Provide SSL chain/cert chain APIs.

These allow for chains to be managed on a per-certificate basis rather than as a single "extra certificates" list. Note that "chain" in this context does not actually include the leaf certificate however, unlike SSL_CTX_use_certificate_chain_{file,mem}(). Thanks to sthen@ for running this through a bulk ports build. ok beck@ tb@
author: jsing <> 2019-04-04 15:03:21 +0000
committer: jsing <> 2019-04-04 15:03:21 +0000
commit: ef18f5fcfa9cf3eeefcc89685bead61b8239028f (patch)
tree: 3b602635dbbb5b70f50030b6207d774c40c1b7b8
parent: 3b50812b7511c2b9b68aa78ee812e5eb6939a3d5 (diff)
download: openbsd-ef18f5fcfa9cf3eeefcc89685bead61b8239028f.tar.gz
openbsd-ef18f5fcfa9cf3eeefcc89685bead61b8239028f.tar.bz2
openbsd-ef18f5fcfa9cf3eeefcc89685bead61b8239028f.zip
3 files changed, 161 insertions, 2 deletions
diff --git a/src/lib/libssl/Symbols.list b/src/lib/libssl/Symbols.list
index 425d71126b..e72616a779 100644
--- a/src/lib/libssl/Symbols.list
+++ b/src/lib/libssl/Symbols.list
@@ -57,14 +57,18 @@ SSL_CIPHER_is_aead
 SSL_COMP_add_compression_method
 SSL_COMP_get_compression_methods
 SSL_COMP_get_name
+SSL_CTX_add0_chain_cert
+SSL_CTX_add1_chain_cert
 SSL_CTX_add_client_CA
 SSL_CTX_add_session
 SSL_CTX_callback_ctrl
 SSL_CTX_check_private_key
+SSL_CTX_clear_chain_certs
 SSL_CTX_ctrl
 SSL_CTX_flush_sessions
 SSL_CTX_free
 SSL_CTX_get0_certificate
+SSL_CTX_get0_chain_certs
 SSL_CTX_get0_param
 SSL_CTX_get_cert_store
 SSL_CTX_get_ciphers
@@ -93,6 +97,8 @@ SSL_CTX_sess_set_get_cb
 SSL_CTX_sess_set_new_cb
 SSL_CTX_sess_set_remove_cb
 SSL_CTX_sessions
+SSL_CTX_set0_chain
+SSL_CTX_set1_chain
 SSL_CTX_set1_groups
 SSL_CTX_set1_groups_list
 SSL_CTX_set1_param
@@ -164,6 +170,8 @@ SSL_SESSION_set_time
 SSL_SESSION_set_timeout
 SSL_SESSION_up_ref
 SSL_accept
+SSL_add0_chain_cert
+SSL_add1_chain_cert
 SSL_add_client_CA
 SSL_add_dir_cert_subjects_to_stack
 SSL_add_file_cert_subjects_to_stack
@@ -175,6 +183,7 @@ SSL_cache_hit
 SSL_callback_ctrl
 SSL_check_private_key
 SSL_clear
+SSL_clear_chain_certs
 SSL_connect
 SSL_copy_session_id
 SSL_ctrl
@@ -184,6 +193,7 @@ SSL_dup_CA_list
 SSL_export_keying_material
 SSL_free
 SSL_get0_alpn_selected
+SSL_get0_chain_certs
 SSL_get0_next_proto_negotiated
 SSL_get0_param
 SSL_get1_session
@@ -247,6 +257,8 @@ SSL_renegotiate_pending
 SSL_rstate_string
 SSL_rstate_string_long
 SSL_select_next_proto
+SSL_set0_chain
+SSL_set1_chain
 SSL_set1_groups
 SSL_set1_groups_list
 SSL_set1_host
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 49f402d065..0357a70ca3 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.185 2019/03/25 17:21:18 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.186 2019/04/04 15:03:21 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1876,6 +1876,47 @@ _SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len)
 }
 int
+SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain)
+{
+        return ssl_cert_set0_chain(ssl->cert, chain);
+}
+int
+SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain)
+{
+        return ssl_cert_set1_chain(ssl->cert, chain);
+}
+int
+SSL_add0_chain_cert(SSL *ssl, X509 *x509)
+{
+        return ssl_cert_add0_chain_cert(ssl->cert, x509);
+}
+int
+SSL_add1_chain_cert(SSL *ssl, X509 *x509)
+{
+        return ssl_cert_add1_chain_cert(ssl->cert, x509);
+}
+int
+SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain)
+{
+        *out_chain = NULL;
+        if (ssl->cert->key != NULL)
+                *out_chain = ssl->cert->key->chain;
+        return 1;
+}
+int
+SSL_clear_chain_certs(SSL *ssl)
+{
+        return ssl_cert_set0_chain(ssl->cert, NULL);
+}
+int
 SSL_set1_groups(SSL *s, const int *groups, size_t groups_len)
 {
        return tls1_set_groups(&s->internal->tlsext_supportedgroups,
@@ -1956,6 +1997,21 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
        case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP:
                return _SSL_set_tlsext_status_ocsp_resp(s, parg, larg);
+        case SSL_CTRL_CHAIN:
+                if (larg == 0)
+                        return SSL_set0_chain(s, (STACK_OF(X509) *)parg);
+                else
+                        return SSL_set1_chain(s, (STACK_OF(X509) *)parg);
+        case SSL_CTRL_CHAIN_CERT:
+                if (larg == 0)
+                        return SSL_add0_chain_cert(s, (X509 *)parg);
+                else
+                        return SSL_add1_chain_cert(s, (X509 *)parg);
