feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #403 from ejohnstown/dtls-fix

Browse Source 
when dropping a DTLS message, drop the whole datagram
This commit is contained in:
Kaleb Himes
2016-05-30 17:26:25 -06:00
parent a4fa4d5253 1b9b7f52c9
commit 5be916e336
1 changed files with 28 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
src/internal.c
View File

@ -4497,12 +4497,18 @@ retry:
return -1; return -1;
case WOLFSSL_CBIO_ERR_TIMEOUT: case WOLFSSL_CBIO_ERR_TIMEOUT:
if (ssl->options.dtls) {
#ifdef WOLFSSL_DTLS #ifdef WOLFSSL_DTLS
if (DtlsPoolTimeout(ssl) == 0 && DtlsPoolSend(ssl) == 0) if ((!ssl->options.handShakeDone ||
goto retry; ssl->options.dtlsHsRetain) &&
else DtlsPoolTimeout(ssl) == 0 &&
DtlsPoolSend(ssl) == 0) {
goto retry;
}
#endif #endif
return -1; }
return -1;
default: default:
return recvd; return recvd;
@ -4744,6 +4750,11 @@ static int GetRecordHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
} }
else { else {
#ifdef WOLFSSL_DTLS #ifdef WOLFSSL_DTLS
#ifdef HAVE_FUZZER
if (ssl->fuzzerCb)
ssl->fuzzerCb(ssl, input + *inOutIdx, DTLS_RECORD_HEADER_SZ,
FUZZ_HEAD, ssl->fuzzerCtx);
#endif
/* type and version in same sport */ /* type and version in same sport */
XMEMCPY(rh, input + *inOutIdx, ENUM_LEN + VERSION_SZ); XMEMCPY(rh, input + *inOutIdx, ENUM_LEN + VERSION_SZ);
*inOutIdx += ENUM_LEN + VERSION_SZ; *inOutIdx += ENUM_LEN + VERSION_SZ;
@ -4753,12 +4764,6 @@ static int GetRecordHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
*inOutIdx += 4; /* advance past rest of seq */ *inOutIdx += 4; /* advance past rest of seq */
ato16(input + *inOutIdx, size); ato16(input + *inOutIdx, size);
*inOutIdx += LENGTH_SZ; *inOutIdx += LENGTH_SZ;
#ifdef HAVE_FUZZER
if (ssl->fuzzerCb)
ssl->fuzzerCb(ssl, input + *inOutIdx - LENGTH_SZ - 8 - ENUM_LEN -
VERSION_SZ, ENUM_LEN + VERSION_SZ + 8 + LENGTH_SZ,
FUZZ_HEAD, ssl->fuzzerCtx);
#endif
#endif #endif
} }
@ -7335,7 +7340,7 @@ static INLINE int DtlsCheckWindow(DtlsState* state)
next = state->nextSeq; next = state->nextSeq;
window = state->window; window = state->window;
} }
else if (state->curEpoch < state->nextEpoch) { else if (state->curEpoch == state->nextEpoch - 1) {
next = state->prevSeq; next = state->prevSeq;
window = state->prevWindow; window = state->prevWindow;
} }
@ -7351,6 +7356,9 @@ static INLINE int DtlsCheckWindow(DtlsState* state)
else if ((cur < next) && (window & ((DtlsSeq)1 << (next - cur - 1)))) { else if ((cur < next) && (window & ((DtlsSeq)1 << (next - cur - 1)))) {
return 0; return 0;
} }
else if (cur > next + DTLS_SEQ_BITS) {
return 0;
}
return 1; return 1;
} }
@ -8848,11 +8856,14 @@ int ProcessReply(WOLFSSL* ssl)
if (ssl->options.dtls && ret == SEQUENCE_ERROR) { if (ssl->options.dtls && ret == SEQUENCE_ERROR) {
WOLFSSL_MSG("Silently dropping out of order DTLS message"); WOLFSSL_MSG("Silently dropping out of order DTLS message");
ssl->options.processReply = doProcessInit; ssl->options.processReply = doProcessInit;
ssl->buffers.inputBuffer.idx += ssl->curSize; ssl->buffers.inputBuffer.length = 0;
ssl->buffers.inputBuffer.idx = 0;
ret = DtlsPoolSend(ssl); if (ssl->options.dtlsHsRetain) {
if (ret != 0) ret = DtlsPoolSend(ssl);
return ret; if (ret != 0)
return ret;
}
continue; continue;
} }
@ -8990,8 +9001,8 @@ int ProcessReply(WOLFSSL* ssl)
if (!ssl->options.dtls) { if (!ssl->options.dtls) {
return ret; return ret;
} }
#ifdef WOLFSSL_DTLS
else { else {
#ifdef WOLFSSL_DTLS
/* Check for duplicate CCS message in DTLS mode. /* Check for duplicate CCS message in DTLS mode.
* DTLS allows for duplicate messages, and it should be * DTLS allows for duplicate messages, and it should be
* skipped. Also skip if out of order. */ * skipped. Also skip if out of order. */
@ -9009,8 +9020,8 @@ int ProcessReply(WOLFSSL* ssl)
} }
ssl->buffers.inputBuffer.idx++; ssl->buffers.inputBuffer.idx++;
break; break;
}
#endif /* WOLFSSL_DTLS */ #endif /* WOLFSSL_DTLS */
}
} }
#ifdef HAVE_SESSION_TICKET #ifdef HAVE_SESSION_TICKET