julek-wolfssl
diff --git a/‎src/internal.c‎
Lines changed: 68 additions & 11 deletions b/‎src/internal.c‎
Lines changed: 68 additions & 11 deletions
diff --git a/‎tests/api.c‎
Lines changed: 1 addition & 19 deletions b/‎tests/api.c‎
Lines changed: 1 addition & 19 deletions
@@ -17470,6 +17470,15 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
                 WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
                 return DUPLICATE_MSG_E;
             }
+            if (!ssl->msgsReceived.got_server_hello ||
+                    ssl->msgsReceived.got_change_cipher ||
+                    ssl->msgsReceived.got_finished ||
+                    (!ssl->options.resuming &&
+                            !ssl->msgsReceived.got_server_hello_done)) {
+                WOLFSSL_MSG("session_ticket received in wrong order");
+                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
+                return OUT_OF_ORDER_E;
+            }
             ssl->msgsReceived.got_session_ticket = 1;
 
             break;
@@ -17485,20 +17494,36 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
 
 #ifndef NO_WOLFSSL_CLIENT
             if (ssl->options.side == WOLFSSL_CLIENT_END) {
-                if ( ssl->msgsReceived.got_server_hello == 0) {
+                if (!ssl->msgsReceived.got_server_hello) {
                     WOLFSSL_MSG("No ServerHello before Cert");
                     WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                     return OUT_OF_ORDER_E;
                 }
+                if (ssl->msgsReceived.got_certificate_status ||
+                        ssl->msgsReceived.got_server_key_exchange ||
+                        ssl->msgsReceived.got_certificate_request ||
+                        ssl->msgsReceived.got_server_hello_done) {
+                    WOLFSSL_MSG("Cert received in wrong order");
+                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
+                    return OUT_OF_ORDER_E;
+                }
             }
 #endif
 #ifndef NO_WOLFSSL_SERVER
             if (ssl->options.side == WOLFSSL_SERVER_END) {
-                if ( ssl->msgsReceived.got_client_hello == 0) {
+                if (!ssl->msgsReceived.got_client_hello) {
                     WOLFSSL_MSG("No ClientHello before Cert");
                     WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                     return OUT_OF_ORDER_E;
                 }
+                if (ssl->msgsReceived.got_client_key_exchange ||
+                        ssl->msgsReceived.got_certificate_verify ||
+                        ssl->msgsReceived.got_change_cipher ||
+                        ssl->msgsReceived.got_finished) {
+                    WOLFSSL_MSG("Cert received in wrong order");
+                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
+                    return OUT_OF_ORDER_E;
+                }
             }
 #endif
             break;
@@ -17517,7 +17542,6 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
                 WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
                 return DUPLICATE_MSG_E;
             }
-            ssl->msgsReceived.got_certificate_status = 1;
 
             if (ssl->msgsReceived.got_certificate == 0) {
                 WOLFSSL_MSG("No Certificate before CertificateStatus");
@@ -17529,7 +17553,15 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
                 WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                 return OUT_OF_ORDER_E;
             }
+            if (ssl->msgsReceived.got_server_key_exchange ||
+                    ssl->msgsReceived.got_certificate_request ||
+                    ssl->msgsReceived.got_server_hello_done) {
+                WOLFSSL_MSG("CertificateStatus received in wrong order");
+                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
+                return OUT_OF_ORDER_E;
+            }
 
+            ssl->msgsReceived.got_certificate_status = 1;
             break;
 #endif
 
@@ -17547,14 +17579,19 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
                 WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
                 return DUPLICATE_MSG_E;
             }
-            ssl->msgsReceived.got_server_key_exchange = 1;
-
             if (ssl->msgsReceived.got_server_hello == 0) {
                 WOLFSSL_MSG("No ServerHello before ServerKeyExchange");
                 WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                 return OUT_OF_ORDER_E;
             }
+            if (ssl->msgsReceived.got_certificate_request ||
+                    ssl->msgsReceived.got_server_hello_done) {
+                WOLFSSL_MSG("ServerKeyExchange received in wrong order");
+                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
+                return OUT_OF_ORDER_E;
+            }
 
+            ssl->msgsReceived.got_server_key_exchange = 1;
             break;
 #endif
 
@@ -17572,6 +17609,16 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
                 WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
                 return DUPLICATE_MSG_E;
             }
+            if (ssl->msgsReceived.got_server_hello == 0) {
+                WOLFSSL_MSG("No ServerHello before CertificateRequest");
+                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
+                return OUT_OF_ORDER_E;
+            }
+            if (ssl->msgsReceived.got_server_hello_done) {
+                WOLFSSL_MSG("CertificateRequest received in wrong order");
+                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
+                return OUT_OF_ORDER_E;
+            }
             ssl->msgsReceived.got_certificate_request = 1;
 
             break;
@@ -17691,13 +17738,18 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
                 WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
                 return DUPLICATE_MSG_E;
             }
-            ssl->msgsReceived.got_certificate_verify = 1;
-
             if ( ssl->msgsReceived.got_certificate == 0) {
                 WOLFSSL_MSG("No Cert before CertVerify");
                 WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                 return OUT_OF_ORDER_E;
             }
+            if (ssl->msgsReceived.got_change_cipher ||
+                    ssl->msgsReceived.got_finished) {
+                WOLFSSL_MSG("CertVerify received in wrong order");
+                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
+                return OUT_OF_ORDER_E;
+            }
+            ssl->msgsReceived.got_certificate_verify = 1;
             break;
 #endif
 
