From 3235a2d4755b1bf83a42726488154952b1db10e1 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Wed, 22 Jun 2022 20:13:10 +0200 Subject: [PATCH 1/9] Init DTLS 1.3 examples --- dtls/Makefile | 8 +- dtls/client-dtls13.c | 182 +++++++++++++ dtls/dtls-common.h | 74 ++++++ dtls/server-dtls13-event.c | 511 +++++++++++++++++++++++++++++++++++++ dtls/server-dtls13.c | 230 +++++++++++++++++ 5 files changed, 1002 insertions(+), 3 deletions(-) create mode 100644 dtls/client-dtls13.c create mode 100644 dtls/dtls-common.h create mode 100644 dtls/server-dtls13-event.c create mode 100644 dtls/server-dtls13.c diff --git a/dtls/Makefile b/dtls/Makefile index 7eaef58b..39475f8d 100644 --- a/dtls/Makefile +++ b/dtls/Makefile @@ -7,13 +7,13 @@ LIBS = -L$(LIB_PATH)/lib -lm # option variables DYN_LIB = -lwolfssl STATIC_LIB = $(LIB_PATH)/lib/libwolfssl.a -DEBUG_FLAGS = -g -DDEBUG +DEBUG_FLAGS = -g3 -DDEBUG -O0 DEBUG_INC_PATHS = -MD OPTIMIZE = -Os # Options -#CFLAGS+=$(DEBUG_FLAGS) -CFLAGS+=$(OPTIMIZE) +CFLAGS+=$(DEBUG_FLAGS) +#CFLAGS+=$(OPTIMIZE) #LIBS+=$(STATIC_LIB) LIBS+=$(DYN_LIB) @@ -34,6 +34,8 @@ debug: all %-shared: CFLAGS+=-pthread %-shared: LIBS+=-lpthread +server-dtls13-event: LIBS+=-levent + # build template %: %.c $(CC) -o $@ $< $(CFLAGS) $(LIBS) diff --git a/dtls/client-dtls13.c b/dtls/client-dtls13.c new file mode 100644 index 00000000..b58d70bb --- /dev/null +++ b/dtls/client-dtls13.c @@ -0,0 +1,182 @@ +/* + * client-dtls13.c + * + * Copyright (C) 2006-2022 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + * + *============================================================================= + * + * Bare-bones example of a DTLS 1.3 client for instructional/learning purposes. + * This example uses blocking sockets for simplicity. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "dtls-common.h" + +#define MAXLINE 4096 +#define SERV_PORT 11111 +#define LOOP_LIMIT 5 +#define SFD_TIMEOUT 1 + +int main (int argc, char** argv) +{ + /* standard variables used in a dtls client*/ + int n = 0; + int sockfd = INVALID_SOCKET; + int err; + int ret; + int exitVal = 1; + struct sockaddr_in servAddr; + WOLFSSL* ssl = NULL; + WOLFSSL_CTX* ctx = NULL; + char* certs = "../certs/ca-cert.pem"; + char sendLine[MAXLINE]; + char recvLine[MAXLINE - 1]; + + /* Program argument checking */ + if (argc != 2) { + fprintf(stderr, "usage: %s \n", argv[0]); + return exitVal; + } + + /* Initialize wolfSSL before assigning ctx */ + if (wolfSSL_Init() != WOLFSSL_SUCCESS) { + fprintf(stderr, "wolfSSL_CTX_new error.\n"); + return exitVal; + } + + /* No-op when debugging is not compiled in */ + wolfSSL_Debugging_ON(); + + if ( (ctx = wolfSSL_CTX_new(wolfDTLSv1_3_client_method())) == NULL) { + fprintf(stderr, "wolfSSL_CTX_new error.\n"); + goto cleanup; + } + + /* Load certificates into ctx variable */ + if (wolfSSL_CTX_load_verify_locations(ctx, certs, 0) + != SSL_SUCCESS) { + fprintf(stderr, "Error loading %s, please check the file.\n", certs); + goto cleanup; + } + + /* Assign ssl variable */ + ssl = wolfSSL_new(ctx); + if (ssl == NULL) { + fprintf(stderr, "unable to get ssl object\n"); + goto cleanup; + } + + /* servAddr setup */ + memset(&servAddr, 0, sizeof(servAddr)); + servAddr.sin_family = AF_INET; + servAddr.sin_port = htons(SERV_PORT); + if (inet_pton(AF_INET, argv[1], &servAddr.sin_addr) < 1) { + perror("inet_pton()"); + goto cleanup; + } + + if (wolfSSL_dtls_set_peer(ssl, &servAddr, sizeof(servAddr)) + != WOLFSSL_SUCCESS) { + fprintf(stderr, "wolfSSL_dtls_set_peer failed\n"); + goto cleanup; + } + + if ( (sockfd = socket(AF_INET, SOCK_DGRAM, 0)) == -1) { + perror("socket()"); + goto cleanup; + } + + /* Set the file descriptor for ssl */ + if (wolfSSL_set_fd(ssl, sockfd) != WOLFSSL_SUCCESS) { + fprintf(stderr, "cannot set socket file descriptor\n"); + goto cleanup; + } + + /* Perform SSL connection */ + if (wolfSSL_connect(ssl) != SSL_SUCCESS) { + err = wolfSSL_get_error(ssl, 0); + fprintf(stderr, "err = %d, %s\n", err, wolfSSL_ERR_reason_error_string(err)); + fprintf(stderr, "wolfSSL_connect failed\n"); + goto cleanup; + } + +/*****************************************************************************/ +/* Code for sending datagram to server */ + if (fgets(sendLine, MAXLINE, stdin) != NULL) { + + /* Send sendLine to the server */ + if (wolfSSL_write(ssl, sendLine, strlen(sendLine)) != strlen(sendLine)) { + err = wolfSSL_get_error(ssl, 0); + fprintf(stderr, "err = %d, %s\n", err, wolfSSL_ERR_reason_error_string(err)); + fprintf(stderr, "wolfSSL_write failed\n"); + goto cleanup; + } + + /* n is the # of bytes received */ + n = wolfSSL_read(ssl, recvLine, sizeof(recvLine)-1); + + if (n > 0) { + /* Add a terminating character to the generic server message */ + recvLine[n] = '\0'; + printf("%s\n", recvLine); + } + else { + err = wolfSSL_get_error(ssl, 0); + fprintf(stderr, "err = %d, %s\n", err, wolfSSL_ERR_reason_error_string(err)); + fprintf(stderr, "wolfSSL_read failed\n"); + goto cleanup; + } + } +/* End code for sending datagram to server */ +/*****************************************************************************/ + + exitVal = 0; +cleanup: + if (ssl != NULL) { + /* Attempt a full shutdown */ + ret = wolfSSL_shutdown(ssl); + if (ret == WOLFSSL_SHUTDOWN_NOT_DONE) + ret = wolfSSL_shutdown(ssl); + if (ret != WOLFSSL_SUCCESS) { + err = wolfSSL_get_error(ssl, 0); + fprintf(stderr, "err = %d, %s\n", err, wolfSSL_ERR_reason_error_string(err)); + fprintf(stderr, "wolfSSL_shutdown failed\n"); + } + wolfSSL_free(ssl); + } + if (sockfd != INVALID_SOCKET) + close(sockfd); + if (ctx != NULL) + wolfSSL_CTX_free(ctx); + wolfSSL_Cleanup(); + + return exitVal; +} + diff --git a/dtls/dtls-common.h b/dtls/dtls-common.h new file mode 100644 index 00000000..c409b4ef --- /dev/null +++ b/dtls/dtls-common.h @@ -0,0 +1,74 @@ +/* + * dtls-common.h + * + * Copyright (C) 2006-2022 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + * + *============================================================================= + * + * Bare-bones example of a DTLS 1.3 client for instructional/learning purposes. + */ + +#ifndef DTLS_COMMON_H_ +#define DTLS_COMMON_H_ + +#define INVALID_SOCKET (-1) + +#define SFD_TIMEOUT_E (-1) +#define SFD_SOCKET_E (-2) +#define SFD_SELECT_E (-3) + +int wait_sfd(SOCKET_T socketfd, int to, int rx) { + fd_set fds, errfds; + fd_set* recvfds = NULL; + fd_set* sendfds = NULL; + SOCKET_T nfds = socketfd + 1; + struct timeval timeout; + int result; + + memset(&timeout, 0, sizeof(timeout)); + timeout.tv_sec = to; + + FD_ZERO(&fds); + FD_SET(socketfd, &fds); + FD_ZERO(&errfds); + FD_SET(socketfd, &errfds); + + if (rx) + recvfds = &fds; + else + sendfds = &fds; + + result = select(nfds, recvfds, sendfds, &errfds, &timeout); + + if (result == 0) + return SFD_TIMEOUT_E; + else if (result > 0) { + if (FD_ISSET(socketfd, &fds)) { + return 0; + } + else if(FD_ISSET(socketfd, &errfds)) + return SFD_SOCKET_E; + } + perror("select()"); + + return SFD_SELECT_E; +} + + +#endif /* DTLS_COMMON_H_ */ diff --git a/dtls/server-dtls13-event.c b/dtls/server-dtls13-event.c new file mode 100644 index 00000000..5f39bc8f --- /dev/null +++ b/dtls/server-dtls13-event.c @@ -0,0 +1,511 @@ +/* server-dtls13.c + * + * Copyright (C) 2006-2022 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + * + *============================================================================= + * + * Single