diff options
| author | tb <> | 2022-07-22 13:10:31 +0000 |
|---|---|---|
| committer | tb <> | 2022-07-22 13:10:31 +0000 |
| commit | 2cbb701c400c6c504c9ff1ca44de02091de6dbf3 (patch) | |
| tree | f3cae018c6e17a2ca93fead33ed5862d582751e1 /src | |
| parent | 8f58a18c1565c03748923cc25ee3d0f60c1f375f (diff) | |
| download | openbsd-2cbb701c400c6c504c9ff1ca44de02091de6dbf3.tar.gz openbsd-2cbb701c400c6c504c9ff1ca44de02091de6dbf3.tar.bz2 openbsd-2cbb701c400c6c504c9ff1ca44de02091de6dbf3.zip | |
Remove redundant length checks in parse functions
The main parsing function already checks that the entire extension data
was consumed, so the length checks inside some of the parse handlers are
redundant. They were also not done everywhere, so this makes the parse
handlers more consistent.
Similar diff was sent by jsing a long while back
ok jsing
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/ssl_tlsext.c | 22 |
1 files changed, 1 insertions, 21 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index d802a6e135..ab6450deab 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_tlsext.c,v 1.125 2022/07/20 15:16:06 tb Exp $ */ | 1 | /* $OpenBSD: ssl_tlsext.c,v 1.126 2022/07/22 13:10:31 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> | 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> |
| @@ -93,8 +93,6 @@ tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert) | |||
| 93 | 93 | ||
| 94 | if (!CBS_get_u16_length_prefixed(cbs, &alpn)) | 94 | if (!CBS_get_u16_length_prefixed(cbs, &alpn)) |
| 95 | goto err; | 95 | goto err; |
| 96 | if (CBS_len(cbs) != 0) | ||
| 97 | goto err; | ||
| 98 | 96 | ||
| 99 | if (!tlsext_alpn_check_format(&alpn)) | 97 | if (!tlsext_alpn_check_format(&alpn)) |
| 100 | goto err; | 98 | goto err; |
| @@ -179,8 +177,6 @@ tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) | |||
| 179 | 177 | ||
| 180 | if (!CBS_get_u16_length_prefixed(cbs, &list)) | 178 | if (!CBS_get_u16_length_prefixed(cbs, &list)) |
| 181 | goto err; | 179 | goto err; |
| 182 | if (CBS_len(cbs) != 0) | ||
| 183 | goto err; | ||
| 184 | 180 | ||
| 185 | if (!CBS_get_u8_length_prefixed(&list, &proto)) | 181 | if (!CBS_get_u8_length_prefixed(&list, &proto)) |
| 186 | goto err; | 182 | goto err; |
| @@ -251,8 +247,6 @@ tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, | |||
| 251 | 247 | ||
| 252 | if (!CBS_get_u16_length_prefixed(cbs, &grouplist)) | 248 | if (!CBS_get_u16_length_prefixed(cbs, &grouplist)) |
| 253 | goto err; | 249 | goto err; |
| 254 | if (CBS_len(cbs) != 0) | ||
| 255 | goto err; | ||
| 256 | 250 | ||
| 257 | groups_len = CBS_len(&grouplist); | 251 | groups_len = CBS_len(&grouplist); |
| 258 | if (groups_len == 0 || groups_len % 2 != 0) | 252 | if (groups_len == 0 || groups_len % 2 != 0) |
| @@ -377,8 +371,6 @@ tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) | |||
| 377 | return 0; | 371 | return 0; |
| 378 | if (CBS_len(&ecpf) == 0) | 372 | if (CBS_len(&ecpf) == 0) |
| 379 | return 0; | 373 | return 0; |
| 380 | if (CBS_len(cbs) != 0) | ||
| 381 | return 0; | ||
| 382 | 374 | ||
| 383 | /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */ | 375 | /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */ |
| 384 | if (!CBS_contains_zero_byte(&ecpf)) { | 376 | if (!CBS_contains_zero_byte(&ecpf)) { |
| @@ -466,8 +458,6 @@ tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) | |||
| 466 | 458 | ||
| 467 | if (!CBS_get_u8_length_prefixed(cbs, &reneg)) | 459 | if (!CBS_get_u8_length_prefixed(cbs, &reneg)) |
| 468 | goto err; | 460 | goto err; |
| 469 | if (CBS_len(cbs) != 0) | ||
| 470 | goto err; | ||
| 471 | 461 | ||
| 472 | if (!CBS_mem_equal(&reneg, s->s3->previous_client_finished, | 462 | if (!CBS_mem_equal(&reneg, s->s3->previous_client_finished, |
| 473 | s->s3->previous_client_finished_len)) { | 463 | s->s3->previous_client_finished_len)) { |
| @@ -540,8 +530,6 @@ tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) | |||
| 540 | goto err; | 530 | goto err; |
| 541 | if (CBS_len(&reneg) != 0) | 531 | if (CBS_len(&reneg) != 0) |
| 542 | goto err; | 532 | goto err; |
| 543 | if (CBS_len(cbs) != 0) | ||
| 544 | goto err; | ||
| 545 | 533 | ||
| 546 | if (!CBS_mem_equal(&prev_client, s->s3->previous_client_finished, | 534 | if (!CBS_mem_equal(&prev_client, s->s3->previous_client_finished, |
| 547 | s->s3->previous_client_finished_len)) { | 535 | s->s3->previous_client_finished_len)) { |
| @@ -833,8 +821,6 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) | |||
| 833 | *alert = SSL_AD_ILLEGAL_PARAMETER; | 821 | *alert = SSL_AD_ILLEGAL_PARAMETER; |
| 834 | goto err; | 822 | goto err; |
| 835 | } | 823 | } |
| 836 | if (CBS_len(cbs) != 0) | ||
| 837 | goto err; | ||
| 838 | 824 | ||
| 839 | return 1; | 825 | return 1; |
| 840 | 826 | ||
| @@ -1014,10 +1000,6 @@ tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) | |||
| 1014 | goto err; | 1000 | goto err; |
| 1015 | } | 1001 | } |
| 1016 | 1002 | ||
| 1017 | /* should be nothing left */ | ||
| 1018 | if (CBS_len(cbs) > 0) | ||
| 1019 | goto err; | ||
| 1020 | |||
| 1021 | ret = 1; | 1003 | ret = 1; |
| 1022 | err: | 1004 | err: |
| 1023 | if (ret == 0) | 1005 | if (ret == 0) |
| @@ -1324,8 +1306,6 @@ tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) | |||
| 1324 | *alert = SSL_AD_DECODE_ERROR; | 1306 | *alert = SSL_AD_DECODE_ERROR; |
| 1325 | goto done; | 1307 | goto done; |
| 1326 | } | 1308 | } |
| 1327 | if (CBS_len(cbs) != 0) | ||
| 1328 | goto err; | ||
| 1329 | 1309 | ||
| 1330 | /* | 1310 | /* |
| 1331 | * Per RFC 5764 section 4.1.1 | 1311 | * Per RFC 5764 section 4.1.1 |