Commit 1a281aab authored by Matt Caswell's avatar Matt Caswell
Browse files

Ensure we fail with a decode error alert if the server sends and empty Cert 



Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3436)
parent f69fe73a

ssl/statem/statem_clnt.c

+2 −1
Original line number Diff line number Diff line
@@ -1688,7 +1688,8 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) 
    if ((SSL_IS_TLS13(s) && !PACKET_get_1(pkt, &context))

            || context != 0

            || !PACKET_get_net_3(pkt, &cert_list_len)

            || PACKET_remaining(pkt) != cert_list_len) {

            || PACKET_remaining(pkt) != cert_list_len

            || PACKET_remaining(pkt) == 0) {

        al = SSL_AD_DECODE_ERROR;

        SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, SSL_R_LENGTH_MISMATCH);

        goto f_err;