Fix ssl_read wrt non-Application Data

2025-01-23 23:21:04 +00:00 · 2014-10-23 15:29:55 +02:00 · 2014-10-23 15:29:55 +02:00 · 9711920304
parent 3fdfcedebb
commit 9711920304
2 changed files with 16 additions and 3 deletions
--- a/4
+++ b/4
@ -16,10 +16,14 @@ Bugfix
   * Fix compiler warnings on iOS (found by Sander Niemeijer).
   * Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel).
   * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
+   * ssl_read() could return non-application data records on server while
+     renegotation was pending, and on client when a HelloRequest was received.

 Changes
   * X.509 certificates with more than one AttributeTypeAndValue per
     RelativeDistinguishedName are not accepted any more.
+   * ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than
+     POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts.

 = Version 1.2.11 released 2014-07-11
 Features
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -3930,11 +3930,20 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
                    SSL_DEBUG_RET( 1, "ssl_renegotiate", ret );
                    return( ret );
                }
+            }

+            /* Tell the user to call ssl_read() again */
            return( POLARSSL_ERR_NET_WANT_READ );
        }
+
+        /* Fatal and closure alerts handled by ssl_read_record() */
+        if( ssl->in_msgtype == SSL_MSG_ALERT )
+        {
+            SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
+            return( POLARSSL_ERR_NET_WANT_READ );
        }
-        else if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
+
+        if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
        {
            SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
            return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );