From acec5a6244b6e54b805a5f7512efc72e18cc693a Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 20 Mar 2013 15:49:14 +0000 Subject: [PATCH] Provisional DTLS 1.2 support. Add correct flags for DTLS 1.2, update s_server and s_client to handle DTLS 1.2 methods. Currently no support for version negotiation: i.e. if client/server selects DTLS 1.2 it is that or nothing. (cherry picked from commit c3b344e36a088283731b4f65a70e85b100f55686) Conflicts: apps/s_server.c --- apps/s_apps.h | 2 +- apps/s_client.c | 7 ++++++- apps/s_server.c | 20 +++++++++++++------- apps/s_socket.c | 4 ++-- ssl/d1_clnt.c | 9 +++++++++ ssl/d1_lib.c | 21 ++++++++++++++++++++- ssl/d1_meth.c | 9 +++++++++ ssl/d1_srvr.c | 9 +++++++++ ssl/dtls1.h | 1 + ssl/s3_clnt.c | 2 +- ssl/ssl.h | 4 ++++ ssl/ssl_locl.h | 1 + ssl/ssl_sess.c | 5 +++++ ssl/ssl_txt.c | 2 ++ ssl/t1_trce.c | 1 + 15 files changed, 84 insertions(+), 13 deletions(-) diff --git a/apps/s_apps.h b/apps/s_apps.h index be985280c9..ce5a763da8 100644 --- a/apps/s_apps.h +++ b/apps/s_apps.h @@ -148,7 +148,7 @@ typedef fd_mask fd_set; #define PORT_STR "4433" #define PROTOCOL "tcp" -int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context, int naccept); +int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, int stype, unsigned char *context), unsigned char *context, int naccept); #ifdef HEADER_X509_H int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx); #endif diff --git a/apps/s_client.c b/apps/s_client.c index 25bb3d6b86..bec6dbfb4e 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -917,6 +917,11 @@ static char *jpake_secret = NULL; meth=DTLSv1_client_method(); socket_type=SOCK_DGRAM; } + else if (strcmp(*argv,"-dtls1_2") == 0) + { + meth=DTLSv1_2_client_method(); + socket_type=SOCK_DGRAM; + } else if (strcmp(*argv,"-timeout") == 0) enable_timeouts=1; else if (strcmp(*argv,"-mtu") == 0) @@ -1445,7 +1450,7 @@ re_start: #endif if (c_Pause & 0x01) SSL_set_debug(con, 1); - if ( SSL_version(con) == DTLS1_VERSION) + if (socket_type == SOCK_DGRAM) { sbio=BIO_new_dgram(s,BIO_NOCLOSE); diff --git a/apps/s_server.c b/apps/s_server.c index 47b6ecd632..94500689bd 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -204,9 +204,9 @@ typedef unsigned int u_int; #ifndef OPENSSL_NO_RSA static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength); #endif -static int sv_body(char *hostname, int s, unsigned char *context); -static int www_body(char *hostname, int s, unsigned char *context); -static int rev_body(char *hostname, int s, unsigned char *context); +static int sv_body(char *hostname, int s, int stype, unsigned char *context); +static int www_body(char *hostname, int s, int stype, unsigned char *context); +static int rev_body(char *hostname, int s, int stype, unsigned char *context); static void close_accept_socket(void ); static void sv_usage(void); static int init_ssl_connection(SSL *s); @@ -540,6 +540,7 @@ static void sv_usage(void) BIO_printf(bio_err," -tls1_1 - Just talk TLSv1.1\n"); BIO_printf(bio_err," -tls1 - Just talk TLSv1\n"); BIO_printf(bio_err," -dtls1 - Just talk DTLSv1\n"); + BIO_printf(bio_err," -dtls1_2 - Just talk DTLSv1.2\n"); BIO_printf(bio_err," -timeout - Enable timeouts\n"); BIO_printf(bio_err," -mtu - Set link layer MTU\n"); BIO_printf(bio_err," -chain - Read a certificate chain\n"); @@ -1373,6 +1374,11 @@ int MAIN(int argc, char *argv[]) meth=DTLSv1_server_method(); socket_type = SOCK_DGRAM; } + else if (strcmp(*argv,"-dtls1_2") == 0) + { + meth=DTLSv1_2_server_method(); + socket_type = SOCK_DGRAM; + } else if (strcmp(*argv,"-timeout") == 0) enable_timeouts = 1; else if (strcmp(*argv,"-mtu") == 0) @@ -2076,7 +2082,7 @@ static void print_stats(BIO *bio, SSL_CTX *ssl_ctx) SSL_CTX_sess_get_cache_size(ssl_ctx)); } -static int sv_body(char *hostname, int