From f037a54e7f576554ef0dbbc0092e78c85c56512d Mon Sep 17 00:00:00 2001
From: doug <>
Date: Tue, 29 Aug 2017 19:20:13 +0000
Subject: When OCSP status type is unknown, ignore the extension.

This needs to skip past the CBS data or it will be treated as a decode error even though it returns 1.

ok jsing@
---
 src/lib/libssl/ssl_tlsext.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 6b60ccd27f..340ebeda5c 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.13 2017/08/29 17:24:12 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.14 2017/08/29 19:20:13 doug Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing
  * Copyright (c) 2017 Doug Hogan
@@ -776,6 +776,11 @@ tlsext_ocsp_clienthello_parse(SSL *s, CBS *cbs, int *alert)
 	if (status_type != TLSEXT_STATUSTYPE_ocsp) {
 		/* ignore unknown status types */
 		s->tlsext_status_type = -1;
+
+		if (!CBS_skip(cbs, CBS_len(cbs))) {
+			*alert = TLS1_AD_INTERNAL_ERROR;
+			return 0;
+		}
 		return 1;
 	}
 	s->tlsext_status_type = status_type;
-- 
cgit v1.2.3-55-g6feb
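Review bot: The existing comment `/* ignore unknown status types */` no longer explains the new `CBS_skip(cbs, CBS_len(cbs))` call beneath it; the reason given only in the commit message (the caller apparently treats unconsumed extension bytes as a decode error) should live next to the code so nobody later "simplifies" the skip away. I would extend the comment to `/* Ignore unknown status types, but consume the rest of the extension: leftover bytes are reported as a decode error by the caller. */`. Note also that skipping exactly `CBS_len(cbs)` bytes cannot exceed the buffer, so the `TLS1_AD_INTERNAL_ERROR` branch looks unreachable in practice; keeping it as a defensive check is fine, and internal_error (rather than decode_error) is the right alert since a failure there would be a library bug, not peer-controlled input. Security-wise the behaviour is sound: an unrecognised status_type is not parsed at all, so an attacker gains no new parsing surface by sending one. tlsext_ocsp_clienthello_parse starts and ends outside this hunk, so I cannot confirm how the caller handles the remaining CBS length.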