Factor out ALPN extension format check

The ALPN extension must contain a non-empty list of protocol names. Split a check of this out of tlsext_alpn_server_parse() so that it can be reused elsewhere in the library. ok jsing
author: tb <> 2022-07-20 13:35:05 +0000
committer: tb <> 2022-07-20 13:35:05 +0000
commit: dbae5c40b8895f3b49634f79c8ff8fb9e7ae7064 (patch)
tree: e2964705fcaab534cb0031cc474b50f615a22537 /src
parent: ccb4f685d743447d79e76e1380f93ba28b5b8e1e (diff)
download: openbsd-dbae5c40b8895f3b49634f79c8ff8fb9e7ae7064.tar.gz
openbsd-dbae5c40b8895f3b49634f79c8ff8fb9e7ae7064.tar.bz2
openbsd-dbae5c40b8895f3b49634f79c8ff8fb9e7ae7064.zip
2 files changed, 27 insertions, 14 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 6063991306..781d40d03a 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.121 2022/07/17 14:54:10 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.122 2022/07/20 13:35:05 tb Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -63,29 +63,41 @@ tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
 }
 int
+tlsext_alpn_check_format(CBS *cbs)
+{
+        CBS proto_name_list;
+        if (CBS_len(cbs) == 0)
+                return 0;
+        CBS_dup(cbs, &proto_name_list);
+        while (CBS_len(&proto_name_list) > 0) {
+                CBS proto_name;
+                if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name))
+                        return 0;
+                if (CBS_len(&proto_name) == 0)
+                        return 0;
+        }
+        return 1;
+}
+int
 tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert)
 {
-        CBS proto_name_list, alpn;
+        CBS alpn;
        const unsigned char *selected;
        unsigned char selected_len;
        int r;
        if (!CBS_get_u16_length_prefixed(cbs, &alpn))
                goto err;
-        if (CBS_len(&alpn) < 2)
-                goto err;
        if (CBS_len(cbs) != 0)
                goto err;
-        CBS_dup(&alpn, &proto_name_list);
+        if (!tlsext_alpn_check_format(&alpn))
-        while (CBS_len(&proto_name_list) > 0) {
+                goto err;
-                CBS proto_name;
-                if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name))
-                        goto err;
-                if (CBS_len(&proto_name) == 0)
-                        goto err;
-        }
        if (s->ctx->internal->alpn_select_cb == NULL)
                return 1;
diff --git a/src/lib/libssl/ssl_tlsext.h b/src/lib/libssl/ssl_tlsext.h
index 268b274948..393ee5d90d 100644
--- a/src/lib/libssl/ssl_tlsext.h
+++ b/src/lib/libssl/ssl_tlsext.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.h,v 1.30 2022/06/29 17:39:20 beck Exp $ */
+/* $OpenBSD: ssl_tlsext.h,v 1.31 2022/07/20 13:35:05 tb Exp $ */
 /*
 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -31,6 +31,7 @@
 __BEGIN_HIDDEN_DECLS
+int tlsext_alpn_check_format(CBS *cbs);
 int tlsext_alpn_client_needs(SSL *s, uint16_t msg_type);
 int tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb);
 int tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert);
author	tb <>	2022-07-20 13:35:05 +0000
committer	tb <>	2022-07-20 13:35:05 +0000
commit	dbae5c40b8895f3b49634f79c8ff8fb9e7ae7064 (patch)
tree	e2964705fcaab534cb0031cc474b50f615a22537 /src
parent	ccb4f685d743447d79e76e1380f93ba28b5b8e1e (diff)
download	openbsd-dbae5c40b8895f3b49634f79c8ff8fb9e7ae7064.tar.gz openbsd-dbae5c40b8895f3b49634f79c8ff8fb9e7ae7064.tar.bz2 openbsd-dbae5c40b8895f3b49634f79c8ff8fb9e7ae7064.zip