diff options
| -rw-r--r-- | src/lib/libssl/ssl_tlsext.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index 019b64f7e5..1dba9849a1 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_tlsext.c,v 1.78 2020/07/03 07:17:26 tb Exp $ */ | 1 | /* $OpenBSD: ssl_tlsext.c,v 1.79 2020/08/03 19:27:57 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> | 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> |
| @@ -1018,6 +1018,17 @@ tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) | |||
| 1018 | uint8_t status_type; | 1018 | uint8_t status_type; |
| 1019 | 1019 | ||
| 1020 | if (version >= TLS1_3_VERSION) { | 1020 | if (version >= TLS1_3_VERSION) { |
| 1021 | if (msg_type == SSL_TLSEXT_MSG_CR) { | ||
| 1022 | /* | ||
| 1023 | * RFC 8446, 4.4.2.1 - the server may request an OCSP | ||
| 1024 | * response with an empty status_request. | ||
| 1025 | */ | ||
| 1026 | if (CBS_len(cbs) == 0) | ||
| 1027 | return 1; | ||
| 1028 | |||
| 1029 | SSLerror(s, SSL_R_LENGTH_MISMATCH); | ||
| 1030 | return 0; | ||
| 1031 | } | ||
| 1021 | if (!CBS_get_u8(cbs, &status_type)) { | 1032 | if (!CBS_get_u8(cbs, &status_type)) { |
| 1022 | SSLerror(s, SSL_R_LENGTH_MISMATCH); | 1033 | SSLerror(s, SSL_R_LENGTH_MISMATCH); |
| 1023 | return 0; | 1034 | return 0; |