Add WOLFSSL_MAX_EMPTY_RECORDS

Author: embhorn

src/internal.c

@@ -21862,6 +21862,23 @@ int DoApplicationData(WOLFSSL* ssl, byte* input, word32* inOutIdx, int sniff)
     }
 #endif
 
+    /* Rate-limit empty application data records to prevent DoS */
+    if (dataSz == 0) {
+        if (++ssl->options.emptyRecordCount >= WOLFSSL_MAX_EMPTY_RECORDS) {
+            WOLFSSL_MSG("Too many empty records");
+#ifdef WOLFSSL_EXTRA_ALERTS
+            if (sniff == NO_SNIFF) {
+                SendAlert(ssl, alert_fatal, unexpected_message);
+            }
+#endif
+            WOLFSSL_ERROR_VERBOSE(EMPTY_RECORD_LIMIT_E);
+            return EMPTY_RECORD_LIMIT_E;
+        }
+    }
+    else {
+        ssl->options.emptyRecordCount = 0;
+    }
+
     /* read data */
     if (dataSz) {
         int rawSz = dataSz;       /* keep raw size for idx adjustment */
@@ -27573,6 +27590,9 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
     case ALERT_COUNT_E:
         return "Alert Count exceeded error";
 
+    case EMPTY_RECORD_LIMIT_E:
+        return "Too many empty records error";
+
     case EXT_MISSING:
         return "Required TLS extension missing";
 