threaded example of a DTLS 1.3 server for instructional/learning + * purposes. This example can handle multiple simultaneous connections by using + * the libevent library to handle the event loop. Please note that this example + * is not thread safe as access to global objects is not protected. + */ + +#include +#include /* standard in/out procedures */ +#include /* defines system calls */ +#include /* necessary for memset */ +#include +#include /* used for all socket calls */ +#include /* used for sockaddr_in */ +#include +#include +#include +#include +#include + +/* Requires libevent */ +#include + +#include "dtls-common.h" + +#define SERV_PORT 11111 /* define our server port number */ +#define MSGLEN 4096 +#define QUICK_MULT 4 /* Our quick timeout multiplier */ +#define CHGOODCB_E (-1000) /* An error outside the range of wolfSSL + * errors */ +#define CONN_TIMEOUT 5 /* How long we wait for peer data before + * closing the connection */ + +typedef struct conn_ctx { + WOLFSSL* ssl; + struct event* readEv; + struct event* writeEv; + char waitingOnData:1; +} conn_ctx; + +WOLFSSL_CTX* ctx = NULL; +struct event_base* base = NULL; +WOLFSSL* pendingSSL = NULL; +int listenfd = INVALID_SOCKET; /* Initialize our socket */ + +static void sig_handler(const int sig); +static void free_resources(void); +static void newConn(evutil_socket_t fd, short events, void* arg); +static void dataReady(evutil_socket_t fd, short events, void* arg); +static int chGoodCb(WOLFSSL* ssl, void*); +static int newPendingSSL(void); +static int newFD(void); + +int main(int argc, char** argv) +{ + /* Loc short for "location" */ + char caCertLoc[] = "../certs/ca-cert.pem"; + char servCertLoc[] = "../certs/server-cert.pem"; + char servKeyLoc[] = "../certs/server-key.pem"; + int exitVal = 1; + struct event* newConnEvent = NULL; + + /* Initialize wolfSSL before assigning ctx */ + if (wolfSSL_Init() != WOLFSSL_SUCCESS) { + fprintf(stderr, "wolfSSL_Init error.\n"); + return exitVal; + } + + /* No-op when debugging is not compiled in */ + wolfSSL_Debugging_ON(); + + /* Set ctx to DTLS 1.3 */ + if ((ctx = wolfSSL_CTX_new(wolfDTLSv1_3_server_method())) == NULL) { + fprintf(stderr, "wolfSSL_CTX_new error.\n"); + goto cleanup; + } + /* Load CA certificates */ + if (wolfSSL_CTX_load_verify_locations(ctx,caCertLoc,0) != + SSL_SUCCESS) { + fprintf(stderr, "Error loading %s, please check the file.\n", caCertLoc); + goto cleanup; + } + /* Load server certificates */ + if (wolfSSL_CTX_use_certificate_file(ctx, servCertLoc, SSL_FILETYPE_PEM) != + SSL_SUCCESS) { + fprintf(stderr, "Error loading %s, please check the file.\n", servCertLoc); + goto cleanup; + } + /* Load server Keys */ + if (wolfSSL_CTX_use_PrivateKey_file(ctx, servKeyLoc, + SSL_FILETYPE_PEM) != SSL_SUCCESS) { + fprintf(stderr, "Error loading %s, please check the file.\n", servKeyLoc); + goto cleanup; + } + + listenfd = newFD(); + if (listenfd == INVALID_SOCKET) + goto cleanup; + + if (!newPendingSSL()) + goto cleanup; + + signal(SIGINT, sig_handler); + + base = event_base_new(); + if (base == NULL) { + perror("event_base_new failed"); + exit(EXIT_FAILURE); + } + + newConnEvent = event_new(base, listenfd, EV_READ|EV_PERSIST, newConn, NULL); + if (newConnEvent == NULL) { + fprintf(stderr, "event_new failed for srvEvent\n"); + goto cleanup; + } + if (event_add(newConnEvent, NULL) != 0) { + fprintf(stderr, "event_add failed\n"); + goto cleanup; + } + + printf("running event loop\n"); + + if (event_base_dispatch(base) == -1) { + fprintf(stderr, "event_base_dispatch failed\n"); + goto cleanup; + } + + printf("done with dispatching\n"); + + + exitVal = 0; +cleanup: + free_resources(); + wolfSSL_Cleanup(); + + return exitVal; +} + +static int newFD(void) +{ + int fd; + int on = 1; + struct sockaddr_in servAddr; /* our server's address */ + + /* Create a UDP/IP socket */ + if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0 ) { + perror("socket()"); + return INVALID_SOCKET; + } + memset((char *)&servAddr, 0, sizeof(servAddr)); + /* host-to-network-long conversion (htonl) */ + /* host-to-network-short conversion (htons) */ + servAddr.sin_family = AF_INET; + servAddr.sin_addr.s_addr = htonl(INADDR_ANY); + servAddr.sin_port = htons(SERV_PORT); + + if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char*)&on, sizeof(on)) != 0) { + perror("setsockopt() with SO_REUSEADDR"); + goto cleanup; + } +#ifdef SO_REUSEPORT + if (setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, (char*)&on, sizeof(on)) != 0) { + perror("setsockopt() with SO_REUSEPORT"); + goto cleanup; + } +#endif + if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0) { + perror("fcntl"); + goto cleanup; + } + + /* Bind Socket */ + if (bind(fd, (struct sockaddr*)&servAddr, sizeof(servAddr)) < 0) { + perror("bind()"); + goto cleanup; + } + return fd; +cleanup: + if (fd != INVALID_SOCKET) { + close(fd); + fd = INVALID_SOCKET; + } + return INVALID_SOCKET; +} + +static int newPendingSSL(void) +{ + /* Create the pending WOLFSSL Object */ + if ((pendingSSL = wolfSSL_new(ctx)) == NULL) { + fprintf(stderr, "wolfSSL_new error.\n"); + return 0; + } + + wolfSSL_dtls_set_using_nonblock(pendingSSL, 1); + + if (wolfSSL_SetChGoodCb(pendingSSL, chGoodCb, NULL) != WOLFSSL_SUCCESS ) { + fprintf(stderr, "wolfSSL_SetChGoodCb error.\n"); + return 0; + } + + if (wolfSSL_set_fd(pendingSSL, listenfd) != WOLFSSL_SUCCESS) { + fprintf(stderr, "wolfSSL_set_fd error.\n"); + return 0; + } + + return 1; +} + +static void newConn(evutil_socket_t fd, short events, void* arg) +{ + struct sockaddr_in cliaddr; /* the client's address */ + socklen_t cliLen; + char b; + int ret; + int err; + int drop = 1; + /* Store pointer because pendingSSL can be modified in chGoodCb */ + WOLFSSL* ssl = pendingSSL; + + (void)events; + (void)arg; + + /* Get the incoming address */ + cliLen = sizeof(cliaddr); + ret = (int)recvfrom(listenfd, &b, sizeof(b), MSG_PEEK, + (struct sockaddr*)&cliaddr, &cliLen); + if (ret <= 0) { + perror("recvfrom()"); + goto error; + } + + if (wolfSSL_dtls_set_peer(ssl, &cliaddr, cliLen) != WOLFSSL_SUCCESS) { + fprintf(stderr, "wolfSSL_dtls_set_peer error.\n"); + goto error; + } + + drop = 0; + ret = wolfSSL_accept(ssl); + if (ret != WOLFSSL_SUCCESS) { + err = wolfSSL_get_error(ssl, 0); + if (err != WOLFSSL_ERROR_WANT_READ) { + fprintf(stderr, "error = %d, %s\n", err, + wolfSSL_ERR_reason_error_string(err)); + fprintf(stderr, "SSL_accept failed.\n"); + free_resources(); + wolfSSL_Cleanup(); + exit(1); + } + } + +error: + /* Drop the datagram */ + if (drop) + (void)recv(listenfd, &b, sizeof(b), 0); +} + +/* Called when we have verified a connection */ +static int chGoodCb(WOLFSSL* ssl, void* arg) +{ + int fd = INVALID_SOCKET; + struct sockaddr_in cliaddr; /* the client's address */ + socklen_t cliLen = sizeof(cliaddr); + conn_ctx* new_ctx = (conn_ctx*)calloc(1, sizeof(conn_ctx)); + int timeout = wolfSSL_dtls_get_current_timeout(ssl); + struct timeval tv; + + (void)arg; + + if (new_ctx == NULL) { + fprintf(stderr, "Out of memory!