static ioa_socket_handle dtls_server_input_handler(dtls_listener_relay_server_type* server,
ioa_socket_handle s,
ioa_network_buffer_handle nbh)
{
FUNCSTART;
if (!server || !nbh) {
return NULL;
}
SSL* connecting_ssl = NULL;
BIO *wbio = NULL;
struct timeval timeout;
/* Create BIO */
wbio = BIO_new_dgram(s->fd, BIO_NOCLOSE);
(void)BIO_dgram_set_peer(wbio, (struct sockaddr*) &(server->sm.m.sm.nd.src_addr));
/* Set and activate timeouts */
timeout.tv_sec = DTLS_MAX_RECV_TIMEOUT;
timeout.tv_usec = 0;
BIO_ctrl(wbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
#if DTLSv1_2_SUPPORTED
if(get_dtls_version(ioa_network_buffer_data(nbh),
(int)ioa_network_buffer_get_size(nbh)) == 1) {
connecting_ssl = SSL_NEW(server->dtls_ctx_v1_2);
} else {
connecting_ssl = SSL_NEW(server->dtls_ctx);
}
#else
{
connecting_ssl = SSL_NEW(server->dtls_ctx);
}
#endif
SSL_set_accept_state(connecting_ssl);
SSL_set_bio(connecting_ssl, NULL, wbio);
SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE);
SSL_set_max_cert_list(connecting_ssl, 655350);
ioa_socket_handle rc = dtls_accept_client_connection(server, s, connecting_ssl,
&(server->sm.m.sm.nd.src_addr),
&(server->addr),
nbh);
if (!rc) {
if (!(SSL_get_shutdown(connecting_ssl) & SSL_SENT_SHUTDOWN)) {
SSL_set_shutdown(connecting_ssl, SSL_RECEIVED_SHUTDOWN);
SSL_shutdown(connecting_ssl);
}
SSL_FREE(connecting_ssl);
}
return rc;
}
static ioa_socket_handle dtls_server_input_handler(dtls_listener_relay_server_type* server, u08bits *buf, int len)
{
FUNCSTART;
if (!server || !buf || len<1) {
return NULL;
}
SSL* connecting_ssl = NULL;
BIO *wbio = NULL;
struct timeval timeout;
/* Create BIO */
wbio = BIO_new_dgram(server->udp_listen_s->fd, BIO_NOCLOSE);
(void)BIO_dgram_set_peer(wbio, (struct sockaddr*) &(server->sm.m.sm.nd.src_addr));
/* Set and activate timeouts */
timeout.tv_sec = DTLS_MAX_RECV_TIMEOUT;
timeout.tv_usec = 0;
BIO_ctrl(wbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
connecting_ssl = SSL_new(server->dtls_ctx);
SSL_set_accept_state(connecting_ssl);
SSL_set_bio(connecting_ssl, NULL, wbio);
SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE);
SSL_set_max_cert_list(connecting_ssl, 655350);
ioa_socket_handle rc = dtls_accept_client_connection(server, connecting_ssl,
&(server->sm.m.sm.nd.src_addr),
&(server->addr),
buf, len);
if (!rc) {
if (!(SSL_get_shutdown(connecting_ssl) & SSL_SENT_SHUTDOWN)) {
SSL_set_shutdown(connecting_ssl, SSL_RECEIVED_SHUTDOWN);
SSL_shutdown(connecting_ssl);
}
SSL_free(connecting_ssl);
}
return rc;
}
IoSecureSocket *IoSecureServer_dtlsWrap(IoSecureServer *self, IoObject *locals, IoMessage *msg)
{
SSL_CTX *ctx = OCTX(self);
IoSocket *sock = IoObject_getSlot_(self, IOSYMBOL("socket"));
IoIPAddress *ioip = IoMessage_locals_addressArgAt_(msg, locals, 0);
IPAddress *ip = IoIPAddress_rawIPAddress(ioip);
struct sockaddr *addr = IPAddress_sockaddr(ip);
IoNumber *port = IoObject_getSlot_(sock, IOSYMBOL("port"));
int fd = IoSocket_rawDescriptor(sock);
SSL *ssl = SSL_new(ctx);
BIO *rbio = BIO_new(BIO_s_mem());
BIO_set_mem_eof_return(rbio, -1);
BIO *wbio = BIO_new_dgram(fd, BIO_NOCLOSE);
BIO_dgram_set_peer(wbio, addr);
SSL_set_bio(ssl, rbio, wbio);
SSL_set_accept_state(ssl);
set_nonblocking(wbio);
SSL_set_mode(ssl, SSL_MODE_ENABLE_PARTIAL_WRITE |
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
IoSecureSocket *ssock = IoSecureSocket_newWithSSL_IP_(IoObject_state(self), ssl, ioip);
return ssock;
}
int DTLSv1_listen(SSL *s, BIO_ADDR *client)
{
int next, n, ret = 0, clearpkt = 0;
unsigned char cookie[DTLS1_COOKIE_LENGTH];
unsigned char seq[SEQ_NUM_SIZE];
const unsigned char *data;
unsigned char *p, *buf;
unsigned long reclen, fragoff, fraglen, msglen;
unsigned int rectype, versmajor, msgseq, msgtype, clientvers, cookielen;
BIO *rbio, *wbio;
BUF_MEM *bufm;
BIO_ADDR *tmpclient = NULL;
PACKET pkt, msgpkt, msgpayload, session, cookiepkt;
/* Ensure there is no state left over from a previous invocation */
if (!SSL_clear(s))
return -1;
ERR_clear_error();
rbio = SSL_get_rbio(s);
wbio = SSL_get_wbio(s);
if (!rbio || !wbio) {
SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_BIO_NOT_SET);
return -1;
}
/*
* We only peek at incoming ClientHello's until we're sure we are going to
* to respond with a HelloVerifyRequest. If its a ClientHello with a valid
* cookie then we leave it in the BIO for accept to handle.
*/
BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_PEEK_MODE, 1, NULL);
/*
* Note: This check deliberately excludes DTLS1_BAD_VER because that version
* requires the MAC to be calculated *including* the first ClientHello
* (without the cookie). Since DTLSv1_listen is stateless that cannot be
* supported. DTLS1_BAD_VER must use cookies in a stateful manner (e.g. via
* SSL_accept)
*/
if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) {
SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_UNSUPPORTED_SSL_VERSION);
return -1;
}
if (s->init_buf == NULL) {
if ((bufm = BUF_MEM_new()) == NULL) {
SSLerr(SSL_F_DTLSV1_LISTEN, ERR_R_MALLOC_FAILURE);
return -1;
}
if (!BUF_MEM_grow(bufm, SSL3_RT_MAX_PLAIN_LENGTH)) {
BUF_MEM_free(bufm);
SSLerr(SSL_F_DTLSV1_LISTEN, ERR_R_MALLOC_FAILURE);
return -1;
}
s->init_buf = bufm;
}
buf = (unsigned char *)s->init_buf->data;
do {
/* Get a packet */
clear_sys_error();
/*
* Technically a ClientHello could be SSL3_RT_MAX_PLAIN_LENGTH
* + DTLS1_RT_HEADER_LENGTH bytes long. Normally init_buf does not store
* the record header as well, but we do here. We've set up init_buf to
* be the standard size for simplicity. In practice we shouldn't ever
* receive a ClientHello as long as this. If we do it will get dropped
* in the record length check below.
*/
n = BIO_read(rbio, buf, SSL3_RT_MAX_PLAIN_LENGTH);
if (n <= 0) {
if (BIO_should_retry(rbio)) {
/* Non-blocking IO */
goto end;
}
return -1;
}
/* If we hit any problems we need to clear this packet from the BIO */
clearpkt = 1;
if (!PACKET_buf_init(&pkt, buf, n)) {
SSLerr(SSL_F_DTLSV1_LISTEN, ERR_R_INTERNAL_ERROR);
return -1;
}
/*
* Parse the received record. If there are any problems with it we just
* dump it - with no alert. RFC6347 says this "Unlike TLS, DTLS is
* resilient in the face of invalid records (e.g., invalid formatting,
* length, MAC, etc.). In general, invalid records SHOULD be silently
* discarded, thus preserving the association; however, an error MAY be
* logged for diagnostic purposes."
*/
/* this packet contained a partial record, dump it */
if (n < DTLS1_RT_HEADER_LENGTH) {
SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_RECORD_TOO_SMALL);
goto end;
}
if (s->msg_callback)
s->msg_callback(0, 0, SSL3_RT_HEADER, buf,
DTLS1_RT_HEADER_LENGTH, s, s->msg_callback_arg);
/* Get the record header */
if (!PACKET_get_1(&pkt, &rectype)
|| !PACKET_get_1(&pkt, &versmajor)) {
SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_LENGTH_MISMATCH);
goto end;
}
if (rectype != SSL3_RT_HANDSHAKE) {
SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_UNEXPECTED_MESSAGE);
goto end;
}
/*
* Check record version number. We only check that the major version is
* the same.
*/
if (versmajor != DTLS1_VERSION_MAJOR) {
SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
goto end;
}
if (!PACKET_forward(&pkt, 1)
/* Save the sequence number: 64 bits, with top 2 bytes = epoch */
|| !PACKET_copy_bytes(&pkt, seq, SEQ_NUM_SIZE)
|| !PACKET_get_length_prefixed_2(&pkt, &msgpkt)) {
SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_LENGTH_MISMATCH);
goto end;
}
/*
* We allow data remaining at the end of the packet because there could
* be a second record (but we ignore it)
*/
/* This is an initial ClientHello so the epoch has to be 0 */
if (seq[0] != 0 || seq[1] != 0) {
SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_UNEXPECTED_MESSAGE);
goto end;
}
/* Get a pointer to the raw message for the later callback */
data = PACKET_data(&msgpkt);
/* Finished processing the record header, now process the message */
if (!PACKET_get_1(&msgpkt, &msgtype)
|| !PACKET_get_net_3(&msgpkt, &msglen)
|| !PACKET_get_net_2(&msgpkt, &msgseq)
|| !PACKET_get_net_3(&msgpkt, &fragoff)
|| !PACKET_get_net_3(&msgpkt, &fraglen)
|| !PACKET_get_sub_packet(&msgpkt, &msgpayload, fraglen)
|| PACKET_remaining(&msgpkt) != 0) {
SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_LENGTH_MISMATCH);
goto end;
}
if (msgtype != SSL3_MT_CLIENT_HELLO) {
SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_UNEXPECTED_MESSAGE);
goto end;
}
/* Message sequence number can only be 0 or 1 */
if (msgseq > 2) {
SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_INVALID_SEQUENCE_NUMBER);
goto end;
}
/*
* We don't support fragment reassembly for ClientHellos whilst
* listening because that would require server side state (which is
* against the whole point of the ClientHello/HelloVerifyRequest
* mechanism). Instead we only look at the first ClientHello fragment
* and require that the cookie must be contained within it.
