On 03/06/2013 09:54 AM, Michael Tuexen wrote:
> On Mar 6, 2013, at 1:19 PM, Gary Grebus via RT wrote:
>
>> I have an application which needs to protect datagram traffic, and
>> also directly control the socket I/O.  Using DTLS over a BIO pair
>> appears to work for my purposes except for one problem when handling 
>> timeouts.
>>
>> In dtls1_check_timeout_num(), after 2 unsuccessful retransmission
>> attempts, the code calls BIO_ctrl() with the BIO_CTRL_DGRAM_GET_FALLBACK_MTU
>> option to adjust the MTU.  This operation is not defined for a BIO
>> pair, and results in the MTU being set to zero.  That eventually
>> causes an OpenSSL_assert() to fail in dtls1_do_write().
> So the question is: When using a BIO pair, why does sending fail? Are the
> packets later on sent over UDP? If yes, how do you handle the case that
> the path MTU needs to be adjusted?
>

It fails because dtls1_do_write() contains the following check:

    OPENSSL_assert(s->d1->mtu >= dtls1_min_mtu());  /* should have something reasonable now */

which fails if s->d1->mtu is set to zero.

In our particular case, we do eventually send the packets over UDP.  We
use SSL_set_mtu() and fix the MTU to a suitable minimum. 

  -- Gary
>> It would make sense to recognize that zero can't be a valid fallback MTU
>> value, and avoid resetting the MTU.   A patch with a possible fix is 
>> attached.
>>
>> --- Gary
>>
>>
>> diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
>> index db180f2..371199d 100644
>> --- a/ssl/d1_lib.c
>> +++ b/ssl/d1_lib.c
>> @@ -401,12 +401,17 @@ void dtls1_stop_timer(SSL *s)
>>
>> int dtls1_check_timeout_num(SSL *s)
>>      {
>> +    unsigned int mtu;
>>      s->d1->timeout.num_alerts++;
>>
>>      /* Reduce MTU after 2 unsuccessful retransmissions */
>>      if (s->d1->timeout.num_alerts > 2)
>>              {
>> -            s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), 
>> BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL);               
>> +            mtu = BIO_ctrl(SSL_get_wbio(s), 
>> BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL);
>> +            if (mtu > 0)
>> +                    {
>> +                    s->d1->mtu = mtu;
>> +                    }
>>              }
>>
>>      if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT)
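
Review bot: the `if (mtu > 0)` guard in dtls1_check_timeout_num() only rejects zero, while the failure reported in this thread is the dtls1_do_write() assert `s->d1->mtu >= dtls1_min_mtu()`, so a fallback value that is non-zero but below the minimum would still be stored and still trip that assert. Consider testing against the same lower bound the assert uses instead of 0. Also, BIO_ctrl() returns a long and the result is assigned to `unsigned int mtu` before the test, so a negative return would convert to a large positive value and pass `mtu > 0`; holding the result in a long until it has been range-checked avoids that. A one-line comment noting that a BIO without datagram support (such as a BIO pair) yields 0 for BIO_CTRL_DGRAM_GET_FALLBACK_MTU would document why the check is there.
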
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@openssl.org
> Automated List Manager                           majord...@openssl.org
