On shutdown, a previous iteration of dtsl_connection_process()
might be incomplete and leave a partial bio_buffer behind.
If the DTLS connection is already marked closed, drop out
of dtls_connection_process early without asserting.
Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/merge_requests/1741>
keys_exported flag should be set only if keys are actually exported.
For that the next conditions are needed:
1 - SSL_export_keying_material on success
2 - SSL_get_selected_srtp_profile returns a valid profile
3 - The profile ID is SRTP_AES128_CM_SHA1_80 or SRTP_AES128_CM_SHA1_32
Also don't crash if NULL is returned as profile.
Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/merge_requests/1156>
openssl 1.1.1e does some stricker EOF handling and will throw an error
if the EOF is unexpected (like in the middle of a record). As we are
streaming data into openssl here, it is entirely possible that we push
data from multiple buffers/packets into openssl separately.
From the openssl changelog:
Changes between 1.1.1d and 1.1.1e [17 Mar 2020]
*) Properly detect EOF while reading in libssl. Previously if we hit an EOF
while reading in libssl then we would report an error back to the
application (SSL_ERROR_SYSCALL) but errno would be 0. We now add
an error to the stack (which means we instead return SSL_ERROR_SSL) and
therefore give a hint as to what went wrong.
[Matt Caswell]
We can relax the EOF signalling to only return TRUE when we have stopped
for any reason (EOS, error).
Will also remove a spurious EOF error from previous openssl version.
Previously we simply logged errors but never reported them to elements
or even to the user. Fatal errors are now properly reported.
Additionally proper connection closing is implemented based on EOS:
- dtlsenc: EOS will cause close_notify to be sent to the peer and only
if the peer also sent back close_notify we will forward the
EOS event.
- dtlsdec: EOS will be forwarded normally, this only means that the
unterlying transport was closed. On receiving a DTLS packet
containing close_notify, return EOS and send EOS downstream.
By passing NULL to `g_signal_new` instead of a marshaller, GLib will
actually internally optimize the signal (if the marshaller is available
in GLib itself) by also setting the valist marshaller. This makes the
signal emission a bit more performant than the regular marshalling,
which still needs to box into `GValue` and call libffi in case of a
generic marshaller.
Note that for custom marshallers, one would use
`g_signal_set_va_marshaller()` with the valist marshaller instead.
As suggested in [the SSL_get_error manpage][1]. Upgrade the message to a
warning if the errno isn't 0 (success). The latter apparently means the
transport encountered an EOF (shutdown) without the shut down handshake
on the (D)TLS level. This happens quite often for otherwise normal DTLS
connections.
[1]: https://www.openssl.org/docs/man1.1.1/man3/SSL_get_error.html
Print out all errors from the OpenSSL error queue instead of just
looking at the topmost error. Using the callback interface also removes
the need for formatting using a buffer on the stack.
Changes are:
- Use the wrapper functions to access opaque data types. To preserve
backward compatibility, define fallback definitions
- Remove the use of idiom "pqueue_size(ssl->d1->sent_messages)", since
there is no replacement
- Use RSA_generate_key_ex instead of the deprecated RSA_generate_key
https://bugzilla.gnome.org/show_bug.cgi?id=773540
No need to ref/unref the connection every time we push something on the pool.
However we have to provide non-NULL data to the pool, so let's just give it
some coffee.
This way we will share threads with other DTLS connections if possible, and
don't have to start/stop threads for timeouts if there are many to be handled
in a short period of time.
Also use the system clock and async waiting on it for scheduling the timeouts.
GST_DTLS_USE_GST_LOG is not defined anywhere, so
we'd just log into the default category by accident.
We use the gst logging system unconditionally now,
so might just as well remove this #if #else.
gcc-4.9.2:
gstdtlsagent.c:114:1: error: old-style function definition
gstdtlsconnection.c:253:3: error: ISO C90 forbids mixed declarations and code
gstdtlsconnection.c:291:3: error: ISO C90 forbids mixed declarations and code
gstdtlsconnection.c:391:3: error: ISO C90 forbids mixed declarations and code
gstdtlsconnection.c:434:3: error: ISO C90 forbids mixed declarations and code
gstdtlsconnection.c:773:1: error: 'BIO_s_gst_dtls_connection' was used with no prototype before its definition
gstdtlsconnection.c:773:1: error: old-style function definition
gstdtlsconnection.c:128:32: error: passing 'const char [30]' to parameter of type 'void *'
discards qualifiers [-Werror,-Wincompatible-pointer-types-discards-qualifiers]
SSL_get_ex_new_index (0, "gstdtlsagent connection index", NULL, NULL,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/openssl/ssl.h:1981:43: note: passing argument to parameter 'argp' here
int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
^
gstdtlsconnection.c:822:40: error: arithmetic on a pointer to void is a GNU extension
[-Werror,-Wpointer-arith]
memcpy (out_buffer, priv->bio_buffer + priv->bio_buffer_offset, copy_size);
~~~~~~~~~~~~~~~~ ^