commit 489016550997ba53185658d501d972517a1b79b5
author David Benjamin <davidben@google.com> Mon Aug 01 12:12:47 2016 -0400
committer CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Mon Aug 01 19:47:26 2016 +0000
tree 696a9665c2a996128a59a32d2f6434fdd9120ee6
parent 0c40a96455b0f720267b9eeb47704c85ee883121

Empty signature algorithms in TLS 1.3 CertificateRequest is illegal.

In TLS 1.2, this was allowed to be empty for the weird SHA-1 fallback
logic. In TLS 1.3, not only is the fallback logic gone, but omitting
them is a syntactic error.

   struct {
       opaque certificate_request_context<0..2^8-1>;
       SignatureScheme
         supported_signature_algorithms<2..2^16-2>;
       DistinguishedName certificate_authorities<0..2^16-1>;
       CertificateExtension certificate_extensions<0..2^16-1>;
   } CertificateRequest;

Thanks to Eric Rescorla for pointing this out.

Change-Id: I4991e59bc4647bb665aaf920ed4836191cea3a5a
Reviewed-on: https://boringssl-review.googlesource.com/9062
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

ssl/tls13_client.c

diff --git a/ssl/tls13_client.c b/ssl/tls13_client.c
index c38358d..6199695 100644
--- a/ssl/tls13_client.c
+++ b/ssl/tls13_client.c
@@ -323,6 +323,7 @@
       !CBS_stow(&context, &ssl->s3->hs->cert_context,
                 &ssl->s3->hs->cert_context_len) ||
       !CBS_get_u16_length_prefixed(&cbs, &supported_signature_algorithms) ||
+      CBS_len(&supported_signature_algorithms) == 0 ||
       !tls1_parse_peer_sigalgs(ssl, &supported_signature_algorithms)) {
     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);