forked from wolfSSL/wolfssl
Merge pull request #403 from ejohnstown/dtls-fix
when dropping a DTLS message, drop the whole datagram
This commit is contained in:
Kaleb Himes
@ -4497,12 +4497,18 @@ retry:
|
||||
return -1;
|
||||
|
||||
case WOLFSSL_CBIO_ERR_TIMEOUT:
|
||||
if (ssl->options.dtls) {
|
||||
#ifdef WOLFSSL_DTLS
|
||||
if (DtlsPoolTimeout(ssl) == 0 && DtlsPoolSend(ssl) == 0)
|
||||
goto retry;
|
||||
else
|
||||
if ((!ssl->options.handShakeDone ||
|
||||
ssl->options.dtlsHsRetain) &&
|
||||
DtlsPoolTimeout(ssl) == 0 &&
|
||||
DtlsPoolSend(ssl) == 0) {
|
||||
|
||||
goto retry;
|
||||
}
|
||||
#endif
|
||||
return -1;
|
||||
}
|
||||
return -1;
|
||||
|
||||
default:
|
||||
return recvd;
|
||||
@ -4744,6 +4750,11 @@ static int GetRecordHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
}
|
||||
else {
|
||||
#ifdef WOLFSSL_DTLS
|
||||
#ifdef HAVE_FUZZER
|
||||
if (ssl->fuzzerCb)
|
||||
ssl->fuzzerCb(ssl, input + *inOutIdx, DTLS_RECORD_HEADER_SZ,
|
||||
FUZZ_HEAD, ssl->fuzzerCtx);
|
||||
#endif
|
||||
/* type and version in same sport */
|
||||
XMEMCPY(rh, input + *inOutIdx, ENUM_LEN + VERSION_SZ);
|
||||
*inOutIdx += ENUM_LEN + VERSION_SZ;
|
||||
@ -4753,12 +4764,6 @@ static int GetRecordHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
*inOutIdx += 4; /* advance past rest of seq */
|
||||
ato16(input + *inOutIdx, size);
|
||||
*inOutIdx += LENGTH_SZ;
|
||||
#ifdef HAVE_FUZZER
|
||||
if (ssl->fuzzerCb)
|
||||
ssl->fuzzerCb(ssl, input + *inOutIdx - LENGTH_SZ - 8 - ENUM_LEN -
|
||||
VERSION_SZ, ENUM_LEN + VERSION_SZ + 8 + LENGTH_SZ,
|
||||
FUZZ_HEAD, ssl->fuzzerCtx);
|
||||
#endif
|
||||
#endif
|
||||
}
|
||||
|
||||
@ -7335,7 +7340,7 @@ static INLINE int DtlsCheckWindow(DtlsState* state)
|
||||
next = state->nextSeq;
|
||||
window = state->window;
|
||||
}
|
||||
else if (state->curEpoch < state->nextEpoch) {
|
||||
else if (state->curEpoch == state->nextEpoch - 1) {
|
||||
next = state->prevSeq;
|
||||
window = state->prevWindow;
|
||||
}
|
||||
@ -7351,6 +7356,9 @@ static INLINE int DtlsCheckWindow(DtlsState* state)
|
||||
else if ((cur < next) && (window & ((DtlsSeq)1 << (next - cur - 1)))) {
|
||||
return 0;
|
||||
}
|
||||
else if (cur > next + DTLS_SEQ_BITS) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
@ -8848,11 +8856,14 @@ int ProcessReply(WOLFSSL* ssl)
|
||||
if (ssl->options.dtls && ret == SEQUENCE_ERROR) {
|
||||
WOLFSSL_MSG("Silently dropping out of order DTLS message");
|
||||
ssl->options.processReply = doProcessInit;
|
||||
ssl->buffers.inputBuffer.idx += ssl->curSize;
|
||||
ssl->buffers.inputBuffer.length = 0;
|
||||
ssl->buffers.inputBuffer.idx = 0;
|
||||
|
||||
ret = DtlsPoolSend(ssl);
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
if (ssl->options.dtlsHsRetain) {
|
||||
ret = DtlsPoolSend(ssl);
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
}
|
||||
|
||||
continue;
|
||||
}
|
||||
@ -8990,8 +9001,8 @@ int ProcessReply(WOLFSSL* ssl)
|
||||
if (!ssl->options.dtls) {
|
||||
return ret;
|
||||
}
|
||||
#ifdef WOLFSSL_DTLS
|
||||
else {
|
||||
#ifdef WOLFSSL_DTLS
|
||||
/* Check for duplicate CCS message in DTLS mode.
|
||||
* DTLS allows for duplicate messages, and it should be
|
||||
* skipped. Also skip if out of order. */
|
||||
@ -9009,8 +9020,8 @@ int ProcessReply(WOLFSSL* ssl)
|
||||
}
|
||||
ssl->buffers.inputBuffer.idx++;
|
||||
break;
|
||||
}
|
||||
#endif /* WOLFSSL_DTLS */
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef HAVE_SESSION_TICKET
|
||||
|
||||
Reference in New Issue
Block a user