diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 725b156d5d..822205ee48 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1526,6 +1526,19 @@ struct mbedtls_ssl_context int MBEDTLS_PRIVATE(keep_current_message); /*!< drop or reuse current message on next call to record layer? */ + /* The following three variables indicate if and, if yes, + * what kind of alert is pending to be sent. + */ + unsigned char MBEDTLS_PRIVATE(send_alert); /*!< Determines if a fatal alert + should be sent. Values: + - \c 0 , no alert is to be sent. + - \c 1 , alert is to be sent. */ + unsigned char MBEDTLS_PRIVATE(alert_type); /*!< Type of alert if send_alert + != 0 */ + int MBEDTLS_PRIVATE(alert_reason); /*!< The error code to be returned + to the user once the fatal alert + has been sent. */ + #if defined(MBEDTLS_SSL_PROTO_DTLS) uint8_t MBEDTLS_PRIVATE(disable_datagram_packing); /*!< Disable packing multiple records * within a single datagram. */ diff --git a/library/ssl_misc.h b/library/ssl_misc.h index c338d79eec..a1128eda00 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1342,6 +1342,22 @@ void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl ); int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial ); +/* + * Send pending alert + */ +int mbedtls_ssl_handle_pending_alert( mbedtls_ssl_context *ssl ); + +/* + * Set pending fatal alert flag. + */ +void mbedtls_ssl_pend_fatal_alert( mbedtls_ssl_context *ssl, + unsigned char alert_type, + int alert_reason ); + +/* Alias of mbedtls_ssl_pend_fatal_alert */ +#define MBEDTLS_SSL_PEND_FATAL_ALERT( type, user_return_value ) \ + mbedtls_ssl_pend_fatal_alert( ssl, type, user_return_value ) + #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) void mbedtls_ssl_dtls_replay_reset( mbedtls_ssl_context *ssl ); #endif diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 2fe801a283..3bf4a603db 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -5639,4 +5639,48 @@ void mbedtls_ssl_read_version( int *major, int *minor, int transport, } } +/* + * Send pending fatal alert. + * 0, No alert message. + * !0, if mbedtls_ssl_send_alert_message() returned in error, the error code it + * returned, ssl->alert_reason otherwise. + */ +int mbedtls_ssl_handle_pending_alert( mbedtls_ssl_context *ssl ) +{ + int ret; + + /* No pending alert, return success*/ + if( ssl->send_alert == 0 ) + return( 0 ); + + ret = mbedtls_ssl_send_alert_message( ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + ssl->alert_type ); + + /* If mbedtls_ssl_send_alert_message() returned with MBEDTLS_ERR_SSL_WANT_WRITE, + * do not clear the alert to be able to send it later. + */ + if( ret != MBEDTLS_ERR_SSL_WANT_WRITE ) + { + ssl->send_alert = 0; + } + + if( ret != 0 ) + return( ret ); + + return( ssl->alert_reason ); +} + +/* + * Set pending fatal alert flag. + */ +void mbedtls_ssl_pend_fatal_alert( mbedtls_ssl_context *ssl, + unsigned char alert_type, + int alert_reason ) +{ + ssl->send_alert = 1; + ssl->alert_type = alert_type; + ssl->alert_reason = alert_reason; +} + #endif /* MBEDTLS_SSL_TLS_C */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 360419240f..21a058dd57 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5170,6 +5170,10 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) if( ret != 0 ) return( ret ); + ret = mbedtls_ssl_handle_pending_alert( ssl ); + if( ret != 0 ) + goto cleanup; + #if defined(MBEDTLS_SSL_CLI_C) if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) { @@ -5199,6 +5203,19 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) } #endif + if( ret != 0 ) + { + /* handshake_step return error. And it is same + * with alert_reason. + */ + if( ssl->send_alert ) + { + ret = mbedtls_ssl_handle_pending_alert( ssl ); + goto cleanup; + } + } + +cleanup: return( ret ); }