Add a chain member to CERT_PKEY and provide functions for manipulating it.

Note that this is not the full chain, as the leaf certificate currently remains in the x509 member of CERT_PKEY. Unfortunately we've got to contend with the fact that some OpenSSL *_chain_* APIs exclude the leaf certificate while others include it... ok beck@ tb@
author: jsing <> 2019-03-25 16:24:57 +0000
committer: jsing <> 2019-03-25 16:24:57 +0000
commit: 491a1b9b73d1852fd706b6845c3635f5bd3d3834 (patch)
tree: 13375f607f621c75e951e8c9dfb3c880fd5fb6e6
parent: ed1f555802549862bf6249547c85f53ce8b3cd41 (diff)
download: openbsd-491a1b9b73d1852fd706b6845c3635f5bd3d3834.tar.gz
openbsd-491a1b9b73d1852fd706b6845c3635f5bd3d3834.tar.bz2
openbsd-491a1b9b73d1852fd706b6845c3635f5bd3d3834.zip
2 files changed, 74 insertions, 3 deletions
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index 313ff3ae5c..ab76939116 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.72 2018/11/19 14:42:01 jsing Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.73 2019/03/25 16:24:57 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -275,6 +275,12 @@ ssl_cert_dup(CERT *cert)
                                SSLerrorx(SSL_R_LIBRARY_BUG);
                        }
                }
+                if (cert->pkeys[i].chain != NULL) {
+                        if ((ret->pkeys[i].chain =
+                            X509_chain_up_ref(cert->pkeys[i].chain)) == NULL)
+                                goto err;
+                }
        }
        /*
@@ -291,12 +297,13 @@ ssl_cert_dup(CERT *cert)
        return (ret);
-err:
+ err:
        DH_free(ret->dh_tmp);
        for (i = 0; i < SSL_PKEY_NUM; i++) {
                X509_free(ret->pkeys[i].x509);
                EVP_PKEY_free(ret->pkeys[i].privatekey);
+                sk_X509_pop_free(ret->pkeys[i].chain, X509_free);
        }
        free (ret);
        return NULL;
@@ -320,11 +327,68 @@ ssl_cert_free(CERT *c)
        for (i = 0; i < SSL_PKEY_NUM; i++) {
                X509_free(c->pkeys[i].x509);
                EVP_PKEY_free(c->pkeys[i].privatekey);
+                sk_X509_pop_free(c->pkeys[i].chain, X509_free);
        }
        free(c);
 }
+int
+ssl_cert_set0_chain(CERT *c, STACK_OF(X509) *chain)
+{
+        if (c->key == NULL)
+                return 0;
+        sk_X509_pop_free(c->key->chain, X509_free);
+        c->key->chain = chain;
+        return 1;
+}
+int
+ssl_cert_set1_chain(CERT *c, STACK_OF(X509) *chain)
+{
+        STACK_OF(X509) *new_chain = NULL;
+        if (chain != NULL) {
+                if ((new_chain = X509_chain_up_ref(chain)) == NULL)
+                        return 0;
+        }
+        if (!ssl_cert_set0_chain(c, new_chain)) {
+                sk_X509_pop_free(new_chain, X509_free);
+                return 0;
+        }
+        return 1;
+}
+int
+ssl_cert_add0_chain_cert(CERT *c, X509 *cert)
+{
+        if (c->key == NULL)
+                return 0;
+        if (c->key->chain == NULL) {
+                if ((c->key->chain = sk_X509_new_null()) == NULL)
+                        return 0;
+        }
+        if (!sk_X509_push(c->key->chain, cert))
+                return 0;
+        return 1;
+}
+int
+ssl_cert_add1_chain_cert(CERT *c, X509 *cert)
