERSION >> 8;
+               *(p++) = DTLS1_VERSION & 0xFF;
 
                if (s->ctx->app_gen_cookie_cb == NULL ||
                     s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
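Review bot: The comment `/* Always use DTLS 1.0 version: see RFC 6347 */` says what is done but not why, and the reason matters to anyone later tempted to restore `s->version` here. I would expand it to `/* RFC 6347 s4.2.1: HelloVerifyRequest carries DTLS 1.0 regardless of the version negotiated later; peers must not treat it as version negotiation */`. This is a documentation suggestion only; the two changed lines themselves look right.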