Do resuming check as soon as we get a non-resumption msg

2022-06-20 20:32:15 +02:00
parent 144f2612e4
commit fd7bf8d04d
2 changed files with 19 additions and 6 deletions
--- a/src/internal.c
+++ b/src/internal.c
@ -14766,6 +14766,24 @@ static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
    }
 #endif

+    if (ssl->options.side == WOLFSSL_CLIENT_END) {
+        switch (type) {
+        case certificate:
+        case server_key_exchange:
+        case certificate_request:
+        case server_hello_done:
+            if (ssl->options.resuming) {
+                /* This can occur when ssl->sessionSecretCb is set. EAP-FAST
+                 * (RFC 4851) allows for detecting server session resumption
+                 * based on the msg received after the ServerHello. */
+                WOLFSSL_MSG("Not resuming as thought");
+                ssl->options.resuming = 0;
+                /* No longer resuming, reset peer authentication state. */
+                ssl->options.peerAuthGood = 0;
+            }
+        }
+    }
+
    switch (type) {

    case hello_request:
@ -14872,12 +14890,6 @@ static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                *inOutIdx += MacSize(ssl);
        #endif
        }
-        if (ssl->options.resuming) {
-            WOLFSSL_MSG("Not resuming as thought");
-            ssl->options.resuming = 0;
-            /* CLIENT: No longer resuming, reset peer authentication state. */
-            ssl->options.peerAuthGood = 0;
-        }
        break;

    case finished:
--- a/src/ssl.c
+++ b/src/ssl.c
@ -12148,6 +12148,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
            /* CLIENT: Fail-safe for Server Authentication. */
            if (!ssl->options.peerAuthGood) {
                WOLFSSL_MSG("Server authentication did not happen");
+                ssl->error = NO_PEER_VERIFY;
                return WOLFSSL_FATAL_ERROR;
            }