[dnsmasq] Update to version 2.49
[openwrt.git] / package / openssl / patches / 001-upstream_dtls_cisco.patch
1 --- a/ssl/d1_clnt.c
2 +++ b/ssl/d1_clnt.c
3 @@ -130,7 +130,7 @@ static int dtls1_get_hello_verify(SSL *s
4
5 static SSL_METHOD *dtls1_get_client_method(int ver)
6 {
7 - if (ver == DTLS1_VERSION)
8 + if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
9 return(DTLSv1_client_method());
10 else
11 return(NULL);
12 @@ -181,7 +181,8 @@ int dtls1_connect(SSL *s)
13 s->server=0;
14 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
15
16 - if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00))
17 + if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00) &&
18 + (s->version & 0xff00 ) != (DTLS1_BAD_VER & 0xff00))
19 {
20 SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR);
21 ret = -1;
22 --- a/ssl/d1_lib.c
23 +++ b/ssl/d1_lib.c
24 @@ -187,7 +187,10 @@ void dtls1_free(SSL *s)
25 void dtls1_clear(SSL *s)
26 {
27 ssl3_clear(s);
28 - s->version=DTLS1_VERSION;
29 + if (s->options & SSL_OP_CISCO_ANYCONNECT)
30 + s->version=DTLS1_BAD_VER;
31 + else
32 + s->version=DTLS1_VERSION;
33 }
34
35 /*
36 --- a/ssl/d1_pkt.c
37 +++ b/ssl/d1_pkt.c
38 @@ -987,15 +987,17 @@ start:
39 if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
40 {
41 struct ccs_header_st ccs_hdr;
42 + int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH;
43
44 dtls1_get_ccs_header(rr->data, &ccs_hdr);
45
46 /* 'Change Cipher Spec' is just a single byte, so we know
47 * exactly what the record payload has to look like */
48 /* XDTLS: check that epoch is consistent */
49 - if ( (s->client_version == DTLS1_BAD_VER && rr->length != 3) ||
50 - (s->client_version != DTLS1_BAD_VER && rr->length != DTLS1_CCS_HEADER_LENGTH) ||
51 - (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
52 + if (s->client_version == DTLS1_BAD_VER || s->version == DTLS1_BAD_VER)
53 + ccs_hdr_len = 3;
54 +
55 + if ((rr->length != ccs_hdr_len) || (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
56 {
57 i=SSL_AD_ILLEGAL_PARAMETER;
58 SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
59 @@ -1311,7 +1313,7 @@ int do_dtls1_write(SSL *s, int type, con
60 #if 0
61 /* 'create_empty_fragment' is true only when this function calls itself */
62 if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done
63 - && SSL_version(s) != DTLS1_VERSION)
64 + && SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
65 {
66 /* countermeasure against known-IV weakness in CBC ciphersuites
67 * (see http://www.openssl.org/~bodo/tls-cbc.txt)
68 --- a/ssl/s3_clnt.c
69 +++ b/ssl/s3_clnt.c
70 @@ -708,7 +708,7 @@ int ssl3_get_server_hello(SSL *s)
71
72 if (!ok) return((int)n);
73
74 - if ( SSL_version(s) == DTLS1_VERSION)
75 + if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
76 {
77 if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
78 {
79 --- a/ssl/ssl.h
80 +++ b/ssl/ssl.h
81 @@ -510,6 +510,8 @@ typedef struct ssl_session_st
82 #define SSL_OP_COOKIE_EXCHANGE 0x00002000L
83 /* Don't use RFC4507 ticket extension */
84 #define SSL_OP_NO_TICKET 0x00004000L
85 +/* Use Cisco's "speshul" version of DTLS_BAD_VER (as client) */
86 +#define SSL_OP_CISCO_ANYCONNECT 0x00008000L
87
88 /* As server, disallow session resumption on renegotiation */
89 #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L
90 --- a/ssl/ssl_lib.c
91 +++ b/ssl/ssl_lib.c
92 @@ -995,7 +995,8 @@ long SSL_ctrl(SSL *s,int cmd,long larg,v
93 s->max_cert_list=larg;
94 return(l);
95 case SSL_CTRL_SET_MTU:
96 - if (SSL_version(s) == DTLS1_VERSION)
97 + if (SSL_version(s) == DTLS1_VERSION ||
98 + SSL_version(s) == DTLS1_BAD_VER)
99 {
100 s->d1->mtu = larg;
101 return larg;
102 --- a/ssl/ssl_sess.c
103 +++ b/ssl/ssl_sess.c
104 @@ -211,6 +211,11 @@ int ssl_get_new_session(SSL *s, int sess
105 ss->ssl_version=TLS1_VERSION;
106 ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
107 }
108 + else if (s->version == DTLS1_BAD_VER)
109 + {
110 + ss->ssl_version=DTLS1_BAD_VER;
111 + ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
112 + }
113 else if (s->version == DTLS1_VERSION)
114 {
115 ss->ssl_version=DTLS1_VERSION;
116 --- a/ssl/t1_enc.c
117 +++ b/ssl/t1_enc.c
118 @@ -765,10 +765,10 @@ int tls1_mac(SSL *ssl, unsigned char *md
119 HMAC_CTX_init(&hmac);
120 HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL);
121
122 - if (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER)
123 + if (ssl->version == DTLS1_BAD_VER ||
124 + (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER))
125 {
126 unsigned char dtlsseq[8],*p=dtlsseq;
127 -
128 s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p);
129 memcpy (p,&seq[2],6);
130
131 @@ -793,7 +793,7 @@ printf("rec=");
132 {unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
133 #endif
134
135 - if ( SSL_version(ssl) != DTLS1_VERSION)
136 + if ( SSL_version(ssl) != DTLS1_VERSION && SSL_version(ssl) != DTLS1_BAD_VER)
137 {
138 for (i=7; i>=0; i--)
139 {
This page took 0.064246 seconds and 5 git commands to generate.