Sooo.. Pretty sure mlucas has uncovered a problem with the ocsp interface.
Basically I didn't attach it to the keypair, (yes Joel, I think you told me so) so it only works with the master keypair.. OK, but the problem is that it also returns the staple for other keypairs which is wrong. This attaches the ocsp staple to the keypair, rather than the config. It does not yet add a way to change it for keypairs other than the master - that will require an API change - but with this change it should not return an incorrect ocsp staple for the non primary keypair. I'll deal with the API change separately after pestering joel about it a bit. ok?
Index: tls_config.c
===================================================================
RCS file: /cvs/src/lib/libtls/tls_config.c,v
retrieving revision 1.34
diff -u -p -u -p -r1.34 tls_config.c
--- tls_config.c 24 Jan 2017 01:48:05 -0000 1.34
+++ tls_config.c 28 Jan 2017 21:40:14 -0000
@@ -101,6 +101,26 @@ tls_keypair_set_key_mem(struct tls_keypa
 return set_mem(&keypair->key_mem, &keypair->key_len, key, len);
 }
 
+static int
+tls_keypair_set_ocsp_staple_file(struct tls_keypair *keypair,
+ struct tls_error *error, const char *ocsp_file)
+{
+ if (keypair->ocsp_staple != NULL)
+ explicit_bzero(keypair->ocsp_staple, keypair->ocsp_staple_len);
+ return tls_config_load_file(error, "ocsp", ocsp_file,
+ &keypair->ocsp_staple, &keypair->ocsp_staple_len);
+}
+
+static int
+tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,
+ const uint8_t *staple, size_t len)
+{
+ if (keypair->ocsp_staple != NULL)
+ explicit_bzero(keypair->ocsp_staple, keypair->ocsp_staple_len);
+ return set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len, staple,
+ len);
+}
+
 static void
 tls_keypair_clear(struct tls_keypair *keypair)
 {
@@ -241,7 +261,6 @@ tls_config_free(struct tls_config *confi
 free((char *)config->ca_mem);
 free((char *)config->ca_path);
 free((char *)config->ciphers);
- free(config->ocsp_staple);
 
 free(config);
 }
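Review bot: The staple buffer now lives in struct tls_keypair and the second hunk drops `free(config->ocsp_staple)` from tls_config_free, but nothing in the diff releases `keypair->ocsp_staple` — the first hunk's trailing context stops at the opening brace of tls_keypair_clear and its body is untouched, so the staple is leaked whenever a config is freed. Add `free(keypair->ocsp_staple);` (and reset `ocsp_staple_len`) to tls_keypair_clear next to the existing cert/key releases. The same concern applies to re-setting a staple: tls_keypair_set_ocsp_staple_file zeroes the old buffer and then hands `&keypair->ocsp_staple` to tls_config_load_file, so unless that helper frees the previous allocation (not visible here) the old buffer is leaked as well. The file setter also changes the filetype string from "OCSP" to "ocsp", which alters the wording of the error message callers see; fine if intentional, but worth noting in the log.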
@@ -664,14 +683,14 @@ tls_config_verify_client_optional(struct
 int
 tls_config_set_ocsp_staple_file(struct tls_config *config, const char *staple_file)
 {
- return tls_config_load_file(&config->error, "OCSP", staple_file,
- &config->ocsp_staple, &config->ocsp_staple_len);
+ return tls_keypair_set_ocsp_staple_file(config->keypair, &config->error,
+ staple_file);
 }
 
 int
 tls_config_set_ocsp_staple_mem(struct tls_config *config, char *staple, size_t len)
 {
- return set_mem(&config->ocsp_staple, &config->ocsp_staple_len, staple, len);
+ return tls_keypair_set_ocsp_staple_mem(config->keypair, staple, len);
 }
 
 int
Index: tls_internal.h
===================================================================
RCS file: /cvs/src/lib/libtls/tls_internal.h,v
retrieving revision 1.52
diff -u -p -u -p -r1.52 tls_internal.h
--- tls_internal.h 26 Jan 2017 12:56:37 -0000 1.52
+++ tls_internal.h 28 Jan 2017 21:07:25 -0000
@@ -51,6 +51,8 @@ struct tls_keypair {
 size_t cert_len;
 char *key_mem;
 size_t key_len;
+ char *ocsp_staple;
+ size_t ocsp_staple_len;
 };
 
 #define TLS_MIN_SESSION_TIMEOUT (4)
@@ -83,8 +85,6 @@ struct tls_config {
 int ecdhecurve;
 struct tls_keypair *keypair;
 int ocsp_require_stapling;
- char *ocsp_staple;
- size_t ocsp_staple_len;
 uint32_t protocols;
 unsigned char session_id[TLS_MAX_SESSION_ID_LENGTH];
 int session_lifetime;
Index: tls_ocsp.c
===================================================================
RCS file: /cvs/src/lib/libtls/tls_ocsp.c,v
retrieving revision 1.10
diff -u -p -u -p -r1.10 tls_ocsp.c
--- tls_ocsp.c 27 Jan 2017 07:03:27 -0000 1.10
+++ tls_ocsp.c 28 Jan 2017 21:42:22 -0000
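Review bot: tls_config_set_ocsp_staple_mem passes its public `char *staple` to the new helper, whose parameter is `const uint8_t *staple`; `char` and `unsigned char` are distinct types, so this is an incompatible-pointer-sign diagnostic and will fail a -Werror build. Since the field added in tls_internal.h is `char *ocsp_staple`, make the helper take `const char *staple` (or `const void *`, matching whatever set_mem accepts) rather than casting at the call site; the helper's definition is in the earlier hunk of this file. Both wrappers also dereference `config->keypair` unconditionally; that is presumably always allocated by tls_config_new, but if it can ever be NULL these public entry points are where the check belongs.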
@@ -332,17 +332,19 @@ tls_ocsp_stapling_cb(SSL *ssl, void *arg
 if ((ctx = SSL_get_app_data(ssl)) == NULL)
 goto err;
- if (ctx->config->ocsp_staple == NULL ||
- ctx->config->ocsp_staple_len == 0)
+ if (ctx->config->keypair->ocsp_staple == NULL ||
+ ctx->config->keypair->ocsp_staple == NULL ||
+ ctx->config->keypair->ocsp_staple_len == 0)
 return SSL_TLSEXT_ERR_NOACK;
- if ((ocsp_staple = malloc(ctx->config->ocsp_staple_len)) == NULL)
+ if ((ocsp_staple = malloc(ctx->config->keypair->ocsp_staple_len)) ==
+ NULL)
 goto err;
- memcpy(ocsp_staple, ctx->config->ocsp_staple,
- ctx->config->ocsp_staple_len);
+ memcpy(ocsp_staple, ctx->config->keypair->ocsp_staple,
+ ctx->config->keypair->ocsp_staple_len);
 if (SSL_set_tlsext_status_ocsp_resp(ctx->ssl_conn, ocsp_staple,
- ctx->config->ocsp_staple_len) != 1)
+ ctx->config->keypair->ocsp_staple_len) != 1)
 goto err;
 ret = SSL_TLSEXT_ERR_OK;
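Review bot: The rewritten guard tests `ctx->config->keypair->ocsp_staple == NULL` twice; the second clause is dead, and if it was meant to protect the dereference it should be `ctx->config->keypair == NULL ||` placed first — otherwise drop it. More importantly, the callback still reads `ctx->config->keypair`, the head of the config's keypair list (the master keypair), not the keypair selected for this connection, so a connection that negotiated a non-primary certificate will still be served the master's staple unless something outside this hunk swaps `config->keypair` per connection; the behaviour the cover message promises for the non-primary keypair only holds once the callback consults a per-connection keypair. tls_ocsp_stapling_cb begins before this hunk and its err: cleanup follows it.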