From 0b367d79552401c221affa406b978a5b33d79032 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 11 May 2017 10:16:34 +0100 Subject: [PATCH] TLSv1.3 alerts cannot be fragmented and only one per record We should be validating that. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/3436) --- include/openssl/ssl.h | 1 + ssl/record/rec_layer_s3.c | 14 ++++++++++++++ ssl/ssl_err.c | 1 + 3 files changed, 16 insertions(+) diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 54028f66c9..23dde11808 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -2650,6 +2650,7 @@ int ERR_load_SSL_strings(void); # define SSL_R_INAPPROPRIATE_FALLBACK 373 # define SSL_R_INCONSISTENT_COMPRESSION 340 # define SSL_R_INCONSISTENT_EXTMS 104 +# define SSL_R_INVALID_ALERT 205 # define SSL_R_INVALID_COMMAND 280 # define SSL_R_INVALID_COMPRESSION_ALGORITHM 341 # define SSL_R_INVALID_CONFIGURATION_NAME 113 diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index 8d0a97be98..de112cc806 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -1422,6 +1422,20 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, if (SSL3_RECORD_get_length(rr) == 0) SSL3_RECORD_set_read(rr); + if (SSL_IS_TLS13(s) + && SSL3_RECORD_get_type(rr) == SSL3_RT_ALERT) { + if (*dest_len < dest_maxlen + || SSL3_RECORD_get_length(rr) != 0) { + /* + * TLSv1.3 forbids fragmented alerts, and only one alert + * may be present in a record + */ + al = SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_INVALID_ALERT); + goto f_err; + } + } + if (*dest_len < dest_maxlen) goto start; /* fragment was too small */ } diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index 06cd8521e5..42bd6aa678 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -609,6 +609,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = { {ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK), "inappropriate fallback"}, {ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION), "inconsistent compression"}, {ERR_REASON(SSL_R_INCONSISTENT_EXTMS), "inconsistent extms"}, + {ERR_REASON(SSL_R_INVALID_ALERT), "invalid alert"}, {ERR_REASON(SSL_R_INVALID_COMMAND), "invalid command"}, {ERR_REASON(SSL_R_INVALID_COMPRESSION_ALGORITHM), "invalid compression algorithm"}, -- 2.25.1