Merge pull request #10537 from SparkiDev/tls13_pt_alert_before_enc

TLS 1.3 plaintext alert: ignore before seeing encrypted
This commit is contained in:
Daniel Pouzzner
2026-06-05 11:12:47 -05:00
committed by GitHub
2 changed files with 153 additions and 12 deletions
+30 -12
View File
@@ -22468,6 +22468,9 @@ static int DoAlert(WOLFSSL* ssl, byte* input, word32* inOutIdx, int* type)
byte level;
byte code;
word32 dataSz = (word32)ssl->curSize;
#ifdef WOLFSSL_TLS13_IGNORE_PT_ALERT_ON_ENC
int ignorePtAlert;
#endif
#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
if (ssl->hsInfoOn)
@@ -22496,9 +22499,19 @@ static int DoAlert(WOLFSSL* ssl, byte* input, word32* inOutIdx, int* type)
code = input[(*inOutIdx)++];
*type = code;
#ifdef WOLFSSL_TLS13_IGNORE_PT_ALERT_ON_ENC
/* Don't process alert when TLS 1.3 and encrypting but plaintext alert. */
if (!IsAtLeastTLSv1_3(ssl->version) || !IsEncryptionOn(ssl, 0) ||
ssl->keys.decryptedCur)
/* A plaintext alert received in TLS 1.3 once we are decrypting is only
* tolerated while still in the handshake and before the peer has sent an
* encrypted message. The peer sequence number is reset to zero each time
* decryption keys are installed and incremented for each record decrypted,
* so a non-zero value means the peer has sent an encrypted message and a
* plaintext alert is treated as an error. */
ignorePtAlert = IsAtLeastTLSv1_3(ssl->version) && IsEncryptionOn(ssl, 0) &&
!ssl->keys.decryptedCur && !ssl->options.handShakeDone &&
ssl->keys.peer_sequence_number_hi == 0 &&
ssl->keys.peer_sequence_number_lo == 0;
/* Don't record an ignored plaintext alert in the alert history. */
if (!ignorePtAlert)
#endif
{
ssl->alert_history.last_rx.code = code;
@@ -22529,16 +22542,21 @@ static int DoAlert(WOLFSSL* ssl, byte* input, word32* inOutIdx, int* type)
!ssl->keys.decryptedCur)
{
#ifdef WOLFSSL_TLS13_IGNORE_PT_ALERT_ON_ENC
/* Ignore alert if TLS 1.3 and encrypting but was plaintext alert. */
*type = invalid_alert;
level = alert_none;
#else
/* Unexpected message when encryption is on and alert not encrypted. */
SendAlert(ssl, alert_fatal, unexpected_message);
WOLFSSL_ERROR_VERBOSE(PARSE_ERROR);
return PARSE_ERROR;
if (ignorePtAlert) {
/* Ignore plaintext alert: TLS 1.3, decrypting, and the peer has
* not yet sent an encrypted handshake message. */
*type = invalid_alert;
level = alert_none;
}
else
#endif
{
/* Unexpected message when encryption is on and alert not
* encrypted. */
SendAlert(ssl, alert_fatal, unexpected_message);
WOLFSSL_ERROR_VERBOSE(PARSE_ERROR);
return PARSE_ERROR;
}
}
else {
if (*type == close_notify) {