fix: update the "SSL_get_tlsext_status_type" patch (#15587)
It has been upstreamed by @nornagon in google/boringssl@c0c9001.
1 parent
ece4c81
commit 3a3b197
Showing
3 changed files
with
59 additions
and
41 deletions.
@@ -1 +1 @@ | ||
implement-SSL_get_tlsext_status_type.patch | ||
implement_ssl_get_tlsext_status_type.patch |
40 changes: 0 additions & 40 deletions
40
patches/common/boringssl/implement-SSL_get_tlsext_status_type.patch
This file was deleted.
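--- a/patches/common/boringssl/implement_ssl_get_tlsext_status_type.patch
+++ b/patches/common/boringssl/implement_ssl_get_tlsext_status_type.patch
@@ -0,0 +1,58 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jeremy Apthorp <jeremya@chromium.org>
+Date: Thu, 18 Oct 2018 14:18:05 -0700
+Subject: Implement SSL_get_tlsext_status_type
+
+It's used by Node.js[1], and is simple to implement.
+
+[1]: https://github.com/nodejs/node/blob/e2f58c71ddf0f91256cc85e6bb226a068256c5eb/src/node_crypto.cc#L2390
+
+Change-Id: Ie5c76b848623d00f7478aeae0214c25472de523c
+Reviewed-on: https://boringssl-review.googlesource.com/c/32525
+Reviewed-by: David Benjamin <davidben@google.com>
+Commit-Queue: David Benjamin <davidben@google.com>
+CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
+
+diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
+index ae8b8385fc73701a4346202f213b5974af4e2aed..0f3d1747173ffb09eafd5c7d5d692ae3c35c9874 100644
+--- a/include/openssl/ssl.h
++++ b/include/openssl/ssl.h
+@@ -4268,6 +4268,14 @@ OPENSSL_EXPORT int OPENSSL_init_ssl(uint64_t opts,
+// Use |SSL_enable_ocsp_stapling| instead.
+OPENSSL_EXPORT int SSL_set_tlsext_status_type(SSL *ssl, int type);
+
++// SSL_get_tlsext_status_type returns |TLSEXT_STATUSTYPE_ocsp| if the client
++// requested OCSP stapling and |TLSEXT_STATUSTYPE_nothing| otherwise. On the
++// client, this reflects whether OCSP stapling was enabled via, e.g.,
++// |SSL_set_tlsext_status_type|. On the server, this is determined during the
++// handshake. It may be queried in callbacks set by |SSL_CTX_set_cert_cb|. The
++// result is undefined after the handshake completes.
++OPENSSL_EXPORT int SSL_get_tlsext_status_type(const SSL *ssl);
++
+// SSL_set_tlsext_status_ocsp_resp sets the OCSP response. It returns one on
+// success and zero on error. On success, |ssl| takes ownership of |resp|, which
+// must have been allocated by |OPENSSL_malloc|.
+diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
+index 9c16de4958ef29d638e05e0f90b9b15b11b15cac..1f648658b8cb6ae7b82132b276b927e8fb11a47a 100644
+--- a/ssl/ssl_lib.cc
++++ b/ssl/ssl_lib.cc
+@@ -2751,6 +2751,19 @@ int SSL_set_tlsext_status_type(SSL *ssl, int type) {
+return 1;
+}
+
++int SSL_get_tlsext_status_type(const SSL *ssl) {
++ if (ssl->server) {
++ SSL_HANDSHAKE *hs = ssl->s3->hs.get();
++ return hs != nullptr && hs->ocsp_stapling_requested
++ ? TLSEXT_STATUSTYPE_ocsp
++ : TLSEXT_STATUSTYPE_nothing;
++ }
++
++ return ssl->config != nullptr && ssl->config->ocsp_stapling_enabled
++ ? TLSEXT_STATUSTYPE_ocsp
++ : TLSEXT_STATUSTYPE_nothing;
++}
++
+int SSL_set_tlsext_status_ocsp_resp(SSL *ssl, uint8_t *resp, size_t resp_len) {
+if (SSL_set_ocsp_response(ssl, resp, resp_len)) {
+OPENSSL_free(resp);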
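Review bot: In the `ssl_lib.cc` hunk of the new patch, the server branch of `SSL_get_tlsext_status_type` folds two distinct states into one answer: `hs == nullptr` (the handshake object has already been released) and `!hs->ocsp_stapling_requested` (the client genuinely sent no status_request extension) both yield `TLSEXT_STATUSTYPE_nothing`. The header comment declares the post-handshake result undefined, which covers this, but a caller that uses the value to decide whether a stapled OCSP response must be produced — the cited Node.js call site presumably does — would silently get "not requested" if it ever queries after the handshake, so I would put the reason next to the check: `// |hs| is released once the handshake finishes; only the cert-callback window is meaningful.` The `ssl->s3` pointer is dereferenced without the null check that `ssl->config` gets; if `s3` is always allocated for a live SSL object (as I believe it is in BoringSSL) that is fine, but it is worth confirming against the pinned revision rather than leaving the asymmetry unexplained. Separately, the patch header now carries upstream's Change-Id and Reviewed-on trailers, so it appears to be the landed c0c9001 change verbatim; noting in the patch description the BoringSSL revision at which it should be dropped would avoid re-applying a function that already exists upstream.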