Wes Hardaker wrote:
http://www.net-snmp.org/wiki/index.php/DTLS_Implementation_Notes
Hi Wes,
I have some comments regarding your wiki article. But first of all,
thanks for taking the time to write down all this information.
I'm trying to implement IPFIX on top of DTLS, so I also have some
experience with DTLS and OpenSSL.
I do not use a memory BIO for sending data. I create a datagram BIO
instead and let OpenSSL write to this datagram BIO directly. When it
comes to receiving data from the UDP socket I create a new memory BIO
for *each* packet I received via recvfrom() and pass that memory BIO to
OpenSSL. Here's some code:
/* recvbuf: per-connection buffer; len: ssize_t. One read() returns one UDP datagram. */
len = read(socket, recvbuf, sizeof(recvbuf));
if (len < 0)
    return -1;   /* read() failed (check errno, e.g. EAGAIN) before touching the SSL object */
/* Free the memory BIO that held the previous datagram */
/* TODO: Check whether EOF reached. */
BIO_free(ssl->rbio);
/* Wrap this datagram in a fresh read-only memory BIO; ssl->rbio is only reachable
 * like this on OpenSSL < 1.1.0 (later versions: SSL_set0_rbio(ssl, bio)) */
ssl->rbio = BIO_new_mem_buf(recvbuf, len);
/* When the buffer is drained, return -1 with the retry flag set instead of EOF (0) */
BIO_set_mem_eof_return(ssl->rbio, -1);
I've got a question regarding your solution for sending data: How do
you ensure that the message boundaries are preserved? What you are doing
is basically:
1. Call some SSL_* function like SSL_write, SSL_connect or SSL_accept.
2. Perform a BIO_read on the for_writing BIO
3. Use sendto to send data just read in step 2.
What happens if the SSL_* function wants to send more than one UDP
datagram at once? I *guess* this could happen if someone wants to send a
very large certificate (chain). To me it seems that you're assuming
that OpenSSL sends only a single packet during one invocation of SSL_*,
aren't you? If OpenSSL happens to send two packets, you're going to
concatenate the payload and send out one large datagram instead of two
smaller ones.
As regards DTLS cookie handling, I suggest ignoring the information
hiding/data abstraction principle for now and accessing OpenSSL's
internal variables in order to find out which state the OpenSSL state
machine is in right now. I guess that there's some way to find out whether
OpenSSL sent out a HelloVerifyRequest or a ServerHello. If it just sent
a HelloVerifyRequest, we could just destroy the SSL object and wait for
the client to send back the cookie.
Daniel
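The message-boundary question above can be made concrete with a small added example. This is not Daniel's code, nor anything from the wiki page or OpenSSL: it walks a buffer of the kind BIO_read() returns from a memory BIO and recovers the individual DTLS records from their 13-byte headers (ContentType, ProtocolVersion, epoch, 48-bit sequence number, length), which is exactly the information lost when the whole buffer is handed to one sendto(). The sample bytes are constructed, not captured traffic, and the helper names (split_dtls_records, demo_count, demo_field) are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define DTLS_RECORD_HDR_LEN 13         /* type(1) version(2) epoch(2) seq(6) length(2) */
#define DTLS_MAX_BODY (16384 + 2048)   /* TLSCiphertext.length bound, RFC 5246 6.2.3 */

/* One DTLS record found inside a larger buffer. */
struct dtls_record {
    uint8_t  type;     /* 20 ChangeCipherSpec, 21 Alert, 22 Handshake, 23 ApplicationData */
    uint16_t version;  /* 0xFEFF = DTLS 1.0, 0xFEFD = DTLS 1.2 */
    uint16_t epoch;
    uint64_t seq;      /* 48-bit sequence number */
    size_t   offset;   /* where the record header starts in the buffer */
    size_t   length;   /* header + body */
};

/* Walk a buffer that may hold several back-to-back DTLS records and note
 * each one's boundaries. Returns the record count, or -1 if the buffer ends
 * in the middle of a record, a length field is implausible, or more than
 * max_out records are present. Nothing beyond the 13-byte header is
 * interpreted; the body stays opaque (it may be encrypted). */
int split_dtls_records(const uint8_t *buf, size_t len,
                       struct dtls_record *out, int max_out)
{
    size_t pos = 0;
    int n = 0;
    while (pos < len) {
        if (len - pos < DTLS_RECORD_HDR_LEN || n >= max_out)
            return -1;
        const uint8_t *h = buf + pos;
        size_t body = ((size_t)h[11] << 8) | h[12];
        if (body > DTLS_MAX_BODY || body > len - pos - DTLS_RECORD_HDR_LEN)
            return -1;                     /* truncated or oversized: refuse to guess */
        out[n].type    = h[0];
        out[n].version = (uint16_t)((h[1] << 8) | h[2]);
        out[n].epoch   = (uint16_t)((h[3] << 8) | h[4]);
        out[n].seq     = 0;
        for (int i = 5; i < 11; i++)
            out[n].seq = (out[n].seq << 8) | h[i];
        out[n].offset  = pos;
        out[n].length  = DTLS_RECORD_HDR_LEN + body;
        pos += out[n].length;
        n++;
    }
    return n;
}

/* Constructed sample (not captured traffic): a DTLS 1.0 Handshake record with
 * a 5-byte filler body followed by a ChangeCipherSpec record with a 1-byte
 * body, back to back as one BIO_read() on a memory BIO could return them. */
static const uint8_t sample[] = {
    22, 0xFE, 0xFF, 0x00, 0x00, 0, 0, 0, 0, 0, 1, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    20, 0xFE, 0xFF, 0x00, 0x00, 0, 0, 0, 0, 0, 2, 0x00, 0x01, 1
};

/* Records found in the first len bytes of the sample (-1 on a truncated record). */
int demo_count(size_t len)
{
    struct dtls_record recs[8];
    return split_dtls_records(sample, len, recs, 8);
}

/* Field of record i over the whole sample: 'o' offset, 'l' length, 't' type, 's' seq. */
long demo_field(int i, char which)
{
    struct dtls_record recs[8];
    int n = split_dtls_records(sample, sizeof sample, recs, 8);
    if (i < 0 || i >= n) return -1;
    switch (which) {
    case 'o': return (long)recs[i].offset;
    case 'l': return (long)recs[i].length;
    case 't': return recs[i].type;
    case 's': return (long)recs[i].seq;
    default:  return -1;
    }
}

int main(void)
{
    struct dtls_record recs[8];
    int n = split_dtls_records(sample, sizeof sample, recs, 8);
    for (int i = 0; i < n; i++)
        printf("record %d: type %u epoch %u seq %llu at offset %zu, %zu bytes\n",
               i, recs[i].type, recs[i].epoch, (unsigned long long)recs[i].seq,
               recs[i].offset, recs[i].length);
    printf("buffer cut one byte short: %d\n",
           split_dtls_records(sample, sizeof sample - 1, recs, 8));
    return 0;
}
```

Treat the split as a diagnostic rather than a replacement for a datagram BIO: the DTLS layer, not the caller, decides how records are grouped into datagrams (a handshake flight may legitimately carry several records in one packet), so recovering record boundaries after the fact tells you whether a memory-BIO write path has merged output, but letting OpenSSL write to a datagram BIO is what actually keeps the packetisation it intended.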
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org