From 36d16f8ee0845d932e250286e8e236580470e35b Mon Sep 17 00:00:00 2001 From: Ben Laurie Date: Tue, 26 Apr 2005 16:02:40 +0000 Subject: Add DTLS support. --- apps/s_apps.h | 4 ++-- apps/s_client.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++-- apps/s_server.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++---- apps/s_socket.c | 67 ++++++++++++++++++++++++++++++++------------------- apps/timeouts.h | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 248 insertions(+), 34 deletions(-) create mode 100644 apps/timeouts.h (limited to 'apps') diff --git a/apps/s_apps.h b/apps/s_apps.h index ca5caacd04..bb48244ead 100644 --- a/apps/s_apps.h +++ b/apps/s_apps.h @@ -148,7 +148,7 @@ typedef fd_mask fd_set; #define PORT_STR "4433" #define PROTOCOL "tcp" -int do_server(int port, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), char *context); +int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), char *context); #ifdef HEADER_X509_H int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx); #endif @@ -156,7 +156,7 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx); int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file); int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key); #endif -int init_client(int *sock, char *server, int port); +int init_client(int *sock, char *server, int port, int type); int should_retry(int i); int extract_port(char *str, short *port_ptr); int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p); diff --git a/apps/s_client.c b/apps/s_client.c index d5c0a4f792..2f0f568daf 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -135,6 +135,7 @@ typedef unsigned int u_int; #include #include #include "s_apps.h" +#include "timeouts.h" #ifdef OPENSSL_SYS_WINCE /* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */ @@ -215,6 +216,8 @@ static void sc_usage(void) BIO_printf(bio_err," -ssl2 - just use SSLv2\n"); BIO_printf(bio_err," -ssl3 - just use SSLv3\n"); BIO_printf(bio_err," -tls1 - just use TLSv1\n"); + BIO_printf(bio_err," -dtls1 - just use DTLSv1\n"); + BIO_printf(bio_err," -mtu - set the MTU\n"); BIO_printf(bio_err," -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n"); BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n"); BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n"); @@ -260,6 +263,7 @@ int MAIN(int argc, char **argv) int starttls_proto = 0; int prexit = 0, vflags = 0; SSL_METHOD *meth=NULL; + int sock_type=SOCK_STREAM; BIO *sbio; char *inrand=NULL; #ifndef OPENSSL_NO_ENGINE @@ -270,6 +274,11 @@ int MAIN(int argc, char **argv) struct timeval tv; #endif + struct sockaddr peer; + int peerlen = sizeof(peer); + int enable_timeouts = 0 ; + long mtu = 0; + #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) meth=SSLv23_client_method(); #elif !defined(OPENSSL_NO_SSL3) @@ -386,6 +395,20 @@ int MAIN(int argc, char **argv) #ifndef OPENSSL_NO_TLS1 else if (strcmp(*argv,"-tls1") == 0) meth=TLSv1_client_method(); +#endif +#ifndef OPENSSL_NO_DTLS1 + else if (strcmp(*argv,"-dtls1") == 0) + { + meth=DTLSv1_client_method(); + sock_type=SOCK_DGRAM; + } + else if (strcmp(*argv,"-timeout") == 0) + enable_timeouts=1; + else if (strcmp(*argv,"-mtu") == 0) + { + if (--argc < 1) goto bad; + mtu = atol(*(++argv)); + } #endif else if (strcmp(*argv,"-bugs") == 0) bugs=1; @@ -550,6 +573,10 @@ bad: SSL_CTX_set_options(ctx,SSL_OP_ALL|off); else SSL_CTX_set_options(ctx,off); + /* DTLS: partial reads end up discarding unread UDP bytes :-( + * Setting