authortb <tb@openbsd.org>2020-05-07 18:56:09 +0000
committertb <tb@openbsd.org>2020-05-07 18:56:09 +0000
commitedb9ff5fc689996f747fc698d7a67ad066b59815 (patch)
treeaa49dfff8ad15f2c0fca9bc62996c460e65390c8 /lib/libssl/tls13_record_layer.c
parentpost-6.7 development continues (diff)
On receiving a handshake or alert record with empty inner plaintext,
terminate the connection with an unexpected_message alert.
See RFC 8446 section 5.4.
Found with tlsfuzzer
hint/ok jsing
Diffstat (limited to 'lib/libssl/tls13_record_layer.c')
-rw-r--r--lib/libssl/tls13_record_layer.c12
1 files changed, 11 insertions, 1 deletions
diff --git a/lib/libssl/tls13_record_layer.c b/lib/libssl/tls13_record_layer.c
index 5c2c2116c04..16a22a841b1 100644
--- a/lib/libssl/tls13_record_layer.c
+++ b/lib/libssl/tls13_record_layer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_record_layer.c,v 1.33 2020/05/03 15:57:25 jsing Exp $ */
+/* $OpenBSD: tls13_record_layer.c,v 1.34 2020/05/07 18:56:09 tb Exp $ */
/*
* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
*
@@ -813,6 +813,16 @@ tls13_record_layer_read_record(struct tls13_record_layer *rl)
tls13_record_layer_rrec_free(rl);
+ /*
+ * On receiving a handshake or alert record with empty inner plaintext,
+ * we must terminate the connection with an unexpected_message alert.
+ * See RFC 8446 section 5.4.
+ */
+ if (CBS_len(&rl->rbuf_cbs) == 0 &&
+ (rl->rbuf_content_type == SSL3_RT_ALERT ||
+ rl->rbuf_content_type == SSL3_RT_HANDSHAKE))
+ return tls13_send_alert(rl, SSL3_AD_UNEXPECTED_MESSAGE);
+
switch (rl->rbuf_content_type) {
case SSL3_RT_ALERT:
return tls13_record_layer_process_alert(rl);
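Review bot: The comment above the `CBS_len(&rl->rbuf_cbs) == 0` check does not say why application data is left out of the condition, which invites a later "tightening" that would reject conforming peers. RFC 8446 section 5.4 lets a sender emit application data records with zero-length content as cover traffic, so I would add a line to the comment such as `Empty application data records are permitted and must still be accepted.` The hunk also does not show whether both the protected and the plaintext record paths reach this check, because tls13_record_layer_read_record starts and ends outside it. A regress case for each of the two rejected content types would pin the behaviour that tlsfuzzer found.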