From 106abb873f25a861b49d7c48c631e48c72c36081 Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Sat, 8 Aug 2015 23:52:32 -0700
Subject: [PATCH] skip the sanity check on a duplicate change cipher spec message in DTLS mode, they are allowed
---
 src/internal.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/src/internal.c b/src/internal.c
index ac18d46ec..dd83b86ae 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -6686,6 +6686,22 @@ int ProcessReply(WOLFSSL* ssl)
 }
 #endif
 
+ /* Check for duplicate CCS message in DTLS mode.
+ * DTLS allows for duplicate messages, and it should be
+ * skipped. */
+ if (ssl->options.dtls &&
+ ssl->msgsReceived.got_change_cipher) {
+
+ WOLFSSL_MSG("Duplicate ChangeCipher msg");
+ if (ssl->curSize != 1) {
+ WOLFSSL_MSG("Malicious or corrupted"
+ " duplicate ChangeCipher msg");
+ return LENGTH_ERROR;
+ }
+ ssl->buffers.inputBuffer.idx++;
+ break;
+ }
+
 ret = SanityCheckMsgReceived(ssl, change_cipher_hs);
 if (ret != 0)
 return ret;
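Review bot: In the new duplicate-CCS branch, `return LENGTH_ERROR;` turns a wrong-sized duplicate into a failure of ProcessReply, even though the branch has already classified the record as a repeat that is meant to be skipped. RFC 6347 section 4.1.2.7 recommends silently discarding invalid DTLS records so that a corrupted or forged datagram cannot tear down the association. Whether the caller treats LENGTH_ERROR as fatal is not visible in this hunk and should be confirmed; if it does, logging and dropping the record would be the safer behaviour. The branch also keys only on `got_change_cipher` and consumes the body with `idx++` without inspecting the byte or the record's epoch, which deserves a comment such as `/* duplicate CCS: body byte is skipped unchecked, epoch is not compared here */`. ProcessReply starts and ends outside the hunk.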