add AlertCount to detect dos attempt

toddouska
2017-07-31 15:17:54 -07:00
parent fb53fac1c1
commit 66852a9252
4 changed files with 15 additions and 0 deletions


@ -11273,6 +11273,11 @@ static int DoAlert(WOLFSSL* ssl, byte* input, word32* inOutIdx, int* type,
ssl->heap);
#endif
if (++ssl->options.alertCount >= WOLFSSL_ALERT_COUNT_MAX) {
WOLFSSL_MSG("Alert count exceeded");
return ALERT_COUNT_E;
}
/* make sure can read the message */
if (*inOutIdx + ALERT_SIZE > totalSz)
return BUFFER_E;
@ -14276,6 +14281,9 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
case MCAST_HIGHWATER_CB_E:
return "Multicast highwater callback returned error";
case ALERT_COUNT_E:
return "Alert Count exceeded error";
default :
return "unknown error number";
}
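Review bot: In DoAlert the new check uses `>=`, so with the default WOLFSSL_ALERT_COUNT_MAX of 5 the fifth alert already returns ALERT_COUNT_E and only four are tolerated. A comment such as `/* fail once WOLFSSL_ALERT_COUNT_MAX alerts have been received on this connection */` would settle whether that is intended; otherwise the test should be `>`. The counter is incremented for every alert before the record is parsed, and nothing in the visible hunks resets it, so it appears to be a lifetime total per WOLFSSL object. It is worth confirming that a long-lived connection receiving occasional warning alerts is meant to be torn down. DoAlert's body starts and ends outside the hunk.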


@ -162,6 +162,7 @@ enum wolfSSL_ErrorCodes {
EXT_NOT_ALLOWED = -424, /* Extension not allowed in msg */
INVALID_PARAMETER = -425, /* Security parameter invalid */
MCAST_HIGHWATER_CB_E = -426, /* Multicast highwater cb err */
ALERT_COUNT_E = -427, /* Alert Count exceeded err */
/* add strings to wolfSSL_ERR_reason_error_string in internal.c !!!!! */
/* begin negotiation parameter errors */


@ -2907,6 +2907,7 @@ typedef struct Options {
byte acceptState; /* nonblocking resume */
byte asyncState; /* sub-state for enum asyncState */
byte buildMsgState; /* sub-state for enum buildMsgState */
byte alertCount; /* detect warning dos attempt */
#ifdef WOLFSSL_MULTICAST
word16 mcastID; /* Multicast group ID */
#endif
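Review bot: `alertCount` is declared as a `byte`, but WOLFSSL_ALERT_COUNT_MAX (settings.h hunk) is user-overridable with no upper bound. A build that sets it above 255 makes `++ssl->options.alertCount` wrap to 0 before the comparison in DoAlert can ever be true, which silently disables the alert-flood limit. A guard next to the default definition would catch this at compile time: `#if WOLFSSL_ALERT_COUNT_MAX > 255`, `#error "WOLFSSL_ALERT_COUNT_MAX must fit in a byte"`, `#endif`. The field comment could also say what is counted, e.g. `/* alerts received on this connection, checked against WOLFSSL_ALERT_COUNT_MAX */`. The Options struct continues outside the hunk.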


@ -1631,6 +1631,11 @@ extern void uITRON4_free(void *p) ;
#define ED25519_SMALL
#endif
#ifndef WOLFSSL_ALERT_COUNT_MAX
#define WOLFSSL_ALERT_COUNT_MAX 5
#endif
/* warning for not using harden build options (default with ./configure) */
#ifndef WC_NO_HARDEN
#if (defined(USE_FAST_MATH) && !defined(TFM_TIMING_RESISTANT)) || \