*/
if (fragoff != 0 || fraglen > msglen) {
/* Non initial ClientHello fragment (or bad fragment) */
SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_FRAGMENTED_CLIENT_HELLO);
goto end;
}
if (s->msg_callback)
s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, data,
fraglen + DTLS1_HM_HEADER_LENGTH, s,
s->msg_callback_arg);
if (!PACKET_get_net_2(&msgpayload, &clientvers)) {
SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_LENGTH_MISMATCH);
goto end;
}
/*
* Verify client version is supported
*/
if (DTLS_VERSION_LT(clientvers, (unsigned int)s->method->version) &&
s->method->version != DTLS_ANY_VERSION) {
SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_WRONG_VERSION_NUMBER);
goto end;
}
if (!PACKET_forward(&msgpayload, SSL3_RANDOM_SIZE)
|| !PACKET_get_length_prefixed_1(&msgpayload, &session)
|| !PACKET_get_length_prefixed_1(&msgpayload, &cookiepkt)) {
/*
* Could be malformed or the cookie does not fit within the initial
* ClientHello fragment. Either way we can't handle it.
*/
SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_LENGTH_MISMATCH);
goto end;
}
/*
* Check if we have a cookie or not. If not we need to send a
* HelloVerifyRequest.
*/
if (PACKET_remaining(&cookiepkt) == 0) {
next = LISTEN_SEND_VERIFY_REQUEST;
} else {
/*
* We have a cookie, so lets check it.
*/
if (s->ctx->app_verify_cookie_cb == NULL) {
SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_NO_VERIFY_COOKIE_CALLBACK);
/* This is fatal */
return -1;
}
if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&cookiepkt),
PACKET_remaining(&cookiepkt)) ==
0) {
/*
* We treat invalid cookies in the same was as no cookie as
* per RFC6347
*/
next = LISTEN_SEND_VERIFY_REQUEST;
} else {
/* Cookie verification succeeded */
next = LISTEN_SUCCESS;
}
}
if (next == LISTEN_SEND_VERIFY_REQUEST) {
/*
* There was no cookie in the ClientHello so we need to send a
* HelloVerifyRequest. If this fails we do not worry about trying
* to resend, we just drop it.
*/
/*
* Dump the read packet, we don't need it any more. Ignore return
* value
*/
BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_PEEK_MODE, 0, NULL);
BIO_read(rbio, buf, SSL3_RT_MAX_PLAIN_LENGTH);
BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_PEEK_MODE, 1, NULL);
/* Generate the cookie */
if (s->ctx->app_gen_cookie_cb == NULL ||
s->ctx->app_gen_cookie_cb(s, cookie, &cookielen) == 0 ||
cookielen > 255) {
SSLerr(SSL_F_DTLSV1_LISTEN, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
/* This is fatal */
return -1;
}
p = &buf[DTLS1_RT_HEADER_LENGTH];
msglen = dtls_raw_hello_verify_request(p + DTLS1_HM_HEADER_LENGTH,
cookie, cookielen);
*p++ = DTLS1_MT_HELLO_VERIFY_REQUEST;
/* Message length */
l2n3(msglen, p);
/* Message sequence number is always 0 for a HelloVerifyRequest */
s2n(0, p);
/*
* We never fragment a HelloVerifyRequest, so fragment offset is 0
* and fragment length is message length
*/
l2n3(0, p);
l2n3(msglen, p);
/* Set reclen equal to length of whole handshake message */
reclen = msglen + DTLS1_HM_HEADER_LENGTH;
/* Add the record header */
p = buf;
*(p++) = SSL3_RT_HANDSHAKE;
/*
* Special case: for hello verify request, client version 1.0 and we
* haven't decided which version to use yet send back using version
* 1.0 header: otherwise some clients will ignore it.
*/
if (s->method->version == DTLS_ANY_VERSION) {
*(p++) = DTLS1_VERSION >> 8;
*(p++) = DTLS1_VERSION & 0xff;
} else {
*(p++) = s->version >> 8;
*(p++) = s->version & 0xff;
}
/*
* Record sequence number is always the same as in the received
* ClientHello
*/
memcpy(p, seq, SEQ_NUM_SIZE);
p += SEQ_NUM_SIZE;
/* Length */
s2n(reclen, p);
/*
* Set reclen equal to length of whole record including record
* header
*/
reclen += DTLS1_RT_HEADER_LENGTH;
if (s->msg_callback)
s->msg_callback(1, 0, SSL3_RT_HEADER, buf,
DTLS1_RT_HEADER_LENGTH, s, s->msg_callback_arg);
if ((tmpclient = BIO_ADDR_new()) == NULL) {
SSLerr(SSL_F_DTLSV1_LISTEN, ERR_R_MALLOC_FAILURE);
goto end;
}
/*
* This is unnecessary if rbio and wbio are one and the same - but
* maybe they're not. We ignore errors here - some BIOs do not
* support this.
