author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2019-01-05 14:12:46 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2019-01-23 16:41:02 +0100 |
commit | 00cf33f2aad0fc1bf22827ba9af298a39893d5bf (patch) | |
tree | 120edcd4c89d5e7fa64dbb1dbc1288b9ccd5a9e1 | |
parent | 0d8ebf4ec05aa8f55b3cc66fabdacf25fa3cf871 (diff) | |
download | gnutls-00cf33f2aad0fc1bf22827ba9af298a39893d5bf.tar.gz |
gnutls-serv: improvements in UDP servertmp-fix-udp-serv
This modifies the server to deinitialize the session after use
(avoiding leaks), and to only send the hello verify request when
a client hello is seen.
This also adds a basic unit test of gnutls-serv with the --udp option.
Resolves #632
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-rw-r--r-- | src/udp-serv.c | 17 | ||||
-rw-r--r-- | tests/Makefile.am | 3 | ||||
-rwxr-xr-x | tests/serv-udp.sh | 71 |
3 files changed, 88 insertions, 3 deletions
diff --git a/src/udp-serv.c b/src/udp-serv.c
index fdaa0fb886..2d82482876 100644
--- a/src/udp-serv.c
+++ b/src/udp-serv.c
@@ -56,6 +56,15 @@ static ssize_t pull_func(gnutls_transport_ptr_t p, void *data,
 #define MAX_BUFFER 255 /* Longest string to echo */
 
+/* record layer indication for a handshake packet */
+#define HANDSHAKE_CONTENT_TYPE 22
+/* TLS record content is the first by of the packet */
+#define RECORD_CONTENT_POS 0
+/* handshake type is first byte in Handshake packet;
+ * we have to skip type;version;epoch;sequence_number;
+ * and length in DTLSPlaintext */
+#define HANDSHAKE_TYPE_POS 13
+
 
 void udp_server(const char *name, int port, int mtu)
 {
 int sock, ret;
@@ -91,7 +100,11 @@ void udp_server(const char *name, int port, int mtu)
 recvfrom(sock, buffer, sizeof(buffer)-1, MSG_PEEK,
 (struct sockaddr *) &cli_addr,
 &cli_addr_size);
- if (ret > 0) {
+
+ /* only accept a valid client hello */
+ if (ret > HANDSHAKE_TYPE_POS &&
+ buffer[RECORD_CONTENT_POS] == HANDSHAKE_CONTENT_TYPE &&
+ buffer[HANDSHAKE_TYPE_POS] == GNUTLS_HANDSHAKE_CLIENT_HELLO) {
 if (!HAVE_OPT(NOCOOKIE)) {
 memset(&prestate, 0, sizeof(prestate));
 ret =
@@ -222,8 +235,8 @@ void udp_server(const char *name, int port, int mtu)
 }
 }
 }
+ gnutls_deinit(session);
 }
- gnutls_deinit(session);
 }
 
 /* Wait for data to be received within a timeout period in milliseconds
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 56149cce5e..3e77add14d 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
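Review bot: The comment above `RECORD_CONTENT_POS` in the first hunk reads `first by of the packet`; it should say `byte`, e.g. `/* TLS record content type is the first byte of the packet */`. The `HANDSHAKE_TYPE_POS` comment would also be easier to verify if it spelled out the arithmetic behind 13 rather than just listing the fields: `/* DTLSPlaintext header: type(1) + version(2) + epoch(2) + sequence_number(6) + length(2) = 13 */`.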
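Review bot: The new condition in the second hunk only narrows which peeked datagrams enter the cookie path; the datagram is read with `MSG_PEEK`, so whatever the non-matching branch does — it lies outside this hunk — must consume it, otherwise the same non-ClientHello packet is peeked again on every iteration and the accept loop spins on it. If that branch simply loops back, a plain `recvfrom(sock, buffer, sizeof(buffer)-1, 0, (struct sockaddr *) &cli_addr, &cli_addr_size);` before continuing would bound this to one discarded read per stray packet. Separately, `buffer[HANDSHAKE_TYPE_POS]` is compared against a `gnutls_handshake_description_t` enumerator and `buffer[RECORD_CONTENT_POS]` against 22; if `buffer` is a plain `char` array this only works because both constants are small positive values, and reading the two bytes through `unsigned char` would make that independent of `char` signedness.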
@@ -459,7 +459,8 @@ dist_check_SCRIPTS += fastopen.sh pkgconfig.sh starttls.sh starttls-ftp.sh start
 ocsp-tests/ocsp-tls-connection ocsp-tests/ocsp-must-staple-connection \
 ocsp-tests/ocsp-test cipher-listings.sh sni-hostname.sh server-multi-keys.sh \
 psktool.sh ocsp-tests/ocsp-load-chain gnutls-cli-save-data.sh gnutls-cli-debug.sh \
- sni-resume.sh ocsp-tests/ocsptool cert-reencoding.sh pkcs7-cat.sh long-crl.sh
+ sni-resume.sh ocsp-tests/ocsptool cert-reencoding.sh pkcs7-cat.sh long-crl.sh \
+ serv-udp.sh
 
 
 dist_check_SCRIPTS += gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh
diff --git a/tests/serv-udp.sh b/tests/serv-udp.sh
new file mode 100755
index 0000000000..9db3a32a42
--- /dev/null
+++ b/tests/serv-udp.sh
@@ -0,0 +1,71 @@
+#!/bin/sh
+
+# Copyright (C) 2010-2016 Free Software Foundation, Inc.
+#
+# Author: Nikos Mavrogiannopoulos
+#
+# This file is part of GnuTLS.
+#
+# GnuTLS is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+srcdir="${srcdir:-.}"
+SERV="${SERV:-../src/gnutls-serv${EXEEXT}}"
+CLI="${CLI:-../src/gnutls-cli${EXEEXT}}"
+unset RETCODE
+
+if ! test -x "${SERV}"; then
+ exit 77
+fi
+
+if ! test -x "${CLI}"; then
+ exit 77
+fi
+
+if test "${WINDIR}" != ""; then
+ exit 77
+fi
+
+if ! test -z "${VALGRIND}"; then
+ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15"
+fi
+
+
+SERV="${SERV} -q"
+
+. "${srcdir}/scripts/common.sh"
+
+echo "Checking whether UDP server works"
+
+KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem
+CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem
+
+eval "${GETPORT}"
+launch_server $$ --x509keyfile ${KEY1} --x509certfile ${CERT1} --udp -d 2
+PID=$!
+
+wait_udp_server $PID
+
+${VALGRIND} "${CLI}" -p "${PORT}" 127.0.0.1 --insecure --udp </dev/null >/dev/null || \
+ fail ${PID} "1. handshake should have succeeded!"
+
+#retry
+${VALGRIND} "${CLI}" -p "${PORT}" 127.0.0.1 --insecure --udp </dev/null >/dev/null || \
+ fail ${PID} "2. handshake should have succeeded!"
+
+
+kill ${PID}
+wait
+
+exit 0
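Review bot: `launch_server` receives `${KEY1}` and `${CERT1}` unquoted while the client invocations quote `${CLI}` and `${PORT}`; both paths derive from `${srcdir}`, so `launch_server $$ --x509keyfile "${KEY1}" --x509certfile "${CERT1}" --udp -d 2` keeps the script working when the source directory contains spaces and matches the quoting style used elsewhere in the file. The `#retry` comment does not say what the second handshake is meant to check; if it is there to cover the session-deinitialization change in src/udp-serv.c, a comment such as `# second handshake: the server must still answer a fresh ClientHello after the previous session was torn down` would make the intent clear to the next reader.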