From 1fe69992e2fc1a83a6ab7b0a6efc60382717ee8f Mon Sep 17 00:00:00 2001 From: Sean Parkinson Date: Mon, 1 Jul 2019 14:20:36 +1000 Subject: [PATCH] Improve alert sending in TLS 1.3 code from fuzz testing --- src/internal.c | 28 +++++++++++++++++++++++++--- src/tls13.c | 7 +++++-- 2 files changed, 30 insertions(+), 5 deletions(-) diff --git a/src/internal.c b/src/internal.c index ea1b2e816..7d0fe8fce 100644 --- a/src/internal.c +++ b/src/internal.c @@ -207,7 +207,14 @@ static WC_INLINE int IsEncryptionOn(WOLFSSL* ssl, int isSend) return 0; #endif /* WOLFSSL_DTLS */ +#ifdef WOLFSSL_TLS13 + if (isSend) + return ssl->encrypt.setup; + else + return ssl->decrypt.setup; +#else return ssl->keys.encryptionOn; +#endif } @@ -13142,6 +13149,15 @@ int ProcessReply(WOLFSSL* ssl) if (ret != 0) return ret; +#ifdef WOLFSSL_TLS13 + if (IsAtLeastTLSv1_3(ssl->version) && IsEncryptionOn(ssl, 0) && + ssl->curRL.type != application_data && + ssl->curRL.type != change_cipher_spec) { + SendAlert(ssl, alert_fatal, unexpected_message); + return PARSE_ERROR; + } +#endif + ssl->options.processReply = getData; FALL_THROUGH; @@ -13426,6 +13442,10 @@ int ProcessReply(WOLFSSL* ssl) #else if (IsAtLeastTLSv1_3(ssl->version)) { word32 i = ssl->buffers.inputBuffer.idx; + if (ssl->options.handShakeState == HANDSHAKE_DONE) { + SendAlert(ssl, alert_fatal, unexpected_message); + return UNKNOWN_RECORD_TYPE; + } if (ssl->curSize != 1 || ssl->buffers.inputBuffer.buffer[i] != 1) { SendAlert(ssl, alert_fatal, illegal_parameter); 
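Review bot: In IsEncryptionOn (hunk at -207) the new `#ifdef WOLFSSL_TLS13` branch is selected at compile time, so in a TLS 1.3-enabled build every connection, including one that negotiates an earlier version, stops consulting `ssl->keys.encryptionOn` and relies on `encrypt.setup`/`decrypt.setup` alone. Whether those flags flip at the same moment as `encryptionOn` in a pre-1.3 handshake is not visible in this hunk. If the cipher is set up before the ChangeCipherSpec takes effect, callers would treat records as protected too early. Keeping the old gate and adding the new one avoids that: `return ssl->keys.encryptionOn && (isSend ? ssl->encrypt.setup : ssl->decrypt.setup);`. The function starts above the hunk.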
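Review bot: The record-type check added to ProcessReply (hunk at -13142) returns PARSE_ERROR after sending unexpected_message, while the change_cipher_spec check added in the hunk at -13426 sends the same alert but returns UNKNOWN_RECORD_TYPE. Callers and logs then see two different codes for the same class of protocol violation, so one code should be chosen for both. The block also carries no comment explaining why only two outer types pass; something like `/* TLS 1.3: protected records carry outer type application_data; change_cipher_spec is tolerated for middlebox compatibility */` would record the rule. ProcessReply extends beyond the hunk on both sides.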
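Review bot: The change_cipher_spec rejection added at the top of the TLS 1.3 branch (hunk at -13426) keys on `ssl->options.handShakeState == HANDSHAKE_DONE`, whereas RFC 8446 section 5 stops tolerating that record once the peer's Finished has been received. If HANDSHAKE_DONE is reached later than that point, for example only after the local Finished is sent, a change_cipher_spec record arriving in the gap is still accepted. Where the state is set is not visible here, so this needs checking against the state machine. A short comment such as `/* CCS is only legal before the peer's Finished (RFC 8446, section 5) */` would record the intent. The enclosing `if` and ProcessReply itself continue past the hunk.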
@@ -15581,9 +15601,11 @@ int SendAlert(WOLFSSL* ssl, int severity, int type) /* only send encrypted alert if handshake actually complete, otherwise other side may not be able to handle it */ - if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone) - sendSz = BuildMessage(ssl, output, outputSz, input, ALERT_SIZE, - alert, 0, 0, 0); + if (IsEncryptionOn(ssl, 1) && (IsAtLeastTLSv1_3(ssl->version) || + ssl->options.handShakeDone)) { + sendSz = BuildMessage(ssl, output, outputSz, input, ALERT_SIZE, alert, + 0, 0, 0); + } else { AddRecordHeader(output, ALERT_SIZE, alert, ssl); diff --git a/src/tls13.c b/src/tls13.c index a0b778a53..5cdfc6e64 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -5954,7 +5954,7 @@ exit_dcv: } else #endif /* WOLFSSL_ASYNC_CRYPT */ - if (ret != 0) + if (ret != 0 && ret != INVALID_PARAMETER) SendAlert(ssl, alert_fatal, decrypt_error); /* Final cleanup */ @@ -7398,8 +7398,11 @@ int DoTls13HandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx, byte type; word32 size; - if (GetHandshakeHeader(ssl,input,inOutIdx,&type, &size, totalSz) != 0) + if (GetHandshakeHeader(ssl, input, inOutIdx, &type, &size, + totalSz) != 0) { + SendAlert(ssl, alert_fatal, unexpected_message); return PARSE_ERROR; + } return DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size, totalSz);
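Review bot: The comment kept above the changed condition in SendAlert (hunk at -15581) still says an encrypted alert is sent only when the handshake is complete, which no longer holds for TLS 1.3: the alert is now encrypted as soon as `IsEncryptionOn(ssl, 1)` is true. It should be updated, e.g. `/* TLS 1.3: encrypt alerts once the send cipher is set up; earlier versions: only after the handshake completes, since the peer may not be able to decrypt before then */`. The condition also depends on the IsEncryptionOn change in the first hunk of this patch, so the two should be reviewed together. SendAlert begins and ends outside the hunk.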
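Review bot: At exit_dcv (hunk at -5954 in src/tls13.c) a failure with INVALID_PARAMETER now leaves the function without any alert from this site, and nothing in the hunk shows which earlier path produced that code or that it already alerted the peer. If any path can set `ret` to INVALID_PARAMETER without calling SendAlert first, the handshake is torn down with no alert at all; that has to be confirmed against the function body, which lies outside the hunk. A comment stating the assumption would help, e.g. `/* INVALID_PARAMETER: alert already sent where the error was detected */`. The `if` is also worth bracing, since under WOLFSSL_ASYNC_CRYPT it is the body of the preceding `else`.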
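Review bot: In DoTls13HandShakeMsg (hunk at -7398) every GetHandshakeHeader failure is now reported to the peer as unexpected_message, but a header that cannot be parsed, or whose length runs past `totalSz`, is what RFC 8446 section 6.2 describes as decode_error. Which failures GetHandshakeHeader can return is not visible here, so this is something to check rather than a confirmed mismatch. If length errors are the only case, `SendAlert(ssl, alert_fatal, decode_error);` would be the closer alert. The function's opening lines are above the hunk.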