Provisional DTLS 1.2 support.
authorDr. Stephen Henson <steve@openssl.org>
Wed, 20 Mar 2013 15:49:14 +0000 (15:49 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Tue, 26 Mar 2013 15:16:41 +0000 (15:16 +0000)
Add correct flags for DTLS 1.2, update s_server and s_client to handle
DTLS 1.2 methods.

Currently no support for version negotiation: i.e. if client/server selects
DTLS 1.2 it is that or nothing.

15 files changed:
apps/s_apps.h
apps/s_client.c
apps/s_server.c
apps/s_socket.c
ssl/d1_clnt.c
ssl/d1_lib.c
ssl/d1_meth.c
ssl/d1_srvr.c
ssl/dtls1.h
ssl/s3_clnt.c
ssl/ssl.h
ssl/ssl_locl.h
ssl/ssl_sess.c
ssl/ssl_txt.c
ssl/t1_trce.c

index be98528..ce5a763 100644 (file)
@@ -148,7 +148,7 @@ typedef fd_mask fd_set;
 #define PORT_STR        "4433"
 #define PROTOCOL        "tcp"
 
-int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context, int naccept);
+int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, int stype, unsigned char *context), unsigned char *context, int naccept);
 #ifdef HEADER_X509_H
 int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
 #endif
index 841395d..d09d695 100644 (file)
@@ -886,6 +886,11 @@ static char *jpake_secret = NULL;
                        meth=DTLSv1_client_method();
                        socket_type=SOCK_DGRAM;
                        }
+               else if (strcmp(*argv,"-dtls1_2") == 0)
+                       {
+                       meth=DTLSv1_2_client_method();
+                       socket_type=SOCK_DGRAM;
+                       }
                else if (strcmp(*argv,"-timeout") == 0)
                        enable_timeouts=1;
                else if (strcmp(*argv,"-mtu") == 0)
@@ -1376,7 +1381,7 @@ re_start:
 #endif                                              
        if (c_Pause & 0x01) SSL_set_debug(con, 1);
 
-       if ( SSL_version(con) == DTLS1_VERSION)
+       if (socket_type == SOCK_DGRAM)
                {
 
                sbio=BIO_new_dgram(s,BIO_NOCLOSE);
index 7cb9a08..3eaee82 100644 (file)
@@ -205,9 +205,9 @@ typedef unsigned int u_int;
 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
 #endif
 static int not_resumable_sess_cb(SSL *s, int is_forward_secure);
-static int sv_body(char *hostname, int s, unsigned char *context);
-static int www_body(char *hostname, int s, unsigned char *context);
-static int rev_body(char *hostname, int s, unsigned char *context);
+static int sv_body(char *hostname, int s, int stype, unsigned char *context);
+static int www_body(char *hostname, int s, int stype, unsigned char *context);
+static int rev_body(char *hostname, int s, int stype, unsigned char *context);
 static void close_accept_socket(void );
 static void sv_usage(void);
 static int init_ssl_connection(SSL *s);
@@ -533,6 +533,7 @@ static void sv_usage(void)
        BIO_printf(bio_err," -tls1_1       - Just talk TLSv1.1\n");
        BIO_printf(bio_err," -tls1         - Just talk TLSv1\n");
        BIO_printf(bio_err," -dtls1        - Just talk DTLSv1\n");
+       BIO_printf(bio_err," -dtls1_2      - Just talk DTLSv1.2\n");
        BIO_printf(bio_err," -timeout      - Enable timeouts\n");
        BIO_printf(bio_err," -mtu          - Set link layer MTU\n");
        BIO_printf(bio_err," -chain        - Read a certificate chain\n");
@@ -1366,6 +1367,11 @@ int MAIN(int argc, char *argv[])
                        meth=DTLSv1_server_method();
                        socket_type = SOCK_DGRAM;
                        }
+               else if (strcmp(*argv,"-dtls1_2") == 0)
+                       { 
+                       meth=DTLSv1_2_server_method();
+                       socket_type = SOCK_DGRAM;
+                       }
                else if (strcmp(*argv,"-timeout") == 0)
                        enable_timeouts = 1;
                else if (strcmp(*argv,"-mtu") == 0)
@@ -2070,7 +2076,7 @@ static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
                SSL_CTX_sess_get_cache_size(ssl_ctx));
        }
 
