authorbeck <beck@openbsd.org>2017-01-29 17:52:11 +0000
committerbeck <beck@openbsd.org>2017-01-29 17:52:11 +0000
commit9d51914575e270beb84df6c4c24e0bfae2167912 (patch)
treebc59c0cc21f1216654385b8deb23f530a92068c3
parentSend the function codes from the error functions to the bit bucket, (diff)
Move the OCSP staple into the keypair structure internally,
so that bogus staples are not sent back when SNI is in use. (Further change is required to be able to use staples on all keypairs and not just the main one.) ok jsing@
-rw-r--r--lib/libtls/tls_config.c26
-rw-r--r--lib/libtls/tls_internal.h6
-rw-r--r--lib/libtls/tls_ocsp.c14
3 files changed, 32 insertions, 14 deletions
diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c
index 8fa810461c3..83c649fd510 100644
--- a/lib/libtls/tls_config.c
+++ b/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.34 2017/01/24 01:48:05 claudio Exp $ */
+/* $OpenBSD: tls_config.c,v 1.35 2017/01/29 17:52:11 beck Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -101,6 +101,22 @@ tls_keypair_set_key_mem(struct tls_keypair *keypair, const uint8_t *key,
return set_mem(&keypair->key_mem, &keypair->key_len, key, len);
}
+static int
+tls_keypair_set_ocsp_staple_file(struct tls_keypair *keypair,
+ struct tls_error *error, const char *ocsp_file)
+{
+ return tls_config_load_file(error, "ocsp", ocsp_file,
+ &keypair->ocsp_staple, &keypair->ocsp_staple_len);
+}
+
+static int
+tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,
+ const uint8_t *staple, size_t len)
+{
+ return set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len, staple,
+ len);
+}
+
static void
tls_keypair_clear(struct tls_keypair *keypair)
{
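Review bot: The two new helpers carry no comment on what they own or where the bytes end up, and neither set_mem nor tls_config_load_file is in view, so a reader of this hunk cannot tell whether `staple` is copied or retained; presumably it is copied, like the key/cert variants above, with the keypair's copy released by the new free in tls_keypair_free. Add a one-line header above each, e.g. `/* Copy an OCSP staple into the keypair; the caller keeps its buffer. */` and `/* Read an OCSP staple file into the keypair, reporting failures via error. */`, adjusting the ownership wording if set_mem turns out not to copy. Note also that the load label changed from "OCSP" to "ocsp", which changes whatever error text tls_config_load_file builds from that label. tls_keypair_clear, whose body starts past the hunk, is not touched by this diff, so whether a cleared keypair keeps its staple is not visible here.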
@@ -118,6 +134,7 @@ tls_keypair_free(struct tls_keypair *keypair)
free(keypair->cert_mem);
free(keypair->key_mem);
+ free(keypair->ocsp_staple);
free(keypair);
}
@@ -241,7 +258,6 @@ tls_config_free(struct tls_config *config)
free((char *)config->ca_mem);
free((char *)config->ca_path);
free((char *)config->ciphers);
- free(config->ocsp_staple);
free(config);
}
@@ -664,14 +680,14 @@ tls_config_verify_client_optional(struct tls_config *config)
int
tls_config_set_ocsp_staple_file(struct tls_config *config, const char *staple_file)
{
- return tls_config_load_file(&config->error, "OCSP", staple_file,
- &config->ocsp_staple, &config->ocsp_staple_len);
+ return tls_keypair_set_ocsp_staple_file(config->keypair, &config->error,
+ staple_file);
}
int
tls_config_set_ocsp_staple_mem(struct tls_config *config, char *staple, size_t len)
{
- return set_mem(&config->ocsp_staple, &config->ocsp_staple_len, staple, len);
+ return tls_keypair_set_ocsp_staple_mem(config->keypair, staple, len);
}
int
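Review bot: At `return tls_keypair_set_ocsp_staple_mem(config->keypair, staple, len);` the public function's `char *staple` is handed to a `const uint8_t *` parameter, a pointer-sign mismatch that compilers flag (-Wpointer-sign) and that the old code, which passed staple straight to set_mem, evidently did not have. Either cast at the call site, `tls_keypair_set_ocsp_staple_mem(config->keypair, (const uint8_t *)staple, len)`, or, if the public header can be revised, declare the staple as `const uint8_t *` in line with the key/cert memory setters; the header is not in view, so I cannot confirm their prototypes. Both wrappers also dereference config->keypair unconditionally, while the stapling callback in tls_ocsp.c guards against it being NULL; if tls_config_new always allocates the keypair the callback's check is the redundant one, but the two sites should agree on the invariant.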
diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h
index 37737c3499c..fbb139c84ad 100644
--- a/lib/libtls/tls_internal.h
+++ b/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.52 2017/01/26 12:56:37 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.53 2017/01/29 17:52:11 beck Exp $ */
/*
* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -51,6 +51,8 @@ struct tls_keypair {
size_t cert_len;
char *key_mem;
size_t key_len;
+ char *ocsp_staple;
+ size_t ocsp_staple_len;
};
#define TLS_MIN_SESSION_TIMEOUT (4)
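Review bot: The two new fields have no comment saying what they hold or who frees them, which matters because the struct (whose opening is outside the hunk) now mixes private key material with a non-secret OCSP response. Suggest `char *ocsp_staple;	/* stapled OCSP response, owned by the keypair, freed in tls_keypair_free */` and `size_t ocsp_staple_len;	/* length of ocsp_staple in bytes */`. If tls_keypair_clear is meant to scrub only secret material, a note that the staple deliberately survives a clear would head off a later leak report; that function's body is not visible here.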
@@ -83,8 +85,6 @@ struct tls_config {
int ecdhecurve;
struct tls_keypair *keypair;
int ocsp_require_stapling;
- char *ocsp_staple;
- size_t ocsp_staple_len;
uint32_t protocols;
unsigned char session_id[TLS_MAX_SESSION_ID_LENGTH];
int session_lifetime;
diff --git a/lib/libtls/tls_ocsp.c b/lib/libtls/tls_ocsp.c
index 791bee0e171..a7aca37a7df 100644
--- a/lib/libtls/tls_ocsp.c
+++ b/lib/libtls/tls_ocsp.c
@@ -332,17 +332,19 @@ tls_ocsp_stapling_cb(SSL *ssl, void *arg)
if ((ctx = SSL_get_app_data(ssl)) == NULL)
goto err;
- if (ctx->config->ocsp_staple == NULL ||
- ctx->config->ocsp_staple_len == 0)
+ if (ctx->config->keypair == NULL ||
+ ctx->config->keypair->ocsp_staple == NULL ||
+ ctx->config->keypair->ocsp_staple_len == 0)
return SSL_TLSEXT_ERR_NOACK;
- if ((ocsp_staple = malloc(ctx->config->ocsp_staple_len)) == NULL)
+ if ((ocsp_staple = malloc(ctx->config->keypair->ocsp_staple_len)) ==
+ NULL)
goto err;
- memcpy(ocsp_staple, ctx->config->ocsp_staple,
- ctx->config->ocsp_staple_len);
+ memcpy(ocsp_staple, ctx->config->keypair->ocsp_staple,
+ ctx->config->keypair->ocsp_staple_len);
if (SSL_set_tlsext_status_ocsp_resp(ctx->ssl_conn, ocsp_staple,
- ctx->config->ocsp_staple_len) != 1)
+ ctx->config->keypair->ocsp_staple_len) != 1)
goto err;
ret = SSL_TLSEXT_ERR_OK;
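Review bot: The callback takes the staple from `ctx->config->keypair`, the head of the configured keypair list, not from the keypair actually selected for this connection, so when SNI picks another keypair the main certificate's staple is still what gets sent (or NOACK if the main keypair has none); the commit message acknowledges this as future work, but nothing in the code marks it. Until a per-connection keypair reference exists, put the caveat where the next reader will hit it: `/* XXX always uses the first keypair's staple; SNI-selected keypairs need a per-connection keypair reference. */` above the `if (ctx->config->keypair == NULL ||` test. The err label and the release of ocsp_staple on the failure paths lie past the end of the hunk.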