Commit 58932715 authored by Philippe Coval's avatar Philippe Coval Committed by Randeep

build: Remove tinydtls library

[Chul Lee]

Remove tinydtls library

[Philippe Coval]

Ported from 1.2-rel branch to master,
and removed presence is other SConscript.

Conflicts:
	service/coap-http-proxy/unittests/SConscript
	resource/csdk/SConscript
	resource/csdk/connectivity/src/SConscript
	resource/csdk/stack/test/SConscript
	resource/csdk/security/src/doxmresource.c

Change-Id: I78f470af822587f2cd50eac6e9b1fb4ff5b87219
Signed-off-by: default avatarChul Lee <chuls.lee@samsung.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/16137Tested-by: default avatarjenkins-iotivity <jenkins-iotivity@opendaylight.org>
Reviewed-by: default avatarGreg Zaverucha <gregz@microsoft.com>
Reviewed-by: Randeep's avatarRandeep Singh <randeep.s@samsung.com>
Signed-off-by: default avatarPhilippe Coval <philippe.coval@osg.samsung.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/16941Tested-by: default avatarjenkins-iotivity <jenkins@iotivity.org>
Reviewed-by: default avatarAshwini  Kumar <k.ashwini@samsung.com>
Reviewed-by: default avatarZiran Sun <ziran.sun@samsung.com>
parent d7778f4e
......@@ -25,13 +25,11 @@ which is open source software, written and copyright by Olaf Bergmann
with a BSD and GPLv2 license. The original software is available from
http://sourceforge.net/projects/libcoap/
The DTLS protocol is provided by the tinyDTLS package,
which is open source software, written and copyright by Olaf Bergmann
with an MIT license. The tinyDTLS library relies on algorithms whose
source is under a BSD license. The additional licenses can be viewed at
http://tinydtls.sourceforge.net/
The TLS/DTLS protocol is provided by the mbedTLS package,
which is open source software, written and copyright by ARM
with an Apache 2.0 license.
The original software is available from
http://sourceforge.net/projects/tinydtls/
https://github.com/ARMmbed/mbedtls
This project relies on utilities in the Boost C++library which is open
source software with a Boost Software License v1.0. The details of the
......@@ -50,3 +48,8 @@ which is open source software, written and copyright by Dave Gamble
with an MIT license. The original software is available from
http://sourceforge.net/projects/cjson/
The Linked List macro(utlist.h) is provided by the uthash package,
which is open source software, written and copyright by Troy D. Hanson
with an BSD license.
The original software is available from
https://github.com/troydhanson/uthash
\ No newline at end of file
......@@ -221,7 +221,6 @@ env.AppendUnique(LIBPATH = [src_dir + '/resource/csdk/connectivity/lib/android']
env.AppendUnique(LIBS = ['log', 'coap'])
if env.get('SECURED') == '1':
env.AppendUnique(LIBS = ['tinydtls'])
env.SConscript('#extlibs/mbedtls/SConscript')
env.AppendUnique(LIBS = ['mbedtls','mbedx509','mbedcrypto'])
......
From c78aa91005b7b9542d595dc32d8c8fe020d2257d Mon Sep 17 00:00:00 2001
From: Sachin Agrawal <sachin.agrawal@intel.com>
Date: Wed, 21 Jan 2015 08:55:00 -0800
Subject: [PATCH 1/1] Added support in tinyDTLS to support rehandshake
As per RFC 6347 section 4.2.8, DTLS Server should support requests
from clients who have silently abandoned the existing association
and initiated a new handshake request by sending a ClientHello.
Code is updated to detect this scenario and delete the old
association when client successfully responds to HelloVerifyRequest.
