Reject warning alerts in TLS 1.3.

As of https://github.com/tlswg/tls13-spec/pull/530, they're gone. They're still allowed just before the ClientHello or ServerHello, which is kind of odd, but so it goes. BUG=86 Change-Id: I3d556ab45e42d0755d23566e006c0db9af35b7b6 Reviewed-on: https://boringssl-review.googlesource.com/9114 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-08-03 15:39:47 -04:00 · 2016-08-03 15:39:47 -04:00 · e8e84b9008
commit e8e84b9008
parent 7259f2fd08
2 changed files with 36 additions and 5 deletions
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@ -1925,22 +1925,44 @@ func addBasicTests() {
 			expectedError:    ":TOO_MANY_EMPTY_FRAGMENTS:",
 		},
 		{
-			name:              "SendWarningAlerts-Pass",
+			name: "SendWarningAlerts-Pass",
+			config: Config{
+				MaxVersion: VersionTLS12,
+			},
 			sendWarningAlerts: 4,
 		},
 		{
-			protocol:          dtls,
-			name:              "SendWarningAlerts-DTLS-Pass",
+			protocol: dtls,
+			name:     "SendWarningAlerts-DTLS-Pass",
+			config: Config{
+				MaxVersion: VersionTLS12,
+			},
 			sendWarningAlerts: 4,
 		},
 		{
-			name:              "SendWarningAlerts",
+			name: "SendWarningAlerts-TLS13",
+			config: Config{
+				MaxVersion: VersionTLS13,
+			},
+			sendWarningAlerts:  4,
+			shouldFail:         true,
+			expectedError:      ":BAD_ALERT:",
+			expectedLocalError: "remote error: error decoding message",
+		},
+		{
+			name: "SendWarningAlerts",
+			config: Config{
+				MaxVersion: VersionTLS12,
+			},
 			sendWarningAlerts: 5,
 			shouldFail:        true,
 			expectedError:     ":TOO_MANY_WARNING_ALERTS:",
 		},
 		{
-			name:              "SendWarningAlerts-Async",
+			name: "SendWarningAlerts-Async",
+			config: Config{
+				MaxVersion: VersionTLS12,
+			},
 			sendWarningAlerts: 5,
 			flags:             []string{"-async"},
 			shouldFail:        true,
@ -3685,6 +3707,7 @@ func addStateMachineCoverageTests(config stateMachineTestConfig) {
 		tests = append(tests, testCase{
 			name: "Shutdown-Shim",
 			config: Config{
+				MaxVersion: VersionTLS12,
 				Bugs: ProtocolBugs{
 					ExpectCloseNotify: true,
 				},
--- a/ssl/tls_record.c
+++ b/ssl/tls_record.c
@ -429,6 +429,14 @@ enum ssl_open_record_t ssl_process_alert(SSL *ssl, uint8_t *out_alert,
      return ssl_open_record_close_notify;
    }

+    /* Warning alerts do not exist in TLS 1.3. */
+    if (ssl->s3->have_version &&
+        ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
+      *out_alert = SSL_AD_DECODE_ERROR;
+      OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ALERT);
+      return ssl_open_record_error;
+    }
+
    ssl->s3->warning_alert_count++;
    if (ssl->s3->warning_alert_count > kMaxWarningAlerts) {
      *out_alert = SSL_AD_UNEXPECTED_MESSAGE;