crypto/tls: detect unexpected leftover handshake data

There should be no data in the Handshake buffer on encryption state changes (including implicit 1.3 transitions). Checking that also blocks all Handshake messages fragmented across CCS. BoGo: PartialClientFinishedWithClientHello
2017-01-18 17:13:07 +00:00 · 2017-01-18 17:13:07 +00:00 · c758567785
commit c758567785
--- a/13.go
+++ b/13.go
@ -120,6 +120,9 @@ CurvePreferenceLoop:
 	serverCipher, _ = hs.prepareCipher(handshakeCtx, hs.masterSecret, "server application traffic secret")
 	c.out.setCipher(c.vers, serverCipher)

+	if c.hand.Len() > 0 {
+		return c.sendAlert(alertUnexpectedMessage)
+	}
 	if hs.hello13Enc.earlyData {
 		c.in.setCipher(c.vers, earlyClientCipher)
 		c.phase = readingEarlyData
@ -162,6 +165,9 @@ func (hs *serverHandshakeState) readClientFinished13() error {
 	hs.finishedHash13.Write(clientFinished.marshal())

 	c.hs = nil // Discard the server handshake state
+	if c.hand.Len() > 0 {
+		return c.sendAlert(alertUnexpectedMessage)
+	}
 	c.in.setCipher(c.vers, hs.appClientCipher)
 	c.in.traceErr, c.out.traceErr = nil, nil
 	c.phase = handshakeConfirmed
@ -224,6 +230,10 @@ func (c *Conn) handleEndOfEarlyData() {
 		return
 	}
 	c.phase = waitingClientFinished
+	if c.hand.Len() > 0 {
+		c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage))
+		return
+	}
 	c.in.setCipher(c.vers, c.hs.hsClientCipher)
 }

--- a/handshake_server.go
+++ b/handshake_server.go
@ -132,6 +132,9 @@ func (c *Conn) serverHandshake() error {
 			return err
 		}
 	}
+	if c.hand.Len() > 0 {
+		return c.sendAlert(alertUnexpectedMessage)
+	}
 	c.phase = handshakeConfirmed
 	atomic.StoreInt32(&c.handshakeConfirmed, 1)
 	c.handshakeComplete = true