-rw-r--r-- | lib/errors.c | 2 | ||||
-rw-r--r-- | lib/record.c | 8 |
2 files changed, 9 insertions, 1 deletions
diff --git a/lib/errors.c b/lib/errors.c
index cb3c8893ed..e17ce86557 100644
--- a/lib/errors.c
+++ b/lib/errors.c
@@ -399,7 +399,7 @@ static const gnutls_error_entry error_entries[] = {
 GNUTLS_E_UNRECOGNIZED_NAME),
 ERROR_ENTRY(N_("There was an issue converting to or from UTF8."),
 GNUTLS_E_IDNA_ERROR),
- ERROR_ENTRY(N_("Cannot obtain resumption parameters while handshake is incomplete."),
+ ERROR_ENTRY(N_("Cannot perform this action while handshake is in progress."),
 GNUTLS_E_UNAVAILABLE_DURING_HANDSHAKE),
 ERROR_ENTRY(N_("The obtained public key is invalid."),
 GNUTLS_E_PK_INVALID_PUBKEY),
diff --git a/lib/record.c b/lib/record.c
index e2921055d2..e10fa46433 100644
--- a/lib/record.c
+++ b/lib/record.c
@@ -1624,6 +1624,14 @@ ssize_t gnutls_record_send(gnutls_session_t session, const void *data,
 size_t data_size)
 {
+ if (unlikely(!session->internals.initial_negotiation_completed)) {
+ /* this is to protect buggy applications from sending unencrypted
+ * data. We allow sending however, if we are in false start handshake
+ * state. */
+ if (session->internals.recv_state != RECV_STATE_FALSE_START)
+ return gnutls_assert_val(GNUTLS_E_UNAVAILABLE_DURING_HANDSHAKE);
+ }
+
 if (session->internals.record_flush_mode == RECORD_FLUSH) {
 return _gnutls_send_int(session, GNUTLS_APPLICATION_DATA, -1,
 EPOCH_WRITE_CURRENT, data, |
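Review bot: The reworded entry for GNUTLS_E_UNAVAILABLE_DURING_HANDSHAKE turns a resumption-specific message into a general one, and the record.c hunk in the same commit starts returning that code from gnutls_record_send, so the code now reaches callers that previously only saw it from resumption-parameter queries. The message itself reads fine, but the public description of the error code and the documentation of gnutls_record_send (both outside this diff) should be checked so they list the new condition rather than only the old resumption case. A short note in the table, such as `/* also returned by gnutls_record_send() before the initial handshake completes */`, would make the wider meaning visible where the string is defined.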