\n"); + goto error; + } + + new_ctx->ssl = ssl; + + if (wolfSSL_dtls_get_peer(ssl, &cliaddr, &cliLen) != WOLFSSL_SUCCESS) { + fprintf(stderr, "wolfSSL_dtls_get_peer failed\n"); + goto error; + } + + /* Promote the pending connection to an active connection */ + if (!newPendingSSL()) + goto error; + + /* We need to change the sfd here so that the ssl object doesn't drop any + * new connections */ + fd = newFD(); + if (fd == INVALID_SOCKET) + goto error; + + /* Limit new SFD to only this connection */ + if (connect(fd, (const struct sockaddr*)&cliaddr, cliLen) != 0) { + perror("connect()"); + goto error; + } + + /* Have the ssl object use only the SFD without the peer address (since the + * SFD is now connected) */ + if (wolfSSL_dtls_set_peer(ssl, NULL, 0) != WOLFSSL_SUCCESS) { + fprintf(stderr, "wolfSSL_dtls_set_peer error.\n"); + goto error; + } + + if (wolfSSL_set_fd(ssl, fd) != WOLFSSL_SUCCESS) { + fprintf(stderr, "wolfSSL_set_fd error.\n"); + goto error; + } + + new_ctx->writeEv = event_new(base, fd, EV_WRITE, dataReady, new_ctx); + if (new_ctx->writeEv == NULL) { + fprintf(stderr, "event_new failed for srvEvent\n"); + goto error; + } + new_ctx->readEv = event_new(base, fd, EV_READ, dataReady, new_ctx); + if (new_ctx->readEv == NULL) { + fprintf(stderr, "event_new failed for srvEvent\n"); + goto error; + } + memset(&tv, 0, sizeof(tv)); + if (wolfSSL_dtls13_use_quick_timeout(ssl)) { + if (timeout >= QUICK_MULT) + tv.tv_sec = timeout / QUICK_MULT; + else + tv.tv_usec = timeout * 1000000 / QUICK_MULT; + } + else + tv.tv_sec = timeout; + /* We are using non-blocking sockets so we will definitely be waiting for + * the peer. Start the timer now. */ + if (event_add(new_ctx->readEv, &tv) != 0) { + fprintf(stderr, "event_add failed\n"); + goto error; + } + + return 0; +error: + if (fd != INVALID_SOCKET) { + close(fd); + fd = INVALID_SOCKET; + } + (void)wolfSSL_set_fd(ssl, INVALID_SOCKET); + return CHGOODCB_E; +} + +static void dataReady(evutil_socket_t fd, short events, void* arg) +{ + conn_ctx* connCtx = (conn_ctx*)arg; + int ret; + int err; + int timeout; + struct timeval tv; + char msg[100]; + int msgSz; + char* ack = "I hear you fashizzle!\n"; + + memset(&tv, 0, sizeof(tv)); + if (events & EV_TIMEOUT) { + /* A timeout occurred */ + if (!wolfSSL_is_init_finished(connCtx->ssl)) { + if (wolfSSL_dtls_got_timeout(connCtx->ssl) != WOLFSSL_SUCCESS) { + fprintf(stderr, "wolfSSL_dtls_got_timeout failed\n"); + goto error; + } + timeout = wolfSSL_dtls_get_current_timeout(connCtx->ssl); + if (wolfSSL_dtls13_use_quick_timeout(connCtx->ssl)) { + if (timeout >= QUICK_MULT) + tv.tv_sec = timeout / QUICK_MULT; + else + tv.tv_usec = timeout * 1000000 / QUICK_MULT; + } + else + tv.tv_sec = timeout; + if (event_add(connCtx->readEv, &tv) != 0) { + fprintf(stderr, "event_add failed\n"); + goto error; + } + } + else { + if (connCtx->waitingOnData) { + /* Too long waiting for peer data. Shutdown the connection. + * Don't wait for a response from the peer. */ + printf("Closing connection after timeout"); + (void)wolfSSL_shutdown(connCtx->ssl); + goto error; + } + else { + tv.tv_sec = CONN_TIMEOUT; + connCtx->waitingOnData = 1; + if (event_add(connCtx->readEv, &tv) != 0) { + fprintf(stderr, "event_add failed\n"); + goto error; + } + } + } + } + else if (events & (EV_READ|EV_WRITE)) { + ret = wolfSSL_read(connCtx->ssl, msg, sizeof(msg) - 1); + if (ret > 0) { + msgSz = ret; + msg[msgSz] = '\0'; + printf("Received message: %s\n", msg); + ret = wolfSSL_write(connCtx->ssl, ack, strlen(ack)); + } + + if (ret <= 0) { + err = wolfSSL_get_error(connCtx->ssl, 0); + if (err == WOLFSSL_ERROR_WANT_READ || + err == WOLFSSL_ERROR_WANT_WRITE) { + timeout = wolfSSL_dtls_get_current_timeout(connCtx->ssl); + if (wolfSSL_dtls13_use_quick_timeout(connCtx->ssl)) { + if (timeout >= QUICK_MULT) + tv.tv_sec = timeout / QUICK_MULT; + else + tv.tv_usec = timeout * 1000000 / QUICK_MULT; + } + else + tv.tv_sec = timeout; + if (event_add(err == WOLFSSL_ERROR_WANT_READ ? + connCtx->readEv : connCtx->writeEv, &tv) != 0) { + fprintf(stderr, "event_add failed\n"); + goto error; + } + } + else if (err == WOLFSSL_ERROR_ZERO_RETURN) { + /* Peer closed connection. Let's do the same. */ + printf("peer closed connection\n"); + ret = wolfSSL_shutdown(connCtx->ssl); + if (ret != WOLFSSL_SUCCESS) { + fprintf(stderr, "wolfSSL_shutdown failed (%d)\n", ret); + } + goto error; + } + else { + fprintf(stderr, "error = %d, %s\n", err, + wolfSSL_ERR_reason_error_string(err)); + fprintf(stderr, "wolfSSL_read or wolfSSL_write failed\n"); + goto error; + } + } + else { + tv.tv_sec = CONN_TIMEOUT; + connCtx->waitingOnData = 1; + if (event_add(connCtx->readEv, &tv) != 0) { + fprintf(stderr, "event_add failed\n"); + goto error; + } + } + } + else { + fprintf(stderr, "Unexpected events %d\n", events); + goto error; + } + + + return; +error: + /* Free the connection */ + (void)event_del(connCtx->readEv); + (void)event_del(connCtx->writeEv); + event_free(connCtx->readEv); /* EV_PERSIST not used so safe to free here */ + event_free(connCtx->writeEv); /* EV_PERSIST not used so safe to free here */ + wolfSSL_Free(connCtx->ssl); + close(fd); + free(connCtx); +} + +void sig_handler(const int sig) +{ + (void)sig; + free_resources(); + wolfSSL_Cleanup(); + exit(0); +} + +void free_resources(void) +{ + if (pendingSSL != NULL) { + wolfSSL_shutdown(pendingSSL); + wolfSSL_free(pendingSSL); + pendingSSL = NULL; + } + if (ctx != NULL) { + wolfSSL_CTX_free(ctx); + ctx = NULL; + } + if (listenfd != INVALID_SOCKET) { + close(listenfd); + listenfd = INVALID_SOCKET; + } +} diff --git a/dtls/server-dtls13.c b/dtls/server-dtls13.c new file mode 100644 index 00000000..fc8d6621 --- /dev/null +++ b/dtls/server-dtls13.c @@ -0,0 +1,230 @@ +/* server-dtls13.c + * + * Copyright (C) 2006-2022 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + * + *============================================================================= + * + * Bare-bones example of a DTLS 1.3 server for instructional/learning purposes. + * This example can only accept one connection at a time. + */ + +#include +#include /* standard in/out procedures */ +#include /* defines system calls */ +#include /* necessary for memset */ +#include +#include /* used for all socket calls */ +#include /* used for sockaddr_in */ +#include +#include +#include +#include +#include + +#include "dtls-common.h" + +#define SERV_PORT 11111 /* define our server port number */ +#define MSGLEN 4096 + +WOLFSSL_CTX* ctx = NULL; +WOLFSSL* ssl = NULL; +int listenfd = INVALID_SOCKET; /* Initialize our socket */ + +void sig_handler(const int sig); +void free_resources(void); + +int main(int argc, char** argv) +{ + /* Loc short for "location" */ + char caCertLoc[] = "../certs/ca-cert.pem"; + char servCertLoc[] = "../certs/server-cert.pem"; + char servKeyLoc[] = "../certs/server-key.pem"; + int exitVal = 1; + struct sockaddr_in servAddr; /* our server's address */ + struct sockaddr_in cliaddr; /* the client's address */ + int ret; + int err; + int recvLen = 0; /* length of message */ + socklen_t cliLen; + unsigned char b[MSGLEN]; /* watch for incoming messages */ + char buff[MSGLEN]; /* the incoming message */ + char ack[] = "I hear you fashizzle!\n"; + + /* Initialize wolfSSL before assigning ctx */ + if (wolfSSL_Init() != WOLFSSL_SUCCESS) { + fprintf(stderr, "wolfSSL_Init error.\n"); + return exitVal; + } + + /* No-op when debugging is not compiled in */ + wolfSSL_Debugging_ON(); + + /* Set ctx to DTLS 1.3 */ + if ((ctx = wolfSSL_CTX_new(wolfDTLSv1_3_server_method())) == NULL) { + fprintf(stderr, "wolfSSL_CTX_new error.