Change-Id: I6e256921215c1a22e9e5013499c4dfd98659f8cc
Signed-off-by: Sachin Agrawal <sachin.agrawal@intel.com>
---
extlibs/tinydtls/dtls.c | 74 +++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 68 insertions(+), 6 deletions(-)
diff --git a/extlibs/tinydtls/dtls.c b/extlibs/tinydtls/dtls.c
index 779e701..111a65d 100644
--- a/extlibs/tinydtls/dtls.c
+++ b/extlibs/tinydtls/dtls.c
@@ -529,6 +529,37 @@ known_cipher(dtls_context_t *ctx, dtls_cipher_t code, int is_client) {
(ecdsa && is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(code));
}
+/**
+ * This method detects if we already have a established DTLS session with
+ * peer and the peer is attempting to perform a fresh handshake by sending
+ * messages with epoch = 0. This is to handle situations mentioned in
+ * RFC 6347 - section 4.2.8.
+ *
+ * @param msg The packet received from Client
+ * @param msglen Packet length
+ * @param peer peer who is the sender for this packet
+ * @return @c 1 if this is a rehandshake attempt by
+ * client
+ */
+static int
+hs_attempt_with_existing_peer(uint8_t *msg, size_t msglen,
+ dtls_peer_t *peer)
+{
+ if ((peer) && (peer->state == DTLS_STATE_CONNECTED)) {
+ if (msg[0] == DTLS_CT_HANDSHAKE) {
+ uint16_t msg_epoch = dtls_uint16_to_int(DTLS_RECORD_HEADER(msg)->epoch);
+ if (msg_epoch == 0) {
+ dtls_handshake_header_t * hs_header = DTLS_HANDSHAKE_HEADER(msg + DTLS_RH_LENGTH);
+ if (hs_header->msg_type == DTLS_HT_CLIENT_HELLO ||
+ hs_header->msg_type == DTLS_HT_HELLO_REQUEST) {
+ return 1;
+ }
+ }
+ }
+ }
+ return 0;
+}
+
/** Dump out the cipher keys and IVs used for the symetric cipher. */
static void dtls_debug_keyblock(dtls_security_parameters_t *config)
{
@@ -1540,6 +1571,7 @@ static int
dtls_verify_peer(dtls_context_t *ctx,
dtls_peer_t *peer,
session_t *session,
+ const dtls_state_t state,
uint8 *data, size_t data_length)
{
uint8 buf[DTLS_HV_LENGTH + DTLS_COOKIE_LENGTH];
@@ -1595,9 +1627,11 @@ dtls_verify_peer(dtls_context_t *ctx,
/* TODO use the same record sequence number as in the ClientHello,
see 4.2.1. Denial-of-Service Countermeasures */
- err = dtls_send_handshake_msg_hash(ctx, peer, session,
- DTLS_HT_HELLO_VERIFY_REQUEST,
- buf, p - buf, 0);
+ err = dtls_send_handshake_msg_hash(ctx,
+ state == DTLS_STATE_CONNECTED ? peer : NULL,
+ session,
+ DTLS_HT_HELLO_VERIFY_REQUEST,
+ buf, p - buf, 0);
if (err < 0) {
dtls_warn("cannot send HelloVerify request\n");
}
@@ -3209,7 +3243,7 @@ handle_handshake_msg(dtls_context_t *ctx, dtls_peer_t *peer, session_t *session,
case DTLS_HT_CLIENT_HELLO:
- if ((peer && state != DTLS_STATE_CONNECTED) ||
+ if ((peer && state != DTLS_STATE_CONNECTED && state != DTLS_STATE_WAIT_CLIENTHELLO) ||
(!peer && state != DTLS_STATE_WAIT_CLIENTHELLO)) {
return dtls_alert_fatal_create(DTLS_ALERT_UNEXPECTED_MESSAGE);
}
@@ -3223,7 +3257,7 @@ handle_handshake_msg(dtls_context_t *ctx, dtls_peer_t *peer, session_t *session,
Anything else will be rejected. Fragementation is not allowed
here as it would require peer state as well.
