add extra handshake message checks

2023-03-24 16:32:02 +00:00 · 2023-03-24 16:32:02 +00:00 · 7af54c28e1
parent 43900e63a4
commit 7af54c28e1
1 changed files with 11 additions and 1 deletions
--- a/server.go
+++ b/server.go
@ -80,7 +80,11 @@ func peek(conn net.Conn, tlsConfig *tls.Config) {
 	}
 	// Extract handshake message length.
 	handshakeMessageLength := binary.BigEndian.Uint16(buf.Bytes()[3:5])
-	// Copy handshake message (should be a Client Hello).
+	if handshakeMessageLength == 0 {
+		log.Println("Zero-length handshake message")
+		return
+	}
+	// Copy handshake message.
 	_, err = io.CopyN(&buf, conn, int64(handshakeMessageLength))
 	if err != nil {
 		log.Println(err)
@ -88,6 +92,12 @@ func peek(conn net.Conn, tlsConfig *tls.Config) {
 	}
 	rawClientHello := buf.Bytes()

+	// Check if this really is a Client Hello message.
+	if rawClientHello[5] != 1 {
+		log.Println("HandshakeType is not client_hello")
+		return
+	}
+
 	// "Put back" the Client Hello bytes we just read, so that they can be
 	// used in the TLS handshake.  Concatenate the read bytes with the
 	// unread bytes using a MultiReader, inside a connection wrapper.