Merge pull request #9655 from gilles-peskine-arm/dtls_server-allow_unexpected_message_on_second_handshake-3.6

Backport 3.6: dtls_server: allow unexpected message on second handshake
diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c
index 0a02694..d1063cb 100644
--- a/programs/ssl/dtls_server.c
+++ b/programs/ssl/dtls_server.c
@@ -291,7 +291,14 @@
         ret = 0;
         goto reset;
     } else if (ret != 0) {
-        printf(" failed\n  ! mbedtls_ssl_handshake returned -0x%x\n\n", (unsigned int) -ret);
+        printf(" failed\n  ! mbedtls_ssl_handshake returned -0x%x\n", (unsigned int) -ret);
+        if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE) {
+            printf("    An unexpected message was received from our peer. If this happened at\n");
+            printf("    the beginning of the handshake, this is likely a duplicated packet or\n");
+            printf("    a close_notify alert from the previous connection, which is harmless.\n");
+            ret = 0;
+        }
+        printf("\n");
         goto reset;
     }
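Review bot: The new branch at lines 14-19 clears `ret` for every `MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE`, regardless of how far the handshake had progressed, while the printed text only claims the condition is harmless "if this happened at the beginning of the handshake"; nothing in the code distinguishes the two cases, and there is no comment telling a reader why an error code is being turned into success. Since this is a sample that tends to be copied, I'd add above the `if`: `/* A stray datagram from the previous connection (duplicate packet or close_notify) shows up as an unexpected message; treat it as benign and go back to waiting for a new connection instead of counting it as a failed handshake. */`. It is also worth noting that the output still opens with " failed" before declaring the condition harmless, which may mislead someone scanning logs; the three printf calls could be folded into one. The enclosing handshake loop starts and ends outside the hunk.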
 
diff --git a/tests/opt-testcases/sample.sh b/tests/opt-testcases/sample.sh
index 8b2bc99..ff847cc 100644
--- a/tests/opt-testcases/sample.sh
+++ b/tests/opt-testcases/sample.sh
@@ -325,11 +325,6 @@
             -S "error" \
             -C "ERROR"
 
-# The server complains of extra data after it closes the connection
-# because the client keeps sending data, so the server receives
-# more application data when it expects a new handshake. We consider
-# the test a success if both sides have sent and received application
-# data, no matter what happens afterwards.
 run_test    "Sample: dtls_client with dtls_server" \
             -P 4433 \
             "$PROGRAMS_DIR/dtls_server" \
@@ -339,13 +334,9 @@
             -s "[1-9][0-9]* bytes written" \
             -c "[1-9][0-9]* bytes read" \
             -c "[1-9][0-9]* bytes written" \
+            -S "error" \
             -C "error"
 
-# The server complains of extra data after it closes the connection
-# because the client keeps sending data, so the server receives
-# more application data when it expects a new handshake. We consider
-# the test a success if both sides have sent and received application
-# data, no matter what happens afterwards.
 run_test    "Sample: ssl_client2, dtls_server" \
             -P 4433 \
             "$PROGRAMS_DIR/dtls_server" \
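Review bot: The added `-S "error"` at line 44 (and again at line 59) appears to assert that the server output contains no "error", but the server-side change in this same PR still prints " failed" followed by the "harmless" explanation when it receives the stray packet, so the assertion would not catch that line if the condition were ever reported as a genuine failure. If the intent is to prove the second handshake no longer fails, a stronger check would be a server-side negative pattern on the handshake failure text, e.g. `-S "mbedtls_ssl_handshake returned"`, assuming `-S` is the server-side negative match as the surrounding `-S "error"`/`-C "ERROR"` usage suggests. The deleted comments explained why the tests tolerated the error; a one-line replacement such as `# The server now treats a stray packet at the start of the second handshake as benign, so no error is expected on either side.` would preserve that context. The enclosing `run_test` invocation continues outside the hunk.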
@@ -355,6 +346,7 @@
             -s "[1-9][0-9]* bytes written" \
             -c "[1-9][0-9]* bytes read" \
             -c "[1-9][0-9]* bytes written" \
+            -S "error" \
             -C "error"
 
 requires_protocol_version dtls12