+        case SSL_CTRL_GET_CHAIN_CERTS:
+                return SSL_get0_chain_certs(s, (STACK_OF(X509) **)parg);
        case SSL_CTRL_SET_GROUPS:
                return SSL_set1_groups(s, parg, larg);
@@ -2127,6 +2183,47 @@ _SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg)
        return 1;
 }
+int
+SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain)
+{
+        return ssl_cert_set0_chain(ctx->internal->cert, chain);
+}
+int
+SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain)
+{
+        return ssl_cert_set1_chain(ctx->internal->cert, chain);
+}
+int
+SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509)
+{
+        return ssl_cert_add0_chain_cert(ctx->internal->cert, x509);
+}
+int
+SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509)
+{
+        return ssl_cert_add1_chain_cert(ctx->internal->cert, x509);
+}
+int
+SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain)
+{
+        *out_chain = NULL;
+        if (ctx->internal->cert->key != NULL)
+                *out_chain = ctx->internal->cert->key->chain;
+        return 1;
+}
+int
+SSL_CTX_clear_chain_certs(SSL_CTX *ctx)
+{
+        return ssl_cert_set0_chain(ctx->internal->cert, NULL);
+}
 static int
 _SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *cert)
 {
@@ -2208,6 +2305,21 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
        case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:
                return _SSL_CTX_set_tlsext_status_arg(ctx, parg);
+        case SSL_CTRL_CHAIN:
+                if (larg == 0)
+                        return SSL_CTX_set0_chain(ctx, (STACK_OF(X509) *)parg);
+                else
+                        return SSL_CTX_set1_chain(ctx, (STACK_OF(X509) *)parg);
+        case SSL_CTRL_CHAIN_CERT:
+                if (larg == 0)
+                        return SSL_CTX_add0_chain_cert(ctx, (X509 *)parg);
+                else
+                        return SSL_CTX_add1_chain_cert(ctx, (X509 *)parg);
+        case SSL_CTRL_GET_CHAIN_CERTS:
+                return SSL_CTX_get0_chain_certs(ctx, (STACK_OF(X509) **)parg);
        case SSL_CTRL_EXTRA_CHAIN_CERT:
                return _SSL_CTX_add_extra_chain_cert(ctx, parg);
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 58b1be6d0d..fc89b0ef6e 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.165 2019/03/17 17:28:08 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.166 2019/04/04 15:03:21 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1118,6 +1118,9 @@ int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x);
 #define SSL_CTRL_GET_EXTRA_CHAIN_CERTS          82
 #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS        83
+#define SSL_CTRL_CHAIN                                  88
+#define SSL_CTRL_CHAIN_CERT                             89
 #define SSL_CTRL_SET_GROUPS                             91
 #define SSL_CTRL_SET_GROUPS_LIST                        92
@@ -1125,6 +1128,8 @@ int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x);
 #define SSL_CTRL_GET_SERVER_TMP_KEY             109
+#define SSL_CTRL_GET_CHAIN_CERTS                        115
 #define SSL_CTRL_SET_DH_AUTO                    118
 #define SSL_CTRL_SET_MIN_PROTO_VERSION                  123
@@ -1174,6 +1179,20 @@ int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x);
 #define SSL_set_ecdh_auto(s, onoff) \
        SSL_ctrl(s,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL)
+int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain);
+int SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain);
+int SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509);
+int SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509);
+int SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain);
+int SSL_CTX_clear_chain_certs(SSL_CTX *ctx);
+int SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain);
+int SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain);
+int SSL_add0_chain_cert(SSL *ssl, X509 *x509);
+int SSL_add1_chain_cert(SSL *ssl, X509 *x509);
+int SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain);
+int SSL_clear_chain_certs(SSL *ssl);
 int SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len);
 int SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups);
@@ -1215,14 +1234,30 @@ int SSL_set_max_proto_version(SSL *ssl, uint16_t version);
 * Also provide those functions as macros for compatibility with
 * existing users.
 */
+#define SSL_CTX_set0_chain              SSL_CTX_set0_chain
+#define SSL_CTX_set1_chain              SSL_CTX_set1_chain
+#define SSL_CTX_add0_chain_cert         SSL_CTX_add0_chain_cert
+#define SSL_CTX_add1_chain_cert         SSL_CTX_add1_chain_cert
+#define SSL_CTX_get0_chain_certs        SSL_CTX_get0_chain_certs
+#define SSL_CTX_clear_chain_certs       SSL_CTX_clear_chain_certs
+#define SSL_add0_chain_cert             SSL_add0_chain_cert
+#define SSL_add1_chain_cert             SSL_add1_chain_cert
+#define SSL_set0_chain                  SSL_set0_chain
+#define SSL_set1_chain                  SSL_set1_chain
+#define SSL_get0_chain_certs            SSL_get0_chain_certs
+#define SSL_clear_chain_certs           SSL_clear_chain_certs
 #define SSL_CTX_set1_groups             SSL_CTX_set1_groups
 #define SSL_CTX_set1_groups_list        SSL_CTX_set1_groups_list
 #define SSL_set1_groups                 SSL_set1_groups
 #define SSL_set1_groups_list            SSL_set1_groups_list
 #define SSL_CTX_get_min_proto_version   SSL_CTX_get_min_proto_version
 #define SSL_CTX_get_max_proto_version   SSL_CTX_get_max_proto_version
 #define SSL_CTX_set_min_proto_version   SSL_CTX_set_min_proto_version
 #define SSL_CTX_set_max_proto_version   SSL_CTX_set_max_proto_version
 #define SSL_get_min_proto_version       SSL_get_min_proto_version
 #define SSL_get_max_proto_version       SSL_get_max_proto_version
 #define SSL_set_min_proto_version       SSL_set_min_proto_version
author	jsing <>	2019-04-04 15:03:21 +0000
committer	jsing <>	2019-04-04 15:03:21 +0000
commit	ef18f5fcfa9cf3eeefcc89685bead61b8239028f (patch)
tree	3b602635dbbb5b70f50030b6207d774c40c1b7b8
parent	3b50812b7511c2b9b68aa78ee812e5eb6939a3d5 (diff)
download	openbsd-ef18f5fcfa9cf3eeefcc89685bead61b8239028f.tar.gz openbsd-ef18f5fcfa9cf3eeefcc89685bead61b8239028f.tar.bz2 openbsd-ef18f5fcfa9cf3eeefcc89685bead61b8239028f.zip

diff --git a/src/lib/libssl/Symbols.list b/src/lib/libssl/Symbols.list index 425d71126b..e72616a779 100644 --- a/src/lib/libssl/Symbols.list +++ b/src/lib/libssl/Symbols.list
@@ -57,14 +57,18 @@ SSL_CIPHER_is_aead
57	SSL_COMP_add_compression_method	57	SSL_COMP_add_compression_method
58	SSL_COMP_get_compression_methods	58	SSL_COMP_get_compression_methods
59	SSL_COMP_get_name	59	SSL_COMP_get_name
		60	SSL_CTX_add0_chain_cert
		61	SSL_CTX_add1_chain_cert
60	SSL_CTX_add_client_CA	62	SSL_CTX_add_client_CA
61	SSL_CTX_add_session	63	SSL_CTX_add_session
62	SSL_CTX_callback_ctrl	64	SSL_CTX_callback_ctrl
63	SSL_CTX_check_private_key	65	SSL_CTX_check_private_key
		66	SSL_CTX_clear_chain_certs
64	SSL_CTX_ctrl	67	SSL_CTX_ctrl
65	SSL_CTX_flush_sessions	68	SSL_CTX_flush_sessions
66	SSL_CTX_free	69	SSL_CTX_free
67	SSL_CTX_get0_certificate	70	SSL_CTX_get0_certificate
		71	SSL_CTX_get0_chain_certs
68	SSL_CTX_get0_param	72	SSL_CTX_get0_param
69	SSL_CTX_get_cert_store	73	SSL_CTX_get_cert_store
70	SSL_CTX_get_ciphers	74	SSL_CTX_get_ciphers
@@ -93,6 +97,8 @@ SSL_CTX_sess_set_get_cb
