diff options
Diffstat (limited to 'package/openssl/patches/001-upstream_dtls_cisco.patch')
-rw-r--r-- | package/openssl/patches/001-upstream_dtls_cisco.patch | 139 |
1 files changed, 0 insertions, 139 deletions
diff --git a/package/openssl/patches/001-upstream_dtls_cisco.patch b/package/openssl/patches/001-upstream_dtls_cisco.patch deleted file mode 100644 index 46f4bb2233..0000000000 --- a/package/openssl/patches/001-upstream_dtls_cisco.patch +++ /dev/null @@ -1,139 +0,0 @@ ---- a/ssl/d1_clnt.c -+++ b/ssl/d1_clnt.c -@@ -130,7 +130,7 @@ static int dtls1_get_hello_verify(SSL *s - - static SSL_METHOD *dtls1_get_client_method(int ver) - { -- if (ver == DTLS1_VERSION) -+ if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER) - return(DTLSv1_client_method()); - else - return(NULL); -@@ -181,7 +181,8 @@ int dtls1_connect(SSL *s) - s->server=0; - if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); - -- if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00)) -+ if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00) && -+ (s->version & 0xff00 ) != (DTLS1_BAD_VER & 0xff00)) - { - SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR); - ret = -1; ---- a/ssl/d1_lib.c -+++ b/ssl/d1_lib.c -@@ -187,7 +187,10 @@ void dtls1_free(SSL *s) - void dtls1_clear(SSL *s) - { - ssl3_clear(s); -- s->version=DTLS1_VERSION; -+ if (s->options & SSL_OP_CISCO_ANYCONNECT) -+ s->version=DTLS1_BAD_VER; -+ else -+ s->version=DTLS1_VERSION; - } - - /* ---- a/ssl/d1_pkt.c -+++ b/ssl/d1_pkt.c -@@ -987,15 +987,17 @@ start: - if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) - { - struct ccs_header_st ccs_hdr; -+ int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH; - - dtls1_get_ccs_header(rr->data, &ccs_hdr); - - /* 'Change Cipher Spec' is just a single byte, so we know - * exactly what the record payload has to look like */ - /* XDTLS: check that epoch is consistent */ -- if ( (s->client_version == DTLS1_BAD_VER && rr->length != 3) || -- (s->client_version != DTLS1_BAD_VER && rr->length != DTLS1_CCS_HEADER_LENGTH) || -- (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) -+ if (s->client_version == DTLS1_BAD_VER || s->version == DTLS1_BAD_VER) -+ ccs_hdr_len = 3; -+ -+ if ((rr->length != ccs_hdr_len) || (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) - { - i=SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC); -@@ -1311,7 +1313,7 @@ int do_dtls1_write(SSL *s, int type, con - #if 0 - /* 'create_empty_fragment' is true only when this function calls itself */ - if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done -- && SSL_version(s) != DTLS1_VERSION) -+ && SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER) - { - /* countermeasure against known-IV weakness in CBC ciphersuites - * (see http://www.openssl.org/~bodo/tls-cbc.txt) ---- a/ssl/s3_clnt.c -+++ b/ssl/s3_clnt.c -@@ -708,7 +708,7 @@ int ssl3_get_server_hello(SSL *s) - - if (!ok) return((int)n); - -- if ( SSL_version(s) == DTLS1_VERSION) -+ if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) - { - if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) - { ---- a/ssl/ssl.h -+++ b/ssl/ssl.h -@@ -510,6 +510,8 @@ typedef struct ssl_session_st - #define SSL_OP_COOKIE_EXCHANGE 0x00002000L - /* Don't use RFC4507 ticket extension */ - #define SSL_OP_NO_TICKET 0x00004000L -+/* Use Cisco's "speshul" version of DTLS_BAD_VER (as client) */ -+#define SSL_OP_CISCO_ANYCONNECT 0x00008000L - - /* As server, disallow session resumption on renegotiation */ - #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0x00010000L ---- a/ssl/ssl_lib.c -+++ b/ssl/ssl_lib.c -@@ -995,7 +995,8 @@ long SSL_ctrl(SSL *s,int cmd,long larg,v - s->max_cert_list=larg; - return(l); - case SSL_CTRL_SET_MTU: -- if (SSL_version(s) == DTLS1_VERSION) -+ if (SSL_version(s) == DTLS1_VERSION || -+ SSL_version(s) == DTLS1_BAD_VER) - { - s->d1->mtu = larg; - return larg; ---- a/ssl/ssl_sess.c -+++ b/ssl/ssl_sess.c -@@ -211,6 +211,11 @@ int ssl_get_new_session(SSL *s, int sess - ss->ssl_version=TLS1_VERSION; - ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH; - } -+ else if (s->version == DTLS1_BAD_VER) -+ { -+ ss->ssl_version=DTLS1_BAD_VER; -+ ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH; -+ } - else if (s->version == DTLS1_VERSION) - { - ss->ssl_version=DTLS1_VERSION; ---- a/ssl/t1_enc.c -+++ b/ssl/t1_enc.c -@@ -765,10 +765,10 @@ int tls1_mac(SSL *ssl, unsigned char *md - HMAC_CTX_init(&hmac); - HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL); - -- if (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER) -+ if (ssl->version == DTLS1_BAD_VER || -+ (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER)) - { - unsigned char dtlsseq[8],*p=dtlsseq; -- - s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p); - memcpy (p,&seq[2],6); - -@@ -793,7 +793,7 @@ printf("rec="); - {unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); } - #endif - -- if ( SSL_version(ssl) != DTLS1_VERSION) -+ if ( SSL_version(ssl) != DTLS1_VERSION && SSL_version(ssl) != DTLS1_BAD_VER) - { - for (i=7; i>=0; i--) - { |