Commit 1a281aab authored by Matt Caswell

Ensure we fail with a decode error alert if the server sends an empty Cert

Reviewed-by: NTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3436)
Parent f69fe73a
...@@ -1688,7 +1688,8 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) ...@@ -1688,7 +1688,8 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
if ((SSL_IS_TLS13(s) && !PACKET_get_1(pkt, &context)) if ((SSL_IS_TLS13(s) && !PACKET_get_1(pkt, &context))
|| context != 0 || context != 0
|| !PACKET_get_net_3(pkt, &cert_list_len) || !PACKET_get_net_3(pkt, &cert_list_len)
|| PACKET_remaining(pkt) != cert_list_len) { || PACKET_remaining(pkt) != cert_list_len
|| PACKET_remaining(pkt) == 0) {
al = SSL_AD_DECODE_ERROR; al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_R_LENGTH_MISMATCH); SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
goto f_err; goto f_err;
......
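Review bot: The new `|| PACKET_remaining(pkt) == 0` clause in tls_process_server_certificate() reports the empty-list case as SSL_R_LENGTH_MISMATCH, which is misleading because at that point the preceding clause has already established that PACKET_remaining(pkt) equals cert_list_len, so the lengths do match and both are zero. Consider a reason code that says the server's certificate list was empty, so the error queue distinguishes this case from a genuinely malformed length field while still sending SSL_AD_DECODE_ERROR. Writing the test as `cert_list_len == 0`, or adding a one-line comment above the condition, would also make it obvious that this clause exists to reject an empty Certificate message rather than to re-check the packet length. No test change is visible on this page; a regression test with a server that sends a zero-length certificate list would pin down the alert the commit message promises.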