[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Mon Mar 5 12:02:55 UTC 2018


The branch master has been updated
       via  5de683d2c6ae2f8c30b97326e72ff19f41228b74 (commit)
      from  c04c60217ab748effc5a07bf098abda2045c927b (commit)


- Log -----------------------------------------------------------------
commit 5de683d2c6ae2f8c30b97326e72ff19f41228b74
Author: Matt Caswell <matt at openssl.org>
Date:   Fri Mar 2 15:02:11 2018 +0000

    Fix status_request and SCT extensions
    
    They are valid for use in a CertificateRequest message, but we did not
    allow it. If a server sent such a message using either of those two
    extensions then the handshake would abort.
    
    This corrects that error, but does not add support for actually processing
    the extensions. They are simply ignored, and a TODO is inserted to add
    support at a later time.
    
    This was found during interoperability testing with btls:
    https://gitlab.com/ilari_l/btls
    
    Prompted by these errors I reviewed the complete list of extensions and
    compared them with the latest table in draft-24 to confirm there were no
    other errors of a similar type. I did not find any.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Ben Kaduk <kaduk at mit.edu>
    (Merged from https://github.com/openssl/openssl/pull/5490)

-----------------------------------------------------------------------

Summary of changes:
 ssl/statem/extensions.c      |  4 ++--
 ssl/statem/extensions_clnt.c | 12 ++++++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 722943f..6e3f8d1 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -211,7 +211,7 @@ static const EXTENSION_DEFINITION ext_defs[] = {
     {
         TLSEXT_TYPE_status_request,
         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
-        | SSL_EXT_TLS1_3_CERTIFICATE,
+        | SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
         init_status_request, tls_parse_ctos_status_request,
         tls_parse_stoc_status_request, tls_construct_stoc_status_request,
         tls_construct_ctos_status_request, NULL
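Review bot: In the status_request entry the widened mask applies to every callback listed in it, including tls_construct_stoc_status_request, yet the patch only adds a CertificateRequest branch to the client-side parser. Please confirm that the server-side constructor declines to send the extension in that context, or note it in the commit message, so that the change is limited to what a client accepts.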
@@ -263,7 +263,7 @@ static const EXTENSION_DEFINITION ext_defs[] = {
     {
         TLSEXT_TYPE_signed_certificate_timestamp,
         SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
-        | SSL_EXT_TLS1_3_CERTIFICATE,
+        | SSL_EXT_TLS1_3_CERTIFICATE | SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
         NULL,
         /*
          * No server side support for this, but can be provided by a custom
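Review bot: The mask change on the signed_certificate_timestamp entry, like the matching one for status_request, arrives without a test: the summary of changes lists only extensions.c and extensions_clnt.c. Since the failure was a handshake abort found through interoperability testing, a test in which the server's CertificateRequest carries these two extensions would keep it from regressing.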
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 6bc3d0d..d569f3b 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -1397,6 +1397,12 @@ int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, unsigned int context,
 int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context,
                                   X509 *x, size_t chainidx)
 {
+    if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
+        /* We ignore this if the server sends a CertificateRequest */
+        /* TODO(TLS1.3): Add support for this */
+        return 1;
+    }
+
     /*
      * MUST only be sent if we've requested a status
      * request message. In TLS <= 1.2 it must also be empty.
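Review bot: The early return at the top of tls_parse_stoc_status_request comes before the "MUST only be sent if we've requested a status request" check and never looks at pkt, so in a CertificateRequest the extension is accepted unsolicited and with an unvalidated body. If that is intended until the TODO is done, the comment should say so explicitly. The first comment, "We ignore this if the server sends a CertificateRequest", also reads as if the extension is ignored whenever a CertificateRequest is sent; the wording used in tls_parse_stoc_sct ("sends it in a CertificateRequest") is clearer.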
@@ -1435,6 +1441,12 @@ int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context,
 int tls_parse_stoc_sct(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
                        size_t chainidx)
 {
+    if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) {
+        /* We ignore this if the server sends it in a CertificateRequest */
+        /* TODO(TLS1.3): Add support for this */
+        return 1;
+    }
+
     /*
      * Only take it if we asked for it - i.e if there is no CT validation
      * callback set, then a custom extension MAY be processing it, so we
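Review bot: The guard in tls_parse_stoc_sct tests "context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST" with equality, while ext_defs builds its context values by OR-ing these flags together; if a caller ever passed a combined value the branch would be skipped. Either state in the comment that context is always a single message flag at this point or test with a mask. The block is also a verbatim copy of the one added to tls_parse_stoc_status_request, and the two adjacent one-line comments could be merged into a single comment.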

