cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-11-04 04:32:24 -05:00
Code Issues Packages Projects Releases Wiki Activity

Make DTLS_HELLO_VERIFY a compile option

Browse Source
This commit is contained in:
Manuel Pégourié-Gonnard 2014-07-23 00:28:58 +02:00 committed by Paul Bakker
parent 98545f128a
commit 82202f0a9c
6 changed files with 52 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
include/polarssl/check_config.h
View File

@ -263,6 +263,11 @@
#error "Illegal protocol selection" #error "Illegal protocol selection"
#endif #endif
#if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY) && \
( !defined(POLARSSL_SSL_SRV_C) || !defined(POLARSSL_SSL_PROTO_DTLS) )
#error "POLARSSL_SSL_DTLS_HELLO_VERIFY defined, but not all prerequisites"
#endif
#if defined(POLARSSL_SSL_SESSION_TICKETS) && defined(POLARSSL_SSL_TLS_C) && \ #if defined(POLARSSL_SSL_SESSION_TICKETS) && defined(POLARSSL_SSL_TLS_C) && \
( !defined(POLARSSL_AES_C) || !defined(POLARSSL_SHA256_C) || \ ( !defined(POLARSSL_AES_C) || !defined(POLARSSL_SHA256_C) || \
!defined(POLARSSL_CIPHER_MODE_CBC) ) !defined(POLARSSL_CIPHER_MODE_CBC) )

17
include/polarssl/config.h
View File

@ -923,6 +923,23 @@
*/ */
#define POLARSSL_SSL_ALPN #define POLARSSL_SSL_ALPN
/**
* \def POLARSSL_SSL_DTLS_HELLO_VERIFY
*
* Enable support for HelloVerifyRequest on DTLS servers.
*
* This feature is highly recommended to prevent DTLS servers being used as
* amplifiers in DoS attacks against other hosts. It should always be enabled
* unless you know for sure amplification cannot be a problem in the
* environment in which your server operates.
*
* Requires: POLARSSL_SSL_SRV_C
* POLARSSL_POLARSSL_PROTO_DTLS
*
* Comment this to disable support for HelloVerifyRequest.
*/
#define POLARSSL_SSL_DTLS_HELLO_VERIFY
/** /**
* \def POLARSSL_SSL_SESSION_TICKETS * \def POLARSSL_SSL_SESSION_TICKETS
* *

6
include/polarssl/ssl.h
View File

@ -878,7 +878,7 @@ struct _ssl_context
/* /*
* Client id (IP/port) for DTLS hello verify * Client id (IP/port) for DTLS hello verify
*/ */
#if defined(POLARSSL_SSL_PROTO_DTLS) && defined(POLARSSL_SSL_SRV_C) #if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY)
unsigned char *cli_id; /*!< transport-level ID of the client */ unsigned char *cli_id; /*!< transport-level ID of the client */
size_t cli_id_len; /*!< length of cli_id */ size_t cli_id_len; /*!< length of cli_id */
md_context_t hvr_hmac_ctx; /*!< HMAC data for HelloVerifyRequest */ md_context_t hvr_hmac_ctx; /*!< HMAC data for HelloVerifyRequest */
@ -1067,7 +1067,7 @@ void ssl_set_bio( ssl_context *ssl,
int (*f_recv)(void *, unsigned char *, size_t), void *p_recv, int (*f_recv)(void *, unsigned char *, size_t), void *p_recv,
int (*f_send)(void *, const unsigned char *, size_t), void *p_send ); int (*f_send)(void *, const unsigned char *, size_t), void *p_send );
#if defined(POLARSSL_SSL_PROTO_DTLS) && defined(POLARSSL_SSL_SRV_C) #if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY)
/** /**
* \brief Set client's transport-level identification info. * \brief Set client's transport-level identification info.
* (Only usable on server.) * (Only usable on server.)
@ -1095,7 +1095,7 @@ int ssl_set_client_transport_id( ssl_context *ssl,
/* Temporary */ /* Temporary */
int ssl_setup_hvr_key( ssl_context *ssl ); int ssl_setup_hvr_key( ssl_context *ssl );
#endif /* POLARSSL_SSL_PROTO_DTLS && POLARSSL_SSL_SRV_C */ #endif /* POLARSSL_SSL_DTLS_HELLO_VERIFY */
/** /**
* \brief Set the session cache callbacks (server-side only) * \brief Set the session cache callbacks (server-side only)

