libtls: Check for CHANGE_CIPHER_SPEC type only if upper layer returns NEED_MORE

A type is returned only if upper layers successfully created a record, that is
returns NEED_MORE. If we do not check for the return value, we might check a
previous record or the uninitialized type variable and falsely reset the
sequence number.

diff --git a/src/libtls/tls_protection.c b/src/libtls/tls_protection.c
index b016db21fd6777c68bf201e075f016c862cc4662..e73fedc5d71a7c3e61665a7afac11902a6b615ea 100644 (file)
--- a/src/libtls/tls_protection.c
+++ b/src/libtls/tls_protection.c
@@ -101,14 +101,13 @@ METHOD(tls_protection_t, build, status_t,
        status_t status;
 
        status = this->compression->build(this->compression, type, data);
-       if (*type == TLS_CHANGE_CIPHER_SPEC)
-       {
-               this->seq_out = 0;
-               return status;
-       }
-
        if (status == NEED_MORE)
        {
+               if (*type == TLS_CHANGE_CIPHER_SPEC)
+               {
+                       this->seq_out = 0;
+                       return status;
+               }
                if (this->aead_out)
                {
                        if (!this->aead_out->encrypt(this->aead_out, this->version,