From 92125584f2fe87023cbfe96bba06358111ed8c13 Mon Sep 17 00:00:00 2001
From: James Chapman <james.chapman@pionix.de>
Date: Fri, 21 Jun 2024 10:29:44 +0100
Subject: [PATCH 1/1] feat: updates to support status_request_v2

Signed-off-by: James Chapman <james.chapman@pionix.de>
---
 include/openssl/ssl.h.in     | 2 ++
 include/openssl/tls1.h       | 7 +++++++
 ssl/s3_lib.c                 | 8 ++++++++
 ssl/statem/extensions_clnt.c | 3 ++-
 ssl/statem/extensions_srvr.c | 4 ++++
 ssl/statem/statem_clnt.c     | 3 ++-
 6 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index 105b4a4a3c..b29f65fbfa 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -1251,6 +1251,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 # define SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS      69
 # define SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP        70
 # define SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP        71
+# define SSL_CTRL_GET_TLSEXT_STATUS_EXPECTED        270
+# define SSL_CTRL_SET_TLSEXT_STATUS_EXPECTED        271
 # ifndef OPENSSL_NO_DEPRECATED_3_0
 #  define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB      72
 # endif
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index d6e9331fa1..f0a8413703 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -160,6 +160,7 @@ extern "C" {
 # define TLSEXT_NAMETYPE_host_name 0
 /* status request value from RFC3546 */
 # define TLSEXT_STATUSTYPE_ocsp 1
+# define TLSEXT_STATUSTYPE_ocsp_multi 2
 
 /* ECPointFormat values from RFC4492 */
 # define TLSEXT_ECPOINTFORMAT_first                      0
@@ -291,6 +292,12 @@ __owur int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain)
 # define SSL_set_tlsext_status_ocsp_resp(ssl, arg, arglen) \
         SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP,arglen,arg)
 
+# define SSL_get_tlsext_status_expected(ssl) \
+        SSL_ctrl(ssl,SSL_CTRL_GET_TLSEXT_STATUS_EXPECTED,0,NULL)
+
+# define SSL_set_tlsext_status_expected(ssl, arg) \
+        SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_EXPECTED,arg,NULL)
+
 # define SSL_CTX_set_tlsext_servername_callback(ctx, cb) \
         SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_CB,\
                 (void (*)(void))cb)
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 78d4f04056..ede3a56f2f 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3556,6 +3556,14 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
         ret = 1;
         break;
 
+    case SSL_CTRL_GET_TLSEXT_STATUS_EXPECTED:
+        return (long)s->ext.status_expected;
+
+    case SSL_CTRL_SET_TLSEXT_STATUS_EXPECTED:
+        s->ext.status_expected = larg;
+        ret = 1;
+        break;
+
     case SSL_CTRL_CHAIN:
         if (larg)
             return ssl_cert_set1_chain(s, NULL, (STACK_OF(X509) *)parg);
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 842be0722b..b9d5493e72 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -8,6 +8,7 @@
  */
 
 #include <openssl/ocsp.h>
+#include <openssl/tls1.h>
 #include "../ssl_local.h"
 #include "internal/cryptlib.h"
 #include "statem_local.h"
@@ -1397,7 +1398,7 @@ int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, unsigned int context,
      * MUST only be sent if we've requested a status
      * request message. In TLS <= 1.2 it must also be empty.
      */
-    if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
+    if ((s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) && (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp_multi)) {
         SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION, SSL_R_BAD_EXTENSION);
         return 0;
     }
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 16765a5a5b..7fb67937bf 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -8,6 +8,7 @@
  */
 
 #include <openssl/ocsp.h>
+#include <openssl/tls1.h>
 #include "../ssl_local.h"
 #include "statem_local.h"
 #include "internal/cryptlib.h"
@@ -1421,6 +1422,9 @@ EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
     if (!s->ext.status_expected)
         return EXT_RETURN_NOT_SENT;
 
+    if (s->ext.status_type == TLSEXT_STATUSTYPE_ocsp_multi)
+        return EXT_RETURN_NOT_SENT;
+
     if (SSL_IS_TLS13(s) && chainidx != 0)
         return EXT_RETURN_NOT_SENT;
 
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 3cd1ee2d3d..29a07bd413 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -9,6 +9,7 @@
  * https://www.openssl.org/source/license.html
  */
 
+#include <openssl/tls1.h>
 #include <stdio.h>
 #include <time.h>
 #include <assert.h>
@@ -2636,7 +2637,7 @@ int tls_process_cert_status_body(SSL *s, PACKET *pkt)
     unsigned int type;
 
     if (!PACKET_get_1(pkt, &type)
-        || type != TLSEXT_STATUSTYPE_ocsp) {
+        || (type != TLSEXT_STATUSTYPE_ocsp) && (type != TLSEXT_STATUSTYPE_ocsp_multi)) {
         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_UNSUPPORTED_STATUS_TYPE);
         return 0;
     }
-- 
2.34.1