[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, master, updated. gnutls_2_11_6-215-gb44dc60
|
From: |
Nikos Mavrogiannopoulos |
|
Subject: |
[SCM] GNU gnutls branch, master, updated. gnutls_2_11_6-215-gb44dc60 |
|
Date: |
Sun, 20 Feb 2011 20:11:09 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=b44dc60baf7b9e5df7f905e6adcf2206fc039b4a
The branch, master has been updated
via b44dc60baf7b9e5df7f905e6adcf2206fc039b4a (commit)
via 2c698e877f92fa355d14901f6de90f1dc24858be (commit)
via 7bc07d15b306df785e0be3f1d3cf8c6451331343 (commit)
from 01a8666e47640d69e66f31fe4307a11c6f20a378 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit b44dc60baf7b9e5df7f905e6adcf2206fc039b4a
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Feb 20 21:07:29 2011 +0100
Implemented a sliding window-like thing to discard replayed packets.
commit 2c698e877f92fa355d14901f6de90f1dc24858be
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Feb 20 21:05:16 2011 +0100
gnutls-cli shouldn't print errors on EAGAIN and INTERRUPTED.
commit 7bc07d15b306df785e0be3f1d3cf8c6451331343
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun Feb 20 20:45:32 2011 +0100
corrected uint48pp.
-----------------------------------------------------------------------
Summary of changes:
lib/gnutls_buffers.c | 2 +-
lib/gnutls_dtls.c | 101 +++++++++++++++++++++++++++++++++++++++++++++++++-
lib/gnutls_dtls.h | 3 +-
lib/gnutls_int.h | 5 ++
lib/gnutls_num.c | 2 +-
lib/gnutls_record.c | 27 ++++++++++---
lib/gnutls_state.c | 2 +
src/cli.c | 2 +-
8 files changed, 133 insertions(+), 11 deletions(-)
diff --git a/lib/gnutls_buffers.c b/lib/gnutls_buffers.c
index 0cd367f..9a44af7 100644
--- a/lib/gnutls_buffers.c
+++ b/lib/gnutls_buffers.c
@@ -826,7 +826,7 @@ _gnutls_handshake_io_write_flush (gnutls_session_t session)
(int) send_buffer->byte_length);
if (IS_DTLS(session))
- return _gnutls_dtls_transmit(session);
+ return _dtls_transmit(session);
for (cur = _mbuffer_get_first (send_buffer, &msg);
cur != NULL; cur = _mbuffer_get_first (send_buffer, &msg))
diff --git a/lib/gnutls_dtls.c b/lib/gnutls_dtls.c
index 1f3d9bd..db598b9 100644
--- a/lib/gnutls_dtls.c
+++ b/lib/gnutls_dtls.c
@@ -144,7 +144,7 @@ static int drop_usage_count(gnutls_session_t session)
* record layer.
*/
int
-_gnutls_dtls_transmit (gnutls_session_t session)
+_dtls_transmit (gnutls_session_t session)
{
int ret;
@@ -215,6 +215,105 @@ cleanup:
return ret;
}
+#define window_table session->internals.dtls.record_sw
+#define window_size session->internals.dtls.record_sw_size
+
+/* FIXME: could we modify that code to avoid using
+ * uint64_t?
+ */
+
+static void rot_window(gnutls_session_t session, int places)
+{
+ window_size -= places;
+ memmove(window_table, &window_table[places],
window_size*sizeof(window_table[0]));
+}
+
+#define MOVE_SIZE 20
+/* Checks if a sequence number is not replayed. If replayed
+ * returns a negative value, otherwise zero.
+ */
+int _dtls_record_check(gnutls_session_t session, uint64 * _seq)
+{
+uint64_t seq = 0, diff;
+int i, offset = 0;
+
+ for (i=0;i<8;i++)
+ {
+ seq |= _seq->i[i];
+ seq <<= 8;
+ }
+
+ if (window_size == 0)
+ {
+ window_size = 1;
+ window_table[0] = seq;
+ return 0;
+ }
+
+ if (seq <= window_table[0])
+ {
+ return -1;
+ }
+
+ if (window_size == DTLS_RECORD_WINDOW_SIZE) {
+ rot_window(session, MOVE_SIZE);
+ }
+
+ if (seq < window_table[window_size-1])
+ {
+ /* is between first and last */
+ diff = window_table[window_size-1] - seq;
+
+ if (diff >= window_size)
+ {
+ return -1;
+ }
+
+ offset = window_size-1-diff;
+
+ if (window_table[offset] == seq)
+ {
+ return -1;
+ }
+ else
+ {
+ window_table[offset] = seq;
+ }
+ }
+ else /* seq >= last */
+ {
+ if (seq == window_table[window_size-1])
+ {
+ return -1;
+ }
+
+ diff = seq - window_table[window_size-1];
+ if (diff <= DTLS_RECORD_WINDOW_SIZE - window_size)
+ { /* fits in our empty space */
+ offset = diff + window_size-1;
+
+ window_table[offset] = seq;
+ window_size = offset + 1;
+ }
+ else
+ {
+ if (diff > DTLS_RECORD_WINDOW_SIZE/2)
+ { /* difference is too big */
+ window_table[DTLS_RECORD_WINDOW_SIZE-1] = seq;
+ window_size = DTLS_RECORD_WINDOW_SIZE;
+ }
+ else
+ {
+ rot_window(session, diff);
+ offset = diff + window_size-1;
+ window_table[offset] = seq;
+ window_size = offset + 1;
+ }
+ }
+ }
+ return 0;
