From 990f9e428a7f2913c2d1ee073a2c54d8a819e161 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Sat, 6 Sep 2014 12:27:02 +0200
Subject: [PATCH] Handle late handshake messages gracefully
---
 library/ssl_tls.c | 21 ++++++++++++++++++++-
 tests/ssl-opt.sh | 21 ++++++++++++++++++---
 2 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 71d07b5a9c..31413e4d9c 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4970,6 +4970,25 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
 ssl->in_hslen != 4 ) )
 {
 SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
+
+ /* With DTLS, drop the packet (probably from last handshake) */
+#if defined(POLARSSL_SSL_PROTO_DTLS)
+ if( ssl->transport == SSL_TRANSPORT_DATAGRAM )
+ return( POLARSSL_ERR_NET_WANT_READ );
+#endif
+ return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
+ }
+
+ if( ssl->endpoint == SSL_IS_SERVER &&
+ ssl->in_msg[0] != SSL_HS_CLIENT_HELLO )
+ {
+ SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );
+
+ /* With DTLS, drop the packet (probably from last handshake) */
+#if defined(POLARSSL_SSL_PROTO_DTLS)
+ if( ssl->transport == SSL_TRANSPORT_DATAGRAM )
+ return( POLARSSL_ERR_NET_WANT_READ );
+#endif
 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
 }
@@ -4978,7 +4997,7 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
 ssl->allow_legacy_renegotiation == SSL_LEGACY_NO_RENEGOTIATION ) )
 {
- SSL_DEBUG_MSG( 3, ( "ignoring renegotiation, sending alert" ) );
+ SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
 #if defined(POLARSSL_SSL_PROTO_SSL3)
 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 64d39734e4..c7758b883c 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
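Review bot: In both new DTLS branches of the first `ssl_tls.c` hunk, `ssl_read` returns `POLARSSL_ERR_NET_WANT_READ` after discarding a record it has already consumed, so a caller cannot tell "record dropped, call again now" from "the transport has nothing to read". A caller that waits for the socket to become readable before retrying could stall if more records from the same datagram are still held in the context's input buffer; whether that state is reset before these returns is not visible, because `ssl_read` starts and ends outside the hunk. I would at least state the contract at both returns, e.g. `/* Record discarded, nothing delivered: caller should call ssl_read() again without waiting on the socket */`, or loop inside `ssl_read` rather than returning. The drop also covers every handshake type other than HelloRequest/ClientHello, not only retransmissions of the previous flight as the comment suggests, and the six-line `#if defined(POLARSSL_SSL_PROTO_DTLS)` block is repeated verbatim in both branches, so folding it into one shared check would keep them from drifting apart.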
@@ -2097,13 +2097,28 @@ run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \
 -c "found fragmented DTLS handshake message" \
 -C "error"
-# Temporary test for ability to use the UDP proxy
+# Tests with UDP proxy emulating unreliable transport
-run_test "DTLS proxy usability test" \
+run_test "DTLS proxy: reference" \
 -p "$P_PXY" \
 "$P_SRV dtls=1" \
 "$P_CLI dtls=1" \
- 0
+ 0 \
+ -c "HTTP/1.0 200 OK"
+
+run_test "DTLS proxy: some duplication" \
+ -p "$P_PXY duplicate=3" \
+ "$P_SRV dtls=1" \
+ "$P_CLI dtls=1" \
+ 0 \
+ -c "HTTP/1.0 200 OK"
+
+run_test "DTLS proxy: lots of duplication" \
+ -p "$P_PXY duplicate=1" \
+ "$P_SRV dtls=1" \
+ "$P_CLI dtls=1" \
+ 0 \
+ -c "HTTP/1.0 200 OK"
 # Final report
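Review bot: The two duplication tests only require exit code 0 and `-c "HTTP/1.0 200 OK"`, so they would still pass if no duplicated handshake record ever reached `ssl_read` and the new drop branch never ran. If debug output can be enabled for these runs, an extra pattern on the new debug strings ("handshake received (not ClientHello)" / "(not HelloRequest)") would tie the tests to the code path this commit adds; whether the default `$P_SRV`/`$P_CLI` settings print level-1 messages is not visible here. The labels also read inverted at first sight, with `duplicate=3` called "some" and `duplicate=1` called "lots"; a one-line comment above the tests such as `# duplicate=N: the proxy duplicates roughly one packet in N` (wording to be confirmed against the proxy's usage text) would remove the guesswork.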