Merge pull request #2319 from SparkiDev/tls13_alerts

Improve alert sending in TLS 1.3 code from fuzz testing
2025-07-29 18:27:29 +02:00 · 2019-07-08 14:11:35 -07:00
parent 79165ce8cb 1fe69992e2
commit 1bcec1b9ab
2 changed files with 30 additions and 5 deletions
--- a/src/internal.c
+++ b/src/internal.c
@ -207,7 +207,14 @@ static WC_INLINE int IsEncryptionOn(WOLFSSL* ssl, int isSend)
        return 0;
    #endif /* WOLFSSL_DTLS */

+#ifdef WOLFSSL_TLS13
+    if (isSend)
+        return ssl->encrypt.setup;
+    else
+        return ssl->decrypt.setup;
+#else
    return ssl->keys.encryptionOn;
+#endif
 }


@ -13310,6 +13317,15 @@ int ProcessReply(WOLFSSL* ssl)
            if (ret != 0)
                return ret;

+#ifdef WOLFSSL_TLS13
+            if (IsAtLeastTLSv1_3(ssl->version) && IsEncryptionOn(ssl, 0) &&
+                                        ssl->curRL.type != application_data &&
+                                        ssl->curRL.type != change_cipher_spec) {
+                SendAlert(ssl, alert_fatal, unexpected_message);
+                return PARSE_ERROR;
+            }
+#endif
+
            ssl->options.processReply = getData;
            FALL_THROUGH;

@ -13627,6 +13643,10 @@ int ProcessReply(WOLFSSL* ssl)
    #else
                    if (IsAtLeastTLSv1_3(ssl->version)) {
                        word32 i = ssl->buffers.inputBuffer.idx;
+                        if (ssl->options.handShakeState == HANDSHAKE_DONE) {
+                            SendAlert(ssl, alert_fatal, unexpected_message);
+                            return UNKNOWN_RECORD_TYPE;
+                        }
                        if (ssl->curSize != 1 ||
                                      ssl->buffers.inputBuffer.buffer[i] != 1) {
                            SendAlert(ssl, alert_fatal, illegal_parameter);
@ -15782,9 +15802,11 @@ int SendAlert(WOLFSSL* ssl, int severity, int type)

    /* only send encrypted alert if handshake actually complete, otherwise
       other side may not be able to handle it */
-    if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone)
-        sendSz = BuildMessage(ssl, output, outputSz, input, ALERT_SIZE,
-                                                          alert, 0, 0, 0);
+    if (IsEncryptionOn(ssl, 1) && (IsAtLeastTLSv1_3(ssl->version) ||
+                                                  ssl->options.handShakeDone)) {
+        sendSz = BuildMessage(ssl, output, outputSz, input, ALERT_SIZE, alert,
+                                                                       0, 0, 0);
+    }
    else {

        AddRecordHeader(output, ALERT_SIZE, alert, ssl);
--- a/src/tls13.c
+++ b/src/tls13.c
@ -6012,7 +6012,7 @@ exit_dcv:
    }
    else
 #endif /* WOLFSSL_ASYNC_CRYPT */
-    if (ret != 0)
+    if (ret != 0 && ret != INVALID_PARAMETER)
        SendAlert(ssl, alert_fatal, decrypt_error);

    /* Final cleanup */
@ -7457,8 +7457,11 @@ int DoTls13HandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
        byte   type;
        word32 size;

-        if (GetHandshakeHeader(ssl,input,inOutIdx,&type, &size, totalSz) != 0)
+        if (GetHandshakeHeader(ssl, input, inOutIdx, &type, &size,
+                                                                totalSz) != 0) {
+            SendAlert(ssl, alert_fatal, unexpected_message);
            return PARSE_ERROR;
+        }

        return DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size,
                                       totalSz);