Propagate record overflows to the record layer and alert.

ok beck@ tb@
author: jsing <> 2020-05-11 18:08:11 +0000
committer: jsing <> 2020-05-11 18:08:11 +0000
commit: b533040a570f1fe902202c032531870f58ad4453 (patch)
tree: dbb27561139b82aa9e5d608eacbc8c9224b46124
parent: 825d508a4b688821e99561b72a842c81c93b84a5 (diff)
download: openbsd-b533040a570f1fe902202c032531870f58ad4453.tar.gz
openbsd-b533040a570f1fe902202c032531870f58ad4453.tar.bz2
openbsd-b533040a570f1fe902202c032531870f58ad4453.zip
3 files changed, 8 insertions, 6 deletions
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index d35610e179..5ea09db8a0 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.78 2020/05/11 18:03:51 jsing Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.79 2020/05/11 18:08:11 jsing Exp $ */
 /*
 * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
 * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -39,6 +39,7 @@ __BEGIN_HIDDEN_DECLS
 #define TLS13_IO_WANT_RETRY             -5 /* Retry the previous call immediately. */
 #define TLS13_IO_USE_LEGACY             -6
 #define TLS13_IO_RECORD_VERSION         -7
+#define TLS13_IO_RECORD_OVERFLOW        -8
 #define TLS13_ERR_VERIFY_FAILED         16
 #define TLS13_ERR_HRR_FAILED            17
diff --git a/src/lib/libssl/tls13_record.c b/src/lib/libssl/tls13_record.c
index ca61a94ff1..c856932b40 100644
--- a/src/lib/libssl/tls13_record.c
+++ b/src/lib/libssl/tls13_record.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_record.c,v 1.5 2020/05/11 18:03:51 jsing Exp $ */
+/* $OpenBSD: tls13_record.c,v 1.6 2020/05/11 18:08:11 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -145,11 +145,10 @@ tls13_record_recv(struct tls13_record *rec, tls13_read_cb wire_read,
                if (!CBS_get_u16(&cbs, &rec_len))
                        return TLS13_IO_FAILURE;
-                /* XXX - record overflow alert. */
                if ((rec_version >> 8) != SSL3_VERSION_MAJOR)
                        return TLS13_IO_RECORD_VERSION;
                if (rec_len > TLS13_RECORD_MAX_CIPHERTEXT_LEN)
-                        return TLS13_IO_FAILURE;
+                        return TLS13_IO_RECORD_OVERFLOW;
                rec->content_type = content_type;
                rec->version = rec_version;
diff --git a/src/lib/libssl/tls13_record_layer.c b/src/lib/libssl/tls13_record_layer.c
index 8ca52d0b7f..82a49ae425 100644
--- a/src/lib/libssl/tls13_record_layer.c
+++ b/src/lib/libssl/tls13_record_layer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_record_layer.c,v 1.40 2020/05/11 18:03:51 jsing Exp $ */
+/* $OpenBSD: tls13_record_layer.c,v 1.41 2020/05/11 18:08:11 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -768,11 +768,13 @@ tls13_record_layer_read_record(struct tls13_record_layer *rl)
                if ((rl->rrec = tls13_record_new()) == NULL)
                        goto err;
        }
+ 
        if ((ret = tls13_record_recv(rl->rrec, rl->cb.wire_read, rl->cb_arg)) <= 0) {
                switch (ret) {
                case TLS13_IO_RECORD_VERSION:
                        return tls13_send_alert(rl, SSL_AD_PROTOCOL_VERSION);
+                case TLS13_IO_RECORD_OVERFLOW:
+                        return tls13_send_alert(rl, SSL_AD_RECORD_OVERFLOW);
                }
                return ret;
        }
author	jsing <>	2020-05-11 18:08:11 +0000
committer	jsing <>	2020-05-11 18:08:11 +0000
commit	b533040a570f1fe902202c032531870f58ad4453 (patch)
tree	dbb27561139b82aa9e5d608eacbc8c9224b46124
parent	825d508a4b688821e99561b72a842c81c93b84a5 (diff)
download	openbsd-b533040a570f1fe902202c032531870f58ad4453.tar.gz openbsd-b533040a570f1fe902202c032531870f58ad4453.tar.bz2 openbsd-b533040a570f1fe902202c032531870f58ad4453.zip