From 509491f5548732126577589bf5cfbcebf7e05f72 Mon Sep 17 00:00:00 2001
From: Marco Oliverio
Date: Mon, 16 Jun 2025 09:59:32 +0200
Subject: [PATCH] dtls13: wolfSSL_is_init_finished true after last server ACK
Do not consider the handshake finished until the last server ACK. This way the application knows where to switch from wolfSSL_negotiate/wolfSSL_connect to wolfSSL_read/wolfSSL_write.
---
 src/ssl.c | 7 +++++++
 tests/api.c | 3 +--
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index 80589ad5c..e4909e35a 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -12811,6 +12811,13 @@ cleanup:
 if (ssl == NULL)
 return 0;
+#if defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_NO_CLIENT)
+ if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->options.dtls
+ && IsAtLeastTLSv1_3(ssl->version)) {
+ return ssl->options.serverState == SERVER_FINISHED_ACKED;
+ }
+#endif /* WOLFSSL_DTLS13 && !WOLFSSL_NO_CLIENT */
+
 /* Can't use ssl->options.connectState and ssl->options.acceptState
 * because they differ in meaning for TLS <=1.2 and 1.3 */
 if (ssl->options.handShakeState == HANDSHAKE_DONE)
diff --git a/tests/api.c b/tests/api.c
index a5b7ad435..653618222 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -66072,8 +66072,7 @@ static int test_dtls13_missing_finished_server(void)
 ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
 /* Let's clear the output */
 test_memio_clear_buffer(&test_ctx, 0);
- /* We should signal that the handshake is done */
- ExpectTrue(wolfSSL_is_init_finished(ssl_c));
+ ExpectFalse(wolfSSL_is_init_finished(ssl_c));
 /* Let's send some app data */
 ExpectIntEQ(wolfSSL_write(ssl_c, test_str, sizeof(test_str)),
 sizeof(test_str));
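Review bot: The new DTLS 1.3 client branch returns `ssl->options.serverState == SERVER_FINISHED_ACKED` before the existing `handShakeState == HANDSHAKE_DONE` check is reached, so for this configuration the result no longer consults the generic handshake state at all; if serverState can ever move past SERVER_FINISHED_ACKED on an established connection (the enum is not visible here), the strict equality would flip back to 0 and an application polling this function would wrongly fall back to wolfSSL_connect/wolfSSL_negotiate. If the state enum is ordered, `>=` or an extra `ssl->options.handShakeState == HANDSHAKE_DONE` conjunct would make the branch robust to that. The contract change for DTLS 1.3 clients is also undocumented in the code; I would add above the `#if`: `/* DTLS 1.3 client: report the handshake finished only once the server has ACKed our Finished flight, so the caller keeps driving wolfSSL_connect/wolfSSL_negotiate until then. */`. wolfSSL_is_init_finished starts before and continues past this hunk.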
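Review bot: The replacement line `ExpectFalse(wolfSSL_is_init_finished(ssl_c));` drops the comment that explained the expectation, and the following lines still write application data successfully while the handshake is reported unfinished, which reads as a contradiction without context. I would keep a comment on the new line, e.g. `/* Server ACK of our Finished not received yet, so not finished; app data can still be sent */`, so the next reader does not "fix" either side of the test. Sending app data before the ACK looks intentional given the test name, but that intent should be stated rather than inferred. test_dtls13_missing_finished_server starts before and continues past this hunk.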