Rework ssl3_output_cert_chain() to take a CERT_PKEY and consider chains.

We will now include the certificates in the chain in the certificate list, or use the existing extra_certs if present. Failing that we fall back to the automatic chain building if not disabled. This also simplifies the code significantly. ok beck@ tb@
author: jsing <> 2019-03-25 16:35:48 +0000
committer: jsing <> 2019-03-25 16:35:48 +0000
commit: 4e5f1e0420a23688bec26a60ba7f49ffdd33ba62 (patch)
tree: b392fa487622bd75c8ac0ad1ff6dd527d2c42783
parent: 491a1b9b73d1852fd706b6845c3635f5bd3d3834 (diff)
download: openbsd-4e5f1e0420a23688bec26a60ba7f49ffdd33ba62.tar.gz
openbsd-4e5f1e0420a23688bec26a60ba7f49ffdd33ba62.tar.bz2
openbsd-4e5f1e0420a23688bec26a60ba7f49ffdd33ba62.zip
4 files changed, 36 insertions, 40 deletions
diff --git a/src/lib/libssl/ssl_both.c b/src/lib/libssl/ssl_both.c
index 77ab26e8b5..6bd5f08111 100644
--- a/src/lib/libssl/ssl_both.c
+++ b/src/lib/libssl/ssl_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_both.c,v 1.14 2018/11/08 22:28:52 jsing Exp $ */
+/* $OpenBSD: ssl_both.c,v 1.15 2019/03/25 16:35:48 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -378,60 +378,56 @@ ssl3_add_cert(CBB *cbb, X509 *x)
 }
 int
-ssl3_output_cert_chain(SSL *s, CBB *cbb, X509 *x)
+ssl3_output_cert_chain(SSL *s, CBB *cbb, CERT_PKEY *cpk)
 {
-        int no_chain = 0;
+        X509_STORE_CTX *xs_ctx = NULL;
+        STACK_OF(X509) *chain;
        CBB cert_list;
+        X509 *x;
        int ret = 0;
        int i;
        if (!CBB_add_u24_length_prefixed(cbb, &cert_list))
                goto err;
-        if ((s->internal->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs)
+        /* Send an empty certificate list when no certificate is available. */
-                no_chain = 1;
+        if (cpk == NULL)
+                goto done;
-        /* TLSv1 sends a chain with nothing in it, instead of an alert. */
+        if ((chain = cpk->chain) == NULL)
-        if (x != NULL) {
+                chain = s->ctx->extra_certs;
-                if (no_chain) {
-                        if (!ssl3_add_cert(&cert_list, x))
-                                goto err;
-                } else {
-                        X509_STORE_CTX xs_ctx;
-                        if (!X509_STORE_CTX_init(&xs_ctx, s->ctx->cert_store,
+        if (chain != NULL || (s->internal->mode & SSL_MODE_NO_AUTO_CHAIN)) {
-                            x, NULL)) {
+                if (!ssl3_add_cert(&cert_list, cpk->x509))
-                                SSLerror(s, ERR_R_X509_LIB);
+                        goto err;
-                                goto err;
+        } else {
-                        }
+                if ((xs_ctx = X509_STORE_CTX_new()) == NULL)
-                        X509_verify_cert(&xs_ctx);
+                        goto err;
+                if (!X509_STORE_CTX_init(xs_ctx, s->ctx->cert_store,
-                        /* Don't leave errors in the queue. */
+                    cpk->x509, NULL)) {
-                        ERR_clear_error();
+                        SSLerror(s, ERR_R_X509_LIB);
-                        for (i = 0; i < sk_X509_num(xs_ctx.chain); i++) {
+                        goto err;
-                                x = sk_X509_value(xs_ctx.chain, i);
-                                if (!ssl3_add_cert(&cert_list, x)) {
-                                        X509_STORE_CTX_cleanup(&xs_ctx);
-                                        goto err;
-                                }
