projects / tinc / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Prevent oracle attacks in the legacy protocol (CVE-2018-16737, CVE-2018-16738)
[tinc] / src / sptps.c
diff --git a/src/sptps.c b/src/sptps.c
index 4a9683f..82e913e 100644 (file)
--- a/src/sptps.c
+++ b/src/sptps.c
@@ -1,6 +1,6 @@
 /*
     sptps.c -- Simple Peer-to-Peer Security
-    Copyright (C) 2011-2014 Guus Sliepen <guus@tinc-vpn.org>,
+    Copyright (C) 2011-2015 Guus Sliepen <guus@tinc-vpn.org>,
                   2010      Brandon L. Black <blblack@gmail.com>
 
     This program is free software; you can redistribute it and/or modify
@@ -103,8 +103,9 @@ static bool send_record_priv_datagram(sptps_t *s, uint8_t type, const void *data
 }
 // Send a record (private version, accepts all record types, handles encryption and authentication).
 static bool send_record_priv(sptps_t *s, uint8_t type, const void *data, uint16_t len) {
-       if(s->datagram)
+       if(s->datagram) {
                return send_record_priv_datagram(s, type, data, len);
+       }
 
        char buffer[len + 19UL];
 
@@ -130,11 +131,13 @@ static bool send_record_priv(sptps_t *s, uint8_t type, const void *data, uint16_
 bool sptps_send_record(sptps_t *s, uint8_t type, const void *data, uint16_t len) {
        // Sanity checks: application cannot send data before handshake is finished,
        // and only record types 0..127 are allowed.
-       if(!s->outstate)
+       if(!s->outstate) {
                return error(s, EINVAL, "Handshake phase not finished yet");
+       }
 
-       if(type >= SPTPS_HANDSHAKE)
+       if(type >= SPTPS_HANDSHAKE) {
                return error(s, EINVAL, "Invalid application record type");
+       }
 
        return send_record_priv(s, type, data, len);
 }
@@ -144,11 +147,15 @@ static bool send_kex(sptps_t *s) {
        size_t keylen = ECDH_SIZE;
 
        // Make room for our KEX message, which we will keep around since send_sig() needs it.
-       if(s->mykex)
+       if(s->mykex) {
                return false;
+       }
+
        s->mykex = realloc(s->mykex, 1 + 32 + keylen);
-       if(!s->mykex)
+
+       if(!s->mykex) {
                return error(s, errno, strerror(errno));
+       }
 
        // Set version byte to zero.
        s->mykex[0] = SPTPS_VERSION;
@@ -157,8 +164,9 @@ static bool send_kex(sptps_t *s) {
        randomize(s->mykex + 1, 32);
 
        // Create a new ECDH public key.
-       if(!(s->ecdh = ecdh_generate_public(s->mykex + 1 + 32)))
+       if(!(s->ecdh = ecdh_generate_public(s->mykex + 1 + 32))) {
                return error(s, EINVAL, "Failed to generate ECDH public key");
+       }
 
        return send_record_priv(s, SPTPS_HANDSHAKE, s->mykex, 1 + 32 + keylen);
 }
@@ -178,11 +186,12 @@ static bool send_sig(sptps_t *s) {
        memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen);
 
        // Sign the result.
-       if(!ecdsa_sign(s->mykey, msg, sizeof msg, sig))
+       if(!ecdsa_sign(s->mykey, msg, sizeof(msg), sig)) {
                return error(s, EINVAL, "Failed to sign SIG record");
+       }
 
        // Send the SIG exchange record.
-       return send_record_priv(s, SPTPS_HANDSHAKE, sig, sizeof sig);
+       return send_record_priv(s, SPTPS_HANDSHAKE, sig, sizeof(sig));
 }
 
 // Generate key material from the shared secret created from the ECDHE key exchange.
@@ -191,20 +200,25 @@ static bool generate_key_material(sptps_t *s, const char *shared, size_t len) {
        if(!s->outstate) {
                s->incipher = chacha_poly1305_init();
                s->outcipher = chacha_poly1305_init();
-               if(!s->incipher || !s->outcipher)
+
+               if(!s->incipher || !s->outcipher) {
                        return error(s, EINVAL, "Failed to open cipher");
+               }
        }
 
