Diffstat (limited to 'ssl/statem/extensions_clnt.c')
-rw-r--r--ssl/statem/extensions_clnt.c16
1 files changed, 13 insertions, 3 deletions
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 1fd4d84f73..2a9a182409 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -776,14 +776,24 @@ int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, X509 *x, size_t chain,
int *al)
{
/*
- * MUST be empty and only sent if we've requested a status
- * request message.
+ * MUST only be sent if we've requested a status
+ * request message. In TLS <= 1.2 it must also be empty.
*/
if (s->tlsext_status_type == TLSEXT_STATUSTYPE_nothing
- || PACKET_remaining(pkt) > 0) {
+ || (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0)) {
*al = SSL_AD_UNSUPPORTED_EXTENSION;
return 0;
}
+
+ if (SSL_IS_TLS13(s)) {
+ /* We only know how to handle this if it's for the first Certificate in
+ * the chain. We ignore any other repsonses.
+ */
+ if (chain != 0)
+ return 1;
+ return tls_process_cert_status_body(s, pkt, al);
+ }
+
/* Set flag to expect CertificateStatus message */
s->tlsext_status_expected = 1;
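Review bot: In the TLS 1.3 branch, `if (chain != 0) return 1;` accepts the status_request body on every non-leaf certificate without reading a byte of it. Malformed data there passes silently, and only the leaf's revocation status can ever come from stapling. The comment above that check should say so, for example `/* Only the response for the leaf (chain == 0) is processed; responses on other certificates are skipped unparsed, so their revocation status is not covered by stapling. */`, and the same edit can fix the "repsonses" typo. Whether `tls_process_cert_status_body()` rejects trailing bytes after the response is not visible here and is worth confirming, since this branch no longer enforces `PACKET_remaining(pkt) == 0` for TLS 1.3. The function body continues past the end of the hunk.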