\n"); + goto cleanup; + } + /* Load CA certificates */ + if (wolfSSL_CTX_load_verify_locations(ctx,caCertLoc,0) != + SSL_SUCCESS) { + fprintf(stderr, "Error loading %s, please check the file.\n", caCertLoc); + goto cleanup; + } + /* Load server certificates */ + if (wolfSSL_CTX_use_certificate_file(ctx, servCertLoc, SSL_FILETYPE_PEM) != + SSL_SUCCESS) { + fprintf(stderr, "Error loading %s, please check the file.\n", servCertLoc); + goto cleanup; + } + /* Load server Keys */ + if (wolfSSL_CTX_use_PrivateKey_file(ctx, servKeyLoc, + SSL_FILETYPE_PEM) != SSL_SUCCESS) { + fprintf(stderr, "Error loading %s, please check the file.\n", servKeyLoc); + goto cleanup; + } + + /* Create a UDP/IP socket */ + if ((listenfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0 ) { + perror("socket()"); + goto cleanup; + } + printf("Socket allocated\n"); + memset((char *)&servAddr, 0, sizeof(servAddr)); + /* host-to-network-long conversion (htonl) */ + /* host-to-network-short conversion (htons) */ + servAddr.sin_family = AF_INET; + servAddr.sin_addr.s_addr = htonl(INADDR_ANY); + servAddr.sin_port = htons(SERV_PORT); + + /* Bind Socket */ + if (bind(listenfd, (struct sockaddr*)&servAddr, sizeof(servAddr)) < 0) { + perror("bind()"); + goto cleanup; + } + + signal(SIGINT, sig_handler); + + while (1) { + printf("Awaiting client connection on port %d\n", SERV_PORT); + + cliLen = sizeof(cliaddr); + ret = (int)recvfrom(listenfd, (char *)&b, sizeof(b), MSG_PEEK, + (struct sockaddr*)&cliaddr, &cliLen); + + if (ret < 0) { + perror("recvfrom()"); + goto cleanup; + } + else if (ret == 0) { + fprintf(stderr, "recvfrom zero return\n"); + goto cleanup; + } + + /* Create the WOLFSSL Object */ + if ((ssl = wolfSSL_new(ctx)) == NULL) { + fprintf(stderr, "wolfSSL_new error.\n"); + goto cleanup; + } + + if (wolfSSL_dtls_set_peer(ssl, &cliaddr, cliLen) != WOLFSSL_SUCCESS) { + fprintf(stderr, "wolfSSL_dtls_set_peer error.\n"); + goto cleanup; + } + + if (wolfSSL_set_fd(ssl, listenfd) != WOLFSSL_SUCCESS) { + fprintf(stderr, "wolfSSL_set_fd error.\n"); + break; + } + + if (wolfSSL_accept(ssl) != SSL_SUCCESS) { + err = wolfSSL_get_error(ssl, 0); + fprintf(stderr, "error = %d, %s\n", err, wolfSSL_ERR_reason_error_string(err)); + fprintf(stderr, "SSL_accept failed.\n"); + goto cleanup; + } + printf("Connected!\n"); + if ((recvLen = wolfSSL_read(ssl, buff, sizeof(buff)-1)) > 0) { + printf("heard %d bytes\n", recvLen); + + buff[recvLen] = '\0'; + printf("I heard this: \"%s\"\n", buff); + } + else if (recvLen <= 0) { + err = wolfSSL_get_error(ssl, 0); + fprintf(stderr, "error = %d, %s\n", err, wolfSSL_ERR_reason_error_string(err)); + fprintf(stderr, "SSL_read failed.\n"); + goto cleanup; + } + printf("Sending reply.\n"); + if (wolfSSL_write(ssl, ack, sizeof(ack)) < 0) { + err = wolfSSL_get_error(ssl, 0); + fprintf(stderr, "error = %d, %s\n", err, wolfSSL_ERR_reason_error_string(err)); + fprintf(stderr, "wolfSSL_write failed.\n"); + goto cleanup; + } + + printf("reply sent \"%s\"\n", ack); + + /* Attempt a full shutdown */ + ret = wolfSSL_shutdown(ssl); + if (ret == WOLFSSL_SHUTDOWN_NOT_DONE) + ret = wolfSSL_shutdown(ssl); + if (ret != WOLFSSL_SUCCESS) { + err = wolfSSL_get_error(ssl, 0); + fprintf(stderr, "err = %d, %s\n", err, wolfSSL_ERR_reason_error_string(err)); + fprintf(stderr, "wolfSSL_shutdown failed\n"); + } + wolfSSL_free(ssl); + ssl = NULL; + + printf("Client left cont to idle state\n"); + } + + exitVal = 0; +cleanup: + free_resources(); + wolfSSL_Cleanup(); + + return exitVal; +} + + +void sig_handler(const int sig) +{ + (void)sig; + free_resources(); + wolfSSL_Cleanup(); +} + +void free_resources(void) +{ + if (ssl != NULL) { + wolfSSL_shutdown(ssl); + wolfSSL_free(ssl); + ssl = NULL; + } + if (ctx != NULL) { + wolfSSL_CTX_free(ctx); + ctx = NULL; + } + if (listenfd != INVALID_SOCKET) { + close(listenfd); + listenfd = INVALID_SOCKET; + } +} From c7898d31954d99b877d817dc09b8c8cdf339f6ac Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Fri, 24 Jun 2022 10:41:12 +0200 Subject: [PATCH 2/9] DTLS 1.3 client and server examples - Basic client - Basic single-thread single-connection server - Basic single-thread multiple-connection server using libevent Compile wolfSSL with `./configure --enable-dtls --enable-dtls13 --enable-hrrcookie`. Statelessness of server-dtls13-event tested by sending packets found in `dtls/bin-msgs` (`cat dtls/bin-msgs/CH1.bin | nc -u 127.0.0.1 11111 > /dev/null`) --- dtls/bin-msgs/CH1.bin | Bin 0 -> 259 bytes dtls/bin-msgs/CH2.bin | Bin 0 -> 332 bytes dtls/client-dtls13.c | 9 ++- dtls/dtls-common.h | 45 +------------ dtls/server-dtls.c | 39 +++++------ dtls/server-dtls13-event.c | 131 +++++++++++++++++++++++++++++-------- dtls/server-dtls13.c | 2 +- 7 files changed, 136 insertions(+), 90 deletions(-) create mode 100644 dtls/bin-msgs/CH1.bin create mode 100644 dtls/bin-msgs/CH2.bin diff --git a/dtls/bin-msgs/CH1.bin b/dtls/bin-msgs/CH1.bin new file mode 100644 index 0000000000000000000000000000000000000000..e2ccb26a12bd684c83bd1b67a65fd9ea1dff32b3 GIT binary patch literal 259 zcmWgp_m=?%zA-W|yn=FG{rk&x`T~E9bi<~3$Hdu}mF_F^dab1py|cA+sb$Z4uCf!E zK$T{~jKWO9%m;K1Xdf^*pwBR$VcwaQXI7k9bwK@q@&SzlDhId@a2^mjAk2`>kj`Mq zV0=d8jPMyzpgmm-#tiNZt_JPCQ}fTtDTb*NX)_MJuQORNeFa_R5RSIf5@{ zPI_*2w6Rxn(o{`f^%a$+omoB8a*h6OI%6s3vMDkmpTqH(I~#*G12faVKMcGK3Jh{= x%&g2T%uLK2Y#iJitQ=e%EF7F{jI4|-jLeKoj0{{1JU}eTAOW-)K;;0}0nP&=2ZR~2 z8PXXn8H~?}oDn`F3bf)fgEj**)4x9qybKBqa%{}3%q+}I%p7bS+#IYNTpTPMoNSD& zj4X`Ij7*FSIt;E1&I+^4#NGuR;3~QK{jhjW*{Ti;t-2s65* z#7yxkTUevBuk`g#?&5so8@12*qvB22gd~OD%y~7P!I;4vXp}gEBTM$Q6HnMV*H8KA z^JG? a=Wsmc&c?vSzyrjR3=%-&KpqlfU;qH!oo*2T literal 0 HcmV?d00001 diff --git a/dtls/client-dtls13.c b/dtls/client-dtls13.c index b58d70bb..2c7ae0e5 100644 --- a/dtls/client-dtls13.c +++ b/dtls/client-dtls13.c @@ -127,9 +127,16 @@ int main (int argc, char** argv) goto cleanup; } + showConnInfo(ssl); + /*****************************************************************************/ /* Code for sending datagram to server */ - if (fgets(sendLine, MAXLINE, stdin) != NULL) { + while (1) { + if (fgets(sendLine, MAXLINE, stdin) == NULL) + break; + + if (strncmp(sendLine, "end", 3) == 0) + break; /* Send sendLine to the server */ if (wolfSSL_write(ssl, sendLine, strlen(sendLine)) != strlen(sendLine)) { diff --git a/dtls/dtls-common.h b/dtls/dtls-common.h index c409b4ef..b1df4c63 100644 --- a/dtls/dtls-common.h +++ b/dtls/dtls-common.h @@ -19,9 +19,6 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA * - *============================================================================= - * - * Bare-bones example of a DTLS 1.3 client for instructional/learning purposes. */ #ifndef DTLS_COMMON_H_ @@ -29,45 +26,9 @@ #define INVALID_SOCKET (-1) -#define SFD_TIMEOUT_E (-1) -#define SFD_SOCKET_E (-2) -#define SFD_SELECT_E (-3) - -int wait_sfd(SOCKET_T socketfd, int to, int rx) { - fd_set fds, errfds; - fd_set* recvfds = NULL; - fd_set* sendfds = NULL; - SOCKET_T nfds = socketfd + 1; - struct timeval timeout; - int result; - - memset(&timeout, 0, sizeof(timeout)); - timeout.tv_sec = to; - - FD_ZERO(&fds); - FD_SET(socketfd, &fds); - FD_ZERO(&errfds); - FD_SET(socketfd, &errfds); - - if (rx) - recvfds = &fds; - else - sendfds = &fds; - - result = select(nfds, recvfds, sendfds, &errfds, &timeout); - - if (result == 0) - return SFD_TIMEOUT_E; - else if (result > 0) { - if (FD_ISSET(socketfd, &fds)) { - return 0; - } - else if(FD_ISSET(socketfd, &errfds)) - return SFD_SOCKET_E; - } - perror("select()"); - - return SFD_SELECT_E; +void showConnInfo(WOLFSSL* ssl) { + printf("New connection established using %s %s\n", + wolfSSL_get_version(ssl), wolfSSL_get_cipher(ssl)); } diff --git a/dtls/server-dtls.c b/dtls/server-dtls.c index 96c40b1b..5e4c13e8 100644 --- a/dtls/server-dtls.c +++ b/dtls/server-dtls.c @@ -175,25 +175,27 @@ int main(int argc, char** argv) printf("SSL_accept failed.