From cf60801ca3b94260f22c1ae64ed3b1c632abebfe Mon Sep 17 00:00:00 2001
From: "7u83@mail.ru" <7u83@mail.ru@noemail.net>
Date: Sat, 2 Aug 2014 16:50:07 +0000
Subject: [PATCH] Activated dtls cookie handling. (But openssl seems to ignore it)

FossilOrigin-Name: ce91ec6df86b16f5ffc71b480c26d81f696bd576f2a0d057d4dfc5e77a4c0e39
---
 src/capwap/dtls_openssl.c | 38 +++++++++++++++++++++++++++++++-------
 1 file changed, 31 insertions(+), 7 deletions(-)

diff --git a/src/capwap/dtls_openssl.c b/src/capwap/dtls_openssl.c
index 10c37a67..bb9d42d9 100644
--- a/src/capwap/dtls_openssl.c
+++ b/src/capwap/dtls_openssl.c
@@ -147,6 +147,17 @@ int dtls_openssl_set_certs(struct conn * conn, struct dtls_openssl_data *d)
 }
 
 
+int dtls_verify_callback (int ok, X509_STORE_CTX *ctx) {
+
+
+	printf("XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX501 verify\n");
+
+	/* This function should ask the user
+	 * if he trusts the received certificate.
+	 * Here we always trust.
+	 */
+	return 1;
+}
 
 
 struct dtls_openssl_data * dtls_openssl_data_create(struct conn * conn, const SSL_METHOD * method, BIO_METHOD * bio)
@@ -163,9 +174,7 @@ struct dtls_openssl_data * dtls_openssl_data_create(struct conn * conn, const SS
 	}
 
 	SSL_CTX_set_read_ahead(d->ctx, 1);
-//	int rc = SSL_CTX_set_cipher_list(d->ctx, "PSK-AES128-CBC-SHA");
 
-	//int rc = SSL_CTX_set_cipher_list(d->ctx, "PSiaK-AXES128-C5BC-SaHA");
 	int rc = SSL_CTX_set_cipher_list(d->ctx, conn->dtls_cipher);
 	if (!rc){
 		dtls_openssl_log_error(0,rc,"DTLS:");
@@ -173,6 +182,15 @@ struct dtls_openssl_data * dtls_openssl_data_create(struct conn * conn, const SS
 		return 0;
 	}
 
+	SSL_CTX_set_session_cache_mode(d->ctx, SSL_SESS_CACHE_OFF);
+
+	SSL_CTX_set_cookie_generate_cb(d->ctx, dtls_openssl_generate_cookie);
+	SSL_CTX_set_cookie_verify_cb(d->ctx, dtls_openssl_verify_cookie);
+
+	SSL_CTX_set_verify(d->ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, dtls_verify_callback);
+
+	printf ("Ver cookie rc %d\n",rc);
+
 	/*
 	if (conn->dtls_key_file && conn->dtls_cert_file){
 
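Review bot: `dtls_verify_callback` discards its `ok` argument and returns 1 unconditionally, so the `SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE` mode installed in the third hunk accepts every peer certificate, including one OpenSSL has already rejected during chain validation, and the comment acknowledges as much. Until a real trust decision is wired in, `return ok;` keeps the library's verdict in force; if accept-all is intentional for testing, document it at the definition as a clearly labelled non-default option rather than leaving it as the shipped behaviour. The `printf("XXXX…501 verify\n")` line, like the debug printf lines added in the third, fourth and seventh hunks, writes raw debugging output to stdout from library code; drop them or route them through the module's existing logging before merging. The function is complete within this hunk.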
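Review bot: Installing the callbacks at `SSL_CTX_set_cookie_generate_cb`/`SSL_CTX_set_cookie_verify_cb` does not by itself enable the DTLS cookie exchange; OpenSSL only invokes them once `SSL_OP_COOKIE_EXCHANGE` is set, e.g. `SSL_CTX_set_options(d->ctx, SSL_OP_COOKIE_EXCHANGE);`, and the fully stateless form additionally goes through `DTLSv1_listen`, which is the likely reason the commit message says OpenSSL ignores the handling. Without that option the HelloVerifyRequest round trip that protects the server from spoofed ClientHello floods never happens, so the new code adds no protection yet. `printf ("Ver cookie rc %d\n",rc)` prints the `rc` left over from `SSL_CTX_set_cipher_list` above, since both cookie setters return void, so its label is misleading and the line should go. `dtls_openssl_data_create` starts before this hunk and continues after it.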
@@ -306,6 +324,10 @@ unsigned char cookie_secret[COOKIE_SECRET_LENGTH];
 
 int dtls_openssl_generate_cookie(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len)
 {
+
+printf(" Gen cookie!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n");
+
+
 	unsigned char *buffer, result[EVP_MAX_MD_SIZE];
 	unsigned int length = 0, resultlength;
 	union {
@@ -318,10 +340,10 @@ int dtls_openssl_generate_cookie(SSL *ssl, unsigned char *cookie, unsigned int *
 	if (!cookie_initialized)
 		{
 		if (!RAND_bytes(cookie_secret, COOKIE_SECRET_LENGTH))
-			{
+		{
 			printf("error setting random cookie secret\n");
 			return 0;
-			}
+		}
 		cookie_initialized = 1;
 		}
 
@@ -344,11 +366,10 @@ int dtls_openssl_generate_cookie(SSL *ssl, unsigned char *cookie, unsigned int *
 
 	length += sizeof(in_port_t);
 	buffer = (unsigned char*) OPENSSL_malloc(length);
-	if (buffer == NULL)
-		{
+	if (buffer == NULL) {
 		printf("out of memory\n");
 		return 0;
-		}
+	}
 
 	switch (peer.ss.ss_family) {
 		case AF_INET:
@@ -388,6 +409,9 @@ int dtls_openssl_generate_cookie(SSL *ssl, unsigned char *cookie, unsigned int *
 
 int dtls_openssl_verify_cookie(SSL *ssl, unsigned char *cookie, unsigned int cookie_len)
 {
+
+printf(" Verify cookie!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n");
+
 	unsigned char *buffer, result[EVP_MAX_MD_SIZE];
 	unsigned int length = 0, resultlength;
 	union {