summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl.h
diff options
context:
space:
mode:
authorjsing <>2020-01-02 06:37:13 +0000
committerjsing <>2020-01-02 06:37:13 +0000
commitd7e8782493bda5a46e15fb13e492e89970fed909 (patch)
treec238927ae87e866bfc523f55a22fdb2ba246d1de /src/lib/libssl/ssl.h
parent92c7edc8eaad10f666525c5fb64a55987aaf0a81 (diff)
downloadopenbsd-d7e8782493bda5a46e15fb13e492e89970fed909.tar.gz
openbsd-d7e8782493bda5a46e15fb13e492e89970fed909.tar.bz2
openbsd-d7e8782493bda5a46e15fb13e492e89970fed909.zip
Revise SSL_CTX_get_extra_chain_certs() to match OpenSSL behaviour.
In OpenSSL, SSL_CTX_get_extra_chain_certs() really means return extra certs, unless there are none, in which case return the chain associated with the certificate. If you really just want the extra certs, including knowing if there are no extra certs, then you need to call SSL_CTX_get_extra_chain_certs_only()! And to make this even more entertaining, these functions are not documented in any OpenSSL release. Reported by sephiroth-j on github, since the difference in behaviour apparently breaks OCSP stapling with nginx. ok beck@ inoguchi@ tb@
Diffstat (limited to 'src/lib/libssl/ssl.h')
-rw-r--r--src/lib/libssl/ssl.h14
1 files changed, 8 insertions, 6 deletions
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index fc89b0ef6e..521fb537de 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl.h,v 1.166 2019/04/04 15:03:21 jsing Exp $ */ 1/* $OpenBSD: ssl.h,v 1.167 2020/01/02 06:37:13 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -1219,12 +1219,14 @@ int SSL_set_max_proto_version(SSL *ssl, uint16_t version);
1219#define SSL_set1_curves_list SSL_set1_groups_list 1219#define SSL_set1_curves_list SSL_set1_groups_list
1220#endif 1220#endif
1221 1221
1222#define SSL_CTX_add_extra_chain_cert(ctx,x509) \ 1222#define SSL_CTX_add_extra_chain_cert(ctx, x509) \
1223 SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509) 1223 SSL_CTX_ctrl(ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, (char *)x509)
1224#define SSL_CTX_get_extra_chain_certs(ctx,px509) \ 1224#define SSL_CTX_get_extra_chain_certs(ctx, px509) \
1225 SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,0,px509) 1225 SSL_CTX_ctrl(ctx, SSL_CTRL_GET_EXTRA_CHAIN_CERTS, 0, px509)
1226#define SSL_CTX_get_extra_chain_certs_only(ctx, px509) \
1227 SSL_CTX_ctrl(ctx, SSL_CTRL_GET_EXTRA_CHAIN_CERTS, 1, px509)
1226#define SSL_CTX_clear_extra_chain_certs(ctx) \ 1228#define SSL_CTX_clear_extra_chain_certs(ctx) \
1227 SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL) 1229 SSL_CTX_ctrl(ctx, SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS, 0, NULL)
1228 1230
1229#define SSL_get_server_tmp_key(s, pk) \ 1231#define SSL_get_server_tmp_key(s, pk) \
1230 SSL_ctrl(s,SSL_CTRL_GET_SERVER_TMP_KEY,0,pk) 1232 SSL_ctrl(s,SSL_CTRL_GET_SERVER_TMP_KEY,0,pk)