        // Allocate memory for key material
        size_t keylen = 2 * CHACHA_POLY1305_KEYLEN;
 
        s->key = realloc(s->key, keylen);
-       if(!s->key)
+
+       if(!s->key) {
                return error(s, errno, strerror(errno));
+       }
 
        // Create the HMAC seed, which is "key expansion" + session label + server nonce + client nonce
        char seed[s->labellen + 64 + 13];
-       strcpy(seed, "key expansion");
+       memcpy(seed, "key expansion", 13);
+
        if(s->initiator) {
                memcpy(seed + 13, s->mykex + 1, 32);
                memcpy(seed + 45, s->hiskex + 1, 32);
@@ -212,11 +226,13 @@ static bool generate_key_material(sptps_t *s, const char *shared, size_t len) {
                memcpy(seed + 13, s->hiskex + 1, 32);
                memcpy(seed + 45, s->mykex + 1, 32);
        }
+
        memcpy(seed + 77, s->label, s->labellen);
 
        // Use PRF to generate the key material
-       if(!prf(shared, len, seed, s->labellen + 64 + 13, s->key, keylen))
+       if(!prf(shared, len, seed, s->labellen + 64 + 13, s->key, keylen)) {
                return error(s, EINVAL, "Failed to generate key material");
+       }
 
        return true;
 }
@@ -228,15 +244,18 @@ static bool send_ack(sptps_t *s) {
 
 // Receive an ACKnowledgement record.
 static bool receive_ack(sptps_t *s, const char *data, uint16_t len) {
-       if(len)
+       if(len) {
                return error(s, EIO, "Invalid ACK record length");
+       }
 
        if(s->initiator) {
-               if(!chacha_poly1305_set_key(s->incipher, s->key))
+               if(!chacha_poly1305_set_key(s->incipher, s->key)) {
                        return error(s, EINVAL, "Failed to set counter");
+               }
        } else {
-               if(!chacha_poly1305_set_key(s->incipher, s->key + CHACHA_POLY1305_KEYLEN))
+               if(!chacha_poly1305_set_key(s->incipher, s->key + CHACHA_POLY1305_KEYLEN)) {
                        return error(s, EINVAL, "Failed to set counter");
+               }
        }
 
        free(s->key);
@@ -249,21 +268,30 @@ static bool receive_ack(sptps_t *s, const char *data, uint16_t len) {
 // Receive a Key EXchange record, respond by sending a SIG record.
 static bool receive_kex(sptps_t *s, const char *data, uint16_t len) {
        // Verify length of the HELLO record
-       if(len != 1 + 32 + ECDH_SIZE)
+       if(len != 1 + 32 + ECDH_SIZE) {
                return error(s, EIO, "Invalid KEX record length");
+       }
 
        // Ignore version number for now.
 
        // Make a copy of the KEX message, send_sig() and receive_sig() need it
-       if(s->hiskex)
+       if(s->hiskex) {
                return error(s, EINVAL, "Received a second KEX message before first has been processed");
+       }
+
        s->hiskex = realloc(s->hiskex, len);
-       if(!s->hiskex)
+
+       if(!s->hiskex) {
                return error(s, errno, strerror(errno));
+       }
 
        memcpy(s->hiskex, data, len);
 
-       return send_sig(s);
+       if(s->initiator) {
+               return send_sig(s);
+       } else {
+               return true;
+       }
 }
 
 // Receive a SIGnature record, verify it, if it passed, compute the shared secret and calculate the session keys.
@@ -272,8 +300,9 @@ static bool receive_sig(sptps_t *s, const char *data, uint16_t len) {
        size_t siglen = ecdsa_size(s->hiskey);
 
