Google Git
Sign in
boringssl/boringssl/cfa08c3b7740275ef3994ff07a2c7f4639c88ccb^!/./ssl/internal.h
commit
cfa08c3b7740275ef3994ff07a2c7f4639c88ccb
[log]
author
Adam Langley <alangley@gmail.com>
Thu Nov 17 13:21:27 2016 -0800
committer
Adam Langley <agl@google.com>
Fri Nov 18 19:19:48 2016 +0000
tree
f3d1b9ac22a86e3124af1ef63bc180525870d402
parent
b5172a722ccb62e5bdd893e9d4c6741b8425c942 [diff] [blame]
Enforce basic sanity of SCT lists.

According to the RFC[1], SCT lists may not be empty and nor may any SCT
itself be empty.

[1] https://tools.ietf.org/html/rfc6962#section-3.3

Change-Id: Ia1f855907588b36a4fea60872f87e25dc20782b4
Reviewed-on: https://boringssl-review.googlesource.com/12362
Reviewed-by: Adam Langley <agl@google.com>

diff --git a/ssl/internal.h b/ssl/internal.h
index 7e505db..1d78ec1 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h

@@ -1073,6 +1073,10 @@
                                              uint8_t *out_alert, CBS *contents);
 int ssl_ext_pre_shared_key_add_serverhello(SSL *ssl, CBB *out);
 
+/* ssl_is_sct_list_valid does a shallow parse of the SCT list in |contents| and
+ * returns one iff it's valid. */
+int ssl_is_sct_list_valid(const CBS *contents);
+
 int ssl_write_client_hello(SSL *ssl);
 
 /* ssl_clear_tls13_state releases client state only needed for TLS 1.3. It