Use single SSL_CTX for DTLS support (#996)
Similar to #989, use a single SSL context for all versions of the DTLS protocol. - Add support for the modern (protocol-version-independent) OpenSSL API. - Add a DTLS client run to the CI test script. - Remove the calls to `SSL_CTX_set_read_ahead` on the DTLS context (they have no effect: DTLS is a datagram protocol and we always receive the whole datagram, so read-ahead changes nothing). Fixes #924
This commit is contained in:
parent
9a6393e908
commit
ae2673959b
@ -33,3 +33,12 @@ else
|
||||
echo FAIL
|
||||
exit $?
|
||||
fi
|
||||
|
||||
echo 'Running turn client DTLS'
|
||||
../bin/turnutils_uclient -S -e 127.0.0.1 -X -g -u user -W secret 127.0.0.1 | grep "start_mclient: tot_send_bytes ~ 1000, tot_recv_bytes ~ 1000" > /dev/null
|
||||
if [ $? -eq 0 ]; then
|
||||
echo OK
|
||||
else
|
||||
echo FAIL
|
||||
exit $?
|
||||
fi
|
||||
|
||||
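Review bot: `exit $?` on the new FAIL branch exits with the status of the preceding `echo FAIL`, which is 0, so a DTLS client run that does not print the expected byte counts still lets the CI step succeed; the branch should be `echo FAIL; exit 1`. The same `exit $?` pattern is visible in the context lines of the earlier client run above, so fixing both keeps the script consistent. The `if [ $? -eq 0 ]` test itself is fine, since `$?` there is the status of the `grep` at the end of the pipeline.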
@ -279,18 +279,7 @@ static ioa_socket_handle dtls_server_input_handler(dtls_listener_relay_server_ty
|
||||
timeout.tv_usec = 0;
|
||||
BIO_ctrl(wbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
|
||||
|
||||
#if DTLSv1_2_SUPPORTED
|
||||
if(get_dtls_version(ioa_network_buffer_data(nbh),
|
||||
(int)ioa_network_buffer_get_size(nbh)) == 1) {
|
||||
connecting_ssl = SSL_new(server->e->dtls_ctx_v1_2);
|
||||
} else {
|
||||
connecting_ssl = SSL_new(server->e->dtls_ctx);
|
||||
}
|
||||
#else
|
||||
{
|
||||
connecting_ssl = SSL_new(server->e->dtls_ctx);
|
||||
}
|
||||
#endif
|
||||
connecting_ssl = SSL_new(server->e->dtls_ctx);
|
||||
|
||||
SSL_set_accept_state(connecting_ssl);
|
||||
|
||||
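Review bot: The new `connecting_ssl = SSL_new(server->e->dtls_ctx);` is passed straight to `SSL_set_accept_state`, but `SSL_new` returns NULL both on allocation failure and when the context pointer it is given is NULL, and `SSL_set_accept_state` does not tolerate a NULL handle; add `if(!connecting_ssl) { /* log via TURN_LOG_FUNC and take the function's existing failure exit */ }` before it. With the per-version dispatch removed, the datagram in `nbh` is no longer inspected at this point, so `get_dtls_version` may now be unreferenced and worth checking for removal. dtls_server_input_handler starts and ends outside the hunk, so which cleanup the failure exit needs is not visible here.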
@ -573,18 +562,7 @@ static int create_new_connected_udp_socket(
|
||||
timeout.tv_usec = 0;
|
||||
BIO_ctrl(wbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
|
||||
|
||||
#if DTLSv1_2_SUPPORTED
|
||||
if(get_dtls_version(ioa_network_buffer_data(server->sm.m.sm.nd.nbh),
|
||||
(int)ioa_network_buffer_get_size(server->sm.m.sm.nd.nbh)) == 1) {
|
||||
connecting_ssl = SSL_new(server->e->dtls_ctx_v1_2);
|
||||
} else {
|
||||
connecting_ssl = SSL_new(server->e->dtls_ctx);
|
||||
}
|
||||
#else
|
||||
{
|
||||
connecting_ssl = SSL_new(server->e->dtls_ctx);
|
||||
}
|
||||
#endif
|
||||
connecting_ssl = SSL_new(server->e->dtls_ctx);
|
||||
|
||||
SSL_set_accept_state(connecting_ssl);
|
||||
|
||||
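Review bot: Same unchecked `SSL_new` as in dtls_server_input_handler: a NULL result flows into `SSL_set_accept_state(connecting_ssl)` with no guard. Both call sites now reduce to the identical sequence (`BIO_ctrl` timeout on `wbio`, `SSL_new(server->e->dtls_ctx)`, `SSL_set_accept_state`), so a small `static SSL *dtls_new_accept_ssl(SSL_CTX *ctx)` that allocates, checks for NULL and sets the accept state would remove the duplication and give the check a single home. create_new_connected_udp_socket's body continues outside the hunk.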
@ -966,8 +944,6 @@ void setup_dtls_callbacks(SSL_CTX *ctx) {
|
||||
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, dtls_verify_callback);
|
||||
#endif
|
||||
|
||||
SSL_CTX_set_read_ahead(ctx, 1);
|
||||
|
||||
SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie);
|
||||
SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie);
|
||||
}
|
||||
|
||||
@ -83,37 +83,31 @@ char HTTP_ALPN[128] = "http/1.1";
|
||||
#define DEFAULT_GENERAL_RELAY_SERVERS_NUMBER (1)
|
||||
|
||||
turn_params_t turn_params = {
|
||||
NULL,
|
||||
#if DTLS_SUPPORTED
|
||||
NULL,
|
||||
#endif
|
||||
#if DTLSv1_2_SUPPORTED
|
||||
NULL,
|
||||
#endif
|
||||
|
||||
NULL, /* tls_ctx */
|
||||
NULL, /* dtls_ctx */
|
||||
DH_2066, "", "", "",
|
||||
"turn_server_cert.pem","turn_server_pkey.pem", "", "",
|
||||
0,0,0,
|
||||
#if !TLS_SUPPORTED
|
||||
1,
|
||||
1,
|
||||
#else
|
||||
0,
|
||||
0,
|
||||
#endif
|
||||
|
||||
#if !DTLS_SUPPORTED
|
||||
1,
|
||||
1,
|
||||
#else
|
||||
0,
|
||||
0,
|
||||
#endif
|
||||
|
||||
NULL, PTHREAD_MUTEX_INITIALIZER,
|
||||
|
||||
//////////////// Common params ////////////////////
|
||||
TURN_VERBOSE_NONE, /* verbose */
|
||||
0, /* turn_daemon */
|
||||
0, /* no_software_attribute */
|
||||
0, /* web_admin_listen_on_workers */
|
||||
0, /* do_not_use_config_file */
|
||||
TURN_VERBOSE_NONE, /* verbose */
|
||||
0, /* turn_daemon */
|
||||
0, /* no_software_attribute */
|
||||
0, /* web_admin_listen_on_workers */
|
||||
0, /* do_not_use_config_file */
|
||||
"/var/run/turnserver.pid", /* pidfile */
|
||||
"", /* acme_redirect */
|
||||
DEFAULT_STUN_PORT, /* listener_port*/
|
||||
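Review bot: The added `NULL, /* tls_ctx */` and `NULL, /* dtls_ctx */` entries document their target member only by comment; in an initializer list this long and partly conditionally compiled, a mismatch between entry order and struct member order is silent and shifts every later field. Designated initializers, `.tls_ctx = NULL, .dtls_ctx = NULL,` followed by the existing positional entries (C99 continues positionally from the member after the last designator), let the compiler check the binding, and the file already uses C99 `//` comments elsewhere in this commit. The repeated `verbose` through `do_not_use_config_file` run appears to be a whitespace-only reindentation, which is fine as is.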
@ -3100,14 +3094,6 @@ static void set_ctx(SSL_CTX** out, const char *protocol, const SSL_METHOD* metho
|
||||
dh = get_dh2066();
|
||||
}
|
||||
|
||||
/*
|
||||
if(!dh) {
|
||||
dh = DH_new();
|
||||
DH_generate_parameters_ex(dh, 32, DH_GENERATOR_2, 0);
|
||||
DH_generate_key(dh);
|
||||
}
|
||||
*/
|
||||
|
||||
if(!dh) {
|
||||
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: ERROR: cannot allocate DH suite\n",__FUNCTION__);
|
||||
err = 1;
|
||||
@ -3260,24 +3246,32 @@ static void openssl_load_certificates(void)
|
||||
if(!turn_params.no_dtls) {
|
||||
#if !DTLS_SUPPORTED
|
||||
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "ERROR: DTLS is not supported.\n");
|
||||
#else
|
||||
if(OPENSSL_VERSION_NUMBER < 0x10000000L) {
|
||||
#elif OPENSSL_VERSION_NUMBER < 0x10000000L
|
||||
TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "WARNING: TURN Server was compiled with rather old OpenSSL version, DTLS may not be working correctly.\n");
|
||||
}
|
||||
|
||||
#if DTLSv1_2_SUPPORTED
|
||||
set_ctx(&turn_params.dtls_ctx,"DTLS",DTLS_server_method());
|
||||
set_ctx(&turn_params.dtls_ctx_v1_2,"DTLS1.2",DTLSv1_2_server_method());
|
||||
SSL_CTX_set_read_ahead(turn_params.dtls_ctx_v1_2, 1);
|
||||
setup_dtls_callbacks(turn_params.dtls_ctx_v1_2);
|
||||
#else
|
||||
set_ctx(&turn_params.dtls_ctx,"DTLS",DTLSv1_server_method());
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L // before openssl-1.1.0 no version independent API
|
||||
#if DTLSv1_2_SUPPORTED
|
||||
set_ctx(&turn_params.dtls_ctx,"DTLS",DTLSv1_2_server_method()); // openssl-1.0.2
|
||||
if(!turn_params.no_tlsv1_2) {
|
||||
SSL_CTX_set_options(turn_params.dtls_ctx, SSL_OP_NO_DTLSv1_2);
|
||||
}
|
||||
#else
|
||||
set_ctx(&turn_params.dtls_ctx,"DTLS",DTLSv1_server_method()); // < openssl-1.0.2
|
||||
#endif
|
||||
SSL_CTX_set_read_ahead(turn_params.dtls_ctx, 1);
|
||||
if(!turn_params.no_tlsv1 || !turn_params.no_tlsv1_1) {
|
||||
SSL_CTX_set_options(turn_params.dtls_ctx, SSL_OP_NO_DTLSv1);
|
||||
}
|
||||
#else // OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
set_ctx(&turn_params.dtls_ctx,"DTLS",DTLS_server_method());
|
||||
if(!turn_params.no_tlsv1 || !turn_params.no_tlsv1_1) {
|
||||
SSL_CTX_set_min_proto_version(turn_params.tls_ctx, DTLS1_2_VERSION);
|
||||
}
|
||||
if(!turn_params.no_tlsv1_2) {
|
||||
SSL_CTX_set_max_proto_version(turn_params.tls_ctx, DTLS1_VERSION);
|
||||
}
|
||||
#endif //OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
setup_dtls_callbacks(turn_params.dtls_ctx);
|
||||
|
||||
TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "DTLS cipher suite: %s\n",turn_params.cipher_list);
|
||||
|
||||
#endif
|
||||
}
|
||||
pthread_mutex_unlock(&turn_params.tls_mutex);
|
||||
|
||||
@ -177,13 +177,7 @@ typedef struct _turn_params_ {
|
||||
//////////////// OpenSSL group //////////////////////
|
||||
|
||||
SSL_CTX *tls_ctx;
|
||||
|
||||
#if DTLS_SUPPORTED
|
||||
SSL_CTX *dtls_ctx;
|
||||
#if DTLSv1_2_SUPPORTED
|
||||
SSL_CTX *dtls_ctx_v1_2;
|
||||
#endif
|
||||
#endif
|
||||
|
||||
DH_KEY_SIZE dh_key_size;
|
||||
|
||||
|
||||
@ -336,9 +336,6 @@ static void update_ssl_ctx(evutil_socket_t sock, short events, update_ssl_ctx_cb
|
||||
replace_one_ssl_ctx(&e->tls_ctx, params->tls_ctx);
|
||||
#if DTLS_SUPPORTED
|
||||
replace_one_ssl_ctx(&e->dtls_ctx, params->dtls_ctx);
|
||||
#endif
|
||||
#if DTLSv1_2_SUPPORTED
|
||||
replace_one_ssl_ctx(&e->dtls_ctx_v1_2, params->dtls_ctx_v1_2);
|
||||
#endif
|
||||
struct event *next = args->next;
|
||||
pthread_mutex_unlock(&turn_params.tls_mutex);
|
||||
|
||||
@ -142,12 +142,7 @@ struct _ioa_engine
|
||||
rtcp_map *map_rtcp;
|
||||
stun_buffer_list bufs;
|
||||
SSL_CTX *tls_ctx;
|
||||
#if DTLS_SUPPORTED
|
||||
SSL_CTX *dtls_ctx;
|
||||
#endif
|
||||
#if DTLSv1_2_SUPPORTED
|
||||
SSL_CTX *dtls_ctx_v1_2;
|
||||
#endif
|
||||
turn_time_t jiffie; /* bandwidth check interval */
|
||||
ioa_timer_handle timer_ev;
|
||||
char cmsg[TURN_CMSG_SZ+1];
|
||||
|
||||