author | Matt Caswell <matt@openssl.org> | 2021-09-20 14:15:18 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2021-10-11 11:18:05 +0100 |
commit | e164577e720e9377b4f5ae4c726f47878547e616 (patch) | |
tree | 96c6efbbaba98cce65239f4e04feaac6cf8a054a /ssl | |
parent | 4f4711c7657396239ba9b9e5a7149e3cdcafe2e4 (diff) |
New extensions can be sent in a certificate request
Normally we expect a client to send new extensions in the ClientHello,
which may be echoed back by the server in subsequent messages. However, the
server can also send a new extension in the certificate request message to
be echoed back in a certificate message.
Fixes #16632
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16634)
(cherry picked from commit cbb862fbaaa1ec5a3e33836bc92a6dbea97ceba0)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/statem/extensions_cust.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/ssl/statem/extensions_cust.c b/ssl/statem/extensions_cust.c
index a00194bf33..401a4c5c76 100644
--- a/ssl/statem/extensions_cust.c
+++ b/ssl/statem/extensions_cust.c
@@ -145,11 +145,12 @@ int custom_ext_parse(SSL *s, unsigned int context, unsigned int ext_type,
 }
 
 /*
- * Extensions received in the ClientHello are marked with the
- * SSL_EXT_FLAG_RECEIVED. This is so we know to add the equivalent
- * extensions in the ServerHello/EncryptedExtensions message
+ * Extensions received in the ClientHello or CertificateRequest are marked
+ * with the SSL_EXT_FLAG_RECEIVED. This is so we know to add the equivalent
+ * extensions in the response messages
  */
- if ((context & SSL_EXT_CLIENT_HELLO) != 0)
+ if ((context & (SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST))
+ != 0)
 meth->ext_flags |= SSL_EXT_FLAG_RECEIVED;
 
 /* If no parse function set return success */
@@ -191,7 +192,7 @@ int custom_ext_add(SSL *s, int context, WPACKET *pkt, X509 *x, size_t chainidx,
 | SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS
 | SSL_EXT_TLS1_3_CERTIFICATE
 | SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST)) != 0) {
- /* Only send extensions present in ClientHello. */
+ /* Only send extensions present in ClientHello/CertificateRequest */
 if (!(meth->ext_flags & SSL_EXT_FLAG_RECEIVED))
 continue;
 }
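Review bot: SSL_EXT_FLAG_RECEIVED, set by the widened `if` in the first hunk, is a single bit on `meth` shared by every message context, so after this change it no longer records whether the extension arrived in a ClientHello or a CertificateRequest, and the rewritten comment does not say why that is still sufficient. As far as the hunk shows, it is sufficient only because one SSL object parses just one of those two messages (a server the ClientHello, a client the CertificateRequest); nothing here checks that the extension was registered for the context it was received in, which I presume the caller or the lookup of `meth` does before this point. I would state the assumption in the comment rather than the vaguer "response messages": `* A connection parses only one of these (server: ClientHello, client: CertificateRequest), so a single RECEIVED bit is enough to decide which later messages may carry the extension.` custom_ext_parse starts and ends outside the hunk.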
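Review bot: The reworded comment in the second hunk still says only "present in" and does not tell the reader which side each message applies to, although the guard below it now covers both a server answering a ClientHello and a client answering a CertificateRequest. I would make the direction explicit: `/* Only send extensions the peer already sent us (ClientHello for a server, CertificateRequest for a client) */`. The enclosing `if` and custom_ext_add continue outside the hunk.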