Merge pull request #9655 from gilles-peskine-arm/dtls_server-allow_un…

…expected_message_on_second_handshake-3.6 Backport 3.6: dtls_server: allow unexpected message on second handshake
Mbed-TLS · Oct 2, 2024 · 711d583 · 711d583
2 parents cab2318 + 6f8ff55
commit 711d583
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 11 deletions.
diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c
@@ -291,7 +291,14 @@ int main(void)
  ret = 0;
  goto reset;
  } else if (ret != 0) {
- printf(" failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n", (unsigned int) -ret);
+ printf(" failed\n ! mbedtls_ssl_handshake returned -0x%x\n", (unsigned int) -ret);
+ if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE) {
+ printf(" An unexpected message was received from our peer. If this happened at\n");
+ printf(" the beginning of the handshake, this is likely a duplicated packet or\n");
+ printf(" a close_notify alert from the previous connection, which is harmless.\n");
+ ret = 0;
+ }
+ printf("\n");
  goto reset;
  }
 

diff --git a/tests/opt-testcases/sample.sh b/tests/opt-testcases/sample.sh
@@ -325,11 +325,6 @@ run_test "Sample: ssl_pthread_server, gnutls client, TLS 1.3" \
  -S "error" \
  -C "ERROR"
 
-# The server complains of extra data after it closes the connection
-# because the client keeps sending data, so the server receives
-# more application data when it expects a new handshake. We consider
-# the test a success if both sides have sent and received application
-# data, no matter what happens afterwards.
 run_test "Sample: dtls_client with dtls_server" \
  -P 4433 \
  "$PROGRAMS_DIR/dtls_server" \
@@ -339,13 +334,9 @@ run_test "Sample: dtls_client with dtls_server" \
  -s "[1-9][0-9]* bytes written" \
  -c "[1-9][0-9]* bytes read" \
  -c "[1-9][0-9]* bytes written" \
+ -S "error" \
  -C "error"
 
-# The server complains of extra data after it closes the connection
-# because the client keeps sending data, so the server receives
-# more application data when it expects a new handshake. We consider
-# the test a success if both sides have sent and received application
-# data, no matter what happens afterwards.
 run_test "Sample: ssl_client2, dtls_server" \
  -P 4433 \
  "$PROGRAMS_DIR/dtls_server" \
@@ -355,6 +346,7 @@ run_test "Sample: ssl_client2, dtls_server" \
  -s "[1-9][0-9]* bytes written" \
  -c "[1-9][0-9]* bytes read" \
  -c "[1-9][0-9]* bytes written" \
+ -S "error" \
  -C "error"
 
 requires_protocol_version dtls12