author | Matt Caswell <matt@openssl.org> | 2017-03-09 22:58:05 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2017-03-16 14:20:38 +0000 |
commit | 9e0ac6a2f1237ab72f0f26a032199864c7b71f2e (patch) | |
tree | e5882b5da58d79922426cde1608402e21d43a8fd /ssl/statem/statem_srvr.c | |
parent | 6594189fa16e845df5565ca4c180220783a752d4 (diff) | |
Check ClientHello boundary as per draft-19
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2895)
Diffstat (limited to 'ssl/statem/statem_srvr.c')
-rw-r--r-- | ssl/statem/statem_srvr.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 259be22..608bef2 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1534,6 +1534,14 @@ static int tls_early_post_process_client_hello(SSL *s, int *al)
 goto err;
 }
 
+ /* TLSv1.3 defines that a ClientHello must end on a record boundary */
+ if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
+ *al = SSL_AD_UNEXPECTED_MESSAGE;
+ SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
+ SSL_R_NOT_ON_RECORD_BOUNDARY);
+ goto err;
+ }
+
 if (SSL_IS_DTLS(s)) {
 /* Empty cookie was already handled above by returning early. */
 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) { |
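Review bot: The new comment above the `SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)` check states the rule but not the reason, and the reason is the security-relevant part: bytes trailing the ClientHello in the same plaintext record could otherwise stay buffered and be interpreted as part of a later flight that is expected to be protected. I would extend it to something like `/* TLSv1.3: a ClientHello must end on a record boundary, so that no unprotected trailing bytes are carried over into the next, encrypted flight */`. The check also relies on `SSL_IS_TLS13(s)` already reflecting the negotiated version at this point, which is presumably settled by the code above the hunk; the body of `tls_early_post_process_client_hello` starts and ends outside the hunk, so this cannot be confirmed from here. A regression test that sends a ClientHello coalesced with extra handshake bytes in one record would pin the `SSL_AD_UNEXPECTED_MESSAGE` alert; the diffstat is limited to this file, so it is not visible whether one was added.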