From e7047819eef8d27285acfdbbd66d2855ab4e18f5 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 13 Sep 2021 19:26:39 +0800 Subject: [PATCH 1/5] add pend fatal alert Signed-off-by: Jerry Yu --- include/mbedtls/ssl.h | 25 +++++++++++++++++++++++++ library/ssl_misc.h | 5 +++++ library/ssl_msg.c | 22 ++++++++++++++++++++++ library/ssl_tls.c | 16 ++++++++++++++++ 4 files changed, 68 insertions(+) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 725b156d5d..58cc113b7f 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1526,6 +1526,23 @@ struct mbedtls_ssl_context int MBEDTLS_PRIVATE(keep_current_message); /*!< drop or reuse current message on next call to record layer? */ + /* The following three variables indicate if and, if yes, + * what kind of alert or warning is pending to be sent. + * They should not be set manually but through the macro + * MBEDTLS_SSL_PEND_FATAL_ALERT( type, user_return_value ) + * defined below. + */ + unsigned char MBEDTLS_PRIVATE(send_alert); /*!< Determines if either a fatal error + or a warning should be sent. Values: + - \c 0 if no alert is to be sent. + - #MBEDTLS_SSL_ALERT_LEVEL_FATAL + if a fatal alert is to be sent + - #MBEDTLS_SSL_ALERT_LEVEL_WARNING + if a non-fatal alert is to be sent. */ + unsigned char MBEDTLS_PRIVATE(alert_type); /*!< Type of alert if send_alert != 0 */ + int MBEDTLS_PRIVATE(alert_reason); /*!< The error code to be returned to the + * user once the fatal alert has been sent. */ + #if defined(MBEDTLS_SSL_PROTO_DTLS) uint8_t MBEDTLS_PRIVATE(disable_datagram_packing); /*!< Disable packing multiple records * within a single datagram. */ @@ -1624,6 +1641,14 @@ struct mbedtls_ssl_context #endif }; +#define MBEDTLS_SSL_PEND_FATAL_ALERT( type, user_return_value ) \ + do \ + { \ + ssl->send_alert = 1; \ + ssl->alert_reason = (user_return_value); \ + ssl->alert_type = (type); \ + } while( 0 ) + /** * \brief Return the name of the ciphersuite associated with the * given ID diff --git a/library/ssl_misc.h b/library/ssl_misc.h index c338d79eec..8b26983556 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1342,6 +1342,11 @@ void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl ); int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial ); +/* + * Send pending fatal alerts or warnings. + */ +int mbedtls_ssl_handle_pending_alert( mbedtls_ssl_context *ssl ); + #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) void mbedtls_ssl_dtls_replay_reset( mbedtls_ssl_context *ssl ); #endif diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 2fe801a283..3144d9818c 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -5639,4 +5639,26 @@ void mbedtls_ssl_read_version( int *major, int *minor, int transport, } } +/* + * Send pending fatal alerts or warnings. + */ +int mbedtls_ssl_handle_pending_alert( mbedtls_ssl_context *ssl ) +{ + int ret; + + /* Send alert if requested */ + if( ssl->send_alert != 0 ) + { + ret = mbedtls_ssl_send_alert_message( ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + ssl->alert_type ); + if( ret != 0 ) + return( ret ); + } + + ssl->send_alert = 0; + ssl->alert_type = 0; + return( 0 ); +} + #endif /* MBEDTLS_SSL_TLS_C */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 360419240f..7bb5f9fd7e 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5170,6 +5170,10 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) if( ret != 0 ) return( ret ); + ret = mbedtls_ssl_handle_pending_alert( ssl ); + if( ret != 0 ) + goto cleanup; + #if defined(MBEDTLS_SSL_CLI_C) if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) { @@ -5199,6 +5203,18 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) } #endif + if( ret != 0 ) + { + int alert_ret; + alert_ret = mbedtls_ssl_handle_pending_alert( ssl ); + if( alert_ret != 0 ) + { + ret = alert_ret; + goto cleanup; + } + } + +cleanup: return( ret ); } From 33cedca8aa9d6fb8dc0c0107de38911f3cfd21c8 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 14 Sep 2021 19:55:49 +0800 Subject: [PATCH 2/5] fix comments issue Signed-off-by: Jerry Yu --- include/mbedtls/ssl.h | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 58cc113b7f..18142a8617 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1532,16 +1532,15 @@ struct mbedtls_ssl_context * MBEDTLS_SSL_PEND_FATAL_ALERT( type, user_return_value ) * defined below. */ - unsigned char MBEDTLS_PRIVATE(send_alert); /*!