94 lines
3.1 KiB
Diff
94 lines
3.1 KiB
Diff
--- crypto/openssl/ssl/d1_pkt.c.orig
|
|
+++ crypto/openssl/ssl/d1_pkt.c
|
|
@@ -924,6 +924,13 @@
|
|
goto start;
|
|
}
|
|
|
|
+ /*
|
|
+ * Reset the count of consecutive warning alerts if we've got a non-empty
|
|
+ * record that isn't an alert.
|
|
+ */
|
|
+ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
|
|
+ s->s3->alert_count = 0;
|
|
+
|
|
/* we now have a packet which can be read and processed */
|
|
|
|
if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
|
|
@@ -1190,6 +1197,14 @@
|
|
|
|
if (alert_level == SSL3_AL_WARNING) {
|
|
s->s3->warn_alert = alert_descr;
|
|
+
|
|
+ s->s3->alert_count++;
|
|
+ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
|
|
+ al = SSL_AD_UNEXPECTED_MESSAGE;
|
|
+ SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
|
|
+ goto f_err;
|
|
+ }
|
|
+
|
|
if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
|
|
#ifndef OPENSSL_NO_SCTP
|
|
/*
|
|
--- crypto/openssl/ssl/s3_pkt.c.orig
|
|
+++ crypto/openssl/ssl/s3_pkt.c
|
|
@@ -1057,6 +1057,13 @@
|
|
return (ret);
|
|
}
|
|
|
|
+ /*
|
|
+ * Reset the count of consecutive warning alerts if we've got a non-empty
|
|
+ * record that isn't an alert.
|
|
+ */
|
|
+ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
|
|
+ s->s3->alert_count = 0;
|
|
+
|
|
/* we now have a packet which can be read and processed */
|
|
|
|
if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
|
|
@@ -1271,6 +1278,14 @@
|
|
|
|
if (alert_level == SSL3_AL_WARNING) {
|
|
s->s3->warn_alert = alert_descr;
|
|
+
|
|
+ s->s3->alert_count++;
|
|
+ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
|
|
+ al = SSL_AD_UNEXPECTED_MESSAGE;
|
|
+ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
|
|
+ goto f_err;
|
|
+ }
|
|
+
|
|
if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
|
|
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
|
|
return (0);
|
|
--- crypto/openssl/ssl/ssl.h.orig
|
|
+++ crypto/openssl/ssl/ssl.h
|
|
@@ -2717,6 +2717,7 @@
|
|
# define SSL_R_TLS_HEARTBEAT_PENDING 366
|
|
# define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 367
|
|
# define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
|
|
+# define SSL_R_TOO_MANY_WARN_ALERTS 409
|
|
# define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
|
|
# define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
|
|
# define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
|
|
--- crypto/openssl/ssl/ssl3.h.orig
|
|
+++ crypto/openssl/ssl/ssl3.h
|
|
@@ -587,6 +587,8 @@
|
|
char is_probably_safari;
|
|
# endif /* !OPENSSL_NO_EC */
|
|
# endif /* !OPENSSL_NO_TLSEXT */
|
|
+ /* Count of the number of consecutive warning alerts received */
|
|
+ unsigned int alert_count;
|
|
} SSL3_STATE;
|
|
|
|
# endif
|
|
--- crypto/openssl/ssl/ssl_locl.h.orig
|
|
+++ crypto/openssl/ssl/ssl_locl.h
|
|
@@ -389,6 +389,8 @@
|
|
*/
|
|
# define SSL_MAX_DIGEST 6
|
|
|
|
+# define MAX_WARN_ALERT_COUNT 5
|
|
+
|
|
# define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT)
|
|
|
|
# define TLS1_PRF_DGST_SHIFT 10
|