Commit d9aea041 authored by Benjamin Kaduk, committed by Matt Caswell

Tighten up client status_request processing



Instead of making a positive comparison against the invalid value
that our server would send, make a negative check against the only
value that is not an error.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2953)
parent 26721d32
+1 −1
@@ -1016,7 +1016,7 @@ int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context,
     * MUST only be sent if we've requested a status
     * request message. In TLS <= 1.2 it must also be empty.
     */
    if (s->ext.status_type == TLSEXT_STATUSTYPE_nothing
    if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp
            || (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0)) {
        *al = SSL_AD_UNSUPPORTED_EXTENSION;
        return 0;
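
Review bot: The combined condition sends `SSL_AD_UNSUPPORTED_EXTENSION` for two different failures: an extension we never requested (`s->ext.status_type != TLSEXT_STATUSTYPE_ocsp`) and a non-empty body in TLS <= 1.2 (`PACKET_remaining(pkt) > 0`). The second case is a malformed extension rather than an unsolicited one, so consider splitting the check and giving that branch a decode-error alert, which also makes the two failures distinguishable when debugging a handshake. The comment above the check could additionally state that `TLSEXT_STATUSTYPE_ocsp` is the only accepted value, so the reason for the negative comparison stays next to the code. In this rendering the +/- markers are missing: the `== TLSEXT_STATUSTYPE_nothing` line is the one removed and the `!= TLSEXT_STATUSTYPE_ocsp` line is its replacement.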