Commit Graph

42 Commits

Author SHA1 Message Date
Matt Caswell
af674d4e20 Fix d2i_SSL_SESSION for DTLS1_BAD_VER
Some Cisco appliances use a pre-standard version number for DTLS. We support
this as DTLS1_BAD_VER within the code.

This change fixes d2i_SSL_SESSION for that DTLS version.

Based on an original patch by David Woodhouse <dwmw2@infradead.org>

RT#3704

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-02-27 20:29:03 +00:00
Matt Caswell
b6ba401497 Make libssl opaque. Move all structures that were previously protected by
OPENSSL_NO_SSL_INTERN into internal header files.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-01-31 18:06:45 +00:00
Rich Salz
1a5adcfb5e "#if 0" removal: header files
Remove all "#if 0" blocks from header files.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-27 17:44:12 -05:00
Matt Caswell
0f113f3ee4 Run util/openssl-format-source -v -c .
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:09 +00:00
Matt Caswell
59669b6abf Remove instances in libssl of the constant 28 (for size of IPv4 header + UDP)
and instead use the value provided by the underlying BIO. Also provide some
new DTLS_CTRLs so that the library user can set the mtu without needing to
know this constant. These new DTLS_CTRLs provide the capability to set the
link level mtu to be used (i.e. including this IP/UDP overhead). The previous
DTLS_CTRLs required the library user to subtract this overhead first.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-03 09:24:12 +00:00
Emilia Kasper
e94a6c0ede Ensure SSL3_FLAGS_CCS_OK (or d1->change_cipher_spec_ok for DTLS) is reset
once the ChangeCipherSpec message is received. Previously, the server would
set the flag once at SSL3_ST_SR_CERT_VRFY and again at SSL3_ST_SR_FINISHED.
This would allow a second CCS to arrive and would corrupt the server state.

(Because the first CCS would latch the correct keys and subsequent CCS
messages would have to be encrypted, a MitM attacker cannot exploit this,
though.)

Thanks to Joeri de Ruiter for reporting this issue.

Reviewed-by: Matt Caswell <matt@openssl.org>
2014-11-20 14:57:15 +01:00
Bodo Moeller
cf6da05304 Support TLS_FALLBACK_SCSV.
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-10-15 04:03:28 +02:00
Dr. Stephen Henson
c6913eeb76 Dual DTLS version methods.
Add new methods DTLS_*_method() which support both DTLS 1.0 and DTLS 1.2 and
pick the highest version the peer supports during negotiation.

As with SSL/TLS options can change this behaviour specifically
SSL_OP_NO_DTLSv1 and SSL_OP_NO_DTLSv1_2.
2013-04-09 14:02:48 +01:00
Dr. Stephen Henson
c3b344e36a Provisional DTLS 1.2 support.
Add correct flags for DTLS 1.2, update s_server and s_client to handle
DTLS 1.2 methods.

Currently no support for version negotiation: i.e. if client/server selects
DTLS 1.2 it is that or nothing.
2013-03-26 15:16:41 +00:00
Dr. Stephen Henson
4817504d06 PR: 2658
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Support for TLS/DTLS heartbeats.
2011-12-31 22:59:57 +00:00
Dr. Stephen Henson
7e159e0133 PR: 2535
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Add SCTP support for DTLS (RFC 6083).
2011-12-25 14:45:15 +00:00
Dr. Stephen Henson
ffbfbef943 more vxworks patches 2011-10-14 22:04:14 +00:00
Dr. Stephen Henson
08557cf22c Initial "opaque SSL" framework. If an application defines
OPENSSL_NO_SSL_INTERN all ssl related structures are opaque
and internals cannot be directly accessed. Many applications
will need some modification to support this and most likely some
additional functions added to OpenSSL.

The advantage of this option is that any application supporting
it will still be binary compatible if SSL structures change.
2011-04-29 22:37:12 +00:00
Richard Levitte
4ec3e8ca51 For VMS, implement the possibility to choose 64-bit pointers with
different options:
"64"		The build system will choose /POINTER_SIZE=64=ARGV if
		the compiler supports it, otherwise /POINTER_SIZE=64.
"64="		The build system will force /POINTER_SIZE=64.
"64=ARGV"	The build system will force /POINTER_SIZE=64=ARGV.
2011-03-25 09:40:48 +00:00
Dr. Stephen Henson
6f678c4081 oops, revert invalid change 2010-11-24 14:03:25 +00:00
Dr. Stephen Henson
e9be051f3a use generalise mac API for SSL key generation 2010-11-24 13:16:59 +00:00
Richard Levitte
ec44f0ebfa Taken from OpenSSL_1_0_0-stable:
Include proper header files for time functions.
Submitted by Arpadffy Zoltan <Zoltan.Arpadffy@scientificgames.se>
2010-11-22 18:25:04 +00:00
Dr. Stephen Henson
934e22e814 PR: 2230
Submitted By: Robin Seggelmann <seggelmann@fh-muenster.de>

