diff options
| author | jsing <> | 2022-08-17 07:39:19 +0000 |
|---|---|---|
| committer | jsing <> | 2022-08-17 07:39:19 +0000 |
| commit | b0c5f651476e9397892adf645bba468df03d0ea9 (patch) | |
| tree | d4b208572f46a7c773aecb3e2d410aeaae5e817a /src/lib/libssl/s3_lib.c | |
| parent | 7e9e21e27683a4be2c58fedde7fc9303f63a83f9 (diff) | |
| download | openbsd-b0c5f651476e9397892adf645bba468df03d0ea9.tar.gz openbsd-b0c5f651476e9397892adf645bba468df03d0ea9.tar.bz2 openbsd-b0c5f651476e9397892adf645bba468df03d0ea9.zip | |
Deduplicate peer certificate chain processing code.
Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.
This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.
ok tb@
Diffstat (limited to 'src/lib/libssl/s3_lib.c')
| -rw-r--r-- | src/lib/libssl/s3_lib.c | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index b6a2c26938..2726744357 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_lib.c,v 1.235 2022/07/02 16:31:04 tb Exp $ */ | 1 | /* $OpenBSD: s3_lib.c,v 1.236 2022/08/17 07:39:19 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1559,8 +1559,10 @@ ssl3_free(SSL *s) | |||
| 1559 | tls1_cleanup_key_block(s); | 1559 | tls1_cleanup_key_block(s); |
| 1560 | ssl3_release_read_buffer(s); | 1560 | ssl3_release_read_buffer(s); |
| 1561 | ssl3_release_write_buffer(s); | 1561 | ssl3_release_write_buffer(s); |
| 1562 | freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len); | ||
| 1563 | 1562 | ||
| 1563 | freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len); | ||
| 1564 | sk_X509_pop_free(s->s3->hs.peer_certs, X509_free); | ||
| 1565 | sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free); | ||
| 1564 | tls_key_share_free(s->s3->hs.key_share); | 1566 | tls_key_share_free(s->s3->hs.key_share); |
| 1565 | 1567 | ||
| 1566 | tls13_secrets_destroy(s->s3->hs.tls13.secrets); | 1568 | tls13_secrets_destroy(s->s3->hs.tls13.secrets); |
| @@ -1586,8 +1588,8 @@ ssl3_free(SSL *s) | |||
| 1586 | void | 1588 | void |
| 1587 | ssl3_clear(SSL *s) | 1589 | ssl3_clear(SSL *s) |
| 1588 | { | 1590 | { |
| 1589 | unsigned char *rp, *wp; | 1591 | unsigned char *rp, *wp; |
| 1590 | size_t rlen, wlen; | 1592 | size_t rlen, wlen; |
| 1591 | 1593 | ||
| 1592 | tls1_cleanup_key_block(s); | 1594 | tls1_cleanup_key_block(s); |
| 1593 | sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free); | 1595 | sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free); |
| @@ -1598,6 +1600,11 @@ ssl3_clear(SSL *s) | |||
| 1598 | s->s3->hs.sigalgs = NULL; | 1600 | s->s3->hs.sigalgs = NULL; |
| 1599 | s->s3->hs.sigalgs_len = 0; | 1601 | s->s3->hs.sigalgs_len = 0; |
| 1600 | 1602 | ||
| 1603 | sk_X509_pop_free(s->s3->hs.peer_certs, X509_free); | ||
| 1604 | s->s3->hs.peer_certs = NULL; | ||
| 1605 | sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free); | ||
| 1606 | s->s3->hs.peer_certs_no_leaf = NULL; | ||
| 1607 | |||
| 1601 | tls_key_share_free(s->s3->hs.key_share); | 1608 | tls_key_share_free(s->s3->hs.key_share); |
| 1602 | s->s3->hs.key_share = NULL; | 1609 | s->s3->hs.key_share = NULL; |
| 1603 | 1610 | ||