-                        }
-                        X509_STORE_CTX_cleanup(&xs_ctx);
                }
+                X509_verify_cert(xs_ctx);
+                ERR_clear_error();
+                chain = xs_ctx->chain;
        }
-        /* Thawte special :-) */
+        for (i = 0; i < sk_X509_num(chain); i++) {
-        for (i = 0; i < sk_X509_num(s->ctx->extra_certs); i++) {
+                x = sk_X509_value(chain, i);
-                x = sk_X509_value(s->ctx->extra_certs, i);
                if (!ssl3_add_cert(&cert_list, x))
                        goto err;
        }
+ done:
        if (!CBB_flush(cbb))
                goto err;
        ret = 1;
 err:
+        X509_STORE_CTX_free(xs_ctx);
        return (ret);
 }
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index f3c439e6c0..262e09fe5e 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.58 2019/03/19 16:53:03 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.59 2019/03/25 16:35:48 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2693,7 +2693,7 @@ ssl3_send_client_certificate(SSL *s)
                    SSL3_MT_CERTIFICATE))
                        goto err;
                if (!ssl3_output_cert_chain(s, &client_cert,
-                    (S3I(s)->tmp.cert_req == 2) ? NULL : s->cert->key->x509))
+                    (S3I(s)->tmp.cert_req == 2) ? NULL : s->cert->key))
                        goto err;
                if (!ssl3_handshake_msg_finish(s, &cbb))
                        goto err;
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 509183a7fa..5d39d1a391 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.239 2019/03/25 16:24:57 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.240 2019/03/25 16:35:48 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1154,7 +1154,7 @@ int ssl3_renegotiate_check(SSL *ssl);
 int ssl3_dispatch_alert(SSL *s);
 int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek);
 int ssl3_write_bytes(SSL *s, int type, const void *buf, int len);
-int ssl3_output_cert_chain(SSL *s, CBB *cbb, X509 *x);
+int ssl3_output_cert_chain(SSL *s, CBB *cbb, CERT_PKEY *cpk);
 SSL_CIPHER *ssl3_choose_cipher(SSL *ssl, STACK_OF(SSL_CIPHER) *clnt,
    STACK_OF(SSL_CIPHER) *srvr);
 int     ssl3_setup_buffers(SSL *s);
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 6872fa3523..f2aafc3032 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.64 2019/02/09 15:26:15 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.65 2019/03/25 16:35:48 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2467,7 +2467,7 @@ int
 ssl3_send_server_certificate(SSL *s)
 {
        CBB cbb, server_cert;
-        X509 *x;
+        CERT_PKEY *cpk;
        /*
         * Server Certificate - RFC 5246, section 7.4.2.
@@ -2476,7 +2476,7 @@ ssl3_send_server_certificate(SSL *s)
        memset(&cbb, 0, sizeof(cbb));
        if (S3I(s)->hs.state == SSL3_ST_SW_CERT_A) {
-                if ((x = ssl_get_server_send_cert(s)) == NULL) {
+                if ((cpk = ssl_get_server_send_pkey(s)) == NULL) {
                        SSLerror(s, ERR_R_INTERNAL_ERROR);
                        return (0);
                }
@@ -2484,7 +2484,7 @@ ssl3_send_server_certificate(SSL *s)
                if (!ssl3_handshake_msg_start(s, &cbb, &server_cert,
                    SSL3_MT_CERTIFICATE))
                        goto err;
-                if (!ssl3_output_cert_chain(s, &server_cert, x))
+                if (!ssl3_output_cert_chain(s, &server_cert, cpk))
                        goto err;
                if (!ssl3_handshake_msg_finish(s, &cbb))
