openssl: add a patch to support DTLS compatibility with Cisco AnyConnect & OpenConnect VPN clients (thanks to freezer)
SVN-Revision: 15410
This commit is contained in:
parent
5282bfd731
commit
2a54a83244
2 changed files with 141 additions and 2 deletions
|
@ -1,5 +1,5 @@
|
||||||
#
|
#
|
||||||
# Copyright (C) 2006-2008 OpenWrt.org
|
# Copyright (C) 2006-2009 OpenWrt.org
|
||||||
#
|
#
|
||||||
# This is free software, licensed under the GNU General Public License v2.
|
# This is free software, licensed under the GNU General Public License v2.
|
||||||
# See /LICENSE for more information.
|
# See /LICENSE for more information.
|
||||||
|
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
|
||||||
|
|
||||||
PKG_NAME:=openssl
|
PKG_NAME:=openssl
|
||||||
PKG_VERSION:=0.9.8k
|
PKG_VERSION:=0.9.8k
|
||||||
PKG_RELEASE:=1
|
PKG_RELEASE:=2
|
||||||
|
|
||||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||||
PKG_SOURCE_URL:=http://www.openssl.org/source/ \
|
PKG_SOURCE_URL:=http://www.openssl.org/source/ \
|
||||||
|
|
139
package/openssl/patches/001-upstream_dtls_cisco.patch
Normal file
139
package/openssl/patches/001-upstream_dtls_cisco.patch
Normal file
|
@ -0,0 +1,139 @@
|
||||||
|
--- a/ssl/d1_clnt.c
|
||||||
|
+++ b/ssl/d1_clnt.c
|
||||||
|
@@ -130,7 +130,7 @@ static int dtls1_get_hello_verify(SSL *s
|
||||||
|
|
||||||
|
static SSL_METHOD *dtls1_get_client_method(int ver)
|
||||||
|
{
|
||||||
|
- if (ver == DTLS1_VERSION)
|
||||||
|
+ if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
|
||||||
|
return(DTLSv1_client_method());
|
||||||
|
else
|
||||||
|
return(NULL);
|
||||||
|
@@ -181,7 +181,8 @@ int dtls1_connect(SSL *s)
|
||||||
|
s->server=0;
|
||||||
|
if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
|
||||||
|
|
||||||
|
- if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00))
|
||||||
|
+ if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00) &&
|
||||||
|
+ (s->version & 0xff00 ) != (DTLS1_BAD_VER & 0xff00))
|
||||||
|
{
|
||||||
|
SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR);
|
||||||
|
ret = -1;
|
||||||
|
--- a/ssl/d1_lib.c
|
||||||
|
+++ b/ssl/d1_lib.c
|
||||||
|
@@ -187,7 +187,10 @@ void dtls1_free(SSL *s)
|
||||||
|
void dtls1_clear(SSL *s)
|
||||||
|
{
|
||||||
|
ssl3_clear(s);
|
||||||
|
- s->version=DTLS1_VERSION;
|
||||||
|
+ if (s->options & SSL_OP_CISCO_ANYCONNECT)
|
||||||
|
+ s->version=DTLS1_BAD_VER;
|
||||||
|
+ else
|
||||||
|
+ s->version=DTLS1_VERSION;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
--- a/ssl/d1_pkt.c
|
||||||
|
+++ b/ssl/d1_pkt.c
|
||||||
|
@@ -987,15 +987,17 @@ start:
|
||||||
|
if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
|
||||||
|
{
|
||||||
|
struct ccs_header_st ccs_hdr;
|
||||||
|
+ int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH;
|
||||||
|
|
||||||
|
dtls1_get_ccs_header(rr->data, &ccs_hdr);
|
||||||
|
|
||||||
|
/* 'Change Cipher Spec' is just a single byte, so we know
|
||||||
|
* exactly what the record payload has to look like */
|
||||||
|
/* XDTLS: check that epoch is consistent */
|
||||||
|
- if ( (s->client_version == DTLS1_BAD_VER && rr->length != 3) ||
|
||||||
|
- (s->client_version != DTLS1_BAD_VER && rr->length != DTLS1_CCS_HEADER_LENGTH) ||
|
||||||
|
- (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
|
||||||
|
+ if (s->client_version == DTLS1_BAD_VER || s->version == DTLS1_BAD_VER)
|
||||||
|
+ ccs_hdr_len = 3;
|
||||||
|
+
|
||||||
|
+ if ((rr->length != ccs_hdr_len) || (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
|
||||||
|
{
|
||||||
|