        // Verify length of KEX record.
-       if(len != siglen)
+       if(len != siglen) {
                return error(s, EIO, "Invalid KEX record length");
+       }
 
        // Concatenate both KEX messages, plus tag indicating if it is from the connection originator
        char msg[(1 + 32 + keylen) * 2 + 1 + s->labellen];
@@ -284,18 +313,27 @@ static bool receive_sig(sptps_t *s, const char *data, uint16_t len) {
        memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen);
 
        // Verify signature.
-       if(!ecdsa_verify(s->hiskey, msg, sizeof msg, data))
+       if(!ecdsa_verify(s->hiskey, msg, sizeof(msg), data)) {
                return error(s, EIO, "Failed to verify SIG record");
+       }
 
        // Compute shared secret.
        char shared[ECDH_SHARED_SIZE];
-       if(!ecdh_compute_shared(s->ecdh, s->hiskex + 1 + 32, shared))
+
+       if(!ecdh_compute_shared(s->ecdh, s->hiskex + 1 + 32, shared)) {
                return error(s, EINVAL, "Failed to compute ECDH shared secret");
+       }
+
        s->ecdh = NULL;
 
        // Generate key material from shared secret.
-       if(!generate_key_material(s, shared, sizeof shared))
+       if(!generate_key_material(s, shared, sizeof(shared))) {
+               return false;
+       }
+
+       if(!s->initiator && !send_sig(s)) {
                return false;
+       }
 
        free(s->mykex);
        free(s->hiskex);
@@ -304,16 +342,19 @@ static bool receive_sig(sptps_t *s, const char *data, uint16_t len) {
        s->hiskex = NULL;
 
        // Send cipher change record
-       if(s->outstate && !send_ack(s))
+       if(s->outstate && !send_ack(s)) {
                return false;
+       }
 
        // TODO: only set new keys after ACK has been set/received
        if(s->initiator) {
-               if(!chacha_poly1305_set_key(s->outcipher, s->key + CHACHA_POLY1305_KEYLEN))
+               if(!chacha_poly1305_set_key(s->outcipher, s->key + CHACHA_POLY1305_KEYLEN)) {
                        return error(s, EINVAL, "Failed to set key");
+               }
        } else {
-               if(!chacha_poly1305_set_key(s->outcipher, s->key))
+               if(!chacha_poly1305_set_key(s->outcipher, s->key)) {
                        return error(s, EINVAL, "Failed to set key");
+               }
        }
 
        return true;
@@ -321,8 +362,9 @@ static bool receive_sig(sptps_t *s, const char *data, uint16_t len) {
 
 // Force another Key EXchange (for testing purposes).
 bool sptps_force_kex(sptps_t *s) {
-       if(!s->outstate || s->state != SPTPS_SECONDARY_KEX)
+       if(!s->outstate || s->state != SPTPS_SECONDARY_KEX) {
                return error(s, EINVAL, "Cannot force KEX in current state");
+       }
 
        s->state = SPTPS_KEX;
        return send_kex(s);
@@ -332,41 +374,59 @@ bool sptps_force_kex(sptps_t *s) {
 static bool receive_handshake(sptps_t *s, const char *data, uint16_t len) {
        // Only a few states to deal with handshaking.
        switch(s->state) {
-               case SPTPS_SECONDARY_KEX:
-                       // We receive a secondary KEX request, first respond by sending our own.
-                       if(!send_kex(s))
-                               return false;
-               case SPTPS_KEX:
-                       // We have sent our KEX request, we expect our peer to sent one as well.
-                       if(!receive_kex(s, data, len))
-                               return false;
-                       s->state = SPTPS_SIG;
-                       return true;
-               case SPTPS_SIG:
-                       // If we already sent our secondary public ECDH key, we expect the peer to send his.
-                       if(!receive_sig(s, data, len))
+       case SPTPS_SECONDARY_KEX:
+
+               // We receive a secondary KEX request, first respond by sending our own.
+               if(!send_kex(s)) {
+                       return false;
+               }
+
+       case SPTPS_KEX:
+
+               // We have sent our KEX request, we expect our peer to sent one as well.
+               if(!receive_kex(s, data, len)) {
+                       return false;
+               }
+
+               s->state = SPTPS_SIG;
+               return true;
+
+       case SPTPS_SIG:
+
+               // If we already sent our secondary public ECDH key, we expect the peer to send his.
+               if(!receive_sig(s, data, len)) {
+                       return false;
+               }
+
+               if(s->outstate) {
+                       s->state = SPTPS_ACK;
+               } else {
+                       s->outstate = true;
+
+                       if(!receive_ack(s, NULL, 0)) {
                                return false;
-                       if(s->outstate)
-                               s->state = SPTPS_ACK;
-                       else {
-                               s->outstate = true;
-                               if(!receive_ack(s, NULL, 0))
-                                       return false;
-                               s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
-                               s->state = SPTPS_SECONDARY_KEX;
                        }
 
-                       return true;
-               case SPTPS_ACK:
-                       // We expect a handshake message to indicate transition to the new keys.
-                       if(!receive_ack(s, data, len))
-                               return false;
                        s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
                        s->state = SPTPS_SECONDARY_KEX;
-                       return true;
-               // TODO: split ACK into a VERify and ACK?
-               default:
-                       return error(s, EIO, "Invalid session state %d", s->state);
+               }
+
+               return true;
+
+       case SPTPS_ACK:
+
+               // We expect a handshake message to indicate transition to the new keys.
+               if(!receive_ack(s, data, len)) {
+                       return false;
+               }
+
+               s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
+               s->state = SPTPS_SECONDARY_KEX;
+               return true;
+
+       // TODO: split ACK into a VERify and ACK?
+       default:
+               return error(s, EIO, "Invalid session state %d", s->state);
        }
 }
 
@@ -381,43 +441,54 @@ static bool sptps_check_seqno(sptps_t *s, uint32_t seqno, bool update_state) {
                        if(seqno >= s->inseqno + s->replaywin * 8) {
                                // Prevent packets that jump far ahead of the queue from causing many others to be dropped.
                                bool farfuture = s->farfuture < s->replaywin >> 2;
-                               if (update_state)
+
+                               if(update_state) {
                                        s->farfuture++;
-                               if(farfuture)
-                                       return error(s, EIO, "Packet is %d seqs in the future, dropped (%u)\n", seqno - s->inseqno, s->farfuture);
+                               }
+
+                               if(farfuture) {
+                                       return update_state ? error(s, EIO, "Packet is %d seqs in the future, dropped (%u)\n", seqno - s->inseqno, s->farfuture) : false;
+                               }
 
                                // Unless we have seen lots of them, in which case we consider the others lost.
-                               warning(s, "Lost %d packets\n", seqno - s->inseqno);
-                               if (update_state) {
+                               if(update_state) {
+                                       warning(s, "Lost %d packets\n", seqno - s->inseqno);
+                               }
+
+                               if(update_state) {
                                        // Mark all packets in the replay window as being late.
                                        memset(s->late, 255, s->replaywin);
                                }
-                       } else if (seqno < s->inseqno) {
+                       } else if(seqno < s->inseqno) {
                                // If the sequence number is farther in the past than the bitmap goes, or if the packet was already received, drop it.
-                               if((s->inseqno >= s->replaywin * 8 && seqno < s->inseqno - s->replaywin * 8) || !(s->late[(seqno / 8) % s->replaywin] & (1 << seqno % 8)))
-                                       return error(s, EIO, "Received late or replayed packet, seqno %d, last received %d\n", seqno, s->inseqno);
-                       } else if (update_state) {
+                               if((s->inseqno >= s->replaywin * 8 && seqno < s->inseqno - s->replaywin * 8) || !(s->late[(seqno / 8) % s->replaywin] & (1 << seqno % 8))) {
+                                       return update_state ? error(s, EIO, "Received late or replayed packet, seqno %d, last received %d\n", seqno, s->inseqno) : false;
+                               }
+                       } else if(update_state) {
                                // We missed some packets. Mark them in the bitmap as being late.
-                               for(int i = s->inseqno; i < seqno; i++)
+                               for(int i = s->inseqno; i < seqno; i++) {
                                        s->late[(i / 8) % s->replaywin] |= 1 << i % 8;
+                               }
                        }
                }
 
-               if (update_state) {
+               if(update_state) {
                        // Mark the current packet as not being late.
                        s->late[(seqno / 8) % s->replaywin] &= ~(1 << seqno % 8);
                        s->farfuture = 0;
                }
        }
 
-       if (update_state) {
-               if(seqno >= s->inseqno)
+       if(update_state) {
+               if(seqno >= s->inseqno) {
                        s->inseqno = seqno + 1;
+               }
 
-               if(!s->inseqno)
+               if(!s->inseqno) {
                        s->received = 0;
-               else
+               } else {
                        s->received++;
+               }
        }
 
        return true;
@@ -425,14 +496,17 @@ static bool sptps_check_seqno(sptps_t *s, uint32_t seqno, bool update_state) {
 
 // Check datagram for valid HMAC
 bool sptps_verify_datagram(sptps_t *s, const void *data, size_t len) {
-       if(!s->instate || len < 21)
+       if(!s->instate || len < 21) {
                return error(s, EIO, "Received short packet");
+       }
 
        uint32_t seqno;
        memcpy(&seqno, data, 4);
        seqno = ntohl(seqno);
-       if (!sptps_check_seqno(s, seqno, false))
+
+       if(!sptps_check_seqno(s, seqno, false)) {
                return false;
+       }
 
        char buffer[len];
        size_t outlen;
@@ -441,52 +515,67 @@ bool sptps_verify_datagram(sptps_t *s, const void *data, size_t len) {
 
 // Receive incoming data, datagram version.
 static bool sptps_receive_data_datagram(sptps_t *s, const char *data, size_t len) {
-       if(len < (s->instate ? 21 : 5))
+       if(len < (s->instate ? 21 : 5)) {
                return error(s, EIO, "Received short packet");
+       }
 
        uint32_t seqno;
        memcpy(&seqno, data, 4);
        seqno = ntohl(seqno);
+       data += 4;
+       len -= 4;
 
        if(!s->instate) {
-               if(seqno != s->inseqno)
+               if(seqno != s->inseqno) {
                        return error(s, EIO, "Invalid packet seqno: %d != %d", seqno, s->inseqno);
+               }
 
                s->inseqno = seqno + 1;
 
-               uint8_t type = data[4];
+               uint8_t type = *(data++);
+               len--;
 
-               if(type != SPTPS_HANDSHAKE)
+               if(type != SPTPS_HANDSHAKE) {
                        return error(s, EIO, "Application record received before handshake finished");
+               }
 
-               return receive_handshake(s, data + 5, len - 5);
+               return receive_handshake(s, data, len);
        }
 
        // Decrypt
 
        char buffer[len];
-
        size_t outlen;
 
-       if(!chacha_poly1305_decrypt(s->incipher, seqno, data + 4, len - 4, buffer, &outlen))
+       if(!chacha_poly1305_decrypt(s->incipher, seqno, data, len, buffer, &outlen)) {
                return error(s, EIO, "Failed to decrypt and verify packet");
+       }
 
-       if(!sptps_check_seqno(s, seqno, true))
+       if(!sptps_check_seqno(s, seqno, true)) {
                return false;
+       }
 
        // Append a NULL byte for safety.
-       buffer[len - 20] = 0;
+       buffer[outlen] = 0;
 
