Fix handling of HS msgs in ssl_read if renegotiation unused

Previously, if `POLARSSL_SSL_RENEGOTIATION` was disabled, incoming handshake messages in `ssl_read` (expecting application data) lead to the connection being closed. This commit fixes this, restricting the `POLARSSL_SSL_RENEGOTIATION`-guard to the code-paths responsible for accepting renegotiation requests and aborting renegotiation attempts after too many unexpected records have been received.
2025-01-11 01:25:41 +00:00 · 2017-10-25 09:34:48 +01:00 · 2017-10-25 09:34:48 +01:00 · bfd0991daa
parent 268191a305
commit bfd0991daa
1 changed files with 3 additions and 1 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -4755,7 +4755,6 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
            }
        }

-#if defined(POLARSSL_SSL_RENEGOTIATION)
        if( ssl->in_msgtype == SSL_MSG_HANDSHAKE )
        {
            SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
@ -4770,6 +4769,7 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
            }
 #endif

+#if defined(POLARSSL_SSL_RENEGOTIATION)
            if( ! ( ssl->disable_renegotiation == SSL_RENEGOTIATION_DISABLED ||
                    ( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION &&
                      ssl->allow_legacy_renegotiation ==
@ -4784,6 +4784,7 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
                }
            }
            else
+#endif /* POLARSSL_SSL_RENEGOTIATION */
            {
                SSL_DEBUG_MSG( 3, ( "ignoring renegotiation, sending alert" ) );

@ -4820,6 +4821,7 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )

            return( POLARSSL_ERR_NET_WANT_READ );
        }
+#if defined(POLARSSL_SSL_RENEGOTIATION)
        else if( ssl->renegotiation == SSL_RENEGOTIATION_PENDING )
        {
            ssl->renego_records_seen++;