7u83/freewtp
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Before create new session check if receive DTLS Client Hello

Browse Source
This commit is contained in:
vemax78 2013-10-21 18:44:37 +02:00
parent 059f6d9dc9
commit 3147abc9bc
3 changed files with 43 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
src/ac/ac_execute.c
View File

@ -591,20 +591,23 @@ int ac_execute(void) {
} }
} }
} else if (check == CAPWAP_DTLS_PACKET) { } else if (check == CAPWAP_DTLS_PACKET) {
/* Need create a new sessione for check if it is a valid DTLS handshake */ /* Before create new session check if receive DTLS Client Hello */
if (ac_backend_isconnect() && (sessioncount < g_ac.descriptor.maxwtp)) { if (capwap_sanity_check_dtls_clienthello(&((char*)buffer)[sizeof(struct capwap_dtls_header)], buffersize - sizeof(struct capwap_dtls_header))) {
/* TODO prevent dos attack add filtering ip for multiple error */ /* Need create a new session for check if it is a valid DTLS handshake */
if (ac_backend_isconnect() && (sessioncount < g_ac.descriptor.maxwtp)) {
/* Retrive socket info */ /* TODO prevent dos attack add filtering ip for multiple error */
capwap_get_network_socket(&g_ac.net, &ctrlsock, fds[index].fd);
/* Retrive socket info */
/* Create a new session */ capwap_get_network_socket(&g_ac.net, &ctrlsock, fds[index].fd);
session = ac_create_session(&recvfromaddr, &recvtoaddr, &ctrlsock);
if (session) { /* Create a new session */
ac_session_add_packet(session, buffer, buffersize, isctrlsocket, 0); session = ac_create_session(&recvfromaddr, &recvtoaddr, &ctrlsock);
if (session) {
/* Release reference */ ac_session_add_packet(session, buffer, buffersize, isctrlsocket, 0);
ac_session_release_reference(session);
/* Release reference */
ac_session_release_reference(session);
}
} }
} }
} }

24
src/common/capwap_dtls.c
View File

@ -974,3 +974,27 @@ int capwap_decrypt_packet(struct capwap_dtls* dtls, void* encrybuffer, int size,
return result; return result;
} }
/* */
#define SIZEOF_DTLS_LAYERS 14
#define DTLS_RECORD_LAYER_HANDSHAKE_CONTENT_TYPE 22
#define DTLS_1_0_VERSION 0xfeff
#define DTLS_1_2_VERSION 0xfefd
#define DTLS_HANDSHAKE_LAYER_CLIENT_HELLO 1
/* */
int capwap_sanity_check_dtls_clienthello(void* buffer, int buffersize) {
unsigned char* dtlsdata = (unsigned char*)buffer;
/* Read DTLS packet in RAW mode */
if ((buffer != NULL) && (buffersize > SIZEOF_DTLS_LAYERS)) {
if (dtlsdata[0] == DTLS_RECORD_LAYER_HANDSHAKE_CONTENT_TYPE) {
uint16_t version = ntohs(*(uint16_t*)(dtlsdata + 1));
if (((version == DTLS_1_0_VERSION) || (version == DTLS_1_2_VERSION)) && (dtlsdata[13] == DTLS_HANDSHAKE_LAYER_CLIENT_HELLO)) {
return 1;
}
}
}
return 0;
}

2
src/common/capwap_dtls.h
View File

@ -115,4 +115,6 @@ int capwap_crypt_sendto(struct capwap_dtls* dtls, int sock, void* buffer, int si
int capwap_crypt_sendto_fragmentpacket(struct capwap_dtls* dtls, int sock, struct capwap_list* fragmentlist, struct sockaddr_storage* sendfromaddr, struct sockaddr_storage* sendtoaddr); int capwap_crypt_sendto_fragmentpacket(struct capwap_dtls* dtls, int sock, struct capwap_list* fragmentlist, struct sockaddr_storage* sendfromaddr, struct sockaddr_storage* sendtoaddr);
int capwap_decrypt_packet(struct capwap_dtls* dtls, void* encrybuffer, int size, void* plainbuffer, int maxsize); int capwap_decrypt_packet(struct capwap_dtls* dtls, void* encrybuffer, int size, void* plainbuffer, int maxsize);
int capwap_sanity_check_dtls_clienthello(void* buffer, int buffersize);
#endif /* __CAPWAP_DTLS_HEADER__ */ #endif /* __CAPWAP_DTLS_HEADER__ */