Tighten up client status_request processing
author Benjamin Kaduk <bkaduk@akamai.com>
Tue, 14 Mar 2017 23:57:43 +0000 (18:57 -0500)
committer Matt Caswell <matt@openssl.org>
Wed, 15 Mar 2017 20:44:57 +0000 (20:44 +0000)
Instead of making a positive comparison against the invalid value
that our server would send, make a negative check against the only
value that is not an error.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2953)

ssl/statem/extensions_clnt.c

index 98159b54cc93d0314bb10ed11605332ae1d7e521..d40c9cee11e826fbfae48e774ba2d2d23c140bfe 100644
@@ -1016,7 +1016,7 @@ int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context,
      * MUST only be sent if we've requested a status
      * request message. In TLS <= 1.2 it must also be empty.
      */
-    if (s->ext.status_type == TLSEXT_STATUSTYPE_nothing
+    if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp
             || (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0)) {
         *al = SSL_AD_UNSUPPORTED_EXTENSION;
         return 0;
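Review bot: the negated check `s->ext.status_type != TLSEXT_STATUSTYPE_ocsp` fails closed for any value the client did not request, which is the right default, but the comment just above the condition still only says the extension "MUST only be sent if we've requested a status request message"; consider extending it to state that OCSP is the only status type this client ever requests, so any other value of `s->ext.status_type` is treated as an unsolicited extension and rejected with `SSL_AD_UNSUPPORTED_EXTENSION`. A short note that this same alert also covers the non-empty-body case for TLS <= 1.2 (the second half of the `||`) would make the shared error path easier to follow for the next reader.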