]> git.ipfire.org Git - thirdparty/openssl.git/commitdiff
projects / thirdparty / openssl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c164a4c)
Validate that a PSK identity is at least one byte long
authorMatt Caswell <matt@openssl.foundation>
Fri, 1 May 2026 11:29:44 +0000 (12:29 +0100)
committerNorbert Pocs <norbertp@openssl.org>
Sun, 3 May 2026 13:46:14 +0000 (15:46 +0200)
RFC8446 requires that a PSK identity is at least one byte in length. We
should validate this.

Fixes #31007

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Sun May  3 13:46:21 2026
(Merged from https://github.com/openssl/openssl/pull/31058)

ssl/statem/extensions_srvr.c patch | blob | blame | history

diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 8e66fd7230c754496ef00889ed01ff27414776d8..033c0140dca505c90b1ab9524eb39ad4689f3e10 100644 (file)
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -1354,6 +1354,10 @@ int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
         }
 
         idlen = PACKET_remaining(&identity);
+        if (idlen == 0) {
+            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
+            return 0;
+        }
         if (s->psk_find_session_cb != NULL
             && !s->psk_find_session_cb(ussl, PACKET_data(&identity), idlen,
                 &sess)) {
Mirror of https://github.com/openssl/openssl.git