+{
+        if (!ssl_cert_add0_chain_cert(c, cert))
+                return 0;
+        X509_up_ref(cert);
+        return 1;
+}
 SESS_CERT *
 ssl_sess_cert_new(void)
 {
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 82674121b4..509183a7fa 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.238 2019/02/25 19:40:05 tb Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.239 2019/03/25 16:24:57 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -961,6 +961,7 @@ typedef struct dtls1_state_internal_st {
 typedef struct cert_pkey_st {
        X509 *x509;
        EVP_PKEY *privatekey;
+        STACK_OF(X509) *chain;
        /* sigalg to use when signing */
        const struct ssl_sigalg *sigalg;
 } CERT_PKEY;
@@ -1081,9 +1082,15 @@ void ssl_clear_cipher_state(SSL *s);
 void ssl_clear_cipher_read_state(SSL *s);
 void ssl_clear_cipher_write_state(SSL *s);
 int ssl_clear_bad_session(SSL *s);
 CERT *ssl_cert_new(void);
 CERT *ssl_cert_dup(CERT *cert);
 void ssl_cert_free(CERT *c);
+int ssl_cert_set0_chain(CERT *c, STACK_OF(X509) *chain);
+int ssl_cert_set1_chain(CERT *c, STACK_OF(X509) *chain);
+int ssl_cert_add0_chain_cert(CERT *c, X509 *cert);
+int ssl_cert_add1_chain_cert(CERT *c, X509 *cert);
 SESS_CERT *ssl_sess_cert_new(void);
 void ssl_sess_cert_free(SESS_CERT *sc);
 int ssl_get_new_session(SSL *s, int session);
author	jsing <>	2019-03-25 16:24:57 +0000
committer	jsing <>	2019-03-25 16:24:57 +0000
commit	491a1b9b73d1852fd706b6845c3635f5bd3d3834 (patch)
tree	13375f607f621c75e951e8c9dfb3c880fd5fb6e6
parent	ed1f555802549862bf6249547c85f53ce8b3cd41 (diff)
download	openbsd-491a1b9b73d1852fd706b6845c3635f5bd3d3834.tar.gz openbsd-491a1b9b73d1852fd706b6845c3635f5bd3d3834.tar.bz2 openbsd-491a1b9b73d1852fd706b6845c3635f5bd3d3834.zip

diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c index 313ff3ae5c..ab76939116 100644 --- a/src/lib/libssl/ssl_cert.c +++ b/src/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_cert.c,v 1.72 2018/11/19 14:42:01 jsing Exp $ */	1	/* $OpenBSD: ssl_cert.c,v 1.73 2019/03/25 16:24:57 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -275,6 +275,12 @@ ssl_cert_dup(CERT *cert)
275	SSLerrorx(SSL_R_LIBRARY_BUG);	275	SSLerrorx(SSL_R_LIBRARY_BUG);
276	}	276	}
277	}	277	}
		278
		279	if (cert->pkeys[i].chain != NULL) {
		280	if ((ret->pkeys[i].chain =
		281	X509_chain_up_ref(cert->pkeys[i].chain)) == NULL)
		282	goto err;
		283	}
278	}	284	}
279		285
280	/*	286	/*
@@ -291,12 +297,13 @@ ssl_cert_dup(CERT *cert)
291		297
292	return (ret);	298	return (ret);
293		299
294	err:	300	err:
295	DH_free(ret->dh_tmp);	301	DH_free(ret->dh_tmp);
296		302
297	for (i = 0; i < SSL_PKEY_NUM; i++) {	303	for (i = 0; i < SSL_PKEY_NUM; i++) {
298	X509_free(ret->pkeys[i].x509);	304	X509_free(ret->pkeys[i].x509);
299	EVP_PKEY_free(ret->pkeys[i].privatekey);	305	EVP_PKEY_free(ret->pkeys[i].privatekey);
		306	sk_X509_pop_free(ret->pkeys[i].chain, X509_free);
300	}	307	}
301	free (ret);	308	free (ret);
302	return NULL;	309	return NULL;
@@ -320,11 +327,68 @@ ssl_cert_free(CERT *c)
320	for (i = 0; i < SSL_PKEY_NUM; i++) {	327	for (i = 0; i < SSL_PKEY_NUM; i++) {
321	X509_free(c->pkeys[i].x509);	328	X509_free(c->pkeys[i].x509);
