From: Nikos Mavrogiannopoulos Date: Sun, 13 Mar 2011 18:07:24 +0000 (+0100) Subject: updated cookie negotiation to use only a prestate structure and avoids setting data... X-Git-Tag: gnutls_2_99_0~119 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5637bae9e09412badbdb54f0e50cabe84e8eb659;p=thirdparty%2Fgnutls.git updated cookie negotiation to use only a prestate structure and avoids setting data to cookie. --- diff --git a/lib/gnutls_dtls.c b/lib/gnutls_dtls.c index 708e262c65..6ecf414491 100644 --- a/lib/gnutls_dtls.c +++ b/lib/gnutls_dtls.c @@ -380,11 +380,11 @@ int ret; return session->internals.dtls.mtu - RECORD_HEADER_SIZE(session); } -#define COOKIE_SIZE 19 +#define COOKIE_SIZE 16 #define COOKIE_MAC_SIZE 16 -/* record seq || hsk read seq || hsk write seq || MAC - * 1 byte 1 byte 1 byte 16 bytes +/* MAC + * 16 bytes * * total 19 bytes */ @@ -412,10 +412,9 @@ int ret; * **/ int gnutls_dtls_cookie_send(gnutls_datum_t* key, void* client_data, size_t client_data_size, - gnutls_cookie_st* cookie, + gnutls_dtls_prestate_st* prestate, gnutls_transport_ptr_t ptr, gnutls_push_func push_func) { - opaque hvr[20+DTLS_HANDSHAKE_HEADER_SIZE+COOKIE_SIZE]; int hvr_size = 0, ret; uint8_t digest[C_HASH_SIZE]; @@ -455,7 +454,8 @@ uint8_t digest[C_HASH_SIZE]; /* epoch + seq */ memset(&hvr[hvr_size], 0, 8); - hvr_size += 8; + hvr_size += 7; + hvr[hvr_size++] = prestate->record_seq; /* length */ _gnutls_write_uint16(DTLS_HANDSHAKE_HEADER_SIZE+COOKIE_SIZE+3, &hvr[hvr_size]); @@ -467,8 +467,8 @@ uint8_t digest[C_HASH_SIZE]; hvr_size += 3; /* handshake seq */ - memset(&hvr[hvr_size], 0, 2); - hvr_size += 2; + hvr[hvr_size++] = 0; + hvr[hvr_size++] = prestate->hsk_write_seq; _gnutls_write_uint24(0, &hvr[hvr_size]); hvr_size += 3; @@ -485,19 +485,6 @@ uint8_t digest[C_HASH_SIZE]; if (ret < 0) return gnutls_assert_val(ret); - if (cookie && cookie->cookie_size > 3) - { - hvr[hvr_size++] = cookie->cookie[0]+1/* record */; - hvr[hvr_size++] = cookie->cookie[1]+1/* hsk read seq*/; - hvr[hvr_size++] = cookie->cookie[2]+1/* hsk write seq */; - } - else - { - hvr[hvr_size++] = 1; - hvr[hvr_size++] = 1; - hvr[hvr_size++] = 1; - } - memcpy(&hvr[hvr_size], digest, COOKIE_MAC_SIZE); hvr_size+= COOKIE_MAC_SIZE; @@ -520,14 +507,14 @@ uint8_t digest[C_HASH_SIZE]; * This function will verify an incoming message for * a valid cookie. If a valid cookie is returned then * it should be associated with the session using - * gnutls_dtls_cookie_set(); + * gnutls_dtls_prestate_set(); * * Returns: zero on success, or a negative error code. * **/ int gnutls_dtls_cookie_verify(gnutls_datum_t* key, void* client_data, size_t client_data_size, - void* _msg, size_t msg_size, gnutls_cookie_st* out) + void* _msg, size_t msg_size, gnutls_dtls_prestate_st* out) { gnutls_datum_t cookie; int sid_size; @@ -572,32 +559,34 @@ uint8_t digest[C_HASH_SIZE]; if (ret < 0) return gnutls_assert_val(ret); - if (memcmp(digest, &cookie.data[3], COOKIE_MAC_SIZE) != 0) + if (memcmp(digest, cookie.data, COOKIE_MAC_SIZE) != 0) return gnutls_assert_val(GNUTLS_E_BAD_COOKIE); - memcpy(out->cookie, cookie.data, cookie.size); - out->cookie_size = cookie.size; - + out->record_seq = msg[10]; /* client's record seq */ + out->hsk_read_seq = msg[DTLS_RECORD_HEADER_SIZE+5];/* client's hsk seq */ + out->hsk_write_seq = out->hsk_read_seq;/* client's hsk seq */ + return 0; } /** - * gnutls_dtls_cookie_set: + * gnutls_dtls_prestate_set: * @session: a new session - * @cookie: contains the client's cookie + * @prestate: contains the client's prestate * - * This function will associate the received cookie by - * the client, with the newly established session. + * This function will associate the prestate acquired by + * the cookie authentication with the client, with the newly + * established session. * * Returns: zero on success, or a negative error code. * **/ -void gnutls_dtls_cookie_set(gnutls_session_t session, gnutls_cookie_st* st) +void gnutls_dtls_prestate_set(gnutls_session_t session, gnutls_dtls_prestate_st* st) { record_parameters_st *params; int ret; - if (st == NULL || st->cookie_size == 0) + if (st == NULL) return; /* we do not care about read_params, since we accept anything @@ -607,16 +596,8 @@ void gnutls_dtls_cookie_set(gnutls_session_t session, gnutls_cookie_st* st) if (ret < 0) return; - if (st->cookie_size < 3) - return; - - params->write.sequence_number.i[7] = st->cookie[0]; - - session->internals.dtls.hsk_read_seq = st->cookie[1]; - session->internals.dtls.hsk_write_seq = st->cookie[2]; - -fprintf(stderr, "record send seq: %d\n", (int)st->cookie[0]); -fprintf(stderr, "hsk read seq: %d\n", (int)st->cookie[1]); -fprintf(stderr, "hsk write seq: %d\n", (int)st->cookie[2]); + params->write.sequence_number.i[7] = st->record_seq; + session->internals.dtls.hsk_read_seq = st->hsk_read_seq; + session->internals.dtls.hsk_write_seq = st->hsk_write_seq; } diff --git a/lib/includes/gnutls/dtls.h b/lib/includes/gnutls/dtls.h index 9f5dde91f1..89d038898d 100644 --- a/lib/includes/gnutls/dtls.h +++ b/lib/includes/gnutls/dtls.h @@ -45,20 +45,21 @@ unsigned int gnutls_dtls_get_mtu (gnutls_session_t session); void gnutls_dtls_set_mtu (gnutls_session_t session, unsigned int mtu); typedef struct { - unsigned char cookie[255]; - size_t cookie_size; -} gnutls_cookie_st; + unsigned int record_seq; + unsigned int hsk_read_seq; + unsigned int hsk_write_seq; +} gnutls_dtls_prestate_st; int gnutls_dtls_cookie_send(gnutls_datum_t* key, void* client_data, size_t client_data_size, - gnutls_cookie_st* cookie, + gnutls_dtls_prestate_st* state, gnutls_transport_ptr_t ptr, gnutls_push_func push_func); int gnutls_dtls_cookie_verify(gnutls_datum_t* key, void* client_data, size_t client_data_size, - void* _msg, size_t msg_size, gnutls_cookie_st* cookie); + void* _msg, size_t msg_size, gnutls_dtls_prestate_st* state); -void gnutls_dtls_cookie_set(gnutls_session_t session, gnutls_cookie_st* st); +void gnutls_dtls_prestate_set(gnutls_session_t session, gnutls_dtls_prestate_st* st); #ifdef __cplusplus } diff --git a/lib/libgnutls.map b/lib/libgnutls.map index aa76fde3ae..021f8db4f5 100644 --- a/lib/libgnutls.map +++ b/lib/libgnutls.map @@ -699,7 +699,7 @@ GNUTLS_3_0_0 { gnutls_key_generate; gnutls_dtls_cookie_verify; gnutls_dtls_cookie_send; - gnutls_dtls_cookie_set; + gnutls_dtls_prestate_set; } GNUTLS_2_12; GNUTLS_PRIVATE { diff --git a/src/udp-serv.c b/src/udp-serv.c index 9202565dba..75cd7e9603 100644 --- a/src/udp-serv.c +++ b/src/udp-serv.c @@ -30,7 +30,7 @@ int udp_server(const char* name, int port, int mtu) priv_data_st priv; gnutls_session_t session; gnutls_datum_t cookie_key; - gnutls_cookie_st cookie; + gnutls_dtls_prestate_st prestate; unsigned char sequence[8]; ret = gnutls_key_generate(&cookie_key, GNUTLS_COOKIE_KEY_SIZE); @@ -58,8 +58,8 @@ int udp_server(const char* name, int port, int mtu) ret = recvfrom(sock, buffer, sizeof(buffer), MSG_PEEK, (struct sockaddr*)&cli_addr, &cli_addr_size); if (ret > 0) { - memset(&cookie, 0, sizeof(cookie)); - ret = gnutls_dtls_cookie_verify(&cookie_key, &cli_addr, sizeof(cli_addr), buffer, ret, &cookie); + memset(&prestate, 0, sizeof(prestate)); + ret = gnutls_dtls_cookie_verify(&cookie_key, &cli_addr, sizeof(cli_addr), buffer, ret, &prestate); if (ret < 0) /* cookie not valid */ { priv_data_st s; @@ -71,7 +71,7 @@ int udp_server(const char* name, int port, int mtu) printf("Sending hello verify request to %s\n", human_addr ((struct sockaddr *) &cli_addr, sizeof(cli_addr), buffer, sizeof(buffer))); - gnutls_dtls_cookie_send(&cookie_key, &cli_addr, sizeof(cli_addr), &cookie, (gnutls_transport_ptr_t)&s, push_func); + gnutls_dtls_cookie_send(&cookie_key, &cli_addr, sizeof(cli_addr), &prestate, (gnutls_transport_ptr_t)&s, push_func); /* discard peeked data*/ recvfrom(sock, buffer, sizeof(buffer), 0, (struct sockaddr*)&cli_addr, &cli_addr_size); @@ -87,7 +87,7 @@ int udp_server(const char* name, int port, int mtu) continue; session = initialize_session(1); - gnutls_dtls_cookie_set(session, &cookie); + gnutls_dtls_prestate_set(session, &prestate); if (mtu) gnutls_dtls_set_mtu(session, mtu); priv.session = session;