tests/api/test_tls13.c

@@ -3687,6 +3687,156 @@ int test_tls13_pqc_hybrid_truncated_keyshare(void)
  * (32 bytes) does not cause an unsigned integer underflow / OOB read in
  * SetTicket. Uses a full memio handshake, then injects a crafted
  * NewSessionTicket with a 5-byte ticket into the client's read path. */
+int test_tls13_empty_record_limit(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && defined(WOLFSSL_TLS13)
+    struct test_memio_ctx test_ctx;
+    WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
+    WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
+    int recSz;
+    int numRecs = WOLFSSL_MAX_EMPTY_RECORDS + 1;
+    byte rec[128]; /* buffer for one encrypted record */
+    byte *allRecs = NULL;
+    int i;
+    char buf[64];
+
+    /* Test 1: Exceeding the empty record limit returns an error. */
+    XMEMSET(&test_ctx, 0, sizeof(test_ctx));
+    ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
+                    wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
+
+    ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
+
+    /* Consume any post-handshake messages (e.g. NewSessionTicket). */
+    wolfSSL_read(ssl_c, buf, sizeof(buf));
+    test_memio_clear_buffer(&test_ctx, 0);
+    test_memio_clear_buffer(&test_ctx, 1);
+
+    /* Get the size of an encrypted zero-length app data record. */
+    recSz = BuildTls13Message(ssl_c, NULL, 0, NULL, 0,
+                              application_data, 0, 1, 0);
+    ExpectIntGT(recSz, 0);
+    ExpectIntLE(recSz, (int)sizeof(rec));
+
+    /* Build all empty records into one contiguous buffer. */
+    if (EXPECT_SUCCESS()) {
+        allRecs = (byte*)XMALLOC((size_t)(recSz * numRecs), NULL,
+                                 DYNAMIC_TYPE_TMP_BUFFER);
+        ExpectNotNull(allRecs);
+    }
+
+    for (i = 0; i < numRecs && EXPECT_SUCCESS(); i++) {
+        XMEMSET(rec, 0, sizeof(rec));
+        ExpectIntEQ(BuildTls13Message(ssl_c, rec, (int)sizeof(rec), rec +
+                        RECORD_HEADER_SZ, 0, application_data, 0, 0, 0),
+                    recSz);
+        XMEMCPY(allRecs + i * recSz, rec, (size_t)recSz);
+    }
+
+    /* Inject all records as a single message. */
+    ExpectIntEQ(test_memio_inject_message(&test_ctx, 0, (const char*)allRecs,
+                    recSz * numRecs), 0);
+
+    /* The server's wolfSSL_read should fail with EMPTY_RECORD_LIMIT_E. */
+    ExpectIntEQ(wolfSSL_read(ssl_s, buf, sizeof(buf)),
+                WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR));
+    ExpectIntEQ(wolfSSL_get_error(ssl_s, WOLFSSL_FATAL_ERROR),
+                WC_NO_ERR_TRACE(EMPTY_RECORD_LIMIT_E));
+
+    XFREE(allRecs, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    allRecs = NULL;
+    wolfSSL_free(ssl_c);
+    ssl_c = NULL;
+    wolfSSL_free(ssl_s);
+    ssl_s = NULL;
+    wolfSSL_CTX_free(ctx_c);
+    ctx_c = NULL;
+    wolfSSL_CTX_free(ctx_s);
+    ctx_s = NULL;
+
+    /* Test 2: Counter resets on non-empty record.
+     * Send (limit - 1) empty records, then 1 non-empty, then (limit - 1)
+     * more empty records. Should succeed without hitting the limit. */
+    XMEMSET(&test_ctx, 0, sizeof(test_ctx));
+    ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
+                    wolfTLSv1_3_client_method, wolfTLSv1_3_server_method), 0);
+
+    ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
+
+    wolfSSL_read(ssl_c, buf, sizeof(buf));
+    test_memio_clear_buffer(&test_ctx, 0);
+    test_memio_clear_buffer(&test_ctx, 1);
+
+    recSz = BuildTls13Message(ssl_c, NULL, 0, NULL, 0,
+                              application_data, 0, 1, 0);
+    ExpectIntGT(recSz, 0);
+
+    {
+        int emptyBefore = WOLFSSL_MAX_EMPTY_RECORDS - 1;
+        int emptyAfter = WOLFSSL_MAX_EMPTY_RECORDS - 1;
+        int dataRecSz;
+        byte dataRec[128];
+        byte payload[1] = { 'a' };
+        int totalSz;
+
+        dataRecSz = BuildTls13Message(ssl_c, NULL, 0, NULL, 1,
+                                      application_data, 0, 1, 0);
+        ExpectIntGT(dataRecSz, 0);
+
+        totalSz = recSz * (emptyBefore + emptyAfter) + dataRecSz;
+        if (EXPECT_SUCCESS()) {
+            allRecs = (byte*)XMALLOC((size_t)totalSz, NULL,
+                                     DYNAMIC_TYPE_TMP_BUFFER);
+            ExpectNotNull(allRecs);
+        }
+
+        /* Build (limit - 1) empty records */
+        for (i = 0; i < emptyBefore && EXPECT_SUCCESS(); i++) {
+            XMEMSET(rec, 0, sizeof(rec));
+            ExpectIntEQ(BuildTls13Message(ssl_c, rec, (int)sizeof(rec),
+                            rec + RECORD_HEADER_SZ, 0, application_data,
+                            0, 0, 0), recSz);
+            XMEMCPY(allRecs + i * recSz, rec, (size_t)recSz);
+        }
+
+        /* Build 1 non-empty record */
+        XMEMSET(dataRec, 0, sizeof(dataRec));
+        XMEMCPY(dataRec + RECORD_HEADER_SZ, payload, sizeof(payload));
+        ExpectIntEQ(BuildTls13Message(ssl_c, dataRec, (int)sizeof(dataRec),
+                        dataRec + RECORD_HEADER_SZ, 1, application_data,
+                        0, 0, 0), dataRecSz);
+        XMEMCPY(allRecs + emptyBefore * recSz, dataRec, (size_t)dataRecSz);
+
+        /* Build (limit - 1) more empty records */
+        for (i = 0; i < emptyAfter && EXPECT_SUCCESS(); i++) {
+            XMEMSET(rec, 0, sizeof(rec));
+            ExpectIntEQ(BuildTls13Message(ssl_c, rec, (int)sizeof(rec),
+                            rec + RECORD_HEADER_SZ, 0, application_data,
+                            0, 0, 0), recSz);
+            XMEMCPY(allRecs + emptyBefore * recSz + dataRecSz + i * recSz,
+                     rec, (size_t)recSz);
+        }
+
+        ExpectIntEQ(test_memio_inject_message(&test_ctx, 0,
+                        (const char*)allRecs, totalSz), 0);
+    }
+
+    /* wolfSSL_read should return the 1-byte payload. The counter resets
+     * on the non-empty record so neither batch of (limit - 1) empties
+     * triggers the error. */
+    ExpectIntEQ(wolfSSL_read(ssl_s, buf, sizeof(buf)), 1);
+    ExpectIntEQ(buf[0], 'a');
+
+    XFREE(allRecs, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    wolfSSL_free(ssl_c);
+    wolfSSL_free(ssl_s);
+    wolfSSL_CTX_free(ctx_c);
+    wolfSSL_CTX_free(ctx_s);
+#endif
+    return EXPECT_RESULT();
+}
+
 int test_tls13_short_session_ticket(void)
 {
     EXPECT_DECLS;

