Reject warning alerts in TLS 1.3.
As of https://github.com/tlswg/tls13-spec/pull/530, they're gone. They're still allowed just before the ClientHello or ServerHello, which is kind of odd, but so it goes. BUG=86 Change-Id: I3d556ab45e42d0755d23566e006c0db9af35b7b6 Reviewed-on: https://boringssl-review.googlesource.com/9114 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
parent
7259f2fd08
commit
e8e84b9008
@ -1925,22 +1925,44 @@ func addBasicTests() {
|
|||||||
expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
|
expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "SendWarningAlerts-Pass",
|
name: "SendWarningAlerts-Pass",
|
||||||
|
config: Config{
|
||||||
|
MaxVersion: VersionTLS12,
|
||||||
|
},
|
||||||
sendWarningAlerts: 4,
|
sendWarningAlerts: 4,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
protocol: dtls,
|
protocol: dtls,
|
||||||
name: "SendWarningAlerts-DTLS-Pass",
|
name: "SendWarningAlerts-DTLS-Pass",
|
||||||
|
config: Config{
|
||||||
|
MaxVersion: VersionTLS12,
|
||||||
|
},
|
||||||
sendWarningAlerts: 4,
|
sendWarningAlerts: 4,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "SendWarningAlerts",
|
name: "SendWarningAlerts-TLS13",
|
||||||
|
config: Config{
|
||||||
|
MaxVersion: VersionTLS13,
|
||||||
|
},
|
||||||
|
sendWarningAlerts: 4,
|
||||||
|
shouldFail: true,
|
||||||
|
expectedError: ":BAD_ALERT:",
|
||||||
|
expectedLocalError: "remote error: error decoding message",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "SendWarningAlerts",
|
||||||
|
config: Config{
|
||||||
|
MaxVersion: VersionTLS12,
|
||||||
|
},
|
||||||
sendWarningAlerts: 5,
|
sendWarningAlerts: 5,
|
||||||
shouldFail: true,
|
shouldFail: true,
|
||||||
expectedError: ":TOO_MANY_WARNING_ALERTS:",
|
expectedError: ":TOO_MANY_WARNING_ALERTS:",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "SendWarningAlerts-Async",
|
name: "SendWarningAlerts-Async",
|
||||||
|
config: Config{
|
||||||
|
MaxVersion: VersionTLS12,
|
||||||
|
},
|
||||||
sendWarningAlerts: 5,
|
sendWarningAlerts: 5,
|
||||||
flags: []string{"-async"},
|
flags: []string{"-async"},
|
||||||
shouldFail: true,
|
shouldFail: true,
|
||||||
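Review bot: The new SendWarningAlerts-TLS13 case only pins the rejection of warning alerts once TLS 1.3 has been negotiated; the commit message says they remain allowed just before the ClientHello/ServerHello, and no case here covers that pre-negotiation path, so a regression that starts rejecting them there would not be caught (whether the runner can emit sendWarningAlerts that early is not visible in this hunk). The count `sendWarningAlerts: 4` in the TLS13 case deliberately mirrors the TLS 1.2 pass case rather than the 5 of the fail cases, which is worth stating in place: `// Even the count the TLS 1.2 pass case tolerates is rejected at TLS 1.3.` The expectedLocalError "remote error: error decoding message" matches the decode_error alert chosen in the tls_record.c hunk, so the two sides agree. addBasicTests starts and ends outside the hunk.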
@ -3685,6 +3707,7 @@ func addStateMachineCoverageTests(config stateMachineTestConfig) {
|
|||||||
tests = append(tests, testCase{
|
tests = append(tests, testCase{
|
||||||
name: "Shutdown-Shim",
|
name: "Shutdown-Shim",
|
||||||
config: Config{
|
config: Config{
|
||||||
|
MaxVersion: VersionTLS12,
|
||||||
Bugs: ProtocolBugs{
|
Bugs: ProtocolBugs{
|
||||||
ExpectCloseNotify: true,
|
ExpectCloseNotify: true,
|
||||||
},
|
},
|
||||||
|
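Review bot: Pinning Shutdown-Shim to `MaxVersion: VersionTLS12` drops TLS 1.3 coverage of close_notify handling, which the accompanying tls_record.c change still accepts (the close_notify return sits above the new warning-alert check), and neither the hunk nor the commit message says why the pin is needed. If it is a runner limitation rather than intended behavior, say so next to the field so the pin is not mistaken for a protocol requirement, e.g. `MaxVersion: VersionTLS12, // TODO: drop once the runner can exercise shutdown at TLS 1.3`. addStateMachineCoverageTests starts and ends outside the hunk.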
@ -429,6 +429,14 @@ enum ssl_open_record_t ssl_process_alert(SSL *ssl, uint8_t *out_alert,
|
|||||||
return ssl_open_record_close_notify;
|
return ssl_open_record_close_notify;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Warning alerts do not exist in TLS 1.3. */
|
||||||
|
if (ssl->s3->have_version &&
|
||||||
|
ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
|
||||||
|
*out_alert = SSL_AD_DECODE_ERROR;
|
||||||
|
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ALERT);
|
||||||
|
return ssl_open_record_error;
|
||||||
|
}
|
||||||
|
|
||||||
ssl->s3->warning_alert_count++;
|
ssl->s3->warning_alert_count++;
|
||||||
if (ssl->s3->warning_alert_count > kMaxWarningAlerts) {
|
if (ssl->s3->warning_alert_count > kMaxWarningAlerts) {
|
||||||
*out_alert = SSL_AD_UNEXPECTED_MESSAGE;
|
*out_alert = SSL_AD_UNEXPECTED_MESSAGE;
|
||||||
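Review bot: The new check is gated on `ssl->s3->have_version`, which is what keeps warning alerts tolerated before version negotiation (the exception the commit message describes), but the comment only says warning alerts do not exist in TLS 1.3, so the gate reads like an afterthought rather than a deliberate carve-out; expand it to `/* Warning alerts do not exist in TLS 1.3. They are still tolerated before the version is negotiated, i.e. before ClientHello/ServerHello. */`. Placement is correct: the close_notify return immediately above means close_notify is still accepted at TLS 1.3, and the decode_error/BAD_ALERT pair matches what the runner test expects. Worth confirming against the draft that no other warning-level alert (user_canceled is the usual candidate) is meant to survive in TLS 1.3, since this path now fails the connection on any of them. ssl_process_alert starts and ends outside the hunk.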