+}
+
/**
* gnutls_dtls_set_timeouts:
diff --git a/lib/gnutls_dtls.h b/lib/gnutls_dtls.h
index d3a4870..ab4e4da 100644
--- a/lib/gnutls_dtls.h
+++ b/lib/gnutls_dtls.h
@@ -27,6 +27,7 @@
#include "gnutls_int.h"
-int _gnutls_dtls_transmit(gnutls_session_t session);
+int _dtls_transmit(gnutls_session_t session);
+int _dtls_record_check(gnutls_session_t session, uint64 * _seq);
#endif
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 47978e6..5632414 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -539,6 +539,8 @@ typedef struct
int free_rsa_params;
} internal_params_st;
+#define DTLS_RECORD_WINDOW_SIZE 64
+
/* DTLS session state
*/
typedef struct
@@ -558,6 +560,9 @@ typedef struct
unsigned int total_timeout;
unsigned int hsk_hello_verify_requests;
+
+ uint64_t record_sw[DTLS_RECORD_WINDOW_SIZE];
+ int record_sw_size;
} dtls_st;
diff --git a/lib/gnutls_num.c b/lib/gnutls_num.c
index 2e5c049..46467d5 100644
--- a/lib/gnutls_num.c
+++ b/lib/gnutls_num.c
@@ -71,7 +71,7 @@ _gnutls_uint48pp (uint64 * x)
{
register int i, y = 0;
- for (i = 5; i >= 0; i--)
+ for (i = 7; i >= 3; i--)
{
y = 0;
if (x->i[i] == 0xff)
diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c
index 950579a..2ac4ce9 100644
--- a/lib/gnutls_record.c
+++ b/lib/gnutls_record.c
@@ -45,6 +45,7 @@
#include "gnutls_constate.h"
#include "ext_max_record.h"
#include <gnutls_state.h>
+#include <gnutls_dtls.h>
#include <gnutls_dh.h>
/**
@@ -427,8 +428,7 @@ _gnutls_send_int (gnutls_session_t session, content_type_t
type,
sequence_write(&record_state->sequence_number, &headers[3]);
_gnutls_record_log
- ("REC[%p]: Sending Packet[%d] %s(%d) with length: %d\n", session,
- (int) _gnutls_uint64touint32 (&record_state->sequence_number),
+ ("REC[%p]: Preparing Packet %s(%d) with length: %d\n", session,
_gnutls_packet2str (type), type, (int) sizeofdata);
if (sizeofdata > MAX_RECORD_SEND_SIZE(session))
@@ -518,7 +518,7 @@ _gnutls_send_int (gnutls_session_t session, content_type_t
type,
_gnutls_record_log ("REC[%p]: Sent Packet[%d] %s(%d) with length: %d\n",
session,
- (int)
+ (unsigned int)
_gnutls_uint64touint32
(&record_state->sequence_number),
_gnutls_packet2str (type), type, (int) cipher_size);
@@ -1094,6 +1094,21 @@ begin:
header_size + length);
decrypted_length = ret;
+ /* check for duplicates. We check after the message
+ * is processed an authenticated to avoid someone
+ * messing with our windows.
+ */
+ if (IS_DTLS(session))
+ {
+ ret = _dtls_record_check(session, decrypt_sequence);
+ if (ret < 0)
+ {
+ _gnutls_audit_log("Duplicate message with sequence %u\n",
+ (unsigned int) _gnutls_uint64touint32 (decrypt_sequence));
+ return GNUTLS_E_AGAIN;
+ }
+ }
+
/* Check if this is a CHANGE_CIPHER_SPEC
*/
if (type == GNUTLS_CHANGE_CIPHER_SPEC &&
@@ -1103,19 +1118,19 @@ begin:
_gnutls_record_log
("REC[%p]: ChangeCipherSpec Packet was received\n", session);
- if ((size_t) ret != sizeofdata)
+ if ((size_t) decrypted_length != sizeofdata)
{ /* sizeofdata should be 1 */
gnutls_assert ();
return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
}
memcpy (data, tmp.data, sizeofdata);
- return ret;
+ return decrypted_length;
}
_gnutls_record_log
("REC[%p]: Decrypted Packet[%d] %s(%d) with length: %d\n", session,
- (int) _gnutls_uint64touint32 (&record_state->sequence_number),
+ (int) _gnutls_uint64touint32 (decrypt_sequence),
_gnutls_packet2str (recv_type), recv_type, decrypted_length);
/* increase sequence number
diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c
index 6ba5dd1..c679c24 100644
--- a/lib/gnutls_state.c
+++ b/lib/gnutls_state.c
@@ -412,6 +412,8 @@ gnutls_init_dtls (gnutls_session_t * session,
(*session)->internals.dtls.retrans_timeout = 300;
(*session)->internals.dtls.total_timeout = 6000;
+ (*session)->internals.dtls.record_sw_size = 0;
+
return 0;
}
diff --git a/src/cli.c b/src/cli.c
index 5df49f8..f7ee055 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -622,7 +622,7 @@ handle_error (socket_st * hd, int err)
int alert, ret;
const char *err_type, *str;
- if (err >= 0)
+ if (err >= 0 || err == GNUTLS_E_AGAIN || err == GNUTLS_E_INTERRUPTED)
return 0;
if (gnutls_error_is_fatal (err) == 0)
hooks/post-receive
--
GNU gnutls
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, master, updated. gnutls_2_11_6-215-gb44dc60,
Nikos Mavrogiannopoulos <=