Move the ocsp staple to being part of the keypair structure internally,

so that it does not send back bogus staples when SNI is in use. (Further change is required to be able to use staples on all keypairs and not just the main one) ok jsing@
author: beck <> 2017-01-29 17:52:11 +0000
committer: beck <> 2017-01-29 17:52:11 +0000
commit: a2ee48f27a063262b94d5f6eb321659dc22d4146 (patch)
tree: 87cead16195a1077918bc769c77b847b69cfdf34 /src/lib
parent: 957b11334a7afb14537322f0e4795b2e368b3f59 (diff)
download: openbsd-a2ee48f27a063262b94d5f6eb321659dc22d4146.tar.gz
openbsd-a2ee48f27a063262b94d5f6eb321659dc22d4146.tar.bz2
openbsd-a2ee48f27a063262b94d5f6eb321659dc22d4146.zip
3 files changed, 32 insertions, 14 deletions
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 8fa810461c..83c649fd51 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.34 2017/01/24 01:48:05 claudio Exp $ */
+/* $OpenBSD: tls_config.c,v 1.35 2017/01/29 17:52:11 beck Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -101,6 +101,22 @@ tls_keypair_set_key_mem(struct tls_keypair *keypair, const uint8_t *key,
        return set_mem(&keypair->key_mem, &keypair->key_len, key, len);
 }
+static int
+tls_keypair_set_ocsp_staple_file(struct tls_keypair *keypair,
+    struct tls_error *error, const char *ocsp_file)
+{
+        return tls_config_load_file(error, "ocsp", ocsp_file,
+            &keypair->ocsp_staple, &keypair->ocsp_staple_len);
+}
+static int
+tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,
+    const uint8_t *staple, size_t len)
+{
+        return set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len, staple,
+            len);
+}
 static void
 tls_keypair_clear(struct tls_keypair *keypair)
 {
@@ -118,6 +134,7 @@ tls_keypair_free(struct tls_keypair *keypair)
        free(keypair->cert_mem);
        free(keypair->key_mem);
+        free(keypair->ocsp_staple);
        free(keypair);
 }
@@ -241,7 +258,6 @@ tls_config_free(struct tls_config *config)
        free((char *)config->ca_mem);
        free((char *)config->ca_path);
        free((char *)config->ciphers);
-        free(config->ocsp_staple);
        free(config);
 }
@@ -664,14 +680,14 @@ tls_config_verify_client_optional(struct tls_config *config)
 int
 tls_config_set_ocsp_staple_file(struct tls_config *config, const char *staple_file)
 {
-        return tls_config_load_file(&config->error, "OCSP", staple_file,
+        return tls_keypair_set_ocsp_staple_file(config->keypair, &config->error,
-            &config->ocsp_staple, &config->ocsp_staple_len);
+            staple_file);
 }
 int
 tls_config_set_ocsp_staple_mem(struct tls_config *config, char *staple, size_t len)
 {
-        return set_mem(&config->ocsp_staple, &config->ocsp_staple_len, staple, len);
+        return tls_keypair_set_ocsp_staple_mem(config->keypair, staple, len);
 }
 int
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index 37737c3499..fbb139c84a 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.52 2017/01/26 12:56:37 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.53 2017/01/29 17:52:11 beck Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -51,6 +51,8 @@ struct tls_keypair {
        size_t cert_len;
        char *key_mem;
        size_t key_len;
+        char *ocsp_staple;
+        size_t ocsp_staple_len;
 };
 #define TLS_MIN_SESSION_TIMEOUT (4)
@@ -83,8 +85,6 @@ struct tls_config {
        int ecdhecurve;
        struct tls_keypair *keypair;
        int ocsp_require_stapling;
-        char *ocsp_staple;
-        size_t ocsp_staple_len;
        uint32_t protocols;
        unsigned char session_id[TLS_MAX_SESSION_ID_LENGTH];
        int session_lifetime;
diff --git a/src/lib/libtls/tls_ocsp.c b/src/lib/libtls/tls_ocsp.c
index 791bee0e17..a7aca37a7d 100644
--- a/src/lib/libtls/tls_ocsp.c
+++ b/src/lib/libtls/tls_ocsp.c
@@ -332,17 +332,19 @@ tls_ocsp_stapling_cb(SSL *ssl, void *arg)
        if ((ctx = SSL_get_app_data(ssl)) == NULL)
                goto err;
-        if (ctx->config->ocsp_staple == NULL ||
+        if (ctx->config->keypair == NULL ||
-            ctx->config->ocsp_staple_len == 0)
+            ctx->config->keypair->ocsp_staple == NULL ||
+            ctx->config->keypair->ocsp_staple_len == 0)
                return SSL_TLSEXT_ERR_NOACK;
-        if ((ocsp_staple = malloc(ctx->config->ocsp_staple_len)) == NULL)
+        if ((ocsp_staple = malloc(ctx->config->keypair->ocsp_staple_len)) ==
+            NULL)
                goto err;
-        memcpy(ocsp_staple, ctx->config->ocsp_staple,
+        memcpy(ocsp_staple, ctx->config->keypair->ocsp_staple,
-            ctx->config->ocsp_staple_len);
+            ctx->config->keypair->ocsp_staple_len);
        if (SSL_set_tlsext_status_ocsp_resp(ctx->ssl_conn, ocsp_staple,
-                ctx->config->ocsp_staple_len) != 1)
+                ctx->config->keypair->ocsp_staple_len) != 1)
                goto err;
        ret = SSL_TLSEXT_ERR_OK;
author	beck <>	2017-01-29 17:52:11 +0000
committer	beck <>	2017-01-29 17:52:11 +0000
commit	a2ee48f27a063262b94d5f6eb321659dc22d4146 (patch)
tree	87cead16195a1077918bc769c77b847b69cfdf34 /src/lib
parent	957b11334a7afb14537322f0e4795b2e368b3f59 (diff)
download	openbsd-a2ee48f27a063262b94d5f6eb321659dc22d4146.tar.gz openbsd-a2ee48f27a063262b94d5f6eb321659dc22d4146.tar.bz2 openbsd-a2ee48f27a063262b94d5f6eb321659dc22d4146.zip