wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Check that the PSK extension is last

Browse source 
We need to check that the PSK extension in a ClientHello is the last one.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2896)
This commit is contained in:
Matt Caswell 2017-03-10 13:53:53 +00:00
parent 0b1f266486
commit 652a6b7ee1
1 changed files with 6 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
ssl/statem/extensions.c
View file

@ -447,10 +447,14 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
} }
/* /*
* Verify this extension is allowed. We only check duplicates for * Verify this extension is allowed. We only check duplicates for
* extensions that we recognise. * extensions that we recognise. We also have a special case for the
* PSK extension, which must be the last one in the ClientHello.
*/ */
if (!verify_extension(s, context, type, exts, raw_extensions, &thisex) if (!verify_extension(s, context, type, exts, raw_extensions, &thisex)
|| (thisex != NULL && thisex->present == 1)) { || (thisex != NULL && thisex->present == 1)
|| (type == TLSEXT_TYPE_psk
&& (context & EXT_CLIENT_HELLO) != 0
&& PACKET_remaining(&extensions) != 0)) {
SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION); SSLerr(SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_BAD_EXTENSION);
*al = SSL_AD_ILLEGAL_PARAMETER; *al = SSL_AD_ILLEGAL_PARAMETER;
goto err; goto err;