322	EVP_PKEY_free(c->pkeys[i].privatekey);	329	EVP_PKEY_free(c->pkeys[i].privatekey);
		330	sk_X509_pop_free(c->pkeys[i].chain, X509_free);
323	}	331	}
324		332
325	free(c);	333	free(c);
326	}	334	}
327		335
		336	int
		337	ssl_cert_set0_chain(CERT c, STACK_OF(X509) chain)
		338	{
		339	if (c->key == NULL)
		340	return 0;
		341
		342	sk_X509_pop_free(c->key->chain, X509_free);
		343	c->key->chain = chain;
		344
		345	return 1;
		346	}
		347
		348	int
		349	ssl_cert_set1_chain(CERT c, STACK_OF(X509) chain)
		350	{
		351	STACK_OF(X509) *new_chain = NULL;
		352
		353	if (chain != NULL) {
		354	if ((new_chain = X509_chain_up_ref(chain)) == NULL)
		355	return 0;
		356	}
		357	if (!ssl_cert_set0_chain(c, new_chain)) {
		358	sk_X509_pop_free(new_chain, X509_free);
		359	return 0;
		360	}
		361
		362	return 1;
		363	}
		364
		365	int
		366	ssl_cert_add0_chain_cert(CERT c, X509 cert)
		367	{
		368	if (c->key == NULL)
		369	return 0;
		370
		371	if (c->key->chain == NULL) {
		372	if ((c->key->chain = sk_X509_new_null()) == NULL)
		373	return 0;
		374	}
		375	if (!sk_X509_push(c->key->chain, cert))
		376	return 0;
		377
		378	return 1;
		379	}
		380
		381	int
		382	ssl_cert_add1_chain_cert(CERT c, X509 cert)
		383	{
		384	if (!ssl_cert_add0_chain_cert(c, cert))
		385	return 0;
		386
		387	X509_up_ref(cert);
		388
		389	return 1;
		390	}
		391
328	SESS_CERT *	392	SESS_CERT *
329	ssl_sess_cert_new(void)	393	ssl_sess_cert_new(void)
330	{	394	{


diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 82674121b4..509183a7fa 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_locl.h,v 1.238 2019/02/25 19:40:05 tb Exp $ */	1	/* $OpenBSD: ssl_locl.h,v 1.239 2019/03/25 16:24:57 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -961,6 +961,7 @@ typedef struct dtls1_state_internal_st {
961	typedef struct cert_pkey_st {	961	typedef struct cert_pkey_st {
962	X509 *x509;	962	X509 *x509;
963	EVP_PKEY *privatekey;	963	EVP_PKEY *privatekey;
		964	STACK_OF(X509) *chain;
964	/* sigalg to use when signing */	965	/* sigalg to use when signing */
965	const struct ssl_sigalg *sigalg;	966	const struct ssl_sigalg *sigalg;
966	} CERT_PKEY;	967	} CERT_PKEY;
@@ -1081,9 +1082,15 @@ void ssl_clear_cipher_state(SSL *s);
1081	void ssl_clear_cipher_read_state(SSL *s);	1082	void ssl_clear_cipher_read_state(SSL *s);
1082	void ssl_clear_cipher_write_state(SSL *s);	1083	void ssl_clear_cipher_write_state(SSL *s);
1083	int ssl_clear_bad_session(SSL *s);	1084	int ssl_clear_bad_session(SSL *s);
		1085
1084	CERT *ssl_cert_new(void);	1086	CERT *ssl_cert_new(void);
1085	CERT ssl_cert_dup(CERT cert);	1087	CERT ssl_cert_dup(CERT cert);
1086	void ssl_cert_free(CERT *c);	1088	void ssl_cert_free(CERT *c);
		1089	int ssl_cert_set0_chain(CERT c, STACK_OF(X509) chain);
		1090	int ssl_cert_set1_chain(CERT c, STACK_OF(X509) chain);
		1091	int ssl_cert_add0_chain_cert(CERT c, X509 cert);
		1092	int ssl_cert_add1_chain_cert(CERT c, X509 cert);
		1093
1087	SESS_CERT *ssl_sess_cert_new(void);	1094	SESS_CERT *ssl_sess_cert_new(void);
1088	void ssl_sess_cert_free(SESS_CERT *sc);	1095	void ssl_sess_cert_free(SESS_CERT *sc);
1089	int ssl_get_new_session(SSL *s, int session);	1096	int ssl_get_new_session(SSL *s, int session);