fix: add parsing check in TLS compress_certificate extension handler

The tls_parse_compress_certificate function was missing validation
for trailing bytes after parsing the algorithm list, violating
RFC8446 section 4.2 which requires sending a decode_error alert
for unparseable messages.

This commit adds a check for remaining bytes in the packet after
the while loop and sends SSL_AD_DECODE_ERROR if any trailing
bytes are found.

Fixes #27717

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27733)

(cherry picked from commit 8e787b102848e462a6d231883e2c42d91978c049)

diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index e71a79c7e886bd11727e4f880d88e930d7fef8bd..24e5325fc009fd8cb2c5875fe01dafb2988eba28 100644 (file)
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -1923,6 +1923,10 @@ int tls_parse_compress_certificate(SSL_CONNECTION *sc, PACKET *pkt, unsigned int
             already_set[comp] = 1;
         }
     }
+    if (PACKET_remaining(&supported_comp_algs) != 0) {
+        SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION);
+        return 0;
+    }
 #endif
     return 1;
 }