\n"); break; } - if ((recvLen = wolfSSL_read(ssl, buff, sizeof(buff)-1)) > 0) { - printf("heard %d bytes\n", recvLen); + while (1) { + if ((recvLen = wolfSSL_read(ssl, buff, sizeof(buff)-1)) > 0) { + printf("heard %d bytes\n", recvLen); - buff[recvLen] = 0; - printf("I heard this: \"%s\"\n", buff); - } - else if (recvLen < 0) { - int readErr = wolfSSL_get_error(ssl, 0); - if(readErr != SSL_ERROR_WANT_READ) { - printf("SSL_read failed.\n"); - break; + buff[recvLen] = 0; + printf("I heard this: \"%s\"\n", buff); + } + else if (recvLen < 0) { + int readErr = wolfSSL_get_error(ssl, 0); + if(readErr != SSL_ERROR_WANT_READ) { + printf("SSL_read failed.\n"); + goto error; + } + } + if (wolfSSL_write(ssl, ack, sizeof(ack)) < 0) { + printf("wolfSSL_write fail.\n"); + goto error; + } + else { + printf("Sending reply.\n"); } - } - if (wolfSSL_write(ssl, ack, sizeof(ack)) < 0) { - printf("wolfSSL_write fail.\n"); - break; - } - else { - printf("Sending reply.\n"); } printf("reply sent \"%s\"\n", ack); @@ -207,8 +209,7 @@ int main(int argc, char** argv) printf("Client left cont to idle state\n"); } - /* With the "continue" keywords, it is possible for the loop to exit * - * without changing the value of cont */ +error: if (cleanup == 1) { wolfSSL_set_fd(ssl, 0); wolfSSL_shutdown(ssl); diff --git a/dtls/server-dtls13-event.c b/dtls/server-dtls13-event.c index 5f39bc8f..145d26a4 100644 --- a/dtls/server-dtls13-event.c +++ b/dtls/server-dtls13-event.c @@ -35,6 +35,7 @@ #include /* used for sockaddr_in */ #include #include +#include #include #include #include @@ -49,10 +50,11 @@ #define QUICK_MULT 4 /* Our quick timeout multiplier */ #define CHGOODCB_E (-1000) /* An error outside the range of wolfSSL * errors */ -#define CONN_TIMEOUT 5 /* How long we wait for peer data before +#define CONN_TIMEOUT 10 /* How long we wait for peer data before * closing the connection */ typedef struct conn_ctx { + struct conn_ctx* next; WOLFSSL* ssl; struct event* readEv; struct event* writeEv; @@ -63,14 +65,18 @@ WOLFSSL_CTX* ctx = NULL; struct event_base* base = NULL; WOLFSSL* pendingSSL = NULL; int listenfd = INVALID_SOCKET; /* Initialize our socket */ +conn_ctx* active = NULL; +struct event* newConnEvent = NULL; static void sig_handler(const int sig); static void free_resources(void); static void newConn(evutil_socket_t fd, short events, void* arg); static void dataReady(evutil_socket_t fd, short events, void* arg); static int chGoodCb(WOLFSSL* ssl, void*); +static int hsDoneCb(WOLFSSL* ssl, void*); static int newPendingSSL(void); static int newFD(void); +static void conn_ctx_free(conn_ctx* connCtx); int main(int argc, char** argv) { @@ -79,7 +85,6 @@ int main(int argc, char** argv) char servCertLoc[] = "../certs/server-cert.pem"; char servKeyLoc[] = "../certs/server-key.pem"; int exitVal = 1; - struct event* newConnEvent = NULL; /* Initialize wolfSSL before assigning ctx */ if (wolfSSL_Init() != WOLFSSL_SUCCESS) { @@ -206,24 +211,44 @@ cleanup: static int newPendingSSL(void) { + /* Applications should update this secret periodically */ + char *secret = "My secret"; + WOLFSSL* ssl; + /* Create the pending WOLFSSL Object */ - if ((pendingSSL = wolfSSL_new(ctx)) == NULL) { + if ((ssl = wolfSSL_new(ctx)) == NULL) { fprintf(stderr, "wolfSSL_new error.\n"); return 0; } - wolfSSL_dtls_set_using_nonblock(pendingSSL, 1); + wolfSSL_dtls_set_using_nonblock(ssl, 1); - if (wolfSSL_SetChGoodCb(pendingSSL, chGoodCb, NULL) != WOLFSSL_SUCCESS ) { + if (wolfSSL_SetChGoodCb(ssl, chGoodCb, NULL) != WOLFSSL_SUCCESS ) { fprintf(stderr, "wolfSSL_SetChGoodCb error.\n"); + wolfSSL_free(ssl); return 0; } - if (wolfSSL_set_fd(pendingSSL, listenfd) != WOLFSSL_SUCCESS) { - fprintf(stderr, "wolfSSL_set_fd error.\n"); + if (wolfSSL_SetHsDoneCb(ssl, hsDoneCb, NULL) != WOLFSSL_SUCCESS ) { + fprintf(stderr, "wolfSSL_SetHsDoneCb error.\n"); + wolfSSL_free(ssl); return 0; } + if (wolfSSL_set_fd(ssl, listenfd) != WOLFSSL_SUCCESS) { + fprintf(stderr, "wolfSSL_set_fd error.\n"); + wolfSSL_free(ssl); + return 0; + } + + if (wolfSSL_send_hrr_cookie(ssl, (byte*)secret, strlen(secret)) != WOLFSSL_SUCCESS) { + fprintf(stderr, "wolfSSL_set_fd error.\n"); + wolfSSL_free(ssl); + return 0; + } + + pendingSSL = ssl; + return 1; } @@ -281,28 +306,26 @@ static int chGoodCb(WOLFSSL* ssl, void* arg) int fd = INVALID_SOCKET; struct sockaddr_in cliaddr; /* the client's address */ socklen_t cliLen = sizeof(cliaddr); - conn_ctx* new_ctx = (conn_ctx*)calloc(1, sizeof(conn_ctx)); + conn_ctx* connCtx = (conn_ctx*)calloc(1, sizeof(conn_ctx)); int timeout = wolfSSL_dtls_get_current_timeout(ssl); struct timeval tv; (void)arg; - if (new_ctx == NULL) { + if (connCtx == NULL) { fprintf(stderr, "Out of memory!\n"); goto error; } - new_ctx->ssl = ssl; + /* Push to active connection stack */ + connCtx->next = active; + active = connCtx; if (wolfSSL_dtls_get_peer(ssl, &cliaddr, &cliLen) != WOLFSSL_SUCCESS) { fprintf(stderr, "wolfSSL_dtls_get_peer failed\n"); goto error; } - /* Promote the pending connection to an active connection */ - if (!newPendingSSL()) - goto error; - /* We need to change the sfd here so that the ssl object doesn't drop any * new connections */ fd = newFD(); @@ -327,13 +350,13 @@ static int chGoodCb(WOLFSSL* ssl, void* arg) goto error; } - new_ctx->writeEv = event_new(base, fd, EV_WRITE, dataReady, new_ctx); - if (new_ctx->writeEv == NULL) { + connCtx->writeEv = event_new(base, fd, EV_WRITE, dataReady, connCtx); + if (connCtx->writeEv == NULL) { fprintf(stderr, "event_new failed for srvEvent\n"); goto error; } - new_ctx->readEv = event_new(base, fd, EV_READ, dataReady, new_ctx); - if (new_ctx->readEv == NULL) { + connCtx->readEv = event_new(base, fd, EV_READ, dataReady, connCtx); + if (connCtx->readEv == NULL) { fprintf(stderr, "event_new failed for srvEvent\n"); goto error; } @@ -348,21 +371,37 @@ static int chGoodCb(WOLFSSL* ssl, void* arg) tv.tv_sec = timeout; /* We are using non-blocking sockets so we will definitely be waiting for * the peer. Start the timer now. */ - if (event_add(new_ctx->readEv, &tv) != 0) { + if (event_add(connCtx->readEv, &tv) != 0) { fprintf(stderr, "event_add failed\n"); goto error; } + /* Promote the pending connection to an active connection */ + if (!newPendingSSL()) + goto error; + connCtx->ssl = ssl; + return 0; error: if (fd != INVALID_SOCKET) { close(fd); fd = INVALID_SOCKET; } + if (connCtx != NULL) { + connCtx->ssl = NULL; + conn_ctx_free(connCtx); + } (void)wolfSSL_set_fd(ssl, INVALID_SOCKET); return CHGOODCB_E; } +static int hsDoneCb(WOLFSSL* ssl, void* arg) +{ + showConnInfo(ssl); + (void)arg; + return 0; +} + static void dataReady(evutil_socket_t fd, short events, void* arg) { conn_ctx* connCtx = (conn_ctx*)arg; @@ -400,7 +439,7 @@ static void dataReady(evutil_socket_t fd, short events, void* arg) if (connCtx->waitingOnData) { /* Too long waiting for peer data. Shutdown the connection. * Don't wait for a response