From fd7bf8d04d32297117fa63d1c916264e4ca32a1c Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Mon, 20 Jun 2022 20:32:15 +0200 Subject: [PATCH] Do resuming check as soon as we get a non-resumption msg --- src/internal.c | 24 ++++++++++++++++++------ src/ssl.c | 1 + 2 files changed, 19 insertions(+), 6 deletions(-) diff --git a/src/internal.c b/src/internal.c index 98286ba8c..5c69e531a 100644 --- a/src/internal.c +++ b/src/internal.c @@ -14766,6 +14766,24 @@ static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx, } #endif + if (ssl->options.side == WOLFSSL_CLIENT_END) { + switch (type) { + case certificate: + case server_key_exchange: + case certificate_request: + case server_hello_done: + if (ssl->options.resuming) { + /* This can occur when ssl->sessionSecretCb is set. EAP-FAST + * (RFC 4851) allows for detecting server session resumption + * based on the msg received after the ServerHello. */ + WOLFSSL_MSG("Not resuming as thought"); + ssl->options.resuming = 0; + /* No longer resuming, reset peer authentication state. */ + ssl->options.peerAuthGood = 0; + } + } + } + switch (type) { case hello_request: @@ -14872,12 +14890,6 @@ static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx, *inOutIdx += MacSize(ssl); #endif } - if (ssl->options.resuming) { - WOLFSSL_MSG("Not resuming as thought"); - ssl->options.resuming = 0; - /* CLIENT: No longer resuming, reset peer authentication state. */ - ssl->options.peerAuthGood = 0; - } break; case finished: diff --git a/src/ssl.c b/src/ssl.c index 3f19647b9..cf53a5a06 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -12148,6 +12148,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, /* CLIENT: Fail-safe for Server Authentication. */ if (!ssl->options.peerAuthGood) { WOLFSSL_MSG("Server authentication did not happen"); + ssl->error = NO_PEER_VERIFY; return WOLFSSL_FATAL_ERROR; }