Tighten up client status_request processing Instead of making a positive comparison against the invalid value that our server would send, make a negative check against the only value that is not an error. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2953)

commit: d9aea0416249bf7fb2dd330dd9dde825ac5e4b94 [log] [tgz]
author: Benjamin Kaduk <bkaduk@akamai.com> Tue Mar 14 18:57:43 2017 -0500
committer: Matt Caswell <matt@openssl.org> Wed Mar 15 20:44:57 2017 +0000
tree: 110057d3f4e60e4301e4f5ff9cb2aeccb1f1cd1e
parent: 26721d3212daece42091629e5205deeda2e4eca3 [diff]
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 98159b5..d40c9ce 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c

@@ -1016,7 +1016,7 @@
      * MUST only be sent if we've requested a status
      * request message. In TLS <= 1.2 it must also be empty.
      */
-    if (s->ext.status_type == TLSEXT_STATUSTYPE_nothing
+    if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp
             || (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0)) {
         *al = SSL_AD_UNSUPPORTED_EXTENSION;
         return 0;
commit	d9aea0416249bf7fb2dd330dd9dde825ac5e4b94	[log] [tgz]
author	Benjamin Kaduk <bkaduk@akamai.com>	Tue Mar 14 18:57:43 2017 -0500
committer	Matt Caswell <matt@openssl.org>	Wed Mar 15 20:44:57 2017 +0000
tree	110057d3f4e60e4301e4f5ff9cb2aeccb1f1cd1e
parent	26721d3212daece42091629e5205deeda2e4eca3 [diff]