author | 2017-08-29 17:24:12 +0000 | |
---|---|---|
committer | 2017-08-29 17:24:12 +0000 | |
commit | 45c4cdaeccbc41655fb08b86f7f90f8c095fd247 (patch) | |
tree | c698adc1af19497ae0834c7cc84fc301c374c00e /lib | |
parent | Based on previous work from deraadt, add relinking of ld.so to (diff) | |
Actually parse the ALPN extension in a client hello, even if no ALPN
callback has been installed. This ensures that the ALPN extension is valid
and avoids leaving unprocessed extension data, which leads to a decode
error.
Found the hard way by jsg@
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libssl/ssl_tlsext.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c
index 2438b90d040..6b60ccd27fa 100644
--- a/lib/libssl/ssl_tlsext.c
+++ b/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.12 2017/08/27 02:58:04 doug Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.13 2017/08/29 17:24:12 jsing Exp $ */
 /*
 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -61,9 +61,6 @@ tlsext_alpn_clienthello_parse(SSL *s, CBS *cbs, int *alert)
 unsigned char selected_len;
 int r;
- if (s->ctx->internal->alpn_select_cb == NULL)
- return 1;
-
 if (!CBS_get_u16_length_prefixed(cbs, &alpn))
 goto err;
 if (CBS_len(&alpn) < 2)
@@ -81,6 +78,9 @@ tlsext_alpn_clienthello_parse(SSL *s, CBS *cbs, int *alert)
 goto err;
 }
+ if (s->ctx->internal->alpn_select_cb == NULL)
+ return 1;
+
 r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len, CBS_data(&alpn), CBS_len(&alpn), s->ctx->internal->alpn_select_cb_arg); |
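Review bot: The relocated `alpn_select_cb == NULL` check in the `-81,6 +78,9` hunk now depends on sitting after the validation code, but nothing in the function says so, and an early return like this is easy to hoist back to the top as an apparent optimisation. I would put a comment above it such as `/* Always parse and validate the extension; returning earlier leaves unconsumed data and causes a decode error. */`. With this ordering, a server with no ALPN callback presumably now fails the handshake on a malformed ALPN extension that it used to skip. That is the stricter and safer behaviour, and it deserves a regression test covering the no-callback path with both a well-formed and a malformed extension. The function starts and ends outside both hunks, so the `err` path and the alert it sets could not be checked here.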