1 files changed, 12 insertions, 4 deletions
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 79318d9313..aab83dcc69 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.54 2020/04/28 20:37:22 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.55 2020/05/09 15:05:50 beck Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -550,13 +550,13 @@ tls13_server_certificate_request_recv(struct tls13_ctx *ctx, CBS *cbs)
 int
 tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
 {
-        CBS cert_request_context, cert_list, cert_data, cert_exts;
+        CBS cert_request_context, cert_list, cert_data;
        struct stack_st_X509 *certs = NULL;
        SSL *s = ctx->ssl;
        X509 *cert = NULL;
        EVP_PKEY *pkey;
        const uint8_t *p;
-        int cert_idx;
+        int cert_idx, alert_desc;
        int ret = 0;
        if ((certs = sk_X509_new_null()) == NULL)
@@ -572,8 +572,12 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
        while (CBS_len(&cert_list) > 0) {
                if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data))
                        goto err;
-                if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts))
+                if (!tlsext_client_parse(ctx->ssl, &cert_list, &alert_desc,
+                    SSL_TLSEXT_MSG_CT)) {
+                        ctx->alert = alert_desc;
                        goto err;
+                }
                p = CBS_data(&cert_data);
                if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL)
@@ -628,6 +632,10 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
        s->session->peer = cert;
        s->session->verify_result = s->verify_result;
+        if (ctx->ocsp_status_recv_cb != NULL &&
+            !ctx->ocsp_status_recv_cb(ctx))
+                goto err;
        ret = 1;
 err:

diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index 79318d9313..aab83dcc69 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_client.c,v 1.54 2020/04/28 20:37:22 jsing Exp $ */	1	/* $OpenBSD: tls13_client.c,v 1.55 2020/05/09 15:05:50 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -550,13 +550,13 @@ tls13_server_certificate_request_recv(struct tls13_ctx ctx, CBS cbs)
550	int	550	int
551	tls13_server_certificate_recv(struct tls13_ctx ctx, CBS cbs)	551	tls13_server_certificate_recv(struct tls13_ctx ctx, CBS cbs)
552	{	552	{
553	CBS cert_request_context, cert_list, cert_data, cert_exts;	553	CBS cert_request_context, cert_list, cert_data;
554	struct stack_st_X509 *certs = NULL;	554	struct stack_st_X509 *certs = NULL;
555	SSL *s = ctx->ssl;	555	SSL *s = ctx->ssl;
556	X509 *cert = NULL;	556	X509 *cert = NULL;
557	EVP_PKEY *pkey;	557	EVP_PKEY *pkey;
558	const uint8_t *p;	558	const uint8_t *p;
559	int cert_idx;	559	int cert_idx, alert_desc;
560	int ret = 0;	560	int ret = 0;
561		561
562	if ((certs = sk_X509_new_null()) == NULL)	562	if ((certs = sk_X509_new_null()) == NULL)
@@ -572,8 +572,12 @@ tls13_server_certificate_recv(struct tls13_ctx ctx, CBS cbs)
572	while (CBS_len(&cert_list) > 0) {	572	while (CBS_len(&cert_list) > 0) {
573	if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data))	573	if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data))
574	goto err;	574	goto err;
575	if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts))	575
		576	if (!tlsext_client_parse(ctx->ssl, &cert_list, &alert_desc,
		577	SSL_TLSEXT_MSG_CT)) {
		578	ctx->alert = alert_desc;
576	goto err;	579	goto err;
		580	}
577		581
578	p = CBS_data(&cert_data);	582	p = CBS_data(&cert_data);
579	if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL)	583	if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL)
@@ -628,6 +632,10 @@ tls13_server_certificate_recv(struct tls13_ctx ctx, CBS cbs)
628	s->session->peer = cert;	632	s->session->peer = cert;
629	s->session->verify_result = s->verify_result;	633	s->session->verify_result = s->verify_result;
630		634
		635	if (ctx->ocsp_status_recv_cb != NULL &&
		636	!ctx->ocsp_status_recv_cb(ctx))
		637	goto err;
		638
631	ret = 1;	639	ret = 1;
632		640
633	err:	641	err: