feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #1069 from ejohnstown/dtls-mac

Browse Source 
DTLS Bad MAC Checks
This commit is contained in:
dgarske
2017-08-01 13:45:19 -07:00
committed by GitHub
parent b553d36548 36a539760a
commit bd20729fba
3 changed files with 44 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
examples/echoclient/echoclient.c
View File

@@ -25,10 +25,12 @@
#endif #endif
#include <cyassl/ctaocrypt/settings.h> #include <cyassl/ctaocrypt/settings.h>
/* let's use cyassl layer AND cyassl openssl layer */ /* let's use cyassl layer AND cyassl openssl layer */
#include <cyassl/ssl.h> #include <cyassl/ssl.h>
#include <cyassl/openssl/ssl.h> #include <cyassl/openssl/ssl.h>
#ifdef CYASSL_DTLS
#include <cyassl/error-ssl.h>
#endif
#if defined(WOLFSSL_MDK_ARM) || defined(WOLFSSL_KEIL_TCP_NET) #if defined(WOLFSSL_MDK_ARM) || defined(WOLFSSL_KEIL_TCP_NET)
#include <stdio.h> #include <stdio.h>
@@ -266,6 +268,14 @@ void echoclient_test(void* args)
fflush(fout) ; fflush(fout) ;
sendSz -= ret; sendSz -= ret;
} }
#ifdef CYASSL_DTLS
else if (wolfSSL_dtls(ssl) && err == DECRYPT_ERROR) {
/* This condition is OK. The packet should be dropped
* silently when there is a decrypt or MAC error on
* a DTLS record. */
sendSz = 0;
}
#endif
else { else {
printf("SSL_read msg error %d, %s\n", err, printf("SSL_read msg error %d, %s\n", err,
ERR_error_string(err, buffer)); ERR_error_string(err, buffer));

9
examples/server/server.c
View File

@@ -47,6 +47,9 @@
#endif #endif
#include <cyassl/openssl/ssl.h> #include <cyassl/openssl/ssl.h>
#include <cyassl/test.h> #include <cyassl/test.h>
#ifdef CYASSL_DTLS
#include <cyassl/error-ssl.h>
#endif
#include "examples/server/server.h" #include "examples/server/server.h"
@@ -294,6 +297,12 @@ static void ServerRead(WOLFSSL* ssl, char* input, int inputLen)
if (ret < 0) break; if (ret < 0) break;
} }
else else
#endif
#ifdef CYASSL_DTLS
if (wolfSSL_dtls(ssl) && err == DECRYPT_ERROR) {
printf("Dropped client's message due to a bad MAC\n");
}
else
#endif #endif
if (err != SSL_ERROR_WANT_READ) { if (err != SSL_ERROR_WANT_READ) {
printf("SSL_read input error %d, %s\n", err, printf("SSL_read input error %d, %s\n", err,

27
src/internal.c
View File

@@ -11711,6 +11711,9 @@ int ProcessReply(WOLFSSL* ssl)
ssl->options.processReply = doProcessInit; ssl->options.processReply = doProcessInit;
ssl->buffers.inputBuffer.idx = ssl->buffers.inputBuffer.idx =
ssl->buffers.inputBuffer.length; ssl->buffers.inputBuffer.length;
#ifdef WOLFSSL_DTLS_DROP_STATS
ssl->macDropCount++;
#endif /* WOLFSSL_DTLS_DROP_STATS */
} }
#endif /* WOLFSSL_DTLS */ #endif /* WOLFSSL_DTLS */
@@ -11737,9 +11740,18 @@ int ProcessReply(WOLFSSL* ssl)
if (ret < 0) { if (ret < 0) {
WOLFSSL_MSG("VerifyMac failed"); WOLFSSL_MSG("VerifyMac failed");
WOLFSSL_ERROR(ret); WOLFSSL_ERROR(ret);
#ifdef WOLFSSL_DTLS_DROP_STATS #ifdef WOLFSSL_DTLS
ssl->macDropCount++; /* If in DTLS mode, if the decrypt fails for any
#endif /* WOLFSSL_DTLS_DROP_STATS */ * reason, pretend the datagram never happened. */
if (ssl->options.dtls) {
ssl->options.processReply = doProcessInit;
ssl->buffers.inputBuffer.idx =
ssl->buffers.inputBuffer.length;
#ifdef WOLFSSL_DTLS_DROP_STATS
ssl->macDropCount++;
#endif /* WOLFSSL_DTLS_DROP_STATS */
}
#endif /* WOLFSSL_DTLS */
return DECRYPT_ERROR; return DECRYPT_ERROR;
} }
} }
@@ -13542,6 +13554,15 @@ int SendData(WOLFSSL* ssl, const void* data, int sz)
if (ssl->error == WANT_WRITE || ssl->error == WC_PENDING_E) if (ssl->error == WANT_WRITE || ssl->error == WC_PENDING_E)
ssl->error = 0; ssl->error = 0;
#ifdef WOLFSSL_DTLS
if (ssl->options.dtls) {
/* In DTLS mode, we forgive some errors and allow the session
* to continue despite them. */
if (ssl->error == VERIFY_MAC_ERROR || ssl->error == DECRYPT_ERROR)
ssl->error = 0;
}
#endif /* WOLFSSL_DTLS */
#ifdef WOLFSSL_EARLY_DATA #ifdef WOLFSSL_EARLY_DATA
if (ssl->earlyData) { if (ssl->earlyData) {
if (ssl->options.handShakeState == HANDSHAKE_DONE) { if (ssl->options.handShakeState == HANDSHAKE_DONE) {