diff --git a/src/internal.c b/src/internal.c index 3affa2fde..3c7983475 100644 --- a/src/internal.c +++ b/src/internal.c @@ -6092,7 +6092,7 @@ static int DoDtlsHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx, *inOutIdx += fragSz; if(type == finished ) *inOutIdx += ssl->keys.padSz; - ret = 0; + ret = DtlsPoolSend(ssl); } else if (fragSz < size) { /* Since this branch is in order, but fragmented, dtls_msg_list will be @@ -7603,6 +7603,7 @@ int ProcessReply(WOLFSSL* ssl) } #endif +#ifdef WOLFSSL_DTLS /* Check for duplicate CCS message in DTLS mode. * DTLS allows for duplicate messages, and it should be * skipped. */ @@ -7610,6 +7611,10 @@ int ProcessReply(WOLFSSL* ssl) ssl->msgsReceived.got_change_cipher) { WOLFSSL_MSG("Duplicate ChangeCipher msg"); + ret = DtlsPoolSend(ssl); + if (ret != 0) + return ret; + if (ssl->curSize != 1) { WOLFSSL_MSG("Malicious or corrupted" " duplicate ChangeCipher msg"); @@ -7618,6 +7623,7 @@ int ProcessReply(WOLFSSL* ssl) ssl->buffers.inputBuffer.idx++; break; } +#endif ret = SanityCheckMsgReceived(ssl, change_cipher_hs); if (ret != 0) @@ -7680,6 +7686,12 @@ int ProcessReply(WOLFSSL* ssl) case application_data: WOLFSSL_MSG("got app DATA"); + #ifdef WOLFSSL_DTLS + if (ssl->options.dtls && ssl->options.dtlsHsRetain) { + FreeHandshakeResources(ssl); + ssl->options.dtlsHsRetain = 0; + } + #endif if ((ret = DoApplicationData(ssl, ssl->buffers.inputBuffer.buffer, &ssl->buffers.inputBuffer.idx)) @@ -7810,7 +7822,7 @@ int SendChangeCipher(WOLFSSL* ssl) if (ssl->options.groupMessages) return 0; - #ifdef WOLFSSL_DTLS + #if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_DEBUG_DTLS) else if (ssl->options.dtls) { /* If using DTLS, force the ChangeCipherSpec message to be in the * same datagram as the finished message. */ diff --git a/src/io.c b/src/io.c index 026c66e7a..c710754ae 100644 --- a/src/io.c +++ b/src/io.c @@ -404,7 +404,10 @@ int EmbedReceiveFrom(WOLFSSL *ssl, char *buf, int sz, void *ctx) WOLFSSL_ENTER("EmbedReceiveFrom()"); - if (!wolfSSL_get_using_nonblock(ssl) && dtls_timeout != 0) { + if (ssl->options.handShakeDone) + dtls_timeout = 0; + + if (!wolfSSL_get_using_nonblock(ssl)) { #ifdef USE_WINDOWS_API DWORD timeout = dtls_timeout * 1000; #else diff --git a/src/ssl.c b/src/ssl.c index c2762ffdb..8e788a4bf 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -6060,7 +6060,16 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, } } #endif /* NO_HANDSHAKE_DONE_CB */ - FreeHandshakeResources(ssl); + + if (!ssl->options.dtls) { + FreeHandshakeResources(ssl); + } +#ifdef WOLFSSL_DTLS + else { + ssl->options.dtlsHsRetain = 1; + } +#endif /* WOLFSSL_DTLS */ + WOLFSSL_LEAVE("SSL_connect()", SSL_SUCCESS); return SSL_SUCCESS; @@ -6334,7 +6343,16 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, } } #endif /* NO_HANDSHAKE_DONE_CB */ - FreeHandshakeResources(ssl); + + if (!ssl->options.dtls) { + FreeHandshakeResources(ssl); + } +#ifdef WOLFSSL_DTLS + else { + ssl->options.dtlsHsRetain = 1; + } +#endif /* WOLFSSL_DTLS */ + WOLFSSL_LEAVE("SSL_accept()", SSL_SUCCESS); return SSL_SUCCESS; diff --git a/wolfssl/internal.h b/wolfssl/internal.h index fa513da99..fb9c40471 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2270,6 +2270,9 @@ typedef struct Options { word16 createTicket:1; /* Server to create new Ticket */ word16 useTicket:1; /* Use Ticket not session cache */ #endif +#ifdef WOLFSSL_DTLS + word16 dtlsHsRetain:1; /* DTLS retaining HS data */ +#endif /* need full byte values for this section */ byte processReply; /* nonblocking resume */