@@ -17715,13 +17767,19 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
                 WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
                 return DUPLICATE_MSG_E;
             }
-            ssl->msgsReceived.got_client_key_exchange = 1;
-
             if (ssl->msgsReceived.got_client_hello == 0) {
                 WOLFSSL_MSG("No ClientHello before ClientKeyExchange");
                 WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                 return OUT_OF_ORDER_E;
             }
+            if (ssl->msgsReceived.got_certificate_verify||
+                    ssl->msgsReceived.got_change_cipher ||
+                    ssl->msgsReceived.got_finished) {
+                WOLFSSL_MSG("ClientKeyExchange received in wrong order");
+                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
+                return OUT_OF_ORDER_E;
+            }
+            ssl->msgsReceived.got_client_key_exchange = 1;
             break;
 #endif
 
@@ -17740,13 +17798,12 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
                 }
             }
 #endif
-            ssl->msgsReceived.got_finished = 1;
-
             if (ssl->msgsReceived.got_change_cipher == 0) {
                 WOLFSSL_MSG("Finished received before ChangeCipher");
                 WOLFSSL_ERROR_VERBOSE(NO_CHANGE_CIPHER_E);
                 return NO_CHANGE_CIPHER_E;
             }
+            ssl->msgsReceived.got_finished = 1;
             break;
 
         case change_cipher_hs:
 
@@ -51323,13 +51323,6 @@ TEST_DECL(test_wc_RsaPSS_DigitalSignVerify),
     /* Can't memory test as client/server hangs. */
     TEST_DECL(test_dtls_msg_from_other_peer),
     TEST_DECL(test_dtls_ipv6_check),
-    TEST_DECL(test_dtls_short_ciphertext),
-    TEST_DECL(test_dtls12_record_length_mismatch),
-    TEST_DECL(test_dtls12_short_read),
-    TEST_DECL(test_dtls13_longer_length),
-    TEST_DECL(test_dtls13_short_read),
-    TEST_DECL(test_records_span_network_boundaries),
-    TEST_DECL(test_dtls_record_cross_boundaries),
     TEST_DECL(test_wolfSSL_SCR_after_resumption),
     TEST_DECL(test_dtls_no_extensions),
     TEST_DECL(test_tls_alert_no_server_hello),
@@ -51349,12 +51342,10 @@ TEST_DECL(test_wc_RsaPSS_DigitalSignVerify),
     TEST_DECL(test_dtls13_frag_ch_pq),
     TEST_DECL(test_dtls_empty_keyshare_with_cookie),
     TEST_DECL(test_dtls_old_seq_number),
-    TEST_DECL(test_dtls12_basic_connection_id),
-    TEST_DECL(test_dtls13_basic_connection_id),
     TEST_DECL(test_dtls12_missing_finished),
     TEST_DECL(test_dtls13_missing_finished_client),
     TEST_DECL(test_dtls13_missing_finished_server),
-    TEST_DECL(test_wolfSSL_dtls_set_pending_peer),
+    TEST_DTLS_DECLS,
     TEST_DECL(test_tls_multi_handshakes_one_record),
     TEST_DECL(test_write_dup),
     TEST_DECL(test_read_write_hs),
@@ -51365,15 +51356,6 @@ TEST_DECL(test_wc_RsaPSS_DigitalSignVerify),
     TEST_DECL(test_wolfSSL_SendUserCanceled),
     TEST_DECL(test_wolfSSL_SSLDisableRead),
     TEST_DECL(test_wolfSSL_inject),
-    TEST_DECL(test_wolfSSL_dtls_cid_parse),
-    TEST_DECL(test_dtls13_epochs),
-    TEST_DECL(test_dtls_rtx_across_epoch_change),
-    TEST_DECL(test_dtls_drop_client_ack),
-    TEST_DECL(test_dtls_bogus_finished_epoch_zero),
-    TEST_DECL(test_dtls_replay),
-    TEST_DECL(test_dtls_srtp),
-    TEST_DECL(test_dtls13_ack_order),
-    TEST_DECL(test_dtls_version_checking),
     TEST_DECL(test_ocsp_status_callback),
     TEST_DECL(test_ocsp_basic_verify),
     TEST_DECL(test_ocsp_response_parsing),