tests/api/test_tls13.h

@@ -44,6 +44,7 @@ int test_tls13_warning_alert_is_fatal(void);
 int test_tls13_cert_req_sigalgs(void);
 int test_tls13_derive_keys_no_key(void);
 int test_tls13_pqc_hybrid_truncated_keyshare(void);
+int test_tls13_empty_record_limit(void);
 int test_tls13_short_session_ticket(void);
 
 #define TEST_TLS13_DECLS                                        \
@@ -67,6 +68,7 @@ int test_tls13_short_session_ticket(void);
     TEST_DECL_GROUP("tls13", test_tls13_cert_req_sigalgs),       \
     TEST_DECL_GROUP("tls13", test_tls13_derive_keys_no_key),    \
     TEST_DECL_GROUP("tls13", test_tls13_pqc_hybrid_truncated_keyshare), \
+    TEST_DECL_GROUP("tls13", test_tls13_empty_record_limit),          \
     TEST_DECL_GROUP("tls13", test_tls13_short_session_ticket)
 
 #endif /* WOLFCRYPT_TEST_TLS13_H */

wolfssl/error-ssl.h

@@ -240,7 +240,9 @@ enum wolfSSL_ErrorCodes {
 
     SESSION_TICKET_NONCE_OVERFLOW = -517,  /* Session ticket nonce overflow */
 
-    WOLFSSL_LAST_E               = -517
+    EMPTY_RECORD_LIMIT_E         = -518,  /* Too many empty records received */
+
+    WOLFSSL_LAST_E               = -518
 
     /* codes -1000 to -1999 are reserved for wolfCrypt. */
 };

wolfssl/internal.h

@@ -5218,6 +5218,7 @@ struct Options {
     byte            asyncState;         /* sub-state for enum asyncState */
     byte            buildMsgState;      /* sub-state for enum buildMsgState */
     byte            alertCount;         /* detect warning dos attempt */
+    byte            emptyRecordCount;   /* detect empty record dos attempt */
 #ifdef WOLFSSL_MULTICAST
     word16          mcastID;            /* Multicast group ID */
 #endif

wolfssl/wolfcrypt/settings.h

@@ -4144,6 +4144,10 @@ extern void uITRON4_free(void *p) ;
     #define WOLFSSL_ALERT_COUNT_MAX 5
 #endif
 
+#ifndef WOLFSSL_MAX_EMPTY_RECORDS
+    #define WOLFSSL_MAX_EMPTY_RECORDS 32
+#endif
+
 /* Enable blinding by default for C-only, non-small curve25519 implementation */
 #if defined(HAVE_CURVE25519) && !defined(CURVE25519_SMALL) && \
     !defined(FREESCALE_LTC_ECC) && !defined(WOLFSSL_ARMASM) && \