From 9711920304f0bab506fc52ccc35b8059cce8d042 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 23 Oct 2014 15:29:55 +0200 Subject: [PATCH] Fix ssl_read wrt non-Application Data --- ChangeLog | 4 ++++ library/ssl_tls.c | 15 ++++++++++++--- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9d0821c7e..7e47c4506 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,10 +16,14 @@ Bugfix * Fix compiler warnings on iOS (found by Sander Niemeijer). * Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel). * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce). + * ssl_read() could return non-application data records on server while + renegotation was pending, and on client when a HelloRequest was received. Changes * X.509 certificates with more than one AttributeTypeAndValue per RelativeDistinguishedName are not accepted any more. + * ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than + POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts. = Version 1.2.11 released 2014-07-11 Features diff --git a/library/ssl_tls.c b/library/ssl_tls.c index d8eddd935..18bad958f 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3930,11 +3930,20 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len ) SSL_DEBUG_RET( 1, "ssl_renegotiate", ret ); return( ret ); } - - return( POLARSSL_ERR_NET_WANT_READ ); } + + /* Tell the user to call ssl_read() again */ + return( POLARSSL_ERR_NET_WANT_READ ); } - else if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA ) + + /* Fatal and closure alerts handled by ssl_read_record() */ + if( ssl->in_msgtype == SSL_MSG_ALERT ) + { + SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) ); + return( POLARSSL_ERR_NET_WANT_READ ); + } + + if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA ) { SSL_DEBUG_MSG( 1, ( "bad application data message" ) ); return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );