* [PATCH] tls: Flush rx buffer on failure
@ 2018-05-09 11:13 Andrew Zaborowski
2018-05-09 13:55 ` Denis Kenzior
0 siblings, 1 reply; 2+ messages in thread
From: Andrew Zaborowski @ 2018-05-09 11:13 UTC (permalink / raw)
To: ell
[-- Attachment #1: Type: text/plain, Size: 1957 bytes --]
When we send an Alert message to the peer (and our alerts are always
fatal) ignore any buffered messages we've received. When the
certificate chain verification fails on a client we are usually
processing the third message in a sequence of five received from the
server. We would then send an Alert and forget the negotiated state,
then process the two remaining messages which would result in two more
Alerts being sent, with the default TLS 1.0 version header. There is
no need to process those remaining messages.
---
ell/tls-private.h | 1 +
ell/tls-record.c | 10 ++++++++++
2 files changed, 11 insertions(+)
diff --git a/ell/tls-private.h b/ell/tls-private.h
index d501651..8c068c6 100644
--- a/ell/tls-private.h
+++ b/ell/tls-private.h
@@ -147,6 +147,7 @@ struct l_tls {
uint8_t *record_buf;
int record_buf_len;
int record_buf_max_len;
+ bool record_flush;
uint8_t *message_buf;
int message_buf_len;
diff --git a/ell/tls-record.c b/ell/tls-record.c
index c0e5834..0ad03ed 100644
--- a/ell/tls-record.c
+++ b/ell/tls-record.c
@@ -181,6 +181,9 @@ void tls_tx_record(struct l_tls *tls, enum tls_content_type type,
uint16_t fragment_len;
uint16_t version = tls->negotiated_version ?: TLS_MIN_VERSION;
+ if (type == TLS_CT_ALERT)
+ tls->record_flush = true;
+
while (len) {
fragment = buf + TX_RECORD_HEADROOM;
fragment_len = len < TX_RECORD_MAX_LEN ?
@@ -492,6 +495,8 @@ LIB_EXPORT void l_tls_handle_rx(struct l_tls *tls, const uint8_t *data,
int need_len;
int chunk_len;
+ tls->record_flush = false;
+
/* Reassemble TLSCiphertext structures from the received chunks */
while (1) {
@@ -506,6 +511,11 @@ LIB_EXPORT void l_tls_handle_rx(struct l_tls *tls, const uint8_t *data,
tls->record_buf_len = 0;
need_len = 5;
+
+ if (tls->record_flush) {
+ tls->record_flush = false;
+ break;
+ }
}
if (!len)
--
2.14.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] tls: Flush rx buffer on failure
2018-05-09 11:13 [PATCH] tls: Flush rx buffer on failure Andrew Zaborowski
@ 2018-05-09 13:55 ` Denis Kenzior
0 siblings, 0 replies; 2+ messages in thread
From: Denis Kenzior @ 2018-05-09 13:55 UTC (permalink / raw)
To: ell
[-- Attachment #1: Type: text/plain, Size: 769 bytes --]
Hi Andrew,
On 05/09/2018 06:13 AM, Andrew Zaborowski wrote:
> When we send an Alert message to the peer (and our alerts are always
> fatal) ignore any buffered messages we've received. When the
> certificate chain verification fails on a client we are usually
> processing the third message in a sequence of five received from the
> server. We would then send an Alert and forget the negotiated state,
> then process the two remaining messages which would result in two more
> Alerts being sent, with the default TLS 1.0 version header. There is
> no need to process those remaining messages.
> ---
> ell/tls-private.h | 1 +
> ell/tls-record.c | 10 ++++++++++
> 2 files changed, 11 insertions(+)
>
Applied, thanks.
Regards,
-Denis
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-05-09 13:55 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-05-09 11:13 [PATCH] tls: Flush rx buffer on failure Andrew Zaborowski
2018-05-09 13:55 ` Denis Kenzior
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.