diff options
author | Matt Caswell <matt@openssl.org> | 2021-09-20 14:15:18 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2021-10-11 11:30:52 +0100 |
commit | f5ed4f0bbe31617b6df897ac6a28af9b3c8fd18e (patch) | |
tree | 477b72889f31a691ef3b38c6fd824dfb0029d0a1 /ssl | |
parent | a653e037ef0236ea9cd84ec4c94f0bb94aca56ab (diff) |
New extensions can be sent in a certificate request
Normally we expect a client to send new extensions in the ClientHello,
which may be echoed back by the server in subsequent messages. However the
server can also send a new extension in the certificate request message to
be echoed back in a certificate message
Fixes #16632
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16634)
(cherry picked from commit cbb862fbaaa1ec5a3e33836bc92a6dbea97ceba0)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/statem/extensions_cust.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/ssl/statem/extensions_cust.c b/ssl/statem/extensions_cust.c index a0ba18efa7..fa24344db7 100644 --- a/ssl/statem/extensions_cust.c +++ b/ssl/statem/extensions_cust.c @@ -146,11 +146,12 @@ int custom_ext_parse(SSL *s, unsigned int context, unsigned int ext_type, } /* - * Extensions received in the ClientHello are marked with the - * SSL_EXT_FLAG_RECEIVED. This is so we know to add the equivalent - * extensions in the ServerHello/EncryptedExtensions message + * Extensions received in the ClientHello or CertificateRequest are marked + * with the SSL_EXT_FLAG_RECEIVED. This is so we know to add the equivalent + * extensions in the response messages */ - if ((context & SSL_EXT_CLIENT_HELLO) != 0) + if ((context & (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)) + != 0) meth->ext_flags |= SSL_EXT_FLAG_RECEIVED; /* If no parse function set return success */ @@ -192,7 +193,7 @@ int custom_ext_add(SSL *s, int context, WPACKET *pkt, X509 *x, size_t chainidx, | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS | SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST)) != 0) { - /* Only send extensions present in ClientHello. */ + /* Only send extensions present in ClientHello/CertificateRequest */ if (!(meth->ext_flags & SSL_EXT_FLAG_RECEIVED)) continue; } |