*/
- err = dtls_verify_peer(ctx, peer, session, data, data_length);
+ err = dtls_verify_peer(ctx, peer, session, state, data, data_length);
if (err < 0) {
dtls_warn("error in dtls_verify_peer err: %i\n", err);
return err;
@@ -3236,7 +3270,23 @@ handle_handshake_msg(dtls_context_t *ctx, dtls_peer_t *peer, session_t *session,
/* At this point, we have a good relationship with this peer. This
* state is left for re-negotiation of key material. */
+ /* As per RFC 6347 - section 4.2.8 if this is an attempt to
+ * rehandshake, we can delete the existing key material
+ * as the client has demonstrated reachibility by completing
+ * the cookie exchange */
+ if (peer && state == DTLS_STATE_WAIT_CLIENTHELLO) {
+ dtls_debug("removing the peer\n");
+#ifndef WITH_CONTIKI
+ HASH_DEL_PEER(ctx->peers, peer);
+#else /* WITH_CONTIKI */
+ list_remove(ctx->peers, peer);
+#endif /* WITH_CONTIKI */
+
+ dtls_free_peer(peer);
+ peer = NULL;
+ }
if (!peer) {
+ dtls_debug("creating new peer\n");
dtls_security_parameters_t *security;
/* msg contains a Client Hello with a valid cookie, so we can
@@ -3594,6 +3644,7 @@ dtls_handle_message(dtls_context_t *ctx,
int data_length; /* length of decrypted payload
(without MAC and padding) */
int err;
+ int bypass_epoch_check = 0;
/* check if we have DTLS state for addr/port/ifindex */
peer = dtls_get_peer(ctx, session);
@@ -3613,6 +3664,15 @@ dtls_handle_message(dtls_context_t *ctx,
if (peer) {
data_length = decrypt_verify(peer, msg, rlen, &data);
if (data_length < 0) {
+ if (hs_attempt_with_existing_peer(msg, rlen, peer)) {
+ data = msg + DTLS_RH_LENGTH;
+ data_length = rlen - DTLS_RH_LENGTH;
+ state = DTLS_STATE_WAIT_CLIENTHELLO;
+ role = DTLS_SERVER;
+ /* Bypass epoch check as the epoch for incoming msg is 0
+ and expected epoch MAY be different */
+ bypass_epoch_check = 1;
+ } else {
int err = dtls_alert_fatal_create(DTLS_ALERT_DECRYPT_ERROR);
dtls_info("decrypt_verify() failed\n");
if (peer->state < DTLS_STATE_CONNECTED) {
@@ -3623,8 +3683,10 @@ dtls_handle_message(dtls_context_t *ctx,
}
return err;
}
+ } else {
role = peer->role;
state = peer->state;
+ }
} else {
/* is_record() ensures that msg contains at least a record header */
data = msg + DTLS_RH_LENGTH;
@@ -3677,7 +3739,7 @@ dtls_handle_message(dtls_context_t *ctx,
/* Handshake messages other than Finish must use the current
* epoch, Finish has epoch + 1. */
- if (peer) {
+ if (peer && !bypass_epoch_check) {
uint16_t expected_epoch = dtls_security_params(peer)->epoch;
uint16_t msg_epoch =
dtls_uint16_to_int(DTLS_RECORD_HEADER(msg)->epoch);
--
1.7.9.5
From b44aa20e0ff2763468bf82ff4e996dec03e872bd Mon Sep 17 00:00:00 2001
From: Sachin Agrawal <sachin.agrawal@intel.com>
Date: Thu, 2 Apr 2015 15:21:40 -0700
Subject: [PATCH 1/1] Adding autoconf generated files in tinydtls repo
tinydtls build system uses autotools while Iotivity uses
scons build system. Since tinydtls contains few source files
and header files, it seems convenient for Iotivity to use
scons to build tinydtls library.
This patch is to add autoconf generated files so that tinydtls
can be build using scons script.
Note: Since this change is a custom change and specifically
for Iotivity, I do not intend to submit this patch for
upstreaming.
