root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

Support OSCP responses for DTLS 1.3 

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28455)
This commit is contained in:
Frederik Wedel-Heinen 2025-09-08 19:30:29 +02:00 committed by Tomas Mraz
parent 6061f14765
commit 23def27798
4 changed files with 12 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
apps/s_client.c
View File

@ -3679,7 +3679,8 @@ static int ocsp_resp_cb(SSL *s, void *arg)
STACK_OF(OCSP_RESPONSE) *sk_resp = NULL; STACK_OF(OCSP_RESPONSE) *sk_resp = NULL;
OCSP_RESPONSE *rsp; OCSP_RESPONSE *rsp;
if (SSL_version(s) >= TLS1_3_VERSION) { if ((!SSL_is_dtls(s) && SSL_version(s) >= TLS1_3_VERSION)
|| (SSL_is_dtls(s) && SSL_version(s) <= DTLS1_3_VERSION)) {
(void)SSL_get0_tlsext_status_ocsp_resp_ex(s, &sk_resp); (void)SSL_get0_tlsext_status_ocsp_resp_ex(s, &sk_resp);
BIO_puts(arg, "OCSP responses: "); BIO_puts(arg, "OCSP responses: ");

14
apps/s_server.c
View File

@ -616,11 +616,10 @@ static int bring_ocsp_resp_in_correct_order(SSL *s, tlsextstatusctx *srctx,
sk_OCSP_RESPONSE_pop_free(*sk_resp, OCSP_RESPONSE_free); sk_OCSP_RESPONSE_pop_free(*sk_resp, OCSP_RESPONSE_free);
SSL_get0_chain_certs(s, &server_certs); SSL_get0_chain_certs(s, &server_certs);
/*
* TODO(DTLS-1.3): in future DTLS should also be considered
*/
if (server_certs != NULL && srctx->status_all && if (server_certs != NULL && srctx->status_all &&
!SSL_is_dtls(s) && SSL_version(s) >= TLS1_3_VERSION) { ((!SSL_is_dtls(s) && SSL_version(s) >= TLS1_3_VERSION)
|| (SSL_is_dtls(s) && SSL_version(s) <= DTLS1_3_VERSION))) {
/* certificate chain is available */ /* certificate chain is available */
num = sk_X509_num(server_certs) + 1; num = sk_X509_num(server_certs) + 1;
} }
@ -763,11 +762,10 @@ static int get_ocsp_resp_from_responder(SSL *s, tlsextstatusctx *srctx,
} }
SSL_get0_chain_certs(s, &server_certs); SSL_get0_chain_certs(s, &server_certs);
/*
* TODO(DTLS-1.3): in future DTLS should also be considered
*/
if (server_certs != NULL && srctx->status_all && if (server_certs != NULL && srctx->status_all &&
!SSL_is_dtls(s) && SSL_version(s) >= TLS1_3_VERSION) { ((!SSL_is_dtls(s) && SSL_version(s) >= TLS1_3_VERSION)
|| (SSL_is_dtls(s) && SSL_version(s) <= DTLS1_3_VERSION))) {
/* certificate chain is available */ /* certificate chain is available */
num = sk_X509_num(server_certs) + 1; num = sk_X509_num(server_certs) + 1;
} else { } else {

7
ssl/ssl_cert.c
View File

@ -436,6 +436,7 @@ static int ssl_verify_internal(SSL_CONNECTION *s, STACK_OF(X509) *sk, EVP_PKEY *
SSL_CTX *sctx; SSL_CTX *sctx;
#ifndef OPENSSL_NO_OCSP #ifndef OPENSSL_NO_OCSP
SSL *ssl; SSL *ssl;
const int version1_3 = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_3_VERSION : TLS1_3_VERSION;
#endif #endif
/* Something must be passed in */ /* Something must be passed in */
@ -498,10 +499,8 @@ static int ssl_verify_internal(SSL_CONNECTION *s, STACK_OF(X509) *sk, EVP_PKEY *
*/ */
#ifndef OPENSSL_NO_OCSP #ifndef OPENSSL_NO_OCSP
ssl = SSL_CONNECTION_GET_SSL(s); ssl = SSL_CONNECTION_GET_SSL(s);
/*
* TODO(DTLS-1.3): in future DTLS should also be considered if (ssl_version_cmp(s, SSL_version(ssl), version1_3) >= 0) {
*/
if (!SSL_is_dtls(ssl) && SSL_version(ssl) >= TLS1_3_VERSION) {
/* ignore status_request_v2 if TLS version < 1.3 */ /* ignore status_request_v2 if TLS version < 1.3 */
int status = SSL_get_tlsext_status_type(ssl); int status = SSL_get_tlsext_status_type(ssl);

5
ssl/statem/statem_clnt.c
View File

@ -3031,10 +3031,7 @@ int tls_process_cert_status_body(SSL_CONNECTION *s, size_t chainidx, PACKET *pkt
if (s->ext.ocsp.resp_ex == NULL) if (s->ext.ocsp.resp_ex == NULL)
s->ext.ocsp.resp_ex = sk_OCSP_RESPONSE_new_null(); s->ext.ocsp.resp_ex = sk_OCSP_RESPONSE_new_null();
/* if (!SSL_CONNECTION_IS_VERSION13(s) && type == TLSEXT_STATUSTYPE_ocsp) {
* TODO(DTLS-1.3): in future DTLS should also be considered
*/
if (!SSL_CONNECTION_IS_TLS13(s) && type == TLSEXT_STATUSTYPE_ocsp) {
sk_OCSP_RESPONSE_pop_free(s->ext.ocsp.resp_ex, OCSP_RESPONSE_free); sk_OCSP_RESPONSE_pop_free(s->ext.ocsp.resp_ex, OCSP_RESPONSE_free);
s->ext.ocsp.resp_ex = sk_OCSP_RESPONSE_new_null(); s->ext.ocsp.resp_ex = sk_OCSP_RESPONSE_new_null();
} }