-       uint8_t type = buffer[0];
+       data = buffer;
+       len = outlen;
+
+       uint8_t type = *(data++);
+       len--;
 
        if(type < SPTPS_HANDSHAKE) {
-               if(!s->instate)
+               if(!s->instate) {
                        return error(s, EIO, "Application record received before handshake finished");
-               if(!s->receive_record(s->handle, type, buffer + 1, len - 21))
+               }
+
+               if(!s->receive_record(s->handle, type, data, len)) {
                        return false;
+               }
        } else if(type == SPTPS_HANDSHAKE) {
-               if(!receive_handshake(s, buffer + 1, len - 21))
+               if(!receive_handshake(s, data, len)) {
                        return false;
+               }
        } else {
                return error(s, EIO, "Invalid record type %d", type);
        }
@@ -495,96 +584,112 @@ static bool sptps_receive_data_datagram(sptps_t *s, const char *data, size_t len
 }
 
 // Receive incoming data. Check if it contains a complete record, if so, handle it.
-bool sptps_receive_data(sptps_t *s, const void *data, size_t len) {
-       if(!s->state)
+size_t sptps_receive_data(sptps_t *s, const void *data, size_t len) {
+       size_t total_read = 0;
+
+       if(!s->state) {
                return error(s, EIO, "Invalid session state zero");
+       }
 
-       if(s->datagram)
-               return sptps_receive_data_datagram(s, data, len);
+       if(s->datagram) {
+               return sptps_receive_data_datagram(s, data, len) ? len : false;
+       }
 
-       while(len) {
-               // First read the 2 length bytes.
-               if(s->buflen < 2) {
-                       size_t toread = 2 - s->buflen;
-                       if(toread > len)
-                               toread = len;
+       // First read the 2 length bytes.
+       if(s->buflen < 2) {
+               size_t toread = 2 - s->buflen;
+
+               if(toread > len) {
+                       toread = len;
+               }
 
-                       memcpy(s->inbuf + s->buflen, data, toread);
+               memcpy(s->inbuf + s->buflen, data, toread);
 
-                       s->buflen += toread;
-                       len -= toread;
-                       data += toread;
+               total_read += toread;
+               s->buflen += toread;
+               len -= toread;
+               data += toread;
 
-                       // Exit early if we don't have the full length.
-                       if(s->buflen < 2)
-                               return true;
+               // Exit early if we don't have the full length.
+               if(s->buflen < 2) {
+                       return total_read;
+               }
 
-                       // Get the length bytes
+               // Get the length bytes
 
-                       memcpy(&s->reclen, s->inbuf, 2);
-                       s->reclen = ntohs(s->reclen);
+               memcpy(&s->reclen, s->inbuf, 2);
+               s->reclen = ntohs(s->reclen);
 
-                       // If we have the length bytes, ensure our buffer can hold the whole request.
-                       s->inbuf = realloc(s->inbuf, s->reclen + 19UL);
-                       if(!s->inbuf)
-                               return error(s, errno, strerror(errno));
+               // If we have the length bytes, ensure our buffer can hold the whole request.
+               s->inbuf = realloc(s->inbuf, s->reclen + 19UL);
 
-                       // Exit early if we have no more data to process.
-                       if(!len)
-                               return true;
+               if(!s->inbuf) {
+                       return error(s, errno, strerror(errno));
                }
 
-               // Read up to the end of the record.
-               size_t toread = s->reclen + (s->instate ? 19UL : 3UL) - s->buflen;
-               if(toread > len)
-                       toread = len;
+               // Exit early if we have no more data to process.
+               if(!len) {
+                       return total_read;
+               }
+       }
 
-               memcpy(s->inbuf + s->buflen, data, toread);
-               s->buflen += toread;
-               len -= toread;
-               data += toread;
+       // Read up to the end of the record.
+       size_t toread = s->reclen + (s->instate ? 19UL : 3UL) - s->buflen;
+
+       if(toread > len) {
+               toread = len;
+       }
+
+       memcpy(s->inbuf + s->buflen, data, toread);
+       total_read += toread;
+       s->buflen += toread;
 
-               // If we don't have a whole record, exit.
-               if(s->buflen < s->reclen + (s->instate ? 19UL : 3UL))
-                       return true;
+       // If we don't have a whole record, exit.
+       if(s->buflen < s->reclen + (s->instate ? 19UL : 3UL)) {
+               return total_read;
+       }
 
-               // Update sequence number.
+       // Update sequence number.
 
