Tighten up client status_request processing

Instead of making a positive comparison against the invalid value that our server would send, make a negative check against the only value that is not an error. Reviewed-by: N Richard Levitte <levitte@openssl.org> Reviewed-by: N Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2953)

Tighten up client status_request processing
Instead of making a positive comparison against the invalid value that our server would send, make a negative check against the only value that is not an error. Reviewed-by: N Richard Levitte <levitte@openssl.org> Reviewed-by: N Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2953)
d9aea041 · Benjamin Kaduk · Matt Caswell · 26721d32 · d9aea041
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

ssl/statem/extensions_clnt.c ssl/statem/extensions_clnt.c +1 -1

未找到文件。
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -1016,7 +1016,7 @@ int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context,
     * MUST only be sent if we've requested a status
     * request message. In TLS <= 1.2 it must also be empty.
     */
-    if (s->ext.status_type == TLSEXT_STATUSTYPE_nothing
+    if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp
            || (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0)) {
        *al = SSL_AD_UNSUPPORTED_EXTENSION;
        return 0;