33
library/ssl_srv.c
View File

@ -351,7 +351,7 @@ static int ssl_parse_ticket( ssl_context *ssl,
} }
#endif /* POLARSSL_SSL_SESSION_TICKETS */ #endif /* POLARSSL_SSL_SESSION_TICKETS */
#if defined(POLARSSL_SSL_PROTO_DTLS) #if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY)
int ssl_set_client_transport_id( ssl_context *ssl, int ssl_set_client_transport_id( ssl_context *ssl,
const unsigned char *info, const unsigned char *info,
size_t ilen ) size_t ilen )
@ -369,7 +369,7 @@ int ssl_set_client_transport_id( ssl_context *ssl,
return( 0 ); return( 0 );
} }
#endif /* POLARSSL_SSL_PROTO_DTLS */ #endif /* POLARSSL_SSL_DTLS_HELLO_VERIFY */
#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
/* /*
@ -1136,7 +1136,7 @@ have_ciphersuite_v2:
} }
#endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */ #endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
#if defined(POLARSSL_SSL_PROTO_DTLS) #if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY)
/* /*
* If DTLS is in use, then at least one of SHA-1, SHA-256, SHA-512 is * If DTLS is in use, then at least one of SHA-1, SHA-256, SHA-512 is
@ -1186,7 +1186,7 @@ int ssl_setup_hvr_key( ssl_context *ssl )
/* /*
* Generate cookie for DTLS ClientHello verification * Generate cookie for DTLS ClientHello verification
*/ */
static int ssl_generate_verify_cookie( ssl_context *ssl ) static int ssl_cookie_generate( ssl_context *ssl )
{ {
int ret; int ret;
unsigned char *cookie = ssl->handshake->verify_cookie; unsigned char *cookie = ssl->handshake->verify_cookie;
@ -1219,7 +1219,7 @@ static int ssl_generate_verify_cookie( ssl_context *ssl )
return( 0 ); return( 0 );
} }
#endif /* POLARSSL_SSL_PROTO_DTLS */ #endif /* POLARSSL_SSL_DTLS_HELLO_VERIFY */
static int ssl_parse_client_hello( ssl_context *ssl ) static int ssl_parse_client_hello( ssl_context *ssl )
{ {
@ -1515,14 +1515,15 @@ static int ssl_parse_client_hello( ssl_context *ssl )
SSL_DEBUG_BUF( 3, "client hello, cookie", SSL_DEBUG_BUF( 3, "client hello, cookie",
buf + cookie_offset + 1, cookie_len ); buf + cookie_offset + 1, cookie_len );
#if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY)
/* /*
* Generate reference cookie content: * Generate reference cookie content:
* - used for verification below, * - used for verification below,
* - stored to be sent if verification fails * - stored to be sent if verification fails
*/ */
if( ( ret = ssl_generate_verify_cookie( ssl ) ) != 0 ) if( ( ret = ssl_cookie_generate( ssl ) ) != 0 )
{ {
SSL_DEBUG_RET( 1, "ssl_generate_verify_cookie", ret ); SSL_DEBUG_RET( 1, "ssl_cookie_generate", ret );
return( ret ); return( ret );
} }
@ -1540,7 +1541,16 @@ static int ssl_parse_client_hello( ssl_context *ssl )
SSL_DEBUG_MSG( 2, ( "client hello, cookie verification %s", SSL_DEBUG_MSG( 2, ( "client hello, cookie verification %s",
ssl->handshake->verify_cookie == NULL ? ssl->handshake->verify_cookie == NULL ?
"passed" : "failed" ) ); "passed" : "failed" ) );
#else
/* We know we didn't send a cookie, so it should be empty */
if( cookie_len != 0 )
{
SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
}
SSL_DEBUG_MSG( 2, ( "cookie verification disabled" ) );
#endif
} }
#endif /* POLARSSL_SSL_PROTO_DTLS */ #endif /* POLARSSL_SSL_PROTO_DTLS */
@ -1603,6 +1613,7 @@ static int ssl_parse_client_hello( ssl_context *ssl )
if( ssl->transport == SSL_TRANSPORT_DATAGRAM ) if( ssl->transport == SSL_TRANSPORT_DATAGRAM )
ssl->session_negotiate->compression = SSL_COMPRESS_NULL; ssl->session_negotiate->compression = SSL_COMPRESS_NULL;
#endif #endif
/* /*
* Check the extension length * Check the extension length
*/ */
@ -2037,7 +2048,7 @@ static void ssl_write_alpn_ext( ssl_context *ssl,
} }
#endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */ #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
#if defined(POLARSSL_SSL_PROTO_DTLS) #if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY)
static int ssl_write_hello_verify_request( ssl_context *ssl ) static int ssl_write_hello_verify_request( ssl_context *ssl )
{ {
int ret; int ret;
@ -2081,7 +2092,7 @@ static int ssl_write_hello_verify_request( ssl_context *ssl )
return( 0 ); return( 0 );
} }
#endif /* POLARSSL_SSL_PROTO_DTLS */ #endif /* POLARSSL_SSL_DTLS_HELLO_VERIFY */
static int ssl_write_server_hello( ssl_context *ssl ) static int ssl_write_server_hello( ssl_context *ssl )
{ {
@ -2094,7 +2105,7 @@ static int ssl_write_server_hello( ssl_context *ssl )
SSL_DEBUG_MSG( 2, ( "=> write server hello" ) ); SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
#if defined(POLARSSL_SSL_PROTO_DTLS) #if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY)
if( ssl->transport == SSL_TRANSPORT_DATAGRAM && if( ssl->transport == SSL_TRANSPORT_DATAGRAM &&
ssl->handshake->verify_cookie != NULL ) ssl->handshake->verify_cookie != NULL )
{ {
@ -2109,7 +2120,7 @@ static int ssl_write_server_hello( ssl_context *ssl )
return( POLARSSL_ERR_SSL_HELLO_VERIFY_REQUIRED ); return( POLARSSL_ERR_SSL_HELLO_VERIFY_REQUIRED );
} }
#endif /* POLARSSL_SSL_PROTO_DTLS */ #endif /* POLARSSL_SSL_DTLS_HELLO_VERIFY */
if( ssl->f_rng == NULL ) if( ssl->f_rng == NULL )
{ {