-               uint32_t seqno = s->inseqno++;
+       uint32_t seqno = s->inseqno++;
 
-               // Check HMAC and decrypt.
-               if(s->instate) {
-                       if(!chacha_poly1305_decrypt(s->incipher, seqno, s->inbuf + 2UL, s->reclen + 17UL, s->inbuf + 2UL, NULL))
-                               return error(s, EINVAL, "Failed to decrypt and verify record");
+       // Check HMAC and decrypt.
+       if(s->instate) {
+               if(!chacha_poly1305_decrypt(s->incipher, seqno, s->inbuf + 2UL, s->reclen + 17UL, s->inbuf + 2UL, NULL)) {
+                       return error(s, EINVAL, "Failed to decrypt and verify record");
                }
+       }
 
-               // Append a NULL byte for safety.
-               s->inbuf[s->reclen + 3UL] = 0;
+       // Append a NULL byte for safety.
+       s->inbuf[s->reclen + 3UL] = 0;
 
-               uint8_t type = s->inbuf[2];
+       uint8_t type = s->inbuf[2];
 
-               if(type < SPTPS_HANDSHAKE) {
-                       if(!s->instate)
-                               return error(s, EIO, "Application record received before handshake finished");
-                       if(!s->receive_record(s->handle, type, s->inbuf + 3, s->reclen))
-                               return false;
-               } else if(type == SPTPS_HANDSHAKE) {
-                       if(!receive_handshake(s, s->inbuf + 3, s->reclen))
-                               return false;
-               } else {
-                       return error(s, EIO, "Invalid record type %d", type);
+       if(type < SPTPS_HANDSHAKE) {
+               if(!s->instate) {
+                       return error(s, EIO, "Application record received before handshake finished");
                }
 
-               s->buflen = 0;
+               if(!s->receive_record(s->handle, type, s->inbuf + 3, s->reclen)) {
+                       return false;
+               }
+       } else if(type == SPTPS_HANDSHAKE) {
+               if(!receive_handshake(s, s->inbuf + 3, s->reclen)) {
+                       return false;
+               }
+       } else {
+               return error(s, EIO, "Invalid record type %d", type);
        }
 
-       return true;
+       s->buflen = 0;
+
+       return total_read;
 }
 
 // Start a SPTPS session.
 bool sptps_start(sptps_t *s, void *handle, bool initiator, bool datagram, ecdsa_t *mykey, ecdsa_t *hiskey, const void *label, size_t labellen, send_data_t send_data, receive_record_t receive_record) {
        // Initialise struct sptps
-       memset(s, 0, sizeof *s);
+       memset(s, 0, sizeof(*s));
 
        s->handle = handle;
        s->initiator = initiator;
@@ -592,21 +697,30 @@ bool sptps_start(sptps_t *s, void *handle, bool initiator, bool datagram, ecdsa_
        s->mykey = mykey;
        s->hiskey = hiskey;
        s->replaywin = sptps_replaywin;
+
        if(s->replaywin) {
                s->late = malloc(s->replaywin);
-               if(!s->late)
+
+               if(!s->late) {
                        return error(s, errno, strerror(errno));
+               }
+
                memset(s->late, 0, s->replaywin);
        }
 
        s->label = malloc(labellen);
-       if(!s->label)
+
+       if(!s->label) {
                return error(s, errno, strerror(errno));
+       }
 
        if(!datagram) {
                s->inbuf = malloc(7);
-               if(!s->inbuf)
+
+               if(!s->inbuf) {
                        return error(s, errno, strerror(errno));
+               }
+
                s->buflen = 0;
        }
 
@@ -633,6 +747,6 @@ bool sptps_stop(sptps_t *s) {
        free(s->key);
        free(s->label);
        free(s->late);
-       memset(s, 0, sizeof *s);
+       memset(s, 0, sizeof(*s));
        return true;
 }
tinc, the VPN daemon