i=SSL_AD_ILLEGAL_PARAMETER;
|
||||||
|
SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
|
||||||
|
@@ -1311,7 +1313,7 @@ int do_dtls1_write(SSL *s, int type, con
|
||||||
|
#if 0
|
||||||
|
/* 'create_empty_fragment' is true only when this function calls itself */
|
||||||
|
if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done
|
||||||
|
- && SSL_version(s) != DTLS1_VERSION)
|
||||||
|
+ && SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
|
||||||
|
{
|
||||||
|
/* countermeasure against known-IV weakness in CBC ciphersuites
|
||||||
|
* (see http://www.openssl.org/~bodo/tls-cbc.txt)
|
||||||
|
--- a/ssl/s3_clnt.c
|
||||||
|
+++ b/ssl/s3_clnt.c
|
||||||
|
@@ -708,7 +708,7 @@ int ssl3_get_server_hello(SSL *s)
|
||||||
|
|
||||||
|
if (!ok) return((int)n);
|
||||||
|
|
||||||
|
- if ( SSL_version(s) == DTLS1_VERSION)
|
||||||
|
+ if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
|
||||||
|
{
|
||||||
|
if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
|
||||||
|
{
|
||||||
|
--- a/ssl/ssl.h
|
||||||
|
+++ b/ssl/ssl.h
|
||||||
|
@@ -510,6 +510,8 @@ typedef struct ssl_session_st
|
||||||
|
#define SSL_OP_COOKIE_EXCHANGE 0x00002000L
|
||||||
|
/* Don't use RFC4507 ticket extension */
|
||||||
|
#define SSL_OP_NO_TICKET 0x00004000L
|
||||||
|
+/* Use Cisco's "speshul" version of DTLS_BAD_VER (as client) */
|
||||||
|
+#define SSL_OP_CISCO_ANYCONNECT 0x00008000L
|
||||||
|
|
||||||
|
/* As server, disallow session resumption on renegotiation */
|
||||||
|
#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L
|
||||||
|
--- a/ssl/ssl_lib.c
|
||||||
|
+++ b/ssl/ssl_lib.c
|
||||||
|
@@ -995,7 +995,8 @@ long SSL_ctrl(SSL *s,int cmd,long larg,v
|
||||||
|
s->max_cert_list=larg;
|
||||||
|
return(l);
|
||||||
|
case SSL_CTRL_SET_MTU:
|
||||||
|
- if (SSL_version(s) == DTLS1_VERSION)
|
||||||
|
+ if (SSL_version(s) == DTLS1_VERSION ||
|
||||||
|
+ SSL_version(s) == DTLS1_BAD_VER)
|
||||||
|
{
|
||||||
|
s->d1->mtu = larg;
|
||||||
|
return larg;
|
||||||
|
--- a/ssl/ssl_sess.c
|
||||||
|
+++ b/ssl/ssl_sess.c
|
||||||
|
@@ -211,6 +211,11 @@ int ssl_get_new_session(SSL *s, int sess
|
||||||
|
ss->ssl_version=TLS1_VERSION;
|
||||||
|
ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
|
||||||
|
}
|
||||||
|
+ else if (s->version == DTLS1_BAD_VER)
|
||||||
|
+ {
|
||||||
|
+ ss->ssl_version=DTLS1_BAD_VER;
|
||||||
|
+ ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
|
||||||
|
+ }
|
||||||
|
else if (s->version == DTLS1_VERSION)
|
||||||
|
{
|
||||||
|
ss->ssl_version=DTLS1_VERSION;
|
||||||
|
--- a/ssl/t1_enc.c
|
||||||
|
+++ b/ssl/t1_enc.c
|
||||||
|
@@ -765,10 +765,10 @@ int tls1_mac(SSL *ssl, unsigned char *md
|
||||||
|
HMAC_CTX_init(&hmac);
|
||||||
|
HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL);
|
||||||
|
|
||||||
|
- if (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER)
|
||||||
|
+ if (ssl->version == DTLS1_BAD_VER ||
|
||||||
|
+ (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER))
|
||||||
|
{
|
||||||
|
unsigned char dtlsseq[8],*p=dtlsseq;
|
||||||
|
-
|
||||||
|
s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p);
|
||||||
|
memcpy (p,&seq[2],6);
|
||||||
|
|
||||||
|
@@ -793,7 +793,7 @@ printf("rec=");
|
||||||
|
{unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
|
||||||
|
#endif
|
||||||
|
|
||||||
|
- if ( SSL_version(ssl) != DTLS1_VERSION)
|
||||||
|
+ if ( SSL_version(ssl) != DTLS1_VERSION && SSL_version(ssl) != DTLS1_BAD_VER)
|
||||||
|
{
|
||||||
|
for (i=7; i>=0; i--)
|
||||||
|
{
|
Loading…
Reference in a new issue