1 files changed, 23 insertions, 1 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 814eb7c5cf..1ec8ac00ef 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.68 2020/05/13 17:55:34 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.69 2020/05/19 01:30:34 beck Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -909,12 +909,34 @@ tlsext_ocsp_server_parse(SSL *s, CBS *cbs, int *alert)
 int
 tlsext_ocsp_server_needs(SSL *s)
 {
+        if (s->version >= TLS1_3_VERSION &&
+            s->ctx->internal->tlsext_status_cb != NULL) {
+                s->internal->tlsext_status_expected = 0;
+                if (s->ctx->internal->tlsext_status_cb(s,
+                    s->ctx->internal->tlsext_status_arg) == SSL_TLSEXT_ERR_OK &&
+                    s->internal->tlsext_ocsp_resp_len > 0)
+                        s->internal->tlsext_status_expected = 1;
+        }
        return s->internal->tlsext_status_expected;
 }
 int
 tlsext_ocsp_server_build(SSL *s, CBB *cbb)
 {
+        CBB ocsp_response;
+        if (s->version >= TLS1_3_VERSION) {
+                if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
+                        return 0;
+                if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response))
+                        return 0;
+                if (!CBB_add_bytes(&ocsp_response,
+                    s->internal->tlsext_ocsp_resp,
+                    s->internal->tlsext_ocsp_resp_len))
+                        return 0;
+                if (!CBB_flush(cbb))
+                        return 0;
+        }
        return 1;
 }

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index 814eb7c5cf..1ec8ac00ef 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_tlsext.c,v 1.68 2020/05/13 17:55:34 jsing Exp $ */	1	/* $OpenBSD: ssl_tlsext.c,v 1.69 2020/05/19 01:30:34 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>	4	* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -909,12 +909,34 @@ tlsext_ocsp_server_parse(SSL s, CBS cbs, int *alert)
909	int	909	int
910	tlsext_ocsp_server_needs(SSL *s)	910	tlsext_ocsp_server_needs(SSL *s)
911	{	911	{
		912	if (s->version >= TLS1_3_VERSION &&
		913	s->ctx->internal->tlsext_status_cb != NULL) {
		914	s->internal->tlsext_status_expected = 0;
		915	if (s->ctx->internal->tlsext_status_cb(s,
		916	s->ctx->internal->tlsext_status_arg) == SSL_TLSEXT_ERR_OK &&
		917	s->internal->tlsext_ocsp_resp_len > 0)
		918	s->internal->tlsext_status_expected = 1;
		919	}
912	return s->internal->tlsext_status_expected;	920	return s->internal->tlsext_status_expected;
913	}	921	}
914		922
915	int	923	int
916	tlsext_ocsp_server_build(SSL s, CBB cbb)	924	tlsext_ocsp_server_build(SSL s, CBB cbb)
917	{	925	{
		926	CBB ocsp_response;
		927
		928	if (s->version >= TLS1_3_VERSION) {
		929	if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
		930	return 0;
		931	if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response))
		932	return 0;
		933	if (!CBB_add_bytes(&ocsp_response,
		934	s->internal->tlsext_ocsp_resp,
		935	s->internal->tlsext_ocsp_resp_len))
		936	return 0;
		937	if (!CBB_flush(cbb))
		938	return 0;
		939	}
918	return 1;	940	return 1;
919	}	941	}
920		942