author | Benjamin Kaduk <bkaduk@akamai.com> | 2017-03-14 18:57:43 -0500 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2017-03-15 20:44:57 +0000 |
commit | d9aea0416249bf7fb2dd330dd9dde825ac5e4b94 (patch) | |
tree | 110057d3f4e60e4301e4f5ff9cb2aeccb1f1cd1e | |
parent | 26721d3212daece42091629e5205deeda2e4eca3 (diff) |
Tighten up client status_request processing
Instead of making a positive comparison against the invalid value
that our server would send, make a negative check against the only
value that is not an error.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2953)
-rw-r--r-- | ssl/statem/extensions_clnt.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index 98159b54cc..d40c9cee11 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -1016,7 +1016,7 @@ int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context, * MUST only be sent if we've requested a status * request message. In TLS <= 1.2 it must also be empty. */ - if (s->ext.status_type == TLSEXT_STATUSTYPE_nothing + if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp || (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0)) { *al = SSL_AD_UNSUPPORTED_EXTENSION; return 0; |
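Review bot: The comment above the changed condition in tls_parse_stoc_status_request still says only that the extension "MUST only be sent if we've requested a status request message", while the check now treats TLSEXT_STATUSTYPE_ocsp as the sole value that counts as having requested one. Suggest saying so in the comment, so that anyone adding a new status type later sees that this check must be extended deliberately, since any other value now ends in SSL_AD_UNSUPPORTED_EXTENSION. The diffstat shows only ssl/statem/extensions_clnt.c touched; a test in which the server sends status_request while the client's status_type is neither TLSEXT_STATUSTYPE_nothing nor TLSEXT_STATUSTYPE_ocsp would pin the stricter behaviour that the old positive comparison let through.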