record: improve empty message handling in TLS 1.3

Previously, _gnutls_recv_in_buffers() silently discarded empty
messages because such messages are used as a countermeasure to
vulnerabilities in the CBC mode.  In TLS 1.3, however, there are only
AEAD ciphers and such logic is meaningless.  Moreover, in the protocol
it is suggested to send "unexpected_message" alert when receiving
empty messages in certain occasions.  This change moves the empty
message handling to record_add_to_buffers().

Signed-off-by: Daiki Ueno <dueno@redhat.com>

diff --git a/lib/record.c b/lib/record.c
index be5f867141c4a8ea45333e28c22644a00ebc0f58..a0c9d5cf5ab1436f6b1d56d7a625224772494561 100644 (file)
--- a/lib/record.c
+++ b/lib/record.c
@@ -776,6 +776,20 @@ record_add_to_buffers(gnutls_session_t session,
            && (type == GNUTLS_APPLICATION_DATA ||
                type == GNUTLS_CHANGE_CIPHER_SPEC ||
                type == GNUTLS_HANDSHAKE)) {
+               if (bufel->msg.size == 0) {
+                       if (type == GNUTLS_APPLICATION_DATA) {
+                               /* this is needed to distinguish an empty
+                                * message and EOF */
+                               ret = GNUTLS_E_AGAIN;
+                               goto cleanup;
+                       } else {
+                               ret =
+                                   gnutls_assert_val
+                                   (GNUTLS_E_UNEXPECTED_PACKET);
+                               goto unexpected_packet;
+                       }
+               }
+
                _gnutls_record_buffer_put(session, type, seq, bufel);
 
                /* if we received application data as expected then we
@@ -1374,7 +1388,14 @@ _gnutls_recv_in_buffers(gnutls_session_t session, content_type_t type,
  * In that case we go to the beginning and start reading
  * the next packet.
  */
-       if (_mbuffer_get_udata_size(decrypted) == 0) {
+       if (_mbuffer_get_udata_size(decrypted) == 0 &&
+           /* Under TLS 1.3, there are only AEAD ciphers and this
+            * logic is meaningless. Moreover, the implementation need
+            * to send correct alert upon receiving empty messages in
+            * certain occasions. Skip this and leave
+            * record_add_to_buffers() to handle the empty
+            * messages. */
+           !(vers && vers->tls13_sem)) {
                _mbuffer_xfree(&decrypted);
                n_retries++;
                goto begin;