X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=ssl%2Fd1_lib.c;h=3568e97a8771573c97a3ff421218e78a6ca4c903;hb=7f065cfdbd6f18a81a3f54ba6b8d5045fb533c89;hp=d774521aaff9f751ee85075302c0fed5b37a14de;hpb=36d16f8ee0845d932e250286e8e236580470e35b;p=oweals%2Fopenssl.git diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index d774521aaf..3568e97a87 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -61,11 +61,9 @@ #include #include "ssl_locl.h" -const char *dtls1_version_str="DTLSv1" OPENSSL_VERSION_PTEXT; +const char dtls1_version_str[]="DTLSv1" OPENSSL_VERSION_PTEXT; -static long dtls1_default_timeout(void); - -static SSL3_ENC_METHOD DTLSv1_enc_data={ +SSL3_ENC_METHOD DTLSv1_enc_data={ dtls1_enc, tls1_mac, tls1_setup_key_block, @@ -79,49 +77,17 @@ static SSL3_ENC_METHOD DTLSv1_enc_data={ tls1_alert_code, }; -static SSL_METHOD DTLSv1_data= { - DTLS1_VERSION, - dtls1_new, - dtls1_clear, - dtls1_free, - ssl_undefined_function, - ssl_undefined_function, - ssl3_read, - ssl3_peek, - ssl3_write, - ssl3_shutdown, - ssl3_renegotiate, - ssl3_renegotiate_check, - dtls1_get_message, - dtls1_read_bytes, - dtls1_write_app_data_bytes, - dtls1_dispatch_alert, - ssl3_ctrl, - ssl3_ctx_ctrl, - ssl3_get_cipher_by_char, - ssl3_put_cipher_by_char, - ssl3_pending, - ssl3_num_ciphers, - ssl3_get_cipher, - ssl_bad_method, - dtls1_default_timeout, - &DTLSv1_enc_data, - ssl_undefined_void_function, - ssl3_callback_ctrl, - ssl3_ctx_callback_ctrl, - }; - -static long dtls1_default_timeout(void) +long dtls1_default_timeout(void) { /* 2 hours, the 24 hours mentioned in the DTLSv1 spec * is way too long for http, the cache would over fill */ return(60*60*2); } -SSL_METHOD *dtlsv1_base_method(void) - { - return(&DTLSv1_data); - } +IMPLEMENT_dtls1_meth_func(dtlsv1_base_method, + ssl_undefined_function, + ssl_undefined_function, + ssl_bad_method) int dtls1_new(SSL *s) { @@ -132,10 +98,21 @@ int dtls1_new(SSL *s) memset(d1,0, sizeof *d1); /* d1->handshake_epoch=0; */ +#if defined(OPENSSL_SYS_VMS) || defined(VMS_TEST) + d1->bitmap.length=64; +#else d1->bitmap.length=sizeof(d1->bitmap.map) * 8; +#endif + pq_64bit_init(&(d1->bitmap.map)); + pq_64bit_init(&(d1->bitmap.max_seq_num)); + + d1->next_bitmap.length = d1->bitmap.length; + pq_64bit_init(&(d1->next_bitmap.map)); + pq_64bit_init(&(d1->next_bitmap.max_seq_num)); + d1->unprocessed_rcds.q=pqueue_new(); - d1->processed_rcds.q=pqueue_new(); - d1->buffered_messages = pqueue_new(); + d1->processed_rcds.q=pqueue_new(); + d1->buffered_messages = pqueue_new(); d1->sent_messages=pqueue_new(); if ( s->server) @@ -198,6 +175,12 @@ void dtls1_free(SSL *s) } pqueue_free(s->d1->sent_messages); + pq_64bit_free(&(s->d1->bitmap.map)); + pq_64bit_free(&(s->d1->bitmap.max_seq_num)); + + pq_64bit_free(&(s->d1->next_bitmap.map)); + pq_64bit_free(&(s->d1->next_bitmap.max_seq_num)); + OPENSSL_free(s->d1); } @@ -206,3 +189,23 @@ void dtls1_clear(SSL *s) ssl3_clear(s); s->version=DTLS1_VERSION; } + +/* + * As it's impossible to use stream ciphers in "datagram" mode, this + * simple filter is designed to disengage them in DTLS. Unfortunately + * there is no universal way to identify stream SSL_CIPHER, so we have + * to explicitly list their SSL_* codes. Currently RC4 is the only one + * available, but if new ones emerge, they will have to be added... + */ +SSL_CIPHER *dtls1_get_cipher(unsigned int u) + { + SSL_CIPHER *ciph = ssl3_get_cipher(u); + + if (ciph != NULL) + { + if ((ciph->algorithms&SSL_ENC_MASK) == SSL_RC4) + return NULL; + } + + return ciph; + }