The branch master has been updated via d9aea0416249bf7fb2dd330dd9dde825ac5e4b94 (commit) from 26721d3212daece42091629e5205deeda2e4eca3 (commit)
- Log ----------------------------------------------------------------- commit d9aea0416249bf7fb2dd330dd9dde825ac5e4b94 Author: Benjamin Kaduk <bka...@akamai.com> Date: Tue Mar 14 18:57:43 2017 -0500 Tighten up client status_request processing Instead of making a positive comparison against the invalid value that our server would send, make a negative check against the only value that is not an error. Reviewed-by: Richard Levitte <levi...@openssl.org> Reviewed-by: Matt Caswell <m...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2953) ----------------------------------------------------------------------- Summary of changes: ssl/statem/extensions_clnt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index 98159b5..d40c9ce 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -1016,7 +1016,7 @@ int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context, * MUST only be sent if we've requested a status * request message. In TLS <= 1.2 it must also be empty. */ - if (s->ext.status_type == TLSEXT_STATUSTYPE_nothing + if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp || (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0)) { *al = SSL_AD_UNSUPPORTED_EXTENSION; return 0; _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
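Review bot: The new test `s->ext.status_type != TLSEXT_STATUSTYPE_ocsp` in tls_parse_stoc_status_request turns the check into an allow-list, but the comment directly above it still only says the extension "MUST only be sent if we've requested a status request message". Please extend that comment to say that ocsp is the only status type treated as a request and that any other value is rejected, so the intent stays visible next to the condition. The summary of changes lists only ssl/statem/extensions_clnt.c, so nothing in this commit exercises a status_type that is neither TLSEXT_STATUSTYPE_nothing nor TLSEXT_STATUSTYPE_ocsp, which is the one case where the old and new conditions differ. A test that sets such a value on the client and expects the SSL_AD_UNSUPPORTED_EXTENSION alert would pin the tightened behaviour.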