From: Filippo Valsorda <filippo@golang.org>
Date: Wed, 21 May 2025 20:41:54 +0000 (+0200)
Subject: crypto/tls: signature_algorithms in CertificateRequest can't be empty
X-Git-Tag: go1.25rc1~72
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=aca9f4e484b529aeb15bf6f9633a5f07d9bab940;p=gostls13.git

crypto/tls: signature_algorithms in CertificateRequest can't be empty

Change-Id: I6a6a4656ab97e1f247df35b2589cd73461b4ac76
Reviewed-on: https://go-review.googlesource.com/c/go/+/675917
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---

diff --git a/src/crypto/tls/handshake_messages.go b/src/crypto/tls/handshake_messages.go
index ad3e5fa352..d9a475aab1 100644
--- a/src/crypto/tls/handshake_messages.go
+++ b/src/crypto/tls/handshake_messages.go
@@ -1790,7 +1790,7 @@ func (m *certificateRequestMsg) unmarshal(data []byte) bool {
 		}
 		sigAndHashLen := uint16(data[0])<<8 | uint16(data[1])
 		data = data[2:]
-		if sigAndHashLen&1 != 0 {
+		if sigAndHashLen&1 != 0 || sigAndHashLen == 0 {
 			return false
 		}
 		if len(data) < int(sigAndHashLen) {