git.ipfire.org Git - thirdparty/openssl.git/commit

author	Neil Horman <nhorman@openssl.org>
	Sun, 16 Feb 2025 13:35:38 +0000 (08:35 -0500)
committer	Neil Horman <nhorman@openssl.org>
	Tue, 25 Feb 2025 21:00:26 +0000 (16:00 -0500)
commit	c932099d8f6f638244a1f2ef66a4429ac4ccdfb3
tree	b2351cea3a74f045535d30e23c7231b58b767d71	tree \| snapshot
parent	b4be505af3e8fc244471dd4ee33c247a617030b5	commit \| diff

Change cipher suite alert for 0 length cipher_suites

From RFC 8446:

Note: TLS defines two generic alerts (see Section 6) to use upon
   failure to parse a message.  Peers which receive a message which
   cannot be parsed according to the syntax (e.g., have a length
   extending beyond the message boundary or contain an out-of-range
   length) MUST terminate the connection with a "decode_error" alert.
   Peers which receive a message which is syntactically correct but
   semantically invalid (e.g., a DHE share of p - 1, or an invalid enum)
   MUST terminate the connection with an "illegal_parameter" alert.

A zero length cipher suite list I think is considered out of range, and
so we should return "decode_error" rather than "illegal_parameter"

Fixes #25309

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26781)

(cherry picked from commit 2ce46ad8cef8909ae9162a429daf8e3d5fc8cb03)