From: Jonathan Bastien-Filiatrault Date: Mon, 6 Sep 2010 02:52:03 +0000 (-0400) Subject: dtls: Limit the number of HelloVerifyRequest round trips. X-Git-Tag: gnutls_2_99_0~234 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=239a5ec0faadf13527c487f9db9ad28d8985ee67;p=thirdparty%2Fgnutls.git dtls: Limit the number of HelloVerifyRequest round trips. Signed-off-by: Nikos Mavrogiannopoulos --- diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c index 7bb63b6556..f5d3794b1e 100644 --- a/lib/gnutls_handshake.c +++ b/lib/gnutls_handshake.c @@ -2417,6 +2417,7 @@ _gnutls_recv_hello_verify_request (gnutls_session_t session, ssize_t len = datalen; size_t pos = 0; uint8_t cookie_len; + unsigned int nb_verifs; if (!_gnutls_is_dtls (session) || session->security_parameters.entity == GNUTLS_SERVER) @@ -2425,6 +2426,15 @@ _gnutls_recv_hello_verify_request (gnutls_session_t session, return GNUTLS_E_UNEXPECTED_PACKET; } + nb_verifs = ++session->internals.dtls.hsk_hello_verify_requests; + if (nb_verifs >= MAX_HANDSHAKE_HELLO_VERIFY_REQUESTS) + { + /* The server is either buggy, malicious or changing cookie + secrets _way_ too fast. */ + gnutls_assert (); + return GNUTLS_E_UNEXPECTED_PACKET; + } + /* TODO: determine if we need to do anything with the server version field */ DECR_LEN (len, 2); pos += 2; diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index 278937d4c4..90efdb5eae 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -178,6 +178,10 @@ typedef enum transport_t /* the maximum size of the DTLS cookie */ #define DTLS_MAX_COOKIE_SIZE 32 +/* The maximum number of HELLO_VERIFY_REQUEST messages the client + processes before aborting. */ +#define MAX_HANDSHAKE_HELLO_VERIFY_REQUESTS 5 + /* defaults for verification functions */ #define DEFAULT_VERIFY_DEPTH 32 @@ -566,6 +570,8 @@ typedef struct /* Head of the next outgoing flight. */ dtls_hsk_retransmit_buffer *retransmit; dtls_hsk_retransmit_buffer **retransmit_end; + + unsigned int hsk_hello_verify_requests; } dtls_st;