Sooo.. 

Pretty sure mlucas has uncovered a problem with the ocsp interface. 

Basically I didn't attach it to the keypair, (yes Joel, I think you
told me so) so it only works with the master keypair.. OK, but the
problem is that it also returns the staple for other keypairs which is
wrong. 

This attaches the ocsp staple to the keypair, rather than the config. 

It does not yet add a way to change it for keypairs other than the
master - that will require an API change - but with this change
it should not return an incorrect ocsp staple for the non primary
keypair. I'll deal with the API change separately after pestering
joel about it a bit.

ok?

Index: tls_config.c
===================================================================
RCS file: /cvs/src/lib/libtls/tls_config.c,v
retrieving revision 1.34
diff -u -p -u -p -r1.34 tls_config.c
--- tls_config.c        24 Jan 2017 01:48:05 -0000      1.34
+++ tls_config.c        28 Jan 2017 21:40:14 -0000
@@ -101,6 +101,26 @@ tls_keypair_set_key_mem(struct tls_keypa
        return set_mem(&keypair->key_mem, &keypair->key_len, key, len);
 }
 
+static int
+tls_keypair_set_ocsp_staple_file(struct tls_keypair *keypair,
+    struct tls_error *error, const char *ocsp_file)
+{
+       if (keypair->ocsp_staple != NULL)
+               explicit_bzero(keypair->ocsp_staple, keypair->ocsp_staple_len);
+       return tls_config_load_file(error, "ocsp", ocsp_file,
+           &keypair->ocsp_staple, &keypair->ocsp_staple_len);
+}
+
+static int
+tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,
+    const uint8_t *staple, size_t len)
+{
+       if (keypair->ocsp_staple != NULL)
+               explicit_bzero(keypair->ocsp_staple, keypair->ocsp_staple_len);
+       return set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len, staple,
+           len);
+}
+
 static void
 tls_keypair_clear(struct tls_keypair *keypair)
 {
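Review bot: Nothing in this patch frees keypair->ocsp_staple once the field moves onto the keypair: the second hunk drops `free(config->ocsp_staple)` from tls_config_free, but tls_keypair_clear, whose body lies outside this hunk, is not changed to release the new field, so the staple leaks at tls_config_free unless that is handled somewhere not shown. tls_keypair_clear should gain `free(keypair->ocsp_staple); keypair->ocsp_staple = NULL; keypair->ocsp_staple_len = 0;` next to its existing cleanup. In the two new helpers the explicit_bzero only wipes the previous buffer; whether it is then released depends on tls_config_load_file and set_mem freeing *buf before overwriting it, which is not visible here — if tls_config_load_file merely assigns `*buf = NULL`, every reload leaks the wiped buffer. An OCSP response is public data rather than key material, so a plain free before reload would be sufficient if the wipe was only meant to avoid stale data.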
@@ -241,7 +261,6 @@ tls_config_free(struct tls_config *confi
        free((char *)config->ca_mem);
        free((char *)config->ca_path);
        free((char *)config->ciphers);
-       free(config->ocsp_staple);
 
        free(config);
 }
@@ -664,14 +683,14 @@ tls_config_verify_client_optional(struct
 int
 tls_config_set_ocsp_staple_file(struct tls_config *config, const char 
*staple_file)
 {
-       return tls_config_load_file(&config->error, "OCSP", staple_file,
-           &config->ocsp_staple, &config->ocsp_staple_len);
+       return tls_keypair_set_ocsp_staple_file(config->keypair, &config->error,
+           staple_file);
 }
 
 int
 tls_config_set_ocsp_staple_mem(struct tls_config *config, char *staple, size_t 
len)
 {
-       return set_mem(&config->ocsp_staple, &config->ocsp_staple_len, staple, 
len);
+       return tls_keypair_set_ocsp_staple_mem(config->keypair, staple, len);
 }
 
 int
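Review bot: tls_config_set_ocsp_staple_mem hands its `char *staple` to tls_keypair_set_ocsp_staple_mem, whose parameter is `const uint8_t *`; `char *` and `const unsigned char *` are incompatible pointer types in C, so this compiles with a pointer-sign warning and fails under -Werror. Declaring the helper's parameter as `const void *staple`, matching what set_mem accepted from the old call, avoids the mismatch without a cast at the call site. The file wrapper also changes the filetype label passed to tls_config_load_file from "OCSP" to "ocsp", which alters the wording of the error it reports — presumably unintended. Both wrappers dereference config->keypair with no NULL check, which is only safe if tls_config_new always allocates the primary keypair; worth confirming.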
Index: tls_internal.h
===================================================================
RCS file: /cvs/src/lib/libtls/tls_internal.h,v
retrieving revision 1.52
diff -u -p -u -p -r1.52 tls_internal.h
--- tls_internal.h      26 Jan 2017 12:56:37 -0000      1.52
+++ tls_internal.h      28 Jan 2017 21:07:25 -0000
@@ -51,6 +51,8 @@ struct tls_keypair {
        size_t cert_len;
        char *key_mem;
        size_t key_len;
+       char *ocsp_staple;
+       size_t ocsp_staple_len;
 };
 
 #define TLS_MIN_SESSION_TIMEOUT (4)
@@ -83,8 +85,6 @@ struct tls_config {
        int ecdhecurve;
        struct tls_keypair *keypair;
        int ocsp_require_stapling;
-       char *ocsp_staple;
-       size_t ocsp_staple_len;
        uint32_t protocols;
        unsigned char session_id[TLS_MAX_SESSION_ID_LENGTH];
        int session_lifetime;
Index: tls_ocsp.c
===================================================================
RCS file: /cvs/src/lib/libtls/tls_ocsp.c,v
retrieving revision 1.10
diff -u -p -u -p -r1.10 tls_ocsp.c
--- tls_ocsp.c  27 Jan 2017 07:03:27 -0000      1.10
+++ tls_ocsp.c  28 Jan 2017 21:42:22 -0000
@@ -332,17 +332,19 @@ tls_ocsp_stapling_cb(SSL *ssl, void *arg
        if ((ctx = SSL_get_app_data(ssl)) == NULL)
                goto err;
 
-       if (ctx->config->ocsp_staple == NULL ||
-           ctx->config->ocsp_staple_len == 0)
+       if (ctx->config->keypair->ocsp_staple == NULL ||
+           ctx->config->keypair->ocsp_staple == NULL ||
+           ctx->config->keypair->ocsp_staple_len == 0)
                return SSL_TLSEXT_ERR_NOACK;
 
-       if ((ocsp_staple = malloc(ctx->config->ocsp_staple_len)) == NULL)
+       if ((ocsp_staple = malloc(ctx->config->keypair->ocsp_staple_len)) ==
+           NULL)
                goto err;
 
-       memcpy(ocsp_staple, ctx->config->ocsp_staple,
-           ctx->config->ocsp_staple_len);
+       memcpy(ocsp_staple, ctx->config->keypair->ocsp_staple,
+           ctx->config->keypair->ocsp_staple_len);
        if (SSL_set_tlsext_status_ocsp_resp(ctx->ssl_conn, ocsp_staple,
-               ctx->config->ocsp_staple_len) != 1)
+               ctx->config->keypair->ocsp_staple_len) != 1)
                goto err;
 
        ret = SSL_TLSEXT_ERR_OK;
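Review bot: The rewritten guard tests `ctx->config->keypair->ocsp_staple == NULL` twice (the first two lines of the condition); the repeat looks like a copy-paste slip and should be dropped, or, if it was meant to guard the keypair pointer itself, replaced by `ctx->config->keypair == NULL ||` as the first term. Separately, the callback still reads the primary keypair through `ctx->config->keypair` on every connection, so a connection served with one of the other keypairs would still be handed the primary's staple unless the callback is installed only on the primary keypair's SSL_CTX, which is outside this diff; passing the negotiated keypair through the callback's `arg` parameter would tie the staple to the certificate actually served. tls_ocsp_stapling_cb begins and ends outside the hunk.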
