julek-wolfssl
diff --git a/‎src/internal.c‎
Lines changed: 68 additions & 11 deletions b/‎src/internal.c‎
Lines changed: 68 additions & 11 deletions
diff --git a/‎src/ssl.c‎
Lines changed: 1 addition & 1 deletion b/‎src/ssl.c‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎tests/api.c‎
Lines changed: 2 additions & 24 deletions b/‎tests/api.c‎
Lines changed: 2 additions & 24 deletions
@@ -17525,6 +17525,15 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
                 WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
                 return DUPLICATE_MSG_E;
             }
+            if (!ssl->msgsReceived.got_server_hello ||
+                    ssl->msgsReceived.got_change_cipher ||
+                    ssl->msgsReceived.got_finished ||
+                    (!ssl->options.resuming &&
+                            !ssl->msgsReceived.got_server_hello_done)) {
+                WOLFSSL_MSG("session_ticket received in wrong order");
+                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
+                return OUT_OF_ORDER_E;
+            }
             ssl->msgsReceived.got_session_ticket = 1;
 
             break;
@@ -17540,20 +17549,36 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
 
 #ifndef NO_WOLFSSL_CLIENT
             if (ssl->options.side == WOLFSSL_CLIENT_END) {
-                if ( ssl->msgsReceived.got_server_hello == 0) {
+                if (!ssl->msgsReceived.got_server_hello) {
                     WOLFSSL_MSG("No ServerHello before Cert");
                     WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                     return OUT_OF_ORDER_E;
                 }
+                if (ssl->msgsReceived.got_certificate_status ||
+                        ssl->msgsReceived.got_server_key_exchange ||
+                        ssl->msgsReceived.got_certificate_request ||
+                        ssl->msgsReceived.got_server_hello_done) {
+                    WOLFSSL_MSG("Cert received in wrong order");
+                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
+                    return OUT_OF_ORDER_E;
+                }
             }
 #endif
 #ifndef NO_WOLFSSL_SERVER
             if (ssl->options.side == WOLFSSL_SERVER_END) {
-                if ( ssl->msgsReceived.got_client_hello == 0) {
+                if (!ssl->msgsReceived.got_client_hello) {
                     WOLFSSL_MSG("No ClientHello before Cert");
                     WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                     return OUT_OF_ORDER_E;
                 }
+                if (ssl->msgsReceived.got_client_key_exchange ||
+                        ssl->msgsReceived.got_certificate_verify ||
+                        ssl->msgsReceived.got_change_cipher ||
+                        ssl->msgsReceived.got_finished) {
+                    WOLFSSL_MSG("Cert received in wrong order");
+                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
+                    return OUT_OF_ORDER_E;
+                }
             }
 #endif
             break;
@@ -17572,7 +17597,6 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
                 WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
                 return DUPLICATE_MSG_E;
             }
-            ssl->msgsReceived.got_certificate_status = 1;
 
             if (ssl->msgsReceived.got_certificate == 0) {
                 WOLFSSL_MSG("No Certificate before CertificateStatus");
@@ -17584,7 +17608,15 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
                 WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                 return OUT_OF_ORDER_E;
             }
+            if (ssl->msgsReceived.got_server_key_exchange ||
+                    ssl->msgsReceived.got_certificate_request ||
+                    ssl->msgsReceived.got_server_hello_done) {
+                WOLFSSL_MSG("CertificateStatus received in wrong order");
+                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
+                return OUT_OF_ORDER_E;
+            }
 
+            ssl->msgsReceived.got_certificate_status = 1;
             break;
 #endif
 
@@ -17602,14 +17634,19 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
                 WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
                 return DUPLICATE_MSG_E;
             }
-            ssl->msgsReceived.got_server_key_exchange = 1;
-
             if (ssl->msgsReceived.got_server_hello == 0) {
                 WOLFSSL_MSG("No ServerHello before ServerKeyExchange");
                 WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                 return OUT_OF_ORDER_E;
             }
+            if (ssl->msgsReceived.got_certificate_request ||
+                    ssl->msgsReceived.got_server_hello_done) {
+                WOLFSSL_MSG("ServerKeyExchange received in wrong order");
+                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
+                return OUT_OF_ORDER_E;
+            }
 
+            ssl->msgsReceived.got_server_key_exchange = 1;
             break;
 #endif
 
@@ -17627,6 +17664,16 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
                 WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
                 return DUPLICATE_MSG_E;
             }
+            if (ssl->msgsReceived.got_server_hello == 0) {
+                WOLFSSL_MSG("No ServerHello before CertificateRequest");
+                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
+                return OUT_OF_ORDER_E;
+            }
+            if (ssl->msgsReceived.got_server_hello_done) {
+                WOLFSSL_MSG("CertificateRequest received in wrong order");
+                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
+                return OUT_OF_ORDER_E;
+            }
             ssl->msgsReceived.got_certificate_request = 1;
 
             break;
@@ -17746,13 +17793,18 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
                 WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
                 return DUPLICATE_MSG_E;
             }
-            ssl->msgsReceived.got_certificate_verify = 1;
-
             if ( ssl->msgsReceived.got_certificate == 0) {
                 WOLFSSL_MSG("No Cert before CertVerify");
                 WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                 return OUT_OF_ORDER_E;
             }
+            if (ssl->msgsReceived.got_change_cipher ||
+                    ssl->msgsReceived.got_finished) {
+                WOLFSSL_MSG("CertVerify received in wrong order");
+                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
+                return OUT_OF_ORDER_E;
+            }
+            ssl->msgsReceived.got_certificate_verify = 1;
             break;
 #endif
 
