mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-06 11:00:49 +02:00
Treat alerts as fatal errors regardless of level in TLS1.3
This commit is contained in:
@@ -22036,6 +22036,12 @@ static int DoAlert(WOLFSSL* ssl, byte* input, word32* inOutIdx, int* type)
|
||||
if (level == alert_fatal) {
|
||||
ssl->options.isClosed = 1; /* Don't send close_notify */
|
||||
}
|
||||
/* RFC 8446 Section 6.2: In TLS 1.3, all error alerts are implicitly
|
||||
* fatal regardless of the AlertLevel byte. */
|
||||
if (IsAtLeastTLSv1_3(ssl->version) &&
|
||||
code != close_notify && code != user_canceled) {
|
||||
ssl->options.isClosed = 1;
|
||||
}
|
||||
}
|
||||
|
||||
if (++ssl->options.alertCount >= WOLFSSL_ALERT_COUNT_MAX) {
|
||||
@@ -23510,6 +23516,15 @@ default:
|
||||
if (type == decrypt_error)
|
||||
return FATAL_ERROR;
|
||||
|
||||
/* RFC 8446 Section 6.2: In TLS 1.3, all error alerts MUST
|
||||
* be treated as fatal regardless of the AlertLevel byte.
|
||||
* Only close_notify (handled above) and user_canceled
|
||||
* are exempt. */
|
||||
if (IsAtLeastTLSv1_3(ssl->version) &&
|
||||
type != user_canceled && type != invalid_alert) {
|
||||
return FATAL_ERROR;
|
||||
}
|
||||
|
||||
/* Reset error if we got an alert level in ret */
|
||||
if (ret > 0)
|
||||
ret = 0;
|
||||
|
||||
Reference in New Issue
Block a user