diff options
| author | jsing <> | 2020-01-02 06:37:13 +0000 |
|---|---|---|
| committer | jsing <> | 2020-01-02 06:37:13 +0000 |
| commit | d7e8782493bda5a46e15fb13e492e89970fed909 (patch) | |
| tree | c238927ae87e866bfc523f55a22fdb2ba246d1de /src/lib/libssl/s3_lib.c | |
| parent | 92c7edc8eaad10f666525c5fb64a55987aaf0a81 (diff) | |
| download | openbsd-d7e8782493bda5a46e15fb13e492e89970fed909.tar.gz openbsd-d7e8782493bda5a46e15fb13e492e89970fed909.tar.bz2 openbsd-d7e8782493bda5a46e15fb13e492e89970fed909.zip | |
Revise SSL_CTX_get_extra_chain_certs() to match OpenSSL behaviour.
In OpenSSL, SSL_CTX_get_extra_chain_certs() really means return extra
certs, unless there are none, in which case return the chain associated
with the certificate. If you really just want the extra certs, including
knowing if there are no extra certs, then you need to call
SSL_CTX_get_extra_chain_certs_only()! And to make this even more
entertaining, these functions are not documented in any OpenSSL release.
Reported by sephiroth-j on github, since the difference in behaviour
apparently breaks OCSP stapling with nginx.
ok beck@ inoguchi@ tb@
Diffstat (limited to 'src/lib/libssl/s3_lib.c')
| -rw-r--r-- | src/lib/libssl/s3_lib.c | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index 2943842ce7..9adf257ff3 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_lib.c,v 1.187 2019/10/04 17:21:24 jsing Exp $ */ | 1 | /* $OpenBSD: s3_lib.c,v 1.188 2020/01/02 06:37:13 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -2242,6 +2242,16 @@ static int | |||
| 2242 | _SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs) | 2242 | _SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs) |
| 2243 | { | 2243 | { |
| 2244 | *certs = ctx->extra_certs; | 2244 | *certs = ctx->extra_certs; |
| 2245 | if (*certs == NULL) | ||
| 2246 | *certs = ctx->internal->cert->key->chain; | ||
| 2247 | |||
| 2248 | return 1; | ||
| 2249 | } | ||
| 2250 | |||
| 2251 | static int | ||
| 2252 | _SSL_CTX_get_extra_chain_certs_only(SSL_CTX *ctx, STACK_OF(X509) **certs) | ||
| 2253 | { | ||
| 2254 | *certs = ctx->extra_certs; | ||
| 2245 | return 1; | 2255 | return 1; |
| 2246 | } | 2256 | } |
| 2247 | 2257 | ||
| @@ -2325,7 +2335,10 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) | |||
| 2325 | return _SSL_CTX_add_extra_chain_cert(ctx, parg); | 2335 | return _SSL_CTX_add_extra_chain_cert(ctx, parg); |
| 2326 | 2336 | ||
| 2327 | case SSL_CTRL_GET_EXTRA_CHAIN_CERTS: | 2337 | case SSL_CTRL_GET_EXTRA_CHAIN_CERTS: |
| 2328 | return _SSL_CTX_get_extra_chain_certs(ctx, parg); | 2338 | if (larg == 0) |
| 2339 | return _SSL_CTX_get_extra_chain_certs(ctx, parg); | ||
| 2340 | else | ||
| 2341 | return _SSL_CTX_get_extra_chain_certs_only(ctx, parg); | ||
| 2329 | 2342 | ||
| 2330 | case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS: | 2343 | case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS: |
| 2331 | return _SSL_CTX_clear_extra_chain_certs(ctx); | 2344 | return _SSL_CTX_clear_extra_chain_certs(ctx); |