From b93f3e3ae34136250d6b92c4f5ec53c979356419 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Mon, 3 Aug 2020 19:43:16 +0000
Subject: Ensure clients only send a status_request in the CH

The current code might cause a client to send a status_request containing a CertificateStatusRequest with its certificate. This makes no sense.

Pointed out by Michael Forney

ok inoguchi jsing
---
 src/lib/libssl/ssl_tlsext.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

(limited to 'src')

diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 1dba9849a1..920d026fff 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.79 2020/08/03 19:27:57 tb Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.80 2020/08/03 19:43:16 tb Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing
  * Copyright (c) 2017 Doug Hogan
@@ -853,8 +853,12 @@ tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 int
 tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type)
 {
- return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp &&
- s->version != DTLS1_VERSION);
+ if (SSL_IS_DTLS(s)) return 0;
+ if (msg_type != SSL_TLSEXT_MSG_CH) return 0;
+
+ return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp);
 }
 
 int
-- 
cgit v1.2.3-55-g6feb
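Review bot: The new `msg_type` guard in tlsext_ocsp_client_needs carries no comment saying why the request form of the extension is confined to the ClientHello, so the next reader has to dig the reason out of the commit message; add `/* A CertificateStatusRequest only belongs in the ClientHello; never attach one to the client Certificate message. */` above `if (msg_type != SSL_TLSEXT_MSG_CH)`. The DTLS check also changed from `s->version != DTLS1_VERSION` to `SSL_IS_DTLS(s)`, which presumably now excludes every DTLS version rather than DTLS 1.0 alone; the commit message does not mention this, so it is worth confirming it is intended and recording it. The server-side parser for this extension is outside the hunk; check that it applies the same message-type restriction when accepting the extension, so that a peer cannot slip the request form into a message where it is not expected.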