From d505af57c75fdbfc458b78787fd148ae396c89e8 Mon Sep 17 00:00:00 2001
From: tb
Date: Wed, 20 Jul 2022 14:08:49 +0000
Subject: [PATCH] Validate protocols in SSL{_CTX,}_set_alpn_protos()
This wonderful API requires users to pass the protocol list in wire format. This list is then sent as part of the ClientHello. Validate it to be of the correct form. This reuses tlsext_alpn_check_format() that was split out of tlsext_alpn_server_parse(). Similar checks were introduced in OpenSSL 86a90dc7 ok jsing
---
 lib/libssl/ssl_lib.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index 08f2f740978..c6a01faa836 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.297 2022/07/20 13:57:49 tb Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.298 2022/07/20 14:08:49 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -162,6 +162,7 @@
 #include "dtls_locl.h"
 #include "ssl_locl.h"
 #include "ssl_sigalgs.h"
+#include "ssl_tlsext.h"
 const char *SSL_version_str = OPENSSL_VERSION_TEXT;
@@ -1771,6 +1772,11 @@ SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
 CBS_init(&cbs, protos, protos_len);
+ if (protos_len > 0) {
+ if (!tlsext_alpn_check_format(&cbs))
+ goto err;
+ }
+
 if (!CBS_stow(&cbs, &ctx->internal->alpn_client_proto_list,
 &ctx->internal->alpn_client_proto_list_len))
 goto err;
@@ -1799,6 +1805,11 @@ SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos,
 CBS_init(&cbs, protos, protos_len);
+ if (protos_len > 0) {
+ if (!tlsext_alpn_check_format(&cbs))
+ goto err;
+ }
+
 if (!CBS_stow(&cbs, &ssl->internal->alpn_client_proto_list,
 &ssl->internal->alpn_client_proto_list_len))
 goto err;
--
2.20.1
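Review bot: The new check in SSL_CTX_set_alpn_protos() hands `&cbs` to tlsext_alpn_check_format() and then stows that same `cbs`, so CBS_stow() silently depends on the checker not advancing the cursor; that contract is not visible in this file and deserves either a comment, `/* tlsext_alpn_check_format() must not consume cbs: it is stowed below. */`, or a CBS_dup()'d copy passed to the checker so the stored list cannot depend on it. The `protos_len > 0` guard also looks deliberate — an empty list presumably still clears the stored list rather than being rejected — but nothing records that intent; a one-liner such as `/* An empty list clears the ALPN list and is not validated. */` would, and the nested `if` can be flattened to `if (protos_len > 0 && !tlsext_alpn_check_format(&cbs)) goto err;`. The identical block in the SSL_set_alpn_protos() hunk has the same two gaps. Both enclosing functions, including the `err:` label the new lines jump to, start and end outside their hunks, so the failure return value could not be confirmed here.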