F-4868: reject trailing bytes in TLS 1.3 CertificateRequest

DoTls13CertificateRequest advanced past the certificate_request_context and
extensions blocks but never verified the whole message body was consumed,
silently ignoring trailing bytes. RFC 8446 Section 4.3.2 fixes the wire
format; enforce that the consumed length equals the message size and return
BUFFER_ERROR (decode_error) otherwise.
Juliusz Sosinowicz
2026-06-03 00:24:46 +02:00
parent e4007a8956
commit 2d36eca90e
+4 -1
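As an added illustration of the check described in the commit message (this is not wolfSSL's code and does not reproduce DoTls13CertificateRequest): a minimal parser for the TLS 1.3 CertificateRequest body that bounds-checks every length field, tracks the consumed offset, and rejects a body that is not consumed exactly. The CR_* error constants, the function names and the three sample messages are all hypothetical or constructed here; CR_BUFFER_ERROR and CR_INVALID_PARAMETER are stand-ins for wolfSSL's BUFFER_ERROR and INVALID_PARAMETER.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for wolfSSL's BUFFER_ERROR / INVALID_PARAMETER. */
#define CR_OK                 0
#define CR_BUFFER_ERROR      -1   /* would map to a decode_error alert */
#define CR_INVALID_PARAMETER -2   /* would map to an illegal_parameter alert */

#define EXT_SIGNATURE_ALGORITHMS 13

/* Parsed view of a TLS 1.3 CertificateRequest body (RFC 8446 4.3.2):
 *     opaque certificate_request_context<0..2^8-1>;
 *     Extension extensions<2..2^16-1>;
 */
typedef struct {
    const uint8_t *ctx;   size_t ctxLen;
    const uint8_t *exts;  size_t extsLen;
    int sawSigAlgs;       /* signature_algorithms extension present */
} CertReq;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse `size` bytes of CertificateRequest body. Every length read is
 * bounds-checked against the remaining input, and after both blocks are
 * consumed the offset must equal `size`: trailing bytes are a decode error. */
static int parse_cert_request(const uint8_t *body, size_t size, CertReq *out)
{
    size_t idx = 0, e;
    memset(out, 0, sizeof(*out));

    /* certificate_request_context: 1-byte length + bytes */
    if (size < 1) return CR_BUFFER_ERROR;
    out->ctxLen = body[idx++];
    if (size - idx < out->ctxLen) return CR_BUFFER_ERROR;
    out->ctx = body + idx;
    idx += out->ctxLen;

    /* extensions: 2-byte length + vector */
    if (size - idx < 2) return CR_BUFFER_ERROR;
    out->extsLen = be16(body + idx);
    idx += 2;
    if (size - idx < out->extsLen) return CR_BUFFER_ERROR;
    out->exts = body + idx;

    /* walk each Extension { type(2), length(2), data } */
    for (e = 0; e < out->extsLen; ) {
        uint16_t type, len;
        if (out->extsLen - e < 4) return CR_BUFFER_ERROR;
        type = be16(out->exts + e);
        len  = be16(out->exts + e + 2);
        e += 4;
        if (out->extsLen - e < len) return CR_BUFFER_ERROR;
        if (type == EXT_SIGNATURE_ALGORITHMS) {
            /* SignatureScheme supported_signature_algorithms<2..2^16-2> */
            uint16_t listLen;
            if (len < 2) return CR_BUFFER_ERROR;
            listLen = be16(out->exts + e);
            if (listLen != len - 2 || listLen == 0 || (listLen & 1))
                return CR_BUFFER_ERROR;
            out->sawSigAlgs = 1;
        }
        e += len;
    }
    idx += out->extsLen;

    /* The check the commit adds: whole body consumed, no trailing bytes. */
    if (idx != size) return CR_BUFFER_ERROR;

    /* RFC 8446 4.3.2: signature_algorithms MUST be present. */
    if (!out->sawSigAlgs) return CR_INVALID_PARAMETER;
    return CR_OK;
}

/* Constructed sample: empty context, one signature_algorithms extension
 * listing ecdsa_secp256r1_sha256 (0x0403) and rsa_pss_rsae_sha256 (0x0804). */
static const uint8_t kGood[] = {
    0x00,                     /* context length 0 */
    0x00, 0x0a,               /* extensions length 10 */
    0x00, 0x0d, 0x00, 0x06,   /* type 13, length 6 */
    0x00, 0x04,               /* list length 4 */
    0x04, 0x03, 0x08, 0x04    /* two SignatureSchemes */
};
/* Constructed: kGood plus one stray byte, which an offset-blind parser ignores. */
static const uint8_t kTrailing[] = {
    0x00, 0x00, 0x0a, 0x00, 0x0d, 0x00, 0x06, 0x00, 0x04,
    0x04, 0x03, 0x08, 0x04, 0xff
};
/* Constructed: well-formed but carries only an unknown, empty extension. */
static const uint8_t kNoSigAlgs[] = { 0x00, 0x00, 0x04, 0x00, 0x14, 0x00, 0x00 };

int check_good(void)      { CertReq r; return parse_cert_request(kGood, sizeof kGood, &r); }
int check_trailing(void)  { CertReq r; return parse_cert_request(kTrailing, sizeof kTrailing, &r); }
int check_truncated(void) { CertReq r; return parse_cert_request(kGood, sizeof kGood - 1, &r); }
int check_nosigalgs(void) { CertReq r; return parse_cert_request(kNoSigAlgs, sizeof kNoSigAlgs, &r); }

int main(void)
{
    printf("good=%d trailing=%d truncated=%d nosigalgs=%d\n",
           check_good(), check_trailing(), check_truncated(), check_nosigalgs());
    return 0;
}
```

The trailing-byte case is the one the commit targets: kTrailing passes every per-field bounds check, since the stray byte lies outside the declared extensions vector, and is caught only by the final `idx != size` comparison. Truncation is rejected earlier by the per-field checks, and a body with no signature_algorithms extension parses cleanly but fails the presence check, mirroring the order of the two checks in the hunk.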
@@ -6168,6 +6168,10 @@ static int DoTls13CertificateRequest(WOLFSSL* ssl, const byte* input,
}
*inOutIdx += len;
/* No trailing bytes allowed (RFC 8446 4.3.2). */
if ((*inOutIdx - begin) != size)
return BUFFER_ERROR;
/* RFC 8446 Section 4.3.2: the signature_algorithms extension MUST be
* present in a CertificateRequest. */
if (peerSuites.hashSigAlgoSz == 0) {
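Review bot: the new `return BUFFER_ERROR;` after the extensions block is not logged, whereas the INVALID_PARAMETER path a few lines below calls `WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);` before returning; for the same diagnostics when a message with trailing bytes is rejected, add `WOLFSSL_ERROR_VERBOSE(BUFFER_ERROR);` and brace the body to match the neighbouring block. Since neither declaration is in the hunk, it is also worth confirming that `begin` holds the value of `*inOutIdx` on entry and that `size` is the length of the CertificateRequest body rather than the remaining input, otherwise the equality test rejects valid messages.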
@@ -6175,7 +6179,6 @@ static int DoTls13CertificateRequest(WOLFSSL* ssl, const byte* input,
WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
return INVALID_PARAMETER;
}
#ifdef WOLFSSL_CERT_SETUP_CB
if ((ret = CertSetupCbWrapper(ssl)) != 0)
return ret;
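Review bot: the header `@@ -6175,7 +6179,6 @@` records one line removed, but the rendered hunk shows six lines with no `-` marker, so the deleted line cannot be identified from this view, and the commit message describes only the added check; the message should state what was dropped, or the raw diff should be checked to confirm the removal is whitespace only.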