Diffstat (limited to 'lib')
-rw-r--r--lib/ssl/ssl3con.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
index ef883b725..84246954a 100644
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -13429,7 +13429,7 @@ ssl3_GetCipherSpec(sslSocket *ss, SSL3Ciphertext *cText)
SECStatus
ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText)
{
- SECStatus rv;
+ SECStatus rv = SECFailure;
PRBool isTLS, isTLS13;
DTLSEpoch epoch;
ssl3CipherSpec *spec = NULL;
@@ -13555,8 +13555,13 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Ciphertext *cText)
* Additionaly, this is used to silently drop DTLS encryption/record
* errors/alerts using the error handling below as suggested in the
* DTLS specification [RFC6347, Section 4.1.2.7]. */
- if (spec->version < SSL_LIBRARY_VERSION_TLS_1_3 ||
- spec->epoch == 0) {
+ if (spec->cipherDef->cipher == cipher_null && cText->buf->len == 0) {
+ /* Handle a zero-length unprotected record
+ * In this case, we treat it as a no-op and let later functions decide
+ * whether to ignore or alert accordingly. */
+ PR_ASSERT(plaintext->len == 0);
+ rv = SECSuccess;
+ } else if (spec->version < SSL_LIBRARY_VERSION_TLS_1_3 || spec->epoch == 0) {
rv = ssl3_UnprotectRecord(ss, spec, cText, plaintext, &alert);
} else {
rv = tls13_UnprotectRecord(ss, spec, cText, plaintext, &rType,
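Review bot: The new zero-length branch relies on `PR_ASSERT(plaintext->len == 0)`, which is compiled out of non-debug builds, so nothing in the hunk guarantees an empty plaintext when `rv = SECSuccess` hands it to the later record handling. Setting it explicitly with `plaintext->len = 0;` before the assignment would make the no-op hold in release builds as well. The condition also keys only on `cipher_null`; if a negotiated NULL-encryption suite that still carries a MAC can reach this point, an empty record would skip the integrity check that `ssl3_UnprotectRecord` would otherwise apply, so the test should probably also require a null MAC. That needs confirming against the spec definitions, which are not visible here. The body of ssl3_HandleRecord starts and ends outside this hunk.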