reject unencrypted SHLOs

handshake/crypto_setup_client.go

@@ -36,6 +36,8 @@ type cryptoSetupClient struct {
 	clientHelloCounter int
 	serverVerified     bool // has the certificate chain and the proof already been verified
 	keyDerivation      KeyDerivationFunction
+
+	receivedSecurePacket bool
 	secureAEAD           crypto.AEAD
 	forwardSecureAEAD    crypto.AEAD
 }
@@ -175,6 +177,10 @@ func (h *cryptoSetupClient) handleREJMessage(cryptoData map[Tag][]byte) error {
 }
 
 func (h *cryptoSetupClient) handleSHLOMessage(cryptoData map[Tag][]byte) error {
+	if !h.receivedSecurePacket {
+		return qerr.Error(qerr.CryptoEncryptionLevelIncorrect, "unencrypted SHLO message")
+	}
+
 	serverPubs, ok := cryptoData[TagPUBS]
 	if !ok {
 		return qerr.Error(qerr.CryptoMessageParameterNotFound, "PUBS")
@@ -219,13 +225,18 @@ func (h *cryptoSetupClient) Open(dst, src []byte, packetNumber protocol.PacketNu
 		}
 		return nil, err
 	}
+
 	if h.secureAEAD != nil {
 		data, err := h.secureAEAD.Open(dst, src, packetNumber, associatedData)
 		if err == nil {
+			h.receivedSecurePacket = true
 			return data, nil
 		}
+		if h.receivedSecurePacket {
 			return nil, err
 		}
+	}
+
 	return (&crypto.NullAEAD{}).Open(dst, src, packetNumber, associatedData)
 }
 

handshake/crypto_setup_client_test.go

@@ -342,6 +342,13 @@ var _ = Describe("Crypto setup", func() {
 				kex: kex,
 			}
 			cs.serverConfig = serverConfig
+			cs.receivedSecurePacket = true
+		})
+
+		It("rejects unencrypted SHLOs", func() {
+			cs.receivedSecurePacket = false
+			err := cs.handleSHLOMessage(tagMap)
+			Expect(err).To(MatchError(qerr.Error(qerr.CryptoEncryptionLevelIncorrect, "unencrypted SHLO message")))
 		})
 
 		It("rejects SHLOs without a PUBS", func() {