Drop unexpected ApplicationData

This is likely to happen on session resumption if the client speaks first at the
application level.
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 089d17e..b322052 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2939,6 +2939,28 @@
         return( POLARSSL_ERR_SSL_INVALID_RECORD );
     }
 
+#if defined(POLARSSL_SSL_PROTO_DTLS)
+    if( ssl->transport == SSL_TRANSPORT_DATAGRAM )
+    {
+        /* Drop unexpected ChangeCipherSpec messages */
+        if( ssl->in_msgtype == SSL_MSG_CHANGE_CIPHER_SPEC &&
+            ssl->state != SSL_CLIENT_CHANGE_CIPHER_SPEC &&
+            ssl->state != SSL_SERVER_CHANGE_CIPHER_SPEC )
+        {
+            SSL_DEBUG_MSG( 1, ( "dropping unexpected ChangeCipherSpec" ) );
+            return( POLARSSL_ERR_SSL_INVALID_RECORD );
+        }
+
+        /* Drop unexpected ApplicationData records */
+        if( ssl->in_msgtype == SSL_MSG_APPLICATION_DATA &&
+            ssl->state != SSL_HANDSHAKE_OVER )
+        {
+            SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
+            return( POLARSSL_ERR_SSL_INVALID_RECORD );
+        }
+    }
+#endif
+
     /* Check version */
     if( major_ver != ssl->major_ver )
     {
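Review bot: The new ApplicationData condition, `ssl->state != SSL_HANDSHAKE_OVER`, will presumably also match application records that arrive while a renegotiation is under way, and DTLS does not retransmit application data, so those records would be lost rather than delayed. The same commit adds `read_timeout=1000 max_resend=2` to the server-initiated renegotiation test, which suggests the client now has to re-send at application level on that path. If the loss is not intended, the condition should exempt the window at the start of a renegotiation; if it is intended, the comment should say so, e.g. `/* Drop unexpected ApplicationData records; this includes data received during renegotiation, which the application must be prepared to re-send */`. The check appears to act on header fields ahead of the version check, which is acceptable for a silent drop but worth a word in the same comment. The enclosing function starts and ends outside the hunk.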
@@ -3284,20 +3306,6 @@
         }
     }
 
-#if defined(POLARSSL_SSL_PROTO_DTLS)
-    if( ssl->transport == SSL_TRANSPORT_DATAGRAM )
-    {
-        /* Drop unexpected ChangeCipherSpec messages */
-        if( ssl->in_msgtype == SSL_MSG_CHANGE_CIPHER_SPEC &&
-            ssl->state != SSL_CLIENT_CHANGE_CIPHER_SPEC &&
-            ssl->state != SSL_SERVER_CHANGE_CIPHER_SPEC )
-        {
-            SSL_DEBUG_MSG( 2, ( "dropping unexpected ChangeCipherSpec" ) );
-            return( POLARSSL_ERR_NET_WANT_READ );
-        }
-    }
-#endif
-
     SSL_DEBUG_MSG( 2, ( "<= read record" ) );
 
     return( 0 );
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 21130e6..759c8f5 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -959,7 +959,8 @@
 
 run_test    "Renegotiation: DTLS, server-initiated" \
             "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \
-            "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1" \
+            "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \
+             read_timeout=1000 max_resend=2" \
             0 \
             -c "client hello, adding renegotiation extension" \
             -s "received TLS_EMPTY_RENEGOTIATION_INFO" \
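Review bot: Nothing in this test change exercises the case the commit message describes, a resumed DTLS session where the client sends application data first; the edit to the renegotiation case only adds `read_timeout=1000 max_resend=2`. A resumption case that greps for the new debug line, `dropping unexpected ApplicationData`, on the side expected to drop the record would pin the behaviour, assuming no such case already exists elsewhere in the file. The run_test call continues past the end of the hunk.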