fix: add parsing check in TLS compress_certificate extension handler

The tls_parse_compress_certificate function was missing validation
for trailing bytes after parsing the algorithm list, violating
RFC8446 section 4.2 which requires sending a decode_error alert
for unparseable messages.

This commit adds a check for remaining bytes in the packet after
the while loop and sends SSL_AD_DECODE_ERROR if any trailing
bytes are found.

Fixes #27717

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27733)

(cherry picked from commit 8e787b102848e462a6d231883e2c42d91978c049)

diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 4d3445c6f2295e463e65f84e905a2ceb2196984c..9811e5c94b93e0dfec6f2b0ef150e28efd11203e 100644 (file)
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -1900,6 +1900,10 @@ int tls_parse_compress_certificate(SSL_CONNECTION *sc, PACKET *pkt, unsigned int
             already_set[comp] = 1;
         }
     }
+    if (PACKET_remaining(&supported_comp_algs) != 0) {
+        SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
+        return 0;
+    }
 #endif
     return 1;
 }