From a2ee48f27a063262b94d5f6eb321659dc22d4146 Mon Sep 17 00:00:00 2001
From: beck <>
Date: Sun, 29 Jan 2017 17:52:11 +0000
Subject: Move the ocsp staple to being part of the keypair structure internally, so that it does not send back bogus staples when SNI is in use. (Further change is required to be able to use staples on all keypairs and not just the main one) ok jsing@
---
 src/lib/libtls/tls_config.c | 26 +++++++++++++++++++++-----
 src/lib/libtls/tls_internal.h | 6 +++---
 src/lib/libtls/tls_ocsp.c | 14 ++++++++------
 3 files changed, 32 insertions(+), 14 deletions(-)
(limited to 'src')
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 8fa810461c..83c649fd51 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.34 2017/01/24 01:48:05 claudio Exp $ */
+/* $OpenBSD: tls_config.c,v 1.35 2017/01/29 17:52:11 beck Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -101,6 +101,22 @@ tls_keypair_set_key_mem(struct tls_keypair *keypair, const uint8_t *key,
 	return set_mem(&keypair->key_mem, &keypair->key_len, key, len);
 }
 
+static int
+tls_keypair_set_ocsp_staple_file(struct tls_keypair *keypair,
+    struct tls_error *error, const char *ocsp_file)
+{
+	return tls_config_load_file(error, "ocsp", ocsp_file,
+	    &keypair->ocsp_staple, &keypair->ocsp_staple_len);
+}
+
+static int
+tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,
+    const uint8_t *staple, size_t len)
+{
+	return set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len, staple,
+	    len);
+}
+
 static void
 tls_keypair_clear(struct tls_keypair *keypair)
 {
@@ -118,6 +134,7 @@ tls_keypair_free(struct tls_keypair *keypair)
 
 	free(keypair->cert_mem);
 	free(keypair->key_mem);
+	free(keypair->ocsp_staple);
 	free(keypair);
 }
 
@@ -241,7 +258,6 @@ tls_config_free(struct tls_config *config)
 	free((char *)config->ca_mem);
 	free((char *)config->ca_path);
 	free((char *)config->ciphers);
-	free(config->ocsp_staple);
 
 	free(config);
 }
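Review bot: tls_keypair_clear, whose opening lines are the trailing context of the +101 hunk, is not taught about the new ocsp_staple member, so a keypair whose certificate is replaced through that path would keep the staple loaded for the previous certificate (its body is outside the hunk; no hunk in this commit touches it). Because the tls_ocsp.c callback copies whatever keypair->ocsp_staple holds into the handshake, a stale staple would then be served for a certificate it does not cover, which is the kind of mismatch the commit sets out to remove. If set_mem accepts a NULL source with length 0, the fix is one line in tls_keypair_clear, `tls_keypair_set_ocsp_staple_mem(keypair, NULL, 0);`, alongside whatever resets cert_mem and key_mem there. The label passed to tls_config_load_file also changed from "OCSP" to "ocsp"; if that string is echoed in the reported error, the wording callers see changes, so confirm it matches the other tls_config_load_file callers.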
@@ -664,14 +680,14 @@ tls_config_verify_client_optional(struct tls_config *config)
 int
 tls_config_set_ocsp_staple_file(struct tls_config *config, const char *staple_file)
 {
-	return tls_config_load_file(&config->error, "OCSP", staple_file,
-	    &config->ocsp_staple, &config->ocsp_staple_len);
+	return tls_keypair_set_ocsp_staple_file(config->keypair, &config->error,
+	    staple_file);
 }
 
 int
 tls_config_set_ocsp_staple_mem(struct tls_config *config, char *staple, size_t len)
 {
-	return set_mem(&config->ocsp_staple, &config->ocsp_staple_len, staple, len);
+	return tls_keypair_set_ocsp_staple_mem(config->keypair, staple, len);
 }
 
 int
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index 37737c3499..fbb139c84a 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.52 2017/01/26 12:56:37 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.53 2017/01/29 17:52:11 beck Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas
  * Copyright (c) 2014 Joel Sing
@@ -51,6 +51,8 @@ struct tls_keypair {
 	size_t cert_len;
 	char *key_mem;
 	size_t key_len;
+	char *ocsp_staple;
+	size_t ocsp_staple_len;
 };
 
 #define TLS_MIN_SESSION_TIMEOUT (4)
@@ -83,8 +85,6 @@ struct tls_config {
 	int ecdhecurve;
 	struct tls_keypair *keypair;
 	int ocsp_require_stapling;
-	char *ocsp_staple;
-	size_t ocsp_staple_len;
 	uint32_t protocols;
 	unsigned char session_id[TLS_MAX_SESSION_ID_LENGTH];
 	int session_lifetime;
diff --git a/src/lib/libtls/tls_ocsp.c b/src/lib/libtls/tls_ocsp.c
index 791bee0e17..a7aca37a7d 100644
--- a/src/lib/libtls/tls_ocsp.c
+++ b/src/lib/libtls/tls_ocsp.c
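Review bot: tls_config_set_ocsp_staple_mem now hands its `char *staple` to tls_keypair_set_ocsp_staple_mem, whose parameter is `const uint8_t *` in the +101 hunk, whereas the removed line passed it straight to set_mem; char and unsigned char pointers are not compatible types, so -Wpointer-sign (implied by -Wall on gcc, on by default in clang) will flag this call. The public prototype cannot change, so either cast at the call site, `return tls_keypair_set_ocsp_staple_mem(config->keypair, (const uint8_t *)staple, len);`, or give the new helper a `const void *` parameter as set_mem presumably has, since it already accepts both the char and uint8_t buffers. Both wrappers also dereference config->keypair without the NULL check the tls_ocsp.c hunk adds before reading the same pointer; if tls_config_new can leave keypair NULL this is a crash path for a caller that sets the staple early, and if it cannot, the check in the callback is the redundant one — either way the two sites should agree.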
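Review bot: The two members added to struct tls_keypair in the +51 hunk carry no comment, and nothing in the header says who owns the buffer or which keypair the stapling callback reads it from; the tls_ocsp.c hunk shows that only config->keypair is consulted. Suggest `char *ocsp_staple;	/* response stapled for this cert; owned here, freed in tls_keypair_free */` and `size_t ocsp_staple_len;	/* 0 means no staple; the status callback answers NOACK */` so the per-keypair scope and the ownership are visible where the fields are declared rather than only in tls_config.c.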
@@ -332,17 +332,19 @@ tls_ocsp_stapling_cb(SSL *ssl, void *arg)
 	if ((ctx = SSL_get_app_data(ssl)) == NULL)
 		goto err;
 
-	if (ctx->config->ocsp_staple == NULL ||
-	    ctx->config->ocsp_staple_len == 0)
+	if (ctx->config->keypair == NULL ||
+	    ctx->config->keypair->ocsp_staple == NULL ||
+	    ctx->config->keypair->ocsp_staple_len == 0)
 		return SSL_TLSEXT_ERR_NOACK;
 
-	if ((ocsp_staple = malloc(ctx->config->ocsp_staple_len)) == NULL)
+	if ((ocsp_staple = malloc(ctx->config->keypair->ocsp_staple_len)) ==
+	    NULL)
 		goto err;
-	memcpy(ocsp_staple, ctx->config->ocsp_staple,
-	    ctx->config->ocsp_staple_len);
+	memcpy(ocsp_staple, ctx->config->keypair->ocsp_staple,
+	    ctx->config->keypair->ocsp_staple_len);
 
 	if (SSL_set_tlsext_status_ocsp_resp(ctx->ssl_conn, ocsp_staple,
-	    ctx->config->ocsp_staple_len) != 1)
+	    ctx->config->keypair->ocsp_staple_len) != 1)
 		goto err;
 
 	ret = SSL_TLSEXT_ERR_OK;
-- cgit v1.2.3-55-g6feb
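Review bot: The callback still takes the staple from ctx->config->keypair, the main keypair, regardless of which certificate the handshake selected; when SNI picks another keypair and the main one has a staple, the client appears to still be handed a response for a different certificate, so the subject's promise only holds when the main keypair has no staple and the new NULL/0 test answers NOACK. tls_ocsp_stapling_cb starts and ends outside the hunk, so I cannot see whether a selected-keypair pointer is available to it yet. Until the follow-up the description mentions lands, mark the limitation at the test, `/* XXX only the main keypair's staple is known here; an SNI-selected keypair needs its own lookup */`, so nobody reads the keypair check as per-connection selection.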