DTLS: Improve DtlsVerifier performance

1 files changed, 49 insertions, 59 deletions

diff --git a/crypto/src/tls/DtlsVerifier.cs b/crypto/src/tls/DtlsVerifier.cs
index e691685e6..01437d648 100644
--- a/crypto/src/tls/DtlsVerifier.cs
+++ b/crypto/src/tls/DtlsVerifier.cs
@@ -1,89 +1,79 @@
-using System;
-using System.IO;
+using System.IO;
 
+using Org.BouncyCastle.Security;
 using Org.BouncyCastle.Tls.Crypto;
 using Org.BouncyCastle.Utilities;
 
 namespace Org.BouncyCastle.Tls
 {
+    /// <summary>
+    /// Implements cookie generation/verification for a DTLS server as described in RFC 4347,
+    /// 4.2.1. Denial of Service Countermeasures.
+    /// </summary>
+    /// <remarks>
+    /// RFC 4347 4.2.1 additionally recommends changing the secret frequently. This class does not handle that
+    /// internally, so the instance should be replaced instead.
+    /// </remarks>
     public class DtlsVerifier
     {
-        private static TlsMac CreateCookieMac(TlsCrypto crypto)
-        {
-            TlsMac mac = crypto.CreateHmac(MacAlgorithm.hmac_sha256);
-
-            byte[] secret = new byte[mac.MacLength];
-            crypto.SecureRandom.NextBytes(secret);
-
-            mac.SetKey(secret, 0, secret.Length);
-
-            return mac;
-        }
-
-        private readonly TlsMac m_cookieMac;
-        private readonly TlsMacSink m_cookieMacSink;
+        private readonly TlsCrypto m_crypto;
+        private readonly byte[] m_macKey;
 
         public DtlsVerifier(TlsCrypto crypto)
         {
-            this.m_cookieMac = CreateCookieMac(crypto);
-            this.m_cookieMacSink = new TlsMacSink(m_cookieMac);
+            m_crypto = crypto;
+            m_macKey = SecureRandom.GetNextBytes(crypto.SecureRandom, 32);
         }
 
         public virtual DtlsRequest VerifyRequest(byte[] clientID, byte[] data, int dataOff, int dataLen,
             DatagramSender sender)
         {
-            lock (this)
+            try
             {
-                bool resetCookieMac = true;
+                int msgLen = DtlsRecordLayer.ReceiveClientHelloRecord(data, dataOff, dataLen);
+                if (msgLen < 0)
+                    return null;
 
-                try
-                {
-                    m_cookieMac.Update(clientID, 0, clientID.Length);
+                int bodyLength = msgLen - DtlsReliableHandshake.MessageHeaderLength;
+                if (bodyLength < 39) // Minimum (syntactically) valid DTLS ClientHello length
+                    return null;
 
-                    DtlsRequest request = DtlsReliableHandshake.ReadClientRequest(data, dataOff, dataLen,
-                        m_cookieMacSink);
-                    if (null != request)
-                    {
-                        byte[] expectedCookie = m_cookieMac.CalculateMac();
-                        resetCookieMac = false;
+                int msgOff = dataOff + DtlsRecordLayer.RecordHeaderLength;
 
-                        // TODO Consider stricter HelloVerifyRequest protocol
-                        //switch (request.MessageSeq)
-                        //{
-                        //case 0:
-                        //{
-                        //    DtlsReliableHandshake.SendHelloVerifyRequest(sender, request.RecordSeq, expectedCookie);
-                        //    break;
-                        //}
-                        //case 1:
-                        //{
-                        //    if (Arrays.FixedTimeEquals(expectedCookie, request.ClientHello.Cookie))
-                        //        return request;
+                var buf = DtlsReliableHandshake.ReceiveClientHelloMessage(msg: data, msgOff, msgLen);
+                if (buf == null)
+                    return null;
 
-                        //    break;
-                        //}
-                        //}
+                var macInput = new MemoryStream(bodyLength);
+                ClientHello clientHello = ClientHello.Parse(buf, dtlsOutput: macInput);
+                if (clientHello == null)
+                    return null;
 
-                        if (Arrays.FixedTimeEquals(expectedCookie, request.ClientHello.Cookie))
-                            return request;
+                long recordSeq = TlsUtilities.ReadUint48(data, dataOff + 5);
 
-                        DtlsReliableHandshake.SendHelloVerifyRequest(sender, request.RecordSeq, expectedCookie);
-                    }
-                }
-                catch (IOException)
-                {
-                    // Ignore
-                }
-                finally
+                byte[] cookie = clientHello.Cookie;
+
+                TlsMac mac = m_crypto.CreateHmac(MacAlgorithm.hmac_sha256);
+                mac.SetKey(m_macKey, 0, m_macKey.Length);
+                mac.Update(clientID, 0, clientID.Length);
+                macInput.WriteTo(new TlsMacSink(mac));
+                byte[] expectedCookie = mac.CalculateMac();
+
+                if (Arrays.FixedTimeEquals(expectedCookie, cookie))
                 {
-                    if (resetCookieMac)
-                    {
-                        m_cookieMac.Reset();
-                    }
+                    byte[] message = TlsUtilities.CopyOfRangeExact(data, msgOff, msgOff + msgLen);
+
+                    return new DtlsRequest(recordSeq, message, clientHello);
                 }
 
-                return null;
+                DtlsReliableHandshake.SendHelloVerifyRequest(sender, recordSeq, expectedCookie);
+            }
+            catch (IOException)
+            {
+                // Ignore
             }
+
+            return null;
         }
     }
 }