Support setting per-connection OCSP staple
Right now the only way to set an OCSP response is SSL_CTX_set_ocsp_response;
however, this assumes that all the SSLs generated from an SSL_CTX share the
same OCSP response, which is wrong.
This is similar to the OpenSSL "function" SSL_get_tlsext_status_ocsp_resp,
the main difference being that this doesn't take ownership of the OCSP buffer.
In order to avoid memory duplication in case SSL_CTX has its own response,
a CRYPTO_BUFFER is used for both SSL_CTX and SSL.
Change-Id: I3a0697f82b805ac42a22be9b6bb596aa0b530025
Reviewed-on: https://boringssl-review.googlesource.com/12660
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index c29040a..8b443fd 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -901,6 +901,13 @@
const uint8_t *response,
size_t response_len);
+/* SSL_set_ocsp_response sets the OCSP reponse that is sent to clients which
+ * request it. It returns one on success and zero on error. The caller retains
+ * ownership of |response|. */
+OPENSSL_EXPORT int SSL_set_ocsp_response(SSL *ssl,
+ const uint8_t *response,
+ size_t response_len);
+
/* SSL_SIGN_* are signature algorithm values as defined in TLS 1.3. */
#define SSL_SIGN_RSA_PKCS1_SHA1 0x0201
#define SSL_SIGN_RSA_PKCS1_SHA256 0x0401
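Review bot: typo in the new doc comment at the top of the hunk: "sets the OCSP reponse" should read "sets the OCSP response". Since this API exists precisely as a per-connection override of SSL_CTX_set_ocsp_response (declared just above it), the comment should also say which value is used when both the SSL and its SSL_CTX have a response set, and that setting one on the SSL does not modify the SSL_CTX.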
@@ -4009,8 +4016,7 @@
size_t signed_cert_timestamp_list_length;
/* OCSP response to be sent to the client, if requested. */
- uint8_t *ocsp_response;
- size_t ocsp_response_length;
+ CRYPTO_BUFFER *ocsp_response;
/* keylog_callback, if not NULL, is the key logging callback. See
* |SSL_CTX_set_keylog_callback|. */
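Review bot: replacing `uint8_t *ocsp_response` and `size_t ocsp_response_length` with a single `CRYPTO_BUFFER *` changes the field's ownership model, so every reader of the removed length field, the existing SSL_CTX_set_ocsp_response setter and the SSL_CTX free path must move to CRYPTO_BUFFER_data/CRYPTO_BUFFER_len and CRYPTO_BUFFER_free; none of that is in this excerpt, so please confirm the rest of the change covers it and that the bytes are still copied into the new buffer, matching the caller-retains-ownership contract stated in the header hunk.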
@@ -4224,6 +4230,9 @@
/* session_timeout is the default lifetime in seconds of the session
* created in this connection. */
long session_timeout;
+
+ /* OCSP response to be sent to the client, if requested. */
+ CRYPTO_BUFFER *ocsp_response;
};
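Review bot: the new SSL field's comment duplicates the SSL_CTX one without saying how the two relate. Please state whether NULL here means "fall back to the SSL_CTX's response" or whether SSL_new takes a reference to the context's buffer (the commit message's stated reason for using a shared CRYPTO_BUFFER), and make sure SSL_free releases it with CRYPTO_BUFFER_free; the reference count is what keeps the sharing safe when SSL_set_ocsp_response later replaces a buffer the SSL_CTX still holds.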