1 files changed, 37 insertions, 6 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index cb2b2cadc7..bc122686c9 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.64 2020/05/09 10:51:55 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.65 2020/05/09 15:05:50 beck Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -921,12 +921,43 @@ tlsext_ocsp_server_build(SSL *s, CBB *cbb)
 int
 tlsext_ocsp_client_parse(SSL *s, CBS *cbs, int *alert)
 {
-        if (s->tlsext_status_type == -1) {
+        CBS response;
-                *alert = TLS1_AD_UNSUPPORTED_EXTENSION;
+        size_t stow_len;
-                return 0;
+        uint16_t version = TLS1_get_client_version(s);
+        uint8_t status_type;
+        if (version >= TLS1_3_VERSION) {
+                if (!CBS_get_u8(cbs, &status_type)) {
+                        SSLerror(s, SSL_R_LENGTH_MISMATCH);
+                        return 0;
+                }
+                if (status_type != TLSEXT_STATUSTYPE_ocsp) {
+                        SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE);
+                        return 0;
+                }
+                if (!CBS_get_u24_length_prefixed(cbs, &response)) {
+                        SSLerror(s, SSL_R_LENGTH_MISMATCH);
+                        return 0;
+                }
+                if (CBS_len(&response) > 65536) {
+                        SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
+                        return 0;
+                }
+                if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp,
+                    &stow_len)) {
+                        s->internal->tlsext_ocsp_resplen = 0;
+                        *alert = SSL_AD_INTERNAL_ERROR;
+                        return 0;
+                }
+                s->internal->tlsext_ocsp_resplen = (int)stow_len;
+        } else {
+                if (s->tlsext_status_type == -1) {
+                        *alert = TLS1_AD_UNSUPPORTED_EXTENSION;
+                        return 0;
+                }
+                /* Set flag to expect CertificateStatus message */
+                s->internal->tlsext_status_expected = 1;
        }
-        /* Set flag to expect CertificateStatus message */
-        s->internal->tlsext_status_expected = 1;
        return 1;
 }

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index cb2b2cadc7..bc122686c9 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_tlsext.c,v 1.64 2020/05/09 10:51:55 jsing Exp $ */	1	/* $OpenBSD: ssl_tlsext.c,v 1.65 2020/05/09 15:05:50 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>	4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -921,12 +921,43 @@ tlsext_ocsp_server_build(SSL s, CBB cbb)
921	int	921	int
922	tlsext_ocsp_client_parse(SSL s, CBS cbs, int *alert)	922	tlsext_ocsp_client_parse(SSL s, CBS cbs, int *alert)
923	{	923	{
924	if (s->tlsext_status_type == -1) {	924	CBS response;
925	*alert = TLS1_AD_UNSUPPORTED_EXTENSION;	925	size_t stow_len;
926	return 0;	926	uint16_t version = TLS1_get_client_version(s);
		927	uint8_t status_type;
		928
		929	if (version >= TLS1_3_VERSION) {
		930	if (!CBS_get_u8(cbs, &status_type)) {
		931	SSLerror(s, SSL_R_LENGTH_MISMATCH);
		932	return 0;
		933	}
		934	if (status_type != TLSEXT_STATUSTYPE_ocsp) {
		935	SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE);
		936	return 0;
		937	}
		938	if (!CBS_get_u24_length_prefixed(cbs, &response)) {
		939	SSLerror(s, SSL_R_LENGTH_MISMATCH);
		940	return 0;
		941	}
		942	if (CBS_len(&response) > 65536) {
		943	SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
		944	return 0;
		945	}
		946	if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp,
		947	&stow_len)) {
		948	s->internal->tlsext_ocsp_resplen = 0;
		949	*alert = SSL_AD_INTERNAL_ERROR;
		950	return 0;
		951	}
		952	s->internal->tlsext_ocsp_resplen = (int)stow_len;
		953	} else {
		954	if (s->tlsext_status_type == -1) {
		955	*alert = TLS1_AD_UNSUPPORTED_EXTENSION;
		956	return 0;
		957	}
		958	/* Set flag to expect CertificateStatus message */
		959	s->internal->tlsext_status_expected = 1;
927	}	960	}
928	/* Set flag to expect CertificateStatus message */
929	s->internal->tlsext_status_expected = 1;
930	return 1;	961	return 1;
931	}	962	}
932		963