s, unsigned char *context) +static int sv_body(char *hostname, int s, int stype, unsigned char *context) { char *buf=NULL; fd_set readfds; @@ -2146,7 +2152,7 @@ static int sv_body(char *hostname, int s, unsigned char *context) #endif #endif - if (SSL_version(con) == DTLS1_VERSION) + if (stype == SOCK_DGRAM) { sbio=BIO_new_dgram(s,BIO_NOCLOSE); @@ -2692,7 +2698,7 @@ static int load_CA(SSL_CTX *ctx, char *file) } #endif -static int www_body(char *hostname, int s, unsigned char *context) +static int www_body(char *hostname, int s, int stype, unsigned char *context) { char *buf=NULL; int ret=1; @@ -3102,7 +3108,7 @@ err: return(ret); } -static int rev_body(char *hostname, int s, unsigned char *context) +static int rev_body(char *hostname, int s, int stype, unsigned char *context) { char *buf=NULL; int i; diff --git a/apps/s_socket.c b/apps/s_socket.c index a80f380ad0..e0de63c8f1 100644 --- a/apps/s_socket.c +++ b/apps/s_socket.c @@ -284,7 +284,7 @@ static int init_client_ip(int *sock, unsigned char ip[4], int port, int type) return(1); } -int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context, int naccept) +int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, int stype, unsigned char *context), unsigned char *context, int naccept) { int sock; char *name = NULL; @@ -310,7 +310,7 @@ int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, uns } else sock = accept_socket; - i=(*cb)(name,sock, context); + i=(*cb)(name,sock, type, context); if (name != NULL) OPENSSL_free(name); if (type==SOCK_STREAM) SHUTDOWN2(sock); diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c index b1f8c5e8f4..ec7ef0d817 100644 --- a/ssl/d1_clnt.c +++ b/ssl/d1_clnt.c @@ -135,6 +135,8 @@ static const SSL_METHOD *dtls1_get_client_method(int ver) { if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER) return(DTLSv1_client_method()); + else if (ver == DTLS1_2_VERSION) + return(DTLSv1_2_client_method()); else return(NULL); } @@ -146,6 +148,13 @@ IMPLEMENT_dtls1_meth_func(DTLS1_VERSION, dtls1_get_client_method, DTLSv1_enc_data) +IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, + DTLSv1_2_client_method, + ssl_undefined_function, + dtls1_connect, + dtls1_get_client_method, + DTLSv1_2_enc_data) + int dtls1_connect(SSL *s) { BUF_MEM *buf=NULL; diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index f03a7ee1d8..2b82d527df 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -91,6 +91,25 @@ SSL3_ENC_METHOD DTLSv1_enc_data={ dtls1_handshake_write }; +SSL3_ENC_METHOD DTLSv1_2_enc_data={ + dtls1_enc, + tls1_mac, + tls1_setup_key_block, + tls1_generate_master_secret, + tls1_change_cipher_state, + tls1_final_finish_mac, + TLS1_FINISH_MAC_LENGTH, + tls1_cert_verify_mac, + TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE, + TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, + tls1_alert_code, + tls1_export_keying_material, + SSL_ENC_FLAG_DTLS|SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF, + DTLS1_HM_HEADER_LENGTH, + dtls1_set_handshake_header, + dtls1_handshake_write + }; + long dtls1_default_timeout(void) { /* 2 hours, the 24 hours mentioned in the DTLSv1 spec @@ -248,7 +267,7 @@ void dtls1_clear(SSL *s) if (s->options & SSL_OP_CISCO_ANYCONNECT) s->version=DTLS1_BAD_VER; else - s->version=DTLS1_VERSION; + s->version=s->method->version; } long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg) diff --git a/ssl/d1_meth.c b/ssl/d1_meth.c index 0470624b3f..64a22d6b09 100644 --- a/ssl/d1_meth.c +++ b/ssl/d1_meth.c @@ -66,6 +66,8 @@ static const SSL_METHOD *dtls1_get_method(int ver) { if (ver == DTLS1_VERSION) return(DTLSv1_method()); + else if (ver == DTLS1_2_VERSION) + return(DTLSv1_2_method()); else return(NULL); } @@ -77,3 +79,10 @@ IMPLEMENT_dtls1_meth_func(DTLS1_VERSION, dtls1_get_method, DTLSv1_enc_data) +IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, + DTLSv1_2_method, + dtls1_accept, + dtls1_connect, + dtls1_get_method, + DTLSv1_2_enc_data) + diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c index e96ef64e28..b0f516880e 100644 --- a/ssl/d1_srvr.c +++ b/ssl/d1_srvr.c @@ -133,6 +133,8 @@ static const SSL_METHOD *dtls1_get_server_method(int ver) { if (ver == DTLS1_VERSION) return(DTLSv1_server_method()); + else if (ver == DTLS1_2_VERSION) + return(DTLSv1_2_server_method()); else return(NULL); } @@ -144,6 +146,13 @@ IMPLEMENT_dtls1_meth_func(DTLS1_VERSION, dtls1_get_server_method, DTLSv1_enc_data) +IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION, + DTLSv1_2_server_method, + dtls1_accept, + ssl_undefined_function, + dtls1_get_server_method, + DTLSv1_2_enc_data) + int dtls1_accept(SSL *s) { BUF_MEM *buf; diff --git a/ssl/dtls1.h b/ssl/dtls1.h index e65d501191..715749ae27 100644 --- a/ssl/dtls1.h +++ b/ssl/dtls1.h @@ -85,6 +85,7 @@ extern "C" { #define DTLS1_VERSION 0xFEFF #define DTLS1_BAD_VER 0x0100 +#define DTLS1_2_VERSION 0xFEFD #if 0 /* this alert description is not specified anywhere... */ diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 76f21b4b1b..e9c716ff95 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -883,7 +883,7 @@ int ssl3_get_server_hello(SSL *s) if (!ok) return((int)n); - if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) + if (SSL_IS_DTLS(s)) { if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) { diff --git a/ssl/ssl.h b/ssl/ssl.h index e8f250ed37..67a008700e 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -2205,6 +2205,10 @@ const SSL_METHOD *DTLSv1_method(void); /* DTLSv1.0 */ const SSL_METHOD *DTLSv1_server_method(void); /* DTLSv1.0 */ const SSL_METHOD *DTLSv1_client_method(void); /* DTLSv1.0 */ +const SSL_METHOD *DTLSv1_2_method(void); /* DTLSv1.2 */ +const SSL_METHOD *DTLSv1_2_server_method(void); /* DTLSv1.2 */ +const SSL_METHOD *DTLSv1_2_client_method(void); /* DTLSv1.2 */ + STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s); int SSL_do_handshake(SSL *s); diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 292d6e32e8..f5597ee64b 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -760,6 +760,7 @@ extern SSL3_ENC_METHOD TLSv1_1_enc_data; extern SSL3_ENC_METHOD TLSv1_2_enc_data; extern SSL3_ENC_METHOD SSLv3_enc_data; extern SSL3_ENC_METHOD DTLSv1_enc_data; +extern SSL3_ENC_METHOD DTLSv1_2_enc_data; #define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \ s_get_meth, enc_data) \ diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 6cd17679bb..90f92b2d11 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -328,6 +328,11 @@ int ssl_get_new_session(SSL *s, int session) ss->ssl_version=DTLS1_VERSION; ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH; } + else if (s->version == DTLS1_2_VERSION) + { + ss->ssl_version=DTLS1_2_VERSION; + ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH; + } else { SSLerr(SSL_F_SSL_GET_NEW_SESSION,SSL_R_UNSUPPORTED_SSL_VERSION); diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c index 6479d52c0c..093d84076f 100644 --- a/ssl/ssl_txt.c +++ b/ssl/ssl_txt.c @@ -123,6 +123,8 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) s="TLSv1"; else if (x->ssl_version == DTLS1_VERSION) s="DTLSv1"; + else if (x->ssl_version == DTLS1_2_VERSION) + s="DTLSv1.2"; else if (x->ssl_version == DTLS1_BAD_VER) s="DTLSv1-bad"; else diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c index f1efde2640..80d7f49c9b 100644 --- a/ssl/t1_trce.c +++ b/ssl/t1_trce.c @@ -113,6 +113,7 @@ static ssl_trace_tbl ssl_version_tbl[] = { {TLS1_1_VERSION, "TLS 1.1"}, {TLS1_2_VERSION, "TLS 1.2"}, {DTLS1_VERSION, "DTLS 1.0"}, + {DTLS1_2_VERSION, "DTLS 1.2"}, {DTLS1_BAD_VER, "DTLS 1.0 (bad)"} }; -- 2.40.0