Change-Id: I4da593a8abccd731466a88d365dca536f608c94a
Signed-off-by: Sachin Agrawal <sachin.agrawal@intel.com>
---
extlibs/tinydtls/dtls_config.h | 171 ++++++++++++++++++++++++++++++++++++++++
extlibs/tinydtls/tinydtls.h | 45 +++++++++++
2 files changed, 216 insertions(+)
create mode 100644 extlibs/tinydtls/dtls_config.h
create mode 100644 extlibs/tinydtls/tinydtls.h
diff --git a/extlibs/tinydtls/dtls_config.h b/extlibs/tinydtls/dtls_config.h
new file mode 100644
index 0000000..39df8c9
--- /dev/null
+++ b/extlibs/tinydtls/dtls_config.h
@@ -0,0 +1,171 @@
+/* dtls_config.h. Generated from dtls_config.h.in by configure. */
+/* tinydtls -- a very basic DTLS implementation
+ *
+ * Copyright (C) 2011--2014 Olaf Bergmann <bergmann@tzi.org>
+ * Copyright (C) 2013 Hauke Mehrtens <hauke@hauke-m.de>
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use, copy,
+ * modify, merge, publish, distribute, sublicense, and/or sell copies
+ * of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+/**
+ * @file dtls_config.h
+ * @brief internal configuration for tinydtls library
+ *
+ * This file has been generated by configure from dtls_config.h.in.
+ */
+
+/* dummy definitions for PACKAGE_NAME and PACKAGE_VERSION */
+#define PACKAGE_NAME "tinydtls"
+#define PACKAGE_STRING "tinydtls 0.8.1"
+#define PACKAGE_VERSION "0.8.1"
+
+#ifdef CONTIKI
+#include "contiki.h"
+#include "contiki-lib.h"
+#include "contiki-net.h"
+
+#include "contiki-conf.h"
+
+/* global constants for constrained devices running Contiki */
+#ifndef DTLS_PEER_MAX
+/** The maximum number DTLS peers (i.e. sessions). */
+# define DTLS_PEER_MAX 1
+#endif
+
+#ifndef DTLS_HANDSHAKE_MAX
+/** The maximum number of concurrent DTLS handshakes. */
+# define DTLS_HANDSHAKE_MAX 1
+#endif
+
+#ifndef DTLS_SECURITY_MAX
+/** The maximum number of concurrently used cipher keys */
+# define DTLS_SECURITY_MAX (DTLS_PEER_MAX + DTLS_HANDSHAKE_MAX)
+#endif
+
+#ifndef DTLS_HASH_MAX
+/** The maximum number of hash functions that can be used in parallel. */
+# define DTLS_HASH_MAX (3 * DTLS_PEER_MAX)
+#endif
+#endif /* CONTIKI */
+
+/* Define to 1 if you have the <assert.h> header file. */
+#define HAVE_ASSERT_H 1
+
+/* Define to 1 if your system has a GNU libc compatible `malloc' function, and
+ to 0 otherwise. */
+#define HAVE_MALLOC 1
+
+/* Define to 1 if you have the <memory.h> header file. */
+#define HAVE_MEMORY_H 1
+
+/* Define to 1 if you have the `memset' function. */
+#define HAVE_MEMSET 1
+
+/* Define to 1 if you have the <stddef.h> header file. */
+#define HAVE_STDDEF_H 1
+
+/* Define to 1 if you have the <stdint.h> header file. */
+#define HAVE_STDINT_H 1
+
+/* Define to 1 if you have the <stdlib.h> header file. */
+#define HAVE_STDLIB_H 1
+
+/* Define to 1 if you have the `strdup' function. */
+#define HAVE_STRDUP 1
+
+/* Define to 1 if you have the `strerror' function. */
+#define HAVE_STRERROR 1
+
+/* Define to 1 if you have the <strings.h> header file. */
+#define HAVE_STRINGS_H 1
+
+/* Define to 1 if you have the <string.h> header file. */
+#define HAVE_STRING_H 1
+
+/* Define to 1 if you have the `strnlen' function. */
+#define HAVE_STRNLEN 1
+
+/* Define to 1 if you have the <time.h> header file. */
+#define HAVE_TIME_H 1
+
+/* Define to 1 if you have the `vprintf' function. */
+#define HAVE_VPRINTF 1
+
+/* Define to the address where bug reports for this package should be sent. */
+#define PACKAGE_BUGREPORT ""
+
+/* Define to the full name of this package. */
+#define PACKAGE_NAME "tinydtls"
+
