[openssl-users] DTLS over UDP
Hi All, I am trying to establish DTLS over UDP connection by using DTLSv1_listen method . I have followed the below steps - 1. Created a server socket and using this socket created bio and ssl object. bio = BIO_new_dgram(VI_sock,BIO_NOCLOSE)) SSL_set_bio(ssl,VP_bio,VP_bio); 2. Enable cookie exchange on SSL object. SSL_set_options(ssl, SSL_OP_COOKIE_EXCHANGE); 3. Then started listening using dtlsv1_listen for the new client connections. Once dtlsv1_listen is successful and i got the peer address. 4. Once i got the peer address , i am creating one more socket 5. With the new socket i tried to connect to peer address. 6. Then i am trying to do ssl_accept on the new socket by calling bio_set_fd. BIO_set_fd(SSL_get_rbio(ssl),VI_new_sock_id,BIO_NOCLOSE); BIO_ctrl(SSL_get_rbio(VP_ssl),BIO_CTRL_DGRAM_SET_CONNECTED, 0, &client_addr); SSL_set_fd(ssl,VI_newsock_id); VI_res = SSL_accept(ssl); But ssl_accept will always return error code 2 [ i.e want read or want write] But if i am doing ssl_accept without doing the step no 6 it it will be successful. Could someone please let us know how to switch to newly created socket, so that it can start using newly created socket for further read and write operations and original server socket will keep on listening for new connections. Regards, Nivedita -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] 回复: crash in `sha1_block_data_order_avx`
Dear all, very appreciate your reply! We have double check the implementation of related functions, and confirm that the input params for the function int rsa_public_encrypt(const uint8_t *rsa_input, const int input_len, uint8_t *enc_out, uint8_t *public_key, const int key_len) are all stack variables(say rsa_input, enc_out and public_key), so there should have no problems with alloc; we find things about threads with openssl here https://www.openssl.org/docs/man1.0.2/crypto/threads.html and add the lock functions, till now, it seems ok, but we still could not make sure whether it is the safely in multi-thread response for the crash By the way, the function 'base64_encode' is to encode chars in base64, any function implement this method could be used for compilation. renxiang0214 邮箱:renxiang0...@gmail.com 签名由 网易邮箱大师 定制 在2018年02月11日 21:12,Salz, Rich via openssl-users 写道: The usual cause for this is a stray or incorrect pointer, corrupting malloc structures. Have you run your code under a valgrind or similar?-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] 回复: crash in `sha1_block_data_order_avx`
On 13/02/2018 12:16, Xiang Ren wrote: Dear all, very appreciate your reply! We have double check the implementation of related functions, and confirm that the input params for the function int rsa_public_encrypt(const uint8_t *rsa_input, const int input_len, uint8_t *enc_out, uint8_t *public_key, const int key_len) are all stack variables(say rsa_input, enc_out and public_key), so there should have no problems with alloc; we find things about threads with openssl here https://www.openssl.org/docs/man1.0.2/crypto/threads.html and add the lock functions, till now, it seems ok, but we still could not make sure whether it is the safely in multi-thread response for the crash By the way, the function 'base64_encode' is to encode chars in base64, any function implement this method could be used for compilation. When a program crashes in malloc(), the likely corruption in the heap may have happened anywhere in the program, at any time before the crash. malloc() then crashes when it uses the malloc-internal data that was corrupted. That is why the best way to find the cause is to run the program with a heap corruption detection system such as valgrind. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] 回复: crash in `sha1_block_data_order_avx`
If your program uses threads, then you *have* to set the thread functions. Glad you got it fixed. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] 回复: crash in `sha1_block_data_order_avx`