< Determines if either a fatal error - or a warning should be sent. Values: - - \c 0 if no alert is to be sent. - - #MBEDTLS_SSL_ALERT_LEVEL_FATAL - if a fatal alert is to be sent - - #MBEDTLS_SSL_ALERT_LEVEL_WARNING - if a non-fatal alert is to be sent. */ - unsigned char MBEDTLS_PRIVATE(alert_type); /*!< Type of alert if send_alert != 0 */ - int MBEDTLS_PRIVATE(alert_reason); /*!< The error code to be returned to the - * user once the fatal alert has been sent. */ + unsigned char MBEDTLS_PRIVATE(send_alert); /*!< Determines if a fatal alert + should be sent. Values: + - \c 0 , no alert is to be sent. + - \c 1 , alert is to be sent. */ + unsigned char MBEDTLS_PRIVATE(alert_type); /*!< Type of alert if send_alert + != 0 */ + int MBEDTLS_PRIVATE(alert_reason); /*!< The error code to be returned + to the user once the fatal alert + has been sent. */ #if defined(MBEDTLS_SSL_PROTO_DTLS) uint8_t MBEDTLS_PRIVATE(disable_datagram_packing); /*!< Disable packing multiple records From 394ece6cdd71d06e2186024769170588bb342ac8 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 14 Sep 2021 22:17:21 +0800 Subject: [PATCH 3/5] Add function for set pending alert flag Signed-off-by: Jerry Yu --- include/mbedtls/ssl.h | 13 +------------ library/ssl_misc.h | 14 +++++++++++++- library/ssl_msg.c | 18 +++++++++++++++--- 3 files changed, 29 insertions(+), 16 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 18142a8617..822205ee48 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1527,10 +1527,7 @@ struct mbedtls_ssl_context on next call to record layer? */ /* The following three variables indicate if and, if yes, - * what kind of alert or warning is pending to be sent. - * They should not be set manually but through the macro - * MBEDTLS_SSL_PEND_FATAL_ALERT( type, user_return_value ) - * defined below. + * what kind of alert is pending to be sent. */ unsigned char MBEDTLS_PRIVATE(send_alert); /*!< Determines if a fatal alert should be sent. Values: @@ -1640,14 +1637,6 @@ struct mbedtls_ssl_context #endif }; -#define MBEDTLS_SSL_PEND_FATAL_ALERT( type, user_return_value ) \ - do \ - { \ - ssl->send_alert = 1; \ - ssl->alert_reason = (user_return_value); \ - ssl->alert_type = (type); \ - } while( 0 ) - /** * \brief Return the name of the ciphersuite associated with the * given ID diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 8b26983556..5be5b03ac2 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1343,10 +1343,22 @@ void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl ); int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial ); /* - * Send pending fatal alerts or warnings. + * Send pending alert */ int mbedtls_ssl_handle_pending_alert( mbedtls_ssl_context *ssl ); +/* + * Set pending fatal alert flag. + */ +void mbedtls_ssl_pend_fatal_alert( mbedtls_ssl_context *ssl, + unsigned char alert_type, + int alert_reason ); + +/* Alias of mbedtls_ssl_pend_fatal_alert */ +#define MBEDTLS_SSL_PEND_FATAL_ALERT( type, user_return_value ) \ + mbedtls_ssl_pend_fatal_alert( ssl, type, user_return_value ) + + #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) void mbedtls_ssl_dtls_replay_reset( mbedtls_ssl_context *ssl ); #endif diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 3144d9818c..9230bcd82a 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -5649,16 +5649,28 @@ int mbedtls_ssl_handle_pending_alert( mbedtls_ssl_context *ssl ) /* Send alert if requested */ if( ssl->send_alert != 0 ) { + /* Clear send_alert to avoid infinite loop */ + ssl->send_alert = 0; + ret = mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, ssl->alert_type ); if( ret != 0 ) return( ret ); } - - ssl->send_alert = 0; - ssl->alert_type = 0; return( 0 ); } +/* + * Set pending fatal alert flag. + */ +void mbedtls_ssl_pend_fatal_alert( mbedtls_ssl_context *ssl, + unsigned char alert_type, + int alert_reason ) +{ + ssl->send_alert = 1; + ssl->alert_type = alert_type; + ssl->alert_reason = alert_reason; +} + #endif /* MBEDTLS_SSL_TLS_C */ From bbd5a3fded73092349306d084b75de0b6a9b2c1f Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Sat, 18 Sep 2021 20:50:22 +0800 Subject: [PATCH 4/5] fix pending_alert issues Signed-off-by: Jerry Yu --- library/ssl_misc.h | 1 - library/ssl_msg.c | 35 ++++++++++++++++++++++++----------- library/ssl_tls.c | 5 +++++ 3 files changed, 29 insertions(+), 12 