Allow disabling HelloVerifyRequest

This commit is contained in:
Manuel Pégourié-Gonnard 2014-07-23 17:52:09 +02:00 committed by Paul Bakker
parent e4de06145a
commit 7d38d215b1
3 changed files with 74 additions and 18 deletions

View File

@ -1136,6 +1136,16 @@ typedef int ssl_cookie_check_t( void *ctx,
* \brief Register callbacks for DTLS cookies * \brief Register callbacks for DTLS cookies
* (Server only. DTLS only.) * (Server only. DTLS only.)
* *
* Default: dummy callbacks that fail, to force you to
* register working callbacks (and initialize their context).
*
* To disable HelloVerifyRequest, register NULL callbacks.
*
* \warning Disabling hello verification allows your server to be used
* for amplification in DoS attacks against other hosts.
* Only disable if you known this can't happen in your
* particular environment.
*
* \param ssl SSL context * \param ssl SSL context
* \param f_cookie_write Cookie write callback * \param f_cookie_write Cookie write callback
* \param f_cookie_check Cookie check callback * \param f_cookie_check Cookie check callback

View File

@ -1441,19 +1441,24 @@ static int ssl_parse_client_hello( ssl_context *ssl )
buf + cookie_offset + 1, cookie_len ); buf + cookie_offset + 1, cookie_len );
#if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY) #if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY)
if( ssl->f_cookie_check != NULL )
{
if( ssl->f_cookie_check( ssl->p_cookie, if( ssl->f_cookie_check( ssl->p_cookie,
buf + cookie_offset + 1, cookie_len, buf + cookie_offset + 1, cookie_len,
ssl->cli_id, ssl->cli_id_len ) != 0 ) ssl->cli_id, ssl->cli_id_len ) != 0 )
{ {
SSL_DEBUG_MSG( 2, ( "client hello, cookie verification failed" ) ); SSL_DEBUG_MSG( 2, ( "cookie verification failed" ) );
ssl->handshake->verify_cookie_len = 1; ssl->handshake->verify_cookie_len = 1;
} }
else else
{ {
SSL_DEBUG_MSG( 2, ( "client hello, cookie verification passed" ) ); SSL_DEBUG_MSG( 2, ( "cookie verification passed" ) );
ssl->handshake->verify_cookie_len = 0; ssl->handshake->verify_cookie_len = 0;
} }
#else }
else
#endif /* POLARSSL_SSL_DTLS_HELLO_VERIFY */
{
/* We know we didn't send a cookie, so it should be empty */ /* We know we didn't send a cookie, so it should be empty */
if( cookie_len != 0 ) if( cookie_len != 0 )
{ {
@ -1461,8 +1466,8 @@ static int ssl_parse_client_hello( ssl_context *ssl )
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO ); return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
} }
SSL_DEBUG_MSG( 2, ( "client hello, cookie verification skipped" ) ); SSL_DEBUG_MSG( 2, ( "cookie verification skipped" ) );
#endif /* POLARSSL_SSL_DTLS_HELLO_VERIFY */ }
} }
#endif /* POLARSSL_SSL_PROTO_DTLS */ #endif /* POLARSSL_SSL_PROTO_DTLS */
@ -1982,6 +1987,13 @@ static int ssl_write_hello_verify_request( ssl_context *ssl )
SSL_DEBUG_BUF( 3, "server version", (unsigned char *) p, 2 ); SSL_DEBUG_BUF( 3, "server version", (unsigned char *) p, 2 );
p += 2; p += 2;
/* If we get here, f_cookie_check is not null */
if( ssl->f_cookie_write == NULL )
{
SSL_DEBUG_MSG( 1, ( "inconsistent cookie callbacks" ) );
return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
}
/* Skip length byte until we know the length */ /* Skip length byte until we know the length */
cookie_len_byte = p++; cookie_len_byte = p++;

View File

@ -3607,6 +3607,35 @@ static int ssl_handshake_init( ssl_context *ssl )
return( 0 ); return( 0 );
} }
#if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY)
/* Dummy cookie callbacks for defaults */
static int ssl_cookie_write_dummy( void *ctx,
unsigned char **p, unsigned char *end,
const unsigned char *cli_id, size_t cli_id_len )
{
((void) ctx);
((void) p);
((void) end);
((void) cli_id);
((void) cli_id_len);
return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
}
static int ssl_cookie_check_dummy( void *ctx,
const unsigned char *cookie, size_t cookie_len,
const unsigned char *cli_id, size_t cli_id_len )
{
((void) ctx);
((void) cookie);
((void) cookie_len);
((void) cli_id);
((void) cli_id_len);
return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
}
#endif /* POLARSSL_SSL_DTLS_HELLO_VERIFY */
/* /*
* Initialize an SSL context * Initialize an SSL context
*/ */
@ -3670,6 +3699,11 @@ int ssl_init( ssl_context *ssl )
ssl->curve_list = ecp_grp_id_list( ); ssl->curve_list = ecp_grp_id_list( );
#endif #endif
#if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY)
ssl->f_cookie_write = ssl_cookie_write_dummy;
ssl->f_cookie_check = ssl_cookie_check_dummy;
#endif
if( ( ret = ssl_handshake_init( ssl ) ) != 0 ) if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
return( ret ); return( ret );