| blob | 085084fe120f09d8a25301646cdb495e043a8629 |
1 Index: ssl/d1_clnt.c
2 ===================================================================
3 RCS file: /home/dwmw2/openssl-cvs/openssl/ssl/d1_clnt.c,v
4 retrieving revision 1.3.2.10
5 diff -u -p -r1.3.2.10 d1_clnt.c
6 --- ssl/d1_clnt.c 4 Jun 2008 18:35:25 -0000 1.3.2.10
7 +++ ssl/d1_clnt.c 29 Sep 2008 08:27:31 -0000
8 @@ -130,7 +130,7 @@ static int dtls1_get_hello_verify(SSL *s
10 static SSL_METHOD *dtls1_get_client_method(int ver)
11 {
12 - if (ver == DTLS1_VERSION)
13 + if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
14 return(DTLSv1_client_method());
15 else
16 return(NULL);
17 @@ -181,7 +181,8 @@ int dtls1_connect(SSL *s)
18 s->server=0;
19 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
21 - if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00))
22 + if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00) &&
23 + (s->version & 0xff00 ) != (DTLS1_BAD_VER & 0xff00))
24 {
25 SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR);
26 ret = -1;
27 Index: ssl/d1_lib.c
28 ===================================================================
29 RCS file: /home/dwmw2/openssl-cvs/openssl/ssl/d1_lib.c,v
30 retrieving revision 1.1.2.5
31 diff -u -p -r1.1.2.5 d1_lib.c
32 --- ssl/d1_lib.c 5 Oct 2007 21:05:27 -0000 1.1.2.5
33 +++ ssl/d1_lib.c 29 Sep 2008 08:38:49 -0000
34 @@ -186,7 +186,10 @@ void dtls1_free(SSL *s)
35 void dtls1_clear(SSL *s)
36 {
37 ssl3_clear(s);
38 - s->version=DTLS1_VERSION;
39 + if (s->options & SSL_OP_CISCO_ANYCONNECT)
40 + s->version=DTLS1_BAD_VER;
41 + else
42 + s->version=DTLS1_VERSION;
43 }
45 /*
46 Index: ssl/d1_pkt.c
47 ===================================================================
48 RCS file: /home/dwmw2/openssl-cvs/openssl/ssl/d1_pkt.c,v
49 retrieving revision 1.4.2.12
50 diff -u -p -r1.4.2.12 d1_pkt.c
51 --- ssl/d1_pkt.c 14 Sep 2008 17:57:03 -0000 1.4.2.12
52 +++ ssl/d1_pkt.c 29 Sep 2008 08:27:31 -0000
53 @@ -986,15 +986,17 @@ start:
54 if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
55 {
56 struct ccs_header_st ccs_hdr;
57 + int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH;
59 dtls1_get_ccs_header(rr->data, &ccs_hdr);
61 /* 'Change Cipher Spec' is just a single byte, so we know
62 * exactly what the record payload has to look like */
63 /* XDTLS: check that epoch is consistent */
64 - if ( (s->client_version == DTLS1_BAD_VER && rr->length != 3) ||
65 - (s->client_version != DTLS1_BAD_VER && rr->length != DTLS1_CCS_HEADER_LENGTH) ||
66 - (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
67 + if (s->client_version == DTLS1_BAD_VER || s->version == DTLS1_BAD_VER)
68 + ccs_hdr_len = 3;
69 +
70 + if ((rr->length != ccs_hdr_len) || (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
71 {
72 i=SSL_AD_ILLEGAL_PARAMETER;
73 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
74 @@ -1310,7 +1312,7 @@ int do_dtls1_write(SSL *s, int type, con
75 #if 0
76 /* 'create_empty_fragment' is true only when this function calls itself */
77 if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done
78 - && SSL_version(s) != DTLS1_VERSION)
79 + && SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
80 {
81 /* countermeasure against known-IV weakness in CBC ciphersuites
82 * (see http://www.openssl.org/~bodo/tls-cbc.txt)
83 Index: ssl/s3_clnt.c
84 ===================================================================
85 RCS file: /home/dwmw2/openssl-cvs/openssl/ssl/s3_clnt.c,v
86 retrieving revision 1.88.2.17
87 diff -u -p -r1.88.2.17 s3_clnt.c
88 --- ssl/s3_clnt.c 16 Jun 2008 16:56:41 -0000 1.88.2.17
