Bug 866362: Address the TODO in ssl3_ServerSendStatusRequestXtn:
author: Kai Engert <kaie@kuix.de>
Tue, 21 May 2013 19:28:52 -0700
changeset 10784 60da07951c1702a35e3b8a3bab4f9a6beadc9742
parent 10783 722814555d1dd95af97995e5596ffa5f2855f3cb
child 10785 c499082b9a15f22dc9a4c882ea8769b16ac82234
push id: 93
push user: wtc@google.com
push date: Wed, 22 May 2013 02:28:57 +0000
bugs: 866362
Bug 866362: Address the TODO in ssl3_ServerSendStatusRequestXtn: see if we have an OCSP response for the server certificate being used, rather than if we have any OCSP response. Change ssl3_SendCertificateStatus to use the same logic. r=wtc.
lib/ssl/ssl3con.c
lib/ssl/ssl3ext.c
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -8462,20 +8462,19 @@ ssl3_SendCertificateStatus(sslSocket *ss
 
     /* Use certStatus based on the cert being used. */
     if ((ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) ||
 	(ss->ssl3.hs.kea_def->kea == kea_dhe_rsa)) {
 	certIndex = kt_rsa;
     } else {
 	certIndex = ss->ssl3.hs.kea_def->exchKeyType;
     }
-    if (ss->certStatusArray[certIndex] && ss->certStatusArray[certIndex]->len) {
-	statusToSend = ss->certStatusArray[certIndex];
-    }
-    if (!statusToSend)
+
+    statusToSend = ss->certStatusArray[certIndex];
+    if (!statusToSend || !statusToSend->len)
 	return SECSuccess;
 
     /* Use the array's first item only (single stapling) */
     len = 1 + statusToSend->items[0].len + 3;
 
     rv = ssl3_AppendHandshakeHeader(ss, certificate_status, len);
     if (rv != SECSuccess) {
 	return rv; 		/* err set by AppendHandshake. */
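Review bot: The certIndex selection at the top of this hunk (kea_ecdhe_rsa / kea_dhe_rsa map to kt_rsa, everything else to exchKeyType) is now duplicated verbatim in ssl3_ServerSendStatusRequestXtn in ssl3ext.c. Two hand-maintained copies of the rule that picks which stapled OCSP response goes on the wire will drift when a key-exchange type is added, and a drift means the status_request extension can advertise a response for one certificate while certificate_status sends a different one or nothing at all. A single static helper such as `SSL3KEAType ssl3_GetCertStatusIndex(const sslSocket *ss)` called from both sites would keep them in lock-step. ssl3_SendCertificateStatus starts before and continues after this hunk.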
--- a/lib/ssl/ssl3ext.c
+++ b/lib/ssl/ssl3ext.c
@@ -677,30 +677,30 @@ static PRInt32
 ssl3_ServerSendStatusRequestXtn(
 			sslSocket * ss,
 			PRBool      append,
 			PRUint32    maxBytes)
 {
     PRInt32 extension_length;
     SECStatus rv;
     int i;
-    PRBool haveStatus = PR_FALSE;
+    SECItemArray *statusToSend = NULL;
+    SSL3KEAType certIndex;
+
+    PORT_Assert(ss->sec.isServer);
 
-    for (i = kt_null; i < kt_kea_size; i++) {
-	/* TODO: This is a temporary workaround.
-	 *       The correct code needs to see if we have an OCSP response for
-	 *       the server certificate being used, rather than if we have any
-	 *       OCSP response. See also ssl3_SendCertificateStatus.
-	 */
-	if (ss->certStatusArray[i] && ss->certStatusArray[i]->len) {
-	    haveStatus = PR_TRUE;
-	    break;
-	}
+    if ((ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) ||
+	(ss->ssl3.hs.kea_def->kea == kea_dhe_rsa)) {
+	certIndex = kt_rsa;
+    } else {
+	certIndex = ss->ssl3.hs.kea_def->exchKeyType;
     }
-    if (!haveStatus)
+
+    statusToSend = ss->certStatusArray[certIndex];
+    if (!statusToSend || !statusToSend->len)
 	return 0;
 
     extension_length = 2 + 2;
     if (append && maxBytes >= extension_length) {
 	/* extension_type */
 	rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2);
 	if (rv != SECSuccess)
 	    return -1;
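Review bot: `int i;` in the declaration list is left behind after the loop that used it was removed; unless the rest of the function, which continues past this hunk, still uses it, the declaration should be dropped to avoid an unused-variable warning. The new certIndex computation also dereferences `ss->ssl3.hs.kea_def`, which the old any-response scan did not need, so the sender now depends on the cipher suite having been selected before the ServerHello extension senders run, and the added PORT_Assert only checks isServer. A comment such as `/* kea_def is chosen with the cipher suite before ServerHello extensions are built. */` or an additional `PORT_Assert(ss->ssl3.hs.kea_def);` would make that precondition explicit.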