[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Wed Mar 15 20:48:42 UTC 2017


The branch master has been updated
       via  d9aea0416249bf7fb2dd330dd9dde825ac5e4b94 (commit)
      from  26721d3212daece42091629e5205deeda2e4eca3 (commit)


- Log -----------------------------------------------------------------
commit d9aea0416249bf7fb2dd330dd9dde825ac5e4b94
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date:   Tue Mar 14 18:57:43 2017 -0500

    Tighten up client status_request processing
    
    Instead of making a positive comparison against the invalid value
    that our server would send, make a negative check against the only
    value that is not an error.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2953)

-----------------------------------------------------------------------

Summary of changes:
 ssl/statem/extensions_clnt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 98159b5..d40c9ce 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -1016,7 +1016,7 @@ int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context,
      * MUST only be sent if we've requested a status
      * request message. In TLS <= 1.2 it must also be empty.
      */
-    if (s->ext.status_type == TLSEXT_STATUSTYPE_nothing
+    if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp
             || (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0)) {
         *al = SSL_AD_UNSUPPORTED_EXTENSION;
         return 0;
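Review bot: The negated comparison on the `+` line (`s->ext.status_type != TLSEXT_STATUSTYPE_ocsp`) arrives without a test: the summary lists only ssl/statem/extensions_clnt.c, so nothing exercises a client whose status_type is neither TLSEXT_STATUSTYPE_nothing nor TLSEXT_STATUSTYPE_ocsp when the server sends this extension. A regression case that expects the handshake to fail with the alert for such a value would pin the allowlist behaviour the commit message describes. The comment above the condition could also say that ocsp is the only status type accepted here, since "if we've requested a status request message" no longer reads as the literal check. Separately, the unchanged `||` arm still reports a non-empty body in TLS <= 1.2 with SSL_AD_UNSUPPORTED_EXTENSION, the same alert as an unsolicited extension. Splitting the two conditions would let the malformed-body case send a decode error and make the two failures distinguishable in a capture.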

