X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=ssl%2Fd1_lib.c;h=ae067f6eed6329afce330e15584bfc108fb0ca9c;hb=1f9a1285199953092381a1ae80d0da2eaf4bebb0;hp=d774521aaff9f751ee85075302c0fed5b37a14de;hpb=36d16f8ee0845d932e250286e8e236580470e35b;p=oweals%2Fopenssl.git

diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index d774521aaf..ae067f6eed 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -61,11 +61,9 @@
 #include <openssl/objects.h>
 #include "ssl_locl.h"
 
-const char *dtls1_version_str="DTLSv1" OPENSSL_VERSION_PTEXT;
+const char dtls1_version_str[]="DTLSv1" OPENSSL_VERSION_PTEXT;
 
-static long dtls1_default_timeout(void);
-
-static SSL3_ENC_METHOD DTLSv1_enc_data={
+SSL3_ENC_METHOD DTLSv1_enc_data={
     dtls1_enc,
 	tls1_mac,
 	tls1_setup_key_block,
@@ -79,49 +77,17 @@ static SSL3_ENC_METHOD DTLSv1_enc_data={
 	tls1_alert_code,
 	};
 
-static SSL_METHOD DTLSv1_data= {
-	DTLS1_VERSION,
-	dtls1_new,
-	dtls1_clear,
-	dtls1_free,
-	ssl_undefined_function,
-	ssl_undefined_function,
-	ssl3_read,
-	ssl3_peek,
-	ssl3_write,
-	ssl3_shutdown,
-	ssl3_renegotiate,
-	ssl3_renegotiate_check,
-	dtls1_get_message,
-	dtls1_read_bytes,
-	dtls1_write_app_data_bytes,
-	dtls1_dispatch_alert,
-	ssl3_ctrl,
-	ssl3_ctx_ctrl,
-	ssl3_get_cipher_by_char,
-	ssl3_put_cipher_by_char,
-	ssl3_pending,
-	ssl3_num_ciphers,
-	ssl3_get_cipher,
-	ssl_bad_method,
-	dtls1_default_timeout,
-	&DTLSv1_enc_data,
-	ssl_undefined_void_function,
-	ssl3_callback_ctrl,
-	ssl3_ctx_callback_ctrl,
-	};
-
-static long dtls1_default_timeout(void)
+long dtls1_default_timeout(void)
 	{
 	/* 2 hours, the 24 hours mentioned in the DTLSv1 spec
 	 * is way too long for http, the cache would over fill */
 	return(60*60*2);
 	}
 
-SSL_METHOD *dtlsv1_base_method(void)
-	{
-	return(&DTLSv1_data);
-	}
+IMPLEMENT_dtls1_meth_func(dtlsv1_base_method,
+			ssl_undefined_function,
+			ssl_undefined_function,
+			ssl_bad_method)
 
 int dtls1_new(SSL *s)
 	{
@@ -132,11 +98,23 @@ int dtls1_new(SSL *s)
 	memset(d1,0, sizeof *d1);
 
 	/* d1->handshake_epoch=0; */
+#if defined(OPENSSL_SYS_VMS) || defined(VMS_TEST)
+	d1->bitmap.length=64;
+#else
 	d1->bitmap.length=sizeof(d1->bitmap.map) * 8;
+#endif
+	pq_64bit_init(&(d1->bitmap.map));
+	pq_64bit_init(&(d1->bitmap.max_seq_num));
+	
+	d1->next_bitmap.length = d1->bitmap.length;
+	pq_64bit_init(&(d1->next_bitmap.map));
+	pq_64bit_init(&(d1->next_bitmap.max_seq_num));
+
 	d1->unprocessed_rcds.q=pqueue_new();
-    d1->processed_rcds.q=pqueue_new();
-    d1->buffered_messages = pqueue_new();
+	d1->processed_rcds.q=pqueue_new();
+	d1->buffered_messages = pqueue_new();
 	d1->sent_messages=pqueue_new();
+	d1->buffered_app_data.q=pqueue_new();
 
 	if ( s->server)
 		{
@@ -144,12 +122,13 @@ int dtls1_new(SSL *s)
 		}
 
 	if( ! d1->unprocessed_rcds.q || ! d1->processed_rcds.q 
-        || ! d1->buffered_messages || ! d1->sent_messages)
+        || ! d1->buffered_messages || ! d1->sent_messages || ! d1->buffered_app_data.q)
 		{
         if ( d1->unprocessed_rcds.q) pqueue_free(d1->unprocessed_rcds.q);
         if ( d1->processed_rcds.q) pqueue_free(d1->processed_rcds.q);
         if ( d1->buffered_messages) pqueue_free(d1->buffered_messages);
 		if ( d1->sent_messages) pqueue_free(d1->sent_messages);
+		if ( d1->buffered_app_data.q) pqueue_free(d1->buffered_app_data.q);
 		OPENSSL_free(d1);
 		return (0);
 		}
@@ -198,6 +177,21 @@ void dtls1_free(SSL *s)
         }
 	pqueue_free(s->d1->sent_messages);
 
+	while ( (item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL)
+	{
+		frag = (hm_fragment *)item->data;
+		OPENSSL_free(frag->fragment);
+		OPENSSL_free(frag);
+		pitem_free(item);
+	}
+	pqueue_free(s->d1->buffered_app_data.q);
+	
+	pq_64bit_free(&(s->d1->bitmap.map));
+	pq_64bit_free(&(s->d1->bitmap.max_seq_num));
+
+	pq_64bit_free(&(s->d1->next_bitmap.map));
+	pq_64bit_free(&(s->d1->next_bitmap.max_seq_num));
+
 	OPENSSL_free(s->d1);
 	}
 
@@ -206,3 +200,23 @@ void dtls1_clear(SSL *s)
 	ssl3_clear(s);
 	s->version=DTLS1_VERSION;
 	}
+
+/*
+ * As it's impossible to use stream ciphers in "datagram" mode, this
+ * simple filter is designed to disengage them in DTLS. Unfortunately
+ * there is no universal way to identify stream SSL_CIPHER, so we have
+ * to explicitly list their SSL_* codes. Currently RC4 is the only one
+ * available, but if new ones emerge, they will have to be added...
+ */
+SSL_CIPHER *dtls1_get_cipher(unsigned int u)
+	{
+	SSL_CIPHER *ciph = ssl3_get_cipher(u);
+
+	if (ciph != NULL)
+		{
+		if ((ciph->algorithms&SSL_ENC_MASK) == SSL_RC4)
+			return NULL;
+		}
+
+	return ciph;
+	}