From bfd0991daae23f6084d9479eee0f306af16bc153 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 25 Oct 2017 09:34:48 +0100 Subject: [PATCH] Fix handling of HS msgs in ssl_read if renegotiation unused Previously, if `POLARSSL_SSL_RENEGOTIATION` was disabled, incoming handshake messages in `ssl_read` (expecting application data) lead to the connection being closed. This commit fixes this, restricting the `POLARSSL_SSL_RENEGOTIATION`-guard to the code-paths responsible for accepting renegotiation requests and aborting renegotiation attempts after too many unexpected records have been received. --- library/ssl_tls.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index c72296679..ee87bc0d4 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4755,7 +4755,6 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len ) } } -#if defined(POLARSSL_SSL_RENEGOTIATION) if( ssl->in_msgtype == SSL_MSG_HANDSHAKE ) { SSL_DEBUG_MSG( 1, ( "received handshake message" ) ); @@ -4770,6 +4769,7 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len ) } #endif +#if defined(POLARSSL_SSL_RENEGOTIATION) if( ! ( ssl->disable_renegotiation == SSL_RENEGOTIATION_DISABLED || ( ssl->secure_renegotiation == SSL_LEGACY_RENEGOTIATION && ssl->allow_legacy_renegotiation == @@ -4784,6 +4784,7 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len ) } } else +#endif /* POLARSSL_SSL_RENEGOTIATION */ { SSL_DEBUG_MSG( 3, ( "ignoring renegotiation, sending alert" ) ); @@ -4820,6 +4821,7 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len ) return( POLARSSL_ERR_NET_WANT_READ ); } +#if defined(POLARSSL_SSL_RENEGOTIATION) else if( ssl->renegotiation == SSL_RENEGOTIATION_PENDING ) { ssl->renego_records_seen++;