]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
updated cookie negotiation to use only a prestate structure and avoids setting data...
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Sun, 13 Mar 2011 18:07:24 +0000 (19:07 +0100)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Sun, 13 Mar 2011 18:07:24 +0000 (19:07 +0100)
lib/gnutls_dtls.c
lib/includes/gnutls/dtls.h
lib/libgnutls.map
src/udp-serv.c

index 708e262c6540b257fdd85f6150c7f7a6c31f99dc..6ecf414491b9907f1410bd0e1695a59b2389bb83 100644 (file)
@@ -380,11 +380,11 @@ int ret;
     return session->internals.dtls.mtu - RECORD_HEADER_SIZE(session);
 }
 
-#define COOKIE_SIZE 19
+#define COOKIE_SIZE 16
 #define COOKIE_MAC_SIZE 16
 
-/* record seq || hsk read seq || hsk write seq ||   MAC
- *   1 byte         1 byte           1 byte       16 bytes
+/*   MAC
+ * 16 bytes
  *
  * total 19 bytes
  */
@@ -412,10 +412,9 @@ int ret;
  *
  **/
 int gnutls_dtls_cookie_send(gnutls_datum_t* key, void* client_data, size_t client_data_size, 
-  gnutls_cookie_st* cookie,
+  gnutls_dtls_prestate_st* prestate,
   gnutls_transport_ptr_t ptr, gnutls_push_func push_func)
 {
-
 opaque hvr[20+DTLS_HANDSHAKE_HEADER_SIZE+COOKIE_SIZE];
 int hvr_size = 0, ret;
 uint8_t digest[C_HASH_SIZE];
@@ -455,7 +454,8 @@ uint8_t digest[C_HASH_SIZE];
   
   /* epoch + seq */
   memset(&hvr[hvr_size], 0, 8);
-  hvr_size += 8;
+  hvr_size += 7;
+  hvr[hvr_size++] = prestate->record_seq;
 
   /* length */
   _gnutls_write_uint16(DTLS_HANDSHAKE_HEADER_SIZE+COOKIE_SIZE+3, &hvr[hvr_size]);
@@ -467,8 +467,8 @@ uint8_t digest[C_HASH_SIZE];
   hvr_size += 3;
   
   /* handshake seq */
-  memset(&hvr[hvr_size], 0, 2);
-  hvr_size += 2;
+  hvr[hvr_size++] = 0;
+  hvr[hvr_size++] = prestate->hsk_write_seq;
 
   _gnutls_write_uint24(0, &hvr[hvr_size]);
   hvr_size += 3;
@@ -485,19 +485,6 @@ uint8_t digest[C_HASH_SIZE];
   if (ret < 0)
     return gnutls_assert_val(ret);
 
-  if (cookie && cookie->cookie_size > 3)
-    {
-      hvr[hvr_size++] = cookie->cookie[0]+1/* record */;
-      hvr[hvr_size++] = cookie->cookie[1]+1/* hsk read seq*/;
-      hvr[hvr_size++] = cookie->cookie[2]+1/* hsk write seq */;
-    }
-  else
-    {
-      hvr[hvr_size++] = 1;
-      hvr[hvr_size++] = 1;
-      hvr[hvr_size++] = 1;
-    }
-
   memcpy(&hvr[hvr_size], digest, COOKIE_MAC_SIZE);
   hvr_size+= COOKIE_MAC_SIZE;
 
@@ -520,14 +507,14 @@ uint8_t digest[C_HASH_SIZE];
  * This function will verify an incoming message for
  * a valid cookie. If a valid cookie is returned then
  * it should be associated with the session using
- * gnutls_dtls_cookie_set();
+ * gnutls_dtls_prestate_set();
  *
  * Returns: zero on success, or a negative error code.  
  *
  **/
 int gnutls_dtls_cookie_verify(gnutls_datum_t* key, 
   void* client_data, size_t client_data_size, 
-  void* _msg, size_t msg_size, gnutls_cookie_st* out)
+  void* _msg, size_t msg_size, gnutls_dtls_prestate_st* out)
 {
 gnutls_datum_t cookie;
 int sid_size;
@@ -572,32 +559,34 @@ uint8_t digest[C_HASH_SIZE];
   if (ret < 0)
     return gnutls_assert_val(ret);
 
-  if (memcmp(digest, &cookie.data[3], COOKIE_MAC_SIZE) != 0)
+  if (memcmp(digest, cookie.data, COOKIE_MAC_SIZE) != 0)
     return gnutls_assert_val(GNUTLS_E_BAD_COOKIE);
   
-  memcpy(out->cookie, cookie.data, cookie.size);
-  out->cookie_size = cookie.size;
-
+  out->record_seq = msg[10]; /* client's record seq */
+  out->hsk_read_seq =  msg[DTLS_RECORD_HEADER_SIZE+5];/* client's hsk seq */
+  out->hsk_write_seq = out->hsk_read_seq;/* client's hsk seq */
+  
   return 0;
 }
 
 /**
- * gnutls_dtls_cookie_set:
+ * gnutls_dtls_prestate_set:
  * @session: a new session
- * @cookie: contains the client's cookie
+ * @prestate: contains the client's prestate
  *
- * This function will associate the received cookie by
- * the client, with the newly established session.
+ * This function will associate the prestate acquired by
+ * the cookie authentication with the client, with the newly 
+ * established session.
  *
  * Returns: zero on success, or a negative error code.  
  *
  **/
-void gnutls_dtls_cookie_set(gnutls_session_t session, gnutls_cookie_st* st)
+void gnutls_dtls_prestate_set(gnutls_session_t session, gnutls_dtls_prestate_st* st)
 {
   record_parameters_st *params;
   int ret;
 
