From: Martin Willi <martin@revosec.ch>
Date: Thu, 8 Jan 2015 10:06:45 +0000 (+0100)
Subject: libtls: Check for CHANGE_CIPHER_SPEC type only if upper layer returns NEED_MORE
X-Git-Tag: 5.3.0dr1~93
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=780bf2b8e94686c535a7bc8ffaccd9e7a7646e77;p=thirdparty%2Fstrongswan.git

libtls: Check for CHANGE_CIPHER_SPEC type only if upper layer returns NEED_MORE

A type is returned only if upper layers successfully created a record, that is
returns NEED_MORE. If we do not check for the return value, we might check a
previous record or the uninitialized type variable and falsely reset the
sequence number.
---

diff --git a/src/libtls/tls_protection.c b/src/libtls/tls_protection.c
index b016db21fd..e73fedc5d7 100644
--- a/src/libtls/tls_protection.c
+++ b/src/libtls/tls_protection.c
@@ -101,14 +101,13 @@ METHOD(tls_protection_t, build, status_t,
 	status_t status;
 
 	status = this->compression->build(this->compression, type, data);
-	if (*type == TLS_CHANGE_CIPHER_SPEC)
-	{
-		this->seq_out = 0;
-		return status;
-	}
-
 	if (status == NEED_MORE)
 	{
+		if (*type == TLS_CHANGE_CIPHER_SPEC)
+		{
+			this->seq_out = 0;
+			return status;
+		}
 		if (this->aead_out)
 		{
 			if (!this->aead_out->encrypt(this->aead_out, this->version,