Add replay detection
This commit is contained in:
parent
4956fd7437
commit
b47368a00a
2 changed files with 36 additions and 17 deletions
|
@ -2104,6 +2104,10 @@ static void ssl_flight_free( ssl_flight_item *flight )
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if defined(POLARSSL_SSL_DTLS_ANTI_REPLAY)
|
||||||
|
static void ssl_dtls_replay_reset( ssl_context *ssl );
|
||||||
|
#endif
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Swap transform_out and out_ctr with the alternative ones
|
* Swap transform_out and out_ctr with the alternative ones
|
||||||
*/
|
*/
|
||||||
|
@ -2830,7 +2834,7 @@ static int ssl_parse_record_header( ssl_context *ssl )
|
||||||
return( POLARSSL_ERR_SSL_INVALID_RECORD );
|
return( POLARSSL_ERR_SSL_INVALID_RECORD );
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Check epoch with DTLS */
|
/* Check epoch (and sequence number) with DTLS */
|
||||||
#if defined(POLARSSL_SSL_PROTO_DTLS)
|
#if defined(POLARSSL_SSL_PROTO_DTLS)
|
||||||
if( ssl->transport == SSL_TRANSPORT_DATAGRAM )
|
if( ssl->transport == SSL_TRANSPORT_DATAGRAM )
|
||||||
{
|
{
|
||||||
|
@ -2839,13 +2843,21 @@ static int ssl_parse_record_header( ssl_context *ssl )
|
||||||
|
|
||||||
if( exp_epoch != rec_epoch )
|
if( exp_epoch != rec_epoch )
|
||||||
{
|
{
|
||||||
SSL_DEBUG_MSG( 1, ( "discarding record from another epoch: "
|
SSL_DEBUG_MSG( 1, ( "record from another epoch: "
|
||||||
"expected %d, received %d",
|
"expected %d, received %d",
|
||||||
exp_epoch, rec_epoch ) );
|
exp_epoch, rec_epoch ) );
|
||||||
return( POLARSSL_ERR_NET_WANT_READ );
|
return( POLARSSL_ERR_SSL_INVALID_RECORD );
|
||||||
|
}
|
||||||
|
|
||||||
|
#if defined(POLARSSL_SSL_DTLS_ANTI_REPLAY)
|
||||||
|
if( ssl_dtls_replay_check( ssl ) != 0 )
|
||||||
|
{
|
||||||
|
SSL_DEBUG_MSG( 1, ( "replayed record" ) );
|
||||||
|
return( POLARSSL_ERR_SSL_INVALID_RECORD );
|
||||||
}
|
}
|
||||||
}
|
|
||||||
#endif
|
#endif
|
||||||
|
}
|
||||||
|
#endif /* POLARSSL_SSL_PROTO_DTLS */
|
||||||
|
|
||||||
/* Check length against the size of our buffer */
|
/* Check length against the size of our buffer */
|
||||||
if( ssl->in_msglen > SSL_BUFFER_LEN
|
if( ssl->in_msglen > SSL_BUFFER_LEN
|
||||||
|
@ -2959,6 +2971,14 @@ static int ssl_prepare_record_content( ssl_context *ssl )
|
||||||
}
|
}
|
||||||
#endif /* POLARSSL_ZLIB_SUPPORT */
|
#endif /* POLARSSL_ZLIB_SUPPORT */
|
||||||
|
|
||||||
|
#if defined(POLARSSL_SSL_PROTO_DTLS) && \
|
||||||
|
defined(POLARSSL_SSL_DTLS_ANTI_REPLAY)
|
||||||
|
if( ssl->transport == SSL_TRANSPORT_DATAGRAM )
|
||||||
|
{
|
||||||
|
ssl_dtls_replay_update( ssl );
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -4197,8 +4217,9 @@ int ssl_parse_finished( ssl_context *ssl )
|
||||||
{
|
{
|
||||||
unsigned char i;
|
unsigned char i;
|
||||||
|
|
||||||
/* Set sequence_number to zero */
|
#if defined(POLARSSL_SSL_DTLS_ANTI_REPLAY)
|
||||||
memset( ssl->in_ctr + 2, 0, 6 );
|
ssl_dtls_replay_reset( ssl );
|
||||||
|
#endif
|
||||||
|
|
||||||
/* Increment epoch */
|
/* Increment epoch */
|
||||||
for( i = 2; i > 0; i-- )
|
for( i = 2; i > 0; i-- )
|
||||||
|
@ -4547,6 +4568,9 @@ int ssl_session_reset( ssl_context *ssl )
|
||||||
#if defined(POLARSSL_SSL_PROTO_DTLS)
|
#if defined(POLARSSL_SSL_PROTO_DTLS)
|
||||||
ssl->next_record_offset = 0;
|
ssl->next_record_offset = 0;
|
||||||
#endif
|
#endif
|
||||||
|
#if defined(POLARSSL_SSL_DTLS_ANTI_REPLAY)
|
||||||
|
ssl_dtls_replay_reset( ssl );
|
||||||
|
#endif
|
||||||
|
|
||||||
ssl->in_hslen = 0;
|
ssl->in_hslen = 0;
|
||||||
ssl->nb_zero = 0;
|
ssl->nb_zero = 0;
|
||||||
|
|
|
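Review bot: The ssl_dtls_replay_check() call added in the ssl_parse_record_header() hunk runs on a sequence number that has not been authenticated yet (record decryption and MAC verification presumably happen later, in ssl_prepare_record_content()), so its only safe effect is to drop the record, and the window must be advanced only after authentication — which the ssl_prepare_record_content() hunk does by calling ssl_dtls_replay_update() at its very end. That ordering is security-critical and is not visible from either call site; I would document it next to the update call: `/* Advance the anti-replay window only here, after the record has been authenticated: an unauthenticated sequence number must never move the window (RFC 6347, 4.1.2.6). */`. Returning POLARSSL_ERR_SSL_INVALID_RECORD for a replayed (or wrong-epoch) datagram is only correct if the caller of ssl_parse_record_header() discards such records silently for DTLS instead of failing the connection, since otherwise any on-path duplicate becomes connection-fatal; the duplicate-every-packet test suggests it does, but that caller is outside the hunks. Separately, the ssl_parse_finished() hunk replaces the unconditional `memset( ssl->in_ctr + 2, 0, 6 )` on epoch change with a call guarded by POLARSSL_SSL_DTLS_ANTI_REPLAY, so with that option compiled out nothing zeroes in_ctr there any more, which is fine only if in_ctr is always overwritten from the record header before use — worth confirming. ssl_parse_record_header(), ssl_prepare_record_content() and ssl_parse_finished() all start and end outside the hunks.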
@ -2115,19 +2115,13 @@ run_test "DTLS proxy: reference" \
|
||||||
-s "Extra-header:" \
|
-s "Extra-header:" \
|
||||||
-c "HTTP/1.0 200 OK"
|
-c "HTTP/1.0 200 OK"
|
||||||
|
|
||||||
run_test "DTLS proxy: some duplication" \
|
run_test "DTLS proxy: duplicate every packet" \
|
||||||
-p "$P_PXY duplicate=3" \
|
|
||||||
"$P_SRV dtls=1" \
|
|
||||||
"$P_CLI dtls=1" \
|
|
||||||
0 \
|
|
||||||
-s "Extra-header:" \
|
|
||||||
-c "HTTP/1.0 200 OK"
|
|
||||||
|
|
||||||
run_test "DTLS proxy: lots of duplication" \
|
|
||||||
-p "$P_PXY duplicate=1" \
|
-p "$P_PXY duplicate=1" \
|
||||||
"$P_SRV dtls=1" \
|
"$P_SRV dtls=1 debug_level=1" \
|
||||||
"$P_CLI dtls=1" \
|
"$P_CLI dtls=1 debug_level=1" \
|
||||||
0 \
|
0 \
|
||||||
|
-c "replayed record" \
|
||||||
|
-s "replayed record" \
|
||||||
-s "Extra-header:" \
|
-s "Extra-header:" \
|
||||||
-c "HTTP/1.0 200 OK"
|
-c "HTTP/1.0 200 OK"
|
||||||
|
|
||||||
|
@ -2165,6 +2159,7 @@ run_test "DTLS proxy: delay a bit more packets" \
|
||||||
-s "Extra-header:" \
|
-s "Extra-header:" \
|
||||||
-c "HTTP/1.0 200 OK"
|
-c "HTTP/1.0 200 OK"
|
||||||
|
|
||||||
|
needs_more_time 2
|
||||||
run_test "DTLS proxy: delay more packets" \
|
run_test "DTLS proxy: delay more packets" \
|
||||||
-p "$P_PXY delay=3" \
|
-p "$P_PXY delay=3" \
|
||||||
"$P_SRV dtls=1" \
|
"$P_SRV dtls=1" \
|
||||||
|
|