Improvement to wolfSSL_write to not allow for VERIFY_MAC_ERROR or DECRYPT_ERROR errors. This resolves possible end user application implentation issue where a wolfSSL_read failure isn't handled and a wolfSSL_write is done anyways.

2025-07-30 18:57:27 +02:00 · 2019-04-12 11:29:28 -07:00
parent 364bf50a94
commit 68390b1ba3
1 changed files with 10 additions and 6 deletions
--- a/src/internal.c
+++ b/src/internal.c
@ -15223,14 +15223,18 @@ int SendData(WOLFSSL* ssl, const void* data, int sz)
        ssl->error = 0;
    }

-#ifdef WOLFSSL_DTLS
+    /* don't allow write after decrypt or mac error */
+    if (ssl->error == VERIFY_MAC_ERROR || ssl->error == DECRYPT_ERROR) {
+        /* For DTLS allow these possible errors and allow the session
+            to continue despite them */
        if (ssl->options.dtls) {
-        /* In DTLS mode, we forgive some errors and allow the session
-         * to continue despite them. */
-        if (ssl->error == VERIFY_MAC_ERROR || ssl->error == DECRYPT_ERROR)
            ssl->error = 0;
        }
-#endif /* WOLFSSL_DTLS */
+        else {
+            WOLFSSL_MSG("Not allowing write after decrypt or mac error");
+            return WOLFSSL_FATAL_ERROR;
+        }
+    }

 #ifdef WOLFSSL_EARLY_DATA
    if (ssl->earlyData != no_early_data) {