Support setting per-connection OCSP staple Right now the only way to set an OCSP response is SSL_CTX_set_ocsp_response however this assumes that all the SSLs generated from a SSL_CTX share the same OCSP response, which is wrong. This is similar to the OpenSSL "function" SSL_get_tlsext_status_ocsp_resp, the main difference being that this doesn't take ownership of the OCSP buffer. In order to avoid memory duplication in case SSL_CTX has its own response, a CRYPTO_BUFFER is used for both SSL_CTX and SSL. Change-Id: I3a0697f82b805ac42a22be9b6bb596aa0b530025 Reviewed-on: https://boringssl-review.googlesource.com/12660 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

commit: 559f0644a5feb25c44c9324bf193545f9fc01f65 [log] [tgz]
author: Alessandro Ghedini <alessandro@ghedini.me> Wed Dec 07 12:55:32 2016 +0000
committer: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Thu Dec 08 20:29:43 2016 +0000
tree: ddf12aecb94e5d7c35fa3eed26d6c22feba306c6
parent: 7c5728649affe20e2952b11a0aeaf0e7b114aad9 [diff] [blame]
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 3530ff5..086af3c 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c

@@ -1212,7 +1212,7 @@
   SSL *const ssl = hs->ssl;
   if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION ||
       !hs->ocsp_stapling_requested ||
-      ssl->ctx->ocsp_response_length == 0 ||
+      ssl->ocsp_response == NULL ||
       ssl->s3->session_reused ||
       !ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {
     return 1;
commit	559f0644a5feb25c44c9324bf193545f9fc01f65	[log] [tgz]
author	Alessandro Ghedini <alessandro@ghedini.me>	Wed Dec 07 12:55:32 2016 +0000
committer	CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>	Thu Dec 08 20:29:43 2016 +0000
tree	ddf12aecb94e5d7c35fa3eed26d6c22feba306c6
parent	7c5728649affe20e2952b11a0aeaf0e7b114aad9 [diff] [blame]