wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-31 19:24:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix issue with missing client key exchange and duplicate change cipher spec messages.

Browse Source
This commit is contained in:
John Safranek
2016-04-27 12:03:37 -07:00
parent a54b0f9d0c
commit 7123b080ed
1 changed files with 38 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

66
src/internal.c
View File

@@ -6211,7 +6211,10 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
WOLFSSL_MSG("Duplicate ChangeCipher received");
return DUPLICATE_MSG_E;
}
ssl->msgsReceived.got_change_cipher = 1;
/* DTLS is going to ignore the CCS message if the client key
* exchange message wasn't received yet. */
if (!ssl->options.dtls)
ssl->msgsReceived.got_change_cipher = 1;
#ifndef NO_WOLFSSL_CLIENT
if (ssl->options.side == WOLFSSL_CLIENT_END) {
@@ -6231,7 +6234,8 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
}
}
#endif
if (ssl->options.dtls)
ssl->msgsReceived.got_change_cipher = 1;
break;
default:
@@ -8028,8 +8032,12 @@ int ProcessReply(WOLFSSL* ssl)
if (ssl->options.dtls && ret == SEQUENCE_ERROR) {
WOLFSSL_MSG("Silently dropping out of order DTLS message");
ssl->options.processReply = doProcessInit;
ssl->buffers.inputBuffer.length = 0;
ssl->buffers.inputBuffer.idx = 0;
ssl->buffers.inputBuffer.idx += ssl->curSize;
ret = DtlsPoolSend(ssl);
if (ret != 0)
return ret;
continue;
}
#endif
@@ -8161,31 +8169,33 @@ int ProcessReply(WOLFSSL* ssl)
}
#endif
#ifdef WOLFSSL_DTLS
/* Check for duplicate CCS message in DTLS mode.
* DTLS allows for duplicate messages, and it should be
* skipped. */
if (ssl->options.dtls &&
ssl->msgsReceived.got_change_cipher) {
WOLFSSL_MSG("Duplicate ChangeCipher msg");
ret = DtlsPoolSend(ssl);
if (ret != 0)
return ret;
if (ssl->curSize != 1) {
WOLFSSL_MSG("Malicious or corrupted"
" duplicate ChangeCipher msg");
return LENGTH_ERROR;
}
ssl->buffers.inputBuffer.idx++;
break;
}
#endif
ret = SanityCheckMsgReceived(ssl, change_cipher_hs);
if (ret != 0)
return ret;
if (ret != 0) {
if (!ssl->options.dtls) {
return ret;
}
#ifdef WOLFSSL_DTLS
else {
/* Check for duplicate CCS message in DTLS mode.
* DTLS allows for duplicate messages, and it should be
* skipped. Also skip if out of order. */
if (ret != DUPLICATE_MSG_E && ret != OUT_OF_ORDER_E)
return ret;
ret = DtlsPoolSend(ssl);
if (ret != 0)
return ret;
if (ssl->curSize != 1) {
WOLFSSL_MSG("Malicious or corrupted"
" duplicate ChangeCipher msg");
return LENGTH_ERROR;
}
ssl->buffers.inputBuffer.idx++;
break;
}
#endif /* WOLFSSL_DTLS */
}
#ifdef HAVE_SESSION_TICKET
if (ssl->options.side == WOLFSSL_CLIENT_END &&