[asterisk-bugs] [JIRA] (ASTERISK-25103) Roundup - investigate Asterisk DTLS crashes

Stefan Engström (JIRA) noreply at issues.asterisk.org
Sun Jun 28 07:01:33 CDT 2015


    [ https://issues.asterisk.org/jira/browse/ASTERISK-25103?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=226687#comment-226687 ] 

Stefan Engström commented on ASTERISK-25103:
--------------------------------------------

I still think the unsynchronized call to SSL_do_handshake(dtls->ssl); on an ssl object on which SSL_set_accept_state(ssl) has been called is the main problem.

When we have initialized the dtls->ssl to act as server, all the code needed to progress and finish the handshake is essentially already in __rtp_recvfrom. That function will at some point receive a client handshake message such as 'client hello', then write it to the input buffer (BIO_write(dtls->read_bio, buf, len)) and call SSL_read to make openssl progress the handshake (write server hello to output buffer).

When we are dtls-clients, it is appropriate to call SSL_do_handshake after ICE completion, because that kicks off the handshake by producing a client hello, so this call cannot race with the ssl-processing within __rtp_recvfrom.

I do not understand all the possible call-flows within Asterisk, so I created a test program at http://pastebin.com/8TGqN10j based off the example at http://www.roxlu.com/2014/042/using-openssl-with-memory-bios

Indeed my program crashes half the time when SSL_do_handshake and other SSL related calls race. I noted that in roxlu's example they call SSL_do_handshake within the krx_ssl_handle_traffic function instead of our SSL_read; this seems to be two alternative ways of progressing the handshake (i.e. both those calls make ssl write server hello to output buffer given that we have written client hello to input buffer), but this is different from our call to SSL_do_handshake. I believe one should only call SSL_do_handshake (or SSL_read) as server whenever there's a possible change in the BIO buffers, not from an asynchronous callback.

Renegotiation is a different story...

I might have missed something as I base my conclusions on empirical tests on a very narrow use case as well as looking at unofficial documentation/guides on google for openssl :)

> Roundup - investigate Asterisk DTLS crashes
> -------------------------------------------
>
>                 Key: ASTERISK-25103
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-25103
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_rtp_asterisk
>         Environment: Asterisk 11, 13, Master
>            Reporter: Rusty Newton
>            Assignee: Joshua Colp
>
> An issue for an investigation into the various DTLS crashes currently hanging about.
> I'll link the issues currently on the tracker to this issue rather than linking them all to each other.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
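
The calling discipline argued for in the comment above, as an added example that is not part of the original message and not Asterisk code. It assumes Python's `ssl` module as a stand-in for the OpenSSL C calls (TLS over memory BIOs, since the standard library has no DTLS); `Session`, `on_ice_complete`, `on_packet` and `peer.example` are hypothetical names.

```python
import ssl
import threading


class Session:
    """One handshake endpoint over memory BIOs; every SSL call holds self.lock."""

    def __init__(self, server_side):
        self.server_side = server_side
        self.lock = threading.Lock()
        self.incoming = ssl.MemoryBIO()  # plays the role of dtls->read_bio
        self.outgoing = ssl.MemoryBIO()  # bytes the caller must send to the peer
        proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
        ctx = ssl.SSLContext(proto)
        # "peer.example" is a constructed name; the client context requires one.
        self.ssl = ctx.wrap_bio(
            self.incoming, self.outgoing, server_side=server_side,
            server_hostname=None if server_side else "peer.example")

    def _progress(self):
        # Caller must hold self.lock. do_handshake() wraps SSL_do_handshake.
        try:
            self.ssl.do_handshake()
        except ssl.SSLWantReadError:
            pass  # needs more peer data; anything produced is in self.outgoing
        return self.outgoing.read()

    def on_ice_complete(self):
        """Asynchronous callback: only the client role starts the handshake here."""
        if self.server_side:
            # A server has nothing to send before a ClientHello arrives, so
            # touching the SSL object here would only open a race window.
            return b""
        with self.lock:
            return self._progress()

    def on_packet(self, data):
        """Receive path: the input BIO changed, so progress the handshake."""
        with self.lock:
            self.incoming.write(data)
            return self._progress()
```

Calling `on_ice_complete()` from several threads on one client session yields exactly one ClientHello flight, and a server session produces output only from `on_packet()`.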


