From e9cd27a8fe1871d70e7986a755c746f3c3bfbca9 Mon Sep 17 00:00:00 2001 From: tb <> Date: Mon, 3 Aug 2020 19:27:57 +0000 Subject: Correctly handle server requests for an OCSP response According to RFC 8446, 4.4.2.1, a server may request that a client present an OCSP response with its certificate by sending an empty status_request extension as part of the certificate request. The current code expects a full CertificateStatus structure, which is only sent if the server sends an OCSP response with its certificate. This causes interoperability issues with Go's TLS server and with newer GnuTLS where we would abort the handshake with a decode_error alert and length mismatch error. Issue reported and diagnosed by Michael Forney Problem also found by Mikolaj Kucharski and inoguchi. ok inoguchi jsing --- src/lib/libssl/ssl_tlsext.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index 019b64f7e5..1dba9849a1 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_tlsext.c,v 1.78 2020/07/03 07:17:26 tb Exp $ */ +/* $OpenBSD: ssl_tlsext.c,v 1.79 2020/08/03 19:27:57 tb Exp $ */ /* * Copyright (c) 2016, 2017, 2019 Joel Sing * Copyright (c) 2017 Doug Hogan @@ -1018,6 +1018,17 @@ tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) uint8_t status_type; if (version >= TLS1_3_VERSION) { + if (msg_type == SSL_TLSEXT_MSG_CR) { + /* + * RFC 8446, 4.4.2.1 - the server may request an OCSP + * response with an empty status_request. + */ + if (CBS_len(cbs) == 0) + return 1; + + SSLerror(s, SSL_R_LENGTH_MISMATCH); + return 0; + } if (!CBS_get_u8(cbs, &status_type)) { SSLerror(s, SSL_R_LENGTH_MISMATCH); return 0; -- cgit v1.2.3-55-g6feb