wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-31 19:24:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

dtls: drop non-handshake messages before cookie exchange

Browse Source
This commit is contained in:
Marco Oliverio
2022-08-30 09:09:43 +02:00
parent 05b6cb5279
commit 400671dc7c
2 changed files with 88 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
src/internal.c
View File

@@ -18870,6 +18870,28 @@ static int DtlsShouldDrop(WOLFSSL* ssl, int retcode)
return 1; return 1;
} }
#ifndef NO_WOLFSSL_SERVER
if (ssl->options.side == WOLFSSL_SERVER_END
&& ssl->curRL.type != handshake) {
int beforeCookieVerified = 0;
if (!IsAtLeastTLSv1_3(ssl->version)) {
beforeCookieVerified =
ssl->options.acceptState < ACCEPT_FIRST_REPLY_DONE;
}
#ifdef WOLFSSL_DTLS13
else {
beforeCookieVerified =
ssl->options.acceptState < TLS13_ACCEPT_SECOND_REPLY_DONE;
}
#endif /* WOLFSSL_DTLS13 */
if (beforeCookieVerified) {
WOLFSSL_MSG("Drop non-handshake record before handshake");
return 1;
}
}
#endif /* NO_WOLFSSL_SERVER */
return 0; return 0;
} }
#endif /* WOLFSSL_DTLS */ #endif /* WOLFSSL_DTLS */

66
tests/api.c
View File

@@ -55819,10 +55819,75 @@ static int test_wolfSSL_dtls_fragments(void)
return 0; return 0;
} }
static void test_wolfSSL_dtls_send_alert(WOLFSSL* ssl)
{
int fd, ret;
byte alert_msg[] = {
0x15, /* alert type */
0xfe, 0xfd, /* version */
0x00, 0x00, /* epoch */
0x00, 0x00, 0x00, 0x00, 0x00, 0x01, /* seq number */
0x00, 0x02, /* length */
0x02, /* level: fatal */
0x46 /* protocol version */
};
fd = wolfSSL_get_fd(ssl);
ret = (int)send(fd, alert_msg, sizeof(alert_msg), 0);
AssertIntGT(ret, 0);
}
static int _test_wolfSSL_ignore_alert_before_cookie(byte version12)
{
callback_functions client_cbs, server_cbs;
XMEMSET(&client_cbs, 0, sizeof(client_cbs));
XMEMSET(&server_cbs, 0, sizeof(server_cbs));
client_cbs.doUdp = server_cbs.doUdp = 1;
if (version12) {
client_cbs.method = wolfDTLSv1_2_client_method;
server_cbs.method = wolfDTLSv1_2_server_method;
}
else {
#ifdef WOLFSSL_DTLS13
client_cbs.method = wolfDTLSv1_3_client_method;
server_cbs.method = wolfDTLSv1_3_server_method;
#else
return 0;
#endif /* WOLFSSL_DTLS13 */
}
client_cbs.ssl_ready = test_wolfSSL_dtls_send_alert;
test_wolfSSL_client_server_nofail(&client_cbs, &server_cbs);
if (!client_cbs.return_code)
return -1;
if (!server_cbs.return_code)
return -1;
return 0;
}
static int test_wolfSSL_ignore_alert_before_cookie(void)
{
int ret;
ret =_test_wolfSSL_ignore_alert_before_cookie(0);
if (ret != 0)
return ret;
ret =_test_wolfSSL_ignore_alert_before_cookie(1);
if (ret != 0)
return ret;
return 0;
}
#else #else
static int test_wolfSSL_dtls_fragments(void) { static int test_wolfSSL_dtls_fragments(void) {
return 0; return 0;
} }
static int test_wolfSSL_ignore_alert_before_cookie(void) {
return 0;
}
#endif #endif
#if defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_TLS13_IGNORE_AEAD_LIMITS) #if defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_TLS13_IGNORE_AEAD_LIMITS)
@@ -58737,6 +58802,7 @@ TEST_CASE testCases[] = {
TEST_DECL(test_wolfSSL_DTLS_either_side), TEST_DECL(test_wolfSSL_DTLS_either_side),
TEST_DECL(test_wolfSSL_dtls_fragments), TEST_DECL(test_wolfSSL_dtls_fragments),
TEST_DECL(test_wolfSSL_dtls_AEAD_limit), TEST_DECL(test_wolfSSL_dtls_AEAD_limit),
TEST_DECL(test_wolfSSL_ignore_alert_before_cookie),
TEST_DECL(test_generate_cookie), TEST_DECL(test_generate_cookie),
TEST_DECL(test_wolfSSL_X509_STORE_set_flags), TEST_DECL(test_wolfSSL_X509_STORE_set_flags),
TEST_DECL(test_wolfSSL_X509_LOOKUP_load_file), TEST_DECL(test_wolfSSL_X509_LOOKUP_load_file),