from the peer. */ - printf("Closing connection after timeout"); + printf("Closing connection after timeout\n"); (void)wolfSSL_shutdown(connCtx->ssl); goto error; } @@ -476,18 +515,41 @@ static void dataReady(evutil_socket_t fd, short events, void* arg) return; error: /* Free the connection */ - (void)event_del(connCtx->readEv); - (void)event_del(connCtx->writeEv); - event_free(connCtx->readEv); /* EV_PERSIST not used so safe to free here */ - event_free(connCtx->writeEv); /* EV_PERSIST not used so safe to free here */ - wolfSSL_Free(connCtx->ssl); + conn_ctx_free(connCtx); close(fd); - free(connCtx); +} + +static void conn_ctx_free(conn_ctx* connCtx) +{ + if (connCtx != NULL) { + /* Remove from active stack */ + if (active != NULL) { + conn_ctx** prev = &active; + while (*prev != NULL) { + if (*prev == connCtx) { + *prev = connCtx->next; + break; + } + prev = &(*prev)->next; + } + } + if (connCtx->ssl != NULL) + wolfSSL_free(connCtx->ssl); + if (connCtx->readEv != NULL) { + (void)event_del(connCtx->readEv); + event_free(connCtx->readEv); + } + if (connCtx->writeEv != NULL) { + (void)event_del(connCtx->writeEv); + event_free(connCtx->writeEv); + } + free(connCtx); + } } void sig_handler(const int sig) { - (void)sig; + printf("Received signal %d. Cleaning up.\n", sig); free_resources(); wolfSSL_Cleanup(); exit(0); @@ -495,6 +557,12 @@ void sig_handler(const int sig) void free_resources(void) { + conn_ctx* connCtx = active; + while (connCtx != NULL) { + active = active->next; + conn_ctx_free(connCtx); + connCtx = active; + } if (pendingSSL != NULL) { wolfSSL_shutdown(pendingSSL); wolfSSL_free(pendingSSL); @@ -508,4 +576,13 @@ void free_resources(void) close(listenfd); listenfd = INVALID_SOCKET; } + if (newConnEvent != NULL) { + (void)event_del(newConnEvent); + event_free(newConnEvent); + newConnEvent = NULL; + } + if (base != NULL) { + event_base_free(base); + base = NULL; + } } diff --git a/dtls/server-dtls13.c b/dtls/server-dtls13.c index fc8d6621..8fb904ae 100644 --- a/dtls/server-dtls13.c +++ b/dtls/server-dtls13.c @@ -158,7 +158,7 @@ int main(int argc, char** argv) fprintf(stderr, "SSL_accept failed.\n"); goto cleanup; } - printf("Connected!\n"); + showConnInfo(ssl); if ((recvLen = wolfSSL_read(ssl, buff, sizeof(buff)-1)) > 0) { printf("heard %d bytes\n", recvLen); From e10507b31c881d09948a4eb3b93e7eaeeccaacc0 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Tue, 28 Jun 2022 12:17:55 +0200 Subject: [PATCH 3/9] Revert default CFLAGS --- dtls/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dtls/Makefile b/dtls/Makefile index 39475f8d..b2cb5a9a 100644 --- a/dtls/Makefile +++ b/dtls/Makefile @@ -12,8 +12,8 @@ DEBUG_INC_PATHS = -MD OPTIMIZE = -Os # Options -CFLAGS+=$(DEBUG_FLAGS) -#CFLAGS+=$(OPTIMIZE) +#CFLAGS+=$(DEBUG_FLAGS) +CFLAGS+=$(OPTIMIZE) #LIBS+=$(STATIC_LIB) LIBS+=$(DYN_LIB) From 109e07ae4d5817e46c0ac8171f17782e33213e4c Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Tue, 28 Jun 2022 12:19:13 +0200 Subject: [PATCH 4/9] Ignore compilation errors with server-dtls13-event.c --- dtls/Makefile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/dtls/Makefile b/dtls/Makefile index b2cb5a9a..d6dcb065 100644 --- a/dtls/Makefile +++ b/dtls/Makefile @@ -34,7 +34,9 @@ debug: all %-shared: CFLAGS+=-pthread %-shared: LIBS+=-lpthread -server-dtls13-event: LIBS+=-levent +# try to build the libevent server. "|| true" ignores the error return. +server-dtls13-event: server-dtls13-event.c + $(CC) -o $@ $< $(CFLAGS) $(LIBS) -levent || true # build template %: %.c From 88cf4e3e5e42903c58d68f014f06a4f1372002c9 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Tue, 28 Jun 2022 12:19:43 +0200 Subject: [PATCH 5/9] Move common definitions to dtls-common.h --- dtls/client-dtls13.c | 10 ++-------- dtls/dtls-common.h | 11 ++++++++++- dtls/server-dtls13-event.c | 8 +------- dtls/server-dtls13.c | 11 ++--------- 4 files changed, 15 insertions(+), 25 deletions(-) diff --git a/dtls/client-dtls13.c b/dtls/client-dtls13.c index 2c7ae0e5..d30df62b 100644 --- a/dtls/client-dtls13.c +++ b/dtls/client-dtls13.c @@ -39,11 +39,6 @@ #include "dtls-common.h" -#define MAXLINE 4096 -#define SERV_PORT 11111 -#define LOOP_LIMIT 5 -#define SFD_TIMEOUT 1 - int main (int argc, char** argv) { /* standard variables used in a dtls client*/ @@ -55,7 +50,6 @@ int main (int argc, char** argv) struct sockaddr_in servAddr; WOLFSSL* ssl = NULL; WOLFSSL_CTX* ctx = NULL; - char* certs = "../certs/ca-cert.pem"; char sendLine[MAXLINE]; char recvLine[MAXLINE - 1]; @@ -80,9 +74,9 @@ int main (int argc, char** argv) } /* Load certificates into ctx variable */ - if (wolfSSL_CTX_load_verify_locations(ctx, certs, 0) + if (wolfSSL_CTX_load_verify_locations(ctx, caCertLoc, 0) != SSL_SUCCESS) { - fprintf(stderr, "Error loading %s, please check the file.\n", certs); + fprintf(stderr, "Error loading %s, please check the file.\n", caCertLoc); goto cleanup; } diff --git a/dtls/dtls-common.h b/dtls/dtls-common.h index b1df4c63..dcfa8898 100644 --- a/dtls/dtls-common.h +++ b/dtls/dtls-common.h @@ -24,7 +24,16 @@ #ifndef DTLS_COMMON_H_ #define DTLS_COMMON_H_ -#define INVALID_SOCKET (-1) +#define INVALID_SOCKET -1 +#define MAXLINE 4096 +#define SERV_PORT 11111 +#define LOOP_LIMIT 5 +#define SFD_TIMEOUT 1 + +/* Loc short for "location" */ +const char caCertLoc[] = "../certs/ca-cert.pem"; +const char servCertLoc[] = "../certs/server-cert.pem"; +const char servKeyLoc[] = "../certs/server-key.pem"; void showConnInfo(WOLFSSL* ssl) { printf("New connection established using %s %s\n", diff --git a/dtls/server-dtls13-event.c b/dtls/server-dtls13-event.c index 145d26a4..5b26cd13 100644 --- a/dtls/server-dtls13-event.c +++ b/dtls/server-dtls13-event.c @@ -1,4 +1,4 @@ -/* server-dtls13.c +/* server-dtls13-event.c * * Copyright (C) 2006-2022 wolfSSL Inc. * @@ -45,8 +45,6 @@ #include "dtls-common.h" -#define SERV_PORT 11111 /* define our server port number */ -#define MSGLEN 4096 #define QUICK_MULT 4 /* Our quick timeout multiplier */ #define CHGOODCB_E (-1000) /* An error outside the range of wolfSSL * errors */ @@ -80,10 +78,6 @@ static void conn_ctx_free(conn_ctx* connCtx); int main(int argc, char** argv) { - /* Loc short for "location" */ - char caCertLoc[] = "../certs/ca-cert.pem"; - char servCertLoc[] = "../certs/server-cert.pem"; - char servKeyLoc[] = "../certs/server-key.pem"; int exitVal = 1; /* Initialize wolfSSL before assigning ctx */ diff --git a/dtls/server-dtls13.c b/dtls/server-dtls13.c index 8fb904ae..ef29ff46 100644 --- a/dtls/server-dtls13.c +++ b/dtls/server-dtls13.c @@ -39,9 +39,6 @@ #include "dtls-common.h" -#define SERV_PORT 11111 /* define our server port number */ -#define MSGLEN 4096 - WOLFSSL_CTX* ctx = NULL; WOLFSSL* ssl = NULL; int listenfd = INVALID_SOCKET; /* Initialize our socket */ @@ -52,9 +49,6 @@ void free_resources(void); int main(int argc, char** argv) { /* Loc short for "location" */ - char caCertLoc[] = "../certs/ca-cert.pem"; - char servCertLoc[] = "../certs/server-cert.pem"; - char servKeyLoc[] = "../certs/server-key.pem"; int exitVal = 1; struct sockaddr_in servAddr; /* our server's address */ struct sockaddr_in cliaddr; /* the client's address */ @@ -62,8 +56,7 @@ int main(int argc, char** argv) int err; int recvLen = 0; /* length of message */ socklen_t cliLen; - unsigned char b[MSGLEN]; /* watch for incoming messages */ - char buff[MSGLEN]; /* the incoming message */ + char buff[MAXLINE]; /* the incoming message */ char ack[] = "I hear you fashizzle!