Don't allow fragmented alerts

[openssl.git] / ssl / record / rec_layer_s3.c
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c

index bff93ebfffba57bc3f9b325361535b85a6b372d8..dabb02cf1b021438f2810ed663b582ef6379934d 100644 (file)
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -17,6 +17,7 @@
  #include <openssl/buffer.h>
  #include <openssl/rand.h>
  #include "record_locl.h"
+#include "../packet_locl.h"
  
  #if     defined(OPENSSL_SMALL_FOOTPRINT) || \
          !(      defined(AES_ASM) &&     ( \
@@ -47,8 +48,6 @@ void RECORD_LAYER_clear(RECORD_LAYER *rl)
      rl->packet = NULL;
      rl->packet_length = 0;
      rl->wnum = 0;
-    memset(rl->alert_fragment, 0, sizeof(rl->alert_fragment));
-    rl->alert_fragment_len = 0;
      memset(rl->handshake_fragment, 0, sizeof(rl->handshake_fragment));
      rl->handshake_fragment_len = 0;
      rl->wpend_tot = 0;
@@ -995,6 +994,13 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
              s->msg_callback(1, 0, SSL3_RT_HEADER, recordstart,
                              SSL3_RT_HEADER_LENGTH, s,
                              s->msg_callback_arg);
+
+            if (SSL_TREAT_AS_TLS13(s) && s->enc_write_ctx != NULL) {
+                unsigned char ctype = type;
+
+                s->msg_callback(1, s->version, SSL3_RT_INNER_CONTENT_TYPE,
+                                &ctype, 1, s, s->msg_callback_arg);
+            }
          }
  
          if (!WPACKET_finish(thispkt)) {
@@ -1395,10 +1401,6 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
              dest_maxlen = sizeof s->rlayer.handshake_fragment;
              dest = s->rlayer.handshake_fragment;
              dest_len = &s->rlayer.handshake_fragment_len;
-        } else if (SSL3_RECORD_get_type(rr) == SSL3_RT_ALERT) {
-            dest_maxlen = sizeof s->rlayer.alert_fragment;
-            dest = s->rlayer.alert_fragment;
-            dest_len = &s->rlayer.alert_fragment_len;
          }
  
          if (dest_maxlen > 0) {
@@ -1422,7 +1424,6 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
  
      /*-
       * s->rlayer.handshake_fragment_len == 4  iff  rr->type == SSL3_RT_HANDSHAKE;
-     * s->rlayer.alert_fragment_len == 2      iff  rr->type == SSL3_RT_ALERT.
       * (Possibly rr is 'empty' now, i.e. rr->length may be 0.)
       */
  
@@ -1445,15 +1446,23 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
          ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
          goto start;
      }
-    if (s->rlayer.alert_fragment_len >= 2) {
-        int alert_level = s->rlayer.alert_fragment[0];
-        int alert_descr = s->rlayer.alert_fragment[1];
-
-        s->rlayer.alert_fragment_len = 0;
+    if (SSL3_RECORD_get_type(rr) == SSL3_RT_ALERT) {
+        unsigned int alert_level, alert_descr;
+        unsigned char *alert_bytes = SSL3_RECORD_get_data(rr)
+                                     + SSL3_RECORD_get_off(rr);
+        PACKET alert;
+
+        if (!PACKET_buf_init(&alert, alert_bytes, SSL3_RECORD_get_length(rr))
+                || !PACKET_get_1(&alert, &alert_level)
+                || !PACKET_get_1(&alert, &alert_descr)
+                || PACKET_remaining(&alert) != 0) {
+            al = SSL_AD_UNEXPECTED_MESSAGE;
+            SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_INVALID_ALERT);
+            goto f_err;
+        }
  
          if (s->msg_callback)
-            s->msg_callback(0, s->version, SSL3_RT_ALERT,
-                            s->rlayer.alert_fragment, 2, s,
+            s->msg_callback(0, s->version, SSL3_RT_ALERT, alert_bytes, 2, s,
                              s->msg_callback_arg);
  
          if (s->info_callback != NULL)
@@ -1481,6 +1490,15 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
                  s->shutdown |= SSL_RECEIVED_SHUTDOWN;
                  return 0;
              }
+            /*
+             * Apart from close_notify the only other warning alert in TLSv1.3
+             * is user_cancelled - which we just ignore.
+             */
+            if (SSL_IS_TLS13(s) && alert_descr != SSL_AD_USER_CANCELLED) {
+                al = SSL_AD_ILLEGAL_PARAMETER;
+                SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNKNOWN_ALERT_TYPE);
+                goto f_err;
+            }
              /*
               * This is a warning but we receive it if we requested
               * renegotiation and the peer denied it. Terminate with a fatal
@@ -1489,7 +1507,7 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
               * future we might have a renegotiation where we don't care if
               * the peer refused it where we carry on.
               */
-            else if (alert_descr == SSL_AD_NO_RENEGOTIATION) {
+            if (alert_descr == SSL_AD_NO_RENEGOTIATION) {
                  al = SSL_AD_HANDSHAKE_FAILURE;
                  SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_NO_RENEGOTIATION);
                  goto f_err;