Add replay detection in parse_client_hello()
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index a0bb653..ba46f5a 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -1164,6 +1164,9 @@
SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
+#if defined(POLARSSL_SSL_DTLS_ANTI_REPLAY)
+read_record_header:
+#endif
/*
* If renegotiating, then the input was read with ssl_read_record(),
* otherwise read it ourselves manually in order to support SSLv2
@@ -1235,6 +1238,19 @@
}
memcpy( ssl->out_ctr + 2, ssl->in_ctr + 2, 6 );
+
+#if defined(POLARSSL_SSL_DTLS_ANTI_REPLAY)
+ if( ssl_dtls_replay_check( ssl ) != 0 )
+ {
+ SSL_DEBUG_MSG( 1, ( "replayed record, discarding" ) );
+ ssl->next_record_offset = 0;
+ ssl->in_left = 0;
+ goto read_record_header;
+ }
+
+ /* No MAC to check yet, so we can update right now */
+ ssl_dtls_replay_update( ssl );
+#endif
}
#endif /* POLARSSL_SSL_PROTO_DTLS */