Cleanly reject non-HS in-between HS fragments
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 0a8f4a3..4adaf7d 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -5148,6 +5148,18 @@
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ /* If we're in the middle of a fragmented TLS handshake message,
+ * we don't accept any other message type. For TLS 1.3, the spec forbids
+ * interleaving other message types between handshake fragments. For TLS
+ * 1.2, the spec does not forbid it but we do. */
+ if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM &&
+ ssl->badmac_seen_or_in_hsfraglen != 0 &&
+ ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
+ MBEDTLS_SSL_DEBUG_MSG(1, ("non-handshake message in the middle"
+ " of a fragmented handshake message"));
+ return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
+ }
+
/*
* Handle particular types of records
*/
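Review bot: The `ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM` test in the new condition looks load-bearing, but the comment above it does not say why. The field name `badmac_seen_or_in_hsfraglen` suggests the same storage doubles as a bad-MAC counter on the other transport (inferred from the name only; its declaration is not in this hunk), so a nonzero value would mean "mid-fragment" only on a stream transport. I would add a line to the comment such as `* The transport check is required: this field is the pending fragment length only for TLS.` so that a later refactor does not drop or reorder it. Separately, the early `return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;` sends no alert from this function, so it is worth confirming that the caller turns this error into a fatal unexpected_message alert, and that a test covers an application-data or alert record arriving between two handshake fragments. The function's signature and the rest of its body are outside the hunk.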