Merge pull request #9655 from gilles-peskine-arm/dtls_server-allow_unexpected_message_on_second_handshake-3.6

Backport 3.6: dtls_server: allow unexpected message on second handshake
2025-02-15 06:40:48 +00:00 · 2024-10-02 10:36:12 +00:00 · 2024-10-02 10:36:12 +00:00 · 711d583583
commit 711d583583
parent cab2318c77 6f8ff55884
2 changed files with 10 additions and 11 deletions
--- a/programs/ssl/dtls_server.c
+++ b/programs/ssl/dtls_server.c
@ -291,7 +291,14 @@ reset:
        ret = 0;
        goto reset;
    } else if (ret != 0) {
-        printf(" failed\n  ! mbedtls_ssl_handshake returned -0x%x\n\n", (unsigned int) -ret);
+        printf(" failed\n  ! mbedtls_ssl_handshake returned -0x%x\n", (unsigned int) -ret);
+        if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE) {
+            printf("    An unexpected message was received from our peer. If this happened at\n");
+            printf("    the beginning of the handshake, this is likely a duplicated packet or\n");
+            printf("    a close_notify alert from the previous connection, which is harmless.\n");
+            ret = 0;
+        }
+        printf("\n");
        goto reset;
    }

--- a/tests/opt-testcases/sample.sh
+++ b/tests/opt-testcases/sample.sh
@ -325,11 +325,6 @@ run_test    "Sample: ssl_pthread_server, gnutls client, TLS 1.3" \
            -S "error" \
            -C "ERROR"

-# The server complains of extra data after it closes the connection
-# because the client keeps sending data, so the server receives
-# more application data when it expects a new handshake. We consider
-# the test a success if both sides have sent and received application
-# data, no matter what happens afterwards.
 run_test    "Sample: dtls_client with dtls_server" \
            -P 4433 \
            "$PROGRAMS_DIR/dtls_server" \
@ -339,13 +334,9 @@ run_test    "Sample: dtls_client with dtls_server" \
            -s "[1-9][0-9]* bytes written" \
            -c "[1-9][0-9]* bytes read" \
            -c "[1-9][0-9]* bytes written" \
+            -S "error" \
            -C "error"

-# The server complains of extra data after it closes the connection
-# because the client keeps sending data, so the server receives
-# more application data when it expects a new handshake. We consider
-# the test a success if both sides have sent and received application
-# data, no matter what happens afterwards.
 run_test    "Sample: ssl_client2, dtls_server" \
            -P 4433 \
            "$PROGRAMS_DIR/dtls_server" \
@ -355,6 +346,7 @@ run_test    "Sample: ssl_client2, dtls_server" \
            -s "[1-9][0-9]* bytes written" \
            -c "[1-9][0-9]* bytes read" \
            -c "[1-9][0-9]* bytes written" \
+            -S "error" \
            -C "error"

 requires_protocol_version dtls12