From f46e1ce8128c1903b6a2b54ff61f17afec8518d5 Mon Sep 17 00:00:00 2001
From: Hanno Becker <hanno.becker@arm.com>
Date: Wed, 3 Jul 2019 13:56:59 +0100
Subject: [PATCH] Introduce SSL helper function to mark pending alerts

---
 include/mbedtls/ssl.h          |  4 ++++
 include/mbedtls/ssl_internal.h | 11 +++++++++++
 library/ssl_tls.c              | 11 +++++++++++
 3 files changed, 26 insertions(+)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index a41182cf4..a871540d1 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -366,6 +366,7 @@
 #define MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME    112  /* 0x70 */
 #define MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY 115  /* 0x73 */
 #define MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL 120 /* 0x78 */
+#define MBEDTLS_SSL_ALERT_MSG_NONE                 255  /* internal */
 
 #define MBEDTLS_SSL_HS_HELLO_REQUEST            0
 #define MBEDTLS_SSL_HS_CLIENT_HELLO             1
@@ -1234,6 +1235,9 @@ struct mbedtls_ssl_context
 {
     const mbedtls_ssl_config *conf; /*!< configuration information          */
 
+    unsigned char pend_alert_level;
+    unsigned char pend_alert_msg;
+
     /*
      * Miscellaneous
      */
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index b8875abd4..0db867c82 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -1724,4 +1724,15 @@ static inline unsigned int mbedtls_ssl_conf_get_ems_enforced(
 
 #endif /* MBEDTLS_SSL_CONF_SINGLE_SIG_HASH */
 
+__attribute__((always_inline)) static inline int mbedtls_ssl_pend_alert_message(
+    mbedtls_ssl_context *ssl,
+    unsigned char level,
+    unsigned char message )
+{
+    if( level != MBEDTLS_SSL_ALERT_LEVEL_FATAL )
+        ssl->pend_alert_level = level;
+    ssl->pend_alert_msg = message;
+    return( 0 );
+}
+
 #endif /* ssl_internal.h */
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index fc7ece79d..8e394cfc7 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7983,6 +7983,9 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
     if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
         goto error;
 
+    ssl->pend_alert_msg   = MBEDTLS_SSL_ALERT_MSG_NONE;
+    ssl->pend_alert_level = MBEDTLS_SSL_ALERT_LEVEL_FATAL;
+
     return( 0 );
 
 error:
@@ -9835,6 +9838,14 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl )
         ret = mbedtls_ssl_handshake_server_step( ssl );
 #endif
 
+    if( ssl->pend_alert_msg != MBEDTLS_SSL_ALERT_MSG_NONE )
+    {
+        mbedtls_ssl_send_alert_message( ssl,
+                                        ssl->pend_alert_level,
+                                        ssl->pend_alert_msg );
+        ssl->pend_alert_msg   = MBEDTLS_SSL_ALERT_MSG_NONE;
+        ssl->pend_alert_level = MBEDTLS_SSL_ALERT_LEVEL_FATAL;
+    }
     return( ret );
 }