\n"; /* Initialize wolfSSL before assigning ctx */ @@ -124,7 +117,7 @@ int main(int argc, char** argv) printf("Awaiting client connection on port %d\n", SERV_PORT); cliLen = sizeof(cliaddr); - ret = (int)recvfrom(listenfd, (char *)&b, sizeof(b), MSG_PEEK, + ret = (int)recvfrom(listenfd, (char *)&buff, sizeof(buff), MSG_PEEK, (struct sockaddr*)&cliaddr, &cliLen); if (ret < 0) { From 656762d3130717ee8584844fb66bfa0e92eb4873 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Thu, 30 Jun 2022 16:29:43 +0200 Subject: [PATCH 6/9] dtls: Refactor handshake timeout logic and simplify newConn --- dtls/server-dtls13-event.c | 75 +++++++++----------------------------- 1 file changed, 17 insertions(+), 58 deletions(-) diff --git a/dtls/server-dtls13-event.c b/dtls/server-dtls13-event.c index 5b26cd13..b1be0a0d 100644 --- a/dtls/server-dtls13-event.c +++ b/dtls/server-dtls13-event.c @@ -248,33 +248,14 @@ static int newPendingSSL(void) static void newConn(evutil_socket_t fd, short events, void* arg) { - struct sockaddr_in cliaddr; /* the client's address */ - socklen_t cliLen; - char b; int ret; int err; - int drop = 1; /* Store pointer because pendingSSL can be modified in chGoodCb */ WOLFSSL* ssl = pendingSSL; (void)events; (void)arg; - /* Get the incoming address */ - cliLen = sizeof(cliaddr); - ret = (int)recvfrom(listenfd, &b, sizeof(b), MSG_PEEK, - (struct sockaddr*)&cliaddr, &cliLen); - if (ret <= 0) { - perror("recvfrom()"); - goto error; - } - - if (wolfSSL_dtls_set_peer(ssl, &cliaddr, cliLen) != WOLFSSL_SUCCESS) { - fprintf(stderr, "wolfSSL_dtls_set_peer error.\n"); - goto error; - } - - drop = 0; ret = wolfSSL_accept(ssl); if (ret != WOLFSSL_SUCCESS) { err = wolfSSL_get_error(ssl, 0); @@ -287,11 +268,19 @@ static void newConn(evutil_socket_t fd, short events, void* arg) exit(1); } } +} -error: - /* Drop the datagram */ - if (drop) - (void)recv(listenfd, &b, sizeof(b), 0); +static void setHsTimeout(WOLFSSL* ssl, struct timeval *tv) +{ + int timeout = wolfSSL_dtls_get_current_timeout(ssl); + if (wolfSSL_dtls13_use_quick_timeout(ssl)) { + if (timeout >= QUICK_MULT) + tv->tv_sec = timeout / QUICK_MULT; + else + tv->tv_usec = timeout * 1000000 / QUICK_MULT; + } + else + tv->tv_sec = timeout; } /* Called when we have verified a connection */ @@ -320,7 +309,7 @@ static int chGoodCb(WOLFSSL* ssl, void* arg) goto error; } - /* We need to change the sfd here so that the ssl object doesn't drop any + /* We need to change the SFD here so that the ssl object doesn't drop any * new connections */ fd = newFD(); if (fd == INVALID_SOCKET) @@ -332,14 +321,7 @@ static int chGoodCb(WOLFSSL* ssl, void* arg) goto error; } - /* Have the ssl object use only the SFD without the peer address (since the - * SFD is now connected) */ - if (wolfSSL_dtls_set_peer(ssl, NULL, 0) != WOLFSSL_SUCCESS) { - fprintf(stderr, "wolfSSL_dtls_set_peer error.\n"); - goto error; - } - - if (wolfSSL_set_fd(ssl, fd) != WOLFSSL_SUCCESS) { + if (wolfSSL_set_dtls_fd_connected(ssl, fd) != WOLFSSL_SUCCESS) { fprintf(stderr, "wolfSSL_set_fd error.\n"); goto error; } @@ -355,14 +337,7 @@ static int chGoodCb(WOLFSSL* ssl, void* arg) goto error; } memset(&tv, 0, sizeof(tv)); - if (wolfSSL_dtls13_use_quick_timeout(ssl)) { - if (timeout >= QUICK_MULT) - tv.tv_sec = timeout / QUICK_MULT; - else - tv.tv_usec = timeout * 1000000 / QUICK_MULT; - } - else - tv.tv_sec = timeout; + setHsTimeout(ssl, &tv); /* We are using non-blocking sockets so we will definitely be waiting for * the peer. Start the timer now. */ if (event_add(connCtx->readEv, &tv) != 0) { @@ -415,15 +390,7 @@ static void dataReady(evutil_socket_t fd, short events, void* arg) fprintf(stderr, "wolfSSL_dtls_got_timeout failed\n"); goto error; } - timeout = wolfSSL_dtls_get_current_timeout(connCtx->ssl); - if (wolfSSL_dtls13_use_quick_timeout(connCtx->ssl)) { - if (timeout >= QUICK_MULT) - tv.tv_sec = timeout / QUICK_MULT; - else - tv.tv_usec = timeout * 1000000 / QUICK_MULT; - } - else - tv.tv_sec = timeout; + setHsTimeout(connCtx->ssl, &tv); if (event_add(connCtx->readEv, &tv) != 0) { fprintf(stderr, "event_add failed\n"); goto error; @@ -460,15 +427,7 @@ static void dataReady(evutil_socket_t fd, short events, void* arg) err = wolfSSL_get_error(connCtx->ssl, 0); if (err == WOLFSSL_ERROR_WANT_READ || err == WOLFSSL_ERROR_WANT_WRITE) { - timeout = wolfSSL_dtls_get_current_timeout(connCtx->ssl); - if (wolfSSL_dtls13_use_quick_timeout(connCtx->ssl)) { - if (timeout >= QUICK_MULT) - tv.tv_sec = timeout / QUICK_MULT; - else - tv.tv_usec = timeout * 1000000 / QUICK_MULT; - } - else - tv.tv_sec = timeout; + setHsTimeout(connCtx->ssl, &tv); if (event_add(err == WOLFSSL_ERROR_WANT_READ ? connCtx->readEv : connCtx->writeEv, &tv) != 0) { fprintf(stderr, "event_add failed\n"); From ccd205db81e8423e2a8594c75dd102f8fd3cd8ce Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Thu, 30 Jun 2022 17:00:12 +0200 Subject: [PATCH 7/9] dtls: use USE_DTLS12 to compile some DTLS 1.3 examples to use DTLS 1.2 --- dtls/client-dtls13.c | 12 +++++++++++- dtls/server-dtls13-event.c | 33 +++++++++++++++++++++++---------- 2 files changed, 34 insertions(+), 11 deletions(-) diff --git a/dtls/client-dtls13.c b/dtls/client-dtls13.c index d30df62b..86eb6962 100644 --- a/dtls/client-dtls13.c +++ b/dtls/client-dtls13.c @@ -23,6 +23,10 @@ * * Bare-bones example of a DTLS 1.3 client for instructional/learning purposes. * This example uses blocking sockets for simplicity. + * + * To exit the sending loop enter "end" or Ctrl+D + * + * Define USE_DTLS12 to use DTLS 1.2 instead of DTLS 1.3 */ #include @@ -68,7 +72,13 @@ int main (int argc, char** argv) /* No-op when debugging is not compiled in */ wolfSSL_Debugging_ON(); - if ( (ctx = wolfSSL_CTX_new(wolfDTLSv1_3_client_method())) == NULL) { + if ( (ctx = wolfSSL_CTX_new( +#ifndef USE_DTLS12 + wolfDTLSv1_3_client_method() +#else + wolfDTLSv1_2_client_method() +#endif + )) == NULL) { fprintf(stderr, "wolfSSL_CTX_new error.\n"); goto cleanup; } diff --git a/dtls/server-dtls13-event.c b/dtls/server-dtls13-event.c index b1be0a0d..78d77efc 100644 --- a/dtls/server-dtls13-event.c +++ b/dtls/server-dtls13-event.c @@ -24,6 +24,8 @@ * purposes. This example can handle multiple simultaneous connections by using * the libevent library to handle the event loop. Please note that this example * is not thread safe as access to global objects is not protected. + * + * Define USE_DTLS12 to use DTLS 1.2 instead of DTLS 1.3 */ #include @@ -90,7 +92,13 @@ int main(int argc, char** argv) wolfSSL_Debugging_ON(); /* Set ctx to DTLS 1.3 */ - if ((ctx = wolfSSL_CTX_new(wolfDTLSv1_3_server_method())) == NULL) { + if ((ctx = wolfSSL_CTX_new( +#ifndef USE_DTLS12 + wolfDTLSv1_3_server_method() +#else + wolfDTLSv1_2_server_method() +#endif + )) == NULL) { fprintf(stderr, "wolfSSL_CTX_new error.\n"); goto cleanup; } @@ -205,8 +213,6 @@ cleanup: static int newPendingSSL(void) { - /* Applications should update this secret periodically */ - char *secret = "My secret"; WOLFSSL* ssl; /* Create the pending WOLFSSL Object */ @@ -235,11 +241,18 @@ static int newPendingSSL(void) return 0; } - if (wolfSSL_send_hrr_cookie(ssl, (byte*)secret, strlen(secret)) != WOLFSSL_SUCCESS) { - fprintf(stderr, "wolfSSL_set_fd error.