提交 538bea6c 编写于 作者: M Matt Caswell

Add extra validation parsing the server-to-client early_data extension

Check that we actually resumed the session, and that we selected the first
identity.
Reviewed-by: NRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
上级 329114f9
...@@ -931,10 +931,12 @@ int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context, ...@@ -931,10 +931,12 @@ int tls_parse_stoc_early_data(SSL *s, PACKET *pkt, unsigned int context,
return 0; return 0;
} }
if (s->ext.early_data != SSL_EARLY_DATA_REJECTED) { if (s->ext.early_data != SSL_EARLY_DATA_REJECTED
|| !s->hit
|| s->session->ext.tick_identity != 0) {
/* /*
* If we get here then we didn't send early data, so the server should * If we get here then we didn't send early data, or we didn't resume
* not be accepting it. * using the first identity so the server should not be accepting it.
*/ */
*al = SSL_AD_ILLEGAL_PARAMETER; *al = SSL_AD_ILLEGAL_PARAMETER;
return 0; return 0;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册