+/* Define to the full name and version of this package. */
+#define PACKAGE_STRING "tinydtls 0.8.1"
+
+/* Define to the one symbol short name of this package. */
+#define PACKAGE_TARNAME "tinydtls"
+
+/* Define to the home page for this package. */
+#define PACKAGE_URL ""
+
+/* Define to the version of this package. */
+#define PACKAGE_VERSION "0.8.1"
+
+/* Define to 1 if you have the ANSI C header files. */
+#define STDC_HEADERS 1
+
+/* Define to `__inline__' or `__inline' if that's what the C compiler
+ calls it, or to nothing if 'inline' is not supported under any name. */
+#ifndef __cplusplus
+/* #undef inline */
+#endif
+
+/* Define to rpl_malloc if the replacement function should be used. */
+/* #undef malloc */
+/* Define to `unsigned int' if <sys/types.h> does not define. */
+
+/* #undef size_t */
+
+/************************************************************************/
+/* Specific Contiki platforms */
+/************************************************************************/
+
+#ifdef CONTIKI
+
+#if CONTIKI_TARGET_ECONOTAG
+# include "platform-specific/config-econotag.h"
+#endif /* CONTIKI_TARGET_ECONOTAG */
+
+#ifdef CONTIKI_TARGET_CC2538DK
+# include "platform-specific/config-cc2538dk.h"
+#endif /* CONTIKI_TARGET_CC2538DK */
+
+#ifdef CONTIKI_TARGET_WISMOTE
+# include "platform-specific/config-wismote.h"
+#endif /* CONTIKI_TARGET_WISMOTE */
+
+#ifdef CONTIKI_TARGET_SKY
+# include "platform-specific/config-sky.h"
+#endif /* CONTIKI_TARGET_SKY */
+
+#ifdef CONTIKI_TARGET_MINIMAL_NET
+# include "platform-specific/config-minimal-net.h"
+#endif /* CONTIKI_TARGET_MINIMAL_NET */
+
+#endif /* CONTIKI */
diff --git a/extlibs/tinydtls/tinydtls.h b/extlibs/tinydtls/tinydtls.h
new file mode 100644
index 0000000..3fa228a
--- /dev/null
+++ b/extlibs/tinydtls/tinydtls.h
@@ -0,0 +1,45 @@
+/* tinydtls.h. Generated from tinydtls.h.in by configure. */
+/* tinydtls -- a very basic DTLS implementation
+ *
+ * Copyright (C) 2011--2014 Olaf Bergmann <bergmann@tzi.org>
+ * Copyright (C) 2013 Hauke Mehrtens <hauke@hauke-m.de>
+ *
+ * Permission is hereby granted, free of charge, to any person
+ * obtaining a copy of this software and associated documentation
+ * files (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use, copy,
+ * modify, merge, publish, distribute, sublicense, and/or sell copies
+ * of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+/**
+ * @file tinydtls.h
+ * @brief public tinydtls API
+ */
+
+#ifndef _DTLS_TINYDTLS_H_
+#define _DTLS_TINYDTLS_H_
+
+/** Defined to 1 if tinydtls is built with support for ECC */
+/* #undef DTLS_ECC */
+
+/** Defined to 1 if tinydtls is built with support for PSK */
+#define DTLS_PSK 1
+
+/** Defined to 1 if tinydtls is built for Contiki OS */
+/* #undef WITH_CONTIKI */
+
+#endif /* _DTLS_TINYDTLS_H_ */
--
1.7.9.5
From e25d93dec6d2907430f3680ad5fbdfedc1ee94d8 Mon Sep 17 00:00:00 2001
From: Sachin Agrawal <sachin.agrawal@intel.com>
Date: Sun, 15 Feb 2015 22:16:43 -0800
Subject: [PATCH 1/1] Bug Fix in earlier rehandhsake implementation
Identified a corner case in earlier rehandshake implementation where if
no data transfer takes place between client and Server before re-handshake
is issued, re-handshake process was failing. DTLS state machine does not
update it's state at Server until the first data packet was received from
client. Updated logic to detect for 're-handshake' situation when epoch
mis-match happens. Also updated dtls-client test app to conveniently test
the feature. Use 'client:rehandshake' command for testing.
