From c1970434d16db1ec9c5199c65fc1b9322cd08d7f Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Mon, 22 Aug 2016 08:49:10 -0700
Subject: [PATCH] simplify the SCTP options

---
 src/internal.c | 32 +++++++++++---
 src/ssl.c | 103 ++++++++++++++++++---------------------------
 wolfssl/internal.h | 9 ++--
 wolfssl/ssl.h | 7 ++-
 4 files changed, 75 insertions(+), 76 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index 81910b8a9..3f14858ea 100755
--- a/src/internal.c
+++ b/src/internal.c
@@ -195,6 +195,20 @@ static INLINE int IsEncryptionOn(WOLFSSL* ssl, int isSend)
 }
 
 
+#ifdef WOLFSSL_DTLS
+/* If SCTP is not enabled returns the state of the dtls option.
+ * If SCTP is enabled returns dtls && sctp. */
+static INLINE int IsDtlsSctpMode(WOLFSSL* ssl)
+{
+#ifdef WOLFSSL_SCTP
+ return ssl->options.dtls && ssl->options.dtlsSctp;
+#else
+ return ssl->options.dtls;
+#endif
+}
+#endif
+
+
 #ifdef HAVE_QSH
 /* free all structs that where used with QSH */
 static int QSH_FreeAll(WOLFSSL* ssl)
@@ -1373,6 +1387,10 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap)
 
 ctx->devId = INVALID_DEVID;
 
+#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_SCTP)
+ ctx->dtlsMtuSz = MAX_MTU;
+#endif
+
 #ifndef NO_CERTS
 ctx->cm = wolfSSL_CertManagerNew_ex(heap);
 if (ctx->cm == NULL) {
@@ -3336,9 +3354,13 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
 ssl->options.processReply = doProcessInit;
 
 #ifdef WOLFSSL_DTLS
+ #ifdef WOLFSSL_SCTP
+ ssl->options.dtlsSctp = ctx->dtlsSctp;
+ #endif
 ssl->dtls_timeout_init = DTLS_TIMEOUT_INIT;
 ssl->dtls_timeout_max = DTLS_TIMEOUT_MAX;
 ssl->dtls_timeout = ssl->dtls_timeout_init;
+ ssl->buffers.dtlsCtx.fd = -1;
 #endif
 
 #ifndef NO_OLD_TLS
@@ -3348,10 +3370,6 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
 #endif
 
-#ifdef WOLFSSL_DTLS
- ssl->buffers.dtlsCtx.fd = -1;
-#endif
-
 ssl->cipher.ssl = ssl;
 
 #ifdef HAVE_TLS_EXTENSIONS
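Review bot: IsDtlsSctpMode() returns `dtls && dtlsSctp` in a WOLFSSL_SCTP build, and its new callers in GetRecordHeader and ProcessReply (the two src/internal.c hunks on the next line) gate the DtlsCheckWindow/DtlsUpdateWindow replay-window logic on it, so in such a build a plain DTLS-over-UDP session is no longer replay-checked at all while a DTLS-over-SCTP session is. That reads as inverted: SCTP already delivers reliably and in order, which is why RFC 6083 (to my reading) has the DTLS replay detection not used over SCTP, whereas over UDP the sequence window is the only anti-replay protection the record layer has. If the intent is "DTLS over a transport that needs the replay window", the WOLFSSL_SCTP branch should read `return ssl->options.dtls && !ssl->options.dtlsSctp;` with a name and comment that say so, e.g. `/* DTLS over a transport that needs the replay window (UDP, not SCTP) */`. If the gating really is intended as written, the comment should state plainly that WOLFSSL_SCTP builds drop replay detection for UDP sessions, since that is a security-relevant behaviour change that the helper's name hides.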
@@ -5055,7 +5073,7 @@ static int GetRecordHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 }
 
 #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls &&
+ if (IsDtlsSctpMode(ssl) &&
 (!DtlsCheckWindow(&ssl->keys.dtls_state) ||
 (ssl->options.handShakeDone && ssl->keys.dtls_state.curEpoch == 0))) {
 return SEQUENCE_ERROR;
@@ -9282,11 +9300,11 @@ int ProcessReply(WOLFSSL* ssl)
 ssl->keys.decryptedCur = 1;
 }
 
- if (ssl->options.dtls) {
 #ifdef WOLFSSL_DTLS
+ if (IsDtlsSctpMode(ssl)) {
 DtlsUpdateWindow(&ssl->keys.dtls_state);
- #endif /* WOLFSSL_DTLS */
 }
+ #endif /* WOLFSSL_DTLS */
 
 WOLFSSL_MSG("received record layer msg");
diff --git a/src/ssl.c b/src/ssl.c
index f9a459c10..4e7346940 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -549,11 +549,42 @@ int wolfSSL_dtls_get_peer(WOLFSSL* ssl, void* peer, unsigned int* peerSz)
 }
 
 
-int wolfSSL_dtls_set_mtu(WOLFSSL* ssl, unsigned int newMtu)
-{
 #if defined(WOLFSSL_DTLS) && defined(WOLFSSL_SCTP)
+
+int wolfSSL_CTX_dtls_set_sctp(WOLFSSL_CTX* ctx)
+{
+ WOLFSSL_ENTER("wolfSSL_CTX_dtls_set_sctp()");
+
+ if (ctx == NULL)
+ return BAD_FUNC_ARG;
+
+ ctx->dtlsSctp = 1;
+ return SSL_SUCCESS;
+}
+
+
+int wolfSSL_dtls_set_sctp(WOLFSSL* ssl)
+{
+ WOLFSSL_ENTER("wolfSSL_dtls_set_sctp()");
+
 if (ssl == NULL)
- return SSL_FAILURE;
+ return BAD_FUNC_ARG;
+
+ ssl->options.dtlsSctp = 1;
+ return SSL_SUCCESS;
+}
+
+
+/* wolfSSL_dtls_set_mtu
+ * Sets the DTLS MTU size. For the deafult MTU of 1500, set to 1500.
+ * The maximum allowed value is 16384, the maximum record size. The MTU
+ * needs to be larger than 200, need to be able to fit in the IP/UDP/DTLS
+ * headers.
+ */
+int wolfSSL_CTX_dtls_set_mtu(WOLFSSL_CTX* ctx, word32 newMtu)
+{
+ if (ctx == NULL)
+ return BAD_FUNC_ARG;
 
 if (newMtu > MAX_RECORD_SIZE) {
 ssl->error = BAD_FUNC_ARG;
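Review bot: The context line `ssl->error = BAD_FUNC_ARG;` at the end of the src/ssl.c hunk now sits inside the new wolfSSL_CTX_dtls_set_mtu(), whose only parameters are `ctx` and `newMtu`, so the function does not compile in a build with both WOLFSSL_DTLS and WOLFSSL_SCTP defined; the function's body continues into the next hunk. Neither this function nor the rewritten wolfSSL_dtls_set_mtu() in the next hunk stores newMtu anywhere — ctx->dtlsMtuSz is only ever assigned MAX_MTU in InitSSL_Ctx and Options gains no MTU field in this patch — so both setters are pure argument checks although their comment says they set the MTU. The comment also documents a lower bound of 200 that is never checked, is headed wolfSSL_dtls_set_mtu while sitting above the CTX variant, and misspells "default". I would rewrite the CTX variant as below, and give the per-session variant the same storing step once the session has a field to hold the value.
```c
int wolfSSL_CTX_dtls_set_mtu(WOLFSSL_CTX* ctx, word32 newMtu)
{
    if (ctx == NULL)
        return BAD_FUNC_ARG;

    /* no WOLFSSL object here, so report the bad size via the return value */
    if (newMtu > MAX_RECORD_SIZE)
        return BAD_FUNC_ARG;

    ctx->dtlsMtuSz = (word16)newMtu;
    /* … unchanged: return SSL_SUCCESS and closing brace, in the next hunk … */
```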
@@ -561,76 +592,24 @@ int wolfSSL_dtls_set_mtu(WOLFSSL* ssl, unsigned int newMtu)
 }
 
 return SSL_SUCCESS;
-#else /* WOLFSSL_DTLS && WOLFSSL_SCTP */
- (void)ssl;
- (void)newMtu;
- return SSL_NOT_IMPLEMENTED;
-#endif /* WOLFSSL_DTLS && WOLFSSL_SCTP */
 }
 
 
-int wolfSSL_dtls_enable_retransmission(WOLFSSL* ssl, unsigned int options)
+int wolfSSL_dtls_set_mtu(WOLFSSL* ssl, word32 newMtu)
 {
- (void)options;
-
-#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_SCTP)
 if (ssl == NULL)
- return SSL_FAILURE;
+ return BAD_FUNC_ARG;
+
+ if (newMtu > MAX_RECORD_SIZE) {
+ ssl->error = BAD_FUNC_ARG;
+ return SSL_FAILURE;
+ }
 
- ssl->options.dtlsRetxEnable = 1;
 return SSL_SUCCESS;
-#else /* WOLFSSL_DTLS && WOLFSSL_SCTP */
- (void)ssl;
- return SSL_NOT_IMPLEMENTED;
-#endif /* WOLFSSL_DTLS && WOLFSSL_SCTP */
 }
 
 
-int wolfSSL_dtls_disable_retransmission(WOLFSSL* ssl)
-{
-#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_SCTP)
- if (ssl == NULL)
- return SSL_FAILURE;
-
- ssl->options.dtlsRetxEnable = 0;
- return SSL_SUCCESS;
-#else /* WOLFSSL_DTLS && WOLFSSL_SCTP */
- (void)ssl;
- return SSL_NOT_IMPLEMENTED;
 #endif /* WOLFSSL_DTLS && WOLFSSL_SCTP */
-}
-
-
-int wolfSSL_dtls_enable_replay_detection(WOLFSSL* ssl, unsigned int options)
-{
- (void)options;
-
-#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_SCTP)
- if (ssl == NULL)
- return SSL_FAILURE;
-
- ssl->options.dtlsReplayEnable = 1;
- return SSL_SUCCESS;
-#else /* WOLFSSL_DTLS && WOLFSSL_SCTP */
- (void)ssl;
- return SSL_NOT_IMPLEMENTED;
-#endif /* WOLFSSL_DTLS && WOLFSSL_SCTP */
-}
-
-
-int wolfSSL_dtls_disable_replay_detection(WOLFSSL* ssl)
-{
-#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_SCTP)
- if (ssl == NULL)
- return SSL_FAILURE;
-
- ssl->options.dtlsReplayEnable = 0;
- return SSL_SUCCESS;
-#else /* WOLFSSL_DTLS && WOLFSSL_SCTP */
- (void)ssl;
- return SSL_NOT_IMPLEMENTED;
-#endif /* WOLFSSL_DTLS && WOLFSSL_SCTP */
-}
 
 
 #endif /* WOLFSSL_LEANPSK */
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 65ca2b5b8..31cbf32d7 100644
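Review bot: With the `#else` branches removed, wolfSSL_dtls_set_mtu() — and the new wolfSSL_CTX_dtls_set_sctp(), wolfSSL_dtls_set_sctp() and wolfSSL_CTX_dtls_set_mtu() above it — is only defined when both WOLFSSL_DTLS and WOLFSSL_SCTP are set, while the wolfssl/ssl.h hunk declares all four unconditionally; before this change a non-SCTP build got a stub returning SSL_NOT_IMPLEMENTED, after it a caller gets an unresolved symbol at link time. Either keep a stub under `#else /* WOLFSSL_DTLS && WOLFSSL_SCTP */` that returns SSL_NOT_IMPLEMENTED, or wrap the four declarations in the header in the same `#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_SCTP)` guard so that the failure is a compile error with an obvious cause. The closing `#endif /* WOLFSSL_DTLS && WOLFSSL_SCTP */` is now a context line far from the `#if` it pairs with, so a comment on it naming the four functions it covers would help the next reader.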
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -1940,6 +1940,10 @@ struct WOLFSSL_CTX {
 byte quietShutdown; /* don't send close notify */
 byte groupMessages; /* group handshake messages before sending */
 byte minDowngrade; /* minimum downgrade version */
+#if defined(WOLFSSL_SCTP) && defined(WOLFSSL_DTLS)
+ byte dtlsSctp; /* DTLS-over-SCTP mode */
+ word16 dtlsMtuSz; /* DTLS MTU size */
+#endif
 #ifndef NO_DH
 word16 minDhKeySz; /* minimum DH key size */
 #endif
@@ -2406,9 +2410,8 @@ typedef struct Options {
 #ifdef WOLFSSL_DTLS
 word16 dtlsHsRetain:1; /* DTLS retaining HS data */
 #ifdef WOLFSSL_SCTP
- word16 dtlsRetxEnable:1; /* DTLS HS retransmission enable */
- word16 dtlsReplayEnable:1; /* DTLS Replay detection enable */
-#endif /* WOLFSSL_SCTP */
+ word16 dtlsSctp:1; /* DTLS-over-SCTP mode */
+#endif
 #endif
 
 /* need full byte values for this section */
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 63373d15a..7cd34b34f 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -409,11 +409,10 @@ WOLFSSL_API int wolfSSL_dtls(WOLFSSL* ssl);
 WOLFSSL_API int wolfSSL_dtls_set_peer(WOLFSSL*, void*, unsigned int);
 WOLFSSL_API int wolfSSL_dtls_get_peer(WOLFSSL*, void*, unsigned int*);
+WOLFSSL_API int wolfSSL_CTX_dtls_set_sctp(WOLFSSL_CTX*);
+WOLFSSL_API int wolfSSL_dtls_set_sctp(WOLFSSL*);
+WOLFSSL_API int wolfSSL_CTX_dtls_set_mtu(WOLFSSL_CTX*, unsigned int);
 WOLFSSL_API int wolfSSL_dtls_set_mtu(WOLFSSL*, unsigned int);
-WOLFSSL_API int wolfSSL_dtls_enable_retransmission(WOLFSSL*, unsigned int);
-WOLFSSL_API int wolfSSL_dtls_disable_retransmission(WOLFSSL*);
-WOLFSSL_API int wolfSSL_dtls_enable_replay_detection(WOLFSSL*, unsigned int);
-WOLFSSL_API int wolfSSL_dtls_disable_replay_detection(WOLFSSL*);
 WOLFSSL_API int wolfSSL_ERR_GET_REASON(unsigned long err);
 WOLFSSL_API char* wolfSSL_ERR_error_string(unsigned long,char*);
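Review bot: The wolfssl/ssl.h prototypes declare the MTU parameter of wolfSSL_CTX_dtls_set_mtu() and wolfSSL_dtls_set_mtu() as `unsigned int`, but the src/ssl.c definitions in this patch take `word32`; the two only agree where word32 is a typedef for unsigned int, and on a platform where it is not, a translation unit seeing both gets a conflicting-types error. Spell the parameter the same way in both places, e.g. keep `WOLFSSL_API int wolfSSL_dtls_set_mtu(WOLFSSL*, unsigned int);` and change the definitions back to `unsigned int newMtu`, or use word32 in the header as the other DTLS prototypes nearby do not. In the internal.h hunk, the `dtlsMtuSz` field comment could also say which setter fills it and what unit it is in, since nothing in this patch writes it apart from the MAX_MTU default.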