[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Thu May 11 12:13:28 UTC 2017


The branch master has been updated
       via  9010b7bc6ec7ffc6713ad5710d846b197c0ca697 (commit)
       via  26b9172a50f1ad22ed94f9d11834ca75d380fe73 (commit)
       via  b6fdc12d94d7527c3018492ab838cbcda81ba346 (commit)
       via  fc4c15faa462c1a4cbf002f214f6503e629e7a20 (commit)
       via  0b367d79552401c221affa406b978a5b33d79032 (commit)
       via  3c544acc385ac39b77873c9cfa77c4ae5df956b5 (commit)
       via  2d871227faf7f4e287caa04be43957f8e2df43a4 (commit)
       via  1a281aab730fc089291b774b05441c737f0d1d3d (commit)
       via  f69fe73a2ae94c7f8d0812715e29f79d40db1723 (commit)
       via  ef57a475a073fffd610ee3228acd855ca0d72be5 (commit)
       via  721586eadf626118695365282db7f10acd105882 (commit)
       via  f66f8a4491f5c2207ed054fc35eb6a479ab8ecdc (commit)
      from  c2bdf05f4b5430b5cc9d8122295b8484280e070f (commit)


- Log -----------------------------------------------------------------
commit 9010b7bc6ec7ffc6713ad5710d846b197c0ca697
Author: Matt Caswell <matt at openssl.org>
Date:   Thu May 11 12:45:16 2017 +0100

    Add some extra comments following alert changes
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3436)

commit 26b9172a50f1ad22ed94f9d11834ca75d380fe73
Author: Matt Caswell <matt at openssl.org>
Date:   Thu May 11 11:31:57 2017 +0100

    Add some checks for trailing data after extension blocks
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3436)

commit b6fdc12d94d7527c3018492ab838cbcda81ba346
Author: Matt Caswell <matt at openssl.org>
Date:   Thu May 11 10:55:54 2017 +0100

    Send a missing_extension alert if key_share/supported groups not present
    
    Only applies if we're not doing psk.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3436)

commit fc4c15faa462c1a4cbf002f214f6503e629e7a20
Author: Matt Caswell <matt at openssl.org>
Date:   Thu May 11 10:34:25 2017 +0100

    TLSv1.3 alert and handshake messages can never be 0 length
    
    We abort if we read a message like this.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3436)

commit 0b367d79552401c221affa406b978a5b33d79032
Author: Matt Caswell <matt at openssl.org>
Date:   Thu May 11 10:16:34 2017 +0100

    TLSv1.3 alerts cannot be fragmented and only one per record
    
    We should be validating that.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3436)

commit 3c544acc385ac39b77873c9cfa77c4ae5df956b5
Author: Matt Caswell <matt at openssl.org>
Date:   Thu May 11 10:16:08 2017 +0100

    Check that a TLSv1.3 encrypted message has an app data content type
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3436)

commit 2d871227faf7f4e287caa04be43957f8e2df43a4
Author: Matt Caswell <matt at openssl.org>
Date:   Thu May 11 10:14:17 2017 +0100

    Send an illegal parameter alert if the update type in a KeyUpdate is wrong
    
    Previously we sent a decode_error alert.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3436)

commit 1a281aab730fc089291b774b05441c737f0d1d3d
Author: Matt Caswell <matt at openssl.org>
Date:   Thu May 11 08:38:21 2017 +0100

    Ensure we fail with a decode error alert if the server sends an empty Cert
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3436)

commit f69fe73a2ae94c7f8d0812715e29f79d40db1723
Author: Matt Caswell <matt at openssl.org>
Date:   Wed May 10 16:47:24 2017 +0100

    Fix more alert codes
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3436)

commit ef57a475a073fffd610ee3228acd855ca0d72be5
Author: Matt Caswell <matt at openssl.org>
Date:   Mon May 8 15:18:25 2017 +0100

    Verify that there is no trailing data after the extensions block
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3436)

commit 721586eadf626118695365282db7f10acd105882
Author: Matt Caswell <matt at openssl.org>
Date:   Mon May 8 13:45:18 2017 +0100

    Fix some alert codes
    
    Make sure we are using the correct alert codes as per the spec.
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3436)

commit f66f8a4491f5c2207ed054fc35eb6a479ab8ecdc
Author: Matt Caswell <matt at openssl.org>
Date:   Mon May 8 13:10:26 2017 +0100

    Reject unknown warning alerts in TLSv1.3
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3436)

-----------------------------------------------------------------------

Summary of changes:
 include/openssl/ssl.h        |  2 ++
 ssl/record/rec_layer_s3.c    | 25 ++++++++++++++++++++++++-
 ssl/record/ssl3_record.c     | 16 +++++++++++++++-
 ssl/ssl_err.c                |  3 +++
 ssl/statem/extensions.c      |  5 ++++-
 ssl/statem/extensions_clnt.c | 10 +++++-----
 ssl/statem/extensions_srvr.c | 23 +++++++++++++++--------
 ssl/statem/statem_clnt.c     | 12 ++++++++----
 ssl/statem/statem_lib.c      | 15 ++++++++++++---
 ssl/statem/statem_srvr.c     |  3 ++-
 10 files changed, 90 insertions(+), 24 deletions(-)

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 54028f6..4558b17 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -2650,6 +2650,7 @@ int ERR_load_SSL_strings(void);
 # define SSL_R_INAPPROPRIATE_FALLBACK                     373
 # define SSL_R_INCONSISTENT_COMPRESSION                   340
 # define SSL_R_INCONSISTENT_EXTMS                         104
+# define SSL_R_INVALID_ALERT                              205
 # define SSL_R_INVALID_COMMAND                            280
 # define SSL_R_INVALID_COMPRESSION_ALGORITHM              341
 # define SSL_R_INVALID_CONFIGURATION_NAME                 113
@@ -2674,6 +2675,7 @@ int ERR_load_SSL_strings(void);
 # define SSL_R_MISSING_RSA_SIGNING_CERT                   170
 # define SSL_R_MISSING_SIGALGS_EXTENSION                  112
 # define SSL_R_MISSING_SRP_PARAM                          358
+# define SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION         209
 # define SSL_R_MISSING_TMP_DH_KEY                         171
 # define SSL_R_MISSING_TMP_ECDH_KEY                       311
 # define SSL_R_NOT_ON_RECORD_BOUNDARY                     182
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 60bfd3c..de112cc 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -1422,6 +1422,20 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
             if (SSL3_RECORD_get_length(rr) == 0)
                 SSL3_RECORD_set_read(rr);
 
+            if (SSL_IS_TLS13(s)
+                    && SSL3_RECORD_get_type(rr) == SSL3_RT_ALERT) {
+                if (*dest_len < dest_maxlen
+                        || SSL3_RECORD_get_length(rr) != 0) {
+                    /*
+                     * TLSv1.3 forbids fragmented alerts, and only one alert
+                     * may be present in a record
+                     */
+                    al = SSL_AD_UNEXPECTED_MESSAGE;
+                    SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_INVALID_ALERT);
+                    goto f_err;
+                }
+            }
+
             if (*dest_len < dest_maxlen)
                 goto start;     /* fragment was too small */
         }
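Review bot: the two disjuncts in the new alert check cover different protocol violations and the comment should say which is which: `*dest_len < dest_maxlen` fires when the alert body was split across records (a fragment), while `SSL3_RECORD_get_length(rr) != 0` fires when bytes remain in the record after one complete alert (a second alert or trailing garbage). Placing the check before the existing `goto start; /* fragment was too small */` is the right order, since that path would otherwise silently reassemble a fragmented TLSv1.3 alert; a comment making that dependency explicit would protect it from being reordered later.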
@@ -1489,6 +1503,15 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
                 return 0;
             }
             /*
+             * Apart from close_notify the only other warning alert in TLSv1.3
+             * is user_cancelled - which we just ignore.
+             */
+            if (SSL_IS_TLS13(s) && alert_descr != SSL_AD_USER_CANCELLED) {
+                al = SSL_AD_ILLEGAL_PARAMETER;
+                SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNKNOWN_ALERT_TYPE);
+                goto f_err;
+            }
+            /*
              * This is a warning but we receive it if we requested
              * renegotiation and the peer denied it. Terminate with a fatal
              * alert because if application tried to renegotiate it
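Review bot: the new comment says user_cancelled is "just ignored", but nothing in this hunk shows that; the reader has to follow the fall-through into the `SSL_AD_NO_RENEGOTIATION` check and the generic warning handling below to confirm it. Consider stating explicitly that a TLSv1.3 user_cancelled alert falls through to the normal warning path, and note that `SSL_R_UNKNOWN_ALERT_TYPE` is being reused here for a warning that may well be a known type in TLSv1.2 (the peer sent a legacy warning such as `no_renegotiation`), so the error string can be misleading when a TLSv1.2 peer misbehaves.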
@@ -1496,7 +1519,7 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
              * future we might have a renegotiation where we don't care if
              * the peer refused it where we carry on.
              */
-            else if (alert_descr == SSL_AD_NO_RENEGOTIATION) {
+            if (alert_descr == SSL_AD_NO_RENEGOTIATION) {
                 al = SSL_AD_HANDSHAKE_FAILURE;
                 SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_NO_RENEGOTIATION);
                 goto f_err;
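Review bot: dropping the `else` is only correct because every preceding branch in this chain now exits (the close_notify branch returns 0 at the top of the previous hunk, and the new TLSv1.3 unknown-warning check ends in `goto f_err`). A short comment recording that the chain is a sequence of early exits rather than mutually exclusive branches would stop a later edit from reintroducing a fall-through.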
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index 806ef43..bafc976 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -618,7 +618,8 @@ int ssl3_get_record(SSL *s)
         if (SSL_IS_TLS13(s) && s->enc_read_ctx != NULL) {
             size_t end;
 
-            if (thisrr->length == 0) {
+            if (thisrr->length == 0
+                    || thisrr->type != SSL3_RT_APPLICATION_DATA) {
                 al = SSL_AD_UNEXPECTED_MESSAGE;
                 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_RECORD_TYPE);
                 goto f_err;
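Review bot: the combined condition now reports `SSL_R_BAD_RECORD_TYPE` for two distinct failures, an encrypted TLSv1.3 record with a zero-length body and one whose outer content type is not application_data; only the second is actually a bad record type. Splitting the `SSLerr` so the zero-length case keeps a length-related reason would make the error queue useful when diagnosing which invariant a peer violated.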
@@ -643,6 +644,19 @@ int ssl3_get_record(SSL *s)
                                 &thisrr->data[end], 1, s, s->msg_callback_arg);
         }
 
+        /*
+         * TLSv1.3 alert and handshake records are required to be non-zero in
+         * length.
+         */
+        if (SSL_IS_TLS13(s)
+                && (thisrr->type == SSL3_RT_HANDSHAKE
+                    || thisrr->type == SSL3_RT_ALERT)
+                && thisrr->length == 0) {
+            al = SSL_AD_UNEXPECTED_MESSAGE;
+            SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BAD_LENGTH);
+            goto f_err;
+        }
+
         if (thisrr->length > SSL3_RT_MAX_PLAIN_LENGTH) {
             al = SSL_AD_RECORD_OVERFLOW;
             SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_DATA_LENGTH_TOO_LONG);
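Review bot: this check reads `thisrr->type` after the TLSv1.3 decryption block above, so for protected records it presumably sees the inner content type recovered from the padding scan (the `&thisrr->data[end]` passed to the message callback), and for unprotected records the outer type; the comment should say that both the plaintext and the decrypted cases are covered, since a zero-length inner alert or handshake record is the interesting case. It also overlaps with the alert check added to `ssl3_read_bytes` in `rec_layer_s3.c` (`SSL3_RECORD_get_length(rr) != 0`), which is fine as defence in depth but worth cross-referencing so nobody removes one believing the other is sufficient.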
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 06cd852..62d7d76 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -609,6 +609,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
     {ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK), "inappropriate fallback"},
     {ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION), "inconsistent compression"},
     {ERR_REASON(SSL_R_INCONSISTENT_EXTMS), "inconsistent extms"},
+    {ERR_REASON(SSL_R_INVALID_ALERT), "invalid alert"},
     {ERR_REASON(SSL_R_INVALID_COMMAND), "invalid command"},
     {ERR_REASON(SSL_R_INVALID_COMPRESSION_ALGORITHM),
      "invalid compression algorithm"},
@@ -640,6 +641,8 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
     {ERR_REASON(SSL_R_MISSING_SIGALGS_EXTENSION),
      "missing sigalgs extension"},
     {ERR_REASON(SSL_R_MISSING_SRP_PARAM), "can't find SRP server param"},
+    {ERR_REASON(SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION),
+     "missing supported groups extension"},
     {ERR_REASON(SSL_R_MISSING_TMP_DH_KEY), "missing tmp dh key"},
     {ERR_REASON(SSL_R_MISSING_TMP_ECDH_KEY), "missing tmp ecdh key"},
     {ERR_REASON(SSL_R_NOT_ON_RECORD_BOUNDARY), "not on record boundary"},
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 9b16014..578ca13 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -1151,7 +1151,10 @@ static int final_key_share(SSL *s, unsigned int context, int sent, int *al)
         if (!s->hit
                 || (s->ext.psk_kex_mode & TLSEXT_KEX_MODE_FLAG_KE) == 0) {
             /* Nothing left we can do - just fail */
-            *al = SSL_AD_HANDSHAKE_FAILURE;
+            if (!sent)
+                *al = SSL_AD_MISSING_EXTENSION;
+            else
+                *al = SSL_AD_HANDSHAKE_FAILURE;
             SSLerr(SSL_F_FINAL_KEY_SHARE, SSL_R_NO_SUITABLE_KEY_SHARE);
             return 0;
         }
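Review bot: both branches still raise `SSL_R_NO_SUITABLE_KEY_SHARE`, so the error queue cannot distinguish "client sent no key_share at all" (the new `missing_extension` case, `!sent`) from "key_share present but no acceptable group"; consider a dedicated reason for the missing case, as was done with `SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION` in `extensions_srvr.c`. The wire alert is now correct per spec, but operators mostly see the reason string, not the alert.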
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 3f7fce0..2d7bcd3 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -1312,7 +1312,7 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
     }
 
     if (!PACKET_get_net_2(pkt, &group_id)) {
-        *al = SSL_AD_HANDSHAKE_FAILURE;
+        *al = SSL_AD_DECODE_ERROR;
         SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
         return 0;
     }
@@ -1322,7 +1322,7 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
         size_t i, num_curves;
 
         if (PACKET_remaining(pkt) != 0) {
-            *al = SSL_AD_HANDSHAKE_FAILURE;
+            *al = SSL_AD_DECODE_ERROR;
             SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
             return 0;
         }
@@ -1364,7 +1364,7 @@ int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
          * This isn't for the group that we sent in the original
          * key_share!
          */
-        *al = SSL_AD_HANDSHAKE_FAILURE;
+        *al = SSL_AD_ILLEGAL_PARAMETER;
         SSLerr(SSL_F_TLS_PARSE_STOC_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
         return 0;
     }
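Review bot: the alert split in these three hunks is consistent (`decode_error` for a malformed or mis-sized key_share, `illegal_parameter` for a well-formed share in a group the client never offered) and matches the server-side change to `tls_parse_ctos_key_share`. A test that sends a syntactically valid server key_share for an unoffered group and asserts on the `illegal_parameter` alert would pin the distinction, since the reason code `SSL_R_BAD_KEY_SHARE` alone does not reveal which alert was chosen.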
@@ -1465,13 +1465,13 @@ int tls_parse_stoc_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
     unsigned int identity;
 
     if (!PACKET_get_net_2(pkt, &identity) || PACKET_remaining(pkt) != 0) {
-        *al = SSL_AD_HANDSHAKE_FAILURE;
+        *al = SSL_AD_DECODE_ERROR;
         SSLerr(SSL_F_TLS_PARSE_STOC_PSK, SSL_R_LENGTH_MISMATCH);
         return 0;
     }
 
     if (s->session->ext.tick_identity != (int)identity) {
-        *al = SSL_AD_HANDSHAKE_FAILURE;
+        *al = SSL_AD_ILLEGAL_PARAMETER;
         SSLerr(SSL_F_TLS_PARSE_STOC_PSK, SSL_R_BAD_PSK_IDENTITY);
         return 0;
     }
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 381e72b..f85477c 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -512,7 +512,7 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
     }
 
     if (!PACKET_as_length_prefixed_2(pkt, &key_share_list)) {
-        *al = SSL_AD_HANDSHAKE_FAILURE;
+        *al = SSL_AD_DECODE_ERROR;
         SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_LENGTH_MISMATCH);
         return 0;
     }
@@ -524,22 +524,29 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
         return 0;
     }
 
-    /*
-     * Get the clients list of supported curves.
-     * TODO(TLS1.3): We should validate that we actually received
-     * supported_groups!
-     */
+    /* Get the clients list of supported curves. */
     if (!tls1_get_curvelist(s, 1, &clntcurves, &clnt_num_curves)) {
         *al = SSL_AD_INTERNAL_ERROR;
         SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
         return 0;
     }
+    if (clnt_num_curves == 0) {
+        /*
+         * This can only happen if the supported_groups extension was not sent,
+         * because we verify that the length is non-zero when we process that
+         * extension.
+         */
+        *al = SSL_AD_MISSING_EXTENSION;
+        SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
+               SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION);
+        return 0;
+    }
 
     while (PACKET_remaining(&key_share_list) > 0) {
         if (!PACKET_get_net_2(&key_share_list, &group_id)
                 || !PACKET_get_length_prefixed_2(&key_share_list, &encoded_pt)
                 || PACKET_remaining(&encoded_pt) == 0) {
-            *al = SSL_AD_HANDSHAKE_FAILURE;
+            *al = SSL_AD_DECODE_ERROR;
             SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE,
                    SSL_R_LENGTH_MISMATCH);
             return 0;
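Review bot: the `clnt_num_curves == 0` test depends on an invariant enforced elsewhere (the comment says supported_groups processing rejects an empty list), so this branch is only reachable when the extension was absent; that coupling is easy to break if the supported_groups parser is ever relaxed. Either check for the absence of the extension directly, or add a regression test that sends key_share without supported_groups and asserts on the `missing_extension` alert so the invariant is exercised. The removal of the `TODO(TLS1.3)` is justified by the new check.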
@@ -554,7 +561,7 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
 
         /* Check if this share is in supported_groups sent from client */
         if (!check_in_list(s, group_id, clntcurves, clnt_num_curves, 0)) {
-            *al = SSL_AD_HANDSHAKE_FAILURE;
+            *al = SSL_AD_ILLEGAL_PARAMETER;
             SSLerr(SSL_F_TLS_PARSE_CTOS_KEY_SHARE, SSL_R_BAD_KEY_SHARE);
             return 0;
         }
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 6bff9d4..b9b8da1 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1365,7 +1365,8 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
     /* TLS extensions */
     if (PACKET_remaining(pkt) == 0) {
         PACKET_null_init(&extpkt);
-    } else if (!PACKET_as_length_prefixed_2(pkt, &extpkt)) {
+    } else if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
+               || PACKET_remaining(pkt) != 0) {
         al = SSL_AD_DECODE_ERROR;
         SSLerr(SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_BAD_LENGTH);
         goto f_err;
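Review bot: if `PACKET_as_length_prefixed_2` retains its documented behaviour of failing when bytes remain in `pkt` after the length-prefixed block, the added `|| PACKET_remaining(pkt) != 0` is redundant here (unlike the ClientHello change in `statem_srvr.c`, which uses `PACKET_get_length_prefixed_2` and does need it). Redundant is harmless, but please confirm and either drop the extra clause or leave a comment, so readers do not infer that the `as_` variant permits trailing data. The same applies to the NewSessionTicket and EncryptedExtensions hunks below.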
@@ -1688,7 +1689,8 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
     if ((SSL_IS_TLS13(s) && !PACKET_get_1(pkt, &context))
             || context != 0
             || !PACKET_get_net_3(pkt, &cert_list_len)
-            || PACKET_remaining(pkt) != cert_list_len) {
+            || PACKET_remaining(pkt) != cert_list_len
+            || PACKET_remaining(pkt) == 0) {
         al = SSL_AD_DECODE_ERROR;
         SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
         goto f_err;
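Review bot: because `PACKET_remaining(pkt) == 0` is evaluated after `PACKET_remaining(pkt) != cert_list_len` has passed, it is equivalent to `cert_list_len == 0`; writing it that way would make the intent (reject an empty server certificate list) obvious without tracing the short-circuit chain. The reason code `SSL_R_LENGTH_MISMATCH` is also a poor fit for "empty list", since the length does match; a distinct reason would help diagnosis.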
@@ -1787,7 +1789,7 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
 
     if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) {
         x = NULL;
-        al = SSL3_AL_FATAL;
+        al = SSL_AD_INTERNAL_ERROR;
         SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
                SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
         goto f_err;
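Review bot: good catch; `SSL3_AL_FATAL` is an alert level, not an alert description, so the old code would have sent a fatal alert with an undefined description byte to the peer. `SSL_AD_INTERNAL_ERROR` is the right choice for a locally unusable key, and it may be worth grepping the rest of `ssl/statem` for other places where a level constant is assigned to `al`.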
@@ -2516,6 +2518,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
         PACKET extpkt;
 
         if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
+                || PACKET_remaining(pkt) != 0
                 || !tls_collect_extensions(s, &extpkt,
                                            SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
                                            &exts, &al, NULL, 1)
@@ -3473,7 +3476,8 @@ static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt)
     PACKET extensions;
     RAW_EXTENSION *rawexts = NULL;
 
-    if (!PACKET_as_length_prefixed_2(pkt, &extensions)) {
+    if (!PACKET_as_length_prefixed_2(pkt, &extensions)
+            || PACKET_remaining(pkt) != 0) {
         al = SSL_AD_DECODE_ERROR;
         SSLerr(SSL_F_TLS_PROCESS_ENCRYPTED_EXTENSIONS, SSL_R_LENGTH_MISMATCH);
         goto err;
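Review bot: the trailing-data check here reports `SSL_R_LENGTH_MISMATCH`, while the equivalent check added to `tls_process_server_hello` reports `SSL_R_BAD_LENGTH`; both messages fail on the same condition (bytes after the extensions block) and should use the same reason so the error queue is consistent across handshake messages.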
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 8b1ddda..d37cbc3 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -583,15 +583,24 @@ MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
     }
 
     if (!PACKET_get_1(pkt, &updatetype)
-            || PACKET_remaining(pkt) != 0
-            || (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
-                && updatetype != SSL_KEY_UPDATE_REQUESTED)) {
+            || PACKET_remaining(pkt) != 0) {
         al = SSL_AD_DECODE_ERROR;
         SSLerr(SSL_F_TLS_PROCESS_KEY_UPDATE, SSL_R_BAD_KEY_UPDATE);
         goto err;
     }
 
     /*
+     * There are only two defined key update types. Fail if we get a value we
+     * didn't recognise.
+     */
+    if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
+            && updatetype != SSL_KEY_UPDATE_REQUESTED) {
+        al = SSL_AD_ILLEGAL_PARAMETER;
+        SSLerr(SSL_F_TLS_PROCESS_KEY_UPDATE, SSL_R_BAD_KEY_UPDATE);
+        goto err;
+    }
+
+    /*
      * If we get a request for us to update our sending keys too then, we need
      * to additionally send a KeyUpdate message. However that message should
      * not also request an update (otherwise we get into an infinite loop).
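Review bot: both the length check and the new update-type check raise `SSL_R_BAD_KEY_UPDATE`, so only the alert on the wire distinguishes a truncated or oversized KeyUpdate (`decode_error`) from a well-formed one carrying an unknown type (`illegal_parameter`); a separate reason for the unknown-type case would make the local error queue as informative as the alert. Splitting the condition is the right fix for the alert semantics.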
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 7e025a6..5c22ba7 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1407,7 +1407,8 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
         if (PACKET_remaining(pkt) == 0) {
             PACKET_null_init(&clienthello->extensions);
         } else {
-            if (!PACKET_get_length_prefixed_2(pkt, &clienthello->extensions)) {
+            if (!PACKET_get_length_prefixed_2(pkt, &clienthello->extensions)
+                    || PACKET_remaining(pkt) != 0) {
                 al = SSL_AD_DECODE_ERROR;
                 SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
                 goto f_err;
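Review bot: this is the one trailing-data check in the series that is clearly necessary, since `PACKET_get_length_prefixed_2` (unlike the `as_` variant used on the client side) does not fail on leftover bytes. A unit test that appends a byte after a valid ClientHello extensions block and asserts on the `decode_error` alert would pin this down; the ClientHello is the most attacker-exposed parser in the handshake and the one most worth covering.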

