Tolerate encrypted or plaintext alerts

At certain points in the handshake we could receive either a plaintext or an encrypted alert from the client. We should tolerate both where appropriate. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6887)
author: Matt Caswell <matt@openssl.org> 2018-08-07 12:40:08 +0100
committer: Matt Caswell <matt@openssl.org> 2018-08-08 10:16:58 +0100
commit: de9e884b2f43c59834c2b1c3cfde35fa2c797f2b (patch)
tree: 6e696fc5f4b219da631d844d68cd9a392e966099 /ssl/statem/statem_lib.c
parent: 7426cd343d99d3d82e3fb06c8df18e5cc6bcec75 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index caed61aaac..8a7d178a51 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -747,6 +747,12 @@ MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
 
     /* This is a real handshake so make sure we clean it up at the end */
     if (s->server) {
+        /*
+        * To get this far we must have read encrypted data from the client. We
+        * no longer tolerate unencrypted alerts. This value is ignored if less
+        * than TLSv1.3
+        */
+        s->statem.enc_read_state = ENC_READ_STATE_VALID;
         if (s->post_handshake_auth != SSL_PHA_REQUESTED)
             s->statem.cleanuphand = 1;
         if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) {
author	Matt Caswell <matt@openssl.org>	2018-08-07 12:40:08 +0100
committer	Matt Caswell <matt@openssl.org>	2018-08-08 10:16:58 +0100
commit	de9e884b2f43c59834c2b1c3cfde35fa2c797f2b (patch)
tree	6e696fc5f4b219da631d844d68cd9a392e966099 /ssl/statem/statem_lib.c
parent	7426cd343d99d3d82e3fb06c8df18e5cc6bcec75 (diff)