Reject warning alerts in TLS 1.3.

As of https://github.com/tlswg/tls13-spec/pull/530, they're gone.
They're still allowed just before the ClientHello or ServerHello, which
is kind of odd, but so it goes.

BUG=86

Change-Id: I3d556ab45e42d0755d23566e006c0db9af35b7b6
Reviewed-on: https://boringssl-review.googlesource.com/9114
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
This commit is contained in:
David Benjamin 2016-08-03 15:39:47 -04:00 committed by CQ bot account: commit-bot@chromium.org
parent 7259f2fd08
commit e8e84b9008
2 changed files with 36 additions and 5 deletions


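--- a/PATH_PLACEHOLDER
+++ b/PATH_PLACEHOLDER
@@ -1925,22 +1925,44 @@ func addBasicTests() {
 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
 },
 {
 name: "SendWarningAlerts-Pass",
+config: Config{
+MaxVersion: VersionTLS12,
+},
 sendWarningAlerts: 4,
 },
 {
 protocol: dtls,
 name: "SendWarningAlerts-DTLS-Pass",
+config: Config{
+MaxVersion: VersionTLS12,
+},
 sendWarningAlerts: 4,
 },
 {
-name: "SendWarningAlerts",
+name: "SendWarningAlerts-TLS13",
+config: Config{
+MaxVersion: VersionTLS13,
+},
+sendWarningAlerts: 4,
+shouldFail: true,
+expectedError: ":BAD_ALERT:",
+expectedLocalError: "remote error: error decoding message",
+},
+{
+name: "SendWarningAlerts",
+config: Config{
+MaxVersion: VersionTLS12,
+},
 sendWarningAlerts: 5,
 shouldFail: true,
 expectedError: ":TOO_MANY_WARNING_ALERTS:",
 },
 {
 name: "SendWarningAlerts-Async",
+config: Config{
+MaxVersion: VersionTLS12,
+},
 sendWarningAlerts: 5,
 flags: []string{"-async"},
 shouldFail: true,
@@ -3685,6 +3707,7 @@ func addStateMachineCoverageTests(config stateMachineTestConfig) {
 tests = append(tests, testCase{
 name: "Shutdown-Shim",
 config: Config{
+MaxVersion: VersionTLS12,
 Bugs: ProtocolBugs{
 ExpectCloseNotify: true,
 },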
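Review bot: The new SendWarningAlerts-TLS13 case sends four warning alerts, so it does not by itself show that a single warning alert is fatal under TLS 1.3, and four is exactly the count the -Pass cases establish as the TLS 1.2 limit. Setting `sendWarningAlerts: 1,` would pin the stricter property the commit message claims (any warning alert is rejected with :BAD_ALERT: before the warning counter is reached) and keep the case clearly distinct from the TOO_MANY_WARNING_ALERTS cases. In the second hunk, Shutdown-Shim is pinned to TLS 1.2 with no explanation; if close_notify is still expected to be accepted under TLS 1.3, a comment such as `// TODO: run under TLS 1.3 once close_notify handling there is settled` (or a TLS 1.3 twin of the case) would tell the next reader whether the missing coverage is deliberate. Both addBasicTests and addStateMachineCoverageTests continue outside the hunks.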


@ -429,6 +429,14 @@ enum ssl_open_record_t ssl_process_alert(SSL *ssl, uint8_t *out_alert,
return ssl_open_record_close_notify; return ssl_open_record_close_notify;
} }
/* Warning alerts do not exist in TLS 1.3. */
if (ssl->s3->have_version &&
ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
*out_alert = SSL_AD_DECODE_ERROR;
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ALERT);
return ssl_open_record_error;
}
ssl->s3->warning_alert_count++; ssl->s3->warning_alert_count++;
if (ssl->s3->warning_alert_count > kMaxWarningAlerts) { if (ssl->s3->warning_alert_count > kMaxWarningAlerts) {
*out_alert = SSL_AD_UNEXPECTED_MESSAGE; *out_alert = SSL_AD_UNEXPECTED_MESSAGE;