diff options
author | Zoltan Fridrich <zfridric@redhat.com> | 2022-12-08 12:41:34 +0100 |
---|---|---|
committer | Zoltan Fridrich <zfridric@redhat.com> | 2023-01-03 09:04:55 +0100 |
commit | 2fba40f1efeb8cf23ca2bb295c684888075ca505 (patch) | |
tree | 6d0dc20be9a64dde62590504f6cc3346b3b1a97c | |
parent | 17c952ec94948a12fb96f6990b726b1484ae1f0c (diff) | |
download | gnutls-2fba40f1efeb8cf23ca2bb295c684888075ca505.tar.gz |
Forbid unsolicited CompressedCertificate message
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
-rw-r--r-- | lib/ext/compress_certificate.c | 2 | ||||
-rw-r--r-- | lib/gnutls_int.h | 1 | ||||
-rw-r--r-- | lib/tls13/certificate.c | 2 |
3 files changed, 4 insertions, 1 deletions
diff --git a/lib/ext/compress_certificate.c b/lib/ext/compress_certificate.c index 2d0baa6262..66dd9e9275 100644 --- a/lib/ext/compress_certificate.c +++ b/lib/ext/compress_certificate.c @@ -263,6 +263,8 @@ _gnutls_compress_certificate_send_params(gnutls_session_t session, if (ret < 0) return gnutls_assert_val(ret); + session->internals.hsk_flags |= HSK_COMP_CRT_REQ_SENT; + return bytes_len + 1; } diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index 19da7fcee8..567d34f365 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -1357,6 +1357,7 @@ typedef struct { #define HSK_HRR_SENT (1<<3) #define HSK_HRR_RECEIVED (1<<4) #define HSK_CRT_REQ_SENT (1<<5) +#define HSK_COMP_CRT_REQ_SENT (1<<6) /* whether certificate compression has been requested */ #define HSK_KEY_UPDATE_ASKED (1<<7) /* flag is not used during handshake */ #define HSK_FALSE_START_USED (1<<8) /* TLS1.2 only */ #define HSK_HAVE_FFDHE (1<<9) /* whether the peer has advertized at least an FFDHE group */ diff --git a/lib/tls13/certificate.c b/lib/tls13/certificate.c index 065bb9a62a..4059db38de 100644 --- a/lib/tls13/certificate.c +++ b/lib/tls13/certificate.c @@ -60,7 +60,7 @@ int _gnutls13_recv_certificate(gnutls_session_t session) if (ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET) { /* check if we received compressed certificate */ err = _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_COMPRESSED_CERTIFICATE_PKT, 0, &buf); - if (err >= 0) { + if (err >= 0 && (session->internals.hsk_flags & HSK_COMP_CRT_REQ_SENT)) { decompress_cert = 1; ret = err; } |