authorbeck <>2020-05-22 02:37:27 +0000
committerbeck <>2020-05-22 02:37:27 +0000
commitcfa7c7d8ea22f50276f89f901780ab7885f495a4 (patch)
treeb00c1435c9fdf8150e39580ad61b4a3ad4eca9ba /src/lib/libssl/tls13_lib.c
parent919686e3aeba6fcad99207e3e25b401b339f721c (diff)
Ensure we only attach an ocsp staple to a leaf certificate, because
for the moment that is all we support. Fixes an issue where gnuTLS cares that mismatching staples come back on the certs in the chain. This should be fixed correctly later by associating the staple to the individual certs rather than the ssl, so this is temporary. running on www@. ok tb@, "got that's oopy but an interim ok" jsing@
Diffstat (limited to 'src/lib/libssl/tls13_lib.c')
-rw-r--r--src/lib/libssl/tls13_lib.c12
1 files changed, 9 insertions, 3 deletions
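--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_lib.c,v 1.49 2020/05/21 19:43:40 tb Exp $ */
+/* $OpenBSD: tls13_lib.c,v 1.50 2020/05/22 02:37:27 beck Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -430,8 +430,14 @@ tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert,
 return 0;
 if (i2d_X509(cert, &data) != cert_len)
 return 0;
-if (!build_extensions(ctx->ssl, cbb, SSL_TLSEXT_MSG_CT))
-return 0;
+if (build_extensions != NULL) {
+if (!build_extensions(ctx->ssl, cbb, SSL_TLSEXT_MSG_CT))
+return 0;
+} else {
+CBB cert_exts;
+if (!CBB_add_u16_length_prefixed(cbb, &cert_exts))
+return 0;
+}
 if (!CBB_flush(cbb))
 return 0;
 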
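Review bot: In the new else branch, `cert_exts` is a block-scoped local that `CBB_add_u16_length_prefixed()` registers as the active child of `cbb`, and its lifetime ends at the closing brace before `CBB_flush(cbb)` on the following line walks that child to finalize the length prefix — reading a local after its scope has ended is undefined behaviour even when the stack slot happens to survive. Hoist the declaration to the function's declaration block (outside this hunk, which starts mid-way through tls13_cert_add), or flush before leaving the block: `if (!CBB_add_u16_length_prefixed(cbb, &cert_exts) || !CBB_flush(cbb)) return 0;`. The leaf-versus-chain decision the commit message describes is not visible here and presumably lives in the caller that now passes NULL for `build_extensions`, so a short comment on the else branch, `/* No per-cert extensions (non-leaf): emit an empty extensions block. */`, would make the NULL contract explicit for the next reader.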