From 0286c965db48149ae18c03e50dcc7965dfa5887e Mon Sep 17 00:00:00 2001
From: beck <>
Date: Tue, 19 May 2020 01:30:34 +0000
Subject: Add support for TLS 1.3 server to send certificate status messages
 with oscp staples.

ok jsing@ tb@
---
 src/lib/libssl/ssl_tlsext.c | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

(limited to 'src/lib/libssl/ssl_tlsext.c')

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 814eb7c5cf..1ec8ac00ef 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.68 2020/05/13 17:55:34 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.69 2020/05/19 01:30:34 beck Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -909,12 +909,34 @@ tlsext_ocsp_server_parse(SSL *s, CBS *cbs, int *alert)
 int
 tlsext_ocsp_server_needs(SSL *s)
 {
+	if (s->version >= TLS1_3_VERSION &&
+	    s->ctx->internal->tlsext_status_cb != NULL) {
+		s->internal->tlsext_status_expected = 0;
+		if (s->ctx->internal->tlsext_status_cb(s,
+		    s->ctx->internal->tlsext_status_arg) == SSL_TLSEXT_ERR_OK &&
+		    s->internal->tlsext_ocsp_resp_len > 0)
+			s->internal->tlsext_status_expected = 1;
+	}
 	return s->internal->tlsext_status_expected;
 }
 
 int
 tlsext_ocsp_server_build(SSL *s, CBB *cbb)
 {
+	CBB ocsp_response;
+
+	if (s->version >= TLS1_3_VERSION) {
+		if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
+			return 0;
+		if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response))
+			return 0;
+		if (!CBB_add_bytes(&ocsp_response,
+		    s->internal->tlsext_ocsp_resp,
+		    s->internal->tlsext_ocsp_resp_len))
+			return 0;
+		if (!CBB_flush(cbb))
+			return 0;
+	}
 	return 1;
 }
 
-- 
cgit v1.2.3-55-g6feb