Handle late handshake messages gracefully
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 71d07b5..31413e4 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4970,6 +4970,25 @@
                   ssl->in_hslen != 4 ) )
             {
                 SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
+
+                /* With DTLS, drop the packet (probably from last handshake) */
+#if defined(POLARSSL_SSL_PROTO_DTLS)
+                if( ssl->transport == SSL_TRANSPORT_DATAGRAM )
+                    return( POLARSSL_ERR_NET_WANT_READ );
+#endif
+                return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
+            }
+
+            if( ssl->endpoint == SSL_IS_SERVER &&
+                ssl->in_msg[0] != SSL_HS_CLIENT_HELLO )
+            {
+                SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );
+
+                /* With DTLS, drop the packet (probably from last handshake) */
+#if defined(POLARSSL_SSL_PROTO_DTLS)
+                if( ssl->transport == SSL_TRANSPORT_DATAGRAM )
+                    return( POLARSSL_ERR_NET_WANT_READ );
+#endif
                 return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
             }
 
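Review bot: Both new DTLS return sites drop every handshake message that is not a HelloRequest (client) or ClientHello (server), not only late retransmissions, so on datagram transport a genuinely unexpected handshake message no longer surfaces as `POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE` and leaves only a level-1 debug line. The comment should state that trade-off rather than "probably from last handshake", e.g. `/* DTLS: late retransmits of the previous flight are expected; drop the record and let the caller retry instead of aborting */`. The caller receives the same `POLARSSL_ERR_NET_WANT_READ` it gets when the transport has no data, so it is worth confirming outside this hunk that a caller waiting on socket readability cannot stall if further records from the same datagram are still buffered. The tests added in tests/ssl-opt.sh assert only the client's `HTTP/1.0 200 OK`, so nothing visible checks that either drop branch was actually taken. The enclosing function starts and ends outside the hunk.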
@@ -4978,7 +4997,7 @@
                   ssl->allow_legacy_renegotiation ==
                                                 SSL_LEGACY_NO_RENEGOTIATION ) )
             {
-                SSL_DEBUG_MSG( 3, ( "ignoring renegotiation, sending alert" ) );
+                SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
 
 #if defined(POLARSSL_SSL_PROTO_SSL3)
                 if( ssl->minor_ver == SSL_MINOR_VERSION_0 )
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 64d3973..c7758b8 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -2097,13 +2097,28 @@
             -c "found fragmented DTLS handshake message" \
             -C "error"
 
-# Temporary test for ability to use the UDP proxy
+# Tests with UDP proxy emulating unreliable transport
 
-run_test    "DTLS proxy usability test" \
+run_test    "DTLS proxy: reference" \
             -p "$P_PXY" \
             "$P_SRV dtls=1" \
             "$P_CLI dtls=1" \
-            0
+            0 \
+            -c "HTTP/1.0 200 OK"
+
+run_test    "DTLS proxy: some duplication" \
+            -p "$P_PXY duplicate=3" \
+            "$P_SRV dtls=1" \
+            "$P_CLI dtls=1" \
+            0 \
+            -c "HTTP/1.0 200 OK"
+
+run_test    "DTLS proxy: lots of duplication" \
+            -p "$P_PXY duplicate=1" \
+            "$P_SRV dtls=1" \
+            "$P_CLI dtls=1" \
+            0 \
+            -c "HTTP/1.0 200 OK"
 
 # Final report