diff options
| author | jsing <> | 2017-09-20 17:05:17 +0000 |
|---|---|---|
| committer | jsing <> | 2017-09-20 17:05:17 +0000 |
| commit | 263609dd4f2b34a02f6d2e943f58b18b8eef887a (patch) | |
| tree | f4080509dd8de2bb329aba671f06b4864aeec78e /src/lib/libtls/tls_ocsp.c | |
| parent | 8a110cc82bb2df37088502de9f15ac4c8fea6467 (diff) | |
| download | openbsd-263609dd4f2b34a02f6d2e943f58b18b8eef887a.tar.gz openbsd-263609dd4f2b34a02f6d2e943f58b18b8eef887a.tar.bz2 openbsd-263609dd4f2b34a02f6d2e943f58b18b8eef887a.zip | |
Keep track of which keypair is in use by a TLS context.
This fixes a bug where by a TLS server with SNI would always only return
the OCSP staple for the default keypair, rather than returning the OCSP
staple associated with the keypair that was selected via SNI.
Issue reported by William Graeber and confirmed by Andreas Bartelt.
Fix tested by William Graeber and Andreas Bartelt - thanks!
Diffstat (limited to 'src/lib/libtls/tls_ocsp.c')
| -rw-r--r-- | src/lib/libtls/tls_ocsp.c | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/src/lib/libtls/tls_ocsp.c b/src/lib/libtls/tls_ocsp.c index 4e2dba3487..a8835edc8f 100644 --- a/src/lib/libtls/tls_ocsp.c +++ b/src/lib/libtls/tls_ocsp.c | |||
| @@ -331,32 +331,32 @@ tls_ocsp_verify_cb(SSL *ssl, void *arg) | |||
| 331 | int | 331 | int |
| 332 | tls_ocsp_stapling_cb(SSL *ssl, void *arg) | 332 | tls_ocsp_stapling_cb(SSL *ssl, void *arg) |
| 333 | { | 333 | { |
| 334 | struct tls *ctx; | ||
| 335 | unsigned char *ocsp_staple = NULL; | ||
| 336 | int ret = SSL_TLSEXT_ERR_ALERT_FATAL; | 334 | int ret = SSL_TLSEXT_ERR_ALERT_FATAL; |
| 335 | unsigned char *ocsp_staple = NULL; | ||
| 336 | struct tls *ctx; | ||
| 337 | 337 | ||
| 338 | if ((ctx = SSL_get_app_data(ssl)) == NULL) | 338 | if ((ctx = SSL_get_app_data(ssl)) == NULL) |
| 339 | goto err; | 339 | goto err; |
| 340 | 340 | ||
| 341 | if (ctx->config->keypair == NULL || | 341 | if (ctx->keypair == NULL || ctx->keypair->ocsp_staple == NULL || |
| 342 | ctx->config->keypair->ocsp_staple == NULL || | 342 | ctx->keypair->ocsp_staple_len == 0) |
| 343 | ctx->config->keypair->ocsp_staple_len == 0) | ||
| 344 | return SSL_TLSEXT_ERR_NOACK; | 343 | return SSL_TLSEXT_ERR_NOACK; |
| 345 | 344 | ||
| 346 | if ((ocsp_staple = malloc(ctx->config->keypair->ocsp_staple_len)) == | 345 | if ((ocsp_staple = malloc(ctx->keypair->ocsp_staple_len)) == NULL) |
| 347 | NULL) | ||
| 348 | goto err; | 346 | goto err; |
| 349 | 347 | ||
| 350 | memcpy(ocsp_staple, ctx->config->keypair->ocsp_staple, | 348 | memcpy(ocsp_staple, ctx->keypair->ocsp_staple, |
| 351 | ctx->config->keypair->ocsp_staple_len); | 349 | ctx->keypair->ocsp_staple_len); |
| 350 | |||
| 352 | if (SSL_set_tlsext_status_ocsp_resp(ctx->ssl_conn, ocsp_staple, | 351 | if (SSL_set_tlsext_status_ocsp_resp(ctx->ssl_conn, ocsp_staple, |
| 353 | ctx->config->keypair->ocsp_staple_len) != 1) | 352 | ctx->keypair->ocsp_staple_len) != 1) |
| 354 | goto err; | 353 | goto err; |
| 355 | 354 | ||
| 356 | ret = SSL_TLSEXT_ERR_OK; | 355 | ret = SSL_TLSEXT_ERR_OK; |
| 357 | err: | 356 | err: |
| 358 | if (ret != SSL_TLSEXT_ERR_OK) | 357 | if (ret != SSL_TLSEXT_ERR_OK) |
| 359 | free(ocsp_staple); | 358 | free(ocsp_staple); |
| 359 | |||
| 360 | return ret; | 360 | return ret; |
| 361 | } | 361 | } |
| 362 | 362 | ||
| @@ -364,7 +364,7 @@ tls_ocsp_stapling_cb(SSL *ssl, void *arg) | |||
| 364 | * Public API | 364 | * Public API |
| 365 | */ | 365 | */ |
| 366 | 366 | ||
| 367 | /* Retrieve OCSP URL from peer certificate, if present */ | 367 | /* Retrieve OCSP URL from peer certificate, if present. */ |
| 368 | const char * | 368 | const char * |
| 369 | tls_peer_ocsp_url(struct tls *ctx) | 369 | tls_peer_ocsp_url(struct tls *ctx) |
| 370 | { | 370 | { |