4
library/ssl_tls.c
View File

@ -3749,7 +3749,7 @@ int ssl_session_reset( ssl_context *ssl )
ssl->alpn_chosen = NULL; ssl->alpn_chosen = NULL;
#endif #endif
#if defined(POLARSSL_SSL_PROTO_DTLS) && defined(POLARSSL_SSL_SRV_C) #if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY)
polarssl_free( ssl->cli_id ); polarssl_free( ssl->cli_id );
ssl->cli_id = NULL; ssl->cli_id = NULL;
ssl->cli_id_len = 0; ssl->cli_id_len = 0;
@ -5039,7 +5039,7 @@ void ssl_free( ssl_context *ssl )
} }
#endif #endif
#if defined(POLARSSL_SSL_PROTO_DTLS) && defined(POLARSSL_SSL_SRV_C) #if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY)
polarssl_free( ssl->cli_id ); polarssl_free( ssl->cli_id );
md_free( &ssl->hvr_hmac_ctx ); md_free( &ssl->hvr_hmac_ctx );
#endif #endif

6
programs/ssl/ssl_server2.c
View File

@ -1344,7 +1344,7 @@ int main( int argc, char *argv[] )
ssl_set_session_ticket_lifetime( &ssl, opt.ticket_timeout ); ssl_set_session_ticket_lifetime( &ssl, opt.ticket_timeout );
#endif #endif
#if defined(POLARSSL_SSL_PROTO_DTLS) #if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY)
if( opt.transport == SSL_TRANSPORT_DATAGRAM && if( opt.transport == SSL_TRANSPORT_DATAGRAM &&
( ret = ssl_setup_hvr_key( &ssl ) ) != 0 ) ( ret = ssl_setup_hvr_key( &ssl ) ) != 0 )
{ {
@ -1538,7 +1538,7 @@ reset:
else else
ssl_set_bio( &ssl, net_recv, &client_fd, net_send, &client_fd ); ssl_set_bio( &ssl, net_recv, &client_fd, net_send, &client_fd );
#if defined(POLARSSL_SSL_PROTO_DTLS) #if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY)
if( opt.transport == SSL_TRANSPORT_DATAGRAM ) if( opt.transport == SSL_TRANSPORT_DATAGRAM )
{ {
if( ( ret = ssl_set_client_transport_id( &ssl, client_ip, if( ( ret = ssl_set_client_transport_id( &ssl, client_ip,
@ -1549,7 +1549,7 @@ reset:
goto exit; goto exit;
} }
} }
#endif /* POLARSSL_SSL_PROTO_DTLS */ #endif /* POLARSSL_SSL_DTLS_HELLO_VERIFY */
printf( " ok\n" ); printf( " ok\n" );