*/
if (BIO_dgram_get_peer(rbio, tmpclient) > 0) {
(void)BIO_dgram_set_peer(wbio, tmpclient);
}
BIO_ADDR_free(tmpclient);
tmpclient = NULL;
if (BIO_write(wbio, buf, reclen) < (int)reclen) {
if (BIO_should_retry(wbio)) {
/*
* Non-blocking IO...but we're stateless, so we're just
* going to drop this packet.
*/
goto end;
}
return -1;
}
if (BIO_flush(wbio) <= 0) {
if (BIO_should_retry(wbio)) {
/*
* Non-blocking IO...but we're stateless, so we're just
* going to drop this packet.
*/
goto end;
}
return -1;
}
}
static int
dtls_tl_send_message(osip_transaction_t * tr, osip_message_t * sip, char *host,
int port, int out_socket)
{
int len = 0;
size_t length = 0;
struct addrinfo *addrinfo;
struct __eXosip_sockaddr addr;
char *message;
char ipbuf[INET6_ADDRSTRLEN];
int i;
int pos;
struct socket_tab *socket_tab_used=NULL;
BIO *sbio=NULL;
if (dtls_socket <= 0)
return -1;
if (host == NULL)
{
host = sip->req_uri->host;
if (sip->req_uri->port != NULL)
port = osip_atoi (sip->req_uri->port);
else
port = 5061;
}
if (port == 5060)
port = 5061;
if (MSG_IS_REQUEST(sip))
{
if (MSG_IS_REGISTER(sip)
||MSG_IS_INVITE(sip)
||MSG_IS_SUBSCRIBE(sip)
|| MSG_IS_NOTIFY(sip))
eXtl_update_local_target(sip);
}
i=-1;
#ifndef MINISIZE
if (tr!=NULL && tr->record.name[0]!='\0' && tr->record.srventry[0].srv[0]!='\0')
{
/* always choose the first here.
if a network error occur, remove first entry and
replace with next entries.
*/
osip_srv_entry_t *srv;
int n=0;
for (srv = &tr->record.srventry[0];
n<10 && tr->record.srventry[0].srv[0];
srv = &tr->record.srventry[0])
{
i = eXosip_get_addrinfo (&addrinfo, srv->srv, srv->port, IPPROTO_UDP);
if (i == 0)
{
host = srv->srv;
port = srv->port;
break;
}
memmove(&tr->record.srventry[0], &tr->record.srventry[1], 9*sizeof(osip_srv_entry_t));
memset(&tr->record.srventry[9], 0, sizeof(osip_srv_entry_t));
i=-1;
/* copy next element */
n++;
}
}
#endif
/* if SRV was used, distination may be already found */
if (i != 0)
{
i = eXosip_get_addrinfo (&addrinfo, host, port, IPPROTO_UDP);
}
if (i != 0)
{
return -1;
}
memcpy (&addr, addrinfo->ai_addr, addrinfo->ai_addrlen);
len = addrinfo->ai_addrlen;
eXosip_freeaddrinfo (addrinfo);
/* remove preloaded route if there is no tag in the To header
*/
{
osip_route_t *route=NULL;
osip_generic_param_t *tag=NULL;
osip_message_get_route (sip, 0, &route);
osip_to_get_tag (sip->to, &tag);
if (tag==NULL && route != NULL && route->url != NULL)
{
osip_list_remove(&sip->routes, 0);
}
i = osip_message_to_str (sip, &message, &length);
if (tag==NULL && route != NULL && route->url != NULL)
{
osip_list_add(&sip->routes, route, 0);
}
}
if (i != 0 || length <= 0)
{
return -1;
}
switch ( ((struct sockaddr *)&addr)->sa_family )
{
case AF_INET:
inet_ntop (((struct sockaddr *)&addr)->sa_family, &(((struct sockaddr_in *) &addr)->sin_addr),
ipbuf, sizeof (ipbuf));
break;
case AF_INET6:
inet_ntop (((struct sockaddr *)&addr)->sa_family,
&(((struct sockaddr_in6 *) &addr)->sin6_addr), ipbuf,
sizeof (ipbuf));
break;
default:
strncpy (ipbuf, "(unknown)", sizeof (ipbuf));
break;
}
OSIP_TRACE (osip_trace (__FILE__, __LINE__, OSIP_INFO1, NULL,
"Message sent: \n%s (to dest=%s:%i)\n",
message, ipbuf, port));
for (pos = 0; pos < EXOSIP_MAX_SOCKETS; pos++)
{
if (dtls_socket_tab[pos].ssl_conn != NULL
&& dtls_socket_tab[pos].ssl_type == EXOSIP_AS_A_SERVER)
{
if (dtls_socket_tab[pos].remote_port == port &&
(strcmp (dtls_socket_tab[pos].remote_ip, ipbuf) == 0))
{
BIO *rbio;
socket_tab_used = &dtls_socket_tab[pos];
