| -rw-r--r-- | src/lib/libssl/ssl_tlsext.c | 22 |
1 files changed, 1 insertions, 21 deletions
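--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.125 2022/07/20 15:16:06 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.126 2022/07/22 13:10:31 tb Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -93,8 +93,6 @@ tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert)
 
 if (!CBS_get_u16_length_prefixed(cbs, &alpn))
 goto err;
-if (CBS_len(cbs) != 0)
-goto err;
 
 if (!tlsext_alpn_check_format(&alpn))
 goto err;
@@ -179,8 +177,6 @@ tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 
 if (!CBS_get_u16_length_prefixed(cbs, &list))
 goto err;
-if (CBS_len(cbs) != 0)
-goto err;
 
 if (!CBS_get_u8_length_prefixed(&list, &proto))
 goto err;
@@ -251,8 +247,6 @@ tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
 
 if (!CBS_get_u16_length_prefixed(cbs, &grouplist))
 goto err;
-if (CBS_len(cbs) != 0)
-goto err;
 
 groups_len = CBS_len(&grouplist);
 if (groups_len == 0 || groups_len % 2 != 0)
@@ -377,8 +371,6 @@ tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 return 0;
 if (CBS_len(&ecpf) == 0)
 return 0;
-if (CBS_len(cbs) != 0)
-return 0;
 
 /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */
 if (!CBS_contains_zero_byte(&ecpf)) {
@@ -466,8 +458,6 @@ tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 
 if (!CBS_get_u8_length_prefixed(cbs, &reneg))
 goto err;
-if (CBS_len(cbs) != 0)
-goto err;
 
 if (!CBS_mem_equal(&reneg, s->s3->previous_client_finished,
 s->s3->previous_client_finished_len)) {
@@ -540,8 +530,6 @@ tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 goto err;
 if (CBS_len(&reneg) != 0)
 goto err;
-if (CBS_len(cbs) != 0)
-goto err;
 
 if (!CBS_mem_equal(&prev_client, s->s3->previous_client_finished,
 s->s3->previous_client_finished_len)) {
@@ -833,8 +821,6 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 *alert = SSL_AD_ILLEGAL_PARAMETER;
 goto err;
 }
-if (CBS_len(cbs) != 0)
-goto err;
 
 return 1;
 
@@ -1014,10 +1000,6 @@ tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 goto err;
 }
 
-/* should be nothing left */
-if (CBS_len(cbs) > 0)
-goto err;
-
 ret = 1;
 err:
 if (ret == 0)
@@ -1324,8 +1306,6 @@ tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 *alert = SSL_AD_DECODE_ERROR;
 goto done;
 }
-if (CBS_len(cbs) != 0)
-goto err;
 
 /*
 * Per RFC 5764 section 4.1.1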
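Review bot: With the `if (CBS_len(cbs) != 0)` checks removed from these parse handlers (first in tlsext_alpn_server_parse, and likewise in the ALPN client, supported-groups, ecpf, renegotiation-info, SNI, OCSP and SRTP handlers), nothing visible in this diff rejects bytes that trail the length-prefixed vector. The removal is only safe if the common caller checks that each extension's `cbs` is fully consumed once the handler returns; that caller is outside these hunks, so this should be confirmed, along with the alert that is sent in that case. A short comment at the dispatch site, such as `/* Handlers need not check for trailing data; it is rejected here. */`, would keep the invariant from being lost when a new handler is added. A regression test that appends one byte to each affected extension and expects the handshake to fail would pin the behaviour. All of the touched functions begin and end outside the hunks shown.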
