ssl_read() stops returning non-application data

2014-08-19 12:28:50 +02:00 · 2014-08-19 12:28:50 +02:00 · f26a1e8602
commit f26a1e8602
parent 55e4ff2ace
2 changed files with 16 additions and 3 deletions
--- a/4
+++ b/4
@ -10,6 +10,8 @@ Bugfix
   * Fix compile error in timing.c when POLARSSL_NET_C and POLARSSL_SELFTEST
     are defined but not POLARSSL_HAVE_TIME (found by Stephane Di Vito).
   * Remove non-existent file from VS projects (found by Peter Vaskovic).
+   * ssl_read() could return non-application data records on server while
+     renegotation was pending, and on client when a HelloRequest was received.

 Changes
   * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
@ -18,6 +20,8 @@ Changes
     ambiguous on how to encode some packets with SSL 3.0).
   * Made buffer size in pk_write_(pub)key_pem() more dynamic, eg smaller if
     RSA is disabled, larger if POLARSSL_MPI_MAX_SIZE is larger.
+   * ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than
+     POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts.

 = PolarSSL 1.3.8 released 2014-07-11
 Security
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -4357,9 +4357,10 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
                    SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
                    return( ret );
                }
-
-                return( POLARSSL_ERR_NET_WANT_READ );
            }
+
+            /* Tell the user to call ssl_read() again */
+            return( POLARSSL_ERR_NET_WANT_READ );
        }
        else if( ssl->renegotiation == SSL_RENEGOTIATION_PENDING )
        {
@ -4373,7 +4374,15 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
                return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
            }
        }
-        else if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
+
+        /* Fatal and closure alerts handled by ssl_read_record() */
+        if( ssl->in_msgtype == SSL_MSG_ALERT )
+        {
+            SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
+            return( POLARSSL_ERR_NET_WANT_READ );
+        }
+
+        if( ssl->in_msgtype != SSL_MSG_APPLICATION_DATA )
        {
            SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
            return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );