author | beck <> | 2017-01-29 17:52:11 +0000 |
---|---|---|
committer | beck <> | 2017-01-29 17:52:11 +0000 |
commit | a2ee48f27a063262b94d5f6eb321659dc22d4146 (patch) | |
tree | 87cead16195a1077918bc769c77b847b69cfdf34 /src/lib/libtls/tls_ocsp.c | |
parent | 957b11334a7afb14537322f0e4795b2e368b3f59 (diff) | |
Move the ocsp staple to being part of the keypair structure internally,
so that it does not send back bogus staples when SNI is in use.
(Further change is required to be able to use staples on all keypairs
and not just the main one)
ok jsing@
Diffstat (limited to '')
-rw-r--r-- | src/lib/libtls/tls_ocsp.c | 14 |
1 files changed, 8 insertions, 6 deletions
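--- a/src/lib/libtls/tls_ocsp.c
+++ b/src/lib/libtls/tls_ocsp.c
@@ -332,17 +332,19 @@ tls_ocsp_stapling_cb(SSL *ssl, void *arg)
 	if ((ctx = SSL_get_app_data(ssl)) == NULL)
 		goto err;
 
-	if (ctx->config->ocsp_staple == NULL ||
-	    ctx->config->ocsp_staple_len == 0)
+	if (ctx->config->keypair == NULL ||
+	    ctx->config->keypair->ocsp_staple == NULL ||
+	    ctx->config->keypair->ocsp_staple_len == 0)
 		return SSL_TLSEXT_ERR_NOACK;
 
-	if ((ocsp_staple = malloc(ctx->config->ocsp_staple_len)) == NULL)
+	if ((ocsp_staple = malloc(ctx->config->keypair->ocsp_staple_len)) ==
+	    NULL)
 		goto err;
 
-	memcpy(ocsp_staple, ctx->config->ocsp_staple,
-	    ctx->config->ocsp_staple_len);
+	memcpy(ocsp_staple, ctx->config->keypair->ocsp_staple,
+	    ctx->config->keypair->ocsp_staple_len);
 	if (SSL_set_tlsext_status_ocsp_resp(ctx->ssl_conn, ocsp_staple,
-	    ctx->config->ocsp_staple_len) != 1)
+	    ctx->config->keypair->ocsp_staple_len) != 1)
 		goto err;
 
 	ret = SSL_TLSEXT_ERR_OK;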
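Review bot: The callback still serves the staple from `ctx->config->keypair` for every connection, which appears to be the head of the keypair list rather than whichever keypair was selected for this `ssl` during SNI, so a client that negotiated a different certificate could still be handed the main keypair's response; the commit message acknowledges the remaining work, but a comment at the new check would keep the next reader from assuming per-keypair staples already work, e.g. `/* XXX only the main keypair's staple is served, even if SNI selected another keypair. */`. Separately, `ctx->config->keypair` is dereferenced five times in the hunk, which is what forces the awkward `==` / `NULL)` wrap at new line 341; assigning it once to a local pointer of the keypair's struct type right after the NULL check would shorten every following line. tls_ocsp_stapling_cb's body starts and ends outside the hunk, so the `err:` label and the handling of `ocsp_staple` on that path are not visible here.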