Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-10-11 12:25:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

bug 889831 - always call SSL_PeerStapledOCSPResponses r=bsmith

Browse Source
This commit is contained in:
David Keeler 2013-07-08 14:56:08 -07:00
parent 283c2903dc
commit 9609fc132a
1 changed files with 12 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
security/manager/ssl/src/SSLServerCertVerification.cpp
View File

@ -1167,21 +1167,18 @@ AuthCertificateHook(void *arg, PRFileDesc *fd, PRBool checkSig, PRBool isServer)
// This value of "now" is used both here for OCSP stapling and later
// when calling CreateCertErrorRunnable.
PRTime now = PR_Now();
PRBool enabled;
if (SECSuccess != SSL_OptionGet(fd, SSL_ENABLE_OCSP_STAPLING, &enabled)) {
return SECFailure;
}
if (enabled) {
// no ownership
const SECItemArray *csa = SSL_PeerStapledOCSPResponses(fd);
// we currently only support single stapled responses
if (csa && csa->len == 1) {
CERTCertDBHandle *handle = CERT_GetDefaultCertDB();
SECStatus cacheResult = CERT_CacheOCSPResponseFromSideChannel(
handle, serverCert, now, &csa->items[0], arg);
if (cacheResult != SECSuccess) {
return SECFailure;
}
// SSL_PeerStapledOCSPResponses will never return a non-empty response if
// OCSP stapling wasn't enabled because libssl wouldn't have let the server
// return a stapled OCSP response.
// We don't own this pointer.
const SECItemArray *csa = SSL_PeerStapledOCSPResponses(fd);
// we currently only support single stapled responses
if (csa && csa->len == 1) {
CERTCertDBHandle *handle = CERT_GetDefaultCertDB();
SECStatus cacheResult = CERT_CacheOCSPResponseFromSideChannel(
handle, serverCert, now, &csa->items[0], arg);
if (cacheResult != SECSuccess) {
return SECFailure;
}
}