93	SSL_CTX_sess_set_new_cb	97	SSL_CTX_sess_set_new_cb
94	SSL_CTX_sess_set_remove_cb	98	SSL_CTX_sess_set_remove_cb
95	SSL_CTX_sessions	99	SSL_CTX_sessions
		100	SSL_CTX_set0_chain
		101	SSL_CTX_set1_chain
96	SSL_CTX_set1_groups	102	SSL_CTX_set1_groups
97	SSL_CTX_set1_groups_list	103	SSL_CTX_set1_groups_list
98	SSL_CTX_set1_param	104	SSL_CTX_set1_param
@@ -164,6 +170,8 @@ SSL_SESSION_set_time
164	SSL_SESSION_set_timeout	170	SSL_SESSION_set_timeout
165	SSL_SESSION_up_ref	171	SSL_SESSION_up_ref
166	SSL_accept	172	SSL_accept
		173	SSL_add0_chain_cert
		174	SSL_add1_chain_cert
167	SSL_add_client_CA	175	SSL_add_client_CA
168	SSL_add_dir_cert_subjects_to_stack	176	SSL_add_dir_cert_subjects_to_stack
169	SSL_add_file_cert_subjects_to_stack	177	SSL_add_file_cert_subjects_to_stack
@@ -175,6 +183,7 @@ SSL_cache_hit
175	SSL_callback_ctrl	183	SSL_callback_ctrl
176	SSL_check_private_key	184	SSL_check_private_key
177	SSL_clear	185	SSL_clear
		186	SSL_clear_chain_certs
178	SSL_connect	187	SSL_connect
179	SSL_copy_session_id	188	SSL_copy_session_id
180	SSL_ctrl	189	SSL_ctrl
@@ -184,6 +193,7 @@ SSL_dup_CA_list
184	SSL_export_keying_material	193	SSL_export_keying_material
185	SSL_free	194	SSL_free
186	SSL_get0_alpn_selected	195	SSL_get0_alpn_selected
		196	SSL_get0_chain_certs
187	SSL_get0_next_proto_negotiated	197	SSL_get0_next_proto_negotiated
188	SSL_get0_param	198	SSL_get0_param
189	SSL_get1_session	199	SSL_get1_session
@@ -247,6 +257,8 @@ SSL_renegotiate_pending
247	SSL_rstate_string	257	SSL_rstate_string
248	SSL_rstate_string_long	258	SSL_rstate_string_long
249	SSL_select_next_proto	259	SSL_select_next_proto
		260	SSL_set0_chain
		261	SSL_set1_chain
250	SSL_set1_groups	262	SSL_set1_groups
251	SSL_set1_groups_list	263	SSL_set1_groups_list
252	SSL_set1_host	264	SSL_set1_host


diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index 49f402d065..0357a70ca3 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s3_lib.c,v 1.185 2019/03/25 17:21:18 jsing Exp $ */	1	/* $OpenBSD: s3_lib.c,v 1.186 2019/04/04 15:03:21 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1876,6 +1876,47 @@ _SSL_set_tlsext_status_ocsp_resp(SSL s, unsigned char resp, int resp_len)
1876	}	1876	}
1877		1877
1878	int	1878	int
		1879	SSL_set0_chain(SSL ssl, STACK_OF(X509) chain)
		1880	{
		1881	return ssl_cert_set0_chain(ssl->cert, chain);
		1882	}
		1883
		1884	int
		1885	SSL_set1_chain(SSL ssl, STACK_OF(X509) chain)
		1886	{
		1887	return ssl_cert_set1_chain(ssl->cert, chain);
		1888	}
		1889
		1890	int
		1891	SSL_add0_chain_cert(SSL ssl, X509 x509)
		1892	{
		1893	return ssl_cert_add0_chain_cert(ssl->cert, x509);
		1894	}
		1895
		1896	int
		1897	SSL_add1_chain_cert(SSL ssl, X509 x509)
		1898	{
		1899	return ssl_cert_add1_chain_cert(ssl->cert, x509);
		1900	}
		1901
		1902	int
		1903	SSL_get0_chain_certs(const SSL ssl, STACK_OF(X509) *out_chain)
		1904	{
		1905	*out_chain = NULL;
		1906
		1907	if (ssl->cert->key != NULL)
		1908	*out_chain = ssl->cert->key->chain;
		1909
		1910	return 1;
		1911	}
		1912
		1913	int
		1914	SSL_clear_chain_certs(SSL *ssl)
		1915	{
		1916	return ssl_cert_set0_chain(ssl->cert, NULL);
		1917	}
		1918
		1919	int
1879	SSL_set1_groups(SSL s, const int groups, size_t groups_len)	1920	SSL_set1_groups(SSL s, const int groups, size_t groups_len)
1880	{	1921	{
1881	return tls1_set_groups(&s->internal->tlsext_supportedgroups,	1922	return tls1_set_groups(&s->internal->tlsext_supportedgroups,
@@ -1956,6 +1997,21 @@ ssl3_ctrl(SSL s, int cmd, long larg, void parg)
1956	case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP:	1997	case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP:
1957	return _SSL_set_tlsext_status_ocsp_resp(s, parg, larg);	1998	return _SSL_set_tlsext_status_ocsp_resp(s, parg, larg);
1958		1999
		2000	case SSL_CTRL_CHAIN:
		2001	if (larg == 0)
		2002	return SSL_set0_chain(s, (STACK_OF(X509) *)parg);
		2003	else
		2004	return SSL_set1_chain(s, (STACK_OF(X509) *)parg);
		2005
		2006	case SSL_CTRL_CHAIN_CERT:
		2007	if (larg == 0)
		2008	return SSL_add0_chain_cert(s, (X509 *)parg);
		2009	else
		2010	return SSL_add1_chain_cert(s, (X509 *)parg);
		2011
		2012	case SSL_CTRL_GET_CHAIN_CERTS:
		2013	return SSL_get0_chain_certs(s, (STACK_OF(X509) **)parg);
		2014
1959	case SSL_CTRL_SET_GROUPS:	2015	case SSL_CTRL_SET_GROUPS:
1960	return SSL_set1_groups(s, parg, larg);	2016	return SSL_set1_groups(s, parg, larg);
1961		2017
@@ -2127,6 +2183,47 @@ _SSL_CTX_set_tlsext_status_arg(SSL_CTX ctx, void arg)
2127	return 1;	2183	return 1;
2128	}	2184	}
2129		2185
		2186	int
		2187	SSL_CTX_set0_chain(SSL_CTX ctx, STACK_OF(X509) chain)
		2188	{
		2189	return ssl_cert_set0_chain(ctx->internal->cert, chain);
		2190	}
		2191
		2192	int
		2193	SSL_CTX_set1_chain(SSL_CTX ctx, STACK_OF(X509) chain)
		2194	{
		2195	return ssl_cert_set1_chain(ctx->internal->cert, chain);
		2196	}
		2197
		2198	int
		2199	SSL_CTX_add0_chain_cert(SSL_CTX ctx, X509 x509)
		2200	{
		2201	return ssl_cert_add0_chain_cert(ctx->internal->cert, x509);
		2202	}
		2203
		2204	int
		2205	SSL_CTX_add1_chain_cert(SSL_CTX ctx, X509 x509)
		2206	{
		2207	return ssl_cert_add1_chain_cert(ctx->internal->cert, x509);
		2208	}
		2209
		2210	int
		2211	SSL_CTX_get0_chain_certs(const SSL_CTX ctx, STACK_OF(X509) *out_chain)
		2212	{
		2213	*out_chain = NULL;
		2214
		2215	if (ctx->internal->cert->key != NULL)
		2216	*out_chain = ctx->internal->cert->key->chain;
		2217
		2218	return 1;
		2219	}
		2220
		2221	int
		2222	SSL_CTX_clear_chain_certs(SSL_CTX *ctx)
		2223	{
		2224	return ssl_cert_set0_chain(ctx->internal->cert, NULL);
		2225	}
		2226
2130	static int	2227	static int
2131	_SSL_CTX_add_extra_chain_cert(SSL_CTX ctx, X509 cert)	2228	_SSL_CTX_add_extra_chain_cert(SSL_CTX ctx, X509 cert)
2132	{	2229	{
@@ -2208,6 +2305,21 @@ ssl3_ctx_ctrl(SSL_CTX ctx, int cmd, long larg, void parg)
2208	case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:	2305	case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:
2209	return _SSL_CTX_set_tlsext_status_arg(ctx, parg);	2306	return _SSL_CTX_set_tlsext_status_arg(ctx, parg);
2210		2307
		2308	case SSL_CTRL_CHAIN:
		2309	if (larg == 0)
		2310	return SSL_CTX_set0_chain(ctx, (STACK_OF(X509) *)parg);
		2311	else
		2312	return SSL_CTX_set1_chain(ctx, (STACK_OF(X509) *)parg);
		2313
		2314	case SSL_CTRL_CHAIN_CERT:
		2315	if (larg == 0)
		2316	return SSL_CTX_add0_chain_cert(ctx, (X509 *)parg);
		2317	else
		2318	return SSL_CTX_add1_chain_cert(ctx, (X509 *)parg);
		2319
		2320	case SSL_CTRL_GET_CHAIN_CERTS:
		2321	return SSL_CTX_get0_chain_certs(ctx, (STACK_OF(X509) **)parg);
		2322
2211	case SSL_CTRL_EXTRA_CHAIN_CERT:	2323	case SSL_CTRL_EXTRA_CHAIN_CERT:
2212	return _SSL_CTX_add_extra_chain_cert(ctx, parg);	2324	return _SSL_CTX_add_extra_chain_cert(ctx, parg);
2213		2325


diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 58b1be6d0d..fc89b0ef6e 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl.h,v 1.165 2019/03/17 17:28:08 jsing Exp $ */	1	/* $OpenBSD: ssl.h,v 1.166 2019/04/04 15:03:21 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1118,6 +1118,9 @@ int PEM_write_SSL_SESSION(FILE fp, SSL_SESSION x);
1118	#define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82	1118	#define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82
1119	#define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83	1119	#define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83
1120		1120
		1121	#define SSL_CTRL_CHAIN 88
		1122	#define SSL_CTRL_CHAIN_CERT 89
		1123
1121	#define SSL_CTRL_SET_GROUPS 91	1124	#define SSL_CTRL_SET_GROUPS 91
1122	#define SSL_CTRL_SET_GROUPS_LIST 92	1125	#define SSL_CTRL_SET_GROUPS_LIST 92
1123		1126
@@ -1125,6 +1128,8 @@ int PEM_write_SSL_SESSION(FILE fp, SSL_SESSION x);
1125		1128
1126	#define SSL_CTRL_GET_SERVER_TMP_KEY 109	1129	#define SSL_CTRL_GET_SERVER_TMP_KEY 109
1127		1130
		1131	#define SSL_CTRL_GET_CHAIN_CERTS 115
		1132
1128	#define SSL_CTRL_SET_DH_AUTO 118	1133	#define SSL_CTRL_SET_DH_AUTO 118
1129		1134
1130	#define SSL_CTRL_SET_MIN_PROTO_VERSION 123	1135	#define SSL_CTRL_SET_MIN_PROTO_VERSION 123
@@ -1174,6 +1179,20 @@ int PEM_write_SSL_SESSION(FILE fp, SSL_SESSION x);
1174	#define SSL_set_ecdh_auto(s, onoff) \	1179	#define SSL_set_ecdh_auto(s, onoff) \
1175	SSL_ctrl(s,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL)	1180	SSL_ctrl(s,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL)
1176		1181
		1182	int SSL_CTX_set0_chain(SSL_CTX ctx, STACK_OF(X509) chain);
		1183	int SSL_CTX_set1_chain(SSL_CTX ctx, STACK_OF(X509) chain);
		1184	int SSL_CTX_add0_chain_cert(SSL_CTX ctx, X509 x509);
		1185	int SSL_CTX_add1_chain_cert(SSL_CTX ctx, X509 x509);
		1186	int SSL_CTX_get0_chain_certs(const SSL_CTX ctx, STACK_OF(X509) *out_chain);
		1187	int SSL_CTX_clear_chain_certs(SSL_CTX *ctx);
		1188
		1189	int SSL_set0_chain(SSL ssl, STACK_OF(X509) chain);
		1190	int SSL_set1_chain(SSL ssl, STACK_OF(X509) chain);