-static int sv_body(char *hostname, int s, unsigned char *context)
+static int sv_body(char *hostname, int s, int stype, unsigned char *context)
        {
        char *buf=NULL;
        fd_set readfds;
@@ -2140,7 +2146,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 #endif
 #endif
 
-       if (SSL_version(con) == DTLS1_VERSION)
+       if (stype == SOCK_DGRAM)
                {
 
                sbio=BIO_new_dgram(s,BIO_NOCLOSE);
@@ -2681,7 +2687,7 @@ static int load_CA(SSL_CTX *ctx, char *file)
        }
 #endif
 
-static int www_body(char *hostname, int s, unsigned char *context)
+static int www_body(char *hostname, int s, int stype, unsigned char *context)
        {
        char *buf=NULL;
        int ret=1;
@@ -3115,7 +3121,7 @@ err:
        return(ret);
        }
 
-static int rev_body(char *hostname, int s, unsigned char *context)
+static int rev_body(char *hostname, int s, int stype, unsigned char *context)
        {
        char *buf=NULL;
        int i;
index d83eecb..a04b990 100644 (file)
@@ -280,7 +280,7 @@ static int init_client_ip(int *sock, const unsigned char ip[4], int port,
        return(1);
        }
 
-int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context, int naccept)
+int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, int stype, unsigned char *context), unsigned char *context, int naccept)
        {
        int sock;
        char *name = NULL;
@@ -310,7 +310,7 @@ int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, uns
                        }
                else
                        sock = accept_socket;
-               i=(*cb)(name,sock, context);
+               i=(*cb)(name,sock, type, context);
                if (name != NULL) OPENSSL_free(name);
                if (type==SOCK_STREAM)
                        SHUTDOWN2(sock);
index b1f8c5e..ec7ef0d 100644 (file)
@@ -135,6 +135,8 @@ static const SSL_METHOD *dtls1_get_client_method(int ver)
        {
        if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
                return(DTLSv1_client_method());
+       else if (ver == DTLS1_2_VERSION)
+               return(DTLSv1_2_client_method());
        else
                return(NULL);
        }
@@ -146,6 +148,13 @@ IMPLEMENT_dtls1_meth_func(DTLS1_VERSION,
                        dtls1_get_client_method,
                        DTLSv1_enc_data)
 
+IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION,
+                       DTLSv1_2_client_method,
+                       ssl_undefined_function,
+                       dtls1_connect,
+                       dtls1_get_client_method,
+                       DTLSv1_2_enc_data)
+
 int dtls1_connect(SSL *s)
        {
        BUF_MEM *buf=NULL;
index b739153..16bafa3 100644 (file)
@@ -91,6 +91,25 @@ SSL3_ENC_METHOD DTLSv1_enc_data={
        dtls1_handshake_write   
        };
 
+SSL3_ENC_METHOD DTLSv1_2_enc_data={
+    dtls1_enc,
+       tls1_mac,
+       tls1_setup_key_block,
+       tls1_generate_master_secret,
+       tls1_change_cipher_state,
+       tls1_final_finish_mac,
+       TLS1_FINISH_MAC_LENGTH,
+       tls1_cert_verify_mac,
+       TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
+       TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
+       tls1_alert_code,
+       tls1_export_keying_material,
+       SSL_ENC_FLAG_DTLS|SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF,
+       DTLS1_HM_HEADER_LENGTH,
+       dtls1_set_handshake_header,
+       dtls1_handshake_write   
+       };
+
 long dtls1_default_timeout(void)
        {
        /* 2 hours, the 24 hours mentioned in the DTLSv1 spec
@@ -247,7 +266,7 @@ void dtls1_clear(SSL *s)
        if (s->options & SSL_OP_CISCO_ANYCONNECT)
                s->version=DTLS1_BAD_VER;
        else
-               s->version=DTLS1_VERSION;
+               s->version=s->method->version;
        }
 
 long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
index 0470624..64a22d6 100644 (file)
@@ -66,6 +66,8 @@ static const SSL_METHOD *dtls1_get_method(int ver)
        {
        if (ver == DTLS1_VERSION)
                return(DTLSv1_method());
+       else if (ver == DTLS1_2_VERSION)
+               return(DTLSv1_2_method());
        else
                return(NULL);
        }
@@ -77,3 +79,10 @@ IMPLEMENT_dtls1_meth_func(DTLS1_VERSION,
                        dtls1_get_method,
                        DTLSv1_enc_data)
 
+IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION,
+                       DTLSv1_2_method,
+                       dtls1_accept,
+                       dtls1_connect,
+                       dtls1_get_method,
+                       DTLSv1_2_enc_data)
+
index 6967d8e..e7df252 100644 (file)
@@ -133,6 +133,8 @@ static const SSL_METHOD *dtls1_get_server_method(int ver)
        {
        if (ver == DTLS1_VERSION)
                return(DTLSv1_server_method());
+       else if (ver == DTLS1_2_VERSION)
+               return(DTLSv1_2_server_method());
        else
                return(NULL);
        }
@@ -144,6 +146,13 @@ IMPLEMENT_dtls1_meth_func(DTLS1_VERSION,
                        dtls1_get_server_method,
                        DTLSv1_enc_data)
 
+IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION,
+                       DTLSv1_2_server_method,
+                       dtls1_accept,
+                       ssl_undefined_function,
+                       dtls1_get_server_method,
+                       DTLSv1_2_enc_data)
+
 int dtls1_accept(SSL *s)
        {
        BUF_MEM *buf;
index e65d501..715749a 100644 (file)
@@ -85,6 +85,7 @@ extern "C" {
 
 #define DTLS1_VERSION                  0xFEFF
 #define DTLS1_BAD_VER                  0x0100
+#define DTLS1_2_VERSION                        0xFEFD
 
 #if 0
 /* this alert description is not specified anywhere... */
index dbf790c..d8b9079 100644 (file)
@@ -883,7 +883,7 @@ int ssl3_get_server_hello(SSL *s)
 
        if (!ok) return((int)n);
 
-       if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
+       if (SSL_IS_DTLS(s))
                {
                if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
                        {
index 37c5494..7072c2f 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2111,6 +2111,10 @@ const SSL_METHOD *DTLSv1_method(void);           /* DTLSv1.0 */
 const SSL_METHOD *DTLSv1_server_method(void);  /* DTLSv1.0 */
 const SSL_METHOD *DTLSv1_client_method(void);  /* DTLSv1.0 */
 
+const SSL_METHOD *DTLSv1_2_method(void);       /* DTLSv1.2 */
+const SSL_METHOD *DTLSv1_2_server_method(void);        /* DTLSv1.2 */
+const SSL_METHOD *DTLSv1_2_client_method(void);        /* DTLSv1.2 */
+
 STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
 
 int SSL_do_handshake(SSL *s);
index 2e03e63..13680cb 100644 (file)
@@ -750,6 +750,7 @@ extern SSL3_ENC_METHOD TLSv1_1_enc_data;
 extern SSL3_ENC_METHOD TLSv1_2_enc_data;
 extern SSL3_ENC_METHOD SSLv3_enc_data;
 extern SSL3_ENC_METHOD DTLSv1_enc_data;
+extern SSL3_ENC_METHOD DTLSv1_2_enc_data;
 
 #define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \
                                s_get_meth, enc_data) \
index 6cd1767..90f92b2 100644 (file)
@@ -328,6 +328,11 @@ int ssl_get_new_session(SSL *s, int session)
                        ss->ssl_version=DTLS1_VERSION;
                        ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
                        }
+               else if (s->version == DTLS1_2_VERSION)
+                       {
+                       ss->ssl_version=DTLS1_2_VERSION;
+                       ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
+                       }
                else
                        {
                        SSLerr(SSL_F_SSL_GET_NEW_SESSION,SSL_R_UNSUPPORTED_SSL_VERSION);
index 6479d52..093d840 100644 (file)
@@ -123,6 +123,8 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
                s="TLSv1";
        else if (x->ssl_version == DTLS1_VERSION)
                s="DTLSv1";
+       else if (x->ssl_version == DTLS1_2_VERSION)
+               s="DTLSv1.2";
        else if (x->ssl_version == DTLS1_BAD_VER)
                s="DTLSv1-bad";
        else
index e471272..4e03acd 100644 (file)
@@ -112,6 +112,7 @@ static ssl_trace_tbl ssl_version_tbl[] = {
        {TLS1_1_VERSION,        "TLS 1.1"},
        {TLS1_2_VERSION,        "TLS 1.2"},
        {DTLS1_VERSION,         "DTLS 1.0"},
+       {DTLS1_2_VERSION,       "DTLS 1.2"},
        {DTLS1_BAD_VER,         "DTLS 1.0 (bad)"}
 };