Don't send unexpected_message if we receive CCS while stateless
authorMatt Caswell <matt@openssl.org>
Fri, 29 Dec 2017 17:36:28 +0000 (17:36 +0000)
committerMatt Caswell <matt@openssl.org>
Wed, 24 Jan 2018 18:02:37 +0000 (18:02 +0000)
Probably this is the CCS between the first and second ClientHellos. It
should be ignored.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4435)

ssl/statem/statem_lib.c

index 38b86c9ef257b60cb437e52d2aca67e955831150..6bd54ac2b76177ae5d0316d3b57d9d7c7eb7d402 100644 (file)
@@ -1120,6 +1120,17 @@ int tls_get_message_header(SSL *s, int *mt)
                              SSL_R_BAD_CHANGE_CIPHER_SPEC);
                     return 0;
                 }
+                if (s->statem.hand_state == TLS_ST_BEFORE
+                        && (s->s3->flags & TLS1_FLAGS_STATELESS) != 0) {
+                    /*
+                     * We are stateless and we received a CCS. Probably this is
+                     * from a client between the first and second ClientHellos.
+                     * We should ignore this, but return an error because we do
+                     * not return success until we see the second ClientHello
+                     * with a valid cookie.
+                     */
+                    return 0;
+                }
                 s->s3->tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
                 s->init_num = readbytes - 1;
                 s->init_msg = s->init_buf->data;