author | 2017-09-20 17:05:17 +0000 | |
---|---|---|
committer | 2017-09-20 17:05:17 +0000 | |
commit | 9ee433b9e681afff59510d0337182d8c3e149f7f (patch) | |
tree | 7019d929815f03c497f0c5f4f29ab5f0e33a1fd7 /lib/libtls/tls.c | |
parent | Slightly restructure tls_ocsp_verify_cb() to make it more like libtls code. (diff) | |
Keep track of which keypair is in use by a TLS context.
This fixes a bug whereby a TLS server with SNI would always only return
the OCSP staple for the default keypair, rather than returning the OCSP
staple associated with the keypair that was selected via SNI.
Issue reported by William Graeber and confirmed by Andreas Bartelt.
Fix tested by William Graeber and Andreas Bartelt - thanks!
Diffstat (limited to 'lib/libtls/tls.c')
-rw-r--r-- | lib/libtls/tls.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/libtls/tls.c b/lib/libtls/tls.c index d4e8d0114f2..f07c4c6deb0 100644 --- a/lib/libtls/tls.c +++ b/lib/libtls/tls.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls.c,v 1.70 2017/08/28 13:58:02 beck Exp $ */ +/* $OpenBSD: tls.c,v 1.71 2017/09/20 17:05:17 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -235,6 +235,7 @@ tls_new(void) return (NULL); tls_reset(ctx); + if (tls_configure(ctx, tls_config_default) == -1) { free(ctx); return NULL; @@ -252,7 +253,9 @@ tls_configure(struct tls *ctx, struct tls_config *config) config->refcount++; tls_config_free(ctx->config); + ctx->config = config; + ctx->keypair = config->keypair; if ((ctx->flags & TLS_SERVER) != 0) return (tls_configure_server(ctx)); |
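Review bot: The tls_new() hunk (@@ -235,6 +235,7 @@) is a whitespace-only change, a blank line added after `tls_reset(ctx);`, and is unrelated to the keypair tracking described in the commit message. Consider dropping it from this commit or putting it in a separate style commit. The surrounding context also mixes `return (NULL);` with `return NULL;` in the same function, which could be made consistent at the same time.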
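Review bot: In the tls_configure() hunk (@@ -252,7 +253,9 @@), `ctx->keypair = config->keypair;` stores a borrowed pointer into the config and only ever records the config's default keypair. Nothing in this file-limited diff shows where the pointer is switched to the SNI-selected keypair or where it is cleared when `ctx->config` is released. The pointer stays valid here only because of the `config->refcount++` just above, so a short comment at the assignment saying that this is the default, that the SNI path is expected to override it, and that its lifetime is tied to `ctx->config` would make the invariant explicit. It is also worth confirming that every path that frees or replaces `ctx->config` resets `ctx->keypair` too, so the context cannot keep a pointer into a freed config.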