authorbeck <>2017-01-29 17:52:11 +0000
committerbeck <>2017-01-29 17:52:11 +0000
commita2ee48f27a063262b94d5f6eb321659dc22d4146 (patch)
tree87cead16195a1077918bc769c77b847b69cfdf34 /src/lib/libtls/tls_ocsp.c
parent957b11334a7afb14537322f0e4795b2e368b3f59 (diff)
Move the ocsp staple to being part of the keypair structure internally,
so that it does not send back bogus staples when SNI is in use. (Further change is required to be able to use staples on all keypairs and not just the main one) ok jsing@
Diffstat (limited to '')
-rw-r--r--src/lib/libtls/tls_ocsp.c14
1 files changed, 8 insertions, 6 deletions
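--- a/src/lib/libtls/tls_ocsp.c
+++ b/src/lib/libtls/tls_ocsp.c
@@ -332,17 +332,19 @@ tls_ocsp_stapling_cb(SSL *ssl, void *arg)
 if ((ctx = SSL_get_app_data(ssl)) == NULL)
 goto err;
 
-if (ctx->config->ocsp_staple == NULL ||
-ctx->config->ocsp_staple_len == 0)
+if (ctx->config->keypair == NULL ||
+ctx->config->keypair->ocsp_staple == NULL ||
+ctx->config->keypair->ocsp_staple_len == 0)
 return SSL_TLSEXT_ERR_NOACK;
 
-if ((ocsp_staple = malloc(ctx->config->ocsp_staple_len)) == NULL)
+if ((ocsp_staple = malloc(ctx->config->keypair->ocsp_staple_len)) ==
+NULL)
 goto err;
 
-memcpy(ocsp_staple, ctx->config->ocsp_staple,
-ctx->config->ocsp_staple_len);
+memcpy(ocsp_staple, ctx->config->keypair->ocsp_staple,
+ctx->config->keypair->ocsp_staple_len);
 if (SSL_set_tlsext_status_ocsp_resp(ctx->ssl_conn, ocsp_staple,
-ctx->config->ocsp_staple_len) != 1)
+ctx->config->keypair->ocsp_staple_len) != 1)
 goto err;
 
 ret = SSL_TLSEXT_ERR_OK;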
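Review bot: The new guard and copy still read `ctx->config->keypair`, the head of the keypair list, rather than the keypair that was actually selected for this connection, so a configuration with a staple on the main keypair and an SNI match on a different keypair would presumably still staple the main keypair's response to the other certificate, which is the mismatch the commit message sets out to stop. The description acknowledges that a further change is needed, but the code itself says nothing, and a later reader of tls_ocsp_stapling_cb will not know the callback is intentionally only correct for the single-keypair case; a comment above the new `if` such as `/* XXX only the first keypair's staple is served; the keypair chosen by SNI is not consulted yet */` would record that. Whether libssl even invokes this callback after a servername switch cannot be judged from the hunk and should be confirmed. tls_ocsp_stapling_cb begins before and ends after this hunk, including the `err:` path that is expected to release `ocsp_staple`.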