authordoug <doug@openbsd.org>2017-08-29 19:20:13 +0000
committerdoug <doug@openbsd.org>2017-08-29 19:20:13 +0000
commit0aa48e6c528a56e13a7db7635af7b8887e31dd23 (patch)
tree508445a29b4f01c3b5d08b9cd083bc898a0ff98d
parentIt is confusing to talk about priorities being ordered from high (diff)
When OCSP status type is unknown, ignore the extension.
This needs to skip past the CBS data or it will be treated as a decode error even though it returns 1. ok jsing@
-rw-r--r--lib/libssl/ssl_tlsext.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c
index 6b60ccd27fa..340ebeda5ca 100644
--- a/lib/libssl/ssl_tlsext.c
+++ b/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.13 2017/08/29 17:24:12 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.14 2017/08/29 19:20:13 doug Exp $ */
/*
* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -776,6 +776,11 @@ tlsext_ocsp_clienthello_parse(SSL *s, CBS *cbs, int *alert)
if (status_type != TLSEXT_STATUSTYPE_ocsp) {
/* ignore unknown status types */
s->tlsext_status_type = -1;
+
+ if (!CBS_skip(cbs, CBS_len(cbs))) {
+ *alert = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
return 1;
}
s->tlsext_status_type = status_type;
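Review bot: The comment above the new `CBS_skip` still reads only `/* ignore unknown status types */`, so a reader of the patched code has no hint that consuming the rest of the extension is load-bearing rather than cosmetic; the reason is only in the commit message. I would extend it to `/* ignore unknown status types: consume the remaining extension data so the caller's fully-consumed check does not report a decode error for an extension we deliberately skip */`. The format of the payload after an unrecognised status_type is unknown to this code, so skipping the whole remainder (rather than attempting to parse it) is the right choice and should be stated in the comment. The `CBS_skip(cbs, CBS_len(cbs))` failure branch appears unreachable in practice since it skips exactly the remaining length, but keeping the internal-error path is consistent with how the file treats other CBS calls. tlsext_ocsp_clienthello_parse's body begins before and continues after the hunk.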