diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-01-18 13:47:02 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-01-18 15:33:34 +0100 |
commit | 54400bc4ad012a9704d729fade5c1ea5372eb1fb (patch) | |
tree | b2d2da5290d39694c26c13ac422e6382a66112e4 | |
parent | 6a62ddfc416a4ec2118704f93c97fdd448d66566 (diff) | |
download | gnutls-54400bc4ad012a9704d729fade5c1ea5372eb1fb.tar.gz |
Refuse to receive data during handshake
This prevents buggy applications from receiving non-authenticated data
that may have arrived during the handshake.
Relates #158
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | lib/record.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/record.c b/lib/record.c index e10fa46433..133f23e145 100644 --- a/lib/record.c +++ b/lib/record.c @@ -1771,6 +1771,14 @@ int gnutls_record_uncork(gnutls_session_t session, unsigned int flags) ssize_t gnutls_record_recv(gnutls_session_t session, void *data, size_t data_size) { + if (unlikely(!session->internals.initial_negotiation_completed)) { + /* this is to protect buggy applications from sending unencrypted + * data. We allow sending however, if we are in false start handshake + * state. */ + if (session->internals.recv_state != RECV_STATE_FALSE_START) + return gnutls_assert_val(GNUTLS_E_UNAVAILABLE_DURING_HANDSHAKE); + } + return _gnutls_recv_int(session, GNUTLS_APPLICATION_DATA, data, data_size, NULL, session->internals.record_timeout_ms); |