From 3d35e3a253a2895f263333bb4355760630a31955 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Fri, 8 Feb 2019 16:36:32 +0000 Subject: Don't interleave handshake and other record types in TLSv1.3 In TLSv1.3 it is illegal to interleave handshake records with non handshake records. Fixes #8189 Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/8191) --- crypto/err/openssl.txt | 2 ++ include/openssl/sslerr.h | 3 ++- ssl/record/rec_layer_s3.c | 8 ++++++++ ssl/ssl_err.c | 4 +++- 4 files changed, 15 insertions(+), 2 deletions(-) diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index e944b57153..82c33f0299 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -2796,6 +2796,8 @@ SSL_R_MISSING_SRP_PARAM:358:can't find SRP server param SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION:209:missing supported groups extension SSL_R_MISSING_TMP_DH_KEY:171:missing tmp dh key SSL_R_MISSING_TMP_ECDH_KEY:311:missing tmp ecdh key +SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA:293:\ + mixed handshake and non handshake data SSL_R_NOT_ON_RECORD_BOUNDARY:182:not on record boundary SSL_R_NOT_REPLACING_CERTIFICATE:289:not replacing certificate SSL_R_NOT_SERVER:284:not server diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h index f8783717bc..63057517dc 100644 --- a/include/openssl/sslerr.h +++ b/include/openssl/sslerr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -596,6 +596,7 @@ int ERR_load_SSL_strings(void); # define SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION 209 # define SSL_R_MISSING_TMP_DH_KEY 171 # define SSL_R_MISSING_TMP_ECDH_KEY 311 +# define SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA 293 # define SSL_R_NOT_ON_RECORD_BOUNDARY 182 # define SSL_R_NOT_REPLACING_CERTIFICATE 289 # define SSL_R_NOT_SERVER 284 diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index 2f5987b0e8..feca76eb3f 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -1363,6 +1363,14 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, } while (num_recs == 0); rr = &rr[curr_rec]; + if (s->rlayer.handshake_fragment_len > 0 + && SSL3_RECORD_get_type(rr) != SSL3_RT_HANDSHAKE + && SSL_IS_TLS13(s)) { + SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES, + SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA); + return -1; + } + /* * Reset the count of consecutive warning alerts if we've got a non-empty * record that isn't an alert. diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index 7b06878cef..ceae87bbc9 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -965,6 +965,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = { {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_DH_KEY), "missing tmp dh key"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_ECDH_KEY), "missing tmp ecdh key"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA), + "mixed handshake and non handshake data"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_ON_RECORD_BOUNDARY), "not on record boundary"}, {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_REPLACING_CERTIFICATE), -- cgit v1.2.3