Fix NPN protocol name list validation

Since 50932c4 "PACKETise ServerHello processing", ssl_next_proto_validate() incorrectly allows empty protocol name. draft-agl-tls-nextprotoneg-04[1] says "Implementations MUST ensure that the empty string is not included and that no byte strings are truncated." This patch restores the old correct behavior. [1] https://tools.ietf.org/html/draft-agl-tls-nextprotoneg-04 Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
author: Kazuki Yamaguchi <k@rhe.jp> 2015-12-13 00:51:06 +0900
committer: Matt Caswell <matt@openssl.org> 2016-05-16 11:45:25 +0100
commit: b04f947941d08b5d077a63b017ecee5e4e2e11cc (patch)
tree: 4ebddd31995a1f9dcaff04529dd68bc199431877 /ssl/t1_lib.c
parent: c5ebfcab713a82a1d46a51c8c2668c419425b387 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 6363348d54..3082a59810 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2339,11 +2339,11 @@ int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt)
  */
 static char ssl_next_proto_validate(PACKET *pkt)
 {
-    unsigned int len;
+    PACKET tmp_protocol;
 
     while (PACKET_remaining(pkt)) {
-        if (!PACKET_get_1(pkt, &len)
-                || !PACKET_forward(pkt, len))
+        if (!PACKET_get_length_prefixed_1(pkt, &tmp_protocol)
+                || PACKET_remaining(&tmp_protocol) == 0)
             return 0;
     }
author	Kazuki Yamaguchi <k@rhe.jp>	2015-12-13 00:51:06 +0900
committer	Matt Caswell <matt@openssl.org>	2016-05-16 11:45:25 +0100
commit	b04f947941d08b5d077a63b017ecee5e4e2e11cc (patch)
tree	4ebddd31995a1f9dcaff04529dd68bc199431877 /ssl/t1_lib.c
parent	c5ebfcab713a82a1d46a51c8c2668c419425b387 (diff)