		1191	int SSL_add0_chain_cert(SSL ssl, X509 x509);
		1192	int SSL_add1_chain_cert(SSL ssl, X509 x509);
		1193	int SSL_get0_chain_certs(const SSL ssl, STACK_OF(X509) *out_chain);
		1194	int SSL_clear_chain_certs(SSL *ssl);
		1195
1177	int SSL_CTX_set1_groups(SSL_CTX ctx, const int groups, size_t groups_len);	1196	int SSL_CTX_set1_groups(SSL_CTX ctx, const int groups, size_t groups_len);
1178	int SSL_CTX_set1_groups_list(SSL_CTX ctx, const char groups);	1197	int SSL_CTX_set1_groups_list(SSL_CTX ctx, const char groups);
1179		1198
@@ -1215,14 +1234,30 @@ int SSL_set_max_proto_version(SSL *ssl, uint16_t version);
1215	* Also provide those functions as macros for compatibility with	1234	* Also provide those functions as macros for compatibility with
1216	* existing users.	1235	* existing users.
1217	*/	1236	*/
		1237	#define SSL_CTX_set0_chain SSL_CTX_set0_chain
		1238	#define SSL_CTX_set1_chain SSL_CTX_set1_chain
		1239	#define SSL_CTX_add0_chain_cert SSL_CTX_add0_chain_cert
		1240	#define SSL_CTX_add1_chain_cert SSL_CTX_add1_chain_cert
		1241	#define SSL_CTX_get0_chain_certs SSL_CTX_get0_chain_certs
		1242	#define SSL_CTX_clear_chain_certs SSL_CTX_clear_chain_certs
		1243
		1244	#define SSL_add0_chain_cert SSL_add0_chain_cert
		1245	#define SSL_add1_chain_cert SSL_add1_chain_cert
		1246	#define SSL_set0_chain SSL_set0_chain
		1247	#define SSL_set1_chain SSL_set1_chain
		1248	#define SSL_get0_chain_certs SSL_get0_chain_certs
		1249	#define SSL_clear_chain_certs SSL_clear_chain_certs
		1250
1218	#define SSL_CTX_set1_groups SSL_CTX_set1_groups	1251	#define SSL_CTX_set1_groups SSL_CTX_set1_groups
1219	#define SSL_CTX_set1_groups_list SSL_CTX_set1_groups_list	1252	#define SSL_CTX_set1_groups_list SSL_CTX_set1_groups_list
1220	#define SSL_set1_groups SSL_set1_groups	1253	#define SSL_set1_groups SSL_set1_groups
1221	#define SSL_set1_groups_list SSL_set1_groups_list	1254	#define SSL_set1_groups_list SSL_set1_groups_list
		1255
1222	#define SSL_CTX_get_min_proto_version SSL_CTX_get_min_proto_version	1256	#define SSL_CTX_get_min_proto_version SSL_CTX_get_min_proto_version
1223	#define SSL_CTX_get_max_proto_version SSL_CTX_get_max_proto_version	1257	#define SSL_CTX_get_max_proto_version SSL_CTX_get_max_proto_version
1224	#define SSL_CTX_set_min_proto_version SSL_CTX_set_min_proto_version	1258	#define SSL_CTX_set_min_proto_version SSL_CTX_set_min_proto_version
1225	#define SSL_CTX_set_max_proto_version SSL_CTX_set_max_proto_version	1259	#define SSL_CTX_set_max_proto_version SSL_CTX_set_max_proto_version
		1260
1226	#define SSL_get_min_proto_version SSL_get_min_proto_version	1261	#define SSL_get_min_proto_version SSL_get_min_proto_version
1227	#define SSL_get_max_proto_version SSL_get_max_proto_version	1262	#define SSL_get_max_proto_version SSL_get_max_proto_version
1228	#define SSL_set_min_proto_version SSL_set_min_proto_version	1263	#define SSL_set_min_proto_version SSL_set_min_proto_version