From 06c3d8da2f0a3de1a6a5d474d972058c56264115 Mon Sep 17 00:00:00 2001 From: Joel Sing Date: Mon, 21 Feb 2022 18:22:21 +0000 Subject: Factor out alert handing code in the legacy stack. Pull out the code that processes incoming alerts - a chunk of the complexity is due to the fact that in TLSv1.2 and earlier, alerts can be fragmented across multiple records or multiple alerts can be delivered in a single record. In DTLS there is no way that we can reassemble fragmented alerts (although the RFC is silent on this), however we could have multiple alerts in the same record. This change means that we will handle this situation more appropriately and if we encounter a fragmented alert we will now treat this as a decode error (instead of silently ignoring it). ok beck@ tb@ --- lib/libssl/d1_pkt.c | 37 ++++--------------------------------- 1 file changed, 4 insertions(+), 33 deletions(-) (limited to 'lib/libssl/d1_pkt.c') diff --git a/lib/libssl/d1_pkt.c b/lib/libssl/d1_pkt.c index e884f2d592e..e07fc7e3f9e 100644 --- a/lib/libssl/d1_pkt.c +++ b/lib/libssl/d1_pkt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_pkt.c,v 1.117 2022/02/05 14:54:10 jsing Exp $ */ +/* $OpenBSD: d1_pkt.c,v 1.118 2022/02/21 18:22:20 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -735,38 +735,9 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) goto start; } - if (rr->type == SSL3_RT_ALERT && rr->length >= DTLS1_AL_HEADER_LENGTH && - rr->off == 0) { - int alert_level = rr->data[0]; - int alert_descr = rr->data[1]; - - ssl_msg_callback(s, 0, SSL3_RT_ALERT, rr->data, 2); - - ssl_info_callback(s, SSL_CB_READ_ALERT, - (alert_level << 8) | alert_descr); - - if (alert_level == SSL3_AL_WARNING) { - s->s3->warn_alert = alert_descr; - if (alert_descr == SSL_AD_CLOSE_NOTIFY) { - s->internal->shutdown |= SSL_RECEIVED_SHUTDOWN; - return (0); - } - } else if (alert_level == SSL3_AL_FATAL) { - s->internal->rwstate = SSL_NOTHING; - s->s3->fatal_alert = alert_descr; - SSLerror(s, SSL_AD_REASON_OFFSET + alert_descr); - ERR_asprintf_error_data("SSL alert number %d", - alert_descr); - s->internal->shutdown|=SSL_RECEIVED_SHUTDOWN; - SSL_CTX_remove_session(s->ctx, s->session); - return (0); - } else { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerror(s, SSL_R_UNKNOWN_ALERT_TYPE); - goto fatal_err; - } - - rr->length = 0; + if (rr->type == SSL3_RT_ALERT) { + if ((ret = ssl3_read_alert(s)) <= 0) + return ret; goto start; } -- cgit v1.2.3