rbio = BIO_new_dgram (dtls_socket, BIO_NOCLOSE);
BIO_dgram_set_peer (rbio, &addr);
dtls_socket_tab[pos].ssl_conn->rbio = rbio;
break;
}
}
}
if (socket_tab_used==NULL)
{
for (pos = 0; pos < EXOSIP_MAX_SOCKETS; pos++)
{
if (dtls_socket_tab[pos].ssl_conn != NULL
&& dtls_socket_tab[pos].ssl_type == EXOSIP_AS_A_CLIENT)
{
if (dtls_socket_tab[pos].remote_port == port &&
(strcmp (dtls_socket_tab[pos].remote_ip, ipbuf) == 0))
{
BIO *rbio;
socket_tab_used = &dtls_socket_tab[pos];
rbio = BIO_new_dgram (dtls_socket, BIO_NOCLOSE);
BIO_dgram_set_peer (rbio, &addr);
dtls_socket_tab[pos].ssl_conn->rbio = rbio;
break;
}
}
}
}
if (socket_tab_used==NULL)
{
/* delete an old one! */
pos=0;
if (dtls_socket_tab[pos].ssl_conn != NULL)
{
shutdown_free_client_dtls (pos);
shutdown_free_server_dtls (pos);
}
memset(&dtls_socket_tab[pos], 0, sizeof(struct socket_tab));
}
if (dtls_socket_tab[pos].ssl_conn == NULL)
{
/* create a new one */
SSL_CTX_set_read_ahead (client_ctx, 1);
dtls_socket_tab[pos].ssl_conn = SSL_new (client_ctx);
if (dtls_socket_tab[pos].ssl_conn == NULL)
{
OSIP_TRACE (osip_trace (__FILE__, __LINE__, OSIP_ERROR, NULL,
"DTLS SSL_new error\n"));
if (dtls_socket_tab[pos].ssl_conn != NULL)
{
shutdown_free_client_dtls (pos);
shutdown_free_server_dtls (pos);
}
memset(&dtls_socket_tab[pos], 0, sizeof(struct socket_tab));
osip_free (message);
return -1;
}
if (connect (dtls_socket, (struct sockaddr *) &addr, sizeof (addr)) == -1)
{
OSIP_TRACE (osip_trace (__FILE__, __LINE__, OSIP_ERROR, NULL,
"DTLS connect error\n"));
if (dtls_socket_tab[pos].ssl_conn != NULL)
{
shutdown_free_client_dtls (pos);
shutdown_free_server_dtls (pos);
}
memset(&dtls_socket_tab[pos], 0, sizeof(struct socket_tab));
osip_free (message);
return -1;
}
SSL_set_options (dtls_socket_tab[pos].ssl_conn, SSL_OP_NO_QUERY_MTU);
SSL_set_mtu (dtls_socket_tab[pos].ssl_conn, 2000);
SSL_set_connect_state (dtls_socket_tab[pos].ssl_conn);
sbio = BIO_new_dgram (dtls_socket, BIO_NOCLOSE);
BIO_ctrl_set_connected (sbio, 1, (struct sockaddr *) &addr);
SSL_set_bio (dtls_socket_tab[pos].ssl_conn, sbio, sbio);
dtls_socket_tab[pos].ssl_type = 2;
dtls_socket_tab[pos].ssl_state = 2;
osip_strncpy (dtls_socket_tab[pos].remote_ip, ipbuf,
sizeof (dtls_socket_tab[pos].remote_ip));
dtls_socket_tab[pos].remote_port = port;
}
i = SSL_write (dtls_socket_tab[pos].ssl_conn, message, length);
if (i<0)
{
i = SSL_get_error (dtls_socket_tab[pos].ssl_conn, i);
print_ssl_error (i);
if (i==SSL_ERROR_SSL
|| i==SSL_ERROR_SYSCALL)
{
OSIP_TRACE (osip_trace (__FILE__, __LINE__, OSIP_ERROR, NULL,
"DTLS SSL_write error\n"));
if (dtls_socket_tab[pos].ssl_conn != NULL)
{
shutdown_free_client_dtls (pos);
shutdown_free_server_dtls (pos);
}
memset(&dtls_socket_tab[pos], 0, sizeof(struct socket_tab));
}
#ifndef MINISIZE
/* delete first SRV entry that is not reachable */
if (tr->record.name[0]!='\0' && tr->record.srventry[0].srv[0]!='\0')
{
memmove(&tr->record.srventry[0], &tr->record.srventry[1], 9*sizeof(osip_srv_entry_t));
memset(&tr->record.srventry[9], 0, sizeof(osip_srv_entry_t));
osip_free (message);
return 0; /* retry for next retransmission! */
}
#endif
/* SIP_NETWORK_ERROR; */
osip_free (message);
return -1;
}
if (eXosip.keep_alive > 0)
{
if (MSG_IS_REGISTER (sip))
{
eXosip_reg_t *reg = NULL;
if (_eXosip_reg_find (®, tr) == 0)
{
memcpy (&(reg->addr), &addr, len);
reg->len = len;
}
}
}
osip_free (message);
return 0;
}
static int
dtls_tl_read_message(fd_set *osip_fdset)
{
char *enc_buf;
char *dec_buf;
int i;
int enc_buf_len;
if (dtls_socket<=0)
