reject unencrypted SHLOs

Marten Seemann
2016-12-04 14:53:01 +07:00
parent e19416a43b
commit 2589a6eff9
2 changed files with 21 additions and 3 deletions


@@ -36,8 +36,10 @@ type cryptoSetupClient struct {
clientHelloCounter int
serverVerified bool // has the certificate chain and the proof already been verified
keyDerivation KeyDerivationFunction
secureAEAD crypto.AEAD
forwardSecureAEAD crypto.AEAD
receivedSecurePacket bool
secureAEAD crypto.AEAD
forwardSecureAEAD crypto.AEAD
}
var _ crypto.AEAD = &cryptoSetupClient{}
@@ -175,6 +177,10 @@ func (h *cryptoSetupClient) handleREJMessage(cryptoData map[Tag][]byte) error {
}
func (h *cryptoSetupClient) handleSHLOMessage(cryptoData map[Tag][]byte) error {
if !h.receivedSecurePacket {
return qerr.Error(qerr.CryptoEncryptionLevelIncorrect, "unencrypted SHLO message")
}
serverPubs, ok := cryptoData[TagPUBS]
if !ok {
return qerr.Error(qerr.CryptoMessageParameterNotFound, "PUBS")
@@ -219,13 +225,18 @@ func (h *cryptoSetupClient) Open(dst, src []byte, packetNumber protocol.PacketNu
}
return nil, err
}
if h.secureAEAD != nil {
data, err := h.secureAEAD.Open(dst, src, packetNumber, associatedData)
if err == nil {
h.receivedSecurePacket = true
return data, nil
}
return nil, err
if h.receivedSecurePacket {
return nil, err
}
}
return (&crypto.NullAEAD{}).Open(dst, src, packetNumber, associatedData)
}
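Review bot: The guard in handleSHLOMessage tests `h.receivedSecurePacket`, a connection-wide flag set in Open, rather than the encryption level of the packet that carried this SHLO. It is sound only because Open stops falling back to `crypto.NullAEAD` once the flag is set, and nothing in the struct or either function records that coupling. I would document it on the field, e.g. `// set by Open after the first packet decrypted with secureAEAD; Open then rejects null-encrypted packets, which handleSHLOMessage relies on`. If Open and the handshake-message handling can run on different goroutines (not visible in these hunks), the flag is written and read without synchronization and needs a mutex or an atomic. The bodies of handleSHLOMessage and Open extend outside the hunks shown.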


@@ -342,6 +342,13 @@ var _ = Describe("Crypto setup", func() {
kex: kex,
}
cs.serverConfig = serverConfig
cs.receivedSecurePacket = true
})
It("rejects unencrypted SHLOs", func() {
cs.receivedSecurePacket = false
err := cs.handleSHLOMessage(tagMap)
Expect(err).To(MatchError(qerr.Error(qerr.CryptoEncryptionLevelIncorrect, "unencrypted SHLO message")))
})
It("rejects SHLOs without a PUBS", func() {
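Review bot: Nothing in this section exercises the change to Open; the added test sets `cs.receivedSecurePacket` by hand and only calls handleSHLOMessage. The downgrade protection depends on Open setting the flag after a successful `secureAEAD.Open` and then refusing the NullAEAD fallback, so I would add two cases alongside this one, e.g. `It("sets receivedSecurePacket after opening a packet with the secure AEAD", ...)` and `It("rejects null-encrypted packets once a secure packet was received", ...)`. A third case for the path where secureAEAD fails before any secure packet was seen, and the packet is still accepted through NullAEAD, would pin the intended handshake-time behaviour. Tests for Open may exist elsewhere in the file; the enclosing Describe block continues outside this hunk.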