Commit f281a8e1 authored by Joonghwan Lee, committed by Randeep

Send alert after bad client hello

Fix the following situation:
1. client tries OTM with the server
2. OTM completed
3. the server's network goes down and up => the DTLS session has been removed
4. client tries to send a request to a secure resource (e.g., /oic/sec/acl)
5. server prints a bad client error (MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO) and then ignores it
6. client never gets a response to it, even if it retries sending the same message

Change-Id: Ie2cd3eaa49fc8782522126799994a5cd47cfaf4e
Signed-off-by: Dmitriy Zhuravlev <d.zhuravlev@samsung.com>
Signed-off-by: Oleksii Beketov <ol.beketov@samsung.com>
Signed-off-by: Joonghwan Lee <jh05.lee@samsung.com>
Reviewed-on: https://gerrit.iotivity.org/gerrit/15853
Tested-by: jenkins-iotivity <jenkins-iotivity@opendaylight.org>
Reviewed-by: Randeep Singh <randeep.s@samsung.com>
(cherry picked from commit 7241811f)
Reviewed-on: https://gerrit.iotivity.org/gerrit/15855
Tested-by: jenkins-iotivity <jenkins@iotivity.org>
Reviewed-by: Kevin Kane <kkane@microsoft.com>
Reviewed-by: Mats Wichmann <mats@linux.com>
parent d12b8539
......@@ -214,25 +214,32 @@ if (g_sslCallback)
* @param[in] msg allert message
*/
#define SSL_CHECK_FAIL(peer, ret, str, mutex, error, msg) \
if (0 != (ret) && MBEDTLS_ERR_SSL_WANT_READ != (int) (ret) && \
MBEDTLS_ERR_SSL_WANT_WRITE != (int) (ret) && \
if (MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY != (int) (ret) && \
MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED != (int) (ret) && \
MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY != (int) (ret)) \
MBEDTLS_ERR_SSL_WANT_READ != (int) (ret) && \
MBEDTLS_ERR_SSL_WANT_WRITE != (int) (ret) && \
MBEDTLS_ERR_SSL_NON_FATAL != (int) (ret) && \
MBEDTLS_SSL_ALERT_MSG_USER_CANCELED != (int) (ret) && \
MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION != (int) (ret) && \
MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT != (int) (ret) && \
MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY != (int) (ret) && \
MBEDTLS_SSL_ALERT_MSG_NO_CERT != (int) (ret) && \
MBEDTLS_SSL_ALERT_MSG_BAD_CERT != (int) (ret) && \
MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT != (int) (ret) && \
MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED != (int) (ret) && \
MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED != (int) (ret) && \
MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN != (int) (ret) && \
MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK != (int) (ret) && \
MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME != (int) (ret) && \
MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY != (int) (ret) && \
MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL != (int) (ret)) \
{ \
OIC_LOG_V(ERROR, NET_SSL_TAG, "%s: -0x%x", (str), -(ret)); \
if ((int) MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE != (int) (ret) && \
(int) MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO != (int) (ret)) \
if ((int) MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE != (int) (ret)) \
{ \
mbedtls_ssl_send_alert_message(&(peer)->ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, (msg)); \
} \
if ((int) MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE == (int) (ret) && \
((int) MBEDTLS_SSL_ALERT_MSG_DECRYPTION_FAILED == (peer)->ssl.in_msg[1] || \
(int) MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR == (peer)->ssl.in_msg[1] || \
(int) MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE == (peer)->ssl.in_msg[1] || \
(int) MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC == (peer)->ssl.in_msg[1])) \
{ \
SSL_RES((peer), CA_DTLS_AUTHENTICATION_FAILURE); \
} \
SSL_RES((peer), CA_DTLS_AUTHENTICATION_FAILURE); \
RemovePeerFromList(&(peer)->sep.endpoint); \
if (mutex) \
{ \
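Review bot: the fourteen new comparisons from `MBEDTLS_SSL_ALERT_MSG_USER_CANCELED != (int) (ret)` down to `MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL != (int) (ret)` test `ret`, a negative mbed TLS return code, against alert description numbers, which are small non-negative byte values that the mbed TLS API never returns; a fatal alert from the peer surfaces as `MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE` with the description in `(peer)->ssl.in_msg[1]`, which is exactly what the removed block at the bottom of this hunk inspected. The only one of those comparisons that can ever be false is `MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY != (int) (ret)`, because that constant is 0, and since the explicit `0 != (ret)` guard on the old first line was dropped, that accidental match is now the sole thing keeping a successful `ret == 0` out of the error branch. Suggest restoring `0 != (ret)` at the head of the condition, keeping the `MBEDTLS_ERR_SSL_*` exclusions (`MBEDTLS_ERR_SSL_NON_FATAL` included), and, if specific peer alerts should be tolerated, checking `(peer)->ssl.in_msg[1]` under `MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE == (int) (ret)` rather than comparing the alert numbers to `ret`. Separately, with the inner condition removed, `SSL_RES((peer), CA_DTLS_AUTHENTICATION_FAILURE)` now fires for every failure, including the stale-session `MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO` case this change is meant to surface, so the upper layer cannot distinguish a genuine credential failure from a session that merely needs a fresh handshake; a distinct result code for the re-handshake case, or at least a comment stating that the conflation is intended, would help.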