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 5be5b03ac2..a1128eda00 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1358,7 +1358,6 @@ void mbedtls_ssl_pend_fatal_alert( mbedtls_ssl_context *ssl, #define MBEDTLS_SSL_PEND_FATAL_ALERT( type, user_return_value ) \ mbedtls_ssl_pend_fatal_alert( ssl, type, user_return_value ) - #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) void mbedtls_ssl_dtls_replay_reset( mbedtls_ssl_context *ssl ); #endif diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 9230bcd82a..1ea5e89909 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -5641,24 +5641,37 @@ void mbedtls_ssl_read_version( int *major, int *minor, int transport, /* * Send pending fatal alerts or warnings. + * 0, No alert message. + * !0, error from send_alert_message or handshake_step return */ int mbedtls_ssl_handle_pending_alert( mbedtls_ssl_context *ssl ) { int ret; - /* Send alert if requested */ - if( ssl->send_alert != 0 ) - { - /* Clear send_alert to avoid infinite loop */ - ssl->send_alert = 0; + /* No pending alert, return success*/ + if( ssl->send_alert == 0 ) + return( 0 ); - ret = mbedtls_ssl_send_alert_message( ssl, - MBEDTLS_SSL_ALERT_LEVEL_FATAL, - ssl->alert_type ); - if( ret != 0 ) - return( ret ); + ret = mbedtls_ssl_send_alert_message( ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + ssl->alert_type ); + + /* Success or send message fail, clear send_alert flag + * except WANT_WRITE. WANT_WRITE means need re-send message. + */ + if( ret != MBEDTLS_ERR_SSL_WANT_WRITE ) + { + ssl->send_alert = 0; } - return( 0 ); + + if( ret != 0 ) + { + /* some errors on send alert message */ + return( ret ); + } + + /* Assume alert_reason == handshake_step return */ + return( ssl->alert_reason ); } /* diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 7bb5f9fd7e..c11810df84 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5205,10 +5205,15 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) if( ret != 0 ) { + /* handshake_step return error. And it is same + * with alert_reason. + */ int alert_ret; alert_ret = mbedtls_ssl_handle_pending_alert( ssl ); if( alert_ret != 0 ) { + /* If success send, ret == alert_ret. + */ ret = alert_ret; goto cleanup; } From 3bf1f97a0e471dd7ab427aaeca11b2a924b4c7f3 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 22 Sep 2021 21:37:18 +0800 Subject: [PATCH 5/5] fix various issue on pending send alert Signed-off-by: Jerry Yu --- library/ssl_msg.c | 15 ++++++--------- library/ssl_tls.c | 8 ++------ 2 files changed, 8 insertions(+), 15 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 1ea5e89909..3bf4a603db 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -5640,9 +5640,10 @@ void mbedtls_ssl_read_version( int *major, int *minor, int transport, } /* - * Send pending fatal alerts or warnings. - * 0, No alert message. - * !0, error from send_alert_message or handshake_step return + * Send pending fatal alert. + * 0, No alert message. + * !0, if mbedtls_ssl_send_alert_message() returned in error, the error code it + * returned, ssl->alert_reason otherwise. */ int mbedtls_ssl_handle_pending_alert( mbedtls_ssl_context *ssl ) { @@ -5656,8 +5657,8 @@ int mbedtls_ssl_handle_pending_alert( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_ALERT_LEVEL_FATAL, ssl->alert_type ); - /* Success or send message fail, clear send_alert flag - * except WANT_WRITE. WANT_WRITE means need re-send message. + /* If mbedtls_ssl_send_alert_message() returned with MBEDTLS_ERR_SSL_WANT_WRITE, + * do not clear the alert to be able to send it later. */ if( ret != MBEDTLS_ERR_SSL_WANT_WRITE ) { @@ -5665,12 +5666,8 @@ int mbedtls_ssl_handle_pending_alert( mbedtls_ssl_context *ssl ) } if( ret != 0 ) - { - /* some errors on send alert message */ return( ret ); - } - /* Assume alert_reason == handshake_step return */ return( ssl->alert_reason ); } diff --git a/library/ssl_tls.c b/library/ssl_tls.c index c11810df84..21a058dd57 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5208,13 +5208,9 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) /* handshake_step return error. And it is same * with alert_reason. */ - int alert_ret; - alert_ret = mbedtls_ssl_handle_pending_alert( ssl ); - if( alert_ret != 0 ) + if( ssl->send_alert ) { - /* If success send, ret == alert_ret. - */ - ret = alert_ret; + ret = mbedtls_ssl_handle_pending_alert( ssl ); goto cleanup; } }