From 929318731a1ba27ba1a5022cff5728d24a5aa325 Mon Sep 17 00:00:00 2001 From: beck Date: Fri, 22 May 2020 02:37:27 +0000 Subject: Ensure we only attach an ocsp staple to a leaf certificate, because for the moment that is all we support. fixes an issue where gnuTLS cares that mistmatching staples come back on the certs in the chain. This should be fixed correctly later by associating the staple to the individual certs rather than the ssl, so this is temporary. running on www@. ok tb@, "got that's oopy but an interim ok" jsing@ --- lib/libssl/tls13_lib.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'lib/libssl/tls13_lib.c') diff --git a/lib/libssl/tls13_lib.c b/lib/libssl/tls13_lib.c index 7232b6dea00..174da2f9c3c 100644 --- a/lib/libssl/tls13_lib.c +++ b/lib/libssl/tls13_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_lib.c,v 1.49 2020/05/21 19:43:40 tb Exp $ */ +/* $OpenBSD: tls13_lib.c,v 1.50 2020/05/22 02:37:27 beck Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * Copyright (c) 2019 Bob Beck @@ -430,8 +430,14 @@ tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert, return 0; if (i2d_X509(cert, &data) != cert_len) return 0; - if (!build_extensions(ctx->ssl, cbb, SSL_TLSEXT_MSG_CT)) - return 0; + if (build_extensions != NULL) { + if (!build_extensions(ctx->ssl, cbb, SSL_TLSEXT_MSG_CT)) + return 0; + } else { + CBB cert_exts; + if (!CBB_add_u16_length_prefixed(cbb, &cert_exts)) + return 0; + } if (!CBB_flush(cbb)) return 0; -- cgit v1.2.3-59-g8ed1b