Server-side OCSP stapling support.

This is a simpler implementation than OpenSSL's, lacking responder IDs
and request extensions support. This mirrors the client implementation
already present.

Change-Id: I54592b60e0a708bfb003d491c9250401403c9e69
Reviewed-on: https://boringssl-review.googlesource.com/5700
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 3902f8f..2eeffab 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1330,7 +1330,7 @@
 }
 
 static int ext_ocsp_parse_serverhello(SSL *ssl, uint8_t *out_alert,
-                                         CBS *contents) {
+                                      CBS *contents) {
   if (contents == NULL) {
     return 1;
   }
@@ -1345,13 +1345,32 @@
 
 static int ext_ocsp_parse_clienthello(SSL *ssl, uint8_t *out_alert,
                                       CBS *contents) {
-  /* OCSP stapling as a server is not supported. */
+  if (contents == NULL) {
+    return 1;
+  }
+
+  uint8_t status_type;
+  if (!CBS_get_u8(contents, &status_type)) {
+    return 0;
+  }
+
+  /* We cannot decide whether OCSP stapling will occur yet because the correct
+   * SSL_CTX might not have been selected. */
+  ssl->s3->tmp.ocsp_stapling_requested = status_type == TLSEXT_STATUSTYPE_ocsp;
+
   return 1;
 }
 
 static int ext_ocsp_add_serverhello(SSL *ssl, CBB *out) {
-  /* OCSP stapling as a server is not supported. */
-  return 1;
+  if (!ssl->s3->tmp.ocsp_stapling_requested ||
+      ssl->ctx->ocsp_response_length == 0) {
+    return 1;
+  }
+
+  ssl->s3->tmp.certificate_status_expected = 1;
+
+  return CBB_add_u16(out, TLSEXT_TYPE_status_request) &&
+         CBB_add_u16(out, 0 /* length */);
 }
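Review bot: In ext_ocsp_parse_clienthello only the status_type byte is consumed; the rest of the status_request body (the responder IDs and request extensions the commit message lists as unsupported) is neither parsed nor length-checked, so a malformed extension is accepted as long as its first byte is readable. If that is intentional, say so next to the read, for example `/* responder_id_list and request_extensions are deliberately ignored and not validated. */`, so a later reader does not take this for a complete parser. The `return 0` path also leaves `*out_alert` unwritten, which presumably relies on a default set by the caller; that caller is outside this hunk and worth confirming. In ext_ocsp_add_serverhello the decision to staple depends only on `ssl->ctx->ocsp_response_length`, and nothing visible here checks the response's freshness, so a short comment stating that keeping the configured response current is the application's job would help.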