read ahead solves this problem. + */ + if (sock_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1); if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); if (cipher != NULL) @@ -589,7 +616,7 @@ bad: re_start: - if (init_client(&s,host,port) == 0) + if (init_client(&s,host,port,sock_type) == 0) { BIO_printf(bio_err,"connect:errno=%d\n",get_last_socket_error()); SHUTDOWN(s); @@ -610,7 +637,46 @@ re_start: } #endif if (c_Pause & 0x01) con->debug=1; - sbio=BIO_new_socket(s,BIO_NOCLOSE); + + if ( SSL_version(con) == DTLS1_VERSION) + { + struct timeval timeout; + + sbio=BIO_new_dgram(s,BIO_NOCLOSE); + if (getsockname(s, &peer, &peerlen) < 0) + { + BIO_printf(bio_err, "getsockname:errno=%d\n", + get_last_socket_error()); + SHUTDOWN(s); + goto end; + } + + BIO_ctrl_set_connected(sbio, 1, &peer); + + if ( enable_timeouts) + { + timeout.tv_sec = 0; + timeout.tv_usec = DGRAM_RCV_TIMEOUT; + BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout); + + timeout.tv_sec = 0; + timeout.tv_usec = DGRAM_SND_TIMEOUT; + BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); + } + + if ( mtu > 0) + { + SSL_set_options(con, SSL_OP_NO_QUERY_MTU); + SSL_set_mtu(con, mtu); + } + else + /* want to do MTU discovery */ + BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL); + } + else + sbio=BIO_new_socket(s,BIO_NOCLOSE); + + if (nbio_test) { diff --git a/apps/s_server.c b/apps/s_server.c index 40d00cc563..059c4a06c7 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -154,6 +154,7 @@ typedef unsigned int u_int; #include #include #include "s_apps.h" +#include "timeouts.h" #ifdef OPENSSL_SYS_WINCE /* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */ @@ -260,6 +261,11 @@ static char *engine_id=NULL; #endif static const char *session_id_prefix=NULL; +static int enable_timeouts = 0; +static long mtu; +static int cert_chain = 0; + + #ifdef MONOLITH static void s_server_init(void) { @@ -333,6 +339,10 @@ static void sv_usage(void) BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n"); BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n"); BIO_printf(bio_err," -tls1 - Just talk TLSv1\n"); + BIO_printf(bio_err," -dtls1 - Just talk DTLSv1\n"); + BIO_printf(bio_err," -timeout - Enable timeouts\n"); + BIO_printf(bio_err," -mtu - Set MTU\n"); + BIO_printf(bio_err," -chain - Read a certificate chain\n"); BIO_printf(bio_err," -no_ssl2 - Just disable SSLv2\n"); BIO_printf(bio_err," -no_ssl3 - Just disable SSLv3\n"); BIO_printf(bio_err," -no_tls1 - Just disable TLSv1\n"); @@ -524,6 +534,7 @@ int MAIN(int argc, char *argv[]) int no_tmp_rsa=0,no_dhe=0,no_ecdhe=0,nocert=0; int state=0; SSL_METHOD *meth=NULL; + int sock_type=SOCK_STREAM; #ifndef OPENSSL_NO_ENGINE ENGINE *e=NULL; #endif @@ -740,6 +751,22 @@ int MAIN(int argc, char *argv[]) #ifndef OPENSSL_NO_TLS1 else if (strcmp(*argv,"-tls1") == 0) { meth=TLSv1_server_method(); } +#endif +#ifndef OPENSSL_NO_DTLS1 + else if (strcmp(*argv,"-dtls1") == 0) + { + meth=DTLSv1_server_method(); + sock_type = SOCK_DGRAM; + } + else if (strcmp(*argv,"-timeout") == 0) + enable_timeouts = 1; + else if (strcmp(*argv,"-mtu") == 0) + { + if (--argc < 1) goto bad; + mtu = atol(*(++argv)); + } + else if (strcmp(*argv, "-chain") == 0) + cert_chain = 1; #endif else if (strcmp(*argv, "-id_prefix") == 0) { @@ -892,6 +919,10 @@ bad: if (bugs) SSL_CTX_set_options(ctx,SSL_OP_ALL); if (hack) SSL_CTX_set_options(ctx,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG); SSL_CTX_set_options(ctx,off); + /* DTLS: