Send an alert if we get a non-initial record with the wrong version

If we receive a non-initial record but the version number isn't right then we should send an alert. Reviewed-by: Tim Hudson <tjh@openssl.org>
2024-12-19 23:13:49 +08:00 · 2016-08-02 17:43:32 +01:00 · 2016-08-02 17:43:32 +01:00 · a01c86a251
commit a01c86a251
parent 44efb88a21
1 changed files with 11 additions and 3 deletions
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@ -238,7 +238,7 @@ int ssl3_get_record(SSL *s)
                }

                if ((version >> 8) != SSL3_VERSION_MAJOR) {
-                    if (s->first_packet) {
+                    if (RECORD_LAYER_is_first_record(&s->rlayer)) {
                        /* Go back to start of packet, look at the five bytes
                         * that we have. */
                        p = RECORD_LAYER_get_packet(&s->rlayer);
@ -253,9 +253,17 @@ int ssl3_get_record(SSL *s)
                                   SSL_R_HTTPS_PROXY_REQUEST);
                            goto err;
                        }
+
+                        /* Doesn't look like TLS - don't send an alert */
+                        SSLerr(SSL_F_SSL3_GET_RECORD,
+                               SSL_R_WRONG_VERSION_NUMBER);
+                        goto err;
+                    } else {
+                        SSLerr(SSL_F_SSL3_GET_RECORD,
+                               SSL_R_WRONG_VERSION_NUMBER);
+                        al = SSL_AD_PROTOCOL_VERSION;
+                        goto f_err;
                    }
-                    SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
-                    goto err;
                }

                if (rr[num_recs].length >