Document DTLS-specific retransmit and MTU functions.

The caller obligations for retransmit are messy, so I've peppered a few other functions with mentions of it. There's only three functions, so they're lumped in with the other core functions. They're irrelevant for TLS, but important for DTLS. Change-Id: Ifc995390952eef81370b58276915dcbe4fc7e3b5 Reviewed-on: https://boringssl-review.googlesource.com/6093 Reviewed-by: Adam Langley <agl@google.com>
2015-10-03 11:14:36 -04:00 · 2015-10-03 11:14:36 -04:00 · 8ac00cafbf
commit 8ac00cafbf
parent fd8e69f26d
1 changed files with 42 additions and 28 deletions
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@ -234,6 +234,9 @@ OPENSSL_EXPORT int SSL_is_server(SSL *ssl);
 * takes ownership of the two |BIO|s. If |rbio| and |wbio| are the same, |ssl|
 * only takes ownership of one reference.
 *
 * In DTLS, if |rbio| is blocking, it must handle
 * |BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT| control requests to set read timeouts.
 *
 * Calling this function on an already-configured |ssl| is deprecated. */
 OPENSSL_EXPORT void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio);
@ -248,6 +251,13 @@ OPENSSL_EXPORT BIO *SSL_get_wbio(const SSL *ssl);
 * returns <= 0. The caller should pass the value into |SSL_get_error| to
 * determine how to proceed.
 *
 * In DTLS, if the read |BIO| is non-blocking, the caller must drive
 * retransmissions. Whenever |SSL_get_error| signals |SSL_ERROR_WANT_READ|, use
 * |DTLSv1_get_timeout| to determine the current timeout. If it expires before
 * the next retry, call |DTLSv1_handle_timeout|. Note that DTLS handshake
 * retransmissions use fresh sequence numbers, so it is not sufficient to replay
 * packets at the transport.
 *
 * TODO(davidben): Ensure 0 is only returned on transport EOF.
 * https://crbug.com/466303. */
 OPENSSL_EXPORT int SSL_do_handshake(SSL *ssl);
@ -352,7 +362,11 @@ OPENSSL_EXPORT int SSL_get_error(const SSL *ssl, int ret_code);
 /* SSL_ERROR_WANT_READ indicates the operation failed attempting to read from
 * the transport. The caller may retry the operation when the transport is ready
- * for reading. */
+ * for reading.
 *
 * If signaled by a DTLS handshake, the caller must also call
 * |DTLSv1_get_timeout| and |DTLSv1_handle_timeout| as appropriate. See
 * |SSL_do_handshake|. */
 #define SSL_ERROR_WANT_READ 2
 /* SSL_ERROR_WANT_READ indicates the operation failed attempting to write to
@ -421,6 +435,33 @@ OPENSSL_EXPORT int SSL_get_error(const SSL *ssl, int ret_code);
 * See also |SSL_set_private_key_method|. */
 #define SSL_ERROR_WANT_PRIVATE_KEY_OPERATION 13
 /* SSL_set_mtu sets the |ssl|'s MTU in DTLS to |mtu|. It returns one on success
 * and zero on failure. */
 OPENSSL_EXPORT int SSL_set_mtu(SSL *ssl, unsigned mtu);
 /* DTLSv1_get_timeout queries the next DTLS handshake timeout. If there is a
 * timeout in progress, it sets |*out| to the time remaining and returns one.
 * Otherwise, it returns zero.
 *
 * When the timeout expires, call |DTLSv1_handle_timeout| to handle the
 * retransmit behavior.
 *
 * NOTE: This function must be queried again whenever the handshake state
 * machine changes, including when |DTLSv1_handle_timeout| is called. */
 OPENSSL_EXPORT int DTLSv1_get_timeout(const SSL *ssl, struct timeval *out);
 /* DTLSv1_handle_timeout is called when a DTLS handshake timeout expires. If no
 * timeout had expired, it returns 0. Otherwise, it retransmits the previous
 * flight of handshake messages and returns 1. If too many timeouts had expired
 * without progress or an error occurs, it returns -1.
 *
 * NOTE: The caller's external timer should be compatible with the one |ssl|
 * queries within some fudge factor. Otherwise, the call will be a no-op, but
 * |DTLSv1_get_timeout| will return an updated timeout.
 *
 * WARNING: This function breaks the usual return value convention. */
 OPENSSL_EXPORT int DTLSv1_handle_timeout(SSL *ssl);
 /* Protocol versions. */
@ -2542,10 +2583,6 @@ typedef struct ssl_protocol_method_st SSL_PROTOCOL_METHOD;
 typedef struct ssl_conf_ctx_st SSL_CONF_CTX;
 typedef struct ssl3_enc_method SSL3_ENC_METHOD;
 /* SSL_set_mtu sets the |ssl|'s MTU in DTLS to |mtu|. It returns one on success
 * and zero on failure. */
 OPENSSL_EXPORT int SSL_set_mtu(SSL *ssl, unsigned mtu);
 struct ssl_aead_ctx_st;
 typedef struct ssl_aead_ctx_st SSL_AEAD_CTX;
@ -2695,29 +2732,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY     /* fatal */
 #define SSL_AD_INAPPROPRIATE_FALLBACK SSL3_AD_INAPPROPRIATE_FALLBACK /* fatal */
 /* DTLSv1_get_timeout queries the next DTLS handshake timeout. If there is a
 * timeout in progress, it sets |*out| to the time remaining and returns one.
 * Otherwise, it returns zero.
 *
 * When the timeout expires, call |DTLSv1_handle_timeout| to handle the
 * retransmit behavior.
 *
 * NOTE: This function must be queried again whenever the handshake state
 * machine changes, including when |DTLSv1_handle_timeout| is called. */
 OPENSSL_EXPORT int DTLSv1_get_timeout(const SSL *ssl, struct timeval *out);
 /* DTLSv1_handle_timeout is called when a DTLS handshake timeout expires. If no
 * timeout had expired, it returns 0. Otherwise, it retransmits the previous
 * flight of handshake messages and returns 1. If too many timeouts had expired
 * without progress or an error occurs, it returns -1.
 *
 * NOTE: The caller's external timer should be compatible with the one |ssl|
 * queries within some fudge factor. Otherwise, the call will be a no-op, but
 * |DTLSv1_get_timeout| will return an updated timeout.
 *
 * WARNING: This function breaks the usual return value convention. */
 OPENSSL_EXPORT int DTLSv1_handle_timeout(SSL *ssl);
 /* SSL_total_renegotiations returns the total number of renegotiation handshakes
 * peformed by |ssl|. This includes the pending renegotiation, if any. */
 OPENSSL_EXPORT int SSL_total_renegotiations(const SSL *ssl);