@@ -17770,13 +17822,19 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
                 WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
                 return DUPLICATE_MSG_E;
             }
-            ssl->msgsReceived.got_client_key_exchange = 1;
-
             if (ssl->msgsReceived.got_client_hello == 0) {
                 WOLFSSL_MSG("No ClientHello before ClientKeyExchange");
                 WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
                 return OUT_OF_ORDER_E;
             }
+            if (ssl->msgsReceived.got_certificate_verify||
+                    ssl->msgsReceived.got_change_cipher ||
+                    ssl->msgsReceived.got_finished) {
+                WOLFSSL_MSG("ClientKeyExchange received in wrong order");
+                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
+                return OUT_OF_ORDER_E;
+            }
+            ssl->msgsReceived.got_client_key_exchange = 1;
             break;
 #endif
 
@@ -17795,13 +17853,12 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
                 }
             }
 #endif
-            ssl->msgsReceived.got_finished = 1;
-
             if (ssl->msgsReceived.got_change_cipher == 0) {
                 WOLFSSL_MSG("Finished received before ChangeCipher");
                 WOLFSSL_ERROR_VERBOSE(NO_CHANGE_CIPHER_E);
                 return NO_CHANGE_CIPHER_E;
             }
+            ssl->msgsReceived.got_finished = 1;
             break;
 
         case change_cipher_hs:
 
@@ -1850,7 +1850,7 @@ int wolfSSL_mutual_auth(WOLFSSL* ssl, int req)
 {
     if (ssl == NULL)
         return BAD_FUNC_ARG;
-    if (ssl->options.side == WOLFSSL_SERVER_END)
+    if (ssl->options.side == WOLFSSL_CLIENT_END)
         return SIDE_ERROR;
 
     ssl->options.mutualAuth = (word16)req;
 
@@ -51380,13 +51380,6 @@ TEST_CASE testCases[] = {
     /* Can't memory test as client/server hangs. */
     TEST_DECL(test_dtls_msg_from_other_peer),
     TEST_DECL(test_dtls_ipv6_check),
-    TEST_DECL(test_dtls_short_ciphertext),
-    TEST_DECL(test_dtls12_record_length_mismatch),
-    TEST_DECL(test_dtls12_short_read),
-    TEST_DECL(test_dtls13_longer_length),
-    TEST_DECL(test_dtls13_short_read),
-    TEST_DECL(test_records_span_network_boundaries),
-    TEST_DECL(test_dtls_record_cross_boundaries),
     TEST_DECL(test_wolfSSL_SCR_after_resumption),
     TEST_DECL(test_dtls_no_extensions),
     TEST_DECL(test_tls_alert_no_server_hello),
@@ -51406,12 +51399,10 @@ TEST_CASE testCases[] = {
     TEST_DECL(test_dtls13_frag_ch_pq),
     TEST_DECL(test_dtls_empty_keyshare_with_cookie),
     TEST_DECL(test_dtls_old_seq_number),
-    TEST_DECL(test_dtls12_basic_connection_id),
-    TEST_DECL(test_dtls13_basic_connection_id),
     TEST_DECL(test_dtls12_missing_finished),
     TEST_DECL(test_dtls13_missing_finished_client),
     TEST_DECL(test_dtls13_missing_finished_server),
-    TEST_DECL(test_wolfSSL_dtls_set_pending_peer),
+    TEST_DTLS_DECLS,
     TEST_DECL(test_tls_multi_handshakes_one_record),
     TEST_DECL(test_write_dup),
     TEST_DECL(test_read_write_hs),
@@ -51422,25 +51413,12 @@ TEST_CASE testCases[] = {
     TEST_DECL(test_wolfSSL_SendUserCanceled),
     TEST_DECL(test_wolfSSL_SSLDisableRead),
     TEST_DECL(test_wolfSSL_inject),
-    TEST_DECL(test_wolfSSL_dtls_cid_parse),
-    TEST_DECL(test_dtls13_epochs),
-    TEST_DECL(test_dtls_rtx_across_epoch_change),
-    TEST_DECL(test_dtls_drop_client_ack),
-    TEST_DECL(test_dtls_bogus_finished_epoch_zero),
-    TEST_DECL(test_dtls_replay),
-    TEST_DECL(test_dtls_srtp),
-    TEST_DECL(test_dtls_timeout),
-    TEST_DECL(test_dtls13_ack_order),
-    TEST_DECL(test_dtls_version_checking),
     TEST_DECL(test_ocsp_status_callback),
     TEST_DECL(test_ocsp_basic_verify),
     TEST_DECL(test_ocsp_response_parsing),
     TEST_DECL(test_ocsp_certid_enc_dec),
     TEST_DECL(test_ocsp_tls_cert_cb),
-    TEST_DECL(test_tls12_unexpected_ccs),
-    TEST_DECL(test_tls13_unexpected_ccs),
-    TEST_DECL(test_tls12_curve_intersection),
-    TEST_DECL(test_tls13_curve_intersection),
+    TEST_TLS_DECLS,
     TEST_DECL(test_wc_DhSetNamedKey),
     /* This test needs to stay at the end to clean up any caches allocated. */
     TEST_DECL(test_wolfSSL_Cleanup)
Original file line number	Diff line number	Diff line change
`@@ -1850,7 +1850,7 @@ int wolfSSL_mutual_auth(WOLFSSL* ssl, int req)`
`1850`	`1850`	`{`
`1851`	`1851`	`if (ssl == NULL)`
`1852`	`1852`	`return BAD_FUNC_ARG;`
`1853`		`- if (ssl->options.side == WOLFSSL_SERVER_END)`
	`1853`	`+ if (ssl->options.side == WOLFSSL_CLIENT_END)`
`1854`	`1854`	`return SIDE_ERROR;`
`1855`	`1855`
`1856`	`1856`	`ssl->options.mutualAuth = (word16)req;`