authorMatt Caswell <matt@openssl.org>2016-12-02 14:46:54 +0000
committerMatt Caswell <matt@openssl.org>2017-01-06 10:25:13 +0000
commitf63e42887271c61b1c803586a47ecbfa49243a0a (patch)
treeb686adf3a1841101867f35b3bb775e8bfb3088d1 /ssl/statem/statem_srvr.c
parente96e0f8e420c42f28b0e86c9cf757f152f696321 (diff)
Implement TLSv1.3 style CertificateStatus
We remove the separate CertificateStatus message for TLSv1.3, and instead send back the response in the appropriate Certificate message extension. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2020)
Diffstat (limited to 'ssl/statem/statem_srvr.c')
-rw-r--r--ssl/statem/statem_srvr.c24
1 files changed, 16 insertions, 8 deletions
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 5e230f0..8b765a9 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -427,12 +427,7 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s)
return WRITE_TRAN_CONTINUE;
case TLS_ST_SW_CERT:
- st->hand_state = s->tlsext_status_expected ? TLS_ST_SW_CERT_STATUS
- : TLS_ST_SW_FINISHED;
- return WRITE_TRAN_CONTINUE;
-
- case TLS_ST_SW_CERT_STATUS:
- st->hand_state = TLS_ST_SW_FINISHED;
+ st->hand_state = TLS_ST_SW_FINISHED;
return WRITE_TRAN_CONTINUE;
case TLS_ST_SW_FINISHED:
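Review bot: The `TLS_ST_SW_CERT` case now moves straight to `TLS_ST_SW_FINISHED` without consulting `s->tlsext_status_expected`, and nothing at this site says where the stapled OCSP response is sent instead. A one-line comment above the assignment would help the next reader, e.g. `/* TLSv1.3: any OCSP response is sent in a Certificate message extension */`. The check on `tlsext_status_expected` presumably moved into the extension construction code, which is outside this hunk, so that is worth confirming against the rest of the pull request. The enclosing switch starts and ends outside the hunk.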
@@ -3464,12 +3459,25 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
return 0;
}
-int tls_construct_cert_status(SSL *s, WPACKET *pkt)
+/*
+ * In TLSv1.3 this is called from the extensions code, otherwise it is used to
+ * create a separate message. Returns 1 on success or 0 on failure.
+ */
+int tls_construct_cert_status_body(SSL *s, WPACKET *pkt)
{
if (!WPACKET_put_bytes_u8(pkt, s->tlsext_status_type)
|| !WPACKET_sub_memcpy_u24(pkt, s->tlsext_ocsp_resp,
s->tlsext_ocsp_resplen)) {
- SSLerr(SSL_F_TLS_CONSTRUCT_CERT_STATUS, ERR_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_TLS_CONSTRUCT_CERT_STATUS_BODY, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ return 1;
+}
+
+int tls_construct_cert_status(SSL *s, WPACKET *pkt)
+{
+ if (!tls_construct_cert_status_body(s, pkt)) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return 0;
}
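Review bot: The new comment on `tls_construct_cert_status_body` gives the return values but not the change in failure handling. The helper only records `SSL_F_TLS_CONSTRUCT_CERT_STATUS_BODY` on the error queue, and the fatal `SSL_AD_INTERNAL_ERROR` alert is now sent by the `tls_construct_cert_status` wrapper. A TLSv1.3 caller in the extensions code therefore has to send its own alert, so I would add `* On failure no alert is sent; the caller is responsible for that.` to the comment. The helper also writes `s->tlsext_ocsp_resp` and `s->tlsext_ocsp_resplen` unconditionally, so the comment could state that it must only be called when a response has been set; whether the extension caller checks this is not visible here. `tls_construct_cert_status` continues past the end of the hunk.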