From 57282140a99688c3e5384b7b60bd211ae358c17d Mon Sep 17 00:00:00 2001
From: Marco Oliverio
Date: Thu, 4 Dec 2025 11:02:33 +0100
Subject: [PATCH] WOLFSSL_CHECK_ALERT_ON_ERR: ignore non fatal errors

---
 src/internal.c | 39 ++++++++++++++++++++++++++++-----------
 src/ssl.c | 29 ++++++++++++++-----------------
 src/tls13.c | 6 +++---
 wolfssl/internal.h | 4 ++++
 4 files changed, 49 insertions(+), 29 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index 111eb9ffd..9d482a06a 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -22292,17 +22292,6 @@ static int DoProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
         return ssl->error;
     }
 
-    /* If checking alert on error (allowSocketErr == 1) do not try and
-     * process alerts for async or ocsp non blocking */
-#if defined(WOLFSSL_CHECK_ALERT_ON_ERR) && \
-    (defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP))
-    if (allowSocketErr == 1 && \
-        (ssl->error == WC_NO_ERR_TRACE(WC_PENDING_E) ||
-         ssl->error == WC_NO_ERR_TRACE(OCSP_WANT_READ))) {
-        return ssl->error;
-    }
-#endif
-
 #if defined(WOLFSSL_DTLS) && defined(WOLFSSL_ASYNC_CRYPT)
     /* process any pending DTLS messages - this flow can happen with async */
     if (ssl->dtls_rx_msg_list != NULL) {
@@ -42524,6 +42513,34 @@ int wolfSSL_TestAppleNativeCertValidation_AppendCA(WOLFSSL_CTX* ctx,
 #endif /* defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
 
+#if defined(WOLFSSL_CHECK_ALERT_ON_ERR)
+/* Do not try to process error for async, non blocking io, and app_read */
+void wolfSSL_maybeCheckAlertOnErr(WOLFSSL* ssl, int err)
+{
+#if defined(WOLFSSL_ASYNC_CRYPT)
+    if (err == WC_NO_ERR_TRACE(WC_PENDING_E)) {
+        return;
+    }
+#endif
+#if defined(WOLFSSL_NONBLOCK_OCSP)
+    if (err == WC_NO_ERR_TRACE(OCSP_WANT_READ)) {
+        return;
+    }
+#endif
+#if defined(WOLFSSL_EARLY_DATA)
+    if (err == WC_NO_ERR_TRACE(APP_DATA_READY)) {
+        return;
+    }
+#endif
+    if (err == WC_NO_ERR_TRACE(WANT_WRITE) ||
+        err == WC_NO_ERR_TRACE(WANT_READ)) {
+        return;
+    }
+    /* check if an alert was sent */
+    ProcessReplyEx(ssl, 1);
+}
+#endif /* WOLFSSL_CHECK_ALERT_ON_ERR */
+
 #undef ERROR_OUT
 
 #endif /* !WOLFCRYPT_ONLY */
 
diff --git a/src/ssl.c b/src/ssl.c
index 4c1f7b185..f413efe6b 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -10592,7 +10592,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
             if (ssl->options.sendVerify) {
                 if ( (ssl->error = SendCertificate(ssl)) != 0) {
                 #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
-                    ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
+                    wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error);
                 #endif
                     WOLFSSL_ERROR(ssl->error);
                     return WOLFSSL_FATAL_ERROR;
@@ -10613,7 +10613,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
             if (!ssl->options.resuming) {
                 if ( (ssl->error = SendClientKeyExchange(ssl)) != 0) {
                 #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
-                    ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
+                    wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error);
                 #endif
                 #ifdef WOLFSSL_EXTRA_ALERTS
                     if (ssl->error == WC_NO_ERR_TRACE(NO_PEER_KEY) ||
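Review bot: The WC_PENDING_E / OCSP_WANT_READ early return that the first hunk removes from DoProcessReplyEx protected every `ProcessReplyEx(ssl, 1)` caller, whereas the replacement filtering lives only inside wolfSSL_maybeCheckAlertOnErr; any direct `ProcessReplyEx(ssl, 1)` call site outside the ssl.c and tls13.c hunks of this patch (if one exists, I cannot see the whole tree) would now process replies while an async or non-blocking OCSP operation is still pending. The header comment says only what the function skips, not what it is for; I would replace it with a comment stating that the function is called after a handshake send fails under WOLFSSL_CHECK_ALERT_ON_ERR to read any alert the peer has sent (presumably so that ssl->error ends up reflecting the alert — confirm against DoProcessReplyEx), and that the retryable codes WC_PENDING_E, OCSP_WANT_READ, APP_DATA_READY, WANT_READ and WANT_WRITE are skipped because they do not indicate a peer alert. The discarded return value of ProcessReplyEx matches the prior call sites; a one-liner such as `/* return value intentionally ignored: only the ssl->error side effect is wanted */` on that line would make the intent explicit.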
@@ -10644,7 +10644,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
             if (ssl->options.sendVerify) {
                 if ( (ssl->error = SendCertificateVerify(ssl)) != 0) {
                 #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
-                    ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
+                    wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error);
                 #endif
                     WOLFSSL_ERROR(ssl->error);
                     return WOLFSSL_FATAL_ERROR;
@@ -10659,7 +10659,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
         case FIRST_REPLY_THIRD :
             if ( (ssl->error = SendChangeCipher(ssl)) != 0) {
             #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
-                ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
+                wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error);
             #endif
                 WOLFSSL_ERROR(ssl->error);
                 return WOLFSSL_FATAL_ERROR;
@@ -10672,7 +10672,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
         case FIRST_REPLY_FOURTH :
             if ( (ssl->error = SendFinished(ssl)) != 0) {
             #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
-                ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
+                wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error);
             #endif
                 WOLFSSL_ERROR(ssl->error);
                 return WOLFSSL_FATAL_ERROR;
@@ -11052,7 +11052,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
             }
             if ( (ssl->error = SendServerHello(ssl)) != 0) {
             #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
-                ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
+                wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error);
             #endif
                 WOLFSSL_ERROR(ssl->error);
                 return WOLFSSL_FATAL_ERROR;
@@ -11071,7 +11071,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
             if (!ssl->options.resuming)
                 if ( (ssl->error = SendCertificate(ssl)) != 0) {
                 #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
-                    ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
+                    wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error);
                 #endif
                     WOLFSSL_ERROR(ssl->error);
                     return WOLFSSL_FATAL_ERROR;
@@ -11086,7 +11086,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
             if (!ssl->options.resuming)
                 if ( (ssl->error = SendCertificateStatus(ssl)) != 0) {
                 #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
-                    ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
+                    wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error);
                 #endif
                     WOLFSSL_ERROR(ssl->error);
                     return WOLFSSL_FATAL_ERROR;
@@ -11105,7 +11105,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
             if (!ssl->options.resuming)
                 if ( (ssl->error = SendServerKeyExchange(ssl)) != 0) {
                 #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
-                    ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
+                    wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error);
                 #endif
                     WOLFSSL_ERROR(ssl->error);
                     return WOLFSSL_FATAL_ERROR;
@@ -11120,8 +11120,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
             if (ssl->options.verifyPeer) {
                 if ( (ssl->error = SendCertificateRequest(ssl)) != 0) {
                 #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
-                    /* See if an alert was sent. */
-                    ProcessReplyEx(ssl, 1);
+                    wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error);
                 #endif
                     WOLFSSL_ERROR(ssl->error);
                     return WOLFSSL_FATAL_ERROR;
@@ -11141,7 +11140,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
             if (!ssl->options.resuming)
                 if ( (ssl->error = SendServerHelloDone(ssl)) != 0) {
                 #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
-                    ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
+                    wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error);
                 #endif
                     WOLFSSL_ERROR(ssl->error);
                     return WOLFSSL_FATAL_ERROR;
@@ -11182,7 +11181,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
             if (ssl->options.createTicket && !ssl->options.noTicketTls12) {
                 if ( (ssl->error = SendTicket(ssl)) != 0) {
                 #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
-                    ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
+                    wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error);
                 #endif
                     WOLFSSL_MSG("Thought we need ticket but failed");
                     WOLFSSL_ERROR(ssl->error);
@@ -11203,7 +11202,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
 
             if ( (ssl->error = SendChangeCipher(ssl)) != 0) {
             #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
-                ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
+                wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error);
             #endif
                 WOLFSSL_ERROR(ssl->error);
                 return WOLFSSL_FATAL_ERROR;
@@ -11215,7 +11214,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
         case CHANGE_CIPHER_SENT :
             if ( (ssl->error = SendFinished(ssl)) != 0) {
             #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
-                ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
+                wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error);
             #endif
                 WOLFSSL_ERROR(ssl->error);
                 return WOLFSSL_FATAL_ERROR;
diff --git a/src/tls13.c b/src/tls13.c
index 98409f3a4..8de5dc882 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -13548,7 +13548,7 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl)
             ssl->error = SendTls13Certificate(ssl);
             if (ssl->error != 0) {
             #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
-                ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
+                wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error);
             #endif
                 WOLFSSL_ERROR(ssl->error);
                 return WOLFSSL_FATAL_ERROR;
@@ -13570,7 +13570,7 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl)
             ssl->error = SendTls13CertificateVerify(ssl);
             if (ssl->error != 0) {
             #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
-                ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
+                wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error);
             #endif
                 WOLFSSL_ERROR(ssl->error);
                 return WOLFSSL_FATAL_ERROR;
@@ -13586,7 +13586,7 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl)
         case FIRST_REPLY_FOURTH:
             if ((ssl->error = SendTls13Finished(ssl)) != 0) {
             #ifdef WOLFSSL_CHECK_ALERT_ON_ERR
-                ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
+                wolfSSL_maybeCheckAlertOnErr(ssl, ssl->error);
             #endif
                 WOLFSSL_ERROR(ssl->error);
                 return WOLFSSL_FATAL_ERROR;
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index c975865ca..7c253d89f 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -7240,6 +7240,10 @@ WOLFSSL_LOCAL int pkcs8_encrypt(WOLFSSL_EVP_PKEY* pkey,
                                 word32* keySz);
 #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
 
+#if defined(WOLFSSL_CHECK_ALERT_ON_ERR)
+WOLFSSL_LOCAL void wolfSSL_maybeCheckAlertOnErr(WOLFSSL* ssl, int err);
+#endif
+
 #ifdef __cplusplus
     } /* extern "C" */
 #endif
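Review bot: The new prototype is added without any comment, so a reader of internal.h cannot tell that `err` is expected to be the error code of the send that just failed or that the call is a no-op for retryable codes. I would put a short comment above the declaration, e.g. `/* After a failed handshake send, read any alert the peer sent; does nothing for non-fatal err codes (WANT_READ/WANT_WRITE, pending async/OCSP, early data) */`, so callers know which codes short-circuit without opening internal.c.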