-  if (st == NULL || st->cookie_size == 0)
+  if (st == NULL)
     return;
 
   /* we do not care about read_params, since we accept anything
@@ -607,16 +596,8 @@ void gnutls_dtls_cookie_set(gnutls_session_t session, gnutls_cookie_st* st)
   if (ret < 0)
     return;
 
-  if (st->cookie_size < 3)
-    return;
-
-  params->write.sequence_number.i[7] = st->cookie[0];
-
-  session->internals.dtls.hsk_read_seq = st->cookie[1];
-  session->internals.dtls.hsk_write_seq = st->cookie[2];
-
-fprintf(stderr, "record send seq: %d\n", (int)st->cookie[0]);
-fprintf(stderr, "hsk read seq: %d\n", (int)st->cookie[1]);
-fprintf(stderr, "hsk write seq: %d\n", (int)st->cookie[2]);
+  params->write.sequence_number.i[7] = st->record_seq;
 
+  session->internals.dtls.hsk_read_seq = st->hsk_read_seq;
+  session->internals.dtls.hsk_write_seq = st->hsk_write_seq;
 }
index 9f5dde91f108c36867bc2d5b4dae28ea69b8d465..89d038898d1ca08f0ec104a58b91e53a7001ee86 100644 (file)
@@ -45,20 +45,21 @@ unsigned int gnutls_dtls_get_mtu (gnutls_session_t session);
 void gnutls_dtls_set_mtu (gnutls_session_t session, unsigned int mtu);
 
 typedef struct {
-  unsigned char cookie[255];
-  size_t cookie_size;
-} gnutls_cookie_st;
+  unsigned int record_seq;
+  unsigned int hsk_read_seq;
+  unsigned int hsk_write_seq;
+} gnutls_dtls_prestate_st;
 
 int gnutls_dtls_cookie_send(gnutls_datum_t* key, void* client_data, size_t client_data_size, 
-  gnutls_cookie_st* cookie,
+  gnutls_dtls_prestate_st* state,
   gnutls_transport_ptr_t ptr, gnutls_push_func push_func);
 
 
 int gnutls_dtls_cookie_verify(gnutls_datum_t* key, 
   void* client_data, size_t client_data_size, 
-  void* _msg, size_t msg_size, gnutls_cookie_st* cookie);
+  void* _msg, size_t msg_size, gnutls_dtls_prestate_st* state);
 
-void gnutls_dtls_cookie_set(gnutls_session_t session, gnutls_cookie_st* st);
+void gnutls_dtls_prestate_set(gnutls_session_t session, gnutls_dtls_prestate_st* st);
 
 #ifdef __cplusplus
 }
index aa76fde3ae0627c0178316dafbaa2120aab9c22d..021f8db4f5a9d4e8214f82ee29617201e11f3627 100644 (file)
@@ -699,7 +699,7 @@ GNUTLS_3_0_0 {
        gnutls_key_generate;
        gnutls_dtls_cookie_verify;
        gnutls_dtls_cookie_send;
-       gnutls_dtls_cookie_set;
+       gnutls_dtls_prestate_set;
 } GNUTLS_2_12;
 
 GNUTLS_PRIVATE {
index 9202565dba04c4db426bdf316eda047efa26e353..75cd7e960341a8d03933c214f91a0af42b0ced97 100644 (file)
@@ -30,7 +30,7 @@ int udp_server(const char* name, int port, int mtu)
     priv_data_st priv;
     gnutls_session_t session;
     gnutls_datum_t cookie_key;
-    gnutls_cookie_st cookie;
+    gnutls_dtls_prestate_st prestate;
     unsigned char sequence[8];
 
     ret = gnutls_key_generate(&cookie_key, GNUTLS_COOKIE_KEY_SIZE);
@@ -58,8 +58,8 @@ int udp_server(const char* name, int port, int mtu)
         ret = recvfrom(sock, buffer, sizeof(buffer), MSG_PEEK, (struct sockaddr*)&cli_addr, &cli_addr_size);
         if (ret > 0)
           {
-            memset(&cookie, 0, sizeof(cookie));
-            ret = gnutls_dtls_cookie_verify(&cookie_key, &cli_addr, sizeof(cli_addr), buffer, ret, &cookie);
+            memset(&prestate, 0, sizeof(prestate));
+            ret = gnutls_dtls_cookie_verify(&cookie_key, &cli_addr, sizeof(cli_addr), buffer, ret, &prestate);
             if (ret < 0) /* cookie not valid */
               {
                 priv_data_st s;
@@ -71,7 +71,7 @@ int udp_server(const char* name, int port, int mtu)
                 
                 printf("Sending hello verify request to %s\n", human_addr ((struct sockaddr *)
                   &cli_addr, sizeof(cli_addr), buffer, sizeof(buffer)));
-                gnutls_dtls_cookie_send(&cookie_key, &cli_addr, sizeof(cli_addr), &cookie, (gnutls_transport_ptr_t)&s, push_func);
+                gnutls_dtls_cookie_send(&cookie_key, &cli_addr, sizeof(cli_addr), &prestate, (gnutls_transport_ptr_t)&s, push_func);
 
                 /* discard peeked data*/
                 recvfrom(sock, buffer, sizeof(buffer), 0, (struct sockaddr*)&cli_addr, &cli_addr_size);
@@ -87,7 +87,7 @@ int udp_server(const char* name, int port, int mtu)
           continue;
 
         session = initialize_session(1);
-        gnutls_dtls_cookie_set(session, &cookie);
+        gnutls_dtls_prestate_set(session, &prestate);
         if (mtu) gnutls_dtls_set_mtu(session, mtu);
 
         priv.session = session;