skip the sanity check on a duplicate change cipher spec message in DTLS mode, they are allowed

2015-08-08 23:52:32 -07:00 · 2015-08-08 23:52:32 -07:00 · 106abb873f
commit 106abb873f
parent e16ff73273
1 changed files with 16 additions and 0 deletions
--- a/src/internal.c
+++ b/src/internal.c
@ -6686,6 +6686,22 @@ int ProcessReply(WOLFSSL* ssl)
                        }
                    #endif

+                    /* Check for duplicate CCS message in DTLS mode.
+                     * DTLS allows for duplicate messages, and it should be
+                     * skipped. */
+                    if (ssl->options.dtls &&
+                        ssl->msgsReceived.got_change_cipher) {
+
+                        WOLFSSL_MSG("Duplicate ChangeCipher msg");
+                        if (ssl->curSize != 1) {
+                            WOLFSSL_MSG("Malicious or corrupted"
+                                        " duplicate ChangeCipher msg");
+                            return LENGTH_ERROR;
+                        }
+                        ssl->buffers.inputBuffer.idx++;
+                        break;
+                    }
+
                    ret = SanityCheckMsgReceived(ssl, change_cipher_hs);
                    if (ret != 0)
                        return ret;