author | beck <> | 2020-05-22 02:37:27 +0000 |
---|---|---|
committer | beck <> | 2020-05-22 02:37:27 +0000 |
commit | cfa7c7d8ea22f50276f89f901780ab7885f495a4 (patch) | |
tree | b00c1435c9fdf8150e39580ad61b4a3ad4eca9ba /src | |
parent | 919686e3aeba6fcad99207e3e25b401b339f721c (diff) | |
Ensure we only attach an ocsp staple to a leaf certificate, because
for the moment that is all we support. fixes an issue where gnuTLS
cares that mismatching staples come back on the certs in the chain.
This should be fixed correctly later by associating the staple
to the individual certs rather than the ssl, so this is temporary.
running on www@.
ok tb@, "got that's oopy but an interim ok" jsing@
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/libssl/tls13_lib.c | 12 | ||||
-rw-r--r-- | src/lib/libssl/tls13_server.c | 9 |
2 files changed, 16 insertions, 5 deletions
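--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_lib.c,v 1.49 2020/05/21 19:43:40 tb Exp $ */
+/* $OpenBSD: tls13_lib.c,v 1.50 2020/05/22 02:37:27 beck Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -430,8 +430,14 @@ tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert,
 		return 0;
 	if (i2d_X509(cert, &data) != cert_len)
 		return 0;
-	if (!build_extensions(ctx->ssl, cbb, SSL_TLSEXT_MSG_CT))
-		return 0;
+	if (build_extensions != NULL) {
+		if (!build_extensions(ctx->ssl, cbb, SSL_TLSEXT_MSG_CT))
+			return 0;
+	} else {
+		CBB cert_exts;
+		if (!CBB_add_u16_length_prefixed(cbb, &cert_exts))
+			return 0;
+	}
 	if (!CBB_flush(cbb))
 		return 0;
 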
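Review bot: In the new else branch `cert_exts` is block-scoped, but `CBB_add_u16_length_prefixed` leaves a pointer to that child inside `cbb`, and the child is only flushed by the `CBB_flush(cbb)` that follows the block — as I read the CBB API, that flush dereferences an object whose lifetime has already ended (the stack storage is normally still intact, which is why it works in practice, but it is not something to rely on). The simplest fix is to hoist the declaration next to the function's other CBB declarations, e.g. `CBB cert_exts;` at the top of tls13_cert_add, leaving only the `CBB_add_u16_length_prefixed` call in the else branch; alternatively flush inside the branch before it closes. The start of tls13_cert_add, including its declarations, is outside this hunk, so the exact placement is a guess. A short comment on the else branch would also help a reader who wonders why an empty child is created: `/* No extension builder: emit an empty extensions field, which every TLS 1.3 CertificateEntry must carry. */`.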
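--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.50 2020/05/21 18:34:34 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.51 2020/05/22 02:37:27 beck Exp $ */
 /*
  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -461,7 +461,12 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
 
 	for (i = 0; i < sk_X509_num(chain); i++) {
 		cert = sk_X509_value(chain, i);
-		if (!tls13_cert_add(ctx, &cert_list, cert, tlsext_server_build))
+		/*
+		 * XXX we don't send extensions with chain certs to avoid sending
+		 * a leaf ocsp stape with the chain certs. This needs to get
+		 * fixed
+		 */
+		if (!tls13_cert_add(ctx, &cert_list, cert, NULL))
 			goto err;
 	}
 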
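Review bot: The new comment has a typo (`stape`) and states the workaround without the invariant behind it, which is what the next maintainer needs when the per-cert association mentioned in the commit message lands; I would word it as `/* XXX chain certs get no extensions: the only extension the server builds is the leaf's OCSP staple, and a staple must only be attached to the leaf. */`. Passing NULL here is correct only if the leaf was already added with `tlsext_server_build` before this loop and `chain` holds intermediates only; that code is outside the hunk, so it is worth confirming rather than assumed. The body of tls13_server_certificate_send starts before and ends after this hunk.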