> Dear all, very appreciate your reply! We have double check the implementation > of related > functions, and confirm that the input params for the function > int rsa_public_encrypt(const uint8_t *rsa_input, const int input_len, uint8_t > *enc_out, > uint8_t *public_key, const int key_len) > are all stack variables(say rsa_input, enc_out and public_key), so there > should have no > problems with alloc; Several days ago we emailed you regarding this issue. Never got a response. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] OpenSSL version 1.1.1 pre release 1 published
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 1.1.1 pre release 1 (alpha) === OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ OpenSSL 1.1.1 is currently in alpha. OpenSSL 1.1.1 pre release 1 has now been made available. For details of changes and known issues see the release notes at: https://www.openssl.org/news/openssl-1.1.1-notes.html Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes. The alpha release is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): * https://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.1.1-pre1.tar.gz Size: 6406872 SHA1 checksum: 83fee0570c8aff4701700f88d193fcf785b595ae SHA256 checksum: dd291d0a81d77219d40b21b9caf4713daaf43416fe8d6eae0b96df39b8b17e6d The checksums were calculated using the following commands: openssl sha1 openssl-1.1.1-pre1.tar.gz openssl sha256 openssl-1.1.1-pre1.tar.gz Please download and check this alpha release as soon as possible. To report a bug, open an issue on GitHub: ttps://github.com/openssl/openssl/issues Please check the release notes and mailing lists to avoid duplicate reports of known issues. Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- iQEcBAEBCAAGBQJaguyiAAoJENnE0m0OYESRQSoH/03mmxlj3zAcOgiWcQW7Nsfv bDr6TArh2zplEv/KUxrZiy9CCCKh3p9KI2VlUclObj327pkknMrQfx2TvYDztqfn UsbBL2XA+aiTlF0qgzDQMxg4bdfzYMKL5MUxQvsteVyyTrz5Wm1EWnwjn/mtKh6f p+nJPM9slFeV5EYTdNWIsugl55xU3oueFdVKdOqdZIUkKf5yAVe0/7UH/zVHYRt9 Mq7KZP6suRWhOgcK+g16tevO03+KkY/4O8rwE05DG3gjBbpT/hQvMcluV6jpHgIK KhMUurwOwjN81TZhYmkdKf5gBRvJ03zaJE+LeZHIKR6xdzOQBURsM4m+xPAs7i0= =ZT+8 -END PGP SIGNATURE- -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] extract private exponent
Hi All, is there any openssl API to extract private exponent from DER key? -rds, -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] DTLS over UDP
Nivedita wrote: > I am trying to establish DTLS over UDP connection by using > DTLSv1_listen method . > I have followed the below steps - 1. Created a server socket and using > this socket created bio and ssl object. bio = > BIO_new_dgram(VI_sock,BIO_NOCLOSE)) SSL_set_bio(ssl,VP_bio,VP_bio); > 2. Enable cookie exchange on SSL object. SSL_set_options(ssl, > SSL_OP_COOKIE_EXCHANGE); > 3. Then started listening using dtlsv1_listen for the new client > connections. Once dtlsv1_listen is successful and i got the peer > address. okay. > 4. Once i got the peer address , i am creating one more socket > 5. With the new socket i tried to connect to peer address. Do you mean, you call "SSL_connect()"? Or do you mean you bind(2) and connect(2) the socket. > 6. Then i am trying to do ssl_accept on the new socket by calling > bio_set_fd. > BIO_set_fd(SSL_get_rbio(ssl),VI_new_sock_id,BIO_NOCLOSE); > BIO_ctrl(SSL_get_rbio(VP_ssl),BIO_CTRL_DGRAM_SET_CONNECTED, 0, > &client_addr); > SSL_set_fd(ssl,VI_newsock_id); So, SSL_set_fd() will allocate a ne bio, which probably undoes the effect of calling BIO_CRTL_DGRAM_SET_CONNECTED. Since you have set the fd of the existing BIO, I think you can omit that line. > VI_res = SSL_accept(ssl); > But ssl_accept will always return error code 2 [ i.e want read or want > write] > But if i am doing ssl_accept without doing the step no 6 it it will be > successful. Yes. > Could someone please let us know how to switch to newly created socket, > so that it can start using newly created socket for further read and > write operations and original server socket will keep on listening for > new connections. Do you expect additional connections on the existing socket? I've been working on some new API to make this all easier. Your method may fail if you have bound your "listen" to :: (0.0.0.0), and you have multiple IPs. In my case, I expect connections over IPv6 LL addresses, and there are always multiple of those, and ifindex issues as well. -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works| network architect [ ] m...@sandelman.ca http://www.sandelman.ca/| ruby on rails[ signature.asc Description: PGP signature -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] OpenSSL 1.1.1 pre-release 1 build failure
This is on Ubuntu 16.04with a build configured to be debug-linux-x86_64 normg@moop>gmake make depend && make _all make[1]: Entering directory '/export/moop3/users/normg/gs64-3xm1/slow50/openssl_1.1' make[1]: Leaving directory '/export/moop3/users/normg/gs64-3xm1/slow50/openssl_1.1' make[1]: Entering directory '/export/moop3/users/normg/gs64-3xm1/slow50/openssl_1.1' /usr/bin/gcc -I. -Icrypto/include -Iinclude -Wall -O0 -g -pthread -m64 -fPIC -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSLDIR="\"/export/moop3/users/normg/gs64-3xm1/slow50/openssl_1.1/install50/ssl\"" -DENGINESDIR="\"/export/moop3/users/normg/gs64-3xm1/slow50/openssl_1.1/install50/lib/engines-1.1\"" -c -MMD -MF crypto/conf/conf_mod.d.tmp -MT crypto/conf/conf_mod.o -c -o crypto/conf/conf_mod.o crypto/conf/conf_mod.c crypto/conf/conf_mod.c: In function 'CONF_get1_default_config_file': crypto/conf/conf_mod.c:491:19: error: 'OPENSSL_CONF' undeclared (first use in this function) len += strlen(OPENSSL_CONF); ^ crypto/conf/conf_mod.c:491:19: note: each undeclared identifier is reported only once for each function it appears in Makefile:2305: recipe for target 'crypto/conf/conf_mod.o' failed make[1]: *** [crypto/conf/conf_mod.o] Error 1 make[1]: Leaving directory '/export/moop3/users/normg/gs64-3xm1/slow50/openssl_1.1' Makefile:143: recipe for target 'all' failed make: *** [all] Error 2 Perhaps we are missing an include of: include/internal/cryptlib.h ? Norm -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] 回复: crash in `sha1_block_data_order_avx`
On 2/13/2018 5:31 AM, Salz, Rich via openssl-users wrote: > > If your program uses threads, then you **have** to set the thread > functions. Glad you got it fixed. > Why can't OpenSSL do this automatically? Yes, some applications will need to supply specialty functions, but it could supply defaults. -- Jordan Brown, Oracle Solaris -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] 回复: crash in `sha1_block_data_order_avx`
* If your program uses threads, then you *have* to set the thread functions. Glad you got it fixed. > Why can't OpenSSL do this automatically? Yes, some applications will need to > supply specialty functions, but it could supply defaults. It does in 1.1.0 and later. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Explicit IV in TLS 1.1+
Hi all, I'm developing support for TLS 1.1 and 1.2 in a radius-server that until now only handles TLS 1.0. I'm testing with a testtool that the vendor says is using OpenSSL to implement the TLS support. It all seems to work except for the following: When all key exchange messages are sent from the server and back from the client the client sends the "Finished" message which is the first encrypted with the negotiated symmetric cipher suite. I use AES-128 in block mode and according to the spec (RFC4346 for TLS 1.1) the IV is prepended to the encrypted message (containing the payload, MAC and padding). The message size i right and when (in the server) I use the first 16 bytes of the message received from the client as IV the decryption fails but when I use the mechanism from TLS 1.0 to pick up the IV from the key_block the decryption is successful. I understand that this is one way to generate the IV that I suppose you use which is fine but shouldn't this 16 byte vector be prepended, unecrypted, to the encrypted data that is sent to the server? In TLS 1.2 there is not IV material generated at all in the key_block so in that case I don't even know where to find it. The simple question is, shouldn't the first 16 bytes (assuming AES) of the message (after the 5 byte header) be the unencrypted IV to be used in the decryption of the rest of the message? I tried to dig in to the OpenSSL source but it's far too long ago I did some serious C coding so I hope someone with a working knowledge can enlighten me. I might have misunderstood the spec but in that case I would be grateful if someone could clarify this specific part of it. TIA Curt Johansson -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] OpenSSL 1.1.1 pre-release 1 build failure