89 +++ ssl/s3_clnt.c 29 Sep 2008 08:27:31 -0000
90 @@ -708,7 +708,7 @@ int ssl3_get_server_hello(SSL *s)
92 if (!ok) return((int)n);
94 - if ( SSL_version(s) == DTLS1_VERSION)
95 + if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
96 {
97 if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
98 {
99 Index: ssl/ssl.h
100 ===================================================================
101 RCS file: /home/dwmw2/openssl-cvs/openssl/ssl/ssl.h,v
102 retrieving revision 1.161.2.21
103 diff -u -p -r1.161.2.21 ssl.h
104 --- ssl/ssl.h 13 Aug 2008 19:44:44 -0000 1.161.2.21
105 +++ ssl/ssl.h 29 Sep 2008 08:39:24 -0000
106 @@ -510,6 +510,8 @@ typedef struct ssl_session_st
107 #define SSL_OP_COOKIE_EXCHANGE 0x00002000L
108 /* Don't use RFC4507 ticket extension */
109 #define SSL_OP_NO_TICKET 0x00004000L
110 +/* Use Cisco's "speshul" version of DTLS_BAD_VER (as client) */
111 +#define SSL_OP_CISCO_ANYCONNECT 0x00008000L
113 /* As server, disallow session resumption on renegotiation */
114 #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L
115 Index: ssl/ssl_lib.c
116 ===================================================================
117 RCS file: /home/dwmw2/openssl-cvs/openssl/ssl/ssl_lib.c,v
118 retrieving revision 1.133.2.15
119 diff -u -p -r1.133.2.15 ssl_lib.c
120 --- ssl/ssl_lib.c 16 Jun 2008 16:56:42 -0000 1.133.2.15
121 +++ ssl/ssl_lib.c 29 Sep 2008 08:37:16 -0000
122 @@ -993,7 +993,8 @@ long SSL_ctrl(SSL *s,int cmd,long larg,v
123 s->max_cert_list=larg;
124 return(l);
125 case SSL_CTRL_SET_MTU:
126 - if (SSL_version(s) == DTLS1_VERSION)
127 + if (SSL_version(s) == DTLS1_VERSION ||
128 + SSL_version(s) == DTLS1_BAD_VER)
129 {
130 s->d1->mtu = larg;
131 return larg;
132 Index: ssl/ssl_sess.c
133 ===================================================================
134 RCS file: /home/dwmw2/openssl-cvs/openssl/ssl/ssl_sess.c,v
135 retrieving revision 1.51.2.9
136 diff -u -p -r1.51.2.9 ssl_sess.c
137 --- ssl/ssl_sess.c 4 Jun 2008 18:35:27 -0000 1.51.2.9
138 +++ ssl/ssl_sess.c 29 Sep 2008 08:27:31 -0000
139 @@ -211,6 +211,11 @@ int ssl_get_new_session(SSL *s, int sess
140 ss->ssl_version=TLS1_VERSION;
141 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
142 }
143 + else if (s->version == DTLS1_BAD_VER)
144 + {
145 + ss->ssl_version=DTLS1_BAD_VER;
146 + ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
147 + }
148 else if (s->version == DTLS1_VERSION)
149 {
150 ss->ssl_version=DTLS1_VERSION;
151 Index: ssl/t1_enc.c
152 ===================================================================
153 RCS file: /home/dwmw2/openssl-cvs/openssl/ssl/t1_enc.c,v
154 retrieving revision 1.35.2.6
155 diff -u -p -r1.35.2.6 t1_enc.c
156 --- ssl/t1_enc.c 13 Sep 2008 18:25:36 -0000 1.35.2.6
157 +++ ssl/t1_enc.c 29 Sep 2008 08:35:54 -0000
158 @@ -757,10 +757,10 @@ int tls1_mac(SSL *ssl, unsigned char *md
159 HMAC_CTX_init(&hmac);
160 HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL);
162 - if (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER)
163 + if (ssl->version == DTLS1_BAD_VER ||
164 + (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER))
165 {
166 unsigned char dtlsseq[8],*p=dtlsseq;
167 -
168 s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p);
169 memcpy (p,&seq[2],6);
171 @@ -785,7 +785,7 @@ printf("rec=");
172 {unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
173 #endif
175 - if ( SSL_version(ssl) != DTLS1_VERSION)
176 + if ( SSL_version(ssl) != DTLS1_VERSION && SSL_version(ssl) != DTLS1_BAD_VER)
177 {
178 for (i=7; i>=0; i--)
179 {