Fail to parse ClientHello if the TLS record layer Content Type and versions are wrong

2019-08-17 00:35:28 +01:00 · 2019-08-17 00:35:28 +01:00 · 57255fdeb2
parent 0e0a3314c9
commit 57255fdeb2
2 changed files with 9 additions and 0 deletions
--- a/internal/server/TLS.go
+++ b/internal/server/TLS.go
@ -104,6 +104,10 @@ func parseClientHello(data []byte) (ret *ClientHello, err error) {
 		}
 	}()

+	if !bytes.Equal(data[0:3], []byte{0x16, 0x03, 0x01}) {
+		return ret, errors.New("wrong TLS handshake magic bytes")
+	}
+
 	peeled := make([]byte, len(data)-5)
 	copy(peeled, data[5:])
 	pointer := 0
--- a/internal/server/TLS_test.go
+++ b/internal/server/TLS_test.go
@ -12,9 +12,11 @@ func TestParseClientHello(t *testing.T) {
 		ch, err := parseClientHello(chBytes)
 		if err != nil {
 			t.Errorf("Expecting no error, got %v", err)
+			return
 		}
 		if !bytes.Equal(ch.clientVersion, []byte{0x03, 0x03}) {
 			t.Errorf("expecting client version 0x0303, got %v", ch.clientVersion)
+			return
 		}
 	})
 	t.Run("Malformed ClientHello", func(t *testing.T) {
@ -22,6 +24,7 @@ func TestParseClientHello(t *testing.T) {
 		_, err := parseClientHello(chBytes)
 		if err == nil {
 			t.Error("expecting Malformed ClientHello, got no error")
+			return
 		}
 	})
 	t.Run("not Handshake", func(t *testing.T) {
@ -29,6 +32,7 @@ func TestParseClientHello(t *testing.T) {
 		_, err := parseClientHello(chBytes)
 		if err == nil {
 			t.Error("not a tls handshake, got no error")
+			return
 		}
 	})
 	t.Run("wrong version", func(t *testing.T) {
@ -36,6 +40,7 @@ func TestParseClientHello(t *testing.T) {
 		_, err := parseClientHello(chBytes)
 		if err == nil {
 			t.Error("wrong version, got no error")
+			return
 		}
 	})
 }