From 579950c2bb85fc2114e27287d1c0a49faa0a46fd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 29 Sep 2014 17:47:33 +0200 Subject: [PATCH] Fix bug with non-blocking I/O and cookies --- include/polarssl/ssl.h | 1 + library/ssl_srv.c | 15 +++++++-------- tests/ssl-opt.sh | 10 ++++++++++ 3 files changed, 18 insertions(+), 8 deletions(-) diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index ddbac5836..202a2004e 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h @@ -516,6 +516,7 @@ typedef enum SSL_HANDSHAKE_WRAPUP, SSL_HANDSHAKE_OVER, SSL_SERVER_NEW_SESSION_TICKET, + SSL_SERVER_HELLO_VERIFY_REQUEST_SENT, } ssl_states; diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 219fc018f..3cd87f92c 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -2052,7 +2052,7 @@ static int ssl_write_hello_verify_request( ssl_context *ssl ) ssl->out_msgtype = SSL_MSG_HANDSHAKE; ssl->out_msg[0] = SSL_HS_HELLO_VERIFY_REQUEST; - ssl->state = SSL_CLIENT_HELLO; + ssl->state = SSL_SERVER_HELLO_VERIFY_REQUEST_SENT; if( ( ret = ssl_write_record( ssl ) ) != 0 ) { @@ -2084,13 +2084,7 @@ static int ssl_write_server_hello( ssl_context *ssl ) SSL_DEBUG_MSG( 2, ( "client hello was not authenticated" ) ); SSL_DEBUG_MSG( 2, ( "<= write server hello" ) ); - if( ( ret = ssl_write_hello_verify_request( ssl ) ) != 0 ) - { - SSL_DEBUG_RET( 1, "ssl_write_hello_verify_request", ret ); - return( ret ); - } - - return( POLARSSL_ERR_SSL_HELLO_VERIFY_REQUIRED ); + return( ssl_write_hello_verify_request( ssl ) ); } #endif /* POLARSSL_SSL_DTLS_HELLO_VERIFY */ @@ -3534,6 +3528,11 @@ int ssl_handshake_server_step( ssl_context *ssl ) ret = ssl_parse_client_hello( ssl ); break; +#if defined(POLARSSL_SSL_PROTO_DTLS) + case SSL_SERVER_HELLO_VERIFY_REQUEST_SENT: + return( POLARSSL_ERR_SSL_HELLO_VERIFY_REQUIRED ); +#endif + /* * ==> ServerHello * Certificate diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 09a94f170..a657f79ff 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2046,6 +2046,16 @@ run_test "DTLS cookie: enabled, IPv6" \ -c "received hello verify request" \ -S "SSL - The requested feature is not available" +run_test "DTLS cookie: enabled, nbio" \ + "$P_SRV dtls=1 nbio=2 debug_level=2" \ + "$P_CLI dtls=1 nbio=2 debug_level=2" \ + 0 \ + -s "cookie verification failed" \ + -s "cookie verification passed" \ + -S "cookie verification skipped" \ + -c "received hello verify request" \ + -S "SSL - The requested feature is not available" + # Tests for various cases of client authentication with DTLS # (focused on handshake flows and message parsing)