Avoid modifying alert in the success path.

ok beck jsing
author: tb <> 2020-01-22 10:28:49 +0000
committer: tb <> 2020-01-22 10:28:49 +0000
commit: bd8add8e67126e3d5b120b2316d4dfc94eba57d0 (patch)
tree: 13cf5ca7ef9a776350738fdf58c740e3eea720f6 /src
parent: 5b77cdf79751ec0ec2e3f2b0a0d159d7f16d9e21 (diff)
download: openbsd-bd8add8e67126e3d5b120b2316d4dfc94eba57d0.tar.gz
openbsd-bd8add8e67126e3d5b120b2316d4dfc94eba57d0.tar.bz2
openbsd-bd8add8e67126e3d5b120b2316d4dfc94eba57d0.zip
1 files changed, 17 insertions, 11 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index fdaf251be4..d45dd50863 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.51 2019/11/16 15:36:53 beck Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.52 2020/01/22 10:28:49 tb Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1936,6 +1936,7 @@ tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_server, uint16_t msg_type)
        uint16_t type;
        size_t idx;
        uint16_t version;
+        uint8_t alert_desc;
        S3I(s)->hs.extensions_seen = 0;
@@ -1948,16 +1949,16 @@ tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_server, uint16_t msg_type)
        if (CBS_len(cbs) == 0)
                return 1;
-        *alert = SSL_AD_DECODE_ERROR;
+        alert_desc = SSL_AD_DECODE_ERROR;
        if (!CBS_get_u16_length_prefixed(cbs, &extensions))
-                return 0;
+                goto err;
        while (CBS_len(&extensions) > 0) {
                if (!CBS_get_u16(&extensions, &type))
-                        return 0;
+                        goto err;
                if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
-                        return 0;
+                        goto err;
                if (s->internal->tlsext_debug_cb != NULL)
                        s->internal->tlsext_debug_cb(s, is_server, type,
@@ -1972,24 +1973,29 @@ tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_server, uint16_t msg_type)
                /* RFC 8446 Section 4.2 */
                if (version >= TLS1_3_VERSION &&
                    !(tlsext->messages & msg_type)) {
-                        *alert = SSL_AD_ILLEGAL_PARAMETER;
+                        alert_desc = SSL_AD_ILLEGAL_PARAMETER;
-                        return 0;
+                        goto err;
                }
                /* Check for duplicate known extensions. */
                if ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0)
-                        return 0;
+                        goto err;
                S3I(s)->hs.extensions_seen |= (1 << idx);
                ext = tlsext_funcs(tlsext, is_server);
-                if (!ext->parse(s, &extension_data, alert))
+                if (!ext->parse(s, &extension_data, &alert_desc))
-                        return 0;
+                        goto err;
                if (CBS_len(&extension_data) != 0)
-                        return 0;
+                        goto err;
        }
        return 1;
+ err:
+        *alert = alert_desc;
+        return 0;
 }
 static void
author	tb <>	2020-01-22 10:28:49 +0000
committer	tb <>	2020-01-22 10:28:49 +0000
commit	bd8add8e67126e3d5b120b2316d4dfc94eba57d0 (patch)
tree	13cf5ca7ef9a776350738fdf58c740e3eea720f6 /src
parent	5b77cdf79751ec0ec2e3f2b0a0d159d7f16d9e21 (diff)
download	openbsd-bd8add8e67126e3d5b120b2316d4dfc94eba57d0.tar.gz openbsd-bd8add8e67126e3d5b120b2316d4dfc94eba57d0.tar.bz2 openbsd-bd8add8e67126e3d5b120b2316d4dfc94eba57d0.zip