forked from wolfSSL/wolfssl
Better handling of alerts
Better checking of encrypted alerts - check unencrypted data size correctly before using data. Send an alert if the alert isn't the right size. Send an alert if the maximum alert count has been reached - but don't send it if seeing close_notify alert.
This commit is contained in:
Sean Parkinson
@ -538,7 +538,7 @@ fi
|
||||
if test "$ENABLED_OPENSSLEXTRA" = "yes" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"
|
||||
then
|
||||
AM_CFLAGS="-DOPENSSL_EXTRA -DWOLFSSL_ALWAYS_VERIFY_CB $AM_CFLAGS"
|
||||
AM_CFLAGS="-DWOLFSSL_VERIFY_CB_ALL_CERTS $AM_CFLAGS"
|
||||
AM_CFLAGS="-DWOLFSSL_VERIFY_CB_ALL_CERTS -DWOLFSSL_EXTRA_ALERTS $AM_CFLAGS"
|
||||
fi
|
||||
|
||||
if test "$ENABLED_OPENSSLEXTRA" = "yes" && test "$ENABLED_SMALL" = "yes"
|
||||
|
||||
@ -12777,6 +12777,7 @@ static int DoAlert(WOLFSSL* ssl, byte* input, word32* inOutIdx, int* type,
|
||||
{
|
||||
byte level;
|
||||
byte code;
|
||||
word32 dataSz = totalSz - *inOutIdx;
|
||||
|
||||
#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
|
||||
if (ssl->hsInfoOn)
|
||||
@ -12788,14 +12789,16 @@ static int DoAlert(WOLFSSL* ssl, byte* input, word32* inOutIdx, int* type,
|
||||
READ_PROTO, ssl->heap);
|
||||
#endif
|
||||
|
||||
if (++ssl->options.alertCount >= WOLFSSL_ALERT_COUNT_MAX) {
|
||||
WOLFSSL_MSG("Alert count exceeded");
|
||||
return ALERT_COUNT_E;
|
||||
}
|
||||
if (IsEncryptionOn(ssl, 0))
|
||||
dataSz -= ssl->keys.padSz;
|
||||
|
||||
/* make sure can read the message */
|
||||
if (*inOutIdx + ALERT_SIZE > totalSz)
|
||||
if (dataSz != ALERT_SIZE) {
|
||||
#ifdef WOLFSSL_EXTRA_ALERTS
|
||||
SendAlert(ssl, alert_fatal, unexpected_message);
|
||||
#endif
|
||||
return BUFFER_E;
|
||||
}
|
||||
|
||||
level = input[(*inOutIdx)++];
|
||||
code = input[(*inOutIdx)++];
|
||||
@ -12806,6 +12809,15 @@ static int DoAlert(WOLFSSL* ssl, byte* input, word32* inOutIdx, int* type,
|
||||
ssl->options.isClosed = 1; /* Don't send close_notify */
|
||||
}
|
||||
|
||||
if (++ssl->options.alertCount >= WOLFSSL_ALERT_COUNT_MAX) {
|
||||
WOLFSSL_MSG("Alert count exceeded");
|
||||
#ifdef WOLFSSL_EXTRA_ALERTS
|
||||
if (level != alert_warning || code != close_notify)
|
||||
SendAlert(ssl, alert_fatal, unexpected_message);
|
||||
#endif
|
||||
return ALERT_COUNT_E;
|
||||
}
|
||||
|
||||
WOLFSSL_MSG("Got alert");
|
||||
if (*type == close_notify) {
|
||||
WOLFSSL_MSG("\tclose notify");
|
||||
@ -12813,18 +12825,15 @@ static int DoAlert(WOLFSSL* ssl, byte* input, word32* inOutIdx, int* type,
|
||||
}
|
||||
#ifdef WOLFSSL_TLS13
|
||||
if (*type == decode_error) {
|
||||
WOLFSSL_MSG(" decode error");
|
||||
WOLFSSL_MSG("\tdecode error");
|
||||
}
|
||||
if (*type == illegal_parameter) {
|
||||
WOLFSSL_MSG(" illegal parameter");
|
||||
WOLFSSL_MSG("\tillegal parameter");
|
||||
}
|
||||
#endif
|
||||
WOLFSSL_ERROR(*type);
|
||||
if (IsEncryptionOn(ssl, 0)) {
|
||||
if (*inOutIdx + ssl->keys.padSz > totalSz)
|
||||
return BUFFER_E;
|
||||
if (IsEncryptionOn(ssl, 0))
|
||||
*inOutIdx += ssl->keys.padSz;
|
||||
}
|
||||
|
||||
return level;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user