Merge pull request #5128 from rizlik/dtls_bidrectional_shutdown

Support DTLS bidirectional shutdown in the examples
2022-05-11 17:00:44 -07:00 · 2022-05-11 17:00:44 -07:00 · 798d81723b
parent 36575ff480 761ab6b17a
commit 798d81723b
4 changed files with 85 additions and 19 deletions
--- a/examples/client/client.c
+++ b/examples/client/client.c
@ -4034,17 +4034,22 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
    }
 #endif

-    if (dtlsUDP == 0) {           /* don't send alert after "break" command */
-        ret = wolfSSL_shutdown(ssl);
-        if (wc_shutdown && ret == WOLFSSL_SHUTDOWN_NOT_DONE) {
-            if (tcp_select(sockfd, DEFAULT_TIMEOUT_SEC) == TEST_RECV_READY) {
-                ret = wolfSSL_shutdown(ssl); /* bidirectional shutdown */
-                if (ret == WOLFSSL_SUCCESS)
-                    printf("Bidirectional shutdown complete\n");
+    ret = wolfSSL_shutdown(ssl);
+    if (wc_shutdown && ret == WOLFSSL_SHUTDOWN_NOT_DONE) {
+        while (tcp_select(wolfSSL_get_fd(ssl), DEFAULT_TIMEOUT_SEC) ==
+                TEST_RECV_READY) {
+            ret = wolfSSL_shutdown(ssl); /* bidirectional shutdown */
+            if (ret == WOLFSSL_SUCCESS) {
+                printf("Bidirectional shutdown complete\n");
+                break;
            }
-            if (ret != WOLFSSL_SUCCESS)
+            else if (ret != WOLFSSL_SHUTDOWN_NOT_DONE) {
                printf("Bidirectional shutdown failed\n");
+                break;
+            }
        }
+        if (ret != WOLFSSL_SUCCESS)
+            printf("Bidirectional shutdown failed\n");
    }
 #if defined(ATOMIC_USER) && !defined(WOLFSSL_AEAD_ONLY)
    if (atomicUser)
--- a/examples/server/server.c
+++ b/examples/server/server.c
@ -2908,16 +2908,44 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
        if (doDTLS && dtlsUDP) {
            byte          b[1500];
            int           n;
+            int           isClientHello = 0;

-            client_len = sizeof client_addr;
+            while (!isClientHello) {
+                client_len = sizeof client_addr;

-            /* For DTLS, peek at the next datagram so we can get the client's
-             * address and set it into the ssl object later to generate the
-             * cookie. */
-            n = (int)recvfrom(clientfd, (char*)b, sizeof(b), MSG_PEEK,
-                              (struct sockaddr*)&client_addr, &client_len);
-            if (n <= 0)
-                err_sys_ex(runWithErrors, "recvfrom failed");
+                /* For DTLS, peek at the next datagram so we can get the
+                 * client's address and set it into the ssl object later to
+                 * generate the cookie. */
+                n = (int)recvfrom(clientfd, (char*)b, sizeof(b), MSG_PEEK,
+                                  (struct sockaddr*)&client_addr, &client_len);
+
+                if (n <= 0)
+                    err_sys_ex(runWithErrors, "recvfrom failed");
+
+                /* when doing resumption, it may happen that we receive the
+                   alert used to shutdown the first connection as the first
+                   packet of the second accept:
+
+                   Client                |    Server
+                                         |    WolfSSL_Shutdown()
+                                         |    <- Alert
+                                         |    recvfrom(peek)
+                   WolfSSL_Shutdown()    |
+                   Alert->               |
+                                         |    wolfSSL_set_dtls_peer()
+
+                   but this will set the wrong src port, making the test fail.
+                   Discard not-handshake message to avoid this.
+                */
+                if (b[0] != 0x16) {
+                    /* discard the packet */
+                    n = (int)recvfrom(clientfd, (char *)b, sizeof(b), 0,
+                        (struct sockaddr *)&client_addr, &client_len);
+                }
+                else {
+                    isClientHello = 1;
+                }
+            }

            if (doBlockSeq) {
                XMEMCPY(&dtlsCtx.peer.sa, &client_addr, client_len);
@ -3303,9 +3331,20 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)

        ret = SSL_shutdown(ssl);
        if (wc_shutdown && ret == WOLFSSL_SHUTDOWN_NOT_DONE) {
-            ret = SSL_shutdown(ssl); /* bidirectional shutdown */
-            if (ret == WOLFSSL_SUCCESS)
-                printf("Bidirectional shutdown complete\n");
+            while (tcp_select(wolfSSL_get_fd(ssl), DEFAULT_TIMEOUT_SEC) ==
+                    TEST_RECV_READY) {
+                ret = wolfSSL_shutdown(ssl); /* bidirectional shutdown */
+                if (ret == WOLFSSL_SUCCESS) {
+                    printf("Bidirectional shutdown complete\n");
+                    break;
+                }
+                else if (ret != WOLFSSL_SHUTDOWN_NOT_DONE) {
+                    printf("Bidirectional shutdown failed\n");
+                    break;
+                }
+            }
+            if (ret != WOLFSSL_SUCCESS)
+                printf("Bidirectional shutdown failed\n");
        }

        /* display collected statistics */
--- a/tests/test-dtls-resume.conf
+++ b/tests/test-dtls-resume.conf
@ -1061,3 +1061,17 @@
 -a
 -v 2
 -l ADH-AES128-SHA
+
+# server DTLSv1.2 DHE-RSA-CHACHA20-POLY1305 bidirectional shutdown
+-u
+-r
+-v 3
+-l DHE-RSA-CHACHA20-POLY1305
+-w
+
+# client DTLSv1.2 DHE-RSA-CHACHA20-POLY1305 bidirectional shutdown
+-u
+-r
+-v 3
+-l DHE-RSA-CHACHA20-POLY1305
+-w
--- a/tests/test-dtls.conf
+++ b/tests/test-dtls.conf
@ -907,3 +907,11 @@
 -a
 -v 2
 -l ADH-AES128-SHA
+
+# server with bidirectional shutdown
+-l ECDHE-RSA-AES128-SHA256
+-w
+
+# client with bidirectional shutdown
+-l ECDHE-RSA-AES128-SHA256
+-w