Ensure clients only send a status_request in the CH

The current code might cause a client to send a status_request
containing a CertificateStatusRequest with its certificate. This
makes no sense.

Pointed out by Michael Forney

ok inoguchi jsing

1 files changed, 7 insertions, 3 deletions

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 1dba9849a1..920d026fff 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.79 2020/08/03 19:27:57 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.80 2020/08/03 19:43:16 tb Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -853,8 +853,12 @@ tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 int
 tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type)
 {
-        return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
-            s->version != DTLS1_VERSION);
+        if (SSL_IS_DTLS(s))
+                return 0;
+        if (msg_type != SSL_TLSEXT_MSG_CH)
+                return 0;
+
+        return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp);
 }
 
 int