commit 6c7aed048ca0a335e02dfee10976c5dc8620783e
author David Benjamin <davidben@chromium.org> Wed Aug 27 16:42:38 2014 -0400
committer Adam Langley <agl@google.com> Fri Aug 29 00:39:33 2014 +0000
tree afdad4ea0491a082ff6a3bc4f2acb934af88124e
parent e098ec2460c12e7061f3584086d75dd72eb4c5c9

Client-side OCSP stapling support.

Remove the old implementation which was excessively general. This mirrors the
SCT support and adds a single boolean flag to request an OCSP response with no
responder IDs, extensions, or frills. The response, if received, is stored on
the SSL_SESSION so that it is available for (re)validation on session
resumption; Chromium revalidates the saved auth parameters on resume.

Server support is unimplemented for now. This API will also need to be adjusted
in the future if we implement RFC 6961.

Change-Id: I533c029b7f7ea622d814d05f934fdace2da85cb1
Reviewed-on: https://boringssl-review.googlesource.com/1671
Reviewed-by: Adam Langley <agl@google.com>

ssl/s3_srvr.c

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 1017f4a..0e9c7d5 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -352,7 +352,7 @@
 				{
 				ret=ssl3_send_server_certificate(s);
 				if (ret <= 0) goto end;
-				if (s->tlsext_status_expected)
+				if (s->s3->tmp.certificate_status_expected)
 					s->state=SSL3_ST_SW_CERT_STATUS_A;
 				else
 					s->state=SSL3_ST_SW_KEY_EXCH_A;
@@ -569,6 +569,8 @@
 			s->init_num=0;
 			break;
 
+#if 0
+		// TODO(davidben): Implement OCSP stapling on the server.
 		case SSL3_ST_SW_CERT_STATUS_A:
 		case SSL3_ST_SW_CERT_STATUS_B:
 			ret=ssl3_send_cert_status(s);
@@ -576,6 +578,7 @@
 			s->state=SSL3_ST_SW_KEY_EXCH_A;
 			s->init_num=0;
 			break;
+#endif
 
 		case SSL3_ST_SW_CHANGE_A:
 		case SSL3_ST_SW_CHANGE_B:
@@ -1137,16 +1140,6 @@
 	 * s->tmp.new_cipher	- the new cipher to use.
 	 */
 
-	/* Handles TLS extensions that we couldn't check earlier */
-	if (s->version >= SSL3_VERSION)
-		{
-		if (ssl_check_clienthello_tlsext_late(s) <= 0)
-			{
-			OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello, SSL_R_CLIENTHELLO_TLSEXT);
-			goto err;
-			}
-		}
-
 	if (ret < 0) ret=-ret;
 	if (0)
 		{
@@ -2651,6 +2644,7 @@
 	return ssl_do_write(s);
 	}
 
+#if 0
 int ssl3_send_cert_status(SSL *s)
 	{
 	if (s->state == SSL3_ST_SW_CERT_STATUS_A)
@@ -2685,6 +2679,7 @@
 	/* SSL3_ST_SW_CERT_STATUS_B */
 	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
 	}
+#endif
 
 /* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It
  * sets the next_proto member in s if found */