commit 3cd07be8899d00bb2e45f7fbe4cba112955798e4
author Hanno Becker <hanno.becker@arm.com> Tue Oct 24 11:49:19 2017 +0100
committer Hanno Becker <hanno.becker@arm.com> Tue Oct 24 11:49:19 2017 +0100
tree ae767d2bf06dc3bf2ac5c3467453788f21a4fdf0
parent e454d73cc007a9a2adb10288c64bd75e0b4073d1

Fix handling of HS msgs in mbedtls_ssl_read if renegotiation unused

Previously, if `MBEDTLS_SSL_RENEGOTIATION` was disabled, incoming handshake
messages in `mbedtls_ssl_read` (expecting application data) lead to the
connection being closed. This commit fixes this, restricting the
`MBEDTLS_SSL_RENEGOTIATION`-guard to the code-paths responsible for accepting
renegotiation requests and aborting renegotiation attempts after too many
unexpected records have been received.

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index ae12042..cf52127 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -6646,7 +6646,6 @@
             }
         }
 
-#if defined(MBEDTLS_SSL_RENEGOTIATION)
         if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
         {
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
@@ -6682,6 +6681,7 @@
             }
 #endif
 
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
             if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
                     ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
                       ssl->conf->allow_legacy_renegotiation ==
@@ -6704,6 +6704,7 @@
                 }
             }
             else
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
             {
                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
 
@@ -6740,6 +6741,7 @@
 
             return( MBEDTLS_ERR_SSL_WANT_READ );
         }
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
         else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
         {
             if( ssl->conf->renego_max_records >= 0 )