Remove DTLSv1_listen.

This was added in http://rt.openssl.org/Ticket/Display.html?id=2033 to support
a mode where a DTLS socket would statelessly perform the ClientHello /
HelloVerifyRequest portion of the handshake, to be handed off to a socket
specific to this peer address.

This is not used by WebRTC or other current consumers. If we need to support
something like this, it would be cleaner to do the listen portion (cookieless
ClientHello + HelloVerifyRequest) externally and then spin up an SSL instance
on receipt of a cookied ClientHello. This would require a slightly more complex
BIO to replay the second ClientHello but would avoid peppering the DTLS
handshake state with a special short-circuiting mode.

Change-Id: I7a413932edfb62f8b9368912a9a0621d4155f1aa
Reviewed-on: https://boringssl-review.googlesource.com/2220
Reviewed-by: Adam Langley <agl@google.com>

include/openssl/dtls1.h

@@ -209,9 +209,6 @@ typedef struct dtls1_state_st
 	 */
 	record_pqueue buffered_app_data;
 
-	/* Is set when listening for new connections with dtls1_listen() */
-	unsigned int listen;
-
 	unsigned int mtu; /* max DTLS packet size */
 
 	struct hm_header_st w_msg_hdr;

include/openssl/ssl.h

@@ -1645,7 +1645,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 
 #define DTLS_CTRL_GET_TIMEOUT		73
 #define DTLS_CTRL_HANDLE_TIMEOUT	74
-#define DTLS_CTRL_LISTEN			75
 
 #define SSL_CTRL_GET_RI_SUPPORT			76
 #define SSL_CTRL_CLEAR_OPTIONS			77
@@ -1690,8 +1689,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 	SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
 #define DTLSv1_handle_timeout(ssl) \
 	SSL_ctrl(ssl,DTLS_CTRL_HANDLE_TIMEOUT,0, NULL)
-#define DTLSv1_listen(ssl, peer) \
-	SSL_ctrl(ssl,DTLS_CTRL_LISTEN,0, (void *)peer)
 
 #define SSL_session_reused(ssl) \
 	SSL_ctrl((ssl),SSL_CTRL_GET_SESSION_REUSED,0,NULL)

ssl/d1_both.c

@@ -483,9 +483,7 @@ again:
 
 	memset(msg_hdr, 0x00, sizeof(struct hm_header_st));
 
-	/* Don't change sequence numbers while listening */
-	if (!s->d1->listen)
-		s->d1->handshake_read_seq++;
+	s->d1->handshake_read_seq++;
 
 	return s->init_num;
 
@@ -850,10 +848,8 @@ dtls1_get_message_fragment(SSL *s, int stn, long max, int *ok)
 	/* 
 	 * if this is a future (or stale) message it gets buffered
 	 * (or dropped)--no further processing at this time
-	 * While listening, we accept seq 1 (ClientHello with cookie)
-	 * although we're still expecting seq 0 (ClientHello)
 	 */
-	if (msg_hdr.seq != s->d1->handshake_read_seq && !(s->d1->listen && msg_hdr.seq == 1))
+	if (msg_hdr.seq != s->d1->handshake_read_seq)
 		return dtls1_process_out_of_seq_message(s, &msg_hdr, ok);
 
 	len = msg_hdr.msg_len;
@@ -1206,8 +1202,7 @@ unsigned char *
 dtls1_set_message_header(SSL *s, unsigned char *p, unsigned char mt,
 			unsigned long len, unsigned long frag_off, unsigned long frag_len)
 	{
-	/* Don't change sequence numbers while listening */
-	if (frag_off == 0 && !s->d1->listen)
+	if (frag_off == 0)
 		{
 		s->d1->handshake_write_seq = s->d1->next_handshake_write_seq;
 		s->d1->next_handshake_write_seq++;

ssl/d1_lib.c

@@ -75,7 +75,6 @@ static void get_current_time(OPENSSL_timeval *t);
 static OPENSSL_timeval* dtls1_get_timeout(SSL *s, OPENSSL_timeval* timeleft);
 static void dtls1_set_handshake_header(SSL *s, int type, unsigned long len);
 static int dtls1_handshake_write(SSL *s, enum should_add_to_finished_hash should_add_to_finished_hash);
-int dtls1_listen(SSL *s, struct sockaddr *client);
 static void dtls1_add_to_finished_hash(SSL *s);
 
 SSL3_ENC_METHOD DTLSv1_enc_data={
@@ -295,9 +294,6 @@ long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
 	case DTLS_CTRL_HANDLE_TIMEOUT:
 		ret = dtls1_handle_timeout(s);
 		break;
-	case DTLS_CTRL_LISTEN:
-		ret = dtls1_listen(s, parg);
-		break;
 
 	default:
 		ret = ssl3_ctrl(s, cmd, larg, parg);
@@ -481,20 +477,6 @@ static void get_current_time(OPENSSL_timeval *t)
 #endif
 }
 
-int dtls1_listen(SSL *s, struct sockaddr *client)
-	{
-	int ret;
-
-	SSL_set_options(s, SSL_OP_COOKIE_EXCHANGE);
-	s->d1->listen = 1;
-
-	ret = SSL_accept(s);
-	if (ret <= 0) return ret;
-	
-	BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_GET_PEER, 0, &client);
-	return 1;
-	}
-
 static void dtls1_set_handshake_header(SSL *s, int htype, unsigned long len)
 	{
 	unsigned char *p = (unsigned char *)s->init_buf->data;

ssl/d1_pkt.c

@@ -644,32 +644,24 @@ again:
 		goto again;   /* get another record */
 		}
 
-		/* Check whether this is a repeat, or aged record.
-		 * Don't check if we're listening and this message is
-		 * a ClientHello. They can look as if they're replayed,
-		 * since they arrive from different connections and
-		 * would be dropped unnecessarily.
-		 */
-		if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE &&
-		    *p == SSL3_MT_CLIENT_HELLO) &&
-		    !dtls1_record_replay_check(s, bitmap))
-			{
-			rr->length = 0;
-			s->packet_length=0; /* dump this record */
-			goto again;     /* get another record */
-			}
+	/* Check whether this is a repeat, or aged record. */
+	if (!dtls1_record_replay_check(s, bitmap))
+		{
+		rr->length = 0;
+		s->packet_length=0; /* dump this record */
+		goto again;     /* get another record */
+		}
 
 	/* just read a 0 length packet */
 	if (rr->length == 0) goto again;
 
 	/* If this record is from the next epoch (either HM or ALERT),
 	 * and a handshake is currently in progress, buffer it since it
-	 * cannot be processed at this time. However, do not buffer
-	 * anything while listening.
+	 * cannot be processed at this time.
 	 */
 	if (is_next_epoch)
 		{
-		if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen)
+		if (SSL_in_init(s) || s->in_handshake)
 			{
 			dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
 			}
@@ -799,12 +791,6 @@ start:
 			}
 		}
 
-	if (s->d1->listen && rr->type != SSL3_RT_HANDSHAKE)
-		{
-		rr->length = 0;
-		goto start;
-		}
-
 	/* we now have a packet which can be read and processed */
 
 	if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,

ssl/d1_srvr.c

@@ -166,7 +166,6 @@ int dtls1_accept(SSL *s)
 	unsigned long alg_a;
 	int ret= -1;
 	int new_state,state,skip=0;
-	int listen;
 
 	ERR_clear_error();
 	ERR_clear_system_error();
@@ -175,15 +174,11 @@ int dtls1_accept(SSL *s)
 		cb=s->info_callback;
 	else if (s->ctx->info_callback != NULL)
 		cb=s->ctx->info_callback;
-	
-	listen = s->d1->listen;
 
 	/* init things to blank */
 	s->in_handshake++;
 	if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
 
-	s->d1->listen = listen;
-
 	if (s->cert == NULL)
 		{
 		OPENSSL_PUT_ERROR(SSL, dtls1_accept, SSL_R_NO_CERTIFICATE_SET);
@@ -295,27 +290,6 @@ int dtls1_accept(SSL *s)
 				s->state = SSL3_ST_SW_SRVR_HELLO_A;
 
 			s->init_num=0;
-
-			/* Reflect ClientHello sequence to remain stateless while listening */
-			if (listen)
-				{
-				memcpy(s->s3->write_sequence, s->s3->read_sequence, sizeof(s->s3->write_sequence));
-				}
-
-			/* If we're just listening, stop here */
-			if (listen && s->state == SSL3_ST_SW_SRVR_HELLO_A)
-				{
-				ret = 2;
-				s->d1->listen = 0;
-				/* Set expected sequence numbers
-				 * to continue the handshake.
-				 */
-				s->d1->handshake_read_seq = 2;
-				s->d1->handshake_write_seq = 1;
-				s->d1->next_handshake_write_seq = 1;
-				goto end;
-				}
-			
 			break;
 			
 		case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A: