commit 82202f0a9ce7ecf0a37c224e6cb307d8e9d15b61
author Manuel Pégourié-Gonnard <mpg@elzevir.fr> Wed Jul 23 00:28:58 2014 +0200
committer Paul Bakker <p.j.bakker@polarssl.org> Tue Oct 21 16:30:16 2014 +0200
tree 086826e8396626b1e09d917496ee0a7b99812a66
parent 98545f128a030051713bf58e3745ccdd58737f8b

Make DTLS_HELLO_VERIFY a compile option

library/ssl_srv.c

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 2b1a654..2b06f7e 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -351,7 +351,7 @@
 }
 #endif /* POLARSSL_SSL_SESSION_TICKETS */
 
-#if defined(POLARSSL_SSL_PROTO_DTLS)
+#if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY)
 int ssl_set_client_transport_id( ssl_context *ssl,
                                  const unsigned char *info,
                                  size_t ilen )
@@ -369,7 +369,7 @@
 
     return( 0 );
 }
-#endif /* POLARSSL_SSL_PROTO_DTLS */
+#endif /* POLARSSL_SSL_DTLS_HELLO_VERIFY */
 
 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
 /*
@@ -1136,7 +1136,7 @@
 }
 #endif /* POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
 
-#if defined(POLARSSL_SSL_PROTO_DTLS)
+#if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY)
 
 /*
  * If DTLS is in use, then at least one of SHA-1, SHA-256, SHA-512 is
@@ -1186,7 +1186,7 @@
 /*
  * Generate cookie for DTLS ClientHello verification
  */
-static int ssl_generate_verify_cookie( ssl_context *ssl )
+static int ssl_cookie_generate( ssl_context *ssl )
 {
     int ret;
     unsigned char *cookie = ssl->handshake->verify_cookie;
@@ -1219,7 +1219,7 @@
 
     return( 0 );
 }
-#endif /* POLARSSL_SSL_PROTO_DTLS */
+#endif /* POLARSSL_SSL_DTLS_HELLO_VERIFY */
 
 static int ssl_parse_client_hello( ssl_context *ssl )
 {
@@ -1515,14 +1515,15 @@
         SSL_DEBUG_BUF( 3, "client hello, cookie",
                        buf + cookie_offset + 1, cookie_len );
 
+#if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY)
         /*
          * Generate reference cookie content:
          * - used for verification below,
          * - stored to be sent if verification fails
          */
-        if( ( ret = ssl_generate_verify_cookie( ssl ) ) != 0 )
+        if( ( ret = ssl_cookie_generate( ssl ) ) != 0 )
         {
-            SSL_DEBUG_RET( 1, "ssl_generate_verify_cookie", ret );
+            SSL_DEBUG_RET( 1, "ssl_cookie_generate", ret );
             return( ret );
         }
 
@@ -1540,7 +1541,16 @@
         SSL_DEBUG_MSG( 2, ( "client hello, cookie verification %s",
                             ssl->handshake->verify_cookie == NULL ?
                             "passed" : "failed" ) );
+#else
+        /* We know we didn't send a cookie, so it should be empty */
+        if( cookie_len != 0 )
+        {
+            SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+            return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
+        }
 
+        SSL_DEBUG_MSG( 2, ( "cookie verification disabled" ) );
+#endif
     }
 #endif /* POLARSSL_SSL_PROTO_DTLS */
 
@@ -1603,6 +1613,7 @@
     if( ssl->transport == SSL_TRANSPORT_DATAGRAM )
         ssl->session_negotiate->compression = SSL_COMPRESS_NULL;
 #endif
+
     /*
      * Check the extension length
      */
@@ -2037,7 +2048,7 @@
 }
 #endif /* POLARSSL_ECDH_C || POLARSSL_ECDSA_C */
 
-#if defined(POLARSSL_SSL_PROTO_DTLS)
+#if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY)
 static int ssl_write_hello_verify_request( ssl_context *ssl )
 {
     int ret;
@@ -2081,7 +2092,7 @@
 
     return( 0 );
 }
-#endif /* POLARSSL_SSL_PROTO_DTLS */
+#endif /* POLARSSL_SSL_DTLS_HELLO_VERIFY */
 
 static int ssl_write_server_hello( ssl_context *ssl )
 {
@@ -2094,7 +2105,7 @@
 
     SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
 
-#if defined(POLARSSL_SSL_PROTO_DTLS)
+#if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY)
     if( ssl->transport == SSL_TRANSPORT_DATAGRAM &&
         ssl->handshake->verify_cookie != NULL )
     {
@@ -2109,7 +2120,7 @@
 
         return( POLARSSL_ERR_SSL_HELLO_VERIFY_REQUIRED );
     }
-#endif /* POLARSSL_SSL_PROTO_DTLS */
+#endif /* POLARSSL_SSL_DTLS_HELLO_VERIFY */
 
     if( ssl->f_rng == NULL )
     {