Drop out-of-sequence ChangeCipherSpec messages
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 5472b4d..6c89fbe 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2637,7 +2637,7 @@
}
else
{
- SSL_DEBUG_MSG( 2, ( "dropping out-of-order message: "
+ SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: "
"message_seq = %d, expected = %d",
recv_msg_seq,
ssl->handshake->in_msg_seq ) );
@@ -3017,6 +3017,20 @@
}
}
+#if defined(POLARSSL_SSL_PROTO_DTLS)
+ if( ssl->transport == SSL_TRANSPORT_DATAGRAM )
+ {
+ /* Drop unexpected ChangeCipherSpec messages */
+ if( ssl->in_msgtype == SSL_MSG_CHANGE_CIPHER_SPEC &&
+ ssl->state != SSL_CLIENT_CHANGE_CIPHER_SPEC &&
+ ssl->state != SSL_SERVER_CHANGE_CIPHER_SPEC )
+ {
+ SSL_DEBUG_MSG( 2, ( "dropping unexpected ChangeCipherSpec" ) );
+ return( POLARSSL_ERR_NET_WANT_READ );
+ }
+ }
+#endif
+
SSL_DEBUG_MSG( 2, ( "<= read record" ) );
return( 0 );
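Review bot: The new drop path at `return( POLARSSL_ERR_NET_WANT_READ );` tells the caller the transport would block, although a record was just read and discarded. A caller that waits on the socket after WANT_READ could stall if more records from the same datagram are still buffered; the buffering logic is not visible in this hunk, so please confirm the caller re-enters the read path instead of polling first. The state test also accepts both `SSL_CLIENT_CHANGE_CIPHER_SPEC` and `SSL_SERVER_CHANGE_CIPHER_SPEC` regardless of endpoint, which looks wider than needed if only one of them is the state in which this side expects the peer's ChangeCipherSpec. I would also expand the comment to record why the filter exists, e.g. `/* CCS carries no message_seq and is unprotected during the initial handshake, so a reordered or injected one is silently dropped unless we are waiting for it */`. The enclosing function starts outside the hunk.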