return -1;
if (FD_ISSET (dtls_socket, osip_fdset))
{
struct sockaddr_storage sa;
#ifdef __linux
socklen_t slen;
#else
int slen;
#endif
if (eXtl_dtls.proto_family == AF_INET)
slen = sizeof (struct sockaddr_in);
else
slen = sizeof (struct sockaddr_in6);
enc_buf = (char *) osip_malloc (SIP_MESSAGE_MAX_LENGTH * sizeof (char) + 1);
if (enc_buf==NULL)
return -1;
enc_buf_len = recvfrom (dtls_socket, enc_buf,
SIP_MESSAGE_MAX_LENGTH, 0,
(struct sockaddr *) &sa, &slen);
if (enc_buf_len > 5)
{
char src6host[NI_MAXHOST];
int recvport = 0;
int err;
BIO *rbio;
struct socket_tab *socket_tab_used=NULL;
int pos;
osip_strncpy (enc_buf + enc_buf_len, "\0", 1);
OSIP_TRACE (osip_trace (__FILE__, __LINE__, OSIP_INFO1, NULL,
"Received message: \n%s\n", enc_buf));
memset (src6host, 0, sizeof (src6host));
if (eXtl_dtls.proto_family == AF_INET)
recvport = ntohs (((struct sockaddr_in *) &sa)->sin_port);
else
recvport = ntohs (((struct sockaddr_in6 *) &sa)->sin6_port);
#if defined(__arc__)
{
struct sockaddr_in *fromsa = (struct sockaddr_in *) &sa;
char *tmp;
tmp = inet_ntoa(fromsa->sin_addr);
if (tmp==NULL)
{
OSIP_TRACE (osip_trace
(__FILE__, __LINE__, OSIP_ERROR, NULL,
"Message received from: NULL:%i inet_ntoa failure\n",
recvport));
}
else
{
snprintf(src6host, sizeof(src6host), "%s", tmp);
OSIP_TRACE (osip_trace
(__FILE__, __LINE__, OSIP_INFO1, NULL,
"Message received from: %s:%i\n", src6host, recvport));
}
}
#else
err = getnameinfo ((struct sockaddr *) &sa, slen,
src6host, NI_MAXHOST,
NULL, 0, NI_NUMERICHOST);
if (err != 0)
{
OSIP_TRACE (osip_trace
(__FILE__, __LINE__, OSIP_ERROR, NULL,
"Message received from: NULL:%i getnameinfo failure\n",
recvport));
snprintf(src6host, sizeof(src6host), "127.0.0.1");
}
else
{
OSIP_TRACE (osip_trace
(__FILE__, __LINE__, OSIP_INFO1, NULL,
"Message received from: %s:%i\n",
src6host, recvport));
}
#endif
OSIP_TRACE (osip_trace
(__FILE__, __LINE__, OSIP_INFO1, NULL,
"Message received from: %s:%i\n",
src6host, recvport));
for (pos = 0; pos < EXOSIP_MAX_SOCKETS; pos++)
{
if (dtls_socket_tab[pos].ssl_conn != NULL)
{
if (dtls_socket_tab[pos].remote_port == recvport &&
(strcmp (dtls_socket_tab[pos].remote_ip, src6host) == 0))
{
socket_tab_used = &dtls_socket_tab[pos];
break;
}
}
}
if (socket_tab_used==NULL)
{
for (pos = 0; pos < EXOSIP_MAX_SOCKETS; pos++)
{
if (dtls_socket_tab[pos].ssl_conn == NULL)
{
/* should accept this connection? */
break;
}
}
OSIP_TRACE (osip_trace (__FILE__, __LINE__, OSIP_INFO3, NULL,
"creating DTLS socket at index: %i\n", pos));
if (pos<0)
{
/* delete an old one! */
pos=0;
if (dtls_socket_tab[pos].ssl_conn != NULL)
{
shutdown_free_client_dtls (pos);
shutdown_free_server_dtls (pos);
}
memset(&dtls_socket_tab[pos], 0, sizeof(struct socket_tab));
}
}
if (dtls_socket_tab[pos].ssl_conn==NULL)
{
BIO *wbio;
if (!SSL_CTX_check_private_key (server_ctx))
{
OSIP_TRACE (osip_trace
(__FILE__, __LINE__, OSIP_ERROR, NULL,
"SSL CTX private key check error\n"));
osip_free(enc_buf);
return -1;
}
/* behave as a server: */
dtls_socket_tab[pos].ssl_conn = SSL_new (server_ctx);
if (dtls_socket_tab[pos].ssl_conn == NULL)
{
OSIP_TRACE (osip_trace
(__FILE__, __LINE__, OSIP_ERROR, NULL,
"SSL_new error\n"));
osip_free(enc_buf);
return -1;
}
/* No MTU query */
SSL_set_options (dtls_socket_tab[pos].ssl_conn, SSL_OP_NO_QUERY_MTU);
SSL_set_mtu (dtls_socket_tab[pos].ssl_conn, 2000);
/* MTU query */
/* BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL); */
SSL_set_options (dtls_socket_tab[pos].ssl_conn, SSL_OP_COOKIE_EXCHANGE);
