Abort on unrecognised warning alerts

A peer continually sending unrecognised warning alerts could mean that we make no progress on a connection. We should abort rather than continuing if we receive an unrecognised warning alert. Thanks to Shi Lei for reporting this issue. Reviewed-by: Rich Salz <rsalz@openssl.org>
author: Matt Caswell <matt@openssl.org> 2016-09-12 11:04:51 +0100
committer: Matt Caswell <matt@openssl.org> 2016-09-13 11:51:00 +0100
commit: 77a6be4dfc2ecf406c2559a99bea51317ce0f533 (patch)
tree: ad14d5714a07eecf2d14489758abe6f9b332705e
parent: c0f9e23c6b8d1076796987d5a84557d410682d85 (diff)
1 files changed, 8 insertions, 2 deletions
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 46870c054b..aa148ba490 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -1351,9 +1351,15 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
                 goto f_err;
             }
 #ifdef SSL_AD_MISSING_SRP_USERNAME
-            else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)
-                return (0);
+            else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME) {
+                return 0;
+            }
 #endif
+            else {
+                al = SSL_AD_HANDSHAKE_FAILURE;
+                SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNKNOWN_ALERT_TYPE);
+                goto f_err;
+            }
         } else if (alert_level == SSL3_AL_FATAL) {
             char tmp[16];
author	Matt Caswell <matt@openssl.org>	2016-09-12 11:04:51 +0100
committer	Matt Caswell <matt@openssl.org>	2016-09-13 11:51:00 +0100
commit	77a6be4dfc2ecf406c2559a99bea51317ce0f533 (patch)
tree	ad14d5714a07eecf2d14489758abe6f9b332705e
parent	c0f9e23c6b8d1076796987d5a84557d410682d85 (diff)