When OCSP status type is unknown, ignore the extension.

This needs to skip past the CBS data or it will be treated as a decode error even though it returns 1. ok jsing@
author: doug <> 2017-08-29 19:20:13 +0000
committer: doug <> 2017-08-29 19:20:13 +0000
commit: f037a54e7f576554ef0dbbc0092e78c85c56512d (patch)
tree: 55509e3bb02d32f97b0b615b7ec29aa9ec8316ac
parent: f4e8044e709f31e720fdc5d9927a4731c17b5041 (diff)
download: openbsd-f037a54e7f576554ef0dbbc0092e78c85c56512d.tar.gz
openbsd-f037a54e7f576554ef0dbbc0092e78c85c56512d.tar.bz2
openbsd-f037a54e7f576554ef0dbbc0092e78c85c56512d.zip
1 files changed, 6 insertions, 1 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 6b60ccd27f..340ebeda5c 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.13 2017/08/29 17:24:12 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.14 2017/08/29 19:20:13 doug Exp $ */
 /*
 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -776,6 +776,11 @@ tlsext_ocsp_clienthello_parse(SSL *s, CBS *cbs, int *alert)
        if (status_type != TLSEXT_STATUSTYPE_ocsp) {
                /* ignore unknown status types */
                s->tlsext_status_type = -1;
+                if (!CBS_skip(cbs, CBS_len(cbs))) {
+                        *alert = TLS1_AD_INTERNAL_ERROR;
+                        return 0;
+                }
                return 1;
        }
        s->tlsext_status_type = status_type;
author	doug <>	2017-08-29 19:20:13 +0000
committer	doug <>	2017-08-29 19:20:13 +0000
commit	f037a54e7f576554ef0dbbc0092e78c85c56512d (patch)
tree	55509e3bb02d32f97b0b615b7ec29aa9ec8316ac
parent	f4e8044e709f31e720fdc5d9927a4731c17b5041 (diff)
download	openbsd-f037a54e7f576554ef0dbbc0092e78c85c56512d.tar.gz openbsd-f037a54e7f576554ef0dbbc0092e78c85c56512d.tar.bz2 openbsd-f037a54e7f576554ef0dbbc0092e78c85c56512d.zip