Change-Id: Idfaad7d477508603c35ad7948ca7c8f05e3228d0
Signed-off-by: Sachin Agrawal <sachin.agrawal@intel.com>
---
extlibs/tinydtls/dtls.c | 44 ++++++++++++++++++----------------
extlibs/tinydtls/tests/dtls-client.c | 27 +++++++++++++++++++++
2 files changed, 50 insertions(+), 21 deletions(-)
diff --git a/extlibs/tinydtls/dtls.c b/extlibs/tinydtls/dtls.c
index a87d7f1..a923386 100644
--- a/extlibs/tinydtls/dtls.c
+++ b/extlibs/tinydtls/dtls.c
@@ -1562,6 +1562,7 @@ static void dtls_destroy_peer(dtls_context_t *ctx, dtls_peer_t *peer, int unlink
* \param ctx The DTLS context.
* \param peer The remote party we are talking to, if any.
* \param session Transport address of the remote peer.
+ * \param state Current state of the connection.
* \param msg The received datagram.
* \param msglen Length of \p msg.
* \return \c 1 if msg is a Client Hello with a valid cookie, \c 0 or
@@ -3644,7 +3645,6 @@ dtls_handle_message(dtls_context_t *ctx,
int data_length; /* length of decrypted payload
(without MAC and padding) */
int err;
- int bypass_epoch_check = 0;
/* check if we have DTLS state for addr/port/ifindex */
peer = dtls_get_peer(ctx, session);
@@ -3668,24 +3668,21 @@ dtls_handle_message(dtls_context_t *ctx,
data = msg + DTLS_RH_LENGTH;
data_length = rlen - DTLS_RH_LENGTH;
state = DTLS_STATE_WAIT_CLIENTHELLO;
- role = DTLS_SERVER;
- /* Bypass epoch check as the epoch for incoming msg is 0
- and expected epoch MAY be different */
- bypass_epoch_check = 1;
+ role = DTLS_SERVER;
} else {
- int err = dtls_alert_fatal_create(DTLS_ALERT_DECRYPT_ERROR);
- dtls_info("decrypt_verify() failed\n");
- if (peer->state < DTLS_STATE_CONNECTED) {
- dtls_alert_send_from_err(ctx, peer, &peer->session, err);
- peer->state = DTLS_STATE_CLOSED;
- /* dtls_stop_retransmission(ctx, peer); */
- dtls_destroy_peer(ctx, peer, 1);
- }
- return err;
- }
- } else {
- role = peer->role;
- state = peer->state;
+ int err = dtls_alert_fatal_create(DTLS_ALERT_DECRYPT_ERROR);
+ dtls_info("decrypt_verify() failed\n");
+ if (peer->state < DTLS_STATE_CONNECTED) {
+ dtls_alert_send_from_err(ctx, peer, &peer->session, err);
+ peer->state = DTLS_STATE_CLOSED;
+ /* dtls_stop_retransmission(ctx, peer); */
+ dtls_destroy_peer(ctx, peer, 1);
+ }
+ return err;
+ }
+ } else {
+ role = peer->role;
+ state = peer->state;
}
} else {
/* is_record() ensures that msg contains at least a record header */
@@ -3739,7 +3736,7 @@ dtls_handle_message(dtls_context_t *ctx,
/* Handshake messages other than Finish must use the current
* epoch, Finish has epoch + 1. */
- if (peer && !bypass_epoch_check) {
+ if (peer) {
uint16_t expected_epoch = dtls_security_params(peer)->epoch;
uint16_t msg_epoch =
dtls_uint16_to_int(DTLS_RECORD_HEADER(msg)->epoch);