From 262ac3c2783343b86e656bc94f50df32a353cd11 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Mon, 25 Sep 2017 17:51:49 +0000
Subject: When building the OCSP extension, only add the length prefixed extensions after we finish building the responder ID list. Otherwise adding to the responder ID list fails. ok beck@
---
 src/lib/libssl/ssl_tlsext.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
(limited to 'src/lib')
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index abc012d3af..8f6ff6554a 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.15 2017/08/30 16:44:37 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.16 2017/09/25 17:51:49 jsing Exp $ */
 /*
 * Copyright (c) 2016, 2017 Joel Sing
 * Copyright (c) 2017 Doug Hogan
@@ -719,16 +719,14 @@ tlsext_ocsp_clienthello_needs(SSL *s)
 int
 tlsext_ocsp_clienthello_build(SSL *s, CBB *cbb)
 {
- CBB ocsp_respid_list, respid, exts;
+ CBB respid_list, respid, exts;
 unsigned char *ext_data;
 size_t ext_len;
 int i;
 if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp))
 return 0;
- if (!CBB_add_u16_length_prefixed(cbb, &ocsp_respid_list))
- return 0;
- if (!CBB_add_u16_length_prefixed(cbb, &exts))
+ if (!CBB_add_u16_length_prefixed(cbb, &respid_list))
 return 0;
 for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) {
 unsigned char *respid_data;
@@ -740,13 +738,15 @@ tlsext_ocsp_clienthello_build(SSL *s, CBB *cbb)
 return 0;
 if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1)
 return 0;
- if (!CBB_add_u16_length_prefixed(&ocsp_respid_list, &respid))
+ if (!CBB_add_u16_length_prefixed(&respid_list, &respid))
 return 0;
 if (!CBB_add_space(&respid, &respid_data, id_len))
 return 0;
 if ((i2d_OCSP_RESPID(id, &respid_data)) != id_len)
 return 0;
 }
+ if (!CBB_add_u16_length_prefixed(cbb, &exts))
+ return 0;
 if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, NULL)) == -1)
 return 0;
--
cgit v1.2.3-55-g6feb
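Review bot: `size_t ext_len` in the declarations of tlsext_ocsp_clienthello_build receives the int result of `i2d_X509_EXTENSIONS(..., NULL)` in the last hunk and is then compared with `-1`, which only catches an error return of exactly -1; any other negative value would be carried forward as a very large length. Keeping the result in an int and rejecting every negative value before it is used as a size is sturdier, e.g. `int len;` with `if ((len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, NULL)) < 0) return 0;` followed by `ext_len = len;`. `id_len` in the responder ID loop is checked the same way, though its declaration lies between the hunks and is not shown. The function body continues past the last hunk, so the later uses of `ext_len` are not visible here.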
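Review bot: The relocated `CBB_add_u16_length_prefixed(cbb, &exts)` call after the responder ID loop has no comment saying why it must come after the loop, and the ordering it replaces looked just as natural. A one-line comment above it, such as `/* Open exts only once respid_list is complete; adding to respid_list fails after another child is opened on cbb. */`, would keep a later cleanup from hoisting it back up. A regression test that builds this extension with at least one responder ID configured would catch the same mistake; none is visible in this view, which is limited to src/lib.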