From f1ab188949e024aa772f53a6ab58e184e98653b4 Mon Sep 17 00:00:00 2001 From: toddouska Date: Tue, 18 Nov 2014 16:27:39 -0800 Subject: [PATCH] disallow client to fast forward handshake messages --- src/internal.c | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/src/internal.c b/src/internal.c index 4808cff99..e1c9c6130 100644 --- a/src/internal.c +++ b/src/internal.c @@ -4758,6 +4758,14 @@ static int SanityCheckMsgReceived(CYASSL* ssl, byte type) return OUT_OF_ORDER_E; } } +#endif +#ifndef NO_CYASSL_SERVER + if (ssl->options.side == CYASSL_SERVER_END) { + if ( ssl->msgsReceived.got_client_hello == 0) { + CYASSL_MSG("No ClientHello before Cert"); + return OUT_OF_ORDER_E; + } + } #endif break; @@ -4825,6 +4833,10 @@ static int SanityCheckMsgReceived(CYASSL* ssl, byte type) } ssl->msgsReceived.got_certificate_verify = 1; + if ( ssl->msgsReceived.got_certificate == 0) { + CYASSL_MSG("No Cert before CertVerify"); + return OUT_OF_ORDER_E; + } break; #endif @@ -4836,6 +4848,10 @@ static int SanityCheckMsgReceived(CYASSL* ssl, byte type) } ssl->msgsReceived.got_client_key_exchange = 1; + if (ssl->msgsReceived.got_client_hello == 0) { + CYASSL_MSG("No ClientHello before ClientKeyExchange"); + return OUT_OF_ORDER_E; + } break; #endif @@ -4864,7 +4880,16 @@ static int SanityCheckMsgReceived(CYASSL* ssl, byte type) if (ssl->options.side == CYASSL_CLIENT_END) { if (!ssl->options.resuming && ssl->msgsReceived.got_server_hello_done == 0) { - CYASSL_MSG("No ServerHelloDone before ChangeCipher "); + CYASSL_MSG("No ServerHelloDone before ChangeCipher"); + return OUT_OF_ORDER_E; + } + } +#endif +#ifndef NO_CYASSL_SERVER + if (ssl->options.side == CYASSL_SERVER_END) { + if (!ssl->options.resuming && + ssl->msgsReceived.got_client_key_exchange == 0) { + CYASSL_MSG("No ClientKeyExchange before ChangeCipher"); return OUT_OF_ORDER_E; } }