Fix NPN protocol name list validation

Since 50932c4 "PACKETise ServerHello processing",
ssl_next_proto_validate() incorrectly allows an empty protocol name.
draft-agl-tls-nextprotoneg-04[1] says "Implementations MUST ensure that
the empty string is not included and that no byte strings are
truncated."
This patch restores the old correct behavior.

[1] https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Kazuki Yamaguchi 2015-12-13 00:51:06 +09:00 committed by Matt Caswell
parent c5ebfcab71
commit b04f947941
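As an added illustration, not OpenSSL code, the stand-alone check below walks the NPN protocol-name-list format the commit message describes (entries of a one-byte length followed by that many name bytes) and rejects both cases the cited draft forbids: an empty name and a name whose length byte runs past the end of the buffer. The function name and the sample lists are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * Validate an NPN protocol-name list (constructed example, not OpenSSL's
 * ssl_next_proto_validate). Input: a sequence of entries, each a one-byte
 * length followed by exactly that many name bytes.
 * Returns 1 if every entry is well-formed, 0 otherwise. Rejects:
 *   - a zero-length entry (the empty string is forbidden by the draft)
 *   - an entry whose length byte exceeds the bytes left in the buffer
 *     (a truncated byte string is forbidden by the draft)
 * An entirely empty list is accepted, as in the original loop, which just
 * exits when nothing remains.
 */
int npn_list_validate(const uint8_t *buf, size_t buflen)
{
    size_t pos = 0;

    while (pos < buflen) {
        size_t len = buf[pos++];        /* one-byte length prefix */

        if (len == 0)                   /* empty protocol name */
            return 0;
        if (len > buflen - pos)         /* name would be truncated */
            return 0;
        pos += len;                     /* skip the name bytes */
    }
    return 1;
}

/* Constructed sample lists exercised by the helpers below. */
static const uint8_t good_list[] =
    { 8, 'h','t','t','p','/','1','.','1', 6, 's','p','d','y','/','3' };
static const uint8_t empty_entry[] =
    { 8, 'h','t','t','p','/','1','.','1', 0 };
static const uint8_t truncated_entry[] =
    { 8, 'h','t','t','p','/','1','.','1', 6, 's','p','d' };

int check_good(void)      { return npn_list_validate(good_list, sizeof good_list); }
int check_empty(void)     { return npn_list_validate(empty_entry, sizeof empty_entry); }
int check_truncated(void) { return npn_list_validate(truncated_entry, sizeof truncated_entry); }
```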


@ -2339,11 +2339,11 @@ int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt)
*/
static char ssl_next_proto_validate(PACKET *pkt)
{
unsigned int len;
PACKET tmp_protocol;
while (PACKET_remaining(pkt)) {
if (!PACKET_get_1(pkt, &len)
|| !PACKET_forward(pkt, len))
if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
|| PACKET_remaining(&tmp_protocol) == 0)
return 0;
}
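Review bot: the `PACKET_remaining(&tmp_protocol) == 0` test covers the empty-string half of the cited MUST, but the "no byte strings are truncated" half is enforced only implicitly, by `PACKET_get_length_prefixed_1` failing when the length byte exceeds what remains in `pkt`; a one-line comment on that `if`, or in the function's header comment closed by the `*/` above, saying that both cases are rejected would spare the next reader a trip to the PACKET helper's contract. Two smaller points: `ssl_next_proto_validate` still returns `char` for a 0/1 result where the surrounding code (`ssl_parse_clienthello_tlsext` in the hunk header) uses `int`, and this rendering of the hunk has lost its `+`/`-` markers, so the removed `unsigned int len` / `PACKET_forward` lines and the added `PACKET tmp_protocol` / `PACKET_get_length_prefixed_1` lines appear interleaved as if both were in the final code.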