Hello,

> The example is helpful, but it isn't clear to me when/how the DTLS
> session is established. In the _read function it appears that the
> session may be setup either during BIO_dgram_set_peer or SSL_set_bio.

In _read() the session may be set up using BIO_dgram_set_peer() AND SSL_set_bio(). This means that if there is no SSL object for some peer, a new SSL object is created, a new BIO for writing is created, this BIO is set to send UDP packets to this peer with BIO_dgram_set_peer(), and at the end SSL_set_bio(ssl, NULL, wbio) is called, which sets up this writing BIO in the SSL object (no reading BIO exists in the SSL object for now).

Because the data from the socket is already in an internal buffer, to read this buffer into the SSL layer a memory BIO is created (BIO_new_mem_buf(buffer, len)) and set up as the reading BIO of the SSL object (ssl->rbio = rbio); then SSL_read() is called, and after that this BIO is destroyed and ssl->rbio is set to a dummy BIO. And now the encrypted data from the memory buffer (read with recvfrom()) has been decrypted by the SSL layer and put in another memory buffer (using SSL_read() with the memory BIO).

> Furthermore, it seems that the DTLS clienthello datagram is now sitting
> in the memory buffer. This implies that the function must block until
> the peer times out and resends the clienthello. It also seems to
> stipulate that the next datagram must be the lost clienthello and not a
> datagram from another dtls session. Is this correct?

No, in this code there is no SSL_connect() or SSL_accept(), because this is replaced by SSL_set_accept_state(ssl) in _read() or SSL_set_connect_state(ssl) in _write(), which directs SSL_read() or SSL_write() to do a transparent SSL_connect()/SSL_accept() when reading/writing data over a not yet established SSL tunnel.

Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]