Wednesday 21 April 2021

openssl-dtls-custom-bio

A simple DTLS server/client program implemented with the OpenSSL library.

A custom BIO is used to expose the underlying BIO ctrl and packet transmission.

A CA is used to verify both the server and the client.

UDP server and client.

Prerequisite

  • a working C compiler and make
  • OpenSSL with header files
  • the readline library (for the client)

apt-get install build-essential openssl libssl-dev libreadline-dev

Build

make

Run

Start the server with a list of addresses to listen on:

./server 127.0.0.1:1234 # listen on local loopback IPv4, port 1234
./server [::1]:1234 # listen on local loopback IPv6, port 1234
./server 127.0.0.1:1234 [::1]:1234 # listen on multiple addresses/ports
./server [::]:1234 # listen on any interface, both IPv4 and IPv6, port 1234

Start the client with the target server address:

./client 127.0.0.1:1234 # connect to the local server on port 1234

Once connected, a few simple commands can be issued from the client terminal:

  • ping returns pong
  • echo <some text> returns <some text>
  • whoami returns the client's address and port as seen by the server
  • stats returns the list of clients the server is currently serving
  • bc <some text> broadcasts <some text> to all clients

Ctrl-D stops the client.

Ctrl-C stops the server or the client.

Certificates can be regenerated with:

make delete-certs
make certs

Bugs

The commands used in the Makefile to generate certificates are not meant as good practice; they are for test use only.

A 2000-byte buffer size is hardcoded in the program, so a message approaching that size would fail to be sent or received. This is a bug in the program: neither DTLS nor UDP imposes this limit, although packet fragmentation should be avoided anyway.

For simplicity, the SSL timeout controls on the BIO were ignored. Although the OpenSSL library handles the state machine automatically, in this program it is only driven on write or received-packet events. As a result:

  • a long-polling receiver might fail to receive a new message until the next write (periodic reads and writes are required to advance the state machine)
  • a client that failed to notify shutdown would be left on the server's list forever (no dead peer detection)

Pitfalls

[::] listens on both IPv6 and IPv4, so it conflicts with any other address using the same port, including IPv4 addresses.

Although the built executables may work with a different version of the OpenSSL library, rebuilding in each environment is recommended. For example, OpenSSL changed the value of the macro-defined constant BIO_CTRL_DGRAM_SET_PEEK_MODE between 1.1.0f and 1.1.0g; this does "not" break ABI compatibility but will definitely make the related function misbehave.
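Illustrating this pitfall in C, as an added example that is not part of the project's source: the hypothetical helper bind_udp binds a UDP socket and applies IPV6_V6ONLY to IPv6 sockets. A dual-stack "::" wildcard also claims the IPv4 port, so a later IPv4 bind on that port fails with EADDRINUSE; setting IPV6_V6ONLY=1 keeps the two address families separate. Assumes Linux defaults (net.ipv6.bindv6only=0).

```c
/* Added example, not from the project: why "[::]" conflicts with an IPv4
 * address on the same UDP port, and how IPV6_V6ONLY separates the two.
 * Assumes Linux defaults (net.ipv6.bindv6only=0, i.e. dual-stack sockets). */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a UDP socket to host:port ("::1"/"::" or dotted IPv4, no brackets).
 * v6only is applied to IPv6 sockets only. Returns the fd, or -errno. */
static int bind_udp(const char *host, unsigned short port, int v6only)
{
    struct sockaddr_storage ss = {0};
    struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)&ss;
    struct sockaddr_in *a4 = (struct sockaddr_in *)&ss;
    int v6 = strchr(host, ':') != NULL, fd, err;
    socklen_t len = v6 ? sizeof *a6 : sizeof *a4;

    ss.ss_family = v6 ? AF_INET6 : AF_INET;
    if (v6) a6->sin6_port = htons(port); else a4->sin_port = htons(port);
    if (inet_pton(ss.ss_family, host, v6 ? (void *)&a6->sin6_addr
                                         : (void *)&a4->sin_addr) != 1)
        return -EINVAL;
    if ((fd = socket(ss.ss_family, SOCK_DGRAM, 0)) < 0)
        return -errno;
    /* A dual-stack IPv6 wildcard also claims the IPv4 port; V6ONLY=1 stops that. */
    if (v6 && setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof v6only) < 0)
        goto fail;
    if (bind(fd, (struct sockaddr *)&ss, len) < 0)
        goto fail;
    return fd;
fail:
    err = errno;
    close(fd);
    return -err;
}

/* Port actually bound, e.g. after asking for port 0; 0 on error. */
static unsigned short bound_port(int fd)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;
    if (getsockname(fd, (struct sockaddr *)&ss, &len) < 0)
        return 0;
    return ntohs(ss.ss_family == AF_INET6 ? ((struct sockaddr_in6 *)&ss)->sin6_port
                                          : ((struct sockaddr_in *)&ss)->sin_port);
}
```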


from https://github.com/stepheny/openssl-dtls-custom-bio