wbio = BIO_new_dgram (dtls_socket,
BIO_NOCLOSE);
BIO_dgram_set_peer (wbio, &sa);
SSL_set_bio (dtls_socket_tab[pos].ssl_conn, NULL, wbio);
SSL_set_accept_state (dtls_socket_tab[pos].ssl_conn);
dtls_socket_tab[pos].ssl_state = 0;
dtls_socket_tab[pos].ssl_type = EXOSIP_AS_A_SERVER;
osip_strncpy (dtls_socket_tab[pos].remote_ip, src6host,
sizeof (dtls_socket_tab[pos].remote_ip));
dtls_socket_tab[pos].remote_port = recvport;
OSIP_TRACE (osip_trace (__FILE__, __LINE__, OSIP_INFO1, NULL,
"New DTLS connection accepted\n"));
}
dec_buf = (char *) osip_malloc (SIP_MESSAGE_MAX_LENGTH * sizeof (char) + 1);
if (dec_buf==NULL)
{
OSIP_TRACE (osip_trace
(__FILE__, __LINE__, OSIP_ERROR, NULL,
"Allocation error\n"));
osip_free(enc_buf);
return -1;
}
rbio = BIO_new_mem_buf (enc_buf, enc_buf_len);
BIO_set_mem_eof_return (rbio, -1);
dtls_socket_tab[pos].ssl_conn->rbio = rbio;
i = SSL_read (dtls_socket_tab[pos].ssl_conn, dec_buf, SIP_MESSAGE_MAX_LENGTH);
/* done with the rbio */
BIO_free (dtls_socket_tab[pos].ssl_conn->rbio);
dtls_socket_tab[pos].ssl_conn->rbio = BIO_new (BIO_s_mem ());
if (i > 5)
{
osip_strncpy (dec_buf + i, "\0", 1);
_eXosip_handle_incoming_message(dec_buf, i, dtls_socket, src6host, recvport);
}
#ifndef MINISIZE
else if (i <= 0)
{
err = SSL_get_error (dtls_socket_tab[pos].ssl_conn, i);
print_ssl_error (err);
if (err==SSL_ERROR_SYSCALL)
{
OSIP_TRACE (osip_trace
(__FILE__, __LINE__, OSIP_WARNING,
NULL, "DTLS SYSCALL on SSL_read\n"));
}
else if (err==SSL_ERROR_SSL
|| err==SSL_ERROR_ZERO_RETURN)
{
OSIP_TRACE (osip_trace
(__FILE__, __LINE__, OSIP_WARNING,
NULL, "DTLS closed\n"));
shutdown_free_client_dtls (pos);
shutdown_free_server_dtls (pos);
memset (&(dtls_socket_tab[pos]), 0, sizeof (dtls_socket_tab[pos]));
}
}
else
{
OSIP_TRACE (osip_trace (__FILE__, __LINE__, OSIP_INFO1, NULL,
"Dummy SIP message received\n"));
}
#endif
osip_free (dec_buf);
osip_free (enc_buf);
}
}
return 0;
}
static int
shutdown_free_client_dtls (int pos)
{
int i, err;
BIO *rbio;
struct addrinfo *addrinfo;
struct __eXosip_sockaddr addr;
if (dtls_socket_tab[pos].ssl_type == 2)
{
if (dtls_socket_tab[pos].ssl_conn != NULL)
{
i = eXosip_get_addrinfo (&addrinfo,
dtls_socket_tab[pos].remote_ip,
dtls_socket_tab[pos].remote_port,
IPPROTO_UDP);
if (i != 0)
{
return -1;
}
memcpy (&addr, addrinfo->ai_addr, addrinfo->ai_addrlen);
eXosip_freeaddrinfo (addrinfo);
rbio = BIO_new_dgram (dtls_socket,
BIO_NOCLOSE);
BIO_dgram_set_peer (rbio, &addr);
(dtls_socket_tab[pos].ssl_conn)->rbio = rbio;
i = SSL_shutdown (dtls_socket_tab[pos].ssl_conn);
if (i <= 0)
{
err = SSL_get_error (dtls_socket_tab[pos].ssl_conn, i);
#ifdef SSLDEBUG
OSIP_TRACE (osip_trace (__FILE__, __LINE__, OSIP_ERROR, NULL,
"DTLS client shutdown error %d <= 0\n",
i));
#endif
print_ssl_error (err);
}
else
{
#ifdef SSLDEBUG
OSIP_TRACE (osip_trace (__FILE__, __LINE__, OSIP_INFO3, NULL,
"DTLS client shutdown > 0\n"));
#endif
}
SSL_free (dtls_socket_tab[pos].ssl_conn);
#if 0
if (dtls_socket_tab[pos].ssl_ctx != NULL)
SSL_CTX_free (dtls_socket_tab[pos].ssl_ctx);
#endif
memset (&(dtls_socket_tab[pos]), 0,
sizeof (struct socket_tab));
return 0;
}
else
{
OSIP_TRACE (osip_trace (__FILE__, __LINE__, OSIP_ERROR, NULL,
"DTLS client shutdown: invalid SSL object!\n"));
return -1;
}
}
return -1;
}
static int create_new_connected_udp_socket(
dtls_listener_relay_server_type* server, ioa_socket_handle s)
{
evutil_socket_t udp_fd = socket(s->local_addr.ss.sa_family, CLIENT_DGRAM_SOCKET_TYPE, CLIENT_DGRAM_SOCKET_PROTOCOL);
if (udp_fd < 0) {
