diff options
Diffstat (limited to 'src/lib/libssl/ssl_tlsext.c')
| -rw-r--r-- | src/lib/libssl/ssl_tlsext.c | 49 |
1 files changed, 43 insertions, 6 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index a0e2f7320b..302211c5e7 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_tlsext.c,v 1.63 2020/04/21 17:06:16 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_tlsext.c,v 1.63.4.1 2020/08/10 18:59:47 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> | 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> |
| @@ -896,12 +896,49 @@ tlsext_ocsp_server_build(SSL *s, CBB *cbb) | |||
| 896 | int | 896 | int |
| 897 | tlsext_ocsp_client_parse(SSL *s, CBS *cbs, int *alert) | 897 | tlsext_ocsp_client_parse(SSL *s, CBS *cbs, int *alert) |
| 898 | { | 898 | { |
| 899 | if (s->tlsext_status_type == -1) { | 899 | CBS response; |
| 900 | *alert = TLS1_AD_UNSUPPORTED_EXTENSION; | 900 | size_t resp_len; |
| 901 | return 0; | 901 | uint16_t version = TLS1_get_client_version(s); |
| 902 | uint8_t status_type; | ||
| 903 | |||
| 904 | if (version >= TLS1_3_VERSION) { | ||
| 905 | /* | ||
| 906 | * RFC 8446, 4.4.2.1 - the server may request an OCSP | ||
| 907 | * response with an empty status_request. | ||
| 908 | */ | ||
| 909 | if (CBS_len(cbs) == 0) | ||
| 910 | return 1; | ||
| 911 | |||
| 912 | if (!CBS_get_u8(cbs, &status_type)) { | ||
| 913 | SSLerror(s, SSL_R_LENGTH_MISMATCH); | ||
| 914 | return 0; | ||
| 915 | } | ||
| 916 | if (status_type != TLSEXT_STATUSTYPE_ocsp) { | ||
| 917 | SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE); | ||
| 918 | return 0; | ||
| 919 | } | ||
| 920 | if (!CBS_get_u24_length_prefixed(cbs, &response)) { | ||
| 921 | SSLerror(s, SSL_R_LENGTH_MISMATCH); | ||
| 922 | return 0; | ||
| 923 | } | ||
| 924 | if (CBS_len(&response) > 65536) { | ||
| 925 | SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); | ||
| 926 | return 0; | ||
| 927 | } | ||
| 928 | if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp, | ||
| 929 | &resp_len)) { | ||
| 930 | *alert = SSL_AD_INTERNAL_ERROR; | ||
| 931 | return 0; | ||
| 932 | } | ||
| 933 | s->internal->tlsext_ocsp_resplen = (int)resp_len; | ||
| 934 | } else { | ||
| 935 | if (s->tlsext_status_type == -1) { | ||
| 936 | *alert = TLS1_AD_UNSUPPORTED_EXTENSION; | ||
| 937 | return 0; | ||
| 938 | } | ||
| 939 | /* Set flag to expect CertificateStatus message */ | ||
| 940 | s->internal->tlsext_status_expected = 1; | ||
| 902 | } | 941 | } |
| 903 | /* Set flag to expect CertificateStatus message */ | ||
| 904 | s->internal->tlsext_status_expected = 1; | ||
| 905 | return 1; | 942 | return 1; |
| 906 | } | 943 | } |
| 907 | 944 | ||