DTLS didn't handle alerts correctly [from HEAD].

PR: 1632

diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index 377696deac0bd2706464fe7a807169a9c5cfd399..e206b34e74242ede489f24c09599f17fe7331e8d 100644 (file)
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -811,6 +811,14 @@ start:
              *  may be fragmented--don't always expect dest_maxlen bytes */
                        if ( rr->length < dest_maxlen)
                                {
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
+                               /*
+                                * for normal alerts rr->length is 2, while
+                                * dest_maxlen is 7 if we were to handle this
+                                * non-existing alert...
+                                */
+                               FIX ME
+#endif
                                s->rstate=SSL_ST_READ_HEADER;
                                rr->length = 0;
                                goto start;
@@ -1576,7 +1584,7 @@ int dtls1_dispatch_alert(SSL *s)
        {
        int i,j;
        void (*cb)(const SSL *ssl,int type,int val)=NULL;
-       unsigned char buf[2 + 2 + 3]; /* alert level + alert desc + message seq +frag_off */
+       unsigned char buf[DTLS1_AL_HEADER_LENGTH];
        unsigned char *ptr = &buf[0];
 
        s->s3->alert_dispatch=0;
@@ -1585,6 +1593,7 @@ int dtls1_dispatch_alert(SSL *s)
        *ptr++ = s->s3->send_alert[0];
        *ptr++ = s->s3->send_alert[1];
 
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
        if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
                {       
                s2n(s->d1->handshake_read_seq, ptr);
@@ -1600,6 +1609,7 @@ int dtls1_dispatch_alert(SSL *s)
 #endif
                l2n3(s->d1->r_msg_hdr.frag_off, ptr);
                }
+#endif
 
        i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0);
        if (i <= 0)
@@ -1609,8 +1619,11 @@ int dtls1_dispatch_alert(SSL *s)
                }
        else
                {
-               if ( s->s3->send_alert[0] == SSL3_AL_FATAL ||
-                       s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
+               if (s->s3->send_alert[0] == SSL3_AL_FATAL
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
+                   || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
+#endif
+                  )
                        (void)BIO_flush(s->wbio);
 
                if (s->msg_callback)

diff --git a/ssl/dtls1.h b/ssl/dtls1.h
index a663cf85f282dc76745a4f6020f5ff8ab95c2baf..f159d3711026af17d8445a6fb1b34c2921fea687 100644 (file)
--- a/ssl/dtls1.h
+++ b/ssl/dtls1.h
@@ -70,7 +70,10 @@ extern "C" {
 #define DTLS1_VERSION                  0xFEFF
 #define DTLS1_BAD_VER                  0x0100
 
+#if 0
+/* this alert description is not specified anywhere... */
 #define DTLS1_AD_MISSING_HANDSHAKE_MESSAGE    110
+#endif
 
 /* lengths of messages */
 #define DTLS1_COOKIE_LENGTH                     32
@@ -84,7 +87,11 @@ extern "C" {
 
 #define DTLS1_CCS_HEADER_LENGTH                  1
 
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
 #define DTLS1_AL_HEADER_LENGTH                   7
+#else
+#define DTLS1_AL_HEADER_LENGTH                   2
+#endif
 
 
 typedef struct dtls1_bitmap_st

diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index c1518264c8c614eadcd937b3da731977b525afb3..3c4dec76d753fb71682c4ad0c5747757143a1809 100644 (file)
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -854,8 +854,10 @@ int tls1_alert_code(int code)
        case SSL_AD_INTERNAL_ERROR:     return(TLS1_AD_INTERNAL_ERROR);
        case SSL_AD_USER_CANCELLED:     return(TLS1_AD_USER_CANCELLED);
        case SSL_AD_NO_RENEGOTIATION:   return(TLS1_AD_NO_RENEGOTIATION);
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
        case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return 
                                          (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
+#endif
        default:                        return(-1);
                }
        }