diff options
| -rw-r--r-- | src/lib/libssl/tls13_record_layer.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/src/lib/libssl/tls13_record_layer.c b/src/lib/libssl/tls13_record_layer.c index 5c2c2116c0..16a22a841b 100644 --- a/src/lib/libssl/tls13_record_layer.c +++ b/src/lib/libssl/tls13_record_layer.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_record_layer.c,v 1.33 2020/05/03 15:57:25 jsing Exp $ */ | 1 | /* $OpenBSD: tls13_record_layer.c,v 1.34 2020/05/07 18:56:09 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -813,6 +813,16 @@ tls13_record_layer_read_record(struct tls13_record_layer *rl) | |||
| 813 | 813 | ||
| 814 | tls13_record_layer_rrec_free(rl); | 814 | tls13_record_layer_rrec_free(rl); |
| 815 | 815 | ||
| 816 | /* | ||
| 817 | * On receiving a handshake or alert record with empty inner plaintext, | ||
| 818 | * we must terminate the connection with an unexpected_message alert. | ||
| 819 | * See RFC 8446 section 5.4. | ||
| 820 | */ | ||
| 821 | if (CBS_len(&rl->rbuf_cbs) == 0 && | ||
| 822 | (rl->rbuf_content_type == SSL3_RT_ALERT || | ||
| 823 | rl->rbuf_content_type == SSL3_RT_HANDSHAKE)) | ||
| 824 | return tls13_send_alert(rl, SSL3_AD_UNEXPECTED_MESSAGE); | ||
| 825 | |||
| 816 | switch (rl->rbuf_content_type) { | 826 | switch (rl->rbuf_content_type) { |
| 817 | case SSL3_RT_ALERT: | 827 | case SSL3_RT_ALERT: |
| 818 | return tls13_record_layer_process_alert(rl); | 828 | return tls13_record_layer_process_alert(rl); |