/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
/* Clear our SSL3_RECORD structures */
memset(wr, 0, sizeof(wr));
for (j = 0; j < numpipes; j++) {
- unsigned int version = SSL_TREAT_AS_TLS13(s) ? TLS1_2_VERSION
- : s->version;
+ unsigned int version = (s->version == TLS1_3_VERSION) ? TLS1_2_VERSION
+ : s->version;
unsigned char *compressdata = NULL;
size_t maxcomplen;
unsigned int rectype;
* In TLSv1.3, once encrypting, we always use application data for the
* record type
*/
- if (SSL_TREAT_AS_TLS13(s) && s->enc_write_ctx != NULL)
+ if (SSL_TREAT_AS_TLS13(s)
+ && s->enc_write_ctx != NULL
+ && (s->statem.enc_write_state != ENC_WRITE_STATE_WRITE_PLAIN_ALERTS
+ || type != SSL3_RT_ALERT))
rectype = SSL3_RT_APPLICATION_DATA;
else
rectype = type;
SSL3_RECORD_reset_input(&wr[j]);
}
- if (SSL_TREAT_AS_TLS13(s) && s->enc_write_ctx != NULL) {
+ if (SSL_TREAT_AS_TLS13(s)
+ && s->enc_write_ctx != NULL
+ && (s->statem.enc_write_state != ENC_WRITE_STATE_WRITE_PLAIN_ALERTS
+ || type != SSL3_RT_ALERT)) {
size_t rlen, max_send_fragment;
if (!WPACKET_put_bytes_u8(thispkt, type)) {
SSL3_RECORD_set_length(thiswr, len);
}
- if (s->early_data_state == SSL_EARLY_DATA_WRITING
- || s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY) {
+ if (s->statem.enc_write_state == ENC_WRITE_STATE_WRITE_PLAIN_ALERTS) {
/*
* We haven't actually negotiated the version yet, but we're trying to
* send early data - so we need to use the tls13enc function.
} while (num_recs == 0);
rr = &rr[curr_rec];
+ if (s->rlayer.handshake_fragment_len > 0
+ && SSL3_RECORD_get_type(rr) != SSL3_RT_HANDSHAKE
+ && SSL_IS_TLS13(s)) {
+ SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES,
+ SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA);
+ return -1;
+ }
+
/*
* Reset the count of consecutive warning alerts if we've got a non-empty
* record that isn't an alert.
return -1;
}
- /*
- * If we've sent a close_notify but not yet received one back then ditch
- * anything we read.
- */
- if ((s->shutdown & SSL_SENT_SHUTDOWN) != 0 ) {
- /*
- * In TLSv1.3 this could get problematic if we receive a KeyUpdate
- * message after we sent a close_notify because we're about to ditch it,
- * so we won't be able to read a close_notify sent afterwards! We don't
- * support that.
- */
- s->rwstate = SSL_NOTHING;
- SSL3_RECORD_set_length(rr, 0);
- SSL3_RECORD_set_read(rr);
+ if ((s->shutdown & SSL_SENT_SHUTDOWN) != 0) {
+ if (SSL3_RECORD_get_type(rr) == SSL3_RT_HANDSHAKE) {
+ BIO *rbio;
- if (SSL3_RECORD_get_type(rr) == SSL3_RT_HANDSHAKE
- && (s->mode & SSL_MODE_AUTO_RETRY) != 0)
- goto start;
- return 0;
+ /*
+ * We ignore any handshake messages sent to us unless they are
+ * TLSv1.3 in which case we want to process them. For all other
+ * handshake messages we can't do anything reasonable with them
+ * because we are unable to write any response due to having already
+ * sent close_notify.
+ */
+ if (!SSL_IS_TLS13(s)) {
+ SSL3_RECORD_set_length(rr, 0);
+ SSL3_RECORD_set_read(rr);
+
+ if ((s->mode & SSL_MODE_AUTO_RETRY) != 0)
+ goto start;
+
+ s->rwstate = SSL_READING;
+ rbio = SSL_get_rbio(s);
+ BIO_clear_retry_flags(rbio);
+ BIO_set_retry_read(rbio);
+ return -1;
+ }
+ } else {
+ /*
+ * The peer is continuing to send application data, but we have
+ * already sent close_notify. If this was expected we should have
+ * been called via SSL_read() and this would have been handled
+ * above.
+ * No alert sent because we already sent close_notify
+ */
+ SSL3_RECORD_set_length(rr, 0);
+ SSL3_RECORD_set_read(rr);
+ SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_READ_BYTES,
+ SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY);
+ return -1;
+ }
}
/*