On 13/02/18 21:06, Norm Green wrote: > This is on Ubuntu 16.04with a build configured to be debug-linux-x86_64 > > normg@moop>gmake > make depend && make _all > make[1]: Entering directory > '/export/moop3/users/normg/gs64-3xm1/slow50/openssl_1.1' > make[1]: Leaving directory > '/export/moop3/users/normg/gs64-3xm1/slow50/openssl_1.1' > make[1]: Entering directory > '/export/moop3/users/normg/gs64-3xm1/slow50/openssl_1.1' > /usr/bin/gcc -I. -Icrypto/include -Iinclude -Wall -O0 -g -pthread -m64 > -fPIC -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_STATIC_ENGINE > -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 > -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m > -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM > -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM > -DPOLY1305_ASM -DOPENSSL_USE_NODELETE -DL_ENDIAN > -DOPENSSLDIR="\"/export/moop3/users/normg/gs64-3xm1/slow50/openssl_1.1/install50/ssl\"" > -DENGINESDIR="\"/export/moop3/users/normg/gs64-3xm1/slow50/openssl_1.1/install50/lib/engines-1.1\"" > -c -MMD -MF crypto/conf/conf_mod.d.tmp -MT crypto/conf/conf_mod.o -c -o > crypto/conf/conf_mod.o crypto/conf/conf_mod.c > crypto/conf/conf_mod.c: In function 'CONF_get1_default_config_file': > crypto/conf/conf_mod.c:491:19: error: 'OPENSSL_CONF' undeclared (first > use in this function) > len += strlen(OPENSSL_CONF); > ^ > crypto/conf/conf_mod.c:491:19: note: each undeclared identifier is > reported only once for each function it appears in > Makefile:2305: recipe for target 'crypto/conf/conf_mod.o' failed > make[1]: *** [crypto/conf/conf_mod.o] Error 1 > make[1]: Leaving directory > '/export/moop3/users/normg/gs64-3xm1/slow50/openssl_1.1' > Makefile:143: recipe for target 'all' failed > make: *** [all] Error 2 > > Perhaps we are missing an include of: include/internal/cryptlib.h ? Hmm. That is very strange. The include of that header is right at the top of that file. Could you provide explicitly the build steps you followed to produce this result? Thanks Matt > > Norm > -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Explicit IV in TLS 1.1+
On 13/02/18 22:02, Curt Johansson wrote: > Hi all, > > I'm developing support for TLS 1.1 and 1.2 in a radius-server that until now > only handles TLS 1.0. I'm testing with a testtool that the vendor says is > using OpenSSL to implement the TLS support. It all seems to work except for > the following: > > When all key exchange messages are sent from the server and back from the > client the client sends the "Finished" message which > is the first encrypted with the negotiated symmetric cipher suite. I use > AES-128 in block mode and according to the spec (RFC4346 for TLS 1.1) > the IV is prepended to the encrypted message (containing the payload, MAC and > padding). The message size i right and when (in the server) I use the first > 16 bytes > of the message received from the client as IV the decryption fails but when I > use the mechanism from TLS 1.0 to pick up the IV from > the key_block the decryption is successful. I understand that this is one way > to generate the IV that I suppose you use which is fine but > shouldn't this 16 byte vector be prepended, unecrypted, to the encrypted data > that is sent to the server? In TLS 1.2 there is not IV material generated > at all in the key_block so in that case I don't even know where to find it. > > The simple question is, shouldn't the first 16 bytes (assuming AES) of the > message (after the 5 byte header) be the unencrypted IV to be used in the > decryption of the rest of the message? Yes, assuming you have negotiated an AES CBC ciphersuite in TLSv1.1 or TLSv1.2, then that is what happens. You don't say what version of OpenSSL you are using. Here is the code that does it for 1.1.1 (i.e. master