authorjsing <jsing@openbsd.org>2017-09-20 17:05:17 +0000
committerjsing <jsing@openbsd.org>2017-09-20 17:05:17 +0000
commit9ee433b9e681afff59510d0337182d8c3e149f7f (patch)
tree7019d929815f03c497f0c5f4f29ab5f0e33a1fd7 /lib/libtls/tls_ocsp.c
parentSlightly restructure tls_ocsp_verify_cb() to make it more like libtls code. (diff)
Keep track of which keypair is in use by a TLS context.
This fixes a bug whereby a TLS server with SNI would always only return the OCSP staple for the default keypair, rather than returning the OCSP staple associated with the keypair that was selected via SNI. Issue reported by William Graeber and confirmed by Andreas Bartelt. Fix tested by William Graeber and Andreas Bartelt - thanks!
Diffstat (limited to 'lib/libtls/tls_ocsp.c')
-rw-r--r--lib/libtls/tls_ocsp.c22
1 files changed, 11 insertions, 11 deletions
diff --git a/lib/libtls/tls_ocsp.c b/lib/libtls/tls_ocsp.c
index 4e2dba34870..a8835edc8ff 100644
--- a/lib/libtls/tls_ocsp.c
+++ b/lib/libtls/tls_ocsp.c
@@ -331,32 +331,32 @@ tls_ocsp_verify_cb(SSL *ssl, void *arg)
int
tls_ocsp_stapling_cb(SSL *ssl, void *arg)
{
- struct tls *ctx;
- unsigned char *ocsp_staple = NULL;
int ret = SSL_TLSEXT_ERR_ALERT_FATAL;
+ unsigned char *ocsp_staple = NULL;
+ struct tls *ctx;
if ((ctx = SSL_get_app_data(ssl)) == NULL)
goto err;
- if (ctx->config->keypair == NULL ||
- ctx->config->keypair->ocsp_staple == NULL ||
- ctx->config->keypair->ocsp_staple_len == 0)
+ if (ctx->keypair == NULL || ctx->keypair->ocsp_staple == NULL ||
+ ctx->keypair->ocsp_staple_len == 0)
return SSL_TLSEXT_ERR_NOACK;
- if ((ocsp_staple = malloc(ctx->config->keypair->ocsp_staple_len)) ==
- NULL)
+ if ((ocsp_staple = malloc(ctx->keypair->ocsp_staple_len)) == NULL)
goto err;
- memcpy(ocsp_staple, ctx->config->keypair->ocsp_staple,
- ctx->config->keypair->ocsp_staple_len);
+ memcpy(ocsp_staple, ctx->keypair->ocsp_staple,
+ ctx->keypair->ocsp_staple_len);
+
if (SSL_set_tlsext_status_ocsp_resp(ctx->ssl_conn, ocsp_staple,
- ctx->config->keypair->ocsp_staple_len) != 1)
+ ctx->keypair->ocsp_staple_len) != 1)
goto err;
ret = SSL_TLSEXT_ERR_OK;
err:
if (ret != SSL_TLSEXT_ERR_OK)
free(ocsp_staple);
+
return ret;
}
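Review bot: The malloc/memcpy of the staple in tls_ocsp_stapling_cb() carries no comment saying why the keypair's own buffer cannot be handed to libssl, and the free-only-on-failure at the `err:` label is the sole hint that `SSL_set_tlsext_status_ocsp_resp()` takes ownership of the copy on success; a later "simplification" that drops the copy would leave libssl freeing, or reading, memory owned by the keypair. Suggest a comment above the malloc: `/* libssl takes ownership of the response buffer and frees it, so pass it a copy of the keypair's staple rather than the staple itself. */`. Since the whole fix rests on the difference between the per-connection keypair and the configured default, the new `ctx->keypair == NULL` check also deserves a note such as `/* ctx->keypair is the keypair selected for this connection (e.g. via SNI), not necessarily the config default. */`, and the NULL case presumably means no keypair has been selected yet — worth stating if that is the intended meaning. Separately, the callback receives `ssl` but passes `ctx->ssl_conn` to `SSL_set_tlsext_status_ocsp_resp()`; these are presumably the same object for a server connection, but using `ssl` — the connection libssl is actually asking about — would remove that assumption.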
@@ -364,7 +364,7 @@ tls_ocsp_stapling_cb(SSL *ssl, void *arg)
* Public API
*/
-/* Retrieve OCSP URL from peer certificate, if present */
+/* Retrieve OCSP URL from peer certificate, if present. */
const char *
tls_peer_ocsp_url(struct tls *ctx)
{