partial reads end up discarding unread UDP bytes :-( + * Setting read ahead solves this problem. + */ + if (sock_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1); if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); @@ -1046,9 +1077,9 @@ bad: BIO_printf(bio_s_out,"ACCEPT\n"); if (www) - do_server(port,&accept_socket,www_body, context); + do_server(port,sock_type,&accept_socket,www_body, context); else - do_server(port,&accept_socket,sv_body, context); + do_server(port,sock_type,&accept_socket,sv_body, context); print_stats(bio_s_out,ctx); ret=0; end: @@ -1067,7 +1098,7 @@ end: OPENSSL_free(dpass); if (bio_s_out != NULL) { - BIO_free(bio_s_out); + BIO_free(bio_s_out); bio_s_out=NULL; } apps_shutdown(); @@ -1146,7 +1177,39 @@ static int sv_body(char *hostname, int s, unsigned char *context) } SSL_clear(con); - sbio=BIO_new_socket(s,BIO_NOCLOSE); + if (SSL_version(con) == DTLS1_VERSION) + { + struct timeval timeout; + + sbio=BIO_new_dgram(s,BIO_NOCLOSE); + + if ( enable_timeouts) + { + timeout.tv_sec = 0; + timeout.tv_usec = DGRAM_RCV_TIMEOUT; + BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout); + + timeout.tv_sec = 0; + timeout.tv_usec = DGRAM_SND_TIMEOUT; + BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); + } + + + if ( mtu > 0) + { + SSL_set_options(con, SSL_OP_NO_QUERY_MTU); + SSL_set_mtu(con, mtu); + } + else + /* want to do MTU discovery */ + BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL); + + /* turn on cookie exchange */ + SSL_set_options(con, SSL_OP_COOKIE_EXCHANGE); + } + else + sbio=BIO_new_socket(s,BIO_NOCLOSE); + if (s_nbio_test) { BIO *test; @@ -1252,7 +1315,8 @@ static int sv_body(char *hostname, int s, unsigned char *context) if ((i <= 0) || (buf[0] == 'q')) { BIO_printf(bio_s_out,"DONE\n"); - SHUTDOWN(s); + if (SSL_version(con) != DTLS1_VERSION) + SHUTDOWN(s); /* close_accept_socket(); ret= -11;*/ goto err; diff --git a/apps/s_socket.c b/apps/s_socket.c index cf43301df2..b5dd47d76b 100644 --- a/apps/s_socket.c +++ b/apps/s_socket.c @@ -92,9 +92,9 @@ static struct hostent *GetHostByName(char *name); static void ssl_sock_cleanup(void); #endif static int ssl_sock_init(void); -static int init_client_ip(int *sock,unsigned char ip[4], int port); -static int init_server(int *sock, int port); -static int init_server_long(int *sock, int port,char *ip); +static int init_client_ip(int *sock,unsigned char ip[4], int port, int type); +static int init_server(int *sock, int port, int type); +static int init_server_long(int *sock, int port,char *ip, int type); static int do_accept(int acc_sock, int *sock, char **host); static int host_ip(char *str, unsigned char ip[4]); @@ -224,7 +224,7 @@ static int ssl_sock_init(void) return(1); } -int init_client(int *sock, char *host, int port) +int init_client(int *sock, char *host, int port, int type) { unsigned char ip[4]; short p=0; @@ -234,10 +234,10 @@ int init_client(int *sock, char *host, int port) return(0); } if (p != 0) port=p; - return(init_client_ip(sock,ip,port)); + return(init_client_ip(sock,ip,port,type)); } -static int init_client_ip(int *sock, unsigned char ip[4], int port) +static int init_client_ip(int *sock, unsigned char ip[4], int port, int type) { unsigned long addr; struct sockaddr_in them; @@ -255,13 +255,20 @@ static int init_client_ip(int *sock, unsigned char ip[4], int port) ((unsigned long)ip[3]); them.sin_addr.s_addr=htonl(addr); - s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL); + if (type == SOCK_STREAM) + s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL); + else /* ( type == SOCK_DGRAM) */ + s=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP); + if (s == INVALID_SOCKET) { perror("socket"); return(0); } #ifndef OPENSSL_SYS_MPE - i=0; - i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i)); - if (i < 0) { perror("keepalive"); return(0); } + if (type == SOCK_STREAM) + { + i=0; + i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i)); + if (i < 0) { perror("keepalive"); return(0); } + } #endif if (connect(s,(struct sockaddr *)&them,sizeof(them)) == -1) @@ -270,30 +277,36 @@ static int init_client_ip(int *sock, unsigned char ip[4], int port) return(1); } -int do_server(int port, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), char *context) +int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), char *context) { int sock; - char *name; + char *name = NULL; int accept_socket; int i; - if (!init_server(&accept_socket,port)) return(0); + if (!init_server(&accept_socket,port,type)) return(0); if (ret != NULL) { *ret=accept_socket; /* return(1);*/ } - for (;;) - { - if (do_accept(accept_socket,&sock,&name) == 0) + for (;;) + { + if (type==SOCK_STREAM) { - SHUTDOWN(accept_socket); - return(0); + if (do_accept(accept_socket,&sock,&name) == 0) + { + SHUTDOWN(accept_socket); + return(0); + } } - i=(*cb)(name,sock, (unsigned char *)context); + else + sock = accept_socket; + i=(*cb)(name,sock, context); if (name != NULL) OPENSSL_free(name); - SHUTDOWN2(sock); + if (type==SOCK_STREAM) + SHUTDOWN2(sock); if (i < 0) { SHUTDOWN2(accept_socket); @@ -302,7 +315,7 @@ int do_server(int port, int *ret, int (*cb)(char *hostname, int s, unsigned char } } -static int init_server_long(int *sock, int port, char *ip) +static int init_server_long(int *sock, int port, char *ip, int type) { int ret=0; struct sockaddr_in server; @@ -322,7 +335,11 @@ static int init_server_long(int *sock, int port, char *ip) #else memcpy(&server.sin_addr,ip,4); #endif - s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL); + + if (type == SOCK_STREAM) + s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL); + else /* type == SOCK_DGRAM */ + s=socket(AF_INET, SOCK_DGRAM,IPPROTO_UDP); if (s == INVALID_SOCKET) goto err; #if defined SOL_SOCKET && defined SO_REUSEADDR @@ -340,7 +357,7 @@ static int init_server_long(int *sock, int port, char *ip) goto err; } /* Make it 128 for linux */ - if (listen(s,128) == -1) goto err; + if (type==SOCK_STREAM && listen(s,128) == -1) goto err; i=0; *sock=s; ret=1; @@ -352,9 +369,9 @@ err: return(ret); } -static int init_server(int *sock, int port) +static int init_server(int *sock, int port, int type) { - return(init_server_long(sock, port, NULL)); + return(init_server_long(sock, port, NULL, type)); } static int do_accept(int acc_sock, int *sock, char **host) diff --git a/apps/timeouts.h b/apps/timeouts.h new file mode 100644 index 0000000000..89b5dc76f6 --- /dev/null +++ b/apps/timeouts.h @@ -0,0 +1,67 @@ +/* apps/timeouts.h */ +/* + * DTLS implementation written by Nagendra Modadugu + * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. + */ +/* ==================================================================== + * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#ifndef INCLUDED_TIMEOUTS_H +#define INCLUDED_TIMEOUTS_H + +/* numbers in us */ +#define DGRAM_RCV_TIMEOUT 250000 +#define DGRAM_SND_TIMEOUT 250000 + +#endif /* ! INCLUDED_TIMEOUTS_H */ -- cgit v1.2.3