From b0de40d10aecf4636c8b6c746313a2de1185cf84 Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Thu, 30 Sep 2021 14:27:21 -0700
Subject: [PATCH 1/2] Forgive a DTLS session trying to send too much at once. (ZD12921)

---
 src/internal.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/internal.c b/src/internal.c
index c132429b7..aa1ddf349 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -19247,8 +19247,12 @@ int ReceiveData(WOLFSSL* ssl, byte* output, int sz, int peek)
 if (ssl->options.dtls) {
 /* In DTLS mode, we forgive some errors and allow the session
 * to continue despite them. */
- if (ssl->error == VERIFY_MAC_ERROR || ssl->error == DECRYPT_ERROR)
+ if (ssl->error == VERIFY_MAC_ERROR ||
+ ssl->error == DECRYPT_ERROR ||
+ ssl->error == DTLS_SIZE_ERROR) { + ssl->error = 0; + }
 }
 #endif /* WOLFSSL_DTLS */

From cd2bd0b7a3520043441547410357b849699488df Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Fri, 1 Oct 2021 09:56:58 -0700
Subject: [PATCH 2/2] Enable All Disable DTLS fixes

1. Remove mcast and jni from enable-all.
2. Add comment to DTLS section.

Testing `./configure --enable-all --disable-dtls` would leave DTLS still enabled. enable-all was also enabling mcast, which it doesn't need to do, that would force DTLS back on. JNI also forces DTLS on. The other language wrappers are not included in enable-all, so leave JNI out.
---
 configure.ac | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index b417a3b43..81d8f28c6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -463,7 +463,6 @@ then
 test "$enable_cryptocb" = "" && enable_cryptocb=yes
 test "$enable_fallback_scsv" = "" && enable_fallback_scsv=yes
 test "$enable_anon" = "" && enable_anon=yes
- test "$enable_mcast" = "" && enable_mcast=yes
 if test "$ENABLED_32BIT" != "yes"
 then
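Review bot: The comment just above the changed condition still says only that "some errors" are forgiven, and nothing in the hunk records why DTLS_SIZE_ERROR belongs in the same class as the MAC and decrypt failures, nor whether the oversized record has already been discarded by the time ssl->error is cleared. Suggest extending that comment to name the three codes and the invariant the clearing relies on, e.g. `/* VERIFY_MAC_ERROR, DECRYPT_ERROR and DTLS_SIZE_ERROR are per-datagram failures: the offending datagram has already been dropped, so clearing the error lets the session continue. */`. If the DTLS_SIZE_ERROR being forgiven originates on the send side, as the commit title suggests, note that this clearing only happens on the read path, so a caller that retries a write before reading may still see the stale error; worth confirming against the send path. ReceiveData begins before this hunk.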
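Review bot: Dropping the mcast default from the enable-all list leaves no trace of why it is absent, so a later contributor re-adding mcast (or jni, removed in the following hunk at -498) would silently reintroduce the `--enable-all --disable-dtls` behaviour the commit message describes. Suggest a one-line comment at the head of this list, `# mcast and jni are deliberately left out of enable-all: both force DTLS on (see the DTLS section).` The same note covers the jni hunk, so it need not be repeated there.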
@@ -498,7 +497,6 @@ then
 test "$enable_opensslextra" = "" && enable_opensslextra=yes
 test "$enable_opensslall" = "" && enable_opensslall=yes
 test "$enable_certservice" = "" && enable_certservice=yes
- test "$enable_jni" = "" && enable_jni=yes
 test "$enable_lighty" = "" && enable_lighty=yes
 test "$enable_haproxy" = "" && enable_haproxy=yes
 test "$enable_stunnel" = "" && enable_stunnel=yes
@@ -691,6 +689,8 @@ AS_IF([ test "x$ENABLED_SINGLETHREADED" = "xyes" ],[ AM_CFLAGS="-DSINGLE_THREADE
 # DTLS
+# DTLS is a prereq for the options mcast, sctp, and jni. Enabling any of those
+# without DTLS will also enable DTLS.
 AC_ARG_ENABLE([dtls],
 [AS_HELP_STRING([--enable-dtls],[Enable wolfSSL DTLS (default: disabled)])],
 [ ENABLED_DTLS=$enableval ],