diff options
| author | Matt Caswell <matt@openssl.org> | 2018-05-03 12:07:47 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2018-05-08 09:40:17 +0100 |
| commit | f20404fce90919b614b737d07cc75d9e1c019fb8 (patch) | |
| tree | d7a76201369b36630d03a12ac7e05b59dfba60a7 /ssl/statem | |
| parent | e15e92dbd5248bc8dbd95d2c0af33a6daf8f7255 (diff) | |
Don't fail on an out-of-order CCS in DTLS
Fixes #4929
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6170)
Diffstat (limited to 'ssl/statem')
| -rw-r--r-- | ssl/statem/statem.c | 4 | ||||
| -rw-r--r-- | ssl/statem/statem_clnt.c | 14 | ||||
| -rw-r--r-- | ssl/statem/statem_srvr.c | 14 |
3 files changed, 29 insertions, 3 deletions
diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c index 1f221e7542..e836769666 100644 --- a/ssl/statem/statem.c +++ b/ssl/statem/statem.c @@ -589,10 +589,8 @@ static SUB_STATE_RETURN read_state_machine(SSL *s) * Validate that we are allowed to move to the new state and move * to that state if so */ - if (!transition(s, mt)) { - check_fatal(s, SSL_F_READ_STATE_MACHINE); + if (!transition(s, mt)) return SUB_STATE_ERROR; - } if (s->s3->tmp.message_size > max_message_size(s)) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_READ_STATE_MACHINE, diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 91b986fc89..60e987adb1 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -375,6 +375,20 @@ int ossl_statem_client_read_transition(SSL *s, int mt) err: /* No valid transition found */ + if (SSL_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { + BIO *rbio; + + /* + * CCS messages don't have a message sequence number so this is probably + * because of an out-of-order CCS. We'll just drop it. + */ + s->init_num = 0; + s->rwstate = SSL_READING; + rbio = SSL_get_rbio(s); + BIO_clear_retry_flags(rbio); + BIO_set_retry_read(rbio); + return 0; + } SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION, SSL_R_UNEXPECTED_MESSAGE); diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index aa38fada70..018daaa0da 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -277,6 +277,20 @@ int ossl_statem_server_read_transition(SSL *s, int mt) err: /* No valid transition found */ + if (SSL_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { + BIO *rbio; + + /* + * CCS messages don't have a message sequence number so this is probably + * because of an out-of-order CCS. We'll just drop it. + */ + s->init_num = 0; + s->rwstate = SSL_READING; + rbio = SSL_get_rbio(s); + BIO_clear_retry_flags(rbio); + BIO_set_retry_read(rbio); + return 0; + } SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION, SSL_R_UNEXPECTED_MESSAGE); |