perror("socket");
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: Cannot allocate new socket\n",
__FUNCTION__);
return -1;
}
if (sock_bind_to_device(udp_fd, (unsigned char*) (s->e->relay_ifname))
< 0) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
"Cannot bind udp server socket to device %s\n",
(char*) (s->e->relay_ifname));
}
ioa_socket_handle ret = (ioa_socket*) turn_malloc(sizeof(ioa_socket));
if (!ret) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
"%s: Cannot allocate new socket structure\n", __FUNCTION__);
close(udp_fd);
return -1;
}
ns_bzero(ret, sizeof(ioa_socket));
ret->magic = SOCKET_MAGIC;
ret->fd = udp_fd;
ret->family = s->family;
ret->st = s->st;
ret->sat = CLIENT_SOCKET;
ret->local_addr_known = 1;
addr_cpy(&(ret->local_addr), &(s->local_addr));
if (addr_bind(udp_fd,&(s->local_addr),1,1,UDP_SOCKET) < 0) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
"Cannot bind new detached udp server socket to local addr\n");
IOA_CLOSE_SOCKET(ret);
return -1;
}
ret->bound = 1;
{
int connect_err = 0;
if (addr_connect(udp_fd, &(server->sm.m.sm.nd.src_addr), &connect_err) < 0) {
char sl[129];
char sr[129];
addr_to_string(&(ret->local_addr),(u08bits*)sl);
addr_to_string(&(server->sm.m.sm.nd.src_addr),(u08bits*)sr);
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
"Cannot connect new detached udp client socket from local addr %s to remote addr %s\n",sl,sr);
IOA_CLOSE_SOCKET(ret);
return -1;
}
}
ret->connected = 1;
addr_cpy(&(ret->remote_addr), &(server->sm.m.sm.nd.src_addr));
set_socket_options(ret);
ret->current_ttl = s->current_ttl;
ret->default_ttl = s->default_ttl;
ret->current_tos = s->current_tos;
ret->default_tos = s->default_tos;
#if DTLS_SUPPORTED
if (!turn_params.no_dtls
&& is_dtls_handshake_message(
ioa_network_buffer_data(server->sm.m.sm.nd.nbh),
(int) ioa_network_buffer_get_size(
server->sm.m.sm.nd.nbh))) {
SSL* connecting_ssl = NULL;
BIO *wbio = NULL;
struct timeval timeout;
/* Create BIO */
wbio = BIO_new_dgram(ret->fd, BIO_NOCLOSE);
(void) BIO_dgram_set_peer(wbio, (struct sockaddr*) &(server->sm.m.sm.nd.src_addr));
BIO_ctrl(wbio, BIO_CTRL_DGRAM_SET_CONNECTED, 0, &(server->sm.m.sm.nd.src_addr));
/* Set and activate timeouts */
timeout.tv_sec = DTLS_MAX_RECV_TIMEOUT;
timeout.tv_usec = 0;
BIO_ctrl(wbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
#if DTLSv1_2_SUPPORTED
if(get_dtls_version(ioa_network_buffer_data(server->sm.m.sm.nd.nbh),
(int)ioa_network_buffer_get_size(server->sm.m.sm.nd.nbh)) == 1) {
connecting_ssl = SSL_NEW(server->dtls_ctx_v1_2);
} else {
connecting_ssl = SSL_NEW(server->dtls_ctx);
}
#else
{
connecting_ssl = SSL_NEW(server->dtls_ctx);
}
#endif
SSL_set_accept_state(connecting_ssl);
SSL_set_bio(connecting_ssl, NULL, wbio);
SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE);
SSL_set_max_cert_list(connecting_ssl, 655350);
int rc = ssl_read(ret->fd, connecting_ssl, server->sm.m.sm.nd.nbh,
server->verbose);
if (rc < 0) {
if (!(SSL_get_shutdown(connecting_ssl) & SSL_SENT_SHUTDOWN)) {
SSL_set_shutdown(connecting_ssl, SSL_RECEIVED_SHUTDOWN);
SSL_shutdown(connecting_ssl);
}
SSL_FREE(connecting_ssl);
IOA_CLOSE_SOCKET(ret);
return -1;
}
addr_debug_print(server->verbose, &(server->sm.m.sm.nd.src_addr),
"Accepted DTLS connection from");
ret->ssl = connecting_ssl;
ioa_network_buffer_delete(server->e, server->sm.m.sm.nd.nbh);
server->sm.m.sm.nd.nbh = NULL;
ret->st = DTLS_SOCKET;
}
#endif
server->sm.m.sm.s = ret;
return server->connect_cb(server->e, &(server->sm));
}
