crypto/tls: reject change_cipher_spec record after handshake in TLS 1.3

RPRX · web-flow · commit 15efa424b2b3 · 2023-03-07T15:19:08.000Z
golang/go#58912
diff --git a/conn.go b/conn.go
@@ -762,7 +762,7 @@ func (c *Conn) readRecordOrCCS(expectChangeCipherSpec bool) error {
 		// 5, a server can send a ChangeCipherSpec before its ServerHello, when
 		// c.vers is still unset. That's not useful though and suspicious if the
 		// server then selects a lower protocol version, so don't allow that.
-		if c.vers == VersionTLS13 {
+		if c.vers == VersionTLS13 && !handshakeComplete {
 			return c.retryReadRecord(expectChangeCipherSpec)
 		}
 		if !expectChangeCipherSpec {

Original file line number	Diff line number	Diff line change
`@@ -762,7 +762,7 @@ func (c *Conn) readRecordOrCCS(expectChangeCipherSpec bool) error {`
`762`	`762`	`// 5, a server can send a ChangeCipherSpec before its ServerHello, when`
`763`	`763`	`// c.vers is still unset. That's not useful though and suspicious if the`
`764`	`764`	`// server then selects a lower protocol version, so don't allow that.`
`765`		`- if c.vers == VersionTLS13 {`
	`765`	`+ if c.vers == VersionTLS13 && !handshakeComplete {`
`766`	`766`	`return c.retryReadRecord(expectChangeCipherSpec)`
`767`	`767`	`}`
`768`	`768`	`if !expectChangeCipherSpec {`