Fix various DTLS fragment reassembly bugs.
2010-04-14 00:17:55 +00:00
Richard Levitte
0a02d1db34 Update from 1.0.0-stable 2009-11-12 17:03:10 +00:00
Dr. Stephen Henson
1fc3ac806d PR: 2033
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

DTLS listen support.
2009-09-09 17:05:18 +00:00
Dr. Stephen Henson
07a9d1a2c2 PR: 2028
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

Fix DTLS cookie management bugs.
2009-09-04 17:42:53 +00:00
Dr. Stephen Henson
4f33534c8a PR: 1958
Submitted by: Sean Boudreau <seanb@qnx.com>
Approved by: steve@openssl.org

qnx6 support.
2009-06-17 11:37:44 +00:00
Dr. Stephen Henson
716cddc03c PR: 1946
Submitted by: Guenter <lists@gknw.net>
Approved by: steve@openssl.org

Netware header fix.
2009-06-16 16:54:44 +00:00
Dr. Stephen Henson
58f41a926a Updates from 1.0.0-stable 2009-06-05 14:59:26 +00:00
Dr. Stephen Henson
225f303a9d PR: 1946
Submitted by: Guenter <lists@gknw.net>
Reviewed by: steve@openssl.org

Get timeval definition on Netware.
2009-06-02 11:23:13 +00:00
Dr. Stephen Henson
cc9001cb3f Update from 1.0.0-stable 2009-05-28 21:41:47 +00:00
Dr. Stephen Henson
046f210112 Update from 1.0.0-stable. 2009-05-17 16:04:58 +00:00
Dr. Stephen Henson
eb38b26dbc Update from 1.0.0-stable. 2009-05-15 22:58:40 +00:00
Dr. Stephen Henson
8711efb498 Updates from 1.0.0-stable branch. 2009-04-20 11:33:12 +00:00
Dr. Stephen Henson
e5fa864f62 Updates from 1.0.0-stable. 2009-04-15 15:27:03 +00:00
Lutz Jänicke
b8dfde2a36 Remove the DTLS1_BAD_VER thing from 0.9.9-dev. It is present in 0.9.8
but has been omitted from HEAD (0.9.9), see commit
  http://cvs.openssl.org/chngview?cn=16627
by appro.
2008-10-13 06:45:59 +00:00
Ben Laurie
6665ef303e Add missing DTLS1_BAD_VER (hope I got the value right). 2008-10-12 14:04:34 +00:00
Andy Polyakov
d493899579 DTLS didn't handle alerts correctly.
PR: 1632
2008-09-13 18:24:38 +00:00
Andy Polyakov
81fe8dcfe1 Oops! This was erroneously left out commit #16632. 2007-10-01 06:27:21 +00:00
Andy Polyakov
7432d073af Switch to RFC-compliant version encoding in DTLS. 2007-09-30 18:53:54 +00:00
Bodo Möller
01c76c6606 There's no such things as DTLS1_AD_MISSING_HANDSHAKE_MESSAGE.
For now, anyway.
2006-01-07 20:44:29 +00:00
Andy Polyakov
dffdb56b7f "Liberate" dtls from BN dependency. Fix bug in replay/update. 2005-06-07 22:21:14 +00:00
Richard Levitte
188b05792f pqueue and dtls uses 64-bit values. Unfortunately, OpenSSL doesn't
have a uniform representation for those over all architectures, so a
little bit of hackery is needed.

Contributed by nagendra modadugu <nagendra@cs.stanford.edu>
2005-05-30 22:34:37 +00:00
Dr. Stephen Henson
6c61726b2a Lots of Win32 fixes for DTLS.
1. "unsigned long long" isn't portable changed: to BN_ULLONG.
2. The LL prefix isn't allowed in VC++ but it isn't needed where it is used.
2. Avoid lots of compiler warnings about signed/unsigned mismatches.
3. Include new library directory pqueue in mk1mf build system.
4. Update symbols.
2005-04-27 16:27:14 +00:00
Bodo Möller
480506bd49 remove some functions from exported headers 2005-04-26 18:18:35 +00:00
Bodo Möller
beb056b303 fix SSLerr stuff for DTLS1 code;
move some functions from exported header <openssl/dtl1.h> into "ssl_locl.h";
fix silly indentation (a TAB is *not* always 4 spaces)
2005-04-26 18:08:00 +00:00
Ben Laurie
36d16f8ee0 Add DTLS support. 2005-04-26 16:02:40 +00:00