Reject unknown fields in d2i_SSL_SESSION. The original OpenSSL implementation did the same. M_ASN1_D2I_Finish checks this. Forwards compatibility with future sessions with unknown fields is probably not desirable. Change-Id: I116a8c482cbcc47c3fcc31515c4a3718f66cf268 Reviewed-on: https://boringssl-review.googlesource.com/4941 Reviewed-by: Adam Langley <agl@google.com>

commit: f297e021f1403614f90c2f01e669022edfc1cfe6 [log] [tgz]
author: David Benjamin <davidben@chromium.org> Thu May 28 19:55:29 2015 -0400
committer: Adam Langley <agl@google.com> Mon Jun 01 20:29:07 2015 +0000
tree: 073e7a391f8146cad7e354863698403862298b23
parent: 8a228f5bfe82e8178fc42262a1cc21e82c3f8bf8 [diff] [blame]
diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
index eb0c725..b0ab622 100644
--- a/ssl/ssl_asn1.c
+++ b/ssl/ssl_asn1.c

@@ -477,7 +477,8 @@
   }
   if (!CBS_get_optional_asn1_bool(&session, &extended_master_secret,
                                   kExtendedMasterSecretTag,
-                                  0 /* default to false */)) {
+                                  0 /* default to false */) ||
+      CBS_len(&session) != 0) {
     OPENSSL_PUT_ERROR(SSL, d2i_SSL_SESSION, SSL_R_INVALID_SSL_SESSION);
     goto err;
   }
commit	f297e021f1403614f90c2f01e669022edfc1cfe6	[log] [tgz]
author	David Benjamin <davidben@chromium.org>	Thu May 28 19:55:29 2015 -0400
committer	Adam Langley <agl@google.com>	Mon Jun 01 20:29:07 2015 +0000
tree	073e7a391f8146cad7e354863698403862298b23
parent	8a228f5bfe82e8178fc42262a1cc21e82c3f8bf8 [diff] [blame]