Handle late handshake messages gracefully

2014-09-06 12:27:02 +02:00 · 2014-09-06 12:27:02 +02:00 · 990f9e428a
commit 990f9e428a
parent 2c41bd85e0
2 changed files with 38 additions and 4 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -4970,6 +4970,25 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
                  ssl->in_hslen != 4 ) )
            {
                SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
+
+                /* With DTLS, drop the packet (probably from last handshake) */
+#if defined(POLARSSL_SSL_PROTO_DTLS)
+                if( ssl->transport == SSL_TRANSPORT_DATAGRAM )
+                    return( POLARSSL_ERR_NET_WANT_READ );
+#endif
+                return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
+            }
+
+            if( ssl->endpoint == SSL_IS_SERVER &&
+                ssl->in_msg[0] != SSL_HS_CLIENT_HELLO )
+            {
+                SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );
+
+                /* With DTLS, drop the packet (probably from last handshake) */
+#if defined(POLARSSL_SSL_PROTO_DTLS)
+                if( ssl->transport == SSL_TRANSPORT_DATAGRAM )
+                    return( POLARSSL_ERR_NET_WANT_READ );
+#endif
                return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
            }

@ -4978,7 +4997,7 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
                  ssl->allow_legacy_renegotiation ==
                                                SSL_LEGACY_NO_RENEGOTIATION ) )
            {
-                SSL_DEBUG_MSG( 3, ( "ignoring renegotiation, sending alert" ) );
+                SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );

 #if defined(POLARSSL_SSL_PROTO_SSL3)
                if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@ -2097,13 +2097,28 @@ run_test    "DTLS reassembly: fragmentation, nbio (openssl server)" \
            -c "found fragmented DTLS handshake message" \
            -C "error"

-# Temporary test for ability to use the UDP proxy
+# Tests with UDP proxy emulating unreliable transport

-run_test    "DTLS proxy usability test" \
+run_test    "DTLS proxy: reference" \
            -p "$P_PXY" \
            "$P_SRV dtls=1" \
            "$P_CLI dtls=1" \
-            0
+            0 \
+            -c "HTTP/1.0 200 OK"
+
+run_test    "DTLS proxy: some duplication" \
+            -p "$P_PXY duplicate=3" \
+            "$P_SRV dtls=1" \
+            "$P_CLI dtls=1" \
+            0 \
+            -c "HTTP/1.0 200 OK"
+
+run_test    "DTLS proxy: lots of duplication" \
+            -p "$P_PXY duplicate=1" \
+            "$P_SRV dtls=1" \
+            "$P_CLI dtls=1" \
+            0 \
+            -c "HTTP/1.0 200 OK"

 # Final report