author | Doug Hogan <doug@cvs.openbsd.org> | 2017-08-29 19:20:14 +0000 |
---|---|---|
committer | Doug Hogan <doug@cvs.openbsd.org> | 2017-08-29 19:20:14 +0000 |
commit | abd79a9e489d69a3fcae8360f83223fb968cbfd6 (patch) | |
tree | 8c31d36094f50470ffdf5d019fc7fce9a02e2920 /lib/libssl | |
parent | f8d330525bc60fbd0fc5df6371358593b6e85299 (diff) |
When OCSP status type is unknown, ignore the extension.
This needs to skip past the CBS data or it will be treated as a decode
error even though it returns 1.
ok jsing@
Diffstat (limited to 'lib/libssl')
-rw-r--r-- | lib/libssl/ssl_tlsext.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c
index 6b60ccd27fa..340ebeda5ca 100644
--- a/lib/libssl/ssl_tlsext.c
+++ b/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.13 2017/08/29 17:24:12 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.14 2017/08/29 19:20:13 doug Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -776,6 +776,11 @@ tlsext_ocsp_clienthello_parse(SSL *s, CBS *cbs, int *alert)
 if (status_type != TLSEXT_STATUSTYPE_ocsp) {
 /* ignore unknown status types */
 s->tlsext_status_type = -1;
+
+ if (!CBS_skip(cbs, CBS_len(cbs))) {
+ *alert = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
 return 1;
 }
 s->tlsext_status_type = status_type; |
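Review bot: The reason the added `CBS_skip(cbs, CBS_len(cbs))` is needed lives only in the commit message; a reader of the unknown-status-type branch in tlsext_ocsp_clienthello_parse will not see why the remaining extension bytes must be consumed before returning 1. Suggest widening the existing comment to `/* ignore unknown status types; consume the rest of the extension data, otherwise the caller treats leftover bytes as a decode error */`. Because the skip length is taken from CBS_len(cbs) itself, the failure branch is defensive rather than reachable, which is consistent with it raising TLS1_AD_INTERNAL_ERROR instead of a decode alert. The enclosing function starts before the hunk and continues past it, so the caller's leftover-data check is not visible here and the comment is what ties the two together.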