Merge pull request #431 from rizlik/dtls-server-fixes

dtls: server fixes

Author: philljj

dtls/client-dtls-threaded.c

@@ -116,7 +116,6 @@ main(int    argc,
             printf("error: pthread_create returned %d\n", ret);
             threads[i] = 0;
         }
-        sleep(1);
     }
 
     for (size_t i = 0; i < n_threads; ++i) {

dtls/server-dtls-threaded.c

@@ -21,7 +21,10 @@
  *=============================================================================
  *
  * A simple dtls server example with configurable threadpool, for
- * instructional/learning purposes. Utilizes DTLS 1.2.
+ * instructional/learning purposes. Utilizes DTLS 1.2.  Please note that if
+ * multiple client hellos arrive at the same time, the server might drop some of
+ * them. A production-ready server needs a more sophisticated mechanism to
+ * multiplex packets from different clients to the same port.
  */
 
 #include <wolfssl/options.h>
@@ -174,57 +177,47 @@ main(int   argc,
                 continue;
             }
 
+            ret = recvfrom(listenfd, NULL, 0, MSG_PEEK,
+                           (struct sockaddr *)&cliaddr, &cliLen);
+            if (ret < 0)
+                continue;
+
+            printf("Received a packet from %s:%d\n",
+                   inet_ntoa(cliaddr.sin_addr), ntohs(cliaddr.sin_port));
+
             memset(&args[i], 0, sizeof(thread_args_t));
+            args[i].activefd = listenfd;
+            listenfd = new_udp_listen_socket();
+            /* Avoid future packets from other peers to be received over
+             * args[i].activefd. Please note that packets from other clients
+             * already received might be returned from future invocations of
+             * recvfrom()/read(). The args[i].ssl object will discard those packets
+             * that don't match the set DTLS peer. */
+            ret = connect(args[i].activefd, (const struct sockaddr *)&cliaddr, cliLen);
+            if (ret != 0) {
+                printf("error: connect returned: %d\n", ret);
+                break;
+            }
 
             args[i].ssl = wolfSSL_new(ctx);
             if (args[i].ssl == NULL) {
                 printf("error: wolfSSL_new returned null\n");
                 break;
             }
 
-            /* set the session ssl to client connection port */
-            ret = wolfSSL_set_fd(args[i].ssl, listenfd);
+            ret = wolfSSL_set_fd(args[i].ssl, args[i].activefd);
             if (ret != SSL_SUCCESS) {
-                printf("error: wolfSSL_set_fd returned %d\n", ret);
+                printf("error: wolfSSL_set_fd: %d\n", ret);
                 break;
             }
 
-            ret = wolfSSL_accept(args[i].ssl);
-            if (ret != SSL_SUCCESS) {
-                printf("error: wolfSSL_accept returned %d\n", ret);
-                break;
-            }
-
-            ret = wolfSSL_dtls_get_peer(args[i].ssl, &cliaddr, &cliLen);
+            ret = wolfSSL_dtls_set_peer(args[i].ssl, &cliaddr, cliLen);
             if (ret != WOLFSSL_SUCCESS) {
-                printf("error: wolfSSL_dtls_get_peer failed\n");
+                printf("error: wolfSSL_dtls_set_peer: %d\n", ret);
                 break;
             }
 
             args[i].peer_port = ntohs(cliaddr.sin_port);
-
-            printf("info: new dtls session: %p, %d\n", (void*) args[i].ssl,
-                   args[i].peer_port);
-
-            /* Open new UDP socket. */
-            args[i].activefd = new_udp_listen_socket();
-            if (args[i].activefd <= 0 ) {
-                break;
-            }
-
-            ret = connect(args[i].activefd, (const struct sockaddr *)&cliaddr,
-                          cliLen);
-            if (ret != 0) {
-                printf("error: connect returned: %d\n", ret);
-                break;
-            }
-
-            ret = wolfSSL_set_dtls_fd_connected(args[i].ssl, args[i].activefd);
-            if (ret != SSL_SUCCESS) {
-                printf("error: wolfSSL_set_dtls_fd_connected: %d\n", ret);
-                break;
-            }
-
             ret = pthread_create(&threads[i], NULL, server_work, &args[i]);
 
             if (ret == 0 ) {
@@ -319,6 +312,19 @@ server_work(void * args)
     int             n_bytes = 0;
     char            recv_msg[MSGLEN];
     char            send_msg[MSGLEN];
+    int ret;
+
+    ret = wolfSSL_accept(thread_args->ssl);
+    if (ret != SSL_SUCCESS)
+    {
+        printf("error: wolfSSL_accept returned %d\n", ret);
+        pthread_exit(NULL);
+        /* we should never reach here */
+        return NULL;
+    }
+
+    printf("info: new dtls session: %p, %d\n", (void *)thread_args->ssl,
+           thread_args->peer_port);
 
     for (size_t i = 0; i < 4; ++i) {
         if (stop_server) {
@@ -374,14 +380,21 @@ server_work(void * args)
 static void
 safer_shutdown(thread_args_t * args)
 {
+    int ret;
+
     if (args == NULL) {
         printf("error: safer_shutdown with null args\n");
         return;
     }
 
     if (args->ssl != NULL) {
         printf("info: closed dtls session: %p\n", (void*) args->ssl);
-        wolfSSL_shutdown(args->ssl);
+        ret = wolfSSL_shutdown(args->ssl);
+
+        /* bidirectional shutdown */
+        if (ret != WOLFSSL_SUCCESS)
+            ret = wolfSSL_shutdown(args->ssl);
+
         wolfSSL_free(args->ssl);
         args->ssl = NULL;
     }