Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

allow unencrypted alerts just before encrypted messages #499

Merged
merged 1 commit into from
Aug 4, 2023
Merged

allow unencrypted alerts just before encrypted messages #499

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 11 additions & 2 deletions tlslite/recordlayer.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -922,6 +922,15 @@ def recvRecord(self):
elif self._is_tls13_plus() and \
header.type == ContentType.change_cipher_spec:
pass
# when we're in the early handshake, then unencrypted alerts
# are fine too
elif self._is_tls13_plus() and \
header.type == ContentType.alert and \
len(data) < 3 and \
self._readState and \
self._readState.encContext and \
self._readState.seqnum == 0:
pass
elif self._readState and \
self._readState.encContext and \
self._readState.encContext.isAEAD:
Expand Down Expand Up @@ -957,10 +966,10 @@ def recvRecord(self):
# start checking the MACs
self.early_data_ok = False

# TLS 1.3 encrypts the type, CCS is not encrypted
# TLS 1.3 encrypts the type, CCS and Alerts are not encrypted
if self._is_tls13_plus() and self._readState and \
self._readState.encContext and\
header.type != ContentType.change_cipher_spec:
header.type == ContentType.application_data:
# check if plaintext is not too big, RFC 8446, section 5.4
if len(data) > self.recv_record_limit + 1:
raise TLSRecordOverflow()
Expand Down
Loading