#include <openssl/objects.h>
#include "ssl_locl.h"
-const char *dtls1_version_str="DTLSv1" OPENSSL_VERSION_PTEXT;
+const char dtls1_version_str[]="DTLSv1" OPENSSL_VERSION_PTEXT;
-static long dtls1_default_timeout(void);
-
-static SSL3_ENC_METHOD DTLSv1_enc_data={
+SSL3_ENC_METHOD DTLSv1_enc_data={
dtls1_enc,
tls1_mac,
tls1_setup_key_block,
tls1_alert_code,
};
-static SSL_METHOD DTLSv1_data= {
- DTLS1_VERSION,
- dtls1_new,
- dtls1_clear,
- dtls1_free,
- ssl_undefined_function,
- ssl_undefined_function,
- ssl3_read,
- ssl3_peek,
- ssl3_write,
- ssl3_shutdown,
- ssl3_renegotiate,
- ssl3_renegotiate_check,
- dtls1_get_message,
- dtls1_read_bytes,
- dtls1_write_app_data_bytes,
- dtls1_dispatch_alert,
- ssl3_ctrl,
- ssl3_ctx_ctrl,
- ssl3_get_cipher_by_char,
- ssl3_put_cipher_by_char,
- ssl3_pending,
- ssl3_num_ciphers,
- ssl3_get_cipher,
- ssl_bad_method,
- dtls1_default_timeout,
- &DTLSv1_enc_data,
- ssl_undefined_void_function,
- ssl3_callback_ctrl,
- ssl3_ctx_callback_ctrl,
- };
-
-static long dtls1_default_timeout(void)
+long dtls1_default_timeout(void)
{
/* 2 hours, the 24 hours mentioned in the DTLSv1 spec
* is way too long for http, the cache would over fill */
return(60*60*2);
}
-SSL_METHOD *dtlsv1_base_method(void)
- {
- return(&DTLSv1_data);
- }
-
int dtls1_new(SSL *s)
{
DTLS1_STATE *d1;
memset(d1,0, sizeof *d1);
/* d1->handshake_epoch=0; */
-#if defined(OPENSSL_SYS_VMS) || defined(VMS_TEST)
- d1->bitmap.length=64;
-#else
- d1->bitmap.length=sizeof(d1->bitmap.map) * 8;
-#endif
- pq_64bit_init(&(d1->bitmap.map));
- pq_64bit_init(&(d1->bitmap.max_seq_num));
-
- pq_64bit_init(&(d1->next_bitmap.map));
- pq_64bit_init(&(d1->next_bitmap.max_seq_num));
d1->unprocessed_rcds.q=pqueue_new();
d1->processed_rcds.q=pqueue_new();
}
pqueue_free(s->d1->sent_messages);
- pq_64bit_free(&(s->d1->bitmap.map));
- pq_64bit_free(&(s->d1->bitmap.max_seq_num));
-
- pq_64bit_free(&(s->d1->next_bitmap.map));
- pq_64bit_free(&(s->d1->next_bitmap.max_seq_num));
-
OPENSSL_free(s->d1);
}
ssl3_clear(s);
s->version=DTLS1_VERSION;
}
+
+/*
+ * As it's impossible to use stream ciphers in "datagram" mode, this
+ * simple filter is designed to disengage them in DTLS. Unfortunately
+ * there is no universal way to identify stream SSL_CIPHER, so we have
+ * to explicitly list their SSL_* codes. Currently RC4 is the only one
+ * available, but if new ones emerge, they will have to be added...
+ */
+const SSL_CIPHER *dtls1_get_cipher(unsigned int u)
+ {
+ const SSL_CIPHER *ciph = ssl3_get_cipher(u);
+
+ if (ciph != NULL)
+ {
+ if (ciph->algorithm_enc == SSL_RC4)
+ return NULL;
+ }
+
+ return ciph;
+ }