diff options
author | Ingela Anderton Andin <[email protected]> | 2017-05-16 09:57:17 +0200 |
---|---|---|
committer | Ingela Anderton Andin <[email protected]> | 2017-05-16 09:57:17 +0200 |
commit | a8b65c562ea9168dfb9f3b36ae726422280d6abe (patch) | |
tree | bd595e1422fd4738682d5826f5976b411629874c /lib/ssl/src/dtls_connection.erl | |
parent | 6399c4911bf1c0c717e3cf1c30ac366e8667ad5a (diff) | |
parent | 4fd3360bb68adb2ee942b3fbaeab7d766b6d3454 (diff) | |
download | otp-a8b65c562ea9168dfb9f3b36ae726422280d6abe.tar.gz otp-a8b65c562ea9168dfb9f3b36ae726422280d6abe.tar.bz2 otp-a8b65c562ea9168dfb9f3b36ae726422280d6abe.zip |
Merge branch 'ingela/dtls/replay-protect/OTP-14077'
* ingela/dtls/replay-protect/OTP-14077:
dtls: Implement replay protection
Diffstat (limited to 'lib/ssl/src/dtls_connection.erl')
-rw-r--r-- | lib/ssl/src/dtls_connection.erl | 32 |
1 files changed, 23 insertions, 9 deletions
diff --git a/lib/ssl/src/dtls_connection.erl b/lib/ssl/src/dtls_connection.erl index 9937373e6e..b52896a458 100644 --- a/lib/ssl/src/dtls_connection.erl +++ b/lib/ssl/src/dtls_connection.erl @@ -688,16 +688,19 @@ next_record(#state{unprocessed_handshake_events = N} = State) when N > 0 -> {no_record, State#state{unprocessed_handshake_events = N-1}}; next_record(#state{protocol_buffers = - #protocol_buffers{dtls_cipher_texts = [CT | Rest]} + #protocol_buffers{dtls_cipher_texts = [#ssl_tls{epoch = Epoch} = CT | Rest]} = Buffers, - connection_states = ConnStates0} = State) -> - case dtls_record:decode_cipher_text(CT, ConnStates0) of - {Plain, ConnStates} -> - {Plain, State#state{protocol_buffers = - Buffers#protocol_buffers{dtls_cipher_texts = Rest}, - connection_states = ConnStates}}; - #alert{} = Alert -> - {Alert, State} + connection_states = ConnectionStates} = State) -> + CurrentRead = dtls_record:get_connection_state_by_epoch(Epoch, ConnectionStates, read), + case dtls_record:replay_detect(CT, CurrentRead) of + false -> + decode_cipher_text(State#state{connection_states = ConnectionStates}) ; + true -> + ct:pal("Replay detect", []), + %% Ignore replayed record + next_record(State#state{protocol_buffers = + Buffers#protocol_buffers{dtls_cipher_texts = Rest}, + connection_states = ConnectionStates}) end; next_record(#state{role = server, socket = {Listener, {Client, _}}, @@ -770,6 +773,17 @@ next_event(StateName, Record, {next_state, StateName, State, [{next_event, internal, Alert} | Actions]} end. +decode_cipher_text(#state{protocol_buffers = #protocol_buffers{dtls_cipher_texts = [ CT | Rest]} = Buffers, + connection_states = ConnStates0} = State) -> + case dtls_record:decode_cipher_text(CT, ConnStates0) of + {Plain, ConnStates} -> + {Plain, State#state{protocol_buffers = + Buffers#protocol_buffers{dtls_cipher_texts = Rest}, + connection_states = ConnStates}}; + #alert{} = Alert -> + {Alert, State} + end. + dtls_version(hello, Version, #state{role = server} = State) -> State#state{negotiated_version = Version}; %%Inital version dtls_version(_,_, State) -> |