[openssl-users] DTLS without sockets (or at least an unconnected socket)

Matt Caswell matt at openssl.org
Tue Apr 14 20:16:53 UTC 2015



On 14/04/15 20:24, Florian Weimer wrote:
> On 04/14/2015 09:02 PM, Matt Caswell wrote:
>>
>>
>> On 14/04/15 19:45, Florian Weimer wrote:
>>> Is it possible to use DTLS with some sort of non-socket BIO?
>>>
>>> Basically, I have datagrams which I know belong to a specific DTLS
>>> session, and I want to feed them to OpenSSL and get back further
>>> datagrams to send out in response.  (This is similar to what SSLEngine
>>> does in OpenJDK, except there it's for plain TLS.)
>>
>> DTLS currently supports UDP and SCTP for the underlying BIO. In theory
>> you could implement your own BIO to do whatever you want but it would
>> have to support the BIO ctrls that DTLS uses - see
>> crypto/bio/bss_dgram.c (in particular the dgram_ctrl and dgram_sctp_ctrl
>> functions)
> 
> Interesting.  Is this part of the public API?

Yes. To write your own BIO you would need to create a custom BIO_METHOD
which is defined in bio.h. All of the various ctrls are also defined in
bio.h.

> 
>>> An example how to establish a DTLS session with multiple peers over an
>>> unconnected socket would help, too.
>>>
>>
>> To do that you need to use DTLSv1_listen(). I recently wrote a man page
>> for this function, but it hasn't hit the repo yet. Attached FYI.
> 
> Thanks.  DTLSv1_listen is very odd because it has a socket address as an
> “out” parameter, but no socket address length as an “in/out” argument.
> It doesn't seem very transport-agnostic, either.
> 

It is assumed that the sockaddr structure that you pass in is big enough
for whatever addressing scheme the underlying BIO is using. Thus if
you're listening on an IPv4 address pass in a pointer to a "struct
sockaddr_in". If you're listening on an IPv6 address pass in a pointer
to a "struct sockaddr_in6".

Agreed, it's not particularly transport-agnostic. Perhaps just a plain
"void *" would be better. By the time it gets passed to your BIO ctrl
function (if you implement your own) it's been cast to a "void *" anyway!

Matt

