upstream fix for status request extension non-compliance (#1737471)

Tomas Mraz 2019-09-06 17:02:18 +02:00
parent dba4c3b578
commit 45ebb7fdc2
2 changed files with 39 additions and 0 deletions

@ -0,0 +1,36 @@
From 93e26cedac20844733d59f33e313880da17fa23a Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Thu, 5 Sep 2019 16:43:57 +0100
Subject: [PATCH 1/2] Don't send a status_request extension in a
 CertificateRequest message

If a TLSv1.3 server configured to respond to the status_request extension
also attempted to send a CertificateRequest then it was incorrectly
inserting a non-zero length status_request extension into that message.
The TLSv1.3 RFC does allow that extension in that message but it must
always be zero length.

In fact we should not be sending the extension at all in that message
because we don't support it.

Fixes #9767
---
ssl/statem/extensions_srvr.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index e16722cbeb8..1c023fc6c40 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -1491,6 +1491,10 @@ EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x,
size_t chainidx)
{
+ /* We don't currently support this extension inside a CertificateRequest */
+ if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
+ return EXT_RETURN_NOT_SENT;
+
if (!s->ext.status_expected)
return EXT_RETURN_NOT_SENT;

@ -454,6 +454,9 @@ export LD_LIBRARY_PATH
%ldconfig_scriptlets libs
%changelog
* Fri Sep 6 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-6
- upstream fix for status request extension non-compliance (#1737471)
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.1c-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
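Review bot: the new changelog entry's version string `1.1.1c-6` drops the epoch that the previous entry `1:1.1.1c-5` carries; make the two consistent (`1:1.1.1c-6`) so the changelog versions sort correctly against each other.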