diff options
author | Matt Caswell <matt@openssl.org> | 2019-09-05 16:43:57 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2019-09-06 10:07:11 +0100 |
commit | debb64a0ca43969eb3f043aa8895a4faa7f12b6e (patch) | |
tree | a6a0a771c6bd14b43467a3e76640e45c7bdf67e4 /ssl | |
parent | 7e8c3381937354cf171ceaf4c69315e9a45d4858 (diff) | |
download | openssl-new-debb64a0ca43969eb3f043aa8895a4faa7f12b6e.tar.gz |
Don't send a status_request extension in a CertificateRequest message
If a TLSv1.3 server configured to respond to the status_request extension
also attempted to send a CertificateRequest then it was incorrectly
inserting a non zero length status_request extension into that message.
The TLSv1.3 RFC does allow that extension in that message but it must
always be zero length.
In fact we should not be sending the extension at all in that message
because we don't support it.
Fixes #9767
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9780)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/statem/extensions_srvr.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index e16722cbeb..1c023fc6c4 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -1491,6 +1491,10 @@ EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx) { + /* We don't currently support this extension inside a CertificateRequest */ + if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST) + return EXT_RETURN_NOT_SENT; + if (!s->ext.status_expected) return EXT_RETURN_NOT_SENT; |