commit 21df7f90d225ca717b9a558260053a712dbc8957
author Hanno Becker <hanno.becker@arm.com> Tue Oct 17 11:03:26 2017 +0100
committer Hanno Becker <hanno.becker@arm.com> Tue Oct 17 11:03:26 2017 +0100
tree d182899cb03d2231260586ff5fa3cbe5307a9e85
parent b4ff0aafd96b3bf5f94a86a970911ff7ee4822f9

Fix handling of HS msgs in mbedtls_ssl_read if renegotiation unused

Previously, if `MBEDTLS_SSL_RENEGOTIATION` was disabled, incoming handshake
messages in `mbedtls_ssl_read` (expecting application data) lead to the
connection being closed. This commit fixes this, restricting the
`MBEDTLS_SSL_RENEGOTIATION`-guard to the code-paths responsible for accepting
renegotiation requests and aborting renegotiation attempts after too many
unexpected records have been received.

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 2443a86..89eba05 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -6878,7 +6878,6 @@
             }
         }
 
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
         if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
         {
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
@@ -6920,6 +6919,7 @@
             }
 #endif /* MBEDTLS_SSL_SRV_C */
 
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
             /* Determine whether renegotiation attempt should be accepted */
             if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
                     ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
@@ -6947,6 +6947,7 @@
                 }
             }
             else
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
             {
                 /*
                  * Refuse renegotiation
@@ -6987,6 +6988,7 @@
 
             return( MBEDTLS_ERR_SSL_WANT_READ );
         }
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
         else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
         {
             if( ssl->conf->renego_max_records >= 0 )