Correctly handle server requests for an OCSP response

According to RFC 8446, 4.4.2.1, a server may request that a client
present an OCSP response with its certificate by sending an empty
status_request extension as part of the certificate request.  The
current code expects a full CertificateStatus structure, which is
only sent if the server sends an OCSP response with its certificate.

This causes interoperability issues with Go's TLS server and with
newer GnuTLS where we would abort the handshake with a decode_error
alert and length mismatch error.

Issue reported and diagnosed by Michael Forney
Problem also found by Mikolaj Kucharski and inoguchi.

ok inoguchi jsing

1 files changed, 12 insertions, 1 deletions

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 019b64f7e5..1dba9849a1 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.78 2020/07/03 07:17:26 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.79 2020/08/03 19:27:57 tb Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1018,6 +1018,17 @@ tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
         uint8_t status_type;
 
         if (version >= TLS1_3_VERSION) {
+                if (msg_type == SSL_TLSEXT_MSG_CR) {
+                        /*
+                         * RFC 8446, 4.4.2.1 - the server may request an OCSP
+                         * response with an empty status_request.
+                         */
+                        if (CBS_len(cbs) == 0)
+                                return 1;
+
+                        SSLerror(s, SSL_R_LENGTH_MISMATCH);
+                        return 0;
+                }
                 if (!CBS_get_u8(cbs, &status_type)) {
                         SSLerror(s, SSL_R_LENGTH_MISMATCH);
                         return 0;