Drop unexpected ApplicationData
This is likely to happen on resumption if client speaks first at the
application level.
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 089d17e..b322052 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2939,6 +2939,28 @@
return( POLARSSL_ERR_SSL_INVALID_RECORD );
}
+#if defined(POLARSSL_SSL_PROTO_DTLS)
+ if( ssl->transport == SSL_TRANSPORT_DATAGRAM )
+ {
+ /* Drop unexpected ChangeCipherSpec messages */
+ if( ssl->in_msgtype == SSL_MSG_CHANGE_CIPHER_SPEC &&
+ ssl->state != SSL_CLIENT_CHANGE_CIPHER_SPEC &&
+ ssl->state != SSL_SERVER_CHANGE_CIPHER_SPEC )
+ {
+ SSL_DEBUG_MSG( 1, ( "dropping unexpected ChangeCipherSpec" ) );
+ return( POLARSSL_ERR_SSL_INVALID_RECORD );
+ }
+
+ /* Drop unexpected ApplicationData records */
+ if( ssl->in_msgtype == SSL_MSG_APPLICATION_DATA &&
+ ssl->state != SSL_HANDSHAKE_OVER )
+ {
+ SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
+ return( POLARSSL_ERR_SSL_INVALID_RECORD );
+ }
+ }
+#endif
+
/* Check version */
if( major_ver != ssl->major_ver )
{
@@ -3284,20 +3306,6 @@
}
}
-#if defined(POLARSSL_SSL_PROTO_DTLS)
- if( ssl->transport == SSL_TRANSPORT_DATAGRAM )
- {
- /* Drop unexpected ChangeCipherSpec messages */
- if( ssl->in_msgtype == SSL_MSG_CHANGE_CIPHER_SPEC &&
- ssl->state != SSL_CLIENT_CHANGE_CIPHER_SPEC &&
- ssl->state != SSL_SERVER_CHANGE_CIPHER_SPEC )
- {
- SSL_DEBUG_MSG( 2, ( "dropping unexpected ChangeCipherSpec" ) );
- return( POLARSSL_ERR_NET_WANT_READ );
- }
- }
-#endif
-
SSL_DEBUG_MSG( 2, ( "<= read record" ) );
return( 0 );