branch): https://github.com/openssl/openssl/blob/master/ssl/record/ssl3_record.c#L954 As can be seen on line 969 we just fill the IV with random bytes. Perhaps you could provide a wireshark trace of the handshake which might provide some enlightenment as to what is happening. Matt > > I tried to dig in to the OpenSSL source but it's far too long ago I did some > serious C coding so I hope someone with a working knowledge can enlighten me. > I might have > misunderstood the spec but in that case I would be grateful if someone could > clarify this specific part of it. > > TIA > Curt Johansson > -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] OpenSSL 1.1.1 pre-release 1 build failure
Turns out it only fails in my build environment and it builds clean as a stand-alone SSL build. So it's something on my end. Sorry for the noise. Norm On 2/13/2018 2:59 PM, Matt Caswell wrote: On 13/02/18 21:06, Norm Green wrote: This is on Ubuntu 16.04with a build configured to be debug-linux-x86_64 normg@moop>gmake make depend && make _all make[1]: Entering directory '/export/moop3/users/normg/gs64-3xm1/slow50/openssl_1.1' make[1]: Leaving directory '/export/moop3/users/normg/gs64-3xm1/slow50/openssl_1.1' make[1]: Entering directory '/export/moop3/users/normg/gs64-3xm1/slow50/openssl_1.1' /usr/bin/gcc -I. -Icrypto/include -Iinclude -Wall -O0 -g -pthread -m64 -fPIC -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSLDIR="\"/export/moop3/users/normg/gs64-3xm1/slow50/openssl_1.1/install50/ssl\"" -DENGINESDIR="\"/export/moop3/users/normg/gs64-3xm1/slow50/openssl_1.1/install50/lib/engines-1.1\"" -c -MMD -MF crypto/conf/conf_mod.d.tmp -MT crypto/conf/conf_mod.o -c -o crypto/conf/conf_mod.o crypto/conf/conf_mod.c crypto/conf/conf_mod.c: In function 'CONF_get1_default_config_file': crypto/conf/conf_mod.c:491:19: error: 'OPENSSL_CONF' undeclared (first use in this function) len += strlen(OPENSSL_CONF); ^ crypto/conf/conf_mod.c:491:19: note: each undeclared identifier is reported only once for each function it appears in Makefile:2305: recipe for target 'crypto/conf/conf_mod.o' failed make[1]: *** [crypto/conf/conf_mod.o] Error 1 make[1]: Leaving directory '/export/moop3/users/normg/gs64-3xm1/slow50/openssl_1.1' Makefile:143: recipe for target 'all' failed make: *** [all] Error 2 Perhaps we are missing an include of: include/internal/cryptlib.h ? Hmm. That is very strange. The include of that header is right at the top of that file. Could you provide explicitly the build steps you followed to produce this result? Thanks Matt Norm -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] OSSL_STORE_ctrl
In 1.1.1 pre-relase 1, we have this new function: int OSSL_STORE_ctrl(OSSL_STORE_CTX *ctx, int cmd, ... /* args */); Would it be possible to add a version that takes va_args like this? int OSSL_STORE_vctrl(OSSL_STORE_CTX *ctx, int cmd, va_list args); OpenSSL already have this precedent in other places, such as with BIO_printf() / BIO_vprintf() Norm -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Fwd: DTLS over UDP
Hi Michael,
Please ignore the previous mail. By mistankely it got sent.
I have provided my comments below.
Thanks in advance.
Regards,
Nivedita
On Wed, Feb 14, 2018 at 10:22 AM, Nivedita wrote:
> Hi Michael,
>
> Thanks for the reply.
>
> I have mentioned the answers below.
>
>
> On Wed, Feb 14, 2018 at 12:21 AM, Michael Richardson
> wrote:
>
>> From: Michael Richardson
>> To: openssl-users@openssl.org
>> Subject: Re: [openssl-users] DTLS over UDP
>> In-Reply-To: > ail.com>
>> References: > ail.com>
>> X-Mailer: MH-E 8.6; nmh 1.7-RC3; GNU Emacs 24.5.1
>> X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0
>> ;<'$9xN5Ub#
>> z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m> MIME-Version: 1.0
>> Content-Type: multipart/signed; boundary="=-=-=";
>> micalg=pgp-sha256; protocol="application/pgp-signature"
>> Date: Tue, 13 Feb 2018 13:51:10 -0500
>> Message-ID: <10616.1518547...@obiwan.sandelman.ca>
>>
>> --=-=-=
>> Content-Type: text/plain
>>
>>
>> Nivedita wrote:
>> > I am trying to establish DTLS over UDP connection by using
>> > DTLSv1_listen method .
