Actually ignore most non-fatal alerts

fixes #308
2024-11-26 00:55:39 +01:00 · 2015-10-27 13:42:11 +01:00 · 2015-10-27 13:42:11 +01:00 · 0aaefcebc0
commit 0aaefcebc0
parent ad9c68ab21
2 changed files with 31 additions and 1 deletions
--- a/6
+++ b/6
@ -1,5 +1,11 @@
 mbed TLS ChangeLog (Sorted per branch, date)

+= mbed TLS 1.3.15 released 2015-10-xx
+
+Bugfix
+   * Fix bug causing some handshakes to fail due to some non-fatal alerts not
+     begin properly ignored. Found by mancha and Kasom Koht-arsa, #308
+
 = mbed TLS 1.3.14 released 2015-10-06

 Security
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -2211,6 +2211,7 @@ int ssl_read_record( ssl_context *ssl )
    /*
     * Read the record header and validate it
     */
+read_record_header:
    if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
    {
        SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
@ -2408,7 +2409,7 @@ int ssl_read_record( ssl_context *ssl )
                       ssl->in_msg[0], ssl->in_msg[1] ) );

        /*
-         * Ignore non-fatal alerts, except close_notify
+         * Ignore non-fatal alerts, except close_notify and no_renego
         */
        if( ssl->in_msg[0] == SSL_ALERT_LEVEL_FATAL )
        {
@ -2423,6 +2424,29 @@ int ssl_read_record( ssl_context *ssl )
            SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
            return( POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY );
        }
+
+        if( ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
+            ssl->in_msg[1] == SSL_ALERT_MSG_NO_RENEGOTIATION )
+        {
+            SSL_DEBUG_MSG( 2, ( "is a no_renegotiation" ) );
+            /* Will be handled when trying to parse ServerHello */
+            ssl->in_left = 0;
+            return( 0 );
+        }
+
+        if( ssl->minor_ver == SSL_MINOR_VERSION_0 &&
+            ssl->endpoint == SSL_IS_SERVER &&
+            ssl->in_msg[0] == SSL_ALERT_LEVEL_WARNING &&
+            ssl->in_msg[1] == SSL_ALERT_MSG_NO_CERT )
+        {
+            SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
+            /* Will be handled in ssl_parse_certificate() */
+            ssl->in_left = 0;
+            return( 0 );
+        }
+
+        /* Silently discard: fetch new message */
+        goto read_record_header;
    }

    ssl->in_left = 0;