Don't allow too many consecutive warning alerts (af58be76) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

include/openssl/ssl.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -2485,6 +2485,7 @@ int ERR_load_SSL_strings(void);
		# define SSL_R_TLS_HEARTBEAT_PENDING 366
		# define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 367
		# define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
		# define SSL_R_TOO_MANY_WARN_ALERTS 409
		# define SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS 314
		# define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 239
		# define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 242

+16 −0

Original line number	Diff line number	Diff line
		@@ -443,6 +443,14 @@ int dtls1_read_bytes(SSL s, int type, int recvd_type, unsigned char *buf,
		}
		}

		/*
		* Reset the count of consecutive warning alerts if we've got a non-empty
		* record that isn't an alert.
		*/
		if (SSL3_RECORD_get_type(rr) != SSL3_RT_ALERT
		&& SSL3_RECORD_get_length(rr) != 0)
		s->rlayer.alert_count = 0;

		/* we now have a packet which can be read and processed */

		if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
		@@ -722,6 +730,14 @@ int dtls1_read_bytes(SSL s, int type, int recvd_type, unsigned char *buf,

		if (alert_level == SSL3_AL_WARNING) {
		s->s3->warn_alert = alert_descr;

		s->rlayer.alert_count++;
		if (s->rlayer.alert_count == MAX_WARN_ALERT_COUNT) {
		al = SSL_AD_UNEXPECTED_MESSAGE;
		SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
		goto f_err;
		}

		if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
		#ifndef OPENSSL_NO_SCTP
		/*

+16 −0

Original line number	Diff line number	Diff line
		@@ -1063,6 +1063,14 @@ int ssl3_read_bytes(SSL s, int type, int recvd_type, unsigned char *buf,
		} while (num_recs == 0);
		rr = &rr[curr_rec];

		/*
		* Reset the count of consecutive warning alerts if we've got a non-empty
		* record that isn't an alert.
		*/
		if (SSL3_RECORD_get_type(rr) != SSL3_RT_ALERT
		&& SSL3_RECORD_get_length(rr) != 0)
		s->rlayer.alert_count = 0;

		/* we now have a packet which can be read and processed */

		if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
		@@ -1333,6 +1341,14 @@ int ssl3_read_bytes(SSL s, int type, int recvd_type, unsigned char *buf,
		if (alert_level == SSL3_AL_WARNING) {
		s->s3->warn_alert = alert_descr;
		SSL3_RECORD_set_read(rr);

		s->rlayer.alert_count++;
		if (s->rlayer.alert_count == MAX_WARN_ALERT_COUNT) {
		al = SSL_AD_UNEXPECTED_MESSAGE;
		SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
		goto f_err;
		}

		if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
		s->shutdown \|= SSL_RECEIVED_SHUTDOWN;
		return (0);

+2 −0

Original line number	Diff line number	Diff line
		@@ -178,6 +178,8 @@ typedef struct record_layer_st {
		unsigned char write_sequence[SEQ_NUM_SIZE];
		/* Set to true if this is the first record in a connection */
		unsigned int is_first_record;
		/* Count of the number of consecutive warning alerts received */
		unsigned int alert_count;
		DTLS_RECORD_LAYER *d;
		} RECORD_LAYER;

+2 −0

Original line number	Diff line number	Diff line
		@@ -14,6 +14,8 @@
		* *
		*****************************************************************************/

		#define MAX_WARN_ALERT_COUNT 5

		/* Functions/macros provided by the RECORD_LAYER component */

		#define RECORD_LAYER_get_rbuf(rl) (&(rl)->rbuf)