From 21df7f90d225ca717b9a558260053a712dbc8957 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 17 Oct 2017 11:03:26 +0100 Subject: [PATCH] Fix handling of HS msgs in mbedtls_ssl_read if renegotiation unused Previously, if `MBEDTLS_SSL_RENEGOTIATION` was disabled, incoming handshake messages in `mbedtls_ssl_read` (expecting application data) lead to the connection being closed. This commit fixes this, restricting the `MBEDTLS_SSL_RENEGOTIATION`-guard to the code-paths responsible for accepting renegotiation requests and aborting renegotiation attempts after too many unexpected records have been received. --- library/ssl_tls.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 2443a8629..89eba056c 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6878,7 +6878,6 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) } } -#if defined(MBEDTLS_SSL_RENEGOTIATION) if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) ); @@ -6920,6 +6919,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) } #endif /* MBEDTLS_SSL_SRV_C */ +#if defined(MBEDTLS_SSL_RENEGOTIATION) /* Determine whether renegotiation attempt should be accepted */ if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED || ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && @@ -6947,6 +6947,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) } } else +#endif /* MBEDTLS_SSL_RENEGOTIATION */ { /* * Refuse renegotiation @@ -6987,6 +6988,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) return( MBEDTLS_ERR_SSL_WANT_READ ); } +#if defined(MBEDTLS_SSL_RENEGOTIATION) else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) { if( ssl->conf->renego_max_records >= 0 )