author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2011-03-13 18:11:39 +0100 |
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2011-03-13 18:11:49 +0100 |
commit | 541aed3982a0b4e6d968ff2d1a38cfd4306f2d2b (patch) | |
tree | 3d22f35dc173661d76e7d89aae0551e0c18cbf26 /src | |
parent | df7d8850afcd11ffa0801ace3f3c742f92327317 (diff) | |
download | gnutls-541aed3982a0b4e6d968ff2d1a38cfd4306f2d2b.tar.gz |
Added Photuris-like resource protection on the server. Added gnutls_dtls_cookie_send(), gnutls_dtls_cookie_verify() and gnutls_dtls_cookie_set() to avoid initializing a session before the cookie is verified.
Diffstat (limited to 'src')
-rw-r--r-- | src/udp-serv.c | 43 |
1 files changed, 39 insertions, 4 deletions
diff --git a/src/udp-serv.c b/src/udp-serv.c
index f77961c840..9202565dba 100644
--- a/src/udp-serv.c
+++ b/src/udp-serv.c
@@ -29,11 +29,23 @@ int udp_server(const char* name, int port, int mtu)
 char buffer[MAX_BUFFER];
 priv_data_st priv;
 gnutls_session_t session;
+ gnutls_datum_t cookie_key;
+ gnutls_cookie_st cookie;
 unsigned char sequence[8];
+ ret = gnutls_key_generate(&cookie_key, GNUTLS_COOKIE_KEY_SIZE);
+ if (ret < 0)
+ {
+ fprintf(stderr, "Cannot generate key\n");
+ exit(1);
+ }
+
 ret = listen_socket (name, port, SOCK_DGRAM);
 if (ret < 0)
- exit (1);
+ {
+ fprintf(stderr, "Cannot listen\n");
+ exit (1);
+ }
 for (;;)
 {
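Review bot: The cookie secret filled by `gnutls_key_generate` is created once per udp_server() call and is never rotated or released in this hunk; a Photuris-style cookie scheme normally changes its secret periodically so that a cookie observed for a given client address stays usable only for a bounded window, and the `gnutls_datum_t` presumably needs `gnutls_free(cookie_key.data)` if the function ever gains a teardown path. A comment on the declaration would make the limitation explicit for anyone reusing this as a template, e.g. `/* cookie secret: generated once per server instance and never rotated -- acceptable for a sample, not for a long-running server */`. The remainder of udp_server(), including its exit, lies outside the hunk.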
@@ -43,16 +55,39 @@ int udp_server(const char* name, int port, int mtu) continue; cli_addr_size = sizeof(cli_addr); - ret = recvfrom(sock, buffer, 1, MSG_PEEK, (struct sockaddr*)&cli_addr, &cli_addr_size); - if (ret == 1) - printf ("Accepted connection from %s\n", + ret = recvfrom(sock, buffer, sizeof(buffer), MSG_PEEK, (struct sockaddr*)&cli_addr, &cli_addr_size); + if (ret > 0) + { + memset(&cookie, 0, sizeof(cookie)); + ret = gnutls_dtls_cookie_verify(&cookie_key, &cli_addr, sizeof(cli_addr), buffer, ret, &cookie); + if (ret < 0) /* cookie not valid */ + { + priv_data_st s; + + memset(&s,0,sizeof(s)); + s.fd = sock; + s.cli_addr = (void*)&cli_addr; + s.cli_addr_size = sizeof(cli_addr); + + printf("Sending hello verify request to %s\n", human_addr ((struct sockaddr *) + &cli_addr, sizeof(cli_addr), buffer, sizeof(buffer))); + gnutls_dtls_cookie_send(&cookie_key, &cli_addr, sizeof(cli_addr), &cookie, (gnutls_transport_ptr_t)&s, push_func); + + /* discard peeked data*/ + recvfrom(sock, buffer, sizeof(buffer), 0, (struct sockaddr*)&cli_addr, &cli_addr_size); + usleep(100); + continue; + } + printf ("Accepted connection from %s\n", human_addr ((struct sockaddr *) &cli_addr, sizeof(cli_addr), buffer, sizeof (buffer))); + } else continue; session = initialize_session(1); + gnutls_dtls_cookie_set(session, &cookie); if (mtu) gnutls_dtls_set_mtu(session, mtu); priv.session = session; |
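Review bot: The cookie is generated and verified over `sizeof(cli_addr)` bytes in the `gnutls_dtls_cookie_verify` and `gnutls_dtls_cookie_send` calls, while the length recvfrom() actually filled is returned in `cli_addr_size`; if `cli_addr` is a `struct sockaddr_storage` (its declaration is outside the hunk), the MAC then also covers trailing bytes the kernel never wrote, so the address binding depends on leftover stack contents rather than on the peer address alone. Passing the reported length keeps the cookie bound to exactly the peer address: `ret = gnutls_dtls_cookie_verify(&cookie_key, &cli_addr, cli_addr_size, buffer, ret, &cookie);`, likewise `gnutls_dtls_cookie_send(&cookie_key, &cli_addr, cli_addr_size, &cookie, (gnutls_transport_ptr_t)&s, push_func);`, and `s.cli_addr_size = cli_addr_size;`. The `usleep(100)` on the unverified-cookie path is reachable by any spoofed datagram, so it throttles the server rather than the sender and works against the resource protection this commit introduces; it should be dropped, and the return value of `gnutls_dtls_cookie_send` checked so a failed push is at least logged. udp_server() begins and ends outside the hunk.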