From: Matt Caswell Date: Wed, 2 Nov 2016 09:14:51 +0000 (+0000) Subject: Fail if an unrecognised record type is received X-Git-Tag: OpenSSL_1_1_0c~48 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=77cd04bd27397161faa4ad0b211727bfd97e6a67;p=oweals%2Fopenssl.git Fail if an unrecognised record type is received TLS1.0 and TLS1.1 say you SHOULD ignore unrecognised record types, but TLS 1.2 says you MUST send an unexpected message alert. We swap to the TLS 1.2 behaviour for all protocol versions to prevent issues where no progress is being made and the peer continually sends unrecognised record types, using up resources processing them. Issue reported by 郭志攀 Reviewed-by: Tim Hudson (cherry picked from commit 436a2a0179416d2cc22b678b63e50c2638384d5f) --- diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index 4535f89a1e..28de7c384e 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -1463,14 +1463,12 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, switch (SSL3_RECORD_get_type(rr)) { default: /* - * TLS up to v1.1 just ignores unknown message types: TLS v1.2 give - * an unexpected message alert. + * TLS 1.0 and 1.1 say you SHOULD ignore unrecognised record types, but + * TLS 1.2 says you MUST send an unexpected message alert. We use the + * TLS 1.2 behaviour for all protocol versions to prevent issues where + * no progress is being made and the peer continually sends unrecognised + * record types, using up resources processing them. */ - if (s->version >= TLS1_VERSION && s->version <= TLS1_1_VERSION) { - SSL3_RECORD_set_length(rr, 0); - SSL3_RECORD_set_read(rr); - goto start; - } al = SSL_AD_UNEXPECTED_MESSAGE; SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_RECORD); goto f_err;