DTLS: treat bad MAC on Finished as an error
This is not required nor recommended by the protocol, and it's a layering violation, but it's a know flaw in the protocol that you can't detect a PSK auth error in any other way, so it is probably the right thing to do. closes #227
This commit is contained in:
Manuel Pégourié-Gonnard
parent
7381ff0046
commit
0a8857435c
@ -3573,6 +3573,23 @@ read_record_header:
|
||||
if( ret == MBEDTLS_ERR_SSL_INVALID_RECORD ||
|
||||
ret == MBEDTLS_ERR_SSL_INVALID_MAC )
|
||||
{
|
||||
/* Except when waiting for Finished as a bad mac here
|
||||
* probably means something went wrong in the handshake
|
||||
* (eg wrong psk used, mitm downgrade attempt, etc.) */
|
||||
if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED ||
|
||||
ssl->state == MBEDTLS_SSL_SERVER_FINISHED )
|
||||
{
|
||||
#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
|
||||
if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
|
||||
{
|
||||
mbedtls_ssl_send_alert_message( ssl,
|
||||
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
|
||||
}
|
||||
#endif
|
||||
return( ret );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
|
||||
if( ssl->conf->badmac_limit != 0 &&
|
||||
++ssl->badmac_seen >= ssl->conf->badmac_limit )
|
||||
|
||||
@ -2851,6 +2851,13 @@ run_test "DTLS client auth: none, client has no cert" \
|
||||
-c "skip write certificate$" \
|
||||
-s "! Certificate verification was skipped"
|
||||
|
||||
run_test "DTLS wrong PSK: badmac alert" \
|
||||
"$P_SRV dtls=1 psk=abc123 force_ciphersuite=TLS-PSK-WITH-AES-128-GCM-SHA256" \
|
||||
"$P_CLI dtls=1 psk=abc124" \
|
||||
1 \
|
||||
-s "SSL - Verification of the message MAC failed" \
|
||||
-c "SSL - A fatal alert message was received from our peer"
|
||||
|
||||
# Tests for receiving fragmented handshake messages with DTLS
|
||||
|
||||
requires_gnutls
|
||||
|
||||
Loading…
Reference in New Issue
Block a user