forked from wolfSSL/wolfssl
fix issue with missing client key exchange and duplicate change cipher spec messages.
This commit is contained in:
John Safranek
@@ -6211,6 +6211,9 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
|
|||||||
WOLFSSL_MSG("Duplicate ChangeCipher received");
|
WOLFSSL_MSG("Duplicate ChangeCipher received");
|
||||||
return DUPLICATE_MSG_E;
|
return DUPLICATE_MSG_E;
|
||||||
}
|
}
|
||||||
|
/* DTLS is going to ignore the CCS message if the client key
|
||||||
|
* exchange message wasn't received yet. */
|
||||||
|
if (!ssl->options.dtls)
|
||||||
ssl->msgsReceived.got_change_cipher = 1;
|
ssl->msgsReceived.got_change_cipher = 1;
|
||||||
|
|
||||||
#ifndef NO_WOLFSSL_CLIENT
|
#ifndef NO_WOLFSSL_CLIENT
|
||||||
@@ -6231,7 +6234,8 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
if (ssl->options.dtls)
|
||||||
|
ssl->msgsReceived.got_change_cipher = 1;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
default:
|
default:
|
||||||
@@ -8028,8 +8032,12 @@ int ProcessReply(WOLFSSL* ssl)
|
|||||||
if (ssl->options.dtls && ret == SEQUENCE_ERROR) {
|
if (ssl->options.dtls && ret == SEQUENCE_ERROR) {
|
||||||
WOLFSSL_MSG("Silently dropping out of order DTLS message");
|
WOLFSSL_MSG("Silently dropping out of order DTLS message");
|
||||||
ssl->options.processReply = doProcessInit;
|
ssl->options.processReply = doProcessInit;
|
||||||
ssl->buffers.inputBuffer.length = 0;
|
ssl->buffers.inputBuffer.idx += ssl->curSize;
|
||||||
ssl->buffers.inputBuffer.idx = 0;
|
|
||||||
|
ret = DtlsPoolSend(ssl);
|
||||||
|
if (ret != 0)
|
||||||
|
return ret;
|
||||||
|
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
@@ -8161,14 +8169,19 @@ int ProcessReply(WOLFSSL* ssl)
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
ret = SanityCheckMsgReceived(ssl, change_cipher_hs);
|
||||||
|
if (ret != 0) {
|
||||||
|
if (!ssl->options.dtls) {
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
#ifdef WOLFSSL_DTLS
|
#ifdef WOLFSSL_DTLS
|
||||||
|
else {
|
||||||
/* Check for duplicate CCS message in DTLS mode.
|
/* Check for duplicate CCS message in DTLS mode.
|
||||||
* DTLS allows for duplicate messages, and it should be
|
* DTLS allows for duplicate messages, and it should be
|
||||||
* skipped. */
|
* skipped. Also skip if out of order. */
|
||||||
if (ssl->options.dtls &&
|
if (ret != DUPLICATE_MSG_E && ret != OUT_OF_ORDER_E)
|
||||||
ssl->msgsReceived.got_change_cipher) {
|
return ret;
|
||||||
|
|
||||||
WOLFSSL_MSG("Duplicate ChangeCipher msg");
|
|
||||||
ret = DtlsPoolSend(ssl);
|
ret = DtlsPoolSend(ssl);
|
||||||
if (ret != 0)
|
if (ret != 0)
|
||||||
return ret;
|
return ret;
|
||||||
@@ -8181,11 +8194,8 @@ int ProcessReply(WOLFSSL* ssl)
|
|||||||
ssl->buffers.inputBuffer.idx++;
|
ssl->buffers.inputBuffer.idx++;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
#endif
|
#endif /* WOLFSSL_DTLS */
|
||||||
|
}
|
||||||
ret = SanityCheckMsgReceived(ssl, change_cipher_hs);
|
|
||||||
if (ret != 0)
|
|
||||||
return ret;
|
|
||||||
|
|
||||||
#ifdef HAVE_SESSION_TICKET
|
#ifdef HAVE_SESSION_TICKET
|
||||||
if (ssl->options.side == WOLFSSL_CLIENT_END &&
|
if (ssl->options.side == WOLFSSL_CLIENT_END &&
|
||||||
|
|||||||
Reference in New Issue
Block a user