Send Hello Verify manually to avoid status creation before cookie exc…

…hange is complete.
unuseid · Mar 14, 2011 · 3c03185 · 3c03185
1 parent e1b1689
commit 3c03185
Show file tree

Hide file tree

Showing 8 changed files with 638 additions and 8 deletions.
diff --git a/Makefile b/Makefile
@@ -1,8 +1,8 @@
 openssl:=/home/bergmann
 
-SOURCES:= dsrv.c peer.c netq.c debug.c
+SOURCES:= dsrv.c peer.c netq.c dtls.c debug.c
 OBJECTS:= $(patsubst %.c, %.o, $(SOURCES))
-HEADERS:=dsrv.h peer.h netq.h debug.h config.h
+HEADERS:=dsrv.h dtls.h peer.h netq.h debug.h config.h
 CFLAGS:=-Wall -pedantic -std=c99 -g -O2
 CFLAGS+=-I$(openssl)/include
 DISTDIR=$(top_builddir)/$(package)

diff --git a/dsrv.c b/dsrv.c
@@ -126,6 +126,7 @@ void
 info_callback(const SSL *ssl, int where, int ret) {
   peer_t *peer;
 
+  debug("STATE: 0x%x\n", SSL_state(ssl));
   if (where & SSL_CB_LOOP)  /* do not care for intermediary states */
     return;
 
@@ -166,6 +167,19 @@ info_callback(const SSL *ssl, int where, int ret) {
     peer_set_state(peer, PEER_ST_ESTABLISHED);
   }
 }
+
+/* Callback function registered with dtls context to send datagrams. */
+int 
+dsrv_dtls_write(struct dtls_context_t *dtlsctx, 
+		struct sockaddr *dst, socklen_t dstlen, int ifindex, 
+		uint8 *buf, int len) {
+  struct dsrv_context_t *ctx;
+
+  ctx = (dsrv_context_t *)dtls_get_app_data(dtlsctx);
+  assert(ctx);
+
+  return dsrv_sendto(ctx, dst, dstlen, ifindex, (char *)buf, len) ? len : 0;
+}
 #endif
 
 struct dsrv_context_t *
@@ -252,6 +266,10 @@ dsrv_new_context(struct sockaddr *laddr, socklen_t laddrlen,
   SSL_CTX_set_read_ahead(c->sslctx, 1); /* enable read-ahead */
 
   SSL_CTX_set_info_callback(c->sslctx, info_callback);
+
+  c->dtlsctx = dtls_new_context(c);
+  if (c->dtlsctx) 
+    dtls_set_cb(c->dtlsctx, dsrv_dtls_write, write);
 #endif
 
   if (the_context)
@@ -273,6 +291,7 @@ dsrv_free_context(dsrv_context_t *ctx) {
     free(ctx->rq); 
     free(ctx->wq);
 #ifndef DSRV_NO_DTLS
+    dtls_free_context(ctx->dtlsctx);
     SSL_CTX_free(ctx->sslctx);
 #endif
     dsrv_close(ctx);
@@ -473,6 +492,19 @@ dsrv_free_peers(struct dsrv_context_t *ctx) {
   }
 }
 
+void dump(char *buf, int len) {
+  int i=0;
+
+  while(i<len) {
+    printf("%02x ", buf[i] & 0xff);
+
+    ++i;
+    if (i % 8 == 0) 
+      printf("\n");
+  }
+  printf("\n");
+}
+
 void
 handle_read(struct dsrv_context_t *ctx) {
   int len;
@@ -534,6 +566,16 @@ handle_read(struct dsrv_context_t *ctx) {
       }
 #endif
 
+      if (protocol == DTLS) {
+	if (dtls_verify_peer(ctx->dtlsctx, &session, 
+			     (uint8 *)buf, len) <= 0) {
+	  fprintf(stderr,"peer not verified\n");
+	  return;
+	} else {
+	  fprintf(stderr,"verify peer succeeded, update SSL status\n");
+	}
+      }
+
       peer = peer_new(&session.raddr.sa, session.rlen, session.ifindex
 #ifndef DSRV_NO_PROTOCOL_DEMUX
 		      , protocol

diff --git a/dsrv.h b/dsrv.h
@@ -75,6 +75,10 @@
  *                      serving DTLS-crypted and clear-text requests over
  *                      the same UDP socket. (Enabled by default.)
  * 
+ * When DTLS support is not switched off, \c configure will look for
+ * openssl on your system. We recommend to use at least version 1.0.0d
+ * which has been used during development of this library.
+ * 
  * \section Building
  * 
  * After configuring the software, just type
@@ -172,6 +176,7 @@ dsrv_set_cb(ctx, demux_protocol, demux);
 
 #ifndef DSRV_NO_DTLS
 #include <openssl/ssl.h>
+#include "dtls.h"
 #endif
 
 #include "uthash.h"    
@@ -199,6 +204,7 @@ typedef struct dsrv_context_t {
   struct netq_t *rq, *wq;	/**< read queue and write queue */
 #ifndef DSRV_NO_DTLS
   SSL_CTX *sslctx;
+  dtls_context_t *dtlsctx;	/**< the main context for DTLS operation */
 #endif
 
   peer_t *peers;		/**< table for peer structures */