
Commit 958fa1a

committed
TLS 1.2: client message order check
Error when client receives CertificateRequest out of order: not after Certificate and not after ServerKeyExchange if being sent.
1 parent 9fdcd2e commit 958fa1a


1 file changed

+14
-0
lines changed


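--- a/src/internal.c
+++ b/src/internal.c
@@ -17659,6 +17659,20 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
             WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
             return OUT_OF_ORDER_E;
         }
+        if (!ssl->options.resuming && ssl->specs.kea != rsa_kea &&
+            (ssl->specs.kea != ecc_diffie_hellman_kea ||
+             !ssl->specs.static_ecdh) &&
+            ssl->specs.kea != ecc_static_diffie_hellman_kea &&
+            !ssl->msgsReceived.got_server_key_exchange) {
+            WOLFSSL_MSG("No ServerKeyExchange before CertificateRequest");
+            WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
+            return OUT_OF_ORDER_E;
+        }
+        if (!ssl->msgsReceived.got_certificate) {
+            WOLFSSL_MSG("No Certificate before CertificateRequest");
+            WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
+            return OUT_OF_ORDER_E;
+        }
         if (ssl->msgsReceived.got_server_hello_done) {
             WOLFSSL_MSG("CertificateRequest received in wrong order");
             WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);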
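Review bot: The first added condition hand-enumerates the key-exchange modes that omit ServerKeyExchange (rsa_kea, static ECDH via static_ecdh, ecc_static_diffie_hellman_kea, and resumption), and nothing in the hunk records why those and only those are exempt, so the next cipher-suite addition can silently desynchronise this list from the code that actually decides whether an SKE is expected; a comment above the `if` such as `/* RFC 5246 7.4.3/7.4.4: CertificateRequest must follow Certificate and, for kea modes that send one, ServerKeyExchange. */` would anchor the intent. The second check requires got_certificate unconditionally, which is the right outcome for anonymous and PSK suites since a server using them must not send CertificateRequest at all (RFC 5246 7.4.4, RFC 4279), but that is not obvious from the code and deserves a one-line comment so a reader does not "fix" it by adding an exemption. The enclosing function SanityCheckMsgReceived starts and ends outside the hunk, so whether an earlier branch already rejects CertificateRequest during resumption is inferred, not visible here.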