                        goto err;
author	jsing <>	2019-03-25 16:35:48 +0000
committer	jsing <>	2019-03-25 16:35:48 +0000
commit	4e5f1e0420a23688bec26a60ba7f49ffdd33ba62 (patch)
tree	b392fa487622bd75c8ac0ad1ff6dd527d2c42783
parent	491a1b9b73d1852fd706b6845c3635f5bd3d3834 (diff)
download	openbsd-4e5f1e0420a23688bec26a60ba7f49ffdd33ba62.tar.gz openbsd-4e5f1e0420a23688bec26a60ba7f49ffdd33ba62.tar.bz2 openbsd-4e5f1e0420a23688bec26a60ba7f49ffdd33ba62.zip

diff --git a/src/lib/libssl/ssl_both.c b/src/lib/libssl/ssl_both.c index 77ab26e8b5..6bd5f08111 100644 --- a/src/lib/libssl/ssl_both.c +++ b/src/lib/libssl/ssl_both.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_both.c,v 1.14 2018/11/08 22:28:52 jsing Exp $ */	1	/* $OpenBSD: ssl_both.c,v 1.15 2019/03/25 16:35:48 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -378,60 +378,56 @@ ssl3_add_cert(CBB cbb, X509 x)
378	}	378	}
379		379
380	int	380	int
381	ssl3_output_cert_chain(SSL s, CBB cbb, X509 *x)	381	ssl3_output_cert_chain(SSL s, CBB cbb, CERT_PKEY *cpk)
382	{	382	{
383	int no_chain = 0;	383	X509_STORE_CTX *xs_ctx = NULL;
		384	STACK_OF(X509) *chain;
384	CBB cert_list;	385	CBB cert_list;
		386	X509 *x;
385	int ret = 0;	387	int ret = 0;
386	int i;	388	int i;
387		389
388	if (!CBB_add_u24_length_prefixed(cbb, &cert_list))	390	if (!CBB_add_u24_length_prefixed(cbb, &cert_list))
389	goto err;	391	goto err;
390		392
391	if ((s->internal->mode & SSL_MODE_NO_AUTO_CHAIN) \|\| s->ctx->extra_certs)	393	/* Send an empty certificate list when no certificate is available. */
392	no_chain = 1;	394	if (cpk == NULL)
		395	goto done;
393		396
394	/* TLSv1 sends a chain with nothing in it, instead of an alert. */	397	if ((chain = cpk->chain) == NULL)
395	if (x != NULL) {	398	chain = s->ctx->extra_certs;
396	if (no_chain) {
397	if (!ssl3_add_cert(&cert_list, x))
398	goto err;
399	} else {
400	X509_STORE_CTX xs_ctx;
401		399
402	if (!X509_STORE_CTX_init(&xs_ctx, s->ctx->cert_store,	400	if (chain != NULL \|\| (s->internal->mode & SSL_MODE_NO_AUTO_CHAIN)) {
403	x, NULL)) {	401	if (!ssl3_add_cert(&cert_list, cpk->x509))
404	SSLerror(s, ERR_R_X509_LIB);	402	goto err;
405	goto err;	403	} else {
406	}	404	if ((xs_ctx = X509_STORE_CTX_new()) == NULL)
407	X509_verify_cert(&xs_ctx);	405	goto err;
408		406	if (!X509_STORE_CTX_init(xs_ctx, s->ctx->cert_store,
409	/* Don't leave errors in the queue. */	407	cpk->x509, NULL)) {
410	ERR_clear_error();	408	SSLerror(s, ERR_R_X509_LIB);
411	for (i = 0; i < sk_X509_num(xs_ctx.chain); i++) {	409	goto err;
412	x = sk_X509_value(xs_ctx.chain, i);
413	if (!ssl3_add_cert(&cert_list, x)) {
414	X509_STORE_CTX_cleanup(&xs_ctx);
415	goto err;
416	}
417	}
418	X509_STORE_CTX_cleanup(&xs_ctx);
419	}	410	}
		411	X509_verify_cert(xs_ctx);
		412	ERR_clear_error();
		413	chain = xs_ctx->chain;
420	}	414	}
421		415
422	/* Thawte special :-) */	416	for (i = 0; i < sk_X509_num(chain); i++) {
423	for (i = 0; i < sk_X509_num(s->ctx->extra_certs); i++) {	417	x = sk_X509_value(chain, i);
424	x = sk_X509_value(s->ctx->extra_certs, i);
425	if (!ssl3_add_cert(&cert_list, x))	418	if (!ssl3_add_cert(&cert_list, x))
426	goto err;	419	goto err;
427	}	420	}
428		421
		422	done:
429	if (!CBB_flush(cbb))	423	if (!CBB_flush(cbb))
430	goto err;	424	goto err;
431		425
432	ret = 1;	426	ret = 1;
433		427
434	err:	428	err:
		429	X509_STORE_CTX_free(xs_ctx);
		430
435	return (ret);	431	return (ret);
436	}	432	}
437		433


diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c index f3c439e6c0..262e09fe5e 100644 --- a/src/lib/libssl/ssl_clnt.c +++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_clnt.c,v 1.58 2019/03/19 16:53:03 jsing Exp $ */	1	/* $OpenBSD: ssl_clnt.c,v 1.59 2019/03/25 16:35:48 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -2693,7 +2693,7 @@ ssl3_send_client_certificate(SSL *s)
2693	SSL3_MT_CERTIFICATE))	2693	SSL3_MT_CERTIFICATE))
2694	goto err;	2694	goto err;
2695	if (!ssl3_output_cert_chain(s, &client_cert,	2695	if (!ssl3_output_cert_chain(s, &client_cert,
2696	(S3I(s)->tmp.cert_req == 2) ? NULL : s->cert->key->x509))	2696	(S3I(s)->tmp.cert_req == 2) ? NULL : s->cert->key))
2697	goto err;	2697	goto err;
2698	if (!ssl3_handshake_msg_finish(s, &cbb))	2698	if (!ssl3_handshake_msg_finish(s, &cbb))
2699	goto err;	2699	goto err;


diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index 509183a7fa..5d39d1a391 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_locl.h,v 1.239 2019/03/25 16:24:57 jsing Exp $ */	1	/* $OpenBSD: ssl_locl.h,v 1.240 2019/03/25 16:35:48 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1154,7 +1154,7 @@ int ssl3_renegotiate_check(SSL *ssl);
1154	int ssl3_dispatch_alert(SSL *s);	1154	int ssl3_dispatch_alert(SSL *s);
1155	int ssl3_read_bytes(SSL s, int type, unsigned char buf, int len, int peek);	1155	int ssl3_read_bytes(SSL s, int type, unsigned char buf, int len, int peek);
1156	int ssl3_write_bytes(SSL s, int type, const void buf, int len);	1156	int ssl3_write_bytes(SSL s, int type, const void buf, int len);
1157	int ssl3_output_cert_chain(SSL s, CBB cbb, X509 *x);	1157	int ssl3_output_cert_chain(SSL s, CBB cbb, CERT_PKEY *cpk);
1158	SSL_CIPHER ssl3_choose_cipher(SSL ssl, STACK_OF(SSL_CIPHER) *clnt,	1158	SSL_CIPHER ssl3_choose_cipher(SSL ssl, STACK_OF(SSL_CIPHER) *clnt,
1159	STACK_OF(SSL_CIPHER) *srvr);	1159	STACK_OF(SSL_CIPHER) *srvr);
1160	int ssl3_setup_buffers(SSL *s);	1160	int ssl3_setup_buffers(SSL *s);


diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index 6872fa3523..f2aafc3032 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_srvr.c,v 1.64 2019/02/09 15:26:15 jsing Exp $ */	1	/* $OpenBSD: ssl_srvr.c,v 1.65 2019/03/25 16:35:48 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -2467,7 +2467,7 @@ int
2467	ssl3_send_server_certificate(SSL *s)	2467	ssl3_send_server_certificate(SSL *s)
2468	{	2468	{
2469	CBB cbb, server_cert;	2469	CBB cbb, server_cert;
2470	X509 *x;	2470	CERT_PKEY *cpk;
2471		2471
2472	/*	2472	/*
2473	* Server Certificate - RFC 5246, section 7.4.2.	2473	* Server Certificate - RFC 5246, section 7.4.2.
@@ -2476,7 +2476,7 @@ ssl3_send_server_certificate(SSL *s)
2476	memset(&cbb, 0, sizeof(cbb));	2476	memset(&cbb, 0, sizeof(cbb));
2477		2477
2478	if (S3I(s)->hs.state == SSL3_ST_SW_CERT_A) {	2478	if (S3I(s)->hs.state == SSL3_ST_SW_CERT_A) {
2479	if ((x = ssl_get_server_send_cert(s)) == NULL) {	2479	if ((cpk = ssl_get_server_send_pkey(s)) == NULL) {
2480	SSLerror(s, ERR_R_INTERNAL_ERROR);	2480	SSLerror(s, ERR_R_INTERNAL_ERROR);
2481	return (0);	2481	return (0);
2482	}	2482	}
@@ -2484,7 +2484,7 @@ ssl3_send_server_certificate(SSL *s)
2484	if (!ssl3_handshake_msg_start(s, &cbb, &server_cert,	2484	if (!ssl3_handshake_msg_start(s, &cbb, &server_cert,
2485	SSL3_MT_CERTIFICATE))	2485	SSL3_MT_CERTIFICATE))
2486	goto err;	2486	goto err;
2487	if (!ssl3_output_cert_chain(s, &server_cert, x))	2487	if (!ssl3_output_cert_chain(s, &server_cert, cpk))
2488	goto err;	2488	goto err;
2489	if (!ssl3_handshake_msg_finish(s, &cbb))	2489	if (!ssl3_handshake_msg_finish(s, &cbb))
2490	goto err;	2490	goto err;