Jelajahi Sumber

Correctly reset the Tx sequence number

All DTLS records after the ClientHello should try to start from the sequence number of the ClientHello if it is available.
Juliusz Sosinowicz 3 tahun lalu
induk
melakukan
d4302cc71b
4 mengubah file dengan 27 tambahan dan 7 penghapusan
  1. 3 7
      src/internal.c
  2. 1 0
      tests/include.am
  3. 14 0
      tests/suites.c
  4. 9 0
      tests/test-dtls-fails-cipher.conf

+ 3 - 7
src/internal.c

@@ -29785,13 +29785,8 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ],
         /* are we in scr */
         if (IsEncryptionOn(ssl, 1)) {
             byte* input;
-            int   inputSz = HANDSHAKE_HEADER_SZ + length; /* build msg adds rec hdr */
-            int   recordHeaderSz = RECORD_HEADER_SZ;
-
-            if (ssl->options.dtls) {
-                recordHeaderSz += DTLS_RECORD_EXTRA;
-                inputSz += DTLS_HANDSHAKE_EXTRA;
-            }
+            int   inputSz = DTLS_HANDSHAKE_HEADER_SZ + length; /* build msg adds rec hdr */
+            int   recordHeaderSz = DTLS_RECORD_HEADER_SZ;
 
             input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
             if (input == NULL)
@@ -29807,6 +29802,7 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ],
         }
 
         ssl->buffers.outputBuffer.length += sendSz;
+        DtlsSEQIncrement(ssl, CUR_ORDER);
 
         return SendBuffered(ssl);
     }

+ 1 - 0
tests/include.am

@@ -31,6 +31,7 @@ EXTRA_DIST += tests/test.conf \
               tests/test-psk-no-id-sha2.conf \
               tests/test-dtls.conf \
               tests/test-dtls-fails.conf \
+              tests/test-dtls-fails-cipher.conf \
               tests/test-dtls-group.conf \
               tests/test-dtls-reneg-client.conf \
               tests/test-dtls-reneg-server.conf \

+ 14 - 0
tests/suites.c

@@ -1003,6 +1003,20 @@ int SuiteTest(int argc, char** argv)
     }
     strcpy(argv0[2], "");
 #endif
+#ifdef WOLFSSL_EXTRA_ALERTS
+    /* failure tests */
+    args.argc = 3;
+    strcpy(argv0[1], "tests/test-dtls-fails-cipher.conf");
+    strcpy(argv0[2], "expFail"); /* tests are expected to fail */
+    printf("starting dtls cipher mismatch tests that expect failure\n");
+    test_harness(&args);
+    if (args.return_code != 0) {
+        printf("error from script %d\n", args.return_code);
+        args.return_code = EXIT_FAILURE;
+        goto exit;
+    }
+    strcpy(argv0[2], "");
+#endif
 #endif
 #ifdef WOLFSSL_SCTP
     /* add dtls-sctp extra suites */

+ 9 - 0
tests/test-dtls-fails-cipher.conf

@@ -0,0 +1,9 @@
+# server DTLSv1.2 cipher mismatch
+-v 3
+-u
+-l DHE-RSA-AES128-SHA256
+
+# client DTLSv1.2 cipher mismatch
+-v 3
+-u
+-l DHE-RSA-AES256-SHA256