Allow delay on renego on client
Currently unbounded: will be fixed later
diff --git a/library/error.c b/library/error.c
index 22234cf..73504d4 100644
--- a/library/error.c
+++ b/library/error.c
@@ -450,6 +450,8 @@
snprintf( buf, buflen, "SSL - Internal error (eg, unexpected failure in lower-level module)" );
if( use_ret == -(POLARSSL_ERR_SSL_COUNTER_WRAPPING) )
snprintf( buf, buflen, "SSL - A counter would wrap (eg, too many messages exchanged)" );
+ if( use_ret == -(POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO) )
+ snprintf( buf, buflen, "SSL - Unexpected message at ServerHello in renegotiation" );
#endif /* POLARSSL_SSL_TLS_C */
#if defined(POLARSSL_X509_USE_C) || defined(POLARSSL_X509_CREATE_C)
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index d38d769..089b7c9 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -902,6 +902,12 @@
if( ssl->in_msgtype != SSL_MSG_HANDSHAKE )
{
+ if( ssl->renegotiation == SSL_RENEGOTIATION )
+ {
+ SSL_DEBUG_MSG( 1, ( "non-handshake message during renego" ) );
+ return( POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO );
+ }
+
SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
return( POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE );
}
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 1d68d96..e6c4efd 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4260,14 +4260,19 @@
*/
int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
{
- int ret;
+ int ret, record_read = 0;
size_t n;
SSL_DEBUG_MSG( 2, ( "=> read" ) );
if( ssl->state != SSL_HANDSHAKE_OVER )
{
- if( ( ret = ssl_handshake( ssl ) ) != 0 )
+ ret = ssl_handshake( ssl );
+ if( ret == POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO )
+ {
+ record_read = 1;
+ }
+ else if( ret != 0 )
{
SSL_DEBUG_RET( 1, "ssl_handshake", ret );
return( ret );
@@ -4276,13 +4281,16 @@
if( ssl->in_offt == NULL )
{
- if( ( ret = ssl_read_record( ssl ) ) != 0 )
+ if( ! record_read )
{
- if( ret == POLARSSL_ERR_SSL_CONN_EOF )
- return( 0 );
+ if( ( ret = ssl_read_record( ssl ) ) != 0 )
+ {
+ if( ret == POLARSSL_ERR_SSL_CONN_EOF )
+ return( 0 );
- SSL_DEBUG_RET( 1, "ssl_read_record", ret );
- return( ret );
+ SSL_DEBUG_RET( 1, "ssl_read_record", ret );
+ return( ret );
+ }
}
if( ssl->in_msglen == 0 &&
@@ -4352,15 +4360,22 @@
}
else
{
- if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )
+ ret = ssl_start_renegotiation( ssl );
+ if( ret == POLARSSL_ERR_SSL_WAITING_SERVER_HELLO_RENEGO )
+ {
+ record_read = 1;
+ }
+ else if( ret != 0 )
{
SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
return( ret );
}
}
- /* Tell the user to call ssl_read() again */
- return( POLARSSL_ERR_NET_WANT_READ );
+ /* If a non-handshake record was read during renego, fallthrough,
+ * else tell the user they should call ssl_read() again */
+ if( ! record_read )
+ return( POLARSSL_ERR_NET_WANT_READ );
}
else if( ssl->renegotiation == SSL_RENEGOTIATION_PENDING )
{