AuroraMiddleware/mbedtls
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Drop invalid records with DTLS

Browse Source
This commit is contained in:
Manuel Pégourié-Gonnard 2014-09-08 16:39:08 +02:00 committed by Paul Bakker
parent 167a37632d
commit 63eca930d7
3 changed files with 65 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
library/ssl_tls.c
View File

@ -2579,14 +2579,6 @@ static int ssl_prepare_record_content( ssl_context *ssl )
{ {
if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 ) if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
{ {
#if defined(POLARSSL_SSL_ALERT_MESSAGES)
if( ret == POLARSSL_ERR_SSL_INVALID_MAC )
{
ssl_send_alert_message( ssl,
SSL_ALERT_LEVEL_FATAL,
SSL_ALERT_MSG_BAD_RECORD_MAC );
}
#endif
SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret ); SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
return( ret ); return( ret );
} }
@ -2620,6 +2612,12 @@ static int ssl_prepare_record_content( ssl_context *ssl )
return( 0 ); return( 0 );
} }
/*
* Read a record.
*
* For DTLS, silently ignore invalid records (RFC 4.1.2.7.)
* and continue reading until a valid record is found.
*/
int ssl_read_record( ssl_context *ssl ) int ssl_read_record( ssl_context *ssl )
{ {
int ret; int ret;
@ -2656,6 +2654,9 @@ int ssl_read_record( ssl_context *ssl )
/* /*
* Read the record header and parse it * Read the record header and parse it
*/ */
#if defined(POLARSSL_SSL_PROTO_DTLS)
read_record_header:
#endif
if( ( ret = ssl_fetch_input( ssl, ssl_hdr_len( ssl ) ) ) != 0 ) if( ( ret = ssl_fetch_input( ssl, ssl_hdr_len( ssl ) ) ) != 0 )
{ {
SSL_DEBUG_RET( 1, "ssl_fetch_input", ret ); SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
@ -2663,7 +2664,22 @@ int ssl_read_record( ssl_context *ssl )
} }
if( ( ret = ssl_parse_record_header( ssl ) ) != 0 ) if( ( ret = ssl_parse_record_header( ssl ) ) != 0 )
{
#if defined(POLARSSL_SSL_PROTO_DTLS)
if( ssl->transport == SSL_TRANSPORT_DATAGRAM )
{
/* Ignore bad record and get next one; drop the whole datagram
* since current header cannot be trusted to find the next record
* in current datagram */
ssl->next_record_offset = 0;
ssl->in_left = 0;
SSL_DEBUG_MSG( 2, ( "discarding invalid record" ) );
goto read_record_header;
}
#endif
return( ret ); return( ret );
}
/* /*
* Read and optionally decrypt the message contents * Read and optionally decrypt the message contents
@ -2684,7 +2700,35 @@ int ssl_read_record( ssl_context *ssl )
ssl->in_left = 0; ssl->in_left = 0;
if( ( ret = ssl_prepare_record_content( ssl ) ) != 0 ) if( ( ret = ssl_prepare_record_content( ssl ) ) != 0 )
return( ret ); {
#if defined(POLARSSL_SSL_PROTO_DTLS)
if( ssl->transport == SSL_TRANSPORT_DATAGRAM )
{
/* Silently discard invalid records */
if( ret == POLARSSL_ERR_SSL_INVALID_RECORD ||
ret == POLARSSL_ERR_SSL_INVALID_MAC )
{
SSL_DEBUG_MSG( 2, ( "discarding invalid record" ) );
goto read_record_header;
}
return( ret );
}
else
#endif
{
/* Error out (and send alert) on invalid records */
#if defined(POLARSSL_SSL_ALERT_MESSAGES)
if( ret == POLARSSL_ERR_SSL_INVALID_MAC )
{
ssl_send_alert_message( ssl,
SSL_ALERT_LEVEL_FATAL,
SSL_ALERT_MSG_BAD_RECORD_MAC );
}
#endif
return( ret );
}
}
/* /*
* Handle particular types of records * Handle particular types of records

4
programs/test/udp_proxy.c
View File

@ -297,10 +297,8 @@ int send_packet( const packet *p, const char *why )
} }
/* Don't duplicate Application Data, only handshake covered */ /* Don't duplicate Application Data, only handshake covered */
// Don't duplicate CSS for now (TODO later)
if( opt.duplicate != 0 && if( opt.duplicate != 0 &&
strcmp( p->type, "ApplicationData" ) != 0 && strcmp( p->type, "ApplicationData" ) != 0 &&
strcmp( p->type, "ChangeCipherSpec" ) != 0 &&
++dupl_cnt == opt.duplicate ) ++dupl_cnt == opt.duplicate )
{ {
dupl_cnt = 0; dupl_cnt = 0;
@ -322,7 +320,7 @@ int handle_message( const char *way, int dst, int src )
packet cur; packet cur;
static packet prev; static packet prev;
/* receivec packet */ /* receive packet */
if( ( ret = net_recv( &src, cur.buf, sizeof( cur.buf ) ) ) <= 0 ) if( ( ret = net_recv( &src, cur.buf, sizeof( cur.buf ) ) ) <= 0 )
{ {
printf( " ! net_recv returned %d\n", ret ); printf( " ! net_recv returned %d\n", ret );

11
tests/ssl-opt.sh
View File

@ -2104,6 +2104,7 @@ run_test "DTLS proxy: reference" \
"$P_SRV dtls=1" \ "$P_SRV dtls=1" \
"$P_CLI dtls=1" \ "$P_CLI dtls=1" \
0 \ 0 \
-s "Extra-header:" \
-c "HTTP/1.0 200 OK" -c "HTTP/1.0 200 OK"
run_test "DTLS proxy: some duplication" \ run_test "DTLS proxy: some duplication" \
@ -2111,6 +2112,7 @@ run_test "DTLS proxy: some duplication" \
"$P_SRV dtls=1" \ "$P_SRV dtls=1" \
"$P_CLI dtls=1" \ "$P_CLI dtls=1" \
0 \ 0 \
-s "Extra-header:" \
-c "HTTP/1.0 200 OK" -c "HTTP/1.0 200 OK"
run_test "DTLS proxy: lots of duplication" \ run_test "DTLS proxy: lots of duplication" \
@ -2118,6 +2120,15 @@ run_test "DTLS proxy: lots of duplication" \
"$P_SRV dtls=1" \ "$P_SRV dtls=1" \
"$P_CLI dtls=1" \ "$P_CLI dtls=1" \
0 \ 0 \
-s "Extra-header:" \
-c "HTTP/1.0 200 OK"
run_test "DTLS proxy: inject invalid AD record" \
-p "$P_PXY bad_ad=1" \
"$P_SRV dtls=1" \
"$P_CLI dtls=1" \
0 \
-s "Extra-header:" \
-c "HTTP/1.0 200 OK" -c "HTTP/1.0 200 OK"
# Final report # Final report