From e28bdf4c51aff3424107287d352cee238c14031c Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Thu, 21 Feb 2019 17:15:00 +0000
Subject: Wire up alert handling for TLSv1.3.

In TLSv1.3 there are two types of alerts "closure alerts" and "error alerts". This makes the record layer more strict and handles closure of the read and write channels. The callback then handles the record layer to SSL mapping/behaviour.
ok tb@
---
 src/lib/libssl/tls13_lib.c | 34 ++++++++++++++++++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)
(limited to 'src/lib/libssl/tls13_lib.c')
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index 3860ddefef..f9505fa438 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_lib.c,v 1.3 2019/01/21 13:45:57 jsing Exp $ */
+/* $OpenBSD: tls13_lib.c,v 1.4 2019/02/21 17:15:00 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing
 *
@@ -61,6 +61,35 @@ tls13_cipher_hash(const SSL_CIPHER *cipher)
 return NULL;
 }
 
+static void
+tls13_alert_received_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
+{
+ struct tls13_ctx *ctx = arg;
+ SSL *s = ctx->ssl;
+
+ if (alert_desc == SSL_AD_CLOSE_NOTIFY) {
+ ctx->ssl->internal->shutdown |= SSL_RECEIVED_SHUTDOWN;
+ S3I(ctx->ssl)->warn_alert = alert_desc;
+ return;
+ }
+
+ if (alert_desc == SSL_AD_USER_CANCELLED) {
+ /*
+ * We treat this as advisory, since a close_notify alert
+ * SHOULD follow this alert (RFC 8446 section 6.1).
+ */
+ return;
+ }
+
+ /* All other alerts are treated as fatal in TLSv1.3. */
+ S3I(ctx->ssl)->fatal_alert = alert_desc;
+
+ SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
+ ERR_asprintf_error_data("SSL alert number %d", alert_desc);
+
+ SSL_CTX_remove_session(s->ctx, s->session);
+}
+
 struct tls13_ctx *
 tls13_ctx_new(int mode)
 {
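Review bot: `alert_level` is accepted by tls13_alert_received_cb but never read, and nothing in the function says that this is deliberate; RFC 8446 section 6 states that in TLSv1.3 the severity is implicit in the alert description and the level field can be ignored, so a comment above the first `if` would stop the next reader from treating it as an omission, e.g. `/* The alert level is implicit in the description in TLSv1.3 (RFC 8446 section 6); ignore it. */`. The local `s` is also used only for the final `SSL_CTX_remove_session(s->ctx, s->session);` while every other access spells out `ctx->ssl`; using one form throughout, for instance `SSL_CTX_remove_session(ctx->ssl->ctx, ctx->ssl->session);` and dropping `s`, would read more consistently. The function itself is complete within the hunk.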
@@ -72,7 +101,8 @@ tls13_ctx_new(int mode)
 ctx->mode = mode;
 
 if ((ctx->rl = tls13_record_layer_new(tls13_legacy_wire_read_cb,
- tls13_legacy_wire_write_cb, NULL, NULL, ctx)) == NULL)
+ tls13_legacy_wire_write_cb, tls13_alert_received_cb, NULL,
+ ctx)) == NULL)
 goto err;
 
 return ctx;
-- 
cgit v1.2.3-55-g6feb