\n"); - wolfSSL_free(ssl); - return 0; +#ifndef USE_DTLS12 + { + /* Applications should update this secret periodically */ + char *secret = "My secret"; + if (wolfSSL_send_hrr_cookie(ssl, (byte*)secret, strlen(secret)) + != WOLFSSL_SUCCESS) { + fprintf(stderr, "wolfSSL_send_hrr_cookie error.\n"); + wolfSSL_free(ssl); + return 0; + } } +#endif pendingSSL = ssl; @@ -273,6 +286,7 @@ static void newConn(evutil_socket_t fd, short events, void* arg) static void setHsTimeout(WOLFSSL* ssl, struct timeval *tv) { int timeout = wolfSSL_dtls_get_current_timeout(ssl); +#ifndef USE_DTLS12 if (wolfSSL_dtls13_use_quick_timeout(ssl)) { if (timeout >= QUICK_MULT) tv->tv_sec = timeout / QUICK_MULT; @@ -280,6 +294,7 @@ static void setHsTimeout(WOLFSSL* ssl, struct timeval *tv) tv->tv_usec = timeout * 1000000 / QUICK_MULT; } else +#endif tv->tv_sec = timeout; } @@ -290,7 +305,6 @@ static int chGoodCb(WOLFSSL* ssl, void* arg) struct sockaddr_in cliaddr; /* the client's address */ socklen_t cliLen = sizeof(cliaddr); conn_ctx* connCtx = (conn_ctx*)calloc(1, sizeof(conn_ctx)); - int timeout = wolfSSL_dtls_get_current_timeout(ssl); struct timeval tv; (void)arg; @@ -322,7 +336,7 @@ static int chGoodCb(WOLFSSL* ssl, void* arg) } if (wolfSSL_set_dtls_fd_connected(ssl, fd) != WOLFSSL_SUCCESS) { - fprintf(stderr, "wolfSSL_set_fd error.\n"); + fprintf(stderr, "wolfSSL_set_dtls_fd_connected error.\n"); goto error; } @@ -376,7 +390,6 @@ static void dataReady(evutil_socket_t fd, short events, void* arg) conn_ctx* connCtx = (conn_ctx*)arg; int ret; int err; - int timeout; struct timeval tv; char msg[100]; int msgSz; From 6b3baa887bd21dcdfbd724d56f94ab61fb6f36b9 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Fri, 1 Jul 2022 17:53:19 +0200 Subject: [PATCH 8/9] Address code review --- dtls/dtls-common.h | 6 +++- dtls/server-dtls13-event.c | 8 +++--- dtls/server-dtls13.c | 58 +++++++++++++++++++++++--------------- 3 files changed, 44 insertions(+), 28 deletions(-) diff --git a/dtls/dtls-common.h b/dtls/dtls-common.h index dcfa8898..8acdcc60 100644 --- a/dtls/dtls-common.h +++ b/dtls/dtls-common.h @@ -19,6 +19,10 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA * + * ----------------------------------------------------------------------------- + * + * Define USE_DTLS12 to use DTLS 1.2 instead of DTLS 1.3 + * */ #ifndef DTLS_COMMON_H_ @@ -35,7 +39,7 @@ const char caCertLoc[] = "../certs/ca-cert.pem"; const char servCertLoc[] = "../certs/server-cert.pem"; const char servKeyLoc[] = "../certs/server-key.pem"; -void showConnInfo(WOLFSSL* ssl) { +static inline void showConnInfo(WOLFSSL* ssl) { printf("New connection established using %s %s\n", wolfSSL_get_version(ssl), wolfSSL_get_cipher(ssl)); } diff --git a/dtls/server-dtls13-event.c b/dtls/server-dtls13-event.c index 78d77efc..81d197ff 100644 --- a/dtls/server-dtls13-event.c +++ b/dtls/server-dtls13-event.c @@ -391,9 +391,9 @@ static void dataReady(evutil_socket_t fd, short events, void* arg) int ret; int err; struct timeval tv; - char msg[100]; + char msg[MAXLINE]; int msgSz; - char* ack = "I hear you fashizzle!\n"; + const char* ack = "I hear you fashizzle!\n"; memset(&tv, 0, sizeof(tv)); if (events & EV_TIMEOUT) { @@ -513,7 +513,7 @@ static void conn_ctx_free(conn_ctx* connCtx) } } -void sig_handler(const int sig) +static void sig_handler(const int sig) { printf("Received signal %d. Cleaning up.\n", sig); free_resources(); @@ -521,7 +521,7 @@ void sig_handler(const int sig) exit(0); } -void free_resources(void) +static void free_resources(void) { conn_ctx* connCtx = active; while (connCtx != NULL) { diff --git a/dtls/server-dtls13.c b/dtls/server-dtls13.c index ef29ff46..c46466bd 100644 --- a/dtls/server-dtls13.c +++ b/dtls/server-dtls13.c @@ -22,6 +22,8 @@ * * Bare-bones example of a DTLS 1.3 server for instructional/learning purposes. * This example can only accept one connection at a time. + * + * Define USE_DTLS12 to use DTLS 1.2 instead of DTLS 1.3 */ #include @@ -43,8 +45,8 @@ WOLFSSL_CTX* ctx = NULL; WOLFSSL* ssl = NULL; int listenfd = INVALID_SOCKET; /* Initialize our socket */ -void sig_handler(const int sig); -void free_resources(void); +static void sig_handler(const int sig); +static void free_resources(void); int main(int argc, char** argv) { @@ -69,7 +71,13 @@ int main(int argc, char** argv) wolfSSL_Debugging_ON(); /* Set ctx to DTLS 1.3 */ - if ((ctx = wolfSSL_CTX_new(wolfDTLSv1_3_server_method())) == NULL) { + if ((ctx = wolfSSL_CTX_new( +#ifndef USE_DTLS12 + wolfDTLSv1_3_server_method() +#else + wolfDTLSv1_2_server_method() +#endif + )) == NULL) { fprintf(stderr, "wolfSSL_CTX_new error.\n"); goto cleanup; } @@ -152,24 +160,28 @@ int main(int argc, char** argv) goto cleanup; } showConnInfo(ssl); - if ((recvLen = wolfSSL_read(ssl, buff, sizeof(buff)-1)) > 0) { - printf("heard %d bytes\n", recvLen); + while (1) { + if ((recvLen = wolfSSL_read(ssl, buff, sizeof(buff)-1)) > 0) { + printf("heard %d bytes\n", recvLen); - buff[recvLen] = '\0'; - printf("I heard this: \"%s\"\n", buff); - } - else if (recvLen <= 0) { - err = wolfSSL_get_error(ssl, 0); - fprintf(stderr, "error = %d, %s\n", err, wolfSSL_ERR_reason_error_string(err)); - fprintf(stderr, "SSL_read failed.\n"); - goto cleanup; - } - printf("Sending reply.\n"); - if (wolfSSL_write(ssl, ack, sizeof(ack)) < 0) { - err = wolfSSL_get_error(ssl, 0); - fprintf(stderr, "error = %d, %s\n", err, wolfSSL_ERR_reason_error_string(err)); - fprintf(stderr, "wolfSSL_write failed.\n"); - goto cleanup; + buff[recvLen] = '\0'; + printf("I heard this: \"%s\"\n", buff); + } + else if (recvLen <= 0) { + err = wolfSSL_get_error(ssl, 0); + if (err == WOLFSSL_ERROR_ZERO_RETURN) /* Received shutdown */ + break; + fprintf(stderr, "error = %d, %s\n", err, wolfSSL_ERR_reason_error_string(err)); + fprintf(stderr, "SSL_read failed.\n"); + goto cleanup; + } + printf("Sending reply.\n"); + if (wolfSSL_write(ssl, ack, sizeof(ack)) < 0) { + err = wolfSSL_get_error(ssl, 0); + fprintf(stderr, "error = %d, %s\n", err, wolfSSL_ERR_reason_error_string(err)); + fprintf(stderr, "wolfSSL_write failed.\n"); + goto cleanup; + } } printf("reply sent \"%s\"\n", ack); @@ -186,7 +198,7 @@ int main(int argc, char** argv) wolfSSL_free(ssl); ssl = NULL; - printf("Client left cont to idle state\n"); + printf("Awaiting new connection\n"); } exitVal = 0; @@ -198,14 +210,14 @@ cleanup: } -void sig_handler(const int sig) +static void sig_handler(const int sig) { (void)sig; free_resources(); wolfSSL_Cleanup(); } -void free_resources(void) +static void free_resources(void) { if (ssl != NULL) { wolfSSL_shutdown(ssl); From 2b52c38fa1a07466f5e2193ac2cb4cd7dd2d6aa5 Mon Sep 17 00:00:00 2001 From: David Garske Date: Fri, 1 Jul 2022 12:09:54 -0700 Subject: [PATCH 9/9] Switch to new name `wolfDTLS_SetChGoodCb` --- dtls/server-dtls13-event.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dtls/server-dtls13-event.c b/dtls/server-dtls13-event.c index 81d197ff..9fe03c2b 100644 --- a/dtls/server-dtls13-event.c +++ b/dtls/server-dtls13-event.c @@ -223,8 +223,8 @@ static int newPendingSSL(void) wolfSSL_dtls_set_using_nonblock(ssl, 1); - if (wolfSSL_SetChGoodCb(ssl, chGoodCb, NULL) != WOLFSSL_SUCCESS ) { - fprintf(stderr, "wolfSSL_SetChGoodCb error.\n"); + if (wolfDTLS_SetChGoodCb(ssl, chGoodCb, NULL) != WOLFSSL_SUCCESS ) { + fprintf(stderr, "wolfDTLS_SetChGoodCb error.\n"); wolfSSL_free(ssl); return 0; }