>>
>> > I have followed the below steps - 1. Created a server socket and
>> using
>> > this socket created bio and ssl object. bio =
>> > BIO_new_dgram(VI_sock,BIO_NOCLOSE)) SSL_set_bio(ssl,VP_bio,VP_bio);
>>
>> > 2. Enable cookie exchange on SSL object. SSL_set_options(ssl,
>> > SSL_OP_COOKIE_EXCHANGE);
>>
>> > 3. Then started listening using dtlsv1_listen for the new client
>> > connections. Once dtlsv1_listen is successful and i got the peer
>> > address.
>>
>> okay.
>>
>Nivedita- Here the ssl object is created on the server socket and
same ssl is passed to dtlsv1_listen method.
>
>Nivedita- All the above mentioned steps i am doing on server side . On
> the client side i have already initiated ssl_connect.
> On the server side when i am listening using
> dtlsv1_listen method -
>
> while ( VI_res= DTLSv1_listen(VP_ssl, &VS_client_addr)
> <= 0);
>
Now i got the client_addr from dtlsv1_listen method.
>
>
>> > 4. Once i got the client address , i am creating one new socket
>> > 5. With the new socket i tried to connect to client address.
>>
>> Do you mean, you call "SSL_connect()"?
>> Or do you mean you bind(2) and connect(2) the socket.
>>
>
Nivedita- Once i got the client address from dtlsv1_listen, i am
creating one more socket , tried to connect the client address, which i
have got in dtlsv1_listen method
Vi_res= connect(new sockid, client_addr, sizeof (client
addr));
>
>> > 6. Then i am trying to do ssl_accept on the new socket by calling
>> > bio_set_fd.
>>
>> > BIO_set_fd(SSL_get_rbio(ssl),VI_new_sock_id,BIO_NOCLOSE);
>>
>> > BIO_ctrl(SSL_get_rbio(VP_ssl),BIO_CTRL_DGRAM_SET_CONNECTED, 0,
>> > &client_addr);
>>
>> > SSL_set_fd(ssl,VI_newsock_id);
>>
>> So, SSL_set_fd() will allocate a ne bio, which probably undoes the effect
>> of calling BIO_CRTL_DGRAM_SET_CONNECTED. Since you have set the fd of
>> the existing BIO, I think you can omit that line.
>>
>> Nivedita - I have removed SSL_set _fd and tried by doing
BIO_set_fd and Bio_ctrl, but still ssl_accept always returns -1 and with
error code of 2.
VI_res = BIO_set_fd(SSL_get_rbio(VP_
ssl),VI_new_sock_id,BIO_NOCLOSE);
VI_res =
BIO_ctrl(SSL_get_rbio(VP_ssl),BIO_CTRL_DGRAM_SET_CONNECTED,
0, &client_addr);
SSL_set_accept_state(VP_ssl);
VI_res = SSL_accept(ssl);
This ssl object is the same one which we have passed in
dtlsv1_listen method. Actually i am trying to do the ssl_accept on the
different socket for every client, even though
dtlsv1_listen happens on server socket. Could you please let me know
if it is possible.
> > VI_res = SSL_accept(ssl);
>>
>> > But ssl_accept will always return error code 2 [ i.e want read or
>> want
>> > write]
>>
>> > But if i am doing ssl_accept without doing the step no 6 it it will
>> be
>> > successful.
>>
>> Yes.
>>
>> > Could someone please let us know how to switch to newly created
>> socket,
>> > so that it can start using newly created socket for further read and
>> > write operations and original server socket will keep on listening
>> for
>> > new connections.
>>
>> Do you expect additional connections on the existing socket?
>> I've been working on some new API to make this all easier.
>>
>>Nivedita - Yes, we have multiple peers which try to connect to
same server,so in that case i need different sockets for listening
operations and one for read/write operations [one for client]
Your method may fail if you have bound your "listen" to :: (0.0.0.0),
>> and you have multiple IPs. In my case, I expect connections over IPv6 LL
>> addresses, and there are always multiple of those, and ifindex iss
