author | Matt Caswell <matt@openssl.org> | 2016-08-02 17:43:32 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2016-08-15 23:14:30 +0100 |
commit | a01c86a25198921c5b8adb45c9379088ace4e42e (patch) | |
tree | fa0e1f7eee0ce22b2882a137b3f780b7149a211f /ssl | |
parent | 44efb88a21d464dba3ac5084c8d4553d696fab33 (diff) |
Send an alert if we get a non-initial record with the wrong version
If we receive a non-initial record but the version number isn't right then
we should send an alert.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/record/ssl3_record.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index 8481815cf6..f67b85f0a9 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -238,7 +238,7 @@ int ssl3_get_record(SSL *s)
 }

 if ((version >> 8) != SSL3_VERSION_MAJOR) {
- if (s->first_packet) {
+ if (RECORD_LAYER_is_first_record(&s->rlayer)) {
 /* Go back to start of packet, look at the five bytes
 * that we have. */
 p = RECORD_LAYER_get_packet(&s->rlayer);
@@ -253,9 +253,17 @@ int ssl3_get_record(SSL *s)
 SSL_R_HTTPS_PROXY_REQUEST);
 goto err;
 }
+
+ /* Doesn't look like TLS - don't send an alert */
+ SSLerr(SSL_F_SSL3_GET_RECORD,
+ SSL_R_WRONG_VERSION_NUMBER);
+ goto err;
+ } else {
+ SSLerr(SSL_F_SSL3_GET_RECORD,
+ SSL_R_WRONG_VERSION_NUMBER);
+ al = SSL_AD_PROTOCOL_VERSION;
+ goto f_err;
 }
- SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
- goto err;
 }

 if (rr[num_recs].length > |
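Review bot: The guard on the plaintext-detection branch changes from `s->first_packet` to `RECORD_LAYER_is_first_record(&s->rlayer)`, but neither the commit message nor the code says why the predicate was swapped. Neither definition is visible in this hunk, so the two flags presumably differ in when they are set; it would help to state which cases now take the no-alert path, for example whether a later handshake on the same connection can still reach it. A comment above the test such as `/* Only the very first record on the connection may be non-TLS (e.g. plain HTTP) */` would record the intent. The body of ssl3_get_record starts and ends outside the hunk.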
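Review bot: The new `else` arm sets `al = SSL_AD_PROTOCOL_VERSION` with no comment, while the first-record arm explains why it stays silent; a matching line such as `/* Not the first record: the peer has been speaking TLS, so tell it why we are closing */` would make the asymmetry explicit. The `SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER)` call now appears in both arms. That looks necessary because the HTTP checks in the first arm raise their own reason codes before it, and the comment could say so. The enclosing test only inspects the major byte (`version >> 8`), so whether a wrong minor version on a later record also produces an alert depends on checks outside this hunk and is worth confirming.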